@a5c-ai/krate 5.0.1-staging.f672fe79b

package/src/kubernetes-resource-gateway.js

@@ -0,0 +1,48 @@
+import { createKubernetesResourceClient, repositoryManifest } from './kubernetes-controller.js';
+
+export const KUBERNETES_RESOURCE_GATEWAY_BOUNDARY = {
+  role: 'kubernetes-resource-gateway',
+  scope: 'Application port translating API controller intent into Kubernetes resource-client operations',
+  owns: ['resource definitions', 'list/get/apply/delete/watch delegation', 'Repository manifest application', 'namespace scoping'],
+  delegatesTo: ['kubernetes-resource-client'],
+  mustNotOwn: ['HTTP routes', 'Next.js page flow decisions', 'forge DTO composition', 'Kubernetes reconciliation scheduling']
+};
+
+export function createKubernetesResourceGateway(options = {}) {
+  const resourceClient = options.resourceClient || options.kubernetesClient || createKubernetesResourceClient(options);
+  const namespace = options.namespace || resourceClient.namespace || process.env.KRATE_NAMESPACE || 'krate-system';
+
+  return {
+    ...KUBERNETES_RESOURCE_GATEWAY_BOUNDARY,
+    namespace,
+    resourceDefinitions: resourceClient.resourceDefinitions,
+    async snapshot() {
+      return resourceClient.snapshot();
+    },
+    async list(kindOrPlural) {
+      return resourceClient.listResource(kindOrPlural);
+    },
+    async get(kindOrPlural, name) {
+      return resourceClient.getResource(kindOrPlural, name);
+    },
+    async apply(resource) {
+      return resourceClient.applyResource(resource);
+    },
+    async delete(kindOrPlural, name) {
+      return resourceClient.deleteResource(kindOrPlural, name);
+    },
+    async createRepository(input) {
+      return resourceClient.applyResource(repositoryManifest(input, namespace));
+    },
+    async createOrganization(input) {
+      return resourceClient.createOrganization(input);
+    },
+    watch(resourcePath, handlers = {}) {
+      return resourceClient.watchResource(resourcePath, handlers);
+    }
+  };
+}
+
+
+
+

package/src/operations.js

@@ -0,0 +1,112 @@
+import { ControlPlane } from './control-plane.js';
+import { GiteaGitService, GiteaRepositoryStore } from './data-plane.js';
+import { WebhookBus } from './hooks-events.js';
+import { RunnerScheduler } from './runners-ci.js';
+import { createAdmissionPolicy, mapOidcIdentity, toResourceYaml } from './identity-policy.js';
+import { createResource } from './resource-model.js';
+import { createDashboard, createPullRequestReviewModel, createRunnerPoolEditor, createTriageView, createWebhookInspector } from './web-ui.js';
+import { createKrateComponentCatalog, createKrateLifecycleSnapshot } from './component-catalog.js';
+
+export function chartPackageSurface() {
+  return {
+    chart: 'charts/krate',
+    values: 'charts/krate/values.yaml',
+    crds: ['Repository', 'BranchProtection', 'RefPolicy', 'RunnerPool', 'WebhookSubscription', 'View', 'Selector'],
+    templates: ['CRDs', 'optional APIService', 'ServiceAccount', 'ClusterRole', 'ClusterRoleBinding', 'Deployment', 'Service', 'NetworkPolicy', 'Gitea backend', 'Argo CD Application'],
+    examples: ['examples/minikube-demo.yaml', 'examples/policy-kyverno-pr-title.yaml'],
+    validation: ['npm run e2e', 'npm run package:check', 'npm run setup:minikube -- --dry-run']
+  };
+}
+
+export function localSetupPlan() {
+  return {
+    script: 'scripts/setup-minikube.mjs',
+    defaultMode: 'dry-run',
+    applyMode: 'npm run setup:minikube -- --apply',
+    requiredTools: ['minikube', 'kubectl', 'helm', 'node', 'npm'],
+    defaultProfile: 'krate',
+    namespace: 'krate-system'
+  };
+}
+
+export function generateInstallManifests({ namespace = 'krate-system' } = {}) {
+  const manifests = [
+    { apiVersion: 'apiregistration.k8s.io/v1', kind: 'APIService', metadata: { name: 'v1alpha1.krate.a5c.ai' }, spec: { group: 'krate.a5c.ai', version: 'v1alpha1', service: { namespace, name: 'krate-api' } } },
+    { apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'krate-api', namespace }, spec: { replicas: 2, template: { spec: { containers: [{ name: 'api', image: 'krate/api:dev' }] } } } },
+    { apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'krate-gitea', namespace, labels: { 'app.kubernetes.io/component': 'gitea-backend' } }, spec: { replicas: 1, template: { spec: { containers: [{ name: 'gitea', image: 'gitea/gitea:1.22-rootless' }] } } } },
+    { apiVersion: 'argoproj.io/v1alpha1', kind: 'Application', metadata: { name: 'krate', namespace: 'argocd' }, spec: { source: { repoURL: 'https://gitea-http.krate-system.svc.cluster.local/krate/platform-config.git', path: 'charts/krate', targetRevision: 'main' }, destination: { namespace, server: 'https://kubernetes.default.svc' }, syncPolicy: { automated: { prune: true, selfHeal: true } } } },
+    { apiVersion: 'apps/v1', kind: 'Deployment', metadata: { name: 'krate-web', namespace }, spec: { replicas: 1 } }
+  ];
+  return manifests.map((manifest) => `---\n${toResourceYaml(manifest)}`).join('\n');
+}
+
+export function backupPlan() {
+  return { resources: ['CRDs and low-cardinality config', 'Postgres aggregated records', 'repository storage', 'object storage'], restoreOrder: ['API/config', 'Postgres', 'repository data', 'objects', 'controllers'], validation: ['list resources', 'read Gitea repository refs', 'open PR', 'replay webhook delivery'] };
+}
+
+export function observabilityModel() {
+  return {
+    metrics: ['api_request_latency', 'postgres_aggregate_lag', 'gitea_receive_pack_latency', 'runner_queue_depth', 'webhook_delivery_phase', 'admission_denials'],
+    logs: ['control-plane audit', 'gitea access', 'runner job', 'webhook dispatcher', 'controller reconcile'],
+    alerts: ['APIService unavailable', 'Postgres unavailable', 'repository service unavailable', 'runner saturation', 'webhook failure burst', 'backup validation failed']
+  };
+}
+
+export function releaseGates() {
+  return ['build', 'docs and ontology coverage', 'unit acceptance tests', 'e2e package lifecycle tests', 'package validation', 'minikube dry-run setup', 'smoke flow', 'backup restore validation', 'known limitations reviewed'];
+}
+
+export function createKrateMvpDemo() {
+  const platformEngineer = mapOidcIdentity({ subject: 'user:platform', email: 'platform@example.com', groups: ['krate:platform-engineers'] });
+  const developer = mapOidcIdentity({ subject: 'user:dev', email: 'dev@example.com', groups: ['krate:developers'] });
+  const repoAdmin = mapOidcIdentity({ subject: 'user:admin', email: 'admin@example.com', groups: ['krate:repo-admins'] });
+  const organizationRef = 'default';
+  const namespace = 'krate-org-default';
+  const controlPlane = new ControlPlane();
+  controlPlane.addAdmissionPolicy(createAdmissionPolicy({ name: 'pr-title-required', mode: 'enforce', match: ({ resource }) => resource.kind === 'PullRequest', validate: ({ resource }) => Boolean(resource.spec.title && resource.spec.title.length >= 8), message: 'PullRequest spec.title must be descriptive' }));
+  const git = new GiteaGitService({ controlPlane, stores: [new GiteaRepositoryStore({ name: 'gitea-primary', receivePackReady: true })] });
+  const runners = new RunnerScheduler({ controlPlane });
+  const webhooks = new WebhookBus({ controlPlane });
+  const repository = git.createRepository({ name: 'krate-demo', namespace, organizationRef }, repoAdmin);
+  const branchProtection = controlPlane.create(createResource('BranchProtection', { name: 'main-protection', namespace }, { organizationRef, refs: ['refs/heads/main'], requirePullRequest: true }), repoAdmin);
+  const refPolicy = controlPlane.create(createResource('RefPolicy', { name: 'deny-internal-refs', namespace }, { organizationRef, deny: ['refs/internal/'] }), repoAdmin);
+  const runnerPool = runners.createRunnerPool({ name: 'trusted-linux', namespace, organizationRef, warmReplicas: 1, maxReplicas: 4 }, platformEngineer);
+  const subscription = webhooks.subscribe({ name: 'chatops', namespace, organizationRef, url: 'https://hooks.example.test/krate', events: ['pullrequest.created'] }, repoAdmin);
+  const pullRequest = controlPlane.create(createResource('PullRequest', { name: 'pr-1', namespace, labels: { repository: 'krate-demo' } }, { organizationRef, repository: 'krate-demo', sourceRef: 'refs/heads/feature', targetRef: 'refs/heads/main', title: 'Add Kubernetes-native forge smoke path' }, { phase: 'Open' }), developer);
+  const pipelineRun = runners.startPipeline({ name: 'pipeline-pr-1', namespace, organizationRef, repository: 'krate-demo', ref: 'refs/pull/1/head', actor: developer, fork: false }, developer);
+  const delivery = webhooks.deliver({ subscriptionName: 'chatops', namespace, organizationRef, eventType: 'pullrequest.created', payload: { pullRequest: pullRequest.metadata.name, repository: 'krate-demo' } }, repoAdmin);
+  const replay = webhooks.replay(delivery, repoAdmin);
+  const triageView = controlPlane.create(createTriageView({ name: 'priority-triage', namespace, organizationRef, selector: { labels: { priority: 'high' } } }), repoAdmin);
+  const demo = {
+    users: { platformEngineer, developer, repoAdmin }, controlPlane, git, runners, webhooks,
+    resources: { repository, branchProtection, refPolicy, runnerPool, subscription, pullRequest, pipelineRun, delivery, replay, triageView },
+    ui: { dashboard: createDashboard({ repositories: [repository], pullRequests: [pullRequest], pipelines: [pipelineRun.pipeline], runnerPools: [runnerPool], webhookDeliveries: [delivery, replay] }), review: createPullRequestReviewModel({ pullRequest, changedFiles: ['src/index.js'], pipelineRuns: [pipelineRun.pipeline] }), runnerPoolEditor: createRunnerPoolEditor(runnerPool), webhookInspector: createWebhookInspector({ subscription, deliveries: [delivery, replay] }) },
+    operations: { installManifests: generateInstallManifests(), chartPackage: chartPackageSurface(), localSetup: localSetupPlan(), backupPlan: backupPlan(), observability: observabilityModel(), releaseGates: releaseGates() }
+  };
+  demo.components = createKrateComponentCatalog(demo);
+  demo.lifecycle = createKrateLifecycleSnapshot(demo);
+  return demo;
+}
+
+export function runSmokeAssertions(demo = createKrateMvpDemo()) {
+  const storage = demo.controlPlane.storageReport();
+  const assertions = [
+    ['Repository stored as CRD/etcd config', storage.etcd.includes('Repository')],
+    ['PullRequest stored as aggregated/Postgres record', storage.postgres.includes('PullRequest')],
+    ['RunnerPool stored as CRD/etcd configuration', storage.etcd.includes('RunnerPool')],
+    ['WebhookDelivery stored as aggregated/Postgres record', storage.postgres.includes('WebhookDelivery')],
+    ['Gitea receive path is ready', demo.git.route('krate-demo').backend === 'gitea' && demo.git.route('krate-demo').receivePackReady],
+    ['Repository exposes Gitea integration plan', demo.resources.repository.spec.gitHosting.backend === 'gitea' && demo.resources.repository.spec.gitHosting.integrationPlan.backend === 'gitea'],
+    ['UI exposes YAML for PR review', demo.ui.review.yaml.includes('kind: PullRequest')],
+    ['Install manifests expose Kubernetes API discovery', demo.operations.installManifests.includes('kind: APIService') || demo.operations.chartPackage.crds.includes('Repository')],
+    ['Chart package exposes CRDs', demo.operations.chartPackage.crds.includes('Repository')],
+    ['Local setup defaults to dry-run minikube flow', demo.operations.localSetup.defaultMode === 'dry-run'],
+    ['Release gates include docs and ontology coverage', demo.operations.releaseGates.includes('docs and ontology coverage')],
+    ['Release gates include e2e package lifecycle tests', demo.operations.releaseGates.includes('e2e package lifecycle tests')],
+    ['Observability tracks webhook delivery phase', demo.operations.observability.metrics.includes('webhook_delivery_phase')],
+    ['Component catalog covers every implementation area', demo.components.every((component) => component.implemented)],
+    ['Lifecycle snapshot is ready for local development', demo.lifecycle.status === 'ready-for-local-development']
+  ];
+  return { ok: assertions.every(([, passed]) => passed), assertions };
+}
+

package/src/resource-model.js

@@ -0,0 +1,203 @@
+export const CONFIG_KINDS = new Set(['Organization', 'OrgNamespaceBinding', 'User', 'Team', 'Invite', 'IdentityMapping', 'AuthProvider', 'Repository', 'SSHKey', 'RepositoryPermission', 'WebhookSubscription', 'RefPolicy', 'BranchProtection', 'PolicyProfile', 'PolicyTemplate', 'PolicyBinding', 'PolicyExceptionRequest', 'RunnerPool', 'View', 'Selector', 'AgentStack', 'AgentSubagent', 'AgentToolProfile', 'AgentMcpServer', 'AgentSkill', 'AgentTriggerRule', 'AgentContextLabel', 'AgentWorkspacePolicy', 'AgentServiceAccount', 'AgentRoleBinding', 'AgentSecretGrant', 'AgentConfigGrant', 'AgentAdapter', 'AgentTransportBinding', 'AgentProviderConfig', 'AgentProject', 'AgentGatewayConfig']);
+export const AGGREGATED_KINDS = new Set(['PullRequest', 'Issue', 'Review', 'Pipeline', 'Job', 'WebhookDelivery', 'AgentDispatchRun', 'AgentDispatchAttempt', 'AgentSession', 'AgentContextBundle', 'AgentArtifact', 'AgentApproval', 'AgentWorkspace', 'AgentTriggerExecution', 'AgentCapabilityRequirement', 'WorkItemSessionLink', 'WorkItemWorkspaceLink', 'AgentSessionTranscript', 'AgentSessionAttachment', 'AgentWorkspaceRuntime']);
+export const ALL_KINDS = new Set([...CONFIG_KINDS, ...AGGREGATED_KINDS]);
+
+export const RESOURCE_DEFINITIONS = Object.freeze({
+  Organization: { storage: 'etcd', context: 'identity', plural: 'organizations', purpose: 'Krate organization identity in the platform namespace with a bound tenant namespace', requiredSpec: ['displayName', 'namespaceName'] },
+  OrgNamespaceBinding: { storage: 'etcd', context: 'identity', plural: 'orgnamespacebindings', purpose: 'Binding from one organization to exactly one tenant namespace for resources and side effects', requiredSpec: ['organizationRef', 'namespace'] },
+  User: { storage: 'etcd', context: 'identity', plural: 'users', purpose: 'Human account profile, sign-in state, admin flag, and linked identities', requiredSpec: ['organizationRef', 'displayName', 'email'] },
+  Team: { storage: 'etcd', context: 'identity', plural: 'teams', purpose: 'Team membership, maintainers, and repository permission grants', requiredSpec: ['organizationRef', 'displayName'] },
+  Invite: { storage: 'etcd', context: 'identity', plural: 'invites', purpose: 'Pending user invitation with requested teams and expiry', requiredSpec: ['organizationRef', 'email', 'role'] },
+  IdentityMapping: { storage: 'etcd', context: 'identity', plural: 'identitymappings', purpose: 'Mapping between Krate users, sign-in subjects, workspace identities, and repository accounts', requiredSpec: ['organizationRef', 'user', 'provider', 'subject'] },
+  AuthProvider: { storage: 'etcd', context: 'identity', plural: 'authproviders', purpose: 'Installation sign-in provider visibility and delegated identity settings', requiredSpec: ['organizationRef', 'type'] },
+  Repository: { storage: 'etcd', context: 'data-plane', plural: 'repositories', purpose: 'Repository identity, visibility, repository hosting integration, object storage, and search settings', requiredSpec: ['organizationRef', 'visibility'] },
+  SSHKey: { storage: 'etcd', context: 'data-plane', plural: 'sshkeys', purpose: 'User, deploy, and automation SSH keys reconciled into repository key APIs', requiredSpec: ['organizationRef', 'scope', 'key'] },
+  RepositoryPermission: { storage: 'etcd', context: 'data-plane', plural: 'repositorypermissions', purpose: 'Repository collaborators and teams synced with repository permissions', requiredSpec: ['organizationRef', 'repository', 'subject', 'permission'] },
+  WebhookSubscription: { storage: 'etcd', context: 'hooks-events', plural: 'webhooksubscriptions', purpose: 'Endpoint, event filters, signing reference, delivery mode, and retry policy', requiredSpec: ['organizationRef', 'url', 'events'] },
+  RefPolicy: { storage: 'etcd', context: 'data-plane', plural: 'refpolicies', purpose: 'Reference deny rules, force-push policy, signing policy, and future custom hook gates', requiredSpec: ['organizationRef'] },
+  BranchProtection: { storage: 'etcd', context: 'control-plane', plural: 'branchprotections', purpose: 'Protected ref rules such as pull-request requirements', requiredSpec: ['organizationRef', 'refs'] },
+  PolicyProfile: { storage: 'etcd', context: 'policy', plural: 'policyprofiles', purpose: 'Organization policy posture, default templates, rollout mode, and exception approval rules', requiredSpec: ['organizationRef', 'displayName', 'mode'] },
+  PolicyTemplate: { storage: 'etcd', context: 'policy', plural: 'policytemplates', purpose: 'Curated Kyverno policy template metadata, parameters, rollout defaults, and remediation guidance', requiredSpec: ['displayName', 'targetKinds', 'kyverno'] },
+  PolicyBinding: { storage: 'etcd', context: 'policy', plural: 'policybindings', purpose: 'Binding from a policy template to org, repository, environment, or resource selectors with audit/enforce rollout state', requiredSpec: ['organizationRef', 'templateRef', 'mode'] },
+  PolicyExceptionRequest: { storage: 'etcd', context: 'policy', plural: 'policyexceptionrequests', purpose: 'Auditable request and approval workflow for temporary Kyverno PolicyException resources', requiredSpec: ['organizationRef', 'policyRef', 'justification', 'expiresAt'] },
+  View: { storage: 'etcd', context: 'web-ui', plural: 'views', purpose: 'Saved triage and dashboard view backed by resource selectors', requiredSpec: ['organizationRef', 'selector'] },
+  Selector: { storage: 'etcd', context: 'web-ui', plural: 'selectors', purpose: 'Reusable label/query selector for workflows and views', requiredSpec: ['organizationRef'] },
+  PullRequest: { storage: 'postgres', context: 'control-plane', plural: 'pullrequests', purpose: 'Review unit with source/target refs, title, checks, and merge lifecycle', requiredSpec: ['organizationRef', 'repository', 'title'] },
+  Issue: { storage: 'postgres', context: 'control-plane', plural: 'issues', purpose: 'Work item with labels, assignment, and lifecycle state', requiredSpec: ['organizationRef', 'title'] },
+  Review: { storage: 'postgres', context: 'control-plane', plural: 'reviews', purpose: 'Approval, comment, or change-request record for a pull request', requiredSpec: ['organizationRef', 'pullRequest'] },
+  Pipeline: { storage: 'postgres', context: 'runners-ci', plural: 'pipelines', purpose: 'CI pipeline run state, trust tier, steps, and resume point', requiredSpec: ['organizationRef', 'repository', 'ref'] },
+  Job: { storage: 'postgres', context: 'runners-ci', plural: 'jobs', purpose: 'Executable CI step with service-account scope and isolation metadata', requiredSpec: ['organizationRef', 'pipeline', 'step'] },
+  RunnerPool: { storage: 'etcd', context: 'runners-ci', plural: 'runnerpools', purpose: 'Runner capacity, warm/max replicas, cache policy, and trust boundary', requiredSpec: ['organizationRef', 'warmReplicas', 'maxReplicas'] },
+  WebhookDelivery: { storage: 'postgres', context: 'hooks-events', plural: 'webhookdeliveries', purpose: 'Durable outbound webhook delivery attempt with signature, phase, response, and replay metadata', requiredSpec: ['organizationRef', 'subscription', 'eventType', 'signature'] },
+  AgentStack: { storage: 'etcd', context: 'agents', plural: 'agentstacks', purpose: 'Reusable agent definition with model, prompt, tools, MCP servers, skills, subagents, approval mode, and runner policy', requiredSpec: ['organizationRef', 'baseAgent', 'adapter', 'runtimeIdentity'] },
+  AgentSubagent: { storage: 'etcd', context: 'agents', plural: 'agentsubagents', purpose: 'Named child-agent definition with role, task kinds, tool subset, and workspace scope', requiredSpec: ['organizationRef', 'rolePrompt', 'taskKinds'] },
+  AgentToolProfile: { storage: 'etcd', context: 'agents', plural: 'agenttoolprofiles', purpose: 'Native tool policy for filesystem, network, shell, and approval gates', requiredSpec: ['organizationRef', 'filesystemPolicy', 'approvalPolicyByTool'] },
+  AgentMcpServer: { storage: 'etcd', context: 'agents', plural: 'agentmcpservers', purpose: 'Managed MCP endpoint with transport, discovery, health, and secret/config refs', requiredSpec: ['organizationRef', 'transport', 'scope'] },
+  AgentSkill: { storage: 'etcd', context: 'agents', plural: 'agentskills', purpose: 'Reusable runbook/procedure bundle with prompt fragments, tool deps, and output contracts', requiredSpec: ['organizationRef', 'format', 'sourceRef'] },
+  AgentTriggerRule: { storage: 'etcd', context: 'agents', plural: 'agenttriggerrules', purpose: 'Event-to-stack routing for CI failures, webhooks, comments, labels, schedules, and manual dispatch', requiredSpec: ['organizationRef', 'sources', 'agentStack', 'taskKind'] },
+  AgentContextLabel: { storage: 'etcd', context: 'agents', plural: 'agentcontextlabels', purpose: 'Reviewed prompt fragment with provenance and allowlisted sources', requiredSpec: ['organizationRef', 'promptFragment', 'allowedSources'] },
+  AgentWorkspacePolicy: { storage: 'etcd', context: 'agents', plural: 'agentworkspacepolicies', purpose: 'Git worktree provisioning, cleanup, retention, and trust tier policies', requiredSpec: ['organizationRef', 'mode', 'retentionPolicy'] },
+  AgentServiceAccount: { storage: 'etcd', context: 'identity', plural: 'agentserviceaccounts', purpose: 'Kubernetes ServiceAccount wrapper for agent/runner identity binding', requiredSpec: ['organizationRef', 'namespace', 'serviceAccountName'] },
+  AgentRoleBinding: { storage: 'etcd', context: 'identity', plural: 'agentrolebindings', purpose: 'Managed projection to native Kubernetes RBAC for agent identity', requiredSpec: ['organizationRef', 'subject', 'roleRef', 'scope'] },
+  AgentSecretGrant: { storage: 'etcd', context: 'identity', plural: 'agentsecretgrants', purpose: 'Explicit permission for subject to access Secret keys with purpose scope', requiredSpec: ['organizationRef', 'subject', 'secretRef', 'purpose'] },
+  AgentConfigGrant: { storage: 'etcd', context: 'identity', plural: 'agentconfiggrants', purpose: 'Explicit permission for subject to access ConfigMap keys with purpose scope', requiredSpec: ['organizationRef', 'subject', 'configMapRef', 'purpose'] },
+  AgentDispatchRun: { storage: 'postgres', context: 'agents', plural: 'agentdispatchruns', purpose: 'Logical CI-like run visible beside Pipeline/Job records with queue, status, workspace, and cost', requiredSpec: ['organizationRef', 'repository', 'sourceRefs', 'agentStack', 'taskKind'] },
+  AgentDispatchAttempt: { storage: 'postgres', context: 'agents', plural: 'agentdispatchattempts', purpose: 'Concrete execution attempt with reason, stack snapshot, and runtime state', requiredSpec: ['organizationRef', 'agentDispatchRun', 'attemptReason', 'agentStackSnapshot'] },
+  AgentSession: { storage: 'postgres', context: 'agents', plural: 'agentsessions', purpose: 'Krate projection of Agent Mux chat/session with lifecycle state', requiredSpec: ['organizationRef', 'agentMuxSessionId', 'dispatchRun'] },
+  AgentContextBundle: { storage: 'postgres', context: 'agents', plural: 'agentcontextbundles', purpose: 'Immutable prompt/context snapshot with digest, provenance, and redaction manifest', requiredSpec: ['organizationRef', 'dispatchRun', 'digest', 'sources'] },
+  AgentArtifact: { storage: 'postgres', context: 'agents', plural: 'agentartifacts', purpose: 'Durable agent output with kind, digest, and retention policy', requiredSpec: ['organizationRef', 'dispatchRun', 'kind', 'digest'] },
+  AgentApproval: { storage: 'postgres', context: 'agents', plural: 'agentapprovals', purpose: 'Human gate for tools, secrets, write-back, and release actions', requiredSpec: ['organizationRef', 'dispatchRun', 'action', 'requestedBy'] },
+  AgentWorkspace: { storage: 'postgres', context: 'agents', plural: 'agentworkspaces', purpose: 'Git worktree/runtime inventory with lifecycle state and ownership', requiredSpec: ['organizationRef', 'repository', 'workspacePath', 'ownership'] },
+  AgentTriggerExecution: { storage: 'postgres', context: 'agents', plural: 'agenttriggerexecutions', purpose: 'Durable trigger evaluation record with dedupe, coalescing, and rejection reason', requiredSpec: ['organizationRef', 'triggerRule', 'sourceEvent', 'decision'] },
+  AgentCapabilityRequirement: { storage: 'postgres', context: 'agents', plural: 'agentcapabilityrequirements', purpose: 'Computed dependency record from tools, MCP, skills, models, and subagents', requiredSpec: ['organizationRef', 'ownerRef', 'requiredRoles'] },
+  WorkItemSessionLink: { storage: 'postgres', context: 'agents', plural: 'workitemsessionlinks', purpose: 'Association between issues/PRs and agent sessions', requiredSpec: ['organizationRef', 'workItemRef', 'agentSession'] },
+  WorkItemWorkspaceLink: { storage: 'postgres', context: 'agents', plural: 'workitemworkspacelinks', purpose: 'Association between issues/PRs and agent workspaces', requiredSpec: ['organizationRef', 'workItemRef', 'workspace'] },
+  AgentAdapter: { storage: 'etcd', context: 'agents', plural: 'agentadapters', purpose: 'Agent adapter definition with transport type, capabilities matrix, auth requirements, and installation method', requiredSpec: ['organizationRef', 'adapterType', 'transport'] },
+  AgentTransportBinding: { storage: 'etcd', context: 'agents', plural: 'agenttransportbindings', purpose: 'Connection configuration for an adapter instance with endpoint, protocol, auth, health check, and reconnect policy', requiredSpec: ['organizationRef', 'adapterRef', 'endpoint', 'protocol'] },
+  AgentProviderConfig: { storage: 'etcd', context: 'agents', plural: 'agentproviderconfigs', purpose: 'Model provider configuration with API base, auth type, default model, model translations, and rate limits', requiredSpec: ['organizationRef', 'provider', 'authType'] },
+  AgentProject: { storage: 'etcd', context: 'agents', plural: 'agentprojects', purpose: 'Project grouping issues with kanban board config, default workflow, and team refs', requiredSpec: ['organizationRef', 'displayName'] },
+  AgentGatewayConfig: { storage: 'etcd', context: 'agents', plural: 'agentgatewayconfigs', purpose: 'Runtime Agent Mux gateway connection settings with URL, auth, reconnect policy, and feature flags', requiredSpec: ['organizationRef', 'gatewayUrl'] },
+  AgentSessionTranscript: { storage: 'postgres', context: 'agents', plural: 'agentsessiontranscripts', purpose: 'Durable chat transcript with message nodes, pagination support, and cost per turn', requiredSpec: ['organizationRef', 'sessionRef', 'messages'] },
+  AgentSessionAttachment: { storage: 'postgres', context: 'agents', plural: 'agentsessionattachments', purpose: 'File attached to a session message with source type, MIME type, digest, and redaction status', requiredSpec: ['organizationRef', 'sessionRef', 'sourceType', 'digest'] },
+  AgentWorkspaceRuntime: { storage: 'postgres', context: 'agents', plural: 'agentworkspaceruntimes', purpose: 'Workspace runtime surface state with cwd, environment variables, process status, and preview URL', requiredSpec: ['organizationRef', 'workspaceRef', 'status'] }
+});
+
+export function listResourceDefinitions() {
+  return Object.entries(RESOURCE_DEFINITIONS).map(([kind, definition]) => ({ kind, ...clone(definition) }));
+}
+
+export function resourceDefinitionForKind(kind) {
+  const definition = RESOURCE_DEFINITIONS[kind];
+  if (!definition) throw new Error(`Unknown Krate resource kind: ${kind}`);
+  return { kind, ...clone(definition) };
+}
+
+export function resourceSchemaForKind(kind) {
+  const definition = resourceDefinitionForKind(kind);
+  return {
+    apiVersion: 'krate.a5c.ai/v1alpha1',
+    kind: definition.kind,
+    plural: definition.plural,
+    storage: definition.storage,
+    context: definition.context,
+    required: {
+      metadata: ['name'],
+      spec: [...definition.requiredSpec]
+    },
+    status: ['storage', 'phase', 'conditions']
+  };
+}
+
+export function storageClassForKind(kind) {
+  return resourceDefinitionForKind(kind).storage;
+}
+
+export function resourceKey(resource) {
+  const namespace = resource.metadata?.namespace || 'default';
+  const name = resource.metadata?.name;
+  if (!name) throw new Error('resource metadata.name is required');
+  return `${resource.kind}/${namespace}/${name}`;
+}
+
+export function clone(value) {
+  return value === undefined ? undefined : JSON.parse(JSON.stringify(value));
+}
+
+export function createResource(kind, metadata, spec = {}, status = {}) {
+  if (!ALL_KINDS.has(kind)) throw new Error(`Unknown Krate resource kind: ${kind}`);
+  if (!metadata?.name) throw new Error(`${kind} requires metadata.name`);
+  return {
+    apiVersion: 'krate.a5c.ai/v1alpha1',
+    kind,
+    metadata: { namespace: metadata.namespace || 'default', labels: {}, annotations: {}, ...metadata },
+    spec: clone(spec),
+    status: clone(status)
+  };
+}
+
+export function validateResource(resource) {
+  if (!resource || typeof resource !== 'object') throw new Error('resource must be an object');
+  const definition = resourceDefinitionForKind(resource.kind);
+  if (!resource.metadata?.name) throw new Error(`${resource.kind} metadata.name is required`);
+  if (!resource.spec || typeof resource.spec !== 'object') resource.spec = {};
+  if (!resource.status || typeof resource.status !== 'object') resource.status = {};
+  resource.metadata.namespace ||= 'default';
+  resource.metadata.labels ||= {};
+  resource.metadata.annotations ||= {};
+  for (const field of definition.requiredSpec) {
+    if (resource.spec[field] === undefined || resource.spec[field] === null || resource.spec[field] === '') {
+      throw new Error(`${resource.kind} spec.${field} is required`);
+    }
+  }
+  return resource;
+}
+
+export function toKubernetesList(kind, items) {
+  return { apiVersion: 'krate.a5c.ai/v1alpha1', kind: `${kind}List`, items: items.map(clone) };
+}
+
+export function matchLabels(resource, selector = {}) {
+  const labels = resource.metadata?.labels || {};
+  return Object.entries(selector).every(([key, value]) => labels[key] === value);
+}
+
+export function createSelector({ name, namespace = 'krate-org-default', organizationRef = 'default', labels = {}, query = '' }) {
+  return createResource('Selector', { name, namespace }, { organizationRef, labels, query });
+}
+
+export function createView({ name, namespace = 'krate-org-default', organizationRef = 'default', selector, columns = [], sort = [] }) {
+  return createResource('View', { name, namespace }, { organizationRef, selector, columns, sort });
+}
+
+export function resourceToYaml(resource) {
+  const lines = [];
+  const scalar = (value) => {
+    if (value === null) return 'null';
+    if (value === undefined) return 'null';
+    if (typeof value === 'string') return value.includes(': ') || value.startsWith('{') || value.startsWith('[') ? JSON.stringify(value) : value;
+    return String(value);
+  };
+  const writeValue = (key, value, indent = 0) => {
+    const pad = ' '.repeat(indent);
+    if (Array.isArray(value)) {
+      lines.push(`${pad}${key}:`);
+      writeArray(value, indent + 2);
+    } else if (value && typeof value === 'object') {
+      lines.push(`${pad}${key}:`);
+      writeObject(value, indent + 2);
+    } else {
+      lines.push(`${pad}${key}: ${scalar(value)}`);
+    }
+  };
+  const writeObject = (value, indent) => {
+    for (const [childKey, childValue] of Object.entries(value)) writeValue(childKey, childValue, indent);
+  };
+  const writeArray = (value, indent) => {
+    const pad = ' '.repeat(indent);
+    for (const item of value) {
+      if (Array.isArray(item)) {
+        lines.push(`${pad}-`);
+        writeArray(item, indent + 2);
+      } else if (item && typeof item === 'object') {
+        const entries = Object.entries(item);
+        if (entries.length === 0) {
+          lines.push(`${pad}- {}`);
+        } else {
+          const [[firstKey, firstValue], ...rest] = entries;
+          if (firstValue && typeof firstValue === 'object') {
+            lines.push(`${pad}- ${firstKey}:`);
+            if (Array.isArray(firstValue)) writeArray(firstValue, indent + 4);
+            else writeObject(firstValue, indent + 4);
+          } else {
+            lines.push(`${pad}- ${firstKey}: ${scalar(firstValue)}`);
+          }
+          for (const [childKey, childValue] of rest) writeValue(childKey, childValue, indent + 2);
+        }
+      } else {
+        lines.push(`${pad}- ${scalar(item)}`);
+      }
+    }
+  };
+  writeObject(resource, 0);
+  return lines.join('\n') + '\n';
+}

package/src/runners-ci.js

@@ -0,0 +1,48 @@
+import { createResource } from './resource-model.js';
+import { serviceAccountForJob } from './identity-policy.js';
+
+export class RunnerScheduler {
+  constructor({ controlPlane }) { this.controlPlane = controlPlane; }
+
+  createRunnerPool({ name, namespace = 'krate-org-default', organizationRef = 'default', image = 'ubuntu:24.04', warmReplicas = 1, maxReplicas = 10, trustTier = 'trusted', cache = { type: 'object-storage' } }, user) {
+    return this.controlPlane.create(createResource('RunnerPool', { name, namespace, labels: { trustTier } }, {
+      organizationRef, image, warmReplicas, maxReplicas, trustTier, cache, scalingMetric: 'queueDepth'
+    }, { readyReplicas: warmReplicas, queueDepth: 0 }), user);
+  }
+
+  planReplicas(pool, queueDepth) {
+    return Math.min(pool.spec.maxReplicas || 0, Math.max(pool.spec.warmReplicas || 0, queueDepth));
+  }
+
+  startPipeline({ name, namespace = 'krate-org-default', organizationRef = 'default', repository, ref, actor, steps = ['checkout', 'test'], fork = false, resumeFrom = null }, user) {
+    const trustTier = fork ? 'untrusted' : 'trusted';
+    const pipeline = this.controlPlane.create(createResource('Pipeline', { name, namespace, labels: { repository, ref, trustTier } }, {
+      organizationRef, repository, ref, actor: actor.name, resumeFrom, trustTier, steps
+    }, { phase: 'Running', currentStep: resumeFrom || steps[0] }), user);
+    const jobs = steps.map((step, index) => this.controlPlane.create(createResource('Job', {
+      name: `${name}-${index + 1}-${step}`,
+      namespace,
+      labels: { pipeline: name, repository, trustTier }
+    }, {
+      organizationRef: pipeline.spec?.organizationRef || organizationRef,
+      pipeline: name,
+      step,
+      serviceAccount: serviceAccountForJob({ namespace, repository, pipeline: name, trustTier })
+    }, { phase: step === (resumeFrom || steps[0]) ? 'Running' : 'Pending' }), user));
+    return { pipeline, jobs };
+  }
+
+  rerunFromStep(pipeline, step, user) {
+    return this.startPipeline({
+      name: `${pipeline.metadata.name}-rerun-${step}`,
+      namespace: pipeline.metadata.namespace,
+      organizationRef: pipeline.spec.organizationRef,
+      repository: pipeline.spec.repository,
+      ref: pipeline.spec.ref,
+      actor: { name: pipeline.spec.actor },
+      steps: pipeline.spec.steps,
+      resumeFrom: step,
+      fork: pipeline.spec.trustTier === 'untrusted'
+    }, user);
+  }
+}

package/src/runtime.js

@@ -0,0 +1,196 @@
+import { ControlPlane } from './control-plane.js';
+import { GiteaGitService, GiteaRepositoryStore } from './data-plane.js';
+import { WebhookBus } from './hooks-events.js';
+import { createAdmissionPolicy, mapOidcIdentity } from './identity-policy.js';
+import { createInviteResource, createTeamResource, createAuthProviderResources, mapLoginProfileToKrateIdentity } from './auth.js';
+import { createResource, clone } from './resource-model.js';
+import { RunnerScheduler } from './runners-ci.js';
+
+const DEFAULT_ORG = 'default';
+const DEFAULT_NAMESPACE = 'krate-org-default';
+
+export function createDefaultKrateUsers() {
+  return {
+    platformEngineer: mapOidcIdentity({ subject: 'user:platform', email: 'platform@example.com', groups: ['krate:platform-engineers'] }),
+    developer: mapOidcIdentity({ subject: 'user:dev', email: 'dev@example.com', groups: ['krate:developers'] }),
+    repoAdmin: mapOidcIdentity({ subject: 'user:admin', email: 'admin@example.com', groups: ['krate:repo-admins'] })
+  };
+}
+
+export class KrateRuntime {
+  constructor({ organizationRef = DEFAULT_ORG, namespace = DEFAULT_NAMESPACE, users = createDefaultKrateUsers(), controlPlane, git, runners, webhooks } = {}) {
+    this.organizationRef = organizationRef;
+    this.namespace = namespace;
+    this.users = users;
+    this.controlPlane = controlPlane || new ControlPlane();
+    this.controlPlane.addAdmissionPolicy(createAdmissionPolicy({
+      name: 'pr-title-required',
+      mode: 'enforce',
+      match: ({ resource }) => resource.kind === 'PullRequest',
+      validate: ({ resource }) => Boolean(resource.spec.title && resource.spec.title.length >= 8),
+      message: 'PullRequest spec.title must be descriptive'
+    }));
+    this.git = git || new GiteaGitService({ controlPlane: this.controlPlane, stores: [new GiteaRepositoryStore({ name: 'gitea-primary', receivePackReady: true })] });
+    this.runners = runners || new RunnerScheduler({ controlPlane: this.controlPlane });
+    this.webhooks = webhooks || new WebhookBus({ controlPlane: this.controlPlane });
+    this.seeded = false;
+  }
+
+  static fromSnapshot(snapshot, options = {}) {
+    const runtime = new KrateRuntime(options);
+    runtime.importSnapshot(snapshot);
+    return runtime;
+  }
+
+  bootstrap({ repository = 'krate-demo', webhookUrl = 'https://hooks.example.test/krate' } = {}) {
+    if (this.seeded) return this.snapshot();
+    const { platformEngineer, repoAdmin } = this.users;
+    this.git.createRepository({ name: repository, namespace: this.namespace, organizationRef: this.organizationRef }, repoAdmin);
+    this.controlPlane.create(createResource('BranchProtection', { name: 'main-protection', namespace: this.namespace }, { organizationRef: this.organizationRef, refs: ['refs/heads/main'], requirePullRequest: true, requiredChecks: ['test'], requiredApprovals: 1 }), repoAdmin);
+    this.controlPlane.create(createResource('RefPolicy', { name: 'deny-internal-refs', namespace: this.namespace }, { organizationRef: this.organizationRef, deny: ['refs/internal/'] }), repoAdmin);
+    this.runners.createRunnerPool({ name: 'trusted-linux', namespace: this.namespace, organizationRef: this.organizationRef, warmReplicas: 1, maxReplicas: 4 }, platformEngineer);
+    this.webhooks.subscribe({ name: 'chatops', namespace: this.namespace, organizationRef: this.organizationRef, url: webhookUrl, events: ['pullrequest.created', 'pullrequest.merged'] }, repoAdmin);
+    this.controlPlane.create(createTeamResource({ name: 'maintainers', organizationRef: this.organizationRef, displayName: 'Maintainers', members: ['admin'], maintainers: ['admin'], repositoryGrants: [{ repository, permission: 'admin' }], namespace: this.namespace }), platformEngineer);
+    const identity = mapLoginProfileToKrateIdentity({ provider: 'sso', subject: 'user:admin', email: 'admin@example.com', displayName: 'Admin', username: 'admin', teams: ['maintainers'], admin: true, namespace: this.namespace, organizationRef: this.organizationRef });
+    this.controlPlane.create(identity.user, platformEngineer);
+    this.controlPlane.create(identity.mapping, platformEngineer);
+    this.controlPlane.create(createInviteResource({ email: 'new-user@example.com', role: 'member', teams: ['maintainers'], invitedBy: 'admin', namespace: this.namespace, organizationRef: this.organizationRef }), repoAdmin);
+    for (const provider of createAuthProviderResources(undefined, this.namespace, this.organizationRef)) this.controlPlane.create(provider, platformEngineer);
+    this.seeded = true;
+    return this.snapshot();
+  }
+
+  exportSnapshot() {
+    return {
+      apiVersion: 'krate.a5c.ai/v1alpha1',
+      kind: 'KrateRuntimeSnapshot',
+      namespace: this.namespace,
+      organizationRef: this.organizationRef,
+      seeded: this.seeded,
+      controlPlane: this.controlPlane.exportSnapshot(),
+      git: this.git.snapshot?.() || null
+    };
+  }
+
+  importSnapshot(snapshot) {
+    const controlPlaneSnapshot = snapshot?.controlPlane || snapshot;
+    this.controlPlane.importSnapshot(controlPlaneSnapshot);
+    if (snapshot?.git) this.git.importSnapshot(snapshot.git);
+    this.seeded = Boolean(snapshot?.seeded || this.controlPlane.list('Repository', { namespace: this.namespace }).items.length);
+    return this.snapshot();
+  }
+
+  createRepository({ name, visibility = 'private' }, user = this.users.repoAdmin) {
+    return this.git.createRepository({ name, namespace: this.namespace, organizationRef: this.organizationRef, visibility }, user);
+  }
+
+  createPullRequest({ repository, sourceRef = 'refs/heads/feature', targetRef = 'refs/heads/main', title, actor = this.users.developer, fork = false }) {
+    this.#requireRepository(repository);
+    const index = this.controlPlane.list('PullRequest', { namespace: this.namespace }).items.length + 1;
+    const name = `pr-${index}`;
+    const pullRequest = this.controlPlane.create(createResource('PullRequest', { name, namespace: this.namespace, labels: { repository } }, {
+      organizationRef: this.organizationRef,
+      repository,
+      sourceRef,
+      targetRef,
+      title,
+      author: actor.name,
+      checks: [],
+      requiredApprovals: this.#requiredApprovals(targetRef)
+    }, { phase: 'Open', approvals: 0, mergeable: false }), actor);
+    const pipelineRun = this.runners.startPipeline({ name: `pipeline-${name}`, namespace: this.namespace, organizationRef: this.organizationRef, repository, ref: `refs/pull/${index}/head`, actor, fork, steps: ['checkout', 'test'] }, actor);
+    this.webhooks.deliver({ subscriptionName: 'chatops', namespace: this.namespace, organizationRef: this.organizationRef, eventType: 'pullrequest.created', payload: { pullRequest: name, repository, title } }, this.users.repoAdmin);
+    return { pullRequest, pipeline: pipelineRun.pipeline, jobs: pipelineRun.jobs };
+  }
+
+  completePipeline({ pipeline, phase = 'Succeeded', failedStep = null }, user = this.users.developer) {
+    const existing = this.controlPlane.get('Pipeline', this.namespace, pipeline);
+    if (!existing) throw new Error(`Pipeline ${pipeline} not found`);
+    const jobs = this.controlPlane.list('Job', { namespace: this.namespace, labels: { pipeline } }).items.map((job) => {
+      const jobPhase = failedStep && job.spec.step === failedStep ? 'Failed' : phase;
+      return this.controlPlane.patchStatus('Job', this.namespace, job.metadata.name, { phase: jobPhase, finishedAt: new Date().toISOString() }, user);
+    });
+    const pipelinePhase = jobs.some((job) => job.status.phase === 'Failed') ? 'Failed' : phase;
+    const updatedPipeline = this.controlPlane.patchStatus('Pipeline', this.namespace, pipeline, { phase: pipelinePhase, currentStep: null, finishedAt: new Date().toISOString() }, user);
+    this.#refreshPullRequestMergeability(existing.spec.repository);
+    return { pipeline: updatedPipeline, jobs };
+  }
+
+  addReview({ pullRequest, decision = 'approved', body = 'Looks good', reviewer = this.users.repoAdmin }) {
+    const pr = this.#requirePullRequest(pullRequest);
+    const reviewCount = this.controlPlane.list('Review', { namespace: this.namespace, labels: { pullRequest } }).items.length + 1;
+    const review = this.controlPlane.create(createResource('Review', { name: `${pullRequest}-review-${reviewCount}`, namespace: this.namespace, labels: { pullRequest, decision } }, {
+      organizationRef: this.organizationRef,
+      pullRequest,
+      repository: pr.spec.repository,
+      reviewer: reviewer.name,
+      decision,
+      body
+    }, { phase: decision === 'approved' ? 'Approved' : 'ChangesRequested' }), reviewer);
+    this.#refreshPullRequestMergeability(pr.spec.repository);
+    return review;
+  }
+
+  mergePullRequest({ pullRequest, actor = this.users.repoAdmin }) {
+    const pr = this.#requirePullRequest(pullRequest);
+    const refreshed = this.#refreshPullRequestMergeability(pr.spec.repository).find((candidate) => candidate.metadata.name === pullRequest) || pr;
+    if (!refreshed.status.mergeable) throw new Error(`PullRequest ${pullRequest} is not mergeable`);
+    const gitEvent = this.git.receivePack({ repository: refreshed.spec.repository, namespace: this.namespace, ref: refreshed.spec.targetRef, newRev: this.#syntheticRevision(pullRequest), actor });
+    const merged = this.controlPlane.patchStatus('PullRequest', this.namespace, pullRequest, { phase: 'Merged', mergeable: false, mergedAt: new Date().toISOString(), mergeCommit: gitEvent.newRev }, actor);
+    const delivery = this.webhooks.deliver({ subscriptionName: 'chatops', namespace: this.namespace, organizationRef: this.organizationRef, eventType: 'pullrequest.merged', payload: { pullRequest, repository: refreshed.spec.repository, mergeCommit: gitEvent.newRev } }, this.users.repoAdmin);
+    return { pullRequest: merged, gitEvent, delivery };
+  }
+
+  snapshot() {
+    const kinds = ['Organization', 'User', 'Team', 'Invite', 'IdentityMapping', 'AuthProvider', 'Repository', 'SSHKey', 'RepositoryPermission', 'BranchProtection', 'RefPolicy', 'RunnerPool', 'PullRequest', 'Issue', 'Review', 'Pipeline', 'Job', 'WebhookSubscription', 'WebhookDelivery'];
+    const resources = Object.fromEntries(kinds.map((kind) => [kind, this.controlPlane.list(kind, { namespace: this.namespace }).items]));
+    return {
+      namespace: this.namespace,
+      export: this.exportSnapshot(),
+      storage: this.controlPlane.storageReport(),
+      resources,
+      events: clone(this.controlPlane.events),
+      auditLog: clone(this.controlPlane.auditLog)
+    };
+  }
+
+  #requireRepository(repository) {
+    const existing = this.controlPlane.get('Repository', this.namespace, repository);
+    if (!existing) throw new Error(`Repository ${repository} not found`);
+    return existing;
+  }
+
+  #requirePullRequest(pullRequest) {
+    const existing = this.controlPlane.get('PullRequest', this.namespace, pullRequest);
+    if (!existing) throw new Error(`PullRequest ${pullRequest} not found`);
+    return existing;
+  }
+
+  #requiredApprovals(targetRef) {
+    const branchProtection = this.controlPlane.list('BranchProtection', { namespace: this.namespace }).items.find((policy) => (policy.spec.refs || []).includes(targetRef));
+    return branchProtection?.spec.requiredApprovals || 0;
+  }
+
+  #refreshPullRequestMergeability(repository) {
+    const pullRequests = this.controlPlane.list('PullRequest', { namespace: this.namespace, labels: { repository } }).items;
+    return pullRequests.map((pr) => {
+      if (pr.status.phase !== 'Open') return pr;
+      const reviews = this.controlPlane.list('Review', { namespace: this.namespace, labels: { pullRequest: pr.metadata.name } }).items;
+      const approvals = reviews.filter((review) => review.spec.decision === 'approved').length;
+      const pipelines = this.controlPlane.list('Pipeline', { namespace: this.namespace, labels: { repository } }).items.filter((pipeline) => pipeline.metadata.name === `pipeline-${pr.metadata.name}`);
+      const checksPassed = pipelines.length > 0 && pipelines.every((pipeline) => pipeline.status.phase === 'Succeeded');
+      return this.controlPlane.patchStatus('PullRequest', this.namespace, pr.metadata.name, { approvals, checksPassed, mergeable: approvals >= (pr.spec.requiredApprovals || 0) && checksPassed }, this.users.repoAdmin);
+    });
+  }
+
+  #syntheticRevision(seed) {
+    const source = Buffer.from(`${seed}:${Date.now()}`).toString('hex');
+    return source.padEnd(40, '0').slice(0, 40);
+  }
+}
+
+export function createKrateRuntime(options = {}) {
+  const runtime = new KrateRuntime(options);
+  if (options.bootstrap !== false) runtime.bootstrap(options.bootstrapOptions);
+  return runtime;
+}