M2 GATE: green build via push (Drone + exec runner); OAuth bootstrap script + docs

Build #1 success (clone+hello on exec runner). Drone<->Gitea OAuth scripted as
one-time bootstrap-drone-oauth.sh. M2 claimed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/install.md

@@ -49,7 +49,22 @@ curl -ks --resolve drone.ci.commoninternet.net:443:<gateway-ip> \
 > it survives a momentary drop, and **use the absolute flake path** (systemd units run with cwd `/`):
 > `systemd-run --unit=ccci-sw --property=Type=oneshot nixos-rebuild switch --flake /root/cc-ci#cc-ci`
 
-## 2. (later milestones) comment-bridge, dashboard, recipe enrollment
+## 2. One-time: link Drone ↔ Gitea (OAuth grant)
+
+The only manual post-rebuild step. Drone needs the bot's Gitea OAuth token (granted by an
+interactive login) before it can sync/clone repos; this can't be Nix-declared without putting the
+bot password on the box. The token then persists in Drone's `data` volume.
+
+```sh
+GITEA_USERNAME=autonomic-bot GITEA_PASSWORD=… bash scripts/bootstrap-drone-oauth.sh
+# -> "drone login ok (admin=true)" / "repo recipe-maintainers/cc-ci active=true"
+```
+
+Verify a build runs green: push any commit to the cc-ci repo and watch
+`https://drone.ci.commoninternet.net` (or the API) — the push webhook (set on activation) triggers
+the `.drone.yml` self-test on the exec runner.
+
+## 3. (later milestones) comment-bridge, dashboard, recipe enrollment
 
 See `docs/enroll-recipe.md` (D5), `docs/secrets.md` (D6), `docs/runbook.md`. Each new piece of infra
 is added as another idempotent reconcile oneshot, so this install stays a single `nixos-rebuild`.