feat(enterprise): add enterprise enablement features for Issue #476

[boshu2]

Summary

Implements enterprise-grade deployment capabilities for kagent, addressing Issue #476.

High Availability

• PodDisruptionBudgets for controller and UI with configurable min/max availability
• Helm chart templates with sensible defaults

Observability

• ServiceMonitor for Prometheus Operator integration
• PrometheusRule with default alerts (controller down, high error rate, high latency)
• Structured audit logging with JSON format and request tracing

Security

• OAuth2/OIDC authentication with JWT validation and JWKS caching
• Configurable claims extraction (user ID, roles, scopes)
• Bearer token support from header and query parameter

Multi-tenancy

• Namespace-scoped controller via watchNamespaces parameter
• Namespace isolation validation in all reconcilers
• Cluster-wide mode when no namespaces specified

OpenShift Support

• Security context compatible with restricted-v2 SCC
• Deployment guide for Routes, SCCs, and Pod Security Standards

Test Plan

Tested on OpenShift 4.16 (ocppoc cluster):

• helm upgrade --install succeeds with enterprise values
• Pods reach Running state (controller 1/1, UI 1/1)
• PodDisruptionBudgets created with minAvailable: 1
• ServiceMonitor exists and Prometheus scraping active
• PrometheusRule loaded with alerting rules
• Audit logs show structured JSON with request IDs
• OpenShift Route created and accessible
• helm unittest passes for PDB templates

Validation Evidence

$ oc get pods -n kagent-dev
NAME                                 READY   STATUS    RESTARTS   AGE
kagent-controller-7999c7db56-nqbpd   1/1     Running   0          7m
kagent-ui-7b754f65bf-f7vps           1/1     Running   0          7m

$ oc get pdb -n kagent-dev
NAME                MIN AVAILABLE   MAX UNAVAILABLE   ALLOWED DISRUPTIONS   AGE
kagent-controller   1               N/A               0                     8m
kagent-ui           1               N/A               0                     8m

$ oc get servicemonitor,prometheusrule -n kagent-dev
NAME                                        AGE
servicemonitor.monitoring.coreos.com/kagent-controller   8m
NAME                                            AGE
prometheusrule.monitoring.coreos.com/kagent-controller   8m

Audit Log Sample

{"level":"info","ts":"2026-01-02T01:57:36Z","logger":"audit",
 "msg":"Audit: request completed","request_id":"ed5c6c22-6ddb-4814-a4f6-d68a344f3aae",
 "user":"admin@kagent.dev","action":"GET /health","status":200,"duration_ms":0}

Changes

Category	Files	Lines
Go (OAuth2, Audit, Namespace)	8	+1,552
Go Tests	3	+1,107
Helm Templates	4	+344
Helm Values	1	+88
Docs	2	+229
Total	16	+3,142

Commits

1. feat(enterprise): Core implementation - OAuth2, namespace isolation, audit logging, Helm templates
2. docs: EP-476 design proposal and OpenShift deployment guide

Closes #476

[boshu2]

Closing - submitted prematurely. Will resubmit as draft after proper validation.