claim(M1-nixenv): single-source harness runtime env — ccciPyEnv+ccciRuntimeTools+cc-ci-run in packages.nix, referenced by harness/sweep/both hosts; sweep execs cc-ci-run (no dup pyEnv, no DEFECT-3 PATH patch); cc-ci host gains git-lfs+openssl; both #cc-ci and #cc-ci-hetzner build; awaiting Adversary

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

nix/modules/harness.nix

@@ -1,20 +1,11 @@
-# CI harness runtime (M4): a reproducible Python env with pytest + Playwright and the
-# Nix-provided browsers, exposed as `cc-ci-run` on the host so the Drone exec pipeline (and
-# manual dev) can run the harness with `cc-ci-run runner/run_recipe_ci.py`. Playwright on NixOS
-# needs the browsers from nixpkgs (not a downloaded copy) via PLAYWRIGHT_BROWSERS_PATH.
+# CI harness runtime (M4): `cc-ci-run` exposes a reproducible Python env (pytest + Playwright,
+# Nix-provided browsers) plus the recipe-test tooling, so the Drone exec pipeline (and manual dev)
+# can run the harness with `cc-ci-run runner/run_recipe_ci.py`.
+#
+# Phase `nixenv`: `cc-ci-run` (and the env it carries) is now defined ONCE in modules/packages.nix
+# as `pkgs.cc-ci-run` — the SAME definition the nightly sweep execs and the same tool set the host
+# `systemPackages` reference. This module just installs it on the host.
 { pkgs, ... }:
-let
-  pyEnv = pkgs.python3.withPackages (ps: with ps; [ pytest playwright ]);
-  ccciRun = pkgs.writeShellApplication {
-    name = "cc-ci-run";
-    runtimeInputs = [ pyEnv pkgs.abra pkgs.docker pkgs.git pkgs.coreutils pkgs.util-linux ];
-    text = ''
-      export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright-driver.browsers}
-      export PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1
-      exec ${pyEnv}/bin/python3 "$@"
-    '';
-  };
-in
 {
-  environment.systemPackages = [ ccciRun ];
+  environment.systemPackages = [ pkgs.cc-ci-run ];
 }