Release 2026-05-07 (#814)

### Release digest — 2026-05-07 —
[#814](#814)

#### cortex v0.0.47 (sha-7d1745d8)

**New features:**
- `ProjectQuota` CRD with per-resource, per-AZ quota breakdown and PAYG
calculation ([#796](#796))
- `FlavorGroupCapacity` CRD + background capacity controller for
pre-computed per-flavor VM slot capacity per (flavor group × AZ)
([#728](#728))
- Capacity reporting in `POST /commitments/v1/report-capacity` now uses
real `FlavorGroupCapacity` CRD values (replaces placeholder zeros)
- CommittedResource usage reconciler — moves usage calculation into CRD
status, feeding both LIQUID API and quota controller
([#800](#800))
- KVM OS version label on host capacity metrics
([#810](#810))
- KVM project usage metrics (running VMs / resource usage per
project/flavor)
([#803](#803))
- `domain_id` + name on vmware project capacity metrics
([#802](#802))
- `domain_id` in vmware project commitment KPI
([#806](#806))
- Weighing explainer for scheduling decisions
([#808](#808))

**Refactors:**
- KVM host capacity metric moved to infrastructure plugins package
([#809](#809))
- Deprecated per-compute KPIs removed (`flavor_running_vms`,
`host_running_vms`, `resource_capacity_kvm`)
([#807](#807))
- Bundle-specific RBAC templates moved from library chart into
`cortex-ironcore` / `cortex-pods` bundles
([#797](#797))
- Webhook templates moved back into `cortex-nova`
([#805](#805))
- `testlib.Ptr` replaced with native `new()`
([#801](#801))

**Fixes:**
- Remove `ignoreAllocations` from kvm-report-capacity pipeline to
unblock older admission webhook
([#812](#812))
- Suppress nova scheduling alerts on transient `no such host` DNS errors
- Add `identity-domains` as KPI dependency
- Rename hypervisor `ClusterRoleBinding` to avoid `roleRef` conflict on
redeploy ([#804](#804))

#### cortex-nova v0.0.60 (sha-7d1745d8)
Includes cortex v0.0.47. Adds Prometheus datasources and KPI CRD
templates for KVM project usage/utilization, and updated RBAC for
`FlavorGroupCapacity` + `ProjectQuota` CRDs.

Author: mblos

.github/actions/setup-claude-code-action/action.yml

@@ -41,7 +41,7 @@ runs:
     - name: Setup Python
       uses: actions/setup-python@v6
       with:
-        python-version: "3.14"
+        python-version: "3.13"
 
     - name: Install LiteLLM dependencies
       shell: bash

.github/renovate.json

@@ -11,7 +11,8 @@
   ],
   "commitMessageAction": "Renovate: Update",
   "constraints": {
-    "go": "1.26"
+    "go": "1.26",
+    "python": "3.13"
   },
   "dependencyDashboardOSVVulnerabilitySummary": "all",
   "osvVulnerabilityAlerts": true,

.github/workflows/claude-assistant.yaml

@@ -1,9 +1,3 @@
-# NOTE: This workflow is temporarily disabled.
-# We need to determine a compliant approach for passing AI Core credentials
-# and whether utilizing the SAP AI Core Proxy is a viable and compliant option.
-# Until this is resolved, no AI Core credentials are configured and no
-# communication with AI Core takes place.
-
 name: Claude Code Assistant on Issues and PRs
 
 on:
@@ -18,7 +12,6 @@ on:
 
 jobs:
   check-allowlist:
-    if: false # Temporarily disabled
     runs-on: ubuntu-latest
     outputs:
       allowed: ${{ steps.check.outputs.allowed }}
@@ -38,7 +31,6 @@ jobs:
 
   claude:
     needs: check-allowlist
-    if: false # Temporarily disabled
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -52,29 +44,32 @@ jobs:
         uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
-
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.CORTEX_AI_AGENTS_APP_ID }}
+          private-key: ${{ secrets.CORTEX_AI_AGENTS_CLIENT_PKEY }}
       - uses: ./.github/actions/setup-claude-code-action
-
       - uses: ./.github/actions/start-litellm-proxy
         env:
           AICORE_RESOURCE_GROUP: ${{ secrets.AICORE_RESOURCE_GROUP }}
           AICORE_BASE_URL: ${{ secrets.AICORE_BASE_URL }}
           AICORE_AUTH_URL: ${{ secrets.AICORE_AUTH_URL }}
           AICORE_CLIENT_ID: ${{ secrets.AICORE_CLIENT_ID }}
           AICORE_CLIENT_SECRET: ${{ secrets.AICORE_CLIENT_SECRET }}
-
       - uses: ./.claude-code-action
         with:
           claude_args: |
             --max-turns 1000
             --permission-mode auto
+            --effort-level max
             --allowedTools "Read,Write,Edit,Bash(*),WebSearch,WebFetch"
           trigger_phrase: "@claude"
           include_comments_by_actor: "auhlig,umswmayj,juliusclausnitzer,mblos,PhilippMatthes,Varsius,henrichter,SoWieMarkus,*[bot]"
           use_litellm: "true"
           litellm_model: "sap/anthropic--claude-4.6-opus"
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.app-token.outputs.token }}
           show_full_output: "true"
-
       - uses: ./.github/actions/stop-litellm-proxy
         if: always()

.github/workflows/claude-release.yaml

@@ -1,9 +1,3 @@
-# NOTE: This workflow is temporarily disabled.
-# We need to determine a compliant approach for passing AI Core credentials
-# and whether utilizing the SAP AI Core Proxy is a viable and compliant option.
-# Until this is resolved, no AI Core credentials are configured and no
-# communication with AI Core takes place.
-
 name: Weekly Claude Code Repo Analysis and Grooming
 
 on:
@@ -13,7 +7,6 @@ on:
 
 jobs:
   claude:
-    if: false # Temporarily disabled
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -26,28 +19,31 @@ jobs:
         uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
-
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.CORTEX_AI_AGENTS_APP_ID }}
+          private-key: ${{ secrets.CORTEX_AI_AGENTS_CLIENT_PKEY }}
       - uses: ./.github/actions/setup-claude-code-action
-
       - uses: ./.github/actions/start-litellm-proxy
         env:
           AICORE_RESOURCE_GROUP: ${{ secrets.AICORE_RESOURCE_GROUP }}
           AICORE_BASE_URL: ${{ secrets.AICORE_BASE_URL }}
           AICORE_AUTH_URL: ${{ secrets.AICORE_AUTH_URL }}
           AICORE_CLIENT_ID: ${{ secrets.AICORE_CLIENT_ID }}
           AICORE_CLIENT_SECRET: ${{ secrets.AICORE_CLIENT_SECRET }}
-
       - uses: ./.claude-code-action
         with:
           prompt: "/weekly"
           claude_args: |
             --max-turns 1000
             --permission-mode auto
+            --effort-level max
             --allowedTools "Read,Write,Edit,Bash(*),WebSearch,WebFetch"
           use_litellm: "true"
           litellm_model: "sap/anthropic--claude-4.6-opus"
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+          github_token: ${{ steps.app-token.outputs.token }}
           show_full_output: "true"
-
       - uses: ./.github/actions/stop-litellm-proxy
         if: always()

.github/workflows/claude-review.yaml

@@ -35,7 +35,6 @@ General:
 - You can use `maps.Copy` instead of iteratively copying a map
 - You can use `strings.Contains` to check if some string is in another
 - You can use `slices.Contains` to check if an element is part of a slice
-- And definitely use `testlib.Ptr` for test cases that require pointer values
 
 Testing:
 - Ideally test files should be short and contain only the necessary cases

.github/workflows/claude-weekly.yaml

@@ -1,5 +1,39 @@
 # Changelog
 
+## 2026-05-07 — [#814](https://github.com/cobaltcore-dev/cortex/pull/814)
+
+### cortex v0.0.47 (sha-b8cecd0c)
+
+Non-breaking changes:
+- Add `ProjectQuota` CRD with per-resource, per-AZ quota breakdown and PAYG (pay-as-you-go) calculation support ([#796](https://github.com/cobaltcore-dev/cortex/pull/796))
+- Add `FlavorGroupCapacity` CRD and background capacity controller that pre-computes per-flavor VM slot capacity for each (flavor group × AZ) pair on a configurable interval ([#728](https://github.com/cobaltcore-dev/cortex/pull/728))
+- Report capacity from `FlavorGroupCapacity` CRDs in `POST /commitments/v1/report-capacity` — replaces placeholder zeros with real values; stale CRDs report last-known capacity
+- Move CommittedResource usage computation from the API handler into a dedicated reconciler that persists results in CRD status, making usage data available to both the LIQUID API and quota controller ([#800](https://github.com/cobaltcore-dev/cortex/pull/800))
+- Add KVM OS version as a label to KVM host capacity metrics ([#810](https://github.com/cobaltcore-dev/cortex/pull/810))
+- Add KVM project usage metrics (running VMs and resource usage per project/flavor) ([#803](https://github.com/cobaltcore-dev/cortex/pull/803))
+- Add `domain_id` and name to vmware project capacity metrics ([#802](https://github.com/cobaltcore-dev/cortex/pull/802))
+- Include `domain_id` in vmware project commitment KPI ([#806](https://github.com/cobaltcore-dev/cortex/pull/806))
+- Add weighing explainer for scheduling decisions, surfacing per-host scoring rationale ([#808](https://github.com/cobaltcore-dev/cortex/pull/808))
+- Move KVM host capacity metric into infrastructure plugins package ([#809](https://github.com/cobaltcore-dev/cortex/pull/809))
+- Remove deprecated per-compute infrastructure KPIs (`flavor_running_vms`, `host_running_vms`, `resource_capacity_kvm`) ([#807](https://github.com/cobaltcore-dev/cortex/pull/807))
+- Rename hypervisor `ClusterRoleBinding` objects to avoid `roleRef` conflicts on redeploy ([#804](https://github.com/cobaltcore-dev/cortex/pull/804))
+- Move bundle-specific RBAC templates from the library chart into individual bundle charts (`cortex-ironcore`, `cortex-pods`) ([#797](https://github.com/cobaltcore-dev/cortex/pull/797))
+- Move webhook templates from library chart back into `cortex-nova` bundle (reverts earlier move) ([#805](https://github.com/cobaltcore-dev/cortex/pull/805))
+- Fix: add `identity-domains` as a KPI dependency
+- Fix: remove `ignoreAllocations` from kvm-report-capacity pipeline to unblock deployment against older admission webhook ([#812](https://github.com/cobaltcore-dev/cortex/pull/812))
+- Fix: suppress nova scheduling alerts on transient `no such host` DNS errors
+- Replace `testlib.Ptr` helper with native `new()` across test files ([#801](https://github.com/cobaltcore-dev/cortex/pull/801))
+
+### cortex-nova v0.0.60 (sha-b8cecd0c)
+
+Includes updated chart cortex v0.0.47.
+
+Non-breaking changes:
+- Add Prometheus datasource for KVM project usage metrics
+- Add KVM project usage KPI CRD templates
+- Add KVM project utilization KPI CRD templates
+- Update `cortex-nova` RBAC to grant permissions for `FlavorGroupCapacity` and `ProjectQuota` CRDs
+
 ## 2026-05-04 — [#793](https://github.com/cobaltcore-dev/cortex/pull/793)
 
 ### cortex v0.0.46 (sha-ab6eb45d)

AGENTS.md

@@ -196,7 +196,7 @@ k8s_yaml(helm('./helm/bundles/cortex-crds', name='cortex-crds', set=crd_extra_va
 if 'nova' in ACTIVE_DEPLOYMENTS:
     print("Activating Cortex Nova bundle")
     k8s_yaml(helm('./helm/bundles/cortex-nova', name='cortex-nova', values=tilt_values, set=env_set_overrides))
-    k8s_resource('cortex-nova-postgresql', labels=['Cortex-Nova'], port_forwards=[
+    k8s_resource('cortex-nova-postgresql-v18', labels=['Cortex-Nova'], port_forwards=[
         port_forward(8000, 5432),
     ])
     k8s_resource('cortex-nova-scheduling-controller-manager', labels=['Cortex-Nova'], port_forwards=[
@@ -221,7 +221,7 @@ if 'nova' in ACTIVE_DEPLOYMENTS:
 if 'manila' in ACTIVE_DEPLOYMENTS:
     print("Activating Cortex Manila bundle")
     k8s_yaml(helm('./helm/bundles/cortex-manila', name='cortex-manila', values=tilt_values, set=env_set_overrides))
-    k8s_resource('cortex-manila-postgresql', labels=['Cortex-Manila'], port_forwards=[
+    k8s_resource('cortex-manila-postgresql-v18', labels=['Cortex-Manila'], port_forwards=[
         port_forward(8002, 5432),
     ])
     k8s_resource('cortex-manila-scheduling-controller-manager', labels=['Cortex-Manila'], port_forwards=[
@@ -238,7 +238,7 @@ if 'manila' in ACTIVE_DEPLOYMENTS:
 
 if 'cinder' in ACTIVE_DEPLOYMENTS:
     k8s_yaml(helm('./helm/bundles/cortex-cinder', name='cortex-cinder', values=tilt_values, set=env_set_overrides))
-    k8s_resource('cortex-cinder-postgresql', labels=['Cortex-Cinder'], port_forwards=[
+    k8s_resource('cortex-cinder-postgresql-v18', labels=['Cortex-Cinder'], port_forwards=[
         port_forward(8004, 5432),
     ])
     k8s_resource('cortex-cinder-scheduling-controller-manager', labels=['Cortex-Cinder'], port_forwards=[