npm - @a5c-ai/krate - Versions diffs - 5.0.1-staging.04a3db697 - Mend

@a5c-ai/krate 5.0.1-staging.04a3db697

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (246) hide show

package/Dockerfile +31 -0
package/README.md +183 -0
package/bin/krate-demo.mjs +23 -0
package/bin/krate-server.mjs +14 -0
package/dist/krate-controller-ui.json +3067 -0
package/dist/krate-lifecycle.json +201 -0
package/dist/krate-runtime-snapshot.json +2955 -0
package/dist/krate-summary.json +722 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/gaps-agent-mux-to-krate-crds.md +298 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/krate-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/product-requirements.md +62 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/system-requirements.md +90 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/todos.md +4 -0
package/docs/user-stories.md +78 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +63 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +93 -0
package/scripts/validate-ui.mjs +236 -0
package/src/agent-adapter-controller.js +169 -0
package/src/agent-approval-controller.js +170 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +209 -0
package/src/agent-gateway-config-controller.js +147 -0
package/src/agent-memory-controller.js +357 -0
package/src/agent-memory-import.js +327 -0
package/src/agent-memory-query.js +292 -0
package/src/agent-memory-repository-source-controller.js +255 -0
package/src/agent-mux-client.js +280 -0
package/src/agent-permission-review.js +250 -0
package/src/agent-project-controller.js +117 -0
package/src/agent-provider-config-controller.js +150 -0
package/src/agent-secret-config-grant-controller.js +282 -0
package/src/agent-session-transcript-controller.js +189 -0
package/src/agent-stack-controller.js +347 -0
package/src/agent-subagent-controller.js +160 -0
package/src/agent-transport-binding-controller.js +121 -0
package/src/agent-trigger-controller.js +321 -0
package/src/agent-workspace-controller.js +447 -0
package/src/agent-writeback-controller.js +302 -0
package/src/api-controller.js +541 -0
package/src/argocd-gitops.js +43 -0
package/src/async-controller.js +207 -0
package/src/audit-controller.js +191 -0
package/src/auth.js +307 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +50 -0
package/src/controller-ui.js +551 -0
package/src/data-plane.js +178 -0
package/src/event-bus.js +61 -0
package/src/external/conflict-controller.js +225 -0
package/src/external/github/auth.js +96 -0
package/src/external/github/cicd.js +180 -0
package/src/external/github/git-forge.js +240 -0
package/src/external/github/index.js +144 -0
package/src/external/github/issue-tracking.js +163 -0
package/src/external/provider-adapter.js +161 -0
package/src/external/provider-resource-factory.js +161 -0
package/src/external/sync-controller.js +235 -0
package/src/external/webhook-controller.js +144 -0
package/src/external/write-controller.js +283 -0
package/src/gitea-backend.js +95 -0
package/src/gitea-service.js +173 -0
package/src/handoff.js +98 -0
package/src/hooks-events.js +63 -0
package/src/http-server.js +377 -0
package/src/identity-policy.js +86 -0
package/src/index.js +55 -0
package/src/kubernetes-controller-async.js +511 -0
package/src/kubernetes-controller.js +878 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/operations.js +112 -0
package/src/org-scoping.js +5 -0
package/src/resource-model.js +221 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/snapshot-cache.js +157 -0
package/src/web-ui.js +40 -0
package/tests/agent-adapter-controller.test.js +361 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +315 -0
package/tests/agent-gateway-config-controller.test.js +386 -0
package/tests/agent-memory-controller.test.js +308 -0
package/tests/agent-memory-import-snapshot.test.js +477 -0
package/tests/agent-memory-query.test.js +404 -0
package/tests/agent-memory-repository-source.test.js +514 -0
package/tests/agent-mux-client.test.js +204 -0
package/tests/agent-permission-review-v2.test.js +317 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-project-controller.test.js +302 -0
package/tests/agent-provider-config-controller.test.js +376 -0
package/tests/agent-resources.test.js +228 -0
package/tests/agent-secret-config-grant.test.js +231 -0
package/tests/agent-session-transcript-controller.test.js +499 -0
package/tests/agent-stack-controller.test.js +221 -0
package/tests/agent-subagent-controller.test.js +201 -0
package/tests/agent-transport-binding-controller.test.js +294 -0
package/tests/agent-trigger-controller.test.js +211 -0
package/tests/agent-trigger-routes.test.js +190 -0
package/tests/agent-trigger-sources.test.js +245 -0
package/tests/agent-workspace-controller.test.js +181 -0
package/tests/agent-writeback.test.js +292 -0
package/tests/approval-persistence.test.js +171 -0
package/tests/async-controller.test.js +252 -0
package/tests/audit-controller.test.js +227 -0
package/tests/deployment.test.js +396 -0
package/tests/e2e/lifecycle.test.js +117 -0
package/tests/external-github-forge.test.js +560 -0
package/tests/external-github-issues-cicd.test.js +520 -0
package/tests/external-integration.test.js +470 -0
package/tests/external-persistence.test.js +340 -0
package/tests/external-provider-adapter.test.js +365 -0
package/tests/external-resource-model.test.js +215 -0
package/tests/external-webhook-sync.test.js +287 -0
package/tests/external-write-conflict.test.js +353 -0
package/tests/gitea-service.test.js +253 -0
package/tests/health-check-real.test.js +165 -0
package/tests/integration/full-flow.test.js +266 -0
package/tests/krate.test.js +727 -0
package/tests/memory-search-wiring.test.js +270 -0
package/tests/org-scoping.test.js +687 -0
package/tests/session-cookie-hmac.test.js +151 -0
package/tests/snapshot-performance.test.js +247 -0
package/tests/sse-events.test.js +107 -0
package/tests/workspace-volumes.test.js +312 -0
package/tests/writeback-persistence.test.js +207 -0

package/tests/agent-permission-review.test.js ADDED Viewed

@@ -0,0 +1,209 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { createPermissionReviewer } from '../src/agent-permission-review.js';
+import { createResource } from '../src/resource-model.js';
+function makeStack(name, overrides = {}) {
+  return createResource('AgentStack', { name }, {
+    organizationRef: 'default',
+    baseAgent: 'claude-code',
+    adapter: 'babysitter',
+    runtimeIdentity: { serviceAccountRef: overrides.serviceAccountRef || 'sa-agent' },
+    ...(overrides.spec || {})
+  });
+}
+function makeServiceAccount(name) {
+  return createResource('AgentServiceAccount', { name }, {
+    organizationRef: 'default',
+    namespace: 'krate-agents',
+    serviceAccountName: name
+  });
+}
+function makeRoleBinding(name, subject) {
+  return createResource('AgentRoleBinding', { name }, {
+    organizationRef: 'default',
+    subject,
+    roleRef: 'agent-role',
+    scope: 'namespace'
+  });
+}
+function makeSecretGrant(name, subject, purpose, overrides = {}) {
+  return createResource('AgentSecretGrant', { name }, {
+    organizationRef: 'default',
+    subject,
+    secretRef: 'api-keys',
+    purpose,
+    ...overrides
+  });
+}
+function makeMcpServer(name, overrides = {}) {
+  return createResource('AgentMcpServer', { name }, {
+    organizationRef: 'default',
+    transport: 'stdio',
+    scope: 'workspace',
+    ...overrides
+  });
+}
+function makeModelProviderGrant(subject) {
+  return makeSecretGrant('sg-model', subject, 'model-provider');
+}
+const baseInput = {
+  repository: 'my-repo',
+  ref: 'refs/heads/main',
+  actor: 'user-1',
+  agentStack: 'test-stack',
+  triggerSource: 'manual',
+  taskKind: 'fix'
+};
+describe('agent permission review', () => {
+  it('fully granted stack returns allowed', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = {
+      AgentStack: [makeStack('test-stack')],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [makeModelProviderGrant('sa-agent')],
+      AgentConfigGrant: [],
+      AgentMcpServer: []
+    };
+    const result = reviewer.reviewPermissions({ ...baseInput, resources });
+    assert.equal(result.decision, 'allowed');
+    assert.ok(result.grants.length > 0, 'should have at least one grant');
+    assert.ok(result.grants.some((g) => g.kind === 'AgentServiceAccount' && g.status === 'bound'));
+    assert.ok(result.grants.some((g) => g.kind === 'AgentRoleBinding' && g.status === 'bound'));
+    assert.ok(typeof result.digest === 'string' && result.digest.length > 0);
+  });
+  it('missing service account returns denied with missing-runtime-identity reason', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = {
+      AgentStack: [makeStack('test-stack', { serviceAccountRef: 'nonexistent-sa' })],
+      AgentServiceAccount: [],
+      AgentRoleBinding: [],
+      AgentSecretGrant: [],
+      AgentConfigGrant: [],
+      AgentMcpServer: []
+    };
+    const result = reviewer.reviewPermissions({ ...baseInput, resources });
+    assert.equal(result.decision, 'denied');
+    assert.ok(result.reasons.some((r) => r.severity === 'error' && r.message.includes('Missing AgentServiceAccount')));
+  });
+  it('missing secret grant returns denied with missingGrants information', () => {
+    const reviewer = createPermissionReviewer();
+    const mcpServer = makeMcpServer('mcp-github', { secretRef: 'github-token' });
+    const stack = makeStack('test-stack', {
+      spec: {
+        organizationRef: 'default',
+        baseAgent: 'claude-code',
+        adapter: 'babysitter',
+        runtimeIdentity: { serviceAccountRef: 'sa-agent' },
+        mcpServerRefs: ['mcp-github']
+      }
+    });
+    const resources = {
+      AgentStack: [stack],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [],
+      AgentConfigGrant: [],
+      AgentMcpServer: [mcpServer]
+    };
+    const result = reviewer.reviewPermissions({ ...baseInput, resources });
+    assert.equal(result.decision, 'denied');
+    assert.ok(result.reasons.some((r) => r.severity === 'error' && r.message.includes('Missing AgentSecretGrant')));
+  });
+  it('grant requiring approval returns requires-approval', () => {
+    const reviewer = createPermissionReviewer();
+    const mcpServer = makeMcpServer('mcp-prod', { secretRef: 'prod-secret' });
+    const stack = makeStack('test-stack', {
+      spec: {
+        organizationRef: 'default',
+        baseAgent: 'claude-code',
+        adapter: 'babysitter',
+        runtimeIdentity: { serviceAccountRef: 'sa-agent' },
+        mcpServerRefs: ['mcp-prod']
+      }
+    });
+    const mcpGrant = makeSecretGrant('sg-prod', 'sa-agent', 'mcp-server:mcp-prod', {
+      requiredApproval: 'always'
+    });
+    const resources = {
+      AgentStack: [stack],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [mcpGrant, makeModelProviderGrant('sa-agent')],
+      AgentConfigGrant: [],
+      AgentMcpServer: [mcpServer]
+    };
+    const result = reviewer.reviewPermissions({ ...baseInput, resources });
+    assert.equal(result.decision, 'requires-approval');
+    assert.ok(result.grants.some((g) => g.status === 'requires-approval' && g.requiredApproval === 'always'));
+  });
+  it('empty capabilities stack returns allowed', () => {
+    const reviewer = createPermissionReviewer();
+    const stack = makeStack('test-stack');
+    const resources = {
+      AgentStack: [stack],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [makeModelProviderGrant('sa-agent')],
+      AgentConfigGrant: [],
+      AgentMcpServer: []
+    };
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      toolRefs: [],
+      skillRefs: [],
+      mcpServerRefs: [],
+      contextLabelRefs: [],
+      resources
+    });
+    assert.equal(result.decision, 'allowed');
+  });
+  it('same input produces deterministic digest', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = {
+      AgentStack: [makeStack('test-stack')],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [makeModelProviderGrant('sa-agent')],
+      AgentConfigGrant: [],
+      AgentMcpServer: []
+    };
+    const result1 = reviewer.reviewPermissions({ ...baseInput, resources });
+    const result2 = reviewer.reviewPermissions({ ...baseInput, resources });
+    assert.equal(result1.digest, result2.digest);
+    assert.ok(typeof result1.digest === 'string' && result1.digest.length === 64, 'digest should be a 64-char hex SHA-256');
+  });
+  it('createPermissionSnapshot returns frozen object with timestamp', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = {
+      AgentStack: [makeStack('test-stack')],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [makeModelProviderGrant('sa-agent')],
+      AgentConfigGrant: [],
+      AgentMcpServer: []
+    };
+    const review = reviewer.reviewPermissions({ ...baseInput, resources });
+    const snapshot = reviewer.createPermissionSnapshot(review);
+    assert.ok(Object.isFrozen(snapshot), 'snapshot should be frozen');
+    assert.ok(typeof snapshot.snapshotAt === 'string' && snapshot.snapshotAt.length > 0, 'snapshot should have a timestamp');
+    assert.equal(snapshot.frozen, true);
+    assert.equal(snapshot.digest, review.digest);
+    assert.equal(snapshot.decision, review.decision);
+    assert.throws(() => { snapshot.decision = 'denied'; }, TypeError);
+  });
+});

package/tests/agent-project-controller.test.js ADDED Viewed

@@ -0,0 +1,302 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { createAgentProjectController, validateAgentProject, createResource, AGENT_PROJECT_CONTROLLER_BOUNDARY } from '../src/index.js';
+// ---------------------------------------------------------------------------
+// Acceptance criteria: Slice 1.2d — Agent Project Controller
+//
+// A KrateProject groups issues and tasks into a kanban board with workflow
+// columns, default column assignment, issue tracking, and board state management.
+//
+// All tests in this file are expected to FAIL until the controller is
+// implemented and exported from src/index.js.
+// ---------------------------------------------------------------------------
+function makeProject(name, overrides = {}) {
+  return createResource('KrateProject', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    workflowColumns: [
+      { id: 'todo', displayName: 'To Do', color: '#888888', default: true },
+      { id: 'in-progress', displayName: 'In Progress', color: '#0075ca' },
+      { id: 'review', displayName: 'Review', color: '#e4e669' },
+      { id: 'done', displayName: 'Done', color: '#0e8a16' }
+    ],
+    ...overrides
+  });
+}
+// ---------------------------------------------------------------------------
+// 1. Factory and shape
+// ---------------------------------------------------------------------------
+test('createAgentProjectController returns a controller with validate, getWorkflowColumns, getBoardState', () => {
+  const controller = createAgentProjectController();
+  assert.ok(controller, 'controller must be truthy');
+  assert.equal(typeof controller.validate, 'function', 'controller must expose a validate method');
+  assert.equal(typeof controller.getWorkflowColumns, 'function', 'controller must expose a getWorkflowColumns method');
+  assert.equal(typeof controller.getBoardState, 'function', 'controller must expose a getBoardState method');
+  assert.equal(controller.role, 'agent-project-controller', 'controller must declare its role');
+});
+// ---------------------------------------------------------------------------
+// 2. validate — happy path
+// ---------------------------------------------------------------------------
+test('validate accepts valid project with name, organizationRef, workflowColumns', () => {
+  const controller = createAgentProjectController();
+  const project = makeProject('my-sprint');
+  const result = controller.validate(project);
+  assert.equal(result.valid, true, 'valid project must pass validation');
+  assert.ok(Array.isArray(result.errors), 'result must contain an errors array');
+  assert.equal(result.errors.length, 0, 'errors array must be empty for a valid project');
+});
+// ---------------------------------------------------------------------------
+// 3. validate — missing name
+// ---------------------------------------------------------------------------
+test('validate rejects project with missing name', () => {
+  const controller = createAgentProjectController();
+  const project = {
+    apiVersion: 'krate.a5c.ai/v1alpha1',
+    kind: 'KrateProject',
+    metadata: { namespace: 'krate-org-default', labels: {}, annotations: {} },
+    spec: {
+      organizationRef: 'default',
+      workflowColumns: [{ id: 'todo', displayName: 'To Do', color: '#888888' }]
+    },
+    status: {}
+  };
+  const result = controller.validate(project);
+  assert.equal(result.valid, false, 'project without name must fail validation');
+  assert.ok(result.errors.length > 0, 'errors array must not be empty');
+  assert.ok(
+    result.errors.some((e) => /name/i.test(e)),
+    'at least one error must mention "name"'
+  );
+});
+// ---------------------------------------------------------------------------
+// 4. validate — missing organizationRef
+// ---------------------------------------------------------------------------
+test('validate rejects project with missing organizationRef', () => {
+  const controller = createAgentProjectController();
+  const project = makeProject('no-org-project', { organizationRef: undefined });
+  delete project.spec.organizationRef;
+  const result = controller.validate(project);
+  assert.equal(result.valid, false, 'project without organizationRef must fail validation');
+  assert.ok(result.errors.length > 0, 'errors array must not be empty');
+  assert.ok(
+    result.errors.some((e) => /organizationRef/i.test(e)),
+    'at least one error must mention "organizationRef"'
+  );
+});
+// ---------------------------------------------------------------------------
+// 5. validate — empty workflowColumns array
+// ---------------------------------------------------------------------------
+test('validate rejects project with empty workflowColumns array', () => {
+  const controller = createAgentProjectController();
+  const project = makeProject('no-columns-project', { workflowColumns: [] });
+  const result = controller.validate(project);
+  assert.equal(result.valid, false, 'project with empty workflowColumns must fail validation');
+  assert.ok(result.errors.length > 0, 'errors array must not be empty');
+  assert.ok(
+    result.errors.some((e) => /workflowColumns/i.test(e)),
+    'at least one error must mention "workflowColumns"'
+  );
+});
+// ---------------------------------------------------------------------------
+// 6. validate — duplicate column IDs
+// ---------------------------------------------------------------------------
+test('validate rejects project with duplicate column IDs', () => {
+  const controller = createAgentProjectController();
+  const project = makeProject('dup-columns-project', {
+    workflowColumns: [
+      { id: 'todo', displayName: 'To Do', color: '#888888' },
+      { id: 'todo', displayName: 'Also To Do', color: '#999999' },
+      { id: 'done', displayName: 'Done', color: '#0e8a16' }
+    ]
+  });
+  const result = controller.validate(project);
+  assert.equal(result.valid, false, 'project with duplicate column IDs must fail validation');
+  assert.ok(result.errors.length > 0, 'errors array must not be empty');
+  assert.ok(
+    result.errors.some((e) => /duplicate|column/i.test(e)),
+    'at least one error must mention duplicate column IDs'
+  );
+});
+// ---------------------------------------------------------------------------
+// 7. getWorkflowColumns — returns columns in order
+// ---------------------------------------------------------------------------
+test('getWorkflowColumns returns columns from spec with order preserved', () => {
+  const controller = createAgentProjectController();
+  const columns = [
+    { id: 'backlog', displayName: 'Backlog', color: '#cccccc' },
+    { id: 'todo', displayName: 'To Do', color: '#888888', default: true },
+    { id: 'doing', displayName: 'Doing', color: '#0075ca' },
+    { id: 'done', displayName: 'Done', color: '#0e8a16' }
+  ];
+  const project = makeProject('ordered-project', { workflowColumns: columns });
+  const result = controller.getWorkflowColumns(project);
+  assert.ok(Array.isArray(result), 'getWorkflowColumns must return an array');
+  assert.equal(result.length, 4, 'must return all four columns');
+  assert.equal(result[0].id, 'backlog', 'first column must be backlog');
+  assert.equal(result[1].id, 'todo', 'second column must be todo');
+  assert.equal(result[2].id, 'doing', 'third column must be doing');
+  assert.equal(result[3].id, 'done', 'fourth column must be done');
+});
+// ---------------------------------------------------------------------------
+// 8. getDefaultColumn — returns marked default or first column
+// ---------------------------------------------------------------------------
+test('getDefaultColumn returns the column marked as default', () => {
+  const controller = createAgentProjectController();
+  const project = makeProject('default-col-project', {
+    workflowColumns: [
+      { id: 'todo', displayName: 'To Do', color: '#888888' },
+      { id: 'in-progress', displayName: 'In Progress', color: '#0075ca', default: true },
+      { id: 'done', displayName: 'Done', color: '#0e8a16' }
+    ]
+  });
+  const col = controller.getDefaultColumn(project);
+  assert.ok(col, 'getDefaultColumn must return a column');
+  assert.equal(col.id, 'in-progress', 'must return the column marked as default');
+});
+test('getDefaultColumn returns first column when none is marked as default', () => {
+  const controller = createAgentProjectController();
+  const project = makeProject('no-default-col-project', {
+    workflowColumns: [
+      { id: 'backlog', displayName: 'Backlog', color: '#cccccc' },
+      { id: 'todo', displayName: 'To Do', color: '#888888' },
+      { id: 'done', displayName: 'Done', color: '#0e8a16' }
+    ]
+  });
+  const col = controller.getDefaultColumn(project);
+  assert.ok(col, 'getDefaultColumn must return a column');
+  assert.equal(col.id, 'backlog', 'must return first column when no default is marked');
+});
+// ---------------------------------------------------------------------------
+// 9. getBoardState — default is 'active'
+// ---------------------------------------------------------------------------
+test('getBoardState returns "active" by default when boardState is not set', () => {
+  const controller = createAgentProjectController();
+  const project = makeProject('active-project');
+  const state = controller.getBoardState(project);
+  assert.equal(state, 'active', 'getBoardState must return "active" by default');
+});
+// ---------------------------------------------------------------------------
+// 10. getBoardState — returns spec.boardState when set
+// ---------------------------------------------------------------------------
+test('getBoardState returns spec.boardState when explicitly set', () => {
+  const controller = createAgentProjectController();
+  const project = makeProject('archived-project', { boardState: 'archived' });
+  const state = controller.getBoardState(project);
+  assert.equal(state, 'archived', 'getBoardState must return the spec boardState value');
+});
+// ---------------------------------------------------------------------------
+// 11. validate — null resource
+// ---------------------------------------------------------------------------
+test('validate rejects null resource with a clear error', () => {
+  const controller = createAgentProjectController();
+  const result = controller.validate(null);
+  assert.equal(result.valid, false, 'null resource must fail validation');
+  assert.ok(result.errors.length > 0, 'errors array must not be empty');
+  assert.ok(
+    result.errors.some((e) => /null|undefined/i.test(e)),
+    'error must mention null or undefined'
+  );
+});
+// ---------------------------------------------------------------------------
+// 12. BOUNDARY exported with correct role
+// ---------------------------------------------------------------------------
+test('AGENT_PROJECT_CONTROLLER_BOUNDARY is exported and has correct role', () => {
+  assert.ok(AGENT_PROJECT_CONTROLLER_BOUNDARY, 'BOUNDARY must be exported');
+  assert.equal(
+    AGENT_PROJECT_CONTROLLER_BOUNDARY.role,
+    'agent-project-controller',
+    'BOUNDARY role must be "agent-project-controller"'
+  );
+  assert.ok(
+    Array.isArray(AGENT_PROJECT_CONTROLLER_BOUNDARY.owns),
+    'BOUNDARY must declare owned concerns'
+  );
+});
+// ---------------------------------------------------------------------------
+// 13. validateAgentProject — standalone export
+// ---------------------------------------------------------------------------
+test('validateAgentProject exported as standalone function follows existing pattern', () => {
+  assert.equal(typeof validateAgentProject, 'function', 'validateAgentProject must be a named export');
+  const project = makeProject('standalone-validate-project');
+  const result = validateAgentProject(project);
+  assert.ok(result, 'validateAgentProject must return a result');
+  assert.ok('valid' in result, 'result must have a valid property');
+  assert.ok(Array.isArray(result.errors), 'result must have an errors array');
+  assert.equal(result.valid, true, 'a fully-specified project must pass standalone validation');
+});
+// ---------------------------------------------------------------------------
+// 14. validate — missing workflowColumns field entirely
+// ---------------------------------------------------------------------------
+test('validate rejects project with no workflowColumns field', () => {
+  const controller = createAgentProjectController();
+  const project = makeProject('missing-cols-project');
+  delete project.spec.workflowColumns;
+  const result = controller.validate(project);
+  assert.equal(result.valid, false, 'project missing workflowColumns must fail validation');
+  assert.ok(
+    result.errors.some((e) => /workflowColumns/i.test(e)),
+    'at least one error must mention "workflowColumns"'
+  );
+});
+// ---------------------------------------------------------------------------
+// 15. getWorkflowColumns — returns empty array when no spec
+// ---------------------------------------------------------------------------
+test('getWorkflowColumns handles resource with no spec gracefully', () => {
+  const controller = createAgentProjectController();
+  const resource = {
+    apiVersion: 'krate.a5c.ai/v1alpha1',
+    kind: 'KrateProject',
+    metadata: { name: 'spec-less-project', namespace: 'krate-org-default', labels: {}, annotations: {} },
+    status: {}
+  };
+  const result = controller.getWorkflowColumns(resource);
+  assert.ok(Array.isArray(result), 'getWorkflowColumns must return an array');
+  assert.equal(result.length, 0, 'must return empty array when spec is absent');
+});