npm - @a5c-ai/kradle - Versions diffs - 5.0.1-staging.3abdf9534c25 - Mend

@a5c-ai/kradle 5.0.1-staging.3abdf9534c25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/Dockerfile +31 -0
package/README.md +187 -0
package/bin/kradle-demo.mjs +23 -0
package/bin/kradle-server.mjs +14 -0
package/dist/kradle-controller-ui.json +3482 -0
package/dist/kradle-lifecycle.json +201 -0
package/dist/kradle-runtime-snapshot.json +3125 -0
package/dist/kradle-summary.json +724 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-kradle-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/architecture-v2.md +2759 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/crd-behaviors-and-relationships.md +3926 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/integration-and-design-decisions.md +1530 -0
package/docs/kradle-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/openapi.yaml +1291 -0
package/docs/product-requirements.md +62 -0
package/docs/requirements-v2.md +235 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/sdk-api-reference.md +1108 -0
package/docs/system-requirements.md +90 -0
package/docs/system-spec-v2.md +1230 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/docs/web-console-spec.md +533 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +66 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +95 -0
package/scripts/validate-ui.mjs +305 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +549 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-identity-migration.js +115 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +589 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-persona-controller.js +135 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-prompt-composition.js +55 -0
package/src/agent-provider-config-controller.js +151 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +421 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +387 -0
package/src/agent-workspace-controller.js +702 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +621 -0
package/src/argocd-gitops.js +43 -0
package/src/artifact-registry-controller.js +542 -0
package/src/assistant-runtime.js +284 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +310 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +112 -0
package/src/controller-ui.js +620 -0
package/src/data-plane.js +179 -0
package/src/event-bus.js +397 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +221 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +131 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/health-probes.js +134 -0
package/src/hooks-events.js +63 -0
package/src/hooks-lifecycle.js +117 -0
package/src/http-server.js +409 -0
package/src/identity-policy.js +86 -0
package/src/index.js +71 -0
package/src/jitsi-agent-bridge.js +141 -0
package/src/jitsi-meeting-controller.js +291 -0
package/src/jitsi-sync-controller.js +198 -0
package/src/kradle-inference-service-controller.js +246 -0
package/src/kubernetes-controller-async.js +531 -0
package/src/kubernetes-controller.js +904 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/model-route-controller.js +364 -0
package/src/notification-controller.js +178 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +282 -0
package/src/runner-controller.js +272 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/virtual-model-controller.js +538 -0
package/src/virtual-model-hook-bridge.js +200 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +679 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-identity-migration.test.js +87 -0
package/tests/agent-memory-controller.test.js +461 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +389 -0
package/tests/agent-mux-integration.test.js +971 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-persona-controller.test.js +127 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-prompt-composition.test.js +76 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +303 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +283 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +271 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/artifact-registry.test.js +511 -0
package/tests/assistant-runtime.test.js +506 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/codespace-controller.test.js +318 -0
package/tests/controller-client.test.js +133 -0
package/tests/deployment.test.js +527 -0
package/tests/e2e/lifecycle.test.js +120 -0
package/tests/event-bus-integration.test.js +355 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +415 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +223 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/health-probes.test.js +90 -0
package/tests/hooks-lifecycle.test.js +364 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/jitsi-agent-bridge.test.js +119 -0
package/tests/jitsi-helm-integration.test.js +77 -0
package/tests/jitsi-meeting-controller.test.js +170 -0
package/tests/jitsi-resource-model.test.js +73 -0
package/tests/jitsi-sync-controller.test.js +112 -0
package/tests/kradle-inference-service.test.js +689 -0
package/tests/kradle.test.js +779 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/model-route-controller.test.js +733 -0
package/tests/notification-controller.test.js +196 -0
package/tests/notification-integration.test.js +179 -0
package/tests/org-scoping.test.js +687 -0
package/tests/runner-controller.test.js +327 -0
package/tests/runner-integration.test.js +231 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +315 -0
package/tests/sse-events.test.js +107 -0
package/tests/virtual-model-controller.test.js +877 -0
package/tests/virtual-model-hook-bridge.test.js +384 -0
package/tests/webhook-trigger.test.js +198 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/docs/external/README.md ADDED Viewed

@@ -0,0 +1,47 @@
+# External backend integration docs
+## Purpose
+This directory defines how Kradle should integrate with GitHub first and support other externally managed backends later. External backends can implement one, two, or all three Kradle provider interfaces:
+1. issue tracking and work management sync;
+2. CI/CD, triggers, runners, pipelines, checks, and workflow sync;
+3. git forge sync for repositories, pull requests, refs, commits, SSH/deploy keys, collaborators, and repository policy.
+The design supports bidirectional, efficient sync without forcing every backend to be a full forge.
+## Documents
+- [Research results](./research-results.md) summarizes GitHub API and webhook capabilities used by this design.
+- [Pluggable backend provider catalog](./provider-catalog.md) lists GitHub, GitLab, Bitbucket, Azure DevOps, Jira, Linear, Buildkite, CircleCI, Jenkins, Gitea, Gerrit, raw Git, and custom providers by supported interface.
+- [Unified external backend model](./unified-external-backend-model.md) defines provider capabilities, ownership, identifiers, sync modes, and the three interface split.
+- [Provider capability manifests](./provider-capability-manifests.md) defines data-driven adapter manifests for operations, auth, webhooks, and tests.
+- [External object mapping spec](./external-object-mapping.md) defines loss-aware mappings from provider objects to Kradle resources.
+- [Issue tracking interface](./issue-tracking-interface.md) defines issue/comment/label/milestone/project/work-item sync.
+- [CI/CD interface](./cicd-interface.md) defines workflow/check/pipeline/job/runner/trigger sync.
+- [Git forge interface](./git-forge-interface.md) defines repository/PR/ref/commit/key/collaborator/policy sync.
+- [GitHub integration design](./github-integration-design.md) maps GitHub App, REST, GraphQL, webhooks, and Actions onto the three interfaces.
+- [Efficient bidirectional sync](./bidirectional-sync-design.md) defines webhook-first, cursor-based, idempotent reconciliation and conflict handling.
+- [External sync state machines](./sync-state-machines.md) defines stable phases for providers, bindings, deliveries, backfill, writes, and conflicts.
+- [External backend CRDs](./external-backend-crds.md) defines resources and schemas.
+- [External backend controllers](./external-backend-controllers.md) defines reconciliation loops and side effects.
+- [User-facing changes](./user-facing-changes.md) defines UI, settings, status, and workflow changes.
+- [External backend UI specification](./external-backend-ui-spec.md) defines org-scoped provider setup, bindings, sync health, conflicts, write intents, webhook, and repository UI.
+- [External backend UX flows](./external-backend-ux-flows.md) defines user-facing setup, mixed-provider, conflict, write approval, recovery, and rate-limit flows.
+- [Security, auth, and permissions](./security-auth-permissions.md) defines GitHub App auth, tokens, secrets, RBAC, and audit.
+- [Provider rollout and testing](./provider-rollout-testing.md) defines implementation slices, validation, and QA coverage.
+## Design principles
+- Kradle keeps its org namespace and resource model; external backends are providers, not the source of Kradle tenancy.
+- Providers declare which interfaces they support.
+- Every external object stores provider ID, native ID, global node ID when available, URL, etag/cursor, and last synced generation.
+- Webhooks are the primary freshness mechanism; polling/backfill repairs missed or truncated events.
+- Kradle can run in mirror mode, bidirectional mode, or Kradle-owned mode per interface and resource type.
+- Conflicts are explicit resources and UI states, not silent overwrites.
+- Secrets and provider tokens stay in Kubernetes Secrets and are surfaced only as grant metadata.

package/docs/external/bidirectional-sync-design.md ADDED Viewed

@@ -0,0 +1,134 @@
+# Efficient bidirectional sync design
+## Purpose
+External backends need efficient two-way sync that converges quickly without overwriting user changes or exhausting provider rate limits. This document defines the common sync strategy for all provider interfaces.
+## Sync layers
+| Layer | Purpose |
+| --- | --- |
+| Webhook ingest | near-real-time event capture and trigger source. |
+| Event normalizer | convert provider payloads into canonical Kradle sync events. |
+| Cursor backfill | recover missed events and hydrate lists. |
+| Object reconciler | compare desired/local/provider state and write projections. |
+| Write intent queue | apply Kradle-originated writes to provider with retries. |
+| Conflict detector | detect local/external divergence. |
+| Audit/event stream | explain every sync and write. |
+## Sync resource model
+```yaml
+kind: ExternalSyncState
+spec:
+  organizationRef: a5c
+  providerRef: github-a5c
+  bindingRef: github-kradle
+  interface: gitForge
+  resourceKind: PullRequest
+status:
+  highWatermark: 2026-05-11T12:00:00Z
+  cursor: opaque-provider-cursor
+  lastWebhookDeliveryId: "..."
+  lastFullBackfillAt: 2026-05-11T00:00:00Z
+  phase: Ready
+```
+```yaml
+kind: ExternalSyncConflict
+spec:
+  organizationRef: a5c
+  providerRef: github-a5c
+  resourceRef:
+    kind: Issue
+    name: issue-42
+  fieldConflicts:
+    - field: labels
+      local: [bug, priority]
+      external: [bug]
+  resolutionPolicy: manual
+```
+## Event processing
+```text
+provider webhook
+  -> validate signature
+  -> persist ExternalWebhookDelivery
+  -> enqueue by provider installation and repository
+  -> normalize into ExternalSyncEvent
+  -> dedupe by delivery ID + action + native object ID
+  -> apply object-specific reconcile
+  -> update Kradle projection and sync state
+  -> emit audit and watch event
+```
+## Backfill processing
+```text
+scheduled or manual backfill
+  -> read ExternalSyncState cursor/highWatermark
+  -> list changed objects from provider
+  -> hydrate missing details
+  -> upsert Kradle projections
+  -> mark deleted/missing objects according to tombstone policy
+  -> update cursor/highWatermark
+```
+## Write processing
+```text
+Kradle user/agent action
+  -> admission and RBAC
+  -> create ExternalWriteIntent
+  -> optional approval
+  -> provider write through connector
+  -> verify provider response
+  -> update local projection with provider IDs/version
+  -> wait for webhook or backfill confirmation
+  -> close write intent
+```
+## Efficiency rules
+- Prefer webhook payloads for targeted updates.
+- Use GraphQL/cursor pagination for bulk list hydration where supported.
+- Use REST endpoints for provider-specific operations and logs/artifacts.
+- Store ETag or provider resource version when available.
+- Batch by installation/org/repository to respect rate limits.
+- Lazy-load large logs, diffs, artifacts, and comments.
+- Apply bounded retries with dead-letter status for repeated provider errors.
+- Separate sync freshness from user-facing last-updated time.
+## Conflict rules
+Conflict when:
+- local desired generation changed after last sync and provider field also changed;
+- provider rejects a write because native version/precondition changed;
+- provider has a value Kradle cannot represent losslessly;
+- ownership mode says external-owned and Kradle has pending local mutation;
+- write intent remains unconfirmed beyond timeout.
+Resolution options:
+- prefer external;
+- prefer Kradle desired;
+- manual merge;
+- create reviewed provider-side change;
+- ignore unsupported field with warning.
+## Deletion and tombstones
+- External deletions become tombstones before local deletion when audit requires retention.
+- Kradle deletions in mirror mode should not delete provider objects.
+- Kradle-owned resources may delete provider objects if admission and provider permissions allow it.
+- PR/issue deletion may be unsupported in some providers; close/archive instead.
+## Acceptance criteria
+- Webhook replay and backfill converge to the same resource state.
+- Duplicate webhooks are idempotent.
+- Rate-limit responses slow sync without losing events.
+- Conflicts are visible in UI and API.
+- Writes are auditable from Kradle action to provider confirmation.

package/docs/external/cicd-interface.md ADDED Viewed

@@ -0,0 +1,64 @@
+# CI/CD interface
+## Purpose
+The CI/CD interface syncs external workflow/check/pipeline state into Kradle and can trigger or control external runs when allowed. It covers workflows, workflow runs, jobs, logs, artifacts, checks, commit statuses, runner groups, and self-hosted runners.
+## Provider contract
+```ts
+interface CicdProvider {
+  listPipelines(cursor): Page<ExternalPipeline>;
+  getPipeline(ref): ExternalPipeline;
+  listJobs(pipelineRef, cursor): Page<ExternalJob>;
+  getJobLog(jobRef): ExternalLogRef;
+  listArtifacts(pipelineRef, cursor): Page<ExternalArtifact>;
+  rerunPipeline(ref, options): ExternalPipeline;
+  cancelPipeline(ref): ExternalPipeline;
+  listRunners(cursor): Page<ExternalRunner>;
+  registerRunner(scope, options): RunnerRegistration;
+  createCheck(input): ExternalCheck;
+  updateCheck(ref, patch): ExternalCheck;
+}
+```
+Providers can implement checks/statuses without implementing runner management.
+## Resource mapping
+| External concept | Kradle resource/projection |
+| --- | --- |
+| workflow/workflow definition | `PipelineTemplate` projection or provider metadata |
+| workflow run/pipeline | `Pipeline` |
+| job/step | `Job` |
+| check run/status | `CheckRun` projection or `Job.status.checks` |
+| runner | `RunnerPool` / `Runner` projection |
+| artifact/log | `Artifact` / object-storage reference |
+| trigger event | `WebhookDelivery` / `ExternalSyncEvent` |
+## GitHub mapping
+GitHub Actions workflow runs map to `Pipeline`; workflow jobs map to `Job`; check runs and commit statuses map to check projections and PR gates. GitHub self-hosted runners map to runner inventory and runner registration flows when Kradle is allowed to manage them.
+## Sync rules
+- Webhooks handle `workflow_run`, `workflow_job`, `check_run`, `check_suite`, `status`, and `push` events.
+- Backfill periodically lists workflow runs/jobs by repository and updated timestamp.
+- Logs and artifacts are lazy-loaded and stored by digest or external URL depending on retention policy.
+- Rerun/cancel actions require permission review and provider capability.
+- External runner registration tokens are short-lived and never stored as plain status.
+## User-facing changes
+- Repository Runs page shows external pipelines next to Kradle-native runs.
+- Run detail badges show external provider and native link.
+- Rerun/cancel buttons are disabled unless provider and RBAC allow them.
+- Runner pages distinguish Kradle-managed, provider-managed, and mirrored runners.
+- Agent triggers can subscribe to external CI failure events through the same trigger rule model.
+## Acceptance criteria
+- A CI-only provider can sync pipelines/jobs without repo/issue ownership.
+- GitHub workflow jobs converge through webhook and backfill.
+- Logs/artifacts are fetched lazily and redacted according to policy.
+- Rerun/cancel actions are audited and idempotent.

package/docs/external/external-backend-controllers.md ADDED Viewed

@@ -0,0 +1,170 @@
+# External backend controllers
+## Purpose
+External backend controllers reconcile provider configuration, webhook deliveries, backfill, object projection, writes, conflicts, and status.
+## Controller set
+| Controller | Responsibilities |
+| --- | --- |
+| provider controller | validate auth, capabilities, installation access, rate limits, and status. |
+| binding controller | validate target refs, create provider webhooks, initialize sync states. |
+| webhook controller | validate signatures, persist deliveries, enqueue events, support replay. |
+| sync controller | process events/backfills and update Kradle projections. |
+| write controller | apply Kradle write intents to provider, retry, confirm, audit. |
+| conflict controller | detect field/resource conflicts and manage resolution workflow. |
+| runner/controller adapter | manage external CI runners when provider supports it. |
+| garbage/tombstone controller | handle external deletions and retention. |
+## Reconciliation order
+```text
+ExternalBackendProvider
+  -> auth/capability check
+  -> ExternalBackendBinding
+  -> webhook registration and sync state initialization
+  -> webhook events and backfill
+  -> Kradle resource projections
+  -> write intents and conflicts
+```
+## Provider controller
+- Resolve org namespace and Secret refs.
+- Validate provider type and base URLs.
+- Verify credentials without storing token values.
+- Discover capabilities where possible.
+- Track rate-limit status and degraded state.
+- Emit `AuthReady`, `InstallationReady`, and interface readiness conditions.
+## Binding controller
+- Validate target resource belongs to same org.
+- Validate provider supports requested interfaces.
+- Create/update provider webhooks when Kradle owns webhook configuration.
+- Create initial `ExternalSyncState` objects.
+- Kick off initial backfill.
+## Webhook controller
+- Validate HMAC/signature before accepting payload.
+- Persist `ExternalWebhookDelivery` with provider delivery ID.
+- Dedupe repeated deliveries.
+- Enqueue normalized `ExternalSyncEvent`.
+- Return quickly and process asynchronously.
+- Support manual replay/redelivery records.
+## Sync controller
+- Hydrate provider objects from webhook payload or API.
+- Upsert Kradle resources/projections with external identity fields.
+- Maintain high-watermarks and cursors.
+- Respect ownership mode.
+- Mark tombstones for external deletions.
+- Emit watch and audit events.
+## Write controller
+- Reads `ExternalWriteIntent` after Kradle admission and optional approval.
+- Applies provider write with provider-specific idempotency where available.
+- Handles rate limits and retryable failures.
+- Confirms via provider response, webhook, or follow-up read.
+- Creates conflict if provider state diverged.
+## Controller acceptance criteria
+- Controllers are idempotent by provider, installation, interface, native object ID, and delivery/write ID.
+- Provider outage degrades sync without corrupting Kradle state.
+- Cross-org references fail before provider calls.
+- Secret/token values never enter status, events, logs, or sync payloads.
+- Webhook replay and cursor backfill converge.
+## Interface adapter controllers
+Each interface has a provider-neutral reconciler and provider-specific adapter methods.
+### Issue sync controller
+Responsibilities:
+- watch issue-related webhooks;
+- backfill issues, comments, labels, milestones, project fields;
+- upsert `Issue` projections;
+- link PR-backed issue numbers to `PullRequest`;
+- process issue write intents;
+- detect comment/label/state conflicts.
+### CI/CD sync controller
+Responsibilities:
+- watch workflow/check/status events;
+- backfill pipelines, jobs, checks, logs, artifacts;
+- upsert `Pipeline` and `Job` projections;
+- lazy-fetch logs/artifacts on demand;
+- process rerun/cancel/check update write intents;
+- sync runner inventory where supported.
+### Git forge sync controller
+Responsibilities:
+- watch repository, PR, review, push, branch/tag, key, collaborator, and protection events;
+- backfill repos, pull requests, refs, branch protection, keys, collaborators;
+- upsert `Repository`, `PullRequest`, `Review`, `SSHKey`, `RepositoryPermission`, `BranchProtection`, and `RefPolicy` projections;
+- process PR, merge, key, collaborator, and branch protection writes;
+- detect force-push and stale diff/check state.
+## Provider adapter lifecycle
+```text
+load provider descriptor
+  -> validate configured interfaces
+  -> create adapter client with scoped credentials
+  -> run health/capability probe
+  -> start webhook/backfill loops
+  -> expose provider operations to sync/write controllers
+```
+## Rate-limit handling
+Controllers should:
+- bucket requests by provider, installation/account, org, and repository;
+- preserve webhook deliveries even when rate limited;
+- pause backfill before write intents when budget is low;
+- expose `RateLimited` conditions with reset time;
+- avoid retry storms by using exponential backoff and jitter.
+## Provider plugin contract
+Future provider plugins should implement:
+```ts
+interface ExternalProviderAdapter {
+  descriptor(): ProviderDescriptor;
+  health(): ProviderHealth;
+  issueTracking?: IssueTrackingProvider;
+  cicd?: CicdProvider;
+  gitForge?: GitForgeProvider;
+  normalizeWebhook(payload): NormalizedExternalEvent[];
+  verifyWebhook(request): VerificationResult;
+}
+```
+The core controllers own persistence, org checks, queueing, conflicts, and audit; adapters only translate provider operations.
+## Controller status surfaces
+Provider and binding status should expose:
+- interface readiness;
+- last successful webhook;
+- last failed webhook;
+- last backfill by interface;
+- queue depth;
+- rate limit remaining/reset;
+- conflicts count;
+- pending write count;
+- last provider error class.

package/docs/external/external-backend-crds.md ADDED Viewed

@@ -0,0 +1,234 @@
+# External backend CRDs
+## Purpose
+This document defines the resource contracts for external backend providers, bindings, sync state, write intents, conflicts, and webhook deliveries.
+## Config resources
+### `ExternalBackendProvider`
+```yaml
+apiVersion: kradle.a5c.ai/v1alpha1
+kind: ExternalBackendProvider
+metadata:
+  name: github-a5c
+  namespace: kradle-org-a5c
+spec:
+  organizationRef: a5c
+  providerType: github
+  displayName: GitHub a5c-ai
+  baseUrl: https://github.com
+  apiBaseUrl: https://api.github.com
+  authRef:
+    secretRef:
+      name: github-app-a5c
+  capabilities:
+    issueTracking: true
+    cicd: true
+    gitForge: true
+status:
+  phase: Ready
+  conditions: []
+```
+### `ExternalBackendBinding`
+```yaml
+kind: ExternalBackendBinding
+spec:
+  organizationRef: a5c
+  providerRef: github-a5c
+  targetRef:
+    kind: Repository
+    name: kradle
+  externalRef:
+    owner: a5c-ai
+    repository: kradle
+    installationId: 123456
+  interfaces:
+    issueTracking:
+      enabled: true
+      mode: bidirectional
+    cicd:
+      enabled: true
+      mode: external-owned
+    gitForge:
+      enabled: true
+      mode: bidirectional
+```
+### `ExternalBackendSyncPolicy`
+```yaml
+kind: ExternalBackendSyncPolicy
+spec:
+  organizationRef: a5c
+  providerRef: github-a5c
+  webhookFirst: true
+  backfill:
+    interval: 15m
+    fullResyncInterval: 24h
+  writePolicy:
+    defaultMode: reviewed-write
+    agentWriteRequiresApproval: true
+  conflictPolicy:
+    defaultResolution: manual
+```
+## Aggregated resources
+| Kind | Purpose |
+| --- | --- |
+| `ExternalWebhookDelivery` | provider webhook delivery record and processing state. |
+| `ExternalSyncEvent` | normalized provider event. |
+| `ExternalSyncState` | cursor/high-watermark per provider/interface/resource scope. |
+| `ExternalWriteIntent` | Kradle-originated write to provider. |
+| `ExternalSyncConflict` | field/resource conflict requiring resolution. |
+| `ExternalObjectLink` | external native ID/link attached to a Kradle resource. |
+## Required labels
+- `kradle.a5c.ai/org`;
+- `kradle.a5c.ai/provider`;
+- `kradle.a5c.ai/interface`;
+- `kradle.a5c.ai/repository` when repository-scoped;
+- `kradle.a5c.ai/external-owner` when provider owner/org is known.
+## Status conditions
+Providers and bindings should use:
+- `AuthReady`;
+- `InstallationReady`;
+- `WebhookReady`;
+- `IssueTrackingReady`;
+- `CicdReady`;
+- `GitForgeReady`;
+- `RateLimited`;
+- `BackfillHealthy`;
+- `ConflictsPresent`;
+- `Ready`.
+## Storage class
+- provider/binding/sync policy: CRD/etcd;
+- deliveries/events/state/write intents/conflicts/object links: aggregated API/Postgres;
+- large payloads/logs/artifacts: object storage by digest;
+- provider credentials: Kubernetes Secret in org namespace.
+## Detailed resource schemas
+### `ExternalWebhookDelivery.spec`
+```yaml
+organizationRef: a5c
+providerRef: github-a5c
+bindingRef: github-kradle
+interfaceHints: [gitForge, issueTracking]
+deliveryId: "github-delivery-guid"
+eventType: pull_request
+action: opened
+receivedAt: 2026-05-11T12:00:00Z
+signature:
+  algorithm: sha256
+  verified: true
+source:
+  owner: a5c-ai
+  repository: kradle
+payloadRef:
+  storage: object
+  digest: sha256:payload
+processing:
+  phase: Queued
+  attempts: 0
+```
+### `ExternalSyncEvent.spec`
+```yaml
+organizationRef: a5c
+providerRef: github-a5c
+bindingRef: github-kradle
+sourceDelivery: github-delivery-guid
+interface: gitForge
+resourceKind: PullRequest
+nativeId: "42"
+nodeId: PR_kwDO...
+action: opened
+eventTime: 2026-05-11T12:00:00Z
+normalized:
+  repository: kradle
+  pullRequest: 42
+  headSha: abcdef1234
+```
+### `ExternalWriteIntent.spec`
+```yaml
+organizationRef: a5c
+providerRef: github-a5c
+bindingRef: github-kradle
+interface: issueTracking
+operation: createComment
+source:
+  kind: UserAction
+  actor: user:alice
+target:
+  kind: Issue
+  name: issue-42
+nativeTarget:
+  owner: a5c-ai
+  repository: kradle
+  issueNumber: 42
+requestDigest: sha256:request
+approvalPolicy:
+  required: false
+idempotencyKey: a5c:issue-42:create-comment:01hx
+```
+### `ExternalObjectLink.spec`
+```yaml
+organizationRef: a5c
+providerRef: github-a5c
+bindingRef: github-kradle
+localRef:
+  apiVersion: kradle.a5c.ai/v1alpha1
+  kind: PullRequest
+  name: pr-42
+external:
+  interface: gitForge
+  nativeId: "42"
+  nativeNumber: 42
+  nodeId: PR_kwDO...
+  url: https://github.com/a5c-ai/kradle/pull/42
+  apiUrl: https://api.github.com/repos/a5c-ai/kradle/pulls/42
+  etag: W/"..."
+```
+## Provider type registry
+Provider types should be registered in a data-driven registry:
+```yaml
+providerType: github
+interfaces: [issueTracking, cicd, gitForge]
+hosting: [saas, ghe]
+authModes: [github-app, oauth-user]
+webhookSignature: hmac-sha256
+supportsGraphql: true
+supportsRest: true
+```
+Custom providers can be loaded later through plugin registration, but CRDs should not need a schema change for every provider.
+## Validation rules
+- `providerType` must exist in registry or use `custom` with explicit adapter ref.
+- enabled interface must be supported by provider descriptor.
+- binding target must be in the same org.
+- auth Secret must be in the org namespace.
+- write mode must be compatible with provider operations.
+- webhook endpoint must have a verification secret unless provider has a signed alternative.
+- `ExternalWriteIntent` cannot reference raw Secret values.