feat(hindsight): wire real vectorize-io OCI Helm chart

full-ai-cluster/README.md

@@ -52,7 +52,7 @@ full-ai-cluster/
         ├── argo-rollouts/      ← progressive delivery
         ├── longhorn/           ← distributed block storage
         ├── cockroachdb/        ← distributed SQL
-        ├── hindsight/          ← agent persistent memory for Hermes (chart URL TBD)
+        ├── hindsight/          ← agent persistent memory for Hermes (vectorize-io OCI chart)
         ├── oz/                 ← OpenZiti zero-trust overlay
         ├── hermes/             ← custom AI agent (cloud LLMs via SOPS-baked keys, OZ transport, Hindsight memory)
         ├── ollama/             ← LLM serving (option A — local — DEFERRED, manual-sync)
@@ -204,10 +204,11 @@ Add new `nixosConfigurations.<host>` entries to `flake.nix` as needed.
     in the tree at `replicas: 0` so the topology is preserved.
     Bump replicas + rebuild Hermes against local endpoints when
     the local-models phase comes back online.
-- ❓ Awaiting maintainer input:
-  - **Hindsight** — confirmed as standalone helm chart for agent
-    persistent memory for Hermes. `Application.yaml` has TODO
-    awaiting `repoURL` + chart name + version.
+- ✅ **Hindsight** wired: vectorize-io OCI Helm chart at
+  `ghcr.io/vectorize-io/charts/hindsight` v0.3.0. Bundled
+  PostgreSQL by default (longhorn-backed); swap to external
+  CockroachDB once that Application is healthy. LLM key sourced
+  from a Vault-backed ExternalSecret (`hindsight-llm-api-key`).
 
 ## Secrets
 

full-ai-cluster/k8s/applications/hindsight/Application.yaml

@@ -1,15 +1,9 @@
-# Hindsight — agent persistent memory system for Hermes.
-# Standalone Helm chart deployed via ArgoCD.
+# Hindsight (vectorize-io) — agent persistent memory system for Hermes.
+# Real chart wired: OCI Helm chart at ghcr.io/vectorize-io/charts/hindsight.
 #
-# TODO(maintainer): provide the Helm chart URL + chart name + version.
-# Confirm which Hindsight chart this refers to:
-#   - public OSS chart (helm repo URL)
-#   - private chart (repoURL + auth)
-#   - in-repo chart (sibling repo URL + path)
-#
-# Once repoURL + chart name + version are provided, this Application
-# wires up directly. Until then, this placeholder declares the
-# namespace + intent so the structure is in place.
+# Pairs with hermes/Application.yaml — Hermes' deployment.yaml
+# sets `HINDSIGHT_URL=http://hindsight.hindsight.svc.cluster.local`
+# which matches this Application's namespace + chart-default service name.
 
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -20,27 +14,55 @@ metadata:
 spec:
   project: default
   source:
-    # TODO(maintainer): replace with the real Helm repo + chart name.
-    # Example shape:
-    #   repoURL: https://your-org.github.io/hindsight-chart/
-    #   chart: hindsight
-    #   targetRevision: 1.0.0
-    #   helm:
-    #     releaseName: hindsight
-    #     valuesObject:
-    #       persistence:
-    #         storageClass: longhorn
-    #         size: 20Gi
-    #       hermesIntegration:
-    #         enabled: true
-    repoURL: https://github.com/Lucent-Financial-Group/Zeta
-    targetRevision: main
-    path: full-ai-cluster/k8s/applications/hindsight
-    directory:
-      include: 'namespace.yaml'
+    repoURL: ghcr.io/vectorize-io/charts
+    chart: hindsight
+    targetRevision: 0.3.0   # bump to latest as vectorize-io publishes
+    helm:
+      releaseName: hindsight
+      valuesObject:
+        # Bundled PostgreSQL for storage. Swap to false +
+        # api.database.url for an external CockroachDB/Postgres
+        # backing store once the cluster's CockroachDB Application
+        # is healthy.
+        postgresql:
+          enabled: true
+          primary:
+            persistence:
+              storageClass: longhorn
+              size: 20Gi
+
+        api:
+          # LLM provider Hindsight uses for its own entity/relation
+          # extraction (separate from Hermes' LLM choice). Sourced
+          # from a Vault-backed ExternalSecret rather than hardcoded.
+          llm:
+            provider: groq   # change per maintainer preference
+            existingSecret:
+              name: hindsight-llm-api-key
+              key: api-key
+
+          # Database URL inferred from bundled postgresql above when
+          # `postgresql.enabled: true`. Override here for external
+          # CockroachDB:
+          # database:
+          #   url: postgresql://hindsight:$(PG_PASSWORD)@cockroachdb-public.cockroachdb.svc.cluster.local:26257/hindsight?sslmode=require
+          #   existingSecret:
+          #     name: hindsight-db-credentials
+          #     passwordKey: password
+
+        # Service for Hermes to reach Hindsight at:
+        #   http://hindsight.hindsight.svc.cluster.local
+        service:
+          type: ClusterIP
+          port: 80
+
   destination:
     server: https://kubernetes.default.svc
     namespace: hindsight
   syncPolicy:
-    automated: { prune: false, selfHeal: true }
-    syncOptions: [ CreateNamespace=true, ServerSideApply=true ]
+    automated:
+      prune: false   # never prune — memory store is precious
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true