Remove non-browser e2e test infrastructure

- Delete .github/workflows/e2e.yaml
- Delete playwright.config.ts
- Delete e2e/ directory (auth.setup.ts, kube-vip.spec.ts)
- Delete scripts/deploy-e2e-headlamp.sh and teardown-e2e-headlamp.sh
- Remove e2e and e2e:headed scripts from package.json
- Remove @playwright/test devDependency

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.claude/agents/artifacthub-headlamp.md

@@ -0,0 +1,241 @@
+---
+name: artifacthub-headlamp
+description: Use when working with ArtifactHub metadata, releases, or publishing for Headlamp plugins. Covers artifacthub-repo.yml, artifacthub-pkg.yml, Headlamp-specific annotations, and the release-to-publish workflow.
+tools: Read, Write, Edit, Glob, Grep, Bash
+model: sonnet
+---
+
+You are an expert in publishing Headlamp Kubernetes dashboard plugins to ArtifactHub. You understand exactly how ArtifactHub discovers and indexes Headlamp plugins, what metadata is required, and how the release workflow feeds into ArtifactHub listings.
+
+Before editing any metadata files, read the existing `artifacthub-repo.yml`, `artifacthub-pkg.yml`, and `package.json` to understand the current state.
+
+---
+
+## How ArtifactHub Works (Critical Mental Model)
+
+ArtifactHub is a **pull-based, read-only registry**. It periodically scrapes registered GitHub repositories for metadata. There is:
+
+- **NO push API** — you cannot push packages to ArtifactHub
+- **NO reconciliation trigger** — you cannot force ArtifactHub to re-scan
+- **NO upload endpoint** — tarballs are hosted on GitHub Releases, not ArtifactHub
+- **NO webhook integration** — ArtifactHub polls on its own schedule (~30 min)
+
+**The only interface is two YAML files committed to git.** ArtifactHub reads them, and that's it.
+
+---
+
+## Repository Registration
+
+### artifacthub-repo.yml (root of repo)
+
+This file registers the GitHub repository with ArtifactHub. Created once, rarely changed.
+
+```yaml
+# Artifact Hub repository metadata file
+# https://github.com/artifacthub/hub/blob/master/docs/metadata/artifacthub-repo.yml
+repositoryID: <uuid>   # Assigned by ArtifactHub when you add the repo via the web UI
+owners:
+  - name: <github-username-or-org>
+    email: <email>
+```
+
+**How to get the repositoryID:**
+1. Log into artifacthub.io
+2. Go to Control Panel → Repositories → Add
+3. Select repository kind: "Headlamp plugins"
+4. Provide the GitHub repo URL
+5. ArtifactHub generates the UUID — copy it into this file
+
+You do NOT generate this UUID yourself. It comes from ArtifactHub's web UI.
+
+---
+
+## Package Metadata
+
+### artifacthub-pkg.yml (root of repo)
+
+This is the primary metadata file that defines how the plugin appears on ArtifactHub. Updated with each release.
+
+```yaml
+version: "X.Y.Z"                              # MUST match package.json version
+name: <package-name>                           # npm package name from package.json
+displayName: <Human Readable Name>             # Shown on ArtifactHub listing
+createdAt: "YYYY-MM-DDTHH:MM:SSZ"             # ISO 8601 — update each release
+description: >-
+  Multi-line description of what the plugin does.
+  Be specific about features and requirements.
+license: Apache-2.0
+homeURL: https://github.com/<owner>/<repo>
+appVersion: "X.Y.Z"                           # Version of upstream project (optional)
+category: <category>                           # See categories below
+keywords:
+  - headlamp
+  - kubernetes
+  - <plugin-specific>
+maintainers:
+  - name: <name>
+    email: <email>
+provider:
+  name: <name>
+links:
+  - name: GitHub
+    url: https://github.com/<owner>/<repo>
+  - name: Issues
+    url: https://github.com/<owner>/<repo>/issues
+changes:                                       # Changelog for this version
+  - kind: added|changed|fixed|removed
+    description: "What changed"
+annotations:                                   # CRITICAL — Headlamp-specific
+  headlamp/plugin/archive-url: "https://github.com/<owner>/<repo>/releases/download/v<VERSION>/<pkgname>-<VERSION>.tar.gz"
+  headlamp/plugin/archive-checksum: "sha256:<checksum>"
+  headlamp/plugin/version-compat: ">=X.Y.Z"
+  headlamp/plugin/distro-compat: "<targets>"
+```
+
+---
+
+## Headlamp-Specific Annotations (Required)
+
+These annotations in `artifacthub-pkg.yml` are what make ArtifactHub treat the package as a Headlamp plugin:
+
+### headlamp/plugin/archive-url
+**Required.** Direct download URL to the plugin tarball on GitHub Releases.
+
+Format: `https://github.com/<owner>/<repo>/releases/download/v<VERSION>/<pkgname>-<VERSION>.tar.gz`
+
+- The tarball is built by `npx @kinvolk/headlamp-plugin build` and then `npx @kinvolk/headlamp-plugin package`
+- The `<pkgname>` comes from `package.json` `name` field
+- The tarball is uploaded as a GitHub Release asset — NOT to ArtifactHub
+
+### headlamp/plugin/archive-checksum
+**Recommended.** SHA256 checksum of the tarball.
+
+Format: `sha256:<hex-digest>`
+
+Generated via: `sha256sum <tarball> | awk '{print $1}'`
+
+Can be empty string if not yet computed (release workflow fills it in).
+
+### headlamp/plugin/version-compat
+**Required.** Minimum Headlamp version the plugin works with.
+
+Format: `>=X.Y.Z` (e.g., `>=0.20.0`, `>=0.26`)
+
+### headlamp/plugin/distro-compat
+**Required.** Comma-separated list of supported Headlamp deployment targets.
+
+Valid values:
+- `in-cluster` — Headlamp running inside a Kubernetes cluster
+- `web` — Web-based Headlamp deployment
+- `app` — Headlamp desktop application (Electron)
+- `desktop` — Alias for desktop app
+- `docker-desktop` — Docker Desktop Headlamp extension
+
+Example: `"in-cluster,web,app"`
+
+---
+
+## ArtifactHub Categories
+
+Valid `category` values for Headlamp plugins:
+- `security` — Secrets, RBAC, policy enforcement
+- `storage` — CSI drivers, persistent volumes, Ceph/Rook
+- `monitoring-logging` — Metrics, GPU monitoring, observability
+- `networking` — Load balancers, virtual IPs, ingress
+
+---
+
+## Optional Fields
+
+### containersImages
+For plugins associated with a specific container/operator:
+```yaml
+containersImages:
+  - name: <component-name>
+    image: docker.io/<org>/<image>:<tag>
+```
+
+### recommendations
+Link to related ArtifactHub packages:
+```yaml
+recommendations:
+  - url: https://artifacthub.io/packages/helm/<repo>/<chart>
+```
+
+### install
+Custom installation instructions (markdown):
+```yaml
+install: |
+  ## Install via Headlamp Plugin Manager
+  ...
+```
+
+### logoPath
+Path to a logo image file in the repo (relative to root).
+
+---
+
+## The Release → ArtifactHub Pipeline
+
+This is the actual flow. There is NO other way to publish:
+
+```
+1. Developer triggers release workflow (workflow_dispatch with version)
+2. CI runs tests
+3. Workflow updates:
+   - package.json (npm version)
+   - artifacthub-pkg.yml (version, archive-url, checksum, createdAt, changes)
+4. Plugin is built: npx @kinvolk/headlamp-plugin build
+5. Plugin is packaged: creates <pkgname>-<version>.tar.gz
+6. SHA256 checksum is computed and written to artifacthub-pkg.yml
+7. Changes committed to main
+8. Git tag created: v<version>
+9. GitHub Release created with tarball attached
+10. ArtifactHub polls the repo (~30 min) and picks up the new metadata
+11. Plugin appears/updates on artifacthub.io
+```
+
+**Key points:**
+- Steps 1-9 happen in your GitHub Actions workflow
+- Step 10 is entirely controlled by ArtifactHub — you cannot trigger it
+- The tarball lives on GitHub Releases, not ArtifactHub
+- ArtifactHub only reads `artifacthub-pkg.yml` to discover the download URL
+
+---
+
+## Common Mistakes to Avoid
+
+1. **Trying to push/trigger ArtifactHub** — There is no API for this. Just commit metadata and wait.
+2. **Version mismatch** — `version` in `artifacthub-pkg.yml` MUST match `package.json`. The release workflow should update both.
+3. **Wrong archive-url** — Must point to the actual GitHub Release asset URL. Verify the tarball filename matches what the build produces.
+4. **Missing checksum** — While optional, missing checksums may cause warnings. The release workflow should compute and write it.
+5. **Forgetting createdAt** — Must be updated each release. ArtifactHub uses this for sorting.
+6. **Stale changes section** — The `changes` list should reflect the current version's changelog only, not cumulative history.
+7. **Assuming ArtifactHub hosts anything** — It's an index/catalog. All artifacts are hosted elsewhere (GitHub Releases).
+8. **Trying to generate repositoryID** — This UUID comes from ArtifactHub's web UI when you register the repo. Don't make one up.
+
+---
+
+## Tarball Structure
+
+The plugin tarball built by `@kinvolk/headlamp-plugin` contains:
+
+```
+<pkgname>/
+  main.js          # Bundled plugin code
+  package.json     # Plugin metadata
+```
+
+The `<pkgname>` directory inside the tarball matches the `name` field from `package.json`.
+
+---
+
+## Validating Metadata
+
+Before committing, check:
+1. `version` matches across `package.json` and `artifacthub-pkg.yml`
+2. `archive-url` version tag matches the `version` field
+3. `name` in `artifacthub-pkg.yml` matches `package.json` `name`
+4. `createdAt` is a valid ISO 8601 timestamp
+5. All required annotations are present
+6. `changes` entries use valid `kind` values: `added`, `changed`, `fixed`, `removed`

.github/FUNDING.yml

@@ -0,0 +1 @@
+github: [privilegedescalation]

.github/workflows/ci.yaml

@@ -6,36 +6,8 @@ on:
   pull_request:
     branches: [main]
   workflow_call:
+  workflow_dispatch:
 
 jobs:
   ci:
-    runs-on: local-ubuntu-latest
-    timeout-minutes: 10
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-          cache: 'npm'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build plugin
-        run: npx @kinvolk/headlamp-plugin build
-
-      - name: Lint
-        run: npm run lint
-
-      - name: Type-check
-        run: npm run tsc
-
-      - name: Format check
-        run: npm run format:check
-
-      - name: Run tests
-        run: npm test
+    uses: privilegedescalation/.github/.github/workflows/plugin-ci.yaml@main

.github/workflows/dual-approval.yaml

@@ -0,0 +1,21 @@
+name: Dual Approval (CTO + QA)
+
+# Calls the shared dual-approval-check workflow.
+# Passes when both privilegedescalation-cto and privilegedescalation-qa
+# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks
+# in branch protection to enforce this gate.
+
+on:
+  pull_request_review:
+    types: [submitted, dismissed]
+  pull_request:
+    branches: [main]
+    types: [opened, reopened, synchronize]
+
+jobs:
+  dual-approval:
+    if: github.event.pull_request != null
+    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
+    secrets: inherit
+    with:
+      pr_number: ${{ github.event.pull_request.number }}

.github/workflows/release.yaml

@@ -7,98 +7,20 @@ on:
         description: 'Release version (e.g. 1.0.0)'
         required: true
         type: string
+  repository_dispatch:
+    types: [release]
 
 permissions:
   contents: write
-
-concurrency:
-  group: release
-  cancel-in-progress: false
+  pull-requests: write
 
 jobs:
-  ci:
-    uses: ./.github/workflows/ci.yaml
-
   release:
-    needs: ci
-    runs-on: local-ubuntu-latest
-    timeout-minutes: 10
+    uses: privilegedescalation/.github/.github/workflows/plugin-release.yaml@main
+    secrets:
+      RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
+      RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
+    with:
+      version: ${{ inputs.version || github.event.client_payload.version }}
+      upstream-repo: 'kube-vip/kube-vip'
 
-    steps:
-      - name: Validate version format
-        run: |
-          if [[ ! "${{ inputs.version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-            echo "Error: Version must be in X.Y.Z format"
-            exit 1
-          fi
-
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-          cache: 'npm'
-
-      - name: Configure Git
-        run: |
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-
-      - name: Update version in package.json
-        run: npm version ${{ inputs.version }} --no-git-tag-version --allow-same-version
-
-      - name: Update artifacthub-pkg.yml
-        run: |
-          VERSION="${{ inputs.version }}"
-          PKG_NAME=$(jq -r .name package.json)
-          RELEASE_URL="https://github.com/${{ github.repository }}/releases/download/v${VERSION}/${PKG_NAME}-${VERSION}.tar.gz"
-          sed -i "s/^version:.*/version: \"${VERSION}\"/" artifacthub-pkg.yml
-          sed -i "s|headlamp/plugin/archive-url:.*|headlamp/plugin/archive-url: \"${RELEASE_URL}\"|" artifacthub-pkg.yml
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build plugin
-        run: npx @kinvolk/headlamp-plugin build
-
-      - name: Package plugin
-        run: npx @kinvolk/headlamp-plugin package
-
-      - name: Prepare release tarball
-        run: |
-          VERSION="${{ inputs.version }}"
-          PKG_NAME=$(jq -r .name package.json)
-          TARBALL="${PKG_NAME}-${VERSION}.tar.gz"
-          echo "TARBALL=$TARBALL" >> $GITHUB_ENV
-          echo "PKG_NAME=$PKG_NAME" >> $GITHUB_ENV
-
-      - name: Validate tarball
-        run: |
-          echo "Tarball: ${{ env.TARBALL }}"
-          ls -lh "${{ env.TARBALL }}"
-          tar -tzf "${{ env.TARBALL }}" | head -20
-          tar -tzf "${{ env.TARBALL }}" | grep -q "main.js" || { echo "Error: main.js not found in tarball"; exit 1; }
-
-      - name: Compute checksum
-        run: |
-          CHECKSUM=$(sha256sum "${{ env.TARBALL }}" | awk '{print $1}')
-          echo "CHECKSUM=$CHECKSUM" >> $GITHUB_ENV
-          sed -i "s|headlamp/plugin/archive-checksum:.*|headlamp/plugin/archive-checksum: sha256:${CHECKSUM}|" artifacthub-pkg.yml
-
-      - name: Commit and tag
-        run: |
-          VERSION="${{ inputs.version }}"
-          git add package.json package-lock.json artifacthub-pkg.yml
-          git commit -m "release: v${VERSION}"
-          git tag "v${VERSION}"
-          git push origin main --tags
-
-      - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: v${{ inputs.version }}
-          name: v${{ inputs.version }}
-          generate_release_notes: true
-          files: ${{ env.TARBALL }}

.github/workflows/renovate-app-token.yaml

@@ -0,0 +1,21 @@
+name: Mend Renovate GitHub App Token
+
+on:
+  workflow_call:
+    outputs:
+      token:
+        description: "Short-lived GitHub App installation token"
+        value: ${{ jobs.app-token.outputs.token }}
+
+jobs:
+  app-token:
+    runs-on: runners-privilegedescalation
+    outputs:
+      token: ${{ steps.app-token.outputs.token }}
+    steps:
+      - name: Generate GitHub App token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          app-id: ${{ secrets.RELEASE_APP_ID }}
+          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}

.gitignore

@@ -5,3 +5,9 @@ dist/
 .env
 .env.local
 .eslintcache
+
+# E2E
+e2e/.auth/
+.env.e2e
+playwright-report/
+test-results/

.markdownlint-cli2.jsonc

@@ -0,0 +1,53 @@
+{
+  "config": {
+    // Line length — not enforced for docs with code examples
+    "MD013": false,
+    // First line heading — files use YAML frontmatter, not headings
+    "MD041": false,
+    // Emphasis as heading — common pattern for Option 1/2/3 sections
+    "MD036": false,
+    // No duplicate heading — changelog files repeat section names intentionally
+    "MD024": false,
+    // Fenced code language — not always applicable for diagram blocks
+    "MD040": false,
+    // Table column style — table alignment is visual, not semantic
+    "MD060": false,
+    // Ordered list item prefix — number resets are intentional in documents
+    "MD029": false,
+    // No inline HTML — each elements are valid in valid Markdown
+    "MD033": false,
+    // List marker space — spacing after list markers varies by editor
+    "MD030": false,
+    // Blanks around headings — not always needed in compact docs
+    "MD022": false,
+    // Blanks around lists — not always needed in compact docs
+    "MD032": false,
+    // Blanks around fences — not always needed between adjacent blocks
+    "MD031": false,
+    // Multiple blanks — editor artifacts, not semantic
+    "MD012": false,
+    // Single title — files may have multiple H1 sections
+    "MD025": false,
+    // Trailing spaces — editor artifacts
+    "MD009": false,
+    // Bare URLs — URL shortening not always needed
+    "MD034": false,
+    // Single trailing newline — editor artifacts
+    "MD047": false,
+    // Trailing punctuation — heading punctuation is intentional
+    "MD026": false,
+    // Space in emphasis — double-asterisk bold spacing varies by renderer
+    "MD037": false,
+    // No hard tabs — some generated docs use tabs for indentation
+    "MD010": false,
+    // Code block style — generated docs may use inconsistent styles
+    "MD046": false,
+    // Comment style — generated docs have no comments
+    "MD048": false,
+    // Commands show output — shell examples intentionally show only commands
+    "MD014": false
+  },
+  "ignores": [
+    "docs/api-reference/generated/**"
+  ]
+}

.markdownlintignore

@@ -0,0 +1 @@
+docs/api-reference/generated/**

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## [1.0.0] - 2026-03-24
+
+### Added
+
+- Add missing devDependencies to align with reference plugin: `@mui/material`, `@types/react`, `@types/react-dom`, `notistack`
+- Pin `vitest` to `^3.2.4`
+- Add dual-approval caller workflow for CI
+
+### Changed
+
+- Bump version from 0.1.5 to 1.0.0 (stable release)
+- Extend Renovate config from org-level preset
+- Add pinDigests for GitHub Actions SHA pinning
+
 ## [0.1.3] - 2026-03-04
 
 ### Fixed
@@ -38,3 +52,9 @@
 - Nodes page with kube-vip pod status and leader designation
 - Configuration page with DaemonSet config, IP pools, leases
 - Service detail section injected into native Headlamp Service views
+
+[1.0.0]: https://github.com/privilegedescalation/headlamp-kube-vip-plugin/compare/v0.1.5...v1.0.0
+[0.1.3]: https://github.com/privilegedescalation/headlamp-kube-vip-plugin/compare/v0.1.2...v0.1.3
+[0.1.2]: https://github.com/privilegedescalation/headlamp-kube-vip-plugin/compare/v0.1.1...v0.1.2
+[0.1.1]: https://github.com/privilegedescalation/headlamp-kube-vip-plugin/compare/v0.1.0...v0.1.1
+[0.1.0]: https://github.com/privilegedescalation/headlamp-kube-vip-plugin/releases/tag/v0.1.0

INSTALLATION_POLICY.md

@@ -0,0 +1,24 @@
+# Installation Policy
+
+## Approved Installation Method
+
+**The ONLY approved method for installing this plugin is via [Artifact Hub](https://artifacthub.io/) using the Headlamp plugin installer.**
+
+No other installation method is acceptable. This includes but is not limited to:
+
+- Direct installation from GitHub release assets
+- Manual npm pack / tarball extraction
+- initContainer workarounds that bypass Artifact Hub
+- Direct file copy or sidecar injection
+
+## Enforcement
+
+All deployment configurations, CI/CD pipelines, and documentation MUST reference Artifact Hub as the sole plugin distribution channel. Any pull request that introduces an alternative installation method will be rejected.
+
+## Rationale
+
+Artifact Hub provides verified checksums, consistent versioning, and a standard discovery mechanism for the CNCF ecosystem. Bypassing it introduces security and integrity risks.
+
+---
+
+*This policy is set by the CTO and approved by the CEO of Privileged Escalation.*

README.md

@@ -15,29 +15,7 @@ A [Headlamp](https://headlamp.dev/) plugin providing visibility into [kube-vip](
 
 ## Installation
 
-### Plugin Manager (Headlamp UI)
-
-Search for `kube-vip` in the Headlamp Plugin Manager.
-
-### Manual
-
-```bash
-# Download the latest release tarball
-curl -LO https://github.com/privilegedescalation/headlamp-kube-vip-plugin/releases/latest/download/kube-vip-*.tar.gz
-
-# Extract to Headlamp plugins directory
-mkdir -p ~/.config/Headlamp/plugins
-tar -xzf kube-vip-*.tar.gz -C ~/.config/Headlamp/plugins/
-```
-
-### From Source
-
-```bash
-git clone https://github.com/privilegedescalation/headlamp-kube-vip-plugin.git
-cd headlamp-kube-vip-plugin
-npm install
-npm run build
-```
+Search for `kube-vip` in the Headlamp Plugin Manager (Settings → Plugins → Catalog).
 
 ## Requirements
 

SECURITY.md

@@ -22,3 +22,28 @@ All data is fetched through Headlamp's built-in API proxy, which respects the us
 ## Reporting a Vulnerability
 
 Please report security vulnerabilities by opening a private issue or emailing the maintainers directly.
+
+## Known Low-Severity Vulnerabilities
+
+### GHSA-848j-6mx2-7j84 (elliptic)
+
+**Severity:** High (but not exploitable in this plugin's context)
+
+**Affected component:** `elliptic` (transitive, via `vite-plugin-node-polyfills` → `node-stdlib-browser` → `crypto-browserify` → `browserify-sign`)
+
+**Description:** The elliptic library used in this plugin's development dependencies contains a prototype pollution vulnerability. This plugin is a **read-only** Headlamp plugin that never executes any cryptographic operations at runtime. The vulnerable code path requires:
+- Use of `elliptic` curve operations on untrusted input, AND
+- Ability for an attacker to influence the `elliptic` curve key generation input
+
+Neither condition is met in this plugin's runtime context.
+
+**Remediation:** No patched version of `elliptic` exists on npm. The current override in `package.json` (`"elliptic": ">=6.6.1"`) is a placeholder — no resolvable version satisfies this constraint.
+
+**Risk acceptance rationale:**
+1. Plugin has no write operations against the cluster
+2. All data flows through Headlamp's API proxy with standard RBAC enforcement
+3. The vulnerable dependency is only in the development/build toolchain, not runtime
+4. No untrusted input can reach `elliptic` curve operations through this plugin
+
+**Review date:** 2026-05-05
+**Reviewed by:** Hugh Hackman (VP Engineering Operations)

artifacthub-pkg.yml

@@ -1,5 +1,5 @@
-version: "0.1.3"
-name: kube-vip
+version: "1.0.2"
+name: headlamp-kube-vip
 displayName: kube-vip
 createdAt: "2026-03-04T00:00:00Z"
 description: >-
@@ -25,7 +25,22 @@ maintainers:
 provider:
   name: privilegedescalation
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-kube-vip-plugin/releases/download/v0.1.3/kube-vip-0.1.3.tar.gz"
-  headlamp/plugin/archive-checksum: sha256:f57ea060c0c276c5cfdff2664265f31f69f00ad88f7c1f4a26702a2a9fbdc76e
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-kube-vip-plugin/releases/download/v1.0.2/kube-vip-1.0.2.tar.gz"
+  headlamp/plugin/archive-checksum: sha256:cb6b8b6d93a41c129304c57ed705cdafbcb4d6e7511ce5bad0aa05d5762c3fbf
   headlamp/plugin/version-compat: ">=0.26"
   headlamp/plugin/distro-compat: "in-cluster"
+changes:
+  - kind: changed
+    description: "Fix ArtifactHub checksum for v1.0.0 release tarball"
+  - kind: added
+    description: "v1.0.0 stable release"
+  - kind: changed
+    description: "Bump version from 0.1.5 to 1.0.0"
+  - kind: changed
+    description: "Add missing devDependencies: @mui/material, @types/react, @types/react-dom, notistack; pin vitest to ^3.2.4"
+  - kind: changed
+    description: "Extend Renovate config from org-level preset"
+  - kind: changed
+    description: "Add pinDigests for GitHub Actions SHA pinning"
+  - kind: changed
+    description: "Add dual-approval caller workflow"

artifacthub-repo.yml

@@ -0,0 +1,6 @@
+# Artifact Hub repository metadata
+# https://github.com/artifacthub/hub/blob/master/docs/metadata/artifacthub-repo.yml
+repositoryID: 2f3e67f2-3799-4018-b4bb-84dd2fe1ab9b
+owners:
+  - name: privilegedescalation
+    email: privilegedescalation@users.noreply.github.com

docs/architecture/adr/001-react-context-state.md

@@ -0,0 +1,66 @@
+# ADR 001: React Context for Centralized State
+
+**Status**: Accepted
+
+**Date**: 2026-03-05
+
+**Deciders**: Development Team
+
+---
+
+## Context
+
+The kube-vip plugin shares data across 4 page views (Overview, Services, Nodes, Config) and 1 detail view section (Service). Data comes from standard Kubernetes resources:
+
+- **Services** (via `useList()`)
+- **Nodes** (via `useList()`)
+- **DaemonSet** (via `ApiProxy.request()`)
+- **Pods** (with fallback, via `ApiProxy.request()`)
+- **Leases** (`coordination.k8s.io/v1`, via `ApiProxy.request()`)
+- **ConfigMap** (via `ApiProxy.request()`)
+
+The context exposes 12 fields: `kubeVipInstalled`, `daemonSetStatus`, `kubeVipPods`, `cloudProviderPods`, `loadBalancerServices`, `nodes`, `leases`, `ipPools`, `configMapData`, `kubeVipConfig`, `loading`, `error`, and `refresh`.
+
+The plugin uses dual-track fetching: Headlamp `useList()` for Services and Nodes, `ApiProxy.request()` for everything else.
+
+---
+
+## Decision
+
+Use a single `KubeVipDataProvider` React Context wrapping all routes and the Service detail section registration. All kube-vip state is computed in the provider and made available to consumers via the `useKubeVipData()` hook.
+
+---
+
+## Consequences
+
+### Positive
+
+- ✅ Single fetch location eliminates duplicate API calls across views
+- ✅ Consistent data across all views at any point in time
+- ✅ Derived state (e.g., `ipPools` from ConfigMap) computed once in the provider
+- ✅ `refresh()` function updates everything in a single call
+
+### Negative
+
+- ⚠️ All consumers re-render on any change to any of the 12 fields
+- ⚠️ Complex provider component managing 12 fields and multiple fetch strategies
+
+These negatives are mitigated by the fact that kube-vip state changes infrequently (VIP assignments and pool configurations are relatively stable), so unnecessary re-renders are rare in practice.
+
+---
+
+## Alternatives Considered
+
+1. **Per-page fetching** — Rejected. Would duplicate DaemonSet, ConfigMap, and Lease fetching across multiple pages, leading to redundant API calls and potential data inconsistency between views.
+
+2. **Multiple contexts** (e.g., separate contexts for pods, services, config) — Rejected. Data is heavily cross-referenced: `kubeVipInstalled` depends on the DaemonSet, pod discovery depends on labels from the DaemonSet, and IP pool utilization requires both ConfigMap data and Service annotations. Splitting contexts would require complex inter-context dependencies.
+
+3. **External state library** (e.g., Redux, Zustand) — Rejected. External state management libraries are not available in the Headlamp plugin runtime environment.
+
+---
+
+## Changelog
+
+| Date | Change |
+| ---- | ------ |
+| 2026-03-05 | Initial decision recorded |

docs/architecture/adr/002-annotation-based-state.md

@@ -0,0 +1,63 @@
+# ADR 002: Annotation-Based State Without CRDs
+
+**Status**: Accepted
+
+**Date**: 2026-03-05
+
+**Deciders**: Development Team
+
+---
+
+## Context
+
+kube-vip does not define any Custom Resource Definitions. All kube-vip state is inferred from standard Kubernetes resources:
+
+- **DaemonSet status** indicates whether kube-vip is installed
+- **`kube-vip.io/*` annotations on Services** indicate VIP configuration (requested IP, interface, load balancer class)
+- **Lease holder identity** indicates leader election status
+- **ConfigMap data** contains IP pool configuration
+
+The plugin must extract kube-vip-specific state from these standard resources without relying on any custom APIs or CRDs.
+
+---
+
+## Decision
+
+Parse kube-vip state entirely from annotations on standard Kubernetes resources and ConfigMap data. No CRDs are queried. Annotation parsing functions in `k8s.ts` extract VIP configuration from Service annotations (e.g., `kube-vip.io/vipAddress`, `kube-vip.io/loadbalancerIPs`). IP pool configuration is parsed from the `kubevip` ConfigMap via `parseIPPools()`. Leader election status is read from Lease `.spec.holderIdentity`.
+
+---
+
+## Consequences
+
+### Positive
+
+- ✅ No CRD dependency — works with any kube-vip installation regardless of version or configuration
+- ✅ Uses only standard Kubernetes resources accessible via the standard API
+- ✅ Annotation parsing is implemented as pure functions, making it straightforward to test
+- ✅ Works across all kube-vip versions that follow the annotation conventions
+
+### Negative
+
+- ⚠️ Annotation schema is implicit — there is no API validation or schema enforcement for annotation values
+- ⚠️ Annotations may change across kube-vip versions without notice, since they are not part of a formal API contract
+- ⚠️ Parsing logic must handle missing or malformed annotations gracefully
+
+These negatives are mitigated by defensive parsing with fallbacks for missing annotations and sensible defaults when annotation values are absent or unparseable.
+
+---
+
+## Alternatives Considered
+
+1. **kube-vip CRDs** (if they existed) — Not available. kube-vip does not define any Custom Resource Definitions, so there are no custom resources to query.
+
+2. **kube-vip API server** (if it existed) — Not available. kube-vip does not expose a dedicated API server or endpoint for querying its state.
+
+3. **Parse kube-vip pod logs** — Rejected. Log parsing is inherently fragile, depends on log format stability, and requires log access RBAC permissions that may not be available in all environments.
+
+---
+
+## Changelog
+
+| Date | Change |
+| ---- | ------ |
+| 2026-03-05 | Initial decision recorded |

docs/architecture/adr/003-static-pod-discovery.md

@@ -0,0 +1,66 @@
+# ADR 003: Static Pod Discovery with Label Selector Fallback
+
+**Status**: Accepted
+
+**Date**: 2026-03-05
+
+**Deciders**: Development Team
+
+---
+
+## Context
+
+kube-vip can be deployed in two ways:
+
+1. **DaemonSet deployment**: Pods are managed by a DaemonSet and have standard labels (e.g., `app: kube-vip`) that can be used for label-selector based discovery.
+2. **Static pod deployment**: Pod manifests are placed in `/etc/kubernetes/manifests/` on each node. Static pods do not have the same labels as DaemonSet-managed pods and follow the naming convention `kube-vip-<node-name>`.
+
+The plugin needs to discover kube-vip pods regardless of the deployment method. The pod fetch uses a two-level fallback strategy: first try label-selector based discovery, then fall back to listing all pods in `kube-system` and filtering by name prefix.
+
+---
+
+## Decision
+
+Implement a two-level pod discovery fallback:
+
+1. **Primary**: Fetch pods using label selector (matches DaemonSet-deployed kube-vip).
+2. **Fallback**: If the label-selector fetch fails or returns empty, list all pods in the `kube-system` namespace and filter by `name.startsWith('kube-vip')` (matches static pod naming convention).
+
+This covers both deployment methods without requiring user configuration.
+
+---
+
+## Consequences
+
+### Positive
+
+- ✅ Works with both DaemonSet and static pod deployments out of the box
+- ✅ No user configuration needed — deployment method is auto-detected
+- ✅ Automatic fallback is transparent to the user and other plugin components
+
+### Negative
+
+- ⚠️ Fallback fetches all `kube-system` pods, which is a broader query than necessary
+- ⚠️ Name-prefix matching (`kube-vip`) is convention-dependent and could produce false positives if other pods share the prefix
+
+These negatives are mitigated by the fact that `kube-system` typically has a manageable number of pods, and the name prefix `kube-vip` is the standard convention used by the kube-vip project.
+
+---
+
+## Alternatives Considered
+
+1. **Label selector only** — Rejected. Would miss static pod deployments entirely, leaving users who deploy kube-vip as static pods without visibility.
+
+2. **Name prefix only** — Rejected. Less efficient than label selector for DaemonSet deployments, as it requires listing all pods in the namespace rather than using server-side filtering.
+
+3. **User-configured discovery method** — Rejected. Adds unnecessary configuration burden for something that can be reliably auto-detected through the fallback strategy.
+
+4. **Node filesystem check for static pod manifests** — Rejected. Requires node-level filesystem access, which is not available to Headlamp plugins running in the browser.
+
+---
+
+## Changelog
+
+| Date | Change |
+| ---- | ------ |
+| 2026-03-05 | Initial decision recorded |

docs/architecture/adr/004-component-testing-strategy.md

@@ -0,0 +1,64 @@
+# ADR 004: Comprehensive Component-Level Testing with Shared Helpers
+
+**Status**: Accepted
+
+**Date**: 2026-03-05
+
+**Deciders**: Development Team
+
+---
+
+## Context
+
+The plugin has extensive test coverage including both unit tests (`k8s.ts`, `KubeVipDataContext`) and component render tests (`ConfigPage`, `NodesPage`, `OverviewPage`, `ServiceDetailSection`, `ServicesPage`). Component tests need to mock both Headlamp's API and CommonComponents.
+
+A shared `test-helpers.tsx` file provides fixture factories, and a `__mocks__/commonComponents.ts` file provides stub implementations of Headlamp's CommonComponents for render testing.
+
+---
+
+## Decision
+
+Implement comprehensive component-level testing with two shared test infrastructure files:
+
+1. **`test-helpers.tsx`**: Shared fixture factories for creating test data (mock Services, Nodes, Pods, DaemonSets, ConfigMaps, Leases). Provides consistent test data across all test files.
+2. **`__mocks__/commonComponents.ts`**: Stub implementations of Headlamp CommonComponents (`SectionBox`, `SimpleTable`, `StatusLabel`, `NameValueTable`) that render as simple HTML elements for testing.
+
+All component tests render with a `KubeVipDataProvider` wrapper using mocked context values, verifying the component renders correct data from context.
+
+---
+
+## Consequences
+
+### Positive
+
+- ✅ Consistent test fixtures across all test files eliminate divergent test data
+- ✅ CommonComponents mocks enable render testing without the full Headlamp runtime
+- ✅ Comprehensive coverage of component rendering logic and context integration
+- ✅ Easy to add new component tests by reusing existing fixtures and mocks
+
+### Negative
+
+- ⚠️ Mock maintenance burden when Headlamp's CommonComponents API changes
+- ⚠️ Test helpers may diverge from actual API shapes over time if not kept in sync
+
+These negatives are mitigated by type-checking test helpers against the actual interfaces, ensuring compile-time detection of API shape mismatches.
+
+---
+
+## Alternatives Considered
+
+1. **Unit tests only** (no component rendering) — Rejected. Misses rendering bugs and context integration issues that only surface when components are mounted with real context values.
+
+2. **E2E tests only** — Rejected. Too slow for rapid development feedback and requires a running Headlamp instance with a connected cluster.
+
+3. **Inline mocks per test file** — Rejected. Leads to inconsistent and duplicated test setup across files, making it harder to maintain and update when APIs change.
+
+4. **Storybook for component testing** — Rejected. Additional tooling overhead is not justified for the scope of this plugin, and Storybook does not easily integrate with Headlamp's plugin component model.
+
+---
+
+## Changelog
+
+| Date | Change |
+| ---- | ------ |
+| 2026-03-05 | Initial decision recorded |

docs/architecture/adr/README.md

@@ -0,0 +1,39 @@
+# Architecture Decision Records
+
+## What is an ADR?
+
+An Architecture Decision Record (ADR) is a document that captures an important architectural decision made along with its context and consequences. ADRs are used to record the motivation behind decisions so that future team members can understand why certain choices were made.
+
+## Format
+
+This project uses the Nygard-style ADR format:
+
+- **Title**: Short noun phrase describing the decision
+- **Status**: Proposed, Accepted, Deprecated, or Superseded
+- **Context**: The forces at play, including technical, political, social, and project-specific
+- **Decision**: The change that is being proposed or has been agreed upon
+- **Consequences**: What becomes easier or harder as a result of this decision
+- **Alternatives Considered**: Other options that were evaluated
+
+## Index
+
+| ADR | Title | Status | Date |
+| --- | ----- | ------ | ---- |
+| [001](001-react-context-state.md) | React Context for Centralized State | Accepted | 2026-03-05 |
+| [002](002-annotation-based-state.md) | Annotation-Based State Without CRDs | Accepted | 2026-03-05 |
+| [003](003-static-pod-discovery.md) | Static Pod Discovery with Label Selector Fallback | Accepted | 2026-03-05 |
+| [004](004-component-testing-strategy.md) | Comprehensive Component-Level Testing with Shared Helpers | Accepted | 2026-03-05 |
+
+## Creating New ADRs
+
+1. Copy an existing ADR as a template
+2. Assign the next sequential number (e.g., `005-your-decision.md`)
+3. Fill in all sections following the Nygard-style format
+4. Set the status to `Proposed` until the team has reviewed and accepted
+5. Update the index table in this README
+6. Add a changelog entry at the bottom of the ADR
+
+## References
+
+- [Michael Nygard's article on ADRs](https://cognitect.com/blog/2011/11/15/documenting-architecture-decisions)
+- [ADR GitHub organization](https://adr.github.io/)

package.json

@@ -1,6 +1,6 @@
 {
   "name": "kube-vip",
-  "version": "0.1.3",
+  "version": "1.0.2",
   "description": "Headlamp plugin for kube-vip virtual IP and load balancer visibility",
   "repository": {
     "type": "git",
@@ -12,6 +12,7 @@
   "homepage": "https://github.com/privilegedescalation/headlamp-kube-vip-plugin#readme",
   "author": "privilegedescalation",
   "license": "Apache-2.0",
+  "packageManager": "pnpm@10.32.1",
   "scripts": {
     "start": "headlamp-plugin start",
     "build": "headlamp-plugin build",
@@ -24,7 +25,34 @@
     "test": "vitest run",
     "test:watch": "vitest"
   },
+  "peerDependencies": {
+    "react": "^18.0.0",
+    "react-dom": "^18.0.0"
+  },
+  "overrides": {
+    "tar": "^7.5.11",
+    "undici": "^7.24.3",
+    "lodash": ">=4.18.0",
+    "vite": ">=6.4.2",
+    "elliptic": ">=6.6.1"
+  },
   "devDependencies": {
-    "@kinvolk/headlamp-plugin": "^0.13.0"
+    "@headlamp-k8s/eslint-config": "^0.6.0",
+    "@kinvolk/headlamp-plugin": "^0.13.0",
+    "@mui/material": "^5.15.14",
+    "@testing-library/jest-dom": "^6.4.8",
+    "@testing-library/react": "^16.0.0",
+    "@testing-library/user-event": "^14.5.2",
+    "@types/react": "^18.0.0",
+    "@types/react-dom": "^18.0.0",
+    "eslint": "^8.57.0",
+    "jsdom": "^24.0.0",
+    "notistack": "^3.0.0",
+    "prettier": "^2.8.8",
+    "react": "^18.3.1",
+    "react-dom": "^18.3.1",
+    "react-router-dom": "^5.3.0",
+    "typescript": "~5.6.2",
+    "vitest": "^3.2.4"
   }
 }

renovate.json

@@ -1,4 +1,5 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:recommended"]
+  "extends": ["github>privilegedescalation/.github:renovate-config"]
 }
+

tsconfig.json

@@ -2,7 +2,7 @@
   "extends": "@kinvolk/headlamp-plugin/config/plugins-tsconfig.json",
   "compilerOptions": {
     "module": "esnext",
-    "types": ["vite/client", "vite-plugin-svgr/client", "vitest/globals", "@testing-library/jest-dom"]
+    "types": ["vitest/globals", "@testing-library/jest-dom"]
   },
   "include": ["src"]
 }

vitest.config.mts

@@ -1,6 +1,9 @@
 import { defineConfig } from 'vitest/config';
 
 export default defineConfig({
+  define: {
+    'process.env.NODE_ENV': '"test"',
+  },
   test: {
     globals: true,
     environment: 'jsdom',