Close runner ownership task

SCOPE.md

@@ -157,7 +157,10 @@ lessons into reusable S5 app release patterns.
 - The first-app lessons from `vergabe-teilnahme` are documented, but there is
   no reusable "new S5 app release checklist" yet.
 - The manifest dry-run workflow assumes access to a representative cluster and
-  CRDs. Its operating requirements should be made explicit for future runners.
+  CRDs. Forge-owned runner labels, placement, and credential prerequisites are
+  defined in
+  `/home/worsch/railiance-forge/docs/ci-runner-actions-gitops-ownership.md`;
+  the app-side workflow behavior still needs explicit S5 readiness docs.
 - App-level backup and restore responsibilities need clearer handoff contracts
   with `railiance-platform`, especially for shared CNPG databases consumed by
   S5 apps.

workplans/RAILIANCE-WP-0006-railiance-forge-extraction.md

@@ -238,7 +238,7 @@ Completed on 2026-06-05 in
 
 ```task
 id: RAILIANCE-WP-0006-T06
-status: todo
+status: done
 priority: high
 state_hub_task_id: "37945939-e7c5-4717-83d9-294873810fb3"
 ```
@@ -258,6 +258,15 @@ Questions to answer:
 
 Done when CI runner substrate and CI/CD templates no longer blur together.
 
+Completed 2026-06-05: the detailed ownership contract now lives in
+`/home/worsch/railiance-forge/docs/ci-runner-actions-gitops-ownership.md`.
+It defines runner deployment and credential ownership, reusable template
+ownership, app-specific workflow ownership, label and placement rules, secret
+access constraints, the Gitea-to-Forgejo automation cutover path, GitOps
+controller boundaries, and the split between S5 server-side dry-run checks and
+forge-owned runner prerequisites. `railiance-apps` and `railiance-enablement`
+now point at that contract from their scope/intent docs.
+
 ---
 
 ## T07 - Define backup, restore, and secret handoff contracts