Add dedicated UAT skill with plugin testing procedures

- Add skills/uat/SKILL.md with concrete testing procedures for all 7 Headlamp plugins
- Update SDLC skill to reference the new uat skill for detailed procedures
- Fix namespace reference: UAT runs in headlamp-uat namespace, not privilegedescalation

Co-Authored-By: Paperclip <noreply@paperclip.ing>

skills/sdlc/SKILL.md

@@ -67,7 +67,7 @@ Each promotion is a PR reviewed and merged by its gate owner:
 
 1. **feature → dev** — Engineer self-merges after CI passes. No review required. Dev is for validation, not quality gates.
 2. **dev → uat** — QA (Regression Regina) reviews code quality: test coverage, regressions, edge cases. QA merges to `uat` after approval.
-3. **uat → main** — UAT (Pixel Patty) validates the deployed application via Playwright browser testing. UAT merges to `main` after validation passes.
+3. **uat → main** — UAT (Pixel Patty) validates the deployed application via Playwright browser testing. UAT merges to `main` after validation passes. For detailed UAT testing procedures, see the `uat` company skill.
 
 **Each gate owner has merge authority.** No separate merge step by another role. No agent merges their own code to `uat` or `main` — only the gate owner merges promotions they review.
 

skills/uat/SKILL.md

@@ -0,0 +1,150 @@
+---
+name: uat
+description: >
+  Functional UAT procedures for Privileged Escalation Headlamp plugins. Concrete testing steps, pass/fail criteria, and artifact requirements for each plugin.
+---
+
+# UAT Procedures
+
+## Purpose
+
+This skill defines **functional User Acceptance Testing** for all Privileged Escalation Headlamp plugins. UAT validates that plugins work correctly in the deployed environment — by **loading plugins in a running Headlamp instance and exercising their features**, not by browsing GitHub or inspecting PR diffs.
+
+## What UAT Is NOT
+
+- Browsing GitHub PRs and taking screenshots of code diffs
+- Checking CI status on GitHub
+- Reading commit messages or PR descriptions
+- Approving based on QA's review alone
+
+If your test evidence is screenshots of GitHub pages, you are not performing UAT.
+
+## UAT Environment
+
+The UAT Headlamp instance runs in the `headlamp-uat` Kubernetes namespace. Navigate to the Headlamp UAT URL using your Playwright browser. The plugin under test must be deployed to UAT before testing.
+
+## General Process
+
+For every `uat→main` promotion:
+
+1. Open the Headlamp UAT instance in the browser
+2. Confirm the plugin appears in the sidebar or app bar
+3. Run the plugin-specific test steps below
+4. Capture screenshots of the **running plugin** at each verification step
+5. Check the browser console for errors
+6. Post a structured test report (see Artifacts section)
+
+## Plugin Test Procedures
+
+### headlamp-polaris-plugin — Kubernetes Best Practices
+
+**Access:** Sidebar → Polaris section
+
+| Step | Action | Expected Result |
+|------|--------|-----------------|
+| 1 | Navigate to the Polaris dashboard | Cluster score loads with a numeric value |
+| 2 | Verify workload list populates | Shows deployments/pods with individual scores |
+| 3 | Click into any workload | Detail view shows pass/fail/warning checks with descriptions |
+| 4 | Cross-check one score against `kubectl` | Polaris CLI output matches plugin display |
+
+**Pass:** Dashboard loads, shows real workload data, scores are non-zero, detail views navigate correctly.
+**Fail:** Page errors, empty data when workloads exist, scores show 0/NaN, detail navigation broken.
+
+### headlamp-sealed-secrets-plugin — Sealed Secrets Management
+
+**Access:** Sidebar → Sealed Secrets section
+
+| Step | Action | Expected Result |
+|------|--------|-----------------|
+| 1 | Navigate to the Sealed Secrets list | List view loads (may be empty if no secrets exist) |
+| 2 | Check the create form | Create sealed secret form is accessible with expected fields |
+| 3 | View an existing sealed secret | Detail view shows metadata, status, and namespace |
+| 4 | Verify sealed secret status | Status reflects actual K8s state |
+
+**Pass:** List loads, create form accessible, detail views work, status accurate.
+**Fail:** Page errors, CRUD forms don't render, missing UI elements, status mismatch.
+
+### headlamp-intel-gpu-plugin — Intel GPU Monitoring
+
+**Access:** Sidebar → Intel GPU section
+
+| Step | Action | Expected Result |
+|------|--------|-----------------|
+| 1 | Navigate to the GPU section | GPU device list or status page loads |
+| 2 | Check node-level GPU info | Per-node GPU allocation is displayed |
+| 3 | Verify device status | Device plugin status matches `kubectl describe node` GPU capacity |
+
+**Pass:** Section loads, shows GPU device information or empty state if no Intel GPUs present, no console errors.
+**Fail:** Page errors, data loading failures, broken rendering.
+
+### headlamp-kube-vip-plugin — Load Balancer Management
+
+**Access:** Sidebar → Kube-VIP section
+
+| Step | Action | Expected Result |
+|------|--------|-----------------|
+| 1 | Navigate to the Kube-VIP section | Load balancer status view loads |
+| 2 | Check VIP list | VIP addresses and their status are displayed |
+| 3 | View configuration details | Configuration is accessible and readable |
+| 4 | Verify against cluster state | VIP data matches `kubectl get svc` LoadBalancer entries |
+
+**Pass:** Section loads, shows VIP data or empty state, navigation works.
+**Fail:** Page errors, data not rendering, broken navigation.
+
+### headlamp-tns-csi-plugin — TrueNAS CSI Monitoring
+
+**Access:** Sidebar → TrueNAS CSI section
+
+| Step | Action | Expected Result |
+|------|--------|-----------------|
+| 1 | Navigate to the TrueNAS CSI section | Volume list loads |
+| 2 | Check PV/PVC list | Shows provisioned volumes with capacity and status |
+| 3 | View volume details | Detail view shows storage class, capacity, access modes |
+| 4 | Verify against cluster state | Volume data matches `kubectl get pv,pvc` output |
+
+**Pass:** Section loads, shows CSI volumes/status, detail views work.
+**Fail:** Page errors, empty state when volumes exist, broken detail views.
+
+### headlamp-rook-plugin — Rook/Ceph Storage
+
+**Access:** Sidebar → Rook/Ceph section
+
+| Step | Action | Expected Result |
+|------|--------|-----------------|
+| 1 | Navigate to the Rook/Ceph dashboard | Cluster health overview loads |
+| 2 | Check storage pools | Pool list shows capacity and utilization |
+| 3 | Verify OSD status | OSD count and status displayed |
+| 4 | Check placement groups | PG status summary is available |
+
+**Pass:** Dashboard loads, shows cluster health, pool data renders correctly.
+**Fail:** Page errors, cluster data missing, health indicators broken.
+
+### headlamp-argocd-plugin — Argo CD Application Delivery
+
+**Access:** Sidebar → Argo CD section
+
+| Step | Action | Expected Result |
+|------|--------|-----------------|
+| 1 | Navigate to the Argo CD application list | Application list loads with sync status |
+| 2 | Check sync indicators | Each app shows Synced/OutOfSync/Unknown status |
+| 3 | Click into an application | Detail view shows resources, sync history, health |
+| 4 | Verify health status | Health icons (Healthy/Degraded/Progressing) are correct |
+| 5 | Cross-check against `argocd app list` | Status matches CLI output |
+
+**Pass:** App list loads, sync/health status visible, detail views work, data matches CLI.
+**Fail:** Page errors, empty list when apps exist, status missing, broken navigation.
+
+## UAT Artifacts
+
+For each plugin tested, the UAT report must include:
+
+1. **Screenshots** of the plugin running in Headlamp — sidebar entry visible, main view loaded, at least one detail view
+2. **Test checklist** — each step from the plugin table above marked pass/fail
+3. **Console errors** — any browser console errors observed (attach screenshot if present)
+4. **Environment** — Headlamp version, plugin version, browser used
+
+## Decision Criteria
+
+- **Approve** the `uat→main` PR when all applicable test steps pass
+- **Request changes** with specific failing steps and failure screenshots
+- **Block** if the plugin fails to load entirely — escalate to CTO as a deployment issue