intranet: deploy v202604240040search with Notes corpus + vector store

Phase 3 lane 1 of FlowerCore.Shared.Indexing rollout — wires the new
search consumer in FlowerCore.Intranet.Web to live infrastructure.

Manifest changes:
- Image bump: localhost/fc-intranet-web:latest -> :v202604240040search.
  Built from FlowerCore.Intranet.Web@feat/shared-indexing-search and
  imported into all three RKE2 nodes (rke2-server, rke2-agent1, rke2-agent2)
  via ctr import. Both :latest and :v202604240040search tags are present.
- New PersistentVolumeClaim intranet-vector-store (1Gi, ReadWriteOnce,
  Longhorn) mounted at /data for the SQLite vector store
  (intranet-vectors.db).
- New emptyDir volume notes-corpus (1Gi sizeLimit) shared between the
  init container and main container, mounted at /srv/flowercore-notes
  (read-only in the main container).
- New init container clone-notes-corpus (alpine/git) that shallow-clones
  https://github.com/astoltz/FlowerCore.Notes.git
  (codex/notes-pimanager-live-drift) into /srv/flowercore-notes on every
  pod start. Re-clone is cheap (depth=1) and re-runs of git fetch +
  reset --hard are idempotent.
- Strategy switched to Recreate for the deployment, since the new RWO
  PVC blocks rolling updates — see CLAUDE.md memory "RWO PVC blocks K8s
  rolling updates".
- Resource bumps: memory 128Mi -> 256Mi req, 512Mi -> 1Gi limit; CPU
  500m -> 1000m limit. The DocsCorpusIndexer + Ollama HTTP calls add
  measurable load during the initial index build.
- initialDelaySeconds bumps on both probes (10s -> 30s liveness, 5s ->
  10s readiness) to account for startup-time Ollama probing and the
  slightly larger image.

The DocsCorpusIndexer waits 15s after host startup before its first
indexing pass, then loops every RescanInterval (default 1h). Its first
run will:
1. Embed all *.md under /srv/flowercore-notes/docs against
   nomic-embed-text on edge1 (10.0.57.17:11434).
2. Embed all *.html under /srv/flowercore-notes/docs/dashboards.
3. Persist chunks + embeddings to /data/intranet-vectors.db.

Verify after rollout:
- kubectl -n intranet logs deploy/intranet-web -c clone-notes-corpus
  (init container should show the docs/ listing).
- kubectl -n intranet logs deploy/intranet-web -f
  (DocsCorpusIndexer should log "Indexing docs root 'notes-md'..." then
  "Docs root 'notes-md' indexed: N files, M chunks, M stored").
- curl -sk https://intranet.iamworkin.lan/api/search/indexes
  -> ["notes-html","notes-md"]
- curl -sk 'https://intranet.iamworkin.lan/api/search?q=guacamole+single+host&topK=3'
  -> hits from docs/infrastructure/guacamole-customization-plan.md

Companion source on FlowerCore.Intranet.Web@feat/shared-indexing-search.
Depends on FlowerCore.Common@feat/shared-indexing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/intranet/intranet.yaml

@@ -3,6 +3,19 @@ kind: Namespace
 metadata:
   name: intranet
 ---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: intranet-vector-store
+  namespace: intranet
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 1Gi
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -12,6 +25,8 @@ metadata:
     app: intranet-web
 spec:
   replicas: 1
+  strategy:
+    type: Recreate
   selector:
     matchLabels:
       app: intranet-web
@@ -20,9 +35,28 @@ spec:
       labels:
         app: intranet-web
     spec:
+      initContainers:
+        - name: clone-notes-corpus
+          image: alpine/git:latest
+          imagePullPolicy: IfNotPresent
+          command:
+            - sh
+            - -c
+            - |
+              set -e
+              if [ -d /srv/flowercore-notes/.git ]; then
+                cd /srv/flowercore-notes && git fetch --depth=1 origin && git reset --hard origin/codex/notes-pimanager-live-drift
+              else
+                rm -rf /srv/flowercore-notes/* /srv/flowercore-notes/.[!.]* 2>/dev/null || true
+                git clone --depth=1 --branch codex/notes-pimanager-live-drift https://github.com/astoltz/FlowerCore.Notes.git /srv/flowercore-notes
+              fi
+              ls -la /srv/flowercore-notes/docs | head -10
+          volumeMounts:
+            - name: notes-corpus
+              mountPath: /srv/flowercore-notes
       containers:
         - name: intranet-web
-          image: localhost/fc-intranet-web:latest
+          image: localhost/fc-intranet-web:v202604240040search
           imagePullPolicy: Never
           ports:
             - containerPort: 5300
@@ -34,23 +68,36 @@ spec:
               value: "http://+:5300"
           resources:
             requests:
-              memory: "128Mi"
+              memory: "256Mi"
               cpu: "100m"
             limits:
-              memory: "512Mi"
-              cpu: "500m"
+              memory: "1Gi"
+              cpu: "1000m"
           livenessProbe:
             httpGet:
               path: /health
               port: 5300
-            initialDelaySeconds: 10
+            initialDelaySeconds: 30
             periodSeconds: 30
           readinessProbe:
             httpGet:
               path: /health
               port: 5300
-            initialDelaySeconds: 5
+            initialDelaySeconds: 10
             periodSeconds: 10
+          volumeMounts:
+            - name: notes-corpus
+              mountPath: /srv/flowercore-notes
+              readOnly: true
+            - name: vector-store
+              mountPath: /data
+      volumes:
+        - name: notes-corpus
+          emptyDir:
+            sizeLimit: 1Gi
+        - name: vector-store
+          persistentVolumeClaim:
+            claimName: intranet-vector-store
 ---
 apiVersion: v1
 kind: Service