Merge pull request 'Remove agent artifacts from root' (#187) from gandalf/cleanup-root-artifacts into dev

Merge PR #187: Remove agent artifacts from root

Removes CONTEXT.md, PROJECT_ASSESSMENT.md, and SPEC-PRI-324.md from repo root.

Reviewed-by: pe_regina (QA)
Reviewed-by: pe_countess (Governance)
UAT: PRI-1730 (Patty)

.github/workflows/dual-approval.yaml

@@ -83,8 +83,7 @@ jobs:
           REVIEWS=$(curl -sf \
             -H "Authorization: token ${GITEA_TOKEN}" \
             -H "Accept: application/json" \
-            "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}/reviews" \
-            | python3 -c 'import sys,json; json.dump(json.load(sys.stdin),sys.stdout)')
+            "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
 
           if [ -z "${REVIEWS}" ] || [ "${REVIEWS}" = "null" ]; then
             echo "::warning::Could not fetch reviews for PR #${PR_NUMBER}."

INSTALLATION_POLICY.md

@@ -0,0 +1,24 @@
+# Installation Policy
+
+## Approved Installation Method
+
+**The ONLY approved method for installing this plugin is via [Artifact Hub](https://artifacthub.io/) using the Headlamp plugin installer.**
+
+No other installation method is acceptable. This includes but is not limited to:
+
+- Direct installation from GitHub release assets
+- Manual npm pack / tarball extraction
+- initContainer workarounds that bypass Artifact Hub
+- Direct file copy or sidecar injection
+
+## Enforcement
+
+All deployment configurations, CI/CD pipelines, and documentation MUST reference Artifact Hub as the sole plugin distribution channel. Any pull request that introduces an alternative installation method will be rejected.
+
+## Rationale
+
+Artifact Hub provides verified checksums, consistent versioning, and a standard discovery mechanism for the CNCF ecosystem. Bypassing it introduces security and integrity risks.
+
+---
+
+*This policy is set by the CTO and approved by the CEO of Privileged Escalation.*

README.md

@@ -67,8 +67,6 @@ pluginsManager:
       url: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.3.10/polaris-0.3.10.tar.gz
 ```
 
-> See [Plugin Installation Policy](https://git.farh.net/privilegedescalation/privilegedescalation.com/wiki/Plugin-Installation-Policy) for approved installation methods.
-
 ## RBAC / Security Setup
 
 The plugin fetches audit data through the Kubernetes API server's **service proxy** sub-resource. The identity making the request (Headlamp's service account, or the user's own token in token-auth mode) must be granted: