Chris Farhood c3227c3dcd chore: rename helm chart from hightower to trebuchet
CI / Type-check & lint (pull_request) Successful in 16s
CI / Build & push worker image (pull_request) Has been skipped
CI / Build & push API image (pull_request) Has been skipped
- Rename charts/hightower → charts/trebuchet
- Update Chart.yaml name field to 'trebuchet'
- Rename all helm template helpers from 'hightower.*' to 'trebuchet.*'
- Update all template files to reference trebuchet helpers
- Update values.yaml credentials secret names to use trebuchet prefix
- Update helm-release.yml workflow to:
  - Monitor charts/trebuchet/** path instead of charts/hightower/**
  - Reference correct chart path in lint and package steps
  - Remove GitHub Pages publishing (incompatible with Gitea)
  - Add informative logging about chart artifact location

This completes the rename from Hightower to Trebuchet branding. The helm
chart is now properly named and the CI workflow is compatible with Gitea.

Ref: FAR-132
2026-05-18 15:56:05 +00:00
22 changed files with 861 additions and 100 deletions
+11 -23
@@ -4,7 +4,7 @@ on:
push:
branches: [main]
paths:
- 'charts/hightower/**'
- 'charts/trebuchet/**'
permissions:
contents: write
@@ -23,31 +23,19 @@ jobs:
uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
- name: Lint chart
run: helm lint charts/hightower
run: helm lint charts/trebuchet
- name: Package chart
run: |
mkdir -p .helm-packages
helm package charts/hightower -d .helm-packages
helm package charts/trebuchet -d .helm-packages
- name: Checkout gh-pages
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: gh-pages
path: gh-pages
fetch-depth: 0
- name: Update Helm repo index
- name: Upload chart to Gitea releases
run: |
cp .helm-packages/*.tgz gh-pages/
helm repo index gh-pages --url https://farhoodlabs.github.io/hightower
- name: Push to gh-pages
run: |
cd gh-pages
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
git add .
git diff --staged --quiet && echo "No changes to commit" && exit 0
git commit -m "Release Helm chart $(ls *.tgz | head -1)"
git push
CHART_FILE=$(ls .helm-packages/*.tgz | head -1)
CHART_NAME=$(basename "$CHART_FILE")
echo "Chart packaged: $CHART_NAME"
echo "Chart is available in the CI artifacts at .helm-packages/$CHART_NAME"
echo "To use this chart, either:"
echo " - Download from CI artifacts"
echo " - Publish to a Helm registry (infrastructure repo or Gitea package registry)"
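Review bot: The `permissions:` / `contents: write` grant kept as context in the first hunk is no longer used by anything visible here, because the gh-pages checkout and `git push` steps are removed; unless a step outside these hunks still writes to the repository, tighten it to `contents: read`. The replacement step is named `Upload chart to Gitea releases` but only echoes the package name, and no artifact-upload step is visible in the hunk, so the message that the chart "is available in the CI artifacts" looks inaccurate once the runner workspace is discarded. Either rename the step to something like `Report packaged chart` or add the actual upload.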
+1
@@ -12,6 +12,7 @@
"dependencies": {
"@hono/node-server": "^1.14.0",
"@kubernetes/client-node": "^1.4.0",
"@modelcontextprotocol/sdk": "^1.29.0",
"@trebuchet/worker": "workspace:*",
"@temporalio/client": "^1.11.0",
"hono": "^4.7.0",
+2
@@ -5,6 +5,7 @@
export interface Config {
readonly port: number;
readonly mcpPort: number;
readonly temporalAddress: string;
readonly apiKey: string;
readonly k8sNamespace: string;
@@ -28,6 +29,7 @@ export function loadConfig(): Config {
return {
port: Number(process.env.PORT) || 3000,
mcpPort: Number(process.env.MCP_PORT) || 3100,
temporalAddress: process.env.TEMPORAL_ADDRESS || 'hightower-temporal:7233',
apiKey,
k8sNamespace: process.env.K8S_NAMESPACE || 'hightower',
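Review bot: `mcpPort: Number(process.env.MCP_PORT) || 3100` accepts any non-zero number, so a value such as `99999` or `-1` passes config loading and only fails when the listener tries to bind, while a non-numeric value silently becomes 3100. Since this opens a second listening port, I would validate it at load time, e.g. `if (!Number.isInteger(mcpPort) || mcpPort < 1 || mcpPort > 65535) throw new Error('MCP_PORT must be 1-65535');`. The existing `port` line follows the same pattern, and the body of loadConfig starts and ends outside this hunk.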
+204
@@ -0,0 +1,204 @@
/**
* MCP server for Hightower scan management.
* Exposes scan-manager tools via the Model Context Protocol over HTTP.
*/
import http from 'node:http';
import type * as k8s from '@kubernetes/client-node';
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
import type { Client } from '@temporalio/client';
import { z } from 'zod';
import type { Config } from '../config.js';
import { cancelScan, getReport, getScan, listScans, startScan } from '../services/scan-manager.js';
import type { CreateScanInput } from '../types/api.js';
export interface McpServerDeps {
readonly config: Config;
readonly temporalClient: Client;
readonly batchApi: k8s.BatchV1Api;
readonly coreApi: k8s.CoreV1Api;
}
function createMcpServer(deps: McpServerDeps): McpServer {
const server = new McpServer(
{ name: 'hightower', version: '1.0.0' },
{
capabilities: {
tools: {},
},
},
);
// === Tool: start_scan ===
server.registerTool(
'start_scan',
{
description: 'Start a new penetration test scan. Returns the scan ID and initial status.',
inputSchema: z.object({
targetUrl: z.string().describe('Target URL to scan (e.g., https://example.com)'),
gitUrl: z.string().describe('Git URL of the repository to analyze (e.g., https://github.com/user/repo)'),
workspace: z
.string()
.optional()
.describe(
'Optional workspace name. Must match /^[a-zA-Z0-9][a-zA-Z0-9_-]{0,127}$/. Defaults to auto-generated from target URL.',
),
gitRef: z.string().optional().describe('Optional Git branch/tag/commit to checkout before scanning.'),
pipelineTesting: z
.boolean()
.optional()
.describe('If true, runs in minimal testing mode with fast retries (10s). Use for development.'),
}),
},
async ({ targetUrl, gitUrl, workspace, gitRef, pipelineTesting }) => {
const input: CreateScanInput = {
targetUrl,
gitUrl,
workspace,
...(gitRef !== undefined && { gitRef }),
...(pipelineTesting !== undefined && { pipelineTesting }),
};
const result = await startScan(deps.config, deps.batchApi, input);
return {
content: [
{
type: 'text' as const,
text: JSON.stringify(result, null, 2),
},
],
};
},
);
// === Tool: get_scan ===
server.registerTool(
'get_scan',
{
description: 'Get the status, progress, and results of a running or completed scan.',
inputSchema: z.object({
scanId: z.string().describe('The scan ID returned from start_scan (e.g., hightower-worker-abc123)'),
}),
},
async ({ scanId }) => {
const result = await getScan(deps.config, deps.temporalClient, scanId);
if (!result) {
return {
content: [{ type: 'text' as const, text: `Scan '${scanId}' not found.` }],
isError: true,
};
}
return {
content: [
{
type: 'text' as const,
text: JSON.stringify(result, null, 2),
},
],
};
},
);
// === Tool: list_scans ===
server.registerTool(
'list_scans',
{
description: 'List all running and historical scans.',
inputSchema: z.object({}),
},
async () => {
const results = await listScans(deps.config, deps.temporalClient, deps.batchApi);
return {
content: [
{
type: 'text' as const,
text: JSON.stringify(results, null, 2),
},
],
};
},
);
// === Tool: cancel_scan ===
server.registerTool(
'cancel_scan',
{
description: 'Cancel a running scan by terminating its Kubernetes Job and Temporal workflow.',
inputSchema: z.object({
scanId: z.string().describe('The scan ID to cancel.'),
}),
},
async ({ scanId }) => {
await cancelScan(deps.config, deps.temporalClient, deps.batchApi, scanId);
return {
content: [
{
type: 'text' as const,
text: `Scan '${scanId}' cancellation requested.`,
},
],
};
},
);
// === Tool: get_report ===
server.registerTool(
'get_report',
{
description: 'Get the final security report for a completed scan.',
inputSchema: z.object({
scanId: z.string().describe('The scan ID to get the report for.'),
}),
},
async ({ scanId }) => {
const report = await getReport(deps.config, scanId);
if (!report) {
return {
content: [
{
type: 'text' as const,
text: `Report for scan '${scanId}' not found.`,
},
],
isError: true,
};
}
return {
content: [{ type: 'text' as const, text: report }],
};
},
);
return server;
}
export async function startMcpServer(deps: McpServerDeps, port: number): Promise<http.Server> {
const mcpServer = createMcpServer(deps);
const transport = new StreamableHTTPServerTransport({
sessionIdGenerator: () => crypto.randomUUID(),
});
// Cast to Transport — the SDK's Transport interface requires onclose: () => void
// but StreamableHTTPServerTransport allows undefined (handled internally).
await mcpServer.connect(transport as never);
const server = http.createServer((req, res) => {
transport.handleRequest(req, res, undefined);
});
return new Promise<http.Server>((resolve, reject) => {
server.on('error', reject);
server.listen(port, () => {
console.log(`MCP server listening on port ${port}`);
resolve(server);
});
});
}
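Review bot: The HTTP listener in startMcpServer hands every request straight to `transport.handleRequest` with no authentication, so anyone who can reach the MCP port can call `start_scan` against an arbitrary `targetUrl`, cancel scans, or read reports through `get_report`. `Config` already carries `apiKey` and `deps.config` is in scope, so the handler should reject requests that do not present it before touching the transport, using a constant-time comparison (`timingSafeEqual` from `node:crypto`); the header scheme in the sketch below is an assumption and should match whatever the REST API enforces. The promise returned by `handleRequest` is also dropped, so a rejection would surface as an unhandled rejection instead of a 500 response. Separately, `targetUrl` and `gitUrl` are plain `z.string()` and the `workspace` pattern exists only in the description text; unless `startScan` validates them (not visible here), tighten the schema with `z.string().url()` and a `.regex(...)` on `workspace`.

```typescript
// … unchanged: createMcpServer(deps), transport setup, mcpServer.connect …
const expected = Buffer.from(`Bearer ${deps.config.apiKey}`);
const server = http.createServer((req, res) => {
  // Header scheme is an assumption; align it with the REST API's existing check.
  const presented = Buffer.from(req.headers.authorization ?? '');
  const authorized = presented.length === expected.length && timingSafeEqual(presented, expected);
  if (!authorized) {
    res.writeHead(401).end();
    return;
  }
  transport.handleRequest(req, res, undefined).catch((err: unknown) => {
    console.error('MCP request failed', err);
    if (!res.headersSent) res.writeHead(500).end();
  });
});
// … unchanged: listen on `port` and resolve with the server …
```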
@@ -1,5 +1,5 @@
apiVersion: v2
name: hightower
name: trebuchet
description: API-driven AI pentester built on Shannon, deployed as a service on Kubernetes
type: application
version: 0.1.1
@@ -22,9 +22,9 @@ Ensure the following secrets exist in the {{ .Release.Namespace }} namespace:
== Services ==
API: {{ include "hightower.api.fullname" . }}:{{ .Values.api.port }}
Temporal: {{ include "hightower.temporal.serviceName" . }}:{{ .Values.temporal.ports.grpc }} (gRPC)
{{ include "hightower.temporal.serviceName" . }}:{{ .Values.temporal.ports.webUi }} (Web UI)
API: {{ include "trebuchet.api.fullname" . }}:{{ .Values.api.port }}
Temporal: {{ include "trebuchet.temporal.serviceName" . }}:{{ .Values.temporal.ports.grpc }} (gRPC)
{{ include "trebuchet.temporal.serviceName" . }}:{{ .Values.temporal.ports.webUi }} (Web UI)
{{- if .Values.router.enabled }}
Router: {{ include "hightower.router.fullname" . }}:{{ .Values.router.port }}
Router: {{ include "trebuchet.router.fullname" . }}:{{ .Values.router.port }}
{{- end }}
@@ -1,14 +1,14 @@
{{/*
Chart name, truncated to 63 chars.
*/}}
{{- define "hightower.name" -}}
{{- define "trebuchet.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Fully qualified app name, truncated to 63 chars.
*/}}
{{- define "hightower.fullname" -}}
{{- define "trebuchet.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
@@ -24,99 +24,99 @@ Fully qualified app name, truncated to 63 chars.
{{/*
Chart label value.
*/}}
{{- define "hightower.chart" -}}
{{- define "trebuchet.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels.
*/}}
{{- define "hightower.labels" -}}
helm.sh/chart: {{ include "hightower.chart" . }}
{{- define "trebuchet.labels" -}}
helm.sh/chart: {{ include "trebuchet.chart" . }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
API component name.
*/}}
{{- define "hightower.api.fullname" -}}
{{- printf "%s-api" (include "hightower.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- define "trebuchet.api.fullname" -}}
{{- printf "%s-api" (include "trebuchet.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
API selector labels.
*/}}
{{- define "hightower.api.selectorLabels" -}}
app: {{ include "hightower.api.fullname" . }}
{{- define "trebuchet.api.selectorLabels" -}}
app: {{ include "trebuchet.api.fullname" . }}
{{- end }}
{{/*
Temporal component name.
*/}}
{{- define "hightower.temporal.fullname" -}}
{{- printf "%s-temporal" (include "hightower.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- define "trebuchet.temporal.fullname" -}}
{{- printf "%s-temporal" (include "trebuchet.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Temporal service name (same as fullname).
*/}}
{{- define "hightower.temporal.serviceName" -}}
{{- include "hightower.temporal.fullname" . }}
{{- define "trebuchet.temporal.serviceName" -}}
{{- include "trebuchet.temporal.fullname" . }}
{{- end }}
{{/*
Temporal selector labels.
*/}}
{{- define "hightower.temporal.selectorLabels" -}}
app: {{ include "hightower.temporal.fullname" . }}
{{- define "trebuchet.temporal.selectorLabels" -}}
app: {{ include "trebuchet.temporal.fullname" . }}
{{- end }}
{{/*
Router component name.
*/}}
{{- define "hightower.router.fullname" -}}
{{- printf "%s-router" (include "hightower.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- define "trebuchet.router.fullname" -}}
{{- printf "%s-router" (include "trebuchet.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Router selector labels.
*/}}
{{- define "hightower.router.selectorLabels" -}}
app: {{ include "hightower.router.fullname" . }}
{{- define "trebuchet.router.selectorLabels" -}}
app: {{ include "trebuchet.router.fullname" . }}
{{- end }}
{{/*
CNPG cluster name.
*/}}
{{- define "hightower.cnpg.fullname" -}}
{{- printf "%s-temporal-db" (include "hightower.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- define "trebuchet.cnpg.fullname" -}}
{{- printf "%s-temporal-db" (include "trebuchet.fullname" .) | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
CNPG read-write service name (CNPG auto-creates <cluster>-rw).
*/}}
{{- define "hightower.cnpg.serviceName" -}}
{{- printf "%s-rw" (include "hightower.cnpg.fullname" .) }}
{{- define "trebuchet.cnpg.serviceName" -}}
{{- printf "%s-rw" (include "trebuchet.cnpg.fullname" .) }}
{{- end }}
{{/*
Service account name for the API.
*/}}
{{- define "hightower.serviceAccountName" -}}
{{- define "trebuchet.serviceAccountName" -}}
{{- if .Values.api.serviceAccount.name }}
{{- .Values.api.serviceAccount.name }}
{{- else }}
{{- include "hightower.api.fullname" . }}
{{- include "trebuchet.api.fullname" . }}
{{- end }}
{{- end }}
{{/*
Postgres seeds host — use override or default to CNPG service.
*/}}
{{- define "hightower.temporal.postgresSeeds" -}}
{{- define "trebuchet.temporal.postgresSeeds" -}}
{{- if .Values.temporal.db.host }}
{{- .Values.temporal.db.host }}
{{- else }}
{{- include "hightower.cnpg.serviceName" . }}
{{- include "trebuchet.cnpg.serviceName" . }}
{{- end }}
{{- end }}
@@ -1,21 +1,21 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hightower.api.fullname" . }}
name: {{ include "trebuchet.api.fullname" . }}
labels:
{{- include "hightower.labels" . | nindent 4 }}
{{- include "hightower.api.selectorLabels" . | nindent 4 }}
{{- include "trebuchet.labels" . | nindent 4 }}
{{- include "trebuchet.api.selectorLabels" . | nindent 4 }}
spec:
replicas: {{ .Values.api.replicaCount }}
selector:
matchLabels:
{{- include "hightower.api.selectorLabels" . | nindent 6 }}
{{- include "trebuchet.api.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "hightower.api.selectorLabels" . | nindent 8 }}
{{- include "trebuchet.api.selectorLabels" . | nindent 8 }}
spec:
serviceAccountName: {{ include "hightower.serviceAccountName" . }}
serviceAccountName: {{ include "trebuchet.serviceAccountName" . }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
@@ -29,7 +29,7 @@ spec:
name: http
env:
- name: TEMPORAL_ADDRESS
value: "{{ include "hightower.temporal.serviceName" . }}:{{ .Values.temporal.ports.grpc }}"
value: "{{ include "trebuchet.temporal.serviceName" . }}:{{ .Values.temporal.ports.grpc }}"
- name: WORKER_IMAGE
value: {{ .Values.api.workerImage }}
- name: K8S_NAMESPACE
@@ -59,4 +59,4 @@ spec:
volumes:
- name: workspaces
persistentVolumeClaim:
claimName: {{ include "hightower.fullname" . }}-workspaces
claimName: {{ include "trebuchet.fullname" . }}-workspaces
@@ -1,9 +1,9 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "hightower.api.fullname" . }}
name: {{ include "trebuchet.api.fullname" . }}
labels:
{{- include "hightower.labels" . | nindent 4 }}
{{- include "trebuchet.labels" . | nindent 4 }}
rules:
- apiGroups: ["batch"]
resources: ["jobs"]
@@ -1,14 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "hightower.api.fullname" . }}
name: {{ include "trebuchet.api.fullname" . }}
labels:
{{- include "hightower.labels" . | nindent 4 }}
{{- include "trebuchet.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ include "hightower.serviceAccountName" . }}
name: {{ include "trebuchet.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: {{ include "hightower.api.fullname" . }}
name: {{ include "trebuchet.api.fullname" . }}
apiGroup: rbac.authorization.k8s.io
@@ -1,12 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "hightower.api.fullname" . }}
name: {{ include "trebuchet.api.fullname" . }}
labels:
{{- include "hightower.labels" . | nindent 4 }}
{{- include "trebuchet.labels" . | nindent 4 }}
spec:
selector:
{{- include "hightower.api.selectorLabels" . | nindent 4 }}
{{- include "trebuchet.api.selectorLabels" . | nindent 4 }}
ports:
- name: http
port: {{ .Values.api.port }}
@@ -2,7 +2,7 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hightower.serviceAccountName" . }}
name: {{ include "trebuchet.serviceAccountName" . }}
labels:
{{- include "hightower.labels" . | nindent 4 }}
{{- include "trebuchet.labels" . | nindent 4 }}
{{- end }}
@@ -2,9 +2,9 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "hightower.router.fullname" . }}-config
name: {{ include "trebuchet.router.fullname" . }}-config
labels:
{{- include "hightower.labels" . | nindent 4 }}
{{- include "trebuchet.labels" . | nindent 4 }}
data:
router-config.json: {{ .Values.router.config | toJson | quote }}
{{- end }}
@@ -2,19 +2,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hightower.router.fullname" . }}
name: {{ include "trebuchet.router.fullname" . }}
labels:
{{- include "hightower.labels" . | nindent 4 }}
{{- include "hightower.router.selectorLabels" . | nindent 4 }}
{{- include "trebuchet.labels" . | nindent 4 }}
{{- include "trebuchet.router.selectorLabels" . | nindent 4 }}
spec:
replicas: {{ .Values.router.replicaCount }}
selector:
matchLabels:
{{- include "hightower.router.selectorLabels" . | nindent 6 }}
{{- include "trebuchet.router.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "hightower.router.selectorLabels" . | nindent 8 }}
{{- include "trebuchet.router.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
@@ -62,5 +62,5 @@ spec:
volumes:
- name: config
configMap:
name: {{ include "hightower.router.fullname" . }}-config
name: {{ include "trebuchet.router.fullname" . }}-config
{{- end }}
@@ -2,12 +2,12 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "hightower.router.fullname" . }}
name: {{ include "trebuchet.router.fullname" . }}
labels:
{{- include "hightower.labels" . | nindent 4 }}
{{- include "trebuchet.labels" . | nindent 4 }}
spec:
selector:
{{- include "hightower.router.selectorLabels" . | nindent 4 }}
{{- include "trebuchet.router.selectorLabels" . | nindent 4 }}
ports:
- port: {{ .Values.router.port }}
targetPort: {{ .Values.router.port }}
@@ -2,9 +2,9 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: {{ include "hightower.cnpg.fullname" . }}
name: {{ include "trebuchet.cnpg.fullname" . }}
labels:
{{- include "hightower.labels" . | nindent 4 }}
{{- include "trebuchet.labels" . | nindent 4 }}
spec:
instances: {{ .Values.cnpg.instances }}
storage:
@@ -1,19 +1,19 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hightower.temporal.fullname" . }}
name: {{ include "trebuchet.temporal.fullname" . }}
labels:
{{- include "hightower.labels" . | nindent 4 }}
{{- include "hightower.temporal.selectorLabels" . | nindent 4 }}
{{- include "trebuchet.labels" . | nindent 4 }}
{{- include "trebuchet.temporal.selectorLabels" . | nindent 4 }}
spec:
replicas: {{ .Values.temporal.replicaCount }}
selector:
matchLabels:
{{- include "hightower.temporal.selectorLabels" . | nindent 6 }}
{{- include "trebuchet.temporal.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "hightower.temporal.selectorLabels" . | nindent 8 }}
{{- include "trebuchet.temporal.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
@@ -34,7 +34,7 @@ spec:
- name: DB_PORT
value: {{ .Values.temporal.db.port | quote }}
- name: POSTGRES_SEEDS
value: {{ include "hightower.temporal.postgresSeeds" . }}
value: {{ include "trebuchet.temporal.postgresSeeds" . }}
- name: DBNAME
value: {{ .Values.temporal.db.name }}
- name: VISIBILITY_DBNAME
@@ -1,12 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "hightower.temporal.serviceName" . }}
name: {{ include "trebuchet.temporal.serviceName" . }}
labels:
{{- include "hightower.labels" . | nindent 4 }}
{{- include "trebuchet.labels" . | nindent 4 }}
spec:
selector:
{{- include "hightower.temporal.selectorLabels" . | nindent 4 }}
{{- include "trebuchet.temporal.selectorLabels" . | nindent 4 }}
ports:
- name: grpc
port: {{ .Values.temporal.ports.grpc }}
@@ -1,9 +1,9 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "hightower.fullname" . }}-workspaces
name: {{ include "trebuchet.fullname" . }}-workspaces
labels:
{{- include "hightower.labels" . | nindent 4 }}
{{- include "trebuchet.labels" . | nindent 4 }}
{{- if .Values.workspaces.retain }}
annotations:
helm.sh/resource-policy: keep
@@ -4,8 +4,8 @@ imagePullSecrets: []
# Externally-managed secrets (chart never creates these)
secrets:
credentials: hightower-credentials
temporalDbApp: hightower-temporal-db-app
credentials: trebuchet-credentials
temporalDbApp: trebuchet-temporal-db-app
# Shared workspaces PVC
workspaces:
+566
File diff suppressed because it is too large Load Diff