[quality] Add handler test helper and health/status endpoint tests

.claude/session-summary.md

@@ -0,0 +1,54 @@
+# KubeStellar Console — Session Summary
+
+## What this project is
+
+KubeStellar Console is a standalone Kubernetes dashboard and AI mission platform. It is **not** related to the legacy `kubestellar/kubestellar` project (BindingPolicy, WECs, ITSs). They share an org name only.
+
+## Architecture
+
+- **Backend**: Go + Fiber v2, port 8080. Serves both the API and the built frontend.
+- **Frontend**: React + TypeScript + Tailwind CSS + Vite, port 5174 in dev.
+- **kc-agent**: Local WebSocket bridge (port 8585) connecting the browser to kubeconfig + MCP servers.
+- **Production**: Netlify (console.kubestellar.io). API routes via Netlify Functions (`web/netlify/functions/*.mts`), not the Go backend.
+- **Database**: SQLite WASM in a Web Worker (off-main-thread), IndexedDB fallback.
+
+## Key directories
+
+```
+cmd/console/       Server entry point
+cmd/kc-agent/      Local agent (kubeconfig + MCP bridge)
+pkg/api/           HTTP/WS server + handlers
+pkg/store/         SQLite database layer
+web/src/           React + TypeScript frontend
+  components/cards/  Dashboard card components
+  hooks/             useCached* data-fetching hooks
+  lib/               Cache, card registry, demo data, themes
+web/netlify/functions/  Netlify serverless API (production)
+deploy/helm/       Helm chart
+```
+
+## Critical rules for agents
+
+- **Feature branches only** — never commit to main directly; always use `git worktree add /tmp/kubestellar-console-<slug> -b <branch>`
+- **DCO required** — every commit must use `git commit -s` (`Signed-off-by: Andy Anderson <andy@clubanderson.com>`)
+- **isDemoData wiring** — every card using `useCached*` MUST pass `isDemoData` and `isRefreshing` to `useCardLoadingState()`
+- **No magic numbers** — every numeric literal must be a named constant
+- **DeduplicatedClusters()** — always use when iterating clusters (multiple contexts can point to the same cluster)
+- **Guard arrays** — never call `.join()`, `.map()`, `.filter()` on values that might be `undefined`
+- **Netlify parity** — Go API handlers need matching Netlify Function counterparts; MSW passthrough rules required for demo mode
+
+## Starting the console
+
+```bash
+cd /tmp/kubestellar-console && bash startup-oauth.sh
+```
+
+Frontend URL: `http://localhost:8080` (served by Go backend, not Vite).
+
+## Active subsystems
+
+- **ACMM dashboard** (`/acmm`) — AI Capability Maturity Model scanner. Badge via `/api/acmm/badge?repo=owner/name` (shields.io endpoint).
+- **AI Missions** — guided install/solution missions defined in `kubestellar/console-kb` under `fixes/cncf-install/`.
+- **Drasi dashboard** (`/drasi`) — reactive-pipeline topology view.
+- **Benchmark cards** — Google Drive API backed; require `GOOGLE_DRIVE_API_KEY` in `.env`.
+- **Nightly E2E** — runs at 1 AM ET via GitHub Actions; failures open rolling incident issues.

.claude/settings.json

@@ -0,0 +1,33 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npm run build)",
+      "Bash(npm run lint)",
+      "Bash(npm run dev*)",
+      "Bash(go build*)",
+      "Bash(go test*)",
+      "Bash(go run*)",
+      "Bash(git status)",
+      "Bash(git diff*)",
+      "Bash(git log*)",
+      "Bash(git add*)",
+      "Bash(git commit*)",
+      "Bash(git checkout*)",
+      "Bash(git branch*)",
+      "Bash(git worktree*)",
+      "Bash(git pull*)",
+      "Bash(git push*)",
+      "Bash(curl*)",
+      "Bash(lsof*)",
+      "Bash(kill*)",
+      "Bash(cat*)",
+      "Bash(ls*)",
+      "Bash(jq*)"
+    ],
+    "deny": [
+      "Bash(rm -rf /)",
+      "Bash(git push --force origin main)",
+      "Bash(git push --force origin master)"
+    ]
+  }
+}

.clomonitor.yml

@@ -0,0 +1,8 @@
+# CLOMonitor metadata file
+# This file must be located at the root of the repository
+# https://clomonitor.io/projects/cncf/kubestellar
+
+# Checks exemptions
+exemptions:
+  - check: trademark_disclaimer
+    reason: 'The Linux Foundation trademark disclaimer and link are contained within the KubeStellar Console at https://console.kubestellar.io in the footer. However, because the site is delivered dynamically via React through JavaScript, the check cannot currently identify it.'

.dockerignore

@@ -0,0 +1,9 @@
+.git
+.github
+node_modules
+web/node_modules
+*.md
+.env
+.env.*
+data/
+tmp/

.editorconfig

@@ -0,0 +1,18 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.go]
+indent_style = tab
+
+[*.md]
+trim_trailing_whitespace = false
+
+[Makefile]
+indent_style = tab

.env.example

@@ -12,10 +12,15 @@ SKIP_ONBOARDING=false
 # External API Configuration (optional)
 # Geocoding API for weather card location search (default: Open-Meteo free API)
 VITE_GEOCODING_API_URL=https://geocoding-api.open-meteo.com/v1/search
+# Override kc-agent URL (useful for WSL→Windows setups where agent runs on Windows host)
+# VITE_KC_AGENT_URL=http://172.x.x.x:8585
 
 # Feature request / AI automation settings (optional)
-# GitHub PAT for creating issues (needs 'repo' scope)
-# Get from: https://github.com/settings/tokens
+# GitHub PAT for programmatic issue creation and screenshot uploads.
+# Classic PAT: needs 'repo' scope (https://github.com/settings/tokens)
+# Fine-grained PAT: needs 'Issues: Read and write' + 'Contents: Read and write'
+#   (https://github.com/settings/personal-access-tokens/new)
+# Without 'Contents' permission, issues are created but screenshots silently fail.
 FEEDBACK_GITHUB_TOKEN=
 # Repository where issues will be created
 FEEDBACK_REPO_OWNER=kubestellar
@@ -24,6 +29,20 @@ FEEDBACK_REPO_NAME=console
 # Generate with: openssl rand -hex 32
 GITHUB_WEBHOOK_SECRET=
 
+# Sidebar dashboard filter (comma-separated dashboard IDs, empty = show all)
+# The order here controls the sidebar display order.
+# Protected items (dashboard, clusters, deploy) cannot be removed by users.
+#
+# All available dashboard IDs:
+#   dashboard, clusters, deploy, ai-ml, ai-agents, ci-cd, alerts,
+#   arcade, compliance, compute, cost, data-compliance, deployments, events,
+#   gitops, gpu-reservations, helm, llm-d-benchmarks, logs, network, nodes,
+#   operators, pods, security, security-posture, services, storage, workloads
+#
+# Example (llm-d focused):
+#   ENABLED_DASHBOARDS=dashboard,gpu-reservations,llm-d-benchmarks,ai-ml,arcade
+ENABLED_DASHBOARDS=
+
 # ===========================================
 # AI Agent Configuration (at least one required for AI features)
 # ===========================================
@@ -43,6 +62,177 @@ GOOGLE_API_KEY=
 # Model selection (optional - default: gemini-2.0-flash)
 GEMINI_MODEL=
 
+# OpenRouter API (https://openrouter.ai/keys)
+# Unified OpenAI-compatible gateway to Anthropic, OpenAI, Google, Meta,
+# Mistral, Qwen and other models via a single API key.
+OPENROUTER_API_KEY=
+# Model selection (optional - default: openai/gpt-4o-mini). See
+# https://openrouter.ai/models for the full catalog.
+OPENROUTER_MODEL=
+# Optional base URL override for self-hosted OpenRouter proxies.
+OPENROUTER_BASE_URL=
+
+# Groq API (https://console.groq.com/keys)
+# OpenAI-compatible chat completions backed by Groq's LPU inference hardware,
+# yielding very low latency for Llama, Mixtral, Gemma and other open-weights
+# models. See https://console.groq.com/docs/openai for wire-format details.
+GROQ_API_KEY=
+# Model selection (optional - default: llama-3.3-70b-versatile). See
+# https://console.groq.com/docs/models for the full catalog.
+GROQ_MODEL=
+# Optional base URL override for self-hosted Groq proxies.
+GROQ_BASE_URL=
+
 # Default AI agent (optional - auto-detected based on available keys)
-# Options: claude, openai, gemini
+# Options: claude, openai, gemini, openrouter, groq
 DEFAULT_AGENT=
+
+# ===========================================
+# Stellar assistant (optional)
+# ===========================================
+# Local Ollama endpoint (defaults to http://localhost:11434)
+OLLAMA_BASE_URL=http://localhost:11434
+# Default provider/model for /api/stellar/ask and /api/stellar/digest
+STELLAR_DEFAULT_PROVIDER=ollama
+STELLAR_DEFAULT_MODEL=llama3
+# Polling interval for Stellar event watcher
+STELLAR_WATCHER_INTERVAL=30s
+
+# ===========================================
+# ArgoCD Integration (optional)
+# ===========================================
+# Auth token for ArgoCD REST API sync (bypasses CLI and annotation fallback)
+# Generate via: argocd account generate-token --account admin
+# If not set, sync falls back to argocd CLI or annotation patching
+ARGOCD_AUTH_TOKEN=
+# WARNING: Setting this to "true" disables TLS certificate verification for
+# ArgoCD API calls. Only use in dev/test environments with self-signed certs.
+ARGOCD_TLS_INSECURE=
+
+# ===========================================
+# GA4 Analytics — Anti-spam proxy
+# ===========================================
+# The frontend uses a DECOY Measurement ID (visible in source code).
+# The first-party proxy at /t/g/collect rewrites it to the real ID below.
+# Spammers who scrape the source code send hits to a non-existent property.
+GA4_REAL_MEASUREMENT_ID=
+
+# ===========================================
+# GPU Utilization Threshold Alerting (optional)
+# ===========================================
+# Alert when GPU utilization exceeds or falls below these percentages
+# Default values: over-threshold 90%, under-threshold 20%
+GPU_UTIL_OVER_THRESHOLD=90
+GPU_UTIL_UNDER_THRESHOLD=20
+
+# ===========================================
+# WebSocket Configuration
+# ===========================================
+# WebSocket connection limit (default: 1000)
+# Prevents resource exhaustion by capping concurrent WebSocket connections.
+# Each connection consumes ~1 file descriptor, ~5KB memory, and 2 goroutines.
+# Scale horizontally (add replicas) for higher total capacity.
+WS_MAX_CONNECTIONS=
+
+# ===========================================
+# Server Configuration (optional — sensible defaults)
+# ===========================================
+# Backend listening port (default: 8080)
+# PORT=8080
+# Path to SQLite database file (default: ./console.db)
+# DATABASE_PATH=./console.db
+# Global HTTP request body size limit in bytes (default: 5242880 = 5 MB)
+# MAX_BODY_BYTES=5242880
+
+# ===========================================
+# Kubernetes Configuration (optional)
+# ===========================================
+# Path to kubeconfig file (default: ~/.kube/config)
+# KUBECONFIG=~/.kube/config
+# Override cluster name (default: auto-detected from kubeconfig)
+# CLUSTER_NAME=
+
+# ===========================================
+# kc-agent Authentication
+# ===========================================
+# Shared secret for authenticating with the co-located kc-agent.
+# startup-oauth.sh and start-dev.sh auto-generate a per-session token if unset.
+# Set this to keep a stable token across restarts or when launching kc-agent manually.
+# Generate with: openssl rand -hex 32
+# KC_AGENT_TOKEN=
+
+# ===========================================
+# KAgent / KAgenti Service Discovery (optional, in-cluster only)
+# ===========================================
+# Direct controller URL overrides (skip service discovery):
+# KAGENT_CONTROLLER_URL=
+# KAGENTI_CONTROLLER_URL=
+# KAGENTI_AGENT_URL=
+# KAGENTI_AGENT_NAME=
+#
+# Service discovery components (used when controller URL is not set):
+# KAGENT_NAMESPACE=
+# KAGENT_SERVICE_NAME=
+# KAGENT_SERVICE_PORT=
+# KAGENT_SERVICE_PROTOCOL=http
+# KAGENTI_NAMESPACE=
+# KAGENTI_SERVICE_NAME=
+# KAGENTI_SERVICE_PORT=
+# KAGENTI_SERVICE_PROTOCOL=http
+
+# ===========================================
+# GPU DCGM Exporter (optional, requires NVIDIA GPU Operator)
+# ===========================================
+# Enable NVIDIA DCGM exporter scraping for real GPU memory/utilization metrics.
+# Requires the NVIDIA GPU Operator to be installed in the cluster.
+# GPU_METRICS_DCGM_ENABLED=false
+# Kubernetes namespace where the GPU Operator DCGM exporter runs (default: gpu-operator)
+# GPU_METRICS_DCGM_NAMESPACE=gpu-operator
+# Service name of the DCGM exporter (default: dcgm-exporter)
+# GPU_METRICS_DCGM_SERVICE=dcgm-exporter
+# GPU metrics polling interval in milliseconds (default: 1200000 = 20 minutes)
+# GPU_UTIL_POLL_INTERVAL_MS=1200000
+
+# ===========================================
+# GitHub Pipelines Integration (optional)
+# ===========================================
+# Comma-separated list of GitHub repos for CI/CD pipeline monitoring
+# Format: owner/repo,owner/repo2
+# PIPELINE_REPOS=
+# GitHub PAT for mutation operations in pipelines (re-run, cancel)
+# GITHUB_MUTATIONS_TOKEN=
+# GitHub repository for update checks (default: kubestellar/console)
+# GITHUB_REPO=kubestellar/console
+
+# ===========================================
+# TLS Configuration (optional)
+# ===========================================
+# Enable HTTPS with TLS certificates
+# TLS_ENABLED=false
+# TLS_CERT_FILE=/path/to/cert.pem
+# TLS_KEY_FILE=/path/to/key.pem
+
+# ===========================================
+# In-Cluster Deployment (optional)
+# ===========================================
+# Suppress local kc-agent connections (for in-cluster deployments that use
+# the backend directly without the local agent bridge)
+# NO_LOCAL_AGENT=false
+# Kubernetes namespace where the console pod runs (for self-upgrade feature)
+# POD_NAMESPACE=
+
+# ===========================================
+# Frontend Build-Time Variables (optional)
+# ===========================================
+# These VITE_* variables are baked into the frontend at build time.
+# They cannot be changed at runtime without rebuilding.
+#
+# API base URL for backend calls (default: empty = same origin)
+# VITE_API_BASE_URL=
+# Enable demo/Netlify preview mode (default: false)
+# VITE_DEMO_MODE=false
+# Suppress local kc-agent in frontend (default: false)
+# VITE_NO_LOCAL_AGENT=false
+# DRASI reactive graph integration (optional)
+# VITE_DRASI_SERVER_URL=
+# VITE_DRASI_PLATFORM_CLUSTER=