random edits

.env

@@ -32,3 +32,16 @@ INSTANCE_NAME=ForgeBucket
 # ─── Dev only ─────────────────────────────────────────────────────────────────
 # Set to true to disable Secure cookies and enable verbose logging
 DEBUG=true
+
+# PEM-encoded ECDSA P-256 private key.  If empty, an ephemeral key is generated
+# at startup (signatures will not survive restart).  Generate with:
+#   openssl ecparam -genkey -name prime256v1 -noout -out signing-key.pem
+ARTIFACT_SIGNING_KEY="-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKGMjCu0NdczHQ7BRDeo0hTOLauF9vOenWl0HlyN4bzToAoGCCqGSM49
+AwEHoUQDQgAE+VL1HhQ1us0QfNH+5Var8lo5Oww83B+QDQ2obzHL4JZl0UM3kVAB
+SePwUlkfdW6u4a0KYMYf3Op6wsXTp0kA2g==
+-----END EC PRIVATE KEY-----"
+
+# ─── OCI Registry (Phase 4) ───────────────────────────────────────────────────
+# Root directory for the OCI Distribution Spec blob and upload storage.
+OCI_ROOT=/var/lib/forgebucket/oci

CHANGELOG.md

@@ -9,9 +9,9 @@ Versions follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
-### Planned — Phase 4 (Intelligence + Artifacts)
-- AI failure diagnosis (pipeline failure root-cause analysis via Claude API)
-- AI deployment risk scoring
+### Planned — Phase 4 ( Artifacts + Git HTTP(S)/SSH Support + Releases Page)
+
+### 4A. Artifacts
 - Signed artifacts (Sigstore/Cosign)
 - SBOM generation (CycloneDX/SPDX)
 - OCI container registry
@@ -19,6 +19,31 @@ Versions follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 - Dependency vulnerability scanning
 - Cross-instance pull requests (ForgeFed ActivityPub extension)
 
+### 4B. Git HTTP(S)/SSH Support
+
+### 4C. Releases Page
+- Goal:
+  - Make releases operationally meaningful.
+- Build:
+  - releases
+  - release notes
+  - release assets
+  - changelog generation
+  - release timelines
+  - release channels
+- Add:
+  - signed artifacts
+  - rollback metadata
+  - deployment associations
+- UI:
+  - Release page should show:
+    - version
+    - artifacts
+    - deployments
+    - timeline
+    - health
+
+> NOT just markdown notes.
 ---
 
 ## [0.9.0] — 2026-05-12

docker-compose.prod.yml

@@ -27,7 +27,9 @@ services:
       - "8080:8080"
     volumes:
       - repo_data:/var/lib/forgebucket/repos
+      - oci_data:/var/lib/forgebucket/oci
 
 volumes:
   postgres_data:
   repo_data:
+  oci_data:

docker-compose.yml

@@ -1,5 +1,3 @@
-version: "3.9"
-
 # Dev: only PostgreSQL runs here. Run the Go server locally with `make dev`.
 # Production: docker compose -f docker-compose.prod.yml up
 

signing-key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIKGMjCu0NdczHQ7BRDeo0hTOLauF9vOenWl0HlyN4bzToAoGCCqGSM49
+AwEHoUQDQgAE+VL1HhQ1us0QfNH+5Var8lo5Oww83B+QDQ2obzHL4JZl0UM3kVAB
+SePwUlkfdW6u4a0KYMYf3Op6wsXTp0kA2g==
+-----END EC PRIVATE KEY-----