npm - @a5c-ai/krate - Versions diffs - 5.0.1-staging.04a3db697 - Mend

@a5c-ai/krate 5.0.1-staging.04a3db697

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (246) hide show

package/Dockerfile +31 -0
package/README.md +183 -0
package/bin/krate-demo.mjs +23 -0
package/bin/krate-server.mjs +14 -0
package/dist/krate-controller-ui.json +3067 -0
package/dist/krate-lifecycle.json +201 -0
package/dist/krate-runtime-snapshot.json +2955 -0
package/dist/krate-summary.json +722 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-krate-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/krate-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/product-requirements.md +62 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/system-requirements.md +90 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +63 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +93 -0
package/scripts/validate-ui.mjs +236 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +209 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +280 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-provider-config-controller.js +150 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +347 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +321 -0
package/src/agent-workspace-controller.js +447 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +541 -0
package/src/argocd-gitops.js +43 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +307 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +50 -0
package/src/controller-ui.js +551 -0
package/src/data-plane.js +178 -0
package/src/event-bus.js +61 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +161 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +95 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/hooks-events.js +63 -0
package/src/http-server.js +377 -0
package/src/identity-policy.js +86 -0
package/src/index.js +55 -0
package/src/kubernetes-controller-async.js +511 -0
package/src/kubernetes-controller.js +878 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +221 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +315 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-memory-controller.test.js +308 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +204 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +228 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +221 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +211 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/deployment.test.js +396 -0
package/tests/e2e/lifecycle.test.js +117 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +340 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +215 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/krate.test.js +727 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/org-scoping.test.js +687 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +247 -0
package/tests/sse-events.test.js +107 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/tests/agent-context-bundles.test.js ADDED Viewed

@@ -0,0 +1,278 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { assembleContextBundle, createRedactionManifest } from '../src/agent-context-bundles.js';
+import { createResource } from '../src/resource-model.js';
+function makeStack(name, promptOverrides = {}, extraSpec = {}) {
+  return createResource('AgentStack', { name }, {
+    organizationRef: 'default',
+    baseAgent: 'claude-code',
+    adapter: 'babysitter',
+    runtimeIdentity: { serviceAccountRef: 'sa-agent' },
+    prompt: {
+      system: promptOverrides.system || '',
+      developer: promptOverrides.developer || '',
+      task: promptOverrides.task || '',
+    },
+    ...extraSpec
+  });
+}
+function makeSkill(name, promptFragment) {
+  return createResource('AgentSkill', { name }, {
+    organizationRef: 'default',
+    format: 'markdown',
+    sourceRef: `skills/${name}`,
+    promptFragment
+  });
+}
+function makeContextLabel(name, promptFragment) {
+  return createResource('AgentContextLabel', { name }, {
+    organizationRef: 'default',
+    promptFragment,
+    allowedSources: ['manual']
+  });
+}
+describe('agent context bundles', () => {
+  it('basic assembly with system/developer/task prompt', () => {
+    const stack = makeStack('test-stack', {
+      system: 'You are a security reviewer.',
+      developer: 'Focus on OWASP top 10.',
+      task: 'Review the authentication module.'
+    });
+    const bundle = assembleContextBundle({ stack, repository: 'my-repo', ref: 'refs/heads/main' });
+    assert.equal(bundle.kind, 'AgentContextBundle');
+    assert.equal(bundle.apiVersion, 'krate.a5c.ai/v1alpha1');
+    assert.ok(bundle.metadata.name.startsWith('bundle-'));
+    assert.equal(bundle.spec.organizationRef, 'default');
+    assert.equal(bundle.spec.dispatchRun, '');
+    assert.ok(typeof bundle.spec.digest === 'string' && bundle.spec.digest.length === 64);
+    // Prompt layers present
+    const layers = bundle.spec.promptLayers;
+    assert.equal(layers[0].role, 'system');
+    assert.equal(layers[1].role, 'developer');
+    assert.equal(layers[2].role, 'task');
+    assert.ok(layers[0].sizeBytes > 0);
+    assert.ok(layers[1].sizeBytes > 0);
+    assert.ok(layers[2].sizeBytes > 0);
+    // _content present (in-memory, not persisted)
+    assert.equal(bundle._content.system, 'You are a security reviewer.');
+    assert.equal(bundle._content.developer, 'Focus on OWASP top 10.');
+    assert.equal(bundle._content.task, 'Review the authentication module.');
+  });
+  it('redaction catches API_KEY=xxx patterns', () => {
+    const stack = makeStack('test-stack', {
+      system: 'config: API_KEY=sk_live_abc123xyz',
+      developer: '',
+      task: ''
+    });
+    const bundle = assembleContextBundle({ stack });
+    assert.ok(bundle._content.system.includes('[REDACTED:secret-key]'));
+    assert.ok(!bundle._content.system.includes('sk_live_abc123xyz'));
+    assert.ok(bundle.spec.redactions.total > 0);
+    assert.ok(bundle.spec.redactions.byKind['secret-key'] > 0);
+  });
+  it('redaction catches provider tokens (sk-xxx)', () => {
+    const stack = makeStack('test-stack', {
+      system: '',
+      developer: 'Use key: sk-abcdefghijklmnopqrstuvwxyz1234567890',
+      task: ''
+    });
+    const bundle = assembleContextBundle({ stack });
+    assert.ok(bundle._content.developer.includes('[REDACTED:provider-token]'));
+    assert.ok(!bundle._content.developer.includes('sk-abcdefghijklmnopqrstuvwxyz1234567890'));
+    assert.ok(bundle.spec.redactions.byKind['provider-token'] > 0);
+  });
+  it('redaction catches Bearer tokens', () => {
+    const stack = makeStack('test-stack', {
+      system: 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.test',
+      developer: '',
+      task: ''
+    });
+    const bundle = assembleContextBundle({ stack });
+    assert.ok(bundle._content.system.includes('[REDACTED:bearer-token]'));
+    assert.ok(!bundle._content.system.includes('eyJhbGciOiJIUzI1NiJ9'));
+    assert.ok(bundle.spec.redactions.byKind['bearer-token'] > 0);
+  });
+  it('redaction catches private keys', () => {
+    const privateKey = '-----BEGIN RSA PRIVATE KEY-----\nMIIBogIBAAJBALRpYJk...\n-----END RSA PRIVATE KEY-----';
+    const stack = makeStack('test-stack', {
+      system: `Here is a key: ${privateKey}`,
+      developer: '',
+      task: ''
+    });
+    const bundle = assembleContextBundle({ stack });
+    assert.ok(bundle._content.system.includes('[REDACTED:private-key]'));
+    assert.ok(!bundle._content.system.includes('MIIBogIBAAJBALRpYJk'));
+    assert.ok(bundle.spec.redactions.byKind['private-key'] > 0);
+  });
+  it('size truncation at 750 KiB', () => {
+    // Create a bundle that exceeds 750 KiB via many source attachments.
+    // Each source is truncated to 64 KiB per-layer, so we need enough sources
+    // to exceed 750 KiB total. 750/64 ~= 12, so 13 sources at 64 KiB each should exceed.
+    // Use content with spaces to avoid base64-credential pattern matching.
+    const chunk = 'the quick brown fox jumps.\n';
+    const bigContent = chunk.repeat(Math.ceil((64 * 1024) / chunk.length)).slice(0, 64 * 1024);
+    const stack = makeStack('test-stack', {
+      system: 'small system prompt',
+      developer: '',
+      task: ''
+    });
+    const sourceRefs = [];
+    for (let i = 0; i < 15; i++) {
+      sourceRefs.push({ kind: 'file', ref: `big-file-${i}.txt`, content: bigContent });
+    }
+    const bundle = assembleContextBundle({ stack, sourceRefs });
+    assert.equal(bundle.spec.limits.truncated, true);
+    assert.equal(bundle.spec.limits.maxBytes, 750 * 1024);
+    // Verify total content is at or near the limit
+    const allContentLen = bundle._content.system.length +
+      bundle._content.developer.length +
+      bundle._content.task.length +
+      bundle._content.sources.reduce((s, src) => s + src.content.length, 0);
+    assert.ok(allContentLen <= 750 * 1024 + 100, `total size ${allContentLen} should be near 750KiB limit`);
+  });
+  it('digest is deterministic (same input produces same digest)', () => {
+    const stack = makeStack('test-stack', {
+      system: 'Deterministic test system prompt.',
+      developer: 'Deterministic test developer prompt.',
+      task: 'Deterministic test task prompt.'
+    });
+    const sourceRefs = [{ kind: 'pr-body', ref: '#42', content: 'PR description here' }];
+    const bundle1 = assembleContextBundle({ stack, sourceRefs });
+    const bundle2 = assembleContextBundle({ stack, sourceRefs });
+    assert.equal(bundle1.spec.digest, bundle2.spec.digest);
+    assert.ok(typeof bundle1.spec.digest === 'string' && bundle1.spec.digest.length === 64);
+  });
+  it('redaction manifest has counts only (no leaked values)', () => {
+    const stack = makeStack('test-stack', {
+      system: 'SECRET_KEY = "my-super-secret-value123" and PASSWORD=hunter2',
+      developer: '',
+      task: ''
+    });
+    const bundle = assembleContextBundle({ stack });
+    const manifest = bundle.spec.redactions;
+    assert.ok(typeof manifest.total === 'number' && manifest.total >= 2);
+    assert.ok(typeof manifest.byKind === 'object');
+    // Ensure the manifest only has counts, no string values that could leak secrets
+    for (const [kind, count] of Object.entries(manifest.byKind)) {
+      assert.ok(typeof kind === 'string');
+      assert.ok(typeof count === 'number');
+    }
+    // Verify no secret values in the serialized manifest
+    const serialized = JSON.stringify(manifest);
+    assert.ok(!serialized.includes('my-super-secret-value123'));
+    assert.ok(!serialized.includes('hunter2'));
+  });
+  it('empty inputs handled gracefully', () => {
+    const stack = makeStack('test-stack', { system: '', developer: '', task: '' });
+    const bundle = assembleContextBundle({ stack });
+    assert.equal(bundle.kind, 'AgentContextBundle');
+    assert.ok(typeof bundle.spec.digest === 'string' && bundle.spec.digest.length === 64);
+    assert.equal(bundle.spec.promptLayers.length, 3);
+    assert.equal(bundle.spec.promptLayers[0].sizeBytes, 0);
+    assert.equal(bundle.spec.promptLayers[1].sizeBytes, 0);
+    assert.equal(bundle.spec.promptLayers[2].sizeBytes, 0);
+    assert.equal(bundle.spec.redactions.total, 0);
+    assert.equal(bundle.spec.limits.truncated, false);
+    assert.deepEqual(bundle.spec.sources, []);
+    assert.equal(bundle._content.system, '');
+    assert.equal(bundle._content.developer, '');
+    assert.equal(bundle._content.task, '');
+  });
+  it('assembles skill and label fragments from resources', () => {
+    const stack = makeStack('test-stack', {
+      system: 'System prompt',
+      developer: '',
+      task: ''
+    }, { skillRefs: ['skill-review', 'skill-test'] });
+    const resources = {
+      AgentSkill: [
+        makeSkill('skill-review', 'Review all changed files for security issues.'),
+        makeSkill('skill-test', 'Run unit tests before proceeding.'),
+        makeSkill('skill-unused', 'This should not appear.')
+      ],
+      AgentContextLabel: [
+        makeContextLabel('label-prod', 'This is a production environment.')
+      ]
+    };
+    const bundle = assembleContextBundle({
+      stack,
+      contextLabels: ['label-prod'],
+      resources
+    });
+    // Should have system + developer + task + 2 skills + 1 label = 6 layers
+    assert.equal(bundle.spec.promptLayers.length, 6);
+    assert.equal(bundle.spec.promptLayers[3].role, 'skill:skill-review');
+    assert.equal(bundle.spec.promptLayers[4].role, 'skill:skill-test');
+    assert.equal(bundle.spec.promptLayers[5].role, 'label:label-prod');
+    assert.ok(bundle._content.skillFragments.length === 2);
+    assert.ok(bundle._content.labelFragments.length === 1);
+  });
+  it('createRedactionManifest returns correct structure', () => {
+    const manifest = createRedactionManifest({ 'secret-key': 3, 'provider-token': 1, 'bearer-token': 2 });
+    assert.equal(manifest.total, 6);
+    assert.deepEqual(manifest.byKind, { 'secret-key': 3, 'provider-token': 1, 'bearer-token': 2 });
+  });
+  it('createRedactionManifest with empty counts', () => {
+    const manifest = createRedactionManifest({});
+    assert.equal(manifest.total, 0);
+    assert.deepEqual(manifest.byKind, {});
+  });
+  it('source refs are limited to MAX_ATTACHMENTS (32)', () => {
+    const stack = makeStack('test-stack', { system: '', developer: '', task: '' });
+    const sourceRefs = [];
+    for (let i = 0; i < 40; i++) {
+      sourceRefs.push({ kind: 'file', ref: `file-${i}.txt`, content: `content ${i}` });
+    }
+    const bundle = assembleContextBundle({ stack, sourceRefs });
+    assert.ok(bundle.spec.sources.length <= 32, 'should cap at 32 sources');
+    assert.ok(bundle._content.sources.length <= 32);
+  });
+  it('prompt layers are truncated to 64 KiB each', () => {
+    const oversized = 'a'.repeat(80 * 1024); // 80 KiB
+    const stack = makeStack('test-stack', {
+      system: oversized,
+      developer: '',
+      task: ''
+    });
+    const bundle = assembleContextBundle({ stack });
+    assert.ok(bundle._content.system.length <= 64 * 1024, 'system prompt should be truncated to 64 KiB');
+  });
+  it('redaction in source content', () => {
+    const stack = makeStack('test-stack', { system: '', developer: '', task: '' });
+    const sourceRefs = [
+      { kind: 'pipeline-log', ref: 'run-123', content: 'Error: API_KEY=leaked_value_here failed auth' }
+    ];
+    const bundle = assembleContextBundle({ stack, sourceRefs });
+    assert.ok(bundle._content.sources[0].content.includes('[REDACTED:secret-key]'));
+    assert.ok(!bundle._content.sources[0].content.includes('leaked_value_here'));
+    assert.ok(bundle.spec.redactions.total > 0);
+  });
+});

package/tests/agent-dispatch-controller.test.js ADDED Viewed

@@ -0,0 +1,315 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { createAgentDispatchController, createAgentMuxClient, createResource } from '../src/index.js';
+function makeStack(name, spec = {}) {
+  return createResource('AgentStack', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    baseAgent: 'claude-code',
+    adapter: 'anthropic',
+    runtimeIdentity: { serviceAccountRef: 'sa-default' },
+    ...spec
+  });
+}
+function makeServiceAccount(name) {
+  return createResource('AgentServiceAccount', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    namespace: 'krate-org-default',
+    serviceAccountName: name
+  });
+}
+function makeRoleBinding(name, subject) {
+  return createResource('AgentRoleBinding', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    subject,
+    roleRef: 'agent-developer',
+    scope: 'namespace'
+  });
+}
+function makeSecretGrant(name, subject, purpose) {
+  return createResource('AgentSecretGrant', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    subject,
+    secretRef: 'secret-' + purpose,
+    purpose
+  });
+}
+function buildValidResources(stackName) {
+  return {
+    AgentStack: [makeStack(stackName)],
+    AgentServiceAccount: [makeServiceAccount('sa-default')],
+    AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-default')],
+    AgentSecretGrant: [makeSecretGrant('sg-model', 'sa-default', 'model-provider')]
+  };
+}
+test('Successful dispatch with Agent Mux available', async () => {
+  // Use a mock mux client that returns a session without making real HTTP calls
+  const muxClient = {
+    role: 'agent-mux-client',
+    isAvailable() { return true; },
+    async launchSession() { return { runId: `amux-${Date.now()}`, sessionId: `session-${Date.now()}` }; },
+    subscribeToEvents(runId, cb) { return { abort() {} }; },
+    reconcileTranscript(sessionId, events, opts) {
+      return createResource('AgentSessionTranscript', { name: `transcript-${sessionId}`, namespace: opts?.namespace || 'default' }, {
+        organizationRef: opts?.organizationRef || 'default',
+        sessionRef: sessionId,
+        messages: [],
+        cost: { inputTokens: 0, outputTokens: 0, totalTokens: 0 },
+      }, { phase: 'Reconciled', reconciledAt: new Date().toISOString() });
+    },
+  };
+  const resources = buildValidResources('dispatch-stack');
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'dispatch-stack',
+    actor: 'test-user',
+    namespace: 'krate-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, false, 'Dispatch should succeed');
+  assert.ok(result.run, 'Result should include run resource');
+  assert.ok(result.attempt, 'Result should include attempt resource');
+  assert.ok(result.contextBundle, 'Result should include contextBundle resource');
+  assert.ok(result.permissionSnapshot, 'Result should include permissionSnapshot');
+  assert.equal(result.run.kind, 'AgentDispatchRun');
+  assert.equal(result.attempt.kind, 'AgentDispatchAttempt');
+  assert.equal(result.run.status.phase, 'Running', 'Run phase should be Running when mux is available');
+  assert.ok(result.attempt.status.agentMuxRunId, 'Attempt should have agentMuxRunId');
+  assert.ok(result.attempt.status.agentMuxSessionId, 'Attempt should have agentMuxSessionId');
+  assert.ok(result.attempt.status.startedAt, 'Attempt should have startedAt timestamp');
+});
+test('Dispatch with Agent Mux unavailable', async () => {
+  const muxClient = createAgentMuxClient({ gateway: '', enabled: false });
+  const resources = buildValidResources('dispatch-stack');
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'dispatch-stack',
+    actor: 'test-user',
+    namespace: 'krate-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, false, 'Dispatch should still succeed (queued)');
+  assert.equal(result.run.status.phase, 'Queued', 'Run phase should be Queued when mux is unavailable');
+  assert.ok(result.run.status.conditions, 'Run should have conditions');
+  const muxCondition = result.run.status.conditions.find(c => c.type === 'AgentMuxBound');
+  assert.ok(muxCondition, 'Should have AgentMuxBound condition');
+  assert.equal(muxCondition.status, 'False', 'AgentMuxBound should be False');
+  assert.equal(muxCondition.reason, 'Unavailable');
+});
+test('Dispatch denied by permission review', async () => {
+  const resources = {
+    AgentStack: [makeStack('denied-stack', { runtimeIdentity: { serviceAccountRef: 'sa-missing' } })],
+    // No service account, no role binding, no secret grant — permission review will deny
+  };
+  const controller = createAgentDispatchController();
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'denied-stack',
+    actor: 'test-user',
+    namespace: 'krate-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, true, 'Dispatch should be denied');
+  assert.equal(result.reason, 'permission-denied', 'Reason should be permission-denied');
+  assert.ok(result.review, 'Result should include the review details');
+  assert.equal(result.review.decision, 'denied');
+});
+test('Stack not found', async () => {
+  const resources = buildValidResources('existing-stack');
+  const controller = createAgentDispatchController();
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'nonexistent-stack',
+    actor: 'test-user',
+    namespace: 'krate-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, true, 'Dispatch should fail');
+  assert.equal(result.reason, 'stack-not-found', 'Reason should be stack-not-found');
+  assert.ok(result.message.includes('nonexistent-stack'), 'Message should name the missing stack');
+});
+test('Context bundle referenced correctly', async () => {
+  const muxClient = createAgentMuxClient({ gateway: '', enabled: false });
+  const resources = buildValidResources('ref-stack');
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'ref-stack',
+    actor: 'test-user',
+    namespace: 'krate-org-default',
+    organizationRef: 'default',
+    resources
+  });
+  assert.equal(result.error, false, 'Dispatch should succeed');
+  assert.ok(result.contextBundle.spec.digest, 'Context bundle should have a digest');
+  assert.equal(
+    result.attempt.spec.contextBundleDigest,
+    result.contextBundle.spec.digest,
+    'Attempt contextBundleDigest should match context bundle digest'
+  );
+  assert.equal(
+    result.run.spec.contextBundleRef,
+    result.contextBundle.metadata.name,
+    'Run contextBundleRef should match context bundle name'
+  );
+});
+function makeMemoryRepository(name) {
+  return createResource('AgentMemoryRepository', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    repositoryRef: 'memory-repo',
+    defaultBranch: 'main',
+    layoutProfile: 'standard',
+  });
+}
+test('Dispatch with AgentMemoryRepository creates memorySnapshot', async () => {
+  const muxClient = createAgentMuxClient({ gateway: '', enabled: false });
+  const resources = {
+    ...buildValidResources('mem-stack'),
+    AgentMemoryRepository: [makeMemoryRepository('org-memory')],
+  };
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'mem-stack',
+    actor: 'test-user',
+    namespace: 'krate-org-default',
+    organizationRef: 'default',
+    resources,
+  });
+  assert.equal(result.error, false, 'Dispatch should succeed');
+  assert.ok(result.memorySnapshot, 'Result should include memorySnapshot');
+  assert.equal(result.memorySnapshot.kind, 'AgentMemorySnapshot', 'memorySnapshot should be an AgentMemorySnapshot');
+  assert.equal(result.memorySnapshot.spec.memoryRepository, 'org-memory', 'memorySnapshot should reference the memory repo');
+  assert.equal(result.memorySnapshot.status.phase, 'Pinned', 'memorySnapshot should be Pinned');
+  assert.equal(result.run.spec.memorySnapshotRef, result.memorySnapshot.metadata.name, 'Run should reference memorySnapshot');
+});
+test('Dispatch without memory repos has null memorySnapshot', async () => {
+  const muxClient = createAgentMuxClient({ gateway: '', enabled: false });
+  const resources = buildValidResources('no-mem-stack');
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'no-mem-stack',
+    actor: 'test-user',
+    namespace: 'krate-org-default',
+    organizationRef: 'default',
+    resources,
+  });
+  assert.equal(result.error, false, 'Dispatch should succeed');
+  assert.equal(result.memorySnapshot, null, 'memorySnapshot should be null when no AgentMemoryRepository');
+  assert.equal(result.run.spec.memorySnapshotRef, undefined, 'Run should not have memorySnapshotRef');
+});
+test('Dispatch with requires-approval returns early with awaitingApproval', async () => {
+  // Build resources where the secret grant has requiredApproval set,
+  // which causes the permission reviewer to return 'requires-approval'
+  const stack = makeStack('approval-stack');
+  const resources = {
+    AgentStack: [stack],
+    AgentServiceAccount: [makeServiceAccount('sa-default')],
+    AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-default')],
+    AgentSecretGrant: [makeSecretGrant('sg-model', 'sa-default', 'model-provider')],
+  };
+  // Add requiredApproval to the secret grant so permission review returns 'requires-approval'
+  resources.AgentSecretGrant[0].spec.requiredApproval = 'manager';
+  const controller = createAgentDispatchController();
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'approval-stack',
+    actor: 'test-user',
+    namespace: 'krate-org-default',
+    organizationRef: 'default',
+    resources,
+  });
+  assert.equal(result.error, false, 'Dispatch should not error — it is awaiting approval');
+  assert.equal(result.awaitingApproval, true, 'Result should indicate awaitingApproval');
+  assert.equal(result.run.status.phase, 'AwaitingApproval', 'Run phase should be AwaitingApproval');
+  assert.ok(result.approval, 'Result should include the approval resource');
+  assert.equal(result.approval.kind, 'AgentApproval', 'Approval should be an AgentApproval resource');
+  assert.equal(result.approval.status.phase, 'Pending', 'Approval should be in Pending phase');
+  assert.ok(result.permissionSnapshot, 'Result should include permissionSnapshot');
+  // No contextBundle or attempt since we returned early
+  assert.equal(result.contextBundle, undefined, 'No contextBundle when awaiting approval');
+  assert.equal(result.attempt, undefined, 'No attempt when awaiting approval');
+});
+test('Successful launch creates transcript ref on run', async () => {
+  const sessionId = `session-${Date.now()}`;
+  const runId = `amux-${Date.now()}`;
+  const muxClient = {
+    role: 'agent-mux-client',
+    isAvailable() { return true; },
+    async launchSession() { return { runId, sessionId }; },
+    subscribeToEvents(rid, cb) { return { abort() {} }; },
+    reconcileTranscript(sid, events, opts) {
+      return createResource('AgentSessionTranscript', { name: `transcript-${sid}`, namespace: opts?.namespace || 'default' }, {
+        organizationRef: opts?.organizationRef || 'default',
+        sessionRef: sid,
+        messages: [],
+        cost: { inputTokens: 0, outputTokens: 0, totalTokens: 0 },
+      }, { phase: 'Reconciled', reconciledAt: new Date().toISOString() });
+    },
+  };
+  const resources = buildValidResources('transcript-stack');
+  const controller = createAgentDispatchController({ agentMuxClient: muxClient });
+  const result = await controller.createManualDispatch({
+    repository: 'test-repo',
+    ref: 'main',
+    agentStack: 'transcript-stack',
+    actor: 'test-user',
+    namespace: 'krate-org-default',
+    organizationRef: 'default',
+    resources,
+  });
+  assert.equal(result.error, false, 'Dispatch should succeed');
+  assert.equal(result.run.status.phase, 'Running', 'Run phase should be Running');
+  assert.ok(result.transcript, 'Result should include transcript');
+  assert.equal(result.transcript.kind, 'AgentSessionTranscript', 'Transcript should be AgentSessionTranscript');
+  assert.ok(result.run.status.transcriptRef, 'Run should have transcriptRef in status');
+  assert.equal(result.run.status.transcriptRef, result.transcript.metadata.name, 'Run transcriptRef should match transcript name');
+});