feat: add last_transition timestamp, --redact flag, and doc cleanup

Author: Test

CHANGELOG.md

@@ -0,0 +1,47 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [0.2.0] - 2026-03-21
+
+### Added
+- **Agent-native CLI** — Cobra subcommands: `serve`, `status`, `namespaces`, `init`, `doctor`, `version`
+- **StatefulSet and DaemonSet support** — monitors all three workload types with type-specific health logic
+- **Prometheus /metrics endpoint** — workload health gauges, HTTP request metrics, Go runtime collectors
+- **Grafana dashboards** — deployment health and self-monitoring dashboard JSON files
+- **Integration pointer annotations** — `deployscope.dev/owner`, `tier`, `gitops-repo`, `gitops-path`, `oncall`, `runbook`, `dashboard`, `depends-on`, `health-endpoint`, `deep-health`, `deep-health-detail`
+- **Opt-out annotation** — `deployscope.dev/ignore: "true"` makes workloads invisible to agents
+- **Deterministic routing** — status output includes action/reason/priority based on tier + health
+- **Agent readiness score** — `doctor` reports annotation coverage and cluster readiness percentage
+- **`--format json`** — all CLI commands support structured JSON output
+- **`--unhealthy` filter** — status command can show only degraded/down workloads
+- **`--redact` flag** — scrubs sensitive values from annotation output
+- **`last_transition` timestamp** — per-workload transition time from K8s conditions
+- **SKILL.md** — ANCC-compliant agent discovery spec in docs/
+- **GHCR Docker image** — multi-arch (linux/amd64, linux/arm64) published on tag push
+
+### Changed
+- Refactored main.go to delegate to Cobra CLI
+- RBAC updated to include statefulsets and daemonsets
+- Dockerfile updated to Go 1.25
+- go.mod updated to Go 1.25
+
+## [0.1.1] - 2026-03-18
+
+### Added
+- GHCR Docker image build in release workflow
+
+### Changed
+- Dockerfile Go version 1.23 → 1.25
+
+## [0.1.0] - 2026-02-24
+
+### Added
+- Initial release
+- REST API with pagination, filtering, sorting
+- Embedded HTML dashboard
+- In-memory cache with 30s TTL
+- OpenAPI specification
+- Health and readiness probes
+- CORS support
+- Cross-platform release binaries

README.md

@@ -14,9 +14,10 @@ DeployScope is a read-only service that monitors all deployments in a Kubernetes
 
 ## What it is NOT
 
-- Not a replacement for Prometheus/Grafana — shows current state, not history
-- Not an alerting system — display only
+- Not an alerting system — display only, no notifications
 - Not a multi-cluster solution — works within a single cluster
+- Not a diagnostic tool — use [kubenow](https://github.com/ppiankov/kubenow) for OOM, CrashLoop, events
+- Not a CMDB — mirrors K8s annotations, never invents data
 - No database required — everything in memory
 
 ## Philosophy
@@ -148,10 +149,10 @@ DeployScope is becoming the cognitive layer for autonomous Kubernetes operations
 
 ## Known limitations
 
-- Deployments only — StatefulSets and DaemonSets support planned ([WO-5](docs/agent-native.md#scope-all-workloads-that-matter))
 - Single cluster only — cluster discovery is a separate tool
 - In-memory cache (data refreshes on restart)
 - No API authentication
+- No Jobs/CronJobs (ephemeral workloads with different lifecycle)
 
 ## License
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/ppiankov/deployscope
 
-go 1.23.0
+go 1.25
 
 require (
 	github.com/prometheus/client_golang v1.23.2

internal/cli/status.go

@@ -4,13 +4,17 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
+	"regexp"
 	"text/tabwriter"
 
 	"github.com/spf13/cobra"
 
 	"github.com/ppiankov/deployscope/internal/k8s"
 )
 
+var sensitivePattern = regexp.MustCompile(`(?i)(token|secret|key|password|credential|bearer|apikey|api_key)`)
+var urlWithAuthPattern = regexp.MustCompile(`://[^@/]+:[^@/]+@`)
+
 // StatusOutput is the structured JSON output for status command.
 type StatusOutput struct {
 	Summary  k8s.Summary         `json:"summary"`
@@ -29,11 +33,16 @@ type RoutingAdvice struct {
 func newStatusCmd() *cobra.Command {
 	var format string
 	var unhealthy bool
+	var redact bool
 
 	cmd := &cobra.Command{
 		Use:   "status",
 		Short: "Show workload health status (one-shot, exits)",
 		RunE: func(cmd *cobra.Command, args []string) error {
+			if os.Getenv("DEPLOYSCOPE_REDACT") == "true" {
+				redact = true
+			}
+
 			k8sClient, err := k8s.NewClient()
 			if err != nil {
 				return fmt.Errorf("failed to create kubernetes client: %w", err)
@@ -54,6 +63,12 @@ func newStatusCmd() *cobra.Command {
 				services = filtered
 			}
 
+			if redact {
+				for i := range services {
+					redactService(&services[i])
+				}
+			}
+
 			routing := computeRouting(services, summary)
 
 			if format == "json" {
@@ -79,6 +94,7 @@ func newStatusCmd() *cobra.Command {
 
 	cmd.Flags().StringVar(&format, "format", "table", "Output format: table, json")
 	cmd.Flags().BoolVar(&unhealthy, "unhealthy", false, "Show only degraded/down workloads")
+	cmd.Flags().BoolVar(&redact, "redact", false, "Scrub potentially sensitive values from annotations (or set DEPLOYSCOPE_REDACT=true)")
 
 	return cmd
 }
@@ -177,3 +193,28 @@ func printStatusTable(services []k8s.ServiceStatus, summary k8s.Summary, routing
 	}
 	_ = w.Flush()
 }
+
+func redactService(svc *k8s.ServiceStatus) {
+	svc.Integration.Runbook = redactPtr(svc.Integration.Runbook)
+	svc.Integration.Dashboard = redactPtr(svc.Integration.Dashboard)
+	svc.Integration.HealthURL = redactPtr(svc.Integration.HealthURL)
+	svc.Integration.DeepDetail = redactPtr(svc.Integration.DeepDetail)
+}
+
+func redactPtr(s *string) *string {
+	if s == nil {
+		return nil
+	}
+	v := redactValue(*s)
+	return &v
+}
+
+func redactValue(s string) string {
+	if urlWithAuthPattern.MatchString(s) {
+		return urlWithAuthPattern.ReplaceAllString(s, "://***:***@")
+	}
+	if sensitivePattern.MatchString(s) {
+		return "[REDACTED]"
+	}
+	return s
+}

internal/k8s/client.go

@@ -30,24 +30,25 @@ type Integration struct {
 
 // ServiceStatus represents a single Kubernetes workload's status.
 type ServiceStatus struct {
-	ID            string            `json:"id"`
-	Name          string            `json:"name"`
-	Namespace     string            `json:"namespace"`
-	WorkloadType  string            `json:"workload_type"`
-	Version       string            `json:"version"`
-	Image         string            `json:"image"`
-	Replicas      int32             `json:"replicas"`
-	ReadyReplicas int32             `json:"ready_replicas"`
-	Status        string            `json:"status"`
-	Labels        map[string]string `json:"labels,omitempty"`
-	Owner         *string           `json:"owner"`
-	Tier          *string           `json:"tier"`
-	ManagedBy     *string           `json:"managed_by"`
-	PartOf        *string           `json:"part_of"`
-	DependsOn     []string          `json:"depends_on"`
-	Integration   Integration       `json:"integration"`
-	CreatedAt     time.Time         `json:"created_at"`
-	UpdatedAt     time.Time         `json:"updated_at"`
+	ID             string            `json:"id"`
+	Name           string            `json:"name"`
+	Namespace      string            `json:"namespace"`
+	WorkloadType   string            `json:"workload_type"`
+	Version        string            `json:"version"`
+	Image          string            `json:"image"`
+	Replicas       int32             `json:"replicas"`
+	ReadyReplicas  int32             `json:"ready_replicas"`
+	Status         string            `json:"status"`
+	Labels         map[string]string `json:"labels,omitempty"`
+	Owner          *string           `json:"owner"`
+	Tier           *string           `json:"tier"`
+	ManagedBy      *string           `json:"managed_by"`
+	PartOf         *string           `json:"part_of"`
+	DependsOn      []string          `json:"depends_on"`
+	Integration    Integration       `json:"integration"`
+	LastTransition *time.Time        `json:"last_transition"`
+	CreatedAt      time.Time         `json:"created_at"`
+	UpdatedAt      time.Time         `json:"updated_at"`
 }
 
 // Summary contains aggregate statistics.
@@ -138,25 +139,31 @@ func (c *Client) FetchDeployments(ctx context.Context) ([]ServiceStatus, Summary
 		status := computeStatus(ready, desired)
 		addToSummary(&summary, status)
 
+		var condTimes []time.Time
+		for _, cond := range dep.Status.Conditions {
+			condTimes = append(condTimes, cond.LastTransitionTime.Time)
+		}
+
 		services = append(services, ServiceStatus{
-			ID:            fmt.Sprintf("%s/%s", dep.Namespace, dep.Name),
-			Name:          dep.Name,
-			Namespace:     dep.Namespace,
-			WorkloadType:  "deployment",
-			Version:       version,
-			Image:         image,
-			Replicas:      desired,
-			ReadyReplicas: ready,
-			Status:        status,
-			Labels:        dep.Spec.Template.Labels,
-			Owner:         owner,
-			Tier:          tier,
-			ManagedBy:     managedBy,
-			PartOf:        partOf,
-			DependsOn:     dependsOn,
-			Integration:   integration,
-			CreatedAt:     dep.CreationTimestamp.Time,
-			UpdatedAt:     time.Now(),
+			ID:             fmt.Sprintf("%s/%s", dep.Namespace, dep.Name),
+			Name:           dep.Name,
+			Namespace:      dep.Namespace,
+			WorkloadType:   "deployment",
+			Version:        version,
+			Image:          image,
+			Replicas:       desired,
+			ReadyReplicas:  ready,
+			Status:         status,
+			Labels:         dep.Spec.Template.Labels,
+			Owner:          owner,
+			Tier:           tier,
+			ManagedBy:      managedBy,
+			PartOf:         partOf,
+			DependsOn:      dependsOn,
+			Integration:    integration,
+			LastTransition: lastConditionTransition(condTimes),
+			CreatedAt:      dep.CreationTimestamp.Time,
+			UpdatedAt:      time.Now(),
 		})
 	}
 
@@ -191,25 +198,31 @@ func (c *Client) FetchDeployments(ctx context.Context) ([]ServiceStatus, Summary
 			status := computeStatus(ready, desired)
 			addToSummary(&summary, status)
 
+			var ssTimes []time.Time
+			for _, cond := range ss.Status.Conditions {
+				ssTimes = append(ssTimes, cond.LastTransitionTime.Time)
+			}
+
 			services = append(services, ServiceStatus{
-				ID:            fmt.Sprintf("%s/%s", ss.Namespace, ss.Name),
-				Name:          ss.Name,
-				Namespace:     ss.Namespace,
-				WorkloadType:  "statefulset",
-				Version:       version,
-				Image:         image,
-				Replicas:      desired,
-				ReadyReplicas: ready,
-				Status:        status,
-				Labels:        ss.Spec.Template.Labels,
-				Owner:         owner,
-				Tier:          tier,
-				ManagedBy:     managedBy,
-				PartOf:        partOf,
-				DependsOn:     dependsOn,
-				Integration:   integration,
-				CreatedAt:     ss.CreationTimestamp.Time,
-				UpdatedAt:     time.Now(),
+				ID:             fmt.Sprintf("%s/%s", ss.Namespace, ss.Name),
+				Name:           ss.Name,
+				Namespace:      ss.Namespace,
+				WorkloadType:   "statefulset",
+				Version:        version,
+				Image:          image,
+				Replicas:       desired,
+				ReadyReplicas:  ready,
+				Status:         status,
+				Labels:         ss.Spec.Template.Labels,
+				Owner:          owner,
+				Tier:           tier,
+				ManagedBy:      managedBy,
+				PartOf:         partOf,
+				DependsOn:      dependsOn,
+				Integration:    integration,
+				LastTransition: lastConditionTransition(ssTimes),
+				CreatedAt:      ss.CreationTimestamp.Time,
+				UpdatedAt:      time.Now(),
 			})
 		}
 	}
@@ -242,25 +255,31 @@ func (c *Client) FetchDeployments(ctx context.Context) ([]ServiceStatus, Summary
 			status := computeStatus(ready, desired)
 			addToSummary(&summary, status)
 
+			var dsTimes []time.Time
+			for _, cond := range ds.Status.Conditions {
+				dsTimes = append(dsTimes, cond.LastTransitionTime.Time)
+			}
+
 			services = append(services, ServiceStatus{
-				ID:            fmt.Sprintf("%s/%s", ds.Namespace, ds.Name),
-				Name:          ds.Name,
-				Namespace:     ds.Namespace,
-				WorkloadType:  "daemonset",
-				Version:       version,
-				Image:         image,
-				Replicas:      desired,
-				ReadyReplicas: ready,
-				Status:        status,
-				Labels:        ds.Spec.Template.Labels,
-				Owner:         owner,
-				Tier:          tier,
-				ManagedBy:     managedBy,
-				PartOf:        partOf,
-				DependsOn:     dependsOn,
-				Integration:   integration,
-				CreatedAt:     ds.CreationTimestamp.Time,
-				UpdatedAt:     time.Now(),
+				ID:             fmt.Sprintf("%s/%s", ds.Namespace, ds.Name),
+				Name:           ds.Name,
+				Namespace:      ds.Namespace,
+				WorkloadType:   "daemonset",
+				Version:        version,
+				Image:          image,
+				Replicas:       desired,
+				ReadyReplicas:  ready,
+				Status:         status,
+				Labels:         ds.Spec.Template.Labels,
+				Owner:          owner,
+				Tier:           tier,
+				ManagedBy:      managedBy,
+				PartOf:         partOf,
+				DependsOn:      dependsOn,
+				Integration:    integration,
+				LastTransition: lastConditionTransition(dsTimes),
+				CreatedAt:      ds.CreationTimestamp.Time,
+				UpdatedAt:      time.Now(),
 			})
 		}
 	}
@@ -304,6 +323,20 @@ func addToSummary(summary *Summary, status string) {
 	}
 }
 
+// lastConditionTransition returns the most recent condition transition time.
+func lastConditionTransition(times []time.Time) *time.Time {
+	if len(times) == 0 {
+		return nil
+	}
+	latest := times[0]
+	for _, t := range times[1:] {
+		if t.After(latest) {
+			latest = t
+		}
+	}
+	return &latest
+}
+
 const annotationPrefix = "deployscope.dev/"
 
 func mergeAnnotations(sets ...map[string]string) map[string]string {