Merge pull request 'cleanup: fully remove orphaned council-complaints app' (#9) from wizard/council-cleanup into master

2026-06-21 13:33:23 +00:00 · 2026-06-21 13:33:23 +00:00 · df86075c3d
commit df86075c3d
parent 6dc3ce139f 68d9058f85
4 changed files with 5 additions and 5 deletions
--- a/.claude/CLAUDE.md
+++ b/.claude/CLAUDE.md
@ -130,7 +130,7 @@ ghcr, NOT DockerHub), kms-website, Freedify, instagram-poster, payslip-ingest,
 broker-sync (image `wealthfolio-sync`), fire-planner, recruiter-responder,
 x402-gateway — plus tripit. Earlier public-repo apps already on GHA (Website,
 apple-health-data, audiblez-web, plotting-book, insta2spotify,
-audiobook-search, council-complaints) now also land on ghcr.
+audiobook-search) now also land on ghcr.
 - **PUBLIC ghcr packages:** beadboard, nextcloud-todos, claude-agent-service,
  claude-memory-mcp, kms-website, freedify, tuya_bridge, x402-gateway,
  chrome-service-novnc, android-emulator.
--- a/.claude/reference/service-catalog.md
+++ b/.claude/reference/service-catalog.md
@ -58,7 +58,6 @@
 | claude-memory | Persistent memory MCP server | claude-memory |
 | paperless-mcp | Paperless-ngx document search MCP (barryw/PaperlessMCP). Traefik bearer auth via Aetherinox api-token-middleware. `auth=none` at ingress; gateway-level bearer enforced by `paperless-mcp/bearer-auth` Middleware CRD. Tokens + paperless API token in Vault `secret/paperless-mcp`. | paperless-mcp |
 | paperless-ai | AI layer over Paperless-ngx (clusterzx/paperless-ai): semantic/RAG document search (Chat) + auto-tagging. Local embeddings (sentence-transformers MiniLM) + ChromaDB on the PVC — search is GPU-free. LLM (chat answers + tagging) via in-cluster llama-swap `qwen3-8b` (`SYSTEM_PROMPT=/no_think` to keep Qwen3 output parseable). `auth=required` (Authentik) at `paperless-ai.viktorbarzin.me`. Reads Paperless over the internal svc as a dedicated `paperless-ai` superuser. **Runtime config + app-admin live in the PVC `.env`/SQLite (written once via the app's setup flow), NOT TF env — its dotenv loader does not override `process.env`, so container env shadows the `.env`.** Vault `secret/paperless-ai` (paperless_api_token, api_key, custom_api_key, app_admin_*). | paperless-ai |
 | council-complaints | Islington civic reporting pilot | council-complaints |
 ## Optional
 | Service | Description | Stack |
--- a/docs/architecture/ci-cd.md
+++ b/docs/architecture/ci-cd.md
@ -116,7 +116,7 @@ instagram-poster, payslip-ingest, broker-sync (image name `wealthfolio-sync`),
 fire-planner, recruiter-responder, x402-gateway — plus **tripit** (the original
 pilot, 2026-06-09). Earlier public-repo apps already on GHA (Website,
 k8s-portal, apple-health-data, audiblez-web, plotting-book, insta2spotify,
-audiobook-search, council-complaints) now also land on ghcr.
+audiobook-search) now also land on ghcr.
 ### Infra-owned images (issues #29 / #30)
--- a/stacks/kyverno/modules/kyverno/security-policies.tf
+++ b/stacks/kyverno/modules/kyverno/security-policies.tf
@ -330,8 +330,9 @@ resource "kubectl_manifest" "policy_require_trusted_registries" {
                  "docker.n8n.io/*", "registry.gitlab.com/*",
                  # Private
                  "forgejo.viktorbarzin.me/*", "10.0.20.10*",
-                  # Legacy private registry (decommissioned 2026-05-07 per CLAUDE.md
+                  # Legacy private registry (decommissioned 2026-05-07 per CLAUDE.md).
-                  # but council-complaints still references — migrate to Forgejo).
+                  # No live workload pulls from it; only stale completed Job records
                  # (e.g. old wealthfolio-sync jobs) still carry the image ref.
                  "registry.viktorbarzin.me/*",
                  # DockerHub library (bare image names without slash)
                  "alpine*", "busybox*", "kong*", "mysql*", "nginx*", "postgres*", "python*",