npm - @a5c-ai/kradle - Versions diffs - 5.0.1-staging.3abdf9534c25 - Mend

@a5c-ai/kradle 5.0.1-staging.3abdf9534c25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/Dockerfile +31 -0
package/README.md +187 -0
package/bin/kradle-demo.mjs +23 -0
package/bin/kradle-server.mjs +14 -0
package/dist/kradle-controller-ui.json +3482 -0
package/dist/kradle-lifecycle.json +201 -0
package/dist/kradle-runtime-snapshot.json +3125 -0
package/dist/kradle-summary.json +724 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-kradle-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/architecture-v2.md +2759 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/crd-behaviors-and-relationships.md +3926 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/integration-and-design-decisions.md +1530 -0
package/docs/kradle-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/openapi.yaml +1291 -0
package/docs/product-requirements.md +62 -0
package/docs/requirements-v2.md +235 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/sdk-api-reference.md +1108 -0
package/docs/system-requirements.md +90 -0
package/docs/system-spec-v2.md +1230 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/docs/web-console-spec.md +533 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +66 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +95 -0
package/scripts/validate-ui.mjs +305 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +549 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-identity-migration.js +115 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +589 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-persona-controller.js +135 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-prompt-composition.js +55 -0
package/src/agent-provider-config-controller.js +151 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +421 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +387 -0
package/src/agent-workspace-controller.js +702 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +621 -0
package/src/argocd-gitops.js +43 -0
package/src/artifact-registry-controller.js +542 -0
package/src/assistant-runtime.js +284 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +310 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +112 -0
package/src/controller-ui.js +620 -0
package/src/data-plane.js +179 -0
package/src/event-bus.js +397 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +221 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +131 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/health-probes.js +134 -0
package/src/hooks-events.js +63 -0
package/src/hooks-lifecycle.js +117 -0
package/src/http-server.js +409 -0
package/src/identity-policy.js +86 -0
package/src/index.js +71 -0
package/src/jitsi-agent-bridge.js +141 -0
package/src/jitsi-meeting-controller.js +291 -0
package/src/jitsi-sync-controller.js +198 -0
package/src/kradle-inference-service-controller.js +246 -0
package/src/kubernetes-controller-async.js +531 -0
package/src/kubernetes-controller.js +904 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/model-route-controller.js +364 -0
package/src/notification-controller.js +178 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +282 -0
package/src/runner-controller.js +272 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/virtual-model-controller.js +538 -0
package/src/virtual-model-hook-bridge.js +200 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +679 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-identity-migration.test.js +87 -0
package/tests/agent-memory-controller.test.js +461 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +389 -0
package/tests/agent-mux-integration.test.js +971 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-persona-controller.test.js +127 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-prompt-composition.test.js +76 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +303 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +283 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +271 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/artifact-registry.test.js +511 -0
package/tests/assistant-runtime.test.js +506 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/codespace-controller.test.js +318 -0
package/tests/controller-client.test.js +133 -0
package/tests/deployment.test.js +527 -0
package/tests/e2e/lifecycle.test.js +120 -0
package/tests/event-bus-integration.test.js +355 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +415 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +223 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/health-probes.test.js +90 -0
package/tests/hooks-lifecycle.test.js +364 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/jitsi-agent-bridge.test.js +119 -0
package/tests/jitsi-helm-integration.test.js +77 -0
package/tests/jitsi-meeting-controller.test.js +170 -0
package/tests/jitsi-resource-model.test.js +73 -0
package/tests/jitsi-sync-controller.test.js +112 -0
package/tests/kradle-inference-service.test.js +689 -0
package/tests/kradle.test.js +779 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/model-route-controller.test.js +733 -0
package/tests/notification-controller.test.js +196 -0
package/tests/notification-integration.test.js +179 -0
package/tests/org-scoping.test.js +687 -0
package/tests/runner-controller.test.js +327 -0
package/tests/runner-integration.test.js +231 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +315 -0
package/tests/sse-events.test.js +107 -0
package/tests/virtual-model-controller.test.js +877 -0
package/tests/virtual-model-hook-bridge.test.js +384 -0
package/tests/webhook-trigger.test.js +198 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/src/agent-provider-config-controller.js ADDED Viewed

@@ -0,0 +1,151 @@
+// Agent Provider Config Controller — Slice 1.2c
+// Manages AgentProviderConfig resources: model provider config validation,
+// endpoint resolution, credential ref validation, and feature flag management.
+export const AGENT_PROVIDER_CONFIG_CONTROLLER_BOUNDARY = {
+  role: 'agent-provider-config-controller',
+  scope: 'AgentProviderConfig lifecycle: validation, endpoint resolution, credential ref validation, feature flags',
+  owns: ['provider config validation', 'endpoint resolution', 'credential ref validation', 'feature flag defaults', 'rate limit defaults'],
+  delegatesTo: ['resource-model'],
+  mustNotOwn: ['secret values', 'dispatch execution', 'Agent Mux sessions', 'adapter implementation']
+};
+const VALID_PROVIDER_TYPES = ['anthropic', 'openai', 'azure-openai', 'google-vertex', 'foundry', 'custom', 'kserve'];
+const DEFAULT_ENDPOINTS = Object.freeze({
+  anthropic: 'https://api.anthropic.com/v1',
+  openai: 'https://api.openai.com/v1',
+  'azure-openai': null,   // requires explicit endpoint (tenant-specific)
+  'google-vertex': 'https://us-central1-aiplatform.googleapis.com/v1',
+  foundry: null,          // requires explicit endpoint
+  custom: null,           // requires explicit endpoint
+  kserve: null            // requires explicit endpoint from InferenceService discovery
+});
+const DEFAULT_FEATURE_FLAGS = Object.freeze({
+  streaming: true,
+  tool_use: true,
+  vision: false
+});
+const DEFAULT_RATE_LIMITS = Object.freeze({
+  requestsPerMinute: 60,
+  tokensPerMinute: 100000
+});
+/**
+ * Validate an AgentProviderConfig resource. Returns { valid, errors }.
+ * @param {object} resource
+ * @returns {{ valid: boolean, errors: string[] }}
+ */
+export function validateAgentProviderConfig(resource) {
+  const errors = [];
+  // Guard against null/undefined resource
+  if (resource == null) {
+    errors.push('resource must not be null or undefined');
+    return { valid: false, errors };
+  }
+  // Validate metadata.name
+  if (!resource?.metadata?.name) {
+    errors.push('metadata.name is required');
+  }
+  const spec = resource?.spec || {};
+  // Validate providerType
+  const providerType = spec.providerType;
+  if (!providerType) {
+    errors.push(`spec.providerType is required; valid types are: ${VALID_PROVIDER_TYPES.join(', ')}`);
+  } else if (!VALID_PROVIDER_TYPES.includes(providerType)) {
+    errors.push(`spec.providerType "${providerType}" is not supported; valid types are: ${VALID_PROVIDER_TYPES.join(', ')}`);
+  }
+  // Validate credentialRef — always required for security
+  if (!spec.credentialRef) {
+    errors.push('spec.credentialRef is required; provide a Kubernetes Secret name for the API key');
+  }
+  return { valid: errors.length === 0, errors };
+}
+/**
+ * Factory that returns an AgentProviderConfig controller instance.
+ */
+export function createAgentProviderConfigController() {
+  return {
+    role: 'agent-provider-config-controller',
+    /**
+     * Validate an AgentProviderConfig resource.
+     * @param {object} resource
+     * @returns {{ valid: boolean, errors: string[] }}
+     */
+    validate(resource) {
+      return validateAgentProviderConfig(resource);
+    },
+    /**
+     * Resolve the effective API endpoint for a provider config.
+     * Returns the explicit spec.endpoint if set, otherwise falls back to
+     * the well-known default for the provider type.
+     * @param {object} resource
+     * @returns {string|null}
+     */
+    resolveEndpoint(resource) {
+      if (resource == null) {
+        throw new Error('resource must not be null or undefined');
+      }
+      const spec = resource?.spec || {};
+      // If an explicit endpoint is set in spec, prefer it
+      if (spec.endpoint) {
+        return spec.endpoint;
+      }
+      // Fall back to the known default for the provider type
+      const providerType = spec.providerType;
+      return DEFAULT_ENDPOINTS[providerType] ?? null;
+    },
+    /**
+     * Return the effective feature flags for a provider config.
+     * Merges spec.featureFlags with defaults; spec values take precedence.
+     * @param {object} resource
+     * @returns {{ streaming: boolean, tool_use: boolean, vision: boolean, [key: string]: boolean }}
+     */
+    getFeatureFlags(resource) {
+      if (resource == null) {
+        throw new Error('resource must not be null or undefined');
+      }
+      const specFlags = resource?.spec?.featureFlags ?? {};
+      return { ...DEFAULT_FEATURE_FLAGS, ...specFlags };
+    },
+    /**
+     * Return the effective rate limit configuration for a provider config.
+     * Merges spec.rateLimits with defaults; spec values take precedence.
+     * @param {object} resource
+     * @returns {{ requestsPerMinute: number, tokensPerMinute: number }}
+     */
+    getRateLimits(resource) {
+      if (resource == null) {
+        throw new Error('resource must not be null or undefined');
+      }
+      const specLimits = resource?.spec?.rateLimits ?? {};
+      return {
+        requestsPerMinute: specLimits.requestsPerMinute ?? DEFAULT_RATE_LIMITS.requestsPerMinute,
+        tokensPerMinute: specLimits.tokensPerMinute ?? DEFAULT_RATE_LIMITS.tokensPerMinute
+      };
+    },
+    /**
+     * Return the list of supported provider types.
+     * @returns {string[]}
+     */
+    getSupportedProviderTypes() {
+      return [...VALID_PROVIDER_TYPES];
+    }
+  };
+}

package/src/agent-secret-config-grant-controller.js ADDED Viewed

@@ -0,0 +1,282 @@
+// Agent Secret/Config Grant Controller — Secret & ConfigMap grant lifecycle
+//
+// Provides:
+//   - createAgentSecretGrantController() — validates AgentSecretGrant resources
+//   - createAgentConfigGrantController() — validates AgentConfigGrant resources
+//   - listGrantsForAgent(agentRef) — filter grants by target agent
+//   - revokeGrant(grantName) — mark a grant as revoked
+import { createResource, clone } from './resource-model.js';
+export const AGENT_SECRET_GRANT_CONTROLLER_BOUNDARY = {
+  role: 'agent-secret-grant-controller',
+  scope: 'AgentSecretGrant lifecycle — creation, listing, revocation for agent-to-secret access grants',
+  owns: ['grant creation', 'grant listing', 'grant revocation', 'input validation'],
+  delegatesTo: ['resource-model'],
+  mustNotOwn: ['Kubernetes Secret storage', 'agent execution', 'secret value decryption', 'UI rendering']
+};
+export const AGENT_CONFIG_GRANT_CONTROLLER_BOUNDARY = {
+  role: 'agent-config-grant-controller',
+  scope: 'AgentConfigGrant lifecycle — creation, listing, revocation for agent-to-configmap access grants',
+  owns: ['grant creation', 'grant listing', 'grant revocation', 'input validation'],
+  delegatesTo: ['resource-model'],
+  mustNotOwn: ['Kubernetes ConfigMap storage', 'agent execution', 'UI rendering']
+};
+const VALID_PERMISSIONS = new Set(['read', 'use', 'mount']);
+// ---------------------------------------------------------------------------
+// Validation helpers
+// ---------------------------------------------------------------------------
+/**
+ * Validate an AgentSecretGrant input.
+ *
+ * @param {object} input
+ * @returns {{ valid: boolean, errors: string[] }}
+ */
+export function validateAgentSecretGrant(input) {
+  const errors = [];
+  if (!input) return { valid: false, errors: ['input must not be null or undefined'] };
+  if (!input.name || typeof input.name !== 'string') errors.push('name is required and must be a non-empty string');
+  if (!input.orgRef || typeof input.orgRef !== 'string') errors.push('orgRef is required and must be a non-empty string');
+  if (!input.secretName || typeof input.secretName !== 'string') errors.push('secretName is required and must be a non-empty string');
+  if (!input.grantedTo || typeof input.grantedTo !== 'string') errors.push('grantedTo is required and must be a non-empty string');
+  if (!Array.isArray(input.permissions) || input.permissions.length === 0) {
+    errors.push('permissions is required and must be a non-empty array');
+  } else {
+    const invalid = input.permissions.filter((p) => !VALID_PERMISSIONS.has(p));
+    if (invalid.length > 0) errors.push(`invalid permissions: ${invalid.join(', ')}. Valid values: ${[...VALID_PERMISSIONS].join(', ')}`);
+  }
+  return { valid: errors.length === 0, errors };
+}
+/**
+ * Validate an AgentConfigGrant input.
+ *
+ * @param {object} input
+ * @returns {{ valid: boolean, errors: string[] }}
+ */
+export function validateAgentConfigGrant(input) {
+  const errors = [];
+  if (!input) return { valid: false, errors: ['input must not be null or undefined'] };
+  if (!input.name || typeof input.name !== 'string') errors.push('name is required and must be a non-empty string');
+  if (!input.orgRef || typeof input.orgRef !== 'string') errors.push('orgRef is required and must be a non-empty string');
+  if (!input.configMapName || typeof input.configMapName !== 'string') errors.push('configMapName is required and must be a non-empty string');
+  if (!input.grantedTo || typeof input.grantedTo !== 'string') errors.push('grantedTo is required and must be a non-empty string');
+  return { valid: errors.length === 0, errors };
+}
+// ---------------------------------------------------------------------------
+// listGrantsForAgent — shared utility
+// ---------------------------------------------------------------------------
+/**
+ * Filter grants by the grantedTo (agent ref) field from a collection of grant resources.
+ *
+ * @param {object[]} grants  Array of AgentSecretGrant or AgentConfigGrant resources
+ * @param {string}   agentRef  The agent identifier to filter by
+ * @returns {object[]}
+ */
+export function listGrantsForAgent(grants, agentRef) {
+  if (!agentRef) return [];
+  return grants.filter((g) => g.spec?.grantedTo === agentRef || g.spec?.subject === agentRef);
+}
+// ---------------------------------------------------------------------------
+// revokeGrant — shared utility
+// ---------------------------------------------------------------------------
+/**
+ * Mark a grant as revoked by returning an updated copy of the resource.
+ *
+ * @param {object[]} grants  Array of grant resources
+ * @param {string}   grantName  Name of the grant to revoke
+ * @returns {{ grant: object } | { error: true, reason: string, message: string }}
+ */
+export function revokeGrant(grants, grantName) {
+  if (!grantName) return { error: true, reason: 'missing-name', message: 'grantName is required' };
+  const found = grants.find((g) => g.metadata?.name === grantName);
+  if (!found) return { error: true, reason: 'not-found', message: `Grant not found: ${grantName}` };
+  if (found.status?.phase === 'Revoked') {
+    return { error: true, reason: 'already-revoked', message: `Grant "${grantName}" is already revoked` };
+  }
+  const updated = clone(found);
+  updated.status = {
+    ...updated.status,
+    phase: 'Revoked',
+    revokedAt: new Date().toISOString()
+  };
+  return { grant: updated };
+}
+// ---------------------------------------------------------------------------
+// createAgentSecretGrantController
+// ---------------------------------------------------------------------------
+/**
+ * Create a controller for AgentSecretGrant resources.
+ *
+ * @param {{ persistFn?: (resource: object) => Promise<any> }} [opts]
+ * @returns {object}
+ */
+export function createAgentSecretGrantController({ persistFn } = {}) {
+  function persist(resource) {
+    if (typeof persistFn === 'function') {
+      Promise.resolve(persistFn(resource)).catch(() => {});
+    }
+  }
+  return {
+    role: 'agent-secret-grant-controller',
+    /**
+     * Create an AgentSecretGrant resource.
+     *
+     * @param {{ name, orgRef, secretName, grantedTo, permissions, namespace?, keys? }} input
+     * @returns {{ grant: object } | { error: true, message: string }}
+     */
+    createSecretGrant({
+      name,
+      orgRef,
+      secretName,
+      grantedTo,
+      permissions = ['read'],
+      namespace = 'default',
+      keys = []
+    }) {
+      const validation = validateAgentSecretGrant({ name, orgRef, secretName, grantedTo, permissions });
+      if (!validation.valid) {
+        return { error: true, message: validation.errors.join('; ') };
+      }
+      const now = new Date().toISOString();
+      const grant = createResource('AgentSecretGrant', { name, namespace }, {
+        organizationRef: orgRef,
+        orgRef,
+        secretName,
+        secretRef: secretName,
+        grantedTo,
+        subject: grantedTo,
+        permissions,
+        keys,
+        purpose: permissions.join(',')
+      });
+      grant.status = { phase: 'Active', createdAt: now };
+      persist(grant);
+      return { grant };
+    },
+    /**
+     * List all grants for a specific agent.
+     *
+     * @param {string}   agentRef
+     * @param {object[]} grants
+     * @returns {object[]}
+     */
+    listGrantsForAgent(agentRef, grants = []) {
+      return listGrantsForAgent(grants, agentRef);
+    },
+    /**
+     * Revoke a grant by name.
+     *
+     * @param {string}   grantName
+     * @param {object[]} grants
+     * @returns {{ grant: object } | { error: true, reason: string, message: string }}
+     */
+    revokeGrant(grantName, grants = []) {
+      const result = revokeGrant(grants, grantName);
+      if (!result.error && result.grant) persist(result.grant);
+      return result;
+    }
+  };
+}
+// ---------------------------------------------------------------------------
+// createAgentConfigGrantController
+// ---------------------------------------------------------------------------
+/**
+ * Create a controller for AgentConfigGrant resources.
+ *
+ * @param {{ persistFn?: (resource: object) => Promise<any> }} [opts]
+ * @returns {object}
+ */
+export function createAgentConfigGrantController({ persistFn } = {}) {
+  function persist(resource) {
+    if (typeof persistFn === 'function') {
+      Promise.resolve(persistFn(resource)).catch(() => {});
+    }
+  }
+  return {
+    role: 'agent-config-grant-controller',
+    /**
+     * Create an AgentConfigGrant resource.
+     *
+     * @param {{ name, orgRef, configMapName, grantedTo, namespace?, keys? }} input
+     * @returns {{ grant: object } | { error: true, message: string }}
+     */
+    createConfigGrant({
+      name,
+      orgRef,
+      configMapName,
+      grantedTo,
+      namespace = 'default',
+      keys = []
+    }) {
+      const validation = validateAgentConfigGrant({ name, orgRef, configMapName, grantedTo });
+      if (!validation.valid) {
+        return { error: true, message: validation.errors.join('; ') };
+      }
+      const now = new Date().toISOString();
+      const grant = createResource('AgentConfigGrant', { name, namespace }, {
+        organizationRef: orgRef,
+        orgRef,
+        configMapName,
+        configMapRef: configMapName,
+        grantedTo,
+        subject: grantedTo,
+        keys,
+        purpose: 'read'
+      });
+      grant.status = { phase: 'Active', createdAt: now };
+      persist(grant);
+      return { grant };
+    },
+    /**
+     * List all grants for a specific agent.
+     *
+     * @param {string}   agentRef
+     * @param {object[]} grants
+     * @returns {object[]}
+     */
+    listGrantsForAgent(agentRef, grants = []) {
+      return listGrantsForAgent(grants, agentRef);
+    },
+    /**
+     * Revoke a grant by name.
+     *
+     * @param {string}   grantName
+     * @param {object[]} grants
+     * @returns {{ grant: object } | { error: true, reason: string, message: string }}
+     */
+    revokeGrant(grantName, grants = []) {
+      const result = revokeGrant(grants, grantName);
+      if (!result.error && result.grant) persist(result.grant);
+      return result;
+    }
+  };
+}

package/src/agent-session-transcript-controller.js ADDED Viewed

@@ -0,0 +1,189 @@
+// Agent Session Transcript Controller — Slice 1.2e
+// Manages AgentSessionTranscript resources: durable transcript storage,
+// message indexing, and pagination support.
+export const AGENT_SESSION_TRANSCRIPT_CONTROLLER_BOUNDARY = {
+  role: 'agent-session-transcript-controller',
+  scope: 'AgentSessionTranscript lifecycle: validation, message indexing, pagination, role/tool filtering',
+  owns: ['transcript validation', 'message indexing', 'pagination', 'role filter', 'tool name filter'],
+  delegatesTo: ['resource-model'],
+  mustNotOwn: ['session lifecycle', 'dispatch execution', 'Agent Mux sessions', 'secret values']
+};
+const VALID_ROLES = ['user', 'assistant', 'tool', 'system'];
+/**
+ * Validate an AgentSessionTranscript resource. Returns { valid, errors }.
+ * @param {object} resource
+ * @returns {{ valid: boolean, errors: string[] }}
+ */
+export function validateAgentSessionTranscript(resource) {
+  const errors = [];
+  // Guard against null/undefined resource
+  if (resource == null) {
+    errors.push('resource must not be null or undefined');
+    return { valid: false, errors };
+  }
+  // Validate metadata.name
+  if (!resource?.metadata?.name) {
+    errors.push('metadata.name is required');
+  }
+  const spec = resource?.spec || {};
+  // Validate organizationRef
+  if (!spec.organizationRef) {
+    errors.push('spec.organizationRef is required');
+  }
+  // Validate sessionRef
+  if (!spec.sessionRef) {
+    errors.push('spec.sessionRef is required; provide the AgentSession ID this transcript is linked to');
+  }
+  // Validate messages — must be an array (can be empty for a new transcript)
+  const messages = spec.messages;
+  if (!Array.isArray(messages)) {
+    errors.push('spec.messages must be an array');
+  } else {
+    // Validate each message shape
+    for (let i = 0; i < messages.length; i++) {
+      const msg = messages[i];
+      if (msg == null || typeof msg !== 'object') {
+        errors.push(`spec.messages[${i}] must be an object`);
+        continue;
+      }
+      if (!msg.role) {
+        errors.push(`spec.messages[${i}].role is required`);
+      } else if (!VALID_ROLES.includes(msg.role)) {
+        errors.push(`spec.messages[${i}].role "${msg.role}" is not valid; valid roles are: ${VALID_ROLES.join(', ')}`);
+      }
+      if (msg.content == null) {
+        errors.push(`spec.messages[${i}].content is required`);
+      }
+    }
+  }
+  // Validate pageSize if explicitly set
+  const pageSize = spec.pageSize;
+  if (pageSize != null && (!Number.isInteger(pageSize) || pageSize < 1)) {
+    errors.push('spec.pageSize must be a positive integer when specified');
+  }
+  return { valid: errors.length === 0, errors };
+}
+/**
+ * Factory that returns an AgentSessionTranscript controller instance.
+ */
+export function createAgentSessionTranscriptController() {
+  return {
+    role: 'agent-session-transcript-controller',
+    /**
+     * Validate an AgentSessionTranscript resource.
+     * @param {object} resource
+     * @returns {{ valid: boolean, errors: string[] }}
+     */
+    validate(resource) {
+      return validateAgentSessionTranscript(resource);
+    },
+    /**
+     * Return all messages in the transcript, in order.
+     * @param {object} resource
+     * @returns {Array<{ role: string, content: string, timestamp?: string, toolCalls?: object[] }>}
+     */
+    getMessages(resource) {
+      if (resource == null) {
+        throw new Error('resource must not be null or undefined');
+      }
+      const messages = resource?.spec?.messages;
+      if (!Array.isArray(messages)) {
+        return [];
+      }
+      return [...messages];
+    },
+    /**
+     * Return the total number of messages in the transcript.
+     * @param {object} resource
+     * @returns {number}
+     */
+    getTotalMessages(resource) {
+      if (resource == null) {
+        throw new Error('resource must not be null or undefined');
+      }
+      const messages = resource?.spec?.messages;
+      return Array.isArray(messages) ? messages.length : 0;
+    },
+    /**
+     * Return a page of messages from the transcript.
+     * @param {object} resource
+     * @param {number} pageIndex - zero-based page index
+     * @param {number} [pageSizeOverride] - override spec.pageSize (defaults to spec.pageSize or 20)
+     * @returns {{ messages: object[], pageIndex: number, pageSize: number, totalMessages: number, totalPages: number }}
+     */
+    getPage(resource, pageIndex, pageSizeOverride) {
+      if (resource == null) {
+        throw new Error('resource must not be null or undefined');
+      }
+      const messages = Array.isArray(resource?.spec?.messages) ? resource.spec.messages : [];
+      const pageSize = pageSizeOverride ?? resource?.spec?.pageSize ?? 20;
+      const totalMessages = messages.length;
+      const totalPages = Math.max(1, Math.ceil(totalMessages / pageSize));
+      const safePageIndex = Math.max(0, Math.min(pageIndex, totalPages - 1));
+      const start = safePageIndex * pageSize;
+      const end = start + pageSize;
+      return {
+        messages: messages.slice(start, end),
+        pageIndex: safePageIndex,
+        pageSize,
+        totalMessages,
+        totalPages
+      };
+    },
+    /**
+     * Return all messages filtered by role.
+     * @param {object} resource
+     * @param {string} role - one of: user, assistant, tool, system
+     * @returns {Array<object>}
+     */
+    getMessagesByRole(resource, role) {
+      if (resource == null) {
+        throw new Error('resource must not be null or undefined');
+      }
+      const messages = Array.isArray(resource?.spec?.messages) ? resource.spec.messages : [];
+      return messages.filter((m) => m.role === role);
+    },
+    /**
+     * Return all messages that contain a tool call with the given tool name.
+     * @param {object} resource
+     * @param {string} toolName
+     * @returns {Array<object>}
+     */
+    getMessagesByToolName(resource, toolName) {
+      if (resource == null) {
+        throw new Error('resource must not be null or undefined');
+      }
+      const messages = Array.isArray(resource?.spec?.messages) ? resource.spec.messages : [];
+      return messages.filter((m) => {
+        if (!Array.isArray(m.toolCalls)) return false;
+        return m.toolCalls.some((tc) => tc.name === toolName);
+      });
+    },
+    /**
+     * Return the list of valid message roles.
+     * @returns {string[]}
+     */
+    getValidRoles() {
+      return [...VALID_ROLES];
+    }
+  };
+}