feat(1d): G0 — generic install + deploy-once orchestrator (DG1 green on hedgedoc)

- harness/generic.py: recipe-agnostic assert_serving (converged + real HTTP, 404-excluded +
  not Traefik 404 body + CA-verified trusted wildcard cert), op helpers, backup_capable detect
- harness/discovery.py: per-op overlay resolution (repo-local > cc-ci > generic), custom + hook
- tests/_generic/: assertion-only tiers (install/upgrade/backup/restore) on the shared deployment
- run_recipe_ci.py: deploy-ONCE orchestrator, per-op summary, deploy-count guard (DG4.1)
- conftest live_app fixture; lifecycle deploy-count + install-steps hook + pin DOMAIN to run domain

DG1 cold-verified green on hedgedoc (pure generic, deploy-count=1, clean teardown). G0 CLAIMED.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

machine-docs/BACKLOG-1d.md

@@ -2,18 +2,19 @@
 
 ## Build backlog (Builder-only)
 
-### G0 — Generic install + deploy-once orchestrator (DG1)
-- [ ] `runner/harness/generic.py`: generic assertion helpers (`assert_serving` — real HTTP, not
-      Traefik fallback/default cert) + op helpers (`do_upgrade`, `do_backup`, `do_restore`) +
+### G0 — Generic install + deploy-once orchestrator (DG1) — CLAIMED, awaiting Adversary
+- [x] `runner/harness/generic.py`: `assert_serving` (real HTTP + CA-verified wildcard cert, not
+      Traefik fallback/default) + op helpers (`do_upgrade`, `do_backup`, `do_restore`) +
       `backup_capable(recipe)` (scan compose for backupbot.backup).
-- [ ] `runner/harness/discovery.py`: per-op overlay resolution (repo-local > cc-ci > generic),
+- [x] `runner/harness/discovery.py`: per-op overlay resolution (repo-local > cc-ci > generic),
       custom-test discovery (both locations, additive), install-steps hook discovery.
-- [ ] `tests/_generic/`: assertion-only generic tier files (test_install/upgrade/backup/restore.py).
-- [ ] Refactor `run_recipe_ci.py` → deploy-once: deploy base version once, run tiers in order against
-      the shared deployment, one teardown in finally; per-op result summary.
-- [ ] Refactor `tests/conftest.py` fixtures to expose the shared live deployment (no per-tier deploy).
-- [ ] Deploy-count guard (`CCCI_DEPLOY_COUNT`) in `lifecycle.deploy_app`; assert ==1 per run.
-- [ ] Prove generic install green on custom-html-tiny (no cc-ci/repo-local tests). → claim G0.
+- [x] `tests/_generic/`: assertion-only generic tier files (test_install/upgrade/backup/restore.py).
+- [x] Refactor `run_recipe_ci.py` → deploy-once: deploy base once, tiers in order on the shared
+      deployment, one teardown in finally; per-op result summary.
+- [x] `tests/conftest.py` `live_app` fixture exposes the shared live deployment (no per-tier deploy).
+- [x] Deploy-count guard (`CCCI_DEPLOY_COUNT_FILE`) in `lifecycle.deploy_app`; orchestrator asserts ==1.
+- [x] Generic install green on **hedgedoc** (no cc-ci/repo-local tests, deploy-count=1, clean
+      teardown). custom-html-tiny rejected (empty static volume → 404 zero-config). → G0 CLAIMED.
 
 ### G1 — Generic upgrade + backup/restore (DG2, DG3)
 - [ ] Generic upgrade tier: previous→target in place; reconverge + serving.

machine-docs/JOURNAL-1d.md

@@ -27,3 +27,42 @@ generic with extend-by-composition; deploy-ONCE with a deploy-count guard; base
 
 Seeded STATUS-1d / BACKLOG-1d / JOURNAL-1d. Next: implement G0 (generic.py + discovery.py +
 tests/_generic/ + deploy-once orchestrator), then verify generic install green on custom-html-tiny.
+
+## 2026-05-27 — G0 generic install + deploy-once orchestrator: DG1 GREEN
+
+Built the G0 machinery and proved DG1 end-to-end on the real server:
+- `runner/harness/generic.py` — `assert_serving` (services converged + real HTTP in HEALTH_OK [excludes
+  404] + not Traefik's 404 body + **CA-verified TLS cert is the trusted wildcard**), op helpers
+  (`do_upgrade`/`do_backup`/`do_restore`), `backup_capable` (scan compose for backupbot.backup).
+- `runner/harness/discovery.py` — per-op overlay resolution (repo-local > cc-ci > generic), custom
+  test discovery (both locations, additive), install-steps hook discovery.
+- `tests/_generic/test_{install,upgrade,backup,restore}.py` — assertion-only tiers using `live_app`.
+- `runner/run_recipe_ci.py` — deploy-ONCE orchestrator: base version (prev if upgrade+exists else
+  target), tiers run against the shared deployment, one teardown in finally, deploy-count guard +
+  per-op summary.
+- `tests/conftest.py` — `live_app` fixture (reads CCCI_APP_DOMAIN; tiers never deploy).
+- `lifecycle.deploy_app` — deploy-count recorder + install-steps hook + **pin DOMAIN to the run
+  domain** (fixes recipes whose .env.sample uses `{{ .Domain }}`, which this abra leaves unexpanded).
+
+**Two real generic bugs found+fixed via live runs (not "should work"):**
+1. custom-html-tiny deploy failed: `DOMAIN={{ .Domain }}` not auto-filled by `abra app new -D` on
+   0.13.0-beta → `can't evaluate field Domain`. Fix: `env_set(domain,"DOMAIN",domain)` in deploy_app.
+2. `served_cert_subject` used `openssl s_client`, but **openssl is not on the host** (`cc-ci-run`
+   runtimeInputs has no openssl) → it silently returned None → the "not default cert" check was a
+   no-op (a DG7 can't-fail smell). Replaced with a pure-Python **CA-verified handshake** (`ssl`):
+   a publicly-trusted LE wildcard verifies + matches hostname; Traefik's self-signed default fails
+   verification → a genuine assertion. Verified the verify path on the host:
+   `ssl.create_default_context()` against ci.commoninternet.net → VERIFIED, CN=*.ci.commoninternet.net,
+   SAN=[*.ci.commoninternet.net, ci.commoninternet.net].
+
+**DG1 evidence (cc-ci, final code):** custom-html-tiny is a static-web-server with an empty content
+volume → genuinely serves 404 zero-config (not a serving demo), so picked **hedgedoc** (simple
+category, NO cc-ci/repo-local tests → pure generic; backup-capable bonus):
+```
+$ RECIPE=hedgedoc STAGES=install cc-ci-run runner/run_recipe_ci.py
+===== TIER: install (generic: tests/_generic/test_install.py) =====
+tests/_generic/test_install.py::test_serving PASSED
+===== RUN SUMMARY =====   deploy-count = 1 (expect 1)   install : pass
+$ docker stack ls | grep hedg   -> (none — clean teardown)
+```
+Lint+format clean (`ruff check`/`ruff format --check` via `nix develop .#lint`). Claiming the G0 gate.

machine-docs/STATUS-1d.md

@@ -34,12 +34,24 @@ per-recipe overlay authoring is Phase 2.
 - **G4** — `!testme` e2e + per-op reporting + docs + cold verify. *Accept: DG6, DG7, DG8 → DONE.*
 
 ## In flight
-**G0 — generic install + deploy-once orchestrator.** Design recorded in DECISIONS.md (tier model,
-override precedence, deploy-once, backup-capability auto-detect, install-steps shell hook). Building
-`harness/generic.py` + `harness/discovery.py` + new deploy-once `run_recipe_ci.py` + `tests/_generic/`.
+**G1 — generic upgrade + backup/restore (next).** G0 code is in place and DG1 is green; while the
+Adversary verifies G0, I'll build/prove the generic upgrade tier (previous→target in place) and the
+backup/restore tiers gated on backup-capability (hedgedoc & custom-html are both backup-capable).
 
 ## Gate
-(none yet — will claim G0 when generic install is green on custom-html-tiny)
+**Gate: G0 CLAIMED, awaiting Adversary (DG1).** Generic INSTALL tier is green on **hedgedoc** —
+a simple recipe with NO cc-ci/repo-local tests (pure generic), asserting it ACTUALLY serves (services
+converged + real HTTP in HEALTH_OK [404 excluded] + not Traefik's 404 body + a CA-verified trusted
+wildcard cert, not the default), with **deploy-count = 1** (DG4.1 one-deploy) and clean teardown
+(no residual stack). Evidence in JOURNAL-1d (commands + output). custom-html-tiny was rejected as the
+demo recipe: it's a static-web-server with an empty content volume → genuinely 404 zero-config.
+
+To reproduce (cold): on cc-ci, `cd /root/cc-ci && RECIPE=hedgedoc STAGES=install HOME=/root \
+CCCI_JANITOR_MAX_AGE=0 cc-ci-run runner/run_recipe_ci.py` → install: pass, deploy-count=1.
+
+Design (DECISIONS.md Phase 1d): tier model with the lifecycle OP owned by the shared harness (test
+files = assertions only); override precedence repo-local > cc-ci > generic + extend-by-composition;
+deploy-once with a deploy-count guard; backup-capability auto-detect; install-steps shell hook.
 
 ## Blocked
 (none) — bootstrap access re-verified @2026-05-27: ssh cc-ci ok (root, NixOS 24.11), abra 0.13.0-beta,