@a5c-ai/krate 5.0.1-staging.3a341c33c

package/tests/agent-permission-review.test.js

@@ -0,0 +1,209 @@
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { createPermissionReviewer } from '../src/agent-permission-review.js';
+import { createResource } from '../src/resource-model.js';
+
+function makeStack(name, overrides = {}) {
+  return createResource('AgentStack', { name }, {
+    organizationRef: 'default',
+    baseAgent: 'claude-code',
+    adapter: 'babysitter',
+    runtimeIdentity: { serviceAccountRef: overrides.serviceAccountRef || 'sa-agent' },
+    ...(overrides.spec || {})
+  });
+}
+
+function makeServiceAccount(name) {
+  return createResource('AgentServiceAccount', { name }, {
+    organizationRef: 'default',
+    namespace: 'krate-agents',
+    serviceAccountName: name
+  });
+}
+
+function makeRoleBinding(name, subject) {
+  return createResource('AgentRoleBinding', { name }, {
+    organizationRef: 'default',
+    subject,
+    roleRef: 'agent-role',
+    scope: 'namespace'
+  });
+}
+
+function makeSecretGrant(name, subject, purpose, overrides = {}) {
+  return createResource('AgentSecretGrant', { name }, {
+    organizationRef: 'default',
+    subject,
+    secretRef: 'api-keys',
+    purpose,
+    ...overrides
+  });
+}
+
+function makeMcpServer(name, overrides = {}) {
+  return createResource('AgentMcpServer', { name }, {
+    organizationRef: 'default',
+    transport: 'stdio',
+    scope: 'workspace',
+    ...overrides
+  });
+}
+
+function makeModelProviderGrant(subject) {
+  return makeSecretGrant('sg-model', subject, 'model-provider');
+}
+
+const baseInput = {
+  repository: 'my-repo',
+  ref: 'refs/heads/main',
+  actor: 'user-1',
+  agentStack: 'test-stack',
+  triggerSource: 'manual',
+  taskKind: 'fix'
+};
+
+describe('agent permission review', () => {
+  it('fully granted stack returns allowed', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = {
+      AgentStack: [makeStack('test-stack')],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [makeModelProviderGrant('sa-agent')],
+      AgentConfigGrant: [],
+      AgentMcpServer: []
+    };
+    const result = reviewer.reviewPermissions({ ...baseInput, resources });
+    assert.equal(result.decision, 'allowed');
+    assert.ok(result.grants.length > 0, 'should have at least one grant');
+    assert.ok(result.grants.some((g) => g.kind === 'AgentServiceAccount' && g.status === 'bound'));
+    assert.ok(result.grants.some((g) => g.kind === 'AgentRoleBinding' && g.status === 'bound'));
+    assert.ok(typeof result.digest === 'string' && result.digest.length > 0);
+  });
+
+  it('missing service account returns denied with missing-runtime-identity reason', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = {
+      AgentStack: [makeStack('test-stack', { serviceAccountRef: 'nonexistent-sa' })],
+      AgentServiceAccount: [],
+      AgentRoleBinding: [],
+      AgentSecretGrant: [],
+      AgentConfigGrant: [],
+      AgentMcpServer: []
+    };
+    const result = reviewer.reviewPermissions({ ...baseInput, resources });
+    assert.equal(result.decision, 'denied');
+    assert.ok(result.reasons.some((r) => r.severity === 'error' && r.message.includes('Missing AgentServiceAccount')));
+  });
+
+  it('missing secret grant returns denied with missingGrants information', () => {
+    const reviewer = createPermissionReviewer();
+    const mcpServer = makeMcpServer('mcp-github', { secretRef: 'github-token' });
+    const stack = makeStack('test-stack', {
+      spec: {
+        organizationRef: 'default',
+        baseAgent: 'claude-code',
+        adapter: 'babysitter',
+        runtimeIdentity: { serviceAccountRef: 'sa-agent' },
+        mcpServerRefs: ['mcp-github']
+      }
+    });
+    const resources = {
+      AgentStack: [stack],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [],
+      AgentConfigGrant: [],
+      AgentMcpServer: [mcpServer]
+    };
+    const result = reviewer.reviewPermissions({ ...baseInput, resources });
+    assert.equal(result.decision, 'denied');
+    assert.ok(result.reasons.some((r) => r.severity === 'error' && r.message.includes('Missing AgentSecretGrant')));
+  });
+
+  it('grant requiring approval returns requires-approval', () => {
+    const reviewer = createPermissionReviewer();
+    const mcpServer = makeMcpServer('mcp-prod', { secretRef: 'prod-secret' });
+    const stack = makeStack('test-stack', {
+      spec: {
+        organizationRef: 'default',
+        baseAgent: 'claude-code',
+        adapter: 'babysitter',
+        runtimeIdentity: { serviceAccountRef: 'sa-agent' },
+        mcpServerRefs: ['mcp-prod']
+      }
+    });
+    const mcpGrant = makeSecretGrant('sg-prod', 'sa-agent', 'mcp-server:mcp-prod', {
+      requiredApproval: 'always'
+    });
+    const resources = {
+      AgentStack: [stack],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [mcpGrant, makeModelProviderGrant('sa-agent')],
+      AgentConfigGrant: [],
+      AgentMcpServer: [mcpServer]
+    };
+    const result = reviewer.reviewPermissions({ ...baseInput, resources });
+    assert.equal(result.decision, 'requires-approval');
+    assert.ok(result.grants.some((g) => g.status === 'requires-approval' && g.requiredApproval === 'always'));
+  });
+
+  it('empty capabilities stack returns allowed', () => {
+    const reviewer = createPermissionReviewer();
+    const stack = makeStack('test-stack');
+    const resources = {
+      AgentStack: [stack],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [makeModelProviderGrant('sa-agent')],
+      AgentConfigGrant: [],
+      AgentMcpServer: []
+    };
+    const result = reviewer.reviewPermissions({
+      ...baseInput,
+      toolRefs: [],
+      skillRefs: [],
+      mcpServerRefs: [],
+      contextLabelRefs: [],
+      resources
+    });
+    assert.equal(result.decision, 'allowed');
+  });
+
+  it('same input produces deterministic digest', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = {
+      AgentStack: [makeStack('test-stack')],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [makeModelProviderGrant('sa-agent')],
+      AgentConfigGrant: [],
+      AgentMcpServer: []
+    };
+    const result1 = reviewer.reviewPermissions({ ...baseInput, resources });
+    const result2 = reviewer.reviewPermissions({ ...baseInput, resources });
+    assert.equal(result1.digest, result2.digest);
+    assert.ok(typeof result1.digest === 'string' && result1.digest.length === 64, 'digest should be a 64-char hex SHA-256');
+  });
+
+  it('createPermissionSnapshot returns frozen object with timestamp', () => {
+    const reviewer = createPermissionReviewer();
+    const resources = {
+      AgentStack: [makeStack('test-stack')],
+      AgentServiceAccount: [makeServiceAccount('sa-agent')],
+      AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-agent')],
+      AgentSecretGrant: [makeModelProviderGrant('sa-agent')],
+      AgentConfigGrant: [],
+      AgentMcpServer: []
+    };
+    const review = reviewer.reviewPermissions({ ...baseInput, resources });
+    const snapshot = reviewer.createPermissionSnapshot(review);
+    assert.ok(Object.isFrozen(snapshot), 'snapshot should be frozen');
+    assert.ok(typeof snapshot.snapshotAt === 'string' && snapshot.snapshotAt.length > 0, 'snapshot should have a timestamp');
+    assert.equal(snapshot.frozen, true);
+    assert.equal(snapshot.digest, review.digest);
+    assert.equal(snapshot.decision, review.decision);
+    assert.throws(() => { snapshot.decision = 'denied'; }, TypeError);
+  });
+});

package/tests/agent-resources.test.js

@@ -0,0 +1,228 @@
+import assert from 'node:assert/strict';
+import { describe, it } from 'node:test';
+import {
+  CONFIG_KINDS,
+  AGGREGATED_KINDS,
+  ALL_KINDS,
+  RESOURCE_DEFINITIONS,
+  createResource,
+  validateResource,
+  resourceSchemaForKind,
+  storageClassForKind,
+  listResourceDefinitions
+} from '../src/resource-model.js';
+
+const AGENT_CONFIG_KINDS = [
+  'AgentStack',
+  'AgentSubagent',
+  'AgentToolProfile',
+  'AgentMcpServer',
+  'AgentSkill',
+  'AgentTriggerRule',
+  'AgentContextLabel',
+  'AgentWorkspacePolicy',
+  'AgentServiceAccount',
+  'AgentRoleBinding',
+  'AgentSecretGrant',
+  'AgentConfigGrant',
+  'AgentAdapter',
+  'AgentTransportBinding',
+  'AgentProviderConfig',
+  'AgentProject',
+  'AgentGatewayConfig',
+  'AgentMemoryRepository',
+  'AgentMemorySource',
+  'AgentMemoryOntology',
+  'AgentMemoryAssociation'
+];
+
+const AGENT_AGGREGATED_KINDS = [
+  'AgentDispatchRun',
+  'AgentDispatchAttempt',
+  'AgentSession',
+  'AgentContextBundle',
+  'AgentArtifact',
+  'AgentApproval',
+  'AgentWorkspace',
+  'AgentTriggerExecution',
+  'AgentCapabilityRequirement',
+  'WorkItemSessionLink',
+  'WorkItemWorkspaceLink',
+  'AgentSessionTranscript',
+  'AgentSessionAttachment',
+  'AgentWorkspaceRuntime',
+  'AgentMemorySnapshot',
+  'AgentMemoryQuery',
+  'AgentMemoryUpdate',
+  'AgentRunMemoryImport'
+];
+
+const ALL_AGENT_KINDS = [...AGENT_CONFIG_KINDS, ...AGENT_AGGREGATED_KINDS];
+
+/** Minimal valid spec for each agent kind, satisfying requiredSpec. */
+function minimalSpecForKind(kind) {
+  const specs = {
+    AgentStack: { organizationRef: 'default', baseAgent: 'claude-code', adapter: 'babysitter', runtimeIdentity: 'sa-agent' },
+    AgentSubagent: { organizationRef: 'default', rolePrompt: 'Code reviewer', taskKinds: ['review'] },
+    AgentToolProfile: { organizationRef: 'default', filesystemPolicy: 'read-write', approvalPolicyByTool: { shell: 'auto' } },
+    AgentMcpServer: { organizationRef: 'default', transport: 'stdio', scope: 'workspace' },
+    AgentSkill: { organizationRef: 'default', format: 'markdown', sourceRef: 'skills/debug.md' },
+    AgentTriggerRule: { organizationRef: 'default', sources: ['ci-failure'], agentStack: 'default-stack', taskKind: 'fix' },
+    AgentContextLabel: { organizationRef: 'default', promptFragment: 'Always run tests before committing', allowedSources: ['admin'] },
+    AgentWorkspacePolicy: { organizationRef: 'default', mode: 'worktree', retentionPolicy: '7d' },
+    AgentServiceAccount: { organizationRef: 'default', namespace: 'krate-agents', serviceAccountName: 'agent-runner' },
+    AgentRoleBinding: { organizationRef: 'default', subject: 'agent-runner', roleRef: 'agent-role', scope: 'namespace' },
+    AgentSecretGrant: { organizationRef: 'default', subject: 'agent-runner', secretRef: 'api-keys', purpose: 'API access' },
+    AgentConfigGrant: { organizationRef: 'default', subject: 'agent-runner', configMapRef: 'agent-config', purpose: 'Configuration' },
+    AgentDispatchRun: { organizationRef: 'default', repository: 'app', sourceRefs: ['refs/heads/main'], agentStack: 'default-stack', taskKind: 'fix' },
+    AgentDispatchAttempt: { organizationRef: 'default', agentDispatchRun: 'run-1', attemptReason: 'initial', agentStackSnapshot: { baseAgent: 'claude-code' } },
+    AgentSession: { organizationRef: 'default', agentMuxSessionId: 'sess-123', dispatchRun: 'run-1' },
+    AgentContextBundle: { organizationRef: 'default', dispatchRun: 'run-1', digest: 'sha256:abc', sources: ['repo-context'] },
+    AgentArtifact: { organizationRef: 'default', dispatchRun: 'run-1', kind: 'patch', digest: 'sha256:def' },
+    AgentApproval: { organizationRef: 'default', dispatchRun: 'run-1', action: 'write-back', requestedBy: 'agent-runner' },
+    AgentWorkspace: { organizationRef: 'default', repository: 'app', workspacePath: '/workspaces/app-1', ownership: 'agent-runner' },
+    AgentTriggerExecution: { organizationRef: 'default', triggerRule: 'on-ci-fail', sourceEvent: 'pipeline-failed', decision: 'dispatch' },
+    AgentCapabilityRequirement: { organizationRef: 'default', ownerRef: 'stack-1', requiredRoles: ['shell', 'git'] },
+    WorkItemSessionLink: { organizationRef: 'default', workItemRef: 'issue-1', agentSession: 'sess-123' },
+    WorkItemWorkspaceLink: { organizationRef: 'default', workItemRef: 'issue-1', workspace: 'ws-1' },
+    AgentAdapter: { organizationRef: 'default', adapterType: 'claude-code', transport: 'stdio' },
+    AgentTransportBinding: { organizationRef: 'default', adapterRef: 'claude-code', endpoint: 'https://agent.example.test', protocol: 'https' },
+    AgentProviderConfig: { organizationRef: 'default', provider: 'anthropic', authType: 'api-key' },
+    AgentProject: { organizationRef: 'default', displayName: 'Platform' },
+    AgentGatewayConfig: { organizationRef: 'default', gatewayUrl: 'https://mux.example.test' },
+    AgentSessionTranscript: { organizationRef: 'default', sessionRef: 'sess-123', messages: [{ role: 'user', content: 'hello' }] },
+    AgentSessionAttachment: { organizationRef: 'default', sessionRef: 'sess-123', sourceType: 'upload', digest: 'sha256:abc' },
+    AgentWorkspaceRuntime: { organizationRef: 'default', workspaceRef: 'ws-1', status: 'running' },
+    AgentMemoryRepository: { organizationRef: 'default', repositoryRef: 'memory-repo', defaultBranch: 'main', layoutProfile: 'standard' },
+    AgentMemorySource: { organizationRef: 'default', repositoryRef: 'memory-repo', appliesTo: 'team:platform', include: ['decisions/**', 'runbooks/**'] },
+    AgentMemoryOntology: { organizationRef: 'default', memoryRepository: 'memory-repo', ontologyPath: '.memory/ontology.yaml' },
+    AgentMemoryAssociation: { organizationRef: 'default', memoryRef: 'decision-001', targetRef: 'issue-42', relationship: 'informs' },
+    AgentMemorySnapshot: { organizationRef: 'default', memoryRepository: 'memory-repo', requestedRef: 'refs/heads/main', resolvedCommit: 'a'.repeat(40) },
+    AgentMemoryQuery: { organizationRef: 'default', snapshotRef: 'snap-1', requester: 'agent-runner', query: 'deployment patterns' },
+    AgentMemoryUpdate: { organizationRef: 'default', memoryRepository: 'memory-repo', sourceRun: 'run-1', changes: [{ path: 'decisions/001.md', op: 'add' }] },
+    AgentRunMemoryImport: { organizationRef: 'default', memoryRepository: 'memory-repo', source: 'babysitter-run-42', include: ['journal', 'effects'] }
+  };
+  return specs[kind];
+}
+
+describe('agent resource set membership', () => {
+  for (const kind of AGENT_CONFIG_KINDS) {
+    it(`${kind} is in CONFIG_KINDS`, () => {
+      assert.ok(CONFIG_KINDS.has(kind), `${kind} should be in CONFIG_KINDS`);
+    });
+  }
+
+  for (const kind of AGENT_AGGREGATED_KINDS) {
+    it(`${kind} is in AGGREGATED_KINDS`, () => {
+      assert.ok(AGGREGATED_KINDS.has(kind), `${kind} should be in AGGREGATED_KINDS`);
+    });
+  }
+
+  for (const kind of ALL_AGENT_KINDS) {
+    it(`${kind} is in ALL_KINDS`, () => {
+      assert.ok(ALL_KINDS.has(kind), `${kind} should be in ALL_KINDS`);
+    });
+  }
+});
+
+describe('RESOURCE_DEFINITIONS for agent kinds', () => {
+  for (const kind of ALL_AGENT_KINDS) {
+    it(`${kind} has valid definition with storage, context, plural, purpose, requiredSpec`, () => {
+      const def = RESOURCE_DEFINITIONS[kind];
+      assert.ok(def, `${kind} should exist in RESOURCE_DEFINITIONS`);
+      assert.ok(['etcd', 'postgres'].includes(def.storage), `${kind} storage should be etcd or postgres`);
+      assert.ok(typeof def.context === 'string' && def.context.length > 0, `${kind} context should be a non-empty string`);
+      assert.ok(typeof def.plural === 'string' && def.plural.length > 0, `${kind} plural should be a non-empty string`);
+      assert.ok(typeof def.purpose === 'string' && def.purpose.length > 0, `${kind} purpose should be a non-empty string`);
+      assert.ok(Array.isArray(def.requiredSpec) && def.requiredSpec.length > 0, `${kind} requiredSpec should be a non-empty array`);
+    });
+  }
+});
+
+describe('createResource for agent kinds', () => {
+  for (const kind of ALL_AGENT_KINDS) {
+    it(`creates a valid ${kind} resource`, () => {
+      const spec = minimalSpecForKind(kind);
+      const resource = createResource(kind, { name: `test-${kind.toLowerCase()}` }, spec);
+      assert.equal(resource.apiVersion, 'krate.a5c.ai/v1alpha1');
+      assert.equal(resource.kind, kind);
+      assert.equal(resource.metadata.name, `test-${kind.toLowerCase()}`);
+      assert.equal(resource.metadata.namespace, 'default');
+      assert.ok(resource.metadata.labels !== undefined);
+      assert.ok(resource.metadata.annotations !== undefined);
+      assert.ok(typeof resource.spec === 'object');
+      assert.ok(typeof resource.status === 'object');
+    });
+  }
+});
+
+describe('validateResource rejects missing required spec fields for agent kinds', () => {
+  for (const kind of ALL_AGENT_KINDS) {
+    it(`throws on empty spec for ${kind}`, () => {
+      const resource = {
+        apiVersion: 'krate.a5c.ai/v1alpha1',
+        kind,
+        metadata: { name: `invalid-${kind.toLowerCase()}` },
+        spec: {},
+        status: {}
+      };
+      const def = RESOURCE_DEFINITIONS[kind];
+      assert.throws(
+        () => validateResource(resource),
+        (err) => {
+          assert.ok(err.message.includes(`${kind} spec.${def.requiredSpec[0]} is required`));
+          return true;
+        }
+      );
+    });
+  }
+});
+
+describe('resourceSchemaForKind for agent kinds', () => {
+  for (const kind of ALL_AGENT_KINDS) {
+    it(`returns correct schema for ${kind}`, () => {
+      const schema = resourceSchemaForKind(kind);
+      assert.equal(schema.apiVersion, 'krate.a5c.ai/v1alpha1');
+      assert.equal(schema.kind, kind);
+      assert.ok(typeof schema.plural === 'string');
+      assert.ok(['etcd', 'postgres'].includes(schema.storage));
+      assert.ok(Array.isArray(schema.required.metadata));
+      assert.ok(schema.required.metadata.includes('name'));
+      assert.ok(Array.isArray(schema.required.spec));
+      assert.ok(schema.required.spec.length > 0);
+      assert.deepEqual(schema.status, ['storage', 'phase', 'conditions']);
+    });
+  }
+});
+
+describe('storageClassForKind for agent kinds', () => {
+  for (const kind of AGENT_CONFIG_KINDS) {
+    it(`${kind} returns etcd`, () => {
+      assert.equal(storageClassForKind(kind), 'etcd');
+    });
+  }
+
+  for (const kind of AGENT_AGGREGATED_KINDS) {
+    it(`${kind} returns postgres`, () => {
+      assert.equal(storageClassForKind(kind), 'postgres');
+    });
+  }
+});
+
+describe('kind set counts', () => {
+  it('CONFIG_KINDS has 41 members', () => {
+    assert.equal(CONFIG_KINDS.size, 41);
+  });
+
+  it('AGGREGATED_KINDS has 24 members', () => {
+    assert.equal(AGGREGATED_KINDS.size, 24);
+  });
+
+  it('ALL_KINDS has 65 members', () => {
+    assert.equal(ALL_KINDS.size, 65);
+  });
+
+  it('listResourceDefinitions returns 65 definitions', () => {
+    assert.equal(listResourceDefinitions().length, 65);
+  });
+});

package/tests/agent-stack-controller.test.js

@@ -0,0 +1,221 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+import { createAgentStackController, createResource } from '../src/index.js';
+
+function makeStack(name, spec = {}) {
+  return createResource('AgentStack', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    baseAgent: 'claude-code',
+    adapter: 'anthropic',
+    runtimeIdentity: { serviceAccountRef: 'sa-default' },
+    ...spec
+  });
+}
+
+function makeToolProfile(name) {
+  return createResource('AgentToolProfile', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    filesystemPolicy: 'read-write',
+    approvalPolicyByTool: {}
+  });
+}
+
+function makeMcpServer(name) {
+  return createResource('AgentMcpServer', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    transport: 'stdio',
+    scope: 'workspace'
+  });
+}
+
+function makeSkill(name, overrides = {}) {
+  return createResource('AgentSkill', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    format: 'markdown',
+    sourceRef: 'git://repo/skills/' + name,
+    ...overrides
+  });
+}
+
+function makeSubagent(name, overrides = {}) {
+  return createResource('AgentSubagent', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    rolePrompt: 'Test subagent',
+    taskKinds: ['code-review'],
+    ...overrides
+  });
+}
+
+function makeContextLabel(name) {
+  return createResource('AgentContextLabel', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    promptFragment: 'context for ' + name,
+    allowedSources: ['manual']
+  });
+}
+
+function makeServiceAccount(name) {
+  return createResource('AgentServiceAccount', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    namespace: 'krate-org-default',
+    serviceAccountName: name
+  });
+}
+
+function makeRoleBinding(name, subject) {
+  return createResource('AgentRoleBinding', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    subject,
+    roleRef: 'agent-developer',
+    scope: 'namespace'
+  });
+}
+
+function makeSecretGrant(name, subject, purpose) {
+  return createResource('AgentSecretGrant', { name, namespace: 'krate-org-default' }, {
+    organizationRef: 'default',
+    subject,
+    secretRef: 'secret-' + purpose,
+    purpose
+  });
+}
+
+test('Stack with all refs present results in Ready=True', () => {
+  const controller = createAgentStackController();
+  const stack = makeStack('full-stack', {
+    toolPolicy: 'tool-profile-1',
+    mcpServerRefs: ['mcp-github'],
+    skillRefs: ['skill-review'],
+    subagentRefs: ['sub-linter'],
+    contextLabelRefs: ['ctx-security']
+  });
+
+  const resources = {
+    AgentStack: [stack],
+    AgentToolProfile: [makeToolProfile('tool-profile-1')],
+    AgentMcpServer: [makeMcpServer('mcp-github')],
+    AgentSkill: [makeSkill('skill-review')],
+    AgentSubagent: [makeSubagent('sub-linter')],
+    AgentContextLabel: [makeContextLabel('ctx-security')],
+    AgentServiceAccount: [makeServiceAccount('sa-default')],
+    AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-default')],
+    AgentSecretGrant: [makeSecretGrant('sg-model', 'sa-default', 'model-provider')]
+  };
+
+  const result = controller.reconcileStack(stack, resources);
+  const readyCondition = result.conditions.find((c) => c.type === 'Ready');
+  assert.equal(readyCondition.status, 'True', 'Ready condition should be True when all refs are present');
+  assert.equal(result.validation, 'valid');
+  assert.equal(result.capabilities.tools.length, 1);
+  assert.equal(result.capabilities.mcpServers.length, 1);
+  assert.equal(result.capabilities.skills.length, 1);
+  assert.equal(result.capabilities.subagents.length, 1);
+  assert.equal(result.capabilities.contextLabels.length, 1);
+});
+
+test('Stack with missing MCP server results in McpHealthy=False and Ready=False', () => {
+  const controller = createAgentStackController();
+  const stack = makeStack('missing-mcp-stack', {
+    mcpServerRefs: ['mcp-github', 'mcp-missing']
+  });
+
+  const resources = {
+    AgentStack: [stack],
+    AgentMcpServer: [makeMcpServer('mcp-github')],
+    AgentServiceAccount: [makeServiceAccount('sa-default')],
+    AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-default')],
+    AgentSecretGrant: [makeSecretGrant('sg-model', 'sa-default', 'model-provider')]
+  };
+
+  const result = controller.reconcileStack(stack, resources);
+  const mcpCondition = result.conditions.find((c) => c.type === 'McpHealthy');
+  const readyCondition = result.conditions.find((c) => c.type === 'Ready');
+  assert.equal(mcpCondition.status, 'False', 'McpHealthy should be False when MCP server is missing');
+  assert.equal(readyCondition.status, 'False', 'Ready should be False when McpHealthy is False');
+  assert.ok(mcpCondition.message.includes('mcp-missing'));
+});
+
+test('Stack with missing skill results in SkillsValidated=False and Ready=False', () => {
+  const controller = createAgentStackController();
+  const stack = makeStack('missing-skill-stack', {
+    skillRefs: ['skill-review', 'skill-ghost']
+  });
+
+  const resources = {
+    AgentStack: [stack],
+    AgentSkill: [makeSkill('skill-review')],
+    AgentServiceAccount: [makeServiceAccount('sa-default')],
+    AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-default')],
+    AgentSecretGrant: [makeSecretGrant('sg-model', 'sa-default', 'model-provider')]
+  };
+
+  const result = controller.reconcileStack(stack, resources);
+  const skillsCondition = result.conditions.find((c) => c.type === 'SkillsValidated');
+  const readyCondition = result.conditions.find((c) => c.type === 'Ready');
+  assert.equal(skillsCondition.status, 'False', 'SkillsValidated should be False when skill is missing');
+  assert.equal(readyCondition.status, 'False', 'Ready should be False when SkillsValidated is False');
+  assert.ok(skillsCondition.message.includes('skill-ghost'));
+});
+
+test('Minimal stack with no capability refs results in Ready=True', () => {
+  const controller = createAgentStackController();
+  const stack = makeStack('minimal-stack');
+
+  const resources = {
+    AgentStack: [stack],
+    AgentServiceAccount: [makeServiceAccount('sa-default')],
+    AgentRoleBinding: [makeRoleBinding('rb-1', 'sa-default')],
+    AgentSecretGrant: [makeSecretGrant('sg-model', 'sa-default', 'model-provider')]
+  };
+
+  const result = controller.reconcileStack(stack, resources);
+  const readyCondition = result.conditions.find((c) => c.type === 'Ready');
+  assert.equal(readyCondition.status, 'True', 'Ready should be True for minimal stack with identity present');
+  assert.equal(result.validation, 'valid');
+  assert.equal(result.capabilities.tools.length, 0);
+  assert.equal(result.capabilities.mcpServers.length, 0);
+  assert.equal(result.capabilities.skills.length, 0);
+  assert.equal(result.capabilities.subagents.length, 0);
+  assert.equal(result.capabilities.contextLabels.length, 0);
+});
+
+test('listStackCapabilities returns correct normalized capability list', () => {
+  const controller = createAgentStackController();
+  const stack = makeStack('caps-stack', {
+    toolPolicy: 'tp-1',
+    mcpServerRefs: ['mcp-a', 'mcp-b'],
+    skillRefs: ['skill-x'],
+    subagentRefs: ['sub-y'],
+    contextLabelRefs: ['ctx-z']
+  });
+
+  const resources = {
+    AgentToolProfile: [makeToolProfile('tp-1')],
+    AgentMcpServer: [makeMcpServer('mcp-a')],
+    AgentSkill: [makeSkill('skill-x')],
+    AgentSubagent: [makeSubagent('sub-y')],
+    AgentContextLabel: [makeContextLabel('ctx-z')]
+  };
+
+  const capabilities = controller.listStackCapabilities(stack, resources);
+  assert.equal(capabilities.length, 6);
+
+  const tool = capabilities.find((c) => c.kind === 'tool');
+  assert.equal(tool.name, 'tp-1');
+  assert.equal(tool.status, 'resolved');
+
+  const mcpA = capabilities.find((c) => c.kind === 'mcp' && c.name === 'mcp-a');
+  assert.equal(mcpA.status, 'resolved');
+
+  const mcpB = capabilities.find((c) => c.kind === 'mcp' && c.name === 'mcp-b');
+  assert.equal(mcpB.status, 'missing');
+
+  const skill = capabilities.find((c) => c.kind === 'skill');
+  assert.equal(skill.status, 'resolved');
+
+  const subagent = capabilities.find((c) => c.kind === 'subagent');
+  assert.equal(subagent.status, 'resolved');
+
+  const ctxLabel = capabilities.find((c) => c.kind === 'contextLabel');
+  assert.equal(ctxLabel.status, 'resolved');
+});