status(1d): G1 CLAIMED — DG2+DG3 green on hedgedoc full lifecycle (deploy-count=1)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

machine-docs/BACKLOG-1d.md

@@ -16,10 +16,11 @@
 - [x] Generic install green on **hedgedoc** (no cc-ci/repo-local tests, deploy-count=1, clean
       teardown). custom-html-tiny rejected (empty static volume → 404 zero-config). → G0 CLAIMED.
 
-### G1 — Generic upgrade + backup/restore (DG2, DG3)
-- [ ] Generic upgrade tier: previous→target in place; reconverge + serving.
-- [ ] Generic backup/restore tiers gated on backup-capability; clean N/A skip otherwise.
-- [ ] Prove on a backup-capable recipe (custom-html: has backupbot labels).
+### G1 — Generic upgrade + backup/restore (DG2, DG3) — CLAIMED, awaiting Adversary
+- [x] Generic upgrade tier: previous→target in place; reconverge + serving (hedgedoc 3.0.9→3.0.10).
+- [x] Generic backup/restore tiers gated on backup-capability (snapshot_id artifact + healthy restore).
+- [x] Proven green on backup-capable hedgedoc (full lifecycle, deploy-count=1, clean teardown).
+- [ ] DG3 N/A-skip run-demo on a non-capable serving recipe → folded into G3 (custom-html-tiny).
 
 ### G2 — Layering + discovery + precedence (DG4, DG4.1)
 - [ ] Migrate an existing recipe's tests to the new assertion-only overlay contract as the proof.

machine-docs/JOURNAL-1d.md

@@ -99,3 +99,25 @@ Two real bugs found+fixed via live runs:
    while a persistent failure still fails within HTTP_TIMEOUT (no bare sleep). `do_upgrade`/`do_restore`
    call it (dropped the redundant `wait_serving`).
 Re-running full hedgedoc install→upgrade→backup→restore to confirm all-green before claiming G1.
+
+## 2026-05-27 — G1 GREEN (DG2 + DG3), claiming gate
+
+Full generic lifecycle on **hedgedoc** (no overlay → all tiers generic), final code, on cc-ci:
+```
+$ RECIPE=hedgedoc STAGES=install,upgrade,backup,restore CCCI_JANITOR_MAX_AGE=0 cc-ci-run runner/run_recipe_ci.py
+TIER: install  (generic) test_serving            PASSED   # deploy base=prev 3.0.9, serves
+TIER: upgrade  (generic) test_upgrade_reconverges PASSED  # abra app upgrade -> 3.0.10 in place, reconverged+serving
+TIER: backup   (generic) test_backup_artifact     PASSED  # snapshot_id produced
+TIER: restore  (generic) test_restore_healthy     PASSED  # restored + healthy
+RUN SUMMARY: deploy-count = 1 (expect 1)   install/upgrade/backup/restore : pass
+$ docker stack ls | grep -iE 'hedg|cust'  -> (none — clean teardown)
+```
+- **DG2** (generic upgrade, prev→target in place on the shared deployment, reconverge+serving) ✅.
+- **DG3** backup-capable path ✅ (artifact = snapshot_id from create; restore completes + healthy).
+- **DG3 N/A logic** evidenced: `generic.backup_capable` → hedgedoc=True, custom-html=True,
+  custom-html-tiny=False. The non-capable **run-demo** (backup/restore reported `skip`, install
+  passing) lands naturally in **G3**: custom-html-tiny is non-backup-capable AND only serves once the
+  install-steps content hook is added — so the same recipe proves DG5 (fail-without/pass-with) and
+  DG3-N/A (skip on a serving non-backup recipe) together.
+- **DG4.1** corroborated again: deploy-count=1 across the whole install→upgrade→backup→restore run.
+Claiming G1.

machine-docs/STATUS-1d.md

@@ -15,8 +15,11 @@ per-recipe overlay authoring is Phase 2.
 - [x] **DG1** — Generic INSTALL test (recipe-agnostic): app new→deploy→converged→really serving
       (real HTTP(S), not Traefik fallback). Green on a simple recipe with no cc-ci/repo-local tests.
       **Adversary PASS @2026-05-27** (cold, hedgedoc, deploy-count=1, clean teardown).
-- [ ] **DG2** — Generic UPGRADE: previous/pinned → upgrade to target; reconverge + still serving.
-- [ ] **DG3** — Generic BACKUP+RESTORE for backup-capable recipes; clean N/A (skip) otherwise.
+- [~] **DG2** — Generic UPGRADE: previous/pinned → upgrade to target; reconverge + still serving.
+      **Green on hedgedoc (3.0.9→3.0.10); CLAIMED (G1).**
+- [~] **DG3** — Generic BACKUP+RESTORE for backup-capable recipes; clean N/A (skip) otherwise.
+      **Backup-capable path green on hedgedoc (snapshot_id artifact + healthy restore); CLAIMED (G1).**
+      N/A-skip run-demo (non-capable serving recipe) lands in G3 with custom-html-tiny.
 - [ ] **DG4** — Layering (override-or-extend; generic is the default); discovery + cc-ci/repo-local
       precedence settled in DECISIONS. Invariant: no overlay for an op ⇒ generic runs.
 - [ ] **DG4.1** — Overlays reuse the deployment: ONE deploy + ONE teardown per run; no extra
@@ -35,21 +38,24 @@ per-recipe overlay authoring is Phase 2.
 - **G4** — `!testme` e2e + per-op reporting + docs + cold verify. *Accept: DG6, DG7, DG8 → DONE.*
 
 ## In flight
-**G1 — generic upgrade + backup/restore.** Verifying the full generic lifecycle on hedgedoc
-(install→upgrade→backup→restore). DG2 (upgrade) already green; fixed two real bugs (backup artifact
-read from `abra app backup create`'s snapshot_id since `snapshots` needs a TTY; restore serving race
-→ single-request `http_fetch` + bounded-poll `assert_serving`). Re-running to confirm all-green, then
-claim G1.
+**G2 — layering + discovery + precedence (next).** While the Adversary verifies G1, build/prove the
+override-or-extend layering: migrate an existing recipe's tests to the new assertion-only overlay
+contract and show an overlay runs on top of the shared deployment with no redeploy (deploy-count=1).
 
-**F1d-1 (Adversary, low/DG7) — FIXED in code, awaiting Adversary re-test+close.** The cert check is
-reframed honestly as an INFRA TLS sanity check (catches a lapsed/mis-rotated wildcard cert), NOT an
-app-vs-fallback check — the genuine serving proof is `services_converged` + non-404 status. See
-JOURNAL-1d + generic.py docstrings.
+**F1d-1 (Adversary, low/DG7) — FIXED in code, awaiting Adversary re-test+close.** Cert check reframed
+honestly as an INFRA TLS sanity check (catches a lapsed/mis-rotated wildcard cert), NOT app-vs-fallback
+— the genuine serving proof is `services_converged` + non-404 status. See JOURNAL-1d + generic.py.
 
 ## Gate
-**G0/DG1 — Adversary PASS @2026-05-27.** Cleared past G0. Generic INSTALL green on hedgedoc (pure
-generic, deploy-count=1, clean teardown). Next gate: G1 (DG2+DG3), claimed once the hedgedoc full
-lifecycle is confirmed all-green.
+**G0/DG1 — Adversary PASS @2026-05-27.** Cleared.
+
+**Gate: G1 CLAIMED, awaiting Adversary (DG2 + DG3).** Full generic lifecycle green on **hedgedoc**
+(no overlay → all tiers generic): install→upgrade(3.0.9→3.0.10 in place)→backup(snapshot_id
+artifact)→restore(healthy), **deploy-count = 1**, clean teardown. backup-capability auto-detect
+evidenced (hedgedoc/custom-html=True, custom-html-tiny=False). DG3's N/A-skip run-demo (non-capable
+serving recipe) is deferred to G3 (custom-html-tiny). Evidence + commands in JOURNAL-1d.
+Reproduce (cold): `RECIPE=hedgedoc STAGES=install,upgrade,backup,restore CCCI_JANITOR_MAX_AGE=0 \
+cc-ci-run runner/run_recipe_ci.py` on cc-ci from a clean clone.
 
 Design (DECISIONS.md Phase 1d): tier model with the lifecycle OP owned by the shared harness (test
 files = assertions only); override precedence repo-local > cc-ci > generic + extend-by-composition;