91ca7531ff
993 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
github-actions[bot]
|
91ca7531ff |
deploy: update catalyst images to 3cc24be
|
||
|
e3mrah
|
3cc24beff6
|
fix(rbac): add cutover-driver permissions for wgpolicyk8s + events.k8s.io (#1173)
* fix(build): unblock Build & Deploy Catalyst — Containerfile + test typing
The Build & Deploy Catalyst workflow has been failing on every PR since
EPIC-2 Slice I (#1152) merged. Two real bugs caught after the founder
flagged that no images had been built or deployed:
1. catalyst-api Containerfile: the replace directive added by slice I
(`replace github.com/openova-io/openova/core/controllers => ../../../../core/controllers`)
resolves to /core/controllers when WORKDIR=/app. The Containerfile only
copied products/catalyst/bootstrap/api/go.{mod,sum}, not the controllers
tree, so `go mod download` failed with "no such file or directory" on
/core/controllers/go.mod. Fix: COPY the controllers tree BEFORE go mod.
2. SessionsPage.test.tsx (slice X2+E #1169): vi.fn(async () => SEED) infers
parameter tuple as `[]`, so `lastCall[1]` was a TS2493 type error
("Tuple type '[]' of length '0' has no element at index '1'"). Cast
lastCall to the actual listSessions signature.
Per canon §7 + the founder's "you are the merger" rule, this is the kind
of CI-pipeline regression that MUST be caught BEFORE claiming slice
completion.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* fix(rbac): add cutover-driver permissions for wgpolicyk8s + events.k8s.io
Caught live on omantel during qa-loop setup after image_roll(
|
||
|
github-actions[bot]
|
3b8734f27f |
deploy: update catalyst images to da1d3d1
|
||
|
e3mrah
|
da1d3d1ffa
|
fix(build): unblock Build & Deploy Catalyst — Containerfile + test typing (#1172)
* fix(build): unblock Build & Deploy Catalyst — Containerfile + test typing The Build & Deploy Catalyst workflow has been failing on every PR since EPIC-2 Slice I (#1152) merged. Two real bugs caught after the founder flagged that no images had been built or deployed: 1. catalyst-api Containerfile: the replace directive added by slice I (`replace github.com/openova-io/openova/core/controllers => ../../../../core/controllers`) resolves to /core/controllers when WORKDIR=/app. The Containerfile only copied products/catalyst/bootstrap/api/go.{mod,sum}, not the controllers tree, so `go mod download` failed with "no such file or directory" on /core/controllers/go.mod. Fix: COPY the controllers tree BEFORE go mod. 2. SessionsPage.test.tsx (slice X2+E #1169): vi.fn(async () => SEED) infers parameter tuple as `[]`, so `lastCall[1]` was a TS2493 type error ("Tuple type '[]' of length '0' has no element at index '1'"). Cast lastCall to the actual listSessions signature. Per canon §7 + the founder's "you are the merger" rule, this is the kind of CI-pipeline regression that MUST be caught BEFORE claiming slice completion. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * deploy: update catalyst images to 7235431 --------- Co-authored-by: hatiyildiz <hati.yildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> |
||
|
e3mrah
|
2c32fde847
|
feat(epic-5): NetBird mesh + ClusterMesh activator + DMZ vCluster scaffolds (#1100) (#1171)
Closes the EPIC-5 leftovers (per .claude/architect-briefs/epic-5/00-master-brief-leftovers.md): * NB — bp-netbird platform Blueprint chart (default-OFF, SHA-pinned, fail-fast). Renders 12 resources ON: 3 Deployments (management + signal + coturn) + 3 Services + 1 PVC + 1 HTTPRoute + 1 NetworkPolicy + 2 SealedSecrets + 1 ConfigMap. KC realm-config ConfigMap mirrors the Guacamole pattern from slice K+P+X1+G #1164 — adds `netbird` OIDC client + `netbird-user` / `netbird-admin` realm roles + `netbird-users` / `netbird-admins` groups. * CM — ClusterMesh activator slice on the existing Cilium chart. ADDs platform/cilium/chart/values-clustermesh.yaml (operator-applied values overlay) + templates/clustermesh-config.yaml (renders the catalyst-clustermesh-config ConfigMap when cluster.name + cluster.id are set per-Sovereign). Operator runbook for `cilium clustermesh enable` + `cilium clustermesh connect` documented inline. Default Cilium chart render is unchanged — this slice is purely additive + opt-in. * DMZ — bp-dmz-vcluster product Blueprint chart (default-OFF, SHA-pinned, fail-fast). Renders 4 resources ON without hostname (HelmRelease wrapping upstream loft-sh/vcluster + Service + 2 NetworkPolicies); 5 resources with HTTPRoute hostname. Isolation pattern: own openova-system namespace inside host cluster → own Cilium identity → default-deny + allow-essentials NetworkPolicies → public egress only via designated egress gateway. All 3 charts: helm lint clean. Tests at chart/tests/render.sh + chart/tests/clustermesh-overlay.sh. Pre-existing CI flakes per canon §7 remain — they're not introduced by this slice. Co-authored-by: hatiyildiz <hati.yildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
e3mrah
|
9763286900
|
feat(z): cross-EPIC follow-ups — lastLuaRecord + fleet alerts + edit-pr (#1095/#1096/#1099/#1101) (#1170)
Slice Z bundles three small flags surfaced during EPIC-1..6 implementation
into one PR; each is <50 LOC, none blocks shipping individually.
Z1 — K-Cont-2: surface status.lastLuaRecord after PDM commit
- Continuum reconciler's runSwitchover wraps PDMCommit so a successful
/v1/lua/commit patches Continuum.status.lastLuaRecord with the
records-array shape U-DR-1's LuaRecordView already parses (records[].body).
- status.lastLuaRecordAt stamped server-side (RFC3339); rollbacks
re-track to rolled-back records ("status reflects what PDM has").
- CRD extended: explicit status.lastLuaRecord (records[].{hostname,body,
ttl,primaryRegion}) + status.lastLuaRecordAt fields. Server-side
apply confirmed.
Z2 — EPIC-1 score aggregator → U-Fleet alerts count
- ComplianceHandler.SovereignAlertCount(clusterID) — len(violationsFor(
clusterID, "")) with nil-tolerant receiver. Returns the per-cluster
failing (resource, policy) pair count from the existing aggregator.
- summarizeSovereign() reads it instead of returning the alerts: 0
placeholder. h.compliance unwired → 0 (dashboard stays green when
the aggregator isn't wired).
Z3 — Gitea PR write seam for YamlEditor flux-managed branch
- gitea.Client.CreatePullRequest + findOpenPR: typed PullRequest shape,
409 race re-fetches existing PR (mirrors EnsureRepo pattern). Repo
404 → ErrRepoNotFound.
- gitea.Client.EnsureBranch promoted to GiteaBlueprintClient interface
(was already on Client).
- POST /api/v1/sovereigns/{id}/blueprints/edit-pr — body {org, path,
content, message, title}. Auth: applicationInstallCallerAuthorized
(tier-admin or higher), mirrors /publish. Branch name deterministic
per (path, content-hash) — same edit re-targets the same PR via 409
fallback. EnsureBranch + PutFile + CreatePullRequest against
<org>/shared-blueprints. 503 when Gitea unwired; 400 on bad input;
404 when repo missing.
- UI: editPRBlueprint in catalog.api.ts. YamlEditor's flux Apply
branch posts to /blueprints/edit-pr → renders prURL link
([data-testid=yaml-editor-pr-link]). Org slug derived from
catalyst.openova.io/organization label with namespace fallback.
Tests
- Z1: TestRunSwitchover_PatchesLastLuaRecord +
TestPatchStatus_LuaRecordOnlyOnNonNil +
TestLuaRecordStatusValue_NilOnEmpty.
- Z2: TestCompliance_SovereignAlertCount (real aggregator + 3
violations + nil-receiver guard) +
TestHandleFleetSovereignSummary_AlertsFromCompliance (200 with seeded
state) + TestHandleFleetSovereignSummary_AlertsZeroWhenComplianceNil.
- Z3: TestCreatePullRequest_HappyPath + RejectsMissingArgs +
RepoNotFound + 409ReFetchesExisting (gitea client) +
TestHandleBlueprintEditPR_OpensPR + DeterministicBranchPerContent +
403WhenNotTierAdmin + 503WhenGiteaUnwired + 404WhenRepoMissing +
BadRequest + TestEditPRBranchName_DeterministicAndPathSensitive
(handler) + YamlEditor vitest "flux Apply opens PR" + "surfaces
server error" (UI).
go test -count=1 -race ./... clean across core/controllers + catalyst-api;
go vet ./... clean; npm run typecheck clean for changed UI files
(SessionsPage.test.tsx pre-existing tsc error from #1169 per canon §7).
CRD applies via kubectl apply --dry-run=server.
Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
e3mrah
|
7b59292cad
|
feat(catalyst-ui): X2+E — xterm.js logs viewer + Guacamole exec + session list + replay (slice X2+E1+E2+E3, #1099) (#1169)
EPIC-4 final slice. Replaces the Logs/Exec placeholders shipped by R (#1167) with target-state implementations and lays the surface for the Guacamole-fronted recorded shell flow. UI (catalyst-ui): - widgets/cloud-list/LogViewer.tsx — xterm.js viewer for the X1 Pod-log WebSocket. Container picker (multi-container Pods), search box (⌃F / ⌘F), 10k scrollback, reconnect-with-since on disconnect (per X1 resume protocol). - widgets/cloud-list/ExecPanel.tsx — Open Shell button → POST /k8s/exec/.../session → Guacamole iframe. 5s iframe-load timeout OR onError → falls through to xterm.js + X1-style fallback WebSocket; banner explains "recording disabled" on fallback. - pages/sovereign/sessions/SessionsPage.tsx — guacamole session list + filter (pod/user) + paginate + Replay modal. Mounted on both /provision/$id/sessions (mothership) and /sessions (chroot). - pages/sovereign/cloud-list/ResourceDetailPage.tsx — Logs tab now renders LogViewer; Exec tab now renders ExecPanel. Non-Pod kinds surface a "drill into Tree to find Pods" hint. - resource.api.ts — adds logsWebSocketURL + execWebSocketURL + createExecSession + listSessions + getSessionReplay helpers (single URL truth per INVIOLABLE-PRINCIPLES #4). API (catalyst-api): - internal/handler/k8s_exec.go — three new endpoints: POST /api/v1/sovereigns/{id}/k8s/exec/{ns}/{pod}/{container}/session (tier-developer or higher; calls GuacamoleClient.CreateSession; emits guacamole-session-opened audit) GET /api/v1/sovereigns/{id}/sessions?from=&to=&pod=&user=&page= (tier-admin or higher; paginated; reads from GuacamoleClient OR in-memory fallback when no client is wired) GET /api/v1/sovereigns/{id}/sessions/{sessionId}/replay (admin/owner only — sessions.playback per EPIC-3 §6.2; emits guacamole-session-replayed audit) - internal/handler/k8s_exec_ws.go — direct WebSocket exec fallback (bidi pump; xterm.js client) for when Guacamole iframe is blocked. - GuacamoleClient interface + in-memory fallback session store: the chroot Sovereign / CI flow renders cleanly even when Guacamole isn't deployed; production wires the real client via SetGuacamoleClient. - Audit-type predicate IsGuacamoleAuditType + 3 canonical type names (guacamole-session-opened/closed/replayed). Reuses the EPIC-3 U5-U8 audit Bus + the slice K+P+X1+G's reservation per the canonical seam map; future audit consumers filter via prefix `guacamole-*`. Tests: - 9 LogViewer / ExecPanel / SessionsPage vitest test files, 38 tests passing in `pages/sovereign/cloud-list/` + `widgets/cloud-list/` + `pages/sovereign/sessions/`. - 22 Go test functions in k8s_exec_test.go + k8s_exec_ws_test.go covering happy/forbidden/not-found/audit-emit/pagination/filter paths. `go test -count=1 -race ./internal/handler/` clean. - 6 Playwright snapshot tests at 1440x900 in `e2e/logs-exec-sessions.spec.ts` covering LogViewer / search box / ExecPanel idle / ExecPanel post-click / SessionsPage list / filter. `npm run typecheck` clean. `go vet ./...` clean. Pre-existing UI test failures (12 files, 99 tests) confirmed identical to main per canon §7. Co-authored-by: hatiyildiz <hati.yildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
e3mrah
|
21810a3760
|
feat(catalyst-ui): R — resource browser drill-down + tree + YAML editor + events + metrics + actions (slice R, #1099) (#1167)
EPIC-4 Slice R bundle layered on the K+P+X1+G backend (#1164): - R1 ResourceDetailPage with 7 tabs (Overview / YAML / Logs / Exec / Events / Metrics / Tree); routes mounted on both mothership (/provision/$id/cloud/resource/...) and chroot (/cloud/resource/...) trees. - R2 ResourceTree widget with owner-walk UP and selector-walk DOWN, server-side at /k8s/{kind}/{ns}/{name}/tree using new k8scache GetResourcesByOwner + GetResourcesBySelector indexer-only paths. - R3 YamlEditor with side-by-side diff, dry-run validation, flux-vs-manual branching (manual → /apply, flux → PR seam wired for the unified Gitea client). - R4 EventsPanel filtering events.k8s.io/v1 Events by regarding-object; new "event" kind added to k8scache DefaultKinds. - R5 MetricsPanel with Recharts sparkline; rolls up PodMetrics across owned Pods for Deployment/StatefulSet/DaemonSet. - R6 ResourceActions widget: scale (Deployment/StatefulSet), restart (annotation stamp), delete (typed-confirmation gate). All mutation endpoints tier-admin gated server-side via the canonical applicationInstallCallerAuthorized seam — UI hide is convenience only. K8sListPage rows are now clickable and navigate to the detail page. 7 server-side endpoints added under /api/v1/sovereigns/{id}/k8s/{kind}/{ns}/{name}: GET, /tree, /scale, /restart, /dry-run, /apply, DELETE — plus /k8s/metrics/{kind}/{ns}/{name}. New k8scache.Factory accessors: DynamicClientFor + RedactForKind. Same lifecycle as CoreClient — no second per-cluster pool. Tests: 37 new vitest cases (ResourceTree / YamlEditor / EventsPanel / MetricsPanel / ResourceActions / ResourceDetailPage / resource.api) all passing. 12 new Go test funcs covering GET / scale / restart / delete / dry-run / apply / tree / metrics + tree.go owner+selector walks. 8 Playwright snapshots at 1440x900 (one per tab + list-row entry). Pre-existing baselines untouched: 59 lint errors (matches main); 12 vitest test files / 98 vitest tests still failing on main (StepComponents + cosmetic-guards + AppDetail), zero introduced by this slice; pre-existing TestGetKubeconfig_ReadsFromPathPointer TempDir-cleanup race observed only with -race + parallel run, passes in isolation. Co-authored-by: hatiyildiz <hati.yildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
e3mrah
|
fec95a1867
|
feat(catalyst-ui): U-Fleet — multi-Sovereign fleet view (replace mock dashboard) (slice U-Fleet-1+2+3, #1101) (#1163)
Replaces the mock-data DashboardPage with a live multi-Sovereign
aggregator backed by three new catalyst-api endpoints:
GET /api/v1/fleet/sovereigns
GET /api/v1/fleet/sovereigns/{id}/summary
GET /api/v1/fleet/applications?org=&topology=&drPosture=
Per ADR-0001 §2.7 (K8s-native) the server reads each Sovereign's
Application + Continuum + Organization CRs LIVE — no separate fleet
DB. Per INVIOLABLE-PRINCIPLES #5 the per-tier visibility gate is
centralised in fleetCallerVisibility() (reserved seam).
UI:
- DashboardPage rebuilt around useFleet() — responsive Sovereign-card
grid + empty state + error state + retry
- SovereignCard widget with self-fetched per-Sov rollup
(TanStack Query dedups parent fetches)
- CrossSovereignView page: Application × Sovereign × Region × Topology
× DR posture table with org / topology / DR-posture filters
- Each row click → chroot console URL via sovereignChrootURL helper
Backend:
- internal/handler/fleet.go: 3 read-only endpoints, 4s per-Sov
timeout so a slow Sovereign never stalls the dashboard
- DR posture matrix: continuum present + healthy → "DR active",
continuum failed → "DR alert", active-hotstandby with no
continuum → "Misconfigured", else → "—"
- alerts count placeholder = 0 (EPIC-1 score-aggregator integration
follow-up; wire shape reserved)
- Pagination: ≤50 Sovereigns per page, 25 default
Tests:
- Go: 15 tests covering happy / pagination / adopted-excluded /
org+topology+drPosture filters / 400 + 404 paths / DR posture
matrix / health derivation
- Vitest: 20 tests across useFleet hook (REST + filters + errors),
SovereignCard widget (render + click + keyboard), CrossSovereignView
(table + filters + empty)
- Playwright: 5 specs at 1440x900 (3-card grid / empty state /
cross-Sov table / card-click chroot navigate / DR posture badges)
Pre-existing failures (per implementer-canon §7) unchanged: 98 vitest
StepComponents + AppDetail; cosmetic-guards Playwright; SME demo
Playwright. None introduced by this slice.
Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
e3mrah
|
639b94fe55
|
feat(epic-4): K+P+X1+G — k8s-ws-proxy + projector + WebSocket logs + Guacamole chart (#1099) (#1164)
EPIC-4 Slice K+P+X1+G — bundled backend infrastructure for the
"k9s-on-web" Cloud Resources experience:
K1 — core/cmd/k8s-ws-proxy/ — per-node WebSocket exec proxy.
HMAC-signed (X-Catalyst-HMAC: SHA256({timestamp}:{path})) WebSocket
upgrades on /proxy/exec/{ns}/{pod}/{container} bridged to the local
kube-apiserver via in-cluster ServiceAccount. v4.channel.k8s.io
subprotocol echo. Optional TMUX_CASCADE wraps in a shared
catalyst-ops tmux session. Shipped as a DaemonSet + Service with
internalTrafficPolicy=Local in platform/k8s-ws-proxy/chart/.
P1 — core/cmd/projector/ — NATS catalyst.events JetStream → Valkey
KV projector. Canonical key shape:
cluster:{cluster-id}:kind:{kind}:{namespace}/{name}
Cold-start does a full LIST across DefaultKinds, then catches up on
the 24h replay window. Multi-replica safe (durable consumer queue
group, last-write-wins on namespacedName). Shipped as a default-OFF
Deployment + RBAC under products/catalyst/chart/templates/services/projector/.
X1 — products/catalyst/bootstrap/api/internal/handler/k8s_logs.go —
WebSocket Pod-log streaming endpoint:
GET /api/v1/sovereigns/{id}/k8s/logs/{ns}/{pod}/{container}
?follow&tailLines&since=<rfc3339>&previous
Reads from kubelet via client-go GetLogs().Stream(); each WS frame =
one log line. Supports `since` resume. Reuses RequireSession middleware
+ chroot cluster-id resolver. New k8scache.Factory.CoreClient(id)
accessor exposes the per-cluster typed client without duplicating
kubeconfig parsing.
G1 — platform/guacamole/chart/ — full Apache Guacamole chart:
guacd Deployment + Service, Tomcat webapp Deployment + Service,
Cilium Gateway HTTPRoute, SeaweedFS-PVC for recordings (RWO,
hcloud-volumes), SealedSecret placeholder for Keycloak OIDC client
secret, NetworkPolicy (default-deny + selective egress to KC +
k8s-ws-proxy + SeaweedFS + NATS), and ConfigMap consumed by
keycloak-config-cli post-deploy Job (mirrors platform/keycloak
realm-config pattern). Default-OFF gate; full-ON renders 9
resources. Empty image.tag / hostname / oidc.issuer fail-fast at
helm template time per INVIOLABLE-PRINCIPLES #4a/#5. ONE Guacamole
per Sovereign per ADR-0001 §11. Blueprint manifest uses
v1alpha1 + version "0.1.0" + upgrades.from ["0.x"].
Tests:
- k8s-ws-proxy: HMAC happy/expired-old/expired-future/malformed/
bad-signature, path-only signature, WS upgrade + protocol echo,
bad path, bad HMAC, denied namespace via httptest.
- projector: Apply ADD/MOD/DEL/validation, key shape (ns-scoped +
cluster-scoped), handleOne ack/nak/term routing with fakeMsg,
cold-start LIST + project + error continuation via dynamicfake.
- X1: parseLogOptions defaults + edge cases + bad query params,
503/404/400 paths + full WS happy-path with kfake clientset.
- G1: chart/tests/render.sh — default-OFF=0, empty-tag fail-fast,
full-ON=9 resources, every required kind present, realm-config
wires OIDC client.
- bp-k8s-ws-proxy chart: chart/tests/render.sh — default-OFF=0,
empty-tag fail-fast, full-ON=5 resources.
Pre-existing test status: TestPinIssue and TestBootstrapKit/gitea
remain flaky on main per canon §7 — verified not introduced by
this slice.
Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
e3mrah
|
a14e8efba6
|
feat(catalyst-ui): Continuum DR UI — switchover button + status panel + history (slice U-DR-1, #1101) (#1162)
EPIC-6 Slice U-DR-1: extends the AppDetail Topology tab (slice T+O+P #1160) with a Disaster-Recovery section that surfaces when an Application's placement is `active-hotstandby`. UI (products/catalyst/bootstrap/ui) - new widgets/continuum/{DRSection,SwitchoverDialog,StatusPanel, SwitchoverHistory,FailbackPanel,LuaRecordView}.tsx — composable DR surface; SwitchoverDialog renders the 7-step list shipped by the K-Cont-2 Sequencer (`SWITCHOVER_STEPS` mirrors the controller's `name:` fields). - new lib/continuum.api.ts — typed REST client (getContinuum, requestSwitchover, requestFailback, approveFailback, listContinuumAudit, continuumAuditStreamURL) + lag-bucket helper. - pages/sovereign/AppDetail/TopologyTab.tsx — extended to render DRSection when currentMode === 'active-hotstandby'. - 31 vitest assertions across 5 test files (SwitchoverDialog, StatusPanel, SwitchoverHistory, FailbackPanel, DRSection). - 6 Playwright snapshots @1440x900 (e2e/continuum-dr-section.spec.ts). Server (products/catalyst/bootstrap/api) - new internal/handler/continuum.go (6 handlers + 1 GVR + 1 audit-type predicate IsContinuumAuditType matching the `continuum-*` prefix reserved by K-Cont-2): • GET /continuums/{name} — CR snapshot • POST /continuums/{name}/switchover — owner-tier; 202 • POST /continuums/{name}/failback — owner-tier; 202 • POST /continuums/{name}/failback/approve — sovereign-admin; 202 • GET /audit/continuum — paginated list • GET /audit/continuum/stream — SSE live tail - REUSES applicationInstallCallerAuthorized (owner+admin) and rbacRequireSovereignAdmin (admin+owner) for tier gating; REUSES audit.Bus from slice U5-U8 with continuum-* type predicate. - 13 unit tests covering 200/202/400/403/404/409/503 paths, audit-emit on switchover/failback/approve, type-prefix narrowing. - routes mounted in cmd/api/main.go. Architecture - ADR-0001 §2.7: handler patches Continuum CR; reconciler executes the 7-step Sequencer and emits NATS audit events. - ADR-0001 §3 (NATS): consumes `catalyst.audit` via shared in-process audit Bus; filter is prefix-based so future audit-type additions (slice F-1 may add 3 more) require zero handler-side change. - INVIOLABLE-PRINCIPLES #5: server-side tier enforcement (UI hide is UX convenience only); #4: every URL derives from API_BASE / env. Out of scope (untouched): K-Cont-2/3/4 reconciler+lease+CF Worker, C-DB-1 CNPG-pair Blueprint. K-Cont-2's existing 9 audit-types are consumed unchanged. Co-authored-by: hatiyildiz <hati.yildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
e3mrah
|
96f8b260c9
|
feat(continuum): F — dry-run report + post-switchover health check + audit-emit coverage (slice F-1+F-2+F-3, #1101) (#1161)
Slice F layers three concerns on top of K-Cont-2's reconciler +
sequencer:
F-1 — extend audit-emit coverage with three new audit-types:
- continuum-cr-created — fires once per CR observation
- continuum-config-changed — fires on switchover-relevant spec drift
- continuum-lease-collision — fires when Acquire returns
ErrLeaseHeldByAnother during the
opportunistic re-acquire path
Total reserved Continuum audit-types now 12 (was 9). Order is
K-Cont-2's 9 first, then F-1's 3 (additions at end so existing
index-pinned tests keep working). U-DR-1 subscribes by
audit-type=continuum-* so it receives the new types automatically.
F-2 — Sequencer.DryRun + DryRunReport struct + per-step
preconditions evaluator. Walks the same 7 steps Execute would run,
but read-only end-to-end (asserted by tests: zero audit emits, zero
state mutation). Per-step durations as exported constants. Plan
content fingerprint (16-hex SHA-256 prefix) for cache idempotency.
Blockers (FATAL) vs Warnings (advisory) so the UI can render the
report and disable [ Confirm Switchover ] when blockers present.
F-3 — Sequencer.PostSwitchoverHealth + HealthReport struct + 4
fixed-order checks (replicas-healthy, dns-probes, latency-normal,
audit-posted). Replicas check reads both halves of the cluster-pair
post-switchover (new-primary has replica.enabled=false; new-replica
has replica.enabled=true; both must be Ready=true). DNS check
fans out to multi-vantage resolvers (default 8.8.8.8 / 1.1.1.1 /
9.9.9.9) and asserts every (hostname × vantage) returns at least one
ToRegion IP. Latency check is permanently Deferred=true (Cilium
hubble metrics scrape is SRE follow-up). Audit check queries an
injected AuditTail (recorder in tests; NATS PullConsumer wiring is
follow-up — currently Deferred=true in production).
Controller chains PostSwitchoverHealth ~30s after every successful
switchover (HealthDelay; CONTINUUM_HEALTH_DELAY_SECONDS env). Result
written to Continuum CR status condition LastSwitchoverHealthy with
True/False/Unknown + one-line summary message.
Endpoints — small HTTP server in continuum-controller binary on
:8082 (CONTINUUM_API_ADDR env; empty disables):
- POST /v1/continuums/{ns}/{name}/dry-run → DryRunReport
- GET /v1/continuums/{ns}/{name}/health → HealthReport
- GET /healthz → ok
Auth — owner-tier gated per INVIOLABLE-PRINCIPLES #5:
X-Catalyst-Owner-Tier: true header (catalyst-api stamps it after JWT
validation) plus optional Authorization: Bearer <CONTINUUM_API_TOKEN>
for defence in depth. The /api/v1/sovereigns/{id}/... outer envelope
is the catalyst-api's responsibility (separate slice); the controller
exposes only the inner shape.
Chart — values.yaml + deployment.yaml + service.yaml extended with
continuum.api.{port,tokenSecretRef} and
continuum.health.postSwitchoverDelaySeconds. Service exposes new
api port (default 8082) so the catalyst-api proxy can reach it.
Tests — three-tier gate per implementer-canon §6:
- 53 unit tests across switchover (DryRun + Health + integration),
events (3 new types + roundtrip), api (server + auth + cache),
controller (4 new test groups for F-1 + F-3 chain).
- End-to-end integration test: DryRun → Execute → PostSwitchoverHealth
sequence (TestEndToEnd_DryRunThenSwitchoverThenHealth +
TestEndToEnd_DryRunBlockedSwitchoverNeverRuns).
- go test -count=1 -race ./... clean across all sibling controllers.
- go vet ./... clean.
K-Cont-2's sequencer surface was sufficient — this slice ADDED
DryRun + PostSwitchoverHealth methods without modifying the existing
Execute / RequestFailback / steps() implementations.
Out of scope (per slice F brief): WitnessClient interface changes,
CF Worker changes, U-DR-1 UI, 1M-row C-DB-3 acceptance test,
Cilium hubble latency metrics, NATS PullConsumer for audit-posted
health check (deferred).
Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
e3mrah
|
06939f6922
|
feat(catalyst-ui): Application detail tabs — topology editor + settings + upgrade + uninstall + Blueprint publishing (slice T+O+P, #1097) (#1160)
EPIC-2 Slice T+O+P (#1097) — bundles three slices into one PR per the master brief's "different files don't conflict" pattern from EPIC-3 U5-U8. Group T (topology editor): - TopologyTab + TopologyEditor widget (mode picker + region multi-select) - Live status panel reading Application.status.regions[] - Server: PUT /applications/{name} + POST /topology/preview - Destructive transition guard (active-active → single-region) with ?force=true confirmation gate Group O (Org self-service): - SettingsTab — REUSES InstallForm in edit mode - UpgradeDialog (preview → confirm) — REUSES the install-preview shape - UninstallDialog (typed-confirm → DELETE) - Server: PUT /applications/{name} (parameter + version) + DELETE /applications/{name} + POST /upgrade/preview?targetVersion= - Members tab REUSES MembersList from slice U5 (no new component) Group P (Blueprint publishing): - PublishPage — Org owner pushes Blueprint to <org>/shared-blueprints via the unified Gitea client (CC2 #1136) - CuratePage — sovereign-admin promotes a Blueprint into catalog-sovereign Org - Server: POST /blueprints/publish + POST /blueprints/curate + GET /blueprints/curatable - Auth: tier-admin for /publish, sovereign-admin for /curate AppDetail full tab set wired (target-state shape per INVIOLABLE-PRINCIPLES.md #1): Jobs / Dependencies / Topology / Resources (EPIC-4 stub) / Compliance / Logs (EPIC-4 stub) / Settings / Members. Architecture: ADR-0001 §2.7 — Application CR remains source of truth; PUT/DELETE patches/removes the CR and the application-controller (slice C4 #1133) reconciles. Preview endpoints REUSE the install-preview renderer (core/controllers/pkg/render) so "looks-good in preview" is byte-identical to the actual write. Blueprint publishing flows through Gitea per ADR-0001 §4.3. Tests: - 17 new server-side handler tests (PUT/DELETE/topology preview/ upgrade preview/publish/curate/list-curatable + validators) - 20 new vitest tests across TopologyEditor, UpgradeDialog, UninstallDialog, SettingsTab, PublishPage, CuratePage - 9 new Playwright E2E snapshots @ 1440x900 covering full tab nav, topology preview, settings flow, upgrade dialog, uninstall typed- confirm, publish page, curate page, members tab reuse - go test -race -count=1 ./internal/handler/... clean - go vet ./... clean - npm run typecheck clean - npm run lint matches main baseline (59 errors / 10 warnings — all pre-existing per canon §7) Pre-existing test failures observed (per canon §7 — UPDATED 2026-05-09): - 12 vitest test files / 98 tests fail on main and on this branch identically (StepComponents wizard cascade, MarketplaceSettings, PinInput6 — all pre-existing). Merge through. Co-authored-by: hatiyildiz <hati.yildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
e3mrah
|
7ca4abddd2
|
feat(continuum): K-Cont-4 — Cloudflare Worker source + tofu wiring for lease witness (#1101) (#1159)
* feat(continuum): K-Cont-4 — Cloudflare Worker source + tofu wiring for lease witness (#1101) Implements the server side of the Cloudflare KV lease-witness pattern that K-Cont-3's CFKVClient (in core/controllers/continuum/internal/ witness/cloudflarekv/) speaks to. The Worker fronts a Cloudflare Workers KV namespace with read-then-CAS-write semantics enforced via the If-Match header — exact contract per K-Cont-3 #1158 report (item d) and the canonical-seams "Cloudflare KV Worker contract" entry. Routes: GET /lease/<slot-url-encoded> → 200 + LeaseState | 404 | 401 PUT /lease/<slot> → 200 + LeaseState | 412 + state | 401 DELETE /lease/<slot> → 204 | 412 | 401 All 7 K-Cont-3 trap behaviors verified by 46 vitest tests: 1. If-Match: 0 = first-acquire-on-empty-slot 2. Generation increments unconditionally (incl. Release) 3. 412 includes current state body 4. TTL eviction is server-authoritative in stamping (Worker doesn't auto-evict — controller's IsHeldBy decides) 5. X-Holder mismatch on DELETE returns 412 (stale region can't evict new primary) 6. Bearer token validation against env-bound allow-list 7. Optional X-Lease-Slot header logged for KV granularity Files: products/continuum/cloudflare-worker/{package.json, tsconfig.json, wrangler.toml, vitest.config.ts, .eslintrc.cjs, .gitignore, DESIGN.md, src/{index,auth,kv,types}.ts, src/handlers/{get,put,delete}.ts, test/{handlers,contract,env.d}.ts} infra/cloudflare-worker-leases/{versions,variables,main,outputs}.tf + README.md .github/workflows/cloudflare-worker-leases-build.yaml (event-driven, NO cron — push-on-paths + PR + workflow_dispatch) Tests: 46/46 vitest pass (handlers 37 + contract 9). ESLint clean. tsc --noEmit clean. wrangler deploy --dry-run produces 9.47 KiB bundle. Per the brief: tofu module ships ready for operator action — no auto-deploy. Operator runbook in DESIGN.md §"Operator runbook — deploy a new Sovereign". Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * fix(continuum/cf-worker-tofu): K-Cont-4 — adopt CF v5 inline secret_text binding (was v4 separate resource) `tofu validate` failed on `cloudflare_workers_secret` — that resource was REMOVED in cloudflare/cloudflare v5 (it consolidated into the inline `bindings = [...]` array on `cloudflare_workers_script` with `type = "secret_text"`). Same security guarantee — encrypted at rest in CF, never visible via dashboard read API once written. `tofu fmt` also wanted versions.tf alignment + the .terraform.lock.hcl pinning the resolved cloudflare/cloudflare v5.19.1 (mirrors infra/hetzner/ which commits its lock file). Per Inviolable Principle #5 the bearer token value still flows from TF_VAR_bearer_tokens_csv extracted at apply time from a K8s SealedSecret — never inlined here. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: hatiyildiz <hati.yildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
e3mrah
|
c2b93e8165
|
feat(catalyst-ui): RBAC member views — App Members tab + Org Members + access matrix + audit trail (slice U5-U8, #1098) (#1157)
Adds the EPIC-3 #1098 RBAC member-view bundle on top of the U1-U4 multi-grant editor and slice A1+A2 endpoints: - U5: per-Application "Members" tab inside AppDetail (sibling-dir pattern from slice U), backed by A2 access-matrix filtered to the application. Inline tier-picker, Add modal with KCUserPicker. - U6: per-Organization Members page at /organizations/{orgId}/members (mothership + chroot routes). Reuses U5's MembersList component parameterized by scope kind. EPIC-2 Slice O Members page can fully reuse this surface. - U7: access-matrix at /rbac/matrix — Manara-style users × applications × tier grid sourced from A2. Per-cell tier pills with color coding, warning indicators for users surfacing A2 contract warnings, cell-click → editor modal pre-filled with the user × app combo, org + application dropdown filters. - U8: audit trail at /rbac/audit — REST baseline + SSE live tail backed by a new internal/audit.Bus (in-process ring buffer + SSE fan-out + optional NATS forwarder). Server-side endpoints GET /audit/rbac (paginated) + /audit/rbac/stream (SSE). Audit-emit on /rbac/assign: A1's handler now publishes rbac-grant-{created,updated} on every successful CR write, plus a sibling rbac-tier-changed event when the tier rotates. No-op re-grants do not emit. The Bus is nil-tolerant — when audit isn't wired the rbac_assign hot path is unchanged. Tests: - 9 audit Bus unit tests (ring eviction, SSE filter, concurrent publish) - 5 rbac_audit handler tests (list paging + filters, SSE handshake, audit-emit on /rbac/assign create/update/no-op) - 11 vitest tests for matrix-cell + audit-row + helpers - 6 Playwright snapshots at 1440x900: U5 list + U5 add modal + U6 org members + U7 matrix + U7 cell editor + U8 audit page Pre-existing flakes confirmed and merged through per canon §7 (TestPinIssue rate-limit + TestPutKubeconfig + 98 vitest in StepComponents + AppDetail.test). Co-authored-by: hatiyildiz <hati.yildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
e3mrah
|
ff2172ffda
|
feat(continuum): K-Cont-2 — reconciler with lease + CNPG status watch + 7-step switchover sequence + audit emit (#1101) (#1155)
Replaces K-Cont-1's no-op skeleton with the full per-Continuum-CR
reconcile loop:
- WitnessClient interface (Acquire/Renew/Release/Read) +
InMemoryClient stub for tests + DefaultSelector that returns
ErrNotImplemented for K-Cont-3 paths (cloudflare-kv, dns-quorum)
- Per-CR goroutine: 10s renew, 30s TTL; on ErrLeaseLost re-acquires;
goroutine cancelled on CR delete
- CNPG status reader (Cluster CRs via dynamic client + Unstructured),
cluster-pair lookup by labels catalyst.openova.io/cnpg-pair +
openova.io/cnpg-role
- 7-step switchover Sequencer (validate-lease → cordon-old →
drain-http → flip-dns → swap-lease → uncordon-new → audit-emit)
with per-step rollback hooks unwound in reverse order on failure
- Lua-record body synthesizer (pure function, byte-stable, golden-
file tests for fsn-primary + hel-promoted variants)
- PDM client posting lua-records to /v1/lua/commit with optional
X-Catalyst-Token auth
- NATS JetStream audit publisher emitting on subject catalyst.audit
with header audit-type; 9 reserved audit-type constants
- Failback handler with manual-approval-gate via
Sequencer.RequestFailback + FailbackOptions{ApprovalCh,Timeout}
- HTTPRoute drainer (dynamic client) flips backendRefs[].weight=0
for the old primary's region; falls back to drain-everything when
the <app>-<region> naming convention is broken
- Status writer: phase, primaryRegion, leaseHolder, leaseExpiresAt,
replicationLagSeconds, switchoverInProgress + Step,
lastSwitchover{Result,From,To,At}, conditions {LeaseHeld, Ready}
- RBAC chart extensions: clusters.postgresql.cnpg.io get/list/watch/
update/patch + /status get; httproutes.* update/patch added;
configmaps full + secrets get for K-Cont-3 wiring
Adds github.com/nats-io/nats.go v1.37.0 to core/controllers/go.mod
(matches existing core/services/shared/events use).
Pre-existing CI failures confirmed on main + merged-through per
canon §7: TestPinIssue + TestBootstrapKit/gitea + (new since C-DB-1
#1153) TestValidate_ExistingBlueprintCorpus blueprint.yaml semver
range "bp-cnpg:1.x" — out-of-scope for K-Cont-2.
Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
e3mrah
|
d911e28329
|
feat(catalyst-ui): RBAC management UI — multi-grant editor + KC user picker + group/role browsers (slice U1-U4, #1098) (#1154)
Replaces the legacy single-grant UserAccess editor with the EPIC-3
multi-grant editor backed by /rbac/assign (slice A1) and adds three
new sovereign-admin surfaces:
• U1 — MultiGrantEditPage (tier picker + scope chips + KC user picker → POST /rbac/assign)
• U2 — KCUserPicker widget (300ms-debounced type-ahead, federated-IdP badging)
• U3 — GroupBrowserPage (KC group tree + create/delete/attribute-edit, sovereign-admin only)
• U4 — RoleBrowserPage (realm-roles list + members panel + per-OIDC-client roles, sovereign-admin only)
Backend additions:
• internal/handler/keycloak_proxy.go — 8 new endpoints under /api/v1/sovereigns/{id}/keycloak/*
proxying to the Sovereign realm's KC Admin API via the existing h.kc seam.
Authorization: U2 reuses /rbac/assign's tier-admin gate; U3 + U4 use the
stricter sovereign-admin gate (admin or owner only) per INVIOLABLE-PRINCIPLES #5.
• internal/keycloak/admin_users.go — SearchUsers + ListRealmRoleMembers + ListClientRoles
methods on *keycloak.Client with the canonical FederationLink field on User.
Architecture:
• Reuses every canonical seam in the Frontend Compliance UI patterns map
(authedFetch, TanStack Query baseline, no Zustand, render-callback for
treemap-style components). The auto-injected `developer → env-type=dev`
scope is surfaced inline in the form so the operator sees what the
controller will add.
• Scope-key vocabulary validated against NAMING-CONVENTION.md §6 via
pure-function validateScopeKey (per INVIOLABLE-PRINCIPLES #4 — never
invent label keys). Tier action sets pinned to a frozen table mirroring
EPICS-1-6-unified-design.md §6.2.
• New chroot routes /rbac/{grant,groups,roles} mirror the /provision/$id
counterparts so the chroot Sovereign Console reaches the same surface.
Tests:
• Go: 27 new unit tests covering happy paths, 403 auth gates, federation
mapping, limit clamping, 404 paths, plus admin_users HTTP roundtrips.
`go test -count=1 -race ./internal/handler ./internal/keycloak` clean
against this slice's surface; pre-existing TestPinIssue rate-limit
flake stays per canon §7.
• UI vitest: 34 new tests covering tier vocabulary, scope validators,
multi-grant reducer + form validator, role-helpers, KCUserPicker DOM
interactions. Lint baseline matches main (59 errors / 10 warnings,
no new violations).
• Playwright E2E: 7 new specs producing 7 1440x900 snapshots
(rbac-u1/u2/u3/u4-*.png) — all green against a mocked catalyst-api.
Round-trip behavior with /rbac/assign:
• applied=created → green toast "Granted <tier> to <user>"
• applied=updated → green toast "Updated <user>'s grant"
• applied=no-op → green toast "Already granted — no change"
Per `feedback_per_issue_playwright_verification.md` — six per-page
snapshots delivered, never collapsed.
Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
e3mrah
|
d5284d7289
|
feat(catalyst-ui): live install flow — useCatalog + InstallForm + /applications + preview (slice I, #1097) (#1152)
EPIC-2 Slice I: replaces the static applicationCatalog stub with a live install flow driven by catalyst-catalog (slice L, #1148). UI: - src/lib/catalog.api.ts — typed REST client to catalyst-api proxy. - src/lib/useCatalog.ts — TanStack Query hooks (list, item, version, versions). Mirrors the slice U useComplianceStream pattern (REST baseline; no Zustand). - src/widgets/install/InstallForm.tsx — auto-form generator backed by @rjsf/core + @rjsf/validator-ajv8. Honors x-catalyst-ui-hint extensions per BLUEPRINT-AUTHORING.md §4: password (masked input), domain-picker, application-ref, secret-ref. Unknown hints fall back to the default RJSF widget. - src/widgets/install/installFormSchema.ts — pure helpers (buildUiSchema, extractConfigSchema) lifted out so the component module exports only components (react-refresh/only-export-components). - src/pages/sovereign/InstallPage.tsx — catalog grid → form → submit with preview button + status modal. - Routes: /provision/$deploymentId/install (mothership tree) and /install (chroot consoleLayoutRoute), each with a $blueprintName variant for deep-linking. Server (catalyst-api): - internal/handler/catalog_client.go — narrow REST client to catalyst-catalog. CATALYST_CATALOG_URL is env-overridable (INVIOLABLE-PRINCIPLES #4); defaults to the in-cluster service FQDN. - internal/handler/applications.go — POST /applications creates the Application CR per ADR-0001 §2.7. Validates parameters against Blueprint.spec.configSchema using core/controllers/pkg/validate (santhosh-tekuri/jsonschema/v5). 201/400/403/404/409/503 surface the canonical error vocabulary the UI status modal renders. - internal/handler/applications_preview.go — POST .../preview renders manifests via core/controllers/pkg/render. Pure simulation (no CR write, no Gitea commit). Response shape is forward-compatible with EPIC-2 T topology preview. - GET .../applications/{name}/status (snapshot) and .../stream (SSE). - Route registration in cmd/api/main.go; catalogClient wired from env unconditionally (handlers surface 502/503 with detail when upstream fails). - internal/handler/applications_test.go — 9 paths: 201 happy, 400 invalid params (configSchema), 400 missing field, 403 unauthorized, 404 unknown blueprint, 409 duplicate, 503 unwired catalog, 502 upstream error, status 200/404, preview 200/400. Promoted packages (per slice L's pattern with the Gitea client): - core/controllers/internal/render → core/controllers/pkg/render. - core/controllers/application/internal/validate → core/controllers/pkg/validate. - products/catalyst/bootstrap/api/go.mod adds a `replace` directive pinning to the in-tree controllers module so the renderer the preview emits is byte-identical to the one application-controller ships at install time. Tests: - Vitest: 5 useCatalog tests, 11 InstallForm tests (16 passed). - Playwright (5 snapshots @ 1440x900): I1 catalog grid, I2 form + password mask, I3 submit + status modal, I4 preview modal, I5 install-with-defaults branch. - go test -count=1 -race ./... clean across both modules. Per per-issue-Playwright-verification rule: 5 snapshots in playwright-report/install-i{1..5}-*.png, one per issue surface. Co-authored-by: hatiyildiz <269457768+hatiyildiz@users.noreply.github.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
e3mrah
|
ddbe44918f
|
feat(continuum): K-Cont-1 — Continuum product skeleton (chart + binary + GHA workflow, no reconcile yet) (#1101) (#1151)
Slice K-Cont-1 of EPIC-6 (#1101) ships the Continuum product skeleton: - core/controllers/continuum/{cmd,internal/{controller,events}} - cmd/main.go — controller-runtime Manager bootstrap; leader election; /healthz, /readyz, /metrics endpoints; env-only config per INVIOLABLE-PRINCIPLES #4 - internal/controller — ContinuumReconciler with no-op Reconcile() (K-Cont-2 fills the body); SetupWithManager() watches Continuum CRs via unstructured.Unstructured per ADR-0001 §2.7 (no controller-gen) - internal/events — placeholder package documenting K-Cont-2's NATS audit-event-type list - Containerfile — multi-stage Go build → alpine:3.20 runtime, UID 65534 - products/continuum/chart/ — full Helm chart shape (default-OFF): - Chart.yaml + values.yaml (continuum.enabled: false; image.tag empty; fail-fast on empty tag at render time) - templates/{_helpers.tpl, deployment, service, serviceaccount, rbac, networkpolicy}.yaml - blueprint.yaml — OpenOva Blueprint manifest with configSchema + placementSchema (single-region: management cluster) + depends: bp-cnpg-pair + bp-powerdns - crds/README.md — pointer to the canonical Continuum CRD shipped in products/catalyst/chart/crds/continuum.yaml (B8 #1110); not duplicated - products/continuum/DESIGN.md — chart-vs-binary split decision (Option A: binary in shared core/controllers/ module per CC1 #1135), K-Cont-2 fill list, K-Cont-3 lease witness API contract sketch - .github/workflows/build-continuum-controller.yaml — event-driven CI (NO cron) with go vet + go test -race + helm template ON/OFF resource count gates + fail-fast verification + GHCR build & push (cosign keyless signed) + repository_dispatch for chart-bump fan-out helm template verification: - continuum.enabled=false → 0 resources (default OFF) - continuum.enabled=true + image.tag=ci-test → 6 resources (ServiceAccount, ClusterRole, ClusterRoleBinding, Deployment, Service, NetworkPolicy) - continuum.enabled=true + empty image.tag → render fails per #4a go vet ./continuum/... → clean. go test -count=1 -race → all green. Out of scope (per the K-Cont-1 brief): - Reconcile body — K-Cont-2 - Lease witness implementations — K-Cont-3 - Cloudflare Worker source — K-Cont-4 - bp-cnpg-pair Blueprint — C-DB-1 Co-authored-by: hatiyildiz <hati.yildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
github-actions[bot]
|
6f530189ee |
deploy: update catalyst images to 82ec096
|
||
|
e3mrah
|
82ec096f4d
|
feat(rbac): Keycloak Identity Provider CRUD + Org-controller federation wire-up (slice F1+F2, #1098) (#1150)
Slice F of EPIC-3: per-Organization Azure SSO / Okta / generic-OIDC
federation reconciled into the per-Sovereign Keycloak realm.
F1 — catalyst-api keycloak client extension:
products/catalyst/bootstrap/api/internal/keycloak/admin_idp.go
- IdentityProvider + IdentityProviderMapper struct types
- GET/POST/PUT/DELETE on /identity-provider/instances/{alias}
- GET/POST/PUT on /identity-provider/instances/{alias}/mappers
- EnsureIdentityProvider — find-or-create + drift-correct via byte-equal
short-circuit on the catalyst-tracked field set; idempotent re-runs
- EnsureIdentityProviderMapper — same idempotency anchor by mapper Name
- 409 race path re-finds and reconciles drift after the sibling create
- Drift detection ignores unknown server-side Config keys (Keycloak
defaults like pkceEnabled) so we don't fight the admin UI
- 9 unit tests covering clean-create / steady-state-no-write /
drift-PUT / 409-race / not-found / list / mapper variants
F2 — organization-controller Reconcile extension:
core/controllers/organization/internal/controller/
- KeycloakClient interface gains EnsureIdentityProvider /
EnsureIdentityProviderMapper / DeleteIdentityProvider
- LiveKeycloak implementation mirrors the F1 admin_idp.go pattern
(no cross-module Go dep on catalyst-api — out-of-process callers
re-implement the narrow surface, like cert-manager-dynadot-webhook)
- Reconciler resolves clientSecretRef from a K8s Secret in the
controller's namespace (default catalyst-controllers) and passes
the value to Keycloak in-memory only (Inviolable Principle #5)
- Federation alias is deterministic: <provider>-<slug> (e.g.
azure-sso-acme) so two Orgs federating to the same upstream IdP
stay isolated
- Empty-federation path best-effort deletes any stray IdP under any
of the supported provider aliases
- Two new status conditions surfaced on every reconcile so the
access-matrix UI can render the federation column unconditionally:
IdentityProviderConfigured (True/AzureSSOConfigured|OktaConfigured|OIDCConfigured
or False/NoFederation|SecretMissing|KCUnreachable)
IdentityProviderClaimMappersConfigured
- 5 new unit tests: AzureSSO happy-path / Secret-missing requeue /
federation idempotent / cleanup-on-drop / Okta provider
- Existing TestReconcile_HappyPath updated for 3-condition assertion
CRD extension — products/catalyst/chart/crds/organization.yaml:
spec.identity.federationConfig already had {issuer, clientId,
clientSecretRef}; this PR adds {tenantId, authorizationUrl, tokenUrl,
jwksUrl, claimMappers[{src,dest}]}. No oneOf branches, no default
inside arrays — passes structural-schema admission. Sample fixture
(organization-sample-valid.yaml) extended.
RBAC — chart + kubebuilder source:
Adds secrets:get/list/watch to organization-controller ClusterRole
so the reconciler can read the federation client-secret K8s Secret.
Test coverage:
go test -count=1 -race ./internal/keycloak/... OK
go test -count=1 -race ./core/controllers/organization/... OK
go vet ./... clean across both modules
Pre-existing flake confirmed: TestPinIssue_ConcurrentRapidFireRateLimit
(canon §7 — CI-runner timing flake)
Refs: docs/EPICS-1-6-unified-design.md §6.4
docs/INVIOLABLE-PRINCIPLES.md §4 (no hardcoded values), §5 (secrets)
ADR-0001 §2.7 (Org CR is source of truth, KC is reconciliation target)
Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
github-actions[bot]
|
17af93bd58 |
deploy: update sme service images to b0ed216 + bump chart to 1.4.87
|
||
|
e3mrah
|
b0ed216e81
|
feat(catalog): catalog-svc HTTP REST service + chart wiring (slice L1+L2, #1097) (#1148)
EPIC-2 Slice L of #1097. Multi-source Blueprint catalog HTTP REST service backed by Gitea (3 sources: public mirror, sovereign-curated, per-Org private). Replaces the per-Org SME catalog per ADR-0001 §4.3 (different scope: SME's was Org-bound; catalyst-catalog is Sovereign- wide multi-source). L1 — core/services/catalyst-catalog/ Go service: - Separate go.mod (services group is for HTTP services, controllers group is for CRD reconcilers — documented in DESIGN.md). - Imports the unified Gitea client via Go module replace directive. - Promoted core/controllers/internal/gitea → pkg/gitea so the catalog (a sibling Go module) can import it (Go internal/ rule). 5 Group C controllers updated atomically. - HTTP REST endpoints: /api/v1/catalog{,/{name},/{name}/versions, /{name}/versions/{version}} + /healthz. - Source resolution priority on collision: private > sovereign > public. - Per-Org access filter: caller's Claims.Groups[] determines visible private blueprints; Org A user does NOT see Org B's private set. - 30s TTL LRU cache on blueprint.yaml reads (capacity 1024 default). - Session-cookie / Bearer / ?access_token= claim extraction matching catalyst-api's seam; expired-token rejection in-process. - Containerfile: distroless-static, non-root UID 65532. L2 — products/catalyst/chart/templates/services/catalog/ wiring: - 5 templates (deployment, service, serviceaccount, rbac, httproute) + _helpers.tpl. Default-OFF gate via .Values.services.catalog.enabled. - helm template: 0 catalog resources when OFF, 6 when ON. - Empty image.tag fail-fasts at render per Inviolable Principle #4a. - HTTPRoute exposes /api/v1/catalog on api.<sovereign> hostname. - Chart bumped 1.4.85 → 1.4.86. Gitea client extension (canonical seam, NOT per-service variant): - +ListOrgRepos(ctx, org) []Repo — paginated repo listing. - +ListContents(ctx, org, repo, branch, path) []ContentEntry — directory listing for per-Org shared-blueprints fan-out. GitHub Actions workflow: - .github/workflows/catalyst-catalog-build.yaml — push-on-paths + pull_request + workflow_dispatch (NO cron). go vet + go test (race + count=1) + image build → GHCR :<sha>. repository_dispatch fan-out to chart-bump matches the Group C controllers' pattern. Tests (3-tier gate): unit (config, cache, auth, source, handler) + integration (httptest-backed Gitea fixtures across all 3 sources + priority + per-Org access). All green; race detector on. L3 (SME catalog retirement) is deferred per the EPIC-2 master brief. GraphQL deferred (REST first; gqlgen would pull ~80MB of indirect deps for a feature no UI consumer has asked for yet). Co-authored-by: hatiyildiz <hati.yildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
github-actions[bot]
|
03bd1fbb8c |
deploy: update catalyst images to 8437cb7
|
||
|
e3mrah
|
8437cb770b
|
feat(api): PUT /environments/{env}/policy handler — wires slice U PolicyModeToggle (slice X, #1096) (#1147)
Adds HandleEnvironmentPolicyMode at PUT /api/v1/sovereigns/{id}/environments/{env}/policy
backing the slice U PolicyModeToggle widget shipped via #1144. Writes
EnvironmentPolicy.spec.compliance.modes via the dynamic client; the
EnvironmentPolicy controller (separately reconciled) consumes that map and
flips Kyverno's per-namespace validationFailureAction. Per ADR-0001 §2.7
the handler ONLY writes to the CR; per INVIOLABLE-PRINCIPLES #4 the 19
K-slice policy names are discovered at request time via a live ClusterPolicy
list filtered by catalyst.openova.io/policy-tier=compliance — never
hardcoded. Per INVIOLABLE-PRINCIPLES #5 the caller must hold tier-admin or
higher (mirrors rbac_assign.go's authorization shape).
Behavior: 200 on create | update | no-op (Applied field discriminates),
400 on unknown policy / invalid mode / empty modes, 403 without tier-admin,
404 on missing Environment or unknown deployment, 409 after race-tolerant
3-retry on Update conflict.
Tests: 14 cases covering the full coverage matrix (created / merged /
no-op idempotent / unknown policy / invalid mode / empty modes / 403 / admin
allowed / 404 env / 404 dep / 409 retry) plus pure-helper coverage of
mergeEnvironmentPolicyModes (4 sub-cases) and policyModeCallerAuthorized
(9 sub-cases). go test -count=1 -race clean. go vet clean.
Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
github-actions[bot]
|
f8e1ee2dfd |
deploy: update catalyst images to 4366f09
|
||
|
e3mrah
|
4366f09a02
|
feat(rbac): Keycloak composite realm-role bootstrap on catalyst-api startup (slice T2, #1098) (#1146)
EPIC-3 slice T2 — at catalyst-api startup, an opt-in goroutine
materialises the 5 catalog-tier composite realm-roles
(catalyst-{viewer,developer,operator,admin,owner}) per
docs/EPICS-1-6-unified-design.md §6.2 in the configured Sovereign
Keycloak realm. Re-runs are idempotent no-ops once the chain is in
place.
What landed:
- internal/keycloak/admin_roles.go — new ListRealmRoleComposites,
AddRealmRoleComposites, EnsureCompositeRealmRole methods (KC Admin
REST API: GET /roles/{name}/composites/realm + POST /composites).
Idempotent attach: pre-checks parent's current composites and only
POSTs missing children.
- internal/keycloak/realm_bootstrap.go — new EnsureTierRealmRoles
driver + CatalogTierBootstrapPlan (Go-source canonical chain per
INVIOLABLE-PRINCIPLES #4: viewer leaf → developer → operator →
admin → owner). Encodes the integer ordering as the role's
`tier-level` attribute so the access-matrix UI can sort tiers
without a hardcoded list.
- cmd/api/main.go — non-blocking goroutine wired behind
KEYCLOAK_BOOTSTRAP_TIER_ROLES (default false). Reuses existing
CATALYST_KC_ADDR/REALM/SA_CLIENT_{ID,SECRET} credentials. Polls
Keycloak readiness for up to 30s, then capped backoff (5 attempts
at 0/5/10/20/40s) before giving up — the next catalyst-api
restart picks the bootstrap up again.
- chart/templates/api-deployment.yaml — env wiring with default
"false" to preserve current contabo behaviour (whose openova realm
has its own role taxonomy). Per-Sovereign HelmRelease overlays
flip to "true" to opt in.
Tests (all pass with -race):
- TestEnsureTierRealmRoles_CleanSlate — 5 role POSTs + 4 composite
POSTs from empty realm; tier-level attribute round-trips.
- TestEnsureTierRealmRoles_AlreadyPopulated_NoWrites — 0 writes when
all 5 roles + 4 composites already present.
- TestEnsureTierRealmRoles_OneMissing_PartialWrites — exactly 1 role
POST + 2 composite POSTs when catalyst-operator + its two
composite links are missing.
- TestEnsureTierRealmRoles_RoleCreate401_SurfacesError — 401 from KC
bubbles up so the startup goroutine can decide whether to retry.
- TestEnsureTierRealmRoles_RealmMismatch_Rejects — guards against a
caller passing a realm that doesn't match the Client's bound realm.
- TestEnsureCompositeRealmRole_AlreadyAttached_NoWrite — idempotent
attach when the composite is already present.
- TestListRealmRoleComposites_NotFound — 404 on a missing parent
surfaces ErrRoleNotFound.
- TestAddRealmRoleComposites_EmptyChildren_NoHTTP — short-circuits
to a no-op without touching the network.
Out of scope (per master brief): UserAccess controller (T3+C5),
keycloak-config-cli Job (chart-install lifecycle, orthogonal),
Azure SSO federation (slice F).
Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
github-actions[bot]
|
faccd13f6a |
deploy: update catalyst images to 0ccff7c
|
||
|
e3mrah
|
0ccff7c3e5
|
feat(catalyst-ui): compliance dashboards (SRE + SecLead + App + per-policy + toggle, slice U, #1096) (#1144)
- U1: /admin/compliance/sre + /sre/compliance — SRE Lead fleet treemap (Recharts)
- U2: /admin/compliance/security + /sec/compliance — Security-Lead variant (security palette)
- U3: AppDetail Compliance tab — score hero + drift panel + "what to fix to 90%" list
- U4: /admin/compliance/policy/$policyName + /compliance/policy/$policyName — drill-down with violations table + failures-per-environment bar chart
- U5: PolicyModeToggle widget — Audit↔Enforce switch with confirm dialog + diff copy + PUT /environments/{env}/policy
API contract consumed (slice S,
|
||
|
github-actions[bot]
|
9c36b94658 |
deploy: update catalyst images to a6ccdce
|
||
|
e3mrah
|
a6ccdcef41
|
feat(rbac): /rbac/assign find-or-create + /rbac/access-matrix + boundary validator (slice A, #1098) (#1143)
EPIC-3 slice A bundles three deliverables on top of the just-landed
slice T1 (5-tier ClusterRoles):
A1 — POST /api/v1/sovereigns/{id}/rbac/assign
Find-or-create-role endpoint backing the multi-grant editor (slice
U1). Race-tolerant 409 retry follows the EnsureUser pattern. Three
paths: created / updated (tier rotation on existing scope) / no-op.
Authoring side: writes UserAccess CR with metadata.labels[
catalyst.openova.io/tier]=<tier> + spec.tierRoleRef + spec.scopes[].
A2 — GET /api/v1/sovereigns/{id}/rbac/access-matrix
Manara-style users × applications × tier matrix with per-CR
warnings (developer-tier missing env-type=dev surfaces inline).
Optional org/application filters. Pure aggregator extracted for
testability — no apiserver, no clock.
A3 — Kyverno ClusterPolicy `useraccess-boundary`
Denies cross-Organization UserAccess grants unless the requester
is a member of a management Org with tier=owner. Default Audit
(values-driven action). Test fixtures + kyverno-test.yaml shape
ready for kyverno-CLI CI step in a follow-up slice.
UserAccess CRD extension:
- spec.tierRoleRef (string, openova:tier-* pattern)
- spec.scopes[] ({key, value})
- applications[] no longer required (legacy + new shapes coexist)
Test coverage (26 new tests, race-clean):
- A1: 3-path find-or-create, 409 retry, validation, 404
- A2: matrix shape + filters + warnings, http happy/empty/404
- Pure helpers: scope normalization/equality, CR-name determinism
Pre-existing failure `TestPinIssue_ConcurrentRapidFireRateLimit`
(rate-limit timing flake) reproduced on clean main per canon §7;
not introduced by this slice.
Refs: EPIC-3 master brief at .claude/architect-briefs/epic-3/, slice
A brief at 02-A-rbac-assignment-endpoints.md, T1 ancestor #1142.
Co-authored-by: hatiyildiz <hati.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
github-actions[bot]
|
714faf6db1 |
deploy: update catalyst images to f1d0801
|
||
|
e3mrah
|
f1d0801ad2
|
feat(catalyst-api): compliance score aggregator + handler (slice S, #1096) (#1141)
Joins Kyverno PolicyReports + slice W2's compliance-evaluator events
+ EnvironmentPolicy weights into per-resource → per-Application →
per-Environment → per-Organization → per-Sovereign weighted scores.
Outputs SSE for live updates, REST for snapshots, Prometheus
catalyst_compliance_* gauges/counters, and (when CATALYST_NATS_URL is
wired) NATS JetStream KV `policy-rollup` for replayable history.
S1 — internal/handler/compliance.go:
* REST endpoints under /api/v1/sovereigns/{id}/compliance/
- GET /scorecard — per-app/env/org/sovereign rollups
- GET /policies — per-policy weight + mode + violation tally
- GET /violations — paginated fail rows, ?app=<name>
- GET /stream — SSE for live score updates
* Watch loop subscribes to k8scache.Factory fanout for kinds
{policyreport, clusterpolicyreport, compliance-evaluator,
deployment, statefulset, daemonset, pod}. Per ADR-0001 §5
every score recompute is event-driven; no polling.
* Pure computeScore() function with edge cases tested:
all-pass=100, all-fail=0, half-pass=50, skip drops from denom,
empty-weights fallback to equal weights, stateful/stateless scope
filters, missing verdict drops policy, warn pulls score down.
* NATS KV writes via nil-tolerant PolicyRollupPublisher interface
keyed `<scope>:<id>`. Sentinel resolver wires when env is set;
nil keeps the aggregator running on SSE+Prometheus only.
* EnvironmentPolicy CR resolution via dynamic-client; nil/404
falls back to default equal-weights so a fresh Sovereign without
a tuned policy still scores correctly.
S2 — platform/mimir/chart/templates/prometheusrule-compliance.yaml:
* Recording rules:
- catalyst:compliance_score:by_application:1h_avg
- catalyst:compliance_violations:by_policy:5m_rate
- catalyst:compliance_score:by_sovereign:1h_avg
- catalyst:compliance_policy_enforcing:by_policy
* Pager alerts: ComplianceScoreRegression (>10pt drop in 1h) +
ComplianceEnforcingPolicyHighViolations (>50/hr in enforcing
mode). Every threshold a values.yaml knob per
docs/INVIOLABLE-PRINCIPLES.md #4.
* Capabilities-gated on monitoring.coreos.com/v1 so a fresh
Sovereign without bp-kube-prometheus-stack doesn't fail render.
Tests:
* 18 unit + integration tests in compliance_test.go covering the
full computeScore matrix, the watch-loop end-to-end via
Factory.Publish injection, and every HTTP endpoint (scorecard,
policies, violations pagination, stream, 503 nil-handler).
* `go test -count=1 -race ./internal/handler/...` clean (5 runs).
* `go vet ./...` clean.
Pre-existing CI failures (TestPinIssue_ConcurrentRapidFireRateLimit,
TestRun_FailsFastOnDynadotError, TestAuthHandover_HappyPath nil-ptr,
TestValidate_*Harbor_robot_token*) confirmed not introduced by this
slice — they reproduce on clean main.
Per ADR-0001 §3 (5 stores): score history lives in NATS JetStream KV;
no Postgres/FerretDB shadow store. Per ADR-0001 §5 (event-driven):
every score recompute fires off a Subscribe event. Per
INVIOLABLE-PRINCIPLES #4: SSE retention, KV TTL, alert thresholds all
runtime-configurable.
Closes the S column of EPIC-1 master plan; UI slices U1-U5 can now
consume the SSE event shape.
Co-authored-by: hatiyildiz <hati@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
github-actions[bot]
|
4d6a3e950a |
deploy: update catalyst images to a987748
|
||
|
e3mrah
|
a987748b42
|
feat(k8scache): subscribe to PolicyReport + 5 custom evaluators (slice W, #1096) (#1139)
W1: extend `internal/k8scache/kinds.go` `DefaultKinds` with
`wgpolicyk8s.io/v1alpha2/PolicyReport` (namespaced) and
`ClusterPolicyReport` (cluster-scoped). Reports flow through the
existing `Factory.dispatch` → `fanout` → SSE subscribers — no special
treatment. Test coverage: `TestPolicyReport_FlowsThroughSSEFanout`
applies a synthetic PolicyReport + ClusterPolicyReport via the fake
dynamic client and asserts both ADD events arrive at a kind-filtered
subscriber.
W2: new package `internal/k8scache/evaluators/` shipping 5 custom
evaluators that emit synthetic PolicyReport-shaped rows on the
`compliance-evaluator` SSE channel:
- hpa.go — HPA `spec.minReplicas` vs `status.currentReplicas`,
with Pod → ReplicaSet → Deployment owner chain.
- otel.go — OTel collector sidecar OR Pod auto-inject annotation
+ namespace Instrumentation CR.
- hubble.go — Hubble Observer flow check (DEFERRED: cilium/cilium
client not pulled by current deps; evaluator emits
skip when `Config.HubbleEnabled=false`, follow-up
slice wires the gRPC client).
- harbor.go — image starts with `<HarborDomain>/...` or operator-
supplied allow-list prefix; fail on docker.io / ghcr.io
direct refs.
- flux.go — `app.kubernetes.io/managed-by: flux` label OR Flux
ownerRef on the Pod or its controller.
Engine architecture (per ADR-0001 §5):
- Subscribes to Pod ADD/MODIFY events from the watcher.
- 30s ticker re-evaluates over the in-process Indexer (no apiserver
polling — pure cache reads).
- Publishes synthetic events via the new exported
`Factory.Publish(Event)` method which re-uses the same fanout the
architecture-graph subscribers consume.
- `KindComplianceEvaluator = "compliance-evaluator"` constant for
the score aggregator (slice S1) to subscribe to.
Per INVIOLABLE-PRINCIPLES #4: every threshold (HPA min replicas,
Hubble lookback, Harbor regex, OTel annotation prefix, Flux label
key/value) is a Config field — no hardcoded values.
Tests (28 unit cases, 17 evaluator-specific covering pass/fail/skip
matrix per evaluator + 8 engine + 1 helper):
- go test -count=1 -race ./internal/k8scache/... → CLEAN
- go vet ./... → CLEAN
Co-authored-by: hatiyildiz <hatice@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
github-actions[bot]
|
529c78b980 |
deploy: update catalyst images to 2c7cb90
|
||
|
e3mrah
|
2c7cb90c28
|
feat(catalyst-chart): wire 5 Group C controllers into bp-catalyst-platform deploy templates (CC3, #1095) (#1137)
Each Group C controller (slices C1, C2, C3, C4, C5) shipped its own
deploy/{deployment,rbac}.yaml under core/controllers/<name>/ but those
manifests were NOT yet rendered as Helm templates — a fresh Sovereign
provisioning today does not deploy any of the 5 controllers. CC3
closes that gap.
What this commit ships:
products/catalyst/chart/templates/controllers/:
- _helpers.tpl — shared label / image / SA-name helpers (5 controllers)
- organization-controller-{serviceaccount,clusterrole,clusterrolebinding,deployment}.yaml
- environment-controller-{...}
- blueprint-controller-{...}
- application-controller-{...}
- useraccess-controller-{...}
Values gate: each controller defaults to .Values.controllers.<name>.enabled: false. Operator opts in per-Sovereign.
Per docs/INVIOLABLE-PRINCIPLES.md #4a, deployments fail-fast at template
time if .Values.controllers.<name>.image.tag is empty — CI MUST stamp
a SHA before render. No :latest path exists.
Per canon §5: RBAC ClusterRoles tightened to least-privilege per
controller (the original deploy/rbac.yaml on each agent's PR sometimes
over-granted; this slice audits each):
- organization: get/list/watch Organizations + create/update UserAccess
- environment: get/list/watch Environments + watch Org + GitRepository CRUD
- blueprint: get/list/watch Blueprints + Gitea API write (no in-cluster RBAC)
- application: get/list/watch Applications + watch Env + watch Blueprint
- useraccess: get/list/watch UserAccess + create/update/delete RoleBinding +
ClusterRoleBinding + read on openova:application-* ClusterRoles
ServiceAccount names follow catalyst-<controller>-controller pattern
(consistent with existing catalyst-cutover-driver SA).
Validation:
- helm lint: 1 chart linted, 0 failed (single INFO about chart icon —
pre-existing, not introduced here)
- helm template with all controllers.*.enabled=false: 9 resources
rendered (existing baseline — api, ui, cutover-driver, etc.) — gate
works, 0 controller resources rendered
- helm template with all controllers.*.enabled=true (+ test SHA tags):
29 resources total = 9 baseline + EXACTLY 20 new controller resources
(5 ServiceAccount + 5 ClusterRole + 5 ClusterRoleBinding + 5 Deployment)
- Without image.tag set: template intentionally fails per
INVIOLABLE-PRINCIPLES #4a — verified
Image tags SHA-pinned via .Values.controllers.<name>.image.tag, never
:latest. CI image-build pipelines for each controller already exist
(.github/workflows/build-<name>-controller.yaml shipped by C1/C2/C3/C4/C5
agents) — extending those to PUSH images to GHCR is a follow-up slice
(those workflows currently only run go test, no image build yet).
After this PR merges, EPIC-0 is FULLY code-complete + deployable. Only
G2 + G3 (real Hetzner cluster bring-up via the multi-region tofu module
from G1) remain as operator-side actions.
Refs: #1094, #1095, slice C1 (#1129), C2 (#1127), C3 (#1126),
C4 (#1133), C5 (#1128).
Co-authored-by: hatiyildiz <hatiyildiz@noreply.openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
github-actions[bot]
|
a1f832ab77 |
deploy: update catalyst images to a4d3565
|
||
|
e3mrah
|
a4d3565323
|
fix(api): unbreak 3 pre-existing CI test failures (EPIC-0 stretch) (#1132)
Triages and fixes the 3 known-failing tests blocking every PR's `test` CI job (per brief 04-fix-pre-existing-CI-failures.md, slice EPIC-0/H10). Each test was a pre-existing failure on `main` documented at #1095. All fixes are test-only — no production code changed. 1. internal/handler::TestAuthHandover_HappyPath — nil-pointer panic in handoverjwt.Signer.SignCustomClaims. The test setup was missing handoverSigner initialization; commit b1ff09bf retired Keycloak token-exchange in favour of a locally-minted RS256 JWT signed by that field. Wires the signer in testHandoverSetup using the same GenerateKeypair call the test already runs, and updates the cookie-value assertions to verify the locally-minted JWT's claims instead of the now-removed stub access/refresh tokens. Same root cause fixes TestAuthHandover_KCImpersonateFailure (its old "ImpersonateToken-error → 401" assertion is dead — production no longer calls ImpersonateToken on this path; the test now asserts the migration is durable via a 302 + locally-minted session JWT). 2. cmd/catalyst-dns::TestRun_FailsFastOnDynadotError — "expected error from Dynadot rejection, got nil". The fakeDynadot test server emits `SetDns2Response.ResponseHeader.{ResponseCode,Status,Error}` but internal/dynadot/dynadot.go #939 verified live 2026-05-05 that the real Dynadot api3.json reply uses `SetDnsResponse.{ResponseCode, Status,Error}` with no ResponseHeader wrapper. The production decoder (correctly) saw an empty header and short-circuited the error check; rewrites the fake's envelope to match the real shape so the test can detect a true Dynadot rejection. Mirrors the shape already used by internal/dynadot/dynadot_test.go. 3. internal/provisioner::TestValidate_* — 12 tests in provisioner_test.go and 7 tests under internal/handler all fail with "Harbor robot token is required (CATALYST_HARBOR_ROBOT_TOKEN missing on catalyst-api…)". Issue #557 + Inviolable Principle #11 tightened Validate() to require the env-stamped token; the test fixtures predate that change. Adds HarborRobotToken to validBase() in provisioner_test.go so all 12 cases pass; sets `t.Setenv("CATALYST_HARBOR_ROBOT_TOKEN", "harbor_TEST_PLACEHOLDER")` on the 4 TestCreateDeployment_* + 2 TestPersistence_* + 1 TestLoad_* tests that exercise the handler-stamping path; sets HarborRobotToken explicitly on the load_test.go meta-check that constructs a Request directly (`json:"-"` precludes body-based injection). Bonus pre-existing fix: internal/store::TestLegacyRecord_NoParentDomainsKey_LoadsCleanly — legacy on-disk fixture pinned cpx21/cpx31, both rejected by the post-#916 SKU gate (deprecated Hetzner family). Updated to cpx22/cpx32 preserving the test's true intent (parentDomains JSON-shape migration, not the SKU values themselves). Verified per fix: - Each of the 4 cluster fixes was confirmed failing on clean `main` before my change and passing after. - `GOMAXPROCS=2 go test -count=1 ./...` is fully GREEN end-to-end across the catalyst-api module. - `go vet ./...` clean. Pre-existing flakes still observed on this host under `-race -count=1`: TestPinIssue_ConcurrentRapidFireRateLimit (1-in-5 flake on origin/main too — production rate-limit-before-EnsureUser ordering race) and TestPutKubeconfig_* (TempDir cleanup race). Both are out of scope and unrelated to the 3 documented failures. Refs: #1095 (EPIC-0), #557 (Harbor robot token), #826 (parentDomains), #916 (cpx32 region gate), #939 (Dynadot envelope shape). Co-authored-by: hatiyildiz <hatiyildiz@openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
github-actions[bot]
|
f86718c1c7 |
deploy: update catalyst images to 8988cd9
|
||
|
github-actions[bot]
|
6d137f2821 |
deploy: update catalyst images to a9bef76
|
||
|
e3mrah
|
a9bef76e39
|
feat(keycloak): add Group CRUD + attributes + client-secret rotation (slice D1c, #1095) (#1125)
Final sub-slice of D1 (Keycloak full-CRUD client extension) per
docs/EPICS-1-6-unified-design.md §3.4. Two new files:
internal/keycloak/admin_groups.go — Group CRUD + attribute setters.
organization-controller (slice C1) calls these to materialize a
Keycloak group per Organization. The group's attributes carry the
Catalyst custom claims `org`, `tier`, `openova_scopes` that
auth/Claims fields parse on every token (slice D2).
internal/keycloak/admin_secrets.go — per-OIDC-client secret read +
rotation. Used by organization-controller (creation path) and the
SecretPolicy reconciler (rotation path, post-Phase-0).
Public API — Groups (admin_groups.go):
- ListGroups — GET /groups (paginated to 1000)
- GetGroup — GET /groups/{uuid} → ErrGroupNotFound
- FindGroupByPath — GET /group-by-path/{path} (leading-
slash tolerant)
- CreateGroup — POST /groups (returns UUID via Location)
- CreateSubGroup — POST /groups/{parent}/children
- UpdateGroup — PUT /groups/{uuid} (full replace)
- DeleteGroup — DELETE /groups/{uuid} → ErrGroupNotFound
- EnsureGroup — find-or-create with drift-detection
UPDATE if attributes differ from caller's
desired set
- SetGroupAttributes — GET-mutate-PUT shorthand for the
full-replace attributes semantics
Public API — Secrets (admin_secrets.go):
- GetClientSecret — GET /clients/{uuid}/client-secret
- RotateClientSecret — POST /clients/{uuid}/client-secret
(immediate cutover — no overlap window)
Sentinels:
- ErrGroupNotFound — exported, for absent-as-success
- errGroupAlreadyExists — internal, for EnsureGroup 409 race
Group struct mirrors upstream GroupRepresentation with only the fields
organization-controller uses (ID, Name, Path, Attributes, SubGroups,
RealmRoles). Attributes is map[string][]string — Keycloak natively
supports multi-value attributes; Catalyst uses single-value semantics
for `org` and `tier` (one entry per slice), multi-value for
`openova_scope`.
EnsureGroup drift-detection: if the group exists with different
attributes than the caller's desired map, EnsureGroup automatically
PUTs the updated representation. Comparison is structural via
attributesEqual() helper (length + key-by-key value-slice equality —
slice ORDER matters since Keycloak preserves insertion order in
multi-value attributes).
ClientSecret struct carries the plaintext value; per docs/CLAUDE.md §10
callers MUST write it to a SealedSecret immediately and never log it.
Tests:
- admin_groups_test.go (15 cases): list, get-not-found, find-by-path
(with and without leading slash, and 404-as-empty), create+sub-group,
ensure-find-first, ensure-drift-triggers-update, ensure-create-on-miss,
set-attributes-replaces-all, update-requires-uuid, delete-not-found,
attributesEqual exhaustive cases (8 cases), lastSlashIndex (6 cases)
- admin_secrets_test.go (4 cases): get happy + 404, rotate happy + 404
go test ./internal/keycloak/... → all pass (~36 tests across admin.go,
admin_roles.go, admin_groups.go, admin_secrets.go).
go build ./... + go vet ./... → clean.
D1 complete: Keycloak full-CRUD admin client now covers user (find/
create/group-membership in client.go), client (D1a), realm-role +
role-mapping (D1b), group + group-attributes + client-secret (this
slice). Identity Provider CRUD for corporate Azure-SSO federation
remains post-Phase-0.
Refs: #1094, #1095, #1097, #1098, docs/EPICS-1-6-unified-design.md §3.4.
Co-authored-by: hatiyildiz <hatiyildiz@noreply.openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
e3mrah
|
fe23d758e9
|
feat(keycloak): add realm-role + role-mapping CRUD (slice D1b, #1095) (#1124)
Realizes the second sub-slice of D1 (Keycloak full-CRUD client extension) per docs/EPICS-1-6-unified-design.md §3.4. useraccess-controller (slice C5 of #1095) calls these to materialize the 5 catalog tier roles (viewer / developer / operator / admin / owner) per Sovereign realm at startup, and to bind realm roles to per-Org Keycloak groups so a user's `groups` claim resolves to the catalog tier via Keycloak's group→role inheritance. New file: internal/keycloak/admin_roles.go (separate from admin.go to keep client-CRUD and role-CRUD concerns at distinct files; both share the same package, the same Client struct, and the same serviceAccountToken helper from client.go). Public API — Realm roles: - ListRealmRoles — GET /roles - GetRealmRole — GET /roles/{name} → ErrRoleNotFound on 404 - CreateRealmRole — POST /roles - UpdateRealmRole — PUT /roles/{name} (full replace) - DeleteRealmRole — DELETE /roles/{name} → ErrRoleNotFound on 404 - EnsureRealmRole — find-or-create with 409-tolerant re-find; returns the FRESH representation so callers can detect drift and call UpdateRealmRole Public API — Role mappings (users): - ListUserRealmRoles — GET /users/{uuid}/role-mappings/realm (direct) - ListUserEffectiveRealmRoles — GET /users/{uuid}/role-mappings/realm/composite (transitively-resolved — what /token embeds) - AssignUserRealmRoles — POST /users/{uuid}/role-mappings/realm - UnassignUserRealmRoles — DELETE /users/{uuid}/role-mappings/realm Public API — Role mappings (groups): - ListGroupRealmRoles — GET /groups/{uuid}/role-mappings/realm - AssignGroupRealmRoles — POST /groups/{uuid}/role-mappings/realm - UnassignGroupRealmRoles — DELETE /groups/{uuid}/role-mappings/realm Sentinels: - ErrRoleNotFound — exported, for absent-as-success branches - errRoleAlreadyExists — internal sentinel for the EnsureRealmRole 409 race path RealmRole struct mirrors the upstream RoleRepresentation but only with the fields useraccess-controller actually reads/writes: - Name (canonical key — Catalyst prefixes with `catalyst-`) - Composite (true for tiers above viewer — `developer` composes `viewer`, `operator` composes `developer`, etc.) - ContainerID (realm UUID, populated on read) - Attributes (Catalyst stores `tier-level` int here so access-matrix UI can sort tiers without a hardcoded list) Empty-list optimization on AssignXRealmRoles / UnassignXRealmRoles: if the role slice is empty, the call is a no-op (0 HTTP requests). Catches the common reconciliation case where the desired-set matches the actual-set. Tests (admin_roles_test.go, 11 cases): - TestListRealmRoles_HappyPath - TestGetRealmRole_NotFound (ErrRoleNotFound branch) - TestCreateRealmRole_201Created (request-body inspection) - TestCreateRealmRole_409Conflict (errRoleAlreadyExists sentinel) - TestEnsureRealmRole_FindReturnsExisting (no POST when GET succeeds) - TestEnsureRealmRole_CreateOn404 (GET 404 → POST → re-GET = 2 GETs + 1 POST) - TestUpdateRealmRole_RequiresName (fail-fast before HTTP) - TestDeleteRealmRole_NotFound (ErrRoleNotFound branch) - TestAssignGroupRealmRoles_PostBody (non-empty body sent) - TestAssignGroupRealmRoles_EmptyIsNoOp (0 HTTP calls for empty list) - TestListUserEffectiveRealmRoles_HitsCompositeEndpoint (the /composite suffix) - TestListUserRealmRoles_DirectEndpoint (no /composite when direct) go test ./internal/keycloak/... → all pass (24 tests across admin.go + admin_roles.go). go build ./... + go vet ./... → clean. Out of scope (deferred to D1c): - Group hierarchy + group-attribute setters - Per-OIDC-client client-secret rotation - Identity Provider CRUD for corporate Azure-SSO federation Refs: #1094, #1095, #1098, docs/EPICS-1-6-unified-design.md §3.4 + §6. Co-authored-by: hatiyildiz <hatiyildiz@noreply.openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|
github-actions[bot]
|
77bf30c464 |
deploy: update catalyst images to f9c141a
|
||
|
e3mrah
|
f9c141aaa8
|
feat(keycloak): add OIDC client CRUD admin operations (slice D1a, #1095) (#1123)
Realizes the first sub-slice of D1 (Keycloak full-CRUD client extension)
per docs/EPICS-1-6-unified-design.md §3.4. organization-controller
(slice C1) calls these to provision per-Org OIDC clients in the
Sovereign realm so an Org's vCluster + Hubble UI + Application UIs all
federate to the same Keycloak realm with their own client secrets.
New file: internal/keycloak/admin.go (separate from client.go to keep
the original /auth/handover EnsureUser+ImpersonateToken surface focused).
Public API:
- OIDCClient struct — narrow slice of upstream ClientRepresentation
covering only fields organization-controller
needs to set/read. Secret field NEVER persisted
to disk; lives in memory only long enough to
be written to a SealedSecret by the caller.
- FindClientByClientID — GET /clients?clientId=X (returns empty struct
on miss; the find-or-create caller branches
on .ID == "")
- GetClient — GET /clients/{uuid} → ErrClientNotFound on 404
- ListClients — GET /clients?first=0&max=1000 (1k client cap
is plenty for any Sovereign realm)
- CreateClient — POST /clients; returns Keycloak-assigned UUID
from the Location header's last segment
- UpdateClient — PUT /clients/{uuid} (full replace, not patch
— caller must GET-mutate-PUT)
- DeleteClient — DELETE /clients/{uuid} → ErrClientNotFound on 404
- EnsureClient — find-or-create wrapper with 409-tolerant
re-find for race conditions (mirrors the
EnsureUser pattern from client.go)
Sentinels:
- errClientAlreadyExists — internal sentinel for the 409 race path
- ErrClientNotFound — exported so reconciliation loops can branch
on absence-as-success
Idiom mirrors client.go exactly:
- serviceAccountToken at the top of every public method
- http.Client supplied at New(); tests inject httptest.Server URL
- Request body marshaled via json.Marshal; response parsed explicitly
- Defaults Protocol="openid-connect" if caller leaves it empty (the
upstream API rejects empty protocol with 400, regression caught here
rather than at integration time)
Tests (admin_test.go):
- TestFindClientByClientID_Found / _Empty
- TestGetClient_NotFound (ErrClientNotFound branch)
- TestCreateClient_201Location (Location-header UUID extraction)
- TestCreateClient_DefaultsProtocol (empty Protocol → openid-connect)
- TestEnsureClient_FindFirst (existing client → no POST)
- TestEnsureClient_409ConflictReFinds (race tolerance — mirrors TC-R-089
pattern from EnsureUser)
- TestUpdateClient_RequiresUUID (fail-fast on empty .ID before HTTP)
- TestUpdateClient_204
- TestDeleteClient_NotFound (absence-as-success)
- TestListClients_PaginatesFirstPage
- TestLastSegment (URL-parsing helper)
go test ./internal/keycloak/... → all pass.
go build ./... + go vet ./... → clean.
Out of scope for this slice (deferred to D1b/D1c):
- Realm-role + role-mapping CRUD (slice D1b)
- Per-OIDC-client client-secret rotation endpoint
(POST /clients/{uuid}/client-secret — slice D1c)
- Group hierarchy + group-attribute setters (slice D1c)
- Identity Provider CRUD for corporate Azure-SSO federation
(post-Phase-0)
Refs: #1094, #1095, #1097, #1098, docs/EPICS-1-6-unified-design.md §3.4.
Co-authored-by: hatiyildiz <hatiyildiz@noreply.openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
github-actions[bot]
|
053c8f5602 |
deploy: update catalyst images to 832d0d9
|
||
|
e3mrah
|
832d0d94b7
|
feat(auth): parse groups + realm_access.roles + RBAC custom claims (slice D2, #1095) (#1118)
Realizes design doc §3.4 + §6.3 (parse groups[] and realm_access.roles
claims so authorization context flows into request scope).
Today auth/Claims (session.go:30-47) parses identity-only fields (sub,
email, email_verified, preferred_username, sovereign_fqdn, deployment_id).
Every Keycloak access token already carries the RBAC claims but they
were silently ignored — every handler that needs to gate by tier or
group has to re-parse the JWT, and most just don't.
This slice extends Claims to absorb the standard Keycloak shape:
- Groups from `groups` (full Keycloak path strings)
- RealmAccess.Roles from `realm_access.roles` (catalog tier mapping)
- ResourceAccess from `resource_access.<client>.roles`
(per-OIDC-client role grants)
Plus 3 Catalyst custom claims that the Keycloak protocol mappers
populate (mappers themselves land in slice D1):
- Org : Organization slug, flattened from group hierarchy
- Tier : highest-precedence catalog tier (viewer<dev<op<admin<owner)
- Scopes : label-based scope tags per the Manara model
(`application=wordpress`, `env-type=dev`, …)
All fields are `omitempty` — every existing token (without these
claims) parses cleanly without polluting downstream JSON. No middleware
or handler change in this slice; the useraccess-controller (slice C5)
and the @RequireResourceAccess decorator (D2 follow-up) are the
consumers.
Two convenience helpers:
- Claims.HasRealmRole(role string) bool
- Claims.HasGroup(path string) bool — leading-slash-tolerant so a
Keycloak v22 → v24 bump (one variant has the leading "/", the other
doesn't) doesn't silently break authorization checks.
Tests:
- TestParseJWTClaims_LegacyTokenStillParses — guards against regression
on every existing Catalyst-Zero session shape
- TestParseJWTClaims_RBACFields — exercises the full Keycloak shape with
groups, realm_access, resource_access, and the 3 custom claims
- TestClaims_HasRealmRole — including nil-receiver no-panic
- TestClaims_HasGroup_LeadingSlashTolerant — covers both Keycloak path
conventions and a non-member negative case
go test ./internal/auth/... → all pass.
go build ./... + go vet ./... → clean.
Refs: #1094, #1095, #1098, docs/EPICS-1-6-unified-design.md §3.4 + §6.
Co-authored-by: hatiyildiz <hatiyildiz@noreply.openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
e3mrah
|
25ef20a8e5
|
feat(catalyst-chart): land Blueprint CRD + fix 5 string-form depends (slice B4, #1095) (#1112)
Realizes the Blueprint CRD per docs/BLUEPRINT-AUTHORING.md §3 and design
doc §3.2.4. Promotes the doc-contract (apiVersion catalyst.openova.io)
from a YAML-loaded contract to a schema-validated CRD.
Schema design:
- Two versions served from one inline schema (YAML anchors): v1alpha1
(legacy, served, not storage) and v1 (canonical, served, storage). The
shared schema means the 38 existing v1alpha1 files in platform/ +
products/ continue to validate; migration to v1 is a follow-up slice.
- Required at this layer: spec.version (strict semver pattern),
spec.card.title (minLength=1).
- Card variants accommodated as documented: summary | description |
tagline interchangeable; category | family interchangeable; docs |
documentation interchangeable. All optional except title.
- visibility enum: listed | unlisted | private.
- placementSchema.modes enum: single-region | active-active | active-
hotstandby — same set Application.spec.placement validates against.
- depends[].blueprint pattern accepts both bp-* and bare-name (legacy).
- manifests accepts both manifests.chart (legacy short-form) AND
manifests.source.{kind,ref} (canonical). Three source kinds: HelmChart,
Kustomize, OAM.
- rotation[].ttl pattern '^[0-9]+(s|m|h|d)$'.
- x-kubernetes-preserve-unknown-fields liberally on configSchema (per-
Blueprint JSON Schema is arbitrary by design), card, manifests, owner,
observability, outputs, depends[].values, manifests.values, etc.
Existing files validation:
- Surveyed all blueprint.yaml in platform/ + products/ (59 files).
- Card field frequency: title (59), summary (38), description (20+1),
category (25), family (20), docs (20), documentation (14+1), icon (25),
tags (14), license (14).
- 54 of 59 files passed the schema unchanged.
- 5 files used `depends: [- bp-name]` (string form) instead of the
canonical `[- blueprint: bp-name]` object form per BLUEPRINT-AUTHORING
§3. Those 5 files are fixed in this commit:
* platform/cert-manager-powerdns-webhook/blueprint.yaml
* platform/cert-manager-dynadot-webhook/blueprint.yaml
* platform/crossplane-claims/blueprint.yaml
* platform/powerdns/blueprint.yaml
* platform/self-sovereign-cutover/blueprint.yaml
- After fix: ALL 59 files pass server-side validation (kubectl apply
--dry-run=server) against the new CRD.
Negative validation (tests/blueprint-sample-invalid.yaml):
- spec.version "1.3" → semver pattern
- spec.card missing → required
- spec.card.title missing → required
- spec.visibility "secret" → enum listed|unlisted|private
- spec.placementSchema.modes "round-robin" → enum
- spec.depends[0] bare string "bp-bad-string" → must be object
- spec.depends[1].blueprint "Foo" → pattern fails (uppercase)
- spec.rotation[0].ttl "5 days" → pattern '^[0-9]+(s|m|h|d)$'
All 8 seeded vectors rejected.
This commit ONLY touches new CRD + test files + the 5 depends fixes —
leaves the in-flight router.tsx + rootBeforeLoad.test.ts work from a
parallel agent and the .claude/worktrees/ directory untouched.
Refs: #1094, #1095, docs/EPICS-1-6-unified-design.md §3.2.4,
docs/BLUEPRINT-AUTHORING.md §3
Co-authored-by: hatiyildiz <hatiyildiz@noreply.openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|
github-actions[bot]
|
4234599e52 |
deploy: update catalyst images to b4b9ba0
|
||
|
e3mrah
|
b4b9ba0ffc
|
feat(catalyst-chart): land SecretPolicy + Runbook CRD skeletons (slices B6+B7, #1095) (#1111)
Realizes design doc §3.2.6 (SecretPolicy) and §3.2.7 (Runbook) as schema-only contracts. Both are skeleton CRDs — populated by the SRE Lead and Security Lead post-Phase-0; the rotation engine and runbook executor are future thin in-cluster controllers (out of scope here). SecretPolicy (cluster-scoped): - spec.rotation[] — array of rotation rules; each rule has kind (oauth-client-secret | tls-cert | db-password | api-key | jwt-signer | sealed-secret-master), labelSelector matching target Secrets, ttl (^[0-9]+(s|m|h|d)$), action (rotate | warn | block, default warn), optional gracePeriod, optional handlerRef - status.rotationCount + nextRotationDue printer columns Runbook (namespace-scoped): - spec.trigger.kind: prometheus-alert | cr-condition | nats-event | schedule - spec.action.kind: scale | restart | rollback | run-job | switchover | send-to-nats | create-incident | patch - spec.cooldown — minimum interval between fires; default 5m by controller - spec.approval — optional approver gate (0-10 approvers, timeout) - status.fireCount + lastFiredAt + lastResult enum Both use x-kubernetes-preserve-unknown-fields under .config sub-trees so the SRE Lead can extend without an apiVersion bump until v1beta promotion. Validated: both CRDs apply server-side cleanly; no structural-schema violations. This commit ONLY touches new files in chart/crds/ — leaves the in-flight router.tsx + rootBeforeLoad.test.ts work from a parallel agent untouched (picked up on next pull / handed back to its author). Refs: #1094, #1095, docs/EPICS-1-6-unified-design.md §3.2.6/§3.2.7 Co-authored-by: hatiyildiz <hatiyildiz@noreply.openova.io> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |