karpor

ts-mcp
ns
2026-04-24 09:43:16 +02:00 · 2026-04-23 14:44:33 +02:00 · 2026-04-23 14:11:45 +02:00 · 2026-04-23 13:41:51 +02:00 · 2026-04-23 13:40:33 +02:00 · 2026-04-23 13:38:47 +02:00
86 changed files with 1996 additions and 622 deletions
--- a/.gitea/workflows/ai-review.yaml
+++ b/.gitea/workflows/ai-review.yaml
@@ -0,0 +1,46 @@
 name: AI Code Review
 on:
  pull_request:
    types: [ labeled, synchronize ]
 jobs:
  ai-review:
    if: >-
      (github.event.action == 'synchronized' && contains(toJSON(github.event.pull_request.labels), 'ai-review')) || contains(toJSON(gitea.event.changes.added_labels), 'ai-review')
    runs-on: ubuntu-latest
    env:
      AI_REVIEW_CONFIG_FILE_YAML: ./shared-prompts/iac/.ai-review.yaml
      # VCS configuration
      VCS__PROVIDER: GITEA
      VCS__PIPELINE__OWNER: ${{ github.repository_owner }}
      VCS__PIPELINE__REPO: ${{ github.event.repository.name }}
      VCS__PIPELINE__PULL_NUMBER: ${{ github.event.pull_request.number }}
      VCS__HTTP_CLIENT__API_URL: https://git.forteapps.net/api/v1
      VCS__HTTP_CLIENT__API_TOKEN: ${{ secrets.AI_REVIEW_TOKEN }}
      # Review — disable fallback to see real Gitea API errors
      REVIEW__INLINE_COMMENT_FALLBACK: "false"
      # LLM configuration
      LLM__PROVIDER: CLAUDE
      LLM__META__MODEL: claude-sonnet-4-20250514
      LLM__META__MAX_TOKENS: "4096"
      LLM__HTTP_CLIENT__API_URL: https://api.anthropic.com
      LLM__HTTP_CLIENT__API_TOKEN: ${{ secrets.ANTHROPIC_API_KEY }}
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        submodules: true
        fetch-depth: 0
    - name: Run inline review
      uses: docker://nikitafilonov/ai-review:v0.64.0
      with:
        args: ai-review run-inline
    - name: Run summary review
      uses: docker://nikitafilonov/ai-review:v0.64.0
      with:
        args: ai-review run-summary
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,34 +0,0 @@
 name: Deploy Gitea Pages
 on:
  push:
    branches: [ main ]
    paths:
    - 'docs/**'
    - 'mkdocs.yml'
  workflow_dispatch:
 jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: Install dependencies
      run: |
        apt-get update -qq
        apt-get install -y -qq python3-pip
        pip3 install --break-system-packages mkdocs mkdocs-material
    - run: mkdocs build
    - name: Deploy to Gitea Pages
      run: |
        cd site
        git init
        git config user.name "gitea-actions"
        git config user.email "actions@forteapps.net"
        git add .
        git commit -m "Deploy docs"
        git push --force "https://x-token:${{ secrets.GITEA_TOKEN }}@git.forteapps.net/Forte/launchpad.git" HEAD:gitea-pages
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,3 @@
 [submodule "shared-prompts"]
 	path = shared-prompts
 	url = https://git.forteapps.net/Forte/ai-review-prompts.git
--- a/.project-standards.yaml
+++ b/.project-standards.yaml
@@ -1,7 +0,0 @@
 standards_version: "2025.1"
 last_configured: "2026-04-04"
 components:
  github-pages: "2025.1"
  github-pages-generator: "mkdocs"
  github-pages-source: "docs/"
  github-pages-theme: "material"
--- a/README.md
+++ b/README.md
@@ -83,20 +83,26 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 ├── bootstrap.sh                # Cluster initialization script
 ├── _app-of-apps.yaml          # Root ArgoCD Application (App-of-Apps pattern)
 │
-├── infra/                     # Infrastructure ArgoCD Applications
+├── infra/                     # Infrastructure ArgoCD Applications (Kustomize multi-cluster)
-│   ├── enterprise-apps.yaml   # Manages all apps in apps/ folder
+│   ├── base/                  # Base ArgoCD Application manifests (EU defaults)
-│   ├── traefik-application.yaml
+│   │   ├── kustomization.yaml
-│   ├── cert-manager-application.yaml
+│   │   ├── traefik-application.yaml
-│   ├── kyverno.yaml
+│   │   ├── keycloak.yaml
-│   ├── prometheus.yaml
+│   │   ├── grafana.yaml
-│   ├── grafana.yaml
+│   │   ├── gitea.yaml
-│   ├── loki.yaml
+│   │   ├── gitea-actions.yaml
-│   ├── tempo.yaml
+│   │   ├── tempo.yaml
-│   ├── fluent-bit.yaml
+│   │   ├── renovate.yaml
-│   ├── trivy.yaml
+│   │   ├── ...                # All other Application manifests
-│   ├── sealedsecrets.yaml
+│   │   └── secrets.yaml
-│   ├── renovate.yaml
+│   ├── overlays/              # Per-cluster overrides
 │   │   ├── upc-dev/           # UpCloud Dev cluster (uses base as-is)
 │   │   └── upc-prod/         # UpCloud Prod cluster (patches value paths)
 │   ├── dashboards/            # Grafana dashboard ConfigMaps
 │   └── values/                # Helm value overrides
 │       ├── base/              # Shared values (all clusters)
 │       ├── upc-dev/           # UpCloud Dev-specific values
 │       └── upc-prod/         # UpCloud Prod-specific values
 │
 ├── apps/                      # Business Applications
 │   ├── mcp10x.yaml
@@ -140,12 +146,12 @@ This repository contains the complete GitOps configuration for our Kubernetes cl
 |------------|---------|-----------|-----------|
 | **[launchpad](https://git.forteapps.net/Forte/launchpad)** (this repo) | ArgoCD Applications, cluster resources | Platform / DevOps engineers | ✅ Often |
 | **[forte-helm](https://git.forteapps.net/Forte/forte-helm)** | Generic Helm chart templates | Platform engineers | ❌ Rarely |
-| **[helm-values](ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git)** | App-specific configuration & versions | Developers / CI pipelines | ✅ Sometimes |
+| **[helm-prod-values](ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git)** | App-specific configuration & versions | Developers / CI pipelines | ✅ Sometimes |
 ### GitOps Workflow
 ```
-Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD syncs → Deployed to cluster
+Developer commits code → CI/CD builds image → Updates helm-prod-values → ArgoCD syncs → Deployed to cluster
 ```
 **Learn more**: [GitOps Architecture - GitOps Workflow](docs/GITOPS-ARCHITECTURE.md#gitops-workflow)
@@ -160,7 +166,7 @@ Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD
 **Quick version**:
 1. Create `apps/myapp.yaml` (ArgoCD Application manifest)
-2. Create `helm-values/myapp/values.yaml` (configuration)
+2. Create `helm-prod-values/myapp/values.yaml` (configuration)
 3. Create sealed secrets if needed
 4. Commit and push - ArgoCD auto-syncs!
@@ -169,8 +175,8 @@ Developer commits code → CI/CD builds image → Updates helm-values → ArgoCD
 **See detailed guide**: [Developer Guide - Updating an Existing Application](docs/DEVELOPER-GUIDE.md#updating-an-existing-application)
 **Quick version**:
- **Update code**: Push to app repo → CI/CD updates image tag in helm-values
+- **Update code**: Push to app repo → CI/CD updates image tag in helm-prod-values
- **Update config**: Edit `helm-values/myapp/values.yaml` → commit → push
+- **Update config**: Edit `helm-prod-values/myapp/values.yaml` → commit → push
 ### Manage Secrets
@@ -198,7 +204,7 @@ git push
 **Quick version**:
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 # Token-based auth (simple)
 auth:
@@ -355,12 +361,12 @@ kubectl patch application myapp -n argocd \
 ## 📖 Key Concepts
 ### App-of-Apps Pattern
-`_app-of-apps.yaml` is the root Application that manages all other Applications in `infra/`. Each YAML in `infra/` becomes a child Application managed by ArgoCD.
+`_app-of-apps.yaml` is the root Application that manages all other Applications in `infra/`. Kustomize overlays in `infra/overlays/{upc-dev,upc-prod}/` render the base Applications with per-cluster patches (e.g., swapping value file paths from `upc-dev` to `upc-prod`).
 ### Multi-Source Pattern
 Applications reference both:
 1. **Helm charts** from `forte-helm` (templates)
-2. **Values** from `helm-values` (configuration)
+2. **Values** from `helm-prod-values` (configuration)
 This separates reusable templates from environment-specific config.
@@ -429,7 +435,7 @@ Applications deploy in order using `argocd.argoproj.io/sync-wave`:
 ### Adding a New Application
 1. Read [Developer Guide - Deploying Your First Application](docs/DEVELOPER-GUIDE.md#deploying-your-first-application)
 2. Create ArgoCD Application manifest in `apps/`
-3. Create Helm values in `helm-values/`
+3. Create Helm values in `helm-prod-values/`
 4. Create sealed secrets if needed
 5. Commit and push - ArgoCD handles the rest!
@@ -454,14 +460,14 @@ Documentation lives in `docs/`. To update:
 ### Current Environment
 - **Provider**: UpCloud Managed Kubernetes
 - **Environment**: Production (internal use only)
- **Cluster**: Single cluster
+- **Clusters**: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
 - **Auth**: Disabled for ArgoCD (internal access)
 - **Backup**: None (cluster rebuildable via GitOps)
 ### Known Limitations
 - No automated backups (yet)
 - Secret rotation not automated
- Single cluster (no multi-cluster setup)
+- Multi-cluster limited to upc-dev and upc-prod environments
 - DNS management is manual
 **Future improvements**: See [Operations Runbook - Disaster Recovery](docs/OPERATIONS-RUNBOOK.md#disaster-recovery)
@@ -479,8 +485,8 @@ Documentation lives in `docs/`. To update:
 - [Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
 ### Related Repositories
- [forte-helm](https://github.com/fortedigital/forte-helm) - Helm chart templates
+- [forte-helm](https://git.forteapps.net/Forte/forte-helm) - Helm chart templates
- [helm-values](git@github.com:fortedigital/helm-values.git) - Application values
+- [helm-prod-values](git@github.com:fortedigital/helm-prod-values.git) - Application values
 ---
--- a/_app-of-apps-upc-dev.yaml
+++ b/_app-of-apps-upc-dev.yaml
@@ -20,7 +20,7 @@ spec:
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    path: infra
+    path: infra/overlays/upc-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: default
--- a/_app-of-apps-upc-prod.yaml
+++ b/_app-of-apps-upc-prod.yaml
@@ -0,0 +1,32 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: monitoring
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: infrastructure-apps
  namespace: argocd
  labels:
    app.kubernetes.io/name: infrastructure-apps
    app.kubernetes.io/part-of: platform
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: git@github.com:fortedigital/sturdy-adventure.git
    targetRevision: HEAD
    path: infra/overlays/upc-prod
  destination:
    server: https://kubernetes.default.svc
    namespace: default
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
--- a/apps/base/argo-mcp.yaml
+++ b/apps/base/argo-mcp.yaml
--- a/apps/base/dot-ai-stack.yaml
+++ b/apps/base/dot-ai-stack.yaml
@@ -27,29 +27,19 @@ metadata:
 spec:
  project: default
-  source:
+  sources:
-    repoURL: ghcr.io/vfarcic/dot-ai-stack/charts
+  - repoURL: ghcr.io/vfarcic/dot-ai-stack/charts
    chart: dot-ai-stack
    targetRevision: "0.56.0"
    helm:
      releaseName: dot-ai-stack
-      values: |
+      valueFiles:
-        dot-ai:
+      - $values/infra/values/base/dot-ai-stack-values.yaml
-          ingress:
+      - $values/infra/values/upc-dev/dot-ai-stack-values.yaml
-            enabled: true
+
-            className: traefik
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
-            host: kubemcp.forteapps.net
+    targetRevision: HEAD
-          webUI:
+    ref: values
            baseUrl: http://kubemcpui.forteapps.net
        dot-ai-ui:
          uiAuth:
            secretRef:
              name: dot-ai-secrets
          ingress:
            enabled: true
            className: traefik
            host: kubemcpui.forteapps.net
  destination:
    server: https://kubernetes.default.svc
--- a/apps/base/kustomization.yaml
+++ b/apps/base/kustomization.yaml
@@ -0,0 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - dot-ai-stack.yaml
 - mcp10x.yaml
 - musicman.yaml
 - ts-mcp.yaml
 - argo-mcp.yaml
--- a/apps/base/mcp10x.yaml
+++ b/apps/base/mcp10x.yaml
--- a/apps/base/musicman.yaml
+++ b/apps/base/musicman.yaml
--- a/apps/base/ts-mcp.yaml
+++ b/apps/base/ts-mcp.yaml
@@ -0,0 +1,40 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: ts-mcp
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "11"
    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
    notifications.argoproj.io/subscribe.on-degraded.slack: ""
  labels:
    app.kubernetes.io/name: ts-mcp
    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/forte-helm.git
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
      - $values/ts-mcp/values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/helm-prod-values.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: ts-mcp
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
--- a/apps/overlays/upc-dev/kustomization.yaml
+++ b/apps/overlays/upc-dev/kustomization.yaml
@@ -0,0 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/apps/overlays/upc-prod/kustomization.yaml
+++ b/apps/overlays/upc-prod/kustomization.yaml
@@ -0,0 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 patches:
 # dot-ai-stack: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: dot-ai-stack
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/dot-ai-stack-values.yaml
--- a/bootstrap.sh
+++ b/bootstrap.sh
@@ -2,7 +2,14 @@
 # in case of  $'\r': command not found error, run command below first
 # sed -i 's/\r$//' ./bootstrap.sh
-echo "running $0..."
+CLUSTER="${1:?Usage: ./bootstrap.sh <cluster> (upc-dev|upc-prod)}"
 echo "running $0 for cluster: ${CLUSTER}..."
 # Source cluster config
 eval $(yq -r 'to_entries[] | "export \(.key)=\"\(.value)\""' "clusters/${CLUSTER}.yaml")
 echo "Bootstrapping cluster: ${clusterName} (${CLUSTER})..."
 ############################################################
 # Bootstrap                                                     #
@@ -10,17 +17,17 @@ echo "running $0..."
 Bootstrap()
 {
    ArgoCd
-#    Github
+#    Gitea
 }
 ############################################################
-# Github                                                     #
+# Gitea                                                     #
 ############################################################
-Github()
+Gitea()
 {
    echo "Installing secret..."
-    kubectl apply -f private/github.yaml
+    kubectl apply -f private/gitea-repo-main.yaml
    kubectl apply -f private/main.key
 }
@@ -31,15 +38,15 @@ ArgoCd()
 {
    # install argocd
    echo "Installing ArgoCD..."
    CLUSTER_NAME="${CLUSTER_NAME:-dev-fd-no-svg1}"
    helm upgrade --install argocd argo-cd \
            --repo https://argoproj.github.io/argo-helm \
            --namespace argocd --create-namespace \
-            --values infra/values/argocd-values.yaml \
+            --values infra/values/base/argocd-values.yaml \
-            --set notifications.context.clusterName="$CLUSTER_NAME" \
+            --values "infra/values/${CLUSTER}/argocd-values.yaml" \
            --set notifications.context.clusterName="${clusterName}" \
            --timeout 60s --atomic
-    kubectl apply -f _app-of-apps.yaml -n argocd
+    kubectl apply -f "_app-of-apps-${CLUSTER}.yaml" -n argocd
 }
-Bootstrap
+# Bootstrap
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -243,8 +243,8 @@ spec:
            - name: AUTH_OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: auth-oidc
+                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret\" || 'auth-oidc' }}"
-                  key: client-secret
+                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oidc-credentials-secret-key\" || 'client-secret' }}"
            resources:
              limits:
                cpu: 50m
@@ -410,8 +410,8 @@ spec:
            - name: AUTH_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
-                  name: auth-oauth
+                  name: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-credentials-secret\" || 'auth-oauth' }}"
-                  key: client-secret
+                  key: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-oauth-credentials-secret-key\" || 'client-secret' }}"
            - name: AUTH_OAUTH_DELEGATION_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
--- a/cluster-resources/policies/keycloak-client-cloner.yaml
+++ b/cluster-resources/policies/keycloak-client-cloner.yaml
@@ -0,0 +1,37 @@
 apiVersion: kyverno.io/v1
 kind: ClusterPolicy
 metadata:
  name: keycloak-client-config-cloner
 spec:
  rules:
  - name: clone-client-config-to-keycloak
    skipBackgroundRequests: false
    match:
      any:
      - resources:
          kinds:
          - Secret
          selector:
            matchLabels:
              keycloak.forteapps.net/client-config: "true"
    exclude:
      any:
      - resources:
          namespaces:
          - keycloak
    generate:
      apiVersion: v1
      kind: Secret
      name: "{{request.object.metadata.name}}"
      namespace: keycloak
      synchronize: true
      data:
        metadata:
          labels:
            keycloak.forteapps.net/client-config: "true"
            keycloak.forteapps.net/source-namespace: "{{request.object.metadata.namespace}}"
          annotations:
            keycloak.forteapps.net/source-name: "{{request.object.metadata.name}}"
            keycloak.forteapps.net/source-namespace: "{{request.object.metadata.namespace}}"
        data: "{{request.object.data}}"
        type: "{{request.object.type}}"
--- a/clusters/upc-dev.yaml
+++ b/clusters/upc-dev.yaml
@@ -0,0 +1,10 @@
 clusterName: dev-fd-no-svg1
 domain: forteapps.net
 argocdDomain: argocd.127.0.0.1.nip.io
 grafanaDomain: grafana.forteapps.net
 keycloakDomain: id.forteapps.net
 dotaiDomain: kubemcp.forteapps.net
 dotaiUiDomain: kubemcpui.forteapps.net
 letsencryptEmail: danijels@gmail.com
 trustedIPs: "172.16.1.0/24"
 cloudProvider: upcloud
--- a/clusters/upc-prod.yaml
+++ b/clusters/upc-prod.yaml
@@ -0,0 +1,10 @@
 clusterName: prod-fd-no-svg1
 domain: fortedigital.com
 argocdDomain: argocd.127.0.0.1.nip.io
 grafanaDomain: grafana.fortedigital.com
 keycloakDomain: id.fortedigital.com
 dotaiDomain: kubemcp.fortedigital.com
 dotaiUiDomain: kubemcpui.fortedigital.com
 letsencryptEmail: danijel.simeunovic@fortedigital.com
 trustedIPs: "172.16.1.0/24"
 cloudProvider: upcloud
--- a/docs/DEVELOPER-GUIDE.md
+++ b/docs/DEVELOPER-GUIDE.md
@@ -9,6 +9,7 @@
 - [Updating an Existing Application](#updating-an-existing-application)
 - [Working with Secrets](#working-with-secrets)
 - [Enabling Authentication for Applications](#enabling-authentication-for-applications)
 - [Adding a New Keycloak Client](#adding-a-new-keycloak-client)
 - [Troubleshooting](#troubleshooting)
 - [Best Practices](#best-practices)
@@ -95,10 +96,10 @@ You'll need read/write access to these repositories:
   cd launchpad
   ```
-2. **helm-values** (Values repo)
+2. **helm-prod-values** (Values repo)
   ```bash
   git clone https://git.forteapps.net/Forte/helm-prod-values.git
-   cd helm-values
+   cd helm-prod-values
   ```
 3. **forte-helm** (Chart repo - read-only for most developers)
@@ -174,13 +175,13 @@ npm run dev
 │  - GitHub Actions builds image                                  │
 │  - Pushes to container registry (GHCR, Docker Hub)              │
 │  - Tags with version (e.g., v2.0.4)                             │
-│  - Updates helm-values repository with new tag                  │
+│  - Updates helm-prod-values repository with new tag                  │
 └─────────────────────────────────────────────────────────────────┘
                            │
                            ▼
 ┌─────────────────────────────────────────────────────────────────┐
 │  Step 3: GitOps Sync (Automated)                                │
-│  - ArgoCD detects change in helm-values                         │
+│  - ArgoCD detects change in helm-prod-values                         │
 │  - Pulls updated configuration                                  │
 │  - Syncs to Kubernetes cluster                                  │
 │  - Sends Slack notification on success/failure                  │
@@ -200,7 +201,7 @@ Our setup uses three repositories:
 | Repository | Purpose | Who Edits | How Often |
 |------------|---------|-----------|-----------|
 | **forte-helm** | Helm chart templates (generic, reusable) | Platform engineers | ❌ Rarely |
-| **helm-values** | Application configuration (image tag, env vars) | Developers / CI pipelines | ✅ Sometimes |
+| **helm-prod-values** | Application configuration (image tag, env vars) | Developers / CI pipelines | ✅ Sometimes |
 | **launchpad** | ArgoCD Applications (what gets deployed) | Platform / DevOps engineers | ✅ Per new app |
 ### Example: Deploying "myapp"
@@ -222,7 +223,7 @@ spec:
      value: {{ .Values.app.port }}
 ```
-#### Repository: `helm-values` (Your App Config)
+#### Repository: `helm-prod-values` (Your App Config)
 ```yaml
 # myapp/values.yaml
 # Your app's specific configuration
@@ -247,13 +248,13 @@ metadata:
  namespace: argocd
 spec:
  sources:
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
    path: forteapp
    helm:
      valueFiles:
      - $values/myapp/values.yaml
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
    ref: values
  destination:
@@ -315,10 +316,10 @@ Ensure your app repository has:
             docker build -t ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }} .
             docker push ghcr.io/fortedigital/hello-world:${{ steps.version.outputs.VERSION }}
-         - name: Update helm-values
+         - name: Update helm-prod-values
           run: |
-             git clone git@github.com:fortedigital/helm-values.git
+             git clone git@github.com:fortedigital/helm-prod-values.git
-             cd helm-values
+             cd helm-prod-values
             mkdir -p hello-world
             cat > hello-world/values.yaml <<EOF
             app:
@@ -333,7 +334,7 @@ Ensure your app repository has:
 ### Step 2: Create Helm Values
-Create a folder in `helm-values` repository:
+Create a folder in `helm-prod-values` repository:
 ```bash
 cd ~/dev/k8s/helm-prod-values
@@ -411,7 +412,7 @@ spec:
  sources:
  # Source 1: Helm chart templates
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
    path: forteapp
    targetRevision: HEAD
    helm:
@@ -419,7 +420,7 @@ spec:
      - $values/hello-world/values.yaml
  # Source 2: Helm values
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
    targetRevision: HEAD
    ref: values
@@ -527,7 +528,7 @@ git push origin main
 2. ✅ Builds new Docker image
 3. ✅ Tags with new version (e.g., `v20260316-143022`)
 4. ✅ Pushes to container registry
-5. ✅ Updates `helm-values/myapp/values.yaml` with new tag
+5. ✅ Updates `helm-prod-values/myapp/values.yaml` with new tag
 6. ✅ ArgoCD detects change
 7. ✅ Syncs new version to cluster
 8. ✅ Sends Slack notification
@@ -682,7 +683,7 @@ git push
 #### Step 4: Reference Secret in Application
-Update your `helm-values/myapp/values.yaml`:
+Update your `helm-prod-values/myapp/values.yaml`:
 ```yaml
 app:
@@ -790,7 +791,7 @@ Three authentication modes are supported:
 #### Step 1: Configure Helm Values
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 auth:
  enabled: true
  type: token                    # Token mode (default)
@@ -912,7 +913,7 @@ rm private/myapp-auth-oidc.yaml
 #### Step 3: Configure Helm Values
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 auth:
  enabled: true
  type: oidc                     # OIDC mode
@@ -961,6 +962,46 @@ User sees application (authenticated)
 ---
 ### Accessing Authenticated User Information
 The auth sidecar handles all authentication before requests reach your application. Your app never sees unauthenticated traffic — the sidecar returns 401 or redirects to the IdP first.
 After successful authentication, the sidecar forwards the request to your application with user identity injected as HTTP headers:
 | Header | Description | Available in |
 |--------|-------------|-------------|
 | `X-Auth-User` | Username or display name | Token, OIDC, MCP |
 | `X-Auth-Email` | User email address | OIDC |
 | `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
 | `X-Auth-Groups` | Comma-separated group memberships | OIDC (if scope includes `groups`) |
 | `X-Auth-Token` | The validated access token | All modes |
 **Your application reads these headers — no auth library needed:**
 ```javascript
 // Express.js example
 app.get('/profile', (req, res) => {
  const user = req.headers['x-auth-user'];
  const email = req.headers['x-auth-email'];
  res.json({ user, email });
 });
 ```
 ```python
 # Flask example
@app.route('/profile')
 def profile():
    user = request.headers.get('X-Auth-User')
    email = request.headers.get('X-Auth-Email')
    return jsonify(user=user, email=email)
 ```
 **Why this is safe**: The Kyverno-generated NetworkPolicy restricts ingress to the sidecar port only. Traffic cannot bypass the sidecar to reach the application port directly, so the `X-Auth-*` headers can be trusted unconditionally.
 **Key principle**: Your application is zero-trust-unaware by design. It reads headers and renders UI. All authentication complexity lives in the sidecar and Kyverno policy.
 ---
 ### Authentication Configuration Reference
 #### Helm Values Schema
@@ -1048,7 +1089,7 @@ policies.forteapps.io/auth-image-version: "v1.2.3"
 #### Example 1: Internal API with Token Auth
 ```yaml
-# helm-values/internal-api/values.yaml
+# helm-prod-values/internal-api/values.yaml
 app:
  image:
    repository: ghcr.io/company/internal-api
@@ -1076,7 +1117,7 @@ curl -H "Authorization: Bearer d4f88f..." \
 #### Example 2: User-Facing App with OIDC
 ```yaml
-# helm-values/web-app/values.yaml
+# helm-prod-values/web-app/values.yaml
 app:
  image:
    repository: ghcr.io/company/web-app
@@ -1111,7 +1152,7 @@ kubectl create secret generic auth-oidc \
 #### Example 3: MCP Server with OAuth 2.0
 ```yaml
-# helm-values/mcp-server/values.yaml
+# helm-prod-values/mcp-server/values.yaml
 app:
  image:
    repository: ghcr.io/company/mcp-server
@@ -1135,7 +1176,7 @@ The MCP auth mode implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) fo
 #### Example 4: Disabling Authentication
 ```yaml
-# helm-values/public-api/values.yaml
+# helm-prod-values/public-api/values.yaml
 auth:
  enabled: false                 # No authentication
@@ -1247,6 +1288,202 @@ kubectl logs -n myapp <pod-name> -c authn
 ---
 ## Adding a New Keycloak Client
 There are two ways to add an OIDC client, depending on your use case:
 | Method | Best for | Who edits the infra repo? |
 |--------|----------|--------------------------|
 | **Self-service** (recommended) | New apps that deploy their own resources | App developer — no infra changes needed |
 | **Legacy (realm JSON)** | Existing clients already defined in forte-realm.json (e.g., Gitea) | Platform engineer |
 Both methods are served by the **Keycloak Client Registrar** CronJob, which runs every 2 minutes.
 ### Self-Service OIDC Client Registration
 This is the recommended flow for new applications. Your app deploys a labeled config Secret in its own namespace; the platform handles everything else.
 #### How It Works
 1. You deploy a Secret with label `keycloak.forteapps.net/client-config: "true"` containing a `client.json` definition
 2. A **Kyverno ClusterPolicy** (`keycloak-client-config-cloner`) clones it to the `keycloak` namespace
 3. The **Client Registrar CronJob** picks it up within 2 minutes:
   - Registers (or updates) the client in Keycloak
   - Fetches the auto-generated client secret
   - Creates a credential Secret in your app's namespace
   - Annotates the config Secret with sync status
 #### Step 1: Create the Config Secret
 Deploy this Secret in your application's namespace (e.g., as part of your Helm chart or Kustomize overlay):
 ```yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: keycloak-client-myapp
  namespace: myapp
  labels:
    keycloak.forteapps.net/client-config: "true"
 stringData:
  client.json: |
    {
      "clientId": "myapp",
      "name": "My Application",
      "redirectUris": ["https://myapp.forteapps.net/*"],
      "webOrigins": ["https://myapp.forteapps.net"],
      "defaultClientScopes": ["openid", "email", "profile"],
      "protocolMappers": [],
      "secret": {
        "namespace": "myapp",
        "name": "myapp-oidc-credentials",
        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
      }
    }
 ```
 **`client.json` fields**:
 | Field | Required | Description |
 |-------|----------|-------------|
 | `clientId` | Yes | Keycloak client ID |
 | `name` | Yes | Display name in Keycloak |
 | `redirectUris` | Yes | Allowed redirect URIs |
 | `webOrigins` | Yes | Allowed web origins (CORS) |
 | `defaultClientScopes` | No | Scopes (default: `["openid", "email", "profile"]`) |
 | `protocolMappers` | No | Custom claim mappers (default: `[]`) |
 | `secret.namespace` | No | Namespace for the credential Secret (default: source namespace) |
 | `secret.name` | No | Name of the credential Secret (default: `<clientId>-oidc-credentials`) |
 | `secret.keys.clientId` | No | Key name for client ID in credential Secret (default: `client-id`) |
 | `secret.keys.clientSecret` | No | Key name for client secret in credential Secret (default: `client-secret`) |
 #### Step 2: Reference the Credential Secret
 In your application's deployment config, reference the credential Secret that the registrar creates:
 ```yaml
 env:
 - name: OIDC_CLIENT_ID
  valueFrom:
    secretKeyRef:
      name: myapp-oidc-credentials
      key: client-id
 - name: OIDC_CLIENT_SECRET
  valueFrom:
    secretKeyRef:
      name: myapp-oidc-credentials
      key: client-secret
 ```
 #### Step 3: Deploy and Wait
 Commit and push your changes. The credential Secret will appear within 2 minutes:
 ```bash
 # Watch for the credential Secret to be created
 kubectl get secret myapp-oidc-credentials -n myapp -w
 # Check registrar logs
 kubectl logs -n keycloak job/$(kubectl get jobs -n keycloak --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
 # Check sync status on the config Secret
 kubectl get secret keycloak-client-myapp -n keycloak -o jsonpath='{.metadata.annotations}'
 ```
 #### Change Detection
 The registrar computes a SHA-256 hash of `client.json` and stores it as an annotation. On subsequent runs, it skips processing if:
 - The hash hasn't changed, AND
 - The credential Secret already exists in the target namespace
 To force a re-sync, update any field in `client.json` (e.g., add a trailing space to `name`).
 ### Legacy Method: Realm JSON
 Existing clients (like Gitea) are defined directly in `forte-realm.json` inside `keycloak-values.yaml`. The registrar syncs their secrets via client attributes.
 #### Step 1: Add Client to Realm Config
 In `infra/values/base/keycloak-values.yaml`, add a new entry to the `clients` array in `forte-realm.json`:
 ```json
 {
  "clientId": "myapp",
  "name": "My Application",
  "enabled": true,
  "protocol": "openid-connect",
  "clientAuthenticatorType": "client-secret",
  "standardFlowEnabled": true,
  "directAccessGrantsEnabled": false,
  "publicClient": false,
  "redirectUris": ["https://myapp.forteapps.net/*"],
  "webOrigins": ["https://myapp.forteapps.net"],
  "defaultClientScopes": ["openid", "email", "profile"],
  "attributes": {
    "k8s.secret.sync": "true",
    "k8s.secret.namespace": "myapp",
    "k8s.secret.name": "myapp-oidc-credentials",
    "k8s.secret.client-id-key": "key",
    "k8s.secret.client-secret-key": "secret"
  }
 }
 ```
 **Important**:
 - Do **NOT** include a `"secret"` field — Keycloak generates one automatically
 - The `attributes` block tells the registrar where to create the K8s Secret
 - Set `client-id-key` / `client-secret-key` to match what the consuming app expects (defaults: `client-id` / `client-secret`)
 #### Step 2: Reference the Secret in Your Application
 ```yaml
 existingSecret: myapp-oidc-credentials
 ```
 #### Step 3: Commit and Push
 ```bash
 cd ~/dev/k8s/launchpad
 git add infra/values/base/keycloak-values.yaml
 git commit -m "Add myapp Keycloak client with auto-sync"
 git push
 ```
 ArgoCD will sync the Keycloak config, and the registrar CronJob will pick up the new client within 2 minutes.
 #### Legacy Sync Attribute Reference
 | Attribute | Required | Default | Description |
 |-----------|----------|---------|-------------|
 | `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
 | `k8s.secret.namespace` | Yes | — | Target K8s namespace for the secret |
 | `k8s.secret.name` | Yes | — | Name of the K8s Secret to create |
 | `k8s.secret.client-id-key` | No | `client-id` | Field name for the client ID in the K8s Secret |
 | `k8s.secret.client-secret-key` | No | `client-secret` | Field name for the client secret in the K8s Secret |
 ### Retrieving Secrets for External Deployments
 The registrar always writes a **central copy** of every synced secret to the `secrets` namespace, in addition to the target namespace. This allows operators to retrieve client credentials for applications deployed outside this cluster:
 ```bash
 # View the central copy
 kubectl get secret gitea-oidc-credentials -n secrets -o yaml
 # Extract the client secret for use elsewhere
 kubectl get secret myapp-oidc-credentials -n secrets \
  -o jsonpath='{.data.client-secret}' | base64 -d
 ```
 ### Registrar Behavior Notes
 - The registrar runs as a CronJob every 2 minutes (`concurrencyPolicy: Forbid`)
 - If the target namespace doesn't exist, the target write is skipped with a warning (the central copy still happens)
 - A central copy is **always** written to the `secrets` namespace for every synced client
 - The registrar uses the `keycloak-credentials` secret for admin authentication
 - Created secrets have the label `app.kubernetes.io/managed-by: keycloak-client-registrar`
 ---
 ## Troubleshooting
 ### Application Not Deploying
@@ -1303,7 +1540,7 @@ kubectl exec -n myapp <pod-name> -- env
 # Check if secrets exist
 kubectl get secrets -n myapp
-# Increase resources in helm-values
+# Increase resources in helm-prod-values
 vim ~/dev/k8s/helm-prod-values/myapp/values.yaml
 ```
@@ -1452,7 +1689,7 @@ If you're stuck:
 ### Configuration Management
 ✅ **DO**:
- Keep configuration in `helm-values` repository
+- Keep configuration in `helm-prod-values` repository
 - Use environment variables for config
 - Document what each value does
 - Use reasonable resource limits
@@ -1579,4 +1816,4 @@ Now that you understand the basics:
 - Docs: [Full documentation index](README.md)
 - Help: Contact platform team
-**Last Updated**: 2026-03-16
+**Last Updated**: 2026-04-16
--- a/docs/GITOPS-ARCHITECTURE.md
+++ b/docs/GITOPS-ARCHITECTURE.md
@@ -16,7 +16,7 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
 ### Key Characteristics
 - **Environment**: Production (internal use only)
- **Cluster Type**: Single cluster, single environment
+- **Cluster Type**: Multi-cluster (upc-dev, upc-prod) via Kustomize overlays
 - **GitOps Tool**: ArgoCD
 - **Deployment Pattern**: App-of-Apps
 - **Secret Management**: Sealed Secrets (kubeseal)
@@ -47,7 +47,7 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
         │                            │                          │
         │                            │                          │
         └────────► Update image tag ─┴──────────────────────────┘
-                    in helm-values                               │
+                    in helm-prod-values                               │
                                                                 │
                                                                 ▼
                                           ┌────────────────────────────────┐
@@ -62,8 +62,8 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
                                                        │
                                                        ▼
                                           ┌────────────────────────────────┐
-                                           │   Kubernetes Cluster           │
+                                           │   Kubernetes Clusters          │
-                                           │   (UpCloud Managed)            │
+                                           │   (UpCloud: upc-dev, upc-prod) │
                                           │                                │
                                           │  ┌──────────────────────────┐  │
                                           │  │    ArgoCD                │  │
@@ -116,81 +116,75 @@ This Kubernetes cluster uses a **GitOps approach** powered by **ArgoCD**, where
 ```
 launchpad/
 ├── bootstrap.sh                      # Cluster initialization script
-├── _app-of-apps.yaml                 # Root ArgoCD Application (App-of-Apps pattern)
+├── _app-of-apps-upc-dev.yaml        # Root ArgoCD Application (upc-dev cluster)
 ├── _app-of-apps-upc-prod.yaml       # Root ArgoCD Application (upc-prod cluster)
 │
-├── infra/                            # Infrastructure ArgoCD Applications
+├── infra/                            # Infrastructure ArgoCD Applications (Kustomize)
-│   ├── enterprise-apps.yaml          # Parent app managing all apps in apps/
+│   ├── base/                         # Base Application manifests (upc-dev defaults)
-│   ├── cluster-resources-application.yaml
+│   │   ├── kustomization.yaml
-│   ├── traefik-application.yaml
+│   │   ├── traefik-application.yaml
-│   ├── cert-manager-application.yaml
+│   │   ├── keycloak.yaml
-│   ├── kyverno.yaml
+│   │   ├── grafana.yaml
-│   ├── kyverno-policies.yaml
+│   │   ├── gitea.yaml
-│   ├── prometheus.yaml
+│   │   ├── gitea-actions.yaml
-│   ├── grafana.yaml
+│   │   ├── tempo.yaml
-│   ├── loki.yaml
+│   │   ├── renovate.yaml
-│   ├── tempo.yaml
+│   │   ├── ...                       # All other Application manifests
-│   ├── fluent-bit.yaml
+│   │   └── secrets.yaml
-│   ├── trivy.yaml
+│   ├── overlays/                     # Per-cluster overrides
-│   ├── sealedsecrets.yaml
+│   │   ├── upc-dev/                  # UpCloud Dev (uses base as-is)
-│   ├── secrets.yaml
+│   │   └── upc-prod/                # UpCloud Prod (patches value paths)
 │   ├── dashboards/                   # Grafana dashboard ConfigMaps
 │   └── values/                       # Helm value overrides for infra
-│       ├── argocd-values.yaml
+│       ├── base/                     # Shared values (all clusters)
-│       ├── prometheus-values.yaml
+│       │   ├── traefik-values.yaml
-│       ├── grafana-values.yaml
+│       │   ├── keycloak-values.yaml
-│       ├── loki-values.yaml
+│       │   ├── grafana-values.yaml
-│       ├── tempo-values.yaml
+│       │   ├── prometheus-values.yaml
-│       └── fluent-bit-values.yaml
+│       │   ├── gitea-values.yaml
 │       │   └── ...
 │       ├── upc-dev/                  # upc-dev cluster-specific values
 │       │   ├── traefik-values.yaml
 │       │   ├── keycloak-values.yaml
 │       │   └── grafana-values.yaml
 │       └── upc-prod/                # upc-prod cluster-specific values
 │           ├── traefik-values.yaml
 │           ├── keycloak-values.yaml
 │           └── grafana-values.yaml
 │
-├── apps/                             # Business Application ArgoCD manifests
+├── apps/                             # Business Application ArgoCD manifests (Kustomize)
-│   ├── mcp10x.yaml                   # MCP 10X application
+│   ├── base/                         # Base app manifests
-│   ├── musicman.yaml                 # Music Man application
+│   │   ├── kustomization.yaml
-│   ├── dot-ai-stack.yaml             # Dot AI Stack
+│   │   ├── dot-ai-stack.yaml
-│   └── argo-mcp.yaml                 # ArgoCD MCP server
+│   │   └── ...
 │   └── overlays/
 │       ├── upc-dev/                  # Uses base as-is
 │       └── upc-prod/                # Patches value paths
 │
 ├── cluster-resources/                # Cluster-wide Kubernetes resources
-│   ├── cert-manager-namespace.yaml
+│   ├── ...
 │   ├── secrets-namespace.yaml
 │   ├── letsencrypt-issuer.yaml       # Let's Encrypt ClusterIssuer
 │   ├── kyverno-config.yaml
 │   ├── argocd-notifications-secret-sealed.yaml
 │   ├── forte10x-repo-credentials-sealed.yaml
 │   ├── mcp10x-repo-credentials-sealed.yaml
 │   └── policies/                     # Kyverno policies
 │       ├── deployment-verifier.yaml
 │       ├── label-checker.yaml
 │       ├── bare-pod-cleaner.yaml
 │       ├── replicaset-cleaner.yaml
 │       ├── default-ns-blocker.yaml
 │       ├── secret-cloner.yaml
 │       └── auth-sidecar-injector.yaml
 │
-├── secrets/                          # Application secrets (sealed)
+├── secrets/                          # Application secrets (sealed, per-cluster)
-│   ├── argocd-mcp-credentials.yaml
+│   └── upc-dev/                      # Secrets for upc-dev cluster
 │   ├── dot-ai-secrets.yaml
 │   ├── mcp10x-credentials-sealed.yaml
 │   └── musicman-credentials.yaml
 │
 ├── private/                          # Local-only files (NOT in Git)
 │   ├── *.yaml                        # Unsealed secrets
 │   └── *.sh                          # Helper scripts
 │
 └── docs/                             # Documentation
    ├── GITOPS-ARCHITECTURE.md        # This file
    ├── DEVELOPER-GUIDE.md
    ├── OPERATIONS-RUNBOOK.md
    └── REFERENCE.md
 ```
 **Key Points**:
- `_app-of-apps.yaml` is the root Application that ArgoCD monitors
+- `_app-of-apps-upc-dev.yaml` and `_app-of-apps-upc-prod.yaml` are the per-cluster root Applications
- `infra/enterprise-apps.yaml` auto-discovers all apps in `apps/` folder
+- Kustomize overlays in `infra/overlays/` render base Applications with per-cluster patches
 - Helm values are split: `values/base/` (shared) + `values/upc-dev/` or `values/upc-prod/` (cluster-specific)
 - `apps/` follows the same base/overlays pattern for business applications
 - Changes pushed to this repo trigger automatic syncs in ArgoCD
 - `private/` folder contains local-only files (Git-ignored)
 ---
 ### 2. **Helm Charts Repository**
-**Repository**: `https://github.com/fortedigital/forte-helm`
+**Repository**: `https://git.forteapps.net/Forte/forte-helm`
 **Purpose**: Reusable Helm chart templates for Forte applications
 **Location**: `C:\dev\k8s\forte-helm`
@@ -224,7 +218,7 @@ forte-helm/
 ---
 ### 3. **Helm Values Repository**
-**Repository**: `git@github.com:fortedigital/helm-values.git`
+**Repository**: `git@github.com:fortedigital/helm-prod-values.git`
 **Purpose**: Environment-specific configuration for each application
 **Location**: `C:\dev\k8s\helm-prod-values`
@@ -234,8 +228,6 @@ helm-prod-values/
 │   └── values.yaml                   # MCP 10X configuration
 ├── musicman/
 │   └── values.yaml                   # Music Man configuration
 ├── mcpcoder/
 │   └── values.yaml                   # MCP Coder configuration
 └── argocd-mcp/
    └── values.yaml                   # ArgoCD MCP configuration
 ```
@@ -285,7 +277,7 @@ app-repository/
 2. Build Docker image
 3. Tag with version (e.g., `v2.0.4`)
 4. Push to container registry (GHCR, Docker Hub, etc.)
-5. Update image tag in `helm-values` repository
+5. Update image tag in `helm-prod-values` repository
 6. ArgoCD detects change and syncs automatically
 ---
@@ -295,7 +287,7 @@ app-repository/
 ### The App-of-Apps Pattern
 ```
-_app-of-apps.yaml (Root)
+_app-of-apps-{upc-dev,upc-prod}.yaml (Root, per cluster)
    │
    ├── infrastructure-apps (manages infra/)
    │   ├── cluster-resources-application
@@ -315,10 +307,10 @@ _app-of-apps.yaml (Root)
 ```
 **How It Works**:
-1. Bootstrap script installs ArgoCD and applies `_app-of-apps.yaml`
+1. Bootstrap script installs ArgoCD and applies `_app-of-apps-upc-dev.yaml` (or `upc-prod`)
-2. ArgoCD creates the root Application which monitors `infra/` folder
+2. ArgoCD creates the root Application which monitors the appropriate `infra/overlays/` folder
-3. Each YAML in `infra/` becomes a child Application
+3. Kustomize renders base Applications with cluster-specific patches
-4. `enterprise-apps.yaml` monitors `apps/` folder and auto-discovers applications
+4. `enterprise-apps` Application monitors the cluster's `apps/overlays/` folder
 5. ArgoCD continuously syncs (every 60s) and auto-heals drift
 ### Sync Waves & Ordering
@@ -346,13 +338,13 @@ Applications like `mcp10x` and `musicman` use multiple sources:
 ```yaml
 spec:
  sources:
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
    path: forteapp                     # Helm chart templates
    helm:
      valueFiles:
      - $values/mcp10x/values.yaml     # Reference to second source
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
    targetRevision: HEAD
    ref: values                        # Named reference
 ```
@@ -363,6 +355,34 @@ spec:
 - Easy to update all apps by changing the chart
 - Environment-specific values isolated in separate repo
 ### Multi-Cluster Pattern
 Kustomize overlays enable deploying the same Applications across clusters with different configurations:
 ```yaml
 # infra/base/ contains default (upc-dev) Applications
 # Helm values are layered: base + cluster-specific
 valueFiles:
 - $values/infra/values/base/traefik-values.yaml    # Shared config
 - $values/infra/values/upc-dev/traefik-values.yaml  # Cluster-specific
 # infra/overlays/upc-prod/kustomization.yaml patches the second valueFile
 patches:
 - target:
    kind: Application
    name: traefik
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/traefik-values.yaml
 ```
 **Benefits**:
 - Single source of truth for Application definitions
 - Cluster-specific values isolated per overlay
 - Easy to add new clusters by creating a new overlay
 - Base values shared across all clusters reduce duplication
 ---
 ## CI/CD Pipeline
@@ -392,8 +412,8 @@ jobs:
      - name: Update Helm values
        run: |
-          git clone git@github.com:fortedigital/helm-values.git
+          git clone git@github.com:fortedigital/helm-prod-values.git
-          cd helm-values/app
+          cd helm-prod-values/app
          sed -i "s/tag: .*/tag: $VERSION/" values.yaml
          git commit -am "Update app to $VERSION"
          git push
@@ -410,7 +430,7 @@ jobs:
   - Syncs application to cluster
 2. **Helm Values Change**:
-   - CI/CD updates `helm-values/myapp/values.yaml`
+   - CI/CD updates `helm-prod-values/myapp/values.yaml`
   - ArgoCD detects change
   - Pulls new Helm chart with updated values
   - Applies to cluster
@@ -617,7 +637,7 @@ Notifications include:
 ✅ **DO**:
 - Follow the `forteapp` chart pattern
 - Use semantic versioning for image tags
- Update helm-values via CI/CD
+- Update helm-prod-values via CI/CD
 - Test locally with Docker Compose
 - Document environment variables
--- a/docs/OPERATIONS-RUNBOOK.md
+++ b/docs/OPERATIONS-RUNBOOK.md
@@ -85,7 +85,8 @@ kubectl get applications -n argocd
 1. **Configure DNS** for ingress domains:
   - `argocd.127.0.0.1.nip.io` (local dev)
-   - `*.forteapps.net` (production)
+   - `*.forteapps.net` (dev)
   - `*.fortedigital.com` (production)
 2. **Verify Let's Encrypt certificates**:
   ```bash
@@ -107,7 +108,7 @@ kubectl get applications -n argocd
 ### ArgoCD Repository Access Setup
-ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for GitHub repositories.
+ArgoCD needs SSH access to private Git repositories to pull manifests and Helm values. This section covers setting up deploy keys for Gitea repositories.
 #### Why Deploy Keys?
@@ -119,7 +120,7 @@ ArgoCD needs SSH access to private Git repositories to pull manifests and Helm v
 #### Prerequisites
 - kubectl access to the cluster
- Write access to the GitHub repository
+- Write access to the Gitea repository
 - ArgoCD installed and running
 #### Setup Procedure
@@ -138,16 +139,16 @@ ssh-keygen -t rsa -b 4096 -C "argocd-deploy-key-launchpad" -f argocd-deploy-key
 This creates two files:
 - `argocd-deploy-key` - Private key (keep secret)
- `argocd-deploy-key.pub` - Public key (add to GitHub)
+- `argocd-deploy-key.pub` - Public key (add to Gitea)
-**Step 2: Add Public Key to GitHub**
+**Step 2: Add Public Key to Gitea**
 1. Copy the public key:
   ```bash
   cat argocd-deploy-key.pub
   ```
-2. Go to GitHub repository settings:
+2. Go to Gitea repository settings:
   - Navigate to: `https://git.forteapps.net/Forte/launchpad/settings/keys`
   - Or: Repository → Settings → Deploy keys
@@ -157,12 +158,12 @@ This creates two files:
   - ☐ Allow write access (leave unchecked - read-only is sufficient)
   - Click **"Add key"**
-4. Repeat for the `helm-values` repository if it's private:
+4. Repeat for the `helm-prod-values` repository if it's private:
   ```bash
-   # Generate separate key for helm-values repo
+   # Generate separate key for helm-prod-values repo
-   ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-values" -f argocd-helm-values-key -N ""
+   ssh-keygen -t ed25519 -C "argocd-deploy-key-helm-prod-values" -f argocd-helm-prod-values-key -N ""
-   # Add to: https://github.com/fortedigital/helm-values/settings/keys
+   # Add to: https://git.forteapps.net/Forte/helm-prod-values/settings/keys
   ```
 **Step 3: Create Kubernetes Secret**
@@ -207,7 +208,7 @@ kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository
 # Settings → Repositories → Should show "Successful" status
 # Test by creating an application
-kubectl apply -f _app-of-apps.yaml
+kubectl apply -f _app-of-apps-upc-dev.yaml   # or _app-of-apps-upc-prod.yaml
 # Check application sync status
 kubectl get applications -n argocd
@@ -270,7 +271,7 @@ rm /tmp/test-repo-access.yaml
   # Generate new key
   ssh-keygen -t ed25519 -C "argocd-deploy-key-$(date +%Y%m)" -f argocd-new-key -N ""
-   # Add new public key to GitHub (keep old key for now)
+   # Add new public key to Gitea (keep old key for now)
   # Update Kubernetes secret
   kubectl create secret generic repo-launchpad \
@@ -278,7 +279,7 @@ rm /tmp/test-repo-access.yaml
     --namespace=argocd \
     --dry-run=client -o yaml | kubectl apply -f -
-   # Test access, then remove old deploy key from GitHub
+   # Test access, then remove old deploy key from Gitea
   # Clean up
   shred -u argocd-new-key
@@ -289,7 +290,7 @@ rm /tmp/test-repo-access.yaml
   # List all repository secrets
   kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=repository
-   # Review deploy keys in GitHub
+   # Review deploy keys in Gitea
   # Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
   ```
@@ -312,16 +313,16 @@ kubectl get secret repo-launchpad -n argocd -o yaml | grep argocd.argoproj.io/se
 # Check ArgoCD application controller logs
 kubectl logs -n argocd deployment/argocd-application-controller | grep -i "permission denied"
-# Verify deploy key is added to GitHub
+# Verify deploy key is added to Gitea
 # Visit: https://git.forteapps.net/Forte/launchpad/settings/keys
 ```
 **Issue: "Host key verification failed"**
 ```bash
-# Add GitHub to known_hosts
+# Add Gitea to known_hosts
 kubectl exec -n argocd deployment/argocd-repo-server -- \
-  ssh-keyscan github.com >> ~/.ssh/known_hosts
+  ssh-keyscan git.forteapps.net >> ~/.ssh/known_hosts
 # Or disable strict host key checking (less secure)
 kubectl patch secret repo-launchpad -n argocd \
@@ -346,16 +347,16 @@ kubectl rollout restart deployment argocd-application-controller -n argocd
 #### Multiple Repository Setup
-For the three-repository pattern (launchpad, forte-helm, helm-values):
+For the three-repository pattern (launchpad, forte-helm, helm-prod-values):
 ```bash
 # 1. launchpad (main config repo)
 ssh-keygen -t ed25519 -C "argocd-launchpad" -f key-sturdy -N ""
 # Add key-sturdy.pub to: https://git.forteapps.net/Forte/launchpad/settings/keys
-# 2. helm-values (private values repo)
+# 2. helm-prod-values (private values repo)
-ssh-keygen -t ed25519 -C "argocd-helm-values" -f key-helm-values -N ""
+ssh-keygen -t ed25519 -C "argocd-helm-prod-values" -f key-helm-prod-values -N ""
-# Add key-helm-values.pub to: https://github.com/fortedigital/helm-values/settings/keys
+# Add key-helm-prod-values.pub to: https://git.forteapps.net/Forte/helm-prod-values/settings/keys
 # 3. forte-helm (private helm charts repo)
@@ -366,14 +367,14 @@ kubectl create secret generic repo-launchpad \
  kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
  kubectl apply -f -
-kubectl create secret generic repo-helm-values \
+kubectl create secret generic repo-helm-prod-values \
-  --from-file=sshPrivateKey=key-helm-values \
+  --from-file=sshPrivateKey=key-helm-prod-values \
  --namespace=argocd --dry-run=client -o yaml | \
  kubectl label --local -f - argocd.argoproj.io/secret-type=repository --dry-run=client -o yaml | \
  kubectl apply -f -
 # Clean up keys
-shred -u key-sturdy key-helm-values
+shred -u key-sturdy key-helm-prod-values
 ```
 #### Converting HTTPS to SSH
@@ -390,7 +391,7 @@ If you're currently using HTTPS and want to switch to SSH:
 #   repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
 # 3. Update and commit
-find . -name "*.yaml" -type f -exec sed -i 's|https://github.com/fortedigital/|git@github.com:fortedigital/|g' {} +
+find . -name "*.yaml" -type f -exec sed -i 's|https://git.forteapps.net/Forte/|git@git.forteapps.net:Forte/|g' {} +
 git add .
 git commit -m "Switch from HTTPS to SSH for repository access"
@@ -494,7 +495,7 @@ spec:
 See [Developer Guide](DEVELOPER-GUIDE.md#deploying-your-first-application) for detailed steps.
 **Quick checklist:**
- [ ] Create `helm-values/myapp/values.yaml`
+- [ ] Create `helm-prod-values/myapp/values.yaml`
 - [ ] Create `apps/myapp.yaml` in config repo
 - [ ] Create SealedSecret if needed
 - [ ] Commit and push changes
@@ -559,7 +560,7 @@ kubectl scale deployment myapp -n myapp --replicas=3
 #### GitOps Scaling
-Update `helm-values/myapp/values.yaml`:
+Update `helm-prod-values/myapp/values.yaml`:
 ```yaml
 app:
@@ -573,7 +574,7 @@ Commit and push - ArgoCD will sync.
 Enable Horizontal Pod Autoscaler:
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 app:
  hpa:
    enabled: true
@@ -622,7 +623,7 @@ kubectl rollout undo deployment myapp -n myapp
 #### Option 3: Change Image Tag
 ```bash
-# Edit helm-values
+# Edit helm-prod-values
 cd ~/dev/k8s/helm-prod-values
 vim myapp/values.yaml
@@ -642,7 +643,7 @@ git push
 #### Update Resource Limits
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 app:
  resources:
    requests:
@@ -656,7 +657,7 @@ app:
 #### Enable Database
 ```yaml
-# In helm-values/myapp/values.yaml
+# In helm-prod-values/myapp/values.yaml
 db:
  enabled: true
  persistence:
@@ -1266,7 +1267,7 @@ spec:
 **What Needs Backup**:
 - ❌ Cluster state (not backed up - recreate via GitOps)
 - ❌ Persistent volumes (currently not critical)
- ✅ Git repositories (GitHub provides backup)
+- ✅ Git repositories (Gitea provides backup)
 - ⚠️ Secrets (sealed secrets in Git, unseal keys need safekeeping)
 ### Cluster Rebuild
@@ -1352,13 +1353,13 @@ kubectl get deployment argocd-server -n argocd \
  -o jsonpath='{.spec.template.spec.containers[0].image}'
 # Update version in values
-vim infra/values/argocd-values.yaml
+vim infra/values/base/argocd-values.yaml
 # Or upgrade via Helm directly
 helm upgrade argocd argo-cd \
  --repo https://argoproj.github.io/argo-helm \
  --namespace argocd \
-  --values infra/values/argocd-values.yaml \
+  --values infra/values/base/argocd-values.yaml \
  --version 6.0.0  # New version
 # Verify
@@ -1454,8 +1455,8 @@ kubectl top pods --all-namespaces --sort-by=cpu
 Example: Adding Redis
 ```bash
-# 1. Create application manifest
+# 1. Create application manifest in base/
-cat > infra/redis-application.yaml <<EOF
+cat > infra/base/redis-application.yaml <<EOF
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -1465,15 +1466,17 @@ metadata:
    argocd.argoproj.io/sync-wave: "1"
 spec:
  project: default
-  source:
+  sources:
-    repoURL: https://charts.bitnami.com/bitnami
+  - repoURL: https://charts.bitnami.com/bitnami
    chart: redis
    targetRevision: 18.0.0
    helm:
-      values: |
+      releaseName: redis
-        auth:
+      valueFiles:
-          enabled: true
+      - \$values/infra/values/base/redis-values.yaml
-          password: changeme
+  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: redis
@@ -1485,30 +1488,37 @@ spec:
    - CreateNamespace=true
 EOF
-# 2. Commit and push
+# 2. Add to base kustomization
-git add infra/redis-application.yaml
+# Edit infra/base/kustomization.yaml and add: - redis-application.yaml
 # 3. Create base values file
 cat > infra/values/base/redis-values.yaml <<EOF
 auth:
  enabled: true
 EOF
 # 4. Commit and push
 git add infra/base/redis-application.yaml infra/values/base/redis-values.yaml infra/base/kustomization.yaml
 git commit -m "Add Redis infrastructure component"
 git push
-# 3. ArgoCD will auto-sync within 60 seconds
+# 5. ArgoCD will auto-sync within 60 seconds
 ```
-### Multi-Cluster Setup (Future)
+### Multi-Cluster Setup
-For multi-cluster deployments:
+The repository supports multiple clusters via Kustomize overlays:
-```yaml
+- **upc-dev** (default): `infra/overlays/upc-dev/` — uses base Applications as-is
-# Different destinations per environment
+- **upc-prod**: `infra/overlays/upc-prod/` — patches value file paths from `upc-dev` to `upc-prod`
 # dev-cluster
 destination:
  server: https://dev.k8s.example.com
  namespace: myapp
-# prod-cluster
+Each cluster has its own:
-destination:
+- Root app-of-apps file: `_app-of-apps-upc-dev.yaml` / `_app-of-apps-upc-prod.yaml`
-  server: https://prod.k8s.example.com
+- Cluster-specific Helm values: `infra/values/upc-dev/` / `infra/values/upc-prod/`
-  namespace: myapp
+- Sealed secrets: `secrets/upc-dev/` (others as needed)
-```
+- Apps overlay: `apps/overlays/upc-dev/` / `apps/overlays/upc-prod/`
 To add a new cluster, create a new overlay directory (e.g., `infra/overlays/upc-staging/`) with patches that swap the value file paths.
 ### Blue-Green Deployments
@@ -1552,7 +1562,7 @@ git push
 kubectl scale deployment myapp -n myapp --replicas=0
 # Update Git
-vim helm-values/myapp/values.yaml
+vim helm-prod-values/myapp/values.yaml
 # Set replicaCount: 0
 git commit -am "Scale down myapp for maintenance"
 git push
@@ -1625,7 +1635,7 @@ echo "Remember to delete: $SECRET_FILE"
 - [ ] Application code repository created
 - [ ] Dockerfile created and tested
- [ ] GitHub Actions workflow configured
+- [ ] Gitea Actions workflow configured
 - [ ] Helm values created in `helm-prod-values/`
 - [ ] ArgoCD application manifest created in `apps/`
 - [ ] Secrets created and sealed
--- a/docs/README.md
+++ b/docs/README.md
@@ -180,7 +180,7 @@ Reference for:
                            │
                            ▼
 ┌──────────────────────────────────────────────────────────────┐
-│               Kubernetes Cluster (UpCloud)                    │
+│          Kubernetes Clusters (UpCloud: upc-dev, upc-prod)     │
 │  ┌──────────────────────────────────────────────────────┐    │
 │  │  Infrastructure: Traefik, Cert-Manager, Kyverno     │    │
 │  ├──────────────────────────────────────────────────────┤    │
@@ -194,7 +194,7 @@ Reference for:
 ### Key Technologies
 - **GitOps**: ArgoCD
- **Kubernetes**: UpCloud Managed Kubernetes
+- **Kubernetes**: UpCloud Managed Kubernetes (multi-cluster: upc-dev, upc-prod)
 - **Ingress**: Traefik v2
 - **Certificates**: Cert-Manager + Let's Encrypt
 - **Policies**: Kyverno
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -21,7 +21,7 @@
 |-----------|-------|
 | **Provider** | UpCloud Managed Kubernetes |
 | **Environment** | Production (internal use) |
-| **Cluster Count** | Single cluster |
+| **Cluster Count** | Multi-cluster (upc-dev, upc-prod) |
 | **GitOps Tool** | ArgoCD |
 | **Ingress Controller** | Traefik v2 |
 | **Certificate Management** | Cert-Manager + Let's Encrypt |
@@ -71,7 +71,8 @@ Internet
 ```
 launchpad/
 ├── bootstrap.sh                   # Cluster initialization script
-├── _app-of-apps.yaml              # Root ArgoCD Application
+├── _app-of-apps-upc-dev.yaml     # Root ArgoCD Application (upc-dev)
 ├── _app-of-apps-upc-prod.yaml    # Root ArgoCD Application (upc-prod)
 │
 ├── infra/                         # Infrastructure applications
 │   ├── cluster-resources-application.yaml
@@ -123,6 +124,7 @@ launchpad/
 │       ├── replicaset-cleaner.yaml
 │       ├── default-ns-blocker.yaml
 │       ├── secret-cloner.yaml
 │       ├── keycloak-client-cloner.yaml
 │       └── auth-sidecar-injector.yaml
 │
 ├── secrets/                       # Application secrets (sealed)
@@ -155,15 +157,15 @@ ArgoCd() {
  helm upgrade --install argocd argo-cd \
    --repo https://argoproj.github.io/argo-helm \
    --namespace argocd --create-namespace \
-    --values infra/values/argocd-values.yaml \
+    --values infra/values/base/argocd-values.yaml \
    --set notifications.context.clusterName="$CLUSTER_NAME" \
    --timeout 60s --atomic
-  kubectl apply -f _app-of-apps.yaml -n argocd
+  kubectl apply -f _app-of-apps-upc-dev.yaml -n argocd   # or _app-of-apps-upc-prod.yaml
 }
 ```
-**`_app-of-apps.yaml`**
+**`_app-of-apps-upc-dev.yaml`** / **`_app-of-apps-upc-prod.yaml`**
 ```yaml
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -188,7 +190,7 @@ spec:
 ### Helm Charts Repository: `forte-helm`
-**URL**: `https://github.com/fortedigital/forte-helm`
+**URL**: `https://git.forteapps.net/Forte/forte-helm`
 #### Chart: `forteapp`
@@ -335,20 +337,18 @@ configmap: []                    # Application ConfigMap key-value pairs
 ---
-### Helm Values Repository: `helm-values`
+### Helm Values Repository: `helm-prod-values`
-**URL**: `https://github.com/fortedigital/helm-values.git`
+**URL**: `https://git.forteapps.net/Forte/helm-prod-values.git`
 #### Structure
 ```
-helm-values/
+helm-prod-values/
 ├── mcp10x/
 │   └── values.yaml
 ├── musicman/
 │   └── values.yaml
 ├── mcpcoder/
 │   └── values.yaml
 └── argocd-mcp/
    └── values.yaml
 ```
@@ -524,14 +524,14 @@ spec:
  # Multi-source configuration
  sources:
-  - repoURL: https://github.com/fortedigital/forte-helm
+  - repoURL: https://git.forteapps.net/Forte/forte-helm
    path: forteapp
    targetRevision: HEAD
    helm:
      valueFiles:
      - $values/<app-name>/values.yaml
-  - repoURL: git@github.com:fortedigital/helm-values.git
+  - repoURL: git@github.com:fortedigital/helm-prod-values.git
    targetRevision: HEAD
    ref: values
@@ -602,6 +602,15 @@ retry:
 4. 40 seconds
 5. 80 seconds (capped at 3 minutes)
 ### Global Settings (`argocd-cm`)
 | Setting | Value | Purpose |
 |---------|-------|---------|
 | `application.resourceTrackingMethod` | `annotation` | Track resources via annotations |
 | `timeout.reconciliation` | `60s` | Reconciliation interval |
 | `admin.enabled` | `true` | Enable admin account |
 | `git.submodule.enabled` | `false` | Disable git submodule checkout — submodules are not needed for manifest generation |
 ---
 ## Infrastructure Components
@@ -614,7 +623,7 @@ retry:
 **Configuration**:
 ```yaml
-# infra/traefik-application.yaml
+# infra/base/traefik-application.yaml
 replicas: 2
 service:
@@ -789,7 +798,7 @@ persistence:
 **Configuration**:
 ```yaml
-# infra/gitea.yaml + infra/values/gitea-values.yaml
+# infra/base/gitea.yaml + infra/values/base/gitea-values.yaml
 ingress:
  host: git.forteapps.net
  tls: cert-manager (letsencrypt-prod)
@@ -813,14 +822,23 @@ postgresql:
  persistence: 8Gi (upcloud-block-storage-maxiops)
 ```
-**Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`)
+**Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`). Protocol mapper: `email_verified` hardcoded claim (`true`, boolean) on ID token, Access token, and Userinfo.
 **External User Sync**: Disabled (`cron.sync_external_users.ENABLED: false`). This Gitea cron job is designed for LDAP and deactivates OIDC-only users because it cannot enumerate them — causing "Sign-in prohibited" errors after the sync runs.
 **Email Notifications**: Enabled (`ENABLE_NOTIFY_MAIL: true`). SMTP credentials injected via `gitea-smtp-secret` using `additionalConfigFromEnvs` with `GITEA__mailer__USER` / `GITEA__mailer__PASSWD` environment variables.
 **Auto-Watch**: Disabled (`AUTO_WATCH_ON_CHANGES: false`, `AUTO_WATCH_NEW_REPOS: false`). Prevents contributors from being auto-subscribed to repo notifications on push, reducing email noise from CI bots (e.g., ai-review PR comments). Users who were already watching before this change need to manually unwatch or switch to "Only participating".
 **Endpoints**:
 - Web UI: `https://git.forteapps.net`
 - SSH: port 22 (ClusterIP)
 - Metrics: `/metrics` (Prometheus scrape)
-**Secrets**: `gitea-credentials` (SealedSecret) containing `admin-password`, `postgres-password`, `secret` (OIDC client secret)
+**Secrets**:
 - `gitea-credentials` (SealedSecret) — admin password
 - `gitea-oidc-credentials` (registrar-managed) — OIDC client ID + secret
 - `gitea-smtp-secret` (SealedSecret) — SMTP username + password
 ### Gitea Actions Runners
@@ -832,7 +850,7 @@ postgresql:
 **Configuration**:
 ```yaml
-# infra/gitea-actions.yaml + infra/values/gitea-actions-values.yaml
+# infra/base/gitea-actions.yaml + infra/values/base/gitea-actions-values.yaml
 replicaCount: 3
 runner:
@@ -869,6 +887,224 @@ dind:
 - Gitea admin panel (`/admin/runners`) — runners show as Online
 - Create test workflow in `.gitea/workflows/test.yml` — job executes
 ### AI Code Review (ai-review)
 **Type**: Gitea Actions workflow (`.gitea/workflows/ai-review.yaml`)
 **Trigger**: `pull_request` events (`opened`, `synchronize`)
 **Runner**: `ubuntu-latest` (container: `nikitafilonov/ai-review:latest`)
 **Purpose**: Automated AI-powered code review on pull requests using Claude (Anthropic). Posts inline comments on changed lines and a PR summary comment highlighting infrastructure impact.
 **Architecture**:
 - Uses [xai-review](https://github.com/nicktechnologies/xai-review) Docker image
 - Shared configuration and prompts live in the `shared-prompts` Git submodule (→ `Forte/ai-review-prompts`)
 - Review mode: `ONLY_ADDED_WITH_CONTEXT` — reviews only new/changed lines plus surrounding context (token-efficient)
 - Agent mode: disabled (one-shot review, no multi-turn reasoning)
 - LLM: Claude Sonnet (`claude-sonnet-4-20250514`)
 **Shared Prompts Structure** (submodule: `Forte/ai-review-prompts`):
 ```
 shared-prompts/
  base/
    security.md          # org-wide security rules (all profiles)
  iac/
    .ai-review.yaml      # IaC/GitOps profile config
    inline.md            # inline review prompt
    summary.md           # PR summary prompt
  # future profiles: backend/, frontend/, etc.
 ```
 **Configuration** (`shared-prompts/iac/.ai-review.yaml`):
 ```yaml
 llm:
  provider: CLAUDE
  model: claude-sonnet-4-20250514
 vcs:
  provider: GITEA
 review:
  mode: ONLY_ADDED_WITH_CONTEXT
 agent:
  enabled: false
 prompt:
  inline_prompt_files:            # concatenated in order
    - ./shared-prompts/base/security.md
    - ./shared-prompts/iac/inline.md
  summary_prompt_files:
    - ./shared-prompts/iac/summary.md
 ignore:
  - "*.sealed.yaml"
  - "*.lock"
  - "docs/**"
 ```
 **Custom Prompts** (IaC profile):
 - `shared-prompts/base/security.md` — org-wide security rules, concatenated before every inline review prompt
 - `shared-prompts/iac/inline.md` — IaC-specific inline review (YAML, Helm, K8s manifests, shell scripts), max 7 comments
 - `shared-prompts/iac/summary.md` — PR summary: affected services/namespaces, infrastructure impact, security flags
 **Prompt composition**: ai-review does not support Jinja includes. Instead, list multiple files under `inline_prompt_files` / `summary_prompt_files` — they are concatenated in order with double newlines.
 **Adding a new profile**: Create a new directory (e.g., `backend/`) with its own `.ai-review.yaml`, `inline.md`, and `summary.md`. The `inline_prompt_files` list should include `base/security.md` first, then the profile-specific prompt. Reference it in the consuming repo's workflow: `AI_REVIEW_CONFIG_FILE_YAML=./shared-prompts/backend/.ai-review.yaml`
 **Required Secrets** (configure in Gitea repo or org settings):
 | Secret | Purpose |
 |--------|---------|
 | `ANTHROPIC_API_KEY` | Claude API key (from Anthropic console) |
 | `AI_REVIEW_TOKEN` | Gitea API token with `write:repository` + `read:repository` scopes (use a bot/service account) |
 **Setup Steps**:
 1. Create a Gitea bot/service account and generate an API token with `write:repository` + `read:repository` scopes
 2. Add `AI_REVIEW_TOKEN` secret in Gitea repo settings → Actions → Secrets
 3. Add `ANTHROPIC_API_KEY` secret with your Anthropic API key
 4. Ensure the `shared-prompts` submodule is initialized (`git submodule update --init`)
 5. Push the workflow file — it triggers automatically on PR creation/update
 **Verification**:
 - Open a PR with infrastructure changes → workflow runs → inline comments + summary appear
 - Check Gitea Actions tab for workflow run status and logs
 - Monitor Anthropic usage dashboard for token consumption
 ### Keycloak Client Registrar
 **Type**: CronJob (deployed via Keycloak Helm chart `extraDeploy`)
 **Namespace**: `keycloak`
 **Schedule**: `*/2 * * * *` (every 2 minutes)
 **Purpose**: Handles two responsibilities:
 1. **Legacy sync** — extracts secrets from Keycloak clients with `k8s.secret.sync: "true"` attribute (same as former PostSync syncer)
 2. **Self-service registration** — processes config Secrets (cloned by Kyverno) to register new OIDC clients and sync their credentials
 **How It Works**:
 *Legacy path (existing clients like Gitea):*
 1. Authenticates to Keycloak Admin API using admin credentials from `keycloak-credentials` secret
 2. Queries all clients in the `forte` realm
 3. Filters clients with `k8s.secret.sync: "true"` attribute
 4. For each matching client, retrieves the auto-generated secret via Keycloak Admin API
 5. Creates/updates a K8s Secret in the target namespace (from `k8s.secret.namespace` attribute)
 6. Always writes a central copy to the `secrets` namespace
 *Self-service path (new clients):*
 1. Lists Secrets in `keycloak` namespace with label `keycloak.forteapps.net/client-config=true`
 2. For each config Secret, parses `client.json` and computes a config hash
 3. Skips if hash matches annotation and credential Secret already exists
 4. Creates or updates the Keycloak client via Admin API
 5. Fetches the generated client secret
 6. Upserts credential Secret in target namespace + central `secrets` namespace
 7. Annotates config Secret with sync status, config hash, and timestamp
 **Resources**:
 - `ServiceAccount`: `keycloak-client-registrar` (namespace: `keycloak`)
 - `ClusterRole`: `keycloak-client-registrar` (secrets: get/list/create/update/patch; namespaces: get/list)
 - `ClusterRoleBinding`: `keycloak-client-registrar`
 - `CronJob`: `keycloak-client-registrar`
 **Kyverno Policy**: `keycloak-client-config-cloner` — clones labeled Secrets from app namespaces to `keycloak` namespace (see [Kyverno Policies](#kyverno-policies))
 **Legacy Client Attributes** (set in `forte-realm.json`):
 | Attribute | Required | Default | Description |
 |-----------|----------|---------|-------------|
 | `k8s.secret.sync` | Yes | — | Set to `"true"` to enable syncing |
 | `k8s.secret.namespace` | Yes | — | Target K8s namespace |
 | `k8s.secret.name` | Yes | — | Name of the K8s Secret |
 | `k8s.secret.client-id-key` | No | `client-id` | Field name for client ID in the Secret |
 | `k8s.secret.client-secret-key` | No | `client-secret` | Field name for client secret in the Secret |
 **Self-Service Config Secret Schema**:
 ```yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: keycloak-client-<app>
  namespace: <app-namespace>
  labels:
    keycloak.forteapps.net/client-config: "true"
 stringData:
  client.json: |
    {
      "clientId": "<app>",
      "name": "<App Name>",
      "redirectUris": ["https://<app>.forteapps.net/*"],
      "webOrigins": ["https://<app>.forteapps.net"],
      "defaultClientScopes": ["openid", "email", "profile"],
      "protocolMappers": [],
      "secret": {
        "namespace": "<app-namespace>",
        "name": "<app>-oidc-credentials",
        "keys": { "clientId": "client-id", "clientSecret": "client-secret" }
      }
    }
 ```
 **Created Credential Secret Format**:
 ```yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: <target-name>
  namespace: <target-namespace>
  labels:
    app.kubernetes.io/managed-by: keycloak-client-registrar
 type: Opaque
 data:
  <client-id-key>: <base64-encoded client ID>
  <client-secret-key>: <base64-encoded client secret>
 ```
 **Config Secret Annotations** (set by registrar):
 | Annotation | Description |
 |-----------|-------------|
 | `keycloak.forteapps.net/config-hash` | SHA-256 hash of client.json for change detection |
 | `keycloak.forteapps.net/sync-status` | `synced` or `error` |
 | `keycloak.forteapps.net/last-sync` | ISO 8601 timestamp of last successful sync |
 **Verification**:
 ```bash
 # Check CronJob status
 kubectl get cronjobs -n keycloak
 # View latest registrar logs
 kubectl logs -n keycloak job/$(kubectl get jobs -n keycloak --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1].metadata.name}')
 # Verify created secret
 kubectl get secret <name> -n <namespace> -o yaml
 # Check config Secret annotations (self-service)
 kubectl get secret keycloak-client-<app> -n keycloak -o jsonpath='{.metadata.annotations}'
 ```
 **See**: [Developer Guide - Adding a New Keycloak Client](DEVELOPER-GUIDE.md#adding-a-new-keycloak-client)
 ### Karpor
 **Chart**: `karpor` from `https://kusionstack.github.io/charts`
 **Version**: 0.7.6 (app v0.6.4)
 **Namespace**: `karpor`
 **Sync Wave**: 1
 **Purpose**: Kubernetes visualization and intelligence tool. Provides cross-cluster resource search, compliance checking, and topology visualization. Gives platform engineers a unified view of all cluster resources and their relationships.
 **Architecture** (4 components):
 - **Server** — main Karpor API/UI (port 7443)
 - **Syncer** — syncs cluster state into the search index
 - **ElasticSearch** — search backend for resource indexing
 - **etcd** — persistent key-value store (10Gi PVC)
 **Configuration** (`infra/values/base/karpor-values.yaml`):
 - `namespaceEnabled: false` — ArgoCD manages namespace creation
 - Default resource limits tuned for small clusters
 - ElasticSearch: 2 CPU / 4Gi memory (the heaviest component)
 - AI features available but not enabled (requires `server.ai.authToken` + backend config)
 **Access**: Port-forward to reach the UI:
 ```bash
 kubectl port-forward svc/karpor-release-server -n karpor 7443:7443
 # Open https://localhost:7443
 ```
 ### Renovate
 **Chart**: `renovate` (OCI: `ghcr.io/renovatebot/charts`)
@@ -880,9 +1116,9 @@ dind:
 **Configuration**:
 ```yaml
-# infra/renovate.yaml + infra/values/renovate-values.yaml
+# infra/base/renovate.yaml + infra/values/base/renovate-values.yaml
 cronjob:
-  schedule: "@hourly"
+  schedule: "@daily"
  concurrencyPolicy: Forbid
 renovate:
@@ -891,12 +1127,24 @@ renovate:
    endpoint: https://git.forteapps.net
    autodiscover: true
    gitAuthor: "Renovate Bot <renovate@forteapps.net>"
    packageRules:
      - matchRepositories: ["**/10x"]
        assignees: ["edvard.unsvag"]
        reviewers: ["edvard.unsvag"]
      - matchRepositories: ["**/auth-sidecar"]
        assignees: ["danijel.simeunovic"]
        reviewers: ["danijel.simeunovic"]
      - matchRepositories: ["**/forte-helm"]
        assignees: ["danijel.simeunovic"]
        reviewers: ["danijel.simeunovic"]
 resources:
-  requests: { cpu: 250m, memory: 512Mi }
+  requests: { cpu: 500m, memory: 1Gi }
-  limits: { cpu: "1", memory: 1Gi }
+  limits: { cpu: "2", memory: 4Gi }
 ```
 **Note**: Assignees and reviewers are only applied at PR creation time. Existing PRs must be closed and recreated for new assignment rules to take effect.
 **Secrets**: `renovate-env` (SealedSecret in `secrets` namespace, cloned by Kyverno) containing:
 - `RENOVATE_TOKEN` — Gitea PAT with repo write + issue write permissions
 - `RENOVATE_GITHUB_COM_TOKEN` — GitHub PAT (public_repo read-only) for changelog fetching
@@ -947,6 +1195,19 @@ spec:
 **Label Requirement**: Secrets must have `allowedToBeCloned: "true"`
 ### Keycloak Client Config Cloner
 **File**: `cluster-resources/policies/keycloak-client-cloner.yaml`
 **Purpose**: Clones Secrets labeled `keycloak.forteapps.net/client-config: "true"` from app namespaces to the `keycloak` namespace. This allows apps to declare their OIDC client configuration in their own namespace, which the [Keycloak Client Registrar](#keycloak-client-registrar) then processes.
 **Trigger**: Any Secret with label `keycloak.forteapps.net/client-config: "true"` created outside the `keycloak` namespace.
 **Behavior**:
 - Generates a copy of the Secret in the `keycloak` namespace with the same name
 - Adds source tracking annotations (`keycloak.forteapps.net/source-namespace`, `keycloak.forteapps.net/source-name`)
 - `synchronize: true` — changes to the source Secret are reflected in the clone
 ### Default Namespace Blocker
 **File**: `cluster-resources/policies/default-ns-blocker.yaml`
@@ -1291,7 +1552,23 @@ Forward to Application (localhost:3000)
 Application processes request
 ```
-**See**: [Developer Guide - Enabling Authentication](DEVELOPER-GUIDE.md#enabling-authentication-for-applications) for usage examples.
+#### Forwarded Headers
 After successful authentication, the sidecar injects user identity as HTTP headers before forwarding the request to the application container:
 | Header | Description | Auth Modes |
 |--------|-------------|------------|
 | `X-Auth-User` | Username or display name | Token, OIDC, MCP |
 | `X-Auth-Email` | User email address | OIDC |
 | `X-Auth-Subject` | OIDC `sub` claim (stable user ID) | OIDC, MCP |
 | `X-Auth-Groups` | Comma-separated group memberships | OIDC (if `groups` scope) |
 | `X-Auth-Token` | The validated access token | All modes |
 These headers are trustworthy because the auto-generated `NetworkPolicy` restricts pod ingress to the sidecar port only — external traffic cannot reach the application container directly, so headers cannot be spoofed.
 Applications should read these headers to obtain authenticated user information (e.g. for display, authorisation decisions, or audit logging) instead of implementing their own authentication.
 **See**: [Developer Guide - Accessing Authenticated User Information](DEVELOPER-GUIDE.md#accessing-authenticated-user-information) for code examples.
 ---
@@ -1528,6 +1805,6 @@ team: platform
 ---
-**Last Updated**: 2026-04-14
+**Last Updated**: 2026-04-16
 **Maintained By**: Platform Team
 **Version**: 1.0.0
--- a/infra/base/cert-manager-application.yaml
+++ b/infra/base/cert-manager-application.yaml
--- a/infra/base/cluster-resources-application.yaml
+++ b/infra/base/cluster-resources-application.yaml
--- a/infra/base/enterprise-apps.yaml
+++ b/infra/base/enterprise-apps.yaml
@@ -18,7 +18,7 @@ spec:
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
-    path: apps
+    path: apps/overlays/upc-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: apps
--- a/infra/base/fluent-bit.yaml
+++ b/infra/base/fluent-bit.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: fluent-bit
      valueFiles:
-      - $values/infra/values/fluent-bit-values.yaml
+      - $values/infra/values/base/fluent-bit-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/gitea-actions.yaml
+++ b/infra/base/gitea-actions.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: gitea-actions
      valueFiles:
-      - $values/infra/values/gitea-actions-values.yaml
+      - $values/infra/values/base/gitea-actions-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/gitea.yaml
+++ b/infra/base/gitea.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: gitea
      valueFiles:
-      - $values/infra/values/gitea-values.yaml
+      - $values/infra/values/base/gitea-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/grafana-dashboards.yaml
+++ b/infra/base/grafana-dashboards.yaml
--- a/infra/base/grafana.yaml
+++ b/infra/base/grafana.yaml
@@ -21,7 +21,8 @@ spec:
    helm:
      releaseName: grafana
      valueFiles:
-      - $values/infra/values/grafana-values.yaml
+      - $values/infra/values/base/grafana-values.yaml
      - $values/infra/values/upc-dev/grafana-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/karpor.yaml
+++ b/infra/base/karpor.yaml
@@ -0,0 +1,42 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: karpor
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  labels:
    app.kubernetes.io/name: karpor
    app.kubernetes.io/part-of: developer-portal
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: https://kusionstack.github.io/charts
    chart: karpor
    targetRevision: "0.7.6"
    helm:
      releaseName: karpor
      valueFiles:
      - $values/infra/values/base/karpor-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: karpor
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
--- a/infra/base/keycloak.yaml
+++ b/infra/base/keycloak.yaml
@@ -21,7 +21,8 @@ spec:
    helm:
      releaseName: keycloak
      valueFiles:
-      - $values/infra/values/keycloak-values.yaml
+      - $values/infra/values/base/keycloak-values.yaml
      - $values/infra/values/upc-dev/keycloak-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
@@ -40,3 +41,9 @@ spec:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
  ignoreDifferences:
  - group: batch
    kind: CronJob
    jsonPointers:
    - /spec/jobTemplate/spec/template/spec/containers/0/args
--- a/infra/base/kustomization.yaml
+++ b/infra/base/kustomization.yaml
@@ -0,0 +1,25 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - traefik-application.yaml
 - keycloak.yaml
 - grafana.yaml
 - cert-manager-application.yaml
 - kyverno.yaml
 - sealedsecrets.yaml
 - prometheus.yaml
 - loki.yaml
 - fluent-bit.yaml
 - trivy.yaml
 - enterprise-apps.yaml
 - cluster-resources-application.yaml
 - kyverno-policies.yaml
 - secrets.yaml
 - gitea.yaml
 - gitea-actions.yaml
 - opencost.yaml
 - renovate.yaml
 - tempo.yaml
 - grafana-dashboards.yaml
 - network-policies-application.yaml
 - karpor.yaml
--- a/infra/base/kyverno-policies.yaml
+++ b/infra/base/kyverno-policies.yaml
--- a/infra/base/kyverno.yaml
+++ b/infra/base/kyverno.yaml
--- a/infra/base/loki.yaml
+++ b/infra/base/loki.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: loki
      valueFiles:
-      - $values/infra/values/loki-values.yaml
+      - $values/infra/values/base/loki-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/network-policies-application.yaml
+++ b/infra/base/network-policies-application.yaml
--- a/infra/base/opencost.yaml
+++ b/infra/base/opencost.yaml
@@ -21,9 +21,9 @@ spec:
    helm:
      releaseName: opencost
      valueFiles:
-      - $values/infra/values/opencost-values.yaml
+      - $values/infra/values/base/opencost-values.yaml
-  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
+  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
    targetRevision: HEAD
    ref: values
--- a/infra/base/prometheus.yaml
+++ b/infra/base/prometheus.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: prometheus
      valueFiles:
-      - $values/infra/values/prometheus-values.yaml
+      - $values/infra/values/base/prometheus-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/renovate.yaml
+++ b/infra/base/renovate.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: renovate
      valueFiles:
-      - $values/infra/values/renovate-values.yaml
+      - $values/infra/values/base/renovate-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/sealedsecrets.yaml
+++ b/infra/base/sealedsecrets.yaml
--- a/infra/base/secrets.yaml
+++ b/infra/base/secrets.yaml
@@ -18,7 +18,7 @@ spec:
  project: default
  source:
    repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
-    path: secrets
+    path: secrets/upc-dev
  destination:
    server: https://kubernetes.default.svc
    namespace: secrets
--- a/infra/base/tempo.yaml
+++ b/infra/base/tempo.yaml
@@ -21,7 +21,7 @@ spec:
    helm:
      releaseName: tempo
      valueFiles:
-      - $values/infra/values/tempo-values.yaml
+      - $values/infra/values/base/tempo-values.yaml
  - repoURL: ssh://git@git.forteapps.net:2222/Forte/launchpad.git
    targetRevision: HEAD
--- a/infra/base/traefik-application.yaml
+++ b/infra/base/traefik-application.yaml
@@ -0,0 +1,51 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: traefik-system
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: traefik
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  labels:
    app.kubernetes.io/name: traefik
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  sources:
  - repoURL: https://traefik.github.io/charts
    chart: traefik
    targetRevision: "28.0.0"
    helm:
      releaseName: traefik
      valueFiles:
      - $values/infra/values/base/traefik-values.yaml
      - $values/infra/values/upc-dev/traefik-values.yaml
  - repoURL: git@github.com:fortedigital/sturdy-adventure.git
    targetRevision: HEAD
    ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: traefik-system
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
--- a/infra/base/trivy.yaml
+++ b/infra/base/trivy.yaml
--- a/infra/overlays/upc-dev/kustomization.yaml
+++ b/infra/overlays/upc-dev/kustomization.yaml
@@ -0,0 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 # No patches needed — base already has "upc-dev" paths
 # upc-dev is the default/base cluster
--- a/infra/overlays/upc-prod/kustomization.yaml
+++ b/infra/overlays/upc-prod/kustomization.yaml
@@ -0,0 +1,50 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ../../base
 patches:
 # Traefik: swap upc-dev → upc-prod in valueFiles
 - target:
    kind: Application
    name: traefik
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/traefik-values.yaml
 # Keycloak: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: keycloak
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/keycloak-values.yaml
 # Grafana: swap upc-dev → upc-prod
 - target:
    kind: Application
    name: grafana
  patch: |
    - op: replace
      path: /spec/sources/0/helm/valueFiles/1
      value: $values/infra/values/upc-prod/grafana-values.yaml
 # Secrets: change path to upc-prod
 - target:
    kind: Application
    name: secrets
  patch: |
    - op: replace
      path: /spec/source/path
      value: secrets/upc-prod
 # Enterprise-apps: point to upc-prod overlay
 - target:
    kind: Application
    name: enterprise-apps
  patch: |
    - op: replace
      path: /spec/source/path
      value: apps/overlays/upc-prod
--- a/infra/traefik-application.yaml
+++ b/infra/traefik-application.yaml
@@ -1,159 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: traefik-system
  annotations:
    argocd.argoproj.io/sync-wave: "-1"
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: traefik
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
  labels:
    app.kubernetes.io/name: traefik
    app.kubernetes.io/part-of: platform
    app.kubernetes.io/managed-by: argocd
  finalizers:
  - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://traefik.github.io/charts
    chart: traefik
    targetRevision: "28.0.0"
    helm:
      values: |
        metrics:
          addInternals: true
        tracing:
          otlp:
            enabled: true
        logs:
          general:
            level: DEBUG
          access:
            format: json
            enabled: true
        additionalArguments:
          - "--tracing.otlp.http.endpoint=http://tempo.monitoring.svc.cluster.local:4318/v1/traces"
        providers:
          kubernetesIngress:
            publishedService: # Fixes ArgoCD health checks for LoadBalancer services
              enabled: true
        deployment:
          replicas: 2
        ingressRoute:
          dashboard:
            enabled: true
            # Optional: specify entrypoint
            entrypoint: traefik
        api:
          dashboard: true
          debug: false
        service:
          type: LoadBalancer
          annotations:
            traefik.ingress.kubernetes.io/router.entrypoints: websecure
            traefik.ingress.kubernetes.io/router.priority: "42"
            traefik.ingress.kubernetes.io/router.tls: "true"
            service.beta.kubernetes.io/upcloud-load-balancer-config: |
              {
                  "frontends": [
                      {
                          "name": "web",
                          "mode": "tcp"
                      },
                      {
                          "name": "websecure",
                          "mode": "tcp"
                      },
                      {
                          "name": "giteassh",
                          "mode": "tcp"
                      }
                  ],
                  "backends": [
                      {
                          "name": "web",
                          "properties": {
                              "outbound_proxy_protocol": "v2"
                          }
                      },
                      {
                          "name": "websecure",
                          "properties": {
                              "outbound_proxy_protocol": "v2"
                          }
                      },
                      {
                          "name": "giteassh"
                      }
                  ]
              }
        ingressClass:
          enabled: true
          isDefaultClass: true
        # Configure entry points
        ports:
          metrics:
            expose: 
              default: true
            observability:
              accessLogs: true
              metrics: true
              tracing: true
              traceVerbosity: detailed
          web:
            proxyProtocol:
              trustedIPs: "172.16.1.0/24"
            forwardedHeaders:
              trustedIPs: "172.16.1.0/24"
            http:
              redirections:
                entrypoint:
                  to: websecure
                  scheme: https
          websecure:
            proxyProtocol:
              trustedIPs: "172.16.1.0/24"
            forwardedHeaders:
              trustedIPs: "172.16.1.0/24"
            observability:
              accessLogs: true
              metrics: true
              tracing: true
          giteassh:
            port: 2222
            expose:
              default: true
            exposedPort: 2222
            protocol: TCP
  destination:
    server: https://kubernetes.default.svc
    namespace: traefik-system
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
      allowEmpty: false
    syncOptions:
    - CreateNamespace=true
    - Validate=true
    - ServerSideApply=true
--- a/infra/values/base/argocd-values.yaml
+++ b/infra/values/base/argocd-values.yaml
@@ -1,15 +1,22 @@
 global:
  domain: argocd.127.0.0.1.nip.io
 configs:
  secret:
    createSecret: true
    argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
  ssh:
    knownHosts: |
      [git.forteapps.net]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTwi40de8yTGUuRT0i/XGicQ672BLhYR6D/lDquJrp/tdrWoZhVVPy0wxSkWsq1V92iiAUuQnXagOGsLBGZT9uDLWKvEmNDnCfjzTMq3J1iA3vk2rQ8WBlCzhvmeCV/r0ufl6vsgfwxSRomLZeqa2UkLHx69gy2Njb1S2/aZK1Q53f466hCUfDULZrTn2Nn5Sj8cEbJ8EyvVN2YG9HYBxQdzKRPZEmS1vyzmn8YrYIkZseIRQElabzWGh86owuaaqnwJhTJj1j2sEUeIet04sGKJcnxx2UL4H90N66LKMldmMiuli+ve/CjJmMwDl0zGkjIniT3XR8CyEXYHli7B1hR8Z+dbK6DBgjz+28lFgMIRY70KkZJNsJcBNZLZ5fHwCI13a9U3Uhg3Pu/6s0zlosM4CrAQNQCRe95ZPtCpdFhlGrOl4m1rdSK2meL6rND0TBBuZbaFF6Py7TawLCAiO2KRaVqhu9OFVjwJ/nifgLzFGwWj+WcYmpuR+DwozrF/Hl7QYsz1x4GO1SONY07KbIFkUCHOMAh0AELY5YE4eGI4mtG6SecdPaAdLREGZYK4IcyP5i1QW9g0wmfRSsV9jy+r0ivBxixxh4yJiNpkg6NXak40gQtGIme9EJ+DxrRLruNsfDILWcdSuH/wvuorv56NpQFGB0FzB6LXMloSYptQ==
  cm:
    application.resourceTrackingMethod: annotation
    timeout.reconciliation: 60s
    admin.enabled: "true"
  params:
    "server.insecure": true
 repoServer:
  env:
  # Disable git submodule checkout - submodules (e.g. shared-prompts)
  # are not needed for K8s manifest generation
  - name: ARGOCD_GIT_MODULES_ENABLED
    value: "false"
 server:
  ingress:
    enabled: false
@@ -22,10 +29,6 @@ notifications:
  secret:
    create: false
  # Shared context variables available in all templates
  context:
    clusterName: "dev-fd-no-svg1"
  # Define notification templates
  templates:
    template.app-syncing: |
--- a/infra/values/base/dot-ai-stack-values.yaml
+++ b/infra/values/base/dot-ai-stack-values.yaml
@@ -0,0 +1,11 @@
 dot-ai:
  ingress:
    enabled: true
    className: traefik
 dot-ai-ui:
  uiAuth:
    secretRef:
      name: dot-ai-secrets
  ingress:
    enabled: true
    className: traefik
--- a/infra/values/base/fluent-bit-values.yaml
+++ b/infra/values/base/fluent-bit-values.yaml
--- a/infra/values/base/gitea-actions-values.yaml
+++ b/infra/values/base/gitea-actions-values.yaml
--- a/infra/values/base/gitea-values.yaml
+++ b/infra/values/base/gitea-values.yaml
@@ -29,6 +29,10 @@ gitea:
      ALLOW_ONLY_EXTERNAL_REGISTRATION: true
      ENABLE_BASIC_AUTHENTICATION: true
      ENABLE_PASSWORD_SIGNIN_FORM: false
      AUTO_WATCH_ON_CHANGES: false
      AUTO_WATCH_NEW_REPOS: false
      ENABLE_NOTIFY_MAIL: false
      ENABLE_TIMETRACKING: false
    openid:
      ENABLE_OPENID_SIGNIN: false
@@ -65,11 +69,33 @@ gitea:
      ISSUE_INDEXER_TYPE: bleve
      REPO_INDEXER_ENABLED: true
    mailer:
      ENABLED: true
      PROTOCOL: smtp+starttls
      SMTP_ADDR: smtp.office365.com
      SMTP_PORT: 587
      FROM: "noreply@fortedigital.com"
    admin:
      DEFAULT_EMAIL_NOTIFICATIONS: enabled
  # -- SMTP credentials injected from secret (USER and PASSWD)
  additionalConfigFromEnvs:
  - name: GITEA__mailer__USER
    valueFrom:
      secretKeyRef:
        name: gitea-smtp-secret
        key: username
  - name: GITEA__mailer__PASSWD
    valueFrom:
      secretKeyRef:
        name: gitea-smtp-secret
        key: password
  # -- OIDC authentication via Forte
  oauth:
  - name: "Forte"
    provider: "openidConnect"
-    existingSecret: gitea-credentials
+    existingSecret: gitea-oidc-credentials
    key: gitea
    autoDiscoverUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration"
    scopes: "openid email profile organization"
--- a/infra/values/base/grafana-values.yaml
+++ b/infra/values/base/grafana-values.yaml
@@ -1,7 +1,5 @@
 ingress:
  enabled: true
  hosts:
  - grafana.127.0.0.1.nip.io
 resources:
  requests:
    cpu: 50m
--- a/infra/values/base/karpor-values.yaml
+++ b/infra/values/base/karpor-values.yaml
@@ -0,0 +1,44 @@
 # Karpor - Kubernetes Visualization & Intelligence Tool
 # Helm chart: https://github.com/KusionStack/charts/tree/master/charts/karpor
 # Let the ArgoCD Application manage the namespace
 namespaceEnabled: false
 server:
  replicas: 1
  port: 7443
  resources:
    requests:
      cpu: 250m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 1Gi
 syncer:
  replicas: 1
  port: 7443
  resources:
    requests:
      cpu: 250m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 1Gi
 elasticsearch:
  replicas: 1
  port: 9200
  resources:
    requests:
      cpu: 500m
      memory: 2Gi
    limits:
      cpu: "2"
      memory: 4Gi
 etcd:
  replicas: 1
  port: 2379
  persistence:
    size: 5Gi
--- a/infra/values/base/keycloak-values.yaml
+++ b/infra/values/base/keycloak-values.yaml
@@ -0,0 +1,456 @@
 # Bitnami Keycloak Helm Chart Values
 # Chart version: 25.2.0
 image:
  repository: bitnamilegacy/keycloak
 production: true
 proxyHeaders: xforwarded
 auth:
  adminUser: admin
  existingSecret: keycloak-credentials
  passwordSecretKey: admin-password
 ingress:
  enabled: true
  tls: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
 metrics:
  enabled: true
  prometheusRule:
    namespace: monitoring
    enabled: true
 resources:
  requests:
    cpu: 250m
    memory: 512Mi
  limits:
    cpu: 500m
    memory: 1Gi
 postgresql:
  enabled: true
  image:
    repository: bitnamilegacy/postgresql
  auth:
    existingSecret: keycloak-credentials
    secretKeys:
      adminPasswordKey: postgres-password
      userPasswordKey: password
    username: bn_keycloak
    database: bitnami_keycloak
  primary:
    persistence:
      size: 8Gi
 keycloakConfigCli:
  enabled: true
  image:
    repository: bitnamilegacy/keycloak-config-cli
  configuration:
    forte-realm.json: |
      {
        "realm": "forte",
        "enabled": true,
        "displayName": "Forte",
        "sslRequired": "external",
        "registrationAllowed": false,
        "loginWithEmailAllowed": true,
        "resetPasswordAllowed": true,
        "rememberMe": true,
        "clients": [
          {
            "clientId": "gitea",
            "name": "Gitea",
            "enabled": true,
            "protocol": "openid-connect",
            "clientAuthenticatorType": "client-secret",
            "standardFlowEnabled": true,
            "directAccessGrantsEnabled": false,
            "publicClient": false,
            "redirectUris": ["https://git.forteapps.net/*"],
            "webOrigins": ["https://git.forteapps.net"],
            "defaultClientScopes": ["openid", "email", "profile"],
            "attributes": {
              "k8s.secret.sync": "true",
              "k8s.secret.namespace": "gitea",
              "k8s.secret.name": "gitea-oidc-credentials",
              "k8s.secret.client-id-key": "key",
              "k8s.secret.client-secret-key": "secret"
            },
            "protocolMappers": [
              {
                "name": "email_verified",
                "protocol": "openid-connect",
                "protocolMapper": "oidc-hardcoded-claim-mapper",
                "config": {
                  "claim.name": "email_verified",
                  "claim.value": "true",
                  "jsonType.label": "boolean",
                  "id.token.claim": "true",
                  "access.token.claim": "true",
                  "userinfo.token.claim": "true"
                }
              }
            ]
          }
        ]
      }
 extraDeploy:
 # -- ServiceAccount for the client registrar CronJob
 - apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: keycloak-client-registrar
    namespace: keycloak
 # -- ClusterRole granting access to secrets and namespaces
 - apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: keycloak-client-registrar
  rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]
 # -- ClusterRoleBinding for the registrar ServiceAccount
 - apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: keycloak-client-registrar
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: keycloak-client-registrar
  subjects:
  - kind: ServiceAccount
    name: keycloak-client-registrar
    namespace: keycloak
 # -- CronJob: registers Keycloak clients and syncs secrets
 - apiVersion: batch/v1
  kind: CronJob
  metadata:
    name: keycloak-client-registrar
    namespace: keycloak
  spec:
    schedule: "*/2 * * * *"
    concurrencyPolicy: Forbid
    successfulJobsHistoryLimit: 1
    failedJobsHistoryLimit: 3
    jobTemplate:
      spec:
        backoffLimit: 3
        template:
          spec:
            serviceAccountName: keycloak-client-registrar
            restartPolicy: Never
            containers:
            - name: registrar
              image: alpine:3.20
              command: ["/bin/sh", "-c"]
              args:
              - |
                set -e
                apk add --no-cache curl jq > /dev/null 2>&1
                KEYCLOAK_URL="http://keycloak:80"
                REALM="forte"
                K8S_API="https://kubernetes.default.svc"
                SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
                CA_CERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
                CENTRAL_NS="secrets"
                # --- Authenticate to Keycloak Admin API ---
                ADMIN_USER="admin"
                ADMIN_PASS=$(cat /secrets/admin-password)
                echo "Authenticating to Keycloak..."
                TOKEN=$(curl -sf -X POST "${KEYCLOAK_URL}/realms/master/protocol/openid-connect/token" \
                  -d "client_id=admin-cli" \
                  -d "username=${ADMIN_USER}" \
                  -d "password=${ADMIN_PASS}" \
                  -d "grant_type=password" | jq -r '.access_token')
                if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
                  echo "ERROR: Failed to authenticate to Keycloak"
                  exit 1
                fi
                # --- Helper functions ---
                # Upsert a K8s Secret: try PUT (update), fall back to POST (create)
                upsert_secret() {
                  local ns="$1" name="$2" manifest="$3"
                  local code
                  code=$(curl -sf -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/json" \
                    -X PUT -d "$manifest" \
                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}")
                  if [ "$code" = "200" ]; then
                    echo "  Updated secret '${ns}/${name}'"
                  elif [ "$code" = "404" ]; then
                    code=$(curl -sf -o /dev/null -w "%{http_code}" \
                      --cacert "$CA_CERT" \
                      -H "Authorization: Bearer ${SA_TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X POST -d "$manifest" \
                      "${K8S_API}/api/v1/namespaces/${ns}/secrets")
                    if [ "$code" = "201" ]; then
                      echo "  Created secret '${ns}/${name}'"
                    else
                      echo "  ERROR: Failed to create secret '${ns}/${name}' (HTTP ${code})"
                      return 1
                    fi
                  else
                    echo "  ERROR: Failed to update secret '${ns}/${name}' (HTTP ${code})"
                    return 1
                  fi
                }
                # Build a credential Secret JSON manifest
                build_credential_secret() {
                  local ns="$1" name="$2" id_key="$3" secret_key="$4" b64_id="$5" b64_secret="$6"
                  cat <<MANIFEST
                {
                  "apiVersion": "v1",
                  "kind": "Secret",
                  "metadata": {
                    "name": "${name}",
                    "namespace": "${ns}",
                    "labels": {
                      "app.kubernetes.io/managed-by": "keycloak-client-registrar"
                    }
                  },
                  "type": "Opaque",
                  "data": {
                    "${id_key}": "${b64_id}",
                    "${secret_key}": "${b64_secret}"
                  }
                }
                MANIFEST
                }
                # Sync credentials to target + central namespace
                sync_credentials() {
                  local client_id="$1" client_uuid="$2" target_ns="$3" target_name="$4" id_key="$5" secret_key="$6"
                  # Get the client secret from Keycloak
                  local secret_value
                  secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \
                    | jq -r '.value')
                  if [ -z "$secret_value" ] || [ "$secret_value" = "null" ]; then
                    echo "  WARNING: No secret found for client '${client_id}', skipping"
                    return 0
                  fi
                  local b64_id b64_secret
                  b64_id=$(printf '%s' "$client_id" | base64 | tr -d '\n')
                  b64_secret=$(printf '%s' "$secret_value" | base64 | tr -d '\n')
                  # Write to target namespace (if it exists)
                  local ns_status
                  ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    "${K8S_API}/api/v1/namespaces/${target_ns}")
                  if [ "$ns_status" = "200" ]; then
                    local manifest
                    manifest=$(build_credential_secret "$target_ns" "$target_name" "$id_key" "$secret_key" "$b64_id" "$b64_secret")
                    upsert_secret "$target_ns" "$target_name" "$manifest" || return 1
                  else
                    echo "  WARNING: Namespace '${target_ns}' does not exist, skipping target"
                  fi
                  # Always write a central copy to the secrets namespace
                  local central_manifest
                  central_manifest=$(build_credential_secret "$CENTRAL_NS" "$target_name" "$id_key" "$secret_key" "$b64_id" "$b64_secret")
                  upsert_secret "$CENTRAL_NS" "$target_name" "$central_manifest" || return 1
                }
                # Annotate a K8s Secret with sync status
                annotate_secret() {
                  local ns="$1" name="$2" key="$3" value="$4"
                  local patch
                  patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value")
                  curl -sf -o /dev/null \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    -H "Content-Type: application/strategic-merge-patch+json" \
                    -X PATCH -d "$patch" \
                    "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}"
                }
                # =============================================
                # LEGACY PATH — sync existing realm clients
                # =============================================
                echo "=== Legacy sync: clients with k8s.secret.sync=true ==="
                CLIENTS=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                  "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
                SYNC_CLIENTS=$(echo "$CLIENTS" | jq -c '[.[] | select(.attributes["k8s.secret.sync"] == "true")]')
                COUNT=$(echo "$SYNC_CLIENTS" | jq 'length')
                echo "Found ${COUNT} legacy client(s) with sync enabled"
                echo "$SYNC_CLIENTS" | jq -c '.[]' | while read -r CLIENT; do
                  CLIENT_ID=$(echo "$CLIENT" | jq -r '.clientId')
                  CLIENT_UUID=$(echo "$CLIENT" | jq -r '.id')
                  TARGET_NS=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.namespace"]')
                  TARGET_NAME=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.name"]')
                  ID_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-id-key"] // "client-id"')
                  SECRET_KEY=$(echo "$CLIENT" | jq -r '.attributes["k8s.secret.client-secret-key"] // "client-secret"')
                  echo "Processing legacy client '${CLIENT_ID}' -> '${TARGET_NS}/${TARGET_NAME}' (keys: ${ID_KEY}, ${SECRET_KEY})"
                  sync_credentials "$CLIENT_ID" "$CLIENT_UUID" "$TARGET_NS" "$TARGET_NAME" "$ID_KEY" "$SECRET_KEY"
                done
                # =============================================
                # NEW PATH — self-service config Secrets
                # =============================================
                echo ""
                echo "=== Self-service: config Secrets with label keycloak.forteapps.net/client-config=true ==="
                CONFIG_SECRETS=$(curl -sf \
                  --cacert "$CA_CERT" \
                  -H "Authorization: Bearer ${SA_TOKEN}" \
                  "${K8S_API}/api/v1/namespaces/keycloak/secrets?labelSelector=keycloak.forteapps.net/client-config=true")
                CONFIG_COUNT=$(echo "$CONFIG_SECRETS" | jq '.items | length')
                echo "Found ${CONFIG_COUNT} config Secret(s) to process"
                echo "$CONFIG_SECRETS" | jq -c '.items[]' | while read -r CONFIG_SECRET; do
                  CONFIG_NAME=$(echo "$CONFIG_SECRET" | jq -r '.metadata.name')
                  SOURCE_NS=$(echo "$CONFIG_SECRET" | jq -r '.metadata.annotations["keycloak.forteapps.net/source-namespace"] // .metadata.labels["keycloak.forteapps.net/source-namespace"] // "unknown"')
                  # Decode client.json from the Secret data
                  CLIENT_JSON_B64=$(echo "$CONFIG_SECRET" | jq -r '.data["client.json"] // empty')
                  if [ -z "$CLIENT_JSON_B64" ]; then
                    echo "WARNING: Config Secret '${CONFIG_NAME}' missing client.json field, skipping"
                    continue
                  fi
                  CLIENT_JSON=$(printf '%s' "$CLIENT_JSON_B64" | base64 -d)
                  CLIENT_ID=$(echo "$CLIENT_JSON" | jq -r '.clientId')
                  echo "Processing self-service client '${CLIENT_ID}' from config '${CONFIG_NAME}'"
                  # Compute config hash for change detection
                  CONFIG_HASH=$(printf '%s' "$CLIENT_JSON" | sha256sum | cut -d' ' -f1)
                  EXISTING_HASH=$(echo "$CONFIG_SECRET" | jq -r '.metadata.annotations["keycloak.forteapps.net/config-hash"] // ""')
                  # Extract secret delivery config from client.json
                  CRED_NS=$(echo "$CLIENT_JSON" | jq -r '.secret.namespace // "'"${SOURCE_NS}"'"')
                  CRED_NAME=$(echo "$CLIENT_JSON" | jq -r '.secret.name // "'"${CLIENT_ID}"'-oidc-credentials"')
                  CRED_ID_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientId // "client-id"')
                  CRED_SECRET_KEY=$(echo "$CLIENT_JSON" | jq -r '.secret.keys.clientSecret // "client-secret"')
                  # Check if credential Secret already exists in target namespace
                  CRED_EXISTS=$(curl -sf -o /dev/null -w "%{http_code}" \
                    --cacert "$CA_CERT" \
                    -H "Authorization: Bearer ${SA_TOKEN}" \
                    "${K8S_API}/api/v1/namespaces/${CRED_NS}/secrets/${CRED_NAME}")
                  # Skip if hash matches and credential Secret exists
                  if [ "$CONFIG_HASH" = "$EXISTING_HASH" ] && [ "$CRED_EXISTS" = "200" ]; then
                    echo "  No changes detected, skipping"
                    continue
                  fi
                  # Build Keycloak client representation (strip our secret delivery config)
                  KC_CLIENT=$(echo "$CLIENT_JSON" | jq '{
                    clientId: .clientId,
                    name: .name,
                    enabled: true,
                    protocol: "openid-connect",
                    clientAuthenticatorType: "client-secret",
                    standardFlowEnabled: true,
                    directAccessGrantsEnabled: false,
                    publicClient: false,
                    redirectUris: .redirectUris,
                    webOrigins: .webOrigins,
                    defaultClientScopes: .defaultClientScopes,
                    protocolMappers: (.protocolMappers // [])
                  }')
                  # Check if client already exists
                  EXISTING=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                    "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
                    | jq -r '.[0].id // empty')
                  if [ -n "$EXISTING" ]; then
                    echo "  Updating existing Keycloak client (uuid: ${EXISTING})"
                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X PUT -d "$KC_CLIENT" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${EXISTING}")
                    if [ "$HTTP_CODE" != "204" ] && [ "$HTTP_CODE" != "200" ]; then
                      echo "  ERROR: Failed to update client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                      continue
                    fi
                    CLIENT_UUID="$EXISTING"
                  else
                    echo "  Creating new Keycloak client '${CLIENT_ID}'"
                    HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
                      -H "Authorization: Bearer ${TOKEN}" \
                      -H "Content-Type: application/json" \
                      -X POST -d "$KC_CLIENT" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients")
                    if [ "$HTTP_CODE" != "201" ]; then
                      echo "  ERROR: Failed to create client '${CLIENT_ID}' (HTTP ${HTTP_CODE})"
                      annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "error"
                      continue
                    fi
                    # Fetch the newly created client's UUID
                    CLIENT_UUID=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \
                      "${KEYCLOAK_URL}/admin/realms/${REALM}/clients?clientId=${CLIENT_ID}" \
                      | jq -r '.[0].id')
                  fi
                  # Sync credentials to target namespace
                  sync_credentials "$CLIENT_ID" "$CLIENT_UUID" "$CRED_NS" "$CRED_NAME" "$CRED_ID_KEY" "$CRED_SECRET_KEY"
                  # Annotate config Secret with hash and sync status
                  annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/config-hash" "$CONFIG_HASH"
                  annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/sync-status" "synced"
                  TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
                  annotate_secret "keycloak" "$CONFIG_NAME" "keycloak.forteapps.net/last-sync" "$TIMESTAMP"
                  echo "  Synced successfully"
                done
                echo ""
                echo "Client registrar run complete"
              volumeMounts:
              - name: keycloak-credentials
                mountPath: /secrets
                readOnly: true
              resources:
                requests:
                  cpu: 50m
                  memory: 64Mi
                limits:
                  cpu: 200m
                  memory: 128Mi
            volumes:
            - name: keycloak-credentials
              secret:
                secretName: keycloak-credentials
                items:
                - key: admin-password
                  path: admin-password
--- a/infra/values/base/loki-values.yaml
+++ b/infra/values/base/loki-values.yaml
--- a/infra/values/base/opencost-values.yaml
+++ b/infra/values/base/opencost-values.yaml
--- a/infra/values/base/prometheus-values.yaml
+++ b/infra/values/base/prometheus-values.yaml
--- a/infra/values/base/renovate-values.yaml
+++ b/infra/values/base/renovate-values.yaml
@@ -0,0 +1,45 @@
 cronjob:
  schedule: "@daily"
  concurrencyPolicy: Forbid
 renovate:
  config: |
    {
      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
      "platform": "gitea",
      "endpoint": "https://git.forteapps.net",
      "autodiscover": true,
      "gitAuthor": "Renovate Bot <renovate@forteapps.net>",
      "packageRules": [
        {
          "matchRepositories": ["**/10x"],
          "assignees": ["edvard.unsvag"],
          "reviewers": ["edvard.unsvag"]
        },
        {
          "matchRepositories": ["**/auth-sidecar"],
          "assignees": ["danijel.simeunovic"],
          "reviewers": ["danijel.simeunovic"]
        },
        {
          "matchRepositories": ["**/forte-helm"],
          "assignees": ["danijel.simeunovic"],
          "reviewers": ["danijel.simeunovic"]
        }
      ]
    }
 envFrom:
 - secretRef:
    name: renovate-env
 env:
  LOG_LEVEL: info
 resources:
  requests:
    cpu: 500m
    memory: 1Gi
  limits:
    cpu: "2"
    memory: 4Gi
--- a/infra/values/base/tempo-values.yaml
+++ b/infra/values/base/tempo-values.yaml
--- a/infra/values/base/traefik-values.yaml
+++ b/infra/values/base/traefik-values.yaml
@@ -0,0 +1,75 @@
 providers:
  kubernetesIngress:
    publishedService: # Fixes ArgoCD health checks for LoadBalancer services
      enabled: true
  kubernetesCRD:
    allowCrossNamespace: true
 deployment:
  replicas: 2
 ingressRoute:
  dashboard:
    enabled: true
    # Optional: specify entrypoint
    entrypoint: traefik
 api:
  dashboard: true
  debug: false
 service:
  type: LoadBalancer
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.priority: "42"
    traefik.ingress.kubernetes.io/router.tls: "true"
 ingressClass:
  enabled: true
  isDefaultClass: true
 # Configure entry points
 ports:
  metrics:
    expose:
      default: true
    observability:
      accessLogs: true
      metrics: true
      tracing: true
      traceVerbosity: detailed
  web:
    http:
      redirections:
        entrypoint:
          to: websecure
          scheme: https
  websecure:
    observability:
      accessLogs: true
      metrics: true
      tracing: true
  gitea-ssh:
    port: 2222
    expose:
      default: true
    exposedPort: 2222
    protocol: TCP
 # -- IngressRouteTCP for Gitea SSH (cross-namespace to gitea/gitea-ssh service)
 extraObjects:
 - apiVersion: traefik.io/v1alpha1
  kind: IngressRouteTCP
  metadata:
    name: gitea-ssh
  spec:
    entryPoints:
    - gitea-ssh
    routes:
    - match: HostSNI(`*`)
      services:
      - name: gitea-ssh
        namespace: gitea
        port: 22
--- a/infra/values/keycloak-values.yaml
+++ b/infra/values/keycloak-values.yaml
@@ -1,84 +0,0 @@
 # Bitnami Keycloak Helm Chart Values
 # Host: id.forteapps.net
 # Chart version: 25.2.0
 image:
  repository: bitnamilegacy/keycloak
 production: true
 proxyHeaders: xforwarded
 auth:
  adminUser: admin
  existingSecret: keycloak-credentials
  passwordSecretKey: admin-password
 ingress:
  enabled: true
  hostname: id.forteapps.net
  tls: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
 metrics:
  enabled: true
  prometheusRule:
    namespace: monitoring
    enabled: true
 resources:
  requests:
    cpu: 250m
    memory: 512Mi
  limits:
    cpu: 500m
    memory: 1Gi
 postgresql:
  enabled: true
  image:
    repository: bitnamilegacy/postgresql
  auth:
    existingSecret: keycloak-credentials
    secretKeys:
      adminPasswordKey: postgres-password
      userPasswordKey: password
    username: bn_keycloak
    database: bitnami_keycloak
  primary:
    persistence:
      size: 8Gi
 keycloakConfigCli:
  enabled: true
  image:
    repository: bitnamilegacy/keycloak-config-cli
  configuration:
    forte-realm.json: |
      {
        "realm": "forte",
        "enabled": true,
        "displayName": "Forte",
        "sslRequired": "external",
        "registrationAllowed": false,
        "loginWithEmailAllowed": true,
        "resetPasswordAllowed": true,
        "rememberMe": true,
        "clients": [
          {
            "clientId": "gitea",
            "name": "Gitea",
            "enabled": true,
            "protocol": "openid-connect",
            "clientAuthenticatorType": "client-secret",
            "secret": "382ed413580cb79d0f54813e5da87007b28fe766a8903d378b9e1c266405a784",
            "standardFlowEnabled": true,
            "directAccessGrantsEnabled": false,
            "publicClient": false,
            "redirectUris": ["https://git.forteapps.net/*"],
            "webOrigins": ["https://git.forteapps.net"],
            "defaultClientScopes": ["openid", "email", "profile"]
          }
        ]
      }
--- a/infra/values/renovate-values.yaml
+++ b/infra/values/renovate-values.yaml
@@ -1,28 +0,0 @@
 cronjob:
  schedule: "@hourly"
  concurrencyPolicy: Forbid
 renovate:
  config: |
    {
      "$schema": "https://docs.renovatebot.com/renovate-schema.json",
      "platform": "gitea",
      "endpoint": "https://git.forteapps.net",
      "autodiscover": true,
      "gitAuthor": "Renovate Bot <renovate@forteapps.net>"
    }
 envFrom:
 - secretRef:
    name: renovate-env
 env:
  LOG_LEVEL: debug
 resources:
  requests:
    cpu: 250m
    memory: 512Mi
  limits:
    cpu: "1"
    memory: 1Gi
--- a/infra/values/upc-dev/argocd-values.yaml
+++ b/infra/values/upc-dev/argocd-values.yaml
@@ -0,0 +1,5 @@
 global:
  domain: argocd.127.0.0.1.nip.io
 notifications:
  context:
    clusterName: "dev-fd-eu-no-svg1"
--- a/infra/values/upc-dev/dot-ai-stack-values.yaml
+++ b/infra/values/upc-dev/dot-ai-stack-values.yaml
@@ -0,0 +1,8 @@
 dot-ai:
  ingress:
    host: kubemcp.forteapps.net
  webUI:
    baseUrl: http://kubemcpui.forteapps.net
 dot-ai-ui:
  ingress:
    host: kubemcpui.forteapps.net
--- a/infra/values/upc-dev/grafana-values.yaml
+++ b/infra/values/upc-dev/grafana-values.yaml
@@ -0,0 +1,3 @@
 ingress:
  hosts:
  - grafana.forteapps.net
--- a/infra/values/upc-dev/keycloak-values.yaml
+++ b/infra/values/upc-dev/keycloak-values.yaml
@@ -0,0 +1,2 @@
 ingress:
  hostname: id.forteapps.net
--- a/infra/values/upc-dev/traefik-values.yaml
+++ b/infra/values/upc-dev/traefik-values.yaml
@@ -0,0 +1,47 @@
 service:
  annotations:
    service.beta.kubernetes.io/upcloud-load-balancer-config: |
      {
          "frontends": [
              {
                  "name": "web",
                  "mode": "tcp"
              },
              {
                  "name": "websecure",
                  "mode": "tcp"
              },
              {
                  "name": "gitea-ssh",
                  "mode": "tcp"
              }
          ],
          "backends": [
              {
                  "name": "web",
                  "properties": {
                      "outbound_proxy_protocol": "v2"
                  }
              },
              {
                  "name": "websecure",
                  "properties": {
                      "outbound_proxy_protocol": "v2"
                  }
              },
              {
                  "name": "gitea-ssh"
              }
          ]
      }
 ports:
  web:
    proxyProtocol:
      trustedIPs: "172.16.1.0/24"
    forwardedHeaders:
      trustedIPs: "172.16.1.0/24"
  websecure:
    proxyProtocol:
      trustedIPs: "172.16.1.0/24"
    forwardedHeaders:
      trustedIPs: "172.16.1.0/24"
--- a/infra/values/upc-prod/argocd-values.yaml
+++ b/infra/values/upc-prod/argocd-values.yaml
@@ -0,0 +1,5 @@
 global:
  domain: argocd.fortedigital.com
 notifications:
  context:
    clusterName: "prod-fd-no-svg1"
--- a/infra/values/upc-prod/dot-ai-stack-values.yaml
+++ b/infra/values/upc-prod/dot-ai-stack-values.yaml
@@ -0,0 +1,8 @@
 dot-ai:
  ingress:
    host: kubemcp.fortedigital.com
  webUI:
    baseUrl: http://kubemcpui.fortedigital.com
 dot-ai-ui:
  ingress:
    host: kubemcpui.fortedigital.com
--- a/infra/values/upc-prod/grafana-values.yaml
+++ b/infra/values/upc-prod/grafana-values.yaml
@@ -0,0 +1,3 @@
 ingress:
  hosts:
  - grafana.fortedigital.com
--- a/infra/values/upc-prod/keycloak-values.yaml
+++ b/infra/values/upc-prod/keycloak-values.yaml
@@ -0,0 +1,2 @@
 ingress:
  hostname: id.fortedigital.com
--- a/infra/values/upc-prod/traefik-values.yaml
+++ b/infra/values/upc-prod/traefik-values.yaml
@@ -0,0 +1,13 @@
 service:
  annotations: {}
 ports:
  web:
    proxyProtocol:
      trustedIPs: "10.0.0.0/16"
    forwardedHeaders:
      trustedIPs: "10.0.0.0/16"
  websecure:
    proxyProtocol:
      trustedIPs: "10.0.0.0/16"
    forwardedHeaders:
      trustedIPs: "10.0.0.0/16"
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -1,43 +0,0 @@
 site_name: K8s Launchpad
 site_description: Documentation for the GitOps-managed Kubernetes cluster
 repo_url: https://git.forteapps.net/Forte/launchpad
 repo_name: Forte/launchpad
 theme:
  name: material
  palette:
  - scheme: default
    primary: indigo
    toggle:
      icon: material/brightness-7
      name: Switch to dark mode
  - scheme: slate
    primary: indigo
    toggle:
      icon: material/brightness-4
      name: Switch to light mode
  features:
  - navigation.instant
  - navigation.sections
  - navigation.top
  - search.highlight
  - content.code.copy
 nav:
 - Home: README.md
 - GitOps Architecture: GITOPS-ARCHITECTURE.md
 - Developer Guide: DEVELOPER-GUIDE.md
 - Operations Runbook: OPERATIONS-RUNBOOK.md
 - Technical Reference: REFERENCE.md
 markdown_extensions:
 - tables
 - toc:
    permalink: true
 - pymdownx.highlight:
    anchor_linenums: true
 - pymdownx.superfences
 - pymdownx.tabbed:
    alternate_style: true
 - admonition
 - pymdownx.details
--- a/secrets/gitea-smtp-secret-sealed.yaml
+++ b/secrets/gitea-smtp-secret-sealed.yaml
@@ -0,0 +1,19 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: gitea-smtp-secret
  namespace: gitea
 spec:
  encryptedData:
    password: AgBMuISQeA41mtBIOo686sND2EO12Jv7BIogL5G7xxt7wKfIk88dQrU74vs+fv3OtPce2Ra63QkR6po31M9fZkoiYba5yqJtEOc6em3y0ZxM/UzavbRvHwrvsWEYqmHBnkCUjcJijdGbSX+rHyGsXLfZO0gOjqXO379Zl1fzmV4p3F5REXFQm6HorVtWX/LOSRj9GDW76l6KgPR/A+CbtAx8Cq0m3D3fyiaVLEReP3uOgBOo70APHj9Yp56EcgOtVa1pEgCxR4ctXeS4t/EliWcHc/JT4TBdRBRDYPKLfME6FvJxjLjaSZcWxtJrJzCv3+vA5LlfObuHY31aSDRqYwO4VBCPhf3Aa6Z5UXgUnmAtJRhHa9pKSSjW48jgNb1jDPIkQn5XgB2/twJ+gX3inAkrTQ82JJ75Rz7XWC8KmYkOtkgXgU2buCa4nIfPeXOr5qvutyywxV1Ge1nK0fQYneQZVFXlHTbAQXBJMpVvJoJ+G3xGjm1904/iBGkVKmNrQwaABUsGBC6ZIHGOTa45GBqrg3ODU2Gr61SCYxv6m3pMU1msR7QYne0oqLCVD8mLDaeSeiQI4ZY9u4ddsVwM6l2BFrT6+3IQuYPBgOoodzDVlCgmA7hoekhpak9vZ0loSHaWDXdNt75SemAjsQfwCO5sSEkr+wbCJEQpXh5p38RMZKTuOh3nYEGQEx/MQNl3VD4FarK/zOJM9EO9IkqdM4LnqVo3zPX4KAPosS1PPKS8
    username: AgBF6MiaI1x2xQOUoF4NUh4MeFF64Db3vywcEO0FdJ0U9EirVFMsBSSiqJLy8ok43ha72s+/RLBNHiSSRKX1UMWwwCsfs+LQJNh9EetgHRxoyqkHiqRMX5V2acU2scdPE/FCFQFOYzAjweup+kP8xNu1WKuDtPBRiAgBNDfW59ihFi9TgOJQ2AnDHottjm5CNaWsbTOSgZrXqzCEChfHu5K0W9cty9ENHYqnYDfcm/zPLYeUPW0gVN5GJq3lPo9vZjM7T2JnwryjOkBaPCRCzHOpRF3bMrArFrjbUlH6gdI0APf4CzGLMMKol/jTMG2tLBseaNQHfbz6p1vFYExCL60gSN46fzh10zIWaIC2O+SgoLLOizkQZWf/v86cdRerBSl6PFmbRUO18XUQ4SyR/WPM71HD1jeLnUZjKtkOu+fqQKlv8kBSELHGqiURNYDnbmUA1LQpdNkDnMkRS+uzQ3XwWCSQBAn+u9wh69kg1oPVEN60Nc4KpNwFIg25aycGkP3cMklfl3/u9nr5KruwtJe+hl2ynSk8zeEFWWQrBki7+88CH9aWVW/GTA8Ho7Fz+gp4ZUdUA0WhH2LRAQIN945pvJIkHm/AYAhH6pZiXdBzYeguPY5VEf6hDVM1sa39aSZzs81cj0YHxbjR/BoBxbUAa9xW7JYH2rcIqXDhJB4zq2H++8e0eABsdQC3tMmE1eQA51d0yg8+2fX+CRkcvMCmI3VjS/mdirrtnctv
  template:
    metadata:
      creationTimestamp: null
      labels:
        allowedToBeCloned: "true"
      name: gitea-smtp-secret
      namespace: gitea
    type: Opaque
--- a/secrets/upc-dev/argocd-mcp-credentials.yaml
+++ b/secrets/upc-dev/argocd-mcp-credentials.yaml
--- a/secrets/upc-dev/argocdmcp-auth-oidc-sealed.yaml
+++ b/secrets/upc-dev/argocdmcp-auth-oidc-sealed.yaml
--- a/secrets/upc-dev/dot-ai-secrets.yaml
+++ b/secrets/upc-dev/dot-ai-secrets.yaml
@@ -0,0 +1,18 @@
 # SealedSecret created after namespace (sync-wave: 0)
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: dot-ai-secrets
  namespace: dot-ai
 spec:
  encryptedData:
    anthropic-api-key: AgASIRVNs7kIvZ/XwFJ4j9TJ05TW4YlFNzi2lx+6URlvzjTkMignK+y4/HD3wTK37BkIonnOXf/DGJcMgqgxOrHBVu9tLkSamve5qgf+SOZ8jxaqpLX2e5hdmHrgMp7rVWKiOoxM+bvu8Gdve3eMwXX8Eazj7W7vi430LsvW4BmPrQp+A9SOP+hwMlV5r+P5pUogC3hddt5KoSwpgnpOb8fRGlLDpc548eDNBJrhsAZiiFqc8+CycHX6idxWzlWOTPR05LBs7YrTIP/LUXWdyq6UG8yB5D0c9JNndnGo6kSfJxdaxCNO7GhMAOmo4CitzYn/zhICwuHPLKwUYQBcEHVpFxgub0U9fY7s4i0SAH9aF1kk8yqHWaCicHzi6B3AxMZYr+knS5vVNB+uGZmSKgZ7QNE1bF6E4Gg5bXRwk7OVQhuJSBzxVNDoXoJ6stL8ejU+MP5FtI792FxZbNDImu3kqor/t9wB49ZeB9Ngks2yvtlSrQ3G2lxJaOgNBPmKYhAX95JFI3xUSHOMa18ftn+aXmEQTXOHtM/IT8A95gUvIKz8Hrt03CwgZ8E+3lcsjAVsfNjqn/erqV+xi93OYOL6o9ivmTIem3MzsqjKuQ57HKaghnd+Ygdt/WfotRBSgZtCweOkZBV0XKxI1RmCQXk6dce8x4T7FDEeaSQwkc4yZ77LfQJnyVgU1rds9Hqv0RbymHK8JCQEMMb6PcK+Ow068fdj4NP27HkuYMB5JdPp682KIRwGznN2d3+QPXRd/ZHshnixudY7CLirlZl9xD0HssfSBI+uCrFEAln8D93UYbn7trF5gkKWYQsQ07CVZ5Z1qXieqwJWjHRY+oY=
    auth-token: AgB65rUY3yJuTTLbGyrCtJPZp8UyEOr+kznSMGvUaZ9PoHq+kIEhazRdVKHa/WGvMWuc4x+XYRuIGj+2KiooyilUPrLcE3bz9fUOAFbRw3+iUh3WAgwK+f3eBUG6/0OoFw+GJ583IRidDW1t2BchMxSM1m+3vmQoF24qj7k9j/lWPsnX2IX3DhM0SomD1xmG+LsQMo2e4vQXB0BxhVDIQ621JTrvUPYzYx0NlPqZO/MtR1JWYS7WBTvegvgeBKLxfy9KLnqsuzu7rc2t9BYt7TRqvBg/prrKPdSV6Ei4GOZq+AcG15iOKXhsj8SxejPpM0QDemFTRQkdfz+k8ms4/SM0eylr5fEaa99TMTvjYGCfjJJyRcVm5Ef/XdmXiM3OI1u+9QNPiqXh1zmtp0yQMZ7nRE70kKQ2MHVhEmSUkBjovybIzLk4OL1v0FGDDqa1BN9KmNEBlo8H7DqXzfamVoNPyuuO625B3HgSeR3Udq8hngy9W/wiolmMNSc9C6vBA0HzE7Mkq79fHh/ruTi5zOJLfyEP7KQQqlNKfEtDFQfabaV9ERthQjuUs8ZIrdfCTOyQkrmmGY/sH5yodLRSYSEpHFrhPepwHS7lGzbVucW3Fn34D4OxJXyXQQObZKybLV7g6Oglf2Pdn11CEu/4+19RlykuOlm1dlj852a5NWWmmX319laLGlEd1BpG4cZyc9UZud68dGumwzrUupUMTLlJx8bR5rLgqaMpQMluwvq8MQbBXm4ySOcQ2jQhjw==
    openai-api-key: AgBc4cSrd0riSxKPrp7AqrNYMDAZJTe3aCjTOwEb5pS/KARkgoEGz+0ZhLXa2bcCsPlQzqRzZ1c1cUCnBACkp1xoMfhSOoIJUWJQHRgZx5kEDhNIE/M8PQe8es7jYsW7/ui6iK8uj3Ljk21r8l/ctnP/KiKyML4553el28Ya7XsPQynRvpVexFC4BoJw50nkauLnvl3in0cKmEVAkMWorUP3Etapaj4DWkCQQ22RPN0xGNo9yiIUEAVE+uTRFNKGEHMIvJzgB291FJQtG/WoN/Sy/DeoZkUYndA7CbfFgiz9sq3GqJwyqTM+Ikzw6VCQ3TVWYO/6+yaEzT1NZ/rw00YhDyFoH+yGTkX5lrSUo8lGf3T9OODTdSS1203xtj4dhGbY70sPGMxDfucnO6piVcuRfh9bWg1VX+MTjqpBQE1J0DKJanhoh6lKbPOJhRbi0TIoCz1a3btbbKLDq2YJl7FXA3QNdBsR4qVJ3xmgWlH/eTUskCE2YxDzHmkxgZN2mL22SfeUJYtDRswRG0UGc6pvg2xrR0iEDB0UbH4FQK46fWv8aiOejteLlAAyA9HNA8yi73rTEjq55wpO19/MYj+6oUGEHpFaJje77INTHAKpdbfkp8iKotNXFYLM2hsjyau+x/AFjg87kEdIUVVHHLVMDhOq6NO+foM0nFOIv4lr2Yjl15+ImMSTEfcBr+nWaomnb9G8i5ptqz9bMHbxAcHpzWUBH9SZhzrCWZNDzOm2X2K6mpXhg4WX7VJMoIJk/f+bxTTKnWBawdnpCdbdG5GYQh7usqjPuELFYRTsx+6Tqoddp4KIEyMMxO81XObiN5vEBg74ygunxrjKNg5FoOkUA79YvcGBVVU1FNRl3d8IslXFqhEOT35nxGBB0T7ZORii34tZ2E551NkIo1WbCwilD3Dlgw==
    ui-auth-token: AgDStP4jHhMehx/SAv5x2aQrJwChnWq8WhV/LVTSuuCSSy9kFQGa3Izyl21sMhLKUgrlS030GH50lbku+IY90S+MSBfaCq0Xb8qwohfH+qJulMRgljoU8r58/3ZsaBzbGJjiNMgBCwGlvuK85t3R3662ftwikahWqLfwAahi12L0llUDNyG9UB0Os3oR2CVAt83+YB07YspCWRzwuOz9D1SgOL/g/JF2hoL43pDD65BqYKdEuLFInJZx1Ul68V/FPmJK1gmJb/Kv8pgtk0sGTzxbbTdIQ1Ugf6+8//CWEq6GsMeEZG9VwExL/KYqobnbqd02FRgSSvWybhWLjiALLQvAFtce6FR6bur0rsariyogGjYCuXYdRnhf7QnB6NopwplhFP37Qf6E4q2pJTJ6Fzv0xq+XlfzNkn9Jvebrdkk/5CThW+wPAfx8r1VIySqBsYnPO/ZQDkfQ5ocX6fmzZ1iCg+0NI24k2YwCeMZtEAGpKEtejS0BLvqrilUG6Oz9sHCGHro4Bv5B/jzUjGbye0DSDj1f6c2RcpqMiUxfPvydJIcJGhrTx8sZS3qhEWME7kwjJCZpHEzfdv0weSJbgVGBSh9e1wjZxxeJGXuZKdFzdhpNEWP4uScGW0UnRDwxZzHMsLjS/W30mQmwmgJVTKdPl6VQrvdq7m4AC6+/d7iXlHazieC1KpBme4hWzO+/h7qRw1P5Va/ZWZtnGs8476J8hIojRtOJ/CdWwVLUa0gHo4CYnempIMwCIS3GtA==
  template:
    metadata:
      creationTimestamp: null
      name: dot-ai-secrets
      namespace: dot-ai
--- a/secrets/upc-dev/forte10x-app-credentials-sealed.yaml
+++ b/secrets/upc-dev/forte10x-app-credentials-sealed.yaml
--- a/secrets/upc-dev/keycloak-credentials-sealed.yaml
+++ b/secrets/upc-dev/keycloak-credentials-sealed.yaml
--- a/secrets/upc-dev/musicman-credentials.yaml
+++ b/secrets/upc-dev/musicman-credentials.yaml
--- a/1
+++ b/1
Author	SHA1	Message	Date
Danijel Simeunovic	3f0f70699b	karpor	2026-04-24 09:43:16 +02:00
Danijel Simeunovic	06522b2f19	ts-mcp	2026-04-23 14:44:33 +02:00
Danijel Simeunovic	4c65035485	ns	2026-04-23 14:11:45 +02:00
Danijel Simeunovic	84f4bebc08	ts-mcp	2026-04-23 13:41:51 +02:00
Danijel Simeunovic	5394b2c714	ts-mcp	2026-04-23 13:40:33 +02:00
Danijel Simeunovic	c4e586a7be	ts-mcp	2026-04-23 13:38:47 +02:00
Danijel Simeunovic	1fa070b041	argo	2026-04-23 13:35:42 +02:00
Danijel Simeunovic	9c905355e3	argocd known host	2026-04-23 13:28:34 +02:00
Danijel Simeunovic	6b1115ec28	argocd disable submodule	2026-04-23 13:09:02 +02:00
Danijel Simeunovic	2fb276a62c	ts-mcp	2026-04-23 13:02:00 +02:00
Danijel Simeunovic	3efe1b68ef	auth doc	2026-04-23 10:05:15 +02:00
Danijel Simeunovic	5df104beec	sp	2026-04-22 13:54:51 +02:00
Danijel Simeunovic	0ecfee3cf8	prompts	2026-04-22 13:51:38 +02:00
Danijel Simeunovic	c88938adb5	feature/ai-review (#7 ) Co-authored-by: gitea_admin <admin@forteapps.net> Reviewed-on: #7 Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com> Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>	2026-04-22 09:30:02 +00:00
Danijel Simeunovic	d05a16840e	pr trigger	2026-04-22 09:11:40 +02:00
Danijel Simeunovic	d7c7242aa1	submodule	2026-04-22 09:10:38 +02:00
Danijel Simeunovic	3bf9fa7837	pr label	2026-04-22 08:48:05 +02:00
Danijel Simeunovic	d2596568f2	version tag	2026-04-21 15:17:52 +02:00
Danijel Simeunovic	2a3539350b	AI-review (#6 ) Co-authored-by: gitea_admin <admin@forteapps.net> Reviewed-on: #6 Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com> Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>	2026-04-21 08:20:41 +00:00
Danijel Simeunovic	f97b613c12	remove unneeded yml	2026-04-20 22:46:44 +02:00
Danijel Simeunovic	9c7db11470	remove unneeded yml	2026-04-20 22:45:53 +02:00
Danijel Simeunovic	723072bd1e	cleanup	2026-04-19 13:47:29 +02:00
Danijel Simeunovic	046b78446b	add opencost	2026-04-19 13:41:44 +02:00
Danijel Simeunovic	56a1b49d10	missing manifest	2026-04-19 13:39:26 +02:00
Danijel Simeunovic	d557eb1865	revert	2026-04-19 13:28:40 +02:00
Danijel Simeunovic	a51ed84124	Merge branch 'main' of https://git.forteapps.net/Forte/launchpad	2026-04-19 13:28:03 +02:00
Danijel Simeunovic	73e253a579	traefik	2026-04-19 13:27:59 +02:00
Danijel Simeunovic	d7c1341eab	don't sync users with cron job	2026-04-19 11:43:47 +02:00
Danijel Simeunovic	eed53006c1	docs	2026-04-18 23:12:18 +02:00
Danijel Simeunovic	395ca70c2a	prod values	2026-04-18 23:02:02 +02:00
Danijel Simeunovic	ea04ec20c9	remove docs wf	2026-04-18 20:54:48 +02:00
Danijel Simeunovic	03a0d7c9ae	feature/multicluster Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 5s Details Co-authored-by: Danijel Simeunovic <danijel.simeunovic@trumf.no> Reviewed-on: #4 Reviewed-by: gitea_admin <admin@forteapps.net>	2026-04-18 18:14:00 +00:00
Danijel Simeunovic	72a65f0e06	client cloner (#3 ) Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 7s Details Reviewed-on: #3 Reviewed-by: gitea_admin <admin@forteapps.net> Co-authored-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com> Co-committed-by: Danijel Simeunovic <danijel.simeunovic@fortedigital.com>	2026-04-17 13:42:44 +00:00
Danijel Simeunovic	44fc242ae8	doc Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 7s Details	2026-04-17 11:43:50 +02:00
Danijel Simeunovic	b2f601e950	doc Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 6s Details	2026-04-17 11:42:46 +02:00
Danijel Simeunovic	f8b17cc030	log level info renovate	2026-04-17 10:59:52 +02:00
Danijel Simeunovic	6639d0e3ff	renovate prs Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 5m15s Details	2026-04-17 09:58:52 +02:00
Danijel Simeunovic	4485731ab5	smtp+starttls	2026-04-16 15:57:59 +02:00
Danijel Simeunovic	439b8516f0	smtps auth	2026-04-16 15:46:54 +02:00
Danijel Simeunovic	0eccd2d439	smtp auth	2026-04-16 15:43:10 +02:00
Danijel Simeunovic	3e1029a557	mail notification	2026-04-16 15:39:51 +02:00
Danijel Simeunovic	61c2801e0a	smtp	2026-04-16 15:32:10 +02:00
gitea_admin	8902a0e51e	Merge pull request 'SMTP config Gitea' (#2 ) from feature/smtp into main Reviewed-on: #2	2026-04-16 13:17:28 +00:00
Danijel Simeunovic	4486279eab	smtp config	2026-04-16 15:13:18 +02:00
Danijel Simeunovic	020dfeffd4	client secret fixes Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 6m6s Details	2026-04-16 15:04:27 +02:00
Danijel Simeunovic	7e10954a8f	client secret bootstrapping Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 39m32s Details	2026-04-16 13:55:13 +02:00
Danijel Simeunovic	88c29565b6	smtp	2026-04-16 10:42:35 +02:00
Danijel Simeunovic	87ee0588a7	renovate pr targets	2026-04-15 16:33:58 +02:00
Danijel Simeunovic	db8a1de797	10x repo PRs	2026-04-15 13:46:13 +02:00
Danijel Simeunovic	177150e069	gitea protocol mapper Some checks failed Deploy Gitea Pages / build-and-deploy (push) Failing after 7s Details	2026-04-15 13:27:14 +02:00
Danijel Simeunovic	c63a9242f0	renovate loglevel	2026-04-14 12:44:47 +02:00
Danijel Simeunovic	1d43ecddad	renovate daily and more mem	2026-04-14 12:26:46 +02:00