npm - @a5c-ai/krate - Versions diffs - 5.0.1-staging.f672fe79b - Mend

@a5c-ai/krate 5.0.1-staging.f672fe79b

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (174) hide show

package/Dockerfile +29 -0
package/README.md +183 -0
package/bin/krate-demo.mjs +23 -0
package/bin/krate-server.mjs +14 -0
package/dist/krate-controller-ui.json +2407 -0
package/dist/krate-lifecycle.json +201 -0
package/dist/krate-runtime-snapshot.json +2955 -0
package/dist/krate-summary.json +687 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/krate-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/product-requirements.md +62 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/system-requirements.md +90 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/user-stories.md +78 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +63 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +93 -0
package/scripts/validate-ui.mjs +207 -0
package/src/agent-approval-controller.js +123 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +86 -0
package/src/agent-mux-client.js +280 -0
package/src/agent-permission-review.js +162 -0
package/src/agent-stack-controller.js +296 -0
package/src/agent-trigger-controller.js +108 -0
package/src/api-controller.js +206 -0
package/src/argocd-gitops.js +43 -0
package/src/auth.js +265 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +38 -0
package/src/controller-ui.js +538 -0
package/src/data-plane.js +178 -0
package/src/gitea-backend.js +95 -0
package/src/handoff.js +98 -0
package/src/hooks-events.js +63 -0
package/src/http-server.js +151 -0
package/src/identity-policy.js +86 -0
package/src/index.js +30 -0
package/src/kubernetes-controller.js +812 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/operations.js +112 -0
package/src/resource-model.js +203 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/web-ui.js +40 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +176 -0
package/tests/agent-mux-client.test.js +204 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-resources.test.js +212 -0
package/tests/agent-stack-controller.test.js +221 -0
package/tests/agent-trigger-controller.test.js +211 -0
package/tests/deployment.test.js +395 -0
package/tests/e2e/lifecycle.test.js +117 -0
package/tests/krate.test.js +727 -0

package/scripts/validate-package.mjs ADDED Viewed

@@ -0,0 +1,93 @@
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+const requiredFiles = [
+  'Dockerfile',
+  '.dockerignore',
+  '.github/workflows/publish.yml',
+  '../web/app/page.jsx',
+  '../web/app/layout.jsx',
+  '../web/app/orgs/[org]/deployments/page.jsx',
+  '../web/app/globals.css',
+  '../web/next.config.mjs',
+  '../charts/Chart.yaml',
+  '../charts/values.yaml',
+  '../charts/crds/repositories.yaml',
+  '../charts/crds/aggregated-resources.yaml',
+  '../charts/crds/policy-resources.yaml',
+  '../charts/templates/apiservice.yaml',
+  '../charts/templates/deployments.yaml',
+  '../charts/templates/rbac.yaml',
+  '../charts/templates/serviceaccount.yaml',
+  '../charts/templates/services.yaml',
+  '../charts/templates/networkpolicy.yaml',
+  '../charts/templates/gitea.yaml',
+  '../charts/templates/ingress.yaml',
+  '../charts/templates/auth-secret.yaml',
+  '../charts/templates/argocd-application.yaml',
+  '../charts/templates/kubevela-application.yaml',
+  '../charts/templates/NOTES.txt',
+  'examples/minikube-demo.yaml',
+  'examples/policy-kyverno-pr-title.yaml',
+  'scripts/setup-minikube.mjs'
+];
+const requiredKinds = ['Deployment', 'Service', 'ServiceAccount', 'ClusterRole', 'ClusterRoleBinding', 'NetworkPolicy', 'PersistentVolumeClaim'];
+const requiredCrds = ['Organization', 'OrgNamespaceBinding', 'User', 'Team', 'Invite', 'IdentityMapping', 'AuthProvider', 'Repository', 'SSHKey', 'RepositoryPermission', 'BranchProtection', 'RefPolicy', 'PolicyProfile', 'PolicyTemplate', 'PolicyBinding', 'PolicyExceptionRequest', 'PullRequest', 'Issue', 'Review', 'Pipeline', 'Job', 'RunnerPool', 'WebhookSubscription', 'WebhookDelivery', 'View', 'Selector'];
+const requiredExampleKinds = ['Pipeline', 'Application'];
+const requiredValueTerms = ['externalDependencies', 'postgres', 'objectStorage', 'nats', 'arc', 'kyverno', 'gatekeeper', 'ingress', 'oidc', 'auth', 'github', 'sso', 'delegatedIdentity', 'autoscaling', 'targetCPUUtilizationPercentage', 'gitea', 'argocd', 'repoURL', 'syncPolicy', 'apiService', 'kubevela', 'vela-core'];
+const missing = [];
+for (const file of requiredFiles) if (!existsSync(file)) missing.push(`missing file: ${file}`);
+const chartText = requiredFiles.filter((file) => file.startsWith('../charts/') && existsSync(file)).map((file) => readFileSync(file, 'utf8')).join('\n');
+const exampleText = existsSync('examples/minikube-demo.yaml') ? readFileSync('examples/minikube-demo.yaml', 'utf8') : '';
+const valuesText = existsSync('../charts/values.yaml') ? readFileSync('../charts/values.yaml', 'utf8') : '';
+const argocdTemplate = ['../charts/templates/argocd-application.yaml', '../charts/templates/kubevela-application.yaml'].filter((file) => existsSync(file)).map((file) => readFileSync(file, 'utf8')).join('\n');
+for (const kind of requiredKinds) if (!chartText.includes(`kind: ${kind}`)) missing.push(`chart missing kind: ${kind}`);
+for (const kind of requiredCrds) if (!chartText.includes(`kind: ${kind}`) && !exampleText.includes(`kind: ${kind}`)) missing.push(`package missing resource kind: ${kind}`);
+for (const kind of requiredExampleKinds) if (!exampleText.includes(`kind: ${kind}`)) missing.push(`example missing resource kind: ${kind}`);
+for (const term of requiredValueTerms) if (!valuesText.includes(term)) missing.push(`values missing ${term}`);
+if (valuesText.includes('`n')) missing.push('values contains escaped newline markers instead of YAML structure');
+const requiredValuePatterns = [
+  [/^gitea:\s*$/m, 'values missing gitea block'],
+  [/^argocd:\s*$/m, 'values missing argocd block'],
+  [/^  repoURL:\s*\S+/m, 'values missing argocd repoURL value'],
+  [/^  syncPolicy:\s*$/m, 'values missing structured argocd syncPolicy block'],
+  [/^    automated:\s*true\s*$/m, 'values missing argocd syncPolicy.automated=true'],
+  [/^    prune:\s*true\s*$/m, 'values missing argocd syncPolicy.prune=true'],
+  [/^    selfHeal:\s*true\s*$/m, 'values missing argocd syncPolicy.selfHeal=true'],
+  [/^    syncOptions:\s*$/m, 'values missing argocd syncPolicy.syncOptions block'],
+  [/^      - CreateNamespace=true\s*$/m, 'values missing CreateNamespace sync option']
+];
+for (const [pattern, message] of requiredValuePatterns) if (!pattern.test(valuesText)) missing.push(message);
+for (const requiredTemplateUse of ['.Values.argocd.syncPolicy.automated', '.Values.argocd.syncPolicy.prune', '.Values.argocd.syncPolicy.selfHeal', '.Values.argocd.syncPolicy.syncOptions']) {
+  if (!argocdTemplate.includes(requiredTemplateUse)) missing.push(`argocd template does not consume ${requiredTemplateUse}`);
+}
+const dockerignore = existsSync('.dockerignore') ? readFileSync('.dockerignore', 'utf8') : '';
+for (const ignored of ['.a5c', 'node_modules', '**/.next', 'dist']) if (!dockerignore.includes(ignored)) missing.push(`dockerignore missing ${ignored}`);
+const packageInfo = JSON.parse(readFileSync('package.json', 'utf8'));
+for (const fileSet of ['bin', 'examples', 'scripts', 'src', 'tests', 'Dockerfile']) {
+  if (!packageInfo.files?.includes(fileSet)) missing.push(`package files missing ${fileSet}`);
+}
+for (const script of ['e2e', 'package:check', 'setup:minikube']) if (!packageInfo.scripts?.[script]) missing.push(`package script missing ${script}`);
+if (missing.length) {
+  console.error(JSON.stringify({ status: 'failed', missing }, null, 2));
+  process.exit(1);
+}
+const npmBin = process.platform === 'win32' ? 'npm.cmd' : 'npm';
+const packOutput = execFileSync(npmBin, ['pack', '--dry-run', '--json'], { encoding: 'utf8', shell: process.platform === 'win32' });
+const pack = JSON.parse(packOutput)[0];
+const packedFiles = new Set(pack.files.map((file) => file.path));
+for (const file of ['Dockerfile', 'examples/minikube-demo.yaml', 'scripts/setup-minikube.mjs', 'scripts/validate-package.mjs']) {
+  if (!packedFiles.has(file)) missing.push(`npm pack missing ${file}`);
+}
+if (missing.length) {
+  console.error(JSON.stringify({ status: 'failed', missing }, null, 2));
+  process.exit(1);
+}
+console.log(JSON.stringify({ status: 'success', checkedFiles: requiredFiles.length, requiredKinds: requiredKinds.length, requiredCrds: requiredCrds.length, packedFiles: pack.files.length, packageSize: pack.size, requiredExampleKinds: requiredExampleKinds.length, requiredValueTerms: requiredValueTerms.length }, null, 2));

package/scripts/validate-ui.mjs ADDED Viewed

@@ -0,0 +1,207 @@
+import { readFileSync } from 'node:fs';
+import { createControllerUiModel } from '../src/index.js';
+const required = [
+  'apps/web/app/layout.jsx',
+  'apps/web/app/page.jsx',
+  'apps/web/app/ui-shell.jsx',
+  'apps/web/proxy.js',
+  'apps/web/app/components/code-editor.jsx',
+  'apps/web/app/components/resource-actions.jsx',
+  'apps/web/app/api/controller/route.js',
+  'apps/web/app/api/orgs/[org]/resources/route.js',
+  'apps/web/app/api/orgs/[org]/resources/[kind]/[name]/route.js',
+  'apps/web/app/api/orgs/[org]/repositories/route.js',
+  'apps/web/app/api/orgs/[org]/repositories/[name]/route.js',
+  'apps/web/app/api/orgs/[org]/policies/route.js',
+  'apps/web/app/api/orgs/[org]/policy-reports/route.js',
+  'apps/web/app/api/orgs/[org]/policy-exception-requests/route.js',
+  'apps/web/app/api/watch/[[...resource]]/route.js',
+  'apps/web/app/api/git-proxy/route.js',
+  'apps/web/app/api/auth/[provider]/route.js',
+  'apps/web/app/api/auth/callback/[provider]/route.js',
+  'apps/web/app/api/auth/logout/route.js',
+  'apps/web/app/api/auth/delegated/route.js',
+  'src/api-controller.js',
+  'src/kubernetes-resource-gateway.js',
+  'src/kubernetes-controller.js',
+  'src/controller-client.js',
+  'src/controller-ui.js',
+  'src/http-server.js'
+];
+const files = Object.fromEntries(required.map((file) => [file, readFileSync(file, 'utf8')]));
+const failures = [];
+for (const [file, source] of Object.entries(files)) {
+  if (!source.trim()) failures.push(`${file} is empty`);
+}
+for (const file of ['apps/web/app/api/controller/route.js', 'apps/web/app/api/watch/[[...resource]]/route.js', 'src/controller-client.js']) {
+  if (files[file].includes('createKrateUiDemoRuntime')) failures.push(`${file} imports or calls createKrateUiDemoRuntime`);
+  if (files[file].includes('createKrateRuntime()')) failures.push(`${file} creates an in-memory runtime fallback`);
+}
+for (const file of ['apps/web/app/page.jsx', 'apps/web/app/ui-shell.jsx']) {
+  if (files[file].includes('krate-demo')) failures.push(`${file} hardcodes krate-demo demo navigation`);
+}
+for (const [file, source] of Object.entries(files)) {
+  if (source.includes('sampleResource') || source.includes('exampleResource')) failures.push(`${file} synthesizes sample/example Krate resources`);
+  if (source.includes('new-repository') && file !== 'apps/web/app/components/resource-actions.jsx') failures.push(`${file} hardcodes synthetic Repository data`);
+}
+for (const token of ['export function proxy', 'NextResponse.redirect', 'KRATE_AUTH_COOKIE_NAME', 'krate_session', '/login', '/api/auth', 'matcher']) {
+  if (!files['apps/web/proxy.js'].includes(token)) failures.push(`web proxy missing ${token}`);
+}
+for (const token of ['spawnSync', 'spawn(', 'kubectl', 'getControllerSnapshot', 'listResource', 'getResource', 'applyResource', 'deleteResource', 'createRepository', 'watchResource', 'auth', 'can-i']) {
+  if (!files['src/kubernetes-controller.js'].includes(token)) failures.push(`kubernetes controller missing ${token}`);
+}
+for (const token of ['createKubernetesResourceGateway', 'controller.snapshot()', 'createControllerUiModel']) {
+  if (!files['src/controller-client.js'].includes(token)) failures.push(`controller client missing ${token}`);
+}
+for (const token of ['createKrateApiController', 'resourceGateway', 'withArchitecture', 'krate-api-controller', 'kubernetes-resource-gateway', 'kubernetes-resource-client', 'git-data-plane', 'never owns Kubernetes reconciliation loops', 'KRATE_API_CONTROLLER_BOUNDARY', 'listRepositoriesForForge', 'getRepositoryForgeView', 'krate-kubernetes-reconciler']) {
+  if (!files['src/api-controller.js'].includes(token)) failures.push(`api controller boundary missing ${token}`);
+}
+for (const token of ['createKubernetesResourceClient', 'repositoryManifest', 'async list', 'async get', 'async apply', 'async delete', 'watch(resourcePath', 'KUBERNETES_RESOURCE_GATEWAY_BOUNDARY', 'mustNotOwn']) {
+  if (!files['src/kubernetes-resource-gateway.js'].includes(token)) failures.push(`kubernetes resource gateway missing ${token}`);
+}
+for (const token of ['GET', 'POST', 'DELETE', 'controller.listResource', 'controller.getResource', 'controller.applyResource', 'controller.deleteResource', 'controller.createRepository']) {
+  const joinedRoutes = files['apps/web/app/api/orgs/[org]/resources/route.js'] + files['apps/web/app/api/orgs/[org]/resources/[kind]/[name]/route.js'] + files['apps/web/app/api/orgs/[org]/repositories/route.js'] + files['apps/web/app/api/orgs/[org]/repositories/[name]/route.js'];
+  if (!joinedRoutes.includes(token)) failures.push(`resource management routes missing ${token}`);
+}
+const policyRoutes = files['apps/web/app/api/orgs/[org]/policies/route.js'] + files['apps/web/app/api/orgs/[org]/policy-reports/route.js'] + files['apps/web/app/api/orgs/[org]/policy-exception-requests/route.js'];
+for (const token of ['GET', 'POST', 'createKrateApiController', 'createControllerUiModel', 'policyEngine', 'controller.applyResource', 'PolicyBinding', 'PolicyExceptionRequest']) {
+  if (!policyRoutes.includes(token)) failures.push(`policy management routes missing ${token}`);
+}
+for (const token of ['--watch', 'text/event-stream', 'controller.watchResource', 'krate-error', 'request.signal']) {
+  if (!files['apps/web/app/api/watch/[[...resource]]/route.js'].includes(token)) failures.push(`watch route missing ${token}`);
+}
+for (const token of ['RepositoryManager', 'DeploymentManager', 'ResourceApplyPanel', '/api/orgs/${org}/repositories', '/api/orgs/${org}/resources', 'fetch(', 'Save changes', 'InviteReviewList', 'UserReviewList', 'PermissionReviewList', 'Mark accepted', 'Revoke invite', 'Disable user', 'Restore user', 'Revoke grant', 'SshKeyReviewList', 'Save SSH key', 'Revoke SSH key', 'Create deployment', 'Prepare deployment']) {
+  if (!(files['apps/web/app/components/resource-actions.jsx'] + files['apps/web/app/ui-shell.jsx']).includes(token)) failures.push(`UI management surface missing ${token}`);
+}
+for (const token of ['DegradedBanner', 'No repositories are available yet.', 'No resource selected yet.', 'Access checks', 'KRATE_CONTROLLER_URL', 'Krate repositories']) {
+  if (!(files['apps/web/app/ui-shell.jsx'] + files['apps/web/app/components/resource-actions.jsx']).includes(token)) failures.push(`truthful degraded/empty UI missing ${token}`);
+}
+for (const token of ['duplex', 'KRATE_GITEA_HTTP_URL', 'fetch(target', 'degraded']) {
+  if (!files['apps/web/app/api/git-proxy/route.js'].includes(token)) failures.push(`git proxy route missing ${token}`);
+}
+for (const token of ['orgResourceCollectionMatch', 'orgRepositoryCollectionMatch', 'orgNamespaceName', 'createKubernetesResourceGateway', 'scopedController.listResource', 'scopedController.getResource', 'scopedController.applyResource', 'scopedController.deleteResource']) {
+  if (!files['src/http-server.js'].includes(token)) failures.push(`http controller missing ${token}`);
+}
+const pageContracts = {
+  'apps/web/app/orgs/[org]/controller-api/page.jsx': 'ControllerApiPage',
+  'apps/web/app/orgs/[org]/repositories/page.jsx': 'RepositoriesPage',
+  'apps/web/app/orgs/[org]/inbox/page.jsx': 'InboxPage',
+  'apps/web/app/orgs/[org]/runs/page.jsx': 'RunsPage',
+  'apps/web/app/orgs/[org]/runners-ci/page.jsx': 'RunnersCiPage',
+  'apps/web/app/orgs/[org]/hooks-events/page.jsx': 'HooksEventsPage',
+  'apps/web/app/orgs/[org]/insights/page.jsx': 'InsightsPage',
+  'apps/web/app/orgs/[org]/operations-install/page.jsx': 'OperationsInstallPage',
+  'apps/web/app/orgs/[org]/advanced-plans/page.jsx': 'AdvancedPlansPage',
+  'apps/web/app/orgs/[org]/people/page.jsx': 'PeoplePage',
+  'apps/web/app/login/page.jsx': 'LoginPage',
+  'apps/web/app/logout/page.jsx': 'LogoutPage',
+  'apps/web/app/orgs/[org]/repositories/[repo]/code/page.jsx': 'RepositoryCodePage',
+  'apps/web/app/orgs/[org]/repositories/[repo]/pull-requests/page.jsx': 'RepositoryPullRequestsPage',
+  'apps/web/app/orgs/[org]/repositories/[repo]/issues/page.jsx': 'RepositoryIssuesPage',
+  'apps/web/app/orgs/[org]/repositories/[repo]/runs/page.jsx': 'RepositoryRunsPage',
+  'apps/web/app/orgs/[org]/repositories/[repo]/hooks/page.jsx': 'RepositoryHooksPage',
+  'apps/web/app/orgs/[org]/repositories/[repo]/settings/page.jsx': 'RepositorySettingsPage'
+};
+for (const file of Object.keys(pageContracts)) {
+  files[file] = readFileSync(file, 'utf8');
+}
+for (const [file, component] of Object.entries(pageContracts)) {
+  if (!files[file].includes(component)) failures.push(`${file} does not use dedicated ${component} route component`);
+}
+if (required.some((file) => file.includes('/pipelines'))) failures.push('legacy pipelines route is still required');
+for (const token of ['ControllerApiPage', 'RepositoriesPage', 'InboxPage', 'RunsPage', 'RunnersCiPage', 'HooksEventsPage', 'InsightsPage', 'OperationsInstallPage', 'AdvancedPlansPage', 'PeoplePage', 'LoginPage', 'LogoutPage', 'RepositoryCodePage', 'RepositoryPullRequestsPage', 'RepositoryIssuesPage', 'RepositoryRunsPage', 'RepositoryHooksPage', 'RepositorySettingsPage']) {
+  if (!files['apps/web/app/ui-shell.jsx'].includes(token)) failures.push(`ui shell missing dedicated flow component ${token}`);
+}
+for (const token of ['Invite people', 'identity links', 'repository permissions', 'Access overview', 'Access readiness', 'Use workspace identity', 'Sign in to Krate', 'Repository home', 'Review inbox', 'Run debugger', 'Capacity designer', 'Automation inspector', 'Clone and refs', 'Repository settings map', 'Advanced architecture details', 'ResourceList', 'PlanCard', 'ForgeFlowRail', 'RepositoryCommandBar', 'breadcrumbs', 'Create → review → merge → deploy', 'Advanced resource details']) {
+  if (!files['apps/web/app/ui-shell.jsx'].includes(token)) failures.push(`ui shell missing forge UX affordance ${token}`);
+}
+const model = createControllerUiModel({
+  source: 'kubernetes',
+  namespace: 'krate-org-default',
+  generatedAt: 'test-time',
+  correlationId: 'validation',
+  kubectl: { available: true, context: 'kind-krate', clientVersion: 'v1.test', errors: [] },
+  apiService: { metadata: { name: 'v1alpha1.krate.a5c.ai' } },
+  crds: [{ metadata: { name: 'repositories.krate.a5c.ai' } }],
+  storage: { etcd: 'etcd', postgres: 'postgres', repositories: 'rwx', objects: 'object' },
+  commands: [],
+  permissions: [],
+  events: [],
+  resources: {
+    Organization: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'Organization', metadata: { name: 'default', namespace: 'krate-system' }, spec: { slug: 'default', namespaceName: 'krate-org-default', displayName: 'Default org' } }],
+    Repository: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'Repository', metadata: { name: 'live-repo', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', visibility: 'internal', defaultBranch: 'main' }, status: { phase: 'Ready' } }],
+    User: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'User', metadata: { name: 'alice', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', email: 'alice@example.com', username: 'alice' }, status: { phase: 'Active' } }],
+    RepositoryPermission: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'RepositoryPermission', metadata: { name: 'live-repo-alice', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', repository: 'live-repo', subject: 'alice', subjectKind: 'user', permission: 'write' }, status: { phase: 'Synced' } }],
+    SSHKey: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'SSHKey', metadata: { name: 'alice-laptop', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', owner: 'alice', title: 'laptop', scope: 'user', key: 'ssh-ed25519 AAAA' }, status: { phase: 'Synced' } }],
+    PolicyProfile: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'PolicyProfile', metadata: { name: 'default-profile', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', displayName: 'Default profile', mode: 'audit' }, status: { phase: 'Ready' } }],
+    PolicyTemplate: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'PolicyTemplate', metadata: { name: 'require-pr-description', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', displayName: 'Require PR description', targetKinds: ['PullRequest'], kyverno: { kind: 'ValidatingPolicy' } }, status: { phase: 'Ready' } }],
+    PolicyBinding: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'PolicyBinding', metadata: { name: 'require-pr-description-audit', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', templateRef: 'require-pr-description', mode: 'audit' }, status: { phase: 'Bound' } }],
+    PolicyExceptionRequest: [{ apiVersion: 'krate.a5c.ai/v1alpha1', kind: 'PolicyExceptionRequest', metadata: { name: 'temporary-bypass', namespace: 'krate-org-default' }, spec: { organizationRef: 'default', policyRef: { name: 'require-pr-description' }, justification: 'migration window', expiresAt: '2026-06-01T00:00:00Z' }, status: { phase: 'Requested' } }],
+    PullRequest: [],
+    Pipeline: [],
+    RunnerPool: [],
+    WebhookSubscription: []
+  },
+  kyverno: {
+    enabled: true,
+    detected: true,
+    mode: 'byo',
+    namespace: 'kyverno',
+    policyNamespace: 'krate-system',
+    health: 'ready',
+    degraded: [],
+    reports: {
+      policyReports: [{ metadata: { name: 'repo-policy', namespace: 'krate-org-default' }, results: [{ policy: 'require-pr-description', rule: 'description', result: 'fail', message: 'description required', resources: [{ kind: 'PullRequest', name: 'pr-1' }] }] }],
+      clusterPolicyReports: [],
+      results: [{ report: 'repo-policy', namespace: 'krate-org-default', policy: 'require-pr-description', rule: 'description', result: 'fail', message: 'description required', resource: { kind: 'PullRequest', name: 'pr-1' } }],
+      violations: [{ report: 'repo-policy', namespace: 'krate-org-default', policy: 'require-pr-description', rule: 'description', result: 'fail', message: 'description required', resource: { kind: 'PullRequest', name: 'pr-1' } }]
+    },
+    resources: { PolicyReport: [], ClusterPolicyReport: [], KyvernoPolicyException: [] }
+  }
+});
+if (model.controller.mode !== 'krate-workspace') failures.push('controller mode is not krate-workspace');
+if (model.status !== 'ready') failures.push('model did not become ready for available Krate snapshot');
+if (!model.resources.find((resource) => resource.kind === 'User')) failures.push('model missing User identity resource');
+if (!model.identity || typeof model.identity.counts?.users !== 'number') failures.push('model missing identity admin projection');
+if (model.identity.counts.sshKeys !== 1) failures.push('model missing SSH key identity projection');
+if (!model.identity.reconciliation?.statuses?.some((status) => status.kind === 'SSHKey' && status.phase === 'Synced')) failures.push('model missing identity reconciliation projection');
+if (!model.resources.find((resource) => resource.kind === 'Repository')?.action?.list?.includes('Open Repository records')) failures.push('repository model missing Krate action list command');
+if (!model.controller.endpoints.some((endpoint) => endpoint.method === 'GET' && endpoint.path === '/api/orgs/:org/resources')) failures.push('model missing resource list endpoint');
+if (!model.controller.endpoints.some((endpoint) => endpoint.method === 'POST' && endpoint.path === '/api/orgs/:org/resources')) failures.push('model missing resource apply endpoint');
+if (!model.controller.endpoints.some((endpoint) => endpoint.method === 'GET' && endpoint.path === '/api/orgs/:org/policies')) failures.push('model missing policy center endpoint');
+if (!model.controller.endpoints.some((endpoint) => endpoint.method === 'GET' && endpoint.path === '/api/orgs/:org/policy-exception-requests')) failures.push('model missing policy exception list endpoint');
+if (model.controller.architecture?.apiController?.role !== 'krate-api-controller') failures.push('model missing API controller architecture boundary');
+if (model.controller.architecture?.resourceGateway?.role !== 'krate-resource-gateway') failures.push('model missing resource gateway architecture boundary');
+if (model.controller.architecture?.resourceClient?.role !== 'krate-resource-client') failures.push('model missing Krate client architecture boundary');
+if (model.controller.architecture?.deliveryReconciler?.role !== 'krate-delivery-reconciler') failures.push('model missing delivery reconciler architecture boundary');
+if (!model.controller.architecture?.apiController?.delegatesTo?.includes('krate-resource-gateway')) failures.push('API controller does not delegate to resource gateway');
+if (model.resources.find((resource) => resource.kind === 'Repository')?.items?.[0]?.metadata?.name !== 'live-repo') failures.push('repository model missing live items');
+if (!model.validation.some((item) => item.evidence.includes('/api/orgs/:org/repositories'))) failures.push('validation missing repository management evidence');
+if (model.policyEngine.health !== 'ready') failures.push('policy engine did not project ready Kyverno health');
+if (model.policyEngine.violations.length !== 1) failures.push('policy engine did not normalize Kyverno violations');
+if (!model.policyEngine.exceptionRequests.some((request) => request.name === 'temporary-bypass')) failures.push('policy engine missing exception request projection');
+const emptyModel = createControllerUiModel({ source: 'kubernetes', namespace: 'krate-org-default', kubectl: { available: true, context: 'kind-krate', errors: [] }, apiService: { metadata: { name: 'v1alpha1.krate.a5c.ai' } }, crds: [{ metadata: { name: 'repositories.krate.a5c.ai' } }], resources: { Repository: [] }, commands: [], events: [], permissions: [], storage: {} });
+if (emptyModel.resources.find((resource) => resource.kind === 'Repository')?.yaml !== null) failures.push('empty Krate repository model synthesized plan');
+if (failures.length) fail(failures);
+console.log(JSON.stringify({
+  status: 'success',
+  checked: required,
+  contract: 'krate-task-led-controller-ui',
+  resources: model.metrics.resources,
+  endpoints: model.controller.endpoints.length,
+  validations: model.metrics.totalChecks
+}, null, 2));
+function fail(failures) {
+  console.error(JSON.stringify({ status: 'failed', failures }, null, 2));
+  process.exit(1);
+}

package/src/agent-approval-controller.js ADDED Viewed

@@ -0,0 +1,123 @@
+import { createResource, clone } from './resource-model.js';
+export const AGENT_APPROVAL_CONTROLLER_BOUNDARY = {
+  role: 'agent-approval-controller',
+  scope: 'Human gate lifecycle for agent tool-use, secret-access, write-back, release, and escalation actions',
+  owns: ['approval creation', 'decision recording', 'approval lookup', 'duplicate detection'],
+  delegatesTo: ['resource-model'],
+  mustNotOwn: ['secret values', 'agent execution', 'UI rendering']
+};
+const VALID_ACTIONS = new Set(['tool-use', 'secret-access', 'write-back', 'release', 'escalation']);
+export function createAgentApprovalController() {
+  return {
+    role: 'agent-approval-controller',
+    createApprovalRequest({ dispatchRun, action, requestedBy, context, namespace = 'default', organizationRef = 'default', resources = {} }) {
+      if (!action || !VALID_ACTIONS.has(action)) {
+        return { error: true, reason: 'invalid-action', message: `Invalid action type: ${action}. Must be one of: ${[...VALID_ACTIONS].join(', ')}` };
+      }
+      if (!dispatchRun) {
+        return { error: true, reason: 'missing-dispatch-run', message: 'dispatchRun is required' };
+      }
+      if (!requestedBy) {
+        return { error: true, reason: 'missing-requested-by', message: 'requestedBy is required' };
+      }
+      // Check for duplicate pending approval
+      const existing = (resources.AgentApproval || []).find(
+        (a) => a.spec?.dispatchRun === dispatchRun && a.spec?.action === action && (!a.status?.phase || a.status.phase === 'Pending')
+      );
+      if (existing) {
+        return { error: false, approval: clone(existing), duplicate: true };
+      }
+      const now = new Date().toISOString();
+      const approvalName = `approval-${dispatchRun}-${action}-${Date.now()}`;
+      const approval = createResource('AgentApproval', { name: approvalName, namespace }, {
+        organizationRef,
+        dispatchRun,
+        action,
+        requestedBy,
+        description: context || `Agent requests permission to perform: ${action}`,
+        requestedAt: now
+      });
+      approval.status = { phase: 'Pending', createdAt: now };
+      return { error: false, approval, duplicate: false };
+    },
+    recordDecision({ approvalName, decision, decidedBy, reason, namespace = 'default', organizationRef = 'default', resources = {} }) {
+      if (!approvalName) {
+        return { error: true, reason: 'missing-approval-name', message: 'approvalName is required' };
+      }
+      if (!decision || (decision !== 'approve' && decision !== 'deny')) {
+        return { error: true, reason: 'invalid-decision', message: `Invalid decision: ${decision}. Must be 'approve' or 'deny'` };
+      }
+      if (!decidedBy) {
+        return { error: true, reason: 'missing-decided-by', message: 'decidedBy is required' };
+      }
+      const approvals = resources.AgentApproval || [];
+      const approval = approvals.find((a) => a.metadata?.name === approvalName);
+      if (!approval) {
+        return { error: true, reason: 'not-found', message: `AgentApproval not found: ${approvalName}` };
+      }
+      if (approval.status?.phase && approval.status.phase !== 'Pending') {
+        return { error: true, reason: 'already-decided', message: `AgentApproval ${approvalName} has already been decided: ${approval.status.phase}` };
+      }
+      const now = new Date().toISOString();
+      const phase = decision === 'approve' ? 'Approved' : 'Denied';
+      const updated = clone(approval);
+      updated.status = {
+        ...updated.status,
+        phase,
+        decidedBy,
+        decidedAt: now,
+        reason: reason || undefined
+      };
+      return { error: false, approval: updated };
+    },
+    isActionApproved({ dispatchRun, action, resources = {} }) {
+      const approvals = resources.AgentApproval || [];
+      const match = approvals.find(
+        (a) => a.spec?.dispatchRun === dispatchRun && a.spec?.action === action
+      );
+      if (!match) {
+        return { approved: false, approval: null, reason: 'No approval request found' };
+      }
+      if (match.status?.phase === 'Approved') {
+        return { approved: true, approval: clone(match), reason: match.status.reason || 'Approved' };
+      }
+      if (match.status?.phase === 'Denied') {
+        return { approved: false, approval: clone(match), reason: match.status.reason || 'Denied' };
+      }
+      return { approved: false, approval: clone(match), reason: 'Approval is still pending' };
+    },
+    listPendingApprovals({ organizationRef, resources = {} }) {
+      const approvals = resources.AgentApproval || [];
+      return approvals.filter((a) => {
+        const matchesOrg = !organizationRef || a.spec?.organizationRef === organizationRef;
+        const isPending = !a.status?.phase || a.status.phase === 'Pending';
+        return matchesOrg && isPending;
+      }).map(clone);
+    },
+    listApprovalsForRun({ dispatchRun, resources = {} }) {
+      const approvals = resources.AgentApproval || [];
+      return approvals.filter((a) => a.spec?.dispatchRun === dispatchRun).map(clone);
+    }
+  };
+}