Merge origin/main into proposal/0004-send-message-ruby

Author: snickell

extended/docs/proposals/0004-send-message-step-plugin/checklist.python.md

@@ -0,0 +1,86 @@
+# 0004 Python Checklist
+
+## Baseline
+
+- [x] Plugin work lives under `extended/plugins/send-message-python/`.
+- [x] The subtree stands alone.
+- [x] No committed Slack credential appears anywhere.
+- [x] The plugin owns Kubernetes reads and Slack calls.
+
+## Phase 0: pin the contract
+
+- [x] Re-read `proposal.md`.
+- [x] Re-read `spec.md`.
+- [x] Re-read the `send-message` slice in proposal `0002`.
+- [x] Keep scope to Slack only.
+
+## Phase 1: create the tiny repo
+
+- [x] Create `extended/plugins/send-message-python/`.
+- [x] Add runtime source.
+- [x] Add image build.
+- [x] Add `plugin.yaml`.
+- [x] Add CRD manifests.
+- [x] Add RBAC manifests.
+- [x] Add smoke assets.
+
+## Phase 2: implement the runtime
+
+- [x] Implement `POST /api/v1/step.execute`.
+- [x] Enforce bearer auth from `/var/run/kargo/token`.
+- [x] Read `MessageChannel`.
+- [x] Read `ClusterMessageChannel`.
+- [x] Read referenced `Secret`.
+- [x] Send plaintext Slack payloads.
+- [x] Send encoded Slack payloads.
+- [x] Return `slack.threadTS`.
+
+## Phase 3: test the contract
+
+- [x] Add auth tests.
+- [x] Add channel lookup tests.
+- [x] Add Secret lookup tests.
+- [x] Add plaintext payload tests.
+- [x] Add encoded payload tests.
+- [x] Add XML decode tests.
+- [x] Add Slack failure tests.
+
+## Phase 4: smoke
+
+- [x] Add plugin-owned `smoke/smoke_test.py`.
+- [x] Keep smoke orchestration in Python, not shell.
+- [x] Build the image.
+- [x] Load it into kind.
+- [x] Install CRDs and RBAC.
+- [x] Install StepPlugin `ConfigMap`.
+- [x] Create local-only test Secret.
+- [x] Create test `MessageChannel`.
+- [x] Run a `Stage` with `uses: send-message`.
+- [x] Assert `Succeeded`.
+- [x] Assert non-empty `slack.threadTS`.
+
+## Phase 5: mandatory radical simplification pass 1
+
+- [x] Ask "can I make this look easier by deleting a dependency?"
+- [x] Ask "can I merge files without making the contract harder to read?"
+- [x] Ask "am I using a framework just because it is familiar?"
+- [x] Delete anything that fails those checks.
+
+## Phase 6: mandatory radical simplification pass 2
+
+- [x] Re-run tests and smoke from a green tree.
+- [x] Ask "can I make this radically simpler?"
+- [x] Remove abstractions that only serve style.
+- [x] Remove helpers that only save a few lines.
+- [x] Stop only when the repo still reads like a small third-party plugin.
+
+Refactor pass notes:
+- Split the runtime into small package files for:
+  - app flow
+  - HTTP entrypoint
+  - Kubernetes and Slack clients
+  - payload decoding and shaping
+- Split smoke support out of the entrypoint into `smoke/lib.py`.
+- Re-ran unit tests after refactor.
+- Re-ran `py_compile` across all Python files after refactor.
+- Re-ran isolated kind smoke through `extended/tests/e2e_stepplugins.sh`.

extended/docs/proposals/0004-send-message-step-plugin/implementation_checklist.md

@@ -0,0 +1,94 @@
+# 0004 Implementation Checklist
+
+Update this as implementation teaches us things.
+
+## Baseline
+
+- [x] Plugin work lives under `extended/plugins/send-message`.
+- [x] The plugin subtree does not rely on repo resources outside itself.
+- [x] Slack credentials stay local-only and out of git.
+- [x] The host does not own channel lookup, Secret reads, or Slack API calls.
+
+## Phase 0: read and pin the seams
+
+- [x] Read proposal 0004 again before starting code.
+- [x] Re-read the `send-message` section in proposal 0002 spec.
+- [x] Read the current StepPlugin host runtime and e2e harness seams.
+- [x] Record any host-side gap found during that read.
+
+## Phase 1: create the standalone subtree
+
+- [x] Create `extended/plugins/send-message/`.
+- [x] Add plugin-owned runtime source there.
+- [x] Add plugin-owned image build there.
+- [x] Add plugin-owned tests there.
+- [x] Add plugin-owned CRD manifests there.
+- [x] Add plugin-owned RBAC manifests there.
+- [x] Add plugin-owned smoke assets or smoke helper there.
+
+## Phase 2: implement the runtime
+
+- [x] Implement `POST /api/v1/step.execute`.
+- [x] Enforce bearer-token auth from `/var/run/kargo/token`.
+- [x] Return `403` on bad auth.
+- [x] Reject unsupported methods cleanly.
+- [x] Parse the v1 step-config subset.
+- [x] Resolve `MessageChannel` from the Project namespace.
+- [x] Resolve `ClusterMessageChannel` from the system-resources namespace.
+- [x] Resolve referenced Secrets from the correct namespace.
+- [x] Read Slack token from Secret key `apiKey`.
+- [x] Send the Slack message from the plugin.
+- [x] Return `slack.threadTS` output.
+
+## Phase 3: own the OSS CRDs and RBAC
+
+- [x] Add Slack-only `MessageChannel` CRD manifest.
+- [x] Add Slack-only `ClusterMessageChannel` CRD manifest.
+- [x] Keep the API group `ee.kargo.akuity.io/v1alpha1`.
+- [x] Add plugin-owned RBAC manifests for channel and Secret reads.
+- [x] Keep RBAC setup out of host code unless a real host gap is proven.
+
+## Phase 4: tests inside the subtree
+
+- [x] Add runtime tests for auth.
+- [x] Add runtime tests for namespaced channel lookup.
+- [x] Add runtime tests for cluster-scoped channel lookup.
+- [x] Add runtime tests for referenced Secret lookup.
+- [x] Add runtime tests for Slack request shaping.
+- [x] Add runtime tests for `slack.channelID` override.
+- [x] Add runtime tests for `slack.threadTS` override and output.
+- [x] Add runtime tests for missing channel or Secret failures.
+- [x] Add runtime tests for Slack API failure handling.
+
+## Phase 5: local smoke path
+
+- [x] Build the plugin image from `extended/plugins/send-message`.
+- [x] Load the image into the local kind cluster.
+- [x] Keep kube access on an isolated `KUBECONFIG`.
+- [x] Keep the user's existing kube context untouched.
+- [x] Install plugin CRDs and RBAC.
+- [x] Generate and install the StepPlugin `ConfigMap`.
+- [x] Inject a local-only Slack token into a cluster `Secret`.
+- [x] Create a test `MessageChannel` or `ClusterMessageChannel`.
+- [x] Run a `Stage` with `uses: send-message`.
+- [x] Prove promotion success in-cluster.
+- [x] Prove `slack.threadTS` output is populated.
+- [x] Verify the message appeared in the target Slack channel.
+
+## Phase 6: repo harness integration
+
+- [x] Extend `extended/tests/e2e_stepplugins.sh` to support the real
+      `send-message` smoke path.
+- [x] Keep the committed harness credential-free.
+- [x] Gate Slack smoke on a local env var for the token.
+- [x] Keep any non-`extended/` edit to a tiny hook only, if one is needed.
+
+## Phase Post-Green: Minimize Diff Of Files Outside ./extended Against Kargo Upstream
+
+- [x] Fetch `upstream`.
+- [x] Review every edited file outside `extended/`, if any, against
+      `upstream/main`.
+- [x] Move more logic behind `extended/` helpers if that shrinks the outside
+      diff safely.
+- [x] Re-run matching tests after each cleanup pass.
+- [x] Stop only when no obvious outside-`extended/` shrink remains.

extended/docs/proposals/0004-send-message-step-plugin/implementation_notes.md

@@ -0,0 +1,71 @@
+# 0004 Implementation Notes
+
+- Plugin subtree:
+  - `extended/plugins/send-message/`
+  - standalone `go.mod`
+  - standalone `Dockerfile`
+  - standalone `plugin.yaml`
+  - standalone CRDs and RBAC under `manifests/`
+  - standalone smoke helper under `smoke/`
+
+- Runtime contract implemented in the plugin:
+  - `POST /api/v1/step.execute`
+  - bearer auth from `/var/run/kargo/token`
+  - direct Kubernetes API reads from projected service-account credentials
+  - direct Slack API call from the plugin
+  - encoded `json`, `yaml`, and `xml` payload support
+
+- V1 scope shipped:
+  - `send-message`
+  - `MessageChannel`
+  - `ClusterMessageChannel`
+  - Slack only
+  - no SMTP
+
+- Secret and channel rules implemented:
+  - `secretRef.name` resolves in the Project namespace for `MessageChannel`
+  - `secretRef.name` resolves in the system-resources namespace for
+    `ClusterMessageChannel`
+  - Slack token key is `apiKey`
+  - `spec.slack.channelID` is required in CRD schema
+
+- Smoke harness knobs:
+  - `STEPPLUGIN_SEND_MESSAGE_SMOKE=true`
+  - `STEPPLUGIN_SEND_MESSAGE_CHANNEL_ID=<channel-id>`
+  - `STEPPLUGIN_SEND_MESSAGE_SLACK_API_KEY=<token>`
+- Plugin-local smoke entrypoint:
+  - `extended/plugins/send-message/smoke/smoke-test.sh`
+  - repo harness calls that script rather than owning the full orchestration
+
+- Host gap found during smoke:
+  - the StepPlugin auth-token mount was not readable by non-root sidecars
+  - fix was in `extended/pkg/stepplugin/agent/command_bridge.go`
+  - auth directory mode is now `0755`
+  - auth file mode is now `0444`
+
+- Smoke-result note:
+  - plugin response includes `output.slack.threadTS`
+  - Promotion state observed in-cluster stored the value under
+    `status.state.step-1.slack.threadTS`
+  - the smoke harness accepts either that path or
+    `status.stepExecutionMetadata[0].output.slack.threadTS`
+
+- Encoded-message note:
+  - when `encodingType` is set, `config.slack.channelID` and
+    `config.slack.threadTS` are ignored
+  - encoded body uses Slack-native field names such as `channel` and
+    `thread_ts`
+  - if encoded body omits `channel`, plugin fills it from channel resource
+    `spec.slack.channelID`
+
+- XML note:
+  - no public exact upstream XML example was found
+  - this implementation treats XML as a Kargo-owned alternate serialization of
+    the same Slack payload object used for `json` and `yaml`
+  - root name is ignored
+  - repeated sibling names become arrays
+
+- Non-plugin repo fix found during smoke:
+  - `pkg/cli/cmd/promote/promote.go` assumed wrapped REST payloads
+  - local smoke showed direct-object and direct-list payloads
+  - decoder helpers now accept both shapes