feat: add phases 10-11, enhance phase 8 direct-check mode, and update Caddy migration

- Phase 10: local repo cutover (rename origin→github, add Gitea remote, push branches/tags)
- Phase 11: custom runner infrastructure with toolchain-based naming
  (go-node-runner, jvm-android-runner) and repo variables via Gitea API
- Add container_options support to manage_runner.sh for KVM passthrough
- Phase 8: add --allow-direct-checks flag for LAN/split-DNS staging
- Phase 7.5: add Cloudflare TLS block, retry logic for probes, multi-upstream support
- Add toggle_dns.sh helper and update orchestration scripts for phases 10-11

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

phase11_post_check.sh

@@ -0,0 +1,204 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# =============================================================================
+# phase11_post_check.sh — Verify custom runner infrastructure deployment
+# Checks:
+#   1. Toolchain images exist on Unraid
+#   2. All phase 11 runners registered and online in Gitea
+#   3. Shared macOS runner has correct labels
+#   4. Repository variables set correctly
+#   5. KVM available on Unraid (warning only)
+# =============================================================================
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "${SCRIPT_DIR}/lib/common.sh"
+
+load_env
+require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \
+             UNRAID_IP UNRAID_SSH_USER UNRAID_SSH_PORT
+
+phase_header 11 "Custom Runners — Post-Check"
+
+REPO_VARS_CONF="${SCRIPT_DIR}/repo_variables.conf"
+PASS=0
+FAIL=0
+WARN=0
+
+run_check() {
+  local desc="$1"
+  shift
+  if "$@"; then
+    log_success "$desc"
+    PASS=$((PASS + 1))
+  else
+    log_error "FAIL: $desc"
+    FAIL=$((FAIL + 1))
+  fi
+}
+
+run_warn_check() {
+  local desc="$1"
+  shift
+  if "$@"; then
+    log_success "$desc"
+    PASS=$((PASS + 1))
+  else
+    log_warn "WARN: $desc"
+    WARN=$((WARN + 1))
+  fi
+}
+
+# =========================================================================
+# Check 1: Toolchain images exist on Unraid
+# =========================================================================
+log_info "--- Checking toolchain images ---"
+
+check_image() {
+  local tag="$1"
+  ssh_exec "UNRAID" "docker image inspect '${tag}' >/dev/null 2>&1"
+}
+
+run_check "Image go-node-runner:latest exists on Unraid" check_image "go-node-runner:latest"
+run_check "Image jvm-android-runner:slim exists on Unraid" check_image "jvm-android-runner:slim"
+run_check "Image jvm-android-runner:full exists on Unraid" check_image "jvm-android-runner:full"
+
+# =========================================================================
+# Check 2: All phase 11 runners registered and online
+# =========================================================================
+log_info "--- Checking runner status ---"
+
+# Fetch all runners from Gitea admin API (single call)
+ALL_RUNNERS=$(gitea_api GET "/admin/runners" 2>/dev/null || echo "[]")
+
+check_runner_online() {
+  local name="$1"
+  local status
+  status=$(printf '%s' "$ALL_RUNNERS" | jq -r --arg n "$name" \
+    '[.[] | select(.name == $n)] | .[0].status // "not-found"' 2>/dev/null)
+  if [[ "$status" == "not-found" ]] || [[ -z "$status" ]]; then
+    log_error "  Runner '${name}' not found in Gitea"
+    return 1
+  fi
+  if [[ "$status" == "offline" ]] || [[ "$status" == "2" ]]; then
+    log_error "  Runner '${name}' is offline"
+    return 1
+  fi
+  return 0
+}
+
+PHASE11_RUNNERS=(
+  macbook-runner
+  unraid-go-node-1
+  unraid-go-node-2
+  unraid-go-node-3
+  unraid-jvm-slim-1
+  unraid-jvm-slim-2
+  unraid-android-emulator
+)
+
+for runner in "${PHASE11_RUNNERS[@]}"; do
+  run_check "Runner '${runner}' registered and online" check_runner_online "$runner"
+done
+
+# =========================================================================
+# Check 3: Shared macOS runner has correct labels
+# =========================================================================
+log_info "--- Checking macOS runner labels ---"
+
+check_mac_labels() {
+  local labels
+  labels=$(printf '%s' "$ALL_RUNNERS" | jq -r \
+    '[.[] | select(.name == "macbook-runner")] | .[0].labels // [] | .[].name' 2>/dev/null)
+  local missing=0
+  for expected in "self-hosted" "macOS" "ARM64"; do
+    if ! printf '%s' "$labels" | grep -qx "$expected" 2>/dev/null; then
+      log_error "  macbook-runner missing label: ${expected}"
+      missing=1
+    fi
+  done
+  return "$missing"
+}
+
+run_check "macbook-runner has labels: self-hosted, macOS, ARM64" check_mac_labels
+
+# =========================================================================
+# Check 4: Repository variables set correctly
+# =========================================================================
+log_info "--- Checking repository variables ---"
+
+check_repo_variable() {
+  local repo="$1" var_name="$2" expected="$3"
+  local owner="${GITEA_ORG_NAME}"
+  local response
+  if ! response=$(gitea_api GET "/repos/${owner}/${repo}/actions/variables/${var_name}" 2>/dev/null); then
+    log_error "  Variable ${var_name} not found on ${repo}"
+    return 1
+  fi
+  local actual
+  actual=$(printf '%s' "$response" | jq -r '.value // .data // empty' 2>/dev/null)
+  if [[ "$actual" != "$expected" ]]; then
+    log_error "  Variable ${var_name} on ${repo}: expected '${expected}', got '${actual}'"
+    return 1
+  fi
+  return 0
+}
+
+if [[ -f "$REPO_VARS_CONF" ]]; then
+  while IFS= read -r repo; do
+    [[ -z "$repo" ]] && continue
+    # Read all keys from the section using inline parsing
+    local_in_section=false
+    while IFS= read -r line; do
+      line="${line#"${line%%[![:space:]]*}"}"
+      line="${line%"${line##*[![:space:]]}"}"
+      [[ -z "$line" ]] && continue
+      [[ "$line" == \#* ]] && continue
+      if [[ "$line" =~ ^\[([^]]+)\] ]]; then
+        if [[ "${BASH_REMATCH[1]}" == "$repo" ]]; then
+          local_in_section=true
+        elif $local_in_section; then
+          break
+        fi
+        continue
+      fi
+      if $local_in_section && [[ "$line" =~ ^([^=]+)=(.*) ]]; then
+        k="${BASH_REMATCH[1]}"
+        v="${BASH_REMATCH[2]}"
+        k="${k#"${k%%[![:space:]]*}"}"
+        k="${k%"${k##*[![:space:]]}"}"
+        v="${v#"${v%%[![:space:]]*}"}"
+        v="${v%"${v##*[![:space:]]}"}"
+        run_check "Variable ${k} on ${repo}" check_repo_variable "$repo" "$k" "$v"
+      fi
+    done < "$REPO_VARS_CONF"
+  done < <(ini_list_sections "$REPO_VARS_CONF")
+else
+  log_warn "repo_variables.conf not found — skipping variable checks"
+  WARN=$((WARN + 1))
+fi
+
+# =========================================================================
+# Check 5: KVM available on Unraid
+# =========================================================================
+log_info "--- Checking KVM availability ---"
+
+check_kvm() {
+  ssh_exec "UNRAID" "test -c /dev/kvm"
+}
+
+run_warn_check "KVM device available on Unraid (/dev/kvm)" check_kvm
+
+# ---------------------------------------------------------------------------
+# Summary
+# ---------------------------------------------------------------------------
+printf '\n'
+TOTAL=$((PASS + FAIL + WARN))
+log_info "Results: ${PASS} passed, ${FAIL} failed, ${WARN} warnings (out of ${TOTAL})"
+
+if [[ $FAIL -gt 0 ]]; then
+  log_error "Some checks failed — review above"
+  exit 1
+fi
+
+log_success "Phase 11 post-check complete"