feat(1d): G0 — generic install + deploy-once orchestrator (DG1 green on hedgedoc)

- harness/generic.py: recipe-agnostic assert_serving (converged + real HTTP, 404-excluded +
  not Traefik 404 body + CA-verified trusted wildcard cert), op helpers, backup_capable detect
- harness/discovery.py: per-op overlay resolution (repo-local > cc-ci > generic), custom + hook
- tests/_generic/: assertion-only tiers (install/upgrade/backup/restore) on the shared deployment
- run_recipe_ci.py: deploy-ONCE orchestrator, per-op summary, deploy-count guard (DG4.1)
- conftest live_app fixture; lifecycle deploy-count + install-steps hook + pin DOMAIN to run domain

DG1 cold-verified green on hedgedoc (pure generic, deploy-count=1, clean teardown). G0 CLAIMED.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/_generic/test_upgrade.py

@@ -0,0 +1,17 @@
+"""Generic UPGRADE tier (Phase 1d DG2) — recipe-agnostic.
+
+The orchestrator deployed the PREVIOUS published version once; this tier upgrades it IN PLACE
+(abra app upgrade) to the target (VERSION env, else newest published) on the same live deployment,
+then asserts it reconverges and still serves. Data-continuity is a recipe overlay (test_upgrade.py),
+not the generic — the generic verifies the upgrade mechanism + still-serving."""
+
+import os
+import sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
+from harness import generic  # noqa: E402
+
+
+def test_upgrade_reconverges(live_app, meta):
+    target = os.environ.get("VERSION") or None
+    generic.do_upgrade(live_app, target, meta)