fix(deploy): on-host bootstrap defaults to online mode (pull fixed main playbooks)

The deploy job ran curl|bash with no AI_WORKSPACE_OFFLINE_MODE -> auto -> stale
offline package, which still ships the pinned-Chrome / root-PGDATA playbooks that
were already fixed in playbooks main. Pipeline kept failing at the Chrome task.

- run-on-host-bootstrap.sh: thread AI_WORKSPACE_OFFLINE_MODE (default off) into the
  remote env so the bootstrap git-clones latest main instead of the stale package.
- workflow: add offline_mode input (off|auto|force, default off); flip back to auto
  once the offline package is republished with the fixes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/deploy-ai-workspace-iac.yaml

@@ -76,6 +76,12 @@ on:
         required: false
         default: ""
         type: string
+      offline_mode:
+        description: "on-host 离线包模式: off=在线拉最新 main(默认,离线包落后时用); auto=离线加速; force=强制离线"
+        required: false
+        default: "off"
+        type: choice
+        options: ["off", "auto", "force"]
       terraform_action:
         description: "apply 创建/更新，destroy 销毁"
         required: false
@@ -359,6 +365,9 @@ jobs:
           MATRIX_HOST: ${{ matrix.host }}
           CMDB_PATH: cmdb/cmdb.json
           SSH_KEY_PATH: ~/.ssh/id_deploy
+          # 离线包落后于 main 时用在线模式拉最新 playbook（见 run-on-host-bootstrap.sh）。
+          # 离线包重新发布后可设为 auto 恢复离线加速。
+          AI_WORKSPACE_OFFLINE_MODE: ${{ github.event.inputs.offline_mode || 'off' }}
           XWORKMATE_BRIDGE_DOMAIN: ${{ github.event.inputs.bridge_domain }}
           DEEPSEEK_API_KEY: ${{ steps.vault.outputs.DEEPSEEK_API_KEY }}
           NVIDIA_API_KEY: ${{ steps.vault.outputs.NVIDIA_API_KEY }}

scripts/run-on-host-bootstrap.sh

@@ -39,7 +39,12 @@ echo "Bootstrapping ${host} (${user}@${ip}) on-host, domain=${domain:-<none>} ..
 remote_payload="$(mktemp)"
 trap 'rm -f "$remote_payload"' EXIT
 
+# 离线包是按 release 快照打包的；当其落后于 playbooks main（如 Chrome 版本钉点、
+# postgres PGDATA 属主等已在 main 修复但未重新发包）时，默认 offline=auto 会用到
+# 过期 playbook 导致部署失败。默认 off，让 on-host 引导在线 git clone 最新 main；
+# 待离线包重新发布后可改回 auto 以恢复离线加速。
 {
+  printf 'AI_WORKSPACE_OFFLINE_MODE=%q\n' "${AI_WORKSPACE_OFFLINE_MODE:-off}"
   printf 'XWORKMATE_BRIDGE_DOMAIN=%q\n' "$domain"
   printf 'DEEPSEEK_API_KEY=%q\n' "${DEEPSEEK_API_KEY:-}"
   printf 'NVIDIA_API_KEY=%q\n' "${NVIDIA_API_KEY:-}"
@@ -62,7 +67,7 @@ fi
 (
   set +e
   source "$remote_env"
-  export XWORKMATE_BRIDGE_DOMAIN DEEPSEEK_API_KEY NVIDIA_API_KEY OLLAMA_API_KEY
+  export AI_WORKSPACE_OFFLINE_MODE XWORKMATE_BRIDGE_DOMAIN DEEPSEEK_API_KEY NVIDIA_API_KEY OLLAMA_API_KEY
   bash -lc 'curl -sfL https://install.svc.plus/ai-workspace | bash -'
   rc=$?
   printf '%s\n' "$rc" > "$remote_rc"