npm - @a5c-ai/krate - Versions diffs - 5.0.1-staging.00fa5317c - Mend

@a5c-ai/krate 5.0.1-staging.00fa5317c

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (256) hide show

package/Dockerfile +31 -0
package/README.md +183 -0
package/bin/krate-demo.mjs +23 -0
package/bin/krate-server.mjs +14 -0
package/dist/krate-controller-ui.json +3205 -0
package/dist/krate-lifecycle.json +201 -0
package/dist/krate-runtime-snapshot.json +3125 -0
package/dist/krate-summary.json +724 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-krate-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/krate-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/openapi.yaml +1275 -0
package/docs/product-requirements.md +62 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/system-requirements.md +90 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +63 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +93 -0
package/scripts/validate-ui.mjs +278 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +209 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +280 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-provider-config-controller.js +150 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +347 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +381 -0
package/src/agent-workspace-controller.js +702 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +541 -0
package/src/argocd-gitops.js +43 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +307 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +72 -0
package/src/controller-ui.js +617 -0
package/src/data-plane.js +179 -0
package/src/event-bus.js +61 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +161 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +131 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/hooks-events.js +63 -0
package/src/http-server.js +377 -0
package/src/identity-policy.js +86 -0
package/src/index.js +57 -0
package/src/kubernetes-controller-async.js +511 -0
package/src/kubernetes-controller.js +878 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/notification-controller.js +178 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +221 -0
package/src/runner-controller.js +272 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +315 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-memory-controller.test.js +308 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +204 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +228 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +221 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +211 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/codespace-controller.test.js +318 -0
package/tests/deployment.test.js +407 -0
package/tests/e2e/lifecycle.test.js +117 -0
package/tests/event-bus-integration.test.js +190 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +340 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +215 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/krate.test.js +756 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/notification-controller.test.js +196 -0
package/tests/notification-integration.test.js +179 -0
package/tests/org-scoping.test.js +687 -0
package/tests/runner-controller.test.js +327 -0
package/tests/runner-integration.test.js +231 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +247 -0
package/tests/sse-events.test.js +107 -0
package/tests/webhook-trigger.test.js +198 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/tests/org-scoping.test.js ADDED Viewed

@@ -0,0 +1,687 @@
+// Slice 1.1 — Org Scoping Enforcement
+import assert from 'node:assert/strict';
+import { describe, test } from 'node:test';
+import {
+  orgNamespaceName,
+  normalizeOrgSlug,
+  createResource,
+} from '../src/index.js';
+// ---------------------------------------------------------------------------
+// Helper: create a fake resource gateway for controller tests
+// ---------------------------------------------------------------------------
+function createFakeGateway(overrides = {}) {
+  const calls = { applied: [], deleted: [], got: [] };
+  return {
+    calls,
+    gateway: {
+      role: 'kubernetes-resource-gateway',
+      namespace: 'krate-system',
+      resourceDefinitions: [],
+      async snapshot() { return { source: 'kubernetes', namespace: 'krate-system', resources: {}, commands: [], events: [], permissions: [], storage: {} }; },
+      async list() { return overrides.listResult || { items: [] }; },
+      async get(kind, name) { calls.got.push({ kind, name }); return overrides.getResult !== undefined ? overrides.getResult : null; },
+      async apply(resource) { calls.applied.push(resource); return { operation: 'apply', resource }; },
+      async delete(kind, name) { calls.deleted.push({ kind, name }); return { operation: 'delete', resource: null }; },
+      async createRepository(input) { return { operation: 'apply', resource: input }; },
+      async createOrganization(input) { return { operation: 'create-organization', organization: { kind: 'Organization', metadata: { name: input.slug || input.name }, spec: { organizationRef: input.slug || input.name, ...input } } }; },
+      watch() { return {}; }
+    }
+  };
+}
+async function makeController(overrides = {}, controllerOptions = {}) {
+  const { calls, gateway } = createFakeGateway(overrides);
+  const { createKrateApiController } = await import('../src/api-controller.js');
+  const controller = createKrateApiController({ resourceGateway: gateway, ...controllerOptions });
+  return { controller, calls };
+}
+// ---------------------------------------------------------------------------
+// Test 1 — Org namespace derivation
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — Org namespace derivation', () => {
+  test('orgNamespaceName derives krate-org-<slug> from org slug', () => {
+    return import('../src/org-scoping.js').then(({ orgNamespaceName: scopedFn }) => {
+      assert.equal(scopedFn('a5c-ai'), 'krate-org-a5c-ai');
+      assert.equal(scopedFn('my-org'), 'krate-org-my-org');
+      assert.equal(scopedFn('default'), 'krate-org-default');
+    });
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 2 — applyResourceForOrg creates resource in correct namespace
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — applyResource in org scope', () => {
+  test('applyResourceForOrg creates resource in the correct org namespace', async () => {
+    const { controller, calls } = await makeController();
+    assert.equal(typeof controller.applyResourceForOrg, 'function',
+      'controller must expose applyResourceForOrg(orgSlug, resource)');
+    const resource = createResource('Repository', { name: 'my-repo' }, {
+      organizationRef: 'a5c-ai',
+      visibility: 'internal'
+    });
+    const result = await controller.applyResourceForOrg('a5c-ai', resource);
+    assert.equal(
+      result.resource.metadata.namespace,
+      'krate-org-a5c-ai',
+      'resource must be placed in the org namespace krate-org-a5c-ai'
+    );
+    assert.equal(calls.applied.length, 1);
+    assert.equal(calls.applied[0].metadata.namespace, 'krate-org-a5c-ai');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 3 — Cross-org reference denial (krate-org-* namespace mismatch)
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — Cross-org reference denial', () => {
+  test('applyResource rejects a resource that references a different org namespace', async () => {
+    const { controller, calls } = await makeController();
+    const crossOrgResource = {
+      apiVersion: 'krate.a5c.ai/v1alpha1',
+      kind: 'Repository',
+      metadata: {
+        name: 'stolen-repo',
+        namespace: 'krate-org-org-b',
+        labels: {}
+      },
+      spec: {
+        organizationRef: 'org-a',
+        visibility: 'internal'
+      }
+    };
+    await assert.rejects(
+      () => controller.applyResource(crossOrgResource),
+      (err) => {
+        assert.match(
+          err.message,
+          /cross.org|org.*mismatch|namespace.*does not match/i,
+          'error message must describe the cross-org violation'
+        );
+        return true;
+      },
+      'applyResource must reject resources with cross-org namespace/organizationRef mismatch'
+    );
+    assert.equal(calls.applied.length, 0, 'gateway.apply must not be called for a cross-org resource');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 4 — Org-scoped resource listing
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — Org-scoped resource listing', () => {
+  test('listResource with org filter returns only resources from that org namespace', async () => {
+    const repoOrgA = createResource(
+      'Repository',
+      { name: 'repo-alpha', namespace: 'krate-org-org-a' },
+      { organizationRef: 'org-a', visibility: 'internal' }
+    );
+    const repoOrgB = createResource(
+      'Repository',
+      { name: 'repo-beta', namespace: 'krate-org-org-b' },
+      { organizationRef: 'org-b', visibility: 'private' }
+    );
+    const { controller } = await makeController({ listResult: { items: [repoOrgA, repoOrgB] } });
+    assert.equal(typeof controller.listResourceForOrg, 'function',
+      'controller must expose listResourceForOrg(org, kind)');
+    const result = await controller.listResourceForOrg('org-a', 'Repository');
+    assert.ok(Array.isArray(result.items), 'result must have an items array');
+    assert.equal(result.items.length, 1, 'only org-a resources should be returned');
+    assert.equal(result.items[0].metadata.name, 'repo-alpha');
+    assert.equal(
+      result.items.every((item) => item.spec?.organizationRef === 'org-a'),
+      true,
+      'every returned item must belong to org-a'
+    );
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 5 — Org-scoped audit event
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — Org-scoped audit event', () => {
+  test('applyResource emits an audit event with org context after a successful apply', async () => {
+    const auditEvents = [];
+    const resource = createResource(
+      'Repository',
+      { name: 'audited-repo', namespace: 'krate-org-a5c-ai' },
+      { organizationRef: 'a5c-ai', visibility: 'internal' }
+    );
+    const { controller } = await makeController({}, {
+      onAuditEvent: (event) => auditEvents.push(event)
+    });
+    await controller.applyResource(resource);
+    assert.equal(auditEvents.length, 1, 'exactly one audit event must be emitted per apply');
+    const event = auditEvents[0];
+    assert.ok(event, 'audit event must be emitted');
+    assert.equal(event.operation, 'apply', 'event.operation must be "apply"');
+    assert.equal(event.org, 'a5c-ai', 'event.org must be the org slug');
+    assert.equal(event.namespace, 'krate-org-a5c-ai', 'event.namespace must be the org namespace');
+    assert.equal(event.kind, 'Repository', 'event.kind must match the resource kind');
+    assert.equal(event.name, 'audited-repo', 'event.name must match the resource name');
+    assert.ok(event.timestamp, 'event.timestamp must be present');
+    assert.doesNotThrow(() => new Date(event.timestamp).toISOString(),
+      'event.timestamp must be a valid ISO date string');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 6 — applyResourceForOrg rejects org mismatch in organizationRef
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — applyResourceForOrg org mismatch error path', () => {
+  test('applyResourceForOrg rejects when organizationRef does not match target org', async () => {
+    const { controller, calls } = await makeController();
+    const resource = createResource('Repository', { name: 'mismatch-repo' }, {
+      organizationRef: 'org-a',
+      visibility: 'internal'
+    });
+    await assert.rejects(
+      () => controller.applyResourceForOrg('org-b', resource),
+      (err) => {
+        assert.match(
+          err.message,
+          /org.*mismatch/i,
+          'error must describe the org mismatch'
+        );
+        return true;
+      }
+    );
+    assert.equal(calls.applied.length, 0, 'gateway.apply must not be called on org mismatch');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 7 — deleteResourceForOrg happy path
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — deleteResourceForOrg', () => {
+  test('deleteResourceForOrg deletes resource in the correct org namespace', async () => {
+    const orgResource = {
+      resource: createResource('Repository', { name: 'my-repo', namespace: 'krate-org-org-a' }, {
+        organizationRef: 'org-a',
+        visibility: 'internal'
+      })
+    };
+    const { controller, calls } = await makeController({ getResult: orgResource });
+    assert.equal(typeof controller.deleteResourceForOrg, 'function',
+      'controller must expose deleteResourceForOrg(org, kind, name)');
+    await controller.deleteResourceForOrg('org-a', 'Repository', 'my-repo');
+    assert.equal(calls.deleted.length, 1, 'gateway.delete must be called once');
+    assert.equal(calls.deleted[0].name, 'my-repo');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 8 — deleteResourceForOrg cross-org denial
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — deleteResourceForOrg cross-org denial', () => {
+  test('deleteResourceForOrg rejects when resource belongs to a different org', async () => {
+    const foreignResource = {
+      resource: createResource('Repository', { name: 'foreign-repo', namespace: 'krate-org-org-b' }, {
+        organizationRef: 'org-b',
+        visibility: 'internal'
+      })
+    };
+    const { controller, calls } = await makeController({ getResult: foreignResource });
+    await assert.rejects(
+      () => controller.deleteResourceForOrg('org-a', 'Repository', 'foreign-repo'),
+      (err) => {
+        assert.match(
+          err.message,
+          /cross.org|does not match/i,
+          'error must describe the cross-org denial'
+        );
+        return true;
+      }
+    );
+    assert.equal(calls.deleted.length, 0, 'gateway.delete must not be called for cross-org denial');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 9 — getResourceForOrg happy path
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — getResourceForOrg', () => {
+  test('getResourceForOrg returns resource when org matches', async () => {
+    const orgResource = {
+      resource: createResource('Repository', { name: 'my-repo', namespace: 'krate-org-org-a' }, {
+        organizationRef: 'org-a',
+        visibility: 'internal'
+      })
+    };
+    const { controller } = await makeController({ getResult: orgResource });
+    assert.equal(typeof controller.getResourceForOrg, 'function',
+      'controller must expose getResourceForOrg(org, kind, name)');
+    const result = await controller.getResourceForOrg('org-a', 'Repository', 'my-repo');
+    assert.ok(result, 'result must be returned');
+    assert.equal(result.resource.metadata.name, 'my-repo');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 10 — getResourceForOrg cross-org denial
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — getResourceForOrg cross-org denial', () => {
+  test('getResourceForOrg rejects when resource belongs to a different org', async () => {
+    const foreignResource = {
+      resource: createResource('Repository', { name: 'stolen-repo', namespace: 'krate-org-org-b' }, {
+        organizationRef: 'org-b',
+        visibility: 'internal'
+      })
+    };
+    const { controller } = await makeController({ getResult: foreignResource });
+    await assert.rejects(
+      () => controller.getResourceForOrg('org-a', 'Repository', 'stolen-repo'),
+      (err) => {
+        assert.match(
+          err.message,
+          /cross.org|does not match/i,
+          'error must describe the cross-org denial'
+        );
+        return true;
+      }
+    );
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 11 — createRepository emits audit event
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — createRepository audit', () => {
+  test('createRepository emits an audit event', async () => {
+    const auditEvents = [];
+    const { controller } = await makeController({}, {
+      onAuditEvent: (event) => auditEvents.push(event)
+    });
+    await controller.createRepository({
+      name: 'new-repo',
+      organizationRef: 'a5c-ai',
+      visibility: 'internal'
+    });
+    assert.ok(auditEvents.length >= 1, 'at least one audit event must be emitted');
+    const event = auditEvents.find((e) => e.operation === 'create-repository');
+    assert.ok(event, 'audit event with operation "create-repository" must exist');
+    assert.ok(event.timestamp, 'event.timestamp must be present');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 12 — createOrganization emits audit event
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — createOrganization audit', () => {
+  test('createOrganization emits an audit event', async () => {
+    const auditEvents = [];
+    const { controller } = await makeController({}, {
+      onAuditEvent: (event) => auditEvents.push(event)
+    });
+    await controller.createOrganization({
+      slug: 'new-org',
+      displayName: 'New Org'
+    });
+    assert.ok(auditEvents.length >= 1, 'at least one audit event must be emitted');
+    const event = auditEvents.find((e) => e.operation === 'create-organization');
+    assert.ok(event, 'audit event with operation "create-organization" must exist');
+    assert.ok(event.timestamp, 'event.timestamp must be present');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 13 — Audit callback error resilience
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — Audit callback error resilience', () => {
+  test('audit callback error does not crash apply operations', async () => {
+    const { controller } = await makeController({}, {
+      onAuditEvent: () => { throw new Error('audit system down'); }
+    });
+    const resource = createResource('Repository', { name: 'resilient-repo', namespace: 'krate-org-a5c-ai' }, {
+      organizationRef: 'a5c-ai',
+      visibility: 'internal'
+    });
+    // This must not throw despite the audit callback throwing
+    const result = await controller.applyResource(resource);
+    assert.ok(result, 'apply must succeed even when audit callback throws');
+    assert.equal(result.operation, 'apply');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 14 — applyResourceForOrg normalizes un-normalized slug
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — applyResourceForOrg slug normalization', () => {
+  test('applyResourceForOrg with un-normalized slug ("Org-A") normalizes the stored organizationRef to "org-a"', async () => {
+    const { controller, calls } = await makeController();
+    const resource = createResource('Repository', { name: 'norm-repo' }, {
+      visibility: 'internal'
+    });
+    const result = await controller.applyResourceForOrg('Org-A', resource);
+    assert.equal(result.resource.spec.organizationRef, 'org-a',
+      'organizationRef must be normalized to lowercase');
+    assert.equal(result.resource.metadata.namespace, 'krate-org-org-a',
+      'namespace must use the normalized slug');
+    assert.equal(calls.applied.length, 1);
+    assert.equal(calls.applied[0].spec.organizationRef, 'org-a');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 15 — deleteResourceForOrg when resource has no namespace
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — deleteResourceForOrg no-namespace denial', () => {
+  test('deleteResourceForOrg when resource has no namespace throws cross-org error', async () => {
+    const noNsResource = {
+      resource: createResource('Repository', { name: 'no-ns-repo' }, {
+        organizationRef: 'org-a',
+        visibility: 'internal'
+      })
+    };
+    // Ensure metadata.namespace is absent
+    delete noNsResource.resource.metadata.namespace;
+    const { controller, calls } = await makeController({ getResult: noNsResource });
+    await assert.rejects(
+      () => controller.deleteResourceForOrg('org-a', 'Repository', 'no-ns-repo'),
+      (err) => {
+        assert.match(err.message, /cross.org|does not match/i,
+          'error must describe cross-org denial for absent namespace');
+        return true;
+      }
+    );
+    assert.equal(calls.deleted.length, 0, 'gateway.delete must not be called');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 16 — getResourceForOrg when resource has no namespace
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — getResourceForOrg no-namespace denial', () => {
+  test('getResourceForOrg when resource has no namespace throws cross-org error', async () => {
+    const noNsResource = {
+      resource: createResource('Repository', { name: 'no-ns-get-repo' }, {
+        organizationRef: 'org-a',
+        visibility: 'internal'
+      })
+    };
+    delete noNsResource.resource.metadata.namespace;
+    const { controller } = await makeController({ getResult: noNsResource });
+    await assert.rejects(
+      () => controller.getResourceForOrg('org-a', 'Repository', 'no-ns-get-repo'),
+      (err) => {
+        assert.match(err.message, /cross.org|does not match/i,
+          'error must describe cross-org denial for absent namespace');
+        return true;
+      }
+    );
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 17 — applyResource with organizationRef but no namespace auto-assigns
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — applyResource auto-assigns namespace from organizationRef', () => {
+  test('applyResource with organizationRef but no namespace auto-assigns namespace', async () => {
+    const { controller, calls } = await makeController();
+    const resource = {
+      apiVersion: 'krate.a5c.ai/v1alpha1',
+      kind: 'Repository',
+      metadata: {
+        name: 'auto-ns-repo',
+        labels: {}
+      },
+      spec: {
+        organizationRef: 'org-a',
+        visibility: 'internal'
+      }
+    };
+    const result = await controller.applyResource(resource);
+    assert.ok(result, 'apply must succeed');
+    assert.equal(calls.applied.length, 1);
+    assert.equal(calls.applied[0].metadata.namespace, 'krate-org-org-a',
+      'namespace must be auto-assigned from organizationRef');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 18 — deleteResourceForOrg when resource not found returns gracefully
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — deleteResourceForOrg not found', () => {
+  test('deleteResourceForOrg when resource not found returns gracefully', async () => {
+    // getResult = null means resource not found
+    const { controller, calls } = await makeController({ getResult: null });
+    const result = await controller.deleteResourceForOrg('org-a', 'Repository', 'nonexistent-repo');
+    assert.ok(result, 'delete must return a result even when resource is not found');
+    assert.equal(calls.deleted.length, 1, 'gateway.delete must still be called');
+    assert.equal(calls.deleted[0].name, 'nonexistent-repo');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 19 — normalizeOrgSlug collision detection note
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — normalizeOrgSlug collision detection', () => {
+  test('normalizeOrgSlug collision: org-a-b and org_a_b normalize identically', () => {
+    // This test documents that underscores and hyphens collapse to the same slug.
+    // Real production code should add collision detection when creating organizations.
+    assert.equal(normalizeOrgSlug('org-a-b'), normalizeOrgSlug('org_a_b'),
+      'org-a-b and org_a_b must normalize to the same slug (collision)');
+    assert.equal(normalizeOrgSlug('org_a_b'), 'org-a-b',
+      'underscores must be replaced by hyphens in normalized form');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 20 — normalizeOrgSlug edge cases
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — normalizeOrgSlug edge cases', () => {
+  test('normalizeOrgSlug handles empty string', () => {
+    assert.equal(normalizeOrgSlug(''), '');
+  });
+  test('normalizeOrgSlug handles null/undefined', () => {
+    assert.equal(normalizeOrgSlug(null), '');
+    assert.equal(normalizeOrgSlug(undefined), '');
+  });
+  test('normalizeOrgSlug lowercases and strips special chars', () => {
+    assert.equal(normalizeOrgSlug('My_Org!@#'), 'my-org');
+  });
+  test('normalizeOrgSlug strips leading and trailing hyphens', () => {
+    assert.equal(normalizeOrgSlug('--my-org--'), 'my-org');
+  });
+  test('normalizeOrgSlug truncates to 63 chars', () => {
+    const longSlug = 'a'.repeat(100);
+    assert.ok(normalizeOrgSlug(longSlug).length <= 63);
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 15 — listResourceForOrg with empty results
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — listResourceForOrg empty results', () => {
+  test('listResourceForOrg returns empty items when no resources match', async () => {
+    const repoOrgB = createResource(
+      'Repository',
+      { name: 'repo-beta', namespace: 'krate-org-org-b' },
+      { organizationRef: 'org-b', visibility: 'private' }
+    );
+    const { controller } = await makeController({ listResult: { items: [repoOrgB] } });
+    const result = await controller.listResourceForOrg('org-a', 'Repository');
+    assert.ok(Array.isArray(result.items), 'result must have an items array');
+    assert.equal(result.items.length, 0, 'no items should match org-a');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 16 — listResourceForOrg multi-org filtering
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — listResourceForOrg multi-org filtering', () => {
+  test('listResourceForOrg correctly filters across multiple orgs', async () => {
+    const repoA1 = createResource('Repository', { name: 'a-repo-1', namespace: 'krate-org-org-a' }, { organizationRef: 'org-a', visibility: 'internal' });
+    const repoA2 = createResource('Repository', { name: 'a-repo-2', namespace: 'krate-org-org-a' }, { organizationRef: 'org-a', visibility: 'internal' });
+    const repoB1 = createResource('Repository', { name: 'b-repo-1', namespace: 'krate-org-org-b' }, { organizationRef: 'org-b', visibility: 'private' });
+    const repoC1 = createResource('Repository', { name: 'c-repo-1', namespace: 'krate-org-org-c' }, { organizationRef: 'org-c', visibility: 'public' });
+    const { controller } = await makeController({ listResult: { items: [repoA1, repoA2, repoB1, repoC1] } });
+    const resultA = await controller.listResourceForOrg('org-a', 'Repository');
+    assert.equal(resultA.items.length, 2, 'org-a should have 2 repos');
+    assert.deepEqual(resultA.items.map((i) => i.metadata.name).sort(), ['a-repo-1', 'a-repo-2']);
+    const resultB = await controller.listResourceForOrg('org-b', 'Repository');
+    assert.equal(resultB.items.length, 1, 'org-b should have 1 repo');
+    assert.equal(resultB.items[0].metadata.name, 'b-repo-1');
+    const resultC = await controller.listResourceForOrg('org-c', 'Repository');
+    assert.equal(resultC.items.length, 1, 'org-c should have 1 repo');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 17 — deleteResource emits audit event
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — deleteResource audit', () => {
+  test('deleteResource emits an audit event', async () => {
+    const auditEvents = [];
+    const { controller } = await makeController({}, {
+      onAuditEvent: (event) => auditEvents.push(event)
+    });
+    await controller.deleteResource('Repository', 'some-repo');
+    assert.ok(auditEvents.length >= 1, 'at least one audit event must be emitted');
+    const event = auditEvents.find((e) => e.operation === 'delete');
+    assert.ok(event, 'audit event with operation "delete" must exist');
+    assert.equal(event.name, 'some-repo');
+    assert.ok(event.timestamp, 'event.timestamp must be present');
+  });
+});
+// ---------------------------------------------------------------------------
+// Test 18 — Cross-org denial for system namespaces
+// (Regression: resources targeting system namespaces like krate-system
+//  with any organizationRef must also be blocked.)
+// ---------------------------------------------------------------------------
+describe('Slice 1.1 — Cross-org denial for system namespaces', () => {
+  test('applyResource rejects resource targeting krate-system with an organizationRef', async () => {
+    const { controller, calls } = await makeController();
+    const systemNsResource = {
+      apiVersion: 'krate.a5c.ai/v1alpha1',
+      kind: 'Repository',
+      metadata: {
+        name: 'sneaky-repo',
+        namespace: 'krate-system',
+        labels: {}
+      },
+      spec: {
+        organizationRef: 'org-a',
+        visibility: 'internal'
+      }
+    };
+    await assert.rejects(
+      () => controller.applyResource(systemNsResource),
+      (err) => {
+        assert.match(
+          err.message,
+          /cross.org|org.*mismatch|namespace.*does not match/i,
+          'error message must describe the namespace/org mismatch'
+        );
+        return true;
+      }
+    );
+    assert.equal(calls.applied.length, 0, 'gateway.apply must not be called');
+  });
+  test('applyResource rejects resource targeting default namespace with an organizationRef', async () => {
+    const { controller, calls } = await makeController();
+    const defaultNsResource = {
+      apiVersion: 'krate.a5c.ai/v1alpha1',
+      kind: 'Repository',
+      metadata: {
+        name: 'sneaky-repo-2',
+        namespace: 'default',
+        labels: {}
+      },
+      spec: {
+        organizationRef: 'org-a',
+        visibility: 'internal'
+      }
+    };
+    await assert.rejects(
+      () => controller.applyResource(defaultNsResource),
+      (err) => {
+        assert.match(
+          err.message,
+          /cross.org|org.*mismatch|namespace.*does not match/i
+        );
+        return true;
+      }
+    );
+    assert.equal(calls.applied.length, 0);
+  });
+});