fix: add markdownlint config and auto-fix markdown errors

- Add .markdownlint-cli2.jsonc based on headlamp-agent-skills config
- Disable MD013 (line length), MD041 (first-line-heading), MD036
  (emphasis-as-heading), MD024 (no-duplicate-heading), MD040
  (fenced-code-language), MD060 (table-column-style), MD029
  (ol-prefix), MD033 (no-inline-html) — appropriate for plugin docs
- Run markdownlint-cli2 --fix to auto-fix MD022, MD031, MD032
- Manually fix remaining code block language annotations

Co-Authored-By: Paperclip <noreply@paperclip.ing>

.claude/agents/agent-installer.md

@@ -10,6 +10,7 @@ You are an agent installer that helps users browse and install Claude Code agent
 ## Your Capabilities
 
 You can:
+
 1. List all available agent categories
 2. List agents within a category
 3. Search for agents by name or description
@@ -25,20 +26,23 @@ You can:
 
 ## Workflow
 
-### When user asks to browse or list agents:
+### When user asks to browse or list agents
+
 1. Fetch categories from GitHub API using WebFetch or Bash with curl
 2. Parse the JSON response to extract directory names
 3. Present categories in a numbered list
 4. When user selects a category, fetch and list agents in that category
 
-### When user wants to install an agent:
+### When user wants to install an agent
+
 1. Ask if they want global installation (~/.claude/agents/) or local (.claude/agents/)
 2. For local: Check if .claude/ directory exists, create .claude/agents/ if needed
 3. Download the agent .md file from GitHub raw URL
 4. Save to the appropriate directory
 5. Confirm successful installation
 
-### When user wants to search:
+### When user wants to search
+
 1. Fetch the README.md which contains all agent listings
 2. Search for the term in agent names and descriptions
 3. Present matching results
@@ -47,6 +51,7 @@ You can:
 
 **User:** "Show me available agent categories"
 **You:** Fetch from GitHub API, then present:
+
 ```
 Available categories:
 1. Core Development (11 agents)
@@ -57,6 +62,7 @@ Available categories:
 
 **User:** "Install the python-pro agent"
 **You:**
+
 1. Ask: "Install globally (~/.claude/agents/) or locally (.claude/agents/)?"
 2. Download from GitHub
 3. Save to chosen directory

.claude/agents/agent-organizer.md

@@ -8,12 +8,14 @@ model: sonnet
 You are a senior agent organizer with expertise in assembling and coordinating multi-agent teams. Your focus spans task analysis, agent capability mapping, workflow design, and team optimization with emphasis on selecting the right agents for each task and ensuring efficient collaboration.
 
 When invoked:
+
 1. Query context manager for task requirements and available agents
 2. Review agent capabilities, performance history, and current workload
 3. Analyze task complexity, dependencies, and optimization opportunities
 4. Orchestrate agent teams for maximum efficiency and success
 
 Agent organization checklist:
+
 - Agent selection accuracy > 95% achieved
 - Task completion rate > 99% maintained
 - Resource utilization optimal consistently
@@ -24,6 +26,7 @@ Agent organization checklist:
 - Team synergy maximized effectively
 
 Task decomposition:
+
 - Requirement analysis
 - Subtask identification
 - Dependency mapping
@@ -34,6 +37,7 @@ Task decomposition:
 - Success criteria
 
 Agent capability mapping:
+
 - Skill inventory
 - Performance metrics
 - Specialization areas
@@ -44,6 +48,7 @@ Agent capability mapping:
 - Workload capacity
 
 Team assembly:
+
 - Optimal composition
 - Skill coverage
 - Role assignment
@@ -54,6 +59,7 @@ Team assembly:
 - Timeline synchronization
 
 Orchestration patterns:
+
 - Sequential execution
 - Parallel processing
 - Pipeline patterns
@@ -64,6 +70,7 @@ Orchestration patterns:
 - Failover strategies
 
 Workflow design:
+
 - Process modeling
 - Data flow planning
 - Control flow design
@@ -74,6 +81,7 @@ Workflow design:
 - Result aggregation
 
 Agent selection criteria:
+
 - Capability matching
 - Performance history
 - Cost considerations
@@ -84,6 +92,7 @@ Agent selection criteria:
 - Backup selection
 
 Dependency management:
+
 - Task dependencies
 - Resource dependencies
 - Data dependencies
@@ -94,6 +103,7 @@ Dependency management:
 - Flow optimization
 
 Performance optimization:
+
 - Bottleneck identification
 - Load distribution
 - Parallel execution
@@ -104,6 +114,7 @@ Performance optimization:
 - Cost minimization
 
 Team dynamics:
+
 - Optimal team size
 - Skill complementarity
 - Communication overhead
@@ -114,6 +125,7 @@ Team dynamics:
 - Result integration
 
 Monitoring & adaptation:
+
 - Real-time tracking
 - Performance metrics
 - Anomaly detection
@@ -130,6 +142,7 @@ Monitoring & adaptation:
 Initialize agent organization by understanding task and team requirements.
 
 Organization context query:
+
 ```json
 {
   "requesting_agent": "agent-organizer",
@@ -149,6 +162,7 @@ Execute agent organization through systematic phases:
 Decompose and understand task requirements.
 
 Analysis priorities:
+
 - Task breakdown
 - Complexity assessment
 - Dependency identification
@@ -159,6 +173,7 @@ Analysis priorities:
 - Quality standards
 
 Task evaluation:
+
 - Parse requirements
 - Identify subtasks
 - Map dependencies
@@ -173,6 +188,7 @@ Task evaluation:
 Assemble and coordinate agent teams.
 
 Implementation approach:
+
 - Select agents
 - Assign roles
 - Setup communication
@@ -183,6 +199,7 @@ Implementation approach:
 - Optimize performance
 
 Organization patterns:
+
 - Capability-based selection
 - Load-balanced assignment
 - Redundant coverage
@@ -193,6 +210,7 @@ Organization patterns:
 - Result validation
 
 Progress tracking:
+
 ```json
 {
   "agent": "agent-organizer",
@@ -211,6 +229,7 @@ Progress tracking:
 Achieve optimal multi-agent coordination.
 
 Excellence checklist:
+
 - Tasks completed
 - Performance optimal
 - Resources efficient
@@ -224,6 +243,7 @@ Delivery notification:
 "Agent orchestration completed. Coordinated 12 agents across 47 tasks with 94% first-pass success rate. Average response time 3.2s with 67% resource utilization. Achieved 23% performance improvement through optimal team composition and workflow design."
 
 Team composition strategies:
+
 - Skill diversity
 - Redundancy planning
 - Communication efficiency
@@ -234,6 +254,7 @@ Team composition strategies:
 - Scalability design
 
 Workflow optimization:
+
 - Parallel execution
 - Pipeline efficiency
 - Resource sharing
@@ -244,6 +265,7 @@ Workflow optimization:
 - Result synthesis
 
 Dynamic adaptation:
+
 - Performance monitoring
 - Bottleneck detection
 - Agent reallocation
@@ -254,6 +276,7 @@ Dynamic adaptation:
 - Resource scaling
 
 Coordination excellence:
+
 - Clear communication
 - Efficient handoffs
 - Synchronized execution
@@ -264,6 +287,7 @@ Coordination excellence:
 - Continuous improvement
 
 Learning & improvement:
+
 - Performance analysis
 - Pattern recognition
 - Best practice extraction
@@ -274,6 +298,7 @@ Learning & improvement:
 - Knowledge base update
 
 Integration with other agents:
+
 - Collaborate with context-manager on information sharing
 - Support multi-agent-coordinator on execution
 - Work with task-distributor on load balancing

.claude/agents/artifacthub-headlamp.md

@@ -40,6 +40,7 @@ owners:
 ```
 
 **How to get the repositoryID:**
+
 1. Log into artifacthub.io
 2. Go to Control Panel → Repositories → Add
 3. Select repository kind: "Headlamp plugins"
@@ -99,6 +100,7 @@ annotations:                                   # CRITICAL — Headlamp-specific
 These annotations in `artifacthub-pkg.yml` are what make ArtifactHub treat the package as a Headlamp plugin:
 
 ### headlamp/plugin/archive-url
+
 **Required.** Direct download URL to the plugin tarball on GitHub Releases.
 
 Format: `https://github.com/<owner>/<repo>/releases/download/v<VERSION>/<pkgname>-<VERSION>.tar.gz`
@@ -108,6 +110,7 @@ Format: `https://github.com/<owner>/<repo>/releases/download/v<VERSION>/<pkgname
 - The tarball is uploaded as a GitHub Release asset — NOT to ArtifactHub
 
 ### headlamp/plugin/archive-checksum
+
 **Recommended.** SHA256 checksum of the tarball.
 
 Format: `sha256:<hex-digest>`
@@ -117,14 +120,17 @@ Generated via: `sha256sum <tarball> | awk '{print $1}'`
 Can be empty string if not yet computed (release workflow fills it in).
 
 ### headlamp/plugin/version-compat
+
 **Required.** Minimum Headlamp version the plugin works with.
 
 Format: `>=X.Y.Z` (e.g., `>=0.20.0`, `>=0.26`)
 
 ### headlamp/plugin/distro-compat
+
 **Required.** Comma-separated list of supported Headlamp deployment targets.
 
 Valid values:
+
 - `in-cluster` — Headlamp running inside a Kubernetes cluster
 - `web` — Web-based Headlamp deployment
 - `app` — Headlamp desktop application (Electron)
@@ -138,6 +144,7 @@ Example: `"in-cluster,web,app"`
 ## ArtifactHub Categories
 
 Valid `category` values for Headlamp plugins:
+
 - `security` — Secrets, RBAC, policy enforcement
 - `storage` — CSI drivers, persistent volumes, Ceph/Rook
 - `monitoring-logging` — Metrics, GPU monitoring, observability
@@ -148,7 +155,9 @@ Valid `category` values for Headlamp plugins:
 ## Optional Fields
 
 ### containersImages
+
 For plugins associated with a specific container/operator:
+
 ```yaml
 containersImages:
   - name: <component-name>
@@ -156,14 +165,18 @@ containersImages:
 ```
 
 ### recommendations
+
 Link to related ArtifactHub packages:
+
 ```yaml
 recommendations:
   - url: https://artifacthub.io/packages/helm/<repo>/<chart>
 ```
 
 ### install
+
 Custom installation instructions (markdown):
+
 ```yaml
 install: |
   ## Install via Headlamp Plugin Manager
@@ -171,6 +184,7 @@ install: |
 ```
 
 ### logoPath
+
 Path to a logo image file in the repo (relative to root).
 
 ---
@@ -196,6 +210,7 @@ This is the actual flow. There is NO other way to publish:
 ```
 
 **Key points:**
+
 - Steps 1-9 happen in your GitHub Actions workflow
 - Step 10 is entirely controlled by ArtifactHub — you cannot trigger it
 - The tarball lives on GitHub Releases, not ArtifactHub
@@ -233,6 +248,7 @@ The `<pkgname>` directory inside the tarball matches the `name` field from `pack
 ## Validating Metadata
 
 Before committing, check:
+
 1. `version` matches across `package.json` and `artifacthub-pkg.yml`
 2. `archive-url` version tag matches the `version` field
 3. `name` in `artifacthub-pkg.yml` matches `package.json` `name`

.claude/agents/headlamp-plugin-developer.md

@@ -99,6 +99,7 @@ class KubeObject<T extends KubeObjectInterface> {
 ### ResourceClasses
 
 All standard K8s resource types available (Secret, Namespace, Pod, etc.):
+
 ```typescript
 const [secrets, error, loading] = K8s.ResourceClasses.Secret.useList({ namespace: 'default' });
 const [secret, error] = K8s.ResourceClasses.Secret.useGet('my-secret', 'default');
@@ -127,6 +128,7 @@ ApiProxy.apiFactory(group, version, resource): ApiClient
 ```
 
 **Service proxy URL** (accessing in-cluster services):
+
 ```
 /api/v1/namespaces/${ns}/services/http:${name}:${port}/proxy${path}
 ```
@@ -146,6 +148,7 @@ From `@kinvolk/headlamp-plugin/lib/CommonComponents`:
 `PercentageBar` — bar chart with `data` array of `{ name, value, fill }`
 
 ### SimpleTable (non-obvious props)
+
 ```typescript
 <SimpleTable
   data={items}
@@ -158,6 +161,7 @@ From `@kinvolk/headlamp-plugin/lib/CommonComponents`:
 ```
 
 ### NameValueTable (non-obvious props)
+
 ```typescript
 <NameValueTable
   rows={[
@@ -168,6 +172,7 @@ From `@kinvolk/headlamp-plugin/lib/CommonComponents`:
 ```
 
 ### ConfigStore
+
 ```typescript
 import { ConfigStore } from '@kinvolk/headlamp-plugin/lib';
 const store = new ConfigStore<MyConfig>('plugin-name');
@@ -177,6 +182,7 @@ store.useConfig(): () => MyConfig;
 ```
 
 ### Pre-bundled (no package.json entry needed)
+
 react, react-dom, react-router-dom, @iconify/react, react-redux, @material-ui/core, @material-ui/styles, lodash, notistack, recharts, monaco-editor
 
 ---
@@ -264,6 +270,7 @@ vi.mock('@kinvolk/headlamp-plugin/lib/CommonComponents', () => ({
 Headlamp supports light and dark themes. **Never hardcode colors.** Use CSS custom properties with light-mode fallbacks:
 
 ### Required CSS variables for inline styles
+
 ```typescript
 // Text
 color: 'var(--mui-palette-text-primary)'
@@ -289,6 +296,7 @@ color: 'var(--link-color, #1976d2)'
 ```
 
 ### Common mistakes to avoid
+
 - **NEVER** use raw `#fff`, `#000`, `#333`, `#666` etc. without wrapping in `var(--mui-palette-*)`
 - **NEVER** use `rgba(0,0,0,0.5)` for overlays without a variable — this is the one exception where raw rgba is acceptable (backdrop overlays)
 - **NEVER** assume white backgrounds or dark text — always use `background-paper`/`text-primary`
@@ -296,6 +304,7 @@ color: 'var(--link-color, #1976d2)'
 - Fallback values after the comma are for environments where the variable isn't set — always use the light-mode default
 
 ### Form inputs in custom components
+
 ```typescript
 const inputStyle = {
   border: '1px solid var(--mui-palette-divider, #ccc)',

.claude/agents/multi-agent-coordinator.md

@@ -8,12 +8,14 @@ model: opus
 You are a senior multi-agent coordinator with expertise in orchestrating complex distributed workflows. Your focus spans inter-agent communication, task dependency management, parallel execution control, and fault tolerance with emphasis on ensuring efficient, reliable coordination across large agent teams.
 
 When invoked:
+
 1. Query context manager for workflow requirements and agent states
 2. Review communication patterns, dependencies, and resource constraints
 3. Analyze coordination bottlenecks, deadlock risks, and optimization opportunities
 4. Implement robust multi-agent coordination strategies
 
 Multi-agent coordination checklist:
+
 - Coordination overhead < 5% maintained
 - Deadlock prevention 100% ensured
 - Message delivery guaranteed thoroughly
@@ -24,6 +26,7 @@ Multi-agent coordination checklist:
 - Performance optimal consistently
 
 Workflow orchestration:
+
 - Process design
 - Flow control
 - State management
@@ -34,6 +37,7 @@ Workflow orchestration:
 - Result aggregation
 
 Inter-agent communication:
+
 - Protocol design
 - Message routing
 - Channel management
@@ -44,6 +48,7 @@ Inter-agent communication:
 - Backpressure handling
 
 Dependency management:
+
 - Dependency graphs
 - Topological sorting
 - Circular detection
@@ -54,6 +59,7 @@ Dependency management:
 - Race condition handling
 
 Coordination patterns:
+
 - Master-worker
 - Peer-to-peer
 - Hierarchical
@@ -64,6 +70,7 @@ Coordination patterns:
 - Consensus-based
 
 Parallel execution:
+
 - Task partitioning
 - Work distribution
 - Load balancing
@@ -74,6 +81,7 @@ Parallel execution:
 - Result merging
 
 Communication mechanisms:
+
 - Message passing
 - Shared memory
 - Event streams
@@ -84,6 +92,7 @@ Communication mechanisms:
 - Queue systems
 
 Resource coordination:
+
 - Resource allocation
 - Lock management
 - Semaphore control
@@ -94,6 +103,7 @@ Resource coordination:
 - Efficiency optimization
 
 Fault tolerance:
+
 - Failure detection
 - Timeout handling
 - Retry mechanisms
@@ -104,6 +114,7 @@ Fault tolerance:
 - Graceful degradation
 
 Workflow management:
+
 - DAG execution
 - State machines
 - Saga patterns
@@ -114,6 +125,7 @@ Workflow management:
 - Loop handling
 
 Performance optimization:
+
 - Bottleneck analysis
 - Pipeline optimization
 - Batch processing
@@ -130,6 +142,7 @@ Performance optimization:
 Initialize multi-agent coordination by understanding workflow needs.
 
 Coordination context query:
+
 ```json
 {
   "requesting_agent": "multi-agent-coordinator",
@@ -149,6 +162,7 @@ Execute multi-agent coordination through systematic phases:
 Design efficient coordination strategies.
 
 Analysis priorities:
+
 - Workflow mapping
 - Agent capabilities
 - Communication needs
@@ -159,6 +173,7 @@ Analysis priorities:
 - Optimization opportunities
 
 Workflow evaluation:
+
 - Map processes
 - Identify dependencies
 - Analyze communication
@@ -173,6 +188,7 @@ Workflow evaluation:
 Orchestrate complex multi-agent workflows.
 
 Implementation approach:
+
 - Setup communication
 - Configure workflows
 - Manage dependencies
@@ -183,6 +199,7 @@ Implementation approach:
 - Optimize performance
 
 Coordination patterns:
+
 - Efficient messaging
 - Clear dependencies
 - Parallel execution
@@ -193,6 +210,7 @@ Coordination patterns:
 - Continuous optimization
 
 Progress tracking:
+
 ```json
 {
   "agent": "multi-agent-coordinator",
@@ -211,6 +229,7 @@ Progress tracking:
 Achieve seamless multi-agent collaboration.
 
 Excellence checklist:
+
 - Workflows smooth
 - Communication efficient
 - Dependencies resolved
@@ -224,6 +243,7 @@ Delivery notification:
 "Multi-agent coordination completed. Orchestrated 87 agents processing 234K messages/minute with 94% workflow completion rate. Achieved 96% coordination efficiency with zero deadlocks and 99.9% message delivery guarantee."
 
 Communication optimization:
+
 - Protocol efficiency
 - Message batching
 - Compression strategies
@@ -234,6 +254,7 @@ Communication optimization:
 - Queue management
 
 Dependency resolution:
+
 - Graph algorithms
 - Priority scheduling
 - Resource allocation
@@ -244,6 +265,7 @@ Dependency resolution:
 - Bottleneck removal
 
 Fault handling:
+
 - Failure detection
 - Isolation strategies
 - Recovery procedures
@@ -254,6 +276,7 @@ Fault handling:
 - Graceful degradation
 
 Scalability patterns:
+
 - Horizontal scaling
 - Vertical partitioning
 - Load distribution
@@ -264,6 +287,7 @@ Scalability patterns:
 - Cluster coordination
 
 Performance tuning:
+
 - Latency analysis
 - Throughput optimization
 - Resource utilization
@@ -274,6 +298,7 @@ Performance tuning:
 - I/O optimization
 
 Integration with other agents:
+
 - Collaborate with agent-organizer on team assembly
 - Support context-manager on state synchronization
 - Work with workflow-orchestrator on process execution

.github/workflows/dual-approval.yaml

@@ -0,0 +1,20 @@
+name: Dual Approval (CTO + QA)
+
+# Calls the shared dual-approval-check workflow.
+# Passes when both privilegedescalation-cto and privilegedescalation-qa
+# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks
+# in branch protection to enforce this gate.
+
+on:
+  pull_request_review:
+    types: [submitted, dismissed]
+  pull_request:
+    branches: [main]
+    types: [opened, reopened, synchronize]
+
+jobs:
+  dual-approval:
+    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
+    secrets: inherit
+    with:
+      pr_number: ${{ github.event.pull_request.number }}

.github/workflows/e2e.yaml

@@ -7,63 +7,61 @@ on:
     branches: [main]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+# Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
+# privilegedescalation-dev cannot be shared across concurrent runs.
+# cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
+# runs may skip the if: always() teardown, leaving dangling cluster resources.
+concurrency:
+  group: e2e-${{ github.repository }}
+  cancel-in-progress: false
+
+env:
+  E2E_NAMESPACE: privilegedescalation-dev
+  E2E_RELEASE: headlamp-e2e
+  # Pin to a known-good Headlamp version. Using :latest is risky because
+  # the tag can change between CI runs, causing flaky failures when a newer
+  # image is pulled on some nodes but not others (IfNotPresent pull policy).
+  # Update this when Headlamp is upgraded in production (kube-system).
+  HEADLAMP_VERSION: v0.40.1
+
 jobs:
   e2e:
-    runs-on: local-ubuntu-latest
+    runs-on: runners-privilegedescalation
     timeout-minutes: 15
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: '22'
           cache: 'npm'
 
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v4
+
       - name: Install dependencies
         run: npm ci
 
-      - name: Preflight — verify Headlamp and plugin version
-        env:
-          HEADLAMP_URL: ${{ secrets.HEADLAMP_URL || 'http://headlamp.kube-system.svc.cluster.local' }}
+      - name: Build plugin
+        run: npx @kinvolk/headlamp-plugin build
+
+      - name: Deploy E2E Headlamp instance
+        run: scripts/deploy-e2e-headlamp.sh
+
+      - name: Load E2E environment
         run: |
-          EXPECTED=$(node -p "require('./package.json').version")
-          PLUGIN_NAME=$(node -p "require('./package.json').artifacthub?.name || require('./package.json').name")
-          echo "Expected: $PLUGIN_NAME@$EXPECTED"
-
-          # Check Headlamp connectivity
-          HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 10 "$HEADLAMP_URL" || true)
-          if [ "$HTTP_CODE" = "000" ]; then
-            echo "::error::Cannot reach Headlamp at $HEADLAMP_URL"
+          if [ -f .env.e2e ]; then
+            cat .env.e2e >> "$GITHUB_ENV"
+          else
+            echo "::error::deploy-e2e-headlamp.sh did not produce .env.e2e"
             exit 1
           fi
-          echo "Headlamp responded HTTP $HTTP_CODE"
-
-          # Check installed plugins and version match
-          PLUGIN_JSON=$(curl -sf --connect-timeout 10 "$HEADLAMP_URL/plugins" 2>/dev/null || echo "[]")
-          node -e "
-            const expected = '$EXPECTED';
-            const pluginName = '$PLUGIN_NAME';
-            const plugins = JSON.parse(process.argv[1]);
-            console.log('Installed plugins:');
-            for (const p of plugins) console.log('  ' + p.name + '@' + (p.version||'unknown'));
-            const ours = plugins.find(p => p.name === pluginName || p.name === 'polaris' || p.name.includes('polaris'));
-            if (!ours) {
-              console.log('::warning::Plugin ' + pluginName + ' not found in Headlamp — data-dependent tests will fail');
-            } else {
-              console.log('Found plugin: ' + ours.name + ' at path ' + ours.path);
-            }
-          " "$PLUGIN_JSON"
-
-          # Fetch deployed plugin version from package.json
-          DEPLOYED_VERSION=$(curl -sf --connect-timeout 10 "$HEADLAMP_URL/plugins/$PLUGIN_NAME/package.json" 2>/dev/null \
-            | node -p "JSON.parse(require('fs').readFileSync(0,'utf8')).version" 2>/dev/null || echo "unknown")
-          echo "Deployed version: $DEPLOYED_VERSION"
-          if [ "$DEPLOYED_VERSION" != "$EXPECTED" ] && [ "$DEPLOYED_VERSION" != "unknown" ]; then
-            echo "::warning::Version mismatch — repo has $EXPECTED but Headlamp runs $DEPLOYED_VERSION. Tests may fail due to stale plugin."
-          fi
 
       - name: Install Playwright browsers
         run: npx playwright install --with-deps chromium
@@ -71,13 +69,25 @@ jobs:
       - name: Run E2E tests
         run: npm run e2e
         env:
-          HEADLAMP_URL: ${{ secrets.HEADLAMP_URL || 'http://headlamp.kube-system.svc.cluster.local' }}
-          HEADLAMP_TOKEN: ${{ secrets.HEADLAMP_TOKEN }}
-          AUTHENTIK_USERNAME: ${{ secrets.AUTHENTIK_USERNAME }}
-          AUTHENTIK_PASSWORD: ${{ secrets.AUTHENTIK_PASSWORD }}
+          HEADLAMP_URL: ${{ env.HEADLAMP_URL }}
+          HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }}
+
+      - name: Collect deployment diagnostics on failure
+        if: failure()
+        run: |
+          echo "=== Pod state ==="
+          kubectl get pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
+          echo "=== Pod describe ==="
+          kubectl describe pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
+          echo "=== Recent namespace events ==="
+          kubectl get events -n "$E2E_NAMESPACE" --sort-by='.lastTimestamp' 2>&1 | tail -20 || true
+
+      - name: Teardown E2E instance
+        if: always()
+        run: scripts/teardown-e2e-headlamp.sh
 
       - name: Upload Playwright report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         if: failure()
         with:
           name: playwright-report
@@ -85,7 +95,7 @@ jobs:
           retention-days: 7
 
       - name: Upload test results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
         if: failure()
         with:
           name: test-results

.github/workflows/release.yaml

@@ -15,6 +15,9 @@ permissions:
 jobs:
   release:
     uses: privilegedescalation/.github/.github/workflows/plugin-release.yaml@main
+    secrets:
+      RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
+      RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
     with:
       version: ${{ inputs.version }}
       upstream-repo: 'FairwindsOps/polaris'

.gitignore

@@ -6,5 +6,6 @@ e2e/.auth/
 test-results/
 .playwright-mcp/
 .env
+.env.e2e
 .env.local
 .eslintcache

.markdownlint-cli2.jsonc

@@ -0,0 +1,20 @@
+{
+  "config": {
+    // Line length — not enforced for docs with code examples
+    "MD013": false,
+    // First line heading — files use YAML frontmatter, not headings
+    "MD041": false,
+    // Emphasis as heading — common pattern for Option 1/2/3 sections
+    "MD036": false,
+    // No duplicate heading — changelog files repeat section names intentionally
+    "MD024": false,
+    // Fenced code language — not always applicable for diagram blocks
+    "MD040": false,
+    // Table column style — table alignment is visual, not semantic
+    "MD060": false,
+    // Ordered list item prefix — number resets are intentional in documents
+    "MD029": false,
+    // No inline HTML — each elements are valid in valid Markdown
+    "MD033": false
+  }
+}

CHANGELOG.md

@@ -7,15 +7,46 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.0] - 2026-03-22
+
+First stable release. The plugin API (routes, sidebar entries, settings schema, and app bar action) is
+now frozen — no breaking changes without a new major version.
+
+### Security
+
+- Patched 8 of 9 npm audit vulnerabilities via `pnpm.overrides` (#92)
+
+### Added
+
+- **Dual-approval CI check**: PRs now require approval from both CTO and QA before merging (#98, #76)
+- **ExemptionManager test suite**: Full coverage of annotation-based exemption flows, exemption creation, and inline feedback (#82)
+- **RBAC preflight check**: `deploy-e2e-headlamp.sh` now verifies runner RBAC before attempting E2E deploy (#80)
+
+### Fixed
+
+- **E2E infrastructure overhaul**: Replaced Dockerfile.e2e with ConfigMap volume mount for plugin loading; tests now run in the `privilegedescalation-dev` namespace (#73, #89, #94)
+- **E2E token auth**: Workflow uses GitHub App token auth and handles the `/token` redirect correctly (#97)
+- **E2E HTTP readiness**: `deploy-e2e-headlamp.sh` waits for HTTP reachability after rollout before running tests (#104)
+- **E2E runner label**: Updated to `runners-privilegedescalation` for self-hosted ARC runners (#71)
+- **Direct devDependencies**: Added `typescript`, `eslint`, `prettier`, and `@headlamp-k8s/eslint-config` as explicit direct devDependencies to prevent phantom-dep failures in clean installs (#95, #102)
+
+### Changed
+
+- **pnpm version pinned**: `packageManager` field in `package.json` pins the pnpm version used in CI (#103)
+- **GitHub Actions SHA pinning**: Renovate `pinDigests` enabled to SHA-pin all GitHub Actions (#105)
+- **ArtifactHub metadata polish**: Improved `install` instructions and `changes` section formatting (#82)
+
 ## [0.6.0] - 2026-03-04
 
 ### Fixed
+
 - **ExemptionManager apiVersion bug**: `apps` and `batch` resources now correctly use `/apis/{group}/v1/` instead of the broken `/api/v1/` path
 - **Strict TypeScript**: Replaced `resource: any` in InlineAuditSection with proper `KubeResource` interface
 - **PolarisDataContext test mock**: Added missing `triggerRefresh` to mock, preventing silent `undefined` for `refresh` in context
 - **DashboardView test**: Fixed `SimpleTable` mock that used `Array<any>` and didn't exercise column getters
 
 ### Changed
+
 - **Dark mode / theming**: Replaced all `var(--mui-palette-*)` CSS variables with `useTheme()` + `theme.palette.*` across all components (DashboardView, NamespacesListView, InlineAuditSection, ExemptionManager, PolarisSettings, AppBarScoreBadge)
 - **Namespace drawer**: Replaced custom `<style>` block + positioned `<div>` with MUI `Drawer` component for proper accessibility (`role="dialog"`, `aria-modal`, Escape key handling via MUI)
 - **AppBarScoreBadge**: Uses `theme.palette.success/warning/error` with proper `contrastText` instead of hardcoded hex colors
@@ -23,6 +54,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **URL construction**: Exported `getPolarisApiPath` and `isFullUrl` from `polaris.ts`; PolarisSettings now reuses them instead of duplicating logic
 
 ### Added
+
 - **Error boundaries**: All registered components (routes, detail sections, app bar action) wrapped in `PolarisErrorBoundary` for graceful error rendering
 - **Tests for InlineAuditSection** (7 tests): loading, unsupported kind, not found, score/summary, failing checks, link, exemption manager
 - **Tests for AppBarScoreBadge** (6 tests): loading, no data, score colors, navigation, aria-label
@@ -30,6 +62,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Tests for checkMapping.ts** (11 tests): name/description/category/severity lookups, unknown checks, CHECK_MAPPING structure validation
 
 ### Removed
+
 - **NamespaceDetailView.tsx**: Dead code with no registered route (replaced by drawer in NamespacesListView)
 - **NamespaceDetailView.test.tsx**: Tests for removed component
 - **MockPolarisProvider in test-utils.tsx**: Unused mock provider (tests use `vi.mock` instead)
@@ -38,9 +71,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [0.3.5] - 2026-02-12
 
 ### Fixed
+
 - Fixed drawer background remaining white in dark mode by using correct CSS variable (`--mui-palette-background-default`)
 
 ### Documentation
+
 - Added comprehensive Priority 2 documentation (ARCHITECTURE.md, DEPLOYMENT.md, SECURITY.md)
 - Added CONTRIBUTING.md with development workflow, branching strategy, and code style guidelines
 - Added complete CHANGELOG.md documenting all releases from v0.0.1 to current
@@ -48,17 +83,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [0.3.4] - 2026-02-12
 
 ### Fixed
+
 - Removed all `@mui/material` and `@mui/icons-material` imports causing plugin load failure
 - Fixed plugin settings page registration (changed name from 'polaris' to 'headlamp-polaris-plugin')
 - Added dark mode support using MUI CSS variables for proper theme adaptation
 - Resolved TypeScript compilation errors in plugin registration calls
 
 ### Changed
+
 - Replaced all MUI components with standard HTML elements and inline styles
 - Updated `registerDetailsViewSection` and `registerAppBarAction` to match Headlamp plugin API v0.13.0
 - App bar badge, settings buttons, and UI elements now use theme-aware CSS variables
 
 ### Infrastructure
+
 - Added CI workflow for lint, type-check, build, and test
 - Enhanced E2E testing documentation with comprehensive guides
 - Added documentation-engineer subagent
@@ -66,24 +104,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [0.3.3] - 2026-02-12
 
 ### Fixed
+
 - Corrected plugin settings registration name to match package.json
 - Added displaySaveButton parameter to settings registration
 
 ## [0.3.2] - 2026-02-12
 
 ### Fixed
+
 - Removed all MUI dependencies to fix plugin loading in Headlamp v0.39.0+
 - Plugin now loads correctly in sidebar and routes
 
 ## [0.3.1] - 2026-02-12
 
 ### Fixed
+
 - TypeScript compilation errors in `registerDetailsViewSection` and `registerAppBarAction` calls
 - Test failures in DashboardView (added missing SimpleTable mock)
 
 ## [0.3.0] - 2026-02-11
 
 ### Added
+
 - App bar badge displaying cluster Polaris score
 - Inline audit sections in resource detail views (Deployment, StatefulSet, DaemonSet, Job, CronJob)
 - Exemption management UI (view/add exemptions via annotations)
@@ -92,33 +134,39 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Namespace drawer navigation with URL hash support
 
 ### Changed
+
 - Migrated namespace detail to right-side drawer panel
 - Improved drawer keyboard navigation (Escape to close)
 - Enhanced settings page with connection testing
 
 ### Fixed
+
 - Empty namespace crash handling
 - Drawer navigation pattern for better UX
 
 ## [0.2.5] - 2025-12-XX
 
 ### Fixed
+
 - Improved theming and settings visibility
 
 ## [0.2.4] - 2025-12-XX
 
 ### Changed
+
 - Increased namespace detail panel width to 1000px for better readability
 
 ## [0.2.3] - 2025-12-XX
 
 ### Added
+
 - Full URL support for custom Polaris dashboards
 - Support for external Polaris instances (not just service proxy)
 
 ## [0.2.2] - 2025-12-XX
 
 ### Added
+
 - Configurable Polaris dashboard URL setting
 - Settings page for plugin configuration
 - Refresh interval configuration
@@ -126,136 +174,161 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [0.2.1] - 2025-12-XX
 
 ### Infrastructure
+
 - Migrated to GitHub as primary repository
 - Fixed v0.2.0 checksum in ArtifactHub metadata
 
 ## [0.2.0] - 2025-12-XX
 
 ### Added
+
 - Namespace drawer navigation
 - URL hash-based routing for namespaces
 - Keyboard shortcuts (Escape to close drawer)
 
 ### Infrastructure
+
 - GitHub release automation
 - Improved CI/CD workflow
 
 ## [0.1.7] - 2025-11-XX
 
 ### Documentation
+
 - Removed incorrect development installation instructions
 
 ## [0.1.6] - 2025-11-XX
 
 ### Fixed
+
 - Plugin settings display name changed to "Polaris"
 
 ### Documentation
+
 - Added tooltip to skipped count explaining limitation
 - Documented skipped count limitation in README
 
 ## [0.1.5] - 2025-11-XX
 
 ### Fixed
+
 - Restored `:80` port in service proxy URL for correct dashboard access
 
 ## [0.1.4] - 2025-11-XX
 
 ### Added
+
 - Playwright E2E smoke tests
 - Test coverage for sidebar, overview, namespaces, and detail views
 
 ### Fixed
+
 - Empty namespace crash (graceful handling)
 - Removed `:80` port suffix from service proxy URL for RBAC compatibility
 
 ## [0.1.3] - 2025-11-XX
 
 ### Fixed
+
 - Service proxy URL format for consistent RBAC requirements
 
 ## [0.1.2] - 2025-11-XX
 
 ### Added
+
 - Namespace filtering and sorting
 - Enhanced resource table in namespace detail view
 
 ## [0.1.1] - 2025-11-XX
 
 ### Fixed
+
 - Score calculation for resources with mixed results
 - Percentage display formatting
 
 ## [0.1.0] - 2025-11-XX
 
 ### Added
+
 - Namespace detail view with resource-level audit results
 - Drill-down navigation from namespace list
 
 ### Changed
+
 - Improved data fetching with error handling
 - Better loading states
 
 ## [0.0.10] - 2025-11-XX
 
 ### Fixed
+
 - **RBAC Documentation:** Corrected to use `services/proxy` permission instead of ConfigMap access
 
 ### Documentation
+
 - Updated README with accurate RBAC requirements
 - Added minimal Role example
 
 ## [0.0.9] - 2025-11-XX
 
 ### Added
+
 - Refresh button for manual data reload
 - Last updated timestamp display
 
 ## [0.0.8] - 2025-11-XX
 
 ### Added
+
 - Skipped checks display in check summary
 - Improved check categorization (pass/warning/danger/skipped)
 
 ## [0.0.7] - 2025-11-XX
 
 ### Changed
+
 - Enhanced overview dashboard layout
 - Better visual hierarchy for cluster score
 
 ## [0.0.6] - 2025-11-XX
 
 ### Added
+
 - Namespace list view with per-namespace scores
 - Navigation between overview and namespace views
 
 ## [0.0.5] - 2025-11-XX
 
 ### Fixed
+
 - Data fetching error handling
 - API proxy path configuration
 
 ## [0.0.4] - 2025-11-XX
 
 ### Added
+
 - Check distribution visualization
 - Pass/Warning/Danger count display
 
 ## [0.0.3] - 2025-11-XX
 
 ### Changed
+
 - Improved cluster score calculation
 - Better result aggregation logic
 
 ## [0.0.2] - 2025-11-XX
 
 ### Added
+
 - Cluster score display
 - Basic check summary table
 
 ## [0.0.1] - 2025-10-XX
 
 ### Added
+
 - Initial release
 - Basic Polaris plugin structure
 - Sidebar entry "Polaris"
@@ -265,12 +338,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - React components using Headlamp CommonComponents
 
 ### Infrastructure
+
 - GitHub repository setup
 - ArtifactHub package registration
 - Automated release workflow
 - Basic CI/CD pipeline
 
-[Unreleased]: https://github.com/privilegedescalation/headlamp-polaris-plugin/compare/v0.6.0...HEAD
+[Unreleased]: https://github.com/privilegedescalation/headlamp-polaris-plugin/compare/v1.0.0...HEAD
+[1.0.0]: https://github.com/privilegedescalation/headlamp-polaris-plugin/compare/v0.7.2...v1.0.0
 [0.6.0]: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/tag/v0.6.0
 [0.3.5]: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/tag/v0.3.5
 [0.3.4]: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/tag/v0.3.4

CLAUDE.md

@@ -33,7 +33,7 @@ All tests and `tsc` must pass before committing.
 
 ## Architecture
 
-```
+```text
 src/
 ├── index.tsx                           # Plugin entry: registerRoute, registerSidebarEntry, registerDetailsViewSection, registerAppBarAction, registerPluginSettings; PolarisErrorBoundary
 ├── test-utils.tsx                      # Shared test fixtures (makeResult, makeAuditData)
@@ -73,9 +73,10 @@ Data is fetched via `ApiProxy.request` to the Polaris dashboard service proxy an
 ## Testing
 
 Mock pattern for headlamp APIs:
+
 ```typescript
 vi.mock('@kinvolk/headlamp-plugin/lib', () => ({
   ApiProxy: { request: vi.fn().mockResolvedValue({}) },
   K8s: { ResourceClasses: {} },
 }));
-```
+```

CONTEXT.md

@@ -83,6 +83,7 @@ import { Box, Chip } from '@mui/material';
 ### Headlamp Component Issues
 
 1. **StatusLabel with empty status**
+
    ```typescript
    // ❌ Renders near-invisible (muted background)
    <StatusLabel status="">{value}</StatusLabel>
@@ -92,6 +93,7 @@ import { Box, Chip } from '@mui/material';
    ```
 
 2. **Link component crashes on plugin routes**
+
    ```typescript
    // ❌ Headlamp Link crashes on plugin-registered routes
    import { Link } from '@kinvolk/headlamp-plugin/lib/CommonComponents';
@@ -210,6 +212,7 @@ npm run format:check
 ### Commit Convention
 
 Use Conventional Commits:
+
 - `feat:` - New feature
 - `fix:` - Bug fix
 - `docs:` - Documentation only
@@ -220,6 +223,7 @@ Use Conventional Commits:
 ### PR Process
 
 All PRs must pass:
+
 1. Build (`npm run build`)
 2. Lint (`npm run lint`)
 3. Type-check (`npm run tsc`)
@@ -276,6 +280,7 @@ npm run e2e
 ### CI Workflow (`.github/workflows/ci.yaml`)
 
 Runs on push to main and all PRs:
+
 1. Checkout
 2. `npm ci`
 3. `npm run build`
@@ -289,6 +294,7 @@ Runner: `local-ubuntu-latest`
 ### E2E Workflow (`.github/workflows/e2e.yaml`)
 
 Runs on push, PR, and manual trigger:
+
 1. Checkout
 2. `npm ci`
 3. `npm run e2e`
@@ -306,6 +312,7 @@ gh workflow run release.yaml -f version=0.4.2
 ```
 
 Steps:
+
 1. Validate version format (semver)
 2. Bump `package.json` + `artifacthub-pkg.yml`
 3. Build plugin
@@ -323,6 +330,7 @@ Steps:
 ### Version Bump Requirements
 
 **ALWAYS bump both files in the same commit**:
+
 - `package.json` - `version` field
 - `artifacthub-pkg.yml` - `version` field + `digest` (checksum) + `archive.url`
 
@@ -331,12 +339,14 @@ Steps:
 ### ⚠️ Headlamp v0.39.0 Known Issues
 
 **AutoSizer JavaScript Error**
+
 - **Symptom**: Console shows `TypeError: undefined is not an object (evaluating 'io.AutoSizer')`
 - **Impact**: Cosmetic error in Settings page, doesn't break functionality
 - **Root Cause**: Headlamp core bug, not plugin-related
 - **Workaround**: None needed, can be ignored
 
 **Plugin Loading (RESOLVED)**
+
 - **Old Issue**: Previously thought `config.watchPlugins: false` was required
 - **Resolution**: Plugins load correctly with default `watchPlugins: true`
 - **Note**: If you see old docs mentioning `watchPlugins: false`, ignore them
@@ -344,28 +354,34 @@ Steps:
 ### Polaris Dashboard Behavior
 
 **Stale Audit Data**
+
 - **Symptom**: Plugin shows old audit timestamp
 - **Root Cause**: Polaris dashboard runs audit once at pod startup, then caches results
 - **Does NOT**: Continuously re-audit in real-time
 - **Workaround**: Restart Polaris pods for fresh data
+
   ```bash
   kubectl rollout restart deployment -n polaris polaris-dashboard
   ```
+
 - **Load Balancing**: Service balances across multiple pods - each may have different audit timestamps
 - **Plugin Auto-Refresh**: Works correctly - just fetches whatever Polaris currently has cached
 
 ### Skipped Count Limitation
 
 **What It Shows**:
+
 - Only checks with `Severity: "ignore"` in Polaris API response
 - Does NOT include annotation-based exemptions (`polaris.fairwinds.com/*-exempt`)
 
 **Why**:
+
 - Polaris omits exempted checks from `results.json`
 - Plugin has no access to raw K8s resources to compute exemptions
 - By design: service proxy limitation
 
 **Workaround**:
+
 - Link to native Polaris dashboard for full exemption count
 - UI tooltip explains this limitation
 

CONTRIBUTING.md

@@ -18,6 +18,7 @@ Thank you for your interest in contributing to the Headlamp Polaris Plugin! This
 ## Code of Conduct
 
 This project follows a standard code of conduct:
+
 - Be respectful and inclusive
 - Welcome newcomers and help them get started
 - Focus on constructive feedback
@@ -35,23 +36,27 @@ This project follows a standard code of conduct:
 ### Development Setup
 
 1. **Fork and clone the repository:**
+
    ```bash
    git clone https://github.com/YOUR_USERNAME/headlamp-polaris-plugin.git
    cd headlamp-polaris-plugin
    ```
 
 2. **Install dependencies:**
+
    ```bash
    npm install
    ```
 
 3. **Start development mode:**
+
    ```bash
    npm start
    # Plugin will be available at http://localhost:4466
    ```
 
 4. **Run tests:**
+
    ```bash
    # Unit tests
    npm test
@@ -61,6 +66,7 @@ This project follows a standard code of conduct:
    ```
 
 5. **Build the plugin:**
+
    ```bash
    npm run build
    ```
@@ -79,18 +85,21 @@ This project follows a standard code of conduct:
 ### Local Testing
 
 **Option 1: Development Mode**
+
 ```bash
 npm start
 # Opens Headlamp at http://localhost:4466 with hot reload
 ```
 
 **Option 2: Production Build**
+
 ```bash
 npm run build
 # Plugin bundle created in dist/
 ```
 
 **Option 3: E2E Testing**
+
 ```bash
 # Set up environment (see e2e/README.md)
 export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system --duration=24h)
@@ -116,6 +125,7 @@ npm run e2e
   - Chores: `chore/description`
 
 **Examples:**
+
 ```bash
 feat/add-exemption-support
 fix/dark-mode-theme-colors
@@ -127,16 +137,19 @@ chore/upgrade-dependencies
 ### Branching Rules
 
 **✅ ALWAYS use feature branches for:**
+
 - Code changes (new features, bug fixes, refactors)
 - Test updates
 - CI/CD workflow changes
 - Package updates
 
 **✅ MAY push directly to main for:**
+
 - Documentation-only changes (README.md, CLAUDE.md, comments)
 - Version bump commits (`package.json` + `artifacthub-pkg.yml`)
 
 **❌ NEVER push directly to main for:**
+
 - Any code changes to `src/`
 - Test file changes
 - Workflow changes
@@ -206,6 +219,7 @@ Co-Authored-By: Happy <yesreply@happy.engineering>
 ### Before Creating a PR
 
 1. **Run all checks locally:**
+
    ```bash
    npm run build      # Verify build succeeds
    npm run lint       # Check for linting errors
@@ -227,6 +241,7 @@ Co-Authored-By: Happy <yesreply@happy.engineering>
 ### Creating a PR
 
 1. **Push your branch:**
+
    ```bash
    git push origin feat/your-feature
    ```
@@ -237,6 +252,7 @@ Co-Authored-By: Happy <yesreply@happy.engineering>
    - Link related issues with `Fixes #123` or `Closes #456`
 
 3. **PR Title Format:**
+
    ```
    feat: add exemption management UI
    fix: correct score calculation for skipped checks
@@ -299,12 +315,14 @@ npm run format:check
 ### Import Organization
 
 Imports are automatically sorted by eslint. Order:
+
 1. React imports
 2. Third-party libraries
 3. Headlamp plugin imports
 4. Local imports (components, API, types)
 
 Example:
+
 ```typescript
 import React from 'react';
 import { SectionBox, StatusLabel } from '@kinvolk/headlamp-plugin/lib/CommonComponents';
@@ -330,6 +348,7 @@ import { computeScore } from '../api/polaris';
 - Use descriptive test names
 
 Example:
+
 ```typescript
 describe('countResults', () => {
   it('counts passing, warning, and danger results correctly', () => {
@@ -371,14 +390,17 @@ npm run e2e:headed
 When making changes, update relevant documentation:
 
 #### Code Changes
+
 - **README.md:** User-facing features, installation, configuration
 - **CLAUDE.md:** Architecture, constraints, MCP integrations
 - **JSDoc:** All public APIs, components, hooks
 
 #### Test Changes
+
 - **e2e/README.md:** New test scenarios or setup changes
 
 #### Build/CI Changes
+
 - **README.md:** Build commands, release process
 - **.github/workflows/*.yaml:** Workflow comments
 
@@ -405,6 +427,7 @@ export function countResults(data: AuditData): ResultCounts {
 ### Version Numbering
 
 We follow [Semantic Versioning](https://semver.org/):
+
 - **Major (1.0.0):** Breaking changes
 - **Minor (0.1.0):** New features, backward compatible
 - **Patch (0.0.1):** Bug fixes, backward compatible
@@ -416,6 +439,7 @@ We follow [Semantic Versioning](https://semver.org/):
 1. **Merge feature PRs to main**
 
 2. **Bump version:**
+
    ```bash
    # Edit package.json and artifacthub-pkg.yml
    # Update version and archive-url
@@ -425,6 +449,7 @@ We follow [Semantic Versioning](https://semver.org/):
    ```
 
 3. **Create and push tag:**
+
    ```bash
    git tag vX.Y.Z
    git push origin vX.Y.Z
@@ -441,6 +466,7 @@ We follow [Semantic Versioning](https://semver.org/):
 ### Pre-release Versions
 
 For testing before stable release:
+
 - Use `-dev.N` suffix: `v0.3.5-dev.1`
 - Follow same process as stable releases
 - Mark as "pre-release" on GitHub

PROJECT_ASSESSMENT.md

@@ -13,10 +13,12 @@ This assessment identifies critical issues and improvement opportunities for the
 ## 🔴 Critical Issues (Must Fix Immediately)
 
 ### 1. TypeScript Compilation Errors
+
 **Severity:** CRITICAL
 **Impact:** Build failures, type safety compromised
 
 **Issues:**
+
 - `src/index.tsx:72` - `registerDetailsViewSection` expects 1 argument, got 2
 - `src/index.tsx:87` - `registerAppBarAction` expects 1 argument, got 2
 
@@ -24,6 +26,7 @@ This assessment identifies critical issues and improvement opportunities for the
 Update Headlamp plugin API calls to match the current version. Check @kinvolk/headlamp-plugin version compatibility.
 
 **Action Items:**
+
 - [ ] Review Headlamp plugin API documentation
 - [ ] Update `registerDetailsViewSection` and `registerAppBarAction` calls
 - [ ] Run `npm run tsc` to verify fixes
@@ -32,6 +35,7 @@ Update Headlamp plugin API calls to match the current version. Check @kinvolk/he
 ---
 
 ### 2. Production Plugin Loading Failure
+
 **Severity:** CRITICAL
 **Impact:** Plugin is completely non-functional in production
 
@@ -39,11 +43,13 @@ Update Headlamp plugin API calls to match the current version. Check @kinvolk/he
 Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugins as "development directory" plugins, preventing frontend JavaScript execution.
 
 **Current Status:**
+
 - Deployment patched to install plugins to `/headlamp/static-plugins`
 - `watchPlugins: false` configured
 - Waiting for user to test if plugins now load
 
 **Action Items:**
+
 - [ ] Confirm plugins load after recent deployment changes
 - [ ] Document the fix in deployment guide
 - [ ] Update MEMORY.md with final resolution
@@ -52,15 +58,18 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ---
 
 ### 3. Test Failures
+
 **Severity:** HIGH
 **Impact:** CI failures, reduced confidence in changes
 
 **Current Status:**
+
 - 1 test file failing (DashboardView)
 - 49 tests passing
 - Error related to `SimpleTable` component mock
 
 **Action Items:**
+
 - [ ] Fix DashboardView test mocking
 - [ ] Ensure all tests pass before merging PRs
 - [ ] Add test for top issues feature
@@ -71,16 +80,19 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ## 🟡 High Priority Improvements
 
 ### 4. Type Safety Enhancements
+
 **Severity:** HIGH
 **Impact:** Better developer experience, catch errors earlier
 
 **Recommendations:**
+
 - Enable stricter TypeScript checks in `tsconfig.json`
 - Add type definitions for all Headlamp plugin APIs
 - Ensure no `any` types in production code
 - Add JSDoc comments for complex types
 
 **Action Items:**
+
 - [ ] Audit codebase for `any` types
 - [ ] Enable `noImplicitAny` and `strictNullChecks`
 - [ ] Add type guards for API responses
@@ -89,21 +101,25 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ---
 
 ### 5. Security Hardening
+
 **Severity:** HIGH
 **Impact:** Prevent vulnerabilities, protect user data
 
 **Current Risks:**
+
 - Direct Kubernetes API access via service proxy
 - User input in exemption annotations (potential injection)
 - External URL configuration for Polaris dashboard
 
 **Recommendations:**
+
 - Validate and sanitize all user inputs
 - Implement input validation for dashboard URL
 - Add CSRF protection for exemption management
 - Audit dependencies for known vulnerabilities
 
 **Action Items:**
+
 - [ ] Add input validation utilities
 - [ ] Sanitize exemption annotation values
 - [ ] Validate URL format for dashboard configuration
@@ -113,21 +129,25 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ---
 
 ### 6. Error Handling & User Experience
+
 **Severity:** MEDIUM
 **Impact:** Better error messages, improved debugging
 
 **Current Gaps:**
+
 - Generic error messages don't help users troubleshoot
 - No retry logic for transient API failures
 - Missing loading states in some components
 
 **Recommendations:**
+
 - Provide specific, actionable error messages
 - Implement retry logic with exponential backoff
 - Add loading skeletons for all async operations
 - Show connection test results with specific failure reasons
 
 **Action Items:**
+
 - [ ] Create error message constants with solutions
 - [ ] Add retry logic to API calls
 - [ ] Implement loading skeletons
@@ -138,21 +158,25 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ## 🟢 Medium Priority Enhancements
 
 ### 7. Testing Coverage
+
 **Severity:** MEDIUM
 **Impact:** Confidence in changes, regression prevention
 
 **Current Coverage:**
+
 - Unit tests: Good coverage for API utilities
 - Component tests: Some coverage, gaps exist
 - E2E tests: Minimal (Playwright configured but underutilized)
 
 **Recommendations:**
+
 - Add E2E tests for critical user flows
 - Test error scenarios and edge cases
 - Add visual regression tests
 - Test RBAC permission denied scenarios
 
 **Action Items:**
+
 - [ ] Write E2E test for complete audit workflow
 - [ ] Add tests for error states
 - [ ] Test exemption management flow
@@ -161,16 +185,19 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ---
 
 ### 8. Performance Optimization
+
 **Severity:** MEDIUM
 **Impact:** Faster load times, better UX
 
 **Opportunities:**
+
 - Memoize expensive calculations (score computation)
 - Lazy load namespace detail views
 - Debounce search/filter operations
 - Cache Polaris data with stale-while-revalidate
 
 **Action Items:**
+
 - [ ] Add React.memo to pure components
 - [ ] Memoize score calculations
 - [ ] Implement data caching strategy
@@ -179,16 +206,19 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ---
 
 ### 9. Code Quality & Maintainability
+
 **Severity:** MEDIUM
 **Impact:** Easier maintenance, onboarding
 
 **Recommendations:**
+
 - Extract magic strings to constants
 - Reduce component complexity
 - Add JSDoc comments for public APIs
 - Improve code organization
 
 **Action Items:**
+
 - [ ] Create constants file for check IDs
 - [ ] Split large components (DashboardView, NamespaceDetailView)
 - [ ] Add comments for complex logic
@@ -199,16 +229,19 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ## 🔵 Low Priority / Future Enhancements
 
 ### 10. Documentation
+
 **Severity:** LOW
 **Impact:** Better onboarding, user adoption
 
 **Gaps:**
+
 - No architecture documentation
 - Limited inline code comments
 - Missing troubleshooting guide
 - No contributor guidelines
 
 **Action Items:**
+
 - [ ] Create architecture diagram
 - [ ] Document component hierarchy
 - [ ] Add troubleshooting section to README
@@ -217,16 +250,19 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ---
 
 ### 11. CI/CD Pipeline Optimization
+
 **Severity:** LOW
 **Impact:** Faster feedback, automated releases
 
 **Opportunities:**
+
 - Run tests in parallel
 - Cache npm dependencies
 - Add automated security scanning
 - Implement semantic versioning
 
 **Action Items:**
+
 - [ ] Parallelize test execution
 - [ ] Add npm cache to GitHub Actions
 - [ ] Integrate Dependabot
@@ -237,41 +273,48 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 ## Summary & Prioritization
 
 ### Week 1 (Immediate)
+
 1. ✅ Fix TypeScript compilation errors
 2. ✅ Resolve production plugin loading issue
 3. ✅ Fix failing DashboardView test
 
 ### Week 2 (High Priority)
+
 4. Enhance type safety (strict mode)
-5. Implement security hardening
-6. Improve error handling and UX
+2. Implement security hardening
+3. Improve error handling and UX
 
 ### Week 3-4 (Medium Priority)
+
 7. Increase test coverage to >80%
-8. Optimize performance (memoization, caching)
-9. Refactor for maintainability
+2. Optimize performance (memoization, caching)
+3. Refactor for maintainability
 
 ### Ongoing (Low Priority)
+
 10. Documentation improvements
-11. CI/CD optimizations
+2. CI/CD optimizations
 
 ---
 
 ## Success Metrics
 
 **Code Quality:**
+
 - ✅ Zero TypeScript errors
 - ✅ All tests passing
 - 🎯 Test coverage >80%
 - 🎯 No high/critical security vulnerabilities
 
 **Production Readiness:**
+
 - ✅ Plugin loads successfully in Headlamp
 - ✅ All features functional
 - 🎯 Error rate <1%
 - 🎯 Average response time <500ms
 
 **Developer Experience:**
+
 - ✅ Clear documentation
 - ✅ Easy local setup
 - 🎯 Fast CI/CD (<5 min)

README.md

@@ -48,9 +48,14 @@ Polaris must be deployed in the `polaris` namespace with the dashboard component
 
 ## Installing
 
-### Option 1: Headlamp Plugin Manager (Recommended)
+The plugin is published on [Artifact Hub](https://artifacthub.io/packages/headlamp/polaris/headlamp-polaris-plugin). Install via the Headlamp UI:
 
-The plugin is published on [Artifact Hub](https://artifacthub.io/packages/headlamp/polaris/headlamp-polaris-plugin). Configure Headlamp via Helm:
+1. Go to **Settings → Plugins**
+2. Click **Catalog** tab
+3. Search for "Polaris"
+4. Click **Install**
+
+Or configure Headlamp via Helm:
 
 ```yaml
 config:
@@ -62,56 +67,6 @@ pluginsManager:
       url: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.3.10/polaris-0.3.10.tar.gz
 ```
 
-Or install via the Headlamp UI:
-
-1. Go to **Settings → Plugins**
-2. Click **Catalog** tab
-3. Search for "Polaris"
-4. Click **Install**
-
-### Option 2: Sidecar Container (Alternative)
-
-For detailed sidecar installation instructions, see [docs/DEPLOYMENT.md#installation-method-2-sidecar-container](docs/DEPLOYMENT.md#installation-method-2-sidecar-container).
-
-```yaml
-sidecars:
-  - name: headlamp-plugin
-    image: node:lts-alpine
-    command: ['/bin/sh']
-    args:
-      - -c
-      - |
-        npm install -g @kinvolk/headlamp-plugin
-        headlamp-plugin install --config /config/plugin.yml
-        tail -f /dev/null
-    volumeMounts:
-      - name: plugins
-        mountPath: /headlamp/plugins
-      - name: plugin-config
-        mountPath: /config
-```
-
-### Option 3: Manual Tarball Install
-
-Download the `.tar.gz` from the [GitHub releases page](https://github.com/privilegedescalation/headlamp-polaris-plugin/releases), then extract into Headlamp's plugin directory:
-
-```bash
-wget https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.3.10/polaris-0.3.10.tar.gz
-tar xzf polaris-0.3.10.tar.gz -C /headlamp/plugins/
-```
-
-### Option 4: Build from Source
-
-```bash
-git clone https://github.com/privilegedescalation/headlamp-polaris-plugin.git
-cd headlamp-polaris-plugin
-npm install
-npm run build
-npx @kinvolk/headlamp-plugin extract . /headlamp/plugins
-```
-
-For complete installation instructions including Helm integration, FluxCD examples, and production deployment checklist, see **[docs/DEPLOYMENT.md](docs/DEPLOYMENT.md)**.
-
 ## RBAC / Security Setup
 
 The plugin fetches audit data through the Kubernetes API server's **service proxy** sub-resource. The identity making the request (Headlamp's service account, or the user's own token in token-auth mode) must be granted:
@@ -251,7 +206,7 @@ For complete testing guide including CI/CD integration, see **[docs/TESTING.md](
 
 ## Project Structure
 
-```
+```text
 src/
   index.tsx                           -- Entry point. Registers sidebar entries, routes, and error boundaries.
   test-utils.tsx                      -- Shared test fixtures (makeResult, makeAuditData).
@@ -281,7 +236,7 @@ GET /api/v1/namespaces/polaris/services/polaris-dashboard/proxy/results.json
 
 This endpoint is served by the `polaris-dashboard` ClusterIP service, which is created by the Polaris Helm chart when `dashboard.enabled: true`. The JSON response matches Polaris's `AuditData` schema (`pkg/validator/output.go`):
 
-```
+```text
 AuditData
   ClusterInfo      -- nodes, pods, namespaces, controllers
   Results[]        -- per-workload results

SECURITY.md

@@ -17,7 +17,7 @@ The plugin performs **only read operations** via the Kubernetes API server's ser
 
 ### Data Flow
 
-```
+```text
 User Browser
     ↓ (HTTPS)
 Headlamp Pod
@@ -152,6 +152,7 @@ spec:
 Headlamp runs with a dedicated service account (`headlamp` in `kube-system`). All users share the same permissions defined by this service account's RBAC bindings.
 
 **Security Considerations:**
+
 - All users have identical access to the plugin
 - Suitable for trusted internal environments
 - Simpler RBAC management
@@ -161,6 +162,7 @@ Headlamp runs with a dedicated service account (`headlamp` in `kube-system`). Al
 Headlamp can be configured for OIDC authentication, where each user provides their own bearer token. RBAC is enforced per-user.
 
 **Security Considerations:**
+
 - Fine-grained access control per user
 - Users without the `polaris-proxy-reader` role will see 403 errors
 - Requires OIDC provider integration
@@ -198,10 +200,12 @@ If you discover a security vulnerability in this plugin, please report it via:
 2. **Email**: Create a GitHub issue and mark it as "security" if advisories are not available
 
 **Please do not:**
+
 - Open public GitHub issues for security vulnerabilities
 - Disclose vulnerabilities publicly before a fix is available
 
 **Response Timeline:**
+
 - **Acknowledgment**: Within 48 hours
 - **Initial Assessment**: Within 1 week
 - **Fix Timeline**: Depends on severity (critical: 1-2 weeks, high: 2-4 weeks, medium/low: next release cycle)
@@ -211,6 +215,7 @@ If you discover a security vulnerability in this plugin, please report it via:
 ### Dependency Scanning
 
 The project uses:
+
 - **npm audit**: Runs automatically during `npm install`
 - **Dependabot**: GitHub Dependabot monitors dependencies and creates PRs for updates
 - **GitHub Actions**: CI workflow runs `npm audit` on every commit
@@ -262,6 +267,7 @@ The plugin's security posture depends on your cluster's security:
 **Cause**: User or service account lacks `services/proxy` permission on `polaris-dashboard`
 
 **Resolution**:
+
 1. Verify RoleBinding exists in `polaris` namespace
 2. Check RoleBinding references correct subject (service account, group, or user)
 3. Confirm Role includes `resourceNames: ["polaris-dashboard"]`
@@ -273,11 +279,13 @@ The plugin's security posture depends on your cluster's security:
 **Question**: Can I expose Polaris dashboard via Ingress instead of using service proxy?
 
 **Recommendation**: **Avoid exposing Polaris dashboard externally**. The service proxy approach:
+
 - Enforces Kubernetes RBAC on every request
 - Avoids exposing internal services to the internet
 - Prevents authentication bypass attacks
 
 If you must expose Polaris externally:
+
 - Use OAuth2 proxy or similar authentication layer
 - Configure NetworkPolicies to restrict access
 - Enable TLS with valid certificates
@@ -304,6 +312,7 @@ Users not in `team-a` will receive 403 errors when accessing the plugin, prevent
 ### Data Residency
 
 All data remains within your Kubernetes cluster. The plugin does not:
+
 - Send data to external services
 - Store data in browser localStorage (except refresh interval preference)
 - Use third-party analytics or tracking

artifacthub-pkg.yml

@@ -1,4 +1,4 @@
-version: "0.7.0"
+version: "1.0.0"
 name: headlamp-polaris
 displayName: Polaris
 createdAt: "2026-02-05T19:00:00Z"
@@ -11,6 +11,7 @@ description: >-
   `polaris-dashboard` service in the `polaris` namespace.
 license: Apache-2.0
 homeURL: "https://github.com/privilegedescalation/headlamp-polaris-plugin"
+appVersion: "10.1.6"
 category: security
 keywords:
   - polaris
@@ -24,11 +25,52 @@ links:
     url: "https://github.com/privilegedescalation/headlamp-polaris-plugin"
   - name: Polaris
     url: "https://polaris.docs.fairwinds.com/"
+install: |
+  ## Installation
+
+  ### Prerequisites
+
+  1. [Headlamp](https://headlamp.dev) v0.26.0 or later
+  2. [Fairwinds Polaris](https://polaris.docs.fairwinds.com/) installed and the dashboard running in your cluster
+
+  ### Install via Headlamp Plugin Catalog
+
+  1. Open Headlamp and navigate to **Settings → Plugin Catalog**
+  2. Search for **"Polaris"**
+  3. Click **Install** and restart Headlamp when prompted
+
+  The plugin is sourced directly from [ArtifactHub](https://artifacthub.io/packages/headlamp/headlamp/headlamp-polaris).
+
+  ## Usage
+
+  After installation, the Polaris plugin adds:
+  - A **cluster score badge** in the Headlamp app bar
+  - A **Polaris** section in the sidebar with the full dashboard and namespace drill-downs
+  - An **inline audit panel** on Deployment, StatefulSet, DaemonSet, Job, and CronJob detail pages
+
+  For more information, see the [README](https://github.com/privilegedescalation/headlamp-polaris-plugin/blob/main/README.md).
+changes:
+  - kind: security
+    description: Patched 8 npm audit vulnerabilities via pnpm.overrides
+  - kind: added
+    description: Dual-approval required CI check — PRs must be approved by both CTO and QA before merge
+  - kind: added
+    description: ExemptionManager test suite — full coverage of annotation-based exemption flows
+  - kind: fixed
+    description: E2E infrastructure overhauled — ConfigMap volume mount replaces Dockerfile-based approach, tests run in privilegedescalation-dev namespace
+  - kind: fixed
+    description: E2E workflow uses token auth and waits for HTTP reachability before running tests
+  - kind: fixed
+    description: Added explicit direct devDependencies (typescript, eslint, prettier, @headlamp-k8s/eslint-config) to prevent phantom dep failures
+  - kind: changed
+    description: pnpm version pinned via packageManager field; GitHub Actions SHA-pinned via Renovate pinDigests
+  - kind: changed
+    description: v1.0.0 stable release — plugin API (routes, sidebar, settings schema, app bar action) is stable and will not change without a major version bump
 maintainers:
   - name: privilegedescalation
     email: "chris@farhood.org"
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.7.0/headlamp-polaris-0.7.0.tar.gz"
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v1.0.0/headlamp-polaris-1.0.0.tar.gz"
   headlamp/plugin/version-compat: ">=0.26"
-  headlamp/plugin/archive-checksum: sha256:69b7adf74416d72580981387b1861e2b5fcf7f96ae9f0620f85f623f8b6dab56
-  headlamp/plugin/distro-compat: in-cluster
+  headlamp/plugin/archive-checksum: sha256:a165e871b40f11a44950aa9f10eb7f7883276f749026ae7a4f886278ecd9bd7d
+  headlamp/plugin/distro-compat: "in-cluster,web,desktop"

deployment/PLUGIN_LOADING_FIX.md

@@ -1,19 +1,24 @@
 # Headlamp Plugin Loading Issue - Root Cause and Fix
 
 ## Problem
+
 Headlamp v0.39.0 was not loading plugins installed via the plugin manager. Plugins appeared in Settings → Plugins but:
+
 - No sidebar entries appeared
 - No plugin settings were available
 - Plugin JavaScript was not being executed in the browser
 
 ## Root Cause
+
 When `config.watchPlugins: true` (the default), Headlamp treats catalog-managed plugins in `/headlamp/plugins/` as "development directory" plugins. This causes:
+
 - Backend serves plugin metadata correctly
 - Backend logs show "Treating catalog-installed plugin in development directory as user plugin"
 - **Frontend does NOT execute the plugin JavaScript**
 - Plugin registrations (`registerSidebarEntry`, `registerRoute`, etc.) never happen
 
 ## Solution
+
 Set `config.watchPlugins: false` in the Headlamp HelmRelease values:
 
 ```yaml
@@ -31,14 +36,18 @@ spec:
 ```
 
 ## Why This Works
+
 With `watchPlugins: false`:
+
 - Headlamp no longer treats catalog-managed plugins as "development" plugins
 - Frontend properly loads and executes plugin JavaScript on startup
 - Plugin registrations happen correctly
 - All plugin features (sidebar, routes, settings, etc.) work as expected
 
 ## Testing
+
 After applying this fix:
+
 1. Verify plugins are installed: `kubectl logs -n kube-system <headlamp-pod> -c headlamp-plugin`
 2. Verify watchPlugins is false: `kubectl logs -n kube-system <headlamp-pod> -c headlamp | grep "Watch Plugins"`
 3. Hard refresh browser (Cmd+Shift+R / Ctrl+Shift+F5) to clear cached JavaScript
@@ -46,13 +55,15 @@ After applying this fix:
 5. Verify plugin functionality works
 
 ## Additional Notes
+
 - This appears to be a bug/limitation in Headlamp v0.39.0
 - The `watchPlugins` feature is intended for development scenarios where plugins are being actively modified
 - For production deployments with catalog-managed plugins, `watchPlugins: false` is the correct configuration
 - Once plugins are loaded, subsequent restarts or updates work correctly as long as `watchPlugins` remains false
 
 ## References
-- Headlamp Helm Chart: https://github.com/headlamp-k8s/headlamp/tree/main/charts/headlamp
-- Plugin Manager: https://github.com/headlamp-k8s/headlamp/tree/main/plugins/headlamp-plugin
+
+- Headlamp Helm Chart: <https://github.com/headlamp-k8s/headlamp/tree/main/charts/headlamp>
+- Plugin Manager: <https://github.com/headlamp-k8s/headlamp/tree/main/plugins/headlamp-plugin>
 - Issue discovered: 2026-02-11
 - Fix applied: 2026-02-12

deployment/e2e-ci-runner-rbac.yaml

@@ -0,0 +1,75 @@
+---
+# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
+# CI-only test fixture — NOT for production use.
+#
+# Grants the ARC runner service account permissions in the privilegedescalation-dev
+# namespace to deploy and tear down a dedicated Headlamp instance via Helm.
+# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
+#
+# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
+#
+# Prerequisites:
+#   kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner
+  namespace: privilegedescalation-dev
+rules:
+  # Helm needs to manage these resources for the Headlamp chart
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
+  - apiGroups: [""]
+    resources: ["services", "serviceaccounts", "configmaps", "secrets"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  # Token creation for E2E test auth
+  - apiGroups: [""]
+    resources: ["serviceaccounts/token"]
+    verbs: ["create"]
+  # RBAC pre-flight check: verify polaris namespace has proxy-reader Role + RoleBinding
+  # before running E2E tests. Required by the "RBAC pre-flight check" workflow step.
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner-polaris-reader
+  namespace: polaris
+rules:
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: e2e-ci-runner-polaris-reader-binding
+  namespace: polaris
+subjects:
+  - kind: ServiceAccount
+    name: runners-privilegedescalation-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner-polaris-reader
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: e2e-ci-runner-binding
+  namespace: privilegedescalation-dev
+subjects:
+  - kind: ServiceAccount
+    name: runners-privilegedescalation-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner
+  apiGroup: rbac.authorization.k8s.io

deployment/headlamp-static-plugin-values.yaml

@@ -1,83 +0,0 @@
----
-# Custom Headlamp values for static plugin installation
-# This disables the plugin manager and uses an init container instead
-
-# Disable the plugin manager sidecar
-pluginsManager:
-  enabled: false
-
-# Use an init container to install plugins to /headlamp/static-plugins
-initContainers:
-  - name: install-plugins
-    image: node:lts-alpine
-    command:
-      - /bin/sh
-      - -c
-      - |
-        set -e
-        echo "Installing plugins to /headlamp/static-plugins..."
-
-        # Create plugins directory
-        mkdir -p /headlamp/static-plugins
-
-        # Set up npm cache
-        export NPM_CONFIG_CACHE=/tmp/npm-cache
-        export NPM_CONFIG_USERCONFIG=/tmp/npm-userconfig
-        mkdir -p /tmp/npm-cache /tmp/npm-userconfig
-
-        # Install polaris plugin
-        echo "Installing polaris plugin..."
-        cd /headlamp/static-plugins
-        npm pack headlamp-polaris-plugin@0.3.0
-        tar -xzf headlamp-polaris-plugin-0.3.0.tgz
-        mv package headlamp-polaris-plugin
-        rm headlamp-polaris-plugin-0.3.0.tgz
-
-        # Install other plugins
-        npx --yes @headlamp-k8s/plugin@latest install \
-          --source https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_flux \
-          --folderName /headlamp/static-plugins
-
-        npx --yes @headlamp-k8s/plugin@latest install \
-          --source https://artifacthub.io/packages/headlamp/headlamp-trivy/headlamp_trivy \
-          --folderName /headlamp/static-plugins
-
-        npx --yes @headlamp-k8s/plugin@latest install \
-          --source https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_cert-manager \
-          --folderName /headlamp/static-plugins
-
-        npx --yes @headlamp-k8s/plugin@latest install \
-          --source https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_ai_assistant \
-          --folderName /headlamp/static-plugins
-
-        echo "All plugins installed successfully"
-        ls -la /headlamp/static-plugins
-    securityContext:
-      runAsUser: 100
-      runAsGroup: 101
-      runAsNonRoot: true
-      privileged: false
-    resources:
-      requests:
-        cpu: 100m
-        memory: 256Mi
-      limits:
-        memory: 512Mi
-    volumeMounts:
-      - name: static-plugins
-        mountPath: /headlamp/static-plugins
-
-# Configure headlamp to use static plugins
-config:
-  pluginsDir: /headlamp/static-plugins
-
-# Add volume for static plugins
-volumes:
-  - name: static-plugins
-    emptyDir: {}
-
-# Add volume mount to main container
-volumeMounts:
-  - name: static-plugins
-    mountPath: /headlamp/static-plugins
-    readOnly: true

docs/DOCUMENTATION_STANDARDIZATION_PLAN.md

@@ -129,7 +129,7 @@ docs/
 
 ### 3. CHANGELOG.md Standard
 
-**Format**: Keep a Changelog (https://keepachangelog.com/)
+**Format**: Keep a Changelog (<https://keepachangelog.com/>)
 
 **Structure**:
 

docs/TROUBLESHOOTING.md

@@ -703,6 +703,7 @@ If none of these solutions work, gather debugging information and open an issue:
    ```
 
 6. **RBAC Configuration**:
+
    ```bash
    kubectl get role,rolebinding -n polaris
    ```

docs/deployment/helm.md

@@ -19,7 +19,7 @@ Helm provides the easiest way to deploy and manage the plugin in production. Thi
 
 ```bash
 # Add Headlamp Helm repository
-helm repo add headlamp https://headlamp-k8s.github.io/headlamp/
+helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
 helm repo update
 ```
 
@@ -210,7 +210,7 @@ metadata:
   namespace: flux-system
 spec:
   interval: 1h
-  url: https://headlamp-k8s.github.io/headlamp/
+  url: https://kubernetes-sigs.github.io/headlamp/
 ```
 
 ### HelmRelease

docs/getting-started/prerequisites.md

@@ -84,7 +84,7 @@ kubectl -n kube-system get deployment headlamp -o jsonpath='{.spec.template.spec
 
 ```bash
 # Add Headlamp Helm repository
-helm repo add headlamp https://headlamp-k8s.github.io/headlamp/
+helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
 helm repo update
 
 # Install Headlamp

docs/troubleshooting/common-issues.md

@@ -703,6 +703,7 @@ If none of these solutions work, gather debugging information and open an issue:
    ```
 
 6. **RBAC Configuration**:
+
    ```bash
    kubectl get role,rolebinding -n polaris
    ```

docs/user-guide/configuration.md

@@ -286,6 +286,7 @@ localStorage.removeItem('polaris-plugin-dashboard-url');
 2. Check for JavaScript errors
 3. Disable privacy mode or try different browser
 4. Check if localStorage is enabled:
+
    ```javascript
    console.log('localStorage available:', typeof localStorage !== 'undefined');
    ```

docs/user-guide/rbac-permissions.md

@@ -508,9 +508,11 @@ If using a log aggregator (e.g., Elasticsearch), create filters to exclude or do
    Expected: `yes`
 
 4. **Verify RoleBinding subjects match:**
+
    ```bash
    kubectl -n polaris get rolebinding headlamp-polaris-proxy -o yaml
    ```
+
    Check `subjects[].name` and `subjects[].namespace` match your Headlamp SA or user
 
 ### "404 Not Found" Error

e2e/README.md

@@ -4,7 +4,16 @@ Playwright-based smoke tests that validate the Polaris plugin against a live Hea
 
 ## CI
 
-E2E tests run automatically in GitHub Actions on pushes to `main` and pull requests. The workflow (`.github/workflows/e2e.yaml`) uses either Authentik OIDC or token-based authentication via repository secrets.
+E2E tests run automatically in GitHub Actions on pushes to `main` and pull requests. The workflow (`.github/workflows/e2e.yaml`):
+
+1. Builds the plugin (`npm run build`)
+2. Creates a ConfigMap from the built `dist/` output
+3. Deploys a stock Headlamp instance via Helm with the plugin mounted as a ConfigMap volume
+4. Generates a ServiceAccount token for test auth
+5. Runs Playwright tests against the E2E instance
+6. Tears down the E2E instance
+
+This approach uses the stock `ghcr.io/headlamp-k8s/headlamp` image with no custom Docker builds. The plugin is loaded via `HEADLAMP_PLUGINS_DIR` volume mount.
 
 ### Required GitHub Secrets
 
@@ -12,12 +21,12 @@ Configure these in GitHub repository settings (Settings → Secrets and variable
 
 | Secret               | Required | Description                                                    |
 | -------------------- | -------- | -------------------------------------------------------------- |
-| `HEADLAMP_URL`       | Optional | Headlamp instance URL (defaults to `https://headlamp.animaniacs.farh.net`) |
 | `AUTHENTIK_USERNAME` | OIDC     | Authentik email or username for a CI user with Headlamp access |
 | `AUTHENTIK_PASSWORD` | OIDC     | Password for that user                                         |
-| `HEADLAMP_TOKEN`     | Token    | Kubernetes service account token (alternative to OIDC)         |
 
-Set either `AUTHENTIK_USERNAME` + `AUTHENTIK_PASSWORD` **or** `HEADLAMP_TOKEN`. OIDC takes priority if both are set.
+Token-based auth is auto-generated by the deploy script. OIDC secrets are only needed if testing against the shared Headlamp instance.
+
+No `GHCR_TOKEN` or Docker registry secrets are needed — the stock Headlamp image is public.
 
 ## Running Locally
 
@@ -47,12 +56,12 @@ HEADLAMP_URL=http://localhost:4466 npm run e2e:headed
 
 | Variable             | Required | Default                                | Description                             |
 | -------------------- | -------- | -------------------------------------- | --------------------------------------- |
-| `HEADLAMP_URL`       | No       | `https://headlamp.animaniacs.farh.net` | Base URL of the Headlamp instance       |
-| `AUTHENTIK_USERNAME` | OIDC     | —                                      | Authentik email/username                |
-| `AUTHENTIK_PASSWORD` | OIDC     | —                                      | Authentik password                      |
-| `HEADLAMP_TOKEN`     | Token    | —                                      | Kubernetes bearer token (fallback auth) |
+| `HEADLAMP_URL`       | No       | `https://headlamp.animaniacs.farh.net` | Base URL of the Headlamp instance                    |
+| `AUTHENTIK_USERNAME` | OIDC     | —                                      | Authentik email/username                             |
+| `AUTHENTIK_PASSWORD` | OIDC     | —                                      | Authentik password                                   |
+| `HEADLAMP_TOKEN`     | Token    | —                                      | Kubernetes bearer token (auto-generated in CI)       |
 
-Set either `AUTHENTIK_USERNAME` + `AUTHENTIK_PASSWORD` or `HEADLAMP_TOKEN`. OIDC takes priority if both are set.
+In CI, `HEADLAMP_URL` and `HEADLAMP_TOKEN` are set automatically by the deploy script. For local runs, set either OIDC credentials or a token manually.
 
 ## What the Tests Validate
 
@@ -106,6 +115,7 @@ These are smoke tests against real cluster data. They verify the plugin loads an
 ### Cluster Requirements
 
 1. **Polaris Deployment**
+
    ```bash
    # Verify Polaris is running
    kubectl -n polaris get pods
@@ -113,6 +123,7 @@ These are smoke tests against real cluster data. They verify the plugin loads an
    ```
 
 2. **Polaris Audit Data**
+
    ```bash
    # Check if Polaris has generated audit results
    kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq '.AuditTime'
@@ -174,21 +185,25 @@ Tests automatically capture screenshots on failure in `test-results/`
 ### Common Issues
 
 **Auth fails with "Sign In button not found":**
+
 - Check HEADLAMP_URL is correct
 - Verify Headlamp is accessible
 - Ensure OIDC is configured if using Authentik
 
 **Polaris sidebar entry not found:**
+
 - Plugin may not be installed: Check Settings → Plugins in Headlamp
 - Plugin may have failed to load: Check browser console
 - Clear browser cache and hard refresh
 
 **Cluster score not displayed:**
+
 - Polaris may not have audit data yet
 - Check Polaris is running: `kubectl -n polaris get pods`
 - Verify service proxy: `kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json`
 
 **Namespace table empty:**
+
 - Polaris hasn't run audit yet (wait a few minutes)
 - Check Polaris logs: `kubectl -n polaris logs -l app.kubernetes.io/name=polaris`
 
@@ -249,29 +264,30 @@ test('plugin UI adapts to dark mode', async ({ page }) => {
 
 Tests run automatically in GitHub Actions on pushes to `main` and pull requests. See `.github/workflows/e2e.yaml` for workflow configuration.
 
-### Required Secrets
+### Architecture
 
-Configure these in GitHub repository settings (Settings → Secrets and variables → Actions):
+The E2E workflow deploys a **dedicated Headlamp instance** for each test run:
 
-- `HEADLAMP_URL` (optional): Headlamp instance URL
-- `AUTHENTIK_USERNAME` + `AUTHENTIK_PASSWORD` (for OIDC auth)
-- OR `HEADLAMP_TOKEN` (for token-based auth)
+1. Build plugin (`npm run build`)
+2. Create ConfigMap from `dist/` output (`scripts/deploy-e2e-headlamp.sh`)
+3. Deploy stock Headlamp via Helm with ConfigMap volume mount
+4. Run Playwright tests against the E2E instance
+5. Tear down (`scripts/teardown-e2e-headlamp.sh`)
 
-### Workflow Overview
+No custom Docker images, no PVCs, no kubectl exec/cp, no patching of existing deployments. The plugin is mounted from a ConfigMap into the stock Headlamp image.
 
-1. Checkout code
-2. Setup Node.js 20 with npm cache
-3. Install dependencies (`npm ci`)
-4. Install Playwright browsers (`chromium` only)
-5. Run auth setup (creates session in `e2e/.auth/state.json`)
-6. Run all E2E tests
-7. Upload artifacts on failure:
-   - `playwright-report/` - HTML test report
-   - `test-results/` - Screenshots, traces, videos
+### Cluster Prerequisites
+
+One-time setup by a cluster admin:
+
+```bash
+kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+```
 
 ### Manual Trigger
 
 You can manually trigger E2E tests from GitHub Actions:
+
 1. Go to Actions → E2E Tests
 2. Click "Run workflow"
 3. Select branch and run

e2e/auth.setup.ts

@@ -39,13 +39,20 @@ async function authenticateWithOIDC(page: Page, username: string, password: stri
 }
 
 async function authenticateWithToken(page: Page, token: string): Promise<void> {
-  // Navigate to login — Headlamp redirects / to /c/main/login
   await page.goto('/');
-  await page.waitForURL('**/login');
+  // Headlamp goes to /token directly when no OIDC is configured,
+  // or through /login when OIDC is configured
+  await page.waitForURL(/\/(login|token)$/);
 
-  // Click the token auth option
-  await page.getByRole('button', { name: /use a token/i }).click();
-  await page.waitForURL('**/token');
+  if (page.url().includes('/login')) {
+    // OIDC login page — click "use a token" to reach token auth.
+    // Wait explicitly before clicking so failures surface at 15 s
+    // with a clear message rather than silently timing out at 60 s.
+    const useTokenBtn = page.getByRole('button', { name: /use a token/i });
+    await useTokenBtn.waitFor({ state: 'visible', timeout: 15_000 });
+    await useTokenBtn.click();
+    await page.waitForURL('**/token');
+  }
 
   // Fill the "ID token" field and submit
   await page.getByRole('textbox', { name: /id token/i }).fill(token);

e2e/settings.spec.ts

@@ -2,11 +2,17 @@ import { test, expect, Page } from '@playwright/test';
 
 /** Navigate to the Polaris plugin settings page and wait for settings to render. */
 async function goToPolarisSettings(page: Page) {
-  await page.goto('/c/main/settings/plugins');
+  // Headlamp's plugin settings page is a HOME-context route at /settings/plugins,
+  // not an in-cluster route (/c/main/settings/plugins would 404). Headlamp loads
+  // plugin scripts asynchronously on SPA init. When registerPluginSettings() fires,
+  // it dispatches a Redux action — PluginSettings uses useTypedSelector so it
+  // re-renders automatically once the plugin registers. No preloading needed.
+  await page.goto('/settings/plugins');
 
-  // Find and click the Polaris plugin entry to open its settings
-  const pluginEntry = page.locator('text=polaris').first();
-  await expect(pluginEntry).toBeVisible({ timeout: 15_000 });
+  // Wait for the plugin to appear in the settings list. The timeout covers
+  // async plugin script loading + registration.
+  const pluginEntry = page.locator('text=headlamp-polaris').first();
+  await expect(pluginEntry).toBeVisible({ timeout: 30_000 });
   await pluginEntry.click();
 
   // Wait for the PolarisSettings component to render

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "headlamp-polaris",
-  "version": "0.7.1",
+  "version": "1.0.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "headlamp-polaris",
-      "version": "0.7.1",
+      "version": "1.0.0",
       "license": "Apache-2.0",
       "devDependencies": {
         "@kinvolk/headlamp-plugin": "^0.13.0",
@@ -17,10 +17,14 @@
         "@testing-library/user-event": "^14.5.2",
         "@types/react": "^19.2.14",
         "@types/react-dom": "^19.2.3",
+        "@vitest/coverage-v8": "^3.2.4",
         "jsdom": "^24.0.0",
         "react": "^18.3.1",
         "react-dom": "^18.3.1",
         "react-router-dom": "^5.3.0",
+        "tar": "^7.5.11",
+        "typescript": "~5.6.2",
+        "undici": "^7.24.3",
         "vitest": "^3.0.5"
       },
       "peerDependencies": {
@@ -35,6 +39,20 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/@ampproject/remapping": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
+      "integrity": "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@jridgewell/gen-mapping": "^0.3.5",
+        "@jridgewell/trace-mapping": "^0.3.24"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
     "node_modules/@apidevtools/json-schema-ref-parser": {
       "version": "11.7.2",
       "resolved": "https://registry.npmjs.org/@apidevtools/json-schema-ref-parser/-/json-schema-ref-parser-11.7.2.tgz",
@@ -429,6 +447,16 @@
         "node": ">=6.9.0"
       }
     },
+    "node_modules/@bcoe/v8-coverage": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/@bcoe/v8-coverage/-/v8-coverage-1.0.2.tgz",
+      "integrity": "sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/@bundled-es-modules/cookie": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/@bundled-es-modules/cookie/-/cookie-2.0.1.tgz",
@@ -4844,6 +4872,40 @@
         "vitest": "3.2.4"
       }
     },
+    "node_modules/@vitest/coverage-v8": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-3.2.4.tgz",
+      "integrity": "sha512-EyF9SXU6kS5Ku/U82E259WSnvg6c8KTjppUncuNdm5QHpe17mwREHnjDzozC8x9MZ0xfBUFSaLkRv4TMA75ALQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@ampproject/remapping": "^2.3.0",
+        "@bcoe/v8-coverage": "^1.0.2",
+        "ast-v8-to-istanbul": "^0.3.3",
+        "debug": "^4.4.1",
+        "istanbul-lib-coverage": "^3.2.2",
+        "istanbul-lib-report": "^3.0.1",
+        "istanbul-lib-source-maps": "^5.0.6",
+        "istanbul-reports": "^3.1.7",
+        "magic-string": "^0.30.17",
+        "magicast": "^0.3.5",
+        "std-env": "^3.9.0",
+        "test-exclude": "^7.0.1",
+        "tinyrainbow": "^2.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      },
+      "peerDependencies": {
+        "@vitest/browser": "3.2.4",
+        "vitest": "3.2.4"
+      },
+      "peerDependenciesMeta": {
+        "@vitest/browser": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/@vitest/expect": {
       "version": "3.2.4",
       "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-3.2.4.tgz",
@@ -5649,6 +5711,35 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/ast-v8-to-istanbul": {
+      "version": "0.3.12",
+      "resolved": "https://registry.npmjs.org/ast-v8-to-istanbul/-/ast-v8-to-istanbul-0.3.12.tgz",
+      "integrity": "sha512-BRRC8VRZY2R4Z4lFIL35MwNXmwVqBityvOIwETtsCSwvjl0IdgFsy9NhdaA6j74nUdtJJlIypeRhpDam19Wq3g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/trace-mapping": "^0.3.31",
+        "estree-walker": "^3.0.3",
+        "js-tokens": "^10.0.0"
+      }
+    },
+    "node_modules/ast-v8-to-istanbul/node_modules/estree-walker": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
+      "integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "^1.0.0"
+      }
+    },
+    "node_modules/ast-v8-to-istanbul/node_modules/js-tokens": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-10.0.0.tgz",
+      "integrity": "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/astral-regex": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/astral-regex/-/astral-regex-2.0.0.tgz",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "headlamp-polaris",
-  "version": "0.7.1",
+  "version": "1.0.0",
   "description": "Headlamp plugin for Fairwinds Polaris audit results",
   "repository": {
     "type": "git",
@@ -12,6 +12,7 @@
   "homepage": "https://github.com/privilegedescalation/headlamp-polaris-plugin#readme",
   "author": "privilegedescalation",
   "license": "Apache-2.0",
+  "packageManager": "pnpm@10.32.1",
   "scripts": {
     "start": "headlamp-plugin start",
     "build": "headlamp-plugin build",
@@ -30,6 +31,13 @@
     "react": "^18.0.0",
     "react-dom": "^18.0.0"
   },
+  "pnpm": {
+    "overrides": {
+      "tar": "^7.5.11",
+      "undici": "^7.24.3",
+      "flatted": "^3.4.2"
+    }
+  },
   "devDependencies": {
     "@kinvolk/headlamp-plugin": "^0.13.0",
     "@mui/material": "^5.15.14",
@@ -39,10 +47,17 @@
     "@testing-library/user-event": "^14.5.2",
     "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
+    "@vitest/coverage-v8": "^3.2.4",
+    "@headlamp-k8s/eslint-config": "^0.6.0",
+    "eslint": "^8.57.0",
     "jsdom": "^24.0.0",
+    "prettier": "^2.8.8",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "react-router-dom": "^5.3.0",
+    "tar": "^7.5.11",
+    "typescript": "~5.6.2",
+    "undici": "^7.24.3",
     "vitest": "^3.0.5"
   }
 }

pnpm-lock.yaml

@@ -4,10 +4,18 @@ settings:
   autoInstallPeers: true
   excludeLinksFromLockfile: false
 
+overrides:
+  tar: ^7.5.11
+  undici: ^7.24.3
+  flatted: ^3.4.2
+
 importers:
 
   .:
     devDependencies:
+      '@headlamp-k8s/eslint-config':
+        specifier: ^0.6.0
+        version: 0.6.0(@typescript-eslint/eslint-plugin@8.56.1(@typescript-eslint/parser@8.56.1(eslint@8.57.1)(typescript@5.6.2))(eslint@8.57.1)(typescript@5.6.2))(eslint-config-prettier@9.1.2(eslint@8.57.1))(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.56.1(eslint@8.57.1)(typescript@5.6.2))(eslint@8.57.1))(eslint-plugin-jsx-a11y@6.10.2(eslint@8.57.1))(eslint-plugin-react-hooks@4.6.2(eslint@8.57.1))(eslint-plugin-react@7.35.0(eslint@8.57.1))(eslint-plugin-simple-import-sort@12.1.1(eslint@8.57.1))(eslint-plugin-unused-imports@4.4.1(@typescript-eslint/eslint-plugin@8.56.1(@typescript-eslint/parser@8.56.1(eslint@8.57.1)(typescript@5.6.2))(eslint@8.57.1)(typescript@5.6.2))(eslint@8.57.1))(eslint@8.57.1)
       '@kinvolk/headlamp-plugin':
         specifier: ^0.13.0
         version: 0.13.1(@swc/core@1.15.18)(@types/debug@4.1.12)(@typescript-eslint/parser@8.56.1(eslint@8.57.1)(typescript@5.6.2))(csstype@3.2.3)(esbuild@0.25.12)(immer@11.1.4)(openapi-types@12.1.3)(redux@5.0.1)(rollup@4.59.0)(terser@5.46.0)(webpack@5.105.4(@swc/core@1.15.18)(esbuild@0.25.12))
@@ -32,9 +40,18 @@ importers:
       '@types/react-dom':
         specifier: ^19.2.3
         version: 19.2.3(@types/react@19.2.14)
+      '@vitest/coverage-v8':
+        specifier: ^3.2.4
+        version: 3.2.4(vitest@3.2.4(@types/debug@4.1.12)(@types/node@20.19.37)(jsdom@24.1.3)(msw@2.4.9(typescript@5.6.2))(terser@5.46.0)(yaml@2.8.2))
+      eslint:
+        specifier: ^8.57.0
+        version: 8.57.1
       jsdom:
         specifier: ^24.0.0
         version: 24.1.3
+      prettier:
+        specifier: ^2.8.8
+        version: 2.8.8
       react:
         specifier: ^18.3.1
         version: 18.3.1
@@ -44,6 +61,15 @@ importers:
       react-router-dom:
         specifier: ^5.3.0
         version: 5.3.4(react@18.3.1)
+      tar:
+        specifier: ^7.5.11
+        version: 7.5.12
+      typescript:
+        specifier: ~5.6.2
+        version: 5.6.2
+      undici:
+        specifier: ^7.24.3
+        version: 7.24.5
       vitest:
         specifier: ^3.0.5
         version: 3.2.4(@types/debug@4.1.12)(@types/node@20.19.37)(jsdom@24.1.3)(msw@2.4.9(typescript@5.6.2))(terser@5.46.0)(yaml@2.8.2)
@@ -53,6 +79,10 @@ packages:
   '@adobe/css-tools@4.4.4':
     resolution: {integrity: sha512-Elp+iwUx5rN5+Y8xLt5/GRoG20WGoDCQ/1Fb+1LiGtvwbDavuSk0jhD/eZdckHAuzcDzccnkv+rEjyWfRx18gg==}
 
+  '@ampproject/remapping@2.3.0':
+    resolution: {integrity: sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==}
+    engines: {node: '>=6.0.0'}
+
   '@apidevtools/json-schema-ref-parser@11.7.2':
     resolution: {integrity: sha512-4gY54eEGEstClvEkGnwVkTkrx0sqwemEFG5OSRRn3tD91XH0+Q8XIkYIfo7IwEWPpJZwILb9GUXeShtplRc/eA==}
     engines: {node: '>= 16'}
@@ -159,6 +189,10 @@ packages:
     resolution: {integrity: sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==}
     engines: {node: '>=6.9.0'}
 
+  '@bcoe/v8-coverage@1.0.2':
+    resolution: {integrity: sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==}
+    engines: {node: '>=18'}
+
   '@bundled-es-modules/cookie@2.0.1':
     resolution: {integrity: sha512-8o+5fRPLNbjbdGRRmJj3h6Hh1AQJf2dk3qQ/5ZFb+PXkRNiSoMGGUKlsgLfrxneb72axVJyIYji64E2+nNfYyw==}
 
@@ -1599,6 +1633,15 @@ packages:
     peerDependencies:
       vitest: 3.2.4
 
+  '@vitest/coverage-v8@3.2.4':
+    resolution: {integrity: sha512-EyF9SXU6kS5Ku/U82E259WSnvg6c8KTjppUncuNdm5QHpe17mwREHnjDzozC8x9MZ0xfBUFSaLkRv4TMA75ALQ==}
+    peerDependencies:
+      '@vitest/browser': 3.2.4
+      vitest: 3.2.4
+    peerDependenciesMeta:
+      '@vitest/browser':
+        optional: true
+
   '@vitest/expect@3.2.4':
     resolution: {integrity: sha512-Io0yyORnB6sikFlt8QW5K7slY4OjqNX9jmJQ02QDda8lyM6B5oNgVWoSoKPac8/kgnCUzuHQKrSLtu/uOqqrig==}
 
@@ -1845,6 +1888,9 @@ packages:
     resolution: {integrity: sha512-6t10qk83GOG8p0vKmaCr8eiilZwO171AvbROMtvvNiwrTly62t+7XkA8RdIIVbpMhCASAsxgAzdRSwh6nw/5Dg==}
     engines: {node: '>=4'}
 
+  ast-v8-to-istanbul@0.3.12:
+    resolution: {integrity: sha512-BRRC8VRZY2R4Z4lFIL35MwNXmwVqBityvOIwETtsCSwvjl0IdgFsy9NhdaA6j74nUdtJJlIypeRhpDam19Wq3g==}
+
   astral-regex@2.0.0:
     resolution: {integrity: sha512-Z7tMw1ytTXt5jqMcOP+OQteU1VuNK9Y02uuJtKQ1Sv69jXQKKg5cibLwGJow8yzZP+eAc18EmLGPal0bp36rvQ==}
     engines: {node: '>=8'}
@@ -2824,8 +2870,8 @@ packages:
     resolution: {integrity: sha512-CYcENa+FtcUKLmhhqyctpclsq7QF38pKjZHsGNiSQF5r4FtoKDWabFDl3hzaEQMvT1LHEysw5twgLvpYYb4vbw==}
     engines: {node: ^10.12.0 || >=12.0.0}
 
-  flatted@3.4.0:
-    resolution: {integrity: sha512-kC6Bb+ooptOIvWj5B63EQWkF0FEnNjV2ZNkLMLZRDDduIiWeFF4iKnslwhiWxjAdbg4NzTNo6h0qLuvFrcx+Sw==}
+  flatted@3.4.2:
+    resolution: {integrity: sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==}
 
   for-each@0.3.5:
     resolution: {integrity: sha512-dKx12eRCVIzqCxFGplyFKJMPvLEWgmNtUrpTiJIR5u97zEhRG8ySrtboPHZXx7daLxQVrl643cTzbab2tkQjxg==}
@@ -3390,6 +3436,9 @@ packages:
   js-base64@3.7.8:
     resolution: {integrity: sha512-hNngCeKxIUQiEUN3GPJOkz4wF/YvdUdbNL9hsBcMQTkKzboD7T/q3OYOuuPZLUE6dBxSGpwhk5mwuDud7JVAow==}
 
+  js-tokens@10.0.0:
+    resolution: {integrity: sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==}
+
   js-tokens@4.0.0:
     resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==}
 
@@ -4727,8 +4776,8 @@ packages:
     resolution: {integrity: sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==}
     engines: {node: '>=6'}
 
-  tar@7.5.10:
-    resolution: {integrity: sha512-8mOPs1//5q/rlkNSPcCegA6hiHJYDmSLEI8aMH/CdSQJNWztHC9WHNam5zdQlfpTwB9Xp7IBEsHfV5LKMJGVAw==}
+  tar@7.5.12:
+    resolution: {integrity: sha512-9TsuLcdhOn4XztcQqhNyq1KOwOOED/3k58JAvtULiYqbO8B/0IBAAIE1hj0Svmm58k27TmcigyDI0deMlgG3uw==}
     engines: {node: '>=18'}
 
   teex@1.0.1:
@@ -4912,8 +4961,8 @@ packages:
   undici-types@6.21.0:
     resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
 
-  undici@7.22.0:
-    resolution: {integrity: sha512-RqslV2Us5BrllB+JeiZnK4peryVTndy9Dnqq62S3yYRRTj0tFQCwEniUy2167skdGOy3vqRzEvl1Dm4sV2ReDg==}
+  undici@7.24.5:
+    resolution: {integrity: sha512-3IWdCpjgxp15CbJnsi/Y9TCDE7HWVN19j1hmzVhoAkY/+CJx449tVxT5wZc1Gwg8J+P0LWvzlBzxYRnHJ+1i7Q==}
     engines: {node: '>=20.18.1'}
 
   unicorn-magic@0.1.0:
@@ -5312,6 +5361,11 @@ snapshots:
 
   '@adobe/css-tools@4.4.4': {}
 
+  '@ampproject/remapping@2.3.0':
+    dependencies:
+      '@jridgewell/gen-mapping': 0.3.13
+      '@jridgewell/trace-mapping': 0.3.31
+
   '@apidevtools/json-schema-ref-parser@11.7.2':
     dependencies:
       '@jsdevtools/ono': 7.1.3
@@ -5455,6 +5509,8 @@ snapshots:
       '@babel/helper-string-parser': 7.27.1
       '@babel/helper-validator-identifier': 7.28.5
 
+  '@bcoe/v8-coverage@1.0.2': {}
+
   '@bundled-es-modules/cookie@2.0.1':
     dependencies:
       cookie: 0.7.2
@@ -5546,7 +5602,7 @@ snapshots:
 
   '@emotion/sheet@1.4.0': {}
 
-  '@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)':
+  '@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)':
     dependencies:
       '@babel/runtime': 7.28.6
       '@emotion/babel-plugin': 11.13.5
@@ -5717,7 +5773,7 @@ snapshots:
       js-yaml: 4.1.1
       semver: 7.7.4
       table: 6.9.0
-      tar: 7.5.10
+      tar: 7.5.12
       tmp: 0.2.5
       yargs: 17.7.2
 
@@ -5835,18 +5891,18 @@ snapshots:
     dependencies:
       '@apidevtools/swagger-parser': 10.1.1(openapi-types@12.1.3)
       '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
       '@headlamp-k8s/eslint-config': 0.6.0(@typescript-eslint/eslint-plugin@8.56.1(@typescript-eslint/parser@8.56.1(eslint@8.57.1)(typescript@5.6.2))(eslint@8.57.1)(typescript@5.6.2))(eslint-config-prettier@9.1.2(eslint@8.57.1))(eslint-plugin-import@2.32.0(@typescript-eslint/parser@8.56.1(eslint@8.57.1)(typescript@5.6.2))(eslint@8.57.1))(eslint-plugin-jsx-a11y@6.10.2(eslint@8.57.1))(eslint-plugin-react-hooks@4.6.2(eslint@8.57.1))(eslint-plugin-react@7.35.0(eslint@8.57.1))(eslint-plugin-simple-import-sort@12.1.1(eslint@8.57.1))(eslint-plugin-unused-imports@4.4.1(@typescript-eslint/eslint-plugin@8.56.1(@typescript-eslint/parser@8.56.1(eslint@8.57.1)(typescript@5.6.2))(eslint@8.57.1)(typescript@5.6.2))(eslint@8.57.1))(eslint@8.57.1)
       '@headlamp-k8s/pluginctl': 0.1.1
       '@iconify/icons-mdi': 1.2.48
       '@iconify/react': 3.2.2(react@18.3.1)
       '@monaco-editor/react': 4.7.0(monaco-editor@0.52.2)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
       '@mui/icons-material': 5.18.0(@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(@types/react@19.2.14)(react@18.3.1)
-      '@mui/lab': 5.0.0-alpha.177(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1))(@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(@types/react@18.3.28)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
+      '@mui/lab': 5.0.0-alpha.177(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1))(@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(@types/react@18.3.28)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
       '@mui/material': 5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
       '@mui/system': 5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
       '@mui/x-date-pickers': 7.29.4(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(@mui/system@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
-      '@mui/x-tree-view': 6.17.0(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1))(@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(@mui/system@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
+      '@mui/x-tree-view': 6.17.0(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1))(@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(@mui/system@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
       '@reduxjs/toolkit': 2.11.2(react-redux@9.2.0(@types/react@18.3.28)(react@18.3.1)(redux@5.0.1))(react@18.3.1)
       '@storybook/addon-docs': 9.1.20(@types/react@18.3.28)(storybook@9.1.20(@testing-library/dom@10.4.1)(msw@2.4.9(typescript@5.6.2))(prettier@2.8.8)(vite@6.4.1(@types/node@20.19.37)(terser@5.46.0)(yaml@2.8.2)))
       '@storybook/addon-links': 9.1.20(react@18.3.1)(storybook@9.1.20(@testing-library/dom@10.4.1)(msw@2.4.9(typescript@5.6.2))(prettier@2.8.8)(vite@6.4.1(@types/node@20.19.37)(terser@5.46.0)(yaml@2.8.2)))
@@ -5900,7 +5956,7 @@ snapshots:
       jsdom: 24.1.3
       jsonpath-plus: 10.4.0
       lodash: 4.17.23
-      material-react-table: 2.13.3(9c8771ba98ea800c4ce3ae047fad2581)
+      material-react-table: 2.13.3(6e12a7d949eb369c0813bc8d1756414b)
       monaco-editor: 0.52.2
       msw: 2.4.9(typescript@5.6.2)
       msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.2))
@@ -5925,7 +5981,7 @@ snapshots:
       spacetime: 7.12.0
       storybook: 9.1.20(@testing-library/dom@10.4.1)(msw@2.4.9(typescript@5.6.2))(prettier@2.8.8)(vite@6.4.1(@types/node@20.19.37)(terser@5.46.0)(yaml@2.8.2))
       table: 6.9.0
-      tar: 7.5.10
+      tar: 7.5.12
       ts-loader: 9.5.4(typescript@5.6.2)(webpack@5.105.4(@swc/core@1.15.18)(esbuild@0.25.12))
       typescript: 5.6.2
       validate-npm-package-name: 3.0.0
@@ -6046,7 +6102,7 @@ snapshots:
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@mui/lab@5.0.0-alpha.177(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1))(@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(@types/react@18.3.28)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)':
+  '@mui/lab@5.0.0-alpha.177(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1))(@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(@types/react@18.3.28)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)':
     dependencies:
       '@babel/runtime': 7.28.6
       '@mui/base': 5.0.0-beta.40-1(@types/react@18.3.28)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
@@ -6060,7 +6116,7 @@ snapshots:
       react-dom: 18.3.1(react@18.3.1)
     optionalDependencies:
       '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
       '@types/react': 18.3.28
 
   '@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)':
@@ -6081,7 +6137,7 @@ snapshots:
       react-transition-group: 4.4.5(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
     optionalDependencies:
       '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
       '@types/react': 18.3.28
 
   '@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)':
@@ -6102,7 +6158,7 @@ snapshots:
       react-transition-group: 4.4.5(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
     optionalDependencies:
       '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
       '@types/react': 19.2.14
 
   '@mui/private-theming@5.17.1(@types/react@18.3.28)(react@18.3.1)':
@@ -6133,7 +6189,7 @@ snapshots:
       react: 18.3.1
     optionalDependencies:
       '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
 
   '@mui/system@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)':
     dependencies:
@@ -6148,7 +6204,7 @@ snapshots:
       react: 18.3.1
     optionalDependencies:
       '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
       '@types/react': 18.3.28
 
   '@mui/system@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1)':
@@ -6164,7 +6220,7 @@ snapshots:
       react: 18.3.1
     optionalDependencies:
       '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
       '@types/react': 19.2.14
 
   '@mui/types@7.2.24(@types/react@18.3.28)':
@@ -6244,7 +6300,7 @@ snapshots:
       react-transition-group: 4.4.5(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
     optionalDependencies:
       '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
     transitivePeerDependencies:
       - '@types/react'
 
@@ -6256,11 +6312,11 @@ snapshots:
     transitivePeerDependencies:
       - '@types/react'
 
-  '@mui/x-tree-view@6.17.0(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1))(@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(@mui/system@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)':
+  '@mui/x-tree-view@6.17.0(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1))(@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(@mui/system@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)':
     dependencies:
       '@babel/runtime': 7.28.6
       '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
       '@mui/base': 5.0.0-beta.70(@types/react@18.3.28)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
       '@mui/material': 5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
       '@mui/system': 5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
@@ -7149,6 +7205,25 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  '@vitest/coverage-v8@3.2.4(vitest@3.2.4(@types/debug@4.1.12)(@types/node@20.19.37)(jsdom@24.1.3)(msw@2.4.9(typescript@5.6.2))(terser@5.46.0)(yaml@2.8.2))':
+    dependencies:
+      '@ampproject/remapping': 2.3.0
+      '@bcoe/v8-coverage': 1.0.2
+      ast-v8-to-istanbul: 0.3.12
+      debug: 4.4.3
+      istanbul-lib-coverage: 3.2.2
+      istanbul-lib-report: 3.0.1
+      istanbul-lib-source-maps: 5.0.6
+      istanbul-reports: 3.2.0
+      magic-string: 0.30.21
+      magicast: 0.3.5
+      std-env: 3.10.0
+      test-exclude: 7.0.2
+      tinyrainbow: 2.0.0
+      vitest: 3.2.4(@types/debug@4.1.12)(@types/node@20.19.37)(jsdom@24.1.3)(msw@2.4.9(typescript@5.6.2))(terser@5.46.0)(yaml@2.8.2)
+    transitivePeerDependencies:
+      - supports-color
+
   '@vitest/expect@3.2.4':
     dependencies:
       '@types/chai': 5.2.3
@@ -7468,6 +7543,12 @@ snapshots:
     dependencies:
       tslib: 2.8.1
 
+  ast-v8-to-istanbul@0.3.12:
+    dependencies:
+      '@jridgewell/trace-mapping': 0.3.31
+      estree-walker: 3.0.3
+      js-tokens: 10.0.0
+
   astral-regex@2.0.0: {}
 
   async-function@1.0.0: {}
@@ -7718,7 +7799,7 @@ snapshots:
       parse5: 7.3.0
       parse5-htmlparser2-tree-adapter: 7.1.0
       parse5-parser-stream: 7.1.2
-      undici: 7.22.0
+      undici: 7.24.5
       whatwg-mimetype: 4.0.0
 
   chokidar@3.6.0:
@@ -8632,11 +8713,11 @@ snapshots:
 
   flat-cache@3.2.0:
     dependencies:
-      flatted: 3.4.0
+      flatted: 3.4.2
       keyv: 4.5.4
       rimraf: 3.0.2
 
-  flatted@3.4.0: {}
+  flatted@3.4.2: {}
 
   for-each@0.3.5:
     dependencies:
@@ -9306,6 +9387,8 @@ snapshots:
 
   js-base64@3.7.8: {}
 
+  js-tokens@10.0.0: {}
+
   js-tokens@4.0.0: {}
 
   js-tokens@9.0.1: {}
@@ -9469,10 +9552,10 @@ snapshots:
       '@types/minimatch': 3.0.5
       minimatch: 3.1.5
 
-  material-react-table@2.13.3(9c8771ba98ea800c4ce3ae047fad2581):
+  material-react-table@2.13.3(6e12a7d949eb369c0813bc8d1756414b):
     dependencies:
       '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1)
-      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@18.3.28)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
+      '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
       '@mui/icons-material': 5.18.0(@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(@types/react@19.2.14)(react@18.3.1)
       '@mui/material': 5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
       '@mui/x-date-pickers': 7.29.4(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@mui/material@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1))(@mui/system@5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
@@ -10975,7 +11058,7 @@ snapshots:
 
   tapable@2.3.0: {}
 
-  tar@7.5.10:
+  tar@7.5.12:
     dependencies:
       '@isaacs/fs-minipass': 4.0.1
       chownr: 3.0.0
@@ -11182,7 +11265,7 @@ snapshots:
 
   undici-types@6.21.0: {}
 
-  undici@7.22.0: {}
+  undici@7.24.5: {}
 
   unicorn-magic@0.1.0: {}
 

renovate.json

@@ -1,19 +1,5 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:recommended"],
-  "baseBranches": ["main"],
-  "schedule": ["every weekend"],
-  "prConcurrentLimit": 10,
-  "packageRules": [
-    {
-      "matchManagers": ["npm"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "npm minor and patch"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "github-actions minor and patch"
-    }
-  ]
+  "extends": ["github>privilegedescalation/.github:renovate-config"]
 }
+

scripts/deploy-e2e-headlamp.sh

@@ -0,0 +1,210 @@
+#!/usr/bin/env bash
+# deploy-e2e-headlamp.sh
+#
+# Deploys a stock Headlamp instance with the polaris plugin loaded via
+# a ConfigMap volume mount. No custom Docker images — the plugin is built
+# in CI and injected as a ConfigMap.
+#
+# E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing
+# persists beyond the test run — teardown cleans up all created resources.
+#
+# Prerequisites:
+#   - Plugin built (dist/ exists with plugin-main.js + package.json)
+#   - kubectl configured with cluster access
+#   - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+#
+# Environment:
+#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: privilegedescalation-dev)
+#   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
+#   HEADLAMP_VERSION  — Headlamp image tag (default: v0.40.1, pinned to match production)
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+DIST_DIR="$REPO_ROOT/dist"
+
+E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
+E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
+HEADLAMP_VERSION="${HEADLAMP_VERSION:-v0.40.1}"
+
+if [ ! -d "$DIST_DIR" ]; then
+  echo "ERROR: dist/ not found. Run 'npm run build' first." >&2
+  exit 1
+fi
+
+# --- Preflight: verify RBAC before touching the cluster ---
+echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
+if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
+  echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2
+  echo "  Apply RBAC first: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2
+  exit 1
+fi
+
+echo "=== E2E Headlamp Deployment ==="
+echo "  Image:     ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}"
+echo "  Namespace: $E2E_NAMESPACE"
+echo "  Release:   $E2E_RELEASE"
+
+# --- Create ConfigMap from built plugin ---
+echo ""
+echo "Creating ConfigMap with plugin files..."
+
+# Delete existing ConfigMap if present (idempotent redeploy)
+kubectl delete configmap headlamp-polaris-plugin \
+  -n "$E2E_NAMESPACE" --ignore-not-found
+
+# Create ConfigMap from dist/ contents and package.json
+kubectl create configmap headlamp-polaris-plugin \
+  -n "$E2E_NAMESPACE" \
+  --from-file="$DIST_DIR" \
+  --from-file=package.json="$REPO_ROOT/package.json"
+
+# --- Tear down any existing E2E deployment for a clean start ---
+# kubectl apply without prior deletion only patches in-place: if the pod spec is
+# unchanged between runs, no new rollout is triggered and a degraded pod keeps
+# serving. Delete first to guarantee a fresh pod regardless of prior state.
+echo ""
+echo "Removing any existing E2E deployment (clean-start)..."
+kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+
+# --- Deploy Headlamp via kubectl apply ---
+echo ""
+echo "Deploying Headlamp E2E instance..."
+
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: headlamp
+      app.kubernetes.io/instance: ${E2E_RELEASE}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: headlamp
+        app.kubernetes.io/instance: ${E2E_RELEASE}
+    spec:
+      serviceAccountName: ${E2E_RELEASE}
+      automountServiceAccountToken: true
+      securityContext: {}
+      containers:
+        - name: headlamp
+          image: ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            privileged: false
+            runAsUser: 100
+            runAsGroup: 101
+          args:
+            - "-in-cluster"
+            - "-in-cluster-context-name=main"
+            - "-plugins-dir=/headlamp/plugins"
+          ports:
+            - name: http
+              containerPort: 4466
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          volumeMounts:
+            - name: polaris-plugin
+              mountPath: /headlamp/plugins/headlamp-polaris
+              readOnly: true
+      volumes:
+        - name: polaris-plugin
+          configMap:
+            name: headlamp-polaris-plugin
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+      protocol: TCP
+EOF
+
+echo "Waiting for rollout..."
+kubectl rollout status "deployment/${E2E_RELEASE}" \
+  -n "$E2E_NAMESPACE" --timeout=120s
+
+# --- Generate a service URL for tests ---
+SVC_URL="http://${E2E_RELEASE}.${E2E_NAMESPACE}.svc.cluster.local"
+
+# --- Wait for DNS and HTTP reachability ---
+# rollout status only confirms the pod is ready per readinessProbe.
+# Kubernetes Service DNS may still be propagating to the runner pod.
+# Poll until the service is reachable over HTTP before handing off.
+echo ""
+echo "Waiting for ${SVC_URL} to be reachable..."
+ATTEMPTS=0
+MAX_ATTEMPTS=24  # 24 × 5s = 120s max
+until curl -sf --max-time 5 "${SVC_URL}" -o /dev/null 2>/dev/null; do
+  ATTEMPTS=$((ATTEMPTS + 1))
+  if [ "$ATTEMPTS" -ge "$MAX_ATTEMPTS" ]; then
+    echo "ERROR: ${SVC_URL} not reachable after $((MAX_ATTEMPTS * 5))s" >&2
+    exit 1
+  fi
+  echo "  [${ATTEMPTS}/${MAX_ATTEMPTS}] not yet reachable, retrying in 5s..."
+  sleep 5
+done
+echo ""
+echo "E2E Headlamp is ready at: ${SVC_URL}"
+echo "  export HEADLAMP_URL=${SVC_URL}"
+
+# --- Generate a token for test auth ---
+echo ""
+echo "Creating service account token for E2E auth..."
+kubectl create serviceaccount headlamp-e2e-test \
+  -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
+
+TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "")
+if [ -n "$TOKEN" ]; then
+  echo "  export HEADLAMP_TOKEN=<generated>"
+  echo ""
+  echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e"
+  echo "HEADLAMP_TOKEN=${TOKEN}" >> "$REPO_ROOT/.env.e2e"
+  echo "Wrote .env.e2e with HEADLAMP_URL and HEADLAMP_TOKEN"
+else
+  echo "  WARNING: Could not generate token. Set HEADLAMP_TOKEN manually or use OIDC."
+fi
+
+echo ""
+echo "E2E deployment complete."

scripts/teardown-e2e-headlamp.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# teardown-e2e-headlamp.sh
+#
+# Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
+#
+# Environment:
+#   E2E_NAMESPACE  — namespace to clean up (default: privilegedescalation-dev)
+#   E2E_RELEASE    — release/resource name prefix (default: headlamp-e2e)
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+
+E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
+E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
+
+echo "=== E2E Headlamp Teardown ==="
+echo "  Namespace: $E2E_NAMESPACE"
+echo "  Release:   $E2E_RELEASE"
+
+echo "Removing Headlamp Deployment, Service, and ServiceAccount..."
+kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
+kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
+
+echo "Cleaning up ConfigMap..."
+kubectl delete configmap headlamp-polaris-plugin -n "$E2E_NAMESPACE" --ignore-not-found
+
+echo "Cleaning up test service account..."
+kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found
+
+# Clean up local env file
+rm -f "$REPO_ROOT/.env.e2e"
+
+echo "Teardown complete."

src/components/AppBarScoreBadge.test.tsx

@@ -7,13 +7,7 @@ import { makeAuditData, makeResult } from '../test-utils';
 // Mock Headlamp lib
 vi.mock('@kinvolk/headlamp-plugin/lib', () => ({
   ApiProxy: { request: vi.fn() },
-  K8s: {
-    useCluster: () => 'test-cluster',
-  },
-  Router: {
-    createRouteURL: (name: string, params?: { cluster?: string }) =>
-      `/c/${params?.cluster ?? 'default'}/${name}`,
-  },
+  K8s: {},
 }));
 
 vi.mock('@mui/material/styles', () => ({
@@ -31,6 +25,15 @@ vi.mock('react-router-dom', () => ({
   useHistory: () => ({ push: mockPush }),
 }));
 
+// Set window.location.pathname for cluster extraction
+beforeEach(() => {
+  Object.defineProperty(window, 'location', {
+    value: { pathname: '/c/test-cluster/some-page' },
+    writable: true,
+  });
+  mockPush.mockClear();
+});
+
 const mockUsePolarisDataContext = vi.fn();
 vi.mock('../api/PolarisDataContext', () => ({
   usePolarisDataContext: () => mockUsePolarisDataContext(),
@@ -97,7 +100,7 @@ describe('AppBarScoreBadge', () => {
     expect(button.style.backgroundColor).toBe('rgb(244, 67, 54)');
   });
 
-  it('navigates to /polaris on click', async () => {
+  it('navigates to /c/<cluster>/polaris on click', async () => {
     const user = userEvent.setup();
     const data = makeAuditData([
       makeResult({
@@ -120,6 +123,33 @@ describe('AppBarScoreBadge', () => {
     expect(mockPush).toHaveBeenCalledWith('/c/test-cluster/polaris');
   });
 
+  it('navigates to /polaris when no cluster in URL', async () => {
+    Object.defineProperty(window, 'location', {
+      value: { pathname: '/settings' },
+      writable: true,
+    });
+    const user = userEvent.setup();
+    const data = makeAuditData([
+      makeResult({
+        Results: {
+          c1: {
+            ID: 'c1',
+            Message: '',
+            Details: [],
+            Success: true,
+            Severity: 'warning',
+            Category: 'X',
+          },
+        },
+      }),
+    ]);
+    mockUsePolarisDataContext.mockReturnValue({ data, loading: false });
+
+    render(<AppBarScoreBadge />);
+    await user.click(screen.getByRole('button'));
+    expect(mockPush).toHaveBeenCalledWith('/polaris');
+  });
+
   it('has correct aria-label', () => {
     const data = makeAuditData([
       makeResult({

src/components/AppBarScoreBadge.tsx

@@ -1,10 +1,21 @@
-import { K8s, Router } from '@kinvolk/headlamp-plugin/lib';
 import { useTheme } from '@mui/material/styles';
 import React from 'react';
 import { useHistory } from 'react-router-dom';
 import { computeScore, countResults } from '../api/polaris';
 import { usePolarisDataContext } from '../api/PolarisDataContext';
 
+/**
+ * Extract the cluster name from the current browser URL.
+ * Headlamp cluster routes follow the pattern /c/<cluster>/...
+ * We read window.location.pathname directly because the AppBar renders
+ * outside the cluster route context, so useCluster() returns null and
+ * React Router's useLocation() may not reflect the cluster prefix.
+ */
+function getClusterFromUrl(): string | null {
+  const match = window.location.pathname.match(/\/c\/([^/]+)/);
+  return match ? match[1] : null;
+}
+
 /**
  * App bar badge showing cluster Polaris score
  * Clicking navigates to the overview dashboard
@@ -13,7 +24,6 @@ export default function AppBarScoreBadge() {
   const theme = useTheme();
   const { data, loading } = usePolarisDataContext();
   const history = useHistory();
-  const cluster = K8s.useCluster();
 
   if (loading || !data) {
     return null; // Graceful degradation when Polaris unavailable
@@ -36,7 +46,9 @@ export default function AppBarScoreBadge() {
   };
 
   const handleClick = () => {
-    history.push(Router.createRouteURL('polaris', { cluster: cluster ?? '' }));
+    const cluster = getClusterFromUrl();
+    const prefix = cluster ? `/c/${cluster}` : '';
+    history.push(`${prefix}/polaris`);
   };
 
   return (

src/components/ExemptionManager.test.tsx

@@ -0,0 +1,432 @@
+import { fireEvent, render, screen, waitFor } from '@testing-library/react';
+import React from 'react';
+import { describe, expect, it, vi } from 'vitest';
+import { makeResult } from '../test-utils';
+
+const { mockApiRequest } = vi.hoisted(() => ({ mockApiRequest: vi.fn() }));
+
+vi.mock('@kinvolk/headlamp-plugin/lib', () => ({
+  ApiProxy: { request: mockApiRequest },
+}));
+
+vi.mock('@mui/material/styles', () => ({
+  useTheme: () => ({
+    palette: {
+      primary: { main: '#1976d2', contrastText: '#fff' },
+      action: { disabledBackground: '#e0e0e0', disabled: '#9e9e9e' },
+      divider: '#e0e0e0',
+    },
+  }),
+}));
+
+vi.mock('@kinvolk/headlamp-plugin/lib/CommonComponents', () => ({
+  SectionBox: ({ title, children }: { title?: string; children?: React.ReactNode }) => (
+    <div data-testid="section-box" data-title={title}>
+      {children}
+    </div>
+  ),
+  StatusLabel: ({ status, children }: { status: string; children?: React.ReactNode }) => (
+    <span data-testid="status-label" data-status={status}>
+      {children}
+    </span>
+  ),
+  Dialog: ({
+    open,
+    children,
+    title,
+  }: {
+    open: boolean;
+    onClose?: () => void;
+    title?: string;
+    children?: React.ReactNode;
+  }) =>
+    open ? (
+      <div data-testid="dialog" data-title={title}>
+        {children}
+      </div>
+    ) : null,
+}));
+
+import ExemptionManager from './ExemptionManager';
+
+const defaultProps = {
+  workloadResult: makeResult(),
+  namespace: 'default',
+  kind: 'Deployment',
+  name: 'my-deploy',
+};
+
+const resultWithPodFailures = makeResult({
+  PodResult: {
+    Name: 'pod',
+    Results: {
+      hostIPCSet: {
+        ID: 'hostIPCSet',
+        Message: 'Host IPC is set',
+        Details: [],
+        Success: false,
+        Severity: 'danger',
+        Category: 'Security',
+      },
+      hostPIDSet: {
+        ID: 'hostPIDSet',
+        Message: 'Host PID is set',
+        Details: [],
+        Success: false,
+        Severity: 'danger',
+        Category: 'Security',
+      },
+    },
+    ContainerResults: [],
+  },
+});
+
+const resultWithContainerFailures = makeResult({
+  PodResult: {
+    Name: 'pod',
+    Results: {},
+    ContainerResults: [
+      {
+        Name: 'container-1',
+        Results: {
+          cpuRequestsMissing: {
+            ID: 'cpuRequestsMissing',
+            Message: 'CPU requests missing',
+            Details: [],
+            Success: false,
+            Severity: 'warning',
+            Category: 'Efficiency',
+          },
+        },
+      },
+    ],
+  },
+});
+
+const resultWithIgnoredFailures = makeResult({
+  PodResult: {
+    Name: 'pod',
+    Results: {
+      hostIPCSet: {
+        ID: 'hostIPCSet',
+        Message: '',
+        Details: [],
+        Success: false,
+        Severity: 'ignore',
+        Category: 'Security',
+      },
+    },
+    ContainerResults: [],
+  },
+});
+
+describe('ExemptionManager', () => {
+  describe('rendering failing checks', () => {
+    it('shows disabled Add Exemption button when no failing checks', () => {
+      render(<ExemptionManager {...defaultProps} />);
+      const btn = screen.getByRole('button', { name: /add exemption/i });
+      expect(btn).toBeDisabled();
+    });
+
+    it('shows enabled Add Exemption button when there are failing checks', () => {
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      const btn = screen.getByRole('button', { name: /add exemption/i });
+      expect(btn).not.toBeDisabled();
+    });
+
+    it('does not include ignored-severity checks as failing', () => {
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithIgnoredFailures} />);
+      const btn = screen.getByRole('button', { name: /add exemption/i });
+      expect(btn).toBeDisabled();
+    });
+
+    it('collects failing checks from pod-level results', () => {
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      expect(screen.getByText('Host IPC')).toBeInTheDocument();
+      expect(screen.getByText('Host PID')).toBeInTheDocument();
+    });
+
+    it('collects failing checks from container-level results', () => {
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithContainerFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      expect(screen.getByText('CPU Requests')).toBeInTheDocument();
+    });
+
+    it('deduplicates checks that appear in multiple containers', () => {
+      const resultWithDuplicate = makeResult({
+        PodResult: {
+          Name: 'pod',
+          Results: {},
+          ContainerResults: [
+            {
+              Name: 'container-1',
+              Results: {
+                cpuRequestsMissing: {
+                  ID: 'cpuRequestsMissing',
+                  Message: '',
+                  Details: [],
+                  Success: false,
+                  Severity: 'warning',
+                  Category: 'Efficiency',
+                },
+              },
+            },
+            {
+              Name: 'container-2',
+              Results: {
+                cpuRequestsMissing: {
+                  ID: 'cpuRequestsMissing',
+                  Message: '',
+                  Details: [],
+                  Success: false,
+                  Severity: 'warning',
+                  Category: 'Efficiency',
+                },
+              },
+            },
+          ],
+        },
+      });
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithDuplicate} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      const items = screen.getAllByText('CPU Requests');
+      expect(items).toHaveLength(1);
+    });
+  });
+
+  describe('dialog interactions', () => {
+    it('opens dialog when Add Exemption button is clicked', () => {
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      expect(screen.queryByTestId('dialog')).not.toBeInTheDocument();
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      expect(screen.getByTestId('dialog')).toBeInTheDocument();
+    });
+
+    it('closes dialog when Cancel button is clicked', () => {
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      expect(screen.getByTestId('dialog')).toBeInTheDocument();
+      fireEvent.click(screen.getByRole('button', { name: /cancel/i }));
+      expect(screen.queryByTestId('dialog')).not.toBeInTheDocument();
+    });
+
+    it('toggles individual check selection', () => {
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+
+      // Find the checkbox next to "Host IPC"
+      const checkboxes = screen.getAllByRole('checkbox');
+      // First checkbox is "Exempt from all checks", rest are individual checks
+      const hostIPCCheckbox = checkboxes[1];
+      expect(hostIPCCheckbox).not.toBeChecked();
+      fireEvent.click(hostIPCCheckbox);
+      expect(hostIPCCheckbox).toBeChecked();
+      fireEvent.click(hostIPCCheckbox);
+      expect(hostIPCCheckbox).not.toBeChecked();
+    });
+
+    it('hides individual checks list when exempt-all is toggled', () => {
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      expect(screen.getByText('Host IPC')).toBeInTheDocument();
+
+      const exemptAllCheckbox = screen.getByRole('checkbox', { name: /exempt from all checks/i });
+      fireEvent.click(exemptAllCheckbox);
+      expect(screen.queryByText('Host IPC')).not.toBeInTheDocument();
+    });
+
+    it('Apply button is disabled when no checks selected and exemptAll is false', () => {
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      expect(screen.getByRole('button', { name: /apply/i })).toBeDisabled();
+    });
+
+    it('Apply button is enabled when exemptAll is checked', () => {
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      const exemptAllCheckbox = screen.getByRole('checkbox', { name: /exempt from all checks/i });
+      fireEvent.click(exemptAllCheckbox);
+      expect(screen.getByRole('button', { name: /apply/i })).not.toBeDisabled();
+    });
+
+    it('Apply button is enabled when at least one individual check is selected', () => {
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      const checkboxes = screen.getAllByRole('checkbox');
+      fireEvent.click(checkboxes[1]); // select first individual check
+      expect(screen.getByRole('button', { name: /apply/i })).not.toBeDisabled();
+    });
+  });
+
+  describe('ApiProxy.request calls', () => {
+    it('patches with exempt-all annotation when exemptAll is selected', async () => {
+      mockApiRequest.mockResolvedValue({});
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
+      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
+
+      await waitFor(() => {
+        expect(mockApiRequest).toHaveBeenCalledWith(
+          '/apis/apps/v1/namespaces/default/deployments/my-deploy',
+          expect.objectContaining({
+            method: 'PATCH',
+            headers: { 'Content-Type': 'application/strategic-merge-patch+json' },
+            body: JSON.stringify({
+              metadata: {
+                annotations: { 'polaris.fairwinds.com/exempt': 'true' },
+              },
+            }),
+          })
+        );
+      });
+    });
+
+    it('patches with per-check annotations when individual checks selected', async () => {
+      mockApiRequest.mockResolvedValue({});
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      // Select first check (hostIPCSet)
+      fireEvent.click(screen.getAllByRole('checkbox')[1]);
+      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
+
+      await waitFor(() => {
+        expect(mockApiRequest).toHaveBeenCalledWith(
+          '/apis/apps/v1/namespaces/default/deployments/my-deploy',
+          expect.objectContaining({
+            method: 'PATCH',
+            body: JSON.stringify({
+              metadata: {
+                annotations: { 'polaris.fairwinds.com/hostIPCSet-exempt': 'true' },
+              },
+            }),
+          })
+        );
+      });
+    });
+
+    it('uses core API path for Pod kind (no api group)', async () => {
+      mockApiRequest.mockResolvedValue({});
+      render(
+        <ExemptionManager {...defaultProps} kind="Pod" workloadResult={resultWithPodFailures} />
+      );
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
+      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
+
+      await waitFor(() => {
+        expect(mockApiRequest).toHaveBeenCalledWith(
+          '/api/v1/namespaces/default/pods/my-deploy',
+          expect.anything()
+        );
+      });
+    });
+
+    it('uses batch API group for Job kind', async () => {
+      mockApiRequest.mockResolvedValue({});
+      render(
+        <ExemptionManager {...defaultProps} kind="Job" workloadResult={resultWithPodFailures} />
+      );
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
+      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
+
+      await waitFor(() => {
+        expect(mockApiRequest).toHaveBeenCalledWith(
+          '/apis/batch/v1/namespaces/default/jobs/my-deploy',
+          expect.anything()
+        );
+      });
+    });
+
+    it('uses batch API group for CronJob kind', async () => {
+      mockApiRequest.mockResolvedValue({});
+      render(
+        <ExemptionManager {...defaultProps} kind="CronJob" workloadResult={resultWithPodFailures} />
+      );
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
+      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
+
+      await waitFor(() => {
+        expect(mockApiRequest).toHaveBeenCalledWith(
+          '/apis/batch/v1/namespaces/default/cronjobs/my-deploy',
+          expect.anything()
+        );
+      });
+    });
+
+    it('uses apps API group for StatefulSet kind', async () => {
+      mockApiRequest.mockResolvedValue({});
+      render(
+        <ExemptionManager
+          {...defaultProps}
+          kind="StatefulSet"
+          workloadResult={resultWithPodFailures}
+        />
+      );
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
+      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
+
+      await waitFor(() => {
+        expect(mockApiRequest).toHaveBeenCalledWith(
+          '/apis/apps/v1/namespaces/default/statefulsets/my-deploy',
+          expect.anything()
+        );
+      });
+    });
+  });
+
+  describe('feedback states', () => {
+    it('shows success feedback and closes dialog after successful apply', async () => {
+      mockApiRequest.mockResolvedValue({});
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
+      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
+
+      await waitFor(() => {
+        expect(screen.queryByTestId('dialog')).not.toBeInTheDocument();
+        const label = screen.getByTestId('status-label');
+        expect(label).toHaveAttribute('data-status', 'success');
+        expect(label).toHaveTextContent('Exemptions applied successfully');
+      });
+    });
+
+    it('shows error feedback and keeps dialog closed after failed apply', async () => {
+      mockApiRequest.mockRejectedValue(new Error('403 Forbidden'));
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
+      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
+
+      await waitFor(() => {
+        const label = screen.getByTestId('status-label');
+        expect(label).toHaveAttribute('data-status', 'error');
+        expect(label).toHaveTextContent(/failed to apply exemptions/i);
+      });
+    });
+
+    it('shows "Applying..." text on Apply button while in-flight', async () => {
+      let resolveRequest!: () => void;
+      mockApiRequest.mockReturnValue(
+        new Promise<void>(res => {
+          resolveRequest = res;
+        })
+      );
+
+      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
+      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
+      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
+      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
+
+      expect(screen.getByRole('button', { name: /applying/i })).toBeInTheDocument();
+      resolveRequest();
+      await waitFor(() => {
+        expect(screen.queryByTestId('dialog')).not.toBeInTheDocument();
+      });
+    });
+  });
+});

vitest.config.mts

@@ -9,5 +9,16 @@ export default defineConfig({
     environment: 'jsdom',
     setupFiles: ['./vitest.setup.ts'],
     exclude: ['e2e/**', 'node_modules/**'],
+    coverage: {
+      provider: 'v8',
+      include: ['src/**/*.{ts,tsx}'],
+      exclude: ['src/**/*.test.{ts,tsx}', 'src/test-utils.tsx', 'src/index.tsx'],
+      thresholds: {
+        lines: 80,
+        functions: 80,
+        branches: 80,
+        statements: 80,
+      },
+    },
   },
 });