Standardize public Gitea HTTPS endpoint

Makefile

@@ -84,7 +84,7 @@ gitea-deploy: ## Deploy / upgrade current Gitea forge runtime
 		-f $(GITEA_REGISTRY_VALUES) \
 		--namespace $(GITEA_NAMESPACE) --create-namespace
 
-gitea-ingress-deploy: ## Apply the Gitea OCI registry ingress
+gitea-ingress-deploy: ## Apply the public Gitea HTTPS ingress
 	kubectl apply -f $(GITEA_INGRESS)
 
 gitea-status: ## Read-only status for current Gitea runtime and database

SCOPE.md

@@ -3,7 +3,7 @@
 This file defines what `railiance-forge` owns, when to use it, and where its
 boundaries stop.
 
-Last reviewed: 2026-06-05
+Last reviewed: 2026-06-13
 
 ---
 
@@ -116,15 +116,15 @@ The Fabric graph declarations for forge capabilities and edges live in
 - Status: active forge extraction.
 - Implementation: repository contract, registry docs, initial operating
   contracts, deploy-capable Gitea files, and operator targets are present.
-- Stability: emerging but non-disruptive; files moved without any Helm deploy,
-  SOPS decryption, or Kubernetes apply.
+- Stability: emerging but now live-facing; forge owns the reviewed public
+  Gitea HTTPS ingress for the web UI, package registry, and OCI registry.
 - Usage: canonical reference point for forge and registry responsibilities
   currently transitioning out of `railiance-apps`.
 
 Known starting point:
 
-- `railiance-forge` owns Gitea Helm values, registry overlays, ingress,
-  operating contracts, and deploy/status entry points.
+- `railiance-forge` owns Gitea Helm values, registry overlays, public HTTPS
+  ingress, operating contracts, and deploy/status entry points.
 - `railiance-apps` keeps app release ownership and transitional compatibility
   wrappers for old Gitea commands.
 - `railiance-enablement` owns the intent for delivery templates and developer

docs/current-forge-asset-inventory.md

@@ -27,11 +27,11 @@ while app-release ownership remains there.
 |-------|--------------|--------------------|-------|
 | `helm/gitea-values.sops.yaml` | SOPS-encrypted Gitea Helm values. | Moved | Now `railiance-forge/helm/gitea-values.sops.yaml`; moved without decrypting. |
 | `helm/gitea-registry-values.yaml` | Non-secret overlay enabling Gitea package/container registry behavior. | Moved | Now `railiance-forge/helm/gitea-registry-values.yaml`. |
-| `manifests/gitea-ingress.yaml` | Registry-facing Gitea ingress for `/v2`. | Moved | Now `railiance-forge/manifests/gitea-ingress.yaml`; labels left unchanged until next reviewed deploy. |
+| `manifests/gitea-ingress.yaml` | Public Gitea HTTPS ingress for `/`, `/api/packages`, and `/v2`. | Moved | Now `railiance-forge/manifests/gitea-ingress.yaml`; labels reconciled to forge ownership during the reviewed public-root deploy. |
 | `releases/gitea/values.yaml` | Legacy/plain Gitea release values reference. | Moved | Now `railiance-forge/releases/gitea/values.yaml`; review before using as active deploy input. |
 | `Makefile` variables `GITEA_*` | Gitea release/chart/value/ingress defaults. | Moved | Forge owns canonical variables; apps keeps only release/name compatibility variables. |
 | `make gitea-deploy` | Deploy/upgrade current Gitea release. | Moved | Forge owns target; apps delegates during compatibility window. |
-| `make gitea-ingress-deploy` | Apply Gitea registry ingress. | Moved | Forge owns target; apps delegates during compatibility window. |
+| `make gitea-ingress-deploy` | Apply public Gitea HTTPS ingress. | Moved | Forge owns target; apps delegates during compatibility window. |
 | `make gitea-status` | Check Gitea pod/service/ingress and `gitea-db` status. | Moved | Forge owns target; apps delegates during compatibility window. |
 
 ## Copy With Compatibility Pointer

docs/gitea-actions-runner-evidence.md

@@ -29,6 +29,10 @@ Collected from `/home/worsch/railiance-forge` on 2026-06-07.
 
 Public endpoint checks from this environment:
 
+Historical note: the root/API `404` results below were collected before
+`FORGE-WP-0004` made `https://gitea.coulomb.social/` the standard public Gitea
+web endpoint on 2026-06-13.
+
 | Endpoint | Result | Interpretation |
 | --- | --- | --- |
 | `https://gitea.coulomb.social/` | HTTP `404` | Public root route is not a useful Gitea web health signal here. |

docs/gitea-container-registry.md

@@ -6,15 +6,16 @@ Gitea Helm and manifest files now live in this repo.
 
 ## Registry Target
 
-Use `gitea.coulomb.social` as the approved registry host. The `/v2` ingress is
-live as of 2026-05-15 and returns the OCI registry authentication challenge over
-HTTPS.
+Use `gitea.coulomb.social` as the approved forge and registry host. The public
+ingress serves the Gitea web route at `https://gitea.coulomb.social/`, the OCI
+registry route at `/v2`, and the Python package route at `/api/packages`. The
+`/v2` route returns the OCI registry authentication challenge over HTTPS.
 
 Registry-specific Gitea settings are carried in
 `helm/gitea-registry-values.yaml`, a non-secret overlay applied after the SOPS
 values file by `make gitea-deploy`. It explicitly enables packages, permits
 container and PyPI uploads without an app-level size cap, clears globally
-disabled repo units, and moves `ROOT_URL` to the HTTPS host.
+disabled repo units, and keeps `ROOT_URL` on the HTTPS host.
 
 Image names should use the Gitea owner and package path:
 

docs/gitea-package-registry.md

@@ -8,14 +8,15 @@ Gitea package support is enabled by `helm/gitea-registry-values.yaml`. That
 overlay is applied after the encrypted base values by `make gitea-deploy` and
 enables both container packages and Python packages.
 
-The public ingress intentionally exposes `/api/packages` and `/v2` only. The
-package route is required for Python package upload and install traffic; the
-general Gitea web UI and API remain outside this ingress manifest.
+The public ingress exposes the Gitea web route at
+`https://gitea.coulomb.social/`, the Python package route at `/api/packages`,
+and the OCI registry route at `/v2`. The standard endpoint is HTTPS; if package
+simple-index pages render `http://gitea.coulomb.social/...` artifact links,
+reconcile the Gitea Helm release with `helm/gitea-registry-values.yaml` so
+`ROOT_URL` is restored to the HTTPS host.
 
-The live simple-index pages currently render package artifact links with
-`http://gitea.coulomb.social/...`. `uv lock` and clean `pip install` checks work
-against the public package route, but the next Gitea config reconciliation
-should align `ROOT_URL` with the HTTPS package endpoint.
+Status on 2026-06-13: the root web route returns `200`, live `ROOT_URL` is
+`https://gitea.coulomb.social/`, and package artifact links render HTTPS URLs.
 
 ## Python Packages
 

docs/observability-operating-evidence.md

@@ -1,6 +1,6 @@
 # Forge Observability And Operating Evidence
 
-Last reviewed: 2026-06-07
+Last reviewed: 2026-06-13
 
 Status: contract v1. This document defines checks, evidence, and future
 monitoring expectations. It does not authorize a live monitoring deployment,
@@ -44,7 +44,7 @@ Railiance cluster.
 Additional checks should stay read-only:
 
 ```bash
-# Web/API health: expect HTTP 200/3xx for the web route, not 5xx.
+# Web/API health: expect HTTP 200/3xx for the web route, not 404/5xx.
 curl -fsSI https://gitea.coulomb.social/
 curl -fsS https://gitea.coulomb.social/api/v1/version
 

manifests/gitea-ingress.yaml

@@ -6,8 +6,8 @@ metadata:
   labels:
     app.kubernetes.io/name: gitea
     app.kubernetes.io/instance: gitea
-    app.kubernetes.io/part-of: railiance-apps
-    railiance/component: gitea-registry
+    app.kubernetes.io/part-of: railiance-forge
+    railiance/component: gitea-public-endpoint
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
@@ -30,6 +30,13 @@ spec:
                 name: gitea
                 port:
                   number: 3000
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: gitea
+                port:
+                  number: 3000
   tls:
     - hosts:
         - gitea.coulomb.social

workplans/FORGE-WP-0004-public-gitea-root-endpoint.md

@@ -0,0 +1,116 @@
+---
+id: FORGE-WP-0004
+type: workplan
+title: "Standard public Gitea HTTPS root endpoint"
+domain: railiance
+repo: railiance-forge
+status: finished
+owner: codex
+topic_slug: railiance
+planning_priority: high
+created: "2026-06-13"
+updated: "2026-06-13"
+state_hub_workstream_id: "10a11cbb-9c2b-496b-af6a-dc934aeee68b"
+---
+
+# Standard public Gitea HTTPS root endpoint
+
+## Context
+
+Before this workplan, `https://gitea.coulomb.social/` returned `404` because
+the forge-owned ingress only routed package and OCI registry paths. The Helm
+overlay already declared `ROOT_URL: "https://gitea.coulomb.social/"`, so the
+deployment standard now makes the public Gitea web route, Python package route,
+and OCI registry route part of the same forge-owned endpoint contract.
+
+## T01 - Set the public endpoint contract
+
+```task
+id: FORGE-WP-0004-T01
+status: done
+priority: high
+state_hub_task_id: "f0125038-cf5b-4c8b-a90f-c3f3bedfc386"
+```
+
+Define the standard public Gitea endpoint as:
+
+- `https://gitea.coulomb.social/` for the web UI and normal Gitea web/API
+  routes;
+- `https://gitea.coulomb.social/api/packages/...` for package publication and
+  installation;
+- `https://gitea.coulomb.social/v2/` for OCI registry clients.
+
+This explicitly supersedes the temporary registry-only ingress posture.
+
+## T02 - Update forge-owned deployment files
+
+```task
+id: FORGE-WP-0004-T02
+status: done
+priority: high
+state_hub_task_id: "225707ce-10b5-41e3-809d-55f4b3a52c80"
+```
+
+Add a `/` catch-all path to `manifests/gitea-ingress.yaml`, keep the explicit
+`/api/packages` and `/v2` paths visible for operator clarity, and reconcile the
+ingress labels from the earlier `railiance-apps` extraction to
+`railiance-forge` ownership.
+
+Done when the manifest and operator docs describe the root web endpoint as the
+standard deployment shape.
+
+Completed on 2026-06-13. The ingress manifest now routes `/`, `/api/packages`,
+and `/v2` to the Gitea service, and the ingress labels identify
+`railiance-forge` ownership. Forge docs and operator target wording now describe
+the public endpoint as web, package, and OCI registry surface rather than a
+registry-only ingress.
+
+## T03 - Apply and verify the live endpoint
+
+```task
+id: FORGE-WP-0004-T03
+status: done
+priority: high
+state_hub_task_id: "9d1cd8e6-80da-4ded-9ae7-ddfeb64af0ae"
+```
+
+Apply the reviewed ingress and, if needed, reconcile the Gitea Helm release so
+`ROOT_URL` remains the HTTPS host. Verify:
+
+- root URL returns `200` or an expected redirect;
+- `/api/v1/version` is reachable;
+- `/v2/` still returns an OCI authentication challenge;
+- the package-specific PyPI simple index for `issue-core` still returns `200`.
+
+Completed on 2026-06-13. `kubectl apply -f manifests/gitea-ingress.yaml`
+configured the public root path. A pinned Helm `--reuse-values` upgrade kept
+chart `gitea-12.5.0` and app `1.25.4` while overriding only
+`gitea.config.server.ROOT_URL=https://gitea.coulomb.social/`; Gitea rolled to
+Helm revision 7.
+
+Verification evidence:
+
+- `https://gitea.coulomb.social/` returned `200`;
+- `https://gitea.coulomb.social/api/v1/version` returned `200` with
+  `{"version":"1.25.4"}`;
+- `https://gitea.coulomb.social/v2/` returned `401`, preserving the OCI auth
+  challenge;
+- `https://gitea.coulomb.social/api/packages/coulomb/pypi/simple/issue-core/`
+  returned `200`;
+- live `ROOT_URL` is `https://gitea.coulomb.social/`;
+- the Gitea web UI bootstrap and `issue-core==0.2.0` package artifact links now
+  render HTTPS URLs.
+
+## T04 - Sync State Hub and record evidence
+
+```task
+id: FORGE-WP-0004-T04
+status: done
+priority: medium
+state_hub_task_id: "ad4b9574-89fd-4ced-8dde-3b0d5a9a555a"
+```
+
+Run State Hub consistency sync for `railiance-forge` and record a progress note
+with non-secret verification evidence.
+
+Completed on 2026-06-13 after the live endpoint verification.