diff --git a/.gitea/workflows/cd.yaml b/.gitea/workflows/cd.yaml
index c6759c22..c85c7c5e 100644
--- a/.gitea/workflows/cd.yaml
+++ b/.gitea/workflows/cd.yaml
@@ -198,6 +198,16 @@ jobs:
 ;;
 .gitea/workflows/cd.yaml)
 ;;
+ # 2026-06-29 Codex: build-and-deploy writes only these GitOps
+ # deploy marker files after image push. A later merge commit can
+ # carry them back through CD; keep that marker merge on the
+ # controlled profile so non-110 CD does not fall into B5's Docker
+ # socket path just because the previous deploy recorded image
+ # truth.
+ k8s/awoooi-prod/06-deployment-api.yaml)
+ ;;
+ k8s/awoooi-prod/kustomization.yaml)
+ ;;
 product.awoooi.yaml)
 ;;
 docs/LOGBOOK.md)
diff --git a/ops/runner/test_cd_controlled_runtime_profile.py b/ops/runner/test_cd_controlled_runtime_profile.py
index bb3ce665..c0fec9aa 100644
--- a/ops/runner/test_cd_controlled_runtime_profile.py
+++ b/ops/runner/test_cd_controlled_runtime_profile.py
@@ -27,6 +27,13 @@ def test_product_manifest_changes_stay_on_controlled_runtime_profile() -> None:
 assert "tests/test_product_awoooi_manifest_standard_api.py" in text


+def test_deploy_marker_k8s_files_stay_on_controlled_runtime_profile() -> None:
+ text = _workflow_text()
+ assert "build-and-deploy writes only these GitOps" in text
+ assert "k8s/awoooi-prod/06-deployment-api.yaml)" in text
+ assert "k8s/awoooi-prod/kustomization.yaml)" in text
+
+
 def test_credential_escrow_intake_stays_on_controlled_runtime_profile() -> None:
 text = _workflow_text()
 assert "apps/api/src/services/credential_escrow_evidence_intake_readiness.py)" in text
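Review bot: The two new arms, `k8s/awoooi-prod/06-deployment-api.yaml)` and `k8s/awoooi-prod/kustomization.yaml)`, match on path alone, so every edit to the production Deployment manifest or kustomization takes the controlled-profile route, not only the image-marker rewrite that build-and-deploy produces. The comment justifies the arms by who writes the files, but nothing in the hunk checks the committer or limits the diff to image fields. The rest of the case statement is outside the hunk, so please confirm that the route these files took before did not carry review or isolation steps that a hand-edited change (securityContext, volumes, env) would now skip. If it did, gate the arms on the marker commit's author or on a diff restricted to the image/tag lines. The comment would also age better without the dated attribution and with "non-110" and "B5" spelled out, e.g. `# Deploy-marker files rewritten by build-and-deploy after image push; keep marker merges on the controlled profile.`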
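Review bot: The three assertions in `test_deploy_marker_k8s_files_stay_on_controlled_runtime_profile` only check that substrings occur somewhere in the workflow text, so the test still passes if the arms are moved into a branch that selects the other profile or are left behind in a comment. The first assertion also pins the wording of a YAML comment, so a harmless rewording fails the test while a real routing regression would not. I would drop the comment assertion and check each pattern together with its terminator, e.g. `assert re.search(r"k8s/awoooi-prod/kustomization\.yaml\)\s*;;", text)` (this needs `re` imported if the module does not already have it). Stronger still would be to slice out the controlled-profile case block and assert inside it. The neighbouring tests in the context lines use the same substring style, so the same caveat probably applies to them.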