Merge pull request 'fix(ci): inline CI workflow, remove reusable .github dependency (PRI-1630)' (#89 ) from fix/pri-1630-inline-ci into main

fix(ci): inline CI workflow (PRI-1630)
fix(ci): inline CI workflow, remove reusable .github dependency (PRI-1630)
2026-05-20 10:46:34 +00:00 · 2026-05-20 10:46:08 +00:00 · 2026-05-14 05:06:10 +00:00 · 2026-05-12 22:22:44 +00:00 · 2026-05-11 21:40:02 +00:00 · 2026-05-11 20:11:55 +00:00
21 changed files with 12594 additions and 18378 deletions
@@ -2,12 +2,210 @@ name: CI

 on:
  push:
-    branches: [main]
+    branches: ['**']
  pull_request:
-    branches: [main]
+    branches: [main, dev, uat]
  workflow_dispatch:
-  workflow_call:
+
+permissions:
+  contents: read

 jobs:
  ci:
-    uses: privilegedescalation/.github/.github/workflows/plugin-ci.yaml@main
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    container: node:22-slim
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Install Python
+        run: apt-get update && apt-get install -y --no-install-recommends python3 python3-yaml
+
+      - name: Validate artifacthub-pkg.yml
+        run: |
+          python3 - <<'EOF'
+          import sys, re
+          try:
+              import yaml
+          except ImportError:
+              print("::warning::PyYAML not available, skipping artifacthub-pkg.yml validation")
+              sys.exit(0)
+
+          try:
+              with open("artifacthub-pkg.yml") as f:
+                  pkg = yaml.safe_load(f)
+          except FileNotFoundError:
+              print("::error::artifacthub-pkg.yml not found")
+              sys.exit(1)
+          except yaml.YAMLError as e:
+              print(f"::error::artifacthub-pkg.yml is invalid YAML: {e}")
+              sys.exit(1)
+
+          errors = []
+
+          for field in ["version", "name", "description", "homeURL"]:
+              if not pkg.get(field):
+                  errors.append(f"Missing required field: {field}")
+
+          version = pkg.get("version", "")
+          if version and not re.match(r'^\d+\.\d+\.\d+$', str(version)):
+              errors.append(f"version '{version}' is not SemVer (expected X.Y.Z)")
+
+          annotations = pkg.get("annotations", {}) or {}
+          archive_url = annotations.get("headlamp/plugin/archive-url", "")
+          archive_checksum = annotations.get("headlamp/plugin/archive-checksum", "")
+
+          if not archive_url:
+              errors.append("Missing annotation: headlamp/plugin/archive-url")
+          if not archive_checksum:
+              errors.append("Missing annotation: headlamp/plugin/archive-checksum")
+          elif not re.match(r'^sha256:[0-9a-f]{64}$', str(archive_checksum)):
+              errors.append(f"archive-checksum has unexpected format: '{archive_checksum}' (expected sha256:<64 hex chars>)")
+
+          if errors:
+              for e in errors:
+                  print(f"::error::{e}")
+              sys.exit(1)
+
+          print(f"artifacthub-pkg.yml valid: name={pkg['name']} version={pkg['version']}")
+          EOF
+
+      - name: Detect package manager
+        id: pkg-manager
+        run: |
+          if [ -f "pnpm-lock.yaml" ]; then
+            echo "manager=pnpm" >> $GITHUB_OUTPUT
+            PM=$(python3 -c "import json,sys; d=json.load(open('package.json')); print('true' if d.get('packageManager','').startswith('pnpm@') else 'false')" 2>/dev/null || echo "false")
+            echo "has_package_manager=$PM" >> $GITHUB_OUTPUT
+          else
+            echo "manager=npm" >> $GITHUB_OUTPUT
+            echo "has_package_manager=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          cache: ${{ steps.pkg-manager.outputs.manager == 'npm' && 'npm' || '' }}
+
+      - name: Setup pnpm (via Corepack, reads version from packageManager field)
+        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
+        run: |
+          npm install -g corepack
+          corepack enable pnpm
+          corepack install
+
+      - name: Setup pnpm (version latest)
+        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'false'
+        uses: pnpm/action-setup@v5
+        with:
+          run_install: false
+          version: latest
+
+      - name: Get pnpm store directory
+        id: pnpm-store
+        if: steps.pkg-manager.outputs.manager == 'pnpm'
+        run: echo "dir=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
+
+      - name: Cache pnpm store
+        if: steps.pkg-manager.outputs.manager == 'pnpm'
+        uses: actions/cache@v5
+        with:
+          path: ${{ steps.pnpm-store.outputs.dir }}
+          key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-
+
+      - name: Validate pnpm lockfile freshness
+        if: steps.pkg-manager.outputs.manager == 'pnpm'
+        run: |
+          if [ ! -f "pnpm-lock.yaml" ]; then
+            echo "No pnpm-lock.yaml found, skipping lockfile freshness check"
+            exit 0
+          fi
+          if ! grep -q 'overrides:' pnpm-lock.yaml 2>/dev/null; then
+            echo "No overrides section in pnpm-lock.yaml, skipping lockfile freshness check"
+            exit 0
+          fi
+          echo "Detected pnpm-lock.yaml with overrides section. Checking lockfile freshness..."
+          ERR_FILE=$(mktemp)
+          if pnpm install --frozen-lockfile 2>&1 | tee "$ERR_FILE"; then
+            echo "Lockfile is fresh."
+          else
+            if grep -q "CONFIG_MISMATCH\|EBADLOCKFILE\|ERR_PNPM_LOCKFILE" "$ERR_FILE"; then
+              echo ""
+              echo "::error::pnpm-lock.yaml is out of sync with package.json overrides."
+              echo "::error::Run 'pnpm install' to regenerate the lockfile and commit the updated pnpm-lock.yaml."
+              rm -f "$ERR_FILE"
+              exit 1
+            fi
+            rm -f "$ERR_FILE"
+            echo "::warning::Install failed with a different error. Will retry in the Install dependencies step."
+          fi
+
+      - name: Install dependencies
+        run: |
+          max_attempts=3
+          attempt=1
+          while [ $attempt -le $max_attempts ]; do
+            echo "Attempt $attempt of $max_attempts"
+            if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+              pnpm install --frozen-lockfile && break
+            else
+              npm ci && break
+            fi
+            if [ $attempt -lt $max_attempts ]; then
+              echo "::warning::Install step failed on attempt $attempt. Retrying in 5 seconds..."
+              sleep 5
+            fi
+            attempt=$((attempt + 1))
+          done
+          if [ $attempt -gt $max_attempts ]; then
+            echo "::error::Install step failed after $max_attempts attempts."
+            exit 1
+          fi
+
+      - name: Build plugin
+        run: npx @kinvolk/headlamp-plugin build
+
+      - name: Lint
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            pnpm run lint
+          else
+            npm run lint
+          fi
+
+      - name: Type-check
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            pnpm run tsc
+          else
+            npm run tsc
+          fi
+
+      - name: Format check
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            pnpm run format:check
+          else
+            npm run format:check
+          fi
+
+      - name: Run tests
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            pnpm test
+          else
+            npm test
+          fi
+
+      - name: Security audit
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            npx audit-ci --pnpm --audit-level=high --config ./audit-ci.jsonc
+          else
+            npx audit-ci --npm --audit-level=high --config ./audit-ci.jsonc
+          fi
@@ -0,0 +1,21 @@
+name: Promotion Gate
+
+# Calls the shared promotion gate workflow.
+# dev PRs: no gate (engineer self-merges).
+# uat PRs: QA approval required.
+# main PRs: UAT approval required (uat→main promotions).
+
+on:
+  pull_request_review:
+    types: [submitted, dismissed]
+  pull_request:
+    branches: [uat, main]
+    types: [opened, reopened, synchronize]
+
+jobs:
+  promotion-gate:
+    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
+    secrets: inherit
+    with:
+      pr_number: ${{ github.event.pull_request.number }}
+
@@ -7,13 +7,19 @@ on:
        description: 'Release version (e.g. 1.0.0)'
        required: true
        type: string
+  repository_dispatch:
+    types: [release]

 permissions:
  contents: write
+  pull-requests: write

 jobs:
  release:
    uses: privilegedescalation/.github/.github/workflows/plugin-release.yaml@main
+    secrets:
+      RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
+      RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
    with:
-      version: ${{ inputs.version }}
-      upstream-repo: 'bitnami-labs/sealed-secrets'
+      version: ${{ inputs.version || github.event.client_payload.version }}
+
@@ -23,3 +23,10 @@ Thumbs.db
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
+
+# E2E
+.env.e2e
+e2e/.auth/state.json
+playwright-report/
+test-results/
+package-lock.json
@@ -0,0 +1,53 @@
+{
+  "config": {
+    // Line length — not enforced for docs with code examples
+    "MD013": false,
+    // First line heading — files use YAML frontmatter, not headings
+    "MD041": false,
+    // Emphasis as heading — common pattern for Option 1/2/3 sections
+    "MD036": false,
+    // No duplicate heading — changelog files repeat section names intentionally
+    "MD024": false,
+    // Fenced code language — not always applicable for diagram blocks
+    "MD040": false,
+    // Table column style — table alignment is visual, not semantic
+    "MD060": false,
+    // Ordered list item prefix — number resets are intentional in documents
+    "MD029": false,
+    // No inline HTML — each elements are valid in valid Markdown
+    "MD033": false,
+    // List marker space — spacing after list markers varies by editor
+    "MD030": false,
+    // Blanks around headings — not always needed in compact docs
+    "MD022": false,
+    // Blanks around lists — not always needed in compact docs
+    "MD032": false,
+    // Blanks around fences — not always needed between adjacent blocks
+    "MD031": false,
+    // Multiple blanks — editor artifacts, not semantic
+    "MD012": false,
+    // Single title — files may have multiple H1 sections
+    "MD025": false,
+    // Trailing spaces — editor artifacts
+    "MD009": false,
+    // Bare URLs — URL shortening not always needed
+    "MD034": false,
+    // Single trailing newline — editor artifacts
+    "MD047": false,
+    // Trailing punctuation — heading punctuation is intentional
+    "MD026": false,
+    // Space in emphasis — double-asterisk bold spacing varies by renderer
+    "MD037": false,
+    // No hard tabs — some generated docs use tabs for indentation
+    "MD010": false,
+    // Code block style — generated docs may use inconsistent styles
+    "MD046": false,
+    // Comment style — generated docs have no comments
+    "MD048": false,
+    // Commands show output — shell examples intentionally show only commands
+    "MD014": false
+  },
+  "ignores": [
+    "docs/api-reference/generated/**"
+  ]
+}
@@ -0,0 +1 @@
+docs/api-reference/generated/**
@@ -7,6 +7,48 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+## [1.0.0] - 2026-03-24
+
+### Added
+- Explicit `vitest`, `@testing-library/react`, `@testing-library/jest-dom`, `jsdom`, `react`, and `react-dom` devDependencies so tests run reliably without relying on transitive hoisting
+
+### Changed
+- Bump to v1.0.0 — stable public API, comprehensive test coverage, ArtifactHub-only installation
+
+### Fixed
+- Removed `install-plugin.sh` custom install script in compliance with ArtifactHub-only installation policy
+
+## [0.2.24] - 2026-03-19
+
+### Fixed
+- Added npm overrides for `tar` (>=7.5.11) and `undici` (>=7.24.3) to resolve security advisories
+- Added `pull-requests: write` permission to release workflow to unblock PR creation
+
+### Changed
+- Added ArtifactHub-only installation policy (INSTALLATION_POLICY.md)
+- Removed manual install instructions from README
+- Dependency bumps: `tar` 7.5.7→7.5.11, `undici` 7.14.0→7.24.4, `rollup` 4.46.3→4.59.0, `minimatch` 3.1.2→3.1.5, `qs` 6.14.1→6.15.0, `storybook` 9.1.17→9.1.20
+
+## [0.2.23] - 2026-03-09
+
+### Changed
+- Internal release-pipeline stabilization (re-release of v0.2.22 fixes)
+
+## [0.2.22] - 2026-03-09
+
+### Added
+- Architecture decision records for error boundaries and hooks architecture
+
+### Fixed
+- Removed remaining `any` types, dead code, and unused exports; added comprehensive tests
+- Added missing `archive-checksum` annotation to `artifacthub-pkg.yml`
+- Upstream `appVersion` tracking in release workflow (automatically syncs sealed-secrets controller version)
+- Package renamed to `headlamp-sealed-secrets` on ArtifactHub for discoverability
+- Added `FUNDING.yml` and Apache-2.0 `LICENSE` file
+
+### Changed
+- Enhanced Renovate configuration
+
 ## [0.2.21] - 2026-03-04

 ### Added
@@ -126,11 +168,15 @@ Version 0.2.3 was published but with checksum mismatch on Artifact Hub. Supersed
 - Dependencies: node-forge for cryptography
 - Compatible with Headlamp v0.13.0+

-[Unreleased]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v0.2.21...HEAD
+[Unreleased]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v1.0.0...HEAD
+[1.0.0]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v0.2.24...v1.0.0
+[0.2.24]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v0.2.23...v0.2.24
+[0.2.23]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v0.2.22...v0.2.23
+[0.2.22]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v0.2.21...v0.2.22
 [0.2.21]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/compare/v0.2.20...v0.2.21
-[0.1.0]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.1.0
 [0.2.4]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.2.4
 [0.2.3]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.2.3
 [0.2.2]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.2.2
 [0.2.1]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.2.1
 [0.2.0]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.2.0
+[0.1.0]: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/tag/v0.1.0
@@ -0,0 +1,24 @@
+# Installation Policy
+
+## Approved Installation Method
+
+**The ONLY approved method for installing this plugin is via [Artifact Hub](https://artifacthub.io/) using the Headlamp plugin installer.**
+
+No other installation method is acceptable. This includes but is not limited to:
+
+- Direct installation from GitHub release assets
+- Manual npm pack / tarball extraction
+- initContainer workarounds that bypass Artifact Hub
+- Direct file copy or sidecar injection
+
+## Enforcement
+
+All deployment configurations, CI/CD pipelines, and documentation MUST reference Artifact Hub as the sole plugin distribution channel. Any pull request that introduces an alternative installation method will be rejected.
+
+## Rationale
+
+Artifact Hub provides verified checksums, consistent versioning, and a standard discovery mechanism for the CNCF ecosystem. Bypassing it introduces security and integrity risks.
+
+---
+
+*This policy is set by the CTO and approved by the CEO of Privileged Escalation.*
@@ -25,34 +25,8 @@ A comprehensive [Headlamp](https://headlamp.dev) plugin for managing [Bitnami Se

 ### Installation

-#### Option 1: Headlamp Plugin Manager (Recommended)
-
 Browse the Headlamp Plugin Manager (Settings → Plugins → Catalog) and install **sealed-secrets** directly.

-#### Option 2: Manual Tarball Install
-
-Download the latest tarball from the [Releases page](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases), then extract it into your Headlamp plugins directory:
-
-```bash
-# macOS
-tar -xzf sealed-secrets-*.tar.gz -C ~/Library/Application\ Support/Headlamp/plugins/
-
-# Linux
-tar -xzf sealed-secrets-*.tar.gz -C ~/.config/Headlamp/plugins/
-
-# Restart Headlamp after installing
-```
-
-#### Option 3: Build from Source
-
-```bash
-git clone https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin.git
-cd headlamp-sealed-secrets-plugin
-npm install
-npm run build
-npx @kinvolk/headlamp-plugin extract . /headlamp/plugins
-```
-
 ### First Secret

 ```bash
@@ -177,7 +151,7 @@ Plaintext values never leave your browser.
 | Network sniffing | No plaintext on network | ✅ Protected |
 | Compromised proxy | Only sees encrypted data | ✅ Protected |
 | Browser XSS | Headlamp CSP policies | ⚠️ Standard web security |
-| Supply chain | Package locks, dependabot | ⚠️ Ongoing monitoring |
+| Supply chain | Package locks, Renovate | ⚠️ Ongoing monitoring |

 See: [ADR 003: Client-Side Encryption](docs/architecture/adr/003-client-side-crypto.md)

@@ -321,4 +295,3 @@ Built with:


 # Test runner
-
@@ -70,7 +70,7 @@ Key dependencies with security implications:
 - **node-forge**: Used for client-side encryption of secret values with the cluster's sealing certificate. Keep this dependency up to date.
 - **@kinvolk/headlamp-plugin**: Peer dependency providing the Kubernetes API proxy. Update by upgrading your Headlamp installation.

-The project uses `npm audit` and Dependabot to monitor for known vulnerabilities.
+The project uses `npm audit` and Renovate to monitor for known vulnerabilities.

 ## Contact

@@ -1,13 +1,13 @@
 # Artifact Hub package metadata file
 # https://github.com/artifacthub/hub/blob/master/docs/metadata/artifacthub-pkg.yml
-version: "0.2.22"
+version: "1.0.2"
 name: headlamp-sealed-secrets
 displayName: Sealed Secrets
 createdAt: "2026-02-12T00:00:00Z"
 description: A comprehensive Headlamp plugin for managing Bitnami Sealed Secrets with client-side encryption and RBAC-aware UI
 license: Apache-2.0
 homeURL: https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin
-appVersion: "0.36.0"
+appVersion: "0.36.1"
 containersImages:
  - name: sealed-secrets-controller
    image: docker.io/bitnami/sealed-secrets-controller:v0.24.0
@@ -19,8 +19,8 @@ keywords:
  - encryption
  - security
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/download/v0.2.22/sealed-secrets-0.2.22.tar.gz"
-  headlamp/plugin/archive-checksum: sha256:3c6dfdaa90fc5010d59cd40725ab26f4c4fee4c7b0ee4a6bc205c8d0198c5013
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/releases/download/v1.0.2/sealed-secrets-1.0.2.tar.gz"
+  headlamp/plugin/archive-checksum: sha256:0eaf34d380d133120d3a50c890e0c96b23717427887b1f23377a841cb3783b11
  headlamp/plugin/version-compat: ">=0.13.0"
  headlamp/plugin/distro-compat: "desktop,in-cluster,web,docker-desktop"
 links:
@@ -35,31 +35,19 @@ install: |

  ### Prerequisites

-  1. Headlamp v0.13.0 or later
+  1. [Headlamp](https://headlamp.dev) v0.13.0 or later
  2. Sealed Secrets controller installed on your cluster:
     ```bash
     kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
     ```

-  ### Install the Plugin
+  ### Install via Headlamp Plugin Catalog

-  #### Option 1: From NPM
-  ```bash
-  npm install -g headlamp-sealed-secrets
-  ```
+  1. Open Headlamp and navigate to **Settings → Plugin Catalog**
+  2. Search for **"Sealed Secrets"**
+  3. Click **Install** and restart Headlamp when prompted

-  #### Option 2: Build from Source
-  ```bash
-  git clone https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin
-  cd headlamp-sealed-secrets-plugin
-  npm install
-  npm run build
-  ```
-
-  Then copy the `dist` folder to your Headlamp plugins directory:
-  - **Linux**: `~/.config/Headlamp/plugins/headlamp-sealed-secrets/`
-  - **macOS**: `~/Library/Application Support/Headlamp/plugins/headlamp-sealed-secrets/`
-  - **Windows**: `%APPDATA%\Headlamp\plugins\headlamp-sealed-secrets\`
+  The plugin is sourced directly from [ArtifactHub](https://artifacthub.io/packages/headlamp/headlamp/headlamp-sealed-secrets).

  ## Usage

@@ -70,6 +58,15 @@ install: |
  - Configure controller settings

  For detailed usage instructions, see the [README](https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin/blob/main/README.md).
+changes:
+  - kind: fixed
+    description: "Fix ArtifactHub checksum — release workflow now computes checksums after rebuilding tarball"
+  - kind: changed
+    description: "Bump to v1.0.0 — stable public release with comprehensive tests, ArtifactHub-only installation, and full RBAC-aware UI"
+  - kind: added
+    description: Explicit vitest and @testing-library devDependencies for reliable test execution
+  - kind: fixed
+    description: Removed install-plugin.sh custom install script (ArtifactHub-only policy)
 maintainers:
  - name: privilegedescalation
    email: privilegedescalation@users.noreply.github.com
@@ -0,0 +1,20 @@
+{
+  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
+  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
+  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
+  // and do NOT ship in production plugin artifacts.
+  "allowlist": [
+    {
+      "id": "GHSA-hhpm-516h-p3p6",
+      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-36xf-7xpp-53w5",
+      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
+    },
+    {
+      "id": "GHSA-jf8v-p3pp-93qh",
+      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
+    }
+  ]
+}
@@ -349,7 +349,7 @@ Added type safety:

 **Supply Chain**:
 - Risk: Compromised node-forge dependency
- Mitigation: Package lock, dependabot, regular audits
+- Mitigation: Package lock, Renovate, regular audits
 - Same risk as any JavaScript dependency

 **Browser Extensions**:
@@ -121,7 +121,7 @@ For Headlamp running in Kubernetes:
   kubectl create configmap headlamp-sealed-secrets-plugin \
     --from-file=main.js=dist/main.js \
     --from-file=package.json=package.json \
-     -n headlamp
+     -n <your-namespace>
   ```

 2. **Update Headlamp deployment**:
@@ -130,7 +130,7 @@ For Headlamp running in Kubernetes:
   kind: Deployment
   metadata:
     name: headlamp
-     namespace: headlamp
+     namespace: <your-namespace>
   spec:
     template:
       spec:
@@ -149,7 +149,7 @@ For Headlamp running in Kubernetes:
 3. **Apply and restart**:
   ```bash
   kubectl apply -f headlamp-deployment.yaml
-   kubectl rollout restart deployment/headlamp -n headlamp
+   kubectl rollout restart deployment/headlamp -n <your-namespace>
   ```

 ## Verification
@@ -1,79 +0,0 @@
-#!/bin/bash
-#
-# Install Headlamp Sealed Secrets Plugin
-#
-# This script builds and installs the plugin to your local Headlamp installation.
-#
-
-set -e
-
-# Colors for output
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-NC='\033[0m' # No Color
-
-echo -e "${GREEN}Headlamp Sealed Secrets Plugin Installer${NC}"
-echo "=========================================="
-echo
-
-# Detect OS and set plugin directory
-if [[ "$OSTYPE" == "darwin"* ]]; then
-    PLUGIN_DIR="$HOME/Library/Application Support/Headlamp/plugins/headlamp-sealed-secrets"
-    echo -e "${YELLOW}Detected: macOS${NC}"
-elif [[ "$OSTYPE" == "linux-gnu"* ]]; then
-    PLUGIN_DIR="$HOME/.config/Headlamp/plugins/headlamp-sealed-secrets"
-    echo -e "${YELLOW}Detected: Linux${NC}"
-else
-    echo -e "${RED}Unsupported OS: $OSTYPE${NC}"
-    echo "For Windows, please see HEADLAMP_INSTALLATION.md"
-    exit 1
-fi
-
-echo "Plugin will be installed to: $PLUGIN_DIR"
-echo
-
-# Check if node/npm are available
-if ! command -v npm &> /dev/null; then
-    echo -e "${RED}Error: npm is not installed${NC}"
-    echo "Please install Node.js and npm first"
-    exit 1
-fi
-
-# Navigate to plugin directory
-cd "$(dirname "$0")"
-
-echo -e "${GREEN}Step 1: Installing dependencies...${NC}"
-npm install
-
-echo
-echo -e "${GREEN}Step 2: Building plugin...${NC}"
-npm run build
-
-echo
-echo -e "${GREEN}Step 3: Creating plugin directory...${NC}"
-mkdir -p "$PLUGIN_DIR"
-
-echo
-echo -e "${GREEN}Step 4: Copying plugin files...${NC}"
-cp -v dist/main.js "$PLUGIN_DIR/"
-cp -v package.json "$PLUGIN_DIR/"
-cp -v README.md "$PLUGIN_DIR/" 2>/dev/null || true
-cp -v LICENSE "$PLUGIN_DIR/" 2>/dev/null || true
-
-echo
-echo -e "${GREEN}✓ Installation complete!${NC}"
-echo
-echo "Plugin installed to: $PLUGIN_DIR"
-echo
-echo "Next steps:"
-echo "1. Restart Headlamp desktop application"
-echo "2. Open Headlamp and connect to your cluster"
-echo "3. Look for 'Sealed Secrets' in the sidebar"
-echo
-echo "To verify sealed-secrets controller is installed:"
-echo "  kubectl get pods -n kube-system -l name=sealed-secrets-controller"
-echo
-echo "To install sealed-secrets controller (if not present):"
-echo "  kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml"
-echo
@@ -1,6 +1,6 @@
 {
  "name": "sealed-secrets",
-  "version": "0.2.22",
+  "version": "1.0.2",
  "description": "Headlamp plugin for Bitnami Sealed Secrets - manage encrypted Kubernetes secrets",
  "files": [
    "dist",
@@ -17,6 +17,7 @@
  "homepage": "https://github.com/privilegedescalation/headlamp-sealed-secrets-plugin#readme",
  "author": "privilegedescalation",
  "license": "Apache-2.0",
+  "packageManager": "pnpm@10.32.1",
  "scripts": {
    "start": "headlamp-plugin start",
    "build": "headlamp-plugin build",
@@ -47,16 +48,36 @@
    "k8s"
  ],
  "overrides": {
-    "typescript": "5.6.2"
+    "tar": "^7.5.11",
+    "undici": "^7.24.3",
+    "vite": ">=6.4.2",
+    "lodash": ">=4.18.0",
+    "elliptic": ">=6.6.1"
  },
  "dependencies": {
-    "node-forge": "^1.3.1"
+    "node-forge": "^1.4.0"
  },
  "devDependencies": {
+    "@headlamp-k8s/eslint-config": "^0.6.0",
    "@iconify/react": "^6.0.2",
    "@kinvolk/headlamp-plugin": "^0.13.0",
+    "@mui/material": "^5.15.14",
+    "@testing-library/jest-dom": "^6.4.8",
+    "@testing-library/react": "^16.0.0",
+    "@testing-library/user-event": "^14.5.2",
    "@types/node-forge": "^1.3.11",
+    "@types/react": "^18.0.0",
+    "@types/react-dom": "^18.0.0",
+    "eslint": "^8.57.0",
+    "jsdom": "^24.0.0",
+    "notistack": "^3.0.0",
+    "prettier": "^2.8.8",
+    "react": "^18.3.1",
+    "react-dom": "^18.3.1",
+    "react-router-dom": "^5.3.0",
    "typedoc": "^0.28.16",
-    "typedoc-plugin-markdown": "^4.10.0"
+    "typescript": "~5.6.2",
+    "typedoc-plugin-markdown": "^4.10.0",
+    "vitest": "^3.2.4"
  }
 }
@@ -1,19 +1,5 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:recommended"],
-  "baseBranches": ["main"],
-  "schedule": ["every weekend"],
-  "prConcurrentLimit": 10,
-  "packageRules": [
-    {
-      "matchManagers": ["npm"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "npm minor and patch"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "github-actions minor and patch"
-    }
-  ]
+  "extends": ["github>privilegedescalation/.github:renovate-config"]
 }
+
@@ -1,7 +1,7 @@
 {
  "extends": "@kinvolk/headlamp-plugin/config/plugins-tsconfig.json",
  "compilerOptions": {
-    "types": ["vite/client", "vite-plugin-svgr/client", "vitest/globals", "@testing-library/jest-dom"]
+    "types": ["vitest/globals", "@testing-library/jest-dom"]
  },
  "include": ["src"]
 }
@@ -1,6 +1,9 @@
 import { defineConfig } from 'vitest/config';

 export default defineConfig({
+  define: {
+    'process.env.NODE_ENV': '"test"',
+  },
  test: {
    globals: true,
    environment: 'jsdom',