fix: resolve CI lint failures for PR #69

Address ansible-lint (risky-shell-pipe, no-changed-when, line-length),
super-linter markdown and natural language errors, and JSON schema
validation by resetting clusterGroupName to simple.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: butler54

AGENTS.md

@@ -5,7 +5,7 @@ This file provides rules and context for any AI coding assistant working in this
 
 ## Critical Rules
 
-- **DO NOT** edit anything under `/common/`. It is a read-only git subtree from the upstream validated patterns framework.
+- **DO NOT** edit anything under `/common/`. It is a read-only Git subtree from the upstream validated patterns framework.
 - **DO NOT** commit secrets, credentials, or private keys. `values-secret.yaml.template` is a template only.
 - **DO NOT** use Kustomize. This project uses Helm exclusively.
 - **DO NOT** create charts with `apiVersion: v1`. Use `apiVersion: v2` (Helm 3+).
@@ -23,7 +23,7 @@ Use the **first** approach that fits your requirement:
 
 ## Project Structure
 
-```
+```text
 ├── ansible/                        # Ansible playbooks (imperative jobs)
 ├── charts/
 │   ├── all/
@@ -54,9 +54,9 @@ Use the **first** approach that fits your requirement:
 
 ## Companion Chart Repositories
 
-Several charts in this repo have companion repositories for independent versioning and reuse. Develop and test in this repo first (charts deploy via `path:`), then sync changes to the companion repo.
+Several charts in this repository have companion repositories for independent versioning and reuse. Develop and test in this repository first (charts deploy via `path:`), then sync changes to the companion repository.
 
-| Local Path | Companion Repo | Purpose |
+| Local Path | Companion Repository | Purpose |
 |---|---|---|
 | `charts/hub/trustee/` | `trustee-chart` | Trustee / KBS on hub |
 | `charts/hub/sandbox-policies/` | `sandboxed-policies-chart` | ACM policies hub → spoke |
@@ -132,7 +132,7 @@ All commands run via `./pattern.sh make <target>`:
 | `load-secrets` | Load secrets into the configured backend |
 | `uninstall` | Uninstall the pattern |
 
-See the README for secrets backend configuration, RHDP environment variables, and additional maintenance commands.
+See the readme for secrets backend configuration, RHDP environment variables, and additional maintenance commands.
 
 ## Validation and CI
 

README.md

@@ -47,8 +47,7 @@ All previous versions used pre-GA (Technology Preview) releases of Trustee:
 - Azure DNS hosting the cluster's DNS zone
 - Tools on your workstation: `podman`, `yq`, `jq`, `skopeo`
 - OpenShift pull secret saved at `~/pull-secret.json` (download from [console.redhat.com](https://console.redhat.com/openshift/downloads))
-- Fork the repo — ArgoCD reconciles cluster state against your fork, so changes must be pushed to your remote
-
+- Fork the repository — ArgoCD reconciles cluster state against your fork, so changes must be pushed to your remote
 
 ### Secrets and PCR setup
 
@@ -130,5 +129,3 @@ Deployment commands:
 - Multi-cluster: `bash rhdp/wrapper-multicluster.sh <azure-region>`
 
 The wrapper scripts handle cluster provisioning via `openshift-install`, secret generation, PCR retrieval, and pattern installation.
-
-

ansible/init-data-gzipper.yaml

@@ -47,6 +47,7 @@
 
     - name: Gzip and base64 encode the rendered content
       ansible.builtin.shell: |
+        set -o pipefail
         cat "{{ rendered_path }}" | gzip | base64 -w0
       register: initdata_encoded
       changed_when: false
@@ -55,16 +56,21 @@
     # The script performs the following steps:
     # 1. hash=$(sha256sum initdata.toml | cut -d' ' -f1): Computes the sha256 hash of 'initdata.toml' and assigns it to $hash.
     # 2. initial_pcr=0000000000000000000000000000000000000000000000000000000000000000: Initializes a string of zeros as the initial PCR value.
-    # 3. PCR8_HASH=$(echo -n "$initial_pcr$hash" | xxd -r -p | sha256sum | cut -d' ' -f1): Concatenates initial_pcr and $hash, converts from hex to binary, computes its sha256 hash, and stores the result as PCR8_HASH.
+    # 3. PCR8_HASH=$(echo -n "$initial_pcr$hash" | xxd -r -p | sha256sum | cut -d' ' -f1):
+    #    Concatenates initial_pcr and $hash, converts from hex to binary,
+    #    computes its sha256 hash, and stores the result as PCR8_HASH.
     # 4. echo $PCR8_HASH: Outputs the PCR hash value.
-    # The important part: The 'register: pcr8_hash' registers the **stdout of the command**, which is the value output by 'echo $PCR8_HASH', as 'pcr8_hash.stdout' in Ansible.
+    # The important part: The 'register: pcr8_hash' registers the **stdout of the command**,
+    #    which is the value output by 'echo $PCR8_HASH', as 'pcr8_hash.stdout' in Ansible.
     # It does NOT register an environment variable, but rather the value actually printed by 'echo'.
     - name: Register init data pcr into a var
       ansible.builtin.shell: |
+        set -o pipefail
         hash=$(sha256sum "{{ rendered_path }}" | cut -d' ' -f1)
         initial_pcr=0000000000000000000000000000000000000000000000000000000000000000
         PCR8_HASH=$(echo -n "$initial_pcr$hash" | xxd -r -p | sha256sum | cut -d' ' -f1) && echo $PCR8_HASH
       register: pcr8_hash
+      changed_when: false
 
 
     - name: Create/update ConfigMap with gzipped+base64 content

docs/dell-tdx-configuration.md

@@ -88,7 +88,7 @@ Navigate to: **System BIOS → Processor Settings → Software Guard Extensions
 
 ## Configuration Summary (Order of Operations)
 
-```
+```text
 1. Disable Node Interleaving          → Save & Reboot
 2. Enable x2APIC Mode                 → Save & Reboot
 3. Disable CPU Physical Address Limit → Save & Reboot

values-global.yaml

@@ -24,7 +24,7 @@ main:
   # WARNING
   # This default configuration uses a single cluster on azure.
   # It fundamentally violates the separation of duties.
-  clusterGroupName: trusted-hub
+  clusterGroupName: simple
   multiSourceConfig:
     enabled: true
     clusterGroupChartVersion: 0.9.*