
feat: mirror freenet-core HEAD to Freenet-hosted demo repo #4040

Merged
sanity merged 3 commits into main from feat-mirror-to-freenet, May 6, 2026

Conversation


@sanity sanity commented May 6, 2026

Summary

  • Adds .github/workflows/mirror-to-freenet.yml which calls the reusable workflow at freenet/freenet-git/.github/workflows/mirror-repo.yml (merged in freenet-git#17).
  • Triggers: push to main, workflow_dispatch, daily cron (11:42 UTC) as a safety net for missed pushes.
  • Mode is snapshot because freenet-core's git history (~176 MiB) is larger than what the repo contract can hold. Each run rebuilds the demo as a single orphan commit of HEAD's tracked tree -- consumers get current source, no history.

Demo URL

freenet:3GEERif5ihbf/freenet-core (replaces the old AaRxPZVdWrPh demo, which was created from a passphrase-encrypted bundle that doesn't fit a CI workflow).

Required secrets (already configured on this repo)

  • FREENET_GIT_IDENTITY_BUNDLE_BASE64 — base64 of the no-passphrase bundle that owns the new prefix.
  • FREENET_GIT_WS_URL — same value as RIVER_GATEWAY_URL.

Test plan

  • Reusable workflow merged on the freenet-git side (#17).
  • Initial state for 3GEERif5ihbf/freenet-core already published manually (clonable today via git clone freenet::3GEERif5ihbf/freenet-core).
  • Rescue workflow on the freenet-git side smoke-tested — green in 3m45s against the live demo URLs.
  • After merge: confirm a push to main triggers the workflow and produces a fresh snapshot. The first run will overwrite the manually-published initial state.

[AI-assisted - Claude]

Adds .github/workflows/mirror-to-freenet.yml which invokes the
reusable workflow at freenet/freenet-git/.github/workflows/mirror-repo.yml
on every push to main, every workflow_dispatch, and once a day as a
safety net. The mirror lives at:

  freenet:3GEERif5ihbf/freenet-core

Mode is `snapshot` because freenet-core's git history (~176 MiB) is
larger than what the repo contract can hold. Each run rebuilds the
demo as a single orphan commit of HEAD's tracked tree -- so a clone
gets the current source but no history. See the reusable workflow's
header for the rationale and the `freenet_git_extra_args` escape
hatch for future flag additions.

Required secrets (already configured):

- `FREENET_GIT_IDENTITY_BUNDLE_BASE64` -- base64 of the no-passphrase
  identity bundle that owns the prefix `3GEERif5ihbf`.
- `FREENET_GIT_WS_URL` -- WebSocket URL of a reachable Freenet node;
  same value as `RIVER_GATEWAY_URL`.

Liveness (cache warm-keeping) is handled by the `rescue-demos`
workflow in freenet-git itself; this workflow only handles content
freshness.

[AI-assisted - Claude]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

github-actions Bot commented May 6, 2026

Rule Review: No issues found

Rules checked: .claude/rules/git-workflow.md
Files reviewed: 1 (.github/workflows/mirror-to-freenet.yml)

Warnings

None.

Info

None.


Analysis notes:

The PR adds a single GitHub Actions workflow file — no Rust code, no production logic, no tests to check. Against the applicable rules:

  • PR title (feat: mirror freenet-core HEAD to Freenet-hosted demo repo, 58 chars): follows conventional commits and is under the 72-char limit ✓
  • SHA-pinned reusable workflow: the file pins to a specific merge SHA rather than @main, and the inline comment explicitly explains the supply-chain reasoning — this is the correct posture per the git-workflow stdlib-first / supply-chain guidance ✓
  • Secrets scope: secrets: inherit is deliberately avoided; only the two required secrets are forwarded, and the comment explains exactly why (inherit would expose unrelated credentials) ✓
  • No fix: prefix, so the regression-test requirement doesn't apply ✓

PR description sections (## Problem / ## Solution / ## Testing / ## Fixes) could not be verified from the diff alone — the gh pr view command was not available in this environment. If the description is missing sections, that would be a WARNING per the rules, but cannot be confirmed here.


Rule review against .claude/rules/. WARNING findings block merge.

Codex P1 + Skeptical H1+H2 on PR #4040:

- `@main` -> SHA-pinned to the merge commit of freenet-git#17. With
  `secrets: inherit` (next bullet) any commit to freenet-git/main
  could exfiltrate every secret in this repo. SHA-pinning closes that
  vector. Bumps to the reusable workflow now require an explicit ref
  change here, which is the desired blast radius.

- `secrets: inherit` -> explicit pass-through of just the two
  secrets the reusable workflow declares as required. Avoids leaking
  Apple notarization keys, Claude OAuth, OpenAI key, Matrix tokens,
  River signing key into whatever Rust/install/git-push code path the
  reusable workflow happens to run. Same blast-radius logic.

[AI-assisted - Claude]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
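The two changes in the commit message above (pin the reusable workflow to a commit SHA instead of `@main`; forward only the two required secrets instead of `secrets: inherit`) are mechanically checkable before review. The following is an added example, not the merged `mirror-to-freenet.yml` and not freenet-git code: a POSIX shell check that flags any `uses:` reference whose ref is not a full 40-hex commit SHA and any `secrets: inherit`, run against two constructed caller workflows shaped like the "before" and "after" of this PR. The workflow text is reconstructed from the PR description only; the reusable workflow's input name (`mode`) and the job name are assumptions, and the pin uses the freenet-git#17 merge SHA quoted in the thread.

```shell
#!/bin/sh
# Added example, not the freenet-core workflow file or freenet-git code.
# check_workflow FILE: report `uses:` references not pinned to a full 40-hex
# commit SHA, and any `secrets: inherit`. Exit 0 if clean, 1 otherwise.
set -eu

check_workflow() {
    file=$1
    findings=$(
        # `uses:` lines (job-level reusable workflows and step-level actions)
        # whose ref after '@' is not a 40-hex SHA; local ./paths carry no ref.
        grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$file" \
            | grep -vE 'uses:[[:space:]]*\./' \
            | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' \
            | sed 's/^/unpinned uses: /'
        # A job forwarding every secret of the caller repo to the callee.
        grep -nE '^[[:space:]]*secrets:[[:space:]]*inherit([[:space:]]|$)' "$file" \
            | sed 's/^/secrets inherit: /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed "before": the shape the review flagged. Input name `mode` is assumed.
bad_workflow() {
    cat <<'EOF'
name: Mirror to Freenet
on:
  push:
    branches: [main]
  workflow_dispatch:
  schedule:
    - cron: '42 11 * * *'   # daily 11:42 UTC safety net
jobs:
  mirror:
    uses: freenet/freenet-git/.github/workflows/mirror-repo.yml@main
    with:
      mode: snapshot
    secrets: inherit
EOF
}

# Constructed "after": pinned to the freenet-git#17 merge SHA from the thread,
# forwarding only the two secrets the reusable workflow declares as required.
good_workflow() {
    cat <<'EOF'
name: Mirror to Freenet
on:
  push:
    branches: [main]
  workflow_dispatch:
  schedule:
    - cron: '42 11 * * *'
jobs:
  mirror:
    # Bumping the callee is an explicit ref change here, reviewed like any diff.
    uses: freenet/freenet-git/.github/workflows/mirror-repo.yml@362e547c7035d28968651d2f4106fbfa891c31e2
    with:
      mode: snapshot
    secrets:
      FREENET_GIT_IDENTITY_BUNDLE_BASE64: ${{ secrets.FREENET_GIT_IDENTITY_BUNDLE_BASE64 }}
      FREENET_GIT_WS_URL: ${{ secrets.FREENET_GIT_WS_URL }}
EOF
}

# Demo: the "before" produces two findings, the "after" is clean.
d=$(mktemp -d)
bad_workflow > "$d/before.yml"
good_workflow > "$d/after.yml"
check_workflow "$d/before.yml" || true
check_workflow "$d/after.yml" && echo "after.yml: clean"
rm -rf "$d"
```

The SHA check is deliberately strict about length: a short SHA like `4a4ab09` or a tag still lets the callee's content move under the caller, so only a full 40-hex ref counts as pinned. Drop this into a pre-commit hook or a CI job that runs over `.github/workflows/*.yml`.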

sanity commented May 6, 2026

Addressed Codex P1 + Skeptical H1/H2: pinned @main to the merge SHA of freenet-git#17 (362e547c7035d28968651d2f4106fbfa891c31e2) and replaced secrets: inherit with explicit pass-through of just the two secrets the reusable workflow declares as required.

Pushed back / deferring:

  • Skeptical H3 (snapshot orphan commit picks up wall-clock time → daily cron creates a new commit hash even when the source is unchanged). Real issue, but the fix belongs in the reusable workflow in freenet-git, not these caller PRs. Will follow up with a separate PR there to set GIT_AUTHOR_DATE/GIT_COMMITTER_DATE from the source commit's %cI so the orphan commit is deterministic.
  • Skeptical M2 (no paths: filter — every commit to main mirrors). Reasonable optimization but not blocking; would tune paths-ignore: ['*.md', 'docs/**', '.github/**'] after observing real workflow usage.
  • Skeptical M1, L1, L3: comment polish / minor; not blocking. Caller workflow_dispatch: is a usable manual recovery button per the verified-safe analysis.

[AI-assisted - Claude]

Bumps `freenet/freenet-git/.github/workflows/mirror-repo.yml@<sha>`
from 362e547 to 4a4ab09. The new SHA includes freenet-git#18, which
fixes the snapshot-mode wall-clock-time issue flagged by the
skeptical reviewer (H3): orphan commits now use deterministic
author/committer dates derived from the source commit, so daily
cron runs against an unchanged source no longer mint new commit
hashes and force-push fresh contract writes.

[AI-assisted - Claude]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
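The deterministic-date fix described in the commit message above (freenet-git#18) and the snapshot mode described in the PR description, as an added example that is not freenet-git's `mirror-repo.yml`: a shell function that rebuilds a destination repository as a single orphan commit of the source HEAD's tracked tree, with author and committer identity fixed and both dates taken from the source commit's `%cI`, so the commit id is stable across runs until the source changes. The sample source repository and the `mirror` identity are constructed for the example; the real reusable workflow's flags and layout are not on this page and are not reproduced here.

```shell
#!/bin/sh
# Added example (not freenet-git's mirror-repo.yml): build one orphan commit
# from a source repo's HEAD tree with dates pinned to the source commit, so an
# unchanged source reproduces the same commit id on every run.
set -eu

# snapshot_commit SRC DST
# (Re)creates DST as a repository whose only commit holds SRC's HEAD tracked
# tree. Prints the snapshot commit id.
snapshot_commit() {
    src=$1
    dst=$2
    src_head=$(git -C "$src" rev-parse HEAD)
    # %cI: committer date of the source commit in strict ISO 8601.
    src_date=$(git -C "$src" log -1 --format=%cI "$src_head")

    rm -rf "$dst"
    git init -q "$dst"
    # Fetch the source objects so HEAD's tree object exists here; a later push
    # only sends what the snapshot commit reaches, not the fetched history.
    git -C "$dst" fetch -q "$src" HEAD
    tree=$(git -C "$dst" rev-parse 'FETCH_HEAD^{tree}')

    # No parent => orphan commit. Identity and both dates are fixed, so the id
    # depends only on the tree and the source commit id named in the message.
    commit=$(GIT_AUTHOR_NAME=mirror GIT_AUTHOR_EMAIL=mirror@example.invalid \
             GIT_COMMITTER_NAME=mirror GIT_COMMITTER_EMAIL=mirror@example.invalid \
             GIT_AUTHOR_DATE="$src_date" GIT_COMMITTER_DATE="$src_date" \
             git -C "$dst" commit-tree "$tree" -m "Snapshot of $src_head")
    git -C "$dst" update-ref HEAD "$commit"
    printf '%s\n' "$commit"
}

# Constructed sample source repo: one commit, fixed identity and date.
make_sample_repo() {
    dir=$1
    git init -q "$dir"
    printf 'hello\n' > "$dir/a.txt"
    git -C "$dir" add a.txt
    GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid \
    GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid \
    GIT_AUTHOR_DATE=2026-05-06T11:42:00+00:00 GIT_COMMITTER_DATE=2026-05-06T11:42:00+00:00 \
        git -C "$dir" commit -q -m init
}

# Demo: two runs against the same source yield the same snapshot id.
work=$(mktemp -d)
make_sample_repo "$work/src"
one=$(snapshot_commit "$work/src" "$work/demo")
two=$(snapshot_commit "$work/src" "$work/demo")
[ "$one" = "$two" ] && echo "deterministic snapshot: $one"
rm -rf "$work"
```

Without the two `GIT_*_DATE` assignments, `commit-tree` stamps the wall-clock time, and a daily cron run over an unchanged tree mints a fresh commit id and forces a new write to the contract, which is the H3 finding. With them, the only inputs to the id are the tree and the source commit, so a force-push of an identical snapshot is a no-op for the consumer.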
@sanity sanity enabled auto-merge May 6, 2026 17:00
@sanity sanity added this pull request to the merge queue May 6, 2026
Merged via the queue into main with commit 1e96d15 May 6, 2026
13 checks passed
@sanity sanity deleted the feat-mirror-to-freenet branch May 6, 2026 17:22