npm - @a5c-ai/kradle - Versions diffs - 5.0.1-staging.3abdf9534c25 - Mend

@a5c-ai/kradle 5.0.1-staging.3abdf9534c25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (295) hide show

package/Dockerfile +31 -0
package/README.md +187 -0
package/bin/kradle-demo.mjs +23 -0
package/bin/kradle-server.mjs +14 -0
package/dist/kradle-controller-ui.json +3482 -0
package/dist/kradle-lifecycle.json +201 -0
package/dist/kradle-runtime-snapshot.json +3125 -0
package/dist/kradle-summary.json +724 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-kradle-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/architecture-v2.md +2759 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/crd-behaviors-and-relationships.md +3926 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/integration-and-design-decisions.md +1530 -0
package/docs/kradle-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/openapi.yaml +1291 -0
package/docs/product-requirements.md +62 -0
package/docs/requirements-v2.md +235 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/sdk-api-reference.md +1108 -0
package/docs/system-requirements.md +90 -0
package/docs/system-spec-v2.md +1230 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/docs/web-console-spec.md +533 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +66 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +95 -0
package/scripts/validate-ui.mjs +305 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +549 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-identity-migration.js +115 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +589 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-persona-controller.js +135 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-prompt-composition.js +55 -0
package/src/agent-provider-config-controller.js +151 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +421 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +387 -0
package/src/agent-workspace-controller.js +702 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +621 -0
package/src/argocd-gitops.js +43 -0
package/src/artifact-registry-controller.js +542 -0
package/src/assistant-runtime.js +284 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +310 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +112 -0
package/src/controller-ui.js +620 -0
package/src/data-plane.js +179 -0
package/src/event-bus.js +397 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +221 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +131 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/health-probes.js +134 -0
package/src/hooks-events.js +63 -0
package/src/hooks-lifecycle.js +117 -0
package/src/http-server.js +409 -0
package/src/identity-policy.js +86 -0
package/src/index.js +71 -0
package/src/jitsi-agent-bridge.js +141 -0
package/src/jitsi-meeting-controller.js +291 -0
package/src/jitsi-sync-controller.js +198 -0
package/src/kradle-inference-service-controller.js +246 -0
package/src/kubernetes-controller-async.js +531 -0
package/src/kubernetes-controller.js +904 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/model-route-controller.js +364 -0
package/src/notification-controller.js +178 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +282 -0
package/src/runner-controller.js +272 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/virtual-model-controller.js +538 -0
package/src/virtual-model-hook-bridge.js +200 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +679 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-identity-migration.test.js +87 -0
package/tests/agent-memory-controller.test.js +461 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +389 -0
package/tests/agent-mux-integration.test.js +971 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-persona-controller.test.js +127 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-prompt-composition.test.js +76 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +303 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +283 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +271 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/artifact-registry.test.js +511 -0
package/tests/assistant-runtime.test.js +506 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/codespace-controller.test.js +318 -0
package/tests/controller-client.test.js +133 -0
package/tests/deployment.test.js +527 -0
package/tests/e2e/lifecycle.test.js +120 -0
package/tests/event-bus-integration.test.js +355 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +415 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +223 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/health-probes.test.js +90 -0
package/tests/hooks-lifecycle.test.js +364 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/jitsi-agent-bridge.test.js +119 -0
package/tests/jitsi-helm-integration.test.js +77 -0
package/tests/jitsi-meeting-controller.test.js +170 -0
package/tests/jitsi-resource-model.test.js +73 -0
package/tests/jitsi-sync-controller.test.js +112 -0
package/tests/kradle-inference-service.test.js +689 -0
package/tests/kradle.test.js +779 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/model-route-controller.test.js +733 -0
package/tests/notification-controller.test.js +196 -0
package/tests/notification-integration.test.js +179 -0
package/tests/org-scoping.test.js +687 -0
package/tests/runner-controller.test.js +327 -0
package/tests/runner-integration.test.js +231 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +315 -0
package/tests/sse-events.test.js +107 -0
package/tests/virtual-model-controller.test.js +877 -0
package/tests/virtual-model-hook-bridge.test.js +384 -0
package/tests/webhook-trigger.test.js +198 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/tests/agent-memory-controller.test.js ADDED Viewed

@@ -0,0 +1,461 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { createKradleApiController, createResource } from '../src/index.js';
+import { createAgentMemoryController } from '../src/agent-memory-controller.js';
+function makeRecords() {
+  return [
+    {
+      id: 'service/auth-api',
+      nodeKind: 'Service',
+      attributes: { name: 'auth-api', language: 'typescript', team: 'platform' },
+      edges: [
+        { target: 'service/user-db', kind: 'depends-on' },
+        { target: 'team/platform', kind: 'owned-by' },
+      ],
+    },
+    {
+      id: 'service/user-db',
+      nodeKind: 'Service',
+      attributes: { name: 'user-db', language: 'go', team: 'data' },
+      edges: [
+        { target: 'infra/postgres-cluster', kind: 'depends-on' },
+      ],
+    },
+    {
+      id: 'team/platform',
+      nodeKind: 'Team',
+      attributes: { name: 'platform', lead: 'alice' },
+      edges: [],
+    },
+    {
+      id: 'infra/postgres-cluster',
+      nodeKind: 'Infrastructure',
+      attributes: { name: 'postgres-cluster', provider: 'aws' },
+      edges: [],
+    },
+    {
+      id: 'runbook/deploy-auth',
+      nodeKind: 'Runbook',
+      attributes: { name: 'deploy-auth', service: 'auth-api' },
+      edges: [
+        { target: 'service/auth-api', kind: 'references' },
+      ],
+    },
+  ];
+}
+function makeDocuments() {
+  return [
+    { path: 'docs/architecture.md', content: 'The auth-api service handles authentication.\nIt uses JWT tokens for session management.\nThe service connects to user-db for persistence.' },
+    { path: 'docs/runbooks/deploy.md', content: 'Step 1: Run the deploy script.\nStep 2: Verify health checks.\nStep 3: Monitor error rates.' },
+    { path: 'src/auth/handler.ts', content: 'export function handleAuth(req) {\n  const token = req.headers.authorization;\n  return validateToken(token);\n}' },
+    { path: 'configs/prod.yaml', content: 'database:\n  host: prod-db.internal\n  port: 5432\n  password: [redacted]' },
+  ];
+}
+function createRecordingGateway({ snapshotResources = {}, failKinds = new Set() } = {}) {
+  const applied = [];
+  return {
+    namespace: 'kradle-system',
+    resourceDefinitions: {},
+    applied,
+    async snapshot() {
+      return { resources: snapshotResources, namespace: 'kradle-system' };
+    },
+    async list() {
+      return { items: [] };
+    },
+    async get() {
+      return null;
+    },
+    async apply(resource) {
+      if (failKinds.has(resource.kind)) {
+        throw new Error(`apply failed for ${resource.kind}`);
+      }
+      applied.push(JSON.parse(JSON.stringify(resource)));
+      return { operation: 'apply', resource };
+    },
+    async delete() {
+      return { operation: 'delete' };
+    },
+    watch() {
+      return { close: () => {} };
+    },
+  };
+}
+function makeDispatchResources() {
+  return {
+    AgentStack: [
+      createResource('AgentStack', { name: 'mem-stack', namespace: 'kradle-org-acme' }, {
+        organizationRef: 'acme',
+        baseAgent: 'claude-code',
+        adapter: 'claude-code',
+        provider: 'anthropic',
+        runtimeIdentity: { serviceAccountRef: 'sa-default' },
+      }),
+    ],
+    AgentServiceAccount: [
+      createResource('AgentServiceAccount', { name: 'sa-default', namespace: 'kradle-org-acme' }, {
+        organizationRef: 'acme',
+        namespace: 'kradle-org-acme',
+        serviceAccountName: 'sa-default',
+      }),
+    ],
+    AgentRoleBinding: [
+      createResource('AgentRoleBinding', { name: 'rb-default', namespace: 'kradle-org-acme' }, {
+        organizationRef: 'acme',
+        subject: 'sa-default',
+        roleRef: 'agent-developer',
+        scope: 'namespace',
+      }),
+    ],
+    AgentSecretGrant: [
+      createResource('AgentSecretGrant', { name: 'sg-model', namespace: 'kradle-org-acme' }, {
+        organizationRef: 'acme',
+        subject: 'sa-default',
+        secretRef: 'model-secret',
+        purpose: 'model-provider',
+      }),
+    ],
+    AgentMemoryRepository: [
+      createResource('AgentMemoryRepository', { name: 'company-brain', namespace: 'kradle-org-acme' }, {
+        organizationRef: 'acme',
+        repositoryRef: 'memory-repo',
+        defaultBranch: 'main',
+        layoutProfile: 'standard',
+      }),
+    ],
+  };
+}
+test('createMemorySnapshot creates valid resource with digests', () => {
+  const controller = createAgentMemoryController();
+  const records = makeRecords();
+  const documents = makeDocuments();
+  const snapshot = controller.createMemorySnapshot({
+    memoryRepository: 'company-brain',
+    requestedRef: 'main',
+    resolvedCommit: 'abc123def456',
+    queryManifest: { include: ['Service', 'Team'] },
+    selectedRecords: records,
+    selectedDocuments: documents,
+    ontologyDigest: 'onto-digest-1',
+    namespace: 'kradle-org-default',
+    organizationRef: 'acme',
+  });
+  assert.equal(snapshot.kind, 'AgentMemorySnapshot');
+  assert.ok(snapshot.metadata.name.startsWith('memsnapshot-'));
+  assert.equal(snapshot.spec.memoryRepository, 'company-brain');
+  assert.equal(snapshot.spec.requestedRef, 'main');
+  assert.equal(snapshot.spec.resolvedCommit, 'abc123def456');
+  assert.ok(snapshot.spec.queryManifestDigest, 'Should have queryManifestDigest');
+  assert.ok(snapshot.spec.selectedRecordsDigest, 'Should have selectedRecordsDigest');
+  assert.ok(snapshot.spec.selectedDocumentsDigest, 'Should have selectedDocumentsDigest');
+  assert.equal(snapshot.spec.ontologyDigest, 'onto-digest-1');
+  assert.equal(snapshot.spec.recordCount, records.length);
+  assert.equal(snapshot.spec.documentCount, documents.length);
+  assert.equal(snapshot.status.phase, 'Pinned');
+});
+test('searchGraph filters by node kind', () => {
+  const controller = createAgentMemoryController();
+  const records = makeRecords();
+  const result = controller.searchGraph({ records, kinds: ['Service'], query: '' });
+  assert.equal(result.totalMatches, 2, 'Should match exactly 2 Service records');
+  assert.ok(result.matches.every(m => m.record.nodeKind === 'Service'));
+});
+test('searchGraph matches query text', () => {
+  const controller = createAgentMemoryController();
+  const records = makeRecords();
+  const result = controller.searchGraph({ records, kinds: [], query: 'auth' });
+  assert.ok(result.totalMatches >= 1, 'Should match at least auth-api');
+  const authMatch = result.matches.find(m => m.record.id === 'service/auth-api');
+  assert.ok(authMatch, 'Should include auth-api in matches');
+  assert.equal(authMatch.score, 2, 'ID match should score 2');
+});
+test('searchGraph respects edgeDepth', () => {
+  const controller = createAgentMemoryController();
+  const records = makeRecords();
+  // edgeDepth=1: from auth-api should reach user-db and team/platform but NOT postgres-cluster
+  const depth1 = controller.searchGraph({ records, kinds: ['Service'], query: 'auth-api', edgeDepth: 1 });
+  const authMatch1 = depth1.matches.find(m => m.record.id === 'service/auth-api');
+  assert.ok(authMatch1, 'Should find auth-api');
+  const depth1Targets = authMatch1.edges.map(e => e.target);
+  assert.ok(depth1Targets.includes('service/user-db'), 'Depth 1 should include user-db');
+  assert.ok(!depth1Targets.includes('infra/postgres-cluster'), 'Depth 1 should NOT include postgres-cluster');
+  // edgeDepth=2: should also reach postgres-cluster
+  const depth2 = controller.searchGraph({ records, kinds: ['Service'], query: 'auth-api', edgeDepth: 2 });
+  const authMatch2 = depth2.matches.find(m => m.record.id === 'service/auth-api');
+  const depth2Targets = authMatch2.edges.map(e => e.target);
+  assert.ok(depth2Targets.includes('infra/postgres-cluster'), 'Depth 2 should include postgres-cluster');
+});
+test('searchGrep finds pattern matches', () => {
+  const controller = createAgentMemoryController();
+  const documents = makeDocuments();
+  const result = controller.searchGrep({ documents, pattern: 'auth', maxMatches: 25 });
+  assert.ok(result.totalMatches >= 1, 'Should find auth pattern');
+  assert.ok(result.excerpts.some(e => e.path === 'docs/architecture.md'), 'Should match in architecture.md');
+  assert.ok(result.excerpts.every(e => e.lineNumber > 0), 'Every excerpt should have a lineNumber');
+  assert.ok(result.excerpts.every(e => typeof e.context === 'string'), 'Every excerpt should have context');
+});
+test('searchGrep caps at maxMatches', () => {
+  const controller = createAgentMemoryController();
+  const documents = makeDocuments();
+  const result = controller.searchGrep({ documents, pattern: 'the', maxMatches: 2 });
+  assert.ok(result.totalMatches <= 2, 'Should not exceed maxMatches');
+  assert.ok(result.excerpts.length <= 2, 'Excerpts length should not exceed maxMatches');
+});
+test('searchGrep filters by path patterns', () => {
+  const controller = createAgentMemoryController();
+  const documents = makeDocuments();
+  const result = controller.searchGrep({ documents, paths: ['docs/*'], pattern: 'deploy' });
+  assert.ok(result.totalMatches >= 1, 'Should find deploy in docs');
+  assert.ok(result.excerpts.every(e => e.path.startsWith('docs/')), 'All matches should be in docs/');
+});
+test('resolveTimeTravel mode=current returns latest commit', () => {
+  const controller = createAgentMemoryController();
+  const commits = [
+    { sha: 'latest-sha', timestamp: '2026-05-10T10:00:00Z' },
+    { sha: 'older-sha', timestamp: '2026-05-09T10:00:00Z' },
+  ];
+  const result = controller.resolveTimeTravel({ mode: 'current', commits });
+  assert.equal(result.resolvedCommit, 'latest-sha');
+  assert.equal(result.mode, 'current');
+  assert.ok(result.resolvedAt);
+});
+test('resolveTimeTravel mode=ref-at-time finds correct commit', () => {
+  const controller = createAgentMemoryController();
+  const commits = [
+    { sha: 'c3', timestamp: '2026-05-10T10:00:00Z' },
+    { sha: 'c2', timestamp: '2026-05-08T10:00:00Z' },
+    { sha: 'c1', timestamp: '2026-05-05T10:00:00Z' },
+  ];
+  const result = controller.resolveTimeTravel({
+    mode: 'ref-at-time',
+    requestedTime: '2026-05-09T00:00:00Z',
+    commits,
+  });
+  assert.equal(result.resolvedCommit, 'c2', 'Should resolve to c2 (latest before requested time)');
+  assert.equal(result.mode, 'ref-at-time');
+  assert.ok(result.staleBy !== null, 'staleBy should be set');
+});
+test('scanForRedaction catches API keys', () => {
+  const controller = createAgentMemoryController();
+  const content = 'API_KEY = sk-test1234567890abcdefghij\nSome normal text\nSECRET_KEY=my-super-secret-value';
+  const result = controller.scanForRedaction(content);
+  assert.equal(result.clean, false, 'Content should not be clean');
+  assert.ok(result.redactionCount > 0, 'Should have redactions');
+  assert.ok(result.redactionsByKind['secret-key'] > 0, 'Should catch secret-key pattern');
+  assert.ok(result.redactedContent.includes('[REDACTED:'), 'Redacted content should have markers');
+  assert.ok(!result.redactedContent.includes('my-super-secret-value'), 'Secret should be redacted');
+});
+test('scanForRedaction catches provider tokens', () => {
+  const controller = createAgentMemoryController();
+  const content = 'token: ghp_abcdefghijklmnopqrstuvwxyz1234567890\nslack: xoxb-123-456-abcdefghij';
+  const result = controller.scanForRedaction(content);
+  assert.equal(result.clean, false);
+  assert.ok(result.redactionsByKind['provider-token'] > 0, 'Should catch provider-token pattern');
+});
+test('validateOntology catches missing required fields', () => {
+  const controller = createAgentMemoryController();
+  const records = [
+    { id: 'svc/a', nodeKind: 'Service', attributes: { name: 'a' }, edges: [] },
+    { id: 'svc/b', nodeKind: 'Service', attributes: { name: 'b', language: 'go' }, edges: [] },
+  ];
+  const ontology = {
+    requiredFields: { Service: ['name', 'language', 'team'] },
+    allowedEdgeKinds: ['depends-on', 'owned-by'],
+  };
+  const result = controller.validateOntology({ records, ontology });
+  assert.equal(result.valid, false, 'Should be invalid due to missing fields');
+  assert.ok(result.errors.length >= 2, 'Should have errors for missing language and team on svc/a, and team on svc/b');
+  const missingLang = result.errors.find(e => e.record === 'svc/a' && e.field === 'language');
+  assert.ok(missingLang, 'Should report missing language on svc/a');
+  const missingTeam = result.errors.find(e => e.record === 'svc/a' && e.field === 'team');
+  assert.ok(missingTeam, 'Should report missing team on svc/a');
+});
+test('validateOntology passes valid records', () => {
+  const controller = createAgentMemoryController();
+  const records = [
+    { id: 'svc/a', nodeKind: 'Service', attributes: { name: 'a', language: 'ts' }, edges: [{ target: 'svc/b', kind: 'depends-on' }] },
+    { id: 'svc/b', nodeKind: 'Service', attributes: { name: 'b', language: 'go' }, edges: [] },
+  ];
+  const ontology = {
+    requiredFields: { Service: ['name', 'language'] },
+    allowedEdgeKinds: ['depends-on', 'owned-by'],
+  };
+  const result = controller.validateOntology({ records, ontology });
+  assert.equal(result.valid, true, 'Should be valid');
+  assert.equal(result.errors.length, 0);
+});
+test('createImport sets phase=Pending', () => {
+  const controller = createAgentMemoryController();
+  const importResource = controller.createImport({
+    organizationRef: 'acme',
+    memoryRepository: 'company-brain',
+    source: 'babysitter-run/run-123',
+    include: { kinds: ['decision', 'learning'] },
+    validationPolicy: 'strict',
+    namespace: 'kradle-org-default',
+  });
+  assert.equal(importResource.kind, 'AgentRunMemoryImport');
+  assert.ok(importResource.metadata.name.startsWith('memimport-'));
+  assert.equal(importResource.status.phase, 'Pending');
+  assert.equal(importResource.spec.memoryRepository, 'company-brain');
+  assert.equal(importResource.spec.source, 'babysitter-run/run-123');
+  assert.equal(importResource.spec.validationPolicy, 'strict');
+});
+test('api-controller createMemoryImport applies returned AgentRunMemoryImport in org namespace', async () => {
+  const gateway = createRecordingGateway();
+  const controller = createKradleApiController({ resourceGateway: gateway });
+  const result = await controller.createMemoryImport({
+    organizationRef: 'acme',
+    memoryRepository: 'company-brain',
+    source: 'babysitter-run/run-123',
+    include: { kinds: ['decision'] },
+    validationPolicy: 'strict',
+  });
+  const appliedImport = gateway.applied.find((resource) => resource.kind === 'AgentRunMemoryImport');
+  assert.ok(appliedImport, 'AgentRunMemoryImport must be applied durably');
+  assert.equal(appliedImport.metadata.namespace, 'kradle-org-acme');
+  assert.equal(appliedImport.spec.organizationRef, 'acme');
+  assert.equal(result.importResource?.metadata?.name || result.metadata?.name, appliedImport.metadata.name);
+  assert.ok(result.applyResult, 'result should expose the apply result');
+});
+test('api-controller createMemoryImport propagates apply failures', async () => {
+  const gateway = createRecordingGateway({ failKinds: new Set(['AgentRunMemoryImport']) });
+  const controller = createKradleApiController({ resourceGateway: gateway });
+  await assert.rejects(
+    () => controller.createMemoryImport({
+      organizationRef: 'acme',
+      memoryRepository: 'company-brain',
+      source: 'babysitter-run/run-123',
+      include: { kinds: ['decision'] },
+    }),
+    /apply failed for AgentRunMemoryImport/
+  );
+});
+test('api-controller createMemoryUpdate applies returned AgentMemoryUpdate in org namespace', async () => {
+  const gateway = createRecordingGateway();
+  const controller = createKradleApiController({ resourceGateway: gateway });
+  assert.equal(typeof controller.createMemoryUpdate, 'function', 'controller must expose createMemoryUpdate');
+  const result = await controller.createMemoryUpdate({
+    organizationRef: 'acme',
+    memoryRepository: 'company-brain',
+    sourceRun: 'dispatch-123',
+    changes: [{ op: 'add', path: 'records/service-api' }],
+  });
+  const appliedUpdate = gateway.applied.find((resource) => resource.kind === 'AgentMemoryUpdate');
+  assert.ok(appliedUpdate, 'AgentMemoryUpdate must be applied durably');
+  assert.equal(appliedUpdate.metadata.namespace, 'kradle-org-acme');
+  assert.equal(appliedUpdate.spec.organizationRef, 'acme');
+  assert.equal(result.update?.metadata?.name || result.metadata?.name, appliedUpdate.metadata.name);
+});
+test('api-controller dispatchAgent applies returned AgentMemorySnapshot in org namespace', async () => {
+  const gateway = createRecordingGateway({ snapshotResources: makeDispatchResources() });
+  const controller = createKradleApiController({ resourceGateway: gateway });
+  const result = await controller.dispatchAgent({
+    agentStack: 'mem-stack',
+    repository: 'repo',
+    ref: 'main',
+    taskKind: 'diagnostic',
+    actor: 'owner',
+    organizationRef: 'acme',
+    namespace: 'kradle-org-acme',
+  });
+  assert.equal(result.error, false);
+  const appliedSnapshot = gateway.applied.find((resource) => resource.kind === 'AgentMemorySnapshot');
+  assert.ok(appliedSnapshot, 'AgentMemorySnapshot returned by dispatch must be applied durably');
+  assert.equal(appliedSnapshot.metadata.namespace, 'kradle-org-acme');
+  assert.equal(appliedSnapshot.spec.organizationRef, 'acme');
+  assert.equal(result.memorySnapshot.metadata.name, appliedSnapshot.metadata.name);
+});
+test('processImport advances phases', () => {
+  const controller = createAgentMemoryController();
+  let importResource = controller.createImport({
+    organizationRef: 'acme',
+    memoryRepository: 'company-brain',
+    source: 'run-1',
+    include: { kinds: ['all'] },
+    namespace: 'kradle-org-default',
+  });
+  assert.equal(importResource.status.phase, 'Pending');
+  // Pending -> Collecting
+  importResource = controller.processImport({ importResource, content: 'some content' });
+  assert.equal(importResource.status.phase, 'Collecting');
+  // Collecting -> Redacting (triggers scanForRedaction)
+  importResource = controller.processImport({ importResource, content: 'API_KEY=secret123' });
+  assert.equal(importResource.status.phase, 'Redacting');
+  assert.ok(importResource.status.redactionScan, 'Should have redaction scan result');
+  assert.equal(importResource.status.redactionScan.clean, false, 'Should detect secret');
+  // Redacting -> Normalizing
+  importResource = controller.processImport({ importResource, content: 'normalized' });
+  assert.equal(importResource.status.phase, 'Normalizing');
+  // Normalizing -> Validating
+  importResource = controller.processImport({ importResource, content: 'validated' });
+  assert.equal(importResource.status.phase, 'Validating');
+  // Validating -> AwaitingReview
+  importResource = controller.processImport({ importResource, content: '' });
+  assert.equal(importResource.status.phase, 'AwaitingReview');
+});