feat(seam): PackExecution in DerivedObjectGVKs + authorship webhook SA fix#22
Merged
…memory push
- GovernanceRef struct added to LineageRecordSpec with PermissionSnapshotRevision field
- LineageController root filter narrowed to TalosCluster + PackDelivery (static lineageRootGVKs map)
- LineageArchiveFinalizer (lineage.seam.ontai.dev/archive) added; archive-then-prune pattern
- GovernanceRef populated at PackDelivery ILI creation from seam-tenant-{cluster} snapshot
- DSNSReconciler and internal/dns/ package decommissioned (T-WI5-7)
- LineageSDNSBuffer (internal/sdns/buffer.go) replaces DSNSReconciler; in-memory, flushed to CNPG
- seam-schema.md: GovernanceRef field, CNPG archival tables, canonical join query documented
- CRD YAML and deepcopy regenerated (make generate)
- Unit tests updated: ac4 root GVK count corrected (2 GVKs), integration GVK count corrected
… PermissionSnapshot revision
- ensureGovernanceRefCurrent patches GovernanceRef.PermissionSnapshotRevision when the PermissionSnapshot version in seam-tenant-{cluster} changes; no-op when current
- Called from both the idempotency path (annotation already set) and the main reconcile path (ILI pre-existing without annotation), covering all update scenarios
- PackDelivery LineageReconciler watches guardian.ontai.dev/PermissionSnapshot via mapSnapshotToPackDeliveries; any snapshot version change requeues all PackDeliveries in the same seam-tenant-{cluster} namespace so GovernanceRef stays current
- TalosCluster LineageRecords are unchanged (ensureGovernanceRefCurrent is no-op for non-PackDelivery)
- governance_ref_test.go: 4 unit tests covering creation, update, no-op, and TalosCluster exclusion
Adds SignalKind enum (GovernanceDrift|RuntimeDrift, default GovernanceDrift) and RuntimeDrift-specific fields: AffectedPackInstalledRef, FailureReason, ConsecutiveFailureCount, Exhausted. Regenerates deepcopy and CRD YAML (T-CW-1 through T-CW-6).
…Context Add OperatorContext CRD as the KBCL-structured awareness contract that operators read at reconcile time to determine operational mode, autonomy level, and approval gates. Encodes T (system state) as operator-readable policy governing B selection for safe AI delegation. Extend DriftSignal with MismatchContext: carries M_perc (perceived state), A(T) constraint reference, governance snapshot revision (T context), and KBCLMismatchLayer (representation/selection/realization) for AI-delegated resolution with full contextual richness. Delete stale infrastructure.ontai.dev CRD manifests (pre-migration group). Update seam-schema.md: new section 7 (OperatorContext), updated section 5 (DriftSignal RuntimeDrift + MismatchContext fields), updated GVK table. 19 unit tests, all passing.
cmd/seam-core/main.go: LeaderElectionID was "seam-core-leader"; corrected to "seam-leader" per post-migration naming. config/crd/seam.ontai.dev_operatorcontexts.yaml: new OperatorContext CRD (Decision 16 -- KBCL-ONT operator awareness contract). config/crd/seam.ontai.dev_driftsignals.yaml: updated DriftSignal schema with MismatchContext for KBCL mismatch evidence encoding. api/v1alpha1/zz_generated.deepcopy.go: regenerated deep copy functions.
Introduces seam/pkg/namespaces as the canonical source for platform namespace strings. Operators must import this package instead of hardcoding namespace literals. Enforced by Governor directive 2026-05-20.
- SeamSystem, OntSystem, TenantPrefix constants
- Tenant(clusterName) and ClusterNameFromTenant(ns) helpers
- pkg/e2e/namespace.go updated to use constants
…eage tracking DescendantReconciler now watches RunnerConfig, PackExecution, and PackInstalled. PackExecution entries in LineageRecord.descendantRegistry enable TC-MC-13 and TC-MC-23 causal chain verification.
The descendant reconciler runs under system:serviceaccount:seam-system:seam but the authorship gate only allowed lineage-controller SA. Added SeamControllerIdentity constant and permitted it alongside LineageControllerIdentity. Two unit tests added covering CREATE and UPDATE from the seam SA. Verified live on ccs-mgmt: descendant reconciler now appends PackExecution and PackInstalled entries to LineageRecord.
Summary
- descendant_reconciler.go now watches PackExecution alongside RunnerConfig and PackInstalled. All three GVKs produce DescendantEntry records in the owning LineageRecord.
- authorship_gate.go adds SeamControllerIdentity (system:serviceaccount:seam-system:seam) as an allowed identity alongside LineageControllerIdentity. The DescendantReconciler runs under the seam SA; the previous webhook only allowed the lineage-controller SA, which blocked all LineageRecord updates from the reconciler.
- TestEvaluateAuthorshipGate_ILI_Create_SeamControllerSA_Allowed and TestEvaluateAuthorshipGate_ILI_Update_SeamControllerSA_Allowed.
Test plan
go test ./... -- all pass
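The authorship-gate check described above, as an added example that is not the project's own code: it admits CREATE/UPDATE of LineageRecord only from the permitted service-account identities, and shows the seam SA being denied with the pre-fix single-identity list and admitted once SeamControllerIdentity is included. The AdmissionRequest struct and the EvaluateAuthorshipGate signature are simplified stand-ins for the real webhook types, and the namespace of the lineage-controller SA is an assumption (the PR names only the SA).

```go
package main

import (
	"fmt"
	"strings"
)

// Writer identities permitted to author LineageRecord objects. The seam SA
// string is taken from the PR; the lineage-controller SA namespace is assumed.
const (
	LineageControllerIdentity = "system:serviceaccount:seam-system:lineage-controller" // assumed namespace
	SeamControllerIdentity    = "system:serviceaccount:seam-system:seam"
)

// AdmissionRequest is a constructed, minimal stand-in for the fields of a
// Kubernetes AdmissionReview request that the gate actually inspects.
type AdmissionRequest struct {
	Operation string // CREATE, UPDATE, DELETE, CONNECT
	Kind      string // e.g. LineageRecord
	Username  string // request.userInfo.username
}

// EvaluateAuthorshipGate reports whether the request is admitted and why.
// Only CREATE and UPDATE of LineageRecord are gated; everything else passes
// through to the rest of the webhook chain untouched.
func EvaluateAuthorshipGate(req AdmissionRequest, allowed []string) (bool, string) {
	if req.Kind != "LineageRecord" {
		return true, "not a LineageRecord"
	}
	if req.Operation != "CREATE" && req.Operation != "UPDATE" {
		return true, "operation not gated"
	}
	// Human users and non-SA identities are never authors of lineage state.
	if !strings.HasPrefix(req.Username, "system:serviceaccount:") {
		return false, fmt.Sprintf("user %q is not a service account", req.Username)
	}
	for _, id := range allowed {
		if req.Username == id {
			return true, "authored by " + id
		}
	}
	return false, fmt.Sprintf("identity %q not permitted to author LineageRecord", req.Username)
}

// DefaultAllowedIdentities mirrors the fix: both controller SAs are permitted.
func DefaultAllowedIdentities() []string {
	return []string{LineageControllerIdentity, SeamControllerIdentity}
}

func main() {
	req := AdmissionRequest{Operation: "UPDATE", Kind: "LineageRecord", Username: SeamControllerIdentity}
	fmt.Println(EvaluateAuthorshipGate(req, []string{LineageControllerIdentity})) // pre-fix: denied
	fmt.Println(EvaluateAuthorshipGate(req, DefaultAllowedIdentities()))          // post-fix: admitted
}
```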