Merge remote-tracking branch 'origin/main' into jaosorior/mcpauthzconfig-crd

# Conflicts:
#	docs/operator/crd-api.md

Author: ChrisJBurns

.claude/rules/operator.md

@@ -36,7 +36,7 @@ See `cmd/thv-operator/DESIGN.md` for detailed decision guidelines.
 
 - Always run `task operator-generate` after modifying CRD types
 - Always run `task operator-manifests` after adding kubebuilder markers
-- Always run `task crdref-gen` from `cmd/thv-operator/` after CRD changes to regenerate API docs (uses relative paths)
+- Always run `task crdref-gen` from the repo root after CRD changes to regenerate API docs (running it from `cmd/thv-operator/` fails — the task resolves the config path relative to the repo root)
 - Use `envtest` for integration testing, not real clusters
 - Chainsaw tests require a real Kubernetes cluster
 - Status writes must go through `controllerutil.MutateAndPatchStatus` — see the Status Writes section below
@@ -65,7 +65,7 @@ task operator-generate        # Generate deepcopy, client code
 task operator-manifests       # Generate CRD YAML, RBAC
 task operator-test            # Run unit tests
 task operator-e2e-test        # Run e2e tests
-task crdref-gen              # Generate CRD API docs (run from cmd/thv-operator/)
+task crdref-gen              # Generate CRD API docs (run from the repo root)
 ```
 
 ## Spec / metadata patching

.github/CODEOWNERS

@@ -9,29 +9,29 @@ CLAUDE.md                            @JAORMX @jhrozek @rdimitrov @jerm-dro
 .claude/rules/                       @JAORMX @jhrozek @rdimitrov @jerm-dro
 
 # CLI (thv)
-cmd/thv/                             @JAORMX @yrobla @ChrisJBurns @amirejaz @lujunsan @rdimitrov @jhrozek
-cmd/help/                            @JAORMX @yrobla @ChrisJBurns @amirejaz @lujunsan @rdimitrov @jhrozek
-docs/cli/                            @JAORMX @yrobla @ChrisJBurns @amirejaz @lujunsan @rdimitrov @jhrozek
-test/e2e/                            @JAORMX @yrobla @ChrisJBurns @amirejaz @lujunsan @rdimitrov @jhrozek
+cmd/thv/                             @JAORMX @ChrisJBurns @amirejaz @lujunsan @rdimitrov @jhrozek @reyortiz3 @aponcedeleonch
+cmd/help/                            @JAORMX @ChrisJBurns @amirejaz @lujunsan @rdimitrov @jhrozek @reyortiz3 @aponcedeleonch
+docs/cli/                            @JAORMX @ChrisJBurns @amirejaz @lujunsan @rdimitrov @jhrozek @reyortiz3 @aponcedeleonch
+test/e2e/                            @JAORMX @ChrisJBurns @amirejaz @lujunsan @rdimitrov @jhrozek @reyortiz3 @aponcedeleonch
 
 # HTTP API (ToolHive server)
-pkg/api/                             @JAORMX @amirejaz
-docs/server/                         @JAORMX @amirejaz
+pkg/api/                             @JAORMX @amirejaz @rdimitrov @reyortiz3 @aponcedeleonch
+docs/server/                         @JAORMX @amirejaz @rdimitrov @reyortiz3 @aponcedeleonch
 
 # Kubernetes (operator + proxyrunner + charts)
-cmd/thv-operator/                    @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
-cmd/thv-proxyrunner/                 @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
-deploy/charts/operator/              @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
-deploy/charts/operator-crds/          @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
-config/webhook/                      @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
-test/e2e/chainsaw/operator/           @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
-test/e2e/thv-operator/                @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
-docs/operator/                        @ChrisJBurns @yrobla @JAORMX @jerm-dro @jhrozek
+cmd/thv-operator/                    @ChrisJBurns @JAORMX @jerm-dro @jhrozek @tgrunnagle @rdimitrov @reyortiz3 @blkt
+cmd/thv-proxyrunner/                 @ChrisJBurns @JAORMX @jerm-dro @jhrozek @tgrunnagle @rdimitrov @reyortiz3 @blkt
+deploy/charts/operator/              @ChrisJBurns @JAORMX @jerm-dro @jhrozek @tgrunnagle @rdimitrov @reyortiz3 @blkt
+deploy/charts/operator-crds/          @ChrisJBurns @JAORMX @jerm-dro @jhrozek @tgrunnagle @rdimitrov @reyortiz3 @blkt
+config/webhook/                      @ChrisJBurns @JAORMX @jerm-dro @jhrozek @tgrunnagle @rdimitrov @reyortiz3 @blkt
+test/e2e/chainsaw/operator/           @ChrisJBurns @JAORMX @jerm-dro @jhrozek @tgrunnagle @rdimitrov @reyortiz3 @blkt
+test/e2e/thv-operator/                @ChrisJBurns @JAORMX @jerm-dro @jhrozek @tgrunnagle @rdimitrov @reyortiz3 @blkt
+docs/operator/                        @ChrisJBurns @JAORMX @jerm-dro @jhrozek @tgrunnagle @rdimitrov @reyortiz3 @blkt
 
 # vMCP (Virtual MCP)
-cmd/vmcp/                            @JAORMX @yrobla @jhrozek @jerm-dro @amirejaz
-pkg/vmcp/                            @JAORMX @yrobla @jhrozek @jerm-dro @amirejaz
-test/integration/vmcp/               @JAORMX @yrobla @jhrozek @jerm-dro @amirejaz
+cmd/vmcp/                            @JAORMX @jhrozek @jerm-dro @amirejaz @ChrisJBurns @tgrunnagle
+pkg/vmcp/                            @JAORMX @jhrozek @jerm-dro @amirejaz @ChrisJBurns @tgrunnagle
+test/integration/vmcp/               @JAORMX @jhrozek @jerm-dro @amirejaz @ChrisJBurns @tgrunnagle
 
 # Core Runtime & Lifecycle
 pkg/workloads/                       @JAORMX @amirejaz @lujunsan
@@ -44,32 +44,32 @@ pkg/groups/                          @JAORMX @amirejaz @lujunsan
 pkg/client/                          @JAORMX @amirejaz @lujunsan
 
 # Infrastructure Abstractions
-pkg/container/                        @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @yrobla
-pkg/transport/                        @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @yrobla
-pkg/mcp/                              @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @yrobla
-pkg/networking/                       @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @yrobla
-pkg/labels/                           @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @yrobla
-pkg/process/                          @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @yrobla
+pkg/container/                        @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @rdimitrov
+pkg/transport/                        @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @rdimitrov
+pkg/mcp/                              @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @rdimitrov
+pkg/networking/                       @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @rdimitrov
+pkg/labels/                           @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @rdimitrov
+pkg/process/                          @JAORMX @jhrozek @blkt @amirejaz @ChrisJBurns @rdimitrov
 
 # Registry & Distribution
-pkg/registry/                         @JAORMX @rdimitrov
-.github/workflows/update-registry.yml  @JAORMX @rdimitrov
+pkg/registry/                         @JAORMX @rdimitrov @reyortiz3
+.github/workflows/update-registry.yml  @JAORMX @rdimitrov @reyortiz3
 
 # Security & Policy
-pkg/auth/                             @jhrozek @JAORMX @ChrisJBurns @yrobla
-pkg/authz/                            @jhrozek @JAORMX @ChrisJBurns @yrobla
-pkg/oauth/                            @jhrozek @JAORMX @ChrisJBurns @yrobla
-pkg/authserver/                       @jhrozek @JAORMX @ChrisJBurns @yrobla
-pkg/secrets/                          @jhrozek @JAORMX @ChrisJBurns @yrobla
-pkg/permissions/                      @jhrozek @JAORMX @ChrisJBurns @yrobla
-pkg/container/verifier/               @jhrozek @JAORMX @ChrisJBurns @yrobla
-pkg/audit/                            @jhrozek @JAORMX @ChrisJBurns @yrobla
+pkg/auth/                             @jhrozek @JAORMX @ChrisJBurns @tgrunnagle @rdimitrov
+pkg/authz/                            @jhrozek @JAORMX @ChrisJBurns @tgrunnagle @rdimitrov
+pkg/oauth/                            @jhrozek @JAORMX @ChrisJBurns @tgrunnagle @rdimitrov
+pkg/authserver/                       @jhrozek @JAORMX @ChrisJBurns @tgrunnagle @rdimitrov
+pkg/secrets/                          @jhrozek @JAORMX @ChrisJBurns @tgrunnagle @rdimitrov
+pkg/permissions/                      @jhrozek @JAORMX @ChrisJBurns @tgrunnagle @rdimitrov
+pkg/container/verifier/               @jhrozek @JAORMX @ChrisJBurns @tgrunnagle @rdimitrov
+pkg/audit/                            @jhrozek @JAORMX @ChrisJBurns @tgrunnagle @rdimitrov
 
 # Observability
-pkg/telemetry/                        @ChrisJBurns @JAORMX @yrobla @jerm-dro
-pkg/usagemetrics/                     @ChrisJBurns @JAORMX @yrobla @jerm-dro
-pkg/logger/                           @ChrisJBurns @JAORMX @yrobla @jerm-dro
-pkg/recovery/                         @ChrisJBurns @JAORMX @yrobla @jerm-dro
+pkg/telemetry/                        @ChrisJBurns @JAORMX @jerm-dro
+pkg/usagemetrics/                     @ChrisJBurns @JAORMX @jerm-dro
+pkg/logger/                           @ChrisJBurns @JAORMX @jerm-dro
+pkg/recovery/                         @ChrisJBurns @JAORMX @jerm-dro
 
 # Architecture docs
-docs/arch/                            @JAORMX @amirejaz @yrobla @rdimitrov @ChrisJBurns @jhrozek
+docs/arch/                            @JAORMX @amirejaz @rdimitrov @ChrisJBurns @jhrozek @tgrunnagle

.github/workflows/claude.yml

@@ -59,7 +59,7 @@ jobs:
 
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1
+        uses: anthropics/claude-code-action@fbda2eb1bdc90d319b8d853f5deb53bca199a7c1 # v1
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           # Security: Restrict tools to prevent arbitrary code execution.

.github/workflows/helm-charts-test.yml

@@ -26,7 +26,7 @@ jobs:
         uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Set up Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
         with:
           version: v3.20.2 # helm
 
@@ -53,6 +53,14 @@ jobs:
       - name: Run chart-testing (lint)
         run: ct lint --config ct.yaml
 
+      - name: Run helm-unittest
+        # helm-unittest renders the charts and asserts on the resulting
+        # Kubernetes manifests, catching template regressions that `ct lint`
+        # and `ct install` do not — `helm install` can succeed even when the
+        # rendered output is subtly wrong. The plugin version is pinned in
+        # the Taskfile's `helm-unittest` task.
+        run: task helm-unittest
+
       - name: Create KIND cluster
         uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
 

.github/workflows/helm-publish.yml

@@ -73,7 +73,7 @@ jobs:
           echo "Extracted version: $VERSION from tag: $TAG"
 
       - name: Set up Helm
-        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
         with:
           version: 'v3.14.0'
 

.github/workflows/image-build-and-publish.yml

@@ -29,7 +29,7 @@ jobs:
         uses: ./.github/actions/compute-version
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -92,18 +92,18 @@ jobs:
         uses: ./.github/actions/compute-version
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
         with:
           images: ${{ env.BASE_REPO }}
           tags: |
@@ -112,7 +112,7 @@ jobs:
             type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           context: containers/egress-proxy
           platforms: linux/amd64,linux/arm64
@@ -168,7 +168,7 @@ jobs:
         uses: ./.github/actions/compute-version
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -178,7 +178,7 @@ jobs:
         uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - name: Install Cosign
         uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
@@ -239,7 +239,7 @@ jobs:
         uses: ./.github/actions/compute-version
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -249,7 +249,7 @@ jobs:
         uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - name: Install Cosign
         uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
@@ -320,7 +320,7 @@ jobs:
           fi
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/operator-ci.yml

@@ -160,7 +160,7 @@ jobs:
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
     - name: Set up Helm
-      uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1 # pin@v4.3.0
+      uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
 
     - name: Setup Ko
       uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9