chore: planner run 2026-04-14

vault/pending/disinto-caddy-ssh-key.md

@@ -0,0 +1,29 @@
+# Request: Caddy host SSH key for engagement data collection
+
+## What
+Provision a dedicated SSH keypair with `command=` restriction on the Caddy host serving disinto.ai. This key allows the edge container to fetch access logs for engagement measurement.
+
+## Why
+Blocks #745 (collect-engagement formula) and #426 (website observability).
+The factory cannot make disinto.ai an observable without reading access logs from the Caddy host.
+Waiting since 2026-04-14.
+
+## Human action
+1. Generate keypair: `ssh-keygen -t ed25519 -f caddy-collect -N '' -C 'disinto-collect-engagement'`
+2. Install public key on Caddy host in `~/.ssh/authorized_keys` with restriction:
+   ```
+   command="cat /var/log/caddy/access.log",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... disinto-collect-engagement
+   ```
+3. Ensure Caddy is configured for JSON structured access log format
+4. Add private key as `CADDY_SSH_KEY` to `.env.vault.enc`
+5. Add Caddy host address as `CADDY_HOST` to `.env.vault.enc`
+6. Test: `ssh -i caddy-collect user@caddy-host` should output the access log and disconnect
+
+## Factory will then
+- Run `collect-engagement` formula daily via edge container cron
+- Commit evidence JSON to `evidence/engagement/YYYY-MM-DD.json` in ops repo
+- Planner uses evidence data to assess landing page effectiveness
+
+## Unblocks
+- #745 — collect-engagement formula + container script
+- #426 — website observability (parent vision issue)