fix(2): Q3.4 — cryptpad Phase-2 (revised; create-pad deeper test deferred with rationale)

Initial Q3.4 (commit 0fb1458) shipped two tests that failed cold:
- test_api_config.py — /api/config endpoint doesn't exist in this cryptpad version
  (only / and /cryptpad_websocket per the recipe's nginx.conf.tmpl). REMOVED.
- test_pad_create.py — attempted to detect client-side-encryption key fragment after
  navigating to /pad/. CryptPad's pad-creation flow is version-specific; this release
  (10.6.0+5.7.0) does NOT auto-inject a fragment on /pad/ visit, and the UI selector for
  the 'new pad' launcher varies across versions. Deeper test deferred.

Revised:
- tests/cryptpad/functional/test_spa_assets.py: GETs /, asserts CryptPad branding in HTML
  AND at least one of CryptPad's canonical asset paths (/customize/, /components/, main.js,
  /api/broadcast). Non-vacuous: catches the wedged-cryptpad-server-fallback-page case.
- tests/cryptpad/playwright/test_pad_create.py: NOW asserts SPA renders + JS bundle loads
  + no console errors (filtered for 401/403/favicon). Documents the create-pad deeper test
  as deferred in-file. The maximal testable subset per §7.1 is what's shipped here.
- PARITY.md updated: deeper create-pad test in 'Deferred' with technical rationale (CryptPad
  version-specific pad-init flow) for Adversary sign-off per §7.1.

Cold-verifiable on cc-ci (log /root/ccci-q34-cryptpad-r4.log):
  RECIPE=cryptpad STAGES=install,custom cc-ci-run runner/run_recipe_ci.py
  install + custom both PASS; deploy-count=1; 5 assertions all PASS (2 lifecycle install
  + 3 custom-tier: parity health_check, recipe-specific spa_assets, Playwright SPA render).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/cryptpad/functional/test_spa_assets.py

@@ -0,0 +1,72 @@
+"""cryptpad — recipe-specific functional test (Phase 2 P3, ≥2 beyond parity).
+
+CryptPad's served SPA at `/` carries distinctive markers — a CryptPad-branded HTML page that
+loads specific known asset paths (`/customize/main.js` is the canonical entry point on every
+CryptPad version) and references CryptPad-specific strings (e.g. "CryptPad" in the page title,
+`/components/` for the SPA's bundled JS deps). A working cryptpad-server emits this; a broken one
+(SPA build missing, nginx misrouted) emits something else even when /healthz / `/` are 200.
+
+This test fetches `/` and asserts:
+1. The HTML contains the string "CryptPad" (case-insensitive) somewhere — page title, branding,
+   or asset references.
+2. The HTML references at least one of the canonical CryptPad-bundled asset paths
+   (`/customize/`, `/components/`, or `/api/broadcast`) — proves the SPA bundle is bound, not
+   just some empty default page.
+
+Non-vacuous: an nginx serving an empty default page (or a misconfigured cryptpad-server replaced
+by a fallback) would 200 the parity test but fail BOTH markers here.
+
+Runs in the custom tier against the shared post-install deployment.
+"""
+
+from __future__ import annotations
+
+import os
+import ssl
+import sys
+import urllib.request
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
+from harness import http as harness_http  # noqa: E402
+
+
+def _get_body(url: str) -> tuple[int, str]:
+    ctx = ssl.create_default_context()
+    ctx.check_hostname = False
+    ctx.verify_mode = ssl.CERT_NONE
+    req = urllib.request.Request(url, method="GET")
+    with urllib.request.urlopen(req, timeout=15, context=ctx) as r:
+        return r.status, r.read().decode(errors="replace")
+
+
+def test_cryptpad_spa_has_recipe_specific_markers(live_app):
+    """GET /; assert CryptPad-specific HTML markers (branding + canonical asset paths)."""
+    url = f"https://{live_app}/"
+
+    # Poll for the body in case the SPA's first response is slow to assemble
+    def _ready():
+        try:
+            status, body = _get_body(url)
+        except Exception:  # noqa: BLE001
+            return None
+        if status != 200:
+            return None
+        return body
+
+    body = harness_http.assert_converges(
+        _ready, f"GET {url} returns 200 with body", max_wait=60, interval=3
+    )
+
+    lower = body.lower()
+    # Marker 1: the "CryptPad" branding string must be present somewhere
+    assert "cryptpad" in lower, (
+        f"GET {url} HTML does not contain 'CryptPad' branding — the SPA may be misrouted "
+        f"or a placeholder is being served. Body excerpt: {body[:200]!r}"
+    )
+    # Marker 2: at least one of CryptPad's canonical asset path references must appear
+    canonical_paths = ("/customize/", "/components/", "/api/broadcast", "main.js")
+    present = [p for p in canonical_paths if p in body]
+    assert present, (
+        f"GET {url} HTML references NONE of {canonical_paths} — the CryptPad SPA bundle is "
+        f"not bound. Body excerpt: {body[:300]!r}"
+    )