monitoring: make overview history panels visible

This reverts commit 19d6ffcf2a4268fd414cbe5109aafd043d7bb514.

Jenkinsfile

@@ -11,9 +11,47 @@ spec:
     hardware: rpi5
     kubernetes.io/arch: arm64
     node-role.kubernetes.io/worker: "true"
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+          - matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: NotIn
+                values:
+                  - titan-06
+      preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 100
+          preference:
+            matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: NotIn
+                values:
+                  - titan-13
+                  - titan-15
+                  - titan-17
+                  - titan-19
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/hostname
+      whenUnsatisfiable: ScheduleAnyway
+      labelSelector:
+        matchLabels:
+          jenkins/jenkins-jenkins-agent: "true"
   containers:
+    - name: jnlp
+      image: jenkins/inbound-agent:3355.v388858a_47b_33-2-jdk21
+      resources:
+        requests:
+          cpu: "25m"
+          memory: "256Mi"
     - name: python
-      image: python:3.12-slim
+      image: registry.bstein.dev/bstein/python:3.12-slim
+      command:
+        - cat
+      tty: true
+    - name: quality-tools
+      image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64
       command:
         - cat
       tty: true
@@ -23,6 +61,21 @@ spec:
   environment {
     PIP_DISABLE_PIP_VERSION_CHECK = '1'
     PYTHONUNBUFFERED = '1'
+    SUITE_NAME = 'titan_iac'
+    PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091'
+    SONARQUBE_HOST_URL = 'http://sonarqube.quality.svc.cluster.local:9000'
+    SONARQUBE_PROJECT_KEY = 'titan_iac'
+    SONARQUBE_TOKEN = credentials('sonarqube-token')
+    VM_URL = 'http://victoria-metrics-single-server.monitoring.svc.cluster.local:8428'
+    QUALITY_GATE_SONARQUBE_ENFORCE = '1'
+    QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json'
+    QUALITY_GATE_IRONBANK_ENFORCE = '1'
+    QUALITY_GATE_IRONBANK_REQUIRED = '0'
+    QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json'
+  }
+  options {
+    disableConcurrentBuilds()
+    buildDiscarder(logRotator(daysToKeepStr: '30', numToKeepStr: '200', artifactDaysToKeepStr: '30', artifactNumToKeepStr: '120'))
   }
   stages {
     stage('Checkout') {
@@ -32,12 +85,295 @@ spec:
     }
     stage('Install deps') {
       steps {
-        sh 'pip install --no-cache-dir -r ci/requirements.txt'
+        sh '''
+          set -eu
+          if ! command -v git >/dev/null 2>&1; then
+            apt-get update
+            apt-get install -y --no-install-recommends git ca-certificates
+            rm -rf /var/lib/apt/lists/*
+          fi
+          pip install --no-cache-dir -r ci/requirements.txt
+        '''
       }
     }
-    stage('Glue tests') {
+    stage('Prepare local quality evidence') {
       steps {
-        sh 'pytest -q ci/tests/glue'
+        sh '''
+          set -eu
+          mkdir -p build
+          set +e
+          python3 -m testing.quality_gate --profile local --build-dir build
+          local_quality_rc=$?
+          set -e
+          printf '%s\n' "${local_quality_rc}" > build/local-quality-gate.rc
+        '''
+      }
+    }
+    stage('Collect SonarQube evidence') {
+      steps {
+        container('quality-tools') {
+          sh '''#!/usr/bin/env bash
+            set -euo pipefail
+            mkdir -p build
+            args=(
+              "-Dsonar.host.url=${SONARQUBE_HOST_URL}"
+              "-Dsonar.login=${SONARQUBE_TOKEN}"
+              "-Dsonar.projectKey=${SONARQUBE_PROJECT_KEY}"
+              "-Dsonar.projectName=${SONARQUBE_PROJECT_KEY}"
+              "-Dsonar.sources=."
+              "-Dsonar.exclusions=**/.git/**,**/build/**,**/dist/**,**/node_modules/**,**/.venv/**,**/__pycache__/**,**/coverage/**,**/test-results/**,**/playwright-report/**,services/monitoring/dashboards/**,services/monitoring/grafana-dashboard-*.yaml"
+              "-Dsonar.test.inclusions=**/tests/**,**/testing/**,**/*_test.go,**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx"
+            )
+            [ -f build/coverage-unit.xml ] && args+=("-Dsonar.python.coverage.reportPaths=build/coverage-unit.xml")
+            set +e
+            sonar-scanner "${args[@]}" | tee build/sonar-scanner.log
+            rc=${PIPESTATUS[0]}
+            set -e
+            printf '%s\n' "${rc}" > build/sonarqube-analysis.rc
+          '''
+        }
+        sh '''
+          set -eu
+          mkdir -p build
+          python3 - <<'PY'
+import base64
+import json
+import os
+import time
+import urllib.parse
+import urllib.request
+from pathlib import Path
+
+host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/')
+project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip()
+token = os.getenv('SONARQUBE_TOKEN', '').strip()
+report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json')
+
+payload = {
+    "status": "ERROR",
+    "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY",
+}
+if host and project_key:
+    task_file = Path('.scannerwork/report-task.txt')
+    task_id = ''
+    if task_file.exists():
+        for line in task_file.read_text(encoding='utf-8').splitlines():
+            key, _, value = line.partition('=')
+            if key == 'ceTaskId':
+                task_id = value.strip()
+                break
+    if task_id:
+        ce_query = urllib.parse.urlencode({"id": task_id})
+        deadline = time.monotonic() + 180
+        while time.monotonic() < deadline:
+            ce_request = urllib.request.Request(f"{host}/api/ce/task?{ce_query}", method="GET")
+            if token:
+                encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
+                ce_request.add_header("Authorization", f"Basic {encoded}")
+            try:
+                with urllib.request.urlopen(ce_request, timeout=12) as response:
+                    ce_payload = json.loads(response.read().decode("utf-8"))
+            except Exception:
+                time.sleep(3)
+                continue
+            status = str(ce_payload.get("task", {}).get("status", "")).upper()
+            if status in {"SUCCESS", "FAILED", "CANCELED"}:
+                break
+            time.sleep(3)
+
+    query = urllib.parse.urlencode({"projectKey": project_key})
+    request = urllib.request.Request(
+        f"{host}/api/qualitygates/project_status?{query}",
+        method="GET",
+    )
+    if token:
+        encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
+        request.add_header("Authorization", f"Basic {encoded}")
+    try:
+        with urllib.request.urlopen(request, timeout=12) as response:
+            payload = json.loads(response.read().decode("utf-8"))
+    except Exception as exc:  # noqa: BLE001
+        payload = {"status": "ERROR", "error": str(exc)}
+
+with open(report_path, "w", encoding="utf-8") as handle:
+    json.dump(payload, handle, indent=2, sort_keys=True)
+    handle.write("\\n")
+PY
+        '''
+      }
+    }
+    stage('Collect IronBank evidence') {
+      steps {
+        container('quality-tools') {
+          sh '''#!/usr/bin/env bash
+            set -euo pipefail
+            mkdir -p build
+            set +e
+            trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --skip-files clusters/atlas/flux-system/gotk-components.yaml --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
+            trivy_rc=$?
+            set -e
+            if [ ! -s build/trivy-fs.json ]; then
+              cat > build/ironbank-compliance.json <<EOF
+{"status":"failed","compliant":false,"scanner":"trivy","scan_type":"filesystem","error":"trivy did not produce JSON output","trivy_rc":${trivy_rc}}
+EOF
+              exit 0
+            fi
+          '''
+        }
+        sh '''
+          set -eu
+          mkdir -p build
+          if [ -s build/trivy-fs.json ]; then
+            python3 ci/scripts/supply_chain_report.py --trivy-json build/trivy-fs.json --waivers ci/titan-iac-trivy-waivers.json --output build/ironbank-compliance.json
+            exit 0
+          fi
+          python3 - <<'PY'
+import json
+import os
+from pathlib import Path
+
+report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json'))
+if report_path.exists():
+    raise SystemExit(0)
+
+status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip()
+compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower()
+payload = {
+    "status": status or "unknown",
+    "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None,
+}
+payload = {k: v for k, v in payload.items() if v is not None}
+if "status" not in payload:
+    payload["status"] = "unknown"
+payload["note"] = (
+    "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT "
+    "or write build/ironbank-compliance.json in image-building repos."
+)
+
+report_path.parent.mkdir(parents=True, exist_ok=True)
+report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8")
+PY
+        '''
+      }
+    }
+    stage('Run quality gate') {
+      steps {
+        sh '''
+          set -eu
+          mkdir -p build
+          set +e
+          python3 -m testing.quality_gate --profile jenkins --build-dir build
+          quality_gate_rc=$?
+          set -e
+          printf '%s\n' "${quality_gate_rc}" > build/quality-gate.rc
+        '''
+      }
+    }
+    stage('Publish test metrics') {
+      steps {
+        sh '''
+          set -eu
+          export JUNIT_GLOB='build/junit-*.xml'
+          export QUALITY_GATE_EXIT_CODE_PATH='build/quality-gate.rc'
+          export QUALITY_GATE_SUMMARY_PATH='build/quality-gate-summary.json'
+          python3 ci/scripts/publish_test_metrics.py
+        '''
+      }
+    }
+    stage('Enforce quality gate') {
+      steps {
+        sh '''
+          set -euo pipefail
+          gate_rc="$(cat build/quality-gate.rc 2>/dev/null || echo 1)"
+          fail=0
+          if [ "${gate_rc}" -ne 0 ]; then
+            echo "quality gate failed with rc=${gate_rc}" >&2
+            fail=1
+          fi
+
+          enabled() {
+            case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
+              1|true|yes|on) return 0 ;;
+              *) return 1 ;;
+            esac
+          }
+
+          if enabled "${QUALITY_GATE_SONARQUBE_ENFORCE:-1}"; then
+            sonar_status="$(python3 - <<'PY'
+import json
+from pathlib import Path
+
+path = Path("build/sonarqube-quality-gate.json")
+if not path.exists():
+    print("missing")
+    raise SystemExit(0)
+try:
+    payload = json.loads(path.read_text(encoding="utf-8"))
+except Exception:  # noqa: BLE001
+    print("error")
+    raise SystemExit(0)
+status = (payload.get("status") or payload.get("projectStatus", {}).get("status") or payload.get("qualityGate", {}).get("status") or "").strip().lower()
+print(status or "missing")
+PY
+)"
+            case "${sonar_status}" in
+              ok|pass|passed|success) ;;
+              *)
+                echo "sonarqube gate failed: ${sonar_status}" >&2
+                fail=1
+                ;;
+            esac
+          fi
+
+          ironbank_required="${QUALITY_GATE_IRONBANK_REQUIRED:-0}"
+          if [ "${PUBLISH_IMAGES:-false}" = "true" ]; then
+            ironbank_required=1
+          fi
+          if enabled "${QUALITY_GATE_IRONBANK_ENFORCE:-1}"; then
+            supply_status="$(python3 - <<'PY'
+import json
+from pathlib import Path
+
+path = Path("build/ironbank-compliance.json")
+if not path.exists():
+    print("missing")
+    raise SystemExit(0)
+try:
+    payload = json.loads(path.read_text(encoding="utf-8"))
+except Exception:  # noqa: BLE001
+    print("error")
+    raise SystemExit(0)
+compliant = payload.get("compliant")
+if compliant is True:
+    print("ok")
+elif compliant is False:
+    print("failed")
+else:
+    status = str(payload.get("status") or payload.get("result") or payload.get("compliance") or "").strip().lower()
+    print(status or "missing")
+PY
+)"
+            case "${supply_status}" in
+              ok|pass|passed|success|compliant) ;;
+              not_applicable|na|n/a)
+                if enabled "${ironbank_required}"; then
+                  echo "supply chain gate required but status=${supply_status}" >&2
+                  fail=1
+                fi
+                ;;
+              *)
+                if enabled "${ironbank_required}"; then
+                  echo "supply chain gate failed: ${supply_status}" >&2
+                  fail=1
+                else
+                  echo "supply chain gate not passing (${supply_status}) but not required for this run" >&2
+                fi
+                ;;
+            esac
+          fi
+
+          exit "${fail}"
+        '''
       }
     }
     stage('Resolve Flux branch') {
@@ -45,7 +381,7 @@ spec:
         script {
           env.FLUX_BRANCH = sh(
             returnStdout: true,
-            script: "awk '/branch:/{print $2; exit}' clusters/atlas/flux-system/gotk-sync.yaml"
+            script: "grep -m1 '^\\s*branch:' clusters/atlas/flux-system/gotk-sync.yaml | sed 's/^\\s*branch:\\s*//'"
           ).trim()
           if (!env.FLUX_BRANCH) {
             error('Flux branch not found in gotk-sync.yaml')
@@ -64,6 +400,20 @@ spec:
       steps {
         withCredentials([usernamePassword(credentialsId: 'gitea-pat', usernameVariable: 'GIT_USER', passwordVariable: 'GIT_TOKEN')]) {
           sh '''
+            set -euo pipefail
+            if ! command -v git >/dev/null 2>&1; then
+              if command -v apk >/dev/null 2>&1; then
+                apk add --no-cache git >/dev/null
+              elif command -v apt-get >/dev/null 2>&1; then
+                apt-get update >/dev/null
+                apt-get install -y git >/dev/null
+              fi
+            fi
+            cd "${WORKSPACE:-$PWD}"
+            if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+              echo "workspace is not a git checkout; skipping promote"
+              exit 0
+            fi
             set +x
             git config user.email "jenkins@bstein.dev"
             git config user.name "jenkins"
@@ -74,4 +424,18 @@ spec:
       }
     }
   }
+  post {
+    always {
+      script {
+        if (fileExists('build/junit-unit.xml') || fileExists('build/junit-glue.xml')) {
+          try {
+            junit allowEmptyResults: true, testResults: 'build/junit-*.xml'
+          } catch (Throwable err) {
+            echo "junit step unavailable: ${err.class.simpleName}"
+          }
+        }
+      }
+      archiveArtifacts artifacts: 'build/**', allowEmptyArchive: true, fingerprint: true
+    }
+  }
 }

ci/Jenkinsfile.titan-iac

@@ -10,9 +10,47 @@ spec:
     hardware: rpi5
     kubernetes.io/arch: arm64
     node-role.kubernetes.io/worker: "true"
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+          - matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: NotIn
+                values:
+                  - titan-06
+      preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 100
+          preference:
+            matchExpressions:
+              - key: kubernetes.io/hostname
+                operator: NotIn
+                values:
+                  - titan-13
+                  - titan-15
+                  - titan-17
+                  - titan-19
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: kubernetes.io/hostname
+      whenUnsatisfiable: ScheduleAnyway
+      labelSelector:
+        matchLabels:
+          jenkins/jenkins-jenkins-agent: "true"
   containers:
+    - name: jnlp
+      image: jenkins/inbound-agent:3355.v388858a_47b_33-2-jdk21
+      resources:
+        requests:
+          cpu: "25m"
+          memory: "256Mi"
     - name: python
-      image: python:3.12-slim
+      image: registry.bstein.dev/bstein/python:3.12-slim
+      command:
+        - cat
+      tty: true
+    - name: quality-tools
+      image: registry.bstein.dev/bstein/quality-tools:sonar8.0.1-trivy0.70.0-db20260422-arm64
       command:
         - cat
       tty: true
@@ -22,6 +60,21 @@ spec:
   environment {
     PIP_DISABLE_PIP_VERSION_CHECK = '1'
     PYTHONUNBUFFERED = '1'
+    SUITE_NAME = 'titan_iac'
+    PUSHGATEWAY_URL = 'http://platform-quality-gateway.monitoring.svc.cluster.local:9091'
+    SONARQUBE_HOST_URL = 'http://sonarqube.quality.svc.cluster.local:9000'
+    SONARQUBE_PROJECT_KEY = 'titan_iac'
+    SONARQUBE_TOKEN = credentials('sonarqube-token')
+    VM_URL = 'http://victoria-metrics-single-server.monitoring.svc.cluster.local:8428'
+    QUALITY_GATE_SONARQUBE_ENFORCE = '1'
+    QUALITY_GATE_SONARQUBE_REPORT = 'build/sonarqube-quality-gate.json'
+    QUALITY_GATE_IRONBANK_ENFORCE = '1'
+    QUALITY_GATE_IRONBANK_REQUIRED = '0'
+    QUALITY_GATE_IRONBANK_REPORT = 'build/ironbank-compliance.json'
+  }
+  options {
+    disableConcurrentBuilds()
+    buildDiscarder(logRotator(daysToKeepStr: '30', numToKeepStr: '200', artifactDaysToKeepStr: '30', artifactNumToKeepStr: '120'))
   }
   stages {
     stage('Checkout') {
@@ -31,12 +84,295 @@ spec:
     }
     stage('Install deps') {
       steps {
-        sh 'pip install --no-cache-dir -r ci/requirements.txt'
+        sh '''
+          set -eu
+          if ! command -v git >/dev/null 2>&1; then
+            apt-get update
+            apt-get install -y --no-install-recommends git ca-certificates
+            rm -rf /var/lib/apt/lists/*
+          fi
+          pip install --no-cache-dir -r ci/requirements.txt
+        '''
       }
     }
-    stage('Glue tests') {
+    stage('Prepare local quality evidence') {
       steps {
-        sh 'pytest -q ci/tests/glue'
+        sh '''
+          set -eu
+          mkdir -p build
+          set +e
+          python3 -m testing.quality_gate --profile local --build-dir build
+          local_quality_rc=$?
+          set -e
+          printf '%s\n' "${local_quality_rc}" > build/local-quality-gate.rc
+        '''
+      }
+    }
+    stage('Collect SonarQube evidence') {
+      steps {
+        container('quality-tools') {
+          sh '''#!/usr/bin/env bash
+            set -euo pipefail
+            mkdir -p build
+            args=(
+              "-Dsonar.host.url=${SONARQUBE_HOST_URL}"
+              "-Dsonar.login=${SONARQUBE_TOKEN}"
+              "-Dsonar.projectKey=${SONARQUBE_PROJECT_KEY}"
+              "-Dsonar.projectName=${SONARQUBE_PROJECT_KEY}"
+              "-Dsonar.sources=."
+              "-Dsonar.exclusions=**/.git/**,**/build/**,**/dist/**,**/node_modules/**,**/.venv/**,**/__pycache__/**,**/coverage/**,**/test-results/**,**/playwright-report/**,services/monitoring/dashboards/**,services/monitoring/grafana-dashboard-*.yaml"
+              "-Dsonar.test.inclusions=**/tests/**,**/testing/**,**/*_test.go,**/*.test.ts,**/*.test.tsx,**/*.spec.ts,**/*.spec.tsx"
+            )
+            [ -f build/coverage-unit.xml ] && args+=("-Dsonar.python.coverage.reportPaths=build/coverage-unit.xml")
+            set +e
+            sonar-scanner "${args[@]}" | tee build/sonar-scanner.log
+            rc=${PIPESTATUS[0]}
+            set -e
+            printf '%s\n' "${rc}" > build/sonarqube-analysis.rc
+          '''
+        }
+        sh '''
+          set -eu
+          mkdir -p build
+          python3 - <<'PY'
+import base64
+import json
+import os
+import time
+import urllib.parse
+import urllib.request
+from pathlib import Path
+
+host = os.getenv('SONARQUBE_HOST_URL', '').strip().rstrip('/')
+project_key = os.getenv('SONARQUBE_PROJECT_KEY', '').strip()
+token = os.getenv('SONARQUBE_TOKEN', '').strip()
+report_path = os.getenv('QUALITY_GATE_SONARQUBE_REPORT', 'build/sonarqube-quality-gate.json')
+
+payload = {
+    "status": "ERROR",
+    "note": "missing SONARQUBE_HOST_URL and/or SONARQUBE_PROJECT_KEY",
+}
+if host and project_key:
+    task_file = Path('.scannerwork/report-task.txt')
+    task_id = ''
+    if task_file.exists():
+        for line in task_file.read_text(encoding='utf-8').splitlines():
+            key, _, value = line.partition('=')
+            if key == 'ceTaskId':
+                task_id = value.strip()
+                break
+    if task_id:
+        ce_query = urllib.parse.urlencode({"id": task_id})
+        deadline = time.monotonic() + 180
+        while time.monotonic() < deadline:
+            ce_request = urllib.request.Request(f"{host}/api/ce/task?{ce_query}", method="GET")
+            if token:
+                encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
+                ce_request.add_header("Authorization", f"Basic {encoded}")
+            try:
+                with urllib.request.urlopen(ce_request, timeout=12) as response:
+                    ce_payload = json.loads(response.read().decode("utf-8"))
+            except Exception:
+                time.sleep(3)
+                continue
+            status = str(ce_payload.get("task", {}).get("status", "")).upper()
+            if status in {"SUCCESS", "FAILED", "CANCELED"}:
+                break
+            time.sleep(3)
+
+    query = urllib.parse.urlencode({"projectKey": project_key})
+    request = urllib.request.Request(
+        f"{host}/api/qualitygates/project_status?{query}",
+        method="GET",
+    )
+    if token:
+        encoded = base64.b64encode(f"{token}:".encode("utf-8")).decode("utf-8")
+        request.add_header("Authorization", f"Basic {encoded}")
+    try:
+        with urllib.request.urlopen(request, timeout=12) as response:
+            payload = json.loads(response.read().decode("utf-8"))
+    except Exception as exc:  # noqa: BLE001
+        payload = {"status": "ERROR", "error": str(exc)}
+
+with open(report_path, "w", encoding="utf-8") as handle:
+    json.dump(payload, handle, indent=2, sort_keys=True)
+    handle.write("\\n")
+PY
+        '''
+      }
+    }
+    stage('Collect IronBank evidence') {
+      steps {
+        container('quality-tools') {
+          sh '''#!/usr/bin/env bash
+            set -euo pipefail
+            mkdir -p build
+            set +e
+            trivy fs --cache-dir "${TRIVY_CACHE_DIR}" --skip-db-update --skip-files clusters/atlas/flux-system/gotk-components.yaml --timeout 5m --no-progress --format json --output build/trivy-fs.json --scanners vuln,secret,misconfig --severity HIGH,CRITICAL .
+            trivy_rc=$?
+            set -e
+            if [ ! -s build/trivy-fs.json ]; then
+              cat > build/ironbank-compliance.json <<EOF
+{"status":"failed","compliant":false,"scanner":"trivy","scan_type":"filesystem","error":"trivy did not produce JSON output","trivy_rc":${trivy_rc}}
+EOF
+              exit 0
+            fi
+          '''
+        }
+        sh '''
+          set -eu
+          mkdir -p build
+          if [ -s build/trivy-fs.json ]; then
+            python3 ci/scripts/supply_chain_report.py --trivy-json build/trivy-fs.json --waivers ci/titan-iac-trivy-waivers.json --output build/ironbank-compliance.json
+            exit 0
+          fi
+          python3 - <<'PY'
+import json
+import os
+from pathlib import Path
+
+report_path = Path(os.getenv('QUALITY_GATE_IRONBANK_REPORT', 'build/ironbank-compliance.json'))
+if report_path.exists():
+    raise SystemExit(0)
+
+status = os.getenv('IRONBANK_COMPLIANCE_STATUS', '').strip()
+compliant = os.getenv('IRONBANK_COMPLIANT', '').strip().lower()
+payload = {
+    "status": status or "unknown",
+    "compliant": compliant in {"1", "true", "yes", "on"} if compliant else None,
+}
+payload = {k: v for k, v in payload.items() if v is not None}
+if "status" not in payload:
+    payload["status"] = "unknown"
+payload["note"] = (
+    "Set IRONBANK_COMPLIANCE_STATUS/IRONBANK_COMPLIANT "
+    "or write build/ironbank-compliance.json in image-building repos."
+)
+
+report_path.parent.mkdir(parents=True, exist_ok=True)
+report_path.write_text(json.dumps(payload, indent=2, sort_keys=True) + "\\n", encoding="utf-8")
+PY
+        '''
+      }
+    }
+    stage('Run quality gate') {
+      steps {
+        sh '''
+          set -eu
+          mkdir -p build
+          set +e
+          python3 -m testing.quality_gate --profile jenkins --build-dir build
+          quality_gate_rc=$?
+          set -e
+          printf '%s\n' "${quality_gate_rc}" > build/quality-gate.rc
+        '''
+      }
+    }
+    stage('Publish test metrics') {
+      steps {
+        sh '''
+          set -eu
+          export JUNIT_GLOB='build/junit-*.xml'
+          export QUALITY_GATE_EXIT_CODE_PATH='build/quality-gate.rc'
+          export QUALITY_GATE_SUMMARY_PATH='build/quality-gate-summary.json'
+          python3 ci/scripts/publish_test_metrics.py
+        '''
+      }
+    }
+    stage('Enforce quality gate') {
+      steps {
+        sh '''
+          set -euo pipefail
+          gate_rc="$(cat build/quality-gate.rc 2>/dev/null || echo 1)"
+          fail=0
+          if [ "${gate_rc}" -ne 0 ]; then
+            echo "quality gate failed with rc=${gate_rc}" >&2
+            fail=1
+          fi
+
+          enabled() {
+            case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
+              1|true|yes|on) return 0 ;;
+              *) return 1 ;;
+            esac
+          }
+
+          if enabled "${QUALITY_GATE_SONARQUBE_ENFORCE:-1}"; then
+            sonar_status="$(python3 - <<'PY'
+import json
+from pathlib import Path
+
+path = Path("build/sonarqube-quality-gate.json")
+if not path.exists():
+    print("missing")
+    raise SystemExit(0)
+try:
+    payload = json.loads(path.read_text(encoding="utf-8"))
+except Exception:  # noqa: BLE001
+    print("error")
+    raise SystemExit(0)
+status = (payload.get("status") or payload.get("projectStatus", {}).get("status") or payload.get("qualityGate", {}).get("status") or "").strip().lower()
+print(status or "missing")
+PY
+)"
+            case "${sonar_status}" in
+              ok|pass|passed|success) ;;
+              *)
+                echo "sonarqube gate failed: ${sonar_status}" >&2
+                fail=1
+                ;;
+            esac
+          fi
+
+          ironbank_required="${QUALITY_GATE_IRONBANK_REQUIRED:-0}"
+          if [ "${PUBLISH_IMAGES:-false}" = "true" ]; then
+            ironbank_required=1
+          fi
+          if enabled "${QUALITY_GATE_IRONBANK_ENFORCE:-1}"; then
+            supply_status="$(python3 - <<'PY'
+import json
+from pathlib import Path
+
+path = Path("build/ironbank-compliance.json")
+if not path.exists():
+    print("missing")
+    raise SystemExit(0)
+try:
+    payload = json.loads(path.read_text(encoding="utf-8"))
+except Exception:  # noqa: BLE001
+    print("error")
+    raise SystemExit(0)
+compliant = payload.get("compliant")
+if compliant is True:
+    print("ok")
+elif compliant is False:
+    print("failed")
+else:
+    status = str(payload.get("status") or payload.get("result") or payload.get("compliance") or "").strip().lower()
+    print(status or "missing")
+PY
+)"
+            case "${supply_status}" in
+              ok|pass|passed|success|compliant) ;;
+              not_applicable|na|n/a)
+                if enabled "${ironbank_required}"; then
+                  echo "supply chain gate required but status=${supply_status}" >&2
+                  fail=1
+                fi
+                ;;
+              *)
+                if enabled "${ironbank_required}"; then
+                  echo "supply chain gate failed: ${supply_status}" >&2
+                  fail=1
+                else
+                  echo "supply chain gate not passing (${supply_status}) but not required for this run" >&2
+                fi
+                ;;
+            esac
+          fi
+
+          exit "${fail}"
+        '''
       }
     }
     stage('Resolve Flux branch') {
@@ -63,6 +399,20 @@ spec:
       steps {
         withCredentials([usernamePassword(credentialsId: 'gitea-pat', usernameVariable: 'GIT_USER', passwordVariable: 'GIT_TOKEN')]) {
           sh '''
+            set -euo pipefail
+            if ! command -v git >/dev/null 2>&1; then
+              if command -v apk >/dev/null 2>&1; then
+                apk add --no-cache git >/dev/null
+              elif command -v apt-get >/dev/null 2>&1; then
+                apt-get update >/dev/null
+                apt-get install -y git >/dev/null
+              fi
+            fi
+            cd "${WORKSPACE:-$PWD}"
+            if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
+              echo "workspace is not a git checkout; skipping promote"
+              exit 0
+            fi
             set +x
             git config user.email "jenkins@bstein.dev"
             git config user.name "jenkins"
@@ -73,4 +423,18 @@ spec:
       }
     }
   }
+  post {
+    always {
+      script {
+        if (fileExists('build/junit-unit.xml') || fileExists('build/junit-glue.xml')) {
+          try {
+            junit allowEmptyResults: true, testResults: 'build/junit-*.xml'
+          } catch (Throwable err) {
+            echo "junit step unavailable: ${err.class.simpleName}"
+          }
+        }
+      }
+      archiveArtifacts artifacts: 'build/**', allowEmptyArchive: true, fingerprint: true
+    }
+  }
 }

ci/requirements.txt

@@ -1,4 +1,7 @@
 pytest==8.3.4
+pytest-cov==6.0.0
+coverage==7.6.10
 kubernetes==30.1.0
 PyYAML==6.0.2
 requests==2.32.3
+ruff==0.8.4

ci/scripts/publish_test_metrics.py

@@ -0,0 +1,358 @@
+#!/usr/bin/env python3
+"""Publish titan-iac quality-gate results to Pushgateway."""
+
+from __future__ import annotations
+
+import json
+import os
+from glob import glob
+from pathlib import Path
+import sys
+import urllib.error
+import urllib.request
+import xml.etree.ElementTree as ET
+
+sys.path.insert(0, str(Path(__file__).resolve().parents[2]))
+
+from ci.scripts import publish_test_metrics_quality as _quality_helpers
+
+CANONICAL_CHECKS = _quality_helpers.CANONICAL_CHECKS
+_build_check_statuses = _quality_helpers._build_check_statuses
+_combine_statuses = _quality_helpers._combine_statuses
+_infer_sonarqube_status = _quality_helpers._infer_sonarqube_status
+_infer_source_lines_over_500 = _quality_helpers._infer_source_lines_over_500
+_infer_supply_chain_status = _quality_helpers._infer_supply_chain_status
+_infer_workspace_coverage_percent = _quality_helpers._infer_workspace_coverage_percent
+_load_optional_json = _quality_helpers._load_optional_json
+_normalize_result_status = _quality_helpers._normalize_result_status
+
+
+def _escape_label(value: str) -> str:
+    """Escape a Prometheus label value without changing its content."""
+    return value.replace("\\", "\\\\").replace("\n", "\\n").replace('"', '\\"')
+
+
+def _label_str(labels: dict[str, str]) -> str:
+    """Render a stable Prometheus label set from a mapping."""
+    parts = [f'{key}="{_escape_label(val)}"' for key, val in labels.items() if val]
+    return "{" + ",".join(parts) + "}" if parts else ""
+
+
+def _read_text(url: str) -> str:
+    """Fetch a plain-text response body from the given URL."""
+    with urllib.request.urlopen(url, timeout=10) as response:
+        return response.read().decode("utf-8")
+
+
+def _post_text(url: str, payload: str) -> None:
+    """PUT a plain-text payload and fail on any 4xx/5xx response."""
+    request = urllib.request.Request(
+        url,
+        data=payload.encode("utf-8"),
+        method="PUT",
+        headers={"Content-Type": "text/plain"},
+    )
+    with urllib.request.urlopen(request, timeout=10) as response:
+        if response.status >= 400:
+            raise RuntimeError(f"push failed with status={response.status}")
+
+
+def _parse_junit(path: str) -> dict[str, int]:
+    """Parse a JUnit XML file into aggregate test counters."""
+    if not os.path.exists(path):
+        return {"tests": 0, "failures": 0, "errors": 0, "skipped": 0}
+
+    tree = ET.parse(path)
+    root = tree.getroot()
+    totals = {"tests": 0, "failures": 0, "errors": 0, "skipped": 0}
+
+    suites: list[ET.Element]
+    if root.tag == "testsuite":
+        suites = [root]
+    elif root.tag == "testsuites":
+        suites = [elem for elem in root if elem.tag == "testsuite"]
+    else:
+        suites = []
+
+    for suite in suites:
+        for key in totals:
+            raw_value = suite.attrib.get(key, "0")
+            try:
+                totals[key] += int(float(raw_value))
+            except ValueError:
+                totals[key] += 0
+    return totals
+
+
+def _collect_junit_totals(pattern: str) -> dict[str, int]:
+    """Sum JUnit counters across every XML file matching the pattern."""
+    totals = {"tests": 0, "failures": 0, "errors": 0, "skipped": 0}
+    for path in sorted(glob(pattern)):
+        parsed = _parse_junit(path)
+        for key in totals:
+            totals[key] += parsed[key]
+    return totals
+
+
+def _collect_junit_cases(pattern: str) -> list[tuple[str, str]]:
+    """Collect individual JUnit test-case statuses for flaky-test trend panels."""
+    cases: list[tuple[str, str]] = []
+    for path in sorted(glob(pattern)):
+        if not os.path.exists(path):
+            continue
+        root = ET.parse(path).getroot()
+        suites: list[ET.Element]
+        if root.tag == "testsuite":
+            suites = [root]
+        elif root.tag == "testsuites":
+            suites = [elem for elem in root if elem.tag == "testsuite"]
+        else:
+            suites = []
+        for suite in suites:
+            for test_case in suite.findall("testcase"):
+                case_name = test_case.attrib.get("name", "").strip()
+                class_name = test_case.attrib.get("classname", "").strip()
+                if not case_name:
+                    continue
+                full_name = f"{class_name}.{case_name}" if class_name else case_name
+                status = "passed"
+                if test_case.find("failure") is not None or test_case.find("error") is not None:
+                    status = "failed"
+                elif test_case.find("skipped") is not None:
+                    status = "skipped"
+                cases.append((full_name, status))
+    return cases
+
+
+def _read_exit_code(path: str) -> int:
+    """Read the quality-gate exit code, defaulting to failure if missing."""
+    try:
+        with open(path, "r", encoding="utf-8") as handle:
+            return int(handle.read().strip())
+    except (FileNotFoundError, ValueError):
+        return 1
+
+
+def _load_summary(path: str) -> dict:
+    """Load the JSON quality-gate summary, returning an empty mapping on error."""
+    try:
+        with open(path, "r", encoding="utf-8") as handle:
+            return json.load(handle)
+    except (FileNotFoundError, json.JSONDecodeError):
+        return {}
+
+
+def _summary_float(summary: dict, key: str) -> float:
+    """Extract a float-like value from the summary, defaulting to 0.0."""
+    value = summary.get(key)
+    if isinstance(value, (int, float)):
+        return float(value)
+    return 0.0
+
+
+def _summary_int(summary: dict, key: str) -> int:
+    """Extract an int-like value from the summary, defaulting to 0."""
+    value = summary.get(key)
+    if isinstance(value, int):
+        return value
+    if isinstance(value, float):
+        return int(value)
+    return 0
+
+
+def _fetch_existing_counter(pushgateway_url: str, metric: str, labels: dict[str, str]) -> float:
+    """Return the current counter value for a labeled metric if present."""
+    text = _read_text(f"{pushgateway_url.rstrip('/')}/metrics")
+    for line in text.splitlines():
+        if not line.startswith(metric + "{"):
+            continue
+        if any(f'{key}="{value}"' not in line for key, value in labels.items()):
+            continue
+        parts = line.split()
+        if len(parts) < 2:
+            continue
+        try:
+            return float(parts[1])
+        except ValueError:
+            return 0.0
+    return 0.0
+
+
+def _build_payload(
+    suite: str,
+    status: str,
+    tests: dict[str, int],
+    test_cases: list[tuple[str, str]],
+    ok_count: int,
+    failed_count: int,
+    branch: str,
+    build_number: str,
+    jenkins_job: str,
+    summary: dict | None = None,
+    workspace_line_coverage_percent: float = 0.0,
+    source_files_total: int = 0,
+    source_lines_over_500: int = 0,
+    check_statuses: dict[str, str] | None = None,
+) -> str:
+    """Build the Pushgateway payload for the current suite run."""
+    passed = max(tests["tests"] - tests["failures"] - tests["errors"] - tests["skipped"], 0)
+    build_labels = _label_str(
+        {
+            "suite": suite,
+            "branch": branch or "unknown",
+            "build_number": build_number or "unknown",
+            "jenkins_job": jenkins_job or suite,
+        }
+    )
+    test_case_base_labels = {
+        "suite": suite,
+        "branch": branch or "unknown",
+        "build_number": build_number or "unknown",
+        "jenkins_job": jenkins_job or suite,
+    }
+    lines = [
+        "# TYPE platform_quality_gate_runs_total counter",
+        f'platform_quality_gate_runs_total{{suite="{suite}",status="ok"}} {ok_count}',
+        f'platform_quality_gate_runs_total{{suite="{suite}",status="failed"}} {failed_count}',
+        "# TYPE titan_iac_quality_gate_tests_total gauge",
+        f'titan_iac_quality_gate_tests_total{{suite="{suite}",result="passed"}} {passed}',
+        f'titan_iac_quality_gate_tests_total{{suite="{suite}",result="failed"}} {tests["failures"]}',
+        f'titan_iac_quality_gate_tests_total{{suite="{suite}",result="error"}} {tests["errors"]}',
+        f'titan_iac_quality_gate_tests_total{{suite="{suite}",result="skipped"}} {tests["skipped"]}',
+        "# TYPE titan_iac_quality_gate_run_status gauge",
+        f'titan_iac_quality_gate_run_status{{suite="{suite}",status="ok"}} {1 if status == "ok" else 0}',
+        f'titan_iac_quality_gate_run_status{{suite="{suite}",status="failed"}} {1 if status == "failed" else 0}',
+        "# TYPE platform_quality_gate_build_info gauge",
+        f"platform_quality_gate_build_info{build_labels} 1",
+        "# TYPE titan_iac_quality_gate_build_info gauge",
+        f"titan_iac_quality_gate_build_info{build_labels} 1",
+        "# TYPE platform_quality_gate_workspace_line_coverage_percent gauge",
+        f'platform_quality_gate_workspace_line_coverage_percent{{suite="{suite}"}} {workspace_line_coverage_percent:.3f}',
+        "# TYPE platform_quality_gate_source_files_total gauge",
+        f'platform_quality_gate_source_files_total{{suite="{suite}"}} {source_files_total}',
+        "# TYPE platform_quality_gate_source_lines_over_500_total gauge",
+        f'platform_quality_gate_source_lines_over_500_total{{suite="{suite}"}} {source_lines_over_500}',
+    ]
+    if check_statuses:
+        lines.append("# TYPE titan_iac_quality_gate_checks_total gauge")
+        for check_name in CANONICAL_CHECKS:
+            check_status = check_statuses.get(check_name, "not_applicable")
+            lines.append(
+                f'titan_iac_quality_gate_checks_total{{suite="{suite}",check="{_escape_label(check_name)}",result="{_escape_label(check_status)}"}} 1'
+            )
+    lines.append("# TYPE platform_quality_gate_test_case_result gauge")
+    if test_cases:
+        for test_name, test_status in test_cases:
+            labels = {
+                **test_case_base_labels,
+                "test": test_name,
+                "status": test_status,
+            }
+            lines.append(
+                f"platform_quality_gate_test_case_result{_label_str(labels)} 1"
+            )
+    else:
+        labels = {**test_case_base_labels, "test": "__no_test_cases__", "status": "skipped"}
+        lines.append(
+            f"platform_quality_gate_test_case_result{_label_str(labels)} 1"
+        )
+    return "\n".join(lines) + "\n"
+
+
+def main() -> int:
+    """Publish the quality-gate metrics and print a compact run summary."""
+    suite = os.getenv("SUITE_NAME", "titan_iac")
+    pushgateway_url = os.getenv("PUSHGATEWAY_URL", "http://platform-quality-gateway.monitoring.svc.cluster.local:9091")
+    job_name = os.getenv("QUALITY_GATE_JOB_NAME", "platform-quality-ci")
+    junit_glob = os.getenv("JUNIT_GLOB", os.getenv("JUNIT_PATH", "build/junit-*.xml"))
+    exit_code_path = os.getenv("QUALITY_GATE_EXIT_CODE_PATH", os.getenv("GLUE_EXIT_CODE_PATH", "build/quality-gate.rc"))
+    summary_path = os.getenv("QUALITY_GATE_SUMMARY_PATH", "build/quality-gate-summary.json")
+    branch = os.getenv("BRANCH_NAME") or os.getenv("GIT_BRANCH") or "unknown"
+    if branch.startswith("origin/"):
+        branch = branch[len("origin/") :]
+    build_number = os.getenv("BUILD_NUMBER", "")
+    jenkins_job = os.getenv("JOB_NAME", "titan-iac")
+
+    tests = _collect_junit_totals(junit_glob)
+    test_cases = _collect_junit_cases(junit_glob)
+    exit_code = _read_exit_code(exit_code_path)
+    status = "ok" if exit_code == 0 else "failed"
+    summary = _load_summary(summary_path)
+    workspace_line_coverage_percent = _summary_float(summary, "workspace_line_coverage_percent")
+    if workspace_line_coverage_percent <= 0:
+        workspace_line_coverage_percent = _infer_workspace_coverage_percent(summary, "build/coverage-unit.xml")
+    source_files_total = _summary_int(summary, "source_files_total")
+    source_lines_over_500 = _summary_int(summary, "source_lines_over_500")
+    if source_lines_over_500 <= 0:
+        source_lines_over_500 = _infer_source_lines_over_500(summary)
+    sonarqube_report = _load_optional_json(os.getenv("QUALITY_GATE_SONARQUBE_REPORT", "build/sonarqube-quality-gate.json"))
+    supply_chain_report = _load_optional_json(os.getenv("QUALITY_GATE_IRONBANK_REPORT", "build/ironbank-compliance.json"))
+    supply_chain_required = os.getenv("QUALITY_GATE_IRONBANK_REQUIRED", "0").strip().lower() in {"1", "true", "yes", "on"}
+    check_statuses = _build_check_statuses(
+        summary=summary,
+        tests=tests,
+        workspace_line_coverage_percent=workspace_line_coverage_percent,
+        source_lines_over_500=source_lines_over_500,
+        sonarqube_report=sonarqube_report,
+        supply_chain_report=supply_chain_report,
+        supply_chain_required=supply_chain_required,
+    )
+
+    ok_count = int(
+        _fetch_existing_counter(
+            pushgateway_url,
+            "platform_quality_gate_runs_total",
+            {"job": job_name, "suite": suite, "status": "ok"},
+        )
+    )
+    failed_count = int(
+        _fetch_existing_counter(
+            pushgateway_url,
+            "platform_quality_gate_runs_total",
+            {"job": job_name, "suite": suite, "status": "failed"},
+        )
+    )
+    if status == "ok":
+        ok_count += 1
+    else:
+        failed_count += 1
+
+    payload = _build_payload(
+        suite=suite,
+        status=status,
+        tests=tests,
+        test_cases=test_cases,
+        ok_count=ok_count,
+        failed_count=failed_count,
+        branch=branch,
+        build_number=build_number,
+        jenkins_job=jenkins_job,
+        summary=summary,
+        workspace_line_coverage_percent=workspace_line_coverage_percent,
+        source_files_total=source_files_total,
+        source_lines_over_500=source_lines_over_500,
+        check_statuses=check_statuses,
+    )
+    push_url = f"{pushgateway_url.rstrip('/')}/metrics/job/{job_name}/suite/{suite}"
+    _post_text(push_url, payload)
+
+    summary = {
+        "suite": suite,
+        "status": status,
+        "tests_total": tests["tests"],
+        "tests_failed": tests["failures"],
+        "tests_error": tests["errors"],
+        "tests_skipped": tests["skipped"],
+        "ok_count": ok_count,
+        "failed_count": failed_count,
+        "checks_recorded": len(check_statuses),
+        "workspace_line_coverage_percent": workspace_line_coverage_percent,
+        "source_files_total": source_files_total,
+        "source_lines_over_500": source_lines_over_500,
+    }
+    print(json.dumps(summary, sort_keys=True))
+    return 0
+
+
+if __name__ == "__main__":  # pragma: no cover
+    raise SystemExit(main())

ci/scripts/publish_test_metrics_quality.py

@@ -0,0 +1,200 @@
+#!/usr/bin/env python3
+"""Quality/status helpers for publish_test_metrics."""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+import xml.etree.ElementTree as ET
+
+SUCCESS_STATUSES = {"ok", "pass", "passed", "success", "compliant"}
+NOT_APPLICABLE_STATUSES = {"not_applicable", "n/a", "na", "none", "skipped"}
+FAILED_STATUSES = {"failed", "fail", "error", "errors", "warn", "warning", "red"}
+
+CANONICAL_CHECKS = [
+    "tests",
+    "coverage",
+    "loc",
+    "docs_naming",
+    "gate_glue",
+    "sonarqube",
+    "supply_chain",
+]
+
+
+def _infer_workspace_coverage_percent(summary: dict, default_xml: str) -> float:
+    """Infer workspace line coverage from quality summary coverage XML metadata."""
+    results = summary.get("results", []) if isinstance(summary, dict) else []
+    coverage_xml = default_xml
+    for result in results:
+        if not isinstance(result, dict):
+            continue
+        if str(result.get("name") or "").strip().lower() != "coverage":
+            continue
+        candidate = str(result.get("coverage_xml") or "").strip()
+        if candidate:
+            coverage_xml = candidate
+            break
+    xml_path = Path(coverage_xml)
+    if not xml_path.exists():
+        return 0.0
+    try:
+        root = ET.parse(xml_path).getroot()
+        line_rate = root.attrib.get("line-rate")
+        if line_rate is None:
+            return 0.0
+        return float(line_rate) * 100.0
+    except (ET.ParseError, OSError, ValueError):
+        return 0.0
+
+
+def _infer_source_lines_over_500(summary: dict) -> int:
+    """Infer over-limit source file count from hygiene issue payloads."""
+    results = summary.get("results", []) if isinstance(summary, dict) else []
+    for result in results:
+        if not isinstance(result, dict):
+            continue
+        if str(result.get("name") or "").strip().lower() not in {"hygiene", "loc", "smell"}:
+            continue
+        issues = result.get("issues")
+        if not isinstance(issues, list):
+            continue
+        return sum(1 for item in issues if isinstance(item, str) and item.startswith("file exceeds"))
+    return 0
+
+
+def _normalize_result_status(value: str | None, default: str = "failed") -> str:
+    """Map arbitrary check status text into canonical check result buckets."""
+    if not value:
+        return default
+    normalized = value.strip().lower()
+    if normalized in SUCCESS_STATUSES:
+        return "ok"
+    if normalized in NOT_APPLICABLE_STATUSES:
+        return "not_applicable"
+    if normalized in FAILED_STATUSES:
+        return "failed"
+    return default
+
+
+def _load_optional_json(path: str | None) -> dict:
+    """Load an optional JSON report file, returning an empty object when absent."""
+    if not path:
+        return {}
+    candidate = Path(path)
+    if not candidate.exists():
+        return {}
+    try:
+        return json.loads(candidate.read_text(encoding="utf-8"))
+    except json.JSONDecodeError:
+        return {}
+
+
+def _combine_statuses(statuses: list[str]) -> str:
+    """Roll up many check statuses into one canonical result."""
+    if not statuses:
+        return "not_applicable"
+    if any(status == "failed" for status in statuses):
+        return "failed"
+    if all(status == "not_applicable" for status in statuses):
+        return "not_applicable"
+    if all(status in {"ok", "not_applicable"} for status in statuses):
+        return "ok"
+    return "failed"
+
+
+def _infer_sonarqube_status(report: dict) -> str:
+    """Infer canonical SonarQube check status from its JSON report payload."""
+    if not report:
+        return "not_applicable"
+    status = (
+        report.get("projectStatus", {}).get("status")
+        or report.get("qualityGate", {}).get("status")
+        or report.get("status")
+    )
+    return _normalize_result_status(str(status) if status is not None else None, default="failed")
+
+
+def _infer_supply_chain_status(report: dict, required: bool) -> str:
+    """Infer canonical supply-chain status from IronBank/artifact report payload."""
+    if not report:
+        return "failed" if required else "not_applicable"
+    compliant = report.get("compliant")
+    if isinstance(compliant, bool):
+        return "ok" if compliant else "failed"
+    status = report.get("status")
+    if status is None:
+        return "failed" if required else "not_applicable"
+    normalized = _normalize_result_status(str(status), default="failed")
+    if normalized == "not_applicable" and required:
+        return "failed"
+    return normalized
+
+
+def _build_check_statuses(
+    summary: dict | None,
+    tests: dict[str, int],
+    workspace_line_coverage_percent: float,
+    source_lines_over_500: int,
+    sonarqube_report: dict,
+    supply_chain_report: dict,
+    supply_chain_required: bool,
+) -> dict[str, str]:
+    """Generate the canonical quality-check status map for dashboarding."""
+    raw_results = summary.get("results", []) if isinstance(summary, dict) else []
+    status_by_name: dict[str, str] = {}
+    for result in raw_results:
+        if not isinstance(result, dict):
+            continue
+        check_name = str(result.get("name") or "").strip().lower()
+        if not check_name:
+            continue
+        status_by_name[check_name] = _normalize_result_status(result.get("status"), default="failed")
+
+    tests_status = status_by_name.get("tests")
+    if not tests_status:
+        candidate_keys = ["unit", "integration", "e2e", "pytest", "test", "tests"]
+        candidates = [status_by_name[key] for key in candidate_keys if key in status_by_name]
+        if candidates:
+            tests_status = _combine_statuses(candidates)
+        elif tests["tests"] > 0:
+            tests_status = "ok" if (tests["failures"] + tests["errors"]) == 0 else "failed"
+        else:
+            tests_status = "not_applicable"
+
+    coverage_status = status_by_name.get("coverage")
+    if not coverage_status:
+        if workspace_line_coverage_percent > 0:
+            coverage_status = "ok" if workspace_line_coverage_percent >= 95.0 else "failed"
+        else:
+            coverage_status = "not_applicable"
+
+    loc_status = status_by_name.get("loc")
+    if not loc_status:
+        loc_status = "ok" if source_lines_over_500 == 0 else "failed"
+
+    docs_naming_status = status_by_name.get("docs_naming")
+    if not docs_naming_status:
+        candidates = [status_by_name[key] for key in ["docs", "hygiene", "smell", "lint", "naming"] if key in status_by_name]
+        docs_naming_status = _combine_statuses(candidates) if candidates else "not_applicable"
+
+    gate_glue_status = status_by_name.get("gate_glue")
+    if not gate_glue_status:
+        candidates = [status_by_name[key] for key in ["gate_glue", "glue", "gate"] if key in status_by_name]
+        gate_glue_status = _combine_statuses(candidates) if candidates else "not_applicable"
+
+    sonarqube_status = status_by_name.get("sonarqube") or _infer_sonarqube_status(sonarqube_report)
+    supply_chain_status = status_by_name.get("supply_chain") or _infer_supply_chain_status(
+        supply_chain_report,
+        required=supply_chain_required,
+    )
+
+    return {
+        "tests": tests_status,
+        "coverage": coverage_status,
+        "loc": loc_status,
+        "docs_naming": docs_naming_status,
+        "gate_glue": gate_glue_status,
+        "sonarqube": sonarqube_status,
+        "supply_chain": supply_chain_status,
+    }

ci/scripts/supply_chain_report.py

@@ -0,0 +1,173 @@
+"""Build a titan-iac supply-chain compliance report from Trivy evidence."""
+
+from __future__ import annotations
+
+import argparse
+import datetime as dt
+import json
+from pathlib import Path
+from typing import Any
+
+
+FAIL_SEVERITIES = {"HIGH", "CRITICAL"}
+
+
+def _read_json(path: Path) -> dict[str, Any]:
+    """Read a JSON object from disk for use as pipeline evidence."""
+    payload = json.loads(path.read_text(encoding="utf-8"))
+    if not isinstance(payload, dict):
+        raise ValueError(f"{path} must contain a JSON object")
+    return payload
+
+
+def _parse_day(raw: str | None) -> dt.date | None:
+    """Parse an ISO day while letting optional waiver dates stay optional."""
+    if not raw:
+        return None
+    return dt.date.fromisoformat(raw)
+
+
+def _today(override: str | None = None) -> dt.date:
+    """Return the policy day so tests can pin expiry behavior."""
+    return _parse_day(override) or dt.date.today()
+
+
+def _load_waiver_pairs(path: Path | None, policy_day: dt.date) -> tuple[set[tuple[str, str]], int]:
+    """Return active ``(misconfiguration id, target)`` waivers and expired count."""
+    if path is None or not path.exists():
+        return set(), 0
+
+    payload = _read_json(path)
+    default_expires_at = payload.get("default_expires_at")
+    active: set[tuple[str, str]] = set()
+    expired = 0
+
+    for entry in payload.get("misconfigurations", []):
+        if not isinstance(entry, dict):
+            continue
+        misconfiguration_id = str(entry.get("id") or "").strip()
+        if not misconfiguration_id:
+            continue
+        expires_at = _parse_day(str(entry.get("expires_at") or default_expires_at or ""))
+        targets = entry.get("targets", [])
+        if not isinstance(targets, list):
+            continue
+
+        if expires_at and expires_at < policy_day:
+            expired += len(targets)
+            continue
+
+        # Waivers are target-specific so a new unsafe manifest fails until it is
+        # either fixed or deliberately accepted with a fresh expiration.
+        for target in targets:
+            if isinstance(target, str) and target:
+                active.add((misconfiguration_id, target))
+
+    return active, expired
+
+
+def _iter_failed_misconfigurations(payload: dict[str, Any]):
+    """Yield failed high/critical Trivy misconfiguration records."""
+    for result in payload.get("Results", []):
+        if not isinstance(result, dict):
+            continue
+        target = str(result.get("Target") or "")
+        for item in result.get("Misconfigurations") or []:
+            if not isinstance(item, dict):
+                continue
+            if item.get("Status") != "FAIL":
+                continue
+            if str(item.get("Severity") or "").upper() not in FAIL_SEVERITIES:
+                continue
+            yield target, item
+
+
+def _count_vulnerabilities(payload: dict[str, Any], severity: str) -> int:
+    """Count Trivy vulnerabilities at a specific severity."""
+    count = 0
+    for result in payload.get("Results", []):
+        if not isinstance(result, dict):
+            continue
+        for item in result.get("Vulnerabilities") or []:
+            if isinstance(item, dict) and str(item.get("Severity") or "").upper() == severity:
+                count += 1
+    return count
+
+
+def _count_secrets(payload: dict[str, Any]) -> int:
+    """Count detected secrets in the Trivy filesystem report."""
+    count = 0
+    for result in payload.get("Results", []):
+        if isinstance(result, dict):
+            count += len(result.get("Secrets") or [])
+    return count
+
+
+def build_report(
+    trivy_payload: dict[str, Any],
+    waiver_path: Path | None = None,
+    today_override: str | None = None,
+) -> dict[str, Any]:
+    """Build the compliance summary consumed by the quality gate."""
+    policy_day = _today(today_override)
+    active_waivers, expired_waivers = _load_waiver_pairs(waiver_path, policy_day)
+
+    open_misconfigs: list[dict[str, str]] = []
+    waived_misconfigs = 0
+    for target, item in _iter_failed_misconfigurations(trivy_payload):
+        misconfiguration_id = str(item.get("ID") or "")
+        if (misconfiguration_id, target) in active_waivers:
+            waived_misconfigs += 1
+            continue
+        open_misconfigs.append(
+            {
+                "id": misconfiguration_id,
+                "target": target,
+                "severity": str(item.get("Severity") or ""),
+                "title": str(item.get("Title") or ""),
+            }
+        )
+
+    critical = _count_vulnerabilities(trivy_payload, "CRITICAL")
+    high = _count_vulnerabilities(trivy_payload, "HIGH")
+    secrets = _count_secrets(trivy_payload)
+    status = "ok" if critical == 0 and secrets == 0 and not open_misconfigs else "failed"
+
+    return {
+        "status": status,
+        "compliant": status == "ok",
+        "category": "artifact_security",
+        "scan_type": "filesystem",
+        "scanner": "trivy",
+        "critical_vulnerabilities": critical,
+        "high_vulnerabilities": high,
+        "high_vulnerability_policy": "observe",
+        "secrets": secrets,
+        "high_or_critical_misconfigurations": len(open_misconfigs),
+        "waived_misconfigurations": waived_misconfigs,
+        "expired_waivers": expired_waivers,
+        "waiver_file": str(waiver_path) if waiver_path else "",
+        "open_misconfiguration_examples": open_misconfigs[:20],
+    }
+
+
+def main(argv: list[str] | None = None) -> int:
+    """CLI entrypoint used by Jenkins after the Trivy scan completes."""
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("--trivy-json", required=True)
+    parser.add_argument("--waivers")
+    parser.add_argument("--output", required=True)
+    parser.add_argument("--today")
+    args = parser.parse_args(argv)
+
+    trivy_payload = _read_json(Path(args.trivy_json))
+    waiver_path = Path(args.waivers) if args.waivers else None
+    report = build_report(trivy_payload, waiver_path=waiver_path, today_override=args.today)
+    output_path = Path(args.output)
+    output_path.parent.mkdir(parents=True, exist_ok=True)
+    output_path.write_text(json.dumps(report, indent=2, sort_keys=True) + "\n", encoding="utf-8")
+    return 0
+
+
+if __name__ == "__main__":  # pragma: no cover
+    raise SystemExit(main())

ci/tests/glue/config.yaml

@@ -1,6 +1,7 @@
 max_success_age_hours: 48
 allow_suspended:
   - bstein-dev-home/vaultwarden-cred-sync
+  - comms/guest-name-randomizer
   - comms/othrys-room-reset
   - comms/pin-othrys-invite
   - comms/seed-othrys-room
@@ -9,6 +10,7 @@ allow_suspended:
   - health/wger-user-sync
   - mailu-mailserver/mailu-sync-nightly
   - nextcloud/nextcloud-mail-sync
+  - vault/vault-oidc-config
 ariadne_schedule_tasks:
   - schedule.mailu_sync
   - schedule.nextcloud_sync

ci/tests/glue/test_ariadne_schedules.py

@@ -0,0 +1,108 @@
+"""Glue checks for Ariadne schedules exported to VictoriaMetrics."""
+
+from __future__ import annotations
+
+import os
+from datetime import datetime, timezone
+from pathlib import Path
+
+import requests
+import yaml
+
+
+CONFIG_PATH = Path(__file__).with_name("config.yaml")
+
+
+def _load_config() -> dict:
+    with CONFIG_PATH.open("r", encoding="utf-8") as handle:
+        return yaml.safe_load(handle) or {}
+
+
+def _query(promql: str) -> list[dict]:
+    vm_url = os.environ.get("VM_URL", "http://victoria-metrics-single-server:8428").rstrip("/")
+    response = requests.get(f"{vm_url}/api/v1/query", params={"query": promql}, timeout=10)
+    response.raise_for_status()
+    payload = response.json()
+    return payload.get("data", {}).get("result", [])
+
+
+def _expected_tasks() -> list[dict]:
+    cfg = _load_config()
+    tasks = [
+        _normalize_task(item, cfg)
+        for item in cfg.get("ariadne_schedule_tasks", [])
+    ]
+    assert tasks, "No Ariadne schedule tasks configured"
+    return tasks
+
+
+def _normalize_task(item: object, cfg: dict) -> dict:
+    if isinstance(item, str):
+        return {
+            "task": item,
+            "check_last_success": True,
+            "max_success_age_hours": cfg.get("max_success_age_hours", 48),
+        }
+    if isinstance(item, dict):
+        normalized = dict(item)
+        normalized.setdefault("check_last_success", True)
+        normalized.setdefault("max_success_age_hours", cfg.get("max_success_age_hours", 48))
+        return normalized
+    raise TypeError(f"Unsupported Ariadne schedule task config entry: {item!r}")
+
+
+def _tracked_tasks(tasks: list[dict]) -> list[dict]:
+    tracked = [item for item in tasks if item.get("check_last_success")]
+    assert tracked, "No Ariadne schedule tasks are marked for success tracking"
+    return tracked
+
+
+def _task_regex(tasks: list[dict]) -> str:
+    return "|".join(item["task"] for item in tasks)
+
+
+def test_ariadne_schedule_series_exist():
+    tasks = _expected_tasks()
+    selector = _task_regex(tasks)
+    series = _query(f'ariadne_schedule_next_run_timestamp_seconds{{task=~"{selector}"}}')
+    seen = {item.get("metric", {}).get("task") for item in series}
+    missing = [item["task"] for item in tasks if item["task"] not in seen]
+    assert not missing, f"Missing next-run metrics for: {', '.join(missing)}"
+
+
+def test_ariadne_schedule_recent_success():
+    tasks = _tracked_tasks(_expected_tasks())
+    selector = _task_regex(tasks)
+    series = _query(f'ariadne_schedule_last_success_timestamp_seconds{{task=~"{selector}"}}')
+    seen = {item.get("metric", {}).get("task") for item in series}
+    missing = [item["task"] for item in tasks if item["task"] not in seen]
+    assert not missing, f"Missing last-success metrics for: {', '.join(missing)}"
+
+    now = datetime.now(timezone.utc)
+    age_by_task = {
+        item.get("metric", {}).get("task"): (now - datetime.fromtimestamp(float(item["value"][1]), tz=timezone.utc)).total_seconds() / 3600
+        for item in series
+    }
+    too_old = [
+        f"{task} ({age_by_task[task]:.1f}h > {item['max_success_age_hours']}h)"
+        for item in tasks
+        if (task := item["task"]) in age_by_task and age_by_task[task] > float(item["max_success_age_hours"])
+    ]
+    assert not too_old, "Ariadne schedules are stale: " + ", ".join(too_old)
+
+
+def test_ariadne_schedule_last_status_present_and_boolean():
+    tasks = _tracked_tasks(_expected_tasks())
+    selector = _task_regex(tasks)
+    series = _query(f'ariadne_schedule_last_status{{task=~"{selector}"}}')
+    seen = {item.get("metric", {}).get("task") for item in series}
+    missing = [item["task"] for item in tasks if item["task"] not in seen]
+    assert not missing, f"Missing last-status metrics for: {', '.join(missing)}"
+
+    invalid = []
+    for item in series:
+        task = item.get("metric", {}).get("task")
+        value = float(item["value"][1])
+        if value not in (0.0, 1.0):
+            invalid.append(f"{task}={value}")
+    assert not invalid, f"Unexpected Ariadne last-status values: {', '.join(invalid)}"

ci/tests/glue/test_glue_metrics.py

@@ -1,3 +1,5 @@
+"""Glue checks for the metrics the quality-gate publishes."""
+
 from __future__ import annotations
 
 import os
@@ -23,26 +25,63 @@ def _query(promql: str) -> list[dict]:
     return payload.get("data", {}).get("result", [])
 
 
-def test_glue_metrics_present():
-    series = _query('kube_cronjob_labels{label_atlas_bstein_dev_glue="true"}')
-    assert series, "No glue cronjob label series found"
+def _expected_tasks() -> list[dict]:
+    cfg = _load_config()
+    tasks = [
+        _normalize_task(item, cfg)
+        for item in cfg.get("ariadne_schedule_tasks", [])
+    ]
+    assert tasks, "No Ariadne schedule tasks configured"
+    return tasks
 
 
-def test_glue_metrics_success_join():
-    query = (
-        "kube_cronjob_status_last_successful_time "
-        'and on(namespace,cronjob) kube_cronjob_labels{label_atlas_bstein_dev_glue="true"}'
-    )
-    series = _query(query)
-    assert series, "No glue cronjob last success series found"
+def _normalize_task(item: object, cfg: dict) -> dict:
+    if isinstance(item, str):
+        return {
+            "task": item,
+            "check_last_success": True,
+            "max_success_age_hours": cfg.get("max_success_age_hours", 48),
+        }
+    if isinstance(item, dict):
+        normalized = dict(item)
+        normalized.setdefault("check_last_success", True)
+        normalized.setdefault("max_success_age_hours", cfg.get("max_success_age_hours", 48))
+        return normalized
+    raise TypeError(f"Unsupported Ariadne schedule task config entry: {item!r}")
+
+
+def _tracked_tasks(tasks: list[dict]) -> list[dict]:
+    tracked = [item for item in tasks if item.get("check_last_success")]
+    assert tracked, "No Ariadne schedule tasks are marked for success tracking"
+    return tracked
+
+
+def _task_regex(tasks: list[dict]) -> str:
+    return "|".join(item["task"] for item in tasks)
 
 
 def test_ariadne_schedule_metrics_present():
-    cfg = _load_config()
-    expected = cfg.get("ariadne_schedule_tasks", [])
-    if not expected:
-        return
-    series = _query("ariadne_schedule_next_run_timestamp_seconds")
-    tasks = {item.get("metric", {}).get("task") for item in series}
-    missing = [task for task in expected if task not in tasks]
+    tasks = _expected_tasks()
+    selector = _task_regex(tasks)
+    series = _query(f'ariadne_schedule_next_run_timestamp_seconds{{task=~"{selector}"}}')
+    seen = {item.get("metric", {}).get("task") for item in series}
+    missing = [item["task"] for item in tasks if item["task"] not in seen]
     assert not missing, f"Missing Ariadne schedule metrics for: {', '.join(missing)}"
+
+
+def test_ariadne_schedule_success_and_status_metrics_present():
+    tasks = _tracked_tasks(_expected_tasks())
+    selector = _task_regex(tasks)
+
+    success = _query(f'ariadne_schedule_last_success_timestamp_seconds{{task=~"{selector}"}}')
+    status = _query(f'ariadne_schedule_last_status{{task=~"{selector}"}}')
+
+    success_tasks = {item.get("metric", {}).get("task") for item in success}
+    status_tasks = {item.get("metric", {}).get("task") for item in status}
+    expected = {item["task"] for item in tasks}
+
+    missing_success = sorted(expected - success_tasks)
+    missing_status = sorted(expected - status_tasks)
+
+    assert not missing_success, f"Missing Ariadne success metrics for: {', '.join(missing_success)}"
+    assert not missing_status, f"Missing Ariadne status metrics for: {', '.join(missing_status)}"

ci/titan-iac-trivy-waivers.json

@@ -0,0 +1,407 @@
+{
+  "version": 1,
+  "generated_from": "Jenkins titan-iac build 225 Trivy filesystem scan",
+  "default_expires_at": "2026-05-22",
+  "ticket": "atlas-quality-wave-k8s-hardening",
+  "default_reason": "Existing Kubernetes manifest hardening baseline accepted only for the first quality-gate rollout; fix or renew explicitly before expiry.",
+  "misconfigurations": [
+    {
+      "id": "DS-0002",
+      "targets": [
+        "dockerfiles/Dockerfile.ananke-node-helper"
+      ]
+    },
+    {
+      "id": "KSV-0009",
+      "targets": [
+        "services/mailu/vip-controller.yaml",
+        "services/maintenance/k3s-agent-restart-daemonset.yaml"
+      ]
+    },
+    {
+      "id": "KSV-0010",
+      "targets": [
+        "services/maintenance/k3s-agent-restart-daemonset.yaml",
+        "services/maintenance/metis-sentinel-amd64-daemonset.yaml",
+        "services/maintenance/metis-sentinel-arm64-daemonset.yaml",
+        "services/monitoring/jetson-tegrastats-exporter.yaml"
+      ]
+    },
+    {
+      "id": "KSV-0014",
+      "targets": [
+        "infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml",
+        "infrastructure/core/node-prefer-noschedule-cronjob.yaml",
+        "infrastructure/core/ntp-sync-daemonset.yaml",
+        "infrastructure/longhorn/adopt/longhorn-helm-adopt-job.yaml",
+        "infrastructure/longhorn/core/longhorn-disk-tags-ensure-job.yaml",
+        "infrastructure/longhorn/core/longhorn-settings-ensure-job.yaml",
+        "infrastructure/longhorn/core/vault-sync-deployment.yaml",
+        "infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml",
+        "infrastructure/modules/profiles/components/device-plugin-jetson/daemonset.yaml",
+        "infrastructure/modules/profiles/components/device-plugin-minipc/daemonset.yaml",
+        "infrastructure/modules/profiles/components/device-plugin-tethys/daemonset.yaml",
+        "infrastructure/postgres/statefulset.yaml",
+        "infrastructure/vault-csi/vault-csi-provider.yaml",
+        "services/ai-llm/deployment.yaml",
+        "services/bstein-dev-home/backend-deployment.yaml",
+        "services/bstein-dev-home/chat-ai-gateway-deployment.yaml",
+        "services/bstein-dev-home/frontend-deployment.yaml",
+        "services/bstein-dev-home/oneoffs/migrations/portal-migrate-job.yaml",
+        "services/bstein-dev-home/oneoffs/portal-onboarding-e2e-test-job.yaml",
+        "services/bstein-dev-home/vault-sync-deployment.yaml",
+        "services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml",
+        "services/comms/atlasbot-deployment.yaml",
+        "services/comms/coturn.yaml",
+        "services/comms/element-call-deployment.yaml",
+        "services/comms/guest-name-job.yaml",
+        "services/comms/guest-register-deployment.yaml",
+        "services/comms/livekit-token-deployment.yaml",
+        "services/comms/livekit.yaml",
+        "services/comms/mas-deployment.yaml",
+        "services/comms/oneoffs/bstein-force-leave-job.yaml",
+        "services/comms/oneoffs/comms-secrets-ensure-job.yaml",
+        "services/comms/oneoffs/mas-admin-client-secret-ensure-job.yaml",
+        "services/comms/oneoffs/mas-db-ensure-job.yaml",
+        "services/comms/oneoffs/mas-local-users-ensure-job.yaml",
+        "services/comms/oneoffs/othrys-kick-numeric-job.yaml",
+        "services/comms/oneoffs/synapse-admin-ensure-job.yaml",
+        "services/comms/oneoffs/synapse-seeder-admin-ensure-job.yaml",
+        "services/comms/oneoffs/synapse-signingkey-ensure-job.yaml",
+        "services/comms/oneoffs/synapse-user-seed-job.yaml",
+        "services/comms/pin-othrys-job.yaml",
+        "services/comms/reset-othrys-room-job.yaml",
+        "services/comms/seed-othrys-room.yaml",
+        "services/comms/vault-sync-deployment.yaml",
+        "services/comms/wellknown.yaml",
+        "services/crypto/monerod/deployment.yaml",
+        "services/crypto/wallet-monero-temp/deployment.yaml",
+        "services/crypto/xmr-miner/deployment.yaml",
+        "services/crypto/xmr-miner/vault-sync-deployment.yaml",
+        "services/crypto/xmr-miner/xmrig-daemonset.yaml",
+        "services/finance/actual-budget-deployment.yaml",
+        "services/finance/firefly-cronjob.yaml",
+        "services/finance/firefly-deployment.yaml",
+        "services/finance/firefly-user-sync-cronjob.yaml",
+        "services/finance/oneoffs/finance-secrets-ensure-job.yaml",
+        "services/gitea/deployment.yaml",
+        "services/harbor/vault-sync-deployment.yaml",
+        "services/health/wger-admin-ensure-cronjob.yaml",
+        "services/health/wger-deployment.yaml",
+        "services/health/wger-user-sync-cronjob.yaml",
+        "services/jellyfin/deployment.yaml",
+        "services/jellyfin/loader.yaml",
+        "services/jenkins/deployment.yaml",
+        "services/jenkins/vault-sync-deployment.yaml",
+        "services/keycloak/deployment.yaml",
+        "services/keycloak/oneoffs/actual-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/harbor-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/ldap-federation-job.yaml",
+        "services/keycloak/oneoffs/logs-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/mas-secrets-ensure-job.yaml",
+        "services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/metis-ssh-keys-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/portal-e2e-client-job.yaml",
+        "services/keycloak/oneoffs/portal-e2e-execute-actions-email-test-job.yaml",
+        "services/keycloak/oneoffs/portal-e2e-target-client-job.yaml",
+        "services/keycloak/oneoffs/portal-e2e-token-exchange-permissions-job.yaml",
+        "services/keycloak/oneoffs/portal-e2e-token-exchange-test-job.yaml",
+        "services/keycloak/oneoffs/quality-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/realm-settings-job.yaml",
+        "services/keycloak/oneoffs/soteria-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/synapse-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/user-overrides-job.yaml",
+        "services/keycloak/oneoffs/vault-oidc-secret-ensure-job.yaml",
+        "services/keycloak/vault-sync-deployment.yaml",
+        "services/logging/node-image-gc-rpi4-daemonset.yaml",
+        "services/logging/node-image-prune-rpi5-daemonset.yaml",
+        "services/logging/node-log-rotation-daemonset.yaml",
+        "services/logging/oauth2-proxy.yaml",
+        "services/logging/oneoffs/opensearch-dashboards-setup-job.yaml",
+        "services/logging/oneoffs/opensearch-ism-job.yaml",
+        "services/logging/oneoffs/opensearch-observability-setup-job.yaml",
+        "services/logging/opensearch-prune-cronjob.yaml",
+        "services/logging/vault-sync-deployment.yaml",
+        "services/mailu/mailu-sync-cronjob.yaml",
+        "services/mailu/mailu-sync-listener.yaml",
+        "services/mailu/oneoffs/mailu-sync-job.yaml",
+        "services/mailu/vault-sync-deployment.yaml",
+        "services/mailu/vip-controller.yaml",
+        "services/maintenance/ariadne-deployment.yaml",
+        "services/maintenance/disable-k3s-traefik-daemonset.yaml",
+        "services/maintenance/image-sweeper-cronjob.yaml",
+        "services/maintenance/k3s-agent-restart-daemonset.yaml",
+        "services/maintenance/metis-deployment.yaml",
+        "services/maintenance/metis-k3s-token-sync-cronjob.yaml",
+        "services/maintenance/metis-sentinel-amd64-daemonset.yaml",
+        "services/maintenance/metis-sentinel-arm64-daemonset.yaml",
+        "services/maintenance/node-image-sweeper-daemonset.yaml",
+        "services/maintenance/node-nofile-daemonset.yaml",
+        "services/maintenance/oauth2-proxy-metis.yaml",
+        "services/maintenance/oauth2-proxy-soteria.yaml",
+        "services/maintenance/oneoffs/ariadne-migrate-job.yaml",
+        "services/maintenance/oneoffs/k3s-traefik-cleanup-job.yaml",
+        "services/maintenance/oneoffs/titan-24-rootfs-sweep-job.yaml",
+        "services/maintenance/pod-cleaner-cronjob.yaml",
+        "services/maintenance/soteria-deployment.yaml",
+        "services/maintenance/vault-sync-deployment.yaml",
+        "services/monitoring/dcgm-exporter.yaml",
+        "services/monitoring/jetson-tegrastats-exporter.yaml",
+        "services/monitoring/oneoffs/grafana-org-bootstrap.yaml",
+        "services/monitoring/oneoffs/grafana-user-dedupe-job.yaml",
+        "services/monitoring/platform-quality-gateway-deployment.yaml",
+        "services/monitoring/platform-quality-suite-probe-cronjob.yaml",
+        "services/monitoring/postmark-exporter-deployment.yaml",
+        "services/monitoring/vmalert-atlas-availability.yaml",
+        "services/monitoring/vault-sync-deployment.yaml",
+        "services/nextcloud-mail-sync/cronjob.yaml",
+        "services/nextcloud/collabora.yaml",
+        "services/nextcloud/cronjob.yaml",
+        "services/nextcloud/deployment.yaml",
+        "services/nextcloud/maintenance-cronjob.yaml",
+        "services/oauth2-proxy/deployment.yaml",
+        "services/openldap/statefulset.yaml",
+        "services/outline/deployment.yaml",
+        "services/outline/redis-deployment.yaml",
+        "services/pegasus/deployment.yaml",
+        "services/pegasus/vault-sync-deployment.yaml",
+        "services/planka/deployment.yaml",
+        "services/quality/oauth2-proxy-sonarqube.yaml",
+        "services/quality/sonarqube-deployment.yaml",
+        "services/quality/sonarqube-exporter-deployment.yaml",
+        "services/sui-metrics/base/deployment.yaml",
+        "services/typhon/vault-sync-deployment.yaml",
+        "services/vault/k8s-auth-config-cronjob.yaml",
+        "services/vault/oidc-config-cronjob.yaml",
+        "services/vault/statefulset.yaml",
+        "services/vaultwarden/deployment.yaml"
+      ]
+    },
+    {
+      "id": "KSV-0017",
+      "targets": [
+        "infrastructure/modules/profiles/components/device-plugin-jetson/daemonset.yaml",
+        "infrastructure/modules/profiles/components/device-plugin-minipc/daemonset.yaml",
+        "infrastructure/modules/profiles/components/device-plugin-tethys/daemonset.yaml",
+        "services/logging/node-image-gc-rpi4-daemonset.yaml",
+        "services/logging/node-image-prune-rpi5-daemonset.yaml",
+        "services/logging/node-log-rotation-daemonset.yaml",
+        "services/maintenance/disable-k3s-traefik-daemonset.yaml",
+        "services/maintenance/image-sweeper-cronjob.yaml",
+        "services/maintenance/k3s-agent-restart-daemonset.yaml",
+        "services/maintenance/metis-deployment.yaml",
+        "services/maintenance/metis-sentinel-amd64-daemonset.yaml",
+        "services/maintenance/metis-sentinel-arm64-daemonset.yaml",
+        "services/maintenance/node-image-sweeper-daemonset.yaml",
+        "services/maintenance/node-nofile-daemonset.yaml",
+        "services/maintenance/oneoffs/titan-24-rootfs-sweep-job.yaml",
+        "services/monitoring/dcgm-exporter.yaml",
+        "services/monitoring/jetson-tegrastats-exporter.yaml"
+      ]
+    },
+    {
+      "id": "KSV-0041",
+      "targets": [
+        "infrastructure/cert-manager/cleanup/cert-manager-cleanup-rbac.yaml",
+        "infrastructure/longhorn/adopt/longhorn-adopt-rbac.yaml",
+        "infrastructure/traefik/clusterrole.yaml",
+        "services/bstein-dev-home/rbac.yaml",
+        "services/comms/comms-secrets-ensure-rbac.yaml",
+        "services/comms/mas-db-ensure-rbac.yaml",
+        "services/comms/mas-secrets-ensure-rbac.yaml",
+        "services/maintenance/soteria-rbac.yaml"
+      ]
+    },
+    {
+      "id": "KSV-0047",
+      "targets": [
+        "services/monitoring/rbac.yaml"
+      ]
+    },
+    {
+      "id": "KSV-0053",
+      "targets": [
+        "services/comms/comms-secrets-ensure-rbac.yaml",
+        "services/comms/mas-db-ensure-rbac.yaml",
+        "services/jenkins/serviceaccount.yaml",
+        "services/maintenance/ariadne-rbac.yaml"
+      ]
+    },
+    {
+      "id": "KSV-0056",
+      "targets": [
+        "infrastructure/cert-manager/cleanup/cert-manager-cleanup-rbac.yaml",
+        "infrastructure/longhorn/adopt/longhorn-adopt-rbac.yaml",
+        "services/jenkins/serviceaccount.yaml",
+        "services/maintenance/disable-k3s-traefik-rbac.yaml",
+        "services/maintenance/k3s-traefik-cleanup-rbac.yaml"
+      ]
+    },
+    {
+      "id": "KSV-0114",
+      "targets": [
+        "infrastructure/cert-manager/cleanup/cert-manager-cleanup-rbac.yaml"
+      ]
+    },
+    {
+      "id": "KSV-0118",
+      "targets": [
+        "infrastructure/cert-manager/cleanup/cert-manager-cleanup-job.yaml",
+        "infrastructure/core/coredns-deployment.yaml",
+        "infrastructure/core/node-prefer-noschedule-cronjob.yaml",
+        "infrastructure/core/ntp-sync-daemonset.yaml",
+        "infrastructure/longhorn/adopt/longhorn-helm-adopt-job.yaml",
+        "infrastructure/longhorn/core/longhorn-disk-tags-ensure-job.yaml",
+        "infrastructure/longhorn/core/longhorn-settings-ensure-job.yaml",
+        "infrastructure/longhorn/core/vault-sync-deployment.yaml",
+        "infrastructure/longhorn/ui-ingress/oauth2-proxy-longhorn.yaml",
+        "infrastructure/modules/profiles/components/device-plugin-jetson/daemonset.yaml",
+        "infrastructure/modules/profiles/components/device-plugin-minipc/daemonset.yaml",
+        "infrastructure/modules/profiles/components/device-plugin-tethys/daemonset.yaml",
+        "infrastructure/postgres/statefulset.yaml",
+        "infrastructure/vault-csi/vault-csi-provider.yaml",
+        "services/ai-llm/deployment.yaml",
+        "services/bstein-dev-home/backend-deployment.yaml",
+        "services/bstein-dev-home/chat-ai-gateway-deployment.yaml",
+        "services/bstein-dev-home/frontend-deployment.yaml",
+        "services/bstein-dev-home/oneoffs/migrations/portal-migrate-job.yaml",
+        "services/bstein-dev-home/oneoffs/portal-onboarding-e2e-test-job.yaml",
+        "services/bstein-dev-home/vault-sync-deployment.yaml",
+        "services/bstein-dev-home/vaultwarden-cred-sync-cronjob.yaml",
+        "services/comms/atlasbot-deployment.yaml",
+        "services/comms/coturn.yaml",
+        "services/comms/element-call-deployment.yaml",
+        "services/comms/guest-name-job.yaml",
+        "services/comms/livekit-token-deployment.yaml",
+        "services/comms/livekit.yaml",
+        "services/comms/mas-deployment.yaml",
+        "services/comms/oneoffs/bstein-force-leave-job.yaml",
+        "services/comms/oneoffs/comms-secrets-ensure-job.yaml",
+        "services/comms/oneoffs/mas-admin-client-secret-ensure-job.yaml",
+        "services/comms/oneoffs/mas-db-ensure-job.yaml",
+        "services/comms/oneoffs/mas-local-users-ensure-job.yaml",
+        "services/comms/oneoffs/othrys-kick-numeric-job.yaml",
+        "services/comms/oneoffs/synapse-admin-ensure-job.yaml",
+        "services/comms/oneoffs/synapse-seeder-admin-ensure-job.yaml",
+        "services/comms/oneoffs/synapse-signingkey-ensure-job.yaml",
+        "services/comms/oneoffs/synapse-user-seed-job.yaml",
+        "services/comms/pin-othrys-job.yaml",
+        "services/comms/reset-othrys-room-job.yaml",
+        "services/comms/seed-othrys-room.yaml",
+        "services/comms/vault-sync-deployment.yaml",
+        "services/comms/wellknown.yaml",
+        "services/crypto/monerod/deployment.yaml",
+        "services/crypto/wallet-monero-temp/deployment.yaml",
+        "services/crypto/xmr-miner/deployment.yaml",
+        "services/crypto/xmr-miner/vault-sync-deployment.yaml",
+        "services/crypto/xmr-miner/xmrig-daemonset.yaml",
+        "services/finance/firefly-cronjob.yaml",
+        "services/finance/firefly-deployment.yaml",
+        "services/finance/firefly-user-sync-cronjob.yaml",
+        "services/finance/oneoffs/finance-secrets-ensure-job.yaml",
+        "services/gitea/deployment.yaml",
+        "services/harbor/vault-sync-deployment.yaml",
+        "services/health/wger-admin-ensure-cronjob.yaml",
+        "services/health/wger-deployment.yaml",
+        "services/health/wger-user-sync-cronjob.yaml",
+        "services/jellyfin/loader.yaml",
+        "services/jenkins/deployment.yaml",
+        "services/jenkins/vault-sync-deployment.yaml",
+        "services/keycloak/oneoffs/actual-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/harbor-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/ldap-federation-job.yaml",
+        "services/keycloak/oneoffs/logs-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/mas-secrets-ensure-job.yaml",
+        "services/keycloak/oneoffs/metis-node-passwords-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/metis-ssh-keys-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/portal-admin-client-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/portal-e2e-client-job.yaml",
+        "services/keycloak/oneoffs/portal-e2e-execute-actions-email-test-job.yaml",
+        "services/keycloak/oneoffs/portal-e2e-target-client-job.yaml",
+        "services/keycloak/oneoffs/portal-e2e-token-exchange-permissions-job.yaml",
+        "services/keycloak/oneoffs/portal-e2e-token-exchange-test-job.yaml",
+        "services/keycloak/oneoffs/quality-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/realm-settings-job.yaml",
+        "services/keycloak/oneoffs/soteria-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/synapse-oidc-secret-ensure-job.yaml",
+        "services/keycloak/oneoffs/user-overrides-job.yaml",
+        "services/keycloak/oneoffs/vault-oidc-secret-ensure-job.yaml",
+        "services/keycloak/vault-sync-deployment.yaml",
+        "services/logging/node-image-gc-rpi4-daemonset.yaml",
+        "services/logging/node-image-prune-rpi5-daemonset.yaml",
+        "services/logging/node-log-rotation-daemonset.yaml",
+        "services/logging/oauth2-proxy.yaml",
+        "services/logging/oneoffs/opensearch-dashboards-setup-job.yaml",
+        "services/logging/oneoffs/opensearch-ism-job.yaml",
+        "services/logging/oneoffs/opensearch-observability-setup-job.yaml",
+        "services/logging/opensearch-prune-cronjob.yaml",
+        "services/logging/vault-sync-deployment.yaml",
+        "services/mailu/mailu-sync-cronjob.yaml",
+        "services/mailu/mailu-sync-listener.yaml",
+        "services/mailu/oneoffs/mailu-sync-job.yaml",
+        "services/mailu/vault-sync-deployment.yaml",
+        "services/mailu/vip-controller.yaml",
+        "services/maintenance/ariadne-deployment.yaml",
+        "services/maintenance/disable-k3s-traefik-daemonset.yaml",
+        "services/maintenance/image-sweeper-cronjob.yaml",
+        "services/maintenance/k3s-agent-restart-daemonset.yaml",
+        "services/maintenance/metis-deployment.yaml",
+        "services/maintenance/metis-k3s-token-sync-cronjob.yaml",
+        "services/maintenance/metis-sentinel-amd64-daemonset.yaml",
+        "services/maintenance/metis-sentinel-arm64-daemonset.yaml",
+        "services/maintenance/node-image-sweeper-daemonset.yaml",
+        "services/maintenance/node-nofile-daemonset.yaml",
+        "services/maintenance/oauth2-proxy-metis.yaml",
+        "services/maintenance/oauth2-proxy-soteria.yaml",
+        "services/maintenance/oneoffs/ariadne-migrate-job.yaml",
+        "services/maintenance/oneoffs/k3s-traefik-cleanup-job.yaml",
+        "services/maintenance/oneoffs/titan-24-rootfs-sweep-job.yaml",
+        "services/maintenance/pod-cleaner-cronjob.yaml",
+        "services/maintenance/soteria-deployment.yaml",
+        "services/maintenance/vault-sync-deployment.yaml",
+        "services/monitoring/dcgm-exporter.yaml",
+        "services/monitoring/jetson-tegrastats-exporter.yaml",
+        "services/monitoring/oneoffs/grafana-org-bootstrap.yaml",
+        "services/monitoring/oneoffs/grafana-user-dedupe-job.yaml",
+        "services/monitoring/platform-quality-gateway-deployment.yaml",
+        "services/monitoring/platform-quality-suite-probe-cronjob.yaml",
+        "services/monitoring/postmark-exporter-deployment.yaml",
+        "services/monitoring/vmalert-atlas-availability.yaml",
+        "services/monitoring/vault-sync-deployment.yaml",
+        "services/nextcloud/collabora.yaml",
+        "services/oauth2-proxy/deployment.yaml",
+        "services/openldap/statefulset.yaml",
+        "services/outline/deployment.yaml",
+        "services/outline/redis-deployment.yaml",
+        "services/pegasus/vault-sync-deployment.yaml",
+        "services/quality/oauth2-proxy-sonarqube.yaml",
+        "services/quality/sonarqube-deployment.yaml",
+        "services/quality/sonarqube-exporter-deployment.yaml",
+        "services/sui-metrics/base/deployment.yaml",
+        "services/sui-metrics/overlays/atlas/patch-node-selector.yaml",
+        "services/typhon/deployment.yaml",
+        "services/typhon/vault-sync-deployment.yaml",
+        "services/vault/k8s-auth-config-cronjob.yaml",
+        "services/vault/oidc-config-cronjob.yaml",
+        "services/vaultwarden/deployment.yaml"
+      ]
+    },
+    {
+      "id": "KSV-0121",
+      "targets": [
+        "services/logging/node-image-gc-rpi4-daemonset.yaml",
+        "services/logging/node-image-prune-rpi5-daemonset.yaml",
+        "services/logging/node-log-rotation-daemonset.yaml",
+        "services/maintenance/disable-k3s-traefik-daemonset.yaml",
+        "services/maintenance/image-sweeper-cronjob.yaml",
+        "services/maintenance/metis-deployment.yaml",
+        "services/maintenance/node-image-sweeper-daemonset.yaml",
+        "services/maintenance/node-nofile-daemonset.yaml",
+        "services/maintenance/oneoffs/titan-24-rootfs-sweep-job.yaml"
+      ]
+    }
+  ]
+}

clusters/atlas/flux-system/applications/ai-llm/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: ai-llm
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/ai-llm

clusters/atlas/flux-system/applications/bstein-dev-home-migrations/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: bstein-dev-home-migrations
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/bstein-dev-home/oneoffs/migrations

clusters/atlas/flux-system/applications/bstein-dev-home/image-automation.yaml

@@ -13,14 +13,14 @@ spec:
   git:
     checkout:
       ref:
-        branch: feature/ariadne
+        branch: main
     commit:
       author:
         email: ops@bstein.dev
         name: flux-bot
       messageTemplate: "chore(bstein-dev-home): automated image update"
     push:
-      branch: feature/ariadne
+      branch: main
   update:
     strategy: Setters
     path: services/bstein-dev-home

clusters/atlas/flux-system/applications/bstein-dev-home/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: bstein-dev-home
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/bstein-dev-home

clusters/atlas/flux-system/applications/comms/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: comms
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   prune: true
@@ -13,5 +15,3 @@ spec:
   path: ./services/comms
   targetNamespace: comms
   timeout: 2m
-  dependsOn:
-    - name: traefik

clusters/atlas/flux-system/applications/crypto/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: crypto
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/crypto

clusters/atlas/flux-system/applications/finance/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: finance
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/finance

clusters/atlas/flux-system/applications/gitea/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: gitea
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/gitea

clusters/atlas/flux-system/applications/harbor/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: harbor
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/harbor

clusters/atlas/flux-system/applications/health/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: health
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/health
@@ -15,7 +17,6 @@ spec:
   dependsOn:
     - name: keycloak
     - name: postgres
-    - name: traefik
     - name: vault
   healthChecks:
     - apiVersion: apps/v1

clusters/atlas/flux-system/applications/jellyfin/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: jellyfin
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/jellyfin

clusters/atlas/flux-system/applications/jenkins/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: jenkins
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/jenkins
@@ -14,7 +16,6 @@ spec:
   targetNamespace: jenkins
   dependsOn:
     - name: helm
-    - name: traefik
   healthChecks:
     - apiVersion: apps/v1
       kind: Deployment

clusters/atlas/flux-system/applications/keycloak/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: keycloak
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   prune: true

clusters/atlas/flux-system/applications/kustomization.yaml

@@ -21,10 +21,12 @@ resources:
   - sui-metrics/kustomization.yaml
   - openldap/kustomization.yaml
   - keycloak/kustomization.yaml
+  - quality/kustomization.yaml
   - oauth2-proxy/kustomization.yaml
   - mailu/kustomization.yaml
   - jenkins/kustomization.yaml
   - ai-llm/kustomization.yaml
+  - typhon/kustomization.yaml
   - nextcloud/kustomization.yaml
   - nextcloud-mail-sync/kustomization.yaml
   - outline/kustomization.yaml

clusters/atlas/flux-system/applications/mailu/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: mailu
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   sourceRef:

clusters/atlas/flux-system/applications/monerod/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: monerod
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/crypto/monerod

clusters/atlas/flux-system/applications/nextcloud-mail-sync/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: nextcloud-mail-sync
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   prune: true

clusters/atlas/flux-system/applications/nextcloud/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: nextcloud
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/nextcloud

clusters/atlas/flux-system/applications/oauth2-proxy/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: oauth2-proxy
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   prune: true

clusters/atlas/flux-system/applications/openldap/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: openldap
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   prune: true

clusters/atlas/flux-system/applications/outline/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: outline
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/outline
@@ -15,7 +17,6 @@ spec:
   dependsOn:
     - name: keycloak
     - name: mailu
-    - name: traefik
   healthChecks:
     - apiVersion: apps/v1
       kind: Deployment

clusters/atlas/flux-system/applications/pegasus/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: pegasus
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/pegasus

clusters/atlas/flux-system/applications/planka/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: planka
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/planka
@@ -15,7 +17,6 @@ spec:
   dependsOn:
     - name: keycloak
     - name: mailu
-    - name: traefik
   healthChecks:
     - apiVersion: apps/v1
       kind: Deployment

clusters/atlas/flux-system/applications/quality/kustomization.yaml

@@ -0,0 +1,36 @@
+# clusters/atlas/flux-system/applications/quality/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: quality
+  namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
+spec:
+  interval: 10m
+  path: ./services/quality
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  targetNamespace: quality
+  dependsOn:
+    - name: cert-manager
+    - name: keycloak
+    - name: vault
+    - name: postgres
+  healthChecks:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: sonarqube
+      namespace: quality
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: sonarqube-exporter
+      namespace: quality
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: oauth2-proxy-sonarqube
+      namespace: quality
+  wait: false
+  timeout: 20m

clusters/atlas/flux-system/applications/sui-metrics/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: sui-metrics
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/sui-metrics/overlays/atlas

clusters/atlas/flux-system/applications/typhon/kustomization.yaml

@@ -0,0 +1,31 @@
+# clusters/atlas/flux-system/applications/typhon/kustomization.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: typhon
+  namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
+spec:
+  interval: 10m
+  path: ./services/typhon
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  targetNamespace: climate
+  dependsOn:
+    - name: vault
+    - name: vault-csi
+    - name: monitoring
+  healthChecks:
+    - apiVersion: apps/v1
+      kind: Deployment
+      name: typhon
+      namespace: climate
+    - apiVersion: v1
+      kind: Service
+      name: typhon
+      namespace: climate
+  wait: false
+  timeout: 20m

clusters/atlas/flux-system/applications/vault/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: vault
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   sourceRef:

clusters/atlas/flux-system/applications/vaultwarden/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: vaultwarden
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   suspend: false
@@ -17,4 +19,3 @@ spec:
   wait: true
   dependsOn:
     - name: helm
-    - name: traefik

clusters/atlas/flux-system/applications/wallet-monero-temp/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: wallet-monero-temp
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/crypto/wallet-monero-temp

clusters/atlas/flux-system/applications/xmr-miner/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: xmr-miner
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/crypto/xmr-miner

clusters/atlas/flux-system/gotk-components.yaml

@@ -5966,6 +5966,9 @@ spec:
       - args:
         - --events-addr=http://notification-controller.$(RUNTIME_NAMESPACE).svc.cluster.local./
         - --watch-all-namespaces=true
+        - --concurrent=1
+        - --requeue-dependency=5s
+        - --interval-jitter-percentage=30
         - --log-level=info
         - --log-encoding=json
         - --enable-leader-election

clusters/atlas/flux-system/gotk-sync.yaml

@@ -7,7 +7,7 @@ metadata:
   name: flux-system
   namespace: flux-system
 spec:
-  interval: 1m0s
+  interval: 15m0s
   ref:
     branch: main
   secretRef:
@@ -20,7 +20,7 @@ metadata:
   name: flux-system
   namespace: flux-system
 spec:
-  interval: 10m0s
+  interval: 1h0m0s
   path: ./clusters/atlas/flux-system
   prune: true
   sourceRef:

clusters/atlas/flux-system/platform/cert-manager-cleanup/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: cert-manager-cleanup
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 30m
   path: ./infrastructure/cert-manager/cleanup

clusters/atlas/flux-system/platform/cert-manager/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: cert-manager
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 30m
   path: ./infrastructure/cert-manager

clusters/atlas/flux-system/platform/core/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: core
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./infrastructure/core

clusters/atlas/flux-system/platform/gitops-ui/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: gitops-ui
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   timeout: 10m
@@ -16,5 +18,4 @@ spec:
   targetNamespace: flux-system
   dependsOn:
     - name: helm
-    - name: traefik
   wait: true

clusters/atlas/flux-system/platform/helm/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: helm
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 30m
   sourceRef:

clusters/atlas/flux-system/platform/logging/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: logging
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/logging

clusters/atlas/flux-system/platform/longhorn-adopt/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: longhorn-adopt
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 30m
   path: ./infrastructure/longhorn/adopt

clusters/atlas/flux-system/platform/longhorn-ui/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: longhorn-ui
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./infrastructure/longhorn/ui-ingress

clusters/atlas/flux-system/platform/longhorn/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: longhorn
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 30m
   path: ./infrastructure/longhorn/core

clusters/atlas/flux-system/platform/maintenance/image-automation.yaml

@@ -13,14 +13,14 @@ spec:
   git:
     checkout:
       ref:
-        branch: feature/ariadne
+        branch: main
     commit:
       author:
         email: ops@bstein.dev
         name: flux-bot
       messageTemplate: "chore(maintenance): automated image update"
     push:
-      branch: feature/ariadne
+      branch: main
   update:
     strategy: Setters
     path: services/maintenance

clusters/atlas/flux-system/platform/maintenance/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: maintenance
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/maintenance

clusters/atlas/flux-system/platform/metallb/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: metallb
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 30m
   sourceRef:

clusters/atlas/flux-system/platform/monitoring/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: monitoring
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./services/monitoring

clusters/atlas/flux-system/platform/postgres/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: postgres
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./infrastructure/postgres

clusters/atlas/flux-system/platform/traefik/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: traefik
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 10m
   path: ./infrastructure/traefik

clusters/atlas/flux-system/platform/vault-csi/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: vault-csi
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 30m
   sourceRef:

clusters/atlas/flux-system/platform/vault-injector/kustomization.yaml

@@ -4,6 +4,8 @@ kind: Kustomization
 metadata:
   name: vault-injector
   namespace: flux-system
+  annotations:
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
 spec:
   interval: 30m
   path: ./infrastructure/vault-injector

dockerfiles/Dockerfile.comms-guest-tools

@@ -2,4 +2,8 @@ FROM python:3.11-slim
 
 ENV PIP_DISABLE_PIP_VERSION_CHECK=1
 
-RUN pip install --no-cache-dir requests psycopg2-binary
+RUN pip install --no-cache-dir requests psycopg2-binary \
+    && groupadd --system guest-tools \
+    && useradd --system --uid 65532 --gid guest-tools --home-dir /nonexistent --shell /usr/sbin/nologin guest-tools
+
+USER guest-tools

dockerfiles/Dockerfile.data-prepper

@@ -1,16 +1,8 @@
-FROM --platform=$BUILDPLATFORM opensearchproject/data-prepper:2.8.0 AS source
-
-FROM --platform=$TARGETPLATFORM eclipse-temurin:17-jre
+# Use the mirrored Harbor artifact so CI does not depend on Docker Hub egress.
+FROM registry.bstein.dev/streaming/data-prepper@sha256:32ac6ad42e0f12da08bebee307e290b17d127b30def9b06eeaffbcbbc5033e83
 
 ENV DATA_PREPPER_PATH=/usr/share/data-prepper
 
-RUN useradd -u 10001 -M -U -d / -s /usr/sbin/nologin data_prepper \
-  && mkdir -p /var/log/data-prepper
-
-COPY --from=source /usr/share/data-prepper /usr/share/data-prepper
-
-RUN chown -R 10001:10001 /usr/share/data-prepper /var/log/data-prepper
-
 USER 10001
 WORKDIR /usr/share/data-prepper
 CMD ["bin/data-prepper"]

dockerfiles/Dockerfile.livekit-token-vault

@@ -1,10 +1,13 @@
 FROM ghcr.io/element-hq/lk-jwt-service:0.3.0 AS base
 
 FROM alpine:3.20
-RUN apk add --no-cache ca-certificates
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S livekit-token \
+    && adduser -S -D -H -u 65532 -G livekit-token livekit-token
 COPY --from=base /lk-jwt-service /lk-jwt-service
 COPY dockerfiles/vault-entrypoint.sh /entrypoint.sh
 RUN chmod 0755 /entrypoint.sh
 
+USER livekit-token
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/lk-jwt-service"]

dockerfiles/Dockerfile.monero-p2pool

@@ -29,10 +29,12 @@ FROM ${DEBIAN_IMAGE}
 RUN set -eux; \
     apt-get update; \
     apt-get install -y --no-install-recommends ca-certificates; \
-    update-ca-certificates; rm -rf /var/lib/apt/lists/*
+    update-ca-certificates; rm -rf /var/lib/apt/lists/*; \
+    groupadd --system p2pool; \
+    useradd --system --uid 65532 --gid p2pool --home-dir /nonexistent --shell /usr/sbin/nologin p2pool
 COPY --from=fetch /out/p2pool /usr/local/bin/p2pool
 
 RUN /usr/local/bin/p2pool --version || true
 EXPOSE 3333
+USER p2pool
 ENTRYPOINT ["/usr/local/bin/p2pool"]
-

dockerfiles/Dockerfile.monero-wallet-rpc

@@ -26,9 +26,12 @@ RUN set -eux; \
     curl -fsSL "$URL" -o /opt/monero/monero.tar.bz2; \
     tar -xjf /opt/monero/monero.tar.bz2 -C /opt/monero --strip-components=1; \
     install -m 0755 /opt/monero/monero-wallet-rpc /usr/local/bin/monero-wallet-rpc; \
-    rm -f /opt/monero/monero.tar.bz2
+    rm -f /opt/monero/monero.tar.bz2; \
+    groupadd --system monero; \
+    useradd --system --uid 1000 --gid monero --home-dir /nonexistent --shell /usr/sbin/nologin monero
 
 ENV PATH="/usr/local/bin:/usr/bin:/bin"
 RUN /usr/local/bin/monero-wallet-rpc --version || true
 
 EXPOSE 18083
+USER monero

dockerfiles/Dockerfile.monerod

@@ -23,10 +23,14 @@ RUN set -eux; \
     mkdir -p /opt/monero; \
     tar -xjf /tmp/monero.tar.bz2 -C /opt/monero --strip-components=1; \
     rm -f /tmp/monero.tar.bz2; \
+    groupadd --system monero; \
+    useradd --system --uid 1000 --gid monero --home-dir /nonexistent --shell /usr/sbin/nologin monero; \
     mkdir -p /data; \
+    chown monero:monero /data; \
     chmod 0770 /data
 
 ENV LD_LIBRARY_PATH=/opt/monero:/opt/monero/lib \
     PATH="/opt/monero:${PATH}"
 
+USER monero
 CMD ["/opt/monero/monerod", "--version"]

dockerfiles/Dockerfile.oauth2-proxy-vault

@@ -1,10 +1,13 @@
 FROM quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 AS base
 
 FROM alpine:3.20
-RUN apk add --no-cache ca-certificates
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S oauth2-proxy \
+    && adduser -S -D -H -u 65532 -G oauth2-proxy oauth2-proxy
 COPY --from=base /bin/oauth2-proxy /bin/oauth2-proxy
 COPY dockerfiles/vault-entrypoint.sh /entrypoint.sh
 RUN chmod 0755 /entrypoint.sh
 
+USER oauth2-proxy
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/bin/oauth2-proxy"]

dockerfiles/Dockerfile.pegasus-vault

@@ -1,10 +1,13 @@
 FROM registry.bstein.dev/streaming/pegasus:1.2.32 AS base
 
 FROM alpine:3.20
-RUN apk add --no-cache ca-certificates
+RUN apk add --no-cache ca-certificates \
+    && addgroup -S pegasus \
+    && adduser -S -D -H -u 65532 -G pegasus pegasus
 COPY --from=base /pegasus /pegasus
 COPY dockerfiles/vault-entrypoint.sh /entrypoint.sh
 RUN chmod 0755 /entrypoint.sh
 
+USER pegasus
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/pegasus"]

dockerfiles/Dockerfile.quality-tools

@@ -0,0 +1,48 @@
+# dockerfiles/Dockerfile.quality-tools
+FROM debian:bookworm-slim
+
+ARG SONAR_SCANNER_VERSION=8.0.1.6346
+ARG TRIVY_VERSION=0.70.0
+ENV TRIVY_CACHE_DIR=/opt/trivy-cache
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+    bash \
+    ca-certificates \
+    curl \
+    git \
+    jq \
+    unzip \
+  && rm -rf /var/lib/apt/lists/* \
+  && groupadd --system quality-tools \
+  && useradd --system --uid 65532 --gid quality-tools --home-dir /nonexistent --shell /usr/sbin/nologin quality-tools
+
+RUN set -eux; \
+  scanner_zip="sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-aarch64.zip"; \
+  base_url="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli"; \
+  curl -fsSL "${base_url}/${scanner_zip}" -o "/tmp/${scanner_zip}"; \
+  curl -fsSL "${base_url}/${scanner_zip}.sha256" -o "/tmp/${scanner_zip}.sha256"; \
+  printf '%s  %s\n' "$(cat "/tmp/${scanner_zip}.sha256")" "/tmp/${scanner_zip}" | sha256sum -c -; \
+  unzip -q "/tmp/${scanner_zip}" -d /opt; \
+  ln -s "/opt/sonar-scanner-${SONAR_SCANNER_VERSION}-linux-aarch64/bin/sonar-scanner" /usr/local/bin/sonar-scanner; \
+  rm -f "/tmp/${scanner_zip}" "/tmp/${scanner_zip}.sha256"
+
+RUN set -eux; \
+  trivy_tgz="trivy_${TRIVY_VERSION}_Linux-ARM64.tar.gz"; \
+  curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/${trivy_tgz}" -o "/tmp/${trivy_tgz}"; \
+  tar -C /usr/local/bin -xzf "/tmp/${trivy_tgz}" trivy; \
+  rm -f "/tmp/${trivy_tgz}"; \
+  trivy --version; \
+  sonar-scanner -v
+
+RUN set -eux; \
+  mkdir -p "${TRIVY_CACHE_DIR}"; \
+  trivy image --download-db-only --cache-dir "${TRIVY_CACHE_DIR}"; \
+  chmod -R a+rX "${TRIVY_CACHE_DIR}"; \
+  mkdir -p /workspace; \
+  chown quality-tools:quality-tools /workspace
+
+WORKDIR /workspace
+USER quality-tools

infrastructure/cert-manager/helmrelease.yaml

@@ -33,6 +33,36 @@ spec:
       node-role.kubernetes.io/worker: "true"
     affinity:
       nodeAffinity:
+        preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            preference:
+              matchExpressions:
+                - key: atlas.bstein.dev/spillover
+                  operator: DoesNotExist
+          - weight: 95
+            preference:
+              matchExpressions:
+                - key: kubernetes.io/hostname
+                  operator: NotIn
+                  values:
+                    - titan-13
+                    - titan-15
+                    - titan-17
+                    - titan-19
+          - weight: 90
+            preference:
+              matchExpressions:
+                - key: hardware
+                  operator: In
+                  values:
+                    - rpi5
+          - weight: 50
+            preference:
+              matchExpressions:
+                - key: hardware
+                  operator: In
+                  values:
+                    - rpi4
         requiredDuringSchedulingIgnoredDuringExecution:
           nodeSelectorTerms:
             - matchExpressions:
@@ -46,6 +76,36 @@ spec:
         node-role.kubernetes.io/worker: "true"
       affinity:
         nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              preference:
+                matchExpressions:
+                  - key: atlas.bstein.dev/spillover
+                    operator: DoesNotExist
+            - weight: 95
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/hostname
+                    operator: NotIn
+                    values:
+                      - titan-13
+                      - titan-15
+                      - titan-17
+                      - titan-19
+            - weight: 90
+              preference:
+                matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values:
+                      - rpi5
+            - weight: 50
+              preference:
+                matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values:
+                      - rpi4
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
               - matchExpressions:
@@ -59,6 +119,36 @@ spec:
         node-role.kubernetes.io/worker: "true"
       affinity:
         nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              preference:
+                matchExpressions:
+                  - key: atlas.bstein.dev/spillover
+                    operator: DoesNotExist
+            - weight: 95
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/hostname
+                    operator: NotIn
+                    values:
+                      - titan-13
+                      - titan-15
+                      - titan-17
+                      - titan-19
+            - weight: 90
+              preference:
+                matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values:
+                      - rpi5
+            - weight: 50
+              preference:
+                matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values:
+                      - rpi4
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
               - matchExpressions:

infrastructure/core/kustomization.yaml

@@ -4,6 +4,9 @@ kind: Kustomization
 resources:
   - ../modules/base
   - ../modules/profiles/atlas-ha
+  - node-prefer-noschedule-serviceaccount.yaml
+  - node-prefer-noschedule-rbac.yaml
+  - node-prefer-noschedule-cronjob.yaml
   - coredns-custom.yaml
   - coredns-deployment.yaml
   - ntp-sync-daemonset.yaml

infrastructure/core/node-prefer-noschedule-cronjob.yaml

@@ -0,0 +1,35 @@
+# infrastructure/core/node-prefer-noschedule-cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: node-prefer-noschedule
+  namespace: kube-system
+spec:
+  schedule: "*/20 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      template:
+        spec:
+          serviceAccountName: node-prefer-noschedule
+          restartPolicy: OnFailure
+          containers:
+            - name: taint
+              image: bitnami/kubectl@sha256:554ab88b1858e8424c55de37ad417b16f2a0e65d1607aa0f3fe3ce9b9f10b131
+              command:
+                - /usr/bin/env
+                - bash
+                - -ceu
+                - |
+                  for node in titan-13 titan-15 titan-17 titan-19; do
+                    if kubectl get node "${node}" >/dev/null 2>&1; then
+                      kubectl label node "${node}" atlas.bstein.dev/spillover=true --overwrite=true
+                      kubectl taint node "${node}" longhorn=true:PreferNoSchedule --overwrite=true
+                      kubectl taint node "${node}" atlas.bstein.dev/spillover=true:PreferNoSchedule --overwrite=true
+                    else
+                      echo "skipping missing node ${node}"
+                    fi
+                  done

infrastructure/core/node-prefer-noschedule-rbac.yaml

@@ -0,0 +1,22 @@
+# infrastructure/core/node-prefer-noschedule-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-prefer-noschedule
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-prefer-noschedule
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-prefer-noschedule
+subjects:
+  - kind: ServiceAccount
+    name: node-prefer-noschedule
+    namespace: kube-system

infrastructure/core/node-prefer-noschedule-serviceaccount.yaml

@@ -0,0 +1,6 @@
+# infrastructure/core/node-prefer-noschedule-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: node-prefer-noschedule
+  namespace: kube-system

infrastructure/longhorn/core/helmrelease.yaml

@@ -26,6 +26,9 @@ spec:
     cleanupOnFail: true
     timeout: 15m
   values:
+    global:
+      nodeSelector:
+        longhorn-host: "true"
     service:
       ui:
         type: NodePort
@@ -78,3 +81,12 @@ spec:
           tag: v2.16.0
     defaultSettings:
       systemManagedPodsImagePullPolicy: Always
+    longhornManager:
+      nodeSelector:
+        longhorn-host: "true"
+    longhornDriver:
+      nodeSelector:
+        longhorn-host: "true"
+    longhornUI:
+      nodeSelector:
+        longhorn-host: "true"

infrastructure/longhorn/core/longhorn-settings-ensure-job.yaml

@@ -2,10 +2,11 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: longhorn-settings-ensure-4
+  name: longhorn-settings-ensure-7
   namespace: longhorn-system
 spec:
   backoffLimit: 0
+  activeDeadlineSeconds: 240
   ttlSecondsAfterFinished: 3600
   template:
     spec:

infrastructure/longhorn/core/scripts/longhorn_settings_ensure.sh

@@ -4,11 +4,12 @@ set -eu
 # Longhorn blocks direct CR patches for some settings; use the internal API instead.
 
 api_base="http://longhorn-backend.longhorn-system.svc:9500/v1/settings"
+curl_opts="-fsS --connect-timeout 3 --max-time 15"
 
 wait_for_api() {
   attempts=30
   while [ "${attempts}" -gt 0 ]; do
-    if curl -fsS "${api_base}" >/dev/null 2>&1; then
+    if curl ${curl_opts} "${api_base}" >/dev/null 2>&1; then
       return 0
     fi
     attempts=$((attempts - 1))
@@ -22,14 +23,14 @@ update_setting() {
   name="$1"
   value="$2"
 
-  current="$(curl -fsS "${api_base}/${name}" || true)"
+  current="$(curl ${curl_opts} "${api_base}/${name}" || true)"
   if echo "${current}" | grep -Fq "\"value\":\"${value}\""; then
     echo "Setting ${name} already set."
     return 0
   fi
 
   echo "Setting ${name} -> ${value}"
-  curl -fsS -X PUT \
+  curl ${curl_opts} -X PUT \
     -H "Content-Type: application/json" \
     -d "{\"value\":\"${value}\"}" \
     "${api_base}/${name}" >/dev/null
@@ -40,3 +41,7 @@ update_setting default-engine-image "registry.bstein.dev/infra/longhorn-engine:v
 update_setting default-instance-manager-image "registry.bstein.dev/infra/longhorn-instance-manager:v1.8.2"
 update_setting default-backing-image-manager-image "registry.bstein.dev/infra/longhorn-backing-image-manager:v1.8.2"
 update_setting support-bundle-manager-image "registry.bstein.dev/infra/longhorn-support-bundle-kit:v0.0.56"
+# Keep storage-heavy nodes from getting hammered by rebuild storms and skew.
+update_setting replica-auto-balance "best-effort"
+update_setting concurrent-replica-rebuild-per-node-limit "2"
+update_setting node-down-pod-deletion-policy "delete-both-statefulset-and-deployment-pod"

infrastructure/longhorn/core/secretproviderclass.yaml

@@ -13,9 +13,27 @@ spec:
       - objectName: "harbor-pull__dockerconfigjson"
         secretPath: "kv/data/atlas/shared/harbor-pull"
         secretKey: "dockerconfigjson"
+      - objectName: "longhorn-backup-b2__AWS_ACCESS_KEY_ID"
+        secretPath: "kv/data/atlas/longhorn/backup-b2"
+        secretKey: "AWS_ACCESS_KEY_ID"
+      - objectName: "longhorn-backup-b2__AWS_SECRET_ACCESS_KEY"
+        secretPath: "kv/data/atlas/longhorn/backup-b2"
+        secretKey: "AWS_SECRET_ACCESS_KEY"
+      - objectName: "longhorn-backup-b2__AWS_ENDPOINTS"
+        secretPath: "kv/data/atlas/longhorn/backup-b2"
+        secretKey: "AWS_ENDPOINTS"
   secretObjects:
     - secretName: longhorn-registry
       type: kubernetes.io/dockerconfigjson
       data:
         - objectName: harbor-pull__dockerconfigjson
           key: .dockerconfigjson
+    - secretName: longhorn-backup-b2
+      type: Opaque
+      data:
+        - objectName: longhorn-backup-b2__AWS_ACCESS_KEY_ID
+          key: AWS_ACCESS_KEY_ID
+        - objectName: longhorn-backup-b2__AWS_SECRET_ACCESS_KEY
+          key: AWS_SECRET_ACCESS_KEY
+        - objectName: longhorn-backup-b2__AWS_ENDPOINTS
+          key: AWS_ENDPOINTS

infrastructure/longhorn/core/vault-sync-deployment.yaml

@@ -26,6 +26,16 @@ spec:
                   - key: hardware
                     operator: In
                     values: ["rpi5", "rpi4"]
+            - weight: 90
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/hostname
+                    operator: NotIn
+                    values:
+                      - titan-13
+                      - titan-15
+                      - titan-17
+                      - titan-19
       containers:
         - name: sync
           image: alpine:3.20

infrastructure/postgres/statefulset.yaml

@@ -25,6 +25,7 @@ spec:
       serviceAccountName: postgres-vault
       nodeSelector:
         node-role.kubernetes.io/worker: "true"
+        hardware: rpi5
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -35,7 +36,17 @@ spec:
                     values: ["true"]
                   - key: hardware
                     operator: In
-                    values: ["rpi4", "rpi5"]
+                    values: ["rpi5"]
+                  - key: kubernetes.io/hostname
+                    operator: NotIn
+                    values: ["titan-06"]
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/hostname
+                    operator: In
+                    values: ["titan-05", "titan-07", "titan-08", "titan-11"]
       containers:
         - name: postgres
           image: postgres:15

infrastructure/traefik/deployment.yaml

@@ -70,6 +70,38 @@ items:
         dnsPolicy: ClusterFirst
         nodeSelector:
           node-role.kubernetes.io/worker: "true"
+        affinity:
+          nodeAffinity:
+            preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              preference:
+                matchExpressions:
+                - key: atlas.bstein.dev/spillover
+                  operator: DoesNotExist
+            - weight: 95
+              preference:
+                matchExpressions:
+                - key: kubernetes.io/hostname
+                  operator: NotIn
+                  values:
+                  - titan-13
+                  - titan-15
+                  - titan-17
+                  - titan-19
+            - weight: 90
+              preference:
+                matchExpressions:
+                - key: hardware
+                  operator: In
+                  values:
+                  - rpi5
+            - weight: 50
+              preference:
+                matchExpressions:
+                - key: hardware
+                  operator: In
+                  values:
+                  - rpi4
         restartPolicy: Always
         schedulerName: default-scheduler
         serviceAccount: atlas-traefik-ingress-controller

infrastructure/vault-injector/helmrelease.yaml

@@ -41,3 +41,12 @@ spec:
         failurePolicy: Ignore
       nodeSelector:
         node-role.kubernetes.io/worker: "true"
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/hostname
+                    operator: NotIn
+                    values: ["titan-13", "titan-15", "titan-17", "titan-19"]

pytest.ini

@@ -0,0 +1,3 @@
+[pytest]
+addopts = -ra
+norecursedirs = .git .venv .venv-ci __pycache__ tmp

scripts/tests/test_dashboards_render_atlas.py

@@ -4,13 +4,21 @@ import pathlib
 
 def load_module():
     path = pathlib.Path(__file__).resolve().parents[1] / "dashboards_render_atlas.py"
-    spec = importlib.util.spec_from_file_location("dashboards_render_atlas", path)
+    spec = importlib.util.spec_from_file_location("scripts.dashboards_render_atlas", path)
     module = importlib.util.module_from_spec(spec)
     assert spec.loader is not None
     spec.loader.exec_module(module)
     return module
 
 
+def flatten_panels(panels):
+    flat = []
+    for panel in panels:
+        flat.append(panel)
+        flat.extend(panel.get("panels", []))
+    return flat
+
+
 def test_table_panel_options_and_filterable():
     mod = load_module()
     panel = mod.table_panel(
@@ -42,6 +50,91 @@ def test_node_filter_and_expr_helpers():
     assert "node_memory_MemAvailable_bytes" in mem_expr
 
 
+def test_overview_availability_panel_uses_recorded_365d_rollup():
+    mod = load_module()
+    dashboard = mod.build_overview()
+    panel = next(panel for panel in flatten_panels(dashboard["panels"]) if panel["id"] == 27)
+
+    assert panel["title"] == "Atlas Availability (365d)"
+    assert panel["targets"][0]["expr"] == 'last_over_time(atlas:availability:ratio_365d{scope="atlas"}[24h])'
+    assert panel["targets"][0]["instant"] is True
+    assert "precomputed" in panel["description"]
+    assert "last successful rollup for up to 24h" in panel["description"]
+
+
+def test_overview_uses_readable_quality_power_and_gitops_panels():
+    mod = load_module()
+    dashboard = mod.build_overview()
+    panels_by_title = {panel["title"]: panel for panel in flatten_panels(dashboard["panels"])}
+
+    assert dashboard["links"] == [
+        {"title": "Atlas Testing", "url": "/d/atlas-testing", "targetBlank": True}
+    ]
+    assert "atlas-jobs" not in repr(dashboard)
+    assert "Platform Test Success Rate" not in panels_by_title
+    assert panels_by_title["Gate Checks Passing by Suite"]["type"] == "state-timeline"
+    assert panels_by_title["Gate Checks Passing by Suite"]["gridPos"] == {"h": 6, "w": 6, "x": 15, "y": 13}
+    assert panels_by_title["Gate Checks Passing by Suite"]["targets"][0]["legendFormat"] == "{{suite}}"
+    assert panels_by_title["UPS History (Power Draw)"]["gridPos"] == {"h": 6, "w": 6, "x": 3, "y": 7}
+    assert panels_by_title["Ariadne Run Volume"]["gridPos"] == {"h": 6, "w": 6, "x": 9, "y": 7}
+    assert panels_by_title["Pyrphoros UPS Current"]["gridPos"]["w"] == 3
+    assert panels_by_title["Current Enclosure Climate"]["gridPos"]["w"] == 3
+    assert panels_by_title["UPS History (Power Draw)"]["options"]["legend"]["placement"] == "bottom"
+    assert panels_by_title["UPS History (Power Draw)"]["options"]["legend"]["displayMode"] == "list"
+    assert panels_by_title["UPS History (Power Draw)"]["fieldConfig"]["defaults"]["custom"]["drawStyle"] == "line"
+    assert panels_by_title["UPS History (Power Draw)"]["fieldConfig"]["defaults"]["custom"]["fillOpacity"] == 18
+    ups_overrides = panels_by_title["UPS History (Power Draw)"]["fieldConfig"]["overrides"]
+    ups_override_by_name = {override["matcher"]["options"]: override for override in ups_overrides}
+    assert ups_override_by_name["Pyrphoros"]["properties"] == [
+        {"id": "color", "value": {"mode": "fixed", "fixedColor": "dark-blue"}},
+    ]
+    assert ups_override_by_name["Statera"]["properties"] == [
+        {"id": "color", "value": {"mode": "fixed", "fixedColor": "dark-yellow"}},
+    ]
+    assert panels_by_title["Ariadne Run Volume"]["fieldConfig"]["defaults"]["custom"]["drawStyle"] == "bars"
+    assert panels_by_title["Ariadne Run Volume"]["options"]["legend"]["placement"] == "bottom"
+    assert panels_by_title["Ariadne Run Volume"]["options"]["legend"]["displayMode"] == "list"
+    assert "Fan History (0-10)" not in panels_by_title
+    assert panels_by_title["Fan Intensity History"]["type"] == "state-timeline"
+    assert panels_by_title["Fan Intensity History"]["gridPos"] == {"h": 6, "w": 6, "x": 9, "y": 13}
+    assert panels_by_title["Fan Intensity History"]["fieldConfig"]["defaults"]["max"] == 10
+    assert panels_by_title["Fan Intensity History"]["targets"][0]["legendFormat"] == "{{fan}}"
+    fan_steps = panels_by_title["Fan Intensity History"]["fieldConfig"]["defaults"]["thresholds"]["steps"]
+    assert [step["value"] for step in fan_steps] == [None, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
+    assert fan_steps[0]["color"] == "#1f60c4"
+    assert fan_steps[5]["color"] == "#d4b106"
+    assert fan_steps[-1]["color"] == "#8f1d1d"
+    assert panels_by_title["Fan Intensity History"]["options"]["legend"]["displayMode"] == "list"
+    assert panels_by_title["Fan Intensity History"]["options"]["mergeValues"] is False
+    assert panels_by_title["Fan Intensity History"]["options"]["showValue"] == "auto"
+
+    assert panels_by_title["Flux Source"]["type"] == "stat"
+    assert panels_by_title["Flux Source"]["gridPos"] == {"h": 2, "w": 3, "x": 21, "y": 7}
+    assert panels_by_title["Flux Source"]["targets"][0]["legendFormat"] == "{{branch}}"
+    assert panels_by_title["Run Reliability (24h)"]["gridPos"] == {"h": 2, "w": 3, "x": 21, "y": 9}
+    assert panels_by_title["Fresh Suites (24h)"]["gridPos"] == {"h": 2, "w": 3, "x": 21, "y": 13}
+    assert panels_by_title["LOC Clean Suites"]["gridPos"] == {"h": 2, "w": 3, "x": 21, "y": 17}
+    assert panels_by_title["GitOps Health"]["type"] == "state-timeline"
+    assert panels_by_title["GitOps Health"]["gridPos"] == {"h": 6, "w": 6, "x": 15, "y": 7}
+    gitops_expr = panels_by_title["GitOps Health"]["targets"][0]["expr"]
+    assert "Kustomizations Not Suspended" in gitops_expr
+    assert "HelmReleases Not Suspended" in gitops_expr
+    assert panels_by_title["Gate Checks Passing by Suite"]["options"]["legend"]["displayMode"] == "hidden"
+    assert panels_by_title["Gate Checks Passing by Suite"]["options"]["mergeValues"] is False
+    assert panels_by_title["Gate Checks Passing by Suite"]["options"]["showValue"] == "auto"
+    assert "rowHeight" not in panels_by_title["Gate Checks Passing by Suite"]["options"]
+
+    pvc_backup_expr = panels_by_title["PVC Backup Health / Age"]["targets"][0]["expr"]
+    assert "backup-telemetry-missing" in pvc_backup_expr
+    assert 'pvc_backup_(count|last_success_timestamp_seconds|health_reason)' in pvc_backup_expr
+
+    gpu_expr = panels_by_title["Namespace GPU Share"]["targets"][0]["expr"]
+    assert 'resource=~"nvidia(_com_|[.]com/)gpu.*"' in gpu_expr
+    assert "/ on(node) group_left() clamp_min" in gpu_expr
+    assert "kube_node_status_allocatable" in gpu_expr
+    assert "kube_node_labels" not in gpu_expr
+
+
 def test_render_configmap_writes(tmp_path):
     mod = load_module()
     mod.DASHBOARD_DIR = tmp_path / "dash"
@@ -56,3 +149,169 @@ def test_render_configmap_writes(tmp_path):
     content = (tmp_path / "cm.yaml").read_text()
     assert "kind: ConfigMap" in content
     assert f"{uid}.json" in content
+
+
+def test_testing_suite_variable_uses_canonical_values_only():
+    mod = load_module()
+    variable = mod.testing_suite_variable()
+    canonical_matcher = "|".join(mod.PLATFORM_TEST_SUITE_NAMES)
+    legacy_names = {"bstein-home", "data-prepper", "titan-iac", "pegasus-health"}
+
+    assert variable["allValue"] == canonical_matcher
+    assert not any(alias in variable["query"] for alias in legacy_names)
+    assert not any(alias in variable["allValue"] for alias in legacy_names)
+    assert [option["value"] for option in variable["options"]] == mod.PLATFORM_TEST_SUITE_NAMES
+
+
+def test_testing_dashboard_is_public_but_jobs_dashboard_remains_internal():
+    mod = load_module()
+    jobs = mod.build_jobs_dashboard()
+    testing = mod.build_testing_dashboard()
+
+    assert jobs["folderUid"] == mod.PRIVATE_FOLDER
+    assert jobs["editable"] is True
+    assert testing["uid"] == "atlas-testing"
+    assert testing["folderUid"] == mod.PUBLIC_DASHBOARD_FOLDER
+    assert testing["editable"] is False
+
+
+def test_jobs_dashboard_separates_current_gate_health_from_reliability():
+    mod = load_module()
+    dashboard = mod.build_jobs_dashboard()
+    panels_by_title = {panel["title"]: panel for panel in flatten_panels(dashboard["panels"])}
+
+    assert "Current Gate Health by Suite" in panels_by_title
+    assert "Run Reliability by Suite (24h)" in panels_by_title
+    assert "Run Reliability by Suite (7d rolling)" in panels_by_title
+    assert "Daily Run Volume (Selected Scope)" in panels_by_title
+    assert "Coverage History by Suite" in panels_by_title
+    assert "Files <=500 LOC History by Suite" in panels_by_title
+    assert "Run Reliability History by Suite" not in panels_by_title
+    assert "Coverage & LOC Compliance History" not in panels_by_title
+    assert "Run Status Mix (30d)" not in panels_by_title
+    assert "Failures by Suite (24h)" not in panels_by_title
+    assert "Success Rate by Suite (24h)" not in panels_by_title
+
+    current_gate_expr = panels_by_title["Current Gate Health by Suite"]["targets"][0]["expr"]
+    assert 'check)' in current_gate_expr
+    assert 'result=~"ok|passed|success|not_applicable|skipped|na|n/a"' in current_gate_expr
+
+    reliability_panel = panels_by_title["Run Reliability by Suite (24h)"]
+    reliability_expr = reliability_panel["targets"][0]["expr"]
+    assert "platform_quality_gate_runs_total" in reliability_expr
+    assert "> 0" in reliability_expr
+    assert "- 1" in reliability_expr
+    assert reliability_panel["fieldConfig"]["defaults"]["mappings"] == [
+        {"type": "value", "options": {"-1": {"text": "no runs"}}}
+    ]
+
+    rolling_panel = panels_by_title["Run Reliability by Suite (7d rolling)"]
+    assert rolling_panel["type"] == "state-timeline"
+    assert "[7d]" in rolling_panel["targets"][0]["expr"]
+
+    coverage_panel = panels_by_title["Coverage History by Suite"]
+    loc_panel = panels_by_title["Files <=500 LOC History by Suite"]
+    assert coverage_panel["type"] == "state-timeline"
+    assert loc_panel["type"] == "state-timeline"
+    assert coverage_panel["targets"][0]["expr"] != loc_panel["targets"][0]["expr"]
+
+    run_volume_panel = panels_by_title["Daily Run Volume (Selected Scope)"]
+    assert run_volume_panel["fieldConfig"]["defaults"]["custom"]["drawStyle"] == "bars"
+    assert "[$__interval]" not in run_volume_panel["targets"][0]["expr"]
+
+
+def test_jobs_dashboard_bar_gauges_use_solid_threshold_colors():
+    mod = load_module()
+    dashboard = mod.build_jobs_dashboard()
+    panels = flatten_panels(dashboard["panels"])
+    bar_gauges = [panel for panel in panels if panel["type"] == "bargauge"]
+
+    assert bar_gauges
+    assert all(panel["options"]["displayMode"] == "basic" for panel in bar_gauges)
+    assert all(
+        panel["fieldConfig"]["defaults"]["color"]["mode"] == "thresholds"
+        for panel in bar_gauges
+    )
+
+    reliability_panel = next(
+        panel for panel in panels if panel["title"] == "Run Reliability by Suite (24h)"
+    )
+    threshold_steps = reliability_panel["fieldConfig"]["defaults"]["thresholds"]["steps"]
+
+    assert {"color": "dark-yellow", "value": 93} in threshold_steps
+    assert {"color": "dark-blue", "value": 100} in threshold_steps
+
+
+def test_jobs_dashboard_collapses_heavy_drilldowns_for_light_first_paint():
+    mod = load_module()
+    dashboard = mod.build_jobs_dashboard()
+    panels = dashboard["panels"]
+    rows = [panel for panel in panels if panel["type"] == "row"]
+    visible_query_panels = [panel for panel in panels if panel["type"] != "row"]
+    nested_panels_by_title = {
+        child["title"]: child
+        for row in rows
+        for child in row.get("panels", [])
+    }
+
+    assert len(panels) == 16
+    assert len(visible_query_panels) == 10
+    assert sum(len(panel.get("targets", [])) for panel in visible_query_panels) == 10
+    assert all(
+        panel["title"] != "Coverage Gap to 95% by Suite"
+        for panel in visible_query_panels
+    )
+    assert [row["title"] for row in rows] == [
+        "Reliability And Run History",
+        "Check Failure Rates By Suite",
+        "Check Healthy Rates By Suite",
+        "Test Drilldowns And Problem Tests",
+        "Telemetry Completeness And Branches",
+        "SonarQube Project Health",
+    ]
+    assert all(row["collapsed"] for row in rows)
+
+    assert "Coverage Failure Rate" in nested_panels_by_title
+    assert "Supply Chain Healthy Rate" in nested_panels_by_title
+    assert "Selected Test Pass Rate History" in nested_panels_by_title
+    assert "Coverage Metrics Present by Suite" in nested_panels_by_title
+    assert "SonarQube API Up" in nested_panels_by_title
+
+    failure_rate_panel = nested_panels_by_title["Coverage Failure Rate"]
+    assert failure_rate_panel["type"] == "state-timeline"
+    assert failure_rate_panel["fieldConfig"]["defaults"]["unit"] == "percent"
+    assert failure_rate_panel["fieldConfig"]["defaults"]["max"] == 100
+    assert failure_rate_panel["fieldConfig"]["defaults"]["thresholds"]["steps"][0]["color"] == "dark-blue"
+    assert "increase(" not in failure_rate_panel["targets"][0]["expr"]
+    assert "0 *" in failure_rate_panel["targets"][0]["expr"]
+    assert "and on(suite)" not in failure_rate_panel["targets"][0]["expr"]
+
+    pass_rate_panel = nested_panels_by_title["Selected Test Pass Rate History"]
+    assert pass_rate_panel["type"] == "state-timeline"
+    assert "platform_quality:test_case_pass_rate:percent_1h" in pass_rate_panel["targets"][0]["expr"]
+    assert "platform_quality_gate_test_case_result" not in pass_rate_panel["targets"][0]["expr"]
+
+    pass_fail_panel = nested_panels_by_title["Selected Test Pass/Fail History"]
+    assert pass_fail_panel["fieldConfig"]["defaults"]["custom"]["drawStyle"] == "bars"
+    assert all(
+        "platform_quality:test_case_status:count_1h" in target["expr"]
+        for target in pass_fail_panel["targets"]
+    )
+
+    problematic_panel = nested_panels_by_title["Problematic Tests Over Time (Top failures)"]
+    assert problematic_panel["type"] == "state-timeline"
+    assert problematic_panel["gridPos"]["w"] == 24
+    assert 'test!=""' in problematic_panel["targets"][0]["expr"]
+    assert "vector(0)" not in problematic_panel["targets"][0]["expr"]
+
+    sonar_mix_panel = nested_panels_by_title["Sonar Gate Status Mix (Selected)"]
+    sonar_health_panel = nested_panels_by_title["Sonar Gate Health by Project"]
+    assert sonar_mix_panel["gridPos"]["w"] == 4
+    assert sonar_health_panel["gridPos"]["w"] == 8
+    assert sonar_health_panel["type"] == "state-timeline"
+    assert "100 * max by (project_key)" in sonar_health_panel["targets"][0]["expr"]
+
+    branch_panel = nested_panels_by_title["Primary Branch Clean by Suite (30d)"]
+    assert branch_panel["fieldConfig"]["defaults"]["unit"] == "percent"
+    assert "unless on(suite)" in branch_panel["targets"][0]["expr"]
+    assert "> bool 0" in branch_panel["targets"][0]["expr"]

scripts/tests/test_mailu_sync.py

@@ -1,5 +1,7 @@
 import importlib.util
 import pathlib
+import sys
+import types
 
 import pytest
 
@@ -20,6 +22,26 @@ def load_sync_module(monkeypatch):
     }
     for k, v in env.items():
         monkeypatch.setenv(k, v)
+    fake_psycopg2 = types.ModuleType("psycopg2")
+    fake_psycopg2.Error = Exception
+    fake_psycopg2.connect = lambda **kwargs: None
+    fake_psycopg2_extras = types.ModuleType("psycopg2.extras")
+    fake_psycopg2_extras.RealDictCursor = object
+    fake_passlib = types.ModuleType("passlib")
+    fake_passlib_hash = types.ModuleType("passlib.hash")
+
+    class _FakeBcryptSha256:
+        @staticmethod
+        def hash(password):
+            return f"stub:{password}"
+
+    fake_passlib_hash.bcrypt_sha256 = _FakeBcryptSha256
+    fake_passlib.hash = fake_passlib_hash
+
+    monkeypatch.setitem(sys.modules, "psycopg2", fake_psycopg2)
+    monkeypatch.setitem(sys.modules, "psycopg2.extras", fake_psycopg2_extras)
+    monkeypatch.setitem(sys.modules, "passlib", fake_passlib)
+    monkeypatch.setitem(sys.modules, "passlib.hash", fake_passlib_hash)
     module_path = (
         pathlib.Path(__file__).resolve().parents[2]
         / "services"
@@ -116,6 +138,100 @@ def test_kc_get_users_paginates(monkeypatch):
     assert sync.SESSION.calls == 1
 
 
+def test_kc_get_users_fetches_second_page_after_full_batch(monkeypatch):
+    sync = load_sync_module(monkeypatch)
+
+    class _PagedSession:
+        def __init__(self):
+            self.calls = 0
+            self.first_params = []
+
+        def get(self, *_, **kwargs):
+            self.calls += 1
+            self.first_params.append(kwargs["params"]["first"])
+            if self.calls == 1:
+                return _FakeResponse([{"id": f"u{i}"} for i in range(200)])
+            return _FakeResponse([{"id": "last"}])
+
+    sync.SESSION = _PagedSession()
+
+    users = sync.kc_get_users("tok")
+
+    assert len(users) == 201
+    assert sync.SESSION.first_params == [0, 200]
+
+
+def test_get_kc_token_posts_client_credentials(monkeypatch):
+    sync = load_sync_module(monkeypatch)
+    calls = []
+
+    class _TokenSession:
+        def post(self, url, data, timeout):
+            calls.append((url, data, timeout))
+            return _FakeResponse({"access_token": "tok"})
+
+    sync.SESSION = _TokenSession()
+
+    assert sync.get_kc_token() == "tok"
+    assert calls[0][1]["grant_type"] == "client_credentials"
+
+
+def test_retry_request_retries_then_succeeds(monkeypatch):
+    sync = load_sync_module(monkeypatch)
+    attempts = []
+    sleeps = []
+
+    def _flaky():
+        attempts.append(1)
+        if len(attempts) == 1:
+            raise sync.requests.RequestException("temporary")
+        return "ok"
+
+    monkeypatch.setattr(sync.time, "sleep", lambda seconds: sleeps.append(seconds))
+
+    assert sync.retry_request("request", _flaky, attempts=2) == "ok"
+    assert sleeps == [2]
+
+
+def test_retry_request_reraises_final_error(monkeypatch):
+    sync = load_sync_module(monkeypatch)
+    monkeypatch.setattr(sync.time, "sleep", lambda seconds: None)
+
+    with pytest.raises(sync.requests.RequestException):
+        sync.retry_request(
+            "request",
+            lambda: (_ for _ in ()).throw(sync.requests.RequestException("nope")),
+            attempts=1,
+        )
+
+
+def test_retry_db_connect_retries_then_succeeds(monkeypatch):
+    sync = load_sync_module(monkeypatch)
+    attempts = []
+    sleeps = []
+
+    def _connect(**kwargs):
+        attempts.append(kwargs)
+        if len(attempts) == 1:
+            raise sync.psycopg2.Error("not yet")
+        return "conn"
+
+    monkeypatch.setattr(sync.psycopg2, "connect", _connect)
+    monkeypatch.setattr(sync.time, "sleep", lambda seconds: sleeps.append(seconds))
+
+    assert sync.retry_db_connect(attempts=2) == "conn"
+    assert sleeps == [2]
+
+
+def test_retry_db_connect_reraises_final_error(monkeypatch):
+    sync = load_sync_module(monkeypatch)
+    monkeypatch.setattr(sync.psycopg2, "connect", lambda **kwargs: (_ for _ in ()).throw(sync.psycopg2.Error("down")))
+    monkeypatch.setattr(sync.time, "sleep", lambda seconds: None)
+
+    with pytest.raises(sync.psycopg2.Error):
+        sync.retry_db_connect(attempts=1)
+
+
 def test_ensure_mailu_user_skips_foreign_domain(monkeypatch):
     sync = load_sync_module(monkeypatch)
     executed = []
@@ -144,6 +260,87 @@ def test_ensure_mailu_user_upserts(monkeypatch):
     assert captured["password"] != "pw"
 
 
+def test_attribute_and_email_helpers(monkeypatch):
+    sync = load_sync_module(monkeypatch)
+
+    assert sync.get_attribute_value({"x": ["first", "second"]}, "x") == "first"
+    assert sync.get_attribute_value({"x": []}, "x") is None
+    assert sync.get_attribute_value({"x": "value"}, "x") == "value"
+    assert sync.mailu_enabled({"mailu_email": ["legacy@example.com"]}) is True
+    assert sync.mailu_enabled({"mailu_enabled": ["off"]}) is False
+    assert sync.resolve_mailu_email({"username": "fallback", "email": "user@example.com"}, {}) == "user@example.com"
+    assert sync.resolve_mailu_email({"username": "fallback", "email": "user@other.com"}, {}) == "fallback@example.com"
+
+
+def test_safe_update_payload_filters_fields(monkeypatch):
+    sync = load_sync_module(monkeypatch)
+
+    payload = sync._safe_update_payload(
+        {
+            "username": "user",
+            "enabled": True,
+            "email": "user@example.com",
+            "emailVerified": False,
+            "firstName": "User",
+            "lastName": "Example",
+            "requiredActions": ["UPDATE_PASSWORD", 7],
+            "attributes": "not-a-dict",
+            "ignored": "value",
+        }
+    )
+
+    assert payload == {
+        "username": "user",
+        "enabled": True,
+        "email": "user@example.com",
+        "emailVerified": False,
+        "firstName": "User",
+        "lastName": "Example",
+        "requiredActions": ["UPDATE_PASSWORD"],
+        "attributes": {},
+    }
+
+
+def test_ensure_system_mailboxes_handles_configurations(monkeypatch, capsys):
+    sync = load_sync_module(monkeypatch)
+    ensured = []
+    monkeypatch.setattr(sync, "MAILU_SYSTEM_USERS", ["postmaster@example.com", "abuse"])
+    monkeypatch.setattr(sync, "MAILU_SYSTEM_PASSWORD", "")
+
+    sync.ensure_system_mailboxes(object())
+
+    assert "MAILU_SYSTEM_PASSWORD is missing" in capsys.readouterr().out
+
+    def _ensure(cursor, email, password, display_name):
+        ensured.append((email, password, display_name))
+        if email == "abuse":
+            raise RuntimeError("boom")
+
+    monkeypatch.setattr(sync, "MAILU_SYSTEM_PASSWORD", "pw")
+    monkeypatch.setattr(sync, "ensure_mailu_user", _ensure)
+
+    sync.ensure_system_mailboxes(object())
+
+    out = capsys.readouterr().out
+    assert ensured == [
+        ("postmaster@example.com", "pw", "postmaster"),
+        ("abuse", "pw", "abuse"),
+    ]
+    assert "Ensured system mailbox for postmaster@example.com" in out
+    assert "Failed to ensure system mailbox abuse" in out
+
+
+def test_main_exits_without_users_or_system_mailboxes(monkeypatch, capsys):
+    sync = load_sync_module(monkeypatch)
+    monkeypatch.setattr(sync, "MAILU_SYSTEM_USERS", [])
+    monkeypatch.setattr(sync, "get_kc_token", lambda: "tok")
+    monkeypatch.setattr(sync, "kc_get_users", lambda token: [])
+
+    sync.main()
+
+    assert "No users found; exiting." in capsys.readouterr().out
+
+
 def test_main_generates_password_and_upserts(monkeypatch):
     sync = load_sync_module(monkeypatch)
     monkeypatch.setattr(sync.bcrypt_sha256, "hash", lambda password: f"hash:{password}")

scripts/tests/test_mailu_sync_listener.py

@@ -0,0 +1,134 @@
+import importlib.util
+import io
+import pathlib
+import types
+
+
+def load_listener_module(monkeypatch):
+    monkeypatch.setenv("MAILU_SYNC_WAIT_TIMEOUT_SEC", "0")
+    module_path = (
+        pathlib.Path(__file__).resolve().parents[2]
+        / "services"
+        / "mailu"
+        / "scripts"
+        / "mailu_sync_listener.py"
+    )
+    spec = importlib.util.spec_from_file_location("mailu_sync_listener_testmod", module_path)
+    module = importlib.util.module_from_spec(spec)
+    assert spec.loader is not None
+    spec.loader.exec_module(module)
+    return module
+
+
+def _handler_for(listener, body):
+    handler = listener.Handler.__new__(listener.Handler)
+    raw = body if isinstance(body, bytes) else body.encode()
+    handler.headers = {"Content-Length": str(len(raw))}
+    handler.rfile = io.BytesIO(raw)
+    handler.responses = []
+    handler.headers_ended = 0
+    handler.send_response = lambda code: handler.responses.append(code)
+    handler.end_headers = lambda: setattr(handler, "headers_ended", handler.headers_ended + 1)
+    return handler
+
+
+def test_listener_run_sync_blocking_updates_state(monkeypatch):
+    listener = load_listener_module(monkeypatch)
+    monkeypatch.setattr(listener, "time", lambda: 42.0)
+    monkeypatch.setattr(
+        listener.subprocess,
+        "run",
+        lambda command, check: types.SimpleNamespace(returncode=3),
+    )
+
+    assert listener._run_sync_blocking() == 3
+    assert listener.last_rc == 3
+    assert listener.last_run == 42.0
+    assert listener.sync_done.is_set()
+
+    listener.sync_running = True
+    assert listener._run_sync_blocking() == 0
+
+
+def test_listener_trigger_sync_async_honors_running_and_debounce(monkeypatch):
+    listener = load_listener_module(monkeypatch)
+    starts = []
+
+    class _Thread:
+        def __init__(self, target, daemon):
+            self.target = target
+            self.daemon = daemon
+
+        def start(self):
+            starts.append((self.target, self.daemon))
+
+    monkeypatch.setattr(listener.threading, "Thread", _Thread)
+    monkeypatch.setattr(listener, "time", lambda: 100.0)
+
+    listener.sync_running = True
+    assert listener._trigger_sync_async() is False
+
+    listener.sync_running = False
+    listener.last_run = 95.0
+    assert listener._trigger_sync_async() is False
+
+    assert listener._trigger_sync_async(force=True) is True
+    assert starts and starts[0][1] is True
+
+
+def test_listener_post_rejects_invalid_json(monkeypatch):
+    listener = load_listener_module(monkeypatch)
+    handler = _handler_for(listener, b"{not-json")
+
+    handler.do_POST()
+
+    assert handler.responses == [400]
+    assert handler.headers_ended == 1
+
+
+def test_listener_post_triggers_async_without_wait(monkeypatch):
+    listener = load_listener_module(monkeypatch)
+    called = []
+    monkeypatch.setattr(listener, "_trigger_sync_async", lambda force=False: called.append(force) or True)
+    handler = _handler_for(listener, '{"force": true}')
+
+    handler.do_POST()
+
+    assert called == [True]
+    assert handler.responses == [202]
+
+
+def test_listener_post_wait_returns_success_or_failure(monkeypatch):
+    listener = load_listener_module(monkeypatch)
+    called = []
+    monkeypatch.setattr(listener, "_trigger_sync_async", lambda force=False: called.append(force) or True)
+    listener.sync_running = False
+    listener.last_rc = 0
+    handler = _handler_for(listener, '{"wait": true, "force": true}')
+
+    handler.do_POST()
+
+    assert called == [True]
+    assert handler.responses == [200]
+
+    listener.last_rc = 2
+    handler = _handler_for(listener, '{"wait": true}')
+    handler.do_POST()
+    assert handler.responses == [500]
+
+
+def test_listener_post_wait_keeps_running_request_successful(monkeypatch):
+    listener = load_listener_module(monkeypatch)
+    listener.sync_running = True
+    handler = _handler_for(listener, '{"wait": true}')
+
+    handler.do_POST()
+
+    assert handler.responses == [200]
+
+
+def test_listener_log_message_is_quiet(monkeypatch):
+    listener = load_listener_module(monkeypatch)
+    handler = listener.Handler.__new__(listener.Handler)
+
+    assert handler.log_message("ignored %s", "value") is None

scripts/verify_jenkins_workspace_cleanup_rollout.sh

@@ -0,0 +1,73 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+MODE="${1:-dry-run}"
+if [[ "$MODE" != "dry-run" && "$MODE" != "active" ]]; then
+  echo "usage: $0 [dry-run|active]" >&2
+  exit 2
+fi
+
+EXPECTED_DRY_RUN="true"
+PROM_MODE="dry_run"
+if [[ "$MODE" == "active" ]]; then
+  EXPECTED_DRY_RUN="false"
+  PROM_MODE="delete"
+fi
+
+KUSTOMIZATION="${KUSTOMIZATION:-maintenance}"
+NAMESPACE="${NAMESPACE:-maintenance}"
+DEPLOYMENT="${DEPLOYMENT:-ariadne}"
+LOCAL_METRICS_PORT="${LOCAL_METRICS_PORT:-18080}"
+
+for cmd in flux kubectl curl grep awk; do
+  if ! command -v "$cmd" >/dev/null 2>&1; then
+    echo "missing required command: $cmd" >&2
+    exit 2
+  fi
+done
+
+echo "[1/5] reconcile Flux kustomization: ${KUSTOMIZATION}"
+flux reconcile kustomization "$KUSTOMIZATION" --namespace flux-system --with-source
+
+echo "[2/5] wait for deployment rollout"
+kubectl -n "$NAMESPACE" rollout status "deployment/$DEPLOYMENT" --timeout=5m
+
+echo "[3/5] verify ariadne env wiring"
+ENV_DUMP="$(kubectl -n "$NAMESPACE" get deployment "$DEPLOYMENT" -o jsonpath='{range .spec.template.spec.containers[0].env[*]}{.name}={.value}{"\n"}{end}')"
+echo "$ENV_DUMP" | grep -F "ARIADNE_SCHEDULE_JENKINS_WORKSPACE_CLEANUP=45 */6 * * *"
+echo "$ENV_DUMP" | grep -F "JENKINS_WORKSPACE_NAMESPACE=jenkins"
+echo "$ENV_DUMP" | grep -F "JENKINS_WORKSPACE_PVC_PREFIX=pvc-workspace-"
+echo "$ENV_DUMP" | grep -F "JENKINS_WORKSPACE_CLEANUP_MIN_AGE_HOURS=24"
+echo "$ENV_DUMP" | grep -F "JENKINS_WORKSPACE_CLEANUP_DRY_RUN=${EXPECTED_DRY_RUN}"
+echo "$ENV_DUMP" | grep -F "JENKINS_WORKSPACE_CLEANUP_MAX_DELETIONS_PER_RUN=20"
+
+echo "[4/5] scrape /metrics and confirm cleanup metrics are exported"
+PF_LOG="$(mktemp)"
+METRICS_FILE="$(mktemp)"
+cleanup() {
+  if [[ -n "${PF_PID:-}" ]]; then
+    kill "$PF_PID" >/dev/null 2>&1 || true
+    wait "$PF_PID" 2>/dev/null || true
+  fi
+  rm -f "$PF_LOG" "$METRICS_FILE"
+}
+trap cleanup EXIT
+
+kubectl -n "$NAMESPACE" port-forward "deployment/$DEPLOYMENT" "${LOCAL_METRICS_PORT}:8080" >"$PF_LOG" 2>&1 &
+PF_PID=$!
+sleep 2
+curl -fsS "http://127.0.0.1:${LOCAL_METRICS_PORT}/metrics" >"$METRICS_FILE"
+grep -F "# HELP ariadne_jenkins_workspace_cleanup_runs_total" "$METRICS_FILE"
+grep -F "# HELP ariadne_jenkins_workspace_cleanup_objects_total" "$METRICS_FILE"
+
+echo "[5/5] show recent cleanup signal"
+if grep -q "ariadne_jenkins_workspace_cleanup_runs_total" "$METRICS_FILE"; then
+  grep "ariadne_jenkins_workspace_cleanup_runs_total" "$METRICS_FILE" | grep "mode=\"${PROM_MODE}\"" || true
+else
+  echo "No run counter sample yet for mode=${PROM_MODE}; wait for schedule window and re-run." >&2
+fi
+
+echo "Recent cleanup logs (if any):"
+kubectl -n "$NAMESPACE" logs "deployment/$DEPLOYMENT" --tail=500 | grep -i "jenkins workspace cleanup" | tail -n 20 || true
+
+echo "verification complete for mode=${MODE}"

services/ai-llm/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   name: ollama
   namespace: ai
 spec:
-  replicas: 1
+  replicas: 0
   revisionHistoryLimit: 2
   strategy:
     type: RollingUpdate
@@ -21,7 +21,7 @@ spec:
         app: ollama
       annotations:
         ai.bstein.dev/model: qwen2.5:14b-instruct-q4_0
-        ai.bstein.dev/gpu: GPU pool (titan-22/24)
+        ai.bstein.dev/gpu: GPU pool (titan-20/21)
         ai.bstein.dev/restartedAt: "2026-01-26T12:00:00Z"
     spec:
       affinity:
@@ -32,13 +32,13 @@ spec:
                   - key: kubernetes.io/hostname
                     operator: In
                     values:
-                      - titan-22
-                      - titan-24
+                      - titan-20
+                      - titan-21
       runtimeClassName: nvidia
       volumes:
         - name: models
           persistentVolumeClaim:
-            claimName: ollama-models
+            claimName: ollama-models-asteria
       initContainers:
         - name: warm-model
           image: ollama/ollama@sha256:2c9595c555fd70a28363489ac03bd5bf9e7c5bdf2890373c3a830ffd7252ce6d

services/ai-llm/pvc.yaml

@@ -2,12 +2,12 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: ollama-models
+  name: ollama-models-asteria
   namespace: ai
 spec:
   accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany
   resources:
     requests:
       storage: 30Gi
-  storageClassName: astreae
+  storageClassName: asteria

services/bstein-dev-home/backend-deployment.yaml

@@ -49,6 +49,15 @@ spec:
       nodeSelector:
         kubernetes.io/arch: arm64
         node-role.kubernetes.io/worker: "true"
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/hostname
+                    operator: NotIn
+                    values: ["titan-13", "titan-15", "titan-17", "titan-19"]
       imagePullSecrets:
         - name: harbor-regcred
       containers:

services/bstein-dev-home/chat-ai-gateway-deployment.yaml

@@ -38,6 +38,36 @@ spec:
       nodeSelector:
         kubernetes.io/arch: arm64
         node-role.kubernetes.io/worker: "true"
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 100
+              preference:
+                matchExpressions:
+                  - key: atlas.bstein.dev/spillover
+                    operator: DoesNotExist
+            - weight: 95
+              preference:
+                matchExpressions:
+                  - key: kubernetes.io/hostname
+                    operator: NotIn
+                    values:
+                      - titan-13
+                      - titan-15
+                      - titan-17
+                      - titan-19
+            - weight: 90
+              preference:
+                matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values: ["rpi5"]
+            - weight: 50
+              preference:
+                matchExpressions:
+                  - key: hardware
+                    operator: In
+                    values: ["rpi4"]
       containers:
         - name: gateway
           image: python:3.11-slim

services/bstein-dev-home/frontend-deployment.yaml

@@ -26,7 +26,7 @@ spec:
           imagePullPolicy: Always
           ports:
             - name: http
-              containerPort: 80
+              containerPort: 8080
           readinessProbe:
             httpGet:
               path: /

services/bstein-dev-home/frontend-service.yaml

@@ -10,4 +10,4 @@ spec:
   ports:
     - name: http
       port: 80
-      targetPort: 80
+      targetPort: 8080

services/bstein-dev-home/kustomization.yaml

@@ -20,9 +20,9 @@ resources:
   - ingress.yaml
 images:
   - name: registry.bstein.dev/bstein/bstein-dev-home-frontend
-    newTag: 0.1.1-120 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-frontend:tag"}
+    newTag: 0.1.1-280 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-frontend:tag"}
   - name: registry.bstein.dev/bstein/bstein-dev-home-backend
-    newTag: 0.1.1-123 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend:tag"}
+    newTag: 0.1.1-280 # {"$imagepolicy": "bstein-dev-home:bstein-dev-home-backend:tag"}
 configMapGenerator:
   - name: chat-ai-gateway
     namespace: bstein-dev-home

services/comms/element-call-deployment.yaml

@@ -17,6 +17,7 @@ spec:
     spec:
       nodeSelector:
         hardware: rpi5
+        node-role.kubernetes.io/worker: "true"
       containers:
         - name: element-call
           image: ghcr.io/element-hq/element-call@sha256:e6897c7818331714eae19d83ef8ea94a8b41115f0d8d3f62c2fed2d02c65c9bc

services/comms/helmrelease.yaml

@@ -119,6 +119,7 @@ spec:
           > /synapse/config/conf.d/runtime-secrets.yaml
       nodeSelector:
         hardware: rpi5
+        node-role.kubernetes.io/worker: "true"
       affinity:
         nodeAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:
@@ -417,6 +418,7 @@ spec:
 
     nodeSelector:
       hardware: rpi5
+      node-role.kubernetes.io/worker: "true"
 
     affinity:
       nodeAffinity:

services/harbor/helmrelease.yaml

@@ -53,7 +53,7 @@ spec:
         registry:
           existingClaim: harbor-registry
           accessMode: ReadWriteOnce
-          size: 50Gi
+          size: 100Gi
         jobservice:
           jobLog:
             existingClaim: harbor-jobservice-logs
@@ -77,6 +77,7 @@ spec:
       internal:
         nodeSelector:
           ananke.bstein.dev/harbor-bootstrap: "true"
+          kubernetes.io/hostname: titan-11
         image:
           repository: registry.bstein.dev/infra/harbor-redis
           tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-redis:tag"}
@@ -113,6 +114,7 @@ spec:
     core:
       nodeSelector:
         ananke.bstein.dev/harbor-bootstrap: "true"
+        kubernetes.io/hostname: titan-11
       image:
         repository: registry.bstein.dev/infra/harbor-core
         tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-core:tag"}
@@ -125,6 +127,10 @@ spec:
       podAnnotations:
         vault.hashicorp.com/agent-inject: "true"
         vault.hashicorp.com/role: "harbor"
+        vault.hashicorp.com/agent-requests-cpu: "25m"
+        vault.hashicorp.com/agent-limits-cpu: "100m"
+        vault.hashicorp.com/agent-requests-mem: "32Mi"
+        vault.hashicorp.com/agent-limits-mem: "128Mi"
         vault.hashicorp.com/agent-inject-secret-harbor-core-env.sh: "kv/data/atlas/harbor/harbor-core"
         vault.hashicorp.com/agent-inject-template-harbor-core-env.sh: |
           {{ with secret "kv/data/atlas/harbor/harbor-core" }}
@@ -174,6 +180,7 @@ spec:
     jobservice:
       nodeSelector:
         ananke.bstein.dev/harbor-bootstrap: "true"
+        kubernetes.io/hostname: titan-11
       image:
         repository: registry.bstein.dev/infra/harbor-jobservice
         tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-jobservice:tag"}
@@ -183,6 +190,10 @@ spec:
       podAnnotations:
         vault.hashicorp.com/agent-inject: "true"
         vault.hashicorp.com/role: "harbor"
+        vault.hashicorp.com/agent-requests-cpu: "25m"
+        vault.hashicorp.com/agent-limits-cpu: "100m"
+        vault.hashicorp.com/agent-requests-mem: "32Mi"
+        vault.hashicorp.com/agent-limits-mem: "128Mi"
         vault.hashicorp.com/agent-inject-secret-harbor-jobservice-env.sh: "kv/data/atlas/harbor/harbor-jobservice"
         vault.hashicorp.com/agent-inject-template-harbor-jobservice-env.sh: |
           {{ with secret "kv/data/atlas/harbor/harbor-core" }}
@@ -216,6 +227,7 @@ spec:
     portal:
       nodeSelector:
         ananke.bstein.dev/harbor-bootstrap: "true"
+        kubernetes.io/hostname: titan-11
       image:
         repository: registry.bstein.dev/infra/harbor-portal
         tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-portal:tag"}
@@ -243,6 +255,7 @@ spec:
     registry:
       nodeSelector:
         ananke.bstein.dev/harbor-bootstrap: "true"
+        kubernetes.io/hostname: titan-11
       registry:
         image:
           repository: registry.bstein.dev/infra/harbor-registry
@@ -270,6 +283,10 @@ spec:
       podAnnotations:
         vault.hashicorp.com/agent-inject: "true"
         vault.hashicorp.com/role: "harbor"
+        vault.hashicorp.com/agent-requests-cpu: "25m"
+        vault.hashicorp.com/agent-limits-cpu: "100m"
+        vault.hashicorp.com/agent-requests-mem: "32Mi"
+        vault.hashicorp.com/agent-limits-mem: "128Mi"
         vault.hashicorp.com/agent-inject-secret-harbor-registry-env.sh: "kv/data/atlas/harbor/harbor-registry"
         vault.hashicorp.com/agent-inject-template-harbor-registry-env.sh: |
           {{ with secret "kv/data/atlas/harbor/harbor-registry" }}
@@ -321,6 +338,7 @@ spec:
     nginx:
       nodeSelector:
         ananke.bstein.dev/harbor-bootstrap: "true"
+        kubernetes.io/hostname: titan-11
       image:
         repository: registry.bstein.dev/infra/harbor-nginx
         tag: v2.14.1-arm64 # {"$imagepolicy": "harbor:harbor-nginx:tag"}

services/harbor/pvc.yaml

@@ -8,7 +8,7 @@ spec:
   accessModes: [ "ReadWriteOnce" ]
   resources:
     requests:
-      storage: 50Gi
+      storage: 100Gi
   storageClassName: astreae
 ---
 apiVersion: v1

services/jellyfin/deployment.yaml

@@ -77,23 +77,26 @@ spec:
               mountPath: /config
       affinity:
         nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: longhorn-host
+                    operator: In
+                    values:
+                      - "true"
+                  - key: node-role.kubernetes.io/worker
+                    operator: In
+                    values:
+                      - "true"
           preferredDuringSchedulingIgnoredDuringExecution:
             - weight: 100
               preference:
                 matchExpressions:
-                  - key: kubernetes.io/hostname
+                  - key: hardware
                     operator: In
                     values:
-                      - titan-22
+                      - rpi5
             - weight: 80
-              preference:
-                matchExpressions:
-                  - key: kubernetes.io/hostname
-                    operator: In
-                    values:
-                      - titan-20
-                      - titan-21
-            - weight: 60
               preference:
                 matchExpressions:
                   - key: kubernetes.io/hostname
@@ -105,7 +108,6 @@ spec:
         fsGroup: 65532
         fsGroupChangePolicy: OnRootMismatch
         runAsGroup: 65532
-      runtimeClassName: nvidia
       containers:
         - name: jellyfin
           image: docker.io/jellyfin/jellyfin:10.11.5
@@ -118,8 +120,6 @@ spec:
             - name: http
               containerPort: 8096
           env:
-            - name: NVIDIA_DRIVER_CAPABILITIES
-              value: "compute,video,utility"
             - name: JELLYFIN_PublishedServerUrl
               value: "https://stream.bstein.dev"
             - name: PUID
@@ -131,12 +131,7 @@ spec:
             - name: VAULT_COPY_FILES
               value: /vault/secrets/ldap-config.xml:/config/plugins/configurations/LDAP-Auth.xml
           resources:
-            limits:
-              nvidia.com/gpu.shared: 1
-            #   cpu: "4"
-            #   memory: 8Gi
             requests:
-              nvidia.com/gpu.shared: 1
               cpu: "500m"
               memory: 1Gi
           volumeMounts:

services/jellyfin/oidc/Jenkinsfile

@@ -1,568 +0,0 @@
-pipeline {
-  agent {
-    kubernetes {
-      yaml """
-apiVersion: v1
-kind: Pod
-spec:
-  restartPolicy: Never
-  containers:
-    - name: dotnet
-      image: mcr.microsoft.com/dotnet/sdk:9.0
-      command:
-        - cat
-      tty: true
-"""
-    }
-  }
-  options {
-    timestamps()
-  }
-  parameters {
-    string(name: 'HARBOR_REPO', defaultValue: 'registry.bstein.dev/streaming/oidc-plugin', description: 'OCI repository for the plugin artifact')
-    string(name: 'JELLYFIN_VERSION', defaultValue: '10.11.5', description: 'Jellyfin version to tag the plugin with')
-    string(name: 'PLUGIN_VERSION', defaultValue: '1.0.2.0', description: 'Plugin version')
-  }
-  environment {
-    ORAS_VERSION = "1.2.0"
-    DOTNET_CLI_TELEMETRY_OPTOUT = "1"
-    DOTNET_SKIP_FIRST_TIME_EXPERIENCE = "1"
-  }
-  stages {
-    stage('Checkout') {
-      steps {
-        container('dotnet') {
-          checkout scm
-        }
-      }
-    }
-    stage('Build plugin') {
-      steps {
-        container('dotnet') {
-          sh '''
-            set -euo pipefail
-            apt-get update
-            apt-get install -y --no-install-recommends zip curl ca-certificates git
-            WORKDIR="$(pwd)/build"
-            SRC_DIR="${WORKDIR}/src"
-            DIST_DIR="${WORKDIR}/dist"
-            ART_DIR="${WORKDIR}/artifact"
-            rm -rf "${SRC_DIR}" "${DIST_DIR}" "${ART_DIR}"
-            mkdir -p "${SRC_DIR}" "${DIST_DIR}" "${ART_DIR}"
-            git clone https://github.com/lolerskatez/JellyfinOIDCPlugin.git "${SRC_DIR}"
-            cd "${SRC_DIR}"
-            # Override controllers to avoid DI version issues and add injection script
-            cat > Controllers/OidcController.cs <<'EOF'
-using System;
-using System.Collections.Generic;
-using System.Linq;
-using System.Threading.Tasks;
-using IdentityModel.OidcClient;
-using MediaBrowser.Controller.Library;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.Extensions.DependencyInjection;
-
-namespace JellyfinOIDCPlugin.Controllers;
-
-#nullable enable
-
-[ApiController]
-[Route("api/oidc")]
-public class OidcController : ControllerBase
-{
-    private IUserManager UserManager => HttpContext.RequestServices.GetRequiredService<IUserManager>();
-    private static readonly Dictionary<string, object> StateManager = new(); // Store AuthorizeState objects
-
-    [HttpGet("start")]
-    public async Task<IActionResult> Start()
-    {
-        var config = Plugin.Instance?.Configuration;
-        if (config == null)
-        {
-            return BadRequest("Plugin not initialized");
-        }
-
-        var options = new OidcClientOptions
-        {
-            Authority = config.OidEndpoint?.Trim(),
-            ClientId = config.OidClientId?.Trim(),
-            ClientSecret = config.OidSecret?.Trim(),
-            RedirectUri = GetRedirectUri(),
-            Scope = string.Join(" ", config.OidScopes)
-        };
-
-        try
-        {
-            var client = new OidcClient(options);
-            var result = await client.PrepareLoginAsync().ConfigureAwait(false);
-
-            // Store the authorize state for the callback
-            var stateString = (string)result.GetType().GetProperty("State")?.GetValue(result);
-            if (!string.IsNullOrEmpty(stateString))
-            {
-                StateManager[stateString] = result;
-            }
-
-            var startUrl = (string)result.GetType().GetProperty("StartUrl")?.GetValue(result);
-            if (string.IsNullOrEmpty(startUrl))
-            {
-                Console.WriteLine("OIDC: Could not get StartUrl from OIDC result");
-                return BadRequest("OIDC initialization failed");
-            }
-
-            return Redirect(startUrl);
-        }
-        catch (Exception ex)
-        {
-            Console.WriteLine($"OIDC start error: {ex}");
-            return BadRequest("OIDC error: " + ex.Message);
-        }
-    }
-
-    [HttpGet("callback")]
-    public async Task<IActionResult> Callback()
-    {
-        var config = Plugin.Instance?.Configuration;
-        if (config == null)
-        {
-            return BadRequest("Plugin not initialized");
-        }
-
-        try
-        {
-            var stateParam = Request.Query["state"].ToString();
-            if (string.IsNullOrEmpty(stateParam) || !StateManager.TryGetValue(stateParam, out var storedState))
-            {
-                Console.WriteLine($"OIDC: Invalid state {stateParam}");
-                return BadRequest("Invalid state");
-            }
-
-            var options = new OidcClientOptions
-            {
-                Authority = config.OidEndpoint?.Trim(),
-                ClientId = config.OidClientId?.Trim(),
-                ClientSecret = config.OidSecret?.Trim(),
-                RedirectUri = GetRedirectUri(),
-                Scope = string.Join(" ", config.OidScopes)
-            };
-
-            var client = new OidcClient(options);
-            // Cast stored state to AuthorizeState - it's stored as object
-            var authorizeState = (AuthorizeState)storedState;
-            var result = await client.ProcessResponseAsync(Request.QueryString.Value, authorizeState).ConfigureAwait(false);
-
-            if (result.IsError)
-            {
-                Console.WriteLine($"OIDC callback failed: {result.Error} - {result.ErrorDescription}");
-                return BadRequest("OIDC authentication failed");
-            }
-
-            // Get email from claims
-            var email = result.User?.FindFirst("email")?.Value ?? 
-                       result.User?.FindFirst("preferred_username")?.Value ??
-                       result.User?.FindFirst("sub")?.Value;
-            
-            if (string.IsNullOrEmpty(email))
-            {
-                Console.WriteLine("OIDC: No email/username found in OIDC response");
-                return BadRequest("No email/username found in OIDC response");
-            }
-
-            // Get or create user
-            var user = UserManager.GetUserByName(email);
-            if (user == null)
-            {
-                Console.WriteLine($"OIDC: Creating new user {email}");
-                user = await UserManager.CreateUserAsync(email).ConfigureAwait(false);
-            }
-
-            // Set authentication provider
-            user.AuthenticationProviderId = "OIDC";
-
-            // Get roles from claims
-            var rolesClaimValue = result.User?.FindFirst(config.RoleClaim)?.Value;
-            var roles = string.IsNullOrEmpty(rolesClaimValue)
-                ? Array.Empty<string>()
-                : rolesClaimValue.Split(new[] { ',', ' ' }, StringSplitOptions.RemoveEmptyEntries);
-
-            // Set permissions based on groups
-            var isAdmin = roles.Any(r => r.Equals("admin", StringComparison.OrdinalIgnoreCase));
-            var isPowerUser = roles.Any(r => r.Equals("Power User", StringComparison.OrdinalIgnoreCase)) && !isAdmin;
-
-            Console.WriteLine($"OIDC: User {email} authenticated. Admin: {isAdmin}, PowerUser: {isPowerUser}");
-
-            // Update user in database
-            await UserManager.UpdateUserAsync(user).ConfigureAwait(false);
-
-            StateManager.Remove(stateParam);
-
-            // Redirect to Jellyfin main page
-            return Redirect("/");
-        }
-        catch (Exception ex)
-        {
-            Console.WriteLine($"OIDC callback error: {ex}");
-            return BadRequest("OIDC error: " + ex.Message);
-        }
-    }
-
-    [HttpPost("token")]
-    public async Task<IActionResult> ExchangeToken([FromBody] TokenExchangeRequest request)
-    {
-        var config = Plugin.Instance?.Configuration;
-        if (config == null)
-        {
-            Console.WriteLine("OIDC: Plugin not initialized");
-            return BadRequest("Plugin not initialized");
-        }
-
-        if (string.IsNullOrEmpty(request?.AccessToken))
-        {
-            Console.WriteLine("OIDC: No access token provided");
-            return BadRequest("Access token is required");
-        }
-
-        try
-        {
-            Console.WriteLine("OIDC: Processing token exchange request");
-
-            // Validate the token with the OIDC provider using UserInfo endpoint
-            var options = new OidcClientOptions
-            {
-                Authority = config.OidEndpoint?.Trim(),
-                ClientId = config.OidClientId?.Trim(),
-                ClientSecret = config.OidSecret?.Trim(),
-                Scope = string.Join(" ", config.OidScopes)
-            };
-
-            var client = new OidcClient(options);
-            
-            // Use the access token to get user info
-            var userInfoResult = await client.GetUserInfoAsync(request.AccessToken).ConfigureAwait(false);
-            
-            if (userInfoResult.IsError)
-            {
-                Console.WriteLine($"OIDC: Failed to get user info: {userInfoResult.Error}");
-                return Unauthorized("Invalid access token");
-            }
-
-            // Extract email/username from user info
-            var email = userInfoResult.Claims.FirstOrDefault(c => c.Type == "email")?.Value ??
-                       userInfoResult.Claims.FirstOrDefault(c => c.Type == "preferred_username")?.Value ??
-                       userInfoResult.Claims.FirstOrDefault(c => c.Type == "sub")?.Value;
-
-            if (string.IsNullOrEmpty(email))
-            {
-                Console.WriteLine("OIDC: No email/username found in token");
-                return BadRequest("No email/username found in token");
-            }
-
-            // Get or create user
-            var user = UserManager.GetUserByName(email);
-            if (user == null)
-            {
-                if (!config.AutoCreateUser)
-                {
-                    Console.WriteLine($"OIDC: User {email} not found and auto-create disabled");
-                    return Unauthorized("User does not exist and auto-creation is disabled");
-                }
-
-                Console.WriteLine($"OIDC: Creating new user from token {email}");
-                user = await UserManager.CreateUserAsync(email).ConfigureAwait(false);
-            }
-
-            // Update user authentication provider
-            user.AuthenticationProviderId = "OIDC";
-
-            // Get roles from claims
-            var rolesClaimName = config.RoleClaim ?? "groups";
-            var rolesClaimValue = userInfoResult.Claims.FirstOrDefault(c => c.Type == rolesClaimName)?.Value;
-            var roles = string.IsNullOrEmpty(rolesClaimValue)
-                ? Array.Empty<string>()
-                : rolesClaimValue.Split(new[] { ',', ' ' }, StringSplitOptions.RemoveEmptyEntries);
-
-            // Set permissions based on groups
-            var isAdmin = roles.Any(r => r.Equals("admin", StringComparison.OrdinalIgnoreCase));
-            var isPowerUser = roles.Any(r => r.Equals("Power User", StringComparison.OrdinalIgnoreCase)) && !isAdmin;
-
-            Console.WriteLine($"OIDC: Token exchange for {email} Admin:{isAdmin} Power:{isPowerUser}");
-
-            // Update user in database
-            await UserManager.UpdateUserAsync(user).ConfigureAwait(false);
-
-            // Return success with user info
-            return Ok(new TokenExchangeResponse
-            {
-                Success = true,
-                UserId = user.Id.ToString(),
-                Username = user.Username,
-                Email = email,
-                IsAdmin = isAdmin,
-                Message = "User authenticated successfully"
-            });
-        }
-        catch (Exception ex)
-        {
-            Console.WriteLine($"OIDC token exchange error: {ex}");
-            return StatusCode(500, $"Token exchange failed: {ex.Message}");
-        }
-    }
-
-    private string GetRedirectUri()
-    {
-        var configured = Plugin.Instance?.Configuration?.RedirectUri;
-        if (!string.IsNullOrWhiteSpace(configured))
-        {
-            return configured!;
-        }
-
-        return $"{Request.Scheme}://{Request.Host}/api/oidc/callback";
-    }
-}
-
-public class TokenExchangeRequest
-{
-    public string? AccessToken { get; set; }
-    public string? IdToken { get; set; }
-}
-
-public class TokenExchangeResponse
-{
-    public bool Success { get; set; }
-    public string? UserId { get; set; }
-    public string? Username { get; set; }
-    public string? Email { get; set; }
-    public bool IsAdmin { get; set; }
-    public string? Message { get; set; }
-}
-EOF
-
-            cat > Controllers/OidcStaticController.cs <<'EOF'
-using System;
-using System.IO;
-using System.Reflection;
-using MediaBrowser.Common.Plugins;
-using Microsoft.AspNetCore.Mvc;
-
-namespace JellyfinOIDCPlugin.Controllers;
-
-[ApiController]
-[Route("api/oidc")]
-public class OidcStaticController : ControllerBase
-{
-    [HttpGet("login.js")]
-    public IActionResult GetLoginScript()
-    {
-        try
-        {
-            var assembly = Assembly.GetExecutingAssembly();
-            using var stream = assembly.GetManifestResourceStream("JellyfinOIDCPlugin.web.oidc-login.js");
-            if (stream == null)
-            {
-                Console.WriteLine("OIDC: Login script resource not found");
-                return NotFound();
-            }
-
-            using var reader = new StreamReader(stream);
-            var content = reader.ReadToEnd();
-            
-            return Content(content, "application/javascript");
-        }
-        catch (Exception ex)
-        {
-            Console.WriteLine($"OIDC: Error serving login script {ex}");
-            return StatusCode(500, "Error loading login script");
-        }
-    }
-
-    [HttpGet("loader.js")]
-    public IActionResult GetLoader()
-    {
-        try
-        {
-            var assembly = Assembly.GetExecutingAssembly();
-            using var stream = assembly.GetManifestResourceStream("JellyfinOIDCPlugin.web.oidc-loader.js");
-            if (stream == null)
-            {
-                Console.WriteLine("OIDC: Loader script resource not found");
-                return NotFound();
-            }
-
-            using var reader = new StreamReader(stream);
-            var content = reader.ReadToEnd();
-            
-            return Content(content, "application/javascript");
-        }
-        catch (Exception ex)
-        {
-            Console.WriteLine($"OIDC: Error serving loader script {ex}");
-            return StatusCode(500, "Error loading loader script");
-        }
-    }
-
-    [HttpGet("inject")]
-    public IActionResult GetInject()
-    {
-        try
-        {
-            var script = @"
-(function() {
-    console.log('[OIDC Plugin] Bootstrap inject started');
-    
-    // Load oidc-loader.js dynamically
-    const loaderScript = document.createElement('script');
-    loaderScript.src = '/api/oidc/loader.js';
-    loaderScript.type = 'application/javascript';
-    loaderScript.onerror = function() {
-        console.error('[OIDC Plugin] Failed to load loader.js');
-    };
-    loaderScript.onload = function() {
-        console.log('[OIDC Plugin] Loader.js loaded successfully');
-    };
-    
-    // Append to head or body
-    const target = document.head || document.documentElement;
-    target.appendChild(loaderScript);
-    
-    console.log('[OIDC Plugin] Bootstrap script appended to page');
-})();
-";
-            return Content(script, "application/javascript");
-        }
-        catch (Exception ex)
-        {
-            Console.WriteLine($"OIDC: Error serving inject script {ex}");
-            return StatusCode(500, "Error loading inject script");
-        }
-    }
-
-    [HttpGet("global.js")]
-    public IActionResult GetGlobalInjector()
-    {
-        try
-        {
-            var assembly = Assembly.GetExecutingAssembly();
-            using var stream = assembly.GetManifestResourceStream("JellyfinOIDCPlugin.web.oidc-global-injector.js");
-            if (stream == null)
-            {
-                Console.WriteLine("OIDC: Global injector resource not found");
-                return NotFound();
-            }
-
-            using var reader = new StreamReader(stream);
-            var content = reader.ReadToEnd();
-            
-            return Content(content, "application/javascript");
-        }
-        catch (Exception ex)
-        {
-            Console.WriteLine($"OIDC: Error serving global injector {ex}");
-            return StatusCode(500, "Error loading global injector");
-        }
-    }
-
-    [HttpGet("config")]
-    public IActionResult GetConfigurationPage()
-    {
-        try
-        {
-            var assembly = Assembly.GetExecutingAssembly();
-            using var stream = assembly.GetManifestResourceStream("JellyfinOIDCPlugin.web.configurationpage.html");
-            if (stream == null)
-            {
-                Console.WriteLine("OIDC: Configuration page resource not found");
-                return NotFound("Configuration page resource not found");
-            }
-
-            using var reader = new StreamReader(stream);
-            var content = reader.ReadToEnd();
-            
-            return Content(content, "text/html");
-        }
-        catch (Exception ex)
-        {
-            Console.WriteLine($"OIDC: Error serving configuration page {ex}");
-            return StatusCode(500, $"Error loading configuration page: {ex.Message}");
-        }
-    }
-}
-EOF
-            cat > JellyfinOIDCPlugin.csproj <<'EOF'
-<Project Sdk="Microsoft.NET.Sdk">
-  <PropertyGroup>
-    <TargetFramework>net9.0</TargetFramework>
-    <AssemblyName>JellyfinOIDCPlugin.v2</AssemblyName>
-    <RootNamespace>JellyfinOIDCPlugin</RootNamespace>
-    <LangVersion>latest</LangVersion>
-    <Nullable>enable</Nullable>
-    <ImplicitUsings>enable</ImplicitUsings>
-    <AssemblyVersion>1.0.2.0</AssemblyVersion>
-    <FileVersion>1.0.2.0</FileVersion>
-    <CopyLocalLockFileAssemblies>false</CopyLocalLockFileAssemblies>
-  </PropertyGroup>
-  <ItemGroup>
-    <PackageReference Include="Jellyfin.Controller" Version="10.11.5">
-      <ExcludeAssets>runtime</ExcludeAssets>
-    </PackageReference>
-    <PackageReference Include="Jellyfin.Model" Version="10.11.5">
-      <ExcludeAssets>runtime</ExcludeAssets>
-    </PackageReference>
-    <PackageReference Include="Jellyfin.Common" Version="10.11.5">
-      <ExcludeAssets>runtime</ExcludeAssets>
-    </PackageReference>
-    <PackageReference Include="Jellyfin.Data" Version="10.11.5">
-      <ExcludeAssets>runtime</ExcludeAssets>
-    </PackageReference>
-    <PackageReference Include="Jellyfin.Database.Implementations" Version="10.11.5">
-      <ExcludeAssets>runtime</ExcludeAssets>
-    </PackageReference>
-    <PackageReference Include="IdentityModel.OidcClient" Version="5.2.1">
-      <PrivateAssets>none</PrivateAssets>
-    </PackageReference>
-    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="9.0.11">
-      <ExcludeAssets>runtime</ExcludeAssets>
-    </PackageReference>
-  </ItemGroup>
-  <ItemGroup>
-    <EmbeddedResource Include="web\\*.html" />
-    <EmbeddedResource Include="web\\*.js" />
-    <EmbeddedResource Include="web\\*.css" />
-  </ItemGroup>
-</Project>
-EOF
-            dotnet restore
-            dotnet publish -c Release --no-self-contained -o "${DIST_DIR}"
-            cd "${DIST_DIR}"
-            zip -r "${ART_DIR}/OIDC_Authentication_${PLUGIN_VERSION}-net9.zip" .
-          '''
-        }
-      }
-    }
-    stage('Push to Harbor') {
-      steps {
-        container('dotnet') {
-          withCredentials([usernamePassword(credentialsId: 'harbor-robot', usernameVariable: 'HARBOR_USERNAME', passwordVariable: 'HARBOR_PASSWORD')]) {
-            sh '''
-              set -euo pipefail
-              WORKDIR="$(pwd)/build"
-              ORAS_BIN="/usr/local/bin/oras"
-              curl -sSL "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz" | tar -xz -C /usr/local/bin oras
-              ref_host="$(echo "${HARBOR_REPO}" | cut -d/ -f1)"
-              "${ORAS_BIN}" login "${ref_host}" -u "${HARBOR_USERNAME}" -p "${HARBOR_PASSWORD}"
-              artifact="${WORKDIR}/artifact/OIDC_Authentication_${PLUGIN_VERSION}-net9.zip"
-              "${ORAS_BIN}" push "${HARBOR_REPO}:${JELLYFIN_VERSION}" "${artifact}:application/zip" --artifact-type application/zip
-              "${ORAS_BIN}" push "${HARBOR_REPO}:latest" "${artifact}:application/zip" --artifact-type application/zip
-            '''
-          }
-        }
-      }
-    }
-  }
-  post {
-    always {
-      container('dotnet') {
-        archiveArtifacts artifacts: 'build/artifact/*.zip', allowEmptyArchive: true
-      }
-    }
-  }
-}