diff --git a/bin/y-bin.runner.yaml b/bin/y-bin.runner.yaml
index 46526e11..d052f118 100755
--- a/bin/y-bin.runner.yaml
+++ b/bin/y-bin.runner.yaml
@@ -123,14 +123,14 @@ esbuild:
     path: package/bin/esbuild
 
 turbo:
-  version: 2.9.5-hashdepends.1
+  version: 2.9.10-hashdepends.2
   templates:
     download: https://github.com/solsson/turbo/releases/download/v${version}/turbo-${os}-${arch}
   sha256:
-    darwin_amd64: 45ca441c683ec728d35056406de588b3d40dfbee0d2c6f2e1b5cf36c9b826843
-    darwin_arm64: c866d3f6ac4dc89233775cab233bdf886c0bc8f027cdeba96a897b0f90c7a5f8
-    linux_amd64: ac3b3ea6db7bf1b59ae7ac0024a0af649fc5543fac70aae2e4785ed8a4f0a27b
-    linux_arm64: c5f746d9a1a1628900ac464bb4af989c60a0e888898f68474ee58548fce4b690
+    darwin_amd64: dc40b453579a7944d440b7dba6f1a47f1c15751713e860a49221bb45f845058a
+    darwin_arm64: e0e6ff9ff079757325b73e80ce9722ab728d07113b423e477db04052d5040581
+    linux_amd64: f173eaea91b52d5eeeaaf7c384383a2aabad456ee660c2882af64760d2a0adf0
+    linux_arm64: 2e846b20575759ce2833167b09e35caf5ce216587e52c297cd2774f81efd5f87
 
 yarn:
   version: 0.2.1
@@ -156,14 +156,14 @@ cue:
     path: cue
 
 cluster:
-  version: 0.3.7
+  version: 0.4.5
   templates:
     download: https://github.com/Yolean/y-cluster/releases/download/v${version}/y-cluster_v${version}_${os}_${arch}
   sha256:
-    darwin_amd64: 8b46a3e771a4afc1da855a6cb22f7729bce5b8f09f1b53ab7c02d0d20068b15d
-    darwin_arm64: b220ffd5062e6de3b55d84d2dbb489977ec84517553d48880735a44dd7a0a961
-    linux_amd64: 7c0c97efc6fa3689d6eeb00a7c3a0f1ec9ad4e02d8cc0373434e880d4b807727
-    linux_arm64: 224fb614edfd840e4f06488cc2b51e911286352e2ddb1e724fe9861c71707a2b
+    darwin_amd64: 2e0fe150b581d85bdde8fb794533491d00a958f16674bb38c159e5280a83caa8
+    darwin_arm64: e1cb12fd454c9479387abdfdc5b9ff5a31a2f2bfd3d2e49a42e07e2592c7a281
+    linux_amd64: f1992af6140a59c03a2cbc8a9fc1e55ab25c0edfcdb20160b8392ba21349a346
+    linux_arm64: 563edbcdeb402f57937c2e7c2865bf3ac1c97692a850c0ca48bcbf0494dcda7f
 
 contain:
   version: 0.9.1
diff --git a/bin/y-k8s-ingress-hosts b/bin/y-k8s-ingress-hosts
index 02601d99..6405bfae 100755
--- a/bin/y-k8s-ingress-hosts
+++ b/bin/y-k8s-ingress-hosts
@@ -26,13 +26,16 @@ Flags:
                         the GatewayClass yolean.se/dns-hint-ip annotation)
   -h, --help            show this help
 
-If --host-ip is not given, resolution walks
-  Gateway/ystack.ystack -> spec.gatewayClassName -> GatewayClass
-  -> metadata.annotations[yolean.se/dns-hint-ip]
-which y-cluster provision stamps when the host forwards guest:80.
-The legacy yolean.se/override-ip annotation on Gateway/ystack.ystack
-is consulted as a fallback for clusters provisioned before that
-contract landed.
+If --host-ip is not given, resolution walks (in order):
+  1. Gateway/ystack.ystack -> spec.gatewayClassName -> GatewayClass
+     metadata.annotations[yolean.se/dns-hint-ip]
+  2. Any GatewayClass carrying yolean.se/dns-hint-ip (used when no
+     consumer Gateway/ystack.ystack exists, e.g. y-cluster's
+     appliance flow where the GatewayClass is the only artefact).
+  3. Gateway/ystack.ystack metadata.annotations[yolean.se/override-ip]
+     (legacy, pre-dates the dns-hint-ip contract).
+y-cluster provision stamps the dns-hint-ip annotation when the
+host forwards guest:80.
 EOF
       exit 0 ;;
     --context=*) CTX="${1#*=}"; shift ;;
@@ -60,9 +63,14 @@ kubectl config view --raw --minify --context="$CTX" --request-timeout=5s > "$CON
 
 # Resolve the host-side dial IP, in priority order:
 #   1. --host-ip flag (or Y_HOST_IP env)
-#   2. Provisioner-published annotation on the GatewayClass (per
-#      specs/ystack/CHANGE_REQUEST_HINT_IP.md)
-#   3. Legacy yolean.se/override-ip annotation on the consumer Gateway
+#   2. Gateway/ystack.ystack -> GatewayClass -> yolean.se/dns-hint-ip
+#      (per specs/ystack/CHANGE_REQUEST_HINT_IP.md; this is the
+#      consumer-installs-ystack-Gateway shape, e.g. checkit)
+#   3. Any GatewayClass carrying yolean.se/dns-hint-ip directly.
+#      Picks up the y-cluster appliance shape, where the
+#      provisioner stamps the annotation on the GatewayClass it
+#      installs but no consumer Gateway/ystack.ystack exists yet.
+#   4. Legacy yolean.se/override-ip annotation on the consumer Gateway
 # The resolved value is fed to the underlying Go binary as
 # `-override-ip <IP>`, which still names the override flag in the
 # k8s-ingress-hosts v0.5.x release.
@@ -78,6 +86,27 @@ if [ -z "$HOST_IP" ]; then
     fi
   fi
 fi
+# Direct GatewayClass walk: emit `<name>=<ip>` for every
+# GatewayClass that carries the annotation, then dedupe IPs. Any
+# count !=1 of distinct IPs is treated as ambiguous -- the operator
+# disambiguates with --host-ip. Single-cluster setups (the common
+# case) collapse to one line and one IP.
+if [ -z "$HOST_IP" ]; then
+  HINT_LIST=$(kubectl --context="$CTX" --request-timeout=5s get gatewayclass \
+    -o go-template='{{range .items}}{{$ip := index .metadata.annotations "yolean.se/dns-hint-ip"}}{{if $ip}}{{.metadata.name}}={{$ip}}{{"\n"}}{{end}}{{end}}' \
+    2>/dev/null || true) # y-script-lint:disable=or-true # no GatewayClasses is a normal pre-install state
+  DISTINCT_IPS=$(echo "$HINT_LIST" | awk -F= 'NF==2 && $2!="" {print $2}' | sort -u)
+  IP_COUNT=$(echo "$DISTINCT_IPS" | grep -c .)
+  if [ "$IP_COUNT" = "1" ]; then
+    HOST_IP="$DISTINCT_IPS"
+    GC_NAME=$(echo "$HINT_LIST" | awk -F= 'NF==2 && $2!="" {print $1; exit}')
+    echo "# Using host-ip=$HOST_IP from GatewayClass/$GC_NAME yolean.se/dns-hint-ip (direct)"
+  elif [ "$IP_COUNT" -gt 1 ]; then
+    echo "# warn: multiple GatewayClasses carry yolean.se/dns-hint-ip with different values:" >&2
+    echo "$HINT_LIST" | sed 's/^/#   /' >&2
+    echo "# pass --host-ip to disambiguate; falling through to legacy resolution" >&2
+  fi
+fi
 if [ -z "$HOST_IP" ]; then
   HOST_IP=$(kubectl --context="$CTX" --request-timeout=5s -n ystack get gateway ystack \
     -o jsonpath='{.metadata.annotations.yolean\.se/override-ip}' 2>/dev/null || true) # y-script-lint:disable=or-true # legacy annotation is best-effort
diff --git a/k3s/20-gateway/yconverge.cue b/k3s/20-gateway/yconverge.cue
index 3bf5f310..2069cfae 100644
--- a/k3s/20-gateway/yconverge.cue
+++ b/k3s/20-gateway/yconverge.cue
@@ -13,6 +13,7 @@ _dep_ns: namespace_ystack.step
 
 step: verify.#Step & {
 	checks: [
+		// TODO pending https://github.com/Yolean/y-cluster/issues/11
 		{
 			kind:        "exec"
 			command:     "y-k8s-ingress-hosts --context=$CONTEXT -write || echo 'WARNING: /etc/hosts update failed (may need manual sudo)'"
diff --git a/k3s/29-y-kustomize/yconverge.cue b/k3s/29-y-kustomize/yconverge.cue
index 71319214..986aa6b6 100644
--- a/k3s/29-y-kustomize/yconverge.cue
+++ b/k3s/29-y-kustomize/yconverge.cue
@@ -12,6 +12,7 @@ step: verify.#Step & {
 	checks: [
 		// /etc/hosts must be updated before the /health probe -- the probe
 		// resolves "y-kustomize" via the file we just wrote.
+		// TODO pending https://github.com/Yolean/y-cluster/issues/11
 		{
 			kind:        "exec"
 			command:     "y-k8s-ingress-hosts --context=$CONTEXT -write || echo 'WARNING: /etc/hosts update failed (may need manual sudo)'"
diff --git a/y-kustomize/y-kustomize-deployment.yaml b/y-kustomize/y-kustomize-deployment.yaml
index 30adc1f7..d6e2b047 100644
--- a/y-kustomize/y-kustomize-deployment.yaml
+++ b/y-kustomize/y-kustomize-deployment.yaml
@@ -20,7 +20,7 @@ spec:
         runAsUser: 65532
       containers:
       - name: y-kustomize
-        image: ghcr.io/yolean/y-cluster:v0.3.7@sha256:4b1bb1202e2318de403c1254629fad6e7bac6a26e71ece9fd8eff2ce00891200
+        image: ghcr.io/yolean/y-cluster:v0.4.5@sha256:ba5052b1d884447d0ba8d0869447d9e874442c79d7eccfbe12621ac091678650
         command: ["/usr/local/bin/y-cluster"]
         args:
         - serve