diff --git a/.planning/STATE.md b/.planning/STATE.md index dc5cdbb..c099c3f 100644 --- a/.planning/STATE.md +++ b/.planning/STATE.md @@ -3,15 +3,15 @@ gsd_state_version: 1.0 milestone: v1.1 milestone_name: Session Lifecycle, Memory & Reporting status: executing -stopped_at: Phase 9 context gathered -last_updated: "2026-06-15T15:03:12.180Z" -last_activity: 2026-06-15 -- Phase 08 execution started +stopped_at: Phase 9 complete — v1.1 all phases done +last_updated: "2026-06-15T15:31:44.084Z" +last_activity: 2026-06-15 -- Phase 09 execution started progress: total_phases: 5 - completed_phases: 4 - total_plans: 5 - completed_plans: 5 - percent: 80 + completed_phases: 5 + total_plans: 7 + completed_plans: 7 + percent: 100 --- # Project State @@ -21,14 +21,14 @@ progress: See: .planning/PROJECT.md (updated 2026-06-14) **Core value:** Agent must NEVER mutate real infrastructure beyond what the limited IAM role permits -**Current focus:** Phase 08 — cron-reporting +**Current focus:** Phase 09 — tooling-portable-setup ## Current Position -Phase: 08 (cron-reporting) — EXECUTING +Phase: 09 (tooling-portable-setup) — EXECUTING Plan: 1 of 2 -Status: Executing Phase 08 -Last activity: 2026-06-15 -- Phase 08 execution started +Status: Executing Phase 09 +Last activity: 2026-06-15 -- Phase 09 execution started Progress: [░░░░░░░░░░] 0% @@ -70,7 +70,7 @@ None yet. ## Session Continuity -Last session: 2026-06-15T15:03:12.173Z -Stopped at: Phase 9 context gathered -Resume file: .planning/phases/09-tooling-portable-setup/09-CONTEXT.md +Last session: 2026-06-15T15:31:44.073Z +Stopped at: Phase 9 complete — v1.1 all phases done +Resume file: .planning/phases/09-tooling-portable-setup/09-02-SUMMARY.md Next action: /gsd-plan-phase 5 (Hindsight Memory Provider) diff --git a/docker/Dockerfile b/docker/Dockerfile index 6c4d9e6..71601b0 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -1,112 +1,53 @@ -# ============================================================================= -# ngn-agent Docker Image — Custom Hermes image with platform engineering tools -# ============================================================================= - -# D-01: Base image tag python3.11-nodejs20 — verify availability at build time; -# if manifest not found, update to python3.11-nodejs22-bookworm -# (Node.js 20 EOL April 2026). -FROM nikolaik/python-nodejs:python3.11-nodejs20 +FROM nikolaik/python-nodejs:python3.11-nodejs20 AS base LABEL description="ngn-agent: Custom Hermes Docker image with platform engineering tools" LABEL maintainer="ngn-agent" -# ============================================================================= -# Tool version pinning (D-02: pin for reproducibility) -# ============================================================================= ARG TERRAFORM_VERSION=1.15.6 ARG HELM_VERSION=4.2.0 ARG KUBECTL_VERSION=1.36.1 ARG PUPP_VERSION=1.1.0 -# ============================================================================= -# Install system dependencies (single RUN, clean apt lists after) -# ============================================================================= +SHELL ["/bin/bash", "-o", "pipefail", "-c"] + RUN apt-get update && apt-get install -y --no-install-recommends \ - curl \ - ca-certificates \ - unzip \ - gnupg \ - wget \ - && rm -rf /var/lib/apt/lists/* - -# ============================================================================= -# Install AWS CLI v2 (D-03: official curl → unzip → ./aws/install method) -# No apt repo for v2 — use the bundled installer. -# Architecture detection: supports x86_64 and arm64 (aarch64). -# T-09-01: download over HTTPS. 
-# ============================================================================= -RUN ARCH=$(uname -m) && \ - case "$ARCH" in \ - x86_64) AWS_URL="https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" ;; \ - aarch64) AWS_URL="https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" ;; \ - *) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;; \ - esac && \ - curl -fsSL "$AWS_URL" -o "awscliv2.zip" \ - && unzip -q awscliv2.zip \ - && ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli \ - && rm -rf awscliv2.zip aws/ - -# ============================================================================= -# Install Terraform (D-03: HashiCorp apt repo, version-pinned) -# T-09-01: HTTPS + GPG key verification. -# ============================================================================= -RUN wget -O- https://apt.releases.hashicorp.com/gpg 2>/dev/null \ + curl ca-certificates unzip gnupg wget \ + && wget -O- https://apt.releases.hashicorp.com/gpg 2>/dev/null \ | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg \ - && . /etc/os-release && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com ${VERSION_CODENAME} main" \ - | tee /etc/apt/sources.list.d/hashicorp.list > /dev/null \ - && apt-get update && apt-get install -y --no-install-recommends terraform=${TERRAFORM_VERSION}-1 \ - && rm -rf /var/lib/apt/lists/* - -# ============================================================================= -# Install kubectl (D-03: Google Kubernetes apt repo) -# NOT version-pinned — must match target cluster version. -# T-09-01: HTTPS + GPG key verification. 
-# ============================================================================= -RUN curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.36/deb/Release.key \ + && curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.36/deb/Release.key \ | gpg --dearmor -o /usr/share/keyrings/kubernetes-apt-keyring.gpg \ + && curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey \ + | gpg --dearmor -o /usr/share/keyrings/helm.gpg \ + && . /etc/os-release \ + && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com ${VERSION_CODENAME} main" \ + | tee /etc/apt/sources.list.d/hashicorp.list > /dev/null \ && echo 'deb [signed-by=/usr/share/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.36/deb/ /' \ | tee /etc/apt/sources.list.d/kubernetes.list > /dev/null \ - && apt-get update && apt-get install -y --no-install-recommends kubectl \ - && rm -rf /var/lib/apt/lists/* - -# ============================================================================= -# Install Helm (D-03: Buildkite apt repo, version-pinned) -# T-09-01: HTTPS + GPG key verification. 
-# ============================================================================= -RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey \ - | gpg --dearmor -o /usr/share/keyrings/helm.gpg \ && echo "deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \ | tee /etc/apt/sources.list.d/helm-stable-debian.list > /dev/null \ - && apt-get update && apt-get install -y --no-install-recommends helm=${HELM_VERSION}-1 \ + && apt-get update && apt-get install -y --no-install-recommends \ + terraform=${TERRAFORM_VERSION}-1 \ + kubectl \ + helm=${HELM_VERSION}-1 \ && rm -rf /var/lib/apt/lists/* -# ============================================================================= -# Install Datadog CLI — pup (D-03: GitHub releases binary) -# Architecture detection: supports x86_64 and arm64 (aarch64). -# T-09-01: download over HTTPS. -# ============================================================================= RUN ARCH=$(uname -m) && \ case "$ARCH" in \ - x86_64) PUPP_ARCH="x86_64" ;; \ - aarch64) PUPP_ARCH="arm64" ;; \ + x86_64) AWS_URL="https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"; PUPP_ARCH="x86_64" ;; \ + aarch64) AWS_URL="https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"; PUPP_ARCH="arm64" ;; \ *) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;; \ - esac && \ - curl -fsSL "https://github.com/DataDog/pup/releases/download/v${PUPP_VERSION}/pup_${PUPP_VERSION}_Linux_${PUPP_ARCH}.tar.gz" \ - -o /tmp/pup.tar.gz \ + esac \ + && curl -fsSL "$AWS_URL" -o /tmp/awscliv2.zip \ + && unzip -q /tmp/awscliv2.zip -d /tmp \ + && /tmp/aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli \ + && curl -fsSL "https://github.com/DataDog/pup/releases/download/v${PUPP_VERSION}/pup_${PUPP_VERSION}_Linux_${PUPP_ARCH}.tar.gz" -o /tmp/pup.tar.gz \ && tar xzf /tmp/pup.tar.gz -C /usr/local/bin/ pup \ - && rm -f /tmp/pup.tar.gz - -# 
============================================================================= -# Verify all tool installations -# ============================================================================= -RUN echo "=== Tool versions ===" \ + && rm -rf /tmp/awscliv2.zip /tmp/aws /tmp/pup.tar.gz \ + && echo "=== Tool versions ===" \ && aws --version \ && terraform --version \ && helm version --short \ && kubectl version --client --output=yaml 2>/dev/null | grep gitVersion || true \ && pup --version || true -# ============================================================================= -# Default command (matching base image behavior) -# ============================================================================= CMD ["bash"] diff --git a/docker/build.sh b/docker/build.sh index 180b64e..548bde4 100755 --- a/docker/build.sh +++ b/docker/build.sh 
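Review bot: Merging the version check into the install RUN puts the whole download/install chain in front of `|| true`, so a failed AWS CLI download, `unzip`, `/tmp/aws/install` or pup extraction no longer fails the build — `&&` and `||` bind left to right with equal precedence, so `… && curl … && tar … || true && pup --version || true` rescues every earlier failure and exits 0 with the tools missing. Before this commit the check lived in its own RUN, so the install steps failed on their own; move it back to a separate RUN and brace the two deliberately tolerant checks, as below. The AWS zip and the pup tarball are still fetched with no integrity check beyond HTTPS; AWS publishes a detached PGP signature (`.sig`) next to each installer zip that can be verified with `gpg --verify` before `/tmp/aws/install`, and the pup release should be checked for a published checksum file and verified the same way. `ARG KUBECTL_VERSION=1.36.1` is declared but never used — kubectl is installed unpinned from the hardcoded `v1.36` channel — and the deleted header comments (the D-0x decisions, the T-09-01 HTTPS/GPG notes and the remark that kubectl is intentionally left unpinned to match the cluster) were the only record of those rationales, so keep at least a one-line why-comment per install step and either use the ARG or drop it.
```dockerfile
# … unchanged: ARCH detection, AWS CLI and pup download …
    && tar xzf /tmp/pup.tar.gz -C /usr/local/bin/ pup \
    && rm -rf /tmp/awscliv2.zip /tmp/aws /tmp/pup.tar.gz

# Separate step: a failure in the install chain above must not be masked by the
# tolerant checks below.
RUN echo "=== Tool versions ===" \
    && aws --version \
    && terraform --version \
    && helm version --short \
    && { kubectl version --client --output=yaml 2>/dev/null | grep gitVersion || true; } \
    && { pup --version || true; }
```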
@@ -1,26 +1,22 @@ #!/bin/bash -# ============================================================================= -# ngn-agent Docker Image Build Script -# -# D-04: Single-command build entry point at docker/build.sh. -# Builds the custom Hermes Docker image with platform engineering tools. -# D-05: Tag: ngn-agent:latest (local only, no registry push). -# ============================================================================= set -euo pipefail -IMAGE_NAME="ngn-agent" -IMAGE_TAG="latest" +REGISTRY="${REGISTRY:-gitea.bpg.pw/bapung/ngn-agent}" +BUILD_TAG="${BUILD_TAG:-latest}" -# Resolve script location — ensures build context is the docker/ directory -# (not the repo root, preventing accidental build context leaks — T-09-02) DOCKER_DIR="$(cd "$(dirname "$0")" && pwd)" -echo "==> Building ${IMAGE_NAME}:${IMAGE_TAG}..." - +echo "==> Building ${REGISTRY}:${BUILD_TAG}..." docker build \ - -t "${IMAGE_NAME}:${IMAGE_TAG}" \ + -t "${REGISTRY}:${BUILD_TAG}" \ -f "${DOCKER_DIR}/Dockerfile" \ "${DOCKER_DIR}" -echo "==> Build complete: ${IMAGE_NAME}:${IMAGE_TAG}" -docker images "${IMAGE_NAME}:${IMAGE_TAG}" +echo "==> Build complete: ${REGISTRY}:${BUILD_TAG}" +docker images "${REGISTRY}:${BUILD_TAG}" + +if [[ "${1:-}" == "--push" ]]; then + echo "==> Pushing to ${REGISTRY}:${BUILD_TAG}..." + docker push "${REGISTRY}:${BUILD_TAG}" + echo "==> Push complete" +fi
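Review bot: The new `--push` path publishes only the mutable `${BUILD_TAG}` (default `latest`), so a consumer pulling from `${REGISTRY}` cannot pin to the build that produced it and a later push silently replaces what they last ran; tag with an immutable id as well, e.g. add `-t "${REGISTRY}:$(git -C "${DOCKER_DIR}" rev-parse --short HEAD)"` to `docker build` and push both tags. The `[[ "${1:-}" == "--push" ]]` check ignores every other argument, so a typo such as `--puhs` just builds locally with no message; a `case "${1:-}"` with `*) echo "usage: $0 [--push]" >&2; exit 2 ;;` would make that explicit. The removed header recorded D-05 as "local only, no registry push" and T-09-02 as the reason the build context is `${DOCKER_DIR}` rather than the repo root; this commit reverses D-05 without replacing that note, so a short comment above `REGISTRY=` stating the push target and that pushing is opt-in, plus the one-line T-09-02 rationale above `DOCKER_DIR=`, would keep that context in the script.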