fix(poudriere): correct subnet, bridge, diagram and CI alignment

- Subnet: .5 → .10 (was colliding with CMS jail at .5)
- Bridge: lagg0 → warden0 (correct Bastille bridge name)
- Hostname: poudriere.local → poudriere.clawdie.home.arpa (consistent with
  internal naming convention used by other jails)
- Architecture diagram: git (.1→.4), cms (.4→.5), add full subnet legend
- rsync paths: use jail filesystem path directly instead of rsync-over-SSH
  to the jail IP (jails share the host filesystem, no SSH hop needed)
- Phase 5.2 build.sh: align with actual --fetch-only/--skip-fetch flags
  and explain Poudriere as a pre-fetch step in the existing pipeline
- Phase 6.2: cron is fallback only — Forgejo Actions handles scheduling
- Alternatives table: CI/CD marked as implemented, not rejected

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

POUDRIERE-IMPLEMENTATION.md

@@ -34,13 +34,17 @@
 │                                                              │
 │  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐      │
 │  │  git jail   │    │  db jail    │    │  cms jail   │      │
-│  │   (.1)      │    │   (.3)      │    │   (.4)      │      │
+│  │   (.4)      │    │   (.3)      │    │   (.5)      │      │
 │  │ clawdie-iso │    │ postgres    │    │ nginx       │      │
 │  └─────────────┘    └─────────────┘    └─────────────┘      │
 │                                                              │
+│  Subnet layout: .1=gateway .2=mgmt .3=db .4=git .5=cms      │
+│                 .6=ollama  .7-.9=bhyve  .10=poudriere        │
+│                 .101+=workers                                │
+│                                                              │
 │  ┌─────────────────────────────────────────────────────┐    │
 │  │              poudriere jail (new)                    │    │
-│  │                     (.5)                             │    │
+│  │                    (.10)                             │    │
 │  │  ┌─────────────────────────────────────────────┐    │    │
 │  │  │  ZFS: zroot/jails/poudriere/data            │    │    │
 │  │  │  - /usr/local/poudriere/data/packages       │    │    │
@@ -65,8 +69,8 @@
 
 ```bash
 # On controlplane host
-bastille create poudriere 15.0-RELEASE 10.0.0.5 lagg0
-bastille config poudriere set host.hostname poudriere.local
+bastille create poudriere 15.0-RELEASE 10.0.0.10 warden0
+bastille config poudriere set host.hostname poudriere.clawdie.home.arpa
 bastille start poudriere
 ```
 
@@ -246,27 +250,30 @@ server {
 ### 5.1 Sync packages to git jail
 
 ```bash
-# From controlplane host
-rsync -avz poudriere.local:/usr/local/poudriere/data/packages/15amd64-clawdie/.latest/ \
-    /usr/local/bastille/jails/git/root/srv/git/clawdie-iso/packages/
+# From controlplane host — access via jail filesystem path directly (no SSH needed)
+rsync -a --delete \
+    /usr/local/bastille/jails/poudriere/root/usr/local/poudriere/data/packages/15amd64-clawdie/.latest/ \
+    /home/clawdie/clawdie-iso/packages/All/
 ```
 
 ### 5.2 Update build.sh in clawdie-iso
 
+The current `build.sh` already handles `--fetch-only` (stock FreeBSD packages
+via `pkg fetch`) and `--skip-fetch` (use cached packages). When Poudriere is
+active, add a pre-fetch step that syncs Poudriere output before the stock fetch:
+
 ```bash
-# In clawdie-iso/build.sh
+# scripts/build-packages.sh syncs Poudriere output into packages/
+# before ./build.sh --fetch-only runs the stock pkg fetch on top.
+# pkg priority 100 for Clawdie packages ensures they win over stock.
 
-# Step 1: Fetch FreeBSD base packages (stock)
-pkg fetch -d -o ${ISO_ROOT}/packages/base -r latest $(cat pkg-list-base.txt)
-
-# Step 2: Copy Clawdie custom packages (priority)
-cp -r /srv/git/clawdie-iso/packages/* ${ISO_ROOT}/packages/clawdie/
-
-# Step 3: Generate combined repo
-pkg repo ${ISO_ROOT}/packages/base
-pkg repo ${ISO_ROOT}/packages/clawdie
+# Poudriere output lands in packages/All/ alongside stock packages.
+# pkg repo packages/ generates a single unified repo from both.
 ```
 
+The `--fetch-only` stage in the Forgejo Actions pipeline should run
+`build-packages.sh` first, then `build.sh --fetch-only` for stock packages.
+
 ### 5.3 Configure pkg priority on installed system
 
 ```bash
@@ -307,19 +314,25 @@ echo "=== Building Clawdie packages ==="
 jexec poudriere poudriere bulk -j 15amd64 -p clawdie -f /usr/local/etc/poudriere.d/clawdie-pkglist
 
 # Sync to git jail
-rsync -avz --delete \
-    poudriere.local:/usr/local/poudriere/data/packages/15amd64-clawdie/.latest/ \
-    /srv/git/clawdie-iso/packages/
+rsync -a --delete \
+    /usr/local/bastille/jails/poudriere/root/usr/local/poudriere/data/packages/15amd64-clawdie/.latest/ \
+    /home/clawdie/clawdie-iso/packages/All/
 
 echo "=== Package build complete ==="
 echo "Packages available at: /srv/git/clawdie-iso/packages/"
 ```
 
-### 6.2 Cron job (optional)
+### 6.2 Scheduling
+
+The Forgejo Actions pipeline (`.forgejo/workflows/build.yml`) already handles
+weekly scheduling — it triggers every Sunday at 03:00 UTC and runs
+`build.sh --fetch-only` which will call `build-packages.sh` first once
+Poudriere is integrated (see Phase 5.2).
+
+A cron job is only needed as a fallback if the Forgejo runner is offline:
 
 ```bash
-# /etc/cron.d/clawdie-build
-# Rebuild packages weekly on Sunday at 03:00
+# /etc/cron.d/clawdie-build — fallback only, Forgejo Actions is preferred
 0 3 * * 0 root /home/clawdie/clawdie-iso/scripts/build-packages.sh >> /var/log/clawdie-build.log 2>&1
 ```
 
@@ -337,8 +350,9 @@ jexec poudriere poudriere ports -u -p clawdie
 jexec poudriere poudriere bulk -j 15amd64 -p clawdie -f /usr/local/etc/poudriere.d/clawdie-pkglist
 
 # 3. Sync to git jail
-rsync -avz poudriere.local:/usr/local/poudriere/data/packages/15amd64-clawdie/.latest/ \
-    /srv/git/clawdie-iso/packages/
+rsync -a \
+    /usr/local/bastille/jails/poudriere/root/usr/local/poudriere/data/packages/15amd64-clawdie/.latest/ \
+    /home/clawdie/clawdie-iso/packages/All/
 
 # 4. Rebuild ISO
 cd /srv/git/clawdie-iso && ./build.sh
@@ -401,7 +415,7 @@ cd /srv/git/clawdie-iso && ./build.sh
 |--------|-------------|----------------|
 | Minimal (pre-build only) | Build ~20 custom packages, rest stock | Less control, potential ABI conflicts |
 | Full custom repo | Build all ~500 packages | Long builds, must track all security updates |
-| CI/CD pipeline | Automated builds on commit | Complex setup, requires self-hosted runner |
+| CI/CD pipeline | Automated builds on commit | **Implemented** — see `.forgejo/workflows/build.yml` and `runner/README.md`. Poudriere integrates into this pipeline as a pre-fetch step. |
 | Poudriere-as-a-Service | Dedicated build jail serving live systems | Good for later, overkill for v1 |
 | Remote build service | Outsource to cloud VM | External dependency, credential management |