refactor(apps): move forte-drop apps from base to upc-dev overlay

forte-drop, forte-drop-mcp and forte-drop-postgresql lived under apps/base/ but were only ever wired into the upc-dev overlay (never listed in apps/base/kustomization.yaml). They carry hackathon-domain hardcoded values and must not sync to upc-prod, so they belong in the overlay alongside dbunk-demo — per danijel.simeunovic's review on PR #18. - git mv the three dirs into apps/overlays/upc-dev/ (history preserved) - rewrite overlay kustomization refs from ../../base/forte-drop* to local - repoint forte-drop-postgresql Application path apps/base/... -> apps/overlays/upc-dev/forte-drop-postgresql/resources Render-verified: kubectl kustomize apps/overlays/upc-dev differs only by the postgres path line; apps/overlays/upc-prod render byte-identical (forte-drop never reaches prod). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
refactor(apps): registrar-managed oidc creds, drop mcp client, DRY secret
2026-06-01 12:26:07 +02:00 · 2026-05-29 14:05:29 +02:00 · 2026-05-29 12:14:09 +02:00 · 2026-05-29 10:38:51 +02:00 · 2026-05-29 10:25:37 +02:00 · 2026-05-29 10:03:57 +02:00
82 changed files with 1305 additions and 1364 deletions
--- a/README.md
+++ b/README.md
@@ -57,11 +57,11 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ### What's Inside
- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Vault, Vault Secrets Operator, Homepage (platform dashboard)
+- **Infrastructure Applications**: Traefik, Cert-Manager, Kyverno, Prometheus, Grafana, Loki, Tempo, Sealed Secrets, Homepage (platform dashboard)
 - **Business Applications**: MCP10X, MusicMan, Dot-AI Stack, ArgoCD MCP
 - **Policies**: Kyverno security policies for secret management, namespace controls, pod verification
 - **Monitoring**: Full observability stack with metrics, logs, traces, and alerting
- **Secrets**: Vault Secrets Operator (VSO) syncs secrets from HashiCorp Vault to K8s
+- **Secrets**: Sealed Secrets for secure Git storage
 ### Key Features
@@ -187,7 +187,7 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 **Quick version**:
 1. Create `apps/myapp.yaml` (ArgoCD Application manifest)
 2. Create `helm-prod-values/myapp/values.yaml` (configuration)
-3. Write secrets to Vault and create VaultStaticSecret CRD if needed
+3. Create sealed secrets if needed
 4. Commit and push - ArgoCD auto-syncs!
 ### Update an Existing Application
@@ -200,18 +200,22 @@ Developer commits code → CI/CD builds image → Updates helm-prod-values → A
 ### Manage Secrets
-**See detailed guide**: [Vault Secrets Operator Reference](docs/vault-secrets-operator.md)
+**See detailed guide**: [Developer Guide - Working with Secrets](docs/DEVELOPER-GUIDE.md#working-with-secrets)
 ```bash
-# 1. Write secret to Vault
+# Create plain secret
-vault kv put kv/myapp/myapp-creds KEY=value
+kubectl create secret generic myapp-creds \
  --from-literal=KEY=value \
  --dry-run=client -o yaml > private/myapp-creds.yaml
-# 2. Create VaultStaticSecret CRD (one-time, commit to git)
+# Seal it
-# See docs/vault-secrets-operator.md for CRD template
+kubeseal --format=yaml --cert=pub-cert.pem \
  < private/myapp-creds.yaml > secrets/myapp-creds-sealed.yaml
-# 3. Rotate secrets — no git commit needed!
+# Commit sealed version
-vault kv put kv/myapp/myapp-creds KEY=new-value
+git add secrets/myapp-creds-sealed.yaml
-# VSO picks up changes within 30 seconds
+git commit -m "Add myapp credentials"
 git push
 ```
 ### Enable Authentication
@@ -324,7 +328,7 @@ kubectl patch application myapp -n argocd \
 ## 🔐 Security
 ### Secret Management
- ✅ Vault Secrets Operator (VSO) for secret management
+- ✅ Sealed Secrets for Git storage
 - ✅ Kyverno auto-clones secrets to namespaces
 - ❌ Never commit plain secrets
@@ -351,8 +355,7 @@ kubectl patch application myapp -n argocd \
 | **Traefik** | Ingress controller | `traefik` | 2 |
 | **Cert-Manager** | TLS certificates | `cert-manager` | 1 |
 | **Kyverno** | Policy engine | `kyverno` | 1 |
-| **Vault** | Secret storage | `vault` | 1 |
+| **Sealed Secrets** | Secret encryption | `kube-system` | 1 |
 | **Vault Secrets Operator** | Secret sync (Vault → K8s) | `vault-secrets-operator-system` | 1 |
 | **Prometheus** | Metrics | `monitoring` | 1 |
 | **Grafana** | Dashboards | `monitoring` | 1 |
 | **Loki** | Logs | `monitoring` | 1 |
@@ -452,7 +455,7 @@ Applications deploy in order using `argocd.argoproj.io/sync-wave`:
 1. Read [Developer Guide - Deploying Your First Application](docs/DEVELOPER-GUIDE.md#deploying-your-first-application)
 2. Create ArgoCD Application manifest in `apps/`
 3. Create Helm values in `helm-prod-values/`
-4. Write secrets to Vault and create VaultStaticSecret CRD if needed
+4. Create sealed secrets if needed
 5. Commit and push - ArgoCD handles the rest!
 ### Modifying Infrastructure
@@ -496,8 +499,7 @@ Documentation lives in `docs/`. To update:
 - [Traefik Documentation](https://doc.traefik.io/traefik/)
 - [Cert-Manager Documentation](https://cert-manager.io/docs/)
 - [Grafana Tempo Documentation](https://grafana.com/docs/tempo/)
- [Vault Secrets Operator](https://developer.hashicorp.com/vault/docs/platform/k8s/vso)
+- [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
 - [HashiCorp Vault](https://developer.hashicorp.com/vault/docs)
 ### Related Repositories
 - [forte-helm](https://git.forteapps.net/Forte/forte-helm) - Helm chart templates
--- a/apps/base/argo-mcp/argocd-mcp-credentials-vault.yaml
+++ b/apps/base/argo-mcp/argocd-mcp-credentials-vault.yaml
@@ -1,14 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: argocd-mcp-credentials
  namespace: argocd-mcp
 spec:
  type: kv-v2
  mount: kv
  path: argocd-mcp/argocd-mcp-credentials
  destination:
    name: argocd-mcp-credentials
    create: true
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/apps/base/argo-mcp/auth-oidc-vault.yaml
+++ b/apps/base/argo-mcp/auth-oidc-vault.yaml
@@ -1,14 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: auth-oidc
  namespace: argocd-mcp
 spec:
  type: kv-v2
  mount: kv
  path: argocd-mcp/auth-oidc
  destination:
    name: auth-oidc
    create: true
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/apps/base/argo-mcp/kustomization.yaml
+++ b/apps/base/argo-mcp/kustomization.yaml
@@ -2,7 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - argo-mcp.yaml
- vault-auth.yaml
+- argocdmcp-auth-oidc-sealed.yaml
- auth-oidc-vault.yaml
+- argocd-mcp-credentials.yaml
 - argocd-mcp-credentials-vault.yaml
 # Removed: argocdmcp-auth-oidc-sealed.yaml, argocd-mcp-credentials.yaml (migrated to VSO)
--- a/apps/base/argo-mcp/vault-auth.yaml
+++ b/apps/base/argo-mcp/vault-auth.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault-auth-argocd-mcp
  namespace: argocd-mcp
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: vault-auth
  namespace: argocd-mcp
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ns-argocd-mcp
    serviceAccount: vault-auth-argocd-mcp
    audiences:
    - vault
--- a/apps/base/dot-ai-stack/dot-ai-secrets-vault.yaml
+++ b/apps/base/dot-ai-stack/dot-ai-secrets-vault.yaml
@@ -1,14 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: dot-ai-secrets
  namespace: dot-ai
 spec:
  type: kv-v2
  mount: kv
  path: dot-ai/dot-ai-secrets
  destination:
    name: dot-ai-secrets
    create: true
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/apps/base/dot-ai-stack/kustomization.yaml
+++ b/apps/base/dot-ai-stack/kustomization.yaml
@@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - dot-ai-stack.yaml
- vault-auth.yaml
+- dot-ai-secrets.yaml
 - dot-ai-secrets-vault.yaml
 # Removed: dot-ai-secrets.yaml (migrated to VSO)
--- a/apps/base/dot-ai-stack/vault-auth.yaml
+++ b/apps/base/dot-ai-stack/vault-auth.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault-auth-dot-ai
  namespace: dot-ai
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: vault-auth
  namespace: dot-ai
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ns-dot-ai
    serviceAccount: vault-auth-dot-ai
    audiences:
    - vault
--- a/apps/base/mcp10x/app-credentials-vault.yaml
+++ b/apps/base/mcp10x/app-credentials-vault.yaml
@@ -1,15 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: app-credentials
  namespace: mcp10x
 spec:
  type: kv-v2
  mount: kv
  path: mcp10x/app-credentials
  destination:
    name: app-credentials
    create: true
    type: Opaque
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/apps/base/mcp10x/kustomization.yaml
+++ b/apps/base/mcp10x/kustomization.yaml
@@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - mcp10x.yaml
- vault-auth.yaml
+- forte10x-app-credentials-sealed.yaml
 - app-credentials-vault.yaml
 # Removed: forte10x-app-credentials-sealed.yaml (migrated to VSO)
--- a/apps/base/mcp10x/vault-auth.yaml
+++ b/apps/base/mcp10x/vault-auth.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault-auth-mcp10x
  namespace: mcp10x
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: vault-auth
  namespace: mcp10x
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ns-mcp10x
    serviceAccount: vault-auth-mcp10x
    audiences:
    - vault
--- a/apps/base/musicman/kustomization.yaml
+++ b/apps/base/musicman/kustomization.yaml
@@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - musicman.yaml
- vault-auth.yaml
+- musicman-credentials.yaml
 - musicman-credentials-vault.yaml
 # Removed: musicman-credentials.yaml (migrated to VSO)
--- a/apps/base/musicman/musicman-credentials-vault.yaml
+++ b/apps/base/musicman/musicman-credentials-vault.yaml
@@ -1,15 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: musicman-credentials
  namespace: music-man
 spec:
  type: kv-v2
  mount: kv
  path: music-man/musicman-credentials
  destination:
    name: musicman-credentials
    create: true
    type: Opaque
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/apps/base/musicman/vault-auth.yaml
+++ b/apps/base/musicman/vault-auth.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault-auth-music-man
  namespace: music-man
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: vault-auth
  namespace: music-man
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ns-music-man
    serviceAccount: vault-auth-music-man
    audiences:
    - vault
--- a/apps/base/ts-mcp/kustomization.yaml
+++ b/apps/base/ts-mcp/kustomization.yaml
@@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ts-mcp.yaml
- vault-auth.yaml
+- ts-mcp-secrets-sealed.yaml
 - ts-mcp-secrets-vault.yaml
 # Removed: ts-mcp-secrets-sealed.yaml (migrated to VSO)
--- a/apps/base/ts-mcp/ts-mcp-secrets-vault.yaml
+++ b/apps/base/ts-mcp/ts-mcp-secrets-vault.yaml
@@ -1,14 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: ts-mcp-secrets
  namespace: ts-mcp
 spec:
  type: kv-v2
  mount: kv
  path: ts-mcp/ts-mcp-secrets
  destination:
    name: ts-mcp-secrets
    create: true
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/apps/base/ts-mcp/vault-auth.yaml
+++ b/apps/base/ts-mcp/vault-auth.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault-auth-ts-mcp
  namespace: ts-mcp
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: vault-auth
  namespace: ts-mcp
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ns-ts-mcp
    serviceAccount: vault-auth-ts-mcp
    audiences:
    - vault
--- a/apps/overlays/upc-dev/forte-drop-mcp/forte-drop-mcp.yaml
+++ b/apps/overlays/upc-dev/forte-drop-mcp/forte-drop-mcp.yaml
@@ -1,53 +1,37 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: feedback
+  name: forte-drop-mcp
  namespace: argocd
  annotations:
-    argocd.argoproj.io/sync-wave: "12"
+    argocd.argoproj.io/sync-wave: "1"
    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
    notifications.argoproj.io/subscribe.on-degraded.slack: ""
  labels:
-    app.kubernetes.io/name: feedback
+    app.kubernetes.io/name: forte-drop-mcp
    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
-      - $values/feedback/values.yaml
+      - $values/forte-drop-mcp/values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
-    namespace: feedback
+    namespace: forte-drop
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
    retry:
      limit: 5
      backoff:
        duration: 5s
        factor: 2
        maxDuration: 3m
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/apps/overlays/upc-dev/forte-drop-mcp/kustomization.yaml
+++ b/apps/overlays/upc-dev/forte-drop-mcp/kustomization.yaml
@@ -0,0 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - forte-drop-mcp.yaml
 # No keycloak-client config + no auth-oidc Secret for mcp mode. The chart's
 # auth.type: mcp auto-registers the MCP client; the sidecar is an RFC 9728
 # resource server that validates tokens (no client-secret of its own).
 # forte-drop-secrets (shared with web) covers PG + S3 creds.
--- a/apps/overlays/upc-dev/forte-drop-postgresql/RESTORE.md
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/RESTORE.md
@@ -0,0 +1,143 @@
 # forte-drop Postgres — backup & restore runbook
 ## What gets backed up
 A CronJob (`forte-drop-pg-backup`, namespace `forte-drop`) runs nightly at **02:00 UTC**:
 1. `pg_dump` of the `drops` database → gzip.
 2. Upload to **UpCloud Managed Object Storage**: `s3://drops/_pgbackups/forte-drop-<TS>.sql.gz`
   (the `_pgbackups/` prefix is collision-proof: app slugs match `/^[a-z0-9][a-z0-9-]{0,62}$/`
   and can never start with `_`).
 3. Retention: dumps older than **30 days** are pruned.
 S3 creds come from the `forte-drop-secrets` Secret (`S3_ENDPOINT` / `S3_KEY` / `S3_SECRET`).
 Postgres creds from `forte-drop-pg-creds` (`pgusername` / `pgpassword`).
 > **Object storage is the durable tier.** App data + DB backups both live in UpCloud
 > Managed Object Storage (replicated by UpCloud). The in-cluster Postgres PVC is the
 > live working copy; the nightly dump is the recovery point. The PVC carries
 > `Prune=false,Delete=false` so ArgoCD never deletes it.
 ## Prerequisites
 ```bash
 export KUBECONFIG=~/Downloads/dev-fd-no-svg1_kubeconfig.yaml
 # Confirm the namespace + DB pod are up:
 kubectl -n forte-drop get pods -l app.kubernetes.io/name=postgresql
 ```
 ## List available backups
 ```bash
 # Run an ephemeral mc pod with the app's S3 creds:
 kubectl -n forte-drop run mc-list --rm -it --restart=Never \
  --image=quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z \
  --overrides='{"spec":{"containers":[{"name":"mc","image":"quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z","command":["sh","-c","mc alias set obj \"$S3_ENDPOINT\" \"$S3_KEY\" \"$S3_SECRET\" >/dev/null && mc ls obj/drops/_pgbackups/"],"envFrom":[{"secretRef":{"name":"forte-drop-secrets"}}]}]}}'
 ```
 ## Manually trigger a backup (before risky changes)
 ```bash
 kubectl -n forte-drop create job --from=cronjob/forte-drop-pg-backup pg-backup-manual-$(date +%s)
 # Watch:
 kubectl -n forte-drop get jobs -l app.kubernetes.io/component=backup
 kubectl -n forte-drop logs -l app.kubernetes.io/component=backup --tail=40
 ```
 ## Restore a dump
 > **Destructive.** This overwrites the live `drops` database. Take a fresh manual
 > backup first (above) and confirm with whoever owns the data before proceeding.
 ### 1. Pick the dump to restore
 List backups (above), choose `forte-drop-<TS>.sql.gz`.
 ### 2. Run a restore pod that pulls the dump and pipes it into Postgres
 ```bash
 DUMP="forte-drop-20260530T020000Z.sql.gz"   # <-- set to the chosen file
 kubectl -n forte-drop run pg-restore --rm -it --restart=Never \
  --image=postgres:16-alpine \
  --overrides='{
    "spec": {
      "containers": [{
        "name": "restore",
        "image": "postgres:16-alpine",
        "command": ["sh","-c","set -euo pipefail; \
          apk add --no-cache curl >/dev/null; \
          # download via mc is simpler — use a 2-step instead (see note). \
          echo placeholder"],
        "envFrom": [
          {"secretRef":{"name":"forte-drop-pg-creds"}},
          {"secretRef":{"name":"forte-drop-secrets"}}
        ]
      }]
    }
  }'
 ```
 **Simpler 2-pod approach (recommended — avoids cramming mc + psql in one image):**
 ```bash
 DUMP="forte-drop-20260530T020000Z.sql.gz"
 # (a) Download the dump from object storage to a local file:
 kubectl -n forte-drop run mc-get --rm -it --restart=Never \
  --image=quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z \
  --overrides='{"spec":{"containers":[{"name":"mc","image":"quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z","command":["sh","-c","mc alias set obj \"$S3_ENDPOINT\" \"$S3_KEY\" \"$S3_SECRET\" >/dev/null && mc cat obj/drops/_pgbackups/'"$DUMP"'"],"envFrom":[{"secretRef":{"name":"forte-drop-secrets"}}]}]}}' \
  > /tmp/$DUMP
 # (b) Pipe it into the live Postgres via the service:
 gunzip -c /tmp/$DUMP | kubectl -n forte-drop run pg-restore --rm -i --restart=Never \
  --image=postgres:16-alpine \
  --overrides='{"spec":{"containers":[{"name":"psql","image":"postgres:16-alpine","stdin":true,"command":["sh","-c","PGPASSWORD=\"$pgpassword\" psql -h forte-drop-postgresql.forte-drop.svc -U \"$pgusername\" -d drops"],"env":[{"name":"pgusername","valueFrom":{"secretKeyRef":{"name":"forte-drop-pg-creds","key":"pgusername"}}},{"name":"pgpassword","valueFrom":{"secretKeyRef":{"name":"forte-drop-pg-creds","key":"pgpassword"}}}]}]}}'
 ```
 > The app's schema is created idempotently on boot (`CREATE TABLE IF NOT EXISTS` +
 > `ALTER TABLE ... ADD COLUMN IF NOT EXISTS` in `src/repo/pg.ts`), and `pg_dump`
 > output includes the data. For a clean restore into a fresh DB this just works.
 > To restore over an existing DB with conflicting rows, drop/recreate the `drops`
 > database first (coordinate downtime — scale the web Deployment to 0 during the
 > restore so the app isn't writing).
 ### 3. Verify
 ```bash
 kubectl -n forte-drop run pg-check --rm -it --restart=Never \
  --image=postgres:16-alpine \
  --env="PGPASSWORD=$(kubectl -n forte-drop get secret forte-drop-pg-creds -o jsonpath='{.data.pgpassword}' | base64 -d)" \
  --command -- psql -h forte-drop-postgresql.forte-drop.svc -U drops -d drops \
  -c "SELECT count(*) AS drops FROM drops;" -c "SELECT count(*) AS view_hits FROM view_hits;"
 ```
 ### 4. Bring the app back
 ```bash
 # If you scaled web to 0 for the restore:
 kubectl -n forte-drop scale deploy/forte-drop --replicas=2
 ```
 ## Object data (uploaded drop files)
 Drop files live in `s3://drops/<slug>/...` in the same managed bucket. They are
 **not** part of the pg backup (the dump only holds metadata). Object storage is
 UpCloud-managed/replicated, so no separate file backup is configured. If a
 file-level backup is later required, mirror the bucket to a second bucket/region:
 ```bash
 mc mirror --overwrite obj/drops/ backup-target/drops-mirror/
 ```
 (Exclude `_pgbackups/` from the app-data mirror if you split them.)
 ## Disaster scenarios
 | Scenario | Recovery |
 |---|---|
 | Postgres pod crash / reschedule | StatefulSet reattaches the PVC; ~1–2 min downtime; no data loss. |
 | PVC lost / corrupted | Recreate StatefulSet, restore latest nightly dump (above). Data since last dump is lost. |
 | Accidental `drops` table data loss | Restore latest dump; or `pg_restore` a single table from a dump. |
 | Namespace deleted | PVC has `Prune=false,Delete=false`; recreate Applications, PVC re-binds, app recovers. Backups in object storage are independent. |
 | Object storage bucket lost | UpCloud-managed (replicated). If the IAM key is rotated, update `forte-drop-secrets` (re-seal). |
--- a/apps/overlays/upc-dev/forte-drop-postgresql/forte-drop-postgresql.yaml
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/forte-drop-postgresql.yaml
@@ -0,0 +1,40 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: forte-drop-postgresql
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "0"
  labels:
    app.kubernetes.io/name: forte-drop-postgresql
    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    path: apps/overlays/upc-dev/forte-drop-postgresql/resources
  destination:
    server: https://kubernetes.default.svc
    namespace: forte-drop
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/apps/overlays/upc-dev/forte-drop-postgresql/kustomization.yaml
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- feedback.yaml
+- forte-drop-postgresql.yaml
--- a/apps/overlays/upc-dev/forte-drop-postgresql/resources/forte-drop-pg-creds-sealed.yaml
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/resources/forte-drop-pg-creds-sealed.yaml
@@ -0,0 +1,14 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: forte-drop-pg-creds
  namespace: forte-drop
 spec:
  encryptedData:
    pgpassword: AgBYokuQRCTmPGC8soB7n8W39nmSAZDTV97i77NmdMh5ndaZNtCtXxhMcpM2z8kaGv2tCWIh47dr38a5tGPZ0TsmeEQOF9Rbbtq1fyR7pJwT8S+N2Z2zu354wNWQlltEAVvTvthe2wTer/BpyRofeSZprxihmfNpuHUP8rLsnIXln5tOWDzJ8hnRWoYZFITaihC2qrJj/kFE0Rfdcmzt1tSq3jCB/rWijVaJF9XSh4rzQoqZDiUNjDPUjyERILw59JWU4zf9OKcqNHDnmpXBR4LSjLhd9waN6ElEzO4gGcVaHISKrTwewX1ONwPHDnw6lqkQObyBPx8aUsGzxLkUhNDtvIYDkB4BKWP5Qu4bNcSztIbrxi6l7Lr/DWC9qTbKm1/p83rc6r8VqRMURUyQg8/vBlCHOIUbZ8DM1OfNlMd8gvcSkaxEVIdCDUjguCvE3cGyG4cqv2unllZQ+9417WwLNJecT6x1EL3nQyAlK5c9vUIbcVyaFlbSUcGB7xmPgZrZ6/3RDyOH6Tmew1ssV9gLvdaehscUE0fjnnFnJpczkwdyxIOSNLIkjlWetCKEbhowJbzk05h3M2p6XQQOuNTnsYjAADMGD72GUgAQlY8KXmDELtv09KELcXbeYS4gABPpMrVmvZymq8lqQ13Py8o+cIqbrU5V86WxASTfQ5gMo/ymYabuhTBIapcnaKR1dFCCfu8deh5f2HJ6/1NjdWR+XvEshg+EF5OkTUInukX4vA==
    pgusername: AgCs6vyQ8CIv5OneP/jMltIPGdZQbpq/BFmQM1mkBD61Ve+anzve5K0Gkg+zsNfbZf0pOPAXtu4C4aL1Lwv7gqpoe4Hp/UEb/X9uLfJ1b8ZitmM1XsPmmSiCskHjrc2BLkAvfrVIXkHc3LOY2uZ/E5stc6Ss2WFE8/uzzVXW0B8fdEK0criludQ8iwR1gypulEcDNomXgkK/1gmmCWosUcVv4jDMDhqBD+b9WYnBB6J73gUclWVMvYDFdNas2PuoRzu5Twc9TAZrTxN5lvLOXAonOo0YiUbUhEC83sfMWYDT5/9OxqcJhAxtgFe9j83MpCwLSwfeLZm7UsUapWDb60MxPJLGvoGD/ZOhkeYt/YCZYROa57TMslVIL5YU1KCiNWvtRjIqnvdiBxI7MRvPUfAoawS4ktT5PDhTTfrixFbaF95jul2kKBXV+OYB1UNsFhcCgZx9rzYRt4lNmBv4m4HeXIp3EYY8VlGLQ45BVVqjJ4QkISvb7ifQWH1aPMQllj+J3GwW0KJN0dEgsh1LT+C7W5I5mq461NOTF1eih/XRBeuPoLlgApxiGXvFCTx8lji2/JIdOaqcg29hdabSprxa0YMStChi2pbtHhRzAuFCp8mInGt8Q406vu67Y4/51yuwI40YeDVu0lf010TB+/v2Zy3OrNyjlqrD5JNynsLuRl3UhuAKC14Xhg/MiDLvTzfsYE8aog==
  template:
    metadata:
      name: forte-drop-pg-creds
      namespace: forte-drop
--- a/apps/overlays/upc-dev/forte-drop-postgresql/resources/kustomization.yaml
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/resources/kustomization.yaml
@@ -0,0 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - postgresql.yaml
 - forte-drop-pg-creds-sealed.yaml
 - pg-backup-cronjob.yaml
--- a/apps/overlays/upc-dev/forte-drop-postgresql/resources/pg-backup-cronjob.yaml
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/resources/pg-backup-cronjob.yaml
@@ -0,0 +1,93 @@
 # Nightly logical backup of the forte-drop Postgres → UpCloud Managed Object Storage.
 # Dumps to s3://drops/_pgbackups/ (the `_` prefix is collision-proof: app slugs match
 # /^[a-z0-9][a-z0-9-]{0,62}$/ and can never start with `_`). Retains 30 days.
 #
 # Pod shape: initContainer pg_dump → shared emptyDir → mc upload + retention prune.
 # Both images pinned. S3 creds reuse forte-drop-secrets (the app's UpCloud user has
 # s3:* on the drops bucket). PG creds from forte-drop-pg-creds.
 apiVersion: batch/v1
 kind: CronJob
 metadata:
  name: forte-drop-pg-backup
  namespace: forte-drop
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: forte-drop
    app.kubernetes.io/component: backup
 spec:
  schedule: "0 2 * * *"           # 02:00 UTC daily
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 2
      template:
        metadata:
          labels:
            app.kubernetes.io/name: postgresql
            app.kubernetes.io/instance: forte-drop
            app.kubernetes.io/component: backup
        spec:
          restartPolicy: Never
          securityContext:
            runAsNonRoot: true
            runAsUser: 65532
            fsGroup: 65532
          volumes:
          - name: work
            emptyDir: {}
          initContainers:
          - name: dump
            image: postgres:16-alpine
            command:
            - sh
            - -c
            - |
              set -euo pipefail
              TS=$(date -u +%Y%m%dT%H%M%SZ)
              echo "dumping to /work/forte-drop-${TS}.sql.gz"
              PGPASSWORD="$PGPASSWORD" pg_dump \
                -h forte-drop-postgresql.forte-drop.svc \
                -p 5432 -U "$PGUSER" -d drops \
                --no-owner --no-privileges \
                | gzip -9 > "/work/forte-drop-${TS}.sql.gz"
              echo "dump complete: $(ls -lh /work/)"
            env:
            - name: PGUSER
              valueFrom:
                secretKeyRef: { name: forte-drop-pg-creds, key: pgusername }
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef: { name: forte-drop-pg-creds, key: pgpassword }
            volumeMounts:
            - name: work
              mountPath: /work
          containers:
          - name: upload
            image: quay.io/minio/mc:RELEASE.2024-11-21T17-21-54Z
            command:
            - sh
            - -c
            - |
              set -euo pipefail
              mc alias set obj "$S3_ENDPOINT" "$S3_KEY" "$S3_SECRET"
              mc cp /work/*.sql.gz "obj/${S3_BUCKET}/_pgbackups/"
              echo "uploaded. pruning backups older than 30d:"
              mc rm --recursive --force --older-than 30d "obj/${S3_BUCKET}/_pgbackups/" || true
              echo "backup retention pass complete"
            env:
            - name: S3_ENDPOINT
              valueFrom:
                secretKeyRef: { name: forte-drop-secrets, key: S3_ENDPOINT }
            - name: S3_BUCKET
              value: "drops"
            - name: S3_KEY
              valueFrom:
                secretKeyRef: { name: forte-drop-secrets, key: S3_KEY }
            - name: S3_SECRET
              valueFrom:
                secretKeyRef: { name: forte-drop-secrets, key: S3_SECRET }
            volumeMounts:
            - name: work
              mountPath: /work
--- a/apps/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml
+++ b/apps/overlays/upc-dev/forte-drop-postgresql/resources/postgresql.yaml
@@ -0,0 +1,105 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: forte-drop-postgresql
  namespace: forte-drop
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: forte-drop
    app.kubernetes.io/component: database
 spec:
  type: ClusterIP
  ports:
  - name: tcp-postgresql
    port: 5432
    targetPort: tcp-postgresql
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: forte-drop
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: forte-drop-postgresql
  namespace: forte-drop
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: forte-drop
    app.kubernetes.io/component: database
 spec:
  serviceName: forte-drop-postgresql
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: postgresql
      app.kubernetes.io/instance: forte-drop
  template:
    metadata:
      labels:
        app.kubernetes.io/name: postgresql
        app.kubernetes.io/instance: forte-drop
        app.kubernetes.io/component: database
    spec:
      containers:
      - name: postgresql
        image: postgres:16-alpine
        # NOTE: no securityContext. The official postgres image's entrypoint must
        # start as root to chown a fresh /var/lib/postgresql/data, then drops to
        # the postgres user (uid 70 in alpine) via gosu. Forcing runAsNonRoot here
        # breaks initdb on a fresh PVC. Matches the vaultwarden-postgresql pattern.
        ports:
        - name: tcp-postgresql
          containerPort: 5432
        env:
        - name: POSTGRES_USER
          valueFrom:
            secretKeyRef:
              name: forte-drop-pg-creds
              key: pgusername
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: forte-drop-pg-creds
              key: pgpassword
        - name: POSTGRES_DB
          value: drops
        - name: PGDATA
          value: /var/lib/postgresql/data/pgdata
        volumeMounts:
        - name: data
          mountPath: /var/lib/postgresql/data
        livenessProbe:
          exec:
            command:
            - sh
            - -c
            - pg_isready -U "$POSTGRES_USER" -d drops
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - pg_isready -U "$POSTGRES_USER" -d drops
          initialDelaySeconds: 5
          periodSeconds: 5
        resources:
          requests:
            cpu: 100m
            memory: 256Mi
          limits:
            cpu: 500m
            memory: 512Mi
  volumeClaimTemplates:
  - metadata:
      name: data
      annotations:
        argocd.argoproj.io/sync-options: Prune=false,Delete=false
    spec:
      accessModes:
      - ReadWriteOnce
      storageClassName: upcloud-block-storage-maxiops
      resources:
        requests:
          storage: 5Gi
--- a/apps/overlays/upc-dev/forte-drop/forte-drop-pdb.yaml
+++ b/apps/overlays/upc-dev/forte-drop/forte-drop-pdb.yaml
@@ -0,0 +1,24 @@
 # Keep at least 1 web pod up during voluntary disruptions (node drain, upgrade).
 # Pairs with replicaCount: 2 so a drain can evict one pod while the other serves.
 #
 # Selector verified against live forteapp-chart deployments (mcp10x, argocd-mcp):
 # the chart's pod selector is {app.kubernetes.io/instance, app.kubernetes.io/name,
 # component: app} where instance/name == the ArgoCD Application (Helm release) name.
 # Using all three labels also disambiguates the web pods from the forte-drop-mcp
 # deployment that shares the forte-drop namespace (its instance/name == forte-drop-mcp).
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
  name: forte-drop-web
  namespace: forte-drop
  labels:
    app.kubernetes.io/name: forte-drop
    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
 spec:
  minAvailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: forte-drop
      app.kubernetes.io/name: forte-drop
      component: app
--- a/apps/overlays/upc-dev/forte-drop/forte-drop-secrets-sealed.yaml
+++ b/apps/overlays/upc-dev/forte-drop/forte-drop-secrets-sealed.yaml
@@ -0,0 +1,24 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  name: forte-drop-secrets
  namespace: forte-drop
 spec:
  encryptedData:
    BASE_DOMAIN: AgAFybdBryVb2AQuGQC8REXzW0YZlyycJp/KeXnROkW71UjDe4qMAWkWszrJWxZMvAPO/tXmibp7jEol6aB5GKG0k3tswWoprTFXLd9CMR2U9SWR3ZCol4npPXo7uOxhBcNSVt+cDXyejSiFTi6goY2oOtbKAJSF9Nv7Z5ePaqhhFni3ntcmM0S1Ad1l3QR7VvyazHFBXfO0b8Z9NgYsUNbGrXWDwoSAZIv3ly3wx90AXn+dXX5FNPtl9CtyAVhHsl3liwQdhEwS2krZZjj7NiQTCfNXp7BSB9ZETpo9KkoV4AZNy1zupd3HpeXHsyhHjq/JqXIAF3iFU0tZTWjhcwnehYdEU5oduwfLCWym5PYgpiQAGiazpkm1Ss3/PYpZYnR2nWv60b1Pa5i79ZiPNi4GL67AiWoJDw6QxV0Kbzi0AvUkZI1E2PeIJvv1w9NKdMRo49xK8LUx2qSTpWeqRP+1kzklHqclTuNVxiWtR2wUgdoLzvU7p5ETu7kPEmaoE8rYw4dKgQvHlMok2Ky2JsELGBkCiYjUN75T+yNlGs5dzbiwtWOja/r0dJ3ZGBQjcK4/BbTLiMYsrxmJTPPF/2zhCOlFY6cfcRMmc7Mwr68mK9m2rTOJQNjBMDoASiqVMmeSqfRSln7JNb1pAeq4xcz9YJMBJhPy2XNiBvRJK3pGIjVcNST0jSpic1X01NJTy7aFbcniZzYnsKJV61AQb+daGEsB1Ib3GnJ+Rv8+9NfvWg==
    PASSWORD_GATE_SECRET: AgDIiAPb7bCpTeORoZXIn7Is/yKT7Qm+qSexgmXuXpe+WaLCJDWM5uOlvxp5tbtK2KD3SNtUDrOJQYfWYBOAPrBMBnSpDr8Ie7/wlJBxXCfROk1TldOU3s5O+5OnFfTDS9rAdcWdZdJ+Bt0aktnpuHJpjdurFca5o8ne5SRwYtGk6mNinCYRcnwMApZ9Y7IxvC9xzOi1QIhoOepMrotRkVJtbrXiclN5cI+P/nU8LaGwM4AEJtO3L8zY5QK30SZ/Tsz20Qo8HHGdIBLhHbhTALrFe8+n+Egda66Vr1DkKgDERW59PeWBd6xHCRGNuAk2ZzUmuiN5DJmWgacAGy9QblMMjhOIGKgiqsd4jx/8wC8FoyxBSstGFajahL2C6oFzCpbp5NiS185znN0ohJXqQzkp5RbcBliSYUZgHC8D1jDGxzcTksD2Hgh2NIAlJOStsfB3fUb6hWIFzxim0lyP9kFM5y92Sf5B1/h6PeHKOi1CMC5RFAEKhoyM4W1W+NxASJeT/NptTehcrjBPxLVKBPh/qgMcuNYNk34EB0asELalYBJ5cxzt31LLiLE/uDxCydXiSk7ACho7LxNffcUUakEwwsJDmjFiCscu83TfZq2vw5/2bgOzUng4XGDBgYwwr/KEHueGX4Keg255R3KqxyiMSKDi4CUEtYShjSsSYwU62rdogOQu20N3HGVn+/CksqKky7GoD958d4PwT5MGJwQhp8EjemBomDxTKNsO+C4moMNZpAEBtPlP65Lc1cfcaLlaFrwP4VtYHLXXBIvMzCC+
    PGDATABASE: AgCCkY7AUaoy2V+fRXrEeLODlHOTXWXmWCW6MBWEY1J32QrN0bWUmwDdTxv5KHchbhH8lra9bABNOGfRcz59GIg8fH3fwTWOE8luh9cD50QkphjZPe9eGXc6YzheG0CG5hDnUoiJjnP9/l5cZc6sRxAo7for/bbLa0zja3VMzI+NMhVVRZT01G5R/Aoyf+B/TGm4mYbMyWAIgEEfjl50yIkc4WscfQrRkbxAtBF2qFuS3OL95TYSRULBAt0f3Z2WpCdS2b/pUyHJuuoi8aTo1a9QLFMrUdxVi6ydIKaMcx8xR8DlXQLOOdtIQu4TrgzGX2MgHwrbWuf/SFO5IWB/6/JI3yubo+i88M9LwPKsGeslcquoBG3Ibqlnmw8pcPrXUwBq2BowjAqpGsxdiR5XIi2j8QnpA8dTmFARX9CWKHoXFH5+uxx7SSTPG+izlGtVspsu5xx3F8MZ6eStInCyBimTVrn74+IvMPEBrj7wThO6Bl9EA3POkTRf6AmjuPItTgZK8lfXY/t0qDN5zApeB051+jSGZ0/o4PaY414vCm/+OteuCAI4ooCpDOwG3QD52VtpmoAvGjtuWExrvCHMW+hTIxsNbYJ+2SE1oQy8n8J5kKK+AU/SnYf/VEpbawHrpU48g6sDUHQzzPhoLN41j67qopmfRZAo1r5Tb4n7MnEOF3Yi7aT3lE6JvB3gZUSRqnDYSWObTg==
    PGHOST: AgCWDPCQ4P+vPKQXmzNspODUJYVidwQDzFRxY8JDj5JYW1u+2xK8LqE2uWWYCW3YjF+H6yJoH6gu35KqOtjm0E23zMlknwZwkK+L93J/nrnNZHCznoub9jEzaAsTRhytvuIUBPQnFulP/t9Q04RjmR9c14puS7VS/tM57/cLq5zq/BiSYL3Wx2lblE7Xn6k44+8robPP3YkmlOuqziM1li/qevB/jxRV9YFjIpCz6D7WG6Kkx9CA6fzgalMJ5ErUVTJOuLDDty3qKd+9mg4WCLahjyzhPq/rIPUFE77EBDCulnnlMyvOSPSP7pMzkaNR1Ce3cOxOYAZ5mO2u5Y5pXt34V8iPe87N85KHQNZTu1Mu5ELMLdhEYOlO5ZX2x/RsdEuriWz1NW8MC57pEUGE/XrFhDe6x80eHi++qDRat2d04rTBOtlceZMmPVxs8tTa3VaD4PepekSogddLVooscLL7lYIpyR0Q6qOA1NdF2uOpx7hf6QLY1HeD4V8RSVVxV9uK5lUTrnBjtU/aUwnGs0xKxVNdBEKwG5Kh7qdsgyBiEa9V4Y2ElteGHave4J7xzimdASrbgMnlgIfcMuo94eX/0M0BAmpD4bEByMCWbcFgAfNnIOpXLZvoEfZ3DxVysmCzD+0nq+CEatdOjKp11EKbtf3H4PgnKqWDe2p8FNPXhev60CMhFvXS/QYg9fe2YJt/wqcN5MstCej4IuiOJkuFJ0UhZ/F5760xhuPYCUWP1suIVZM=
    PGPASSWORD: AgBH32G+EUtc3jzGCA9bf27TCbzgK9xz+r4dqd0QQJL9xHbqgOARGVVaQ88AOkWV5VgYjqc/GFp51jLzVOHxgLdkqO/oCBuX9ajQEoGfq24AxFnaB7fh+Vlc3/N9yhT8lWoxHmHjyMVeX75g/9KvhNaRKBgiWQNHlt1C2FNh1h3U/aMfWVJIENmKKH2A5sxWe5haB7nynZc9r1QXBQKa7XVpuxAFXDHz3j3cFyR5Qflp+ac2APEM1/xbiaZDgkBtBd6dsDoCP56Dr1m91kaRGgbeX6WmRJ/Y89WAp4yt3QVfa8uGL1+DrBBMcfB1nAQKA45eZjPE6zTOEHxgTETCcmXJQiOzttDmBHRkIClOLLipgGDJwMqtgQoEMoJKjXMC0rsRy0NVRmibZa310R3PQjuHrQXxRD9ZAXkYg3opwLKeKi07b/7mvLHr7hU81fkBGnqNm/6heOSAqDZfRdregbBbcI/go72aypn2vQ5R+ozCdfwcp1tGla8FGpkI+zAdBKihp5Yo21VZ83FlIMq2JHF2+tv58C+LFeyqL1nr6BUmGKUQ+lEOnRzGYo1sbO5wBChc6yP3ZbzZYfxfvXAdfDY7vZUsareOC4uyR1wDnIiJgQ4kqmAKf7HulJJatKNgsvbmukj7c6lHLsfFRg5pwLO6iese9TZgtima2wkdcRpHSdt4ycnyHbwrEZ4kepfFlN1pGUl573/3l2cOdzO+WLCqV96P5myL6OOmCTxOaLdSyA==
    PGPORT: AgCXyGjhlTcq3ffD+ZZZxe5gvqRLQl2MYGl7SfJDjw4LMdr3iojAeQNdYZIeZN4Bec9thhz1DI/Bc5Iiw5TiB3MAAvl/XtQM/T23JrSlUsfqECuHKQGw5kkgeVCds4j4d/IHFt9yBv4W4+ogcL5TZIGGgMiKa/99T77xgE4OqjeqqC+bpFuLObiKt5sYcqcHl2DDshTy4xeukfdA2yI3N9Tq7zfbLpZUKHWWe1gE+FbA0s+QA1ZCYv9uEtu/E5BWOYxE0u4GKhMDfMpguks0CNnIoRpovY3vmOxzFtqa7RpPoQrQtEN2Xtizu/G8K8p+mZLQ0cf3KX0rwp8tAsVKWrp8FYOy6+2OLYlhmDl1hK+M15czaL60DVBqiRIlQFdj9K+s5KQ0qfsG9m4v2WPSeCLEKwcsyLyq9vzXbDKwcMN2DOMOan8VDo04UZzkfdZa3lztfw7MWIdpvB0+cpgK3mdbbPCqSIQ8UTjeSVBgEz4EPUds81W8gqAgmeVKpUQplgFuLNwCTnCkuMSNiA93D3dgGccXzXiDrIBIcLzxHAWr0XEjISyD/pmNEowbDvXB5yRlNi1ZB5AHsRPurUYs4XtZN5ar+sxyex78tG18OkcBbABatBp3ol28Rs1LEN+HJupzNl4XDUx35/j3t/FPcw9PkcF+hzaQL7aWj4EDEWfjlzz5FEBlU5N6sd078tB79TpasuIk
    PGUSER: AgDH9oSzu61NVOUlK7Evr278VuOx7ZxZgdsk+kdJmwpBGX7r5gmPrdomh/mqLYTuLokkanFiTfchRWHc76FvjbA/KxqwCq1qsZbW+dXrRtx/z1wQApKxNUJ7JolwMwP7tHE6QlGzO2mWj6RUROnhKpNybJXVvC3E5sSyz2QWC9hjamQP997RGA9yiiT/OShC7I6drFYR5cRDtpjW7Sy46qhMwlCRppiKh3wOV7qIAa0aPQE3Rfcg2WpK2ugRL1N+SiVnM+wPQwYVLiDaVF40vP40Kari99hIgmhcbjPeGG3kGX5VLww9KGm7iryrW3Yx45L/CCh1arUUpjkK2FGLVKtb3+YmDadnOA/I8Rr5kebhoMc93E3U3+mDfQA3cO/23xgpOJEGRCQwBlN9mazqkdq4zQkb4+nuxsdyQcxYtncgxhfCcZ0mXnbX2aW2kYcxKqa/jNjBcEpGMvos7dq6QzNq2nHrITo15S74M0292CAje2NFvKURA/KZnT26dDw3e5xa74E1nI/tBJEHWrUwRXpPu7naCZ2sZMxQV6ixQMuDakx3YamXZmMwgFO2FZ6ZL9BDDsbV4+JAsNwEaHGIIaTbE28R/xPIcUqcxrQV4ZWmHnJXFGyJ0XXxJ57GGjs7QwvvzAm+9WGYtlSC6H/8rX8uZIQLr3llVbJMuLpIv45i3p0Nkx8jyxGSG3rNQ4l3K0rjly2qZg==
    S3_BUCKET: AgBcx2UvWafkVQ4fc+Xuc+gCLm5O5DceYSYBslL1bd8p4hKI/2hJF9z9UoLyAedyyrx8pHizcugkcIccrV1iyfQod2lDrivVJCy3qHz0mrQ6ZCOAk9ApNJTYUn+x/AYZL9EKVj/vfEzSwOTqlri6H53aUrZr8lv01TqLcrZDeG+jv64psydYKmSESkPl0iQ9DOx2sGkowNYbiTjux+ED9yXDMDdzojhMepbuUHhjNr7V7Z2NpX8+pNVz2o8o/oIA0zAJs3+C02018N3cyJ9P9BP2/qR6N31aykyI4P6GU5WlL0CDGKaheYy9ukM5x8SoU87yZBHLUxN0MhrMVKoFswU6CwTG/A8Gjkp84ce2cvlnuXP6JEMlqgSb+O+SeCH8+kwL9A87xmb42OOXSGokS188/2/13b6S733WL81B0RX1X1pOfWybpJzDhgiOC3Pjn18ItVHjKw3FlY6kwk1+P1vbZoRl343avRdyQyJam28A9UvZeTG+ac7drRTDndKYKGP8IWg/A32MEFSiKHsvnRQoYE7KORyzJxp610L1+w46KOUF5VF2afch02Jt4uLcmCOyUb6LdcWln3Jiz+wydJI1HK1RPio5oUT5d5se3K3DCa+GffbPMorHe/SdzqaBH2+uBcQn+wZO7JC1ei7hz4U1xdV41gkG1uq7Xz49ymW6P7G6qUr65MtvD73iMRlnJt/mdkw5UQ==
    S3_ENDPOINT: AgDA5n96LeW1spJfmm7f9lcus5Ndv/91HAlhOfv0YwP+9R8rQhKF1sEL9Oi7Fpd4VJCQi9vDbeWYjGOMtsMqsLJivcZK6367rdSqL/YpKax9SkDgU+UG5Bpr5SDv4p5C3/J4+GPkZV+BduJQlNVPycTrdM80VBK8aALCNs7gGxy68v6mMgI90MpTp84ZeWgtJ7ZpTySivpwgycwcezldJTYDDjOvVfbK79trsRzDtjbAZzbDn0M8At4LYAfY7JTqcdCRHSGnzyg+81CX2jjyMOH0K55SsIqPEBdXqvh+VmC+jPyFMzfAN5hA8+otWTXfI7VucxAMZtRUiLU3I4/kIO60OkVjEf/SWrJv3nKb85aVfvRZ9k/A7kJ/ysKTXz2/iSAHU1DHTJlMW7SfhXciotx1p3BWOREF0QAQvrNCURFP+eZogBCIuiP38fD0gHkhG2BZkAY/OVZTr17a3F02kwemAuJ85hgUf0iwFV+/LD6X2OiqM85lnac/3B5Qp7UQf+Enn5RTqd90Pk/7QtAf/zTDmfxiWTkwpKXeQ62xcnHL9dQnUmDDs16eJZd04AJGgT8yrC//2lVOht7u6KuyG/+JXRxLBXAkGkr68lHBBuGmeVZ/t7ChL2Asyfu/uUTl9E1BOUfNvZXxwyLgqueL0Uw/MGLgswBsP6pYNGraMF+K5v7dse8cUxpyqk3s1C1zqoAhkehsCBtTjI+hF90G9Nh6mVSocoH12znt7fgUnwNbpg==
    S3_KEY: AgAiciTM2ZNVlU1M1CNNXLkhCEYYbO7q5+Mp/DoC4OHBgIDKVfHurH39Dniuwxe6DcvE3vG2glRyTxQEg/ASLcwa7HBwBAwXe3wl1tRGM5Bp40/Vq935BXpkhcdp2fSoup8lPEbKS8q+L5LOqUlx7jmnkHXbI1tasz63KE8O9RUFDdQ8Gxy3nn/u4xkvibYxwmo60ApLKYgOu/ODPEETrWBcITHAVFUxbA8Kr9X9mPm3VpfrnFcUlxsCFr/zZwE/Y01eWdi8GGafb+apDPKMd7mAsLHFcPIQlpkHVT1M21qwwntZg9yV0RBACNu5BVPUgbmtUOQeWYMXn3FE+NJ7ajfdKAUCcEUV/f4s00b0S7jJTJwOUixDquMKSfu00AwDRCs8UcouikZe110uWnfEF3tVE0xQGF/3ItLni9VugBz7wQv7ACvmwnHmX5ZcjE0hxYcIS7ABWgHOZxgWoRWPao8eNAATipafcVIG1szl5ZMNTmAqHFyp2dlNU3zaiW6fz4q4CU7SrlhsrtqYM788qHvpJvDpFdF/i6oitH9CgpwmdCpH6YbBXxatnkWq9bqjEFcSZGDfDyT+iZaoPwhiOfaEoCyKlZ9RLLaK3E8zFcCDRXHnvnkqPtP/+VG30xz9pIat2EVB1N4b/kVIrr+fIM28mwk0vkC/tU8T55GF5BZr7VaYedHM9DVcQ4OJl7Ctrc9Ki8PXrne8gywyomA0F+YY9lxdDw==
    S3_REGION: AgAAHTbNQ3gGnvg67ck2N5zSKKhMwR1j6pi/tZzYMEPK8jSnDTBkLYAt6ZVRtdsO+dG9kjnMsc/xTUMxJspbvQkgLSd9mG5FzJ37rBn+azCCSTDYBKq2ddGK1Yf/9w7MxOgN8aCyD4QCFOzR0EI49GbVYQynxDD5BwYuf7y4t2xCYt5wRGsjyNAmH3202Z90XKUkts8Na1hyD+xrrtrAtNfugyZqKo2WUSsHu82TD+cu5xZI51oQ9w9Mh9LaH3nfn/X5S+t17TjYvI7/c6hOwCVv10OdoaZa+SzqOvy7XxnqAShAYkPqJKfWhjecE1b9c/Cun32X4MRI0GBWyA02z4nR+WBbaVmasicx6hchVn8/wZeKMIl68F5LE7184MKKPNNwqsYslwFhuWq8dEw3TaVvnWgx3+cSMiX15SBwcLtE2UzJp+jjN/dpQ2MM0+6uV1GK4mNso5JAwGpUUUi2i+V1Ng7uXipI+5J9w6K0IMg1puGqFyahby42saSuH6vuPnjSx+2dXQTlgbl2SvCBoCgyOOJs4q5IafEvupAmRCNzx2HHv8/z6CFbSQZITQ3plmyNGLFXjynVw/6Q1PD4z3Pows4uVcYOEPbC0UoaXVgwgdBWa2N44BUhpdbqJUCyKuapLigpjKujG43jmdLzuk6gaPeH7SJTZKr624vs9hrGhzQYKdl6FZOQhmCFRDKXVCUiH2Z2pfwd3oo=
    S3_SECRET: AgCcVQ7YtBAGpKBm+rE/hQBHrFlX5O0JO94xkZeoAppA9Tf8YR/PguZRGBWgLdNEJRI8C08lRRCUX3PY68jTySyjamb32iQkslOXGjAfnULeNGoGg05nLY2ZDYCEom6ieL8cc2xfbrV3yHoPQ7yVz9vcLjh1vATxyfdkqMapl8FpvQf0k0Zecmw3rLWE9y6vAn6Gb+/CWTnuhcW/8uDykmjIBTDQQddWshaZi+HosHyDbNxlnGj4U8mie68wytpS+Unp1gIWWE0hvelqO/3OUEEBB1OYMLV2DW8v86HXAE1Ix9jiCpSbyB+UzjOlrE/p4fJpeG4FtUC+/5ibRSxxgQRQYklKFJmdRDYWUnOngjgcT/Ewe41mTrpCUvb+jtir68pYLmVrLoha7S60w1YQHNkDAN2GftOyBjkkt6MtUDNzvNkfnKqKGUWyDSC27yfJdE/9k/4lDxQs0Sp20kIuz66/culBpg/s/oPSNs4SolCqG3GVLlKL775uqwLLuDN3txlPLb+Ex5vZAUapke+rn2zXzJVc1qlPfI/96vSEy6cx58LXdBadmBXn6c4Uy2MDa66EwsxOMXxzGLTd7AGkd5oeQVYfVPdTfGV5zx1AdzQhP3u/DD5FhKeWGDOr21iYB2jNm/P/hw0nFP2pf83W4/jLzPvuth1LF/WLF8cjclnGbcep2Kxrh/Xq0LmufofuVJyEI9/fl6onl5KIa6ZnVBJ8TsQesXJtNEKt9cPHiCvBKfLj5C+a4FlY
  template:
    metadata:
      name: forte-drop-secrets
      namespace: forte-drop
--- a/apps/overlays/upc-dev/forte-drop/forte-drop.yaml
+++ b/apps/overlays/upc-dev/forte-drop/forte-drop.yaml
@@ -0,0 +1,37 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: forte-drop
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
    notifications.argoproj.io/subscribe.on-degraded.slack: ""
  labels:
    app.kubernetes.io/name: forte-drop
    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
      - $values/forte-drop/values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: forte-drop
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
--- a/apps/overlays/upc-dev/forte-drop/keycloak-client-forte-drop.yaml
+++ b/apps/overlays/upc-dev/forte-drop/keycloak-client-forte-drop.yaml
@@ -0,0 +1,38 @@
 # Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
 # to the keycloak namespace; a CronJob registers the OIDC client in the forte
 # realm and writes the credentials back as forte-drop-oidc-credentials in THIS
 # namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
 # registrar-created Secret automatically — no manual SealedSecret step needed.
 apiVersion: v1
 kind: Secret
 metadata:
  name: keycloak-client-forte-drop
  namespace: forte-drop
  labels:
    keycloak.forteapps.net/client-config: "true"
  annotations:
    keycloak.forteapps.net/source-namespace: "forte-drop"
 stringData:
  client.json: |
    {
      "clientId": "forte-drop",
      "name": "Forte Drop (web)",
      "enabled": true,
      "protocol": "openid-connect",
      "clientAuthenticatorType": "client-secret",
      "standardFlowEnabled": true,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "publicClient": false,
      "redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
      "webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],
      "defaultClientScopes": ["openid","email","profile"],
      "secret": {
        "namespace": "forte-drop",
        "name": "forte-drop-oidc-credentials",
        "keys": {
          "clientId": "client-id",
          "clientSecret": "client-secret"
        }
      }
    }
--- a/apps/overlays/upc-dev/forte-drop/kustomization.yaml
+++ b/apps/overlays/upc-dev/forte-drop/kustomization.yaml
@@ -0,0 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespace.yaml
 - forte-drop.yaml
 - keycloak-client-forte-drop.yaml
 - forte-drop-pdb.yaml
 - forte-drop-secrets-sealed.yaml
--- a/apps/overlays/upc-dev/forte-drop/namespace.yaml
+++ b/apps/overlays/upc-dev/forte-drop/namespace.yaml
@@ -0,0 +1,17 @@
 # Owns the forte-drop namespace shared by the web + mcp deployments and the
 # postgres StatefulSet (infra overlay). sync-wave -1 ensures the namespace exists
 # before the namespaced Secrets/PDB in this base apply (avoids a first-sync
 # "namespaces forte-drop not found" race when the business-apps parent syncs).
 # Prune=false so removing this base never cascade-deletes the namespace (and with
 # it postgres data + the mcp deployment) — matches the earlier decision to keep
 # namespace ownership decoupled from any single workload.
 apiVersion: v1
 kind: Namespace
 metadata:
  name: forte-drop
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
    argocd.argoproj.io/sync-options: Prune=false
  labels:
    app.kubernetes.io/managed-by: argocd
    app.kubernetes.io/part-of: apps
--- a/apps/overlays/upc-dev/kustomization.yaml
+++ b/apps/overlays/upc-dev/kustomization.yaml
@@ -2,8 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 - forte-drop-postgresql
 - forte-drop
 - forte-drop-mcp
 - dbunk-demo
 - feedback
-# No patches needed — base already has "upc-dev" paths
+# No patches needed — base apps already default to "upc-dev" value paths
-# upc-dev is the default/base cluster
+# (upc-dev is the default/base cluster).
 # forte-drop (postgres + web + mcp) and dbunk-demo are upc-dev-only apps — they
 # have hackathon-domain hardcoded values and must not sync to upc-prod, so they
 # live here in the overlay rather than in apps/base/.
--- a/cluster-resources/argocd-notifications-secret-vault.yaml
+++ b/cluster-resources/argocd-notifications-secret-vault.yaml
@@ -1,15 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: argocd-notifications-secret
  namespace: argocd
 spec:
  type: kv-v2
  mount: kv
  path: argocd/argocd-notifications-secret
  destination:
    name: argocd-notifications-secret
    create: true
    type: Opaque
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/cluster-resources/forte-helm-repo-vault.yaml
+++ b/cluster-resources/forte-helm-repo-vault.yaml
@@ -1,16 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: forte-helm-repo
  namespace: argocd
 spec:
  type: kv-v2
  mount: kv
  path: argocd/forte-helm-repo
  destination:
    name: forte-helm-repo
    create: true
    labels:
      argocd.argoproj.io/secret-type: repository
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/cluster-resources/forte10x-repo-credentials-vault.yaml
+++ b/cluster-resources/forte10x-repo-credentials-vault.yaml
@@ -1,17 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: forte10x-repo-creds
  namespace: argocd
 spec:
  type: kv-v2
  mount: kv
  path: argocd/forte10x-repo-creds
  destination:
    name: forte10x-repo-creds
    create: true
    type: Opaque
    labels:
      argocd.argoproj.io/secret-type: repository
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/cluster-resources/mcp10x-repo-credentials-vault.yaml
+++ b/cluster-resources/mcp10x-repo-credentials-vault.yaml
@@ -1,17 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: mcp10x-repo-creds
  namespace: argocd
 spec:
  type: kv-v2
  mount: kv
  path: argocd/mcp10x-repo-creds
  destination:
    name: mcp10x-repo-creds
    create: true
    type: Opaque
    labels:
      argocd.argoproj.io/secret-type: repository
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -245,12 +245,6 @@ spec:
                secretKeyRef:
                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
            - name: AUTH_OIDC_IDP_HINT
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-idp-hint\" || '' }}"
            - name: AUTH_OIDC_BROKER_ALIAS
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-alias\" || '' }}"
            - name: AUTH_OIDC_BROKER_TOKEN_HEADER
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-broker-token-header\" || '' }}"
            resources:
              limits:
                cpu: 50m
@@ -330,8 +324,6 @@ spec:
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-public-paths\" || '/healthz' }}"
            - name: AUTH_MCP_SCOPES_SUPPORTED
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'profile'  }}"
            - name: AUTH_MCP_IDP_HINT
              value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-idp-hint\" || '' }}"
            resources:
              limits:
                cpu: 50m
--- a/cluster-resources/policies/label-checker.yaml
+++ b/cluster-resources/policies/label-checker.yaml
@@ -1,40 +0,0 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: require-labels
  annotations:
    policies.kyverno.io/title: Require Labels
    policies.kyverno.io/category: Best Practices
    policies.kyverno.io/minversion: 1.6.0
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Pod, Label
    policies.kyverno.io/description: Define and use labels that identify semantic attributes of your application or Deployment. A common set of labels allows tools to work collaboratively, describing objects in a common manner that all tools can understand. The recommended labels describe applications in a way that can be queried. This policy validates that the label `app.kubernetes.io/name` is specified with some value.
 spec:
  validationFailureAction: Audit
  background: true
  rules:
  - name: check-for-labels
    skipBackgroundRequests: true
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system
          - istio-system
          - argocd
          - cert-manager
          - monitoring
          - secrets
          - kyverno
    match:
      any:
      - resources:
          kinds:
          - Pod
    validate:
      message: The label `app.kubernetes.io/name` is required.
      allowExistingViolations: true
      pattern:
        metadata:
          labels:
            app.kubernetes.io/name: "?*"
--- a/cluster-resources/vault-auth-argocd.yaml
+++ b/cluster-resources/vault-auth-argocd.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault-auth-argocd
  namespace: argocd
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: vault-auth
  namespace: argocd
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ns-argocd
    serviceAccount: vault-auth-argocd
    audiences:
    - vault
--- a/docs/DEVELOPER-GUIDE.md
+++ b/docs/DEVELOPER-GUIDE.md
@@ -60,16 +60,18 @@ If you do need cluster access, install:
   curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
   ```
-2. **vault** CLI - For managing secrets in HashiCorp Vault
+2. **kubeseal** - For sealing secrets
   ```bash
   # macOS
-   brew install hashicorp/tap/vault
+   brew install kubeseal
   # Windows
-   choco install vault
+   choco install kubeseal
   # Linux
-   # See https://developer.hashicorp.com/vault/install
+   wget https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/kubeseal-0.24.0-linux-amd64.tar.gz
   tar -xvzf kubeseal-0.24.0-linux-amd64.tar.gz
   sudo mv kubeseal /usr/local/bin/
   ```
 3. **Git** - Version control
@@ -632,100 +634,115 @@ git push
 ### Understanding Secret Management
-Secrets are managed via **HashiCorp Vault** and synced to Kubernetes by the **Vault Secrets Operator (VSO)**. See [Vault Secrets Operator Reference](vault-secrets-operator.md) for full details.
+**NEVER commit plain secrets to Git.** We use **Sealed Secrets** to encrypt secrets before committing.
 **NEVER commit plain secret values to Git.** Only VaultStaticSecret CRD manifests are committed.
 ### Creating a New Secret
-#### Step 1: Write Secret to Vault
+#### Step 1: Create Plain Secret Locally
 ```bash
-vault kv put kv/myapp/myapp-credentials \
+cd ~/dev/k8s/launchpad
-  API_KEY=your-secret-key-here \
+
-  DB_PASSWORD=super-secret-password
+# Create secret in private/ folder (Git-ignored)
 kubectl create secret generic myapp-credentials \
  --from-literal=API_KEY=your-secret-key-here \
  --from-literal=DB_PASSWORD=super-secret-password \
  --dry-run=client -o yaml > private/myapp-credentials.yaml
 ```
-#### Step 2: Create VaultStaticSecret CRD
+**DO NOT commit this file!** It's in `private/` which is Git-ignored.
-Create a YAML file (e.g., `apps/base/myapp/myapp-credentials-vault.yaml`):
+#### Step 2: Seal the Secret
-```yaml
+Seal your secret:
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: myapp-credentials
  namespace: myapp
 spec:
  type: kv-v2
  mount: kv
  path: myapp/myapp-credentials
  destination:
    name: myapp-credentials
    create: true
  refreshAfter: 30s
  vaultAuthRef: vault-auth
 ```
 #### Step 3: Add VaultAuth (if new namespace)
 If this is a new namespace, also create a `vault-auth.yaml` with a ServiceAccount and VaultAuth CRD. See [VSO Reference](vault-secrets-operator.md#vaultauth) for template.
 #### Step 4: Commit and Push
 ```bash
-git add apps/base/myapp/myapp-credentials-vault.yaml
+kubeseal --format=yaml \
-git commit -m "Add myapp credentials (VSO)"
+  --namespace=myapp \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
 ```
 #### Step 3: Commit Sealed Secret
 ```bash
 git add secrets/myapp-credentials-sealed.yaml
 git commit -m "Add myapp credentials (sealed)"
 git push
 ```
-ArgoCD syncs the CRD, VSO creates the K8s Secret.
+#### Step 4: Reference Secret in Application
 #### Step 5: Reference Secret in Application
 Update your `helm-prod-values/myapp/values.yaml`:
 ```yaml
 app:
-  envSecretName: "myapp-credentials"  # VSO creates this K8s Secret
+  envSecretName: "myapp-credentials"  # References the SealedSecret
 ```
-### Updating / Rotating a Secret
+Commit and push:
 **No git commit needed** — just update in Vault:
 ```bash
-vault kv put kv/myapp/myapp-credentials \
+cd ~/dev/k8s/helm-prod-values
-  API_KEY=new-key-here \
+git add myapp/values.yaml
-  DB_PASSWORD=new-password
+git commit -m "Reference myapp credentials"
 git push
 ```
-VSO picks up changes within 30 seconds. Restart pods if they don't watch for secret updates:
+### Updating a Secret
 To update an existing secret:
 ```bash
 # 1. Create new version of secret
 kubectl create secret generic myapp-credentials \
  --from-literal=API_KEY=new-key-here \
  --from-literal=DB_PASSWORD=new-password \
  --dry-run=client -o yaml > private/myapp-credentials.yaml
 # 2. Seal it
 kubeseal --format=yaml \
  --namespace=myapp \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
 # 3. Commit sealed version
 git add secrets/myapp-credentials-sealed.yaml
 git commit -m "Update myapp credentials"
 git push
 # 4. Restart pods to pick up new secret
 kubectl rollout restart deployment myapp -n myapp
 ```
 ### Secret Best Practices
- Write secrets to Vault via UI or CLI — never commit values to Git
+✅ **DO**:
- Use meaningful secret names matching the KV path convention: `kv/{namespace}/{secret-name}`
+- Store secrets in `private/` folder locally
 - Always seal secrets before committing
 - Delete plain secrets after sealing
 - Use meaningful secret names
 - Document what each secret contains
- Use Vault's versioning for audit trail
+
 ❌ **DON'T**:
 - Commit plain secrets to Git
 - Share secrets via Slack/email
 - Hard-code secrets in code
 - Use the same secret across multiple environments
 - Store secrets in Docker images
 ### Where Secrets Are Stored
 ```
-┌──────────────────────────────────────────────────────────────────┐
+┌─────────────────────────────────────────────────────────────┐
-│  Location                  │  Content                │  In Git? │
+│  Location                │  Content           │  Committed?│
-├────────────────────────────┼─────────────────────────┼──────────┤
+├──────────────────────────┼────────────────────┼────────────┤
-│  Vault KV (kv/{ns}/{name}) │  Secret values          │  ❌ NO   │
+│  private/                │  Plain secrets     │  ❌ NO      │
-│  VaultStaticSecret CRD     │  Sync config (no values)│  ✅ YES  │
+│  secrets/                │  Sealed secrets    │  ✅ YES     │
-│  Kubernetes cluster        │  K8s Secret (synced)    │  N/A     │
+│  Kubernetes cluster      │  Unsealed secrets  │  N/A       │
-└──────────────────────────────────────────────────────────────────┘
+└─────────────────────────────────────────────────────────────┘
 ```
-**Vault Secrets Operator** syncs secrets from Vault to K8s automatically (30s refresh).
+**Sealed Secrets Controller** in the cluster decrypts sealed secrets automatically.
 ---
@@ -859,13 +876,28 @@ In your identity provider (e.g., Keycloak):
 #### Step 2: Create OIDC Secret
 ```bash
-# Write OIDC secret to Vault
+# Create plain secret
-vault kv put kv/myapp/auth-oidc \
+kubectl create secret generic auth-oidc \
-  client-secret=your-oidc-client-secret \
+  --from-literal=client-secret=your-oidc-client-secret \
-  cookie-secret=$(openssl rand -hex 32)
+  --from-literal=cookie-secret=$(openssl rand -hex 32) \
  --namespace=myapp \
  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
-# Create VaultStaticSecret CRD (see docs/vault-secrets-operator.md for template)
+# Seal it
-# Add to apps/base/myapp/auth-oidc-vault.yaml and commit
+kubeseal --format=yaml \
  --cert=pub-cert.pem \
  --namespace=myapp \
  < private/myapp-auth-oidc.yaml \
  > secrets/myapp-auth-oidc-sealed.yaml
 # Commit sealed secret
 cd ~/dev/k8s/launchpad
 git add secrets/myapp-auth-oidc-sealed.yaml
 git commit -m "Add OIDC secrets for myapp"
 git push
 # Clean up
 rm private/myapp-auth-oidc.yaml
 ```
 #### Step 3: Configure Helm Values
@@ -1095,13 +1127,16 @@ ingress:
  host: web-app.forteapps.net
 ```
-**With Vault OIDC secret**:
+**With sealed OIDC secret**:
 ```bash
-# Write OIDC secret to Vault
+# Create and seal secret
-vault kv put kv/web-app/auth-oidc \
+kubectl create secret generic auth-oidc \
-  client-secret=super-secret-value \
+  --from-literal=client-secret=super-secret-value \
-  cookie-secret=$(openssl rand -hex 32)
+  --from-literal=cookie-secret=$(openssl rand -hex 32) \
-# Then create VaultStaticSecret CRD — see docs/vault-secrets-operator.md
+  --namespace=web-app \
  --dry-run=client -o yaml | \
  kubeseal --format=yaml --cert=pub-cert.pem --namespace=web-app \
  > secrets/web-app-auth-oidc-sealed.yaml
 ```
 #### Example 3: MCP Server with OAuth 2.0
@@ -1229,7 +1264,7 @@ kubectl logs -n myapp <pod-name> -c authn
 - Use token auth for service-to-service communication
 - Rotate tokens and secrets regularly
 - Use strong random tokens (32+ bytes)
- Store client secrets in Vault
+- Store client secrets in SealedSecrets
 - Test authentication before deploying to production
 - Document which tokens/users have access
@@ -1533,22 +1568,22 @@ curl http://localhost:8080
 #### Problem: Secret not found
-**Check VSO sync status:**
+**Check if SealedSecret exists:**
 ```bash
-kubectl get vaultstaticsecret -n myapp
+kubectl get sealedsecret -n myapp
 kubectl get secret -n myapp
 ```
 **Solutions:**
 ```bash
-# Check VaultAuth is authenticated
+# Check if secret is in Git
-kubectl get vaultauth -n myapp
+ls -l secrets/myapp-credentials-sealed.yaml
-# Check VaultStaticSecret events
+# Re-apply sealed secret
-kubectl describe vaultstaticsecret myapp-credentials -n myapp
+kubectl apply -f secrets/myapp-credentials-sealed.yaml
-# Verify secret exists in Vault
+# Check sealed-secrets-controller logs
-vault kv get kv/myapp/myapp-credentials
+kubectl logs -n kube-system deployment/sealed-secrets-controller
 ```
 #### Problem: Secret exists but pods can't access it
@@ -1659,7 +1694,7 @@ If you're stuck:
 ### Secret Management
 ✅ **DO**:
- Use Vault for all secrets (see docs/vault-secrets-operator.md)
+- Use kubeseal for all secrets
 - Store plain secrets in password manager
 - Rotate secrets regularly
 - Use different secrets per environment
@@ -1711,9 +1746,16 @@ kubectl rollout restart deployment myapp -n myapp
 # Port-forward to service
 kubectl port-forward -n myapp service/myapp 8080:3000
-# Write secret to Vault
+# Create secret
-vault kv put kv/myapp/myapp-credentials KEY=value
+kubectl create secret generic myapp-credentials \
-# Create VaultStaticSecret CRD — see docs/vault-secrets-operator.md
+  --from-literal=KEY=value \
  --dry-run=client -o yaml > private/myapp-credentials.yaml
 # Seal secret
 kubeseal --format=yaml \
  --cert=pub-cert.pem \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
 ```
 ### Repository Locations
--- a/docs/OPERATIONS-RUNBOOK.md
+++ b/docs/OPERATIONS-RUNBOOK.md
@@ -188,15 +188,13 @@ Save the following file in private/ (gitignored) folder as secret.yaml
      <paste your private key here>
    project: default
 ```
-Write the secret to Vault:
+Seal the secret using `kubeseal` command 
 ```bash
-vault kv put kv/argocd/forte-helm-repo \
+kubeseal --format=yaml \
-  type=git \
+  --namespace=argocd \
-  url=ssh://git@git.forteapps.net:2222/Forte/forte-helm.git \
+  < private/secret.yaml \
-  sshPrivateKey="$(cat private/ssh-key)" \
+  > secrets/forte-helm-repo-secret-sealed.yaml
  project=default
 ```
 Then create a VaultStaticSecret CRD with `argocd.argoproj.io/secret-type: repository` label.
 **Step 4: Register Repository in ArgoCD**
@@ -501,7 +499,7 @@ See [Developer Guide](DEVELOPER-GUIDE.md#deploying-your-first-application) for d
 **Quick checklist:**
 - [ ] Create `helm-prod-values/myapp/values.yaml`
 - [ ] Create `apps/myapp.yaml` in config repo
- [ ] Write secrets to Vault and create VaultStaticSecret CRD if needed
+- [ ] Create SealedSecret if needed
 - [ ] Commit and push changes
 - [ ] Verify sync in Slack/ArgoCD
 - [ ] Configure DNS for domain
@@ -672,61 +670,92 @@ db:
 ## Secret Management
 Secrets are managed via **HashiCorp Vault** and synced to Kubernetes by the **Vault Secrets Operator (VSO)**. See [Vault Secrets Operator Reference](vault-secrets-operator.md) for full details.
 ### Creating Secrets
-#### Step 1: Write to Vault
+#### Step 1: Get Public Certificate
 ```bash
-# From literal values
+# Fetch sealed-secrets public cert (one-time)
-vault kv put kv/myapp/myapp-credentials \
+kubeseal --fetch-cert \
-  API_KEY=secret123 \
+  --controller-name=sealed-secrets-controller \
-  DB_PASSWORD=pass456
+  --controller-namespace=kube-system \
  > pub-cert.pem
 # Save this certificate for future use
 ```
-#### Step 2: Create VaultStaticSecret CRD
+#### Step 2: Create Plain Secret
 ```yaml
 # apps/base/myapp/myapp-credentials-vault.yaml
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: myapp-credentials
  namespace: myapp
 spec:
  type: kv-v2
  mount: kv
  path: myapp/myapp-credentials
  destination:
    name: myapp-credentials
    create: true
  refreshAfter: 30s
  vaultAuthRef: vault-auth
 ```
 #### Step 3: Commit CRD
 ```bash
-git add apps/base/myapp/myapp-credentials-vault.yaml
+# Method 1: From literal values
-git commit -m "Add myapp credentials (VSO)"
+kubectl create secret generic myapp-credentials \
  --from-literal=API_KEY=secret123 \
  --from-literal=DB_PASSWORD=pass456 \
  --namespace=myapp \
  --dry-run=client -o yaml > private/myapp-credentials.yaml
 # Method 2: From file
 kubectl create secret generic myapp-credentials \
  --from-file=.env \
  --namespace=myapp \
  --dry-run=client -o yaml > private/myapp-credentials.yaml
 # Method 3: From multiple files
 kubectl create secret generic myapp-credentials \
  --from-file=api-key.txt \
  --from-file=db-password.txt \
  --namespace=myapp \
  --dry-run=client -o yaml > private/myapp-credentials.yaml
 ```
 #### Step 3: Seal Secret
 ```bash
 kubeseal --format=yaml \
  --cert=pub-cert.pem \
  --namespace=myapp \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
 ```
 #### Step 4: Commit Sealed Secret
 ```bash
 git add secrets/myapp-credentials-sealed.yaml
 git commit -m "Add myapp credentials"
 git push
 # Delete plain secret
 rm private/myapp-credentials.yaml
 ```
-ArgoCD syncs the CRD, VSO creates the K8s Secret automatically.
+### Updating Secrets
 ### Updating / Rotating Secrets
 **No git commit needed** — just update in Vault:
 ```bash
-vault kv put kv/myapp/myapp-credentials \
+# 1. Create new version
-  API_KEY=new-secret-key \
+kubectl create secret generic myapp-credentials \
-  DB_PASSWORD=new-password
+  --from-literal=API_KEY=new-secret-key \
  --from-literal=DB_PASSWORD=new-password \
  --namespace=myapp \
  --dry-run=client -o yaml > private/myapp-credentials.yaml
-# VSO picks up changes within 30 seconds
+# 2. Seal it
-# Restart pods if needed
+kubeseal --format=yaml \
  --cert=pub-cert.pem \
  --namespace=myapp \
  < private/myapp-credentials.yaml \
  > secrets/myapp-credentials-sealed.yaml
 # 3. Commit
 git add secrets/myapp-credentials-sealed.yaml
 git commit -m "Update myapp credentials"
 git push
 # 4. Restart pods to pick up new secret
 kubectl rollout restart deployment myapp -n myapp
 # 5. Delete plain secret
 rm private/myapp-credentials.yaml
 ```
 ### Viewing Secrets (Unsealed)
@@ -803,13 +832,30 @@ OIDC auth requires an `auth-oidc` Secret with two keys:
 CLIENT_SECRET="your-oidc-client-secret-from-provider"
 COOKIE_SECRET=$(openssl rand -hex 32)
-# Write to Vault
+# Create plain secret
-vault kv put kv/myapp/auth-oidc \
+kubectl create secret generic auth-oidc \
-  client-secret=$CLIENT_SECRET \
+  --from-literal=client-secret=$CLIENT_SECRET \
-  cookie-secret=$COOKIE_SECRET
+  --from-literal=cookie-secret=$COOKIE_SECRET \
  --namespace=myapp \
  --dry-run=client -o yaml > private/myapp-auth-oidc.yaml
-# Create VaultStaticSecret CRD (one-time) and commit
+# Seal it
-# See docs/vault-secrets-operator.md for CRD template
+kubeseal --format=yaml \
  --cert=pub-cert.pem \
  --namespace=myapp \
  < private/myapp-auth-oidc.yaml \
  > secrets/myapp-auth-oidc-sealed.yaml
 # Apply sealed secret
 kubectl apply -f secrets/myapp-auth-oidc-sealed.yaml
 # Commit to Git
 git add secrets/myapp-auth-oidc-sealed.yaml
 git commit -m "Add OIDC secrets for myapp"
 git push
 # Clean up
 rm private/myapp-auth-oidc.yaml
 ```
 #### Rotating Authentication Secrets
@@ -836,12 +882,16 @@ kubectl rollout restart deployment myapp -n myapp
 # Rotate cookie secret (safe - invalidates existing sessions)
 NEW_COOKIE_SECRET=$(openssl rand -hex 32)
-# Update in Vault — no git commit needed
+# Recreate secret
-vault kv put kv/myapp/auth-oidc \
+kubectl create secret generic auth-oidc \
-  client-secret=$CLIENT_SECRET \
+  --from-literal=client-secret=$CLIENT_SECRET \
-  cookie-secret=$NEW_COOKIE_SECRET
+  --from-literal=cookie-secret=$NEW_COOKIE_SECRET \
  --namespace=myapp \
  --dry-run=client -o yaml | \
  kubeseal --format=yaml --cert=pub-cert.pem --namespace=myapp | \
  kubectl apply -f -
-# VSO picks up within 30s. Restart pods to use new secret:
+# Restart to pick up new secret
 kubectl rollout restart deployment myapp -n myapp
 ```
@@ -1292,11 +1342,13 @@ kubectl get applications -n argocd -w
               - pg_dump -U $DB_USER -d $DB_NAME > /backup/dump-$(date +%Y%m%d).sql
   ```
-3. **Vault backup**
+3. **Sealed Secrets private key backup**
   ```bash
-   # Vault data is stored on PVC — ensure PVC snapshots are configured
+   # Backup sealed-secrets controller private key
-   # For disaster recovery, maintain Vault unseal keys in a secure location
+   kubectl get secret -n kube-system sealed-secrets-key \
-   # All secrets can be re-seeded from source if needed
+     -o yaml > sealed-secrets-key-backup.yaml
   # Store in secure location (password manager, vault)
   ```
 ---
@@ -1616,7 +1668,7 @@ echo "Remember to delete: $SECRET_FILE"
 - [ ] Gitea Actions workflow configured
 - [ ] Helm values created in `helm-prod-values/`
 - [ ] ArgoCD application manifest created in `apps/`
- [ ] Secrets written to Vault and VaultStaticSecret CRD created
+- [ ] Secrets created and sealed
 - [ ] DNS record added for domain
 - [ ] Application synced successfully
 - [ ] Health check passed
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -1063,6 +1063,52 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes
 ### Vaultwarden
 **Chart**: `guerzon/vaultwarden`
 **Version**: 0.36.4 (app v1.36.0-alpine)
 **Namespace**: `vaultwarden`
 **Purpose**: Self-hosted Bitwarden-compatible password manager.
 **Configuration**:
 ```yaml
 # infra/overlays/upc-dev/vaultwarden/ + infra/values/
 domain: "https://bitwarden.forteapps.net"
 ingress:
  enabled: true
  class: "traefik"
  tls: true
  tlsSecret: vaultwarden-tls
  hostname: bitwarden.forteapps.net
  additionalAnnotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
 database:
  type: postgresql
  host: vaultwarden-postgresql  # StatefulSet in overlay
  existingSecret: prod-db-creds
 storage:
  data: 5Gi (ReadWriteOnce)
  attachments: 5Gi (ReadWriteOnce)
 ```
 **TLS**: cert-manager auto-provisions Let's Encrypt certificate via `letsencrypt-prod` ClusterIssuer (same pattern as Gitea, Grafana, etc).
 **SSO**: Keycloak OIDC via `forte` realm (client ID: `vaultwarden`). Self-service client config Secret (`keycloak-client-vaultwarden`) triggers registrar to create KC client and sync credentials to `vaultwarden-oidc-credentials`. PKCE enabled.
 **Endpoints**:
 - Web UI: `https://bitwarden.forteapps.net`
 **Database**: Separate ArgoCD Application `vaultwarden-postgresql` (sync-wave `"0"`) deploys PostgreSQL 16 StatefulSet + SealedSecret before Vaultwarden (wave `"1"`). 2Gi PVC. Chart does NOT include a PostgreSQL subchart — must be provisioned separately.
 **Secrets**:
 - `prod-db-creds` (SealedSecret) — PostgreSQL credentials (`pgusername`, `pgpassword`) + SMTP credentials
 - `vaultwarden-oidc-credentials` (registrar-managed) — OIDC client ID + secret
 - `vaultwarden-tls` — auto-managed by cert-manager
 ### AI Code Review (ai-review)
 **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
@@ -1141,6 +1187,30 @@ ignore:
 - Check Gitea Actions tab for workflow run status and logs
 - Monitor Anthropic usage dashboard for token consumption
 ### Keycloak Browser Flow (IdP Auto-Redirect)
 **File**: `infra/values/base/keycloak-values.yaml` (inside `forte-realm.json`)
 The realm uses a custom browser authentication flow (`browser-auto-idp`) that skips the Keycloak login page and redirects directly to the Entra ID identity provider.
 **Flow executions**:
 | Priority | Authenticator | Requirement | Purpose |
 |----------|--------------|-------------|---------|
 | 10 | `auth-cookie` | ALTERNATIVE | Reuse existing session (no redirect) |
 | 20 | `identity-provider-redirector` | ALTERNATIVE | Auto-redirect to `forte-entra` IdP |
 **Key fields in realm JSON**:
 - `"browserFlow": "browser-auto-idp"` — overrides the default `browser` flow at realm level
 - `"authenticationFlows"` — defines the custom flow with its executions
 - `"authenticatorConfig"` — sets `defaultProvider: "forte-entra"` on the redirector
 **Why custom flow**: The default KC browser flow shows a username/password form with an IdP button. Since all authentication is via Entra ID, the custom flow eliminates this step. The `auth-cookie` execution preserves session reuse so returning users aren't redirected again.
 **Important**: The `forte-entra` identity provider must exist in Keycloak (currently configured manually in the KC admin console). If the IdP alias changes, update the `defaultProvider` value in the realm JSON.
 ---
 ### Keycloak Client Registrar
 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
@@ -1384,46 +1454,6 @@ spec:
 - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
 - `synchronize: true` — changes to the source Secret are reflected in the clone
 ### Keycloak Microsoft/Entra Identity Provider
 **File**: `infra/values/upc-dev/keycloak-values.yaml`
 **Namespace**: `keycloak`
 **Purpose**: Configures Microsoft Entra (Azure AD) as an external identity provider for the Forte realm, enabling SSO via Microsoft accounts with token storage for downstream API access (e.g., Microsoft Graph).
 **Configuration via keycloakConfigCli**:
 - IdP alias: `forte-entra`, provider: `microsoft`
 - Client secret injected from `microsoft-idp-credentials` Secret via `$(env:MS_IDP_CLIENT_SECRET)` syntax
 - `extraEnvVarsSecret: microsoft-idp-credentials` makes the Secret available as env vars to config-cli
 **Key Configuration Notes**:
 | Field | Location | Notes |
 |-------|----------|-------|
 | `tenant` | `config.tenant` | **Must be `tenant`, NOT `tenantId`** — wrong key silently falls back to `common` (multi-tenant) |
 | `storeToken` | Top-level IdP field | **NOT inside `config`** — enables broker token storage for KC broker API |
 | `defaultScope` | `config.defaultScope` | Space-separated: `openid email profile User.Read Mail.Send` |
 | `syncMode` | `config.syncMode` | `IMPORT` — imports user on first login |
 **Token Storage & Broker Access**:
 - `storeToken: true` persists the Entra access token in Keycloak
 - Realm role `default-roles-forte` includes composite `broker.read-token` — grants all realm users access to broker token API
 - Broker token retrievable via: `GET /realms/forte/broker/forte-entra/token`
 **Identity Provider Mappers**:
 - `forte-entra-email`: Hardcodes `emailVerified=true` for Entra-authenticated users (Entra guarantees email verification)
 **Required Secret** (`microsoft-idp-credentials`):
 ```yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: microsoft-idp-credentials
  namespace: keycloak
 stringData:
  MS_IDP_CLIENT_SECRET: "<entra-app-client-secret>"
 ```
 ### Default Namespace Blocker
 **File**: `cluster-resources/policies/default-ns-blocker.yaml`
--- a/docs/vault-secrets-operator.md
+++ b/docs/vault-secrets-operator.md
@@ -1,206 +0,0 @@
 # Vault Secrets Operator (VSO) Reference
 ## Overview
 The platform uses HashiCorp Vault Secrets Operator (VSO) to sync secrets from Vault KV v2 to native Kubernetes Secrets. This replaces the previous SealedSecrets workflow.
 **Key benefit**: Secret values can be rotated via Vault UI/CLI without a git commit. Only new VaultStaticSecret CRDs need to be committed.
 ## Architecture
 ```
 Vault (KV v2)                VSO                        K8s Secret
 kv/{namespace}/{name}  -->  VaultStaticSecret CRD  -->  Secret in namespace
                            (polls every 30s)
 ```
 - **Vault**: Standalone instance in `vault` namespace, KV v2 at `kv/`
 - **VSO**: Deployed in `vault-secrets-operator-system` namespace via ArgoCD
 - **Auth**: Kubernetes auth method — each namespace has its own ServiceAccount + VaultAuth CRD
 ## KV Path Convention
 ```
 kv/{namespace}/{secret-name}
 ```
 Examples:
 - `kv/homepage/homepage-widget-credentials`
 - `kv/argocd/forte-helm-repo`
 - `kv/gitea/gitea-smtp-secret`
 - `kv/keycloak/keycloak-credentials`
 ## Vault Policy Structure
 Each namespace gets a read-only policy:
 ```hcl
 # Policy: ns-{namespace}
 path "kv/data/{namespace}/*" {
  capabilities = ["read"]
 }
 path "kv/metadata/{namespace}/*" {
  capabilities = ["read", "list"]
 }
 ```
 ## Kubernetes Auth Roles
 Each namespace has a bound ServiceAccount:
 ```
 Role: ns-{namespace}
  bound_service_account_names: vault-auth-{namespace}
  bound_service_account_namespaces: {namespace}
  policies: ns-{namespace}
  audience: vault
  ttl: 1h
 ```
 ## CRD Reference
 ### VaultAuth
 Per-namespace auth binding. One per namespace.
 ```yaml
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: vault-auth
  namespace: {namespace}
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ns-{namespace}
    serviceAccount: vault-auth-{namespace}
    audiences:
    - vault
 ```
 Each VaultAuth requires a corresponding ServiceAccount:
 ```yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault-auth-{namespace}
  namespace: {namespace}
 ```
 ### VaultStaticSecret
 One per secret. Syncs a Vault KV path to a K8s Secret.
 ```yaml
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: {secret-name}
  namespace: {namespace}
 spec:
  type: kv-v2
  mount: kv
  path: {namespace}/{secret-name}
  destination:
    name: {secret-name}        # K8s Secret name (must match what apps expect)
    create: true
    type: Opaque               # Optional, defaults to Opaque
    labels:                    # Optional, for secrets that need labels
      some-label: "value"
  refreshAfter: 30s
  vaultAuthRef: vault-auth
 ```
 ## Special Labels
 Some secrets require specific labels for correct operation:
 | Secret | Label | Purpose |
 |--------|-------|---------|
 | `renovate-env` | `allowedToBeCloned: "true"` | Kyverno secret-cloner policy |
 | `gitea-smtp-secret` | `allowedToBeCloned: "true"` | Kyverno secret-cloner policy |
 | `forte-helm-repo` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
 | `forte10x-repo-creds` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
 | `mcp10x-repo-creds` | `argocd.argoproj.io/secret-type: repository` | ArgoCD repository recognition |
 These are set in `destination.labels` of the VaultStaticSecret CRD.
 ## Namespaces & Secrets Map
 | Namespace | Secrets |
 |-----------|---------|
 | `homepage` | homepage-widget-credentials |
 | `renovate` | renovate-env |
 | `gitea` | gitea-credentials, gitea-backup-s3, gitea-smtp-secret, gitea-runner-token |
 | `keycloak` | keycloak-credentials, microsoft-idp-credentials (overlay) |
 | `argocd` | forte-helm-repo, forte10x-repo-creds, mcp10x-repo-creds, argocd-notifications-secret |
 | `mcp10x` | app-credentials |
 | `ts-mcp` | ts-mcp-secrets |
 | `argocd-mcp` | auth-oidc, argocd-mcp-credentials |
 | `dot-ai` | dot-ai-secrets |
 | `music-man` | musicman-credentials |
 ## Common Operations
 ### Add a new secret
 1. Write to Vault:
   ```bash
   vault kv put kv/{namespace}/{secret-name} key1=val1 key2=val2
   ```
 2. Create VaultStaticSecret YAML (see template above)
 3. Add to kustomization.yaml in the appropriate directory
 4. Commit and push — ArgoCD syncs the CRD, VSO creates the K8s Secret
 ### Rotate a secret value
 No git commit needed:
 ```bash
 vault kv put kv/{namespace}/{secret-name} key1=new-val1 key2=new-val2
 ```
 VSO picks up changes within 30 seconds.
 ### Check sync status
 ```bash
 # VaultAuth status
 kubectl get vaultauth -n {namespace}
 # VaultStaticSecret status
 kubectl get vaultstaticsecret -n {namespace}
 # Verify K8s Secret exists with correct keys
 kubectl get secret {name} -n {namespace} -o jsonpath='{.data}' | jq
 ```
 ### Troubleshooting
 1. **VaultAuth not authenticating**: Check ServiceAccount exists, Vault role matches SA name/namespace
 2. **VaultStaticSecret not syncing**: Check `kubectl describe vaultstaticsecret {name} -n {ns}` for events
 3. **Secret missing keys**: Verify Vault KV path has all expected keys: `vault kv get kv/{ns}/{name}`
 4. **Permission denied**: Verify Vault policy allows read on `kv/data/{ns}/*`
 ## File Locations
 | Type | Location |
 |------|----------|
 | VSO ArgoCD Application | `infra/base/vault-secrets-operator/` |
 | VSO Helm values | `infra/values/base/vault-secrets-operator-values.yaml` |
 | Vault policies script | `scripts/vault-setup-policies.sh` |
 | Seed script | `scripts/seed-vault-from-cluster.sh` |
 | VaultAuth + VaultStaticSecret | Alongside ArgoCD Application in each component directory |
 ## Setup Scripts
 ```bash
 # Create all Vault policies and auth roles
 ./scripts/vault-setup-policies.sh
 # Seed Vault KV from existing K8s Secrets
 ./scripts/seed-vault-from-cluster.sh
 ```
--- a/infra/base/gitea/gitea-backup-s3-vault.yaml
+++ b/infra/base/gitea/gitea-backup-s3-vault.yaml
@@ -1,15 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: gitea-backup-s3
  namespace: gitea
 spec:
  type: kv-v2
  mount: kv
  path: gitea/gitea-backup-s3
  destination:
    name: gitea-backup-s3
    create: true
    type: Opaque
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/infra/base/gitea/gitea-credentials-vault.yaml
+++ b/infra/base/gitea/gitea-credentials-vault.yaml
@@ -1,14 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: gitea-credentials
  namespace: gitea
 spec:
  type: kv-v2
  mount: kv
  path: gitea/gitea-credentials
  destination:
    name: gitea-credentials
    create: true
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/infra/base/gitea/gitea-runner-token-vault.yaml
+++ b/infra/base/gitea/gitea-runner-token-vault.yaml
@@ -1,14 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: gitea-runner-token
  namespace: gitea
 spec:
  type: kv-v2
  mount: kv
  path: gitea/gitea-runner-token
  destination:
    name: gitea-runner-token
    create: true
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/infra/base/gitea/gitea-smtp-secret-vault.yaml
+++ b/infra/base/gitea/gitea-smtp-secret-vault.yaml
@@ -1,17 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: gitea-smtp-secret
  namespace: gitea
 spec:
  type: kv-v2
  mount: kv
  path: gitea/gitea-smtp-secret
  destination:
    name: gitea-smtp-secret
    create: true
    type: Opaque
    labels:
      allowedToBeCloned: "true"
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/infra/base/gitea/kustomization.yaml
+++ b/infra/base/gitea/kustomization.yaml
@@ -2,9 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - gitea.yaml
- vault-auth.yaml
+- gitea-backup-s3-sealed.yaml
- gitea-credentials-vault.yaml
+- gitea-credentials-sealed.yaml
- gitea-backup-s3-vault.yaml
+- gitea-runner-token-sealed.yaml
- gitea-smtp-secret-vault.yaml
+- gitea-smtp-secret-sealed.yaml
 - gitea-runner-token-vault.yaml
 # Removed: gitea-*-sealed.yaml (migrated to VSO)
--- a/infra/base/gitea/vault-auth.yaml
+++ b/infra/base/gitea/vault-auth.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault-auth-gitea
  namespace: gitea
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: vault-auth
  namespace: gitea
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ns-gitea
    serviceAccount: vault-auth-gitea
    audiences:
    - vault
--- a/infra/base/homepage/homepage-widget-credentials-vault.yaml
+++ b/infra/base/homepage/homepage-widget-credentials-vault.yaml
@@ -1,14 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: homepage-widget-credentials
  namespace: homepage
 spec:
  type: kv-v2
  mount: kv
  path: homepage/homepage-widget-credentials
  destination:
    name: homepage-widget-credentials
    create: true
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/infra/base/homepage/kustomization.yaml
+++ b/infra/base/homepage/kustomization.yaml
@@ -2,7 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - homepage.yaml
- vault-auth.yaml
+- homepage-widget-credentials-sealed.yaml
 - homepage-widget-credentials-vault.yaml
 - homepage-extra-rbac.yaml
 # Removed: homepage-widget-credentials-sealed.yaml (migrated to VSO)
--- a/infra/base/homepage/vault-auth.yaml
+++ b/infra/base/homepage/vault-auth.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault-auth-homepage
  namespace: homepage
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: vault-auth
  namespace: homepage
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ns-homepage
    serviceAccount: vault-auth-homepage
    audiences:
    - vault
--- a/infra/base/keycloak/keycloak-credentials-vault.yaml
+++ b/infra/base/keycloak/keycloak-credentials-vault.yaml
@@ -1,14 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: keycloak-credentials
  namespace: keycloak
 spec:
  type: kv-v2
  mount: kv
  path: keycloak/keycloak-credentials
  destination:
    name: keycloak-credentials
    create: true
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/infra/base/keycloak/keycloak.yaml
+++ b/infra/base/keycloak/keycloak.yaml
@@ -43,10 +43,6 @@ spec:
    - ServerSideApply=true
  ignoreDifferences:
  - group: batch
    kind: CronJob
    jsonPointers:
    - /spec/jobTemplate/spec/template/spec/containers/0/args
  - group: apps
    kind: StatefulSet
    jsonPointers:
--- a/infra/base/keycloak/kustomization.yaml
+++ b/infra/base/keycloak/kustomization.yaml
@@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - keycloak.yaml
- vault-auth.yaml
+- keycloak-credentials-sealed.yaml
 - keycloak-credentials-vault.yaml
 # Removed: keycloak-credentials-sealed.yaml (migrated to VSO)
--- a/infra/base/keycloak/vault-auth.yaml
+++ b/infra/base/keycloak/vault-auth.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault-auth-keycloak
  namespace: keycloak
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: vault-auth
  namespace: keycloak
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ns-keycloak
    serviceAccount: vault-auth-keycloak
    audiences:
    - vault
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -23,4 +23,3 @@ resources:
 - databunker
 - homepage
 - vault
 - vault-secrets-operator
--- a/infra/base/renovate/kustomization.yaml
+++ b/infra/base/renovate/kustomization.yaml
@@ -2,6 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - renovate.yaml
- vault-auth.yaml
+- renovate-env-sealed.yaml
 - renovate-env-vault.yaml
 # Removed: renovate-env-sealed.yaml (migrated to VSO)
--- a/infra/base/renovate/renovate-env-vault.yaml
+++ b/infra/base/renovate/renovate-env-vault.yaml
@@ -1,17 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: renovate-env
  namespace: renovate
 spec:
  type: kv-v2
  mount: kv
  path: renovate/renovate-env
  destination:
    name: renovate-env
    create: true
    type: Opaque
    labels:
      allowedToBeCloned: "true"
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/infra/base/renovate/vault-auth.yaml
+++ b/infra/base/renovate/vault-auth.yaml
@@ -1,20 +0,0 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: vault-auth-renovate
  namespace: renovate
 ---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: vault-auth
  namespace: renovate
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: ns-renovate
    serviceAccount: vault-auth-renovate
    audiences:
    - vault
--- a/infra/base/sealedsecrets/kustomization.yaml
+++ b/infra/base/sealedsecrets/kustomization.yaml
@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - sealedsecrets.yaml
-# Removed: argocd-forte-helm-secret-sealed.yaml (migrated to VSO — now in cluster-resources/)
+- argocd-forte-helm-secret-sealed.yaml
--- a/infra/overlays/upc-dev/entra-upc-dev-credentials-sealed.yaml
+++ b/infra/overlays/upc-dev/entra-upc-dev-credentials-sealed.yaml
@@ -1,15 +0,0 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: microsoft-idp-credentials
  namespace: keycloak
 spec:
  encryptedData:
    MS_IDP_CLIENT_SECRET: AgBGeloOR8LVop8yluydjc7qj4JUkb85z7B3h07i3xLPup1ojgSqtx08huv+8gvSaFoPdxOY8g23iuKeAr2b2A70paHv0ILSVRsIpxzjuao4aDRWxMHD/SFzvitvqaXD1eQUcBNRDk/1NOG0o5b9o4ddMWkNmyCYuZcmOyx18DC1kFrcWGUgJkLTr+YRZcLJ2T80obZ+y4zztYc+vNQlu11KSIALz++c9XzK2XYSdOMdFHmzadWxoCjvkJqG4W5C6AQBlYa7NSydyU6K3TnwS4VHF8w1DRNneM/IuHLMNbcL8WZjHlSS8xgXFUMhG4rkejwM6joQLx57OosTQe1/xdCOPBXq4NO8Q76RXXkoI0EYMbzfK33vr4NVh8zmBUYxhaeQySh2jYdYp7t/79UzvP7jtGYUgqIZNEBqbDKkzvXsJ4dHJnss8U8lWVgLev31ZhaTjIr3A8VKDPbJKIRZPO71/4DiCF0WKLYNKfbYJ5tsyTxivFWDY5NPNkKkgXk4QoScZ3r4bYNZjDp1rC5zCRPGf0Lt1C5Zovx1HTUjpGpAFVi7DyNmEc0uXn2sTwPARAuAj8str+RnlRNzBkpPWKdlOoDVPTSA41dSTfUVZMlQlluu4fdDgGj5sEnhEN0iIxZNRwU/2DD2AVSqG+KtdIkfH6/j0jzdFn4D3Ha6vwAsBIURK4Ird/pLuNGGCDB+LrrNGXDTTKAPFydCuRtpyoM9kFOtSZb7T7q6Vfkqa7LfgP8mdG9JGXJx
  template:
    metadata:
      creationTimestamp: null
      name: microsoft-idp-credentials
      namespace: keycloak
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
- microsoft-idp-credentials-vault.yaml
+- vaultwarden-postgresql
-# Removed: entra-upc-dev-credentials-sealed.yaml (migrated to VSO)
+- vaultwarden
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/infra/overlays/upc-dev/microsoft-idp-credentials-vault.yaml
+++ b/infra/overlays/upc-dev/microsoft-idp-credentials-vault.yaml
@@ -1,14 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: microsoft-idp-credentials
  namespace: keycloak
 spec:
  type: kv-v2
  mount: kv
  path: keycloak/microsoft-idp-credentials
  destination:
    name: microsoft-idp-credentials
    create: true
  refreshAfter: 30s
  vaultAuthRef: vault-auth
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/kustomization.yaml
@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- vault-secrets-operator.yaml
+- vaultwarden-postgresql.yaml
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - postgresql.yaml
 - vaultwarden-db-secret-sealed.yaml
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/postgresql.yaml
@@ -0,0 +1,98 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: vaultwarden-postgresql
  namespace: vaultwarden
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: vaultwarden
    app.kubernetes.io/component: database
 spec:
  type: ClusterIP
  ports:
  - name: tcp-postgresql
    port: 5432
    targetPort: tcp-postgresql
  selector:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: vaultwarden
 ---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
  name: vaultwarden-postgresql
  namespace: vaultwarden
  labels:
    app.kubernetes.io/name: postgresql
    app.kubernetes.io/instance: vaultwarden
    app.kubernetes.io/component: database
 spec:
  serviceName: vaultwarden-postgresql
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: postgresql
      app.kubernetes.io/instance: vaultwarden
  template:
    metadata:
      labels:
        app.kubernetes.io/name: postgresql
        app.kubernetes.io/instance: vaultwarden
        app.kubernetes.io/component: database
    spec:
      containers:
      - name: postgresql
        image: postgres:16-alpine
        ports:
        - name: tcp-postgresql
          containerPort: 5432
        env:
        - name: POSTGRES_USER
          valueFrom:
            secretKeyRef:
              name: prod-db-creds
              key: pgusername
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: prod-db-creds
              key: pgpassword
        - name: POSTGRES_DB
          value: vaultwarden
        - name: PGDATA
          value: /var/lib/postgresql/data/pgdata
        volumeMounts:
        - name: data
          mountPath: /var/lib/postgresql/data
        livenessProbe:
          exec:
            command:
            - sh
            - -c
            - pg_isready -U "$POSTGRES_USER" -d vaultwarden
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          exec:
            command:
            - sh
            - -c
            - pg_isready -U "$POSTGRES_USER" -d vaultwarden
          initialDelaySeconds: 5
          periodSeconds: 5
        resources:
          requests:
            cpu: 100m
            memory: 256Mi
          limits:
            cpu: 500m
            memory: 512Mi
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 2Gi
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/resources/vaultwarden-db-secret-sealed.yaml
@@ -0,0 +1,20 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: prod-db-creds
  namespace: vaultwarden
 spec:
  encryptedData:
    DATABASE_URL: AgAy1d//kBevUqZxB5KAXd+qxm8QykNxp5J1QP7Y30XCpE8hldPXF+NIx3w0B0PUyMAVsa+JrBmCMtzgibddIJqqF2upu/8EYxJZNusrJPOi47g3VcZIg1WyxoFfffH6jwhzv69TE/T8WGBXmWbD2vr+XWjE24Q+lgwLut0mocVfihUjpuYq0WDjgJx7pqLnY1VatTwgSkAv1uRRVqdi7e1M5isDNEpdItCbEoWwdvZhG5JIMAA/2vecY4/vEne3cg46lJAkv4ueZNATG6DOXGgQgz6h7zCKSGS1xTfGr+4A2V2/vSYpQ/r8Td37mlseoBvwN4H5O+FgHrVREm7N6aafDariYd+ZfqUIGObsZIXhxhDmAM96pjtP8ehYVwq1srWTU+SUewEmwLFWhVP1UFnTB5vgIuOWoKjHlS7dSUpStpw2u7/mQ6vhRhEaDqY6cNzJgM9hipQM/pt5an7z4ovWVeAeK8InGzKU+uxOpv/oxmi9N54B+5O4DVZC+BIbFXchxDvqivRcZrTK+CNjHjkk4We5MvN0qlhSuCYOGzEVaQ192yHciDoncw58D7fG4NicT2AcCJDVIwRGG05wqKal7g61g7Qg16oqdZIauKIU7ChSgBk7Xv33biZ4ZPe+JoSEmp9izJ8R7yyNO3KJgqH7iQ2UQzXDUqhfTr6w/oIdFST8sQtEIo7o1Z5JoXpzd4R1gVkcPWqtbbB22iRrDJsofeW+yvgGqyZLsWT2bKuDMLUn3GiqvaHaeQ9AbhNBnl6Qth3X8heBm2Zle1xxapFktisPwBQC7FDlukgvkiAOO7BywVI0+ITU4KLLOAftVqHmZ4fgDDqNFg8=
    SMTP_PASSWORD: AgCbhM99+DbSTCcuxtcccOrZq99GjR51B5SkW6DNxz1jW2q4lgc6o21+gHEGGAamRDg/mWyu2UBBNgEzrW024558qP6SjVPwJclWhNZHyL4R4MCA0kv/kqNa43na2j3pq7kzT0MrqPAXD8IJrtYPxr+ngiuo7MCRef/TzEfwbwK+KgkeB1g+9ErwHWr5tU1B+3yAn5tfNeHmGFrLX230mra2ie+ntNx9kn80mb5TYoJ/mSaX7wv4bqZGEHkg7isXrMoMROXLBepCvP0zi3ta+SKJjHy73TvhKSzo7/ZHxapHw3oaazdpKJobeolWB7SziWsbXfT0gYYim3LrcieQeb7hhN3OAvSYx1Z/3UefEE1o3GFEzK1UV9ISwU/mBjMDZWyM7dK9lSbuPGvbpKU1jjP8qZWQP5v2SIT6Nb5TQgNeATdO3RkjoviqRzjJfpuu+oe5paXNeEIUSTskL7HuUjWj13DX1zDqQWTR1/Tb9ntxRtgIoAl2ymDsOednurnJeX71OJ3G++Oc8b5P2EkNQuEwaYb9raNHqZkCXeRpQVyEGIUh9sAGZUplUJSues/Jw25WuFoNBfMi/F022Mkvfnp/s0J+QrMIxSRvqiWS+7hODknvE3Zf2DI+DKClWxspfv084DAkOSV1Lq9fqNy/bKoJR/5MVHmxbW6teza6zXBnwn2nk+2DZ8IU20P15aVdtKR2zG9u8hnrqWrTQHTdvzb34WKjC0km4/MaIGKvboyw
    SMTP_USERNAME: AgCijAuSvlGeMME1FyPXQdOTGKktyXfT8tjBK/ozt3X8O5hebFVvM61hNLDQTe9V/O/NLw6P1wbV4V+wtztqLs9TPDyq9L3D9JUEDjh97gWxVf7nFf8/d24F0PJoR8srKp3onb7+Rx02318RUp+gp7YsXbK6YBfkaOsoD08UgrFY3ARnP4eIirRICNCdouPgKkh038yAWcQDA20GBN2faJlQSejS4cr8WAa/ME1fRe40Q4tewgiX7hK5BWjt2eoovLrPzcHvbgTbfjwUWvmeiSicnF+VLrc3M56aKML2xuAggBk4vKtla/Af1pJfjv+Ut2z6VzECfIth12yQa6kIvKOE8aa3o/6oKLRJQRO8rQOOmLiInR+jQxrOmYw+OzkON07nBIeBon7nKYSIMiBt68kXKWJ9ZDexF7WGOHsFgUo4hA/z/c/Ccg6XHgxFt7uXZYLyziihQXy33zIsvu0rXOaczT5j3NJIhO60jz2Q8ig9JuWhd7+Dnd9EFMC0WJOM9kjpxeSjg4MYjH7VGnnEDF2GAQTlwDn5HwZJXRQFHfdCiHS5CCpfmak9MtIC9uoIsbPAnEhdTC20wDvIGlR5O4JGlQRyirKKmCdT1MJt8zi5d+EVQiicVZLGGD6nsqCNchvFYcx+glMYqWWsmyS6M+uVaYa/Fb/n+0QR6GNCF3Qi7voMJf2bFxFDk78fk76MG919XPQVAG/FPliNyWJJ7gEM+j/rDYuSrul14duV
    adminToken: AgCVSgRK39WksTX6GogBvMZtPMd4XzMFkKSPhjTCm8pllzuc88pS2LXHxyGDWVLf+GZXRTCNrf5JLPst8/GTvOX17J9scRAjmhoyVVgzFNbcqGI/czLf9vH6JnhorMmUHxS+kWBm3oLZjhW3f/9vq0xzSbut87VDsyenaK4EcFLrYnfVRlMrwxL9oxPPTeB+Wah/uGoyLNfc7MMLK+/sUma4RO61VJ8YvmLUnwYNFosUcbF2B9hXMSzKKCJ+ihXYIdNIz2YWdMmj7a3D+Mor5x4jIjC+tunT4Zge5L1mx0i92KPgPkP48jKxayIZ/FxnYej+ggU6PmdYD1B6wgUbgLQV6ccwysjHce7ICvGWiM+PozFWI1qEVKqtNgp3kwInThD63Hyub9Euj0g/SE/nZcwy8DuIEhsLpLSdvxDT2lCps0VdXcb01kuta/3i4vgozSBvdIL1FrQKPLqF5+6ZEQ6BdZDkgxVqQ845WZoGbfqIyI03BMvsx/8HB5c+0Y0w0C6DRpEW55T9yRTZqzvqWUOpXy5/L2Nc9G4PCUK3lY0QPIFlPCBDl+cKgfP/XvKhMFcFpwp/Ssd0o+RhgOMBHJ5qk7RxAN1k2Y6Tkros39eUKWbM6UQ97LjrAdLcgJKX86ZkEChdeeKOnSxRmqHFXx5m4Wa6syixjipeQPwybCYQA9TgNBv0lToA7gi+lcVvXkoAgYIeB9Cp0j8UVEwdgvwWp8YgkpuWhPCAafhboH8qGhHhVfKADmlB05vUItZ0eoEVv7D9SqUTFueUmoZXwo67uyMLZhQo7eGr9+k8hiesCoEm11HCTa4DvF9zE54zgkyt0TMsKAEKmX47zJwnw76zidZC/K9e
    pgpassword: AgCeQLwzajVBHW+o1ZSAcfbcJXny5K7UxxMfjud0j3hm9qx3TlLaFJrNoWd4XCuHAW1Ybl23ynWm+8kpXfZv95bXGkl0jZIm989MlAJQYKcaSTdhIM6Bkl3Cbr8kTVj2yrylGPJ96QISKNoiV7IetU82t8f21kxjyrNwt4lQEwWRFjW45jozb32qFXRkTioJ1WKaeJkyRSHWn7nLVitqZ4QjZzoN9AC7cUDOY/FffEiz7QRYSf6xaVPqQfCeH6QVtfmwtU5qNTcthOW0+/LQKpkg8i2nuoAsyOe7tsOYCENbDGkLckNTns2oPvDnH5eA8F5VDlnyJtROlwKjWfTC2zjazZynpA6cBH9XzX3Pg9P45G5HJ/4TVSUbTMCSVrbW8Ec+zdA2P4l3ytfVM2ER4N2/bQrUEVW2/ngDzhsKllmOPEN/M7b/VTed7U1xyJHsoT+AJEqVJO/vFBRxpI/ZacD+m5kWf3sp1SUWSgkUi+YWH8xuRurM2/kiUGwwUXu5ZMumjpMTkJBfX4NYRezq0DCsgaXdO2yI4xTfAysj78UikdU0PKyAXPcT8y55kJQ1jECszFauyeSYh0FpLu/XAmeB8dunlBqgISLszwnnman0/ThLeo96MFo6WPXoAeMTy8+GfTSH5tkmm8TVD7A+gRHprfFS66eY5Zi38OPU+VGRJS1J8yLSD2cNvCFR/sz1Br9VV7IySx1S+HvbEd7BwmdWrIoEcVUwIAD/U0Uxbw4sr7wLQ2wFQjDil4VItA==
    pgusername: AgAcgel8GpdRVThE9i4EfFwcJYHEPnCyi4jHEaAltn4VMtub6hvhtH+ihxS97AhK6kgrTLEgtlfb07n1EZ3AK18A+ci9P5ulP0GgwMrMt1yxiHliqInvZPNb8vWC/2f2lZm7EFrBvYqMFRPV10YygtkW3Kku8h31l0xc2/DUKqZ2hMymIjx7hupabUOhnPJeF+IxVhTcsAa6SjhppX1ED0R/Im73pxTxbfLQETkHd5KcB4h6RLIPvuNiG5uftkPP8qjJqFIhNew+0IxMrsTzJbyLx90vqI6LHHtsrNDAsOHqWGnyZqIdkK+Bagm84VlpBfIdz8Fs0YqzBQaZts4+QXByzkcQZBDy11Hg9FCjdUVk3VgVLDQj+hL+aWTeJ0Iui4zW4LMSB0Dk0ZQeQa4BtwuDllky5GUA7sLmkbceAWymBNzNXSOeeAi1qfR6h6rNnh0x5yOnSN8soReNaCEYBSa8HjUamvuzu4yn+fKOJyI50QEJ7hKLXLaqyiNpa5bJw4FQvGM7qESkZW2BZLEvkq4mlKjzvSm891DozA44Zy1s/3CvytFsUtaWmquSvqqHWUxqEEemJ8zOCFXEYo1TjEfkYIUipM5KJ+PrpQGTgjdnL8FbAv3r3NG7DoucQtVeJJVeaBqOZcfEQw4Xz15grsdjggFunhmz+ZjWjgEwV4G/dCmeus3SBWJWLMOoPWCvBWrQZRQq9KVj
  template:
    metadata:
      creationTimestamp: null
      name: prod-db-creds
      namespace: vaultwarden
--- a/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml
+++ b/infra/overlays/upc-dev/vaultwarden-postgresql/vaultwarden-postgresql.yaml
@@ -0,0 +1,46 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: vaultwarden
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: vaultwarden-postgresql
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "0"
  labels:
    app.kubernetes.io/name: vaultwarden-postgresql
    app.kubernetes.io/part-of: security
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    path: infra/overlays/upc-dev/vaultwarden-postgresql/resources
  destination:
    server: https://kubernetes.default.svc
    namespace: vaultwarden
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: apps
    kind: StatefulSet
    jsonPointers:
    - /spec/volumeClaimTemplates
--- a/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/keycloak-client-config.yaml
@@ -0,0 +1,21 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: keycloak-client-vaultwarden
  namespace: vaultwarden
  labels:
    keycloak.forteapps.net/client-config: "true"
 stringData:
  client.json: |
    {
      "clientId": "vaultwarden",
      "name": "Vaultwarden",
      "redirectUris": ["https://vaultwarden.forteapps.net/*"],
      "webOrigins": ["https://vaultwarden.forteapps.net"],
      "protocolMappers": [],
      "secret": {
        "namespace": "vaultwarden",
        "name": "vaultwarden-oidc-credentials",
        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
      }
    }
--- a/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
+++ b/infra/overlays/upc-dev/vaultwarden/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - vaultwarden.yaml
 - keycloak-client-config.yaml
--- a/infra/base/vault-secrets-operator/vault-secrets-operator.yaml
+++ b/infra/base/vault-secrets-operator/vault-secrets-operator.yaml
@@ -1,12 +1,12 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: vault-secrets-operator
+  name: vaultwarden
  namespace: argocd
  annotations:
-    argocd.argoproj.io/sync-wave: "2"
+    argocd.argoproj.io/sync-wave: "1"
  labels:
-    app.kubernetes.io/name: vault-secrets-operator
+    app.kubernetes.io/name: vaultwarden
    app.kubernetes.io/part-of: security
    app.kubernetes.io/managed-by: argocd
  finalizers:
@@ -15,13 +15,14 @@ spec:
  project: default
  sources:
-  - repoURL: https://helm.releases.hashicorp.com
+  - repoURL: https://guerzon.github.io/vaultwarden
-    chart: vault-secrets-operator
+    chart: vaultwarden
-    targetRevision: "0.10.0"
+    targetRevision: "0.36.4"
    helm:
-      releaseName: vault-secrets-operator
+      releaseName: vaultwarden
      valueFiles:
-      - $values/infra/values/base/vault-secrets-operator-values.yaml
+      - $values/infra/values/base/vaultwarden-values.yaml
      - $values/infra/values/upc-dev/vaultwarden-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
@@ -29,7 +30,7 @@ spec:
  destination:
    server: https://kubernetes.default.svc
-    namespace: vault-secrets-operator-system
+    namespace: vaultwarden
  syncPolicy:
    automated:
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -41,6 +41,7 @@ gitea:
    oauth2:
      ENABLED: true
      ENABLE_AUTO_REGISTRATION: true
      ACCOUNT_LINKING: auto
      USERNAME: email
    session:
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -58,6 +58,9 @@ keycloakConfigCli:
  enabled: true
  image:
    repository: bitnamilegacy/keycloak-config-cli
  extraEnvVars:
  - name: IMPORT_MANAGED_PROTOCOL_MAPPER
    value: "no-delete"
  configuration:
    forte-realm.json: |
      {
@@ -101,6 +104,18 @@ keycloakConfigCli:
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
              },
              {
                "name": "groups",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-group-membership-mapper",
                "config": {
                  "claim.name": "groups",
                  "full.path": "false",
                  "id.token.claim": "true",
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
              }
            ]
          },
@@ -173,7 +188,54 @@ keycloakConfigCli:
            ]
          }
        ],
        "browserFlow": "browser-auto-idp",
        "authenticationFlows": [
          {
            "alias": "browser-auto-idp",
            "description": "Browser flow with auto-redirect to Forte Entra IdP",
            "providerId": "basic-flow",
            "topLevel": true,
            "builtIn": false,
            "authenticationExecutions": [
              {
                "authenticator": "auth-cookie",
                "authenticatorFlow": false,
                "requirement": "ALTERNATIVE",
                "priority": 10
              },
              {
                "authenticator": "identity-provider-redirector",
                "authenticatorFlow": false,
                "requirement": "ALTERNATIVE",
                "priority": 20,
                "authenticatorConfig": "forte-entra-redirector"
              }
            ]
          }
        ],
        "authenticatorConfig": [
          {
            "alias": "forte-entra-redirector",
            "config": {
              "defaultProvider": "forte-entra"
            }
          }
        ],
        "groups": [
          {
            "name": "k8s",
            "path": "/k8s",
            "clientRoles": {
              "grafana": ["Editor"]
            }
          },
          {
            "name": "dev",
            "path": "/dev",
            "clientRoles": {
              "grafana": ["Viewer"]
            }
          },
          {
            "name": "ArgoCD Admins",
            "path": "/ArgoCD Admins"
@@ -259,7 +321,7 @@ extraDeploy:
                ADMIN_PASS=$(cat /secrets/admin-password)
                echo "Authenticating to Keycloak..."
-                TOKEN=$(curl -s -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
+                TOKEN=$(curl -sf -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
                  -d "client_id=admin-cli" \
                  -d "username=${ADMIN_USER}" \
                  -d "password=${ADMIN_PASS}" \
@@ -276,7 +338,7 @@ extraDeploy:
                upsert_secret() {
                  local ns="$1" name="$2" manifest="$3"
                  local code
-                  code=$(curl -s -o /dev/null -w "%{http_code}" \
+                  code=$(curl -sf -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/json" \
@@ -285,7 +347,7 @@ extraDeploy:
                  if [ "$code" = "200" ]; then
                    echo "  Updated secret '${ns}/${name}'"
                  elif [ "$code" = "404" ]; then
-                    code=$(curl -s -o /dev/null -w "%{http_code}" \
+                    code=$(curl -sf -o /dev/null -w "%{http_code}" \
                      --cacert "$CA_CERT" \
                      -H "Authorization: Bearer ${SA_TOKEN}" \
                      -H "Content-Type: application/json" \
@@ -332,7 +394,7 @@ extraDeploy:
                  # Get the client secret from Keycloak
                  local secret_value
-                  secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                  secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
                    | jq -r '.value')
@@ -347,7 +409,7 @@ extraDeploy:
                  # Write to target namespace (if it exists)
                  local ns_status
-                  ns_status=$(curl -s -o /dev/null -w "%{http_code}" \
+                  ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    "${K8S_API}/api/v1/namespaces/${target_ns}")
@@ -371,12 +433,12 @@ extraDeploy:
                  local ns="$1" name="$2" key="$3" value="$4"
                  local patch
                  patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
-                  curl -s -o /dev/null \
+                  curl -sf -o /dev/null \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/strategic-merge-patch+json" \
                    -X PATCH -d "$patch" \
-                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" || true
+                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}"
                }
                # =============================================
@@ -384,7 +446,7 @@ extraDeploy:
                # =============================================
                echo "=== Legacy sync: clients with k8s.secret.sync=true ==="
-                CLIENTS=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                CLIENTS=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                  "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
                SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]')
@@ -409,7 +471,7 @@ extraDeploy:
                echo ""
                echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ==="
-                CONFIG_SECRETS=$(curl -s \
+                CONFIG_SECRETS=$(curl -sf \
                  --cacert "$CA_CERT" \
                  -H "Authorization: Bearer ${SA_TOKEN}" \
                  "${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true")
@@ -430,10 +492,6 @@ extraDeploy:
                  CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d)
                  CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId')
                  if [ -z "$CLIENT_ID" ] || [ "$CLIENT_ID" = "null" ]; then
                    echo "ERROR: Could not extract clientId from config '${CONFIG_NAME}', skipping"
                    continue
                  fi
                  echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'"
                  # Compute config hash for change detection
@@ -450,7 +508,7 @@ extraDeploy:
                  CRED_EXISTS=$(curl -s -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
-                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")
+                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}" || echo "000")
                  # Skip if hash matches and credential Secret exists
                  if [ "$CONFIG_HASH" = "$EXISTING_HASH" ] && [ "$CRED_EXISTS" = "200" ]; then
@@ -471,68 +529,46 @@ extraDeploy:
                    redirectUris: .redirectUris,
                    webOrigins: .webOrigins,
                    protocolMappers: (.protocolMappers // [])
-                  } + if .defaultClientScopes then {defaultClientScopes: .defaultClientScopes} else {} end')
+                  } | with_entries(select(.value != null))')
                  # Check if client already exists
-                  EXISTING=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
+                  EXISTING_RESPONSE=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
-                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
+                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" || true)
-                    | jq -r '.[0].id // empty')
+                  EXISTING=$(echo "$EXISTING_RESPONSE" | jq -r '.[0].id // empty' 2>/dev/null || true)
                  if [ -n "$EXISTING" ]; then
                    echo "  Updating existing Keycloak client (uuid: ${EXISTING})"
-                    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+                    RESPONSE=$(curl -s -w "\n%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X PUT -d "$KC_CLIENT" \
-                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}")
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}" || true)
                    HTTP_CODE=$(echo "$RESPONSE" | tail -1)
                    RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
                    if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "200" ]; then
-                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
+                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                      continue
                    fi
                    CLIENT_UUID="$EXISTING"
                  else
                    echo "  Creating new Keycloak client '${CLIENT_ID}'"
-                    HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
+                    RESPONSE=$(curl -s -w "\n%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X POST -d "$KC_CLIENT" \
-                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
+                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients" || true)
                    HTTP_CODE=$(echo "$RESPONSE" | tail -1)
                    RESPONSE_BODY=$(echo "$RESPONSE" | sed '$d')
                    if [ "$HTTP_CODE" != "201" ]; then
-                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
+                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE}): ${RESPONSE_BODY}"
                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                      continue
                    fi
                    # Fetch the newly created client's UUID
                    CLIENT_UUID=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
-                      | jq -r '.[0].id')
+                      | jq -r '.[0].id' || true)
                  fi
                  # Assign default client scopes (KC REST API ignores defaultClientScopes in POST/PUT body)
                  REQUESTED_SCOPES=$(echo "$CLIENT_JSON" | jq -r '.defaultClientScopes // [] | .[]' 2>/dev/null)
                  if [ -n "$REQUESTED_SCOPES" ]; then
                    # Fetch all realm client scopes once
                    ALL_SCOPES=$(curl -s -H "Authorization: Bearer ${TOKEN}" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/client-scopes")
                    echo "$REQUESTED_SCOPES" | while read -r SCOPE_NAME; do
                      [ -z "$SCOPE_NAME" ] && continue
                      SCOPE_ID=$(echo "$ALL_SCOPES" | jq -r --arg name "$SCOPE_NAME" '.[] | select(.name == $name) | .id // empty')
                      if [ -z "$SCOPE_ID" ]; then
                        echo "  WARNING: Scope '${SCOPE_NAME}' not found in realm, skipping"
                        continue
                      fi
                      SC_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
                        -H "Authorization: Bearer ${TOKEN}" \
                        -X PUT \
                        "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${CLIENT_UUID}/default-client-scopes/${SCOPE_ID}")
                      if [ "$SC_CODE" = "204" ] || [ "$SC_CODE" = "200" ]; then
                        echo "  Assigned scope '${SCOPE_NAME}'"
                      else
                        echo "  WARNING: Failed to assign scope '${SCOPE_NAME}' (HTTP ${SC_CODE})"
                      fi
                    done
                  fi
                  # Sync credentials to target namespace
--- a/infra/values/base/vault-secrets-operator-values.yaml
+++ b/infra/values/base/vault-secrets-operator-values.yaml
@@ -1,19 +0,0 @@
 # Vault Secrets Operator Helm values
 # Docs: https://developer.hashicorp.com/vault/docs/platform/k8s/vso
 # Default Vault connection — used by VaultAuth CRDs that don't specify one
 defaultVaultConnection:
  enabled: true
  address: http://vault.vault.svc.cluster.local:8200
 # Default auth method — Kubernetes auth
 defaultAuthMethod:
  enabled: true
  namespace: ""
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: vso-operator
    serviceAccount: default
    audiences:
    - vault
--- a/infra/values/base/vaultwarden-values.yaml
+++ b/infra/values/base/vaultwarden-values.yaml
@@ -0,0 +1,3 @@
 image:
  tag: "1.36.0-alpine"
 domain: "https://vaultwarden.forteapps.net"
--- a/infra/values/upc-dev/homepage-values.yaml
+++ b/infra/values/upc-dev/homepage-values.yaml
@@ -59,6 +59,10 @@ config:
        href: https://benken.hackathon.forteapps.net
        description: Teknisk kompetanse fra offentlige anbud
        icon: forte
    - Forte Drop:
        href: https://drop.hackathon.forteapps.net
        description: Self-hosted HTML-drops + MCP for Claude
        icon: forte
    - Forte Feedback:
        href: https://feedback.forteapps.net
        description: Fortes internal feedback app
--- a/infra/values/upc-dev/keycloak-values.yaml
+++ b/infra/values/upc-dev/keycloak-values.yaml
@@ -1,108 +1,2 @@
 ingress:
  hostname: id.forteapps.net
 keycloakConfigCli:
  enabled: true
  extraEnvVars:
    - name: IMPORT_VAR_SUBSTITUTION_ENABLED
      value: "true"
    - name: MS_IDP_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: microsoft-idp-credentials
          key: MS_IDP_CLIENT_SECRET
  configuration:
    microsoft-idp.json: |
      {
        "realm": "forte",
        "authenticationFlows": [
          {
            "alias": "auto-link-first-broker-login",
            "description": "Auto-link IdP accounts to existing users by email",
            "providerId": "basic-flow",
            "topLevel": true,
            "builtIn": false,
            "authenticationExecutions": [
              {
                "authenticator": "idp-create-user-if-unique",
                "authenticatorFlow": false,
                "requirement": "ALTERNATIVE",
                "priority": 10
              },
              {
                "authenticator": "idp-auto-link",
                "authenticatorFlow": false,
                "requirement": "ALTERNATIVE",
                "priority": 20
              }
            ]
          }
        ],
        "identityProviders": [
          {
            "alias": "forte-entra",
            "displayName": "Forte Entra",
            "providerId": "microsoft",
            "enabled": true,
            "trustEmail": true,
            "firstBrokerLoginFlowAlias": "auto-link-first-broker-login",
            "config": {
              "clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
              "clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
              "defaultScope": "openid email profile",
              "tenantId": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
              "syncMode": "IMPORT"
            }
          },
          {
            "alias": "forte-entra-graph",
            "displayName": "Forte Entra (Graph)",
            "providerId": "microsoft",
            "enabled": true,
            "storeToken": true,
            "trustEmail": true,
            "firstBrokerLoginFlowAlias": "auto-link-first-broker-login",
            "config": {
              "clientId": "7995d2b5-b798-4caf-8da6-b00b78bb34d7",
              "clientSecret": "$(env:MS_IDP_CLIENT_SECRET)",
              "defaultScope": "openid email profile User.Read Mail.Send",
              "tenantId": "063afd9e-5fcb-48d2-a769-ca31b0f5b443",
              "syncMode": "IMPORT"
            }
          }
        ],
        "identityProviderMappers": [
          {
            "name": "forte-entra-email",
            "identityProviderAlias": "forte-entra",
            "identityProviderMapper": "hardcoded-attribute-idp-mapper",
            "config": {
              "syncMode": "INHERIT",
              "attribute": "emailVerified",
              "attribute.value": "true"
            }
          },
          {
            "name": "forte-entra-graph-email",
            "identityProviderAlias": "forte-entra-graph",
            "identityProviderMapper": "hardcoded-attribute-idp-mapper",
            "config": {
              "syncMode": "INHERIT",
              "attribute": "emailVerified",
              "attribute.value": "true"
            }
          }
        ],
        "roles": {
          "realm": [
            {
              "name": "default-roles-forte",
              "composites": {
                "client": {
                  "broker": ["read-token"]
                }
              }
            }
          ]
        }
      }
--- a/infra/values/upc-dev/vaultwarden-values.yaml
+++ b/infra/values/upc-dev/vaultwarden-values.yaml
@@ -0,0 +1,82 @@
 adminToken:
  existingSecret: "prod-db-creds"
  existingSecretKey: "adminToken"
 domain: "https://vaultwarden.forteapps.net"
 signupsAllowed: false
 resourceType: StatefulSet
 database:
  type: postgresql
  host: vaultwarden-postgresql
  port: "5432"
  dbName: vaultwarden
  existingSecret: prod-db-creds
  existingSecretKey: DATABASE_URL
  existingSecretUserKey: pgusername
  existingSecretPasswordKey: pgpassword
 ingress:
  enabled: true
  class: "traefik"
  tls: true
  tlsSecret: vaultwarden-tls
  hostname: vaultwarden.forteapps.net
  additionalAnnotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "VaultWarden"
    gethomepage.dev/description: "Password management"
    gethomepage.dev/group: "Security"
    gethomepage.dev/icon: "vaultwarden"
    gethomepage.dev/href: "https://vaultwarden.forteapps.net"
 replicas: 1
 # Multi-Attach error for volume "pvc-102ec9a4-dccd-4cba-bb4b-650f7d934c81" Volume is already used by pod(s) vaultwarden-7f568875c7-m9cgs
 service:
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 10800
 smtp:
  host: smtp.office365.com
  security: starttls
  port: 587
  authMechanism: "Login"
  from: noreply@fortedigital.com
  fromName: "Forte Bitwarden Administrator"
  debug: true
  existingSecret: prod-db-creds
  username:
    existingSecretKey: SMTP_USERNAME
  password:
    existingSecretKey: SMTP_PASSWORD
 storage:
  data:
    name: "vaultwarden-data"
    size: "5Gi"
    class: ""
    path: "/data"
    keepPvc: true
    accessMode: "ReadWriteOnce"
  attachments:
    name: "vaultwarden-files"
    size: "5Gi"
    class: ""
    path: /files
    keepPvc: true
    accessMode: "ReadWriteOnce"
 sso:
  enabled: true
  existingSecret: vaultwarden-oidc-credentials
  authority: "https://id.forteapps.net/realms/forte"
  scopes: "email profile"
  onlySSO: true
  pkce: true
  signupsMatchEmail: true
  clientId:
    existingSecretKey: client-id
  clientSecret:
    existingSecretKey: client-secret
--- a/scripts/seed-vault-from-cluster.sh
+++ b/scripts/seed-vault-from-cluster.sh
@@ -1,85 +0,0 @@
 #!/usr/bin/env bash
 # seed-vault-from-cluster.sh — Read existing K8s Secrets and write to Vault KV
 #
 # Prerequisites:
 #   - vault CLI authenticated (VAULT_ADDR + VAULT_TOKEN set)
 #   - kubectl access to the cluster
 #   - KV v2 engine at kv/
 #
 # Usage: ./scripts/seed-vault-from-cluster.sh
 #
 # This reads plaintext values from existing K8s Secrets and writes them
 # to Vault KV v2 at kv/{namespace}/{secret-name}.
 set -euo pipefail
 echo "=== Seeding Vault KV from existing K8s Secrets ==="
 echo ""
 # Helper: read a K8s secret and write all keys to Vault KV
 seed_secret() {
  local ns="$1"
  local secret_name="$2"
  local vault_path="kv/${ns}/${secret_name}"
  echo "--- ${ns}/${secret_name} → ${vault_path} ---"
  # Get all keys from the secret
  local keys
  keys=$(kubectl get secret "${secret_name}" -n "${ns}" -o json 2>/dev/null | \
    jq -r '.data // {} | keys[]' 2>/dev/null) || {
    echo "  SKIP: secret not found in cluster"
    echo ""
    return
  }
  if [ -z "${keys}" ]; then
    echo "  SKIP: no data keys"
    echo ""
    return
  fi
  # Build vault kv put arguments
  local args=()
  for key in ${keys}; do
    local value
    value=$(kubectl get secret "${secret_name}" -n "${ns}" -o jsonpath="{.data.${key}}" | base64 -d)
    args+=("${key}=${value}")
  done
  vault kv put "${vault_path}" "${args[@]}"
  echo "  OK: $(echo "${keys}" | wc -w | tr -d ' ') keys written"
  echo ""
 }
 # --- Homepage ---
 seed_secret homepage homepage-widget-credentials
 # --- Renovate ---
 seed_secret renovate renovate-env
 # --- Gitea ---
 seed_secret gitea gitea-credentials
 seed_secret gitea gitea-backup-s3
 seed_secret gitea gitea-smtp-secret
 seed_secret gitea gitea-runner-token
 # --- Keycloak ---
 seed_secret keycloak keycloak-credentials
 seed_secret keycloak microsoft-idp-credentials
 # --- ArgoCD ---
 seed_secret argocd forte-helm-repo
 seed_secret argocd forte10x-repo-creds
 seed_secret argocd mcp10x-repo-creds
 seed_secret argocd argocd-notifications-secret
 # --- Application secrets ---
 seed_secret mcp10x app-credentials
 seed_secret ts-mcp ts-mcp-secrets
 seed_secret argocd-mcp auth-oidc
 seed_secret argocd-mcp argocd-mcp-credentials
 seed_secret dot-ai dot-ai-secrets
 seed_secret music-man musicman-credentials
 echo "=== Done. Verify with: vault kv list kv/{namespace} ==="
--- a/scripts/vault-setup-policies.sh
+++ b/scripts/vault-setup-policies.sh
@@ -1,81 +0,0 @@
 #!/usr/bin/env bash
 # vault-setup-policies.sh — Create Vault policies + Kubernetes auth roles for VSO
 #
 # Prerequisites:
 #   - vault CLI authenticated (VAULT_ADDR + VAULT_TOKEN set)
 #   - Kubernetes auth method enabled at auth/kubernetes/
 #   - KV v2 secrets engine at kv/
 #
 # Usage: ./scripts/vault-setup-policies.sh
 set -euo pipefail
 echo "=== Vault Secrets Operator — Policy & Auth Role Setup ==="
 echo ""
 # All namespaces that have secrets to migrate
 NAMESPACES=(
  argocd
  gitea
  keycloak
  renovate
  homepage
  argocd-mcp
  mcp10x
  ts-mcp
  dot-ai
  music-man
  vault-secrets-operator-system
 )
 # --- Per-namespace policies and auth roles ---
 for NS in "${NAMESPACES[@]}"; do
  echo "--- Namespace: ${NS} ---"
  # Create read-only policy for this namespace's secrets
  echo "  Creating policy: ns-${NS}"
  vault policy write "ns-${NS}" - <<EOF
 path "kv/data/${NS}/*" {
  capabilities = ["read"]
 }
 path "kv/metadata/${NS}/*" {
  capabilities = ["read", "list"]
 }
 EOF
  # Create Kubernetes auth role bound to namespace-specific ServiceAccount
  echo "  Creating auth role: ns-${NS}"
  vault write "auth/kubernetes/role/ns-${NS}" \
    bound_service_account_names="vault-auth-${NS}" \
    bound_service_account_namespaces="${NS}" \
    policies="ns-${NS}" \
    audience="vault" \
    ttl="1h"
  echo ""
 done
 # --- VSO operator role (broad read for default auth method) ---
 echo "--- VSO Operator Role ---"
 echo "  Creating policy: vso-operator"
 vault policy write vso-operator - <<EOF
 path "kv/data/*" {
  capabilities = ["read"]
 }
 path "kv/metadata/*" {
  capabilities = ["read", "list"]
 }
 EOF
 echo "  Creating auth role: vso-operator"
 vault write auth/kubernetes/role/vso-operator \
  bound_service_account_names="vault-secrets-operator" \
  bound_service_account_namespaces="vault-secrets-operator-system" \
  policies="vso-operator" \
  audience="vault" \
  ttl="1h"
 echo ""
 echo "=== Done. All ${#NAMESPACES[@]} namespace policies + auth roles created. ==="
Author	SHA1	Message	Date
Sten	335dd1366d	refactor(apps): move forte-drop apps from base to upc-dev overlay All checks were successful AI Code Review / ai-review (pull_request) Successful in 6s Details forte-drop, forte-drop-mcp and forte-drop-postgresql lived under apps/base/ but were only ever wired into the upc-dev overlay (never listed in apps/base/kustomization.yaml). They carry hackathon-domain hardcoded values and must not sync to upc-prod, so they belong in the overlay alongside dbunk-demo — per danijel.simeunovic's review on PR #18. - git mv the three dirs into apps/overlays/upc-dev/ (history preserved) - rewrite overlay kustomization refs from ../../base/forte-drop* to local - repoint forte-drop-postgresql Application path apps/base/... -> apps/overlays/upc-dev/forte-drop-postgresql/resources Render-verified: kubectl kustomize apps/overlays/upc-dev differs only by the postgres path line; apps/overlays/upc-prod render byte-identical (forte-drop never reaches prod). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-01 12:26:07 +02:00
Sten	338b4de3ba	refactor(apps): registrar-managed oidc creds, drop mcp client, DRY secret All checks were successful AI Code Review / ai-review (pull_request) Successful in 5s Details Per platform review (danijel): - keycloak-client-forte-drop: add the secret{} block telling the registrar where to write the credential Secret + key names (forte-drop-oidc-credentials, client-id/client-secret). The forte-helm oidc sidecar consumes that registrar-created Secret — no manual auth-oidc SealedSecret step (removed that NOTE). - Delete keycloak-client-forte-drop-mcp: auth.type: mcp auto-registers the MCP client; no manual config needed. - Re-seal forte-drop-secrets with all shared env (BASE_DOMAIN, PG, S3_, PASSWORD_GATE_SECRET) so both deployments get identical values via envSecretName (values extraEnv now carries only APP_MODE).	2026-05-29 14:05:29 +02:00
Sten	61a8a2b4ac	chore(apps): clarify auth-oidc follow-up (drop commented-out resource line) All checks were successful AI Code Review / ai-review (pull_request) Successful in 6s Details ai-review: a commented-out resource line reads as GitOps debt. Replace the '# - auth-oidc-sealed.yaml' line with an explicit NOTE explaining it's a deliberate post-deploy step (needs the registrar-generated client-secret), not a disabled resource.	2026-05-29 12:14:09 +02:00
Sten	96db244e03	refactor(apps): move forte-drop postgres from infra to apps All checks were successful AI Code Review / ai-review (pull_request) Successful in 6s Details Per reviewer (danijel): forte-drop's DB deployment belongs in apps/, not infra/. Straight relocation — same structure (Application + resources/ subdir), source.path updated to apps/base/forte-drop-postgresql/resources, wired into apps/overlays/upc-dev. Backup CronJob + RESTORE.md + sealed pg creds move with it. Consolidates the whole forte-drop deployment (postgres + web + mcp) under apps/. The infra PR (#17) is now superseded by this.	2026-05-29 10:38:51 +02:00
Sten	d6a97a22df	fix(apps): explicit forte-drop namespace (sync-wave -1, Prune=false) All checks were successful AI Code Review / ai-review (pull_request) Successful in 1m40s Details Codex review: the apps overlay applies namespaced resources (keycloak-client Secrets, forte-drop-secrets, PDB) to forte-drop, but no base created the namespace — first sync on a fresh cluster raced ahead of the Applications' CreateNamespace and failed with 'namespaces forte-drop not found' until a retry. Add an explicit Namespace at sync-wave -1 so it exists before the wave-0 namespaced resources (covers both web + mcp bases via the shared parent). Prune=false keeps removing a base from cascade- deleting the namespace + postgres data + the other deployment.	2026-05-29 10:25:37 +02:00
Sten	c4b7167f9e	feat(apps): add forte-drop-secrets sealed secret Sealed forte-drop-secrets with the real UpCloud Managed Object Storage creds (existing drops bucket), PG creds matching the deployed forte-drop-pg-creds, and PASSWORD_GATE_SECRET. Consumed by both web + mcp deployments (envSecretName) and the pg-backup CronJob (S3 creds).	2026-05-29 10:03:57 +02:00
Sten	6bc5bd29b3	feat(apps): PodDisruptionBudget for forte-drop web (minAvailable 1)	2026-05-29 09:31:16 +02:00
Sten	5f6fb9b152	fix(apps): scope forte-drop to upc-dev only, not via base forte-drop and forte-drop-mcp have hackathon-domain values hardcoded (drop-k8s.hackathon.forteapps.net). Listing them in apps/base/ syncs them to both upc-dev and upc-prod overlays — prod sync would create broken Applications pointing at non-existent prod ingress. Move references to apps/overlays/upc-dev/ only. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-28 18:28:51 +02:00
Sten	dbe67a4d56	docs(apps): clarify mcp deployment needs no auth-oidc secret	2026-05-28 16:51:04 +02:00
Sten	a2fae9dd0c	feat(apps): forte-drop web + mcp ArgoCD applications Two ArgoCD apps from the same forte-drop image: - forte-drop (web): admin + public drops, sidecar in oidc mode, ingress drop-k8s.hackathon.forteapps.net. - forte-drop-mcp (mcp): MCP-over-HTTP, sidecar in mcp mode, ingress mcp.drop-k8s.hackathon.forteapps.net. Plus two labeled Keycloak client config Secrets — the registrar creates the OIDC clients in the forte realm within ~2 min. Sealed secrets (forte-drop-secrets + auth-oidc) added in a follow-up commit by the maintainer: cd /Users/sten/dev/work/forte_k8/launchpad kubeseal --format=yaml \ --controller-name=sealed-secrets-controller \ --controller-namespace=kube-system \ < private/forte-drop-secrets.yaml \ > apps/base/forte-drop/forte-drop-secrets-sealed.yaml # auth-oidc: wait for registrar, copy client-secret into private/, # then seal as apps/base/forte-drop/auth-oidc-sealed.yaml. # (mcp deployment is sidecar type=mcp — no auth-oidc Secret needed; # only the web deployment requires it.)	2026-05-28 16:47:38 +02:00
jorgen.stensrud	396c771f59	feat(homepage): list forte_drop in Apps (#16 ) Adds forte_drop as an external service entry in the upc-dev Homepage portal. - Target host: https://drop.hackathon.forteapps.net (current Coolify deploy). - One-line addition under `services > Apps` in `infra/values/upc-dev/homepage-values.yaml`. - Will be retargeted to https://drop.forteapps.net once the K8s migration ships (spec in forte_drop repo: docs/superpowers/specs/2026-05-28-k8s-migration-design.md). Zero risk — pure metadata, no cluster mutation beyond Homepage refresh. Co-authored-by: Sten <sten@Mac.domain_not_set.invalid> Reviewed-on: #16 Reviewed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>	2026-05-28 14:04:05 +00:00
Danijel Simeunovic	0582cd9917	policy	2026-05-27 23:23:21 +02:00
Danijel Simeunovic	c49d03d7f7	onlySSO	2026-05-16 23:04:11 +02:00
Danijel Simeunovic	d47dba2ae5	signups	2026-05-16 22:12:04 +02:00
Danijel Simeunovic	cf9eb47ecf	script fix	2026-05-16 22:08:56 +02:00
Danijel Simeunovic	3eca723f05	diffs	2026-05-16 22:05:02 +02:00
Danijel Simeunovic	f36996da11	script fix	2026-05-16 21:57:44 +02:00
Danijel Simeunovic	6bf7db21d0	registrar error	2026-05-16 21:55:44 +02:00
Danijel Simeunovic	2641d55784	scopes	2026-05-16 21:53:36 +02:00
Danijel Simeunovic	117297effc	sso vw	2026-05-16 21:47:59 +02:00
Danijel Simeunovic	fda90f9e01	adminToken enc	2026-05-16 21:34:34 +02:00
Danijel Simeunovic	1124377d97	adminToken	2026-05-16 21:29:14 +02:00
Danijel Simeunovic	c0710b89bb	no signup	2026-05-16 21:15:38 +02:00
Danijel Simeunovic	d7bda18aea	domain	2026-05-16 21:11:17 +02:00
Danijel Simeunovic	2796e1b9d3	name	2026-05-16 21:09:04 +02:00
Danijel Simeunovic	d7a0c26117	icon	2026-05-16 21:08:36 +02:00
Danijel Simeunovic	693f2f9168	homepage	2026-05-16 21:07:29 +02:00
Danijel Simeunovic	2509ef062c	domain restriction	2026-05-16 20:58:00 +02:00
Danijel Simeunovic	957757e557	host	2026-05-16 20:51:44 +02:00
Danijel Simeunovic	070799da05	bitw	2026-05-16 20:49:25 +02:00
Danijel Simeunovic	1a2817e537	domain fix	2026-05-16 20:42:17 +02:00
Danijel Simeunovic	b47b0035f5	smtp auth	2026-05-16 20:38:21 +02:00
Danijel Simeunovic	d3fac4d43e	smtp port	2026-05-16 20:34:22 +02:00
Danijel Simeunovic	c37bd3ef04	from	2026-05-16 20:30:32 +02:00
Danijel Simeunovic	ad661ba3dd	allow signup	2026-05-16 20:27:36 +02:00
Danijel Simeunovic	a9625f96e6	db secrets	2026-05-16 20:23:58 +02:00
Danijel Simeunovic	cb64edc927	cleanup	2026-05-16 20:18:48 +02:00
Danijel Simeunovic	ac1c242fb9	kust	2026-05-16 20:17:14 +02:00
Danijel Simeunovic	4b29c07fd6	secret	2026-05-16 20:15:37 +02:00
Danijel Simeunovic	52732626e5	ignorediffs	2026-05-16 20:10:19 +02:00
Danijel Simeunovic	8634436dd4	StatefulSet	2026-05-16 20:07:17 +02:00
Danijel Simeunovic	a8baa169e9	secrets vw	2026-05-16 20:00:22 +02:00
Danijel Simeunovic	73ef3a6e12	pg fix	2026-05-16 19:49:38 +02:00
Danijel Simeunovic	302705d374	icon	2026-05-16 19:45:19 +02:00
Danijel Simeunovic	f3286ef77e	homepage vw	2026-05-16 19:44:17 +02:00
Danijel Simeunovic	74f4f86770	vw apps	2026-05-16 19:34:42 +02:00
Danijel Simeunovic	f2c56156bf	vw postgres	2026-05-16 18:10:14 +02:00
Danijel Simeunovic	21fb50ba00	vw fixes	2026-05-16 15:55:18 +02:00
Danijel Simeunovic	b90b630b06	comment	2026-05-16 15:52:10 +02:00
Danijel Simeunovic	66de9b8a0a	replicas	2026-05-16 15:48:13 +02:00
Danijel Simeunovic	716c552be9	ns	2026-05-16 15:44:04 +02:00
Danijel Simeunovic	f048b47a0f	vaultwarden	2026-05-16 15:39:55 +02:00
Danijel Simeunovic	66f40427ee	mappings	2026-05-15 15:47:25 +02:00
Danijel Simeunovic	332881cbd0	fix	2026-05-14 23:47:14 +02:00
Danijel Simeunovic	f363afa087	browser flow override	2026-05-14 23:43:40 +02:00
Danijel Simeunovic	bc42347cb6	gitea+ACCOUNT_LINKING	2026-05-14 21:30:53 +02:00
Danijel Simeunovic	80d7bff4bc	groups	2026-05-14 21:18:17 +02:00
Danijel Simeunovic	3644a3ec87	mappers	2026-05-14 21:14:57 +02:00
Danijel Simeunovic	bd478478f1	fix attemt	2026-05-14 20:40:44 +02:00
Danijel Simeunovic	67b1d95509	account linking	2026-05-14 19:39:38 +02:00
Danijel Simeunovic	fff95d98a5	remove protocol mappers	2026-05-13 23:15:28 +02:00
Danijel Simeunovic	8b743efa43	KC fix	2026-05-13 23:13:09 +02:00