diff --git a/.beads/issues.jsonl b/.beads/issues.jsonl index a7fd794..69677b8 100644 --- a/.beads/issues.jsonl +++ b/.beads/issues.jsonl 
@@ -100,7 +100,7 @@ {"id":"ops-jrz1-oxx","title":"Add disk quota or watchdog for /home","description":"No disk limits for users. Could fill /home. Options: ext4 quotas, btrfs subvolume limits, or simple watchdog.","status":"open","priority":3,"issue_type":"task","created_at":"2026-01-03T08:40:26.188569342-08:00","created_by":"dan","updated_at":"2026-01-03T08:40:26.188569342-08:00"} {"id":"ops-jrz1-p2d","title":"Add egress connection logging","description":"Log all new outbound connections for forensics.\n\n## Config\n```nix\nnetworking.firewall.extraCommands = ''\n # Log all new outbound from regular users\n iptables -A OUTPUT -m state --state NEW -m owner --uid-owner 1000:65534 \\\n -j LOG --log-prefix \"EGRESS: \" --log-level info\n'';\n```\n\n## Usage\n```bash\n# View egress logs\njournalctl -k | grep EGRESS\n\n# Watch live\njournalctl -kf | grep EGRESS\n```\n\n## Notes\n- Logs before rate limit rules (if both implemented)\n- Includes source UID, dest IP, dest port","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T20:17:39.566590459-08:00","created_by":"dan","updated_at":"2026-01-02T21:12:35.575052381-08:00","closed_at":"2026-01-02T21:12:35.575052381-08:00","close_reason":"Closed"} {"id":"ops-jrz1-qj4","title":"Evaluate bun as faster npm alternative for AI tool installs","description":"npm install -g @google/gemini-cli takes ~1 min (580 packages). Bun is much faster. 
Consider: (1) Add bun to system packages, (2) Update dev-add onboarding to suggest bun install -g, (3) Or pre-install popular tools system-wide.","status":"closed","priority":3,"issue_type":"task","created_at":"2026-01-03T12:26:38.457885819-08:00","created_by":"dan","updated_at":"2026-01-04T13:49:50.343836853-08:00","closed_at":"2026-01-04T13:49:50.343836853-08:00","close_reason":"Added bun to systemPackages, updated dev-add.sh to use bun in PATH and onboarding"} -{"id":"ops-jrz1-qts","title":"Plan: Dev access to ops-jrz1 repo for learning and contribution","description":"Use case: Devs on the server can access ops-jrz1 repo to follow along with infra work and potentially contribute.\n\n## Questions\n- Where does canonical repo live? (local laptop, Forgejo on jrz1, GitHub?)\n- Read-only clone vs fork/PR workflow?\n- How do devs authenticate to push? (SSH keys already set up)\n- Do we want contribution workflow or just \"follow along\"?\n\n## Options\n1. **Forgejo on jrz1** - already running, devs have accounts, keeps it self-contained\n2. **GitHub/public mirror** - more familiar, but exposes infra details\n3. **Local clone only** - devs can read ~/proj/ops-jrz1 on server, no push\n4. **Hybrid** - Forgejo primary, mirror to GitHub for visibility\n\n## Current state\n- Repo lives on dan laptop, pushed to git.clarun.xyz (Forgejo)\n- Devs have SSH access to jrz1 but no Forgejo accounts yet\n- Forgejo running at git.clarun.xyz\n\n## Next steps\n- Decide on workflow (read-only vs contrib)\n- Set up access (Forgejo accounts or clone permissions)\n- Document in onboarding","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-05T18:42:23.691289101-08:00","created_by":"dan","updated_at":"2026-01-05T18:42:23.691289101-08:00"} +{"id":"ops-jrz1-qts","title":"RFC: Seamless dev access to ops-jrz1 repo","description":"Devs on jrz1 should be able to access ops-jrz1 repo to learn and potentially contribute. 
Goal: minimal friction, leverage existing SSH access.\n\n## Options explored\n\n### 1. Bare repo on server (simplest)\n```\n/srv/git/ops-jrz1.git\n```\n- Devs clone via filesystem or SSH\n- Zero setup - already have access\n- \"PR\" = branch + Matrix conversation\n- No web UI\n\n### 2. Forgejo API provisioning\n- dev-add.sh creates Forgejo account + SSH key via API\n- Full web UI, real PRs\n- More setup but polished workflow\n\n### 3. Forgejo PAM auth\n- Unix users auto-authenticate to Forgejo\n- Needs password or SSH key sync\n- More complex\n\n### 4. Gitolite\n- Lightweight, reads authorized_keys directly\n- Less UI, seamless auth\n\n## Questions\n- Do we need web UI / PR workflow, or is branch + conversation enough?\n- Is this for learning (read-only) or real contribution?\n- How many devs realistically?\n\n## Recommendation\nStart with option 1 (bare repo) - zero friction, test the workflow. Graduate to option 2 if PR workflow needed.","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-05T18:42:23.691289101-08:00","created_by":"dan","updated_at":"2026-01-05T18:52:35.398669839-08:00"} {"id":"ops-jrz1-qxr","title":"mautrix-slack message edit panic (upstream bug)","description":"Bridge upgraded to v25.11. Need to verify if edit panic is fixed by testing a Slack message edit. 
Watch logs: journalctl -u mautrix-slack -f | grep -E 'ERR|panic|edit'","status":"closed","priority":2,"issue_type":"bug","created_at":"2025-12-05T18:22:38.18203834-08:00","updated_at":"2025-12-05T19:36:00.556011621-08:00","closed_at":"2025-12-05T19:36:00.556011621-08:00","dependencies":[{"issue_id":"ops-jrz1-qxr","depends_on_id":"ops-jrz1-03o","type":"blocks","created_at":"2025-12-05T18:24:23.259399275-08:00","created_by":"daemon","metadata":"{}"}]} {"id":"ops-jrz1-rkp","title":"Add egress abuse watchdog","description":"Monitor for users hitting egress rate limits, kill if sustained.\n\n## Script: /usr/local/bin/egress-watchdog\n```bash\n#\\!/usr/bin/env bash\n# Kill users who keep hitting egress limits\nTHRESHOLD=10 # EGRESS-LIMIT hits per minute\nCOUNTFILE=\"/var/lib/egress-watchdog\"\nmkdir -p \"$COUNTFILE\"\n\n# Count recent limit hits per UID\njournalctl -k --since \"1 minute ago\" 2\u003e/dev/null | grep \"EGRESS-LIMIT\" | \\\n grep -oP 'UID=\\K[0-9]+' | sort | uniq -c | while read count uid; do\n \n user=$(getent passwd \"$uid\" | cut -d: -f1)\n [ -z \"$user\" ] \u0026\u0026 continue\n \n if [ \"$count\" -gt \"$THRESHOLD\" ]; then\n strikes=$(cat \"$COUNTFILE/$user\" 2\u003e/dev/null || echo 0)\n strikes=$((strikes + 1))\n echo \"$strikes\" \u003e \"$COUNTFILE/$user\"\n logger -t egress-watchdog \"User $user hit egress limit $count times (strike $strikes/3)\"\n \n if [ \"$strikes\" -ge 3 ]; then\n /usr/local/bin/killswitch \"$user\" \"egress abuse ($count hits)\"\n rm -f \"$COUNTFILE/$user\"\n fi\n else\n rm -f \"$COUNTFILE/$user\"\n fi\ndone\n```\n\n## Behavior\n- Runs every minute (same timer as CPU watchdog, or separate)\n- 3 consecutive minutes of \u003e10 blocked connections = kill\n- Works with egress rate limiting (ops-jrz1-cmv)\n\n## Dependencies\n- Requires ops-jrz1-cmv (egress rate limiting)\n- Requires ops-jrz1-396 (killswitch 
script)","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T20:21:09.516724064-08:00","created_by":"dan","updated_at":"2026-01-03T06:02:02.132992356-08:00","closed_at":"2026-01-03T06:02:02.132992356-08:00","close_reason":"Egress watchdog deployed and tested. Script monitors EGRESS-LIMIT kernel log entries, tracks strikes per user, kills after 3 strikes.","dependencies":[{"issue_id":"ops-jrz1-rkp","depends_on_id":"ops-jrz1-396","type":"blocks","created_at":"2026-01-02T20:21:14.314011866-08:00","created_by":"dan"},{"issue_id":"ops-jrz1-rkp","depends_on_id":"ops-jrz1-cmv","type":"blocks","created_at":"2026-01-02T20:21:14.352411765-08:00","created_by":"dan"}]} {"id":"ops-jrz1-s8x","title":"Add health check endpoint for Matrix homeserver monitoring","description":"modules/dev-services.nix Matrix service has no health check for monitoring. Add nginx location for /_matrix/client/versions health probe.","status":"open","priority":4,"issue_type":"task","created_at":"2026-01-05T15:44:34.407481321-08:00","created_by":"dan","updated_at":"2026-01-05T15:44:34.407481321-08:00"}
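Review bot: the rewritten ops-jrz1-qts description recommends a bare repo at `/srv/git/ops-jrz1.git` with "PR" = branch + Matrix conversation, but it no longer states who may push to that repo or how it stays in sync with the canonical copy on git.clarun.xyz that the removed text named; a branch-based workflow needs write access for devs, so the RFC should spell out the permission model for the repo directory (read-only clone for everyone vs. a shared Unix group that can push) and which side is the source of truth. The removed version also carried the caveat that a mirror "exposes infra details", which is dropped here even though the repo being opened up contains this `.beads/issues.jsonl` file with the egress-watchdog thresholds and killswitch behaviour; suggest keeping that as an item under "Questions" before settling on option 1.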