feat(1e): HC3 additive generic + op/assertion split (orchestrator owns the op)

- orchestrator: per mutating tier, run optional pre-op seed hook (ops.py pre_<op>) → perform the op
  ONCE (harness-owned) → run generic assertion (unless opted out) AND overlay assertion, both against
  the shared post-op deployment. Op results passed op→assertion via run-scoped CCCI_OP_STATE_FILE.
- opt-out: CCCI_SKIP_GENERIC / CCCI_SKIP_GENERIC_<OP> / recipe_meta.SKIP_GENERIC (declarative).
- generic.py: split do_* into op primitives (perform_upgrade/backup/restore) + assertions
  (assert_upgraded/backup_artifact/restore_healthy) reading op_state(); deployed_identity now returns
  {version,image,chaos} (chaos label ready for HC1).
- generic test_<op>.py + all 6 recipe overlays migrated to assertion-only; pre-op seeding moved to
  per-recipe ops.py (pre_upgrade/pre_backup/pre_restore). install overlays unchanged (no op).
- deploy-count stays 1 (op primitives never call deploy_app). lint PASS; 8 unit tests PASS on cc-ci.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

runner/harness/lifecycle.py

@@ -245,11 +245,18 @@ def wait_healthy(
     raise TimeoutError(f"{domain}: not healthy over HTTPS {path} (last status {last})")
 
 
-def deployed_identity(domain: str, service: str = "app") -> tuple[str | None, str | None]:
-    """(coop-cloud version label, image) of the running app service. Used to prove an upgrade
-    actually MOVED the deployment prev→target (not a vacuous no-op — Adversary F1d-2). The version
-    label (`coop-cloud.<stack>.version`) is bumped per published recipe version; the image usually
-    bumps too. Either changing proves the upgrade did something."""
+def deployed_identity(domain: str, service: str = "app") -> dict[str, str | None]:
+    """Identity of the running app service: {"version", "image", "chaos"}. Used to prove an upgrade
+    actually MOVED the deployment (not a vacuous no-op — Adversary F1d-2), AND (Phase 1e HC1) that an
+    `abra app deploy --chaos` upgrade actually deployed the PR-head code under test.
+
+    - `version` = the `coop-cloud.<stack>.version` label (bumped per published recipe version).
+    - `image`   = the running container image (usually bumps with a published version).
+    - `chaos`   = the chaos label value (a chaos deploy stamps the recipe git commit/dirty state here)
+      — present after `abra app deploy --chaos`, absent on a clean pinned-tag deploy. For prev→PR-head
+      this is THE proof PR-head was deployed even when the version label is unbumped (HC1). The exact
+      chaos label key varies by abra version, so we capture any `coop-cloud.<stack>.*` label whose key
+      contains "chaos"."""
     name = f"{_stack_name(domain)}_{service}"
     proc = subprocess.run(
         [
@@ -265,15 +272,18 @@ def deployed_identity(domain: str, service: str = "app") -> tuple[str | None, st
     )
     out = proc.stdout.strip()
     if "|" not in out:
-        return (None, None)
+        return {"version": None, "image": None, "chaos": None}
     labels_json, _, image = out.partition("|")
-    ver = None
+    ver = chaos = None
     with contextlib.suppress(ValueError, json.JSONDecodeError):
         for k, v in json.loads(labels_json).items():
-            if k.startswith("coop-cloud.") and k.endswith(".version"):
+            if not k.startswith("coop-cloud."):
+                continue
+            if k.endswith(".version"):
                 ver = v
-                break
-    return (ver, image.strip() or None)
+            elif "chaos" in k:
+                chaos = v
+    return {"version": ver, "image": image.strip() or None, "chaos": chaos}
 
 
 def upgrade_app(domain: str, version: str | None = None) -> None: