From 343292ac120d18cea4fecf05930020f8592db8f8 Mon Sep 17 00:00:00 2001
From: opspawn <opspawn@users.noreply.github.com>
Date: Fri, 20 Feb 2026 21:10:10 +0000
Subject: [PATCH 1/3] feat: add read-only mode for GitOps deployments (#1344)

Add read-only mode to both the Go backend and Next.js frontend, allowing
kagent to be deployed in GitOps environments where resources are managed
declaratively.

Backend:
- Add ReadOnlyAuthorizer that allows VerbGet but rejects create/update/delete
- Wire via KAGENT_READ_ONLY=true environment variable
- Add comprehensive tests for the new authorizer

Frontend:
- Add ReadOnlyProvider context with useReadOnly() hook
- Hide Create dropdown in Header navigation
- Hide Edit/Delete overlays on agent cards and model rows
- Hide chat session delete option
- Hide Add/Remove buttons on MCP servers page
- Add route guards redirecting /agents/new and /models/new to /
- Skip onboarding wizard in read-only mode
- Show 'Resources are managed via GitOps' in empty states
- Wire via NEXT_PUBLIC_READ_ONLY=true environment variable

Closes #1344

Signed-off-by: opspawn <opspawn@users.noreply.github.com>
---
 go/cmd/controller/main.go                 |  11 +-
 go/internal/httpserver/auth/authz.go      |  15 +++
 go/internal/httpserver/auth/authz_test.go |  60 +++++++++++
 ui/src/app/agents/new/page.tsx            |   8 +-
 ui/src/app/layout.tsx                     |  35 +++---
 ui/src/app/models/new/page.tsx            |   9 +-
 ui/src/app/models/page.tsx                |  70 ++++++------
 ui/src/app/servers/page.tsx               |  73 +++++++------
 ui/src/components/AgentCard.tsx           |  34 +++---
 ui/src/components/AgentList.tsx           |  22 ++--
 ui/src/components/AppInitializer.tsx      |   7 +-
 ui/src/components/Header.tsx              | 124 +++++++++++-----------
 ui/src/components/ReadOnlyProvider.tsx    |  19 ++++
 ui/src/components/sidebars/ChatItem.tsx   |  48 +++++----
 14 files changed, 348 insertions(+), 187 deletions(-)
 create mode 100644 go/internal/httpserver/auth/authz_test.go
 create mode 100644 ui/src/components/ReadOnlyProvider.tsx

diff --git a/go/cmd/controller/main.go b/go/cmd/controller/main.go
index 2049e6962..614ce18c2 100644
--- a/go/cmd/controller/main.go
+++ b/go/cmd/controller/main.go
@@ -17,8 +17,12 @@ limitations under the License.
 package main
 
 import (
+	"os"
+	"strings"
+
 	"github.com/kagent-dev/kagent/go/internal/httpserver/auth"
 	"github.com/kagent-dev/kagent/go/pkg/app"
+	pkgauth "github.com/kagent-dev/kagent/go/pkg/auth"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
@@ -27,7 +31,12 @@ import (
 
 //nolint:gocyclo
 func main() {
-	authorizer := &auth.NoopAuthorizer{}
+	var authorizer pkgauth.Authorizer
+	if strings.EqualFold(os.Getenv("KAGENT_READ_ONLY"), "true") {
+		authorizer = &auth.ReadOnlyAuthorizer{}
+	} else {
+		authorizer = &auth.NoopAuthorizer{}
+	}
 	authenticator := &auth.UnsecureAuthenticator{}
 	app.Start(func(bootstrap app.BootstrapConfig) (*app.ExtensionConfig, error) {
 		return &app.ExtensionConfig{
diff --git a/go/internal/httpserver/auth/authz.go b/go/internal/httpserver/auth/authz.go
index e23c696a8..8fd30354c 100644
--- a/go/internal/httpserver/auth/authz.go
+++ b/go/internal/httpserver/auth/authz.go
@@ -2,6 +2,7 @@ package auth
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/kagent-dev/kagent/go/pkg/auth"
 )
@@ -13,3 +14,17 @@ func (a *NoopAuthorizer) Check(ctx context.Context, principal auth.Principal, ve
 }
 
 var _ auth.Authorizer = (*NoopAuthorizer)(nil)
+
+// ReadOnlyAuthorizer allows only read (get) operations and rejects all
+// mutating requests. This is useful for GitOps deployments where resources
+// are managed declaratively and the UI should be view-only.
+type ReadOnlyAuthorizer struct{}
+
+func (a *ReadOnlyAuthorizer) Check(ctx context.Context, principal auth.Principal, verb auth.Verb, resource auth.Resource) error {
+	if verb == auth.VerbGet {
+		return nil
+	}
+	return fmt.Errorf("forbidden: read-only mode is enabled, %s operations on %s are not allowed", verb, resource.Type)
+}
+
+var _ auth.Authorizer = (*ReadOnlyAuthorizer)(nil)
diff --git a/go/internal/httpserver/auth/authz_test.go b/go/internal/httpserver/auth/authz_test.go
new file mode 100644
index 000000000..986052f4a
--- /dev/null
+++ b/go/internal/httpserver/auth/authz_test.go
@@ -0,0 +1,60 @@
+package auth_test
+
+import (
+	"context"
+	"testing"
+
+	authimpl "github.com/kagent-dev/kagent/go/internal/httpserver/auth"
+	"github.com/kagent-dev/kagent/go/pkg/auth"
+)
+
+func TestNoopAuthorizer(t *testing.T) {
+	authorizer := &authimpl.NoopAuthorizer{}
+	principal := auth.Principal{User: auth.User{ID: "test-user"}}
+	resource := auth.Resource{Name: "test-agent", Type: "agents"}
+
+	for _, verb := range []auth.Verb{auth.VerbGet, auth.VerbCreate, auth.VerbUpdate, auth.VerbDelete} {
+		if err := authorizer.Check(context.Background(), principal, verb, resource); err != nil {
+			t.Errorf("NoopAuthorizer should allow %s but got error: %v", verb, err)
+		}
+	}
+}
+
+func TestReadOnlyAuthorizer_AllowsGet(t *testing.T) {
+	authorizer := &authimpl.ReadOnlyAuthorizer{}
+	principal := auth.Principal{User: auth.User{ID: "test-user"}}
+	resource := auth.Resource{Name: "test-agent", Type: "agents"}
+
+	if err := authorizer.Check(context.Background(), principal, auth.VerbGet, resource); err != nil {
+		t.Errorf("ReadOnlyAuthorizer should allow get but got error: %v", err)
+	}
+}
+
+func TestReadOnlyAuthorizer_RejectsMutations(t *testing.T) {
+	authorizer := &authimpl.ReadOnlyAuthorizer{}
+	principal := auth.Principal{User: auth.User{ID: "test-user"}}
+	resource := auth.Resource{Name: "test-agent", Type: "agents"}
+
+	for _, verb := range []auth.Verb{auth.VerbCreate, auth.VerbUpdate, auth.VerbDelete} {
+		err := authorizer.Check(context.Background(), principal, verb, resource)
+		if err == nil {
+			t.Errorf("ReadOnlyAuthorizer should reject %s but allowed it", verb)
+		}
+	}
+}
+
+func TestReadOnlyAuthorizer_ErrorMessage(t *testing.T) {
+	authorizer := &authimpl.ReadOnlyAuthorizer{}
+	principal := auth.Principal{User: auth.User{ID: "test-user"}}
+	resource := auth.Resource{Name: "my-agent", Type: "agents"}
+
+	err := authorizer.Check(context.Background(), principal, auth.VerbCreate, resource)
+	if err == nil {
+		t.Fatal("expected error for create verb")
+	}
+
+	expected := "forbidden: read-only mode is enabled, create operations on agents are not allowed"
+	if err.Error() != expected {
+		t.Errorf("expected error message %q, got %q", expected, err.Error())
+	}
+}
diff --git a/ui/src/app/agents/new/page.tsx b/ui/src/app/agents/new/page.tsx
index 4d15e6195..fc80afeba 100644
--- a/ui/src/app/agents/new/page.tsx
+++ b/ui/src/app/agents/new/page.tsx
@@ -9,8 +9,9 @@ import { ModelConfig, AgentType } from "@/types";
 import { SystemPromptSection } from "@/components/create/SystemPromptSection";
 import { ModelSelectionSection } from "@/components/create/ModelSelectionSection";
 import { ToolsSection } from "@/components/create/ToolsSection";
-import { useRouter, useSearchParams } from "next/navigation";
+import { useRouter, useSearchParams, redirect } from "next/navigation";
 import { useAgents } from "@/components/AgentsProvider";
+import { useReadOnly } from "@/components/ReadOnlyProvider";
 import { LoadingState } from "@/components/LoadingState";
 import { ErrorState } from "@/components/ErrorState";
 import KagentLogo from "@/components/kagent-logo";
@@ -738,12 +739,17 @@ function AgentPageContent({ isEditMode, agentName, agentNamespace }: AgentPageCo
 
 // Main component that wraps the content in a Suspense boundary
 export default function AgentPage() {
+  const readOnly = useReadOnly();
   // Determine if in edit mode
   const searchParams = useSearchParams();
   const isEditMode = searchParams.get("edit") === "true";
   const agentName = searchParams.get("name");
   const agentNamespace = searchParams.get("namespace");
 
+  if (readOnly) {
+    redirect("/");
+  }
+
   // Create a key based on the edit mode and agent ID
   const formKey = isEditMode ? `edit-${agentName}-${agentNamespace}` : 'create';
 
diff --git a/ui/src/app/layout.tsx b/ui/src/app/layout.tsx
index 43f9c75e0..be4336a4f 100644
--- a/ui/src/app/layout.tsx
+++ b/ui/src/app/layout.tsx
@@ -8,6 +8,7 @@ import { Footer } from "@/components/Footer";
 import { ThemeProvider } from "@/components/ThemeProvider";
 import { Toaster } from "@/components/ui/sonner";
 import { AppInitializer } from "@/components/AppInitializer";
+import { ReadOnlyProvider } from "@/components/ReadOnlyProvider";
 
 const geistSans = Geist({
   variable: "--font-geist-sans",
@@ -20,21 +21,23 @@ export const metadata: Metadata = {
 
 export default function RootLayout({ children }: { children: React.ReactNode }) {
   return (
-    <TooltipProvider>
-      <AgentsProvider>
-        <html lang="en" className="">
-          <body className={`${geistSans.className} flex flex-col h-screen overflow-hidden`}>
-            <ThemeProvider attribute="class" defaultTheme="system" enableSystem disableTransitionOnChange>
-              <AppInitializer>
-                <Header />
-                <main className="flex-1 overflow-y-scroll w-full mx-auto">{children}</main>
-                <Footer />
-              </AppInitializer>
-              <Toaster richColors/>
-            </ThemeProvider>
-          </body>
-        </html>
-      </AgentsProvider>
-    </TooltipProvider>
+    <ReadOnlyProvider>
+      <TooltipProvider>
+        <AgentsProvider>
+          <html lang="en" className="">
+            <body className={`${geistSans.className} flex flex-col h-screen overflow-hidden`}>
+              <ThemeProvider attribute="class" defaultTheme="system" enableSystem disableTransitionOnChange>
+                <AppInitializer>
+                  <Header />
+                  <main className="flex-1 overflow-y-scroll w-full mx-auto">{children}</main>
+                  <Footer />
+                </AppInitializer>
+                <Toaster richColors/>
+              </ThemeProvider>
+            </body>
+          </html>
+        </AgentsProvider>
+      </TooltipProvider>
+    </ReadOnlyProvider>
   );
 }
diff --git a/ui/src/app/models/new/page.tsx b/ui/src/app/models/new/page.tsx
index 772944ff3..4214e3f90 100644
--- a/ui/src/app/models/new/page.tsx
+++ b/ui/src/app/models/new/page.tsx
@@ -2,7 +2,7 @@
 import React, { useState, useEffect } from "react";
 import { Button } from "@/components/ui/button";
 import { Loader2 } from "lucide-react";
-import { useRouter, useSearchParams } from "next/navigation";
+import { useRouter, useSearchParams, redirect } from "next/navigation";
 import { LoadingState } from "@/components/LoadingState";
 import { ErrorState } from "@/components/ErrorState";
 import { getModelConfig, createModelConfig, updateModelConfig } from "@/app/actions/modelConfigs";
@@ -30,6 +30,7 @@ import { BasicInfoSection } from '@/components/models/new/BasicInfoSection';
 import { AuthSection } from '@/components/models/new/AuthSection';
 import { ParamsSection } from '@/components/models/new/ParamsSection';
 import { k8sRefUtils } from "@/lib/k8sUtils";
+import { useReadOnly } from "@/components/ReadOnlyProvider";
 
 interface ValidationErrors {
   name?: string;
@@ -759,6 +760,12 @@ function ModelPageContent() {
 }
 
 export default function ModelPage() {
+  const readOnly = useReadOnly();
+
+  if (readOnly) {
+    redirect("/");
+  }
+
   return (
     <React.Suspense fallback={<LoadingState />}>
       <ModelPageContent />
diff --git a/ui/src/app/models/page.tsx b/ui/src/app/models/page.tsx
index 362b1c68f..34a2c6614 100644
--- a/ui/src/app/models/page.tsx
+++ b/ui/src/app/models/page.tsx
@@ -17,9 +17,11 @@ import {
     DialogTitle,
 } from "@/components/ui/dialog";
 import { k8sRefUtils } from "@/lib/k8sUtils";
+import { useReadOnly } from "@/components/ReadOnlyProvider";
 
 export default function ModelsPage() {
     const router = useRouter();
+    const readOnly = useReadOnly();
     const [models, setModels] = useState<ModelConfig[]>([]);
     const [loading, setLoading] = useState(true);
     const [error, setError] = useState<string | null>(null);
@@ -93,17 +95,23 @@ export default function ModelsPage() {
             <div className="max-w-6xl mx-auto">
                 <div className="flex justify-between items-center mb-8">
                     <h1 className="text-2xl font-bold">Models</h1>
-                    <Button
-                        variant="default"
-                        onClick={() => router.push("/models/new")}
-                    >
-                        <Plus className="h-4 w-4 mr-2" />
-                        New Model
-                    </Button>
+                    {!readOnly && (
+                        <Button
+                            variant="default"
+                            onClick={() => router.push("/models/new")}
+                        >
+                            <Plus className="h-4 w-4 mr-2" />
+                            New Model
+                        </Button>
+                    )}
                 </div>
 
                 {loading ? (
                     <LoadingState />
+                ) : models.length === 0 && readOnly ? (
+                    <div className="text-center py-12">
+                        <p className="text-muted-foreground">Resources are managed via GitOps</p>
+                    </div>
                 ) : (
                     <div className="space-y-4">
                         {models.map((model) => (
@@ -120,29 +128,31 @@ export default function ModelsPage() {
                                         )}
                                         <span className="font-medium">{model.ref}</span>
                                     </div>
-                                    <div className="flex space-x-2">
-                                        <Button
-                                            data-test={`edit-model-${model.ref}`}
-                                            variant="ghost"
-                                            size="sm"
-                                            onClick={(e) => {
-                                                e.stopPropagation();
-                                                handleEdit(model);
-                                            }}
-                                        >
-                                            <Pencil className="h-4 w-4" />
-                                        </Button>
-                                        <Button
-                                            variant="destructive"
-                                            size="sm"
-                                            onClick={(e) => {
-                                                e.stopPropagation();
-                                                handleDelete(model);
-                                            }}
-                                        >
-                                            <Trash2 className="h-4 w-4" />
-                                        </Button>
-                                    </div>
+                                    {!readOnly && (
+                                        <div className="flex space-x-2">
+                                            <Button
+                                                data-test={`edit-model-${model.ref}`}
+                                                variant="ghost"
+                                                size="sm"
+                                                onClick={(e) => {
+                                                    e.stopPropagation();
+                                                    handleEdit(model);
+                                                }}
+                                            >
+                                                <Pencil className="h-4 w-4" />
+                                            </Button>
+                                            <Button
+                                                variant="destructive"
+                                                size="sm"
+                                                onClick={(e) => {
+                                                    e.stopPropagation();
+                                                    handleDelete(model);
+                                                }}
+                                            >
+                                                <Trash2 className="h-4 w-4" />
+                                            </Button>
+                                        </div>
+                                    )}
                                 </div>
                                 {expandedRows.has(model.ref) && (
                                     <div className="p-4 border-t bg-secondary/10">
diff --git a/ui/src/app/servers/page.tsx b/ui/src/app/servers/page.tsx
index e40f4f616..601658c53 100644
--- a/ui/src/app/servers/page.tsx
+++ b/ui/src/app/servers/page.tsx
@@ -10,6 +10,7 @@ import { AddServerDialog } from "@/components/AddServerDialog";
 import { ConfirmDialog } from "@/components/ConfirmDialog";
 import Link from "next/link";
 import { toast } from "sonner";
+import { useReadOnly } from "@/components/ReadOnlyProvider";
 
 export default function ServersPage() {
   // State for servers and tools
@@ -18,6 +19,8 @@ export default function ServersPage() {
   const [isLoading, setIsLoading] = useState(true);
   const [expandedServers, setExpandedServers] = useState<Set<string>>(new Set());
 
+  const readOnly = useReadOnly();
+
   // Dialog states
   const [showAddServer, setShowAddServer] = useState(false);
   const [showConfirmDelete, setShowConfirmDelete] = useState<string | null>(null);
@@ -141,7 +144,7 @@ export default function ServersPage() {
             View Tools →
           </Link>
         </div>
-        {servers.length > 0 && (
+        {!readOnly && servers.length > 0 && (
           <Button onClick={() => setShowAddServer(true)} variant="default">
             <Plus className="h-4 w-4 mr-2" />
             Add MCP Server
@@ -181,31 +184,33 @@ export default function ServersPage() {
                       </div>
                     </div>
 
-                    <div className="flex items-center gap-2">
-                      <DropdownMenu 
-                        open={openDropdownMenu === serverName} 
-                        onOpenChange={(isOpen) => setOpenDropdownMenu(isOpen ? serverName : null)}
-                      >
-                        <DropdownMenuTrigger asChild>
-                          <Button variant="ghost" size="icon" className="h-8 w-8">
-                            <MoreHorizontal className="h-4 w-4" />
-                          </Button>
-                        </DropdownMenuTrigger>
-                        <DropdownMenuContent align="end">
-                           <DropdownMenuItem 
-                             className="text-red-600 focus:text-red-700 focus:bg-red-50"
-                             onSelect={(e) => {
-                               e.preventDefault();
-                               setOpenDropdownMenu(null);
-                               setShowConfirmDelete(serverName);
-                             }}
-                           >
-                             <Trash2 className="h-4 w-4 mr-2" />
-                             Remove MCP Server
-                          </DropdownMenuItem>
-                        </DropdownMenuContent>
-                      </DropdownMenu>
-                    </div>
+                    {!readOnly && (
+                      <div className="flex items-center gap-2">
+                        <DropdownMenu
+                          open={openDropdownMenu === serverName}
+                          onOpenChange={(isOpen) => setOpenDropdownMenu(isOpen ? serverName : null)}
+                        >
+                          <DropdownMenuTrigger asChild>
+                            <Button variant="ghost" size="icon" className="h-8 w-8">
+                              <MoreHorizontal className="h-4 w-4" />
+                            </Button>
+                          </DropdownMenuTrigger>
+                          <DropdownMenuContent align="end">
+                             <DropdownMenuItem
+                               className="text-red-600 focus:text-red-700 focus:bg-red-50"
+                               onSelect={(e) => {
+                                 e.preventDefault();
+                                 setOpenDropdownMenu(null);
+                                 setShowConfirmDelete(serverName);
+                               }}
+                             >
+                               <Trash2 className="h-4 w-4 mr-2" />
+                               Remove MCP Server
+                            </DropdownMenuItem>
+                          </DropdownMenuContent>
+                        </DropdownMenu>
+                      </div>
+                    )}
                   </div>
                 </div>
 
@@ -245,11 +250,17 @@ export default function ServersPage() {
         <div className="flex flex-col items-center justify-center h-[300px] text-center p-4 border rounded-lg bg-secondary/5">
           <Server className="h-12 w-12 text-muted-foreground mb-4 opacity-20" />
           <h3 className="font-medium text-lg">No MCP servers connected</h3>
-          <p className="text-muted-foreground mt-1 mb-4">Add an MCP server to discover and use tools.</p>
-          <Button onClick={() => setShowAddServer(true)} variant="default">
-            <Plus className="h-4 w-4 mr-2" />
-            Add MCP Server
-          </Button>
+          {readOnly ? (
+            <p className="text-muted-foreground mt-1 mb-4">Resources are managed via GitOps</p>
+          ) : (
+            <>
+              <p className="text-muted-foreground mt-1 mb-4">Add an MCP server to discover and use tools.</p>
+              <Button onClick={() => setShowAddServer(true)} variant="default">
+                <Plus className="h-4 w-4 mr-2" />
+                Add MCP Server
+              </Button>
+            </>
+          )}
         </div>
       )}
 
diff --git a/ui/src/components/AgentCard.tsx b/ui/src/components/AgentCard.tsx
index a6b5fa6eb..3a2ce6868 100644
--- a/ui/src/components/AgentCard.tsx
+++ b/ui/src/components/AgentCard.tsx
@@ -8,6 +8,7 @@ import { useRouter } from "next/navigation";
 import { Pencil } from "lucide-react";
 import { k8sRefUtils } from "@/lib/k8sUtils";
 import { cn } from "@/lib/utils";
+import { useReadOnly } from "./ReadOnlyProvider";
 
 interface AgentCardProps {
   agentResponse: AgentResponse;
@@ -15,6 +16,7 @@ interface AgentCardProps {
 
 export function AgentCard({ agentResponse: { agent, model, modelProvider, deploymentReady, accepted } }: AgentCardProps) {
   const router = useRouter();
+  const readOnly = useReadOnly();
   const agentRef = k8sRefUtils.toRef(
     agent.metadata.namespace || '',
     agent.metadata.name || ''
@@ -60,21 +62,23 @@ export function AgentCard({ agentResponse: { agent, model, modelProvider, deploy
           <KagentLogo className="h-5 w-5 flex-shrink-0" />
           <span className="truncate">{agentRef}</span>
         </CardTitle>
-        <div className="flex items-center space-x-2 relative z-30 opacity-0 group-hover:opacity-100 transition-opacity">
-          <Button
-            variant="ghost"
-            size="icon"
-            onClick={handleEditClick}
-            aria-label="Edit Agent"
-            className="bg-background/80 hover:bg-background shadow-sm"
-          >
-            <Pencil className="h-4 w-4" />
-          </Button>
-          <DeleteButton
-            agentName={agent.metadata.name}
-            namespace={agent.metadata.namespace || ''}
-          />
-        </div>
+        {!readOnly && (
+          <div className="flex items-center space-x-2 relative z-30 opacity-0 group-hover:opacity-100 transition-opacity">
+            <Button
+              variant="ghost"
+              size="icon"
+              onClick={handleEditClick}
+              aria-label="Edit Agent"
+              className="bg-background/80 hover:bg-background shadow-sm"
+            >
+              <Pencil className="h-4 w-4" />
+            </Button>
+            <DeleteButton
+              agentName={agent.metadata.name}
+              namespace={agent.metadata.namespace || ''}
+            />
+          </div>
+        )}
       </CardHeader>
       <CardContent className="flex flex-col justify-between h-32 relative z-10">
         <p className="text-sm text-muted-foreground line-clamp-3 overflow-hidden">
diff --git a/ui/src/components/AgentList.tsx b/ui/src/components/AgentList.tsx
index 2cda4f683..df8768121 100644
--- a/ui/src/components/AgentList.tsx
+++ b/ui/src/components/AgentList.tsx
@@ -7,9 +7,11 @@ import { ErrorState } from "./ErrorState";
 import { Button } from "./ui/button";
 import { LoadingState } from "./LoadingState";
 import { useAgents } from "./AgentsProvider";
+import { useReadOnly } from "./ReadOnlyProvider";
 
 export default function AgentList() {
   const { agents , loading, error } = useAgents();
+  const readOnly = useReadOnly();
 
   if (error) {
     return <ErrorState message={error} />;
@@ -31,13 +33,19 @@ export default function AgentList() {
         <div className="text-center py-12">
           <KagentLogo className="h-16 w-16 mx-auto mb-4" />
           <h3 className="text-lg font-medium  mb-2">No agents yet</h3>
-          <p className=" mb-6">Create your first agent to get started</p>
-          <Button className="bg-violet-500 hover:bg-violet-600" asChild>
-            <Link href={"/agents/new"}>
-              <Plus className="h-4 w-4 mr-2" />
-              Create New Agent
-            </Link>
-          </Button>
+          {readOnly ? (
+            <p className="text-muted-foreground mb-6">Resources are managed via GitOps</p>
+          ) : (
+            <>
+              <p className=" mb-6">Create your first agent to get started</p>
+              <Button className="bg-violet-500 hover:bg-violet-600" asChild>
+                <Link href={"/agents/new"}>
+                  <Plus className="h-4 w-4 mr-2" />
+                  Create New Agent
+                </Link>
+              </Button>
+            </>
+          )}
         </div>
       ) : (
         <AgentGrid agentResponse={agents || []} />
diff --git a/ui/src/components/AppInitializer.tsx b/ui/src/components/AppInitializer.tsx
index c54f2a627..11a6789af 100644
--- a/ui/src/components/AppInitializer.tsx
+++ b/ui/src/components/AppInitializer.tsx
@@ -2,6 +2,7 @@
 
 import React, { useState } from 'react';
 import { OnboardingWizard } from './onboarding/OnboardingWizard';
+import { useReadOnly } from './ReadOnlyProvider';
 
 const LOCAL_STORAGE_KEY = 'kagent-onboarding';
 
@@ -13,6 +14,7 @@ const getInitialOnboardingState = (): boolean | null => {
 };
 
 export function AppInitializer({ children }: { children: React.ReactNode }) {
+  const readOnly = useReadOnly();
   const [isOnboarding, setIsOnboarding] = useState<boolean | null>(getInitialOnboardingState);
 
   const handleOnboardingComplete = () => {
@@ -23,14 +25,13 @@ export function AppInitializer({ children }: { children: React.ReactNode }) {
   const handleSkipWizard = () => {
     localStorage.setItem(LOCAL_STORAGE_KEY, 'true');
     setIsOnboarding(false);
-    // You might want to show a toast here as well, depending on your UI library setup
   };
 
   if (isOnboarding === null) {
-    return null; 
+    return null;
   }
 
-  if (isOnboarding) {
+  if (isOnboarding && !readOnly) {
     return <OnboardingWizard onOnboardingComplete={handleOnboardingComplete} onSkip={handleSkipWizard} />;
   }
 
diff --git a/ui/src/components/Header.tsx b/ui/src/components/Header.tsx
index 5766c92d7..8c21a3937 100644
--- a/ui/src/components/Header.tsx
+++ b/ui/src/components/Header.tsx
@@ -12,9 +12,11 @@ import {
   DropdownMenuItem,
   DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu";
+import { useReadOnly } from "./ReadOnlyProvider";
 
 export function Header() {
   const [isMenuOpen, setIsMenuOpen] = useState(false);
+  const readOnly = useReadOnly();
 
   const toggleMenu = () => {
     setIsMenuOpen(!isMenuOpen);
@@ -54,36 +56,37 @@ export function Header() {
             </Button>
 
 
-            {/* Create Dropdown */}
-            <DropdownMenu>
-              <DropdownMenuTrigger asChild>
-                <Button variant="link" className="text-secondary-foreground gap-1 px-2">
-                  <Plus className="h-4 w-4" />
-                  Create
-                  <ChevronDown className="h-4 w-4" />
-                </Button>
-              </DropdownMenuTrigger>
-              <DropdownMenuContent align="end" className="w-48">
-                <DropdownMenuItem asChild>
-                  <Link href="/agents/new" className="gap-2 cursor-pointer w-full">
-                    <KagentLogo className="h-4 w-4 text-primary" />
-                    New Agent
-                  </Link>
-                </DropdownMenuItem>
-                <DropdownMenuItem asChild>
-                  <Link href="/models/new" className="gap-2 cursor-pointer w-full">
-                    <Brain className="h-4 w-4" />
-                    New Model
-                  </Link>
-                </DropdownMenuItem>
-                <DropdownMenuItem asChild>
-                  <Link href="/servers" className="gap-2 cursor-pointer w-full">
-                    <Server className="h-4 w-4" />
-                    New MCP Server
-                  </Link>
-                </DropdownMenuItem>
-              </DropdownMenuContent>
-            </DropdownMenu>
+            {!readOnly && (
+              <DropdownMenu>
+                <DropdownMenuTrigger asChild>
+                  <Button variant="link" className="text-secondary-foreground gap-1 px-2">
+                    <Plus className="h-4 w-4" />
+                    Create
+                    <ChevronDown className="h-4 w-4" />
+                  </Button>
+                </DropdownMenuTrigger>
+                <DropdownMenuContent align="end" className="w-48">
+                  <DropdownMenuItem asChild>
+                    <Link href="/agents/new" className="gap-2 cursor-pointer w-full">
+                      <KagentLogo className="h-4 w-4 text-primary" />
+                      New Agent
+                    </Link>
+                  </DropdownMenuItem>
+                  <DropdownMenuItem asChild>
+                    <Link href="/models/new" className="gap-2 cursor-pointer w-full">
+                      <Brain className="h-4 w-4" />
+                      New Model
+                    </Link>
+                  </DropdownMenuItem>
+                  <DropdownMenuItem asChild>
+                    <Link href="/servers" className="gap-2 cursor-pointer w-full">
+                      <Server className="h-4 w-4" />
+                      New MCP Server
+                    </Link>
+                  </DropdownMenuItem>
+                </DropdownMenuContent>
+              </DropdownMenu>
+            )}
             
             {/* View Dropdown */}
             <DropdownMenu>
@@ -183,36 +186,37 @@ export function Header() {
                 </DropdownMenuContent>
               </DropdownMenu>
 
-              {/* Mobile Create Dropdown */}
-               <DropdownMenu>
-                <DropdownMenuTrigger asChild>
-                  <Button variant="ghost" className="text-secondary-foreground justify-start px-1 gap-1 w-full">
-                     <Plus className="h-4 w-4" />
-                    Create
-                    <ChevronDown className="h-4 w-4" />
-                  </Button>
-                </DropdownMenuTrigger>
-                <DropdownMenuContent align="start" className="w-56">
-                   <DropdownMenuItem asChild onClick={handleMobileLinkClick}>
-                    <Link href="/agents/new" className="gap-2 cursor-pointer w-full">
-                      <KagentLogo className="h-4 w-4 text-primary" />
-                      New Agent
-                    </Link>
-                  </DropdownMenuItem>
-                  <DropdownMenuItem asChild onClick={handleMobileLinkClick}>
-                    <Link href="/models/new" className="gap-2 cursor-pointer w-full">
-                      <Brain className="h-4 w-4" />
-                      New Model
-                    </Link>
-                  </DropdownMenuItem>
-                  <DropdownMenuItem asChild onClick={handleMobileLinkClick}>
-                    <Link href="/servers/new" className="gap-2 cursor-pointer w-full">
-                      <Server className="h-4 w-4" />
-                      New MCP Server
-                    </Link>
-                  </DropdownMenuItem>
-                </DropdownMenuContent>
-              </DropdownMenu>
+              {!readOnly && (
+                <DropdownMenu>
+                  <DropdownMenuTrigger asChild>
+                    <Button variant="ghost" className="text-secondary-foreground justify-start px-1 gap-1 w-full">
+                      <Plus className="h-4 w-4" />
+                      Create
+                      <ChevronDown className="h-4 w-4" />
+                    </Button>
+                  </DropdownMenuTrigger>
+                  <DropdownMenuContent align="start" className="w-56">
+                    <DropdownMenuItem asChild onClick={handleMobileLinkClick}>
+                      <Link href="/agents/new" className="gap-2 cursor-pointer w-full">
+                        <KagentLogo className="h-4 w-4 text-primary" />
+                        New Agent
+                      </Link>
+                    </DropdownMenuItem>
+                    <DropdownMenuItem asChild onClick={handleMobileLinkClick}>
+                      <Link href="/models/new" className="gap-2 cursor-pointer w-full">
+                        <Brain className="h-4 w-4" />
+                        New Model
+                      </Link>
+                    </DropdownMenuItem>
+                    <DropdownMenuItem asChild onClick={handleMobileLinkClick}>
+                      <Link href="/servers/new" className="gap-2 cursor-pointer w-full">
+                        <Server className="h-4 w-4" />
+                        New MCP Server
+                      </Link>
+                    </DropdownMenuItem>
+                  </DropdownMenuContent>
+                </DropdownMenu>
+              )}
               
               {/* Mobile Other Links */}
               <Button variant="ghost" className="text-secondary-foreground justify-start px-1" asChild>
diff --git a/ui/src/components/ReadOnlyProvider.tsx b/ui/src/components/ReadOnlyProvider.tsx
new file mode 100644
index 000000000..7c7d7f5d5
--- /dev/null
+++ b/ui/src/components/ReadOnlyProvider.tsx
@@ -0,0 +1,19 @@
+"use client";
+
+import React, { createContext, useContext } from "react";
+
+const ReadOnlyContext = createContext<boolean>(false);
+
+export function ReadOnlyProvider({ children }: { children: React.ReactNode }) {
+  const isReadOnly = process.env.NEXT_PUBLIC_READ_ONLY === "true";
+
+  return (
+    <ReadOnlyContext.Provider value={isReadOnly}>
+      {children}
+    </ReadOnlyContext.Provider>
+  );
+}
+
+export function useReadOnly(): boolean {
+  return useContext(ReadOnlyContext);
+}
diff --git a/ui/src/components/sidebars/ChatItem.tsx b/ui/src/components/sidebars/ChatItem.tsx
index 6b01371ed..ccdcdc061 100644
--- a/ui/src/components/sidebars/ChatItem.tsx
+++ b/ui/src/components/sidebars/ChatItem.tsx
@@ -14,6 +14,7 @@ import { SidebarMenu, SidebarMenuAction, SidebarMenuButton, SidebarMenuItem } fr
 import Link from "next/link";
 import { DropdownMenu, DropdownMenuContent, DropdownMenuItem, DropdownMenuTrigger } from "@/components/ui/dropdown-menu";
 import { Button } from "../ui/button";
+import { useReadOnly } from "../ReadOnlyProvider";
 
 interface ChatItemProps {
   sessionId: string;
@@ -26,6 +27,7 @@ interface ChatItemProps {
 }
 
 const ChatItem = ({ sessionId, agentName, agentNamespace, onDelete, sessionName, onDownload, createdAt }: ChatItemProps) => {
+  const readOnly = useReadOnly();
   const title = sessionName || "Untitled";
   
   // Format timestamp based on how recent it is
@@ -81,29 +83,31 @@ const ChatItem = ({ sessionId, agentName, agentNamespace, onDelete, sessionName,
                   <span>Download</span>
                 </Button>
               </DropdownMenuItem>
-              <DropdownMenuItem onSelect={(e) => e.preventDefault()} className="p-0">
-                <AlertDialog>
-                  <AlertDialogTrigger asChild>
-                    <Button variant={"ghost"} className="w-full justify-start px-2 py-1.5 text-red-500 hover:text-red-500">
-                      <Trash2 className="mr-2 h-4 w-4" />
-                      <span>Delete</span>
-                    </Button>
-                  </AlertDialogTrigger>
+              {!readOnly && (
+                <DropdownMenuItem onSelect={(e) => e.preventDefault()} className="p-0">
+                  <AlertDialog>
+                    <AlertDialogTrigger asChild>
+                      <Button variant={"ghost"} className="w-full justify-start px-2 py-1.5 text-red-500 hover:text-red-500">
+                        <Trash2 className="mr-2 h-4 w-4" />
+                        <span>Delete</span>
+                      </Button>
+                    </AlertDialogTrigger>
 
-                  <AlertDialogContent>
-                    <AlertDialogHeader>
-                      <AlertDialogTitle className="text-secondary-foreground">Delete Chat</AlertDialogTitle>
-                      <AlertDialogDescription>Are you sure you want to delete this chat? This action cannot be undone.</AlertDialogDescription>
-                    </AlertDialogHeader>
-                    <AlertDialogFooter>
-                      <AlertDialogCancel className="text-secondary-foreground">Cancel</AlertDialogCancel>
-                      <AlertDialogAction onClick={async () => onDelete(sessionId)} className="bg-red-500 hover:bg-red-600">
-                        Delete
-                      </AlertDialogAction>
-                    </AlertDialogFooter>
-                  </AlertDialogContent>
-                </AlertDialog>
-              </DropdownMenuItem>
+                    <AlertDialogContent>
+                      <AlertDialogHeader>
+                        <AlertDialogTitle className="text-secondary-foreground">Delete Chat</AlertDialogTitle>
+                        <AlertDialogDescription>Are you sure you want to delete this chat? This action cannot be undone.</AlertDialogDescription>
+                      </AlertDialogHeader>
+                      <AlertDialogFooter>
+                        <AlertDialogCancel className="text-secondary-foreground">Cancel</AlertDialogCancel>
+                        <AlertDialogAction onClick={async () => onDelete(sessionId)} className="bg-red-500 hover:bg-red-600">
+                          Delete
+                        </AlertDialogAction>
+                      </AlertDialogFooter>
+                    </AlertDialogContent>
+                  </AlertDialog>
+                </DropdownMenuItem>
+              )}
             </DropdownMenuContent>
           </DropdownMenu>
         </SidebarMenuItem>

From 4475109e049b41a25c36b01204e4bbe5bfb6ce72 Mon Sep 17 00:00:00 2001
From: opspawn <opspawn@users.noreply.github.com>
Date: Fri, 20 Feb 2026 23:45:14 +0000
Subject: [PATCH 2/3] fix: address Copilot review feedback on read-only mode

- Replace server-only redirect() with client-side useRouter().replace()
  in agents/new and models/new pages (both marked "use client")
- Fix mobile "New MCP Server" link to point to /servers instead of
  non-existent /servers/new route

Signed-off-by: opspawn <opspawn@users.noreply.github.com>
---
 ui/src/app/agents/new/page.tsx | 11 +++++++++--
 ui/src/app/models/new/page.tsx | 11 +++++++++--
 ui/src/components/Header.tsx   |  2 +-
 3 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/ui/src/app/agents/new/page.tsx b/ui/src/app/agents/new/page.tsx
index fc80afeba..3f3ba0b7a 100644
--- a/ui/src/app/agents/new/page.tsx
+++ b/ui/src/app/agents/new/page.tsx
@@ -9,7 +9,7 @@ import { ModelConfig, AgentType } from "@/types";
 import { SystemPromptSection } from "@/components/create/SystemPromptSection";
 import { ModelSelectionSection } from "@/components/create/ModelSelectionSection";
 import { ToolsSection } from "@/components/create/ToolsSection";
-import { useRouter, useSearchParams, redirect } from "next/navigation";
+import { useRouter, useSearchParams } from "next/navigation";
 import { useAgents } from "@/components/AgentsProvider";
 import { useReadOnly } from "@/components/ReadOnlyProvider";
 import { LoadingState } from "@/components/LoadingState";
@@ -740,14 +740,21 @@ function AgentPageContent({ isEditMode, agentName, agentNamespace }: AgentPageCo
 // Main component that wraps the content in a Suspense boundary
 export default function AgentPage() {
   const readOnly = useReadOnly();
+  const router = useRouter();
   // Determine if in edit mode
   const searchParams = useSearchParams();
   const isEditMode = searchParams.get("edit") === "true";
   const agentName = searchParams.get("name");
   const agentNamespace = searchParams.get("namespace");
 
+  useEffect(() => {
+    if (readOnly) {
+      router.replace("/");
+    }
+  }, [readOnly, router]);
+
   if (readOnly) {
-    redirect("/");
+    return null;
   }
 
   // Create a key based on the edit mode and agent ID
diff --git a/ui/src/app/models/new/page.tsx b/ui/src/app/models/new/page.tsx
index 4214e3f90..7dfb7dfb3 100644
--- a/ui/src/app/models/new/page.tsx
+++ b/ui/src/app/models/new/page.tsx
@@ -2,7 +2,7 @@
 import React, { useState, useEffect } from "react";
 import { Button } from "@/components/ui/button";
 import { Loader2 } from "lucide-react";
-import { useRouter, useSearchParams, redirect } from "next/navigation";
+import { useRouter, useSearchParams } from "next/navigation";
 import { LoadingState } from "@/components/LoadingState";
 import { ErrorState } from "@/components/ErrorState";
 import { getModelConfig, createModelConfig, updateModelConfig } from "@/app/actions/modelConfigs";
@@ -761,9 +761,16 @@ function ModelPageContent() {
 
 export default function ModelPage() {
   const readOnly = useReadOnly();
+  const router = useRouter();
+
+  useEffect(() => {
+    if (readOnly) {
+      router.replace("/");
+    }
+  }, [readOnly, router]);
 
   if (readOnly) {
-    redirect("/");
+    return null;
   }
 
   return (
diff --git a/ui/src/components/Header.tsx b/ui/src/components/Header.tsx
index 8c21a3937..fc1c17f2e 100644
--- a/ui/src/components/Header.tsx
+++ b/ui/src/components/Header.tsx
@@ -209,7 +209,7 @@ export function Header() {
                       </Link>
                     </DropdownMenuItem>
                     <DropdownMenuItem asChild onClick={handleMobileLinkClick}>
-                      <Link href="/servers/new" className="gap-2 cursor-pointer w-full">
+                      <Link href="/servers" className="gap-2 cursor-pointer w-full">
                         <Server className="h-4 w-4" />
                         New MCP Server
                       </Link>

From 5b388f01ec02f9d36070c298ce441397d85e8e49 Mon Sep 17 00:00:00 2001
From: opspawn <opspawn@users.noreply.github.com>
Date: Sat, 21 Feb 2026 00:12:08 +0000
Subject: [PATCH 3/3] ci: retrigger CI to clear flaky e2e failure

Signed-off-by: opspawn <opspawn@users.noreply.github.com>