npm - @skyhook-io/radar-app - Versions diffs - 1.3.0 → 1.3.2 - Mend

@skyhook-io/radar-app 1.3.0 → 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/package.json +1 -1
package/src/components/gitops/GitOpsView.tsx +127 -27
package/src/components/helm/HelmReleaseDrawer.tsx +4 -6
package/src/components/home/GitOpsControllersCard.tsx +14 -12
package/src/components/home/HomeView.tsx +70 -53
package/src/components/home/MCPSetupDialog.tsx +19 -85
package/src/components/home/mcpToolCatalog.ts +276 -0
package/src/components/resources/renderers/RoleBindingRenderer.tsx +5 -3
package/src/components/workload/WorkloadView.tsx +2 -1

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@skyhook-io/radar-app",
-  "version": "1.3.0",
+  "version": "1.3.2",
   "description": "Radar's full web UI as a reusable React component. Used by Radar's own binary and by external consumers like Radar Cloud.",
   "repository": {
     "type": "git",

package/src/components/gitops/GitOpsView.tsx CHANGED Viewed

@@ -18,6 +18,7 @@ import {
   formatGitOpsSourceUrl,
   getGitOpsResourceStatus,
   getGitOpsTool,
+  isArgoSuspendedByRadar,
   gitOpsInsightChangeKey,
   initNavigationMap,
   kindToPlural,
@@ -34,6 +35,7 @@ import {
   type GitOpsResourceTree,
   type GitOpsInsightRef,
   type GitOpsRow,
+  type GitOpsRowAction,
   type GitOpsTreeFilters,
   type GitOpsTreeRef,
   type GitOpsTreePreset,
@@ -102,6 +104,34 @@ function GitOpsTableView({ namespaces, onClearNamespaces }: { namespaces: string
   const namespacesParam = namespaces.join(',')
   const { data: apiResources, isLoading: apiResourcesLoading } = useAPIResources()
+  const argoSync = useArgoSync()
+  const argoRefresh = useArgoRefresh()
+  const argoTerminate = useArgoTerminate()
+  const argoSuspend = useArgoSuspend()
+  const argoResume = useArgoResume()
+  const fluxReconcile = useFluxReconcile()
+  const fluxSyncWithSource = useFluxSyncWithSource()
+  const fluxSuspend = useFluxSuspend()
+  const fluxResume = useFluxResume()
+  const [syncDialogRow, setSyncDialogRow] = useState<GitOpsRow | null>(null)
+  const [pendingActions, setPendingActions] = useState<Map<string, Set<GitOpsRowAction>>>(new Map())
+  // Mark an action as in-flight (or done) for a given row. Cloning the
+  // outer Map + inner Set keeps the state immutable so React rerenders
+  // and the per-item spinner flips at the right moment.
+  function markAction(rowId: string, action: GitOpsRowAction, on: boolean) {
+    setPendingActions((prev) => {
+      const next = new Map(prev)
+      const current = new Set(next.get(rowId) ?? [])
+      if (on) current.add(action)
+      else current.delete(action)
+      if (current.size === 0) next.delete(rowId)
+      else next.set(rowId, current)
+      return next
+    })
+  }
   useEffect(() => {
     initNavigationMap([...(apiResources ?? []), ...GITOPS_KINDS])
   }, [apiResources])
@@ -157,23 +187,99 @@ function GitOpsTableView({ namespaces, onClearNamespaces }: { namespaces: string
     refetchInterval: 120_000,
   })
+  // Row mutations invalidate granular keys (['resource', …], ['gitops-tree', …])
+  // that don't match the table's aggregate gitops-rows-main / counts queries,
+  // so refetch those explicitly — otherwise a row keeps showing the pre-action
+  // state (e.g. "Suspend" after a successful suspend) until the 120s poll,
+  // inviting a duplicate request. Radar serves reads from an informer cache that
+  // lags the write by the watch-propagation delay, so refetch once now (covers
+  // an already-current cache) and once shortly after to catch the propagated
+  // update; refetch() forces a fetch regardless of staleTime.
+  const refetchTable = () => {
+    rowsQuery.refetch()
+    countsQuery.refetch()
+  }
+  const refetchTableAfterMutation = () => {
+    refetchTable()
+    window.setTimeout(refetchTable, 1200)
+  }
+  const handleRowAction = (row: GitOpsRow, action: GitOpsRowAction) => {
+    const { kindName: kind, namespace, name, id } = row
+    const settle = { onSuccess: refetchTableAfterMutation, onSettled: () => markAction(id, action, false) }
+    markAction(id, action, true)
+    switch (action) {
+      case 'sync':
+        // Argo Sync is the one action that confirms — same dialog the
+        // detail page uses. The mutation fires from onConfirm; clear the
+        // in-flight flag here since the dialog now owns the lifecycle.
+        markAction(id, action, false)
+        setSyncDialogRow(row)
+        return
+      case 'refresh':
+        argoRefresh.mutate({ namespace, name, hard: false }, settle)
+        return
+      case 'hard-refresh':
+        argoRefresh.mutate({ namespace, name, hard: true }, settle)
+        return
+      case 'terminate':
+        argoTerminate.mutate({ namespace, name }, settle)
+        return
+      case 'suspend':
+        if (row.tool === 'argo') argoSuspend.mutate({ namespace, name }, settle)
+        else fluxSuspend.mutate({ kind, namespace, name }, settle)
+        return
+      case 'resume':
+        if (row.tool === 'argo') argoResume.mutate({ namespace, name }, settle)
+        else fluxResume.mutate({ kind, namespace, name }, settle)
+        return
+      case 'reconcile':
+        fluxReconcile.mutate({ kind, namespace, name }, settle)
+        return
+      case 'sync-with-source':
+        fluxSyncWithSource.mutate({ kind, namespace, name }, settle)
+        return
+    }
+  }
   return (
-    <SharedGitOpsTableView
-      rows={rowsQuery.data ?? []}
-      loading={apiResourcesLoading || countsQuery.isLoading || rowsQuery.isLoading}
-      error={(rowsQuery.error as Error | null) ?? null}
-      counts={countsQuery.data?.counts ?? {}}
-      onRefresh={() => rowsQuery.refetch()}
-      onRowClick={(row) => {
-        const ns = row.namespace || '_'
-        const params = new URLSearchParams()
-        params.set('apiGroup', row.group)
-        navigate({ pathname: gitOpsDetailPath(row.kindName, ns, row.name), search: params.toString() })
-      }}
-      searchHotkey
-      globalNamespaces={namespaces}
-      onClearNamespaces={onClearNamespaces}
-    />
+    <>
+      <SharedGitOpsTableView
+        rows={rowsQuery.data ?? []}
+        loading={apiResourcesLoading || countsQuery.isLoading || rowsQuery.isLoading}
+        error={(rowsQuery.error as Error | null) ?? null}
+        counts={countsQuery.data?.counts ?? {}}
+        onRefresh={() => rowsQuery.refetch()}
+        onRowClick={(row) => {
+          const ns = row.namespace || '_'
+          const params = new URLSearchParams()
+          params.set('apiGroup', row.group)
+          navigate({ pathname: gitOpsDetailPath(row.kindName, ns, row.name), search: params.toString() })
+        }}
+        onRowAction={handleRowAction}
+        pendingRowActions={pendingActions}
+        searchHotkey
+        globalNamespaces={namespaces}
+        onClearNamespaces={onClearNamespaces}
+      />
+      <SyncOptionsDialog
+        open={!!syncDialogRow}
+        appLabel={syncDialogRow ? `${syncDialogRow.namespace}/${syncDialogRow.name}` : ''}
+        pending={argoSync.isPending}
+        onCancel={() => setSyncDialogRow(null)}
+        onConfirm={(opts) => {
+          if (!syncDialogRow) return
+          const { namespace, name } = syncDialogRow
+          argoSync.mutate(
+            { namespace, name, ...opts },
+            // onSettled so the dialog closes on both success and error —
+            // otherwise the error toast surfaces behind the still-open
+            // modal and the user can't read it.
+            { onSuccess: refetchTableAfterMutation, onSettled: () => setSyncDialogRow(null) },
+          )
+        }}
+      />
+    </>
   )
 }
@@ -219,15 +325,9 @@ function GitOpsDetailView({ namespaces, onOpenResource }: GitOpsViewProps) {
   // pre-suspend prune/selfHeal state for restoration on resume. When present,
   // the app is in a deliberately-paused state (vs. Manual mode, which is a
   // normal operational choice) and should surface a Suspended chip alongside
-  // the other status indicators.
-  const argoSuspendedByRadar =
-    kind === 'applications' &&
-    Boolean(
-      resourceQ.data?.metadata?.annotations?.['radarhq.io/suspended-prune'] ||
-        resourceQ.data?.metadata?.annotations?.['radarhq.io/suspended-selfheal'] ||
-        resourceQ.data?.metadata?.annotations?.['skyhook.io/suspended-prune'] ||
-        resourceQ.data?.metadata?.annotations?.['skyhook.io/suspended-selfheal'],
-    )
+  // the other status indicators. Shared with the fleet table's row normalizer
+  // (isArgoSuspendedByRadar) so both surfaces agree on what "suspended" means.
+  const argoSuspendedByRadar = kind === 'applications' && isArgoSuspendedByRadar(resourceQ.data)
   const effectiveSuspended = (status?.suspended ?? false) || argoSuspendedByRadar
   // Lifecycle gate: when the resource is pending deletion, mutating
   // actions are futile (the controller is processing finalizers and
@@ -608,7 +708,7 @@ function GitOpsDetailView({ namespaces, onOpenResource }: GitOpsViewProps) {
             onCancel={() => setSyncDialogOpen(false)}
             onConfirm={(opts) => {
               argoSync.mutate({ namespace, name, ...opts }, {
-                onSuccess: () => setSyncDialogOpen(false),
+                onSettled: () => setSyncDialogOpen(false),
               })
             }}
           />
@@ -627,7 +727,7 @@ function GitOpsDetailView({ namespaces, onOpenResource }: GitOpsViewProps) {
                 return
               }
               argoRollback.mutate({ namespace, name, id, ...opts }, {
-                onSuccess: () => setRollbackTarget(null),
+                onSettled: () => setRollbackTarget(null),
               })
             }}
           />

package/src/components/helm/HelmReleaseDrawer.tsx CHANGED Viewed

@@ -1,6 +1,6 @@
 import { useState, useCallback, useEffect, useRef } from 'react'
 import { flushSync } from 'react-dom'
-import { PaneLoader, useDockReservedHeight } from '@skyhook-io/k8s-ui'
+import { FetchResult, useDockReservedHeight } from '@skyhook-io/k8s-ui'
 import { startViewTransitionSafe } from '@skyhook-io/k8s-ui/utils/view-transition'
 import { TRANSITION_DRAWER } from '../../utils/animation'
 import { useRefreshAnimation } from '../../hooks/useRefreshAnimation'
@@ -60,7 +60,7 @@ export function HelmReleaseDrawer({ release, onClose, onNavigateToResource, isOp
   const canViewSensitive = canAtLeast('member')
   const helmNamespace = release.storageNamespace || release.namespace
-  const { data: releaseDetail, isLoading, refetch: refetchRelease } = useHelmRelease(
+  const { data: releaseDetail, isLoading, error: releaseError, refetch: refetchRelease } = useHelmRelease(
     helmNamespace,
     release.name
   )
@@ -446,10 +446,8 @@ export function HelmReleaseDrawer({ release, onClose, onNavigateToResource, isOp
       {/* Content */}
       <div className="flex-1 overflow-y-auto" style={{ viewTransitionName: 'helm-drawer-content' }}>
-        {isLoading ? (
-          <PaneLoader className="h-32" />
-        ) : !releaseDetail ? (
-          <div className="flex items-center justify-center h-32 text-theme-text-tertiary">Release not found</div>
+        {!releaseDetail ? (
+          <FetchResult loading={isLoading} error={releaseError} notFoundMessage="Release not found" className="h-32" />
         ) : (
           <>
             {activeTab === 'overview' && (

package/src/components/home/GitOpsControllersCard.tsx CHANGED Viewed

@@ -41,21 +41,23 @@ export function GitOpsControllersCard({ data, onNavigate }: GitOpsControllersCar
     <button
       type="button"
       onClick={onNavigate}
-      className="flex flex-col gap-3 rounded-xl bg-theme-surface p-4 text-left shadow-theme-sm transition-colors hover:bg-theme-hover"
+      className="group h-[260px] rounded-xl bg-theme-surface shadow-theme-sm hover:-translate-y-1 hover:shadow-theme-md transition-all duration-200 text-left animate-fade-in-up"
     >
-      <div className="flex items-center justify-between">
-        <div className="flex items-center gap-2">
-          <GitBranch className="h-4 w-4 text-theme-text-tertiary" />
-          <span className="text-xs font-semibold uppercase tracking-wider text-theme-text-secondary">
-            GitOps Controllers
-          </span>
+      <div className="flex flex-col h-full w-full">
+        <div className="flex items-center justify-between px-5 py-3 border-b border-theme-border/50">
+          <div className="flex items-center gap-2">
+            <GitBranch className={clsx('h-4 w-4', headerTone)} />
+            <span className={clsx('text-xs font-semibold uppercase tracking-wider', headerTone)}>
+              GitOps Controllers
+            </span>
+          </div>
+          <span className={clsx('text-[11px] font-medium', headerTone)}>{headerLabel}</span>
         </div>
-        <span className={clsx('text-[11px] font-medium', headerTone)}>{headerLabel}</span>
-      </div>
-      <div className="flex flex-col gap-2">
-        {argo.length > 0 && <ControllerSection label="Argo CD" controllers={argo} />}
-        {flux.length > 0 && <ControllerSection label="Flux CD" controllers={flux} />}
+        <div className="flex-1 min-h-0 overflow-y-auto px-5 py-3 flex flex-col gap-3">
+          {argo.length > 0 && <ControllerSection label="Argo CD" controllers={argo} />}
+          {flux.length > 0 && <ControllerSection label="Flux CD" controllers={flux} />}
+        </div>
       </div>
     </button>
   )

package/src/components/home/HomeView.tsx CHANGED Viewed

@@ -1,4 +1,4 @@
-import { useMemo } from 'react'
+import { useMemo, type ReactNode } from 'react'
 import { useDashboard, useDashboardCRDs, useDashboardHelm } from '../../api/client'
 import type { DashboardResponse } from '../../api/client'
 import type { ExtendedMainView, Topology, SelectedResource } from '../../types'
@@ -113,71 +113,81 @@ export function HomeView({ namespaces, topology, onNavigateToView, onNavigateToR
         )}>
           {/* Left column: teaser cards */}
           <div className="flex flex-col gap-6 auto-rows-min">
-            {/* Primary cards — 2-col grid */}
+            {/* Live band — Topology + Timeline always render, so a fixed 2-up never strands.
+                These are the richest visuals and the most-used live views, so they get the width. */}
             <div className="grid grid-cols-1 sm:grid-cols-2 gap-6">
               <TopologyPreview
                 topology={scopedTopology}
                 summary={data.topologySummary}
                 onNavigate={() => onNavigateToView('topology')}
               />
-              <HelmSummary
-                data={helmData}
-                onNavigate={() => onNavigateToView('helm')}
-              />
               <ActivitySummary
                 namespaces={namespaces}
                 topology={scopedTopology}
                 onNavigate={() => onNavigateToView('timeline')}
               />
-              <TrafficSummary
-                data={data.trafficSummary}
-                onNavigate={() => onNavigateToView('traffic')}
-              />
-              <CostCard onNavigate={() => onNavigateToView('cost')} />
             </div>
-            {/* Health & compliance cards — 3-col when enough cards, 2-col fallback */}
-            {(data.certificateHealth || data.networkPolicyCoverage || data.audit || data.gitopsControllers) && (() => {
-              const healthCards = [
-                data.certificateHealth && (
-                  <CertificateHealthCard
-                    key="certs"
-                    data={data.certificateHealth}
-                    onNavigate={() => onNavigateToResourceKind('secrets', undefined, { type: ['TLS'] })}
-                  />
-                ),
-                data.networkPolicyCoverage && (
-                  <NetworkPolicyCoverageCard
-                    key="netpol"
-                    data={data.networkPolicyCoverage}
-                    onNavigate={() => onNavigateToResourceKind('networkpolicies', 'networking.k8s.io')}
-                  />
-                ),
-                data.gitopsControllers && (
-                  <GitOpsControllersCard
-                    key="gitops-controllers"
-                    data={data.gitopsControllers}
-                    onNavigate={() => onNavigateToView('gitops')}
-                  />
-                ),
-                data.audit && (
-                  <AuditCard
-                    key="audit"
-                    data={data.audit}
-                    onNavigate={() => onNavigateToView('audit')}
-                  />
-                ),
-              ].filter(Boolean)
-              return (
-                <div className={clsx(
-                  'grid gap-6',
-                  healthCards.length >= 3 ? 'grid-cols-1 sm:grid-cols-2 lg:grid-cols-3' : 'grid-cols-1 sm:grid-cols-2'
-                )}>
-                  {healthCards}
-                </div>
-              )
-            })()}
+            {/* Explore band — flex-grow wrap so the row always fills. The conditional
+                Cost card self-hides via BandItem's empty:hidden when OpenCost is absent,
+                leaving Traffic + Helm to stretch rather than stranding an empty cell. */}
+            <div className="flex flex-wrap gap-6">
+              <BandItem>
+                <TrafficSummary
+                  data={data.trafficSummary}
+                  onNavigate={() => onNavigateToView('traffic')}
+                />
+              </BandItem>
+              <BandItem>
+                <HelmSummary
+                  data={helmData}
+                  onNavigate={() => onNavigateToView('helm')}
+                />
+              </BandItem>
+              <BandItem>
+                <CostCard onNavigate={() => onNavigateToView('cost')} />
+              </BandItem>
+            </div>
+            {/* Posture band — same flex-grow wrap so any subset of compliance cards
+                fills its row instead of stranding the last one (the old 3-col grid
+                left Cluster Audit alone with two empty cells beside it). */}
+            {(data.certificateHealth || data.networkPolicyCoverage || data.audit || data.gitopsControllers) && (
+              <div className="flex flex-wrap gap-6">
+                {data.certificateHealth && (
+                  <BandItem>
+                    <CertificateHealthCard
+                      data={data.certificateHealth}
+                      onNavigate={() => onNavigateToResourceKind('secrets', undefined, { type: ['TLS'] })}
+                    />
+                  </BandItem>
+                )}
+                {data.networkPolicyCoverage && (
+                  <BandItem>
+                    <NetworkPolicyCoverageCard
+                      data={data.networkPolicyCoverage}
+                      onNavigate={() => onNavigateToResourceKind('networkpolicies', 'networking.k8s.io')}
+                    />
+                  </BandItem>
+                )}
+                {data.gitopsControllers && (
+                  <BandItem>
+                    <GitOpsControllersCard
+                      data={data.gitopsControllers}
+                      onNavigate={() => onNavigateToView('gitops')}
+                    />
+                  </BandItem>
+                )}
+                {data.audit && (
+                  <BandItem>
+                    <AuditCard
+                      data={data.audit}
+                      onNavigate={() => onNavigateToView('audit')}
+                    />
+                  </BandItem>
+                )}
+              </div>
+            )}
           </div>
           {/* Right column: problems panel */}
@@ -193,6 +203,13 @@ export function HomeView({ namespaces, topology, onNavigateToView, onNavigateToR
   )
 }
+// A self-tiling flex item: grows to share the row, clamps to a sensible min
+// width, and removes itself (empty:hidden) when its card renders null — so a
+// data-gated card (e.g. Cost without OpenCost) can't leave a phantom column.
+function BandItem({ children }: { children: ReactNode }) {
+  return <div className="flex-1 min-w-[260px] empty:hidden [&>*]:w-full">{children}</div>
+}
 // ============================================================================
 // Problems Panel (right sidebar, scrollable)
 // ============================================================================

package/src/components/home/MCPSetupDialog.tsx CHANGED Viewed

@@ -1,6 +1,7 @@
 import { useRef, useEffect, useState, useCallback } from 'react'
 import { X, Copy, Check, Radio, Terminal, MessageSquare, Code2, ChevronRight, Pin } from 'lucide-react'
 import { apiUrl, getAuthHeaders, getCredentialsMode } from '../../api/config'
+import { MCP_TOOL_CATALOG } from './mcpToolCatalog'
 interface MCPSetupDialogProps {
   open: boolean
@@ -208,8 +209,9 @@ export function MCPSetupDialog({ open, onClose, mcpUrl }: MCPSetupDialogProps) {
               verbose YAML output.
             </p>
             <p className="text-sm text-theme-text-secondary leading-relaxed">
-              Read tools are strictly read-only. Write tools (restart, scale, sync) are
-              non-destructive and annotated so your AI client can distinguish them.
+              Read tools are strictly read-only. Write tools (restart, scale, sync, apply,
+              node drain) are annotated as destructive so your AI client can flag them and
+              prompt before running.
             </p>
           </div>
@@ -296,95 +298,27 @@ export function MCPSetupDialog({ open, onClose, mcpUrl }: MCPSetupDialogProps) {
           {/* Available tools */}
           <div className="space-y-2">
-            <h4 className="text-sm font-semibold text-theme-text-primary">Tools</h4>
+            <div className="flex items-baseline justify-between">
+              <h4 className="text-sm font-semibold text-theme-text-primary">Tools</h4>
+              <span className="text-[11px] text-theme-text-tertiary">{MCP_TOOL_CATALOG.length} tools</span>
+            </div>
             <div className="grid grid-cols-1 gap-1.5">
-              {[
-                { name: 'get_dashboard', desc: 'Get cluster health overview including resource counts, problems (failing pods, unhealthy deployments), recent warning events, and Helm release status. Start here to understand cluster state before drilling into specific resources.', params: [
-                  { name: 'namespace', required: false, desc: 'filter to a specific namespace' },
-                ]},
-                { name: 'list_resources', desc: 'List Kubernetes resources of a given kind with minified summaries. Supports all built-in kinds (pods, deployments, services, etc.) and CRDs. Use to discover what\'s running before inspecting individual resources.', params: [
-                  { name: 'kind', required: true, desc: 'resource kind, e.g. pods, deployments, services' },
-                  { name: 'namespace', required: false, desc: 'filter to a specific namespace' },
-                ]},
-                { name: 'get_resource', desc: 'Get a single Kubernetes resource: minified spec/status/metadata plus default-on resourceContext (managedBy, exposes, selectedBy, uses, runsOn, issue/audit rollups). Optionally include heavier sidecars (events, metrics, logs).', params: [
-                  { name: 'kind', required: true, desc: 'resource kind, e.g. pod, deployment, service' },
-                  { name: 'namespace', required: false, desc: 'omit for cluster-scoped kinds (Node, ClusterRole, IngressClass, etc.)' },
-                  { name: 'name', required: true, desc: 'resource name' },
-                  { name: 'group', required: false, desc: 'API group when the kind is ambiguous (e.g. serving.knative.dev for Knative Service vs core Service)' },
-                  { name: 'include', required: false, desc: 'events, metrics, logs' },
-                  { name: 'context', required: false, desc: 'resourceContext tier: basic (default) or none (bare minified)' },
-                ]},
-                { name: 'get_topology', desc: 'Get the topology graph showing relationships between Kubernetes resources. Returns nodes and edges representing Deployments, Services, Ingresses, Pods, etc. Use \'traffic\' view for network flow or \'resources\' view for ownership hierarchy. Use \'summary\' format for LLM-friendly text descriptions.', params: [
-                  { name: 'namespace', required: false, desc: 'filter to a specific namespace' },
-                  { name: 'view', required: false, desc: 'traffic or resources' },
-                  { name: 'format', required: false, desc: 'graph (default) or summary (text)' },
-                ]},
-                { name: 'get_events', desc: 'Get recent Kubernetes warning events, deduplicated and sorted by recency. Useful for diagnosing issues — shows event reason, message, and occurrence count. Filter by resource kind/name to scope to a specific resource.', params: [
-                  { name: 'namespace', required: false, desc: 'filter to a specific namespace' },
-                  { name: 'limit', required: false, desc: 'max events to return (default 20)' },
-                  { name: 'kind', required: false, desc: 'filter to events for this resource kind' },
-                  { name: 'name', required: false, desc: 'filter to events for this resource name' },
-                ]},
-                { name: 'get_pod_logs', desc: 'Get filtered log lines from a pod, prioritizing errors and warnings. Returns diagnostically relevant lines (errors, panics, stack traces) or falls back to the last 20 lines if no error patterns match.', params: [
-                  { name: 'namespace', required: true, desc: 'pod namespace' },
-                  { name: 'name', required: true, desc: 'pod name' },
-                  { name: 'container', required: false, desc: 'container name (defaults to first)' },
-                  { name: 'tail_lines', required: false, desc: 'lines from end (default 200)' },
-                ]},
-                { name: 'list_namespaces', desc: 'List all Kubernetes namespaces with their status. Use to discover available namespaces before filtering other queries.', params: [] },
-                { name: 'get_changes', desc: 'Get recent resource changes (creates, updates, deletes) from the cluster timeline. Use to investigate what changed before an incident. Filter by namespace, resource kind, or specific resource name.', params: [
-                  { name: 'namespace', required: false, desc: 'filter to a specific namespace' },
-                  { name: 'kind', required: false, desc: 'filter to a resource kind (e.g. Deployment)' },
-                  { name: 'name', required: false, desc: 'filter to a specific resource name' },
-                  { name: 'since', required: false, desc: 'lookback duration, e.g. 1h, 30m (default 1h)' },
-                  { name: 'limit', required: false, desc: 'max changes to return (default 20, max 50)' },
-                ]},
-                { name: 'list_helm_releases', desc: 'List all Helm releases in the cluster with their status and health. Returns release name, namespace, chart, version, status, and resource health.', params: [
-                  { name: 'namespace', required: false, desc: 'filter to a specific namespace' },
-                ]},
-                { name: 'get_helm_release', desc: 'Get detailed information about a specific Helm release including owned resources and their status. Optionally include values, revision history, or manifest diff between revisions.', params: [
-                  { name: 'namespace', required: true, desc: 'release namespace' },
-                  { name: 'name', required: true, desc: 'release name' },
-                  { name: 'include', required: false, desc: 'values, history, diff' },
-                  { name: 'diff_revision_1', required: false, desc: 'first revision for diff' },
-                  { name: 'diff_revision_2', required: false, desc: 'second revision for diff (defaults to current)' },
-                ]},
-                { name: 'get_workload_logs', desc: 'Get aggregated, AI-filtered logs from all pods of a workload (Deployment, StatefulSet, or DaemonSet). Logs are collected from all matching pods, filtered for errors/warnings, and deduplicated.', params: [
-                  { name: 'kind', required: true, desc: 'deployment, statefulset, or daemonset' },
-                  { name: 'namespace', required: true, desc: 'workload namespace' },
-                  { name: 'name', required: true, desc: 'workload name' },
-                  { name: 'container', required: false, desc: 'specific container name' },
-                  { name: 'tail_lines', required: false, desc: 'lines per pod (default 100)' },
-                ]},
-                { name: 'manage_workload', desc: 'Perform operations on a workload. \'restart\' triggers a rolling restart, \'scale\' changes the replica count, \'rollback\' reverts to a previous revision.', params: [
-                  { name: 'action', required: true, desc: 'restart, scale, or rollback' },
-                  { name: 'kind', required: true, desc: 'deployment, statefulset, or daemonset' },
-                  { name: 'namespace', required: true, desc: 'workload namespace' },
-                  { name: 'name', required: true, desc: 'workload name' },
-                  { name: 'replicas', required: false, desc: 'target replica count (for scale)' },
-                  { name: 'revision', required: false, desc: 'target revision (for rollback)' },
-                ]},
-                { name: 'manage_cronjob', desc: 'Perform operations on a CronJob. \'trigger\' creates a manual Job run, \'suspend\' pauses the schedule, \'resume\' re-enables it.', params: [
-                  { name: 'action', required: true, desc: 'trigger, suspend, or resume' },
-                  { name: 'namespace', required: true, desc: 'cronjob namespace' },
-                  { name: 'name', required: true, desc: 'cronjob name' },
-                ]},
-                { name: 'manage_gitops', desc: 'Perform operations on GitOps resources. ArgoCD: sync, suspend, resume. FluxCD: reconcile, suspend, resume.', params: [
-                  { name: 'action', required: true, desc: 'sync/reconcile, suspend, or resume' },
-                  { name: 'tool', required: true, desc: 'argocd or fluxcd' },
-                  { name: 'namespace', required: true, desc: 'resource namespace' },
-                  { name: 'name', required: true, desc: 'resource name' },
-                  { name: 'kind', required: false, desc: 'FluxCD resource kind (e.g. kustomization, helmrelease)' },
-                ]},
-              ].map((tool) => (
+              {MCP_TOOL_CATALOG.map((tool) => (
                 <div key={tool.name} className="card-inner space-y-1.5">
-                  <code className="text-[11px] font-mono text-purple-400">{tool.name}</code>
+                  <div className="flex items-center gap-2">
+                    <code className="text-[11px] font-mono text-purple-400">{tool.name}</code>
+                    {tool.write && (
+                      <span className="badge-sm bg-amber-500/10 text-amber-600 dark:text-amber-400" title="Write tool — annotated as destructive">
+                        write
+                      </span>
+                    )}
+                  </div>
                   <p className="text-[11px] text-theme-text-tertiary leading-relaxed">{tool.desc}</p>
                   {tool.params.length > 0 && (
                     <div className="flex flex-wrap gap-1.5 pt-0.5">
                       {tool.params.map((p) => (
-                        <span key={p.name} className="badge-sm font-mono bg-theme-elevated text-theme-text-secondary" title={p.desc}>
-                          <span className="text-theme-text-secondary">{p.name}</span>
+                        <span key={p.arg} className="badge-sm font-mono bg-theme-elevated text-theme-text-secondary" title={p.desc}>
+                          <span className="text-theme-text-secondary">{p.arg}</span>
                           {p.required && <span className="text-red-400">*</span>}
                         </span>
                       ))}

package/src/components/home/mcpToolCatalog.ts ADDED Viewed

@@ -0,0 +1,276 @@
+// Human-facing catalog for the MCP setup dialog (MCPSetupDialog.tsx).
+//
+// Source of truth for the *set* of tools is the backend registration in
+// internal/mcp/tools.go. This list must stay in sync with it — the Go test
+// TestSetupDialogCoversAllTools (internal/mcp/tools_catalog_test.go) parses
+// this file and fails CI if the tool names here don't exactly match the
+// registered tools. When you add or remove an MCP tool there, update this
+// catalog too.
+//
+// Descriptions here are intentionally shorter and more human-facing than the
+// LLM-oriented routing descriptions in tools.go — different audience, so they
+// are not shared verbatim.
+export interface MCPToolParam {
+  arg: string
+  required?: boolean
+  desc: string
+}
+export interface MCPToolInfo {
+  name: string
+  write?: boolean
+  desc: string
+  params: MCPToolParam[]
+}
+export const MCP_TOOL_CATALOG: MCPToolInfo[] = [
+  {
+    name: 'get_dashboard',
+    desc: 'Cluster or namespace health overview: resource counts, failing pods, unhealthy workloads, recent warning events, and Helm status. Start here before drilling into specific resources.',
+    params: [{ arg: 'namespace', desc: 'filter to a specific namespace' }],
+  },
+  {
+    name: 'top_resources',
+    desc: 'Live CPU/memory ranking (like `kubectl top`) joined with Kubernetes context — pod status, restarts, owner workload, requests, and limits. Ranks pods, workloads, or nodes.',
+    params: [
+      { arg: 'kind', desc: 'pods (default), workloads, or nodes' },
+      { arg: 'namespace', desc: 'filter pods/workloads to a namespace' },
+      { arg: 'sort', desc: 'cpu (default) or memory' },
+      { arg: 'limit', desc: 'max rows (default 20, max 100)' },
+    ],
+  },
+  {
+    name: 'list_resources',
+    desc: 'List Kubernetes resources of a given kind with compact summaries plus per-row health, managedBy, and issue counts. Supports built-in kinds and CRDs.',
+    params: [
+      { arg: 'kind', required: true, desc: 'resource kind, e.g. pods, deployments, services' },
+      { arg: 'group', desc: 'API group when the kind is ambiguous (e.g. serving.knative.dev)' },
+      { arg: 'namespace', desc: 'filter to a specific namespace' },
+      { arg: 'context', desc: 'per-row context: default (summaryContext) or none' },
+    ],
+  },
+  {
+    name: 'get_resource',
+    desc: 'A single resource: minified spec/status/metadata plus resourceContext (relationships, refs, issue/audit/policy rollups). Optionally include heavier event/metrics sidecars.',
+    params: [
+      { arg: 'kind', required: true, desc: 'resource kind, e.g. pod, deployment, service' },
+      { arg: 'name', required: true, desc: 'resource name' },
+      { arg: 'namespace', desc: 'omit for cluster-scoped kinds (Node, ClusterRole, IngressClass, etc.)' },
+      { arg: 'group', desc: 'API group when the kind is ambiguous (e.g. serving.knative.dev for Knative Service vs core Service)' },
+      { arg: 'include', desc: 'events, metrics' },
+      { arg: 'context', desc: 'resourceContext tier: basic (default) or none' },
+    ],
+  },
+  {
+    name: 'get_topology',
+    desc: 'Topology graph of relationships between resources — Services, workloads, Pods, Ingresses, owners. Use traffic view for network flow or resources view for ownership hierarchy.',
+    params: [
+      { arg: 'namespace', desc: 'filter to a specific namespace' },
+      { arg: 'view', desc: 'traffic or resources' },
+      { arg: 'format', desc: 'graph (default) or summary (text)' },
+    ],
+  },
+  {
+    name: 'get_neighborhood',
+    desc: 'BFS-expanded topology around one resource — its upstream/downstream Services, workloads, Pods, refs, and owners. Cheaper and more focused than full topology once you have a suspect.',
+    params: [
+      { arg: 'kind', required: true, desc: 'resource kind, e.g. pod, deployment, service, application' },
+      { arg: 'name', required: true, desc: 'resource name' },
+      { arg: 'namespace', desc: 'resource namespace; omit for cluster-scoped kinds' },
+      { arg: 'group', desc: 'API group to disambiguate colliding kinds' },
+      { arg: 'profile', desc: 'auto (default) or all (every edge type, heavier)' },
+      { arg: 'hops', desc: 'BFS depth (default 1, max 2)' },
+      { arg: 'max_nodes', desc: 'node budget (default 25)' },
+    ],
+  },
+  {
+    name: 'get_events',
+    desc: 'Recent Kubernetes warning events, deduplicated and sorted by recency. Shows reason, message, and occurrence count. Filter to a specific resource by kind/name.',
+    params: [
+      { arg: 'namespace', desc: 'filter to a specific namespace' },
+      { arg: 'limit', desc: 'max events (default 20, max 100)' },
+      { arg: 'kind', desc: 'filter to events for this resource kind' },
+      { arg: 'name', desc: 'filter to events for this resource name' },
+    ],
+  },
+  {
+    name: 'get_pod_logs',
+    desc: 'Filtered log lines from a pod, prioritizing errors and warnings, falling back to recent tail lines. Optional grep, since, and previous-container logs.',
+    params: [
+      { arg: 'namespace', required: true, desc: 'pod namespace' },
+      { arg: 'name', required: true, desc: 'pod name' },
+      { arg: 'container', desc: 'container name (defaults to first)' },
+      { arg: 'tail_lines', desc: 'lines from end (default 200)' },
+      { arg: 'grep', desc: 'regex to filter lines, like kubectl logs | grep' },
+      { arg: 'since', desc: 'only logs newer than this duration (e.g. 30s, 10m, 1h)' },
+      { arg: 'previous', desc: 'logs from the previous terminated container (CrashLoopBackOff)' },
+    ],
+  },
+  {
+    name: 'diagnose',
+    desc: 'One-call workload root-cause bundle: spec + resourceContext + current AND previous logs across all pods + warning events + startup-blocker analysis. For Pod/Deployment/StatefulSet/DaemonSet.',
+    params: [
+      { arg: 'kind', required: true, desc: 'pod, deployment, statefulset, or daemonset' },
+      { arg: 'namespace', required: true, desc: 'workload namespace' },
+      { arg: 'name', required: true, desc: 'resource name' },
+      { arg: 'container', desc: 'specific container (defaults to all)' },
+      { arg: 'tail_lines', desc: 'lines per pod/stream (default 100)' },
+      { arg: 'since', desc: 'only logs newer than this duration' },
+    ],
+  },
+  {
+    name: 'list_namespaces',
+    desc: 'List all Kubernetes namespaces with their status. Use to discover available namespaces before filtering other queries.',
+    params: [],
+  },
+  {
+    name: 'get_changes',
+    desc: 'Recent resource creates, updates, and deletes from the cluster timeline. Use to investigate what changed before an incident.',
+    params: [
+      { arg: 'namespace', desc: 'filter to a specific namespace' },
+      { arg: 'kind', desc: 'filter to a resource kind (e.g. Deployment)' },
+      { arg: 'name', desc: 'filter to a specific resource name' },
+      { arg: 'since', desc: 'lookback duration, e.g. 1h, 30m (default 1h)' },
+      { arg: 'limit', desc: 'max changes (default 20, max 50)' },
+    ],
+  },
+  {
+    name: 'get_cluster_audit',
+    desc: 'Best-practice and security posture findings — Security, Reliability, Efficiency — each with remediation guidance. Static config posture, independent of live operational health.',
+    params: [
+      { arg: 'namespace', desc: 'filter to a specific namespace' },
+      { arg: 'category', desc: 'Security, Reliability, or Efficiency' },
+      { arg: 'severity', desc: 'danger or warning' },
+      { arg: 'limit', desc: 'max findings (default 30, max 100)' },
+    ],
+  },
+  {
+    name: 'list_helm_releases',
+    desc: 'All Helm releases in the cluster with status and resource health — name, namespace, chart, version.',
+    params: [{ arg: 'namespace', desc: 'filter to a specific namespace' }],
+  },
+  {
+    name: 'get_helm_release',
+    desc: 'Detailed Helm release info with owned resources and their status. Optionally include values, revision history, or a manifest diff between revisions.',
+    params: [
+      { arg: 'namespace', required: true, desc: 'release namespace' },
+      { arg: 'name', required: true, desc: 'release name' },
+      { arg: 'include', desc: 'values, history, diff' },
+      { arg: 'diff_revision_1', desc: 'first revision for diff' },
+      { arg: 'diff_revision_2', desc: 'second revision for diff (defaults to current)' },
+    ],
+  },
+  {
+    name: 'list_packages',
+    desc: 'Unified "what\'s installed" view across Helm releases, workload labels, CRD registrations, and GitOps declarations (Argo + Flux), with sources, versions, and health.',
+    params: [
+      { arg: 'namespace', desc: 'filter to a specific namespace' },
+      { arg: 'source', desc: 'H (Helm), L (labels), C (CRDs), A (Argo), F (Flux)' },
+      { arg: 'chart', desc: 'case-insensitive chart-name substring' },
+    ],
+  },
+  {
+    name: 'issues',
+    desc: 'Ranked list of what is broken right now — failing workloads, dangling references, scheduling blockers, and false CRD conditions. Live operational state (distinct from get_cluster_audit posture).',
+    params: [
+      { arg: 'namespace', desc: 'filter to one namespace' },
+      { arg: 'severity', desc: 'comma-separated: critical, warning' },
+      { arg: 'kind', desc: 'comma-separated kind filter' },
+      { arg: 'limit', desc: 'max issues (default 200, max 1000)' },
+      { arg: 'filter', desc: 'optional CEL boolean expression' },
+    ],
+  },
+  {
+    name: 'search',
+    desc: 'Find resources by content/term match — config keys, env refs, images, label values, ConfigMap data, CRD fields, status messages. Secret values are never indexed.',
+    params: [
+      { arg: 'query', required: true, desc: 'tokens AND\'d; modifiers kind:, ns:, label:, image:' },
+      { arg: 'limit', desc: 'max hits (default 50, max 500)' },
+      { arg: 'include', desc: 'summary (default), raw, or none' },
+      { arg: 'filter', desc: 'optional CEL boolean expression' },
+      { arg: 'context', desc: 'per-hit context: default (summaryContext) or none' },
+    ],
+  },
+  {
+    name: 'get_subject_permissions',
+    desc: 'Effective RBAC for a ServiceAccount, User, or Group: the bindings that grant access, a flattened rule list, and (for SAs) the Pods running as it. Answers "what\'s the blast radius if compromised?".',
+    params: [
+      { arg: 'kind', required: true, desc: 'ServiceAccount, User, or Group' },
+      { arg: 'name', required: true, desc: 'subject name' },
+      { arg: 'namespace', desc: 'required for ServiceAccount; omit for User/Group' },
+    ],
+  },
+  {
+    name: 'get_workload_logs',
+    desc: 'Aggregated, filtered logs across all pods of a workload (Deployment, StatefulSet, or DaemonSet) — collected concurrently, filtered for errors/warnings, and deduplicated.',
+    params: [
+      { arg: 'kind', desc: 'deployment (default), statefulset, or daemonset' },
+      { arg: 'namespace', required: true, desc: 'workload namespace' },
+      { arg: 'name', required: true, desc: 'workload name' },
+      { arg: 'container', desc: 'specific container (defaults to all)' },
+      { arg: 'tail_lines', desc: 'lines per pod (default 100)' },
+      { arg: 'grep', desc: 'regex to filter lines, like kubectl logs | grep' },
+      { arg: 'since', desc: 'only logs newer than this duration' },
+      { arg: 'previous', desc: 'logs from the previous terminated container' },
+    ],
+  },
+  {
+    name: 'manage_workload',
+    write: true,
+    desc: 'Operate on a workload: restart triggers a rolling restart, scale changes the replica count, rollback reverts to a previous revision.',
+    params: [
+      { arg: 'action', required: true, desc: 'restart, scale, or rollback' },
+      { arg: 'kind', required: true, desc: 'deployment, statefulset, or daemonset' },
+      { arg: 'namespace', required: true, desc: 'workload namespace' },
+      { arg: 'name', required: true, desc: 'workload name' },
+      { arg: 'replicas', desc: 'target replica count (for scale)' },
+      { arg: 'revision', desc: 'target revision (for rollback)' },
+    ],
+  },
+  {
+    name: 'manage_cronjob',
+    write: true,
+    desc: 'Operate on a CronJob: trigger creates a manual Job run, suspend pauses the schedule, resume re-enables it.',
+    params: [
+      { arg: 'action', required: true, desc: 'trigger, suspend, or resume' },
+      { arg: 'namespace', required: true, desc: 'cronjob namespace' },
+      { arg: 'name', required: true, desc: 'cronjob name' },
+    ],
+  },
+  {
+    name: 'manage_gitops',
+    write: true,
+    desc: 'Operate on GitOps resources. ArgoCD: sync, refresh, terminate, rollback, suspend, resume. FluxCD: reconcile, sync-with-source, suspend, resume.',
+    params: [
+      { arg: 'action', required: true, desc: 'sync/reconcile, refresh, terminate, rollback, suspend, or resume' },
+      { arg: 'tool', required: true, desc: 'argocd or fluxcd' },
+      { arg: 'namespace', required: true, desc: 'resource namespace' },
+      { arg: 'name', required: true, desc: 'resource name' },
+      { arg: 'kind', desc: 'FluxCD resource kind (e.g. kustomization, helmrelease)' },
+    ],
+  },
+  {
+    name: 'apply_resource',
+    write: true,
+    desc: 'Create or update a resource from YAML. apply mode is a server-side apply with Force=true (can take field ownership from Helm/Flux); create mode fails if it exists. Multi-document YAML supported.',
+    params: [
+      { arg: 'yaml', required: true, desc: 'YAML manifest (multi-document with --- supported)' },
+      { arg: 'mode', desc: 'apply (default) or create' },
+      { arg: 'dry_run', desc: 'validate without persisting' },
+      { arg: 'namespace', desc: 'override namespace for the resource' },
+    ],
+  },
+  {
+    name: 'manage_node',
+    write: true,
+    desc: 'Operate on a node: cordon marks it unschedulable, uncordon reverses that, drain cordons then evicts all non-DaemonSet pods.',
+    params: [
+      { arg: 'action', required: true, desc: 'cordon, uncordon, or drain' },
+      { arg: 'name', required: true, desc: 'node name' },
+      { arg: 'delete_empty_dir_data', desc: 'evict pods with emptyDir volumes (default true)' },
+      { arg: 'force', desc: 'evict pods not managed by a controller (default false)' },
+      { arg: 'timeout', desc: 'drain timeout in seconds (default 60)' },
+    ],
+  },
+]

package/src/components/resources/renderers/RoleBindingRenderer.tsx CHANGED Viewed

@@ -21,10 +21,11 @@ export function RoleBindingRenderer({ data, onNavigate }: RoleBindingRendererPro
   const namespace = isClusterRole ? '' : (data?.metadata?.namespace ?? '')
   const name = roleRef.name ?? ''
-  const { data: role, isLoading } = useResource<any>(kind, namespace, name)
+  const { data: role, isLoading, error } = useResource<any>(kind, namespace, name)
   // `role` is undefined while loading, then the resource, then potentially
-  // null on 404. Pass [] for "loaded but no rules" so the base renderer's
-  // `rules === null` branch fires only on outright fetch failure (orphan).
+  // null on 404 / 403. Pass [] for "loaded but no rules" so the base
+  // renderer's `rules === null` branch fires only on outright fetch failure
+  // (orphan or forbidden); `roleRulesError` then disambiguates the two.
   const rules =
     isLoading
       ? undefined
@@ -38,6 +39,7 @@ export function RoleBindingRenderer({ data, onNavigate }: RoleBindingRendererPro
       onNavigate={onNavigate}
       roleRules={rules ?? null}
       roleRulesLoading={isLoading}
+      roleRulesError={error}
     />
   )
 }

package/src/components/workload/WorkloadView.tsx CHANGED Viewed

@@ -255,7 +255,7 @@ export function WorkloadView({
   }, [searchParams, setSearchParams])
   // Fetch resource with relationships
-  const { data: resourceResponse, isLoading: resourceLoading, refetch: refetchResource } = useResourceWithRelationships<any>(kindProp, namespace, name, rest.group)
+  const { data: resourceResponse, isLoading: resourceLoading, error: resourceError, refetch: refetchResource } = useResourceWithRelationships<any>(kindProp, namespace, name, rest.group)
   const resource = resourceResponse?.resource
   const relationships = resourceResponse?.relationships
   const certificateInfo = resourceResponse?.certificateInfo
@@ -398,6 +398,7 @@ export function WorkloadView({
       relationships={relationships}
       certificateInfo={certificateInfo}
       isLoading={resourceLoading}
+      resourceError={resourceError}
       refetch={refetchResource}
       // Timeline
       allEvents={allEvents}