@a5c-ai/krate 5.0.1-staging.f672fe79b

package/docs/tests/agent-qa-plan.md

@@ -0,0 +1,63 @@
+# Agent QA plan
+
+## Scope
+
+Agent QA covers future agent orchestration functionality:
+
+- agent stacks, tools, MCP servers, skills, subagents;
+- triggers from CI, webhooks, issues, PRs, labels, mentions, schedules, and manual UI;
+- Agent Mux run/session/chat integration;
+- dispatches displayed as CI-like runs;
+- context assembly, labels, memory, redaction, and snapshots;
+- company brain memory and `.a5c` run imports;
+- approvals, artifacts, write-back, and audit;
+- org-scoped RBAC, secrets, config, service accounts, and runner placement.
+
+## Required suites
+
+| Suite | Tests |
+| --- | --- |
+| Stack schema | stack/tool/MCP/skill/subagent resource validation and readiness conditions. |
+| Permission review | RBAC, secret/config grants, memory grants, missing capability explanations. |
+| Context assembly | prompt layers, source provenance, labels, redaction, digest snapshots. |
+| Dispatch lifecycle | create run/attempt, Agent Mux handoff, event stream, cancel/resume/retry. |
+| Trigger rules | dry-run, dedupe, coalesce, branch/source filters, trusted/untrusted refs. |
+| Agent Mux adapter | launch payload, capability discovery, session binding, transcript events. |
+| Memory | query, historical refs, tool access, snapshot reuse, stale warnings. |
+| Run import | `MEMORY.md`, sessions, `.a5c` journals/tasks/artifacts, redaction, PR review. |
+| Write-back | patch/comment/check/review artifacts, approval, idempotency, rollback. |
+| UI | dispatch composer, run detail/chat, memory dashboard, imports, approvals. |
+
+## Critical negative tests
+
+- stack references tool without required Secret grant;
+- skill requires ConfigMap not granted;
+- agent on fork tries to access trusted secrets;
+- trigger label tries to grant permission;
+- context label tries to hide instructions from preview;
+- Agent Mux session ID belongs to another org/run;
+- memory tool reads outside pinned snapshot;
+- `.a5c` import contains secret-like content;
+- write-back tries to mutate unapproved target;
+- subagent requests parent-only capability.
+
+## Browser journeys
+
+- manual dispatch from Code page with memory preview;
+- failed CI repair from Runs page;
+- issue mention dispatch with linked workspace/session;
+- run detail chat/session with event timeline;
+- memory import review and approval;
+- permission wizard fixes missing secret/config/memory grant;
+- trigger rule dry-run preview.
+
+## Done criteria
+
+Agent functionality is not production-ready until:
+
+- unit/integration/API tests cover resource and controller logic;
+- browser tests cover the primary user journeys;
+- cross-org and no-secret negative tests pass;
+- Agent Mux fake/session tests pass;
+- memory snapshot and import fixtures pass;
+- audit/events can explain every dispatch and write-back.

package/docs/tests/browser-ui-tests.md

@@ -0,0 +1,62 @@
+# Browser and UI tests
+
+## Browser framework
+
+Use Playwright for browser E2E once added. Browser tests should focus on route behavior, accessibility, and critical workflows rather than brittle visual snapshots.
+
+## Route smoke coverage
+
+Required route smoke tests:
+
+- `/orgs`;
+- `/orgs/[org]`;
+- `/orgs/[org]/repositories`;
+- `/orgs/[org]/repositories/[repo]/code`;
+- `/issues`, `/pull-requests`, `/runs`, `/hooks`, `/settings` under repo routes;
+- `/orgs/[org]/deployments`;
+- `/orgs/[org]/runs`;
+- future `/orgs/[org]/agents/*` and `/orgs/[org]/agents/memory/*`.
+
+Every route smoke asserts:
+
+- org switcher visible;
+- breadcrumbs include org;
+- main heading exists;
+- no server error;
+- advanced YAML/resource panels are reachable where expected;
+- unauthorized or missing resources show safe empty states.
+
+## Critical UI journeys
+
+| Journey | Assertions |
+| --- | --- |
+| Org switch | route changes org, data changes, no cross-org leakage. |
+| Repository navigation | tabs preserve org/repo and active page. |
+| Create/apply resource | YAML/plan preview, server validation, status update. |
+| Run debugging | run list, event stream, details, rerun affordance. |
+| Agent dispatch | composer, memory preview, permission review, created run link. |
+| Memory import review | generated diff, redaction status, validation status, approve/reject. |
+
+## Accessibility checks
+
+Run automated checks on primary routes for:
+
+- headings and landmarks;
+- form labels;
+- button/link names;
+- keyboard navigation;
+- focus management in dialogs/panels;
+- color contrast for status indicators;
+- reduced-motion behavior where relevant.
+
+## Visual regression
+
+Use visual checks sparingly for stable layout contracts:
+
+- app shell/sidebar/topbar;
+- repository code layout;
+- run detail layout;
+- memory import review panel;
+- empty/loading/error states.
+
+Prefer semantic assertions for changing data-heavy pages.

package/docs/tests/ci-quality-gates.md

@@ -0,0 +1,48 @@
+# CI quality gates
+
+## Gate levels
+
+| Gate | Trigger | Required checks |
+| --- | --- | --- |
+| PR fast gate | pull request | install, static/docs/package checks, unit/integration tests, UI validation. |
+| PR browser gate | pull request when UI changes | browser route smoke, critical UI journeys impacted by change. |
+| Merge gate | main/staging merge | full `npm run check`, package/chart validation, UI build. |
+| Nightly gate | schedule | live-ish integration, browser full suite, security scans, performance smoke. |
+| Release gate | tag/release | Docker build, Helm package, smoke install, upgrade/rollback plan, SBOM/signing if enabled. |
+| Staging gate | deployment | real cluster smoke, webhooks, runners, Gitea, Argo/KubeVela, Agent Mux if enabled. |
+
+## Current required local gate
+
+`npm run check` remains the all-up local gate:
+
+```text
+build -> validate:docs -> test -> e2e -> package:check -> smoke -> ui:validate -> ui:build
+```
+
+## Future gate additions
+
+- `test:browser` for Playwright route and journey tests.
+- `test:coverage` for coverage reporting.
+- `test:security` for dependency, secret, and auth/RBAC checks.
+- `test:charts` for rendered chart validation.
+- `test:agents` for agent/company-brain vertical slice.
+
+## CI artifact policy
+
+CI should retain:
+
+- test logs;
+- browser traces/screenshots/videos on failure;
+- coverage reports;
+- rendered manifests;
+- package validation report;
+- memory import redaction/validation fixtures;
+- smoke output;
+- SBOM/signature artifacts when release gates run.
+
+## Flake policy
+
+- A flaky test is a failing test until triaged.
+- Retries may be used only to collect evidence, not to hide failures.
+- Quarantined tests need owner, expiry, issue link, and reduced gate impact.
+- CI should track test duration and failure signatures.

package/docs/tests/coverage-model.md

@@ -0,0 +1,64 @@
+# Coverage model
+
+## Coverage dimensions
+
+Krate coverage is multi-dimensional. Line coverage is useful but not sufficient.
+
+| Dimension | Required coverage |
+| --- | --- |
+| Code coverage | statements, branches, functions, and critical path modules. |
+| Resource coverage | every CRD/config kind and aggregated kind has schema and example tests. |
+| Route coverage | every org/repo/agent/deployment route has render and authorization tests. |
+| API coverage | every typed endpoint has success, validation failure, auth failure, and cross-org negative tests. |
+| Controller coverage | reconcile create/update/delete, idempotency, retry, drift, finalizer, and status conditions. |
+| UI coverage | primary journeys, disabled states, advanced YAML panels, accessibility, route guards. |
+| Security coverage | auth, RBAC, Secret/ConfigMap grants, no-leak responses, audit records. |
+| Release coverage | package files, chart templates, CRDs, examples, smoke install, Docker image. |
+| Agent coverage | dispatch, context, memory, tools, triggers, sessions, imports, approvals, write-back. |
+
+## Initial thresholds
+
+| Layer | Target |
+| --- | --- |
+| Pure `src` modules | 85% line, 75% branch once coverage tooling lands. |
+| Controller/API critical paths | 90% path coverage by table-driven tests. |
+| UI route smoke | 100% of primary org/repo/deployment/agent routes render. |
+| Resource kinds | 100% listed in resource model, docs, package examples, and tests. |
+| Security negative paths | 100% for cross-org, no-secret, untrusted fork, and missing grant cases. |
+
+Thresholds should ratchet upward; do not block early docs-only work on coverage tooling that does not exist yet.
+
+## Traceability
+
+Every feature should map:
+
+```text
+requirement -> resource/API/UI/controller -> test file -> CI gate -> artifact/report
+```
+
+The existing `docs/agents/traceability-matrix.md` is the model for agent features. Product-wide coverage should extend the same pattern into `docs/tests`.
+
+## Coverage reports
+
+Reports should include:
+
+- per-command status;
+- code coverage when available;
+- resource kind coverage;
+- route/API coverage;
+- browser scenario coverage;
+- security negative coverage;
+- flaky tests and retries;
+- untested new files/resources.
+
+## Coverage exclusions
+
+Allowed exclusions:
+
+- generated files;
+- static docs;
+- vendored assets;
+- intentionally unreachable defensive branches when documented;
+- live-only integrations covered by staging/nightly gates.
+
+Exclusions must be explicit and reviewed.

package/docs/tests/e2e-scenario-tests.md

@@ -0,0 +1,53 @@
+# E2E and scenario tests
+
+## Existing E2E baseline
+
+Current E2E tests validate chart package surface and minikube dry-run command plans. This remains the first E2E layer because it is deterministic and does not require a live cluster.
+
+## Core forge scenarios
+
+| Scenario | Steps | Assertions |
+| --- | --- | --- |
+| Create repository | org dashboard -> repositories -> create | repository resource exists, clone instructions render, namespace/org labels exist. |
+| Pull request lifecycle | create PR -> review -> CI status -> merge | PR status, review state, pipeline/job link, policy gates. |
+| CI run lifecycle | trigger pipeline -> jobs run -> logs/events -> rerun | pipeline/job statuses, runner pool, ServiceAccount, artifacts. |
+| Webhook delivery | configure hook -> send test delivery -> replay failed delivery | signed payload, retry policy, delivery records. |
+| Deployment promotion | repo change -> deployment page -> promote/rollback | OAM/Argo status, environment scoping, audit. |
+| Org isolation | duplicate repo slug across orgs | no silent legacy route selection, cross-org API denial. |
+
+## Agent and memory scenarios
+
+| Scenario | Steps | Assertions |
+| --- | --- | --- |
+| Manual agent dispatch | repo code -> dispatch agent -> run detail | dispatch run, attempt, Agent Mux session, context bundle. |
+| Dispatch with memory | select memory source -> preview -> dispatch | memory snapshot commit, selected records, digests, redaction. |
+| Historical memory | choose `refAt` -> dispatch -> retry | retry stays pinned, stale warning shown. |
+| Import run memory | run detail -> import `.a5c` summary -> approve | redacted import, validation report, memory PR/commit. |
+| Triggered repair | failed CI -> trigger rule -> dispatch | dedupe, permission review, run row beside pipeline. |
+| Write-back approval | agent proposes patch/comment -> approve | artifact digest, approval audit, PR/comment update. |
+
+## Live cluster scenarios
+
+Nightly/staging suites should eventually run against a real cluster with:
+
+- Kubernetes API aggregation;
+- Gitea smart HTTP/SSH;
+- Postgres;
+- object storage;
+- NATS/webhook queue;
+- Argo CD/KubeVela;
+- ARC or runner abstraction;
+- Agent Mux gateway/runtime when enabled.
+
+## E2E artifacts
+
+E2E tests should collect:
+
+- generated resources;
+- API responses;
+- event/watch logs;
+- screenshots/traces for browser flows;
+- Helm manifests;
+- controller logs;
+- redaction/validation reports;
+- audit event excerpts.

package/docs/tests/fixtures-test-data.md

@@ -0,0 +1,63 @@
+# Fixtures and test data
+
+## Principles
+
+- Fixtures are deterministic and committed to the repo.
+- Fixtures must never contain real secrets, tokens, private keys, customer data, or personal data beyond synthetic examples.
+- Secret-like synthetic values should be clearly marked and used only to test redaction.
+- Every fixture has an owner and purpose.
+- Fixtures should be small enough to understand in a test failure.
+
+## Core fixtures
+
+| Fixture | Purpose |
+| --- | --- |
+| default org | simple org and namespace for current tests. |
+| duplicate org repos | route ambiguity and cross-org denial. |
+| repository with PR/issue/pipeline | core forge E2E path. |
+| webhook delivery set | success, retry, replay, signature mismatch. |
+| runner pool/job set | trusted/untrusted runner policy. |
+| deployment/OAM set | environment, promotion, rollback. |
+| company brain memory repo | graph/Markdown/frontmatter/search fixtures. |
+| `.a5c` run fixture | Babysitter run import and redaction. |
+| Agent Mux session fixture | session binding, transcript summary, events. |
+
+## Directory proposal
+
+```text
+tests/fixtures/
+  orgs/
+  repositories/
+  resources/
+  webhooks/
+  runners/
+  deployments/
+  agents/
+  memory/
+    company-brain/
+    a5c-runs/
+    sessions/
+  browser/
+```
+
+## Redaction fixture requirements
+
+Redaction fixtures should include synthetic values that look like:
+
+- API keys;
+- bearer tokens;
+- private key headers;
+- kubeconfig snippets;
+- webhook signatures;
+- high-entropy strings.
+
+Tests assert these values do not appear in prompt previews, context bundles, memory imports, transcripts, artifacts, API responses, UI, or audit records.
+
+## Fixture review checklist
+
+- No real credentials.
+- No real customer data.
+- Org labels and namespace fields included.
+- Expected status conditions documented.
+- Stable timestamps and IDs.
+- Cross-platform paths where possible.

package/docs/tests/observability-reliability-tests.md

@@ -0,0 +1,54 @@
+# Observability and reliability tests
+
+## Observability coverage
+
+Required signals:
+
+- API request latency and errors;
+- controller reconcile counts, durations, retries, and failures;
+- watch connection counts and reconnects;
+- Git operation latency/errors;
+- webhook queue depth and delivery status;
+- runner queue/wait/runtime metrics;
+- memory query latency and import validation status;
+- Agent Mux session binding and event stream status;
+- audit event counts by action/outcome.
+
+## Reliability tests
+
+| Failure | Expected behavior |
+| --- | --- |
+| Kubernetes API temporary failure | retry with backoff, status condition, no duplicate side effects. |
+| Gitea unavailable | repository status degraded, no data loss, UI warning. |
+| Postgres unavailable | aggregated API degraded/read-only where possible. |
+| object storage unavailable | artifact writes fail safely with retry. |
+| webhook receiver fails | retry and replay available. |
+| watch disconnects | UI reconnects and resumes from list state. |
+| memory repo unavailable | required-memory dispatch blocks, optional memory warns. |
+| Agent Mux unavailable | dispatch shows pending/failed handoff and retry/recover action. |
+| redaction failure | memory import blocks and no content leaks. |
+
+## Chaos and load
+
+Nightly/staging tests should eventually cover:
+
+- burst webhook deliveries;
+- many repository list queries;
+- concurrent dispatches;
+- runner pool exhaustion;
+- memory grep/query bounds;
+- large context truncation;
+- controller restart during reconciliation;
+- duplicate event delivery idempotency.
+
+## Audit assertions
+
+Every mutating or denied action should emit audit with:
+
+- org and namespace;
+- actor;
+- resource ref;
+- action and outcome;
+- source event/run/session when applicable;
+- digest fields for artifacts/context/memory;
+- no secret values.

package/docs/tests/product-test-matrix.md

@@ -0,0 +1,145 @@
+# Product test matrix
+
+## Purpose
+
+This matrix maps Krate product areas to required automated test coverage. It covers existing functionality and future agent/company-brain functionality so implementation work can add tests in the right layer instead of relying on one broad E2E path.
+
+## Matrix legend
+
+| Mark | Meaning |
+| --- | --- |
+| Required | must exist before feature is considered complete. |
+| Recommended | should exist when the feature reaches production or staging. |
+| Nightly | acceptable in slower scheduled/live suites. |
+| Future | planned once the underlying feature exists. |
+
+## Product-area coverage
+
+| Product area | Unit | Integration/API | Browser/UI | E2E/scenario | Security | Package/install |
+| --- | --- | --- | --- | --- | --- | --- |
+| Resource model and schemas | Required | Required | Recommended | Recommended | Recommended | Required |
+| Organization and namespace scoping | Required | Required | Required | Required | Required | Required |
+| Repository data plane | Required | Required | Required | Required | Required | Required |
+| Pull requests and reviews | Required | Required | Required | Required | Recommended | Recommended |
+| Issues and inbox | Required | Required | Required | Recommended | Recommended | Recommended |
+| Pipelines and jobs | Required | Required | Required | Required | Required | Required |
+| Runner pools and job isolation | Required | Required | Recommended | Required | Required | Required |
+| Webhook subscriptions and deliveries | Required | Required | Required | Required | Required | Recommended |
+| Identity, auth, teams, invites | Required | Required | Required | Recommended | Required | Required |
+| RBAC and policy | Required | Required | Recommended | Required | Required | Required |
+| Secrets and config grants | Required | Required | Required | Required | Required | Recommended |
+| Deployments and environments | Required | Required | Required | Required | Recommended | Required |
+| Argo CD and KubeVela/OAM | Required | Required | Recommended | Nightly | Recommended | Required |
+| Operations install/readiness | Required | Required | Required | Required | Required | Required |
+| Web UI shell and navigation | Recommended | Recommended | Required | Required | Recommended | Recommended |
+| Advanced YAML/resource panels | Required | Required | Required | Recommended | Required | Recommended |
+| Agent stacks and capabilities | Future | Future | Future | Future | Future | Future |
+| Agent dispatch and Agent Mux | Future | Future | Future | Future | Future | Future |
+| Agent triggers | Future | Future | Future | Future | Future | Future |
+| Agent workspaces and sessions | Future | Future | Future | Future | Future | Future |
+| Company brain memory | Future | Future | Future | Future | Future | Future |
+| `.a5c` run memory imports | Future | Future | Future | Future | Future | Future |
+| Artifacts and write-back | Future | Future | Future | Future | Future | Future |
+| Packaging and release | Required | Required | Recommended | Required | Required | Required |
+
+## Existing command mapping
+
+| Command | Covers | Gaps |
+| --- | --- | --- |
+| `npm test` | unit/integration tests in `tests/*.test.js` | not yet split by subsystem; no coverage report. |
+| `npm run e2e` | current deterministic package/minikube E2E tests | no browser automation or live cluster path. |
+| `npm run validate:docs` | docs/source/ontology coverage | does not validate all `docs/tests` requirements yet. |
+| `npm run package:check` | package/chart/example coverage | not yet aware of future agent/memory CRDs. |
+| `npm run smoke` | runtime smoke | should expand as APIs/routes grow. |
+| `npm run ui:validate` | static UI validation | not a browser test. |
+| `npm run ui:build` | Next production build | not behavioral UI coverage. |
+| `npm run check` | all current gates | should remain required as new gates are added. |
+
+## Future suite mapping
+
+| Future suite | Product areas |
+| --- | --- |
+| `test:unit` | resource model, route helpers, redaction, context assembly, ref resolution, validators. |
+| `test:integration` | API controller, controller fakes, memory import, Gitea/K8s/Agent Mux fakes. |
+| `test:api` | org-scoped endpoints, stable errors, resource actions, watch filters. |
+| `test:browser` | org navigation, repository flows, deployments, run detail, agent/memory flows. |
+| `test:coverage` | coverage thresholds and untested-file reporting. |
+| `test:security` | auth/RBAC/no-secret/cross-org/secret-grant checks. |
+| `test:charts` | Helm render, CRD examples, kubeconform, APIService/RBAC. |
+| `test:agents` | agent dispatch, context, memory, Agent Mux, imports, triggers. |
+| `test:live` | real cluster/Gitea/Argo/KubeVela/NATS/ARC/Object storage. |
+
+## Required negative coverage
+
+Every relevant product area must include negative tests for:
+
+- missing or mismatched `organizationRef`;
+- wrong namespace for org;
+- missing RBAC permission;
+- missing Secret/ConfigMap grant;
+- untrusted fork or untrusted runner tries privileged action;
+- cross-org resource reference;
+- invalid or stale Git ref;
+- invalid webhook signature;
+- resource deleted while a controller is reconciling;
+- secret-like value appears in input and must not appear in output;
+- watch reconnect after disconnect;
+- duplicate event delivery and idempotency.
+
+## Release readiness matrix
+
+A release candidate is blocked if any of these are missing:
+
+- package/chart validation;
+- CRD/example coverage for every shipped kind;
+- at least one install smoke path;
+- auth/RBAC/no-secret tests;
+- UI build and route smoke;
+- repository/PR/CI core E2E;
+- deployment/OAM smoke when deployment features ship;
+- agent/company-brain vertical slice when agent features ship;
+- documented known gaps and quarantined tests.
+
+## External backend coverage
+
+External provider support adds required coverage for:
+
+| Area | Required tests |
+| --- | --- |
+| Provider auth | GitHub App Secret metadata, installation access, no-token leak. |
+| Webhooks | signature validation, dedupe, replay, enqueue, malformed payload. |
+| Issue interface | issue/comment/label sync, PR-backed issue handling, conflicts. |
+| CI/CD interface | workflow run/job/check sync, rerun/cancel permissions, lazy logs. |
+| Git forge interface | repo/PR/ref/key/branch protection sync and drift. |
+| Bidirectional writes | write intent, approval, provider failure, confirmation, conflict. |
+| Rate limits | backoff, degraded status, resume. |
+| Cross-org | provider binding and native object references cannot cross orgs. |
+
+## Pluggable provider contract tests
+
+Each provider adapter should run a shared contract suite for every supported interface:
+
+| Contract suite | Providers |
+| --- | --- |
+| Issue tracking contract | GitHub, GitLab, Bitbucket when enabled, Azure DevOps, Jira, Linear, Gitea, custom. |
+| CI/CD contract | GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure Pipelines, Buildkite, CircleCI, Jenkins, custom. |
+| Git forge contract | GitHub, GitLab, Bitbucket, Azure Repos, Gitea, Gerrit, raw Git partial, custom. |
+| Webhook contract | any provider with webhooks. |
+| Write-intent contract | any provider with mutating operations. |
+| Conflict contract | any bidirectional provider. |
+
+Contract tests should use fake provider adapters first, then provider-specific fixtures and optional live tests.
+
+## External UX flow tests
+
+Browser and E2E tests should cover:
+
+- connect GitHub provider;
+- connect Jira issue-only provider;
+- combine GitHub forge with Buildkite CI;
+- resolve a sync conflict;
+- approve an agent-proposed external write;
+- replay a dead-lettered webhook;
+- show provider rate-limit degraded state.
+
+These flows are specified in `docs/external/external-backend-ux-flows.md`.

package/docs/tests/qa-adoption-roadmap.md

@@ -0,0 +1,130 @@
+# QA adoption roadmap
+
+## Purpose
+
+This roadmap sequences QA automation work so Krate can improve coverage without blocking every product change on the final-state toolchain.
+
+## Stage 0: current baseline
+
+Status: available now.
+
+Required gates:
+
+- `npm run validate:docs`;
+- `npm test`;
+- `npm run e2e`;
+- `npm run package:check`;
+- `npm run smoke`;
+- `npm run ui:validate`;
+- `npm run ui:build`;
+- `npm run check` before release-like changes.
+
+## Stage 1: suite organization
+
+Add:
+
+- `tests/fixtures` with org/repository/resource fixtures;
+- test helper modules for fake Kubernetes and API controller setup;
+- metadata comments for owner/gate/area;
+- docs check that `docs/tests` exists and is linked.
+
+Exit criteria:
+
+- existing tests still pass;
+- new fixture policy is followed;
+- no behavior change required.
+
+## Stage 2: browser route smoke
+
+Add:
+
+- Playwright dependency and config;
+- route smoke for org dashboard, repositories, repo code/issues/runs/settings, deployments, and operations pages;
+- screenshot/trace capture on failure;
+- accessibility smoke on primary routes.
+
+Exit criteria:
+
+- browser gate runs in CI for UI changes;
+- route failures show useful artifacts;
+- no test relies on live external services.
+
+## Stage 3: coverage and API suites
+
+Add:
+
+- coverage command and reporting;
+- split API/controller tests;
+- stable error-code assertions;
+- org mismatch tests;
+- no-secret response assertions;
+- watch filter tests.
+
+Exit criteria:
+
+- coverage report generated in CI;
+- minimum thresholds set for critical modules;
+- cross-org denial is tested for resource APIs.
+
+## Stage 4: security and package hardening
+
+Add:
+
+- dependency/secret/license checks;
+- rendered chart schema validation;
+- action/workflow lint;
+- Docker build smoke;
+- SBOM/signature plan for release.
+
+Exit criteria:
+
+- release gate publishes security/package artifacts;
+- chart regressions fail before release.
+
+## Stage 5: agent/company-brain vertical slice
+
+Add:
+
+- org memory fixtures;
+- fake Agent Mux;
+- fake memory Git repo;
+- dispatch with memory snapshot tests;
+- summary-only `.a5c` import tests;
+- cross-org memory denial tests;
+- browser journey for memory preview/import review.
+
+Exit criteria:
+
+- `docs/agents/org-memory-vertical-slice-spec.md` acceptance paths are automated;
+- no raw `.a5c` secret-like content leaks;
+- retry uses pinned memory snapshot.
+
+## Stage 6: live/staging reliability
+
+Add:
+
+- live cluster smoke profiles;
+- Gitea, NATS, Argo CD, KubeVela, ARC, object storage checks;
+- controller restart/idempotency tests;
+- performance smoke for API/UI;
+- webhook burst and retry tests.
+
+Exit criteria:
+
+- staging gates prove install, core workflows, and rollback;
+- failure artifacts are actionable.
+
+## Stage 7: continuous quality intelligence
+
+Add:
+
+- flaky test dashboard;
+- coverage trend dashboard;
+- failure signature clustering;
+- ownership routing;
+- QA metrics in release notes;
+- automated gap reminders when new resources/routes lack tests.
+
+Exit criteria:
+
+- QA reports guide prioritization instead of only blocking merges.