fix(cd): keep awoo op readback on controlled profile

.gitea/workflows/cd.yaml

@@ -242,6 +242,8 @@ jobs:
                 ;;
               apps/api/src/services/ai_agent_autonomous_runtime_control.py)
                 ;;
+              apps/api/src/services/awooop_ansible_check_mode_service.py)
+                ;;
               apps/api/src/services/auto_approve.py)
                 ;;
               apps/api/src/services/decision_fusion.py)
@@ -302,6 +304,8 @@ jobs:
                 ;;
               apps/api/tests/test_ai_agent_autonomous_runtime_control.py)
                 ;;
+              apps/api/tests/test_awooop_truth_chain_service.py)
+                ;;
               apps/api/tests/test_shadow_auto_approve.py)
                 ;;
               apps/api/tests/test_destructive_patterns.py)
@@ -470,6 +474,7 @@ jobs:
               src/services/awoooi_production_deploy_readback_blocker.py \
               src/services/agent_replay_normalizer.py \
               src/services/ai_agent_autonomous_runtime_control.py \
+              src/services/awooop_ansible_check_mode_service.py \
               src/services/auto_repair_service.py \
               src/services/auto_approve.py \
               src/services/decision_fusion.py \
@@ -507,6 +512,7 @@ jobs:
             PYTHONFAULTHANDLER=1 python3.11 -m pytest \
               tests/test_agent_replay_normalizer.py \
               tests/test_ai_agent_autonomous_runtime_control.py \
+              tests/test_awooop_truth_chain_service.py \
               tests/test_shadow_auto_approve.py \
               tests/test_destructive_patterns.py \
               tests/test_approval_pending_visibility.py \

docs/LOGBOOK.md

@@ -1,3 +1,17 @@
+## 2026-06-29 — 17:10 Gitea CD #3925 B5 profile blocker 窄修
+
+**完成內容**：
+- Production Delivery Workbench 已讀回 P0-005 `credential_escrow` lane：`workplan_id=P0-005`、`blocker_count=5`、`secret_value_collection_allowed=false`、`credential_marker_write_authorized_count=0`。
+- Gitea CD `#3925` 失敗定位為 tests job 落入 full profile 後，B5 DB integration 在 non-110 runner 內無法解析 `pg-test-b5`；此輪未操作 host / Docker / K8s，只修 repo 內 profile 分類。
+- `cd.yaml` controlled-runtime profile 納入 `awooop_ansible_check_mode_service.py` 與 `test_awooop_truth_chain_service.py`，讓 AwoooP controlled executor / truth-chain readback 小修走 focused tests，不再因這類變更誤觸 B5 Docker socket DB path。
+- `ops/runner/test_cd_controlled_runtime_profile.py` 補上回歸測試鎖住此分類。
+
+**驗證目標**：
+- `python3.11 -m pytest ops/runner/test_cd_controlled_runtime_profile.py apps/api/tests/test_awooop_truth_chain_service.py apps/api/tests/test_ai_agent_autonomous_runtime_control.py -q --tb=short -x -p no:cacheprovider`。
+- `python3.11 ops/runner/guard-gitea-runner-pressure.py --root .`、`node scripts/ci/check-gitea-step-env-secrets.js`、`git diff --check`。
+
+**邊界**：未使用 GitHub / `gh` / GitHub API；未 workflow_dispatch；未讀 token / cookie / session / secret / auth / `.env`；未操作 host / Docker / K8s / DB；未修改 B5 嚴格測試本身；未 force push。
+
 ## 2026-06-29 — AI 自動化 Log taxonomy / Trace ledger 可見性接線
 
 **完成內容**：

ops/runner/test_cd_controlled_runtime_profile.py

@@ -85,6 +85,18 @@ def test_ai_autonomous_runtime_control_stays_on_controlled_runtime_profile() ->
         assert source in text
 
 
+def test_awooop_ansible_check_mode_stays_on_controlled_runtime_profile() -> None:
+    text = _workflow_text()
+    expected_sources = [
+        "apps/api/src/services/awooop_ansible_check_mode_service.py)",
+        "apps/api/tests/test_awooop_truth_chain_service.py)",
+        "src/services/awooop_ansible_check_mode_service.py",
+        "tests/test_awooop_truth_chain_service.py",
+    ]
+    for source in expected_sources:
+        assert source in text
+
+
 def test_dr_escrow_checklist_stays_on_controlled_runtime_profile() -> None:
     text = _workflow_text()
     expected_sources = [