infra(intranet): mount Notes docs corpus + enable IntranetSearch indexer

Cl-infra-1 (deep-regroup 2026-06-13). Adds a notes-corpus-clone initContainer
(shallow git clone of bluejay/FlowerCore.Notes into an emptyDir at
/srv/flowercore-notes) + a notes-corpus-sync sidecar (30-min pull) and flips
IntranetSearch__Enabled false->true so the previously doubly-disabled indexer
has a corpus to index (768 md + 108 html under docs/).

- Trailing-dot FQDN gitea-clusterip.gitea.svc.cluster.local. bypasses a CoreDNS
  *.iamworkin.lan template that mis-resolves the in-cluster service name to the
  Traefik VIP for musl / ndots:5 pods (search-domain appending).
- Cred via gitea-corpus-cred secret (canonical 1P bluejay read cred, created
  imperatively in-ns; mirrors the gitea-flowercore-notes argocd repo-cred pattern).
- First-boot bulk embed runs in background via edge1 Ollama; /health stays Ready.

Pairs with Codex In-1 (intranet app-side reindex endpoint + SemaphoreSlim).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

apps/intranet/intranet.yaml

@@ -44,6 +44,29 @@ spec:
       labels:
         app: intranet-web
     spec:
+      # notes-corpus-clone: shallow-clones the Notes docs corpus into an emptyDir so
+      # the IntranetSearch indexer has /srv/flowercore-notes/docs to index. Uses the
+      # trailing-dot FQDN (gitea-clusterip.gitea.svc.cluster.local.) to bypass the
+      # CoreDNS *.iamworkin.lan template that otherwise resolves the in-cluster service
+      # name to the Traefik VIP for musl / ndots:5 pods (search-domain appending).
+      # Cred: gitea-corpus-cred (in-ns secret with the canonical 1P bluejay read cred;
+      # mirrors the imperative gitea-flowercore-notes argocd repo-cred pattern).
+      initContainers:
+        - name: notes-corpus-clone
+          image: alpine/git:2.45.2
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - secretRef:
+                name: gitea-corpus-cred
+          env:
+            - name: GIT_LFS_SKIP_SMUDGE
+              value: "1"
+          command: ["/bin/sh", "-c"]
+          args:
+            - 'git clone --depth 1 http://$username:$password@gitea-clusterip.gitea.svc.cluster.local.:3000/bluejay/FlowerCore.Notes.git /srv/flowercore-notes && echo "notes corpus cloned; docs entries:" && ls /srv/flowercore-notes/docs | wc -l'
+          volumeMounts:
+            - name: notes-corpus
+              mountPath: /srv/flowercore-notes
       containers:
         - name: intranet-web
           image: localhost/fc-intranet-web:v20260612-screenshot-metadata
@@ -61,11 +84,13 @@ spec:
             # in minutes. Memory: feedback_pi5_nomic_embed_slow.
             - name: IntranetSearch__OllamaBaseUrl
               value: "http://edge1.iamworkin.lan:11434"
-            # External Notes corpus roots are not mounted in the live pod today.
+            # Notes docs corpus IS now mounted at /srv/flowercore-notes (see the
-            # Keep the curated/workflow docs directory active without logging
+            # notes-corpus-clone initContainer + notes-corpus-sync sidecar), so the
-            # repeated /srv/flowercore-notes missing-root warnings.
+            # IntranetSearch indexer is ENABLED. First-boot bulk embed of the corpus
+            # runs in the background via the edge1 Ollama backend above (~6s/chunk on
+            # the Pi 5); /health readiness does not depend on it, so the pod stays Ready.
             - name: IntranetSearch__Enabled
-              value: "false"
+              value: "true"
             # Page-reading override SQLite persistence on the writable PVC at
             # /data. This backs pronunciation, notes, corrections, and
             # page-profile metadata across pod restarts.
@@ -107,10 +132,40 @@ spec:
           volumeMounts:
             - name: vector-store
               mountPath: /data
+            - name: notes-corpus
+              mountPath: /srv/flowercore-notes
+              readOnly: true
+        # notes-corpus-sync: keeps the mounted corpus fresh between pod restarts by
+        # pulling the Notes repo every 30 min (best-effort; the initContainer guarantees
+        # a fresh clone at pod start). Reuses the clone's origin (trailing-dot host + creds).
+        - name: notes-corpus-sync
+          image: alpine/git:2.45.2
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - secretRef:
+                name: gitea-corpus-cred
+          env:
+            - name: GIT_LFS_SKIP_SMUDGE
+              value: "1"
+          command: ["/bin/sh", "-c"]
+          args:
+            - 'while true; do sleep 1800; git -C /srv/flowercore-notes pull --depth 1 2>&1 | sed "s/^/[notes-corpus-sync] /" || true; done'
+          resources:
+            requests:
+              memory: "32Mi"
+              cpu: "10m"
+            limits:
+              memory: "128Mi"
+              cpu: "200m"
+          volumeMounts:
+            - name: notes-corpus
+              mountPath: /srv/flowercore-notes
       volumes:
         - name: vector-store
           persistentVolumeClaim:
             claimName: intranet-vector-store
+        - name: notes-corpus
+          emptyDir: {}
 ---
 apiVersion: v1
 kind: Service