npm - @a5c-ai/kradle - Versions diffs - 5.0.1-staging.3abdf9534c25 - Mend

@a5c-ai/kradle 5.0.1-staging.3abdf9534c25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/Dockerfile +31 -0
package/README.md +187 -0
package/bin/kradle-demo.mjs +23 -0
package/bin/kradle-server.mjs +14 -0
package/dist/kradle-controller-ui.json +3482 -0
package/dist/kradle-lifecycle.json +201 -0
package/dist/kradle-runtime-snapshot.json +3125 -0
package/dist/kradle-summary.json +724 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-kradle-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/architecture-v2.md +2759 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/crd-behaviors-and-relationships.md +3926 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/integration-and-design-decisions.md +1530 -0
package/docs/kradle-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/openapi.yaml +1291 -0
package/docs/product-requirements.md +62 -0
package/docs/requirements-v2.md +235 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/sdk-api-reference.md +1108 -0
package/docs/system-requirements.md +90 -0
package/docs/system-spec-v2.md +1230 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/docs/web-console-spec.md +533 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +66 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +95 -0
package/scripts/validate-ui.mjs +305 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +549 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-identity-migration.js +115 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +589 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-persona-controller.js +135 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-prompt-composition.js +55 -0
package/src/agent-provider-config-controller.js +151 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +421 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +387 -0
package/src/agent-workspace-controller.js +702 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +621 -0
package/src/argocd-gitops.js +43 -0
package/src/artifact-registry-controller.js +542 -0
package/src/assistant-runtime.js +284 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +310 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +112 -0
package/src/controller-ui.js +620 -0
package/src/data-plane.js +179 -0
package/src/event-bus.js +397 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +221 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +131 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/health-probes.js +134 -0
package/src/hooks-events.js +63 -0
package/src/hooks-lifecycle.js +117 -0
package/src/http-server.js +409 -0
package/src/identity-policy.js +86 -0
package/src/index.js +71 -0
package/src/jitsi-agent-bridge.js +141 -0
package/src/jitsi-meeting-controller.js +291 -0
package/src/jitsi-sync-controller.js +198 -0
package/src/kradle-inference-service-controller.js +246 -0
package/src/kubernetes-controller-async.js +531 -0
package/src/kubernetes-controller.js +904 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/model-route-controller.js +364 -0
package/src/notification-controller.js +178 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +282 -0
package/src/runner-controller.js +272 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/virtual-model-controller.js +538 -0
package/src/virtual-model-hook-bridge.js +200 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +679 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-identity-migration.test.js +87 -0
package/tests/agent-memory-controller.test.js +461 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +389 -0
package/tests/agent-mux-integration.test.js +971 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-persona-controller.test.js +127 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-prompt-composition.test.js +76 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +303 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +283 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +271 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/artifact-registry.test.js +511 -0
package/tests/assistant-runtime.test.js +506 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/codespace-controller.test.js +318 -0
package/tests/controller-client.test.js +133 -0
package/tests/deployment.test.js +527 -0
package/tests/e2e/lifecycle.test.js +120 -0
package/tests/event-bus-integration.test.js +355 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +415 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +223 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/health-probes.test.js +90 -0
package/tests/hooks-lifecycle.test.js +364 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/jitsi-agent-bridge.test.js +119 -0
package/tests/jitsi-helm-integration.test.js +77 -0
package/tests/jitsi-meeting-controller.test.js +170 -0
package/tests/jitsi-resource-model.test.js +73 -0
package/tests/jitsi-sync-controller.test.js +112 -0
package/tests/kradle-inference-service.test.js +689 -0
package/tests/kradle.test.js +779 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/model-route-controller.test.js +733 -0
package/tests/notification-controller.test.js +196 -0
package/tests/notification-integration.test.js +179 -0
package/tests/org-scoping.test.js +687 -0
package/tests/runner-controller.test.js +327 -0
package/tests/runner-integration.test.js +231 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +315 -0
package/tests/sse-events.test.js +107 -0
package/tests/virtual-model-controller.test.js +877 -0
package/tests/virtual-model-hook-bridge.test.js +384 -0
package/tests/webhook-trigger.test.js +198 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/src/agent-permission-review.js ADDED Viewed

@@ -0,0 +1,250 @@
+import { createHash } from 'node:crypto';
+import { clone } from './resource-model.js';
+export const AGENT_PERMISSION_REVIEW_BOUNDARY = {
+  role: 'agent-permission-review',
+  scope: 'Deterministic permission review for agent dispatch decisions',
+  owns: ['capability expansion', 'grant resolution', 'permission snapshot creation'],
+  delegatesTo: ['resource-model'],
+  mustNotOwn: ['secret values', 'native K8s API calls', 'runtime execution']
+};
+const VALID_APPROVAL_MODES = new Set(['yolo', 'prompt', 'deny']);
+export function createPermissionReviewer(options = {}) {
+  return {
+    role: 'agent-permission-review',
+    reviewPermissions({ repository, ref, actor, agentStack, triggerSource, taskKind, runnerPool, toolRefs = [], skillRefs = [], mcpServerRefs = [], contextLabelRefs = [], workspacePolicyRef, isFork = false, resources = {} }) {
+      const reasons = [];
+      const grants = [];
+      const crossOrgDenials = [];
+      const untrustedForkWarnings = [];
+      // Step 1 — Resolve AgentStack
+      const stacks = resources.AgentStack || [];
+      const stack = stacks.find((s) => s.metadata?.name === agentStack);
+      if (!stack) {
+        return buildDecision({ decision: 'denied', reasons: [{ severity: 'error', message: `AgentStack not found: ${agentStack}` }], grants, capabilities: {}, actor, repository, ref, agentStack, taskKind, crossOrgDenials, untrustedForkWarnings });
+      }
+      // Step 1a — Validate approvalMode
+      const approvalMode = stack.spec?.approvalMode;
+      if (approvalMode !== undefined && !VALID_APPROVAL_MODES.has(approvalMode)) {
+        reasons.push({ severity: 'error', message: `Invalid approvalMode '${approvalMode}': must be one of ${[...VALID_APPROVAL_MODES].join(', ')}` });
+      }
+      // Step 1b — Deny mode blocks everything immediately
+      if (approvalMode === 'deny') {
+        reasons.push({ severity: 'error', message: `approvalMode is 'deny': all requests are blocked by policy` });
+        return buildDecision({ decision: 'denied', reasons, grants, capabilities: {}, actor, repository, ref, agentStack, taskKind, approvalMode, crossOrgDenials, untrustedForkWarnings });
+      }
+      // Step 2 — Cross-org denial check
+      const agentOrg = stack.spec?.organizationRef;
+      if (agentOrg && repository) {
+        // repository format: '<org>/<repo>' or just '<repo>'
+        const repoParts = repository.split('/');
+        const repoOrg = repoParts.length >= 2 ? repoParts[0] : null;
+        if (repoOrg && repoOrg !== agentOrg) {
+          crossOrgDenials.push({ agentOrg, resourceOrg: repoOrg, resource: repository });
+          reasons.push({ severity: 'error', message: `Cross-org access denied: agent org '${agentOrg}' cannot access repository in org '${repoOrg}'` });
+        }
+      }
+      // Step 3 — Expand capabilities from stack spec
+      const capabilities = {
+        toolRefs: clone(stack.spec?.toolPolicy ? [stack.spec.toolPolicy] : toolRefs),
+        mcpServerRefs: clone(stack.spec?.mcpServerRefs || mcpServerRefs),
+        skillRefs: clone(stack.spec?.skillRefs || skillRefs),
+        subagentRefs: clone(stack.spec?.subagentRefs || [])
+      };
+      // Step 4 — Untrusted fork detection
+      const isForkRef = isFork || /^refs\/pull\/\d+\//.test(ref);
+      if (isForkRef) {
+        const blockedKinds = ['AgentServiceAccount', 'AgentSecretGrant'];
+        untrustedForkWarnings.push({
+          ref,
+          isFork: true,
+          blockedKinds,
+          message: `Untrusted fork detected for ref '${ref}': privileged grants restricted`
+        });
+        reasons.push({ severity: 'warning', message: `Untrusted fork detected for ref '${ref}': privileged grants (${blockedKinds.join(', ')}) are not auto-approved` });
+      }
+      // Step 5 — Check runtime identity (AgentServiceAccount)
+      const serviceAccountRef = stack.spec?.runtimeIdentity?.serviceAccountRef || stack.spec?.runtimeIdentity;
+      const serviceAccounts = resources.AgentServiceAccount || [];
+      const serviceAccount = serviceAccounts.find((sa) => sa.metadata?.name === serviceAccountRef);
+      if (!serviceAccount) {
+        reasons.push({ severity: 'error', message: `Missing AgentServiceAccount: ${serviceAccountRef}` });
+      } else {
+        const saGrant = { kind: 'AgentServiceAccount', name: serviceAccount.metadata.name, status: 'bound' };
+        if (isForkRef) {
+          saGrant.status = 'fork-restricted';
+        }
+        grants.push(saGrant);
+      }
+      // Step 6 — Check role bindings
+      const roleBindings = resources.AgentRoleBinding || [];
+      const matchedBindings = roleBindings.filter((rb) => rb.spec?.subject === serviceAccountRef || rb.spec?.subject === agentStack);
+      for (const binding of matchedBindings) {
+        grants.push({ kind: 'AgentRoleBinding', name: binding.metadata.name, roleRef: binding.spec?.roleRef, scope: binding.spec?.scope, status: 'bound' });
+      }
+      if (matchedBindings.length === 0 && serviceAccount) {
+        reasons.push({ severity: 'warning', message: `No AgentRoleBinding found for subject: ${serviceAccountRef}` });
+      }
+      // Step 7 — Check secret grants
+      const secretGrants = resources.AgentSecretGrant || [];
+      const neededSecrets = collectSecretNeeds(stack, capabilities, resources);
+      for (const need of neededSecrets) {
+        const match = secretGrants.find((sg) => {
+          if (sg.spec?.subject !== serviceAccountRef && sg.spec?.subject !== agentStack) return false;
+          if (need.purpose && sg.spec?.purpose !== need.purpose) return false;
+          if (sg.spec?.allowedRepositories && sg.spec.allowedRepositories.length > 0 && !sg.spec.allowedRepositories.includes(repository)) return false;
+          if (sg.spec?.allowedRefs && sg.spec.allowedRefs.length > 0 && !sg.spec.allowedRefs.includes(ref)) return false;
+          return true;
+        });
+        if (!match) {
+          reasons.push({ severity: 'error', message: `Missing AgentSecretGrant for ${need.description} (purpose: ${need.purpose})` });
+        } else {
+          const grantEntry = { kind: 'AgentSecretGrant', name: match.metadata.name, purpose: match.spec?.purpose, status: 'granted' };
+          if (isForkRef) {
+            grantEntry.status = 'fork-restricted';
+          } else if (match.spec?.requiredApproval) {
+            grantEntry.status = 'requires-approval';
+            grantEntry.requiredApproval = match.spec.requiredApproval;
+            reasons.push({ severity: 'info', message: `AgentSecretGrant ${match.metadata.name} requires approval: ${match.spec.requiredApproval}` });
+          }
+          grants.push(grantEntry);
+        }
+      }
+      // Step 8 — Check config grants
+      const configGrants = resources.AgentConfigGrant || [];
+      const neededConfigs = collectConfigNeeds(stack, capabilities, resources);
+      for (const need of neededConfigs) {
+        const match = configGrants.find((cg) => {
+          if (cg.spec?.subject !== serviceAccountRef && cg.spec?.subject !== agentStack) return false;
+          if (need.purpose && cg.spec?.purpose !== need.purpose) return false;
+          return true;
+        });
+        if (!match) {
+          reasons.push({ severity: 'error', message: `Missing AgentConfigGrant for ${need.description} (purpose: ${need.purpose})` });
+        } else {
+          grants.push({ kind: 'AgentConfigGrant', name: match.metadata.name, purpose: match.spec?.purpose, status: 'granted' });
+        }
+      }
+      // Step 9 — Workspace policy enforcement
+      if (workspacePolicyRef) {
+        const policies = resources.KradleWorkspacePolicy || [];
+        const policy = policies.find((p) => p.metadata?.name === workspacePolicyRef);
+        if (policy) {
+          // Check maxConcurrentSessions
+          if (policy.spec?.maxConcurrentSessions === 0) {
+            reasons.push({ severity: 'error', message: `Workspace policy '${workspacePolicyRef}' maxConcurrentSessions is 0: no sessions allowed` });
+          }
+          // Check deniedTools
+          const deniedTools = policy.spec?.deniedTools || [];
+          const requestedTools = capabilities.toolRefs;
+          for (const tool of requestedTools) {
+            if (deniedTools.includes(tool)) {
+              reasons.push({ severity: 'error', message: `Tool '${tool}' is denied by workspace policy '${workspacePolicyRef}'` });
+            }
+          }
+          // Check allowedTools (if specified, only those tools are permitted)
+          const allowedTools = policy.spec?.allowedTools;
+          if (allowedTools && allowedTools.length > 0) {
+            for (const tool of requestedTools) {
+              if (!allowedTools.includes(tool)) {
+                reasons.push({ severity: 'error', message: `Tool '${tool}' is not in allowedTools for workspace policy '${workspacePolicyRef}'` });
+              }
+            }
+          }
+        }
+      }
+      // Step 10 — Decision
+      const hasErrors = reasons.some((r) => r.severity === 'error');
+      const hasApprovals = grants.some((g) => g.status === 'requires-approval');
+      let decision;
+      if (hasErrors) {
+        decision = 'denied';
+      } else if (hasApprovals) {
+        decision = 'requires-approval';
+      } else {
+        decision = 'allowed';
+      }
+      return buildDecision({ decision, reasons, grants, capabilities, actor, repository, ref, agentStack, taskKind, approvalMode, crossOrgDenials, untrustedForkWarnings });
+    },
+    createPermissionSnapshot(reviewResult) {
+      const snapshot = clone(reviewResult);
+      snapshot.snapshotAt = new Date().toISOString();
+      snapshot.frozen = true;
+      snapshot.digest = reviewResult.digest;
+      return Object.freeze(snapshot);
+    }
+  };
+}
+function collectSecretNeeds(stack, capabilities, resources) {
+  const needs = [];
+  if (stack.spec?.adapter) {
+    needs.push({ description: `model provider for adapter ${stack.spec.adapter}`, purpose: 'model-provider' });
+  }
+  const mcpServers = resources.AgentMcpServer || [];
+  for (const ref of capabilities.mcpServerRefs) {
+    const server = mcpServers.find((s) => s.metadata?.name === ref);
+    if (server?.spec?.secretRef) {
+      needs.push({ description: `MCP server ${ref} secret`, purpose: `mcp-server:${ref}` });
+    }
+  }
+  return needs;
+}
+function collectConfigNeeds(stack, capabilities, resources) {
+  const needs = [];
+  const mcpServers = resources.AgentMcpServer || [];
+  for (const ref of capabilities.mcpServerRefs) {
+    const server = mcpServers.find((s) => s.metadata?.name === ref);
+    if (server?.spec?.configMapRef) {
+      needs.push({ description: `MCP server ${ref} config`, purpose: `mcp-server:${ref}` });
+    }
+  }
+  return needs;
+}
+function buildDecision({ decision, reasons, grants, capabilities, actor, repository, ref, agentStack, taskKind, approvalMode, crossOrgDenials = [], untrustedForkWarnings = [] }) {
+  const result = {
+    decision,
+    actor,
+    repository,
+    ref,
+    agentStack,
+    taskKind,
+    capabilities: clone(capabilities),
+    grants: clone(grants),
+    reasons: clone(reasons),
+    crossOrgDenials: clone(crossOrgDenials),
+    untrustedForkWarnings: clone(untrustedForkWarnings),
+    reviewedAt: new Date().toISOString()
+  };
+  if (approvalMode !== undefined) {
+    result.approvalMode = approvalMode;
+  }
+  result.digest = computeDigest(result);
+  return result;
+}
+function computeDigest(result) {
+  const keys = Object.keys(result).filter((k) => k !== 'digest' && k !== 'reviewedAt').sort();
+  const canonical = {};
+  for (const key of keys) canonical[key] = result[key];
+  return createHash('sha256').update(JSON.stringify(canonical)).digest('hex');
+}

package/src/agent-persona-controller.js ADDED Viewed

@@ -0,0 +1,135 @@
+import { clone, createResource } from './resource-model.js';
+export const AGENT_PERSONA_CONTROLLER_BOUNDARY = {
+  role: 'agent-persona-controller',
+  scope: 'Agent identity validation and resolution for personas, definitions, souls, appearance, and voice profiles',
+  owns: ['agent identity reference resolution', 'agent profile validation'],
+  delegatesTo: ['resource-model', 'agent-prompt-composition'],
+  mustNotOwn: ['runtime job creation', 'permission review']
+};
+function findByName(resources, kind, name, organizationRef) {
+  return (resources?.[kind] || []).find((resource) => {
+    if (resource.metadata?.name !== name) return false;
+    return !organizationRef || !resource.spec?.organizationRef || resource.spec.organizationRef === organizationRef;
+  }) || null;
+}
+function required(resource, fields) {
+  const errors = [];
+  for (const field of fields) {
+    const value = resource?.spec?.[field];
+    if (value === undefined || value === null || value === '') errors.push(`spec.${field} is required`);
+  }
+  return errors;
+}
+export function validateAgentPersona(resource) {
+  const errors = required(resource, ['organizationRef', 'displayName']);
+  if (resource?.kind && resource.kind !== 'AgentPersona') errors.push('kind must be AgentPersona');
+  return { valid: errors.length === 0, errors };
+}
+export function validateAgentDefinition(resource) {
+  const errors = required(resource, ['organizationRef', 'personaRef', 'stackRef']);
+  if (resource?.kind && resource.kind !== 'AgentDefinition') errors.push('kind must be AgentDefinition');
+  return { valid: errors.length === 0, errors };
+}
+function inlineResource(kind, name, namespace, organizationRef, spec) {
+  return createResource(kind, { name, namespace }, { organizationRef, ...(spec || {}) });
+}
+function resolveProfileRef({ resources, kind, ref, organizationRef, errors }) {
+  if (!ref) return null;
+  const found = findByName(resources, kind, ref, organizationRef);
+  if (!found) errors.push(`${kind} not found: ${ref}`);
+  return found;
+}
+export function resolveAgentPersona(personaRef, { resources = {}, organizationRef = 'default' } = {}) {
+  const errors = [];
+  const persona = typeof personaRef === 'string' ? findByName(resources, 'AgentPersona', personaRef, organizationRef) : personaRef;
+  if (!persona) {
+    return { error: true, persona: null, soul: null, appearance: null, voiceProfile: null, errors: [`AgentPersona not found: ${personaRef}`] };
+  }
+  const validation = validateAgentPersona(persona);
+  errors.push(...validation.errors);
+  const namespace = persona.metadata?.namespace || 'default';
+  const name = persona.metadata?.name || 'agent';
+  const spec = persona.spec || {};
+  let soul = null;
+  if (spec.soul?.inline) {
+    soul = inlineResource('AgentSoul', `${name}-inline-soul`, namespace, spec.organizationRef || organizationRef, { personaRef: name, content: spec.soul.inline });
+  } else if (spec.soul?.ref) {
+    soul = resolveProfileRef({ resources, kind: 'AgentSoul', ref: spec.soul.ref, organizationRef, errors });
+  }
+  let appearance = null;
+  if (spec.appearance?.inline) {
+    appearance = inlineResource('AgentAppearance', `${name}-inline-appearance`, namespace, spec.organizationRef || organizationRef, { personaRef: name, ...spec.appearance.inline });
+  } else if (spec.appearance?.ref) {
+    appearance = resolveProfileRef({ resources, kind: 'AgentAppearance', ref: spec.appearance.ref, organizationRef, errors });
+  }
+  let voiceProfile = null;
+  if (spec.voiceProfile?.inline) {
+    voiceProfile = inlineResource('AgentVoiceProfile', `${name}-inline-voice`, namespace, spec.organizationRef || organizationRef, { personaRef: name, ...spec.voiceProfile.inline });
+  } else if (spec.voiceProfile?.ref) {
+    voiceProfile = resolveProfileRef({ resources, kind: 'AgentVoiceProfile', ref: spec.voiceProfile.ref, organizationRef, errors });
+  }
+  return { error: errors.length > 0, persona, soul, appearance, voiceProfile, errors };
+}
+export function resolveAgentDefinition(definitionRef, { resources = {}, organizationRef = 'default' } = {}) {
+  const errors = [];
+  const definition = typeof definitionRef === 'string' ? findByName(resources, 'AgentDefinition', definitionRef, organizationRef) : definitionRef;
+  if (!definition) {
+    return { error: true, definition: null, persona: null, soul: null, appearance: null, voiceProfile: null, stack: null, errors: [`AgentDefinition not found: ${definitionRef}`] };
+  }
+  const validation = validateAgentDefinition(definition);
+  errors.push(...validation.errors);
+  const resolvedPersona = resolveAgentPersona(definition.spec?.personaRef, { resources, organizationRef: definition.spec?.organizationRef || organizationRef });
+  errors.push(...resolvedPersona.errors);
+  const stackRef = definition.spec?.stackRef;
+  const stack = stackRef ? findByName(resources, 'AgentStack', stackRef, definition.spec?.organizationRef || organizationRef) : null;
+  if (stackRef && !stack) errors.push(`AgentStack not found: ${stackRef}`);
+  return {
+    error: errors.length > 0,
+    definition,
+    persona: resolvedPersona.persona,
+    soul: resolvedPersona.soul,
+    appearance: resolvedPersona.appearance,
+    voiceProfile: resolvedPersona.voiceProfile,
+    stack,
+    errors,
+  };
+}
+export function createAgentPersonaController() {
+  return {
+    role: 'agent-persona-controller',
+    validateAgentPersona,
+    validateAgentDefinition,
+    resolveAgentPersona,
+    resolveAgentDefinition,
+    summarizeProfile(resolved) {
+      return {
+        definition: clone(resolved.definition),
+        persona: clone(resolved.persona),
+        soul: clone(resolved.soul),
+        appearance: clone(resolved.appearance),
+        voiceProfile: clone(resolved.voiceProfile),
+        stack: clone(resolved.stack),
+        errors: clone(resolved.errors || []),
+      };
+    }
+  };
+}

package/src/agent-project-controller.js ADDED Viewed

@@ -0,0 +1,117 @@
+// Agent Project Controller — Slice 1.2d
+// Manages KradleProject resources: validation, workflow columns, board state, and issue assignment.
+export const AGENT_PROJECT_CONTROLLER_BOUNDARY = {
+  role: 'agent-project-controller',
+  scope: 'KradleProject lifecycle: validation, workflow column definitions, board state management, issue assignment tracking',
+  owns: ['project validation', 'workflow columns', 'board state', 'default column resolution', 'issue assignment tracking'],
+  delegatesTo: ['resource-model'],
+  mustNotOwn: ['issue content', 'PR lifecycle', 'dispatch execution', 'Agent Mux sessions']
+};
+const VALID_BOARD_STATES = ['active', 'archived'];
+/**
+ * Validate a KradleProject resource. Returns { valid, errors }.
+ * @param {object} resource
+ * @returns {{ valid: boolean, errors: string[] }}
+ */
+export function validateAgentProject(resource) {
+  const errors = [];
+  // Guard against null/undefined resource
+  if (resource == null) {
+    errors.push('resource must not be null or undefined');
+    return { valid: false, errors };
+  }
+  // Validate metadata.name
+  if (!resource?.metadata?.name) {
+    errors.push('metadata.name is required');
+  }
+  const spec = resource?.spec || {};
+  // Validate organizationRef
+  if (!spec.organizationRef) {
+    errors.push('spec.organizationRef is required');
+  }
+  // Validate workflowColumns — must be a non-empty array
+  const cols = spec.workflowColumns;
+  if (!Array.isArray(cols) || cols.length === 0) {
+    errors.push('spec.workflowColumns must be a non-empty array');
+  } else {
+    // Check for duplicate column IDs
+    const seen = new Set();
+    for (const col of cols) {
+      if (seen.has(col.id)) {
+        errors.push(`spec.workflowColumns contains duplicate column ID: "${col.id}"`);
+        break;
+      }
+      seen.add(col.id);
+    }
+  }
+  // Validate boardState if explicitly set
+  const boardState = spec.boardState;
+  if (boardState != null && !VALID_BOARD_STATES.includes(boardState)) {
+    errors.push(`spec.boardState "${boardState}" is not supported; valid states are: ${VALID_BOARD_STATES.join(', ')}`);
+  }
+  return { valid: errors.length === 0, errors };
+}
+/**
+ * Factory that returns a KradleProject controller instance.
+ */
+export function createAgentProjectController() {
+  return {
+    role: 'agent-project-controller',
+    /**
+     * Validate a KradleProject resource.
+     * @param {object} resource
+     * @returns {{ valid: boolean, errors: string[] }}
+     */
+    validate(resource) {
+      return validateAgentProject(resource);
+    },
+    /**
+     * Return the workflow columns for a project, in order.
+     * @param {object} resource
+     * @returns {Array<{ id: string, displayName: string, color: string, default?: boolean }>}
+     */
+    getWorkflowColumns(resource) {
+      const cols = resource?.spec?.workflowColumns;
+      if (!Array.isArray(cols)) {
+        return [];
+      }
+      return [...cols];
+    },
+    /**
+     * Return the default column — the one marked `default: true`, or the first column.
+     * @param {object} resource
+     * @returns {{ id: string, displayName: string, color: string, default?: boolean } | undefined}
+     */
+    getDefaultColumn(resource) {
+      const cols = Array.isArray(resource?.spec?.workflowColumns)
+        ? resource.spec.workflowColumns
+        : [];
+      const marked = cols.find((c) => c.default === true);
+      return marked ?? cols[0];
+    },
+    /**
+     * Return the board state for a project.
+     * Defaults to 'active' when spec.boardState is not set.
+     * @param {object} resource
+     * @returns {string}
+     */
+    getBoardState(resource) {
+      return resource?.spec?.boardState ?? 'active';
+    }
+  };
+}

package/src/agent-prompt-composition.js ADDED Viewed

@@ -0,0 +1,55 @@
+function addPart(parts, value) {
+  if (typeof value === 'string' && value.trim()) parts.push(value.trim());
+}
+function joinList(values) {
+  return Array.isArray(values) && values.length > 0 ? values.join(', ') : null;
+}
+export function composeAgentSystemPrompt({ soul = null, persona = null, definition = null, stack = null } = {}) {
+  const parts = [];
+  addPart(parts, soul?.spec?.content);
+  const personaSpec = persona?.spec || {};
+  const personaParts = [];
+  addPart(personaParts, personaSpec.displayName);
+  addPart(personaParts, personaSpec.tagline);
+  const personality = personaSpec.personality || {};
+  const personalityParts = [];
+  if (personality.communicationStyle) personalityParts.push(`Communication style: ${personality.communicationStyle}`);
+  if (personality.tone) personalityParts.push(`Tone: ${personality.tone}`);
+  if (personality.explanationDepth) personalityParts.push(`Explanation depth: ${personality.explanationDepth}`);
+  if (personality.humorLevel) personalityParts.push(`Humor level: ${personality.humorLevel}`);
+  if (personality.language) personalityParts.push(`Language: ${personality.language}`);
+  const traits = joinList(personality.traits);
+  if (traits) personalityParts.push(`Traits: ${traits}`);
+  addPart(personaParts, personalityParts.join('. '));
+  const role = personaSpec.role || {};
+  const roleParts = [];
+  if (role.title) roleParts.push(`Role: ${role.title}`);
+  if (role.domain) roleParts.push(`Domain: ${role.domain}`);
+  const expertise = joinList(role.expertise);
+  if (expertise) roleParts.push(`Expertise: ${expertise}`);
+  addPart(personaParts, roleParts.join('. '));
+  const skills = joinList(personaSpec.skillRefs);
+  if (skills) personaParts.push(`Skills: ${skills}`);
+  const knowledge = joinList(personaSpec.knowledgeRefs);
+  if (knowledge) personaParts.push(`Knowledge: ${knowledge}`);
+  addPart(parts, personaParts.join('\n'));
+  addPart(parts, definition?.spec?.roleContext);
+  addPart(parts, stack?.spec?.systemPrompt);
+  return parts.join('\n\n');
+}
+export function composeAgentPrompt({ soul = null, persona = null, definition = null, stack = null } = {}) {
+  const legacyPrompts = persona?.spec?.legacyPrompts || {};
+  return {
+    system: composeAgentSystemPrompt({ soul, persona, definition, stack }) || null,
+    developer: legacyPrompts.developerPrompt || stack?.spec?.developerPrompt || null,
+    task: legacyPrompts.taskPrompt || stack?.spec?.taskPrompt || null,
+  };
+}