fix(neuron-prod): add allow-dharma-ingress NetworkPolicy

The neuron-prod namespace runs a default-deny-all NetworkPolicy and
explicit allow-ingress policies for every legitimate service:
allow-mcp-ingress, allow-rest-ingress, allow-marketing-ingress,
allow-daemon-ingress, allow-engram-ingress. There was no equivalent
for dharma — so every request that arrived at Traefik in kube-system
got 502'd at the Service-to-pod hop, even though the dharma pod
itself was healthy and the IngressRoute was correctly defined.

The previous attempt to fix the 502 (PR #1) removed an unrelated
nonexistent certResolver from the IngressRoute. That was real but
not sufficient — the Traefik routing layer was healthy after that
change, but the Service-to-pod NetworkPolicy hop was still denied.

This adds allow-dharma-ingress mirroring allow-mcp-ingress: accepts
traffic from kube-system (Traefik) and from the neuron-prod
namespace itself.

servers/legion/k8s/gitea-runner/Dockerfile

@@ -29,11 +29,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     zstd \
     && rm -rf /var/lib/apt/lists/*
 
-# Node.js 20 LTS — required to execute Forgejo JS actions (checkout, upload-artifact, cache, etc.)
-RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
-    && apt-get install -y nodejs \
-    && npm install -g yarn \
-    && rm -rf /var/lib/apt/lists/*
+# Node.js 20 LTS via binary tarball (nodesource apt repo is unreliable on Ubuntu 24.04)
+RUN NODE_VERSION=20.19.1 \
+    && curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" \
+       | tar -xJ -C /usr/local --strip-components=1 \
+    && node --version \
+    && npm --version \
+    && npm install -g yarn
 
 # Python 3 + pip + venv
 RUN apt-get update && apt-get install -y --no-install-recommends \

servers/legion/k8s/neuron-technologies/dharma/ingressroute.yaml

@@ -14,5 +14,6 @@ spec:
       services:
         - name: dharma
           port: 8765
-  tls:
-    certResolver: letsencrypt
+  # TLS terminates at Cloudflare; tunnel reaches Traefik with noTLSVerify.
+  # Traefik websecure entrypoint has its own default cert (no resolver
+  # configured in this cluster), matching every other neuron-prod IngressRoute.

servers/legion/k8s/neuron-technologies/prod/network-policy.yaml

@@ -117,6 +117,32 @@ spec:
             matchLabels:
               kubernetes.io/metadata.name: neuron-prod
 ---
+# ── dharma: accept from Traefik (kube-system) and neuron-prod namespace ──────
+# The dharma pod was healthy and the IngressRoute was correct, but cross-
+# namespace ingress from kube-system (Traefik) was denied by default-deny-all,
+# so every external request landed at Traefik and bounced back as 502. This
+# allow rule mirrors `allow-mcp-ingress` and brings dharma into line with the
+# other neuron-prod services.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dharma-ingress
+  namespace: neuron-prod
+spec:
+  podSelector:
+    matchLabels:
+      app: dharma
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: kube-system
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: neuron-prod
+---
 # ── Egress: all prod pods may reach platform (postgres/redis), vault,
 #            monitoring (alloy OTLP), kube-dns, and the internet (external APIs) ─
 apiVersion: networking.k8s.io/v1