add infra credentials setup (gitignored secrets, shared template)

.claude/infra.md.example

@@ -0,0 +1,37 @@
+# Infrastructure Access — TEMPLATE
+# Copy to .claude/infra.md and fill in real values.
+# Share the real file via 1Password / Vault / `age` encrypted blob — NEVER commit it.
+
+## Dokploy
+- **Dashboard**: https://dokploy.example.com
+- **API Token**: `dkp_...`
+- **SSH User**: `deploy`
+- **SSH Host**: `dokploy.example.com`
+- **SSH Port**: `22`
+- **SSH Key Path**: `~/.ssh/id_dokploy`   ← or reference a 1Password SSH key
+
+## Servers
+| Name       | IP / Host              | SSH User | Notes          |
+|------------|------------------------|----------|----------------|
+| prod-1     | 10.0.0.1               | deploy   | primary node   |
+| staging-1  | 10.0.0.2               | deploy   | staging node   |
+
+## Docker Registry
+- **Registry**: `ghcr.io/your-org`
+- **Username**: `bot`
+- **Token**: `ghp_...`
+
+## DNS / Cloudflare
+- **API Token**: `cf_...`
+- **Zone ID**: `...`
+
+## Monitoring
+- **Grafana URL**: https://grafana.example.com
+- **API Key**: `eyJ...`
+
+## Database
+- **Prod Postgres**: `postgres://user:pass@host:5432/db`
+- **Staging Postgres**: `postgres://user:pass@host:5432/db_staging`
+
+## Other Secrets
+<!-- Add anything else Claude Code needs to manage your infra -->

.gitignore

@@ -7,6 +7,7 @@ __pycache__/
 
 # API keys — never commit real credentials
 .env
+.claude/infra.md
 
 .pi/agent-sessions/
 

CLAUDE.md

@@ -1,5 +1,10 @@
 # Pi vs CC — Extension Playground
 
+## Infrastructure Access
+**Always read `.claude/infra.md` at the start of every session** — it contains live credentials and connection details.
+To set up: copy `.claude/infra.md.example` → `.claude/infra.md` and fill in real values.
+**Team distribution**: share the real file via 1Password shared vault (or `age`-encrypted blob, never git).
+
 Pi Coding Agent extension examples and experiments.
 
 ## Tooling