Update stabilization checkpoint after run command

docs/infrastructure-stabilization-pickup-checkpoint.md

@@ -25,7 +25,7 @@ State Hub active workstreams queried on 2026-06-27:
 | `cust-wp-0051` | This metaplan is the coordination layer for remaining cross-workplan gates. |
 | `activity-wp-0016-llm-output-robustness-trust-boundary` | Repo-side output robustness bundle is prepared; live deploy/smoke proof remains. |
 | `three-phoenix-ha-cluster` | HA substrate remains future critical-workload work, not the current State Hub cutover blocker. |
-| `staged-promotion-lifecycle` | T02 `railiance/app.toml` contract and T03 overlay repo pattern/script are done; continue with T04/T05 command/canary implementation before broad production migrations. |
+| `staged-promotion-lifecycle` | T02 `railiance/app.toml` contract, T03 overlay repo pattern/script, and T04 Stage 1 runner are done; continue with T05 canary template before broad production migrations. |
 | `rail-ho-wp-0005` | Forgejo production migration is parked behind explicit design, SMTP, backup, runner, and cutover decisions. |
 | `net-wp-0020` | OpenBao unseal/token custody remains an operator design and smoke gate. |
 | `issue-wp-0003` | issue-core service is healthy; activity-core REST emission wiring remains. |
@@ -106,7 +106,7 @@ Resume from `docs/daily-triage-stabilization-status.md` and
    `ISSUE_SINK_TYPE=rest` and one known-safe emission smoke.
 5. Request explicit State Hub cutover approval for `CUST-WP-0011-T07`, or
    record that WSL2 remains primary for the next operating period.
-6. Continue staged-promotion T04/T05 and start artifact-store D7.1/D7.2
+6. Continue staged-promotion T05 and start artifact-store D7.1/D7.2
    so Forgejo and storage work inherit clear production promotion gates.
 7. Keep Forgejo cutover and State Hub HA work parked until their human decision
    and drill gates are satisfied.

docs/near-term-production-service-lanes-status.md

@@ -14,7 +14,7 @@ before starting larger migrations.
 | `issue-wp-0003` | issue-core is live through ArgoCD; image `0.2.1`, Service port `8765`, ExternalSecret Ready, authenticated smoke created Gitea issue `175`. | Do not flip activity-core blindly. First inject `ISSUE_CORE_API_KEY` into `actcore-runtime-secret` through route `activity-core-issue-sink`; then set activity-core `ISSUE_CORE_URL` to port `8765`, set `ISSUE_SINK_TYPE=rest`, restart/sync, and run one safe emission smoke. |
 | `rail-ho-wp-0005` | Forgejo migration remains pre-implementation. Inventory is in progress; production decisions, SMTP/email recovery, cutover, and legacy retirement are human-gated. | Resolve T02 production decisions first, then build the disposable Forgejo probe. Do not start production cutover before promotion lifecycle, email recovery, package registry, Actions, backup/restore, and migration drill pass. |
 | `artifact-store-wp-0007` | All tasks are still `todo`; no live secret gate is currently recorded. | Start with D7.1 fork/object-store landscape and D7.2 compatibility harness. Route D7.3 STS credential vending to NetKingdom if implementation belongs outside artifact-store. |
-| `staged-promotion-lifecycle` | Lifecycle spec, T02 `railiance/app.toml` contract, and T03 overlay repo pattern/script are done; CLI commands, canary template, deployment observation, promotion, and rollback tasks remain. | Start T04 `railiance run` and T05 canary Helm chart template using generated overlays as reference consumers for Stage 1/2 promotion gates. |
+| `staged-promotion-lifecycle` | Lifecycle spec, T02 `railiance/app.toml` contract, T03 overlay repo pattern/script, and T04 `railiance run` Stage 1 runner are done; canary template, deployment observation, promotion, and rollback tasks remain. | Start T05 canary Helm chart template using generated overlays as reference consumers for Stage 2 promotion gates. |
 
 ## Credential And Operator Routing
 
@@ -40,8 +40,8 @@ No secret value was read or written. The required non-secret evidence is:
 
 1. Close the issue-core handoff gate because the service is already healthy and
    only activity-core live emission remains.
-2. Continue staged-promotion with T04 `railiance run` and T05 canary
-   template implementation before Forgejo cutover work accelerates.
+2. Continue staged-promotion with T05 canary template implementation before
+   Forgejo cutover work accelerates.
 3. Run artifact-store D7.1/D7.2 as an assessment/build harness lane, with D7.3
    routed to NetKingdom if STS vending is not artifact-store-owned.
 4. Keep Forgejo production cutover parked behind explicit T02 decisions and the

workplans/CUST-WP-0051-infrastructure-stabilization-metaplan.md

@@ -313,6 +313,24 @@ Progress 2026-06-27 staged promotion T03:
 - `make fix-consistency REPO=railiance-cluster` passed with pre-existing
   C-12 warnings and synced the T03 status into State Hub.
 
+Progress 2026-06-27 staged promotion T04:
+
+- Completed `RAIL-BS-WP-0006-T04` in `/home/worsch/railiance-cluster`.
+  Added `tools/cmd/railiance-run`, the `bin/railiance run` dispatcher entry,
+  and `docs/railiance-run-command.md`. The command reads `railiance/app.toml`,
+  runs Stage 1 commands and local checks, and emits a
+  `railiance.run-result.v1` JSON result with command references and scrubbed
+  HTTP URLs rather than command logs, stdout/stderr, or secret-bearing URL
+  details.
+- Updated generated overlays so a Forgejo overlay completes Stage 1 locally:
+  `stage1-script` is required, `local-health` is optional when no local service
+  is running, and Helm rendering remains optional when Helm is unavailable.
+- Verified a fresh generated Forgejo overlay against
+  `schemas/railiance-app.schema.json` and `bin/railiance run`; the smoke passed
+  with one command, two checks, and zero required failures.
+- `make fix-consistency REPO=railiance-cluster` passed with pre-existing
+  C-12 warnings and synced the T04 status into State Hub.
+
 ## Task: Decide State Hub Migration Strategy
 
 ```task