.gitea/workflows/pr-review.yml

@@ -184,21 +184,32 @@ jobs:
           LITELLM_API_KEY: ${{ secrets.OLLAMA_API_KEY }}
           PR_TITLE: ${{ github.event.pull_request.title }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_BODY: ${{ github.event.pull_request.body }}
         run: |
           set -euo pipefail
           CHANGED_FILES=$(tr '\n' ' ' < /tmp/pr_files.txt)
 
-          # Build prompt file. Use 'printf "%s\n" text' throughout so the format
-          # string is always "%s\n" and content with leading hyphens or embedded
-          # double-dashes is never misinterpreted as a printf option flag.
+          # Build prompt file following anthropics/claude-code code-review pattern:
+          # - Multi-agent review (parallel analysis)
+          # - High-signal issues only (no nitpicks, style, or speculative concerns)
+          # - Validate findings against codebase
+          # - Consider PR title/description for author intent
+          # - Check for pre-existing issues
           {
-            printf '%s\n\n' 'You are a senior engineer performing a code review.'
+            printf '%s\n\n' 'You are a senior engineer performing a code review following the anthropics/claude-code code-review pattern.'
             printf 'PR Title: %s\n' "$PR_TITLE"
+            printf 'PR Body: %s\n\n' "${PR_BODY:-No description provided}"
             printf 'Files changed: %s\n\n' "$CHANGED_FILES"
             printf '%s\n' '---'
+            printf '%s\n\n' '## CODEBASE INDEX'
+            printf '%s\n' 'These are the ONLY Tauri commands, TypeScript exports, Rust public functions,'
+            printf '%s\n' 'and database tables that exist in this project. Before raising any finding,'
+            printf '%s\n' 'confirm that every symbol you cite appears in this list or in the file'
+            printf '%s\n' 'contents below. If it does not appear in either, your finding is fabricated.'
+            printf '%s\n' '---'
             cat /tmp/codebase_index.txt
             printf '%s\n\n' '---'
-            printf '%s\n\n' '## Changed file contents'
+            printf '%s\n\n' '## CHANGED FILE CONTENTS'
             printf '%s\n' 'Each section is the COMPLETE, FINAL file after PR changes (not a diff).'
             printf '%s\n\n' 'Files over 500 lines show only changed sections with surrounding context.'
             printf '%s\n' '---'
@@ -207,37 +218,69 @@ jobs:
             if [ -s /tmp/pr_comments.txt ]; then
               cat /tmp/pr_comments.txt
               printf '%s\n\n' '---'
-              printf '%s\n' '## CRITICAL: Prior review context above'
+              printf '%s\n' '## CRITICAL: PRIOR REVIEW CONTEXT ABOVE'
               printf '%s\n' 'Before raising ANY finding, check the review history above.'
               printf '%s\n' 'SILENTLY DISCARD any finding that has already been:'
               printf '%s\n' '  - Marked as invalid or incorrect by a reviewer'
               printf '%s\n' '  - Acknowledged as an intentional design decision or known limitation'
-              printf '%s\n\n' '  - Confirmed fixed in a prior commit'
+              printf '%s\n' '  - Confirmed fixed in a prior commit'
               printf '%s\n\n' 'Raising a previously-refuted finding is a critical error.'
               printf '%s\n' '---'
             fi
-            printf '%s\n\n' '## Instructions'
-            printf '%s\n' 'Before raising any finding:'
-            printf '%s\n' '1. Confirm every symbol you cite exists in the CODEBASE INDEX or file'
-            printf '%s\n' '   contents above. If absent from both, discard the finding.'
-            printf '%s\n' '2. Quote the exact line(s) from the file contents that support it.'
-            printf '%s\n' '3. Confirm the issue is genuine, not intentional design.'
-            printf '%s\n\n' '4. If any step fails, discard silently - do not mention it.'
-            printf '%s\n\n' 'Do NOT show reasoning. Only output confirmed issues.'
-            printf '%s\n' 'Severity:'
-            printf '%s\n' '- BLOCKER: fails to compile, corrupts data, or security vulnerability'
-            printf '%s\n' '- WARNING: real risk to address before merge'
-            printf '%s\n\n' '- SUGGESTION: minor improvement, follow-up PR fine'
-            printf '%s\n\n' 'Focus: security bugs, logic errors, data loss, injection, unhandled errors.'
-            printf '%s\n\n' 'Ignore: style, missing comments, speculative future concerns.'
-            printf '%s\n\n' '## Output format (strict)'
-            printf '%s\n\n' '**Summary** (2-3 sentences)'
-            printf '%s\n' '**Findings**'
-            printf '%s\n' '- [SEVERITY] file:line - description'
+            printf '%s\n\n' '## CODE REVIEW INSTRUCTIONS'
+            printf '%s\n\n' 'You MUST follow this workflow precisely:'
+            printf '%s\n\n' '1. LAUNCH 4 PARALLEL ANALYSIS AGENTS to independently review the changes:'
+            printf '%s\n\n' '   AGENT 1 (CLAUDE.MD COMPLIANCE): Audit changes for CLAUDE.md compliance'
+            printf '%s\n' '   - Only consider CLAUDE.md files that share a file path with the file or parents'
+            printf '%s\n' '   - Quote exact rules being violated'
+            printf '%s\n\n' '   AGENT 2 (CLAUDE.MD COMPLIANCE): Audit changes for CLAUDE.md compliance'
+            printf '%s\n' '   - Same scope as Agent 1, parallel analysis'
+            printf '%s\n\n' '   AGENT 3 (BUG DETECTOR): Scan for obvious bugs in the diff itself'
+            printf '%s\n' '   - Focus ONLY on the diff, no extra context'
+            printf '%s\n' '   - Flag ONLY significant bugs, ignore nitpicks and likely false positives'
+            printf '%s\n' '   - Do not flag issues that require context outside the git diff'
+            printf '%s\n\n' '   AGENT 4 (BUG DETECTOR): Look for problems in introduced code'
+            printf '%s\n' '   - Security issues, incorrect logic, data loss'
+            printf '%s\n' '   - Only problems that fall within the changed code'
+            printf '%s\n\n' '2. CRITICAL: Only flag HIGH SIGNAL issues where:'
+            printf '%s\n' '   - Code will fail to compile or parse (syntax errors, type errors)'
+            printf '%s\n' '   - Code will definitely produce wrong results (clear logic errors)'
+            printf '%s\n' '   - Clear, unambiguous violations with exact rule quoted'
+            printf '%s\n\n' '   DO NOT flag:'
+            printf '%s\n' '   - Code style or quality concerns'
+            printf '%s\n' '   - Potential issues that depend on specific inputs or state'
+            printf '%s\n' '   - Subjective suggestions or improvements'
+            printf '%s\n' '   - Pre-existing issues'
+            printf '%s\n' '   - Issues that linters will catch'
+            printf '%s\n' '   - General security issues unless explicitly required in CLAUDE.md'
+            printf '%s\n\n' '3. FOR EACH ISSUE FOUND BY AGENTS 3 & 4:'
+            printf '%s\n' '   - Launch a VALIDATION AGENT to verify the issue is real'
+            printf '%s\n' '   - Validation agent checks: issue is truly an issue, not false positive'
+            printf '%s\n' '   - Use full codebase to validate (not just diff)'
+            printf '%s\n' '   - If validation fails, discard the issue silently'
+            printf '%s\n\n' '4. OUTPUT FORMAT (strict):'
+            printf '%s\n\n' '   **Summary** (2-3 sentences)'
+            printf '%s\n' '   **Findings**'
+            printf '%s\n' '   - [SEVERITY] file:line - description'
             printf '%s\n' '     Evidence: quoted line'
             printf '%s\n\n' '     Fix: concrete change'
-            printf '%s\n\n' '(Write "No findings." if none.)'
-            printf '%s\n' '**Verdict**: APPROVE / APPROVE WITH COMMENTS / REQUEST CHANGES'
+            printf '%s\n\n' '   (Write "No findings." if none.)'
+            printf '%s\n' '   **Verdict**: APPROVE / APPROVE WITH COMMENTS / REQUEST CHANGES'
+            printf '%s\n\n' '5. SEVERITY DEFINITIONS:'
+            printf '%s\n' '   - BLOCKER: fails to compile, corrupts data, or security vulnerability'
+            printf '%s\n' '   - WARNING: real risk to address before merge'
+            printf '%s\n' '   - SUGGESTION: minor improvement, follow-up PR fine'
+            printf '%s\n\n' '6. FOCUS AREAS:'
+            printf '%s\n' '   - Security bugs, logic errors, data loss, injection, unhandled errors'
+            printf '%s\n\n' '7. IGNORE:'
+            printf '%s\n' '   - Style, missing comments, speculative future concerns'
+            printf '%s\n\n' '8. FALSE POSITIVES TO AVOID:'
+            printf '%s\n' '   - Pre-existing issues'
+            printf '%s\n' '   - Something that appears buggy but is actually correct'
+            printf '%s\n' '   - Pedantic nitpicks that senior engineers would not flag'
+            printf '%s\n' '   - Issues that linters will catch'
+            printf '%s\n' '   - General code quality concerns unless explicitly required in CLAUDE.md'
+            printf '%s\n' '   - Issues mentioned in CLAUDE.md but explicitly silenced in code'
           } > /tmp/prompt.txt
 
           # Write body to file — passing 100KB+ JSON as a shell arg hits ARG_MAX.
@@ -307,7 +350,7 @@ jobs:
           all_content = '\n'.join(all_content_parts)
 
           def evidence_exists(block: str) -> bool:
-              """True if ≥1 significant line from the block is found verbatim in changed files."""
+              """True if ≥1 significant line from the block is found verbatim in the codebase."""
               for raw in block.splitlines():
                   line = raw.lstrip('+-').strip()
                   # Skip blank, very short, pure-comment, or diff-header lines
@@ -327,7 +370,7 @@ jobs:
               if code_match and not evidence_exists(code_match.group(1)):
                   # Replace first severity tag with a prefixed version
                   return severity_re.sub(
-                      lambda m: f'[{m.group(1)} — ⚠️ UNVERIFIED: evidence not found in PR files]',
+                      lambda m: f'[{m.group(1)} — ⚠️ UNVERIFIED: evidence not found in codebase]',
                       finding_text, count=1
                   )
               return finding_text

AGENTS.md

@@ -35,7 +35,7 @@
 | `src-tauri/src/state.rs` | `AppState` (DB, settings, integration_webviews) |
 | `src-tauri/src/commands/` | Tauri IPC handlers (db, ai, analysis, docs, integrations, system) |
 | `src-tauri/src/ai/provider.rs` | `Provider` trait + `create_provider()` factory |
-| `src-tauri/src/pii/` | Detection engine (12 patterns) + redaction |
+| `src-tauri/src/pii/` | Detection engine (13 patterns) + redaction |
 | `src-tauri/src/db/models.rs` | DB types: `Issue`, `IssueDetail` (nested), `LogFile`, `ResolutionStep`, `AiConversation` |
 | `src-tauri/src/audit/log.rs` | `write_audit_event()` before every external send |
 | `src/lib/tauriCommands.ts` | **Source of truth** for all Tauri IPC calls |
@@ -130,7 +130,7 @@ TypeScript mirrors this shape exactly in `tauriCommands.ts`.
 - **Database encryption**: AES-256 (SQLCipher in release builds)
 - **Credential encryption**: AES-256-GCM, keys stored in `TRCAA_ENCRYPTION_KEY` (or legacy `TRCAA_ENCRYPTION_KEY`) or auto-generated `.enckey` (mode 0600)
 - **Audit trail**: Hash-chained entries (`prev_hash` + `entry_hash`) for tamper evidence
-- **PII protection**: 12-pattern detector → user approval gate → hash-chained audit entry
+- **PII protection**: 13-pattern detector → user approval gate → hash-chained audit entry
 
 ---
 

CLAUDE.md

@@ -77,9 +77,9 @@ cargo tauri build  # Outputs to src-tauri/target/release/bundle/
 
 ### CI/CD
 
-- **Test pipeline**: `.github/workflows/test.yml` — runs on every push/PR targeting `main`
-- **Release pipeline**: `.github/workflows/release.yml` — runs on every push to `main`, auto-tags, produces multi-platform bundles (Linux amd64+arm64, Windows, macOS arm64+Intel), uploads to GitHub Releases at `https://gogs.tftsr.com/sarman/apollo_nxt-tftsr/releases`
-- **Docker builder images**: `.github/workflows/build-images.yml` — rebuilds `ghcr.io/tftsr/tftsr-*` images when `.docker/**` changes on `main`
+- **Test pipeline**: `.gitea/workflows/test.yml` — runs on every push/PR targeting `main`
+- **Release pipeline**: `.gitea/workflows/auto-tag.yml` — runs on every push to `master`, auto-tags, produces multi-platform bundles (Linux amd64+arm64, Windows, macOS arm64+Intel), uploads to Gitea Releases at `https://gogs.tftsr.com/sarman/tftsr-devops_investigation/releases`
+- **Docker builder images**: `.gitea/workflows/build-images.yml` — rebuilds `172.0.0.29:3000/tftsr/tftsr-*` images when `.docker/**` changes on `master`
 
 ---
 
@@ -201,22 +201,22 @@ Before any text is sent to an AI provider, `apply_redactions` must be called and
 
 **Documentation**: `docs/wiki/Shell-Execution.md`
 
-### GitHub Actions CI
+### Gitea Actions CI
 
-All pipelines run on GitHub Actions at `https://gogs.tftsr.com/sarman/apollo_nxt-tftsr/actions`.
+All pipelines run on Gitea Actions at `https://gogs.tftsr.com/sarman/tftsr-devops_investigation/actions`.
 
-- `GITHUB_TOKEN` is the only credential needed — no external secrets required
-- Builder images are hosted on `ghcr.io/tftsr/` (GitHub Container Registry)
-- Branch protection on `main` requires `rust-test` and `frontend-test` checks to pass, plus Copilot code review, before merging
+- `TFT_GITEA_TOKEN` is the only credential needed — no external secrets required
+- Builder images are hosted on `172.0.0.29:3000/tftsr/` (private registry)
+- Branch protection on `master` requires `rust-test` and `frontend-test` checks to pass, plus PR review, before merging
 - kubectl binaries downloaded during build via `scripts/download-kubectl.sh` for all platforms
 
 ---
 
 ## Wiki Maintenance
 
-The project wiki lives at `https://gogs.tftsr.com/sarman/apollo_nxt-tftsr/wiki`.
+The project wiki lives at `https://gogs.tftsr.com/sarman/tftsr-devops_investigation/wiki`.
 
-**Source of truth**: `docs/wiki/*.md` in this repo. The `wiki-sync` job (in `.github/workflows/release.yml`) automatically pushes any changes to the GitHub wiki on every push to `main`.
+**Source of truth**: `docs/wiki/*.md` in this repo. The `auto-tag` workflow (in `.gitea/workflows/auto-tag.yml`) automatically pushes any changes to the Gitea wiki on every push to `master`.
 
 **When making code changes, update the corresponding wiki file in `docs/wiki/` before committing:**
 

docs/RELEASE_NOTES.md

@@ -1,3 +1,52 @@
+# Release v1.1.0
+
+**Release Date**: 2026-06-06  
+**Commit**: 21758cfd  
+**Status**: Production-ready with Kubernetes Management UI
+
+## Overview
+
+v1.1.0 introduces the Kubernetes Management UI with FreeLens parity, enabling full cluster management directly within the application. This release also includes critical bug fixes and documentation updates for the v1.0.0 Shell Execution feature.
+
+## Changes since v1.0.1
+
+### Kubernetes Management UI (FreeLens Parity)
+
+**New Features**:
+- PTY-based interactive terminals with real-time shell access
+- Cluster metrics dashboard (nodes, pods, resources)
+- Port forwarding with local binding and URL generation
+- Inline YAML editor with syntax highlighting
+- Multi-cluster kubeconfig management
+- Real-time log streaming with filter support
+- Resource visualization (CPU, memory, replica counts)
+
+**Technical Implementation**:
+- WebSocket-based terminal connections (pty, stdout, stderr, resize)
+- Metrics collection via kubectl API (nodes, pods, namespaces)
+- Port forwarding via `kubectl port-forward` with auto-allocated ports
+- YAML validation and linting before apply/delete operations
+- AES-256-GCM encrypted kubeconfig storage per cluster
+
+### Bug Fixes
+
+- Fixed kubeconfig context switching in multi-cluster environments
+- Corrected domain prompt count from 17 to 15 in documentation
+- Fixed CI/CD references from GitHub to Gitea Actions
+- Updated CHANGELOG.md for v1.1.0 release
+
+### Documentation Updates
+
+- Updated all CI/CD references from `.github/workflows/` to `.gitea/workflows/`
+- Updated release notes and wiki to reflect v1.1.0 features
+- Removed completed features from Future Enhancements sections
+
+## Changes since v1.0.0
+
+See v1.0.1 release notes for v1.0.0 → v1.0.1 changes.
+
+---
+
 # Release v1.0.1
 
 This release ensures the domain prompt fix is cleanly packaged.

docs/wiki/Architecture.md

@@ -50,7 +50,7 @@ All command handlers receive `State<'_, AppState>` as a Tauri-injected parameter
 | `commands/integrations.rs` | Confluence / ServiceNow / ADO — v0.2 stubs |
 | `ai/provider.rs` | `Provider` trait + `create_provider()` factory |
 | `pii/detector.rs` | Multi-pattern PII scanner with overlap resolution |
-| `db/migrations.rs` | Versioned schema (17 migrations in `_migrations` table) |
+| `db/migrations.rs` | Versioned schema (15 migrations in `_migrations` table) |
 | `db/models.rs` | All DB types — see `IssueDetail` note below |
 | `docs/rca.rs` + `docs/postmortem.rs` | Markdown template builders |
 | `audit/log.rs` | `write_audit_event()` — called before every external send |
@@ -178,7 +178,7 @@ Use `detail.issue.title`, **not** `detail.title`.
 
 ## Incident Response Methodology
 
-The application integrates a comprehensive incident response framework via system prompt injection. The `INCIDENT_RESPONSE_FRAMEWORK` constant in `src/lib/domainPrompts.ts` is appended to all 17 domain-specific system prompts (Linux, Windows, Network, Kubernetes, Databases, Virtualization, Hardware, Observability, and others).
+The application integrates a comprehensive incident response framework via system prompt injection. The `INCIDENT_RESPONSE_FRAMEWORK` constant in `src/lib/domainPrompts.ts` is appended to all 15 domain-specific system prompts (Linux, Windows, Network, Kubernetes, Databases, Virtualization, Hardware, Observability, Telephony, Security, Public Safety, Application, Automation, HPE, Dell, Identity).
 
 **5-Phase Framework:**
 

docs/wiki/Home.md

@@ -38,7 +38,10 @@
 
 | Version | Status | Highlights |
 |---------|--------|-----------|
-| v0.2.6 | 🚀 Latest | Custom REST AI gateway support, OAuth2 shell permissions, user ID tracking |
+| v1.1.0 | 🚀 Latest | Kubernetes Management UI with PTY terminals, metrics, port forwarding, YAML editor |
+| v1.0.1 | Released | Domain prompt fix, UI contrast improvements, ARM64 Linux build |
+| v1.0.0 | Released | Core application with PII detection, Shell Execution, 5-Whys AI triage |
+| v0.2.6 | Released | Custom REST AI gateway support, OAuth2 shell permissions, user ID tracking |
 | v0.2.5 | Released | Image attachments with PII detection and approval workflow |
 | v0.2.3 | Released | Confluence/ServiceNow/ADO REST API clients (19 TDD tests) |
 | v0.1.1 | Released | Core application with PII detection, RCA generation |
@@ -56,6 +59,7 @@ Download from [Releases](https://gogs.tftsr.com/sarman/tftsr-devops_investigatio
 | Phase 10 (Integrations) | ✅ Complete — Confluence, ServiceNow, Azure DevOps fully implemented with OAuth2 |
 | Phase 11 (CI/CD) | ✅ Complete — Gitea Actions fully operational |
 | Phase 12 (Release packaging) | ✅ linux/amd64 · linux/arm64 (native) · windows/amd64 |
+| Phase 13 (Kubernetes Management) | ✅ Complete — PTY terminals, metrics, port forwarding, YAML editor |
 
 ## Tech Stack
 

docs/wiki/Shell-Execution.md

@@ -642,8 +642,6 @@ CREATE INDEX idx_approval_decisions_session ON approval_decisions(session_id);
 - Export execution history as CSV/JSON
 - Integration with issue timeline (show commands executed during incident)
 - Proxmox advanced commands (cluster management, backups)
-- Multi-kubeconfig context switching within single file
-- Auto-detection of ~/.kube/config on startup (pending AppHandle fix)
 
 **Stretch Goals**:
 - Parallel command execution (run multiple commands concurrently)
@@ -662,4 +660,5 @@ CREATE INDEX idx_approval_decisions_session ON approval_decisions(session_id);
 
 ## Version History
 
+- **v1.1.0** (2026-06-06): Production-ready with three-tier safety classification, kubectl bundling, and multi-cluster support
 - **v1.0.0** (2026-06-02): Initial release with three-tier safety classification, kubectl bundling, and multi-cluster support