feat(1d): G0 — generic install + deploy-once orchestrator (DG1 green on hedgedoc)

- harness/generic.py: recipe-agnostic assert_serving (converged + real HTTP, 404-excluded +
  not Traefik 404 body + CA-verified trusted wildcard cert), op helpers, backup_capable detect
- harness/discovery.py: per-op overlay resolution (repo-local > cc-ci > generic), custom + hook
- tests/_generic/: assertion-only tiers (install/upgrade/backup/restore) on the shared deployment
- run_recipe_ci.py: deploy-ONCE orchestrator, per-op summary, deploy-count guard (DG4.1)
- conftest live_app fixture; lifecycle deploy-count + install-steps hook + pin DOMAIN to run domain

DG1 cold-verified green on hedgedoc (pure generic, deploy-count=1, clean teardown). G0 CLAIMED.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/_generic/test_backup.py

@@ -0,0 +1,17 @@
+"""Generic BACKUP tier (Phase 1d DG3) — recipe-agnostic, backup-capable recipes only.
+
+Runs `abra app backup create` against the shared live deployment and asserts a snapshot artifact is
+produced (abra app backup snapshots is non-empty). Honest limit: the generic verifies the backup
+MECHANISM, not app-specific data integrity — that's a recipe overlay (test_backup.py seeds a marker).
+For recipes that declare no backup config the orchestrator skips this tier as N/A (not a failure)."""
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+from harness import generic  # noqa: E402
+
+
+def test_backup_artifact(live_app, meta):
+    snaps = generic.do_backup(live_app)
+    assert snaps, "backup produced no snapshot artifact"

tests/_generic/test_install.py

@@ -0,0 +1,16 @@
+"""Generic INSTALL tier (Phase 1d DG1) — recipe-agnostic.
+
+The orchestrator has already deployed the app ONCE (deploy-once, DG4.1) and waited for it to
+converge. This tier asserts the app is ACTUALLY SERVING over real HTTPS through Traefik — not a
+404 fallback, not the default cert, not health-only. Runs for ANY recipe that ships no
+test_install.py overlay (the invariant: no overlay ⇒ generic runs)."""
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+from harness import generic  # noqa: E402
+
+
+def test_serving(live_app, meta):
+    generic.assert_serving(live_app, meta)

tests/_generic/test_restore.py

@@ -0,0 +1,15 @@
+"""Generic RESTORE tier (Phase 1d DG3) — recipe-agnostic, backup-capable recipes only.
+
+Restores the latest snapshot (produced by the backup tier on the same shared deployment) and asserts
+the restore completes and the app is healthy + serving afterwards. App-specific data-integrity
+(marker survives) is a recipe overlay (test_restore.py); the generic verifies the restore mechanism."""
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+from harness import generic  # noqa: E402
+
+
+def test_restore_healthy(live_app, meta):
+    generic.do_restore(live_app, meta)

tests/_generic/test_upgrade.py

@@ -0,0 +1,17 @@
+"""Generic UPGRADE tier (Phase 1d DG2) — recipe-agnostic.
+
+The orchestrator deployed the PREVIOUS published version once; this tier upgrades it IN PLACE
+(abra app upgrade) to the target (VERSION env, else newest published) on the same live deployment,
+then asserts it reconverges and still serves. Data-continuity is a recipe overlay (test_upgrade.py),
+not the generic — the generic verifies the upgrade mechanism + still-serving."""
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+from harness import generic  # noqa: E402
+
+
+def test_upgrade_reconverges(live_app, meta):
+    target = os.environ.get("VERSION") or None
+    generic.do_upgrade(live_app, target, meta)