docs(ci): harden runner-config.yaml security comment for /opt/familienarchiv/ write access

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

runner-config.yaml

@@ -17,12 +17,16 @@ container:
     - "/srv/gitea-workspace"
     - "/opt/familienarchiv"
   # appended to `docker run` when the runner spawns a job container
-  # SECURITY: Mounting the Docker socket grants job containers root-equivalent
-  # access to the host Docker daemon. Acceptable here because only trusted code
-  # from this private repo runs on this runner. Do NOT use on a runner that
-  # accepts untrusted PRs from external contributors.
-  # /opt/familienarchiv is mounted so the nightly job can deploy observability
-  # configs to the permanent location without needing ssh or nsenter.
+  # SECURITY WARNING: This mount configuration grants CI job containers:
+  #   1. Root-equivalent access to the host Docker daemon (via the socket).
+  #   2. Read/write access to /opt/familienarchiv/ — including the main app's
+  #      compose files, Caddy config, and observability configs. A malicious
+  #      workflow step could overwrite any file in that directory.
+  # Both are acceptable ONLY because this runner is single-tenant: it executes
+  # code exclusively from this private repo with a fixed set of trusted authors.
+  # WARNING: Do NOT add this runner to any repo with external contributors or
+  # untrusted PRs — the blast radius includes the entire production deployment.
+  # See ADR-016 for the reasoning behind the /opt/familienarchiv mount.
   options: "-v /var/run/docker.sock:/var/run/docker.sock -v /srv/gitea-workspace:/srv/gitea-workspace -v /opt/familienarchiv:/opt/familienarchiv"
   # keep network mode default (bridge) — Testcontainers handles its own networking
   force_pull: false