fix(1d): F1d-2 — pinned base deploys the pinned version; upgrade is non-vacuous

- deploy_app: checkout the pinned tag + deploy NON-chaos when a version is pinned (chaos only for
  version=None / PR-head). Was always -C, which ignored the pin and deployed LATEST -> upgrade no-op.
- do_upgrade: assert the deployment actually MOVED (coop-cloud version label and/or image changed)
  via lifecycle.deployed_identity -> a vacuous no-op upgrade can no longer pass (DG2).
- G2: migrate custom-html overlays to the assertion-only contract (override + extend-by-composition
  + data-continuity; split backup/restore). tests/unit/test_discovery.py proves precedence (5/5).

Probe (Adversary's F1d-2 test): hedgedoc deploy-prev=1.10.7 -> upgrade=1.10.8, CHANGED=True.
hedgedoc full generic lifecycle green (install/upgrade/backup/restore, deploy-count=1).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

runner/harness/lifecycle.py

@@ -8,6 +8,7 @@ from __future__ import annotations
 
 import contextlib
 import datetime
+import json
 import os
 import re
 import ssl
@@ -134,6 +135,12 @@ def deploy_app(
     _record_deploy()
     abra.app_config_remove(domain)  # clear any stale .env from a prior crashed run
     abra.app_new(recipe, domain, version=version, secrets=secrets)
+    # A pinned version must actually deploy that version: check the recipe out to the tag so the
+    # on-disk compose/.env match, and deploy NON-chaos below (chaos ignores the pin → deployed LATEST,
+    # Adversary F1d-2). Chaos is correct ONLY for the version=None case (deploy the current PR-head
+    # checkout). Order matters: checkout before secret_generate (-C) so secrets match the pinned tree.
+    if version:
+        abra.recipe_checkout(recipe, version)
     # Pin DOMAIN to the run domain explicitly. `abra app new -D` fills it for recipes whose
     # .env.sample uses a literal placeholder, but NOT for ones using a `{{ .Domain }}` Go-template
     # (this abra version leaves it unexpanded → deploy fails "can't evaluate field Domain"). Setting
@@ -146,7 +153,7 @@ def deploy_app(
         abra.secret_generate(domain)
     if install_steps_hook:
         _run_install_steps(install_steps_hook, recipe, domain)
-    abra.deploy(domain)
+    abra.deploy(domain, chaos=(version is None))
 
 
 def _stack_name(domain: str) -> str:
@@ -238,6 +245,37 @@ def wait_healthy(
     raise TimeoutError(f"{domain}: not healthy over HTTPS {path} (last status {last})")
 
 
+def deployed_identity(domain: str, service: str = "app") -> tuple[str | None, str | None]:
+    """(coop-cloud version label, image) of the running app service. Used to prove an upgrade
+    actually MOVED the deployment prev→target (not a vacuous no-op — Adversary F1d-2). The version
+    label (`coop-cloud.<stack>.version`) is bumped per published recipe version; the image usually
+    bumps too. Either changing proves the upgrade did something."""
+    name = f"{_stack_name(domain)}_{service}"
+    proc = subprocess.run(
+        [
+            "docker",
+            "service",
+            "inspect",
+            name,
+            "--format",
+            "{{json .Spec.Labels}}|{{.Spec.TaskTemplate.ContainerSpec.Image}}",
+        ],
+        capture_output=True,
+        text=True,
+    )
+    out = proc.stdout.strip()
+    if "|" not in out:
+        return (None, None)
+    labels_json, _, image = out.partition("|")
+    ver = None
+    with contextlib.suppress(ValueError, json.JSONDecodeError):
+        for k, v in json.loads(labels_json).items():
+            if k.startswith("coop-cloud.") and k.endswith(".version"):
+                ver = v
+                break
+    return (ver, image.strip() or None)
+
+
 def upgrade_app(domain: str, version: str | None = None) -> None:
     abra.upgrade(domain, version=version)