Incorporate INFRASTRUCTURE.md content into TOOLS.md for all agents

INFRASTRUCTURE.md files contained deployment targets, Kubernetes access,
authentication (Authentik/Better-Auth), secrets (Sealed Secrets/kubeseal),
Flux GitOps deployment pipeline, Mend Renovate policy, and OpenTofu/Flux
ToFu Controller details. This content was missing from the consolidated
TOOLS.md. Now all agents have a comprehensive TOOLS.md with full
infrastructure documentation, and stale references to INFRASTRUCTURE.md,
HEARTBEAT.md, GITHUB.md, and SOUL.md have been updated to point to
SDLC.md and TOOLS.md.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Test User
2026-04-16 02:51:22 +00:00
parent a945a825f2
commit 63d6a49612
16 changed files with 527 additions and 14 deletions
+5
View File
@@ -124,3 +124,8 @@ Understand what each status means:
* **Mandatory status updates:** If you are waiting on a deployment to verify or pending a follow-up, post a status update within 2 heartbeats even if nothing has changed.
* Never look for unassigned work. Never cancel cross-team tasks — reassign to manager.
* Above 80% budget, focus on critical tasks only.
## References
* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy.
* `TOOLS.md` — infrastructure tooling, deployment targets, and technology standards.
+62
View File
@@ -0,0 +1,62 @@
# Tools & Infrastructure
## Deployment Targets
| Environment | Namespace | FQDN |
|-------------|-----------|------|
| Production | `groombook` | `groombook.farh.net` |
| UAT | `groombook-uat` | `groombook.uat.farh.net` |
| Development | `groombook-dev` | `groombook.dev.farh.net` |
## Kubernetes
* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces.
* `kubectl` is available in the environment; agents operate within the cluster.
## Authentication
* Better-Auth with OAuth2 — no custom authentication, no exceptions.
* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only.
* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`.
* Authentik credentials available via the `authentik-credentials` secret in your namespace.
* Supported identity providers: Authentik, Auth0, Okta, Entra-ID.
## Secrets
* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed.
* `kubeseal` is available in the environment with access to encrypt via the public key.
## Databases
* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL.
## Cache / Pub-Sub
* DragonflyDB Operator is the standard — no Redis.
## Deployment — 2-Stage Flux GitOps
Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.**
**Stage 1 — Image build (CI):**
GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`.
**Stage 2 — Manifest update (GitOps):**
The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically.
**Critical rules:**
* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself.
* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR.
* Flux owns convergence — do not `kubectl apply` application manifests directly.
* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy.
## Dependency & Image Updates — Mend Renovate
Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot.
## Terraform (OpenTofu) — Flux ToFu Controller
* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically.
* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm.
* Do not run `tofu` or `terraform` directly outside the controller workflow.
* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource.
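Review bot: the Kubernetes and Secrets sections leave the most security-relevant question open: whether "Cluster-wide read access is granted" includes `Secret` objects in the production `groombook` namespace. Read on a Secret is equivalent to holding its contents, so the bullet should state which resource kinds the cluster-wide read role excludes, or that Secret reads are limited to the `-dev`/`-uat` namespaces. Two smaller points in the same file: the `kubeseal` bullet should say how the sealing certificate is obtained and pinned (for example `kubeseal --fetch-cert` against the controller in `kube-system`, with the default strict namespace/name scope), since a secret sealed with a stale or wrong key cannot be unsealed by the controller and the failure only surfaces at reconcile time; and the Authentication section says both "Authentik is the OIDC/OAuth2 provider" and "Supported identity providers: Authentik, Auth0, Okta, Entra-ID", so state whether the other three are approved alternatives for new services or only upstream sources federated through Authentik.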
+5
View File
@@ -162,3 +162,8 @@ Use the `para-memory-files` skill for all memory operations. Home dir: `$AGENT_H
* Never approve production merges — that is the CEO's sole authority.
* Never exfiltrate secrets or private data.
* If blocked, set `status: "blocked"` with a comment explaining the blocker and who needs to act.
## References
* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy.
* `TOOLS.md` — infrastructure tooling, deployment targets, and technology standards.
+62
View File
@@ -0,0 +1,62 @@
# Tools & Infrastructure
## Deployment Targets
| Environment | Namespace | FQDN |
|-------------|-----------|------|
| Production | `groombook` | `groombook.farh.net` |
| UAT | `groombook-uat` | `groombook.uat.farh.net` |
| Development | `groombook-dev` | `groombook.dev.farh.net` |
## Kubernetes
* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces.
* `kubectl` is available in the environment; agents operate within the cluster.
## Authentication
* Better-Auth with OAuth2 — no custom authentication, no exceptions.
* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only.
* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`.
* Authentik credentials available via the `authentik-credentials` secret in your namespace.
* Supported identity providers: Authentik, Auth0, Okta, Entra-ID.
## Secrets
* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed.
* `kubeseal` is available in the environment with access to encrypt via the public key.
## Databases
* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL.
## Cache / Pub-Sub
* DragonflyDB Operator is the standard — no Redis.
## Deployment — 2-Stage Flux GitOps
Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.**
**Stage 1 — Image build (CI):**
GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`.
**Stage 2 — Manifest update (GitOps):**
The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically.
**Critical rules:**
* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself.
* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR.
* Flux owns convergence — do not `kubectl apply` application manifests directly.
* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy.
## Dependency & Image Updates — Mend Renovate
Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot.
## Terraform (OpenTofu) — Flux ToFu Controller
* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically.
* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm.
* Do not run `tofu` or `terraform` directly outside the controller workflow.
* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource.
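Review bot: this file is a line-for-line copy of the TOOLS.md added above, and the commit lands the same 62 lines in eight places (seven new files plus the one modified in place). Duplicated policy text drifts; the essential-files lists touched by this same commit already mix ` — ` and `--` separators across copies. Keep one canonical TOOLS.md and generate or symlink the per-agent copies from it, or at least add a CI check that the copies are identical.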
+5
View File
@@ -113,3 +113,8 @@ Understand what each status means — do not use them loosely:
* **Mandatory status updates:** If you are waiting on a dependency or have delegated work, post a status update within 2 heartbeats even if nothing has changed. "Still waiting on X" is better than silence.
* Never look for unassigned work. Never cancel cross-team tasks — reassign to manager.
* Above 80% budget, focus on critical tasks only.
## References
* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy.
* `TOOLS.md` — infrastructure tooling, deployment targets, and technology standards.
+62
View File
@@ -0,0 +1,62 @@
# Tools & Infrastructure
## Deployment Targets
| Environment | Namespace | FQDN |
|-------------|-----------|------|
| Production | `groombook` | `groombook.farh.net` |
| UAT | `groombook-uat` | `groombook.uat.farh.net` |
| Development | `groombook-dev` | `groombook.dev.farh.net` |
## Kubernetes
* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces.
* `kubectl` is available in the environment; agents operate within the cluster.
## Authentication
* Better-Auth with OAuth2 — no custom authentication, no exceptions.
* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only.
* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`.
* Authentik credentials available via the `authentik-credentials` secret in your namespace.
* Supported identity providers: Authentik, Auth0, Okta, Entra-ID.
## Secrets
* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed.
* `kubeseal` is available in the environment with access to encrypt via the public key.
## Databases
* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL.
## Cache / Pub-Sub
* DragonflyDB Operator is the standard — no Redis.
## Deployment — 2-Stage Flux GitOps
Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.**
**Stage 1 — Image build (CI):**
GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`.
**Stage 2 — Manifest update (GitOps):**
The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically.
**Critical rules:**
* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself.
* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR.
* Flux owns convergence — do not `kubectl apply` application manifests directly.
* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy.
## Dependency & Image Updates — Mend Renovate
Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot.
## Terraform (OpenTofu) — Flux ToFu Controller
* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically.
* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm.
* Do not run `tofu` or `terraform` directly outside the controller workflow.
* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource.
+5
View File
@@ -108,3 +108,8 @@ Understand what each status means — enforce these when reviewing:
* **QA closure authority:** QA may close IC tasks after CTO has reviewed and merged. IC agents never close their own tasks — if you see this, escalate to CTO.
* Never look for unassigned work. Never cancel cross-team tasks — reassign to manager.
* Above 80% budget, focus on critical tasks only.
## References
* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy.
* `TOOLS.md` — infrastructure tooling, deployment targets, and technology standards.
+62
View File
@@ -0,0 +1,62 @@
# Tools & Infrastructure
## Deployment Targets
| Environment | Namespace | FQDN |
|-------------|-----------|------|
| Production | `groombook` | `groombook.farh.net` |
| UAT | `groombook-uat` | `groombook.uat.farh.net` |
| Development | `groombook-dev` | `groombook.dev.farh.net` |
## Kubernetes
* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces.
* `kubectl` is available in the environment; agents operate within the cluster.
## Authentication
* Better-Auth with OAuth2 — no custom authentication, no exceptions.
* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only.
* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`.
* Authentik credentials available via the `authentik-credentials` secret in your namespace.
* Supported identity providers: Authentik, Auth0, Okta, Entra-ID.
## Secrets
* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed.
* `kubeseal` is available in the environment with access to encrypt via the public key.
## Databases
* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL.
## Cache / Pub-Sub
* DragonflyDB Operator is the standard — no Redis.
## Deployment — 2-Stage Flux GitOps
Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.**
**Stage 1 — Image build (CI):**
GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`.
**Stage 2 — Manifest update (GitOps):**
The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically.
**Critical rules:**
* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself.
* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR.
* Flux owns convergence — do not `kubectl apply` application manifests directly.
* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy.
## Dependency & Image Updates — Mend Renovate
Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot.
## Terraform (OpenTofu) — Flux ToFu Controller
* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically.
* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm.
* Do not run `tofu` or `terraform` directly outside the controller workflow.
* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource.
+2 -3
View File
@@ -123,6 +123,5 @@ Invoke it whenever you need to remember, retrieve, or organize anything.
These files are essential. Read them.
* `HEARTBEAT.md` — execution and extraction checklist. Run every heartbeat.
* `SOUL.md`who you are and how you should act.
* `GITHUB.md` — policy and access information for GitHub.
* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy.
* `TOOLS.md`infrastructure tooling, deployment targets, and technology standards.
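Review bot: the new `TOOLS.md` line reads `` `TOOLS.md`infrastructure tooling … `` with no separator after the filename, while the `SDLC.md` line beside it uses ` — `; add the missing ` — ` so the list renders consistently. The removed `SOUL.md` line has the same defect, which suggests the separator was lost in an earlier edit rather than typed that way, so check the other agent files for `` `SOUL.md`who `` and `` `TOOLS.md`infrastructure `` before merging.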
+62
View File
@@ -0,0 +1,62 @@
# Tools & Infrastructure
## Deployment Targets
| Environment | Namespace | FQDN |
|-------------|-----------|------|
| Production | `groombook` | `groombook.farh.net` |
| UAT | `groombook-uat` | `groombook.uat.farh.net` |
| Development | `groombook-dev` | `groombook.dev.farh.net` |
## Kubernetes
* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces.
* `kubectl` is available in the environment; agents operate within the cluster.
## Authentication
* Better-Auth with OAuth2 — no custom authentication, no exceptions.
* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only.
* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`.
* Authentik credentials available via the `authentik-credentials` secret in your namespace.
* Supported identity providers: Authentik, Auth0, Okta, Entra-ID.
## Secrets
* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed.
* `kubeseal` is available in the environment with access to encrypt via the public key.
## Databases
* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL.
## Cache / Pub-Sub
* DragonflyDB Operator is the standard — no Redis.
## Deployment — 2-Stage Flux GitOps
Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.**
**Stage 1 — Image build (CI):**
GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`.
**Stage 2 — Manifest update (GitOps):**
The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically.
**Critical rules:**
* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself.
* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR.
* Flux owns convergence — do not `kubectl apply` application manifests directly.
* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy.
## Dependency & Image Updates — Mend Renovate
Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot.
## Terraform (OpenTofu) — Flux ToFu Controller
* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically.
* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm.
* Do not run `tofu` or `terraform` directly outside the controller workflow.
* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource.
+2 -3
View File
@@ -224,6 +224,5 @@ Understand and enforce these across the entire team:
These files are essential. Read them.
* `HEARTBEAT.md` — execution and extraction checklist. Run every heartbeat.
* `SOUL.md`who you are and how you should act.
* `GITHUB.md` -- policy and access information for GitHub.
* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy.
* `TOOLS.md`infrastructure tooling, deployment targets, and technology standards.
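Review bot: same separator defect as the other essential-files list: `` `TOOLS.md`infrastructure tooling `` is missing ` — ` after the filename. This hunk also mixes `--` (the removed `GITHUB.md` line) with ` — ` on the added lines, while the SDLC.md hunk at the end of this commit uses `--` throughout; pick one separator per file and apply it to the added lines.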
+61 -4
View File
@@ -1,5 +1,62 @@
# Tools
# Tools & Infrastructure
* Secret Management: Bitnami Sealed Secrets Controller is the standard and available in the cluster, no plain Kubernetes secrets allowed.
* Databases: CloudNativePG Operator (Postgres) is the standard and available in the cluster, no SQLite, MariaDB, or MySQL allowed.
* Cache/Pub-Sub: DragonflyDB Operator is the standard and available in the cluster, no Redis.
## Deployment Targets
| Environment | Namespace | FQDN |
|-------------|-----------|------|
| Production | `groombook` | `groombook.farh.net` |
| UAT | `groombook-uat` | `groombook.uat.farh.net` |
| Development | `groombook-dev` | `groombook.dev.farh.net` |
## Kubernetes
* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces.
* `kubectl` is available in the environment; agents operate within the cluster.
## Authentication
* Better-Auth with OAuth2 — no custom authentication, no exceptions.
* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only.
* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`.
* Authentik credentials available via the `authentik-credentials` secret in your namespace.
* Supported identity providers: Authentik, Auth0, Okta, Entra-ID.
## Secrets
* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed.
* `kubeseal` is available in the environment with access to encrypt via the public key.
## Databases
* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL.
## Cache / Pub-Sub
* DragonflyDB Operator is the standard — no Redis.
## Deployment — 2-Stage Flux GitOps
Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.**
**Stage 1 — Image build (CI):**
GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`.
**Stage 2 — Manifest update (GitOps):**
The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically.
**Critical rules:**
* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself.
* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR.
* Flux owns convergence — do not `kubectl apply` application manifests directly.
* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy.
## Dependency & Image Updates — Mend Renovate
Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot.
## Terraform (OpenTofu) — Flux ToFu Controller
* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically.
* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm.
* Do not run `tofu` or `terraform` directly outside the controller workflow.
* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource.
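Review bot: Stage 2 tells agents to "update image tag(s) in the relevant overlay", and Stage 1 tags are `YYYY.MM.DD-shortsha`, which are mutable references in GHCR. For a flow where Flux alone converges the cluster, have CI emit the image digest alongside the tag and pin both `newTag` and `digest` in the Kustomize overlay (the Kustomize `images` transformer accepts a `digest` field), so that what is reviewed in the `groombook/infra` PR is exactly what runs. Separately, this hunk rewrites the pre-existing three-bullet `# Tools` file in place while the other directories receive fresh copies; if this is the canonical file, say so in a comment at the top so future edits start here.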
+5
View File
@@ -159,3 +159,8 @@ Understand what each status means:
* **Mandatory status updates:** If you are waiting for a deployment to stabilize or pending a follow-up, post a status update within 2 heartbeats even if nothing has changed.
* If blocked, set `status: "blocked"` with a comment.
* Never look for unassigned work.
## References
* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy.
* `TOOLS.md` — infrastructure tooling, deployment targets, and technology standards.
+62
View File
@@ -0,0 +1,62 @@
# Tools & Infrastructure
## Deployment Targets
| Environment | Namespace | FQDN |
|-------------|-----------|------|
| Production | `groombook` | `groombook.farh.net` |
| UAT | `groombook-uat` | `groombook.uat.farh.net` |
| Development | `groombook-dev` | `groombook.dev.farh.net` |
## Kubernetes
* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces.
* `kubectl` is available in the environment; agents operate within the cluster.
## Authentication
* Better-Auth with OAuth2 — no custom authentication, no exceptions.
* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only.
* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`.
* Authentik credentials available via the `authentik-credentials` secret in your namespace.
* Supported identity providers: Authentik, Auth0, Okta, Entra-ID.
## Secrets
* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed.
* `kubeseal` is available in the environment with access to encrypt via the public key.
## Databases
* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL.
## Cache / Pub-Sub
* DragonflyDB Operator is the standard — no Redis.
## Deployment — 2-Stage Flux GitOps
Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.**
**Stage 1 — Image build (CI):**
GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`.
**Stage 2 — Manifest update (GitOps):**
The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically.
**Critical rules:**
* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself.
* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR.
* Flux owns convergence — do not `kubectl apply` application manifests directly.
* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy.
## Dependency & Image Updates — Mend Renovate
Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot.
## Terraform (OpenTofu) — Flux ToFu Controller
* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically.
* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm.
* Do not run `tofu` or `terraform` directly outside the controller workflow.
* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource.
+3 -4
View File
@@ -27,7 +27,7 @@ Prioritize: correctness > clarity > maintainability > performance > elegance.
Use feature flags for risky or user-facing changes where rollback speed matters.
Secrets never touch code. Never exfiltrate secrets or private data, not in Paperclip issues, not in GitHub issues, Comments, Discussions, or Pull Requests.
See INFRASTRUCTURE.md for technology stack and tooling standards.
See TOOLS.md for technology stack, infrastructure standards, and deployment information.
## Handoff Protocol — MANDATORY, NON-BYPASSABLE, ZERO EXCEPTIONS
@@ -216,6 +216,5 @@ Understand what each status means — enforce these across the team:
These files are essential. Read them.
* `HEARTBEAT.md` -- execution and extraction checklist. Run every heartbeat.
* `GITHUB.md` -- policy and access information for GitHub.
* `INFRASTRUCTURE.md` -- infrastructure tooling and deployment information.
* `SDLC.md` -- source control, handoff protocol, status semantics, and GitHub policy.
* `TOOLS.md` -- infrastructure tooling, deployment targets, and technology standards.
+62
View File
@@ -0,0 +1,62 @@
# Tools & Infrastructure
## Deployment Targets
| Environment | Namespace | FQDN |
|-------------|-----------|------|
| Production | `groombook` | `groombook.farh.net` |
| UAT | `groombook-uat` | `groombook.uat.farh.net` |
| Development | `groombook-dev` | `groombook.dev.farh.net` |
## Kubernetes
* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces.
* `kubectl` is available in the environment; agents operate within the cluster.
## Authentication
* Better-Auth with OAuth2 — no custom authentication, no exceptions.
* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only.
* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`.
* Authentik credentials available via the `authentik-credentials` secret in your namespace.
* Supported identity providers: Authentik, Auth0, Okta, Entra-ID.
## Secrets
* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed.
* `kubeseal` is available in the environment with access to encrypt via the public key.
## Databases
* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL.
## Cache / Pub-Sub
* DragonflyDB Operator is the standard — no Redis.
## Deployment — 2-Stage Flux GitOps
Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.**
**Stage 1 — Image build (CI):**
GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`.
**Stage 2 — Manifest update (GitOps):**
The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically.
**Critical rules:**
* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself.
* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR.
* Flux owns convergence — do not `kubectl apply` application manifests directly.
* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy.
## Dependency & Image Updates — Mend Renovate
Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot.
## Terraform (OpenTofu) — Flux ToFu Controller
* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically.
* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm.
* Do not run `tofu` or `terraform` directly outside the controller workflow.
* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource.