Prepare Renovate bot against Gitea (F-12) + doc sweep

renovate.json: gitea platform, autodiscover Micha/*, group rules
(major separate, minor+patch+digest grouped, stateful tier-1
individual, komodo-major disabled), pin range strategy, no
automerge, dependency dashboard enabled.

ops/renovate/run-renovate.sh: one-shot docker run wrapper that
reads the Gitea PAT from /mnt/user/appdata/secrets/renovate_token.txt,
runs renovate/renovate:41, logs into /mnt/user/services/renovate/logs/.

docs/RENOVATE.md: 5-step operator setup (Gitea service account,
PAT, token file, first run, six-hourly user script). Explicit
no-automerge stance with notfall-stop checklist.

Cross-doc sweep: SECRETS_MAP entry for renovate_token.txt,
REPO_MAP entry for RENOVATE.md, AUDIT_2026-05-25_TODO new
Sprint 8 with F-15, F-07, F-09 rest, F-12 status, MIGRATION_LOG
captures the four-block sprint in one entry.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

renovate.json

@@ -0,0 +1,80 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":dependencyDashboard",
+    ":semanticCommits",
+    "schedule:weekly"
+  ],
+  "platform": "gitea",
+  "endpoint": "https://git.kaleschke.info/api/v1",
+  "username": "renovate",
+  "gitAuthor": "Renovate Bot <renovate@kaleschke.info>",
+  "onboarding": false,
+  "requireConfig": "optional",
+  "autodiscover": true,
+  "autodiscoverFilter": ["Micha/*"],
+  "dependencyDashboardTitle": "Renovate Dependency Dashboard",
+  "prHourlyLimit": 0,
+  "prConcurrentLimit": 5,
+  "branchConcurrentLimit": 10,
+  "labels": ["dependencies"],
+  "rangeStrategy": "pin",
+  "lockFileMaintenance": {
+    "enabled": false
+  },
+  "docker-compose": {
+    "fileMatch": [
+      "(^|/)docker-compose([^/]*)\\.ya?ml$",
+      "(^|/)compose([^/]*)\\.ya?ml$"
+    ]
+  },
+  "dockerfile": {
+    "enabled": true
+  },
+  "packageRules": [
+    {
+      "description": "Major-Updates getrennt sammeln, manuell mergen",
+      "matchUpdateTypes": ["major"],
+      "groupName": "major-updates",
+      "groupSlug": "major-updates",
+      "automerge": false,
+      "labels": ["dependencies", "major"]
+    },
+    {
+      "description": "Patch- und Minor-Digest-Updates fuer stabile Images zusammenfassen",
+      "matchUpdateTypes": ["minor", "patch", "digest"],
+      "matchManagers": ["docker-compose", "dockerfile"],
+      "groupName": "minor-and-patch-updates",
+      "groupSlug": "minor-patch-updates",
+      "automerge": false,
+      "labels": ["dependencies", "minor-patch"]
+    },
+    {
+      "description": "Stateful Tier-1 (Postgres, Mongo, Redis): keine Auto-Group, einzelne PRs, kein Auto-Merge",
+      "matchPackageNames": [
+        "postgres",
+        "mongo",
+        "redis",
+        "tensorchord/pgvecto-rs"
+      ],
+      "groupName": null,
+      "automerge": false,
+      "labels": ["dependencies", "stateful-tier1"]
+    },
+    {
+      "description": "Komodo Major-Tag (release :2 mit Digest-Pin) wird nicht von Renovate auf :3 hochgesetzt",
+      "matchPackageNames": [
+        "ghcr.io/moghtech/komodo-core",
+        "ghcr.io/moghtech/komodo-periphery"
+      ],
+      "matchUpdateTypes": ["major"],
+      "enabled": false
+    }
+  ],
+  "ignorePaths": [
+    "**/_archive/**",
+    "ops/grafana-influxdb/**",
+    "ops/loki/**"
+  ]
+}