Adds collect_live_cluster_versions() — enumerates pod container images via
kubectl and protects any forgejo.coulomb.social/coulomb/<name>:<tag>. Closes the
gap where CI-deployed apps (e.g. state-hub) pin a live tag absent from Helm
values. On by default (--no-protect-live to skip); emits protection_notes +
live_protection in the JSON summary so consumers can detect reduced coverage.
Verified against production: protects state-hub/vergabe/issue-core live tags.
ACTIVITY-WP-0020 T07 (partial — see workplan note re multi-cluster coverage).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Forgejo has no per-package /versions endpoint — the list endpoint returns one
entry per (name, version). build_delete_plans now groups list results by name
instead of calling a 404ing /versions sub-path. Removed dead list_versions/_paginate.
Added retry + longer timeout to _api_request for slow/large registry listings
(container list was timing out). Updated fixture test to the grouped model.
Dry-run now clean: 29 candidate deletions across 5 container packages, 0 errors
(was 53× HTTP 404). ACTIVITY-WP-0020 T02 fix; enable/apply still gated on
protection-coverage review (T05).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
List and optionally delete package versions beyond the newest three,
protecting production Helm image tags. Adds Make targets and unit tests
for ACTIVITY-WP-0020.
OpenBao's Ember UI expects OIDC to complete in a popup and postMessage to
window.opener. The standalone KeyCape login uses a full-page redirect, so the
callback now exchanges the authorization code directly, persists the UI token
in localStorage, and redirects into the vault UI. Unauthenticated /ui/ loads
also redirect to the standalone login page to avoid ?with= bounce loops.
Ember's auth route bounces between ?with=netkingdom/ and ?with=token when
OIDC mounts are hidden from the unauthenticated listing. Bypass Ember on the
bare auth path with a static login page that calls auth_url directly; OIDC
callbacks still proxy to the OpenBao UI.
Add synchronous redirect-bootstrap, direct KeyCape OIDC on sign-in, and mount
watching so the UI no longer lands on ?with=token when netkingdom is hidden
from unauthenticated mount listing. Document listing_visibility tune helper.
Streamline bao.coulomb.social login as "Sign in with KeyCape" via a versioned
nginx gateway that injects overlay assets and proxies to OpenBao. Disable chart
ingress in favor of the overlay ingress, wire make openbao-deploy, and add
openbao-verify-login-overlay with upstream drift detection.
Generate default CA via ssh/config/ca, split composite KUBECTL for role writes,
read pubkey from config/ca, allow warden key_id in roles, prefer production kubeconfig.