@a5c-ai/kradle 5.0.1-staging.3abdf9534c25

package/examples/minikube-demo.yaml

@@ -0,0 +1,190 @@
+apiVersion: kradle.a5c.ai/v1alpha1
+kind: Organization
+metadata:
+  name: kradle
+  namespace: kradle-system
+spec:
+  displayName: Kradle
+  description: Kradle-managed default organization
+  owners:
+  - platform
+  slug: kradle
+  namespaceName: kradle-org-kradle
+---
+apiVersion: kradle.a5c.ai/v1alpha1
+kind: SSHKey
+metadata:
+  name: platform-deploy
+  namespace: kradle-org-kradle
+  labels:
+    kradle.a5c.ai/org: kradle
+    kradle.a5c.ai/namespace: kradle-org-kradle
+spec:
+  scope: deploy
+  owner: kradle
+  repository: kradle-demo
+  title: platform deploy key
+  key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKradleDemoKey platform@example.test
+  readOnly: true
+  organizationRef: kradle
+---
+apiVersion: kradle.a5c.ai/v1alpha1
+kind: RepositoryPermission
+metadata:
+  name: kradle-demo-maintainers
+  namespace: kradle-org-kradle
+  labels:
+    kradle.a5c.ai/org: kradle
+    kradle.a5c.ai/namespace: kradle-org-kradle
+spec:
+  repository: kradle-demo
+  subjectKind: team
+  subject: maintainers
+  permission: admin
+  organizationRef: kradle
+---
+apiVersion: kradle.a5c.ai/v1alpha1
+kind: Repository
+metadata:
+  name: kradle-demo
+  namespace: kradle-org-kradle
+  labels:
+    kradle.a5c.ai/org: kradle
+    kradle.a5c.ai/namespace: kradle-org-kradle
+spec:
+  visibility: internal
+  defaultBranch: main
+  organizationRef: kradle
+---
+apiVersion: kradle.a5c.ai/v1alpha1
+kind: BranchProtection
+metadata:
+  name: main-protection
+  namespace: kradle-org-kradle
+  labels:
+    kradle.a5c.ai/org: kradle
+    kradle.a5c.ai/namespace: kradle-org-kradle
+spec:
+  refs:
+  - refs/heads/main
+  requirePullRequest: true
+  organizationRef: kradle
+---
+apiVersion: kradle.a5c.ai/v1alpha1
+kind: RefPolicy
+metadata:
+  name: deny-internal-refs
+  namespace: kradle-org-kradle
+  labels:
+    kradle.a5c.ai/org: kradle
+    kradle.a5c.ai/namespace: kradle-org-kradle
+spec:
+  deny:
+  - refs/internal/
+  organizationRef: kradle
+---
+apiVersion: kradle.a5c.ai/v1alpha1
+kind: RunnerPool
+metadata:
+  name: trusted-linux
+  namespace: kradle-org-kradle
+  labels:
+    kradle.a5c.ai/org: kradle
+    kradle.a5c.ai/namespace: kradle-org-kradle
+spec:
+  warmReplicas: 1
+  maxReplicas: 4
+  organizationRef: kradle
+---
+apiVersion: kradle.a5c.ai/v1alpha1
+kind: WebhookSubscription
+metadata:
+  name: chatops
+  namespace: kradle-org-kradle
+  labels:
+    kradle.a5c.ai/org: kradle
+    kradle.a5c.ai/namespace: kradle-org-kradle
+spec:
+  url: https://hooks.example.test/kradle
+  events:
+  - pullrequest.created
+  organizationRef: kradle
+---
+apiVersion: kradle.a5c.ai/v1alpha1
+kind: Pipeline
+metadata:
+  name: demo-pr-checks
+  labels:
+    repository: kradle-demo
+    workflow: pull-request
+    kradle.a5c.ai/org: kradle
+    kradle.a5c.ai/namespace: kradle-org-kradle
+  namespace: kradle-org-kradle
+spec:
+  repository: kradle-demo
+  ref: refs/pull/1/head
+  runnerPool: trusted-linux
+  trustTier: trusted
+  steps:
+  - checkout
+  - test
+  - publish
+  organizationRef: kradle
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kradle-demo
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitea-http.kradle-system.svc.cluster.local/kradle/platform-config.git
+    targetRevision: main
+    path: charts/kradle
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kradle-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+    - CreateNamespace=true
+---
+apiVersion: kradle.a5c.ai/v1alpha1
+kind: Issue
+metadata:
+  name: issue-1
+  namespace: kradle-org-kradle
+  labels:
+    kradle.a5c.ai/org: kradle
+    kradle.a5c.ai/namespace: kradle-org-kradle
+spec:
+  repository: kradle-demo
+  title: Wire Kradle-managed permissions
+  labels:
+  - forge
+  - access
+  organizationRef: kradle
+status:
+  phase: triage
+---
+apiVersion: kradle.a5c.ai/v1alpha1
+kind: PullRequest
+metadata:
+  name: pr-1
+  namespace: kradle-org-kradle
+  labels:
+    kradle.a5c.ai/org: kradle
+    kradle.a5c.ai/namespace: kradle-org-kradle
+spec:
+  repository: kradle-demo
+  title: Improve forge UI
+  head: feature/forge-ui
+  base: main
+  organizationRef: kradle
+status:
+  phase: Open
+  changedFiles:
+  - apps/web/app/ui-shell.jsx

package/examples/oam-application.yaml

@@ -0,0 +1,23 @@
+apiVersion: core.oam.dev/v1beta1
+kind: Application
+metadata:
+  name: kradle-demo-app
+  namespace: kradle-system
+  labels:
+    kradle.a5c.ai/repository: kradle-demo
+spec:
+  components:
+    - name: kradle-demo
+      type: webservice
+      properties:
+        image: kradle/mvp-model:0.1.0
+      traits:
+        - type: scaler
+          properties:
+            replicas: 1
+      scopes:
+        healthscopes.core.oam.dev: kradle-demo-health
+  workflow:
+    steps:
+      - name: deploy
+        type: deploy

package/examples/policy-kyverno-pr-title.yaml

@@ -0,0 +1,18 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: kradle-pullrequest-title-required
+spec:
+  validationFailureAction: Enforce
+  rules:
+    - name: require-descriptive-pr-title
+      match:
+        any:
+          - resources:
+              kinds:
+                - PullRequest.kradle.a5c.ai/v1alpha1
+      validate:
+        message: PullRequest spec.title must be descriptive.
+        pattern:
+          spec:
+            title: "?*"

package/package.json

@@ -0,0 +1,66 @@
+{
+  "name": "@a5c-ai/kradle",
+  "version": "5.0.1-staging.3abdf9534c25",
+  "description": "a5c.ai Kradle: Kubernetes-native forge runtime with Argo CD GitOps and Gitea-backed Git hosting.",
+  "type": "module",
+  "main": "./src/index.js",
+  "exports": {
+    ".": "./src/index.js"
+  },
+  "bin": {
+    "kradle-demo": "./bin/kradle-demo.mjs",
+    "kradle-server": "./bin/kradle-server.mjs"
+  },
+  "scripts": {
+    "build": "node scripts/build.mjs",
+    "test": "node --test tests/*.test.js",
+    "validate:docs": "node scripts/validate-doc-coverage.mjs",
+    "smoke": "node scripts/smoke.mjs",
+    "check": "npm run build && npm run validate:docs && npm test && npm run e2e && npm run package:check && npm run smoke",
+    "demo": "node bin/kradle-demo.mjs",
+    "e2e": "node --test tests/e2e/*.test.js",
+    "package:check": "node scripts/validate-package.mjs",
+    "setup:minikube": "node scripts/setup-minikube.mjs",
+    "serve": "node bin/kradle-server.mjs"
+  },
+  "keywords": [
+    "kubernetes",
+    "forge",
+    "git",
+    "ci",
+    "rbac",
+    "webhooks"
+  ],
+  "license": "MIT",
+  "engines": {
+    "node": ">=20"
+  },
+  "author": "a5c.ai",
+  "homepage": "https://github.com/a5c-ai/babysitter/tree/main/packages/kradle/core#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/a5c-ai/babysitter.git",
+    "directory": "packages/kradle/core"
+  },
+  "bugs": {
+    "url": "https://github.com/a5c-ai/babysitter/issues"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "bin",
+    "src",
+    "dist",
+    "scripts",
+    "docs",
+    "examples",
+    "tests",
+    "Dockerfile",
+    "README.md"
+  ],
+  "dependencies": {
+    "@nats-io/jetstream": "3.3.0",
+    "@nats-io/transport-node": "3.3.0"
+  }
+}

package/scripts/build.mjs

@@ -0,0 +1,29 @@
+import { readFile } from 'node:fs/promises';
+import { mkdir, writeFile } from 'node:fs/promises';
+import { createControllerUiModel, createKradleHandoffSummary, createKradleMvpDemo, createKradleRuntime } from '../src/index.js';
+
+const packageInfo = JSON.parse(await readFile('package.json', 'utf8'));
+const runtime = createKradleRuntime();
+const controller = createControllerUiModel(runtime);
+const snapshot = runtime.snapshot();
+const demo = createKradleMvpDemo();
+const lifecycle = demo.lifecycle;
+const summary = createKradleHandoffSummary(demo, { packageInfo });
+summary.controller = {
+  status: controller.status,
+  namespace: controller.namespace,
+  endpoints: controller.controller.endpoints,
+  metrics: controller.metrics,
+  operations: controller.operations
+};
+summary.runtime = {
+  resources: Object.fromEntries(Object.entries(snapshot.resources).map(([kind, resources]) => [kind, resources.length])),
+  events: snapshot.events.length,
+  auditEntries: snapshot.auditLog.length
+};
+await mkdir('dist', { recursive: true });
+await writeFile('dist/kradle-summary.json', JSON.stringify(summary, null, 2));
+await writeFile('dist/kradle-controller-ui.json', JSON.stringify(controller, null, 2));
+await writeFile('dist/kradle-runtime-snapshot.json', JSON.stringify(snapshot, null, 2));
+await writeFile('dist/kradle-lifecycle.json', JSON.stringify(lifecycle, null, 2));
+console.log('build ok: dist/kradle-summary.json dist/kradle-controller-ui.json dist/kradle-runtime-snapshot.json dist/kradle-lifecycle.json');

package/scripts/setup-minikube.mjs

@@ -0,0 +1,65 @@
+#!/usr/bin/env node
+import { spawnSync } from 'node:child_process';
+
+export function parseArgs(argv = process.argv.slice(2)) {
+  const options = { apply: false, json: false, profile: 'kradle', namespace: 'kradle-system', release: 'kradle', driver: 'docker', chart: '../charts' };
+  for (const arg of argv) {
+    if (arg === '--apply') options.apply = true;
+    else if (arg === '--dry-run') options.apply = false;
+    else if (arg === '--json') options.json = true;
+    else if (arg.startsWith('--profile=')) options.profile = arg.slice('--profile='.length);
+    else if (arg.startsWith('--namespace=')) options.namespace = arg.slice('--namespace='.length);
+    else if (arg.startsWith('--release=')) options.release = arg.slice('--release='.length);
+    else if (arg.startsWith('--driver=')) options.driver = arg.slice('--driver='.length);
+    else if (arg.startsWith('--chart=')) options.chart = arg.slice('--chart='.length);
+    else throw new Error(`Unknown option: ${arg}`);
+  }
+  return options;
+}
+
+export function buildMinikubePlan(options = parseArgs([])) {
+  const { profile, namespace, release, driver, chart } = options;
+  return {
+    mode: options.apply ? 'apply' : 'dry-run',
+    requiredTools: ['minikube', 'kubectl', 'helm', 'node', 'npm'],
+    commands: [
+      ['minikube', ['start', '-p', profile, '--driver', driver]],
+      ['minikube', ['addons', 'enable', 'ingress', '-p', profile]],
+      ['minikube', ['addons', 'enable', 'metrics-server', '-p', profile]],
+      ['kubectl', ['config', 'use-context', profile]],
+      ['kubectl', ['create', 'namespace', namespace, '--dry-run=client', '-o', 'yaml']],
+      ['helm', ['lint', chart]],
+      ['helm', ['upgrade', '--install', release, chart, '--namespace', namespace, '--create-namespace', '--set', 'demo.enabled=true']],
+      ['kubectl', ['apply', '-n', namespace, '-f', 'examples/minikube-demo.yaml']],
+      ['kubectl', ['wait', '--for=condition=Available', `deployment/${release}-kradle-api`, '-n', namespace, '--timeout=120s']],
+      ['node', ['scripts/smoke.mjs']]
+    ]
+  };
+}
+
+function commandToString([command, args]) {
+  return [command, ...args].join(' ');
+}
+
+function runCommand(command) {
+  const [bin, args] = command;
+  const result = spawnSync(bin, args, { stdio: 'inherit', shell: process.platform === 'win32' });
+  if (result.status !== 0) throw new Error(`Command failed: ${commandToString(command)}`);
+}
+
+const isMain = process.argv[1]?.replace(/\\/g, '/').endsWith('/scripts/setup-minikube.mjs');
+if (isMain) {
+  try {
+    const options = parseArgs();
+    const plan = buildMinikubePlan(options);
+    if (options.json) console.log(JSON.stringify({ ...plan, commands: plan.commands.map(commandToString) }, null, 2));
+    else {
+      console.log(`Kradle minikube setup (${plan.mode})`);
+      for (const command of plan.commands) console.log(`- ${commandToString(command)}`);
+    }
+    if (options.apply) for (const command of plan.commands) runCommand(command);
+  } catch (error) {
+    console.error(error.message);
+    process.exit(1);
+  }
+}

package/scripts/smoke.mjs

@@ -0,0 +1,37 @@
+import { createKradleHttpServer, createKradleRuntime, runSmokeAssertions } from '../src/index.js';
+
+const runtime = createKradleRuntime();
+const server = createKradleHttpServer({ runtime });
+const checks = [];
+
+function record(name, passed, evidence = '') {
+  checks.push({ name, passed: Boolean(passed), evidence });
+  console.log(`${passed ? 'ok' : 'not ok'} - ${name}${evidence ? ` (${evidence})` : ''}`);
+}
+
+await new Promise((resolve) => server.listen(0, resolve));
+const base = `http://127.0.0.1:${server.address().port}`;
+let model;
+try {
+  const health = await fetch(`${base}/healthz`);
+  record('HTTP health endpoint is live', health.ok, '/healthz');
+  const modelResponse = await fetch(`${base}/api/controller`);
+  model = await modelResponse.json();
+  record('Controller API exposes Kradle workspace model', modelResponse.ok && model.controller.mode === 'kradle-workspace', '/api/controller');
+  record('Controller model reports truthful ready or degraded state', ['ready', 'degraded'].includes(model.status) && Number.isFinite(model.metrics.resources), `${model.status}; ${model.metrics.resources} resources`);
+  record('Controller model includes Kradle management endpoints', model.controller.endpoints.some((endpoint) => endpoint.path === '/api/orgs/:org/resources') && model.controller.endpoints.some((endpoint) => endpoint.path === '/api/orgs/:org/repositories'), model.controller.endpoints.map((endpoint) => endpoint.path).join(', '));
+  record('Controller model includes publishing gates', model.operations.releaseGates.includes('npm pack --json') && model.operations.releaseGates.includes('docker build'), model.operations.releaseGates.join(', '));
+  const snapshotResponse = await fetch(`${base}/api/orgs/default/snapshot`);
+  const snapshot = await snapshotResponse.json();
+  record('Org snapshot endpoint exports durable runtime state', snapshotResponse.ok && snapshot.export?.controlPlane && snapshot.resources?.Repository?.length > 0, '/api/orgs/default/snapshot');
+} finally {
+  await new Promise((resolve) => server.close(resolve));
+}
+
+const contractSmoke = runSmokeAssertions();
+for (const [name, passed] of contractSmoke.assertions) record(name, passed, 'runtime contract compatibility');
+if (!checks.every((check) => check.passed)) {
+  console.error(JSON.stringify({ status: 'failed', checks }, null, 2));
+  process.exit(1);
+}
+console.log(JSON.stringify({ status: 'success', checks: checks.length, controllerStatus: model.status, resources: model.metrics.resources }, null, 2));

package/scripts/validate-doc-coverage.mjs

@@ -0,0 +1,152 @@
+import { readFile } from 'node:fs/promises';
+
+const requiredDocs = [
+  'README.md',
+  'docs/README.md',
+  'docs/product-requirements.md',
+  'docs/system-requirements.md',
+  'docs/architecture-spec.md',
+  'docs/user-stories.md',
+  'docs/roadmap-mvp.md',
+  'docs/install.md',
+  'docs/local-minikube.md',
+  'docs/components/control-plane.md',
+  'docs/components/data-plane.md',
+  'docs/components/identity-rbac-policy.md',
+  'docs/components/runners-ci.md',
+  'docs/components/hooks-events.md',
+  'docs/components/web-ui.md',
+  'docs/components/operations-publishing.md',
+  'docs/components/kubevela-oam.md'
+];
+
+const requiredOntology = [
+  'docs/ontology/README.md',
+  'docs/ontology/world.md',
+  'docs/ontology/problem-space.md',
+  'docs/ontology/solution-space.md',
+  'docs/ontology/bounded-contexts.md',
+  'docs/ontology/resource-taxonomy.md',
+  'docs/ontology/resource-contracts.md',
+  'docs/ontology/personas-and-actors.md',
+  'docs/ontology/workflows.md',
+  'docs/ontology/policies-and-invariants.md',
+  'docs/ontology/storage-and-data-boundaries.md',
+  'docs/ontology/events-and-hooks.md',
+  'docs/ontology/runners-and-ci.md',
+  'docs/ontology/web-ui-excellent-flows.md',
+  'docs/ontology/operations-and-release.md',
+  'docs/ontology/validation-matrix.md',
+  'docs/ontology/oam-kubevela.md'
+];
+
+const implementationFiles = [
+  'src/resource-model.js',
+  'src/control-plane.js',
+  'src/data-plane.js',
+  'src/identity-policy.js',
+  'src/runners-ci.js',
+  'src/hooks-events.js',
+  'src/web-ui.js',
+  'src/operations.js',
+  'tests/kradle.test.js'
+];
+
+async function readRequired(file) {
+  try {
+    return await readFile(file, 'utf8');
+  } catch (error) {
+    throw new Error(`${file} missing or unreadable: ${error.message}`);
+  }
+}
+
+const docsText = (await Promise.all(requiredDocs.map(readRequired))).join('\n');
+const ontologyByFile = Object.fromEntries(await Promise.all(requiredOntology.map(async (file) => [file, await readRequired(file)])));
+const ontologyText = Object.values(ontologyByFile).join('\n');
+const sourceByFile = Object.fromEntries(await Promise.all(implementationFiles.map(async (file) => [file, await readRequired(file)])));
+const allRequirementsText = `${docsText}\n${ontologyText}`;
+
+const requiredTerms = [
+  'Repository', 'PullRequest', 'Issue', 'Review', 'Pipeline', 'Job', 'RunnerPool',
+  'WebhookSubscription', 'WebhookDelivery', 'RefPolicy', 'BranchProtection', 'View', 'Selector',
+  'RBAC', 'OIDC', 'Postgres', 'etcd', 'receive-pack', 'GitOps', 'backup', 'restore',
+  'APIService', 'fork', 'admission', 'webhook', 'object storage', 'search', 'release gates', 'KubeVela', 'OAM', 'Application', 'Component', 'Trait', 'Workflow Step'
+];
+
+const sourceTerms = [
+  ['RESOURCE_DEFINITIONS', 'src/resource-model.js'],
+  ['resourceSchemaForKind', 'src/resource-model.js'],
+  ['watch', 'src/control-plane.js'],
+  ['auditLog', 'src/control-plane.js'],
+  ['recordObject', 'src/data-plane.js'],
+  ['enqueueSearchIndex', 'src/data-plane.js'],
+  ['serviceAccountForJob', 'src/identity-policy.js'],
+  ['rerunFromStep', 'src/runners-ci.js'],
+  ['inspect', 'src/hooks-events.js'],
+  ['createWebhookInspector', 'src/web-ui.js'],
+  ['observabilityModel', 'src/operations.js'],
+  ['releaseGates', 'src/operations.js']
+];
+
+const workflowText = await readRequired('.github/workflows/publish.yml');
+const releaseSurfaceTerms = [
+  ['Dockerfile', docsText],
+  ['controller image', docsText],
+  ['GitHub publishing', docsText],
+  ['GHCR', docsText],
+  ['Helm chart', docsText],
+  ['Live-cluster conformance', docsText],
+  ['docker/build-push-action', workflowText],
+  ['helm push', workflowText],
+  ['npm pack', workflowText]
+];
+
+const staleReleaseBoundaryPhrases = [
+  'does not claim to ship production controller images yet',
+  'does not yet ship production controller images',
+  'Real controller images, registry publication, and live-cluster conformance remain follow-up release work',
+  'Production controller images, registry publication, and live-cluster conformance still remain tracked follow-ups'
+];
+
+const ontologyExpectations = [
+  ['docs/ontology/resource-taxonomy.md', ['CRD-backed', 'Aggregated', 'Repository', 'WebhookDelivery']],
+  ['docs/ontology/resource-contracts.md', ['metadata.name', 'resourceVersion', 'RunnerPool', 'WebhookDelivery']],
+  ['docs/ontology/policies-and-invariants.md', ['RBAC', 'Admission', 'Fork PR', 'BranchProtection']],
+  ['docs/ontology/storage-and-data-boundaries.md', ['etcd', 'Postgres', 'Gitea', 'Object storage', 'Search']],
+  ['docs/ontology/validation-matrix.md',
+  'docs/ontology/oam-kubevela.md', ['npm run check', 'docs and ontology coverage']]
+];
+
+const missing = [];
+for (const term of requiredTerms) {
+  if (!allRequirementsText.includes(term)) missing.push(`requirements/ontology missing term: ${term}`);
+}
+for (const [term, file] of sourceTerms) {
+  if (!sourceByFile[file]?.includes(term)) missing.push(`${file} missing implementation term: ${term}`);
+}
+for (const [term, text] of releaseSurfaceTerms) {
+  if (!text.includes(term)) missing.push(`release surface missing term: ${term}`);
+}
+for (const phrase of staleReleaseBoundaryPhrases) {
+  if (allRequirementsText.includes(phrase)) missing.push(`stale release boundary phrase still present: ${phrase}`);
+}
+for (const [file, terms] of ontologyExpectations) {
+  for (const term of terms) {
+    if (!ontologyByFile[file]?.includes(term)) missing.push(`${file} missing ontology term: ${term}`);
+  }
+}
+
+if (missing.length) {
+  console.error(JSON.stringify({ status: 'failed', missing }, null, 2));
+  process.exit(1);
+}
+
+console.log(JSON.stringify({
+  status: 'success',
+  checkedDocs: requiredDocs.length,
+  checkedOntologyFiles: requiredOntology.length,
+  checkedImplementationFiles: implementationFiles.length,
+  requiredTerms: requiredTerms.length,
+  sourceTerms: sourceTerms.length,
+  releaseSurfaceTerms: releaseSurfaceTerms.length
+}, null, 2));