fix(gtea): UPGRADE_SECRET_PREP hook — pre-insert lfs_jwt_secret with correct 43-char format

Blocker 4 fix: abra `secret generate --all` uses .env.sample for length hints; the
lfs-plain-gitea PR has SECRET_LFS_JWT_SECRET_VERSION=v1 COMMENTED OUT, so abra produces
a wrong-length secret. gitea requires exactly 43 chars (32 bytes base64 URL-safe); wrong
length → gitea fatals trying to save the JWT secret to the read-only Docker Config
app.ini → health check fails → swarm rolls back.

Fix: new UPGRADE_SECRET_PREP hook (meta.py) called before `abra secret generate --all`
in the upgrade path. abra's `--all` is idempotent (skips existing secrets), so the
correctly pre-inserted secret survives. gitea's recipe_meta.py implements the hook using
`docker secret create` directly to guarantee correct format regardless of .env.sample.

Also consumes machine-docs/BUILDER-INBOX.md (Adversary Blocker 4 digest).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/unit/test_meta.py

@@ -65,6 +65,7 @@ def test_missing_meta_yields_spec_baseline(tmp_path):
     assert meta.DEPS == []
     assert meta.WARM_CANONICAL is False
     assert meta.SCREENSHOT is None
+    assert meta.UPGRADE_SECRET_PREP is None
     assert meta_mod.non_default(meta) == {}
 
 
@@ -73,9 +74,9 @@ def test_registry_field_set_matches_dataclass():
     import dataclasses
 
     assert [f.name for f in dataclasses.fields(RecipeMeta)] == [k.name for k in KEYS]
-    # the 14 final keys, no more (the 3 P2-deleted legacy keys are gone from the registry,
+    # the 15 final keys, no more (the 3 P2-deleted legacy keys are gone from the registry,
     # so any recipe_meta still setting them hard-fails the typo gate)
-    assert len(KEYS) == 14
+    assert len(KEYS) == 15
     assert not [k for k in KEYS if k.deprecated]
     for gone in ("CHAOS_BASE_DEPLOY", "OIDC_AT_INSTALL", "SKIP_GENERIC"):
         assert gone not in {k.name for k in KEYS}