Decommission forge compatibility pointers

docs/forge-source-of-truth-decision.md

@@ -0,0 +1,33 @@
+# Forge Source Of Truth Decision
+
+Date: 2026-06-05
+
+## Decision
+
+`railiance-forge` is the source of truth for current Gitea operation, future
+Forgejo migration, forge runtime deployment, source hosting, container and
+Python package registries, Actions runner substrate, artifact retention, and
+forge operating evidence.
+
+`railiance-apps` consumes those forge capabilities only as release
+infrastructure for S5 application workloads. It does not keep Gitea
+deploy/status wrappers, forge SOPS sentinels, registry-retention procedures, or
+local compatibility copies of forge registry docs.
+
+## Rationale
+
+The forge layer is cross-cutting infrastructure for source control, packages,
+images, runners, and promotion evidence. Keeping it in S5 made app release
+runbooks responsible for non-app runtime state. The dedicated forge repo gives
+operators one place to change forge runtime behavior while allowing S5 app
+runbooks to cite forge evidence and consume published artifacts.
+
+## Consequences
+
+- Forge runtime changes start in `/home/worsch/railiance-forge`.
+- S5 app release work links to forge docs instead of duplicating registry or
+  runner operating procedures.
+- App-specific charts, values, manifests, smoke tests, and runbooks remain in
+  `/home/worsch/railiance-apps`.
+- Source repos still own application code, package metadata, package publishing,
+  image build definitions, and lock regeneration.

docs/gitea-container-registry.md

@@ -1,16 +0,0 @@
-# Gitea Container Registry
-
-Canonical registry operating guidance now lives in:
-
-```text
-/home/worsch/railiance-forge/docs/gitea-container-registry.md
-```
-
-This compatibility pointer remains in `railiance-apps` after deploy-capable
-Gitea Helm, SOPS, and manifest files moved to `railiance-forge` under
-`RAILIANCE-WP-0006-T03`.
-
-Use `railiance-forge` for registry endpoints, package-token handling, smoke
-evidence, storage notes, retention posture, and future Forgejo registry
-ownership. Use `railiance-apps` only for S5 app release values and app runbooks
-that consume already-published images.

docs/gitea-package-registry.md

@@ -1,16 +0,0 @@
-# Gitea Package Registry
-
-Canonical package-registry operating guidance now lives in:
-
-```text
-/home/worsch/railiance-forge/docs/gitea-package-registry.md
-```
-
-This compatibility pointer remains in `railiance-apps` after deploy-capable
-Gitea Helm, SOPS, and manifest files moved to `railiance-forge` under
-`RAILIANCE-WP-0006-T03`.
-
-Use `railiance-forge` for the Gitea PyPI endpoint, package-token handling,
-publish/install recipes, retention posture, and future Forgejo package
-ownership. Use `railiance-apps` only for S5 app release values and app runbooks
-that consume already-published packages.

docs/operator-setup.md

@@ -1,10 +1,16 @@
 # Operator Setup
 
-Run these checks before deploying or rotating any S5 workload:
+Run these checks before deploying any S5 workload:
 
 ```bash
 make check-tools
-make check-sops
+```
+
+When the app release work touches encrypted SOPS files, also verify the
+operator age identity against the encrypted file being changed:
+
+```bash
+SOPS_SENTINEL=<encrypted-file> make check-sops
 ```
 
 ## Required Tools
@@ -27,7 +33,7 @@ for primary/replica health and backup state.
 
 ## SOPS Age Key Bootstrap
 
-SOPS-encrypted values in this repo expect an age identity at:
+SOPS-encrypted values used by app release work expect an age identity at:
 
 ```text
 ~/.config/sops/age/keys.txt
@@ -46,9 +52,9 @@ Bootstrap procedure:
    ```bash
    chmod 600 ~/.config/sops/age/keys.txt
    ```
-5. Verify decryption:
+5. Verify decryption against the encrypted file being changed:
    ```bash
-   make check-sops
+   SOPS_SENTINEL=<encrypted-file> make check-sops
    ```
 
 Do not commit age identities, decrypted values, or copied SOPS plaintext