feat(runtime-provider-kata): add NerdctlKataAdapter, harden KataSession, healthCheck & E2E tests

[jafreck]

Summary

Implements the full kata-provider-e2e task: real nerdctl-backed adapter, session hardening, health checks, and a gated E2E test suite for @cadre-dev/runtime-provider-kata.

Changes

New: NerdctlKataAdapter (src/nerdctl-adapter.ts)

• Real KataAdapter implementation backed by nerdctl (containerd CLI with Kata runtime support)
• createSandbox() — builds nerdctl run args from KataSessionConfig (runtime, network isolation, memory, cpu-shares, read-only rootfs)
• execInSandbox() — delegates to nerdctl exec
• stopSandbox() / destroySandbox() — graceful stop then force-remove, errors silenced
• healthCheck() — probes nerdctl info for server version
• Default runner uses node:child_process execFile; injectable for testing

Hardened: KataSession (src/kata-provider.ts)

• Destroyed guard — exec() throws after destroy(), matching DockerSession behavior
• Idempotent destroy — second destroy() is a no-op; calls stopSandbox then destroySandbox with independent try/catch so destroySandbox always runs
• ExecOptions forwarding — cwd via shell wrapper (sh -c 'cd ... && exec "$@"'), env via env K=V prefix, composable when both present
• Timeout support — Promise.race with timeoutMs; returns { exitCode: 124, timedOut: true } on timeout

New: healthCheck() on KataProvider

• Delegates to adapter.healthCheck() if the method exists
• Returns assumed-healthy when adapter lacks healthCheck (e.g., StubKataAdapter in unit tests)
• Never throws

Updated: StubKataAdapter

• Added healthCheck() returning { healthy: true, version: 'stub' }

Updated: Barrel Exports (src/index.ts)

• Exports NerdctlKataAdapter, NerdctlKataAdapterOptions, StubKataAdapter

Tests

File	New Tests	Description
src/tests/nerdctl-adapter.test.ts	8	Adapter arg building, error handling, stop/destroy resilience
src/kata-provider.test.ts	+14	Destroyed guard, idempotent destroy, stop→rm ordering, cwd/env/timeout forwarding, healthCheck delegation
__tests__/index.test.ts	+2	Barrel export smoke tests for NerdctlKataAdapter and StubKataAdapter
src/tests/kata-e2e.test.ts	8 (skipped)	Full E2E suite gated on CADRE_E2E_KATA=1

Test results: 188 passed, 8 skipped (E2E), 0 failures. All existing tests unaffected.

How to validate

# Unit tests
npx vitest run packages/runtime-provider-kata

# E2E tests (requires Kata runtime + containerd)
CADRE_E2E_KATA=1 npx vitest run packages/runtime-provider-kata/src/tests/kata-e2e.test.ts

# Cross-package regression check
npx vitest run packages/runtime-provider-docker packages/runtime-provider-kata

[codecov]

Codecov Report

❌ Patch coverage is 91.14754% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 91.28%. Comparing base (7792725) to head (94567bd).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...kages/runtime-provider-kata/src/nerdctl-adapter.ts	76.11%	16 Missing ⚠️
...s/runtime-provider-kata/src/docker-kata-adapter.ts	91.04%	6 Missing ⚠️
...ackages/runtime-provider-kata/src/kata-provider.ts	90.74%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #412      +/-   ##
==========================================
- Coverage   91.32%   91.28%   -0.04%     
==========================================
  Files         213      215       +2     
  Lines       22904    23203     +299     
  Branches     3600     3666      +66     
==========================================
+ Hits        20916    21182     +266     
- Misses       1940     1973      +33     
  Partials       48       48              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.