@skyhook-io/radar-app 1.3.5 → 1.4.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skyhook-io/radar-app",
-  "version": "1.3.5",
+  "version": "1.4.0",
   "description": "Radar's full web UI as a reusable React component. Used by Radar's own binary and by external consumers like Radar Cloud.",
   "repository": {
     "type": "git",

package/src/App.tsx

@@ -6,7 +6,7 @@ import { useQueryClient } from '@tanstack/react-query'
 import { useNavigate, useLocation, useSearchParams, useNavigationType, NavigationType } from 'react-router-dom'
 import { HomeView } from './components/home/HomeView'
 import { DebugOverlay } from './components/DebugOverlay'
-import { TopologyGraph, TopologySearch, TopologyFilterSidebar, TopologyControls, gitOpsRouteForKind } from '@skyhook-io/k8s-ui'
+import { TopologyGraph, TopologySearch, TopologyFilterSidebar, TopologyControls, gitOpsRouteForKind, gitOpsRouteForResource } from '@skyhook-io/k8s-ui'
 import { TimelineView } from './components/timeline/TimelineView'
 import { ResourcesView } from './components/resources/ResourcesView'
 import { serializeColumnFilters } from './components/resources/resource-utils'
@@ -416,6 +416,23 @@ function AppInner() {
     navigate({ pathname: `/resources/${pluralKind}`, search: newParams.toString() })
   }, [searchParams, navigate])
 
+  // From the Issues queue: a GitOps reconciler subject (Argo Application / Flux
+  // Kustomization / HelmRelease) routes to its rich detail page (tree + insights
+  // + ops), not the generic resource drawer that's a dead-end for it. Member
+  // resources (Pods, Services, …) fall through to the standard resource view.
+  const navigateFromIssue = useCallback((resource: SelectedResource) => {
+    const gitOpsPath = gitOpsRouteForResource({
+      apiVersion: resource.group ? `${resource.group}/v1` : 'v1',
+      kind: resource.kind,
+      metadata: { namespace: resource.namespace ?? '', name: resource.name },
+    })
+    if (gitOpsPath) {
+      navigate(gitOpsPath)
+      return
+    }
+    navigateToResourceList(resource)
+  }, [navigate, navigateToResourceList])
+
   // Collapse from expanded WorkloadView back to drawer
   const handleCollapseFromExpanded = useCallback(() => {
     suppressViewClearRef.current = true
@@ -1667,12 +1684,13 @@ function AppInner() {
 
         {/* Issues — per-cluster live triage queue (hidden route: not yet in the
             nav `views` list; reachable at /issues). Same shared <IssuesView> the
-            Hub fleet uses; resource clicks open the standard resource drawer. */}
+            Hub fleet uses; a GitOps reconciler subject routes to its detail page,
+            other resources open the standard resource view. */}
         {mainView === 'issues' && (
           <IssuesPane
             namespaces={namespaces}
             onBack={() => setMainView('home')}
-            onNavigateToResource={navigateToResourceList}
+            onNavigateToResource={navigateFromIssue}
           />
         )}
 

package/src/api/client.ts

@@ -35,7 +35,7 @@ import { pluralToKind } from '../utils/navigation'
 // and handles 401 responses globally. Merges caller-provided headers with
 // auth headers from the config module so library consumers (Radar Hub) can
 // inject Authorization bearer tokens without each call site knowing.
-function apiFetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response> {
+export function apiFetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response> {
   const headers = new Headers(init?.headers)
   for (const [k, v] of Object.entries(getAuthHeaders())) {
     if (!headers.has(k)) headers.set(k, v)
@@ -237,7 +237,7 @@ export interface DashboardCRDCount {
 }
 
 // Re-export shared types from k8s-ui — single source of truth
-import type { AuditCardData, AuditFinding, ResourceGroup, CheckMeta, Check, Issue } from '@skyhook-io/k8s-ui'
+import type { AuditCardData, AuditFinding, ResourceGroup, CheckMeta, Check, Issue, IssueRecentChange } from '@skyhook-io/k8s-ui'
 export type DashboardAudit = AuditCardData
 export type { AuditFinding, ResourceGroup, CheckMeta, Check }
 
@@ -349,6 +349,8 @@ export interface IssuesResponse {
   issues: Issue[]
   total?: number
   total_matched?: number
+  recent_changes?: IssueRecentChange[]
+  recent_changes_reason?: string
   // Present only when RBAC visibility is incomplete (absent = full access).
   // state 'degraded' means core workload reads are denied, so an empty list may
   // mean "can't see" rather than "nothing broken" — the UI must say so.
@@ -738,6 +740,10 @@ export interface AuthMe {
   /** Pre-computed Cloud tier from `cloud:<tier>` group prefix.
    *  Absent when not running under Cloud (OSS, OIDC, no role group). */
   cloudRole?: CloudRole
+  /** Proxy mode only: whether an upstream sign-out URL is configured.
+   *  When false, logout clears Radar's cookie but the proxy may re-auth
+   *  the same user on the next request. */
+  proxyLogoutConfigured?: boolean
 }
 
 export function useAuthMe() {
@@ -1695,8 +1701,11 @@ export function useDeleteResource() {
   const queryClient = useQueryClient()
 
   return useMutation({
-    mutationFn: async ({ kind, namespace, name, force }: { kind: string; namespace: string; name: string; force?: boolean }) => {
+    mutationFn: async ({ kind, group, namespace, name, force }: { kind: string; group?: string; namespace: string; name: string; force?: boolean }) => {
       const url = new URL(`${getApiBase()}/resources/${kind}/${namespace}/${name}`, window.location.origin)
+      if (group) {
+        url.searchParams.set('group', group)
+      }
       if (force) {
         url.searchParams.set('force', 'true')
       }
@@ -1721,6 +1730,44 @@ export function useDeleteResource() {
   })
 }
 
+export function useBulkDeleteResources() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async ({ items, force }: { items: Array<{ kind: string; group?: string; namespace: string; name: string }>; force?: boolean }) => {
+      const results = await Promise.allSettled(
+        items.map(async ({ kind, group, namespace, name }) => {
+          const url = new URL(`${getApiBase()}/resources/${kind}/${namespace}/${name}`, window.location.origin)
+          if (group) url.searchParams.set('group', group)
+          if (force) url.searchParams.set('force', 'true')
+          const response = await apiFetch(url.toString(), { method: 'DELETE' })
+          if (!response.ok) {
+            const error = await response.json().catch(() => ({ error: 'Unknown error' }))
+            throw new Error(error.error || `Failed to delete ${namespace}/${name}`)
+          }
+          return { kind, namespace, name }
+        })
+      )
+      const failed = results.filter(r => r.status === 'rejected')
+      if (failed.length > 0) {
+        throw new Error(`Failed to delete ${failed.length} of ${items.length} resources`)
+      }
+      return { deleted: items.length }
+    },
+    meta: {
+      errorMessage: 'Failed to delete some resources',
+      successMessage: 'Resources deleted',
+    },
+    // onSettled, not onSuccess — a partial failure still deleted some
+    // resources, and the table must refetch to drop them.
+    onSettled: () => {
+      queryClient.invalidateQueries({ queryKey: ['resources'] })
+      queryClient.invalidateQueries({ queryKey: ['resource-counts'] })
+      queryClient.invalidateQueries({ queryKey: ['topology'] })
+    },
+  })
+}
+
 // Apply (create or update) a resource from YAML
 export interface ApplyResourceResult {
   name: string

package/src/components/ConnectionErrorView.tsx

@@ -4,6 +4,7 @@ import type { ConnectionState } from '../context/ConnectionContext'
 import { ContextSwitcher } from './ContextSwitcher'
 import { parseContextName } from '../utils/context-name'
 import { useOpenLocalTerminal, ClusterName } from '@skyhook-io/k8s-ui'
+import { useAuthMe } from '../api/client'
 
 interface ConnectionErrorViewProps {
   connection: ConnectionState
@@ -165,14 +166,22 @@ export function ConnectionErrorView({ connection, onRetry, isRetrying }: Connect
   const authInfo = isAuth ? getAuthHints(connection.context || '') : null
   const errorInfo = authInfo || errorHints[connection.errorType || 'unknown'] || errorHints.unknown
   const openLocalTerminal = useOpenLocalTerminal()
+  const { data: authMe } = useAuthMe()
 
-  // Build a command that auto-retries connection after successful auth
+  // Auto-retry after successful auth. The terminal shell runs on the server
+  // host, so the auth command itself fixes the server's credentials in every
+  // mode — but the chained retry curl carries no session cookie, so it 401s
+  // once /api/connection is auth-gated. Only chain it when auth is *known*
+  // disabled (authMe still loading → don't chain a doomed call).
   const retryCmd = `curl -s -X POST http://${window.location.host}/api/connection/retry > /dev/null`
 
   const handleAuthInTerminal = () => {
     if (!authInfo?.authCommand) return
+    const cmd = authMe?.authEnabled === false
+      ? `${authInfo.authCommand.command} && ${retryCmd}`
+      : authInfo.authCommand.command
     openLocalTerminal({
-      initialCommand: `${authInfo.authCommand.command} && ${retryCmd}`,
+      initialCommand: cmd,
       title: 'Auth',
     })
   }

package/src/components/UserMenu.tsx

@@ -67,18 +67,17 @@ export function UserMenu() {
               </p>
             )}
           </div>
-          {authMe.authMode === 'proxy' ? (
-            <p className="px-3 py-1.5 text-[11px] text-theme-text-tertiary">
-              Session managed by auth proxy
+          <button
+            onClick={handleLogout}
+            className="w-full flex items-center gap-2 px-3 py-1.5 text-sm text-theme-text-secondary hover:bg-theme-hover transition-colors"
+          >
+            <LogOut className="w-3.5 h-3.5" />
+            Logout
+          </button>
+          {authMe.authMode === 'proxy' && !authMe.proxyLogoutConfigured && (
+            <p className="px-3 py-1.5 text-[11px] text-theme-text-tertiary border-t border-theme-border">
+              Logout clears the Radar session. The auth proxy may sign you back in automatically.
             </p>
-          ) : (
-            <button
-              onClick={handleLogout}
-              className="w-full flex items-center gap-2 px-3 py-1.5 text-sm text-theme-text-secondary hover:bg-theme-hover transition-colors"
-            >
-              <LogOut className="w-3.5 h-3.5" />
-              Logout
-            </button>
           )}
         </div>
       )}

package/src/components/home/mcpToolCatalog.ts

@@ -52,7 +52,7 @@ export const MCP_TOOL_CATALOG: MCPToolInfo[] = [
   },
   {
     name: 'get_resource',
-    desc: 'A single resource: minified spec/status/metadata plus resourceContext (relationships, refs, issue/audit/policy rollups). Optionally include heavier event/metrics sidecars.',
+    desc: 'A single resource: minified spec/status/metadata plus resourceContext (relationships, refs, issue/audit/policy rollups). Optionally include heavier event/metrics data.',
     params: [
       { arg: 'kind', required: true, desc: 'resource kind, e.g. pod, deployment, service' },
       { arg: 'name', required: true, desc: 'resource name' },
@@ -109,10 +109,10 @@ export const MCP_TOOL_CATALOG: MCPToolInfo[] = [
   },
   {
     name: 'diagnose',
-    desc: 'One-call workload root-cause bundle: spec + resourceContext + current AND previous logs across all pods + warning events + startup-blocker analysis. For Pod/Deployment/StatefulSet/DaemonSet.',
+    desc: 'One-call root-cause bundle. Workloads get spec + resourceContext + current AND previous logs across pods + warning events + startup blockers; GitOps reconcilers get status summary + parsed related issues.',
     params: [
-      { arg: 'kind', required: true, desc: 'pod, deployment, statefulset, or daemonset' },
-      { arg: 'namespace', required: true, desc: 'workload namespace' },
+      { arg: 'kind', required: true, desc: 'pod, deployment, statefulset, daemonset, application, kustomization, or helmrelease' },
+      { arg: 'namespace', required: true, desc: 'resource namespace' },
       { arg: 'name', required: true, desc: 'resource name' },
       { arg: 'container', desc: 'specific container (defaults to all)' },
       { arg: 'tail_lines', desc: 'lines per pod/stream (default 100)' },
@@ -163,10 +163,10 @@ export const MCP_TOOL_CATALOG: MCPToolInfo[] = [
   },
   {
     name: 'list_packages',
-    desc: 'Unified "what\'s installed" view across Helm releases, workload labels, CRD registrations, and GitOps declarations (Argo + Flux), with sources, versions, and health.',
+    desc: 'Unified "what\'s installed" view across Helm releases, workload labels, CRD registrations, and GitOps declarations (Argo + Flux), with sources, versions, health, and a sourceLegend for the stable source codes.',
     params: [
       { arg: 'namespace', desc: 'filter to a specific namespace' },
-      { arg: 'source', desc: 'H (Helm), L (labels), C (CRDs), A (Argo), F (Flux)' },
+      { arg: 'source', desc: 'H/helm, L/labels, C/crds, A/argocd, F/fluxcd' },
       { arg: 'chart', desc: 'case-insensitive chart-name substring' },
     ],
   },

package/src/components/logs/LogsViewer.tsx

@@ -10,9 +10,11 @@ interface LogsViewerProps {
   podName: string
   containers: string[]
   initialContainer?: string
+  /** Start streaming on mount. Default true — callers pass false for terminal (completed/failed) pods. */
+  autoStream?: boolean
 }
 
-export function LogsViewer({ namespace, podName, containers, initialContainer }: LogsViewerProps) {
+export function LogsViewer({ namespace, podName, containers, initialContainer, autoStream = true }: LogsViewerProps) {
   const desktopDownload = useDesktopDownload()
   const { theme } = useTheme()
 
@@ -42,6 +44,7 @@ export function LogsViewer({ namespace, podName, containers, initialContainer }:
       createStream={makeStream}
       overrideDownload={desktopDownload}
       forceDark={theme === 'dark' ? true : undefined}
+      autoStream={autoStream}
     />
   )
 }

package/src/components/logs/WorkloadLogsViewer.tsx

@@ -9,9 +9,11 @@ interface WorkloadLogsViewerProps {
   kind: string
   namespace: string
   name: string
+  /** Start streaming on mount. Default true — workload logs are aggregated from live pods. */
+  autoStream?: boolean
 }
 
-export function WorkloadLogsViewer({ kind, namespace, name }: WorkloadLogsViewerProps) {
+export function WorkloadLogsViewer({ kind, namespace, name, autoStream = true }: WorkloadLogsViewerProps) {
   const desktopDownload = useDesktopDownload()
   const { theme } = useTheme()
 
@@ -38,6 +40,7 @@ export function WorkloadLogsViewer({ kind, namespace, name }: WorkloadLogsViewer
       createStream={makeStream}
       overrideDownload={desktopDownload}
       forceDark={theme === 'dark' ? true : undefined}
+      autoStream={autoStream}
     />
   )
 }

package/src/components/resources/ResourcesView.tsx

@@ -1,7 +1,7 @@
 import { useState, useMemo, useCallback, useEffect } from 'react'
 import { useLocation, useNavigate } from 'react-router-dom'
 import { useQuery } from '@tanstack/react-query'
-import { ApiError, debugNamespaceLog, fetchJSON, isForbiddenError, useSecretCertExpiry, useTopPodMetrics, useTopNodeMetrics } from '../../api/client'
+import { ApiError, debugNamespaceLog, fetchJSON, isForbiddenError, useSecretCertExpiry, useTopPodMetrics, useTopNodeMetrics, useBulkDeleteResources } from '../../api/client'
 import { apiUrl, getAuthHeaders, getCredentialsMode, getBasename } from '../../api/config'
 import { useAPIResources } from '../../api/apiResources'
 import { initNavigationMap } from '@skyhook-io/k8s-ui'
@@ -146,6 +146,9 @@ export function ResourcesView({ namespaces, selectedResource, onResourceClick, o
   const openLogs = useOpenLogs()
   const openWorkloadLogs = useOpenWorkloadLogs()
 
+  // Bulk delete
+  const bulkDeleteMutation = useBulkDeleteResources()
+
   // Navigation adapter. k8s-ui constructs paths from `basePath` (which
   // includes the router basename so they line up with window.location.pathname
   // for path-equality checks) and from `window.location.pathname` directly.
@@ -224,6 +227,9 @@ export function ResourcesView({ namespaces, selectedResource, onResourceClick, o
       onOpenWorkloadLogs={openWorkloadLogs}
       // Create resource
       onCreateResource={handleCreateResource}
+      // Bulk operations
+      onBulkDelete={(items, options) => bulkDeleteMutation.mutate({ items, force: options?.force }, { onSuccess: options?.onSuccess })}
+      isBulkDeleting={bulkDeleteMutation.isPending}
     />
     <CreateResourceDialog
       open={createDialogOpen}

package/src/components/workload/WorkloadView.tsx

@@ -705,6 +705,12 @@ function PodLogsTab({ namespace, name, resource, initialContainer, onConsumeInit
     return names
   }, [resource])
 
+  // A terminated pod has nothing to follow — only stream live ones. Wait for
+  // the phase to be known so a completed pod isn't briefly streamed while the
+  // resource is still loading.
+  const phase = resource?.status?.phase
+  const autoStream = !!phase && phase !== 'Succeeded' && phase !== 'Failed'
+
   useEffect(() => {
     if (initialContainer && containers.includes(initialContainer)) {
       onConsumeInitialContainer?.()
@@ -718,6 +724,7 @@ function PodLogsTab({ namespace, name, resource, initialContainer, onConsumeInit
         podName={name}
         containers={containers}
         initialContainer={initialContainer || undefined}
+        autoStream={autoStream}
       />
     </div>
   )
@@ -742,6 +749,13 @@ function MultiPodLogsTab({ pods, namespace, selectedPod, onSelectPod, initialCon
   const { data: logsData } = usePodLogs(podNamespace, selectedPod || '', { tailLines: 1 })
   const containers = logsData?.containers || []
 
+  // A terminated pod (common for Job/CronJob children) has nothing to follow —
+  // only stream live ones. Wait for the pod to load before deciding so we don't
+  // briefly auto-stream a completed pod while its phase is still unknown.
+  const { data: selectedPodResource } = useResource<any>('Pod', podNamespace, selectedPod || '')
+  const phase = selectedPodResource?.status?.phase
+  const autoStream = !!phase && phase !== 'Succeeded' && phase !== 'Failed'
+
   if (pods.length === 0) {
     return (
       <div className="flex flex-col items-center justify-center h-full text-theme-text-tertiary">
@@ -779,6 +793,7 @@ function MultiPodLogsTab({ pods, namespace, selectedPod, onSelectPod, initialCon
             podName={selectedPod}
             containers={containers}
             initialContainer={initialContainer || undefined}
+            autoStream={autoStream}
           />
         </div>
       )}

package/src/context/ConnectionContext.tsx

@@ -1,7 +1,8 @@
 import { createContext, useContext, useState, useCallback, useEffect, useRef, ReactNode } from 'react'
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
 import type { ContextInfo } from '../types'
-import { getApiBase, getAuthHeaders, getCredentialsMode } from '../api/config'
+import { getApiBase } from '../api/config'
+import { apiFetch } from '../api/client'
 
 export type ConnectionStateType = 'connected' | 'disconnected' | 'connecting'
 
@@ -29,10 +30,11 @@ interface ConnectionContextValue {
 const ConnectionContext = createContext<ConnectionContextValue | null>(null)
 
 async function fetchConnectionStatus(): Promise<ConnectionStatusResponse> {
-  const response = await fetch(`${getApiBase()}/connection`, {
-    credentials: getCredentialsMode(),
-    headers: getAuthHeaders(),
-  })
+  // apiFetch handles a 401 globally (re-auth redirect). These endpoints are
+  // no longer auth-exempt, so a session that expires while the connection-
+  // error screen is parked open must route through that path rather than
+  // surfacing as a misleading "cannot connect to cluster" error.
+  const response = await apiFetch(`${getApiBase()}/connection`)
   if (!response.ok) {
     throw new Error('Failed to fetch connection status')
   }
@@ -40,10 +42,8 @@ async function fetchConnectionStatus(): Promise<ConnectionStatusResponse> {
 }
 
 async function retryConnection(): Promise<ConnectionState> {
-  const response = await fetch(`${getApiBase()}/connection/retry`, {
+  const response = await apiFetch(`${getApiBase()}/connection/retry`, {
     method: 'POST',
-    credentials: getCredentialsMode(),
-    headers: getAuthHeaders(),
   })
   if (!response.ok) {
     const error = await response.json().catch(() => ({ error: 'Unknown error' }))