feat(gitea): take ownership of Gitea Helm values (T06)

Receive gitea-values.sops.yaml from railiance-cluster — S5 now
owns the Gitea deployment lifecycle per ADR-003 boundary rules.

Add gitea-deploy and gitea-status Makefile targets. Update
SCOPE.md to reflect boundary violation resolved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Makefile

@@ -1,5 +1,22 @@
 SHELL := /usr/bin/env bash
 .DEFAULT_GOAL := help
 
+##@ Gitea
+
+gitea-deploy: ## Deploy / upgrade Gitea (S5 workload)
+	helm upgrade --install gitea gitea-charts/gitea \
+		-f <(sops -d helm/gitea-values.sops.yaml) \
+		--namespace gitea --create-namespace
+
+gitea-status: ## Check Gitea health
+	kubectl get pods -n gitea
+	kubectl cnpg status gitea-db -n databases
+
+##@ Help
+
 help: ## Show this help
-	@grep -E '^[a-zA-Z0-9_-]+:.*?## ' $(MAKEFILE_LIST) | sort | sed 's/:.*##/: /'
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} \
+	  /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } \
+	  /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
+
+.PHONY: gitea-deploy gitea-status help

SCOPE.md

@@ -53,10 +53,10 @@ Railiance is structured as five independent repos, one per OAS (Open Application
 
 ## Current State
 
-- Status: experimental (placeholder; no active work)
+- Status: active (Gitea Helm values now owned by S5; boundary violation resolved)
-- Implementation: empty (workplans/ has only .gitkeep; no Helm charts yet)
+- Implementation: Gitea is deployed and operational. Helm values (`helm/gitea-values.sops.yaml`) are now managed from this repo (S5) — moved from railiance-cluster in RAIL-HO-WP-0004-T06. Gitea uses an external cnpg database (`gitea-db` in the `databases` namespace) and standalone Valkey.
-- Stability: n/a
+- Stability: Gitea stable; S5 layer now owns the Gitea deployment lifecycle
-- Usage: will be used after railiance-platform (S3) is operational
+- Usage: Gitea serves as the git hosting platform for all Railiance and Custodian repos
 
 ---
 
@@ -99,3 +99,4 @@ keywords: [gitea, coulomb, webapp, helm, application, deployment, workload]
 - Start with: `CLAUDE.md` (session protocol, boundary rules)
 - Key files / directories: `workplans/` (currently empty), `Makefile`
 - Pre-conditions: all four lower layers (S1–S4) must be converged and verified
+- Key files: `helm/gitea-values.sops.yaml` (Gitea Helm values, SOPS-encrypted), `releases/gitea/values.yaml` (legacy plain values — superseded)

helm/gitea-values.sops.yaml

@@ -0,0 +1,46 @@
+#ENC[AES256_GCM,data:RznLDXAkDpHVhaXHZrlMYo6z8+cZyTjRMkku6XrF2Zjzulkt+Ve/8Q==,iv:EHVhhpSUcDGR1ARNfNbSdJ0Gjjq6CyEfXMU+cAnIgc4=,tag:0OWESOcslvCB5wHH6IWE6g==,type:comment]
+#ENC[AES256_GCM,data:RJvbPFrBALVhJm5+rkcdgTqE9G59vRnfjddwXU+G+B3u1saEttf98sTXV/Mim/FK6gAilvSr,iv:h1QLn5NthfdVAayrpvqcPzTXV1sEQATNREAHLRT6c1Y=,tag:32UpAGaIyDbFnnAa3zveAQ==,type:comment]
+#
+#ENC[AES256_GCM,data:mzm+3mIPOZBEuFAZUppd3i2UnJ94mP+pXGVLdkfZ8SOTDgnw6dJa1A==,iv:cO/dj0wp9MlEUUcYU4qOGG1qJ2LWHHgRGoYii7aKMMg=,tag:4jiRnvmaRa3nDoSJ2W6sWw==,type:comment]
+#ENC[AES256_GCM,data:h7vlbkUu+TMbRU83E+nx5F/4FCcovoIPdgRmD4/QVUFPimDGxZ6CtnhJbYQjVw==,iv:kXozUXpTdhy+MPk2y956Pqofww/iDVLUE/bSH0+mHaU=,tag:LsB6Ijmw/sT0d3S+rMbAsQ==,type:comment]
+#ENC[AES256_GCM,data:Uw46ZrbHN5fxwHV/mU9t+z2xYkRE0gUxmlzRfzPVt31qH7SwxvVvcSMRIw==,iv:/nnvTn3ABdKBtCRytjg73T4jl3w+8JRZIaSsw7l9Iyk=,tag:Bn4WRZDMj6lc0o8Z6d/ZXQ==,type:comment]
+#ENC[AES256_GCM,data:6871AIBTjtOWM5CCXlo/MDCYMhBdl4kVCQnxhlW7cyZ6Ucy+0Tg3yn5LO28DDQl2y8f/2ACfttT4KHiGqe7bhg0a0DouN1NLRmXlxNUAADo88FqW33C41EBJ7v50ng==,iv:qOjN0OBPaNNBC33CXwGUPVNdk+eerCa5mOdkcqwQKXM=,tag:U0xLzSBcAR4ILRQHGaoWLg==,type:comment]
+#
+#ENC[AES256_GCM,data:FRaxggcnSudMRfPAMH3nzX04cwkWQ4LhyGk0qMmH5tiSPYMnVoedoLN6TEnk5skCg6UmOaV2jcJo36zpkKoQBf6u,iv:CQoIAYQO09d+jqsvgycCFHZme9SFhgGWaut3JjeEQ5w=,tag:0i56ycYqWuKMOcjentGplw==,type:comment]
+#ENC[AES256_GCM,data:weGb36lC8sz19REjFOI8EagSEnDisNSHteSr+SZmTWAbfxnUk+/G4d5q/KMWHS+Y0SimGbufwDuvj0AiwIl0GZ/46Lqfdg==,iv:IIZCqRFIEp0IxGQkv5aTknJyYA3DG7vxtu6CGhrUh0k=,tag:/X3OGfgurgiNsz1vf6oPxw==,type:comment]
+gitea:
+    config:
+        server:
+            DOMAIN: ENC[AES256_GCM,data:R2HrjW5sW0nvDNIWd0G00ReltOA=,iv:CWZ+Fy+y/hIKNzqCTstaGFpgHgDJvEe6mF0Q7QKbvmE=,tag:+oA9F7xTgaSXLIPmYNkY5A==,type:str]
+            ROOT_URL: ENC[AES256_GCM,data:li2QBHIkm3hVSqGbzuBG2os8qx7tHuiyOttn,iv:2q0LXgp+bhv7t4FG1kBNNlq1ZqSpIpUf7e0hdKhJosg=,tag:h+Mu0/jo/pb78qOWU7W0TQ==,type:str]
+            SSH_DOMAIN: ENC[AES256_GCM,data:i0Vb19m1fbr4TluqQxjFg73X0eA=,iv:ff2Nhmpdc+S8lTye87fj0i5MFyIl4Mhq8+awknKlbTQ=,tag:lPGppk9JT7wR5thdwlmjTQ==,type:str]
+postgresql-ha:
+    postgresql:
+        #ENC[AES256_GCM,data:kRJ/o1D24opEpW87UbrSWzGjOAgRD0GTMrP9wI2x9xY=,iv:hepYzpp2stw6zjHpS2vr84rZrgifhEBK/UovRUWoV6c=,tag:XDwJc1rbI2F9gEr6o5tzgw==,type:comment]
+        password: ENC[AES256_GCM,data:AkkKp+w=,iv:juctW3iHu67VJ8aTOW0XmqCyzr/mXnQ6g4/1G+i+2rY=,tag:LCfo9IyhBMpqEdtMy/iNaA==,type:str]
+        #ENC[AES256_GCM,data:w8IVl9bCaSuivbgZ0XGH9NiM6lb3j7x9WX/hnIawG4ka6ayzkE/J3hf3dHuODQ==,iv:SbtCWprptkkCu8GIOQeh6gAYLuD+T1dyxZE1BOOLMns=,tag:Fa00ndoNxRIcSXDZFaH08Q==,type:comment]
+        postgresPassword: ENC[AES256_GCM,data:2BxdJ++kXX3t,iv:sARgDgLtsKve/KnqMxH2T8bTtyVZDtCWD8/EHIoXkqs=,tag:AJAkFd8EM+zEzd8YgRZlng==,type:str]
+        #ENC[AES256_GCM,data:xz+TDvCisDuBzo7xIsJXUanl1yELabUonk8dRUg1hoaU3EYIJQ==,iv:cWfTjhwfaUNLralnQRe1lmx8lcyxofXPrZU/LZEcQfc=,tag:jUukbPltv6NUOQKRCSoORw==,type:comment]
+        repmgrPassword: ENC[AES256_GCM,data:FC5NW9Jnm1CX,iv:/c1g/luv39LCBDI6Ayhw7O5SzOqgR5RFLtAouuHFWvQ=,tag:wP7xx0ga8i3lzVyVm2iiOQ==,type:str]
+        #ENC[AES256_GCM,data:3w4zrmvevybTsZzr5wgwF3h1UMJuizBQ0+wjyq++X899LCp0ild6YOcPR2KiOvn5zNitG7RW8LpwyWkw+hzK,iv:HnJl+UhEu/M9HeLy2ws/437lMC1ZjTlbEgMnEpG0FY4=,tag:Nxxj4q7eOh0+zmVLhXArcQ==,type:comment]
+        pgpoolPassword: ENC[AES256_GCM,data:MF8mAi9UpHwh,iv:TYvqtUtqFH+JcoHWfUk3SIrh/MsmEitRoGn4FWXyjNE=,tag:bJeGbXI7V8Vcn6EoEfzzHQ==,type:str]
+    pgpool:
+        #ENC[AES256_GCM,data:mwdpjpgs38LDNg0BQukw5t61RN5EHbvbGgDquuMezXCviYMViA==,iv:9QLGDdAAcUOMJAp40cOBC3qN3aBeuXvcj76UWbnazq8=,tag:kRW1CVpoaK7sXOHU4uHpcw==,type:comment]
+        adminPassword: ENC[AES256_GCM,data:9aheOLxvanH9,iv:q7CEnryzyh5zVJHqJ2veAVr9lRVNFPwM6ownxmI12Wg=,tag:EFOOxW7LPLCRJxuhwreo1A==,type:str]
+        #ENC[AES256_GCM,data:FAZHI4BENIuUyILlBh4m/vluaursEkO/yWuKp5mPpYnxYy3vI0Ichehu1o8405ENp1UjyN1bEA==,iv:CBjvgAF4RIEb0wpD+NV1oXAZCZof6X94S0Ny7JrKy5Q=,tag:ytSlhX8knkwKouX5wSO31A==,type:comment]
+        srCheckPassword: ENC[AES256_GCM,data:S5tluU9DfVKV,iv:5pdvQcnebpoBaQq422PTeIdvQKc0AJ3M+PyapnSe0hM=,tag:/sHw4GoqPOiOAnDVqnizqQ==,type:str]
+sops:
+    age:
+        - recipient: age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3eCtCczBraGlibTRpVTI5
+            WGNVV0N3c2NZZ2dmL1lQTXBHcGtJODlTR2tFCnFmOTBCaDhOYW4raFg1WkJhYUxN
+            Q1Y0cnNkYUp6T0ZNUVNUY1RLNkZicEkKLS0tIGZDRkg0TmdkTGNvd1RQTWVacXRs
+            R0RHWml2LzRHcmpDUGRnY1Bwa3BOeWMKN52lakQFLMBflYC/KOTXLECJb6qlTVNG
+            xFlPrgVhMaF2dwTje/5QsSAOuvwQ4HJ7ot3KsUkQAhheqYeiOAxdPg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-03-10T13:36:49Z"
+    mac: ENC[AES256_GCM,data:3D5CtE5lcEc20pH2iyLF3UaPRqlp3BFF1xbSjVtv6R/YYnnemjBcDKT8kbMWb5mGCGOYlJ7AE+ewmix3KdY1FZnNENRSXkTSMqlu8luRzXNq+QuXSA7ofAtC24VMiHGnCSgY+rxSbbKLC1dcdF4KblcAmKp5tv0/8XyzSWkswAI=,iv:xQ/OotVy329F150A8HEeUgf0l8iZB3LJm9/zm/b+SJg=,tag:pxotV1XcTJfgd3HGdS/eKQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2