claude-agent: grant shared pod executor powers (Forgejo PR, terragrunt apply, kubectl write, MCP)

Elevates the shared claude-agent-service pod (SA claude-agent, ns
claude-agent) so the nextcloud-todos-exec agent can run autonomously.
Viktor explicitly chose to elevate the SHARED service knowing every
agent on the pod inherits these creds — each grant is security-sensitive
and flagged inline for review.

Vault (stacks/vault/main.tf):
- terraform-state k8s-auth role: add `claude-agent` to
  bound_service_account_names (was only `default` — the pod's own SA
  token could not log in, so scripts/tg apply died fetching the PG
  backend password). `default` kept.
- terraform-state policy broadened from `database/static-creds/pg-terraform-state`
  read only to read on database/static-creds/*, database/creds/*,
  secret/data/* and secret/metadata/* — what stacks read at plan/apply
  time. FLAG: grants the shared pod broad Vault READ (effectively all app
  secrets + rotating DB creds); not denied: secret/data/vault.

claude-agent-service stack (stacks/claude-agent-service/main.tf):
- ExternalSecret: add FORGEJO_TOKEN (secret/ci/global -> forgejo_push_token,
  viktor-scoped admin PAT) and HA_MCP_URL (secret/openclaw -> ha_sofia_mcp_url).
- git-init: add url.insteadOf rewrite to authenticate git pushes to
  forgejo.viktorbarzin.me with $FORGEJO_TOKEN (PRs opened via Forgejo API).
- New claude-agent-exec ClusterRole+Binding: cluster-wide
  get/list/watch/create/update/patch/delete on core (incl. secrets),
  apps, batch, networking.k8s.io, rbac roles/rolebindings. Additive to the
  existing read-only claude-agent role; does NOT bind cluster-admin. FLAG:
  very broad — close to cluster-admin in blast radius.
- Vault login: VAULT_ADDR + VAULT_K8S_ROLE env + vault-token-refresher
  sidecar (k8s-auth login role=terraform-state every 30m -> shared
  emptyDir); main container symlinks ~/.vault-token so scripts/tg auto-auths.
- MCP: project-scoped .mcp.json at infra repo root wires `ha` (HTTP,
  ${HA_MCP_URL}) and `paperless` (in-cluster Service, no token in-cluster).

Not applied, not pushed — code only, for human review of the privilege grants.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/vault/main.tf

@@ -558,18 +558,50 @@ resource "vault_kubernetes_auth_backend_role" "openclaw" {
 # --- Terraform State Policy & Role (Claude Agent) ---
 
 resource "vault_policy" "terraform_state" {
-  name   = "terraform-state"
+  name = "terraform-state"
+  # Broadened 2026-06-04 for the claude-agent-service executor elevation
+  # (nextcloud-todos-exec). `scripts/tg apply` of an arbitrary stack needs
+  # to read whatever that stack reads at plan/apply time:
+  #   - database/static-creds/pg-terraform-state — the Tier-1 PG backend
+  #     password (was the only grant before; scripts/tg reads it directly).
+  #   - database/static-creds/* + database/creds/* — app DB passwords that
+  #     stacks pull via `data "vault_kv_secret_v2"` / DB engine.
+  #   - secret/data/* + secret/metadata/* — KV v2 app secrets that the ~14
+  #     hybrid stacks still read at plan time (job commands, Helm
+  #     templatefile, module inputs).
+  # SECURITY: this grants the SHARED claude-agent pod broad Vault READ —
+  # effectively every app secret under secret/ and every rotating DB
+  # credential. Every agent that runs on this pod inherits it. Vault's own
+  # admin/root secrets are under secret/data/vault (covered by secret/data/*
+  # here — NOT explicitly denied; tighten with an explicit deny if that path
+  # must stay out of reach). No write/delete on secret/ or database/.
   policy = <<-EOT
-    path "database/static-creds/pg-terraform-state" {
+    path "database/static-creds/*" {
       capabilities = ["read"]
     }
+    path "database/creds/*" {
+      capabilities = ["read"]
+    }
+    path "secret/data/*" {
+      capabilities = ["read"]
+    }
+    path "secret/metadata/*" {
+      capabilities = ["read", "list"]
+    }
   EOT
 }
 
 resource "vault_kubernetes_auth_backend_role" "terraform_state" {
-  backend                          = vault_auth_backend.kubernetes.path
-  role_name                        = "terraform-state"
-  bound_service_account_names      = ["default"]
+  backend   = vault_auth_backend.kubernetes.path
+  role_name = "terraform-state"
+  # The claude-agent-service pod runs as SA `claude-agent` (see
+  # stacks/claude-agent-service/main.tf), NOT `default`. The original
+  # binding listed only `default`, so the pod's own SA token could not
+  # log in to this role — `scripts/tg apply` died fetching the Tier-1 PG
+  # backend password. `claude-agent` added 2026-06-04 to close that gap
+  # (nextcloud-todos-exec executor elevation). `default` kept for any
+  # legacy/manual SA-token logins from the namespace.
+  bound_service_account_names      = ["claude-agent", "default"]
   bound_service_account_namespaces = ["claude-agent"]
   token_policies                   = [vault_policy.terraform_state.name]
   token_ttl                        = 518400 # 6d (staggered from others: ci=7d, eso=10d, woodpecker=8d, openclaw=9d)