Amend PAT transcendence plan with challenge findings#249

Merged: klappy merged 4 commits into main from pat-transcendence-challenge-amendments, Jun 10, 2026

Conversation

klappy (Owner) commented Jun 10, 2026

Seven amendments from oddkit_challenge (planning mode, 2026-06-09), per E0010 — findings go to the doc:

  1. Rotation reframe — rotation moved (PAT-in-chat → rarely-rotated .pem in worker secrets), it didn't cease.
  2. Escalation path acknowledged — Workflows RW means CI modification with the repo's GITHUB_TOKEN; accepted because changes are visible under the bot identity. New section.
  3. Middleware as load-bearing dependency — the bearer-token middleware becomes the entire security boundary; cited explicitly.
  4. Cache spec — expiry-aware, keyed on (repositories, permissions); flat TTL serves near-dead tokens, scope-blind keys leak broad tokens to narrow requests.
  5. PKCS#8 runbook step — GitHub ships PKCS#1; Workers WebCrypto needs PKCS#8. openssl pkcs8 -topk8 one-liner added.
  6. Sequencing gate — last PAT retires only after github_token passes fresh-context validation; otherwise lockout risk.
  7. Public-template disclosure — per explore: credential relay as product (deferred to strategy meeting) #248, the escalation acknowledgment becomes a README requirement if the self-host template ships.

Also adds complements: frontmatter linking the middleware handoff and #248 exploration, dates the stock-connector comparison (as of June 2026), and names the retraction condition / 6B tripwire.

Plan shape unchanged — challenge verdict was block_until_addressed: false. Build gate (6B borrow evaluation) is named in the doc and lands before any code.
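The cache spec in item 4 above, worked as an added example (my code, not the project's): an installation-token cache that is expiry-aware and keyed on the canonical (repositories, permissions) scope, showing why a flat TTL and a scope-blind key each fail. `makeFakeMinter` is a constructed stand-in for the real GitHub App token call, and the 60-second refresh margin is an assumed value.

```javascript
// Added example, not the project's code: an expiry-aware installation-token
// cache keyed on the exact (repositories, permissions) scope requested.
// `mintToken` is a hypothetical stand-in for the GitHub App token call.
const REFRESH_MARGIN_MS = 60_000; // assumed: never serve a token within 60s of expiry

function scopeKey(repositories, permissions) {
  // Canonical key: sorted repos + sorted permission pairs. Equal scopes share
  // a key; a broad grant can never be returned for a narrower request.
  const repos = [...repositories].sort();
  const perms = Object.keys(permissions).sort().map((k) => `${k}=${permissions[k]}`);
  return JSON.stringify([repos, perms]);
}

class ScopedTokenCache {
  constructor(mintToken, now) {
    this.mintToken = mintToken; // async ({repositories, permissions}) -> {token, expiresAt}
    this.now = now;             // injectable clock (ms) so expiry can be tested
    this.entries = new Map();
  }
  async get(repositories, permissions) {
    const key = scopeKey(repositories, permissions);
    const hit = this.entries.get(key);
    // Expiry-aware: reuse only if the token outlives the refresh margin,
    // instead of trusting a flat TTL fixed when it was cached.
    if (hit && hit.expiresAt - this.now() > REFRESH_MARGIN_MS) return hit.token;
    const fresh = await this.mintToken({ repositories, permissions });
    this.entries.set(key, fresh);
    return fresh.token;
  }
}

// Constructed minter: a distinct token per call, valid one hour from issue.
function makeFakeMinter(now) {
  let n = 0;
  return async () => ({ token: `ghs_fake_${++n}`, expiresAt: now() + 3_600_000 });
}

async function demo() {
  const clock = { t: 0 }, now = () => clock.t;
  const cache = new ScopedTokenCache(makeFakeMinter(now), now);
  const broadScope = [['repo-a', 'repo-b'], { contents: 'write', workflows: 'write' }];
  const broad = await cache.get(...broadScope);
  // Same scope, different argument order: canonical key -> cache hit.
  const same = await cache.get(['repo-b', 'repo-a'], { workflows: 'write', contents: 'write' });
  // Narrower request: must mint its own token, never receive the broad one.
  const narrow = await cache.get(['repo-a'], { contents: 'read' });
  clock.t = 3_600_000 - 30_000; // 30s before the broad token expires: inside margin
  const refreshed = await cache.get(...broadScope); // -> re-minted, not the dying token
  return { broad, same, narrow, refreshed };
}
```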


Note: Low Risk. Internal planning documentation only; no runtime, auth, or application code changes.

Overview
Amends the PAT transcendence planning doc with seven oddkit_challenge findings (E0010): rotation is reframed (PAT-in-chat → rarely rotated worker-held key; token expiry replaces PAT rotation), Workflows RW / CI escalation is called out explicitly, and the MCP bearer middleware is documented as the load-bearing security boundary once github_token exists.

The owner runbook gains a PKCS#8 conversion step for Workers WebCrypto and a sequencing gate—do not retire the last PAT until github_token validates in a fresh session. Implementation notes add a 6B borrow build gate, an expiry-aware cache keyed on (repositories, permissions), and an executed 6B evaluation table (~190-line minimal build). New sections cover accepted escalation, public template naming (git-repo-auth-mcp) and README disclosure (#248), stock-connector retraction/tripwire language, and the v0.2 bridge model (OAuth front door, per-user grants). Frontmatter adds complements: links to the middleware handoff and credential-relay exploration.

Reviewed by Cursor Bugbot for commit 3749cf9. Bugbot is set up for automated code reviews on this repo.

Seven amendments from oddkit_challenge (planning mode, 2026-06-09):
rotation reframe, workflow-write escalation acknowledgment, middleware
dependency citation, expiry+scope-aware cache spec, PKCS#8 runbook step,
PAT-retirement sequencing gate, public-template README disclosure.
github-actions Bot commented Jun 10, 2026

Canon Quality — Homepage Surfacing ✅

46 essay(s) scanned. Soft report — never blocks; the hard field gate is the Frontmatter Schema job.

All published essays resolve to the homepage feed.

Report: scripts/surfacing-report.py · Canon: klappy://canon/constraints/frontmatter-validation-before-merge

github-actions Bot commented Jun 10, 2026

Canon Quality — P0010 Retrieval-Readiness ⚠️

Soft report for klappy://canon/constraints/retrieval-disclosure-contract. 668 files scanned. Never blocks — informational until the corpus is ready to enforce.

  • Blocking-class findings: 12 (structural fields the contract would filter on)
  • Warnings: 0 (kind resolves to unknown)
  • Informational: 13 (exempt templates/archive/drafts)

Kind distribution: {'essays': 48, 'canon': 223, 'apocrypha': 38, 'docs': 296, 'journals': 57, 'unknown': 6}
Kind source: {'path': 541, 'frontmatter': 121, 'none': 6} (frontmatter-primary, path-secondary)
Default-include visibility: 567 visible, 101 hidden (journals/apocrypha/unknown)

By rule: {'audience-invalid': 2, 'exposure-missing': 5, 'tier-missing': 5, 'tier-invalid': 7, 'kind-unresolvable': 6}

These are not schema violations (see the Frontmatter Schema job for those on writings/). They are corpus-readiness signals for the retrieval contract: invalid/missing audience, exposure, tier, and docs whose kind cannot be resolved. Fix in a corpus-cleanup PR before the contract flips to enforcing. See the retrieval-readiness-findings artifact for the full list.

Validator: scripts/audit-retrieval-readiness.py · Constraint: klappy://canon/constraints/retrieval-disclosure-contract · Run: #253

github-actions Bot commented Jun 10, 2026

Canon Quality — Frontmatter Schema ✅

All 46 file(s) in writings/ conform to klappy://canon/meta/frontmatter-schema.

Validator: scripts/validate-frontmatter.py · Canon: klappy://canon/constraints/frontmatter-validation-before-merge · Run: #253

github-actions Bot commented Jun 10, 2026

Canon Quality — oddkit_audit

No dead klappy:// references or legacy link patterns found in writings/. 48 files scanned.

Spec: klappy://docs/oddkit/specs/oddkit-audit · Workflow: .github/workflows/canon-quality.yml · Run: #253

klappy added 3 commits June 9, 2026 23:46

Descriptive/searchable per commodity-as-advertisement; forge-agnostic
naming clears GitHub trademark restrictions; app instance keeps
oddkit-steward for audit provenance. Adds gh-scoped-creds and
github-app-user-auth as 6B comparison rows.

Borrow: agents createMcpHandler + @modelcontextprotocol/sdk +
@octokit/auth-app (cache spec satisfied by construction).
Bide inspected-and-rejected (foundational gap) with tripwire retained.
Build = minimal (~190 lines).

@klappy klappy merged commit c3a4724 into main Jun 10, 2026
5 checks passed
@klappy klappy deleted the pat-transcendence-challenge-amendments branch June 10, 2026 15:16