From e701a2a11631b26d73b7fa9e7a8bfd6fc4eb13a6 Mon Sep 17 00:00:00 2001 From: mkrause612 Date: Thu, 12 Feb 2026 09:27:22 -0600 Subject: [PATCH] [UPDATE] friend-assistance-protocol: Added Gitea repo access policy (Chronicler=all, project Claude=scoped) --- docs/external/friend-assistance-protocol.md | 29 +++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/docs/external/friend-assistance-protocol.md b/docs/external/friend-assistance-protocol.md index 59068cc..ba04fc2 100644 --- a/docs/external/friend-assistance-protocol.md +++ b/docs/external/friend-assistance-protocol.md 
@@ -148,6 +148,35 @@ NO if: --- + + +## GITEA REPO ACCESS POLICY + +All repos on git.firefrostgaming.com are Firefrost Gaming infrastructure, regardless of what project they serve. + +**The Chronicler (Firefrost Claude):** +- Has read/write access to ALL repos on the Gitea instance +- Maintains infrastructure-context docs in side project repos +- Reviews cross-project requests against Firefrost policies +- Can directly update, audit, or restructure any repo as part of Firefrost operations + +**Project-Specific Claudes (e.g., Pokerole Claude):** +- Access ONLY their own project repos via scoped token +- Cannot access Firefrost operations manual, staff wiki, or any other project's repos +- Must request infrastructure support through the boundary policy (human checkpoint) + +**Default for all side projects:** +- Side project repos are Firefrost property hosted on Firefrost infrastructure +- The Chronicler has full access as the infrastructure authority +- Project Claudes get scoped access to their project only +- Michael can explicitly override this per-project if needed + +**Token Strategy:** +- Each side project gets its own scoped Gitea API token (created after Vaultwarden) +- Scoped tokens restrict access to that project's repos only +- The Chronicler's master token retains full instance access +- All tokens stored in Vaultwarden when available + ## CROSS-PROJECT BOUNDARY POLICY When friend projects are hosted on Firefrost infrastructure but managed in their own Git repos:
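Review bot: The Token Strategy bullets leave the interim handling of credentials undefined. "created after Vaultwarden" and "All tokens stored in Vaultwarden when available" do not say where the Chronicler's master token is kept until Vaultwarden exists, and that token carries read/write access to every repo on the instance. Suggest either stating the interim storage location or stating that no tokens are issued before Vaultwarden is up, and adding a line on rotation and revocation for the master token. The same section says scoped tokens "restrict access to that project's repos only" without naming how the restriction is enforced or checked; naming the mechanism (for example, a dedicated account per project that is granted access only to its own repos) would make the policy auditable. The "Michael can explicitly override this per-project if needed" bullet should also say where an override gets recorded, so a reviewer can tell an approved exception from a misconfigured token.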