Multi-stage Alpine build pinned to python:3.14-alpine, with libolm pulled
in only for the runtime layer. K8s manifests cover ServiceAccount, Role
(scoped to a single named Secret), RoleBinding, ConfigMap, RWO PVC, and
the CronJob itself (concurrencyPolicy=Forbid, runAsNonRoot, dropped caps,
readOnlyRootFilesystem). Kustomize overlay targets the tenant-2 namespace.
bootstrap-local.sh prepares ./local/ from a Claude install (honors
CLAUDE_CONFIG_DIR for work/priv splits) and prompts for the Matrix bot
credentials.
vikingowl
107f9e1f14