feat(1e): HC3 additive generic + op/assertion split (orchestrator owns the op)

- orchestrator: per mutating tier, run optional pre-op seed hook (ops.py pre_<op>) → perform the op
  ONCE (harness-owned) → run generic assertion (unless opted out) AND overlay assertion, both against
  the shared post-op deployment. Op results passed op→assertion via run-scoped CCCI_OP_STATE_FILE.
- opt-out: CCCI_SKIP_GENERIC / CCCI_SKIP_GENERIC_<OP> / recipe_meta.SKIP_GENERIC (declarative).
- generic.py: split do_* into op primitives (perform_upgrade/backup/restore) + assertions
  (assert_upgraded/backup_artifact/restore_healthy) reading op_state(); deployed_identity now returns
  {version,image,chaos} (chaos label ready for HC1).
- generic test_<op>.py + all 6 recipe overlays migrated to assertion-only; pre-op seeding moved to
  per-recipe ops.py (pre_upgrade/pre_backup/pre_restore). install overlays unchanged (no op).
- deploy-count stays 1 (op primitives never call deploy_app). lint PASS; 8 unit tests PASS on cc-ci.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/cryptpad/ops.py

@@ -0,0 +1,27 @@
+"""cryptpad — pre-op seed hooks (Phase 1e HC3). The orchestrator runs these BEFORE the op; the
+matching test_<op>.py asserts post-op (assertion-only). cryptpad data isn't HTTP-served (encrypted
+datastore), so the marker in the persistent cryptpad_data volume is read back via exec_in_app."""
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+from harness import lifecycle  # noqa: E402
+
+MARKER = "/cryptpad/data/ci-marker.txt"
+
+
+def _write(domain, val):
+    lifecycle.exec_in_app(domain, ["sh", "-c", f"echo {val} > {MARKER}"])
+
+
+def pre_upgrade(domain, meta):
+    _write(domain, "upgrade-survives")
+
+
+def pre_backup(domain, meta):
+    _write(domain, "original")
+
+
+def pre_restore(domain, meta):
+    _write(domain, "mutated")  # diverge so a successful restore is observable

tests/cryptpad/test_backup.py

@@ -1,30 +1,19 @@
-"""cryptpad — BACKUP overlay (Phase 1d, DG4): seed a known state into the backed-up cryptpad_data
-volume, back it up (assert a snapshot artifact), then mutate so the RESTORE overlay (test_restore.py)
-can prove the backed-up state returns. Runs on the shared deployment; the mutated marker persists for
-the restore tier.
+"""cryptpad — BACKUP overlay (Phase 1e HC3): assertion-only + additive.
 
-The cryptpad `app` service is labelled `backupbot.backup=true`, so its volumes (incl. cryptpad_data)
-are backed up. Marker is checked via `exec_in_app` (data isn't HTTP-served)."""
+ops.pre_backup seeded "original" into cryptpad_data; the orchestrator performed the backup once
+(generic tier asserted a snapshot artifact). This overlay ADDS: the seeded state is intact at backup
+time. The backup→restore divergence is in ops.pre_restore."""
 
 import os
 import sys
 
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
-from harness import generic, lifecycle  # noqa: E402
+from harness import lifecycle  # noqa: E402
 
 MARKER = "/cryptpad/data/ci-marker.txt"
 
 
-def test_backup_captures_state(live_app, meta):
-    domain = live_app
-
-    # 1) establish original state in the backed-up volume, then back it up (reuse the generic op:
-    #    backup + assert a snapshot artifact was produced)
-    lifecycle.exec_in_app(domain, ["sh", "-c", f"echo original > {MARKER}"])
-    assert lifecycle.exec_in_app(domain, ["cat", MARKER]).strip() == "original"
-    snap = generic.do_backup(domain)
-    assert snap, "backup produced no snapshot artifact"
-
-    # 2) mutate state (diverge from the backup)
-    lifecycle.exec_in_app(domain, ["sh", "-c", f"echo mutated > {MARKER}"])
-    assert lifecycle.exec_in_app(domain, ["cat", MARKER]).strip() == "mutated"
+def test_backup_captures_state(live_app):
+    assert (
+        lifecycle.exec_in_app(live_app, ["cat", MARKER]).strip() == "original"
+    ), "the seeded state was not present at backup time"

tests/cryptpad/test_restore.py

@@ -1,24 +1,19 @@
-"""cryptpad — RESTORE overlay (Phase 1d, DG4): data-integrity, extends the generic restore.
+"""cryptpad — RESTORE overlay (Phase 1e HC3): data-integrity, assertion-only + additive.
 
-Runs after the backup overlay (test_backup.py) on the SAME shared deployment, which left the
-cryptpad_data marker mutated to "mutated" after backing up "original". This restores the snapshot via
-the shared op helper (`generic.do_restore`, which also asserts the app is healthy + serving
-afterwards), then asserts the volume data returned to the pre-mutation "original" — the app-specific
-data integrity the generic restore cannot check. Reads the marker via `exec_in_app` (data isn't
-HTTP-served). Assertion-only (no deploy/teardown)."""
+ops.pre_restore mutated the cryptpad_data marker to "mutated"; the orchestrator restored once
+(generic tier asserted healthy/serving). This overlay ADDS: the volume data returned to the
+pre-mutation (backed-up) "original". Read via exec_in_app."""
 
 import os
 import sys
 
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
-from harness import generic, lifecycle  # noqa: E402
+from harness import lifecycle  # noqa: E402
 
 MARKER = "/cryptpad/data/ci-marker.txt"
 
 
-def test_restore_returns_state(live_app, meta):
-    domain = live_app
-    generic.do_restore(domain, meta)  # restore + assert healthy/serving
+def test_restore_returns_state(live_app):
     assert (
-        lifecycle.exec_in_app(domain, ["cat", MARKER]).strip() == "original"
+        lifecycle.exec_in_app(live_app, ["cat", MARKER]).strip() == "original"
     ), "restore did not return the pre-mutation state"

tests/cryptpad/test_upgrade.py

@@ -1,31 +1,19 @@
-"""cryptpad — UPGRADE overlay (Phase 1d, DG4): data-continuity, extends the generic upgrade.
+"""cryptpad — UPGRADE overlay (Phase 1e HC3): data-continuity, assertion-only + additive.
 
-The orchestrator deployed the previous published version ONCE; this overlay writes a marker into the
-persistent cryptpad_data volume (cryptpad data isn't HTTP-served as a static file — it's an encrypted
-datastore — so the marker is read back via `exec_in_app`, not HTTP), performs the in-place upgrade via
-the shared op helper (`generic.do_upgrade`, which also asserts reconverge + serving + that the
-deployment moved), then asserts the data SURVIVED. Assertion-only on the shared deployment."""
+ops.pre_upgrade seeded a marker into the persistent cryptpad_data volume; the orchestrator performed
+the upgrade once (generic tier asserted reconverge/serving/moved). This overlay ADDS: the data
+survived the upgrade. Read via exec_in_app (cryptpad data isn't HTTP-served)."""
 
 import os
 import sys
 
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
-from harness import generic, lifecycle  # noqa: E402
+from harness import lifecycle  # noqa: E402
 
 MARKER = "/cryptpad/data/ci-marker.txt"
 
 
-def test_upgrade_preserves_data(live_app, meta):
-    domain = live_app
-    # write a data marker into the persistent cryptpad_data volume
-    lifecycle.exec_in_app(domain, ["sh", "-c", f"echo upgrade-survives > {MARKER}"])
-    assert lifecycle.exec_in_app(domain, ["cat", MARKER]).strip() == "upgrade-survives"
-
-    # in-place upgrade previous -> target (reuses the generic op: upgrade + assert reconverge/serving)
-    generic.do_upgrade(domain, os.environ.get("VERSION") or None, meta)
-
-    # app healthy and the data written before the upgrade is still there
-    assert lifecycle.http_get(domain, "/") in (200, 301, 302)
+def test_upgrade_preserves_data(live_app):
     assert (
-        lifecycle.exec_in_app(domain, ["cat", MARKER]).strip() == "upgrade-survives"
+        lifecycle.exec_in_app(live_app, ["cat", MARKER]).strip() == "upgrade-survives"
     ), "data did not survive the upgrade"