--- name: recipe-mirrors-public-org-blocker description: "Recipe mirrors are public repos but the recipe-maintainers ORG is private-visibility, so anon reads 404; bot can't flip the org" metadata: node_type: memory type: project originSessionId: f7960036-d990-4a21-a81e-f7c486d97fea --- As of 2026-06-09 all 21 recipe mirrors under `recipe-maintainers` were flipped `private=false` (secret-scanned first), to power the Recipe Report's live PR-STATUS column via the tokenless same-origin proxy `report.ci.commoninternet.net/pr//` (shipped in cc-ci `nix/modules/reports.nix`). BUT the **org itself is `visibility: private`**, which makes Gitea 404 all its repos for anonymous users — so the live STATUS column shows a muted "?" instead of open/✓. **Blocker:** `autonomic-bot` cannot flip the org (PATCH `/orgs/recipe-maintainers` → 403 "Must be an organization owner"; `is_admin=false`; the basic-auth credential lacks `write:organization` scope, even though the bot is in the Owners team). Confirmed model: `autonomic-cooperative` is a public org and its repos ARE anonymously visible; `recipe-maintainers` is private and they are not. **Why:** the whole live-status feature is dark until this is resolved. Private repos stay hidden even in a public org, so flipping the org public does NOT expose the four locked-private repos (`cc-ci`, `cc-ci-secrets`, `cc-ci-orchestrator`, `archived-cc-ci-orchestrator`). **How to apply:** operator (an org owner) must set `recipe-maintainers` org visibility to **public** in the Gitea UI (Settings → make org public), OR provision a token with `write:organization` scope. The instant that happens, the proxy returns 200 PR JSON and the column lights up — no redeploy needed. Verify: `curl https://report.ci.commoninternet.net/pr/cryptpad/5` should return PR JSON, not a 404. Related: [[push-commits-to-remote]].