cmd

.gitea/workflows/ai-review.yaml

@@ -0,0 +1,41 @@
+name: AI Code Review
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+jobs:
+  ai-review:
+    runs-on: ubuntu-latest
+
+    env:
+      AI_REVIEW_CONFIG_FILE_YAML: ./shared-prompts/iac/.ai-review.yaml
+      # VCS configuration
+      VCS__PROVIDER: GITEA
+      VCS__PIPELINE__OWNER: ${{ github.repository_owner }}
+      VCS__PIPELINE__REPO: ${{ github.event.repository.name }}
+      VCS__PIPELINE__PULL_NUMBER: ${{ github.event.pull_request.number }}
+      VCS__HTTP_CLIENT__API_URL: https://git.forteapps.net/api/v1
+      VCS__HTTP_CLIENT__API_TOKEN: ${{ secrets.AI_REVIEW_TOKEN }}
+      # LLM configuration
+      LLM__PROVIDER: CLAUDE
+      LLM__META__MODEL: claude-sonnet-4-20250514
+      LLM__HTTP_CLIENT__API_URL: https://api.anthropic.com
+      LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: true
+          fetch-depth: 0
+
+      - name: Run inline review
+        uses: docker://nikitafilonov/ai-review:latest
+        with:
+          args: ai-review run-inline
+
+      - name: Run summary review
+        uses: docker://nikitafilonov/ai-review:latest
+        with:
+          args: ai-review run-summary

.gitea/workflows/docs.yaml

@@ -1,32 +0,0 @@
-name: Deploy Gitea Pages
-
-on:
-  push:
-    branches: [ main ]
-    paths:
-    - 'docs/**'
-    - 'mkdocs.yml'
-    - 'Dockerfile.docs'
-    - 'nginx.conf'
-  workflow_dispatch:
-
-jobs:
-  build-and-deploy:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-
-    - name: Install dependencies
-      run: pip install mkdocs mkdocs-material
-
-    - run: mkdocs build
-
-    - name: Deploy to Gitea Pages
-      run: |
-        cd site
-        git init
-        git config user.name "gitea-actions"
-        git config user.email "actions@forteapps.net"
-        git add .
-        git commit -m "Deploy docs"
-        git push --force "https://x-token:${{ gitea.token }}@git.forteapps.net/Forte/launchpad.git" HEAD:gitea-pages

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "shared-prompts"]
+	path = shared-prompts
+	url = https://git.forteapps.net/Forte/ai-review-prompts.git

.project-standards.yaml

@@ -1,7 +1,7 @@
 standards_version: "2025.1"
-last_configured: "2026-04-18"
+last_configured: "2026-04-04"
 components:
-  gitea-pages: "2025.1"
+  github-pages: "2025.1"
-  gitea-pages-generator: "mkdocs"
+  github-pages-generator: "mkdocs"
-  gitea-pages-source: "docs/"
+  github-pages-source: "docs/"
-  gitea-pages-theme: "material"
+  github-pages-theme: "material"

README.md

@@ -4,7 +4,6 @@
 
 [![GitOps](https://img.shields.io/badge/GitOps-ArgoCD-blue)](https://argoproj.github.io/cd/)
 [![Kubernetes](https://img.shields.io/badge/Kubernetes-UpCloud-orange)](https://upcloud.com/)
-[![Docs](https://img.shields.io/badge/Docs-Gitea%20Pages-green)](https://git.forteapps.net/Forte/launchpad/pages/)
 
 ---
 
@@ -12,8 +11,6 @@
 
 **New developers and operators**: Please refer to our comprehensive documentation for detailed guides and references:
 
-### 🌐 [**Live Documentation Site**](https://git.forteapps.net/Forte/launchpad/pages/) (Gitea Pages)
-
 ### 🎯 [**START HERE: Documentation Index**](docs/README.md)
 
 | Document | Description | Audience |
@@ -85,10 +82,6 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 .
 ├── bootstrap.sh                # Cluster initialization script
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
-├── mkdocs.yml                 # MkDocs configuration (Gitea Pages)
-│
-├── .gitea/workflows/          # Gitea Actions CI workflows
-│   └── docs.yaml              # Build & deploy MkDocs to Gitea Pages
 │
 ├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
 │   ├── base/                  # Base ArgoCD Application manifests (EU defaults)
@@ -153,12 +146,12 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 |------------|---------|-----------|-----------|
 | **[launchpad](https://git.forteapps.net/Forte/launchpad)** (this repo) | ArgoCD Applications, cluster resources | Platform / DevOps engineers | ✅ Often |
 | **[forte-helm](https://git.forteapps.net/Forte/forte-helm)** | Generic Helm chart templates | Platform engineers | ❌ Rarely |
-| **[helm-values](ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git)** | App-specific configuration & versions | Developers / CI pipelines | ✅ Sometimes |
+| **[helm-prod-values](ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git)** | App-specific configuration & versions | Developers / CI pipelines | ✅ Sometimes |
 
 ### GitOps Workflow
 
 ```
-Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD syncs → Deployed to cluster
+Developer commits code → CI/CD builds image → Updates helm-prod-values → ArgoCD syncs → Deployed to cluster
 ```
 
 **Learn more**: [GitOps Architecture - GitOps Workflow](docs/GITOPS-ARCHITECTURE.md#gitops-workflow)
@@ -173,7 +166,7 @@ Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD
 
 **Quick version**:
 1. Create `apps/myapp.yaml` (ArgoCD Application manifest)
-2. Create `helm-values/myapp/values.yaml` (configuration)
+2. Create `helm-prod-values/myapp/values.yaml` (configuration)
 3. Create sealed secrets if needed
 4. Commit and push - ArgoCD auto-syncs!
 
@@ -182,8 +175,8 @@ Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD
 **See detailed guide**: [Developer Guide - Updating an Existing Application](docs/DEVELOPER-GUIDE.md#updating-an-existing-application)
 
 **Quick version**:
-- **Update code**: Push to app repo → CI/CD updates image tag in helm-values
+- **Update code**: Push to app repo → CI/CD updates image tag in helm-prod-values
-- **Update config**: Edit `helm-values/myapp/values.yaml` → commit → push
+- **Update config**: Edit `helm-prod-values/myapp/values.yaml` → commit → push
 
 ### Manage Secrets
 
@@ -211,7 +204,7 @@ git push
 
 **Quick version**:
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 
 # Token-based auth (simple)
 auth:
@@ -351,7 +344,6 @@ kubectl patch application myapp -n argocd \
 | **OpenCost** | Cost monitoring | `monitoring` | 1 |
 | **Renovate** | Dependency updates | `renovate` | CronJob |
 | **Trivy** | Vulnerability scanning | `trivy-system` | 1 |
-| **Gitea Pages** | Documentation hosting | N/A (Gitea built-in) | N/A |
 
 **Full specs**: [Technical Reference - Infrastructure Components](docs/REFERENCE.md#infrastructure-components)
 
@@ -374,7 +366,7 @@ kubectl patch application myapp -n argocd \
 ### Multi-Source Pattern
 Applications reference both:
 1. **Helm charts** from `forte-helm` (templates)
-2. **Values** from `helm-values` (configuration)
+2. **Values** from `helm-prod-values` (configuration)
 
 This separates reusable templates from environment-specific config.
 
@@ -443,7 +435,7 @@ Applications deploy in order using `argocd.argoproj.io/sync-wave`:
 ### Adding a New Application
 1. Read [Developer Guide - Deploying Your First Application](docs/DEVELOPER-GUIDE.md#deploying-your-first-application)
 2. Create ArgoCD Application manifest in `apps/`
-3. Create Helm values in `helm-values/`
+3. Create Helm values in `helm-prod-values/`
 4. Create sealed secrets if needed
 5. Commit and push - ArgoCD handles the rest!
 
@@ -493,8 +485,8 @@ Documentation lives in `docs/`. To update:
 - [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
 
 ### Related Repositories
-- [forte-helm](https://github.com/fortedigital/forte-helm) - Helm chart templates
+- [forte-helm](https://git.forteapps.net/Forte/forte-helm) - Helm chart templates
-- [helm-values](git@github.com:fortedigital/helm-values.git) - Application values
+- [helm-prod-values](git@github.com:fortedigital/helm-prod-values.git) - Application values
 
 ---
 
@@ -512,7 +504,7 @@ Internal use only. Not for public distribution.
 
 ---
 
-**Last Updated**: 2026-04-18
+**Last Updated**: 2026-03-16
 **Documentation Version**: 1.0.0
 
 **🚀 Ready to get started? Check out the [Documentation Index](docs/README.md)!**

apps/base/kustomization.yaml

@@ -4,5 +4,4 @@ resources:
 - dot-ai-stack.yaml
 - mcp10x.yaml
 - musicman.yaml
-- mcpcoder.yaml
 - argo-mcp.yaml

bootstrap.sh

@@ -2,7 +2,7 @@
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
 
-CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (eu|us)}"
+CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod)}"
 
 echo "running $0 for cluster: ${CLUSTER}..."
 
@@ -17,18 +17,18 @@ echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 Bootstrap()
 {
     ArgoCd
-#    Github
+#    Gitea
 }
 
 
 ############################################################
-# Github                                                     #
+# Gitea                                                     #
 ############################################################
-Github()
+Gitea()
 {
     echo "Installing secret..."
-    kubectl apply -f private/github-${CLUSTER}.yaml
+    kubectl apply -f private/gitea-repo-main.yaml
-    kubectl apply -f private/main-${CLUSTER}.key
+    kubectl apply -f private/main.key
 }
 
 ############################################################

clusters/upc-prod.yaml

@@ -1,10 +1,10 @@
-clusterName: dev-fd-us-east1
+clusterName: prod-fd-no-svg1
-domain: us.forteapps.net
+domain: fortedigital.com
-argocdDomain: argocd.us.forteapps.net
+argocdDomain: argocd.127.0.0.1.nip.io
-grafanaDomain: grafana.us.forteapps.net
+grafanaDomain: grafana.fortedigital.com
-keycloakDomain: id.us.forteapps.net
+keycloakDomain: id.fortedigital.com
-dotaiDomain: kubemcp.us.forteapps.net
+dotaiDomain: kubemcp.fortedigital.com
-dotaiUiDomain: kubemcpui.us.forteapps.net
+dotaiUiDomain: kubemcpui.fortedigital.com
-letsencryptEmail: danijels@gmail.com
+letsencryptEmail: danijel.simeunovic@fortedigital.com
-trustedIPs: "10.0.0.0/16"
+trustedIPs: "172.16.1.0/24"
-cloudProvider: tbd
+cloudProvider: upcloud

docs/DEVELOPER-GUIDE.md

@@ -11,7 +11,6 @@
 - [Enabling Authentication for Applications](#enabling-authentication-for-applications)
 - [Adding a New Keycloak Client](#adding-a-new-keycloak-client)
 - [Troubleshooting](#troubleshooting)
-- [Documentation](#documentation)
 - [Best Practices](#best-practices)
 
 ---
@@ -97,10 +96,10 @@ You'll need read/write access to these repositories:
    cd launchpad
    ```
 
-2. **helm-values** (Values repo)
+2. **helm-prod-values** (Values repo)
    ```bash
    git clone https://git.forteapps.net/Forte/helm-prod-values.git
-   cd helm-values
+   cd helm-prod-values
    ```
 
 3. **forte-helm** (Chart repo - read-only for most developers)
@@ -176,13 +175,13 @@ npm run dev
 │  - GitHub Actions builds image                                  │
 │  - Pushes to container registry (GHCR, Docker Hub)              │
 │  - Tags with version (e.g., v2.0.4)                             │
-│  - Updates helm-values repository with new tag                  │
+│  - Updates helm-prod-values repository with new tag                  │
 └─────────────────────────────────────────────────────────────────┘
                             │
                             ▼
 ┌─────────────────────────────────────────────────────────────────┐
 │  Step 3: GitOps Sync (Automated)                                │
-│  - ArgoCD detects change in helm-values                         │
+│  - ArgoCD detects change in helm-prod-values                         │
 │  - Pulls updated configuration                                  │
 │  - Syncs to Kubernetes cluster                                  │
 │  - Sends Slack notification on success/failure                  │
@@ -202,7 +201,7 @@ Our setup uses three repositories:
 | Repository | Purpose | Who Edits | How Often |
 |------------|---------|-----------|-----------|
 | **forte-helm** | Helm chart templates (generic, reusable) | Platform engineers | ❌ Rarely |
-| **helm-values** | Application configuration (image tag, env vars) | Developers / CI pipelines | ✅ Sometimes |
+| **helm-prod-values** | Application configuration (image tag, env vars) | Developers / CI pipelines | ✅ Sometimes |
 | **launchpad** | ArgoCD Applications (what gets deployed) | Platform / DevOps engineers | ✅ Per new app |
 
 ### Example: Deploying "myapp"
@@ -224,7 +223,7 @@ spec:
       value: {{ .Values.app.port }}
 ```
 
-#### Repository: `helm-values` (Your App Config)
+#### Repository: `helm-prod-values` (Your App Config)
 ```yaml
 # myapp/values.yaml
 # Your app's specific configuration
@@ -249,13 +248,13 @@ metadata:
   namespace: argocd
 spec:
   sources:
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
     path: forteapp
     helm:
       valueFiles:
       - $values/myapp/values.yaml
 
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
     ref: values
 
   destination:
@@ -317,10 +316,10 @@ Ensure your app repository has:
              docker build -t ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }} .
              docker push ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }}
 
-         - name: Update helm-values
+         - name: Update helm-prod-values
            run: |
-             git clone git@github.com:fortedigital/helm-values.git
+             git clone git@github.com:fortedigital/helm-prod-values.git
-             cd helm-values
+             cd helm-prod-values
              mkdir -p hello-world
              cat > hello-world/values.yaml <<EOF
              app:
@@ -335,7 +334,7 @@ Ensure your app repository has:
 
 ### Step 2: Create Helm Values
 
-Create a folder in `helm-values` repository:
+Create a folder in `helm-prod-values` repository:
 
 ```bash
 cd ~/dev/k8s/helm-prod-values
@@ -413,7 +412,7 @@ spec:
 
   sources:
   # Source 1: Helm chart templates
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
     path: forteapp
     targetRevision: HEAD
     helm:
@@ -421,7 +420,7 @@ spec:
       - $values/hello-world/values.yaml
 
   # Source 2: Helm values
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
     targetRevision: HEAD
     ref: values
 
@@ -529,7 +528,7 @@ git push origin main
 2. ✅ Builds new Docker image
 3. ✅ Tags with new version (e.g., `v20260316-143022`)
 4. ✅ Pushes to container registry
-5. ✅ Updates `helm-values/myapp/values.yaml` with new tag
+5. ✅ Updates `helm-prod-values/myapp/values.yaml` with new tag
 6. ✅ ArgoCD detects change
 7. ✅ Syncs new version to cluster
 8. ✅ Sends Slack notification
@@ -684,7 +683,7 @@ git push
 
 #### Step 4: Reference Secret in Application
 
-Update your `helm-values/myapp/values.yaml`:
+Update your `helm-prod-values/myapp/values.yaml`:
 
 ```yaml
 app:
@@ -792,7 +791,7 @@ Three authentication modes are supported:
 #### Step 1: Configure Helm Values
 
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 auth:
   enabled: true
   type: token                    # Token mode (default)
@@ -914,7 +913,7 @@ rm private/myapp-auth-oidc.yaml
 #### Step 3: Configure Helm Values
 
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 auth:
   enabled: true
   type: oidc                     # OIDC mode
@@ -1050,7 +1049,7 @@ policies.forteapps.io/auth-image-version: "v1.2.3"
 #### Example 1: Internal API with Token Auth
 
 ```yaml
-# helm-values/internal-api/values.yaml
+# helm-prod-values/internal-api/values.yaml
 app:
   image:
     repository: ghcr.io/company/internal-api
@@ -1078,7 +1077,7 @@ curl -H "Authorization: Bearer d4f88f..." \
 #### Example 2: User-Facing App with OIDC
 
 ```yaml
-# helm-values/web-app/values.yaml
+# helm-prod-values/web-app/values.yaml
 app:
   image:
     repository: ghcr.io/company/web-app
@@ -1113,7 +1112,7 @@ kubectl create secret generic auth-oidc \
 #### Example 3: MCP Server with OAuth 2.0
 
 ```yaml
-# helm-values/mcp-server/values.yaml
+# helm-prod-values/mcp-server/values.yaml
 app:
   image:
     repository: ghcr.io/company/mcp-server
@@ -1137,7 +1136,7 @@ The MCP auth mode implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) fo
 #### Example 4: Disabling Authentication
 
 ```yaml
-# helm-values/public-api/values.yaml
+# helm-prod-values/public-api/values.yaml
 auth:
   enabled: false                 # No authentication
 
@@ -1501,7 +1500,7 @@ kubectl exec -n myapp <pod-name> -- env
 # Check if secrets exist
 kubectl get secrets -n myapp
 
-# Increase resources in helm-values
+# Increase resources in helm-prod-values
 vim ~/dev/k8s/helm-prod-values/myapp/values.yaml
 ```
 
@@ -1628,47 +1627,6 @@ If you're stuck:
 
 ---
 
-## Documentation
-
-This repository's documentation is built with [MkDocs](https://www.mkdocs.org/) using the [Material](https://squidfund.github.io/mkdocs-material/) theme and published automatically to Gitea Pages.
-
-### Viewing the Docs
-
-The live documentation site is available at:
-
-**https://git.forteapps.net/Forte/launchpad/pages/**
-
-### Editing Documentation
-
-All documentation source files live in the `docs/` directory as Markdown. To make changes:
-
-1. Edit the relevant `.md` file in `docs/`
-2. Commit and push to `main`
-3. The Gitea Actions workflow automatically rebuilds and deploys the site
-
-### Local Preview
-
-To preview documentation changes locally before pushing:
-
-```bash
-# Install dependencies (one-time)
-pip install mkdocs mkdocs-material
-
-# Start the local dev server
-mkdocs serve
-```
-
-Then open `http://127.0.0.1:8000` in your browser. The server live-reloads on file changes.
-
-### How It Works
-
-- **Workflow**: `.gitea/workflows/docs.yaml` triggers on pushes to `main` that change `docs/**`, `mkdocs.yml`, `Dockerfile.docs`, or `nginx.conf`
-- **Build**: Installs MkDocs + Material theme, runs `mkdocs build`
-- **Deploy**: Force-pushes the built `site/` directory to the `gitea-pages` branch
-- **Serve**: Gitea Pages serves the static site from the `gitea-pages` branch
-
----
-
 ## Best Practices
 
 ### Development Workflow
@@ -1691,7 +1649,7 @@ Then open `http://127.0.0.1:8000` in your browser. The server live-reloads on fi
 ### Configuration Management
 
 ✅ **DO**:
-- Keep configuration in `helm-values` repository
+- Keep configuration in `helm-prod-values` repository
 - Use environment variables for config
 - Document what each value does
 - Use reasonable resource limits

docs/GITOPS-ARCHITECTURE.md

@@ -47,7 +47,7 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
          │                            │                          │
          │                            │                          │
          └────────► Update image tag ─┴──────────────────────────┘
-                    in helm-values                               │
+                    in helm-prod-values                               │
                                                                  │
                                                                  ▼
                                            ┌────────────────────────────────┐
@@ -184,7 +184,7 @@ launchpad/
 ---
 
 ### 2. **Helm Charts Repository**
-**Repository**: `https://github.com/fortedigital/forte-helm`
+**Repository**: `https://git.forteapps.net/Forte/forte-helm`
 **Purpose**: Reusable Helm chart templates for Forte applications
 **Location**: `C:\dev\k8s\forte-helm`
 
@@ -218,7 +218,7 @@ forte-helm/
 ---
 
 ### 3. **Helm Values Repository**
-**Repository**: `git@github.com:fortedigital/helm-values.git`
+**Repository**: `git@github.com:fortedigital/helm-prod-values.git`
 **Purpose**: Environment-specific configuration for each application
 **Location**: `C:\dev\k8s\helm-prod-values`
 
@@ -228,8 +228,6 @@ helm-prod-values/
 │   └── values.yaml                   # MCP 10X configuration
 ├── musicman/
 │   └── values.yaml                   # Music Man configuration
-├── mcpcoder/
-│   └── values.yaml                   # MCP Coder configuration
 └── argocd-mcp/
     └── values.yaml                   # ArgoCD MCP configuration
 ```
@@ -279,7 +277,7 @@ app-repository/
 2. Build Docker image
 3. Tag with version (e.g., `v2.0.4`)
 4. Push to container registry (GHCR, Docker Hub, etc.)
-5. Update image tag in `helm-values` repository
+5. Update image tag in `helm-prod-values` repository
 6. ArgoCD detects change and syncs automatically
 
 ---
@@ -340,13 +338,13 @@ Applications like `mcp10x` and `musicman` use multiple sources:
 ```yaml
 spec:
   sources:
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
     path: forteapp                     # Helm chart templates
     helm:
       valueFiles:
       - $values/mcp10x/values.yaml     # Reference to second source
 
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
     targetRevision: HEAD
     ref: values                        # Named reference
 ```
@@ -414,8 +412,8 @@ jobs:
 
       - name: Update Helm values
         run: |
-          git clone git@github.com:fortedigital/helm-values.git
+          git clone git@github.com:fortedigital/helm-prod-values.git
-          cd helm-values/app
+          cd helm-prod-values/app
           sed -i "s/tag: .*/tag: $VERSION/" values.yaml
           git commit -am "Update app to $VERSION"
           git push
@@ -432,7 +430,7 @@ jobs:
    - Syncs application to cluster
 
 2. **Helm Values Change**:
-   - CI/CD updates `helm-values/myapp/values.yaml`
+   - CI/CD updates `helm-prod-values/myapp/values.yaml`
    - ArgoCD detects change
    - Pulls new Helm chart with updated values
    - Applies to cluster
@@ -639,7 +637,7 @@ Notifications include:
 ✅ **DO**:
 - Follow the `forteapp` chart pattern
 - Use semantic versioning for image tags
-- Update helm-values via CI/CD
+- Update helm-prod-values via CI/CD
 - Test locally with Docker Compose
 - Document environment variables
 

docs/OPERATIONS-RUNBOOK.md

@@ -85,7 +85,8 @@ kubectl get applications -n argocd
 
 1. **Configure DNS** for ingress domains:
    - `argocd.127.0.0.1.nip.io` (local dev)
-   - `*.forteapps.net` (production)
+   - `*.forteapps.net` (dev)
+   - `*.fortedigital.com` (production)
 
 2. **Verify Let's Encrypt certificates**:
    ```bash
@@ -107,7 +108,7 @@ kubectl get applications -n argocd
 
 ### ArgoCD Repository Access Setup
 
-ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for GitHub repositories.
+ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for Gitea repositories.
 
 #### Why Deploy Keys?
 
@@ -119,7 +120,7 @@ ArgoCD needs SSH access to private Git repositories to pull manifests and Helm v
 #### Prerequisites
 
 - kubectl access to the cluster
-- Write access to the GitHub repository
+- Write access to the Gitea repository
 - ArgoCD installed and running
 
 #### Setup Procedure
@@ -138,16 +139,16 @@ ssh-keygen -t rsa -b 4096 -C "argocd-deploy-key-launchpad" -f argocd-deploy-key
 
 This creates two files:
 - `argocd-deploy-key` - Private key (keep secret)
-- `argocd-deploy-key.pub` - Public key (add to GitHub)
+- `argocd-deploy-key.pub` - Public key (add to Gitea)
 
-**Step 2: Add Public Key to GitHub**
+**Step 2: Add Public Key to Gitea**
 
 1. Copy the public key:
    ```bash
    cat argocd-deploy-key.pub
    ```
 
-2. Go to GitHub repository settings:
+2. Go to Gitea repository settings:
    - Navigate to: `https://git.forteapps.net/Forte/launchpad/settings/keys`
    - Or: Repository → Settings → Deploy keys
 
@@ -157,12 +158,12 @@ This creates two files:
    - ☐ Allow write access (leave unchecked - read-only is sufficient)
    - Click **"Add key"**
 
-4. Repeat for the `helm-values` repository if it's private:
+4. Repeat for the `helm-prod-values` repository if it's private:
    ```bash
-   # Generate separate key for helm-values repo
+   # Generate separate key for helm-prod-values repo
-   ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-values" -f argocd-helm-values-key -N ""
+   ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-prod-values" -f argocd-helm-prod-values-key -N ""
 
-   # Add to: https://github.com/fortedigital/helm-values/settings/keys
+   # Add to: https://git.forteapps.net/Forte/helm-prod-values/settings/keys
    ```
 
 **Step 3: Create Kubernetes Secret**
@@ -270,7 +271,7 @@ rm /tmp/test-repo-access.yaml
    # Generate new key
    ssh-keygen -t ed25519 -C "argocd-deploy-key-$(date +%Y%m)" -f argocd-new-key -N ""
 
-   # Add new public key to GitHub (keep old key for now)
+   # Add new public key to Gitea (keep old key for now)
 
    # Update Kubernetes secret
    kubectl create secret generic repo-launchpad \
@@ -278,7 +279,7 @@ rm /tmp/test-repo-access.yaml
      --namespace=argocd \
      --dry-run=client -o yaml | kubectl apply -f -
 
-   # Test access, then remove old deploy key from GitHub
+   # Test access, then remove old deploy key from Gitea
 
    # Clean up
    shred -u argocd-new-key
@@ -289,7 +290,7 @@ rm /tmp/test-repo-access.yaml
    # List all repository secrets
    kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository
 
-   # Review deploy keys in GitHub
+   # Review deploy keys in Gitea
    # Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
    ```
 
@@ -312,16 +313,16 @@ kubectl get secret repo-launchpad -n argocd -o yaml | grep argocd.argoproj.io/se
 # Check ArgoCD application controller logs
 kubectl logs -n argocd deployment/argocd-application-controller | grep -i "permission denied"
 
-# Verify deploy key is added to GitHub
+# Verify deploy key is added to Gitea
 # Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
 ```
 
 **Issue: "Host key verification failed"**
 
 ```bash
-# Add GitHub to known_hosts
+# Add Gitea to known_hosts
 kubectl exec -n argocd deployment/argocd-repo-server -- \
-  ssh-keyscan github.com >> ~/.ssh/known_hosts
+  ssh-keyscan git.forteapps.net >> ~/.ssh/known_hosts
 
 # Or disable strict host key checking (less secure)
 kubectl patch secret repo-launchpad -n argocd \
@@ -346,16 +347,16 @@ kubectl rollout restart deployment argocd-application-controller -n argocd
 
 #### Multiple Repository Setup
 
-For the three-repository pattern (launchpad, forte-helm, helm-values):
+For the three-repository pattern (launchpad, forte-helm, helm-prod-values):
 
 ```bash
 # 1. launchpad (main config repo)
 ssh-keygen -t ed25519 -C "argocd-launchpad" -f key-sturdy -N ""
 # Add key-sturdy.pub to: https://git.forteapps.net/Forte/launchpad/settings/keys
 
-# 2. helm-values (private values repo)
+# 2. helm-prod-values (private values repo)
-ssh-keygen -t ed25519 -C "argocd-helm-values" -f key-helm-values -N ""
+ssh-keygen -t ed25519 -C "argocd-helm-prod-values" -f key-helm-prod-values -N ""
-# Add key-helm-values.pub to: https://github.com/fortedigital/helm-values/settings/keys
+# Add key-helm-prod-values.pub to: https://git.forteapps.net/Forte/helm-prod-values/settings/keys
 
 # 3. forte-helm (private helm charts repo)
 
@@ -366,14 +367,14 @@ kubectl create secret generic repo-launchpad \
   kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
   kubectl apply -f -
 
-kubectl create secret generic repo-helm-values \
+kubectl create secret generic repo-helm-prod-values \
-  --from-file=sshPrivateKey=key-helm-values \
+  --from-file=sshPrivateKey=key-helm-prod-values \
   --namespace=argocd --dry-run=client -o yaml | \
   kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
   kubectl apply -f -
 
 # Clean up keys
-shred -u key-sturdy key-helm-values
+shred -u key-sturdy key-helm-prod-values
 ```
 
 #### Converting HTTPS to SSH
@@ -390,7 +391,7 @@ If you're currently using HTTPS and want to switch to SSH:
 #   repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
 
 # 3. Update and commit
-find . -name "*.yaml" -type f -exec sed -i 's|https://github.com/fortedigital/|git@github.com:fortedigital/|g' {} +
+find . -name "*.yaml" -type f -exec sed -i 's|https://git.forteapps.net/Forte/|git@git.forteapps.net:Forte/|g' {} +
 
 git add .
 git commit -m "Switch from HTTPS to SSH for repository access"
@@ -494,7 +495,7 @@ spec:
 See [Developer Guide](DEVELOPER-GUIDE.md#deploying-your-first-application) for detailed steps.
 
 **Quick checklist:**
-- [ ] Create `helm-values/myapp/values.yaml`
+- [ ] Create `helm-prod-values/myapp/values.yaml`
 - [ ] Create `apps/myapp.yaml` in config repo
 - [ ] Create SealedSecret if needed
 - [ ] Commit and push changes
@@ -559,7 +560,7 @@ kubectl scale deployment myapp -n myapp --replicas=3
 
 #### GitOps Scaling
 
-Update `helm-values/myapp/values.yaml`:
+Update `helm-prod-values/myapp/values.yaml`:
 
 ```yaml
 app:
@@ -573,7 +574,7 @@ Commit and push - ArgoCD will sync.
 Enable Horizontal Pod Autoscaler:
 
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 app:
   hpa:
     enabled: true
@@ -622,7 +623,7 @@ kubectl rollout undo deployment myapp -n myapp
 #### Option 3: Change Image Tag
 
 ```bash
-# Edit helm-values
+# Edit helm-prod-values
 cd ~/dev/k8s/helm-prod-values
 vim myapp/values.yaml
 
@@ -642,7 +643,7 @@ git push
 #### Update Resource Limits
 
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 app:
   resources:
     requests:
@@ -656,7 +657,7 @@ app:
 #### Enable Database
 
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 db:
   enabled: true
   persistence:
@@ -1266,7 +1267,7 @@ spec:
 **What Needs Backup**:
 - ❌ Cluster state (not backed up - recreate via GitOps)
 - ❌ Persistent volumes (currently not critical)
-- ✅ Git repositories (GitHub provides backup)
+- ✅ Git repositories (Gitea provides backup)
 - ⚠️ Secrets (sealed secrets in Git, unseal keys need safekeeping)
 
 ### Cluster Rebuild
@@ -1561,7 +1562,7 @@ git push
 kubectl scale deployment myapp -n myapp --replicas=0
 
 # Update Git
-vim helm-values/myapp/values.yaml
+vim helm-prod-values/myapp/values.yaml
 # Set replicaCount: 0
 git commit -am "Scale down myapp for maintenance"
 git push
@@ -1634,7 +1635,7 @@ echo "Remember to delete: $SECRET_FILE"
 
 - [ ] Application code repository created
 - [ ] Dockerfile created and tested
-- [ ] GitHub Actions workflow configured
+- [ ] Gitea Actions workflow configured
 - [ ] Helm values created in `helm-prod-values/`
 - [ ] ArgoCD application manifest created in `apps/`
 - [ ] Secrets created and sealed

docs/REFERENCE.md

@@ -190,7 +190,7 @@ spec:
 
 ### Helm Charts Repository: `forte-helm`
 
-**URL**: `https://github.com/fortedigital/forte-helm`
+**URL**: `https://git.forteapps.net/Forte/forte-helm`
 
 #### Chart: `forteapp`
 
@@ -337,20 +337,18 @@ configmap: []                    # Application ConfigMap key-value pairs
 
 ---
 
-### Helm Values Repository: `helm-values`
+### Helm Values Repository: `helm-prod-values`
 
-**URL**: `https://github.com/fortedigital/helm-values.git`
+**URL**: `https://git.forteapps.net/Forte/helm-prod-values.git`
 
 #### Structure
 
 ```
-helm-values/
+helm-prod-values/
 ├── mcp10x/
 │   └── values.yaml
 ├── musicman/
 │   └── values.yaml
-├── mcpcoder/
-│   └── values.yaml
 └── argocd-mcp/
     └── values.yaml
 ```
@@ -526,14 +524,14 @@ spec:
 
   # Multi-source configuration
   sources:
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
     path: forteapp
     targetRevision: HEAD
     helm:
       valueFiles:
       - $values/<app-name>/values.yaml
 
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
     targetRevision: HEAD
     ref: values
 
@@ -817,12 +815,19 @@ postgresql:
 
 **Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`). Protocol mapper: `email_verified` hardcoded claim (`true`, boolean) on ID token, Access token, and Userinfo.
 
+**External User Sync**: Disabled (`cron.sync_external_users.ENABLED: false`). This Gitea cron job is designed for LDAP and deactivates OIDC-only users because it cannot enumerate them — causing "Sign-in prohibited" errors after the sync runs.
+
+**Email Notifications**: Enabled (`ENABLE_NOTIFY_MAIL: true`). SMTP credentials injected via `gitea-smtp-secret` using `additionalConfigFromEnvs` with `GITEA__mailer__USER` / `GITEA__mailer__PASSWD` environment variables.
+
 **Endpoints**:
 - Web UI: `https://git.forteapps.net`
 - SSH: port 22 (ClusterIP)
 - Metrics: `/metrics` (Prometheus scrape)
 
-**Secrets**: `gitea-credentials` (SealedSecret) containing `admin-password`, `postgres-password`, `secret` (OIDC client secret)
+**Secrets**:
+- `gitea-credentials` (SealedSecret) — admin password
+- `gitea-oidc-credentials` (registrar-managed) — OIDC client ID + secret
+- `gitea-smtp-secret` (SealedSecret) — SMTP username + password
 
 ### Gitea Actions Runners
 
@@ -871,6 +876,84 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes
 
+### AI Code Review (ai-review)
+
+**Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
+**Trigger**: `pull_request` events (`opened`, `synchronize`)
+**Runner**: `ubuntu-latest` (container: `nikitafilonov/ai-review:latest`)
+
+**Purpose**: Automated AI-powered code review on pull requests using Claude (Anthropic). Posts inline comments on changed lines and a PR summary comment highlighting infrastructure impact.
+
+**Architecture**:
+- Uses [xai-review](https://github.com/nicktechnologies/xai-review) Docker image
+- Shared configuration and prompts live in the `shared-prompts` Git submodule (→ `Forte/ai-review-prompts`)
+- Review mode: `ONLY_ADDED_WITH_CONTEXT` — reviews only new/changed lines plus surrounding context (token-efficient)
+- Agent mode: disabled (one-shot review, no multi-turn reasoning)
+- LLM: Claude Sonnet (`claude-sonnet-4-20250514`)
+
+**Shared Prompts Structure** (submodule: `Forte/ai-review-prompts`):
+```
+shared-prompts/
+  base/
+    security.md          # org-wide security rules (all profiles)
+  iac/
+    .ai-review.yaml      # IaC/GitOps profile config
+    inline.md            # inline review prompt
+    summary.md           # PR summary prompt
+  # future profiles: backend/, frontend/, etc.
+```
+
+**Configuration** (`shared-prompts/iac/.ai-review.yaml`):
+```yaml
+llm:
+  provider: CLAUDE
+  model: claude-sonnet-4-20250514
+vcs:
+  provider: GITEA
+review:
+  mode: ONLY_ADDED_WITH_CONTEXT
+agent:
+  enabled: false
+prompt:
+  inline_prompt_files:            # concatenated in order
+    - ./shared-prompts/base/security.md
+    - ./shared-prompts/iac/inline.md
+  summary_prompt_files:
+    - ./shared-prompts/iac/summary.md
+ignore:
+  - "*.sealed.yaml"
+  - "*.lock"
+  - "docs/**"
+```
+
+**Custom Prompts** (IaC profile):
+- `shared-prompts/base/security.md` — org-wide security rules, concatenated before every inline review prompt
+- `shared-prompts/iac/inline.md` — IaC-specific inline review (YAML, Helm, K8s manifests, shell scripts), max 7 comments
+- `shared-prompts/iac/summary.md` — PR summary: affected services/namespaces, infrastructure impact, security flags
+
+**Prompt composition**: ai-review does not support Jinja includes. Instead, list multiple files under `inline_prompt_files` / `summary_prompt_files` — they are concatenated in order with double newlines.
+
+**Adding a new profile**: Create a new directory (e.g., `backend/`) with its own `.ai-review.yaml`, `inline.md`, and `summary.md`. The `inline_prompt_files` list should include `base/security.md` first, then the profile-specific prompt. Reference it in the consuming repo's workflow: `AI_REVIEW_CONFIG_FILE_YAML=./shared-prompts/backend/.ai-review.yaml`
+
+**Required Secrets** (configure in Gitea repo or org settings):
+
+| Secret | Purpose |
+|--------|---------|
+| `ANTHROPIC_API_KEY` | Claude API key (from Anthropic console) |
+| `AI_REVIEW_TOKEN` | Gitea API token with `write:issue` + `read:repository` scopes (use a bot/service account) |
+
+**Setup Steps**:
+1. Create a Gitea bot/service account and generate an API token with `write:issue` + `read:repository` scopes
+2. Add `AI_REVIEW_TOKEN` secret in Gitea repo settings → Actions → Secrets
+3. Add `ANTHROPIC_API_KEY` secret with your Anthropic API key
+4. Ensure the `shared-prompts` submodule is initialized (`git submodule update --init`)
+5. Push the workflow file — it triggers automatically on PR creation/update
+
+**Verification**:
+- Open a PR with infrastructure changes → workflow runs → inline comments + summary appear
+- Check Gitea Actions tab for workflow run status and logs
+- Monitor Anthropic usage dashboard for token consumption
+
 ### Keycloak Client Registrar
 
 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
@@ -1038,29 +1121,6 @@ resources:
 - `kubectl create job --from=cronjob/renovate renovate-test -n renovate` — manual trigger
 - `kubectl logs -n renovate job/renovate-test` — check logs
 
-### Gitea Pages
-
-**Purpose**: Hosts the MkDocs documentation site for this repository.
-
-**How It Works**:
-- A Gitea Actions workflow (`.gitea/workflows/docs.yaml`) builds MkDocs on push to `main`
-- The built site is force-pushed to the `gitea-pages` branch
-- Gitea serves the static site from that branch
-
-**URL**: `https://git.forteapps.net/Forte/launchpad/pages/`
-
-**Configuration**:
-- Gitea server config: `ENABLE_GITEA_PAGES: true` (in gitea-values.yaml)
-- MkDocs config: `mkdocs.yml` (repo root)
-- Source files: `docs/` directory
-- Theme: Material for MkDocs
-
-**Trigger Paths**:
-- `docs/**`
-- `mkdocs.yml`
-- `Dockerfile.docs`
-- `nginx.conf`
-
 ---
 
 ## Kyverno Policies

infra/base/kustomization.yaml

@@ -17,6 +17,7 @@ resources:
 - secrets.yaml
 - gitea.yaml
 - gitea-actions.yaml
+- opencost.yaml
 - renovate.yaml
 - tempo.yaml
 - grafana-dashboards.yaml

infra/base/opencost.yaml

@@ -21,9 +21,9 @@ spec:
     helm:
       releaseName: opencost
       valueFiles:
-      - $values/infra/values/opencost-values.yaml
+      - $values/infra/values/base/opencost-values.yaml
 
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
     targetRevision: HEAD
     ref: values
 

infra/values/base/traefik-values.yaml

@@ -2,6 +2,8 @@ providers:
   kubernetesIngress:
     publishedService: # Fixes ArgoCD health checks for LoadBalancer services
       enabled: true
+  kubernetesCRD:
+    allowCrossNamespace: true
 deployment:
   replicas: 2
 
@@ -48,3 +50,26 @@ ports:
       accessLogs: true
       metrics: true
       tracing: true
+
+  gitea-ssh:
+    port: 2222
+    expose:
+      default: true
+    exposedPort: 2222
+    protocol: TCP
+
+# -- IngressRouteTCP for Gitea SSH (cross-namespace to gitea/gitea-ssh service)
+extraObjects:
+- apiVersion: traefik.io/v1alpha1
+  kind: IngressRouteTCP
+  metadata:
+    name: gitea-ssh
+  spec:
+    entryPoints:
+    - gitea-ssh
+    routes:
+    - match: HostSNI(`*`)
+      services:
+      - name: gitea-ssh
+        namespace: gitea
+        port: 22

infra/values/upc-dev/traefik-values.yaml

@@ -10,6 +10,10 @@ service:
               {
                   "name": "websecure",
                   "mode": "tcp"
+              },
+              {
+                  "name": "gitea-ssh",
+                  "mode": "tcp"
               }
           ],
           "backends": [
@@ -24,6 +28,9 @@ service:
                   "properties": {
                       "outbound_proxy_protocol": "v2"
                   }
+              },
+              {
+                  "name": "gitea-ssh"
               }
           ]
       }

infra/values/upc-prod/argocd-values.yaml

@@ -1,5 +1,5 @@
 global:
-  domain: argocd.us.forteapps.net
+  domain: argocd.fortedigital.com
 notifications:
   context:
-    clusterName: "dev-fd-us-east1"
+    clusterName: "prod-fd-no-svg1"

infra/values/upc-prod/dot-ai-stack-values.yaml

@@ -1,8 +1,8 @@
 dot-ai:
   ingress:
-    host: kubemcp.us.forteapps.net
+    host: kubemcp.fortedigital.com
   webUI:
-    baseUrl: http://kubemcpui.us.forteapps.net
+    baseUrl: http://kubemcpui.fortedigital.com
 dot-ai-ui:
   ingress:
-    host: kubemcpui.us.forteapps.net
+    host: kubemcpui.fortedigital.com

infra/values/upc-prod/grafana-values.yaml

@@ -1,3 +1,3 @@
 ingress:
   hosts:
-  - grafana.us.forteapps.net
+  - grafana.fortedigital.com

infra/values/upc-prod/keycloak-values.yaml

@@ -1,2 +1,2 @@
 ingress:
-  hostname: id.us.forteapps.net
+  hostname: id.fortedigital.com