ops: document deploy secrets and enforce main branch protection

docs/BRANCH_PROTECTION.md

@@ -0,0 +1,35 @@
+# Branch Protection (Codeberg)
+
+`main` should be protected to satisfy constitutional governance (`all changes merge through pull requests`) and to require CI before merge.
+
+## Required settings
+
+- Protected branch: `main`
+- Direct pushes disabled
+- Required approvals: `1` (or stricter)
+- Required status checks:
+  - `ci-gates / checks`
+- Require signed commits: enabled
+
+## Apply via script
+
+```sh
+./scripts/fj-enforce-branch-protection.sh
+```
+
+Optional overrides:
+
+```sh
+EVERY_CHANNEL_FORGE_REPO=every-channel/every.channel \
+EVERY_CHANNEL_PROTECTED_BRANCH=main \
+EVERY_CHANNEL_REQUIRED_CHECKS="ci-gates / checks" \
+EVERY_CHANNEL_REQUIRED_APPROVALS=1 \
+./scripts/fj-enforce-branch-protection.sh
+```
+
+Token source order:
+
+1. `CODEBERG_TOKEN` env var
+2. `secrets/codeberg-token.age` via `agenix` or `age`
+
+The token must have repository admin scope to edit branch protection.

docs/DEPLOY_CLOUDFLARE.md

@@ -5,18 +5,16 @@ This repo deploys `https://every.channel` via Wrangler.
 ## Prereqs
 
 - Forgejo Actions enabled on the repo.
-- A Cloudflare API token stored as a Forgejo Actions secret:
-  - name: `CLOUDFLARE_API_TOKEN`
+- Forgejo Actions secret `AGE_FORGE_SSH_KEY` set to the SSH private key used to decrypt repo-encrypted age secrets.
+- `secrets/cloudflare-api-token.age` present in-repo and decryptable by `AGE_FORGE_SSH_KEY`.
 
-The workflow is defined in `.forgejo/workflows/deploy-cloudflare.yml`.
+CI and deploy workflows:
+
+- PR/main checks: `.forgejo/workflows/ci-gates.yml`
+- Deploy (main only, depends on checks): `.forgejo/workflows/deploy-cloudflare.yml`
 
 ## Manual deploy (local)
 
 ```sh
-cd apps/tauri/ui
-trunk build --release --public-url /
-
-cd deploy/cloudflare-worker
-npm ci
-npm run deploy
+./scripts/deploy-workers.sh
 ```