npm - @a5c-ai/krate - Versions diffs - 5.0.1-staging.f672fe79b - Mend

@a5c-ai/krate 5.0.1-staging.f672fe79b

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (174) hide show

package/Dockerfile +29 -0
package/README.md +183 -0
package/bin/krate-demo.mjs +23 -0
package/bin/krate-server.mjs +14 -0
package/dist/krate-controller-ui.json +2407 -0
package/dist/krate-lifecycle.json +201 -0
package/dist/krate-runtime-snapshot.json +2955 -0
package/dist/krate-summary.json +687 -0
package/docs/README.md +61 -0
package/docs/agents/README.md +83 -0
package/docs/agents/acceptance-test-matrix.md +193 -0
package/docs/agents/agent-mux-adapter-contract.md +167 -0
package/docs/agents/agent-mux-source-map.md +310 -0
package/docs/agents/agent-run-memory-import-spec.md +256 -0
package/docs/agents/agent-stack-management-spec.md +421 -0
package/docs/agents/api-contract-spec.md +309 -0
package/docs/agents/artifacts-writeback-spec.md +145 -0
package/docs/agents/chart-packaging-spec.md +128 -0
package/docs/agents/ci-orchestration-spec.md +140 -0
package/docs/agents/context-assembly-spec.md +219 -0
package/docs/agents/controller-reconciliation-spec.md +255 -0
package/docs/agents/crd-schema-spec.md +315 -0
package/docs/agents/decision-log-open-questions.md +169 -0
package/docs/agents/developer-implementation-checklist.md +329 -0
package/docs/agents/dispatching-design.md +262 -0
package/docs/agents/glossary.md +66 -0
package/docs/agents/implementation-blueprint.md +324 -0
package/docs/agents/implementation-rollout-slices.md +251 -0
package/docs/agents/memory-context-integration-spec.md +194 -0
package/docs/agents/memory-ontology-schema-spec.md +253 -0
package/docs/agents/memory-operations-runbook.md +121 -0
package/docs/agents/mvp-vertical-slice-spec.md +146 -0
package/docs/agents/observability-audit-spec.md +265 -0
package/docs/agents/operator-runbook.md +174 -0
package/docs/agents/org-memory-api-payload-examples.md +333 -0
package/docs/agents/org-memory-controller-sequence-spec.md +181 -0
package/docs/agents/org-memory-e2e-fixture-plan.md +161 -0
package/docs/agents/org-memory-ui-implementation-map.md +114 -0
package/docs/agents/org-memory-vertical-slice-spec.md +168 -0
package/docs/agents/org-resource-model-delta-spec.md +111 -0
package/docs/agents/org-route-resource-model-spec.md +183 -0
package/docs/agents/org-scoping-namespace-spec.md +114 -0
package/docs/agents/rbac-secrets-management-spec.md +406 -0
package/docs/agents/repository-page-integration-spec.md +255 -0
package/docs/agents/resource-contract-examples.md +808 -0
package/docs/agents/resource-relationship-map.md +190 -0
package/docs/agents/security-threat-model.md +188 -0
package/docs/agents/shared-memory-company-brain-spec.md +358 -0
package/docs/agents/storage-migration-spec.md +168 -0
package/docs/agents/subagent-orchestration-spec.md +152 -0
package/docs/agents/system-overview.md +88 -0
package/docs/agents/tools-mcp-skills-spec.md +189 -0
package/docs/agents/traceability-matrix.md +79 -0
package/docs/agents/ui-flow-spec.md +211 -0
package/docs/agents/ui-ux-system-spec.md +426 -0
package/docs/agents/workspace-lifecycle-spec.md +166 -0
package/docs/architecture-spec.md +78 -0
package/docs/components/control-plane.md +78 -0
package/docs/components/data-plane.md +69 -0
package/docs/components/hooks-events.md +67 -0
package/docs/components/identity-rbac-policy.md +73 -0
package/docs/components/kubevela-oam.md +70 -0
package/docs/components/operations-publishing.md +81 -0
package/docs/components/runners-ci.md +66 -0
package/docs/components/web-ui.md +94 -0
package/docs/external/README.md +47 -0
package/docs/external/bidirectional-sync-design.md +134 -0
package/docs/external/cicd-interface.md +64 -0
package/docs/external/external-backend-controllers.md +170 -0
package/docs/external/external-backend-crds.md +234 -0
package/docs/external/external-backend-ui-spec.md +151 -0
package/docs/external/external-backend-ux-flows.md +115 -0
package/docs/external/external-object-mapping.md +125 -0
package/docs/external/git-forge-interface.md +68 -0
package/docs/external/github-integration-design.md +151 -0
package/docs/external/issue-tracking-interface.md +66 -0
package/docs/external/provider-capability-manifests.md +204 -0
package/docs/external/provider-catalog.md +139 -0
package/docs/external/provider-rollout-testing.md +78 -0
package/docs/external/research-results.md +48 -0
package/docs/external/security-auth-permissions.md +81 -0
package/docs/external/sync-state-machines.md +108 -0
package/docs/external/unified-external-backend-model.md +107 -0
package/docs/external/user-facing-changes.md +67 -0
package/docs/gaps.md +161 -0
package/docs/install.md +94 -0
package/docs/krate-design.md +334 -0
package/docs/local-minikube.md +55 -0
package/docs/ontology/README.md +32 -0
package/docs/ontology/bounded-contexts.md +29 -0
package/docs/ontology/events-and-hooks.md +32 -0
package/docs/ontology/oam-kubevela.md +32 -0
package/docs/ontology/operations-and-release.md +25 -0
package/docs/ontology/personas-and-actors.md +32 -0
package/docs/ontology/policies-and-invariants.md +33 -0
package/docs/ontology/problem-space.md +30 -0
package/docs/ontology/resource-contracts.md +40 -0
package/docs/ontology/resource-taxonomy.md +42 -0
package/docs/ontology/runners-and-ci.md +29 -0
package/docs/ontology/solution-space.md +24 -0
package/docs/ontology/storage-and-data-boundaries.md +29 -0
package/docs/ontology/validation-matrix.md +24 -0
package/docs/ontology/web-ui-excellent-flows.md +32 -0
package/docs/ontology/workflows.md +39 -0
package/docs/ontology/world.md +35 -0
package/docs/product-requirements.md +62 -0
package/docs/roadmap-mvp.md +87 -0
package/docs/system-requirements.md +90 -0
package/docs/tests/README.md +53 -0
package/docs/tests/agent-qa-plan.md +63 -0
package/docs/tests/browser-ui-tests.md +62 -0
package/docs/tests/ci-quality-gates.md +48 -0
package/docs/tests/coverage-model.md +64 -0
package/docs/tests/e2e-scenario-tests.md +53 -0
package/docs/tests/fixtures-test-data.md +63 -0
package/docs/tests/observability-reliability-tests.md +54 -0
package/docs/tests/product-test-matrix.md +145 -0
package/docs/tests/qa-adoption-roadmap.md +130 -0
package/docs/tests/qa-automation-plan.md +101 -0
package/docs/tests/security-compliance-tests.md +57 -0
package/docs/tests/test-framework-tools.md +88 -0
package/docs/tests/test-suite-layout.md +121 -0
package/docs/tests/unit-integration-tests.md +48 -0
package/docs/todo-kyverno +714 -0
package/docs/user-stories.md +78 -0
package/examples/minikube-demo.yaml +190 -0
package/examples/oam-application.yaml +23 -0
package/examples/policy-kyverno-pr-title.yaml +18 -0
package/package.json +63 -0
package/scripts/build.mjs +29 -0
package/scripts/setup-minikube.mjs +65 -0
package/scripts/smoke.mjs +37 -0
package/scripts/validate-doc-coverage.mjs +152 -0
package/scripts/validate-package.mjs +93 -0
package/scripts/validate-ui.mjs +207 -0
package/src/agent-approval-controller.js +123 -0
package/src/agent-context-bundles.js +242 -0
package/src/agent-dispatch-controller.js +86 -0
package/src/agent-mux-client.js +280 -0
package/src/agent-permission-review.js +162 -0
package/src/agent-stack-controller.js +296 -0
package/src/agent-trigger-controller.js +108 -0
package/src/api-controller.js +206 -0
package/src/argocd-gitops.js +43 -0
package/src/auth.js +265 -0
package/src/component-catalog.js +41 -0
package/src/control-plane.js +136 -0
package/src/controller-client.js +38 -0
package/src/controller-ui.js +538 -0
package/src/data-plane.js +178 -0
package/src/gitea-backend.js +95 -0
package/src/handoff.js +98 -0
package/src/hooks-events.js +63 -0
package/src/http-server.js +151 -0
package/src/identity-policy.js +86 -0
package/src/index.js +30 -0
package/src/kubernetes-controller.js +812 -0
package/src/kubernetes-resource-gateway.js +48 -0
package/src/operations.js +112 -0
package/src/resource-model.js +203 -0
package/src/runners-ci.js +48 -0
package/src/runtime.js +196 -0
package/src/web-ui.js +40 -0
package/tests/agent-approval-controller.test.js +173 -0
package/tests/agent-context-bundles.test.js +278 -0
package/tests/agent-dispatch-controller.test.js +176 -0
package/tests/agent-mux-client.test.js +204 -0
package/tests/agent-permission-review.test.js +209 -0
package/tests/agent-resources.test.js +212 -0
package/tests/agent-stack-controller.test.js +221 -0
package/tests/agent-trigger-controller.test.js +211 -0
package/tests/deployment.test.js +395 -0
package/tests/e2e/lifecycle.test.js +117 -0
package/tests/krate.test.js +727 -0

package/src/data-plane.js ADDED Viewed

@@ -0,0 +1,178 @@
+import { giteaRepositoryIntegrationPlan } from './gitea-backend.js';
+import { clone, createResource } from './resource-model.js';
+export function createDefaultGiteaGitBackend({ baseUrl = 'http://krate-gitea-http:3000', sshDomain = 'krate-gitea-ssh', owner = 'krate', webhookBaseUrl = 'http://krate-webhook-worker' } = {}) {
+  return { type: 'gitea', baseUrl: baseUrl.replace(/\/$/, ''), sshDomain, owner, webhookBaseUrl: webhookBaseUrl.replace(/\/$/, '') };
+}
+export function createGiteaRepositoryHosting({ backend = createDefaultGiteaGitBackend(), namespace = 'default', repository, branch = 'main' }) {
+  const owner = backend.owner || namespace;
+  const httpUrl = `${backend.baseUrl}/${owner}/${repository}.git`;
+  const sshUrl = `ssh://git@${backend.sshDomain}/${owner}/${repository}.git`;
+  const webhookUrl = `${backend.webhookBaseUrl}/repositories/${namespace}/${repository}`;
+  return {
+    backend: 'gitea',
+    owner,
+    repository,
+    branch,
+    httpUrl,
+    sshUrl,
+    deployKeyTitle: 'krate-argocd',
+    organization: { kind: 'Organization', name: owner, delegatedTo: 'Gitea /api/v1/orgs' },
+    sshKeys: { kind: 'SSHKey', scopes: ['user', 'deploy', 'argocd'], delegatedTo: 'Gitea /api/v1/user/keys and /repos/{owner}/{repo}/keys' },
+    permissions: { kind: 'RepositoryPermission', defaultCollaborator: 'write', adminTeam: 'maintainers', delegatedTo: 'Gitea collaborators and team repository APIs' },
+    forgeRecords: { issues: 'Gitea /repos/{owner}/{repo}/issues', pullRequests: 'Gitea /repos/{owner}/{repo}/pulls' },
+    webhookUrl,
+    integrationPlan: giteaRepositoryIntegrationPlan({ owner, repo: repository, deployKeyTitle: 'krate-argocd', permission: 'write', branch, webhookUrl })
+  };
+}
+export function stableRepositoryStoreIndex(repositoryName, storeCount) {
+  let hash = 0;
+  for (const character of repositoryName) hash = (hash * 31 + character.charCodeAt(0)) >>> 0;
+  return hash % storeCount;
+}
+export class GiteaRepositoryStore {
+  constructor({ name = 'gitea-primary', receivePackReady = true, capacity = 1000 } = {}) {
+    this.name = name;
+    this.receivePackReady = receivePackReady;
+    this.capacity = capacity;
+    this.repositories = new Map();
+    this.objects = new Map();
+    this.searchIndex = new Map();
+  }
+  assign(repository) { this.repositories.set(repository.metadata.name, repository); return this; }
+  isReceivePackReady() { return this.receivePackReady; }
+  putObject(repository, object) {
+    const objects = this.objects.get(repository) || [];
+    objects.push(object);
+    this.objects.set(repository, objects);
+    return object;
+  }
+  index(repository, entry) {
+    const entries = this.searchIndex.get(repository) || [];
+    entries.push(entry);
+    this.searchIndex.set(repository, entries);
+    return entry;
+  }
+  snapshot() {
+    return {
+      name: this.name,
+      receivePackReady: this.receivePackReady,
+      capacity: this.capacity,
+      repositories: Object.fromEntries([...this.repositories.entries()].map(([name, resource]) => [name, clone(resource)])),
+      objects: Object.fromEntries([...this.objects.entries()].map(([repository, objects]) => [repository, clone(objects)])),
+      searchIndex: Object.fromEntries([...this.searchIndex.entries()].map(([repository, entries]) => [repository, clone(entries)]))
+    };
+  }
+  importSnapshot(snapshot = {}) {
+    this.receivePackReady = snapshot.receivePackReady ?? this.receivePackReady;
+    this.capacity = snapshot.capacity ?? this.capacity;
+    this.repositories = new Map(Object.entries(snapshot.repositories || {}).map(([name, resource]) => [name, clone(resource)]));
+    this.objects = new Map(Object.entries(snapshot.objects || {}).map(([repository, objects]) => [repository, clone(objects)]));
+    this.searchIndex = new Map(Object.entries(snapshot.searchIndex || {}).map(([repository, entries]) => [repository, clone(entries)]));
+    return this;
+  }
+}
+export class GiteaGitService {
+  constructor({ controlPlane, stores = [new GiteaRepositoryStore()], gitBackend = createDefaultGiteaGitBackend() }) {
+    if (!controlPlane) throw new Error('GiteaGitService requires a controlPlane');
+    this.controlPlane = controlPlane;
+    this.stores = stores;
+    this.gitBackend = gitBackend.type === 'gitea' ? gitBackend : createDefaultGiteaGitBackend(gitBackend);
+    this.integrationPlans = new Map();
+  }
+  snapshot() {
+    return {
+      apiVersion: 'krate.a5c.ai/v1alpha1',
+      kind: 'GiteaGitServiceSnapshot',
+      backend: clone(this.gitBackend),
+      integrationPlans: Object.fromEntries([...this.integrationPlans.entries()].map(([repository, plan]) => [repository, clone(plan)])),
+      stores: this.stores.map((store) => store.snapshot())
+    };
+  }
+  importSnapshot(snapshot = {}) {
+    if (snapshot.backend?.type === 'gitea') this.gitBackend = clone(snapshot.backend);
+    this.integrationPlans = new Map(Object.entries(snapshot.integrationPlans || {}).map(([repository, plan]) => [repository, clone(plan)]));
+    if (!Array.isArray(snapshot.stores)) return this;
+    this.stores = snapshot.stores.map((storeSnapshot) => new GiteaRepositoryStore({
+      name: storeSnapshot.name,
+      receivePackReady: storeSnapshot.receivePackReady,
+      capacity: storeSnapshot.capacity
+    }).importSnapshot(storeSnapshot));
+    return this;
+  }
+  route(repositoryName) {
+    const store = this.stores[stableRepositoryStoreIndex(repositoryName, this.stores.length)];
+    const owner = this.gitBackend.owner || 'krate';
+    return { repositoryName, backend: 'gitea', owner, store: store.name, receivePackReady: store.isReceivePackReady(), httpUrl: `${this.gitBackend.baseUrl}/${owner}/${repositoryName}.git`, sshUrl: `ssh://git@${this.gitBackend.sshDomain}/${owner}/${repositoryName}.git` };
+  }
+  createRepository({ name, namespace = 'krate-org-default', organizationRef = 'default', visibility = 'private' }, user) {
+    const route = this.route(name);
+    const hosting = createGiteaRepositoryHosting({ backend: this.gitBackend, namespace, repository: name });
+    const repository = createResource('Repository', { name, namespace, labels: { gitBackend: 'gitea' } }, {
+      organizationRef,
+      visibility,
+      gitHosting: hosting,
+      storage: { mode: 'gitea', persistentVolumeClaim: 'krate-gitea-data', owner: hosting.owner, repository: name, httpUrl: hosting.httpUrl, sshUrl: hosting.sshUrl },
+      objectStorage: { lfs: true, artifacts: true },
+      search: { provider: 'zoekt', enabled: false }
+    }, { ready: true, route: { ...route, backend: 'gitea' }, gitHosting: { backend: 'gitea', httpUrl: hosting.httpUrl, sshUrl: hosting.sshUrl, integrationPlan: hosting.integrationPlan } });
+    const created = this.controlPlane.create(repository, user);
+    this.integrationPlans.set(name, hosting.integrationPlan);
+    this.stores.find((store) => store.name === route.store).assign(created);
+    return created;
+  }
+  receivePack({ repository, namespace = 'krate-org-default', ref, oldRev = '0'.repeat(40), newRev, actor }) {
+    const route = this.route(repository);
+    if (!route.receivePackReady) throw new Error(`receive-pack for ${repository} is not ready`);
+    const refPolicies = this.controlPlane.list('RefPolicy', { namespace }).items;
+    const branchProtections = this.controlPlane.list('BranchProtection', { namespace }).items;
+    const deniedByPolicy = refPolicies.find((policy) => (policy.spec.deny || []).some((prefix) => ref.startsWith(prefix)));
+    if (deniedByPolicy) throw new Error(`RefPolicy ${deniedByPolicy.metadata.name} denied ${ref}`);
+    const protectedBranch = branchProtections.find((policy) => (policy.spec.refs || []).includes(ref));
+    const isRepoAdmin = actor.groups?.includes('krate:repo-admins') || actor.groups?.includes('krate:platform-engineers');
+    if (protectedBranch && protectedBranch.spec.requirePullRequest && !isRepoAdmin) {
+      throw new Error(`BranchProtection ${protectedBranch.metadata.name} requires pull request for ${ref}`);
+    }
+    const event = { repository, namespace, ref, oldRev, newRev, actor: actor.name, backend: 'gitea', store: route.store, remoteUrl: route.httpUrl, at: new Date().toISOString() };
+    this.controlPlane.events.push({ type: 'git.receive-pack', resource: event, storage: 'gitea' });
+    return event;
+  }
+  uploadPack({ repository }) {
+    const route = this.route(repository);
+    return { repository, backend: 'gitea', store: route.store, remoteUrl: route.httpUrl, cacheable: true };
+  }
+  recordObject({ repository, namespace = 'default', key, size, mediaType = 'application/octet-stream' }) {
+    const route = this.route(repository);
+    const store = this.stores.find((candidate) => candidate.name === route.store);
+    const object = { repository, namespace, key, size, mediaType, store: route.store, storage: 'object-storage', at: new Date().toISOString() };
+    store.putObject(repository, object);
+    this.controlPlane.events.push({ type: 'git.object-recorded', resource: object, storage: 'object-storage' });
+    return object;
+  }
+  enqueueSearchIndex({ repository, namespace = 'default', commit, paths = [] }) {
+    const route = this.route(repository);
+    const store = this.stores.find((candidate) => candidate.name === route.store);
+    const entry = { repository, namespace, commit, paths, store: route.store, provider: 'zoekt', status: 'queued', at: new Date().toISOString() };
+    store.index(repository, entry);
+    this.controlPlane.events.push({ type: 'search.index-queued', resource: entry, storage: 'search-index' });
+    return entry;
+  }
+}

package/src/gitea-backend.js ADDED Viewed

@@ -0,0 +1,95 @@
+export function createGiteaBackend({ baseUrl = 'http://krate-gitea-http:3000', token, fetchImpl = globalThis.fetch } = {}) {
+  if (!fetchImpl) throw new Error('Gitea backend requires a fetch implementation');
+  const root = baseUrl.replace(/\/$/, '');
+  async function request(method, path, body) {
+    const response = await fetchImpl(`${root}/api/v1${path}`, {
+      method,
+      headers: {
+        Accept: 'application/json',
+        'Content-Type': 'application/json',
+        ...(token ? { Authorization: `token ${token}` } : {})
+      },
+      ...(body === undefined ? {} : { body: JSON.stringify(body) })
+    });
+    if (!response.ok) throw new Error(`Gitea ${method} ${path} failed with ${response.status}`);
+    return response.status === 204 ? null : response.json();
+  }
+  return {
+    role: 'gitea-backend',
+    baseUrl: root,
+    createOrganization({ name, fullName = name, description = '', visibility = 'private' }) {
+      return request('POST', '/orgs', { username: name, full_name: fullName, description, visibility });
+    },
+    createUser({ username, email, fullName = username, password, mustChangePassword = true }) {
+      return request('POST', '/admin/users', { username, email, full_name: fullName, password, must_change_password: mustChangePassword });
+    },
+    editUser({ username, email, fullName, active = true, admin = false }) {
+      return request('PATCH', `/admin/users/${encodeURIComponent(username)}`, { email, full_name: fullName, active, admin });
+    },
+    addUserSshKey({ title, key, readOnly = false }) {
+      return request('POST', '/user/keys', { title, key, read_only: readOnly });
+    },
+    createRepository({ owner, name, private: isPrivate = true, defaultBranch = 'main', description = '' }) {
+      const path = owner ? `/orgs/${encodeURIComponent(owner)}/repos` : '/user/repos';
+      return request('POST', path, { name, private: isPrivate, default_branch: defaultBranch, description, auto_init: false });
+    },
+    addDeployKey({ owner, repo, title, key, readOnly = true }) {
+      return request('POST', `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/keys`, { title, key, read_only: readOnly });
+    },
+    addCollaborator({ owner, repo, username, permission = 'read' }) {
+      return request('PUT', `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/collaborators/${encodeURIComponent(username)}`, { permission });
+    },
+    addTeamRepository({ org, team, repo, owner = org, permission = 'read' }) {
+      return request('PUT', `/teams/${encodeURIComponent(team)}/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}`, { permission });
+    },
+    createTeam({ org, name, permission = 'read', units = ['repo.code', 'repo.pulls', 'repo.issues'] }) {
+      return request('POST', `/orgs/${encodeURIComponent(org)}/teams`, { name, permission, units });
+    },
+    addTeamMember({ team, username }) {
+      return request('PUT', `/teams/${encodeURIComponent(team)}/members/${encodeURIComponent(username)}`);
+    },
+    protectBranch({ owner, repo, branch = 'main', approvals = 1, statusChecks = [] }) {
+      return request('POST', `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/branch_protections`, {
+        branch_name: branch,
+        enable_push: false,
+        enable_push_whitelist: true,
+        required_approvals: approvals,
+        enable_status_check: statusChecks.length > 0,
+        status_check_contexts: statusChecks
+      });
+    },
+    createIssue({ owner, repo, title, body = '', labels = [], assignees = [] }) {
+      return request('POST', `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/issues`, { title, body, labels, assignees });
+    },
+    createPullRequest({ owner, repo, title, head, base = 'main', body = '' }) {
+      return request('POST', `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/pulls`, { title, head, base, body });
+    },
+    createWebhook({ owner, repo, url, events = ['push', 'pull_request'], secret }) {
+      return request('POST', `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}/hooks`, {
+        type: 'gitea',
+        active: true,
+        events,
+        config: { url, content_type: 'json', ...(secret ? { secret } : {}) }
+      });
+    }
+  };
+}
+export function giteaRepositoryIntegrationPlan({ owner, repo, deployKeyTitle = 'krate-gitops', permission = 'write', branch = 'main', webhookUrl }) {
+  return {
+    backend: 'gitea',
+    operations: [
+      { action: 'createOrganization', owner },
+      { action: 'createRepository', owner, repo },
+      { action: 'ensureUserMappings', owner },
+      { action: 'addDeployKey', owner, repo, title: deployKeyTitle, readOnly: false },
+      { action: 'addUserSshKey', owner, repo, title: 'developer key' },
+      { action: 'addCollaborator', owner, repo, permission },
+      { action: 'addTeamRepository', owner, repo, team: 'maintainers', permission: 'admin' },
+      { action: 'protectBranch', owner, repo, branch },
+      { action: 'createWebhook', owner, repo, url: webhookUrl }
+    ]
+  };
+}

package/src/handoff.js ADDED Viewed

@@ -0,0 +1,98 @@
+export const HANDOFF_COMMANDS = Object.freeze({
+  build: 'npm run build',
+  demo: 'npm run demo',
+  serve: 'npm run serve',
+  check: 'npm run check',
+  test: 'npm test',
+  smoke: 'npm run smoke',
+  validateDocs: 'npm run validate:docs',
+  e2e: 'npm run e2e',
+  packageCheck: 'npm run package:check',
+  setupMinikube: 'npm run setup:minikube -- --dry-run',
+  dev: 'npm run dev',
+  uiBuild: 'npm run ui:build',
+  uiValidate: 'npm run ui:validate'
+});
+export const HANDOFF_DOCS = Object.freeze([
+  'docs/README.md',
+  'docs/product-requirements.md',
+  'docs/system-requirements.md',
+  'docs/architecture-spec.md',
+  'docs/user-stories.md',
+  'docs/roadmap-mvp.md',
+  'docs/local-minikube.md',
+  'docs/install.md',
+  'docs/ontology/README.md'
+]);
+export function createKrateHandoffSummary(demo, { packageInfo = {}, generatedAt = new Date().toISOString() } = {}) {
+  const smoke = demo.smoke || { ok: true, assertions: [] };
+  return {
+    project: 'Krate',
+    description: 'Kubernetes-native forge runtime with Argo CD and Krate-managed repository hosting',
+    package: {
+      name: packageInfo.name || 'krate',
+      version: packageInfo.version || '0.1.0',
+      private: packageInfo.private !== false
+    },
+    entrypoints: {
+      library: './src/index.js',
+      cli: './bin/krate-demo.mjs',
+      runtimeServer: './bin/krate-server.mjs',
+      webPreview: './public/index.html',
+      nextUi: './apps/web',
+      generatedSummary: './dist/krate-summary.json',
+      lifecycleSnapshot: './dist/krate-lifecycle.json',
+      helmChart: './charts/krate',
+      minikubeSetup: './scripts/setup-minikube.mjs'
+    },
+    commands: { ...HANDOFF_COMMANDS },
+    docs: [...HANDOFF_DOCS],
+    components: demo.components || [],
+    lifecycle: demo.lifecycle || null,
+    resources: Object.fromEntries(Object.entries(demo.resources).map(([key, value]) => [key, value?.kind || 'workflow'])),
+    storage: demo.controlPlane.storageReport(),
+    excellentFlows: demo.ui.dashboard.excellentFlows,
+    agents: demo.agents ? {
+      stacks: demo.agents.stacks?.count || 0,
+      runs: demo.agents.runs?.count || 0,
+      activeRuns: demo.agents.runs?.active?.length || 0,
+      rules: demo.agents.rules?.count || 0,
+      sessions: demo.agents.sessions?.count || 0,
+      workspaces: demo.agents.workspaces?.count || 0,
+      pendingApprovals: demo.agents.approvals?.pending?.length || 0
+    } : null,
+    operations: { chartPackage: demo.operations.chartPackage, localSetup: demo.operations.localSetup },
+    releaseGates: demo.operations.releaseGates,
+    smoke: {
+      ok: smoke.ok,
+      assertions: smoke.assertions.map(([name, passed]) => ({ name, passed }))
+    },
+    generatedAt
+  };
+}
+export function formatHandoffSummary(summary) {
+  const lines = [
+    `${summary.project} ${summary.package.version} — ${summary.description}`,
+    '',
+    'Entrypoints:',
+    ...Object.entries(summary.entrypoints).map(([name, target]) => `- ${name}: ${target}`),
+    '',
+    'Commands:',
+    ...Object.entries(summary.commands).map(([name, command]) => `- ${name}: ${command}`),
+    '',
+    'Storage boundary:',
+    `- etcd: ${summary.storage.etcd.join(', ')}`,
+    `- postgres: ${summary.storage.postgres.join(', ')}`,
+    '',
+    'Excellent flows:',
+    ...summary.excellentFlows.map((flow) => `- ${flow}`),
+    '',
+    `Smoke: ${summary.smoke.ok ? 'pass' : 'fail'}`
+  ];
+  return `${lines.join('\n')}\n`;
+}

package/src/hooks-events.js ADDED Viewed

@@ -0,0 +1,63 @@
+import { createHmac } from 'node:crypto';
+import { createResource } from './resource-model.js';
+export class WebhookBus {
+  constructor({ controlPlane, secret = 'krate-dev-secret' }) { this.controlPlane = controlPlane; this.secret = secret; }
+  subscribe({ name, namespace = 'krate-org-default', organizationRef = 'default', url, events = ['pullrequest.created'], mode = 'active' }, user) {
+    return this.controlPlane.create(createResource('WebhookSubscription', { name, namespace }, {
+      organizationRef, url, events, signing: { algorithm: 'hmac-sha256', secretRef: `${name}-secret` }, mode
+    }, { ready: true }), user);
+  }
+  sign(payload) { return createHmac('sha256', this.secret).update(JSON.stringify(payload)).digest('hex'); }
+  deliver({ subscriptionName, namespace = 'krate-org-default', organizationRef = 'default', eventType, payload, response = { status: 202, body: 'accepted' } }, user) {
+    const subscription = this.controlPlane.get('WebhookSubscription', namespace, subscriptionName);
+    if (!subscription) throw new Error(`WebhookSubscription ${subscriptionName} not found`);
+    if (!subscription.spec.events.includes(eventType)) throw new Error(`${subscriptionName} does not subscribe to ${eventType}`);
+    const delivery = createResource('WebhookDelivery', {
+      name: `${subscriptionName}-${Date.now()}-${this.controlPlane.list('WebhookDelivery', { namespace }).items.length + 1}`,
+      namespace,
+      labels: { subscription: subscriptionName, eventType }
+    }, {
+      organizationRef: subscription.spec.organizationRef || organizationRef,
+      subscription: subscriptionName,
+      url: subscription.spec.url,
+      eventType,
+      payload,
+      signature: this.sign(payload),
+      replayOf: payload.replayOf || null
+    }, {
+      phase: response.status >= 200 && response.status < 300 ? 'Delivered' : 'Failed',
+      response,
+      attempts: 1
+    });
+    return this.controlPlane.create(delivery, user);
+  }
+  replay(delivery, user) {
+    return this.deliver({
+      subscriptionName: delivery.spec.subscription,
+      namespace: delivery.metadata.namespace,
+      organizationRef: delivery.spec.organizationRef,
+      eventType: delivery.spec.eventType,
+      payload: { ...delivery.spec.payload, replayOf: delivery.metadata.name },
+      response: { status: 202, body: 'replayed' }
+    }, user);
+  }
+  inspect(delivery) {
+    return {
+      name: delivery.metadata.name,
+      subscription: delivery.spec.subscription,
+      eventType: delivery.spec.eventType,
+      phase: delivery.status.phase,
+      attempts: delivery.status.attempts,
+      response: delivery.status.response,
+      signature: delivery.spec.signature,
+      replayOf: delivery.spec.replayOf,
+      replayable: Boolean(delivery.spec.subscription && delivery.spec.eventType)
+    };
+  }
+}

package/src/http-server.js ADDED Viewed

@@ -0,0 +1,151 @@
+import { createServer } from 'node:http';
+import { createKrateRuntime } from './runtime.js';
+import { createControllerUiModel } from './controller-ui.js';
+import { createKrateApiController } from './api-controller.js';
+import { createKubernetesResourceGateway } from './kubernetes-resource-gateway.js';
+import { orgNamespaceName } from './kubernetes-controller.js';
+const jsonHeaders = { 'content-type': 'application/json; charset=utf-8' };
+export function createKrateHttpHandler({ runtime = createKrateRuntime(), controller = createKrateApiController({ resourceGateway: createKubernetesResourceGateway() }) } = {}) {
+  return async function handleKrateRequest(request, response) {
+    try {
+      const url = new URL(request.url || '/', 'http://localhost');
+      if (request.method === 'GET' && url.pathname === '/healthz') return send(response, 200, { ok: true, project: 'Krate' });
+      if (request.method === 'GET' && url.pathname === '/api/controller') return send(response, 200, createControllerUiModel(await controller.snapshot(), { organization: url.searchParams.get('org') || undefined }));
+      if (url.pathname === '/api/orgs') {
+        if (request.method === 'GET') return send(response, 200, { organizations: createControllerUiModel(await controller.snapshot()).orgs });
+        if (request.method === 'POST') return send(response, 201, await controller.createOrganization(await readJson(request)));
+      }
+      const orgResourceCollectionMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/resources$/);
+      if (orgResourceCollectionMatch) {
+        const org = orgResourceCollectionMatch[1];
+        const scopedController = createKrateApiController({ namespace: orgNamespaceName(org) });
+        if (request.method === 'GET') return send(response, 200, await scopedController.listResource(url.searchParams.get('kind') || 'Repository'));
+        if (request.method === 'POST') return send(response, 201, await scopedController.applyResource(scopeResource(await readJson(request), org)));
+      }
+      const orgResourceMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/resources\/([^/]+)\/([^/]+)$/);
+      if (orgResourceMatch) {
+        const scopedController = createKrateApiController({ namespace: orgNamespaceName(orgResourceMatch[1]) });
+        if (request.method === 'GET') return send(response, 200, await scopedController.getResource(orgResourceMatch[2], orgResourceMatch[3]));
+        if (request.method === 'DELETE') return send(response, 200, await scopedController.deleteResource(orgResourceMatch[2], orgResourceMatch[3]));
+      }
+      const orgRepositoryCollectionMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/repositories$/);
+      if (orgRepositoryCollectionMatch) {
+        const org = orgRepositoryCollectionMatch[1];
+        const scopedController = createKrateApiController({ namespace: orgNamespaceName(org) });
+        if (request.method === 'GET') return send(response, 200, await scopedController.listResource('Repository'));
+        if (request.method === 'POST') return send(response, 201, await scopedController.createRepository({ ...(await readJson(request)), organizationRef: org }));
+      }
+      const orgRepositoryMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/repositories\/([^/]+)$/);
+      if (orgRepositoryMatch) {
+        const scopedController = createKrateApiController({ namespace: orgNamespaceName(orgRepositoryMatch[1]) });
+        if (request.method === 'GET') return send(response, 200, await scopedController.getResource('Repository', orgRepositoryMatch[2]));
+        if (request.method === 'DELETE') return send(response, 200, await scopedController.deleteResource('Repository', orgRepositoryMatch[2]));
+      }
+      const orgSnapshotMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/snapshot$/);
+      if (orgSnapshotMatch) {
+        ensureRuntimeOrg(runtime, orgSnapshotMatch[1]);
+        if (request.method === 'GET') return send(response, 200, runtime.snapshot());
+        if (request.method === 'POST') return send(response, 200, runtime.importSnapshot(await readJson(request)));
+      }
+      const runtimeResourceMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/runtime-resources\/([^/]+)$/);
+      if (request.method === 'GET' && runtimeResourceMatch) {
+        ensureRuntimeOrg(runtime, runtimeResourceMatch[1]);
+        return send(response, 200, runtime.controlPlane.list(runtimeResourceMatch[2], { namespace: orgNamespaceName(runtimeResourceMatch[1]) }));
+      }
+      const objectMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/repositories\/([^/]+)\/objects$/);
+      if (request.method === 'POST' && objectMatch) {
+        ensureRuntimeOrg(runtime, objectMatch[1]);
+        ensureRepository(runtime, objectMatch[2]);
+        return send(response, 201, runtime.git.recordObject({ organizationRef: objectMatch[1], repository: objectMatch[2], namespace: orgNamespaceName(objectMatch[1]), ...(await readJson(request)) }));
+      }
+      const searchIndexMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/repositories\/([^/]+)\/search-index$/);
+      if (request.method === 'POST' && searchIndexMatch) {
+        ensureRuntimeOrg(runtime, searchIndexMatch[1]);
+        ensureRepository(runtime, searchIndexMatch[2]);
+        return send(response, 202, runtime.git.enqueueSearchIndex({ organizationRef: searchIndexMatch[1], repository: searchIndexMatch[2], namespace: orgNamespaceName(searchIndexMatch[1]), ...(await readJson(request)) }));
+      }
+      const pullRequestCollectionMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/pullrequests$/);
+      if (request.method === 'POST' && pullRequestCollectionMatch) {
+        ensureRuntimeOrg(runtime, pullRequestCollectionMatch[1]);
+        return send(response, 201, runtime.createPullRequest({ ...(await readJson(request)), organizationRef: pullRequestCollectionMatch[1] }));
+      }
+      const reviewMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/pullrequests\/([^/]+)\/reviews$/);
+      if (request.method === 'POST' && reviewMatch) {
+        ensureRuntimeOrg(runtime, reviewMatch[1]);
+        return send(response, 201, runtime.addReview({ ...(await readJson(request)), pullRequest: reviewMatch[2] }));
+      }
+      const completeMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/pullrequests\/([^/]+)\/checks\/complete$/);
+      if (request.method === 'POST' && completeMatch) {
+        ensureRuntimeOrg(runtime, completeMatch[1]);
+        return send(response, 200, runtime.completePipeline({ pipeline: `pipeline-${completeMatch[2]}`, ...(await readJson(request)) }));
+      }
+      const mergeMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/pullrequests\/([^/]+)\/merge$/);
+      if (request.method === 'POST' && mergeMatch) {
+        ensureRuntimeOrg(runtime, mergeMatch[1]);
+        return send(response, 200, runtime.mergePullRequest({ ...(await readJson(request)), pullRequest: mergeMatch[2] }));
+      }
+      const agentApprovalDecideMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/agents\/approvals\/([^/]+)\/decide$/);
+      if (request.method === 'POST' && agentApprovalDecideMatch) {
+        const org = agentApprovalDecideMatch[1];
+        const approvalName = agentApprovalDecideMatch[2];
+        const body = await readJson(request);
+        const scopedController = createKrateApiController({ namespace: orgNamespaceName(org) });
+        const input = { approvalName, decidedBy: body.decidedBy || 'unknown', reason: body.reason || '' };
+        const result = body.decision === 'approve'
+          ? await scopedController.approveAgentAction(input)
+          : await scopedController.denyAgentAction(input);
+        return send(response, result.error ? 400 : 200, result);
+      }
+      const agentTriggerProcessMatch = url.pathname.match(/^\/api\/orgs\/([^/]+)\/agents\/triggers\/process$/);
+      if (request.method === 'POST' && agentTriggerProcessMatch) {
+        const org = agentTriggerProcessMatch[1];
+        const scopedController = createKrateApiController({ namespace: orgNamespaceName(org) });
+        const body = await readJson(request);
+        const result = await scopedController.processWebhookEvent({ ...body, organizationRef: org });
+        return send(response, 200, result);
+      }
+      return send(response, 404, { error: 'not_found', method: request.method, path: url.pathname });
+    } catch (error) {
+      return send(response, 400, { error: 'bad_request', message: error.message });
+    }
+  };
+}
+export function createKrateHttpServer(options = {}) {
+  return createServer(createKrateHttpHandler(options));
+}
+function scopeResource(resource, org) {
+  const namespace = orgNamespaceName(org);
+  return {
+    ...resource,
+    metadata: { ...(resource.metadata || {}), namespace, labels: { ...(resource.metadata?.labels || {}), 'krate.a5c.ai/org': org, 'krate.a5c.ai/namespace': namespace } },
+    spec: { ...(resource.spec || {}), organizationRef: org }
+  };
+}
+function ensureRuntimeOrg(runtime, org) {
+  if (runtime.organizationRef !== org || runtime.namespace !== orgNamespaceName(org)) throw new Error(`Runtime is scoped to ${runtime.organizationRef}`);
+}
+function ensureRepository(runtime, repository) {
+  const existing = runtime.controlPlane.get('Repository', runtime.namespace, repository);
+  if (!existing) throw new Error(`Repository ${repository} not found`);
+  return existing;
+}
+async function readJson(request) {
+  const chunks = [];
+  for await (const chunk of request) chunks.push(chunk);
+  const text = Buffer.concat(chunks).toString('utf8');
+  return text ? JSON.parse(text) : {};
+}
+function send(response, status, body) {
+  response.writeHead(status, jsonHeaders);
+  response.end(JSON.stringify(body, null, 2));
+}