Update docs

Author: Hyperkid123

.mcp.json

@@ -7,16 +7,6 @@
     "bot-memory": {
       "type": "sse",
       "url": "http://localhost:8080/sse"
-    },
-    "mcp-atlassian": {
-      "command": "uvx",
-      "args": ["mcp-atlassian"],
-      "env": {
-        "JIRA_URL": "${JIRA_URL}",
-        "JIRA_USERNAME": "${JIRA_USERNAME}",
-        "JIRA_API_TOKEN": "${JIRA_API_TOKEN}"
-      },
-      "type": "stdio"
     }
   }
 }

ARCHITECTURE.md

@@ -225,7 +225,7 @@ Agent cycle completes
 |---------|-------------|--------|
 | Claude (Vertex AI) | GCP service account key | `sa-key.json` + env vars in `.env` |
 | Jira | API token | `JIRA_URL`, `JIRA_USERNAME`, `JIRA_API_TOKEN` in `.env` |
-| GitHub | SSH key | `gh auth login` (one-time setup, SSH protocol) |
+| GitHub | SSH key + PAT (`GH_TOKEN`) | SSH for git ops, PAT for gh CLI API calls |
 | GitLab | SSH key | `glab auth login` (one-time setup, SSH protocol) |
 | Memory server | None (localhost) | Hardcoded `http://localhost:8080` |
 | Chrome DevTools | None (localhost) | Hardcoded `http://127.0.0.1:9222` |
@@ -243,21 +243,19 @@ The system deploys as **separate pods**:
 
 This keeps the deployment simple — one memory server serves all bot instances, and each bot is independently scalable by adding new pods with different labels.
 
-### What needs to change
+### Container images
 
-1. **Bot container** — containerize with Docker. Proven as a POC (Dockerfile existed, SSH and auth were the main challenges). Needs:
-   - GCP service account key injected via secret mount
-   - SSH key for git access (shared by gh/glab CLIs)
-   - gh/glab CLI auth config files (`~/.config/gh/`, `~/.config/glab-cli/`) — one-time setup by a human via `gh auth login` / `glab auth login` on the bot account, then baked into the image or mounted
-   - Non-root user (Claude Code rejects root)
+Both images use Red Hat UBI9 base images:
 
-2. **Memory server pod** — already containerized (Docker Compose). Needs:
-   - PostgreSQL connection string pointing to RDS instance
-   - Cluster-internal service for bot pods to reach it (e.g. `memory-server:8080`)
+- **Bot container** (`Dockerfile`) — `ubi9/ubi` with Python 3.12, Node.js 22 (NodeSource), Chromium headless (EPEL), gh CLI, glab CLI, uv. Runs as non-root `botuser` (Claude Code rejects root). Entrypoint decodes secrets from env vars (SSH key, GPG key, SA key), starts Chromium in background, then launches the bot runner.
 
-3. **Chrome/Chromium** — needs a headless browser sidecar or a shared remote debugging endpoint for visual verification of UI changes
+- **Memory server** (`memory-server/Dockerfile`) — multi-stage build. Stage 1: `ubi9/nodejs-22` builds the React dashboard. Stage 2: `ubi9/python-312-minimal` runs the FastMCP app with dashboard assets baked in.
 
-4. **Multiple labels** — each label runs as a separate bot container. All bot containers share a single memory server pod (low traffic, no need to replicate).
+### What needs to change for cluster
+
+1. **Memory server** — PostgreSQL connection string pointing to RDS instance instead of local container. Cluster-internal service for bot pods to reach it (e.g. `memory-server:8080`).
+
+2. **Multiple labels** — each label runs as a separate bot container. All bot containers share a single memory server pod (low traffic, no need to replicate).
 
 ### What stays the same
 
@@ -294,9 +292,8 @@ This keeps the deployment simple — one memory server serves all bot instances,
 │                  │ (pgvector) │     │
 │                  └────────────┘     │
 │                                     │
-│  ┌──────────────────────────┐       │
-│  │ Headless Chrome (shared) │       │
-│  └──────────────────────────┘       │
+│  (Chromium headless runs inside     │
+│   each bot pod on port 9222)        │
 │                                     │
 └──────────────────────┬──────────────┘
                        │
@@ -308,13 +305,14 @@ This keeps the deployment simple — one memory server serves all bot instances,
 
 ### Secrets required
 
-| Secret | Used by |
-|--------|---------|
-| GCP service account key (sa-key.json) | Bot — Claude API via Vertex AI |
-| Jira API token | Bot — mcp-atlassian MCP server |
-| SSH key | Bot — git clone/push, used by both gh and glab CLIs |
-| gh/glab CLI auth config | Bot — API access for PRs/MRs (one-time manual setup per bot account) |
-| RDS PostgreSQL credentials | Memory server |
+| Secret | Env var | Used by |
+|--------|---------|---------|
+| SSH private key (base64) | `SSH_PRIVATE_KEY_B64` | Bot — git clone/push over SSH |
+| GPG private key (base64) | `GPG_PRIVATE_KEY_B64` | Bot — commit signing |
+| GitHub PAT | `GH_TOKEN` | Bot — gh CLI (PR creation, reviews, comments) |
+| GCP service account key (base64) | `GOOGLE_SA_KEY_B64` | Bot — Claude API via Vertex AI |
+| Jira credentials | `JIRA_URL`, `JIRA_USERNAME`, `JIRA_API_TOKEN` | Bot — mcp-atlassian MCP server |
+| RDS PostgreSQL credentials | `DATABASE_URL` | Memory server |
 
 ### Scaling
 

OPERATIONS.md

@@ -0,0 +1,245 @@
+# Operations Guide
+
+How to manage and monitor the bot in day-to-day use.
+
+## Monitoring
+
+### Jira Filter
+
+All bot-eligible tickets across teams are tracked via a shared Jira filter:
+
+**Filter ID**: [107017](https://redhat.atlassian.net/issues/?filter=107017)
+
+**JQL**: `project = RHCLOUD AND labels in (hcc-ai-framework, hcc-ai-platform-accessmanagement)`
+
+This shows all tickets tagged for the bot, regardless of status. Use it to see what the bot is working on, what's queued, and what's done.
+
+To add a new team's tickets, add their label to the filter (e.g. `hcc-ai-<team-name>`).
+
+### Dashboard
+
+The memory server dashboard at `http://localhost:8080` shows:
+- **Active tasks** — what the bot is currently working on, with status and PR links
+- **Memories** — learnings the bot has stored from completed work
+- **Costs** — per-cycle cost breakdown by work type
+
+### Logs
+
+```bash
+make logs           # Tail bot.log
+docker compose logs -f bot          # Docker container logs
+docker compose logs -f memory-server  # Memory server logs
+```
+
+## Ticket Lifecycle
+
+A ticket goes through these stages as the bot processes it:
+
+```
+ Backlog                    In Progress              Code Review                Done
+ ┌──────────┐              ┌──────────────┐          ┌─────────────┐          ┌──────┐
+ │ Groomed  │  bot claims  │ Bot working  │  PR open │ Waiting for │  merged  │ Done │
+ │ + labeled│ ───────────> │ on branch    │ ───────> │ human review│ ───────> │      │
+ │          │              │ bot/<KEY>    │          │             │          │      │
+ └──────────┘              └──────────────┘          └─────────────┘          └──────┘
+      │                          │                         │                      │
+      │                          │                         │                      │
+   Human grooms              Bot updates               Bot responds           Bot closes
+   and labels                task metadata             to review              Jira ticket
+   the ticket                in memory server          feedback               + stores
+                                                                              learnings
+```
+
+### Example: RHCLOUD-37254
+
+A real ticket processed by the bot:
+
+1. **Groomed** — Human added labels `hcc-ai-platform-accessmanagement` and `repo:insights-rbac`
+2. **Picked up** — Bot found it via JQL query, assigned itself, transitioned to "In Progress", added to the active sprint
+3. **Implemented** — Bot cloned `insights-rbac`, created branch `bot/RHCLOUD-37254`, loaded the `rbac` persona, read repo `CLAUDE.md`, implemented the fix
+4. **PR opened** — Bot pushed the branch, opened a PR via `gh pr create`, transitioned ticket to "Code Review", commented on Jira with the PR link
+5. **Review cycle** — Human reviewed the PR. Bot checked for new feedback each cycle and addressed comments
+6. **Merged** — Once the PR was merged, bot transitioned the ticket to "Done" and stored learnings in RAG memory
+
+### Example: RHCLOUD-46011
+
+A frontend ticket with visual verification:
+
+1. **Groomed** — Labels `hcc-ai-framework` and `repo:astro-virtual-assistant-frontend`
+2. **Implemented** — Bot loaded the `frontend` persona, used PatternFly MCP for component docs
+3. **Visual verification** — Bot started the dev server, used chrome-devtools MCP to navigate to the affected page, took before/after screenshots
+4. **PR opened** — Screenshots embedded as base64 in the PR description (never committed to the repo)
+5. **Result** — [astro-virtual-assistant-frontend#368](https://github.com/RedHatInsights/astro-virtual-assistant-frontend/pull/368)
+
+## What the Bot Has Done
+
+The bot has been running since late March 2026 on the `hcc-ai-framework` label. Here's a summary of completed work, showing how different ticket types are handled.
+
+### Cross-repo feature: RHCLOUD-46384
+
+**Add icon field to FrontendEnvironment CRD** — a feature spanning 3 repos.
+
+The bot received a groomed ticket with labels `repo:frontend-operator` and `repo:insights-chrome`. It investigated the `insights-chrome` code first, discovered `ServiceIcon.tsx` already supported icon rendering — the gap was in the operator CRD. It then:
+
+- Added an `icon` field to the FrontendEnvironment CRD in Go, updated the reconciler, regenerated manifests, and updated e2e tests
+- Opened [frontend-operator#569](https://github.com/RedHatInsights/frontend-operator/pull/569)
+- Reported on Jira that insights-chrome needed no changes and that app-interface (readonly repo) needed manual config updates
+
+When asked via a Jira comment to also handle the app-interface changes, the bot initially reported it lacked push access. After being told about a fork repo, it cloned the fork, made the changes, and opened [app-interface MR !180888](https://gitlab.cee.redhat.com/service/app-interface/-/merge_requests/180888) — a cross-host (GitHub + GitLab) ticket resolved in a single cycle.
+
+### UI bug fix: RHCLOUD-44667
+
+**Timespan option labels empty in Notifications Event Log** — a PatternFly migration bug.
+
+A user reported that the dropdown for selecting time ranges showed blank labels. The bot identified the root cause: `SelectOption` components were self-closing (`<SelectOption ... />`) with no children. PatternFly v6 requires label text as children.
+
+- Fixed both `EventLogDateFilter.tsx` and `NotificationsLogDateFilter.tsx`
+- Opened [notifications-frontend#884](https://github.com/RedHatInsights/notifications-frontend/pull/884)
+- PR merged, bot closed the Jira ticket and stored the PF6 pattern as a RAG memory for future reference
+
+### CVE triage: RHCLOUD-44642
+
+**CVE-2026-24842 node-tar in pdf-generator** — security vulnerability ticket.
+
+The bot checked the current state of `node-tar` in pdf-generator and found it was already at version 7.5.11 (fix version was 7.5.7). Verified with `npm ls tar` and `npm audit`. No code changes needed — bot commented the analysis on Jira and closed the ticket. Total time: one cycle.
+
+### CI migration with human feedback loop: RHCLOUD-46420
+
+**Migrate pdf-generator Jenkins from GHPRB to GitHub Branch Source** — a deadline-driven infrastructure task.
+
+The bot initially created a Jenkinsfile and opened [pdf-generator#313](https://github.com/RedHatInsights/pdf-generator/pull/313). A human commented on Jira: "The Jenkins jobs haven't been passing for a long time — we should just remove them entirely." The bot:
+
+1. Closed the original PR
+2. Opened a new PR [#314](https://github.com/RedHatInsights/pdf-generator/pull/314) removing the unused CI scripts
+3. Opened [app-interface MR !180890](https://gitlab.cee.redhat.com/service/app-interface/-/merge_requests/180890) removing the Jenkins job config
+4. All within the same conversation thread on Jira
+
+This demonstrates the feedback loop: the bot adapts to human direction mid-flight.
+
+### Summary table
+
+| Ticket | Summary | Repos | Type | Result |
+|--------|---------|-------|------|--------|
+| RHCLOUD-46384 | Add icon field to FrontendEnvironment CRD | frontend-operator, insights-chrome, app-interface | cross-repo feature | PR + MR merged |
+| RHCLOUD-38822 | Service Dropdown displaying incorrect icon set | frontend-operator, insights-chrome, app-interface | investigation + fix | closed |
+| RHCLOUD-46426 | ChangeDefaultTemplate does not reset previous default | widget-layout-backend | bug fix | PR merged |
+| RHCLOUD-44667 | Timespan option labels empty in Notifications Event Log | notifications-frontend | UI bug fix | PR merged |
+| RHCLOUD-46420 | Migrate pdf-generator Jenkins PR check | pdf-generator, app-interface | CI cleanup | PR + MR merged |
+| RHCLOUD-45699 | Update virtual-assistant grype scanning | astro-virtual-assistant-v2 | tech debt | PR merged |
+| RHCLOUD-44642 | CVE-2026-24842 pdf-generator: node-tar | pdf-generator | CVE triage | already fixed, closed |
+| RHCLOUD-44644 | CVE-2026-24842 payload-tracker-frontend: node-tar | payload-tracker-frontend | CVE fix | PR merged |
+| RHCLOUD-43838 | CVE-2025-12816 payload-tracker-frontend: node-forge | payload-tracker-frontend | CVE fix | PR merged |
+
+In progress:
+
+| Ticket | Summary | Repos | Status |
+|--------|---------|-------|--------|
+| RHCLOUD-37254 | RBAC allowing roles with same name as System Roles | insights-rbac | Code Review |
+
+## Adding Work for the Bot
+
+### Step 1: Groom the ticket
+
+Use the interactive grooming prompt:
+
+```bash
+claude --prompt-file prompts/groom.md
+```
+
+Or manually ensure the ticket has:
+- Clear problem statement (current vs expected behavior)
+- Specific files/components if known
+- Acceptance criteria as a checklist
+- Scoped to a single PR
+
+### Step 2: Label the ticket
+
+Required labels:
+- **Primary label** — matches the bot instance: `hcc-ai-framework` or `hcc-ai-platform-accessmanagement`
+- **`repo:<name>`** — must match a key in `project-repos.json` (e.g. `repo:insights-rbac`, `repo:notifications-frontend`)
+
+Optional:
+- `needs-investigation` — bot investigates and reports findings instead of implementing
+- `platform-experience-ui` — routes to the UI sprint board
+
+### Step 3: Leave it unassigned
+
+The bot only picks up unassigned tickets. If a ticket is assigned to someone, the bot skips it.
+
+### JQL the bot uses
+
+New work:
+```
+project = RHCLOUD AND labels = <PRIMARY_LABEL>
+  AND assignee is EMPTY AND status != Done
+  ORDER BY priority DESC, created ASC
+```
+
+Assigned tickets check:
+```
+project = RHCLOUD AND labels = <PRIMARY_LABEL>
+  AND assignee = currentUser() AND status != Done
+  ORDER BY updated DESC
+```
+
+## Running Multiple Bots
+
+Each bot instance handles one team label. To run multiple bots:
+
+### On host (development)
+
+```bash
+# Terminal 1
+make run LABEL=hcc-ai-framework
+
+# Terminal 2
+make run-rbac
+```
+
+### In Docker
+
+```bash
+# Start with default label
+make docker-up
+
+# Start with a different label
+BOT_LABEL=hcc-ai-platform-accessmanagement make docker-up
+```
+
+For multiple labels in Docker simultaneously, you'd run separate compose projects or add multiple bot services to `docker-compose.yml`.
+
+## Cost Management
+
+Each cycle records its cost. Monitor spending:
+
+```bash
+make costs-today    # Today's spend
+make costs-week     # Last 7 days
+make costs          # All time
+```
+
+The bot sleeps for 5 minutes between active cycles and 1 hour when idle (no work found). These intervals are configured in `config.json`.
+
+## Troubleshooting
+
+### Bot finds no work
+
+Check:
+1. Are there tickets with the right primary label? Use the Jira filter above
+2. Are the tickets unassigned?
+3. Do they have a `repo:` label matching `project-repos.json`?
+4. Is the bot at the 5-task capacity limit? Check the dashboard
+
+### MCP server fails to connect
+
+Check the bot logs for which server failed:
+- `bot-memory` — is the memory server running? (`make memory-server`)
+- `mcp-atlassian` — are Jira credentials set in `.env`?
+- `chrome-devtools` — is Chromium running? (only in Docker; on host, run `./start-chromium.sh`)
+
+### Bot is stuck on a ticket
+
+Check the task record in the dashboard. Look at `metadata.last_step` and `metadata.notes`. If truly stuck:
+1. Comment on the Jira ticket explaining the blocker
+2. Manually set the task status to `paused` via the dashboard
+3. The bot will skip it and move to other work

bot/config.py

@@ -28,13 +28,23 @@ def load_config(script_dir: Path) -> Config:
 
 
 def load_mcp_servers(script_dir: Path) -> dict:
-    """Load and merge MCP servers from persona configs.
+    """Load and merge MCP servers from bot and persona configs.
 
-    The root .mcp.json (bot-memory, chrome-devtools, mcp-atlassian) is loaded
-    automatically by the SDK via setting_sources=["project"]. This function
-    only loads additional per-persona MCP servers.
+    The root .mcp.json (bot-memory, chrome-devtools) is loaded automatically
+    by the SDK via setting_sources=["project"]. This function loads additional
+    servers: bot-specific (bot/mcp.json for mcp-atlassian) and per-persona.
     """
     servers: dict = {}
+
+    # Bot-specific MCP servers (e.g. mcp-atlassian — kept separate from
+    # .mcp.json so it doesn't interfere with local dev sessions)
+    bot_mcp = script_dir / "bot" / "mcp.json"
+    if bot_mcp.exists():
+        with open(bot_mcp) as f:
+            data = json.load(f)
+        for name, cfg in data.get("mcpServers", {}).items():
+            servers[name] = cfg
+
     for mcp_file in sorted(script_dir.glob("personas/*/mcp.json")):
         with open(mcp_file) as f:
             data = json.load(f)

bot/mcp.json

@@ -0,0 +1,14 @@
+{
+  "mcpServers": {
+    "mcp-atlassian": {
+      "command": "uvx",
+      "args": ["mcp-atlassian"],
+      "env": {
+        "JIRA_URL": "${JIRA_URL}",
+        "JIRA_USERNAME": "${JIRA_USERNAME}",
+        "JIRA_API_TOKEN": "${JIRA_API_TOKEN}"
+      },
+      "type": "stdio"
+    }
+  }
+}