Update README and development documentation

[BergCyrill]

Modified README:

• add badges like for arc
• modify content to reflect current multi-shard implementation
• moved development documentation to the docs/development.md

Summary by CodeRabbit

• Documentation
  • Updated README with revised dependency-resolution flow, architecture diagrams, and RBAC model clarification
  • Expanded development documentation with Nix-based setup instructions and pre-commit hooks guidance

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR updates project documentation to reflect an architectural shift in dependency resolution: replacing an indexed-cache model with on-demand dependent listing via kcp front-proxy. It also introduces Nix flake–based development setup instructions across README and a new docs/development.md guide.

Changes

Architecture Documentation & Development Setup

Layer / File(s)	Summary
Architecture Overview README.md	Title refined to lowercase "kcp-aware"; lifecycle Mermaid diagram updated to show rule metadata registration in RuleRegistry with on-demand dependent listing instead of indexed caching.
DependencyRule Specification README.md	DependencyRule documentation and YAML example expanded to detail APIExport references (path, name, group, version, resource) and fieldRef.path within dependent resources.
Component Behavior & Admission Flow README.md	"Two Binaries" and admission webhook sections rewritten: controller installs webhook config via virtual workspace; webhook maintains only rule metadata and performs per-DELETE dependent listing and in-memory filtering via front-proxy without finalizers.
Architecture Diagram README.md	Mermaid architecture diagram updated to rename webhook responsibilities from "indexed cache manager" to rule registry and deletion validation; routing now reflects front-proxy dependent listing in consumer workspace.
Multicluster Watching Model README.md	Watching model simplified from two-level to one-level: binaries watch only DependencyRule objects; dependents are listed on-demand from consumer workspace.
RBAC Model README.md	RBAC section reworked into three static categories: per-shard webhook listing, controller workspace resolution, and dep-ctrl workspace RBAC for both binaries; clarifies install vs listing permissions.
Development Setup Instructions README.md, docs/development.md	README Development section rewritten with Nix flake + direnv quickstart; docs/development.md expanded with Prerequisites (Nix and non-Nix tooling), Dev shell setup, and Pre-commit hooks configuration.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

A whisker-twitched update, refined and clear,
From cache-indexed past to on-demand frontier.
Flake-built shells now greet each curious soul,
While dependents list freely—front-proxy's kind role. 🐰✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Update README and development documentation' accurately describes the main changes: README.md was rewritten with architectural and behavioral updates, and docs/development.md was created/expanded with dev setup instructions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch docs/update-readme

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

docs/development.md (1)

58-60: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update webhook file descriptions to match the new on-demand model.

These entries still describe a per-rule dependent cache model, which conflicts with the updated architecture in this PR (metadata registry + on-demand listing at admission time).

Proposed doc patch

-    rule_cache_manager.go          Per-rule indexed cache lifecycle manager
-    rule_registry.go               Thread-safe registry of rule caches
+    rule_cache_manager.go          Reconciles DependencyRules into in-memory rule metadata
+    rule_registry.go               Thread-safe registry for rule metadata lookups

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/development.md` around lines 58 - 60, Update the three file descriptions
in docs/development.md to reflect the new metadata-registry + on-demand listing
architecture instead of the old per-rule cache model: replace the description
for rule_cache_manager.go with something like "Cache lifecycle manager
(deprecated) — previously per-rule indexed cache, now unused by on-demand model"
or remove it, change rule_registry.go to "Thread-safe metadata registry for rule
metadata and lookup used at admission time", and change deletion_validator.go to
"Admission webhook handler that queries the metadata registry and performs
on-demand listing/validation at admission time"; edit the three entries
(rule_cache_manager.go, rule_registry.go, deletion_validator.go) accordingly so
the docs match the new design.

README.md (1)

221-223: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

RBAC section contradicts the new admission data path.

This paragraph says the webhook watches dependents via VW + permissionClaims, but the README now documents on-demand listing via kcp front-proxy. Please align this section to avoid incorrect RBAC expectations.

Proposed doc patch

-No shard-wide RBAC is needed. The webhook watches dependent resources through the
-dep-ctrl APIExport's virtual workspace, authorized by dynamically managed
-permissionClaims. Providers accept these claims in their APIBinding.
+The webhook does not watch dependent resources via the dep-ctrl virtual workspace.
+Instead, on DELETE admission it lists dependents on demand in the consumer workspace
+through the kcp front-proxy. Required permissions for those list/get calls are granted
+via bootstrap RBAC (as documented in the deployment/development guides), while
+`permissionClaims` on dep-ctrl remain for webhook installation in provider workspaces.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 221 - 223, The README paragraph that claims "The
webhook watches dependent resources through the dep-ctrl APIExport's virtual
workspace, authorized by dynamically managed permissionClaims" is now incorrect;
update the RBAC section to describe the new admission data path: state that the
webhook performs on-demand listing via the kcp front-proxy (not via a virtual
workspace), explain the RBAC scopes/roles required for the front-proxy/listing
path, and remove or replace references to "dep-ctrl APIExport's virtual
workspace" and "permissionClaims" so the text matches the implemented on-demand
listing behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@docs/development.md`:
- Around line 58-60: Update the three file descriptions in docs/development.md
to reflect the new metadata-registry + on-demand listing architecture instead of
the old per-rule cache model: replace the description for rule_cache_manager.go
with something like "Cache lifecycle manager (deprecated) — previously per-rule
indexed cache, now unused by on-demand model" or remove it, change
rule_registry.go to "Thread-safe metadata registry for rule metadata and lookup
used at admission time", and change deletion_validator.go to "Admission webhook
handler that queries the metadata registry and performs on-demand
listing/validation at admission time"; edit the three entries
(rule_cache_manager.go, rule_registry.go, deletion_validator.go) accordingly so
the docs match the new design.

In `@README.md`:
- Around line 221-223: The README paragraph that claims "The webhook watches
dependent resources through the dep-ctrl APIExport's virtual workspace,
authorized by dynamically managed permissionClaims" is now incorrect; update the
RBAC section to describe the new admission data path: state that the webhook
performs on-demand listing via the kcp front-proxy (not via a virtual
workspace), explain the RBAC scopes/roles required for the front-proxy/listing
path, and remove or replace references to "dep-ctrl APIExport's virtual
workspace" and "permissionClaims" so the text matches the implemented on-demand
listing behavior.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 14d8e57c-0a81-4daf-8d9c-a4a04f5b35a6

📥 Commits

Reviewing files that changed from the base of the PR and between bcc0e62 and 7845450.

📒 Files selected for processing (2)

• README.md
• docs/development.md

[Perseus985]

Relates to the Old Jira Issue I guess

[BergCyrill]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 220-226: The README currently recommends granting the webhook
ServiceAccount `*/* get,list` per-shard under `system:admin`, which is too
broad; update the documentation to mark this wildcard `*/* get,list` binding as
a break-glass fallback only, and replace the default recommendation with a
scoped RBAC approach that limits verbs, API groups, resources, and
namespaces/workspaces to only what the webhook actually needs; mention
`system:admin`, the webhook ServiceAccount, and `BootstrapPolicyAuthorizer` to
explain why the per-shard binding exists, but explicitly advise implementing
least-privilege roles and per-consumer-scoped bindings (or a generated role per
workspace) as the primary recommendation and reserve the `*/* get,list`
per-kcp-shard binding for emergency use.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5cd23074-6dd5-4638-ac07-69784b31209d

📥 Commits

Reviewing files that changed from the base of the PR and between 7845450 and dd19de8.

📒 Files selected for processing (1)

• README.md