From 24065b239cd3ebfbef32aa0d720beed24f2837ff Mon Sep 17 00:00:00 2001
From: Felix Wolf <felix.wolf@blueworld-gmbh.de>
Date: Mon, 30 Mar 2026 23:08:29 +0200
Subject: [PATCH] docs: Update CLAUDE.md with ArgoCD status and no-bitnami rule

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 CLAUDE.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index 07381ce..213c3a4 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -72,7 +72,10 @@ export TALOSCONFIG=./talos/talosconfig
 - **Namespace race condition**: First `kubectl apply` of a new app often fails because namespace isn't ready. Re-apply once.
 - **Traefik DaemonSet updates**: Requires `updateStrategy.rollingUpdate.maxSurge: 0` because hostPort conflicts prevent surge.
 - **Forgejo Ingress API version**: Chart renders `extensions/v1beta1`, fixed via `ytt/ingress-fix.ytt.yaml` overlay to `networking.k8s.io/v1`.
-- **ArgoCD Phase 3**: Repo not yet pushed to Forgejo, ArgoCD not yet wired.
+- **ArgoCD**: Fully wired to Forgejo via App of Apps. Root Application in `default` project syncs `rendered/argocd/production/`. Deploy key provisioned automatically by `argocd-deploy-key-init` Job in forgejo namespace.
+
+## Container Images
+- **Never use bitnami images.** Use `alpine/k8s` or plain `alpine` for utility Jobs instead.
 
 ## Secrets (not in git)
 - `cert-manager/letsencrypt-account-key` — ACME account key (auto-generated)