
Promote develop → main: POD_TOKEN_SIGNING_SECRET wiring, chart 1.5.0 (client-runtime#79) #206

Merged
saadqbal merged 1 commit into main from develop on Jun 4, 2026

Conversation

@saadqbal (Contributor) commented Jun 4, 2026

Promotes the stateless-token chart wiring (#205) from develop to main, so it can be released to the Pages channel.

Included (1 commit)

Rollout ordering (important)

The chart secret only activates stateless mode when the running images carry the mint/verify code (client-runtime#89). Recommended order:

  1. Land client-runtime develop → staging → master (#90 then staging→master) so :prod images have #79.
  2. Merge this PR + cut GitHub Release v1.5.0 to publish the chart.
  3. Fleet auto-upgrades to 1.5.0 → secret lands → stateless mode activates on the next pod spawn.

Safe either way: if 1.5.0 reaches a fleet whose images predate #79, the secret is simply ignored and the deployment stays in legacy pod_tokens mode (no breakage) until the image catches up.

Validation

Stateless mode validated live on the tracebloc-amazon canary — 10 experiments through stop-storm churn, every proxy post 200, zero 401. See client-runtime#88.

Refs client-runtime#79, client-runtime#89, #205, #204.

🤖 Generated with Claude Code


Note: Medium Risk
Touches authentication-related secrets and deployment env across jobs-manager and requests-proxy; misconfigured TTL or secret rotation could invalidate live training tokens, though legacy behavior remains if images predate the runtime support.

Overview
Chart release 1.5.0 promotes Helm wiring for client-runtime#79: a shared HMAC secret so jobs-manager can mint and requests-proxy can verify per-pod REQUESTS_PROXY_TOKEN without the legacy pod_tokens table.

The chart adds POD_TOKEN_SIGNING_SECRET to the main client Secret with upgrade-stable resolution (explicit podTokenSigningSecret, else preserve via lookup, else generate on first install). jobs-manager gets POD_TOKEN_SIGNING_SECRET plus POD_TOKEN_TTL_SECONDS (default 7 days); requests-proxy gets the same signing secret for stateless verification. New values podTokenSigningSecret and podTokenTtlSeconds document operator pin/rotation and TTL backstop behavior.

Stateless mode only takes effect when running images include the mint/verify logic; older images ignore the new env vars and stay on legacy mode until upgraded.

Reviewed by Cursor Bugbot for commit 013a88b. Bugbot is set up for automated code reviews on this repo.
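The mechanism the Bugbot overview describes, as an added illustration that is not code from this PR, the chart, or the client-runtime repository: one shared HMAC secret, a mint side (jobs-manager), a verify side (requests-proxy) with a TTL backstop, and the chart's secret-precedence rule modelled as a plain function. The names POD_TOKEN_SIGNING_SECRET and POD_TOKEN_TTL_SECONDS and the 7-day default come from the PR; the token layout, claim names, and every function name below are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# POD_TOKEN_SIGNING_SECRET / POD_TOKEN_TTL_SECONDS and the 7-day default come from the PR;
# the token layout, claim names and function names are this example's assumptions.
DEFAULT_TTL_SECONDS = 7 * 24 * 3600


def resolve_signing_secret(explicit: Optional[str], existing: Optional[bytes]) -> bytes:
    """Model of the chart's upgrade-stable precedence described in the PR: an
    operator-pinned value wins, else the secret already in the cluster is preserved
    (what the chart's lookup does), else a fresh one is generated on first install.
    The chart does this in templates; this Python version only mirrors the rule."""
    if explicit:
        return explicit.encode("utf-8")
    if existing:
        return existing
    return secrets.token_bytes(32)


def ttl_from_env(env: dict) -> int:
    """Read POD_TOKEN_TTL_SECONDS, falling back to the chart default of 7 days."""
    raw = env.get("POD_TOKEN_TTL_SECONDS")
    return int(raw) if raw else DEFAULT_TTL_SECONDS


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_pod_token(secret: bytes, pod_id: str, ttl_seconds: int = DEFAULT_TTL_SECONDS,
                   now: Optional[int] = None) -> str:
    """jobs-manager side: a self-describing token bound to one pod. No table row is
    written; the claims travel inside the token and the HMAC makes them tamper-evident."""
    issued = int(time.time()) if now is None else now
    claims = {"pod": pod_id, "iat": issued, "exp": issued + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode("utf-8")
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_pod_token(secret: bytes, token: str, now: Optional[int] = None) -> Optional[str]:
    """requests-proxy side: return the pod id if the token is authentic and unexpired,
    otherwise None (the caller answers 401). Malformed input is rejected, never raised."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time; check the MAC before parsing
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    current = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, int) or current >= exp:  # TTL backstop
        return None
    pod = claims.get("pod")
    return pod if isinstance(pod, str) else None


if __name__ == "__main__":
    # Constructed environment standing in for the chart-injected container env.
    env = {"POD_TOKEN_SIGNING_SECRET": "constructed-demo-secret", "POD_TOKEN_TTL_SECONDS": "60"}
    key = env["POD_TOKEN_SIGNING_SECRET"].encode("utf-8")
    tok = mint_pod_token(key, "pod-a", ttl_seconds=ttl_from_env(env))
    print("verified pod:", verify_pod_token(key, tok))
    print("after rotation:", verify_pod_token(b"rotated-secret", tok))
```

Two points in the code map directly onto the Bugbot risk note. The MAC is checked with `hmac.compare_digest` before the claims are even parsed, so a proxy never acts on unauthenticated JSON. And because verification depends only on the shared secret, rotating POD_TOKEN_SIGNING_SECRET (or shortening the TTL below a running job's lifetime) invalidates every token minted under the old value at once; that is why the chart's "preserve via lookup" step matters on upgrade.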

feat(secrets): wire POD_TOKEN_SIGNING_SECRET for stateless pod tokens (client-runtime#79)
@LukasWodka (Contributor)

👋 Heads-up — Code review queue is at 15 / 8

Above the WIP limit. The team convention is to review existing PRs before opening new work.

Open PRs currently in Code review (oldest first):

Pull from review before opening new work. (This is a nudge from the kanban WIP check, not a block.)

@saadqbal saadqbal merged commit 5aa2561 into main Jun 4, 2026
32 of 33 checks passed