kubeops 0.1.4 → 0.1.5

package/README.md

@@ -33,18 +33,45 @@ Download the latest version for your platform from the **[Releases](https://gith
 
 > The app supports auto-update after installation.
 
+### Requirements
+
+- **kubectl** installed and available on your `PATH`
+- A valid `~/.kube/config` with at least one cluster context
+- *(Optional)* **helm** CLI for Helm chart management
+- *(Optional)* `metrics-server` in the cluster for CPU/memory charts
+- *(Optional)* Prometheus for network I/O and filesystem charts
+- *(Optional)* `tsh` CLI for Teleport-managed clusters
+
 ---
 
 ## Why KubeOps?
 
-- **Zero config** — Reads your `~/.kube/config` and auto-detects every cluster. No setup, no YAML to write.
-- **Visual topology** — See how Ingresses, Services, Deployments, and Pods connect in an interactive App Map.
-- **Built-in terminal & logs** — Open shell sessions and live log streams right inside the app. No more switching between terminal tabs.
-- **Port forwarding dashboard** — Start, monitor, and stop port forwards from a single page.
-- **Real-time metrics** — CPU, memory, network I/O, and filesystem charts per pod (with metrics-server / Prometheus).
-- **ArgoCD-style status** — Health badges on every resource so you can spot problems at a glance.
-- **Fast keyboard navigation** — Command palette (`Cmd+K`) to jump to any cluster, namespace, or resource type instantly.
-- **Cross-platform** — Runs natively on macOS, Windows, and Linux.
+There are many Kubernetes tools out there. Here's how KubeOps compares:
+
+| | KubeOps | Lens | k9s | K8s Dashboard |
+| --- | :---: | :---: | :---: | :---: |
+| Free & open source | **Yes** | Freemium | Yes | Yes (archived) |
+| Visual resource topology | **Yes** | Extension | No | Limited |
+| Built-in terminal & logs | **Yes** | Yes | Yes | Yes |
+| Real-time metrics & charts | **Yes** | Yes | Basic | Basic |
+| Helm chart management | **Yes** | Yes | View only | No |
+| RBAC visualization | **Yes** | No | Basic | No |
+| YAML diff view | **Yes** | No | No | No |
+| Desktop app (no server install) | **Yes** | Yes | Terminal | Needs deploy |
+| Zero config (reads kubeconfig) | **Yes** | Yes | Yes | Needs deploy |
+| CRD browser | **Yes** | Yes | Yes | Limited |
+| Teleport auth | **Yes** | No | No | No |
+
+### In short
+
+- **Free forever** — No subscriptions, no feature gates, no telemetry. MIT licensed.
+- **Visual-first** — Interactive App Map shows how Ingresses, Services, Deployments, and Pods connect. Not just resource lists.
+- **All-in-one desktop app** — Terminal, logs, port forwarding, metrics charts, YAML editor, Helm management in a single window. No server to deploy, no browser extension to install.
+- **Helm chart management** — Browse, install, upgrade, rollback, and uninstall Helm releases directly from the UI.
+- **RBAC visualization** — See who can do what with a permission matrix and interactive access review.
+- **Modern & lightweight** — Fast startup, small footprint. No Electron bloat from bundled IDE features you don't need.
+- **30+ resource types** — Pods, Deployments, StatefulSets, DaemonSets, CronJobs, Services, Ingresses, ConfigMaps, Secrets, CRDs, and more.
+- **Cross-platform** — Runs natively on macOS, Windows, and Linux with auto-update.
 
 ---
 
@@ -90,13 +117,26 @@ Start port forwards from pod container ports, service ports, or YAML editor fiel
 
 ![KubeOps forward](assets/port-forward.png)
 
-### YAML Editor (Table / YAML / Edit)
+### Helm Chart Management
+
+Full Helm release lifecycle from the UI. Browse installed releases across all namespaces, view release details (status, chart info, revision history, values), install new charts from configured repositories, upgrade with modified values, rollback to previous revisions, and uninstall releases. Requires the `helm` CLI on your PATH.
+
+### RBAC Visualization
+
+A dedicated RBAC Summary page aggregates all Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings into a permission matrix showing who (User / Group / ServiceAccount) can do what. Filter by subject type or search by name. The Access Review tab lets you check if a specific subject is allowed to perform an action on a resource.
 
-Three viewing modes for every resource manifest:
+### Cluster Catalog
+
+Organize clusters with tags, groups, and favorites. Switch between list and card views. Group clusters by environment (Production / Staging / Development) or create custom groups. Tag clusters for quick filtering. Star your most-used clusters for fast access. All metadata persists across sessions.
+
+### YAML Editor (Table / YAML / Edit / Diff)
+
+Four viewing modes for every resource manifest:
 
 - **Table view** — Structured, collapsible sections with smart value rendering
 - **YAML view** — Read-only formatted output
 - **Edit mode** — Syntax-highlighted editor with validation, save with `Cmd+S`
+- **Review Changes** — Side-by-side diff showing additions (green) and deletions (red) before saving
 
 <!-- Screenshot: YAML Editor -->
 
@@ -118,33 +158,46 @@ Click the info icon on any App Map node to open a right-side drawer with Overvie
 
 ![KubeOps drawer](assets/drawer.png)
 
+### Deployment Scaling
+
+Scale Deployments and StatefulSets directly from the UI. A dedicated scale dialog lets you set the desired replica count and apply it instantly.
+
+### Custom Resource Definitions (CRDs)
+
+Browse cluster-installed CRDs and their instances. The sidebar lists discovered CRD groups, and each instance supports the same Table / YAML / Edit views as built-in resources.
+
+### Dark / Light Mode
+
+Toggle between dark and light themes from the header. Powered by `next-themes` with system preference detection. Your choice persists across sessions.
+
+### Teleport Authentication
+
+For clusters behind [Teleport](https://goteleport.com/), KubeOps detects Teleport contexts and provides a built-in login flow via `tsh kube login` — no manual terminal steps required.
+
 ### Pod Restart Watcher
 
 Enable Watch on any pod to monitor restart counts in the background. Polls every 10 seconds and sends desktop notifications when restarts increase. Watched pods persist across sessions.
 
----
+### Auto-Update
 
-## Getting Started
+An update indicator in the header shows the current state: checking → available → downloading → ready to install. Updates are downloaded in the background and applied on the next restart.
 
-### Prerequisites
+---
 
-- **Node.js** v18+
-- A valid `~/.kube/config` with at least one context
+## Development
 
 ### Run from Source
 
 ```bash
 git clone https://github.com/trustspirit/kubeops.git
 cd kubeops
-npm install
+npm install          # Node.js v18+ required
 npm run electron:dev
 ```
 
 The app opens automatically once the dev server is ready (port 51230).
 
----
-
-## Build
+### Build
 
 Create a distributable package for your platform:
 
@@ -158,22 +211,6 @@ Output is written to `dist-electron/`.
 
 ---
 
-## Architecture
-
-| Layer          | Technology                                       |
-| -------------- | ------------------------------------------------ |
-| Desktop shell  | Electron                                         |
-| Frontend       | Next.js 16 (App Router), React 19, Tailwind CSS  |
-| State          | Zustand (persisted to localStorage)              |
-| Data fetching  | SWR with auto-refresh                            |
-| K8s API        | `@kubernetes/client-node` via Next.js API routes |
-| Terminal       | xterm.js + node-pty over WebSocket               |
-| Charts         | Recharts                                         |
-| Resource graph | React Flow + Dagre                               |
-| YAML           | js-yaml                                          |
-
----
-
 ## Keyboard Shortcuts
 
 | Shortcut           | Action                 |
@@ -216,6 +253,23 @@ Logs rotate automatically at 5 MB (previous log kept as `error.log.old`).
 
 ---
 
+## Supported Resources
+
+KubeOps provides full browse / detail / YAML / edit support for 30+ Kubernetes resource types:
+
+| Category        | Resources                                                      |
+| --------------- | -------------------------------------------------------------- |
+| Workloads       | Pods, Deployments, StatefulSets, DaemonSets, ReplicaSets, Jobs, CronJobs |
+| Network         | Services, Ingresses, Endpoints, Network Policies               |
+| Config          | ConfigMaps, Secrets, Service Accounts                          |
+| Storage         | Persistent Volumes, Persistent Volume Claims                   |
+| Access Control  | Roles, Role Bindings, Cluster Roles, Cluster Role Bindings, RBAC Summary |
+| Cluster         | Nodes, Namespaces, Events                                      |
+| Helm            | Releases (install, upgrade, rollback, uninstall)               |
+| Custom          | Any installed CRD and its instances                            |
+
+---
+
 ## Troubleshooting
 
 | Problem                   | Solution                                                                    |
@@ -226,6 +280,7 @@ Logs rotate automatically at 5 MB (previous log kept as `error.log.old`).
 | Metrics charts empty      | Ensure `metrics-server` is installed in the cluster                         |
 | Network/FS charts missing | Requires Prometheus with `container_network_*` and `container_fs_*` metrics |
 | Port forward fails        | Check that `kubectl` is on your PATH and the target pod is running          |
+| Teleport login fails      | Ensure `tsh` is installed and on your PATH                                  |
 | Diagnosing crashes        | Open **Help → Open Error Log** to see captured errors                       |
 
 ### macOS Gatekeeper
@@ -245,3 +300,9 @@ Because the app is not yet code-signed with an Apple Developer certificate, macO
 ```bash
 xattr -cr /Applications/KubeOps.app
 ```
+
+---
+
+## License
+
+[MIT](LICENSE)

package/electron/main.js

@@ -58,6 +58,11 @@ autoUpdater.autoDownload = false;
 autoUpdater.autoInstallOnAppQuit = true;
 autoUpdater.logger = null;
 
+// Skip code signing verification for unsigned builds
+if (process.platform === 'darwin') {
+  autoUpdater.forceCodeSigning = false;
+}
+
 function sendUpdateStatus(status) {
   if (mainWindow && !mainWindow.isDestroyed()) {
     mainWindow.webContents.send('updater:status', status);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "kubeops",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "description": "A modern desktop client for Kubernetes cluster management",
   "main": "electron/main.js",
   "repository": {
@@ -58,6 +58,7 @@
     "clsx": "^2.1.1",
     "cmdk": "^1.1.1",
     "dagre": "^0.8.5",
+    "diff": "^8.0.3",
     "electron-updater": "^6.7.3",
     "js-yaml": "^4.1.1",
     "lucide-react": "^0.563.0",
@@ -76,6 +77,7 @@
   },
   "devDependencies": {
     "@tailwindcss/postcss": "^4",
+    "@types/diff": "^7.0.2",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^20",
     "@types/react": "^19",

package/server.ts

@@ -52,6 +52,25 @@ app.prepare().then(() => {
     }
   });
 
+  // Cleanup child processes on shutdown
+  const shutdown = () => {
+    console.log('> Shutting down — cleaning up child processes...');
+    try {
+      const { cleanupAllForwards } = require('./src/app/api/port-forward/route');
+      cleanupAllForwards();
+    } catch { /* module may not be loaded yet */ }
+
+    // Close all WebSocket connections
+    wssLogs.clients.forEach((ws) => ws.terminate());
+    wssExec.clients.forEach((ws) => ws.terminate());
+
+    server.close();
+    process.exit(0);
+  };
+
+  process.on('SIGTERM', shutdown);
+  process.on('SIGINT', shutdown);
+
   server.listen(port, () => {
     console.log(`> KubeOps running on http://${hostname}:${port}`);
   });

package/src/app/api/clusters/[clusterId]/helm/install/route.ts

@@ -0,0 +1,65 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { runHelm, isValidHelmName } from '@/lib/helm/helm-runner';
+import { requireHelm, withTempValuesFile } from '@/lib/helm/helpers';
+
+export const dynamic = 'force-dynamic';
+
+interface RouteParams {
+  params: Promise<{ clusterId: string }>;
+}
+
+export async function POST(req: NextRequest, { params }: RouteParams) {
+  const helmCheck = requireHelm();
+  if (helmCheck) return helmCheck;
+
+  const { clusterId } = await params;
+  const contextName = decodeURIComponent(clusterId);
+
+  let body: any;
+  try {
+    body = await req.json();
+  } catch {
+    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
+  }
+
+  const { releaseName, chart, namespace, values, createNamespace } = body;
+
+  if (!releaseName || !isValidHelmName(releaseName)) {
+    return NextResponse.json({ error: 'Valid releaseName is required (alphanumeric, hyphens, dots, underscores)' }, { status: 400 });
+  }
+  if (!chart) {
+    return NextResponse.json({ error: 'chart is required' }, { status: 400 });
+  }
+  if (!namespace) {
+    return NextResponse.json({ error: 'namespace is required' }, { status: 400 });
+  }
+
+  return withTempValuesFile(values, async (tmpFile) => {
+    const args = ['install', releaseName, chart, '-n', namespace, '--output', 'json'];
+
+    if (createNamespace !== false) {
+      args.push('--create-namespace');
+    }
+
+    if (tmpFile) {
+      args.push('-f', tmpFile);
+    }
+
+    const result = await runHelm(args, contextName);
+
+    if (result.code !== 0) {
+      console.error(`[Helm] install ${releaseName} failed: ${result.stderr}`);
+      return NextResponse.json(
+        { error: result.stderr || `Failed to install chart "${chart}" as "${releaseName}"` },
+        { status: 500 }
+      );
+    }
+
+    try {
+      const installed = JSON.parse(result.stdout);
+      return NextResponse.json(installed);
+    } catch {
+      return NextResponse.json({ success: true, message: result.stdout.trim() });
+    }
+  });
+}

package/src/app/api/clusters/[clusterId]/helm/releases/[name]/history/route.ts

@@ -0,0 +1,44 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { runHelm } from '@/lib/helm/helm-runner';
+import { requireHelm, requireNamespaceParam } from '@/lib/helm/helpers';
+
+export const dynamic = 'force-dynamic';
+
+interface RouteParams {
+  params: Promise<{ clusterId: string; name: string }>;
+}
+
+export async function GET(req: NextRequest, { params }: RouteParams) {
+  const helmCheck = requireHelm();
+  if (helmCheck) return helmCheck;
+
+  const { clusterId, name } = await params;
+  const contextName = decodeURIComponent(clusterId);
+  const releaseName = decodeURIComponent(name);
+  const { searchParams } = new URL(req.url);
+  const namespace = searchParams.get('namespace');
+
+  const nsCheck = requireNamespaceParam(namespace);
+  if (nsCheck) return nsCheck;
+
+  const args = ['history', releaseName, '-n', namespace!, '--output', 'json'];
+  const result = await runHelm(args, contextName);
+
+  if (result.code !== 0) {
+    console.error(`[Helm] history ${releaseName} failed: ${result.stderr}`);
+    return NextResponse.json(
+      { error: result.stderr || `Failed to get history for release "${releaseName}"` },
+      { status: 500 }
+    );
+  }
+
+  try {
+    const history = result.stdout.trim() ? JSON.parse(result.stdout) : [];
+    return NextResponse.json({ history });
+  } catch {
+    return NextResponse.json(
+      { error: 'Failed to parse Helm output' },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/clusters/[clusterId]/helm/releases/[name]/rollback/route.ts

@@ -0,0 +1,47 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { runHelm } from '@/lib/helm/helm-runner';
+import { requireHelm } from '@/lib/helm/helpers';
+
+export const dynamic = 'force-dynamic';
+
+interface RouteParams {
+  params: Promise<{ clusterId: string; name: string }>;
+}
+
+export async function POST(req: NextRequest, { params }: RouteParams) {
+  const helmCheck = requireHelm();
+  if (helmCheck) return helmCheck;
+
+  const { clusterId, name } = await params;
+  const contextName = decodeURIComponent(clusterId);
+  const releaseName = decodeURIComponent(name);
+
+  let body: any;
+  try {
+    body = await req.json();
+  } catch {
+    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
+  }
+
+  const { revision, namespace } = body;
+
+  if (!revision) {
+    return NextResponse.json({ error: 'revision is required' }, { status: 400 });
+  }
+  if (!namespace) {
+    return NextResponse.json({ error: 'namespace is required' }, { status: 400 });
+  }
+
+  const args = ['rollback', releaseName, String(revision), '-n', namespace];
+  const result = await runHelm(args, contextName);
+
+  if (result.code !== 0) {
+    console.error(`[Helm] rollback ${releaseName} to ${revision} failed: ${result.stderr}`);
+    return NextResponse.json(
+      { error: result.stderr || `Failed to rollback release "${releaseName}" to revision ${revision}` },
+      { status: 500 }
+    );
+  }
+
+  return NextResponse.json({ success: true, message: result.stdout.trim() || `Rolled back "${releaseName}" to revision ${revision}` });
+}

package/src/app/api/clusters/[clusterId]/helm/releases/[name]/route.ts

@@ -0,0 +1,71 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { runHelm } from '@/lib/helm/helm-runner';
+import { requireHelm, requireNamespaceParam } from '@/lib/helm/helpers';
+
+export const dynamic = 'force-dynamic';
+
+interface RouteParams {
+  params: Promise<{ clusterId: string; name: string }>;
+}
+
+export async function GET(req: NextRequest, { params }: RouteParams) {
+  const helmCheck = requireHelm();
+  if (helmCheck) return helmCheck;
+
+  const { clusterId, name } = await params;
+  const contextName = decodeURIComponent(clusterId);
+  const releaseName = decodeURIComponent(name);
+  const { searchParams } = new URL(req.url);
+  const namespace = searchParams.get('namespace');
+
+  const nsCheck = requireNamespaceParam(namespace);
+  if (nsCheck) return nsCheck;
+
+  const args = ['status', releaseName, '-n', namespace!, '--output', 'json'];
+  const result = await runHelm(args, contextName);
+
+  if (result.code !== 0) {
+    console.error(`[Helm] status ${releaseName} failed: ${result.stderr}`);
+    return NextResponse.json(
+      { error: result.stderr || `Failed to get status for release "${releaseName}"` },
+      { status: 500 }
+    );
+  }
+
+  try {
+    const detail = JSON.parse(result.stdout);
+    return NextResponse.json(detail);
+  } catch {
+    return NextResponse.json(
+      { error: 'Failed to parse Helm output' },
+      { status: 500 }
+    );
+  }
+}
+
+export async function DELETE(req: NextRequest, { params }: RouteParams) {
+  const helmCheck = requireHelm();
+  if (helmCheck) return helmCheck;
+
+  const { clusterId, name } = await params;
+  const contextName = decodeURIComponent(clusterId);
+  const releaseName = decodeURIComponent(name);
+  const { searchParams } = new URL(req.url);
+  const namespace = searchParams.get('namespace');
+
+  const nsCheck = requireNamespaceParam(namespace);
+  if (nsCheck) return nsCheck;
+
+  const args = ['uninstall', releaseName, '-n', namespace!];
+  const result = await runHelm(args, contextName);
+
+  if (result.code !== 0) {
+    console.error(`[Helm] uninstall ${releaseName} failed: ${result.stderr}`);
+    return NextResponse.json(
+      { error: result.stderr || `Failed to uninstall release "${releaseName}"` },
+      { status: 500 }
+    );
+  }
+
+  return NextResponse.json({ success: true, message: result.stdout.trim() });
+}

package/src/app/api/clusters/[clusterId]/helm/releases/[name]/upgrade/route.ts

@@ -0,0 +1,64 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { runHelm } from '@/lib/helm/helm-runner';
+import { requireHelm, withTempValuesFile } from '@/lib/helm/helpers';
+
+export const dynamic = 'force-dynamic';
+
+interface RouteParams {
+  params: Promise<{ clusterId: string; name: string }>;
+}
+
+export async function POST(req: NextRequest, { params }: RouteParams) {
+  const helmCheck = requireHelm();
+  if (helmCheck) return helmCheck;
+
+  const { clusterId, name } = await params;
+  const contextName = decodeURIComponent(clusterId);
+  const releaseName = decodeURIComponent(name);
+
+  let body: any;
+  try {
+    body = await req.json();
+  } catch {
+    return NextResponse.json({ error: 'Invalid JSON body' }, { status: 400 });
+  }
+
+  const { chart, namespace, values, reuseValues } = body;
+
+  if (!chart) {
+    return NextResponse.json({ error: 'chart is required' }, { status: 400 });
+  }
+  if (!namespace) {
+    return NextResponse.json({ error: 'namespace is required' }, { status: 400 });
+  }
+
+  return withTempValuesFile(values, async (tmpFile) => {
+    const args = ['upgrade', releaseName, chart, '-n', namespace, '--output', 'json'];
+
+    if (reuseValues) {
+      args.push('--reuse-values');
+    }
+
+    if (tmpFile) {
+      args.push('-f', tmpFile);
+    }
+
+    const result = await runHelm(args, contextName);
+
+    if (result.code !== 0) {
+      console.error(`[Helm] upgrade ${releaseName} failed: ${result.stderr}`);
+      return NextResponse.json(
+        { error: result.stderr || `Failed to upgrade release "${releaseName}"` },
+        { status: 500 }
+      );
+    }
+
+    try {
+      const upgraded = JSON.parse(result.stdout);
+      return NextResponse.json(upgraded);
+    } catch {
+      // upgrade succeeded but output may not be JSON
+      return NextResponse.json({ success: true, message: result.stdout.trim() });
+    }
+  });
+}

package/src/app/api/clusters/[clusterId]/helm/releases/[name]/values/route.ts

@@ -0,0 +1,51 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { runHelm } from '@/lib/helm/helm-runner';
+import { requireHelm, requireNamespaceParam } from '@/lib/helm/helpers';
+
+export const dynamic = 'force-dynamic';
+
+interface RouteParams {
+  params: Promise<{ clusterId: string; name: string }>;
+}
+
+export async function GET(req: NextRequest, { params }: RouteParams) {
+  const helmCheck = requireHelm();
+  if (helmCheck) return helmCheck;
+
+  const { clusterId, name } = await params;
+  const contextName = decodeURIComponent(clusterId);
+  const releaseName = decodeURIComponent(name);
+  const { searchParams } = new URL(req.url);
+  const namespace = searchParams.get('namespace');
+  const all = searchParams.get('all') === 'true';
+
+  const nsCheck = requireNamespaceParam(namespace);
+  if (nsCheck) return nsCheck;
+
+  const args = ['get', 'values', releaseName, '-n', namespace!, '--output', 'json'];
+  if (all) {
+    args.push('--all');
+  }
+
+  const result = await runHelm(args, contextName);
+
+  if (result.code !== 0) {
+    console.error(`[Helm] get values ${releaseName} failed: ${result.stderr}`);
+    return NextResponse.json(
+      { error: result.stderr || `Failed to get values for release "${releaseName}"` },
+      { status: 500 }
+    );
+  }
+
+  try {
+    // helm get values may return "null" for releases with no custom values
+    const trimmed = result.stdout.trim();
+    const values = trimmed && trimmed !== 'null' ? JSON.parse(trimmed) : {};
+    return NextResponse.json({ values });
+  } catch {
+    return NextResponse.json(
+      { error: 'Failed to parse Helm output' },
+      { status: 500 }
+    );
+  }
+}

package/src/app/api/clusters/[clusterId]/helm/releases/route.ts

@@ -0,0 +1,39 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { runHelm } from '@/lib/helm/helm-runner';
+import { requireHelm, parseHelmJson } from '@/lib/helm/helpers';
+
+export const dynamic = 'force-dynamic';
+
+interface RouteParams {
+  params: Promise<{ clusterId: string }>;
+}
+
+export async function GET(req: NextRequest, { params }: RouteParams) {
+  const helmCheck = requireHelm();
+  if (helmCheck) return helmCheck;
+
+  const { clusterId } = await params;
+  const contextName = decodeURIComponent(clusterId);
+  const { searchParams } = new URL(req.url);
+  const namespace = searchParams.get('namespace');
+
+  const args = ['list', '--output', 'json'];
+  if (namespace) {
+    args.push('-n', namespace);
+  } else {
+    args.push('-A');
+  }
+
+  const result = await runHelm(args, contextName);
+
+  if (result.code !== 0) {
+    console.error(`[Helm] list releases failed: ${result.stderr}`);
+    return NextResponse.json(
+      { error: result.stderr || 'Failed to list Helm releases' },
+      { status: 500 }
+    );
+  }
+
+  const releases = parseHelmJson(result.stdout) ?? [];
+  return NextResponse.json({ releases });
+}