docs(friction): log registry-push auth gotcha (no creds in vault)

Building images is fully automatable; pushing to the Forgejo registry needs an
interactive docker login, and registry creds aren't in vault — so an agent can't
complete a push. Captured for the next kaizen review.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs/FRICTION.md

@@ -22,6 +22,17 @@ earning its keep.
 
 _(append new raw signals here; the next kaizen review consumes them)_
 
+- `[friction]` **Image push to the Forgejo registry fails with `no basic auth
+  credentials`** (2026-06-15): `make caddy-image-push` (and `molecule-image-push`) fail
+  unless the Docker daemon on ubongo has an interactive `docker login
+  forgejo.nyumbani.baobab.band` session — and those creds are **not in vault** (only
+  `gandi` + `hetzner` are), so an agent can't complete a push non-interactively. The
+  build half is fully automatable; the push half silently requires a human. → candidate:
+  document the `docker login` step in `docs/runbooks/claude-code-setup.md`, **or** store
+  a scoped Forgejo registry token in vault + a `make registry-login` target (login via
+  `--password-stdin`, `no_log`) so pushes are agent-completable like every other
+  vault-backed action.
+
 - `[recurring]` **ADRs claim cross-doc reconciliation they didn't actually perform**
   (2026-06-14): ADR-024's Status + Consequences asserted "ADR-017 prose that mentioned
   Traefik is updated to read Caddy" — but ADR-008/017/019 + CAPABILITIES still said