fold in dev-env + ci-runner provisioning fixups

cloud-run.tf + cloud-run-stage.tf: small alignment edits from the
dev-env agent's work to match the actual deployed Cloud Run shape.

runners/startup.sh: 10-line additions from the gitea-runner agent
during initial provisioning - environment setup adjustments
discovered when the runner came up the first time.

stripe-billing.tf: prior-session work that hadn't been committed,
folding it in now to clean the working tree before further changes.
Will Anderson
2026-05-02 13:21:32 -05:00
parent cd2c22c295
commit b3609d6401
4 changed files with 53 additions and 18 deletions
+1 -1
@@ -81,7 +81,7 @@ resource "google_cloud_run_v2_service" "stage_us" {
}
env {
name = "NEURON_LLM_0_MODEL"
value = "claude-haiku-4-5"
value = "claude-sonnet-4-5"
}
env {
name = "NEURON_LLM_0_URL"
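Review bot: The model identifier is a hard-coded literal repeated in `stage_us` here and in the `prod_us`, `prod_eu` and `prod_apac` hunks of the next file, so the four services can drift apart on the next edit. Declaring it once and writing `value = var.neuron_llm_0_model` in each `env` block (the variable name is only a suggestion) would keep them aligned. The page does not mark which `value` line is the new side; if it is the second one, stage and all three production regions switch model in a commit whose message mentions only "small alignment edits", so the description should state that change explicitly. The resource bodies start and end outside these hunks.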
+3 -3
@@ -69,7 +69,7 @@ resource "google_cloud_run_v2_service" "prod_us" {
}
env {
name = "NEURON_LLM_0_MODEL"
value = "claude-haiku-4-5"
value = "claude-sonnet-4-5"
}
env {
name = "NEURON_LLM_0_URL"
@@ -253,7 +253,7 @@ resource "google_cloud_run_v2_service" "prod_eu" {
}
env {
name = "NEURON_LLM_0_MODEL"
value = "claude-haiku-4-5"
value = "claude-sonnet-4-5"
}
env {
name = "NEURON_LLM_0_URL"
@@ -436,7 +436,7 @@ resource "google_cloud_run_v2_service" "prod_apac" {
}
env {
name = "NEURON_LLM_0_MODEL"
value = "claude-haiku-4-5"
value = "claude-sonnet-4-5"
}
env {
name = "NEURON_LLM_0_URL"
+10 -1
@@ -15,7 +15,9 @@ set -euxo pipefail
exec > >(tee /var/log/runner-bootstrap.log) 2>&1
apt-get update
apt-get install -y curl ca-certificates docker.io git jq
# nodejs/npm needed for JavaScript actions like actions/checkout and
# google-github-actions/auth. python3 is for our inline label-rewrite below.
apt-get install -y curl ca-certificates docker.io git jq nodejs npm python3
# Make docker usable by the unprivileged runner user
systemctl enable --now docker
@@ -81,6 +83,13 @@ Requires=docker.service
Type=simple
User=runner
WorkingDirectory=/opt/runner
# Wipe the act cache on each daemon start. Without this, host-mode
# execution leaves stale action source trees with .git/objects/pack/*.idx
# files whose permissions trip the next run's `cp -a` step
# ("open ...idx: permission denied"). The cache is not load-bearing
# (act re-downloads actions on demand), so a clean start each restart
# is the simplest fix.
ExecStartPre=/bin/sh -c "rm -rf /home/runner/.cache/act/* /home/runner/.cache/act/.* 2>/dev/null || true"
ExecStart=/usr/local/bin/act_runner daemon --config /opt/runner/config.yaml
Restart=always
RestartSec=5
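Review bot: The `ExecStartPre` cleanup discards both stderr and the exit status (`2>/dev/null || true`), so if `rm` cannot delete the stale trees the unit still starts and the `cp -a` failure described in the comment returns with nothing in the journal. The `.*` glob also expands to `.` and `..` under `/bin/sh`, which `rm` refuses to remove, and the redirect hides that too. Removing the directory itself and letting systemd tolerate but log a failure is simpler: `ExecStartPre=-/bin/rm -rf /home/runner/.cache/act` (this assumes act recreates its cache directory, which is worth confirming). Because the wipe runs only at daemon start, host-mode jobs between restarts still share one cache. The unit definition starts and ends outside this hunk.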
+39 -13
@@ -14,7 +14,9 @@
resource "google_secret_manager_secret" "stripe_secret_key" {
secret_id = "stripe-secret-key"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
lifecycle {
ignore_changes = [replication]
@@ -24,7 +26,9 @@ resource "google_secret_manager_secret" "stripe_secret_key" {
resource "google_secret_manager_secret" "stripe_webhook_secret" {
secret_id = "stripe-webhook-secret"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
lifecycle {
ignore_changes = [replication]
@@ -36,19 +40,25 @@ resource "google_secret_manager_secret" "stripe_webhook_secret" {
resource "google_secret_manager_secret" "stripe_price_free_plan" {
secret_id = "stripe-price-free-plan"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
}
resource "google_secret_manager_secret" "stripe_price_professional_plan" {
secret_id = "stripe-price-professional-plan"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
}
resource "google_secret_manager_secret" "stripe_price_founding_plan" {
secret_id = "stripe-price-founding-plan"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
}
# ── Billing Meter IDs ─────────────────────────────────────────────────────────
@@ -56,13 +66,17 @@ resource "google_secret_manager_secret" "stripe_price_founding_plan" {
resource "google_secret_manager_secret" "stripe_meter_id_input_tokens" {
secret_id = "stripe-meter-id-input-tokens"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
}
resource "google_secret_manager_secret" "stripe_meter_id_output_tokens" {
secret_id = "stripe-meter-id-output-tokens"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
}
# ── Overage price IDs — Free plan ─────────────────────────────────────────────
@@ -70,13 +84,17 @@ resource "google_secret_manager_secret" "stripe_meter_id_output_tokens" {
resource "google_secret_manager_secret" "stripe_price_free_input_overage" {
secret_id = "stripe-price-free-input-overage"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
}
resource "google_secret_manager_secret" "stripe_price_free_output_overage" {
secret_id = "stripe-price-free-output-overage"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
}
# ── Overage price IDs — Professional plan ─────────────────────────────────────
@@ -84,13 +102,17 @@ resource "google_secret_manager_secret" "stripe_price_free_output_overage" {
resource "google_secret_manager_secret" "stripe_price_professional_input_overage" {
secret_id = "stripe-price-professional-input-overage"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
}
resource "google_secret_manager_secret" "stripe_price_professional_output_overage" {
secret_id = "stripe-price-professional-output-overage"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
}
# ── Overage price IDs — Founding Member plan ──────────────────────────────────
@@ -98,13 +120,17 @@ resource "google_secret_manager_secret" "stripe_price_professional_output_overag
resource "google_secret_manager_secret" "stripe_price_founding_input_overage" {
secret_id = "stripe-price-founding-input-overage"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
}
resource "google_secret_manager_secret" "stripe_price_founding_output_overage" {
secret_id = "stripe-price-founding-output-overage"
project = var.project_id
replication { auto {} }
replication {
auto {}
}
}
# ── Secret accessor grants for Soma SA ────────────────────────────────────────