chore: move source to repo root and standardize config

Phase 1 — Structural overhaul:
- Move all source from headlamp-sealed-secrets/ subdirectory to repo root
- Delete 23 AI-generated docs, 8 pre-built tarballs, release snapshots dir
- Remove all working-directory refs from CI/release workflows
- Update install-plugin.sh and typedoc.json paths

Phase 2 — Config standardization:
- Create .eslintrc.js and .prettierrc.js (standard Headlamp configs)
- Remove inline eslintConfig/prettier from package.json (drop jsx-a11y, prettier extends)
- Rewrite tsconfig.json (package name extend, add compilerOptions.types)
- Create vitest.config.mts and vitest.setup.ts (standard from polaris)
- Replace headlamp-plugin CLI scripts with direct tool invocation
- Rewrite .gitignore with standard baseline

Phase 3 — MCP & Claude settings:
- Create .mcp.json with github/kubernetes/flux/playwright servers
- Create .claude/settings.local.json
- Remove 7 specialized agents, keep 3 meta-orchestration agents

Phase 4 — Documentation:
- Rewrite CLAUDE.md (remove subdirectory refs, standard format)
- Add ArtifactHub badge, Architecture section, standardized install methods to README.md
- Create CONTRIBUTING.md and SECURITY.md
- Fix pre-existing test bugs in validators.test.ts (isValidNamespace returns boolean,
  not ValidationResult; error message string mismatches)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/hooks/useControllerHealth.ts

@@ -0,0 +1,70 @@
+/**
+ * Custom Hook for Controller Health Monitoring
+ *
+ * Provides controller health status with automatic refresh capability.
+ */
+
+import React from 'react';
+import { checkControllerHealth, ControllerHealthStatus, getPluginConfig } from '../lib/controller';
+
+/**
+ * Custom hook for monitoring controller health
+ *
+ * Automatically checks controller health on mount and can optionally
+ * refresh at a specified interval.
+ *
+ * @param autoRefresh Whether to automatically refresh health status
+ * @param refreshIntervalMs Refresh interval in milliseconds (default: 30000ms = 30s)
+ * @returns Object with health status, loading state, and manual refresh function
+ *
+ * @example
+ * // Manual refresh only
+ * const { health, loading, refresh } = useControllerHealth();
+ *
+ * // Auto-refresh every 30 seconds
+ * const { health, loading } = useControllerHealth(true, 30000);
+ *
+ * // Auto-refresh every 10 seconds
+ * const { health, loading } = useControllerHealth(true, 10000);
+ */
+export function useControllerHealth(autoRefresh = false, refreshIntervalMs = 30000) {
+  const [health, setHealth] = React.useState<ControllerHealthStatus | null>(null);
+  const [loading, setLoading] = React.useState(true);
+
+  const fetchHealth = React.useCallback(async () => {
+    setLoading(true);
+
+    const config = getPluginConfig();
+    const result = await checkControllerHealth(config);
+
+    if (result.ok) {
+      setHealth(result.value);
+    } else if (result.ok === false) {
+      // Even on error, checkControllerHealth returns a status
+      // This shouldn't happen, but handle gracefully
+      setHealth({
+        healthy: false,
+        reachable: false,
+        error: result.error,
+      });
+    }
+
+    setLoading(false);
+  }, []);
+
+  // Initial fetch and auto-refresh setup
+  React.useEffect(() => {
+    fetchHealth();
+
+    if (autoRefresh) {
+      const interval = setInterval(fetchHealth, refreshIntervalMs);
+      return () => clearInterval(interval);
+    }
+  }, [autoRefresh, refreshIntervalMs, fetchHealth]);
+
+  return {
+    health,
+    loading,
+    refresh: fetchHealth,
+  };
+}

src/hooks/usePermissions.ts

@@ -0,0 +1,137 @@
+/**
+ * React Hooks for RBAC Permission Checking
+ *
+ * Provides React hooks for checking and caching user permissions
+ * for SealedSecrets and related resources.
+ */
+
+import React from 'react';
+import { checkSealedSecretPermissions, ResourcePermissions } from '../lib/rbac';
+
+/**
+ * Hook to check SealedSecret permissions for a namespace
+ *
+ * Automatically fetches permissions on mount and when namespace changes.
+ * Returns loading state and permissions.
+ *
+ * @param namespace Optional namespace to check (cluster-wide if omitted)
+ * @returns Object with loading state, permissions, and error
+ *
+ * @example
+ * const { loading, permissions, error } = usePermissions('default');
+ * if (!loading && permissions?.canCreate) {
+ *   // Show create button
+ * }
+ */
+export function usePermissions(namespace?: string) {
+  const [loading, setLoading] = React.useState(true);
+  const [permissions, setPermissions] = React.useState<ResourcePermissions | null>(null);
+  const [error, setError] = React.useState<string | null>(null);
+
+  React.useEffect(() => {
+    let mounted = true;
+
+    async function fetchPermissions() {
+      setLoading(true);
+      setError(null);
+
+      const result = await checkSealedSecretPermissions(namespace);
+
+      if (!mounted) return;
+
+      if (result.ok) {
+        setPermissions(result.value);
+        setError(null);
+      } else if (result.ok === false) {
+        setPermissions(null);
+        setError(result.error);
+      }
+
+      setLoading(false);
+    }
+
+    fetchPermissions();
+
+    return () => {
+      mounted = false;
+    };
+  }, [namespace]);
+
+  return { loading, permissions, error };
+}
+
+/**
+ * Hook to check a specific permission
+ *
+ * Useful when you only need to check one permission (e.g., canCreate)
+ * instead of fetching all permissions.
+ *
+ * @param namespace Optional namespace to check
+ * @param permission Permission key to check
+ * @returns Object with loading state and allowed flag
+ *
+ * @example
+ * const { loading, allowed } = usePermission('default', 'canCreate');
+ * if (allowed) {
+ *   // Show create button
+ * }
+ */
+export function usePermission(
+  namespace: string | undefined,
+  permission: keyof ResourcePermissions
+) {
+  const { loading, permissions } = usePermissions(namespace);
+  const allowed = permissions?.[permission] ?? false;
+
+  return { loading, allowed };
+}
+
+/**
+ * Hook to check if user has any write permissions
+ *
+ * Returns true if user can create, update, or delete.
+ * Useful for showing/hiding entire sections of UI.
+ *
+ * @param namespace Optional namespace to check
+ * @returns Object with loading state and hasWriteAccess flag
+ *
+ * @example
+ * const { loading, hasWriteAccess } = useHasWriteAccess('default');
+ * if (hasWriteAccess) {
+ *   // Show management UI
+ * }
+ */
+export function useHasWriteAccess(namespace?: string) {
+  const { loading, permissions } = usePermissions(namespace);
+
+  const hasWriteAccess =
+    permissions?.canCreate || permissions?.canUpdate || permissions?.canDelete || false;
+
+  return { loading, hasWriteAccess };
+}
+
+/**
+ * Hook to check if user has read-only access
+ *
+ * Returns true if user can read/list but cannot create/update/delete.
+ *
+ * @param namespace Optional namespace to check
+ * @returns Object with loading state and isReadOnly flag
+ *
+ * @example
+ * const { loading, isReadOnly } = useIsReadOnly('default');
+ * if (isReadOnly) {
+ *   // Show read-only warning
+ * }
+ */
+export function useIsReadOnly(namespace?: string) {
+  const { loading, permissions } = usePermissions(namespace);
+
+  const isReadOnly =
+    (permissions?.canRead || permissions?.canList) &&
+    !permissions?.canCreate &&
+    !permissions?.canUpdate &&
+    !permissions?.canDelete;
+
+  return { loading, isReadOnly };
+}

src/hooks/useSealedSecretEncryption.ts

@@ -0,0 +1,208 @@
+/**
+ * Custom Hook for SealedSecret Encryption
+ *
+ * Encapsulates the business logic for encrypting secrets and creating SealedSecrets.
+ * Handles certificate fetching, validation, expiry warnings, encryption, and object creation.
+ */
+
+import { useSnackbar } from 'notistack';
+import React from 'react';
+import { fetchPublicCertificate, getPluginConfig } from '../lib/controller';
+import {
+  encryptKeyValues,
+  isCertificateExpiringSoon,
+  parseCertificateInfo,
+  parsePublicKeyFromCert,
+} from '../lib/crypto';
+import { validateSecretKey, validateSecretName, validateSecretValue } from '../lib/validators';
+import {
+  AsyncResult,
+  CertificateInfo,
+  Err,
+  Ok,
+  PlaintextValue,
+  SealedSecretScope,
+} from '../types';
+
+/**
+ * Request parameters for encryption
+ */
+export interface EncryptionRequest {
+  /** Name of the SealedSecret to create */
+  name: string;
+  /** Namespace to create the SealedSecret in */
+  namespace: string;
+  /** Encryption scope (strict, namespace-wide, cluster-wide) */
+  scope: SealedSecretScope;
+  /** Key-value pairs to encrypt */
+  keyValues: Array<{ key: string; value: string }>;
+}
+
+/**
+ * Result of successful encryption
+ */
+export interface EncryptionResult {
+  /** The complete SealedSecret object ready to apply */
+  sealedSecretData: any;
+  /** Information about the certificate used */
+  certificateInfo?: CertificateInfo;
+}
+
+/**
+ * Custom hook for SealedSecret encryption
+ *
+ * Provides encryption functionality with built-in validation, error handling,
+ * and user notifications.
+ *
+ * @returns Object with encrypt function and encrypting state
+ *
+ * @example
+ * const { encrypt, encrypting } = useSealedSecretEncryption();
+ *
+ * const result = await encrypt({
+ *   name: 'my-secret',
+ *   namespace: 'default',
+ *   scope: 'strict',
+ *   keyValues: [{ key: 'password', value: 'secret123' }]
+ * });
+ *
+ * if (result.ok) {
+ *   // Use result.value.sealedSecretData
+ * }
+ */
+export function useSealedSecretEncryption() {
+  const [encrypting, setEncrypting] = React.useState(false);
+  const { enqueueSnackbar } = useSnackbar();
+
+  const encrypt = React.useCallback(
+    async (request: EncryptionRequest): AsyncResult<EncryptionResult, string> => {
+      setEncrypting(true);
+
+      try {
+        // Step 1: Validate inputs
+        const nameValidation = validateSecretName(request.name);
+        if (!nameValidation.valid) {
+          enqueueSnackbar(nameValidation.error, { variant: 'error' });
+          return Err(nameValidation.error || 'Invalid secret name');
+        }
+
+        // Validate all key-value pairs
+        for (const kv of request.keyValues) {
+          const keyValidation = validateSecretKey(kv.key);
+          if (!keyValidation.valid) {
+            const error = `Invalid key "${kv.key}": ${keyValidation.error}`;
+            enqueueSnackbar(error, { variant: 'error' });
+            return Err(error);
+          }
+
+          const valueValidation = validateSecretValue(kv.value);
+          if (!valueValidation.valid) {
+            const error = `Invalid value for key "${kv.key}": ${valueValidation.error}`;
+            enqueueSnackbar(error, { variant: 'error' });
+            return Err(error);
+          }
+        }
+
+        if (request.keyValues.length === 0) {
+          const error = 'At least one key-value pair is required';
+          enqueueSnackbar(error, { variant: 'error' });
+          return Err(error);
+        }
+
+        // Step 2: Fetch the controller's public certificate
+        const config = getPluginConfig();
+        const certResult = await fetchPublicCertificate(config);
+
+        if (certResult.ok === false) {
+          const error = `Failed to fetch certificate: ${certResult.error}`;
+          enqueueSnackbar(error, { variant: 'error' });
+          return Err(error);
+        }
+
+        // Step 3: Check certificate expiry and warn user
+        let certInfo: CertificateInfo | undefined;
+        const certInfoResult = parseCertificateInfo(certResult.value);
+        if (certInfoResult.ok) {
+          certInfo = certInfoResult.value;
+
+          if (certInfo.isExpired) {
+            enqueueSnackbar(
+              `Warning: Controller certificate expired on ${certInfo.validTo.toLocaleDateString()}. ` +
+                'Secrets may not be decryptable.',
+              { variant: 'warning' }
+            );
+          } else if (isCertificateExpiringSoon(certInfo, 30)) {
+            enqueueSnackbar(
+              `Warning: Controller certificate expires in ${certInfo.daysUntilExpiry} days ` +
+                `(${certInfo.validTo.toLocaleDateString()}).`,
+              { variant: 'warning' }
+            );
+          }
+        }
+
+        // Step 4: Parse the public key from certificate
+        const keyResult = parsePublicKeyFromCert(certResult.value);
+
+        if (keyResult.ok === false) {
+          const error = `Invalid certificate: ${keyResult.error}`;
+          enqueueSnackbar(error, { variant: 'error' });
+          return Err(error);
+        }
+
+        // Step 5: Encrypt all values client-side
+        const encryptResult = encryptKeyValues(
+          keyResult.value,
+          request.keyValues.map(kv => ({ key: kv.key, value: PlaintextValue(kv.value) })),
+          request.namespace,
+          request.name,
+          request.scope
+        );
+
+        if (encryptResult.ok === false) {
+          const error = `Encryption failed: ${encryptResult.error}`;
+          enqueueSnackbar(error, { variant: 'error' });
+          return Err(error);
+        }
+
+        // Step 6: Construct the SealedSecret object
+        const sealedSecretData: any = {
+          apiVersion: 'bitnami.com/v1alpha1',
+          kind: 'SealedSecret',
+          metadata: {
+            name: request.name,
+            namespace: request.namespace,
+            annotations: {},
+          },
+          spec: {
+            encryptedData: encryptResult.value,
+            template: {
+              metadata: {},
+            },
+          },
+        };
+
+        // Add scope annotations
+        if (request.scope === 'namespace-wide') {
+          sealedSecretData.metadata.annotations['sealedsecrets.bitnami.com/namespace-wide'] =
+            'true';
+        } else if (request.scope === 'cluster-wide') {
+          sealedSecretData.metadata.annotations['sealedsecrets.bitnami.com/cluster-wide'] = 'true';
+        }
+
+        return Ok({
+          sealedSecretData,
+          certificateInfo: certInfo,
+        });
+      } catch (error: any) {
+        const errorMsg = error.message || 'Unknown encryption error';
+        enqueueSnackbar(errorMsg, { variant: 'error' });
+        return Err(errorMsg);
+      } finally {
+        setEncrypting(false);
+      }
+    },
+    [enqueueSnackbar]
+  );
+
+  return { encrypt, encrypting };
+}