npm - @skyhook-io/radar-app - Versions diffs - 1.4.1 → 1.5.0 - Mend

@skyhook-io/radar-app 1.4.1 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json +7 -8
package/src/api/client.ts +120 -4
package/src/components/audit/AuditSettingsDialog.tsx +30 -11
package/src/components/audit/AuditView.tsx +8 -3
package/src/components/resources/ResourcesView.tsx +54 -3
package/src/components/settings/SettingsDialog.tsx +90 -29
package/src/contexts/CapabilitiesContext.tsx +16 -5

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@skyhook-io/radar-app",
-  "version": "1.4.1",
+  "version": "1.5.0",
   "description": "Radar's full web UI as a reusable React component. Used by Radar's own binary and by external consumers like Radar Cloud.",
   "repository": {
     "type": "git",
@@ -35,7 +35,7 @@
     "react-markdown": "^10.1.0",
     "react-virtuoso": "^4.18.7",
     "remark-gfm": "^4.0.1",
-    "shiki": "^4.0.1",
+    "shiki": "^4.2.0",
     "yaml": "^2.9.0"
   },
   "peerDependencies": {
@@ -53,12 +53,11 @@
   "devDependencies": {
     "@playwright/test": "^1.59.1",
     "@skyhook-io/k8s-ui": "*",
-    "@tailwindcss/typography": "^0.5.19",
+    "@tailwindcss/typography": "^0.5.20",
     "@tailwindcss/vite": "^4.3.0",
     "@tanstack/react-query": "^5.100.14",
-    "@types/diff": "^8.0.0",
     "@types/node": "^25.7.0",
-    "@types/react": "^19.2.14",
+    "@types/react": "^19.2.17",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^6.0.2",
     "@xyflow/react": "^12.10.2",
@@ -67,9 +66,9 @@
     "lucide-react": "^1.16.0",
     "postcss": "^8.5.14",
     "prettier": "^3.8.1",
-    "react": "^19.2.6",
-    "react-dom": "^19.2.6",
-    "react-router-dom": "^7.15.0",
+    "react": "^19.2.7",
+    "react-dom": "^19.2.7",
+    "react-router-dom": "^7.17.0",
     "tailwind-merge": "^3.6.0",
     "tailwindcss": "^4.2.4",
     "typescript": "^6.0.2",

package/src/api/client.ts CHANGED Viewed

@@ -717,11 +717,10 @@ export function useCapabilities() {
   })
 }
-// Namespace-scoped capabilities: lazy re-check for exec/logs/portForward when
-// global RBAC checks denied them. Users with namespace-scoped RoleBindings may
+// Namespace-scoped capabilities. Users with namespace-scoped RoleBindings may
 // have these permissions in specific namespaces.
-export function useNamespaceCapabilities(namespace: string | undefined, globalCaps: Capabilities) {
-  const needsCheck = namespace && (!globalCaps.exec || !globalCaps.logs || !globalCaps.portForward)
+export function useNamespaceCapabilities(namespace: string | undefined, globalCaps: Capabilities | undefined) {
+  const needsCheck = namespace && globalCaps
   return useQuery<Capabilities>({
     queryKey: ['capabilities', namespace],
     queryFn: () => fetchJSON(`/capabilities?namespace=${encodeURIComponent(namespace!)}`),
@@ -1782,6 +1781,123 @@ export function useBulkDeleteResources() {
   })
 }
+interface BulkWorkloadItem {
+  kind: string
+  namespace: string
+  name: string
+}
+interface BulkWorkloadMutationResult {
+  requested: number
+  succeeded: number
+  failedMessages: string[]
+}
+function failedBulkWorkloadMessages(results: PromiseSettledResult<unknown>[]): string[] {
+  return results.flatMap(r => r.status === 'rejected'
+    ? [r.reason instanceof Error ? r.reason.message : String(r.reason)]
+    : []
+  )
+}
+function bulkWorkloadFailureMessage(action: string, failed: number, total: number, messages: string[]): string {
+  return `Failed to ${action} ${failed} of ${total} workloads:\n${messages.join('\n')}`
+}
+export function useBulkRestartWorkloads() {
+  const queryClient = useQueryClient()
+  return useMutation({
+    mutationFn: async ({ items }: { items: BulkWorkloadItem[] }): Promise<BulkWorkloadMutationResult> => {
+      if (items.length === 0) {
+        return { requested: 0, succeeded: 0, failedMessages: [] }
+      }
+      const results = await Promise.allSettled(
+        items.map(async ({ kind, namespace, name }) => {
+          const response = await apiFetch(`${getApiBase()}/workloads/${kind}/${namespace}/${name}/restart`, {
+            method: 'POST',
+          })
+          if (!response.ok) {
+            const error = await response.json().catch(() => ({ error: 'Unknown error' }))
+            throw new Error(`${namespace}/${name}: ${error.error || `HTTP ${response.status}`}`)
+          }
+          return { kind, namespace, name }
+        })
+      )
+      const failedMessages = failedBulkWorkloadMessages(results)
+      if (failedMessages.length === items.length) {
+        throw new Error(bulkWorkloadFailureMessage('restart', failedMessages.length, items.length, failedMessages))
+      }
+      return { requested: items.length, succeeded: items.length - failedMessages.length, failedMessages }
+    },
+    meta: {
+      errorMessage: 'Failed to restart some workloads',
+    },
+    onSuccess: (result) => {
+      if (result.failedMessages.length > 0) {
+        showApiError(
+          `Restarted ${result.succeeded} of ${result.requested} workloads`,
+          result.failedMessages.join('\n'),
+        )
+      } else {
+        showApiSuccess('Workloads restarting')
+      }
+    },
+    onSettled: () => {
+      queryClient.invalidateQueries({ queryKey: ['resources'] })
+      queryClient.invalidateQueries({ queryKey: ['topology'] })
+    },
+  })
+}
+export function useBulkScaleWorkloads() {
+  const queryClient = useQueryClient()
+  return useMutation({
+    mutationFn: async ({ items, replicas }: { items: BulkWorkloadItem[]; replicas: number }): Promise<BulkWorkloadMutationResult> => {
+      if (items.length === 0) {
+        return { requested: 0, succeeded: 0, failedMessages: [] }
+      }
+      const results = await Promise.allSettled(
+        items.map(async ({ kind, namespace, name }) => {
+          const response = await apiFetch(`${getApiBase()}/workloads/${kind}/${namespace}/${name}/scale`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({ replicas }),
+          })
+          if (!response.ok) {
+            const error = await response.json().catch(() => ({ error: 'Unknown error' }))
+            throw new Error(`${namespace}/${name}: ${error.error || `HTTP ${response.status}`}`)
+          }
+          return { kind, namespace, name }
+        })
+      )
+      const failedMessages = failedBulkWorkloadMessages(results)
+      if (failedMessages.length === items.length) {
+        throw new Error(bulkWorkloadFailureMessage('scale', failedMessages.length, items.length, failedMessages))
+      }
+      return { requested: items.length, succeeded: items.length - failedMessages.length, failedMessages }
+    },
+    meta: {
+      errorMessage: 'Failed to scale some workloads',
+    },
+    onSuccess: (result) => {
+      if (result.failedMessages.length > 0) {
+        showApiError(
+          `Scaled ${result.succeeded} of ${result.requested} workloads`,
+          result.failedMessages.join('\n'),
+        )
+      } else {
+        showApiSuccess('Workloads scaled')
+      }
+    },
+    onSettled: () => {
+      queryClient.invalidateQueries({ queryKey: ['resources'] })
+      queryClient.invalidateQueries({ queryKey: ['topology'] })
+    },
+  })
+}
 // Apply (create or update) a resource from YAML
 export interface ApplyResourceResult {
   name: string

package/src/components/audit/AuditSettingsDialog.tsx CHANGED Viewed

@@ -1,7 +1,7 @@
 import { useState, useEffect, useMemo } from 'react'
-import { X, Plus, Trash2 } from 'lucide-react'
+import { X, Plus, Trash2, Lock } from 'lucide-react'
 import { clsx } from 'clsx'
-import { useAuditSettings, useUpdateAuditSettings, useAudit } from '../../api/client'
+import { useAuditSettings, useUpdateAuditSettings, useAudit, useCloudRole } from '../../api/client'
 import type { CheckMeta } from '@skyhook-io/k8s-ui'
 import { validateRFC1123Label, type ValidationResult } from '@skyhook-io/k8s-ui/utils/validators'
@@ -14,6 +14,11 @@ export function AuditSettingsDialog({ namespaces, onClose }: AuditSettingsDialog
   const { data: settings } = useAuditSettings()
   const { data: auditData } = useAudit(namespaces)
   const updateSettings = useUpdateAuditSettings()
+  // Audit policy is cluster-shared, so writes are owner-gated (enforced
+  // server-side too). Non-owners get a read-only view. Non-Cloud callers
+  // have no role and pass.
+  const { canAtLeast } = useCloudRole()
+  const canEdit = canAtLeast('owner')
   const [ignoredNs, setIgnoredNs] = useState<string[]>([])
   const [disabledChecks, setDisabledChecks] = useState<string[]>([])
   const [newNs, setNewNs] = useState('')
@@ -75,6 +80,15 @@ export function AuditSettingsDialog({ namespaces, onClose }: AuditSettingsDialog
         </div>
         <div className="px-5 py-4 overflow-y-auto flex-1">
+          {!canEdit && (
+            <div className="mb-4 rounded-lg border border-theme-border bg-theme-elevated/50 p-3 flex items-start gap-2.5">
+              <Lock className="w-3.5 h-3.5 mt-0.5 shrink-0 text-theme-text-tertiary" />
+              <p className="text-xs text-theme-text-tertiary">
+                Audit policy is shared across everyone using this Radar instance, so editing
+                is limited to owners. You can review the current settings here.
+              </p>
+            </div>
+          )}
           {/* Ignored Namespaces */}
           <div className="mb-6">
             <label className="text-xs font-medium text-theme-text-secondary uppercase tracking-wider">
@@ -90,7 +104,8 @@ export function AuditSettingsDialog({ namespaces, onClose }: AuditSettingsDialog
                   <span className="text-sm text-theme-text-primary">{ns}</span>
                   <button
                     onClick={() => setIgnoredNs(ignoredNs.filter(n => n !== ns))}
-                    className="p-1 rounded hover:bg-theme-hover text-theme-text-tertiary hover:text-red-400 transition-colors"
+                    disabled={!canEdit}
+                    className="p-1 rounded hover:bg-theme-hover text-theme-text-tertiary hover:text-red-400 transition-colors disabled:opacity-40 disabled:cursor-not-allowed disabled:hover:text-theme-text-tertiary"
                   >
                     <Trash2 className="w-3.5 h-3.5" />
                   </button>
@@ -108,6 +123,7 @@ export function AuditSettingsDialog({ namespaces, onClose }: AuditSettingsDialog
                 onChange={e => setNewNs(e.target.value)}
                 onKeyDown={e => { if (e.key === 'Enter') addNamespace() }}
                 placeholder="Add namespace..."
+                disabled={!canEdit}
                 aria-invalid={newNsError ? true : undefined}
                 aria-describedby="new-ns-help"
                 className={clsx(
@@ -119,7 +135,7 @@ export function AuditSettingsDialog({ namespaces, onClose }: AuditSettingsDialog
               />
               <button
                 onClick={addNamespace}
-                disabled={!canAddNamespace}
+                disabled={!canEdit || !canAddNamespace}
                 className="px-3 py-1.5 text-sm btn-brand rounded-lg disabled:opacity-50 disabled:cursor-not-allowed"
               >
                 <Plus className="w-4 h-4" />
@@ -155,7 +171,8 @@ export function AuditSettingsDialog({ namespaces, onClose }: AuditSettingsDialog
                       type="checkbox"
                       checked={!disabled}
                       onChange={() => toggleCheck(check.id)}
-                      className="w-4 h-4 rounded border-theme-border text-skyhook-500 focus:ring-skyhook-500"
+                      disabled={!canEdit}
+                      className="w-4 h-4 rounded border-theme-border text-skyhook-500 focus:ring-skyhook-500 disabled:opacity-40 disabled:cursor-not-allowed"
                     />
                     <div className="flex-1 min-w-0">
                       <span className="text-sm text-theme-text-primary">{check.title}</span>
@@ -181,14 +198,16 @@ export function AuditSettingsDialog({ namespaces, onClose }: AuditSettingsDialog
             // text — otherwise the user clicks Save expecting their
             // entry to be included and it's silently dropped.
             disabled={
-              updateSettings.isPending || newNsError !== null || newNsDuplicate
+              !canEdit || updateSettings.isPending || newNsError !== null || newNsDuplicate
             }
             title={
-              newNsError
-                ? 'Fix or clear the pending namespace input before saving'
-                : newNsDuplicate
-                  ? 'Clear the duplicate pending input before saving'
-                  : undefined
+              !canEdit
+                ? 'Audit settings can only be changed by owners'
+                : newNsError
+                  ? 'Fix or clear the pending namespace input before saving'
+                  : newNsDuplicate
+                    ? 'Clear the duplicate pending input before saving'
+                    : undefined
             }
             className="px-4 py-1.5 text-sm btn-brand rounded-lg disabled:opacity-50 disabled:cursor-not-allowed"
           >

package/src/components/audit/AuditView.tsx CHANGED Viewed

@@ -1,5 +1,5 @@
 import { useState, useCallback } from 'react'
-import { useAudit, useAuditSettings, useUpdateAuditSettings } from '../../api/client'
+import { useAudit, useAuditSettings, useUpdateAuditSettings, useCloudRole } from '../../api/client'
 import type { SelectedResource } from '../../types'
 import { ChecksView, PaneLoader, type CheckResourceRef } from '@skyhook-io/k8s-ui'
 import { ArrowLeft, ClipboardCheck, Settings } from 'lucide-react'
@@ -21,6 +21,11 @@ export function AuditView({ namespaces, onBack, onNavigateToResource }: AuditVie
   const { data, isLoading, error } = useAudit(namespaces)
   const { data: auditSettings } = useAuditSettings()
   const updateSettings = useUpdateAuditSettings()
+  // Audit policy is owner-gated (enforced server-side). Withhold the inline
+  // hide affordances from non-owners so they don't click into a 403 — the
+  // hide menus render only when these callbacks are passed.
+  const { canAtLeast } = useCloudRole()
+  const canEdit = canAtLeast('owner')
   const [showSettings, setShowSettings] = useState(false)
   const ignoredCount = auditSettings?.ignoredNamespaces?.length ?? 0
@@ -105,8 +110,8 @@ export function AuditView({ namespaces, onBack, onNavigateToResource }: AuditVie
         catalog={data.checks ?? {}}
         anyData
         onResourceClick={onResourceClick}
-        onHideCheck={hideCheck}
-        onHideCategory={hideCategory}
+        onHideCheck={canEdit ? hideCheck : undefined}
+        onHideCategory={canEdit ? hideCategory : undefined}
       />
       {showSettings && <AuditSettingsDialog namespaces={namespaces} onClose={() => setShowSettings(false)} />}

package/src/components/resources/ResourcesView.tsx CHANGED Viewed

@@ -1,17 +1,20 @@
 import { useState, useMemo, useCallback, useEffect } from 'react'
 import { useLocation, useNavigate } from 'react-router-dom'
 import { useQuery } from '@tanstack/react-query'
-import { ApiError, debugNamespaceLog, fetchJSON, isForbiddenError, useSecretCertExpiry, useTopPodMetrics, useTopNodeMetrics, useBulkDeleteResources } from '../../api/client'
+import { ApiError, debugNamespaceLog, fetchJSON, isForbiddenError, useCapabilities, useNamespaceCapabilities, useSecretCertExpiry, useTopPodMetrics, useTopNodeMetrics, useBulkDeleteResources, useBulkRestartWorkloads, useBulkScaleWorkloads } from '../../api/client'
 import { apiUrl, getAuthHeaders, getCredentialsMode, getBasename } from '../../api/config'
 import { useAPIResources } from '../../api/apiResources'
 import { initNavigationMap } from '@skyhook-io/k8s-ui'
 import { usePinnedKinds } from '../../hooks/useFavorites'
 import { useOpenLogs, useOpenWorkloadLogs } from '../dock'
 import {
+  canBulkRestartKind,
+  canBulkScaleKind,
   ResourcesView as BaseResourcesView,
   CORE_RESOURCES,
+  intersectWorkloadWrites,
 } from '@skyhook-io/k8s-ui'
-import type { ResourceQueryResult } from '@skyhook-io/k8s-ui'
+import type { Capabilities, ResourceQueryResult, WorkloadWritePermissions } from '@skyhook-io/k8s-ui'
 import type { SelectedResource } from '../../types'
 import { kindToPlural, type NavigateToResource } from '../../utils/navigation'
 import { CreateResourceDialog } from '../shared/CreateResourceDialog'
@@ -31,10 +34,45 @@ interface ResourcesViewProps {
   onClearNamespaces?: () => void
 }
+type SelectedKindInfo = { name: string; kind: string; group: string } | null
+const deniedWorkloadWrites: WorkloadWritePermissions = {
+  deployments: false,
+  daemonSets: false,
+  statefulSets: false,
+  rollouts: false,
+}
 export function ResourcesView({ namespaces, selectedResource, onResourceClick, onResourceClickYaml, onKindChange, onClearNamespaces }: ResourcesViewProps) {
   const location = useLocation()
   const navigate = useNavigate()
+  const { data: capabilities } = useCapabilities()
+  const namespaceForCapabilities = namespaces.length === 1 ? namespaces[0] : undefined
+  const { data: namespaceCapabilities } = useNamespaceCapabilities(namespaceForCapabilities, capabilities)
+  const namespaceCapabilityNames = useMemo(() => namespaces.length > 1 ? [...namespaces].sort() : [], [namespaces])
+  const { data: namespaceCapabilitiesList } = useQuery<Array<Pick<Capabilities, 'workloadWrites'>>>({
+    queryKey: ['capabilities', 'namespaces', namespaceCapabilityNames],
+    queryFn: async () => {
+      const results = await Promise.allSettled(
+        namespaceCapabilityNames.map(async ns => ({
+          namespace: ns,
+          capabilities: await fetchJSON<Capabilities>(`/capabilities?namespace=${encodeURIComponent(ns)}`),
+        }))
+      )
+      return results.map((result, index) => {
+        if (result.status === 'fulfilled') {
+          return { workloadWrites: result.value.capabilities.workloadWrites }
+        }
+        console.warn(`Failed to fetch namespace capabilities for ${namespaceCapabilityNames[index]}, withholding workload writes:`, result.reason)
+        return { workloadWrites: deniedWorkloadWrites }
+      })
+    },
+    enabled: namespaceCapabilityNames.length > 1 && capabilities != null,
+    staleTime: 60000,
+  })
+  const multiNamespaceWorkloadWrites = useMemo(() => intersectWorkloadWrites(namespaceCapabilitiesList), [namespaceCapabilitiesList])
   // API resources discovery
   const { data: apiResources } = useAPIResources()
@@ -44,7 +82,14 @@ export function ResourcesView({ namespaces, selectedResource, onResourceClick, o
   }, [apiResources])
   // Track the selected kind from the k8s-ui component
-  const [selectedKind, setSelectedKind] = useState<{ name: string; kind: string; group: string } | null>(null)
+  const [selectedKind, setSelectedKind] = useState<SelectedKindInfo>(null)
+  const workloadWrites = namespaces.length === 0
+    ? capabilities?.workloadWrites
+    : namespaces.length === 1
+      ? namespaceCapabilities?.workloadWrites
+      : multiNamespaceWorkloadWrites
+  const canBulkRestartSelectedKind = useMemo(() => canBulkRestartKind(selectedKind, workloadWrites), [selectedKind, workloadWrites])
+  const canBulkScaleSelectedKind = useMemo(() => canBulkScaleKind(selectedKind, workloadWrites), [selectedKind, workloadWrites])
   // Lightweight resource counts for sidebar badges (~2KB instead of ~608MB)
   const namespacesParam = namespaces.join(',')
@@ -148,6 +193,8 @@ export function ResourcesView({ namespaces, selectedResource, onResourceClick, o
   // Bulk delete
   const bulkDeleteMutation = useBulkDeleteResources()
+  const bulkRestartMutation = useBulkRestartWorkloads()
+  const bulkScaleMutation = useBulkScaleWorkloads()
   // Navigation adapter. k8s-ui constructs paths from `basePath` (which
   // includes the router basename so they line up with window.location.pathname
@@ -230,6 +277,10 @@ export function ResourcesView({ namespaces, selectedResource, onResourceClick, o
       // Bulk operations
       onBulkDelete={(items, options) => bulkDeleteMutation.mutate({ items, force: options?.force }, { onSuccess: options?.onSuccess })}
       isBulkDeleting={bulkDeleteMutation.isPending}
+      onBulkRestart={canBulkRestartSelectedKind ? (items, options) => bulkRestartMutation.mutate({ items }, { onSuccess: options?.onSuccess }) : undefined}
+      isBulkRestarting={canBulkRestartSelectedKind && bulkRestartMutation.isPending}
+      onBulkScale={canBulkScaleSelectedKind ? (items, replicas, options) => bulkScaleMutation.mutate({ items, replicas }, { onSuccess: options?.onSuccess }) : undefined}
+      isBulkScaling={canBulkScaleSelectedKind && bulkScaleMutation.isPending}
     />
     <CreateResourceDialog
       open={createDialogOpen}

package/src/components/settings/SettingsDialog.tsx CHANGED Viewed

@@ -1,10 +1,13 @@
-import { useState, useEffect, useRef, useCallback } from 'react'
+import { useState, useEffect, useRef, useCallback, type ReactNode } from 'react'
 import { createPortal } from 'react-dom'
-import { Settings, X, RotateCcw, Loader2, Copy, Check, Pin, Shield } from 'lucide-react'
+import { Settings, X, RotateCcw, Loader2, Copy, Check, Pin, Shield, Lock } from 'lucide-react'
 import { clsx } from 'clsx'
 import { useAnimatedUnmount } from '../../hooks/useAnimatedUnmount'
 import { TRANSITION_BACKDROP, TRANSITION_PANEL } from '../../utils/animation'
 import { apiUrl, getAuthHeaders, getCredentialsMode } from '../../api/config'
+import { useCloudRole } from '../../api/client'
+import { useCapabilitiesContext } from '../../contexts/CapabilitiesContext'
+import type { DeploymentMode } from '../../types'
 interface Config {
   kubeconfig?: string
@@ -12,6 +15,7 @@ interface Config {
   namespace?: string
   port?: number
   noBrowser?: boolean
+  browser?: string
   timelineStorage?: 'memory' | 'sqlite'
   timelineDbPath?: string
   historyLimit?: number
@@ -34,6 +38,14 @@ interface SettingsDialogProps {
 export function SettingsDialog({ open, onClose, onShowMyPermissions }: SettingsDialogProps) {
   const dialogRef = useRef<HTMLDivElement>(null)
   const { shouldRender, isOpen } = useAnimatedUnmount(open, 200)
+  // Radar configuration (kubeconfig, port, integrations…) is host-level and
+  // affects every user of this instance, so it's gated to owners. Personal
+  // sections (My permissions) stay visible to everyone. Non-Cloud callers
+  // (OSS, OIDC, kubectl plugin) have no role and pass — single-user laptops
+  // are never locked out of their own config. Backend enforces this too.
+  const { canAtLeast } = useCloudRole()
+  const capabilities = useCapabilitiesContext()
+  const canEditConfig = canAtLeast('owner')
   const [configData, setConfigData] = useState<ConfigResponse | null>(null)
   const [editedConfig, setEditedConfig] = useState<Config>({})
   const [saving, setSaving] = useState(false)
@@ -122,6 +134,7 @@ export function SettingsDialog({ open, onClose, onShowMyPermissions }: SettingsD
   if (!shouldRender) return null
   const isDesktop = configData?.isDesktop ?? false
+  const deploymentMode = capabilities.deployment?.mode ?? 'local'
   return createPortal(
     <div className="fixed inset-0 z-50 flex items-center justify-center">
@@ -169,33 +182,56 @@ export function SettingsDialog({ open, onClose, onShowMyPermissions }: SettingsD
             </div>
           )}
           {onShowMyPermissions && (
-            <div className="mb-4 rounded-md border border-theme-border bg-theme-elevated/50 p-3">
-              <div className="flex items-center justify-between gap-3">
-                <div className="min-w-0">
-                  <h3 className="text-sm font-medium text-theme-text-primary">My permissions</h3>
-                  <p className="mt-0.5 text-xs text-theme-text-tertiary">
-                    View what your current identity can do in this cluster.
-                  </p>
+            <div className="mb-5">
+              <SectionLabel>Personal</SectionLabel>
+              <div className="rounded-md border border-theme-border bg-theme-elevated/50 p-3">
+                <div className="flex items-center justify-between gap-3">
+                  <div className="min-w-0">
+                    <h3 className="text-sm font-medium text-theme-text-primary">My permissions</h3>
+                    <p className="mt-0.5 text-xs text-theme-text-tertiary">
+                      View what your current identity can do in this cluster.
+                    </p>
+                  </div>
+                  <button
+                    onClick={onShowMyPermissions}
+                    className="shrink-0 flex items-center gap-1.5 px-3 py-1.5 text-xs font-medium text-theme-text-secondary hover:text-theme-text-primary hover:bg-theme-hover rounded-md transition-colors"
+                  >
+                    <Shield className="w-3.5 h-3.5" />
+                    Open
+                  </button>
                 </div>
-                <button
-                  onClick={onShowMyPermissions}
-                  className="shrink-0 flex items-center gap-1.5 px-3 py-1.5 text-xs font-medium text-theme-text-secondary hover:text-theme-text-primary hover:bg-theme-hover rounded-md transition-colors"
-                >
-                  <Shield className="w-3.5 h-3.5" />
-                  Open
-                </button>
               </div>
             </div>
           )}
-          <StartupConfigTab
-            config={editedConfig}
-            effectiveConfig={configData?.effective}
-            isDesktop={isDesktop}
-            onChange={updateConfigField}
-          />
+          <SectionLabel>Radar configuration</SectionLabel>
+          {canEditConfig ? (
+            <StartupConfigTab
+              config={editedConfig}
+              effectiveConfig={configData?.effective}
+              isDesktop={isDesktop}
+              deploymentMode={deploymentMode}
+              onChange={updateConfigField}
+            />
+          ) : (
+            <div className="rounded-md border border-theme-border bg-theme-elevated/50 p-4 flex items-start gap-3">
+              <Lock className="w-4 h-4 mt-0.5 shrink-0 text-theme-text-tertiary" />
+              <div className="min-w-0">
+                <p className="text-sm font-medium text-theme-text-primary">Owner access required</p>
+                <p className="mt-0.5 text-xs text-theme-text-tertiary">
+                  These settings (kubeconfig, server port, timeline, integrations) affect
+                  every user of this Radar instance, so they're limited to owners. Ask an
+                  owner if you need a change here.
+                </p>
+              </div>
+            </div>
+          )}
         </div>
-        {/* Footer */}
+        {/* Footer — only the owner-gated config section is editable, so hide
+            the save controls entirely for non-owners (personal sections save
+            themselves). */}
+        {canEditConfig && (
         <div className="flex items-center justify-between gap-3 p-4 border-t border-theme-border shrink-0">
             <div className="flex items-center gap-2">
               <button
@@ -225,25 +261,39 @@ export function SettingsDialog({ open, onClose, onShowMyPermissions }: SettingsD
               Save
             </button>
           </div>
+        )}
       </div>
     </div>,
     document.body
   )
 }
+// -- Section label ------------------------------------------------------------
+function SectionLabel({ children }: { children: ReactNode }) {
+  return (
+    <h3 className="text-xs font-medium text-theme-text-secondary uppercase tracking-wider mb-2">
+      {children}
+    </h3>
+  )
+}
 // -- Startup Configuration Tab ------------------------------------------------
 function StartupConfigTab({
   config,
   effectiveConfig,
   isDesktop,
+  deploymentMode,
   onChange,
 }: {
   config: Config
   effectiveConfig?: Config
   isDesktop: boolean
+  deploymentMode: DeploymentMode
   onChange: <K extends keyof Config>(field: K, value: Config[K]) => void
 }) {
+  const showBrowserLaunchControls = !isDesktop && deploymentMode === 'local'
   return (
     <div className="space-y-4">
       <p className="text-xs text-theme-text-tertiary">
@@ -291,12 +341,23 @@ function StartupConfigTab({
         onChange={(v) => onChange('port', v)}
       />
-      {!isDesktop && (
-        <ConfigToggle
-          label="Open browser on start"
-          value={!(config.noBrowser ?? false)}
-          onChange={(v) => onChange('noBrowser', !v ? true : undefined)}
-        />
+      {showBrowserLaunchControls && (
+        <>
+          <ConfigToggle
+            label="Open browser on start"
+            value={!(config.noBrowser ?? false)}
+            onChange={(v) => onChange('noBrowser', !v ? true : undefined)}
+          />
+          <ConfigField
+            label="Browser"
+            help="Browser for automatic launch; macOS app names are supported"
+            value={config.browser ?? ''}
+            effectiveValue={effectiveConfig?.browser}
+            placeholder="System default"
+            onChange={(v) => onChange('browser', v || undefined)}
+          />
+        </>
       )}
       <div className="border-t border-theme-border pt-4 mt-4">

package/src/contexts/CapabilitiesContext.tsx CHANGED Viewed

@@ -12,6 +12,12 @@ const defaultCapabilities: Capabilities = {
   secretsUpdate: true,
   helmWrite: true,
   nodeWrite: true,
+  workloadWrites: {
+    deployments: true,
+    daemonSets: true,
+    statefulSets: true,
+    rollouts: true,
+  },
   mcpEnabled: true,
   // Default to 'local' for the loading window so the UI renders the
   // OSS standalone shape until /api/capabilities resolves. Both
@@ -30,6 +36,12 @@ const restrictedCapabilities: Capabilities = {
   secretsUpdate: false,
   helmWrite: false,
   nodeWrite: false,
+  workloadWrites: {
+    deployments: false,
+    daemonSets: false,
+    statefulSets: false,
+    rollouts: false,
+  },
   mcpEnabled: false,
   deployment: { mode: 'local' },
 }
@@ -121,10 +133,8 @@ export function useHasLimitedAccess(): boolean {
   return Object.entries(resources).some(([kind, allowed]) => !allowed && !isOptionalKind(kind))
 }
-// Namespace-scoped capability hooks: lazily re-check exec/logs/portForward
-// scoped to a specific namespace when global RBAC checks denied them.
-// Falls back to global capability values while the namespace check is loading
-// or when all capabilities are already granted.
+// Namespace-scoped capability hooks. A concrete namespace gets its own
+// capability check; callers use global capability values until it resolves.
 export function useNamespacedCapabilities(namespace: string | undefined) {
   const globalCaps = useContext(CapabilitiesContext)
   const { data: nsCaps, error } = useNamespaceCapabilities(namespace, globalCaps)
@@ -137,5 +147,6 @@ export function useNamespacedCapabilities(namespace: string | undefined) {
     canExec: nsCaps?.exec ?? globalCaps.exec,
     canViewLogs: nsCaps?.logs ?? globalCaps.logs,
     canPortForward: nsCaps?.portForward ?? globalCaps.portForward,
-  }), [globalCaps.exec, globalCaps.logs, globalCaps.portForward, nsCaps])
+    workloadWrites: nsCaps?.workloadWrites ?? globalCaps.workloadWrites,
+  }), [globalCaps.exec, globalCaps.logs, globalCaps.portForward, globalCaps.workloadWrites, nsCaps])
 }