# Catalyst Implementation Status

**Status:** Authoritative. Living document. **Updated:** 2026-04-27

This document is the **bridge** between the target architecture (described in [`ARCHITECTURE.md`](ARCHITECTURE.md), [`SECURITY.md`](SECURITY.md), [`BLUEPRINT-AUTHORING.md`](BLUEPRINT-AUTHORING.md), etc.) and the current state of the code in this repository.

The other architecture docs describe the **target**: where Catalyst is going. This document records **what exists today** and **what is design-only**. When in doubt, read this file before making any claim about Catalyst's capabilities.

> If you find a claim elsewhere in this repo that contradicts this file, this file wins until either (a) the code catches up to the claim or (b) the claim is corrected.

---

## Status legend

| Status | Meaning |
|---|---|
| ✅ **Implemented** | Code exists, tested, deployable. |
| 🚧 **Partial** | Some code exists; significant gaps; not production-ready. |
| 📐 **Design** | Documented in canonical docs; no code yet. The doc is the contract for the future implementation. |
| ⏸ **Deferred** | Mentioned in docs but explicitly out of scope until later. |

---

## 1. Repository structure

| Item | Status | Notes |
|---|---|---|
| Public repo at `github.com/openova-io/openova` (this repo) | ✅ | Monorepo. Source of truth for documentation and (eventually) for every Blueprint's manifests. |
| Per-folder Blueprint convention (`platform//` and `products//`) | 🚧 | Folders exist with READMEs only. None yet contain a `blueprint.yaml`, `chart/`, or CI pipeline. |
| `bp-:` OCI artifacts in `ghcr.io/openova-io/` | 📐 | Target: every Blueprint folder fans out to a signed OCI artifact via CI. Not yet wired. |
| `core/{console,admin,marketplace,marketplace-api}/` | 🚧 | **Consolidated 2026-04-28 (Pass 105)** from `openova-private/apps/{console,admin,marketplace}/` and `openova-private/website/marketplace-api/`. Astro+Svelte UIs (console, admin, marketplace) plus Go backend (marketplace-api). All deployed today on Catalyst-Zero (Contabo k3s, namespaces `sme` + `marketplace`). |
| `products/axon/` | ✅ | Real implementation (chart/, src/, scripts/). |
| `products/catalyst/` umbrella Blueprint (`bp-catalyst-platform`) | 🚧 | **Has `bootstrap/{ui,api}/` source code** (React SPA wizard + Go bootstrap API, deployed on Catalyst-Zero in `catalyst` namespace). **Has `chart/` with Chart.yaml + Helm templates for the full Catalyst-Zero deployment** (catalyst-ui, catalyst-api, console, admin, marketplace, marketplace-api, plus the legacy `sme-services/` backend services). Per `docs/PROVISIONING-PLAN.md`, this is the canonical Helm chart for Catalyst-Zero and every franchised Sovereign. |
| `products/{cortex,fabric,fingate,relay,specter}/` | 📐 | README only. No charts or manifests. |

---

## 2. Catalyst control plane components (per [`PLATFORM-TECH-STACK.md`](PLATFORM-TECH-STACK.md) §2)

These run **per-Sovereign** on the management cluster:

### 2.1 User-facing surfaces and backend services

| Component | Status | Notes |
|---|---|---|
| console (Catalyst UI) | 🚧 | Astro + Svelte UI at `core/console/`. Deployed on Catalyst-Zero (Contabo, namespace `sme`). Sovereign-provisioning wizard at `/sovereign` not yet built (Phase 3 of `docs/PROVISIONING-PLAN.md`). |
| marketplace (public Blueprint card grid) | 🚧 | Astro + Svelte UI at `core/marketplace/`. Deployed on Catalyst-Zero. 5-step `Plan→Apps→Addons→Checkout→Review` flow exists; `AppsStep` to be replaced with unified `bp-` marketplace card grid (Phase 3). |
| admin (sovereign-admin operations UI) | 🚧 | Astro + Svelte UI at `core/admin/`. Deployed on Catalyst-Zero. Includes existing voucher / billing / catalog / orders / tenants admin surface (the canonical voucher implementation per `docs/PROVISIONING-PLAN.md`). |
| catalyst-ui | 🚧 | React SPA wizard scaffold at `products/catalyst/bootstrap/ui/`. Deployed on Catalyst-Zero (namespace `catalyst`). 7-step wizard: Org → Provider → Credentials → Infrastructure → Topology → Components → Review. Merges into `core/console/src/pages/sovereign/` per Phase 3. |
| catalyst-api | 🚧 | Go bootstrap API at `products/catalyst/bootstrap/api/`. Deployed on Catalyst-Zero. `internal/hetzner/` already has Hetzner Cloud API client groundwork. Migrates into `core/marketplace-api/provisioner/` per Phase 4. |
| marketplace-api | 🚧 | Go backend at `core/marketplace-api/`. Deployed on Catalyst-Zero (namespace `marketplace`). Has `provisioner/` and `store/` modules — extends to full Hetzner Sovereign provisioning per Phase 4. |
| catalog-svc | 📐 | Designed. No code. |
| projector (CQRS read-side, JetStream → KV → SSE) | 📐 | Designed. No code. |
| provisioning service | 🚧 | Provisioning logic exists in `core/marketplace-api/provisioner/` (consolidated 2026-04-28). Extends per Phase 4. |
| environment-controller | 📐 | Designed. No code. |
| blueprint-controller | 📐 | Designed. No code. |
| billing | 📐 | Designed. No code. |

### 2.2 Per-Sovereign supporting services

| Component | Status | Notes |
|---|---|---|
| Gitea (per Sovereign) | 🚧 | Component README exists; no Catalyst-specific deployment manifest. |
| NATS JetStream (per Sovereign) | 📐 | Selected as event spine; no Catalyst-specific deployment manifest. |
| OpenBao (per region, independent Raft) | 🚧 | Component README exists with the agreed multi-region semantics; deployment manifests not in this repo. |
| Keycloak (per-Org SME / per-Sovereign corporate) | 🚧 | Component README exists; topology choice is a Catalyst-level concern not yet wired. |
| SPIRE server + agent | 📐 | Selected for workload identity; no integration code. |
| Catalyst observability (Grafana stack) | 🚧 | Per-component READMEs exist; not yet wired as a Catalyst-level umbrella. |

## 3. Per-host-cluster infrastructure (per [`PLATFORM-TECH-STACK.md`](PLATFORM-TECH-STACK.md) §3)

These run on **every host cluster** (mgt, rtz, dmz). Status is per-component README only — none yet ship as deployable Blueprints.

| Component | Status | Notes |
|---|---|---|
| Cilium | 🚧 | README only. |
| External-DNS | 🚧 | README only. |
| k8gb | 🚧 | README only. |
| Coraza | 🚧 | README only. |
| Flux | 🚧 | README only. Per-vcluster Flux is a Catalyst-managed convention not yet implemented. |
| Crossplane | 🚧 | README only. |
| OpenTofu (bootstrap IaC) | 🚧 | README only. |
| cert-manager | 🚧 | README only. |
| External Secrets Operator | 🚧 | README only. |
| Kyverno | 🚧 | README only. |
| Trivy | 🚧 | README only. |
| Falco | 🚧 | README only. |
| Sigstore | 🚧 | README only. |
| Syft + Grype | 🚧 | README only. |
| VPA, KEDA, Reloader | 🚧 | READMEs only. |
| SeaweedFS, Velero, Harbor | 🚧 | READMEs only. |
| failover-controller | 🚧 | README only. |

---

## 4. CRDs

[`core/README.md`](../core/README.md) and [`ARCHITECTURE.md`](ARCHITECTURE.md) reference these CRDs:

| CRD | Status | Notes |
|---|---|---|
| `Sovereign` | 📐 | Top-level deployment object. No Go type yet. |
| `Organization` | 📐 | Multi-tenancy unit. No Go type yet. |
| `Environment` | 📐 | `{org}-{env_type}` scope. No Go type yet. |
| `Application` | 📐 | An installed Blueprint. No Go type yet. |
| `Blueprint` | 📐 | The unified Blueprint CRD spec is in [`BLUEPRINT-AUTHORING.md`](BLUEPRINT-AUTHORING.md) §3 — that is the design contract for the Go type. |
| `EnvironmentPolicy` | 📐 | Promotion gating. No Go type yet. |
| `SecretPolicy` | 📐 | Rotation policy. No Go type yet. |
| `Runbook` | 📐 | Auto-remediation. No Go type yet. |

`core/pkg/apis/v1alpha1/` is currently a `.gitkeep` directory. The Go types will be added when the control-plane services are scaffolded.

---

## 5. Surfaces

| Surface | Status | Notes |
|---|---|---|
| **UI** (Catalyst console) | 📐 | Astro + Svelte target stack chosen; no code yet. |
| **Git** (direct push to Application Gitea repo, branch per env_type) | 📐 | Pattern documented; depends on provisioning-service + environment-controller being implemented. |
| **API** (REST + GraphQL) | 📐 | OpenAPI / GraphQL schema not yet defined. |
| **kubectl** (debug-only inside own vcluster) | 📐 | Standard K8s; works as soon as a Sovereign exists. |

---

## 6. Sovereigns running today

| Sovereign | Status | Notes |
|---|---|---|
| `openova` Catalyst-Zero (the chicken in the chicken-and-egg) | 🚧 | **Running on Contabo k3s today** in namespaces `catalyst`, `sme`, `marketplace`, `website`. Pods include catalyst-{ui,api}, console, admin, marketplace, marketplace-api. Catalyst-Zero IS the catalyst-provisioner that provisions every other Sovereign — see `docs/PROVISIONING-PLAN.md`. As of 2026-04-28 (Pass 105), all UI source code is consolidated into `core/` and `products/catalyst/` in this public repo; cutover to public-repo CI builds happens in Phase 2 of the plan. |
| `omantel` (first franchised Sovereign, target: `omantel.omani.works` on Hetzner) | 📐 | Provisioned by Catalyst-Zero per Phase 8 of `docs/PROVISIONING-PLAN.md`. Not yet provisioned. |
| `bankdhofar` | 📐 | Planned. Customer-hosted. Not yet provisioned. |

---

## 7. Catalyst provisioner

| Item | Status | Notes |
|---|---|---|
| `catalyst-provisioner.openova.io` always-on service | 📐 | Documented in [`SOVEREIGN-PROVISIONING.md`](SOVEREIGN-PROVISIONING.md). Currently the legacy Contabo VPS runs the SME marketplace; provisioner role is target state. |
| Hetzner OpenTofu modules | 📐 | Skeleton may exist in `openova-private/infra/`; not yet aligned with the Catalyst bootstrap kit. |
| Bootstrap kit (cilium → flux → spire → jetstream → openbao → catalyst control plane) | 📐 | Designed; implementation tracked under issue #37 follow-ups. |

---

## 8. What this means for newcomers

If you're reading the Catalyst architecture for the first time:

- The **architectural model** in [`ARCHITECTURE.md`](ARCHITECTURE.md) is the agreed direction. The model is settled.
- The **code in this repo** is mostly a scaffold today. Significant implementation lies ahead.
- The **canonical docs** ([`GLOSSARY.md`](GLOSSARY.md), [`NAMING-CONVENTION.md`](NAMING-CONVENTION.md), [`SECURITY.md`](SECURITY.md), [`SOVEREIGN-PROVISIONING.md`](SOVEREIGN-PROVISIONING.md), [`BLUEPRINT-AUTHORING.md`](BLUEPRINT-AUTHORING.md), [`PERSONAS-AND-JOURNEYS.md`](PERSONAS-AND-JOURNEYS.md), [`PLATFORM-TECH-STACK.md`](PLATFORM-TECH-STACK.md), [`SRE.md`](SRE.md)) describe the **target** the implementation is converging toward.
- Component-level READMEs under `platform//` describe the upstream technology and Catalyst's intended use of it. Most do not yet contain a deployable Blueprint.

If a doc says "Catalyst does X" without a `📐` or `🚧` marker, treat it as a target. Use this `IMPLEMENTATION-STATUS.md` to confirm whether X is built today.

---

## 9. How to update this file

This file is updated whenever a status changes:

- A controller is implemented → flip the row from 📐 to ✅.
- A component is partially shipped → 🚧 with notes on what's missing.
- A target is deferred → ⏸ with a forward-pointing reference.

Keeping this honest is the only way to prevent the kind of doc/code drift that makes the architecture text unreliable.