From 19e675fa5a9975bb1310b96b7423c61ca187d2c8 Mon Sep 17 00:00:00 2001 From: sjat Date: Mon, 15 Jun 2026 06:58:45 +0200 Subject: [PATCH] docs(friction): log registry-push auth gotcha (no creds in vault) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Building images is fully automatable; pushing to the Forgejo registry needs an interactive docker login, and registry creds aren't in vault — so an agent can't complete a push. Captured for the next kaizen review. Co-Authored-By: Claude Opus 4.8 (1M context) --- docs/FRICTION.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/FRICTION.md b/docs/FRICTION.md index e98ffdb..fdbd5f7 100644 --- a/docs/FRICTION.md +++ b/docs/FRICTION.md @@ -22,6 +22,17 @@ earning its keep. _(append new raw signals here; the next kaizen review consumes them)_ +- `[friction]` **Image push to the Forgejo registry fails with `no basic auth + credentials`** (2026-06-15): `make caddy-image-push` (and `molecule-image-push`) fail + unless the Docker daemon on ubongo has an interactive `docker login + forgejo.nyumbani.baobab.band` session — and those creds are **not in vault** (only + `gandi` + `hetzner` are), so an agent can't complete a push non-interactively. The + build half is fully automatable; the push half silently requires a human. → candidate: + document the `docker login` step in `docs/runbooks/claude-code-setup.md`, **or** store + a scoped Forgejo registry token in vault + a `make registry-login` target (login via + `--password-stdin`, `no_log`) so pushes are agent-completable like every other + vault-backed action. + - `[recurring]` **ADRs claim cross-doc reconciliation they didn't actually perform** (2026-06-14): ADR-024's Status + Consequences asserted "ADR-017 prose that mentioned Traefik is updated to read Caddy" — but ADR-008/017/019 + CAPABILITIES still said
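Review bot: In the second candidate at the end of the added `[friction]` entry, "a scoped Forgejo registry token" leaves the scope undefined, so the next kaizen review cannot judge what an agent holding it could do. Suggest naming the minimum the token needs (push for the images behind `make caddy-image-push` and `molecule-image-push`, nothing else) and its expiry or rotation. The entry covers the login call itself (`--password-stdin`, `no_log`) but not whether `make registry-login` is paired with a logout after the push. Without one, the session stays on ubongo's Docker daemon just as the interactive `docker login` does today. A smaller wording point: the title says the push fails with `no basic auth credentials`, while the body says the push half "silently requires a human". Since the failure is reported, "the requirement is undocumented" would be more accurate than "silently".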