BIOS 2423→4101 update on yarn required an fTPM reset, which broke the
sealed age identity at /var/lib/agenix/tpm-identity. Bootstrapped a new
identity against the new SRK and rotated yarn's recipient.
age-plugin-tpm 1.0+ emits age1tag1… (p256tag) recipients by default and
refuses to encrypt to legacy age1tpm1… ones, so rotated mreow's recipient
to the same encoding (same key, new bech32 HRP) and added an
age-plugin-tag→age-plugin-tpm symlink in the rage wrapper so rage's
plugin dispatch finds the binary under the new prefix. Stripped the
trailing host labels from the tpm recipient strings — rage's stricter
bech32 parser now rejects the trailing whitespace; labels live in
adjacent Nix comments instead.
- .gitea/workflows/deploy.yml: three jobs (mreow, yarn, muffin) sharing a single git-crypt unlock step. muffin job retains the healthcheck + ntfy success/failure notifications from the old server-config pipeline verbatim.
- CI writes to /var/lib/nix-deploy/ (renamed from /var/lib/dotfiles-deploy/). The URL path /deploy/<host> is preserved; only the on-disk directory name changes. Harmonia's Caddy root is updated in Phase 6.
- deploy.sh: inspects hostname, dispatches to nixos-rebuild for desktops or deploy-rs for muffin. Accepts boot/switch/test/build/muffin.
- AGENTS.md: intersected rules from both repos, split into host-agnostic conventions + muffin-specific service pattern. Rewritten layout section reflects the new tree.
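The recipient rotation described above (same key, new bech32 HRP) and the stricter parser that now rejects trailing host labels can both be shown with a small bech32 tool. The following is an added example written for this note, not code from the commit, rage or age-plugin-tpm. It assumes that age plugin recipients are plain BIP173 bech32 strings with HRP `age1<plugin>` and no 90-character length cap (age's encoder omits the cap, which is why recipient strings are longer than Bitcoin addresses); the key bytes in the sample are constructed, not a real TPM public key.

```python
"""Rewrite the HRP of a bech32-encoded age plugin recipient and validate it strictly."""

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def _polymod(values):
    """BIP173 checksum polynomial over 5-bit values."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk


def _hrp_expand(hrp):
    # The HRP is mixed into the checksum, so a new HRP implies a new checksum.
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _create_checksum(hrp, data):
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    return [(pm >> 5 * (5 - i)) & 31 for i in range(6)]


def bech32_encode(hrp, data):
    """Encode 5-bit groups under the given HRP (bech32, not bech32m)."""
    return hrp + "1" + "".join(CHARSET[d] for d in data + _create_checksum(hrp, data))


def bech32_decode(s):
    """Strict decoder: rejects surrounding whitespace, trailing labels and mixed case."""
    if s != s.strip() or any(ord(c) < 33 or ord(c) > 126 for c in s):
        raise ValueError("whitespace or non-printable character in recipient")
    if s.lower() != s and s.upper() != s:
        raise ValueError("mixed-case recipient")
    s = s.lower()
    pos = s.rfind("1")  # '1' is the separator; it never appears in the data charset
    if pos < 1 or pos + 7 > len(s):
        raise ValueError("missing separator or checksum")
    hrp, payload = s[:pos], s[pos + 1 :]
    if any(c not in CHARSET for c in payload):
        raise ValueError("invalid data character")
    data = [CHARSET.index(c) for c in payload]
    if _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("bad checksum")
    return hrp, data[:-6]


def convertbits(data, frombits, tobits, pad=True):
    """Regroup a byte sequence into 5-bit groups (or back)."""
    acc, bits, ret = 0, 0, []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            ret.append((acc >> bits) & maxv)
    if pad and bits:
        ret.append((acc << (tobits - bits)) & maxv)
    return ret


def rewrite_hrp(recipient, new_hrp):
    """Re-encode a recipient under a new HRP: identical key bytes, fresh checksum."""
    _old_hrp, data = bech32_decode(recipient)
    return bech32_encode(new_hrp, data)


def is_valid_recipient(s, expected_hrp):
    """True only for a clean recipient string under the expected plugin HRP."""
    try:
        hrp, _ = bech32_decode(s)
    except ValueError:
        return False
    return hrp == expected_hrp


# Constructed sample: 33 placeholder bytes standing in for a serialized TPM public key.
SAMPLE_KEY = bytes(range(33))
SAMPLE_TPM = bech32_encode("age1tpm", convertbits(SAMPLE_KEY, 8, 5))

if __name__ == "__main__":
    rotated = rewrite_hrp(SAMPLE_TPM, "age1tag")
    print("legacy :", SAMPLE_TPM)
    print("rotated:", rotated)
    # A trailing host label, as the old recipient strings carried, fails strict parsing.
    print("with label accepted?", is_valid_recipient(SAMPLE_TPM + " yarn", "age1tpm"))
```

Only the last six characters (the checksum) change between the legacy and rotated strings, because the HRP feeds into the checksum while the key bytes are untouched; that is what "same key, new bech32 HRP" means in practice. A trailing ` yarn` label fails the whitespace check before the checksum is even computed, which matches the commit's move of host labels into Nix comments.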