docs(k8s-proxy): add Kubernetes Proxy REST API and DaemonSet recording mode

[officialasishkumar]

What has changed?

Adds the v4 Kubernetes Proxy REST API reference, documents DaemonSet as a first-class recording mode alongside Sidecar in the K8s Live Record & Replay quickstart (v3 + v4), and lands the Vale wiring needed to keep both pages green in CI.

1. New page: versioned_docs/version-4.0.0/running-keploy/k8s-proxy-api.md (+481)

Full REST API reference for the in-cluster keploy/k8s-proxy service, structured to mirror the existing Public REST API guide. Covers:

• Why the proxy — zero-touch webhook-based agent injection, one shared-token endpoint per Deployment, namespace scoping, durable session storage, auto-replay loop, GitOps-aware self-update, and edge-side static deduplication.
• Recording modes — Sidecar (default, agent injected via MutatingAdmissionWebhook) and DaemonSet (per-node Pod, eBPF capture, scoped by a RecordingSession CR, no application-Pod mutation, supports cluster-mode auto-replay). Both modes expose the same REST API documented on the page.
• Authentication — how the 32-byte crypto/rand shared token is generated on every proxy Pod start, heartbeated to the Keploy API server, and retrieved by callers via JWT → /cluster/getApp?namespace=&deployment=&clusterName= (or /cluster/getApps for a fleet-wide read).
• Response format with concrete success / 400 / 401 / 403 examples, plus an HTTP error-code table (400, 401, 403, 404, 405, 500, 503).
• Quick start that walks /deployments → /record/start (with record_config: static_dedup, enable_sampling, filters) → NDJSON /record/status → /record/stop.
• Recording configuration field tables for record_config (filters, client_key, enable_sampling, static_dedup, custom_dedup_fields, low_latency_mode, debug, memory_limit with the 2× memory-request → memory-limit rule, secret_protection), the per-Filter shape, and Auto-replay configuration (autoReplayInterval, mongoPassword, apiTimeout, delay, globalNoise, envOverrides).
• Endpoint reference organised by domain: health & admission, deployments, recording, replay/test, the API-server-compatible data routes mounted under /k8s-proxy/* (testcases, mocks/mappings, reports & schema coverage, saved config), the Assertion-Test Generator (ATG) routes, and proxy self-management (/proxy/update, /proxy/update/status, /proxy/shutdown, proxy log endpoints, auto-replay debug bundles).
• Namespace scoping rules for watchNamespace and the 403 cross-namespace contract.
• Related guides cross-links to Static Deduplication, keploy dedup, the Public REST API, the Kubernetes installation guide, and the GitOps with Argo CD page.

versioned_sidebars/version-4.0.0-sidebars.json wires the new page into the API Reference group right next to running-keploy/public-api.

2. Quickstart: document DaemonSet recording mode (v3 + v4, +46/-0 each)

versioned_docs/version-{3,4}.0.0/quickstart/k8s-proxy.md previously only walked the Sidecar flow. Two additions, applied to both versions (the files were identical pre-edit):

• "Pick a recording mode" section right above step 1, with a comparison table of when to choose Sidecar vs DaemonSet (capture mechanism, behavior on Start Recording, whether application Pods are mutated, whether they restart at recording start, and when each mode is the right fit).
• "DaemonSet mode (optional)" subsection under step 4, with the Helm flags (daemonset.enabled=true, daemonset.crds.install=true) and the verification commands (kubectl get pods -n keploy, kubectl get crd | grep keploy.io).

Both modes drive the identical Console UI / REST API, so the existing screenshots and the rest of the quickstart stay correct verbatim — only the install command branches.

3. CI fixes for the new content

• .vale.ini: disable Google.Units sitewide. The rule's \d+(?:s|ms|ns|min|h|d) regex matches 8s inside the token k8s (and k3s/k0s/…), and every K8s Proxy quickstart screenshot URL contains k8s-proxy/k8s_…. With filter_mode: diff_context, any diff hunk that reaches into those lines turns every K8s image src into a Vale error. Disabling is consistent with the other Google.* overrides already in .vale.ini (PassiveVoice/We/Will/Exclamation/Ellipses/Latin).
• vale_styles/config/vocabularies/Base/accept.txt: add the domain terms used in the new prose — IPs, [Dd]edups, [Rr]ollout[s]?, [Pp]refill[s]?, [Aa]uditable, [Cc]ooldown, [Ll]iveness, MongoIDs, initialised, [Dd]aemon[Ss]et[s]?, [Cc]RD[s]?, eBPF, [Mm]utatingAdmissionWebhook, RecordingSession[s]?, ReplaySession[s]?, keploy-daemonset, keploy-agent, recordingsessions, replaysessions.
• Em-dashes around the new prose stripped of surrounding spaces to satisfy Google.EmDash; the new quickstart sections re-flowed with Prettier 3.8.3 (api.md was already prettier-clean).

The original scope of this PR also included versioned_docs/version-4.0.0/keploy-cloud/static-deduplication.md. That page landed separately via #841, so this PR now ships only the K8s Proxy REST API reference, the Sidecar/DaemonSet quickstart additions, and the supporting Vale wiring (6 files, +595/-1).

Resolves keploy/enterprise#1919.

Type of change

• New feature (non-breaking change which adds functionality).
• Documentation update (if none of the other choices apply).

How Has This Been Tested?

• npm install && npm run build completes cleanly against the new files.
• Vale 3.0.3 run locally against k8s-proxy-api.md and the changed quickstart files: 0 errors, 0 warnings, 0 suggestions.
• Prettier 3.8.3 --check clean on every changed Markdown file.
• JSON validated for versioned_sidebars/version-4.0.0-sidebars.json.
• Every documented endpoint, query parameter, response shape, error code, RBAC claim, and RecordConfig/AutoReplayConfig field was cross-checked against the current keploy/k8s-proxy and keploy/api-server source on main before publishing. The Helm flags and CRD names in the DaemonSet quickstart section were cross-checked against the keploy/k8s-proxy chart values.

Checklist:

• My code follows the style guidelines of this project.
• I have performed a self-review of my own code.

[officialasishkumar]

Force-pushed a single squashed commit (d780b16) replacing the original four commits. Highlights of the rewrite:

Squash + rebase

• Rebased onto current main, which dropped the redundant static-deduplication.md (already merged via docs: add Static Deduplication guide #841) and resolved the accept.txt and sidebars conflicts.
• PR is back to MERGEABLE. Net diff is now +481 / -1 across versioned_docs/version-4.0.0/running-keploy/k8s-proxy-api.md (new), the v4 sidebar, and the Vale base vocabulary.

Authentication section rewrite (was the biggest accuracy bug)

• Removed the recipe that read <release-fullname>-shared-token Secret and KEPLOY_SHARED_TOKEN env var. The Helm chart does not provision either; the only secrets it creates are keploy-credentials (access-key) and mongodb-credentials. Auditing against keploy/k8s-proxy@048cc85, cmd/k8s/main.go:144-148 shows the token is generated at proxy Pod startup via crypto/rand and reported to api-server through the heartbeat in pkg/service/cluster/service.go:485.
• Replaced with the actual retrieval flow: log in to api-server, then GET /cluster/getApp?namespace=&deployment=&clusterName= (or /cluster/getApps) returns sharedToken directly from latestHeartbeat.SharedToken. Routes are mounted in keploy/api-server pkg/http/routes.go:455-456 and the response shape is in pkg/http/cluster.go:389,447,520.
• Added a paragraph explaining why the token rotates on Pod restart and why programmatic callers must re-fetch.

Stripped fabricated DaemonSet / CRD claims

• Removed every "In DaemonSet mode" sentence and the RecordingSession custom resource claim. The repo only has sidecar/webhook injection; the in-tree comment at keploy/k8s-proxy tests/e2e/istio-graceful-attach/manifests/recordingsession.yaml:1 literally states "RecordingSession is NOT a Kubernetes CRD in this codebase."
• Dropped the daemonset-mode record-start response example. handleRecordStart at pkg/http/handlers.go:2082 only ever returns {"record":"started","id":"<ns>-<dep>"}.

Removed two non-existent routes from the endpoint table

• GET /k8s-proxy/mode (no capture_mode literal anywhere in the codebase). The "Capture mode and health" subsection is now just "Health".
• POST /k8s-proxy/apps/ensure (not registered in pkg/http/routes.go:141-204).

What stays as-is (verified accurate against current k8s-proxy code)

• All /k8s-proxy/* data routes, /agent/* ATG sandbox routes, /autoreplay/debug-bundles/* routes, /proxy/update*, /logs/proxy*, /record/*, /test/* route lists.
• RecordConfig / Filter / RecordRequest / AutoReplayConfig / ReplayRequest field tables (matched against pkg/models/http.go:35-150).
• 2x memory-limit rule for the injected sidecar (verified at pkg/service/webhook/service.go:884).
• 401 / 403 envelope shapes, namespace-scoping behavior, /healthz response, /agent/run/{jobID} 30s default timeout.

CI is fully green: vale, lint, prettier, deploy-preview, DCO all pass on the new commit.

[khareyash05]

LGTM