Captures the overnight-paused credential rotation work that began after
the 2026-04-20 EUPL-1.2 + GitHub purge exposed the Codeberg token and
Forgejo account secret to conversation context. Rotation completed next
morning, unblocked by a one-line fix to /home/ubuntu/forgejo/docker-compose.yml
(port mapping was 2222:2222, should have been 2222:22 — Forgejo container
sshd listens on port 22 internally, so DNAT was hitting a dead port).
The handoff references sensitive values only by their Bitwarden item name,
not by literal value. All old credentials are revoked or replaced; all
new credentials live in Bitwarden; Aegis TOTP 2FA is active on both hosts.
Companion to the previous-day handoff
(SESSION_HANDOFF_2026-04-20_EUPL12_OUT_OF_SCOPE_SWEEP.md). No source-code
changes in this commit — this is
pure operational documentation.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>