ci(bazel): enroll scheduling-kit in the shared cache-backed lane (TIN-2110)

[Jesssullivan]

Enrollment contract — cache-first (TIN-1997 Option D / TIN-2110)

This is the pilot / reusable template for enrolling spokes in the
GloriousFlywheel shared Bazel cache. It flips scheduling-kit from
local-disk-only to shared-cache-backed. Cache-first only: no remote
executor / REAPI lane is wired anywhere (out of scope).

What changed (additive, opt-in, default-off)

1. Repin + opt-in — both ci.yml and publish.yml move from the bare
   ci-templates commit SHA @61cd1338… to the immutable tag
   @v2.3.0 (which ships the opt-in cache_backed path) and set
   cache_backed: true. When cache_backed is unset/false the shared
   js-bazel-package.yml Bazel validation is byte-identical to today
   (bazelisk build … --verbose_failures) — zero behavior change for the ~190
   non-opted consumers. The opted path runs a fail-closed contract step then
   --config=ci-cached --remote_cache=$BAZEL_REMOTE_CACHE --remote_upload_local_results=false.
2. .bazelrc — adds the endpoint-free ci-cached block (--config=ci +
   --remote_upload_local_results=false + --remote_download_minimal +
   --remote_timeout=60) plus cache-readonly / no-remote-cache, and empties
   the disk cache under :ci so a cache hit proves the REMOTE shared cache,
   not an incidental local disk hit. Endpoints are injected at runtime, never
   baked.
3. scripts/cache-attachment-contract.sh — vendors the GF#889-proven
   fail-closed classifier (TIN-2108 naming: GF_BAZEL_SUBSTRATE_MODE; modes
   shared-cache-backed / compatibility-local-only / executor-backed).
   Rejects unexpanded ${…} placeholders, non-grpc/http endpoints, localhost
   without explicit proof, and executor-without-cache. Executor is classified
   but never selected by this lane.
4. tinyland.repo.json — declares kit's enrollment dimensions (forge scope
   = Jesssullivan personal; operator overlay = jesssullivan-infra; execution
   pool = tinyland-nix; substrate mode = shared-cache-backed) per the
   ci-templates manifest schema.
5. AGENTS.md — adds the GloriousFlywheel cache-enrollment stanza near the
   top (names GF; do not create runners; do not run raw bazel build as
   validation; attach via the cache-backed lane; self-verify via the contract
   checker; REAPI out of scope).
6. justfile + flake just — org house-style
   nix develop --command just <recipe>: info / cache-contract-strict
   (fail-closed checker) / flywheel-build / flywheel-test behind a
   FLYWHEEL flag. No executor recipe (cache-first).

Attach evidence

The tinyland-nix runner is in-cluster and nix-setup exports
BAZEL_REMOTE_CACHE=grpc://bazel-cache.nix-cache.svc.cluster.local:9092 from
cluster DNS. The real-attach proof is remote cache hit/transfer lines in the
Validate Bazel targets (cache-backed) step log (replacing the prior
all-local 1822-action breakdown). A green build showing only --disk_cache and
no remote transfer is NOT enrollment and will be reported as such. The
fail-closed contract step surfaces any BLOCKED state instead of silently
building local-only.

Reusable-template note

Logic lives in the shared tinyland-inc/ci-templates@v2.3.0 surface
(cache_backed input, scripts/cache-attachment-contract.sh,
bazelrc/ci-cached.bazelrc); kit only opts in + carries the consumer .bazelrc
block, manifest, AGENTS stanza, and justfile. Any spoke enrolls the same way —
no per-repo runners, no bespoke cache instance, no baked endpoints.

Non-claims

Cache attach is not org-migration closure: a green cache-backed build does
not close GF#412 / TIN-1516.

Refs TIN-2110.