fc-desktop: add phase 1 capacity guards

fix(monitoring): point probe-printweb at /health (Q-MR-90)
Root path requires API key auth — `/` returned 401 to the blackbox probe, firing PrintWebDown despite `/health` reporting Healthy. Pattern: feedback_k8s_probes_behind_auth_middleware. Mirrors FlowerCore.Notes scripts/monitoring/prometheus.yml. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 15:49:20 -05:00 · 2026-05-20 14:52:02 -05:00 · 2026-05-20 11:45:43 -05:00 · 2026-05-20 16:20:01 +00:00 · 2026-05-20 11:18:25 -05:00
15 changed files with 810 additions and 407 deletions
--- a/README.md
+++ b/README.md
@@ -103,7 +103,6 @@ curl -sk -X DELETE https://dns.iamworkin.lan/api/v1/servers/<serverId>/zones/iam
 - **Public read-only hosts**: if a public host fronts a service that also exposes admin writes internally, add a Traefik route match like `Host(...) && (Method(GET) || Method(HEAD))` on the public edge instead of trusting the app to reject unsafe methods.
 - **Public read-write allowlist hosts**: if a public host accepts a tightly bounded write surface (e.g. bootstrap-JWT POST), pin the allowlist as `(Method(GET) || Method(HEAD) || Method(POST) || Method(OPTIONS))`. PUT/PATCH/DELETE must still 404 at the route. Track A's `updatecenter.iamworkin.lan` / `updates.iamworkin.lan` are the canonical example. The lint test enforces this invariant.
 - **Traefik VIP netpols**: when a `NetworkPolicy` allows `10.0.56.200`, also allow the post-DNAT backend ports (`8443` for TLS plus `8080` or `8000` for HTTP) or Calico will drop the rewritten flow.
 - **RemoteDesktop isolation**: `apps/fc-desktop/network-policies.yaml` intentionally keeps desktop pod egress to named CoreDNS, `intranet-web:5300/TCP`, and noc1 step-ca `10.0.56.10:9000/9443` only. Guacamole display egress is owned separately by `apps/guacamole/guacamole.yaml` through `guacd-desktop-egress` on `5901/TCP`.
 - **Auth-safe probes**: services behind API-key or global auth middleware should prefer `tcpSocket` probes unless `/health` is explicitly exempted before the middleware runs.
 - **ArgoCD must use internal Gitea URL**: `http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git`, not the external HTTPS URL (step-ca cert isn't trusted by ArgoCD). The `ApplicationSet` and any hand-created `Application` must both use the internal URL.
--- a/apps/fc-desktop/limitrange.yaml
+++ b/apps/fc-desktop/limitrange.yaml
@@ -0,0 +1,33 @@
 # FlowerCore Remote Desktop - session pod resource defaults
 #
 # Namespace-level LimitRange for Sprint 44 Phase 1. This defends the
 # fc-desktop namespace from unbounded container requests while the
 # per-tenant advisory FairShareEvaluator lands in FlowerCore.RemoteDesktop.
 apiVersion: v1
 kind: LimitRange
 metadata:
  name: fc-desktop-pod-defaults
  namespace: fc-desktop
  labels:
    app.kubernetes.io/name: fc-desktop
    app.kubernetes.io/part-of: remotedesktop
    app.kubernetes.io/component: capacity-guard
    app.kubernetes.io/managed-by: argocd
    flowercore.io/owner: infra
  annotations:
    flowercore.io/phase: sprint-44-cx-9-phase-a
 spec:
  limits:
    - type: Container
      default:
        cpu: "1.0"
        memory: "2Gi"
      defaultRequest:
        cpu: "500m"
        memory: "1Gi"
      max:
        cpu: "2.0"
        memory: "4Gi"
      min:
        cpu: "100m"
        memory: "128Mi"
--- a/apps/fc-desktop/network-policies.yaml
+++ b/apps/fc-desktop/network-policies.yaml
@@ -20,12 +20,9 @@
 # 1) desktop-isolation — Browser Lab session pods.
 #
 # Locks down pods labeled `app.kubernetes.io/name=remote-desktop` (every
-# session pod regardless of template). Allows guacd ingress for the display
+# session pod regardless of template). Allows guacd ingress for the VNC/RDP
-# lane and remotedesktop-web's pre-handoff probing. Egress is deliberately
+# display lane and remotedesktop-web's pre-handoff probing. Egress: NFS to
-# narrow: named CoreDNS, direct Intranet web, and noc1 step-ca only. There is
+# Synology, DNS, Traefik (cluster + LB VIP), Intranet (Browser Lab home).
 # no broad Traefik/VIP or internet egress from desktop sessions. If a future
 # Browser Lab path needs a public-style host, prefer an explicit Service rule
 # or include the post-DNAT backend port per the Traefik VIP lint.
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -68,22 +65,51 @@ spec:
        - port: 5901
          protocol: TCP
  egress:
-    # CoreDNS only. The old to: [] DNS rule accidentally allowed any DNS
+    # NFS to Synology
    # listener in any namespace or routed network.
    - to:
-        - namespaceSelector:
+        - ipBlock:
-            matchLabels:
+            cidr: 10.0.58.3/32
-              kubernetes.io/metadata.name: kube-system
+      ports:
-          podSelector:
+        - port: 2049
-            matchLabels:
+          protocol: TCP
-              k8s-app: kube-dns
+        - port: 2049
          protocol: UDP
        - port: 111
          protocol: TCP
        - port: 111
          protocol: UDP
    - to:
        - ipBlock:
            cidr: 10.0.58.3/32
      ports:
        - port: 445
          protocol: TCP
    - to: []
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
-    # Browser Lab home / internal docs target. Use the real service port
+    - to:
-    # directly rather than public Traefik host aliases.
+        - ipBlock:
            cidr: 10.0.56.200/32
        - ipBlock:
            cidr: 10.43.33.87/32
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP
        - port: 8000
          protocol: TCP
        - port: 8443
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
@@ -94,17 +120,6 @@ spec:
      ports:
        - port: 5300
          protocol: TCP
    # noc1 step-ca ACME endpoint. The lane brief called out 9000/TCP; the live
    # ACME directory currently answers on 9443/TCP, so both stay pinned to the
    # same host rather than reopening Traefik or internet egress.
    - to:
        - ipBlock:
            cidr: 10.0.56.10/32
      ports:
        - port: 9000
          protocol: TCP
        - port: 9443
          protocol: TCP
 ---
 # 2) fc-desktop-default-deny — namespace-wide catch-all.
 #
@@ -315,11 +330,3 @@ spec:
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 10.0.56.10/32
      ports:
        - port: 9000
          protocol: TCP
        - port: 9443
          protocol: TCP
--- a/apps/fc-desktop/resourcequota.yaml
+++ b/apps/fc-desktop/resourcequota.yaml
@@ -0,0 +1,36 @@
 # FlowerCore Remote Desktop - namespace ResourceQuota (GitOps-managed)
 #
 # Adopts the live fc-desktop-session-cap object created during the
 # 2026-05-19 prewarm-cascade triage. Sprint 44 Phase 1 keeps the pod,
 # CPU, and memory guard unchanged, then adds storage/PVC backstops from
 # the fc-desktop CPU expansion substrate.
 #
 # Two-phase deploy note:
 #   Phase A: apply this ResourceQuota and limitrange.yaml with the current
 #   FlowerCore.RemoteDesktop image.
 #   Phase B: bump the service image only after the RemoteDesktop service
 #   admission/fair-share code lands in that repo.
 apiVersion: v1
 kind: ResourceQuota
 metadata:
  name: fc-desktop-session-cap
  namespace: fc-desktop
  labels:
    app.kubernetes.io/name: fc-desktop
    app.kubernetes.io/part-of: remotedesktop
    app.kubernetes.io/component: capacity-guard
    app.kubernetes.io/managed-by: argocd
    flowercore.io/owner: infra
  annotations:
    flowercore.io/rationale: |
      Operator-requested limit 2026-05-19: cluster CPU exhausted by RD
      pool prewarm cascade. Preserve count/pods=15 plus requests.cpu=8
      and requests.memory=16Gi until capacity expansion lands.
    flowercore.io/phase: sprint-44-cx-9-phase-a
 spec:
  hard:
    count/pods: "15"
    requests.cpu: "8"
    requests.memory: "16Gi"
    requests.storage: "500Gi"
    persistentvolumeclaims: "30"
--- a/apps/fc-devicemgmt/argocd-application.yaml
+++ b/apps/fc-devicemgmt/argocd-application.yaml
@@ -1,33 +0,0 @@
 # Explicit ArgoCD Application shape for bootstrap/review.
 #
 # The live bluejay-infra ApplicationSet already discovers apps/* directories
 # and creates this same Application name (`infra-fc-devicemgmt`) automatically.
 # Keep repoURL on the internal Gitea ClusterIP URL; ArgoCD does not trust the
 # external step-ca HTTPS endpoint.
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: infra-fc-devicemgmt
  namespace: argocd
  labels:
    app.kubernetes.io/name: fc-devicemgmt
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
 spec:
  project: default
  source:
    repoURL: http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git
    targetRevision: main
    path: apps/fc-devicemgmt
  destination:
    server: https://kubernetes.default.svc
    namespace: fc-devicemgmt
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - ServerSideApply=true
--- a/apps/github-runner/.gitattributes
+++ b/apps/github-runner/.gitattributes
@@ -0,0 +1,2 @@
 *.sh text eol=lf
 Dockerfile text eol=lf
--- a/apps/github-runner/Dockerfile
+++ b/apps/github-runner/Dockerfile
@@ -0,0 +1,44 @@
 FROM myoung34/github-runner:latest
 ARG RUBY_VERSION=3.3.11
 ARG RUBY_MINOR=3.3
 ARG RUBY_BUILD_VERSION=v20260326
 ARG RUNNER_UID=1001
 ARG RUNNER_GID=1001
 ENV RUNNER_TOOL_CACHE=/home/runner/_tool
 ENV RUNNER_RUBY_TOOLCACHE=/opt/runner-toolcache
 ENV PATH="/home/runner/_tool/Ruby/${RUBY_MINOR}/x64/bin:/opt/runner-toolcache/Ruby/${RUBY_MINOR}/x64/bin:${PATH}"
 USER root
 RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        autoconf \
        bison \
        build-essential \
        ca-certificates \
        curl \
        libdb-dev \
        libffi-dev \
        libgdbm-dev \
        libgmp-dev \
        libncurses-dev \
        libreadline-dev \
        libssl-dev \
        libyaml-dev \
        patch \
        pkg-config \
        uuid-dev \
        zlib1g-dev \
    && curl -fsSL "https://github.com/rbenv/ruby-build/archive/refs/tags/${RUBY_BUILD_VERSION}.tar.gz" -o /tmp/ruby-build.tar.gz \
    && mkdir -p /tmp/ruby-build \
    && tar -xzf /tmp/ruby-build.tar.gz --strip-components=1 -C /tmp/ruby-build \
    && /tmp/ruby-build/install.sh \
    && rm -rf /tmp/ruby-build /tmp/ruby-build.tar.gz /var/lib/apt/lists/*
 COPY install-ruby-toolcache.sh /usr/local/bin/install-ruby-toolcache.sh
 RUN chmod +x /usr/local/bin/install-ruby-toolcache.sh \
    && RUBY_VERSION="${RUBY_VERSION}" RUBY_MINOR="${RUBY_MINOR}" TOOLCACHE_ROOT="${RUNNER_RUBY_TOOLCACHE}" RUNNER_UID="${RUNNER_UID}" RUNNER_GID="${RUNNER_GID}" /usr/local/bin/install-ruby-toolcache.sh \
    && ruby -v
--- a/apps/github-runner/README.md
+++ b/apps/github-runner/README.md
@@ -7,12 +7,17 @@ Deployments with `kubectl`; update this manifest and let ArgoCD reconcile.
 All repo-scoped Linux runners use:
 - `localhost/fc-github-runner:v20260520-ruby3.3.11`, derived from
  `myoung34/github-runner:latest`
 - `ACCESS_TOKEN` from the `github-runner-token` Secret
 - `RUN_AS_ROOT=false`
 - `EPHEMERAL=true`
 - `LABELS=self-hosted,linux,fc-build-linux`
 - writable non-root paths under `/home/runner` for .NET, NuGet, XDG cache, and
  Actions tool cache
 - Ruby 3.3.11 seeded into `/home/runner/_tool/Ruby/3.3/x64` from the baked
  `/opt/runner-toolcache` copy so `ruby/setup-ruby@v1` can discover it on
  self-hosted `ubuntu-20.04-x64` runners
 `github-runner` for `FlowerCore.Common` is single-replica because it retains the
 original Longhorn ReadWriteOnce NuGet PVC. Every other repo-scoped runner uses
@@ -28,6 +33,34 @@ Sprint 32 final long-tail wave adds 16 two-replica Deployments:
 `FlowerCore.Provisioning`, `FlowerCore.Redis`, `FlowerCore.MessageBoard`, and
 `FlowerCore.MenuBoard`.
 ## Image Build
 Ruby is baked with a pinned `ruby-build` release and Ruby patch version. The pod
 still mounts an `emptyDir` over `/home/runner`, so the `setup-runner-home` init
 container copies the baked toolcache from `/opt/runner-toolcache/Ruby` into
 `/home/runner/_tool/Ruby` before the runner container starts.
 ```bash
 cd apps/github-runner
 podman build -t localhost/fc-github-runner:v20260520-ruby3.3.11 .
 podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 ruby -v
 podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 \
  test -f /opt/runner-toolcache/Ruby/3.3/x64.complete
 podman save localhost/fc-github-runner:v20260520-ruby3.3.11 \
  -o fc-github-runner-v20260520-ruby3.3.11.tar
 ```
 Import the saved image on every schedulable RKE2 node before ArgoCD rolls the
 Deployments:
 ```bash
 for node in rke2-server rke2-agent1 rke2-agent2; do
  scp fc-github-runner-v20260520-ruby3.3.11.tar "$node:/tmp/"
  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images rm localhost/fc-github-runner:v20260520-ruby3.3.11 || true'
  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/fc-github-runner-v20260520-ruby3.3.11.tar'
 done
 ```
 ## Post-Merge Proof
 After the PR is merged and ArgoCD syncs, verify the runner fleet:
@@ -36,6 +69,14 @@ After the PR is merged and ArgoCD syncs, verify the runner fleet:
 kubectl -n github-runner get deploy,pods,pvc
 ```
 Verify the Ruby toolcache in a fresh pod:
 ```bash
 kubectl -n github-runner exec deploy/github-runner-puppet -c runner -- ruby -v
 kubectl -n github-runner exec deploy/github-runner-puppet -c runner -- sh -c \
  'echo "$RUNNER_TOOL_CACHE" && test -f "$RUNNER_TOOL_CACHE/Ruby/3.3/x64.complete"'
 ```
 Verify GitHub registration for the repo-scoped runners:
 ```bash
@@ -69,6 +110,10 @@ from GitHub Actions and verify it lands on an `rke2-linux-*` runner.
 - `actions/setup-dotnet` permission error at `/usr/share/dotnet`: check that
  `DOTNET_INSTALL_DIR=/home/runner/.dotnet` and related cache env vars are
  present on the runner pod.
 - `ruby/setup-ruby@v1` says self-hosted runners must install Ruby in
  `$RUNNER_TOOL_CACHE`: check that the init container copied
  `/opt/runner-toolcache/Ruby` into `/home/runner/_tool/Ruby` and that
  `/home/runner/_tool/Ruby/3.3/x64.complete` exists.
 - `404` during runner registration: the fine-grained PAT is valid but missing
  repository access for that repo. Add the repo to the PAT access list; the PAT
  value does not change.
--- a/apps/github-runner/github-runner.yaml
+++ b/apps/github-runner/github-runner.yaml
@@ -22,11 +22,16 @@
 #   NUGET_PACKAGES, XDG_CACHE_HOME, and RUNNER_TOOL_CACHE are all pointed at
 #   writable mounted paths under /home/runner so actions/setup-dotnet does not
 #   attempt to install into /usr/share/dotnet.
 #   Ruby 3.3.11 is baked into localhost/fc-github-runner:v20260520-ruby3.3.11
 #   under /opt/runner-toolcache; setup-runner-home copies it into
 #   /home/runner/_tool because the runner-home emptyDir masks image content
 #   under /home/runner at runtime.
 #
 # Credentials:
 #   OnePasswordItem "GitHub PAT (Runner Registration)" syncs Secret
-#   github-runner-token with field "credential". myoung34/github-runner uses
+#   github-runner-token with field "credential". The custom image inherits
-#   ACCESS_TOKEN to mint short-lived registration tokens on pod start.
+#   myoung34/github-runner behavior and uses ACCESS_TOKEN to mint short-lived
 #   registration tokens on pod start.
 #
 # Security model:
 #   - No ClusterRole / ClusterRoleBinding. The ServiceAccount has no K8s API
@@ -152,15 +157,19 @@ spec:
      # honors the deeper mount.
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -169,8 +178,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            # GitHub org/repo targeting.
            # Set REPO_URL for a repo-scoped runner (cheaper, simpler).
@@ -325,15 +334,19 @@ spec:
      # rather than re-applied per repo as flipped lanes land.
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -342,8 +355,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Shared.Pos"
@@ -459,15 +472,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -476,8 +493,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Puppet"
@@ -587,15 +604,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -604,8 +625,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Signage"
@@ -715,15 +736,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -732,8 +757,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.DMS"
@@ -843,15 +868,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -860,8 +889,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Telephony"
@@ -971,15 +1000,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -988,8 +1021,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Print.Web"
@@ -1099,15 +1132,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1116,8 +1153,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Chat"
@@ -1227,15 +1264,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1244,8 +1285,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.MySQL"
@@ -1355,15 +1396,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1372,8 +1417,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Kiosk.Linux"
@@ -1485,15 +1530,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1502,8 +1551,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Marquee"
@@ -1615,15 +1664,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1632,8 +1685,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.TtsReader"
@@ -1745,15 +1798,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1762,8 +1819,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Knowledge"
@@ -1874,15 +1931,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1891,8 +1952,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.LlmBridge"
@@ -2003,15 +2064,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2020,8 +2085,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Media"
@@ -2132,15 +2197,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2149,8 +2218,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Presentations"
@@ -2261,15 +2330,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2278,8 +2351,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.RemoteDesktop"
@@ -2390,15 +2463,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2407,8 +2484,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.DNS"
@@ -2519,15 +2596,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2536,8 +2617,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Distribution"
@@ -2648,15 +2729,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2665,8 +2750,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Scoreboard"
@@ -2777,15 +2862,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2794,8 +2883,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.SegmentDisplay"
@@ -2906,15 +2995,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2923,8 +3016,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Signage.Contracts"
@@ -3035,15 +3128,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3052,8 +3149,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.SignalControl"
@@ -3164,15 +3261,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3181,8 +3282,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Intranet.Web"
@@ -3293,15 +3394,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3310,8 +3415,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Provisioning"
@@ -3422,15 +3527,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3439,8 +3548,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Redis"
@@ -3551,15 +3660,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3568,8 +3681,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.MessageBoard"
@@ -3680,15 +3793,19 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: busybox:1.36
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
-              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
+              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
-              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
+                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3697,8 +3814,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: myoung34/github-runner:latest
+          image: localhost/fc-github-runner:v20260520-ruby3.3.11
-          imagePullPolicy: Always
+          imagePullPolicy: Never
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.MenuBoard"
--- a/apps/github-runner/install-ruby-toolcache.sh
+++ b/apps/github-runner/install-ruby-toolcache.sh
@@ -0,0 +1,19 @@
 #!/usr/bin/env bash
 set -euo pipefail
 RUBY_VERSION="${RUBY_VERSION:-3.3.11}"
 RUBY_MINOR="${RUBY_MINOR:-3.3}"
 TOOLCACHE_ROOT="${TOOLCACHE_ROOT:-/opt/runner-toolcache}"
 RUNNER_UID="${RUNNER_UID:-1001}"
 RUNNER_GID="${RUNNER_GID:-1001}"
 RUBY_PREFIX="${TOOLCACHE_ROOT}/Ruby/${RUBY_VERSION}/x64"
 mkdir -p "${TOOLCACHE_ROOT}/Ruby"
 RUBY_CONFIGURE_OPTS="${RUBY_CONFIGURE_OPTS:---disable-install-doc --disable-yjit}" ruby-build "${RUBY_VERSION}" "${RUBY_PREFIX}"
 touch "${TOOLCACHE_ROOT}/Ruby/${RUBY_VERSION}/x64.complete"
 ln -sfn "${RUBY_VERSION}" "${TOOLCACHE_ROOT}/Ruby/${RUBY_MINOR}"
 "${RUBY_PREFIX}/bin/ruby" -v
 chown -R "${RUNNER_UID}:${RUNNER_GID}" "${TOOLCACHE_ROOT}"
 chmod -R a+rX "${TOOLCACHE_ROOT}"
--- a/apps/guacamole/guacamole.yaml
+++ b/apps/guacamole/guacamole.yaml
@@ -254,68 +254,6 @@ spec:
      targetPort: 4822
      name: guacd
 ---
 # Guacd display egress isolation.
 #
 # Guacamole web talks to guacd on TCP/4822. Guacd then opens the desktop
 # display connection to the per-session pod. Keep that second hop at raw VNC
 # 5901/TCP for the current RemoteDesktop Browser Lab/openSUSE images. Do not
 # grant guacd broad fc-desktop namespace egress; desktop-to-desktop lateral
 # paths remain blocked by apps/fc-desktop/network-policies.yaml.
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
  name: guacd-desktop-egress
  namespace: guacamole
  labels:
    app.kubernetes.io/part-of: remotedesktop
    app.kubernetes.io/component: display-isolation
 spec:
  podSelector:
    matchLabels:
      app: guacd
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: guacamole
      ports:
        - port: 4822
          protocol: TCP
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # kubectl-proxy sidecar reaches the Kubernetes API; keep it explicit
    # because this NetworkPolicy selects the whole guacd pod.
    - to: []
      ports:
        - port: 443
          protocol: TCP
        - port: 6443
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-desktop
          podSelector:
            matchLabels:
              app.kubernetes.io/name: remote-desktop
      ports:
        - port: 5901
          protocol: TCP
 ---
 # Guacamole Web Application
 apiVersion: apps/v1
 kind: Deployment
--- a/apps/monitoring/noc-monitoring.yaml
+++ b/apps/monitoring/noc-monitoring.yaml
@@ -280,13 +280,14 @@ data:
              printer_model: "NuPrint 210"
      # Print.Web health (Blazor app on edge2:5200)
      # Target `/health` (anonymous) — root path requires API key auth and returns 401.
      - job_name: "probe-printweb"
        metrics_path: /probe
        params:
          module: [http_2xx]
        scrape_interval: 30s
        static_configs:
-          - targets: ["http://10.0.57.16:5200/"]
+          - targets: ["http://10.0.57.16:5200/health"]
            labels:
              instance: "print-web"
              service: "print-web"
--- a/tests/bluejay-infra-lint/FcDesktopCapacityPolicyTests.cs
+++ b/tests/bluejay-infra-lint/FcDesktopCapacityPolicyTests.cs
@@ -0,0 +1,285 @@
 using FluentAssertions;
 using YamlDotNet.RepresentationModel;
 using Xunit;
 namespace BluejayInfraLint.Tests;
 [Trait("Category", "Unit")]
 public sealed class FcDesktopCapacityPolicyTests
 {
    private static readonly ManifestInventory Inventory = ManifestInventory.Load();
    [Fact]
    public void FcDesktop_AppDirectoryMustExist()
    {
        Directory.Exists(Path.Combine(Inventory.BluejayRoot, "apps", "fc-desktop"))
            .Should()
            .BeTrue();
    }
    [Fact]
    public void FcDesktop_MustHaveExactlyOneResourceQuota()
    {
        FcDesktopDocuments()
            .Where(document => document.Kind == "ResourceQuota")
            .Should()
            .ContainSingle();
    }
    [Fact]
    public void FcDesktop_ResourceQuotaMustAdoptLiveSessionCapObject()
    {
        var quota = ResourceQuota();
        quota.RelativePath.Should().Be("fc-desktop/resourcequota.yaml");
        quota.Name.Should().Be("fc-desktop-session-cap");
        quota.Namespace.Should().Be("fc-desktop");
    }
    [Theory]
    [InlineData("count/pods", "15")]
    [InlineData("requests.cpu", "8")]
    [InlineData("requests.memory", "16Gi")]
    [InlineData("requests.storage", "500Gi")]
    [InlineData("persistentvolumeclaims", "30")]
    public void FcDesktop_ResourceQuotaMustDeclarePhaseOneHardLimits(string key, string value)
    {
        ResourceQuota().Scalar("spec", "hard", key).Should().Be(value);
    }
    [Fact]
    public void FcDesktop_ResourceQuotaMustCarryTraceableLabels()
    {
        ResourceQuotaLabels()
            .Should()
            .Contain(new Dictionary<string, string>
            {
                ["app.kubernetes.io/name"] = "fc-desktop",
                ["app.kubernetes.io/part-of"] = "remotedesktop",
                ["app.kubernetes.io/component"] = "capacity-guard",
                ["app.kubernetes.io/managed-by"] = "argocd",
                ["flowercore.io/owner"] = "infra",
            });
    }
    [Fact]
    public void FcDesktop_ResourceQuotaMustUseRequestsKeysForComputeCap()
    {
        var hardKeys = HardLimitKeys(ResourceQuota());
        hardKeys.Should().Contain(new[] { "requests.cpu", "requests.memory" });
        hardKeys.Should().NotContain(new[] { "cpu", "memory" });
    }
    [Fact]
    public void FcDesktop_ResourceQuotaMustAvoidDestructiveArgoAnnotations()
    {
        var quota = ResourceQuota();
        quota.Scalar("metadata", "annotations", "argocd.argoproj.io/hook").Should().BeNull();
        quota.Scalar("metadata", "annotations", "argocd.argoproj.io/hook-delete-policy").Should().BeNull();
        var syncOptions = quota.Scalar("metadata", "annotations", "argocd.argoproj.io/sync-options") ?? string.Empty;
        syncOptions.Should().NotContain("Force=true");
        syncOptions.Should().NotContain("Replace=true");
    }
    [Fact]
    public void FcDesktop_ResourceQuotaMustRecordPhaseAInfraOnlyScope()
    {
        ResourceQuota().Scalar("metadata", "annotations", "flowercore.io/phase")
            .Should()
            .Be("sprint-44-cx-9-phase-a");
    }
    [Fact]
    public void FcDesktop_MustHaveExactlyOneLimitRange()
    {
        FcDesktopDocuments()
            .Where(document => document.Kind == "LimitRange")
            .Should()
            .ContainSingle();
    }
    [Fact]
    public void FcDesktop_LimitRangeMustLiveBesideResourceQuota()
    {
        var limitRange = LimitRange();
        limitRange.RelativePath.Should().Be("fc-desktop/limitrange.yaml");
        limitRange.Name.Should().Be("fc-desktop-pod-defaults");
        limitRange.Namespace.Should().Be("fc-desktop");
    }
    [Fact]
    public void FcDesktop_LimitRangeMustHaveSingleContainerRule()
    {
        var limit = LimitRangeRule();
        LimitRange().MappingSequence("spec", "limits").Should().ContainSingle();
        ManifestNodeExtensions.Scalar(limit, "type").Should().Be("Container");
    }
    [Theory]
    [InlineData("default", "cpu", "1.0")]
    [InlineData("default", "memory", "2Gi")]
    [InlineData("defaultRequest", "cpu", "500m")]
    [InlineData("defaultRequest", "memory", "1Gi")]
    [InlineData("max", "cpu", "2.0")]
    [InlineData("max", "memory", "4Gi")]
    [InlineData("min", "cpu", "100m")]
    [InlineData("min", "memory", "128Mi")]
    public void FcDesktop_LimitRangeMustDeclarePerPodShape(string section, string key, string value)
    {
        ManifestNodeExtensions.Scalar(LimitRangeRule(), section, key).Should().Be(value);
    }
    [Fact]
    public void FcDesktop_LimitRangeMustCarryTraceableLabels()
    {
        LimitRangeLabels()
            .Should()
            .Contain(new Dictionary<string, string>
            {
                ["app.kubernetes.io/name"] = "fc-desktop",
                ["app.kubernetes.io/part-of"] = "remotedesktop",
                ["app.kubernetes.io/component"] = "capacity-guard",
                ["app.kubernetes.io/managed-by"] = "argocd",
                ["flowercore.io/owner"] = "infra",
            });
    }
    [Fact]
    public void FcDesktop_LimitRangeMustAvoidDestructiveArgoAnnotations()
    {
        var limitRange = LimitRange();
        limitRange.Scalar("metadata", "annotations", "argocd.argoproj.io/hook").Should().BeNull();
        limitRange.Scalar("metadata", "annotations", "argocd.argoproj.io/hook-delete-policy").Should().BeNull();
        var syncOptions = limitRange.Scalar("metadata", "annotations", "argocd.argoproj.io/sync-options") ?? string.Empty;
        syncOptions.Should().NotContain("Force=true");
        syncOptions.Should().NotContain("Replace=true");
    }
    [Fact]
    public void FcDesktop_LimitRangeMustRecordPhaseAInfraOnlyScope()
    {
        LimitRange().Scalar("metadata", "annotations", "flowercore.io/phase")
            .Should()
            .Be("sprint-44-cx-9-phase-a");
    }
    [Fact]
    public void FcDesktop_BluejayInfraMustNotOwnDeploymentOrService()
    {
        FcDesktopDocuments()
            .Select(document => document.Kind)
            .Should()
            .NotContain(new[] { "Deployment", "Service" });
    }
    [Fact]
    public void FcDesktop_BluejayInfraMustOnlyOwnInfraResourceKinds()
    {
        var allowedKinds = new HashSet<string>(StringComparer.Ordinal)
        {
            "Certificate",
            "IngressRoute",
            "NetworkPolicy",
            "ResourceQuota",
            "LimitRange",
        };
        FcDesktopDocuments()
            .Select(document => document.Kind)
            .Should()
            .OnlyContain(kind => allowedKinds.Contains(kind));
    }
    [Fact]
    public void FcDesktop_NetworkPolicySetMustRemainPresent()
    {
        FcDesktopDocuments()
            .Where(document => document.Kind == "NetworkPolicy")
            .Select(document => document.Name)
            .Should()
            .BeEquivalentTo(
                "desktop-isolation",
                "fc-desktop-default-deny",
                "remotedesktop-web-isolation",
                "cm-acme-http-solver-allow");
    }
    [Fact]
    public void FcDesktop_TlsIngressMustRemainOwnedByInfra()
    {
        FcDesktopDocuments()
            .Should()
            .Contain(document => document.Kind == "Certificate" && document.Name == "remotedesktop-web-tls")
            .And
            .Contain(document => document.Kind == "IngressRoute" && document.Name == "remotedesktop-web");
    }
    private static IReadOnlyList<ManifestDocument> FcDesktopDocuments()
    {
        return Inventory.Documents
            .Where(document => document.RelativePath.StartsWith("fc-desktop/", StringComparison.Ordinal))
            .ToList();
    }
    private static ManifestDocument ResourceQuota()
    {
        return FcDesktopDocuments()
            .Single(document => document.Kind == "ResourceQuota");
    }
    private static ManifestDocument LimitRange()
    {
        return FcDesktopDocuments()
            .Single(document => document.Kind == "LimitRange");
    }
    private static YamlMappingNode LimitRangeRule()
    {
        return LimitRange()
            .MappingSequence("spec", "limits")
            .Single();
    }
    private static IReadOnlySet<string> HardLimitKeys(ManifestDocument document)
    {
        var hard = ManifestNodeExtensions.Mapping(document.Root, "spec", "hard")
            ?? throw new InvalidOperationException($"{document.Descriptor} is missing spec.hard.");
        return hard.Children.Keys
            .OfType<YamlScalarNode>()
            .Select(key => key.Value)
            .Where(value => !string.IsNullOrWhiteSpace(value))
            .Cast<string>()
            .ToHashSet(StringComparer.Ordinal);
    }
    private static IReadOnlyDictionary<string, string> ResourceQuotaLabels()
    {
        return Labels(ResourceQuota());
    }
    private static IReadOnlyDictionary<string, string> LimitRangeLabels()
    {
        return Labels(LimitRange());
    }
    private static IReadOnlyDictionary<string, string> Labels(ManifestDocument document)
    {
        var labels = ManifestNodeExtensions.Mapping(document.Root, "metadata", "labels")
            ?? throw new InvalidOperationException($"{document.Descriptor} is missing metadata.labels.");
        return labels.Children
            .Where(entry => entry.Key is YamlScalarNode && entry.Value is YamlScalarNode)
            .ToDictionary(
                entry => ((YamlScalarNode)entry.Key).Value ?? string.Empty,
                entry => ((YamlScalarNode)entry.Value).Value ?? string.Empty,
                StringComparer.Ordinal);
    }
 }
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -234,7 +234,7 @@ public sealed class FleetManifestLintTests
        {
            deployments.Should().ContainKey(expectedRunner.Key);
-            var container = deployments[expectedRunner.Key].ContainerMappings().Should().ContainSingle().Subject;
+            var container = RunnerContainer(deployments[expectedRunner.Key]);
            EnvValue(container, "REPO_URL").Should().Be(expectedRunner.Value);
            EnvValue(container, "EPHEMERAL").Should().Be("true");
            EnvValue(container, "LABELS").Should().Be("self-hosted,linux,fc-build-linux");
@@ -250,7 +250,7 @@ public sealed class FleetManifestLintTests
    {
        foreach (var deployment in GitHubRunnerDeployments().Values)
        {
-            var container = deployment.ContainerMappings().Should().ContainSingle().Subject;
+            var container = RunnerContainer(deployment);
            foreach (var expectedEnv in WritableRunnerEnv)
            {
@@ -430,7 +430,6 @@ public sealed class FleetManifestLintTests
        var expectedFiles = new[]
        {
            "1password-item.yaml",
            "argocd-application.yaml",
            "certificate-web.yaml",
            "clusterrole-operator.yaml",
            "clusterrolebinding-operator.yaml",
@@ -586,17 +585,15 @@ public sealed class FleetManifestLintTests
    }
    [Fact]
-    public void FcDeviceManagement_ArgocdApplicationMustMatchApplicationSetDiscoveryConventions()
+    public void FcDeviceManagement_MustRelyOnApplicationSetDiscovery()
    {
-        var application = FcDeviceManagementDocuments()
+        FcDeviceManagementDocuments()
            .Single(document => document.Kind == "Application" && document.Name == "infra-fc-devicemgmt");
        application.Namespace.Should().Be("argocd");
        application.Scalar("spec", "source", "repoURL")
            .Should()
-            .Be("http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git");
+            .NotContain(document => document.Kind == "Application", "the root ApplicationSet owns apps/fc-devicemgmt discovery");
-        application.Scalar("spec", "source", "path").Should().Be("apps/fc-devicemgmt");
+
-        application.Scalar("spec", "destination", "namespace").Should().Be("fc-devicemgmt");
+        FcDeviceManagementDocuments()
            .Should()
            .Contain(document => document.Kind == "Namespace" && document.Name == "fc-devicemgmt");
    }
    private static IEnumerable<string> ProbeViolations(
@@ -631,6 +628,12 @@ public sealed class FleetManifestLintTests
            .ToDictionary(document => document.Name, StringComparer.Ordinal);
    }
    private static YamlMappingNode RunnerContainer(ManifestDocument deployment)
    {
        return deployment.ContainerMappings()
            .Single(container => string.Equals(ManifestNodeExtensions.Scalar(container, "name"), "runner", StringComparison.Ordinal));
    }
    private static int ReplicaCount(ManifestDocument document)
    {
        return int.TryParse(document.Scalar("spec", "replicas"), out var replicas) ? replicas : 1;
--- a/tests/bluejay-infra-lint/RemoteDesktopNetworkPolicyTests.cs
+++ b/tests/bluejay-infra-lint/RemoteDesktopNetworkPolicyTests.cs
@@ -1,93 +0,0 @@
 using FluentAssertions;
 using Xunit;
 namespace BluejayInfraLint.Tests;
 [Trait("Category", "Unit")]
 public sealed class RemoteDesktopNetworkPolicyTests
 {
    private static readonly ManifestInventory Inventory = ManifestInventory.Load();
    [Fact]
    public void LiveDesktopIsolation_AllowsOnlyCoreDnsIntranetAndStepCaEgress()
    {
        var policy = NetworkPolicy("fc-desktop", "desktop-isolation");
        var ports = policy.EgressPorts().ToHashSet(StringComparer.Ordinal);
        ports.Should().BeEquivalentTo("53", "5300", "9000", "9443");
        policy.AllScalars().Should().Contain(new[]
        {
            "kube-system",
            "kube-dns",
            "intranet",
            "intranet-web",
            "10.0.56.10/32"
        });
    }
    [Fact]
    public void LiveDesktopIsolation_RemovesInternetNfsAndTraefikEgress()
    {
        var policy = NetworkPolicy("fc-desktop", "desktop-isolation");
        var scalars = policy.AllScalars().ToList();
        var ports = policy.EgressPorts().ToHashSet(StringComparer.Ordinal);
        scalars.Should().NotContain(new[] { "10.0.58.3/32", "10.0.56.200/32", "10.43.33.87/32", "traefik-system" });
        ports.Should().NotContain(new[] { "80", "443", "445", "111", "2049", "8000", "8080", "8443" });
        policy.MappingSequence("spec", "egress")
            .Should()
            .NotContain(rule => EgressRuleHasEmptyTo(rule), "desktop sessions must not use to: [] internet-style egress");
    }
    [Fact]
    public void LiveGuacdIsolation_AllowsRawVncToDesktopPodsOnly()
    {
        var policy = NetworkPolicy("guacamole", "guacd-desktop-egress");
        var scalars = policy.AllScalars().ToList();
        var ports = policy.EgressPorts().ToHashSet(StringComparer.Ordinal);
        ports.Should().Contain("5901");
        scalars.Should().Contain(new[] { "fc-desktop", "remote-desktop" });
        ports.Should().NotContain(new[] { "3000", "3001", "3389", "80", "8080", "8443" });
    }
    [Fact]
    public void LiveGuacdIsolation_KeepsGuacamoleWebIngressOnGuacdPort()
    {
        var policy = NetworkPolicy("guacamole", "guacd-desktop-egress");
        policy.Scalar("spec", "podSelector", "matchLabels", "app").Should().Be("guacd");
        policy.AllScalars().Should().Contain(new[] { "guacamole", "4822" });
    }
    [Fact]
    public void HelperSmoke_FindsExpectedRemoteDesktopPolicies()
    {
        NetworkPolicy("fc-desktop", "desktop-isolation").Name.Should().Be("desktop-isolation");
        NetworkPolicy("guacamole", "guacd-desktop-egress").Name.Should().Be("guacd-desktop-egress");
    }
    [Fact]
    public void HelperSmoke_EgressPortExtractionKeepsDistinctPorts()
    {
        var ports = NetworkPolicy("fc-desktop", "desktop-isolation")
            .EgressPorts()
            .ToHashSet(StringComparer.Ordinal);
        ports.Should().HaveCount(4);
        ports.Should().Contain(new[] { "53", "5300", "9000", "9443" });
    }
    private static ManifestDocument NetworkPolicy(string ns, string name)
        => Inventory.Documents.Single(document =>
            document.Kind == "NetworkPolicy"
            && string.Equals(document.Namespace, ns, StringComparison.Ordinal)
            && string.Equals(document.Name, name, StringComparison.Ordinal));
    private static bool EgressRuleHasEmptyTo(YamlDotNet.RepresentationModel.YamlMappingNode rule)
        => rule.Children.Any(entry =>
            entry.Key is YamlDotNet.RepresentationModel.YamlScalarNode key
            && string.Equals(key.Value, "to", StringComparison.Ordinal)
            && entry.Value is YamlDotNet.RepresentationModel.YamlSequenceNode sequence
            && sequence.Children.Count == 0);
 }
Author	SHA1	Message	Date
Andrew Stoltz	eaba7cd171	fc-desktop: add phase 1 capacity guards	2026-05-20 15:49:20 -05:00
Andrew Stoltz	65aa1e6104	fix(monitoring): point probe-printweb at /health (Q-MR-90) Root path requires API key auth — `/` returned 401 to the blackbox probe, firing PrintWebDown despite `/health` reporting Healthy. Pattern: feedback_k8s_probes_behind_auth_middleware. Mirrors FlowerCore.Notes scripts/monitoring/prometheus.yml. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-20 14:52:02 -05:00
Andrew Stoltz	7f2a3b76b4	feat(github-runner): bake Ruby 3.3 into Linux self-hosted runner image (Q-MR-81)	2026-05-20 11:45:43 -05:00
bluejay	ea73f00461	fix(fc-devicemgmt): remove self-referential Application resource (Q-MR-79) ApplicationSet already creates infra-fc-devicemgmt; removing the in-repo Application child clears the self-reference drift.	2026-05-20 16:20:01 +00:00
Andrew Stoltz	25ace30a03	fix(fc-devicemgmt): remove self-referential Application resource (Q-MR-79)	2026-05-20 11:18:25 -05:00