npm - @a5c-ai/krate - Versions diffs - 5.0.1-staging.04a3db697 - Mend

@a5c-ai/krate 5.0.1-staging.04a3db697

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (246) hide show

package/Dockerfile +31 -0
package/README.md +183 -0
package/bin/krate-demo.mjs +23 -0
package/bin/krate-server.mjs +14 -0
package/dist/krate-controller-ui.json +3067 -0
package/dist/krate-lifecycle.json +201 -0
package/dist/krate-runtime-snapshot.json +2955 -0
package/dist/krate-summary.json +722 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-krate-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/krate-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/product-requirements.md +62 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/system-requirements.md +90 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +63 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +93 -0
package/scripts/validate-ui.mjs +236 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +209 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +280 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-provider-config-controller.js +150 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +347 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +321 -0
package/src/agent-workspace-controller.js +447 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +541 -0
package/src/argocd-gitops.js +43 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +307 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +50 -0
package/src/controller-ui.js +551 -0
package/src/data-plane.js +178 -0
package/src/event-bus.js +61 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +161 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +95 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/hooks-events.js +63 -0
package/src/http-server.js +377 -0
package/src/identity-policy.js +86 -0
package/src/index.js +55 -0
package/src/kubernetes-controller-async.js +511 -0
package/src/kubernetes-controller.js +878 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +221 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +315 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-memory-controller.test.js +308 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +204 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +228 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +221 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +211 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/deployment.test.js +396 -0
package/tests/e2e/lifecycle.test.js +117 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +340 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +215 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/krate.test.js +727 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/org-scoping.test.js +687 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +247 -0
package/tests/sse-events.test.js +107 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/src/runtime.js ADDED Viewed

@@ -0,0 +1,196 @@
+import { ControlPlane } from './control-plane.js';
+import { GiteaGitService, GiteaRepositoryStore } from './data-plane.js';
+import { WebhookBus } from './hooks-events.js';
+import { createAdmissionPolicy, mapOidcIdentity } from './identity-policy.js';
+import { createInviteResource, createTeamResource, createAuthProviderResources, mapLoginProfileToKrateIdentity } from './auth.js';
+import { createResource, clone } from './resource-model.js';
+import { RunnerScheduler } from './runners-ci.js';
+const DEFAULT_ORG = 'default';
+const DEFAULT_NAMESPACE = 'krate-org-default';
+export function createDefaultKrateUsers() {
+  return {
+    platformEngineer: mapOidcIdentity({ subject: 'user:platform', email: 'platform@example.com', groups: ['krate:platform-engineers'] }),
+    developer: mapOidcIdentity({ subject: 'user:dev', email: 'dev@example.com', groups: ['krate:developers'] }),
+    repoAdmin: mapOidcIdentity({ subject: 'user:admin', email: 'admin@example.com', groups: ['krate:repo-admins'] })
+  };
+}
+export class KrateRuntime {
+  constructor({ organizationRef = DEFAULT_ORG, namespace = DEFAULT_NAMESPACE, users = createDefaultKrateUsers(), controlPlane, git, runners, webhooks } = {}) {
+    this.organizationRef = organizationRef;
+    this.namespace = namespace;
+    this.users = users;
+    this.controlPlane = controlPlane || new ControlPlane();
+    this.controlPlane.addAdmissionPolicy(createAdmissionPolicy({
+      name: 'pr-title-required',
+      mode: 'enforce',
+      match: ({ resource }) => resource.kind === 'PullRequest',
+      validate: ({ resource }) => Boolean(resource.spec.title && resource.spec.title.length >= 8),
+      message: 'PullRequest spec.title must be descriptive'
+    }));
+    this.git = git || new GiteaGitService({ controlPlane: this.controlPlane, stores: [new GiteaRepositoryStore({ name: 'gitea-primary', receivePackReady: true })] });
+    this.runners = runners || new RunnerScheduler({ controlPlane: this.controlPlane });
+    this.webhooks = webhooks || new WebhookBus({ controlPlane: this.controlPlane });
+    this.seeded = false;
+  }
+  static fromSnapshot(snapshot, options = {}) {
+    const runtime = new KrateRuntime(options);
+    runtime.importSnapshot(snapshot);
+    return runtime;
+  }
+  bootstrap({ repository = 'krate-demo', webhookUrl = 'https://hooks.example.test/krate' } = {}) {
+    if (this.seeded) return this.snapshot();
+    const { platformEngineer, repoAdmin } = this.users;
+    this.git.createRepository({ name: repository, namespace: this.namespace, organizationRef: this.organizationRef }, repoAdmin);
+    this.controlPlane.create(createResource('BranchProtection', { name: 'main-protection', namespace: this.namespace }, { organizationRef: this.organizationRef, refs: ['refs/heads/main'], requirePullRequest: true, requiredChecks: ['test'], requiredApprovals: 1 }), repoAdmin);
+    this.controlPlane.create(createResource('RefPolicy', { name: 'deny-internal-refs', namespace: this.namespace }, { organizationRef: this.organizationRef, deny: ['refs/internal/'] }), repoAdmin);
+    this.runners.createRunnerPool({ name: 'trusted-linux', namespace: this.namespace, organizationRef: this.organizationRef, warmReplicas: 1, maxReplicas: 4 }, platformEngineer);
+    this.webhooks.subscribe({ name: 'chatops', namespace: this.namespace, organizationRef: this.organizationRef, url: webhookUrl, events: ['pullrequest.created', 'pullrequest.merged'] }, repoAdmin);
+    this.controlPlane.create(createTeamResource({ name: 'maintainers', organizationRef: this.organizationRef, displayName: 'Maintainers', members: ['admin'], maintainers: ['admin'], repositoryGrants: [{ repository, permission: 'admin' }], namespace: this.namespace }), platformEngineer);
+    const identity = mapLoginProfileToKrateIdentity({ provider: 'sso', subject: 'user:admin', email: 'admin@example.com', displayName: 'Admin', username: 'admin', teams: ['maintainers'], admin: true, namespace: this.namespace, organizationRef: this.organizationRef });
+    this.controlPlane.create(identity.user, platformEngineer);
+    this.controlPlane.create(identity.mapping, platformEngineer);
+    this.controlPlane.create(createInviteResource({ email: 'new-user@example.com', role: 'member', teams: ['maintainers'], invitedBy: 'admin', namespace: this.namespace, organizationRef: this.organizationRef }), repoAdmin);
+    for (const provider of createAuthProviderResources(undefined, this.namespace, this.organizationRef)) this.controlPlane.create(provider, platformEngineer);
+    this.seeded = true;
+    return this.snapshot();
+  }
+  exportSnapshot() {
+    return {
+      apiVersion: 'krate.a5c.ai/v1alpha1',
+      kind: 'KrateRuntimeSnapshot',
+      namespace: this.namespace,
+      organizationRef: this.organizationRef,
+      seeded: this.seeded,
+      controlPlane: this.controlPlane.exportSnapshot(),
+      git: this.git.snapshot?.() || null
+    };
+  }
+  importSnapshot(snapshot) {
+    const controlPlaneSnapshot = snapshot?.controlPlane || snapshot;
+    this.controlPlane.importSnapshot(controlPlaneSnapshot);
+    if (snapshot?.git) this.git.importSnapshot(snapshot.git);
+    this.seeded = Boolean(snapshot?.seeded || this.controlPlane.list('Repository', { namespace: this.namespace }).items.length);
+    return this.snapshot();
+  }
+  createRepository({ name, visibility = 'private' }, user = this.users.repoAdmin) {
+    return this.git.createRepository({ name, namespace: this.namespace, organizationRef: this.organizationRef, visibility }, user);
+  }
+  createPullRequest({ repository, sourceRef = 'refs/heads/feature', targetRef = 'refs/heads/main', title, actor = this.users.developer, fork = false }) {
+    this.#requireRepository(repository);
+    const index = this.controlPlane.list('PullRequest', { namespace: this.namespace }).items.length + 1;
+    const name = `pr-${index}`;
+    const pullRequest = this.controlPlane.create(createResource('PullRequest', { name, namespace: this.namespace, labels: { repository } }, {
+      organizationRef: this.organizationRef,
+      repository,
+      sourceRef,
+      targetRef,
+      title,
+      author: actor.name,
+      checks: [],
+      requiredApprovals: this.#requiredApprovals(targetRef)
+    }, { phase: 'Open', approvals: 0, mergeable: false }), actor);
+    const pipelineRun = this.runners.startPipeline({ name: `pipeline-${name}`, namespace: this.namespace, organizationRef: this.organizationRef, repository, ref: `refs/pull/${index}/head`, actor, fork, steps: ['checkout', 'test'] }, actor);
+    this.webhooks.deliver({ subscriptionName: 'chatops', namespace: this.namespace, organizationRef: this.organizationRef, eventType: 'pullrequest.created', payload: { pullRequest: name, repository, title } }, this.users.repoAdmin);
+    return { pullRequest, pipeline: pipelineRun.pipeline, jobs: pipelineRun.jobs };
+  }
+  completePipeline({ pipeline, phase = 'Succeeded', failedStep = null }, user = this.users.developer) {
+    const existing = this.controlPlane.get('Pipeline', this.namespace, pipeline);
+    if (!existing) throw new Error(`Pipeline ${pipeline} not found`);
+    const jobs = this.controlPlane.list('Job', { namespace: this.namespace, labels: { pipeline } }).items.map((job) => {
+      const jobPhase = failedStep && job.spec.step === failedStep ? 'Failed' : phase;
+      return this.controlPlane.patchStatus('Job', this.namespace, job.metadata.name, { phase: jobPhase, finishedAt: new Date().toISOString() }, user);
+    });
+    const pipelinePhase = jobs.some((job) => job.status.phase === 'Failed') ? 'Failed' : phase;
+    const updatedPipeline = this.controlPlane.patchStatus('Pipeline', this.namespace, pipeline, { phase: pipelinePhase, currentStep: null, finishedAt: new Date().toISOString() }, user);
+    this.#refreshPullRequestMergeability(existing.spec.repository);
+    return { pipeline: updatedPipeline, jobs };
+  }
+  addReview({ pullRequest, decision = 'approved', body = 'Looks good', reviewer = this.users.repoAdmin }) {
+    const pr = this.#requirePullRequest(pullRequest);
+    const reviewCount = this.controlPlane.list('Review', { namespace: this.namespace, labels: { pullRequest } }).items.length + 1;
+    const review = this.controlPlane.create(createResource('Review', { name: `${pullRequest}-review-${reviewCount}`, namespace: this.namespace, labels: { pullRequest, decision } }, {
+      organizationRef: this.organizationRef,
+      pullRequest,
+      repository: pr.spec.repository,
+      reviewer: reviewer.name,
+      decision,
+      body
+    }, { phase: decision === 'approved' ? 'Approved' : 'ChangesRequested' }), reviewer);
+    this.#refreshPullRequestMergeability(pr.spec.repository);
+    return review;
+  }
+  mergePullRequest({ pullRequest, actor = this.users.repoAdmin }) {
+    const pr = this.#requirePullRequest(pullRequest);
+    const refreshed = this.#refreshPullRequestMergeability(pr.spec.repository).find((candidate) => candidate.metadata.name === pullRequest) || pr;
+    if (!refreshed.status.mergeable) throw new Error(`PullRequest ${pullRequest} is not mergeable`);
+    const gitEvent = this.git.receivePack({ repository: refreshed.spec.repository, namespace: this.namespace, ref: refreshed.spec.targetRef, newRev: this.#syntheticRevision(pullRequest), actor });
+    const merged = this.controlPlane.patchStatus('PullRequest', this.namespace, pullRequest, { phase: 'Merged', mergeable: false, mergedAt: new Date().toISOString(), mergeCommit: gitEvent.newRev }, actor);
+    const delivery = this.webhooks.deliver({ subscriptionName: 'chatops', namespace: this.namespace, organizationRef: this.organizationRef, eventType: 'pullrequest.merged', payload: { pullRequest, repository: refreshed.spec.repository, mergeCommit: gitEvent.newRev } }, this.users.repoAdmin);
+    return { pullRequest: merged, gitEvent, delivery };
+  }
+  snapshot() {
+    const kinds = ['Organization', 'User', 'Team', 'Invite', 'IdentityMapping', 'AuthProvider', 'Repository', 'SSHKey', 'RepositoryPermission', 'BranchProtection', 'RefPolicy', 'RunnerPool', 'PullRequest', 'Issue', 'Review', 'Pipeline', 'Job', 'WebhookSubscription', 'WebhookDelivery'];
+    const resources = Object.fromEntries(kinds.map((kind) => [kind, this.controlPlane.list(kind, { namespace: this.namespace }).items]));
+    return {
+      namespace: this.namespace,
+      export: this.exportSnapshot(),
+      storage: this.controlPlane.storageReport(),
+      resources,
+      events: clone(this.controlPlane.events),
+      auditLog: clone(this.controlPlane.auditLog)
+    };
+  }
+  #requireRepository(repository) {
+    const existing = this.controlPlane.get('Repository', this.namespace, repository);
+    if (!existing) throw new Error(`Repository ${repository} not found`);
+    return existing;
+  }
+  #requirePullRequest(pullRequest) {
+    const existing = this.controlPlane.get('PullRequest', this.namespace, pullRequest);
+    if (!existing) throw new Error(`PullRequest ${pullRequest} not found`);
+    return existing;
+  }
+  #requiredApprovals(targetRef) {
+    const branchProtection = this.controlPlane.list('BranchProtection', { namespace: this.namespace }).items.find((policy) => (policy.spec.refs || []).includes(targetRef));
+    return branchProtection?.spec.requiredApprovals || 0;
+  }
+  #refreshPullRequestMergeability(repository) {
+    const pullRequests = this.controlPlane.list('PullRequest', { namespace: this.namespace, labels: { repository } }).items;
+    return pullRequests.map((pr) => {
+      if (pr.status.phase !== 'Open') return pr;
+      const reviews = this.controlPlane.list('Review', { namespace: this.namespace, labels: { pullRequest: pr.metadata.name } }).items;
+      const approvals = reviews.filter((review) => review.spec.decision === 'approved').length;
+      const pipelines = this.controlPlane.list('Pipeline', { namespace: this.namespace, labels: { repository } }).items.filter((pipeline) => pipeline.metadata.name === `pipeline-${pr.metadata.name}`);
+      const checksPassed = pipelines.length > 0 && pipelines.every((pipeline) => pipeline.status.phase === 'Succeeded');
+      return this.controlPlane.patchStatus('PullRequest', this.namespace, pr.metadata.name, { approvals, checksPassed, mergeable: approvals >= (pr.spec.requiredApprovals || 0) && checksPassed }, this.users.repoAdmin);
+    });
+  }
+  #syntheticRevision(seed) {
+    const source = Buffer.from(`${seed}:${Date.now()}`).toString('hex');
+    return source.padEnd(40, '0').slice(0, 40);
+  }
+}
+export function createKrateRuntime(options = {}) {
+  const runtime = new KrateRuntime(options);
+  if (options.bootstrap !== false) runtime.bootstrap(options.bootstrapOptions);
+  return runtime;
+}

package/src/snapshot-cache.js ADDED Viewed

@@ -0,0 +1,157 @@
+/**
+ * Snapshot cache with:
+ *  - Per-org storage (multiple orgs cached simultaneously)
+ *  - stale-while-revalidate: return stale data immediately, refresh in background
+ *  - Configurable TTL via KRATE_SNAPSHOT_CACHE_TTL_MS
+ */
+export const CACHE_TTL_MS = Number(process.env.KRATE_SNAPSHOT_CACHE_TTL_MS || 30_000);
+/**
+ * Per-org cache map.  Key = org string (or '' for no-org).
+ * Value = { data, timestamp, revalidating: boolean }
+ */
+const orgCacheMap = new Map();
+// Legacy single-org cache kept for backward compatibility with controller-client.js
+let snapshotCache = { data: null, timestamp: 0, org: null };
+export function getSnapshotCache() {
+  return snapshotCache;
+}
+export function setSnapshotCache(data, org) {
+  snapshotCache = { data, timestamp: Date.now(), org };
+  // Also update per-org map
+  const key = org ?? '';
+  const entry = orgCacheMap.get(key) || {};
+  orgCacheMap.set(key, { ...entry, data, timestamp: Date.now(), revalidating: false });
+}
+export function clearSnapshotCache() {
+  snapshotCache = { data: null, timestamp: 0, org: null };
+  orgCacheMap.clear();
+}
+// ---------------------------------------------------------------------------
+// Per-org cache API
+// ---------------------------------------------------------------------------
+/**
+ * Get the cached snapshot for a specific org.
+ * Returns null when nothing is cached or when the TTL has expired.
+ *
+ * @param {string|null} org
+ * @returns {{ data: object, timestamp: number, revalidating: boolean } | null}
+ */
+export function getOrgCache(org) {
+  const key = org ?? '';
+  const entry = orgCacheMap.get(key);
+  if (!entry || !entry.data) return null;
+  return entry;
+}
+/**
+ * Store a snapshot for a specific org.
+ *
+ * @param {object} data
+ * @param {string|null} org
+ */
+export function setOrgCache(data, org) {
+  const key = org ?? '';
+  orgCacheMap.set(key, { data, timestamp: Date.now(), revalidating: false });
+  // Keep legacy cache in sync for the most recently written org
+  snapshotCache = { data, timestamp: Date.now(), org };
+}
+/**
+ * Clear the cache entry for a specific org only.
+ *
+ * @param {string|null} org
+ */
+export function clearOrgCache(org) {
+  orgCacheMap.delete(org ?? '');
+  if (snapshotCache.org === org) {
+    snapshotCache = { data: null, timestamp: 0, org: null };
+  }
+}
+/**
+ * Return all orgs currently in the cache (for introspection / debugging).
+ *
+ * @returns {string[]}
+ */
+export function cachedOrgs() {
+  return [...orgCacheMap.keys()];
+}
+// ---------------------------------------------------------------------------
+// stale-while-revalidate helpers
+// ---------------------------------------------------------------------------
+/**
+ * Check whether the cache entry for the given org is fresh.
+ *
+ * @param {string|null} org
+ * @param {number} [ttlMs] - defaults to CACHE_TTL_MS
+ * @returns {boolean}
+ */
+export function isCacheFresh(org, ttlMs = CACHE_TTL_MS) {
+  const entry = getOrgCache(org);
+  if (!entry) return false;
+  return (Date.now() - entry.timestamp) < ttlMs;
+}
+/**
+ * stale-while-revalidate: return stale data immediately if available, then
+ * trigger revalidateFn() in the background to refresh the cache entry.
+ *
+ * @param {string|null} org - Organization key for the cache
+ * @param {Function} revalidateFn - Async function that returns fresh data
+ * @param {object} [swrOptions]
+ * @param {number} [swrOptions.ttlMs] - Fresh TTL in ms (default: CACHE_TTL_MS)
+ * @param {number} [swrOptions.staleMs] - Max staleness before we block on revalidate (default: 5 × ttlMs)
+ * @returns {Promise<object>} Either the stale cached value or the freshly fetched one
+ */
+export async function staleWhileRevalidate(org, revalidateFn, swrOptions = {}) {
+  const ttlMs = swrOptions.ttlMs ?? CACHE_TTL_MS;
+  const staleMs = swrOptions.staleMs ?? ttlMs * 5;
+  const key = org ?? '';
+  const entry = orgCacheMap.get(key);
+  const now = Date.now();
+  const isFresh = entry && entry.data && (now - entry.timestamp) < ttlMs;
+  const isStale = entry && entry.data && (now - entry.timestamp) < staleMs;
+  if (isFresh) {
+    // Cache is fresh: return immediately
+    return entry.data;
+  }
+  if (isStale && !entry.revalidating) {
+    // Stale but still usable: return immediately and revalidate in background
+    orgCacheMap.set(key, { ...entry, revalidating: true });
+    Promise.resolve().then(async () => {
+      try {
+        const fresh = await revalidateFn();
+        setOrgCache(fresh, org);
+      } catch {
+        // On background refresh error, clear the revalidating flag so a future
+        // request can try again
+        const current = orgCacheMap.get(key);
+        if (current) orgCacheMap.set(key, { ...current, revalidating: false });
+      }
+    });
+    return entry.data;
+  }
+  if (isStale && entry.revalidating) {
+    // Another caller is already refreshing: return stale data now
+    return entry.data;
+  }
+  // No usable cache: block on the revalidation
+  const fresh = await revalidateFn();
+  setOrgCache(fresh, org);
+  return fresh;
+}

package/src/web-ui.js ADDED Viewed

@@ -0,0 +1,40 @@
+import { createResource } from './resource-model.js';
+import { toResourceYaml } from './identity-policy.js';
+export function createPullRequestReviewModel({ pullRequest, changedFiles = [], pipelineRuns = [] }) {
+  return { layout: 'three-pane-review', panes: ['file-tree', 'diff-and-comments', 'conversation-ci'], keyboardShortcuts: ['j/k file navigation', 'n/p comment navigation', 'a add suggestion', 'm merge'], pullRequest, changedFiles, pipelineRuns, yaml: toResourceYaml(pullRequest) };
+}
+export function createFailingRunModel({ pipeline, jobs }) {
+  const failedJobs = jobs.filter((job) => job.status.phase === 'Failed');
+  return { layout: 'live-run-debugger', stream: 'sse', pipeline, failedJobs, actions: ['copy failure', 'find similar runs', 'rerun from step'], similarRunSelector: failedJobs.map((job) => job.metadata.labels).filter(Boolean) };
+}
+export function createRunnerPoolEditor(pool) {
+  return { layout: 'split-form-yaml', fields: ['image', 'resources', 'nodeSelector', 'warmReplicas', 'maxReplicas', 'trustTier', 'cache'], resource: pool, yaml: toResourceYaml(pool), saveModes: ['apply', 'copy kubectl', 'open platform-config PR'] };
+}
+export function createWebhookInspector({ subscription, deliveries }) {
+  return { layout: 'webhook-inspector', subscription, deliveries, columns: ['phase', 'latency', 'attempts', 'response', 'signature'], actions: ['send test delivery', 'inspect headers/body/response', 'replay'] };
+}
+export function createPolicyRolloutModel(policy) {
+  return { layout: 'policy-authoring', modes: ['template', 'CEL/raw'], rollout: ['preview', 'audit', 'enforce'], policy, yaml: toResourceYaml(policy) };
+}
+export function createTriageView({ name, namespace = 'krate-org-default', organizationRef = 'default', selector }) {
+  return createResource('View', { name, namespace, labels: { purpose: 'triage' } }, { organizationRef, selector, columns: ['kind', 'repository', 'priority', 'assignee', 'status'], shareable: true }, { saved: true });
+}
+export function createDashboard({ repositories, pullRequests, pipelines, runnerPools, webhookDeliveries }) {
+  return {
+    product: 'Krate',
+    principles: ['Kubernetes is the backend', 'CRDs are contracts', 'GitOps transparency'],
+    repositories,
+    pullRequests,
+    pipelines,
+    runnerPools,
+    webhookDeliveries,
+    excellentFlows: ['Open and review a PR', 'Debug a failing run', 'Configure a runner pool', 'Add a webhook and verify it works', 'Write a PR policy with audit-to-enforce rollout', 'Cross-repo triage with saved filters']
+  };
+}