fix: pin MCP sidecar versions for stability

- Pin kubernetes-mcp to v0.0.57 (Jan 27, 2025) with token exchange and field selector support
- Pin flux-mcp to v0.41.1 (already pinned)
- Pin homeassistant-mcp to v6.7.1 (Feb 20, 2026) - latest stable release
- Update documentation with version details
- Bump chart version to 0.1.19

This ensures reproducible deployments and prevents unexpected breaking changes
from floating tags (latest/stable).

Generated with Claude Code via Happy

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>

CLAUDE.md

@@ -81,11 +81,11 @@ Container start
 
 MCP (Model Context Protocol) servers run as sidecar containers in the pod, enabling AI assistants to interact with various services:
 
-| Sidecar | Image | Port | Endpoint | Default |
+| Sidecar | Image | Version | Port | Endpoint | Default |
-|---------|-------|------|----------|---------|
+|---------|-------|---------|------|----------|---------|
-| `kubernetes-mcp` | `quay.io/containers/kubernetes_mcp_server` | 8080 | `http://localhost:8080/sse` | Enabled |
+| `kubernetes-mcp` | `quay.io/containers/kubernetes_mcp_server` | v0.0.57 | 8080 | `http://localhost:8080/sse` | Enabled |
-| `flux-mcp` | `ghcr.io/controlplaneio-fluxcd/flux-operator-mcp` | 8081 | `http://localhost:8081/sse` | Enabled |
+| `flux-mcp` | `ghcr.io/controlplaneio-fluxcd/flux-operator-mcp` | v0.41.1 | 8081 | `http://localhost:8081/sse` | Enabled |
-| `homeassistant-mcp` | `ghcr.io/homeassistant-ai/ha-mcp` | 8087 | `http://localhost:8087/sse` | Disabled |
+| `homeassistant-mcp` | `ghcr.io/homeassistant-ai/ha-mcp` | v6.7.1 | 8087 | `http://localhost:8087/sse` | Disabled |
 
 **Note:**
 - Kubernetes and Flux sidecars require `clusterAccess` != `none` to be deployed (they need RBAC permissions)

README.md

@@ -221,7 +221,7 @@ mcpSidecars:
     enabled: true
     image:
       repository: ghcr.io/homeassistant-ai/ha-mcp
-      tag: stable  # or 'latest' for dev builds
+      tag: v6.7.1  # Override the pinned version if needed
     port: 8087
     resources:
       requests:

chart/values.yaml

@@ -73,7 +73,7 @@ mcpSidecars:
     enabled: true
     image:
       repository: quay.io/containers/kubernetes_mcp_server
-      tag: latest
+      tag: v0.0.57  # Pinned version (Jan 27, 2025) with token exchange and field selector support
     port: 8080
     resources:
       requests:
@@ -99,7 +99,7 @@ mcpSidecars:
     enabled: false  # Disabled by default, requires HOMEASSISTANT_URL and HOMEASSISTANT_TOKEN
     image:
       repository: ghcr.io/homeassistant-ai/ha-mcp
-      tag: stable
+      tag: v6.7.1  # Pinned version (Feb 20, 2026) - latest stable release
     port: 8087
     resources:
       requests:

memory/MEMORY.md

@@ -14,13 +14,14 @@
 - Chart published as OCI artifact to GHCR, reconciled by Flux
 
 ## MCP Sidecars
-- **Kubernetes MCP** (port 8080): Only deployed when enabled AND `clusterAccess` != `none`
+- **Kubernetes MCP** (v0.0.57, port 8080): Only deployed when enabled AND `clusterAccess` != `none`
-- **Flux MCP** (port 8081): Only deployed when enabled AND `clusterAccess` != `none`
+- **Flux MCP** (v0.41.1, port 8081): Only deployed when enabled AND `clusterAccess` != `none`
-- **Home Assistant MCP** (port 8087): Disabled by default, requires secrets:
+- **Home Assistant MCP** (v6.7.1, port 8087): Disabled by default, requires secrets:
   - `homeassistant-url`: Base URL like `http://homeassistant.local:8123`
   - `homeassistant-token`: Long-lived access token
 - **Playwright MCP**: External service, not a sidecar
 - Configure via `mcpSidecars.<name>.enabled` in values
+- **Version Strategy**: All MCP images use pinned versions for stability (no `latest` tags)
 
 ## Common Gotchas
 - `baseimage-gui` creates user dynamically — don't hardcode usernames in scripts, use numeric UID/GID