Move Gitea deploy surface into forge

docs/current-forge-asset-inventory.md

@@ -2,18 +2,20 @@
 
 Date: 2026-06-05
 
-This inventory covers forge-related assets currently visible in
+This inventory covers forge-related assets that were originally visible in
 `/home/worsch/railiance-apps`. It supports `FORGE-WP-0001-T03` and the
 coordinating `RAILIANCE-WP-0006` extraction plan.
 
-No files have been moved yet. This document assigns each candidate asset a
-target disposition for the first migration plan.
+Canonical docs and deploy-capable Gitea files have now moved into
+`railiance-forge`. `railiance-apps` keeps compatibility pointers and wrappers
+while app-release ownership remains there.
 
 ## Summary
 
 | Disposition | Meaning |
 |-------------|---------|
 | Move | Canonical file should move to `railiance-forge`. |
+| Moved | Canonical file has moved to `railiance-forge`. |
 | Copy pointer | Copy canonical content to `railiance-forge`, leave a short pointer in `railiance-apps` temporarily. |
 | Leave | Keep in `railiance-apps`; it is S5 app-release surface. |
 | Adapt | Keep local behavior, but update references after forge extraction. |
@@ -23,21 +25,21 @@ target disposition for the first migration plan.
 
 | Asset | Current role | Target disposition | Notes |
 |-------|--------------|--------------------|-------|
-| `helm/gitea-values.sops.yaml` | SOPS-encrypted Gitea Helm values. | Move | Must preserve secret boundary; move without decrypting. |
-| `helm/gitea-registry-values.yaml` | Non-secret overlay enabling Gitea package/container registry behavior. | Move | This is forge runtime config, not S5 app config. |
-| `manifests/gitea-ingress.yaml` | Registry-facing Gitea ingress for `/v2`. | Move | Forge owns Gitea/registry exposure; cluster ingress primitives remain S2. |
-| `releases/gitea/values.yaml` | Legacy/plain Gitea release values reference. | Move or supersede | Likely keep only as historical migration reference if still useful. |
-| `Makefile` variables `GITEA_*` | Gitea release/chart/value/ingress defaults. | Move | Recreate in `railiance-forge/Makefile`; remove from S5 after compatibility window. |
-| `make gitea-deploy` | Deploy/upgrade current Gitea release. | Move | Should become `railiance-forge` operator target. |
-| `make gitea-ingress-deploy` | Apply Gitea registry ingress. | Move | Should become `railiance-forge` operator target. |
-| `make gitea-status` | Check Gitea pod/service/ingress and `gitea-db` status. | Move | Keep database status as consumer evidence; S3 still owns DB implementation. |
+| `helm/gitea-values.sops.yaml` | SOPS-encrypted Gitea Helm values. | Moved | Now `railiance-forge/helm/gitea-values.sops.yaml`; moved without decrypting. |
+| `helm/gitea-registry-values.yaml` | Non-secret overlay enabling Gitea package/container registry behavior. | Moved | Now `railiance-forge/helm/gitea-registry-values.yaml`. |
+| `manifests/gitea-ingress.yaml` | Registry-facing Gitea ingress for `/v2`. | Moved | Now `railiance-forge/manifests/gitea-ingress.yaml`; labels left unchanged until next reviewed deploy. |
+| `releases/gitea/values.yaml` | Legacy/plain Gitea release values reference. | Moved | Now `railiance-forge/releases/gitea/values.yaml`; review before using as active deploy input. |
+| `Makefile` variables `GITEA_*` | Gitea release/chart/value/ingress defaults. | Moved | Forge owns canonical variables; apps keeps only release/name compatibility variables. |
+| `make gitea-deploy` | Deploy/upgrade current Gitea release. | Moved | Forge owns target; apps delegates during compatibility window. |
+| `make gitea-ingress-deploy` | Apply Gitea registry ingress. | Moved | Forge owns target; apps delegates during compatibility window. |
+| `make gitea-status` | Check Gitea pod/service/ingress and `gitea-db` status. | Moved | Forge owns target; apps delegates during compatibility window. |
 
 ## Copy With Compatibility Pointer
 
 | Asset | Current role | Target disposition | Notes |
 |-------|--------------|--------------------|-------|
-| `docs/gitea-container-registry.md` | Canonical operator recipe for container registry host, auth, pull secrets, storage note. | Copy pointer | Copy to `railiance-forge/docs/`; leave S5 pointer for app consumers. |
-| `docs/gitea-package-registry.md` | Python package registry publishing/install recipe and `issue-core` handoff. | Copy pointer | Forge owns endpoint/registry posture; app/source repos own package release details. |
+| `docs/gitea-container-registry.md` | Canonical operator recipe for container registry host, auth, pull secrets, storage note. | Moved | Forge doc is canonical; app-side file is a compatibility pointer. |
+| `docs/gitea-package-registry.md` | Python package registry publishing/install recipe and `issue-core` handoff. | Moved | Forge doc is canonical; app-side file is a compatibility pointer. |
 | `workplans/RAIL-AP-WP-0001-gitea-container-registry.md` | Historical implementation evidence for enabling Gitea registry in S5. | Copy pointer or archive | Keep historical record in S5, but create forge follow-up for storage/retention/restore posture. |
 | `workplans/RAILIANCE-WP-0006-railiance-forge-extraction.md` | Cross-repo coordination plan. | Leave plus pointer | Remains in `railiance-apps` as extraction coordinator; forge work proceeds in `FORGE-WP-*`. |
 
@@ -67,7 +69,7 @@ target disposition for the first migration plan.
 | `SCOPE.md` | Currently lists Gitea as S5-owned workload. | Adapt | After migration, describe forge as upstream release infrastructure. |
 | `INTENT.md` | Mentions Gitea/current forge as S5 workload/learning surface. | Adapt | Keep S5 intent but remove long-term forge ownership language. |
 | `AGENTS.md` | Repo identity still says application Helm releases, Gitea, coulomb services. | Adapt | Update after Gitea files move. Also update task status examples to State Hub canon. |
-| `Makefile` `SOPS_SENTINEL ?= $(GITEA_VALUES)` | `check-sops` currently validates Gitea SOPS values. | Adapt | Once Gitea values move, choose an S5 sentinel or make the check no-op when no SOPS file exists. |
+| `Makefile` `SOPS_SENTINEL` | `check-sops` validates the forge-owned Gitea SOPS sentinel for compatibility. | Adapted | Apps points at `/home/worsch/railiance-forge/helm/gitea-values.sops.yaml`. |
 | `tools/check-sops.sh` | Generic SOPS sentinel check. | Leave/adapt | Useful beyond forge, but current default must change after move. |
 | `.custodian-brief.md` | Generated State Hub brief. | Generated | Do not edit manually; consistency sync updates it. |
 
@@ -82,21 +84,20 @@ target disposition for the first migration plan.
 
 ## First Safe Move Candidate
 
-The first migration should avoid live service changes and move documentation
-before deployment configuration:
+The first migration avoided live service changes and moved documentation before
+deployment configuration:
 
 1. Copy `docs/gitea-container-registry.md` and
    `docs/gitea-package-registry.md` into `railiance-forge/docs/`.
 2. Replace the originals in `railiance-apps` with short compatibility pointers.
 3. Add a `railiance-forge/Makefile` with read-only/status targets first.
 4. Move deploy-capable Gitea targets only after the operator path is reviewed.
+5. Keep app-side compatibility wrappers until operators have switched.
 
-This gives operators a new canonical forge home while keeping current S5 app
+This gives operators a canonical forge home while keeping current S5 app
 runbooks discoverable.
 
 ## Remote Creation Note
 
-Creating `coulomb/railiance-forge` on the current Gitea instance is blocked:
-the configured `tea` login `coulomb` exists, but the stored token is invalid as
-of 2026-06-05. The local repo is initialized and State Hub-registered, but
-`origin` should not be added until the remote repository exists.
+`coulomb/railiance-forge` now exists and the local repo is pushed to
+`gitea-remote:coulomb/railiance-forge.git`.