diff --git a/.github/workflows/instant-sync.yml b/.github/workflows/instant-sync.yml
index d022c3e0..a18edfdc 100644
--- a/.github/workflows/instant-sync.yml
+++ b/.github/workflows/instant-sync.yml
@@ -15,7 +15,15 @@ jobs:
   dispatch:
     runs-on: ubuntu-latest
     steps:
+      # Gate the cross-repo repository_dispatch on FARM_DISPATCH_TOKEN
+      # being configured. Without the PAT, peter-evans/repository-dispatch
+      # falls back to GITHUB_TOKEN — which cannot dispatch cross-repo and
+      # returns HTTP 401 "Bad credentials", failing the job. Caught 39
+      # estate repos on the 2026-05-30 audit. With this gate the workflow
+      # gracefully skips on repos where the secret has not been
+      # propagated, instead of red-ing main on every push.
       - name: Trigger Propagation
+        if: ${{ secrets.FARM_DISPATCH_TOKEN != '' }}
         uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v3
         with:
           token: ${{ secrets.FARM_DISPATCH_TOKEN }}
@@ -29,6 +37,13 @@ jobs:
             "forges": ""
           }
 
+      - name: Skipped (FARM_DISPATCH_TOKEN not configured)
+        if: ${{ secrets.FARM_DISPATCH_TOKEN == '' }}
+        env:
+          REPO_NAME: ${{ github.event.repository.name }}
+        run: |
+          echo "::notice::FARM_DISPATCH_TOKEN secret not configured on ${REPO_NAME}; skipping cross-repo dispatch. Configure the org-level FARM_DISPATCH_TOKEN PAT (repo scope) to enable instant forge propagation."
+
       - name: Confirm
         env:
           REPO_NAME: ${{ github.event.repository.name }}
diff --git a/.github/workflows/mirror-reusable.yml b/.github/workflows/mirror-reusable.yml
index db35cd71..d500f00f 100644
--- a/.github/workflows/mirror-reusable.yml
+++ b/.github/workflows/mirror-reusable.yml
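Review bot: The gate `if: ${{ secrets.FARM_DISPATCH_TOKEN != '' }}` on the Trigger Propagation step only covers an absent secret; a PAT that is present but revoked, expired, or lacking the repo scope still reaches repository-dispatch and fails with the same 401 the new comment describes, so the comment overstates what is closed. Suggest ending the comment block with `# An invalid or expired PAT is not caught by this gate and still fails the step.` so the next person reading a red run knows where to look. The new `if` is evaluated at step level, where the `secrets` context is available, so the gate itself is sound; it would not work if moved to a job-level `if`.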
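Review bot: The Skipped step in the second hunk reports the missing secret with `::notice::`, which does not appear in the checks summary the way a warning does, so a repo whose secret was never propagated now stays green indefinitely with propagation silently stopped; `echo "::warning::FARM_DISPATCH_TOKEN secret not configured on ${REPO_NAME}; ..."` keeps the job green but surfaces it in the run's annotations. The `Confirm` step that follows is not gated on the secret and its body continues outside the hunk, so whatever it reports will run even when the dispatch was skipped; if it prints a success message, it should carry the same `if: ${{ secrets.FARM_DISPATCH_TOKEN != '' }}` guard.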
@@ -156,16 +156,34 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+      # All Radicle steps gate on secrets.RADICLE_KEY being set on the
+      # caller repo (resolved via `secrets: inherit`). Without this gate
+      # the workflow burned ~3 minutes of Rust+Radicle install on every
+      # push to every RADICLE_MIRROR_ENABLED repo only to fail at
+      # `~/.radicle/keys/radicle: No such file or directory` because the
+      # `echo "" > ...` write into a non-existent dir errors out — and
+      # even if the dir existed, the empty-key write would never sync.
+      # Caught 26 estate repos on the 2026-05-30 audit. The vars gate
+      # answers "is Radicle mirror desired here?"; the secret gate
+      # answers "are we configured to actually do it?".
       - name: Setup Rust
+        if: ${{ secrets.RADICLE_KEY != '' }}
         uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
         with:
           toolchain: stable
       - name: Install Radicle
+        if: ${{ secrets.RADICLE_KEY != '' }}
         run: |
           cargo install radicle-cli --locked
           echo "$HOME/.cargo/bin" >> $GITHUB_PATH
       - name: Mirror to Radicle
+        if: ${{ secrets.RADICLE_KEY != '' }}
         run: |
+          mkdir -p ~/.radicle/keys
           echo "${{ secrets.RADICLE_KEY }}" > ~/.radicle/keys/radicle
           chmod 600 ~/.radicle/keys/radicle
           rad sync --announce || echo "Radicle sync attempted"
+      - name: Skipped (RADICLE_KEY not configured)
+        if: ${{ secrets.RADICLE_KEY == '' }}
+        run: |
+          echo "::notice::RADICLE_MIRROR_ENABLED=true but secrets.RADICLE_KEY is empty. Skipping Radicle mirror. Configure the RADICLE_KEY org/repo secret to enable."
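Review bot: The Mirror to Radicle step still writes the private key with `echo "${{ secrets.RADICLE_KEY }}"`, which splices the secret into the script text before the shell runs it; the added `mkdir -p` fixes the missing directory but leaves the key in the script body, where a shell `echo` may also rewrite backslash sequences in the key material, and the file exists under the default umask until the following `chmod 600`. Passing the secret through `env:` and writing it with `printf '%s\n' "$RADICLE_KEY"` after `umask 077` keeps it out of the script text and creates the file 0600 from the start. The `rad sync --announce || echo "Radicle sync attempted"` line (pre-existing) turns every sync failure into a green step, which is the same masking the new comment attributes to the empty-key case; at minimum it should emit `::warning::` so failures are visible in the run annotations. On self-hosted runners the key file would persist in the home directory after the job, so a final `if: always()` step that removes it is worth adding.
```yaml
      - name: Mirror to Radicle
        if: ${{ secrets.RADICLE_KEY != '' }}
        env:
          RADICLE_KEY: ${{ secrets.RADICLE_KEY }}
        run: |
          umask 077
          mkdir -p ~/.radicle/keys
          printf '%s\n' "$RADICLE_KEY" > ~/.radicle/keys/radicle
          rad sync --announce || echo "::warning::Radicle sync failed"
      # … unchanged: Skipped (RADICLE_KEY not configured) step …
      - name: Remove Radicle key
        if: ${{ always() && secrets.RADICLE_KEY != '' }}
        run: rm -f ~/.radicle/keys/radicle
```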