Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/operator-ci.yml:
- Line 37: The workflow uses an unpinned action reference "uses:
golangci/golangci-lint-action@v9" which should be pinned to a commit SHA to
mitigate supply-chain risk; update that line to the corresponding commit SHA for
golangci/golangci-lint-action and similarly pin other actions used in this file
(e.g., "checkout@v6" and "setup-go@v6") to their commit SHAs so all action
references are consistent and immutable.

In `@apps/operator/.github/workflows/test-e2e.yml`:
- Line 25: Thay vì tải script cài đặt k3d từ nhánh main, sửa bước chạy curl để
ghim một tag phát hành cố định (ví dụ thiết lập TAG=vX.Y.Z và dùng
https://raw.githubusercontent.com/k3d-io/k3d/$TAG/install.sh) và chạy script đã
ghim, đảm bảo hành vi lặp lại; cập nhật dòng hiện tại chứa "curl -s
https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash" để sử dụng
biến TAG hoặc hằng số tag và (tùy chọn) thêm kiểm tra checksum/signature trước
khi pipe vào bash.

In `@apps/operator/.golangci.yml`:
- Around line 38-40: Don't disable SA1019 globally; instead restrict the
suppression to the specific package/files or lines that legitimately require
using a deprecated API. Update the .golangci.yml by removing the global SA1019
entry under linters/staticcheck and add an exclude-rules block that targets only
the specific path(s) or file patterns and the linter name "staticcheck" with
text "SA1019" (or use per-file inline //nolint:staticcheck when narrowest scope
is needed), so other code still receives SA1019 warnings.

In `@apps/operator/internal/controller/database/reconciler_test.go`:
- Line 348: Trình biên dịch báo lỗi vì dùng new(int32(1)) (đối số của new phải
là kiểu, không phải giá trị); sửa tất cả chỗ sử dụng này (ví dụ trường Replicas
trong resources.go và reconciler_test.go) bằng cách khởi tạo một biến kiểu int32
với giá trị 1 rồi trả về địa chỉ của biến đó (ví dụ: tạo biến v := int32(1) và
trả về &v trong biểu thức khởi tạo), hoặc dùng helper trả về *int32 nếu dự án
có; cập nhật mọi vị trí dùng new(int32(1)) thành mẫu khởi tạo
biến-and-return-address tương tự.

In `@apps/operator/internal/controller/tekton/reconciler.go`:
- Around line 224-228: The comparator passed to sort.Slice is taking metav1.Time
values and incorrectly using new(...) which doesn't compile; fix the comparator
in the sort.Slice call by comparing the underlying time.Time values (e.g. use
prList.Items[i].GetCreationTimestamp().Time.Before(prList.Items[j].GetCreationTimestamp().Time))
or by taking addresses of named metav1.Time variables (jTime :=
prList.Items[j].GetCreationTimestamp(); iTime :=
prList.Items[i].GetCreationTimestamp(); return iTime.Before(&jTime)); update the
comparator in the sort.Slice (the anonymous func used to sort prList.Items)
accordingly.

In `@apps/operator/internal/cue/tekton.go`:
- Line 1: Dòng comment đầu tiên `// Package cue /*` chứa ký tự dư `/*` và gây
lỗi định dạng; thay thế comment đó bằng một doc-comment chuẩn trước khai báo
package (ví dụ bắt đầu bằng `// Package cue ...`) mà không có `/*` để tạo
comment mô tả gói cue; đảm bảo comment đứng ngay trước khai báo `package cue` và
chỉ là một dòng hoặc block comment Go hợp lệ.

In `@apps/operator/Makefile`:
- Line 165: Dòng hiện tại thu pids từ lsof (-ti :8081) và gọi kill -9 trực tiếp,
có thể giết nhầm tiến trình và không cho tiến trình dọn tài nguyên; thay bằng
gửi SIGTERM trước (kill -15 hoặc kill $$pids), chờ trong vòng lặp ngắn để kiểm
tra lại pids và chỉ dùng kill -9 nếu tiến trình vẫn còn; cập nhật logic quanh
biến pids, lsof -ti :8081 và lệnh kill để phản ánh thứ tự: TERM -> chờ/kiểm tra
-> KILL nếu cần, và thêm echo thông báo tương ứng.
- Around line 136-138: The test-e2e Makefile target currently runs "go test"
then "$(MAKE) cleanup-test-e2e", but if the test command fails the cleanup step
is skipped; change the target to run the test inside a shell that sets a trap to
always invoke the existing cleanup target (e.g., use: sh -c 'trap "$(MAKE)
cleanup-test-e2e" EXIT; K3D_CLUSTER=$(K3D_CLUSTER) go test ./test/e2e/ -v
-ginkgo.v' ), ensuring the cleanup-test-e2e target always executes regardless of
go test exit status while keeping the K3D_CLUSTER variable passed through.

In `@apps/operator/README.md`:
- Line 26: Update the README description for the make target "make test-e2e" to
accurately reflect its behavior: change the sentence that currently says it
"installs k3d if needed" to state that it checks for k3d and fails with an error
if k3d is not installed (or instructs the user to install k3d), so the README
matches the Makefile's actual behavior for the make test-e2e target.

In `@apps/operator/tekton/pipeline.yaml`:
- Around line 29-32: The parameters env-vars and resources declared in the
pipeline parameters are unused (dead parameters); either remove them from the
parameters list or wire them into the downstream tasks that need
them—specifically check the update-gitops-manifest task (taskRef:
git-update-manifest) and any other tasks/steps that should receive env-vars and
resources (via params or taskRun/step env/resource fields) and add the
corresponding param entries and references, or delete the env-vars and resources
parameter definitions from the pipeline YAML if no task consumes them.

In `@apps/portal/.yarnrc.yml`:
- Around line 1-10: The current Yarn config is insecure:
approvedGitRepositories: '**' is too permissive, enableScripts: true allows
third-party lifecycle scripts, and npmMinimalAgeGate: 0 disables the minimum age
gate; update .yarnrc.yml by replacing approvedGitRepositories with a tight
allowlist (specific domains, orgs or repo patterns) instead of '**', set
enableScripts to false (or scope it only where explicitly required), and set
npmMinimalAgeGate to a positive duration (e.g., '1d' or larger) to reinstate the
publish age gate; keep other keys (nodeLinker, yarnPath) unchanged unless you
have a reason to modify them.

In `@apps/portal/examples/nestjs-prisma-template/content/source/tsconfig.json`:
- Line 18: The tsconfig template currently forces "stableTypeOrdering": true
which is a diagnostic/transition flag (TS 6→7) and can significantly slow
type-checking; remove this fixed setting from the template (or default it to
false / make it configurable) so new projects aren't penalized—locate the
"stableTypeOrdering" entry in the tsconfig.json and delete the key (or set it to
false / document it as an opt-in) so the template no longer hard-enables this
flag.

In `@apps/portal/examples/spring-boot-template/template.yaml`:
- Around line 79-80: Update the explanatory comment that currently says "Use
repoName as the app identifier" to reflect that the template now uses the
parameters.name value as the app identifier (i.e., mention parameters.name
instead of repoName) so the comment matches the actual value used in the name:
${{ parameters.name }}; locate the comment adjacent to the name: ${{
parameters.name }} line and replace the outdated reference to repoName with a
brief note about using parameters.name (and that it is Kubernetes/URL safe) to
avoid confusion.

In
`@apps/portal/packages/app/src/scaffolder/UniqueNamePickerExtension/extension.ts`:
- Around line 20-24: The current validation uses a regex that allows leading or
trailing hyphens; in the block that checks the variable "value" and calls
validation.addError, replace the existing pattern with one that requires the
first and last character to be a lowercase letter or digit while allowing
hyphens only internally (i.e., no leading or trailing '-' ), preserving the
lowercase/alphanumeric-only rule and the same validation.addError message.

In `@apps/portal/plugins/helios-backend/src/plugin.ts`:
- Around line 23-27: The code is using a blunt cast "(await createRouter({
logger, config })) as any" when calling httpRouter.use, which hides type
mismatches between your createRouter return and Backstage/Express
router/middleware signature; update the createRouter function's return type (and
any related helper types) so it explicitly returns the correct Express/Backstage
router/middleware type expected by httpRouter.use (e.g., express.Router or the
framework's RouterMiddleware type), or change the function to wrap/return a
correctly typed router instance, then remove the "as any" cast in plugin.ts (and
make the analogous fix in database-router-simple.ts) so the compiler enforces
the proper contract instead of silencing it.

In `@cue/definitions/tekton/pipelines/patterns.cue`:
- Around line 166-180: The script currently runs "npm ci" whenever package.json
exists, which fails if no lockfile is present; update the logic around the
existing checks (the if that tests for package-lock.json and package.json and
the "npm ci --ignore-scripts --no-audit --no-fund --progress=false
--fetch-retries=5 --fetch-retry-mintimeout=15000" invocation) so that you only
run "npm ci" when a lockfile exists (package-lock.json or npm-shrinkwrap.json);
if package.json exists but no lockfile, either run "npm install --no-audit
--no-fund --progress=false" instead or skip install—implement the preferred path
by replacing the current single "npm ci" call with a conditional: if [ -f
package-lock.json ] || [ -f npm-shrinkwrap.json ]; then npm ci ...; else npm
install ...; fi.

In `@cue/definitions/tekton/tasks/buildah-build.cue`:
- Around line 30-72: The Task BuildahBuild still runs Kaniko; update the steps
in the task (the steps array under BuildahBuild) to use Buildah commands instead
of Kaniko: replace the step that uses image
gcr.io/kaniko-project/executor:v1.23.2-debug and invocation of /kaniko/executor
with a Buildah image and a script that runs buildah bud (with --storage-driver
from params.storage-driver, --isolation from params.buildah-isolation, and
--platform from params.build-platforms (use only the first platform if a list)),
then run buildah push to $(params.image) and write the digest to
/tekton/results/IMAGE_DIGEST; also change the volume/secret mount for docker
auth from /kaniko/.docker to Buildah's auth location (/root/.docker) or use
buildah's --authfile flag tied to the secret (params.docker-secret), and ensure
the write-image-url step still reads /tekton/results/IMAGE_DIGEST into
results.IMAGE_URL.path so params.image@digest is emitted.

In `@cue/definitions/tekton/tasks/git-update.cue`:
- Around line 172-205: The script must not embed credentials into the remote URL
(avoid creating REPO_URL_WITH_AUTH and calling git_safe remote set-url origin);
instead keep origin as-is (RAW_URL handling can remain for validation) and
before pushing set an HTTP Basic auth header via git config --local
http.extraHeader using a Base64-encoded "username:password" value (compute the
Base64 string from ${username}:${password}), perform git_safe push origin
"$(params.gitops-repo-branch)" and then remove/clear the http.extraHeader to
avoid leaking credentials; replace references to REPO_URL_WITH_AUTH and the
git_safe remote set-url origin call with this header-based flow so pushes
authenticate without embedding credentials in the URL.

In `@cue/definitions/tekton/tasks/registry.cue`:
- Line 7: Bản đồ `"buildah-build"` trỏ tới `#BuildahBuild` nhưng nội dung
`#BuildahBuild` vẫn dùng executor/command của Kaniko (ví dụ
`gcr.io/kaniko-project/executor` và `/kaniko/executor`); sửa sao cho tên/nhãn và
hành vi nhất quán: hoặc thay toàn bộ image/command trong `#BuildahBuild` để dùng
Buildah (ví dụ đổi image sang một Buildah image như quay.io/buildah/stable và
thay các lệnh Kaniko bằng lệnh Buildah tương ứng như buildah bud/buildah push
hoặc script dùng buildah), hoặc nếu giữ Kaniko thì đổi tên task/nhãn/ghi chú để
phản ánh Kaniko; tìm và cập nhật mọi tham chiếu đến `#BuildahBuild`, chuỗi image
`gcr.io/kaniko-project/executor` và lệnh `/kaniko/executor` trong định nghĩa
task để đảm bảo nhất quán.

In `@cue/engine/builder.cue`:
- Around line 89-98: The env block currently injects Postgres-specific variables
(PGRST_DB_URI and DATABASE_URL using postgres://) unconditionally, causing wrong
connection strings for other dbType values; update the builder.cue env array so
that PGRST_DB_URI and the DATABASE_URL entry (which builds
postgres://$(DB_USER):$(DB_PASS)@$(DB_HOST):$(DB_PORT)/$(DB_NAME)) are only
added when dbType == "postgres" (use a conditional or separate concat branch
around those two entries referencing dbType and dbSecretName) while leaving the
generic DB_* entries unchanged.

In `@infrastructure/environments/local-dev/providers.tf`:
- Line 22: Replace the hardcoded config_path value in providers.tf (the
config_path setting) with a configurable value: add a new variable
"kubeconfig_path" in variables.tf (default "~/.kube/config") and reference
var.kubeconfig_path in providers.tf, and additionally support honoring the
KUBECONFIG environment variable by using that when set; also consider applying
pathexpand when evaluating the path so Windows/home-dir expansions work
correctly.
- Line 24: The Terraform config currently sets insecure = true (multiple
occurrences) which should be either documented or removed; update each insecure
= true occurrence to either be removed or replaced with a documented toggle
(e.g., a variable like var.skip_tls_validation with a clear comment) and add an
inline comment explaining why TLS verification is skipped for local k3d only and
instructions to switch to proper certs (or how to configure k3d to use
self-signed/valid certs); ensure the default remains secure (false) and that any
boolean toggle is clearly named and documented so this setting cannot be
accidentally promoted to production.

In `@infrastructure/environments/prod/providers.tf`:
- Line 2: The Terraform version constraint in providers.tf (required_version =
">= 1.15.5") is out of sync with the prereq checks in scripts/check-prereqs.sh
and .bat which only require 1.15; update one side so they match: either raise
the prereq minimum in scripts/check-prereqs.sh/.bat to 1.15.5, or change
providers.tf's required_version to a compatible range (e.g. ">= 1.15.0, <
1.16.0" or "~> 1.15.5") and document the chosen production version; locate the
check-prereqs scripts and the required_version line in providers.tf to make the
change.

In `@infrastructure/modules/cluster-k3d/main.tf`:
- Around line 1-4: The terraform_data "k3d_cluster" resource only triggers
replacement on var.cluster_name, so changes to the registry configuration
(var.registry_name, var.registry_port) won't recreate the cluster and k3d may
keep pointing to the old mirror; update the triggers_replace list on resource
"terraform_data" "k3d_cluster" to include the registry-related variables (e.g.,
var.registry_name and var.registry_port) so any change to those values forces
recreate, and verify any script or template that uses
registry_name/registry_port (the create script referenced by k3d_cluster) reads
the updated values.

In `@infrastructure/modules/git-auth/main.tf`:
- Around line 1-7: Trong resource gitlab_personal_access_token.this thay vì
hardcode expires_at = "2026-12-31" dùng module time của HashiCorp: tạo
time_static và time_offset và truyền giá trị đã format về "YYYY-MM-DD" (ví dụ
dùng formatdate("YYYY-MM-DD", time_offset.<name>.rfc3339)) cho thuộc tính
expires_at để có rolling expiry; đồng thời thu hẹp scopes từ ["api"] sang quyền
tối thiểu cần thiết (ví dụ "read_repository" hoặc "write_repository") để áp dụng
principle of least privilege cho token.

In `@infrastructure/modules/gitea/main.tf`:
- Around line 94-96: The use of uuid() inside the input map (the configure_gitea
input) causes every terraform plan to show a diff; remove the nondeterministic
uuid() and instead add a triggers_replace block on the resource (use
triggers_replace = { ... }) populated with the actual deterministic variables or
configuration flags that should force recreation (e.g., var.gitea_version,
var.repo_settings, var.admin_user, or a specific checksum of templates). This
keeps plans stable and only triggers reruns when the real inputs change.

In `@infrastructure/modules/gitea/variables.tf`:
- Around line 13-18: Biến Terraform gitea_admin_pass hiện có mật khẩu mặc định
"helios123" — hãy loại bỏ default cứng này và để biến bắt buộc (không khai báo
default) hoặc thay bằng cơ chế an toàn (ví dụ tạo bằng random_password và truyền
vào output/secret store); giữ sensitive = true và cập nhật description để chỉ rõ
cách cung cấp giá trị (via -var, tfvars, hoặc secret manager). Thao tác này liên
quan trực tiếp tới biến gitea_admin_pass trong file và đảm bảo không còn
credential hardcoded.

In `@infrastructure/modules/platform-services/argocd.tf`:
- Around line 78-80: Thay vì dùng targetRevision: HEAD, thay bằng biến để khóa
revision cụ thể; cập nhật cấu hình ứng dụng ArgoCD (tham chiếu targetRevision)
để dùng ví dụ biến var.gitops_repo_revision (hoặc tên biến tương ứng) và đảm bảo
biến này được khai báo/đặt giá trị trong các môi trường (local/prod) thay vì mặc
định HEAD, đồng thời giữ repo URL hiện tại var.gitops_repo_url; mục tiêu là pin
branch/tag/commit rõ ràng thay cho HEAD trong phần cấu hình targetRevision.

In `@infrastructure/modules/platform-services/tekton.tf`:
- Around line 160-168: The resource terraform_data.install_crds currently only
receives a static path via input.crd_dir so its provisioner won't re-run when
files change; update install_crds so Terraform observes CRD content changes by
feeding a content checksum into its inputs/triggers (e.g., compute a hash of all
files under ${var.workspace_root}/apps/operator/config/crd via a data/local_file
or external/local-exec checksum step and pass that checksum into
terraform_data.install_crds.input or into triggers/ triggers_replace), ensuring
the provisioner "local-exec" command is re-executed whenever any CRD file under
that directory changes.

In `@infrastructure/modules/platform-services/variables.tf`:
- Around line 48-52: The variable workspace_root currently says "Absolute path"
but its default "../../../" is relative; either update the variable description
to indicate it's a relative path (e.g., "Relative path to the workspace root
directory") or convert the default into a true absolute path and use that
throughout: compute an absolute path with abspath(path.module + "/../../../")
(or compute abspath(var.workspace_root) in a local like
local.workspace_root_abs) and replace usages with the absolute local; reference
variable workspace_root, builtins path.module and abspath, and consider adding
local.workspace_root_abs for downstream consumers.

In `@scripts/check-prereqs.bat`:
- Around line 38-41: The call that enforces `make` as required uses the required
check routine `:check_tool` which makes Windows fail hard; change the `call
:check_tool "make" "make --version"` invocation to use the optional routine
`:check_optional_tool` so `make` is treated as a warning (matching the behavior
of check-prereqs.sh). Locate the `call :check_tool "make" "make --version"` line
and replace it with `call :check_optional_tool "make" "make --version"` (leaving
the other `:check_tool` calls for operator-sdk, terraform, task unchanged).

In `@scripts/setup-credentials.ps1`:
- Around line 32-34: The kubectl patch command in the script (the block using
"Write-Host" and "kubectl patch sa default -p '{"imagePullSecrets": [{"name":
"docker-credentials"}]}'") does not specify a namespace and will operate against
the current kubectl context; update the patch command to include the namespace
flag (e.g., add -n default) so the default ServiceAccount in the intended
namespace is patched, and likewise update the earlier pipeline patch step that
patches the ServiceAccount to also include -n default to keep behavior
consistent.

In `@scripts/start-portal.ps1`:
- Line 37: Remove the sensitive Write-Host call that prints the ArgoCD admin
password (the line containing Write-Host "[ArgoCD] Admin Password: $pass") so
the secret is not emitted to console/logs; instead either omit any output or
replace it with a non-sensitive informational message (e.g., "ArgoCD admin
password generated — handle securely" or instructions on how to retrieve the
password manually) since the password is immediately used to generate a token
and should not be logged.

In `@Taskfile.yml`:
- Around line 123-179: The Taskfile's setup flow (setup:all -> setup:registry
and setup:terraform) assumes POSIX shells and currently skips setup:registry on
Windows (platforms: [linux, darwin]) which breaks bootstrap on Windows; update
Taskfile.yml so setup:all either branches by platform or fails fast with a clear
message. Concretely, modify setup:all to detect platform and: (a) call the
existing setup:registry and setup:terraform on linux/darwin, or (b) when on
Windows, print an explicit error and exit recommending WSL/Git Bash (or invoke
Windows-compatible equivalents) — touch the tasks named setup:all,
setup:registry and setup:terraform to add the platform-check/fail-fast logic and
messages so the bootstrap won't silently stop on native Windows shells.
- Around line 628-666: The dev:portal task currently always invokes
dev:free-ports which force-kills any process listening on common ports
(7007,8080,8001,3030); change this to be opt-in or scope kills to only
Helios-owned processes: remove the unconditional dependency on dev:free-ports in
the dev:portal task and instead call it only when an env flag (e.g.
CLEAN_PORTS=true) is set, or update the dev:free-ports scripts to filter PIDs by
process command/owner (e.g. only kill processes whose command line or owner
matches Helios) before sending SIGKILL; update references to start-dev.sh /
start-portal.ps1 if they rely on the unconditional cleanup so they can opt in
via the env flag.

---

Outside diff comments:
In `@apps/operator/internal/controller/heliosapp_controller.go`:
- Around line 228-249: The SetupWithManager adds a watcher for tekton.dev/v1
PipelineRun (see pr variable and r.findObjectsForPipelineRun) but there is no
kubebuilder RBAC granting get,list,watch on pipelineruns; add a kubebuilder RBAC
comment for the PipelineRun resource with verbs=get;list;watch (matching
Group=tekton.dev Version=v1 Resource=pipelineruns) so the controller pod can
inform and reconcile PipelineRun events referenced by SetupWithManager/
findObjectsForPipelineRun.

In `@apps/operator/internal/controller/tekton/pipelinerun.go`:
- Around line 44-57: PipelineRun creation uses apiVersion "tekton.dev/v1beta1"
in pipelinerun.go but the reconciler (PrunePipelineRuns/CancelOlderPipelineRuns
in reconciler.go) lists PipelineRunList with
schema.GroupVersionKind{Group:"tekton.dev", Version:"v1"}, causing a mismatch;
update the GroupVersionKind used when listing PipelineRunList to
Version:"v1beta1" (or otherwise make both sides use the same Tekton API version)
so prune/cancel operate on the same resource version as created.

In `@cue/definitions/tekton/pipelines/patterns.cue`:
- Around line 247-256: The params array in patterns.cue uses uppercase names
"REPLICAS" and "PORT" which don't match the lowered param names used by the
git-update-manifest task (see git-update.cue); replace the two entries with
name: "replicas" and name: "port" (or whatever exact lowercase identifiers the
task defines) so the overrides from patterns.cue apply to the
git-update-manifest task results and prevent falling back to defaults 2/8080.

In `@Taskfile.yml`:
- Around line 593-600: The current patch command overwrites the default
ServiceAccount's imagePullSecrets array; change the logic that targets the
'default' ServiceAccount so it appends the docker-credentials entry only if
missing instead of replacing the whole array. Locate the kubectl patch for "sa
default" in the Taskfile.yml and replace the destructive patch with a safe
check-and-append approach (e.g., use a JSON patch via kubectl --type=json that
conditionally adds the {"name":"docker-credentials"} entry if not present, or
fetch the SA, inspect imagePullSecrets and patch/merge back only when needed) so
existing imagePullSecrets are preserved. Ensure the same non-destructive
behavior is applied consistently alongside the existing 'pipeline'
ServiceAccount handling.