feat(harness): P2 — delete legacy customization keys & paths (rcust)
All checks were successful
continuous-integration/drone/push Build is passing

a) compose.ccci.yml is FIRST-CLASS: the harness auto-copies tests/<recipe>/
   compose.ccci.yml into the run's recipe checkout (ABRA_DIR-aware, lifecycle.
   provide_ccci_overlay) and auto-chaoses the pinned base deploy on its presence
   (kills the R7 implicit coupling). ghost/discourse install_steps.sh (copy-only
   boilerplate) deleted; CHAOS_BASE_DEPLOY removed from both metas + the registry.

b) install-time deps wiring is the ONLY mode: deps with DEPS provision BEFORE the
   single deploy; legacy post-deploy provisioning + the setup_custom_tests.sh
   invocation machinery deleted. lasuite-docs migrated to install_steps.sh OIDC
   wiring (same env names/values as the old hook — only the timing moved);
   lasuite-drive's remaining post-deploy MinIO bucket one-shot moved to ops.py
   pre_install; both setup_custom_tests.sh files deleted; OIDC_AT_INSTALL removed
   from drive/meet metas + the registry.

c) SKIP_GENERIC meta key deleted (zero users). Env form CCCI_SKIP_GENERIC* stays
   as the documented dev-only escape hatch; when active in a drone CI run the
   orchestrator prints a loud !! warning (manifest embedding lands in P5).

d) conftest cleanup: dead pre-deploy-once fixtures deployed/deployed_app deleted
   (zero users), app_domain + _short + _wait_healthy dropped (only users were the
   deleted fixtures); deps_apps+deps_creds consolidated into ONE deps fixture
   (entries expose .domain etc. as attributes; dict access intact); the 6 lasuite
   test files renamed deps_creds->deps (fixture name only — assertions and flows
   byte-identical). requires_deps marker + F2-11 skip-report plumbing unchanged.

Registry is now exactly the 14 final keys; docs §4 table regenerated. Stale
setup_custom_tests/OIDC_AT_INSTALL prose in docstrings/comments/assert MESSAGES
updated (no assert logic or expected value touched).

Verified on cc-ci: cc-ci-run -m pytest tests/unit -q -> 175 passed; scripts/lint.sh -> PASS.
autonomic-bot
2026-06-10 17:01:33 +00:00
parent 472a68b32c
commit 8cd72fd78d
26 changed files with 316 additions and 472 deletions

View File

@ -5,7 +5,7 @@ persistence". This is the canonical create-an-object + read-it-back for lasuite-
Flow (uses an OIDC token from the dep keycloak):
1. Obtain a JWT via OIDC password grant against the dep keycloak (the test user is provisioned
by the orchestrator's setup_custom_tests step).
by the orchestrator's dep-provisioning step).
2. POST `/api/v1.0/documents/` with `Authorization: Bearer <jwt>` to create a new doc with a
unique title; capture the returned `id`.
3. GET `/api/v1.0/documents/<id>/` with the same Bearer token; assert the returned title and
@ -15,7 +15,7 @@ Non-vacuous: a misconfigured OIDC, broken backend, or missing endpoint fails at
broken. The marker-in-the-title + id round-trip proves the doc actually persisted in lasuite-
docs's database after going through the recipe's nginx → backend → postgres path.
Marked @pytest.mark.requires_deps — skips with `deps-not-ready` if setup_custom_tests failed.
Marked @pytest.mark.requires_deps — skips with `deps-not-ready` if dep provisioning failed.
"""
from __future__ import annotations
@ -32,9 +32,9 @@ from harness import sso
@pytest.mark.requires_deps
def test_create_doc_and_read_back(live_app, deps_creds):
def test_create_doc_and_read_back(live_app, deps):
"""Create a doc via the authenticated API; fetch it back; assert round-trip."""
kc = deps_creds["keycloak"]
kc = deps["keycloak"]
# Obtain a JWT via OIDC password grant
access_token = sso.oidc_password_grant(
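Review bot: `kc = deps["keycloak"]` in test_create_doc_and_read_back indexes the consolidated fixture with no presence check, so a run where the keycloak entry is missing fails with a bare KeyError instead of a message that points at dep provisioning. test_oidc_password_grant_against_dep_keycloak guards the same lookup with `assert "keycloak" in deps` and an explanatory message. Suggest the same guard here (and in test_oidc_login_via_keycloak), or a small shared helper, so all three tests fail the same way.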

View File

@ -5,13 +5,13 @@ SOURCE: references/recipe-maintainer/recipe-info/lasuite-docs/tests/oidc_login.p
End-to-end flow:
1. GET `/api/v1.0/users/me/` without auth → asserts the response REDIRECTS to the dep
keycloak's realm auth endpoint (the recipe is correctly configured to challenge
unauthenticated callers — wired via setup_custom_tests.sh).
unauthenticated callers — wired via install_steps.sh).
2. Obtain an OIDC token from the dep keycloak via password grant
(the test user provisioned by the orchestrator's realm setup).
3. Call `/api/v1.0/users/me/` with `Authorization: Bearer <jwt>` → asserts 200 and the
returned user's email matches the provisioned test user.
Marked @pytest.mark.requires_deps — skips with `deps-not-ready` if setup_custom_tests failed.
Marked @pytest.mark.requires_deps — skips with `deps-not-ready` if dep provisioning failed.
"""
from __future__ import annotations
@ -51,9 +51,9 @@ def _get_no_redirect(url: str) -> tuple[int, str]:
@pytest.mark.requires_deps
def test_oidc_login_via_keycloak(live_app, deps_creds):
def test_oidc_login_via_keycloak(live_app, deps):
"""Anonymous → redirect to keycloak; password-grant token → 200 from /api/v1.0/users/me/."""
kc = deps_creds["keycloak"]
kc = deps["keycloak"]
# Step 1: unauthenticated GET → 302 to keycloak realm's auth endpoint
status, redirect = _get_no_redirect(f"https://{live_app}/api/v1.0/users/me/")

View File

@ -3,10 +3,10 @@
Refactored to the refined SSO-dep model:
- The orchestrator deploys a per-run keycloak dep AFTER generic tiers and provisions a fresh
realm/client/user via `harness.sso.setup_keycloak_realm`. The creds are written to
`$CCCI_DEPS_FILE` (read here via the `deps_creds` fixture).
`$CCCI_DEPS_FILE` (read here via the `deps` fixture).
- This test no longer calls `setup_keycloak_realm` itself — that's the orchestrator's job in
the setup_custom_tests step. We just consume the credentials and exercise the OIDC flow.
- Marked `@pytest.mark.requires_deps` so if setup_custom_tests failed, this test SKIPs with a
the dep-provisioning step. We just consume the credentials and exercise the OIDC flow.
- Marked `@pytest.mark.requires_deps` so if dep provisioning failed, this test SKIPs with a
clear `deps-not-ready` reason rather than red-flagging a non-recipe failure.
"""
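Review bot: the unchanged first bullet of this docstring still says the orchestrator deploys the per-run keycloak dep "AFTER generic tiers", while the commit message says deps now provision BEFORE the single deploy and that legacy post-deploy provisioning is deleted. If the install-time ordering applies to this recipe, that bullet is stale and should be corrected in the same pass that renamed `deps_creds` to `deps` and reworded the setup_custom_tests references; otherwise a line explaining why this recipe differs would help.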
@ -31,13 +31,13 @@ def _b64url_decode(seg: str) -> bytes:
@pytest.mark.requires_deps
def test_oidc_password_grant_against_dep_keycloak(live_app, deps_creds):
def test_oidc_password_grant_against_dep_keycloak(live_app, deps):
"""The dep keycloak issues a JWT for the pre-provisioned test user via OIDC password grant."""
assert "keycloak" in deps_creds, (
f"keycloak creds not in deps_creds; got {list(deps_creds.keys())}. "
"setup_custom_tests should have populated this."
assert "keycloak" in deps, (
f"keycloak creds not in deps; got {list(deps.keys())}. "
"dep provisioning should have populated this."
)
kc = deps_creds["keycloak"]
kc = deps["keycloak"]
# Sanity-check the creds shape — orchestrator-written
assert kc["domain"]
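Review bot: in `assert "keycloak" in deps, (...)` the custom message prints only `list(deps.keys())`, but pytest's assertion introspection can still append the repr of the right-hand operand to the failure output, and `deps` is now the single fixture holding the orchestrator-written credentials. Worth confirming that the fixture's repr (and that of its entries, which now expose attributes) does not include secrets, or comparing against `deps.keys()` in the assert itself, so a failing run does not write the realm credentials into the drone log.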