feat(1d): migrate keycloak/cryptpad/matrix-synapse/n8n/lasuite-docs overlays to deploy-once contract (DG7)

Mechanical port to the assertion-only contract (no softened/skipped assertions): install uses
live_app + generic.assert_serving (extend) + the recipe's http/playwright/api checks; upgrade seeds
its data marker then generic.do_upgrade + asserts survival; backup/restore split into test_backup.py
(seed->do_backup->mutate) + new test_restore.py (do_restore->assert original). Recipe-specifics
preserved verbatim (keycloak realm+admin-console+kc_admin, matrix/lasuite db-service psql markers,
cryptpad/n8n volume markers). No recipe now double-deploys under the deploy-once orchestrator.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/cryptpad/test_upgrade.py

@@ -1,53 +1,28 @@
-"""cryptpad — upgrade stage (D2): deploy the previous published version, write a data marker into a
-persistent volume, upgrade to current/$REF, assert the app stays healthy and the data survives.
+"""cryptpad — UPGRADE overlay (Phase 1d, DG4): data-continuity, extends the generic upgrade.
 
-cryptpad data isn't HTTP-served as a static file (it's an encrypted datastore), so the marker is
-written into the cryptpad_data volume and read back via `exec_in_app` (docker exec), not HTTP."""
+The orchestrator deployed the previous published version ONCE; this overlay writes a marker into the
+persistent cryptpad_data volume (cryptpad data isn't HTTP-served as a static file — it's an encrypted
+datastore — so the marker is read back via `exec_in_app`, not HTTP), performs the in-place upgrade via
+the shared op helper (`generic.do_upgrade`, which also asserts reconverge + serving + that the
+deployment moved), then asserts the data SURVIVED. Assertion-only on the shared deployment."""
 
 import os
 import sys
 
-import pytest
-
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
-from harness import lifecycle  # noqa: E402
+from harness import generic, lifecycle  # noqa: E402
 
 MARKER = "/cryptpad/data/ci-marker.txt"
 
 
-@pytest.fixture
-def old_app(recipe, app_domain, meta, request):
-    prev = lifecycle.previous_version(recipe)
-    if not prev:
-        pytest.skip(f"{recipe}: no previous published version to upgrade from")
-    lifecycle.janitor()
-    request.addfinalizer(lambda: lifecycle.teardown_app(app_domain))
-    lifecycle.deploy_app(recipe, app_domain, version=prev)
-    lifecycle.wait_healthy(
-        app_domain,
-        ok_codes=tuple(meta["HEALTH_OK"]),
-        path=meta["HEALTH_PATH"],
-        deploy_timeout=meta["DEPLOY_TIMEOUT"],
-        http_timeout=meta["HTTP_TIMEOUT"],
-    )
-    return app_domain, prev
-
-
-def test_upgrade_preserves_data(old_app, meta):
-    domain, prev = old_app
+def test_upgrade_preserves_data(live_app, meta):
+    domain = live_app
     # write a data marker into the persistent cryptpad_data volume
     lifecycle.exec_in_app(domain, ["sh", "-c", f"echo upgrade-survives > {MARKER}"])
     assert lifecycle.exec_in_app(domain, ["cat", MARKER]).strip() == "upgrade-survives"
 
-    # upgrade previous -> current/$REF
-    lifecycle.upgrade_app(domain, version=os.environ.get("VERSION") or None)
-    lifecycle.wait_healthy(
-        domain,
-        ok_codes=tuple(meta["HEALTH_OK"]),
-        path=meta["HEALTH_PATH"],
-        deploy_timeout=meta["DEPLOY_TIMEOUT"],
-        http_timeout=meta["HTTP_TIMEOUT"],
-    )
+    # in-place upgrade previous -> target (reuses the generic op: upgrade + assert reconverge/serving)
+    generic.do_upgrade(domain, os.environ.get("VERSION") or None, meta)
 
     # app healthy and the data written before the upgrade is still there
     assert lifecycle.http_get(domain, "/") in (200, 301, 302)