npm - @a5c-ai/krate - Versions diffs - 5.0.1-staging.00fa5317c - Mend

@a5c-ai/krate 5.0.1-staging.00fa5317c

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (256) hide show

package/Dockerfile +31 -0
package/README.md +183 -0
package/bin/krate-demo.mjs +23 -0
package/bin/krate-server.mjs +14 -0
package/dist/krate-controller-ui.json +3205 -0
package/dist/krate-lifecycle.json +201 -0
package/dist/krate-runtime-snapshot.json +3125 -0
package/dist/krate-summary.json +724 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-krate-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/krate-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/openapi.yaml +1275 -0
package/docs/product-requirements.md +62 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/system-requirements.md +90 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +63 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +93 -0
package/scripts/validate-ui.mjs +278 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +209 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +280 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-provider-config-controller.js +150 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +347 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +381 -0
package/src/agent-workspace-controller.js +702 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +541 -0
package/src/argocd-gitops.js +43 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +307 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +72 -0
package/src/controller-ui.js +617 -0
package/src/data-plane.js +179 -0
package/src/event-bus.js +61 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +161 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +131 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/hooks-events.js +63 -0
package/src/http-server.js +377 -0
package/src/identity-policy.js +86 -0
package/src/index.js +57 -0
package/src/kubernetes-controller-async.js +511 -0
package/src/kubernetes-controller.js +878 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/notification-controller.js +178 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +221 -0
package/src/runner-controller.js +272 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +315 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-memory-controller.test.js +308 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +204 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +228 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +221 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +211 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/codespace-controller.test.js +318 -0
package/tests/deployment.test.js +407 -0
package/tests/e2e/lifecycle.test.js +117 -0
package/tests/event-bus-integration.test.js +190 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +340 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +215 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/krate.test.js +756 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/notification-controller.test.js +196 -0
package/tests/notification-integration.test.js +179 -0
package/tests/org-scoping.test.js +687 -0
package/tests/runner-controller.test.js +327 -0
package/tests/runner-integration.test.js +231 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +247 -0
package/tests/sse-events.test.js +107 -0
package/tests/webhook-trigger.test.js +198 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/tests/external-integration.test.js ADDED Viewed

@@ -0,0 +1,470 @@
+/**
+ * External Integration Tests — Wire external controllers into runtime
+ *
+ * Tests that the api-controller properly delegates to sync-controller,
+ * write-controller, conflict-controller, and webhook-controller.
+ */
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { createKrateApiController } from '../src/api-controller.js';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Minimal resource gateway stub for testing */
+function makeGateway(overrides = {}) {
+  const store = new Map();
+  return {
+    namespace: 'krate-system',
+    resourceDefinitions: {},
+    async snapshot() { return { resources: {}, namespace: 'krate-system' }; },
+    async list(kind) { return { items: [] }; },
+    async get(kind, name) { return null; },
+    async apply(resource) {
+      store.set(resource.metadata?.name, resource);
+      return { operation: 'apply', resource };
+    },
+    async delete(kind, name) { return { operation: 'delete' }; },
+    watch() { return { close: () => {} }; },
+    ...overrides
+  };
+}
+function makeController(gatewayOverrides = {}) {
+  return createKrateApiController({ resourceGateway: makeGateway(gatewayOverrides) });
+}
+// ---------------------------------------------------------------------------
+// Test 1: syncExternalBinding exists on controller
+// ---------------------------------------------------------------------------
+test('api-controller exposes syncExternalBinding method', () => {
+  const controller = makeController();
+  assert.equal(typeof controller.syncExternalBinding, 'function',
+    'controller must expose syncExternalBinding');
+});
+// ---------------------------------------------------------------------------
+// Test 2: syncExternalBinding creates sync controller and runs sync
+// ---------------------------------------------------------------------------
+test('syncExternalBinding creates sync controller and upserts resource', async () => {
+  const controller = makeController();
+  const result = await controller.syncExternalBinding('github-binding', {
+    kind: 'Repository',
+    localName: 'my-repo',
+    namespace: 'default',
+    spec: { organizationRef: 'default' },
+    externalEnvelope: {
+      nativeId: 'github-repo-42',
+      url: 'https://github.com/org/repo',
+      etag: '"abc"',
+      providerRef: 'github-provider'
+    }
+  });
+  assert.ok(result, 'syncExternalBinding must return a result');
+  assert.ok(result.resource, 'result must include the upserted resource');
+  assert.equal(result.resource.status?.external?.nativeId, 'github-repo-42',
+    'upserted resource must have correct nativeId');
+});
+// ---------------------------------------------------------------------------
+// Test 3: syncExternalBinding calls persistFn (applyResource) for watermark
+// ---------------------------------------------------------------------------
+test('syncExternalBinding with watermark timestamp persists watermark via applyResource', async () => {
+  const applied = [];
+  const controller = createKrateApiController({
+    resourceGateway: makeGateway({
+      async apply(resource) {
+        applied.push(JSON.parse(JSON.stringify(resource)));
+        return { operation: 'apply', resource };
+      }
+    })
+  });
+  await controller.syncExternalBinding('github-binding-wm', {
+    kind: 'Repository',
+    localName: 'wm-repo',
+    namespace: 'default',
+    spec: {},
+    externalEnvelope: { nativeId: 'id-1', url: 'https://example.com', etag: '"v1"', providerRef: 'github' },
+    watermark: '2024-01-01T10:00:00.000Z'
+  });
+  // Allow async persist tick
+  await new Promise((r) => setImmediate(r));
+  assert.ok(applied.length >= 1, 'applyResource must be called at least once for the upserted resource');
+  const kinds = applied.map((r) => r.kind);
+  assert.ok(kinds.some((k) => k), 'applied resources must have kind fields');
+});
+// ---------------------------------------------------------------------------
+// Test 4: writeController called from api-controller creates and persists intent
+// ---------------------------------------------------------------------------
+test('api-controller exposes approveExternalWriteIntent method', () => {
+  const controller = makeController();
+  assert.equal(typeof controller.approveExternalWriteIntent, 'function',
+    'controller must expose approveExternalWriteIntent');
+});
+// ---------------------------------------------------------------------------
+// Test 5: createExternalWriteIntent creates a WriteIntent via write controller
+// ---------------------------------------------------------------------------
+test('api-controller exposes createExternalWriteIntent method', () => {
+  const controller = makeController();
+  assert.equal(typeof controller.createExternalWriteIntent, 'function',
+    'controller must expose createExternalWriteIntent');
+});
+test('createExternalWriteIntent creates intent with correct phase', async () => {
+  const controller = makeController();
+  const result = await controller.createExternalWriteIntent({
+    interfaceKey: 'issueTracking',
+    operation: 'createIssue',
+    payload: { title: 'Bug fix' },
+    resourceRef: 'org/repo#1',
+    requiresApproval: false
+  });
+  assert.ok(result, 'createExternalWriteIntent must return a result');
+  assert.ok(result.intent, 'result must include the intent');
+  assert.equal(result.intent.status.phase, 'ReadyToSend',
+    'intent without approval must start as ReadyToSend');
+});
+// ---------------------------------------------------------------------------
+// Test 6: conflictController detects divergence when sync finds changed resource
+// ---------------------------------------------------------------------------
+test('api-controller exposes detectExternalConflict method', () => {
+  const controller = makeController();
+  assert.equal(typeof controller.detectExternalConflict, 'function',
+    'controller must expose detectExternalConflict');
+});
+test('detectExternalConflict creates conflict when local and external values differ', async () => {
+  const controller = makeController();
+  const result = await controller.detectExternalConflict({
+    resourceRef: 'org/repo#issue-1',
+    fieldPath: 'spec.title',
+    localValue: 'Local Title',
+    externalValue: 'External Title'
+  });
+  assert.ok(result, 'detectExternalConflict must return a result');
+  assert.ok(result.conflict, 'result must include a conflict resource when values differ');
+  assert.equal(result.conflict.status.phase, 'Open',
+    'detected conflict must start as Open');
+});
+test('detectExternalConflict returns null conflict when values match', async () => {
+  const controller = makeController();
+  const result = await controller.detectExternalConflict({
+    resourceRef: 'org/repo#issue-2',
+    fieldPath: 'spec.title',
+    localValue: 'Same Value',
+    externalValue: 'Same Value'
+  });
+  assert.ok(result, 'detectExternalConflict must return a result');
+  assert.equal(result.conflict, null,
+    'conflict must be null when values are equal');
+});
+// ---------------------------------------------------------------------------
+// Test 7: Full flow — webhook → normalize → sync → detect conflict → resolve
+// ---------------------------------------------------------------------------
+test('api-controller exposes processExternalWebhook method', () => {
+  const controller = makeController();
+  assert.equal(typeof controller.processExternalWebhook, 'function',
+    'controller must expose processExternalWebhook');
+});
+test('processExternalWebhook processes delivery and emits to subscribers', async () => {
+  const controller = makeController();
+  const eventsReceived = [];
+  const result = await controller.processExternalWebhook({
+    deliveryId: 'delivery-001',
+    eventType: 'pull_request',
+    payload: { action: 'opened', repo: 'org/repo' },
+    rawBody: '{"action":"opened","repo":"org/repo"}',
+    providerType: 'github',
+    secret: 'my-secret'
+  });
+  assert.ok(result, 'processExternalWebhook must return a result');
+  assert.ok(!result.error, `must not error: ${result.message}`);
+  assert.ok('duplicate' in result || 'deliveryId' in result || 'queued' in result,
+    'result must have delivery tracking fields');
+});
+// ---------------------------------------------------------------------------
+// Test 8: api-controller.syncExternalBinding creates sync controller and runs sync
+// ---------------------------------------------------------------------------
+test('syncExternalBinding returns sync state for the binding', async () => {
+  const controller = makeController();
+  // Sync a resource
+  await controller.syncExternalBinding('binding-status-test', {
+    kind: 'Repository',
+    localName: 'status-repo',
+    namespace: 'default',
+    spec: { organizationRef: 'default' },
+    externalEnvelope: {
+      nativeId: 'id-status-1',
+      url: 'https://github.com/org/status-repo',
+      etag: '"v1"',
+      providerRef: 'github'
+    }
+  });
+  assert.ok(true, 'syncExternalBinding must complete without error');
+});
+// ---------------------------------------------------------------------------
+// Test 9: api-controller.resolveExternalConflict calls conflict controller
+// ---------------------------------------------------------------------------
+test('api-controller exposes resolveExternalConflict method', () => {
+  const controller = makeController();
+  assert.equal(typeof controller.resolveExternalConflict, 'function',
+    'controller must expose resolveExternalConflict');
+});
+test('resolveExternalConflict resolves an existing Open conflict', async () => {
+  const controller = makeController();
+  // First detect a conflict
+  const detectResult = await controller.detectExternalConflict({
+    resourceRef: 'org/repo#3',
+    fieldPath: 'spec.body',
+    localValue: 'Old',
+    externalValue: 'New'
+  });
+  assert.ok(detectResult.conflict, 'must detect conflict first');
+  // Now resolve it using the prefer-external strategy
+  const resolveResult = await controller.resolveExternalConflict({
+    conflictName: detectResult.conflict.metadata.name,
+    strategy: 'prefer-external',
+    resources: { ExternalSyncConflict: [detectResult.conflict] }
+  });
+  assert.ok(resolveResult, 'resolveExternalConflict must return a result');
+  assert.ok(!resolveResult.error, `must not error: ${resolveResult.message}`);
+  assert.equal(resolveResult.conflict.status.phase, 'Resolved',
+    'conflict must be Resolved after resolution');
+  assert.equal(resolveResult.resolution.chosenValue, 'New',
+    'prefer-external must choose the external value');
+});
+// ---------------------------------------------------------------------------
+// Test 10: api-controller.approveExternalWriteIntent calls write controller
+// ---------------------------------------------------------------------------
+test('approveExternalWriteIntent approves a PendingApproval intent', async () => {
+  const controller = makeController();
+  // Create a pending approval intent
+  const createResult = await controller.createExternalWriteIntent({
+    interfaceKey: 'gitForge',
+    operation: 'createPR',
+    payload: { title: 'My PR' },
+    resourceRef: 'org/repo#pr-1',
+    requiresApproval: true
+  });
+  assert.ok(createResult.intent, 'must create intent');
+  assert.equal(createResult.intent.status.phase, 'PendingApproval', 'must start as PendingApproval');
+  // Now approve it
+  const approveResult = await controller.approveExternalWriteIntent({
+    intentName: createResult.intent.metadata.name,
+    approvedBy: 'admin-user',
+    resources: { ExternalWriteIntent: [createResult.intent] }
+  });
+  assert.ok(approveResult, 'approveExternalWriteIntent must return a result');
+  assert.ok(!approveResult.error, `must not error: ${approveResult.message}`);
+  assert.equal(approveResult.intent.status.phase, 'ReadyToSend',
+    'approved intent must transition to ReadyToSend');
+  assert.equal(approveResult.intent.status.approvedBy, 'admin-user',
+    'approver must be recorded');
+});
+// ---------------------------------------------------------------------------
+// Test 11: api-controller.cancelExternalWriteIntent cancels an intent
+// ---------------------------------------------------------------------------
+test('api-controller exposes cancelExternalWriteIntent method', () => {
+  const controller = makeController();
+  assert.equal(typeof controller.cancelExternalWriteIntent, 'function',
+    'controller must expose cancelExternalWriteIntent');
+});
+test('cancelExternalWriteIntent rejects a PendingApproval intent', async () => {
+  const controller = makeController();
+  const createResult = await controller.createExternalWriteIntent({
+    interfaceKey: 'cicd',
+    operation: 'triggerBuild',
+    payload: { branch: 'main' },
+    resourceRef: 'org/repo#build-1',
+    requiresApproval: true
+  });
+  assert.ok(createResult.intent, 'must create intent');
+  const cancelResult = await controller.cancelExternalWriteIntent({
+    intentName: createResult.intent.metadata.name,
+    cancelledBy: 'user-1',
+    resources: { ExternalWriteIntent: [createResult.intent] }
+  });
+  assert.ok(cancelResult, 'cancelExternalWriteIntent must return a result');
+  assert.ok(!cancelResult.error, `must not error: ${cancelResult.message}`);
+  assert.equal(cancelResult.intent.status.phase, 'Rejected',
+    'cancelled intent must be Rejected');
+});
+// ---------------------------------------------------------------------------
+// Test 12: api-controller.getExternalSyncStatus returns binding sync state
+// ---------------------------------------------------------------------------
+test('api-controller exposes getExternalSyncStatus method', () => {
+  const controller = makeController();
+  assert.equal(typeof controller.getExternalSyncStatus, 'function',
+    'controller must expose getExternalSyncStatus');
+});
+test('getExternalSyncStatus returns null watermark for unknown binding', async () => {
+  const controller = makeController();
+  const result = await controller.getExternalSyncStatus('no-such-binding');
+  assert.ok(result, 'getExternalSyncStatus must return a result');
+  assert.equal(result.watermark, null,
+    'watermark must be null for unseen binding');
+});
+// ---------------------------------------------------------------------------
+// Test 13: processWebhookAndSync — webhook delivery → event normalization → sync controller upserts resource
+// ---------------------------------------------------------------------------
+test('syncExternalBinding normalizes the provided envelope into a K8s-style resource', async () => {
+  const controller = makeController();
+  const result = await controller.syncExternalBinding('github-binding-norm', {
+    kind: 'PullRequest',
+    localName: 'pr-101',
+    namespace: 'krate-org-acme',
+    spec: { organizationRef: 'acme', title: 'Fix bug' },
+    externalEnvelope: {
+      nativeId: 'pr-github-101',
+      url: 'https://github.com/acme/repo/pull/101',
+      etag: '"pr-etag-1"',
+      providerRef: 'github'
+    }
+  });
+  assert.ok(result.resource, 'result must include resource');
+  assert.equal(result.resource.kind, 'PullRequest', 'resource kind must match input');
+  assert.equal(result.resource.metadata.name, 'pr-101', 'resource name must match localName');
+  assert.equal(result.resource.metadata.namespace, 'krate-org-acme', 'namespace must be preserved');
+  assert.equal(result.resource.status.external.nativeId, 'pr-github-101', 'nativeId must be set');
+});
+// ---------------------------------------------------------------------------
+// Test 14: syncController called with persistFn persists watermark and resource
+// ---------------------------------------------------------------------------
+test('syncExternalBinding with watermark option advances the watermark', async () => {
+  const applied = [];
+  const controller = createKrateApiController({
+    resourceGateway: makeGateway({
+      async apply(resource) {
+        applied.push(JSON.parse(JSON.stringify(resource)));
+        return { operation: 'apply', resource };
+      }
+    })
+  });
+  const watermarkTs = '2025-03-15T09:30:00.000Z';
+  await controller.syncExternalBinding('wm-binding-adv', {
+    kind: 'Repository',
+    localName: 'adv-repo',
+    namespace: 'default',
+    spec: {},
+    externalEnvelope: { nativeId: 'id-wm', url: 'https://x.com', etag: '"wm"', providerRef: 'github' },
+    watermark: watermarkTs
+  });
+  await new Promise((r) => setImmediate(r));
+  // At least the upserted resource must have been applied
+  assert.ok(applied.length >= 1, 'at least one resource must be applied');
+  // Look for the watermark in the applied resources payload
+  const applied2 = await controller.getExternalSyncStatus('wm-binding-adv');
+  assert.equal(applied2.watermark, watermarkTs,
+    'getExternalSyncStatus must reflect the advanced watermark');
+});
+// ---------------------------------------------------------------------------
+// Test 15: Full end-to-end flow: webhook → normalize → sync → detect conflict → resolve
+// ---------------------------------------------------------------------------
+test('end-to-end: processExternalWebhook → syncExternalBinding → detectExternalConflict → resolveExternalConflict', async () => {
+  const controller = makeController();
+  // Step 1: Process an inbound webhook
+  const webhookResult = await controller.processExternalWebhook({
+    deliveryId: 'e2e-delivery-001',
+    eventType: 'issues',
+    payload: { action: 'edited', issue: { id: 5001, title: 'New Title' } },
+    rawBody: '{"action":"edited","issue":{"id":5001,"title":"New Title"}}',
+    providerType: 'github',
+    secret: 'e2e-secret'
+  });
+  assert.ok(webhookResult, 'processExternalWebhook must succeed');
+  // Step 2: Sync the resource from the external provider
+  const syncResult = await controller.syncExternalBinding('e2e-github-binding', {
+    kind: 'Issue',
+    localName: 'issue-5001',
+    namespace: 'default',
+    spec: { title: 'New Title', organizationRef: 'default' },
+    externalEnvelope: {
+      nativeId: 'gh-issue-5001',
+      url: 'https://github.com/org/repo/issues/5001',
+      etag: '"etag-v2"',
+      providerRef: 'github'
+    }
+  });
+  assert.ok(syncResult.resource, 'syncExternalBinding must return a resource');
+  // Step 3: Detect a conflict between local and external state
+  const conflictResult = await controller.detectExternalConflict({
+    resourceRef: 'org/repo#issue-5001',
+    fieldPath: 'spec.title',
+    localValue: 'Old Title',
+    externalValue: 'New Title'
+  });
+  assert.ok(conflictResult.conflict, 'conflict must be detected when titles differ');
+  // Step 4: Resolve the conflict
+  const resolveResult = await controller.resolveExternalConflict({
+    conflictName: conflictResult.conflict.metadata.name,
+    strategy: 'prefer-external',
+    resources: { ExternalSyncConflict: [conflictResult.conflict] }
+  });
+  assert.ok(!resolveResult.error, `conflict resolution must succeed: ${resolveResult.message}`);
+  assert.equal(resolveResult.conflict.status.phase, 'Resolved',
+    'conflict must be Resolved after end-to-end flow');
+});