merge: integrate origin/main (v1.1.0.0) — V1 + Puppeteer parity + /plan-tune

Big merge. Main shipped three releases while this branch was in flight:
- v0.19.0.0 /plan-tune skill (observational layer; dual-track dev profile)
- v1.0.0.0 V1 prompts (simpler, outcome-framed, jargon-glossed) + LOC receipts
- v1.1.0.0 browse Puppeteer parity (load-html, file://, --selector, --scale)

This branch bumps to v1.2.0.0 (above main's v1.1.0.0) per the
branch-scoped-version rule in CLAUDE.md. My "0.19.0.0" CHANGELOG entry
is renamed to "1.2.0.0" and dated 2026-04-18 to land above main's trail.

Conflicts resolved:
- VERSION / package.json: 1.2.0.0
- CHANGELOG.md: preserved my entry at top (renamed), kept main's 1.1.0.0
  / 1.0.0.0 / 0.19.0.0 / 0.18.4.0 trail below in correct order
- .github/docker/Dockerfile.ci: kept my xz-utils + nodejs.org tarball
  fix (real CI bug fix main didn't have); absorbed main's retry loop
  structure for both apt and the tarball curl
- bin/gstack-config: kept both my checkpoint_mode/push section and
  main's explain_level writing-style section
- scripts/resolvers/preamble.ts: kept my submodule refactor as the
  file shape; extracted main's new generateWritingStyle and
  generateWritingStyleMigration into scripts/resolvers/preamble/
  submodules; absorbed main's generateQuestionTuning import
- All generated SKILL.md files: resolved by regen via
  bun run gen:skill-docs --host all (per CLAUDE.md: never hand-merge
  generated files — resolve templates and regen)
- Ship golden fixtures (claude/codex/factory): refreshed

Tier 2 preamble composition now includes all 8 sections: context
recovery, ask-user-format, writing-style, completeness, confusion,
continuous checkpoint, context health, question tuning.

Main also brought new test files from /plan-tune: skill-e2e-plan-tune,
upgrade-migration-v1, v0-dormancy, writing-style-resolver. All absorbed.
468 tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/docker/Dockerfile.ci

@@ -20,22 +20,33 @@ RUN sed -i \
     -e 's|http://security.ubuntu.com/ubuntu|http://mirror.hetzner.com/ubuntu/packages|g' \
     /etc/apt/sources.list.d/ubuntu.sources
 
-# System deps (retry apt-get update — even Hetzner can blip occasionally)
-RUN for i in 1 2 3; do apt-get update && break || sleep 5; done \
-    && apt-get install -y --no-install-recommends \
-    git curl unzip xz-utils ca-certificates jq bc gpg \
+# Also make apt itself resilient — per-package retries + generous timeouts.
+# Hetzner's mirror is reliable but individual packages can still blip; the
+# retry config means a single failed fetch doesn't nuke the whole build.
+RUN printf 'Acquire::Retries "5";\nAcquire::http::Timeout "30";\nAcquire::https::Timeout "30";\n' \
+    > /etc/apt/apt.conf.d/80-retries
+
+# System deps (retry apt-get update + install as a unit — even Hetzner can blip).
+# Includes xz-utils so the Node.js .tar.xz download below can decompress.
+RUN for i in 1 2 3; do \
+      apt-get update && apt-get install -y --no-install-recommends \
+        git curl unzip xz-utils ca-certificates jq bc gpg && break || \
+      (echo "apt retry $i/3 after failure"; sleep 10); \
+    done \
     && rm -rf /var/lib/apt/lists/*
 
 # GitHub CLI
-RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+RUN curl --retry 5 --retry-delay 5 --retry-connrefused -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
     | gpg --dearmor -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
     | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
-    && for i in 1 2 3; do apt-get update && break || sleep 5; done \
-    && apt-get install -y --no-install-recommends gh \
+    && for i in 1 2 3; do \
+         apt-get update && apt-get install -y --no-install-recommends gh && break || \
+         (echo "gh install retry $i/3"; sleep 10); \
+       done \
     && rm -rf /var/lib/apt/lists/*
 
-# Node.js 22 LTS (needed for claude CLI)
+# Node.js 22 LTS (needed for claude CLI).
 # Install from the official nodejs.org tarball instead of NodeSource's apt setup.
 # NodeSource's setup_22.x script runs its own `apt-get update` + `apt-get install gnupg`,
 # both of which depend on archive.ubuntu.com / security.ubuntu.com being reachable.
@@ -44,7 +55,7 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
 # fails before it can add its own repo. Direct tarball download is network-simpler
 # (one host: nodejs.org) and doesn't touch apt at all.
 ENV NODE_VERSION=22.20.0
-RUN curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" -o /tmp/node.tar.xz \
+RUN curl --retry 5 --retry-delay 5 --retry-connrefused -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" -o /tmp/node.tar.xz \
     && tar -xJ -C /usr/local --strip-components=1 --no-same-owner -f /tmp/node.tar.xz \
     && rm -f /tmp/node.tar.xz \
     && node --version \
@@ -52,7 +63,8 @@ RUN curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-l
 
 # Bun (install to /usr/local so non-root users can access it)
 ENV BUN_INSTALL="/usr/local"
-RUN curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash
+RUN curl --retry 5 --retry-delay 5 --retry-connrefused -fsSL https://bun.sh/install \
+    | BUN_VERSION=1.3.10 bash
 
 # Claude CLI
 RUN npm i -g @anthropic-ai/claude-code