npm - @a5c-ai/krate - Versions diffs - 5.0.1-staging.00fa5317c - Mend

@a5c-ai/krate 5.0.1-staging.00fa5317c

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (256) hide show

package/Dockerfile +31 -0
package/README.md +183 -0
package/bin/krate-demo.mjs +23 -0
package/bin/krate-server.mjs +14 -0
package/dist/krate-controller-ui.json +3205 -0
package/dist/krate-lifecycle.json +201 -0
package/dist/krate-runtime-snapshot.json +3125 -0
package/dist/krate-summary.json +724 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-krate-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/krate-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/openapi.yaml +1275 -0
package/docs/product-requirements.md +62 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/system-requirements.md +90 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +63 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +93 -0
package/scripts/validate-ui.mjs +278 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +209 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +280 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-provider-config-controller.js +150 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +347 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +381 -0
package/src/agent-workspace-controller.js +702 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +541 -0
package/src/argocd-gitops.js +43 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +307 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +72 -0
package/src/controller-ui.js +617 -0
package/src/data-plane.js +179 -0
package/src/event-bus.js +61 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +161 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +131 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/hooks-events.js +63 -0
package/src/http-server.js +377 -0
package/src/identity-policy.js +86 -0
package/src/index.js +57 -0
package/src/kubernetes-controller-async.js +511 -0
package/src/kubernetes-controller.js +878 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/notification-controller.js +178 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +221 -0
package/src/runner-controller.js +272 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +315 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-memory-controller.test.js +308 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +204 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +228 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +221 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +211 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/codespace-controller.test.js +318 -0
package/tests/deployment.test.js +407 -0
package/tests/e2e/lifecycle.test.js +117 -0
package/tests/event-bus-integration.test.js +190 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +340 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +215 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/krate.test.js +756 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/notification-controller.test.js +196 -0
package/tests/notification-integration.test.js +179 -0
package/tests/org-scoping.test.js +687 -0
package/tests/runner-controller.test.js +327 -0
package/tests/runner-integration.test.js +231 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +247 -0
package/tests/sse-events.test.js +107 -0
package/tests/webhook-trigger.test.js +198 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/tests/agent-memory-repository-source.test.js ADDED Viewed

@@ -0,0 +1,514 @@
+// Slice 2.3a — AgentMemoryRepository & AgentMemorySource Controllers
+// TDD: tests written BEFORE implementation.
+//
+// AgentMemoryRepository: org-level memory storage pointer, git repo ref validation.
+// AgentMemorySource: read policies for memory paths, access control.
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import {
+  createResource,
+  validateMemoryRepository,
+  validateMemorySource,
+  createAgentMemoryRepositoryController,
+  createAgentMemorySourceController,
+  AGENT_MEMORY_REPOSITORY_CONTROLLER_BOUNDARY,
+  AGENT_MEMORY_SOURCE_CONTROLLER_BOUNDARY,
+} from '../src/index.js';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function makeMemoryRepository(name, overrides = {}) {
+  return createResource('AgentMemoryRepository', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'acme',
+    repositoryRef: 'company-brain',
+    defaultBranch: 'main',
+    layoutProfile: 'standard',
+    repoUrl: 'https://github.com/acme/company-brain.git',
+    ...overrides,
+  });
+}
+function makeMemorySource(name, overrides = {}) {
+  return createResource('AgentMemorySource', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'acme',
+    repositoryRef: 'company-brain',
+    appliesTo: { kind: 'AgentStack', name: 'my-stack' },
+    include: { paths: ['docs/**', 'records/**'] },
+    paths: ['docs/**', 'records/**'],
+    ...overrides,
+  });
+}
+// ===========================================================================
+// AgentMemoryRepository — controller factory
+// ===========================================================================
+test('createAgentMemoryRepositoryController returns controller with expected methods', () => {
+  const controller = createAgentMemoryRepositoryController();
+  assert.ok(controller, 'controller must be truthy');
+  assert.equal(typeof controller.validateMemoryRepository, 'function', 'must expose validateMemoryRepository');
+  assert.equal(typeof controller.getRepositoryUrl, 'function', 'must expose getRepositoryUrl');
+  assert.equal(typeof controller.getRetentionPolicy, 'function', 'must expose getRetentionPolicy');
+  assert.equal(controller.role, 'agent-memory-repository-controller', 'must declare its role');
+});
+// ---------------------------------------------------------------------------
+// validateMemoryRepository — happy path
+// ---------------------------------------------------------------------------
+test('validateMemoryRepository accepts valid config with name, orgRef, and repoUrl', () => {
+  const controller = createAgentMemoryRepositoryController();
+  const repo = makeMemoryRepository('brain-repo');
+  const result = controller.validateMemoryRepository(repo);
+  assert.equal(result.valid, true, 'valid config must pass validation');
+  assert.ok(Array.isArray(result.errors), 'result must contain an errors array');
+  assert.equal(result.errors.length, 0, 'errors array must be empty for a valid config');
+});
+// ---------------------------------------------------------------------------
+// validateMemoryRepository — missing name
+// ---------------------------------------------------------------------------
+test('validateMemoryRepository rejects missing name', () => {
+  const controller = createAgentMemoryRepositoryController();
+  const repo = {
+    apiVersion: 'krate.a5c.ai/v1alpha1',
+    kind: 'AgentMemoryRepository',
+    metadata: { namespace: 'krate-org-default', labels: {}, annotations: {} },
+    spec: {
+      organizationRef: 'acme',
+      repositoryRef: 'company-brain',
+      defaultBranch: 'main',
+      layoutProfile: 'standard',
+      repoUrl: 'https://github.com/acme/brain.git',
+    },
+    status: {},
+  };
+  const result = controller.validateMemoryRepository(repo);
+  assert.equal(result.valid, false, 'missing name must fail validation');
+  assert.ok(result.errors.length > 0, 'errors must not be empty');
+  assert.ok(
+    result.errors.some((e) => /name/i.test(e)),
+    'at least one error must mention "name"'
+  );
+});
+// ---------------------------------------------------------------------------
+// validateMemoryRepository — missing repoUrl
+// ---------------------------------------------------------------------------
+test('validateMemoryRepository rejects missing repoUrl', () => {
+  const controller = createAgentMemoryRepositoryController();
+  const repo = makeMemoryRepository('no-url-repo');
+  delete repo.spec.repoUrl;
+  const result = controller.validateMemoryRepository(repo);
+  assert.equal(result.valid, false, 'missing repoUrl must fail validation');
+  assert.ok(result.errors.length > 0, 'errors must not be empty');
+  assert.ok(
+    result.errors.some((e) => /repoUrl/i.test(e)),
+    'at least one error must mention "repoUrl"'
+  );
+});
+// ---------------------------------------------------------------------------
+// validateMemoryRepository — invalid repoUrl (not git/http/ssh URL)
+// ---------------------------------------------------------------------------
+test('validateMemoryRepository rejects invalid repoUrl (not git/http/ssh URL)', () => {
+  const controller = createAgentMemoryRepositoryController();
+  const repo = makeMemoryRepository('bad-url-repo', { repoUrl: 'ftp://not-a-git-url.example.com/repo' });
+  const result = controller.validateMemoryRepository(repo);
+  assert.equal(result.valid, false, 'invalid repoUrl protocol must fail validation');
+  assert.ok(result.errors.length > 0, 'errors must not be empty');
+  assert.ok(
+    result.errors.some((e) => /repoUrl/i.test(e)),
+    'at least one error must mention "repoUrl"'
+  );
+});
+test('validateMemoryRepository accepts git+ssh URL (git@ format)', () => {
+  const controller = createAgentMemoryRepositoryController();
+  const repo = makeMemoryRepository('ssh-repo', { repoUrl: 'git@github.com:acme/company-brain.git' });
+  const result = controller.validateMemoryRepository(repo);
+  assert.equal(result.valid, true, 'git@host:path.git URL must pass validation');
+  assert.equal(result.errors.length, 0, 'errors must be empty for valid git ssh URL');
+});
+test('validateMemoryRepository accepts ssh:// URL', () => {
+  const controller = createAgentMemoryRepositoryController();
+  const repo = makeMemoryRepository('ssh-proto-repo', { repoUrl: 'ssh://git@github.com/acme/brain.git' });
+  const result = controller.validateMemoryRepository(repo);
+  assert.equal(result.valid, true, 'ssh:// URL must pass validation');
+  assert.equal(result.errors.length, 0, 'errors must be empty for valid ssh:// URL');
+});
+// ---------------------------------------------------------------------------
+// getRepositoryUrl — returns configured URL
+// ---------------------------------------------------------------------------
+test('getRepositoryUrl returns the configured repoUrl from spec', () => {
+  const controller = createAgentMemoryRepositoryController();
+  const repo = makeMemoryRepository('url-repo', { repoUrl: 'https://github.com/acme/brain.git' });
+  const url = controller.getRepositoryUrl(repo);
+  assert.equal(url, 'https://github.com/acme/brain.git', 'must return spec repoUrl');
+});
+test('getRepositoryUrl throws on null resource', () => {
+  const controller = createAgentMemoryRepositoryController();
+  assert.throws(
+    () => controller.getRepositoryUrl(null),
+    /null|undefined/i,
+    'getRepositoryUrl must throw on null resource'
+  );
+});
+// ---------------------------------------------------------------------------
+// getRetentionPolicy — returns retention config with defaults
+// ---------------------------------------------------------------------------
+test('getRetentionPolicy returns retention config with defaults (maxAgeDays: 90, maxSizeMb: 500)', () => {
+  const controller = createAgentMemoryRepositoryController();
+  const repo = makeMemoryRepository('retention-repo');
+  const policy = controller.getRetentionPolicy(repo);
+  assert.ok(policy, 'getRetentionPolicy must return a value');
+  assert.equal(policy.maxAgeDays, 90, 'default maxAgeDays must be 90');
+  assert.equal(policy.maxSizeMb, 500, 'default maxSizeMb must be 500');
+});
+test('getRetentionPolicy merges spec retentionPolicy with defaults', () => {
+  const controller = createAgentMemoryRepositoryController();
+  const repo = makeMemoryRepository('custom-retention-repo', {
+    retentionPolicy: { maxAgeDays: 180, maxSizeMb: 1000 },
+  });
+  const policy = controller.getRetentionPolicy(repo);
+  assert.equal(policy.maxAgeDays, 180, 'spec maxAgeDays must override default');
+  assert.equal(policy.maxSizeMb, 1000, 'spec maxSizeMb must override default');
+});
+test('getRetentionPolicy throws on null resource', () => {
+  const controller = createAgentMemoryRepositoryController();
+  assert.throws(
+    () => controller.getRetentionPolicy(null),
+    /null|undefined/i,
+    'getRetentionPolicy must throw on null resource'
+  );
+});
+// ---------------------------------------------------------------------------
+// validateMemoryRepository — rejects null resource
+// ---------------------------------------------------------------------------
+test('validateMemoryRepository rejects null resource', () => {
+  const controller = createAgentMemoryRepositoryController();
+  const result = controller.validateMemoryRepository(null);
+  assert.equal(result.valid, false, 'null resource must fail validation');
+  assert.ok(result.errors.length > 0, 'errors must not be empty');
+  assert.ok(
+    result.errors.some((e) => /null|undefined/i.test(e)),
+    'error must mention null or undefined'
+  );
+});
+// ---------------------------------------------------------------------------
+// validateMemoryRepository standalone export
+// ---------------------------------------------------------------------------
+test('validateMemoryRepository standalone export follows existing pattern', () => {
+  assert.equal(typeof validateMemoryRepository, 'function', 'validateMemoryRepository must be a named export');
+  const repo = makeMemoryRepository('standalone-validate-repo');
+  const result = validateMemoryRepository(repo);
+  assert.ok(result, 'must return a result');
+  assert.ok('valid' in result, 'result must have a valid property');
+  assert.ok(Array.isArray(result.errors), 'result must have an errors array');
+  assert.equal(result.valid, true, 'a fully-specified repo must pass standalone validation');
+});
+// ---------------------------------------------------------------------------
+// BOUNDARY — AgentMemoryRepository
+// ---------------------------------------------------------------------------
+test('AGENT_MEMORY_REPOSITORY_CONTROLLER_BOUNDARY is exported with correct role', () => {
+  assert.ok(AGENT_MEMORY_REPOSITORY_CONTROLLER_BOUNDARY, 'BOUNDARY must be exported');
+  assert.equal(
+    AGENT_MEMORY_REPOSITORY_CONTROLLER_BOUNDARY.role,
+    'agent-memory-repository-controller',
+    'BOUNDARY role must be "agent-memory-repository-controller"'
+  );
+  assert.ok(
+    Array.isArray(AGENT_MEMORY_REPOSITORY_CONTROLLER_BOUNDARY.owns),
+    'BOUNDARY must declare owned concerns'
+  );
+});
+// ===========================================================================
+// AgentMemorySource — controller factory
+// ===========================================================================
+test('createAgentMemorySourceController returns controller with expected methods', () => {
+  const controller = createAgentMemorySourceController();
+  assert.ok(controller, 'controller must be truthy');
+  assert.equal(typeof controller.validateMemorySource, 'function', 'must expose validateMemorySource');
+  assert.equal(typeof controller.getReadPolicy, 'function', 'must expose getReadPolicy');
+  assert.equal(typeof controller.getIncludedPaths, 'function', 'must expose getIncludedPaths');
+  assert.equal(typeof controller.getExcludedPaths, 'function', 'must expose getExcludedPaths');
+  assert.equal(controller.role, 'agent-memory-source-controller', 'must declare its role');
+});
+// ---------------------------------------------------------------------------
+// validateMemorySource — happy path
+// ---------------------------------------------------------------------------
+test('validateMemorySource accepts valid config (name, orgRef, repositoryRef, paths)', () => {
+  const controller = createAgentMemorySourceController();
+  const source = makeMemorySource('good-source');
+  const result = controller.validateMemorySource(source);
+  assert.equal(result.valid, true, 'valid config must pass validation');
+  assert.ok(Array.isArray(result.errors), 'result must contain an errors array');
+  assert.equal(result.errors.length, 0, 'errors array must be empty for a valid config');
+});
+// ---------------------------------------------------------------------------
+// validateMemorySource — missing repositoryRef
+// ---------------------------------------------------------------------------
+test('validateMemorySource rejects missing repositoryRef', () => {
+  const controller = createAgentMemorySourceController();
+  const source = makeMemorySource('no-repo-source');
+  delete source.spec.repositoryRef;
+  const result = controller.validateMemorySource(source);
+  assert.equal(result.valid, false, 'missing repositoryRef must fail validation');
+  assert.ok(result.errors.length > 0, 'errors must not be empty');
+  assert.ok(
+    result.errors.some((e) => /repositoryRef/i.test(e)),
+    'at least one error must mention "repositoryRef"'
+  );
+});
+// ---------------------------------------------------------------------------
+// validateMemorySource — empty paths array
+// ---------------------------------------------------------------------------
+test('validateMemorySource rejects empty paths array', () => {
+  const controller = createAgentMemorySourceController();
+  const source = makeMemorySource('empty-paths-source', { paths: [] });
+  const result = controller.validateMemorySource(source);
+  assert.equal(result.valid, false, 'empty paths must fail validation');
+  assert.ok(result.errors.length > 0, 'errors must not be empty');
+  assert.ok(
+    result.errors.some((e) => /paths/i.test(e)),
+    'at least one error must mention "paths"'
+  );
+});
+// ---------------------------------------------------------------------------
+// validateMemorySource — rejects null resource
+// ---------------------------------------------------------------------------
+test('validateMemorySource rejects null resource', () => {
+  const controller = createAgentMemorySourceController();
+  const result = controller.validateMemorySource(null);
+  assert.equal(result.valid, false, 'null resource must fail validation');
+  assert.ok(result.errors.length > 0, 'errors must not be empty');
+  assert.ok(
+    result.errors.some((e) => /null|undefined/i.test(e)),
+    'error must mention null or undefined'
+  );
+});
+// ---------------------------------------------------------------------------
+// getReadPolicy — returns access policy with defaults
+// ---------------------------------------------------------------------------
+test('getReadPolicy returns access policy from spec with defaults', () => {
+  const controller = createAgentMemorySourceController();
+  const source = makeMemorySource('policy-source');
+  const policy = controller.getReadPolicy(source);
+  assert.ok(policy, 'getReadPolicy must return a value');
+  assert.ok('mode' in policy, 'policy must include a mode');
+  assert.ok('maxDepth' in policy, 'policy must include a maxDepth default');
+});
+test('getReadPolicy merges spec readPolicy with defaults', () => {
+  const controller = createAgentMemorySourceController();
+  const source = makeMemorySource('custom-policy-source', {
+    readPolicy: { mode: 'allow-list', maxDepth: 3 },
+  });
+  const policy = controller.getReadPolicy(source);
+  assert.equal(policy.mode, 'allow-list', 'spec mode must override default');
+  assert.equal(policy.maxDepth, 3, 'spec maxDepth must override default');
+});
+test('getReadPolicy throws on null resource', () => {
+  const controller = createAgentMemorySourceController();
+  assert.throws(
+    () => controller.getReadPolicy(null),
+    /null|undefined/i,
+    'getReadPolicy must throw on null resource'
+  );
+});
+// ---------------------------------------------------------------------------
+// getIncludedPaths — returns the paths array
+// ---------------------------------------------------------------------------
+test('getIncludedPaths returns the paths array from spec', () => {
+  const controller = createAgentMemorySourceController();
+  const source = makeMemorySource('paths-source', { paths: ['docs/**', 'records/**', 'ontology/**'] });
+  const paths = controller.getIncludedPaths(source);
+  assert.ok(Array.isArray(paths), 'getIncludedPaths must return an array');
+  assert.equal(paths.length, 3, 'must return all 3 paths');
+  assert.ok(paths.includes('docs/**'), 'must include docs/**');
+  assert.ok(paths.includes('records/**'), 'must include records/**');
+  assert.ok(paths.includes('ontology/**'), 'must include ontology/**');
+});
+test('getIncludedPaths throws on null resource', () => {
+  const controller = createAgentMemorySourceController();
+  assert.throws(
+    () => controller.getIncludedPaths(null),
+    /null|undefined/i,
+    'getIncludedPaths must throw on null resource'
+  );
+});
+// ---------------------------------------------------------------------------
+// getExcludedPaths — returns excluded paths or empty array
+// ---------------------------------------------------------------------------
+test('getExcludedPaths returns empty array when no excludedPaths in spec', () => {
+  const controller = createAgentMemorySourceController();
+  const source = makeMemorySource('no-exclude-source');
+  const excluded = controller.getExcludedPaths(source);
+  assert.ok(Array.isArray(excluded), 'getExcludedPaths must return an array');
+  assert.equal(excluded.length, 0, 'must return empty array when no excludedPaths set');
+});
+test('getExcludedPaths returns excluded paths from spec', () => {
+  const controller = createAgentMemorySourceController();
+  const source = makeMemorySource('exclude-source', {
+    excludedPaths: ['secrets/**', 'tmp/**'],
+  });
+  const excluded = controller.getExcludedPaths(source);
+  assert.ok(Array.isArray(excluded), 'getExcludedPaths must return an array');
+  assert.equal(excluded.length, 2, 'must return both excluded paths');
+  assert.ok(excluded.includes('secrets/**'), 'must include secrets/**');
+  assert.ok(excluded.includes('tmp/**'), 'must include tmp/**');
+});
+test('getExcludedPaths throws on null resource', () => {
+  const controller = createAgentMemorySourceController();
+  assert.throws(
+    () => controller.getExcludedPaths(null),
+    /null|undefined/i,
+    'getExcludedPaths must throw on null resource'
+  );
+});
+// ---------------------------------------------------------------------------
+// validateMemorySource standalone export
+// ---------------------------------------------------------------------------
+test('validateMemorySource standalone export follows existing pattern', () => {
+  assert.equal(typeof validateMemorySource, 'function', 'validateMemorySource must be a named export');
+  const source = makeMemorySource('standalone-validate-source');
+  const result = validateMemorySource(source);
+  assert.ok(result, 'must return a result');
+  assert.ok('valid' in result, 'result must have a valid property');
+  assert.ok(Array.isArray(result.errors), 'result must have an errors array');
+  assert.equal(result.valid, true, 'a fully-specified source must pass standalone validation');
+});
+// ---------------------------------------------------------------------------
+// BOUNDARY — AgentMemorySource
+// ---------------------------------------------------------------------------
+test('AGENT_MEMORY_SOURCE_CONTROLLER_BOUNDARY is exported with correct role', () => {
+  assert.ok(AGENT_MEMORY_SOURCE_CONTROLLER_BOUNDARY, 'BOUNDARY must be exported');
+  assert.equal(
+    AGENT_MEMORY_SOURCE_CONTROLLER_BOUNDARY.role,
+    'agent-memory-source-controller',
+    'BOUNDARY role must be "agent-memory-source-controller"'
+  );
+  assert.ok(
+    Array.isArray(AGENT_MEMORY_SOURCE_CONTROLLER_BOUNDARY.owns),
+    'BOUNDARY must declare owned concerns'
+  );
+});
+// ---------------------------------------------------------------------------
+// validate — accumulates multiple errors (source)
+// ---------------------------------------------------------------------------
+test('validateMemorySource accumulates all errors when multiple fields are invalid', () => {
+  const controller = createAgentMemorySourceController();
+  const source = {
+    apiVersion: 'krate.a5c.ai/v1alpha1',
+    kind: 'AgentMemorySource',
+    metadata: { namespace: 'krate-org-default', labels: {}, annotations: {} },
+    spec: { organizationRef: 'acme', appliesTo: {}, include: {} },
+    status: {},
+  };
+  const result = controller.validateMemorySource(source);
+  assert.equal(result.valid, false, 'config with multiple missing fields must fail');
+  assert.ok(result.errors.length >= 2, 'must accumulate at least two errors');
+  assert.ok(
+    result.errors.some((e) => /name/i.test(e)),
+    'errors must include a name error'
+  );
+  assert.ok(
+    result.errors.some((e) => /repositoryRef/i.test(e)),
+    'errors must include a repositoryRef error'
+  );
+});