Deep Review: 20260413-120825-pr-278

Date	2026-04-13 12:08
Repo	rancher-sandbox/rancher-desktop-daemon
Round	1
Author	@Nino-K
PR	#278 — Bundle k3s versions to app controller
Commits	`070efc9` Write KUBERNETESENABLED and KUBERNETESPORT to sysconfig `e57a182` Resolve HOST_HOME param to actual host home directory `16ef12c` Add BATs test for supported k8s version in k3s-version.json `9df4002` Bundle k3s-versions.json and validate Kubernetes version
Reviewers	Claude Opus 4.6, Codex GPT 5.4, Gemini 3.1 Pro
Verdict	Merge with fixes — validator contract is broken for ~11% of bundled versions and empty-version bypass lets bad specs reach the installer; both need fixes before merge.
Wall-clock time	`19 min 49 s`

Executive Summary ¶

This PR embeds a filtered k3s-versions.json into the App controller and rejects unsupported spec.kubernetes.version values with Ready=False/UnsupportedKubernetesVersion before creating the LimaVM. It also fixes two unrelated VM-provisioning issues: HOST_HOME is now resolved from os.UserHomeDir() instead of the literal Lima {{.Home}} placeholder, and the sysconfig file now carries KUBERNETES_ENABLED and KUBERNETES_PORT for k3s service conditions.

The core intent is sound, but the validation has several gaps that let bad specs through or get stuck in a bad state. All three agents independently flagged the suffix-mismatch issue — the bundled list contains +k3s3 releases but the install template hard-codes +k3s1, so four versions pass validation and then fail at install time. All three also flagged the empty-version bypass and the dropped HOST_HOME quoting. Two agents caught that Ready=False persists indefinitely once set, even after the user fixes the spec. Claude uniquely caught a test assertion that accidentally accepts NotReady, and Gemini uniquely caught that the unconditional os.UserHomeDir() call at the top of Reconcile would block finalizer cleanup if HOME were unset.

No critical-severity findings survived consolidation, but the important-issue list is dense (6 findings) and most block the feature's stated contract.

Critical Issues ¶

None.

Important Issues ¶

I1. Bundled list contains versions the install template cannot install Claude Codex¶

pkg/controllers/app/app/k3s-versions.json

    "v1.32.6+k3s1",
    "v1.32.7+k3s1",
    "v1.32.8+k3s1",
    "v1.32.9+k3s1",
    "v1.32.10+k3s1",
    "v1.32.11+k3s3",
    "v1.32.12+k3s1",
    "v1.32.13+k3s1",
    "v1.33.0+k3s1",
    "v1.33.1+k3s1",
    "v1.33.2+k3s1",

parseK3sVersions strips both the leading v and the +k3s* suffix, so the lookup set becomes {"1.32.11", "1.33.7", ...}. A user setting kubernetes.version=1.32.11 passes validation at app_controller.go:127. The controller then creates the LimaVM, and the provisioning script builds INSTALL_K3S_VERSION from the bare version plus a hardcoded +k3s1 suffix — a tag that does not exist on the k3s release page. curl -sfL https://get.k3s.io | sh - aborts under set -o errexit and the VM never reaches Running.

pkg/controllers/app/app/controllers/app_controller.go

	if app.Spec.Kubernetes.Enabled && app.Spec.Kubernetes.Version != "" {
		supportedVersions, err := parseK3sVersions(r.K3sVersionsData)
		if err != nil {
			return ctrl.Result{}, fmt.Errorf("failed to load k3s versions: %w", err)
		}
		if _, ok := supportedVersions[app.Spec.Kubernetes.Version]; !ok {
			unsupported := apimeta.SetStatusCondition(&app.Status.Conditions, metav1.Condition{
				Type:               "Ready",
				Status:             metav1.ConditionFalse,
				Reason:             "UnsupportedKubernetesVersion",
				Message:            fmt.Sprintf("Kubernetes version %q is not supported; see the bundled k3s-versions.json for valid versions", app.Spec.Kubernetes.Version),

# pkg/controllers/app/app/lima-template.yaml:57
export INSTALL_K3S_VERSION="v${PARAM_KUBERNETES_VERSION}+k3s1"

4 of 35 bundled versions (~11%) hit this. The validator's contract ("if it's in the list, it works") is established and immediately violated.

Fix: have parseK3sVersions return a map from bare semver to the full release identifier (e.g., {"1.32.11": "v1.32.11+k3s3"}). Thread the full tag through applySpecToTemplate as a new PARAM_K3S_RELEASE, and rewrite the template line to export INSTALL_K3S_VERSION="${PARAM_K3S_RELEASE}". Drop the hardcoded +k3s1.

I2. os.UserHomeDir() call blocks finalizer cleanup on failure Gemini¶

pkg/controllers/app/app/controllers/app_controller.go

			log.Error(err, "Unable to fetch App singleton")
		}
		return ctrl.Result{}, client.IgnoreNotFound(err)
	}

	hostHome, err := os.UserHomeDir()
	if err != nil {
		return ctrl.Result{}, fmt.Errorf("failed to get host home directory: %w", err)
	}

	// Handle deletion, delete the LimaVM and wait for it to finish cleaning up.
	if base.IsBeingDeleted(&app) {
		log.Info("App resource is being deleted, performing cleanup")

The os.UserHomeDir() lookup runs unconditionally at the top of every reconcile, before base.IsBeingDeleted(&app) is evaluated. If HOME ever becomes unset or inaccessible (e.g., the daemon is restarted under a launchd context that clears the environment), the finalizer cleanup path deadlocks: the App can never be deleted even though the cleanup logic does not need the host home directory. The correct placement is after the deletion branch and the cleanup-finalizer setup, co-located with the first caller of applySpecToTemplate.

Fix: move the os.UserHomeDir() call below the base.IsBeingDeleted block. Better: cache the result once at controller setup time (see S1).

I3. Empty kubernetes.version with enabled=true bypasses validation Claude Codex Gemini¶

pkg/controllers/app/app/controllers/app_controller.go

	}

	namespace := app.GetResourceNamespace()

	// Validate the requested Kubernetes version against the bundled version list.
	if app.Spec.Kubernetes.Enabled && app.Spec.Kubernetes.Version != "" {
		supportedVersions, err := parseK3sVersions(r.K3sVersionsData)
		if err != nil {
			return ctrl.Result{}, fmt.Errorf("failed to load k3s versions: %w", err)
		}
		if _, ok := supportedVersions[app.Spec.Kubernetes.Version]; !ok {

KubernetesSpec.Version is +optional with no +kubebuilder:default, so a user creating an App with {kubernetes: {enabled: true}} and no version sets Version="". The check short-circuits, the reconciler proceeds, the template exports INSTALL_K3S_VERSION="v+k3s1", and k3s install fails with a non-existent version tag. The CLI rdd set explicitly supports clearing the version field (set.bats:124-131), so this is a reachable state.

bats/tests/32-app-controllers/set.bats

    assert_output "1.32.2"
}

# --- Clear: reuses App from previous test ---

@test "rdd set clears string field with empty value" {
    run -0 get_app_field '.spec.kubernetes.version'
    assert_output "1.32.2"

    rdd set kubernetes.version=

    run -0 get_app_field '.spec.kubernetes.version'
    assert_output ""
}

# --- Dry-run: reuses App from previous tests ---

@test "rdd set --dry-run validates without persisting" {

This is exactly the class of bad input the PR set out to prevent, but the empty-string case falls through into the VM. The user only sees a CreateFailed or k3s install error with no pointer to the spec mistake.

Fix: drop the Version != "" clause and let the empty-string lookup naturally fail with UnsupportedKubernetesVersion. Optionally tailor the message to "version is required when enabled" when empty. A +kubebuilder:default matching a bundled version would close this at the API layer.

-if app.Spec.Kubernetes.Enabled && app.Spec.Kubernetes.Version != "" {
+if app.Spec.Kubernetes.Enabled {

I4. Stale Ready=False condition is never cleared after the spec is fixed Claude Codex¶

pkg/controllers/app/app/controllers/app_controller.go

		return ctrl.Result{}, nil
	}

	namespace := app.GetResourceNamespace()

	// Validate the requested Kubernetes version against the bundled version list.
	if app.Spec.Kubernetes.Enabled && app.Spec.Kubernetes.Version != "" {
		supportedVersions, err := parseK3sVersions(r.K3sVersionsData)
		if err != nil {
			return ctrl.Result{}, fmt.Errorf("failed to load k3s versions: %w", err)
		}
		if _, ok := supportedVersions[app.Spec.Kubernetes.Version]; !ok {
			unsupported := apimeta.SetStatusCondition(&app.Status.Conditions, metav1.Condition{
				Type:               "Ready",
				Status:             metav1.ConditionFalse,
				Reason:             "UnsupportedKubernetesVersion",
				Message:            fmt.Sprintf("Kubernetes version %q is not supported; see the bundled k3s-versions.json for valid versions", app.Spec.Kubernetes.Version),
				ObservedGeneration: app.Generation,
				LastTransitionTime: metav1.Now(),
			})
			if unsupported {
				if err := r.Status().Update(ctx, &app); err != nil {
					log.Error(err, "Unable to update App status for unsupported version")
					return ctrl.Result{}, err
				}
			}
			return ctrl.Result{}, nil
		}
	}

	// Check whether the LimaVM already exists. If not, create the input ConfigMap and LimaVM.
	limaVM := &limav1alpha1.LimaVM{}
	limaVMErr := r.Get(ctx, client.ObjectKey{Name: limaVMName, Namespace: namespace}, limaVM)
	if limaVMErr != nil && !apierrors.IsNotFound(limaVMErr) {

The mirror loop at lines 268-284 only writes condition types the LimaVM exposes (Created, Running). LimaVM never sets Ready. So once the validation block has stamped Ready=False on the App and the user does rdd set kubernetes.version=1.32.0 (or kubernetes.enabled=false), the condition persists indefinitely. kubectl get app -o yaml will show Ready=False even though the VM is happily running k3s. The new BATS tests don't catch this because every test calls delete_app first, which destroys the conditions.

pkg/controllers/app/app/controllers/app_controller.go

	// The priority chain above returns after every other action, so the App's
	// resourceVersion from the initial Get is still current — no re-read needed.
	// Truncate messages defensively: the LimaVM controller already truncates at
	// source, but guarding here ensures a future bypass can't cause the App
	// status update to fail CRD validation.
	statusChanged := false
	for _, cond := range limaVM.Status.Conditions {
		statusChanged = apimeta.SetStatusCondition(&app.Status.Conditions, metav1.Condition{
			Type:               cond.Type,
			Status:             cond.Status,
			Reason:             cond.Reason,
			Message:            base.TruncateConditionMessage(cond.Message),
			ObservedGeneration: app.Generation,
			LastTransitionTime: cond.LastTransitionTime,
		}) || statusChanged
	}
	if statusChanged {
		if err := r.Status().Update(ctx, &app); err != nil {
			log.Error(err, "Unable to update App status")
			return ctrl.Result{}, err
		}
	}

	return ctrl.Result{}, nil
}

// SetupWithManager sets up the controller with the Manager.

Fix: when validation passes (or Kubernetes is disabled entirely), drop the prior Ready condition and requeue. Using apimeta.RemoveStatusCondition followed by r.Status().Update is the minimal change:

+if apimeta.RemoveStatusCondition(&app.Status.Conditions, "Ready") {
+    if err := r.Status().Update(ctx, &app); err != nil {
+        return ctrl.Result{}, err
+    }
+    return ctrl.Result{}, nil
+}

I5. Dropped HOST_HOME quoting is fragile against paths with YAML-special characters Claude Gemini¶

pkg/controllers/app/app/controllers/app_controller.go

	LimaTemplateData string
	K3sVersionsData  string
}

func applySpecToTemplate(baseTemplate string, spec v1alpha1.AppSpec, hostHome string) string {
	return baseTemplate + fmt.Sprintf(
		"\nparam:\n  CONTAINER_ENGINE: %s\n  HOST_HOME: %s\n  KUBERNETES_ENABLED: %v\n  KUBERNETES_VERSION: %s\n",
		spec.ContainerEngine.Name,
		hostHome,
		spec.Kubernetes.Enabled,
		spec.Kubernetes.Version,
	)
}

The previous line read HOST_HOME: \"{{.Home}}\" — the literal string was double-quoted in the YAML output. Commit e57a182 replaces {{.Home}} with os.UserHomeDir() (correct fix for the literal-template bug) but drops the quotes. On Windows, os.UserHomeDir() returns %USERPROFILE%, which commonly includes spaces (C:\Users\Jan Dubois) and can legally contain # in usernames, which turns into a YAML comment. Even on Unix, a user with a # or : in their home path would trip the YAML parser.

Fix: use %q so the value is always emitted as a quoted YAML scalar. Lima's param parser accepts double-quoted scalars — the existing template uses them elsewhere (e.g., hostSocket: "{{.Home}}/.rd/docker.sock").

-"\nparam:\n  CONTAINER_ENGINE: %s\n  HOST_HOME: %s\n  KUBERNETES_ENABLED: %v\n  KUBERNETES_VERSION: %s\n",
+"\nparam:\n  CONTAINER_ENGINE: %s\n  HOST_HOME: %q\n  KUBERNETES_ENABLED: %v\n  KUBERNETES_VERSION: %s\n",

I6. assert_output --partial "Ready" accepts NotReady Claude¶

bats/tests/32-app-controllers/app.bats

@test "wait for k3s to be ready" {
    # k3s is downloaded and installed on first use; allow extra time.
    try --max 36 --delay 10 -- rdd limavm shell "${VM_NAME}" sudo systemctl is-active k3s
}

@test "kubernetes nodes are Ready" {
    run -0 rdd limavm shell "${VM_NAME}" sudo k3s kubectl get nodes
    assert_output --partial "Ready"
}

@test "stop VM after Kubernetes test" {
    rdd set running=false
    rdd ctl wait --for=condition=Running=False \
        limavm/"${VM_NAME}" --namespace "${RDD_NAMESPACE}" --timeout=60s

kubectl get nodes prints either Ready or NotReady in the STATUS column. A substring search for Ready matches both, so the test gives a false positive when the node is still NotReady (cordoned, network init, transient failures). Single-node k3s usually flips Ready quickly, so this rarely fires in practice — but the test claims to verify readiness and doesn't.

Fix: use kubectl wait and let it block on the actual condition. No assert_output needed.

 @test "kubernetes nodes are Ready" {
-    run -0 rdd limavm shell "${VM_NAME}" sudo k3s kubectl get nodes
-    assert_output --partial "Ready"
+    run -0 rdd limavm shell "${VM_NAME}" sudo k3s kubectl wait \
+        --for=condition=Ready nodes --all --timeout=60s
 }

Suggestions ¶

S1. parseK3sVersions runs on every reconcile Claude Gemini¶

pkg/controllers/app/app/controllers/app_controller.go


	namespace := app.GetResourceNamespace()

	// Validate the requested Kubernetes version against the bundled version list.
	if app.Spec.Kubernetes.Enabled && app.Spec.Kubernetes.Version != "" {
		supportedVersions, err := parseK3sVersions(r.K3sVersionsData)
		if err != nil {
			return ctrl.Result{}, fmt.Errorf("failed to load k3s versions: %w", err)
		}
		if _, ok := supportedVersions[app.Spec.Kubernetes.Version]; !ok {
			unsupported := apimeta.SetStatusCondition(&app.Status.Conditions, metav1.Condition{

The data is a compile-time //go:embed string; the parsed set never changes. Parsing on every reconcile is wasted work and the error path is unreachable in practice — if the embed were corrupt at build time, the controller would silently retry forever instead of failing visibly at startup.

Fix: parse once in controller.go's RegisterWithManager and pass the resulting map into AppReconciler. Surface the parse error at that point so a malformed embed fails the manager to start. A side benefit: the call site can also cache hostHome (see I2) and drop both K3sVersionsData and the per-reconcile os.UserHomeDir() call in one refactor.

S2. Non-SSA Status().Update on App — replicates existing anti-pattern Claude Gemini¶

The new validation block adds a second Status().Update(ctx, &app) on the App without retry.RetryOnConflict or Server-Side Apply. The repo context flags this because App.Status.Conditions has multiple writers today (AppReconciler mirrors LimaVM conditions) and the design doc anticipates an EngineReconciler that will write ContainerEngineReady. The new site is no worse than the existing mirror update at line 280 — the PR replicates an existing gap rather than introducing a novel one — but both sites should eventually migrate.

pkg/controllers/app/app/controllers/app_controller.go

			ObservedGeneration: app.Generation,
			LastTransitionTime: cond.LastTransitionTime,
		}) || statusChanged
	}
	if statusChanged {
		if err := r.Status().Update(ctx, &app); err != nil {
			log.Error(err, "Unable to update App status")
			return ctrl.Result{}, err
		}
	}

Fix (when tackling both sites): wrap in retry.RetryOnConflict or convert to Server-Side Apply. Deferring is acceptable if done in a dedicated follow-up PR.

S3. Ready condition only ever set to False Claude¶

K8s convention is Ready=True means the resource is fully reconciled and operational. Here Ready is only written on the failure path and never set to True in the happy path. A reader running kubectl wait --for=condition=Ready app/app in the success case would block forever because the condition never appears — which is surprising and contradicts convention.

Consider either (a) using a more specific condition type like KubernetesVersionValid to avoid reader confusion, or (b) maintaining Ready consistently (set to True after LimaVM Running=True and validation passes). Option (a) is smaller.

S4. delete_app now resurrects a missing App via rdd set Claude¶

bats/tests/32-app-controllers/app.bats


APP_NAME="app"
VM_NAME="rd"
INPUT_CM_NAME="rd"

delete_app() {
    # Stop the VM first so the LimaVM finalizer clears quickly.
    rdd set running=false 2>/dev/null || true
    rdd ctl delete app "${APP_NAME}" --ignore-not-found
    # Wait for full deletion so that create_app always starts with no
    # pre-existing App resource. Without this, rdd ctl apply in create_app
    # can update a still-terminating App, which the controller treats as a
    # deletion request — no LimaVM is ever created.
    rdd ctl wait --for=delete app/"${APP_NAME}" --timeout=120s 2>/dev/null || true
}

create_app() {
    local running=${1:-false}
    delete_app

rdd set creates the App if it does not already exist. When delete_app is called against a fresh control plane (e.g., the new unsupported Kubernetes version test immediately follows verify App can be recreated after deletion which just deleted everything), this call recreates a brand-new App, the controller starts adding finalizers and creating the input ConfigMap, and the subsequent rdd ctl delete app tears it back down. Wasteful and adds seconds to a sequence the comment claims should be faster.

Fix: use rdd ctl patch, which fails silently (via the redirect) when the resource doesn't exist:

-rdd set running=false 2>/dev/null || true
+rdd ctl patch app "${APP_NAME}" --type=merge -p '{"spec":{"running":false}}' 2>/dev/null || true

S5. Design doc api_app.md is stale after this PR Claude Codex¶

The doc says spec.kubernetes.version defaults to 1.30.2, but no such default exists in the Go types and 1.30.2 is now below the supported floor (1.32.0). The condition table (lines 94-104) only lists Created and Running, and an introductory sentence says conditions are "mirrored from the owned LimaVM resource." The new Ready/False/UnsupportedKubernetesVersion condition is controller-owned, not mirrored — a reader following the doc would not expect it to ever appear.

docs/design/api_app.md


- **spec.kubernetes.version**: The Kubernetes version to use (e.g. `"1.30.2"`). Defaults to `"1.30.2"`. Propagated to the `KUBERNETES_VERSION` Lima template param.

- **status.conditions**: Conditions are **mirrored from the owned `LimaVM`** resource. The App controller copies `type`, `status`, `reason`, `message`, and `lastTransitionTime` from the LimaVM's conditions.

  | Type      | Status      | Reason         | Description                                                       |
  |-----------|-------------|----------------|-------------------------------------------------------------------|
  | `Created` | `Unknown`   | `Pending`      | LimaVM controller has started reconciliation                      |
  | `Created` | `True`      | `Created`      | Lima instance created on disk and ready                           |
  | `Created` | `False`     | `CreateFailed` | Lima instance creation failed (see `message` for details)         |
  | `Running` | `Unknown`   | `Reconciling`  | Verifying instance state (e.g. after controller restart)          |
  | `Running` | `True`      | `Started`      | Lima instance is running                                          |
  | `Running` | `False`     | `Stopped`      | Lima instance is stopped                                          |
  | `Running` | `False`     | `Starting`     | Lima instance is starting up                                      |
  | `Running` | `False`     | `StartFailed`  | Lima instance failed to start                                     |
  | `Running` | `False`     | `StopFailed`   | Lima instance failed to stop cleanly                              |

  Because conditions are mirrored, `lastTransitionTime` reflects when the **LimaVM** transitioned, not when the App controller copied the value. This makes the timestamp meaningful for staleness checks.

Deleting the `App` resource triggers the finalizer to stop and delete the owned LimaVM (and wait for the LimaVM controller to complete its own cleanup before removing the App finalizer).

Fix: update the default claim (either restore a real default or document that the field is required when enabled=true), add a row for the Ready condition, and clarify that a small set of App conditions are owned by the reconciler directly rather than mirrored.

S6. Error message references a file the user cannot see Claude¶

pkg/controllers/app/app/controllers/app_controller.go

		if _, ok := supportedVersions[app.Spec.Kubernetes.Version]; !ok {
			unsupported := apimeta.SetStatusCondition(&app.Status.Conditions, metav1.Condition{
				Type:               "Ready",
				Status:             metav1.ConditionFalse,
				Reason:             "UnsupportedKubernetesVersion",
				Message:            fmt.Sprintf("Kubernetes version %q is not supported; see the bundled k3s-versions.json for valid versions", app.Spec.Kubernetes.Version),
				ObservedGeneration: app.Generation,
				LastTransitionTime: metav1.Now(),
			})
			if unsupported {
				if err := r.Status().Update(ctx, &app); err != nil {

The user has no path to the bundled file — it's embedded into the binary. A more useful message would name a CLI affordance or list the channels (stable, latest) from the same JSON.

S7. 300s timeout on first VM start with k3s install is tight Claude¶

bats/tests/32-app-controllers/app.bats

    rdd set running=false kubernetes.enabled=true kubernetes.version=1.32.0
    rdd ctl wait --for=create limavm/"${VM_NAME}" \
        --namespace "${RDD_NAMESPACE}" --timeout=60s
}

@test "start VM with Kubernetes enabled" {
    rdd set running=true
    rdd ctl wait --for=condition=Running \
        limavm/"${VM_NAME}" --namespace "${RDD_NAMESPACE}" --timeout=300s
}

@test "wait for k3s to be ready" {
    # k3s is downloaded and installed on first use; allow extra time.
    try --max 36 --delay 10 -- rdd limavm shell "${VM_NAME}" sudo systemctl is-active k3s
}

The Running condition only fires after the provision script completes, and the provision script downloads and installs k3s (~75 MB binary plus install steps) on first boot. 300s is workable on a fast network but borderline on slow CI runners. Consider bumping to 360s or 480s to reduce flake risk.

Design Observations ¶

Concerns

Validation belongs at admission, not in the reconciler (future) Claude — Validating in Reconcile means rdd set kubernetes.version=invalid succeeds at the CLI layer, the user gets no immediate feedback, and they have to read app.status.conditions to discover the spec was rejected. A validating admission webhook (RDD already runs one for LimaVM) would reject the bad spec at API-call time and return the error directly. Alternatively, a generated +kubebuilder:validation:Enum=... derived from k3s-versions.json at build time would push validation into the API server with no extra runtime infrastructure.
Missing default for kubernetes.version (in-scope) Claude — The Go spec has no default, the CRD has no default, and the design doc claims a 1.30.2 default that is now below the supported floor. The combination of "no default" and "the validator only fires when version != """ is what produces I3. Either commit to a real default or always require version when enabled=true.
Supported-version shape conflates validation and installation (in-scope) Codex — The controller now treats "supported version" as a bare semver while the installer consumes a full k3s tag. A single parsed structure that preserves both forms would eliminate the suffix drift in I1 and make future channel updates safer.
Per-reconcile JSON parsing lacks startup-time failure surface (in-scope) Gemini — The embedded JSON is only validated when the first App with kubernetes.enabled=true is reconciled. A malformed embed introduced in a future bump would not surface until runtime. See S1.

Strengths

(in-scope) Claude The controller correctly returns early on validation failure without updating the template ConfigMap, so a running VM keeps its old working configuration if the user fans out a bad version. Good fail-safe behavior.
(in-scope) Claude Splitting applySpecToTemplate to take an explicit hostHome parameter (rather than reading the env inside the helper) keeps the helper pure and testable.
(in-scope) Codex Bundling a filtered static k3s-versions.json into the controller is the right direction: it removes an external dependency from reconcile-time validation and blocks obviously bad specs before the LimaVM is created.

Testing Assessment ¶

The added tests cover the happy path (valid version → LimaVM created → k3s active) and the rejection path (invalid version → Ready=False). Gaps, ranked by risk:

Recovery from invalid → valid version — would catch I4 (stale Ready=False). Test: set bad version, observe Ready=False, set good version, assert Ready condition is gone (or True).
Empty version with kubernetes.enabled=true — would catch I3. Test: rdd set kubernetes.enabled=true with no version, expect Ready=False.
A +k3s3 version — would catch I1. Test: pick 1.34.3 from the bundled list and run the same start-VM flow.
assert_output --partial "Ready" false positives — I6 itself. Switching to kubectl wait eliminates the class of problem.
Disabling Kubernetes after a validation failure — set bad version, then rdd set kubernetes.enabled=false, expect Ready=False to clear.

Codex ran go test ./pkg/controllers/app/app/... ./pkg/controllers/lima/limavm/... in its sandbox — passed. No agent ran the BATS suite.

Documentation Assessment ¶

docs/design/api_app.md needs the updates in S5 (drop/refresh the 1.30.2 default claim, add the Ready/UnsupportedKubernetesVersion row, clarify mirrored vs. owned conditions).
parseK3sVersions and k3sVersionsJSON have brief godocs; the K3sVersionsData field on AppReconciler does not. Once S1 lands (cache the parsed map), the field can be renamed and documented in one move.

Commit Structure ¶

The four commits are logically separated (bundle+validate / hostHome fix / sysconfig fix / bats tests) and individually reviewable. One concern: 16ef12c "Add BATs test for supported k8s version in k3s-version.json" lands the validation tests but implicitly depends on 070efc9 (sysconfig fix) and e57a182 (hostHome fix) to actually pass — bisecting on the bats commit would leave the test suite broken. Consider squashing the BATS commit into the implementation commit, or moving it to the end of the series.

Acknowledged Limitations ¶

None. The two prior PR comments (Jan: "needs a rebase due to template using finch image"; Nino: "rebased") relate to CI infrastructure and are already addressed by the current branch.

Unresolved Feedback ¶

Nothing outstanding from the two prior comments.

Agent Performance Retro ¶

Claude ¶

Claude produced the most comprehensive review — caught all three of the convergent findings (version suffix, empty version, stale Ready condition) and added two unique ones (the assert_output "Ready" test accepting NotReady, and the delete_app helper accidentally resurrecting the App via rdd set). Claude also did the strongest cross-referencing: it traced docs/design/api_app.md to flag the stale 1.30.2 default claim and the condition-table gap, and noted that the sysconfig template now writes KUBERNETES_PORT=6443 but nothing on the PR touches a k3s port config. Calibration was reasonable — no findings needed downgrading. The one miss: Claude flagged os.UserHomeDir() as a caching-level suggestion (S7) without tracing the deletion-path deadlock Gemini caught.

Codex ¶

Codex delivered a tight, focused review — three important findings, all of which survived consolidation at the same severity. Its unique contribution was the strongest framing of the version suffix bug: it pinpointed the exact +k3s3 entries in the bundled JSON and mapped them to the template's +k3s1 suffix with file:line references. It also flagged the api_app.md staleness independently. Codex missed the HOST_HOME quoting regression and the assert_output bug, and skipped the per-reconcile JSON parsing concern. The surface area was smaller than Claude's but the signal-to-noise ratio was very high — zero false positives or duplicates.

Gemini ¶

Gemini was the only agent to catch the os.UserHomeDir() finalizer deadlock, which is a genuinely important regression that the other two missed or softened. It also independently flagged the HOST_HOME quoting, the non-SSA Status().Update, and the per-reconcile JSON parsing. Calibration was high — Gemini marked the os.UserHomeDir() issue and the empty-version bypass as Critical; both got downgraded to Important in consolidation (the first because the trigger is rare on a normal desktop daemon, the second because the failure is visible, not silent). The review had zero Suggestions — anything that might have been minor got folded into Important or omitted. As expected, Gemini did not run git blame (daily quota) and relied on the explicit commit list in the prompt instead.

Summary ¶

	Claude Opus 4.6	Codex GPT 5.4	Gemini 3.1 Pro
Duration	14m 29s	4m 08s	3m 33s
Findings	5I 8S	3I	4I
Tool calls	47 (Bash 29, Read 14, Grep 4)	47 (shell 45, plan 1, stdin 1)	19 (grepsearch 10, runshellcommand 7, readfile 2)
Design observations	4	2	1
False positives	0	0	0
Unique insights	2	0	1
Files reviewed	6	6	6
Coverage misses	0	0	0
Totals	5I 8S	3I	4I
Downgraded	0	0	4 (I→S)
Dropped	0	0	0

All three agents converged on the core findings (suffix mismatch, empty version, HOST_HOME quoting) which raises confidence that the validation gaps are real and not artifacts of model bias. Claude provided the most breadth; Codex the tightest signal; Gemini the one genuinely unique critical catch (finalizer deadlock). Taken together, the three reviews cover the important-issue space completely — no agent's gaps leave a hole that the other two don't fill.

Reconciliation ¶

Gemini C1 (os.UserHomeDir() blocks finalizer cleanup): critical → important I2. The failure mode is real but the trigger (HOME unset in the daemon environment) is uncommon on a single-user developer desktop; severity aligned with other regressions of comparable likelihood.
Gemini C2 (Empty kubernetes.version bypasses validation): critical → important I3. The failure is visible to the user (VM fails to start with a k3s install error) rather than silent, and Codex/Claude both rated it Important independently.
Gemini I2 (Non-SSA Status().Update): important → suggestion S2. The new call site replicates an existing pattern at app_controller.go:280; the PR does not introduce a novel anti-pattern, and the existing single-writer setup means conflicts are rare in practice.
Gemini I3 (Per-reconcile JSON parse): important → suggestion S1. Pure performance / startup-surface concern with no correctness impact; Claude rated the same issue as suggestion.

Review Process Notes ¶

Repo context updates

None this round. The existing deep-review-context.md entries on multi-writer App.Status.Conditions, non-SSA Status().Update, and ctrl.Result{}, nil return verification were all relevant and matched agent findings — no staleness detected.

Skill improvements

None. The three-agent setup caught all findings; no agent-specific miss suggests a missing review dimension.