
plan: PAT transcendence — GitHub App + worker-minted tokens#247

Merged: klappy merged 1 commit into main from feat/pat-transcendence-plan on Jun 10, 2026

Conversation

@klappy klappy (Owner) commented Jun 10, 2026

Backlog item 0 architecture. Owner runbook + steward implementation plan. Charter reservations become permission physics (no Administration grant).


Note (Low Risk): Documentation-only change with no runtime, auth, or deployment behavior modified in this PR.

Overview
Adds internal draft planning doc docs/planning/pat-transcendence-github-app.md (E0010) that records backlog item 0 architecture for replacing manual PATs with oddkit-steward GitHub App credentials.

The doc specifies an owner ~10 minute runbook (create app with Contents/PR/Workflows write, no Administration; install on three repos; store GH_APP_* in Worker secrets; retire the last PAT) and a steward implementation outline for a worker github_token tool (JWT → installation token, MCP exposure, boarding-pass wording, telemetry).

It frames charter reserved powers as permission physics (no Administration grant), short-lived minted tokens vs transcript-exposed long-lived keys, and notes why stock GitHub MCP OAuth is insufficient for this shape.

Reviewed by Cursor Bugbot for commit ce7ce34. Bugbot is set up for automated code reviews on this repo. Configure here.

Operator-as-credential-wire retired the E0009 way: substrate becomes the
wire. Owner runbook (~10 min one-time), steward implementation plan,
charter-enforcement-by-permission-physics rationale.
@klappy klappy merged commit 394bbc4 into main Jun 10, 2026
@github-actions

Canon Quality — oddkit_audit ⚠️

8 finding(s) in writings/ (39 files scanned). Mode: soft.

writings/agentic-software-development.md — 1 finding(s)

| Line | Rule | Occurrence | Message |
|---|---|---|---|
| 242 | dead-reference | klappy://writings/nothing-new-even-ai | URI does not resolve |

writings/choosing-faith-not-fear.md — 1 finding(s)

| Line | Rule | Occurrence | Message |
|---|---|---|---|
| 203 | dead-reference | klappy://writings/four-questions-that-change-everything | URI does not resolve |

writings/getting-started-with-odd-and-oddkit.md — 4 finding(s)

| Line | Rule | Occurrence | Message |
|---|---|---|---|
| 69 | legacy-link-pattern | /page/writings/the-journey-from-ai-tasks-to-ai-augmented-workflows | Use a klappy:// URI instead of /page/ path |
| 202 | legacy-link-pattern | /page/docs/oddkit/proactive/proactive-bootstrap | Use a klappy:// URI instead of /page/ path |
| 204 | legacy-link-pattern | /page/docs/examples/project-instructions-template | Use a klappy:// URI instead of /page/ path |
| 260 | legacy-link-pattern | /page/writings/the-journey-from-ai-tasks-to-ai-augmented-workflows | Use a klappy:// URI instead of /page/ path |

writings/the-broken-wall-and-the-buried-talent.md — 1 finding(s)

| Line | Rule | Occurrence | Message |
|---|---|---|---|
| 332 | dead-reference | klappy://draft-zeros/appendix-a-the-biblical-roots | URI does not resolve |

writings/the-voice-came-first.md — 1 finding(s)

| Line | Rule | Occurrence | Message |
|---|---|---|---|
| 244 | dead-reference | klappy://writings/four-questions-that-change-everything | URI does not resolve |

Soft-block mode — this status is informational; the job will not fail. Hard-block ships in PR-3.2 after the observation cycle.

What to do for each finding:

  • Fix the slug if the target now lives at a different klappy:// URI.
  • Remove the link if it is no longer needed.
  • Allowlist with a reason if the rot is intentional (e.g. forward-ref to an upcoming article): place <!-- audit-allow: dead-reference reason="..." --> on the line above the offending link. The directive is line-level and scopes to the next markdown link.

Spec: klappy://docs/oddkit/specs/oddkit-audit · Workflow: .github/workflows/canon-quality.yml · Run: #246

@github-actions

Canon Quality — Homepage Surfacing ✅

46 essay(s) scanned. Soft report — never blocks; the hard field gate is the Frontmatter Schema job.

All published essays resolve to the homepage feed.

Report: scripts/surfacing-report.py · Canon: klappy://canon/constraints/frontmatter-validation-before-merge

@github-actions

Canon Quality — Frontmatter Schema ✅

All 46 file(s) in writings/ conform to klappy://canon/meta/frontmatter-schema.

Validator: scripts/validate-frontmatter.py · Canon: klappy://canon/constraints/frontmatter-validation-before-merge · Run: #246

@github-actions

Canon Quality — P0010 Retrieval-Readiness ⚠️

Soft report for klappy://canon/constraints/retrieval-disclosure-contract. 667 files scanned. Never blocks — informational until the corpus is ready to enforce.

  • Blocking-class findings: 12 (structural fields the contract would filter on)
  • Warnings: 0 (kind resolves to unknown)
  • Informational: 13 (exempt templates/archive/drafts)

Kind distribution: {'essays': 48, 'canon': 223, 'apocrypha': 38, 'docs': 295, 'journals': 57, 'unknown': 6}
Kind source: {'path': 541, 'frontmatter': 120, 'none': 6} (frontmatter-primary, path-secondary)
Default-include visibility: 566 visible, 101 hidden (journals/apocrypha/unknown)

By rule: {'audience-invalid': 2, 'exposure-missing': 5, 'tier-missing': 5, 'tier-invalid': 7, 'kind-unresolvable': 6}

These are not schema violations (see the Frontmatter Schema job for those on writings/). They are corpus-readiness signals for the retrieval contract: invalid/missing audience, exposure, tier, and docs whose kind cannot be resolved. Fix in a corpus-cleanup PR before the contract flips to enforcing. See the retrieval-readiness-findings artifact for the full list.

Validator: scripts/audit-retrieval-readiness.py · Constraint: klappy://canon/constraints/retrieval-disclosure-contract · Run: #246

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.


Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: PAT retired before github_token
    • Updated step 6 of the owner runbook to defer PAT retirement until after the steward's github_token implementation is shipped and verified end-to-end, eliminating the auth gap.


3. Create app → note **App ID** → Generate **private key** (downloads a .pem).
4. Install the app on: `klappy/klappy.dev`, `klappy/outcomes-driven-development`, `klappy/oddkit`. Note the **Installation ID** from the install URL.
5. Worker secrets (never in chat): `wrangler secret put GH_APP_ID`, `GH_APP_INSTALLATION_ID`, `GH_APP_PRIVATE_KEY` on the oddkit worker (or a sibling auth worker if isolation is preferred).
6. Rotate-and-retire the last manual PAT. It is the final one.
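Review bot: Step 3 leaves the app's private key as a downloaded .pem on the owner's machine, and neither step 5 nor step 6 tells the owner to delete that local copy once `wrangler secret put GH_APP_PRIVATE_KEY` has stored it, so a long-lived signing key survives on disk after the runbook declares the PAT retired; add a cleanup step after step 5 (confirm the secret is set, then delete the .pem, and treat any later copy of it as grounds to regenerate the key). Step 6 should also state that the PAT is retired only once the worker's github_token path is verified end to end, otherwise following the steps in order removes the only working auth path.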


PAT retired before github_token

High Severity

The owner runbook’s final step retires the last manual PAT, but the github_token worker action is explicitly deferred to a later steward session. Following the runbook in order removes the only Git auth path before app-minted tokens can be requested.


