fix(1d): F1d-2 — pinned base deploys the pinned version; upgrade is non-vacuous

- deploy_app: checkout the pinned tag + deploy NON-chaos when a version is pinned (chaos only for
  version=None / PR-head). Was always -C, which ignored the pin and deployed LATEST -> upgrade no-op.
- do_upgrade: assert the deployment actually MOVED (coop-cloud version label and/or image changed)
  via lifecycle.deployed_identity -> a vacuous no-op upgrade can no longer pass (DG2).
- G2: migrate custom-html overlays to the assertion-only contract (override + extend-by-composition
  + data-continuity; split backup/restore). tests/unit/test_discovery.py proves precedence (5/5).

Probe (Adversary's F1d-2 test): hedgedoc deploy-prev=1.10.7 -> upgrade=1.10.8, CHANGED=True.
hedgedoc full generic lifecycle green (install/upgrade/backup/restore, deploy-count=1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

runner/harness/abra.py

@@ -71,6 +71,18 @@ def app_new(
     _run(args)
 
 
+def recipe_checkout(recipe: str, version: str) -> None:
+    """git-checkout the recipe to a published version tag so the on-disk compose/.env match the pin.
+    `abra app new <recipe> <version>` records ENV VERSION but does NOT reliably check out the tag, and
+    a chaos (`-C`) deploy ignores ENV VERSION and uses the current checkout — together that silently
+    deployed LATEST for a 'previous-version' base, making the upgrade a no-op (Adversary F1d-2). With
+    this checkout + a non-chaos deploy, a pinned deploy genuinely deploys that version."""
+    import os
+
+    path = os.path.expanduser(f"~/.abra/recipes/{recipe}")
+    subprocess.run(["git", "-C", path, "checkout", "--quiet", version], check=True)
+
+
 def env_set(domain: str, key: str, value: str) -> None:
     """Set a key in the app's .env (abra has no setter; edit the file directly)."""
     import os