feat: add phases 10-11, enhance phase 8 direct-check mode, and update Caddy migration

- Phase 10: local repo cutover (rename origin→github, add Gitea remote, push branches/tags)
- Phase 11: custom runner infrastructure with toolchain-based naming
  (go-node-runner, jvm-android-runner) and repo variables via Gitea API
- Add container_options support to manage_runner.sh for KVM passthrough
- Phase 8: add --allow-direct-checks flag for LAN/split-DNS staging
- Phase 7.5: add Cloudflare TLS block, retry logic for probes, multi-upstream support
- Add toggle_dns.sh helper and update orchestration scripts for phases 10-11

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

run_all.sh

@@ -3,11 +3,11 @@ set -euo pipefail
 
 # =============================================================================
 # run_all.sh — Orchestrate the full Gitea migration pipeline
-# Runs: setup → preflight → phase 1-9 (each with post-check) sequentially.
+# Runs: setup → preflight → phase 1-11 (each with post-check) sequentially.
 # Stops on first failure, prints summary of what completed.
 #
 # Usage:
-#   ./run_all.sh                    # Full run: setup + preflight + phases 1-9
+#   ./run_all.sh                    # Full run: setup + preflight + phases 1-11
 #   ./run_all.sh --skip-setup       # Skip setup scripts, start at preflight
 #   ./run_all.sh --start-from=3     # Run preflight, then start at phase 3
 #   ./run_all.sh --skip-setup --start-from=5
@@ -28,10 +28,12 @@ require_local_os "Darwin" "run_all.sh must run from macOS (the control plane)"
 SKIP_SETUP=false
 START_FROM=0
 START_FROM_SET=false
+ALLOW_DIRECT_CHECKS=false
 
 for arg in "$@"; do
   case "$arg" in
     --skip-setup) SKIP_SETUP=true ;;
+    --allow-direct-checks) ALLOW_DIRECT_CHECKS=true ;;
     --dry-run)
       exec "${SCRIPT_DIR}/post-migration-check.sh"
       ;;
@@ -39,11 +41,11 @@ for arg in "$@"; do
       START_FROM="${arg#*=}"
       START_FROM_SET=true
       if ! [[ "$START_FROM" =~ ^[0-9]+$ ]]; then
-        log_error "--start-from must be a number (1-9)"
+        log_error "--start-from must be a number (1-11)"
         exit 1
       fi
-      if [[ "$START_FROM" -lt 1 ]] || [[ "$START_FROM" -gt 9 ]]; then
-        log_error "--start-from must be between 1 and 9"
+      if [[ "$START_FROM" -lt 1 ]] || [[ "$START_FROM" -gt 11 ]]; then
+        log_error "--start-from must be between 1 and 11"
         exit 1
       fi
       ;;
@@ -52,16 +54,19 @@ for arg in "$@"; do
 Usage: $(basename "$0") [options]
 
 Options:
-  --skip-setup       Skip configure_env + machine setup, start at preflight
-  --start-from=N     Skip phases before N (still runs preflight)
-  --dry-run          Run read-only infrastructure check (no mutations)
-  --help             Show this help
+  --skip-setup              Skip configure_env + machine setup, start at preflight
+  --start-from=N            Skip phases before N (still runs preflight)
+  --allow-direct-checks     Pass --allow-direct-checks to Phase 8 scripts
+                            (LAN/split-DNS staging mode)
+  --dry-run                 Run read-only infrastructure check (no mutations)
+  --help                    Show this help
 
 Examples:
-  $(basename "$0")                       Full run
-  $(basename "$0") --skip-setup          Skip setup, start at preflight
-  $(basename "$0") --start-from=3        Run preflight, then phases 3-9
-  $(basename "$0") --dry-run             Check current state without changing anything
+  $(basename "$0")                                  Full run
+  $(basename "$0") --skip-setup                     Skip setup, start at preflight
+  $(basename "$0") --start-from=3                   Run preflight, then phases 3-11
+  $(basename "$0") --allow-direct-checks            LAN mode: use direct Caddy-IP checks
+  $(basename "$0") --dry-run                        Check current state without changing anything
 EOF
       exit 0 ;;
     *) log_error "Unknown argument: $arg"; exit 1 ;;
@@ -157,7 +162,7 @@ else
 fi
 
 # ---------------------------------------------------------------------------
-# Phases 1-9 — run sequentially, each followed by its post-check
+# Phases 1-11 — run sequentially, each followed by its post-check
 # The phase scripts are the "do" step, post-checks verify success.
 # ---------------------------------------------------------------------------
 PHASES=(
@@ -170,6 +175,8 @@ PHASES=(
   "7|Phase 7: Branch Protection|phase7_branch_protection.sh|phase7_post_check.sh"
   "8|Phase 8: Cutover|phase8_cutover.sh|phase8_post_check.sh"
   "9|Phase 9: Security|phase9_security.sh|phase9_post_check.sh"
+  "10|Phase 10: Local Repo Cutover|phase10_local_repo_cutover.sh|phase10_post_check.sh"
+  "11|Phase 11: Custom Runners|phase11_custom_runners.sh|phase11_post_check.sh"
 )
 
 for phase_entry in "${PHASES[@]}"; do
@@ -181,8 +188,14 @@ for phase_entry in "${PHASES[@]}"; do
     continue
   fi
 
-  run_step "$phase_name" "$phase_script"
-  run_step "${phase_name} — post-check" "$post_check"
+  # Phase 8 scripts accept --allow-direct-checks for LAN/split-DNS setups.
+  if [[ "$phase_num" -eq 8 ]] && [[ "$ALLOW_DIRECT_CHECKS" == "true" ]]; then
+    run_step "$phase_name" "$phase_script" --allow-direct-checks
+    run_step "${phase_name} — post-check" "$post_check" --allow-direct-checks
+  else
+    run_step "$phase_name" "$phase_script"
+    run_step "${phase_name} — post-check" "$post_check"
+  fi
 done
 
 # ---------------------------------------------------------------------------