- secrets.py: seed secret/meet (django-secret-key, application-jwt-secret-key)
- images.py: add sunbeam build meet (meet-backend + meet-frontend from source)
- kube.py: production SSH tunnel support, domain discovery from cluster, cmd_bao
- gitea.py: configure Hydra as OIDC auth source; mark admin account as private
- services.py: minor VSO sync status and services list fixes
- users.py: add cmd_user_enable
manifests.py: fix REPO_ROOT parents index (was 3, needed 2) which
caused kustomize overlay lookup to resolve against the wrong directory.
tools.py: call ensure_tool("helm") before running kustomize so the
bundled helm v3.17.1 is on PATH; system helm v4 dropped the -c flag
that kustomize 5.6.0 uses for version detection.
gitea.py: pass --must-change-password=false to gitea admin user
change-password, removing the separate Postgres UPDATE workaround that
was fragile and required a second exec into the CNPG pod.
