M3 start: comment-bridge source (stdlib) + bridge secrets in sops

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

JOURNAL.md

@@ -266,3 +266,22 @@ clone success exit 0; hello success exit 0 — log shows `whoami=root`, `abra 0.
 **Next:** M3 — comment-bridge service: Gitea issue_comment webhook → verify HMAC + `!testme` exact +
 collaborator → resolve PR head repo/SHA → trigger a parameterized Drone build; post a PR comment with
 the run link. Need a Drone API token for the bridge (mint from the bot's Drone account).
+
+## 2026-05-26 — M3 start: bridge secrets + comment-bridge source
+
+**Secrets (sops):** minted a Gitea API token (`cc-ci-bridge`, scopes read:org/user, write:repo/issue),
+a Drone API token (`POST /api/user/token`, the stable personal token; rotates on call), and a webhook
+HMAC (urandom hex64). Stored as bridge_gitea_token / bridge_drone_token / bridge_webhook_hmac via
+`sops set` (host age identity). secrets.yaml now holds 6 secrets.
+
+**bridge/bridge.py** (Python stdlib only, §4.1): POST /hook handler — verifies Gitea HMAC
+(`X-Gitea-Signature` sha256), requires `X-Gitea-Event: issue_comment`, action=created, body trimmed
+== `!testme`, issue is a PR; checks commenter is a collaborator (Gitea collaborators endpoint, 204);
+resolves PR head sha+repo; triggers a parameterized Drone build
+(`POST /api/repos/<CI_REPO>/builds?branch=main&RECIPE&REF&PR&SRC`, custom params → pipeline env);
+posts a PR comment linking the run. Secrets read from mounted files; config via env. `/healthz` GET.
+
+**Next:** package the bridge as a swarm service (dockerTools image, no Docker Hub pull) behind
+traefik at `ci.commoninternet.net/hook` via a reconcile oneshot (modules/bridge.nix); register a
+per-repo webhook with the HMAC; demo on a scratch PR (!testme triggers; non-!testme + non-collab
+rejected). That's the M3 gate.