Harden forge NBC worker runtime and MVPD selection

evolution/proposals/ECP-0105-stable-home-for-forge-nbc-browser-workers.md

@@ -0,0 +1,31 @@
+# ECP-0105: Stable home directory for forge NBC browser workers
+
+## Why
+
+The forge NBC worker runs Chrome under a dedicated service user and a persistent profile, but the
+publish unit was not explicitly setting `HOME`.
+
+That leaves browser helper processes free to derive state paths from ambient defaults instead of the
+intended service home. On a long-running forge host, that makes the browser worker more vulnerable
+to stale locks, crash-report paths, and profile contamination from out-of-band debugging sessions.
+
+## Decision
+
+1. Set `HOME=/var/lib/every-channel` on NBC `wt-publish` units, not only on the Xvfb helper units.
+2. Keep the persistent NBC profile and auth artifacts under `/var/lib/every-channel`.
+3. Treat the forge NBC browser runtime as a single-service home/profile domain so cleanup and
+   troubleshooting stay deterministic.
+
+## Consequences
+
+- Forge NBC launches use the same home directory across the display service and publish service.
+- Chrome helper processes no longer need to infer state roots from ambient defaults.
+- Manual debugging sessions must either reuse the service home intentionally or use an isolated
+  profile path to avoid poisoning the live worker profile.
+
+## Rejected Alternatives
+
+- Keep only `--user-data-dir` and leave `HOME` implicit: rejected because browser helper processes
+  still derive ancillary paths outside the intended service state root.
+- Give the publish unit a separate home from the display unit: rejected because it makes the forge
+  browser runtime harder to reason about and recover.

evolution/proposals/ECP-0106-forge-nbc-workers-need-tmp-and-search-driven-mvpd-selection.md

@@ -0,0 +1,35 @@
+# ECP-0106: Forge NBC workers need `/tmp` and search-driven MVPD selection
+
+## Why
+
+The forge NBC worker reached two distinct failure domains:
+
+1. Chrome failed during early startup under the hardened `wt-publish` unit even though the same
+   browser launch worked outside the systemd sandbox.
+2. Once the browser launch succeeded, the MVPD picker automation could reach the provider gate but
+   still mis-clicked broad page containers instead of the intended provider search result.
+
+## Decision
+
+1. Allow NBC `wt-publish` units to write to `/tmp` in addition to the persistent profile and auth
+   directories.
+2. Treat the NBC MVPD picker as a search-first flow:
+   - type the configured provider name
+   - submit the search explicitly
+   - prefer short, actionable provider-result nodes over generic container matches
+3. Keep the provider name configurable through `EVERY_CHANNEL_NBC_MVPD_PROVIDER`, with `Verizon Fios`
+   remaining the default.
+
+## Consequences
+
+- Forge NBC workers align better with Chrome's actual startup needs under systemd hardening.
+- MVPD automation becomes less likely to click the whole picker page or other non-provider chrome.
+- Future provider integrations should extend the same search-first DOM strategy instead of adding
+  brittle page-wide text matches.
+
+## Rejected Alternatives
+
+- Disable most systemd hardening for NBC units entirely: rejected because `/tmp` write access is the
+  smallest validated change that unblocks Chrome startup.
+- Keep broad `div` and `span` provider scans: rejected because they can match large container nodes
+  whose text merely happens to include the provider name.