feat(ci): allow for supporting multi-arch images to be built and shipped

.devcontainer/Dockerfile

@@ -0,0 +1,100 @@
+FROM mcr.microsoft.com/devcontainers/go:1.25-bookworm
+
+USER root
+
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
+
+# kind (for local K8s clusters)
+RUN curl -Lo /usr/local/bin/kind https://kind.sigs.k8s.io/dl/latest/kind-linux-amd64 \
+    && chmod +x /usr/local/bin/kind
+
+# Claude Code
+RUN curl -fsSL https://claude.ai/install.sh | bash
+
+# asdf (for teleport-ent)
+# renovate: datasource=github-releases depName=asdf-vm/asdf
+ENV V_ASDF="0.18.1"
+RUN <<EOF
+    curl -L https://github.com/asdf-vm/asdf/releases/download/v${V_ASDF}/asdf-v${V_ASDF}-linux-amd64.tar.gz -o /usr/local/bin/asdf.tar.gz
+    tar -xzf /usr/local/bin/asdf.tar.gz -C /usr/local/bin
+    rm /usr/local/bin/asdf.tar.gz
+    echo "export ASDF_DATA_DIR='/root/.asdf'" >>/etc/zsh/zshrc
+    echo "export PATH=\"\$ASDF_DATA_DIR/shims:\$PATH\"" >>/etc/zsh/zshrc
+    echo "export ASDF_DATA_DIR='/root/.asdf'" >>/etc/bash.bashrc
+    echo "export PATH=\"\$ASDF_DATA_DIR/shims:\$PATH\"" >>/etc/bash.bashrc
+    asdf plugin add teleport-ent
+    asdf install teleport-ent 18.2.2
+    asdf set --home teleport-ent 18.2.2
+EOF
+
+# AWS IAM Roles Anywhere
+RUN <<EOB
+    mkdir -p /opt/roles-anywhere /opt/roles-anywhere-admin /opt/roles-anywhere-sandbox /opt/roles-anywhere-bd /opt/roles-anywhere-cs /opt/roles-anywhere-gtm
+    chown -R root:root /opt/roles-anywhere
+    curl -fsSL https://rolesanywhere.amazonaws.com/releases/1.3.0/X86_64/Linux/aws_signing_helper -o /usr/local/bin/aws_signing_helper && chmod +x /usr/local/bin/aws_signing_helper
+    mkdir -p /root/.aws
+    cat <<EOF > /root/.aws/config
+[default]
+credential_process = /usr/local/bin/aws_signing_helper credential-process --certificate /opt/roles-anywhere/svid.pem --private-key /opt/roles-anywhere/svid_key.pem --profile-arn arn:aws:rolesanywhere:us-west-1:580663733917:profile/1c5babda-a4a9-4c75-9a16-88e143ab0233 --trust-anchor-arn
+arn:aws:rolesanywhere:us-west-1:580663733917:trust-anchor/b15762fd-2a5f-4bcd-a09f-17f63f4f2f98 --role-arn arn:aws:iam::580663733917:role/TeleportDeveloperAccess
+output = json
+[profile teleport-admin]
+credential_process = /usr/local/bin/aws_signing_helper credential-process --certificate /opt/roles-anywhere-admin/svid.pem --private-key /opt/roles-anywhere-admin/svid_key.pem --profile-arn arn:aws:rolesanywhere:us-west-1:580663733917:profile/32163bf3-dd34-4b50-8ff2-bea86d8daf3b --trust-anchor-arn
+arn:aws:rolesanywhere:us-west-1:580663733917:trust-anchor/b15762fd-2a5f-4bcd-a09f-17f63f4f2f98 --role-arn arn:aws:iam::580663733917:role/TeleportAdministratorAccess
+output = json
+[profile sandbox]
+credential_process = /usr/local/bin/aws_signing_helper credential-process --certificate /opt/roles-anywhere-sandbox/svid.pem --private-key /opt/roles-anywhere-sandbox/svid_key.pem --profile-arn arn:aws:rolesanywhere:us-east-1:774922483191:profile/bf98f431-d465-48d8-84b1-6d3090bb17aa --trust-anchor-arn
+arn:aws:rolesanywhere:us-east-1:774922483191:trust-anchor/9f687ddc-5ae6-4459-bd1f-ed9c7d296f25 --role-arn arn:aws:iam::774922483191:role/TeleportRolesAnywhere
+region = us-west-1
+output = json
+[profile bd]
+credential_process = /usr/local/bin/aws_signing_helper credential-process --certificate /opt/roles-anywhere-bd/svid.pem --private-key /opt/roles-anywhere-bd/svid_key.pem --profile-arn arn:aws:rolesanywhere:us-west-1:580663733917:profile/e61115ef-b5d7-415f-b249-6fd1f3814aa1 --trust-anchor-arn
+arn:aws:rolesanywhere:us-west-1:580663733917:trust-anchor/b15762fd-2a5f-4bcd-a09f-17f63f4f2f98 --role-arn arn:aws:iam::580663733917:role/TeleportBusinessDevelopmentAccess
+output = json
+[profile cs]
+credential_process = /usr/local/bin/aws_signing_helper credential-process --certificate /opt/roles-anywhere-cs/svid.pem --private-key /opt/roles-anywhere-cs/svid_key.pem --profile-arn arn:aws:rolesanywhere:us-west-1:580663733917:profile/8bbcfc3e-f5e2-4d17-a7c4-fb10f648b10e --trust-anchor-arn
+arn:aws:rolesanywhere:us-west-1:580663733917:trust-anchor/b15762fd-2a5f-4bcd-a09f-17f63f4f2f98 --role-arn arn:aws:iam::580663733917:role/TeleportCustomerSolutionsAccess
+output = json
+[profile gtm]
+credential_process = /usr/local/bin/aws_signing_helper credential-process --certificate /opt/roles-anywhere-gtm/svid.pem --private-key /opt/roles-anywhere-gtm/svid_key.pem --profile-arn arn:aws:rolesanywhere:us-east-1:649126925216:profile/de329f63-770f-462c-9152-ea822877c9f3 --trust-anchor-arn
+arn:aws:rolesanywhere:us-east-1:649126925216:trust-anchor/a784c1f4-8247-4b9d-b565-d430fec69f15 --role-arn arn:aws:iam::649126925216:role/TeleportAdminAccess
+region = us-west-1
+output = json
+EOF
+EOB
+
+# claude-bedrock helper and gimme-creds aliases
+RUN <<'EOF'
+cat >> /etc/zshrc << 'SHELL_RC'
+
+# Claude / Bedrock helper function
+claude-bedrock() {
+    CLAUDE_CODE_USE_BEDROCK=1 AWS_REGION=us-west-2 claude "$@"
+}
+
+# Teleport credential helpers
+alias gimme-creds="tsh svid issue --output /opt/roles-anywhere --svid-ttl 12h /svc/codespaces"
+alias gimme-admin-creds="tsh svid issue --output /opt/roles-anywhere-admin --svid-ttl 12h /role/administrator"
+alias gimme-sandbox-creds="tsh svid issue --output /opt/roles-anywhere-sandbox --svid-ttl 12h /cloud/aws-sandbox"
+SHELL_RC
+cat >> /etc/bash.bashrc << 'SHELL_RC'
+
+# Claude / Bedrock helper function
+claude-bedrock() {
+    CLAUDE_CODE_USE_BEDROCK=1 AWS_REGION=us-west-2 claude "$@"
+}
+
+# Teleport credential helpers
+alias gimme-creds="tsh svid issue --output /opt/roles-anywhere --svid-ttl 12h /svc/codespaces"
+alias gimme-admin-creds="tsh svid issue --output /opt/roles-anywhere-admin --svid-ttl 12h /role/administrator"
+alias gimme-sandbox-creds="tsh svid issue --output /opt/roles-anywhere-sandbox --svid-ttl 12h /cloud/aws-sandbox"
+SHELL_RC
+EOF
+
+# Needed for teleport & credentials
+RUN <<EOF
+    echo 'export TELEPORT_AUTH=google' >>/etc/zshrc
+    echo 'export TELEPORT_PROXY=anomalo.teleport.sh:443' >>/etc/zshrc
+    echo 'export TELEPORT_AUTH=google' >>/etc/bash.bashrc
+    echo 'export TELEPORT_PROXY=anomalo.teleport.sh:443' >>/etc/bash.bashrc
+EOF

.devcontainer/devcontainer.json

@@ -0,0 +1,44 @@
+{
+  "name": "Kelos Dev",
+  "build": {
+    "dockerfile": "Dockerfile"
+  },
+  "remoteUser": "root",
+  "features": {
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+    "ghcr.io/devcontainers/features/kubectl-helm-minikube:1": {
+      "kubectl": "latest",
+      "helm": "latest",
+      "minikube": "none"
+    },
+    "ghcr.io/devcontainers/features/github-cli:1": {},
+    "ghcr.io/devcontainers/features/sshd:1": {},
+    "ghcr.io/tailscale/codespace/tailscale:1": {}
+  },
+  "customizations": {
+    "vscode": {
+      "settings": {
+        "go.toolsManagement.autoUpdate": true,
+        "go.useLanguageServer": true,
+        "go.lintTool": "golangci-lint",
+        "terminal.integrated.defaultProfile.linux": "zsh"
+      },
+      "extensions": [
+        "anthropic.claude-code",
+        "golang.go",
+        "eamodio.gitlens",
+        "redhat.vscode-yaml",
+        "ms-kubernetes-tools.vscode-kubernetes-tools"
+      ]
+    }
+  },
+  "forwardPorts": [],
+  "postCreateCommand": "/bin/bash .devcontainer/post-create.sh",
+  "remoteEnv": {
+    "LOCAL_WORKSPACE_FOLDER": "${localWorkspaceFolder}"
+  },
+  "hostRequirements": {
+    "cpus": 4,
+    "memory": "8gb"
+  }
+}

.devcontainer/post-create.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -euo pipefail
+
+echo "==> Installing Go tool dependencies..."
+make -C /workspaces/kelos controller-gen envtest yamlfmt shfmt 2>/dev/null || true
+
+echo "==> Downloading Go modules..."
+cd /workspaces/kelos && go mod download
+
+echo "==> Building kelos CLI..."
+make -C /workspaces/kelos build WHAT=cmd/kelos 2>/dev/null || true
+
+cat <<'MSG'
+
+==> Done! To get started:
+1. tailscale up --accept-routes
+2. tsh login --proxy=anomalo.teleport.sh:443 --auth=google
+3. gimme-creds
+4. claude-bedrock
+MSG

.githooks/check-secrets.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+# Pre-commit hook: check staged files for secrets or sensitive information
+
+set -euo pipefail
+
+RED='\033[0;31m'
+NC='\033[0m'
+
+# Patterns that suggest secrets or sensitive info
+PATTERNS=(
+  'AKIA[0-9A-Z]{16}'                                      # AWS Access Key ID
+  '["\x27]sk-[a-zA-Z0-9]{20,}'                            # OpenAI / Stripe secret keys
+  'ghp_[a-zA-Z0-9]{36}'                                   # GitHub personal access token
+  'github_pat_[a-zA-Z0-9_]{22,}'                          # GitHub fine-grained PAT
+  'glpat-[a-zA-Z0-9\-]{20,}'                              # GitLab PAT
+  'xox[bpors]-[a-zA-Z0-9\-]+'                             # Slack tokens
+  '-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'  # Private keys
+  'password\s*[:=]\s*["\x27][^"\x27]{4,}'                 # password assignments
+  'secret\s*[:=]\s*["\x27][^"\x27]{4,}'                   # secret assignments
+  'api[_-]?key\s*[:=]\s*["\x27][^"\x27]{4,}'              # API key assignments
+  'token\s*[:=]\s*["\x27][^"\x27]{4,}'                    # token assignments
+  'AIza[0-9A-Za-z\-_]{35}'                                # Google API key
+  '[0-9]+-[0-9A-Za-z_]{32}\.apps\.googleusercontent\.com' # Google OAuth client ID
+  'sk-ant-api[0-9]{2}-[a-zA-Z0-9\-_]{80,}'                # Anthropic API key
+  'sk-ant-[a-zA-Z0-9\-_]{40,}'                            # Anthropic API key (older format)
+  'sk-proj-[a-zA-Z0-9\-_]{40,}'                           # OpenAI project API key
+  'sk-[a-zA-Z0-9]{48}'                                    # OpenAI API key (legacy)
+  'ya29\.[a-zA-Z0-9_\-]{50,}'                             # Google/Vertex OAuth access token
+)
+
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || true)
+
+if [ -z "$STAGED_FILES" ]; then
+  exit 0
+fi
+
+FOUND=0
+
+for file in $STAGED_FILES; do
+  # Skip binary files and common non-secret files
+  if [[ "$file" =~ \.(png|jpg|jpeg|gif|ico|woff|woff2|ttf|eot|pdf|zip|tar|gz)$ ]]; then
+    continue
+  fi
+  # Skip this hook script itself and test fixtures
+  if [[ "$file" == *"check-secrets"* ]] || [[ "$file" == *"testdata"* ]] || [[ "$file" == *"test/fixtures"* ]]; then
+    continue
+  fi
+
+  CONTENT=$(git show ":$file" 2>/dev/null || true)
+  if [ -z "$CONTENT" ]; then
+    continue
+  fi
+
+  for pattern in "${PATTERNS[@]}"; do
+    MATCHES=$(echo "$CONTENT" | grep -nEi "$pattern" 2>/dev/null || true)
+    if [ -n "$MATCHES" ]; then
+      echo -e "${RED}Possible secret found in ${file}:${NC}"
+      echo "$MATCHES" | head -5
+      echo ""
+      FOUND=1
+    fi
+  done
+done
+
+# Check for common sensitive filenames
+SENSITIVE_FILES=(
+  '.env'
+  '.env.local'
+  '.env.production'
+  'credentials.json'
+  'service-account.json'
+  'id_rsa'
+  'id_ed25519'
+  '.npmrc'
+  '.pypirc'
+  'kubeconfig'
+)
+
+for file in $STAGED_FILES; do
+  basename=$(basename "$file")
+  for sensitive in "${SENSITIVE_FILES[@]}"; do
+    if [ "$basename" = "$sensitive" ]; then
+      echo -e "${RED}Sensitive file staged for commit: ${file}${NC}"
+      FOUND=1
+    fi
+  done
+done
+
+if [ "$FOUND" -eq 1 ]; then
+  echo -e "${RED}Commit blocked: potential secrets detected.${NC}"
+  echo "If these are false positives, commit with --no-verify to bypass."
+  exit 1
+fi
+
+exit 0

.github/workflows/ci.yaml

@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [main, prod]
   pull_request:
-    branches: [main]
+    branches: [main, prod]
     types: [opened, synchronize, reopened, labeled]
   merge_group:
   workflow_dispatch:
@@ -90,17 +90,17 @@ jobs:
           cluster_name: kind
 
       - name: Build images
-        run: make image VERSION=e2e
+        run: make image VERSION=e2e REGISTRY=public.ecr.aws/anomalo/kelos
 
       - name: Load images into kind
         run: |
-          kind load docker-image ghcr.io/kelos-dev/kelos-controller:e2e
-          kind load docker-image ghcr.io/kelos-dev/kelos-spawner:e2e
-          kind load docker-image ghcr.io/kelos-dev/claude-code:e2e
-          kind load docker-image ghcr.io/kelos-dev/codex:e2e
-          kind load docker-image ghcr.io/kelos-dev/gemini:e2e
-          kind load docker-image ghcr.io/kelos-dev/opencode:e2e
-          kind load docker-image ghcr.io/kelos-dev/cursor:e2e
+          kind load docker-image public.ecr.aws/anomalo/kelos/kelos-controller:e2e
+          kind load docker-image public.ecr.aws/anomalo/kelos/kelos-spawner:e2e
+          kind load docker-image public.ecr.aws/anomalo/kelos/claude-code:e2e
+          kind load docker-image public.ecr.aws/anomalo/kelos/codex:e2e
+          kind load docker-image public.ecr.aws/anomalo/kelos/gemini:e2e
+          kind load docker-image public.ecr.aws/anomalo/kelos/opencode:e2e
+          kind load docker-image public.ecr.aws/anomalo/kelos/cursor:e2e
 
       - name: Build CLI
         run: make build WHAT=cmd/kelos