PopeBot Operations
Audited by Socket on Mar 1, 2026
1 alert found:
Malware: This is an operations runbook for PopeBot that legitimately requires high-privilege tokens (GitHub PAT, Ollama API key) and describes Git/Docker/gh workflows. I found no direct evidence of malicious code or exfiltration to attacker-controlled hosts. However, multiple operational guidance items are risky: embedding PATs in git remote URLs, passing tokens on command lines, and recovery procedures that can reintroduce secrets from history. These practices materially increase the chance of accidental credential leakage in a public repository environment. Recommendation: avoid token-in-URL, use ephemeral secrets injection (GitHub Actions secrets, docker run --env-file from secure stores, or gh auth login within an ephemeral runner), scrub history before recovery if secrets leaked, and limit token scopes. Overall risk is operational (credential exposure) rather than malicious behavior.