Release 1.12.0

.gitignore

@@ -151,3 +151,6 @@ testing/docker/certs/
 
 # Claude Code
 .claude/
+
+# Visual Studio Code
+.vscode/

CHANGELOG.md

@@ -5,6 +5,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+## [1.12.0] - 2026-06-08
+- Fix: do not inject file parameter as env vars
+- Public and private scopes now register DNS records in their correct Route53 hosted zone when using `DNS_TYPE=external_dns`, preventing cross-zone record leakage
+- Add configurable main HTTP port for k8s scopes (default 8080) and HTTP support for additional ports
+- Improve **wait deployment active** failure logging: consolidate repeated `Unhealthy` probe events per pod into a single human-readable line, emit a progress heartbeat every 10% of timeout, and surface a targeted suggested fix based on the probe failure mode (port not open / HTTP non-2xx / probe timeout)
+- Add configurable memory and CPU limits, independent from requests, for k8s scope containers
+- Improve **k8s/diagnose** evidence: every check now emits structured evidence following a documented schema (`summary`, `severity`, `affected`, `details`, `suggested_actions`), failure findings embed the relevant pod log slice (current or previous depending on the failure mode), and a new **Application Logs** category surfaces the user-owned `application` container's log tail directly in the UI
+
 ## [1.11.0] - 2026-04-16
 - Add unit testing support
 - Add scope configuration

k8s/deployment/build_context

@@ -23,6 +23,20 @@ MIN_REPLICAS=$(echo "$MIN_REPLICAS" | awk '{printf "%d", ($1 == int($1) ? $1 : i
 
 DEPLOYMENT_STATUS=$(echo "$CONTEXT" | jq -r ".deployment.status")
 
+# Fill in *_limit capability fields with the corresponding request value when
+# the limit is missing or explicitly null, then clamp any limit below its
+# request up to the request value. The schema rejects limit < request at save
+# time; this is defense-in-depth so the script can never produce an invalid
+# resources block, regardless of how the context was built.
+normalize_capability_limits() {
+  echo "$1" | jq '
+    .scope.capabilities.cpu_millicores_limit //= .scope.capabilities.cpu_millicores
+    | .scope.capabilities.ram_memory_limit //= .scope.capabilities.ram_memory
+    | .scope.capabilities.cpu_millicores_limit = ([.scope.capabilities.cpu_millicores, .scope.capabilities.cpu_millicores_limit] | max)
+    | .scope.capabilities.ram_memory_limit = ([.scope.capabilities.ram_memory, .scope.capabilities.ram_memory_limit] | max)
+  '
+}
+
 validate_status() {
   local action="$1"
   local status="$2"
@@ -245,6 +259,22 @@ if [[ -n "$TRAFFIC_MANAGER_CONFIG_MAP" ]]; then
     log info "✨ ConfigMap '$TRAFFIC_MANAGER_CONFIG_MAP' validation successful"
 fi
 
+MAIN_HTTP_PORT=$(echo "$CONTEXT" | jq -r '.scope.capabilities.main_http_port // 8080')
+log debug "🔍 main_http_port resolved to ${MAIN_HTTP_PORT}"
+
+# Enrich each additional_ports entry with traffic_manager_port = port + 10000.
+# Convention: the traffic-manager sidecar that fronts an additional port binds
+# <port>+10000 inside the pod so the application can bind <port> directly. The
+# fixed +10000 offset makes it trivial to identify which sidecar belongs to
+# which application port at a glance (e.g. app 8081 -> sidecar 18081). Keeping
+# the math here (instead of in every template) means consumers just read
+# .traffic_manager_port and never re-derive it.
+CONTEXT=$(echo "$CONTEXT" | jq '
+  if (.scope.capabilities.additional_ports | type) == "array" then
+    .scope.capabilities.additional_ports |= map(. + {traffic_manager_port: (.port + 10000)})
+  else . end
+')
+
 # Check if blue deployment has K8s services for additional ports
 BLUE_ADDITIONAL_PORT_SERVICES="{}"
 if [ -n "$BLUE_DEPLOYMENT_ID" ] && [ "$BLUE_DEPLOYMENT_ID" != "null" ]; then
@@ -280,6 +310,7 @@ CONTEXT=$(echo "$CONTEXT" | jq \
           --arg container_memory_in_memory "$CONTAINER_MEMORY_IN_MEMORY" \
           --arg container_cpu_in_millicores "$CONTAINER_CPU_IN_MILLICORES" \
           --argjson blue_additional_port_services "$BLUE_ADDITIONAL_PORT_SERVICES" \
+          --arg main_http_port "$MAIN_HTTP_PORT" \
           '. + {blue_deployment_id: $blue_deployment_id,
                 blue_replicas: $blue_replicas,
                 green_replicas: $green_replicas,
@@ -292,9 +323,12 @@ CONTEXT=$(echo "$CONTEXT" | jq \
                 traffic_manager_config_map: $traffic_manager_config_map,
                 container_memory_in_memory: $container_memory_in_memory,
                 container_cpu_in_millicores: $container_cpu_in_millicores,
-                blue_additional_port_services: $blue_additional_port_services
+                blue_additional_port_services: $blue_additional_port_services,
+                main_http_port: ($main_http_port | tonumber)
           }')
 
+CONTEXT=$(normalize_capability_limits "$CONTEXT")
+
 DEPLOYMENT_ID=$(echo "$CONTEXT" | jq -r '.deployment.id')
 
 OUTPUT_DIR="$SERVICE_PATH/output/$SCOPE_ID-$DEPLOYMENT_ID"

k8s/deployment/build_deployment

@@ -3,6 +3,7 @@
 
 DEPLOYMENT_PATH="$OUTPUT_DIR/deployment-$SCOPE_ID-$DEPLOYMENT_ID.yaml"
 SECRET_PATH="$OUTPUT_DIR/secret-$SCOPE_ID-$DEPLOYMENT_ID.yaml"
+SECRET_FILES_PATH="$OUTPUT_DIR/secret-files-$SCOPE_ID-$DEPLOYMENT_ID.yaml"
 SCALING_PATH="$OUTPUT_DIR/scaling-$SCOPE_ID-$DEPLOYMENT_ID.yaml"
 SERVICE_TEMPLATE_PATH="$OUTPUT_DIR/service-$SCOPE_ID-$DEPLOYMENT_ID.yaml"
 PDB_PATH="$OUTPUT_DIR/pdb-$SCOPE_ID-$DEPLOYMENT_ID.yaml"
@@ -38,6 +39,18 @@ if [[ $TEMPLATE_GENERATION_STATUS -ne 0 ]]; then
 fi
 log info "   ✅ Secret template: $SECRET_PATH"
 
+gomplate -c .="$CONTEXT_PATH" \
+  --file "$SECRET_FILES_TEMPLATE" \
+  --out "$SECRET_FILES_PATH"
+
+TEMPLATE_GENERATION_STATUS=$?
+
+if [[ $TEMPLATE_GENERATION_STATUS -ne 0 ]]; then
+    log error "   ❌ Failed to build secret-files template"
+    exit 1
+fi
+log info "   ✅ Secret-files template: $SECRET_FILES_PATH"
+
 gomplate -c .="$CONTEXT_PATH" \
   --file "$SCALING_TEMPLATE" \
   --out "$SCALING_PATH"