Move Gitea deploy surface into forge

This commit is contained in:
2026-06-05 13:19:10 +02:00
parent 8b9f3b341d
commit 9ce24968cd
13 changed files with 219 additions and 78 deletions


@@ -3,9 +3,14 @@ SHELL := /usr/bin/env bash
GITEA_RELEASE ?= gitea GITEA_RELEASE ?= gitea
GITEA_NAMESPACE ?= default GITEA_NAMESPACE ?= default
GITEA_CHART ?= gitea-charts/gitea
GITEA_VALUES ?= helm/gitea-values.sops.yaml
GITEA_REGISTRY_VALUES ?= helm/gitea-registry-values.yaml
GITEA_INGRESS ?= manifests/gitea-ingress.yaml
GITEA_DB_CLUSTER ?= gitea-db GITEA_DB_CLUSTER ?= gitea-db
GITEA_DB_NAMESPACE ?= databases GITEA_DB_NAMESPACE ?= databases
REGISTRY_DOCS ?= docs/gitea-container-registry.md docs/gitea-package-registry.md REGISTRY_DOCS ?= docs/gitea-container-registry.md docs/gitea-package-registry.md
SOPS_SENTINEL ?= $(GITEA_VALUES)
##@ Operator checks ##@ Operator checks
@@ -26,6 +31,9 @@ check-tools: ## Check local tools used by forge operator targets
fi; \ fi; \
exit $$missing exit $$missing
check-sops: ## Verify the configured SOPS sentinel can decrypt
sops -d $(SOPS_SENTINEL) >/dev/null
registry-docs: ## Print canonical registry docs registry-docs: ## Print canonical registry docs
@for doc in $(REGISTRY_DOCS); do \ @for doc in $(REGISTRY_DOCS); do \
printf '\n## %s\n\n' "$$doc"; \ printf '\n## %s\n\n' "$$doc"; \
@@ -34,6 +42,15 @@ registry-docs: ## Print canonical registry docs
##@ Current Gitea ##@ Current Gitea
gitea-deploy: ## Deploy / upgrade current Gitea forge runtime
helm upgrade --install $(GITEA_RELEASE) $(GITEA_CHART) \
-f <(sops -d $(GITEA_VALUES)) \
-f $(GITEA_REGISTRY_VALUES) \
--namespace $(GITEA_NAMESPACE) --create-namespace
gitea-ingress-deploy: ## Apply the Gitea OCI registry ingress
kubectl apply -f $(GITEA_INGRESS)
gitea-status: ## Read-only status for current Gitea runtime and database gitea-status: ## Read-only status for current Gitea runtime and database
kubectl get pods -n $(GITEA_NAMESPACE) -l app.kubernetes.io/instance=$(GITEA_RELEASE) kubectl get pods -n $(GITEA_NAMESPACE) -l app.kubernetes.io/instance=$(GITEA_RELEASE)
kubectl get svc -n $(GITEA_NAMESPACE) $(GITEA_RELEASE) --ignore-not-found kubectl get svc -n $(GITEA_NAMESPACE) $(GITEA_RELEASE) --ignore-not-found
@@ -53,4 +70,4 @@ help: ## Show this help
/^[a-zA-Z0-9_-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } \ /^[a-zA-Z0-9_-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } \
/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST) /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
.PHONY: check-tools registry-docs gitea-status help .PHONY: check-tools check-sops registry-docs gitea-deploy gitea-ingress-deploy gitea-status help
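Review bot: In the new `gitea-deploy` recipe a failing `sops -d` inside `<(...)` does not fail the recipe, because bash does not propagate a process substitution's exit status; helm then reads an empty values stream and upgrades the release with only `$(GITEA_REGISTRY_VALUES)`, silently replacing whatever the encrypted values set. Making the `check-sops` target added in the same commit a prerequisite closes that gap at the cost of one extra decrypt: `gitea-deploy: check-sops ## Deploy / upgrade current Gitea forge runtime`. Separately, `helm upgrade --install $(GITEA_RELEASE) $(GITEA_CHART)` carries no `--version`, so every deploy pulls whatever the chart repository currently publishes; a `GITEA_CHART_VERSION ?= <pinned-chart-version>` knob passed as `$(if $(GITEA_CHART_VERSION),--version $(GITEA_CHART_VERSION))` keeps deploys reproducible without breaking the unpinned default. The `help` recipe in the last hunk starts outside the hunk and was only touched for `.PHONY`.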


@@ -14,10 +14,9 @@ Start with:
4. `docs/` 4. `docs/`
5. `workplans/` 5. `workplans/`
Current implementation status: early extraction. Canonical registry operation Current implementation status: active forge extraction. Canonical registry
docs and read-only status targets live here now. Deploy-capable Gitea Helm, operation docs, deploy-capable Gitea files, and operator targets live here now.
SOPS, and manifest files remain in `railiance-apps` until the explicit No live Helm deploy or Kubernetes apply was run as part of the move.
migration review in `RAILIANCE-WP-0006-T03`.
Useful entry points: Useful entry points:
@@ -25,4 +24,5 @@ Useful entry points:
make registry-docs make registry-docs
make check-tools make check-tools
make gitea-status make gitea-status
make gitea-deploy
``` ```


@@ -30,8 +30,8 @@ The practical contract is:
4. `railiance-apps` consumes forge artifacts and deploys user-facing workloads. 4. `railiance-apps` consumes forge artifacts and deploys user-facing workloads.
Canonical registry operation docs and read-only forge checks now live here. Canonical registry operation docs and read-only forge checks now live here.
Deploy-capable Gitea Helm/SOPS/manifests remain in `railiance-apps` until the Deploy-capable Gitea Helm/SOPS/manifests also live here now; `railiance-apps`
explicit migration gate for live-affecting files is reviewed. keeps only transitional compatibility wrappers for old operator entry points.
--- ---
@@ -105,20 +105,20 @@ explicit migration gate for live-affecting files is reviewed.
## Current State ## Current State
- Status: early extraction. - Status: active forge extraction.
- Implementation: repository contract, registry docs, initial operating - Implementation: repository contract, registry docs, initial operating
contracts, and read-only operator targets are present. contracts, deploy-capable Gitea files, and operator targets are present.
- Stability: emerging but non-disruptive; no deploy-capable Gitea state has - Stability: emerging but non-disruptive; files moved without any Helm deploy,
moved yet. SOPS decryption, or Kubernetes apply.
- Usage: canonical reference point for forge and registry responsibilities - Usage: canonical reference point for forge and registry responsibilities
currently transitioning out of `railiance-apps`. currently transitioning out of `railiance-apps`.
Known starting point: Known starting point:
- `railiance-apps` currently owns Gitea Helm values, registry overlays, ingress, - `railiance-forge` owns Gitea Helm values, registry overlays, ingress,
and deploy-capable Gitea Makefile targets. operating contracts, and deploy/status entry points.
- `railiance-forge` owns registry operation docs, operating contracts, and - `railiance-apps` keeps app release ownership and transitional compatibility
read-only status entry points. wrappers for old Gitea commands.
- `railiance-enablement` owns the intent for delivery templates and developer - `railiance-enablement` owns the intent for delivery templates and developer
paved paths, but not forge runtime operation. paved paths, but not forge runtime operation.
- `railiance-forge` should absorb forge runtime and artifact infrastructure - `railiance-forge` should absorb forge runtime and artifact infrastructure
@@ -154,8 +154,8 @@ Known starting point:
## Related / Overlapping ## Related / Overlapping
- `railiance-apps` - currently hosts Gitea deployment files and registry docs; - `railiance-apps` - consumes forge artifacts in S5 app releases and keeps
should become a consumer after extraction. transitional pointers/wrappers for old Gitea paths.
- `railiance-enablement` - owns reusable CI/CD templates, SDKs, buildpacks, and - `railiance-enablement` - owns reusable CI/CD templates, SDKs, buildpacks, and
developer portal paths. developer portal paths.
- `railiance-platform` - provides database, storage, backup, and runtime secret - `railiance-platform` - provides database, storage, backup, and runtime secret


@@ -2,18 +2,20 @@
Date: 2026-06-05 Date: 2026-06-05
This inventory covers forge-related assets currently visible in This inventory covers forge-related assets that were originally visible in
`/home/worsch/railiance-apps`. It supports `FORGE-WP-0001-T03` and the `/home/worsch/railiance-apps`. It supports `FORGE-WP-0001-T03` and the
coordinating `RAILIANCE-WP-0006` extraction plan. coordinating `RAILIANCE-WP-0006` extraction plan.
No files have been moved yet. This document assigns each candidate asset a Canonical docs and deploy-capable Gitea files have now moved into
target disposition for the first migration plan. `railiance-forge`. `railiance-apps` keeps compatibility pointers and wrappers
while app-release ownership remains there.
## Summary ## Summary
| Disposition | Meaning | | Disposition | Meaning |
|-------------|---------| |-------------|---------|
| Move | Canonical file should move to `railiance-forge`. | | Move | Canonical file should move to `railiance-forge`. |
| Moved | Canonical file has moved to `railiance-forge`. |
| Copy pointer | Copy canonical content to `railiance-forge`, leave a short pointer in `railiance-apps` temporarily. | | Copy pointer | Copy canonical content to `railiance-forge`, leave a short pointer in `railiance-apps` temporarily. |
| Leave | Keep in `railiance-apps`; it is S5 app-release surface. | | Leave | Keep in `railiance-apps`; it is S5 app-release surface. |
| Adapt | Keep local behavior, but update references after forge extraction. | | Adapt | Keep local behavior, but update references after forge extraction. |
@@ -23,21 +25,21 @@ target disposition for the first migration plan.
| Asset | Current role | Target disposition | Notes | | Asset | Current role | Target disposition | Notes |
|-------|--------------|--------------------|-------| |-------|--------------|--------------------|-------|
| `helm/gitea-values.sops.yaml` | SOPS-encrypted Gitea Helm values. | Move | Must preserve secret boundary; move without decrypting. | | `helm/gitea-values.sops.yaml` | SOPS-encrypted Gitea Helm values. | Moved | Now `railiance-forge/helm/gitea-values.sops.yaml`; moved without decrypting. |
| `helm/gitea-registry-values.yaml` | Non-secret overlay enabling Gitea package/container registry behavior. | Move | This is forge runtime config, not S5 app config. | | `helm/gitea-registry-values.yaml` | Non-secret overlay enabling Gitea package/container registry behavior. | Moved | Now `railiance-forge/helm/gitea-registry-values.yaml`. |
| `manifests/gitea-ingress.yaml` | Registry-facing Gitea ingress for `/v2`. | Move | Forge owns Gitea/registry exposure; cluster ingress primitives remain S2. | | `manifests/gitea-ingress.yaml` | Registry-facing Gitea ingress for `/v2`. | Moved | Now `railiance-forge/manifests/gitea-ingress.yaml`; labels left unchanged until next reviewed deploy. |
| `releases/gitea/values.yaml` | Legacy/plain Gitea release values reference. | Move or supersede | Likely keep only as historical migration reference if still useful. | | `releases/gitea/values.yaml` | Legacy/plain Gitea release values reference. | Moved | Now `railiance-forge/releases/gitea/values.yaml`; review before using as active deploy input. |
| `Makefile` variables `GITEA_*` | Gitea release/chart/value/ingress defaults. | Move | Recreate in `railiance-forge/Makefile`; remove from S5 after compatibility window. | | `Makefile` variables `GITEA_*` | Gitea release/chart/value/ingress defaults. | Moved | Forge owns canonical variables; apps keeps only release/name compatibility variables. |
| `make gitea-deploy` | Deploy/upgrade current Gitea release. | Move | Should become `railiance-forge` operator target. | | `make gitea-deploy` | Deploy/upgrade current Gitea release. | Moved | Forge owns target; apps delegates during compatibility window. |
| `make gitea-ingress-deploy` | Apply Gitea registry ingress. | Move | Should become `railiance-forge` operator target. | | `make gitea-ingress-deploy` | Apply Gitea registry ingress. | Moved | Forge owns target; apps delegates during compatibility window. |
| `make gitea-status` | Check Gitea pod/service/ingress and `gitea-db` status. | Move | Keep database status as consumer evidence; S3 still owns DB implementation. | | `make gitea-status` | Check Gitea pod/service/ingress and `gitea-db` status. | Moved | Forge owns target; apps delegates during compatibility window. |
## Copy With Compatibility Pointer ## Copy With Compatibility Pointer
| Asset | Current role | Target disposition | Notes | | Asset | Current role | Target disposition | Notes |
|-------|--------------|--------------------|-------| |-------|--------------|--------------------|-------|
| `docs/gitea-container-registry.md` | Canonical operator recipe for container registry host, auth, pull secrets, storage note. | Copy pointer | Copy to `railiance-forge/docs/`; leave S5 pointer for app consumers. | | `docs/gitea-container-registry.md` | Canonical operator recipe for container registry host, auth, pull secrets, storage note. | Moved | Forge doc is canonical; app-side file is a compatibility pointer. |
| `docs/gitea-package-registry.md` | Python package registry publishing/install recipe and `issue-core` handoff. | Copy pointer | Forge owns endpoint/registry posture; app/source repos own package release details. | | `docs/gitea-package-registry.md` | Python package registry publishing/install recipe and `issue-core` handoff. | Moved | Forge doc is canonical; app-side file is a compatibility pointer. |
| `workplans/RAIL-AP-WP-0001-gitea-container-registry.md` | Historical implementation evidence for enabling Gitea registry in S5. | Copy pointer or archive | Keep historical record in S5, but create forge follow-up for storage/retention/restore posture. | | `workplans/RAIL-AP-WP-0001-gitea-container-registry.md` | Historical implementation evidence for enabling Gitea registry in S5. | Copy pointer or archive | Keep historical record in S5, but create forge follow-up for storage/retention/restore posture. |
| `workplans/RAILIANCE-WP-0006-railiance-forge-extraction.md` | Cross-repo coordination plan. | Leave plus pointer | Remains in `railiance-apps` as extraction coordinator; forge work proceeds in `FORGE-WP-*`. | | `workplans/RAILIANCE-WP-0006-railiance-forge-extraction.md` | Cross-repo coordination plan. | Leave plus pointer | Remains in `railiance-apps` as extraction coordinator; forge work proceeds in `FORGE-WP-*`. |
@@ -67,7 +69,7 @@ target disposition for the first migration plan.
| `SCOPE.md` | Currently lists Gitea as S5-owned workload. | Adapt | After migration, describe forge as upstream release infrastructure. | | `SCOPE.md` | Currently lists Gitea as S5-owned workload. | Adapt | After migration, describe forge as upstream release infrastructure. |
| `INTENT.md` | Mentions Gitea/current forge as S5 workload/learning surface. | Adapt | Keep S5 intent but remove long-term forge ownership language. | | `INTENT.md` | Mentions Gitea/current forge as S5 workload/learning surface. | Adapt | Keep S5 intent but remove long-term forge ownership language. |
| `AGENTS.md` | Repo identity still says application Helm releases, Gitea, coulomb services. | Adapt | Update after Gitea files move. Also update task status examples to State Hub canon. | | `AGENTS.md` | Repo identity still says application Helm releases, Gitea, coulomb services. | Adapt | Update after Gitea files move. Also update task status examples to State Hub canon. |
| `Makefile` `SOPS_SENTINEL ?= $(GITEA_VALUES)` | `check-sops` currently validates Gitea SOPS values. | Adapt | Once Gitea values move, choose an S5 sentinel or make the check no-op when no SOPS file exists. | | `Makefile` `SOPS_SENTINEL` | `check-sops` validates the forge-owned Gitea SOPS sentinel for compatibility. | Adapted | Apps points at `/home/worsch/railiance-forge/helm/gitea-values.sops.yaml`. |
| `tools/check-sops.sh` | Generic SOPS sentinel check. | Leave/adapt | Useful beyond forge, but current default must change after move. | | `tools/check-sops.sh` | Generic SOPS sentinel check. | Leave/adapt | Useful beyond forge, but current default must change after move. |
| `.custodian-brief.md` | Generated State Hub brief. | Generated | Do not edit manually; consistency sync updates it. | | `.custodian-brief.md` | Generated State Hub brief. | Generated | Do not edit manually; consistency sync updates it. |
@@ -82,21 +84,20 @@ target disposition for the first migration plan.
## First Safe Move Candidate ## First Safe Move Candidate
The first migration should avoid live service changes and move documentation The first migration avoided live service changes and moved documentation before
before deployment configuration: deployment configuration:
1. Copy `docs/gitea-container-registry.md` and 1. Copy `docs/gitea-container-registry.md` and
`docs/gitea-package-registry.md` into `railiance-forge/docs/`. `docs/gitea-package-registry.md` into `railiance-forge/docs/`.
2. Replace the originals in `railiance-apps` with short compatibility pointers. 2. Replace the originals in `railiance-apps` with short compatibility pointers.
3. Add a `railiance-forge/Makefile` with read-only/status targets first. 3. Add a `railiance-forge/Makefile` with read-only/status targets first.
4. Move deploy-capable Gitea targets only after the operator path is reviewed. 4. Move deploy-capable Gitea targets only after the operator path is reviewed.
5. Keep app-side compatibility wrappers until operators have switched.
This gives operators a new canonical forge home while keeping current S5 app This gives operators a canonical forge home while keeping current S5 app
runbooks discoverable. runbooks discoverable.
## Remote Creation Note ## Remote Creation Note
Creating `coulomb/railiance-forge` on the current Gitea instance is blocked: `coulomb/railiance-forge` now exists and the local repo is pushed to
the configured `tea` login `coulomb` exists, but the stored token is invalid as `gitea-remote:coulomb/railiance-forge.git`.
of 2026-06-05. The local repo is initialized and State Hub-registered, but
`origin` should not be added until the remote repository exists.


@@ -2,8 +2,8 @@
Date: 2026-06-05 Date: 2026-06-05
Status: ready for operator review. No deploy-capable files have been moved by Status: executed as a file ownership move. No live Helm deploy, SOPS
this review, and no live cluster command is authorized by this document. decryption, or Kubernetes apply was run.
## Goal ## Goal
@@ -15,13 +15,13 @@ breaking operator muscle memory.
| Current path in `railiance-apps` | Sensitivity | Proposed target | Action | | Current path in `railiance-apps` | Sensitivity | Proposed target | Action |
|---|---:|---|---| |---|---:|---|---|
| `helm/gitea-values.sops.yaml` | SOPS-encrypted | `railiance-forge/helm/gitea-values.sops.yaml` | Move after confirming SOPS age access still works from the new repo. Do not decrypt into Git. | | `helm/gitea-values.sops.yaml` | SOPS-encrypted | `railiance-forge/helm/gitea-values.sops.yaml` | Moved without decrypting. |
| `helm/gitea-registry-values.yaml` | Non-secret | `railiance-forge/helm/gitea-registry-values.yaml` | Move with the registry docs. | | `helm/gitea-registry-values.yaml` | Non-secret | `railiance-forge/helm/gitea-registry-values.yaml` | Moved. |
| `manifests/gitea-ingress.yaml` | Non-secret | `railiance-forge/manifests/gitea-ingress.yaml` | Move and update ownership labels from `railiance-apps` to `railiance-forge` if desired. | | `manifests/gitea-ingress.yaml` | Non-secret | `railiance-forge/manifests/gitea-ingress.yaml` | Moved without live apply. |
| `releases/gitea/values.yaml` | Plaintext legacy/operator values | `railiance-forge/releases/gitea/values.yaml` or archive | Review before moving; it contains old CoulombCore-era chart notes and a placeholder password comment. | | `releases/gitea/values.yaml` | Plaintext legacy/operator values | `railiance-forge/releases/gitea/values.yaml` | Moved as legacy evidence; review before use as active deploy input. |
| `make gitea-deploy` | Deploy-capable | `railiance-forge/Makefile` | Move only after app-side compatibility target is ready. | | `make gitea-deploy` | Deploy-capable | `railiance-forge/Makefile` | Moved; app-side target delegates. |
| `make gitea-ingress-deploy` | Deploy-capable | `railiance-forge/Makefile` | Move only after app-side compatibility target is ready. | | `make gitea-ingress-deploy` | Deploy-capable | `railiance-forge/Makefile` | Moved; app-side target delegates. |
| `make gitea-status` | Read-only | `railiance-forge/Makefile` | Already introduced as read-only target. | | `make gitea-status` | Read-only | `railiance-forge/Makefile` | Moved; app-side target delegates. |
## Proposed Target Layout ## Proposed Target Layout
@@ -98,14 +98,15 @@ the transition:
- `make gitea-deploy` and `make gitea-ingress-deploy` should either delegate to - `make gitea-deploy` and `make gitea-ingress-deploy` should either delegate to
forge or fail with a clear message that deploy ownership has moved. forge or fail with a clear message that deploy ownership has moved.
## Resolved During Move
- `releases/gitea/values.yaml` moved as legacy evidence, not as the preferred
active deploy input.
- `manifests/gitea-ingress.yaml` labels were left unchanged to avoid mixing the
file move with a live-facing manifest semantic change.
- The SOPS sentinel in forge points at `helm/gitea-values.sops.yaml`.
## Open Questions ## Open Questions
- Should `releases/gitea/values.yaml` move as an active file or be archived as
legacy evidence?
- Should `manifests/gitea-ingress.yaml` labels change from
`app.kubernetes.io/part-of: railiance-apps` to `railiance-forge` during the
move, or stay stable until the next deploy?
- Should the SOPS sentinel in forge point at `helm/gitea-values.sops.yaml` once
that file moves?
- What restore-drill evidence is required before package data becomes - What restore-drill evidence is required before package data becomes
production-critical? production-critical?


@@ -2,14 +2,15 @@
Date: 2026-06-05 Date: 2026-06-05
Status: Phase 1 is underway. The remote repository exists and is pushed, so the Status: Phases 1 through 3 are complete as file ownership moves. No live Helm
earlier Gitea API blocker no longer applies. deploy, SOPS decryption, or Kubernetes apply was run.
This plan starts the extraction of forge ownership from `railiance-apps` into This plan starts the extraction of forge ownership from `railiance-apps` into
`railiance-forge` without changing the live Gitea deployment. `railiance-forge` without changing the live Gitea deployment.
The rule for the first migration is simple: move knowledge and read-only The rule for the first migration is simple: move knowledge and read-only
operator entry points before moving deploy-capable configuration. operator entry points before moving deploy-capable configuration. That sequence
has now been followed.
## Goals ## Goals
@@ -63,18 +64,18 @@ Initial `railiance-forge/Makefile` targets:
- `check-tools`: minimal local tool check for `kubectl`, `helm`, `sops`, and - `check-tools`: minimal local tool check for `kubectl`, `helm`, `sops`, and
optional `tea`. optional `tea`.
Do not add `gitea-deploy` in this phase. `gitea-deploy` was intentionally deferred until Phase 3.
Validation: Validation:
- Targets are read-only. - Targets are read-only.
- Targets either succeed or fail with clear missing-tool messages. - Targets either succeed or fail with clear missing-tool messages.
- `railiance-apps` still owns deploy-capable Gitea targets during the - `railiance-apps` still has compatibility wrappers during the transition.
transition.
## Phase 3 - Deploy-Capable Target Review ## Phase 3 - Deploy-Capable Target Review
Move deploy-capable Gitea ownership only after Phase 1 and Phase 2 are reviewed. Move deploy-capable Gitea ownership only after Phase 1 and Phase 2 are reviewed.
This is now complete as a file move.
Candidate moves: Candidate moves:
@@ -123,5 +124,5 @@ aligned with `origin/main`.
## Next Recommended Action ## Next Recommended Action
Complete Phase 1 documentation canonicalization and Phase 2 read-only operator Complete Phase 4 S5 scope cleanup and decide when compatibility wrappers in
targets, then review the deploy-capable Gitea file move separately. `railiance-apps` can be retired.


@@ -1,8 +1,8 @@
# Gitea Container Registry # Gitea Container Registry
This is the canonical Railiance operating note for the current Gitea container This is the canonical Railiance operating note for the current Gitea container
registry. Compatibility pointers remain in `railiance-apps` while deploy-capable registry. Compatibility pointers remain in `railiance-apps`; deploy-capable
Gitea Helm and manifest files still live there. Gitea Helm and manifest files now live in this repo.
## Registry Target ## Registry Target
@@ -10,12 +10,11 @@ Use `gitea.coulomb.social` as the approved registry host. The `/v2` ingress is
live as of 2026-05-15 and returns the OCI registry authentication challenge over live as of 2026-05-15 and returns the OCI registry authentication challenge over
HTTPS. HTTPS.
Registry-specific Gitea settings are currently carried in Registry-specific Gitea settings are carried in
`/home/worsch/railiance-apps/helm/gitea-registry-values.yaml`, a non-secret `helm/gitea-registry-values.yaml`, a non-secret overlay applied after the SOPS
overlay applied after the SOPS values file by `make gitea-deploy`. It explicitly values file by `make gitea-deploy`. It explicitly enables packages, permits
enables packages, permits container and PyPI uploads without an app-level size container and PyPI uploads without an app-level size cap, clears globally
cap, clears globally disabled repo units, and moves `ROOT_URL` to the HTTPS disabled repo units, and moves `ROOT_URL` to the HTTPS host.
host.
Image names should use the Gitea owner and package path: Image names should use the Gitea owner and package path:


@@ -1,13 +1,12 @@
# Gitea Package Registry # Gitea Package Registry
This is the canonical Railiance operating note for the current Gitea Python This is the canonical Railiance operating note for the current Gitea Python
package registry. Compatibility pointers remain in `railiance-apps` while package registry. Compatibility pointers remain in `railiance-apps`;
deploy-capable Gitea Helm and manifest files still live there. deploy-capable Gitea Helm and manifest files now live in this repo.
Gitea package support is enabled by Gitea package support is enabled by `helm/gitea-registry-values.yaml`. That
`/home/worsch/railiance-apps/helm/gitea-registry-values.yaml`. That overlay is overlay is applied after the encrypted base values by `make gitea-deploy` and
applied after the encrypted base values by `make gitea-deploy` and enables both enables both container packages and Python packages.
container packages and Python packages.
## Python Packages ## Python Packages


@@ -0,0 +1,11 @@
# Non-secret Gitea registry settings layered after the SOPS values file.
gitea:
config:
packages:
ENABLED: true
LIMIT_SIZE_CONTAINER: -1
LIMIT_SIZE_PYPI: -1
repository:
DISABLED_REPO_UNITS: ""
server:
ROOT_URL: "https://gitea.coulomb.social/"
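Review bot: `LIMIT_SIZE_CONTAINER: -1` and `LIMIT_SIZE_PYPI: -1` remove the app-level upload cap for every package publisher, and `DISABLED_REPO_UNITS: ""` re-enables all repo units, yet the file's only comment describes layering order, not why these limits are lifted. Since the inventory in this same commit defers the storage/retention/restore posture to a forge follow-up, the overlay should say that the cap is intentionally absent and where the quota question is tracked. Suggested key comments: `# -1 disables Gitea's per-upload size cap; storage quota and retention are tracked in the forge follow-up` on the two `LIMIT_SIZE_*` keys and `# empty string clears globally disabled repo units` on `DISABLED_REPO_UNITS`.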


@@ -0,0 +1,58 @@
#ENC[AES256_GCM,data:jLG3K9KRtV7zKrLfJ0J42LAc17nX8UKbB2KWJSXZPFQ+5cZjA3RFbQ==,iv:Ync2fzES+Oj1L/yfSLxInef5IgQWpJdK9Wd8fTLinSU=,tag:gHEiHLzOI1eiuAhntcCU2A==,type:comment]
#ENC[AES256_GCM,data:z6zvj2FcfFTmf7D8ZgbW8Wi68s4O,iv:kwaB3n64IQR4slfLFnQqjtQO9oxm5MkVqvtt53BArqc=,tag:ftjV1jtGa57QSpLOJGGDqA==,type:comment]
#ENC[AES256_GCM,data:ty8rXwAdeJjr7wA0hXpdDOmpPVaqnCavzzO6/RI9SYpcQ3pnIsBxmIpcdx6hqbkH,iv:YDYrEMvrKX0sGIPIBYbJUdOcPwx84CFQQSmR8+QIZuA=,tag:P/0IbdxCxofZPn+OlSLU0Q==,type:comment]
#ENC[AES256_GCM,data:2LqlFLbhpKrQH0r6RrgECOpxD74+zK7Ksl26BEhsKukOYBzk8sAfHkRcH2G7Ndk/cgCJjD7Ndk7ogh1d,iv:Z7ueOEVthvm/peyDAT4XpuIvl4if346iitWne7/1HFs=,tag:ziXDL/9d00jGGxOJtK5C8Q==,type:comment]
#
#ENC[AES256_GCM,data:G6Jzdr5V/IKyvcG3j6lmD1N6i1vYrOnYWLAQ1e/gnctgMufKqcW7kJA9Cdj7Vw==,iv:093mO8+QElI5tqs6DgTJiO71OLAppbxvGafmpXlt6G0=,tag:MRzd9UupZkdsk3DRKKbp0g==,type:comment]
#ENC[AES256_GCM,data:DHEo5mRMm0hiEAR++0uJdnmMuZFuecKXfl0rrYeQxNWRAUqgjL8+y0E97Q==,iv:qh7rewpXW0XEe1wLM8nTipByShnG2SO9UGVXgm3Gcd4=,tag:FfC/iiBnaqnP5gZiYmBomA==,type:comment]
#ENC[AES256_GCM,data:7nU7Z8dZ2JP+WfTIBcc4zoEZUaaqyOiip/Vn/txJm7Eetc9mso7JGKTHSkXV/a9Kqp96yZG6mEaXoh0jFQfmX1ItJOAq6uUtUav0I76FK2coQ2lnTTpPt5LzRWH3Gw==,iv:p7/MR5adZt48uJtpuLHnydcy7af6YOcjRj9Mgknc8aw=,tag:gqvosX3nSHsDLR0E6BJ9MA==,type:comment]
gitea:
config:
server:
DOMAIN: ENC[AES256_GCM,data:PxKHJeRtHMJFvQMpDl+VFSNcRv4=,iv:L1UtCaBrEoRlyJH36Yd55b7WFhTZMUTYAP6knC6Qfxc=,tag:hFton+zOgXPF+gCzqNEKyQ==,type:str]
ROOT_URL: ENC[AES256_GCM,data:tDJQG/468fYtXlyKGcl43bmMALvlEJhgxM4/,iv:4u4WzQbZZ1utshFrdtTXmxYMHSX9Mei5rq1I+z8iwpY=,tag:ibrCAk7esdOArFrhB4Qi3w==,type:str]
SSH_DOMAIN: ENC[AES256_GCM,data:bz41+PZAvGMoJPcNPpSMPfi5L5A=,iv:qG78QHcxFgxmgv+hOcAR3JadM5fL4euBtXk392ILI7A=,tag:M23NRlCTxcAchTfE8S5nKg==,type:str]
database:
DB_TYPE: ENC[AES256_GCM,data:A9DE1lAHDLQ=,iv:BJz5BmhvZBNmZ/wL/f/160tNFUN1QOS+cj4jmCrxILA=,tag:D8XHegqVEOYTtMScKoRkeg==,type:str]
HOST: ENC[AES256_GCM,data:eWWPMjljR4EY63qUmXvtS5VW7evpP261nOCiLljy79Ft+j8pwkAnEA2+iaY=,iv:cJIB2SbEIA+BeAViwJZNP+eOhTP1Y3vFgN8JKGUKQWE=,tag:Ej1YhpzuNcJXy9jbg8LnIw==,type:str]
NAME: ENC[AES256_GCM,data:8Zp5FNs=,iv:qhrWkp15Oy0SsCiJvGsUBg4vv6X0ez2x2NWqk3XUsno=,tag:4qj1XQf8vHkDGynjUa9JVg==,type:str]
USER: ENC[AES256_GCM,data:m4Ln0J8=,iv:BmNO265BQVtTCIIF/T5fbNRZBEPZz8tPSeam7ToVSAM=,tag:Lwr7AxxckJ3B/Ff4l+FNIg==,type:str]
PASSWD: ENC[AES256_GCM,data:tIKMvA4=,iv:FxnmkHazpThExFgsRqeMfFQhTbhPH6+o0fK9xURwqBs=,tag:1mohGBT+ynExzUoM3CtU5Q==,type:str]
SSL_MODE: ENC[AES256_GCM,data:MHrNNVnCUw==,iv:V5voIFrtJicropHf5FpTWlq6Gk+Vvw1z7ax24fAzcAU=,tag:/DoDYoBb/tv9egi1lJ7xdw==,type:str]
cache:
ADAPTER: ENC[AES256_GCM,data:mFEneE8=,iv:fwJm8bK1QH8WoVbFa2oCRQivdVkw0RjPVFNPc5Ecn5U=,tag:XhgsZmHoaReE43JJb9XdGw==,type:str]
HOST: ENC[AES256_GCM,data:0dx6Jh8lf/VWCEUMCi48oJdB0Yfkrk0zkkyVI9pRJeUV3y6XRZnTYP/e0zTXxhMfXS3bNnGqacZSelgVy4jc7pl354iU94EcIz1Rh2x3bs0W18rzMy5ATuOhdhnlY/Ly1BSWwPkldEPTSw==,iv:cyAPLzWPOeJo7LDXaw27in4IblZxcR3pVXPegqV9Vp4=,tag:UYSmXMDDkPWXE3fO+z6MiA==,type:str]
session:
PROVIDER: ENC[AES256_GCM,data:I/43BCQ=,iv:IHbcRbE8C8g8h5sTOyKqUafEVZ6QJuLo71j69Z49AIw=,tag:oiz4f/BF827YbH5jJKp8uQ==,type:str]
PROVIDER_CONFIG: ENC[AES256_GCM,data:2Qu3Fd7Fov5Qw/E/YXwvynwojFwZpWyOvlvKmRs03Ir8usjlRctRCvfcmW3g8EolkY2xQhmZzd9All/33nJMetA1bZ0MAU5ct5U1tkxiOBEcrruix8WzuokQi+5cPxTfu0bHZYDvrtlpIQ==,iv:3xDoJeUa5OLN9dGJEIqIK2SN9bVZE9Gf2sP1rOYyzEk=,tag:D+9iPT+YYxOOOZckqO+KbQ==,type:str]
queue:
TYPE: ENC[AES256_GCM,data:lk3WVMg=,iv:vy2hD1xZf123IwqWbI3a9cI1GUmMpOc+Klw80seQj44=,tag:Y2WkIaCszv201aV7NRPPtw==,type:str]
CONN_STR: ENC[AES256_GCM,data:/vl9QR4MYnGngiIhXT2bum1rWXZwNz/FyqfWG8QmdKrpNE+vquXWACFiTWhH9Hf8g+OUWzaOqZqn+ph8yZNHFaZqzBNZPyGyyVk7sU1SeUs0iUhPf29/jQGRFHOxxFSx/2FIVVblMhtA7A==,iv:WUx7iG2LqxdoPDNDbhk/tVhRWqgIXjCePMHOM4SpicU=,tag:Xnk7qomvqys2APA4t5Vf9A==,type:str]
postgresql-ha:
enabled: ENC[AES256_GCM,data:f0h+GvU=,iv:RDIU37NlWBC1KE3eFSZJxiAkudEIgtwLAicfOcYDcVI=,tag:7GlCCxpNXjyP/tuwG+aA6A==,type:bool]
postgresql:
enabled: ENC[AES256_GCM,data:P4WyaR0=,iv:iIiB5j0ZJrizO1LTzGUp1u1i+8L8AispkEUT2sr1gws=,tag:HqNdr1rPSgb8xAv7jhL1UA==,type:bool]
redis-cluster:
enabled: ENC[AES256_GCM,data:7h2ZNb0=,iv:qOWCgiCfnbv79EddfSNbBKT/q8JB24gMKfmlEX0g++U=,tag:iNW/PRCqRBX2oPop1ERALg==,type:bool]
valkey-cluster:
enabled: ENC[AES256_GCM,data:9ffS+Mo=,iv:GVVBb/JN1Zzj4h6j0jVpoMMHnkFpsJdr5VgSpUXhmUY=,tag:N9vypan+ueWk+RcpL5K6Fw==,type:bool]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbHdUNmpkaFozVDJMY2tG
TlVBeUJNSlJPcTR5aXhVMkN1MUVLMHJ3NXdVClhkdDhGVTJ6NEdWeGVHeEo2SkZB
aldWZ25kK3JDcWxsL0Q2c3BYbGI2c2cKLS0tIDU5bEdxTjVvKzlSUlpIZGhRMS9Q
MnNPMnl0SEc3NVRvVHJhNW53aWxiWTAK2TIz10Md0eNyTzpuxml1CDvCW9Cq6gEt
8zHyWNA1LayXct2mvcgVmMWyO8+nl7ZIaqhZHGNzC0cLaOqwD2o4bQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-27T09:02:37Z"
mac: ENC[AES256_GCM,data:a1pdWiw64d16D1IFRd8PskvOsjAP6YFBzGZICfaN4ABHiQfNeIrSfeYxtvF6SwfK2bXxIfEcvC2Ofl6VKQtXwftmu1jruZeXSGtpAybwsVx8XPxmJNWKJwpfQaSUoE+/Wg1nmpJYBVUPDhVUwnGumnYQB+sXLdrMQD24HjbT4Zc=,iv:ETirgEDjX4aWNLVe1n86jsU2ShdWY728YMgBkMl4JSE=,tag:jX052pHamAbdaB8wJbYaSA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0
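Review bot: The file lists a single `age` recipient and no other key backend, and none of the 13 files in this commit is a `.sops.yaml` creation rule, so unless `railiance-forge` already carries one, `sops` edits or `sops updatekeys` in the new repo will not know which recipient to encrypt to. The move review's own condition, "Move after confirming SOPS age access still works from the new repo", is only half-covered by the new `check-sops` target, which proves decryption but says nothing about re-encryption policy. Recommend adding a `.sops.yaml` in the forge repo with a `creation_rules` entry whose `path_regex` matches `helm/.*\.sops\.yaml` and whose `age` field names this recipient, before the next edit to these values.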


@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea
namespace: default
labels:
app.kubernetes.io/name: gitea
app.kubernetes.io/instance: gitea
app.kubernetes.io/part-of: railiance-apps
railiance/component: gitea-registry
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
ingressClassName: traefik
rules:
- host: gitea.coulomb.social
http:
paths:
- path: /v2
pathType: Prefix
backend:
service:
name: gitea
port:
number: 3000
tls:
- hosts:
- gitea.coulomb.social
secretName: gitea-tls
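Review bot: `namespace: default` is fixed in the manifest while the Makefile's `gitea-ingress-deploy` applies it with no namespace flag and the Helm release honours `GITEA_NAMESPACE ?= default`, so overriding `GITEA_NAMESPACE` (or `GITEA_RELEASE`) moves the pods and service but leaves this Ingress and its `backend.service.name: gitea` pointing at the old namespace and name. That coupling is invisible from either file on its own; a comment on the metadata block would make it explicit: `# namespace and backend service name must match GITEA_NAMESPACE / GITEA_RELEASE in the Makefile; not parameterised`. The `app.kubernetes.io/part-of: railiance-apps` label is already recorded as deliberately unchanged in the move review, so no change is needed there.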


@@ -0,0 +1,20 @@
# Gitea Helm values — COULOMBCORE cluster
# Chart: gitea/gitea version: 12.5.0
# Release name: gitea namespace: default
#
# Applied via:
# helm upgrade gitea gitea/gitea --version 12.5.0 -n default -f releases/gitea/values.yaml
postgresql-ha:
pgpool:
adminPassword: changeme4 # TODO: move to sealed secret / external secret
# Right-sized for single-node COULOMBCORE (2 vCPU budget is tight).
# Default was 250m request which caused scheduling failures — see INC-001.
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 200m
memory: 384Mi
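Review bot: `adminPassword: changeme4` is a plaintext pgpool credential in a file whose own header says it was applied with `helm upgrade`, whereas the move review describes it only as a "placeholder password comment"; if this value was ever live it should be treated as exposed and rotated, and since the file is kept as legacy evidence rather than deploy input, the value itself can be replaced with an obvious stand-in such as `adminPassword: "<redacted-legacy-value>"`. The header also pins `gitea/gitea` 12.5.0 while the new Makefile deploys `gitea-charts/gitea` unpinned, so a line at the top stating the file's status would stop it being picked up as current, e.g. `# LEGACY EVIDENCE ONLY - active values are helm/gitea-values.sops.yaml plus helm/gitea-registry-values.yaml via make gitea-deploy`. The hunk header announces 20 added lines but 18 are shown, so the file likely has blank lines the rendering dropped.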


@@ -4,7 +4,7 @@ type: workplan
title: "Canonical registry docs and read-only forge operations" title: "Canonical registry docs and read-only forge operations"
domain: railiance domain: railiance
repo: railiance-forge repo: railiance-forge
status: active status: finished
owner: codex owner: codex
topic_slug: railiance topic_slug: railiance
planning_priority: high planning_priority: high
@@ -105,7 +105,7 @@ competing canonical sources.
```task ```task
id: FORGE-WP-0002-T05 id: FORGE-WP-0002-T05
status: todo status: done
priority: high priority: high
state_hub_task_id: "6f6fc3a4-a883-4803-84e7-2700629d397a" state_hub_task_id: "6f6fc3a4-a883-4803-84e7-2700629d397a"
``` ```
@@ -115,3 +115,8 @@ After operator review, move deploy-capable Gitea files and commands into
Done when `railiance-forge` owns Gitea deploy/status/ingress commands and Done when `railiance-forge` owns Gitea deploy/status/ingress commands and
`railiance-apps` no longer carries live forge deployment files as S5 scope. `railiance-apps` no longer carries live forge deployment files as S5 scope.
Completed on 2026-06-05. The Gitea SOPS values, registry overlay, ingress
manifest, legacy release values, and deploy/status Makefile targets now live in
`railiance-forge`. `railiance-apps` keeps compatibility wrappers only. No live
deploy, SOPS decryption, or Kubernetes apply was run.