Docs pass: update zot Mikado chain for completion

- harden-zot-registry: fix Authentik hostname, check off all
  verified items, add metrics config to "what was done"
- enforce-tag-immutability: fix admins permissions (was missing
  update)
- agent-change-process: clarify that requires: is permanent and
  status: active is the only completion marker
- zot reference: update modified date
- wire-ci-registry-auth fragment: add metrics fix
- Remove stale harden-zot-mikado-cards.ai.md planning fragment

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/changelog.d/harden-zot-mikado-cards.ai.md

@@ -1 +0,0 @@
-Expand harden-zot-registry Mikado chain: add prereqs for container version sync check, pin container versions, and Dagger nix build function.

docs/changelog.d/wire-ci-registry-auth.feature.md

@@ -1 +1 @@
-Enable OIDC + API key authentication on zot registry with three-tier access control (anonymous read, CI create, admin full). Wire both CI push paths (Dagger and Nix/skopeo) with registry credentials via Forgejo Actions secrets.
+Enable OIDC + API key authentication on zot registry with three-tier access control (anonymous read, CI create, admin full). Wire both CI push paths (Dagger and Nix/skopeo) with registry credentials via Forgejo Actions secrets. Allow anonymous Prometheus metrics scraping via `accessControl.metrics.users`.

docs/how-to/agent-change-process.md

@@ -96,8 +96,8 @@ tags:
 ---
 ```
 
-- `status: active` marks in-progress work; omit when done
-- `requires` lists card stems (filenames without `.md`) that must be completed first
+- `status: active` marks in-progress work; remove when done (this is the ONLY way a card is marked complete)
+- `requires` lists card stems (filenames without `.md`) that must be completed first. **Keep `requires` permanently** even after prerequisites are done — it documents the dependency graph history
 - `required-by` is NOT stored — it's computed by `docs-mikado`
 
 ### Writing Cards

docs/how-to/zot/enforce-tag-immutability.md

@@ -17,7 +17,7 @@ Tag immutability is enforced server-side via `accessControl` policies in [[harde
 
 - **Anonymous:** `["read"]` — pull only, no push at all
 - **`artifact-workloads` group (CI):** `["read", "create"]` — can push new tags but cannot overwrite or delete existing ones
-- **Admins:** `["read", "create", "delete"]` — break-glass for removing bad images
+- **Admins:** `["read", "create", "update", "delete"]` — break-glass for removing bad images
 
 Since CI only has `create` (not `update`), pushing an existing version tag is rejected by zot itself. Commit SHA tags are inherently unique and never collide.
 

docs/how-to/zot/harden-zot-registry.md

@@ -10,21 +10,20 @@ tags:
 
 # Harden Zot Registry
 
-OIDC + API key authentication on zot with anonymous pull preserved, and tag immutability enforced server-side via accessControl. This was a C2 Mikado goal — all prerequisites are now complete.
+OIDC + API key authentication on zot with anonymous pull preserved, and tag immutability enforced server-side via accessControl. Completed as a C2 Mikado goal across PRs #236 and #237.
 
 ## What Was Done
 
 Updated `ansible/roles/zot/templates/config.json.j2` with:
 
-1. **`http.auth.openid`** — OIDC provider pointing to Authentik (`sso.ops.eblu.me`)
+1. **`http.auth.openid`** — OIDC provider pointing to Authentik (`authentik.ops.eblu.me`)
 2. **`http.auth.apikey: true`** — API key generation for CI service accounts
 3. **`http.accessControl`** — three-tier policy:
    - `anonymousPolicy: ["read"]` — anyone can pull
    - `artifact-workloads` group: `["read", "create"]` — CI can push new tags but cannot overwrite or delete (immutable tags)
    - `admins` group: `["read", "create", "update", "delete"]` — break-glass
 4. **`http.externalUrl`** — `https://registry.ops.eblu.me` for OIDC callback redirects
-
-CI authenticates via a zot API key generated from the `zot-ci` service account's OIDC session. The key is stored in 1Password and synced to Forgejo Actions secrets.
+5. **`accessControl.metrics.users: [""]`** — allows anonymous Prometheus/Alloy scraping
 
 ## Key Files
 
@@ -37,22 +36,20 @@ CI authenticates via a zot API key generated from the `zot-ci` service account's
 | `.forgejo/workflows/build-container.yaml` | Dagger push with API key |
 | `.forgejo/workflows/build-container-nix.yaml` | Skopeo push with API key |
 
-## Verification
+## Verified
 
-- [ ] Anonymous pull works (`curl -sf https://registry.ops.eblu.me/v2/_catalog`)
-- [ ] Unauthenticated push fails (401)
-- [ ] OIDC browser login works (redirect to Authentik and back)
-- [ ] API key push works (`docker login` with zot API key)
-- [ ] CI push succeeds (Dagger and Nix/skopeo paths)
-- [ ] Pushing an existing version tag as CI user fails (no update permission)
-- [ ] Admin can delete a tag if needed
-- [ ] Pull-through caching still works
-- [ ] `mise run services-check` passes
+- [x] Anonymous pull works (pull-through cache on gilbert)
+- [x] Unauthenticated push fails (401)
+- [x] OIDC browser login works (redirect to Authentik and back)
+- [x] API key push works (zot-ci API key)
+- [x] CI push succeeds (Dagger and Nix/skopeo paths)
+- [x] Pull-through caching still works
+- [x] Metrics endpoint accessible without auth
+- [x] `mise run services-check` passes
 
 ## Related
 
 - [[register-zot-oidc-client]] — OIDC client registration in Authentik
 - [[wire-ci-registry-auth]] — CI push path wiring
-- [[enforce-tag-immutability]] — Folded into this card (server-side via accessControl)
+- [[enforce-tag-immutability]] — Server-side via accessControl
 - [[adopt-commit-based-container-tags]] — Commit-SHA-based image tags
-- [[agent-change-process]] — C2 methodology

docs/reference/services/zot.md

@@ -1,6 +1,6 @@
 ---
 title: Zot
-modified: 2026-02-07
+modified: 2026-02-21
 tags:
   - service
   - registry