
[Step 15] GitOps CRD integration (Flow 4) #2

@haydercyber

Description


Goal — REFACTOR_PLAN.md Step 15

GitOps Flow-4: the operator reconciles ProviderConnection and SecretsSync CRDs defined in Git (applied by ArgoCD), and delegates execution to the Agent/Sync Engine.

Scope

  • CRDs:
    • ProviderConnection (cluster-scoped) — references a provider type + auth method + scope; status surfaces last verified time
    • SecretsSync (namespaced) — source ref, destination ref, direction, refreshInterval, conflict policy
  • Reconciler:
    • Validates RBAC against the namespace's annotated project
    • Issues a sync job to the CP via the API (not direct provider calls)
    • Mirrors job status back to CRD .status.conditions
  • Both CRDs feed the same data model the API exposes (BRD §12.4)
  • ArgoCD-friendly: Health/Sync waves; CRDs ship in the chart

Acceptance criteria

  • ArgoCD applies a SecretsSync CR; controller posts a job; agent executes; status reaches the CR's .status.conditions
  • Audit events for CR apply + reconcile + job creation + completion all share a correlation_id
  • The controller has zero direct provider calls — purely a "submit a job and wait" loop

Hard rules (CLAUDE.md / BRD)

  • Controller imports only core/providers + core/sync, never api/pkg/*
  • No secret values in CR status, conditions, or events

References

  • BRD §12.4, §13 FR-11
  • REFACTOR_PLAN §6 row 15

Dependencies

  • Step 3 (controller migrated onto core)
  • Steps 4–10 (API + workflow)
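As an added sketch (not the project's code) of the "submit a job and wait" loop the acceptance criteria describe: the reconciler checks the namespace's project, submits one job to the control-plane API, mirrors the job state into a Ready condition, and tags every audit line with the same correlation_id; all type and field names, the JobAPI interface and the fakeCP stand-in are assumptions, not the real CRD schema.

```go
package main
import "fmt"
// Field names are assumptions modelled on the issue's bullets, not the project's real CRD schema.
type SecretsSyncSpec struct{ SourceRef, DestinationRef, Direction, RefreshInterval, ConflictPolicy string }
type Condition struct{ Type, Status, Reason, Message string }
type SecretsSync struct {
	Namespace string
	Spec      SecretsSyncSpec
	Ready     Condition // stands in for .status.conditions; only the Ready condition is modelled
}
// JobAPI is the controller's only dependency: the control-plane API. No provider client exists here.
type JobAPI interface {
	SubmitSync(correlationID string, spec SecretsSyncSpec) (jobID string, err error)
	JobState(jobID string) (string, error) // "Running", "Succeeded" or "Failed"
}
// Reconcile checks the namespace's annotated project, submits one job and mirrors its state into the CR.
// Every audit line carries corrID; condition messages hold only job IDs and states, never payloads.
func Reconcile(cr *SecretsSync, nsProject string, allowed map[string]bool, api JobAPI, corrID string) ([]string, error) {
	audit := []string{fmt.Sprintf("correlation_id=%s event=reconcile ns=%s", corrID, cr.Namespace)}
	if !allowed[nsProject] {
		cr.Ready = Condition{"Ready", "False", "RBACDenied", "project " + nsProject + " not permitted"}
		return audit, fmt.Errorf("rbac denied for project %s", nsProject)
	}
	jobID, err := api.SubmitSync(corrID, cr.Spec)
	if err != nil { // deliberately not err.Error(): control-plane errors may echo request payloads
		cr.Ready = Condition{"Ready", "False", "SubmitFailed", "control plane rejected the sync job"}
		return audit, err
	}
	audit = append(audit, fmt.Sprintf("correlation_id=%s event=job_created job=%s", corrID, jobID))
	state, err := api.JobState(jobID)
	if err != nil {
		return audit, err
	}
	audit = append(audit, fmt.Sprintf("correlation_id=%s event=job_state job=%s state=%s", corrID, jobID, state))
	// "submit a job and wait": Running maps to Unknown and the controller simply requeues.
	status := map[string]string{"Succeeded": "True", "Failed": "False", "Running": "Unknown"}[state]
	cr.Ready = Condition{"Ready", status, "Job" + state, "job " + jobID + " " + state}
	return audit, nil
}
// fakeCP is a constructed stand-in for the control-plane API, used only to run this example.
type fakeCP struct{ state string }
func (f fakeCP) SubmitSync(string, SecretsSyncSpec) (string, error) { return "job-42", nil }
func (f fakeCP) JobState(string) (string, error)                    { return f.state, nil }
func main() {
	cr := &SecretsSync{Namespace: "payments", Spec: SecretsSyncSpec{SourceRef: "vault:kv/payments", DestinationRef: "secret/payments-db", Direction: "pull"}}
	audit, err := Reconcile(cr, "payments-proj", map[string]bool{"payments-proj": true}, fakeCP{"Succeeded"}, "corr-0001")
	fmt.Println(audit, cr.Ready, err)
}
```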

Metadata

Assignees

No one assigned

Labels

  • dependency/cross-repo: Affects or depends on another secrets-bridge repo
  • epic: Tracking issue spanning multiple PRs
  • kind/feat: New feature or capability
  • priority/p1: Should-have; post-MVP soon
