{"id":50733359,"url":"https://github.com/bigg01/claude-mate-agent","last_synced_at":"2026-06-10T11:01:32.281Z","repository":{"id":359985253,"uuid":"1248197768","full_name":"bigg01/claude-mate-agent","owner":"bigg01","description":"🤖 Enterprise Claude Code agent for Kubernetes ☸️ — static service or on-demand CI/CD job 🐳. Helm chart for K8s / OpenShift / AKS with personas 🎭, multi-provider LLM gateway, audit + OTEL 📊, sandboxes 📦. GitLab CI + GitHub Actions ready 🐍","archived":false,"fork":false,"pushed_at":"2026-05-24T13:34:27.000Z","size":541,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-24T14:12:06.253Z","etag":null,"topics":["ai-agents","anthropic","argocd","claude","claude-code","container","devops","fluxcd","github-actions","gitlab-ci","gitops","helm","helm-chart","kubernetes","llm","llm-gateway","mcp","openshift","opentelemetry","python"],"latest_commit_sha":null,"homepage":"https://bigg01.containerize.ch/claude-mate-agent/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bigg01.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security-scanning.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-05-24T10:15:52.000Z","updated_at":"2026-05-24T13:34:30.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/bigg01/claude-mate-agent","commit_stats":null,"previous_names":["bigg01/claude-mate-agent"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/bigg01/claude-mate-agent","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bigg01%2Fclaude-mate-agent","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bigg01%2Fclaude-mate-agent/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bigg01%2Fclaude-mate-agent/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bigg01%2Fclaude-mate-agent/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bigg01","download_url":"https://codeload.github.com/bigg01/claude-mate-agent/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bigg01%2Fclaude-mate-agent/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34149132,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","anthropic","argocd","claude","claude-code","container","devops","fluxcd","github-actions","gitlab-ci","gitops","helm","helm-chart","kubernetes","llm","llm-gateway","mcp","openshift","opentelemetry","python"],"created_at":"2026-06-10T11:01:30.769Z","updated_at":"2026-06-10T11:01:32.272Z","avatar_url":"https://github.com/bigg01.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/assets/logo.svg\" alt=\"Claude Mate Agent\" width=\"140\"/\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eClaude Mate Agent\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cem\u003eEnterprise-grade \u003ca href=\"https://claude.ai/code\"\u003eClaude Code\u003c/a\u003e agent platform for Kubernetes and Red Hat OpenShift.\u003c/em\u003e\n\u003c/p\u003e\n\n\u003c!-- Live build / release banners — generated server-side, click through to the workflow run / release / docs site. --\u003e\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/bigg01/claude-mate-agent/actions/workflows/ci.yml\"\u003e\u003cimg alt=\"CI\" src=\"https://github.com/bigg01/claude-mate-agent/actions/workflows/ci.yml/badge.svg?branch=main\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/bigg01/claude-mate-agent/actions/workflows/security.yml\"\u003e\u003cimg alt=\"Security\" src=\"https://github.com/bigg01/claude-mate-agent/actions/workflows/security.yml/badge.svg?branch=main\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/bigg01/claude-mate-agent/actions/workflows/pages.yml\"\u003e\u003cimg alt=\"Pages\" src=\"https://github.com/bigg01/claude-mate-agent/actions/workflows/pages.yml/badge.svg?branch=main\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/bigg01/claude-mate-agent/releases/latest\"\u003e\u003cimg alt=\"Release\" src=\"https://img.shields.io/github/v/release/bigg01/claude-mate-agent?display_name=tag\u0026sort=semver\u0026logo=github\u0026label=release\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/bigg01/claude-mate-agent/pkgs/container/claude-mate-agent%2Fclaude-mate-agent\"\u003e\u003cimg alt=\"GHCR\" src=\"https://img.shields.io/badge/ghcr.io-claude--mate--agent-2088FF?logo=github\"/\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/bigg01/claude-mate-agent/blob/main/LICENSE\"\u003e\u003cimg alt=\"License\" src=\"https://img.shields.io/github/license/bigg01/claude-mate-agent\"/\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"Kubernetes\" src=\"https://img.shields.io/badge/Kubernetes-CNCF-326CE5?logo=kubernetes\"/\u003e\n  \u003cimg alt=\"OpenShift\" src=\"https://img.shields.io/badge/OpenShift-compatible-EE0000?logo=redhatopenshift\"/\u003e\n  \u003cimg alt=\"Helm\" src=\"https://img.shields.io/badge/Helm-0.1.0-5B21B6?logo=helm\"/\u003e\n  \u003cimg alt=\"Node.js\" src=\"https://img.shields.io/badge/Node.js-22%20LTS-339933?logo=nodedotjs\"/\u003e\n  \u003cimg alt=\"Python\" src=\"https://img.shields.io/badge/Python-3.12-3776AB?logo=python\"/\u003e\n  \u003cimg alt=\"OCI\" src=\"https://img.shields.io/badge/OCI-ubi9--minimal-EE0000?logo=redhat\"/\u003e\n  \u003cimg alt=\"Trivy\" src=\"https://img.shields.io/badge/CVE--scan-Trivy-1904DA?logo=aqua\"/\u003e\n  \u003cimg alt=\"DORA\" src=\"https://img.shields.io/badge/DORA-instrumented-F46800?logo=grafana\"/\u003e\n\u003c/p\u003e\n\n---\n\nClaude Mate Agent packages the [Claude Code CLI](https://claude.ai/code) as a production-grade Kubernetes workload with defense-in-depth security, multi-provider LLM routing, full DORA-metric telemetry, and an SDLC quality-gate pipeline. The runtime image is built from `ubi9-minimal` with no package managers, no Python interpreter, and no build tools in the final layer.\n\n## Key capabilities\n\n| Pillar | What you get |\n|---|---|\n| **Execution** | Static long-running Deployment · on-demand CI/CD Job · isolated [sandbox](docs/sandbox.md) (one-shot K8s Job with gVisor / Kata / experimental NVIDIA OpenShell, ephemeral workspace, TTL cleanup) |\n| **Connectivity** | Direct Anthropic · Kong AI Gateway · LiteLLM · OpenRouter · Azure AI Foundry · Vertex AI · NVIDIA NIM · **local Ollama / vLLM / LM Studio** (air-gapped, no API key) — switch with one Helm value, no image rebuild ([details](docs/llm-gateway.md)) |\n| **Personas** | Architect · Security · DevOps · SRE — each with a curated system prompt and Claude CLI tool allow-list (security persona is read-only) |\n| **Guardrails** | Five opt-in runtime controls — [cost cap](docs/guardrails.md) · input/output content scrubbing (api-keys / credentials / PII / RFC1918) · `.claudeignore` workspace allowlist · per-persona intent denylist. Each is independent; zero overhead when disabled. |\n| **Routing** | Kubernetes Ingress · OpenShift Route · Gateway API HTTPRoute — same chart, capability-gated templates |\n| **GitOps** | ArgoCD `Application` and FluxCD `HelmRelease` examples with automated sync, pruning, and self-heal |\n| **Observability** | Always-on Prometheus `/metrics` · opt-in OTEL OTLP · Grafana **agent** + **DORA** dashboards auto-provisioned · structured JSON audit logs |\n| **Quality gates** | Trivy CVE + IaC scan · Bandit + Semgrep SAST · Gitleaks · CycloneDX SBOM · pytest coverage with `--cov-fail-under` floor · Renovate for deps |\n| **DORA telemetry** | Deployment Frequency, Lead Time, Change Failure Rate, MTTR — emitted from every CI deploy job ([details](docs/dora-metrics.md)) |\n| **Enterprise infra** | Artifactory mirrors for Docker/PyPI/npm/Helm · NVIDIA Container Runtime for GPU · Vault Agent Injector + Secrets Operator · cert-manager integration |\n\n## Defense-in-depth protection\n\nSeven independent security layers, each useful even if every other layer is breached:\n\n| # | Layer | Controls |\n|---|---|---|\n| 1 | **Image** | `ubi9-minimal` base · no pip/npm/dnf/python in runtime · PyInstaller-compiled single binary · Renovate-tracked base/dep versions |\n| 2 | **Container** | `readOnlyRootFilesystem: true` · `runAsNonRoot` + arbitrary UID for OpenShift SCC · `capabilities.drop: ALL` · seccomp `RuntimeDefault` · pinned Claude Code CLI version |\n| 3 | **Network** | NetworkPolicy enabled by default · operator-defined egress allow-list · sandbox NetworkPolicy blocks all ingress · RFC 1918 excluded from default sandbox egress |\n| 4 | **Sandbox** | One-shot K8s Job · `automountServiceAccountToken: false` · optional gVisor / Kata / experimental [NVIDIA OpenShell](docs/sandbox.md#nvidia-openshell-experimental) `runtimeClassName` (the last with inference-routing policy) · `activeDeadlineSeconds` hard cap · `ttlSecondsAfterFinished` auto-cleanup · ephemeral `/workspace` volume |\n| 5 | **Identity** | API key from K8s Secret (never image-baked) · persona-bound Claude tool allow-list (`security` is read-only) · passive SIEM audit annotations on every pod · Vault Agent Injector option |\n| 6 | **Content / DLP** | Runtime [guardrails](docs/guardrails.md): per-task + hourly cost cap · pre-flight input scrubbing · post-task output scrubbing (redact or block on api-keys, PEM, SSN, CC, RFC1918) · `.claudeignore` workspace allowlist · per-persona intent denylist. All opt-in via Helm. |\n| 7 | **Supply chain** | Trivy `image` + `fs` + `config` (fixed CRITICAL/HIGH blocks merge) · Bandit + Semgrep SAST (SARIF → Code Scanning) · Gitleaks secret scan · Syft CycloneDX SBOM (90-day retention) · `.trivyignore` + `.gitleaks.toml` allowlists with rationale |\n\nSee [Security \u0026 Compliance](docs/security.md) and [Security Scanning](docs/security-scanning.md) for the full controls catalogue.\n\n## Quick start\n\n### Fully local — no API key, no cloud (recommended first run)\n\n\u003e **Runtime:** every command below works with either `docker compose` or `podman compose` (or via `make compose-up-*` which auto-detects). The compose files are tool-agnostic.\n\n```bash\n# Boot agent + Ollama + LiteLLM together; LiteLLM bridges Anthropic ↔ OpenAI\nmake compose-up-local-llm     # auto-detects podman or docker\n\n# One-time: pull a model into Ollama\ndocker compose -f docker-compose.yml -f docker-compose.local-llm.yml \\\n  exec ollama ollama pull llama3.1:8b\n# (or: podman compose ...)\n\n# Run a one-shot task against the local model — no ANTHROPIC_API_KEY needed\nCLAUDE_TASK=\"say hello in exactly three words\" \\\n  docker compose -f docker-compose.yml -f docker-compose.local-llm.yml \\\n  run --rm agent --once\n```\n\n### Against the real Anthropic API\n\n```bash\n# Build the image (auto-detects podman or docker)\nmake build\n\n# Run the static server (health + metrics on :8080)\nmake run\n\n# Run an on-demand Claude task locally\nexport ANTHROPIC_API_KEY=sk-ant-...\nexport CLAUDE_TASK=\"summarise the open issues in this repo\"\nmake run-once\n\n# Spin up the full observability stack (agent + Prometheus + Grafana + Pushgateway)\ndocker compose up\n```\n\nGrafana opens at \u003chttp://localhost:3000\u003e with the **Claude Mate Agent** and **DORA Metrics** dashboards pre-loaded.\n\n## Local quality gates\n\n```bash\nmake test          # pytest + coverage (50% floor)\nmake sast          # Bandit Python SAST\nmake scan          # Trivy filesystem + IaC + image\nmake secrets       # Gitleaks\nmake sbom          # Syft → sbom.cyclonedx.json\nmake security      # all of the above, sequentially\n```\n\n## What's inside\n\n| Component | Description |\n|---|---|\n| `container/app.py` | Python wrapper — health/readiness/metrics server, persona-aware Claude subprocess runner, cost-tracking + audit |\n| `container/tests/` | pytest unit tests + coverage config (50% floor) |\n| `Dockerfile` | 3-stage multi-stage build: `python-builder` (uv + PyInstaller) → `node-builder` (npm + claude CLI) → `ubi9-minimal` runtime |\n| `charts/claude-mate-agent` | Helm chart — Ingress · Route · Gateway API HTTPRoute · sandbox Job · NetworkPolicy · cert-manager · Vault · NVIDIA GPU |\n| `examples/` | Deployment overlays: static-kubernetes · static-openshift · gateway-api · monitoring · on-demand-gitlab · on-demand-github · argocd · fluxcd · personas · sandbox · nvidia-gpu · **llm-gateway** (10 providers including Ollama / vLLM / LM Studio) · **mcp-deploy** (drive `kubernetes-mcp-server` from Claude Code) |\n| `docker-compose.*.yml` | Opt-in local overlays: `local-llm` (Ollama + LiteLLM) · `opensearch` (audit-log sink test) · `nvidia` (GPU passthrough) · `artifactory` (corporate mirror) |\n| `grafana/dashboards/` | `claude-mate-agent.json` + `dora-metrics.json` — auto-provisioned |\n| `prometheus/` | Scrape config + `dora_rules.yml` (recording + alerting) |\n| `scripts/dora-emit.sh` | Canonical DORA event emitter (deploy / failure / restore) |\n| `.github/workflows/` | `ci.yml` (test + build + push) · `security.yml` (Trivy + Bandit + Semgrep + Gitleaks + SBOM → SARIF) · `deploy.yml` · `sandbox.yml` · `on-demand.yml` |\n| `.gitlab-ci.yml` | `validate → test → build → scan → package → deploy → on-demand` with full quality-gate gating |\n| `.github/renovate.json` | Renovate config for Python, Node, Dockerfile, Helm, Compose, Actions |\n\n## Operating modes\n\n| Mode | Lifecycle | When to use | How it runs |\n|---|---|---|---|\n| **Static** | Long-running Deployment | Always-on service with continuous metrics/health endpoints | `make run` / `helm upgrade --install` |\n| **On-demand** | Short-lived CI job | Manual or scheduled tasks triggered from CI/CD | GitHub Actions `on-demand.yml` / GitLab `run:on-demand-agent` |\n| **Sandbox** | One-shot K8s Job | Untrusted prompts, contractor work, per-request isolation | `helm template ... \\| kubectl create -f -` ([details](docs/sandbox.md)) |\n\n## Observability\n\nThe platform emits three classes of telemetry:\n\n1. **Service metrics** — `claude_mate_agent_*` on `/metrics` (always on) and OTLP (opt-in via `OTEL_ENABLED=true`)\n2. **Cost + audit** — structured JSON with `task_cost_summary`, role, CI system, commit SHA, pod identifiers\n3. **DORA** — `dora_deployments_total`, `dora_lead_time_seconds`, `dora_change_failures_total`, `dora_restore_seconds` emitted via Pushgateway, surfaced on the Grafana DORA dashboard\n\nDORA failure definition is codified in CI: rollout timeout, probe failure, or explicit `dora-emit.sh failure` within 24 h of deploy. Targets and alerting rules are in [`docs/dora-metrics.md`](docs/dora-metrics.md).\n\n## Documentation\n\nFull docs in [`docs/`](docs/), served with MkDocs Material:\n\n```bash\nmake docs-serve        # live preview at http://localhost:8000\nmake docs-build        # build static site to site/\n```\n\n| Page | Purpose |\n|---|---|\n| [Getting Started](docs/getting-started.md) | Build, run, first task |\n| [Local Development](docs/local-dev.md) | Compose overlays · fully-local Ollama stack · GPU passthrough |\n| [Solution Architecture](docs/solution-architecture.md) | End-to-end reference architecture |\n| [Container Internals](docs/architecture.md) | Two-layer design (agent + claude CLI), graceful shutdown |\n| [Container Build](docs/container.md) | Multi-stage Dockerfile, PyInstaller, OTEL bundling |\n| [Helm Chart](docs/helm-chart.md) | Values reference, routing, secrets |\n| [GitLab CI/CD](docs/gitlab-ci.md) | Pipeline jobs and required variables |\n| [GitHub Actions](docs/github-actions.md) | Workflows and required secrets |\n| [Deploy via MCP](docs/mcp-deploy.md) | Drive `kubernetes-mcp-server` from Claude Code for interactive deploys |\n| [Personas](docs/personas.md) | Architect / Security / DevOps / SRE roles |\n| [LLM Gateway](docs/llm-gateway.md) | Provider routing — Anthropic, Kong, LiteLLM, OpenRouter, Azure, Vertex AI, NVIDIA NIM, **Ollama / vLLM / LM Studio** |\n| [Sandboxes](docs/sandbox.md) | Ephemeral one-shot Job execution · gVisor / Kata / **NVIDIA OpenShell** runtimes |\n| [Guardrails](docs/guardrails.md) | Cost cap · input/output scrubbing · workspace allowlist · intent denylist |\n| [Monitoring](docs/monitoring.md) | Metrics reference, OTEL setup, ServiceMonitor |\n| [Security \u0026 Compliance](docs/security.md) | RBAC, SCC, NetworkPolicy, audit |\n| [Security Scanning](docs/security-scanning.md) | Trivy, Bandit, Semgrep, Gitleaks, SBOM |\n| [Quality Gates](docs/quality-gates.md) | SDLC stage → gate matrix, pipeline DAG |\n| [DORA Metrics](docs/dora-metrics.md) | Definitions, targets, dashboard, alerting |\n| [Versioning](docs/versioning.md) | SemVer scheme, release tags, version-bump helper |\n\n## Requirements\n\nSee [`requirement.md`](requirement.md) for the full enterprise requirements catalogue covering Kubernetes/OpenShift support, container hardening, monitoring, logging, OpenShell protection, audit trail, remote log sync, team-mate roles, LLM gateways, GPU support, Artifactory mirrors, Claude sandboxes, security scanning, SAST, code coverage, SDLC quality gates, and DORA metrics.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbigg01%2Fclaude-mate-agent","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbigg01%2Fclaude-mate-agent","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbigg01%2Fclaude-mate-agent/lists"}