---
id: FORGE-WP-0004
type: workplan
title: "Standard public Gitea HTTPS root endpoint"
domain: railiance
repo: railiance-forge
status: finished
owner: codex
topic_slug: railiance
planning_priority: high
created: "2026-06-13"
updated: "2026-06-13"
state_hub_workstream_id: "10a11cbb-9c2b-496b-af6a-dc934aeee68b"
---

# Standard public Gitea HTTPS root endpoint

## Context

Before this workplan, `https://gitea.coulomb.social/` returned `404` because the forge-owned ingress only routed package and OCI registry paths. The Helm overlay already declared `ROOT_URL: "https://gitea.coulomb.social/"`, so the deployment standard now makes the public Gitea web route, Python package route, and OCI registry route part of the same forge-owned endpoint contract.

## T01 - Set the public endpoint contract

```task
id: FORGE-WP-0004-T01
status: done
priority: high
state_hub_task_id: "f0125038-cf5b-4c8b-a90f-c3f3bedfc386"
```

Define the standard public Gitea endpoint as:

- `https://gitea.coulomb.social/` for the web UI and normal Gitea web/API routes;
- `https://gitea.coulomb.social/api/packages/...` for package publication and installation;
- `https://gitea.coulomb.social/v2/` for OCI registry clients.

This explicitly supersedes the temporary registry-only ingress posture.

## T02 - Update forge-owned deployment files

```task
id: FORGE-WP-0004-T02
status: done
priority: high
state_hub_task_id: "225707ce-10b5-41e3-809d-55f4b3a52c80"
```

Add a `/` catch-all path to `manifests/gitea-ingress.yaml`, keep the explicit `/api/packages` and `/v2` paths visible for operator clarity, and reconcile the ingress labels from the earlier `railiance-apps` extraction to `railiance-forge` ownership.

Done when the manifest and operator docs describe the root web endpoint as the standard deployment shape.

Completed on 2026-06-13. The ingress manifest now routes `/`, `/api/packages`, and `/v2` to the Gitea service, and the ingress labels identify `railiance-forge` ownership. Forge docs and operator target wording now describe the public endpoint as web, package, and OCI registry surface rather than a registry-only ingress.

## T03 - Apply and verify the live endpoint

```task
id: FORGE-WP-0004-T03
status: done
priority: high
state_hub_task_id: "9d1cd8e6-80da-4ded-9ae7-ddfeb64af0ae"
```

Apply the reviewed ingress and, if needed, reconcile the Gitea Helm release so `ROOT_URL` remains the HTTPS host. Verify:

- root URL returns `200` or an expected redirect;
- `/api/v1/version` is reachable;
- `/v2/` still returns an OCI authentication challenge;
- the package-specific PyPI simple index for `issue-core` still returns `200`.

Completed on 2026-06-13. `kubectl apply -f manifests/gitea-ingress.yaml` configured the public root path. A pinned Helm `--reuse-values` upgrade kept chart `gitea-12.5.0` and app `1.25.4` while overriding only `gitea.config.server.ROOT_URL=https://gitea.coulomb.social/`; Gitea rolled to Helm revision 7.

Verification evidence:

- `https://gitea.coulomb.social/` returned `200`;
- `https://gitea.coulomb.social/api/v1/version` returned `200` with `{"version":"1.25.4"}`;
- `https://gitea.coulomb.social/v2/` returned `401`, preserving the OCI auth challenge;
- `https://gitea.coulomb.social/api/packages/coulomb/pypi/simple/issue-core/` returned `200`;
- live `ROOT_URL` is `https://gitea.coulomb.social/`;
- the Gitea web UI bootstrap and `issue-core==0.2.0` package artifact links now render HTTPS URLs.

## T04 - Sync State Hub and record evidence

```task
id: FORGE-WP-0004-T04
status: done
priority: medium
state_hub_task_id: "ad4b9574-89fd-4ced-8dde-3b0d5a9a555a"
```

Run State Hub consistency sync for `railiance-forge` and record a progress note with non-secret verification evidence.

Completed on 2026-06-13 after the live endpoint verification.
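
The T03 verification checks as a repeatable script, added here as an example and not part of the `railiance-forge` repository. The function names, the set of redirect codes accepted for `/`, and the requirement that the `/v2/` `401` carry a `WWW-Authenticate` header are assumptions.

```sh
#!/bin/sh
# Added example: offline-testable checker for the T03 endpoint contract.
BASE_URL="${BASE_URL:-https://gitea.coulomb.social}"
PYPI_PATH="/api/packages/coulomb/pypi/simple/issue-core/"

# parse_headers: raw response headers on stdin -> "STATUS|WWW-Authenticate value"
parse_headers() {
  tr -d '\r' | awk '
    /^HTTP\// { status = $2 }
    tolower($0) ~ /^www-authenticate:/ { sub(/^[^:]*:[ \t]*/, ""); challenge = $0 }
    END { printf "%s|%s\n", status, challenge }'
}

# check_contract PATH STATUS [CHALLENGE]: exit 0 if the response meets T03.
check_contract() {
  case "$1" in
    /)  # 200 or a redirect; the accepted redirect codes are an assumption
        case "$2" in 200|301|302|303|307|308) return 0 ;; esac ;;
    /api/v1/version | /api/packages/*/pypi/simple/*)
        [ "$2" = 200 ] && return 0 ;;
    /v2/)
        # Must stay a 401 with a challenge header: a 200 would mean the registry
        # answers anonymously, and a 401 without the header gives clients
        # nothing to authenticate against.
        [ "$2" = 401 ] && [ -n "${3:-}" ] && return 0 ;;
  esac
  return 1
}

# verify_live: probe each contract path with curl (network needed).
verify_live() {
  rc=0
  for path in / /api/v1/version /v2/ "$PYPI_PATH"; do
    result="$(curl -sS -o /dev/null -D - --max-time 10 "${BASE_URL}${path}" | parse_headers)"
    status="${result%%|*}"; challenge="${result#*|}"
    if check_contract "$path" "$status" "$challenge"; then
      echo "PASS ${path} -> ${status}"
    else
      echo "FAIL ${path} -> ${status:-no response}"; rc=1
    fi
  done
  return "$rc"
}

# Only touch the network when asked to: sh check.sh --live
if [ "${1:-}" = "--live" ]; then verify_live; fi
```

Running it with `--live` after an ingress or Helm change exits non-zero if any path drifts from the contract, including `/v2/` starting to answer without a challenge.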