npm - @action-llama/action-llama - Versions diffs - 0.8.2 → 0.9.1 - Mend

@action-llama/action-llama 0.8.2 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (54) hide show

package/dist/cli/commands/cloud-deploy.d.ts +15 -0
package/dist/cli/commands/cloud-deploy.d.ts.map +1 -0
package/dist/cli/commands/cloud-deploy.js +136 -0
package/dist/cli/commands/cloud-deploy.js.map +1 -0
package/dist/cli/commands/cloud-setup.d.ts.map +1 -1
package/dist/cli/commands/cloud-setup.js +298 -3
package/dist/cli/commands/cloud-setup.js.map +1 -1
package/dist/cli/commands/cloud-teardown.js +12 -2
package/dist/cli/commands/cloud-teardown.js.map +1 -1
package/dist/cli/commands/logs.d.ts.map +1 -1
package/dist/cli/commands/logs.js +31 -0
package/dist/cli/commands/logs.js.map +1 -1
package/dist/cli/commands/status.d.ts.map +1 -1
package/dist/cli/commands/status.js +25 -0
package/dist/cli/commands/status.js.map +1 -1
package/dist/cli/main.js +8 -0
package/dist/cli/main.js.map +1 -1
package/dist/cloud/deploy-apprunner.d.ts +37 -0
package/dist/cloud/deploy-apprunner.d.ts.map +1 -0
package/dist/cloud/deploy-apprunner.js +201 -0
package/dist/cloud/deploy-apprunner.js.map +1 -0
package/dist/cloud/deploy-cloudrun.d.ts +36 -0
package/dist/cloud/deploy-cloudrun.d.ts.map +1 -0
package/dist/cloud/deploy-cloudrun.js +154 -0
package/dist/cloud/deploy-cloudrun.js.map +1 -0
package/dist/cloud/image-builder.d.ts +35 -0
package/dist/cloud/image-builder.d.ts.map +1 -0
package/dist/cloud/image-builder.js +111 -0
package/dist/cloud/image-builder.js.map +1 -0
package/dist/cloud/scheduler-image.d.ts +27 -0
package/dist/cloud/scheduler-image.d.ts.map +1 -0
package/dist/cloud/scheduler-image.js +127 -0
package/dist/cloud/scheduler-image.js.map +1 -0
package/dist/docker/aws-shared.d.ts.map +1 -1
package/dist/docker/aws-shared.js +13 -8
package/dist/docker/aws-shared.js.map +1 -1
package/dist/docker/ecs-runtime.d.ts +1 -1
package/dist/docker/ecs-runtime.d.ts.map +1 -1
package/dist/docker/ecs-runtime.js +2 -2
package/dist/docker/ecs-runtime.js.map +1 -1
package/dist/docker/local-runtime.d.ts.map +1 -1
package/dist/docker/local-runtime.js +4 -2
package/dist/docker/local-runtime.js.map +1 -1
package/dist/scheduler/index.d.ts.map +1 -1
package/dist/scheduler/index.js +22 -107
package/dist/scheduler/index.js.map +1 -1
package/dist/shared/aws-constants.d.ts +12 -0
package/dist/shared/aws-constants.d.ts.map +1 -1
package/dist/shared/aws-constants.js +12 -0
package/dist/shared/aws-constants.js.map +1 -1
package/dist/shared/config.d.ts +4 -0
package/dist/shared/config.d.ts.map +1 -1
package/dist/shared/config.js.map +1 -1
package/package.json +2 -1

package/dist/cli/commands/cloud-deploy.d.ts ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * `al cloud deploy` — Build and deploy the scheduler + agents to the cloud.
+ *
+ * Steps:
+ * 1. Validate config (must have [cloud] section)
+ * 2. Run doctor -c to ensure creds are pushed + IAM is set up
+ * 3. Create cloud runtime + build all agent images
+ * 4. Build scheduler image
+ * 5. Deploy scheduler service (App Runner or Cloud Run)
+ * 6. Print deployed URL
+ */
+export declare function execute(opts: {
+    project: string;
+}): Promise<void>;
+//# sourceMappingURL=cloud-deploy.d.ts.map

package/dist/cli/commands/cloud-deploy.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"cloud-deploy.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/cloud-deploy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAWH,wBAAsB,OAAO,CAAC,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA8FtE"}

package/dist/cli/commands/cloud-deploy.js ADDED Viewed

@@ -0,0 +1,136 @@
+/**
+ * `al cloud deploy` — Build and deploy the scheduler + agents to the cloud.
+ *
+ * Steps:
+ * 1. Validate config (must have [cloud] section)
+ * 2. Run doctor -c to ensure creds are pushed + IAM is set up
+ * 3. Create cloud runtime + build all agent images
+ * 4. Build scheduler image
+ * 5. Deploy scheduler service (App Runner or Cloud Run)
+ * 6. Print deployed URL
+ */
+import { resolve } from "path";
+import { loadGlobalConfig, discoverAgents, loadAgentConfig, validateAgentConfig } from "../../shared/config.js";
+import { execute as runDoctor } from "./doctor.js";
+import { buildAllImages } from "../../cloud/image-builder.js";
+import { buildSchedulerImage } from "../../cloud/scheduler-image.js";
+import { createLogger } from "../../shared/logger.js";
+export async function execute(opts) {
+    const projectPath = resolve(opts.project);
+    const globalConfig = loadGlobalConfig(projectPath);
+    const cloud = globalConfig.cloud;
+    if (!cloud) {
+        throw new Error("No [cloud] section found in config.toml. Run 'al cloud setup' first.");
+    }
+    const logger = createLogger(projectPath, "deploy");
+    console.log(`\n=== Cloud Deploy (${cloud.provider}) ===\n`);
+    // 1. Run doctor -c to push credentials and reconcile IAM
+    console.log("Step 1: Validating credentials and IAM...");
+    await runDoctor({ project: opts.project, cloud: true, checkOnly: true });
+    console.log("");
+    // 2. Set up cloud credential backend
+    const { setDefaultBackend } = await import("../../shared/credentials.js");
+    const { createBackendFromCloudConfig } = await import("../../shared/remote.js");
+    const backend = await createBackendFromCloudConfig(cloud);
+    setDefaultBackend(backend);
+    // 3. Discover agents and create runtime
+    const agentNames = discoverAgents(projectPath);
+    if (agentNames.length === 0) {
+        throw new Error("No agents found. Create agents first.");
+    }
+    const agentConfigs = agentNames.map((name) => loadAgentConfig(projectPath, name));
+    for (const config of agentConfigs) {
+        validateAgentConfig(config);
+    }
+    const activeAgentConfigs = agentConfigs.filter((a) => (a.scale ?? 1) > 0);
+    const runtime = await createCloudRuntime(cloud);
+    // 4. Build agent images
+    console.log("Step 2: Building agent images...");
+    const lastProgress = new Map();
+    await buildAllImages({
+        projectPath,
+        globalConfig,
+        activeAgentConfigs,
+        runtime,
+        runtimeType: cloud.provider,
+        logger,
+        skills: { locking: true },
+        onProgress: (label, msg) => {
+            // Avoid repeating the same message for the same label
+            if (lastProgress.get(label) !== msg) {
+                lastProgress.set(label, msg);
+                console.log(`  [${label}] ${msg}`);
+            }
+        },
+    });
+    console.log("Agent images built and pushed.\n");
+    // 5. Build scheduler image
+    console.log("Step 3: Building scheduler image...");
+    const schedulerImageUri = await buildSchedulerImage({
+        projectPath,
+        globalConfig,
+        runtime,
+        logger,
+        onProgress: (msg) => console.log(`  ${msg}`),
+    });
+    console.log(`Scheduler image: ${schedulerImageUri}\n`);
+    // 6. Deploy scheduler service
+    console.log("Step 4: Deploying scheduler service...");
+    const serviceInfo = await deploySchedulerService(cloud, schedulerImageUri);
+    console.log(`\nScheduler deployed successfully!`);
+    console.log(`  URL:    ${serviceInfo.serviceUrl}`);
+    console.log(`  Status: ${serviceInfo.status}`);
+    // Print webhook URLs
+    const webhookSources = globalConfig.webhooks ?? {};
+    const providerTypes = new Set(agentConfigs.flatMap((a) => a.webhooks?.map((t) => webhookSources[t.source]?.type).filter(Boolean) || []));
+    if (providerTypes.size > 0) {
+        console.log("\nWebhook endpoints:");
+        for (const pt of providerTypes) {
+            console.log(`  ${pt}: ${serviceInfo.serviceUrl}/webhooks/${pt}`);
+        }
+    }
+    console.log("");
+}
+async function createCloudRuntime(cloud) {
+    if (cloud.provider === "cloud-run") {
+        const { CloudRunJobRuntime } = await import("../../docker/cloud-run-runtime.js");
+        const { gcpProject, region, artifactRegistry, serviceAccount, secretPrefix } = cloud;
+        if (!gcpProject || !region || !artifactRegistry || !serviceAccount) {
+            throw new Error("Cloud Run deployment requires cloud.gcpProject, cloud.region, " +
+                "cloud.artifactRegistry, and cloud.serviceAccount in config.toml");
+        }
+        return new CloudRunJobRuntime({ gcpProject, region, artifactRegistry, serviceAccount, secretPrefix });
+    }
+    if (cloud.provider === "ecs") {
+        const { ECSFargateRuntime } = await import("../../docker/ecs-runtime.js");
+        const cc = cloud;
+        if (!cc.awsRegion || !cc.ecsCluster || !cc.ecrRepository || !cc.executionRoleArn || !cc.taskRoleArn || !cc.subnets?.length) {
+            throw new Error("ECS deployment requires cloud.awsRegion, cloud.ecsCluster, cloud.ecrRepository, " +
+                "cloud.executionRoleArn, cloud.taskRoleArn, and cloud.subnets in config.toml");
+        }
+        return new ECSFargateRuntime({
+            awsRegion: cc.awsRegion,
+            ecsCluster: cc.ecsCluster,
+            ecrRepository: cc.ecrRepository,
+            executionRoleArn: cc.executionRoleArn,
+            taskRoleArn: cc.taskRoleArn,
+            subnets: cc.subnets,
+            securityGroups: cc.securityGroups,
+            secretPrefix: cc.awsSecretPrefix,
+            buildBucket: cc.buildBucket,
+        });
+    }
+    throw new Error(`Unknown cloud provider: "${cloud.provider}"`);
+}
+async function deploySchedulerService(cloud, imageUri) {
+    if (cloud.provider === "ecs") {
+        const { deployAppRunner } = await import("../../cloud/deploy-apprunner.js");
+        return await deployAppRunner({ imageUri, cloudConfig: cloud });
+    }
+    if (cloud.provider === "cloud-run") {
+        const { deployCloudRun } = await import("../../cloud/deploy-cloudrun.js");
+        return await deployCloudRun({ imageUri, cloudConfig: cloud });
+    }
+    throw new Error(`Unknown cloud provider: "${cloud.provider}"`);
+}
+//# sourceMappingURL=cloud-deploy.js.map

package/dist/cli/commands/cloud-deploy.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cloud-deploy.js","sourceRoot":"","sources":["../../../src/cli/commands/cloud-deploy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC/B,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAEhH,OAAO,EAAE,OAAO,IAAI,SAAS,EAAE,MAAM,aAAa,CAAC;AACnD,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,mBAAmB,EAAE,MAAM,gCAAgC,CAAC;AACrE,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAGtD,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAyB;IACrD,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,YAAY,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACnD,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC;IAEjC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;IAC1F,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;IAEnD,OAAO,CAAC,GAAG,CAAC,uBAAuB,KAAK,CAAC,QAAQ,SAAS,CAAC,CAAC;IAE5D,yDAAyD;IACzD,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;IACzD,MAAM,SAAS,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,qCAAqC;IACrC,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;IAC1E,MAAM,EAAE,4BAA4B,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;IAChF,MAAM,OAAO,GAAG,MAAM,4BAA4B,CAAC,KAAK,CAAC,CAAC;IAC1D,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAE3B,wCAAwC;IACxC,MAAM,UAAU,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAC/C,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,MAAM,YAAY,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,eAAe,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,CAAC;IAClF,KAAK,MAAM,MAAM,IAAI,YAAY,EAAE,CAAC;QAClC,mBAAmB,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;IACD,MAAM,kBAAkB,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAE1E,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAEhD,wBAAwB;IACxB,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;IAChD,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC/C,MAAM,cAAc,CAAC;QACnB,WAAW;QACX,YAAY;QACZ,kBAAkB;QAClB,OAAO;QACP,WAAW,EAAE,KAAK,CAAC,QAAQ;QAC3B,MAAM;QACN,MAAM,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;QACzB,UAAU,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;YACzB,sDAAsD;YACtD,IAAI,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,GAAG,EAAE,CAAC;gBACpC,YAAY,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAC7B,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,KAAK,GAAG,EAAE,CAAC,CAAC;YACrC,CAAC;QACH,CAAC;KACF,CAAC,CAAC;IACH,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;IAEhD,2BAA2B;IAC3B,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;IACnD,MAAM,iBAAiB,GAAG,MAAM,mBAAmB,CAAC;QAClD,WAAW;QACX,YAAY;QACZ,OAAO;QACP,MAAM;QACN,UAAU,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC;KAC7C,CAAC,CAAC;IACH,OAAO,CAAC,GAAG,CAAC,oBAAoB,iBAAiB,IAAI,CAAC,CAAC;IAEvD,8BAA8B;IAC9B,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;IACtD,MAAM,WAAW,GAAG,MAAM,sBAAsB,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;IAE3E,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;IAClD,OAAO,CAAC,GAAG,CAAC,aAAa,WAAW,CAAC,UAAU,EAAE,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,aAAa,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;IAE/C,qBAAqB;IACrB,MAAM,cAAc,GAAG,YAAY,CAAC,QAAQ,IAAI,EAAE,CAAC;IACnD,MAAM,aAAa,GAAG,IAAI,GAAG,CAC3B,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CACzB,CAAC,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAC7E,CACF,CAAC;IAEF,IAAI,aAAa,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACpC,KAAK,MAAM,EAAE,IAAI,aAAa,EAAE,CAAC;YAC/B,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,KAAK,WAAW,CAAC,UAAU,aAAa,EAAE,EAAE,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,KAAkB;IAClD,IAAI,KAAK,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACnC,MAAM,EAAE,kBAAkB,EAAE,GAAG,MAAM,MAAM,CAAC,mCAAmC,CAAC,CAAC;QACjF,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,gBAAgB,EAAE,cAAc,EAAE,YAAY,EAAE,GAAG,KAAK,CAAC;QACrF,IAAI,CAAC,UAAU,IAAI,CAAC,MAAM,IAAI,CAAC,gBAAgB,IAAI,CAAC,cAAc,EAAE,CAAC;YACnE,MAAM,IAAI,KAAK,CACb,gEAAgE;gBAChE,iEAAiE,CAClE,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,kBAAkB,CAAC,EAAE,UAAU,EAAE,MAAM,EAAE,gBAAgB,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC;IACxG,CAAC;IAED,IAAI,KAAK,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;QAC7B,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,6BAA6B,CAAC,CAAC;QAC1E,MAAM,EAAE,GAAG,KAAK,CAAC;QACjB,IAAI,CAAC,EAAE,CAAC,SAAS,IAAI,CAAC,EAAE,CAAC,UAAU,IAAI,CAAC,EAAE,CAAC,aAAa,IAAI,CAAC,EAAE,CAAC,gBAAgB,IAAI,CAAC,EAAE,CAAC,WAAW,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC;YAC3H,MAAM,IAAI,KAAK,CACb,kFAAkF;gBAClF,6EAA6E,CAC9E,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,iBAAiB,CAAC;YAC3B,SAAS,EAAE,EAAE,CAAC,SAAS;YACvB,UAAU,EAAE,EAAE,CAAC,UAAU;YACzB,aAAa,EAAE,EAAE,CAAC,aAAa;YAC/B,gBAAgB,EAAE,EAAE,CAAC,gBAAgB;YACrC,WAAW,EAAE,EAAE,CAAC,WAAW;YAC3B,OAAO,EAAE,EAAE,CAAC,OAAO;YACnB,cAAc,EAAE,EAAE,CAAC,cAAc;YACjC,YAAY,EAAE,EAAE,CAAC,eAAe;YAChC,WAAW,EAAE,EAAE,CAAC,WAAW;SAC5B,CAAC,CAAC;IACL,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,4BAA4B,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC;AACjE,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,KAAkB,EAClB,QAAgB;IAEhB,IAAI,KAAK,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;QAC7B,MAAM,EAAE,eAAe,EAAE,GAAG,MAAM,MAAM,CAAC,iCAAiC,CAAC,CAAC;QAC5E,OAAO,MAAM,eAAe,CAAC,EAAE,QAAQ,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,KAAK,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;QACnC,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,gCAAgC,CAAC,CAAC;QAC1E,OAAO,MAAM,cAAc,CAAC,EAAE,QAAQ,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,CAAC;IAChE,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,4BAA4B,KAAK,CAAC,QAAQ,GAAG,CAAC,CAAC;AACjE,CAAC"}

package/dist/cli/commands/cloud-setup.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"cloud-setup.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/cloud-setup.ts"],"names":[],"mappings":"~~AA+CA~~,wBAAsB,OAAO,CAAC,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA0GtE"}
1	+ {"version":3,"file":"cloud-setup.d.ts","sourceRoot":"","sources":["../../../src/cli/commands/cloud-setup.ts"],"names":[],"mappings":"AAgDA,wBAAsB,OAAO,CAAC,IAAI,EAAE;IAAE,OAAO,EAAE,MAAM,CAAA;CAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CA0GtE"}

package/dist/cli/commands/cloud-setup.js CHANGED Viewed

@@ -8,7 +8,7 @@ import { teardownCloud } from "./cloud-teardown.js";
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
 import { ECRClient, DescribeRepositoriesCommand, CreateRepositoryCommand, SetRepositoryPolicyCommand, } from "@aws-sdk/client-ecr";
 import { ECSClient, ListClustersCommand, DescribeClustersCommand, CreateClusterCommand, } from "@aws-sdk/client-ecs";
-import { IAMClient, ListRolesCommand, CreateRoleCommand, GetRoleCommand, AttachRolePolicyCommand, PutRolePolicyCommand, PutUserPolicyCommand, } from "@aws-sdk/client-iam";
+import { IAMClient, ListRolesCommand, CreateRoleCommand, GetRoleCommand, AttachRolePolicyCommand, PutRolePolicyCommand, PutUserPolicyCommand, CreateServiceLinkedRoleCommand, } from "@aws-sdk/client-iam";
 import { EC2Client, DescribeVpcsCommand, DescribeSubnetsCommand, DescribeSecurityGroupsCommand, } from "@aws-sdk/client-ec2";
 import { CloudWatchLogsClient, CreateLogGroupCommand, } from "@aws-sdk/client-cloudwatch-logs";
 import { AWS_CONSTANTS } from "../../shared/aws-constants.js";
@@ -146,6 +146,8 @@ async function setupEcsCloud(cloud) {
     let accountId;
     const identity = await stsClient.send(new GetCallerIdentityCommand({}));
     accountId = identity.Account;
+    // Ensure service-linked roles exist (one-time per AWS account)
+    await ensureServiceLinkedRoles(iamClient);
     cloud.ecrRepository = await pickOrCreateEcrRepo(ecrClient, region, accountId);
     await ensureLambdaEcrPolicy(ecrClient, cloud.ecrRepository);
     cloud.ecsCluster = await pickOrCreateEcsCluster(ecsClient);
@@ -197,6 +199,9 @@ async function setupEcsCloud(cloud) {
     }
     // Create CodeBuild service role for remote image builds
     await ensureCodeBuildRole(iamClient, accountId, region, cloud.ecrRepository);
+    // Create App Runner roles for cloud deploy
+    cloud.appRunnerAccessRoleArn = await ensureAppRunnerAccessRole(iamClient);
+    cloud.appRunnerInstanceRoleArn = await ensureAppRunnerInstanceRole(iamClient, accountId, region, cloud.ecrRepository);
     const result = await pickVpcAndSubnets(ec2Client);
     cloud.subnets = result.subnets;
     const sgs = await pickSecurityGroups(ec2Client, result.vpcId);
@@ -230,13 +235,37 @@ async function setupEcsCloud(cloud) {
                     Resource: [
                         `arn:aws:logs:${region}:${accountId}:log-group:${AWS_CONSTANTS.LOG_GROUP}*`,
                         `arn:aws:logs:${region}:${accountId}:log-group:${AWS_CONSTANTS.LAMBDA_LOG_GROUP}/al-*`,
+                        `arn:aws:logs:${region}:${accountId}:log-group:${AWS_CONSTANTS.APPRUNNER_LOG_GROUP}*`,
                     ],
                 },
+                {
+                    Effect: "Allow",
+                    Action: [
+                        "apprunner:CreateService",
+                        "apprunner:UpdateService",
+                        "apprunner:DescribeService",
+                        "apprunner:DeleteService",
+                    ],
+                    Resource: `arn:aws:apprunner:${region}:${accountId}:service/al-scheduler/*`,
+                },
+                {
+                    Effect: "Allow",
+                    Action: "apprunner:ListServices",
+                    Resource: "*",
+                },
                 {
                     Effect: "Allow",
                     Action: "iam:PutUserPolicy",
                     Resource: `arn:aws:iam::${accountId}:user/${userName}`,
                 },
+                {
+                    Effect: "Allow",
+                    Action: "iam:CreateServiceLinkedRole",
+                    Resource: [
+                        `arn:aws:iam::${accountId}:role/aws-service-role/ecs.amazonaws.com/*`,
+                        `arn:aws:iam::${accountId}:role/aws-service-role/apprunner.amazonaws.com/*`,
+                    ],
+                },
             ],
         });
         try {
@@ -255,6 +284,30 @@ async function setupEcsCloud(cloud) {
     }
     return true;
 }
+// --- Service-linked roles ---
+async function ensureServiceLinkedRoles(iamClient) {
+    const services = [
+        { name: "ECS", serviceName: "ecs.amazonaws.com" },
+        { name: "App Runner", serviceName: "apprunner.amazonaws.com" },
+    ];
+    for (const svc of services) {
+        try {
+            await iamClient.send(new CreateServiceLinkedRoleCommand({
+                AWSServiceName: svc.serviceName,
+            }));
+            console.log(`  Created service-linked role for ${svc.name}`);
+        }
+        catch (err) {
+            if (err.name === "InvalidInputException" && err.message?.includes("already exists")) {
+                console.log(`  Service-linked role for ${svc.name} already exists`);
+            }
+            else {
+                console.log(`  Warning: could not create service-linked role for ${svc.name}: ${err.message}`);
+                console.log(`  You may need to run: aws iam create-service-linked-role --aws-service-name ${svc.serviceName}`);
+            }
+        }
+    }
+}
 // --- Resource pickers ---
 async function pickOrCreateEcrRepo(ecrClient, region, accountId) {
     console.log("Looking for ECR repositories...");
@@ -399,12 +452,19 @@ async function pickOrCreateEcsRole(iamClient, label, defaultName, managedPolicie
             }
         });
         if (ecsRoles.length > 0) {
+            // Sort so the expected default role appears first
+            const sorted = [...ecsRoles].sort((a, b) => {
+                const aMatch = a.RoleName === defaultName ? 0 : 1;
+                const bMatch = b.RoleName === defaultName ? 0 : 1;
+                return aMatch - bMatch || a.RoleName.localeCompare(b.RoleName);
+            });
+            const defaultArn = sorted.find((r) => r.RoleName === defaultName)?.Arn;
             const choices = [
-                ...ecsRoles.map((r) => ({ name: r.RoleName, value: r.Arn })),
+                ...sorted.map((r) => ({ name: r.RoleName, value: r.Arn })),
                 { name: `Create new: ${defaultName}`, value: CREATE_NEW },
                 { name: "Enter ARN manually", value: MANUAL_INPUT },
             ];
-            const choice = await select({ message: `${label}:`, choices });
+            const choice = await select({ message: `${label}:`, choices, default: defaultArn });
             if (choice === MANUAL_INPUT)
                 return input({ message: `${label} ARN:` });
             if (choice !== CREATE_NEW)
@@ -609,6 +669,241 @@ async function pickVpcAndSubnets(ec2Client) {
     const raw = await input({ message: "Subnet IDs (comma-separated):" });
     return { subnets: raw.split(",").map(s => s.trim()).filter(Boolean), vpcId };
 }
+async function ensureAppRunnerAccessRole(iamClient) {
+    const roleName = AWS_CONSTANTS.APPRUNNER_ACCESS_ROLE;
+    console.log(`\nEnsuring App Runner access role (${roleName})...`);
+    const trustPolicy = JSON.stringify({
+        Version: "2012-10-17",
+        Statement: [{
+                Effect: "Allow",
+                Principal: { Service: "build.apprunner.amazonaws.com" },
+                Action: "sts:AssumeRole",
+            }],
+    });
+    try {
+        const data = await iamClient.send(new CreateRoleCommand({
+            RoleName: roleName,
+            AssumeRolePolicyDocument: trustPolicy,
+        }));
+        console.log(`  Created role: ${roleName}`);
+    }
+    catch (err) {
+        if (err.name === "EntityAlreadyExistsException") {
+            console.log(`  Role already exists`);
+        }
+        else {
+            console.log(`  Warning: could not create ${roleName}: ${err.message}`);
+            return input({ message: "App Runner access role ARN:" });
+        }
+    }
+    try {
+        await iamClient.send(new AttachRolePolicyCommand({
+            RoleName: roleName,
+            PolicyArn: "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess",
+        }));
+        console.log(`  Attached AWSAppRunnerServicePolicyForECRAccess`);
+    }
+    catch (err) {
+        console.log(`  Warning: could not attach ECR access policy: ${err.message}`);
+    }
+    const data = await iamClient.send(new GetRoleCommand({ RoleName: roleName }));
+    return data.Role.Arn;
+}
+async function ensureAppRunnerInstanceRole(iamClient, accountId, region, ecrRepository) {
+    const roleName = AWS_CONSTANTS.APPRUNNER_INSTANCE_ROLE;
+    console.log(`\nEnsuring App Runner instance role (${roleName})...`);
+    const trustPolicy = JSON.stringify({
+        Version: "2012-10-17",
+        Statement: [{
+                Effect: "Allow",
+                Principal: { Service: "tasks.apprunner.amazonaws.com" },
+                Action: "sts:AssumeRole",
+            }],
+    });
+    try {
+        await iamClient.send(new CreateRoleCommand({
+            RoleName: roleName,
+            AssumeRolePolicyDocument: trustPolicy,
+        }));
+        console.log(`  Created role: ${roleName}`);
+    }
+    catch (err) {
+        if (err.name === "EntityAlreadyExistsException") {
+            console.log(`  Role already exists`);
+        }
+        else {
+            console.log(`  Warning: could not create ${roleName}: ${err.message}`);
+            return input({ message: "App Runner instance role ARN:" });
+        }
+    }
+    // The instance role needs the same permissions as the operator:
+    // ECS, ECR, CodeBuild, S3, SecretsManager, CloudWatch Logs, IAM, Lambda, App Runner
+    const repoName = ecrRepository.split("/").pop();
+    const bucketName = AWS_CONSTANTS.buildBucket(accountId, region);
+    try {
+        await iamClient.send(new PutRolePolicyCommand({
+            RoleName: roleName,
+            PolicyName: "ActionLlamaScheduler",
+            PolicyDocument: JSON.stringify({
+                Version: "2012-10-17",
+                Statement: [
+                    {
+                        Sid: "Identity",
+                        Effect: "Allow",
+                        Action: "sts:GetCallerIdentity",
+                        Resource: "*",
+                    },
+                    {
+                        Sid: "ECS",
+                        Effect: "Allow",
+                        Action: [
+                            "ecs:RegisterTaskDefinition",
+                            "ecs:RunTask",
+                            "ecs:DescribeTasks",
+                            "ecs:ListTasks",
+                            "ecs:StopTask",
+                        ],
+                        Resource: "*",
+                    },
+                    {
+                        Sid: "Logs",
+                        Effect: "Allow",
+                        Action: [
+                            "logs:CreateLogGroup",
+                            "logs:CreateLogStream",
+                            "logs:PutLogEvents",
+                            "logs:GetLogEvents",
+                            "logs:FilterLogEvents",
+                        ],
+                        Resource: [
+                            `arn:aws:logs:${region}:${accountId}:log-group:/ecs/action-llama*`,
+                            `arn:aws:logs:${region}:${accountId}:log-group:/aws/lambda/al-*`,
+                            `arn:aws:logs:${region}:${accountId}:log-group:/apprunner/al-scheduler*`,
+                        ],
+                    },
+                    {
+                        Sid: "SecretsManager",
+                        Effect: "Allow",
+                        Action: [
+                            "secretsmanager:ListSecrets",
+                            "secretsmanager:CreateSecret",
+                            "secretsmanager:PutSecretValue",
+                            "secretsmanager:GetSecretValue",
+                        ],
+                        Resource: "*",
+                    },
+                    {
+                        Sid: "PassRole",
+                        Effect: "Allow",
+                        Action: "iam:PassRole",
+                        Resource: `arn:aws:iam::${accountId}:role/al-*`,
+                        Condition: {
+                            StringEquals: {
+                                "iam:PassedToService": [
+                                    "ecs-tasks.amazonaws.com",
+                                    "codebuild.amazonaws.com",
+                                    "lambda.amazonaws.com",
+                                    "apprunner.amazonaws.com",
+                                ],
+                            },
+                        },
+                    },
+                    {
+                        Sid: "IAMAgentRoles",
+                        Effect: "Allow",
+                        Action: [
+                            "iam:CreateRole",
+                            "iam:GetRole",
+                            "iam:GetRolePolicy",
+                            "iam:PutRolePolicy",
+                            "iam:DeleteRole",
+                            "iam:DeleteRolePolicy",
+                            "iam:AttachRolePolicy",
+                        ],
+                        Resource: `arn:aws:iam::${accountId}:role/al-*`,
+                    },
+                    {
+                        Sid: "IAMListRoles",
+                        Effect: "Allow",
+                        Action: "iam:ListRoles",
+                        Resource: "*",
+                    },
+                    {
+                        Sid: "ECR",
+                        Effect: "Allow",
+                        Action: [
+                            "ecr:BatchGetImage",
+                            "ecr:GetDownloadUrlForLayer",
+                            "ecr:BatchCheckLayerAvailability",
+                            "ecr:GetAuthorizationToken",
+                            "ecr:SetRepositoryPolicy",
+                        ],
+                        Resource: "*",
+                    },
+                    {
+                        Sid: "CodeBuild",
+                        Effect: "Allow",
+                        Action: [
+                            "codebuild:StartBuild",
+                            "codebuild:BatchGetBuilds",
+                            "codebuild:CreateProject",
+                        ],
+                        Resource: `arn:aws:codebuild:${region}:${accountId}:project/al-image-builder`,
+                    },
+                    {
+                        Sid: "Lambda",
+                        Effect: "Allow",
+                        Action: [
+                            "lambda:GetFunction",
+                            "lambda:CreateFunction",
+                            "lambda:UpdateFunctionCode",
+                            "lambda:UpdateFunctionConfiguration",
+                            "lambda:InvokeFunction",
+                        ],
+                        Resource: `arn:aws:lambda:${region}:${accountId}:function:al-*`,
+                    },
+                    {
+                        Sid: "S3",
+                        Effect: "Allow",
+                        Action: [
+                            "s3:CreateBucket",
+                            "s3:PutObject",
+                            "s3:GetObject",
+                            "s3:ListBucket",
+                        ],
+                        Resource: [
+                            `arn:aws:s3:::${bucketName}`,
+                            `arn:aws:s3:::${bucketName}/*`,
+                        ],
+                    },
+                    {
+                        Sid: "AppRunner",
+                        Effect: "Allow",
+                        Action: [
+                            "apprunner:CreateService",
+                            "apprunner:UpdateService",
+                            "apprunner:DescribeService",
+                            "apprunner:DeleteService",
+                        ],
+                        Resource: `arn:aws:apprunner:${region}:${accountId}:service/al-scheduler/*`,
+                    },
+                    {
+                        Sid: "AppRunnerList",
+                        Effect: "Allow",
+                        Action: "apprunner:ListServices",
+                        Resource: "*",
+                    },
+                ],
+            }),
+        }));
+        console.log(`  Attached ActionLlamaScheduler policy`);
+    }
+    catch (err) {
+        console.log(`  Warning: could not attach policy to ${roleName}: ${err.message}`);
+    }
+    const data = await iamClient.send(new GetRoleCommand({ RoleName: roleName }));
+    return data.Role.Arn;
+}
 async function pickSecurityGroups(ec2Client, vpcId) {
     if (!vpcId) {
         const raw = await input({ message: "Security group IDs (comma-separated, optional):" });