ops/devops: add offline console runner image scaffold

ops/devops/console/README.md

@@ -1,6 +1,6 @@
 # Console CI runner (offline-friendly)
 
-Status: runner spec + CI now wired to PRs; ensure runner image includes pre-baked Playwright cache before enabling broad PR traffic.
+Status: runner spec + CI now wired to PRs; runner image scaffold now available with baked npm + Playwright cache.
 
 ## Runner profile
 - OS: Ubuntu 22.04 LTS (x86_64) with Docker available for Playwright deps if needed.
@@ -24,7 +24,13 @@ Status: runner spec + CI now wired to PRs; ensure runner image includes pre-bake
 - Do not hit external registries during CI; rely on pre-seeded npm mirror or cached tarballs. Runner image should contain npm cache prime. If mirror is used, set `NPM_CONFIG_REGISTRY=https://registry.npmjs.org` equivalent mirror URL inside the runner; default pipeline does not hard-code it.
 - Playwright browsers must be pre-baked; the workflow will not download them.
 
-### Seeding Playwright cache (one-time per runner image)
+### Runner image (with baked caches)
+- Dockerfile: `ops/devops/console/Dockerfile.runner` (Node 20, npm cache, Playwright Chromium cache). Builds with `npm ci` + `playwright install chromium --with-deps` during the image build.
+- Build locally: `IMAGE_TAG=stellaops/console-runner:offline OUTPUT_TAR=ops/devops/artifacts/console-runner/console-runner.tar ops/devops/console/build-runner-image.sh`
+  - `OUTPUT_TAR` optional; when set, the script saves the image for airgap transport.
+- Runner expectations: `NPM_CONFIG_CACHE=~/.npm`, `PLAYWRIGHT_BROWSERS_PATH=~/.cache/ms-playwright` (paths already baked). Register the runner with a label (e.g., `console-ci`) and point `.gitea/workflows/console-ci.yml` at that runner pool.
+
+### Seeding Playwright cache (one-time per runner image, host-based option)
 ```bash
 ops/devops/console/seed_playwright.sh
 # then bake ~/.cache/ms-playwright into the runner image or mount it on the agent