Board directive PRI-1710: root directories are cluttered with agent artifacts.
These files duplicate content already in CLAUDE.md or reference stale Paperclip issues.
- CONTEXT.md (18.7KB) — AI reverse-prompt doc, content already covered by CLAUDE.md
- PROJECT_ASSESSMENT.md (8KB) — Stale assessment from v0.3.0 (current is v0.4.1)
- SPEC-PRI-324.md (4KB) — Paperclip task spec, does not belong in repo
cc @cpfarhood
The ubuntu-latest runner host already has curl, jq, and ca-certificates
pre-installed. The apt-get update call inside the Docker container was
failing due to broken container networking on the runner host (runs 577,
578), blocking PR #182 (dev→uat promotion).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The GitHub release does not exist (404). Per board all-Gitea
decision, archive URLs must point to git.farh.net.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Restore install as multi-line Markdown guide (was replaced by url/digest object)
- Point annotations.archive-url to github.com instead of git.farh.net
The GitHub release for v1.0.1 does not exist (404). Per board
decision (2026-05-16), all PE projects use Gitea releases.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Bumps version to 1.0.1, updates createdAt date, and points
archive URL/checksum to the v1.0.1 GitHub release.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The headlamp-plugin package command outputs filenames with .tar.gz extension,
not .tgz. This caused the "Get tarball path" step to fail (exit code 1) on
the v1.0.1 release run #554.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Add explicit pnpm installation before Install dependencies step.
Without this, ubuntu-latest runner fails with 'pnpm: command not found'
since pnpm is not bundled with the Node 20 action.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
PR #170 resolved a merge conflict with the old uat version instead of the inlined dev version.
Restore inlined dual-approval.yaml to match main, fixing uat->main promotion gate.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The project declares pnpm@10.32.1 as packageManager but had a committed
package-lock.json. Running npm install produced a broken node_modules
layout. Delete the stale lockfile and add it to .gitignore.
Note: tests were failing before this change due to a missing tsconfig
for vitest.setup.ts — tracked separately as a pre-existing issue.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Upgraded @kinvolk/headlamp-plugin from ^0.13.0 to ^0.14.0 and added
fast-uri >=3.1.2 to pnpm overrides to address:
- GHSA-q3j6-qgpj-74h6 (fast-uri path traversal, patched in >=3.1.1)
- GHSA-v39h-62p7-jpjc (fast-uri host confusion, patched in >=3.1.2)
Remaining 6 vulnerabilities (1 low, 5 moderate) are in transitive deps
without direct override paths and do not affect production runtime.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
CTO decision (PRI-854): high-severity vulns from @kinvolk/headlamp-plugin
transitive deps (Picomatch, Vite, lodash) are dev/build-time only and do
not ship in production plugin artifacts.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
CI triggers on dev/uat/main. Promotion gate replaces dual-approval.
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Removed lines 28-29 which listed ghost E2E commands (npm run e2e, npm run e2e:headed). The repo has no E2E files, no playwright.config.ts, no e2e/ directory, and no e2e script in package.json.
Resolves: PRI-1147
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
The lockfile was out of sync with package.json after playwright removal,
causing CI to fail with --frozen-lockfile.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
PRI-750: update plugin repos to reference shared infra RBAC (PRI-695 follow-up)
- deployment/e2e-ci-runner-rbac.yaml: replaced duplicate manifest with
reference comment pointing to privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
- scripts/deploy-e2e-headlamp.sh: updated RBAC preflight comment and error
message to reference infra path
- scripts/teardown-e2e-headlamp.sh: added RBAC reference comment
Infra RBAC is the source of truth managed by Flux GitOps. CI workflow
unchanged (Hugh owns .github/workflows/).
* chore: replace Dependabot references with Renovate
- SECURITY.md: update to mention Renovate (org-wide Mend Renovate)
- PROJECT_ASSESSMENT.md: mark Renovate as integrated (org-wide config)
Closes PRI-389. Parent PRI-387.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: override picomatch >=4.0.4 and vite >=6.4.2 to patch high-severity vulnerabilities
Resolves 3 high-severity vulnerabilities from pnpm audit:
- GHSA-c2c7-rcm5-vvqj: Picomatch ReDoS via extglob quantifiers (>=4.0.0 <4.0.4)
- GHSA-p9ff-h696-f583: Vite arbitrary file read via dev server WebSocket
- GHSA-4w7w-66w2-5vf9: Vite path traversal in optimized deps .map handling
Also addresses moderate GHSA-3v7f-55p6-f55p (picomatch method injection).
Remaining vulnerabilities (moderate/low) are in transitive dependencies
managed by @kinvolk/headlamp-plugin and @headlamp-k8s/eslint-config
which require upstream updates to those packages.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
---------
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
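The pnpm override mechanism this commit and the earlier fast-uri commit rely on, shown as an added example of a package.json fragment (this is not the project's own package.json; the packageManager value, the @kinvolk/headlamp-plugin range and the three override ranges are taken from the commit messages above, the package name and everything else are assumed placeholders):

```json
{
  "//": "Constructed example, not the project's package.json",
  "name": "example-headlamp-plugin",
  "packageManager": "pnpm@10.32.1",
  "devDependencies": {
    "@kinvolk/headlamp-plugin": "^0.14.0"
  },
  "pnpm": {
    "overrides": {
      "fast-uri": ">=3.1.2",
      "picomatch": ">=4.0.4",
      "vite": ">=6.4.2"
    }
  }
}
```

An override forces every occurrence of the named package in the dependency graph to the given range, including ones reached only through build-time packages such as @kinvolk/headlamp-plugin, so the range must still satisfy what the dependents accept or the build can break. After editing, run `pnpm install` so pnpm-lock.yaml is regenerated (otherwise CI with `--frozen-lockfile` fails, as the lockfile commit above describes), then `pnpm audit` to confirm the listed advisories no longer appear.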
The E2E workflow and deploy scripts were targeting the legacy
privilegedescalation-dev namespace, which is not managed by Flux GitOps
in privilegedescalation/infra.
The infra repo (PR #11) already provisions the headlamp-dev namespace
and corresponding RBAC (e2e-ci-runner-headlamp-rbac.yaml) that grants
the ARC runner SA (runners-privilegedescalation-gha-rs-no-permission in
arc-runners) the permissions needed to deploy/teardown the E2E
Headlamp instance.
This change aligns all E2E infrastructure to use headlamp-dev:
- .github/workflows/e2e.yaml: E2E_NAMESPACE=headlamp-dev
- scripts/deploy-e2e-headlamp.sh: default namespace and comments
- scripts/teardown-e2e-headlamp.sh: default namespace
- deployment/e2e-ci-runner-rbac.yaml: namespace and add missing events
permission (already present in infra copy)
Refs: PRI-423
Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>