docs(fc-build-windows): capture runner operator gate

2026-05-20 11:27:21 -05:00
13 changed files with 510 additions and 767 deletions
--- a/apps/fc-build-windows/README.md
+++ b/apps/fc-build-windows/README.md
@@ -0,0 +1,263 @@
 # fc-build-windows runner gate
 Status: OPEN-WITH-OPERATOR-ACTION as of 2026-05-20.
 This directory is intentionally not a live runner deployment. It records the
 exact gate for bringing up the Windows self-hosted runner fleet without faking
 capacity in GitHub or Kubernetes.
 ## Lane evidence
 - `D:\git\FlowerCore\FlowerCore.Notes\docs\dashboards\decisions-waiting.html`
  lines 15078-15085: Q-MR-82 says the Updater Windows Sandbox E2E run is
  queued and `bluejay-ws-sandbox-1` is offline.
 - `D:\git\FlowerCore\FlowerCore.Notes\memory\project_morning_routine_8_2026_05_20.md`:
  Morning Routine #8 carries Q-MR-82 as the fleet-wide Windows runner gap.
 - `D:\git\FlowerCore\FlowerCore.Notes\docs\standards\sprint-37-codex-dispatch-log-2026-05-19.md`
  lines 76, 84-85, and 97: keep BLUEJAY-WS out of runner plans, merge Linux
  runner expansion separately, and keep true Windows-only workflows parked on
  the Windows runner host substrate path.
 - `D:\git\FlowerCore\FlowerCore.Notes\docs\ai-agents\codex-prompts\2026-05-20-xxxxl-sprint-42-orchestrator-briefs.md`
  lane Cx-5: land a deployment only if a Windows runner image/substrate is
  ready; otherwise commit an operator-action gate.
 - `D:\git\FlowerCore\FlowerCore.Notes\memory\feedback_bluejay_ws_never_a_github_runner.md`:
  BLUEJAY-WS is operator-only territory; Windows runners belong on a dedicated
  KubeVirt Windows VM such as `ci1` or a sibling VM.
 ## Live probe summary
 Commands run on 2026-05-20 from `D:\git\FlowerCore\bluejay-infra`:
 ```powershell
 $env:KUBECONFIG="$env:USERPROFILE\.kube\rke2.yaml"
 kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"`t"}{.metadata.labels.kubernetes\.io/os}{"`n"}{end}'
 ```
 Result: `rke2-agent1`, `rke2-agent2`, and `rke2-server` all report
 `kubernetes.io/os=linux`. There is no Windows Kubernetes node, so Windows
 containers on RKE2 cannot satisfy `fc-build-windows`.
 ```powershell
 kubectl -n kubevirt-vms get vm,vmi,pods -o wide
 ```
 Result: KubeVirt is healthy and `ci1` is `Running` / `Ready=True` on
 `rke2-agent1` with VMI IP `10.42.103.35`.
 ```powershell
 virtctl --kubeconfig $env:USERPROFILE\.kube\rke2.yaml port-forward vm/ci1.kubevirt-vms 15985:5985
 ```
 Result during port tests: `dial tcp 10.42.103.35:5985: connect: no route to
 host`. The same result was seen for RDP 3389 and SSH 22. The VM exists, but it
 is not remotely reachable for runner bootstrap from this lane.
 ```powershell
 gh api /repos/astoltz/FlowerCore.Updater/actions/runners `
  --jq '.runners[]? | {name,status,busy,labels:[.labels[].name]}'
 gh run list --repo astoltz/FlowerCore.Updater `
  --workflow "Updater Windows Sandbox E2E" --limit 5
 ```
 Result: GitHub has one Updater runner, `bluejay-ws-sandbox-1`, with
 `status=offline`; run `26150689447` is still `queued`.
 ## Feasibility classification
 ### Option A: Windows containers on RKE2
 Not feasible without operator-physical infrastructure work. Kubernetes Windows
 containers require a Windows node. The current cluster has Linux-only RKE2
 nodes.
 ### Option B: KubeVirt Windows VM
 Partially present, not deployable from this lane.
 `apps/kubevirt-vms/ci1.yaml` already defines a Windows Server 2025 KubeVirt VM
 using `localhost/fc-win-server-2025:v1`, and the live VM is running. However:
 - the guest is not reachable over RDP, WinRM, or SSH through `virtctl
  port-forward`;
 - the current root disk is a `containerDisk`, so runner installation inside the
  running guest is not a durable fleet state unless the first-boot automation
  re-registers on every boot or the VM is moved to a persistent PVC-backed
  disk;
 - FC.Updater `Updater Windows Sandbox E2E` uses
  `[self-hosted, windows, windows-sandbox]`, while `fc-build-windows` build jobs
  use `[self-hosted, windows, fc-build-windows]`. Do not advertise
  `windows-sandbox` until Windows Sandbox has been proven in the guest.
 ### Option C: bluejay-ws-sandbox-1
 Operator-only emergency fallback. GitHub shows it registered but offline. The
 current memory says BLUEJAY-WS must not be a fleet runner host, so this lane
 does not start or re-register it. If the operator deliberately overrides the
 policy to drain an emergency queue, start the existing visible runner console
 from the BLUEJAY-WS desktop and treat that as temporary break-glass, not the
 permanent Q-MR-82 closure.
 ## Operator action plan
 ### 1. Pick the Windows host class
 Use `ci1` or a sibling Windows Server 2025 VM for WPF build/test jobs that need
 `fc-build-windows`.
 Use a Windows 11 Pro/Enterprise KubeVirt VM for Updater or WorldBuilder
 Windows Sandbox gates, unless Windows Sandbox support is explicitly proven on
 the selected guest. The workflow labels must match the real capability:
 - WPF build runner: `self-hosted,windows,fc-build-windows,ci1`
 - Sandbox runner: `self-hosted,windows,windows-sandbox,ci-sandbox1`
 ### 2. Make the VM reachable and durable
 From BLUEJAY-WS:
 ```powershell
 $env:KUBECONFIG="$env:USERPROFILE\.kube\rke2.yaml"
 kubectl -n kubevirt-vms get vm,vmi,pods -o wide
 virtctl --kubeconfig $env:KUBECONFIG vnc ci1 -n kubevirt-vms
 virtctl --kubeconfig $env:KUBECONFIG port-forward vm/ci1.kubevirt-vms 13389:3389
 virtctl --kubeconfig $env:KUBECONFIG port-forward vm/ci1.kubevirt-vms 15985:5985
 ```
 Before runner registration, fix the current port-forward failure. The expected
 state is that RDP or WinRM accepts a connection through the control plane.
 For durability, either:
 - move the runner VM to a persistent PVC-backed root disk; or
 - keep `containerDisk` and bake first-boot runner registration into the sysprep
  flow using a non-expiring credential lookup path.
 Do not install a runner by hand into a transient VM and call Q-MR-82 closed.
 ### 3. Install runner prerequisites inside the VM
 Run in an elevated PowerShell session in the Windows runner guest:
 ```powershell
 winget install Microsoft.DotNet.SDK.10 --silent
 winget install Microsoft.DotNet.DesktopRuntime.8 --silent
 winget install Microsoft.PowerShell --silent
 winget install Git.Git --silent
 winget install Microsoft.VisualStudio.2022.BuildTools --silent
 winget install Google.Chrome --silent
 ```
 For a Sandbox-capable runner only:
 ```powershell
 Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM -All
 Restart-Computer -Force
 ```
 After reboot:
 ```powershell
 Get-CimInstance -ClassName Win32_OptionalFeature -Filter "Name='Containers-DisposableClientVM'"
 Test-Path C:\Windows\System32\WindowsSandbox.exe
 ```
 ### 4. Register repo-scoped GitHub runners
 The `astoltz` account uses repo-scoped runners. Generate a fresh one-hour
 registration token per repo immediately before `config.cmd`.
 From a trusted operator shell with `gh` authenticated:
 ```powershell
 $repos = @(
  "FlowerCore.Updater",
  "FlowerCore.WorldBuilder",
  "FlowerCore.DeviceManagement"
 )
 foreach ($repo in $repos) {
  $token = gh api -X POST "/repos/astoltz/$repo/actions/runners/registration-token" --jq .token
  $repoSlug = $repo.ToLowerInvariant().Replace("flowercore.", "").Replace(".", "-")
  $runnerDir = "C:\fc-ghr\$repoSlug-fc-build-windows"
  New-Item -ItemType Directory -Force -Path $runnerDir | Out-Null
  Set-Location $runnerDir
  if (-not (Test-Path ".\config.cmd")) {
    Invoke-WebRequest `
      -Uri "https://github.com/actions/runner/releases/download/v2.323.0/actions-runner-win-x64-2.323.0.zip" `
      -OutFile "actions-runner.zip"
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    [System.IO.Compression.ZipFile]::ExtractToDirectory((Resolve-Path actions-runner.zip), $runnerDir)
  }
  .\config.cmd `
    --url "https://github.com/astoltz/$repo" `
    --token $token `
    --name "ci1-$repoSlug-fc-build-windows" `
    --labels "self-hosted,windows,fc-build-windows,ci1" `
    --work "_work" `
    --unattended `
    --replace
  .\svc.ps1 install
  .\svc.ps1 start
 }
 ```
 For Updater Sandbox E2E, register only after the guest proves Sandbox support,
 and use `windows-sandbox` labels:
 ```powershell
 $token = gh api -X POST "/repos/astoltz/FlowerCore.Updater/actions/runners/registration-token" --jq .token
 .\config.cmd `
  --url "https://github.com/astoltz/FlowerCore.Updater" `
  --token $token `
  --name "ci-sandbox1-updater" `
  --labels "self-hosted,windows,windows-sandbox,ci-sandbox1" `
  --work "_work" `
  --unattended `
  --replace
 ```
 Keep registration tokens out of Git and logs. The durable credential source for
 automation should be the existing 1Password item named `GitHub PAT (Runner
 Registration)`, used only to mint short-lived repo registration tokens.
 ### 5. Verify GitHub and workflow pickup
 ```powershell
 gh api /repos/astoltz/FlowerCore.Updater/actions/runners `
  --jq '.runners[] | select(.labels[].name == "windows-sandbox") | {name,status,busy,labels:[.labels[].name]}'
 gh api /repos/astoltz/FlowerCore.DeviceManagement/actions/runners `
  --jq '.runners[] | select(.labels[].name == "fc-build-windows") | {name,status,busy,labels:[.labels[].name]}'
 gh run list --repo astoltz/FlowerCore.Updater `
  --workflow "Updater Windows Sandbox E2E" --limit 3
 ```
 Q-MR-82 can be marked resolved only after the Updater run moves from `queued` to
 `in_progress` or `completed` on an online runner, or after the affected WPF
 build repos show online `fc-build-windows` repo-scoped runners and their queued
 jobs start.
 ## Break-glass BLUEJAY-WS command
 Only if the operator explicitly overrides the "BLUEJAY-WS is not a runner"
 policy to drain a queue:
 ```powershell
 Set-Location C:\fc-ghr\updater-sandbox
 .\run.cmd
 ```
 If a Windows service exists:
 ```powershell
 Get-Service 'actions.runner.*'
 Start-Service 'actions.runner.*'
 ```
 This does not close Q-MR-82 permanently. It is a temporary queue drain until a
 dedicated VM runner is online.
--- a/apps/fc-build-windows/kustomization.yaml
+++ b/apps/fc-build-windows/kustomization.yaml
@@ -0,0 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - operator-gate-configmap.yaml
--- a/apps/fc-build-windows/operator-gate-configmap.yaml
+++ b/apps/fc-build-windows/operator-gate-configmap.yaml
@@ -0,0 +1,61 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: fc-build-windows-operator-gate
  namespace: kubevirt-vms
  labels:
    app.kubernetes.io/name: fc-build-windows
    app.kubernetes.io/component: operator-gate
    app.kubernetes.io/part-of: github-runner
    flowercore.io/q-card: Q-MR-82
  annotations:
    flowercore.io/outcome: OPEN-WITH-OPERATOR-ACTION
    flowercore.io/live-runner: "false"
 data:
  outcome: OPEN-WITH-OPERATOR-ACTION
  gate.md: |
    Do not treat this ConfigMap as runner capacity.
    Current probe, 2026-05-20:
    - RKE2 nodes are linux-only; Windows containers require a Windows node.
    - KubeVirt `ci1` is Running/Ready, but RDP 3389, WinRM 5985, and SSH 22
      through `virtctl port-forward` return `connect: no route to host`.
    - GitHub Updater runner list has only `bluejay-ws-sandbox-1`, status
      offline. Updater Windows Sandbox E2E run 26150689447 remains queued.
    Required operator action:
    1. Make a dedicated Windows VM reachable and durable.
    2. Install .NET 10 SDK, .NET 8 Desktop Runtime, Git, VS Build Tools, and
       PowerShell 7.
    3. Register repo-scoped runners with short-lived GitHub registration tokens.
    4. Add `fc-build-windows` labels only to WPF build-capable guests.
    5. Add `windows-sandbox` labels only after Sandbox support is proven.
  registration-token-pattern.ps1: |
    $repo = "FlowerCore.Updater"
    $token = gh api -X POST "/repos/astoltz/$repo/actions/runners/registration-token" --jq .token
    $runnerDir = "C:\fc-ghr\updater-fc-build-windows"
    New-Item -ItemType Directory -Force -Path $runnerDir | Out-Null
    Set-Location $runnerDir
    # Install the Actions runner package here if config.cmd is absent.
    .\config.cmd `
      --url "https://github.com/astoltz/$repo" `
      --token $token `
      --name "ci1-updater-fc-build-windows" `
      --labels "self-hosted,windows,fc-build-windows,ci1" `
      --work "_work" `
      --unattended `
      --replace
    .\svc.ps1 install
    .\svc.ps1 start
  verification.ps1: |
    gh api /repos/astoltz/FlowerCore.Updater/actions/runners `
      --jq '.runners[] | {name,status,busy,labels:[.labels[].name]}'
    gh run list --repo astoltz/FlowerCore.Updater `
      --workflow "Updater Windows Sandbox E2E" --limit 3
    $env:KUBECONFIG="$env:USERPROFILE\.kube\rke2.yaml"
    kubectl -n kubevirt-vms get vm,vmi,pods -o wide
--- a/apps/fc-desktop/limitrange.yaml
+++ b/apps/fc-desktop/limitrange.yaml
@@ -1,33 +0,0 @@
 # FlowerCore Remote Desktop - session pod resource defaults
 #
 # Namespace-level LimitRange for Sprint 44 Phase 1. This defends the
 # fc-desktop namespace from unbounded container requests while the
 # per-tenant advisory FairShareEvaluator lands in FlowerCore.RemoteDesktop.
 apiVersion: v1
 kind: LimitRange
 metadata:
  name: fc-desktop-pod-defaults
  namespace: fc-desktop
  labels:
    app.kubernetes.io/name: fc-desktop
    app.kubernetes.io/part-of: remotedesktop
    app.kubernetes.io/component: capacity-guard
    app.kubernetes.io/managed-by: argocd
    flowercore.io/owner: infra
  annotations:
    flowercore.io/phase: sprint-44-cx-9-phase-a
 spec:
  limits:
    - type: Container
      default:
        cpu: "1.0"
        memory: "2Gi"
      defaultRequest:
        cpu: "500m"
        memory: "1Gi"
      max:
        cpu: "2.0"
        memory: "4Gi"
      min:
        cpu: "100m"
        memory: "128Mi"
--- a/apps/fc-desktop/resourcequota.yaml
+++ b/apps/fc-desktop/resourcequota.yaml
@@ -1,36 +0,0 @@
 # FlowerCore Remote Desktop - namespace ResourceQuota (GitOps-managed)
 #
 # Adopts the live fc-desktop-session-cap object created during the
 # 2026-05-19 prewarm-cascade triage. Sprint 44 Phase 1 keeps the pod,
 # CPU, and memory guard unchanged, then adds storage/PVC backstops from
 # the fc-desktop CPU expansion substrate.
 #
 # Two-phase deploy note:
 #   Phase A: apply this ResourceQuota and limitrange.yaml with the current
 #   FlowerCore.RemoteDesktop image.
 #   Phase B: bump the service image only after the RemoteDesktop service
 #   admission/fair-share code lands in that repo.
 apiVersion: v1
 kind: ResourceQuota
 metadata:
  name: fc-desktop-session-cap
  namespace: fc-desktop
  labels:
    app.kubernetes.io/name: fc-desktop
    app.kubernetes.io/part-of: remotedesktop
    app.kubernetes.io/component: capacity-guard
    app.kubernetes.io/managed-by: argocd
    flowercore.io/owner: infra
  annotations:
    flowercore.io/rationale: |
      Operator-requested limit 2026-05-19: cluster CPU exhausted by RD
      pool prewarm cascade. Preserve count/pods=15 plus requests.cpu=8
      and requests.memory=16Gi until capacity expansion lands.
    flowercore.io/phase: sprint-44-cx-9-phase-a
 spec:
  hard:
    count/pods: "15"
    requests.cpu: "8"
    requests.memory: "16Gi"
    requests.storage: "500Gi"
    persistentvolumeclaims: "30"
--- a/apps/github-runner/.gitattributes
+++ b/apps/github-runner/.gitattributes
@@ -1,2 +0,0 @@
 *.sh text eol=lf
 Dockerfile text eol=lf
--- a/apps/github-runner/Dockerfile
+++ b/apps/github-runner/Dockerfile
@@ -1,44 +0,0 @@
 FROM myoung34/github-runner:latest
 ARG RUBY_VERSION=3.3.11
 ARG RUBY_MINOR=3.3
 ARG RUBY_BUILD_VERSION=v20260326
 ARG RUNNER_UID=1001
 ARG RUNNER_GID=1001
 ENV RUNNER_TOOL_CACHE=/home/runner/_tool
 ENV RUNNER_RUBY_TOOLCACHE=/opt/runner-toolcache
 ENV PATH="/home/runner/_tool/Ruby/${RUBY_MINOR}/x64/bin:/opt/runner-toolcache/Ruby/${RUBY_MINOR}/x64/bin:${PATH}"
 USER root
 RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        autoconf \
        bison \
        build-essential \
        ca-certificates \
        curl \
        libdb-dev \
        libffi-dev \
        libgdbm-dev \
        libgmp-dev \
        libncurses-dev \
        libreadline-dev \
        libssl-dev \
        libyaml-dev \
        patch \
        pkg-config \
        uuid-dev \
        zlib1g-dev \
    && curl -fsSL "https://github.com/rbenv/ruby-build/archive/refs/tags/${RUBY_BUILD_VERSION}.tar.gz" -o /tmp/ruby-build.tar.gz \
    && mkdir -p /tmp/ruby-build \
    && tar -xzf /tmp/ruby-build.tar.gz --strip-components=1 -C /tmp/ruby-build \
    && /tmp/ruby-build/install.sh \
    && rm -rf /tmp/ruby-build /tmp/ruby-build.tar.gz /var/lib/apt/lists/*
 COPY install-ruby-toolcache.sh /usr/local/bin/install-ruby-toolcache.sh
 RUN chmod +x /usr/local/bin/install-ruby-toolcache.sh \
    && RUBY_VERSION="${RUBY_VERSION}" RUBY_MINOR="${RUBY_MINOR}" TOOLCACHE_ROOT="${RUNNER_RUBY_TOOLCACHE}" RUNNER_UID="${RUNNER_UID}" RUNNER_GID="${RUNNER_GID}" /usr/local/bin/install-ruby-toolcache.sh \
    && ruby -v
--- a/apps/github-runner/README.md
+++ b/apps/github-runner/README.md
@@ -7,17 +7,12 @@ Deployments with `kubectl`; update this manifest and let ArgoCD reconcile.
 All repo-scoped Linux runners use:
 - `localhost/fc-github-runner:v20260520-ruby3.3.11`, derived from
  `myoung34/github-runner:latest`
 - `ACCESS_TOKEN` from the `github-runner-token` Secret
 - `RUN_AS_ROOT=false`
 - `EPHEMERAL=true`
 - `LABELS=self-hosted,linux,fc-build-linux`
 - writable non-root paths under `/home/runner` for .NET, NuGet, XDG cache, and
  Actions tool cache
 - Ruby 3.3.11 seeded into `/home/runner/_tool/Ruby/3.3/x64` from the baked
  `/opt/runner-toolcache` copy so `ruby/setup-ruby@v1` can discover it on
  self-hosted `ubuntu-20.04-x64` runners
 `github-runner` for `FlowerCore.Common` is single-replica because it retains the
 original Longhorn ReadWriteOnce NuGet PVC. Every other repo-scoped runner uses
@@ -33,34 +28,6 @@ Sprint 32 final long-tail wave adds 16 two-replica Deployments:
 `FlowerCore.Provisioning`, `FlowerCore.Redis`, `FlowerCore.MessageBoard`, and
 `FlowerCore.MenuBoard`.
 ## Image Build
 Ruby is baked with a pinned `ruby-build` release and Ruby patch version. The pod
 still mounts an `emptyDir` over `/home/runner`, so the `setup-runner-home` init
 container copies the baked toolcache from `/opt/runner-toolcache/Ruby` into
 `/home/runner/_tool/Ruby` before the runner container starts.
 ```bash
 cd apps/github-runner
 podman build -t localhost/fc-github-runner:v20260520-ruby3.3.11 .
 podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 ruby -v
 podman run --rm localhost/fc-github-runner:v20260520-ruby3.3.11 \
  test -f /opt/runner-toolcache/Ruby/3.3/x64.complete
 podman save localhost/fc-github-runner:v20260520-ruby3.3.11 \
  -o fc-github-runner-v20260520-ruby3.3.11.tar
 ```
 Import the saved image on every schedulable RKE2 node before ArgoCD rolls the
 Deployments:
 ```bash
 for node in rke2-server rke2-agent1 rke2-agent2; do
  scp fc-github-runner-v20260520-ruby3.3.11.tar "$node:/tmp/"
  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images rm localhost/fc-github-runner:v20260520-ruby3.3.11 || true'
  ssh "$node" 'sudo ctr -a /run/k3s/containerd/containerd.sock -n k8s.io images import /tmp/fc-github-runner-v20260520-ruby3.3.11.tar'
 done
 ```
 ## Post-Merge Proof
 After the PR is merged and ArgoCD syncs, verify the runner fleet:
@@ -69,14 +36,6 @@ After the PR is merged and ArgoCD syncs, verify the runner fleet:
 kubectl -n github-runner get deploy,pods,pvc
 ```
 Verify the Ruby toolcache in a fresh pod:
 ```bash
 kubectl -n github-runner exec deploy/github-runner-puppet -c runner -- ruby -v
 kubectl -n github-runner exec deploy/github-runner-puppet -c runner -- sh -c \
  'echo "$RUNNER_TOOL_CACHE" && test -f "$RUNNER_TOOL_CACHE/Ruby/3.3/x64.complete"'
 ```
 Verify GitHub registration for the repo-scoped runners:
 ```bash
@@ -110,10 +69,6 @@ from GitHub Actions and verify it lands on an `rke2-linux-*` runner.
 - `actions/setup-dotnet` permission error at `/usr/share/dotnet`: check that
  `DOTNET_INSTALL_DIR=/home/runner/.dotnet` and related cache env vars are
  present on the runner pod.
 - `ruby/setup-ruby@v1` says self-hosted runners must install Ruby in
  `$RUNNER_TOOL_CACHE`: check that the init container copied
  `/opt/runner-toolcache/Ruby` into `/home/runner/_tool/Ruby` and that
  `/home/runner/_tool/Ruby/3.3/x64.complete` exists.
 - `404` during runner registration: the fine-grained PAT is valid but missing
  repository access for that repo. Add the repo to the PAT access list; the PAT
  value does not change.
--- a/apps/github-runner/github-runner.yaml
+++ b/apps/github-runner/github-runner.yaml
@@ -22,16 +22,11 @@
 #   NUGET_PACKAGES, XDG_CACHE_HOME, and RUNNER_TOOL_CACHE are all pointed at
 #   writable mounted paths under /home/runner so actions/setup-dotnet does not
 #   attempt to install into /usr/share/dotnet.
 #   Ruby 3.3.11 is baked into localhost/fc-github-runner:v20260520-ruby3.3.11
 #   under /opt/runner-toolcache; setup-runner-home copies it into
 #   /home/runner/_tool because the runner-home emptyDir masks image content
 #   under /home/runner at runtime.
 #
 # Credentials:
 #   OnePasswordItem "GitHub PAT (Runner Registration)" syncs Secret
-#   github-runner-token with field "credential". The custom image inherits
+#   github-runner-token with field "credential". myoung34/github-runner uses
-#   myoung34/github-runner behavior and uses ACCESS_TOKEN to mint short-lived
+#   ACCESS_TOKEN to mint short-lived registration tokens on pod start.
 #   registration tokens on pod start.
 #
 # Security model:
 #   - No ClusterRole / ClusterRoleBinding. The ServiceAccount has no K8s API
@@ -157,19 +152,15 @@ spec:
      # honors the deeper mount.
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -178,8 +169,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            # GitHub org/repo targeting.
            # Set REPO_URL for a repo-scoped runner (cheaper, simpler).
@@ -334,19 +325,15 @@ spec:
      # rather than re-applied per repo as flipped lanes land.
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -355,8 +342,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Shared.Pos"
@@ -472,19 +459,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -493,8 +476,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Puppet"
@@ -604,19 +587,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -625,8 +604,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Signage"
@@ -736,19 +715,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -757,8 +732,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.DMS"
@@ -868,19 +843,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -889,8 +860,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Telephony"
@@ -1000,19 +971,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1021,8 +988,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Print.Web"
@@ -1132,19 +1099,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1153,8 +1116,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Chat"
@@ -1264,19 +1227,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1285,8 +1244,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.MySQL"
@@ -1396,19 +1355,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1417,8 +1372,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Kiosk.Linux"
@@ -1530,19 +1485,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1551,8 +1502,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Marquee"
@@ -1664,19 +1615,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1685,8 +1632,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.TtsReader"
@@ -1798,19 +1745,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1819,8 +1762,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Knowledge"
@@ -1931,19 +1874,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -1952,8 +1891,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.LlmBridge"
@@ -2064,19 +2003,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2085,8 +2020,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Media"
@@ -2197,19 +2132,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2218,8 +2149,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Presentations"
@@ -2330,19 +2261,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2351,8 +2278,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.RemoteDesktop"
@@ -2463,19 +2390,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2484,8 +2407,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.DNS"
@@ -2596,19 +2519,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2617,8 +2536,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Distribution"
@@ -2729,19 +2648,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2750,8 +2665,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Scoreboard"
@@ -2862,19 +2777,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -2883,8 +2794,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.SegmentDisplay"
@@ -2995,19 +2906,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3016,8 +2923,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Signage.Contracts"
@@ -3128,19 +3035,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3149,8 +3052,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.SignalControl"
@@ -3261,19 +3164,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3282,8 +3181,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Intranet.Web"
@@ -3394,19 +3293,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3415,8 +3310,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Provisioning"
@@ -3527,19 +3422,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3548,8 +3439,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.Redis"
@@ -3660,19 +3551,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3681,8 +3568,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.MessageBoard"
@@ -3793,19 +3680,15 @@ spec:
        fsGroup: 1001
      initContainers:
        - name: setup-runner-home
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: busybox:1.36
          imagePullPolicy: Never
          command:
            - sh
            - -c
            - |
              set -e
-              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet /home/runner/.cache /home/runner/_tool
+              mkdir -p /home/runner/.dotnet /home/runner/.nuget/packages /home/runner/.nuget/NuGet
-              if [ -d /opt/runner-toolcache/Ruby ] && [ ! -d /home/runner/_tool/Ruby ]; then
+              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget
-                cp -a /opt/runner-toolcache/Ruby /home/runner/_tool/
+              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget
              fi
              chown -R 1001:1001 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
              chmod -R 755 /home/runner/.dotnet /home/runner/.nuget /home/runner/.cache /home/runner/_tool
          securityContext:
            runAsUser: 0
            runAsNonRoot: false
@@ -3814,8 +3697,8 @@ spec:
              mountPath: /home/runner
      containers:
        - name: runner
-          image: localhost/fc-github-runner:v20260520-ruby3.3.11
+          image: myoung34/github-runner:latest
-          imagePullPolicy: Never
+          imagePullPolicy: Always
          env:
            - name: REPO_URL
              value: "https://github.com/astoltz/FlowerCore.MenuBoard"
--- a/apps/github-runner/install-ruby-toolcache.sh
+++ b/apps/github-runner/install-ruby-toolcache.sh
@@ -1,19 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 RUBY_VERSION="${RUBY_VERSION:-3.3.11}"
 RUBY_MINOR="${RUBY_MINOR:-3.3}"
 TOOLCACHE_ROOT="${TOOLCACHE_ROOT:-/opt/runner-toolcache}"
 RUNNER_UID="${RUNNER_UID:-1001}"
 RUNNER_GID="${RUNNER_GID:-1001}"
 RUBY_PREFIX="${TOOLCACHE_ROOT}/Ruby/${RUBY_VERSION}/x64"
 mkdir -p "${TOOLCACHE_ROOT}/Ruby"
 RUBY_CONFIGURE_OPTS="${RUBY_CONFIGURE_OPTS:---disable-install-doc --disable-yjit}" ruby-build "${RUBY_VERSION}" "${RUBY_PREFIX}"
 touch "${TOOLCACHE_ROOT}/Ruby/${RUBY_VERSION}/x64.complete"
 ln -sfn "${RUBY_VERSION}" "${TOOLCACHE_ROOT}/Ruby/${RUBY_MINOR}"
 "${RUBY_PREFIX}/bin/ruby" -v
 chown -R "${RUNNER_UID}:${RUNNER_GID}" "${TOOLCACHE_ROOT}"
 chmod -R a+rX "${TOOLCACHE_ROOT}"
--- a/apps/monitoring/noc-monitoring.yaml
+++ b/apps/monitoring/noc-monitoring.yaml
@@ -280,14 +280,13 @@ data:
              printer_model: "NuPrint 210"
      # Print.Web health (Blazor app on edge2:5200)
      # Target `/health` (anonymous) — root path requires API key auth and returns 401.
      - job_name: "probe-printweb"
        metrics_path: /probe
        params:
          module: [http_2xx]
        scrape_interval: 30s
        static_configs:
-          - targets: ["http://10.0.57.16:5200/health"]
+          - targets: ["http://10.0.57.16:5200/"]
            labels:
              instance: "print-web"
              service: "print-web"
--- a/tests/bluejay-infra-lint/FcDesktopCapacityPolicyTests.cs
+++ b/tests/bluejay-infra-lint/FcDesktopCapacityPolicyTests.cs
@@ -1,285 +0,0 @@
 using FluentAssertions;
 using YamlDotNet.RepresentationModel;
 using Xunit;
 namespace BluejayInfraLint.Tests;
 [Trait("Category", "Unit")]
 public sealed class FcDesktopCapacityPolicyTests
 {
    private static readonly ManifestInventory Inventory = ManifestInventory.Load();
    [Fact]
    public void FcDesktop_AppDirectoryMustExist()
    {
        Directory.Exists(Path.Combine(Inventory.BluejayRoot, "apps", "fc-desktop"))
            .Should()
            .BeTrue();
    }
    [Fact]
    public void FcDesktop_MustHaveExactlyOneResourceQuota()
    {
        FcDesktopDocuments()
            .Where(document => document.Kind == "ResourceQuota")
            .Should()
            .ContainSingle();
    }
    [Fact]
    public void FcDesktop_ResourceQuotaMustAdoptLiveSessionCapObject()
    {
        var quota = ResourceQuota();
        quota.RelativePath.Should().Be("fc-desktop/resourcequota.yaml");
        quota.Name.Should().Be("fc-desktop-session-cap");
        quota.Namespace.Should().Be("fc-desktop");
    }
    [Theory]
    [InlineData("count/pods", "15")]
    [InlineData("requests.cpu", "8")]
    [InlineData("requests.memory", "16Gi")]
    [InlineData("requests.storage", "500Gi")]
    [InlineData("persistentvolumeclaims", "30")]
    public void FcDesktop_ResourceQuotaMustDeclarePhaseOneHardLimits(string key, string value)
    {
        ResourceQuota().Scalar("spec", "hard", key).Should().Be(value);
    }
    [Fact]
    public void FcDesktop_ResourceQuotaMustCarryTraceableLabels()
    {
        ResourceQuotaLabels()
            .Should()
            .Contain(new Dictionary<string, string>
            {
                ["app.kubernetes.io/name"] = "fc-desktop",
                ["app.kubernetes.io/part-of"] = "remotedesktop",
                ["app.kubernetes.io/component"] = "capacity-guard",
                ["app.kubernetes.io/managed-by"] = "argocd",
                ["flowercore.io/owner"] = "infra",
            });
    }
    [Fact]
    public void FcDesktop_ResourceQuotaMustUseRequestsKeysForComputeCap()
    {
        var hardKeys = HardLimitKeys(ResourceQuota());
        hardKeys.Should().Contain(new[] { "requests.cpu", "requests.memory" });
        hardKeys.Should().NotContain(new[] { "cpu", "memory" });
    }
    [Fact]
    public void FcDesktop_ResourceQuotaMustAvoidDestructiveArgoAnnotations()
    {
        var quota = ResourceQuota();
        quota.Scalar("metadata", "annotations", "argocd.argoproj.io/hook").Should().BeNull();
        quota.Scalar("metadata", "annotations", "argocd.argoproj.io/hook-delete-policy").Should().BeNull();
        var syncOptions = quota.Scalar("metadata", "annotations", "argocd.argoproj.io/sync-options") ?? string.Empty;
        syncOptions.Should().NotContain("Force=true");
        syncOptions.Should().NotContain("Replace=true");
    }
    [Fact]
    public void FcDesktop_ResourceQuotaMustRecordPhaseAInfraOnlyScope()
    {
        ResourceQuota().Scalar("metadata", "annotations", "flowercore.io/phase")
            .Should()
            .Be("sprint-44-cx-9-phase-a");
    }
    [Fact]
    public void FcDesktop_MustHaveExactlyOneLimitRange()
    {
        FcDesktopDocuments()
            .Where(document => document.Kind == "LimitRange")
            .Should()
            .ContainSingle();
    }
    [Fact]
    public void FcDesktop_LimitRangeMustLiveBesideResourceQuota()
    {
        var limitRange = LimitRange();
        limitRange.RelativePath.Should().Be("fc-desktop/limitrange.yaml");
        limitRange.Name.Should().Be("fc-desktop-pod-defaults");
        limitRange.Namespace.Should().Be("fc-desktop");
    }
    [Fact]
    public void FcDesktop_LimitRangeMustHaveSingleContainerRule()
    {
        var limit = LimitRangeRule();
        LimitRange().MappingSequence("spec", "limits").Should().ContainSingle();
        ManifestNodeExtensions.Scalar(limit, "type").Should().Be("Container");
    }
    [Theory]
    [InlineData("default", "cpu", "1.0")]
    [InlineData("default", "memory", "2Gi")]
    [InlineData("defaultRequest", "cpu", "500m")]
    [InlineData("defaultRequest", "memory", "1Gi")]
    [InlineData("max", "cpu", "2.0")]
    [InlineData("max", "memory", "4Gi")]
    [InlineData("min", "cpu", "100m")]
    [InlineData("min", "memory", "128Mi")]
    public void FcDesktop_LimitRangeMustDeclarePerPodShape(string section, string key, string value)
    {
        ManifestNodeExtensions.Scalar(LimitRangeRule(), section, key).Should().Be(value);
    }
    [Fact]
    public void FcDesktop_LimitRangeMustCarryTraceableLabels()
    {
        LimitRangeLabels()
            .Should()
            .Contain(new Dictionary<string, string>
            {
                ["app.kubernetes.io/name"] = "fc-desktop",
                ["app.kubernetes.io/part-of"] = "remotedesktop",
                ["app.kubernetes.io/component"] = "capacity-guard",
                ["app.kubernetes.io/managed-by"] = "argocd",
                ["flowercore.io/owner"] = "infra",
            });
    }
    [Fact]
    public void FcDesktop_LimitRangeMustAvoidDestructiveArgoAnnotations()
    {
        var limitRange = LimitRange();
        limitRange.Scalar("metadata", "annotations", "argocd.argoproj.io/hook").Should().BeNull();
        limitRange.Scalar("metadata", "annotations", "argocd.argoproj.io/hook-delete-policy").Should().BeNull();
        var syncOptions = limitRange.Scalar("metadata", "annotations", "argocd.argoproj.io/sync-options") ?? string.Empty;
        syncOptions.Should().NotContain("Force=true");
        syncOptions.Should().NotContain("Replace=true");
    }
    [Fact]
    public void FcDesktop_LimitRangeMustRecordPhaseAInfraOnlyScope()
    {
        LimitRange().Scalar("metadata", "annotations", "flowercore.io/phase")
            .Should()
            .Be("sprint-44-cx-9-phase-a");
    }
    [Fact]
    public void FcDesktop_BluejayInfraMustNotOwnDeploymentOrService()
    {
        FcDesktopDocuments()
            .Select(document => document.Kind)
            .Should()
            .NotContain(new[] { "Deployment", "Service" });
    }
    [Fact]
    public void FcDesktop_BluejayInfraMustOnlyOwnInfraResourceKinds()
    {
        var allowedKinds = new HashSet<string>(StringComparer.Ordinal)
        {
            "Certificate",
            "IngressRoute",
            "NetworkPolicy",
            "ResourceQuota",
            "LimitRange",
        };
        FcDesktopDocuments()
            .Select(document => document.Kind)
            .Should()
            .OnlyContain(kind => allowedKinds.Contains(kind));
    }
    [Fact]
    public void FcDesktop_NetworkPolicySetMustRemainPresent()
    {
        FcDesktopDocuments()
            .Where(document => document.Kind == "NetworkPolicy")
            .Select(document => document.Name)
            .Should()
            .BeEquivalentTo(
                "desktop-isolation",
                "fc-desktop-default-deny",
                "remotedesktop-web-isolation",
                "cm-acme-http-solver-allow");
    }
    [Fact]
    public void FcDesktop_TlsIngressMustRemainOwnedByInfra()
    {
        FcDesktopDocuments()
            .Should()
            .Contain(document => document.Kind == "Certificate" && document.Name == "remotedesktop-web-tls")
            .And
            .Contain(document => document.Kind == "IngressRoute" && document.Name == "remotedesktop-web");
    }
    private static IReadOnlyList<ManifestDocument> FcDesktopDocuments()
    {
        return Inventory.Documents
            .Where(document => document.RelativePath.StartsWith("fc-desktop/", StringComparison.Ordinal))
            .ToList();
    }
    private static ManifestDocument ResourceQuota()
    {
        return FcDesktopDocuments()
            .Single(document => document.Kind == "ResourceQuota");
    }
    private static ManifestDocument LimitRange()
    {
        return FcDesktopDocuments()
            .Single(document => document.Kind == "LimitRange");
    }
    private static YamlMappingNode LimitRangeRule()
    {
        return LimitRange()
            .MappingSequence("spec", "limits")
            .Single();
    }
    private static IReadOnlySet<string> HardLimitKeys(ManifestDocument document)
    {
        var hard = ManifestNodeExtensions.Mapping(document.Root, "spec", "hard")
            ?? throw new InvalidOperationException($"{document.Descriptor} is missing spec.hard.");
        return hard.Children.Keys
            .OfType<YamlScalarNode>()
            .Select(key => key.Value)
            .Where(value => !string.IsNullOrWhiteSpace(value))
            .Cast<string>()
            .ToHashSet(StringComparer.Ordinal);
    }
    private static IReadOnlyDictionary<string, string> ResourceQuotaLabels()
    {
        return Labels(ResourceQuota());
    }
    private static IReadOnlyDictionary<string, string> LimitRangeLabels()
    {
        return Labels(LimitRange());
    }
    private static IReadOnlyDictionary<string, string> Labels(ManifestDocument document)
    {
        var labels = ManifestNodeExtensions.Mapping(document.Root, "metadata", "labels")
            ?? throw new InvalidOperationException($"{document.Descriptor} is missing metadata.labels.");
        return labels.Children
            .Where(entry => entry.Key is YamlScalarNode && entry.Value is YamlScalarNode)
            .ToDictionary(
                entry => ((YamlScalarNode)entry.Key).Value ?? string.Empty,
                entry => ((YamlScalarNode)entry.Value).Value ?? string.Empty,
                StringComparer.Ordinal);
    }
 }
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -234,7 +234,7 @@ public sealed class FleetManifestLintTests
        {
            deployments.Should().ContainKey(expectedRunner.Key);
-            var container = RunnerContainer(deployments[expectedRunner.Key]);
+            var container = deployments[expectedRunner.Key].ContainerMappings().Should().ContainSingle().Subject;
            EnvValue(container, "REPO_URL").Should().Be(expectedRunner.Value);
            EnvValue(container, "EPHEMERAL").Should().Be("true");
            EnvValue(container, "LABELS").Should().Be("self-hosted,linux,fc-build-linux");
@@ -250,7 +250,7 @@ public sealed class FleetManifestLintTests
    {
        foreach (var deployment in GitHubRunnerDeployments().Values)
        {
-            var container = RunnerContainer(deployment);
+            var container = deployment.ContainerMappings().Should().ContainSingle().Subject;
            foreach (var expectedEnv in WritableRunnerEnv)
            {
@@ -430,6 +430,7 @@ public sealed class FleetManifestLintTests
        var expectedFiles = new[]
        {
            "1password-item.yaml",
            "argocd-application.yaml",
            "certificate-web.yaml",
            "clusterrole-operator.yaml",
            "clusterrolebinding-operator.yaml",
@@ -585,15 +586,17 @@ public sealed class FleetManifestLintTests
    }
    [Fact]
-    public void FcDeviceManagement_MustRelyOnApplicationSetDiscovery()
+    public void FcDeviceManagement_ArgocdApplicationMustMatchApplicationSetDiscoveryConventions()
    {
-        FcDeviceManagementDocuments()
+        var application = FcDeviceManagementDocuments()
-            .Should()
+            .Single(document => document.Kind == "Application" && document.Name == "infra-fc-devicemgmt");
            .NotContain(document => document.Kind == "Application", "the root ApplicationSet owns apps/fc-devicemgmt discovery");
-        FcDeviceManagementDocuments()
+        application.Namespace.Should().Be("argocd");
        application.Scalar("spec", "source", "repoURL")
            .Should()
-            .Contain(document => document.Kind == "Namespace" && document.Name == "fc-devicemgmt");
+            .Be("http://gitea-clusterip.gitea.svc.cluster.local:3000/bluejay/bluejay-infra.git");
        application.Scalar("spec", "source", "path").Should().Be("apps/fc-devicemgmt");
        application.Scalar("spec", "destination", "namespace").Should().Be("fc-devicemgmt");
    }
    private static IEnumerable<string> ProbeViolations(
@@ -628,12 +631,6 @@ public sealed class FleetManifestLintTests
            .ToDictionary(document => document.Name, StringComparer.Ordinal);
    }
    private static YamlMappingNode RunnerContainer(ManifestDocument deployment)
    {
        return deployment.ContainerMappings()
            .Single(container => string.Equals(ManifestNodeExtensions.Scalar(container, "name"), "runner", StringComparison.Ordinal));
    }
    private static int ReplicaCount(ManifestDocument document)
    {
        return int.TryParse(document.Scalar("spec", "replicas"), out var replicas) ? replicas : 1;