Address PR review comments

- Remove audience label from non-tutorial doc
- Link caddy and alloy reference cards alongside zot
- Use forge.ops.eblu.me URLs (hairpinning works via Caddy)
- Add indri-deployment local branch step for version tracking
- Add indri user management to future considerations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/how-to/plans/migrate-forgejo-from-brew.md

@@ -9,7 +9,6 @@ tags:
 # Plan: Migrate Forgejo from Brew to Source Build
 
 > **Status:** Planned (not yet executed)
-> **Audience:** AI agent, Owner
 
 ## Background
 
@@ -18,7 +17,7 @@ Forgejo was force-upgraded from v13 to v14 by `brew upgrade`, breaking version c
 ### Why Source Build?
 
 - **Version pinning** — upgrade on our schedule by checking out specific tags
-- **Consistency** — matches [[zot]], caddy, and alloy deployment patterns
+- **Consistency** — matches [[zot]], [[caddy]], and [[alloy]] deployment patterns
 - **Control** — build flags, patches, and dependencies are explicit
 
 ## Source Remote
@@ -32,11 +31,9 @@ https://codeberg.org/forgejo/forgejo.git
 Add the forge mirror as a secondary remote for convenience and backup:
 
 ```
-http://localhost:3001/eblume/forgejo.git
+https://forge.ops.eblu.me/eblume/forgejo.git
 ```
 
-> **Note:** Use `localhost:3001` because hairpinning through Caddy doesn't work from indri itself.
-
 ## One-Time Migration Steps
 
 These steps are performed manually on indri **before** running Ansible.
@@ -50,7 +47,7 @@ ssh indri 'git clone https://codeberg.org/forgejo/forgejo.git ~/code/3rd/forgejo
 ### 2. Add Forge Mirror as Secondary Remote
 
 ```fish
-ssh indri 'cd ~/code/3rd/forgejo && git remote add forge http://localhost:3001/eblume/forgejo.git'
+ssh indri 'cd ~/code/3rd/forgejo && git remote add forge https://forge.ops.eblu.me/eblume/forgejo.git'
 ```
 
 ### 3. Check Out the Desired Version Tag
@@ -59,7 +56,15 @@ ssh indri 'cd ~/code/3rd/forgejo && git remote add forge http://localhost:3001/e
 ssh indri 'cd ~/code/3rd/forgejo && git checkout v14.0.1'
 ```
 
-### 4. Set Up Build Dependencies via Mise
+### 4. Create a Local Deployment Branch
+
+Create a local-only `indri-deployment` branch to track the deployed version. Rebase this branch when upgrading to new tags:
+
+```fish
+ssh indri 'cd ~/code/3rd/forgejo && git checkout -b indri-deployment'
+```
+
+### 5. Set Up Build Dependencies via Mise
 
 Forgejo requires Go 1.24+ and Node 20+:
 
@@ -67,7 +72,7 @@ Forgejo requires Go 1.24+ and Node 20+:
 ssh indri 'cd ~/code/3rd/forgejo && mise use go@1.24 node@20'
 ```
 
-### 5. Build the Binary
+### 6. Build the Binary
 
 ```fish
 ssh indri 'cd ~/code/3rd/forgejo && TAGS="bindata timedzdata sqlite sqlite_unlock_notify" mise x -- make build'
@@ -75,35 +80,35 @@ ssh indri 'cd ~/code/3rd/forgejo && TAGS="bindata timedzdata sqlite sqlite_unloc
 
 This produces `./forgejo` in the repo root.
 
-### 6. Stop Brew Forgejo
+### 7. Stop Brew Forgejo
 
 ```fish
 ssh indri 'brew services stop forgejo'
 ```
 
-### 7. Copy Data to New Location
+### 8. Copy Data to New Location
 
 ```fish
 ssh indri 'sudo cp -a /opt/homebrew/var/forgejo ~/forgejo'
 ```
 
-### 8. Fix Ownership
+### 9. Fix Ownership
 
 ```fish
 ssh indri 'sudo chown -R erichblume:staff ~/forgejo'
 ```
 
-### 9. Run Ansible to Deploy New Config + LaunchAgent
+### 10. Run Ansible to Deploy New Config + LaunchAgent
 
 ```fish
 mise run provision-indri -- --tags forgejo
 ```
 
-### 10. Verify Service Health
+### 11. Verify Service Health
 
 See the verification checklist below.
 
-### 11. Uninstall Brew Forgejo
+### 12. Uninstall Brew Forgejo
 
 Only after verifying everything works:
 
@@ -149,7 +154,7 @@ Replace brew install/start with binary-check + LaunchAgent pattern (matching `an
 #    ssh indri 'git clone https://codeberg.org/forgejo/forgejo.git ~/code/3rd/forgejo'
 #
 # 2. Add forge mirror as secondary remote:
-#    ssh indri 'cd ~/code/3rd/forgejo && git remote add forge http://localhost:3001/eblume/forgejo.git'
+#    ssh indri 'cd ~/code/3rd/forgejo && git remote add forge https://forge.ops.eblu.me/eblume/forgejo.git'
 #
 # 3. Set up Go and Node via mise:
 #    ssh indri 'cd ~/code/3rd/forgejo && mise use go@1.24 node@20'
@@ -281,6 +286,7 @@ After running the migration and Ansible:
 - **CI-built binaries** — build on gilbert or in Forgejo Actions, deploy as artifact
 - **Artifact release system** — tag-triggered binary builds, similar to container releases (`mise run container-release`)
 - **Automated upgrades** — Renovate or similar watching Codeberg tags, opening PRs with version bumps
+- **Indri user management** — run each service as its own macOS user for isolation (a `forgejo` user exists but LaunchAgent session management under non-login users is tricky on macOS)
 
 ## Reference Pattern Files