Clarify root GitHub credential ownership

root 2026-05-27 11:10:42 +00:00
parent 6a4e289edc
commit 547a9d00fa
2 changed files with 19 additions and 6 deletions

View File

@ -260,6 +260,17 @@ Verification recorded on 2026-05-27:
For write operations, create a separate repo-scoped token and store it in a new root-only token file. Do not reuse this read-focused token for broad automation unless the required scope is explicitly reviewed first. For write operations, create a separate repo-scoped token and store it in a new root-only token file. Do not reuse this read-focused token for broad automation unless the required scope is explicitly reviewed first.
## GitHub credential ownership
Root Git operations already have GitHub push credentials through the root Git credential store. Root is the operator account for both:
- `https://github.com/saravanakumardb/learning_ai_devops_tools.git`
- `https://github.com/umadev0931/uma_hostinger_hermes_vm.git`
Uma does not need a separate `/home/uma/.git-credentials` file for the current workflow because repo maintenance and pushes are performed from root. Do not copy root GitHub credentials into Uma's home directory unless there is a concrete need for Uma-user GitHub pushes.
Remaining audit item: confirm in GitHub that the root token is fine-grained or otherwise limited to the intended repos and permissions. Do not print the token while checking this.
## Telegram topics and session handling ## Telegram topics and session handling
Root and Uma currently use the standard Telegram gateway session handling. Do not enable or change topic/session behavior without a concrete routing need. Root and Uma currently use the standard Telegram gateway session handling. Do not enable or change topic/session behavior without a concrete routing need.
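Review bot: the new "GitHub credential ownership" section names two repos owned by different GitHub users (`saravanakumardb` and `umadev0931`) and says root is the operator account for both, but never records which GitHub account the stored token belongs to, and the "Remaining audit item" only asks whether the token is fine-grained. Git's `store` helper selects credentials by protocol and host, and both remotes are `https://github.com`, so a single stored entry is presented to both repos unless `credential.useHttpPath` is set; the audit should therefore name the token's owning account, confirm it legitimately has write access to both repos, and state the path of the "root Git credential store" so the file can be checked. Two checks that satisfy "Do not print the token": `grep -c 'github_pat_' <credential file>` to count fine-grained entries (classic tokens carry the `ghp_` prefix instead), and `stat -c %a <credential file>` to confirm the file is root-only mode 600, which matters given the instruction not to copy it into Uma's home.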

View File

@ -9,12 +9,13 @@
## Completion Status ## Completion Status
- **Overall checklist completion:** ~68% (`122/179` checked after the 2026-05-27 Gitea/Hermes Git smoke test). - **Overall checklist completion:** ~68% (`122/179` checked after the 2026-05-27 Gitea/Hermes Git smoke test).
- **Credential-independent setup:** materially further along; remaining blockers are mostly provider/search credentials, GitHub automation token, Uma backup design, and policy decisions. - **Credential-independent setup:** materially further along; remaining blockers are mostly provider/search credentials, GitHub token scope audit, Uma backup design, and policy decisions.
- vijay: percentage is based on literal Markdown checklist boxes, including nested sub-items. It intentionally counts credential-dependent future work as incomplete. - vijay: percentage is based on literal Markdown checklist boxes, including nested sub-items. It intentionally counts credential-dependent future work as incomplete.
## Remaining Unchecked Item Classification ## Remaining Unchecked Item Classification
- **Needs credentials/API keys:** fallback provider setup, web search/extract backend, GitHub automation token, Browserbase/Browser Use, and provider fallback tests. - **Needs credentials/API keys:** fallback provider setup, web search/extract backend, Browserbase/Browser Use, and provider fallback tests.
- **Needs credential audit:** GitHub push credentials already exist for root Git operations, including root-managed pushes to Uma's GitHub repo; least-privilege scope still needs to be verified from GitHub.
- **Needs explicit policy decision:** Cloudflare Access/basic-auth public fallback, model-routing tiers, local browser automation, vision/image provider choice, `security.redact_secrets`, `privacy.redact_pii`, and credential rotation. - **Needs explicit policy decision:** Cloudflare Access/basic-auth public fallback, model-routing tiers, local browser automation, vision/image provider choice, `security.redact_secrets`, `privacy.redact_pii`, and credential rotation.
- **Needs Uma backup design:** Uma/Bheem currently has a clean VM wrapper repo, but not a root-style sanitized Hermes persistent backup/restore workflow. - **Needs Uma backup design:** Uma/Bheem currently has a clean VM wrapper repo, but not a root-style sanitized Hermes persistent backup/restore workflow.
- **Needs manual UX validation:** dashboard feature-by-feature checks, Telegram approval prompt flow, and Telegram media/file delivery. - **Needs manual UX validation:** dashboard feature-by-feature checks, Telegram approval prompt flow, and Telegram media/file delivery.
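Review bot: the new "Needs credential audit" bullet says least-privilege scope "still needs to be verified from GitHub" but gives the audit no pass criterion; state the expected minimum (for example, Contents read/write limited to the two tracking repos and no account- or org-level permissions) so whoever checks it can close the item against a concrete target rather than a judgement call. It would also help to list the fields the audit must record (token type, owning account, repo list), since "GitHub push credentials already exist for root Git operations" is a finding, not a blocker, and on its own does not tell a reader what remains to be done.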
@ -63,7 +64,8 @@ Observed on 2026-05-26:
- last status: ok - last status: ok
- Config version: `24` after `hermes doctor --fix` migration on 2026-05-27; root and Uma both verified at config v24 - Config version: `24` after `hermes doctor --fix` migration on 2026-05-27; root and Uma both verified at config v24
- Telegram credentials are present - Telegram credentials are present
- Most optional provider/API keys are not configured, including OpenRouter, Google/Gemini, Anthropic, Firecrawl/Tavily/Exa, Browserbase/Browser Use, GitHub token, FAL, and ElevenLabs - Most optional provider/API keys are not configured, including OpenRouter, Google/Gemini, Anthropic, Firecrawl/Tavily/Exa, Browserbase/Browser Use, FAL, and ElevenLabs
- GitHub push credentials are configured for root Git operations through the root credential store; root also performs Uma repo pushes because root has access to `https://github.com/umadev0931/uma_hostinger_hermes_vm`
- `hermes doctor --fix` completed on 2026-05-27; it migrated config v23 → v24 and left only manual provider/API-key setup as the main optional follow-up - `hermes doctor --fix` completed on 2026-05-27; it migrated config v23 → v24 and left only manual provider/API-key setup as the main optional follow-up
- User preference: do **not** expose the Hermes dashboard publicly - User preference: do **not** expose the Hermes dashboard publicly
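Review bot: the added bullet sits under "Observed on 2026-05-26:" but is new in this commit dated 2026-05-27, while the neighbouring bullets that changed in the same period carry their date explicitly (`hermes doctor --fix` ... on 2026-05-27); date this observation the same way. The phrase "root has access to `https://github.com/umadev0931/uma_hostinger_hermes_vm`" also states a capability without saying how it was established, whether by an actual push or only by the presence of a stored credential; say which, because a stored credential does not by itself show that the remote accepted a write.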
@ -234,7 +236,7 @@ A healthy ByteLyst Hermes setup should be:
- [ ] Browserbase/Browser Use - [ ] Browserbase/Browser Use
- [ ] Configure GitHub/Gitea automation credentials with least privilege. - [ ] Configure GitHub/Gitea automation credentials with least privilege.
- vijay: root local Gitea read-only Git path is configured with `/root/.local/bin/gitea-git` plus `GIT_ASKPASS`; the token remains in `/root/.gitea_npm_token_home` and was not printed. Verified direct Git and Hermes one-shot read access to `http://localhost:3300/bytelyst/learning_ai_common_plat.git`. - vijay: root local Gitea read-only Git path is configured with `/root/.local/bin/gitea-git` plus `GIT_ASKPASS`; the token remains in `/root/.gitea_npm_token_home` and was not printed. Verified direct Git and Hermes one-shot read access to `http://localhost:3300/bytelyst/learning_ai_common_plat.git`.
- vijay: still unchecked because GitHub automation credentials are separate and have not been provisioned. - vijay: GitHub push credentials are already configured for root Git operations through `/root/.git-credentials`; root performs pushes for both root and Uma tracking repos. Still unchecked until GitHub token repo/scope permissions are audited as least-privilege.
- [ ] Add vision/image capability if screenshots, diagrams, or UI reviews are common. - [ ] Add vision/image capability if screenshots, diagrams, or UI reviews are common.
- [x] Validate the active Telegram toolset includes the capabilities ByteLyst expects: - [x] Validate the active Telegram toolset includes the capabilities ByteLyst expects:
- vijay: `hermes doctor --fix` reported browser, clarify, code_execution, cronjob, terminal, delegation, file, memory, messaging, session_search, skills, todo, tts, vision, video, and related toolsets available; web remains blocked by missing search backend API key. - vijay: `hermes doctor --fix` reported browser, clarify, code_execution, cronjob, terminal, delegation, file, memory, messaging, session_search, skills, todo, tts, vision, video, and related toolsets available; web remains blocked by missing search backend API key.
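Review bot: the updated vijay note records that GitHub push credentials live in `/root/.git-credentials`, the plaintext file used by `git credential-store`, while the Gitea note directly above stresses that its token stays in a separate root-only file and is delivered through `GIT_ASKPASS` so it is never embedded in Git config. The two credential paths now differ in how the secret is held, and the note does not say so; either record the GitHub file's permissions (root-only, mode 600) as part of the pending audit, or note whether the GitHub token is expected to move to the same askpass wrapper pattern as Gitea. Leaving the checklist box unchecked is consistent with the audit still being open.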
@ -411,7 +413,7 @@ A healthy ByteLyst Hermes setup should be:
- vijay: documented restore drill and restored root backup into `/tmp/hermes-restore-test-root`. - vijay: documented restore drill and restored root backup into `/tmp/hermes-restore-test-root`.
- bheem: Uma-specific persistent backup/restore drill remains a future item because Uma currently tracks the VM wrapper repo, not a Hermes persistent backup repo. - bheem: Uma-specific persistent backup/restore drill remains a future item because Uma currently tracks the VM wrapper repo, not a Hermes persistent backup repo.
- [ ] Add Gitea/GitHub least-privilege automation credential path. - [ ] Add Gitea/GitHub least-privilege automation credential path.
- vijay: Gitea path is complete for root via `/root/.local/bin/gitea-git`; GitHub path remains pending, so this combined item stays unchecked. - vijay: Gitea path is complete for root via `/root/.local/bin/gitea-git`; GitHub push path exists in root's credential store and is used for root-managed pushes, including Uma repo updates. Least-privilege scope verification remains pending, so this combined item stays unchecked.
### Medium-Term — This Month ### Medium-Term — This Month
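Review bot: the item "Add Gitea/GitHub least-privilege automation credential path" now bundles a completed read-only Gitea path with an unaudited push-capable GitHub path, so it stays unchecked until two unrelated pieces of work are done. Splitting it into a Gitea item (checkable now, per the note) and a GitHub item (audit pending) would let the completion count on the status line reflect the actual state; as written, the finished Gitea work is invisible in the `122/179` figure.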
@ -488,7 +490,7 @@ This roadmap is complete when:
- vijay: installed `/root/.local/bin/gitea-git-askpass` and `/root/.local/bin/gitea-git` so Hermes/Git can authenticate to local Gitea without embedding tokens in remotes or Git config. - vijay: installed `/root/.local/bin/gitea-git-askpass` and `/root/.local/bin/gitea-git` so Hermes/Git can authenticate to local Gitea without embedding tokens in remotes or Git config.
- vijay: verified direct Git read operation: `gitea-git ls-remote http://localhost:3300/bytelyst/learning_ai_common_plat.git HEAD` returned HEAD `59c4638f85be...`. - vijay: verified direct Git read operation: `gitea-git ls-remote http://localhost:3300/bytelyst/learning_ai_common_plat.git HEAD` returned HEAD `59c4638f85be...`.
- vijay: verified the same read-only operation through Hermes one-shot; Hermes reported success and only the truncated HEAD hash. - vijay: verified the same read-only operation through Hermes one-shot; Hermes reported success and only the truncated HEAD hash.
- vijay: documented the exact safe token flow in `docs/hermes-operations.md`; GitHub automation token remains a separate future credential item. - vijay: documented the exact safe token flow in `docs/hermes-operations.md`; corrected GitHub status to show credentials already exist for root-managed pushes, with least-privilege scope audit still pending.
## Notes For Future Transcript Pass ## Notes For Future Transcript Pass
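Review bot: the rewritten log entry says the GitHub status was "corrected" but not what the earlier wording got wrong (the replaced line treated the GitHub token as an unprovisioned future item). For a dated log, record the mistake alongside the correction so later readers can see why the 2026-05-27 entries disagree with earlier ones; and if the new "GitHub credential ownership" section lives in a file other than `docs/hermes-operations.md`, name it here, since the entry currently points at that doc only for the Gitea token flow.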