2026-06-12: full KiteStacks session sync

- KiteStacks migration memory updated: OSticket live, Portainer SSO live
  on both monk+kscloud1, portainer.kitestacks.com HTTP 200, CF noTLSVerify
  fixed via API, auth code TTL bumped 1->10min, Karakeep redirect_uri fixed
- Oracle Cloud ARM migration next: user provisioning manually (Ampere A1,
  4 OCPU, 24GB RAM). OSticket x86-only issue to solve on Oracle side.
- CF API token kitestacks-dns-fix needs rolling (was exposed in chat)
- Portainer admin creds: monk=admin/n1t1MvVHCdcXWIIu, kscloud1=kenpat7177/same
- Added: feedback-forgejo-redaction, project-a-plus-core2 memories

feedback-forgejo-redaction.md

@@ -0,0 +1,18 @@
+---
+name: feedback-forgejo-redaction
+description: "Always redact IPs, ports, and passwords in any files committed to the homelab Forgejo repo"
+metadata: 
+  node_type: memory
+  type: feedback
+  originSessionId: 20e70bfb-0880-4ec4-aece-a21855bb3dfe
+---
+
+Always redact IPs, ports, and passwords before committing or editing any file in the KiteStacks homelab Forgejo repo (kitestacks-homelab). This applies to all documents: RUNBOOK.md, docs/, projects/, DEBUG-DOCUMENTATION.md, README.md, etc.
+
+**Why:** Security — user does not want real infrastructure details (IPs, port bindings, credentials) in the public Forgejo repository.
+
+**How to apply:**
+- IPs → descriptive placeholders like `<KSCLOUD1_PUBLIC_IP>`, `<MONK_LAN_IP>`, `<KSCLOUD1_TAILSCALE_IP>`, etc.
+- Port numbers in host bindings, IP:port combos, explicit app URLs → `<port>` placeholder
+- Passwords, sudo passwords, OAuth secrets → `<password>` or descriptive placeholder like `<KSCLOUD1_SUDO_PASSWORD>`
+- Apply proactively when writing new content for these docs, not just on request