npm - @a5c-ai/krate - Versions diffs - 5.0.1-staging.3a341c33c - Mend

@a5c-ai/krate 5.0.1-staging.3a341c33c

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (178) hide show

package/Dockerfile +31 -0
package/README.md +183 -0
package/bin/krate-demo.mjs +23 -0
package/bin/krate-server.mjs +14 -0
package/dist/krate-controller-ui.json +2455 -0
package/dist/krate-lifecycle.json +201 -0
package/dist/krate-runtime-snapshot.json +2955 -0
package/dist/krate-summary.json +722 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/krate-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/product-requirements.md +62 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/system-requirements.md +90 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/user-stories.md +78 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +63 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +93 -0
package/scripts/validate-ui.mjs +207 -0
package/src/agent-approval-controller.js +123 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +86 -0
package/src/agent-memory-controller.js +374 -0
package/src/agent-mux-client.js +280 -0
package/src/agent-permission-review.js +162 -0
package/src/agent-stack-controller.js +296 -0
package/src/agent-trigger-controller.js +108 -0
package/src/agent-workspace-controller.js +208 -0
package/src/api-controller.js +248 -0
package/src/argocd-gitops.js +43 -0
package/src/auth.js +265 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +38 -0
package/src/controller-ui.js +551 -0
package/src/data-plane.js +178 -0
package/src/gitea-backend.js +95 -0
package/src/handoff.js +98 -0
package/src/hooks-events.js +63 -0
package/src/http-server.js +151 -0
package/src/identity-policy.js +86 -0
package/src/index.js +32 -0
package/src/kubernetes-controller.js +812 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/operations.js +112 -0
package/src/resource-model.js +211 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/web-ui.js +40 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +176 -0
package/tests/agent-memory-controller.test.js +308 -0
package/tests/agent-mux-client.test.js +204 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-resources.test.js +228 -0
package/tests/agent-stack-controller.test.js +221 -0
package/tests/agent-trigger-controller.test.js +211 -0
package/tests/agent-workspace-controller.test.js +215 -0
package/tests/deployment.test.js +393 -0
package/tests/e2e/lifecycle.test.js +117 -0
package/tests/krate.test.js +727 -0

package/src/runtime.js ADDED Viewed

@@ -0,0 +1,196 @@
+import { ControlPlane } from './control-plane.js';
+import { GiteaGitService, GiteaRepositoryStore } from './data-plane.js';
+import { WebhookBus } from './hooks-events.js';
+import { createAdmissionPolicy, mapOidcIdentity } from './identity-policy.js';
+import { createInviteResource, createTeamResource, createAuthProviderResources, mapLoginProfileToKrateIdentity } from './auth.js';
+import { createResource, clone } from './resource-model.js';
+import { RunnerScheduler } from './runners-ci.js';
+const DEFAULT_ORG = 'default';
+const DEFAULT_NAMESPACE = 'krate-org-default';
+export function createDefaultKrateUsers() {
+  return {
+    platformEngineer: mapOidcIdentity({ subject: 'user:platform', email: 'platform@example.com', groups: ['krate:platform-engineers'] }),
+    developer: mapOidcIdentity({ subject: 'user:dev', email: 'dev@example.com', groups: ['krate:developers'] }),
+    repoAdmin: mapOidcIdentity({ subject: 'user:admin', email: 'admin@example.com', groups: ['krate:repo-admins'] })
+  };
+}
+export class KrateRuntime {
+  constructor({ organizationRef = DEFAULT_ORG, namespace = DEFAULT_NAMESPACE, users = createDefaultKrateUsers(), controlPlane, git, runners, webhooks } = {}) {
+    this.organizationRef = organizationRef;
+    this.namespace = namespace;
+    this.users = users;
+    this.controlPlane = controlPlane || new ControlPlane();
+    this.controlPlane.addAdmissionPolicy(createAdmissionPolicy({
+      name: 'pr-title-required',
+      mode: 'enforce',
+      match: ({ resource }) => resource.kind === 'PullRequest',
+      validate: ({ resource }) => Boolean(resource.spec.title && resource.spec.title.length >= 8),
+      message: 'PullRequest spec.title must be descriptive'
+    }));
+    this.git = git || new GiteaGitService({ controlPlane: this.controlPlane, stores: [new GiteaRepositoryStore({ name: 'gitea-primary', receivePackReady: true })] });
+    this.runners = runners || new RunnerScheduler({ controlPlane: this.controlPlane });
+    this.webhooks = webhooks || new WebhookBus({ controlPlane: this.controlPlane });
+    this.seeded = false;
+  }
+  static fromSnapshot(snapshot, options = {}) {
+    const runtime = new KrateRuntime(options);
+    runtime.importSnapshot(snapshot);
+    return runtime;
+  }
+  bootstrap({ repository = 'krate-demo', webhookUrl = 'https://hooks.example.test/krate' } = {}) {
+    if (this.seeded) return this.snapshot();
+    const { platformEngineer, repoAdmin } = this.users;
+    this.git.createRepository({ name: repository, namespace: this.namespace, organizationRef: this.organizationRef }, repoAdmin);
+    this.controlPlane.create(createResource('BranchProtection', { name: 'main-protection', namespace: this.namespace }, { organizationRef: this.organizationRef, refs: ['refs/heads/main'], requirePullRequest: true, requiredChecks: ['test'], requiredApprovals: 1 }), repoAdmin);
+    this.controlPlane.create(createResource('RefPolicy', { name: 'deny-internal-refs', namespace: this.namespace }, { organizationRef: this.organizationRef, deny: ['refs/internal/'] }), repoAdmin);
+    this.runners.createRunnerPool({ name: 'trusted-linux', namespace: this.namespace, organizationRef: this.organizationRef, warmReplicas: 1, maxReplicas: 4 }, platformEngineer);
+    this.webhooks.subscribe({ name: 'chatops', namespace: this.namespace, organizationRef: this.organizationRef, url: webhookUrl, events: ['pullrequest.created', 'pullrequest.merged'] }, repoAdmin);
+    this.controlPlane.create(createTeamResource({ name: 'maintainers', organizationRef: this.organizationRef, displayName: 'Maintainers', members: ['admin'], maintainers: ['admin'], repositoryGrants: [{ repository, permission: 'admin' }], namespace: this.namespace }), platformEngineer);
+    const identity = mapLoginProfileToKrateIdentity({ provider: 'sso', subject: 'user:admin', email: 'admin@example.com', displayName: 'Admin', username: 'admin', teams: ['maintainers'], admin: true, namespace: this.namespace, organizationRef: this.organizationRef });
+    this.controlPlane.create(identity.user, platformEngineer);
+    this.controlPlane.create(identity.mapping, platformEngineer);
+    this.controlPlane.create(createInviteResource({ email: 'new-user@example.com', role: 'member', teams: ['maintainers'], invitedBy: 'admin', namespace: this.namespace, organizationRef: this.organizationRef }), repoAdmin);
+    for (const provider of createAuthProviderResources(undefined, this.namespace, this.organizationRef)) this.controlPlane.create(provider, platformEngineer);
+    this.seeded = true;
+    return this.snapshot();
+  }
+  exportSnapshot() {
+    return {
+      apiVersion: 'krate.a5c.ai/v1alpha1',
+      kind: 'KrateRuntimeSnapshot',
+      namespace: this.namespace,
+      organizationRef: this.organizationRef,
+      seeded: this.seeded,
+      controlPlane: this.controlPlane.exportSnapshot(),
+      git: this.git.snapshot?.() || null
+    };
+  }
+  importSnapshot(snapshot) {
+    const controlPlaneSnapshot = snapshot?.controlPlane || snapshot;
+    this.controlPlane.importSnapshot(controlPlaneSnapshot);
+    if (snapshot?.git) this.git.importSnapshot(snapshot.git);
+    this.seeded = Boolean(snapshot?.seeded || this.controlPlane.list('Repository', { namespace: this.namespace }).items.length);
+    return this.snapshot();
+  }
+  createRepository({ name, visibility = 'private' }, user = this.users.repoAdmin) {
+    return this.git.createRepository({ name, namespace: this.namespace, organizationRef: this.organizationRef, visibility }, user);
+  }
+  createPullRequest({ repository, sourceRef = 'refs/heads/feature', targetRef = 'refs/heads/main', title, actor = this.users.developer, fork = false }) {
+    this.#requireRepository(repository);
+    const index = this.controlPlane.list('PullRequest', { namespace: this.namespace }).items.length + 1;
+    const name = `pr-${index}`;
+    const pullRequest = this.controlPlane.create(createResource('PullRequest', { name, namespace: this.namespace, labels: { repository } }, {
+      organizationRef: this.organizationRef,
+      repository,
+      sourceRef,
+      targetRef,
+      title,
+      author: actor.name,
+      checks: [],
+      requiredApprovals: this.#requiredApprovals(targetRef)
+    }, { phase: 'Open', approvals: 0, mergeable: false }), actor);
+    const pipelineRun = this.runners.startPipeline({ name: `pipeline-${name}`, namespace: this.namespace, organizationRef: this.organizationRef, repository, ref: `refs/pull/${index}/head`, actor, fork, steps: ['checkout', 'test'] }, actor);
+    this.webhooks.deliver({ subscriptionName: 'chatops', namespace: this.namespace, organizationRef: this.organizationRef, eventType: 'pullrequest.created', payload: { pullRequest: name, repository, title } }, this.users.repoAdmin);
+    return { pullRequest, pipeline: pipelineRun.pipeline, jobs: pipelineRun.jobs };
+  }
+  completePipeline({ pipeline, phase = 'Succeeded', failedStep = null }, user = this.users.developer) {
+    const existing = this.controlPlane.get('Pipeline', this.namespace, pipeline);
+    if (!existing) throw new Error(`Pipeline ${pipeline} not found`);
+    const jobs = this.controlPlane.list('Job', { namespace: this.namespace, labels: { pipeline } }).items.map((job) => {
+      const jobPhase = failedStep && job.spec.step === failedStep ? 'Failed' : phase;
+      return this.controlPlane.patchStatus('Job', this.namespace, job.metadata.name, { phase: jobPhase, finishedAt: new Date().toISOString() }, user);
+    });
+    const pipelinePhase = jobs.some((job) => job.status.phase === 'Failed') ? 'Failed' : phase;
+    const updatedPipeline = this.controlPlane.patchStatus('Pipeline', this.namespace, pipeline, { phase: pipelinePhase, currentStep: null, finishedAt: new Date().toISOString() }, user);
+    this.#refreshPullRequestMergeability(existing.spec.repository);
+    return { pipeline: updatedPipeline, jobs };
+  }
+  addReview({ pullRequest, decision = 'approved', body = 'Looks good', reviewer = this.users.repoAdmin }) {
+    const pr = this.#requirePullRequest(pullRequest);
+    const reviewCount = this.controlPlane.list('Review', { namespace: this.namespace, labels: { pullRequest } }).items.length + 1;
+    const review = this.controlPlane.create(createResource('Review', { name: `${pullRequest}-review-${reviewCount}`, namespace: this.namespace, labels: { pullRequest, decision } }, {
+      organizationRef: this.organizationRef,
+      pullRequest,
+      repository: pr.spec.repository,
+      reviewer: reviewer.name,
+      decision,
+      body
+    }, { phase: decision === 'approved' ? 'Approved' : 'ChangesRequested' }), reviewer);
+    this.#refreshPullRequestMergeability(pr.spec.repository);
+    return review;
+  }
+  mergePullRequest({ pullRequest, actor = this.users.repoAdmin }) {
+    const pr = this.#requirePullRequest(pullRequest);
+    const refreshed = this.#refreshPullRequestMergeability(pr.spec.repository).find((candidate) => candidate.metadata.name === pullRequest) || pr;
+    if (!refreshed.status.mergeable) throw new Error(`PullRequest ${pullRequest} is not mergeable`);
+    const gitEvent = this.git.receivePack({ repository: refreshed.spec.repository, namespace: this.namespace, ref: refreshed.spec.targetRef, newRev: this.#syntheticRevision(pullRequest), actor });
+    const merged = this.controlPlane.patchStatus('PullRequest', this.namespace, pullRequest, { phase: 'Merged', mergeable: false, mergedAt: new Date().toISOString(), mergeCommit: gitEvent.newRev }, actor);
+    const delivery = this.webhooks.deliver({ subscriptionName: 'chatops', namespace: this.namespace, organizationRef: this.organizationRef, eventType: 'pullrequest.merged', payload: { pullRequest, repository: refreshed.spec.repository, mergeCommit: gitEvent.newRev } }, this.users.repoAdmin);
+    return { pullRequest: merged, gitEvent, delivery };
+  }
+  snapshot() {
+    const kinds = ['Organization', 'User', 'Team', 'Invite', 'IdentityMapping', 'AuthProvider', 'Repository', 'SSHKey', 'RepositoryPermission', 'BranchProtection', 'RefPolicy', 'RunnerPool', 'PullRequest', 'Issue', 'Review', 'Pipeline', 'Job', 'WebhookSubscription', 'WebhookDelivery'];
+    const resources = Object.fromEntries(kinds.map((kind) => [kind, this.controlPlane.list(kind, { namespace: this.namespace }).items]));
+    return {
+      namespace: this.namespace,
+      export: this.exportSnapshot(),
+      storage: this.controlPlane.storageReport(),
+      resources,
+      events: clone(this.controlPlane.events),
+      auditLog: clone(this.controlPlane.auditLog)
+    };
+  }
+  #requireRepository(repository) {
+    const existing = this.controlPlane.get('Repository', this.namespace, repository);
+    if (!existing) throw new Error(`Repository ${repository} not found`);
+    return existing;
+  }
+  #requirePullRequest(pullRequest) {
+    const existing = this.controlPlane.get('PullRequest', this.namespace, pullRequest);
+    if (!existing) throw new Error(`PullRequest ${pullRequest} not found`);
+    return existing;
+  }
+  #requiredApprovals(targetRef) {
+    const branchProtection = this.controlPlane.list('BranchProtection', { namespace: this.namespace }).items.find((policy) => (policy.spec.refs || []).includes(targetRef));
+    return branchProtection?.spec.requiredApprovals || 0;
+  }
+  #refreshPullRequestMergeability(repository) {
+    const pullRequests = this.controlPlane.list('PullRequest', { namespace: this.namespace, labels: { repository } }).items;
+    return pullRequests.map((pr) => {
+      if (pr.status.phase !== 'Open') return pr;
+      const reviews = this.controlPlane.list('Review', { namespace: this.namespace, labels: { pullRequest: pr.metadata.name } }).items;
+      const approvals = reviews.filter((review) => review.spec.decision === 'approved').length;
+      const pipelines = this.controlPlane.list('Pipeline', { namespace: this.namespace, labels: { repository } }).items.filter((pipeline) => pipeline.metadata.name === `pipeline-${pr.metadata.name}`);
+      const checksPassed = pipelines.length > 0 && pipelines.every((pipeline) => pipeline.status.phase === 'Succeeded');
+      return this.controlPlane.patchStatus('PullRequest', this.namespace, pr.metadata.name, { approvals, checksPassed, mergeable: approvals >= (pr.spec.requiredApprovals || 0) && checksPassed }, this.users.repoAdmin);
+    });
+  }
+  #syntheticRevision(seed) {
+    const source = Buffer.from(`${seed}:${Date.now()}`).toString('hex');
+    return source.padEnd(40, '0').slice(0, 40);
+  }
+}
+export function createKrateRuntime(options = {}) {
+  const runtime = new KrateRuntime(options);
+  if (options.bootstrap !== false) runtime.bootstrap(options.bootstrapOptions);
+  return runtime;
+}

package/src/web-ui.js ADDED Viewed

@@ -0,0 +1,40 @@
+import { createResource } from './resource-model.js';
+import { toResourceYaml } from './identity-policy.js';
+export function createPullRequestReviewModel({ pullRequest, changedFiles = [], pipelineRuns = [] }) {
+  return { layout: 'three-pane-review', panes: ['file-tree', 'diff-and-comments', 'conversation-ci'], keyboardShortcuts: ['j/k file navigation', 'n/p comment navigation', 'a add suggestion', 'm merge'], pullRequest, changedFiles, pipelineRuns, yaml: toResourceYaml(pullRequest) };
+}
+export function createFailingRunModel({ pipeline, jobs }) {
+  const failedJobs = jobs.filter((job) => job.status.phase === 'Failed');
+  return { layout: 'live-run-debugger', stream: 'sse', pipeline, failedJobs, actions: ['copy failure', 'find similar runs', 'rerun from step'], similarRunSelector: failedJobs.map((job) => job.metadata.labels).filter(Boolean) };
+}
+export function createRunnerPoolEditor(pool) {
+  return { layout: 'split-form-yaml', fields: ['image', 'resources', 'nodeSelector', 'warmReplicas', 'maxReplicas', 'trustTier', 'cache'], resource: pool, yaml: toResourceYaml(pool), saveModes: ['apply', 'copy kubectl', 'open platform-config PR'] };
+}
+export function createWebhookInspector({ subscription, deliveries }) {
+  return { layout: 'webhook-inspector', subscription, deliveries, columns: ['phase', 'latency', 'attempts', 'response', 'signature'], actions: ['send test delivery', 'inspect headers/body/response', 'replay'] };
+}
+export function createPolicyRolloutModel(policy) {
+  return { layout: 'policy-authoring', modes: ['template', 'CEL/raw'], rollout: ['preview', 'audit', 'enforce'], policy, yaml: toResourceYaml(policy) };
+}
+export function createTriageView({ name, namespace = 'krate-org-default', organizationRef = 'default', selector }) {
+  return createResource('View', { name, namespace, labels: { purpose: 'triage' } }, { organizationRef, selector, columns: ['kind', 'repository', 'priority', 'assignee', 'status'], shareable: true }, { saved: true });
+}
+export function createDashboard({ repositories, pullRequests, pipelines, runnerPools, webhookDeliveries }) {
+  return {
+    product: 'Krate',
+    principles: ['Kubernetes is the backend', 'CRDs are contracts', 'GitOps transparency'],
+    repositories,
+    pullRequests,
+    pipelines,
+    runnerPools,
+    webhookDeliveries,
+    excellentFlows: ['Open and review a PR', 'Debug a failing run', 'Configure a runner pool', 'Add a webhook and verify it works', 'Write a PR policy with audit-to-enforce rollout', 'Cross-repo triage with saved filters']
+  };
+}

package/tests/agent-approval-controller.test.js ADDED Viewed

@@ -0,0 +1,173 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { createAgentApprovalController, createResource } from '../src/index.js';
+function makeApproval(name, dispatchRun, action, phase = 'Pending', extra = {}) {
+  const approval = createResource('AgentApproval', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    dispatchRun,
+    action,
+    requestedBy: 'agent-stack-1',
+    ...extra
+  });
+  approval.status = { phase, createdAt: new Date().toISOString(), ...extra.status };
+  return approval;
+}
+test('Create approval request returns resource with phase=Pending', () => {
+  const controller = createAgentApprovalController();
+  const result = controller.createApprovalRequest({
+    dispatchRun: 'run-1',
+    action: 'tool-use',
+    requestedBy: 'agent-stack-1',
+    context: 'Needs filesystem write access',
+    namespace: 'krate-org-default',
+    organizationRef: 'default',
+    resources: {}
+  });
+  assert.equal(result.error, false, 'Should succeed');
+  assert.equal(result.duplicate, false, 'Should not be a duplicate');
+  assert.ok(result.approval, 'Should return an approval resource');
+  assert.equal(result.approval.kind, 'AgentApproval');
+  assert.equal(result.approval.status.phase, 'Pending');
+  assert.equal(result.approval.spec.action, 'tool-use');
+  assert.equal(result.approval.spec.dispatchRun, 'run-1');
+  assert.equal(result.approval.spec.requestedBy, 'agent-stack-1');
+  assert.ok(result.approval.status.createdAt, 'Should have createdAt timestamp');
+});
+test('Record approve sets phase=Approved and decidedBy', () => {
+  const controller = createAgentApprovalController();
+  const existing = makeApproval('approval-1', 'run-1', 'tool-use', 'Pending');
+  const result = controller.recordDecision({
+    approvalName: 'approval-1',
+    decision: 'approve',
+    decidedBy: 'owner',
+    reason: 'Looks safe',
+    resources: { AgentApproval: [existing] }
+  });
+  assert.equal(result.error, false, 'Should succeed');
+  assert.equal(result.approval.status.phase, 'Approved');
+  assert.equal(result.approval.status.decidedBy, 'owner');
+  assert.equal(result.approval.status.reason, 'Looks safe');
+  assert.ok(result.approval.status.decidedAt, 'Should have decidedAt timestamp');
+});
+test('Record deny sets phase=Denied', () => {
+  const controller = createAgentApprovalController();
+  const existing = makeApproval('approval-2', 'run-1', 'secret-access', 'Pending');
+  const result = controller.recordDecision({
+    approvalName: 'approval-2',
+    decision: 'deny',
+    decidedBy: 'admin',
+    reason: 'Sensitive secrets not allowed',
+    resources: { AgentApproval: [existing] }
+  });
+  assert.equal(result.error, false, 'Should succeed');
+  assert.equal(result.approval.status.phase, 'Denied');
+  assert.equal(result.approval.status.decidedBy, 'admin');
+  assert.equal(result.approval.status.reason, 'Sensitive secrets not allowed');
+});
+test('isActionApproved returns true after approval', () => {
+  const controller = createAgentApprovalController();
+  const approved = makeApproval('approval-3', 'run-2', 'write-back', 'Approved', { status: { decidedBy: 'owner', decidedAt: new Date().toISOString() } });
+  const result = controller.isActionApproved({
+    dispatchRun: 'run-2',
+    action: 'write-back',
+    resources: { AgentApproval: [approved] }
+  });
+  assert.equal(result.approved, true, 'Should be approved');
+  assert.ok(result.approval, 'Should return the approval resource');
+});
+test('isActionApproved returns false when still pending', () => {
+  const controller = createAgentApprovalController();
+  const pending = makeApproval('approval-4', 'run-3', 'release', 'Pending');
+  const result = controller.isActionApproved({
+    dispatchRun: 'run-3',
+    action: 'release',
+    resources: { AgentApproval: [pending] }
+  });
+  assert.equal(result.approved, false, 'Should not be approved');
+  assert.equal(result.reason, 'Approval is still pending');
+});
+test('Duplicate pending request returns existing approval', () => {
+  const controller = createAgentApprovalController();
+  const existing = makeApproval('approval-5', 'run-4', 'tool-use', 'Pending');
+  const result = controller.createApprovalRequest({
+    dispatchRun: 'run-4',
+    action: 'tool-use',
+    requestedBy: 'agent-stack-1',
+    resources: { AgentApproval: [existing] }
+  });
+  assert.equal(result.error, false, 'Should succeed');
+  assert.equal(result.duplicate, true, 'Should be flagged as duplicate');
+  assert.equal(result.approval.metadata.name, 'approval-5', 'Should return the existing approval');
+});
+test('Invalid action type returns error', () => {
+  const controller = createAgentApprovalController();
+  const result = controller.createApprovalRequest({
+    dispatchRun: 'run-5',
+    action: 'invalid-action',
+    requestedBy: 'agent-stack-1',
+    resources: {}
+  });
+  assert.equal(result.error, true, 'Should fail');
+  assert.equal(result.reason, 'invalid-action');
+  assert.ok(result.message.includes('invalid-action'), 'Message should mention the invalid action');
+});
+test('Already decided approval returns error on re-decide', () => {
+  const controller = createAgentApprovalController();
+  const decided = makeApproval('approval-6', 'run-6', 'escalation', 'Approved', { status: { decidedBy: 'admin', decidedAt: new Date().toISOString() } });
+  const result = controller.recordDecision({
+    approvalName: 'approval-6',
+    decision: 'deny',
+    decidedBy: 'other-admin',
+    resources: { AgentApproval: [decided] }
+  });
+  assert.equal(result.error, true, 'Should fail');
+  assert.equal(result.reason, 'already-decided');
+  assert.ok(result.message.includes('already been decided'), 'Message should indicate already decided');
+});
+test('listPendingApprovals filters by org and pending status', () => {
+  const controller = createAgentApprovalController();
+  const pending1 = makeApproval('p1', 'run-7', 'tool-use', 'Pending');
+  const pending2 = makeApproval('p2', 'run-8', 'release', 'Pending');
+  const approved = makeApproval('p3', 'run-9', 'write-back', 'Approved');
+  const result = controller.listPendingApprovals({
+    organizationRef: 'default',
+    resources: { AgentApproval: [pending1, pending2, approved] }
+  });
+  assert.equal(result.length, 2, 'Should return only pending approvals');
+  assert.ok(result.every(a => a.status.phase === 'Pending'), 'All should be Pending');
+});
+test('listApprovalsForRun filters by dispatch run', () => {
+  const controller = createAgentApprovalController();
+  const a1 = makeApproval('r1', 'run-10', 'tool-use', 'Pending');
+  const a2 = makeApproval('r2', 'run-10', 'secret-access', 'Approved');
+  const a3 = makeApproval('r3', 'run-11', 'release', 'Pending');
+  const result = controller.listApprovalsForRun({
+    dispatchRun: 'run-10',
+    resources: { AgentApproval: [a1, a2, a3] }
+  });
+  assert.equal(result.length, 2, 'Should return approvals for run-10 only');
+  assert.ok(result.every(a => a.spec.dispatchRun === 'run-10'), 'All should belong to run-10');
+});