@a5c-ai/krate 5.0.1-staging.f672fe79b

package/src/api-controller.js

@@ -0,0 +1,206 @@
+import { createKubernetesResourceGateway } from './kubernetes-resource-gateway.js';
+import { createPermissionReviewer } from './agent-permission-review.js';
+import { createAgentDispatchController } from './agent-dispatch-controller.js';
+import { createAgentApprovalController } from './agent-approval-controller.js';
+import { createAgentTriggerController } from './agent-trigger-controller.js';
+
+export const KRATE_API_CONTROLLER_BOUNDARY = {
+  role: 'krate-api-controller',
+  scope: 'HTTP/application facade for validation, request orchestration, user-facing DTOs, API errors, and workflow affordances',
+  owns: ['input validation', 'forge DTOs', 'API errors', 'workflow affordances', 'controller UI snapshots'],
+  delegatesTo: ['kubernetes-resource-gateway', 'git-data-plane'],
+  mustNotOwn: ['kubectl process execution', 'Kubernetes reconciliation loops', 'watch stream internals', 'repository storage internals']
+};
+
+export function createKrateApiController(options = {}) {
+  const resourceGateway = options.resourceGateway || createKubernetesResourceGateway(options);
+  const namespace = options.namespace || resourceGateway.namespace || process.env.KRATE_NAMESPACE || 'krate-system';
+
+  return {
+    role: 'krate-api-controller',
+    namespace,
+    resourceGateway,
+    resourceDefinitions: resourceGateway.resourceDefinitions,
+    async snapshot() {
+      return withArchitecture(await resourceGateway.snapshot(), namespace);
+    },
+    async listRepositoriesForForge() {
+      const resources = await resourceGateway.list('Repository');
+      return normalizeResourceList(resources).map((resource) => repositoryForgeSummary(resource, namespace));
+    },
+    async getRepositoryForgeView(name) {
+      const resource = await resourceGateway.get('Repository', name);
+      const repository = resource?.resource || resource;
+      return repositoryForgeView(repository, namespace);
+    },
+    async listResource(kindOrPlural) {
+      return resourceGateway.list(kindOrPlural);
+    },
+    async getResource(kindOrPlural, name) {
+      return resourceGateway.get(kindOrPlural, name);
+    },
+    async applyResource(resource) {
+      return resourceGateway.apply(resource);
+    },
+    async deleteResource(kindOrPlural, name) {
+      return resourceGateway.delete(kindOrPlural, name);
+    },
+    async createRepository(input) {
+      const created = await resourceGateway.createRepository(input);
+      const repository = created?.resource || created;
+      return {
+        operation: created?.operation || 'create-repository',
+        command: created?.command || 'kubectl apply -f -',
+        repository: repositoryForgeSummary(repository, namespace),
+        resource: repository
+      };
+    },
+    async createOrganization(input) {
+      return resourceGateway.createOrganization(input);
+    },
+    watchResource(resourcePath, handlers = {}) {
+      return resourceGateway.watch(resourcePath, handlers);
+    },
+    async reviewAgentPermissions(input) {
+      const reviewer = createPermissionReviewer();
+      const snapshot = await this.snapshot();
+      return reviewer.reviewPermissions({
+        ...input,
+        resources: snapshot.resources
+      });
+    },
+    async dispatchAgent(input) {
+      const snapshot = await this.snapshot();
+      const controller = createAgentDispatchController(input.controllerOptions || {});
+      return controller.createManualDispatch({
+        ...input,
+        resources: snapshot.resources
+      });
+    },
+    async approveAgentAction(input) {
+      const snapshot = await this.snapshot();
+      const approvalController = createAgentApprovalController();
+      return approvalController.recordDecision({
+        ...input,
+        decision: 'approve',
+        resources: snapshot.resources
+      });
+    },
+    async denyAgentAction(input) {
+      const snapshot = await this.snapshot();
+      const approvalController = createAgentApprovalController();
+      return approvalController.recordDecision({
+        ...input,
+        decision: 'deny',
+        resources: snapshot.resources
+      });
+    },
+    async processWebhookEvent(input) {
+      const snapshot = await this.snapshot();
+      const dispatchController = createAgentDispatchController(input.controllerOptions || {});
+      const triggerController = createAgentTriggerController({ dispatchController });
+      return triggerController.processEvent({
+        event: input.event,
+        resources: snapshot.resources,
+        namespace: input.namespace || namespace,
+        organizationRef: input.organizationRef || 'default',
+      });
+    }
+  };
+}
+
+export function withArchitecture(snapshot, namespace = snapshot?.namespace || 'default') {
+  return {
+    ...snapshot,
+    architecture: {
+      apiController: {
+        ...KRATE_API_CONTROLLER_BOUNDARY,
+        owns: [...KRATE_API_CONTROLLER_BOUNDARY.owns, '/api/controller', '/api/orgs/:org/resources', '/api/orgs/:org/repositories', '/api/watch/orgs/:org/*'],
+        scope: `${KRATE_API_CONTROLLER_BOUNDARY.scope}; never owns Kubernetes reconciliation loops`
+      },
+      resourceGateway: {
+        role: 'kubernetes-resource-gateway',
+        scope: 'Narrow application port translating API controller intent into Kubernetes resource-client calls',
+        namespace,
+        delegatesTo: ['kubernetes-resource-client']
+      },
+      kubernetesClient: {
+        role: 'kubernetes-resource-client',
+        scope: 'kubectl-backed Kubernetes API discovery, SubjectAccessReview checks, list/get/apply/delete/watch; no UI flow or product workflow ownership',
+        namespace,
+        owns: ['Krate CRDs', 'aggregated API resources', 'Kubernetes watch streams']
+      },
+      kubernetesReconciler: {
+        role: 'krate-kubernetes-reconciler',
+        scope: 'Repository status projection, repository hosting intent, policy projection, and data-plane sync intent; never owns HTTP routes or browser flows',
+        namespace,
+        delegatesTo: ['kubernetes-resource-gateway', 'git-data-plane']
+      },
+      dataPlane: {
+        role: 'git-data-plane',
+        scope: 'Repository streaming, SSH hosting, object storage, search indexing, and warm receive-pack paths',
+        boundary: process.env.KRATE_GITEA_HTTP_URL || 'repository service not configured'
+      }
+    }
+  };
+}
+
+export function repositoryForgeSummary(resource, namespace = 'krate-system') {
+  const metadata = resource?.metadata || {};
+  const spec = resource?.spec || {};
+  const name = metadata.name || 'unknown-repository';
+  const repositoryNamespace = metadata.namespace || namespace;
+  const org = spec.organizationRef || metadata.labels?.['krate.a5c.ai/org'] || 'default';
+  const repoPath = `/orgs/${encodeURIComponent(org)}/repositories/${encodeURIComponent(name)}`;
+  return {
+    kind: 'Repository',
+    name,
+    org,
+    namespace: repositoryNamespace,
+    visibility: spec.visibility || 'internal',
+    defaultBranch: spec.defaultBranch || 'main',
+    phase: resource?.status?.phase || (resource ? 'Ready' : 'Unknown'),
+    href: `${repoPath}/code`,
+    cloneUrl: spec.gitHosting?.httpUrl || `<krate-repository-service>/${encodeURIComponent(org)}/${name}.git`,
+    actions: {
+      code: `${repoPath}/code`,
+      pullRequests: `${repoPath}/pull-requests`,
+      issues: `${repoPath}/issues`,
+      runs: `${repoPath}/runs`,
+      pipelines: `${repoPath}/runs`,
+      hooks: `${repoPath}/hooks`,
+      settings: `${repoPath}/settings`,
+      yaml: `/orgs/${encodeURIComponent(org)}/advanced-plans?kind=Repository&name=${encodeURIComponent(name)}`
+    },
+    kubectl: {
+      get: `kubectl get repositories.krate.a5c.ai ${name} -n ${repositoryNamespace} -o yaml`,
+      delete: `kubectl delete repositories.krate.a5c.ai ${name} -n ${repositoryNamespace}`
+    }
+  };
+}
+
+export function repositoryForgeView(resource, namespace = 'default') {
+  const summary = repositoryForgeSummary(resource, namespace);
+  return {
+    ...summary,
+    primaryFlow: 'browse-code-open-pr-review-merge',
+    emptyState: resource ? null : 'Repository resource is not available from the Kubernetes resource gateway.',
+    sections: [
+      { id: 'code', label: 'Code', href: summary.actions.code, state: 'branch-and-path-aware' },
+      { id: 'pull-requests', label: 'Pull requests', href: summary.actions.pullRequests, state: 'review-merge-checks' },
+      { id: 'issues', label: 'Issues', href: summary.actions.issues, state: 'triage-policy-aware' },
+      { id: 'runs', label: 'Runs', href: summary.actions.runs, state: 'runner-and-job-aware' },
+      { id: 'hooks', label: 'Hooks', href: summary.actions.hooks, state: 'delivery-replay-aware' },
+      { id: 'settings', label: 'Settings', href: summary.actions.settings, state: 'branch-protection-rbac-danger-actions' }
+    ]
+  };
+}
+
+function normalizeResourceList(result) {
+  if (Array.isArray(result)) return result;
+  if (Array.isArray(result?.items)) return result.items;
+  if (Array.isArray(result?.resources)) return result.resources;
+  if (result?.resource) return [result.resource];
+  return [];
+}
+

package/src/argocd-gitops.js

@@ -0,0 +1,43 @@
+export function createArgoCdApplication({
+  name = 'krate',
+  namespace = 'argocd',
+  project = 'default',
+  repoURL,
+  path = 'charts/krate',
+  targetRevision = 'HEAD',
+  destinationNamespace = 'krate-system',
+  destinationServer = 'https://kubernetes.default.svc',
+  automated = true
+} = {}) {
+  if (!repoURL) throw new Error('Argo CD Application requires repoURL');
+  return {
+    apiVersion: 'argoproj.io/v1alpha1',
+    kind: 'Application',
+    metadata: {
+      name,
+      namespace,
+      labels: {
+        'app.kubernetes.io/part-of': 'krate',
+        'krate.a5c.ai/gitops-engine': 'argocd'
+      }
+    },
+    spec: {
+      project,
+      source: { repoURL, targetRevision, path },
+      destination: { server: destinationServer, namespace: destinationNamespace },
+      syncPolicy: automated ? {
+        automated: { prune: true, selfHeal: true },
+        syncOptions: ['CreateNamespace=true']
+      } : { syncOptions: ['CreateNamespace=true'] }
+    }
+  };
+}
+
+export function createKrateGitOpsPlan({ repoURL, namespace = 'krate-system', applicationName = 'krate' }) {
+  return {
+    engine: 'argocd',
+    application: createArgoCdApplication({ name: applicationName, repoURL, destinationNamespace: namespace }),
+    requiredClusterResources: ['Application.argoproj.io', 'Namespace', 'ServiceAccount', 'RBAC', 'APIService', 'Krate CRDs'],
+    syncGuarantees: ['automated prune', 'automated selfHeal', 'namespace creation']
+  };
+}

package/src/auth.js

@@ -0,0 +1,265 @@
+import { createResource, clone } from './resource-model.js';
+import { mapOidcIdentity } from './identity-policy.js';
+
+const defaultScopes = {
+  github: 'read:user user:email',
+  sso: 'openid profile email groups'
+};
+
+export function createAuthProviderConfig(env = process.env) {
+  const githubEnabled = env.KRATE_AUTH_GITHUB_ENABLED !== 'false';
+  const ssoEnabled = env.KRATE_AUTH_SSO_ENABLED === 'true';
+  return {
+    session: { cookieName: env.KRATE_AUTH_COOKIE_NAME || 'krate_session' },
+    delegatedIdentity: {
+      enabled: env.KRATE_AUTH_DELEGATED_IDENTITY_ENABLED === 'true',
+      userHeader: env.KRATE_AUTH_DELEGATED_USER_HEADER || 'x-forwarded-user',
+      groupsHeader: env.KRATE_AUTH_DELEGATED_GROUPS_HEADER || 'x-forwarded-groups',
+      emailHeader: env.KRATE_AUTH_DELEGATED_EMAIL_HEADER || 'x-forwarded-email',
+      localDevelopment: {
+        enabled: delegatedLocalDevelopmentEnabled(env),
+        user: env.KRATE_AUTH_DELEGATED_LOCAL_USER || 'local-developer',
+        email: env.KRATE_AUTH_DELEGATED_LOCAL_EMAIL || '',
+        groups: env.KRATE_AUTH_DELEGATED_LOCAL_GROUPS || 'krate:repo-admins'
+      }
+    },
+    providers: {
+      github: {
+        id: 'github',
+        label: 'GitHub',
+        type: 'github',
+        enabled: githubEnabled,
+        clientId: env.KRATE_AUTH_GITHUB_CLIENT_ID || '',
+        clientSecret: env.KRATE_AUTH_GITHUB_CLIENT_SECRET || '',
+        clientSecretConfigured: Boolean(env.KRATE_AUTH_GITHUB_CLIENT_SECRET),
+        authorizationUrl: env.KRATE_AUTH_GITHUB_AUTHORIZATION_URL || 'https://github.com/login/oauth/authorize',
+        tokenUrl: env.KRATE_AUTH_GITHUB_TOKEN_URL || 'https://github.com/login/oauth/access_token',
+        userInfoUrl: env.KRATE_AUTH_GITHUB_USERINFO_URL || 'https://api.github.com/user',
+        scopes: env.KRATE_AUTH_GITHUB_SCOPES || defaultScopes.github
+      },
+      sso: {
+        id: 'sso',
+        label: env.KRATE_AUTH_SSO_PROVIDER_NAME || 'Workspace SSO',
+        type: 'oidc',
+        enabled: ssoEnabled,
+        issuerUrl: env.KRATE_AUTH_SSO_ISSUER_URL || '',
+        clientId: env.KRATE_AUTH_SSO_CLIENT_ID || '',
+        clientSecret: env.KRATE_AUTH_SSO_CLIENT_SECRET || '',
+        clientSecretConfigured: Boolean(env.KRATE_AUTH_SSO_CLIENT_SECRET),
+        authorizationUrl: env.KRATE_AUTH_SSO_AUTHORIZATION_URL || '',
+        tokenUrl: env.KRATE_AUTH_SSO_TOKEN_URL || '',
+        userInfoUrl: env.KRATE_AUTH_SSO_USERINFO_URL || '',
+        scopes: env.KRATE_AUTH_SSO_SCOPES || defaultScopes.sso
+      }
+    }
+  };
+}
+
+export function listEnabledAuthProviders(config = createAuthProviderConfig()) {
+  return Object.values(config.providers).filter((provider) => provider.enabled && provider.clientId && provider.authorizationUrl);
+}
+
+export function buildAuthorizationRedirect({ provider, requestUrl, state = cryptoSafeState() }) {
+  if (!provider?.enabled) throw new Error(`${provider?.label || 'Provider'} sign-in is disabled`);
+  if (!provider.clientId) throw new Error(`${provider.label} client id is not configured`);
+  if (!provider.authorizationUrl) throw new Error(`${provider.label} authorization endpoint is not configured`);
+  const request = new URL(requestUrl || 'http://localhost/login');
+  const redirectUri = new URL(`/api/auth/callback/${provider.id}`, `${request.protocol}//${request.host}`);
+  const target = new URL(provider.authorizationUrl);
+  target.searchParams.set('response_type', 'code');
+  target.searchParams.set('client_id', provider.clientId);
+  target.searchParams.set('redirect_uri', redirectUri.toString());
+  target.searchParams.set('scope', provider.scopes || 'openid profile email');
+  target.searchParams.set('state', state);
+  return { url: target.toString(), state, redirectUri: redirectUri.toString() };
+}
+
+
+export async function exchangeOAuthCodeForProfile({ provider, code, requestUrl, fetchImpl = globalThis.fetch }) {
+  if (!provider?.enabled) throw new Error(`${provider?.label || 'Provider'} sign-in is disabled`);
+  if (!code) throw new Error('authorization code is required');
+  if (!provider.tokenUrl || !provider.userInfoUrl) throw new Error(`${provider.label} token and profile endpoints are required`);
+  if (!provider.clientId || !provider.clientSecret) throw new Error(`${provider.label} client credentials are not configured`);
+  const request = new URL(requestUrl || 'http://localhost/login');
+  const redirectUri = new URL(`/api/auth/callback/${provider.id}`, `${request.protocol}//${request.host}`).toString();
+  const tokenResponse = await fetchImpl(provider.tokenUrl, {
+    method: 'POST',
+    headers: { Accept: 'application/json', 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: new URLSearchParams({ grant_type: 'authorization_code', code, redirect_uri: redirectUri, client_id: provider.clientId, client_secret: provider.clientSecret })
+  });
+  if (!tokenResponse.ok) throw new Error(`${provider.label} token exchange failed with ${tokenResponse.status}`);
+  const token = await tokenResponse.json();
+  const accessToken = token.access_token;
+  if (!accessToken) throw new Error(`${provider.label} did not return an access token`);
+  const profileResponse = await fetchImpl(provider.userInfoUrl, { headers: { Accept: 'application/json', Authorization: `Bearer ${accessToken}` } });
+  if (!profileResponse.ok) throw new Error(`${provider.label} profile lookup failed with ${profileResponse.status}`);
+  const profile = await profileResponse.json();
+  return normalizeProviderProfile(provider, profile);
+}
+
+export function normalizeProviderProfile(provider, profile = {}) {
+  if (provider.id === 'github' || provider.type === 'github') {
+    const username = profile.login || profile.username || profile.name;
+    return {
+      provider: provider.id,
+      subject: String(profile.id || username || profile.email),
+      email: profile.email || (username ? `${username}@users.noreply.github.com` : undefined),
+      displayName: profile.name || username || profile.email,
+      username,
+      groups: [],
+      teams: [],
+      admin: false
+    };
+  }
+  const groups = Array.isArray(profile.groups) ? profile.groups : String(profile.groups || '').split(',').map((group) => group.trim()).filter(Boolean);
+  return {
+    provider: provider.id,
+    subject: profile.sub || profile.id || profile.email,
+    email: profile.email,
+    displayName: profile.name || profile.preferred_username || profile.email,
+    username: profile.preferred_username || profile.username || profile.email,
+    groups,
+    teams: [],
+    admin: groups.includes('krate:platform-engineers') || groups.includes('krate:repo-admins')
+  };
+}
+
+export function profileFromDelegatedHeaders(headers, config = createAuthProviderConfig(), options = {}) {
+  if (!config.delegatedIdentity.enabled) throw new Error('Delegated identity sign-in is disabled');
+  const getHeader = (name) => typeof headers.get === 'function' ? headers.get(name) : headers[name] || headers[name.toLowerCase()];
+  const localProfile = localDelegatedDevelopmentProfile(config, options);
+  const headerUser = getHeader(config.delegatedIdentity.userHeader);
+  const user = headerUser || localProfile.user;
+  if (!user) throw new Error(`Delegated identity header ${config.delegatedIdentity.userHeader} is missing`);
+  const email = getHeader(config.delegatedIdentity.emailHeader) || localProfile.email || (String(user).includes('@') ? user : undefined);
+  const groups = String(getHeader(config.delegatedIdentity.groupsHeader) || localProfile.groups || '').split(',').map((group) => group.trim()).filter(Boolean);
+  return { provider: 'delegated', subject: user, email, displayName: user, username: normalizeName(user), groups, teams: [], admin: groups.includes('krate:platform-engineers') || groups.includes('krate:repo-admins'), delegatedIdentitySource: headerUser ? 'proxy-header' : 'local-development' };
+}
+
+export async function registerLoginProfile({ controller, namespace = process.env.KRATE_NAMESPACE || 'default', profile }) {
+  const mapped = mapLoginProfileToKrateIdentity({ ...profile, namespace });
+  const userResult = await controller.applyResource(mapped.user);
+  const mappingResult = await controller.applyResource(mapped.mapping);
+  return { ...mapped, userResult, mappingResult };
+}
+
+export function createSessionCookie(config, profile) {
+  const value = Buffer.from(JSON.stringify({ provider: profile.provider, subject: profile.subject, user: profile.username || profile.email })).toString('base64url');
+  return `${config.session.cookieName}=${value}; Path=/; HttpOnly; SameSite=Lax`;
+}
+
+export function parseSessionCookie(config, cookieValue) {
+  if (!cookieValue || typeof cookieValue !== 'string') return null;
+  try {
+    const session = JSON.parse(Buffer.from(cookieValue, 'base64url').toString('utf8'));
+    const user = typeof session.user === 'string' ? session.user.trim() : '';
+    const subject = typeof session.subject === 'string' ? session.subject.trim() : '';
+    const provider = typeof session.provider === 'string' ? session.provider.trim() : '';
+    if (!user && !subject) return null;
+    return {
+      cookieName: config.session.cookieName,
+      provider: provider || 'krate',
+      subject: subject || user,
+      user: user || subject
+    };
+  } catch {
+    return null;
+  }
+}
+
+export function mapLoginProfileToKrateIdentity({ provider = 'sso', subject, email, displayName, username, groups = [], teams = [], admin = false, namespace = 'krate-org-default', organizationRef = 'default' }) {
+  const userName = username || normalizeName(email || subject || displayName || 'user');
+  const krateGroups = [...new Set(['krate:users', admin ? 'krate:platform-engineers' : 'krate:developers', ...groups])];
+  const identity = mapOidcIdentity({ subject, email, groups: krateGroups });
+  const user = createResource('User', { name: userName, namespace, labels: { role: admin ? 'admin' : 'member' } }, {
+    organizationRef,
+    displayName: displayName || userName,
+    email,
+    username: userName,
+    teams,
+    admin,
+    disabled: false
+  }, { phase: 'Active', lastLoginProvider: provider, groups: identity.groups });
+  const mapping = createResource('IdentityMapping', { name: `${provider}-${userName}`, namespace }, {
+    organizationRef,
+    user: userName,
+    provider,
+    subject: subject || email,
+    email,
+    workspaceIdentity: { name: identity.name, uid: identity.uid, groups: identity.groups },
+    repositoryIdentity: { username: userName, email }
+  }, { phase: 'Synced' });
+  return { identity, user, mapping };
+}
+
+export function createInviteResource({ email, role = 'member', teams = [], invitedBy = 'admin', namespace = 'krate-org-default', organizationRef = 'default', expiresInDays = 7 }) {
+  const expiresAt = new Date(Date.now() + expiresInDays * 24 * 60 * 60 * 1000).toISOString();
+  return createResource('Invite', { name: normalizeName(email), namespace, labels: { role } }, { organizationRef, email, role, teams, invitedBy, expiresAt }, { phase: 'Pending' });
+}
+
+export function createTeamResource({ name, displayName = name, members = [], maintainers = [], repositoryGrants = [], namespace = 'krate-org-default', organizationRef = 'default' }) {
+  return createResource('Team', { name, namespace }, { organizationRef, displayName, members, maintainers, repositoryGrants }, { phase: 'Active', memberCount: members.length });
+}
+
+export function createAuthProviderResources(config = createAuthProviderConfig(), namespace = 'krate-org-default', organizationRef = 'default') {
+  return Object.values(config.providers).map((provider) => createResource('AuthProvider', { name: provider.id, namespace }, {
+    organizationRef,
+    type: provider.type,
+    label: provider.label,
+    enabled: provider.enabled,
+    scopes: provider.scopes,
+    delegatedIdentity: clone(publicDelegatedIdentityConfig(config.delegatedIdentity))
+  }, { phase: provider.enabled ? 'Configured' : 'Disabled', clientConfigured: Boolean(provider.clientId) }));
+}
+
+export function identityBackendSyncPlan({ users = [], teams = [], invites = [], mappings = [], permissions = [], sshKeys = [] } = {}) {
+  return {
+    users: users.map((user) => ({ action: 'ensure-user', user: user.metadata?.name, email: user.spec?.email, disabled: Boolean(user.spec?.disabled) })),
+    teams: teams.map((team) => ({ action: 'ensure-team', team: team.metadata?.name, members: team.spec?.members || [], maintainers: team.spec?.maintainers || [] })),
+    invites: invites.map((invite) => ({ action: 'send-invite', email: invite.spec?.email, teams: invite.spec?.teams || [], role: invite.spec?.role || 'member' })),
+    mappings: mappings.map((mapping) => ({ action: 'link-identity', user: mapping.spec?.user, provider: mapping.spec?.provider, repositoryIdentity: mapping.spec?.repositoryIdentity })),
+    permissions: permissions.map((permission) => ({ action: 'sync-repository-permission', repository: permission.spec?.repository, subject: permission.spec?.subject, subjectKind: permission.spec?.subjectKind || 'user', permission: permission.spec?.permission })),
+    sshKeys: sshKeys.map((key) => ({ action: 'sync-ssh-key', owner: key.spec?.owner, repository: key.spec?.repository, scope: key.spec?.scope, title: key.spec?.title }))
+  };
+}
+
+function normalizeName(value) {
+  return String(value || 'user').toLowerCase().replace(/[^a-z0-9-]+/g, '-').replace(/^-+|-+$/g, '').slice(0, 63) || 'user';
+}
+
+function localDelegatedDevelopmentProfile(config, options = {}) {
+  if (!isLocalDevelopmentRequest(options.requestUrl, options.env)) return {};
+  const localConfig = config.delegatedIdentity.localDevelopment || {};
+  if (!localConfig.enabled) return {};
+  const request = new URL(options.requestUrl);
+  const user = request.searchParams.get('user') || request.searchParams.get('username') || localConfig.user;
+  const email = request.searchParams.get('email') || localConfig.email;
+  const groups = request.searchParams.get('groups') || localConfig.groups;
+  return { user, email, groups };
+}
+
+function delegatedLocalDevelopmentEnabled(env = process.env) {
+  if (env.KRATE_AUTH_DELEGATED_LOCAL_DEVELOPMENT === 'true') return true;
+  if (env.KRATE_AUTH_DELEGATED_LOCAL_DEVELOPMENT === 'false') return false;
+  return env.NODE_ENV !== 'production';
+}
+
+function isLocalDevelopmentRequest(requestUrl) {
+  if (!requestUrl) return false;
+  const { hostname } = new URL(requestUrl);
+  return hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '0.0.0.0' || hostname === '::1' || hostname === '::';
+}
+
+function publicDelegatedIdentityConfig(delegatedIdentity) {
+  return {
+    enabled: delegatedIdentity.enabled,
+    userHeader: delegatedIdentity.userHeader,
+    groupsHeader: delegatedIdentity.groupsHeader,
+    emailHeader: delegatedIdentity.emailHeader,
+    localDevelopment: clone(delegatedIdentity.localDevelopment)
+  };
+}
+
+function cryptoSafeState() {
+  return Math.random().toString(36).slice(2) + Date.now().toString(36);
+}

package/src/component-catalog.js

@@ -0,0 +1,41 @@
+export const KRATE_COMPONENTS = Object.freeze([
+  { id: 'control-plane', title: 'Control Plane', area: 'api', resources: ['Repository', 'BranchProtection', 'RefPolicy'], evidence: ['src/control-plane.js', 'charts/krate/crds'] },
+  { id: 'data-plane', title: 'Repository Data Plane', area: 'git', resources: ['Repository'], evidence: ['src/data-plane.js', 'src/gitea-backend.js', 'charts/krate/templates/gitea.yaml'] },
+  { id: 'identity-policy', title: 'Identity, RBAC, and Policy', area: 'security', resources: ['BranchProtection', 'RefPolicy'], evidence: ['src/identity-policy.js', 'examples/policy-kyverno-pr-title.yaml'] },
+  { id: 'runners-ci', title: 'Runners and CI', area: 'automation', resources: ['RunnerPool', 'Pipeline', 'Job'], evidence: ['src/runners-ci.js', 'docs/components/runners-ci.md'] },
+  { id: 'hooks-events', title: 'Hooks and Events', area: 'integrations', resources: ['WebhookSubscription', 'WebhookDelivery'], evidence: ['src/hooks-events.js', 'docs/components/hooks-events.md'] },
+  { id: 'operations-publishing', title: 'Operations and Publishing', area: 'release', resources: ['APIService', 'Deployment'], evidence: ['src/operations.js', 'charts/krate', 'scripts/setup-minikube.mjs'] },
+  { id: 'web-ui', title: 'Web UI', area: 'experience', resources: ['View'], evidence: ['src/web-ui.js', 'public/index.html'] }
+]);
+
+export function createKrateComponentCatalog(demo) {
+  const resourceKinds = new Set(Object.values(demo.resources).flatMap((value) => value?.kind ? [value.kind] : [value?.pipeline?.kind, ...(value?.jobs || []).map((job) => job.kind)]).filter(Boolean));
+  return KRATE_COMPONENTS.map((component) => ({
+    ...component,
+    implemented: component.resources.some((kind) => resourceKinds.has(kind)) || component.id === 'operations-publishing' || component.id === 'web-ui',
+    resourceCount: component.resources.filter((kind) => resourceKinds.has(kind)).length,
+    docs: `docs/components/${component.id}.md`
+  }));
+}
+
+export function createKrateLifecycleSnapshot(demo, { packageInfo = {}, generatedAt = new Date().toISOString() } = {}) {
+  const catalog = createKrateComponentCatalog(demo);
+  const smoke = demo.smoke || { ok: true, assertions: [] };
+  return {
+    project: 'Krate',
+    version: packageInfo.version || '0.1.0',
+    generatedAt,
+    status: smoke.ok && catalog.every((component) => component.implemented) ? 'ready-for-local-development' : 'needs-attention',
+    components: catalog,
+    resources: Object.fromEntries(Object.entries(demo.resources).map(([name, value]) => [name, value?.kind || value?.pipeline?.kind || 'workflow'])),
+    storage: demo.controlPlane.storageReport(),
+    flows: demo.ui.dashboard.excellentFlows,
+    operations: {
+      chart: demo.operations.chartPackage.chart,
+      setup: demo.operations.localSetup.script,
+      releaseGates: demo.operations.releaseGates,
+      observability: demo.operations.observability
+    },
+    validation: smoke.assertions.map(([name, passed]) => ({ name, passed }))
+  };
+}