fix(mirror): restrict main_only mode to main+tags (Ganymede review)

Finding #1 (recommendation, applied): infra-mode now pushes only main + tags
to GitHub. Agent review branches (epimetheus/*, ganymede/*) stay Forgejo-only.
Public GitHub history reflects merged work, not pre-review WIP with internal
agent context.

Bidirectional mode unchanged — codex still mirrors all branches so external
contributors can fork from any branch.

Nit #4: setup script m3taversal username has a comment explaining it's a
placeholder for fine-grained PAT auth, mirrors the existing teleo-codex remote.

Two pre-existing nits filed for follow-up branch:
- hardcoded `living-ip:` in GH_PR_NUM head filter (line 273)
- spurious CRITICAL log on GH→forgejo→GH cycles (re-fetch forgejo after Step 2.5)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy/setup-infra-mirror.sh

@@ -72,6 +72,9 @@ cd "$REPO_DIR"
 # Forgejo remote (origin convention is reversed in this codebase: origin=GitHub,
 # forgejo=Forgejo, matching the existing teleo-codex.git layout).
 FORGEJO_REMOTE_URL="http://github-mirror:${FORGEJO_TOKEN}@localhost:3000/teleo/teleo-infrastructure.git"
+# NOTE: "m3taversal" is a placeholder username — for fine-grained PATs the
+# username field is decorative; the token does the auth. Matches the existing
+# teleo-codex.git remote for consistency. (Ganymede review nit #4.)
 GITHUB_REMOTE_URL="https://m3taversal:${GITHUB_PAT}@github.com/${GITHUB_REPO}.git"
 
 if git remote get-url forgejo >/dev/null 2>&1; then

deploy/sync-mirror.sh

@@ -149,16 +149,29 @@ for pr in prs:
         fi
     fi
 
-    if [ "$PUSH_MAIN" = true ]; then
+    if [ "$MODE" = "main_only" ]; then
-        git push origin --all --force >> "$LOG" 2>&1 || log "WARN: Push to GitHub failed"
+        # Infra-style mirror: push main + tags ONLY. Pre-review agent branches
+        # (epimetheus/*, ganymede/*, etc.) carry internal context — agent UUIDs,
+        # in-flight discussion, WIP — and must not land in the public GitHub
+        # history. (Ganymede review, finding #1.)
+        if [ "$PUSH_MAIN" = true ]; then
+            git push origin --force "refs/heads/main:refs/heads/main" >> "$LOG" 2>&1 || \
+                log "WARN: main push to GitHub failed"
+        fi
     else
-        # Push all branches except main
+        # Bidirectional mirror (codex): push all branches so external
-        while read branch; do
+        # contributors can fork from any branch, not just main.
-            [ "$branch" = "main" ] && continue
+        if [ "$PUSH_MAIN" = true ]; then
-            [ "$branch" = "HEAD" ] && continue
+            git push origin --all --force >> "$LOG" 2>&1 || log "WARN: Push to GitHub failed"
-            git push origin --force "refs/heads/$branch:refs/heads/$branch" >> "$LOG" 2>&1 || \
+        else
-                log "WARN: Failed to push $branch to GitHub"
+            # Push all branches except main when main is divergent
-        done < <(git for-each-ref --format="%(refname:lstrip=2)" refs/heads/)
+            while read branch; do
+                [ "$branch" = "main" ] && continue
+                [ "$branch" = "HEAD" ] && continue
+                git push origin --force "refs/heads/$branch:refs/heads/$branch" >> "$LOG" 2>&1 || \
+                    log "WARN: Failed to push $branch to GitHub"
+            done < <(git for-each-ref --format="%(refname:lstrip=2)" refs/heads/)
+        fi
     fi
     git push origin --tags --force >> "$LOG" 2>&1 || log "WARN: Tag push to GitHub failed"