docs: document kernel pin and mirror invariants in runtime-flows

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

bible-local/architecture/runtime-flows.md

@@ -65,6 +65,18 @@ build.sh [--authorized-keys /path/to/keys]
 ```
 
 **Critical invariants:**
+- `KERNEL_PKG_VERSION` in `iso/builder/VERSIONS` pins the exact Alpine package version
+  (e.g. `6.12.76-r0`). This version is used in THREE places that MUST stay in sync:
+  1. `build-nvidia-module.sh` — `apk add linux-lts-dev=${KERNEL_PKG_VERSION}` (compile headers)
+  2. `mkimg.bee.sh` — `linux-lts=${KERNEL_PKG_VERSION}` in apks list (ISO kernel)
+  3. `build.sh` — build-time verification that headers match pin (fails loudly if not)
+  When Alpine releases a new linux-lts patch (e.g. r0 → r1), update KERNEL_PKG_VERSION
+  in VERSIONS — that's the only place to change. The build will fail loudly if the pin
+  doesn't match the installed headers, so stale pins are caught immediately.
+- **All three must use the same APK mirror.** `build-nvidia-module.sh` and `mkimage.sh`
+  both read `/etc/apk/repositories` from the builder. Never hardcode `dl-cdn.alpinelinux.org`
+  in `build.sh` — it may serve a different package state than the builder's configured mirror,
+  causing "unable to select package" failures even when the pin is correct.
 - `linux-lts-dev` is always installed (not conditional) — stale 6.6.x headers on the
   builder would cause modules to be built for the wrong kernel and never load at runtime.
 - NVIDIA modules go to `overlay/usr/local/lib/nvidia/` — NOT `lib/modules/<kver>/extra/`.