From 63d6a4961296fa2aa87793a608df7d7091a32c42 Mon Sep 17 00:00:00 2001
From: Test User
Date: Thu, 16 Apr 2026 02:51:22 +0000
Subject: [PATCH] Incorporate INFRASTRUCTURE.md content into TOOLS.md for all agents

INFRASTRUCTURE.md files contained deployment targets, Kubernetes access, authentication (Authentik/Better-Auth), secrets (Sealed Secrets/kubeseal), Flux GitOps deployment pipeline, Mend Renovate policy, and OpenTofu/Flux ToFu Controller details. This content was missing from the consolidated TOOLS.md.

Now all agents have a comprehensive TOOLS.md with full infrastructure documentation, and stale references to INFRASTRUCTURE.md, HEARTBEAT.md, GITHUB.md, and SOUL.md have been updated to point to SDLC.md and TOOLS.md.

Co-Authored-By: Paperclip
---
 agents/barkley-trimsworth/AGENTS.md    |  5 ++
 agents/barkley-trimsworth/TOOLS.md     | 62 ++++++++++++++++++++++++
 agents/daisy-clippington/AGENTS.md     |  5 ++
 agents/daisy-clippington/TOOLS.md      | 62 ++++++++++++++++++++++++
 agents/flea-flicker/AGENTS.md          |  5 ++
 agents/flea-flicker/TOOLS.md           | 62 ++++++++++++++++++++++++
 agents/lint-roller/AGENTS.md           |  5 ++
 agents/lint-roller/TOOLS.md            | 62 ++++++++++++++++++++++++
 agents/pawla-abdul/AGENTS.md           |  5 +-
 agents/pawla-abdul/TOOLS.md            | 62 ++++++++++++++++++++++++
 agents/scrubs-mcbarkley/AGENTS.md      |  5 +-
 agents/scrubs-mcbarkley/TOOLS.md       | 65 ++++++++++++++++++++++++--
 agents/shedward-scissorhands/AGENTS.md |  5 ++
 agents/shedward-scissorhands/TOOLS.md  | 62 ++++++++++++++++++++++++
 agents/the-dogfather/AGENTS.md         |  7 ++-
 agents/the-dogfather/TOOLS.md          | 62 ++++++++++++++++++++++++
 16 files changed, 527 insertions(+), 14 deletions(-)
 create mode 100644 agents/barkley-trimsworth/TOOLS.md
 create mode 100644 agents/daisy-clippington/TOOLS.md
 create mode 100644 agents/flea-flicker/TOOLS.md
 create mode 100644 agents/lint-roller/TOOLS.md
 create mode 100644 agents/pawla-abdul/TOOLS.md
 create mode 100644 agents/shedward-scissorhands/TOOLS.md
 create mode 100644 agents/the-dogfather/TOOLS.md
diff --git a/agents/barkley-trimsworth/AGENTS.md b/agents/barkley-trimsworth/AGENTS.md index 9bd7cd3..79e4a96 100644 --- a/agents/barkley-trimsworth/AGENTS.md +++ b/agents/barkley-trimsworth/AGENTS.md @@ -124,3 +124,8 @@ Understand what each status means: * **Mandatory status updates:** If you are waiting on a deployment to verify or pending a follow-up, post a status update within 2 heartbeats even if nothing has changed. * Never look for unassigned work. Never cancel cross-team tasks — reassign to manager. * Above 80% budget, focus on critical tasks only. + +## References + +* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy. +* `TOOLS.md` — infrastructure tooling, deployment targets, and technology standards. diff --git a/agents/barkley-trimsworth/TOOLS.md b/agents/barkley-trimsworth/TOOLS.md new file mode 100644 index 0000000..5b38df8 --- /dev/null +++ b/agents/barkley-trimsworth/TOOLS.md 
@@ -0,0 +1,62 @@ +# Tools & Infrastructure + +## Deployment Targets + +| Environment | Namespace | FQDN | +|-------------|-----------|------| +| Production | `groombook` | `groombook.farh.net` | +| UAT | `groombook-uat` | `groombook.uat.farh.net` | +| Development | `groombook-dev` | `groombook.dev.farh.net` | + +## Kubernetes + +* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces. +* `kubectl` is available in the environment; agents operate within the cluster. + +## Authentication + +* Better-Auth with OAuth2 — no custom authentication, no exceptions. +* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only. +* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`. +* Authentik credentials available via the `authentik-credentials` secret in your namespace. +* Supported identity providers: Authentik, Auth0, Okta, Entra-ID. + +## Secrets + +* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed. +* `kubeseal` is available in the environment with access to encrypt via the public key. + +## Databases + +* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL. + +## Cache / Pub-Sub + +* DragonflyDB Operator is the standard — no Redis. + +## Deployment — 2-Stage Flux GitOps + +Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.** + +**Stage 1 — Image build (CI):** +GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`. + +**Stage 2 — Manifest update (GitOps):** +The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. 
Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically. + +**Critical rules:** +* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself. +* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR. +* Flux owns convergence — do not `kubectl apply` application manifests directly. +* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy. + +## Dependency & Image Updates — Mend Renovate + +Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot. + +## Terraform (OpenTofu) — Flux ToFu Controller + +* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically. +* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm. +* Do not run `tofu` or `terraform` directly outside the controller workflow. +* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource. diff --git a/agents/daisy-clippington/AGENTS.md b/agents/daisy-clippington/AGENTS.md index 01e19eb..8e98ce0 100644 --- a/agents/daisy-clippington/AGENTS.md +++ b/agents/daisy-clippington/AGENTS.md 
@@ -162,3 +162,8 @@ Use the `para-memory-files` skill for all memory operations. Home dir: `$AGENT_H * Never approve production merges — that is the CEO's sole authority. * Never exfiltrate secrets or private data. * If blocked, set `status: "blocked"` with a comment explaining the blocker and who needs to act. + +## References + +* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy. +* `TOOLS.md` — infrastructure tooling, deployment targets, and technology standards. diff --git a/agents/daisy-clippington/TOOLS.md b/agents/daisy-clippington/TOOLS.md new file mode 100644 index 0000000..5b38df8 --- /dev/null +++ b/agents/daisy-clippington/TOOLS.md 
@@ -0,0 +1,62 @@ +# Tools & Infrastructure + +## Deployment Targets + +| Environment | Namespace | FQDN | +|-------------|-----------|------| +| Production | `groombook` | `groombook.farh.net` | +| UAT | `groombook-uat` | `groombook.uat.farh.net` | +| Development | `groombook-dev` | `groombook.dev.farh.net` | + +## Kubernetes + +* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces. +* `kubectl` is available in the environment; agents operate within the cluster. + +## Authentication + +* Better-Auth with OAuth2 — no custom authentication, no exceptions. +* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only. +* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`. +* Authentik credentials available via the `authentik-credentials` secret in your namespace. +* Supported identity providers: Authentik, Auth0, Okta, Entra-ID. + +## Secrets + +* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed. +* `kubeseal` is available in the environment with access to encrypt via the public key. + +## Databases + +* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL. + +## Cache / Pub-Sub + +* DragonflyDB Operator is the standard — no Redis. + +## Deployment — 2-Stage Flux GitOps + +Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.** + +**Stage 1 — Image build (CI):** +GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`. + +**Stage 2 — Manifest update (GitOps):** +The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. 
Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically. + +**Critical rules:** +* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself. +* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR. +* Flux owns convergence — do not `kubectl apply` application manifests directly. +* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy. + +## Dependency & Image Updates — Mend Renovate + +Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot. + +## Terraform (OpenTofu) — Flux ToFu Controller + +* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically. +* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm. +* Do not run `tofu` or `terraform` directly outside the controller workflow. +* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource. diff --git a/agents/flea-flicker/AGENTS.md b/agents/flea-flicker/AGENTS.md index 8166e9d..0435930 100644 --- a/agents/flea-flicker/AGENTS.md +++ b/agents/flea-flicker/AGENTS.md 
@@ -113,3 +113,8 @@ Understand what each status means — do not use them loosely: * **Mandatory status updates:** If you are waiting on a dependency or have delegated work, post a status update within 2 heartbeats even if nothing has changed. "Still waiting on X" is better than silence. * Never look for unassigned work. Never cancel cross-team tasks — reassign to manager. * Above 80% budget, focus on critical tasks only. + +## References + +* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy. +* `TOOLS.md` — infrastructure tooling, deployment targets, and technology standards. diff --git a/agents/flea-flicker/TOOLS.md b/agents/flea-flicker/TOOLS.md new file mode 100644 index 0000000..5b38df8 --- /dev/null +++ b/agents/flea-flicker/TOOLS.md 
@@ -0,0 +1,62 @@ +# Tools & Infrastructure + +## Deployment Targets + +| Environment | Namespace | FQDN | +|-------------|-----------|------| +| Production | `groombook` | `groombook.farh.net` | +| UAT | `groombook-uat` | `groombook.uat.farh.net` | +| Development | `groombook-dev` | `groombook.dev.farh.net` | + +## Kubernetes + +* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces. +* `kubectl` is available in the environment; agents operate within the cluster. + +## Authentication + +* Better-Auth with OAuth2 — no custom authentication, no exceptions. +* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only. +* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`. +* Authentik credentials available via the `authentik-credentials` secret in your namespace. +* Supported identity providers: Authentik, Auth0, Okta, Entra-ID. + +## Secrets + +* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed. +* `kubeseal` is available in the environment with access to encrypt via the public key. + +## Databases + +* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL. + +## Cache / Pub-Sub + +* DragonflyDB Operator is the standard — no Redis. + +## Deployment — 2-Stage Flux GitOps + +Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.** + +**Stage 1 — Image build (CI):** +GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`. + +**Stage 2 — Manifest update (GitOps):** +The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. 
Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically. + +**Critical rules:** +* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself. +* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR. +* Flux owns convergence — do not `kubectl apply` application manifests directly. +* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy. + +## Dependency & Image Updates — Mend Renovate + +Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot. + +## Terraform (OpenTofu) — Flux ToFu Controller + +* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically. +* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm. +* Do not run `tofu` or `terraform` directly outside the controller workflow. +* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource. diff --git a/agents/lint-roller/AGENTS.md b/agents/lint-roller/AGENTS.md index b9bb00d..4d6f74b 100644 --- a/agents/lint-roller/AGENTS.md +++ b/agents/lint-roller/AGENTS.md 
@@ -108,3 +108,8 @@ Understand what each status means — enforce these when reviewing: * **QA closure authority:** QA may close IC tasks after CTO has reviewed and merged. IC agents never close their own tasks — if you see this, escalate to CTO. * Never look for unassigned work. Never cancel cross-team tasks — reassign to manager. * Above 80% budget, focus on critical tasks only. + +## References + +* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy. +* `TOOLS.md` — infrastructure tooling, deployment targets, and technology standards. diff --git a/agents/lint-roller/TOOLS.md b/agents/lint-roller/TOOLS.md new file mode 100644 index 0000000..5b38df8 --- /dev/null +++ b/agents/lint-roller/TOOLS.md 
@@ -0,0 +1,62 @@ +# Tools & Infrastructure + +## Deployment Targets + +| Environment | Namespace | FQDN | +|-------------|-----------|------| +| Production | `groombook` | `groombook.farh.net` | +| UAT | `groombook-uat` | `groombook.uat.farh.net` | +| Development | `groombook-dev` | `groombook.dev.farh.net` | + +## Kubernetes + +* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces. +* `kubectl` is available in the environment; agents operate within the cluster. + +## Authentication + +* Better-Auth with OAuth2 — no custom authentication, no exceptions. +* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only. +* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`. +* Authentik credentials available via the `authentik-credentials` secret in your namespace. +* Supported identity providers: Authentik, Auth0, Okta, Entra-ID. + +## Secrets + +* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed. +* `kubeseal` is available in the environment with access to encrypt via the public key. + +## Databases + +* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL. + +## Cache / Pub-Sub + +* DragonflyDB Operator is the standard — no Redis. + +## Deployment — 2-Stage Flux GitOps + +Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.** + +**Stage 1 — Image build (CI):** +GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`. + +**Stage 2 — Manifest update (GitOps):** +The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. 
Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically. + +**Critical rules:** +* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself. +* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR. +* Flux owns convergence — do not `kubectl apply` application manifests directly. +* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy. + +## Dependency & Image Updates — Mend Renovate + +Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot. + +## Terraform (OpenTofu) — Flux ToFu Controller + +* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically. +* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm. +* Do not run `tofu` or `terraform` directly outside the controller workflow. +* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource. diff --git a/agents/pawla-abdul/AGENTS.md b/agents/pawla-abdul/AGENTS.md index c7fc550..86e4a40 100644 --- a/agents/pawla-abdul/AGENTS.md +++ b/agents/pawla-abdul/AGENTS.md 
@@ -123,6 +123,5 @@ Invoke it whenever you need to remember, retrieve, or organize anything. These files are essential. Read them. -* `HEARTBEAT.md` — execution and extraction checklist. Run every heartbeat. -* `SOUL.md` — who you are and how you should act. -* `GITHUB.md` — policy and access information for GitHub. +* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy. +* `TOOLS.md` — infrastructure tooling, deployment targets, and technology standards. diff --git a/agents/pawla-abdul/TOOLS.md b/agents/pawla-abdul/TOOLS.md new file mode 100644 index 0000000..5b38df8 --- /dev/null +++ b/agents/pawla-abdul/TOOLS.md 
@@ -0,0 +1,62 @@ +# Tools & Infrastructure + +## Deployment Targets + +| Environment | Namespace | FQDN | +|-------------|-----------|------| +| Production | `groombook` | `groombook.farh.net` | +| UAT | `groombook-uat` | `groombook.uat.farh.net` | +| Development | `groombook-dev` | `groombook.dev.farh.net` | + +## Kubernetes + +* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces. +* `kubectl` is available in the environment; agents operate within the cluster. + +## Authentication + +* Better-Auth with OAuth2 — no custom authentication, no exceptions. +* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only. +* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`. +* Authentik credentials available via the `authentik-credentials` secret in your namespace. +* Supported identity providers: Authentik, Auth0, Okta, Entra-ID. + +## Secrets + +* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed. +* `kubeseal` is available in the environment with access to encrypt via the public key. + +## Databases + +* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL. + +## Cache / Pub-Sub + +* DragonflyDB Operator is the standard — no Redis. + +## Deployment — 2-Stage Flux GitOps + +Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.** + +**Stage 1 — Image build (CI):** +GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`. + +**Stage 2 — Manifest update (GitOps):** +The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. 
Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically. + +**Critical rules:** +* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself. +* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR. +* Flux owns convergence — do not `kubectl apply` application manifests directly. +* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy. + +## Dependency & Image Updates — Mend Renovate + +Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot. + +## Terraform (OpenTofu) — Flux ToFu Controller + +* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically. +* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm. +* Do not run `tofu` or `terraform` directly outside the controller workflow. +* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource. diff --git a/agents/scrubs-mcbarkley/AGENTS.md b/agents/scrubs-mcbarkley/AGENTS.md index 4e7bcb5..c3cc539 100644 --- a/agents/scrubs-mcbarkley/AGENTS.md +++ b/agents/scrubs-mcbarkley/AGENTS.md 
@@ -224,6 +224,5 @@ Understand and enforce these across the entire team: These files are essential. Read them. -* `HEARTBEAT.md` — execution and extraction checklist. Run every heartbeat. -* `SOUL.md` — who you are and how you should act. -* `GITHUB.md` -- policy and access information for GitHub. +* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy. +* `TOOLS.md` — infrastructure tooling, deployment targets, and technology standards. diff --git a/agents/scrubs-mcbarkley/TOOLS.md b/agents/scrubs-mcbarkley/TOOLS.md index 998d302..5b38df8 100644 --- a/agents/scrubs-mcbarkley/TOOLS.md +++ b/agents/scrubs-mcbarkley/TOOLS.md 
@@ -1,5 +1,62 @@ -# Tools +# Tools & Infrastructure -* Secret Management: Bitnami Sealed Secrets Controller is the standard and available in the cluster, no plain Kubernetes secrets allowed. -* Databases: CloudNativePG Operator (Postgres) is the standard and available in the cluster, no SQLite, MariaDB, or MySQL allowed. -* Cache/Pub-Sub: DragonflyDB Operator is the standard and available in the cluster, no Redis. \ No newline at end of file +## Deployment Targets + +| Environment | Namespace | FQDN | +|-------------|-----------|------| +| Production | `groombook` | `groombook.farh.net` | +| UAT | `groombook-uat` | `groombook.uat.farh.net` | +| Development | `groombook-dev` | `groombook.dev.farh.net` | + +## Kubernetes + +* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces. +* `kubectl` is available in the environment; agents operate within the cluster. + +## Authentication + +* Better-Auth with OAuth2 — no custom authentication, no exceptions. +* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only. +* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`. +* Authentik credentials available via the `authentik-credentials` secret in your namespace. +* Supported identity providers: Authentik, Auth0, Okta, Entra-ID. + +## Secrets + +* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed. +* `kubeseal` is available in the environment with access to encrypt via the public key. + +## Databases + +* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL. + +## Cache / Pub-Sub + +* DragonflyDB Operator is the standard — no Redis. + +## Deployment — 2-Stage Flux GitOps + +Deployment is fully GitOps-driven. 
**Do not use `kubectl apply` to deploy application manifests.** + +**Stage 1 — Image build (CI):** +GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`. + +**Stage 2 — Manifest update (GitOps):** +The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically. + +**Critical rules:** +* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself. +* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR. +* Flux owns convergence — do not `kubectl apply` application manifests directly. +* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy. + +## Dependency & Image Updates — Mend Renovate + +Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot. + +## Terraform (OpenTofu) — Flux ToFu Controller + +* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically. +* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm. +* Do not run `tofu` or `terraform` directly outside the controller workflow. +* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource. 
diff --git a/agents/shedward-scissorhands/AGENTS.md b/agents/shedward-scissorhands/AGENTS.md index b62c1dd..e1b12c1 100644 --- a/agents/shedward-scissorhands/AGENTS.md +++ b/agents/shedward-scissorhands/AGENTS.md @@ -159,3 +159,8 @@ Understand what each status means: * **Mandatory status updates:** If you are waiting for a deployment to stabilize or pending a follow-up, post a status update within 2 heartbeats even if nothing has changed. * If blocked, set `status: "blocked"` with a comment. * Never look for unassigned work. + +## References + +* `SDLC.md` — source control, handoff protocol, status semantics, and GitHub policy. +* `TOOLS.md` — infrastructure tooling, deployment targets, and technology standards. diff --git a/agents/shedward-scissorhands/TOOLS.md b/agents/shedward-scissorhands/TOOLS.md new file mode 100644 index 0000000..5b38df8 --- /dev/null +++ b/agents/shedward-scissorhands/TOOLS.md 
@@ -0,0 +1,62 @@ +# Tools & Infrastructure + +## Deployment Targets + +| Environment | Namespace | FQDN | +|-------------|-----------|------| +| Production | `groombook` | `groombook.farh.net` | +| UAT | `groombook-uat` | `groombook.uat.farh.net` | +| Development | `groombook-dev` | `groombook.dev.farh.net` | + +## Kubernetes + +* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces. +* `kubectl` is available in the environment; agents operate within the cluster. + +## Authentication + +* Better-Auth with OAuth2 — no custom authentication, no exceptions. +* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only. +* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`. +* Authentik credentials available via the `authentik-credentials` secret in your namespace. +* Supported identity providers: Authentik, Auth0, Okta, Entra-ID. + +## Secrets + +* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed. +* `kubeseal` is available in the environment with access to encrypt via the public key. + +## Databases + +* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL. + +## Cache / Pub-Sub + +* DragonflyDB Operator is the standard — no Redis. + +## Deployment — 2-Stage Flux GitOps + +Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.** + +**Stage 1 — Image build (CI):** +GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`. + +**Stage 2 — Manifest update (GitOps):** +The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. 
Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically. + +**Critical rules:** +* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself. +* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR. +* Flux owns convergence — do not `kubectl apply` application manifests directly. +* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy. + +## Dependency & Image Updates — Mend Renovate + +Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot. + +## Terraform (OpenTofu) — Flux ToFu Controller + +* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically. +* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm. +* Do not run `tofu` or `terraform` directly outside the controller workflow. +* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource. diff --git a/agents/the-dogfather/AGENTS.md b/agents/the-dogfather/AGENTS.md index 020ea97..fbbfa9b 100644 --- a/agents/the-dogfather/AGENTS.md +++ b/agents/the-dogfather/AGENTS.md 
@@ -27,7 +27,7 @@ Prioritize: correctness > clarity > maintainability > performance > elegance. Use feature flags for risky or user-facing changes where rollback speed matters. Secrets never touch code. Never exfiltrate secrets or private data, not in Paperclip issues, not in GitHub issues, Comments, Discussions, or Pull Requests. -See INFRASTRUCTURE.md for technology stack and tooling standards. +See TOOLS.md for technology stack, infrastructure standards, and deployment information. ## Handoff Protocol — MANDATORY, NON-BYPASSABLE, ZERO EXCEPTIONS @@ -216,6 +216,5 @@ Understand what each status means — enforce these across the team: These files are essential. Read them. -* `HEARTBEAT.md` -- execution and extraction checklist. Run every heartbeat. -* `GITHUB.md` -- policy and access information for GitHub. -* `INFRASTRUCTURE.md` -- infrastructure tooling and deployment information. +* `SDLC.md` -- source control, handoff protocol, status semantics, and GitHub policy. +* `TOOLS.md` -- infrastructure tooling, deployment targets, and technology standards. diff --git a/agents/the-dogfather/TOOLS.md b/agents/the-dogfather/TOOLS.md new file mode 100644 index 0000000..5b38df8 --- /dev/null +++ b/agents/the-dogfather/TOOLS.md 
@@ -0,0 +1,62 @@ +# Tools & Infrastructure + +## Deployment Targets + +| Environment | Namespace | FQDN | +|-------------|-----------|------| +| Production | `groombook` | `groombook.farh.net` | +| UAT | `groombook-uat` | `groombook.uat.farh.net` | +| Development | `groombook-dev` | `groombook.dev.farh.net` | + +## Kubernetes + +* Cluster-wide read access is granted; read/write access to `-dev` and `-uat` namespaces. +* `kubectl` is available in the environment; agents operate within the cluster. + +## Authentication + +* Better-Auth with OAuth2 — no custom authentication, no exceptions. +* Gateway: `istio-external` (namespace `gateway-system`) for externally accessible sites; `istio-internal` for internal-only. +* Authentik is the OIDC/OAuth2 provider (namespace `auth`). UI: `https://auth.farh.net`. +* Authentik credentials available via the `authentik-credentials` secret in your namespace. +* Supported identity providers: Authentik, Auth0, Okta, Entra-ID. + +## Secrets + +* Bitnami Sealed Secrets Controller (namespace `kube-system`) is the standard — no plain Kubernetes secrets allowed. +* `kubeseal` is available in the environment with access to encrypt via the public key. + +## Databases + +* CloudNativePG Operator (Postgres) is the standard — no SQLite, MariaDB, or MySQL. + +## Cache / Pub-Sub + +* DragonflyDB Operator is the standard — no Redis. + +## Deployment — 2-Stage Flux GitOps + +Deployment is fully GitOps-driven. **Do not use `kubectl apply` to deploy application manifests.** + +**Stage 1 — Image build (CI):** +GitHub Actions builds and pushes container images to GHCR (`ghcr.io/groombook/api`, `ghcr.io/groombook/web`) on push/PR. Tag format: `YYYY.MM.DD-shortsha`. + +**Stage 2 — Manifest update (GitOps):** +The `groombook/infra` repo holds Kustomize manifests for all environments. To deploy, update image tag(s) in the relevant overlay and commit/merge to `groombook/infra`. 
Flux (running on the cluster) watches a cluster repo that references `groombook/infra` as a target GitRepository and reconciles automatically. + +**Critical rules:** +* `groombook/infra` is a target GitRepository — application manifests only. Do not add `flux-system` resources, do not run `flux bootstrap` against it, do not create GitRepository/Kustomization resources that point to itself. +* To trigger a deployment: update image tags in `groombook/infra` and push/merge a PR. +* Flux owns convergence — do not `kubectl apply` application manifests directly. +* **No Flux Image Automation.** Do not use ImageRepository, ImagePolicy, or ImageUpdateAutomation CRDs. Image tag updates are driven by CI at push time. This is company policy. + +## Dependency & Image Updates — Mend Renovate + +Mend Renovate is the sole tool for automated dependency and container image updates. Do not configure or use Dependabot. + +## Terraform (OpenTofu) — Flux ToFu Controller + +* Commit OpenTofu (`.tf`) configuration to `groombook/infra` in a dedicated path. The Flux ToFu Controller watches for `Terraform` CRDs and reconciles automatically. +* Use for: platform-level provisioning (Authentik config, DNS records, object storage buckets). Application manifests remain Kustomize/Helm. +* Do not run `tofu` or `terraform` directly outside the controller workflow. +* Credentials: provide as Sealed Secrets referenced by the `Terraform` resource.
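Review bot: In the Kubernetes section of the new `agents/barkley-trimsworth/TOOLS.md`, "Cluster-wide read access is granted" does not say whether that read role covers `secrets`; a cluster-wide get/list on Secrets would expose the production `groombook` namespace (including Secrets unsealed from SealedSecrets) to agents that are only meant to write to `-dev` and `-uat`. State the ClusterRole's resource scope here, or phrase it as "cluster-wide read access, excluding Secrets", so the least-privilege intent is checkable. Relatedly, "no plain Kubernetes secrets allowed" reads as a contradiction with "Authentik credentials available via the `authentik-credentials` secret", since a SealedSecret is unsealed into an ordinary `Secret` on the cluster; suggest "no plaintext `Secret` manifests in git; commit SealedSecrets only".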
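Review bot: In the `@@ -216,6 +216,5 @@` hunk of `agents/the-dogfather/AGENTS.md`, the removed `HEARTBEAT.md` entry carried an instruction ("execution and extraction checklist. Run every heartbeat.") that the replacement list drops entirely; neither the new `SDLC.md` nor the `TOOLS.md` description mentions the checklist, so a reader of this file can no longer find it. Either extend the `SDLC.md` line to "..., GitHub policy, and the per-heartbeat checklist" if it moved there, or keep a line pointing at wherever the checklist now lives. The `@@ -27,7 +27,7 @@` change is fine as is.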
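Review bot: `agents/the-dogfather/TOOLS.md` is created with blob `5b38df8` and its 62 lines are byte-identical to the `agents/barkley-trimsworth/TOOLS.md` hunk above. The environment-specific facts in it (namespaces, the `authentik-credentials` secret name, the GHCR image names, the `groombook/infra` rules) will drift the first time one copy is edited; consider one shared `TOOLS.md` referenced from each agent's `AGENTS.md`, or a header line in each copy stating it is generated from a single source. Also in this hunk, the `kubeseal` line says it can "encrypt via the public key" but not which target namespace and name agents should seal for; since SealedSecrets are by default bound to both, documenting the expected target for the `-dev` and `-uat` overlays would avoid sealed values that fail to unseal after being copied between overlays.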