Catalog display metadata: check category + default severity, issue-ca…

…tegory catalog (#915)

Catalog display metadata: check category + default severity, issue-ca…

…tegory catalog (#915)

Catalog display metadata: check category + default severity, issue-ca…

…tegory catalog (#915)

Catalog display metadata: check category + default severity, issue-ca…

…tegory catalog (#915)

Gate Radar config + audit settings to owners (#901)

* feat(settings): gate Radar config + audit settings to owners

The gear icon exposes two distinct surfaces with different ownership:
host-level Radar configuration (kubeconfig, port, timeline, integrations)
that affects every user of the instance, and personal surfaces (My
permissions). Previously any authenticated user could mutate the
host-level config and the cluster-shared audit policy.

Gate the mutating surfaces on the Cloud `owner` role, enforced both
server-side (source of truth) and in the UI:

- /api/config PUT and /api/settings/audit PUT now require owner via a
  new Server.requireCloudRole helper mirroring internal/helm's gate.
  Non-Cloud callers (OSS, OIDC, kubectl plugin) have no role and pass
  through unchanged, so a single-user laptop is never locked out of its
  own config. Denials return 403 with error_code=cloud_role_insufficient.
- SettingsDialog splits into a Personal section (My permissions, always
  visible) and an owner-gated Radar configuration section; non-owners
  see a locked explanation instead of the form, and the save controls
  are hidden. The gear icon itself stays visible so non-owners can still
  reach their personal surfaces.
- AuditSettingsDialog renders read-only for non-owners with a locked
  banner and disabled controls.

* fix(audit): withhold inline hide actions from non-owners

The row-level Hide check / Hide category menus in ChecksView persist via
PUT /api/settings/audit, which is now owner-gated. They were wired for
every user, so a viewer/member clicking them hit a silent 403. Pass the
hide callbacks only when the caller is an owner; ChecksView renders the
menu items only when the callbacks are present.

fix(chart): bump appVersion to 1.7.6 and add kubevirt RBAC (#883)

Chart.yaml pinned appVersion/image to 1.5.7 while the templates render flags
(--auth-oidc-scopes, --timeline-retention, --timeline-max-size) that only exist
in 1.7.x binaries. Installing with chart defaults pulls the 1.5.7 image, which
rejects those flags, prints usage, and never becomes ready. Bump appVersion and
the artifacthub image annotation to 1.7.6 to match the templates.

Also add a kubevirt crdGroup (kubevirt.io + cdi/clone/export/instancetype/
migrations/pool/snapshot sub-APIs), defaulted on like the other CRD groups, so
the resource browser and topology can read KubeVirt VMs instead of spamming
forbidden-watch errors on clusters running KubeVirt.

fix(chart): bump appVersion to 1.7.6 and add kubevirt RBAC (#883)

Chart.yaml pinned appVersion/image to 1.5.7 while the templates render flags
(--auth-oidc-scopes, --timeline-retention, --timeline-max-size) that only exist
in 1.7.x binaries. Installing with chart defaults pulls the 1.5.7 image, which
rejects those flags, prints usage, and never becomes ready. Bump appVersion and
the artifacthub image annotation to 1.7.6 to match the templates.

Also add a kubevirt crdGroup (kubevirt.io + cdi/clone/export/instancetype/
migrations/pool/snapshot sub-APIs), defaulted on like the other CRD groups, so
the resource browser and topology can read KubeVirt VMs instead of spamming
forbidden-watch errors on clusters running KubeVirt.

fix(chart): bump appVersion to 1.7.6 and add kubevirt RBAC (#883)

Chart.yaml pinned appVersion/image to 1.5.7 while the templates render flags
(--auth-oidc-scopes, --timeline-retention, --timeline-max-size) that only exist
in 1.7.x binaries. Installing with chart defaults pulls the 1.5.7 image, which
rejects those flags, prints usage, and never becomes ready. Bump appVersion and
the artifacthub image annotation to 1.7.6 to match the templates.

Also add a kubevirt crdGroup (kubevirt.io + cdi/clone/export/instancetype/
migrations/pool/snapshot sub-APIs), defaulted on like the other CRD groups, so
the resource browser and topology can read KubeVirt VMs instead of spamming
forbidden-watch errors on clusters running KubeVirt.

applications: add app topology and identities (#875)

applications: add app topology and identities (#875)