chore: agents

Author: j-zimnowoda

.github/copilot-instructions.md

@@ -0,0 +1,18 @@
+# APL Core - AI Coding Agent Instructions
+
+## Project Overview
+
+APL Core (App Platform for Linode) is a Kubernetes platform that integrates 30+ cloud-native applications (Istio, Argo CD, Keycloak, Tekton, Harbor, etc.) into a cohesive, multi-tenant PaaS. The codebase is a hybrid of TypeScript (CLI/operators), Helm charts, Helmfile manifests, and Go templates.
+
+## Knowledge Base
+
+Use AGENTS.md files as your primary reference for understanding the codebase structure, conventions, and critical patterns. Each AGENTS.md file provides a comprehensive overview of its respective directory.
+
+| File                                                   | Focus                                                      |
+| ------------------------------------------------------ | ---------------------------------------------------------- |
+| [`AGENTS.md`](AGENTS.md)                               | Root: architecture, conventions, commands                  |
+| [`src/api/AGENTS.md`](src/api/AGENTS.md)               | Versioned route handlers (v1/v2/alpha), handler signatures |
+| [`src/middleware/AGENTS.md`](src/middleware/AGENTS.md) | Auth chain: JWT → groups → CASL → session → errors         |
+| [`src/openapi/AGENTS.md`](src/openapi/AGENTS.md)       | OpenAPI YAML specs, ACL definitions, schema conventions    |
+| [`src/ai/AGENTS.md`](src/ai/AGENTS.md)                 | AI CRD handlers (models, agents, knowledge bases)          |
+| [`src/utils/AGENTS.md`](src/utils/AGENTS.md)           | Domain utilities: workloads, secrets, repos, YAML          |

AGENTS.md

@@ -2,9 +2,20 @@
 
 **Generated:** 2026-05-04
 
+## TABLE OF CONTENTS
+
+| File | Focus |
+|------|-------|
+| [`AGENTS.md`](AGENTS.md) | Root: architecture, conventions, commands |
+| [`src/api/AGENTS.md`](src/api/AGENTS.md) | Versioned route handlers (v1/v2/alpha), handler signatures |
+| [`src/middleware/AGENTS.md`](src/middleware/AGENTS.md) | Auth chain: JWT → groups → CASL → session → errors |
+| [`src/openapi/AGENTS.md`](src/openapi/AGENTS.md) | OpenAPI YAML specs, ACL definitions, schema conventions |
+| [`src/ai/AGENTS.md`](src/ai/AGENTS.md) | AI CRD handlers (models, agents, knowledge bases) |
+| [`src/utils/AGENTS.md`](src/utils/AGENTS.md) | Domain utilities: workloads, secrets, repos, YAML |
+
 ## OVERVIEW
 
-Akamai App Platform API — Express/TypeScript REST API managing Kubernetes teams, workloads, and services. Uses **Git as database** (YAML files in a values repo). OpenAPI-first: specs define endpoints, authorization, and generate types.
+App Platform API — Express/TypeScript REST API managing Kubernetes teams, workloads, and services. Uses **Git as database** (YAML files in a values repo). OpenAPI-first: specs define endpoints, authorization, and generate types.
 
 ## STRUCTURE
 
@@ -42,20 +53,20 @@ apl-api/
 
 ## WHERE TO LOOK
 
-| Task | Location | Notes |
-|------|----------|-------|
-| Add new endpoint | `src/openapi/*.yaml` → `src/api/{version}/` | Define spec FIRST, then handler |
-| Add authorization | OpenAPI spec `x-acl` + `x-aclSchema` | ACLs live in YAML, not code |
-| Understand CRUD flow | `src/otomi-stack.ts` | All resource operations route here |
-| Add middleware | `src/middleware/` → register in `src/app.ts` | Export from `middleware/index.ts` |
-| Modify data models | `src/openapi/*.yaml` → `npm run build:models` | Generates `generated-schema.ts` |
-| Secret handling | `src/fileStore/` + `ARCHITECTURE.md` | Two-pass loading: YAML first, then secrets merged |
-| K8s operations | `src/k8s-operations.ts` | Pod status, logs, builds, sealed secrets |
-| Auth flow | `src/middleware/jwt.ts` → `src/middleware/authz.ts` | JWT → group extraction → CASL check |
-| AI features | `src/ai/` | Kubernetes CRD CRUD — bypasses OtomiStack |
-| Environment config | `src/validators.ts` + `.env.sample` | All env vars validated via envalid |
-| Workload/chart utils | `src/utils/workloadUtils.ts` | Git URL validation, Helm chart fetching |
-| Sealed secrets | `src/utils/sealedSecretUtils.ts` | Encryption, manifest creation |
+| Task                 | Location                                            | Notes                                             |
+| -------------------- | --------------------------------------------------- | ------------------------------------------------- |
+| Add new endpoint     | `src/openapi/*.yaml` → `src/api/{version}/`         | Define spec FIRST, then handler                   |
+| Add authorization    | OpenAPI spec `x-acl` + `x-aclSchema`                | ACLs live in YAML, not code                       |
+| Understand CRUD flow | `src/otomi-stack.ts`                                | All resource operations route here                |
+| Add middleware       | `src/middleware/` → register in `src/app.ts`        | Export from `middleware/index.ts`                 |
+| Modify data models   | `src/openapi/*.yaml` → `npm run build:models`       | Generates `generated-schema.ts`                   |
+| Secret handling      | `src/fileStore/` + `ARCHITECTURE.md`                | Two-pass loading: YAML first, then secrets merged |
+| K8s operations       | `src/k8s-operations.ts`                             | Pod status, logs, builds, sealed secrets          |
+| Auth flow            | `src/middleware/jwt.ts` → `src/middleware/authz.ts` | JWT → group extraction → CASL check               |
+| AI features          | `src/ai/`                                           | Kubernetes CRD CRUD — bypasses OtomiStack         |
+| Environment config   | `src/validators.ts` + `.env.sample`                 | All env vars validated via envalid                |
+| Workload/chart utils | `src/utils/workloadUtils.ts`                        | Git URL validation, Helm chart fetching           |
+| Sealed secrets       | `src/utils/sealedSecretUtils.ts`                    | Encryption, manifest creation                     |
 
 ## CONVENTIONS
 

src/api/AGENTS.md

@@ -14,7 +14,7 @@ api/
 │   ├── apps/        # Platform app configs
 │   ├── settings/    # Cluster settings
 │   └── *.ts         # Top-level resource handlers
-├── v2/              # Current handlers — return AplResponseObject, call req.otomi.*Apl*
+├── v2/              # Current handlers — (req, res) signature, call req.otomi.*Apl*
 │   └── teams/{teamId}/ # Team-scoped with sub-resource dirs
 ├── alpha/           # Experimental (AI features, team extensions)
 │   ├── ai/          # AI model/agent/knowledgebase endpoints
@@ -27,14 +27,15 @@ api/
 | Task | Location | Notes |
 |------|----------|-------|
 | Add v1 endpoint | `v1/` + matching OpenAPI spec | Legacy: `(req, res) => void` |
-| Add v2 endpoint | `v2/` + matching OpenAPI spec | Current: `(req) => Promise<AplResponseObject>` |
+| Add v2 endpoint | `v2/` + matching OpenAPI spec | Current: `(req, res) => void` |
 | Add AI endpoint | `alpha/ai/` | Uses `src/ai/` handlers, not OtomiStack |
 | Team-scoped resource | `{version}/teams/{teamId}/` | Dir name literally `{teamId}` |
 
 ## CONVENTIONS
 
-- **v1 handlers**: `export const opId = (req: OpenApiRequestExt, res: Response): void` — send response via `res.json()`
-- **v2 handlers**: `export async function opId(req: OpenApiRequestExt): Promise<AplResponseObject>` — return value
+- **v1 handlers**: `export const opId = (req: OpenApiRequestExt, res: Response): void` — call `req.otomi.get*()`, send via `res.json()`
+- **v2 handlers**: `export const opId = (req: OpenApiRequestExt, res: Response): void` — call `req.otomi.*Apl*()`, send via `res.json()`
+- **v1 vs v2 difference**: Method names on `req.otomi` — v1 uses `get*()`, v2 uses `getApl*()`/`createApl*()` etc.
 - **File naming**: Matches resource name (e.g., `services.ts`, `coderepos.ts`)
 - **Sub-resource pattern**: Directory for collection, file for item (e.g., `services.ts` = list, `services/{name}.ts` = single)
 - **All business logic** lives in `OtomiStack` via `req.otomi.*` — handlers are thin wrappers
@@ -44,4 +45,3 @@ api/
 
 - **DO NOT** put business logic in handlers — delegate to `req.otomi` (OtomiStack)
 - **DO NOT** create handler files without corresponding OpenAPI spec entry
-- **DO NOT** mix v1/v2 patterns — v1 uses `res.json()`, v2 returns objects

src/utils/AGENTS.md

@@ -0,0 +1,30 @@
+# Utilities
+
+## OVERVIEW
+
+Domain-specific utility modules. No barrel file — import each directly.
+
+## WHERE TO LOOK
+
+| Task | Location | Notes |
+|------|----------|-------|
+| Workload/Helm operations | `workloadUtils.ts` | Git URL validation, chart fetching, sparse clone, provider detection |
+| Code repository setup | `codeRepoUtils.ts` | Gitea URL management, SSH key normalization, connectivity testing |
+| Sealed secret encryption | `sealedSecretUtils.ts` | Encrypt values, create manifests, extract secret paths |
+| User/Keycloak integration | `userUtils.ts` | User data handling, username validation |
+| YAML safety | `yamlUtils.ts` | `quoteIfDangerous`, `deepQuote` — prevents YAML injection |
+| V1↔APL object conversion | `manifests.ts` | Bidirectional transforms, merge utilities |
+| Policy retrieval | `policiesUtils.ts` | Reads policies from generated schema |
+| K8s version checks | `k8sUtils.ts` | Cluster version, Knative support detection |
+| Object storage/cluster ID | `wizardUtils.ts` | `ObjectStorageClient` class, cluster ID definition |
+
+## CONVENTIONS
+
+- **No barrel export** — import individual files: `import { ... } from 'src/utils/workloadUtils'`
+- **Debug namespace**: `otomi:utils:*`
+- **Tests colocated**: `*.test.ts` alongside source files
+
+## ANTI-PATTERNS
+
+- **DO NOT** add generic helpers here — each file is domain-scoped
+- **DO NOT** import from `src/utils` (no index.ts) — always import specific file