kars-sre demo + agent — Slices 0-4: autonomous incident triage + typed apply-fix + Telegram

README.md

@@ -1,6 +1,8 @@
 <div align="center">
 
-# 🔱 Agent Reference Stack for Kubernetes
+<img src="docs/assets/logo.png" alt="kars logo" width="128" />
+
+# Agent Reference Stack for Kubernetes
 
 **A secure runtime for AI agents on Azure. Short name: `kars`.**
 

ci/loc-budget.yaml

@@ -44,11 +44,11 @@ files:
 
   - path: controller/src/reconciler/mod.rs
     baseline_2026_04_24: 2383
-    phase0_cap: 3450
+    phase0_cap: 3700
     phase1_cap: 1500
     phase2_cap: 2000
     allow_grow: true
-    notes: "Phase 0 cap bumped to 3050 in PR #323 to absorb cluster-aware memory scope + policy-quintet wiring (Context.cluster_name, openclaw_env injection, tool-policy mount on openclaw container); bumped to 3300 to land Hermes runtime-kind support in the deployment builder (entrypoint selection, env injection for KARS_RUNTIME_KIND/hermes-specific knobs); bumped to 3450 in Hermes-support PR for tool-surface parity (handoff routing, mesh transfer wiring, foundry native tool propagation, telegram_status divergence handling). Phase 1+ caps unchanged. allow_grow honored only until phase2_cap (2000); enforced strictly. Phase 3 must extract per-CRD reconcilers into controller/src/reconcilers/{sandbox,mcp_server,...}.rs and shrink mod.rs back to ≤800 (drop allow_grow at that point)."
+    notes: "Phase 0 cap bumped to 3050 in PR #323 to absorb cluster-aware memory scope + policy-quintet wiring (Context.cluster_name, openclaw_env injection, tool-policy mount on openclaw container); bumped to 3300 to land Hermes runtime-kind support in the deployment builder (entrypoint selection, env injection for KARS_RUNTIME_KIND/hermes-specific knobs); bumped to 3450 in Hermes-support PR for tool-surface parity (handoff routing, mesh transfer wiring, foundry native tool propagation, telegram_status divergence handling); bumped to 3700 in PR #397 (kars-sre demo-and-agent) to absorb cluster-portable apiserver egress-guard bypass (KUBERNETES_SERVICE_HOST/PORT lookup + ACCEPT/RETURN iptables rules for role=sre sandboxes), Hermes gateway port (18789) exposure on per-sandbox Service, SANDBOX_NAME+CLUSTER_NAME env on openclaw container for ClawMemory scope, mesh-keepalive entrypoint plumbing, and Telegram-channel + SRE_WATCHER_MODE env wiring for the proactive watcher. Phase 1+ caps unchanged. allow_grow honored only until phase2_cap (2000); enforced strictly. Phase 3 must extract per-CRD reconcilers into controller/src/reconcilers/{sandbox,mcp_server,...}.rs and shrink mod.rs back to ≤800 (drop allow_grow at that point)."
 
   - path: controller/src/mesh_peer/mod.rs
     baseline_2026_04_24: 1970

cli/src/cli.ts

@@ -33,6 +33,7 @@ import { memoryCommand } from "./commands/memory.js";
 import { inspectCommand } from "./commands/inspect.js";
 import { auditCommand } from "./commands/audit.js";
 import { headlampCommand } from "./commands/headlamp.js";
+import { sreCommand } from "./commands/sre.js";
 
 export function createCli(): Command {
   const program = new Command();
@@ -57,6 +58,7 @@ export function createCli(): Command {
   program.addCommand(listCommand());
   program.addCommand(logsCommand());
   program.addCommand(inspectCommand());
+  program.addCommand(sreCommand());
 
   // Configuration
   program.addCommand(credentialsCommand());

cli/src/commands/dev/local-k8s.ts

@@ -1304,26 +1304,42 @@ export async function runLocalK8s(opts: LocalK8sOptions): Promise<void> {
   if (opts.noBuild) {
     stepper.done("skipped image load (--no-build)");
   } else {
+    // `target` = the canonical image name the controller looks for
+    // INSIDE kind. `aliases` = local docker tags we accept as a SOURCE
+    // for re-tagging. `loadImageIfPresent` re-tags the matched local
+    // image AS the target before kind-loading, so the kind containerd
+    // ends up with the canonical name in `crictl images` and the
+    // controller's IfNotPresent pull succeeds without ever touching
+    // the network.
+    //
+    // Why we DON'T list `kars.azurecr.io/...`: that ACR doesn't exist.
+    // The legacy typo crept in from the 2026-05-27 rename
+    // (azureclaw→kars) before anyone noticed the real ACR is
+    // `karsjpdyyv.azurecr.io` (azd-suffixed) — the `karsacr` alias
+    // here is the canonical name the operator's deploy script
+    // re-publishes to. Keep only `karsacr.azurecr.io/...` so the
+    // controller env stays correct on AKS too.
     const images: { target: string; aliases: string[] }[] = [
       {
-        target: opts.image,
+        target: "karsacr.azurecr.io/openclaw-sandbox:latest",
         aliases: [
-          "karsacr.azurecr.io/openclaw-sandbox:latest",
-          "kars.azurecr.io/openclaw-sandbox:latest",
+          opts.image,                       // e.g. "kars-sandbox:dev" (the local build)
+          "openclaw-sandbox:latest",
+          "openclaw-sandbox:dev",
         ],
       },
       {
-        target: "kars-controller:dev",
+        target: "karsacr.azurecr.io/kars-controller:latest",
         aliases: [
-          "karsacr.azurecr.io/kars-controller:latest",
-          "kars.azurecr.io/kars-controller:latest",
+          "kars-controller:dev",
+          "kars-controller:latest",
         ],
       },
       {
-        target: "kars-inference-router:dev",
+        target: "karsacr.azurecr.io/kars-inference-router:latest",
         aliases: [
-          "karsacr.azurecr.io/kars-inference-router:latest",
-          "kars.azurecr.io/kars-inference-router:latest",
+          "kars-inference-router:dev",
+          "kars-inference-router:latest",
         ],
       },
     ];