v0.6.75: scheduler claim-budget drain, helm chart hardening, mothership md polish

[TheodoreSpeaks]

• improvement(helm): helm chart updates with security, ESO, and docs overhaul (improvement(helm): helm chart updates with security, ESO, and docs overhaul #4565)
• improvement(mothership): align markdown blockquote, img, em, del with design tokens (improvement(mothership): align markdown blockquote, img, em, del with design tokens #4566)
• improvement(scheduler): raise per-tick claim budget to drain backlog (improvement(scheduler): raise per-tick claim budget to drain backlog #4567)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		May 12, 2026 8:07pm

[cursor]

PR Summary

Medium Risk
Medium risk because it significantly changes Helm chart templating for secrets/env precedence, network policies, and workload specs, which can break or alter Kubernetes deployments if values are misconfigured. Scheduler claim-budget increase could also increase load by executing more due work per tick.

Overview
Raises the schedule executor claim budget (from 20/10 to 200/100) to drain larger backlogs faster.

Aligns markdown rendering across chat/file/note viewers by standardizing blockquote styling and adding support/styling for em, del, and images in workspace chat content.

Overhauls the helm/sim chart for safer production ops: bumps chart metadata/versioning, adds install/upgrade guidance and NOTES.txt, tightens secret validation (including ESO fail-fast coverage checks), switches cron jobs to source CRON_SECRET from the mounted Secret, and introduces more consistent PSS-restricted security contexts, topology spread hooks, network policy improvements (cron ingress, telemetry egress, configurable ingress peers, metadata IP block exceptions), plus headless Postgres services and updated example values/tests.

^{Reviewed by Cursor Bugbot for commit 05892f7. Bugbot is set up for automated code reviews on this repo. Configure here.}

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
32763747	Triggered	Generic Password	9d2dd8f	helm/sim/tests/validators_test.yaml	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[greptile-apps]

Greptile Summary

This release bundles three changes: a 10× increase to the scheduler's per-tick claim budget to drain backlogs faster; a Helm chart major-version overhaul (0.1.0 → 1.0.0) adding security hardening, External Secrets Operator improvements, and extensive documentation; and alignment of blockquote, em, del, and img markdown rendering across five UI surfaces to use consistent design tokens.

• Scheduler (route.ts): MAX_CRON_CLAIMS raised from 20 → 200; no logic changes beyond the budget constants.
• Helm chart v1.0.0: sim.image gains digest-pinning and Chart.AppVersion fallback; envDefaults introduced to separate operational tunables from secret-grade values; NetworkPolicy hardened with IMDS CIDR blocking; PostgreSQL StatefulSet given a proper headless governing service (immutable field — see inline comment); networkPolicy.egress schema changed from a flat list to an object (breaking for existing users with custom egress rules).
• Markdown rendering: blockquote, em, del, and img components added or restyled across four files to use var(--divider) / var(--text-primary) design tokens.

Confidence Score: 3/5

Safe for new installs and the app/scheduler changes; existing PostgreSQL deployments will fail to upgrade without manual StatefulSet deletion.

The PostgreSQL StatefulSet spec.serviceName change from the ClusterIP service to the new headless service is a technically correct fix, but Kubernetes treats that field as immutable after creation. Any operator running helm upgrade on an existing release will hit a hard API rejection and need to delete and recreate the StatefulSet. Additionally, the networkPolicy.egress schema shifted from a flat list to a nested object — users who previously enabled NetworkPolicy with custom egress rules will find those rules silently absent after the upgrade. Both issues are contained to the Helm chart and do not affect the application or scheduler logic, which are straightforward and low-risk.

helm/sim/templates/statefulset-postgresql.yaml (immutable serviceName change), helm/sim/values.yaml (networkPolicy.egress schema change)

Important Files Changed

Filename	Overview
apps/sim/app/api/schedules/execute/route.ts	Raises per-tick claim budget 10x (MAX_CRON_CLAIMS 20→200, RESERVED_WORKFLOW_CLAIMS 10→100) to drain schedule backlogs; logic and concurrency guards are unchanged.
apps/sim/app/chat/components/message/components/markdown-renderer.tsx	Blockquote styling updated to use CSS design-token variables; inconsistent with all other elements in this file which use concrete Tailwind palette classes with explicit dark-mode variants.
apps/sim/app/workspace/[workspaceId]/home/components/message-content/components/chat-content/chat-content.tsx	Adds blockquote, em, del, and img markdown components using design tokens; img includes a proper null-guard and lazy loading.
helm/sim/templates/statefulset-postgresql.yaml	Adds headless service as governing service; also adds automountServiceAccountToken, podManagementPolicy, and updateStrategy. The governing service rename is an immutable field change that will block helm upgrade on existing deployments.
helm/sim/templates/_helpers.tpl	Major refactor: sim.image supports digest pinning and Chart.AppVersion fallback; sim.securityContext renamed to sim.containerSecurityContext with secure defaults; INTERNAL_API_SECRET and CRON_SECRET validation checks added (correctly guarded by existingSecret/ESO); ESO coverage validation added.
helm/sim/templates/networkpolicy.yaml	Significant hardening: metadata-endpoint CIDR blocking (169.254.169.254/32), configurable ingressFrom peers, cron-pod-to-app ingress rule, telemetry egress, and OTEL ports; old flat egress list migrated to egress.extraRules.
helm/sim/templates/external-secret-app.yaml	Refactored from hardcoded 6-key allowlist to iterating externalSecrets.remoteRefs.app, supporting both string (legacy) and map (full remoteRef block) values; apiVersion default changed to v1beta1.
helm/sim/values.yaml	Large refactor separating env (secret-grade, Secret-bound) from envDefaults (operational tunables, inline env on container); image tag defaults to empty string (falls back to Chart.AppVersion); networkPolicy.egress schema changed from list to object — breaking for existing users with custom egress rules.
helm/sim/templates/services.yaml	Adds headless Service (*-postgresql-headless) for PostgreSQL StatefulSet with publishNotReadyAddresses=true; existing ClusterIP service unchanged.
helm/sim/templates/deployment-app.yaml	HPA-aware replica gate added; pod rollout triggered on config checksum; serviceAccount token auto-mount disabled; startupProbe and topology spread support added; env routing refactored for envDefaults vs existingSecret vs ESO modes.
helm/sim/templates/cronjobs.yaml	Auth token now sourced from a SecretKeyRef rather than a plain value; component-group label added for NetworkPolicy targeting; serviceAccount token auto-mount disabled; job TTL cleanup field added.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[helm upgrade] --> B{statefulset-postgresql spec.serviceName changed?}
    B -- existing install --> C[Forbidden: immutable field - helm upgrade fails]
    B -- fresh install --> D[StatefulSet created with headless governing service]
    E[app.env keys] --> F{secret mode?}
    F -- inline --> G[chart-managed Secret plus envDefaults inline env]
    F -- existingSecret --> H[user Secret plus app.env inline env]
    F -- ESO --> I[ExternalSecret syncs remoteRefs.app to Secret]
    J[networkPolicy.egress] --> K{key type}
    K -- list pre-1.0 --> L[Rules silently dropped - now expects egress.extraRules]
    K -- egress.extraRules --> M[Rules applied]

Loading

_{Reviews (1): Last reviewed commit: "improvement(scheduler): raise per-tick c..." | Re-trigger Greptile}

[greptile-apps]

Immutable StatefulSet field change breaks helm upgrade

spec.serviceName is an immutable field on a StatefulSet — Kubernetes only allows mutations to replicas, template, updateStrategy, persistentVolumeClaimRetentionPolicy, and minReadySeconds. Changing it from <release>-postgresql to <release>-postgresql-headless will cause helm upgrade to fail with a Forbidden: updates to statefulset spec for fields other than … error on any installation that already has the PostgreSQL StatefulSet. Operators would need to delete the StatefulSet (and re-attach the PVC) before the upgrade can proceed. Upgrade documentation or a pre-upgrade hook that deletes the old StatefulSet gracefully should be provided.

[greptile-apps]

Breaking schema change for networkPolicy.egress

The networkPolicy.egress key changed type from a plain list to a map with extraRules and exceptCidrs sub-keys. Any existing deployment that set networkPolicy.egress: [...] will have those rules silently dropped because the template now reads networkPolicy.egress.extraRules rather than networkPolicy.egress. Since networkPolicy defaults to enabled: false, only deployments that explicitly enabled it are affected, but those users will lose their custom egress rules without any error or warning.

[greptile-apps]

CSS variable mismatch with the rest of the file's styling

Every other element in COMPONENTS (paragraphs, headings, lists, tables, img, etc.) uses concrete Tailwind palette classes with explicit dark: variants (e.g. text-gray-700 dark:text-gray-300, border-gray-300 dark:border-gray-600). The updated blockquote is now the sole element using var(--divider) and var(--text-primary). In the rendering context of this component (the public chat / landing page, where the wrapper already uses var(--landing-text)), if --divider or --text-primary are not defined, the border and text color will fall through to the browser default rather than the intended dark-mode-aware value.

[greptile-apps]

The default ESO apiVersion was changed from "v1" to "v1beta1". Existing installations that relied on the previous default (and are running ESO ≥ v0.17 where the v1 API is stable) will now render ExternalSecret resources at the v1beta1 API version on the next helm upgrade. While v1beta1 is functionally equivalent and this is a safe downgrade, the change is not surfaced to the user through a default-diff. Adding a note in NOTES.txt about this API version shift would reduce surprise.

Suggested change

	# ESO API version. Default "v1beta1" — supported by every ESO release from
	# v0.7+ (mid-2023) through current. Set to "v1" only when targeting ESO
	# v0.17+ clusters where the v1 API has graduated.
	apiVersion: "v1beta1"
	# ESO API version. Use "v1beta1" for broad compatibility (ESO v0.7+).
	# Set to "v1" when targeting ESO >= v0.17 clusters where the v1 API has graduated.
	apiVersion: "v1beta1"