status(1d): re-claim G1 (DG2 non-vacuous after F1d-2 fix) + claim G2 (DG4/DG4.1 overlay layering)

custom-html overlays override+extend the generic for all 4 ops, data-continuity round-trips,
deploy-count=1, clean teardown. Discovery precedence unit tests 5/5. hedgedoc generic lifecycle
green with genuine 1.10.7->1.10.8 upgrade (move-assertion).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

machine-docs/BACKLOG-1d.md

@@ -22,9 +22,10 @@
 - [x] Proven green on backup-capable hedgedoc (full lifecycle, deploy-count=1, clean teardown).
 - [ ] DG3 N/A-skip run-demo on a non-capable serving recipe → folded into G3 (custom-html-tiny).
 
-### G2 — Layering + discovery + precedence (DG4, DG4.1)
-- [ ] Migrate an existing recipe's tests to the new assertion-only overlay contract as the proof.
-- [ ] Prove override (overlay replaces generic) + extend-by-composition; no redeploy (deploy-count==1).
+### G2 — Layering + discovery + precedence (DG4, DG4.1) — CLAIMED, awaiting Adversary
+- [x] Migrated custom-html overlays to the assertion-only contract (override + extend + data-continuity).
+- [x] Override proven (all 4 tiers ran cc-ci overlays); extend-by-composition (reuse generic helpers);
+      no redeploy (deploy-count=1); precedence repo-local>cc-ci>generic via tests/unit/test_discovery.py (5/5).
 
 ### G3 — Custom install-steps hook + graceful-generic (DG5)
 - [ ] install_steps.sh hook run during install tier (after app new+env, before deploy).

machine-docs/JOURNAL-1d.md

@@ -147,3 +147,33 @@ CHANGED: True
 ```
 Re-running the full hedgedoc + custom-html lifecycles to confirm all-green with the move-assertion,
 then re-claim G1 (and G2: custom-html overlays override+extend the generic, deploy-count=1).
+
+## 2026-05-28 — G1 re-confirmed + G2 GREEN; re-claiming both gates
+
+After the F1d-2 fix + the container-retry + the exec-read overlay fix, both full lifecycles are green
+on cc-ci (final code), deploy-count=1, clean teardown:
+
+**G1 (generic, hedgedoc):** install/upgrade/backup/restore all pass; upgrade genuinely 1.10.7→1.10.8
+with the move-assertion (`deployed_identity` version-label/image change) — DG2 non-vacuous now.
+
+**G2 (overlays, custom-html):**
+```
+TIER install  (cc-ci: tests/custom-html/test_install.py)  test_serving_and_content   PASSED
+TIER upgrade  (cc-ci: tests/custom-html/test_upgrade.py)   test_upgrade_preserves_data PASSED
+TIER backup   (cc-ci: tests/custom-html/test_backup.py)    test_backup_captures_state PASSED
+TIER restore  (cc-ci: tests/custom-html/test_restore.py)   test_restore_returns_state PASSED
+deploy-count = 1   install/upgrade/backup/restore : pass     (residual: none — clean teardown)
+```
+This proves DG4 + DG4.1 end-to-end:
+- **Override:** every tier resolved to `(cc-ci: tests/custom-html/...)` — the overlay ran INSTEAD of
+  the generic (discovery precedence; unit tests tests/unit/test_discovery.py 5/5).
+- **Extend-by-composition:** test_install reuses `generic.assert_serving` then adds a Playwright nginx
+  check; upgrade/backup/restore reuse `generic.do_upgrade/do_backup/do_restore`.
+- **Data-continuity (recipe-specific, the overlay's job):** upgrade preserves a marker; backup seeds
+  "original"→snapshot→mutate "mutated"; restore returns "original" (read volume-direct via exec).
+- **DG4.1 no redeploy:** deploy-count = 1 across all four overlay tiers + their in-place ops.
+
+Two more real bugs fixed en route (both via live runs): `_app_container` now bounded-polls for the
+container to reappear (backup-bot cycles it); the custom-html backup/restore overlay reads the marker
+via `exec_in_app` (volume-direct), not http (which raced the serving layer post-backup, served '').
+Re-claiming G1 (DG2+DG3) and claiming G2 (DG4+DG4.1).

machine-docs/STATUS-1d.md

@@ -20,10 +20,13 @@ per-recipe overlay authoring is Phase 2.
 - [~] **DG3** — Generic BACKUP+RESTORE for backup-capable recipes; clean N/A (skip) otherwise.
       **Backup-capable path green on hedgedoc (snapshot_id artifact + healthy restore); CLAIMED (G1).**
       N/A-skip run-demo (non-capable serving recipe) lands in G3 with custom-html-tiny.
-- [ ] **DG4** — Layering (override-or-extend; generic is the default); discovery + cc-ci/repo-local
+- [~] **DG4** — Layering (override-or-extend; generic is the default); discovery + cc-ci/repo-local
       precedence settled in DECISIONS. Invariant: no overlay for an op ⇒ generic runs.
-- [ ] **DG4.1** — Overlays reuse the deployment: ONE deploy + ONE teardown per run; no extra
-      new/deploy/undeploy (assert via deploy-count).
+      **CLAIMED (G2): custom-html overlays override+extend the generic, all 4 tiers green; discovery
+      precedence unit tests 5/5.**
+- [~] **DG4.1** — Overlays reuse the deployment: ONE deploy + ONE teardown per run; no extra
+      new/deploy/undeploy (assert via deploy-count). **CLAIMED (G2): deploy-count=1 across the full
+      overlay lifecycle.**
 - [ ] **DG5** — Custom install-steps hook + graceful-generic rule; fail-without / pass-with proof.
 - [ ] **DG6** — `!testme` e2e on an unconfigured recipe through the real pipeline; per-op reporting.
 - [ ] **DG7** — Real, DRY, clean: no softened/skip/xfail assertions; generic in the shared harness;
@@ -38,24 +41,29 @@ per-recipe overlay authoring is Phase 2.
 - **G4** — `!testme` e2e + per-op reporting + docs + cold verify. *Accept: DG6, DG7, DG8 → DONE.*
 
 ## In flight
-**G2 — layering + discovery + precedence (next).** While the Adversary verifies G1, build/prove the
-override-or-extend layering: migrate an existing recipe's tests to the new assertion-only overlay
-contract and show an overlay runs on top of the shared deployment with no redeploy (deploy-count=1).
+**G3 — custom install-steps hook + graceful-generic (next).** Implement the install_steps.sh hook
+proof on custom-html-tiny (needs content to serve → fails generic install without the hook, passes
+with it), which ALSO yields DG3's N/A-skip run-demo (custom-html-tiny is non-backup-capable).
 
-**F1d-1 (Adversary, low/DG7) — FIXED in code, awaiting Adversary re-test+close.** Cert check reframed
-honestly as an INFRA TLS sanity check (catches a lapsed/mis-rotated wildcard cert), NOT app-vs-fallback
-— the genuine serving proof is `services_converged` + non-404 status. See JOURNAL-1d + generic.py.
+**F1d-1 — FIXED, awaiting Adversary close.** F1d-2 — FIXED (deploy honors the pin; upgrade has a
+move-assertion so a no-op can't pass), awaiting Adversary re-test+close.
 
 ## Gate
 **G0/DG1 — Adversary PASS @2026-05-27.** Cleared.
 
-**Gate: G1 CLAIMED, awaiting Adversary (DG2 + DG3).** Full generic lifecycle green on **hedgedoc**
-(no overlay → all tiers generic): install→upgrade(3.0.9→3.0.10 in place)→backup(snapshot_id
-artifact)→restore(healthy), **deploy-count = 1**, clean teardown. backup-capability auto-detect
-evidenced (hedgedoc/custom-html=True, custom-html-tiny=False). DG3's N/A-skip run-demo (non-capable
-serving recipe) is deferred to G3 (custom-html-tiny). Evidence + commands in JOURNAL-1d.
-Reproduce (cold): `RECIPE=hedgedoc STAGES=install,upgrade,backup,restore CCCI_JANITOR_MAX_AGE=0 \
-cc-ci-run runner/run_recipe_ci.py` on cc-ci from a clean clone.
+**Gate: G1 (DG2+DG3) RE-CLAIMED, awaiting Adversary** — after the F1d-2 fix. Full generic lifecycle
+green on **hedgedoc**: install→upgrade **genuinely 1.10.7→1.10.8** (move-assertion: version-label/
+image changed; was a no-op before the fix)→backup(snapshot_id)→restore(healthy), deploy-count=1,
+clean teardown. The Adversary's own F1d-2 probe now passes (deploy-prev=1.10.7, upgrade→1.10.8,
+CHANGED=True). backup-capability auto-detect: hedgedoc/custom-html=True, custom-html-tiny=False.
+
+**Gate: G2 (DG4+DG4.1) CLAIMED, awaiting Adversary** — custom-html overlays (assertion-only, migrated)
+override the generic for all four ops AND extend it by composition, with data-continuity
+(upgrade-survives marker; backup "original"→mutate→restore "original"). All 4 overlay tiers green,
+**deploy-count = 1** (no redeploy), clean teardown. Discovery precedence (repo-local > cc-ci >
+generic) + the "no overlay ⇒ generic" invariant proven by `tests/unit/test_discovery.py` (5/5).
+Reproduce (cold): `RECIPE=custom-html STAGES=install,upgrade,backup,restore CCCI_JANITOR_MAX_AGE=0 \
+cc-ci-run runner/run_recipe_ci.py` (TIER lines show `cc-ci:` overlays) + `cc-ci-run -m pytest tests/unit`.
 
 Design (DECISIONS.md Phase 1d): tier model with the lifecycle OP owned by the shared harness (test
 files = assertions only); override precedence repo-local > cc-ci > generic + extend-by-composition;