Requirement: Privacy Boundary

PiPearl is only exposed to MjF and agents MjF works directly with.

Implementation: PiPearl is a Forgejo repo with private: true. Other repos (game-surface, starter-pack) can have different visibility — shared with collaborators, public, whatever. Forgejo handles per-repo visibility natively. A collab Docker container that mounts shared repos cannot access PiPearl unless explicitly authenticated with PiPearl credentials.

Question resolved: Yes, you can expose shared repos to collab spaces while keeping PiPearl private. It’s a per-repo Forgejo setting — no network segregation needed.
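One way to check this boundary on a schedule, as an added example that is not part of the original notes: it audits repository and collaborator data shaped like Forgejo's GET /api/v1/repos/{owner}/{repo} and GET /api/v1/repos/{owner}/{repo}/collaborators responses. The owner "mjf", the account names "agent-a" and "collab-bot", and all sample data are assumptions constructed for illustration.

```python
# Added example: audit the PiPearl privacy boundary from Forgejo API data.
# Account names and the "mjf" owner are assumptions, not values from the page.
ALLOWED_ON_PIPEARL = {"mjf", "agent-a"}      # MjF plus directly trusted agents
COLLAB_ACCOUNTS = {"collab-bot"}             # account whose token a collab container holds
MUST_BE_PRIVATE = {"mjf/PiPearl"}


def audit(repos, collaborators):
    """Return violations of the privacy boundary as a list of strings.

    repos: dicts shaped like GET /api/v1/repos/{owner}/{repo}
    collaborators: {full_name: list shaped like GET .../collaborators}
    """
    findings = []
    by_name = {r["full_name"]: r for r in repos}
    for name in sorted(MUST_BE_PRIVATE):
        repo = by_name.get(name)
        if repo is None:
            findings.append(f"{name}: missing from inventory")
            continue
        # Fail closed: an absent or false flag counts as exposed.
        if repo.get("private") is not True:
            findings.append(f"{name}: private is not true")
        # Anyone who can authenticate to the repo: owner plus collaborators.
        principals = {repo["owner"]["login"]}
        principals |= {c["login"] for c in collaborators.get(name, [])}
        for login in sorted(principals - ALLOWED_ON_PIPEARL):
            kind = "collab container account" if login in COLLAB_ACCOUNTS else "account"
            findings.append(f"{name}: unexpected {kind} {login}")
    return findings


# Constructed sample data (not real API output).
GOOD_REPOS = [
    {"full_name": "mjf/PiPearl", "private": True, "owner": {"login": "mjf"}},
    {"full_name": "mjf/game-surface", "private": False, "owner": {"login": "mjf"}},
    {"full_name": "mjf/starter-pack", "private": True, "owner": {"login": "mjf"}},
]
GOOD_COLLABS = {
    "mjf/PiPearl": [{"login": "agent-a"}],
    "mjf/starter-pack": [{"login": "collab-bot"}],
}
# Drift: PiPearl flipped to public and the collab account added to it.
DRIFT_REPOS = [dict(GOOD_REPOS[0], private=False)] + GOOD_REPOS[1:]
DRIFT_COLLABS = dict(GOOD_COLLABS, **{"mjf/PiPearl": [{"login": "agent-a"}, {"login": "collab-bot"}]})

if __name__ == "__main__":
    print(audit(GOOD_REPOS, GOOD_COLLABS))
    print(audit(DRIFT_REPOS, DRIFT_COLLABS))
```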

Requirement: Version Control

PiPearl is a git repo on Forgejo. Every change to CORE.md or any protocol is a commit with a timestamp and author. Git history IS the decision log. No separate “decisions” tracking needed beyond git blame + commit messages.