[chore] Update deployment artifacts (docker-compose/, kubernetes/, etc) #4416

Merged
junaway merged 44 commits into release/v0.100.3 from chore/update-deployment-artifacts
May 26, 2026

@junaway junaway commented May 25, 2026

Deployment artifacts refresh for v0.100.3 (helm + compose + env)

Why this PR exists

The deployment artifacts (Helm chart, docker-compose, env files) had drifted from the actual application config surface defined in api/oss/src/utils/env.py. The drift made every self-host upgrade harder than it should be: variable names didn't match between the three surfaces, several knobs existed in env.py but not in the chart, the chart used Kubernetes-flavored groupings (secrets.*, accessControl.*, email.*) that an Agenta operator had no prior context for, and the example values files contained stale and partially-empty placeholders. This PR resolves that drift in one pass, lands a self-contained chart at hosting/kubernetes/helm/, and ships a written migration path from pre-v0.100.3 deployments.

Non-breaking by construction

Every renamed environment variable retains its legacy name as a fallback in api/oss/src/utils/env.py. The Pydantic loader reads the new name first, falls back to the old, so existing deployments keep working without setting anything new. Helm values.yaml key reshape is a breaking change for users upgrading the chart (no way to alias YAML paths), and that's exactly what the migration guide at docs/docs/self-host/upgrades/v0.100.3-migration.mdx walks through, with a step-by-step rewrite procedure that's been QA'd end-to-end on a live cluster (see docs/design/kubernetes-oss-ee-self-hosting/qa-plan.md). The QA exercised: install from v0.100.1 → snapshot values → git checkout to this branch → translate values → helm upgrade → verify pods, PVCs, alembic, ingress, and the new defaultPlanOverlay knob all survived; no data loss, same auth keys, same crypt key, same Postgres password.

1. Canonical config mapping (hosting/kubernetes/CONFIG_MAPPING.md)

The whole refactor hangs off a single source of truth: a three-column table mapping every environment variable to its env.py attribute path and its values.yaml path, with legacy names struck through where they were renamed. Naming rule: AGENTA_<GROUP>_<FIELD> → env.<group>.<field> → <group>.<field> (helm). Exceptions for identity.* (no AGENTA_ prefix because they're OIDC provider names like GOOGLE_*) and llm.* (same reason). This file is referenced from every doc that touches deployment config and is intended to stay as the canonical mapping going forward.

2. api/oss/src/utils/env.py reshape (with legacy aliases)

env.py is regrouped to match CONFIG_MAPPING.md: top-level sections agenta.{access,aiServices,api,billing,extras,logging,otlp,services,webhooks}, plus alembic, cloudflare.turnstile, identity.<provider>, llm, postgres, redis, sendgrid, stripe, supertokens, newrelic, etc. Every renamed field reads os.getenv("NEW") or os.getenv("LEGACY") so old env vars still resolve. Major renames (full list in CONFIG_MAPPING.md deprecation table): AGENTA_ALLOWED_DOMAINS → AGENTA_ACCESS_ALLOWED_DOMAINS, AGENTA_DEMOS → AGENTA_EXTRAS_DEMOS, AGENTA_LOG_* → AGENTA_LOGGING_*, AGENTA_CACHE_ENABLED → AGENTA_API_CACHING_ENABLED, AGENTA_WEBHOOK_ALLOW_INSECURE → AGENTA_WEBHOOKS_ALLOW_INSECURE (API side) / AGENTA_SERVICES_HOOK_ALLOW_INSECURE (SDK side), SUPERTOKENS_CONNECTION_URI → SUPERTOKENS_URI_CORE, SUPERTOKENS_EMAIL_DISABLED → AGENTA_ACCESS_EMAIL_DISABLED, POSTHOG_HOST → POSTHOG_API_URL, STRIPE_TARGET → STRIPE_WEBHOOK_TARGET, NEW_RELIC_LICENSE_KEY → NEWRELIC_LICENSE_KEY, ACTIVE_DIRECTORY_OAUTH_* → AZURE_AD_OAUTH_*. Removed (was unused): AGENTA_RUNTIME_PREFIX. All API/EE/SDK consumers updated to the new attribute paths.

3. Helm chart relocation: hosting/helm/agenta-oss/ → hosting/kubernetes/helm/

The chart is now self-contained at hosting/kubernetes/helm/ (publishable as-is to a Helm repo), with edition-specific example values living outside the chart at hosting/kubernetes/{oss,ee}/values.{oss,ee}.example.yaml. Chart name is agenta (the previous agenta-oss was misleading since the same chart deploys EE); rendered resource names follow the standard <release>-agenta-* pattern. The chart's own values.yaml mirrors only the docker-compose env surface (the irreducible set of values an operator must provide); everything else — image repositories, ports, replicas, resource requests, ingress wiring, postgresql/redis subchart knobs — is supplied by templates and helpers via default fallbacks. This makes the chart lint cleanly standalone and means the example files don't have to repeat platform plumbing.

4. Helm chart key reshape (values.yaml keys regrouped by domain)

Where pre-v0.100.3 used Kubernetes-flavored groupings (global.* for license + URLs, secrets.* for everything secret-shaped, accessControl.*, email.*, integrations.*, observability.*, captcha.*), v0.100.3 groups by domain: agenta.{license,webUrl,apiUrl,servicesUrl,authKey,cryptKey}, agenta.access.*, identity.<provider>.*, llm.*, postgres.*, sendgrid.*, composio.*, newrelic.*, cloudflare.turnstile.*. An operator who knows the env vars now recognizes the yaml on sight (the three surfaces encode the same nesting). The migration guide has the full reshape table; the canonical mapping is in CONFIG_MAPPING.md. A compat layer in _compat.tpl accepts the pre-v0.100.3 shape (legacy global.*, secrets.*, accessControl.*, email.*, integrations.*, observability.*, captcha.*) and folds it into the canonical positions at render time — operators can upgrade with helm upgrade -f pre-v0.100.3-values.yaml and only rewrite their values file when convenient. The fold uses hasKey (not truthy if), so an explicit false/""/0 from a legacy values file is preserved instead of being silently dropped to the canonical default — important for booleans like accessControl.emailDisabled: false. The compat layer is transitional and is planned for removal one minor release after v0.100.3; NOTES.txt flags every install where legacy keys are detected so it stays visible.

5. Helm templates: _helpers.tpl rewrite + per-template conventions

Templates were rewritten to use {{- $values := include "agenta.values" . | fromYaml -}} at the top, plus same-named per-group locals ($api, $web, $ingress, $newrelic, etc.) rooted in $values. This makes every template nil-safe and routes every read through the compat layer, so legacy keys translate uniformly whether they're consumed in helpers or directly in templates. agenta.values is the single permanent helper in _helpers.tpl; it delegates to agenta.deprecated in _compat.tpl. Removing the compat layer in the future means deleting one file and replacing the body of agenta.values with a single line — no consumer changes. _helpers.tpl consolidates env-var rendering: a single commonEnv helper inlines what used to be split across commonEnv + backendOptionalEnv. commonEnv covers every value documented in the example files — including agenta.access.emailDisabled (→ AGENTA_ACCESS_EMAIL_DISABLED), cloudflare.turnstile.allowedHostnames (→ CLOUDFLARE_TURNSTILE_ALLOWED_HOSTNAMES), and the SuperTokens password-policy knobs (supertokens.{application,tenant,passwordPolicy,passwordMinLength,passwordMaxLength,passwordRegex}) — so documented values never become dead config. Identity-provider env vars are similarly auto-derived from identity.<provider>.* and LLM keys from llm.<provider> so an operator setting identity.google.clientId or llm.openai gets the corresponding GOOGLE_OAUTH_CLIENT_ID / OPENAI_API_KEY env vars on api/web/services/workers without also writing into a raw secrets.* map. The redis-durable-statefulset.yaml template defaults persistence to true when redisDurable.persistence.enabled is unset, and honors an explicit false (QA caught the missing default — without it, the upgrade fails because volumeClaimTemplates is an immutable StatefulSet field, and v0.100.1 had persistence enabled by default; the explicit-false path uses hasKey so it can't be silently flipped back to true). 
The chart's values.yaml pins postgresql.primary.persistence.size: "10Gi" and postgresql.image.tag: "18" so the Bitnami subchart's defaults never float (the size pin was caught by QA; the image-tag pin keeps the chart aligned with the postgres:18 pin in Docker Compose — Postgres data directories are tied to the major version that created them). Ingress default is traefik (backends hardcode SCRIPT_NAME=/api|/services so the ingress class must strip prefixes; the example values ship the matching Traefik StripPrefix middleware under extraObjects). The chart-managed Secret template renders each conditional identity-provider key on its own line so emitted YAML keeps the required two-space indent under stringData: even when only some provider fields are set. _validations.tpl rejects the misconfiguration where secrets.existingSecret is set with bundled Postgres enabled but global.postgresql.auth.existingSecret is left at the chart default (detected by looking for the unrendered {{...}} tpl expression — Helm doesn't tpl-render values.yaml, the Bitnami subchart does at install time). values.schema.json enumerates every documented values key with leaf-level types and env-var pointers, so misspellings like agenta.bogusKey fail at helm install; Bitnami subchart and per-component overrides stay open.

6. Example values files (hosting/kubernetes/{oss,ee}/values.{oss,ee}.example.yaml)

Two example files, one per edition. License + endpoints + secrets uncommented (essentials operators must edit); everything else commented with sample values, no empty placeholders. Section order: License → Images → Endpoints → Secrets → rest alphabetical. The Traefik StripPrefix middleware setup discovered during QA is shown (commented out) under ingress.annotations + extraObjects so future readers find the pattern. Postgres PVC size and redis-durable persistence are also shown (commented) under their respective sections.

7. Docker-compose env files + compose files

hosting/docker-compose/{oss,ee}/env.{oss,ee}.{dev,gh}.example regenerated with the same canonical mapping: ordering License → Images (commented) → Endpoints → Secrets → rest alphabetical. Variable names match env.py and values.yaml exactly; defaults shown match what the code actually applies when the variable is unset (in particular AGENTA_SERVICES_HOOK_ALLOW_INSECURE and AGENTA_WEBHOOKS_ALLOW_INSECURE show true, matching the code default for backwards-compatibility with pre-v0.100.3 deployments — operators tightening these flip them to false explicitly). Legacy aliases are no longer carried inline in the env files; the full deprecation table lives in CONFIG_MAPPING.md and the migration guide. Compose files themselves bumped/pinned to current images (notably postgres:18, matching the new chart pin).

8. Run scripts

hosting/docker-compose/run.sh and a new hosting/kubernetes/run.sh share a near-identical CLI surface (--oss/--ee, --nuke, --wait, --env/--values, etc.) so an operator can switch between compose and helm without relearning flags. Helm's run.sh wraps the common helm upgrade --install invocation against the new chart paths. On re-install, the script inspects the existing release's agenta.license and refuses an OSS↔EE flip; without that check, --reuse-values + --set agenta.license=$LICENSE would silently swap the edition.

9. Migration guide (docs/docs/self-host/upgrades/v0.100.3-migration.mdx)

New page. Three reshape tables (chart folder relocation, values.yaml key reshape, env-var renames with legacy aliases), seven-step migration procedure with concrete commands including helm get values snapshot and a kubectl-only fallback for unwrapping the release Secret when helm isn't available. Includes a worked example for translating accessControl.plans → agenta.access.plans, OAuth secrets.oauth.* → identity.<provider>.*, and llmProviders.* → llm.*. Calls out the new agenta.access.defaultPlanOverlay v0.100.3 feature with a usage snippet (live-verified during QA: round-trips YAML → ConfigMap → pod env intact). The "Verify" step uses the actual resource names the chart emits (job/<release>-agenta-alembic, ingress-based curl) and warns about the expected Alembic Job retry pattern during the Postgres StatefulSet roll.

10. Install + upgrade guides (docs/docs/self-host/guides/03-deploy-to-kubernetes.mdx, docs/docs/self-host/03-upgrading.mdx)

Install guide updated to v0.100.3 values paths (agenta.authKey, postgres.password, agenta.webUrl, sendgrid.{apiKey,fromAddress}, etc.) and gains an explicit ingress prerequisite plus a local-testing Traefik recipe (Traefik v3 + /etc/hosts + port-forward) — without it, new operators following the Quick Start with EE values discover the hard way that a single port-forward can't satisfy path-based routing. openssl rand snippet added for the EE path (the OSS path had one, EE didn't). The existing-Secret path documents the required pairing: when secrets.existingSecret is set with bundled Postgres enabled, global.postgresql.auth.existingSecret must point at the same Secret (the chart now fails the install with a clear error otherwise). NOTES.txt lists every optional key the chart consumes from a pre-created Secret (LLM providers, identity providers, sendgrid, composio, daytona, newrelic, …) so operators don't have to read templates to know what to put in it. Upgrade page links to the v0.100.3 migration callout.

11. Configuration reference (docs/docs/self-host/02-configuration.mdx)

Rewritten as per-section three-column tables (env var | env.py path | values.yaml path) matching CONFIG_MAPPING.md. Deprecated variables collected in a single table at the bottom with their canonical replacements. Replaces the previous mix of prose + inconsistent partial tables.

12. CI/release workflows

.github/workflows/01-create-release-branch.yml also bumps the Helm chart version when cutting a release branch (Helm chart version and appVersion now stay in lockstep with API/SDK/web versions). The standalone application-side .github/workflows/09-helm-publish.yml is removed — Helm publishing moves to the platform-side 41-release-to-public.yml chain so it runs off the same release branch as PyPI and GHCR publishes. (Platform-side workflow change lives in the platform repo.)

13. Cleanups (dead code, generated artifacts)

hosting/old/{aws,gcp}/ Terraform left over from an abandoned cloud-hosting attempt is removed (verified unreferenced). hosting/docker-compose/tmp/*.override.yml left over from local debugging is removed. sdks/typescript/.gitkeep removed (the directory has real content now). The old hosting/helm/agenta-oss/ chart directory is removed; the new chart lives at hosting/kubernetes/helm/.

14. SDK runtime hooks (sdks/python/agenta/sdk/engines/running/handlers.py)

The SDK reads AGENTA_SERVICES_HOOK_ALLOW_INSECURE first, falling back to AGENTA_WEBHOOK_ALLOW_INSECURE. The rename clarifies that this flag governs SDK-side workflow hooks (which talk to user code), not API-side webhooks (which the API delivers outward). Both names work; the legacy form is documented as deprecated. The middleware toggles (AGENTA_SERVICES_MIDDLEWARE_AUTH_ENABLED / _CACHING_ENABLED) similarly fall back to their pre-v0.100.3 names — which were singular AGENTA_SERVICE_MIDDLEWARE_{AUTH,CACHE}_ENABLED (the S was added in this PR's canonical shape, and the migration table records the singular form as the legacy alias).

15. Misc API touch-ups for the env reshape

api/ee/src/core/meters/types.py inlines AGENTA_METERS_NAMESPACE_UUID (previously env.agenta.uuid_namespace, a static computed value — moving it to a module constant removes a config knob that operators couldn't meaningfully set). EE controls test (test_controls_env_override.py) updated for the new AGENTA_ACCESS_* env-var names. Supertokens config reads SUPERTOKENS_URI_CORE with SUPERTOKENS_CONNECTION_URI fallback, and the chart emits the canonical name across every container (api, services, workers, web) — the web container's entrypoint.sh back-fills the legacy SUPERTOKENS_CONNECTION_URI from the canonical name so older web images still pick it up without the chart needing to ship both. Auth/turnstile/webhooks/caching/logging modules updated to read from the new env.agenta.* attribute paths via the shared env object (per AGENTS.md's no-raw-os.getenv rule).

QA evidence

docs/design/kubernetes-oss-ee-self-hosting/qa-plan.md captures the live cluster QA: install pre-v0.100.3 (v0.100.1 EE tag) → create data → snapshot values → checkout this branch → translate values → helm upgrade → verify. Caught (and fixed in this PR) two chart regressions: missing postgres PVC size pin and missing redis-durable persistence default. Plus six doc-gaps in the migration guide and install guide (wrong Job/Service names, missing ingress prerequisite, stale values paths) — all listed at the bottom of qa-plan.md with FIXED/NOT-FIXED status and file paths.

Risk assessment

  • App config drift (env.py legacy aliases): low. Pydantic loader prefers new names, falls back to old. Existing deployments work without touching anything.
  • Helm values YAML reshape: low. The compat layer in _compat.tpl accepts pre-v0.100.3 keys (global.*, secrets.*, accessControl.*, email.*, integrations.*, observability.*, captcha.*) and folds them into the canonical v0.100.3 positions at render time, so existing values files keep working through the upgrade. The migration guide documents both paths: reuse the legacy file as-is (recommended fast path), or rewrite into the canonical shape (slower but produces a long-term-clean file). Compat layer is transitional and planned for removal one minor release after v0.100.3.
  • Chart resource naming: changed because the chart was renamed (agenta-oss → agenta). Rendered names follow Helm's standard fullname collapse: when the release name is agenta (the default helm install agenta …), resources render as agenta-api, agenta-alembic, etc.; otherwise they render as <release>-agenta-api. Pre-v0.100.3 installs used the old chart name and therefore had <release>-agenta-oss-* Services/Jobs — Service DNS hostnames and Job names change on upgrade. PVCs follow the subchart and StatefulSet names (<release>-postgresql-0, data-<release>-agenta-redis-durable-0), so data survives, but any external references (Job-name greps in operator scripts, in-cluster DNS pointing at <release>-agenta-oss-api) need a one-time rename. The migration guide covers this.
  • PVC preservation across upgrade: validated live (10Gi postgres + 5Gi redis-durable PVCs survive helm upgrade from v0.100.1 to v0.100.3 with the fixes in this PR).
  • Image tag bump only changes binaries: separate from the chart/values changes. The migration guide tells operators to bump tags as part of the values translation; they can also bump tags without the values reshape if they pin to a v0.100.x ≥ .2 release that includes both.

What's in scope vs out

  • In scope: env config canonicalization, helm chart relocation + reshape, docker-compose env files, migration guide, install/upgrade docs, run scripts, removal of unused legacy code under hosting/old/.
  • Out of scope (not in this PR): the platform-side 41-release-to-public.yml workflow change that adds Helm publishing — lives in the platform repo. Templated service deployments (chart only provisions the services gateway, not the per-template service deployments) — same as v0.100.1 behavior, not introduced or changed here.
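
The description above says the compat fold uses hasKey rather than a truthy `if`, and that canonical env vars fall back to legacy aliases. The sketch below is an added example, not code from this PR or from the Agenta repository: it models both behaviours in Python so the difference can be tested. The key and variable names are taken from the description; the default for `agenta.access.emailDisabled`, the rule that a canonical key wins when both shapes are present, and all helper names are assumptions made for the demo.

```python
"""Legacy-to-canonical config fallback: truthy fold vs presence-aware fold."""
import copy

_MISSING = object()

# Key and variable names come from the PR description; everything else is constructed.
VALUES_RENAMES = {  # legacy values.yaml path -> canonical path
    ("accessControl", "emailDisabled"): ("agenta", "access", "emailDisabled"),
    ("accessControl", "plans"): ("agenta", "access", "plans"),
}
ENV_RENAMES = {  # canonical env var -> legacy alias
    "AGENTA_WEBHOOKS_ALLOW_INSECURE": "AGENTA_WEBHOOK_ALLOW_INSECURE",
    "SUPERTOKENS_URI_CORE": "SUPERTOKENS_CONNECTION_URI",
}
# Constructed default for the demo; the chart's real default is not shown on the page.
DEMO_DEFAULTS = {("agenta", "access", "emailDisabled"): True}


def _get(tree, path):
    """Walk a nested dict; return _MISSING when any key on the path is absent."""
    node = tree
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def _set(tree, path, value):
    """Create intermediate dicts as needed and assign the leaf."""
    node = tree
    for key in path[:-1]:
        node = node.setdefault(key, {})
    node[path[-1]] = value


def fold_legacy(values, renames, presence_aware=True):
    """Copy legacy keys into canonical positions.

    presence_aware=True models hasKey: false, "" and 0 are carried over.
    presence_aware=False models a truthy `if`: falsy values are dropped.
    Assumption: a canonical key already present wins over its legacy alias.
    """
    out = copy.deepcopy(values)
    for legacy, canonical in renames.items():
        legacy_value = _get(values, legacy)
        if legacy_value is _MISSING:
            continue
        if not presence_aware and not legacy_value:
            continue
        if _get(values, canonical) is _MISSING:
            _set(out, canonical, legacy_value)
    return out


def render(values, defaults, presence_aware=True):
    """Effective canonical settings after the fold, with defaults filled in."""
    folded = fold_legacy(values, VALUES_RENAMES, presence_aware)
    effective = {}
    for path, default in defaults.items():
        found = _get(folded, path)
        effective[".".join(path)] = default if found is _MISSING else found
    return effective


def audit_env(environ, renames=ENV_RENAMES):
    """Report which name supplies each renamed variable and flag disagreements.

    A variable counts as set when the name is present, even if its value is
    empty. A conflict means both names are set to different values, so the
    legacy one is silently shadowed by the canonical one.
    """
    report = {}
    for canonical, legacy in renames.items():
        if canonical in environ:
            source = canonical
        elif legacy in environ:
            source = legacy
        else:
            continue
        both = canonical in environ and legacy in environ
        report[canonical] = {
            "value": environ[source],
            "source": source,
            "conflict": both and environ[canonical] != environ[legacy],
        }
    return report


if __name__ == "__main__":
    legacy_values = {"accessControl": {"emailDisabled": False}}  # constructed
    print("hasKey fold:", render(legacy_values, DEMO_DEFAULTS, presence_aware=True))
    print("truthy fold:", render(legacy_values, DEMO_DEFAULTS, presence_aware=False))
    sample_env = {  # constructed
        "AGENTA_WEBHOOKS_ALLOW_INSECURE": "false",
        "AGENTA_WEBHOOK_ALLOW_INSECURE": "true",
        "SUPERTOKENS_CONNECTION_URI": "http://supertokens:3567",
    }
    for name, entry in audit_env(sample_env).items():
        print(name, entry)
```

Running an audit like `audit_env` over a deployment's environment before upgrading shows where a stale legacy value such as `AGENTA_WEBHOOK_ALLOW_INSECURE=true` would be shadowed by the canonical name, or would still take effect because the canonical name was never set.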

Copilot AI review requested due to automatic review settings May 25, 2026 15:20

@dosubot dosubot Bot added the size:XXL This PR changes 1000+ lines, ignoring generated files. label May 25, 2026

coderabbitai Bot commented May 25, 2026

Walkthrough

Relocates and rewrites the Helm chart under hosting/kubernetes/helm with compatibility/validation helpers, refactors env.py and consumers to a canonical schema, updates SDKs and web entrypoint, adjusts CI release workflow, refreshes compose/env templates, extensively updates docs, and removes legacy Helm/Terraform assets.

Changes

Unified Helm chart and environment model

Layer: Helm chart relocation, helpers, validators, and templates
File(s): hosting/kubernetes/helm/..., hosting/kubernetes/ee/*, hosting/kubernetes/oss/*, hosting/kubernetes/run.sh
Summary: New chart under hosting/kubernetes/helm with compatibility and validation helpers; rewritten templates for all components; example values for OSS/EE; install/upgrade script added.

Layer: Environment model refactor and wiring
File(s): api/oss/src/utils/env.py, api/* auth/migrations/meters/subscriptions/commoners, api/oss/src/utils/caching.py, api/oss/src/utils/logging.py, api/oss/src/core/webhooks/utils.py
Summary: Introduces nested env schema and updates modules to new env paths; adjusts caching/logging/otlp/turnstile/auth helpers and meters namespace.

Layer: SDKs and web entrypoint
File(s): sdks/python/agenta/sdk/**/*, web/entrypoint.sh
Summary: SDK webhooks/security and runner env names updated with fallbacks; web entrypoint normalizes SuperTokens URI vars.

Layer: CI, compose, removals, and docs
File(s): .github/workflows/*, hosting/docker-compose/**/*, hosting/helm/agenta-oss/* (removed), hosting/old/**/* (removed), docs/**/*
Summary: Release workflow bumps Helm version; compose images/env templates refreshed; old Helm/Terraform removed; docs updated with migration, configuration, and Kubernetes guide changes.

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

  • Agenta-AI/agenta#4300 — Both PRs modify the release-branch workflow and version comparison/output details including Helm-related entries.

@dosubot dosubot Bot added devops documentation Improvements or additions to documentation labels May 25, 2026

Copilot AI left a comment

Pull request overview

This PR refreshes self-hosting deployment artifacts by relocating and reworking the Kubernetes Helm chart layout, aligning configuration/env-var surfaces across Docker Compose + Helm, and updating docs/tests to match the new configuration model.

Changes:

  • Introduces the new hosting/kubernetes/helm/ chart layout (with OSS/EE example values and a hosting/kubernetes/run.sh helper), and removes the legacy hosting/helm/agenta-oss/ chart and old cloud Terraform artifacts.
  • Updates Docker Compose env examples, compose files, and run scripts to reflect the reshaped canonical env-var model (including deprecation/fallback notes).
  • Updates API/SDK code and documentation to use the reshaped env config tree (env.agenta.*, env.identity.*, etc.), plus adds a v0.100.2 migration guide.

Reviewed changes

Copilot reviewed 100 out of 106 changed files in this pull request and generated 5 comments.

File Description
sdks/typescript/.gitkeep Keeps the TypeScript SDK folder tracked in git.
sdks/python/oss/tests/pytest/utils/test_hook_v0.py Updates hook_v0 tests to patch the renamed allow-insecure flag.
sdks/python/agenta/sdk/engines/running/handlers.py Renames allow-insecure flag and adds env var fallback for hook/webhook URL validation.
hosting/old/gcp/main.tf Removes legacy GCP Terraform provider boilerplate.
hosting/old/gcp/credentials.json Removes legacy GCP credentials artifact.
hosting/old/gcp/agenta-instance.tf Removes legacy GCP compute instance Terraform config.
hosting/old/aws/main.tf Removes legacy AWS provider Terraform config.
hosting/old/aws/instance-setup.sh Removes legacy AWS instance bootstrap script.
hosting/old/aws/agenta_instance.tf Removes legacy AWS instance Terraform config.
hosting/old/aws/agenta_instance_sg.tf Removes legacy AWS security group Terraform config.
hosting/kubernetes/run.sh Adds a Helm install/upgrade helper for OSS/EE with optional wait/dry-run/nuke flows.
hosting/kubernetes/oss/values.oss.example.yaml Adds an OSS example values file for the new chart layout.
hosting/kubernetes/ee/values.ee.example.yaml Adds an EE example values file for the new chart layout.
hosting/kubernetes/helm/values.yaml Adds a minimal default values surface intended to mirror compose env defaults.
hosting/kubernetes/helm/values.schema.json Adds a JSON schema for validating the minimal values surface.
hosting/kubernetes/helm/templates/api-deployment.yaml Refactors API deployment to use helper-based defaults/safe accessors.
hosting/kubernetes/helm/templates/api-service.yaml Switches API service condition/ports to helper includes.
hosting/kubernetes/helm/templates/services-deployment.yaml Refactors services deployment to use helper-based defaults/safe accessors.
hosting/kubernetes/helm/templates/services-service.yaml Switches services service condition/ports to helper includes.
hosting/kubernetes/helm/templates/web-deployment.yaml Refactors web deployment to use helper-based defaults/safe accessors and new agenta URL values.
hosting/kubernetes/helm/templates/web-service.yaml Switches web service condition/ports to helper includes.
hosting/kubernetes/helm/templates/worker-evaluations-deployment.yaml Refactors worker deployment to use helper-based defaults/safe accessors.
hosting/kubernetes/helm/templates/worker-tracing-deployment.yaml Refactors worker deployment to use helper-based defaults/safe accessors.
hosting/kubernetes/helm/templates/worker-webhooks-deployment.yaml Refactors worker deployment to use helper-based defaults/safe accessors.
hosting/kubernetes/helm/templates/worker-events-deployment.yaml Refactors worker deployment to use helper-based defaults/safe accessors.
hosting/kubernetes/helm/templates/cron-deployment.yaml Refactors cron deployment to use helper-based defaults/safe accessors.
hosting/kubernetes/helm/templates/alembic-job.yaml Refactors Alembic job to use helper-based defaults/safe accessors.
hosting/kubernetes/helm/templates/secrets.yaml Adds chart-managed Secret rendering from the new values model.
hosting/kubernetes/helm/templates/serviceaccount.yaml Refactors ServiceAccount rendering to use safe accessors.
hosting/kubernetes/helm/templates/ingress.yaml Adds a first-class Ingress template using helper-defined settings.
hosting/kubernetes/helm/templates/extra-objects.yaml Adds support for rendering arbitrary extra Kubernetes objects.
hosting/kubernetes/helm/templates/tests/test-connection.yaml Refactors helm test pod to use helper-enabled checks and helper-based ports.
hosting/kubernetes/helm/templates/supertokens-deployment.yaml Refactors SuperTokens deployment to use helper-based defaults/safe accessors.
hosting/kubernetes/helm/templates/supertokens-service.yaml Switches SuperTokens service condition/ports to helper includes.
hosting/kubernetes/helm/templates/redis-volatile-deployment.yaml Refactors redis-volatile deployment to use helper-based defaults/safe accessors.
hosting/kubernetes/helm/templates/redis-volatile-service.yaml Switches redis-volatile service condition/ports to helper includes.
hosting/kubernetes/helm/templates/redis-durable-statefulset.yaml Refactors redis-durable statefulset to use helper-based defaults/safe accessors.
hosting/kubernetes/helm/templates/redis-durable-service.yaml Switches redis-durable service condition/ports to helper includes.
hosting/kubernetes/helm/templates/postgresql-initdb-configmap.yaml Keeps initdb ConfigMap gated by helper-based postgresql enabled flag.
hosting/kubernetes/helm/templates/postgresql-auth-secret.yaml Refactors PostgreSQL auth Secret generation to use new postgres.password value.
hosting/kubernetes/helm/templates/_validations.tpl Updates validation logic around Bitnami auth secret wiring guidance.
hosting/kubernetes/helm/templates/NOTES.txt Updates installation notes to match new values layout and helper-based ports/enabled flags.
hosting/kubernetes/helm/Chart.yaml Bumps chart/appVersion and adds chart icon + Bitnami PostgreSQL dependency.
hosting/kubernetes/helm/Chart.lock Adds a lockfile pinning Bitnami PostgreSQL dependency.
hosting/helm/agenta-oss/values.yaml Removes the legacy chart default values file (chart relocation).
hosting/helm/agenta-oss/values.schema.json Removes the legacy chart schema (chart relocation).
hosting/helm/agenta-oss/values-oss.example.yaml Removes the legacy OSS example values file (chart relocation).
hosting/helm/agenta-oss/values-ee.example.yaml Removes the legacy EE example values file (chart relocation).
hosting/helm/agenta-oss/templates/secrets.yaml Removes legacy secrets template (moved to new chart).
hosting/helm/agenta-oss/templates/ingress.yaml Removes legacy ingress template (moved to new chart).
hosting/docker-compose/tmp/docker-compose.gh.local.override.yml Removes deprecated tmp compose override.
hosting/docker-compose/tmp/docker-compose.ee.gh.override.yml Removes deprecated tmp compose override.
hosting/docker-compose/run.sh Adjusts pull defaults and env-file flag parsing (adds --pull and -e/--env alias).
hosting/docker-compose/oss/env.oss.gh.example Reshapes/expands OSS GH env example to the canonical variable model + deprecations.
hosting/docker-compose/oss/env.oss.dev.example Reshapes/expands OSS dev env example to the canonical variable model + deprecations.
hosting/docker-compose/oss/docker-compose.otel.yml Pins the OTEL collector image tag.
hosting/docker-compose/oss/docker-compose.gh.yml Updates image pins (notably Postgres, nginx, SuperTokens).
hosting/docker-compose/oss/docker-compose.gh.ssl.yml Updates image pins (notably Postgres, SuperTokens).
hosting/docker-compose/oss/docker-compose.gh.local.yml Updates image pins (notably Postgres, nginx, SuperTokens).
hosting/docker-compose/oss/docker-compose.dev.yml Updates image pins (notably Postgres, SuperTokens).
hosting/docker-compose/ee/README.md Updates EE compose docs to match new pinned image versions.
hosting/docker-compose/ee/env.ee.gh.example Reshapes/expands EE GH env example to the canonical variable model + deprecations.
hosting/docker-compose/ee/env.ee.dev.example Reshapes/expands EE dev env example to the canonical variable model + deprecations.
hosting/docker-compose/ee/docker-compose.gh.yml Updates image pins (notably Postgres, SuperTokens).
hosting/docker-compose/ee/docker-compose.gh.local.yml Updates image pins (notably Postgres, SuperTokens, stripe-cli).
hosting/docker-compose/ee/docker-compose.dev.yml Updates image pins (notably Postgres, SuperTokens, stripe-cli).
docs/docs/self-host/upgrades/v0.100.2-migration.mdx Adds a dedicated migration guide for the Helm chart relocation + values reshape.
docs/docs/self-host/guides/03-deploy-to-kubernetes.mdx Updates k8s deploy docs to new checkout/layout and install commands (but needs follow-up corrections per comments).
docs/docs/self-host/guides/01-deploy-remotely.mdx Updates clone instructions to use sparse checkout for docker-compose.
docs/docs/self-host/guides/04-deploy-on-railway.mdx Updates clone instructions to use sparse checkout for hosting/railway.
docs/docs/self-host/01-quick-start.mdx Updates clone instructions to use sparse checkout for docker-compose.
docs/docs/self-host/03-upgrading.mdx Updates Helm upgrade path, adds PG 17→18 upgrade guidance, and links to the v0.100.2 one-time migration doc.
docs/docs/self-host/04-dynamic-access-controls.mdx Adds a compose-vs-k8s tip section (but Helm value paths need correction per comments).
docs/design/kubernetes-oss-ee-self-hosting/status.md Updates design doc references for the new helm layout/paths.
docs/design/kubernetes-oss-ee-self-hosting/research.md Updates design doc terminology/paths (kubernetes → helm chart).
docs/design/kubernetes-oss-ee-self-hosting/plan.md Updates design doc example filenames for the new values naming.
docs/design/kubernetes-oss-ee-self-hosting/context.md Updates design doc wording (kubernetes chart → helm chart) and end-state description.
api/oss/src/utils/logging.py Switches logging config reads to env.agenta.logging.*.
api/oss/src/utils/caching.py Switches caching feature flag reads to env.agenta.api.caching.enabled.
api/oss/src/core/webhooks/utils.py Adds canonical env var AGENTA_WEBHOOKS_ALLOW_INSECURE with legacy fallback.
api/oss/src/core/auth/turnstile.py Moves Turnstile config reads under env.cloudflare.turnstile.*.
api/oss/src/core/auth/supertokens/config.py Moves OAuth provider config reads under env.identity.*.
api/oss/src/core/auth/service.py Updates enabled-provider checks to env.identity.*.
api/oss/src/core/auth/helper.py Moves allowed/blocked domain/email config reads under env.agenta.access.*.
api/oss/src/core/ai_services/service.py Moves AI services config reads under env.agenta.ai_services.
api/oss/src/apis/fastapi/otlp/router.py Moves OTLP max batch size under env.agenta.otlp.max_batch_bytes.
api/oss/databases/postgres/migrations/core/utils.py Moves auto-migration flag under env.alembic.auto_migrations.
api/oss/databases/postgres/migrations/tracing/utils.py Moves auto-migration flag under env.alembic.auto_migrations.
api/ee/tests/pytest/unit/test_controls_env_override.py Updates env paths in subprocess snippets to the reshaped env model.
api/ee/tests/pytest/unit/test_compute_meter_id.py Updates meter namespace derivation documentation/test to the new fixed UUID derivation.
api/ee/src/services/commoners.py Updates org creation allowlist env path to env.agenta.access.allowed_owner_emails and updates docstring.
api/ee/src/core/subscriptions/types.py Updates default plan lookup to env.agenta.access.default_plan.
api/ee/src/core/subscriptions/settings.py Updates billing env access to env.agenta.billing.* and default plan env path.
api/ee/src/core/meters/types.py Changes meters namespace UUID derivation to be independent of env and removes env import.
api/ee/src/core/entitlements/controls.py Updates access control env reads to env.agenta.access.*.
api/ee/databases/postgres/migrations/core/utils.py Moves auto-migration flag under env.alembic.auto_migrations.
api/ee/databases/postgres/migrations/tracing/utils.py Moves auto-migration flag under env.alembic.auto_migrations.
.gitignore Ignores local k8s .values.*.yaml overlays while keeping values.*.example.yaml tracked.
.github/workflows/09-helm-publish.yml Removes legacy helm publish workflow targeting the old chart path.
.github/workflows/01-create-release-branch.yml Adds automated version bumping for the new hosting/kubernetes/helm/Chart.yaml.
Comments suppressed due to low confidence (2)

hosting/kubernetes/helm/templates/postgresql-initdb-configmap.yaml:5

  • This ConfigMap creates an init-db.sql, but the chart doesn’t set the Bitnami subchart value that makes Postgres actually execute it (e.g., postgresql.primary.initdb.scriptsConfigMap: <release>-postgresql-initdb). Without wiring, the bundled DB won’t auto-create the core/tracing/supertokens databases this script defines.

hosting/kubernetes/helm/templates/postgresql-auth-secret.yaml:5

  • This Secret is intended to provide POSTGRES_PASSWORD, but the chart doesn’t define defaults that wire the Bitnami PostgreSQL subchart to read its password from global.postgresql.auth.existingSecret / secretKeys.* (so the subchart will generate/use a different password). Add/restore those default values so bundled PostgreSQL and the application agree on the password key/name.


Comment thread hosting/kubernetes/helm/values.yaml
Comment thread docs/docs/self-host/guides/03-deploy-to-kubernetes.mdx Outdated
Comment thread docs/docs/self-host/guides/03-deploy-to-kubernetes.mdx
Comment thread docs/docs/self-host/04-dynamic-access-controls.mdx
Comment thread docs/docs/self-host/04-dynamic-access-controls.mdx Outdated
@github-actions

github-actions Bot commented May 25, 2026

Railway Preview Environment

Status Destroyed (PR converted to draft)

Updated at 2026-05-26T22:08:06.687Z

Copilot AI review requested due to automatic review settings May 25, 2026 15:38

Copilot AI left a comment


Pull request overview

Copilot reviewed 101 out of 107 changed files in this pull request and generated 10 comments.

Comment thread hosting/kubernetes/run.sh
Comment thread docs/docs/self-host/guides/03-deploy-to-kubernetes.mdx Outdated
Comment thread docs/docs/self-host/04-dynamic-access-controls.mdx Outdated
Comment thread hosting/kubernetes/helm/templates/secrets.yaml
Comment thread hosting/kubernetes/oss/values.oss.example.yaml
Comment thread hosting/kubernetes/oss/values.oss.example.yaml
Comment thread hosting/kubernetes/ee/values.ee.example.yaml
Comment thread hosting/kubernetes/ee/values.ee.example.yaml
Comment thread docs/docs/self-host/upgrades/v0.100.3-migration.mdx
Comment thread .github/workflows/01-create-release-branch.yml
Copilot AI review requested due to automatic review settings May 25, 2026 22:45

Copilot AI left a comment


Pull request overview

Copilot reviewed 102 out of 108 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (1)

hosting/kubernetes/helm/Chart.yaml:6

  • Chart metadata is still set to version: 0.100.1 / appVersion: v0.100.1, but this PR and its migration docs are scoped to the v0.100.2 deployment-artifacts refresh. If this PR is intended to ship with v0.100.2, bump Chart.yaml accordingly so helm packaging, Chart.AppVersion, and the published chart version stay consistent with the release.

Comment thread hosting/kubernetes/run.sh
Comment thread hosting/kubernetes/helm/templates/secrets.yaml
Comment thread hosting/kubernetes/oss/values.oss.example.yaml
Comment thread hosting/kubernetes/ee/values.ee.example.yaml
Comment thread docs/docs/self-host/04-dynamic-access-controls.mdx Outdated
Comment thread docs/docs/self-host/03-upgrading.mdx

Copilot AI left a comment


Pull request overview

Copilot reviewed 113 out of 119 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

hosting/kubernetes/helm/templates/web-deployment.yaml:54

  • AGENTA_WEB_URL / AGENTA_SERVICES_URL / AGENTA_API_URL are populated from $agenta.{webUrl,servicesUrl,apiUrl} directly, but the chart’s documented/validated behavior is to derive these from ingress.host when ingress is enabled (see agenta.{web,api,services}UrlEffective + validatePublicUrls). With ingress enabled and these values unset (the expected default), this Deployment will inject empty URLs into the web container even though the install passes validation. Use the effective URL helpers (or reuse the same helper used by agenta.commonEnv) so the web pod always receives the derived URLs.

Comment thread hosting/kubernetes/helm/templates/serviceaccount.yaml
`default true $sa.create` treats an explicit false as unset and still
creates the ServiceAccount. Switch both serviceaccount.yaml and the
agenta.serviceAccountName helper to a hasKey check so the values
default to true only when the key is omitted — keeping the template
and helper in agreement so pods don't reference a SA name the chart
never created.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
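
The `default` versus `hasKey` behaviour described in the commit message above, modelled in Python as an added example (not the chart's own templates). `sprig_default` mirrors Sprig's emptiness rule; the helper layout follows the usual `helm create` scaffold and the `agenta` fullname is an assumption.

```python
# Added illustration: a Python model of Helm/Sprig template semantics.
# The helper layout and the "agenta" fullname are assumptions, not chart code.


def sprig_default(fallback, value):
    """Sprig `default`: None, False, 0, "", [] and {} all count as empty."""
    return fallback if not value else value


def create_via_default(sa):
    # Models: {{ default true $sa.create }}
    return sprig_default(True, sa.get("create"))


def create_via_haskey(sa):
    # Models: {{ if hasKey $sa "create" }}{{ $sa.create }}{{ else }}true{{ end }}
    return sa["create"] if "create" in sa else True


def service_account_name(sa, create, fullname):
    # Models the usual serviceAccountName helper: the chart-managed name when
    # the chart creates the account, otherwise the named (or "default") one.
    if create:
        return sa.get("name") or fullname
    return sa.get("name") or "default"


def render(values, template_create, helper_create, fullname="agenta"):
    """Report which ServiceAccount is created and which one pods reference."""
    sa = values.get("serviceAccount", {})
    helper_says_create = bool(helper_create(sa))
    pods_use = service_account_name(sa, helper_says_create, fullname)
    template_creates = bool(template_create(sa))
    return {
        "created": pods_use if template_creates else None,
        "pods_use": pods_use,
        # Helper assumes a chart-managed account that the template never emitted.
        "dangling": helper_says_create and not template_creates,
    }


if __name__ == "__main__":
    opt_out = {"serviceAccount": {"create": False}}  # constructed values overlay
    print("both default:", render(opt_out, create_via_default, create_via_default))
    print("template only fixed:", render(opt_out, create_via_haskey, create_via_default))
    print("both hasKey:", render(opt_out, create_via_haskey, create_via_haskey))
    print("key omitted:", render({}, create_via_haskey, create_via_haskey))
```

Fixing only the template leaves pods pointing at an account nothing created, which is why the commit changes the template and the helper together.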
@jp-agenta

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 26, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 20



📥 Commits

Reviewing files that changed from the base of the PR and between 4adb7bd and 6b021b3.

⛔ Files ignored due to path filters (1)
  • hosting/kubernetes/helm/Chart.lock is excluded by !**/*.lock
📒 Files selected for processing (118)
  • .github/workflows/01-create-release-branch.yml
  • .github/workflows/09-helm-publish.yml
  • .gitignore
  • api/ee/databases/postgres/migrations/core/utils.py
  • api/ee/databases/postgres/migrations/tracing/utils.py
  • api/ee/src/core/entitlements/controls.py
  • api/ee/src/core/meters/types.py
  • api/ee/src/core/subscriptions/settings.py
  • api/ee/src/core/subscriptions/types.py
  • api/ee/src/services/commoners.py
  • api/ee/tests/pytest/unit/test_compute_meter_id.py
  • api/ee/tests/pytest/unit/test_controls_env_override.py
  • api/oss/databases/postgres/migrations/core/utils.py
  • api/oss/databases/postgres/migrations/tracing/utils.py
  • api/oss/src/apis/fastapi/otlp/router.py
  • api/oss/src/core/ai_services/service.py
  • api/oss/src/core/auth/helper.py
  • api/oss/src/core/auth/service.py
  • api/oss/src/core/auth/supertokens/config.py
  • api/oss/src/core/auth/turnstile.py
  • api/oss/src/core/webhooks/utils.py
  • api/oss/src/utils/caching.py
  • api/oss/src/utils/env.py
  • api/oss/src/utils/logging.py
  • api/oss/tests/pytest/acceptance/test_revision_commit_extra_forbid.py
  • docs/design/kubernetes-oss-ee-self-hosting/context.md
  • docs/design/kubernetes-oss-ee-self-hosting/plan.md
  • docs/design/kubernetes-oss-ee-self-hosting/pr-description.md
  • docs/design/kubernetes-oss-ee-self-hosting/qa-plan.md
  • docs/design/kubernetes-oss-ee-self-hosting/research.md
  • docs/design/kubernetes-oss-ee-self-hosting/status.md
  • docs/docs/self-host/01-quick-start.mdx
  • docs/docs/self-host/02-configuration.mdx
  • docs/docs/self-host/03-upgrading.mdx
  • docs/docs/self-host/04-dynamic-access-controls.mdx
  • docs/docs/self-host/guides/01-deploy-remotely.mdx
  • docs/docs/self-host/guides/03-deploy-to-kubernetes.mdx
  • docs/docs/self-host/guides/04-deploy-on-railway.mdx
  • docs/docs/self-host/upgrades/v0.100.2-migration.mdx
  • hosting/docker-compose/ee/README.md
  • hosting/docker-compose/ee/docker-compose.dev.yml
  • hosting/docker-compose/ee/docker-compose.gh.local.yml
  • hosting/docker-compose/ee/docker-compose.gh.yml
  • hosting/docker-compose/ee/env.ee.dev.example
  • hosting/docker-compose/ee/env.ee.gh.example
  • hosting/docker-compose/oss/docker-compose.dev.yml
  • hosting/docker-compose/oss/docker-compose.gh.local.yml
  • hosting/docker-compose/oss/docker-compose.gh.ssl.yml
  • hosting/docker-compose/oss/docker-compose.gh.yml
  • hosting/docker-compose/oss/docker-compose.otel.yml
  • hosting/docker-compose/oss/env.oss.dev.example
  • hosting/docker-compose/oss/env.oss.gh.example
  • hosting/docker-compose/run.sh
  • hosting/docker-compose/tmp/docker-compose.ee.gh.override.yml
  • hosting/docker-compose/tmp/docker-compose.gh.local.override.yml
  • hosting/helm/agenta-oss/Chart.yaml
  • hosting/helm/agenta-oss/templates/NOTES.txt
  • hosting/helm/agenta-oss/templates/_helpers.tpl
  • hosting/helm/agenta-oss/templates/_validations.tpl
  • hosting/helm/agenta-oss/templates/ingress.yaml
  • hosting/helm/agenta-oss/templates/secrets.yaml
  • hosting/helm/agenta-oss/templates/serviceaccount.yaml
  • hosting/helm/agenta-oss/values-ee.example.yaml
  • hosting/helm/agenta-oss/values-oss.example.yaml
  • hosting/helm/agenta-oss/values.schema.json
  • hosting/helm/agenta-oss/values.yaml
  • hosting/kubernetes/ee/values.ee.example.yaml
  • hosting/kubernetes/helm/Chart.yaml
  • hosting/kubernetes/helm/charts/postgresql-18.5.1.tgz
  • hosting/kubernetes/helm/templates/NOTES.txt
  • hosting/kubernetes/helm/templates/_compatibility.tpl
  • hosting/kubernetes/helm/templates/_helpers.tpl
  • hosting/kubernetes/helm/templates/_validations.tpl
  • hosting/kubernetes/helm/templates/alembic-job.yaml
  • hosting/kubernetes/helm/templates/api-deployment.yaml
  • hosting/kubernetes/helm/templates/api-service.yaml
  • hosting/kubernetes/helm/templates/cron-deployment.yaml
  • hosting/kubernetes/helm/templates/extra-objects.yaml
  • hosting/kubernetes/helm/templates/ingress.yaml
  • hosting/kubernetes/helm/templates/postgresql-auth-secret.yaml
  • hosting/kubernetes/helm/templates/postgresql-initdb-configmap.yaml
  • hosting/kubernetes/helm/templates/redis-durable-service.yaml
  • hosting/kubernetes/helm/templates/redis-durable-statefulset.yaml
  • hosting/kubernetes/helm/templates/redis-volatile-deployment.yaml
  • hosting/kubernetes/helm/templates/redis-volatile-service.yaml
  • hosting/kubernetes/helm/templates/secrets.yaml
  • hosting/kubernetes/helm/templates/serviceaccount.yaml
  • hosting/kubernetes/helm/templates/services-deployment.yaml
  • hosting/kubernetes/helm/templates/services-service.yaml
  • hosting/kubernetes/helm/templates/supertokens-deployment.yaml
  • hosting/kubernetes/helm/templates/supertokens-service.yaml
  • hosting/kubernetes/helm/templates/tests/test-connection.yaml
  • hosting/kubernetes/helm/templates/web-deployment.yaml
  • hosting/kubernetes/helm/templates/web-service.yaml
  • hosting/kubernetes/helm/templates/worker-evaluations-deployment.yaml
  • hosting/kubernetes/helm/templates/worker-events-deployment.yaml
  • hosting/kubernetes/helm/templates/worker-tracing-deployment.yaml
  • hosting/kubernetes/helm/templates/worker-webhooks-deployment.yaml
  • hosting/kubernetes/helm/values.schema.json
  • hosting/kubernetes/helm/values.yaml
  • hosting/kubernetes/oss/values.oss.example.yaml
  • hosting/kubernetes/run.sh
  • hosting/old/aws/agenta_instance.tf
  • hosting/old/aws/agenta_instance_sg.tf
  • hosting/old/aws/instance-setup.sh
  • hosting/old/aws/main.tf
  • hosting/old/gcp/agenta-instance.tf
  • hosting/old/gcp/credentials.json
  • hosting/old/gcp/main.tf
  • sdks/python/agenta/sdk/engines/running/handlers.py
  • sdks/python/agenta/sdk/engines/running/runners/daytona.py
  • sdks/python/agenta/sdk/engines/running/runners/registry.py
  • sdks/python/agenta/sdk/engines/running/sandbox.py
  • sdks/python/agenta/sdk/middlewares/routing/auth.py
  • sdks/python/agenta/sdk/middlewares/running/vault.py
  • sdks/python/oss/tests/pytest/utils/test_hook_v0.py
  • sdks/typescript/.gitkeep
  • web/entrypoint.sh
💤 Files with no reviewable changes (20)
  • hosting/helm/agenta-oss/Chart.yaml
  • hosting/docker-compose/tmp/docker-compose.ee.gh.override.yml
  • hosting/helm/agenta-oss/templates/NOTES.txt
  • hosting/old/aws/instance-setup.sh
  • hosting/helm/agenta-oss/templates/_validations.tpl
  • hosting/helm/agenta-oss/templates/secrets.yaml
  • hosting/helm/agenta-oss/values-oss.example.yaml
  • hosting/old/gcp/main.tf
  • hosting/helm/agenta-oss/templates/_helpers.tpl
  • hosting/helm/agenta-oss/values.yaml
  • hosting/helm/agenta-oss/values.schema.json
  • hosting/old/aws/agenta_instance_sg.tf
  • hosting/helm/agenta-oss/values-ee.example.yaml
  • hosting/old/aws/agenta_instance.tf
  • hosting/old/aws/main.tf
  • .github/workflows/09-helm-publish.yml
  • hosting/docker-compose/tmp/docker-compose.gh.local.override.yml
  • hosting/helm/agenta-oss/templates/ingress.yaml
  • hosting/old/gcp/agenta-instance.tf
  • hosting/helm/agenta-oss/templates/serviceaccount.yaml

Comment thread api/oss/src/core/auth/helper.py
Comment thread api/oss/src/core/auth/supertokens/config.py Outdated
Comment thread api/oss/src/utils/env.py
Comment thread api/oss/src/utils/env.py
Comment thread docs/docs/self-host/guides/03-deploy-to-kubernetes.mdx Outdated
Comment thread hosting/kubernetes/helm/templates/redis-durable-statefulset.yaml Outdated
Comment thread hosting/kubernetes/helm/values.yaml
Comment thread hosting/kubernetes/oss/values.oss.example.yaml
Comment thread hosting/kubernetes/run.sh Outdated
Comment thread sdks/python/agenta/sdk/engines/running/handlers.py
Copilot AI review requested due to automatic review settings May 26, 2026 21:33

Copilot AI left a comment


Pull request overview

Copilot reviewed 113 out of 119 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

hosting/kubernetes/helm/templates/web-deployment.yaml:54

  • web-deployment.yaml sets AGENTA_{WEB,API,SERVICES}_URL from raw agenta.{webUrl,apiUrl,servicesUrl} values (defaulting to empty). This breaks the intended behavior where these URLs can be derived from ingress.host when ingress.enabled=true (and agenta.validatePublicUrls already validates the effective URLs). Use the existing helpers (agenta.webUrlEffective, agenta.apiUrlEffective, agenta.servicesUrlEffective) here so the web pod gets non-empty URLs whenever the chart’s effective URL logic is satisfied.

Comment thread hosting/kubernetes/run.sh Outdated
- helm: agenta.initContainers helper + per-deployment guard so an
  all-external config doesn't render an empty initContainers: list
  (api, services, workers x4).
- helm: ingress guards on api/services/web enablement so disabling
  all three doesn't emit an Ingress with an empty paths: list.
- helm: redis-durable storageClass uses hasKey so an explicit "" is
  honored (canonical "use cluster default StorageClass").
- supertokens config: replace `assert env.identity.*.X is not None`
  with explicit raise so checks survive `python -O`.
- run.sh: only append --wait/--timeout when not in --dry-run, since
  those flags aren't valid for `helm template`.
- sdk handlers: recognize the canonical AGENTA_WEBHOOKS_ALLOW_INSECURE
  alongside the legacy AGENTA_WEBHOOK_ALLOW_INSECURE.
- docker-compose: drop bogus :0 tag from otel-collector image
  (404 on Docker Hub); revert to unpinned.
- docker-compose: dev env examples default to agenta-{ee,oss}-dev
  COMPOSE_PROJECT_NAME so the dev stack doesn't share the gh
  namespace and collide on networks/volumes.
- docs: deploy-to-kubernetes troubleshooting bullet says "Public URLs
  incorrect" (the keys listed are webUrl/apiUrl/servicesUrl, not DB).
- docs: v0.100.2 migration Path A says `helm upgrade` will print the
  compat NOTE (Path A is an upgrade workflow).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
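
The `assert` versus explicit `raise` point from the commit message above, as an added example (not the project's code). It compiles one constructed provider check at both optimization levels; the function names and the `client_id`/`client_secret` keys are assumptions.

```python
# Added illustration: why an assert-based config check vanishes under `python -O`.
# Function names and config keys are hypothetical, not taken from the project.
import textwrap

SOURCE = textwrap.dedent('''
    def provider_with_assert(cfg):
        assert cfg.get("client_id") is not None, "client_id missing"
        assert cfg.get("client_secret") is not None, "client_secret missing"
        return (cfg.get("client_id"), cfg.get("client_secret"))

    def provider_with_raise(cfg):
        for key in ("client_id", "client_secret"):
            if cfg.get(key) is None:
                raise ValueError(key + " missing")
        return (cfg.get("client_id"), cfg.get("client_secret"))
''')


def load(optimize):
    """Compile SOURCE the way the interpreter would at this -O level."""
    namespace = {}
    code = compile(SOURCE, "<constructed provider check>", "exec", optimize=optimize)
    exec(code, namespace)
    return namespace


def outcome(fn, cfg):
    """Run a check and report either its return value or the error it raised."""
    try:
        return ("ok", fn(cfg))
    except (AssertionError, ValueError) as exc:
        return (type(exc).__name__, str(exc))


def compare(cfg):
    """Run both checks with asserts enabled (0) and stripped (1, as with -O)."""
    results = {}
    for label, level in (("python", 0), ("python -O", 1)):
        ns = load(level)
        results[label] = {
            "assert": outcome(ns["provider_with_assert"], cfg),
            "raise": outcome(ns["provider_with_raise"], cfg),
        }
    return results


if __name__ == "__main__":
    # Constructed input: an enabled provider whose secret was never set.
    broken = {"client_id": "constructed-id", "client_secret": None}
    for mode, checks in compare(broken).items():
        print(mode, checks)
```

Under `-O` the assert version returns a provider with a `None` secret instead of failing at startup, while the explicit `raise` fails the same way in both modes.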
@junaway junaway changed the base branch from release/v0.100.2 to release/v0.100.3 May 26, 2026 21:50
junaway and others added 3 commits May 26, 2026 23:50
The v0.100.2 env reshape moved blocked/allowed domain config from
env.agenta.* to env.agenta.access.*, but the SimpleNamespace monkeypatch
in test_get_blocked_domains_* was never updated. The tests crashed with
AttributeError on access in CI.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…-AI/agenta into chore/update-deployment-artifacts
Copilot AI review requested due to automatic review settings May 26, 2026 21:51
Base advanced from release/v0.100.2 to release/v0.100.3, but the chart,
migration guide, and surrounding documentation still referenced .2. Updated:

- Chart.yaml: version 0.100.2 → 0.100.3, appVersion v0.100.2 → v0.100.3
- Renamed v0.100.2-migration.mdx → v0.100.3-migration.mdx
- NOTES.txt, _compatibility.tpl, _helpers.tpl, secrets.yaml,
  hosting/kubernetes/run.sh, registry.py — comment/string updates
- 03-upgrading.mdx callout retargeted
- pr-description.md + qa-plan.md retargeted
- v0.102 (compat-layer removal target) → v0.103

All "pre-v0.100.x → v0.100.x" boundary labels in docs/comments also
shifted to the new release. Chart lints and renders 30 resources clean
under the OSS example values.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 113 out of 122 changed files in this pull request and generated 2 comments.

Comment thread hosting/kubernetes/run.sh
Comment thread docs/docs/self-host/03-upgrading.mdx Outdated
- hosting/kubernetes/run.sh: require kubectl only when --nuke is set;
  plain helm upgrade --install (and --dry-run) no longer need it.
- docs/03-upgrading.mdx: add -T to docker compose exec pg_dumpall so
  the logical backup is a clean SQL stream without TTY control chars.
- docs/blog: anchor link rename #redis-caching -> #redis.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Copilot AI left a comment


Pull request overview

Copilot reviewed 115 out of 124 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

hosting/kubernetes/helm/templates/tests/test-connection.yaml:19

  • busybox:1 is a floating tag, so helm test results can change over time (and might break if the tag’s contents change). Consider pinning to a specific BusyBox minor/patch tag (or an image digest) for reproducible tests (and apply consistently to the other BusyBox usages in this chart, e.g. wait-for init containers).

Comment thread hosting/kubernetes/helm/Chart.yaml

Labels

devops documentation Improvements or additions to documentation size:XXL This PR changes 1000+ lines, ignoring generated files.


3 participants