From 68d9058f8593d7c0bcefa9e281cb0d22d94c5779 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sun, 21 Jun 2026 13:32:10 +0000 Subject: [PATCH] cleanup: fully remove orphaned council-complaints app MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The council-complaints app (Islington civic-reporting pilot) has been abandoned. It was already dead in the cluster (deployments scaled 0/0, image only on the decommissioned registry.viktorbarzin.me which 404s), and it was never in Terraform — only docs + a kyverno comment referenced it. Its live cluster resources (namespace, both NFS-backed PVs, ingresses) were torn down out-of-band via kubectl (nothing in TF to drift from); the DB-dump PVC was backed up to NFS first. This removes the remaining repo references to the live app: - service-catalog.md: drop the council-complaints row - ci-cd.md + .claude/CLAUDE.md: drop it from the GHA->ghcr app list - kyverno require-trusted-registries: the registry.viktorbarzin.me/* allowlist comment claimed council-complaints as the last referencer; rewrite it (no live workload pulls from that registry now; only stale completed Job records still carry the ref). The allowlist line itself is kept (registry-scoped, not app-specific). Historical point-in-time plan docs (docs/plans/2026-05-16-auto-upgrade- apps-{design,plan}.md) still mention it inside a frozen "10 GHA-migrated repos (memory id=388)" snapshot; left as-is so the dated record stays accurate. Co-Authored-By: Claude Opus 4.8 --- .claude/CLAUDE.md | 2 +- .claude/reference/service-catalog.md | 1 - docs/architecture/ci-cd.md | 2 +- stacks/kyverno/modules/kyverno/security-policies.tf | 5 +++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md index da1843bd..cc4abddf 100755 --- a/.claude/CLAUDE.md +++ b/.claude/CLAUDE.md 
@@ -130,7 +130,7 @@ ghcr, NOT DockerHub), kms-website, Freedify, instagram-poster, payslip-ingest, broker-sync (image `wealthfolio-sync`), fire-planner, recruiter-responder, x402-gateway — plus tripit. Earlier public-repo apps already on GHA (Website, apple-health-data, audiblez-web, plotting-book, insta2spotify, -audiobook-search, council-complaints) now also land on ghcr. +audiobook-search) now also land on ghcr. - **PUBLIC ghcr packages:** beadboard, nextcloud-todos, claude-agent-service, claude-memory-mcp, kms-website, freedify, tuya_bridge, x402-gateway, chrome-service-novnc, android-emulator. diff --git a/.claude/reference/service-catalog.md b/.claude/reference/service-catalog.md index e3ba2f8a..cd7b5274 100644 --- a/.claude/reference/service-catalog.md +++ b/.claude/reference/service-catalog.md 
@@ -58,7 +58,6 @@ | claude-memory | Persistent memory MCP server | claude-memory | | paperless-mcp | Paperless-ngx document search MCP (barryw/PaperlessMCP). Traefik bearer auth via Aetherinox api-token-middleware. `auth=none` at ingress; gateway-level bearer enforced by `paperless-mcp/bearer-auth` Middleware CRD. Tokens + paperless API token in Vault `secret/paperless-mcp`. | paperless-mcp | | paperless-ai | AI layer over Paperless-ngx (clusterzx/paperless-ai): semantic/RAG document search (Chat) + auto-tagging. Local embeddings (sentence-transformers MiniLM) + ChromaDB on the PVC — search is GPU-free. LLM (chat answers + tagging) via in-cluster llama-swap `qwen3-8b` (`SYSTEM_PROMPT=/no_think` to keep Qwen3 output parseable). `auth=required` (Authentik) at `paperless-ai.viktorbarzin.me`. Reads Paperless over the internal svc as a dedicated `paperless-ai` superuser. **Runtime config + app-admin live in the PVC `.env`/SQLite (written once via the app's setup flow), NOT TF env — its dotenv loader does not override `process.env`, so container env shadows the `.env`.** Vault `secret/paperless-ai` (paperless_api_token, api_key, custom_api_key, app_admin_*). | paperless-ai | -| council-complaints | Islington civic reporting pilot | council-complaints | ## Optional | Service | Description | Stack | diff --git a/docs/architecture/ci-cd.md b/docs/architecture/ci-cd.md index 1c78950f..35e041e6 100644 --- a/docs/architecture/ci-cd.md +++ b/docs/architecture/ci-cd.md @@ -116,7 +116,7 @@ instagram-poster, payslip-ingest, broker-sync (image name `wealthfolio-sync`), fire-planner, recruiter-responder, x402-gateway — plus **tripit** (the original pilot, 2026-06-09). Earlier public-repo apps already on GHA (Website, k8s-portal, apple-health-data, audiblez-web, plotting-book, insta2spotify, -audiobook-search, council-complaints) now also land on ghcr. +audiobook-search) now also land on ghcr. ### Infra-owned images (issues #29 / #30) 
diff --git a/stacks/kyverno/modules/kyverno/security-policies.tf b/stacks/kyverno/modules/kyverno/security-policies.tf index 08902d64..446b4745 100644 --- a/stacks/kyverno/modules/kyverno/security-policies.tf +++ b/stacks/kyverno/modules/kyverno/security-policies.tf @@ -330,8 +330,9 @@ resource "kubectl_manifest" "policy_require_trusted_registries" { "docker.n8n.io/*", "registry.gitlab.com/*", # Private "forgejo.viktorbarzin.me/*", "10.0.20.10*", - # Legacy private registry (decommissioned 2026-05-07 per CLAUDE.md - # but council-complaints still references — migrate to Forgejo). + # Legacy private registry (decommissioned 2026-05-07 per CLAUDE.md). + # No live workload pulls from it; only stale completed Job records + # (e.g. old wealthfolio-sync jobs) still carry the image ref. "registry.viktorbarzin.me/*", # DockerHub library (bare image names without slash) "alpine*", "busybox*", "kong*", "mysql*", "nginx*", "postgres*", "python*",
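Review bot: In the docs/architecture/ci-cd.md hunk, the GHA-to-ghcr app list still reads "Website, k8s-portal, apple-health-data, audiblez-web, plotting-book, insta2spotify, audiobook-search" while the same list in the .claude/CLAUDE.md hunk omits k8s-portal ("Website, apple-health-data, audiblez-web, plotting-book, insta2spotify, audiobook-search"). Since this change is meant to keep the two copies in step (the commit message treats them as one list, "ci-cd.md + .claude/CLAUDE.md: drop it from the GHA->ghcr app list"), either add k8s-portal to the CLAUDE.md line in the same commit or note in the message that the mismatch is intentional and which file is canonical; otherwise the next reader has to guess which list is authoritative.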
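Review bot: In the stacks/kyverno/modules/kyverno/security-policies.tf hunk, the rewritten comment says "No live workload pulls from it", yet the `"registry.viktorbarzin.me/*"` entry stays in the require-trusted-registries allowlist, so the policy keeps admitting images from a hostname that, per the commit message, has been decommissioned and 404s. The stated justification (stale completed Job records still carrying the ref) does not require the entry: an admission policy is evaluated on new pods, and already-completed Job pods are not re-admitted, so the only effect of keeping the line is that anything later pointed at that DNS name would be trusted without further checks. Suggest either dropping the entry (run the policy in audit mode first and check the policy report for any matching pods) or, if it must stay until the old Job records are pruned, replacing the free-text justification with a dated removal TODO and an owner. Separately, naming a specific app in the comment ("e.g. old wealthfolio-sync jobs") repeats the pattern this very commit is cleaning up, where the council-complaints reference went stale; prefer the generic "completed Job records" wording without the app name.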