From 687e97271364e2d20b2055b94a655d91ce588c46 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Fri, 27 Mar 2026 07:11:22 -0700
Subject: [PATCH] Review CV doc and close build-dep review gap

Fix stale CV service doc (URL, forge domain, container tag) and add
guidance for reviewing build-time dependencies in private forge repos
during service reviews.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 docs/changelog.d/+cv-doc-review.doc.md       |  1 +
 docs/how-to/knowledgebase/review-services.md | 14 ++++++++++++++
 docs/reference/services/cv.md                | 13 +++++++------
 service-versions.yaml                        |  4 ++--
 4 files changed, 24 insertions(+), 8 deletions(-)
 create mode 100644 docs/changelog.d/+cv-doc-review.doc.md

diff --git a/docs/changelog.d/+cv-doc-review.doc.md b/docs/changelog.d/+cv-doc-review.doc.md
new file mode 100644
index 0000000..ecace7d
--- /dev/null
+++ b/docs/changelog.d/+cv-doc-review.doc.md
@@ -0,0 +1 @@
+Review and fix CV service doc (correct URL, forge domain, container tag link) and add private forge repo review guidance to review-services process.
diff --git a/docs/how-to/knowledgebase/review-services.md b/docs/how-to/knowledgebase/review-services.md
index 675bdd6..30b5833 100644
--- a/docs/how-to/knowledgebase/review-services.md
+++ b/docs/how-to/knowledgebase/review-services.md
@@ -38,6 +38,8 @@ mise run service-review --type hybrid
 
 ## Review Process by Service Type
 
+For all service types, start by reading the service's reference card (`docs/reference/services/<service>.md`) for architecture, configuration, and endpoint details.
+
 ### ArgoCD Services (`type: argocd`)
 
 1. Check the upstream releases page for new versions
@@ -59,6 +61,18 @@ mise run service-review --type hybrid
 2. Review the Nix derivation or flake input for version pins
 3. If upgrading, update and deploy via `mise run provision-ringtail`
 
+### Private Forge Repos (`upstream-source` under `forge.eblu.me/eblume/`)
+
+Some services are built from private repos on the forge rather than tracking an external upstream project. When `upstream-source` points to a `forge.eblu.me/eblume/` repo:
+
+1. Clone the repo to `~/code/personal/` if not already checked out
+2. Review the repo's dependency pins — uv script metadata, `pyproject.toml`, `package.json`, `flake.nix` inputs, etc.
+3. Update stale dependencies and rebuild locally to verify nothing breaks
+4. If changes were made, commit, push, and trigger a new release from that repo
+5. Back in blumeops, update the container image or release artifact reference as needed
+
+This extends the service review into the source repo's build-time dependencies, which would otherwise be a blind spot — the blumeops-side review only covers the deployment manifest and container base image.
+
 ## Attached Services
 
 Some services have auxiliary dependencies that run as separate containers — caches, sidecars, init helpers. These are tracked as **attached services** with a naming convention and an optional `parent` field:
diff --git a/docs/reference/services/cv.md b/docs/reference/services/cv.md
index 0c546d9..55805d6 100644
--- a/docs/reference/services/cv.md
+++ b/docs/reference/services/cv.md
@@ -1,6 +1,7 @@
 ---
 title: CV
-modified: 2026-02-12
+modified: 2026-03-27
+last-reviewed: 2026-03-27
 tags:
   - service
   - resume
@@ -14,11 +15,11 @@ Personal resume/CV served as a static HTML page with PDF download, built from YA
 
 | Property | Value |
 |----------|-------|
-| **URL** | `cv.ops.eblu.me` (tailnet only, via [[caddy]]) |
+| **URL** | `cv.eblu.me` (public, via [[flyio-proxy]]) |
 | **Namespace** | `cv` |
-| **Container** | `registry.ops.eblu.me/blumeops/cv:v1.0.0` |
-| **Source repo** | `forge.ops.eblu.me/eblume/cv` (private, not mirrored to GitHub) |
-| **Content packages** | `forge.ops.eblu.me/eblume/-/packages` (generic package `cv`) |
+| **Container** | `registry.ops.eblu.me/blumeops/cv` ([kustomization](https://forge.eblu.me/eblume/blumeops/src/branch/main/argocd/manifests/cv/kustomization.yaml)) |
+| **Source repo** | `forge.eblu.me/eblume/cv` (private, not mirrored to GitHub) |
+| **Content packages** | `forge.eblu.me/eblume/-/packages` (generic package `cv`) |
 | **ArgoCD App** | `cv` |
 
 ## Architecture
@@ -66,6 +67,6 @@ Provisioned via `forgejo_actions_secrets` Ansible role. See [[create-release-art
 ## Related
 
 - [[docs]] — Similar architecture (nginx container + content tarball)
-- [[caddy]] — Reverse proxy for `cv.ops.eblu.me`
+- [[flyio-proxy]] — Exposes `cv.eblu.me` publicly via Tailscale tunnel
 - [[create-release-artifact-workflow]] — How to set up release artifact workflows
 - [[deploy-k8s-service]] — General k8s deployment guide
diff --git a/service-versions.yaml b/service-versions.yaml
index 909aa8c..ccc062e 100644
--- a/service-versions.yaml
+++ b/service-versions.yaml
@@ -222,8 +222,8 @@ services:
     type: argocd
     last-reviewed: 2026-03-07
     current-version: "1.0.3"
-    upstream-source: null
-    notes: Personal static site, no upstream
+    upstream-source: https://forge.eblu.me/eblume/cv
+    notes: Personal static site; review build deps (WeasyPrint, Jinja2) in source repo
 
   - name: docs
     type: argocd