feat(harness): P2 — delete legacy customization keys & paths (rcust)

a) compose.ccci.yml is FIRST-CLASS: the harness auto-copies tests/<recipe>/
   compose.ccci.yml into the run's recipe checkout (ABRA_DIR-aware, lifecycle.
   provide_ccci_overlay) and auto-chaoses the pinned base deploy on its presence
   (kills the R7 implicit coupling). ghost/discourse install_steps.sh (copy-only
   boilerplate) deleted; CHAOS_BASE_DEPLOY removed from both metas + the registry.

b) install-time deps wiring is the ONLY mode: deps with DEPS provision BEFORE the
   single deploy; legacy post-deploy provisioning + the setup_custom_tests.sh
   invocation machinery deleted. lasuite-docs migrated to install_steps.sh OIDC
   wiring (same env names/values as the old hook — only the timing moved);
   lasuite-drive's remaining post-deploy MinIO bucket one-shot moved to ops.py
   pre_install; both setup_custom_tests.sh files deleted; OIDC_AT_INSTALL removed
   from drive/meet metas + the registry.

c) SKIP_GENERIC meta key deleted (zero users). Env form CCCI_SKIP_GENERIC* stays
   as the documented dev-only escape hatch; when active in a drone CI run the
   orchestrator prints a loud !! warning (manifest embedding lands in P5).

d) conftest cleanup: dead pre-deploy-once fixtures deployed/deployed_app deleted
   (zero users), app_domain + _short + _wait_healthy dropped (only users were the
   deleted fixtures); deps_apps+deps_creds consolidated into ONE deps fixture
   (entries expose .domain etc. as attributes; dict access intact); the 6 lasuite
   test files renamed deps_creds->deps (fixture name only — assertions and flows
   byte-identical). requires_deps marker + F2-11 skip-report plumbing unchanged.

Registry is now exactly the 14 final keys; docs §4 table regenerated. Stale
setup_custom_tests/OIDC_AT_INSTALL prose in docstrings/comments/assert MESSAGES
updated (no assert logic or expected value touched).

Verified on cc-ci: cc-ci-run -m pytest tests/unit -q -> 175 passed; scripts/lint.sh -> PASS.

tests/lasuite-meet/functional/test_meeting_flow.py

@@ -36,8 +36,8 @@ def _b64url(seg: str) -> bytes:
     return base64.urlsafe_b64decode(seg + "=" * ((4 - len(seg) % 4) % 4))
 
 
-def _creds(deps_creds: dict) -> dict:
-    kc = deps_creds["keycloak"]
+def _creds(deps: dict) -> dict:
+    kc = deps["keycloak"]
     return {
         "provider": "keycloak",
         "provider_domain": kc["domain"],
@@ -55,10 +55,10 @@ def _creds(deps_creds: dict) -> dict:
 
 
 @pytest.mark.requires_deps
-def test_create_room_get_livekit_token_and_read_back(live_app, deps_creds):
-    assert "keycloak" in deps_creds, f"keycloak creds missing; got {list(deps_creds.keys())}"
+def test_create_room_get_livekit_token_and_read_back(live_app, deps):
+    assert "keycloak" in deps, f"keycloak creds missing; got {list(deps.keys())}"
     base = f"https://{live_app}"
-    token = sso.oidc_password_grant(_creds(deps_creds))
+    token = sso.oidc_password_grant(_creds(deps))
     assert isinstance(token, str) and token.count(".") == 2, "OIDC access token is not a JWT"
     auth = {"Authorization": f"Bearer {token}"}
 

tests/lasuite-meet/functional/test_oidc_with_keycloak.py

@@ -3,12 +3,12 @@
 Meet (La Suite Meet) is OIDC-required: login is gated by an external OpenID Connect provider.
 Mirrors the proven lasuite-docs SSO model:
 - The orchestrator deploys a per-run keycloak dep AFTER the generic tiers and provisions a fresh
-  realm/client/user via `harness.sso.setup_keycloak_realm`; `setup_custom_tests.sh` then wires the
+  realm/client/user via `harness.sso.setup_keycloak_realm`; `install_steps.sh` then wires the
   OIDC env + client secret into the running drive app and redeploys. Creds land in `$CCCI_DEPS_FILE`
-  (read here via the `deps_creds` fixture).
+  (read here via the `deps` fixture).
 - This test consumes those creds and exercises the real OIDC flow against the dep keycloak: discovery
   endpoint advertises the realm, and a password grant yields a valid JWT with the expected claims.
-- Marked `@pytest.mark.requires_deps` so if setup_custom_tests failed the test SKIPs with a clear
+- Marked `@pytest.mark.requires_deps` so if dep provisioning failed the test SKIPs with a clear
   `deps-not-ready` reason — and (per F2-11) the orchestrator then fails the run rather than going
   green on a skipped SSO test.
 
@@ -36,13 +36,13 @@ def _b64url_decode(seg: str) -> bytes:
 
 
 @pytest.mark.requires_deps
-def test_oidc_password_grant_against_dep_keycloak(live_app, deps_creds):
+def test_oidc_password_grant_against_dep_keycloak(live_app, deps):
     """The dep keycloak issues a JWT for the pre-provisioned test user via OIDC password grant."""
-    assert "keycloak" in deps_creds, (
-        f"keycloak creds not in deps_creds; got {list(deps_creds.keys())}. "
-        "setup_custom_tests should have populated this."
+    assert "keycloak" in deps, (
+        f"keycloak creds not in deps; got {list(deps.keys())}. "
+        "dep provisioning should have populated this."
     )
-    kc = deps_creds["keycloak"]
+    kc = deps["keycloak"]
 
     # Creds shape. WC1: realm is per-run namespaced "<parent>-<6hex>"; client_id stays the parent.
     assert kc["domain"]

tests/lasuite-meet/install_steps.sh

@@ -4,7 +4,8 @@
 # Runs during the install tier AFTER `abra app new` + EXTRA_ENV + `abra app secret generate`, and
 # BEFORE the single `abra app deploy` (lifecycle.py::_run_install_steps). Writing OIDC env + the real
 # client secret HERE means the recipe deploys ONCE with OIDC already wired — no post-deploy reconverge
-# (OIDC_AT_INSTALL). The orchestrator provisions the per-run realm/client on the live-warm keycloak
+# (install-time deps wiring — the only mode since rcust P2b). The orchestrator provisions the
+# per-run realm/client on the live-warm keycloak
 # BEFORE this hook and writes $CCCI_DEPS_FILE (the recipe→creds dict).
 #
 # Meet's OIDC is REQUIRED (recipe README). Same La Suite/impress env contract as drive, with meet's

tests/lasuite-meet/recipe_meta.py

@@ -13,13 +13,12 @@ HEALTH_OK = (200, 301, 302)
 DEPLOY_TIMEOUT = 1200
 HTTP_TIMEOUT = 600
 
-# SSO-dependent (recipe.toml requires=["keycloak"], [sso] provider=keycloak). Wire OIDC at INSTALL
-# time against the live-warm keycloak — same machinery as lasuite-drive (Q3.2a): the orchestrator
-# provisions the per-run realm BEFORE the single `abra app deploy`, and tests/lasuite-meet/
-# install_steps.sh writes the OIDC env + client secret into that one deploy (no post-deploy
-# reconverge). Meet boots fine with OIDC env set because keycloak is live-warm.
+# SSO-dependent (recipe.toml requires=["keycloak"], [sso] provider=keycloak). OIDC is wired at
+# INSTALL time (the only deps mode since rcust P2b) against the live-warm keycloak: the
+# orchestrator provisions the per-run realm BEFORE the single `abra app deploy`, and
+# tests/lasuite-meet/install_steps.sh writes the OIDC env + client secret into that one deploy
+# (no post-deploy reconverge). Meet boots fine with OIDC env set because keycloak is live-warm.
 DEPS = ["keycloak"]
-OIDC_AT_INSTALL = True
 
 
 def EXTRA_ENV(domain):