Merge remote-tracking branch 'origin/main' into jerm-dro/script-middleware

# Conflicts:
#	pkg/vmcp/cli/serve.go

Author: jerm-dro

.claude/rules/operator.md

@@ -39,12 +39,24 @@ See `cmd/thv-operator/DESIGN.md` for detailed decision guidelines.
 - Always run `task crdref-gen` from `cmd/thv-operator/` after CRD changes to regenerate API docs (uses relative paths)
 - Use `envtest` for integration testing, not real clusters
 - Chainsaw tests require a real Kubernetes cluster
-- Status updates require a separate client patch (`r.Status().Update()`)
+- Status writes must go through `controllerutil.MutateAndPatchStatus` — see the Status Writes section below
 
 ## Status Condition Parity
 
 When adding a status condition to one CRD type, check all parallel types (e.g., `MCPServer` and `VirtualMCPServer`) for the same condition. Conditions that warn about misconfiguration or unsupported states should be consistent across types that share the same feature set — a gap means one type silently accepts invalid config that the other rejects.
 
+## Status Writes
+
+Use `controllerutil.MutateAndPatchStatus` for every status write — not `r.Status().Update` or inline `client.Status().Patch` (see #4633). The helper's doc comment is the authoritative spec.
+
+When adding a status-write call site, check three things:
+
+1. **Caller holds a freshly-`Get`ted object.** Reconciler-start writers do; writers that iterate `List` results (e.g., deletion-path fan-out in `MCPGroupReconciler`) do not and need a fresh `Get` before calling the helper.
+2. **Caller is the sole owner of the entire `Status.Conditions` array.** Per-condition-type ownership is NOT enough. JSON merge-patch replaces the array wholesale for CRDs (the `+listType=map` marker is only honored by strategic-merge-patch), so any concurrent writer whose Patch lands between this caller's Get and Patch — on any condition type, not just the ones this caller touches — will be erased. A fresh `Get` narrows the TOCTOU window but does not eliminate it. If two code paths must write conditions on the same CRD (e.g., operator reconciler + in-pod `K8sReporter`), fix at the design level: consolidate to a single owner, or move one writer to a dedicated status field outside the array.
+3. **Scalar fields the writer touches are not co-owned.** A stale-computed value different from the caller's snapshot will overwrite the live value — the helper cannot defend against this.
+
+Do not use `MutateAndPatchStatus` for spec or metadata writes — those require optimistic locking (`client.MergeFromWithOptions(..., MergeFromWithOptimisticLock{})`). See #4767.
+
 ## Key Operator Commands
 
 ```bash
@@ -55,3 +67,39 @@ task operator-test            # Run unit tests
 task operator-e2e-test        # Run e2e tests
 task crdref-gen              # Generate CRD API docs (run from cmd/thv-operator/)
 ```
+
+## Spec / metadata patching
+
+Never use `r.Update` on a CR spec or metadata: `Update` is a full PUT,
+so any field our local copy does not track (e.g. `spec.authzConfig`
+written by a separate authorization controller) gets zeroed on every
+reconcile.
+
+Use `controllerutil.MutateAndPatchSpec` instead. The helper wraps an
+optimistic-lock merge patch: the body only contains fields the caller
+changed, and `MergeFromWithOptimisticLock` sends `resourceVersion` as a
+precondition, so if the server moved between our Get and Patch the
+apiserver returns 409 and controller-runtime requeues with a fresh Get.
+
+This is what protects `metadata.finalizers`. Merge-patch has no
+array-append semantics — arrays are replaced wholesale — so when our
+diff includes `finalizers` (e.g. an `AddFinalizer` call) it must have
+been computed from an up-to-date snapshot. The 409 + requeue is what
+guarantees that: any concurrent finalizer added by another controller
+fails our precondition, and the next reconcile observes it via a fresh
+Get before recomputing the diff.
+
+```go
+if err := ctrlutil.MutateAndPatchSpec(ctx, r.Client, mcpServer, func(m *mcpv1beta1.MCPServer) {
+    controllerutil.AddFinalizer(m, MCPServerFinalizerName)
+}); err != nil {
+    return ctrl.Result{}, err
+}
+```
+
+Expect 409s as routine log noise once the external controller lands —
+the guard doing its job, not a bug.
+
+Status-subresource patching uses the sibling helper
+`controllerutil.MutateAndPatchStatus` (see the "Status Writes" section
+above).

.claude/skills/implement-story/SKILL.md

@@ -170,7 +170,7 @@ After changes that affect generated artifacts, run the appropriate tasks:
 
 | Change Type | Regeneration Command |
 |-------------|---------------------|
-| CRD type definitions (`api/v1alpha1/*_types.go`) | `task operator-manifests operator-generate` |
+| CRD type definitions (`api/v1beta1/*_types.go`) | `task operator-manifests operator-generate` |
 | Mock interfaces | `task gen` |
 | CLI commands or API endpoints | `task docs` |
 | Helm chart values | `task helm-docs` |

.claude/skills/toolhive-release/references/WORKFLOW-REFERENCE.md

@@ -68,11 +68,13 @@ Detailed documentation of the ToolHive release workflow chain.
    - Version in commit message matches VERSION file
 3. Check if tag already exists (skip if so)
 4. Create annotated git tag `vX.Y.Z`
-5. Push tag using `RELEASE_TOKEN` (PAT required to trigger downstream workflows)
+5. Push tag using a GitHub App installation token (required to trigger downstream workflows; `GITHUB_TOKEN`-authored events do not)
 6. Create GitHub Release with auto-generated notes
 
 **Requirements**:
-- `RELEASE_TOKEN` secret (PAT with repo access)
+- GitHub App installed on the repo with `contents: write` permission
+- `RELEASE_APP_CLIENT_ID` repository **variable** (the app's Client ID)
+- `RELEASE_APP_PRIVATE_KEY` repository **secret** (the app's private key in PEM)
 
 ## Workflow 3: releaser.yml
 
@@ -162,7 +164,8 @@ If a previous Create Release PR run failed after creating the branch but before
 ### Tag creation fails
 
 - Tag may already exist: `git tag | grep vX.Y.Z`
-- RELEASE_TOKEN may be expired or lack permissions
+- Release GitHub App may be uninstalled, or the `RELEASE_APP_CLIENT_ID` variable / `RELEASE_APP_PRIVATE_KEY` secret may be missing or stale
+- App may lack `contents: write` permission on the repo
 
 ### Releaser workflow fails
 

.codespellrc

@@ -1,3 +1,3 @@
 [codespell]
-ignore-words-list = NotIn,notin,AfterAll,ND,aks,deriver,te,clientA,AtMost,atmost
+ignore-words-list = NotIn,notin,AfterAll,ND,aks,deriver,te,clientA,AtMost,atmost,convertIn
 skip = *.svg,*.mod,*.sum

.github/pull_request_template.md

@@ -42,6 +42,25 @@ describe exactly what you tested below the checkbox.
 - [ ] Linting (`task lint-fix`)
 - [ ] Manual testing (describe below)
 
+## API Compatibility
+
+<!--
+The CRD Schema Compatibility check guards the v1beta1 operator API.
+If the check flags this PR as Incompatible and the break is intentional,
+apply the `api-break-allowed` label and describe below:
+
+1. Which fields, types, or CRDs are changing.
+2. Why the break is unavoidable.
+3. The user-facing migration path (what cluster admins need to do).
+
+See CONTRIBUTING.md → "API Stability" for the full rubric. Coordinate
+with maintainers before applying the label.
+
+Remove this section entirely if the PR does not touch operator API surface.
+-->
+
+- [ ] This PR does not break the `v1beta1` API, OR the `api-break-allowed` label is applied and the migration guidance is described above.
+
 ## Changes
 
 <!--

.github/workflows/api-compat-noop.yml

@@ -0,0 +1,37 @@
+name: API Compatibility
+
+# No-op companion to api-compat.yml. Its sole purpose is to satisfy the
+# required `CRD Schema Compatibility` status check on PRs that don't touch
+# any operator API surface. Without this companion, such PRs deadlock:
+# branch protection requires the check, the real workflow's path filter
+# prevents it from firing, and GitHub shows the required status as
+# "expected — waiting to be reported" forever.
+#
+# The workflow `name:` and job `name:` intentionally mirror api-compat.yml
+# so the check-run context string matches (`CRD Schema Compatibility`).
+# GitHub's branch protection treats a successful report from either
+# workflow as satisfying the requirement.
+#
+# The `paths-ignore` list is the exact inverse of api-compat.yml's
+# `paths:` include list. Keep them in sync: a path that moves from one
+# list needs to move from the other, or PRs touching that path will
+# either run both workflows (double-count) or neither (deadlock returns).
+
+on:
+  pull_request:
+    paths-ignore:
+      - 'cmd/thv-operator/api/**'
+      - 'deploy/charts/operator-crds/files/crds/**'
+      - '.github/workflows/api-compat*.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  crd-schema-check:
+    name: CRD Schema Compatibility
+    runs-on: ubuntu-latest
+    timeout-minutes: 2
+    steps:
+      - name: No API surface changes
+        run: echo "This PR does not touch operator API surface; no compatibility check needed."

.github/workflows/api-compat.yml

@@ -0,0 +1,177 @@
+name: API Compatibility
+
+# This workflow guards the stability of the v1beta1 operator API surface.
+#
+# A breaking CRD schema change (field removal, type change, required-field
+# addition, etc.) fails this check and blocks the PR. If the break is
+# intentional — almost exclusively for graduation to v1beta2 — apply the
+# `api-break-allowed` label to skip the check. See CONTRIBUTING.md → "API
+# Stability" for the full rubric.
+
+on:
+  pull_request:
+    # Include `labeled` and `unlabeled` so applying or removing
+    # `api-break-allowed` triggers a fresh workflow run. Without these,
+    # re-running the job from the UI uses the original event payload
+    # (which still has the old label set) and the skip condition misfires.
+    # Re-evaluating on `unlabeled` closes the gap where a user could
+    # apply the label, watch the check skip, then remove the label and
+    # merge without the check ever running against the current state.
+    types: [opened, synchronize, reopened, labeled, unlabeled]
+    paths:
+      - 'cmd/thv-operator/api/**'
+      # files/crds is the source of truth — controller-gen emits here, and
+      # crd-helm-wrapper copies from here into templates/. Any drift in
+      # templates/ is caught by operator-ci.yml's generate-crds job, so
+      # watching templates/ would be redundant. values.yaml and the
+      # crd-helm-wrapper only affect Helm conditionals and annotations the
+      # checker ignores, so they can't change what we compare.
+      - 'deploy/charts/operator-crds/files/crds/**'
+      # Self-exercise when either workflow file (real or no-op companion)
+      # changes. The companion file reports the same required check on
+      # PRs that don't touch the api surface; see api-compat-noop.yml.
+      - '.github/workflows/api-compat*.yml'
+
+permissions:
+  contents: read
+
+jobs:
+  crd-schema-check:
+    name: CRD Schema Compatibility
+    runs-on: ubuntu-latest
+    # Skip the check entirely when `api-break-allowed` is applied — a
+    # required check that is skipped (rather than failed) counts as passing
+    # for branch protection, so this is the escape hatch for intentional
+    # breaks. Do not remove the label guard without a replacement path.
+    if: ${{ !contains(github.event.pull_request.labels.*.name, 'api-break-allowed') }}
+    # Expected runtime is ~1 minute (checkout + go setup + git fetch tag +
+    # go install + per-CRD checker loop). 10 minutes is a cheap upper
+    # bound that protects against a hung go install or git fetch.
+    timeout-minutes: 10
+    steps:
+      - name: Checkout PR HEAD
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+        with:
+          go-version: 'stable'
+          cache: true
+
+      - name: Resolve baseline tag
+        id: baseline
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          set -euo pipefail
+
+          # Baseline is the most recent release tag. Tags are immutable, so
+          # comparing against the tag gives us a stable, released reference
+          # without needing to render the Helm chart or pull from OCI.
+          # Falling back to origin/main would silently compare against an
+          # already-broken baseline once a break lands on main.
+          LATEST_TAG="$(gh release list --repo "$GITHUB_REPOSITORY" --limit 1 --json tagName --jq '.[0].tagName')"
+          if [ -z "$LATEST_TAG" ]; then
+            echo "::error::No releases found for $GITHUB_REPOSITORY; cannot establish an API compatibility baseline."
+            exit 1
+          fi
+
+          # Fetch just the tag, shallow — no need to unshallow the repo.
+          git fetch origin "refs/tags/$LATEST_TAG:refs/tags/$LATEST_TAG" --depth=1
+          echo "tag=$LATEST_TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Install crd-schema-checker
+        # SHA-pinned: openshift/crd-schema-checker has no release tags at the
+        # time of writing, so @latest is the only other option. Pinning makes
+        # CI deterministic and mitigates supply-chain risk (upstream compromise
+        # would otherwise execute attacker code on the runner with GITHUB_TOKEN
+        # in env). Bump via a deliberate PR after verifying the new output
+        # locally. SHA pinned on 2026-04-21.
+        run: go install github.com/openshift/crd-schema-checker/cmd/crd-schema-checker@3fee146022bfe6f4adf84998de35d7267b864bef
+
+      - name: Check CRD schema compatibility
+        id: checker
+        env:
+          # Route step outputs through env vars so bash quotes them instead
+          # of the runner substituting them directly into the script body.
+          # Defense-in-depth against a future edit that routes a
+          # PR-controlled string through these outputs.
+          BASELINE_TAG: ${{ steps.baseline.outputs.tag }}
+        run: |
+          set -euo pipefail
+
+          # NoBools and NoMaps are OpenShift API-style conventions, not
+          # compat-breaking rules. They fire on fields we legitimately use
+          # (e.g. embeddingservers.spec.modelCache.enabled) and drown out
+          # real findings. Re-enable only if upstream clarifies breaking-
+          # change semantics for them.
+          DISABLED_VALIDATORS="NoBools,NoMaps"
+
+          CRD_DIR="deploy/charts/operator-crds/files/crds"
+          mkdir -p /tmp/api-compat
+          : > /tmp/api-compat/output.txt
+
+          OVERALL_EXIT=0
+
+          # Detect CRD files removed between baseline and HEAD — a removed
+          # CRD is a break that the checker can't report (it needs both
+          # inputs present). Compare the set of filenames directly.
+          BASELINE_FILES=$(git ls-tree --name-only "$BASELINE_TAG" -- "$CRD_DIR/" | sed "s|$CRD_DIR/||" | sort)
+          HEAD_FILES=$(ls "$CRD_DIR" | sort)
+          REMOVED=$(comm -23 <(echo "$BASELINE_FILES") <(echo "$HEAD_FILES") || true)
+          if [ -n "$REMOVED" ]; then
+            {
+              echo "ERROR: CRD files removed from HEAD (present at $BASELINE_TAG):"
+              echo "$REMOVED" | sed 's/^/  - /'
+            } | tee -a /tmp/api-compat/output.txt
+            OVERALL_EXIT=1
+          fi
+
+          # For each CRD present on HEAD, fetch the baseline version from the
+          # tag and run the checker. New CRDs (HEAD-only) are additive and
+          # skipped — note that in the output so reviewers see the full
+          # inventory.
+          for crd in "$CRD_DIR"/*.yaml; do
+            fname=$(basename "$crd")
+            rel="$CRD_DIR/$fname"
+            if ! git show "$BASELINE_TAG:$rel" > /tmp/api-compat/baseline.yaml 2>/dev/null; then
+              echo "  (new CRD on HEAD, skipping: $fname)" >> /tmp/api-compat/output.txt
+              continue
+            fi
+            set +e
+            crd-schema-checker check-manifests \
+              --existing-crd-filename /tmp/api-compat/baseline.yaml \
+              --new-crd-filename "$crd" \
+              --disabled-validators="$DISABLED_VALIDATORS" \
+              >> /tmp/api-compat/output.txt 2>&1
+            RC=$?
+            set -e
+            [ "$RC" -ne 0 ] && OVERALL_EXIT=1
+          done
+
+          # Surface the combined output in the step log too, not only in the
+          # summary — some reviewers check the raw log first.
+          cat /tmp/api-compat/output.txt
+
+          if [ "$OVERALL_EXIT" -eq 0 ]; then
+            STATUS="Compatible"
+          else
+            STATUS="Incompatible or Unknown"
+          fi
+
+          {
+            echo "## API Compatibility — CRD Schema Check"
+            echo ""
+            echo "**Baseline**: $BASELINE_TAG"
+            echo "**Status**: $STATUS"
+            echo ""
+            echo "<details><summary>crd-schema-checker output</summary>"
+            echo ""
+            echo '```'
+            cat /tmp/api-compat/output.txt
+            echo '```'
+            echo ""
+            echo "</details>"
+          } >> "$GITHUB_STEP_SUMMARY"
+
+          exit "$OVERALL_EXIT"

.github/workflows/claude.yml

@@ -59,7 +59,7 @@ jobs:
 
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@b47fd721da662d48c5680e154ad16a73ed74d2e0 # v1
+        uses: anthropics/claude-code-action@567fe954a4527e81f132d87d1bdbcc94f7737434 # v1
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           # Security: Restrict tools to prevent arbitrary code execution.

.github/workflows/create-release-pr.yml

@@ -30,6 +30,13 @@ jobs:
     name: Create Release PR
     runs-on: ubuntu-latest
     steps:
+      - name: Generate release app token
+        id: app-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        with:
+          client-id: ${{ vars.RELEASE_APP_CLIENT_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
@@ -71,9 +78,9 @@ jobs:
         id: release
         uses: stacklok/releaseo@80e8d8131d41cf8763254d02360f2c5ce9b7c0df # v0.0.4
         with:
-          releaseo_version: v0.0.3
+          releaseo_version: v0.0.4
           bump_type: ${{ inputs.bump_type }}
-          token: ${{ secrets.RELEASE_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
           version_files: |
             - file: deploy/charts/operator-crds/Chart.yaml
               path: version