npm - @a5c-ai/kradle - Versions diffs - 5.0.1-staging.3abdf9534c25 - Mend

@a5c-ai/kradle 5.0.1-staging.3abdf9534c25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/Dockerfile +31 -0
package/README.md +187 -0
package/bin/kradle-demo.mjs +23 -0
package/bin/kradle-server.mjs +14 -0
package/dist/kradle-controller-ui.json +3482 -0
package/dist/kradle-lifecycle.json +201 -0
package/dist/kradle-runtime-snapshot.json +3125 -0
package/dist/kradle-summary.json +724 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-kradle-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/architecture-v2.md +2759 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/crd-behaviors-and-relationships.md +3926 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/integration-and-design-decisions.md +1530 -0
package/docs/kradle-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/openapi.yaml +1291 -0
package/docs/product-requirements.md +62 -0
package/docs/requirements-v2.md +235 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/sdk-api-reference.md +1108 -0
package/docs/system-requirements.md +90 -0
package/docs/system-spec-v2.md +1230 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/docs/web-console-spec.md +533 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +66 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +95 -0
package/scripts/validate-ui.mjs +305 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +549 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-identity-migration.js +115 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +589 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-persona-controller.js +135 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-prompt-composition.js +55 -0
package/src/agent-provider-config-controller.js +151 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +421 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +387 -0
package/src/agent-workspace-controller.js +702 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +621 -0
package/src/argocd-gitops.js +43 -0
package/src/artifact-registry-controller.js +542 -0
package/src/assistant-runtime.js +284 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +310 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +112 -0
package/src/controller-ui.js +620 -0
package/src/data-plane.js +179 -0
package/src/event-bus.js +397 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +221 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +131 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/health-probes.js +134 -0
package/src/hooks-events.js +63 -0
package/src/hooks-lifecycle.js +117 -0
package/src/http-server.js +409 -0
package/src/identity-policy.js +86 -0
package/src/index.js +71 -0
package/src/jitsi-agent-bridge.js +141 -0
package/src/jitsi-meeting-controller.js +291 -0
package/src/jitsi-sync-controller.js +198 -0
package/src/kradle-inference-service-controller.js +246 -0
package/src/kubernetes-controller-async.js +531 -0
package/src/kubernetes-controller.js +904 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/model-route-controller.js +364 -0
package/src/notification-controller.js +178 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +282 -0
package/src/runner-controller.js +272 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/virtual-model-controller.js +538 -0
package/src/virtual-model-hook-bridge.js +200 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +679 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-identity-migration.test.js +87 -0
package/tests/agent-memory-controller.test.js +461 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +389 -0
package/tests/agent-mux-integration.test.js +971 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-persona-controller.test.js +127 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-prompt-composition.test.js +76 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +303 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +283 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +271 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/artifact-registry.test.js +511 -0
package/tests/assistant-runtime.test.js +506 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/codespace-controller.test.js +318 -0
package/tests/controller-client.test.js +133 -0
package/tests/deployment.test.js +527 -0
package/tests/e2e/lifecycle.test.js +120 -0
package/tests/event-bus-integration.test.js +355 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +415 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +223 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/health-probes.test.js +90 -0
package/tests/hooks-lifecycle.test.js +364 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/jitsi-agent-bridge.test.js +119 -0
package/tests/jitsi-helm-integration.test.js +77 -0
package/tests/jitsi-meeting-controller.test.js +170 -0
package/tests/jitsi-resource-model.test.js +73 -0
package/tests/jitsi-sync-controller.test.js +112 -0
package/tests/kradle-inference-service.test.js +689 -0
package/tests/kradle.test.js +779 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/model-route-controller.test.js +733 -0
package/tests/notification-controller.test.js +196 -0
package/tests/notification-integration.test.js +179 -0
package/tests/org-scoping.test.js +687 -0
package/tests/runner-controller.test.js +327 -0
package/tests/runner-integration.test.js +231 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +315 -0
package/tests/sse-events.test.js +107 -0
package/tests/virtual-model-controller.test.js +877 -0
package/tests/virtual-model-hook-bridge.test.js +384 -0
package/tests/webhook-trigger.test.js +198 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/src/agent-dispatch-controller.js ADDED Viewed

@@ -0,0 +1,549 @@
+import { createPermissionReviewer } from './agent-permission-review.js';
+import { createAgentStackController } from './agent-stack-controller.js';
+import { createAgentPersonaController } from './agent-persona-controller.js';
+import { composeAgentPrompt } from './agent-prompt-composition.js';
+import { legacyAgentStackIdentityWarning } from './agent-identity-migration.js';
+import { assembleContextBundle } from './agent-context-bundles.js';
+import { createResource, clone } from './resource-model.js';
+import { createAgentMuxClient } from './agent-mux-client.js';
+import { createAgentMemoryController } from './agent-memory-controller.js';
+import { createAgentApprovalController } from './agent-approval-controller.js';
+import { createAgentWorkspaceController } from './agent-workspace-controller.js';
+import { createHooksLifecycleEmitter } from './hooks-lifecycle.js';
+import { createJitsiAgentBridge } from './jitsi-agent-bridge.js';
+const MODEL_RATES = {
+  'claude-sonnet-4-20250514': { inputPer1k: 0.003, outputPer1k: 0.015 },
+  'claude-opus-4-20250514': { inputPer1k: 0.015, outputPer1k: 0.075 },
+  'claude-haiku-4-20250514': { inputPer1k: 0.0008, outputPer1k: 0.004 },
+  'gpt-4o': { inputPer1k: 0.005, outputPer1k: 0.015 },
+  'gpt-4o-mini': { inputPer1k: 0.00015, outputPer1k: 0.0006 },
+  'gemini-1.5-pro': { inputPer1k: 0.00125, outputPer1k: 0.005 },
+};
+const DEFAULT_RATE = { inputPer1k: 0.003, outputPer1k: 0.015 };
+function estimateCost(event) {
+  if (!event?.usage) return 0;
+  const model = event.model || 'claude-sonnet-4-20250514';
+  const rate = MODEL_RATES[model] || DEFAULT_RATE;
+  const inputCost = ((event.usage.inputTokens || 0) / 1000) * rate.inputPer1k;
+  const outputCost = ((event.usage.outputTokens || 0) / 1000) * rate.outputPer1k;
+  return inputCost + outputCost;
+}
+export const AGENT_DISPATCH_CONTROLLER_BOUNDARY = {
+  role: 'agent-dispatch-controller',
+  scope: 'Manual dispatch orchestration with permission gating, context assembly, workspace provisioning, stack resolution, K8s Job dispatch, and event persistence',
+  owns: ['dispatch creation', 'attempt lifecycle', 'K8s Job dispatch binding', 'workspace provisioning', 'stack resolution', 'session event persistence'],
+  delegatesTo: ['agent-permission-review', 'agent-stack-controller', 'agent-context-bundles', 'agent-mux-client', 'agent-memory-controller', 'agent-approval-controller', 'agent-workspace-controller'],
+  mustNotOwn: ['secret values', 'UI rendering']
+};
+export function createAgentDispatchController(options = {}) {
+  const permissionReviewer = options.permissionReviewer || createPermissionReviewer();
+  const stackController = options.stackController || createAgentStackController();
+  const personaController = options.personaController || createAgentPersonaController();
+  const agentMuxClient = options.agentMuxClient || createAgentMuxClient();
+  const memoryController = options.memoryController || createAgentMemoryController();
+  const approvalController = options.approvalController || createAgentApprovalController();
+  const workspaceController = options.workspaceController || createAgentWorkspaceController();
+  const eventBus = options.eventBus || null;
+  const lifecycleEmitter = options.lifecycleEmitter || (eventBus ? createHooksLifecycleEmitter(eventBus) : null);
+  const hookBridge = options.hookBridge || null;
+  const jitsiAgentBridge = options.jitsiAgentBridge || createJitsiAgentBridge({
+    meetingController: options.jitsiMeetingController,
+    eventBus,
+  });
+  const logger = options.logger || console;
+  return {
+    role: 'agent-dispatch-controller',
+    /**
+     * Resolve an AgentStack CRD into a concrete execution config for agent-mux.
+     *
+     * @param {object} stack - AgentStack resource
+     * @param {{ organizationRef?: string }} opts
+     * @returns {{ adapter: string, provider: string, model: string, prompt: object, mcpServers: string[], skills: string[], approvalMode: string, env: Record<string,string> }}
+     */
+    resolveStack(stack, { organizationRef = 'default', identity = null } = {}) {
+      if (!stack || !stack.spec) {
+        throw new Error('resolveStack requires a valid AgentStack resource with spec');
+      }
+      const spec = stack.spec;
+      // Merge flat mcpServerRefs with structured externalTools.mcpServerRefs (deduplicated)
+      const mergedMcpServers = [
+        ...(spec.mcpServerRefs || []),
+        ...(spec.externalTools?.mcpServerRefs || [])
+      ].filter((v, i, a) => a.indexOf(v) === i);
+      const memoryConfig = {};
+      if (spec.memoryRepositoryRefs && spec.memoryRepositoryRefs.length > 0) {
+        memoryConfig.memoryRepositoryRefs = clone(spec.memoryRepositoryRefs);
+      }
+      if (spec.memorySnapshotRef) {
+        memoryConfig.memorySnapshotRef = spec.memorySnapshotRef;
+      }
+      const prompt = identity
+        ? composeAgentPrompt({ ...identity, stack })
+        : {
+            system: spec.systemPrompt || null,
+            developer: spec.developerPrompt || null,
+            task: spec.taskPrompt || null,
+          };
+      return {
+        adapter: spec.adapter || spec.baseAgent || 'claude-code',
+        provider: spec.provider || 'anthropic',
+        model: spec.model || 'claude-sonnet-4-20250514',
+        prompt,
+        mcpServers: clone(mergedMcpServers),
+        skills: clone(spec.skillRefs || []),
+        approvalMode: spec.approvalMode || 'prompt',
+        env: {
+          KRADLE_ORG: organizationRef,
+          KRADLE_STACK_NAME: stack.metadata?.name || 'unknown',
+        },
+        memoryConfig: Object.keys(memoryConfig).length > 0 ? memoryConfig : null,
+      };
+    },
+    /**
+     * Check if the run has exceeded its token or cost budget.
+     *
+     * @param {object} run - AgentDispatchRun resource
+     * @param {object} event - SSE event with optional usage field
+     * @returns {{ exceeded: boolean, reason?: string, current?: number, limit?: number, totalTokens?: number, totalCost?: number }}
+     */
+    checkBudget(run, event) {
+      const maxTokens = run.spec?.budget?.maxTokens ?? Infinity;
+      const maxCostUsd = run.spec?.budget?.maxCostUsd ?? Infinity;
+      const currentTokens = run.status?.tokenUsage?.totalTokens || 0;
+      const eventTokens = event?.usage?.totalTokens
+        || ((event?.usage?.inputTokens || 0) + (event?.usage?.outputTokens || 0));
+      const totalTokens = currentTokens + eventTokens;
+      const currentCost = run.status?.costUsd || 0;
+      const totalCost = currentCost + estimateCost(event);
+      if (totalTokens > maxTokens) {
+        return { exceeded: true, reason: 'token_limit', current: totalTokens, limit: maxTokens };
+      }
+      if (totalCost > maxCostUsd) {
+        return { exceeded: true, reason: 'cost_limit', current: totalCost, limit: maxCostUsd };
+      }
+      return { exceeded: false, totalTokens, totalCost };
+    },
+    /**
+     * Persist a session event from an agent-mux session.
+     * Appends to the transcript, updates the dispatch attempt status,
+     * marks the run as Completed/Failed on terminal events, and emits to event bus.
+     *
+     * @param {object} event - The SSE event object
+     * @param {object} run - AgentDispatchRun resource (mutated in place)
+     * @param {object} attempt - AgentDispatchAttempt resource (mutated in place)
+     * @param {{ namespace?: string, organizationRef?: string, transcript?: object }} opts
+     * @returns {{ run: object, attempt: object, transcript: object, notification: object|null }}
+     */
+    persistSessionEvent(event, run, attempt, { namespace = 'default', organizationRef = 'default', transcript = null } = {}) {
+      if (!event || typeof event !== 'object') {
+        return { run, attempt, transcript, notification: null };
+      }
+      // Budget enforcement — check before persisting
+      const budgetCheck = this.checkBudget(run, event);
+      if (budgetCheck.exceeded) {
+        const now = new Date().toISOString();
+        run.status.phase = 'Failed';
+        run.status.failedAt = now;
+        run.status.failureReason = 'budget_exceeded';
+        run.status.budgetExceeded = { reason: budgetCheck.reason, current: budgetCheck.current, limit: budgetCheck.limit };
+        attempt.status.failedAt = now;
+        attempt.status.failureReason = 'budget_exceeded';
+        if (eventBus) {
+          eventBus.emit({ type: 'run-complete', status: 'failed', name: run.metadata?.name, reason: 'budget_exceeded', timestamp: now });
+        }
+        const budgetNotification = { type: 'run-complete', status: 'failed', name: run.metadata?.name, reason: 'budget_exceeded', timestamp: now };
+        return { run, attempt, transcript, notification: budgetNotification };
+      }
+      const now = new Date().toISOString();
+      // 1. Append to AgentSessionTranscript
+      if (!transcript) {
+        const sessionRef = attempt?.status?.agentMuxSessionId || 'unknown';
+        transcript = createResource('AgentSessionTranscript', { name: `transcript-${sessionRef}`, namespace }, {
+          organizationRef,
+          sessionRef,
+          messages: [],
+          cost: { inputTokens: 0, outputTokens: 0, totalTokens: 0 },
+        }, { phase: 'Streaming', startedAt: now });
+      }
+      const role = event.role || 'system';
+      const content = event.content || event.text || event.message || '';
+      const message = {
+        role,
+        content: typeof content === 'string' ? content : JSON.stringify(content),
+        timestamp: event.timestamp || now,
+      };
+      if (event.toolUse) message.toolUse = event.toolUse;
+      if (event.toolResult) message.toolResult = event.toolResult;
+      transcript.spec.messages.push(message);
+      // Accumulate token usage
+      if (event.usage) {
+        transcript.spec.cost.inputTokens += event.usage.inputTokens || 0;
+        transcript.spec.cost.outputTokens += event.usage.outputTokens || 0;
+        transcript.spec.cost.totalTokens = transcript.spec.cost.inputTokens + transcript.spec.cost.outputTokens;
+        if (!run.status.tokenUsage) run.status.tokenUsage = { inputTokens: 0, outputTokens: 0, totalTokens: 0 };
+        run.status.tokenUsage.inputTokens = (run.status.tokenUsage.inputTokens || 0) + (event.usage.inputTokens || 0);
+        run.status.tokenUsage.outputTokens = (run.status.tokenUsage.outputTokens || 0) + (event.usage.outputTokens || 0);
+        run.status.tokenUsage.totalTokens = run.status.tokenUsage.inputTokens + run.status.tokenUsage.outputTokens;
+        run.status.costUsd = (run.status.costUsd || 0) + estimateCost(event);
+      }
+      // 2. Update AgentDispatchAttempt status
+      attempt.status.lastEventAt = now;
+      attempt.status.eventCount = (attempt.status.eventCount || 0) + 1;
+      // 3. Terminal event handling
+      let notification = null;
+      if (event.type === 'completion') {
+        run.status.phase = 'Completed';
+        run.status.completedAt = now;
+        attempt.status.completedAt = now;
+        transcript.status.phase = 'Reconciled';
+        transcript.status.reconciledAt = now;
+        notification = {
+          type: 'run-complete',
+          status: 'completed',
+          name: run.metadata?.name,
+          org: organizationRef,
+          timestamp: now,
+        };
+        if (lifecycleEmitter) {
+          lifecycleEmitter.emitRunCompleted(run, { phase: 'Completed' });
+          lifecycleEmitter.emitSessionEnded({ sessionId: attempt.status?.agentMuxSessionId, runId: attempt.status?.agentMuxRunId });
+        }
+      } else if (event.type === 'error') {
+        run.status.phase = 'Failed';
+        run.status.failedAt = now;
+        run.status.failureReason = event.error || event.message || 'Unknown error';
+        attempt.status.failedAt = now;
+        attempt.status.failureReason = event.error || event.message || 'Unknown error';
+        transcript.status.phase = 'Failed';
+        notification = {
+          type: 'run-complete',
+          status: 'failed',
+          name: run.metadata?.name,
+          org: organizationRef,
+          timestamp: now,
+        };
+        if (lifecycleEmitter) {
+          lifecycleEmitter.emitRunCompleted(run, { phase: 'Failed' });
+          lifecycleEmitter.emitSessionEnded({ sessionId: attempt.status?.agentMuxSessionId, runId: attempt.status?.agentMuxRunId });
+        }
+      }
+      // 5. Emit to event bus for SSE broadcast
+      if (eventBus) {
+        eventBus.emit({
+          type: 'session-event',
+          runName: run.metadata?.name,
+          eventType: event.type || 'message',
+          timestamp: now,
+        });
+        if (notification) {
+          eventBus.emit(notification);
+        }
+      }
+      return { run, attempt, transcript, notification };
+    },
+    async createManualDispatch({ repository, ref, sourceRefs = [], agentDefinition, agentStack, meetingRef, taskKind, actor, namespace = 'default', organizationRef = 'default', resources = {}, callbackUrl } = {}, options = {}) {
+      let identity = null;
+      if (agentDefinition) {
+        const resolved = personaController.resolveAgentDefinition(agentDefinition, { resources, organizationRef });
+        if (resolved.error) {
+          return { error: true, reason: 'agent-definition-invalid', message: resolved.errors.join('; '), errors: resolved.errors };
+        }
+        identity = {
+          definition: resolved.definition,
+          persona: resolved.persona,
+          soul: resolved.soul,
+          appearance: resolved.appearance,
+          voiceProfile: resolved.voiceProfile,
+        };
+        agentStack = resolved.stack.metadata?.name;
+      }
+      if (!agentStack) {
+        return { error: true, reason: 'dispatch-target-required', message: 'Dispatch requires agentDefinition or agentStack' };
+      }
+      // 0. Virtual model PreModelResolution hook — can redirect to a different model/stack
+      if (hookBridge) {
+        const virtualModels = resources.KradleVirtualModel || [];
+        const matchedVm = hookBridge.matchVirtualModel(agentStack, virtualModels);
+        if (matchedVm) {
+          const preResult = hookBridge.handleHook('VirtualModel.PreModelResolution', {
+            modelId: agentStack, repository, actor, taskKind
+          }, matchedVm);
+          if (preResult.decision === 'deny') {
+            return { error: true, reason: 'virtual-model-denied', message: preResult.message || 'Blocked by virtual model policy' };
+          }
+          if (preResult.decision === 'modify' && preResult.modifiedInput?.modelId) {
+            agentStack = preResult.modifiedInput.modelId;
+          }
+        }
+      }
+      // 1. Find stack
+      const stack = (resources.AgentStack || []).find(s => s.metadata?.name === agentStack);
+      if (!stack) return { error: true, reason: 'stack-not-found', message: `AgentStack '${agentStack}' not found` };
+      if (meetingRef && !jitsiAgentBridge.hasMeetingCapability(stack)) {
+        return { error: true, reason: 'meeting-not-supported', message: `AgentStack '${agentStack}' is not Jitsi-capable` };
+      }
+      const legacyWarning = legacyAgentStackIdentityWarning(stack);
+      if (legacyWarning && typeof logger?.warn === 'function') logger.warn(legacyWarning);
+      // 2. Permission review
+      const review = permissionReviewer.reviewPermissions({ repository, ref, actor, agentStack, resources });
+      if (review.decision === 'denied') {
+        return { error: true, reason: 'permission-denied', message: 'Dispatch denied by permission review', review };
+      }
+      const permissionSnapshot = permissionReviewer.createPermissionSnapshot(review);
+      // 3. Memory snapshot — use stack-scoped memoryRepositoryRefs if present, else fall back to all repos
+      let memorySnapshot = null;
+      const allMemoryRepos = resources.AgentMemoryRepository || [];
+      const stackMemoryRefs = stack.spec?.memoryRepositoryRefs || [];
+      const scopedMemoryRepos = stackMemoryRefs.length > 0
+        ? allMemoryRepos.filter((r) => stackMemoryRefs.includes(r.metadata?.name))
+        : allMemoryRepos;
+      if (scopedMemoryRepos.length > 0) {
+        const memRepo = scopedMemoryRepos[0];
+        const timeTravel = memoryController.resolveTimeTravel({ mode: 'current', commits: [] });
+        memorySnapshot = memoryController.createMemorySnapshot({
+          memoryRepository: memRepo.metadata.name,
+          requestedRef: ref,
+          resolvedCommit: timeTravel.resolvedCommit || ref,
+          queryManifest: {},
+          selectedRecords: [],
+          selectedDocuments: [],
+          ontologyDigest: '',
+          namespace,
+          organizationRef,
+        });
+      }
+      // 4. Approval gate — if review requires approval, create approval and return early
+      if (review.decision === 'requires-approval') {
+        const now = new Date().toISOString();
+        const runName = `dispatch-${Date.now()}`;
+        const run = createResource('AgentDispatchRun', { name: runName, namespace }, {
+          organizationRef,
+          repository,
+          sourceRefs: clone(sourceRefs),
+          ...(agentDefinition ? { agentDefinition } : {}),
+          agentStack,
+          taskKind: taskKind || 'diagnostic',
+          contextBundleRef: null,
+        });
+        run.status = { phase: 'AwaitingApproval', queuedAt: now };
+        if (memorySnapshot) {
+          run.spec.memorySnapshotRef = memorySnapshot.metadata.name;
+        }
+        const approvalResult = approvalController.createApprovalRequest({
+          dispatchRun: runName,
+          action: 'secret-access',
+          requestedBy: actor,
+          context: `Dispatch requires approval for agent stack: ${agentStack}`,
+          namespace,
+          organizationRef,
+          resources,
+        });
+        return {
+          error: false,
+          run,
+          approval: approvalResult.error ? null : approvalResult.approval,
+          awaitingApproval: true,
+          memorySnapshot,
+          permissionSnapshot,
+          review,
+          warnings: legacyWarning ? [legacyWarning] : [],
+        };
+      }
+      // 5. Workspace provisioning — reuse or create
+      let workspaceResult = null;
+      let mountSpec = null;
+      const branch = ref || 'main';
+      const reusable = workspaceController.findReusableWorkspace({
+        organizationRef, repository, branch, resources,
+      });
+      if (reusable) {
+        const claimResult = workspaceController.claimWorkspace({
+          name: reusable.metadata.name,
+          runRef: `dispatch-pending`,
+          resources,
+        });
+        if (!claimResult.error) {
+          workspaceResult = { workspace: claimResult.workspace, reused: true };
+          const mount = workspaceController.getMountSpec({ workspace: claimResult.workspace });
+          if (!mount.error) mountSpec = { volume: mount.volume, volumeMount: mount.volumeMount };
+        }
+      }
+      if (!workspaceResult) {
+        const createResult = workspaceController.createWorkspace({
+          organizationRef, repository, branch, namespace,
+          volumeSpec: {},
+        });
+        if (!createResult.error) {
+          workspaceResult = { workspace: createResult.workspace, pvcManifest: createResult.pvcManifest, reused: false };
+          const mount = workspaceController.getMountSpec({ workspace: createResult.workspace });
+          if (!mount.error) mountSpec = { volume: mount.volume, volumeMount: mount.volumeMount };
+        }
+      }
+      // 6. Assemble context bundle
+      const contextBundle = assembleContextBundle({ stack, repository, ref, sourceRefs, contextLabels: [], resources });
+      // 7. Create resources
+      const now = new Date().toISOString();
+      const runName = `dispatch-${Date.now()}`;
+      const run = createResource('AgentDispatchRun', { name: runName, namespace }, {
+        organizationRef,
+        repository,
+        sourceRefs: clone(sourceRefs),
+        ...(agentDefinition ? { agentDefinition } : {}),
+        agentStack,
+        taskKind: taskKind || 'diagnostic',
+        contextBundleRef: contextBundle.metadata.name,
+      });
+      run.status = { phase: 'Pending', queuedAt: now };
+      if (memorySnapshot) {
+        run.spec.memorySnapshotRef = memorySnapshot.metadata.name;
+      }
+      if (workspaceResult) {
+        run.spec.workspaceRef = workspaceResult.workspace.metadata.name;
+      }
+      if (mountSpec) {
+        run.spec.mountSpec = mountSpec;
+      }
+      let runtimeMeetingContext = null;
+      if (meetingRef) {
+        try {
+          runtimeMeetingContext = await jitsiAgentBridge.prepareMeetingContext(run, meetingRef, stack, { resources, organizationRef, namespace });
+        } catch (err) {
+          return { error: true, reason: 'meeting-unavailable', message: err.message || `Meeting ${meetingRef} is not available` };
+        }
+      }
+      if (lifecycleEmitter) {
+        lifecycleEmitter.emitRunCreated(run);
+        if (workspaceResult) {
+          lifecycleEmitter.emitWorkspaceProvisioned(workspaceResult.workspace);
+        }
+      }
+      // Update workspace runRef to actual dispatch name
+      if (workspaceResult) {
+        workspaceResult.workspace.status.runRef = runName;
+      }
+      const attempt = createResource('AgentDispatchAttempt', { name: `${runName}-attempt-1`, namespace }, {
+        organizationRef,
+        agentDispatchRun: runName,
+        attemptReason: 'initial',
+        agentStackSnapshot: clone(stack.spec),
+        ...(identity?.definition ? { agentDefinitionSnapshot: clone(identity.definition.spec) } : {}),
+        ...(identity?.persona ? { agentPersonaSnapshot: clone(identity.persona.spec) } : {}),
+        contextBundleDigest: contextBundle.spec.digest,
+      });
+      attempt.status = { permissionSnapshot, queueEnteredAt: now };
+      // 7. Dispatch as K8s Job
+      let transcript = null;
+      let jobResult = null;
+      const executionConfig = this.resolveStack(stack, { organizationRef, identity });
+      const pvcName = workspaceResult?.workspace?.spec?.volumeClaimName || workspaceResult?.pvcManifest?.metadata?.name || null;
+      const resolvedCallbackUrl = callbackUrl || process.env.KRADLE_CALLBACK_URL || null;
+      try {
+        // Inject memory config env vars into the Job when memory repos are scoped
+        const jobEnv = { ...executionConfig.env };
+        if (executionConfig.memoryConfig) {
+          if (executionConfig.memoryConfig.memoryRepositoryRefs) {
+            jobEnv.KRADLE_MEMORY_REPOS = executionConfig.memoryConfig.memoryRepositoryRefs.join(',');
+          }
+          if (executionConfig.memoryConfig.memorySnapshotRef) {
+            jobEnv.KRADLE_MEMORY_SNAPSHOT = executionConfig.memoryConfig.memorySnapshotRef;
+          }
+        }
+        const { jobManifest, jobName } = agentMuxClient.createAgentJob({
+          adapter: executionConfig.adapter,
+          provider: executionConfig.provider,
+          model: executionConfig.model,
+          org: organizationRef,
+          runId: runName,
+          stackName: stack.metadata?.name,
+          budget: stack.spec?.budget,
+          image: stack.spec?.image,
+          serviceAccount: stack.spec?.runtimeIdentity?.serviceAccountRef,
+          callbackUrl: resolvedCallbackUrl,
+          prompt: executionConfig.prompt,
+          env: jobEnv,
+          workspace: pvcName ? { pvcName } : undefined,
+          resources: stack.spec?.resources,
+          meetingContext: runtimeMeetingContext || run.spec.meetingContext,
+        });
+        attempt.status.jobName = jobName;
+        attempt.status.jobNamespace = jobManifest.metadata.namespace;
+        run.spec.jobRef = jobName;
+        try {
+          const submitResult = await agentMuxClient.submitAgentJob(jobManifest);
+          run.status.phase = 'Running';
+          attempt.status.startedAt = now;
+          attempt.status.jobSubmitted = true;
+          jobResult = { jobName: submitResult.jobName, namespace: submitResult.namespace, submitted: true };
+          if (lifecycleEmitter) {
+            lifecycleEmitter.emitSessionStarted({ sessionId: jobName, runId: runName });
+            lifecycleEmitter.emitStepStarted(run, 'launch');
+          }
+        } catch {
+          // Job manifest was generated but submission failed — queue for retry
+          run.status.phase = 'Queued';
+          run.status.conditions = [{ type: 'JobSubmitted', status: 'False', reason: 'SubmitFailed', message: 'K8s Job submission failed' }];
+          jobResult = { jobName, namespace: jobManifest.metadata.namespace, submitted: false };
+        }
+      } catch (err) {
+        run.status.phase = 'Queued';
+        run.status.conditions = [{ type: 'JobSubmitted', status: 'False', reason: 'ManifestFailed', message: err.message || 'Job manifest generation failed' }];
+      }
+      return { error: false, run, attempt, contextBundle, permissionSnapshot, memorySnapshot, transcript, workspace: workspaceResult, mountSpec, jobResult, executionConfig, identity, warnings: legacyWarning ? [legacyWarning] : [] };
+    }
+  };
+}

package/src/agent-gateway-config-controller.js ADDED Viewed

@@ -0,0 +1,147 @@
+// Agent Gateway Config Controller — Slice 1.2e
+// Manages AgentGatewayConfig resources: gateway name, endpoint URL, feature flags,
+// connection pool settings, and TLS configuration reference.
+export const AGENT_GATEWAY_CONFIG_CONTROLLER_BOUNDARY = {
+  role: 'agent-gateway-config-controller',
+  scope: 'AgentGatewayConfig lifecycle: validation, endpoint resolution, feature flags, connection pool, TLS config ref',
+  owns: ['gateway config validation', 'endpoint URL', 'feature flags', 'connection pool defaults', 'TLS config ref'],
+  delegatesTo: ['resource-model'],
+  mustNotOwn: ['secret values', 'dispatch execution', 'Agent Mux sessions', 'adapter implementation']
+};
+const DEFAULT_FEATURE_FLAGS = Object.freeze({
+  streaming: true,
+  reconnect: true,
+  healthCheck: true
+});
+const DEFAULT_POOL_SETTINGS = Object.freeze({
+  maxConnections: 10,
+  timeoutMs: 30000
+});
+/**
+ * Validate an AgentGatewayConfig resource. Returns { valid, errors }.
+ * @param {object} resource
+ * @returns {{ valid: boolean, errors: string[] }}
+ */
+export function validateAgentGatewayConfig(resource) {
+  const errors = [];
+  // Guard against null/undefined resource
+  if (resource == null) {
+    errors.push('resource must not be null or undefined');
+    return { valid: false, errors };
+  }
+  // Validate metadata.name
+  if (!resource?.metadata?.name) {
+    errors.push('metadata.name is required');
+  }
+  const spec = resource?.spec || {};
+  // Validate organizationRef
+  if (!spec.organizationRef) {
+    errors.push('spec.organizationRef is required');
+  }
+  // Validate endpoint URL
+  if (!spec.endpointUrl) {
+    errors.push('spec.endpointUrl is required; provide the Agent Mux gateway endpoint URL');
+  } else {
+    // Basic URL validation: must start with http:// or https:// or ws:// or wss://
+    const validProtocols = ['http://', 'https://', 'ws://', 'wss://'];
+    const hasValidProtocol = validProtocols.some((p) => spec.endpointUrl.startsWith(p));
+    if (!hasValidProtocol) {
+      errors.push(`spec.endpointUrl must start with one of: ${validProtocols.join(', ')}`);
+    }
+  }
+  // Validate connectionPool if provided
+  const pool = spec.connectionPool;
+  if (pool != null) {
+    if (pool.maxConnections != null && (!Number.isInteger(pool.maxConnections) || pool.maxConnections < 1)) {
+      errors.push('spec.connectionPool.maxConnections must be a positive integer');
+    }
+    if (pool.timeoutMs != null && (!Number.isFinite(pool.timeoutMs) || pool.timeoutMs < 0)) {
+      errors.push('spec.connectionPool.timeoutMs must be a non-negative number');
+    }
+  }
+  return { valid: errors.length === 0, errors };
+}
+/**
+ * Factory that returns an AgentGatewayConfig controller instance.
+ */
+export function createAgentGatewayConfigController() {
+  return {
+    role: 'agent-gateway-config-controller',
+    /**
+     * Validate an AgentGatewayConfig resource.
+     * @param {object} resource
+     * @returns {{ valid: boolean, errors: string[] }}
+     */
+    validate(resource) {
+      return validateAgentGatewayConfig(resource);
+    },
+    /**
+     * Return the effective endpoint URL for the gateway config.
+     * @param {object} resource
+     * @returns {string}
+     */
+    getEndpointUrl(resource) {
+      if (resource == null) {
+        throw new Error('resource must not be null or undefined');
+      }
+      return resource?.spec?.endpointUrl ?? null;
+    },
+    /**
+     * Return the effective feature flags for a gateway config.
+     * Merges spec.featureFlags with defaults; spec values take precedence.
+     * @param {object} resource
+     * @returns {{ streaming: boolean, reconnect: boolean, healthCheck: boolean, [key: string]: boolean }}
+     */
+    getFeatureFlags(resource) {
+      if (resource == null) {
+        throw new Error('resource must not be null or undefined');
+      }
+      const specFlags = resource?.spec?.featureFlags ?? {};
+      return { ...DEFAULT_FEATURE_FLAGS, ...specFlags };
+    },
+    /**
+     * Return the effective connection pool settings for a gateway config.
+     * Merges spec.connectionPool with defaults; spec values take precedence.
+     * @param {object} resource
+     * @returns {{ maxConnections: number, timeoutMs: number }}
+     */
+    getConnectionPool(resource) {
+      if (resource == null) {
+        throw new Error('resource must not be null or undefined');
+      }
+      const specPool = resource?.spec?.connectionPool ?? {};
+      return {
+        maxConnections: specPool.maxConnections ?? DEFAULT_POOL_SETTINGS.maxConnections,
+        timeoutMs: specPool.timeoutMs ?? DEFAULT_POOL_SETTINGS.timeoutMs
+      };
+    },
+    /**
+     * Return the TLS configuration reference from the spec, or null if not set.
+     * @param {object} resource
+     * @returns {string|null}
+     */
+    getTlsConfigRef(resource) {
+      if (resource == null) {
+        throw new Error('resource must not be null or undefined');
+      }
+      return resource?.spec?.tlsConfigRef ?? null;
+    }
+  };
+}