feat(1d): migrate keycloak/cryptpad/matrix-synapse/n8n/lasuite-docs overlays to deploy-once contract (DG7)

Mechanical port to the assertion-only contract (no softened/skipped assertions): install uses
live_app + generic.assert_serving (extend) + the recipe's http/playwright/api checks; upgrade seeds
its data marker then generic.do_upgrade + asserts survival; backup/restore split into test_backup.py
(seed->do_backup->mutate) + new test_restore.py (do_restore->assert original). Recipe-specifics
preserved verbatim (keycloak realm+admin-console+kc_admin, matrix/lasuite db-service psql markers,
cryptpad/n8n volume markers). No recipe now double-deploys under the deploy-once orchestrator.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/lasuite-docs/test_backup.py

@@ -1,5 +1,7 @@
-"""lasuite-docs — backup/restore stage (D2): write a postgres marker, backup (pg_backup.sh pre-hook
-dumps the DB), mutate (drop it), restore (post-hook reloads), assert the restored DB matches.
+"""lasuite-docs — BACKUP overlay (Phase 1d, DG4): seed a postgres marker, back it up (pg_backup.sh
+pre-hook dumps the DB; assert a snapshot artifact), then mutate (drop it) so the RESTORE overlay
+(test_restore.py) can prove the backed-up state returns. Runs on the shared deployment; the mutated
+state persists for the restore tier.
 
 Exercises the recipe's real DB-dump backup hook (postgres + minio are both backupbot-labelled); the
 postgres marker is the meaningful Docs-metadata data path."""
@@ -8,7 +10,7 @@ import os
 import sys
 
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
-from harness import lifecycle  # noqa: E402
+from harness import generic, lifecycle  # noqa: E402
 
 
 def _psql(domain, sql):
@@ -16,31 +18,23 @@ def _psql(domain, sql):
     return lifecycle.exec_in_app(domain, ["sh", "-c", cmd], service="db").strip()
 
 
-def test_backup_mutate_restore(deployed, meta):
-    domain = deployed
+def test_backup_captures_state(live_app, meta):
+    domain = live_app
 
+    # 1) establish original state in postgres, then back up (reuse the generic op: backup +
+    #    assert a snapshot artifact; pg_backup.sh dumps the DB)
     _psql(
         domain,
         "CREATE TABLE IF NOT EXISTS ci_marker(v text); DELETE FROM ci_marker; "
         "INSERT INTO ci_marker VALUES('original');",
     )
     assert _psql(domain, "SELECT v FROM ci_marker;") == "original"
-    lifecycle.backup_app(domain)
+    snap = generic.do_backup(domain)
+    assert snap, "backup produced no snapshot artifact"
 
+    # 2) mutate: drop the marker table (diverge from the backup)
     _psql(domain, "DROP TABLE ci_marker;")
     assert _psql(domain, "SELECT to_regclass('public.ci_marker');") in (
         "",
         "NULL",
     ), "drop did not take"
-
-    lifecycle.restore_app(domain)
-    lifecycle.wait_healthy(
-        domain,
-        ok_codes=tuple(meta["HEALTH_OK"]),
-        path=meta["HEALTH_PATH"],
-        deploy_timeout=meta["DEPLOY_TIMEOUT"],
-        http_timeout=meta["HTTP_TIMEOUT"],
-    )
-    assert (
-        _psql(domain, "SELECT v FROM ci_marker;") == "original"
-    ), "restore did not return the pre-mutation postgres state"

tests/lasuite-docs/test_install.py

@@ -1,27 +1,30 @@
-"""lasuite-docs — install stage (recipe #5, multi-service + object-storage/S3). D2 install: the
-multi-service stack (frontend + Django backend + celery + y-provider + docspec + postgres + redis +
-minio + nginx) converges and serves the app over real HTTPS through the gateway.
+"""lasuite-docs — INSTALL overlay (Phase 1d, DG4): override + extend-by-composition.
 
-Login is OIDC-gated (no live OIDC provider in CI), so the functional assertion is that the frontend
-SPA is served (unauthenticated landing), not an authenticated flow."""
+Reuses the generic "really serving" assertion, then ADDS the recipe-specific checks: the multi-service
+stack serves over real HTTPS through the gateway, and a real browser loads the live Docs frontend (the
+SPA shell). Login is OIDC-gated (no live OIDC provider in CI), so the functional assertion is that the
+frontend SPA is served (unauthenticated landing), not an authenticated flow. Assertion-only on the
+shared deployment."""
 
 import os
 import sys
 
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
-from harness import lifecycle  # noqa: E402
+from harness import generic, lifecycle  # noqa: E402
 
 
-def test_http_reachable(deployed_app):
-    status = lifecycle.http_get(deployed_app, "/")
-    assert status in (200, 301, 302), f"expected 2xx/3xx from {deployed_app}, got {status}"
+def test_serving_and_frontend(live_app, meta):
+    # extend-by-composition: reuse the generic "really serving" assertion first ...
+    generic.assert_serving(live_app, meta)
 
+    # ... then the recipe-specific assertions.
+    status = lifecycle.http_get(live_app, "/")
+    assert status in (200, 301, 302), f"expected 2xx/3xx from {live_app}, got {status}"
 
-def test_playwright_loads_frontend(deployed_app):
-    """A real browser loads the live Docs frontend (the SPA shell) over HTTPS."""
+    # A real browser loads the live Docs frontend (the SPA shell) over HTTPS.
     from playwright.sync_api import sync_playwright
 
-    url = f"https://{deployed_app}/"
+    url = f"https://{live_app}/"
     with sync_playwright() as p:
         browser = p.chromium.launch(args=["--no-sandbox"])
         try:

tests/lasuite-docs/test_restore.py

@@ -0,0 +1,27 @@
+"""lasuite-docs — RESTORE overlay (Phase 1d, DG4): data-integrity, extends the generic restore.
+
+Runs after the backup overlay (test_backup.py) on the SAME shared deployment, which left the postgres
+marker table dropped after dumping it. This restores the snapshot via the shared op helper
+(`generic.do_restore`, which also asserts the app is healthy + serving afterwards; the recipe's
+restore.post-hook reloads the dump), then asserts the restored DB matches the pre-mutation "original"
+— the app-specific data integrity the generic restore cannot check. Reads via `psql` in the `db`
+service. Assertion-only (no deploy/teardown)."""
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+from harness import generic, lifecycle  # noqa: E402
+
+
+def _psql(domain, sql):
+    cmd = f'PGPASSWORD=$(cat /run/secrets/postgres_p) psql -U docs -d docs -tAc "{sql}"'
+    return lifecycle.exec_in_app(domain, ["sh", "-c", cmd], service="db").strip()
+
+
+def test_restore_returns_state(live_app, meta):
+    domain = live_app
+    generic.do_restore(domain, meta)  # restore + assert healthy/serving
+    assert (
+        _psql(domain, "SELECT v FROM ci_marker;") == "original"
+    ), "restore did not return the pre-mutation postgres state"

tests/lasuite-docs/test_upgrade.py

@@ -1,16 +1,16 @@
-"""lasuite-docs — upgrade stage (D2): deploy the previous published version, write a DB marker,
-upgrade to current/$REF, assert the app stays healthy and the postgres data survives.
+"""lasuite-docs — UPGRADE overlay (Phase 1d, DG4): data-continuity, extends the generic upgrade.
 
-Docs metadata lives in postgres, so the marker is a row in a dedicated `ci_marker` table (the app's
-own Django migrations don't touch it), read back via `psql` in the `db` service."""
+The orchestrator deployed the previous published version ONCE; this overlay writes a marker row into
+postgres (a dedicated `ci_marker` table the app's own Django migrations don't touch, read back via
+`psql` in the `db` service), performs the in-place upgrade via the shared op helper
+(`generic.do_upgrade`, which also asserts reconverge + serving + that the deployment moved), then
+asserts the postgres data SURVIVED. Assertion-only on the shared deployment."""
 
 import os
 import sys
 
-import pytest
-
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
-from harness import lifecycle  # noqa: E402
+from harness import generic, lifecycle  # noqa: E402
 
 
 def _psql(domain, sql):
@@ -18,26 +18,8 @@ def _psql(domain, sql):
     return lifecycle.exec_in_app(domain, ["sh", "-c", cmd], service="db").strip()
 
 
-@pytest.fixture
-def old_app(recipe, app_domain, meta, request):
-    prev = lifecycle.previous_version(recipe)
-    if not prev:
-        pytest.skip(f"{recipe}: no previous published version to upgrade from")
-    lifecycle.janitor()
-    request.addfinalizer(lambda: lifecycle.teardown_app(app_domain))
-    lifecycle.deploy_app(recipe, app_domain, version=prev)
-    lifecycle.wait_healthy(
-        app_domain,
-        ok_codes=tuple(meta["HEALTH_OK"]),
-        path=meta["HEALTH_PATH"],
-        deploy_timeout=meta["DEPLOY_TIMEOUT"],
-        http_timeout=meta["HTTP_TIMEOUT"],
-    )
-    return app_domain, prev
-
-
-def test_upgrade_preserves_data(old_app, meta):
-    domain, prev = old_app
+def test_upgrade_preserves_data(live_app, meta):
+    domain = live_app
     _psql(
         domain,
         "CREATE TABLE IF NOT EXISTS ci_marker(v text); DELETE FROM ci_marker; "
@@ -45,14 +27,8 @@ def test_upgrade_preserves_data(old_app, meta):
     )
     assert _psql(domain, "SELECT v FROM ci_marker;") == "upgrade-survives"
 
-    lifecycle.upgrade_app(domain, version=os.environ.get("VERSION") or None)
-    lifecycle.wait_healthy(
-        domain,
-        ok_codes=tuple(meta["HEALTH_OK"]),
-        path=meta["HEALTH_PATH"],
-        deploy_timeout=meta["DEPLOY_TIMEOUT"],
-        http_timeout=meta["HTTP_TIMEOUT"],
-    )
+    # in-place upgrade previous -> target (reuses the generic op: upgrade + assert reconverge/serving)
+    generic.do_upgrade(domain, os.environ.get("VERSION") or None, meta)
 
     assert lifecycle.http_get(domain, "/") in (200, 301, 302)
     assert (