Sync develop → main for v1.4.0 chart release

[saadqbal]

Summary

Brings the image-refresh CronJob feature to main ahead of cutting the v1.4.0 release tag.

What's included

• feat(#154): auto-refresh jobs-manager image on Docker Hub publish #155 — feat(#154): auto-refresh jobs-manager image on Docker Hub publish
• fix(#154): read annotations via jq (kubectl jsonpath bracket notation broken on dotted keys) #156 — fix(#154): read annotations via jq, not kubectl jsonpath bracket notation

Together they deliver the closure for #154: existing customers' jobs-manager (and pods-monitor) deployments now auto-refresh on Docker Hub tag publishes with no manual kubectl rollout restart needed. Source of truth is a tracebloc.io/last-refreshed-<image>-digest annotation on the deployment, comparing against the registry's HEAD digest each tick.

Dev verification

Smoke-tested end-to-end on tb-client-dev-templates EKS:

Test	Expected	Actual
Fresh helm upgrade from 1.3.5 → 1.4.0 with --reset-then-reuse-values	new image-refresh resources install, nothing else churns	✅
First image-refresh tick (no annotation)	records both digests, no restart	✅
Second tick (annotation matches)	digest unchanged; no-op, no annotate, no rollout	✅
Forced annotation clobber (simulates new image push)	digest changed → restart needed, rollout, then re-annotate to current digest	✅
Rollout history	bumped by 1 only on the forced-change test	✅

After merging

Cut v1.4.0 release tag from main — that fires release-helm-chart.yaml which publishes client-1.4.0.tgz to gh-pages. Existing customers' autoUpgrade CronJobs pick it up at the next :23 tick.

Closes #154

🤖 Generated with Claude Code

---

Note

Medium Risk
The CronJob can restart the jobs-manager deployment and holds patch RBAC on it; blast radius is one deployment in one namespace, but unintended restarts or registry/API failures could cause brief outages.

Overview
Releases the Helm chart at v1.4.0 and adds an image-refresh path so jobs-manager (and pods-monitor via the same deployment) can pick up new Docker Hub images under the floating CLIENT_ENV tag without manual kubectl rollout restart.

A scheduled CronJob runs a shell script that HEADs Docker Hub for manifest digests, compares them to tracebloc.io/last-refreshed-*-digest annotations on the deployment (not pod imageID), records digests on first run without restarting, and on change runs kubectl rollout restart then rollout status before updating annotations. Rendering is gated by tracebloc.imageRefreshEnabled (off when disabled or both images are digest-pinned); namespace-scoped RBAC limits the job to patch/watch that deployment. New imageRefresh values and schema defaults, plus helm-unittest coverage for script/RBAC contracts and upgrade safety when imageRefresh is missing.

^{Reviewed by Cursor Bugbot for commit 15e78d9. Bugbot is set up for automated code reviews on this repo. Configure here.}

[LukasWodka]

👋 Heads-up — Code review queue is at 17 / 8

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

• client-runtime#36 — Bump requests from 2.32.3 to 2.33.0 in /Node-deploy · author: @dependabot · no reviewer assigned
• client-runtime#37 — Bump black from 25.1.0 to 26.3.1 in /Node-deploy · author: @dependabot · no reviewer assigned
• client-runtime#38 — Bump requests from 2.32.3 to 2.33.0 · author: @dependabot · no reviewer assigned
• client-runtime#39 — Bump black from 25.1.0 to 26.3.1 · author: @dependabot · no reviewer assigned
• client-runtime#45 — Staging: Enhance jobs-manager with HTTP proxy, ingestion endpoint, and fixes · author: @saadqbal · no reviewer assigned
• data-ingestors#118 — Document data-ingestor release procedure · author: @saadqbal · no reviewer assigned
• design-system#19 — fix: un-track coverage/ and node_modules/ from git · author: @LukasWodka · no reviewer assigned
• docs#3 — Block bots from crawling Mintlify static assets · author: @LukasWodka · reviewer: @saadqbal
• tracebloc-client#296 — chore(deps): bump ray from 2.44.1 to 2.55.0 in /use_cases · author: @dependabot · no reviewer assigned
• tracebloc-client#300 — feat(nlp): add token classification use case (shape Add label type=system #3) · author: @shujaatTracebloc · reviewer: @saadqbal, @divyasinghds

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)

[saadqbal]

Adding skip-fr-gate label to bypass the FR gate's self-check on this sync PR.

The gate checks each referenced PR (#155, #156) AND the current PR (#157). Both #155 and #156 are correctly at Ready for prod after the /fr-pass commands. But the kanban automation has moved #157 itself to Prod (the natural state for a release-sync PR), so the gate's required = Ready for prod check fails on #157 by being too far along.

This is the gate's own documented emergency override — audit-logged via the ::warning::FR gate bypassed via 'skip-fr-gate' label. line in the workflow output.