fix(cd): keep deploy markers on controlled profile

.gitea/workflows/cd.yaml

@@ -222,6 +222,14 @@ jobs:
                 ;;
               docs/operations/awoooi-production-deploy-readback-blocker.snapshot.json)
                 ;;
+              # 2026-06-29 Codex: CD-generated deploy marker files can appear
+              # in merge commits that carry a prior successful deploy marker.
+              # They must not expand a narrow controlled-runtime release into
+              # the B5 Docker/socket DB lane on the non-110 runner.
+              k8s/awoooi-prod/06-deployment-api.yaml)
+                ;;
+              k8s/awoooi-prod/kustomization.yaml)
+                ;;
               apps/api/src/api/v1/agents.py)
                 ;;
               apps/api/src/api/v1/iwooos.py)

docs/LOGBOOK.md

@@ -49540,6 +49540,28 @@ production browser smoke:
 - 沒有重啟主機，沒有 restart Docker / Nginx / K3s / DB / firewall。
 - 沒有使用 GitHub / gh / GitHub API / GitHub Actions。
 
+## 2026-06-29 — 16:16 P0-003 CD controlled-runtime deploy marker fix
+
+**狀態**：
+- P0-003 Gitea private inventory / authenticated payload validator source 已 normal push 到 Gitea main `c14c7338d`，觸發 CD #3919。
+- CD #3919 tests job 在 full profile 的 B5 真 DB 段失敗；前段 API tests 已到 `3523 passed`，失敗根因是 non-110 runner 無 Docker socket 權限，`pg-test-b5` 未啟動後造成 5 個 integration tests DNS/DB 連線錯誤。
+- 造成 full profile 的原因是 merge commit 攜帶前一輪 CD 產生的 K8s deploy marker 檔案，changed-files selector 未把 `k8s/awoooi-prod/06-deployment-api.yaml` 與 `k8s/awoooi-prod/kustomization.yaml` 視為 controlled-runtime 窄發布來源。
+
+**完成內容**：
+- 更新 `.gitea/workflows/cd.yaml`，將上述兩個 CD deploy marker 檔納入 controlled-runtime 白名單，避免 P0/Gitea-only 窄發布誤跑需要 Docker socket 的 B5 lane。
+- 更新 `ops/runner/test_cd_controlled_runtime_profile.py`，補上 deploy marker 檔案必須維持 controlled-runtime profile 的測試。
+
+**本地驗證結果**：
+- `python3.11 -m pytest ops/runner/test_cd_controlled_runtime_profile.py -q --tb=short -x -p no:cacheprovider`：`12 passed`。
+- `python3.11 ops/runner/guard-gitea-runner-pressure.py --root .`：`GITEA_RUNNER_PRESSURE_GUARD_OK workflow_files=10 scheduled_workflows=3 auto_branch_events_on_110=0 generic_runner_labels=0`。
+- `node scripts/ci/check-gitea-step-env-secrets.js`：`no Gitea step env/with secrets or legacy Telegram routes`。
+- `git diff --check`：通過。
+
+**仍維持**：
+- 沒有讀 secret / token / `.env` / raw sessions / SQLite / auth。
+- 沒有重啟主機，沒有 restart Docker / Nginx / K3s / DB / firewall，沒有修改 runner/host 權限。
+- 沒有使用 GitHub / gh / GitHub API / GitHub Actions。
+
 ## 2026-06-29 — 15:55 P0-003 Gitea authenticated inventory payload validator
 
 **完成內容**：

ops/runner/test_cd_controlled_runtime_profile.py

@@ -116,6 +116,17 @@ def test_gitea_private_inventory_scorecard_stays_on_controlled_runtime_profile()
         assert source in text
 
 
+def test_cd_deploy_marker_files_stay_on_controlled_runtime_profile() -> None:
+    text = _workflow_text()
+    expected_sources = [
+        "CD-generated deploy marker files can appear",
+        "k8s/awoooi-prod/06-deployment-api.yaml)",
+        "k8s/awoooi-prod/kustomization.yaml)",
+    ]
+    for source in expected_sources:
+        assert source in text
+
+
 def test_reboot_auto_recovery_slo_sources_stay_on_controlled_runtime_profile() -> None:
     text = _workflow_text()
     expected_sources = [