feat(skills): align with cross-org review
- safety: drop tools section (moved to sdlc); relax kubectl-apply ban to production-only (dev and uat permit direct kubectl for iteration); keep kubectl-create-secret ban at all environments
- sdlc: split Authentication into its own section (Better-Auth + Google + Apple + Authentik); add Tools (canonical, not alternatives) section moved from safety, including the playwright MCP and ghcr.io registry standard
+22 -2
@@ -147,11 +147,17 @@ Without this release, the receiving agent cannot check out the issue.
* **Production:** namespace `cartsnitch`, FQDN `cartsnitch.farh.net`
* **UAT:** namespace `cartsnitch-uat`, FQDN `cartsnitch.uat.farh.net`
* **Dev:** namespace `cartsnitch-dev`, FQDN `cartsnitch.dev.farh.net`
* **Auth:** Better-Auth + OAuth2 via Authentik OIDC at `https://auth.farh.net` (credentials in `authentik-credentials` secret in the relevant namespace). Authentik / Auth0 / Okta / Entra-ID are all supported. **Never build custom auth.**
* **Cluster:** Kubernetes — cluster-wide read; read/write on `cartsnitch-dev` and `cartsnitch-uat`; read-only on `cartsnitch` (production).
* **Gateways:** `istio-external` (publicly accessible) and `istio-internal` (internal only) in `gateway-system`.
* **Container registry:** `ghcr.io/cartsnitch/<service>` only.
## Authentication
* **Framework:** Better-Auth.
* **Social login:** Google and Apple OAuth.
* **SSO:** Authentik OIDC at `https://auth.farh.net` (credentials in `authentik-credentials` secret).
* **Never build custom authentication.**
## Deployment — 2-stage Flux GitOps
**Stage 1 — CI (GitHub Actions, runs in each application repo):**
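Review bot: the unchanged `**Auth:**` bullet in the environment list still says "Authentik / Auth0 / Okta / Entra-ID are all supported", which contradicts the new Authentication section (Authentik OIDC as the SSO provider, plus Google and Apple social login) and the commit's stated goal of listing canonical tools rather than alternatives; reduce that bullet to a pointer, e.g. "* **Auth:** see the Authentication section below", or delete the Auth0/Okta/Entra-ID clause so an agent reading the file does not get two different answers. Two smaller points: the new `**SSO:**` line drops the "in the relevant namespace" qualifier the old bullet carried for the `authentik-credentials` secret, and since each environment has its own namespace that qualifier is worth keeping; and the section says nothing about where the Google and Apple OAuth client credentials are stored, so a bullet naming their secret would make the section self-contained.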
@@ -181,7 +187,21 @@ kubectl rollout restart deployment/<name> -n <namespace>
Terraform (OpenTofu) is deployed via the **Flux OpenTofu Controller** in a GitOps fashion. Submit Terraform configurations via a PR to `cartsnitch/infra` — the tofu controller reconciles them on merge. Use for Authentik configuration, DNS, or other infra provisioning.
**Never run `tofu` directly.** Never `kubectl apply` against production. Production changes go through Flux only.
**Never run `tofu` directly.** Never `kubectl apply` against production. Production changes go through Flux only. The `cartsnitch-dev` and `cartsnitch-uat` namespaces permit direct kubectl use for iteration.
## Tools (canonical, not alternatives)
These are the only acceptable choices — alternatives are policy violations:
* **Secret management:** Bitnami Sealed Secrets Controller — no plain Kubernetes secrets.
* **Database:** CloudNativePG Operator (Postgres) — no SQLite, MariaDB, or MySQL.
* **Cache / pub-sub:** DragonflyDB Operator — no Redis.
* **Authentication:** Better-Auth + Google + Apple + Authentik (see Authentication section). Never build custom auth.
* **Dependency updates:** Mend Renovate. **Dependabot is not used and will not be used.** Do not configure it.
* **Container registry:** `ghcr.io/cartsnitch/<service>` — no Docker Hub for first-party images.
* **Browser automation:** the `playwright` MCP server (`http://playwright:8931/mcp`). Never run Playwright locally or install browser binaries. Target dev (`cartsnitch.dev.farh.net`) — never test production.
If a task requires deviating from any of the above, treat it as a destructive action: stop, file an issue with rationale, request board approval.
## External communication
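Review bot: the relaxed sentence "The `cartsnitch-dev` and `cartsnitch-uat` namespaces permit direct kubectl use for iteration" leaves `kubectl create secret` implicitly allowed there, while the commit message says that ban is kept at all environments and the Tools bullet only says "no plain Kubernetes secrets"; state the carve-out explicitly right after that sentence, e.g. "`kubectl create secret` remains forbidden in every namespace, including dev and uat; use Sealed Secrets." Two smaller points: the browser-automation bullet says "Target dev (`cartsnitch.dev.farh.net`) — never test production" but is silent on UAT, which matters now that UAT also allows direct kubectl, so say whether `cartsnitch.uat.farh.net` is an acceptable target; and the Tools bullet for authentication repeats "Never build custom auth" already stated in the Authentication section, so pointing to that section without restating the rule would avoid the two copies drifting apart.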