Merge branch 'main' into feature/ai-review

.gitea/workflows/ai-review.yaml

@@ -2,12 +2,10 @@ name: AI Code Review
 
 on:
   pull_request:
-    types: [ labeled, synchronize ]
+    types: [ opened, synchronize, reopened ]
 
 jobs:
   ai-review:
-    if: >-
-      (github.event.action == 'synchronized' && contains(toJSON(github.event.pull_request.labels), 'ai-review')) || contains(toJSON(gitea.event.changes.added_labels), 'ai-review')
     runs-on: ubuntu-latest
 
     env:
@@ -34,14 +32,13 @@ jobs:
       with:
         submodules: true
         fetch-depth: 0
-        token: ${{ secrets.AI_REVIEW_TOKEN }}
 
     - name: Run inline review
-      uses: docker://nikitafilonov/ai-review:v0.64.0
+      uses: docker://nikitafilonov/ai-review:latest
       with:
         args: ai-review run-inline
 
     - name: Run summary review
-      uses: docker://nikitafilonov/ai-review:v0.64.0
+      uses: docker://nikitafilonov/ai-review:latest
       with:
         args: ai-review run-summary

apps/base/kustomization.yaml

@@ -4,5 +4,4 @@ resources:
 - dot-ai-stack.yaml
 - mcp10x.yaml
 - musicman.yaml
-- ts-mcp.yaml
 - argo-mcp.yaml

apps/base/ts-mcp.yaml

@@ -1,50 +0,0 @@
----
-# Namespace must be created first (sync-wave: -1)
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ts-mcp
-  annotations:
-    argocd.argoproj.io/sync-wave: "-1"
----
-# ArgoCD Application syncs last (sync-wave: 11)
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: ts-mcp
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "11"
-    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
-    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
-    notifications.argoproj.io/subscribe.on-degraded.slack: ""
-  labels:
-    app.kubernetes.io/name: ts-mcp
-    app.kubernetes.io/part-of: apps
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  sources:
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
-    path: forteapp
-    targetRevision: HEAD
-    helm:
-      valueFiles:
-      - $values/ts-mcp/values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: ts-mcp
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

cluster-resources/backstage-keycloak-client-config.yaml

@@ -1,43 +0,0 @@
-# Self-service Keycloak client config for Backstage.
-# Kyverno clones this to the keycloak namespace, where the
-# keycloak-client-registrar CronJob processes it and creates
-# the backstage-oidc-credentials Secret in the backstage namespace.
-apiVersion: v1
-kind: Secret
-metadata:
-  name: keycloak-client-backstage
-  namespace: backstage
-  labels:
-    keycloak.forteapps.net/client-config: "true"
-stringData:
-  client.json: |
-    {
-      "clientId": "backstage",
-      "name": "Backstage Developer Portal",
-      "redirectUris": ["https://backstage.forteapps.net/api/auth/oidc/handler/frame"],
-      "webOrigins": ["https://backstage.forteapps.net"],
-      "defaultClientScopes": ["openid", "email", "profile"],
-      "protocolMappers": [
-        {
-          "name": "email_verified",
-          "protocol": "openid-connect",
-          "protocolMapper": "oidc-hardcoded-claim-mapper",
-          "config": {
-            "claim.name": "email_verified",
-            "claim.value": "true",
-            "jsonType.label": "boolean",
-            "id.token.claim": "true",
-            "access.token.claim": "true",
-            "userinfo.token.claim": "true"
-          }
-        }
-      ],
-      "secret": {
-        "namespace": "backstage",
-        "name": "backstage-oidc-credentials",
-        "keys": {
-          "clientId": "AUTH_OIDC_CLIENT_ID",
-          "clientSecret": "AUTH_OIDC_CLIENT_SECRET"
-        }
-      }
-    }

cluster-resources/policies/label-checker.yaml

@@ -0,0 +1,41 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: require-labels
+  annotations:
+    policies.kyverno.io/title: Require Labels
+    policies.kyverno.io/category: Best Practices
+    policies.kyverno.io/minversion: 1.6.0
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod, Label
+    policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
+spec:
+  validationFailureAction: Audit
+  background: true
+  rules:
+  - name: check-for-labels
+    skipBackgroundRequests: true
+    exclude:
+      any:
+      - resources:
+          namespaces:
+          - kube-system
+          - istio-system
+          - argocd
+          - cert-manager
+          - monitoring
+          - secrets
+          - kyverno
+          - trivy-system
+    match:
+      any:
+      - resources:
+          kinds:
+          - Pod
+    validate:
+      message: The label `app.kubernetes.io/name` is required.
+      allowExistingViolations: true
+      pattern:
+        metadata:
+          labels:
+            app.kubernetes.io/name: "?*"

docs/DEVELOPER-GUIDE.md

@@ -962,46 +962,6 @@ User sees application (authenticated)
 
 ---
 
-### Accessing Authenticated User Information
-
-The auth sidecar handles all authentication before requests reach your application. Your app never sees unauthenticated traffic — the sidecar returns 401 or redirects to the IdP first.
-
-After successful authentication, the sidecar forwards the request to your application with user identity injected as HTTP headers:
-
-| Header | Description | Available in |
-|--------|-------------|-------------|
-| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
-| `X-Auth-Email` | User email address | OIDC |
-| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
-| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if scope includes `groups`) |
-| `X-Auth-Token` | The validated access token | All modes |
-
-**Your application reads these headers — no auth library needed:**
-
-```javascript
-// Express.js example
-app.get('/profile', (req, res) => {
-  const user = req.headers['x-auth-user'];
-  const email = req.headers['x-auth-email'];
-  res.json({ user, email });
-});
-```
-
-```python
-# Flask example
-@app.route('/profile')
-def profile():
-    user = request.headers.get('X-Auth-User')
-    email = request.headers.get('X-Auth-Email')
-    return jsonify(user=user, email=email)
-```
-
-**Why this is safe**: The Kyverno-generated NetworkPolicy restricts ingress to the sidecar port only. Traffic cannot bypass the sidecar to reach the application port directly, so the `X-Auth-*` headers can be trusted unconditionally.
-
-**Key principle**: Your application is zero-trust-unaware by design. It reads headers and renders UI. All authentication complexity lives in the sidecar and Kyverno policy.
-
----
-
 ### Authentication Configuration Reference
 
 #### Helm Values Schema

docs/REFERENCE.md

@@ -602,15 +602,6 @@ retry:
 4. 40 seconds
 5. 80 seconds (capped at 3 minutes)
 
-### Global Settings (`argocd-cm`)
-
-| Setting | Value | Purpose |
-|---------|-------|---------|
-| `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
-| `timeout.reconciliation` | `60s` | Reconciliation interval |
-| `admin.enabled` | `true` | Enable admin account |
-| `git.submodule.enabled` | `false` | Disable git submodule checkout — submodules are not needed for manifest generation |
-
 ---
 
 ## Infrastructure Components
@@ -828,8 +819,6 @@ postgresql:
 
 **Email Notifications**: Enabled (`ENABLE_NOTIFY_MAIL: true`). SMTP credentials injected via `gitea-smtp-secret` using `additionalConfigFromEnvs` with `GITEA__mailer__USER` / `GITEA__mailer__PASSWD` environment variables.
 
-**Auto-Watch**: Disabled (`AUTO_WATCH_ON_CHANGES: false`, `AUTO_WATCH_NEW_REPOS: false`). Prevents contributors from being auto-subscribed to repo notifications on push, reducing email noise from CI bots (e.g., ai-review PR comments). Users who were already watching before this change need to manually unwatch or switch to "Only participating".
-
 **Endpoints**:
 - Web UI: `https://git.forteapps.net`
 - SSH: port 22 (ClusterIP)
@@ -965,83 +954,6 @@ ignore:
 - Check Gitea Actions tab for workflow run status and logs
 - Monitor Anthropic usage dashboard for token consumption
 
-### Backstage / RHDH (Developer Portal)
-
-**Chart**: `backstage` (RHDH — Red Hat Developer Hub)
-**Version**: `5.8.0`
-**Namespace**: `backstage`
-**Helm Repo**: `https://redhat-developer.github.io/rhdh-chart`
-**Image**: `quay.io/rhdh-community/rhdh:next`
-
-**Purpose**: Internal developer portal where teams register and broadcast themselves, their applications, APIs, and systems. Provides a unified catalog, templates, and documentation hub.
-
-**Why RHDH over vanilla Backstage**: Ships 27+ plugins pre-bundled (ArgoCD, Kubernetes, Keycloak, GitHub, GitLab, Jira, SonarQube, Tekton, Jenkins, Quay, and more). Supports dynamic plugin installation at runtime — no image rebuilds needed.
-
-**Configuration** (`infra/values/base/backstage-values.yaml`):
-- OpenShift Route disabled (`route.enabled: false`) — uses Traefik ingress instead
-- PostgreSQL subchart enabled for persistence (2Gi)
-- SecurityContext configured for vanilla Kubernetes (non-OpenShift)
-- Traefik ingress with `websecure` entrypoint
-- App title: "Forte Developer Portal"
-- Dynamic plugins: loads `dynamic-plugins.default.yaml` (all 27+ bundled plugins)
-- Catalog rules: Component, System, API, Resource, Location, Template, Group, User, Domain
-
-**Authentication** (Keycloak OIDC):
-- Uses the self-service registrar pattern (see [Keycloak Client Registrar](#keycloak-client-registrar))
-- Config Secret: `cluster-resources/backstage-keycloak-client-config.yaml`
-- Kyverno clones it → registrar creates `backstage-oidc-credentials` Secret in `backstage` namespace
-- Credential keys: `AUTH_OIDC_CLIENT_ID`, `AUTH_OIDC_CLIENT_SECRET` (loaded via `extraEnvVarsSecrets`)
-- Redirect URI: `https://backstage.forteapps.net/api/auth/oidc/handler/frame`
-- Sign-in resolver: `emailMatchingUserEntityProfileEmail`
-
-**Catalog Discovery** (Gitea):
-- Auto-discovers `catalog-info.yaml` from all repos in the `Forte` organization
-- Scans every 30 minutes via the Gitea catalog provider plugin
-- Gitea SCM integration configured for URL resolution (`git.forteapps.net`)
-
-**Catalog Registration**:
-Teams register services by adding a `catalog-info.yaml` to their repo root:
-```yaml
-apiVersion: backstage.io/v1alpha1
-kind: Component
-metadata:
-  name: my-service
-  description: My service description
-  annotations:
-    backstage.io/source-location: url:https://git.forteapps.net/Forte/my-service
-spec:
-  type: service
-  lifecycle: production
-  owner: team-name
-```
-
-Repos with this file are auto-discovered — no manual registration needed.
-
-**Dynamic Plugins**:
-Add plugins at runtime via `global.dynamic.plugins` in values — no image rebuild:
-```yaml
-global:
-  dynamic:
-    plugins:
-    - package: "@scope/my-plugin@1.0.0"
-      integrity: "sha512-..."
-```
-
-**Per-cluster Configuration** (`infra/values/upc-dev/backstage-values.yaml`):
-```yaml
-global:
-  host: backstage.forteapps.net
-upstream:
-  backstage:
-    appConfig:
-      app:
-        baseUrl: https://backstage.forteapps.net
-      backend:
-        baseUrl: https://backstage.forteapps.net
-  ingress:
-    host: backstage.forteapps.net
-```
-
 ### Keycloak Client Registrar
 
 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
@@ -1602,23 +1514,7 @@ Forward to Application (localhost:3000)
 Application processes request
 ```
 
-#### Forwarded Headers
-
-After successful authentication, the sidecar injects user identity as HTTP headers before forwarding the request to the application container:
-
-| Header | Description | Auth Modes |
-|--------|-------------|------------|
-| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
-| `X-Auth-Email` | User email address | OIDC |
-| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
-| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if `groups` scope) |
-| `X-Auth-Token` | The validated access token | All modes |
-
-These headers are trustworthy because the auto-generated `NetworkPolicy` restricts pod ingress to the sidecar port only — external traffic cannot reach the application container directly, so headers cannot be spoofed.
-
-Applications should read these headers to obtain authenticated user information (e.g. for display, authorisation decisions, or audit logging) instead of implementing their own authentication.
-
-**See**: [Developer Guide - Accessing Authenticated User Information](DEVELOPER-GUIDE.md#accessing-authenticated-user-information) for code examples.
+**See**: [Developer Guide - Enabling Authentication](DEVELOPER-GUIDE.md#enabling-authentication-for-applications) for usage examples.
 
 ---
 

infra/base/backstage.yaml

@@ -1,43 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: backstage
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: backstage
-    app.kubernetes.io/part-of: developer-portal
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://redhat-developer.github.io/rhdh-chart
-    chart: backstage
-    targetRevision: "5.8.0"
-    helm:
-      releaseName: backstage
-      valueFiles:
-      - $values/infra/values/base/backstage-values.yaml
-      - $values/infra/values/upc-dev/backstage-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: backstage
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true

infra/base/kustomization.yaml

@@ -22,4 +22,3 @@ resources:
 - tempo.yaml
 - grafana-dashboards.yaml
 - network-policies-application.yaml
-- backstage.yaml

infra/values/base/argocd-values.yaml

@@ -2,21 +2,12 @@ configs:
   secret:
     createSecret: true
     argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
-  ssh:
-    knownHosts: |
-      [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
   cm:
     application.resourceTrackingMethod: annotation
     timeout.reconciliation: 60s
     admin.enabled: "true"
   params:
     "server.insecure": true
-repoServer:
-  env:
-  # Disable git submodule checkout - submodules (e.g. shared-prompts)
-  # are not needed for K8s manifest generation
-  - name: ARGOCD_GIT_MODULES_ENABLED
-    value: "false"
 server:
   ingress:
     enabled: false

infra/values/base/backstage-values.yaml

@@ -1,150 +0,0 @@
-# Red Hat Developer Hub (RHDH) - Internal Developer Portal
-# Helm chart: https://github.com/redhat-developer/rhdh-chart
-# Includes 27+ plugins out of the box: ArgoCD, Kubernetes, Keycloak,
-# GitHub, GitLab, Jira, SonarQube, Tekton, Jenkins, and more.
-
-global:
-  auth:
-    backend:
-      enabled: true
-  dynamic:
-    includes:
-    - dynamic-plugins.default.yaml
-    plugins: []
-
-# Disable OpenShift Route (not on OpenShift)
-route:
-  enabled: false
-
-upstream:
-  backstage:
-    image:
-      registry: quay.io
-      repository: rhdh-community/rhdh
-      tag: next
-
-    podSecurityContext:
-      runAsUser: 1001
-      runAsGroup: 1001
-      fsGroup: 1001
-
-    resources:
-      requests:
-        cpu: 250m
-        memory: 512Mi
-      limits:
-        cpu: 1000m
-        memory: 1Gi
-
-    extraEnvVarsSecrets:
-    - backstage-oidc-credentials
-    - backstage-session-secret
-
-    appConfig:
-      app:
-        title: "Forte Backstage"
-        baseUrl: http://localhost:7007
-
-      backend:
-        baseUrl: http://localhost:7007
-
-      # -- Keycloak OIDC authentication
-      signInPage: oidc
-      auth:
-        session:
-          secret: ${AUTH_SESSION_SECRET}
-        environment: production
-        providers:
-          oidc:
-            production:
-              metadataUrl: https://id.forteapps.net/realms/forte/.well-known/openid-configuration
-              clientId: ${AUTH_OIDC_CLIENT_ID}
-              clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
-              prompt: auto
-              # Allow login before User entities exist in the catalog.
-              # Remove once org data is populated.
-              dangerouslyAllowSignInWithoutUserInCatalog: true
-              signIn:
-                resolvers:
-                - resolver: emailMatchingUserEntityProfileEmail
-
-      # -- Gitea SCM integration (for catalog URL resolution)
-      integrations:
-        gitea:
-        - host: git.forteapps.net
-
-      # -- Software catalog
-      catalog:
-        rules:
-        - allow:
-          - Component
-          - System
-          - API
-          - Resource
-          - Location
-          - Template
-          - Group
-          - User
-          - Domain
-        providers:
-          # Auto-import users and groups from Keycloak
-          keycloakOrg:
-            default:
-              baseUrl: https://id.forteapps.net
-              realm: forte
-              clientId: ${AUTH_OIDC_CLIENT_ID}
-              clientSecret: ${AUTH_OIDC_CLIENT_SECRET}
-              schedule:
-                frequency: { minutes: 30 }
-                timeout: { minutes: 3 }
-                initialDelay: { seconds: 15 }
-          # Auto-discover catalog-info.yaml from all Forte org repos
-          gitea:
-            forte:
-              organization: Forte
-              host: git.forteapps.net
-              catalogPath: catalog-info.yaml
-              schedule:
-                frequency: { minutes: 30 }
-                timeout: { minutes: 3 }
-        locations:
-          # Backstage's own org data (bootstrap teams, systems, domains)
-          # - type: url
-          #   target: https://git.forteapps.net/Forte/backstage-catalog/raw/branch/main/org.yaml
-          #   rules:
-          #   - allow: [Group, User, System, Domain]
-
-  ingress:
-    enabled: true
-    className: traefik
-    annotations:
-      traefik.ingress.kubernetes.io/router.entrypoints: websecure
-      cert-manager.io/cluster-issuer: letsencrypt-prod
-    tls:
-      enabled: true
-      secretName: backstage-tls
-
-  postgresql:
-    enabled: true
-    auth:
-      # Fixed passwords prevent Helm from regenerating the Secret on
-      # each sync, which would mismatch with the PVC-persisted data.
-      password: backstage-db-pw
-      postgresPassword: backstage-admin-pw
-    primary:
-      persistence:
-        enabled: true
-        size: 2Gi
-      podSecurityContext:
-        enabled: true
-        fsGroup: 26
-        runAsUser: 26
-      resources:
-        requests:
-          cpu: 50m
-          memory: 128Mi
-        limits:
-          cpu: 250m
-          memory: 512Mi
-    volumePermissions:
-      enabled: false

infra/values/base/gitea-values.yaml

@@ -29,10 +29,7 @@ gitea:
       ALLOW_ONLY_EXTERNAL_REGISTRATION: true
       ENABLE_BASIC_AUTHENTICATION: true
       ENABLE_PASSWORD_SIGNIN_FORM: false
-      AUTO_WATCH_ON_CHANGES: false
-      AUTO_WATCH_NEW_REPOS: false
-      ENABLE_NOTIFY_MAIL: false
-      ENABLE_TIMETRACKING: false
+      ENABLE_NOTIFY_MAIL: true
 
     openid:
       ENABLE_OPENID_SIGNIN: false

infra/values/base/keycloak-values.yaml

@@ -116,12 +116,12 @@ extraDeploy:
   metadata:
     name: keycloak-client-registrar
   rules:
-  - apiGroups: [ "" ]
-    resources: [ "secrets" ]
-    verbs: [ "get", "list", "create", "update", "patch" ]
-  - apiGroups: [ "" ]
-    resources: [ "namespaces" ]
-    verbs: [ "get", "list" ]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "list"]
 
 # -- ClusterRoleBinding for the registrar ServiceAccount
 - apiVersion: rbac.authorization.k8s.io/v1
@@ -158,7 +158,7 @@ extraDeploy:
             containers:
             - name: registrar
               image: alpine:3.20
-              command: [ "/bin/sh", "-c" ]
+              command: ["/bin/sh", "-c"]
               args:
               - |
                 set -e

infra/values/upc-dev/backstage-values.yaml

@@ -1,12 +0,0 @@
-global:
-  host: backstage.forteapps.net
-
-upstream:
-  backstage:
-    appConfig:
-      app:
-        baseUrl: https://backstage.forteapps.net
-      backend:
-        baseUrl: https://backstage.forteapps.net
-  ingress:
-    host: backstage.forteapps.net