npm - @a5c-ai/kradle - Versions diffs - 5.0.1-staging.3abdf9534c25 - Mend

@a5c-ai/kradle 5.0.1-staging.3abdf9534c25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/Dockerfile +31 -0
package/README.md +187 -0
package/bin/kradle-demo.mjs +23 -0
package/bin/kradle-server.mjs +14 -0
package/dist/kradle-controller-ui.json +3482 -0
package/dist/kradle-lifecycle.json +201 -0
package/dist/kradle-runtime-snapshot.json +3125 -0
package/dist/kradle-summary.json +724 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-kradle-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/architecture-v2.md +2759 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/crd-behaviors-and-relationships.md +3926 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/integration-and-design-decisions.md +1530 -0
package/docs/kradle-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/openapi.yaml +1291 -0
package/docs/product-requirements.md +62 -0
package/docs/requirements-v2.md +235 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/sdk-api-reference.md +1108 -0
package/docs/system-requirements.md +90 -0
package/docs/system-spec-v2.md +1230 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/docs/web-console-spec.md +533 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +66 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +95 -0
package/scripts/validate-ui.mjs +305 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +549 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-identity-migration.js +115 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +589 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-persona-controller.js +135 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-prompt-composition.js +55 -0
package/src/agent-provider-config-controller.js +151 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +421 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +387 -0
package/src/agent-workspace-controller.js +702 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +621 -0
package/src/argocd-gitops.js +43 -0
package/src/artifact-registry-controller.js +542 -0
package/src/assistant-runtime.js +284 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +310 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +112 -0
package/src/controller-ui.js +620 -0
package/src/data-plane.js +179 -0
package/src/event-bus.js +397 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +221 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +131 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/health-probes.js +134 -0
package/src/hooks-events.js +63 -0
package/src/hooks-lifecycle.js +117 -0
package/src/http-server.js +409 -0
package/src/identity-policy.js +86 -0
package/src/index.js +71 -0
package/src/jitsi-agent-bridge.js +141 -0
package/src/jitsi-meeting-controller.js +291 -0
package/src/jitsi-sync-controller.js +198 -0
package/src/kradle-inference-service-controller.js +246 -0
package/src/kubernetes-controller-async.js +531 -0
package/src/kubernetes-controller.js +904 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/model-route-controller.js +364 -0
package/src/notification-controller.js +178 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +282 -0
package/src/runner-controller.js +272 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/virtual-model-controller.js +538 -0
package/src/virtual-model-hook-bridge.js +200 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +679 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-identity-migration.test.js +87 -0
package/tests/agent-memory-controller.test.js +461 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +389 -0
package/tests/agent-mux-integration.test.js +971 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-persona-controller.test.js +127 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-prompt-composition.test.js +76 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +303 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +283 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +271 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/artifact-registry.test.js +511 -0
package/tests/assistant-runtime.test.js +506 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/codespace-controller.test.js +318 -0
package/tests/controller-client.test.js +133 -0
package/tests/deployment.test.js +527 -0
package/tests/e2e/lifecycle.test.js +120 -0
package/tests/event-bus-integration.test.js +355 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +415 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +223 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/health-probes.test.js +90 -0
package/tests/hooks-lifecycle.test.js +364 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/jitsi-agent-bridge.test.js +119 -0
package/tests/jitsi-helm-integration.test.js +77 -0
package/tests/jitsi-meeting-controller.test.js +170 -0
package/tests/jitsi-resource-model.test.js +73 -0
package/tests/jitsi-sync-controller.test.js +112 -0
package/tests/kradle-inference-service.test.js +689 -0
package/tests/kradle.test.js +779 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/model-route-controller.test.js +733 -0
package/tests/notification-controller.test.js +196 -0
package/tests/notification-integration.test.js +179 -0
package/tests/org-scoping.test.js +687 -0
package/tests/runner-controller.test.js +327 -0
package/tests/runner-integration.test.js +231 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +315 -0
package/tests/sse-events.test.js +107 -0
package/tests/virtual-model-controller.test.js +877 -0
package/tests/virtual-model-hook-bridge.test.js +384 -0
package/tests/webhook-trigger.test.js +198 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/tests/agent-dispatch-controller.test.js ADDED Viewed

@@ -0,0 +1,679 @@
+import assert from 'node:assert/strict';
+import test, { describe, it } from 'node:test';
+import { createAgentDispatchController, createAgentMuxClient, createResource } from '../src/index.js';
+function makeStack(name, spec = {}) {
+  return createResource('AgentStack', { name, namespace: 'kradle-org-default' }, {
+    organizationRef: 'default',
+    baseAgent: 'claude-code',
+    adapter: 'claude-code',
+    provider: 'anthropic',
+    runtimeIdentity: { serviceAccountRef: 'sa-default' },
+    ...spec
+  });
+}
+function createMockResourceGateway() {
+  const applied = [];
+  return {
+    applied,
+    async apply(resource) { applied.push(resource); return resource; },
+    async get() { return null; },
+    async delete() {},
+  };
+}
+function makeServiceAccount(name) {
+  return createResource('AgentServiceAccount', { name, namespace: 'kradle-org-default' }, {
+    organizationRef: 'default',
+    namespace: 'kradle-org-default',
+    serviceAccountName: name
+  });
+}
+function makeRoleBinding(name, subject) {
+  return createResource('AgentRoleBinding', { name, namespace: 'kradle-org-default' }, {
+    organizationRef: 'default',
+    subject,
+    roleRef: 'agent-developer',
+    scope: 'namespace'
+  });
+}
+function makeSecretGrant(name, subject, purpose) {
+  return createResource('AgentSecretGrant', { name, namespace: 'kradle-org-default' }, {
+    organizationRef: 'default',
+    subject,
+    secretRef: 'secret-' + purpose,
+    purpose
+  });
+}
+function buildValidResources(stackName) {
+  return {
+    AgentStack: [makeStack(stackName)],
+    AgentServiceAccount: [makeServiceAccount('sa-default')],
+    AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-default')],
+    AgentSecretGrant: [makeSecretGrant('sg-model', 'sa-default', 'model-provider')]
+  };
+}
+function addIdentityResources(resources, { definitionName = 'aria-reviewer', personaName = 'aria', stackName = 'dispatch-stack' } = {}) {
+  return {
+    ...resources,
+    AgentDefinition: [
+      createResource('AgentDefinition', { name: definitionName, namespace: 'kradle-org-default' }, {
+        organizationRef: 'default',
+        personaRef: personaName,
+        stackRef: stackName,
+        roleContext: 'Review pull requests for authentication security.'
+      })
+    ],
+    AgentPersona: [
+      createResource('AgentPersona', { name: personaName, namespace: 'kradle-org-default' }, {
+        organizationRef: 'default',
+        displayName: 'Aria',
+        personality: { communicationStyle: 'direct', tone: 'professional' },
+        role: { title: 'Senior Reviewer', domain: 'Security' },
+        soul: { ref: 'aria-soul' }
+      })
+    ],
+    AgentSoul: [
+      createResource('AgentSoul', { name: 'aria-soul', namespace: 'kradle-org-default' }, {
+        organizationRef: 'default',
+        personaRef: personaName,
+        content: 'You are Aria, a security-focused code reviewer.'
+      })
+    ]
+  };
+}
+test('Successful dispatch with Agent Mux available', async () => {
+  // Use a mux client with a mock resource gateway so job submission succeeds
+  const gw = createMockResourceGateway();
+  const muxClient = createAgentMuxClient({ resourceGateway: gw });
+  const resources = buildValidResources('dispatch-stack');
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'dispatch-stack',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, false, 'Dispatch should succeed');
+  assert.ok(result.run, 'Result should include run resource');
+  assert.ok(result.attempt, 'Result should include attempt resource');
+  assert.ok(result.contextBundle, 'Result should include contextBundle resource');
+  assert.ok(result.permissionSnapshot, 'Result should include permissionSnapshot');
+  assert.equal(result.run.kind, 'AgentDispatchRun');
+  assert.equal(result.attempt.kind, 'AgentDispatchAttempt');
+  assert.equal(result.run.status.phase, 'Running', 'Run phase should be Running when job submits');
+  assert.ok(result.attempt.status.jobName, 'Attempt should have jobName');
+  assert.ok(result.attempt.status.jobSubmitted, 'Attempt should have jobSubmitted=true');
+  assert.ok(result.attempt.status.startedAt, 'Attempt should have startedAt timestamp');
+  assert.ok(result.run.spec.jobRef, 'Run should have jobRef');
+  assert.ok(result.jobResult, 'Result should include jobResult');
+  assert.equal(result.jobResult.submitted, true, 'Job should be submitted');
+  // Verify the K8s Job was applied to the gateway
+  assert.equal(gw.applied.length, 1, 'One Job should be applied');
+  assert.equal(gw.applied[0].kind, 'Job', 'Applied resource should be a Job');
+});
+test('Meeting-aware dispatch injects meeting context only for Jitsi-capable stacks', async () => {
+  const gw = createMockResourceGateway();
+  const muxClient = createAgentMuxClient({ resourceGateway: gw });
+  const resources = buildValidResources('meeting-stack');
+  resources.AgentStack[0].spec.jitsiCapability = true;
+  resources.AgentStack[0].spec.jitsiConfig = { participantName: 'Standup Bot', role: 'observer', capabilities: { chat: 'readwrite' } };
+  resources.JitsiMeeting = [
+    createResource('JitsiMeeting', { name: 'daily', namespace: 'kradle-org-default' }, {
+      organizationRef: 'default',
+      providerRef: 'jitsi-prod',
+      roomId: 'daily-default',
+      ttlMinutes: 30,
+    }, {
+      phase: 'Active',
+      roomUrl: 'https://meet.example/daily-default',
+    })
+  ];
+  const controller = createAgentDispatchController({
+    agentMuxClient: muxClient,
+  });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'meeting-stack',
+    meetingRef: 'daily',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, false);
+  assert.equal(result.run.spec.meetingRef, 'daily');
+  assert.equal(result.run.spec.meetingContext.roomId, 'daily-default');
+  assert.equal(result.run.spec.meetingContext.jwt, undefined);
+  assert.ok(gw.applied[0].spec.template.spec.containers.some((container) => container.name === 'jitsi-agent-sidecar'));
+  const sidecar = gw.applied[0].spec.template.spec.containers.find((container) => container.name === 'jitsi-agent-sidecar');
+  assert.match(sidecar.env.find((entry) => entry.name === 'JITSI_JWT').value, /^kradle-jitsi\./);
+});
+test('Non-Jitsi stack with meetingRef is rejected before job creation', async () => {
+  const gw = createMockResourceGateway();
+  const muxClient = createAgentMuxClient({ resourceGateway: gw });
+  const resources = buildValidResources('plain-stack');
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'plain-stack',
+    meetingRef: 'daily',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, true);
+  assert.equal(result.reason, 'meeting-not-supported');
+  assert.equal(gw.applied.length, 0);
+});
+test('Dispatch with Agent Mux unavailable (no resource gateway)', async () => {
+  // When no resourceGateway is provided, job submission throws
+  const muxClient = createAgentMuxClient({});
+  const resources = buildValidResources('dispatch-stack');
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'dispatch-stack',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, false, 'Dispatch should still succeed (queued)');
+  assert.equal(result.run.status.phase, 'Queued', 'Run phase should be Queued when job submission fails');
+  assert.ok(result.run.status.conditions, 'Run should have conditions');
+  const jobCondition = result.run.status.conditions.find(c => c.type === 'JobSubmitted');
+  assert.ok(jobCondition, 'Should have JobSubmitted condition');
+  assert.equal(jobCondition.status, 'False', 'JobSubmitted should be False');
+});
+test('Dispatch denied by permission review', async () => {
+  const resources = {
+    AgentStack: [makeStack('denied-stack', { runtimeIdentity: { serviceAccountRef: 'sa-missing' } })],
+    // No service account, no role binding, no secret grant — permission review will deny
+  };
+  const controller = createAgentDispatchController();
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'denied-stack',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, true, 'Dispatch should be denied');
+  assert.equal(result.reason, 'permission-denied', 'Reason should be permission-denied');
+  assert.ok(result.review, 'Result should include the review details');
+  assert.equal(result.review.decision, 'denied');
+});
+test('Stack not found', async () => {
+  const resources = buildValidResources('existing-stack');
+  const controller = createAgentDispatchController();
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'nonexistent-stack',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, true, 'Dispatch should fail');
+  assert.equal(result.reason, 'stack-not-found', 'Reason should be stack-not-found');
+  assert.ok(result.message.includes('nonexistent-stack'), 'Message should name the missing stack');
+});
+test('AgentDefinition dispatch resolves to AgentStack before permission review and job creation', async () => {
+  const gw = createMockResourceGateway();
+  const muxClient = createAgentMuxClient({ resourceGateway: gw });
+  const resources = addIdentityResources(buildValidResources('definition-stack'), { stackName: 'definition-stack' });
+  const reviewed = [];
+  const permissionReviewer = {
+    reviewPermissions(input) {
+      reviewed.push(input);
+      return { decision: 'allow', reasons: [], grants: [], capabilities: {}, agentStack: input.agentStack };
+    },
+    createPermissionSnapshot(review) {
+      return { decision: review.decision, agentStack: review.agentStack };
+    }
+  };
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient, permissionReviewer });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentDefinition: 'aria-reviewer',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, false);
+  assert.equal(reviewed[0].agentStack, 'definition-stack');
+  assert.equal(result.run.spec.agentDefinition, 'aria-reviewer');
+  assert.equal(result.run.spec.agentStack, 'definition-stack');
+  assert.equal(result.attempt.spec.agentStackSnapshot.baseAgent, 'claude-code');
+  assert.equal(result.attempt.spec.agentDefinitionSnapshot.personaRef, 'aria');
+  assert.equal(result.attempt.spec.agentPersonaSnapshot.displayName, 'Aria');
+  assert.ok(gw.applied[0].spec.template.spec.containers[0].env.some((entry) => entry.name === 'KRADLE_STACK_NAME' && entry.value === 'definition-stack'));
+});
+test('AgentDefinition dispatch composes identity prompt for the job while legacy stack dispatch stays unchanged', async () => {
+  const gw = createMockResourceGateway();
+  const stackWithPrompt = makeStack('prompt-stack', { systemPrompt: 'Legacy stack system.', developerPrompt: 'Legacy developer.', taskPrompt: 'Legacy task.' });
+  const resources = addIdentityResources({
+    AgentStack: [stackWithPrompt],
+    AgentServiceAccount: [makeServiceAccount('sa-default')],
+    AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-default')],
+    AgentSecretGrant: [makeSecretGrant('sg-model', 'sa-default', 'model-provider')]
+  }, { stackName: 'prompt-stack' });
+  const controller = createAgentDispatchController({ agentMuxClient: createAgentMuxClient({ resourceGateway: gw }) });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentDefinition: 'aria-reviewer',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, false);
+  assert.ok(result.executionConfig.prompt.system.includes('You are Aria, a security-focused code reviewer.'));
+  assert.ok(result.executionConfig.prompt.system.includes('Aria'));
+  assert.ok(result.executionConfig.prompt.system.includes('Review pull requests for authentication security.'));
+  assert.ok(result.executionConfig.prompt.system.includes('Legacy stack system.'));
+  assert.equal(result.executionConfig.prompt.developer, 'Legacy developer.');
+  assert.equal(result.executionConfig.prompt.task, 'Legacy task.');
+});
+test('Legacy stack dispatch emits deprecation warning for inline identity fields', async () => {
+  const warnings = [];
+  const gw = createMockResourceGateway();
+  const resources = buildValidResources('legacy-prompt-stack');
+  resources.AgentStack[0].spec.systemPrompt = 'Legacy identity prompt.';
+  const controller = createAgentDispatchController({
+    agentMuxClient: createAgentMuxClient({ resourceGateway: gw }),
+    logger: { warn(message) { warnings.push(message); } },
+  });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'legacy-prompt-stack',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, false);
+  assert.equal(warnings.length, 1);
+  assert.match(warnings[0], /AgentStack "legacy-prompt-stack" has inline prompts or skills/);
+  assert.deepEqual(result.warnings, warnings);
+});
+test('Context bundle referenced correctly', async () => {
+  const muxClient = createAgentMuxClient({ gateway: '', enabled: false });
+  const resources = buildValidResources('ref-stack');
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'ref-stack',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, false, 'Dispatch should succeed');
+  assert.ok(result.contextBundle.spec.digest, 'Context bundle should have a digest');
+  assert.equal(
+    result.attempt.spec.contextBundleDigest,
+    result.contextBundle.spec.digest,
+    'Attempt contextBundleDigest should match context bundle digest'
+  );
+  assert.equal(
+    result.run.spec.contextBundleRef,
+    result.contextBundle.metadata.name,
+    'Run contextBundleRef should match context bundle name'
+  );
+});
+function makeMemoryRepository(name) {
+  return createResource('AgentMemoryRepository', { name, namespace: 'kradle-org-default' }, {
+    organizationRef: 'default',
+    repositoryRef: 'memory-repo',
+    defaultBranch: 'main',
+    layoutProfile: 'standard',
+  });
+}
+test('Dispatch with AgentMemoryRepository creates memorySnapshot', async () => {
+  const muxClient = createAgentMuxClient({ gateway: '', enabled: false });
+  const resources = {
+    ...buildValidResources('mem-stack'),
+    AgentMemoryRepository: [makeMemoryRepository('org-memory')],
+  };
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'mem-stack',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources,
+  });
+  assert.equal(result.error, false, 'Dispatch should succeed');
+  assert.ok(result.memorySnapshot, 'Result should include memorySnapshot');
+  assert.equal(result.memorySnapshot.kind, 'AgentMemorySnapshot', 'memorySnapshot should be an AgentMemorySnapshot');
+  assert.equal(result.memorySnapshot.spec.memoryRepository, 'org-memory', 'memorySnapshot should reference the memory repo');
+  assert.equal(result.memorySnapshot.status.phase, 'Pinned', 'memorySnapshot should be Pinned');
+  assert.equal(result.run.spec.memorySnapshotRef, result.memorySnapshot.metadata.name, 'Run should reference memorySnapshot');
+});
+test('Dispatch without memory repos has null memorySnapshot', async () => {
+  const muxClient = createAgentMuxClient({ gateway: '', enabled: false });
+  const resources = buildValidResources('no-mem-stack');
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'no-mem-stack',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources,
+  });
+  assert.equal(result.error, false, 'Dispatch should succeed');
+  assert.equal(result.memorySnapshot, null, 'memorySnapshot should be null when no AgentMemoryRepository');
+  assert.equal(result.run.spec.memorySnapshotRef, undefined, 'Run should not have memorySnapshotRef');
+});
+test('Dispatch with requires-approval returns early with awaitingApproval', async () => {
+  // Build resources where the secret grant has requiredApproval set,
+  // which causes the permission reviewer to return 'requires-approval'
+  const stack = makeStack('approval-stack');
+  const resources = {
+    AgentStack: [stack],
+    AgentServiceAccount: [makeServiceAccount('sa-default')],
+    AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-default')],
+    AgentSecretGrant: [makeSecretGrant('sg-model', 'sa-default', 'model-provider')],
+  };
+  // Add requiredApproval to the secret grant so permission review returns 'requires-approval'
+  resources.AgentSecretGrant[0].spec.requiredApproval = 'manager';
+  const controller = createAgentDispatchController();
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'approval-stack',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources,
+  });
+  assert.equal(result.error, false, 'Dispatch should not error — it is awaiting approval');
+  assert.equal(result.awaitingApproval, true, 'Result should indicate awaitingApproval');
+  assert.equal(result.run.status.phase, 'AwaitingApproval', 'Run phase should be AwaitingApproval');
+  assert.ok(result.approval, 'Result should include the approval resource');
+  assert.equal(result.approval.kind, 'AgentApproval', 'Approval should be an AgentApproval resource');
+  assert.equal(result.approval.status.phase, 'Pending', 'Approval should be in Pending phase');
+  assert.ok(result.permissionSnapshot, 'Result should include permissionSnapshot');
+  // No contextBundle or attempt since we returned early
+  assert.equal(result.contextBundle, undefined, 'No contextBundle when awaiting approval');
+  assert.equal(result.attempt, undefined, 'No attempt when awaiting approval');
+});
+test('Successful launch creates jobRef on run', async () => {
+  const gw = createMockResourceGateway();
+  const muxClient = createAgentMuxClient({ resourceGateway: gw });
+  const resources = buildValidResources('transcript-stack');
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'transcript-stack',
+    actor: 'test-user',
+    namespace: 'kradle-org-default',
+    organizationRef: 'default',
+    resources,
+  });
+  assert.equal(result.error, false, 'Dispatch should succeed');
+  assert.equal(result.run.status.phase, 'Running', 'Run phase should be Running');
+  assert.ok(result.run.spec.jobRef, 'Run should have jobRef in spec');
+  assert.ok(result.attempt.status.jobName, 'Attempt should have jobName');
+  assert.equal(result.attempt.status.jobSubmitted, true, 'Job should be submitted');
+  assert.equal(result.jobResult.submitted, true, 'jobResult.submitted should be true');
+});
+// ─── Budget Enforcement Tests ───────────────────────────────────────────────
+describe('checkBudget', () => {
+  const controller = createAgentDispatchController();
+  function makeRunWithBudget(name, budget = {}) {
+    const run = createResource('AgentDispatchRun', { name, namespace: 'default' }, {
+      organizationRef: 'default', repository: 'repo', sourceRefs: [], agentStack: 'stack', taskKind: 'diagnostic',
+      budget,
+    });
+    run.status = { phase: 'Running' };
+    return run;
+  }
+  it('returns exceeded=false when no budget set and event has no usage', () => {
+    const run = makeRunWithBudget('r1');
+    const result = controller.checkBudget(run, { type: 'message', role: 'assistant', content: 'hi' });
+    assert.equal(result.exceeded, false);
+  });
+  it('returns exceeded=false when tokens under maxTokens limit', () => {
+    const run = makeRunWithBudget('r2', { maxTokens: 10000 });
+    const result = controller.checkBudget(run, { usage: { inputTokens: 100, outputTokens: 50 } });
+    assert.equal(result.exceeded, false);
+    assert.equal(result.totalTokens, 150);
+  });
+  it('returns exceeded=true reason=token_limit when tokens exceed maxTokens', () => {
+    const run = makeRunWithBudget('r3', { maxTokens: 100 });
+    const result = controller.checkBudget(run, { usage: { inputTokens: 80, outputTokens: 50 } });
+    assert.equal(result.exceeded, true);
+    assert.equal(result.reason, 'token_limit');
+    assert.equal(result.current, 130);
+    assert.equal(result.limit, 100);
+  });
+  it('returns exceeded=false when cost under maxCostUsd', () => {
+    const run = makeRunWithBudget('r4', { maxCostUsd: 1.0 });
+    // claude-sonnet: 0.003/1k input, 0.015/1k output → 100 input + 50 output = 0.0003 + 0.00075 = ~$0.00105
+    const result = controller.checkBudget(run, { usage: { inputTokens: 100, outputTokens: 50 } });
+    assert.equal(result.exceeded, false);
+  });
+  it('returns exceeded=true reason=cost_limit when cost exceeds maxCostUsd', () => {
+    const run = makeRunWithBudget('r5', { maxCostUsd: 0.001 });
+    // 1M input tokens at $0.003/1k = $3.00 → exceeds $0.001
+    const result = controller.checkBudget(run, { usage: { inputTokens: 1000000, outputTokens: 0 } });
+    assert.equal(result.exceeded, true);
+    assert.equal(result.reason, 'cost_limit');
+  });
+  it('accumulates existing run.status.tokenUsage.totalTokens with event tokens', () => {
+    const run = makeRunWithBudget('r6', { maxTokens: 10000 });
+    run.status.tokenUsage = { inputTokens: 900, outputTokens: 100, totalTokens: 1000 };
+    const result = controller.checkBudget(run, { usage: { inputTokens: 50, outputTokens: 50 } });
+    assert.equal(result.exceeded, false);
+    assert.equal(result.totalTokens, 1100);
+  });
+  it('accumulates existing run.status.costUsd with event cost', () => {
+    const run = makeRunWithBudget('r7', { maxCostUsd: 100 });
+    run.status.costUsd = 50;
+    const result = controller.checkBudget(run, { usage: { inputTokens: 1000, outputTokens: 500 } });
+    assert.equal(result.exceeded, false);
+    assert.ok(result.totalCost > 50, 'totalCost should include existing costUsd');
+  });
+  it('uses Infinity limits when budget not set in spec', () => {
+    const run = makeRunWithBudget('r8');
+    // Very large usage — should not exceed Infinity
+    const result = controller.checkBudget(run, { usage: { inputTokens: 999999999, outputTokens: 999999999 } });
+    assert.equal(result.exceeded, false);
+  });
+});
+describe('persistSessionEvent — budget enforcement', () => {
+  const controller = createAgentDispatchController();
+  function makeRunWithBudget(name, budget = {}) {
+    const run = createResource('AgentDispatchRun', { name, namespace: 'default' }, {
+      organizationRef: 'default', repository: 'repo', sourceRefs: [], agentStack: 'stack', taskKind: 'diagnostic',
+      budget,
+    });
+    run.status = { phase: 'Running' };
+    return run;
+  }
+  function makeAttempt(runName) {
+    const attempt = createResource('AgentDispatchAttempt', { name: `${runName}-attempt-1` }, {
+      organizationRef: 'default', agentDispatchRun: runName, attemptReason: 'initial', agentStackSnapshot: {},
+    });
+    attempt.status = { agentMuxSessionId: 'sess-1', agentMuxRunId: 'amux-1' };
+    return attempt;
+  }
+  it('returns Failed run with failureReason=budget_exceeded when token limit exceeded', () => {
+    const run = makeRunWithBudget('bp1', { maxTokens: 10 });
+    const attempt = makeAttempt('bp1');
+    const result = controller.persistSessionEvent(
+      { type: 'message', role: 'assistant', content: 'hi', usage: { inputTokens: 5, outputTokens: 10 } },
+      run, attempt
+    );
+    assert.equal(result.run.status.phase, 'Failed');
+    assert.equal(result.run.status.failureReason, 'budget_exceeded');
+    assert.ok(result.run.status.budgetExceeded);
+    assert.equal(result.run.status.budgetExceeded.reason, 'token_limit');
+  });
+  it('budget-exceeded notification has reason=budget_exceeded', () => {
+    const run = makeRunWithBudget('bp2', { maxTokens: 1 });
+    const attempt = makeAttempt('bp2');
+    const result = controller.persistSessionEvent(
+      { type: 'message', role: 'assistant', content: 'hi', usage: { inputTokens: 5, outputTokens: 5 } },
+      run, attempt
+    );
+    assert.ok(result.notification, 'notification should be returned');
+    assert.equal(result.notification.reason, 'budget_exceeded');
+    assert.equal(result.notification.status, 'failed');
+  });
+  it('normal event with usage accumulates tokenUsage on run.status', () => {
+    const run = makeRunWithBudget('bp3', { maxTokens: 100000 });
+    const attempt = makeAttempt('bp3');
+    controller.persistSessionEvent(
+      { type: 'message', role: 'assistant', content: 'hello', usage: { inputTokens: 100, outputTokens: 50 } },
+      run, attempt
+    );
+    assert.ok(run.status.tokenUsage, 'run.status.tokenUsage should be set');
+    assert.equal(run.status.tokenUsage.inputTokens, 100);
+    assert.equal(run.status.tokenUsage.outputTokens, 50);
+    assert.equal(run.status.tokenUsage.totalTokens, 150);
+  });
+  it('event with usage accumulates costUsd on run.status', () => {
+    const run = makeRunWithBudget('bp4', { maxCostUsd: 1000 });
+    const attempt = makeAttempt('bp4');
+    controller.persistSessionEvent(
+      { type: 'message', role: 'assistant', content: 'hello', usage: { inputTokens: 1000, outputTokens: 500 }, model: 'claude-sonnet-4-20250514' },
+      run, attempt
+    );
+    // 1000 input at $0.003/1k + 500 output at $0.015/1k = $0.003 + $0.0075 = $0.0105
+    assert.ok(run.status.costUsd > 0, 'run.status.costUsd should be set');
+    assert.ok(Math.abs(run.status.costUsd - 0.0105) < 0.0001, `costUsd should be ~0.0105 but got ${run.status.costUsd}`);
+  });
+  it('budget check prevents event from being appended when limit exceeded', () => {
+    const run = makeRunWithBudget('bp5', { maxTokens: 10 });
+    const attempt = makeAttempt('bp5');
+    // Pre-set transcript to check it is NOT mutated
+    const existingTranscript = { spec: { messages: [] } };
+    const result = controller.persistSessionEvent(
+      { type: 'message', role: 'assistant', content: 'hi', usage: { inputTokens: 100, outputTokens: 100 } },
+      run, attempt, { transcript: existingTranscript }
+    );
+    // Budget exceeded before appending — messages should still be empty
+    assert.equal(result.transcript.spec.messages.length, 0);
+    assert.equal(result.run.status.phase, 'Failed');
+  });
+});
+describe('estimateCost — via checkBudget', () => {
+  const controller = createAgentDispatchController();
+  function makeRunWithBudget(name, budget = {}) {
+    const run = createResource('AgentDispatchRun', { name, namespace: 'default' }, {
+      organizationRef: 'default', repository: 'repo', sourceRefs: [], agentStack: 'stack', taskKind: 'diagnostic', budget,
+    });
+    run.status = { phase: 'Running' };
+    return run;
+  }
+  it('cost is 0 when event has no usage', () => {
+    const run = makeRunWithBudget('ec1');
+    const result = controller.checkBudget(run, { type: 'message', role: 'assistant', content: 'hi' });
+    assert.equal(result.totalCost, 0);
+  });
+  it('cost computed correctly for claude-sonnet-4-20250514 rates', () => {
+    const run = makeRunWithBudget('ec2');
+    // 1000 input @ $0.003/1k + 1000 output @ $0.015/1k = $0.003 + $0.015 = $0.018
+    const result = controller.checkBudget(run, {
+      usage: { inputTokens: 1000, outputTokens: 1000 },
+      model: 'claude-sonnet-4-20250514',
+    });
+    assert.ok(Math.abs(result.totalCost - 0.018) < 0.0001, `totalCost should be ~0.018 but got ${result.totalCost}`);
+  });
+});