chore: switch container registry references from ghcr.io to git.farh.net

GroomBook images live on the Gitea registry, not GitHub. Update SDLC,
coding-standards, and CLAUDE.md to match.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

CLAUDE.md

@@ -8,7 +8,7 @@ This is the GroomBook **agent skills repository** — it contains skill definiti
 
 ## Skills Overview
 
-- **coding-standards** — Engineering quality bar: priority (correctness > clarity > maintainability > performance > elegance), PR discipline, test requirements, no-hardcoded-values rules, CalVer versioning, `ghcr.io` container registry policy.
+- **coding-standards** — Engineering quality bar: priority (correctness > clarity > maintainability > performance > elegance), PR discipline, test requirements, no-hardcoded-values rules, CalVer versioning, `git.farh.net` container registry policy.
 - **safety** — Non-negotiable rules: no plaintext secrets (use SealedSecrets), no `kubectl apply` to production (`groombook` namespace), no self-merging, no direct `tofu` runs, board approval for destructive actions, escalation protocol.
 - **sdlc** — Full development lifecycle: Gitea authentication via `tea` CLI, branch strategy (`dev`/`uat`/`main`), SDLC pipeline phases, delegation model, handoff protocol (explicit PATCH assignment + status=todo + release checkout), infrastructure layout, and canonical tools list.
 

skills/coding-standards/SKILL.md

@@ -55,7 +55,7 @@ All releases use CalVer (`YYYY.MMDD.PATCH`, e.g. `2026.0504.0`). No SemVer, no c
 
 ## Container images
 
-Push to `ghcr.io` only. Never Docker Hub for first-party images.
+Push to `git.farh.net` only. Never Docker Hub for first-party images.
 
 ## When uncertain
 

skills/sdlc/SKILL.md

@@ -134,7 +134,7 @@ Leave `modelProfile` unset for anything requiring judgment, reasoning, or QA rev
 * **Dev:** namespace `groombook-dev`, FQDN `dev.groombook.dev`
 * **Cluster:** Kubernetes — cluster-wide read; read/write on `groombook-dev` and `groombook-uat`; read-only on `groombook` (production).
 * **Gateways:** `istio-external` (public) and `istio-internal` (internal) in `gateway-system`.
-* **Container registry:** `ghcr.io/groombook/<service>` only.
+* **Container registry:** `git.farh.net/groombook/<service>` only.
 
 ## Authentication
 
@@ -148,7 +148,7 @@ Leave `modelProfile` unset for anything requiring judgment, reasoning, or QA rev
 **Stage 1 — CI (runs in each application repo):**
 - Triggered automatically on every merge to `main`
 - Builds and tags the Docker image: CalVer (`YYYY.MM.DD[.N]`), `latest`, and `sha-<hash>`
-- Pushes tagged images to `ghcr.io/groombook/<service>`
+- Pushes tagged images to `git.farh.net/groombook/<service>`
 - Creates a CalVer git tag in the source repo
 
 **Stage 2 — GitOps (Flux, managed externally):**
@@ -183,7 +183,7 @@ These are the only acceptable choices — alternatives are policy violations:
 * **Cache / pub-sub:** DragonflyDB Operator — no Redis.
 * **Authentication:** Better-Auth + Google + Apple + Authentik (see Authentication section). Never build custom auth.
 * **Dependency updates:** Mend Renovate. **Dependabot is not used and will not be used.** Do not configure it.
-* **Container registry:** `ghcr.io/groombook/<service>` — no Docker Hub for first-party images.
+* **Container registry:** `git.farh.net/groombook/<service>` — no Docker Hub for first-party images.
 * **Browser automation:** the `playwright` MCP server (`http://playwright:8931/mcp`). Target dev only — never test production.
 
 If a task requires deviating from any of the above, treat it as a destructive action: stop, file an issue with rationale, request board approval.