Review CV doc and close build-dep review gap

Fix stale CV service doc (URL, forge domain, container tag) and add
guidance for reviewing build-time dependencies in private forge repos
during service reviews.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Erich Blume 2026-03-27 07:11:22 -07:00
commit 687e972713
4 changed files with 24 additions and 8 deletions

View file

@ -0,0 +1 @@
Review and fix CV service doc (correct URL, forge domain, container tag link) and add private forge repo review guidance to review-services process.

View file

@ -38,6 +38,8 @@ mise run service-review --type hybrid
## Review Process by Service Type
For all service types, start by reading the service's reference card (`docs/reference/services/<service>.md`) for architecture, configuration, and endpoint details.
### ArgoCD Services (`type: argocd`)
1. Check the upstream releases page for new versions
@ -59,6 +61,18 @@ mise run service-review --type hybrid
2. Review the Nix derivation or flake input for version pins
3. If upgrading, update and deploy via `mise run provision-ringtail`
### Private Forge Repos (`upstream-source` under `forge.eblu.me/eblume/`)
Some services are built from private repos on the forge rather than tracking an external upstream project. When `upstream-source` points to a `forge.eblu.me/eblume/` repo:
1. Clone the repo to `~/code/personal/` if not already checked out
2. Review the repo's dependency pins — uv script metadata, `pyproject.toml`, `package.json`, `flake.nix` inputs, etc.
3. Update stale dependencies and rebuild locally to verify nothing breaks
4. If changes were made, commit, push, and trigger a new release from that repo
5. Back in blumeops, update the container image or release artifact reference as needed
This extends the service review into the source repo's build-time dependencies, which would otherwise be a blind spot — the blumeops-side review only covers the deployment manifest and container base image.
## Attached Services
Some services have auxiliary dependencies that run as separate containers — caches, sidecars, init helpers. These are tracked as **attached services** with a naming convention and an optional `parent` field:
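Review bot: Step 3 of the new Private Forge Repos list says to update stale dependencies and rebuild, but none of steps 2 to 4 asks the reviewer to look at what the update actually pulls in. Step 2 names manifest files (`pyproject.toml`, `package.json`, `flake.nix` inputs) and no lock files, so a bump can change transitive dependencies without anyone reading the change. Suggest adding a step between 3 and 4 to read the lock file diff (for example `uv.lock`, `package-lock.json` or `flake.lock`, where the repo commits them) and the release notes of the bumped packages before committing. It would also help to say what "verify nothing breaks" means beyond a successful build, such as running the repo's tests.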

View file

@ -1,6 +1,7 @@
---
title: CV
modified: 2026-02-12
modified: 2026-03-27
last-reviewed: 2026-03-27
tags:
- service
- resume
@ -14,11 +15,11 @@ Personal resume/CV served as a static HTML page with PDF download, built from YA
| Property | Value |
|----------|-------|
| **URL** | `cv.ops.eblu.me` (tailnet only, via [[caddy]]) |
| **URL** | `cv.eblu.me` (public, via [[flyio-proxy]]) |
| **Namespace** | `cv` |
| **Container** | `registry.ops.eblu.me/blumeops/cv:v1.0.0` |
| **Source repo** | `forge.ops.eblu.me/eblume/cv` (private, not mirrored to GitHub) |
| **Content packages** | `forge.ops.eblu.me/eblume/-/packages` (generic package `cv`) |
| **Container** | `registry.ops.eblu.me/blumeops/cv` ([kustomization](https://forge.eblu.me/eblume/blumeops/src/branch/main/argocd/manifests/cv/kustomization.yaml)) |
| **Source repo** | `forge.eblu.me/eblume/cv` (private, not mirrored to GitHub) |
| **Content packages** | `forge.eblu.me/eblume/-/packages` (generic package `cv`) |
| **ArgoCD App** | `cv` |
## Architecture
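Review bot: In the properties table, the Source repo and Content packages rows move from `forge.ops.eblu.me` to `forge.eblu.me`, while the Container row keeps `registry.ops.eblu.me`; please confirm the registry host is still current and was not missed in the same cleanup. The Container row also no longer shows any version, so consider saying in the cell that the deployed tag is the one set in the linked kustomization, so a reader knows where to look for the pinned image.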
@ -66,6 +67,6 @@ Provisioned via `forgejo_actions_secrets` Ansible role. See [[create-release-art
## Related
- [[docs]] — Similar architecture (nginx container + content tarball)
- [[caddy]] — Reverse proxy for `cv.ops.eblu.me`
- [[flyio-proxy]] — Exposes `cv.eblu.me` publicly via Tailscale tunnel
- [[create-release-artifact-workflow]] — How to set up release artifact workflows
- [[deploy-k8s-service]] — General k8s deployment guide