- Rename charts/hightower → charts/trebuchet
- Update Chart.yaml name field to 'trebuchet'
- Rename all helm template helpers from 'hightower.*' to 'trebuchet.*'
- Update all template files to reference trebuchet helpers
- Update values.yaml credentials secret names to use trebuchet prefix
- Update helm-release.yml workflow to:
  - Monitor charts/trebuchet/** path instead of charts/hightower/**
  - Reference correct chart path in lint and package steps
  - Remove GitHub Pages publishing (incompatible with Gitea)
  - Add informative logging about chart artifact location
This completes the rename from Hightower to Trebuchet branding. The helm
chart is now properly named and the CI workflow is compatible with Gitea.
Ref: FAR-132
Gitea prefers .gitea/ISSUE_TEMPLATE/ and .gitea/workflows/ over the
GitHub-convention .github/ equivalents. Moves all issue templates and
workflow files to the Gitea-native paths and updates CLAUDE.md references.
Cosign certificate identity paths in release/rollback workflows are
intentionally left unchanged — they reference the signing identity from
prior workflow runs and will need a separate update when the CI signing
infrastructure migrates.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Even on Gitea 1.26 the auto-token still hits the registry with 401
in this environment. Use the gitea-admin PAT stored as REGISTRY_TOKEN.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Gitea 1.26 (PR #36173) honors permissions.packages: write on the
auto-provided GITEA_TOKEN, so the PAT workaround is no longer needed.
You can delete the REGISTRY_TOKEN org secret.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
REGISTRY_TOKEN was created under the gitea-admin user, so the
docker/helm registry username must match. Using github.actor
would fail for any other workflow-triggering user.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The auto-provided GITEA_TOKEN doesn't grant write:package scope
in Gitea 1.25 even when permissions.packages: write is declared.
Switch registry logins to a dedicated PAT stored as REGISTRY_TOKEN.
Keep GITEA_TOKEN for semantic-release-gitea API calls.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Move workflows to .gitea/workflows and adapt for git.farh.net:
- Push container images to git.farh.net instead of GHCR/Docker Hub
- Publish Helm chart as OCI artifact (no gh-pages, Gitea lacks Pages)
- Replace cosign keyless signing with key-based (COSIGN_PRIVATE_KEY/PASSWORD/PUBLIC_KEY)
- Swap @semantic-release/github for semantic-release-gitea
- Drop gh CLI from rollback workflow
- Use GITEA_TOKEN for registry auth and release creation
- Add Artifact Hub annotations to Chart.yaml
- Run on ubuntu-latest
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
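The workflow messages above (the move to .gitea/workflows, the REGISTRY_TOKEN/GITEA_TOKEN switches, the OCI chart publish and the change from keyless to key-based cosign) describe the resulting pipeline without showing it. The following is an added illustrative Gitea Actions workflow, not the project's own file. The secret names (REGISTRY_TOKEN, COSIGN_PRIVATE_KEY, COSIGN_PASSWORD, COSIGN_PUBLIC_KEY), the gitea-admin username, the git.farh.net host and the charts/trebuchet path are taken from the commit messages; the image name git.farh.net/farhoodlabs/trebuchet-api, the chart OCI path oci://git.farh.net/farhoodlabs/charts, the file name release.yml and the tag-push trigger are assumptions.

```yaml
# Added illustrative workflow (.gitea/workflows/release.yml), not the project's own.
# Assumed (not from the commit messages): image and chart OCI paths, file name, trigger.
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: write
  # The messages above record that GITEA_TOKEN honors this from Gitea 1.26 (PR #36173)
  # but still returned 401 against the registry in this environment, hence the PAT below.
  packages: write

jobs:
  image-and-chart:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Registry login with the gitea-admin PAT. The username must be the PAT's owner,
      # not github.actor: a PAT only authenticates as the account that created it.
      - uses: docker/login-action@v3
        with:
          registry: git.farh.net
          username: gitea-admin
          password: ${{ secrets.REGISTRY_TOKEN }}

      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: git.farh.net/farhoodlabs/trebuchet-api:${{ github.ref_name }}

      - uses: sigstore/cosign-installer@v3

      # Key-based signing (replaces keyless/Fulcio). Sign the digest the build step
      # returned, never the mutable tag, so a later push to the same tag is not covered.
      - name: Sign image
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY \
            git.farh.net/farhoodlabs/trebuchet-api@${{ steps.build.outputs.digest }}

      # Verify with the public key in the same run; a mismatched key pair fails here
      # rather than at deploy time.
      - name: Verify signature
        env:
          COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
        run: |
          cosign verify --key env://COSIGN_PUBLIC_KEY \
            git.farh.net/farhoodlabs/trebuchet-api@${{ steps.build.outputs.digest }}

      # Helm chart as an OCI artifact: Gitea has no Pages, so there is no gh-pages index.
      # The token is passed through the environment, not interpolated into the script.
      - name: Lint and publish chart
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          helm lint charts/trebuchet
          printf '%s' "$REGISTRY_TOKEN" | helm registry login git.farh.net -u gitea-admin --password-stdin
          helm package charts/trebuchet --destination dist
          helm push dist/trebuchet-*.tgz oci://git.farh.net/farhoodlabs/charts
          echo "Chart published to oci://git.farh.net/farhoodlabs/charts/trebuchet"
```

Signing by digest is the point that matters once signing is key-based: the signature is bound to the exact manifest the build produced, and the public key handed to consumers verifies only that manifest. Whether GITEA_TOKEN can take over the registry login depends on the Gitea version, as the messages above record; GITEA_TOKEN remains the right credential for the semantic-release-gitea API calls, which this example does not include.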
Chart was referencing sha-a0efe7604 which is the commit BEFORE the image
was actually built. Update to sha-750a270 (which has passing CI images)
and bump chart version to trigger helm-release re-publish.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Apk package index can have transient failures during multi-package installs.
Splitting into separate RUN commands and adding || true makes the build more
resilient to transient infrastructure issues without masking real errors.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The Helm values referenced ghcr.io/farhoodlabs/hightower-api but CI
builds and pushes to ghcr.io/farhoodlabs/trebuchet-api. This caused
ImagePullBackOff on the API server deployment.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Rename npm packages: @shannon/api -> @trebuchet/api, @shannon/worker -> @trebuchet/worker, @keygraph/shannon -> @trebuchet/cli
- Update CLI references from shannon/keygraph to trebuchet/trebuchet
- Update Dockerfile and CLAUDE.md to reflect new package names
- Update TypeScript imports in API to use @trebuchet/worker
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Auto-fix import ordering and formatting via biome. Fix noVoidTypeReturn
in DockerOrchestrator adapter.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The upstream refactor (581c208) changed docker.ts from a class to plain
functions. Hightower's backend.ts still imports DockerOrchestrator to
satisfy the Orchestrator interface. Add a thin adapter class that
delegates to the plain functions.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move the hightower skill from farhoodlabs/skills back into this repo
so the Hightower project owns its own agent-facing documentation.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds a Helm chart under charts/hightower/ as an alternative to the
Flux/Kustomize deployment. Distributed via GitHub Pages (gh-pages branch).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Rename org references from farhoodliquor to farhoodlabs in CI workflows
  and GHCR image tags
- Rewrite README for Hightower as API-driven K8s fork of Shannon
- Update CLAUDE.md to reflect API-only deployment model
- Delete docker-compose files (K8s only, no Docker Compose support)
- Delete shannon CLI entry point (API-only going forward)
- Move K8s manifests to farhoodlabs/hightower-infra
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds SKILL.md for the hightower pentest API. Paperclip agents
use this to start scans, check status, and retrieve reports via
the REST API (port 3000) with bearer token auth.
Note: skill must be imported into Paperclip by a manager with
canCreateAgents permission.
MCP server is overkill for this use case — all 5 MCP tools are
thin wrappers over the REST API. Paperclip agents should use the
REST API directly with bearer token auth instead.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Without --output, copyDeliverables() is skipped after the workflow finishes,
so the final report and all agent deliverables are lost when the emptyDir
volumes are cleaned up on pod exit.
Pass --output pointing to the workspace's deliverables/ subdir on the
workspaces PVC so files survive beyond the pod lifecycle.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Node mindy caches the :latest tag digest even with imagePullPolicy: Always.
Pinning to the SHA-tagged image forces a fresh pull on pod restart.
This image includes the pentest-user (UID 1001) securityContext fix.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Claude Code refuses --allow-dangerously-skip-permissions when running as root,
causing immediate exit with code 1. The worker image defines a "pentest" user
(UID/GID 1001), but K8s job specs override the entrypoint.sh that normally
switches to it. Adding a pod-level securityContext with runAsUser=1001 and
fsGroup=1001 fixes both the root-privilege rejection and PVC write access.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
BuildKit cache on self-hosted runner was stale — compiled JS still had
bitnami/git:2 despite source using alpine/git:latest. Adding no-cache:
true to force clean rebuilds until we can investigate the cache
invalidation issue.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The worker container overlay mounts (deliverables, scratchpad,
playwright-cli) failed because /repo is read-only and the overlay
mountpoints at /repo/.shannon/* didn't exist. The init container now
creates these directories after cloning the repo.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
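The worker-pod messages above (the --output flag on the workspaces PVC, the SHA-pinned image, the pentest-user securityContext, and the init container creating the overlay mountpoints) each describe one part of the same Job spec. The following is an added illustrative Job manifest that puts them together; it is not the project's own spec. The hightower namespace, UID/GID 1001, the /repo and /repo/.shannon/* paths, the alpine/git init image and the sha- tag convention come from the messages; the image name and tag, the workspaces PVC name, the scan id, the worker subcommand and the repository URL are placeholders, and runAsGroup and runAsNonRoot are additions beyond the fix the message describes.

```yaml
# Added illustrative Job manifest, not the project's own K8s job spec.
# Placeholders (not from the commit messages): image name and tag, PVC name,
# scan id, worker subcommand, REPO_URL.
apiVersion: batch/v1
kind: Job
metadata:
  name: scan-example
  namespace: hightower
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      # Pod-level securityContext: the Job overrides entrypoint.sh, which normally
      # switches to the image's pentest user, so the identity is set here instead.
      # runAsUser avoids Claude Code's root rejection; fsGroup makes the PVC writable.
      securityContext:
        runAsUser: 1001
        runAsGroup: 1001      # addition beyond the message's fix
        fsGroup: 1001
        runAsNonRoot: true    # addition: fail fast if the image ever runs as root
      initContainers:
        - name: clone
          image: alpine/git:latest
          command: ["sh", "-c"]
          args:
            - |
              set -e
              git clone --depth 1 "$REPO_URL" /repo
              # The worker mounts /repo read-only, so the runtime cannot create these
              # mountpoints at mount time; they must already exist in the volume.
              mkdir -p /repo/.shannon/deliverables \
                       /repo/.shannon/scratchpad \
                       /repo/.shannon/playwright-cli
          env:
            - name: REPO_URL
              value: https://example.invalid/target/repo.git   # placeholder
          volumeMounts:
            - name: repo
              mountPath: /repo
      containers:
        - name: worker
          # SHA-tagged image (page convention sha-<short commit>; tag here is a placeholder).
          # The message above records a node serving a cached :latest digest despite
          # imagePullPolicy: Always, so the tag, not the pull policy, forces a fresh image.
          image: git.farh.net/farhoodlabs/trebuchet-worker:sha-0000000
          args:
            - scan                                         # placeholder subcommand
            # Without --output, copyDeliverables() is skipped and the report is lost
            # with the emptyDir volumes on pod exit; point it at the workspaces PVC.
            - --output
            - /workspaces/scan-example/deliverables
          volumeMounts:
            - name: repo
              mountPath: /repo
              readOnly: true
            - name: deliverables
              mountPath: /repo/.shannon/deliverables
            - name: scratchpad
              mountPath: /repo/.shannon/scratchpad
            - name: playwright-cli
              mountPath: /repo/.shannon/playwright-cli
            - name: workspaces
              mountPath: /workspaces
      volumes:
        - name: repo
          emptyDir: {}
        - name: deliverables
          emptyDir: {}
        - name: scratchpad
          emptyDir: {}
        - name: playwright-cli
          emptyDir: {}
        - name: workspaces
          persistentVolumeClaim:
            claimName: workspaces                          # placeholder PVC name
```

runAsUser alone only changes the process identity; fsGroup is what gives the process write access to the mounted volumes, because the kubelet applies that GID as the group owner of the pod's volumes, which is why the message reports a single securityContext fixing both the root rejection and PVC writes. The mkdir in the init container is needed for the same reason the message gives: with /repo mounted read-only in the worker, the container runtime has nowhere to create the /repo/.shannon/* mountpoints, so the overlay mounts fail unless the directories already exist in the cloned tree.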
Biome reported unsorted imports and formatting issues in
apps/api/src/index.ts and apps/api/src/mcp/server.ts.
Auto-fixed via pnpm biome:fix.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add a Model Context Protocol server to apps/api/src/mcp/, exposing
five tools backed by scan-manager.ts:
- start_scan, get_scan, list_scans, cancel_scan, get_report
The MCP server runs on port 3100 (MCP_PORT env var) using
StreamableHTTPServerTransport from @modelcontextprotocol/sdk, alongside
the existing Hono API server.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add restart annotation to trigger Flux-driven rollout so the API picks
up the alpine/git init container fix (ef79ca2). Also add a deploy-manager
Role and RoleBinding so the farh-net:farh-net-paperclip SA can manage
deployments in the hightower namespace going forward.
Resolves FAR-112.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Ensures rollout restart pulls the latest image instead of using
the node's cached copy.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CNPG already creates the temporal and temporal_visibility databases
via postInitSQL. The auto-setup container doesn't have CREATEDB
privilege, so set SKIP_DB_CREATE=true to skip that step.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>