Add cgit web interface for browsing repos

Adds cgit as a web frontend for browsing git repositories. Visiting the
base domain now shows a cgit repo index with trees, commits, diffs, and
blame views. Public repos (marked with git-daemon-export-ok) are browsable
and cloneable over HTTPS.

- Install cgit during host init
- Configure cgit with dark theme and base domain integration
- Add cgit CGI handler to base domain Caddyfile
- Update README to emphasize git-centric workflow with cgit frontend

1 files changed, 1 insertions, 1 deletions

diff --git a/SECURITY.md b/SECURITY.md
index ad04094..2d7a96e 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -26,7 +26,7 @@ Git's `safe.directory` is set only for the `www-data` user (not system-wide), pr
 The `git` user is in the `docker` group, which is root-equivalent (can mount the host filesystem). Additionally, `.ship/service` files pushed via git are installed as systemd units. Anyone with SSH push access effectively has root. This is intentional for a single-user tool.
 
 ### Git repo visibility
-Repos are private by default (not cloneable over HTTPS). Use `ship init --public` to make a repo publicly cloneable. This is controlled by the `git-daemon-export-ok` marker file in each bare repo. Only public repos are accessible via `go get` or `git clone` over HTTPS.
+Repos are private by default (not cloneable over HTTPS). Use `ship init --public` to make a repo publicly cloneable. This is controlled by the `git-daemon-export-ok` marker file in each bare repo. Only public repos are accessible via `go get` or `git clone` over HTTPS. The cgit web interface respects the same model — it is configured with `export-ok=git-daemon-export-ok`, so only public repos are browsable.
 
 ### User-controlled systemd units
 The `.ship/service` file in each repo is copied to `/etc/systemd/system/` on push. A malicious service file could run arbitrary commands as root. This is equivalent to the Docker access risk above.