🤖 Generated by the Daily AI Engineer (Codex sibling instance)
Evidence and problem
The default-off Admins policy was defined and maintainer-approved in #95 / #96, with activation deliberately reserved for a separate issue-backed slice. The latest portfolio audit now reports 20 active repositories without any admin team (devantler-tech/maintenance#19) and seven with no team assignment at all (devantler-tech/maintenance#20). kyverno-policies became the twentieth active repository after #96 was prepared, so the stored 19-grant policy is already one repository short.
The affected audience is the portfolio maintainer: repository administration remains individual-only and the declarative GitHub source of truth cannot yet prove complete team coverage.
Hypothesis and success signal
If the reviewed Admins team, maintainer membership, and one admin grant per active repository are activated declaratively, the next maintenance audit after Flux reconciliation should report zero active repositories without an admin team and zero without any team assignment.
Measurement window: the first scheduled maintenance audit after the released github-config artifact reconciles. Guardrails: do not grant the archived reusable-workflows repository, do not change the existing Maintainers permissions, do not claim Delete, and make no imperative GitHub-configuration writes.
Smallest useful change
- Add the
kyverno-policies Admins grant, bringing the reviewed scope to 20 active repositories.
- List
Team/admins, the explicit maintainer membership, and all 20 grants in the three production Kustomizations.
- Replace the short-lived default-off fixture with an activation regression that validates the production render directly.
- Update the policy comments, deployment documentation, and
AGENTS.md to describe the active state.
Acceptance criteria
Rough size
S — declarative activation plus one new grant and regression/doc updates.
Part of #53.
Evidence and problem
The default-off Admins policy was defined and maintainer-approved in #95 / #96, with activation deliberately reserved for a separate issue-backed slice. The latest portfolio audit now reports 20 active repositories without any admin team (
devantler-tech/maintenance#19) and seven with no team assignment at all (devantler-tech/maintenance#20).kyverno-policiesbecame the twentieth active repository after #96 was prepared, so the stored 19-grant policy is already one repository short.The affected audience is the portfolio maintainer: repository administration remains individual-only and the declarative GitHub source of truth cannot yet prove complete team coverage.
Hypothesis and success signal
If the reviewed Admins team, maintainer membership, and one admin grant per active repository are activated declaratively, the next maintenance audit after Flux reconciliation should report zero active repositories without an admin team and zero without any team assignment.
Measurement window: the first scheduled maintenance audit after the released
github-configartifact reconciles. Guardrails: do not grant the archivedreusable-workflowsrepository, do not change the existing Maintainers permissions, do not claimDelete, and make no imperative GitHub-configuration writes.Smallest useful change
kyverno-policiesAdmins grant, bringing the reviewed scope to 20 active repositories.Team/admins, the explicit maintainer membership, and all 20 grants in the three production Kustomizations.AGENTS.mdto describe the active state.Acceptance criteria
devantlermaintainer membership, and 20adminTeamRepository grants.kyverno-policiesis included; archivedreusable-workflowsis excluded.Deleteand external-name adoption; Maintainers grants remain unchanged atmaintain.kubectl kustomize deploy/, the policy test, ShellCheck, actionlint, andgit diff --checkpass.Rough size
S — declarative activation plus one new grant and regression/doc updates.
Part of #53.