@a5c-ai/krate 5.0.1-staging.f672fe79b

package/src/agent-permission-review.js

@@ -0,0 +1,162 @@
+import { createHash } from 'node:crypto';
+import { clone } from './resource-model.js';
+
+export const AGENT_PERMISSION_REVIEW_BOUNDARY = {
+  role: 'agent-permission-review',
+  scope: 'Deterministic permission review for agent dispatch decisions',
+  owns: ['capability expansion', 'grant resolution', 'permission snapshot creation'],
+  delegatesTo: ['resource-model'],
+  mustNotOwn: ['secret values', 'native K8s API calls', 'runtime execution']
+};
+
+export function createPermissionReviewer(options = {}) {
+  return {
+    role: 'agent-permission-review',
+
+    reviewPermissions({ repository, ref, actor, agentStack, triggerSource, taskKind, runnerPool, toolRefs = [], skillRefs = [], mcpServerRefs = [], contextLabelRefs = [], resources = {} }) {
+      const reasons = [];
+      const grants = [];
+
+      // Step 1 — Resolve AgentStack
+      const stacks = resources.AgentStack || [];
+      const stack = stacks.find((s) => s.metadata?.name === agentStack);
+      if (!stack) {
+        return buildDecision({ decision: 'denied', reasons: [{ severity: 'error', message: `AgentStack not found: ${agentStack}` }], grants, capabilities: {}, actor, repository, ref, agentStack, taskKind });
+      }
+
+      // Step 2 — Expand capabilities from stack spec
+      const capabilities = {
+        toolRefs: clone(stack.spec?.toolPolicy ? [stack.spec.toolPolicy] : toolRefs),
+        mcpServerRefs: clone(stack.spec?.mcpServerRefs || mcpServerRefs),
+        skillRefs: clone(stack.spec?.skillRefs || skillRefs),
+        subagentRefs: clone(stack.spec?.subagentRefs || [])
+      };
+
+      // Step 3 — Check runtime identity (AgentServiceAccount)
+      const serviceAccountRef = stack.spec?.runtimeIdentity?.serviceAccountRef || stack.spec?.runtimeIdentity;
+      const serviceAccounts = resources.AgentServiceAccount || [];
+      const serviceAccount = serviceAccounts.find((sa) => sa.metadata?.name === serviceAccountRef);
+      if (!serviceAccount) {
+        reasons.push({ severity: 'error', message: `Missing AgentServiceAccount: ${serviceAccountRef}` });
+      } else {
+        grants.push({ kind: 'AgentServiceAccount', name: serviceAccount.metadata.name, status: 'bound' });
+      }
+
+      // Step 4 — Check role bindings
+      const roleBindings = resources.AgentRoleBinding || [];
+      const matchedBindings = roleBindings.filter((rb) => rb.spec?.subject === serviceAccountRef || rb.spec?.subject === agentStack);
+      for (const binding of matchedBindings) {
+        grants.push({ kind: 'AgentRoleBinding', name: binding.metadata.name, roleRef: binding.spec?.roleRef, scope: binding.spec?.scope, status: 'bound' });
+      }
+      if (matchedBindings.length === 0 && serviceAccount) {
+        reasons.push({ severity: 'warning', message: `No AgentRoleBinding found for subject: ${serviceAccountRef}` });
+      }
+
+      // Step 5 — Check secret grants
+      const secretGrants = resources.AgentSecretGrant || [];
+      const neededSecrets = collectSecretNeeds(stack, capabilities, resources);
+      for (const need of neededSecrets) {
+        const match = secretGrants.find((sg) => {
+          if (sg.spec?.subject !== serviceAccountRef && sg.spec?.subject !== agentStack) return false;
+          if (need.purpose && sg.spec?.purpose !== need.purpose) return false;
+          if (sg.spec?.allowedRepositories && sg.spec.allowedRepositories.length > 0 && !sg.spec.allowedRepositories.includes(repository)) return false;
+          if (sg.spec?.allowedRefs && sg.spec.allowedRefs.length > 0 && !sg.spec.allowedRefs.includes(ref)) return false;
+          return true;
+        });
+        if (!match) {
+          reasons.push({ severity: 'error', message: `Missing AgentSecretGrant for ${need.description} (purpose: ${need.purpose})` });
+        } else {
+          const grantEntry = { kind: 'AgentSecretGrant', name: match.metadata.name, purpose: match.spec?.purpose, status: 'granted' };
+          if (match.spec?.requiredApproval) {
+            grantEntry.status = 'requires-approval';
+            grantEntry.requiredApproval = match.spec.requiredApproval;
+            reasons.push({ severity: 'info', message: `AgentSecretGrant ${match.metadata.name} requires approval: ${match.spec.requiredApproval}` });
+          }
+          grants.push(grantEntry);
+        }
+      }
+
+      // Step 6 — Check config grants
+      const configGrants = resources.AgentConfigGrant || [];
+      const neededConfigs = collectConfigNeeds(stack, capabilities, resources);
+      for (const need of neededConfigs) {
+        const match = configGrants.find((cg) => {
+          if (cg.spec?.subject !== serviceAccountRef && cg.spec?.subject !== agentStack) return false;
+          if (need.purpose && cg.spec?.purpose !== need.purpose) return false;
+          return true;
+        });
+        if (!match) {
+          reasons.push({ severity: 'error', message: `Missing AgentConfigGrant for ${need.description} (purpose: ${need.purpose})` });
+        } else {
+          grants.push({ kind: 'AgentConfigGrant', name: match.metadata.name, purpose: match.spec?.purpose, status: 'granted' });
+        }
+      }
+
+      // Step 7 — Decision
+      const hasErrors = reasons.some((r) => r.severity === 'error');
+      const hasApprovals = grants.some((g) => g.status === 'requires-approval');
+      const decision = hasErrors ? 'denied' : hasApprovals ? 'requires-approval' : 'allowed';
+
+      return buildDecision({ decision, reasons, grants, capabilities, actor, repository, ref, agentStack, taskKind });
+    },
+
+    createPermissionSnapshot(reviewResult) {
+      const snapshot = clone(reviewResult);
+      snapshot.snapshotAt = new Date().toISOString();
+      snapshot.frozen = true;
+      snapshot.digest = reviewResult.digest;
+      return Object.freeze(snapshot);
+    }
+  };
+}
+
+function collectSecretNeeds(stack, capabilities, resources) {
+  const needs = [];
+  if (stack.spec?.adapter) {
+    needs.push({ description: `model provider for adapter ${stack.spec.adapter}`, purpose: 'model-provider' });
+  }
+  const mcpServers = resources.AgentMcpServer || [];
+  for (const ref of capabilities.mcpServerRefs) {
+    const server = mcpServers.find((s) => s.metadata?.name === ref);
+    if (server?.spec?.secretRef) {
+      needs.push({ description: `MCP server ${ref} secret`, purpose: `mcp-server:${ref}` });
+    }
+  }
+  return needs;
+}
+
+function collectConfigNeeds(stack, capabilities, resources) {
+  const needs = [];
+  const mcpServers = resources.AgentMcpServer || [];
+  for (const ref of capabilities.mcpServerRefs) {
+    const server = mcpServers.find((s) => s.metadata?.name === ref);
+    if (server?.spec?.configMapRef) {
+      needs.push({ description: `MCP server ${ref} config`, purpose: `mcp-server:${ref}` });
+    }
+  }
+  return needs;
+}
+
+function buildDecision({ decision, reasons, grants, capabilities, actor, repository, ref, agentStack, taskKind }) {
+  const result = {
+    decision,
+    actor,
+    repository,
+    ref,
+    agentStack,
+    taskKind,
+    capabilities: clone(capabilities),
+    grants: clone(grants),
+    reasons: clone(reasons),
+    reviewedAt: new Date().toISOString()
+  };
+  result.digest = computeDigest(result);
+  return result;
+}
+
+function computeDigest(result) {
+  const keys = Object.keys(result).filter((k) => k !== 'digest').sort();
+  const canonical = {};
+  for (const key of keys) canonical[key] = result[key];
+  return createHash('sha256').update(JSON.stringify(canonical)).digest('hex');
+}

package/src/agent-stack-controller.js

@@ -0,0 +1,296 @@
+import { createPermissionReviewer } from './agent-permission-review.js';
+import { clone } from './resource-model.js';
+
+export const AGENT_STACK_CONTROLLER_BOUNDARY = {
+  role: 'agent-stack-controller',
+  scope: 'Stack readiness reconciliation with capability resolution and condition management',
+  owns: ['capability resolution', 'stack conditions', 'readiness computation'],
+  delegatesTo: ['agent-permission-review', 'resource-model'],
+  mustNotOwn: ['secret values', 'dispatch execution', 'Agent Mux sessions']
+};
+
+export function createAgentStackController(options = {}) {
+  const permissionReviewer = options.permissionReviewer || createPermissionReviewer();
+
+  return {
+    role: 'agent-stack-controller',
+
+    reconcileStack(stack, resources = {}) {
+      const spec = stack?.spec || {};
+      const conditions = [];
+      const missing = [];
+
+      // --- Resolve capability refs from stack spec ---
+      const resolvedTools = [];
+      const resolvedMcpServers = [];
+      const resolvedSkills = [];
+      const resolvedSubagents = [];
+      const resolvedContextLabels = [];
+
+      // toolPolicyRef
+      const toolPolicyRef = spec.toolPolicy || spec.toolPolicyRef || null;
+      let toolPolicyFound = true;
+      if (toolPolicyRef) {
+        const profiles = resources.AgentToolProfile || [];
+        const profile = profiles.find((p) => p.metadata?.name === toolPolicyRef);
+        if (profile) {
+          resolvedTools.push(profile.metadata.name);
+        } else {
+          toolPolicyFound = false;
+          missing.push(`AgentToolProfile/${toolPolicyRef}`);
+        }
+      }
+
+      // mcpServerRefs
+      const mcpServerRefs = spec.mcpServerRefs || [];
+      let allMcpFound = true;
+      for (const ref of mcpServerRefs) {
+        const servers = resources.AgentMcpServer || [];
+        const server = servers.find((s) => s.metadata?.name === ref);
+        if (server) {
+          resolvedMcpServers.push(server.metadata.name);
+        } else {
+          allMcpFound = false;
+          missing.push(`AgentMcpServer/${ref}`);
+        }
+      }
+
+      // skillRefs
+      const skillRefs = spec.skillRefs || [];
+      let allSkillsFound = true;
+      let allSkillsValid = true;
+      for (const ref of skillRefs) {
+        const skills = resources.AgentSkill || [];
+        const skill = skills.find((s) => s.metadata?.name === ref);
+        if (skill) {
+          resolvedSkills.push(skill.metadata.name);
+          if (!skill.spec?.format || !skill.spec?.sourceRef) {
+            allSkillsValid = false;
+          }
+        } else {
+          allSkillsFound = false;
+          allSkillsValid = false;
+          missing.push(`AgentSkill/${ref}`);
+        }
+      }
+
+      // subagentRefs
+      const subagentRefs = spec.subagentRefs || [];
+      let allSubagentsFound = true;
+      let allSubagentsValid = true;
+      for (const ref of subagentRefs) {
+        const subagents = resources.AgentSubagent || [];
+        const subagent = subagents.find((s) => s.metadata?.name === ref);
+        if (subagent) {
+          resolvedSubagents.push(subagent.metadata.name);
+          if (!subagent.spec?.taskKinds || subagent.spec.taskKinds.length === 0) {
+            allSubagentsValid = false;
+          }
+        } else {
+          allSubagentsFound = false;
+          allSubagentsValid = false;
+          missing.push(`AgentSubagent/${ref}`);
+        }
+      }
+
+      // contextLabelRefs
+      const contextLabelRefs = spec.contextLabelRefs || [];
+      let allContextLabelsFound = true;
+      for (const ref of contextLabelRefs) {
+        const labels = resources.AgentContextLabel || [];
+        const label = labels.find((l) => l.metadata?.name === ref);
+        if (label) {
+          resolvedContextLabels.push(label.metadata.name);
+        } else {
+          allContextLabelsFound = false;
+          missing.push(`AgentContextLabel/${ref}`);
+        }
+      }
+
+      // --- Build conditions ---
+      const allRefsFound = missing.length === 0;
+      conditions.push({
+        type: 'CapabilitiesResolved',
+        status: allRefsFound ? 'True' : 'False',
+        reason: allRefsFound ? 'AllRefsResolved' : 'MissingRefs',
+        message: allRefsFound ? 'All capability references resolved' : `Missing: ${missing.join(', ')}`
+      });
+
+      conditions.push({
+        type: 'ToolsAdmitted',
+        status: (toolPolicyFound || !toolPolicyRef) ? 'True' : 'False',
+        reason: !toolPolicyRef ? 'NoToolPolicyRef' : toolPolicyFound ? 'ToolPolicyResolved' : 'ToolPolicyMissing',
+        message: !toolPolicyRef ? 'No tool policy reference set' : toolPolicyFound ? 'Tool policy resolved' : `AgentToolProfile/${toolPolicyRef} not found`
+      });
+
+      conditions.push({
+        type: 'McpHealthy',
+        status: allMcpFound ? 'True' : 'False',
+        reason: allMcpFound ? 'AllMcpServersExist' : 'MissingMcpServers',
+        message: allMcpFound ? 'All MCP servers exist (health check deferred)' : `Missing MCP servers: ${mcpServerRefs.filter((ref) => !resolvedMcpServers.includes(ref)).join(', ')}`
+      });
+
+      conditions.push({
+        type: 'SkillsValidated',
+        status: (allSkillsFound && allSkillsValid) ? 'True' : 'False',
+        reason: !allSkillsFound ? 'MissingSkills' : !allSkillsValid ? 'InvalidSkillFormat' : 'AllSkillsValid',
+        message: !allSkillsFound ? `Missing skills: ${skillRefs.filter((ref) => !resolvedSkills.includes(ref)).join(', ')}` : !allSkillsValid ? 'Some skills have invalid format or missing sourceRef' : 'All skills validated'
+      });
+
+      conditions.push({
+        type: 'SubagentsValid',
+        status: (allSubagentsFound && allSubagentsValid) ? 'True' : 'False',
+        reason: !allSubagentsFound ? 'MissingSubagents' : !allSubagentsValid ? 'InvalidSubagentTaskKinds' : 'AllSubagentsValid',
+        message: !allSubagentsFound ? `Missing subagents: ${subagentRefs.filter((ref) => !resolvedSubagents.includes(ref)).join(', ')}` : !allSubagentsValid ? 'Some subagents have invalid or empty taskKinds' : 'All subagents validated'
+      });
+
+      conditions.push({
+        type: 'ContextLabelsValid',
+        status: allContextLabelsFound ? 'True' : 'False',
+        reason: allContextLabelsFound ? 'AllContextLabelsExist' : 'MissingContextLabels',
+        message: allContextLabelsFound ? 'All context labels exist' : `Missing context labels: ${contextLabelRefs.filter((ref) => !resolvedContextLabels.includes(ref)).join(', ')}`
+      });
+
+      // --- Permission review conditions via permissionReviewer ---
+      const serviceAccountRef = spec.runtimeIdentity?.serviceAccountRef || spec.runtimeIdentity;
+      const serviceAccounts = resources.AgentServiceAccount || [];
+      const serviceAccount = serviceAccounts.find((sa) => sa.metadata?.name === serviceAccountRef);
+      const runtimeIdentityReady = Boolean(serviceAccount);
+
+      conditions.push({
+        type: 'RuntimeIdentityReady',
+        status: runtimeIdentityReady ? 'True' : 'False',
+        reason: runtimeIdentityReady ? 'ServiceAccountBound' : 'MissingServiceAccount',
+        message: runtimeIdentityReady ? `AgentServiceAccount ${serviceAccountRef} bound` : `AgentServiceAccount ${serviceAccountRef || 'undefined'} not found`
+      });
+
+      // Run permission review for roles, secrets, config
+      const permissionReview = permissionReviewer.reviewPermissions({
+        repository: stack?.metadata?.labels?.repository || 'unknown',
+        ref: stack?.metadata?.labels?.ref || 'main',
+        actor: stack?.metadata?.labels?.actor || 'system',
+        agentStack: stack?.metadata?.name,
+        triggerSource: 'reconciliation',
+        taskKind: spec.taskKind || 'general',
+        resources
+      });
+
+      const rolesAdmitted = !permissionReview.reasons.some((r) => r.severity === 'error' && r.message.includes('AgentRoleBinding'));
+      const secretsAdmitted = !permissionReview.reasons.some((r) => r.severity === 'error' && r.message.includes('AgentSecretGrant'));
+      const configAdmitted = !permissionReview.reasons.some((r) => r.severity === 'error' && r.message.includes('AgentConfigGrant'));
+
+      conditions.push({
+        type: 'RolesAdmitted',
+        status: rolesAdmitted ? 'True' : 'False',
+        reason: rolesAdmitted ? 'RoleBindingsResolved' : 'MissingRoleBindings',
+        message: rolesAdmitted ? 'Role bindings satisfied' : 'Missing required AgentRoleBinding resources'
+      });
+
+      conditions.push({
+        type: 'SecretsAdmitted',
+        status: secretsAdmitted ? 'True' : 'False',
+        reason: secretsAdmitted ? 'SecretGrantsResolved' : 'MissingSecretGrants',
+        message: secretsAdmitted ? 'Secret grants satisfied' : 'Missing required AgentSecretGrant resources'
+      });
+
+      conditions.push({
+        type: 'ConfigAdmitted',
+        status: configAdmitted ? 'True' : 'False',
+        reason: configAdmitted ? 'ConfigGrantsResolved' : 'MissingConfigGrants',
+        message: configAdmitted ? 'Config grants satisfied' : 'Missing required AgentConfigGrant resources'
+      });
+
+      // --- Ready condition: true only if ALL other conditions are true ---
+      const allTrue = conditions.every((c) => c.status === 'True');
+      const hasErrors = conditions.some((c) => c.status === 'False');
+
+      conditions.push({
+        type: 'Ready',
+        status: allTrue ? 'True' : 'False',
+        reason: allTrue ? 'StackReady' : 'StackNotReady',
+        message: allTrue ? 'All conditions met' : `Failing conditions: ${conditions.filter((c) => c.status === 'False').map((c) => c.type).join(', ')}`
+      });
+
+      return {
+        conditions: clone(conditions),
+        capabilities: {
+          tools: clone(resolvedTools),
+          mcpServers: clone(resolvedMcpServers),
+          skills: clone(resolvedSkills),
+          subagents: clone(resolvedSubagents),
+          contextLabels: clone(resolvedContextLabels)
+        },
+        validation: allTrue ? 'valid' : hasErrors ? 'invalid' : 'warning',
+        permissionDecision: permissionReview.decision
+      };
+    },
+
+    listStackCapabilities(stack, resources = {}) {
+      const spec = stack?.spec || {};
+      const capabilities = [];
+
+      // Tools
+      const toolPolicyRef = spec.toolPolicy || spec.toolPolicyRef || null;
+      if (toolPolicyRef) {
+        const profiles = resources.AgentToolProfile || [];
+        const profile = profiles.find((p) => p.metadata?.name === toolPolicyRef);
+        capabilities.push({
+          kind: 'tool',
+          name: toolPolicyRef,
+          status: profile ? 'resolved' : 'missing',
+          ref: toolPolicyRef
+        });
+      }
+
+      // MCP Servers
+      for (const ref of spec.mcpServerRefs || []) {
+        const servers = resources.AgentMcpServer || [];
+        const server = servers.find((s) => s.metadata?.name === ref);
+        capabilities.push({
+          kind: 'mcp',
+          name: ref,
+          status: server ? 'resolved' : 'missing',
+          ref
+        });
+      }
+
+      // Skills
+      for (const ref of spec.skillRefs || []) {
+        const skills = resources.AgentSkill || [];
+        const skill = skills.find((s) => s.metadata?.name === ref);
+        capabilities.push({
+          kind: 'skill',
+          name: ref,
+          status: skill ? 'resolved' : 'missing',
+          ref
+        });
+      }
+
+      // Subagents
+      for (const ref of spec.subagentRefs || []) {
+        const subagents = resources.AgentSubagent || [];
+        const subagent = subagents.find((s) => s.metadata?.name === ref);
+        capabilities.push({
+          kind: 'subagent',
+          name: ref,
+          status: subagent ? 'resolved' : 'missing',
+          ref
+        });
+      }
+
+      // Context Labels
+      for (const ref of spec.contextLabelRefs || []) {
+        const labels = resources.AgentContextLabel || [];
+        const label = labels.find((l) => l.metadata?.name === ref);
+        capabilities.push({
+          kind: 'contextLabel',
+          name: ref,
+          status: label ? 'resolved' : 'missing',
+          ref
+        });
+      }
+
+      return capabilities;
+    }
+  };
+}

package/src/agent-trigger-controller.js

@@ -0,0 +1,108 @@
+import { createResource, clone } from './resource-model.js';
+
+export const AGENT_TRIGGER_CONTROLLER_BOUNDARY = {
+  role: 'agent-trigger-controller',
+  scope: 'Event normalization, rule matching, deduplication, and dispatch creation',
+  owns: ['event normalization', 'rule matching', 'trigger execution records', 'dispatch initiation'],
+  delegatesTo: ['agent-dispatch-controller', 'resource-model'],
+  mustNotOwn: ['event sourcing', 'webhook delivery', 'secret values']
+};
+
+export function createAgentTriggerController(options = {}) {
+  const dispatchController = options.dispatchController;
+
+  return {
+    role: 'agent-trigger-controller',
+
+    matchRule(rule, event) {
+      // 1. Check event type is in rule.spec.sources
+      const sources = rule.spec?.sources || [];
+      if (!sources.includes(event.type)) return { matches: false, reason: `Event type '${event.type}' not in rule sources [${sources.join(', ')}]` };
+      // 2. Check repository scope (if rule has spec.repository, must match)
+      if (rule.spec?.repository && rule.spec.repository !== event.repository) return { matches: false, reason: `Repository '${event.repository}' does not match rule scope '${rule.spec.repository}'` };
+      // 3. Check actor filter (if rule has spec.allowedActors)
+      if (rule.spec?.allowedActors?.length > 0 && !rule.spec.allowedActors.includes(event.actor)) return { matches: false, reason: `Actor '${event.actor}' not in allowed actors` };
+      return { matches: true, reason: 'All conditions met' };
+    },
+
+    evaluateEvent({ event, resources }) {
+      const rules = resources.AgentTriggerRule || [];
+      const executions = resources.AgentTriggerExecution || [];
+      const eventUid = `${event.type}:${event.source?.kind}:${event.source?.name}`;
+
+      return rules.map(rule => {
+        const match = this.matchRule(rule, event);
+        const isDuplicate = executions.some(ex =>
+          ex.spec?.triggerRule === rule.metadata?.name &&
+          ex.spec?.sourceEvent === eventUid &&
+          ex.status?.phase !== 'Failed'
+        );
+        return { rule, matches: match.matches, reason: match.reason, isDuplicate };
+      });
+    },
+
+    createTriggerExecution({ rule, event, decision, reason, namespace = 'default', organizationRef = 'default' }) {
+      const eventUid = `${event.type}:${event.source?.kind}:${event.source?.name}`;
+      const name = `trigger-exec-${rule.metadata?.name}-${Date.now()}`;
+      const execution = createResource('AgentTriggerExecution', { name, namespace }, {
+        organizationRef,
+        triggerRule: rule.metadata?.name,
+        sourceEvent: eventUid,
+        decision,
+      });
+      execution.status = { phase: decision, reason, evaluatedAt: new Date().toISOString() };
+      return execution;
+    },
+
+    async processEvent({ event, resources, namespace = 'default', organizationRef = 'default' }) {
+      const evaluations = this.evaluateEvent({ event, resources });
+      const executions = [];
+      let dispatched = 0;
+      let skipped = 0;
+
+      for (const { rule, matches, reason, isDuplicate } of evaluations) {
+        if (!matches) {
+          executions.push(this.createTriggerExecution({ rule, event, decision: 'Skipped', reason, namespace, organizationRef }));
+          skipped++;
+          continue;
+        }
+        if (isDuplicate) {
+          executions.push(this.createTriggerExecution({ rule, event, decision: 'Deduplicated', reason: 'Already dispatched for this event', namespace, organizationRef }));
+          skipped++;
+          continue;
+        }
+
+        const execution = this.createTriggerExecution({ rule, event, decision: 'Dispatching', reason, namespace, organizationRef });
+
+        if (dispatchController) {
+          const result = await dispatchController.createManualDispatch({
+            repository: event.repository,
+            ref: event.ref,
+            sourceRefs: [event.source],
+            agentStack: rule.spec?.agentStack,
+            taskKind: rule.spec?.taskKind || 'diagnostic',
+            actor: event.actor,
+            namespace,
+            organizationRef,
+            resources,
+          });
+          if (result.error) {
+            execution.status.phase = 'Failed';
+            execution.status.reason = result.message;
+          } else {
+            execution.status.phase = 'Dispatched';
+            execution.status.dispatchRunRef = result.run?.metadata?.name;
+          }
+        } else {
+          execution.status.phase = 'Dispatched';
+          execution.status.reason = 'No dispatch controller configured (dry-run)';
+        }
+
+        executions.push(execution);
+        dispatched++;
+      }
+
+      return { processed: evaluations.length, dispatched, skipped, executions };
+    },
+  };
+}