railiance-forge/workplans/FORGE-WP-0004-public-gitea-root-endpoint.md

---
id: FORGE-WP-0004
type: workplan
title: "Standard public Gitea HTTPS root endpoint"
domain: railiance
repo: railiance-forge
status: finished
owner: codex
topic_slug: railiance
planning_priority: high
created: "2026-06-13"
updated: "2026-06-13"
state_hub_workstream_id: "10a11cbb-9c2b-496b-af6a-dc934aeee68b"
---

# Standard public Gitea HTTPS root endpoint

## Context

Before this workplan, `https://gitea.coulomb.social/` returned `404` because
the forge-owned ingress only routed package and OCI registry paths. The Helm
overlay already declared `ROOT_URL: "https://gitea.coulomb.social/"`, so the
deployment standard now makes the public Gitea web route, Python package route,
and OCI registry route part of the same forge-owned endpoint contract.

## T01 - Set the public endpoint contract

```task
id: FORGE-WP-0004-T01
status: done
priority: high
state_hub_task_id: "f0125038-cf5b-4c8b-a90f-c3f3bedfc386"
```

Define the standard public Gitea endpoint as:

- `https://gitea.coulomb.social/` for the web UI and normal Gitea web/API
  routes;
- `https://gitea.coulomb.social/api/packages/...` for package publication and
  installation;
- `https://gitea.coulomb.social/v2/` for OCI registry clients.

This explicitly supersedes the temporary registry-only ingress posture.

## T02 - Update forge-owned deployment files

```task
id: FORGE-WP-0004-T02
status: done
priority: high
state_hub_task_id: "225707ce-10b5-41e3-809d-55f4b3a52c80"
```

Add a `/` catch-all path to `manifests/gitea-ingress.yaml`, keep the explicit
`/api/packages` and `/v2` paths visible for operator clarity, and reconcile the
ingress labels from the earlier `railiance-apps` extraction to
`railiance-forge` ownership.

Done when the manifest and operator docs describe the root web endpoint as the
standard deployment shape.

Completed on 2026-06-13. The ingress manifest now routes `/`, `/api/packages`,
and `/v2` to the Gitea service, and the ingress labels identify
`railiance-forge` ownership. Forge docs and operator target wording now describe
the public endpoint as web, package, and OCI registry surface rather than a
registry-only ingress.

## T03 - Apply and verify the live endpoint

```task
id: FORGE-WP-0004-T03
status: done
priority: high
state_hub_task_id: "9d1cd8e6-80da-4ded-9ae7-ddfeb64af0ae"
```

Apply the reviewed ingress and, if needed, reconcile the Gitea Helm release so
`ROOT_URL` remains the HTTPS host. Verify:

- root URL returns `200` or an expected redirect;
- `/api/v1/version` is reachable;
- `/v2/` still returns an OCI authentication challenge;
- the package-specific PyPI simple index for `issue-core` still returns `200`.

Completed on 2026-06-13. `kubectl apply -f manifests/gitea-ingress.yaml`
configured the public root path. A pinned Helm `--reuse-values` upgrade kept
chart `gitea-12.5.0` and app `1.25.4` while overriding only
`gitea.config.server.ROOT_URL=https://gitea.coulomb.social/`; Gitea rolled to
Helm revision 7.

Verification evidence:

- `https://gitea.coulomb.social/` returned `200`;
- `https://gitea.coulomb.social/api/v1/version` returned `200` with
  `{"version":"1.25.4"}`;
- `https://gitea.coulomb.social/v2/` returned `401`, preserving the OCI auth
  challenge;
- `https://gitea.coulomb.social/api/packages/coulomb/pypi/simple/issue-core/`
  returned `200`;
- live `ROOT_URL` is `https://gitea.coulomb.social/`;
- the Gitea web UI bootstrap and `issue-core==0.2.0` package artifact links now
  render HTTPS URLs.

## T04 - Sync State Hub and record evidence

```task
id: FORGE-WP-0004-T04
status: done
priority: medium
state_hub_task_id: "ad4b9574-89fd-4ced-8dde-3b0d5a9a555a"
```

Run State Hub consistency sync for `railiance-forge` and record a progress note
with non-secret verification evidence.

Completed on 2026-06-13 after the live endpoint verification.