cmd

.gitea/workflows/ai-review.yaml

@@ -2,12 +2,10 @@ name: AI Code Review
 
 on:
   pull_request:
-    types: [ labeled, synchronize ]
+    types: [opened, synchronize]
 
 jobs:
   ai-review:
-    if: >-
-      (github.event.action == 'synchronized' && contains(toJSON(github.event.pull_request.labels), 'ai-review')) || contains(toJSON(gitea.event.changes.added_labels), 'ai-review')
     runs-on: ubuntu-latest
 
     env:
@@ -19,12 +17,9 @@ jobs:
       VCS__PIPELINE__PULL_NUMBER: ${{ github.event.pull_request.number }}
       VCS__HTTP_CLIENT__API_URL: https://git.forteapps.net/api/v1
       VCS__HTTP_CLIENT__API_TOKEN: ${{ secrets.AI_REVIEW_TOKEN }}
-      # Review — disable fallback to see real Gitea API errors
-      REVIEW__INLINE_COMMENT_FALLBACK: "false"
       # LLM configuration
       LLM__PROVIDER: CLAUDE
       LLM__META__MODEL: claude-sonnet-4-20250514
-      LLM__META__MAX_TOKENS: "4096"
       LLM__HTTP_CLIENT__API_URL: https://api.anthropic.com
       LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }}
 
@@ -36,11 +31,11 @@ jobs:
           fetch-depth: 0
 
       - name: Run inline review
-      uses: docker://nikitafilonov/ai-review:v0.64.0
+        uses: docker://nikitafilonov/ai-review:latest
         with:
           args: ai-review run-inline
 
       - name: Run summary review
-      uses: docker://nikitafilonov/ai-review:v0.64.0
+        uses: docker://nikitafilonov/ai-review:latest
         with:
           args: ai-review run-summary

.project-standards.yaml

@@ -0,0 +1,7 @@
+standards_version: "2025.1"
+last_configured: "2026-04-04"
+components:
+  github-pages: "2025.1"
+  github-pages-generator: "mkdocs"
+  github-pages-source: "docs/"
+  github-pages-theme: "material"

apps/base/kustomization.yaml

@@ -4,5 +4,4 @@ resources:
 - dot-ai-stack.yaml
 - mcp10x.yaml
 - musicman.yaml
-- ts-mcp.yaml
 - argo-mcp.yaml

apps/base/ts-mcp.yaml

@@ -1,40 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: ts-mcp
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "11"
-    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
-    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
-    notifications.argoproj.io/subscribe.on-degraded.slack: ""
-  labels:
-    app.kubernetes.io/name: ts-mcp
-    app.kubernetes.io/part-of: apps
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-  sources:
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
-    path: forteapp
-    targetRevision: HEAD
-    helm:
-      valueFiles:
-      - $values/ts-mcp/values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: ts-mcp
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-    syncOptions:
-    - CreateNamespace=true

docs/DEVELOPER-GUIDE.md

@@ -962,46 +962,6 @@ User sees application (authenticated)
 
 ---
 
-### Accessing Authenticated User Information
-
-The auth sidecar handles all authentication before requests reach your application. Your app never sees unauthenticated traffic — the sidecar returns 401 or redirects to the IdP first.
-
-After successful authentication, the sidecar forwards the request to your application with user identity injected as HTTP headers:
-
-| Header | Description | Available in |
-|--------|-------------|-------------|
-| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
-| `X-Auth-Email` | User email address | OIDC |
-| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
-| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if scope includes `groups`) |
-| `X-Auth-Token` | The validated access token | All modes |
-
-**Your application reads these headers — no auth library needed:**
-
-```javascript
-// Express.js example
-app.get('/profile', (req, res) => {
-  const user = req.headers['x-auth-user'];
-  const email = req.headers['x-auth-email'];
-  res.json({ user, email });
-});
-```
-
-```python
-# Flask example
-@app.route('/profile')
-def profile():
-    user = request.headers.get('X-Auth-User')
-    email = request.headers.get('X-Auth-Email')
-    return jsonify(user=user, email=email)
-```
-
-**Why this is safe**: The Kyverno-generated NetworkPolicy restricts ingress to the sidecar port only. Traffic cannot bypass the sidecar to reach the application port directly, so the `X-Auth-*` headers can be trusted unconditionally.
-
-**Key principle**: Your application is zero-trust-unaware by design. It reads headers and renders UI. All authentication complexity lives in the sidecar and Kyverno policy.
-
----
-
 ### Authentication Configuration Reference
 
 #### Helm Values Schema

docs/REFERENCE.md

@@ -602,15 +602,6 @@ retry:
 4. 40 seconds
 5. 80 seconds (capped at 3 minutes)
 
-### Global Settings (`argocd-cm`)
-
-| Setting | Value | Purpose |
-|---------|-------|---------|
-| `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
-| `timeout.reconciliation` | `60s` | Reconciliation interval |
-| `admin.enabled` | `true` | Enable admin account |
-| `git.submodule.enabled` | `false` | Disable git submodule checkout — submodules are not needed for manifest generation |
-
 ---
 
 ## Infrastructure Components
@@ -828,8 +819,6 @@ postgresql:
 
 **Email Notifications**: Enabled (`ENABLE_NOTIFY_MAIL: true`). SMTP credentials injected via `gitea-smtp-secret` using `additionalConfigFromEnvs` with `GITEA__mailer__USER` / `GITEA__mailer__PASSWD` environment variables.
 
-**Auto-Watch**: Disabled (`AUTO_WATCH_ON_CHANGES: false`, `AUTO_WATCH_NEW_REPOS: false`). Prevents contributors from being auto-subscribed to repo notifications on push, reducing email noise from CI bots (e.g., ai-review PR comments). Users who were already watching before this change need to manually unwatch or switch to "Only participating".
-
 **Endpoints**:
 - Web UI: `https://git.forteapps.net`
 - SSH: port 22 (ClusterIP)
@@ -951,10 +940,10 @@ ignore:
 | Secret | Purpose |
 |--------|---------|
 | `ANTHROPIC_API_KEY` | Claude API key (from Anthropic console) |
-| `AI_REVIEW_TOKEN` | Gitea API token with `write:repository` + `read:repository` scopes (use a bot/service account) |
+| `AI_REVIEW_TOKEN` | Gitea API token with `write:issue` + `read:repository` scopes (use a bot/service account) |
 
 **Setup Steps**:
-1. Create a Gitea bot/service account and generate an API token with `write:repository` + `read:repository` scopes
+1. Create a Gitea bot/service account and generate an API token with `write:issue` + `read:repository` scopes
 2. Add `AI_REVIEW_TOKEN` secret in Gitea repo settings → Actions → Secrets
 3. Add `ANTHROPIC_API_KEY` secret with your Anthropic API key
 4. Ensure the `shared-prompts` submodule is initialized (`git submodule update --init`)
@@ -1078,33 +1067,6 @@ kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.ann
 
 **See**: [Developer Guide - Adding a New Keycloak Client](DEVELOPER-GUIDE.md#adding-a-new-keycloak-client)
 
-### Karpor
-
-**Chart**: `karpor` from `https://kusionstack.github.io/charts`
-**Version**: 0.7.6 (app v0.6.4)
-**Namespace**: `karpor`
-**Sync Wave**: 1
-
-**Purpose**: Kubernetes visualization and intelligence tool. Provides cross-cluster resource search, compliance checking, and topology visualization. Gives platform engineers a unified view of all cluster resources and their relationships.
-
-**Architecture** (4 components):
-- **Server** — main Karpor API/UI (port 7443)
-- **Syncer** — syncs cluster state into the search index
-- **ElasticSearch** — search backend for resource indexing
-- **etcd** — persistent key-value store (10Gi PVC)
-
-**Configuration** (`infra/values/base/karpor-values.yaml`):
-- `namespaceEnabled: false` — ArgoCD manages namespace creation
-- Default resource limits tuned for small clusters
-- ElasticSearch: 2 CPU / 4Gi memory (the heaviest component)
-- AI features available but not enabled (requires `server.ai.authToken` + backend config)
-
-**Access**: Port-forward to reach the UI:
-```bash
-kubectl port-forward svc/karpor-release-server -n karpor 7443:7443
-# Open https://localhost:7443
-```
-
 ### Renovate
 
 **Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
@@ -1552,23 +1514,7 @@ Forward to Application (localhost:3000)
 Application processes request
 ```
 
-#### Forwarded Headers
-
-After successful authentication, the sidecar injects user identity as HTTP headers before forwarding the request to the application container:
-
-| Header | Description | Auth Modes |
-|--------|-------------|------------|
-| `X-Auth-User` | Username or display name | Token, OIDC, MCP |
-| `X-Auth-Email` | User email address | OIDC |
-| `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
-| `X-Auth-Groups` | Comma-separated group memberships | OIDC (if `groups` scope) |
-| `X-Auth-Token` | The validated access token | All modes |
-
-These headers are trustworthy because the auto-generated `NetworkPolicy` restricts pod ingress to the sidecar port only — external traffic cannot reach the application container directly, so headers cannot be spoofed.
-
-Applications should read these headers to obtain authenticated user information (e.g. for display, authorisation decisions, or audit logging) instead of implementing their own authentication.
-
-**See**: [Developer Guide - Accessing Authenticated User Information](DEVELOPER-GUIDE.md#accessing-authenticated-user-information) for code examples.
+**See**: [Developer Guide - Enabling Authentication](DEVELOPER-GUIDE.md#enabling-authentication-for-applications) for usage examples.
 
 ---
 

infra/base/karpor.yaml

@@ -1,42 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: karpor
-  namespace: argocd
-  annotations:
-    argocd.argoproj.io/sync-wave: "1"
-  labels:
-    app.kubernetes.io/name: karpor
-    app.kubernetes.io/part-of: developer-portal
-    app.kubernetes.io/managed-by: argocd
-  finalizers:
-  - resources-finalizer.argocd.argoproj.io
-spec:
-  project: default
-
-  sources:
-  - repoURL: https://kusionstack.github.io/charts
-    chart: karpor
-    targetRevision: "0.7.6"
-    helm:
-      releaseName: karpor
-      valueFiles:
-      - $values/infra/values/base/karpor-values.yaml
-
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    targetRevision: HEAD
-    ref: values
-
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: karpor
-
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true
-      allowEmpty: false
-    syncOptions:
-    - CreateNamespace=true
-    - Validate=true
-    - ServerSideApply=true

infra/base/kustomization.yaml

@@ -22,4 +22,3 @@ resources:
 - tempo.yaml
 - grafana-dashboards.yaml
 - network-policies-application.yaml
-- karpor.yaml

infra/values/base/argocd-values.yaml

@@ -2,21 +2,12 @@ configs:
   secret:
     createSecret: true
     argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
-  ssh:
-    knownHosts: |
-      [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
   cm:
     application.resourceTrackingMethod: annotation
     timeout.reconciliation: 60s
     admin.enabled: "true"
   params:
     "server.insecure": true
-repoServer:
-  env:
-  # Disable git submodule checkout - submodules (e.g. shared-prompts)
-  # are not needed for K8s manifest generation
-  - name: ARGOCD_GIT_MODULES_ENABLED
-    value: "false"
 server:
   ingress:
     enabled: false

infra/values/base/gitea-values.yaml

@@ -29,10 +29,7 @@ gitea:
       ALLOW_ONLY_EXTERNAL_REGISTRATION: true
       ENABLE_BASIC_AUTHENTICATION: true
       ENABLE_PASSWORD_SIGNIN_FORM: false
-      AUTO_WATCH_ON_CHANGES: false
-      AUTO_WATCH_NEW_REPOS: false
-      ENABLE_NOTIFY_MAIL: false
-      ENABLE_TIMETRACKING: false
+      ENABLE_NOTIFY_MAIL: true
 
     openid:
       ENABLE_OPENID_SIGNIN: false

infra/values/base/karpor-values.yaml

@@ -1,44 +0,0 @@
-# Karpor - Kubernetes Visualization & Intelligence Tool
-# Helm chart: https://github.com/KusionStack/charts/tree/master/charts/karpor
-
-# Let the ArgoCD Application manage the namespace
-namespaceEnabled: false
-
-server:
-  replicas: 1
-  port: 7443
-  resources:
-    requests:
-      cpu: 250m
-      memory: 256Mi
-    limits:
-      cpu: 500m
-      memory: 1Gi
-
-syncer:
-  replicas: 1
-  port: 7443
-  resources:
-    requests:
-      cpu: 250m
-      memory: 256Mi
-    limits:
-      cpu: 500m
-      memory: 1Gi
-
-elasticsearch:
-  replicas: 1
-  port: 9200
-  resources:
-    requests:
-      cpu: 500m
-      memory: 2Gi
-    limits:
-      cpu: "2"
-      memory: 4Gi
-
-etcd:
-  replicas: 1
-  port: 2379
-  persistence:
-    size: 5Gi

mkdocs.yml

@@ -0,0 +1,43 @@
+site_name: K8s Launchpad
+site_description: Documentation for the GitOps-managed Kubernetes cluster
+repo_url: https://git.forteapps.net/Forte/launchpad
+repo_name: Forte/launchpad
+
+theme:
+  name: material
+  palette:
+  - scheme: default
+    primary: indigo
+    toggle:
+      icon: material/brightness-7
+      name: Switch to dark mode
+  - scheme: slate
+    primary: indigo
+    toggle:
+      icon: material/brightness-4
+      name: Switch to light mode
+  features:
+  - navigation.instant
+  - navigation.sections
+  - navigation.top
+  - search.highlight
+  - content.code.copy
+
+nav:
+- Home: README.md
+- GitOps Architecture: GITOPS-ARCHITECTURE.md
+- Developer Guide: DEVELOPER-GUIDE.md
+- Operations Runbook: OPERATIONS-RUNBOOK.md
+- Technical Reference: REFERENCE.md
+
+markdown_extensions:
+- tables
+- toc:
+    permalink: true
+- pymdownx.highlight:
+    anchor_linenums: true
+- pymdownx.superfences
+- pymdownx.tabbed:
+    alternate_style: true
+- admonition
+- pymdownx.details