fix: add markdownlint config and auto-fix markdown errors

- Add .markdownlint-cli2.jsonc based on headlamp-agent-skills config
- Disable MD013 (line length), MD041 (first-line-heading), MD036
  (emphasis-as-heading), MD024 (no-duplicate-heading), MD040
  (fenced-code-language), MD060 (table-column-style), MD029
  (ol-prefix), MD033 (no-inline-html) — appropriate for plugin docs
- Run markdownlint-cli2 --fix to auto-fix MD022, MD031, MD032
- Manually fix remaining code block language annotations

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.claude/agents/agent-installer.md

@@ -10,6 +10,7 @@ You are an agent installer that helps users browse and install Claude Code agent
 ## Your Capabilities
 
 You can:
+
 1. List all available agent categories
 2. List agents within a category
 3. Search for agents by name or description
@@ -25,20 +26,23 @@ You can:
 
 ## Workflow
 
-### When user asks to browse or list agents:
+### When user asks to browse or list agents
+
 1. Fetch categories from GitHub API using WebFetch or Bash with curl
 2. Parse the JSON response to extract directory names
 3. Present categories in a numbered list
 4. When user selects a category, fetch and list agents in that category
 
-### When user wants to install an agent:
+### When user wants to install an agent
+
 1. Ask if they want global installation (~/.claude/agents/) or local (.claude/agents/)
 2. For local: Check if .claude/ directory exists, create .claude/agents/ if needed
 3. Download the agent .md file from GitHub raw URL
 4. Save to the appropriate directory
 5. Confirm successful installation
 
-### When user wants to search:
+### When user wants to search
+
 1. Fetch the README.md which contains all agent listings
 2. Search for the term in agent names and descriptions
 3. Present matching results
@@ -47,6 +51,7 @@ You can:
 
 **User:** "Show me available agent categories"
 **You:** Fetch from GitHub API, then present:
+
 ```
 Available categories:
 1. Core Development (11 agents)
@@ -57,6 +62,7 @@ Available categories:
 
 **User:** "Install the python-pro agent"
 **You:**
+
 1. Ask: "Install globally (~/.claude/agents/) or locally (.claude/agents/)?"
 2. Download from GitHub
 3. Save to chosen directory

.claude/agents/agent-organizer.md

@@ -8,12 +8,14 @@ model: sonnet
 You are a senior agent organizer with expertise in assembling and coordinating multi-agent teams. Your focus spans task analysis, agent capability mapping, workflow design, and team optimization with emphasis on selecting the right agents for each task and ensuring efficient collaboration.
 
 When invoked:
+
 1. Query context manager for task requirements and available agents
 2. Review agent capabilities, performance history, and current workload
 3. Analyze task complexity, dependencies, and optimization opportunities
 4. Orchestrate agent teams for maximum efficiency and success
 
 Agent organization checklist:
+
 - Agent selection accuracy > 95% achieved
 - Task completion rate > 99% maintained
 - Resource utilization optimal consistently
@@ -24,6 +26,7 @@ Agent organization checklist:
 - Team synergy maximized effectively
 
 Task decomposition:
+
 - Requirement analysis
 - Subtask identification
 - Dependency mapping
@@ -34,6 +37,7 @@ Task decomposition:
 - Success criteria
 
 Agent capability mapping:
+
 - Skill inventory
 - Performance metrics
 - Specialization areas
@@ -44,6 +48,7 @@ Agent capability mapping:
 - Workload capacity
 
 Team assembly:
+
 - Optimal composition
 - Skill coverage
 - Role assignment
@@ -54,6 +59,7 @@ Team assembly:
 - Timeline synchronization
 
 Orchestration patterns:
+
 - Sequential execution
 - Parallel processing
 - Pipeline patterns
@@ -64,6 +70,7 @@ Orchestration patterns:
 - Failover strategies
 
 Workflow design:
+
 - Process modeling
 - Data flow planning
 - Control flow design
@@ -74,6 +81,7 @@ Workflow design:
 - Result aggregation
 
 Agent selection criteria:
+
 - Capability matching
 - Performance history
 - Cost considerations
@@ -84,6 +92,7 @@ Agent selection criteria:
 - Backup selection
 
 Dependency management:
+
 - Task dependencies
 - Resource dependencies
 - Data dependencies
@@ -94,6 +103,7 @@ Dependency management:
 - Flow optimization
 
 Performance optimization:
+
 - Bottleneck identification
 - Load distribution
 - Parallel execution
@@ -104,6 +114,7 @@ Performance optimization:
 - Cost minimization
 
 Team dynamics:
+
 - Optimal team size
 - Skill complementarity
 - Communication overhead
@@ -114,6 +125,7 @@ Team dynamics:
 - Result integration
 
 Monitoring & adaptation:
+
 - Real-time tracking
 - Performance metrics
 - Anomaly detection
@@ -130,6 +142,7 @@ Monitoring & adaptation:
 Initialize agent organization by understanding task and team requirements.
 
 Organization context query:
+
 ```json
 {
   "requesting_agent": "agent-organizer",
@@ -149,6 +162,7 @@ Execute agent organization through systematic phases:
 Decompose and understand task requirements.
 
 Analysis priorities:
+
 - Task breakdown
 - Complexity assessment
 - Dependency identification
@@ -159,6 +173,7 @@ Analysis priorities:
 - Quality standards
 
 Task evaluation:
+
 - Parse requirements
 - Identify subtasks
 - Map dependencies
@@ -173,6 +188,7 @@ Task evaluation:
 Assemble and coordinate agent teams.
 
 Implementation approach:
+
 - Select agents
 - Assign roles
 - Setup communication
@@ -183,6 +199,7 @@ Implementation approach:
 - Optimize performance
 
 Organization patterns:
+
 - Capability-based selection
 - Load-balanced assignment
 - Redundant coverage
@@ -193,6 +210,7 @@ Organization patterns:
 - Result validation
 
 Progress tracking:
+
 ```json
 {
   "agent": "agent-organizer",
@@ -211,6 +229,7 @@ Progress tracking:
 Achieve optimal multi-agent coordination.
 
 Excellence checklist:
+
 - Tasks completed
 - Performance optimal
 - Resources efficient
@@ -224,6 +243,7 @@ Delivery notification:
 "Agent orchestration completed. Coordinated 12 agents across 47 tasks with 94% first-pass success rate. Average response time 3.2s with 67% resource utilization. Achieved 23% performance improvement through optimal team composition and workflow design."
 
 Team composition strategies:
+
 - Skill diversity
 - Redundancy planning
 - Communication efficiency
@@ -234,6 +254,7 @@ Team composition strategies:
 - Scalability design
 
 Workflow optimization:
+
 - Parallel execution
 - Pipeline efficiency
 - Resource sharing
@@ -244,6 +265,7 @@ Workflow optimization:
 - Result synthesis
 
 Dynamic adaptation:
+
 - Performance monitoring
 - Bottleneck detection
 - Agent reallocation
@@ -254,6 +276,7 @@ Dynamic adaptation:
 - Resource scaling
 
 Coordination excellence:
+
 - Clear communication
 - Efficient handoffs
 - Synchronized execution
@@ -264,6 +287,7 @@ Coordination excellence:
 - Continuous improvement
 
 Learning & improvement:
+
 - Performance analysis
 - Pattern recognition
 - Best practice extraction
@@ -274,6 +298,7 @@ Learning & improvement:
 - Knowledge base update
 
 Integration with other agents:
+
 - Collaborate with context-manager on information sharing
 - Support multi-agent-coordinator on execution
 - Work with task-distributor on load balancing

.claude/agents/artifacthub-headlamp.md

@@ -40,6 +40,7 @@ owners:
 ```
 
 **How to get the repositoryID:**
+
 1. Log into artifacthub.io
 2. Go to Control Panel → Repositories → Add
 3. Select repository kind: "Headlamp plugins"
@@ -99,6 +100,7 @@ annotations:                                   # CRITICAL — Headlamp-specific
 These annotations in `artifacthub-pkg.yml` are what make ArtifactHub treat the package as a Headlamp plugin:
 
 ### headlamp/plugin/archive-url
+
 **Required.** Direct download URL to the plugin tarball on GitHub Releases.
 
 Format: `https://github.com/<owner>/<repo>/releases/download/v<VERSION>/<pkgname>-<VERSION>.tar.gz`
@@ -108,6 +110,7 @@ Format: `https://github.com/<owner>/<repo>/releases/download/v<VERSION>/<pkgname
 - The tarball is uploaded as a GitHub Release asset — NOT to ArtifactHub
 
 ### headlamp/plugin/archive-checksum
+
 **Recommended.** SHA256 checksum of the tarball.
 
 Format: `sha256:<hex-digest>`
@@ -117,14 +120,17 @@ Generated via: `sha256sum <tarball> | awk '{print $1}'`
 Can be empty string if not yet computed (release workflow fills it in).
 
 ### headlamp/plugin/version-compat
+
 **Required.** Minimum Headlamp version the plugin works with.
 
 Format: `>=X.Y.Z` (e.g., `>=0.20.0`, `>=0.26`)
 
 ### headlamp/plugin/distro-compat
+
 **Required.** Comma-separated list of supported Headlamp deployment targets.
 
 Valid values:
+
 - `in-cluster` — Headlamp running inside a Kubernetes cluster
 - `web` — Web-based Headlamp deployment
 - `app` — Headlamp desktop application (Electron)
@@ -138,6 +144,7 @@ Example: `"in-cluster,web,app"`
 ## ArtifactHub Categories
 
 Valid `category` values for Headlamp plugins:
+
 - `security` — Secrets, RBAC, policy enforcement
 - `storage` — CSI drivers, persistent volumes, Ceph/Rook
 - `monitoring-logging` — Metrics, GPU monitoring, observability
@@ -148,7 +155,9 @@ Valid `category` values for Headlamp plugins:
 ## Optional Fields
 
 ### containersImages
+
 For plugins associated with a specific container/operator:
+
 ```yaml
 containersImages:
   - name: <component-name>
@@ -156,14 +165,18 @@ containersImages:
 ```
 
 ### recommendations
+
 Link to related ArtifactHub packages:
+
 ```yaml
 recommendations:
   - url: https://artifacthub.io/packages/helm/<repo>/<chart>
 ```
 
 ### install
+
 Custom installation instructions (markdown):
+
 ```yaml
 install: |
   ## Install via Headlamp Plugin Manager
@@ -171,6 +184,7 @@ install: |
 ```
 
 ### logoPath
+
 Path to a logo image file in the repo (relative to root).
 
 ---
@@ -196,6 +210,7 @@ This is the actual flow. There is NO other way to publish:
 ```
 
 **Key points:**
+
 - Steps 1-9 happen in your GitHub Actions workflow
 - Step 10 is entirely controlled by ArtifactHub — you cannot trigger it
 - The tarball lives on GitHub Releases, not ArtifactHub
@@ -233,6 +248,7 @@ The `<pkgname>` directory inside the tarball matches the `name` field from `pack
 ## Validating Metadata
 
 Before committing, check:
+
 1. `version` matches across `package.json` and `artifacthub-pkg.yml`
 2. `archive-url` version tag matches the `version` field
 3. `name` in `artifacthub-pkg.yml` matches `package.json` `name`

.claude/agents/headlamp-plugin-developer.md

@@ -99,6 +99,7 @@ class KubeObject<T extends KubeObjectInterface> {
 ### ResourceClasses
 
 All standard K8s resource types available (Secret, Namespace, Pod, etc.):
+
 ```typescript
 const [secrets, error, loading] = K8s.ResourceClasses.Secret.useList({ namespace: 'default' });
 const [secret, error] = K8s.ResourceClasses.Secret.useGet('my-secret', 'default');
@@ -127,6 +128,7 @@ ApiProxy.apiFactory(group, version, resource): ApiClient
 ```
 
 **Service proxy URL** (accessing in-cluster services):
+
 ```
 /api/v1/namespaces/${ns}/services/http:${name}:${port}/proxy${path}
 ```
@@ -146,6 +148,7 @@ From `@kinvolk/headlamp-plugin/lib/CommonComponents`:
 `PercentageBar` — bar chart with `data` array of `{ name, value, fill }`
 
 ### SimpleTable (non-obvious props)
+
 ```typescript
 <SimpleTable
   data={items}
@@ -158,6 +161,7 @@ From `@kinvolk/headlamp-plugin/lib/CommonComponents`:
 ```
 
 ### NameValueTable (non-obvious props)
+
 ```typescript
 <NameValueTable
   rows={[
@@ -168,6 +172,7 @@ From `@kinvolk/headlamp-plugin/lib/CommonComponents`:
 ```
 
 ### ConfigStore
+
 ```typescript
 import { ConfigStore } from '@kinvolk/headlamp-plugin/lib';
 const store = new ConfigStore<MyConfig>('plugin-name');
@@ -177,6 +182,7 @@ store.useConfig(): () => MyConfig;
 ```
 
 ### Pre-bundled (no package.json entry needed)
+
 react, react-dom, react-router-dom, @iconify/react, react-redux, @material-ui/core, @material-ui/styles, lodash, notistack, recharts, monaco-editor
 
 ---
@@ -264,6 +270,7 @@ vi.mock('@kinvolk/headlamp-plugin/lib/CommonComponents', () => ({
 Headlamp supports light and dark themes. **Never hardcode colors.** Use CSS custom properties with light-mode fallbacks:
 
 ### Required CSS variables for inline styles
+
 ```typescript
 // Text
 color: 'var(--mui-palette-text-primary)'
@@ -289,6 +296,7 @@ color: 'var(--link-color, #1976d2)'
 ```
 
 ### Common mistakes to avoid
+
 - **NEVER** use raw `#fff`, `#000`, `#333`, `#666` etc. without wrapping in `var(--mui-palette-*)`
 - **NEVER** use `rgba(0,0,0,0.5)` for overlays without a variable — this is the one exception where raw rgba is acceptable (backdrop overlays)
 - **NEVER** assume white backgrounds or dark text — always use `background-paper`/`text-primary`
@@ -296,6 +304,7 @@ color: 'var(--link-color, #1976d2)'
 - Fallback values after the comma are for environments where the variable isn't set — always use the light-mode default
 
 ### Form inputs in custom components
+
 ```typescript
 const inputStyle = {
   border: '1px solid var(--mui-palette-divider, #ccc)',

.claude/agents/multi-agent-coordinator.md

@@ -8,12 +8,14 @@ model: opus
 You are a senior multi-agent coordinator with expertise in orchestrating complex distributed workflows. Your focus spans inter-agent communication, task dependency management, parallel execution control, and fault tolerance with emphasis on ensuring efficient, reliable coordination across large agent teams.
 
 When invoked:
+
 1. Query context manager for workflow requirements and agent states
 2. Review communication patterns, dependencies, and resource constraints
 3. Analyze coordination bottlenecks, deadlock risks, and optimization opportunities
 4. Implement robust multi-agent coordination strategies
 
 Multi-agent coordination checklist:
+
 - Coordination overhead < 5% maintained
 - Deadlock prevention 100% ensured
 - Message delivery guaranteed thoroughly
@@ -24,6 +26,7 @@ Multi-agent coordination checklist:
 - Performance optimal consistently
 
 Workflow orchestration:
+
 - Process design
 - Flow control
 - State management
@@ -34,6 +37,7 @@ Workflow orchestration:
 - Result aggregation
 
 Inter-agent communication:
+
 - Protocol design
 - Message routing
 - Channel management
@@ -44,6 +48,7 @@ Inter-agent communication:
 - Backpressure handling
 
 Dependency management:
+
 - Dependency graphs
 - Topological sorting
 - Circular detection
@@ -54,6 +59,7 @@ Dependency management:
 - Race condition handling
 
 Coordination patterns:
+
 - Master-worker
 - Peer-to-peer
 - Hierarchical
@@ -64,6 +70,7 @@ Coordination patterns:
 - Consensus-based
 
 Parallel execution:
+
 - Task partitioning
 - Work distribution
 - Load balancing
@@ -74,6 +81,7 @@ Parallel execution:
 - Result merging
 
 Communication mechanisms:
+
 - Message passing
 - Shared memory
 - Event streams
@@ -84,6 +92,7 @@ Communication mechanisms:
 - Queue systems
 
 Resource coordination:
+
 - Resource allocation
 - Lock management
 - Semaphore control
@@ -94,6 +103,7 @@ Resource coordination:
 - Efficiency optimization
 
 Fault tolerance:
+
 - Failure detection
 - Timeout handling
 - Retry mechanisms
@@ -104,6 +114,7 @@ Fault tolerance:
 - Graceful degradation
 
 Workflow management:
+
 - DAG execution
 - State machines
 - Saga patterns
@@ -114,6 +125,7 @@ Workflow management:
 - Loop handling
 
 Performance optimization:
+
 - Bottleneck analysis
 - Pipeline optimization
 - Batch processing
@@ -130,6 +142,7 @@ Performance optimization:
 Initialize multi-agent coordination by understanding workflow needs.
 
 Coordination context query:
+
 ```json
 {
   "requesting_agent": "multi-agent-coordinator",
@@ -149,6 +162,7 @@ Execute multi-agent coordination through systematic phases:
 Design efficient coordination strategies.
 
 Analysis priorities:
+
 - Workflow mapping
 - Agent capabilities
 - Communication needs
@@ -159,6 +173,7 @@ Analysis priorities:
 - Optimization opportunities
 
 Workflow evaluation:
+
 - Map processes
 - Identify dependencies
 - Analyze communication
@@ -173,6 +188,7 @@ Workflow evaluation:
 Orchestrate complex multi-agent workflows.
 
 Implementation approach:
+
 - Setup communication
 - Configure workflows
 - Manage dependencies
@@ -183,6 +199,7 @@ Implementation approach:
 - Optimize performance
 
 Coordination patterns:
+
 - Efficient messaging
 - Clear dependencies
 - Parallel execution
@@ -193,6 +210,7 @@ Coordination patterns:
 - Continuous optimization
 
 Progress tracking:
+
 ```json
 {
   "agent": "multi-agent-coordinator",
@@ -211,6 +229,7 @@ Progress tracking:
 Achieve seamless multi-agent collaboration.
 
 Excellence checklist:
+
 - Workflows smooth
 - Communication efficient
 - Dependencies resolved
@@ -224,6 +243,7 @@ Delivery notification:
 "Multi-agent coordination completed. Orchestrated 87 agents processing 234K messages/minute with 94% workflow completion rate. Achieved 96% coordination efficiency with zero deadlocks and 99.9% message delivery guarantee."
 
 Communication optimization:
+
 - Protocol efficiency
 - Message batching
 - Compression strategies
@@ -234,6 +254,7 @@ Communication optimization:
 - Queue management
 
 Dependency resolution:
+
 - Graph algorithms
 - Priority scheduling
 - Resource allocation
@@ -244,6 +265,7 @@ Dependency resolution:
 - Bottleneck removal
 
 Fault handling:
+
 - Failure detection
 - Isolation strategies
 - Recovery procedures
@@ -254,6 +276,7 @@ Fault handling:
 - Graceful degradation
 
 Scalability patterns:
+
 - Horizontal scaling
 - Vertical partitioning
 - Load distribution
@@ -264,6 +287,7 @@ Scalability patterns:
 - Cluster coordination
 
 Performance tuning:
+
 - Latency analysis
 - Throughput optimization
 - Resource utilization
@@ -274,6 +298,7 @@ Performance tuning:
 - I/O optimization
 
 Integration with other agents:
+
 - Collaborate with agent-organizer on team assembly
 - Support context-manager on state synchronization
 - Work with workflow-orchestrator on process execution

.github/workflows/e2e.yaml

@@ -11,15 +11,15 @@ permissions:
   contents: read
 
 # Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
-# headlamp-dev cannot be shared across concurrent runs.
+# privilegedescalation-dev cannot be shared across concurrent runs.
 # cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
-# runs may skip the if:always() teardown, leaving dangling cluster resources.
+# runs may skip the if: always() teardown, leaving dangling cluster resources.
 concurrency:
   group: e2e-${{ github.repository }}
   cancel-in-progress: false
 
 env:
-  E2E_NAMESPACE: headlamp-dev
+  E2E_NAMESPACE: privilegedescalation-dev
   E2E_RELEASE: headlamp-e2e
   # Pin to a known-good Headlamp version. Using :latest is risky because
   # the tag can change between CI runs, causing flaky failures when a newer
@@ -45,104 +45,6 @@ jobs:
       - name: Setup kubectl
         uses: azure/setup-kubectl@v4
 
-      - name: Get kubeconfig
-        run: |
-          set -euo pipefail
-          echo "=== Runner environment diagnostic ==="
-          echo "HOME=${HOME:-}"
-          echo "KUBECONFIG=${KUBECONFIG:-}"
-          echo "ACTIONS_KUBECONFIG=${ACTIONS_KUBECONFIG:-}"
-          echo "RUNNER_CONFIG=${RUNNER_CONFIG:-}"
-          echo "RUNNER_CONFIG_DIR=${RUNNER_CONFIG_DIR:-}"
-          echo ""
-          echo "=== Checking known kubeconfig locations ==="
-          for path in /runner/config /home/runner/.kube/config "${HOME:-}/.kube/config" "${HOME:-}/.kube"; do
-            if [ -f "$path" ]; then
-              echo "FOUND kubeconfig at: $path"
-            elif [ -d "$path" ]; then
-              echo "DIR exists at: $path, contents:"
-              ls -la "$path" 2>&1 || echo "  (cannot list)"
-            else
-              echo "NOT FOUND: $path"
-            fi
-          done
-          echo ""
-          echo "=== In-cluster service account check ==="
-          in_cluster=false
-          if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then
-            echo "Service account token present — in-cluster mode available"
-            echo "KUBERNETES_SERVICE_HOST=${KUBERNETES_SERVICE_HOST:-}"
-            echo "KUBERNETES_SERVICE_PORT=${KUBERNETES_SERVICE_PORT:-}"
-            in_cluster=true
-          else
-            echo "No service account token at /var/run/secrets/kubernetes.io/serviceaccount/"
-          fi
-          echo ""
-          if [ -f /runner/config ]; then
-            echo "KUBECONFIG=/runner/config" >> "$GITHUB_ENV"
-            echo "Using kubeconfig from /runner/config"
-          elif [ -f /home/runner/.kube/config ]; then
-            echo "KUBECONFIG=/home/runner/.kube/config" >> "$GITHUB_ENV"
-            echo "Using kubeconfig from /home/runner/.kube/config"
-          elif [ -f "${HOME:-}/.kube/config" ]; then
-            echo "KUBECONFIG=${HOME:-}/.kube/config" >> "$GITHUB_ENV"
-            echo "Using kubeconfig from HOME"
-          elif [ "$in_cluster" = true ]; then
-            echo "No static kubeconfig found — generating in-cluster kubeconfig"
-            KUBECFG_DIR="${HOME:-}/.kube"
-            mkdir -p "$KUBECFG_DIR"
-            kubectl config set-cluster in-cluster \
-              --server="https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443}" \
-              --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
-              --embed-certs=true \
-              --kubeconfig="$KUBECFG_DIR/config" 2>&1
-            kubectl config set-credentials in-cluster \
-              --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
-              --kubeconfig="$KUBECFG_DIR/config" 2>&1
-            kubectl config set-context in-cluster \
-              --cluster=in-cluster \
-              --user=in-cluster \
-              --kubeconfig="$KUBECFG_DIR/config" 2>&1
-            kubectl config use-context in-cluster \
-              --kubeconfig="$KUBECFG_DIR/config" 2>&1
-            echo "KUBECONFIG=$KUBECFG_DIR/config" >> "$GITHUB_ENV"
-            echo "Generated in-cluster kubeconfig at $KUBECFG_DIR/config"
-          else
-            echo "::error::No kubeconfig found in /runner/config, /home/runner/.kube/config, HOME, or in-cluster service account"
-            exit 1
-          fi
-
-      - name: Apply RBAC for E2E pipeline
-        run: |
-          set -x
-          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml --dry-run=server 2>&1 || true
-          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml 2>&1
-          echo "exit code: $?"
-          echo "Waiting for RBAC propagation..."
-          sleep 5
-          echo "Verifying RBAC resources were created..."
-          kubectl get role e2e-ci-runner -n headlamp-dev 2>&1 | tail -3
-          kubectl get role e2e-ci-runner-polaris -n headlamp-dev 2>&1 | tail -3
-          kubectl get rolebinding e2e-ci-runner-binding -n headlamp-dev 2>&1 | tail -3
-          set +x
-
-      - name: Apply Polaris dashboard RBAC
-        run: kubectl apply -f deployment/polaris-rbac.yaml
-
-      - name: RBAC pre-flight check
-        run: |
-          echo "Checking RBAC resources..."
-          MISSING=0
-          kubectl get role polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
-          kubectl get rolebinding polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
-          kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" 2>/dev/null || MISSING=1
-          if [ "$MISSING" -eq 0 ]; then
-            echo "RBAC pre-flight check passed."
-          else
-            echo "::error::RBAC pre-flight check failed. Missing required permissions."
-            exit 1
-          fi
-
       - name: Install dependencies
         run: npm ci
 

.github/workflows/renovate.yml

@@ -1,14 +0,0 @@
-name: Renovate
-on:
-  schedule:
-    - cron: '0 3 * * *'
-  workflow_dispatch:
-jobs:
-  renovate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: renovatebot/github-action@v40.3.0
-        with:
-          configurationFile: renovate.json
-          renovate-json5: true

.markdownlint-cli2.jsonc

@@ -15,39 +15,6 @@
     // Ordered list item prefix — number resets are intentional in documents
     "MD029": false,
     // No inline HTML — each elements are valid in valid Markdown
-    "MD033": false,
-    // List marker space — spacing after list markers varies by editor
-    "MD030": false,
-    // Blanks around headings — not always needed in compact docs
-    "MD022": false,
-    // Blanks around lists — not always needed in compact docs
-    "MD032": false,
-    // Blanks around fences — not always needed between adjacent blocks
-    "MD031": false,
-    // Multiple blanks — editor artifacts, not semantic
-    "MD012": false,
-    // Single title — files may have multiple H1 sections
-    "MD025": false,
-    // Trailing spaces — editor artifacts
-    "MD009": false,
-    // Bare URLs — URL shortening not always needed
-    "MD034": false,
-    // Single trailing newline — editor artifacts
-    "MD047": false,
-    // Trailing punctuation — heading punctuation is intentional
-    "MD026": false,
-    // Space in emphasis — double-asterisk bold spacing varies by renderer
-    "MD037": false,
-    // No hard tabs — some generated docs use tabs for indentation
-    "MD010": false,
-    // Code block style — generated docs may use inconsistent styles
-    "MD046": false,
-    // Comment style — generated docs have no comments
-    "MD048": false,
-    // Commands show output — shell examples intentionally show only commands
-    "MD014": false
-  },
-  "ignores": [
-    "docs/api-reference/generated/**"
-  ]
+    "MD033": false
+  }
 }

.markdownlintignore

@@ -1 +0,0 @@
-docs/api-reference/generated/**

CHANGELOG.md

@@ -13,14 +13,17 @@ First stable release. The plugin API (routes, sidebar entries, settings schema,
 now frozen — no breaking changes without a new major version.
 
 ### Security
+
 - Patched 8 of 9 npm audit vulnerabilities via `pnpm.overrides` (#92)
 
 ### Added
+
 - **Dual-approval CI check**: PRs now require approval from both CTO and QA before merging (#98, #76)
 - **ExemptionManager test suite**: Full coverage of annotation-based exemption flows, exemption creation, and inline feedback (#82)
 - **RBAC preflight check**: `deploy-e2e-headlamp.sh` now verifies runner RBAC before attempting E2E deploy (#80)
 
 ### Fixed
+
 - **E2E infrastructure overhaul**: Replaced Dockerfile.e2e with ConfigMap volume mount for plugin loading; tests now run in the `privilegedescalation-dev` namespace (#73, #89, #94)
 - **E2E token auth**: Workflow uses GitHub App token auth and handles the `/token` redirect correctly (#97)
 - **E2E HTTP readiness**: `deploy-e2e-headlamp.sh` waits for HTTP reachability after rollout before running tests (#104)
@@ -28,6 +31,7 @@ now frozen — no breaking changes without a new major version.
 - **Direct devDependencies**: Added `typescript`, `eslint`, `prettier`, and `@headlamp-k8s/eslint-config` as explicit direct devDependencies to prevent phantom-dep failures in clean installs (#95, #102)
 
 ### Changed
+
 - **pnpm version pinned**: `packageManager` field in `package.json` pins the pnpm version used in CI (#103)
 - **GitHub Actions SHA pinning**: Renovate `pinDigests` enabled to SHA-pin all GitHub Actions (#105)
 - **ArtifactHub metadata polish**: Improved `install` instructions and `changes` section formatting (#82)
@@ -35,12 +39,14 @@ now frozen — no breaking changes without a new major version.
 ## [0.6.0] - 2026-03-04
 
 ### Fixed
+
 - **ExemptionManager apiVersion bug**: `apps` and `batch` resources now correctly use `/apis/{group}/v1/` instead of the broken `/api/v1/` path
 - **Strict TypeScript**: Replaced `resource: any` in InlineAuditSection with proper `KubeResource` interface
 - **PolarisDataContext test mock**: Added missing `triggerRefresh` to mock, preventing silent `undefined` for `refresh` in context
 - **DashboardView test**: Fixed `SimpleTable` mock that used `Array<any>` and didn't exercise column getters
 
 ### Changed
+
 - **Dark mode / theming**: Replaced all `var(--mui-palette-*)` CSS variables with `useTheme()` + `theme.palette.*` across all components (DashboardView, NamespacesListView, InlineAuditSection, ExemptionManager, PolarisSettings, AppBarScoreBadge)
 - **Namespace drawer**: Replaced custom `<style>` block + positioned `<div>` with MUI `Drawer` component for proper accessibility (`role="dialog"`, `aria-modal`, Escape key handling via MUI)
 - **AppBarScoreBadge**: Uses `theme.palette.success/warning/error` with proper `contrastText` instead of hardcoded hex colors
@@ -48,6 +54,7 @@ now frozen — no breaking changes without a new major version.
 - **URL construction**: Exported `getPolarisApiPath` and `isFullUrl` from `polaris.ts`; PolarisSettings now reuses them instead of duplicating logic
 
 ### Added
+
 - **Error boundaries**: All registered components (routes, detail sections, app bar action) wrapped in `PolarisErrorBoundary` for graceful error rendering
 - **Tests for InlineAuditSection** (7 tests): loading, unsupported kind, not found, score/summary, failing checks, link, exemption manager
 - **Tests for AppBarScoreBadge** (6 tests): loading, no data, score colors, navigation, aria-label
@@ -55,6 +62,7 @@ now frozen — no breaking changes without a new major version.
 - **Tests for checkMapping.ts** (11 tests): name/description/category/severity lookups, unknown checks, CHECK_MAPPING structure validation
 
 ### Removed
+
 - **NamespaceDetailView.tsx**: Dead code with no registered route (replaced by drawer in NamespacesListView)
 - **NamespaceDetailView.test.tsx**: Tests for removed component
 - **MockPolarisProvider in test-utils.tsx**: Unused mock provider (tests use `vi.mock` instead)
@@ -63,9 +71,11 @@ now frozen — no breaking changes without a new major version.
 ## [0.3.5] - 2026-02-12
 
 ### Fixed
+
 - Fixed drawer background remaining white in dark mode by using correct CSS variable (`--mui-palette-background-default`)
 
 ### Documentation
+
 - Added comprehensive Priority 2 documentation (ARCHITECTURE.md, DEPLOYMENT.md, SECURITY.md)
 - Added CONTRIBUTING.md with development workflow, branching strategy, and code style guidelines
 - Added complete CHANGELOG.md documenting all releases from v0.0.1 to current
@@ -73,17 +83,20 @@ now frozen — no breaking changes without a new major version.
 ## [0.3.4] - 2026-02-12
 
 ### Fixed
+
 - Removed all `@mui/material` and `@mui/icons-material` imports causing plugin load failure
 - Fixed plugin settings page registration (changed name from 'polaris' to 'headlamp-polaris-plugin')
 - Added dark mode support using MUI CSS variables for proper theme adaptation
 - Resolved TypeScript compilation errors in plugin registration calls
 
 ### Changed
+
 - Replaced all MUI components with standard HTML elements and inline styles
 - Updated `registerDetailsViewSection` and `registerAppBarAction` to match Headlamp plugin API v0.13.0
 - App bar badge, settings buttons, and UI elements now use theme-aware CSS variables
 
 ### Infrastructure
+
 - Added CI workflow for lint, type-check, build, and test
 - Enhanced E2E testing documentation with comprehensive guides
 - Added documentation-engineer subagent
@@ -91,24 +104,28 @@ now frozen — no breaking changes without a new major version.
 ## [0.3.3] - 2026-02-12
 
 ### Fixed
+
 - Corrected plugin settings registration name to match package.json
 - Added displaySaveButton parameter to settings registration
 
 ## [0.3.2] - 2026-02-12
 
 ### Fixed
+
 - Removed all MUI dependencies to fix plugin loading in Headlamp v0.39.0+
 - Plugin now loads correctly in sidebar and routes
 
 ## [0.3.1] - 2026-02-12
 
 ### Fixed
+
 - TypeScript compilation errors in `registerDetailsViewSection` and `registerAppBarAction` calls
 - Test failures in DashboardView (added missing SimpleTable mock)
 
 ## [0.3.0] - 2026-02-11
 
 ### Added
+
 - App bar badge displaying cluster Polaris score
 - Inline audit sections in resource detail views (Deployment, StatefulSet, DaemonSet, Job, CronJob)
 - Exemption management UI (view/add exemptions via annotations)
@@ -117,33 +134,39 @@ now frozen — no breaking changes without a new major version.
 - Namespace drawer navigation with URL hash support
 
 ### Changed
+
 - Migrated namespace detail to right-side drawer panel
 - Improved drawer keyboard navigation (Escape to close)
 - Enhanced settings page with connection testing
 
 ### Fixed
+
 - Empty namespace crash handling
 - Drawer navigation pattern for better UX
 
 ## [0.2.5] - 2025-12-XX
 
 ### Fixed
+
 - Improved theming and settings visibility
 
 ## [0.2.4] - 2025-12-XX
 
 ### Changed
+
 - Increased namespace detail panel width to 1000px for better readability
 
 ## [0.2.3] - 2025-12-XX
 
 ### Added
+
 - Full URL support for custom Polaris dashboards
 - Support for external Polaris instances (not just service proxy)
 
 ## [0.2.2] - 2025-12-XX
 
 ### Added
+
 - Configurable Polaris dashboard URL setting
 - Settings page for plugin configuration
 - Refresh interval configuration
@@ -151,136 +174,161 @@ now frozen — no breaking changes without a new major version.
 ## [0.2.1] - 2025-12-XX
 
 ### Infrastructure
+
 - Migrated to GitHub as primary repository
 - Fixed v0.2.0 checksum in ArtifactHub metadata
 
 ## [0.2.0] - 2025-12-XX
 
 ### Added
+
 - Namespace drawer navigation
 - URL hash-based routing for namespaces
 - Keyboard shortcuts (Escape to close drawer)
 
 ### Infrastructure
+
 - GitHub release automation
 - Improved CI/CD workflow
 
 ## [0.1.7] - 2025-11-XX
 
 ### Documentation
+
 - Removed incorrect development installation instructions
 
 ## [0.1.6] - 2025-11-XX
 
 ### Fixed
+
 - Plugin settings display name changed to "Polaris"
 
 ### Documentation
+
 - Added tooltip to skipped count explaining limitation
 - Documented skipped count limitation in README
 
 ## [0.1.5] - 2025-11-XX
 
 ### Fixed
+
 - Restored `:80` port in service proxy URL for correct dashboard access
 
 ## [0.1.4] - 2025-11-XX
 
 ### Added
+
 - Playwright E2E smoke tests
 - Test coverage for sidebar, overview, namespaces, and detail views
 
 ### Fixed
+
 - Empty namespace crash (graceful handling)
 - Removed `:80` port suffix from service proxy URL for RBAC compatibility
 
 ## [0.1.3] - 2025-11-XX
 
 ### Fixed
+
 - Service proxy URL format for consistent RBAC requirements
 
 ## [0.1.2] - 2025-11-XX
 
 ### Added
+
 - Namespace filtering and sorting
 - Enhanced resource table in namespace detail view
 
 ## [0.1.1] - 2025-11-XX
 
 ### Fixed
+
 - Score calculation for resources with mixed results
 - Percentage display formatting
 
 ## [0.1.0] - 2025-11-XX
 
 ### Added
+
 - Namespace detail view with resource-level audit results
 - Drill-down navigation from namespace list
 
 ### Changed
+
 - Improved data fetching with error handling
 - Better loading states
 
 ## [0.0.10] - 2025-11-XX
 
 ### Fixed
+
 - **RBAC Documentation:** Corrected to use `services/proxy` permission instead of ConfigMap access
 
 ### Documentation
+
 - Updated README with accurate RBAC requirements
 - Added minimal Role example
 
 ## [0.0.9] - 2025-11-XX
 
 ### Added
+
 - Refresh button for manual data reload
 - Last updated timestamp display
 
 ## [0.0.8] - 2025-11-XX
 
 ### Added
+
 - Skipped checks display in check summary
 - Improved check categorization (pass/warning/danger/skipped)
 
 ## [0.0.7] - 2025-11-XX
 
 ### Changed
+
 - Enhanced overview dashboard layout
 - Better visual hierarchy for cluster score
 
 ## [0.0.6] - 2025-11-XX
 
 ### Added
+
 - Namespace list view with per-namespace scores
 - Navigation between overview and namespace views
 
 ## [0.0.5] - 2025-11-XX
 
 ### Fixed
+
 - Data fetching error handling
 - API proxy path configuration
 
 ## [0.0.4] - 2025-11-XX
 
 ### Added
+
 - Check distribution visualization
 - Pass/Warning/Danger count display
 
 ## [0.0.3] - 2025-11-XX
 
 ### Changed
+
 - Improved cluster score calculation
 - Better result aggregation logic
 
 ## [0.0.2] - 2025-11-XX
 
 ### Added
+
 - Cluster score display
 - Basic check summary table
 
 ## [0.0.1] - 2025-10-XX
 
 ### Added
+
 - Initial release
 - Basic Polaris plugin structure
 - Sidebar entry "Polaris"
@@ -290,6 +338,7 @@ now frozen — no breaking changes without a new major version.
 - React components using Headlamp CommonComponents
 
 ### Infrastructure
+
 - GitHub repository setup
 - ArtifactHub package registration
 - Automated release workflow

CLAUDE.md

@@ -33,7 +33,7 @@ All tests and `tsc` must pass before committing.
 
 ## Architecture
 
-```
+```text
 src/
 ├── index.tsx                           # Plugin entry: registerRoute, registerSidebarEntry, registerDetailsViewSection, registerAppBarAction, registerPluginSettings; PolarisErrorBoundary
 ├── test-utils.tsx                      # Shared test fixtures (makeResult, makeAuditData)
@@ -73,9 +73,10 @@ Data is fetched via `ApiProxy.request` to the Polaris dashboard service proxy an
 ## Testing
 
 Mock pattern for headlamp APIs:
+
 ```typescript
 vi.mock('@kinvolk/headlamp-plugin/lib', () => ({
   ApiProxy: { request: vi.fn().mockResolvedValue({}) },
   K8s: { ResourceClasses: {} },
 }));
-```
+```

CONTEXT.md

@@ -83,6 +83,7 @@ import { Box, Chip } from '@mui/material';
 ### Headlamp Component Issues
 
 1. **StatusLabel with empty status**
+
    ```typescript
    // ❌ Renders near-invisible (muted background)
    <StatusLabel status="">{value}</StatusLabel>
@@ -92,6 +93,7 @@ import { Box, Chip } from '@mui/material';
    ```
 
 2. **Link component crashes on plugin routes**
+
    ```typescript
    // ❌ Headlamp Link crashes on plugin-registered routes
    import { Link } from '@kinvolk/headlamp-plugin/lib/CommonComponents';
@@ -210,6 +212,7 @@ npm run format:check
 ### Commit Convention
 
 Use Conventional Commits:
+
 - `feat:` - New feature
 - `fix:` - Bug fix
 - `docs:` - Documentation only
@@ -220,6 +223,7 @@ Use Conventional Commits:
 ### PR Process
 
 All PRs must pass:
+
 1. Build (`npm run build`)
 2. Lint (`npm run lint`)
 3. Type-check (`npm run tsc`)
@@ -276,6 +280,7 @@ npm run e2e
 ### CI Workflow (`.github/workflows/ci.yaml`)
 
 Runs on push to main and all PRs:
+
 1. Checkout
 2. `npm ci`
 3. `npm run build`
@@ -289,6 +294,7 @@ Runner: `local-ubuntu-latest`
 ### E2E Workflow (`.github/workflows/e2e.yaml`)
 
 Runs on push, PR, and manual trigger:
+
 1. Checkout
 2. `npm ci`
 3. `npm run e2e`
@@ -306,6 +312,7 @@ gh workflow run release.yaml -f version=0.4.2
 ```
 
 Steps:
+
 1. Validate version format (semver)
 2. Bump `package.json` + `artifacthub-pkg.yml`
 3. Build plugin
@@ -323,6 +330,7 @@ Steps:
 ### Version Bump Requirements
 
 **ALWAYS bump both files in the same commit**:
+
 - `package.json` - `version` field
 - `artifacthub-pkg.yml` - `version` field + `digest` (checksum) + `archive.url`
 
@@ -331,12 +339,14 @@ Steps:
 ### ⚠️ Headlamp v0.39.0 Known Issues
 
 **AutoSizer JavaScript Error**
+
 - **Symptom**: Console shows `TypeError: undefined is not an object (evaluating 'io.AutoSizer')`
 - **Impact**: Cosmetic error in Settings page, doesn't break functionality
 - **Root Cause**: Headlamp core bug, not plugin-related
 - **Workaround**: None needed, can be ignored
 
 **Plugin Loading (RESOLVED)**
+
 - **Old Issue**: Previously thought `config.watchPlugins: false` was required
 - **Resolution**: Plugins load correctly with default `watchPlugins: true`
 - **Note**: If you see old docs mentioning `watchPlugins: false`, ignore them
@@ -344,28 +354,34 @@ Steps:
 ### Polaris Dashboard Behavior
 
 **Stale Audit Data**
+
 - **Symptom**: Plugin shows old audit timestamp
 - **Root Cause**: Polaris dashboard runs audit once at pod startup, then caches results
 - **Does NOT**: Continuously re-audit in real-time
 - **Workaround**: Restart Polaris pods for fresh data
+
   ```bash
   kubectl rollout restart deployment -n polaris polaris-dashboard
   ```
+
 - **Load Balancing**: Service balances across multiple pods - each may have different audit timestamps
 - **Plugin Auto-Refresh**: Works correctly - just fetches whatever Polaris currently has cached
 
 ### Skipped Count Limitation
 
 **What It Shows**:
+
 - Only checks with `Severity: "ignore"` in Polaris API response
 - Does NOT include annotation-based exemptions (`polaris.fairwinds.com/*-exempt`)
 
 **Why**:
+
 - Polaris omits exempted checks from `results.json`
 - Plugin has no access to raw K8s resources to compute exemptions
 - By design: service proxy limitation
 
 **Workaround**:
+
 - Link to native Polaris dashboard for full exemption count
 - UI tooltip explains this limitation
 

CONTRIBUTING.md

@@ -18,6 +18,7 @@ Thank you for your interest in contributing to the Headlamp Polaris Plugin! This
 ## Code of Conduct
 
 This project follows a standard code of conduct:
+
 - Be respectful and inclusive
 - Welcome newcomers and help them get started
 - Focus on constructive feedback
@@ -35,23 +36,27 @@ This project follows a standard code of conduct:
 ### Development Setup
 
 1. **Fork and clone the repository:**
+
    ```bash
    git clone https://github.com/YOUR_USERNAME/headlamp-polaris-plugin.git
    cd headlamp-polaris-plugin
    ```
 
 2. **Install dependencies:**
+
    ```bash
    npm install
    ```
 
 3. **Start development mode:**
+
    ```bash
    npm start
    # Plugin will be available at http://localhost:4466
    ```
 
 4. **Run tests:**
+
    ```bash
    # Unit tests
    npm test
@@ -61,6 +66,7 @@ This project follows a standard code of conduct:
    ```
 
 5. **Build the plugin:**
+
    ```bash
    npm run build
    ```
@@ -79,18 +85,21 @@ This project follows a standard code of conduct:
 ### Local Testing
 
 **Option 1: Development Mode**
+
 ```bash
 npm start
 # Opens Headlamp at http://localhost:4466 with hot reload
 ```
 
 **Option 2: Production Build**
+
 ```bash
 npm run build
 # Plugin bundle created in dist/
 ```
 
 **Option 3: E2E Testing**
+
 ```bash
 # Set up environment (see e2e/README.md)
 export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system --duration=24h)
@@ -116,6 +125,7 @@ npm run e2e
   - Chores: `chore/description`
 
 **Examples:**
+
 ```bash
 feat/add-exemption-support
 fix/dark-mode-theme-colors
@@ -127,16 +137,19 @@ chore/upgrade-dependencies
 ### Branching Rules
 
 **✅ ALWAYS use feature branches for:**
+
 - Code changes (new features, bug fixes, refactors)
 - Test updates
 - CI/CD workflow changes
 - Package updates
 
 **✅ MAY push directly to main for:**
+
 - Documentation-only changes (README.md, CLAUDE.md, comments)
 - Version bump commits (`package.json` + `artifacthub-pkg.yml`)
 
 **❌ NEVER push directly to main for:**
+
 - Any code changes to `src/`
 - Test file changes
 - Workflow changes
@@ -206,6 +219,7 @@ Co-Authored-By: Happy <yesreply@happy.engineering>
 ### Before Creating a PR
 
 1. **Run all checks locally:**
+
    ```bash
    npm run build      # Verify build succeeds
    npm run lint       # Check for linting errors
@@ -227,6 +241,7 @@ Co-Authored-By: Happy <yesreply@happy.engineering>
 ### Creating a PR
 
 1. **Push your branch:**
+
    ```bash
    git push origin feat/your-feature
    ```
@@ -237,6 +252,7 @@ Co-Authored-By: Happy <yesreply@happy.engineering>
    - Link related issues with `Fixes #123` or `Closes #456`
 
 3. **PR Title Format:**
+
    ```
    feat: add exemption management UI
    fix: correct score calculation for skipped checks
@@ -299,12 +315,14 @@ npm run format:check
 ### Import Organization
 
 Imports are automatically sorted by eslint. Order:
+
 1. React imports
 2. Third-party libraries
 3. Headlamp plugin imports
 4. Local imports (components, API, types)
 
 Example:
+
 ```typescript
 import React from 'react';
 import { SectionBox, StatusLabel } from '@kinvolk/headlamp-plugin/lib/CommonComponents';
@@ -330,6 +348,7 @@ import { computeScore } from '../api/polaris';
 - Use descriptive test names
 
 Example:
+
 ```typescript
 describe('countResults', () => {
   it('counts passing, warning, and danger results correctly', () => {
@@ -371,14 +390,17 @@ npm run e2e:headed
 When making changes, update relevant documentation:
 
 #### Code Changes
+
 - **README.md:** User-facing features, installation, configuration
 - **CLAUDE.md:** Architecture, constraints, MCP integrations
 - **JSDoc:** All public APIs, components, hooks
 
 #### Test Changes
+
 - **e2e/README.md:** New test scenarios or setup changes
 
 #### Build/CI Changes
+
 - **README.md:** Build commands, release process
 - **.github/workflows/*.yaml:** Workflow comments
 
@@ -405,6 +427,7 @@ export function countResults(data: AuditData): ResultCounts {
 ### Version Numbering
 
 We follow [Semantic Versioning](https://semver.org/):
+
 - **Major (1.0.0):** Breaking changes
 - **Minor (0.1.0):** New features, backward compatible
 - **Patch (0.0.1):** Bug fixes, backward compatible
@@ -416,6 +439,7 @@ We follow [Semantic Versioning](https://semver.org/):
 1. **Merge feature PRs to main**
 
 2. **Bump version:**
+
    ```bash
    # Edit package.json and artifacthub-pkg.yml
    # Update version and archive-url
@@ -425,6 +449,7 @@ We follow [Semantic Versioning](https://semver.org/):
    ```
 
 3. **Create and push tag:**
+
    ```bash
    git tag vX.Y.Z
    git push origin vX.Y.Z
@@ -441,6 +466,7 @@ We follow [Semantic Versioning](https://semver.org/):
 ### Pre-release Versions
 
 For testing before stable release:
+
 - Use `-dev.N` suffix: `v0.3.5-dev.1`
 - Follow same process as stable releases
 - Mark as "pre-release" on GitHub

PROJECT_ASSESSMENT.md

@@ -13,10 +13,12 @@ This assessment identifies critical issues and improvement opportunities for the
 ## 🔴 Critical Issues (Must Fix Immediately)
 
 ### 1. TypeScript Compilation Errors
+
 **Severity:** CRITICAL
 **Impact:** Build failures, type safety compromised
 
 **Issues:**
+
 - `src/index.tsx:72` - `registerDetailsViewSection` expects 1 argument, got 2
 - `src/index.tsx:87` - `registerAppBarAction` expects 1 argument, got 2
 
@@ -24,6 +26,7 @@ This assessment identifies critical issues and improvement opportunities for the
 Update Headlamp plugin API calls to match the current version. Check @kinvolk/headlamp-plugin version compatibility.
 
 **Action Items:**
+
 - [ ] Review Headlamp plugin API documentation
 - [ ] Update `registerDetailsViewSection` and `registerAppBarAction` calls
 - [ ] Run `npm run tsc` to verify fixes
@@ -32,6 +35,7 @@ Update Headlamp plugin API calls to match the current version. Check @kinvolk/he
 ---
 
 ### 2. Production Plugin Loading Failure
+
 **Severity:** CRITICAL
 **Impact:** Plugin is completely non-functional in production
 
@@ -39,11 +43,13 @@ Update Headlamp plugin API calls to match the current version. Check @kinvolk/he
 Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugins as "development directory" plugins, preventing frontend JavaScript execution.
 
 **Current Status:**
+
 - Deployment patched to install plugins to `/headlamp/static-plugins`
 - `watchPlugins: false` configured
 - Waiting for user to test if plugins now load
 
 **Action Items:**
+
 - [ ] Confirm plugins load after recent deployment changes
 - [ ] Document the fix in deployment guide
 - [ ] Update MEMORY.md with final resolution
@@ -52,15 +58,18 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ---
 
 ### 3. Test Failures
+
 **Severity:** HIGH
 **Impact:** CI failures, reduced confidence in changes
 
 **Current Status:**
+
 - 1 test file failing (DashboardView)
 - 49 tests passing
 - Error related to `SimpleTable` component mock
 
 **Action Items:**
+
 - [ ] Fix DashboardView test mocking
 - [ ] Ensure all tests pass before merging PRs
 - [ ] Add test for top issues feature
@@ -71,16 +80,19 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ## 🟡 High Priority Improvements
 
 ### 4. Type Safety Enhancements
+
 **Severity:** HIGH
 **Impact:** Better developer experience, catch errors earlier
 
 **Recommendations:**
+
 - Enable stricter TypeScript checks in `tsconfig.json`
 - Add type definitions for all Headlamp plugin APIs
 - Ensure no `any` types in production code
 - Add JSDoc comments for complex types
 
 **Action Items:**
+
 - [ ] Audit codebase for `any` types
 - [ ] Enable `noImplicitAny` and `strictNullChecks`
 - [ ] Add type guards for API responses
@@ -89,21 +101,25 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ---
 
 ### 5. Security Hardening
+
 **Severity:** HIGH
 **Impact:** Prevent vulnerabilities, protect user data
 
 **Current Risks:**
+
 - Direct Kubernetes API access via service proxy
 - User input in exemption annotations (potential injection)
 - External URL configuration for Polaris dashboard
 
 **Recommendations:**
+
 - Validate and sanitize all user inputs
 - Implement input validation for dashboard URL
 - Add CSRF protection for exemption management
 - Audit dependencies for known vulnerabilities
 
 **Action Items:**
+
 - [ ] Add input validation utilities
 - [ ] Sanitize exemption annotation values
 - [ ] Validate URL format for dashboard configuration
@@ -113,21 +129,25 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ---
 
 ### 6. Error Handling & User Experience
+
 **Severity:** MEDIUM
 **Impact:** Better error messages, improved debugging
 
 **Current Gaps:**
+
 - Generic error messages don't help users troubleshoot
 - No retry logic for transient API failures
 - Missing loading states in some components
 
 **Recommendations:**
+
 - Provide specific, actionable error messages
 - Implement retry logic with exponential backoff
 - Add loading skeletons for all async operations
 - Show connection test results with specific failure reasons
 
 **Action Items:**
+
 - [ ] Create error message constants with solutions
 - [ ] Add retry logic to API calls
 - [ ] Implement loading skeletons
@@ -138,21 +158,25 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ## 🟢 Medium Priority Enhancements
 
 ### 7. Testing Coverage
+
 **Severity:** MEDIUM
 **Impact:** Confidence in changes, regression prevention
 
 **Current Coverage:**
+
 - Unit tests: Good coverage for API utilities
 - Component tests: Some coverage, gaps exist
 - E2E tests: Minimal (Playwright configured but underutilized)
 
 **Recommendations:**
+
 - Add E2E tests for critical user flows
 - Test error scenarios and edge cases
 - Add visual regression tests
 - Test RBAC permission denied scenarios
 
 **Action Items:**
+
 - [ ] Write E2E test for complete audit workflow
 - [ ] Add tests for error states
 - [ ] Test exemption management flow
@@ -161,16 +185,19 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ---
 
 ### 8. Performance Optimization
+
 **Severity:** MEDIUM
 **Impact:** Faster load times, better UX
 
 **Opportunities:**
+
 - Memoize expensive calculations (score computation)
 - Lazy load namespace detail views
 - Debounce search/filter operations
 - Cache Polaris data with stale-while-revalidate
 
 **Action Items:**
+
 - [ ] Add React.memo to pure components
 - [ ] Memoize score calculations
 - [ ] Implement data caching strategy
@@ -179,16 +206,19 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ---
 
 ### 9. Code Quality & Maintainability
+
 **Severity:** MEDIUM
 **Impact:** Easier maintenance, onboarding
 
 **Recommendations:**
+
 - Extract magic strings to constants
 - Reduce component complexity
 - Add JSDoc comments for public APIs
 - Improve code organization
 
 **Action Items:**
+
 - [ ] Create constants file for check IDs
 - [ ] Split large components (DashboardView, NamespaceDetailView)
 - [ ] Add comments for complex logic
@@ -199,16 +229,19 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ## 🔵 Low Priority / Future Enhancements
 
 ### 10. Documentation
+
 **Severity:** LOW
 **Impact:** Better onboarding, user adoption
 
 **Gaps:**
+
 - No architecture documentation
 - Limited inline code comments
 - Missing troubleshooting guide
 - No contributor guidelines
 
 **Action Items:**
+
 - [ ] Create architecture diagram
 - [ ] Document component hierarchy
 - [ ] Add troubleshooting section to README
@@ -217,19 +250,22 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ---
 
 ### 11. CI/CD Pipeline Optimization
+
 **Severity:** LOW
 **Impact:** Faster feedback, automated releases
 
 **Opportunities:**
+
 - Run tests in parallel
 - Cache npm dependencies
 - Add automated security scanning
 - Implement semantic versioning
 
 **Action Items:**
+
 - [ ] Parallelize test execution
 - [ ] Add npm cache to GitHub Actions
-- [x] Renovate is configured org-wide via `github>privilegedescalation/.github:renovate-config`
+- [ ] Integrate Dependabot
 - [ ] Add semantic-release
 
 ---
@@ -237,41 +273,48 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ## Summary & Prioritization
 
 ### Week 1 (Immediate)
+
 1. ✅ Fix TypeScript compilation errors
 2. ✅ Resolve production plugin loading issue
 3. ✅ Fix failing DashboardView test
 
 ### Week 2 (High Priority)
+
 4. Enhance type safety (strict mode)
-5. Implement security hardening
-6. Improve error handling and UX
+2. Implement security hardening
+3. Improve error handling and UX
 
 ### Week 3-4 (Medium Priority)
+
 7. Increase test coverage to >80%
-8. Optimize performance (memoization, caching)
-9. Refactor for maintainability
+2. Optimize performance (memoization, caching)
+3. Refactor for maintainability
 
 ### Ongoing (Low Priority)
+
 10. Documentation improvements
-11. CI/CD optimizations
+2. CI/CD optimizations
 
 ---
 
 ## Success Metrics
 
 **Code Quality:**
+
 - ✅ Zero TypeScript errors
 - ✅ All tests passing
 - 🎯 Test coverage >80%
 - 🎯 No high/critical security vulnerabilities
 
 **Production Readiness:**
+
 - ✅ Plugin loads successfully in Headlamp
 - ✅ All features functional
 - 🎯 Error rate <1%
 - 🎯 Average response time <500ms
 
 **Developer Experience:**
+
 - ✅ Clear documentation
 - ✅ Easy local setup
 - 🎯 Fast CI/CD (<5 min)

README.md

@@ -206,7 +206,7 @@ For complete testing guide including CI/CD integration, see **[docs/TESTING.md](
 
 ## Project Structure
 
-```
+```text
 src/
   index.tsx                           -- Entry point. Registers sidebar entries, routes, and error boundaries.
   test-utils.tsx                      -- Shared test fixtures (makeResult, makeAuditData).
@@ -236,7 +236,7 @@ GET /api/v1/namespaces/polaris/services/polaris-dashboard/proxy/results.json
 
 This endpoint is served by the `polaris-dashboard` ClusterIP service, which is created by the Polaris Helm chart when `dashboard.enabled: true`. The JSON response matches Polaris's `AuditData` schema (`pkg/validator/output.go`):
 
-```
+```text
 AuditData
   ClusterInfo      -- nodes, pods, namespaces, controllers
   Results[]        -- per-workload results

SECURITY.md

@@ -17,7 +17,7 @@ The plugin performs **only read operations** via the Kubernetes API server's ser
 
 ### Data Flow
 
-```
+```text
 User Browser
     ↓ (HTTPS)
 Headlamp Pod
@@ -152,6 +152,7 @@ spec:
 Headlamp runs with a dedicated service account (`headlamp` in `kube-system`). All users share the same permissions defined by this service account's RBAC bindings.
 
 **Security Considerations:**
+
 - All users have identical access to the plugin
 - Suitable for trusted internal environments
 - Simpler RBAC management
@@ -161,6 +162,7 @@ Headlamp runs with a dedicated service account (`headlamp` in `kube-system`). Al
 Headlamp can be configured for OIDC authentication, where each user provides their own bearer token. RBAC is enforced per-user.
 
 **Security Considerations:**
+
 - Fine-grained access control per user
 - Users without the `polaris-proxy-reader` role will see 403 errors
 - Requires OIDC provider integration
@@ -198,10 +200,12 @@ If you discover a security vulnerability in this plugin, please report it via:
 2. **Email**: Create a GitHub issue and mark it as "security" if advisories are not available
 
 **Please do not:**
+
 - Open public GitHub issues for security vulnerabilities
 - Disclose vulnerabilities publicly before a fix is available
 
 **Response Timeline:**
+
 - **Acknowledgment**: Within 48 hours
 - **Initial Assessment**: Within 1 week
 - **Fix Timeline**: Depends on severity (critical: 1-2 weeks, high: 2-4 weeks, medium/low: next release cycle)
@@ -211,8 +215,9 @@ If you discover a security vulnerability in this plugin, please report it via:
 ### Dependency Scanning
 
 The project uses:
+
 - **npm audit**: Runs automatically during `npm install`
-- **Renovate**: Automated dependency updates via Mend Renovate (org-wide configured)
+- **Dependabot**: GitHub Dependabot monitors dependencies and creates PRs for updates
 - **GitHub Actions**: CI workflow runs `npm audit` on every commit
 
 ### Updating Dependencies
@@ -262,6 +267,7 @@ The plugin's security posture depends on your cluster's security:
 **Cause**: User or service account lacks `services/proxy` permission on `polaris-dashboard`
 
 **Resolution**:
+
 1. Verify RoleBinding exists in `polaris` namespace
 2. Check RoleBinding references correct subject (service account, group, or user)
 3. Confirm Role includes `resourceNames: ["polaris-dashboard"]`
@@ -273,11 +279,13 @@ The plugin's security posture depends on your cluster's security:
 **Question**: Can I expose Polaris dashboard via Ingress instead of using service proxy?
 
 **Recommendation**: **Avoid exposing Polaris dashboard externally**. The service proxy approach:
+
 - Enforces Kubernetes RBAC on every request
 - Avoids exposing internal services to the internet
 - Prevents authentication bypass attacks
 
 If you must expose Polaris externally:
+
 - Use OAuth2 proxy or similar authentication layer
 - Configure NetworkPolicies to restrict access
 - Enable TLS with valid certificates
@@ -304,6 +312,7 @@ Users not in `team-a` will receive 403 errors when accessing the plugin, prevent
 ### Data Residency
 
 All data remains within your Kubernetes cluster. The plugin does not:
+
 - Send data to external services
 - Store data in browser localStorage (except refresh interval preference)
 - Use third-party analytics or tracking

SPEC-PRI-324.md

@@ -1,98 +0,0 @@
-# PRI-324 Spec: Make E2E Workflow Self-Sufficient with RBAC
-
-## Context
-
-PR #123 introduced an RBAC pre-flight check to the E2E workflow. QA (Nancy, acting as QA) verified the "fails fast without RBAC" path works, but found that the "with RBAC passes" path had no green CI evidence — the workflow did not apply RBAC before the pre-flight check.
-
-PR #131 attempted to fix this by adding `kubectl apply` steps and extending the CI runner RBAC, but its merge commit (739db6fe) was reverted by the next commit on main (aa1db921) due to a vulnerability fix PR (#128).
-
-The current E2E workflow on `main` lacks the RBAC apply steps and CI runner permissions needed to make the pre-flight check meaningful.
-
-## Required Changes
-
-### 1. `.github/workflows/e2e.yaml`
-
-Add between the "Setup kubectl" and "Install dependencies" steps:
-
-```yaml
-      - name: Apply RBAC for E2E pipeline
-        run: |
-          set -x
-          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml --dry-run=server 2>&1 || true
-          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml 2>&1
-          echo "exit code: $?"
-          echo "Waiting for RBAC propagation..."
-          sleep 5
-          echo "Verifying CI runner permissions..."
-          kubectl auth can-i create roles -n headlamp-dev --as="system:serviceaccount:arc-runners:runners-privilegedescalation-gha-rs-no-permission" 2>&1 || { echo "::error::CI runner still lacks roles permission after propagation wait"; exit 1; }
-          set +x
-
-      - name: Apply Polaris dashboard RBAC
-        run: kubectl apply -f deployment/polaris-rbac.yaml
-
-      - name: RBAC pre-flight check
-        run: |
-          echo "Checking RBAC resources..."
-          MISSING=0
-          kubectl get role polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
-          kubectl get rolebinding polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
-          kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null || MISSING=1
-          if [ "$MISSING" -eq 0 ]; then
-            echo "RBAC pre-flight check passed."
-          else
-            echo "::error::RBAC pre-flight check failed. Missing required permissions."
-            exit 1
-          fi
-```
-
-### 2. `deployment/e2e-ci-runner-rbac.yaml`
-
-Add a new Role + RoleBinding for the `polaris` namespace (from PR #131):
-
-```yaml
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: e2e-ci-runner-polaris
-  namespace: polaris
-rules:
-  - apiGroups: ["rbac.authorization.k8s.io"]
-    resources: ["roles", "rolebindings"]
-    verbs: ["get", "list", "create", "update", "patch", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: e2e-ci-runner-polaris
-  namespace: polaris
-subjects:
-  - kind: ServiceAccount
-    name: runners-privilegedescalation-gha-rs-no-permission
-    namespace: arc-runners
-roleRef:
-  kind: Role
-  name: e2e-ci-runner-polaris
-  apiGroup: rbac.authorization.k8s.io
-```
-
-And add to the existing `e2e-ci-runner` Role in the `headlamp-dev` namespace:
-```yaml
-  # Apply Polaris dashboard RBAC in the polaris namespace
-  - apiGroups: ["rbac.authorization.k8s.io"]
-    resources: ["roles", "rolebindings"]
-    verbs: ["get", "list", "create", "update", "patch", "delete"]
-```
-
-## Acceptance Criteria
-
-- [ ] Workflow applies `deployment/e2e-ci-runner-rbac.yaml` before the pre-flight check
-- [ ] Workflow applies `deployment/polaris-rbac.yaml` before the pre-flight check
-- [ ] CI runner has RBAC to apply the manifests (added via new Role+RoleBinding in polaris namespace)
-- [ ] E2E pipeline passes on the PR branch (proof of green path)
-- [ ] `kubectl get … --quiet` flag removed (QA nit)
-- [ ] `MISSING_ROLE`/`MISSING_ROLEBINDING` collapsed to single `MISSING` flag (QA nit)
-
-## Definition of Done
-
-PR #123 QA changes-requested are addressed: the workflow is self-sufficient (applies its own RBAC), the green path is demonstrated, and QA review is re-requested.

deployment/PLUGIN_LOADING_FIX.md

@@ -1,19 +1,24 @@
 # Headlamp Plugin Loading Issue - Root Cause and Fix
 
 ## Problem
+
 Headlamp v0.39.0 was not loading plugins installed via the plugin manager. Plugins appeared in Settings → Plugins but:
+
 - No sidebar entries appeared
 - No plugin settings were available
 - Plugin JavaScript was not being executed in the browser
 
 ## Root Cause
+
 When `config.watchPlugins: true` (the default), Headlamp treats catalog-managed plugins in `/headlamp/plugins/` as "development directory" plugins. This causes:
+
 - Backend serves plugin metadata correctly
 - Backend logs show "Treating catalog-installed plugin in development directory as user plugin"
 - **Frontend does NOT execute the plugin JavaScript**
 - Plugin registrations (`registerSidebarEntry`, `registerRoute`, etc.) never happen
 
 ## Solution
+
 Set `config.watchPlugins: false` in the Headlamp HelmRelease values:
 
 ```yaml
@@ -31,14 +36,18 @@ spec:
 ```
 
 ## Why This Works
+
 With `watchPlugins: false`:
+
 - Headlamp no longer treats catalog-managed plugins as "development" plugins
 - Frontend properly loads and executes plugin JavaScript on startup
 - Plugin registrations happen correctly
 - All plugin features (sidebar, routes, settings, etc.) work as expected
 
 ## Testing
+
 After applying this fix:
+
 1. Verify plugins are installed: `kubectl logs -n kube-system <headlamp-pod> -c headlamp-plugin`
 2. Verify watchPlugins is false: `kubectl logs -n kube-system <headlamp-pod> -c headlamp | grep "Watch Plugins"`
 3. Hard refresh browser (Cmd+Shift+R / Ctrl+Shift+F5) to clear cached JavaScript
@@ -46,13 +55,15 @@ After applying this fix:
 5. Verify plugin functionality works
 
 ## Additional Notes
+
 - This appears to be a bug/limitation in Headlamp v0.39.0
 - The `watchPlugins` feature is intended for development scenarios where plugins are being actively modified
 - For production deployments with catalog-managed plugins, `watchPlugins: false` is the correct configuration
 - Once plugins are loaded, subsequent restarts or updates work correctly as long as `watchPlugins` remains false
 
 ## References
-- Headlamp Helm Chart: https://github.com/headlamp-k8s/headlamp/tree/main/charts/headlamp
-- Plugin Manager: https://github.com/headlamp-k8s/headlamp/tree/main/plugins/headlamp-plugin
+
+- Headlamp Helm Chart: <https://github.com/headlamp-k8s/headlamp/tree/main/charts/headlamp>
+- Plugin Manager: <https://github.com/headlamp-k8s/headlamp/tree/main/plugins/headlamp-plugin>
 - Issue discovered: 2026-02-11
 - Fix applied: 2026-02-12

deployment/e2e-ci-runner-rbac.yaml

@@ -2,26 +2,26 @@
 # RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
 # CI-only test fixture — NOT for production use.
 #
-# Grants the ARC runner service account permissions in the headlamp-dev
+# Grants the ARC runner service account permissions in the privilegedescalation-dev
 # namespace to deploy and tear down a dedicated Headlamp instance via Helm.
-# E2E resources run in `headlamp-dev` — nothing persists beyond a test run.
+# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
 #
 # Plugin is loaded via ConfigMap volume mount — no custom Docker images.
 #
-# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/)
-# and managed by Flux GitOps. The infra repo is the source of truth.
+# Prerequisites:
+#   kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: e2e-ci-runner
-  namespace: headlamp-dev
+  namespace: privilegedescalation-dev
 rules:
   # Helm needs to manage these resources for the Headlamp chart
   - apiGroups: ["apps"]
     resources: ["deployments"]
     verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
   - apiGroups: [""]
-    resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"]
+    resources: ["services", "serviceaccounts", "configmaps", "secrets"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
   - apiGroups: [""]
     resources: ["pods"]
@@ -30,25 +30,26 @@ rules:
   - apiGroups: [""]
     resources: ["serviceaccounts/token"]
     verbs: ["create"]
-  # Apply Polaris dashboard RBAC in the polaris namespace
+  # RBAC pre-flight check: verify polaris namespace has proxy-reader Role + RoleBinding
+  # before running E2E tests. Required by the "RBAC pre-flight check" workflow step.
   - apiGroups: ["rbac.authorization.k8s.io"]
     resources: ["roles", "rolebindings"]
-    verbs: ["get", "list", "create", "update", "patch", "delete"]
+    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: e2e-ci-runner-polaris
+  name: e2e-ci-runner-polaris-reader
   namespace: polaris
 rules:
   - apiGroups: ["rbac.authorization.k8s.io"]
     resources: ["roles", "rolebindings"]
-    verbs: ["get", "list", "create", "update", "patch", "delete"]
+    verbs: ["get"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: e2e-ci-runner-polaris
+  name: e2e-ci-runner-polaris-reader-binding
   namespace: polaris
 subjects:
   - kind: ServiceAccount
@@ -56,14 +57,14 @@ subjects:
     namespace: arc-runners
 roleRef:
   kind: Role
-  name: e2e-ci-runner-polaris
+  name: e2e-ci-runner-polaris-reader
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: e2e-ci-runner-binding
-  namespace: headlamp-dev
+  namespace: privilegedescalation-dev
 subjects:
   - kind: ServiceAccount
     name: runners-privilegedescalation-gha-rs-no-permission

docs/DOCUMENTATION_STANDARDIZATION_PLAN.md

@@ -129,7 +129,7 @@ docs/
 
 ### 3. CHANGELOG.md Standard
 
-**Format**: Keep a Changelog (https://keepachangelog.com/)
+**Format**: Keep a Changelog (<https://keepachangelog.com/>)
 
 **Structure**:
 

docs/TROUBLESHOOTING.md

@@ -703,6 +703,7 @@ If none of these solutions work, gather debugging information and open an issue:
    ```
 
 6. **RBAC Configuration**:
+
    ```bash
    kubectl get role,rolebinding -n polaris
    ```

docs/troubleshooting/common-issues.md

@@ -703,6 +703,7 @@ If none of these solutions work, gather debugging information and open an issue:
    ```
 
 6. **RBAC Configuration**:
+
    ```bash
    kubectl get role,rolebinding -n polaris
    ```

docs/user-guide/configuration.md

@@ -286,6 +286,7 @@ localStorage.removeItem('polaris-plugin-dashboard-url');
 2. Check for JavaScript errors
 3. Disable privacy mode or try different browser
 4. Check if localStorage is enabled:
+
    ```javascript
    console.log('localStorage available:', typeof localStorage !== 'undefined');
    ```

docs/user-guide/rbac-permissions.md

@@ -508,9 +508,11 @@ If using a log aggregator (e.g., Elasticsearch), create filters to exclude or do
    Expected: `yes`
 
 4. **Verify RoleBinding subjects match:**
+
    ```bash
    kubectl -n polaris get rolebinding headlamp-polaris-proxy -o yaml
    ```
+
    Check `subjects[].name` and `subjects[].namespace` match your Headlamp SA or user
 
 ### "404 Not Found" Error

e2e/README.md

@@ -115,6 +115,7 @@ These are smoke tests against real cluster data. They verify the plugin loads an
 ### Cluster Requirements
 
 1. **Polaris Deployment**
+
    ```bash
    # Verify Polaris is running
    kubectl -n polaris get pods
@@ -122,6 +123,7 @@ These are smoke tests against real cluster data. They verify the plugin loads an
    ```
 
 2. **Polaris Audit Data**
+
    ```bash
    # Check if Polaris has generated audit results
    kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq '.AuditTime'
@@ -183,21 +185,25 @@ Tests automatically capture screenshots on failure in `test-results/`
 ### Common Issues
 
 **Auth fails with "Sign In button not found":**
+
 - Check HEADLAMP_URL is correct
 - Verify Headlamp is accessible
 - Ensure OIDC is configured if using Authentik
 
 **Polaris sidebar entry not found:**
+
 - Plugin may not be installed: Check Settings → Plugins in Headlamp
 - Plugin may have failed to load: Check browser console
 - Clear browser cache and hard refresh
 
 **Cluster score not displayed:**
+
 - Polaris may not have audit data yet
 - Check Polaris is running: `kubectl -n polaris get pods`
 - Verify service proxy: `kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json`
 
 **Namespace table empty:**
+
 - Polaris hasn't run audit yet (wait a few minutes)
 - Check Polaris logs: `kubectl -n polaris logs -l app.kubernetes.io/name=polaris`
 
@@ -281,6 +287,7 @@ kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
 ### Manual Trigger
 
 You can manually trigger E2E tests from GitHub Actions:
+
 1. Go to Actions → E2E Tests
 2. Click "Run workflow"
 3. Select branch and run

package.json

@@ -35,11 +35,7 @@
     "overrides": {
       "tar": "^7.5.11",
       "undici": "^7.24.3",
-      "flatted": "^3.4.2",
-      "lodash": ">=4.18.0",
-      "picomatch": ">=4.0.4",
-      "vite": ">=6.4.2",
-      "elliptic": ">=6.6.1"
+      "flatted": "^3.4.2"
     }
   },
   "devDependencies": {

scripts/deploy-e2e-headlamp.sh

@@ -5,16 +5,16 @@
 # a ConfigMap volume mount. No custom Docker images — the plugin is built
 # in CI and injected as a ConfigMap.
 #
-# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
-# persists beyond a test run — teardown cleans up all created resources.
+# E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing
+# persists beyond the test run — teardown cleans up all created resources.
 #
 # Prerequisites:
 #   - Plugin built (dist/ exists with plugin-main.js + package.json)
 #   - kubectl configured with cluster access
-#   - RBAC applied (managed by Flux GitOps in privilegedescalation/infra)
+#   - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
 #
 # Environment:
-#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-dev)
+#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: privilegedescalation-dev)
 #   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
 #   HEADLAMP_VERSION  — Headlamp image tag (default: v0.40.1, pinned to match production)
 set -euo pipefail
@@ -22,7 +22,7 @@ set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 DIST_DIR="$REPO_ROOT/dist"
 
-E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 HEADLAMP_VERSION="${HEADLAMP_VERSION:-v0.40.1}"
 

scripts/teardown-e2e-headlamp.sh

@@ -4,13 +4,13 @@
 # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
 #
 # Environment:
-#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-dev)
+#   E2E_NAMESPACE  — namespace to clean up (default: privilegedescalation-dev)
 #   E2E_RELEASE    — release/resource name prefix (default: headlamp-e2e)
 set -euo pipefail
 
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 
-E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 
 echo "=== E2E Headlamp Teardown ==="