npm - @a5c-ai/krate - Versions diffs - 5.0.1-staging.00fa5317c - Mend

@a5c-ai/krate 5.0.1-staging.00fa5317c

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (256) hide show

package/Dockerfile +31 -0
package/README.md +183 -0
package/bin/krate-demo.mjs +23 -0
package/bin/krate-server.mjs +14 -0
package/dist/krate-controller-ui.json +3205 -0
package/dist/krate-lifecycle.json +201 -0
package/dist/krate-runtime-snapshot.json +3125 -0
package/dist/krate-summary.json +724 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-krate-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/krate-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/openapi.yaml +1275 -0
package/docs/product-requirements.md +62 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/system-requirements.md +90 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +63 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +93 -0
package/scripts/validate-ui.mjs +278 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +209 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +280 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-provider-config-controller.js +150 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +347 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +381 -0
package/src/agent-workspace-controller.js +702 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +541 -0
package/src/argocd-gitops.js +43 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +307 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +72 -0
package/src/controller-ui.js +617 -0
package/src/data-plane.js +179 -0
package/src/event-bus.js +61 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +161 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +131 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/hooks-events.js +63 -0
package/src/http-server.js +377 -0
package/src/identity-policy.js +86 -0
package/src/index.js +57 -0
package/src/kubernetes-controller-async.js +511 -0
package/src/kubernetes-controller.js +878 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/notification-controller.js +178 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +221 -0
package/src/runner-controller.js +272 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +315 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-memory-controller.test.js +308 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +204 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +228 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +221 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +211 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/codespace-controller.test.js +318 -0
package/tests/deployment.test.js +407 -0
package/tests/e2e/lifecycle.test.js +117 -0
package/tests/event-bus-integration.test.js +190 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +340 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +215 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/krate.test.js +756 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/notification-controller.test.js +196 -0
package/tests/notification-integration.test.js +179 -0
package/tests/org-scoping.test.js +687 -0
package/tests/runner-controller.test.js +327 -0
package/tests/runner-integration.test.js +231 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +247 -0
package/tests/sse-events.test.js +107 -0
package/tests/webhook-trigger.test.js +198 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/tests/deployment.test.js ADDED Viewed

@@ -0,0 +1,407 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import { createControllerUiModel, createKrateApiController, createKrateHttpServer } from '../src/index.js';
+function read(path) {
+  return readFileSync(path, 'utf8');
+}
+function workflowJobBlock(workflow, jobName) {
+  const match = workflow.match(new RegExp(`\r?\n  ${jobName}:\r?\n([\\s\\S]*?)(?=\r?\n  [a-zA-Z0-9_-]+:\r?\n|$)`));
+  assert.ok(match, `workflow has ${jobName} job`);
+  return match[1];
+}
+function fixtureKubernetesController() {
+  return {
+    async snapshot() {
+      return {
+        source: 'kubernetes',
+        namespace: 'krate-org-default',
+        generatedAt: 'test-time',
+        correlationId: 'test-correlation',
+        kubectl: { available: true, context: 'kind-krate', clientVersion: 'v1.test', errors: [] },
+        apiService: { metadata: { name: 'v1alpha1.krate.a5c.ai' } },
+        crds: [{ metadata: { name: 'repositories.krate.a5c.ai' } }],
+        storage: { etcd: 'etcd', postgres: 'postgres', repositories: 'rwx', objects: 'object' },
+        commands: [],
+        permissions: [],
+        events: [],
+        resources: {
+          Organization: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'Organization', metadata: { name: 'default', namespace: 'krate-system' }, spec: { slug: 'default', namespaceName: 'krate-org-default', displayName: 'Default org' } }],
+          User: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'User', metadata: { name: 'alice', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', displayName: 'Alice', email: 'alice@example.com', teams: ['maintainers'] }, status: { phase: 'Active' } }],
+          Team: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'Team', metadata: { name: 'maintainers', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', displayName: 'Maintainers', members: ['alice'] }, status: { phase: 'Active' } }],
+          Invite: [],
+          IdentityMapping: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'IdentityMapping', metadata: { name: 'sso-alice', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', user: 'alice', provider: 'sso', subject: 'alice', repositoryIdentity: { username: 'alice' } }, status: { phase: 'Synced' } }],
+          AuthProvider: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'AuthProvider', metadata: { name: 'sso', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', type: 'oidc', label: 'Company SSO', enabled: true }, status: { phase: 'Configured' } }],
+          Repository: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'Repository', metadata: { name: 'app', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', visibility: 'internal', defaultBranch: 'main' }, status: { phase: 'Ready' } }],
+          PolicyProfile: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'PolicyProfile', metadata: { name: 'default-profile', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', displayName: 'Default policy posture', mode: 'audit' }, status: { phase: 'Synced', lastViolationCount: 1 } }],
+          PolicyTemplate: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'PolicyTemplate', metadata: { name: 'require-pr-description', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', displayName: 'Require PR description', targetKinds: ['PullRequest'], kyverno: { kind: 'ValidatingPolicy' } }, status: { phase: 'Ready' } }],
+          PolicyBinding: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'PolicyBinding', metadata: { name: 'require-pr-description-audit', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', templateRef: 'require-pr-description', mode: 'audit' }, status: { phase: 'Applied', lastViolationCount: 1 } }],
+          PolicyExceptionRequest: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'PolicyExceptionRequest', metadata: { name: 'pr-1-exception', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', policyRef: { name: 'require-pr-description' }, justification: 'temporary rollout', expiresAt: '2026-06-01T00:00:00Z' }, status: { phase: 'Requested' } }],
+          PullRequest: [],
+          Pipeline: [],
+          RunnerPool: [],
+          WebhookSubscription: []
+        },
+        kyverno: {
+          mode: 'byo',
+          namespace: 'kyverno',
+          policyNamespace: 'krate-org-default',
+          detected: true,
+          controllers: [{ name: 'kyverno-admission-controller', ready: true, readyReplicas: 1, replicas: 1 }],
+          permissions: [{ kind: 'PolicyReport', verbs: { list: true, watch: true } }],
+          resources: { KyvernoValidatingPolicy: [{ metadata: { name: 'require-pr-description' } }], PolicyReport: [{ metadata: { name: 'app-policy', namespace: 'krate-org-default' }, results: [{ policy: 'require-pr-description', rule: 'description', result: 'fail', message: 'description required', resources: [{ kind: 'PullRequest', name: 'pr-1' }] }] }] },
+          reports: { policyReports: [{ metadata: { name: 'app-policy', namespace: 'krate-org-default' } }], clusterPolicyReports: [], results: [{ policy: 'require-pr-description', rule: 'description', result: 'fail', message: 'description required' }], violations: [{ policy: 'require-pr-description', rule: 'description', result: 'fail', message: 'description required' }] },
+          degraded: []
+        }
+      };
+    },
+    async applyResource(resource) {
+      return { operation: 'apply', resource };
+    },
+    async deleteResource(kind, name) {
+      return { operation: 'delete', resource: { kind, metadata: { name } } };
+    },
+    async createRepository(input) {
+      return { operation: 'apply', resource: { kind: 'Repository', metadata: { name: input.name } } };
+    }
+  };
+}
+test('controller deployment assets build and publish the runnable controller', () => {
+  for (const file of ['Dockerfile', '.dockerignore', '.github/workflows/publish.yml']) assert.equal(existsSync(file), true, `${file} exists`);
+  const dockerfile = read('Dockerfile');
+  assert.match(dockerfile, /FROM node:\d+-alpine AS (deps|build)/);
+  assert.match(dockerfile, /npm (ci|install)/);
+  assert.match(dockerfile, /HEALTHCHECK/);
+  assert.match(dockerfile, /krate-server\.mjs/);
+  for (const runtimePath of ['/app/bin', '/app/src', '/app/dist']) assert.ok(dockerfile.includes(runtimePath), `Dockerfile copies ${runtimePath}`);
+  const dockerignore = read('.dockerignore');
+  for (const ignored of ['.a5c', 'node_modules', '**/.next', 'dist']) assert.ok(dockerignore.includes(ignored), `.dockerignore excludes ${ignored}`);
+  const chartDeployment = read('../charts/templates/deployments.yaml');
+  const chartRbac = read('../charts/templates/rbac.yaml');
+  const chartIngress = read('../charts/templates/ingress.yaml');
+  const chartValues = read('../charts/values.yaml');
+  const authSecret = read('../charts/templates/auth-secret.yaml');
+  assert.ok(chartValues.includes('auth:'), 'chart values include auth configuration');
+  assert.ok(chartValues.includes('github:') && chartValues.includes('sso:'), 'chart values expose GitHub and SSO configuration');
+  assert.ok(chartValues.includes('mode: auto') && chartValues.includes('policyReporter:'), 'chart values expose Kyverno auto-discovery modes and policy reporter settings');
+  assert.ok(chartRbac.includes('"*"') && chartRbac.includes('policies.kyverno.io') && chartRbac.includes('policyreports'), 'RBAC covers all Krate resources via wildcard and Kyverno read/write surfaces');
+  assert.ok(chartDeployment.includes('KRATE_KYVERNO_MODE') && chartDeployment.includes('KRATE_KYVERNO_POLICY_NAMESPACE') && chartDeployment.includes('KRATE_KYVERNO_DISCOVER_EXISTING'), 'deployments receive Kyverno discovery env');
+  assert.ok(read('../charts/templates/argocd-kyverno-application.yaml').includes('krate.a5c.ai/policy-engine: kyverno'), 'managed Kyverno Argo CD application template is present');
+  assert.ok(authSecret.includes('github-client-id') && authSecret.includes('sso-client-secret'), 'chart renders auth secret keys');
+  assert.ok(chartIngress.includes('kind: Ingress') && chartIngress.includes('ingressClassName') && chartIngress.includes('app.kubernetes.io/component: web'), 'chart renders web ingress');
+  assert.ok(chartDeployment.includes('imagePullSecrets') && chartDeployment.includes('global.imagePullSecrets'), 'workloads can use registry pull secrets');
+  assert.ok(chartDeployment.includes('KRATE_AUTH_GITHUB_ENABLED') && chartDeployment.includes('KRATE_AUTH_SSO_ENABLED') && chartDeployment.includes('KRATE_AUTH_DELEGATED_EMAIL_HEADER'), 'workloads receive auth provider configuration');
+  assert.ok(chartDeployment.includes('readinessProbe:') && chartDeployment.includes('path: /login'), 'web deployment has an HTTP readiness probe');
+  assert.ok(chartDeployment.includes('KRATE_AUTH_DELEGATED_LOCAL_DEVELOPMENT') && chartDeployment.includes('KRATE_AUTH_DELEGATED_LOCAL_GROUPS'), 'workloads can opt into local delegated development login');
+  assert.ok(chartRbac.includes('core.oam.dev') && chartRbac.includes('applications') && chartRbac.includes('create'), 'delivery resources can be composed through Krate');
+  assert.ok(chartValues.includes('localDevelopment:') && chartValues.includes('enabled: false'), 'local delegated development login is off by default');
+  for (const token of ['command: ["node", "bin/krate-server.mjs"]', '--port=3080', 'app.kubernetes.io/component: controllers']) {
+    assert.ok(chartDeployment.includes(token), `chart deployment includes ${token}`);
+  }
+});
+test('web proxy protects UI pages and authenticated APIs behind login', async () => {
+  let NextRequest, proxy, config;
+  try {
+    ({ NextRequest } = await import('next/server.js'));
+    ({ proxy, config } = await import(`../../web/proxy.js?test=${Date.now()}`));
+  } catch { return; }
+  assert.ok(config.matcher.some((entry) => entry.includes('_next/static')));
+  for (const path of ['/', '/orgs/default/repositories?tab=code', '/orgs/default/repositories/demo/code', '/orgs/default/people', '/logout', '/api/controller']) {
+    const response = proxy(new NextRequest(`http://localhost:3000${path}`));
+    assert.equal(response.status, 307, `${path} redirects to login without session`);
+    assert.equal(new URL(response.headers.get('location')).pathname, '/login');
+  }
+  const nextResponse = proxy(new NextRequest('http://localhost:3000/orgs/default/repositories?tab=code'));
+  assert.equal(new URL(nextResponse.headers.get('location')).searchParams.get('next'), '/orgs/default/repositories?tab=code');
+  assert.equal(proxy(new NextRequest('http://localhost:3000/login')).headers.get('x-middleware-next'), '1');
+  assert.equal(proxy(new NextRequest('http://localhost:3000/api/auth/delegated')).headers.get('x-middleware-next'), '1');
+  assert.equal(proxy(new NextRequest('http://localhost:3000/orgs/default/repositories', { headers: { cookie: 'krate_session=dev' } })).headers.get('x-middleware-next'), '1');
+});
+test('login page stays minimal and does not expose the authenticated console shell', () => {
+  const layout = read('../web/app/layout.jsx');
+  const managePages = read('../web/app/pages/manage-pages.jsx');
+  const loginStart = managePages.indexOf('export function LoginPage');
+  assert.notEqual(loginStart, -1, 'LoginPage is defined in manage-pages module');
+  assert.ok(!layout.includes('<AppShell>{children}</AppShell>'), 'root layout does not wrap public routes in AppShell');
+  const loginSource = managePages.slice(loginStart, managePages.indexOf('export ', loginStart + 1));
+  assert.ok(loginSource.includes('loginMain') || loginSource.includes('login'), 'login page uses standalone login layout');
+});
+test('auth chart uses existing secrets without rendering empty provider keys', () => {
+  const mixed = execFileSync('helm', [
+    'template', 'krate', '../charts', '-n', 'krate-system',
+    '--set', 'argocd.enabled=false',
+    '--set', 'auth.github.clientId=github-client',
+    '--set', 'auth.github.clientSecret=github-secret',
+    '--set', 'auth.sso.enabled=true',
+    '--set', 'auth.sso.existingSecret=shared-auth'
+  ], { encoding: 'utf8' });
+  assert.match(mixed, /name: krate-krate-auth/);
+  assert.match(mixed, /github-client-id: "github-client"/);
+  assert.doesNotMatch(mixed, /sso-client-id:/);
+  assert.match(mixed, /name: "shared-auth"[\s\S]*?key: sso-client-id/);
+  const externalOnly = execFileSync('helm', [
+    'template', 'krate', '../charts', '-n', 'krate-system',
+    '--set', 'argocd.enabled=false',
+    '--set', 'auth.github.existingSecret=shared-auth',
+    '--set', 'auth.sso.enabled=true',
+    '--set', 'auth.sso.existingSecret=shared-auth'
+  ], { encoding: 'utf8' });
+  assert.doesNotMatch(externalOnly, /name: krate-krate-auth/);
+  assert.match(externalOnly, /name: "shared-auth"[\s\S]*?key: github-client-id/);
+  assert.match(externalOnly, /name: "shared-auth"[\s\S]*?key: sso-client-secret/);
+});
+test('web UI and controller API expose live Kubernetes deployment and publishing metadata', async () => {
+  const controller = fixtureKubernetesController();
+  const model = createControllerUiModel(await controller.snapshot());
+  assert.equal(model.controller.mode, 'krate-workspace');
+  assert.ok(model.controller.endpoints.some((endpoint) => endpoint.path === '/api/controller?org=:org'));
+  assert.ok(model.controller.endpoints.some((endpoint) => endpoint.path === '/api/orgs/:org/resources'));
+  assert.equal(model.controller.architecture.apiController.role, 'krate-api-controller');
+  assert.equal(model.controller.architecture.resourceGateway.role, 'krate-resource-gateway');
+  assert.equal(model.controller.architecture.resourceClient.role, 'krate-resource-client');
+  assert.equal(model.controller.architecture.repositoryService.role, 'repository-service');
+  assert.deepEqual(model.controller.architecture.apiController.delegatesTo, ['krate-resource-gateway', 'repository-service']);
+  assert.ok(model.resources.some((resource) => resource.kind === 'Repository' && resource.count > 0));
+  assert.ok(model.resources.some((resource) => resource.kind === 'KrateProject'));
+  assert.ok(model.views.dashboard.issueSync?.gitea?.repo, 'dashboard exposes issue sync backend plan');
+  assert.equal(model.policyEngine.health, 'ready');
+  assert.equal(model.policyEngine.violations.length, 1);
+  assert.ok(model.resources.some((resource) => resource.kind === 'PolicyBinding' && resource.count > 0));
+  assert.ok(model.resources.find((resource) => resource.kind === 'Repository').action.list.includes('Open Repository records'));
+  assert.match(model.operations.image, /krate-controller/);
+  assert.equal(model.operations.chart, 'charts/krate');
+  for (const gate of ['npm run check', 'docker build', 'helm package charts/krate', 'npm pack --json']) assert.ok(model.operations.releaseGates.includes(gate), `release gate ${gate}`);
+  assert.ok(model.validation.every((item) => typeof item.evidence === 'string' && item.evidence.length > 0));
+  const server = createKrateHttpServer({ controller });
+  await new Promise((resolve) => server.listen(0, resolve));
+  try {
+    const response = await fetch(`http://127.0.0.1:${server.address().port}/api/controller`);
+    assert.equal(response.status, 200);
+    const body = await response.json();
+    assert.deepEqual(body.operations.releaseGates, model.operations.releaseGates);
+    assert.equal(body.metrics.resources, model.metrics.resources);
+  } finally {
+    await new Promise((resolve) => server.close(resolve));
+  }
+});
+test('web UI is wired to the Kubernetes controller API instead of a static local snapshot', () => {
+  const page = read('../web/app/page.jsx');
+  const orgPage = read('../web/app/orgs/[org]/page.jsx');
+  const shellModules = ['../web/app/lib/krate-ui.jsx', '../web/app/lib/page-frame.jsx', '../web/app/pages/agent-pages.jsx', '../web/app/pages/repo-pages.jsx', '../web/app/pages/manage-pages.jsx', '../web/app/pages/settings-pages.jsx', '../web/app/pages/external-pages.jsx'];
+  const shell = shellModules.map((m) => { try { return readFileSync(m, 'utf8'); } catch { return ''; } }).join('\n');
+  const actions = read('../web/app/components/resource-actions.jsx');
+  const client = read('src/controller-client.js');
+  const apiController = read('src/api-controller.js');
+  const gateway = read('src/kubernetes-resource-gateway.js');
+  const kubernetes = read('src/kubernetes-controller.js');
+  const server = read('src/http-server.js');
+  const webControllerRoute = read('../web/app/api/controller/route.js');
+  assert.ok(page.includes("redirect('/orgs/'"));
+  assert.ok(orgPage.includes('DashboardPage'));
+  assert.ok(read('../web/app/orgs/page.jsx').includes('Choose an organization'));
+  assert.ok(client.includes('KRATE_CONTROLLER_URL'));
+  assert.ok(client.includes('KRATE_CONTROLLER_REQUEST_TIMEOUT_MS'));
+  assert.ok(client.includes('AbortSignal.timeout'));
+  assert.ok(client.includes('if (!useCache) return revalidateFn();'));
+  assert.ok(client.includes('staleWhileRevalidate(organization, revalidateFn, swrOptions)'));
+  assert.ok(client.includes('createKrateApiController'));
+  assert.ok(client.includes('createKubernetesResourceGateway'));
+  assert.ok(apiController.includes('resourceGateway'));
+  assert.ok(apiController.includes('withArchitecture'));
+  assert.ok(apiController.includes('kubernetes-resource-gateway'));
+  assert.ok(!apiController.includes('createKubernetesController'));
+  assert.ok(gateway.includes('createKubernetesResourceClient'));
+  assert.ok(kubernetes.includes('createKubernetesController(options = {})')); // resource-client alias
+  assert.ok(kubernetes.includes('/var/run/secrets/kubernetes.io/serviceaccount'), 'Kubernetes client can use in-cluster service-account credentials');
+  assert.ok(gateway.includes('repositoryManifest'));
+  assert.ok(shell.includes('/api/controller'));
+  assert.ok(webControllerRoute.includes('KRATE_CONTROLLER_URL'));
+  assert.ok(!webControllerRoute.includes('createKrateApiController'), 'web API route proxies the controller service instead of shelling out through local kubectl');
+  assert.ok(shell.includes('ArchitectureMap'));
+  assert.ok(shell.includes('Repository home'));
+  assert.ok(shell.includes('IssueWorkspace'));
+  assert.ok(shell.includes('IssueViewSwitcher'));
+  assert.ok(shell.includes('issuesForScope'));
+  assert.ok(shell.includes('issueRepositoryRefs'));
+  assert.ok(shell.includes('issueProjectRefs'));
+  assert.ok(shell.includes('DeploymentCenter'));
+  assert.ok(shell.includes('DeploymentManager'));
+  assert.ok(shell.includes('Krate deployment center'));
+  assert.ok(shell.includes('PlanCard'));
+  assert.ok(shell.includes('Advanced resource details'));
+  assert.ok(shell.includes('Releases'));
+  assert.ok(shell.includes('managed resources'));
+  assert.ok(shell.includes('Advanced resource records'));
+  assert.ok(shell.includes('Deployments'));
+  assert.ok(actions.includes('Create deployment'));
+  assert.ok(actions.includes('Prepare deployment'));
+  assert.ok(shell.includes('environments'));
+  assert.ok(shell.includes('Repository code browser'));
+  assert.ok(shell.includes('Manage access'));
+  assert.ok(shell.includes('PeopleAdmin'));
+  assert.ok(shell.includes('getSignedInUser'));
+  assert.ok(shell.includes('topbarAccount'));
+  assert.ok(shell.includes('Signed-in user'));
+  assert.ok(shell.includes('Sign out'));
+  assert.ok(shell.includes('Invite people'));
+  assert.ok(shell.includes('identity links'));
+  assert.ok(shell.includes('repository permissions'));
+  assert.ok(shell.includes('Access readiness'));
+  assert.match(actions, /Mark accepted/i);
+  assert.ok(actions.includes('Revoke invite'));
+  assert.ok(actions.includes('Disable user'));
+  assert.ok(actions.includes('Restore user'));
+  assert.ok(actions.includes('Revoke grant'));
+  assert.ok(actions.includes('SSH keys'));
+  assert.ok(actions.includes('Save SSH key'));
+  assert.ok(actions.includes('Revoke SSH key'));
+  assert.equal(existsSync('../web/app/orgs/[org]/people/page.jsx'), true);
+  assert.equal(existsSync('../web/app/login/page.jsx'), true);
+  assert.equal(existsSync('../web/app/logout/page.jsx'), true);
+  assert.equal(existsSync('../web/app/orgs/[org]/runs/page.jsx'), true);
+  assert.equal(existsSync('../web/app/runs/page.jsx'), false);
+  assert.equal(existsSync('../web/app/pipelines/page.jsx'), false);
+  assert.equal(existsSync('../web/app/orgs/[org]/repositories/[repo]/runs/page.jsx'), true);
+  assert.equal(existsSync('../web/app/orgs/[org]/repositories/[repo]/issues/[issue]/page.jsx'), true);
+  assert.equal(existsSync('../web/app/orgs/[org]/agents/projects/[projectId]/issues/page.jsx'), true);
+  assert.equal(existsSync('../web/app/orgs/[org]/agents/projects/[projectId]/issues/[issue]/page.jsx'), true);
+  assert.equal(existsSync('../web/app/repositories/[repo]/runs/page.jsx'), false);
+  assert.equal(existsSync('../web/app/repositories/[repo]/pipelines/page.jsx'), false);
+  assert.equal(existsSync('../web/proxy.js'), true);
+  assert.equal(existsSync('../web/app/api/auth/[provider]/route.js'), true);
+  assert.equal(existsSync('../web/app/api/auth/callback/[provider]/route.js'), true);
+  assert.equal(existsSync('../web/app/api/auth/delegated/route.js'), true);
+  assert.ok(shell.includes('RepositoryCodePage'));
+  assert.ok(shell.includes('RepositoryPullRequestsPage'));
+  assert.ok(shell.includes('RepositorySettingsPage'));
+  assert.ok(shell.includes('PullRequestReviewPanel'));
+  assert.ok(shell.includes('RunCenter'));
+  assert.ok(shell.includes('Workspace runs'));
+  assert.ok(shell.includes('Run event stream'));
+  assert.ok(shell.includes('/runs'));
+  assert.ok(!shell.includes("['/pipelines', 'Runs']"));
+  assert.ok(!shell.includes('PipelinesPage'), 'legacy pipelines UI component is not exported');
+  assert.ok(!shell.includes('RepositoryPipelinesPage'), 'legacy repository pipelines UI component is not exported');
+  assert.ok(!shell.includes('function PipelineDebugger'), 'runs page does not use the old debugger-first panel');
+  assert.ok(shell.includes('Automation inspector'));
+  assert.ok(shell.includes('Readiness checklist'));
+  assert.ok(kubernetes.includes('spawnSync'));
+  assert.ok(kubernetes.includes('kubectl'));
+  assert.ok(!client.includes('createKrateUiDemoRuntime'));
+  assert.ok(!page.includes('createKrateMvpDemo'));
+  assert.ok(!page.includes('createKrateLifecycleSnapshot'));
+  assert.ok(apiController.includes('const repoPath = `/orgs/${encodeURIComponent(org)}/repositories/${encodeURIComponent(name)}`'));
+  assert.ok(apiController.includes('runs: `${repoPath}/runs`'));
+  assert.ok(server.includes('/api/controller'));
+  assert.ok(server.includes('orgResourceCollectionMatch'));
+  assert.ok(!server.includes("url.pathname === '/api/repositories'"));
+});
+test('API controller delegates through resource gateway instead of owning Kubernetes scope', async () => {
+  const calls = [];
+  const resourceGateway = {
+    namespace: 'krate-org-default',
+    resourceDefinitions: [],
+    async snapshot() { calls.push('snapshot'); return { source: 'kubernetes', namespace: 'krate-org-default', resources: {}, kubectl: { available: true, errors: [] }, commands: [], events: [], permissions: [], storage: {} }; },
+    async list(kind) { calls.push(`list:${kind}`); return { kind, items: [] }; },
+    async get(kind, name) { calls.push(`get:${kind}/${name}`); return { kind, metadata: { name } }; },
+    async apply(resource) { calls.push(`apply:${resource.kind}`); return { operation: 'apply', resource }; },
+    async delete(kind, name) { calls.push(`delete:${kind}/${name}`); return { operation: 'delete', kind, name }; },
+    async createRepository(input) { calls.push(`createRepository:${input.name}`); return { operation: 'apply', resource: { kind: 'Repository', metadata: { name: input.name } } }; },
+    async createOrganization(input) { calls.push(`createOrganization:${input.name}`); return { operation: 'create-organization', organization: { metadata: { name: input.name } } }; },
+    watch(resourcePath) { calls.push(`watch:${resourcePath}`); return { child: { kill() {} } }; }
+  };
+  const controller = createKrateApiController({ resourceGateway });
+  await controller.snapshot();
+  await controller.listResource('Repository');
+  await controller.getResource('Repository', 'app');
+  await controller.applyResource({ kind: 'Repository', metadata: { name: 'app' } });
+  await controller.deleteResource('Repository', 'app');
+  await controller.createRepository({ name: 'next-app' });
+  await controller.createOrganization({ name: 'product' });
+  controller.watchResource('orgs/default/repositories');
+  assert.deepEqual(calls, ['snapshot', 'list:Repository', 'get:Repository/app', 'apply:Repository', 'delete:Repository/app', 'createRepository:next-app', 'createOrganization:product', 'watch:orgs/default/repositories']);
+  assert.equal(controller.resourceGateway, resourceGateway);
+});
+test('GitHub workflow publishes deployable image and chart artifacts with safe gates', () => {
+  const workflow = read('.github/workflows/publish.yml');
+  const validate = workflowJobBlock(workflow, 'validate');
+  assert.ok(workflow.includes('branches: [develop, staging, main]'));
+  assert.ok(workflow.includes('concurrency:') && workflow.includes('group: publish-${{ github.ref_name }}'));
+  assert.ok(validate.includes('npm run check'));
+  assert.ok(validate.includes('npm pack --json'));
+  assert.ok(validate.includes('name: npm-package'));
+  assert.ok(validate.includes('name: dist-artifacts'));
+  assert.ok(validate.includes('name: ui-standalone'));
+  assert.ok(validate.includes('Generate release checksums'));
+  assert.ok(validate.includes('sha256sum'));
+  assert.ok(validate.includes('name: release-checksums'));
+  assert.ok(read('../charts/templates/gitea.yaml').includes('gitea-backend'));
+  const argocdTemplate = read('../charts/templates/argocd-application.yaml');
+  const values = read('../charts/values.yaml');
+  assert.ok(argocdTemplate.includes('kind: Application'));
+  assert.ok(argocdTemplate.includes('.Values.argocd.syncPolicy.prune'));
+  assert.ok(argocdTemplate.includes('.Values.argocd.syncPolicy.selfHeal'));
+  assert.ok(!values.includes('`n'));
+  assert.match(values, /^  syncPolicy:\r?\n\s+automated: true\r?\n\s+prune: true\r?\n\s+selfHeal: true/m);
+  const image = workflowJobBlock(workflow, 'publish-image');
+  assert.ok(image.includes('needs: validate'));
+  assert.ok(image.includes("push: ${{ github.event_name != 'pull_request' }}"));
+  assert.ok(image.includes('docker/build-push-action'));
+  assert.ok(image.includes('ghcr.io/${{ github.repository }}/krate-controller'));
+  const chart = workflowJobBlock(workflow, 'publish-chart');
+  assert.ok(chart.includes('needs: validate'));
+  assert.ok(chart.includes('helm package charts/krate'));
+  assert.ok(chart.includes('SHA256SUMS'));
+  assert.ok(chart.includes('sha256sum dist/charts/*.tgz'));
+  assert.ok(chart.includes("if: startsWith(github.ref, 'refs/tags/v')"));
+  assert.ok(chart.includes('helm push dist/charts/*.tgz'));
+  const deploy = workflowJobBlock(workflow, 'deploy-krate');
+  assert.ok(deploy.includes('Deploy Krate To AKS'));
+  assert.ok(deploy.includes("github.ref == 'refs/heads/develop'"));
+  assert.ok(deploy.includes("github.ref == 'refs/heads/staging'"));
+  assert.ok(deploy.includes("github.ref == 'refs/heads/main'"));
+  assert.ok(deploy.includes('environment:') && deploy.includes('krate-production') && deploy.includes('https://krate.a5c.ai'));
+  assert.ok(deploy.includes('AZURE_ACR_NAME') && deploy.includes('KUBE_CONFIG'));
+  assert.ok(deploy.includes('KRATE_GITHUB_CLIENT_ID') && deploy.includes('KRATE_GITHUB_CLIENT_SECRET'));
+  assert.ok(deploy.includes('krate-develop.a5c.ai') && deploy.includes('krate-staging.a5c.ai') && deploy.includes('krate.a5c.ai'));
+  assert.ok(deploy.includes('docker build -f Dockerfile') && deploy.includes('docker push'));
+  assert.ok(deploy.includes('create secret docker-registry acr-pull'));
+  assert.ok(deploy.includes('helm upgrade --install'));
+  assert.ok(deploy.includes('--values /tmp/krate-deploy-values.yaml'));
+  assert.ok(deploy.includes('--wait'));
+  assert.ok(deploy.includes('rollout status deployment/"${HELM_RELEASE}-krate-web"'));
+  assert.doesNotMatch(workflow, /publish-npm:/);
+  assert.doesNotMatch(workflow, /npm publish/);
+  assert.doesNotMatch(workflow, /PUBLISH_NPM/);
+});

package/tests/e2e/lifecycle.test.js ADDED Viewed

@@ -0,0 +1,117 @@
+import test from 'node:test';
+import assert from 'node:assert/strict';
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import { buildMinikubePlan } from '../../scripts/setup-minikube.mjs';
+const requiredChartFiles = [
+  '../charts/Chart.yaml',
+  '../charts/values.yaml',
+  '../charts/crds/repositories.yaml',
+  '../charts/crds/aggregated-resources.yaml',
+  '../charts/templates/apiservice.yaml',
+  '../charts/templates/deployments.yaml',
+  '../charts/templates/rbac.yaml',
+  '../charts/templates/services.yaml',
+  '../charts/templates/networkpolicy.yaml',
+  '../charts/templates/gitea.yaml',
+  '../charts/templates/argocd-application.yaml',
+  'examples/minikube-demo.yaml'
+];
+test('chart package contains the MVP Kubernetes install surface', () => {
+  for (const file of requiredChartFiles) assert.equal(existsSync(file), true, `${file} exists`);
+  const chart = requiredChartFiles.map((file) => readFileSync(file, 'utf8')).join('\n');
+  for (const kind of ['CustomResourceDefinition', 'Deployment', 'Service', 'ServiceAccount', 'ClusterRole', 'NetworkPolicy', 'PersistentVolumeClaim']) assert.ok(chart.includes(`kind: ${kind}`), `chart includes ${kind}`);
+  for (const resource of ['Organization', 'Repository', 'SSHKey', 'RepositoryPermission', 'BranchProtection', 'RefPolicy', 'PullRequest', 'Issue', 'Review', 'Pipeline', 'Job', 'RunnerPool', 'WebhookSubscription', 'WebhookDelivery', 'View', 'Selector']) assert.ok(chart.includes(`kind: ${resource}`), `package covers ${resource}`);
+  assert.ok(chart.includes('kind: Pipeline'), 'package includes demo Pipeline workflow');
+  assert.ok(chart.includes('kind: Application'), 'package includes Argo CD Application');
+  assert.ok(chart.includes('krate-kubevela'), 'package installs KubeVela through Argo CD');
+  assert.ok(chart.includes('core.oam.dev'), 'Krate service account can manage delivery resources');
+  assert.ok(chart.includes('create') && chart.includes('delete'), 'Krate service account can compose and remove delivery resources');
+  assert.ok(chart.includes('vela-core'), 'package references upstream KubeVela vela-core chart');
+  assert.ok(chart.includes('apiService') && chart.includes('enabled: false'), 'APIService registration is optional for CRD-backed local installs');
+  assert.ok(chart.includes('gitea/gitea'), 'package includes Gitea backend image');
+  assert.ok(chart.includes('readinessProbe'), 'workloads expose readiness probes for live installs');
+  assert.ok(chart.includes('serviceAccountName'), 'workloads run with the Krate service account');
+  assert.ok(chart.includes('customresourcedefinitions'), 'service account can discover installed Krate CRDs');
+  assert.ok(chart.includes('krate.webImage'), 'web deployment uses the web container image');
+  assert.ok(chart.includes('sshkeys.krate.a5c.ai'), 'package includes SSH key reconciliation resources');
+  assert.ok(chart.includes('repositorypermissions.krate.a5c.ai'), 'package includes Gitea permission reconciliation resources');
+  assert.ok(chart.includes('revoked'), 'package access CRDs allow revocation state');
+  assert.ok(chart.includes('KRATE_CONTROLLER_URL'), 'web deployment points at the in-cluster controller API');
+  assert.ok(chart.includes('containerPort: 2222'), 'rootless Gitea SSH service targets port 2222');
+  assert.ok(chart.includes('krate.fullname') && chart.includes('gitea-http'), 'Gitea and Argo CD URLs derive the release-scoped service name');
+  assert.ok(chart.includes('krate.a5c.ai/gitops-engine: argocd'), 'package labels Argo CD GitOps engine');
+  assert.ok(!chart.includes('`n'), 'package values use real YAML newlines');
+  assert.ok(chart.includes('.Values.argocd.syncPolicy.prune'), 'Argo CD template consumes syncPolicy.prune');
+  assert.ok(chart.includes('.Values.argocd.syncPolicy.selfHeal'), 'Argo CD template consumes syncPolicy.selfHeal');
+  assert.ok(chart.includes('- CreateNamespace=true'), 'values expose Argo CD CreateNamespace sync option');
+  for (const valueTerm of ['externalDependencies', 'objectStorage', 'oidc', 'gatekeeper', 'autoscaling', 'targetCPUUtilizationPercentage', 'gitea', 'argocd', 'repoURL', 'syncPolicy']) assert.ok(chart.includes(valueTerm), `values expose ${valueTerm}`);
+});
+test('minikube setup dry-run exposes deterministic local install commands', () => {
+  const plan = buildMinikubePlan({ apply: false, json: true, profile: 'krate-test', namespace: 'krate-system', release: 'krate', driver: 'docker', chart: '../charts' });
+  const commands = plan.commands.map(([cmd, args]) => [cmd, ...args].join(' '));
+  assert.equal(plan.mode, 'dry-run');
+  assert.ok(commands.some((command) => command.startsWith('minikube start -p krate-test')));
+  assert.ok(commands.includes('helm lint ../charts'));
+  assert.ok(commands.some((command) => command.includes('helm upgrade --install krate ../charts')));
+  assert.ok(commands.includes('kubectl apply -n krate-system -f examples/minikube-demo.yaml'));
+  assert.ok(commands.includes('node scripts/smoke.mjs'));
+});
+test('setup:minikube --dry-run --json is machine-readable', () => {
+  const output = execFileSync(process.execPath, ['scripts/setup-minikube.mjs', '--dry-run', '--json', '--profile=krate-test'], { encoding: 'utf8' });
+  const parsed = JSON.parse(output);
+  assert.equal(parsed.mode, 'dry-run');
+  assert.ok(parsed.requiredTools.includes('minikube'));
+  assert.ok(parsed.commands.some((command) => command.includes('helm lint ../charts')));
+});