@a5c-ai/krate 5.0.1-staging.04a3db697

package/tests/gitea-service.test.js

@@ -0,0 +1,253 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { createGiteaService } from '../src/gitea-service.js';
+
+// ---------------------------------------------------------------------------
+// Helpers — minimal fetch mocks
+// ---------------------------------------------------------------------------
+
+function makeFetch(responses) {
+  // responses: Map<string, { status, body, isText? }>
+  return async (url) => {
+    const match = [...responses.entries()].find(([pattern]) => url.includes(pattern));
+    if (!match) {
+      return {
+        ok: false,
+        status: 404,
+        json: async () => null,
+        text: async () => '',
+      };
+    }
+    const [, { status = 200, body, isText = false }] = match;
+    const ok = status >= 200 && status < 300;
+    return {
+      ok,
+      status,
+      json: async () => (isText ? body : body),
+      text: async () => (typeof body === 'string' ? body : JSON.stringify(body)),
+    };
+  };
+}
+
+// ---------------------------------------------------------------------------
+// 1. No URL → null
+// ---------------------------------------------------------------------------
+
+test('createGiteaService returns null when no URL is configured', () => {
+  const originalEnv = process.env.KRATE_GITEA_HTTP_URL;
+  delete process.env.KRATE_GITEA_HTTP_URL;
+  try {
+    const service = createGiteaService({});
+    assert.equal(service, null, 'should return null when giteaUrl is absent');
+  } finally {
+    if (originalEnv !== undefined) process.env.KRATE_GITEA_HTTP_URL = originalEnv;
+  }
+});
+
+// ---------------------------------------------------------------------------
+// 2. URL provided → service object
+// ---------------------------------------------------------------------------
+
+test('createGiteaService returns a service object when a URL is provided', () => {
+  const service = createGiteaService({ giteaUrl: 'http://localhost:3000', fetchImpl: makeFetch(new Map()) });
+  assert.ok(service !== null, 'should return a service');
+  assert.equal(service.available, true, 'available should be true');
+  assert.ok(typeof service.listTree === 'function', 'has listTree');
+  assert.ok(typeof service.getBlob === 'function', 'has getBlob');
+  assert.ok(typeof service.listBranches === 'function', 'has listBranches');
+  assert.ok(typeof service.getFileContent === 'function', 'has getFileContent');
+  assert.ok(typeof service.createRepository === 'function', 'has createRepository');
+});
+
+// ---------------------------------------------------------------------------
+// 3. listTree — calls correct Gitea endpoint
+// ---------------------------------------------------------------------------
+
+test('listTree calls the Gitea contents endpoint and maps type:dir to tree', async () => {
+  const captured = [];
+  const fetchImpl = async (url, opts) => {
+    captured.push(url);
+    return {
+      ok: true,
+      status: 200,
+      json: async () => [
+        { name: 'src', path: 'src', type: 'dir', size: 0, sha: 'abc' },
+        { name: 'README.md', path: 'README.md', type: 'file', size: 512, sha: 'def' },
+      ],
+      text: async () => '',
+    };
+  };
+
+  const service = createGiteaService({ giteaUrl: 'http://localhost:3000', fetchImpl });
+  const entries = await service.listTree('myorg', 'myrepo', 'main', '');
+
+  assert.ok(captured[0].includes('/repos/myorg/myrepo/contents/'), 'called contents endpoint');
+  assert.ok(captured[0].includes('ref=main'), 'passed ref param');
+
+  assert.equal(entries.length, 2, 'should return 2 entries');
+  const dir = entries.find((e) => e.name === 'src');
+  assert.equal(dir.type, 'tree', 'type:dir should map to tree');
+  const file = entries.find((e) => e.name === 'README.md');
+  assert.equal(file.type, 'blob', 'type:file should map to blob');
+  assert.equal(file.size, 512, 'size is preserved');
+});
+
+// ---------------------------------------------------------------------------
+// 4. listTree — returns null for 404
+// ---------------------------------------------------------------------------
+
+test('listTree returns null when Gitea responds with 404', async () => {
+  const fetchImpl = async () => ({ ok: false, status: 404, json: async () => null, text: async () => '' });
+  const service = createGiteaService({ giteaUrl: 'http://localhost:3000', fetchImpl });
+  const result = await service.listTree('org', 'missing-repo', 'main', '');
+  assert.equal(result, null, 'should return null for 404');
+});
+
+// ---------------------------------------------------------------------------
+// 5. getBlob — calls raw endpoint and returns text
+// ---------------------------------------------------------------------------
+
+test('getBlob calls the Gitea raw endpoint and returns file text', async () => {
+  const capturedUrls = [];
+  const expectedContent = 'console.log("hello");\n';
+  const fetchImpl = async (url) => {
+    capturedUrls.push(url);
+    return {
+      ok: true,
+      status: 200,
+      json: async () => null,
+      text: async () => expectedContent,
+    };
+  };
+
+  const service = createGiteaService({ giteaUrl: 'http://localhost:3000', fetchImpl });
+  const content = await service.getBlob('myorg', 'myrepo', 'main', 'src/index.js');
+
+  assert.ok(capturedUrls[0].includes('/repos/myorg/myrepo/raw/'), 'called raw endpoint');
+  assert.ok(capturedUrls[0].includes('ref=main'), 'passed ref param');
+  assert.equal(content, expectedContent, 'returned raw file text');
+});
+
+// ---------------------------------------------------------------------------
+// 6. getBlob — returns null for 404
+// ---------------------------------------------------------------------------
+
+test('getBlob returns null when file is not found in Gitea', async () => {
+  const fetchImpl = async () => ({ ok: false, status: 404, json: async () => null, text: async () => '' });
+  const service = createGiteaService({ giteaUrl: 'http://localhost:3000', fetchImpl });
+  const result = await service.getBlob('org', 'repo', 'main', 'nonexistent.js');
+  assert.equal(result, null, 'should return null for missing file');
+});
+
+// ---------------------------------------------------------------------------
+// 7. listBranches — maps branch response correctly
+// ---------------------------------------------------------------------------
+
+test('listBranches returns array with name, sha, protected fields', async () => {
+  const fetchImpl = async () => ({
+    ok: true,
+    status: 200,
+    json: async () => [
+      { name: 'main', commit: { id: 'sha-main' }, protected: true },
+      { name: 'dev', commit: { id: 'sha-dev' }, protected: false },
+    ],
+    text: async () => '',
+  });
+
+  const service = createGiteaService({ giteaUrl: 'http://localhost:3000', fetchImpl });
+  const branches = await service.listBranches('myorg', 'myrepo');
+
+  assert.equal(branches.length, 2, 'two branches returned');
+  assert.equal(branches[0].name, 'main');
+  assert.equal(branches[0].sha, 'sha-main');
+  assert.equal(branches[0].protected, true);
+  assert.equal(branches[1].name, 'dev');
+  assert.equal(branches[1].protected, false);
+});
+
+// ---------------------------------------------------------------------------
+// 8. getFileContent — decodes base64 content
+// ---------------------------------------------------------------------------
+
+test('getFileContent decodes base64 content from Gitea response', async () => {
+  const originalText = 'export default function hello() {}\n';
+  const b64 = Buffer.from(originalText).toString('base64');
+
+  const fetchImpl = async () => ({
+    ok: true,
+    status: 200,
+    json: async () => ({
+      path: 'src/hello.js',
+      size: originalText.length,
+      sha: 'abc123',
+      content: b64,
+      last_commit_sha: 'commitsha',
+    }),
+    text: async () => '',
+  });
+
+  const service = createGiteaService({ giteaUrl: 'http://localhost:3000', fetchImpl });
+  const file = await service.getFileContent('myorg', 'myrepo', 'main', 'src/hello.js');
+
+  assert.equal(file.content, originalText, 'content decoded from base64');
+  assert.equal(file.path, 'src/hello.js', 'path preserved');
+  assert.equal(file.sha, 'abc123', 'sha preserved');
+  assert.equal(file.lastCommit, 'commitsha', 'lastCommit mapped');
+});
+
+// ---------------------------------------------------------------------------
+// 9. Error handling — non-404 errors propagate
+// ---------------------------------------------------------------------------
+
+test('listTree throws when Gitea returns a non-404 error status', async () => {
+  const fetchImpl = async () => ({ ok: false, status: 500, json: async () => null, text: async () => '' });
+  const service = createGiteaService({ giteaUrl: 'http://localhost:3000', fetchImpl });
+
+  await assert.rejects(
+    () => service.listTree('org', 'repo', 'main', ''),
+    /500/,
+    'should throw on 500 error'
+  );
+});
+
+// ---------------------------------------------------------------------------
+// 10. createGiteaService picks up KRATE_GITEA_HTTP_URL from env
+// ---------------------------------------------------------------------------
+
+test('createGiteaService reads KRATE_GITEA_HTTP_URL from environment', () => {
+  const original = process.env.KRATE_GITEA_HTTP_URL;
+  process.env.KRATE_GITEA_HTTP_URL = 'http://gitea-from-env:3000';
+  try {
+    const fetchImpl = makeFetch(new Map());
+    const service = createGiteaService({ fetchImpl });
+    assert.ok(service !== null, 'should return a service when env var is set');
+    assert.equal(service.baseUrl, 'http://gitea-from-env:3000', 'baseUrl should match env var');
+  } finally {
+    if (original !== undefined) process.env.KRATE_GITEA_HTTP_URL = original;
+    else delete process.env.KRATE_GITEA_HTTP_URL;
+  }
+});
+
+// ---------------------------------------------------------------------------
+// 11. listTree — subdirectory path is URL-encoded correctly
+// ---------------------------------------------------------------------------
+
+test('listTree encodes subdirectory path in the API URL', async () => {
+  const capturedUrls = [];
+  const fetchImpl = async (url) => {
+    capturedUrls.push(url);
+    return {
+      ok: true,
+      status: 200,
+      json: async () => [{ name: 'App.jsx', path: 'src/components/App.jsx', type: 'file', size: 100, sha: 'x' }],
+      text: async () => '',
+    };
+  };
+
+  const service = createGiteaService({ giteaUrl: 'http://localhost:3000', fetchImpl });
+  await service.listTree('org', 'repo', 'main', 'src/components');
+
+  // The path 'src/components' should appear in the URL (slashes may or may not be encoded)
+  assert.ok(capturedUrls[0].includes('src'), 'URL contains path segment src');
+  assert.ok(capturedUrls[0].includes('components'), 'URL contains path segment components');
+});

package/tests/health-check-real.test.js

@@ -0,0 +1,165 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { createResource } from '../src/index.js';
+import { createAgentAdapterController } from '../src/agent-adapter-controller.js';
+import { createAgentStackController } from '../src/agent-stack-controller.js';
+
+// ---------------------------------------------------------------------------
+// Slice C4 — Real health checks for adapters + MCP
+//
+// healthCheck() must perform a real HTTP fetch when spec.healthEndpoint is set.
+// These tests use a mock fetch via dependency injection.
+// ---------------------------------------------------------------------------
+
+function makeAdapter(name, overrides = {}) {
+  return createResource('AgentAdapter', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    adapterType: 'subprocess',
+    transport: 'http',
+    capabilities: ['tool-use'],
+    ...overrides
+  });
+}
+
+function makeMcpServer(name, overrides = {}) {
+  return createResource('AgentMcpServer', { name, namespace: 'krate-org-default' }, {
+    endpoint: 'http://localhost:9090/mcp',
+    ...overrides
+  });
+}
+
+// ---------------------------------------------------------------------------
+// C4.1: healthCheck with endpoint returns healthy when fetch succeeds
+// ---------------------------------------------------------------------------
+
+test('healthCheck with endpoint returns healthy when fetch succeeds', async () => {
+  const mockFetch = async (url, options) => {
+    return { ok: true, status: 200 };
+  };
+
+  const controller = createAgentAdapterController({ fetch: mockFetch });
+  const adapter = makeAdapter('healthy-adapter', { healthEndpoint: 'http://localhost:9090/health' });
+
+  const result = await controller.healthCheck(adapter);
+
+  assert.ok(result, 'healthCheck must return a result');
+  assert.equal(result.status, 'healthy', 'status must be "healthy" when fetch succeeds');
+  assert.equal(result.adapterName, adapter.metadata.name, 'result must carry the adapter name');
+  assert.ok(typeof result.latencyMs === 'number', 'result must include latencyMs');
+  assert.ok(result.latencyMs >= 0, 'latencyMs must be non-negative');
+  assert.ok(!result.error, 'result must not have an error when healthy');
+});
+
+// ---------------------------------------------------------------------------
+// C4.2: healthCheck with endpoint returns unhealthy when fetch fails (non-ok)
+// ---------------------------------------------------------------------------
+
+test('healthCheck with endpoint returns unhealthy when fetch returns non-ok status', async () => {
+  const mockFetch = async (url, options) => {
+    return { ok: false, status: 503 };
+  };
+
+  const controller = createAgentAdapterController({ fetch: mockFetch });
+  const adapter = makeAdapter('unhealthy-adapter', { healthEndpoint: 'http://localhost:9090/health' });
+
+  const result = await controller.healthCheck(adapter);
+
+  assert.ok(result, 'healthCheck must return a result');
+  assert.equal(result.status, 'unhealthy', 'status must be "unhealthy" when fetch returns non-ok');
+  assert.equal(result.adapterName, adapter.metadata.name, 'result must carry the adapter name');
+  assert.ok(typeof result.latencyMs === 'number', 'result must include latencyMs');
+  assert.ok(result.error, 'result must include an error message when unhealthy');
+});
+
+// ---------------------------------------------------------------------------
+// C4.3: healthCheck with endpoint returns unhealthy on network error / timeout
+// ---------------------------------------------------------------------------
+
+test('healthCheck with endpoint returns unhealthy when fetch throws (timeout/network)', async () => {
+  const mockFetch = async (url, options) => {
+    throw new Error('AbortError: The operation was aborted');
+  };
+
+  const controller = createAgentAdapterController({ fetch: mockFetch });
+  const adapter = makeAdapter('timeout-adapter', { healthEndpoint: 'http://localhost:9090/health' });
+
+  const result = await controller.healthCheck(adapter);
+
+  assert.ok(result, 'healthCheck must return a result');
+  assert.equal(result.status, 'unhealthy', 'status must be "unhealthy" when fetch throws');
+  assert.equal(result.adapterName, adapter.metadata.name, 'result must carry the adapter name');
+  assert.ok(typeof result.latencyMs === 'number', 'result must include latencyMs');
+  assert.ok(result.error, 'result must include an error message when fetch throws');
+  assert.ok(result.error.includes('AbortError') || result.error.includes('aborted') || result.error.length > 0, 'error message must be non-empty');
+});
+
+// ---------------------------------------------------------------------------
+// C4.4: healthCheck without endpoint returns unknown (existing behaviour preserved)
+// ---------------------------------------------------------------------------
+
+test('healthCheck without endpoint returns unknown with reason no-endpoint', async () => {
+  const controller = createAgentAdapterController();
+  const adapter = makeAdapter('no-endpoint-adapter');
+  // no healthEndpoint in spec
+
+  const result = await controller.healthCheck(adapter);
+
+  assert.ok(result, 'healthCheck must return a result');
+  assert.equal(result.status, 'unknown', 'status must be "unknown" when no endpoint configured');
+  assert.equal(result.reason, 'no-endpoint', 'reason must be "no-endpoint"');
+  assert.equal(result.adapterName, adapter.metadata.name, 'result must carry the adapter name');
+});
+
+// ---------------------------------------------------------------------------
+// C4.5: MCP server health check — healthy when endpoint fetch succeeds
+// ---------------------------------------------------------------------------
+
+test('AgentStackController MCP health check returns healthy when server endpoint responds', async () => {
+  const mockFetch = async (url, options) => {
+    return { ok: true, status: 200 };
+  };
+
+  const controller = createAgentStackController({ fetch: mockFetch });
+
+  const mcpServer = makeMcpServer('test-mcp', { endpoint: 'http://localhost:9090/mcp' });
+  const result = await controller.checkMcpHealth(mcpServer);
+
+  assert.ok(result, 'checkMcpHealth must return a result');
+  assert.equal(result.status, 'healthy', 'status must be "healthy" when fetch succeeds');
+  assert.ok(typeof result.latencyMs === 'number', 'result must include latencyMs');
+});
+
+// ---------------------------------------------------------------------------
+// C4.6: MCP server health check — unhealthy when fetch fails
+// ---------------------------------------------------------------------------
+
+test('AgentStackController MCP health check returns unhealthy when server fetch fails', async () => {
+  const mockFetch = async (url, options) => {
+    throw new Error('Connection refused');
+  };
+
+  const controller = createAgentStackController({ fetch: mockFetch });
+
+  const mcpServer = makeMcpServer('unreachable-mcp', { endpoint: 'http://localhost:9999/mcp' });
+  const result = await controller.checkMcpHealth(mcpServer);
+
+  assert.ok(result, 'checkMcpHealth must return a result');
+  assert.equal(result.status, 'unhealthy', 'status must be "unhealthy" when fetch throws');
+  assert.ok(result.error, 'result must include an error message');
+});
+
+// ---------------------------------------------------------------------------
+// C4.7: MCP server health check — unknown when no endpoint configured
+// ---------------------------------------------------------------------------
+
+test('AgentStackController MCP health check returns unknown when no endpoint configured', async () => {
+  const controller = createAgentStackController();
+
+  const mcpServer = makeMcpServer('no-endpoint-mcp', { endpoint: undefined });
+  delete mcpServer.spec.endpoint;
+  const result = await controller.checkMcpHealth(mcpServer);
+
+  assert.ok(result, 'checkMcpHealth must return a result');
+  assert.equal(result.status, 'unknown', 'status must be "unknown" when no endpoint configured');
+  assert.equal(result.reason, 'no-endpoint', 'reason must be "no-endpoint"');
+});

package/tests/integration/full-flow.test.js

@@ -0,0 +1,266 @@
+/**
+ * Core Integration Tests — End-to-end data flow tests using mock kubectl gateway
+ *
+ * Tests the full data flow through the Krate API controller using a mock
+ * resource gateway that stores resources in a Map instead of kubectl.
+ */
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import {
+  createKrateApiController,
+  createResource,
+  createAuditController,
+  createAgentSecretGrantController,
+  createAgentMemoryController,
+  listGrantsForAgent,
+} from '../../src/index.js';
+
+// ---------------------------------------------------------------------------
+// Mock resource gateway — stores resources in a Map instead of kubectl
+// ---------------------------------------------------------------------------
+
+function createMockGateway() {
+  const store = new Map();
+  return {
+    namespace: 'krate-org-test',
+    async apply(resource) {
+      store.set(`${resource.kind}/${resource.metadata.name}`, resource);
+      return { operation: 'apply', resource };
+    },
+    async list(kind) {
+      return { items: [...store.values()].filter((r) => r.kind === kind) };
+    },
+    async get(kind, name) {
+      return { resource: store.get(`${kind}/${name}`) || null };
+    },
+    async delete(kind, name) {
+      store.delete(`${kind}/${name}`);
+      return { operation: 'delete' };
+    },
+    async snapshot() {
+      return { namespace: 'krate-org-test', resources: {} };
+    },
+    watch() {
+      return { close: () => {} };
+    },
+    resourceDefinitions: [],
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Test 1: Org/user/repo flow
+// ---------------------------------------------------------------------------
+
+test('full flow: create org → user → repository → list shows repo', async () => {
+  const gw = createMockGateway();
+  const controller = createKrateApiController({ resourceGateway: gw });
+
+  // Create org
+  const org = createResource('Organization', { name: 'test-org', namespace: 'krate-system' }, { displayName: 'Test Org', namespaceName: 'krate-org-test-org' });
+  await controller.applyResource(org);
+
+  // Create user
+  const user = createResource('User', { name: 'alice', namespace: 'krate-org-test-org' }, { organizationRef: 'test-org', displayName: 'Alice', email: 'alice@example.com' });
+  await controller.applyResource(user);
+
+  // Create repository
+  const repo = createResource('Repository', { name: 'my-repo', namespace: 'krate-org-test-org' }, { organizationRef: 'test-org', visibility: 'internal' });
+  await controller.applyResource(repo);
+
+  // List repositories — should include the new repo
+  const result = await controller.listResource('Repository');
+  assert.ok(Array.isArray(result.items), 'result.items must be an array');
+  const found = result.items.find((r) => r.metadata?.name === 'my-repo');
+  assert.ok(found, 'my-repo should appear in listResource(Repository)');
+  assert.equal(found.spec?.organizationRef, 'test-org');
+});
+
+// ---------------------------------------------------------------------------
+// Test 2: Agent stack + trigger rule flow
+// ---------------------------------------------------------------------------
+
+test('full flow: create agent stack → create trigger rule → both appear in list', async () => {
+  const gw = createMockGateway();
+  const controller = createKrateApiController({ resourceGateway: gw });
+
+  // Create agent stack
+  const stack = createResource(
+    'AgentStack',
+    { name: 'review-bot', namespace: 'krate-org-myorg' },
+    { organizationRef: 'myorg', baseAgent: 'claude-code', adapter: 'default', runtimeIdentity: 'workspace' }
+  );
+  await controller.applyResource(stack);
+
+  // Create trigger rule
+  const rule = createResource(
+    'AgentTriggerRule',
+    { name: 'pr-trigger', namespace: 'krate-org-myorg' },
+    { organizationRef: 'myorg', sources: [{ type: 'pull_request', events: ['opened'] }], agentStack: 'review-bot', taskKind: 'code-review' }
+  );
+  await controller.applyResource(rule);
+
+  // Verify both appear
+  const stackList = await controller.listResource('AgentStack');
+  assert.ok(stackList.items.some((s) => s.metadata?.name === 'review-bot'), 'review-bot stack should appear');
+
+  const ruleList = await controller.listResource('AgentTriggerRule');
+  assert.ok(ruleList.items.some((r) => r.metadata?.name === 'pr-trigger'), 'pr-trigger rule should appear');
+});
+
+// ---------------------------------------------------------------------------
+// Test 3: Workspace flow
+// ---------------------------------------------------------------------------
+
+test('full flow: create workspace → verify it appears in list', async () => {
+  const gw = createMockGateway();
+  const controller = createKrateApiController({ resourceGateway: gw });
+
+  // Create workspace
+  const workspace = createResource(
+    'KrateWorkspace',
+    { name: 'dev-workspace', namespace: 'krate-org-myorg' },
+    { organizationRef: 'myorg', repository: 'my-repo', volumeSpec: { storageClass: 'standard', size: '10Gi' } }
+  );
+  await controller.applyResource(workspace);
+
+  // List workspaces — should include the new one
+  const result = await controller.listResource('KrateWorkspace');
+  assert.ok(Array.isArray(result.items));
+  const found = result.items.find((r) => r.metadata?.name === 'dev-workspace');
+  assert.ok(found, 'dev-workspace should appear in listResource(KrateWorkspace)');
+  assert.equal(found.spec?.repository, 'my-repo');
+});
+
+// ---------------------------------------------------------------------------
+// Test 4: Secret grant flow
+// ---------------------------------------------------------------------------
+
+test('full flow: create secret grant → listGrantsForAgent returns it', async () => {
+  const gw = createMockGateway();
+  const ctrl = createAgentSecretGrantController();
+
+  // Create a secret grant
+  const result = ctrl.createSecretGrant({
+    name: 'db-pass-grant',
+    orgRef: 'myorg',
+    secretName: 'db-password',
+    grantedTo: 'review-bot',
+    permissions: ['read'],
+    namespace: 'krate-org-myorg',
+  });
+
+  assert.ok(result.grant, 'createSecretGrant must return a grant');
+  assert.equal(result.grant.kind, 'AgentSecretGrant');
+  assert.equal(result.grant.metadata.name, 'db-pass-grant');
+  assert.equal(result.grant.spec.grantedTo, 'review-bot');
+
+  // Apply the grant resource via mock gateway
+  await gw.apply(result.grant);
+
+  // List grants and filter for this agent
+  const list = await gw.list('AgentSecretGrant');
+  const agentGrants = listGrantsForAgent(list.items, 'review-bot');
+  assert.ok(agentGrants.length >= 1, 'listGrantsForAgent should return at least 1 grant for review-bot');
+  assert.equal(agentGrants[0].metadata.name, 'db-pass-grant');
+});
+
+// ---------------------------------------------------------------------------
+// Test 5: External flow — syncExternalBinding
+// ---------------------------------------------------------------------------
+
+test('full flow: syncExternalBinding creates resource with external envelope', async () => {
+  const gw = createMockGateway();
+  const controller = createKrateApiController({ resourceGateway: gw });
+
+  const result = await controller.syncExternalBinding('github-binding', {
+    kind: 'Repository',
+    localName: 'synced-repo',
+    namespace: 'default',
+    spec: { organizationRef: 'default', visibility: 'private' },
+    externalEnvelope: {
+      nativeId: 'gh-repo-42',
+      url: 'https://github.com/org/synced-repo',
+      etag: '"abc123"',
+      providerRef: 'github-provider',
+    },
+  });
+
+  assert.ok(result, 'syncExternalBinding must return a result');
+  assert.ok(result.resource, 'result must include the upserted resource');
+  assert.equal(
+    result.resource.status?.external?.nativeId || result.resource?.status?.external?.nativeId,
+    'gh-repo-42',
+    'upserted resource must have correct nativeId'
+  );
+});
+
+// ---------------------------------------------------------------------------
+// Test 6: Memory flow — create repository source → verify in list
+// ---------------------------------------------------------------------------
+
+test('full flow: create memory repository → apply → appears in list', async () => {
+  const gw = createMockGateway();
+  const controller = createKrateApiController({ resourceGateway: gw });
+
+  // Create a memory repository resource
+  const memRepo = createResource(
+    'AgentMemoryRepository',
+    { name: 'org-brain', namespace: 'krate-org-myorg' },
+    { organizationRef: 'myorg', repositoryRef: 'memory-repo', defaultBranch: 'main', layoutProfile: 'standard' }
+  );
+  await controller.applyResource(memRepo);
+
+  // Create a memory source
+  const memSource = createResource(
+    'AgentMemorySource',
+    { name: 'codebase-source', namespace: 'krate-org-myorg' },
+    {
+      organizationRef: 'myorg',
+      repositoryRef: 'org-brain',
+      appliesTo: { stacks: ['review-bot'] },
+      include: ['decisions/', 'patterns/'],
+    }
+  );
+  await controller.applyResource(memSource);
+
+  // Verify both appear in their lists
+  const repoList = await controller.listResource('AgentMemoryRepository');
+  assert.ok(repoList.items.some((r) => r.metadata?.name === 'org-brain'), 'org-brain memory repo should appear');
+
+  const sourceList = await controller.listResource('AgentMemorySource');
+  assert.ok(sourceList.items.some((s) => s.metadata?.name === 'codebase-source'), 'codebase-source should appear');
+});
+
+// ---------------------------------------------------------------------------
+// Test 7: Audit flow — apply resource → audit log contains event
+// ---------------------------------------------------------------------------
+
+test('full flow: apply resource with onAuditEvent → audit log contains the event', async () => {
+  const gw = createMockGateway();
+  const audit = createAuditController();
+
+  const controller = createKrateApiController({
+    resourceGateway: gw,
+    onAuditEvent: (evt) => audit.log({
+      org: evt.org || 'audited',
+      actor: 'system',
+      action: evt.operation || 'apply',
+      resource: { kind: evt.kind, name: evt.name },
+      timestamp: evt.timestamp,
+    }),
+  });
+
+  // Apply a resource
+  const repo = createResource(
+    'Repository',
+    { name: 'audited-repo', namespace: 'krate-org-audited' },
+    { organizationRef: 'audited', visibility: 'private' }
+  );
+  await controller.applyResource(repo);
+
+  // Verify audit log contains the event
+  const { events, total } = audit.query({ org: 'audited' });
+  assert.ok(total >= 1, 'audit log must contain at least 1 event after apply');
+  assert.equal(events[0].action, 'apply', 'audit event action must be "apply"');
+  assert.equal(events[0].org, 'audited', 'audit event org must match');
+});