Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@AGENTS.md`:
- Around line 213-214: Replace the raw cross-build command for the
cluster-version-operator with the supported repository build target: remove the
CGO_ENABLED/GOOS/GOARCH go build line and instead instruct users to run the
repository's make build target (e.g., "make build") which produces the CVO
binary into the _output/ directory; if a raw cross-build must be kept, add an
explicit justification explaining why the dev flow cannot use "make build" and
document expected outputs and environment differences.
- Around line 237-244: Replace the hard-coded personal image reference
quay.io/harpatil/cvo-lightspeed:${TAG} with a configurable IMAGE
variable/placeholder used consistently across the build, push and oc patch
commands (the docker build, docker push lines and the value field in the oc
patch for deployment cluster-version-operator). Update the docs to reference
IMAGE or ${IMAGE} (and document that contributors should set IMAGE to their own
registry/tag) so the build/push and the patch operation use IMAGE instead of the
personal quay.io path.

In `@go.mod`:
- Line 112: The go.mod replace that points github.com/openshift/api to your
personal fork must be removed; edit go.mod to delete the line "replace
github.com/openshift/api => github.com/harche/api ..." and restore use of the
upstream module, then ensure the code referencing FeatureGateLightspeedProposals
in pkg/featuregates/featuregates.go either imports the upstream
github.com/openshift/api package (if the constant exists upstream) or you
instead vendor/define the specific constant locally or upstream the symbol to
the official repo before merging.

In `@install/0000_00_cluster-version-operator_50_lightspeed-prompts.yaml`:
- Around line 1-29: The ota-advisory-prompt ConfigMap (metadata name:
ota-advisory-prompt, namespace: openshift-lightspeed) is missing required
cluster-profile annotations and a kubernetes.io/description; add the standard
include.release.openshift.io/* profile selectors (e.g.
include.release.openshift.io/self-managed-high-availability and other profiles
your repository requires) under metadata.annotations and add
kubernetes.io/description with a short purpose string describing this
ConfigMap’s role as the OTA advisory prompt used by Lightspeed agents; apply the
same annotation/description pattern to the related manifests that reference this
ConfigMap (the resources defined in 51_lightspeed-agents.yaml and
52_lightspeed-workflows.yaml) so the CVO graph selector will correctly install
these resources on profile-scoped clusters.

In `@install/0000_00_cluster-version-operator_51_lightspeed-agents.yaml`:
- Around line 11-20: Replace the mutable, external skill image reference
quay.io/harpatil/ocp-skills:latest with an immutable, release-managed image
(either a specific tag or an image digest) so the manifest is deterministic and
disconnected-cluster friendly; locate the skills entry that contains the image
key (the list under "skills" with image: quay.io/harpatil/ocp-skills:latest) and
update that image value to an approved, immutable release image (e.g., use your
release payload registry or a content-addressable digest) and ensure any
CI/release docs are updated to track the chosen immutable reference.
- Around line 4-7: This manifest for the Agent (metadata.name: ota-advisor) is
missing the required cluster-profile include annotations and a description; add
include.release.openshift.io/<profile-name>: "true" entries for every cluster
profile this feature should be included in (use the same profile keys your repo
uses, e.g., include.release.openshift.io/cluster: "true" or
include.release.openshift.io/optional: "true" as appropriate) alongside the
existing release.openshift.io/feature-gate annotation, and add a
kubernetes.io/description annotation that succinctly explains the Agent’s
purpose (e.g., "OTA Advisor Agent: collects and reports OTA proposal
recommendations for LightspeedProposals feature"). Ensure you update the
annotations block under metadata for the resource named ota-advisor.

In `@install/0000_00_cluster-version-operator_52_lightspeed-workflows.yaml`:
- Around line 4-7: The manifest for the Workflow resource named ota-advisory is
missing required install annotations and a description; update the
metadata.annotations to add the appropriate include.release.openshift.io
cluster-profile keys (e.g.,
include.release.openshift.io/self-managed-high-availability: "true" and any
necessary exclusion annotations consistent with
install/0000_00_cluster-version-operator_30_deployment.yaml and
_02_networkpolicy.yaml) and add kubernetes.io/description explaining the
resource's purpose; ensure you keep the existing
release.openshift.io/feature-gate: LightspeedProposals while adding the new
include.release.openshift.io/* entries and the kubernetes.io/description string.

In `@pkg/cvo/availableupdates.go`:
- Around line 186-190: The proposal creation is currently invoked inline
(optr.shouldCreateLightspeedProposals() ->
optr.maybeCreateLightspeedProposal(...)) which can block the available-updates
worker; change this to run asynchronously and bounded: when
shouldCreateLightspeedProposals() is true, spawn a goroutine to call
maybeCreateLightspeedProposal but pass a derived context with a short timeout
(context.WithTimeout) and use a global or package-level semaphore/channel to
bound concurrent proposal creations so you don’t spawn unlimited goroutines;
ensure maybeCreateLightspeedProposal observes the passed context, logs any
timeout/errors, and that the goroutine exits cleanly to avoid leaks so update
discovery remains non-blocking.

In `@pkg/cvo/cvo.go`:
- Around line 1219-1249: maybeCreateLightspeedProposal currently calls
readiness.RunAll with the caller's unbounded ctx which can block the
available-updates sync; modify maybeCreateLightspeedProposal to enforce an
overall deadline by creating a derived context with timeout (or spawn a
fire-and-forget goroutine using a context with timeout) before calling
readiness.RunAll, then call readiness.RunAll(ctxWithTimeout, dc,
optr.release.Version, targetVersion) and pass the resulting readinessJSON to
optr.proposalCreator.MaybeCreateProposal so the proposal creation cannot delay
the reconcile loop.

In `@pkg/proposal/proposal.go`:
- Around line 210-230: The loop that prints "Other recommended versions" should
operate on a precomputed filtered slice (e.g., others := filter updates where
u.Version != target) instead of iterating the raw updates so counting and
remaining calculations are correct; change the logic in the block that
references updates/target to first build others, only print the header when
len(others) > 0, iterate up to 5 entries from others, and compute remaining as
len(others)-count when truncating so the "... and N more" value is accurate
(update references to updates, target, count and remaining accordingly).
- Around line 136-153: The sort comparator for the candidates slice currently
violates strict weak ordering when versions are equal because it returns the
same result for both directions; update the sorting to use sort.SliceStable on
candidates and change the Less function to: first compare
candidates[i].version.Compare(candidates[j].version) as before; if equal, check
if candidates[i].kind != candidates[j].kind and prefer updateKindRecommended
when kinds differ; if both version and kind are equal, use candidates[i].raw <
candidates[j].raw as a deterministic tiebreaker; after this stable sort you can
simply return candidates[0].raw and candidates[0].kind as the best candidate.
- Around line 248-257: The sanitize function currently leaves characters like
'+', '/', '_' and other non-alphanumeric/non-dash characters untouched,
producing invalid DNS-1035 labels; update sanitize(s string) to first normalize
to lowercase, then replace any character that is not [a-z0-9-] (e.g., using a
regexp or rune check) with '-', keep the existing replacements for '.' and ' '
(or rely on the general rule), preserve the 20-char truncation behavior and the
TrimRight(s, "-") call so trailing dashes are removed, and preserve the current
behavior allowing digit-start labels (do not force an alphabetic prefix).

In `@pkg/readiness/client.go`:
- Around line 3-7: The helper that constructs the label selector string
currently iterates a map and emits unsorted parts (e.g., "a=1,b=2" vs
"b=2,a=1"); to make output deterministic, collect the map entries into a slice
of "key=value" pairs, sort that slice using key as primary and value as
tiebreaker (i.e., sort by key then by value), then join with commas to produce
the selector; apply the same stable-sorting fix to the other occurrence that
builds label selector parts so both places produce deterministic, test-stable
output.
- Around line 153-163: CompareVersions currently masks parse errors by returning
0, so change its signature to return (int, error) instead of just int: parse a
and b with semver.ParseTolerant, if either parse fails return 0 and the parse
error, otherwise return va.Compare(vb), nil; update callers (notably the code in
api_deprecations.go that calls CompareVersions) to handle the error path
explicitly (e.g., treat parse errors as invalid input and skip or surface an
error) so parse failures are distinguishable from genuine equality.

In `@pkg/readiness/crd_compat.go`:
- Around line 15-67: CRDCompatCheck.Run currently ignores its current/target
params and never uses sectionErrors; either make it target-aware or explicitly
document/rename and remove unused vars. Option A (preferred): when target !=
current, consult a removed-version lookup (e.g.,
RemovedCRDVersionsForTarget(target) or a map you add) and flag CRDs whose
storedVersions appear in that removed set (update versionIssues accordingly),
and remove the dead sectionErrors or populate it with real errors; reference
CRDCompatCheck.Run, current, target, versionIssues, sectionErrors. Option B: if
you only want cluster-state hygiene, add a doc comment to CRDCompatCheck.Run
and/or rename the check to crd_stored_versions, remove current/target parameters
and the unused sectionErrors variable so the signature and function behavior
match.

In `@pkg/readiness/etcd_health.go`:
- Around line 33-50: The code counts pods as healthy based on phase=="Running",
which overstates etcd health; change the readiness check to inspect the pod
"Ready" condition instead (e.g., look through pod.Object.status.conditions for a
condition with type "Ready" and status "True" and use that to set
ready/healthyMembers) while still populating result["members"],
result["healthy_members"], and result["total_members"] as before; also update
TestEtcdHealthCheck in pkg/readiness/checks_test.go to add Ready pod conditions
to the fixture pods so the test reflects the new readiness logic.

In `@pkg/readiness/node_capacity.go`:
- Line 10: The comment/docstring for NodeCapacityCheck is inaccurate: it says it
"assesses node readiness and resource headroom" but the code only reports
readiness and schedulability counts. Update the NodeCapacityCheck comment, any
kubernetes.io/description annotations and nearby doc strings to state that the
check reports node readiness and schedulability counts (e.g., "reports counts of
Ready and Schedulable nodes" or similar), removing the incorrect reference to
resource headroom so the description matches the implementation.

In `@pkg/readiness/olm_lifecycle.go`:
- Around line 149-167: The target compatibility logic in the loop (fields
compat, parsedTarget, parsedMax, parsedMin, entry["compatible_with_target"],
incompatibleWithTarget) only checks maxOCP; update it so when hasTarget is true
you evaluate both min and max bounds: parse minOCP (if non-empty) and set a
minOk flag based on parsedTarget.Compare(parsedMin) >= 0 (or true if no min),
parse maxOCP and set maxOk based on parsedTarget.Compare(parsedMax) <= 0 (or
true if no max), then set entry["compatible_with_target"] = minOk && maxOk and
increment incompatibleWithTarget only when that result is false. Ensure error
handling for semver.ParseTolerant leaves the corresponding bound as
not-applicable (treat as true) rather than skipping the combined check.
- Around line 64-65: The PackageManifest indexing currently uses indexByName
(pkgIndex := indexByName(pkgManifests)), which only keys by metadata.name and
can collide across catalogs; change the index to use a composite key consisting
of status.catalogSource + "|" + status.catalogSourceNamespace + "|" +
(status.packageName or metadata.name as a fallback) (either by replacing
indexByName with a new indexByPackageCompositeKey or extending it), and update
the Subscription lookup that builds the pkg key (the code that currently looks
up pkgIndex[...]) to construct the same composite from subscription.Spec.Source
+ "|" + subscription.Spec.SourceNamespace + "|" + (pkgStatusPackageName or
metadata.name fallback). Also update any other places using pkgIndex (the other
lookups noted in the comment) to use the composite-key logic so
channel/compatibility matching uses the correct CatalogSource.

In `@pkg/readiness/pdb_drain.go`:
- Around line 26-27: The code reads PDB thresholds using NestedString which
drops integer values; in pkg/readiness/pdb_drain.go replace the NestedString
calls for maxUnavailable and minAvailable with
unstructured.NestedFieldNoCopy(pdb.Object, "spec", "maxUnavailable") and
unstructured.NestedFieldNoCopy(pdb.Object, "spec", "minAvailable") to capture
the raw IntOrString values from pdb.Object, then convert those raw values to
strings only when building the output/issue map (or keep the raw types if
preferable) so numeric thresholds like 1 or 0 are preserved instead of becoming
empty strings.

---

Nitpick comments:
In `@pkg/cvo/cvo.go`:
- Around line 400-406: Store the dynamic client on the Operator (optr) instead
of relying on proposal.Creator.DynamicClient(): when creating the proposal
creator in the init block where proposal.NewCreator(dynamicClient, ...) is
called, assign dynamicClient to a new optr.dynamicClient field and pass that
same client into proposal.NewCreator; update maybeCreateLightspeedProposal and
readiness.RunAll callers to use optr.dynamicClient directly and remove the
DynamicClient() accessor from proposal.Creator so the proposal package no longer
exposes its internal client.

In `@pkg/readiness/api_deprecations.go`:
- Around line 21-30: Replace the fragile string check in the error handling
block inside the function that lists APIRequestCounts (the code checking if
strings.Contains(err.Error(), "not found")) with the typed Kubernetes error
check apierrors.IsNotFound(err); import "k8s.io/apimachinery/pkg/api/errors"
(alias apierrors if not already) and keep the existing behavior of returning the
warning map and nil error when the resource is absent, otherwise return the
wrapped fmt.Errorf as before.

In `@pkg/readiness/check_test.go`:
- Around line 150-224: The test TestRunAllMixedResults is not exercising the
real RunAll orchestration (it re-implements the logic and only toys with
AllChecks), so either make RunAll testable by accepting an injected []Check or
make AllChecks a package-level variable tests can override and then call RunAll
with []Check{okCheck, failCheck, partialCheck} and assert on the returned
*Output (including Meta.ChecksOK/Meta.ChecksErrored and per-check Data/Error
preservation), or remove the dead test; update the test to call RunAll (or
replace it) instead of manually iterating checks so timeouts, concurrency,
elapsed accounting and partial-data handling in RunAll are actually verified.

In `@pkg/readiness/client_test.go`:
- Around line 102-126: The "empty" subtest currently asserts nothing because
contains: []string{} makes the inner loop skip; update the test to use
strings.Contains(got, s) instead of the manual index walk and for the "empty"
case assert the exact expected output (e.g. for the test case with name "empty"
and labels map[string]string{} add an explicit check like if got != "" {
t.Errorf(...)}), or drop that case—locate the table-driven tests around
FormatLabelSelector in pkg/readiness/client_test.go and modify the test loop to
call strings.Contains and add the explicit equality assertion for the "empty"
entry.

In `@test/cvo/readiness.go`:
- Around line 20-74: Add Ginkgo labels to the suite (e.g., "TechPreview" and
"Serial" or the appropriate "CustomNoUpgrade"/"LightspeedProposals" labels) and
stop calling readiness.RunAll(...) inside every It; instead, run
readiness.RunAll(ctx, dynamicClient, currentVersion, targetVersion) once and
store its result in a suite-scoped variable (e.g., var output *readiness.Output)
populated in BeforeEach or a BeforeAll so each It reads from that cached output;
update all It blocks to reference the cached output and remove the repeated
RunAll calls, then run make update to refresh test metadata.
- Around line 192-194: The code does an unsafe type assertion on
result.Data["blocking_pdbs"] (and similarly result.Data["summary"]) which can
panic; change to a safe assertion using the comma-ok pattern (e.g., v, ok :=
result.Data["blocking_pdbs"]; cast, ok2 := v.([]map[string]any)) or a type
switch, assert with o.Expect that the value exists/is the expected type, and if
nil treat it as an empty slice/map before using len or indexing; update the
references to blockingPDBs and the summary extraction to use these safe checks
so tests fail with assertions instead of panicking.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@install/0000_00_cluster-version-operator_45_lightspeed-crd-proposals.yaml`:
- Around line 44-47: The CRD's openAPIV3Schema.description claims "Proposal is
cluster-scoped" but the CRD sets scope: Namespaced; fix by either changing
scope: Namespaced to scope: Cluster in
install/0000_00_cluster-version-operator_45_lightspeed-crd-proposals.yaml or by
updating openAPIV3Schema.description (and any kubernetes.io/description/doc
comments) to accurately state it is namespaced; then ensure this choice matches
the runtime usage in pkg/proposal/proposal.go (the Create(...) call) and update
nearby comments/annotations to be consistent with the selected scope.
- Around line 6-10: The CRD manifest metadata for proposals.agentic.openshift.io
is missing the cluster-profile annotations used by CVO; update the
metadata.annotations block in
install/0000_00_cluster-version-operator_45_lightspeed-crd-proposals.yaml to add
the same include.release.openshift.io/* profile keys used across other install
manifests (for example
include.release.openshift.io/self-managed-high-availability: "true" and any
other profiles your repo requires) so the CRD is rendered under the appropriate
cluster profiles when the feature gate (release.openshift.io/feature-gate:
LightspeedProposals) is enabled.

In `@install/0000_00_cluster-version-operator_46_lightspeed-crd-agents.yaml`:
- Around line 6-10: Add the required release profile annotations and a
description to the CRD metadata: inside the metadata.annotations block for the
resource named agents.agentic.openshift.io, add the
include.release.openshift.io/* profile annotations (e.g.,
include.release.openshift.io/approved: "true" and the appropriate profile keys
used across manifests such as include.release.openshift.io/optional,
include.release.openshift.io/cluster or similar per your repo conventions) and
add a kubernetes.io/description annotation that succinctly explains this is a
temporary Agent CRD used for LightspeedProposals and its intended lifecycle;
update the annotations list under metadata.annotations in the manifest where
name: agents.agentic.openshift.io appears.
- Around line 98-115: The CRD currently allows invalid Agent specs because
llmRef.name is not required and outputFields vs rawOutputSchema mutual exclusion
is not enforced; update the Agent CRD OpenAPI schema: mark llmRef.name as
required (add "required: [\"name\"]" under llmRef properties or add it to the
containing object) and add a validation that enforces mutual exclusivity between
spec.outputFields and spec.rawOutputSchema (use oneOf/anyOf with schema
predicates or an x-kubernetes-validation rule that checks exactly one is set),
applying the same changes to the other Agent-like schema blocks referenced
(lines ~213-447, 518-521) so invalid Agents are rejected at admission.

In `@install/0000_00_cluster-version-operator_47_lightspeed-crd-workflows.yaml`:
- Around line 6-10: The manifest for the CRD named
workflows.agentic.openshift.io is missing required cluster-profile and
description annotations; add appropriate include.release.openshift.io/* profile
annotations (e.g., include.release.openshift.io/accept-never,
include.release.openshift.io/optional, or the correct profiles your repo uses)
under metadata.annotations and add a kubernetes.io/description annotation that
briefly explains this is a temporary Workflow CRD for LightspeedProposals and
its intended scope/purpose so the resource has both release-profile and
descriptive metadata.
- Around line 95-119: The CRD descriptions state agentRef must be omitted or nil
when skip is true but the validation only requires agentRef.name when skip is
false; add a CEL validation to enforce the contract (e.g., a rule that when skip
== true then agentRef is null/absent or agentRef.name is empty, and when skip ==
false agentRef.name must be present) for the step object containing the skip and
agentRef fields (referencing agentRef, agentRef.name and skip) or alternatively
relax the description to match existing CEL rules—apply the same change to the
other step schemas called out (lines 127-151, 159-183, 189-198).

In `@pkg/cvo/cvo.go`:
- Around line 1275-1286: The code uses optr.release.Version for readiness output
and proposal creation which can miss merged fallback metadata; call and use the
merged currentVersion() result instead: obtain v := optr.currentVersion() (or
however currentVersion() is exposed), pass v into readiness.RunAll(ctx, dc, v,
targetVersion) and into optr.proposalCreator.MaybeCreateProposal(ctx, v,
targetVersion, targetKind, config.Spec.Channel, au.Updates, readinessJSON), and
remove references to optr.release.Version so readinessJSON and proposal metadata
consistently use the merged version.

In `@pkg/readiness/network.go`:
- Around line 33-43: The readiness checker currently embeds raw proxy config
into result by reading GetResource(ctx, dc, GVRProxy, "cluster") and putting
NestedString(proxy.Object, "spec", "httpProxy"/"httpsProxy"/"noProxy") into
result; change this to avoid exposing credentials/domains by replacing the raw
strings with redacted summaries or booleans (e.g., "http_proxy": {"present":
true, "redacted": true, "length": N} or simply {"present": true}) and/or
sanitized metadata (e.g., host-only or masked value), update the code that sets
result["proxy"] (and any callers expecting these keys) accordingly, and keep
error handling via SectionError unchanged; use the proxy variable, GVRProxy,
GetResource and NestedString locations to find the block to modify.

In `@test/cvo/readiness.go`:
- Line 20: The g.Describe block for the cluster-version-operator readiness E2E
test is missing Ginkgo labels; update the g.Describe call (the Describe defined
as var _ = g.Describe(`[Jira:"Cluster Version Operator"]
cluster-version-operator readiness checks`, func() { ... })) to include g.Label
calls for CI categorization (for example add g.Label("Serial") and any relevant
ticket/feature label like g.Label("OTA-1813") or a TechPreview label)
immediately inside the Describe block so the suite is selectable/filterable by
CI tooling.

---

Duplicate comments:
In `@pkg/cvo/cvo.go`:
- Around line 775-779: The proposal path currently calls
optr.handleProposalAnnotation synchronously from the sync path (guarded by
optr.shouldCreateLightspeedProposals()) which can block reconciliation; change
this to a non-blocking bounded call by creating a short child context with a
timeout (e.g., context.WithTimeout) and invoking handleProposalAnnotation in a
separate goroutine (or enqueue the request to an existing worker queue) so the
main sync returns immediately; ensure you pass the timeout-bound ctx into
handleProposalAnnotation and log any timeout/error outcomes instead of letting
it delay status reconciliation.

In `@pkg/readiness/node_capacity.go`:
- Line 10: The comment for NodeCapacityCheck is inaccurate—update the
docstring/comment and any kubernetes.io/description annotations near the
NodeCapacityCheck function to reflect that it reports node readiness and
schedulability counts (not resource headroom); locate the NodeCapacityCheck
declaration in node_capacity.go and change the description text to explicitly
say it assesses node readiness and counts schedulable/unschedulable nodes so the
wording matches the actual output.

In `@pkg/readiness/pdb_drain.go`:
- Around line 26-27: The code currently calls NestedString(pdb.Object, "spec",
"maxUnavailable") and NestedString(... "minAvailable") which coerces numeric PDB
thresholds to strings and loses integer values; change the extraction to fetch
the raw value (use unstructured.NestedFieldCopy or NestedFieldNoCopy on
pdb.Object with "spec","maxUnavailable" and "spec","minAvailable"), then
type-switch the returned interface{} to handle integers (int/int64/float64) and
strings, converting numbers to their exact string representation only when
needed so numeric thresholds are preserved; update any downstream usage that
assumes string to accept the normalized string produced by your type-switch.

---

Nitpick comments:
In `@pkg/proposal/proposal_test.go`:
- Around line 139-161: Rename the misleading test case name inside
TestClassifyUpdate so it reflects the behavior being tested: change the struct
entry with name "major" (which calls classifyUpdate("4.15.1","5.0.0")) to a
clearer label such as "major-bump-classified-as-minor" (keeping the expected
value "minor"); this makes the intent explicit while leaving the classifyUpdate
call and expected assertion unchanged.

In `@pkg/proposal/proposal.go`:
- Around line 275-283: Add a MaxAttempts configuration knob and use it instead
of the hard-coded int64(2): add a MaxAttempts int (default 2) to the Config type
that c.config references, validate/clip it to the CRD-supported range 0–20 when
the config is constructed or loaded, and replace the literal int64(2) in the
proposal spec construction (where "spec" -> "maxAttempts" is set) with
int64(c.config.MaxAttempts) so the value is configurable and bounded.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/cvo/cvo.go`:
- Around line 1247-1252: When creating proposals for conditional updates, pass
combined context containing both recommended and conditional versions instead of
only au.Updates: inside the loop that calls
optr.proposalCreator.MaybeCreateProposal for each entry of
au.ConditionalUpdates, build a deduplicated slice that merges au.Updates and the
versions from au.ConditionalUpdates (or alternatively extend the buildRequest
signature to accept conditional updates) and pass that merged slice as the
"other updates" argument so buildRequest can list both recommended and
conditional alternatives when generating the proposal.

In `@pkg/proposal/proposal.go`:
- Around line 171-185: In Creator.readSystemPrompt, currently when the ConfigMap
exists but the "prompt" key is missing or not a string the code silently returns
"", so change the function to log that misconfiguration before returning: detect
the missing-or-wrong-type branch after unstructured.NestedMap(obj.Object,
"data") and emit a klog.V(2).Infof or klog.Warningf including
c.config.Namespace, c.config.PromptConfigMap and a clear message that the
"prompt" key is missing or not a string (reference symbols: readSystemPrompt,
Creator, unstructured.NestedMap); keep behavior of returning "" but ensure the
log is written to make the issue discoverable.

In `@pkg/readiness/cluster_conditions.go`:
- Around line 34-42: The code treats a missing Upgradeable condition
(conditions[ConditionUpgradeable]) as a zero-value and reports non-upgradeable;
change the logic that builds result["upgradeable"] (and any use of
summary.upgradeable) to first check whether the ConditionUpgradeable key exists
in the conditions map, and if absent default to upgradeable=true (or status
"True"/"Unknown" per your conventions), only setting upgradeable=false when the
condition is present and its Status == ConditionFalse; similarly, for
ConditionProgressing handle missing keys explicitly (keep default false if you
prefer) instead of relying on zero-value semantics so
result["update_in_progress"] accurately reflects an explicit Progressing=False
vs missing condition.

---

Duplicate comments:
In `@pkg/readiness/client.go`:
- Around line 153-163: CompareVersions currently masks parse errors by returning
0; change its signature from CompareVersions(a, b string) int to
CompareVersions(a, b string) (int, error) and return a non-nil error when
semver.ParseTolerant(a) or semver.ParseTolerant(b) fails instead of returning 0;
on success return va.Compare(vb) with nil error. Update the function comment to
document the new (int, error) return and then find and update all callers of
CompareVersions to handle the error path (e.g., via the suggested rg search)
before using the comparison result, and ensure any kubernetes.io/description
comments or docstrings near CompareVersions still accurately describe the new
behavior.
- Around line 3-5: FormatLabelSelector currently builds the selector from a map
and relies on Go's map iteration order; change it to collect each "key=value"
(or "key in (v1,v2)" parts) into a slice, sort that slice deterministically
using a stable comparator that first sorts by key and then by value (as a
tiebreaker), and then join the sorted parts to form the selector string. Apply
the same approach to the other selector-construction logic around lines 166-172
(the other function that assembles selector parts) so both functions produce
stable, deterministic output.

---

Nitpick comments:
In `@pkg/readiness/api_deprecations.go`:
- Around line 20-31: Replace the brittle string match on err.Error() in the
APIRequestCount listing with proper typed checks: when ListResources(ctx, dc,
GVRAPIRequestCount, "") returns an error, test it using meta.IsNoMatchError(err)
and k8s.io/apimachinery/pkg/api/errors.IsNotFound(err) (or the repo helper
isNoMatchError if available) instead of strings.Contains; if either indicates
the resource/GVR is absent, set the same warning/blocker fields and return
result, otherwise propagate the error (the affected symbols are ListResources,
GVRAPIRequestCount and the error handling branch around that call).

In `@pkg/readiness/check.go`:
- Around line 83-151: When a check fails inside RunAll (the goroutine that calls
ch.Run with perCheckTimeout), add a klog emit in the error branch so failures
are visible in cluster logs: detect timeout vs other errors (the err returned
from ch.Run) and call klog.V(4).Infof for timeout-related errors and
klog.Warningf for non-timeout errors, include the check name (ch.Name()), the
error string, elapsed seconds, and any short snippet of result data; keep this
logging inside the same goroutine before populating results[ch.Name()] so the
existing CheckResult building (Status, Error, Data) remains unchanged.

In `@pkg/readiness/checks_test.go`:
- Around line 13-37: The test's gvrs map in newFakeDynamicClient duplicates the
production mapping of GVR→list-kind; add an exported helper (e.g., ListKinds()
returning map[schema.GroupVersionResource]string) in the readiness package
(alongside the GVR constants in client.go), switch newFakeDynamicClient to call
readiness.ListKinds() instead of inlining gvrs, and update production code to
use the same helper so both runtime and tests share one source of truth and
avoid drift when new GVRs are added.

In `@pkg/readiness/client_test.go`:
- Around line 109-126: Replace the manual substring search in the test loop with
strings.Contains by importing "strings" and using if !strings.Contains(got, s)
to check each expected substring for FormatLabelSelector; additionally, make the
"empty" test case assert the actual intended output (e.g., assert got == "" or
whatever the expected string is) instead of leaving contains: []string{} which
makes the inner loop a no-op—update the tests slice entry for the "empty" case
to include the explicit expected value and assert it (refer to the
FormatLabelSelector call and the tests variable in the test function).