Add runbook coverage for REUSE_SURFACE_TOKEN and
REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET in reuse-surface-env, plus an
idempotent make reuse-forgejo-webhook target that wires the coulomb org
push webhook to the hub receiver.
Image update for the forge-host-abstraction and hub-webhook work:
composed_at/stale tracking on GET /v1/federated, new POST
/v1/webhooks/forgejo receiver (fails closed to 503 until
REUSE_SURFACE_FORGEJO_WEBHOOK_SECRET is added to the reuse-surface-env
Secret -- deliberately not added yet, needs separate explicit
authorization for a production secret write), and the migrated
activity-core/state-hub Forgejo raw URLs already visible in the composed
index.
Live-verified post-deploy: /v1/federated (61 capabilities, composed_at/
stale fields present), /v1/repos, and a forced POST /v1/federated/compose
recompose all correct.
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Use PROTOCOL=smtp+starttls with the EU relay (smtp.ionos.de). Port 587 with
implicit TLS on smtp.ionos.com failed TLS handshake; .com auth also fails for
EU mailboxes. Document OpenBao PASSWD field mapping in operator docs.
Add forgejo-mailer ExternalSecret, inject GITEA__mailer__PASSWD from the
synced Secret, remove mailer from SOPS overlay, and add ESO bootstrap targets.
Restores the newer local gitea-values.sops.yaml (2026-03-27) over the
upstream scaffold (2026-03-10). Adds database, cache, session, and queue
sections pointing to external PostgreSQL/Valkey (S3 platform services),
and disables bundled postgresql/redis/valkey sub-charts.
Also adds .sops.yaml encryption policy for railiance-apps.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Receive gitea-values.sops.yaml from railiance-cluster — S5 now
owns the Gitea deployment lifecycle per ADR-003 boundary rules.
Add gitea-deploy and gitea-status Makefile targets. Update
SCOPE.md to reflect boundary violation resolved.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>