vault: add fix-ops-branch-protection-20260415

- Architect reliability objective DONE (#762, #764 closed)
- Chat objective DONE (all sub-issues closed)
- Added bootstrap reproducibility cluster (#769-#772)
- Added #773 vault bug, #429 versioned images tracking
- Priority: +#769 (blocks bootstrap), -#765 (blocked)
- Graph: 217 nodes, 317 edges, healthy

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

RESOURCES.md

@@ -0,0 +1,5 @@
+# RESOURCES
+
+## Overview
+
+<!-- Add content here -->

portfolio.md

@@ -0,0 +1,5 @@
+# Portfolio
+
+## Overview
+
+<!-- Add content here -->

prerequisites.md

@@ -1,5 +1,5 @@
 # Prerequisite Tree
-<!-- Last updated: 2026-04-08 -->
+<!-- Last updated: 2026-04-15 -->
 
 ## Objective: Foundation — Core agent loop (dev → CI → review → merge)
 - [x] dev-agent picks up backlog issues (dev/dev-agent.sh exists)
@@ -8,6 +8,9 @@
 - [x] Stale in-progress recovery (#224 — closed)
 - [x] Agent race condition fix (#160 — closed)
 - [x] Dispatcher grep Alpine fix (#150 — closed)
+- [x] Dev-poll post-crash deadlock (#749 — closed)
+- [x] Entrypoint wait deadlock (#753 — closed)
+- [x] Credential helper race on cold boot (#741 — closed)
 Status: DONE
 
 ## Objective: Foundation — Supervisor health monitoring
@@ -18,7 +21,7 @@ Status: DONE
 ## Objective: Foundation — Planner gap analysis against vision
 - [x] Planner formula exists (run-planner.toml v4)
 - [x] planner-run.sh cron wrapper exists
-- [x] Planning runs established and maintaining prerequisite tree (run 1: 2026-04-05, run 2: 2026-04-08)
+- [x] Planning runs established (run 1: 2026-04-05, run 2: 2026-04-08, run 3: 2026-04-15)
 Status: DONE
 
 ## Objective: Foundation — Multi-project support
@@ -29,7 +32,7 @@ Status: DONE
 ## Objective: Foundation — Knowledge graph for structural defect detection
 - [x] networkx package installed in agents container (#220 — closed)
 - [x] build-graph.py exists in lib/
-- [x] Graph report generating successfully (165 nodes, 137 edges as of 2026-04-08)
+- [x] Graph report generating successfully (217 nodes, 317 edges as of 2026-04-15)
 Status: DONE
 
 ## Objective: Foundation — Predictor-planner adversarial feedback loop
@@ -45,24 +48,59 @@ Status: DONE
 - [x] disinto init re-run stability (#158 — closed)
 - [x] disinto init repo creation API endpoint (#164 — closed)
 - [x] Prediction labels created during init (#225 — closed)
-- [ ] Ops repo migration for existing deployments (#425 — backlog+priority)
+- [x] Ops repo migration for existing deployments (#425 — closed, #688 — closed)
-Status: BLOCKED — #425 ops repo missing dirs on existing deployments
+- [x] Edge service restart policy (#768 — closed)
+- [ ] Ops repo branch protection blocks agent writes (#758 — blocked, bug-report) blocked-on-vault (vault/pending/disinto-ops-branch-protection.md)
+- [ ] Planner PR-based ops flow (#765 — blocked, engineering fix for #758)
+- [ ] agents-llama as first-class generator service (#769 — backlog)
+- [ ] disinto up should regenerate compose/Caddyfile from generators.sh (#770 — backlog, depends on #769)
+- [ ] Deprecate tracked docker/Caddyfile (#771 — backlog)
+- [ ] disinto down && disinto up reproducibility (#772 — blocked, depends on #769+#770+#771)
+Status: BLOCKED — #758 ops repo branch protection (human action needed); #769-#771 in backlog for bootstrap reproducibility
 
 ## Objective: Adoption — Built-in Forgejo + Woodpecker CI
 - [x] Docker compose with Forgejo + Woodpecker
 - [x] Woodpecker OAuth2 redirect URI fix (#172 — closed)
 - [x] WOODPECKER_HOST override fix (#178 — closed)
+- [x] CI exhaustion root cause fixed (#742 — closed)
 Status: DONE
 
 ## Objective: Adoption — Landing page communicating value proposition
 - [x] Website addressable exists (disinto.ai)
-- [ ] Website observability — no engagement measurement (#426 — vision)
+- [x] Evidence/engagement directory setup (#747 — closed)
-Status: BLOCKED — no evidence process connected to website
+- [x] Format-detection guard in collect-engagement.sh (#746 — closed)
+- [x] Collect-engagement formula + container script (#745 — closed, PR #761)
+- [ ] Website observability — engagement measurement wired (#426 — vision)
+Status: BLOCKED — #426 needs design decisions (vision-level), engagement collection infrastructure ready
 
 ## Objective: Adoption — Example project demonstrating full lifecycle
-- [ ] No example project exists
+- [x] Bootstrap path verified (#425, #688 — closed)
-- [ ] Requires verified bootstrap (#425)
+- [ ] Example project design and implementation (#697 — vision+priority)
-Status: BLOCKED — depends on bootstrap completion and ops repo migration
+Status: BLOCKED — #697 needs design (vision-level), bootstrap path verified
+
+## Objective: Adoption — Subpath routing + Forgejo-OAuth-gated Claude chat (#623)
+- [x] Caddy subpath routing skeleton (#704 — closed)
+- [x] Chat container scaffold (#705 — closed)
+- [x] Chat sandbox hardening (#706 — closed)
+- [x] Claude identity isolation (#707 — closed)
+- [x] Forgejo OAuth gate (#708 — closed)
+- [x] Caddy Remote-User forwarding (#709 — closed)
+- [x] Conversation history persistence (#710 — closed)
+- [x] Cost caps + rate limiting (#711 — closed)
+- [x] Escalation tools (#712 — closed)
+- [x] Per-project subdomain fallback (#713 — closed)
+Status: DONE — all 10 sub-issues closed, parent #623 awaiting architect close
+
+## Objective: Adoption — Architect agent reliability
+- [x] Architect FORGE_TOKEN override bug (#762 — closed 2026-04-15)
+- [x] Architect pitch prompt guardrail bypass (#764 — closed 2026-04-15)
+Status: DONE
+
+## Objective: Adoption — Versioned agent images (#429)
+- [ ] Publish versioned agent images — compose should use image: not build: (#429 — in-progress, vision)
+Status: IN PROGRESS — #429 being worked on
+
+## --- ADOPTION MILESTONE: IN PROGRESS ---
 
 ## Objective: Ship (Fold 2) — Deploy profiles per artifact type
 - [ ] No deploy profiles defined
@@ -72,8 +110,10 @@ Status: BLOCKED — not started, needs design (vision-level)
 ## Objective: Ship (Fold 2) — Vault-gated fold transitions
 - [x] Vault redesign complete (#73-#77 — all closed)
 - [x] Vault PR workflow documented (docs/VAULT.md)
-- [ ] Vault directories complete in ops repo (#425 — approved/fired/rejected missing)
+- [x] Vault directories seeded in ops repo (#425, #688 — closed)
-Status: BLOCKED — #425 ops repo dirs needed for vault workflow
+- [ ] Ops repo branch protection blocks vault item visibility (#758) blocked-on-vault (vault/pending/disinto-ops-branch-protection.md)
+- [ ] vault_request RETURN trap fires prematurely (#773 — backlog, bug-report)
+Status: BLOCKED — #758 prevents vault items from reaching remote; #773 vault bug in backlog
 
 ## Objective: Ship (Fold 2) — Engagement measurement baked into deploy pipelines
 - [ ] No engagement measurement exists
@@ -82,6 +122,7 @@ Status: BLOCKED — depends on deploy profiles + website observability (#426)
 
 ## Objective: Ship (Fold 2) — Rent-a-human for gated channels
 - [x] run-rent-a-human formula exists
+- [x] Caddy SSH key setup documented (#748 — closed)
 - [ ] Not yet exercised in production
 Status: READY
 

vault/actions/fix-ops-branch-protection-20260415.toml

@@ -1,5 +1,23 @@
-id = "fix-ops-branch-protection-20260415"
+# Vault action: fix-ops-branch-protection-20260415
-formula = "run-rent-a-human"
+# Filed by: gardener (2026-04-15)
-context = "The ops repo disinto-ops has branch protection on main that prevents all agent merges. planner-bot has push but cannot merge; review-bot can approve but cannot push. This has frozen all ops state since 2026-04-08 (PR disinto-ops#30 stuck with 2 approvals but cannot merge). Action needed: add planner-bot to the merge bypass list in Forgejo branch protection settings for disinto-ops, OR remove branch protection from disinto-ops main (agents are primary writers). Unblocks issue #758."
+# Unblocks: #758, #765
-secrets = []
+
-blast_radius = "low"
+context = "Ops repo (disinto-admin/disinto-ops) branch protection on main requires approvals but no bot account has sufficient permissions to merge PRs. planner-bot has push but cannot merge. review-bot can approve but cannot push/merge. ops/main frozen at v0.2.0 since 2026-04-08. Knowledge, vault items, and sprint artifacts accumulate locally and are lost on container restart."
+
+unblocks = ["#758", "#765"]
+
+[action_required]
+description = """
+Choose ONE of the following:
+
+Option 1 (recommended): Add planner-bot to the merge allowlist in disinto-ops branch protection.
+  Forgejo admin UI: disinto-admin/disinto-ops > Settings > Branches > main > Edit
+  Under 'Whitelist Merge': add planner-bot
+
+Option 2: Remove branch protection from disinto-ops main.
+  Agents are the primary writers; branch protection adds friction without safety benefit here.
+
+Option 3: Create an admin-level FORGE_ADMIN_TOKEN and add to agent secrets.
+  Create a Forgejo admin user or promote an existing bot, issue a token,
+  add to agent container environment as FORGE_ADMIN_TOKEN.
+"""

vault/pending/disinto-ops-branch-protection.md

@@ -0,0 +1,31 @@
+# Request: Remove or relax ops repo branch protection for agent writes
+
+## What
+The ops repo (`disinto-ops`) has branch protection on `main` that requires approvals, but no bot account has sufficient permissions to merge. The `planner-bot` has push access but cannot merge. The `review-bot` can approve but cannot push or merge. No admin token is available to agents.
+
+This means `prerequisites.md`, `knowledge/planner-memory.md`, and vault items have been accumulating **only locally** since planner run 2 (2026-04-08). The remote `origin/main` is frozen.
+
+## Why
+Blocks #758 (ops repo branch protection), which blocks ALL agent ops-repo writes: planner prerequisite tree, planner memory, evidence collection, vault pending items. Every agent that writes to the ops repo is silently failing.
+
+Downstream: blocks website observability (#426), collect-engagement (#745), and the entire evidence pipeline.
+
+Waiting since 2026-04-08 (first observed planner run 2).
+
+## Human action
+1. In Forgejo, go to `disinto-ops` → Settings → Branch Protection → `main`
+2. Either:
+   - **Option A (recommended):** Remove branch protection from `disinto-ops` entirely — the ops repo is an internal artifact, not production code. Agent writes should flow freely.
+   - **Option B:** Add `planner-bot` and `dev-bot` to the push/merge allowlist so they can push directly to `main`.
+3. Verify by running: `cd disinto-ops && git push origin main` from the agents container.
+
+## Factory will then
+- Planner will push prerequisite tree updates and memory to `origin/main`
+- Evidence collection (#745) will unblock — collect-engagement formula can commit to ops repo
+- Vault pending items will be visible on the remote for human review
+- All agents writing to ops repo will resume normal operation
+
+## Unblocks
+- #758 — ops repo branch protection blocks all agent writes
+- #745 — collect-engagement formula (indirectly, if the no_push is ops-related)
+- #426 — website observability (downstream)