docs: record Forgejo protection final state (Sam & Codex)
Some checks failed
CI / ci (pull_request) Has been cancelled
Validation: docs-only; git diff --check. --- Build: pass | Tests: FAIL — 1 failed
parent f400ff4adf
commit 5cd2ebb8cc
2 changed files with 8 additions and 6 deletions
@ -1016,10 +1016,11 @@ Each agent host has its own Forgejo user + SSH key. No shared credentials.
| `codex-osa` | osa | Codex | **write** on clawdie-ai, clawdie-iso, colibri |
- **SSH keys**: one per machine user, registered on Forgejo. Never copy private keys.
- **Tokens**: scoped `write:repository` only. No admin/user/org scope on day-to-day tokens.
- **Bootstrap token**: admin-scoped, used only for initial setup, deleted after.
- **Tokens**: day-to-day git auth is SSH-key-only. No admin/user/org tokens for normal agent work.
- **Bootstrap/admin token**: retained briefly for stabilization after migration; delete within 1–2 days.
- **Email**: hermes@clawdie.si (hermes-debby), claude@clawdie.si (claude-domedog), codex@clawdie.si (codex-osa).
- **Branch protection** (future): `main` requires PR + passing status check.
- **Secrets**: operator-managed secrets live in Vaultwarden at `vault.smilepowered.org`, collection `agent-secrets`.
- **Branch protection**: direct pushes to `main` are rejected on all three repos; `clawdie-iso/xfce-operator-usb` is also protected while live. Use PR branches.
- **Webhooks** (future): push events → FreeBSD validation on osa.
### When Changes Span Repos
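Review bot: the replaced bootstrap-token bullet turns a hard rule ("admin-scoped, used only for initial setup, deleted after") into an open-ended "delete within 1–2 days" with no owner, target date or verification step; suggest naming who deletes the token, the date by which it is gone, and how deletion is confirmed (for example, by checking that the machine user's token list on Forgejo is empty), since an admin-scoped token that outlives its stated purpose is exactly what this section exists to prevent. The new branch-protection bullet also silently drops the "passing status check" half of the old "(future)" line: it records only that direct pushes to `main` are rejected, so a reader may assume CI now gates merges. State explicitly whether required status checks are enabled on the three repos or remain a future item.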
@ -86,9 +86,10 @@ not applicable.
| Repos imported | ✅ | `clawdie-ai`, `clawdie-iso`, `colibri` |
| Clean ISO history published | ✅ | `clawdie-iso` main includes Colibri ISO staging (`ef28677`) |
| Machine users created | ✅ | `hermes-debby`, `claude-domedog`, `codex-osa` |
| Per-host SSH keys | ⏳ | OSA done and write-verified; debby/domedog update rows above |
| Bootstrap/admin tokens deleted | ⏳ | Delete setup tokens after agent SSH keys are proven |
| Branch protection | ⏳ | Protect `main` after imports and key checks settle |
| Per-host SSH keys | ✅ | `hermes-debby`, `claude-domedog`, and `codex-osa` have per-host keys; no shared private keys |
| Bootstrap/admin tokens deleted | ⏳ | Admin token retained briefly for stabilization; delete within 1–2 days |
| Branch protection | ✅ | Direct pushes to `main` rejected on all three repos; `clawdie-iso/xfce-operator-usb` also protected while live |
| Vaultwarden secrets | ✅ | `vault.smilepowered.org` has `agent-secrets` collection for operator-managed secrets |
| Webhook validation | ⏳ | Planned: Forgejo push → OSA FreeBSD proof gate |
## Rules
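Review bot: the "Per-host SSH keys" row is flipped to ✅ but loses the evidence the old row carried. The old text recorded that OSA was "write-verified" and that debby/domedog were still pending; the new text only says the three users "have per-host keys". Having a key registered is not the same as having confirmed that each host can push with it and nothing else, so suggest keeping a per-host verification status (key registered / write verified) in the notes column rather than a single ✅. The "Bootstrap/admin tokens deleted" row keeps ⏳ with the same unowned "1–2 days" deadline as the bullet list above; the old row at least tied deletion to a concrete condition ("after agent SSH keys are proven"), and that condition should be restored or replaced with a named owner and date so the row can actually be closed.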