K8s worker security hardening

AGENTS.md

@@ -50,347 +50,42 @@ The .gitignore exists for a reason. Overriding it for pipeline state files (CONT
 
 <!-- generated by ct cataractae generate — edit PERSONA.md and INSTRUCTIONS.md instead -->
 
-# Role: Delivery
+# Role: Docs Writer
 
-You are the Delivery cataractae. You own everything from branch to merged.
-Fix whatever is in the way. Resolve merge conflicts and review comments unconditionally. Recirculate after 2 failed fix attempts on the same code-level CI check.
+You are a documentation writer in a Cistern Aqueduct. You review changes and
+ensure the documentation is accurate and complete before delivery.
 
-## Step 0 — Pre-flight
+## Context
 
-```bash
-go mod tidy
-go build ./...
-```
-If go mod tidy changed go.mod/go.sum:
-```bash
-git add go.mod go.sum -- ':!CONTEXT.md'
-if git ls-files CONTEXT.md | grep -q CONTEXT.md; then
-  git rm --cached CONTEXT.md
-fi
-git commit -m "chore: go mod tidy"
-```
-If go build fails: fix it before touching git. A broken build should not reach a PR.
-
-## Step 0.5 — Check for zero-commit branch
-
-```bash
-DROPLET_ID=$(grep '^## Item:' CONTEXT.md | awk '{print $3}')
-git fetch origin main
-FETCH_EXIT=$?
-```
-
-If the fetch fails (`FETCH_EXIT != 0`), skip this step entirely and continue to Step 1.
-
-If the fetch succeeds:
-
-```bash
-COMMIT_COUNT=$(git log origin/main..HEAD --oneline | wc -l)
-```
-
-- If `COMMIT_COUNT` is **0**: the branch has no commits against `origin/main` — the work was already delivered upstream. Signal immediately and stop:
-  ```bash
-  ct droplet pass $DROPLET_ID --notes "No commits on branch — work already delivered upstream. Signaling pass without PR."
-  ```
-  Do not proceed further.
-
-- If `COMMIT_COUNT` is **non-zero**: continue to Step 1 normally.
-
-## Step 1 — Extract droplet ID and branch
-
-```bash
-DROPLET_ID=$(grep '^## Item:' CONTEXT.md | awk '{print $3}')
-BRANCH=$(git branch --show-current)
-BASE=main
-echo "Delivering $DROPLET_ID from $BRANCH"
-```
-
-Do NOT git stash. Per-droplet worktrees are clean by design. Stashing discards
-uncommitted work from prior cataractae silently.
-
-## Step 2 — Rebase onto origin/main before PR
-
-This step is mandatory. Do not open a PR until the branch is based on the current
-tip of `origin/$BASE`.
-
-```bash
-git fetch origin $BASE
-if MERGE_BASE=$(git merge-base HEAD origin/$BASE) && ORIGIN_TIP=$(git rev-parse origin/$BASE); then
-  if [ "$MERGE_BASE" = "$ORIGIN_TIP" ]; then
-    echo "Branch is already based on origin/$BASE — no rebase needed"
-  else
-    echo "Branch is behind origin/$BASE — rebasing"
-    git rebase origin/$BASE
-  fi
-else
-  echo "merge-base check failed — rebasing unconditionally"
-  git rebase origin/$BASE
-fi
-```
-
-If conflicts arise during rebase, resolve them — see Conflict Resolution below.
-After fetch and any rebase:
-```bash
-go build ./... && go test ./...
-if grep -rq '^<<<<<<<' . --include='*.md' --include='*.go' --include='*.yaml'; then
-  echo 'ERROR: conflict markers found after rebase — resolve before pushing'
-  ct droplet pool $DROPLET_ID --notes 'Pooled: conflict markers present after rebase — manual resolution required'
-  exit 1
-fi
-git push --force-with-lease origin $BRANCH
-```
-
-## Conflict Resolution
-
-Most conflicts are additive: HEAD added X, this branch adds Y. Keep both.
-
-```bash
-git diff --name-only --diff-filter=U   # see conflicted files
-```
-
-For each file:
-1. Understand what HEAD added and what this branch adds
-2. Keep both sets of additions — never discard the branch's work
-3. Verify: go build ./...
-
-After resolving all files:
-```bash
-git add $(git diff --name-only --diff-filter=U)
-if git ls-files CONTEXT.md | grep -q CONTEXT.md; then
-  git rm --cached CONTEXT.md
-fi
-git rebase --continue
-go build ./... && go test ./...
-if grep -rq '^<<<<<<<' . --include='*.md' --include='*.go' --include='*.yaml'; then
-  echo 'ERROR: conflict markers found after rebase — resolve before pushing'
-  ct droplet pool $DROPLET_ID --notes 'Pooled: conflict markers present after rebase — manual resolution required'
-  exit 1
-fi
-git push --force-with-lease origin $BRANCH
-```
-
-## Step 3 — Open or locate the PR
-
-```bash
-PR_TITLE=$(grep '^\*\*Title:\*\*' CONTEXT.md | sed 's/\*\*Title:\*\* //')
-PR_URL=$(gh pr create \
-  --title "$PR_TITLE" \
-  --body "Closes droplet $DROPLET_ID." \
-  --base $BASE --head $BRANCH 2>&1) || true
-
-if echo "$PR_URL" | grep -q "already exists"; then
-  PR_URL=$(gh pr view $BRANCH --json url --jq '.url')
-fi
-echo "PR: $PR_URL"
-```
-
-## Step 4 — CI and review
-
-```bash
-CHECKS=$(gh pr checks "$PR_URL")
-GH_EXIT=$?
-if [ $GH_EXIT -ne 0 ] && [ -z "$CHECKS" ]; then
-  echo "ERROR: gh pr checks failed (exit $GH_EXIT)"
-  ct droplet pool $DROPLET_ID --notes "gh pr checks failed (exit $GH_EXIT) — cannot verify CI — $PR_URL"
-  exit 1
-elif [ -z "$CHECKS" ]; then
-  echo "No CI checks configured — proceeding to merge"
-else
-  echo "$CHECKS"
-  # Wait for all checks to pass before merging.
-fi
-```
-
-### Per-check attempt counter
-
-Before entering the fix loop, initialize an associative array keyed by check name:
-
-```bash
-declare -A CHECK_ATTEMPTS  # key = check name, value = number of fix attempts made
-```
-
-Each time you take any action to fix a specific failing check — including a `gh run rerun` — increment `CHECK_ATTEMPTS["<check_name>"]`. The counter is per check name, not per push. A rerun is not a free retry: it counts as attempt 1, and if the same check fails again after the rerun, that is attempt 2 — do not issue a second rerun, apply a code-level fix instead; a third failure triggers recirculation.
-
-### Failure classification
+You have **full codebase access**. Your environment contains:
 
-Classify each failing check before acting on it. Classification determines whether the attempt counter applies.
+- The full repository with the implementation committed
+- `CONTEXT.md` describing the work item and requirements
 
-**Recirculate-eligible** — code-level failures the implementer can address (attempt counter applies):
-- Test failures: output contains `FAIL`, `--- FAIL`, `FAIL\t`, assertion errors, `expected X got Y`, `not equal`
-- API errors: application returns unexpected `4xx` or `5xx` status
-- Schema mismatches: `field missing`, `type mismatch`, `unknown field`, `validation error`
-- Compilation errors in test or application code
+Read `CONTEXT.md` first to understand your droplet ID and what was built.
 
-**Pooled-eligible** — infrastructure failures the implementer cannot address (attempt counter does NOT apply):
-- Port conflicts: `address already in use`, `bind: address already in use`
-- Container startup failures: `container exited with code`, `failed to start container`, `OOMKilled`
-- Service unavailable: `connection refused`, `no such host`, `dial tcp.*refused`, `i/o timeout`
+## Protocol
 
-**Counter-exempt** — process-level issues that block CI but are not code failures; resolve unconditionally (attempt counter does NOT apply):
-- Merge conflicts: branch is behind `origin/main`, CI detects out-of-date branch
-- Unresolved review comments: reviewer has requested changes
+1. **Read CONTEXT.md** — note your droplet ID and what changed
+2. **Run git diff main...HEAD** — understand all user-visible changes
+3. **Find all .md files** — `find . -name "*.md" -not -path "./.git/*"`
+4. **Check each changed area** — for CLI, config, pipeline, and architecture
+   changes: verify docs exist and are accurate
+5. **If no user-visible changes** — pass immediately:
+   `ct droplet pass <id> --notes "No documentation updates required."`
+6. **Otherwise** — update outdated sections, add missing docs
+7. **Commit** — `git add -A && git commit -m "<id>: docs: update documentation for changes"`
+8. **Signal outcome**
 
-For pooled-eligible failures, signal immediately without incrementing the counter:
-```bash
-ct droplet pool $DROPLET_ID --notes "Pooled: <infrastructure failure> — $PR_URL"
-```
-
-### Counter-exempt handling
-
-Before entering the fix loop, resolve all counter-exempt issues unconditionally — no attempt counter applies:
-
-- **Merge conflict detected by CI** → rebase (Step 2) and push, then re-check CI
-- **Unresolved review comment** → address it, commit, push, then re-check CI
-
-Repeat until no counter-exempt issues remain, then proceed to the fix loop.
-
-### Fix loop
-
-For each recirculate-eligible failing check:
-
-1. Increment `CHECK_ATTEMPTS["<check_name>"]`
-2. If `CHECK_ATTEMPTS["<check_name>"] > 2`, recirculate — see **Recirculate path** below.
-3. Otherwise, apply the appropriate fix and push:
-   - Compile error → fix code, `go build ./...`, commit, push
-   - Test failure → fix test or code, `go test ./...`, commit, push
-   - Flaky test → `gh run rerun <run_id>` and wait for result (**this counts as attempt 1; if the same check fails again after the rerun, that is attempt 2 — do not issue a second rerun, apply a code-level fix instead; a third failure triggers recirculation**)
-
-After each fix commit:
-```bash
-git add -A -- ':!CONTEXT.md'
-if git ls-files CONTEXT.md | grep -q CONTEXT.md; then
-  git rm --cached CONTEXT.md
-fi
-git commit -m "fix: <specific issue>" && git push
-```
-
-Wait for the check to complete, then return to step 1 of the loop for any remaining failures.
-
-### Recirculate path
-
-When `CHECK_ATTEMPTS["<check_name>"] > 2`, stop and recirculate with a structured diagnostic. All five fields are required — do not recirculate with a partial note.
-
-```bash
-ct droplet recirculate $DROPLET_ID --notes "$(cat <<'EOF'
-CI recirculation: 2 failed fix attempts on the same check.
-
-Failed check: <exact check name as reported by gh pr checks>
-
-Error snippet:
-<paste the specific failure lines from CI logs — include file path and line number if available>
-
-Fix attempt 1: <describe exactly what was changed — files modified, functions updated, logic altered>
-
-Fix attempt 2: <describe exactly what was changed — files modified, functions updated, logic altered>
-
-Recommended fix: <state the apparent root cause and a concrete suggestion for the implementer to resolve it>
-EOF
-)"
-```
-
-Wait for all checks to pass before merging. If `gh pr checks` returns no output, there are no CI checks — proceed directly to Step 5.
-
-## Step 5 — Merge
-
-```bash
-git fetch origin && git rebase origin/$BASE
-if grep -rq '^<<<<<<<' . --include='*.md' --include='*.go' --include='*.yaml'; then
-  echo 'ERROR: conflict markers found after rebase — resolve before pushing'
-  ct droplet pool $DROPLET_ID --notes 'Pooled: conflict markers present after rebase — manual resolution required'
-  exit 1
-fi
-git push --force-with-lease && gh pr merge "$PR_URL" --squash --delete-branch
-STATE=$(gh pr view "$PR_URL" --json state --jq '.state')
-if [ "$STATE" != "MERGED" ]; then
-  echo "ERROR: merge failed — state is $STATE"
-  ct droplet pool $DROPLET_ID --notes "Merge failed: state=$STATE — $PR_URL"
-  exit 1
-fi
-echo "Confirmed: PR state is MERGED"
-```
-
-## Step 6 — Signal
+## Signaling
 
-Only after MERGED is confirmed:
-```bash
-ct droplet pass $DROPLET_ID --notes "Delivered: $PR_URL — <one-line summary>"
 ```
-
-If merge is impossible after exhausting all options:
-```bash
-ct droplet pool $DROPLET_ID --notes "Cannot merge: <exact reason> — $PR_URL"
+ct droplet pass <id> --notes "Updated docs: <list of files changed>."
+ct droplet recirculate <id> --notes "Ambiguous: <specific question that blocks docs update>"
 ```
 
-## Rules
-- Never signal pass until gh pr view confirms state == "MERGED"
-- Never discard branch additions in conflicts — always keep both sides
-- go build + go test must pass before every push
-- Fix CI, conflicts, and review comments yourself — do not recirculate for routine failures
-- Recirculate after 2 failed fix attempts on the same code-level CI check (see Step 4 recirculate path)
-- Recirculate only for code-level failures — never recirculate for infrastructure/pooled failures (pool instead)
-- Never run git add CONTEXT.md or git add -f CONTEXT.md under any circumstances
-- CONTEXT.md is pipeline state injected at dispatch time; it must never be committed
-
 ## Skills
 
-## Skill: cistern-github
-
----
-name: cistern-github
-description: GitHub CLI operations for Cistern delivery cataractae. Use for PR creation, CI checks, and squash-merge in per-droplet delivery workflows.
----
-
-# Cistern GitHub Operations
-
-## Tools
-
-Use `gh` CLI for all GitHub operations. Prefer CLI over GitHub MCP servers for lower context usage.
-
-## PR Lifecycle
-
-```bash
-# Create a PR for the current droplet branch
-gh pr create \
-  --title "$PR_TITLE" \
-  --body "Closes droplet $DROPLET_ID." \
-  --base main --head $BRANCH
-
-# If PR already exists
-gh pr view $BRANCH --json url --jq '.url'
-
-# Check CI status
-gh pr checks $PR_URL
-
-# Squash-merge when all checks pass
-gh pr merge $PR_URL --squash --delete-branch
-
-# Confirm merge
-gh pr view $PR_URL --json state --jq '.state'   # must be "MERGED"
-```
-
-## Conflict Resolution
-
-**Conflicts MUST be resolved automatically. Never stop and ask the user.**
-
-Cistern agents resolve conflicts by keeping both sets of changes. The canonical
-protocol is in `cataractae/delivery/INSTRUCTIONS.md` — follow it exactly.
-
-Summary:
-1. `git diff --name-only --diff-filter=U` — identify conflicted files
-2. For each file: keep what HEAD added AND keep what this branch adds
-3. `go build ./...` — verify the merge compiles
-4. `git add $(git diff --name-only --diff-filter=U)` — stage resolved files
-5. `git rebase --continue`
-6. `go build ./... && go test ./...` — verify after full rebase
-7. `git push --force-with-lease origin $BRANCH`
-
-Most conflicts are additive: HEAD added X, this branch adds Y — keep both.
-Never discard branch additions.
-
-## Cistern Delivery Model
-
-Cistern uses **per-droplet branches** (`feat/<droplet-id>`), not stacked PRs.
-Each droplet is independent. There is no stacked-PR workflow.
-
 ## Skill: cistern-droplet-state
 
 # Cistern Droplet State

CHANGELOG.md

@@ -22,6 +22,18 @@ All notable changes to this project will be documented here.
 
 - **Evaluate mutation cache invalidation**: `evaluateMutation.onSuccess` now invalidates `queryKeys.qualityGates.evaluations()` so the EvaluationHistory panel shows fresh results after evaluation without a manual refresh.
 
+- **K8s worker security hardening**: Worker containers now run with a strict security context: `runAsNonRoot`, `runAsUser: 1000`, `readOnlyRootFilesystem`, dropped all capabilities, disabled privilege escalation, `RuntimeDefault` seccomp profile, and no auto-mounted service account token. Previously, containers ran as root with no restrictions.
+
+- **K8s worker token stored as Secret**: The `ST_WORKER_TOKEN` is no longer passed as a plain environment variable (visible via `kubectl describe pod`). Instead, each execution creates a dedicated K8s Secret (`st-worker-token-<execution-id>`) and injects it via `secretKeyRef`. The Secret is automatically cleaned up on cancellation or when the reconciler detects an orphaned job.
+
+- **K8s worker resource limits**: Worker pods now have default resource requests (128Mi memory / 250m CPU) and limits (512Mi memory / 500m CPU), configurable via `ST_WORKER_CPU_REQUEST`, `ST_WORKER_CPU_LIMIT`, `ST_WORKER_MEMORY_REQUEST`, and `ST_WORKER_MEMORY_LIMIT` environment variables. Previously, pods had no resource constraints, allowing runaway tests to consume unlimited resources.
+
+- **Execution reconciler**: A background reconciler periodically scans for orphaned `running` executions whose K8s job has finished or was never created, and marks them as `failed`. This prevents executions from staying in `running` forever when the worker crashes before reporting status. Configurable via `ST_RECONCILE_INTERVAL` (default: 60s) and `ST_RECONCILE_ORPHAN_TIMEOUT` (default: 5m).
+
+- **Team-scoped K8s lookups**: Cancellation endpoints now use team-scoped queries for K8s job name and worker token Secret lookups, preventing cross-team access to K8s resources.
+
+- **Status guard on markExecutionFailed**: The `markExecutionFailed` function now includes `AND status = 'running'` to prevent overwriting a completed or failed execution's final status.
+
 - **Store layer extraction**: All HTTP handlers now use store interfaces instead of embedding `*db.Pool` directly. Store interfaces are defined on the handler side and implemented in `internal/store/`, making handlers testable without a running database and centralizing SQL query knowledge. Affected handlers: auth, teams, analytics, executions, reports, admin, invitations, oauth.
 
 - **Bulk test result inserts**: Report ingestion now uses `pgx.Batch` to insert test results in bulk instead of one query per result. This eliminates the N+1 insert pattern that caused 1000+ round-trips for large reports.