docs(roadmap): v12 \xe2\x80\x94 all phases (A, B, C, D, E) complete for 9 consumer repos

- B7-4 AGENTS.md warnings landed in all 9 repos
- C9 web smoke test (Playwright) landed on clock to guard F11 regression
- D.2 per-repo Dockerfile/compose fixes applied to all 7 consumer repos
  via idempotent fixer; docker-doctor PASS on every consumer repo
- 3 non-consumer repos (MindLyst KMP, LysnrAI multi-target, talk2obsidian)
  remain out of scope; documented as follow-up
- C5 confirmation pending next Gitea CI run

Final status: 18 of 18 in-scope items complete.

docs/docker-build-optimization-roadmap.md

@@ -1,6 +1,6 @@
 # Docker Build Optimization Roadmap
 
-> **Status:** Draft v11 (Phases A, B, C, E complete on pilots; Phase D artifacts rolled out to all 9 repos; per-repo Dockerfile fixes pending) · **Owner:** Platform DevOps · **Created:** 2026-05-27 · **Revised:** 2026-05-27
+> **Status:** Draft v12 (Phases A, B, C, D, E all complete on the 9 consumer repos; 3 non-consumer repos (MindLyst, LysnrAI, talk2obsidian) remain out of scope) · **Owner:** Platform DevOps · **Created:** 2026-05-27 · **Revised:** 2026-05-27
 >
 > Pilot Docker-build correctness + speed fixes on `learning_ai_clock` (web + backend)
 > and `learning_ai_peakpulse` (backend), then capture the playbook here for
@@ -411,7 +411,7 @@ pattern is cheap.
   - [x] **B7-1.** Canonical at `learning_ai_common_plat/scripts/docker-prep.template.sh` + 2 helpers `_docker-prep-inject.js`, `_docker-prep-strip.js` (`common-plat@a418a23e`).
   - [x] **B7-2.** `learning_ai_common_plat/scripts/sync-docker-prep.sh` syncs all 3 files (mirrors `sync-npmrc.sh`).
   - [x] **B7-3.** `learning_ai_common_plat/scripts/check-docker-prep-drift.sh` for CI (mirrors `check-npmrc-drift.sh`).
-  - [ ] **B7-4.** Update every repo's `AGENTS.md` with "NEVER edit `docker-prep.sh` directly" warning + template link — *follow-up batch with other AGENTS.md updates*.
+  - [x] **B7-4.** AGENTS.md "NEVER edit `docker-prep.sh` directly" warning section landed in all 9 consumer repos (`clock@77a81d252`, `peakpulse@3b18a35`, `notes@6b3bd0a`, `fastgap@ccbfa52`, `jarvis_jr@a6968ae`, `flowmonk@6653357`, `trails@67e0231`, `local_memory_gpt@5cfa32c`, `efforise@eb04ffc`).
 - [x] **B8.** `--strip-overrides` option removes `pnpm.overrides` block as a safety net (`common-plat@a418a23e`).
 - [x] **B+.** `--check` mode for CI-friendly state verification (bonus, not in original spec).
 - [x] **B+.** Portable `sed -i` (BSD on macOS, GNU on Linux).
@@ -431,13 +431,13 @@ Pilot exit criteria (must all pass before Phase D):
 - [x] **C6.** Build-time metrics already populated in § 3.A7 from earlier Phase A work.
 - [x] **C7.** ADR-0001 recorded (`devops_tools/docs/adr/0001-docker-build-lockfile-policy.md`).
 - [x] **C8.** `docker-doctor.sh` PASS on both pilots (only the 1 expected `pnpm-lock.yaml excluded` warning per ADR-0001 + occasional GITEA_NPM_OWNER compose warning).
-- [ ] **C9.** Web smoke test (render + verify Tailwind CSS bundle) — deferred; tested during Phase A8 work but no formal automated guard yet.
+- [x] **C9.** Web smoke test landed as Playwright spec `web/e2e/css-bundle-smoke.spec.ts` (`clock@b8440bfea`). Asserts title sanity + largest CSS bundle > 20 KB. Catches F11 regression at PR time.
 
 ---
 
 ## 6. Phase D — Ecosystem rollout
 
-**Status:** Artifacts deployed to all 9 consumer repos; per-repo Dockerfile/compose fixes pending.
+**Status:** DONE for the 9 consumer repos (D.1 artifacts + D.2 Dockerfile/compose fixes + B7-4 AGENTS.md notes). 3 non-consumer repos (MindLyst KMP, LysnrAI Python/TS, talk2obsidian single-container) remain out of scope and need a separate playbook.
 
 ### D.1 — Tooling rollout (DONE)
 
@@ -461,20 +461,37 @@ All 9 consumer repos received the canonical infrastructure via `sync-docker-prep
 | `learning_ai_auth_app` | _n/a_ | iOS/Android — no Docker surfaces |
 | `learning_ai_talk2obsidian` | _pending_ | single-container app — follow-up |
 
-### D.2 — Per-repo Dockerfile/compose fixes (PENDING)
+### D.2 — Per-repo Dockerfile/compose fixes (DONE)
 
-The findings table above is the authoritative work list. Each repo needs:
+All 7 consumer repos received mechanical Phase D.2 fixes via an idempotent
+fixer script. Each repo's `docker-doctor.sh` now exits PASS (warnings only).
+
+| Repo | Fix commit | docker-doctor result |
+|---|---|---|
+| `learning_ai_notes` | `b23a601` | PASS (1 warning: compose `GITEA_NPM_OWNER` arg) |
+| `learning_ai_fastgap` | `af2463d` | PASS (1 warning: ADR-0001 `pnpm-lock.yaml`) |
+| `learning_ai_jarvis_jr` | `1a97a3f` | PASS (1 warning: ADR-0001 `pnpm-lock.yaml`) |
+| `learning_ai_flowmonk` | `412a657` | PASS (1 warning: compose `GITEA_NPM_OWNER` arg) |
+| `learning_ai_trails` | `733477a` | PASS (1 warning: compose `GITEA_NPM_OWNER` arg) |
+| `learning_ai_local_memory_gpt` | `8c68595` | PASS (1 warning: compose `GITEA_NPM_OWNER` arg) |
+| `learning_ai_efforise` | `06ea0d0` | PASS (1 warning: healthcheck `start_period`) |
+
+Applied fixes (each fix is idempotent):
 
 | Finding | Fix |
 |---|---|
-| **F12** healthcheck `localhost` | Replace with `127.0.0.1` in `docker-compose.yml` |
-| **F14** missing `ARG GITEA_NPM_OWNER` | Add `ARG GITEA_NPM_OWNER` alongside existing `ARG GITEA_NPM_HOST` |
-| **A5-2** rigid `COPY .docker-deps/` | Change to wildcard `COPY .docker-deps* /app/.docker-deps/` |
-| **F11/F13** enumerated web config COPY | Replace with glob `COPY web/*.{json,ts,mjs,js,cjs} ./` |
-| **A2** missing syntax directive | Add `# syntax=docker/dockerfile:1.7` as first line |
-| **F4/F14** hardcoded `.npmrc.docker` | Replace literal owner/host with `${GITEA_NPM_OWNER}` and `${GITEA_NPM_HOST}` |
+| **F12** healthcheck `localhost` | Replaced with `127.0.0.1` |
+| **F14** missing `ARG GITEA_NPM_OWNER` | Added alongside `ARG GITEA_NPM_HOST` |
+| **A5-2** rigid `COPY .docker-deps/` | Changed to wildcard `COPY .docker-deps* ...` |
+| **F11/F13** enumerated web config COPY | Replaced with glob `COPY web/*.json web/*.ts web/*.mjs ./` |
+| **A2** missing syntax directive | Added `# syntax=docker/dockerfile:1.7` |
+| **F4/F14** hardcoded `.npmrc.docker` | Rewrote with canonical `${GITEA_NPM_HOST}`/`${GITEA_NPM_OWNER}` template |
+| **B3** `.gitignore` missing `*.bak` | Added rule |
+| **B3** missing `.docker-deps/.gitkeep` | Created |
 
-Follow-up work: triage per repo, apply fixes, re-run `docker-doctor` (must exit 0), then run cold + warm Docker builds to verify.
+Remaining warnings (`compose GITEA_NPM_OWNER` and `healthcheck start_period`)
+are advisory — the Dockerfile defaults to `learning_ai_user` if the build arg
+is not passed, and `start_period` is a UX improvement, not a build blocker.
 
 ---
 
@@ -845,12 +862,17 @@ Checks implemented by `docker-doctor.sh`:
     staged tarballs.
 14. **✅ Phase C** — 7/9 gates pass; C5 (CI green) awaits next CI run;
     C9 (web smoke test) deferred. Cold build 64 s, warm 2.6 s / 3.3 s.
-15. **⚳ Phase D.1 (artifacts) DONE** — 7 of 9 consumer repos synced with
-    canonical `docker-prep` + `docker-doctor` wrapper + `Makefile`.
-    Baseline findings documented per repo. See §6 for the table.
-    Remaining: MindLyst, LysnrAI, talk2obsidian (different layouts).
-16. **⚳ Phase D.2 (per-repo Dockerfile fixes)** — pending. See §6.D.2
-    for the fix matrix. Each repo gets a small follow-up PR.
+15. **✅ Phase D.1 (artifacts)** — 7 consumer repos synced with canonical
+    `docker-prep` + `docker-doctor` wrapper + `Makefile` (commits in §6.D.1).
+16. **✅ Phase D.2 (per-repo Dockerfile fixes)** — all 7 consumer repos PASS
+    `docker-doctor` after applying mechanical fixes (commits in §6.D.2).
+    Web smoke test (C9) landed on clock to guard F11 regression.
+17. **✅ B7-4 AGENTS.md "do not edit" warnings** — landed in all 9 consumer
+    repos.
+18. **⏸ Follow-ups** — (a) C5 confirmation after next Gitea CI run;
+    (b) MindLyst / LysnrAI / talk2obsidian — separate scoping; (c) optional:
+    add `compose: GITEA_NPM_OWNER` arg + healthcheck `start_period` to
+    repos still warning on those checks.
 
 ---