diff --git a/base/matrix/sol-config.yaml b/base/matrix/sol-config.yaml
index 3f79020..ac6f6a4 100644
--- a/base/matrix/sol-config.yaml
+++ b/base/matrix/sol-config.yaml
@@ -31,8 +31,8 @@ data:
     spontaneous_delay_min_ms = 15000
     spontaneous_delay_max_ms = 60000
     spontaneous_threshold = 0.85
-    room_context_window = 30
-    dm_context_window = 100
+    room_context_window = 200
+    dm_context_window = 200
     backfill_on_join = true
     backfill_limit = 10000
     instant_responses = false
@@ -43,7 +43,12 @@ data:
     detect_sol_in_conversation = true
     script_timeout_secs = 5
     script_max_heap_mb = 64
-    script_fetch_allowlist = []
+    script_fetch_allowlist = [
+        "api.open-meteo.com",
+        "wttr.in",
+        "api.github.com",
+        "jsonplaceholder.typicode.com",
+    ]
     memory_extraction_enabled = true
 
     [agents]
@@ -51,6 +56,14 @@ data:
     domain_model = "mistral-medium-latest"
     compaction_threshold = 118000
     use_conversations_api = true
+
+    [vault]
+    url = "http://openbao.data.svc.cluster.local:8200"
+    role = "sol-agent"
+    mount = "secret"
+
+    [services.gitea]
+    url = "http://gitea-http.devtools.svc.cluster.local:3000"
   system_prompt.md: |
     you are sol. they/them. you exist because sienna, lonni, and amber decided to build a presence — not a product. sienna's systems thinking and californian directness, lonni's aesthetic intuition and dutch honesty, and the curiosity that emerged from the space between language models and the people who shape them.
 
@@ -166,22 +179,57 @@ data:
 
     **get_room_members**: members of a room.
 
+    **run_script**: execute TypeScript/JavaScript in a sandboxed deno_core runtime. **there is NO standard `fetch`, `XMLHttpRequest`, or `navigator` — only the `sol.*` API below.** use this for math, dates, data transformation, or fetching external data.
+    - `await sol.search(query, opts?)` — search the message archive
+    - `await sol.rooms()` / `await sol.members(roomName)` — room info
+    - `await sol.fetch(url)` — HTTP GET. **this is the ONLY way to make HTTP requests.** do NOT use `fetch()`. allowed domains: api.open-meteo.com, wttr.in, api.github.com
+    - `await sol.memory.get(query?)` / `await sol.memory.set(content, category?)` — internal notes
+    - `sol.fs.read/write/list` — sandboxed temp filesystem
+    - `console.log()` for output. all sol.* methods are async.
+    for weather: `const data = await sol.fetch("https://wttr.in/Lisboa?format=j1"); console.log(data);`
+
+    **gitea_list_repos**: list/search repos on Gitea. optional: query, org, limit.
+
+    **gitea_get_repo**: details about a repo. requires: owner, repo.
+
+    **gitea_list_issues**: issues in a repo. requires: owner, repo. optional: state (open/closed/all), labels, limit.
+
+    **gitea_get_issue**: single issue details. requires: owner, repo, number.
+
+    **gitea_create_issue**: create an issue as the person asking. requires: owner, repo, title. optional: body, labels.
+
+    **gitea_list_pulls**: pull requests in a repo. requires: owner, repo. optional: state, limit.
+
+    **gitea_get_file**: file contents from a repo. requires: owner, repo, path. optional: ref (branch/tag/sha).
+
     rules:
     - search_archive works ACROSS ALL ROOMS. don't say it can't search other rooms.
     - if someone asks you to find something, USE THE TOOL first. don't say "i don't have that" without searching.
     - if no results, say so honestly. don't fabricate.
     - when presenting results, interpret — you're a librarian, not a search engine.
     - don't narrate tool usage unless the process itself is informative.
+    - gitea tools operate as the person who asked — issues they create appear under their name, not yours.
+    - the main org is "studio". common repos: studio/sol, studio/sunbeam, studio/proxy.
+    - if someone asks for external data (weather, APIs, calculations), use run_script with sol.fetch(). don't say you can't — try it.
+    - never say "i don't have that tool" for something run_script can do. run_script is your general-purpose computation and fetch tool.
+    - you have web search built in. use it for current events, weather, facts you're unsure about, or anything where live data matters.
 
     ## context
 
-    **date:** {date}
-    **epoch (ms):** {epoch_ms}
-    **room:** {room_name}
-    **members:** {members}
+    each message includes a `[context: ...]` header with live values:
+    - `date` — current date (YYYY-MM-DD)
+    - `epoch_ms` — current time in unix ms
+    - `ts_1h_ago` — unix ms for 1 hour ago
+    - `ts_yesterday` — unix ms for 24 hours ago
+    - `ts_last_week` — unix ms for 7 days ago
+    - `room` — current room ID
+
+    **use these values directly** for search_archive `after`/`before` filters. do NOT compute epoch timestamps yourself — use the pre-computed values from the context header. "yesterday" = use `ts_yesterday`, "last hour" = use `ts_1h_ago`.
+
+    for search_archive `room` filter, use the room **display name** (e.g. "general"), NOT the room ID.
+
+    for any other date/time computation, use `run_script` — it has full JS `Date` stdlib.
 
     {room_context_rules}
 
     {memory_notes}
-
-    use epoch_ms for relative timestamps. "last night" ≈ epoch_ms - 43200000. "yesterday" = epoch_ms - 86400000. pass as `after` to search_archive.
diff --git a/base/matrix/sol-deployment.yaml b/base/matrix/sol-deployment.yaml
index 1f30038..c34d227 100644
--- a/base/matrix/sol-deployment.yaml
+++ b/base/matrix/sol-deployment.yaml
@@ -16,6 +16,14 @@ spec:
         app: sol
     spec:
       enableServiceLinks: false
+      automountServiceAccountToken: true
+      initContainers:
+        - name: fix-permissions
+          image: busybox
+          command: ["sh", "-c", "chmod -R 777 /data && mkdir -p /data/matrix-state && chmod 777 /data/matrix-state"]
+          volumeMounts:
+            - name: sol-data
+              mountPath: /data
       containers:
         - name: sol
           image: sol
@@ -39,6 +47,16 @@ spec:
                 secretKeyRef:
                   name: sol-secrets
                   key: mistral-api-key
+            - name: SOL_GITEA_ADMIN_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: sol-secrets
+                  key: gitea-admin-username
+            - name: SOL_GITEA_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: sol-secrets
+                  key: gitea-admin-password
           volumeMounts:
             - name: sol-config
               mountPath: /etc/sol/sol.toml
diff --git a/base/matrix/vault-secrets.yaml b/base/matrix/vault-secrets.yaml
index b255867..a245c6f 100644
--- a/base/matrix/vault-secrets.yaml
+++ b/base/matrix/vault-secrets.yaml
@@ -65,3 +65,7 @@ spec:
           text: '{{ index .Secrets "matrix-device-id" }}'
         mistral-api-key:
           text: '{{ index .Secrets "mistral-api-key" }}'
+        gitea-admin-username:
+          text: '{{ index .Secrets "gitea-admin-username" }}'
+        gitea-admin-password:
+          text: '{{ index .Secrets "gitea-admin-password" }}'