ops/devops: add offline console runner image scaffold

docs/implplan/SPRINT_0504_0001_0001_ops_devops_ii.md

@@ -26,7 +26,7 @@
 | 4 | DEVOPS-CLI-42-001 | DONE (2025-11-24) | DEVOPS-CLI-41-001 | DevOps Guild | CLI golden output tests, parity diff automation, pack run CI harness, remote cache. |
 | 5 | DEVOPS-CLI-43-002 | DONE (2025-11-24) | DEVOPS-CLI-43-001 | DevOps Guild; Task Runner Guild | Task Pack chaos smoke in CI; sealed-mode toggle; evidence bundles. |
 | 6 | DEVOPS-CLI-43-003 | DONE (2025-11-24) | DEVOPS-CLI-43-002 | DevOps Guild; DevEx/CLI Guild | Integrate CLI golden/parity automation into release gating; publish parity report artifact. |
-| 7 | DEVOPS-CONSOLE-23-001 | DOING (runner + workflow stub 2025-12-07) | Offline runner spec at `ops/devops/console/README.md`; manual-only CI skeleton at `.gitea/workflows/console-ci.yml` awaiting runner cache bake and console approval. | DevOps Guild; Console Guild | Add console CI workflow with offline runners and artifact retention. |
+| 7 | DEVOPS-CONSOLE-23-001 | DOING (runner image scaffold 2025-12-07; awaiting bake/test) | Offline runner spec at `ops/devops/console/README.md`; manual-only CI skeleton at `.gitea/workflows/console-ci.yml` awaiting runner cache bake and console approval. | DevOps Guild; Console Guild | Add console CI workflow with offline runners and artifact retention. |
 | 8 | DEVOPS-CONSOLE-23-002 | BLOCKED | Depends on DEVOPS-CONSOLE-23-001; prepare build/Helm overlays once CI contract lands. | DevOps Guild; Console Guild | Produce `stella-console` container build + Helm chart overlays with deterministic digests, SBOM/provenance artefacts, offline bundle packaging scripts. |
 | 9 | DEVOPS-CONTAINERS-44-001 | DONE (2025-11-24) | — | DevOps Guild | Automate multi-arch image builds with buildx, SBOM generation, cosign signing, CI verification. |
 | 10 | DEVOPS-CONTAINERS-45-001 | DONE (2025-11-24) | DEVOPS-CONTAINERS-44-001 | DevOps Guild | Add Compose/Helm smoke tests (VM + kind), publish artifacts/logs. |
@@ -41,6 +41,7 @@
 ## Execution Log
 | Date (UTC) | Update | Owner |
 | --- | --- | --- |
+| 2025-12-07 | Added console runner Dockerfile + build helper to bake npm/Playwright caches; README updated with runner image usage. | DevOps Guild |
 | 2025-12-07 | Added console offline runner spec (`ops/devops/console/README.md`) and manual-only CI skeleton (`.gitea/workflows/console-ci.yml`); moved DEVOPS-CONSOLE-23-001 to DOING pending runner cache bake/approval. | DevOps Guild |
 | 2025-12-07 | Added Playwright cache seeding helper (`ops/devops/console/seed_playwright.sh`) to bake Chromium into offline runners; enabled PR triggers in `.gitea/workflows/console-ci.yml` (runner must include seeded cache). | DevOps Guild |
 | 2025-12-06 | Header normalised to standard template; no content/status changes. | Project Mgmt |

ops/devops/console/Dockerfile.runner

@@ -0,0 +1,40 @@
+# syntax=docker/dockerfile:1.7
+# Offline-friendly console CI runner image with pre-baked npm and Playwright caches (DEVOPS-CONSOLE-23-001)
+ARG BASE_IMAGE=node:20-bookworm-slim
+ARG APP_DIR=src/Web/StellaOps.Web
+ARG SOURCE_DATE_EPOCH=1704067200
+
+FROM ${BASE_IMAGE}
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    NPM_CONFIG_FUND=false \
+    NPM_CONFIG_AUDIT=false \
+    NPM_CONFIG_PROGRESS=false \
+    SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH} \
+    PLAYWRIGHT_BROWSERS_PATH=/home/runner/.cache/ms-playwright \
+    NPM_CONFIG_CACHE=/home/runner/.npm \
+    CI=true
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends git ca-certificates dumb-init wget curl && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN useradd -m -u 1000 runner
+
+WORKDIR /tmp/console-seed
+COPY ${APP_DIR}/package.json ${APP_DIR}/package-lock.json ./
+
+ENV npm_config_cache=/tmp/npm-cache
+RUN npm ci --cache ${npm_config_cache} --prefer-offline --no-audit --progress=false --ignore-scripts && \
+    PLAYWRIGHT_BROWSERS_PATH=/tmp/ms-playwright npx playwright install chromium --with-deps && \
+    rm -rf node_modules
+
+RUN install -d -o runner -g runner /home/runner/.npm /home/runner/.cache && \
+    mv /tmp/npm-cache /home/runner/.npm && \
+    mv /tmp/ms-playwright /home/runner/.cache/ms-playwright && \
+    chown -R runner:runner /home/runner/.npm /home/runner/.cache
+
+WORKDIR /workspace
+USER runner
+ENTRYPOINT ["/usr/bin/dumb-init","--"]
+CMD ["/bin/bash"]

ops/devops/console/README.md

@@ -1,6 +1,6 @@
 # Console CI runner (offline-friendly)
 
-Status: runner spec + CI now wired to PRs; ensure runner image includes pre-baked Playwright cache before enabling broad PR traffic.
+Status: runner spec + CI now wired to PRs; runner image scaffold now available with baked npm + Playwright cache.
 
 ## Runner profile
 - OS: Ubuntu 22.04 LTS (x86_64) with Docker available for Playwright deps if needed.
@@ -24,7 +24,13 @@ Status: runner spec + CI now wired to PRs; ensure runner image includes pre-bake
 - Do not hit external registries during CI; rely on pre-seeded npm mirror or cached tarballs. Runner image should contain npm cache prime. If mirror is used, set `NPM_CONFIG_REGISTRY=https://registry.npmjs.org` equivalent mirror URL inside the runner; default pipeline does not hard-code it.
 - Playwright browsers must be pre-baked; the workflow will not download them.
 
-### Seeding Playwright cache (one-time per runner image)
+### Runner image (with baked caches)
+- Dockerfile: `ops/devops/console/Dockerfile.runner` (Node 20, npm cache, Playwright Chromium cache). Builds with `npm ci` + `playwright install chromium --with-deps` during the image build.
+- Build locally: `IMAGE_TAG=stellaops/console-runner:offline OUTPUT_TAR=ops/devops/artifacts/console-runner/console-runner.tar ops/devops/console/build-runner-image.sh`
+  - `OUTPUT_TAR` optional; when set, the script saves the image for airgap transport.
+- Runner expectations: `NPM_CONFIG_CACHE=~/.npm`, `PLAYWRIGHT_BROWSERS_PATH=~/.cache/ms-playwright` (paths already baked). Register the runner with a label (e.g., `console-ci`) and point `.gitea/workflows/console-ci.yml` at that runner pool.
+
+### Seeding Playwright cache (one-time per runner image, host-based option)
 ```bash
 ops/devops/console/seed_playwright.sh
 # then bake ~/.cache/ms-playwright into the runner image or mount it on the agent

ops/devops/console/build-runner-image.sh

@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Builds the offline console CI runner image with baked npm/Playwright caches.
+# IMAGE_TAG: docker tag to produce (default: stellaops/console-runner:offline)
+# OUTPUT_TAR: optional path to save the image tarball for airgap use.
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
+IMAGE_TAG=${IMAGE_TAG:-stellaops/console-runner:offline}
+DOCKERFILE=${DOCKERFILE:-ops/devops/console/Dockerfile.runner}
+APP_DIR=${APP_DIR:-src/Web/StellaOps.Web}
+OUTPUT_TAR=${OUTPUT_TAR:-}
+
+if ! command -v docker >/dev/null 2>&1; then
+  echo "docker not found; install Docker/Podman before building the runner image." >&2
+  exit 1
+fi
+
+docker build -f "$ROOT/$DOCKERFILE" --build-arg APP_DIR="$APP_DIR" -t "$IMAGE_TAG" "$ROOT"
+
+if [[ -n "$OUTPUT_TAR" ]]; then
+  mkdir -p "$(dirname "$OUTPUT_TAR")"
+  docker save "$IMAGE_TAG" -o "$OUTPUT_TAR"
+fi
+
+echo "Runner image built: $IMAGE_TAG"
+if [[ -n "$OUTPUT_TAR" ]]; then
+  echo "Saved tarball: $OUTPUT_TAR"
+fi