ops/devops: add offline console runner image scaffold

ops/devops/console/Dockerfile.runner

@@ -0,0 +1,40 @@
+# syntax=docker/dockerfile:1.7
+# Offline-friendly console CI runner image with pre-baked npm and Playwright caches (DEVOPS-CONSOLE-23-001)
+ARG BASE_IMAGE=node:20-bookworm-slim
+ARG APP_DIR=src/Web/StellaOps.Web
+ARG SOURCE_DATE_EPOCH=1704067200
+
+FROM ${BASE_IMAGE}
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    NPM_CONFIG_FUND=false \
+    NPM_CONFIG_AUDIT=false \
+    NPM_CONFIG_PROGRESS=false \
+    SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH} \
+    PLAYWRIGHT_BROWSERS_PATH=/home/runner/.cache/ms-playwright \
+    NPM_CONFIG_CACHE=/home/runner/.npm \
+    CI=true
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends git ca-certificates dumb-init wget curl && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN useradd -m -u 1000 runner
+
+WORKDIR /tmp/console-seed
+COPY ${APP_DIR}/package.json ${APP_DIR}/package-lock.json ./
+
+ENV npm_config_cache=/tmp/npm-cache
+RUN npm ci --cache ${npm_config_cache} --prefer-offline --no-audit --progress=false --ignore-scripts && \
+    PLAYWRIGHT_BROWSERS_PATH=/tmp/ms-playwright npx playwright install chromium --with-deps && \
+    rm -rf node_modules
+
+RUN install -d -o runner -g runner /home/runner/.npm /home/runner/.cache && \
+    mv /tmp/npm-cache /home/runner/.npm && \
+    mv /tmp/ms-playwright /home/runner/.cache/ms-playwright && \
+    chown -R runner:runner /home/runner/.npm /home/runner/.cache
+
+WORKDIR /workspace
+USER runner
+ENTRYPOINT ["/usr/bin/dumb-init","--"]
+CMD ["/bin/bash"]

ops/devops/console/README.md

@@ -1,6 +1,6 @@
 # Console CI runner (offline-friendly)
 
-Status: runner spec + CI now wired to PRs; ensure runner image includes pre-baked Playwright cache before enabling broad PR traffic.
+Status: runner spec + CI now wired to PRs; runner image scaffold now available with baked npm + Playwright cache.
 
 ## Runner profile
 - OS: Ubuntu 22.04 LTS (x86_64) with Docker available for Playwright deps if needed.
@@ -24,7 +24,13 @@ Status: runner spec + CI now wired to PRs; ensure runner image includes pre-bake
 - Do not hit external registries during CI; rely on pre-seeded npm mirror or cached tarballs. Runner image should contain npm cache prime. If mirror is used, set `NPM_CONFIG_REGISTRY=https://registry.npmjs.org` equivalent mirror URL inside the runner; default pipeline does not hard-code it.
 - Playwright browsers must be pre-baked; the workflow will not download them.
 
-### Seeding Playwright cache (one-time per runner image)
+### Runner image (with baked caches)
+- Dockerfile: `ops/devops/console/Dockerfile.runner` (Node 20, npm cache, Playwright Chromium cache). Builds with `npm ci` + `playwright install chromium --with-deps` during the image build.
+- Build locally: `IMAGE_TAG=stellaops/console-runner:offline OUTPUT_TAR=ops/devops/artifacts/console-runner/console-runner.tar ops/devops/console/build-runner-image.sh`
+  - `OUTPUT_TAR` optional; when set, the script saves the image for airgap transport.
+- Runner expectations: `NPM_CONFIG_CACHE=~/.npm`, `PLAYWRIGHT_BROWSERS_PATH=~/.cache/ms-playwright` (paths already baked). Register the runner with a label (e.g., `console-ci`) and point `.gitea/workflows/console-ci.yml` at that runner pool.
+
+### Seeding Playwright cache (one-time per runner image, host-based option)
 ```bash
 ops/devops/console/seed_playwright.sh
 # then bake ~/.cache/ms-playwright into the runner image or mount it on the agent

ops/devops/console/build-runner-image.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Builds the offline console CI runner image with baked npm/Playwright caches.
+# IMAGE_TAG: docker tag to produce (default: stellaops/console-runner:offline)
+# OUTPUT_TAR: optional path to save the image tarball for airgap use.
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+IMAGE_TAG=${IMAGE_TAG:-stellaops/console-runner:offline}
+DOCKERFILE=${DOCKERFILE:-ops/devops/console/Dockerfile.runner}
+APP_DIR=${APP_DIR:-src/Web/StellaOps.Web}
+OUTPUT_TAR=${OUTPUT_TAR:-}
+
+if ! command -v docker >/dev/null 2>&1; then
+  echo "docker not found; install Docker/Podman before building the runner image." >&2
+  exit 1
+fi
+
+docker build -f "$ROOT/$DOCKERFILE" --build-arg APP_DIR="$APP_DIR" -t "$IMAGE_TAG" "$ROOT"
+
+if [[ -n "$OUTPUT_TAR" ]]; then
+  mkdir -p "$(dirname "$OUTPUT_TAR")"
+  docker save "$IMAGE_TAG" -o "$OUTPUT_TAR"
+fi
+
+echo "Runner image built: $IMAGE_TAG"
+if [[ -n "$OUTPUT_TAR" ]]; then
+  echo "Saved tarball: $OUTPUT_TAR"
+fi