railiance-forge/workplans/FORGE-WP-0004-public-gitea-root-endpoint.md

id, type, title, domain, repo, status, owner, topic_slug, planning_priority, created, updated, state_hub_workstream_id

id	type	title	domain	repo	status	owner	topic_slug	planning_priority	created	updated	state_hub_workstream_id
FORGE-WP-0004	workplan	Standard public Gitea HTTPS root endpoint	railiance	railiance-forge	finished	codex	railiance	high	2026-06-13	2026-06-13	10a11cbb-9c2b-496b-af6a-dc934aeee68b

Standard public Gitea HTTPS root endpoint

Context

Before this workplan, https://gitea.coulomb.social/ returned 404 because the forge-owned ingress only routed package and OCI registry paths. The Helm overlay already declared ROOT_URL: "https://gitea.coulomb.social/", so the deployment standard now makes the public Gitea web route, Python package route, and OCI registry route part of the same forge-owned endpoint contract.

T01 - Set the public endpoint contract

id: FORGE-WP-0004-T01
status: done
priority: high
state_hub_task_id: "f0125038-cf5b-4c8b-a90f-c3f3bedfc386"

Define the standard public Gitea endpoint as:

• https://gitea.coulomb.social/ for the web UI and normal Gitea web/API routes;
• https://gitea.coulomb.social/api/packages/... for package publication and installation;
• https://gitea.coulomb.social/v2/ for OCI registry clients.

This explicitly supersedes the temporary registry-only ingress posture.

T02 - Update forge-owned deployment files

id: FORGE-WP-0004-T02
status: done
priority: high
state_hub_task_id: "225707ce-10b5-41e3-809d-55f4b3a52c80"

Add a / catch-all path to manifests/gitea-ingress.yaml, keep the explicit /api/packages and /v2 paths visible for operator clarity, and reconcile the ingress labels from the earlier railiance-apps extraction to railiance-forge ownership.

Done when the manifest and operator docs describe the root web endpoint as the standard deployment shape.

Completed on 2026-06-13. The ingress manifest now routes /, /api/packages, and /v2 to the Gitea service, and the ingress labels identify railiance-forge ownership. Forge docs and operator target wording now describe the public endpoint as web, package, and OCI registry surface rather than a registry-only ingress.

T03 - Apply and verify the live endpoint

id: FORGE-WP-0004-T03
status: done
priority: high
state_hub_task_id: "9d1cd8e6-80da-4ded-9ae7-ddfeb64af0ae"

Apply the reviewed ingress and, if needed, reconcile the Gitea Helm release so ROOT_URL remains the HTTPS host. Verify:

• root URL returns 200 or an expected redirect;
• /api/v1/version is reachable;
• /v2/ still returns an OCI authentication challenge;
• the package-specific PyPI simple index for issue-core still returns 200.

Completed on 2026-06-13. kubectl apply -f manifests/gitea-ingress.yaml configured the public root path. A pinned Helm --reuse-values upgrade kept chart gitea-12.5.0 and app 1.25.4 while overriding only gitea.config.server.ROOT_URL=https://gitea.coulomb.social/; Gitea rolled to Helm revision 7.

Verification evidence:

• https://gitea.coulomb.social/ returned 200;
• https://gitea.coulomb.social/api/v1/version returned 200 with {"version":"1.25.4"};
• https://gitea.coulomb.social/v2/ returned 401, preserving the OCI auth challenge;
• https://gitea.coulomb.social/api/packages/coulomb/pypi/simple/issue-core/ returned 200;
• live ROOT_URL is https://gitea.coulomb.social/;
• the Gitea web UI bootstrap and issue-core==0.2.0 package artifact links now render HTTPS URLs.

T04 - Sync State Hub and record evidence

id: FORGE-WP-0004-T04
status: done
priority: medium
state_hub_task_id: "ad4b9574-89fd-4ced-8dde-3b0d5a9a555a"

Run State Hub consistency sync for railiance-forge and record a progress note with non-secret verification evidence.

Completed on 2026-06-13 after the live endpoint verification.