@skyhook-io/radar-app 1.3.5 → 1.4.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skyhook-io/radar-app",
-  "version": "1.3.5",
+  "version": "1.4.1",
   "description": "Radar's full web UI as a reusable React component. Used by Radar's own binary and by external consumers like Radar Cloud.",
   "repository": {
     "type": "git",

package/src/App.tsx

@@ -6,7 +6,7 @@ import { useQueryClient } from '@tanstack/react-query'
 import { useNavigate, useLocation, useSearchParams, useNavigationType, NavigationType } from 'react-router-dom'
 import { HomeView } from './components/home/HomeView'
 import { DebugOverlay } from './components/DebugOverlay'
-import { TopologyGraph, TopologySearch, TopologyFilterSidebar, TopologyControls, gitOpsRouteForKind } from '@skyhook-io/k8s-ui'
+import { TopologyGraph, TopologySearch, TopologyFilterSidebar, TopologyControls, gitOpsRouteForKind, gitOpsRouteForResource } from '@skyhook-io/k8s-ui'
 import { TimelineView } from './components/timeline/TimelineView'
 import { ResourcesView } from './components/resources/ResourcesView'
 import { serializeColumnFilters } from './components/resources/resource-utils'
@@ -19,6 +19,7 @@ import { CostView } from './components/cost/CostView'
 import { AuditView } from './components/audit/AuditView'
 import { IssuesPane } from './components/issues/IssuesPane'
 import { GitOpsView } from './components/gitops/GitOpsView'
+import { ApplicationsView } from './components/applications/ApplicationsView'
 import { HelmReleaseDrawer } from './components/helm/HelmReleaseDrawer'
 import { PortForwardProvider, PortForwardIndicator, PortForwardPanel } from './components/portforward/PortForwardManager'
 import { DockProvider, BottomDock, useDock, useDockReservedHeight, useOpenLocalTerminal } from './components/dock'
@@ -93,7 +94,7 @@ const FLEET_MODE_KINDS = new Set<NodeKind>([
 
 // Convert API resource name back to topology node ID prefix
 // Extended MainView type that includes traffic and cost
-type ExtendedMainView = MainView | 'traffic' | 'cost' | 'workload' | 'audit' | 'gitops' | 'compare' | 'issues'
+type ExtendedMainView = MainView | 'traffic' | 'cost' | 'workload' | 'audit' | 'gitops' | 'compare' | 'issues' | 'applications'
 
 // Extract view from URL path
 function getViewFromPath(pathname: string): ExtendedMainView {
@@ -108,6 +109,7 @@ function getViewFromPath(pathname: string): ExtendedMainView {
   if (path === 'workload') return 'workload'
   if (path === 'audit') return 'audit'
   if (path === 'gitops') return 'gitops'
+  if (path === 'applications') return 'applications'
   if (path === 'compare') return 'compare'
   if (path === 'issues') return 'issues'
   return 'home'
@@ -416,6 +418,23 @@ function AppInner() {
     navigate({ pathname: `/resources/${pluralKind}`, search: newParams.toString() })
   }, [searchParams, navigate])
 
+  // From the Issues queue: a GitOps reconciler subject (Argo Application / Flux
+  // Kustomization / HelmRelease) routes to its rich detail page (tree + insights
+  // + ops), not the generic resource drawer that's a dead-end for it. Member
+  // resources (Pods, Services, …) fall through to the standard resource view.
+  const navigateFromIssue = useCallback((resource: SelectedResource) => {
+    const gitOpsPath = gitOpsRouteForResource({
+      apiVersion: resource.group ? `${resource.group}/v1` : 'v1',
+      kind: resource.kind,
+      metadata: { namespace: resource.namespace ?? '', name: resource.name },
+    })
+    if (gitOpsPath) {
+      navigate(gitOpsPath)
+      return
+    }
+    navigateToResourceList(resource)
+  }, [navigate, navigateToResourceList])
+
   // Collapse from expanded WorkloadView back to drawer
   const handleCollapseFromExpanded = useCallback(() => {
     suppressViewClearRef.current = true
@@ -434,7 +453,7 @@ function AppInner() {
   const contextSwitcherRef = useRef<ContextSwitcherHandle>(null)
 
   // View switching keyboard shortcuts
-  const views: ExtendedMainView[] = ['home', 'topology', 'resources', 'timeline', 'helm', 'gitops', 'traffic', 'cost', 'audit']
+  const views: ExtendedMainView[] = ['home', 'topology', 'resources', 'timeline', 'helm', 'gitops', 'applications', 'traffic', 'cost', 'audit']
   useRegisterShortcuts([
     ...views.map((view, i) => ({
       id: `view-${view}`,
@@ -1190,6 +1209,10 @@ function AppInner() {
             { view: 'timeline' as const, icon: Clock, label: 'Timeline' },
             { view: 'helm' as const, icon: Package, label: 'Helm' },
             { view: 'gitops' as const, icon: GitBranch, label: 'GitOps' },
+            // Applications is intentionally hidden from the pill bar for now —
+            // the bar is full, and the view's primary home is Cloud's fleet
+            // rail. The view still exists and is reachable via /applications
+            // and the view-switching shortcuts. Same treatment as Cost below.
             { view: 'traffic' as const, icon: Activity, label: 'Traffic' },
             // Cost is intentionally hidden from the pill bar for now — the view still
             // exists and is reachable via /cost, the Home dashboard card, and the
@@ -1637,6 +1660,16 @@ function AppInner() {
           />
         )}
 
+        {/* Applications view — deployable software grouped by app/release evidence */}
+        {mainView === 'applications' && (
+          <ApplicationsView
+            namespaces={namespaces}
+            onOpenResource={(resource) => {
+              setSelectedResource(resource)
+            }}
+          />
+        )}
+
         {/* Traffic view */}
         {mainView === 'traffic' && (
           <TrafficView namespaces={namespaces} />
@@ -1667,12 +1700,13 @@ function AppInner() {
 
         {/* Issues — per-cluster live triage queue (hidden route: not yet in the
             nav `views` list; reachable at /issues). Same shared <IssuesView> the
-            Hub fleet uses; resource clicks open the standard resource drawer. */}
+            Hub fleet uses; a GitOps reconciler subject routes to its detail page,
+            other resources open the standard resource view. */}
         {mainView === 'issues' && (
           <IssuesPane
             namespaces={namespaces}
             onBack={() => setMainView('home')}
-            onNavigateToResource={navigateToResourceList}
+            onNavigateToResource={navigateFromIssue}
           />
         )}
 

package/src/api/client.ts

@@ -1,4 +1,5 @@
 import { useEffect, useRef } from 'react'
+import type { AppRow } from '@skyhook-io/k8s-ui'
 import { useQuery, useMutation, useQueryClient, skipToken } from '@tanstack/react-query'
 import { showApiError, showApiSuccess } from '../components/ui/Toast'
 import { useCanHelmWrite } from '../contexts/CapabilitiesContext'
@@ -35,7 +36,7 @@ import { pluralToKind } from '../utils/navigation'
 // and handles 401 responses globally. Merges caller-provided headers with
 // auth headers from the config module so library consumers (Radar Hub) can
 // inject Authorization bearer tokens without each call site knowing.
-function apiFetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response> {
+export function apiFetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response> {
   const headers = new Headers(init?.headers)
   for (const [k, v] of Object.entries(getAuthHeaders())) {
     if (!headers.has(k)) headers.set(k, v)
@@ -237,7 +238,7 @@ export interface DashboardCRDCount {
 }
 
 // Re-export shared types from k8s-ui — single source of truth
-import type { AuditCardData, AuditFinding, ResourceGroup, CheckMeta, Check, Issue } from '@skyhook-io/k8s-ui'
+import type { AuditCardData, AuditFinding, ResourceGroup, CheckMeta, Check, Issue, IssueRecentChange } from '@skyhook-io/k8s-ui'
 export type DashboardAudit = AuditCardData
 export type { AuditFinding, ResourceGroup, CheckMeta, Check }
 
@@ -349,6 +350,8 @@ export interface IssuesResponse {
   issues: Issue[]
   total?: number
   total_matched?: number
+  recent_changes?: IssueRecentChange[]
+  recent_changes_reason?: string
   // Present only when RBAC visibility is incomplete (absent = full access).
   // state 'degraded' means core workload reads are denied, so an empty list may
   // mean "can't see" rather than "nothing broken" — the UI must say so.
@@ -738,6 +741,10 @@ export interface AuthMe {
   /** Pre-computed Cloud tier from `cloud:<tier>` group prefix.
    *  Absent when not running under Cloud (OSS, OIDC, no role group). */
   cloudRole?: CloudRole
+  /** Proxy mode only: whether an upstream sign-out URL is configured.
+   *  When false, logout clears Radar's cookie but the proxy may re-auth
+   *  the same user on the next request. */
+  proxyLogoutConfigured?: boolean
 }
 
 export function useAuthMe() {
@@ -847,6 +854,19 @@ export function useTopology(namespaces: string[], viewMode: string = 'resources'
   })
 }
 
+export function useApplications(namespaces: string[]) {
+  const params = new URLSearchParams()
+  if (namespaces.length > 0) params.set('namespaces', namespaces.join(','))
+  const queryString = params.toString()
+
+  return useQuery<{ applications: AppRow[] }>({
+    queryKey: ['applications', namespaces],
+    queryFn: () => fetchJSON(`/applications${queryString ? `?${queryString}` : ''}`),
+    staleTime: 30_000,
+    refetchInterval: 60_000,
+  })
+}
+
 export function useGitOpsTree(kind: string, namespace: string, name: string, group?: string, namespaces: string[] = []) {
   const ns = namespace || '_'
   const params = new URLSearchParams()
@@ -1695,8 +1715,11 @@ export function useDeleteResource() {
   const queryClient = useQueryClient()
 
   return useMutation({
-    mutationFn: async ({ kind, namespace, name, force }: { kind: string; namespace: string; name: string; force?: boolean }) => {
+    mutationFn: async ({ kind, group, namespace, name, force }: { kind: string; group?: string; namespace: string; name: string; force?: boolean }) => {
       const url = new URL(`${getApiBase()}/resources/${kind}/${namespace}/${name}`, window.location.origin)
+      if (group) {
+        url.searchParams.set('group', group)
+      }
       if (force) {
         url.searchParams.set('force', 'true')
       }
@@ -1721,6 +1744,44 @@ export function useDeleteResource() {
   })
 }
 
+export function useBulkDeleteResources() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async ({ items, force }: { items: Array<{ kind: string; group?: string; namespace: string; name: string }>; force?: boolean }) => {
+      const results = await Promise.allSettled(
+        items.map(async ({ kind, group, namespace, name }) => {
+          const url = new URL(`${getApiBase()}/resources/${kind}/${namespace}/${name}`, window.location.origin)
+          if (group) url.searchParams.set('group', group)
+          if (force) url.searchParams.set('force', 'true')
+          const response = await apiFetch(url.toString(), { method: 'DELETE' })
+          if (!response.ok) {
+            const error = await response.json().catch(() => ({ error: 'Unknown error' }))
+            throw new Error(error.error || `Failed to delete ${namespace}/${name}`)
+          }
+          return { kind, namespace, name }
+        })
+      )
+      const failed = results.filter(r => r.status === 'rejected')
+      if (failed.length > 0) {
+        throw new Error(`Failed to delete ${failed.length} of ${items.length} resources`)
+      }
+      return { deleted: items.length }
+    },
+    meta: {
+      errorMessage: 'Failed to delete some resources',
+      successMessage: 'Resources deleted',
+    },
+    // onSettled, not onSuccess — a partial failure still deleted some
+    // resources, and the table must refetch to drop them.
+    onSettled: () => {
+      queryClient.invalidateQueries({ queryKey: ['resources'] })
+      queryClient.invalidateQueries({ queryKey: ['resource-counts'] })
+      queryClient.invalidateQueries({ queryKey: ['topology'] })
+    },
+  })
+}
+
 // Apply (create or update) a resource from YAML
 export interface ApplyResourceResult {
   name: string

package/src/components/ConnectionErrorView.tsx

@@ -4,6 +4,7 @@ import type { ConnectionState } from '../context/ConnectionContext'
 import { ContextSwitcher } from './ContextSwitcher'
 import { parseContextName } from '../utils/context-name'
 import { useOpenLocalTerminal, ClusterName } from '@skyhook-io/k8s-ui'
+import { useAuthMe } from '../api/client'
 
 interface ConnectionErrorViewProps {
   connection: ConnectionState
@@ -165,14 +166,22 @@ export function ConnectionErrorView({ connection, onRetry, isRetrying }: Connect
   const authInfo = isAuth ? getAuthHints(connection.context || '') : null
   const errorInfo = authInfo || errorHints[connection.errorType || 'unknown'] || errorHints.unknown
   const openLocalTerminal = useOpenLocalTerminal()
+  const { data: authMe } = useAuthMe()
 
-  // Build a command that auto-retries connection after successful auth
+  // Auto-retry after successful auth. The terminal shell runs on the server
+  // host, so the auth command itself fixes the server's credentials in every
+  // mode — but the chained retry curl carries no session cookie, so it 401s
+  // once /api/connection is auth-gated. Only chain it when auth is *known*
+  // disabled (authMe still loading → don't chain a doomed call).
   const retryCmd = `curl -s -X POST http://${window.location.host}/api/connection/retry > /dev/null`
 
   const handleAuthInTerminal = () => {
     if (!authInfo?.authCommand) return
+    const cmd = authMe?.authEnabled === false
+      ? `${authInfo.authCommand.command} && ${retryCmd}`
+      : authInfo.authCommand.command
     openLocalTerminal({
-      initialCommand: `${authInfo.authCommand.command} && ${retryCmd}`,
+      initialCommand: cmd,
       title: 'Auth',
     })
   }

package/src/components/UserMenu.tsx

@@ -67,18 +67,17 @@ export function UserMenu() {
               </p>
             )}
           </div>
-          {authMe.authMode === 'proxy' ? (
-            <p className="px-3 py-1.5 text-[11px] text-theme-text-tertiary">
-              Session managed by auth proxy
+          <button
+            onClick={handleLogout}
+            className="w-full flex items-center gap-2 px-3 py-1.5 text-sm text-theme-text-secondary hover:bg-theme-hover transition-colors"
+          >
+            <LogOut className="w-3.5 h-3.5" />
+            Logout
+          </button>
+          {authMe.authMode === 'proxy' && !authMe.proxyLogoutConfigured && (
+            <p className="px-3 py-1.5 text-[11px] text-theme-text-tertiary border-t border-theme-border">
+              Logout clears the Radar session. The auth proxy may sign you back in automatically.
             </p>
-          ) : (
-            <button
-              onClick={handleLogout}
-              className="w-full flex items-center gap-2 px-3 py-1.5 text-sm text-theme-text-secondary hover:bg-theme-hover transition-colors"
-            >
-              <LogOut className="w-3.5 h-3.5" />
-              Logout
-            </button>
           )}
         </div>
       )}

package/src/components/applications/ApplicationsView.tsx

@@ -0,0 +1,218 @@
+import { useCallback, useEffect, useMemo } from 'react'
+import { useSearchParams } from 'react-router-dom'
+import {
+  ApplicationsList,
+  ApplicationDetail,
+  CenteredEmpty,
+  useToast,
+  orderEnvs,
+  matchWorkloadAcrossInstances,
+  workloadKey,
+  healthOf,
+  compareVersions,
+  type AppRow,
+  type AppIdentityInstance,
+  type SelectedAppWorkload,
+  type SelectedResource,
+} from '@skyhook-io/k8s-ui'
+import { Boxes } from 'lucide-react'
+import { useApplications, useTopology } from '../../api/client'
+import { kindToPlural } from '../../utils/navigation'
+import { WorkloadView } from '../workload/WorkloadView'
+
+interface ApplicationsViewProps {
+  namespaces: string[]
+  onOpenResource: (resource: SelectedResource) => void
+}
+
+export function ApplicationsView({ namespaces, onOpenResource }: ApplicationsViewProps) {
+  const query = useApplications(namespaces)
+  const apps = query.data?.applications ?? []
+
+  // Which app is open lives in the URL (?app=<key>) so the detail view is
+  // deep-linkable and the browser back button returns to the list. Opening or
+  // closing an app also clears the per-app params (workload, tab).
+  const [searchParams, setSearchParams] = useSearchParams()
+  const selectedKey = searchParams.get('app')
+  const selected = useMemo(() => apps.find((a) => a.key === selectedKey) ?? null, [apps, selectedKey])
+
+  const selectApp = useCallback(
+    (key: string | null) => {
+      const params = new URLSearchParams(searchParams)
+      if (key) params.set('app', key)
+      else params.delete('app')
+      params.delete('workload')
+      params.delete('tab')
+      setSearchParams(params)
+    },
+    [searchParams, setSearchParams],
+  )
+
+  // A stale ?app= (uninstalled/renamed app, or a link from another cluster)
+  // would leave the URL lying under the list view — clear it once data is
+  // fresh. Never during load, so a slow fetch can't eject a valid deep link.
+  useEffect(() => {
+    if (selectedKey && !selected && query.isSuccess) {
+      const params = new URLSearchParams(searchParams)
+      params.delete('app')
+      params.delete('workload')
+      params.delete('tab')
+      setSearchParams(params, { replace: true })
+    }
+  }, [selectedKey, selected, query.isSuccess, searchParams, setSearchParams])
+
+  if (selectedKey && selected) {
+    return <AppDetailRoute app={selected} apps={apps} onBack={() => selectApp(null)} onOpenResource={onOpenResource} />
+  }
+
+  return (
+    <div className="flex-1 overflow-auto px-4 py-4 sm:px-6">
+      <header className="mb-4 flex flex-col gap-1">
+        <h1 className="text-xl font-semibold text-theme-text-primary">Applications</h1>
+        <p className="max-w-3xl text-sm text-theme-text-secondary">Deployable software in this cluster — your services, workers, and jobs, grouped by app/release evidence.</p>
+      </header>
+
+      {query.isLoading ? (
+        <CenteredEmpty icon={Boxes} headline="Loading applications…" />
+      ) : query.error ? (
+        <CenteredEmpty tone="filtered" icon={Boxes} headline="Failed to load applications" body={(query.error as Error).message} />
+      ) : apps.length === 0 ? (
+        <CenteredEmpty
+          icon={Boxes}
+          headline="No applications detected yet"
+          body="Deploy services, workers, or jobs to this cluster to see them grouped by app."
+        />
+      ) : (
+        <ApplicationsList apps={apps} onSelect={selectApp} />
+      )}
+    </div>
+  )
+}
+
+// AppDetailRoute wires the OSS data hooks the shared ApplicationDetail can't:
+// the resources-view topology over the app's namespaces (for the app graph)
+// and the per-workload WorkloadView (which fetches its own topology for the
+// Topology tab). Split out so useTopology runs unconditionally (Rules of Hooks).
+function AppDetailRoute({ app, apps, onBack, onOpenResource }: { app: AppRow; apps: AppRow[]; onBack: () => void; onOpenResource: (resource: SelectedResource) => void }) {
+  const appNamespaces = useMemo(
+    () => Array.from(new Set((app.workloads ?? []).map((w) => w.namespace).filter(Boolean))).sort(),
+    [app.workloads],
+  )
+  const { data: topology, isLoading: topologyLoading } = useTopology(appNamespaces, 'resources', { enabled: appNamespaces.length > 0 })
+
+  // The selected workload (?workload=<key>) lives in the URL too: deep-linkable,
+  // and back returns from a workload's runtime to the app graph. Clearing it
+  // also drops the workload's tab param.
+  const [searchParams, setSearchParams] = useSearchParams()
+  const selectedWorkloadKey = searchParams.get('workload')
+  const selectWorkload = useCallback(
+    (key: string | null) => {
+      const params = new URLSearchParams(searchParams)
+      // Always drop the workload's tab: a fresh workload opens on its overview,
+      // and clearing back to the graph leaves no stale tab on the route.
+      params.delete('tab')
+      if (key) params.set('workload', key)
+      else params.delete('workload')
+      setSearchParams(params)
+    },
+    [searchParams, setSearchParams],
+  )
+
+  // App identity switcher data: this instance's siblings (ladder-ordered
+  // digests). It switches between REAL instances — ?app= changes, deep links
+  // stay instance-keyed.
+  const { showToast } = useToast();
+  const identityInstances = useMemo<AppIdentityInstance[] | null>(() => {
+    const fam = app.identity;
+    if (!fam) return null;
+    const sibs = apps.filter((a) => a.identity?.key === fam.key);
+    if (sibs.length < 2) return null;
+    const newest = (a: AppRow) =>
+      (a.versions ?? []).reduce<string | undefined>((best, v) => (!best || compareVersions(v, best) === 1 ? v : best), undefined) ?? a.appVersion;
+    const order = orderEnvs(sibs.map((a) => a.identity!.env));
+    return [...sibs]
+      .sort((a, b) => order.indexOf(a.identity!.env) - order.indexOf(b.identity!.env) || a.name.localeCompare(b.name))
+      .map((a) => ({
+        appKey: a.key,
+        name: a.name,
+        env: a.identity!.env,
+        health: healthOf(a.health),
+        version: newest(a),
+        confidence: a.identity!.confidence,
+        evidence: a.identity!.evidence,
+      }));
+  }, [apps, app]);
+
+  // Position-preserving env switch: carry the selected workload + tab into the
+  // sibling when a matching workload exists there (exact kind+name, else the
+  // env-affix-stripped stem); otherwise land on the instance overview and say
+  // the workload wasn't found.
+  const switchInstance = useCallback(
+    (targetKey: string) => {
+      const target = apps.find((a) => a.key === targetKey);
+      const params = new URLSearchParams(searchParams);
+      params.set('app', targetKey);
+      const wk = params.get('workload');
+      let matched = false;
+      if (wk && target) {
+        // Stem matching strips this app group's own env tokens too, so
+        // discovered envs (loadtest, …) carry position like the trio does.
+        const identityEnvs = new Set((identityInstances ?? []).map((i) => i.env));
+        const m = matchWorkloadAcrossInstances(wk, target.workloads, identityEnvs);
+        if (m) {
+          params.set('workload', workloadKey(m));
+          matched = true;
+        }
+      }
+      if (!matched && wk) {
+        // A workload WAS selected but has no counterpart — land on the target
+        // instance's overview and say so. (With no workload selected the tab
+        // rides along: it applies to the lone workload either side.)
+        params.delete('workload');
+        params.delete('tab');
+        if (target) {
+          showToast(`No matching workload in ${target.identity?.env ?? target.name}`, { detail: 'Showing the instance overview instead.', type: 'info' });
+        }
+      }
+      setSearchParams(params);
+    },
+    [apps, identityInstances, searchParams, setSearchParams, showToast],
+  );
+
+  const discoveredEnvs = useMemo(
+    () => new Set(apps.map((a) => a.identity?.env).filter((e): e is string => !!e)),
+    [apps],
+  );
+
+  return (
+    <div className="flex-1 overflow-auto">
+      <ApplicationDetail
+        app={app}
+        onBack={onBack}
+        topology={topology}
+        topologyLoading={topologyLoading}
+        identityInstances={identityInstances}
+        onSwitchInstance={switchInstance}
+        discoveredEnvs={discoveredEnvs}
+        onNavigateToResource={onOpenResource}
+        selectedWorkloadKey={selectedWorkloadKey}
+        onSelectWorkload={selectWorkload}
+        renderWorkload={(workload: SelectedAppWorkload) => (
+          <div className="h-full overflow-hidden">
+            <WorkloadView
+              kind={kindToPlural(workload.kind)}
+              namespace={workload.namespace}
+              name={workload.name}
+              onBack={() => selectWorkload(null)}
+              // "Back" returns to the app graph — meaningless for a
+              // single-workload app, which has no graph to return to.
+              hideBackButton={(app.workloads?.length ?? 0) <= 1}
+              compactHeader
+              onNavigateToResource={onOpenResource}
+            />
+          </div>
+        )}
+      />
+    </div>
+  )
+}

package/src/components/home/mcpToolCatalog.ts

@@ -52,7 +52,7 @@ export const MCP_TOOL_CATALOG: MCPToolInfo[] = [
   },
   {
     name: 'get_resource',
-    desc: 'A single resource: minified spec/status/metadata plus resourceContext (relationships, refs, issue/audit/policy rollups). Optionally include heavier event/metrics sidecars.',
+    desc: 'A single resource: minified spec/status/metadata plus resourceContext (relationships, refs, issue/audit/policy rollups). Optionally include heavier event/metrics data.',
     params: [
       { arg: 'kind', required: true, desc: 'resource kind, e.g. pod, deployment, service' },
       { arg: 'name', required: true, desc: 'resource name' },
@@ -109,10 +109,10 @@ export const MCP_TOOL_CATALOG: MCPToolInfo[] = [
   },
   {
     name: 'diagnose',
-    desc: 'One-call workload root-cause bundle: spec + resourceContext + current AND previous logs across all pods + warning events + startup-blocker analysis. For Pod/Deployment/StatefulSet/DaemonSet.',
+    desc: 'One-call root-cause bundle. Workloads get spec + resourceContext + current AND previous logs across pods + warning events + startup blockers; GitOps reconcilers get status summary + parsed related issues.',
     params: [
-      { arg: 'kind', required: true, desc: 'pod, deployment, statefulset, or daemonset' },
-      { arg: 'namespace', required: true, desc: 'workload namespace' },
+      { arg: 'kind', required: true, desc: 'pod, deployment, statefulset, daemonset, application, kustomization, or helmrelease' },
+      { arg: 'namespace', required: true, desc: 'resource namespace' },
       { arg: 'name', required: true, desc: 'resource name' },
       { arg: 'container', desc: 'specific container (defaults to all)' },
       { arg: 'tail_lines', desc: 'lines per pod/stream (default 100)' },
@@ -163,10 +163,10 @@ export const MCP_TOOL_CATALOG: MCPToolInfo[] = [
   },
   {
     name: 'list_packages',
-    desc: 'Unified "what\'s installed" view across Helm releases, workload labels, CRD registrations, and GitOps declarations (Argo + Flux), with sources, versions, and health.',
+    desc: 'Unified "what\'s installed" view across Helm releases, workload labels, CRD registrations, and GitOps declarations (Argo + Flux), with sources, versions, health, and a sourceLegend for the stable source codes.',
     params: [
       { arg: 'namespace', desc: 'filter to a specific namespace' },
-      { arg: 'source', desc: 'H (Helm), L (labels), C (CRDs), A (Argo), F (Flux)' },
+      { arg: 'source', desc: 'H/helm, L/labels, C/crds, A/argocd, F/fluxcd' },
       { arg: 'chart', desc: 'case-insensitive chart-name substring' },
     ],
   },

package/src/components/logs/LogsViewer.tsx

@@ -10,9 +10,11 @@ interface LogsViewerProps {
   podName: string
   containers: string[]
   initialContainer?: string
+  /** Start streaming on mount. Default true — callers pass false for terminal (completed/failed) pods. */
+  autoStream?: boolean
 }
 
-export function LogsViewer({ namespace, podName, containers, initialContainer }: LogsViewerProps) {
+export function LogsViewer({ namespace, podName, containers, initialContainer, autoStream = true }: LogsViewerProps) {
   const desktopDownload = useDesktopDownload()
   const { theme } = useTheme()
 
@@ -42,6 +44,7 @@ export function LogsViewer({ namespace, podName, containers, initialContainer }:
       createStream={makeStream}
       overrideDownload={desktopDownload}
       forceDark={theme === 'dark' ? true : undefined}
+      autoStream={autoStream}
     />
   )
 }

package/src/components/logs/WorkloadLogsViewer.tsx

@@ -9,9 +9,11 @@ interface WorkloadLogsViewerProps {
   kind: string
   namespace: string
   name: string
+  /** Start streaming on mount. Default true — workload logs are aggregated from live pods. */
+  autoStream?: boolean
 }
 
-export function WorkloadLogsViewer({ kind, namespace, name }: WorkloadLogsViewerProps) {
+export function WorkloadLogsViewer({ kind, namespace, name, autoStream = true }: WorkloadLogsViewerProps) {
   const desktopDownload = useDesktopDownload()
   const { theme } = useTheme()
 
@@ -38,6 +40,7 @@ export function WorkloadLogsViewer({ kind, namespace, name }: WorkloadLogsViewer
       createStream={makeStream}
       overrideDownload={desktopDownload}
       forceDark={theme === 'dark' ? true : undefined}
+      autoStream={autoStream}
     />
   )
 }

package/src/components/resources/ResourcesView.tsx

@@ -1,7 +1,7 @@
 import { useState, useMemo, useCallback, useEffect } from 'react'
 import { useLocation, useNavigate } from 'react-router-dom'
 import { useQuery } from '@tanstack/react-query'
-import { ApiError, debugNamespaceLog, fetchJSON, isForbiddenError, useSecretCertExpiry, useTopPodMetrics, useTopNodeMetrics } from '../../api/client'
+import { ApiError, debugNamespaceLog, fetchJSON, isForbiddenError, useSecretCertExpiry, useTopPodMetrics, useTopNodeMetrics, useBulkDeleteResources } from '../../api/client'
 import { apiUrl, getAuthHeaders, getCredentialsMode, getBasename } from '../../api/config'
 import { useAPIResources } from '../../api/apiResources'
 import { initNavigationMap } from '@skyhook-io/k8s-ui'
@@ -146,6 +146,9 @@ export function ResourcesView({ namespaces, selectedResource, onResourceClick, o
   const openLogs = useOpenLogs()
   const openWorkloadLogs = useOpenWorkloadLogs()
 
+  // Bulk delete
+  const bulkDeleteMutation = useBulkDeleteResources()
+
   // Navigation adapter. k8s-ui constructs paths from `basePath` (which
   // includes the router basename so they line up with window.location.pathname
   // for path-equality checks) and from `window.location.pathname` directly.
@@ -224,6 +227,9 @@ export function ResourcesView({ namespaces, selectedResource, onResourceClick, o
       onOpenWorkloadLogs={openWorkloadLogs}
       // Create resource
       onCreateResource={handleCreateResource}
+      // Bulk operations
+      onBulkDelete={(items, options) => bulkDeleteMutation.mutate({ items, force: options?.force }, { onSuccess: options?.onSuccess })}
+      isBulkDeleting={bulkDeleteMutation.isPending}
     />
     <CreateResourceDialog
       open={createDialogOpen}

package/src/components/workload/WorkloadView.tsx

@@ -5,6 +5,9 @@ import { clsx } from 'clsx'
 import { Terminal } from 'lucide-react'
 import {
   WorkloadView as BaseWorkloadView,
+  EditableYamlView,
+  FetchResult,
+  type WorkloadTabType,
   type RendererOverrides,
   type GitOpsOwnerRef,
   type GitOpsStatus,
@@ -57,7 +60,7 @@ import { useDesktopDownload } from '../../hooks/useDesktopDownload'
 import { useCompareLauncher } from '../compare/useCompareLauncher'
 import { apiVersionToGroup } from '../../utils/navigation'
 
-type TabType = 'overview' | 'timeline' | 'logs' | 'metrics' | 'yaml'
+type TabType = WorkloadTabType
 
 // Stable reference — web renderer wrappers inject platform hooks internally
 const rendererOverrides: RendererOverrides = {
@@ -136,6 +139,8 @@ interface WorkloadViewProps {
   namespace: string
   name: string
   onBack: () => void
+  hideBackButton?: boolean
+  compactHeader?: boolean
   onNavigateToResource?: NavigateToResource
   onCollapseToDrawer?: () => void
   expanded?: boolean
@@ -496,6 +501,7 @@ export function WorkloadView({
       onTabChange={handleTabChange}
       // Render props
       renderLogsTab={(props) => <LogsTabContent {...props} />}
+      renderRelatedYaml={(ref) => <RelatedResourceYaml key={`${ref.kind}/${ref.namespace}/${ref.name}`} target={ref} />}
       renderMetricsTab={({ kind, namespace: ns, name: n }) => (
         <MetricsTabContent kind={kind} namespace={ns} name={n} resource={resource} expanded={expanded} />
       )}
@@ -705,6 +711,12 @@ function PodLogsTab({ namespace, name, resource, initialContainer, onConsumeInit
     return names
   }, [resource])
 
+  // A terminated pod has nothing to follow — only stream live ones. Wait for
+  // the phase to be known so a completed pod isn't briefly streamed while the
+  // resource is still loading.
+  const phase = resource?.status?.phase
+  const autoStream = !!phase && phase !== 'Succeeded' && phase !== 'Failed'
+
   useEffect(() => {
     if (initialContainer && containers.includes(initialContainer)) {
       onConsumeInitialContainer?.()
@@ -718,6 +730,7 @@ function PodLogsTab({ namespace, name, resource, initialContainer, onConsumeInit
         podName={name}
         containers={containers}
         initialContainer={initialContainer || undefined}
+        autoStream={autoStream}
       />
     </div>
   )
@@ -742,6 +755,13 @@ function MultiPodLogsTab({ pods, namespace, selectedPod, onSelectPod, initialCon
   const { data: logsData } = usePodLogs(podNamespace, selectedPod || '', { tailLines: 1 })
   const containers = logsData?.containers || []
 
+  // A terminated pod (common for Job/CronJob children) has nothing to follow —
+  // only stream live ones. Wait for the pod to load before deciding so we don't
+  // briefly auto-stream a completed pod while its phase is still unknown.
+  const { data: selectedPodResource } = useResource<any>('Pod', podNamespace, selectedPod || '')
+  const phase = selectedPodResource?.status?.phase
+  const autoStream = !!phase && phase !== 'Succeeded' && phase !== 'Failed'
+
   if (pods.length === 0) {
     return (
       <div className="flex flex-col items-center justify-center h-full text-theme-text-tertiary">
@@ -779,6 +799,7 @@ function MultiPodLogsTab({ pods, namespace, selectedPod, onSelectPod, initialCon
             podName={selectedPod}
             containers={containers}
             initialContainer={initialContainer || undefined}
+            autoStream={autoStream}
           />
         </div>
       )}
@@ -949,3 +970,26 @@ const FLUX_SOURCE_KIND_BY_LOWER = new Map<string, string>([
   ['ocirepository', 'OCIRepository'],
   ['bucket', 'Bucket'],
 ])
+
+// Read-only manifest view for an object in the workload's neighborhood (the
+// YAML tab's object rail). Read-only by design — editing an arbitrary related
+// object belongs on that resource's own page.
+function RelatedResourceYaml({ target }: { target: { kind: string; namespace: string; name: string; group?: string } }) {
+  const { data, isLoading, error } = useResource<any>(kindToPlural(target.kind), target.namespace, target.name, target.group)
+  const [copied, setCopied] = useState(false)
+  const handleCopy = useCallback((text: string) => {
+    navigator.clipboard.writeText(text)
+    setCopied(true)
+    setTimeout(() => setCopied(false), 1500)
+  }, [])
+  if (!data) return <FetchResult loading={isLoading} error={error as Error | null} className="h-32" />
+  return (
+    <EditableYamlView
+      resource={{ kind: kindToPlural(target.kind), namespace: target.namespace, name: target.name, group: target.group }}
+      data={data}
+      onCopy={handleCopy}
+      copied={copied}
+      readOnly
+    />
+  )
+}

package/src/context/ConnectionContext.tsx

@@ -1,7 +1,8 @@
 import { createContext, useContext, useState, useCallback, useEffect, useRef, ReactNode } from 'react'
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
 import type { ContextInfo } from '../types'
-import { getApiBase, getAuthHeaders, getCredentialsMode } from '../api/config'
+import { getApiBase } from '../api/config'
+import { apiFetch } from '../api/client'
 
 export type ConnectionStateType = 'connected' | 'disconnected' | 'connecting'
 
@@ -29,10 +30,11 @@ interface ConnectionContextValue {
 const ConnectionContext = createContext<ConnectionContextValue | null>(null)
 
 async function fetchConnectionStatus(): Promise<ConnectionStatusResponse> {
-  const response = await fetch(`${getApiBase()}/connection`, {
-    credentials: getCredentialsMode(),
-    headers: getAuthHeaders(),
-  })
+  // apiFetch handles a 401 globally (re-auth redirect). These endpoints are
+  // no longer auth-exempt, so a session that expires while the connection-
+  // error screen is parked open must route through that path rather than
+  // surfacing as a misleading "cannot connect to cluster" error.
+  const response = await apiFetch(`${getApiBase()}/connection`)
   if (!response.ok) {
     throw new Error('Failed to fetch connection status')
   }
@@ -40,10 +42,8 @@ async function fetchConnectionStatus(): Promise<ConnectionStatusResponse> {
 }
 
 async function retryConnection(): Promise<ConnectionState> {
-  const response = await fetch(`${getApiBase()}/connection/retry`, {
+  const response = await apiFetch(`${getApiBase()}/connection/retry`, {
     method: 'POST',
-    credentials: getCredentialsMode(),
-    headers: getAuthHeaders(),
   })
   if (!response.ok) {
     const error = await response.json().catch(() => ({ error: 'Unknown error' }))