updates to enable config updater

updates to enable config updater

…dentation

- Revert package-lock.json peer flag pollution (Critical kubestellar#2)
- Revert AddCardModal.tsx re-indentation, keep only catalog entries (Critical kubestellar#3)
- Revert cardRegistry.ts formatting noise (restore original comment) (kubestellar#6)
- Revert unrelated BuildpacksStatus.tsx i18n changes (kubestellar#8)
- Add backend proxy handler for Artifact Hub API to fix CORS (kubestellar#5)
- Wire isDemoFallback through useCardLoadingState for proper demo badge (kubestellar#4)
- Convert all artifact-hub_status files to 2-space indentation (kubestellar#7)
- Add i18n keys for relative time strings (justNow, minutesAgo, etc.) (kubestellar#9)
- Remove unrelated buildpacksStatus i18n keys from en/cards.json (kubestellar#8)

Co-Authored-By: Claude Opus 4.6 <[email protected]>
Signed-off-by: Aaradhy Chinche <[email protected]>

Fixes #5 - Error responses in pkg/agent/kagent_crds.go were returning
HTTP 200 instead of proper error codes. Added w.WriteHeader() calls:
- Missing cluster parameter: 400 Bad Request (5 handlers)
- GetDynamicClient failure: 500 Internal Server Error (5 handlers)

Signed-off-by: GitHub Copilot <[email protected]>

Agent-Logs-Url: https://github.com/kubestellar/console/sessions/b6e474d6-d1fe-4a9c-82bf-4e02c57654a9

Co-authored-by: clubanderson <[email protected]>

…ECTION_REFUSED

Both nightly-ux-journeys AND fullstack-e2e.yml suffer from the same
issue: Go backend starts, healthz passes, but Chromium gets
ERR_CONNECTION_REFUSED. This is a CI runner issue, not a test issue.

Revert to npx serve (which got 183/195 passing in run #5). The 8
remaining failures are test-level issues, not infra issues. Tests
that need demo data (drilldown, search, tour) will be skipped
gracefully since the static server doesn't inject mock data.

Signed-off-by: Andy Anderson <[email protected]>

…DME (#8207)

Fixes #8207

Addresses all 6 Copilot review comments from PR #8203 (security docs
bundle). Verified each claim against source before applying:

- Verified InitializeProviders (pkg/agent/registry.go:283) registers
  only CLI-based tool agents and explicitly excludes API-key HTTP
  providers (claude/openai/gemini/groq/openrouter/open-webui).
- Verified update_checker.go lives in pkg/agent/ (local kc-agent),
  not in the Go backend server pod.
- Verified DEV_MODE is read in cmd/kc-agent/main.go:18 while
  KC_DEV_MODE=1 is only used in pkg/agent/server_http.go:2202 for
  the backend-driven agent restart path.

Changes:

1. README.md (finding #1): The "security model" paragraph no longer
   claims users can point an OpenAI-compatible local LLM at kc-agent
   via GROQ_BASE_URL / OPENROUTER_BASE_URL / OPEN_WEBUI_URL today.
   Reframed as a planned follow-up; currently supported path is the
   CLI-based agents.

2. SECURITY-MODEL.md §1 data flow (finding #2): Replaced the
   single-sentence "Key consequence" block with the two-path
   distinction (CLI tool agents vs direct HTTP providers). Notes
   that CLI agents can exfiltrate cluster data indirectly via
   kubectl/helm tool output; direct HTTP providers are not
   registered at runtime today.

3. SECURITY-MODEL.md §2 Posture B (finding #3): Rewrote the
   restricted-egress section to match runtime reality. AI gating
   is by registered CLI agent availability, not by API-key env
   vars. Setting *_API_KEY does not by itself enable AI. Settings
   → API Keys modal documented as non-operative.

4. SECURITY-MODEL.md §1 "leaves the cluster" (finding #5):
   Corrected the update_checker.go reference. The local kc-agent
   (not the backend pod) performs any GitHub update polling.
   In-cluster backend deployments do not poll GitHub from the
   server pod.

5. SECURITY-MODEL.md §3 Local/Self-hosted LLMs (finding #4):
   Added a prominent "current registration status" subsection
   stating that Groq/OpenRouter/Open WebUI provider implementations
   exist but are NOT registered by InitializeProviders. Relabeled
   the Ollama / vLLM / LM Studio / internal-gateway recipes as
   "planned follow-up" (not operative today). Base-URL env vars
   noted as "parsed, not wired". Retained the mermaid diagrams
   from PR #8206 and framed them as the intended direction.

6. SECURITY-MODEL.md §4 env var cheat sheet (finding #6): Split
   the KC_DEV_MODE row into two entries — DEV_MODE (general
   kc-agent dev/logging toggle, read in cmd/kc-agent/main.go)
   and KC_DEV_MODE (backend-driven restart/dev path in
   pkg/agent/server_http.go) — so operators don't set the wrong
   variable.

Docs-only change. web build + lint pass.

Signed-off-by: Andy Anderson <[email protected]>

…DME (#8207) (#8223)

Fixes #8207

Addresses all 6 Copilot review comments from PR #8203 (security docs
bundle). Verified each claim against source before applying:

- Verified InitializeProviders (pkg/agent/registry.go:283) registers
  only CLI-based tool agents and explicitly excludes API-key HTTP
  providers (claude/openai/gemini/groq/openrouter/open-webui).
- Verified update_checker.go lives in pkg/agent/ (local kc-agent),
  not in the Go backend server pod.
- Verified DEV_MODE is read in cmd/kc-agent/main.go:18 while
  KC_DEV_MODE=1 is only used in pkg/agent/server_http.go:2202 for
  the backend-driven agent restart path.

Changes:

1. README.md (finding #1): The "security model" paragraph no longer
   claims users can point an OpenAI-compatible local LLM at kc-agent
   via GROQ_BASE_URL / OPENROUTER_BASE_URL / OPEN_WEBUI_URL today.
   Reframed as a planned follow-up; currently supported path is the
   CLI-based agents.

2. SECURITY-MODEL.md §1 data flow (finding #2): Replaced the
   single-sentence "Key consequence" block with the two-path
   distinction (CLI tool agents vs direct HTTP providers). Notes
   that CLI agents can exfiltrate cluster data indirectly via
   kubectl/helm tool output; direct HTTP providers are not
   registered at runtime today.

3. SECURITY-MODEL.md §2 Posture B (finding #3): Rewrote the
   restricted-egress section to match runtime reality. AI gating
   is by registered CLI agent availability, not by API-key env
   vars. Setting *_API_KEY does not by itself enable AI. Settings
   → API Keys modal documented as non-operative.

4. SECURITY-MODEL.md §1 "leaves the cluster" (finding #5):
   Corrected the update_checker.go reference. The local kc-agent
   (not the backend pod) performs any GitHub update polling.
   In-cluster backend deployments do not poll GitHub from the
   server pod.

5. SECURITY-MODEL.md §3 Local/Self-hosted LLMs (finding #4):
   Added a prominent "current registration status" subsection
   stating that Groq/OpenRouter/Open WebUI provider implementations
   exist but are NOT registered by InitializeProviders. Relabeled
   the Ollama / vLLM / LM Studio / internal-gateway recipes as
   "planned follow-up" (not operative today). Base-URL env vars
   noted as "parsed, not wired". Retained the mermaid diagrams
   from PR #8206 and framed them as the intended direction.

6. SECURITY-MODEL.md §4 env var cheat sheet (finding #6): Split
   the KC_DEV_MODE row into two entries — DEV_MODE (general
   kc-agent dev/logging toggle, read in cmd/kc-agent/main.go)
   and KC_DEV_MODE (backend-driven restart/dev path in
   pkg/agent/server_http.go) — so operators don't set the wrong
   variable.

Docs-only change. web build + lint pass.

Signed-off-by: Andy Anderson <[email protected]>