feat: add phases 10-11, enhance phase 8 direct-check mode, and update Caddy migration

- Phase 10: local repo cutover (rename origin→github, add Gitea remote, push branches/tags)
- Phase 11: custom runner infrastructure with toolchain-based naming
  (go-node-runner, jvm-android-runner) and repo variables via Gitea API
- Add container_options support to manage_runner.sh for KVM passthrough
- Phase 8: add --allow-direct-checks flag for LAN/split-DNS staging
- Phase 7.5: add Cloudflare TLS block, retry logic for probes, multi-upstream support
- Add toggle_dns.sh helper and update orchestration scripts for phases 10-11

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

phase7_5_nginx_to_caddy.sh

@@ -87,7 +87,7 @@ phase_header "7.5" "Nginx to Caddy Migration (Multi-domain)"
 
 # host|upstream|streaming(true/false)|body_limit|insecure_skip_verify(true/false)
 FULL_HOST_MAP=(
-  "ai.sintheus.com|http://192.168.1.82:8181|true|50MB|false"
+  "ai.sintheus.com|http://192.168.1.82:8181 http://192.168.1.83:8181|true|50MB|false"
   "photos.sintheus.com|http://192.168.1.222:2283|false|50GB|false"
   "fin.sintheus.com|http://192.168.1.233:8096|true||false"
   "disk.sintheus.com|http://192.168.1.52:80|false|20GB|false"
@@ -95,11 +95,11 @@ FULL_HOST_MAP=(
   "plex.sintheus.com|http://192.168.1.111:32400|true||false"
   "sync.sintheus.com|http://192.168.1.119:8384|false||false"
   "syno.sintheus.com|https://100.108.182.16:5001|false||true"
-  "tower.sintheus.com|https://192.168.1.82:443|false||true"
+  "tower.sintheus.com|https://192.168.1.82:443 https://192.168.1.83:443|false||true"
 )
 
 CANARY_HOST_MAP=(
-  "tower.sintheus.com|https://192.168.1.82:443|false||true"
+  "tower.sintheus.com|https://192.168.1.82:443 https://192.168.1.83:443|false||true"
 )
 
 GITEA_ENTRY="${GITEA_DOMAIN}|http://${UNRAID_GITEA_IP}:3000|false||false"
@@ -175,7 +175,11 @@ emit_site_block_standalone() {
 
   {
     echo "${host} {"
-    if [[ "$TLS_MODE" == "existing" ]]; then
+    if [[ "$TLS_MODE" == "cloudflare" ]]; then
+      echo "    tls {"
+      echo "        dns cloudflare {env.CF_API_TOKEN}"
+      echo "    }"
+    elif [[ "$TLS_MODE" == "existing" ]]; then
       echo "    tls ${SSL_CERT_PATH} ${SSL_KEY_PATH}"
     fi
     echo "    encode zstd gzip"
@@ -524,23 +528,33 @@ probe_http_code_ok() {
 
 probe_host_via_caddy() {
   local host="$1" upstream="$2" role="$3"
+  local max_attempts="${4:-5}" wait_secs="${5:-5}"
   local path="/"
   if [[ "$role" == "gitea_api" ]]; then
     path="/api/v1/version"
   fi
 
-  local tmp_body http_code
+  local tmp_body http_code attempt
   tmp_body=$(mktemp)
-  http_code=$(curl -sk --resolve "${host}:443:${UNRAID_CADDY_IP}" \
-    -o "$tmp_body" -w "%{http_code}" "https://${host}${path}" 2>/dev/null || echo "000")
 
-  if probe_http_code_ok "$http_code" "$role"; then
-    log_success "Probe passed: ${host} (HTTP ${http_code})"
-    rm -f "$tmp_body"
-    return 0
-  fi
+  for (( attempt=1; attempt<=max_attempts; attempt++ )); do
+    http_code=$(curl -sk --resolve "${host}:443:${UNRAID_CADDY_IP}" \
+      -o "$tmp_body" -w "%{http_code}" "https://${host}${path}" 2>/dev/null) || true
+    [[ -z "$http_code" ]] && http_code="000"
 
-  log_error "Probe failed: ${host} (HTTP ${http_code})"
+    if probe_http_code_ok "$http_code" "$role"; then
+      log_success "Probe passed: ${host} (HTTP ${http_code})"
+      rm -f "$tmp_body"
+      return 0
+    fi
+
+    if [[ $attempt -lt $max_attempts ]]; then
+      log_info "Probe attempt ${attempt}/${max_attempts} for ${host} (HTTP ${http_code}) — retrying in ${wait_secs}s..."
+      sleep "$wait_secs"
+    fi
+  done
+
+  log_error "Probe failed: ${host} (HTTP ${http_code}) after ${max_attempts} attempts"
   if [[ "$http_code" == "502" || "$http_code" == "503" || "$http_code" == "504" || "$http_code" == "000" ]]; then
     local upstream_probe_raw upstream_code
     upstream_probe_raw=$(ssh_exec UNRAID "curl -sk -o /dev/null -w '%{http_code}' '${upstream}' || true" 2>/dev/null || true)