@aigne/afs-dns 1.11.0-beta.11 → 1.11.0-beta.13

package/dist/index.mjs

@@ -1,4 +1,6 @@
 import { createRequire } from "node:module";
+import { AFSNotFoundError } from "@aigne/afs";
+import { AFSBaseProvider, Actions, Delete, Explain, List, Meta, Read, Search, Stat, Write } from "@aigne/afs/provider";
 import { minimatch } from "minimatch";
 import { z } from "zod";
 import { ChangeResourceRecordSetsCommand, GetHostedZoneCommand, ListHostedZonesCommand, ListResourceRecordSetsCommand, Route53Client } from "@aws-sdk/client-route-53";
@@ -1011,9 +1013,23 @@ function validateRecord(record) {
 	};
 }
 
+//#endregion
+//#region \0@oxc-project+runtime@0.108.0/helpers/decorate.js
+function __decorate(decorators, target, key, desc) {
+	var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+	if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+	else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+	return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+
 //#endregion
 //#region src/provider/dns-provider.ts
-var DNSProvider = class {
+/**
+* DNS Provider
+*
+* AFS module for DNS zone management via various providers.
+*/
+var DNSProvider = class extends AFSBaseProvider {
 	name;
 	description;
 	accessMode;
@@ -1028,6 +1044,48 @@ var DNSProvider = class {
 	static schema() {
 		return z.object({ zone: z.string() });
 	}
+	static treeSchema() {
+		return {
+			operations: [
+				"list",
+				"read",
+				"write",
+				"delete",
+				"search",
+				"stat",
+				"explain"
+			],
+			tree: {
+				"/": {
+					kind: "dns:zone",
+					operations: [
+						"list",
+						"read",
+						"search"
+					]
+				},
+				"/_zone": {
+					kind: "dns:zone-meta",
+					operations: ["read"]
+				},
+				"/{record-name}": {
+					kind: "dns:record",
+					operations: [
+						"read",
+						"write",
+						"delete"
+					],
+					destructive: ["delete"]
+				}
+			},
+			auth: {
+				type: "aws",
+				env: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"]
+			},
+			bestFor: ["DNS zone management", "record CRUD"],
+			notFor: ["domain registration"]
+		};
+	}
 	/**
 	* Provider manifest for URI-based discovery
 	*/
@@ -1036,12 +1094,40 @@ var DNSProvider = class {
 			name: "dns",
 			description: "DNS zone management — Route53 and Google Cloud DNS.\n- List, create, update, and delete DNS records (A, AAAA, CNAME, MX, TXT, etc.)\n- Audit logging and rate limiting for safe zone modifications\n- Path structure: `/{zone}/{record-name}`",
 			uriTemplate: "dns://{zone}",
-			category: "cloud-dns",
+			category: "network",
 			schema: z.object({ zone: z.string() }),
-			tags: ["dns", "cloud"]
+			tags: ["dns", "cloud"],
+			capabilityTags: [
+				"read-write",
+				"crud",
+				"destructive",
+				"auth:aws",
+				"remote",
+				"cloud",
+				"http"
+			],
+			security: {
+				riskLevel: "external",
+				resourceAccess: ["cloud-api"],
+				requires: ["cloud-credentials"],
+				dataSensitivity: ["system-config"],
+				notes: ["Can modify DNS records — misconfiguration may cause service outages"]
+			},
+			capabilities: {
+				network: {
+					egress: true,
+					allowedDomains: ["*.amazonaws.com", "*.googleapis.com"]
+				},
+				secrets: [
+					"aws/access-key-id",
+					"aws/secret-access-key",
+					"gcp/credentials"
+				]
+			}
 		};
 	}
 	constructor(options) {
+		super();
 		this.zone = options.zone;
 		this.adapter = options.adapter;
 		this.accessMode = options.accessMode ?? "readonly";
@@ -1051,70 +1137,163 @@ var DNSProvider = class {
 		this.name = `dns:${this.zone}`;
 		this.description = `DNS zone: ${this.zone}`;
 	}
-	async list(path, options) {
-		const normalizedPath = this.normalizePath(path);
-		if ((options?.maxDepth ?? 1) === 0) return { data: [] };
-		if (normalizedPath === "/") {
-			const entries = [];
-			const names = await this.adapter.listRecords(this.zone);
-			for (const name of names) entries.push({
-				id: name,
-				path: `/${name}`,
-				summary: name === "_zone" ? "Zone metadata" : `DNS record: ${name}`,
-				meta: {
-					kind: name === "_zone" ? "dns:zone-meta" : "dns:record",
-					childrenCount: 0
-				}
-			});
-			return { data: entries };
-		}
-		const recordName = this.extractRecordName(normalizedPath);
-		if ((await this.adapter.getRecord(this.zone, recordName)).records.length === 0 && recordName !== "_zone") return { data: [] };
-		return { data: [{
-			id: recordName,
-			path: normalizedPath,
-			summary: recordName === "_zone" ? "Zone metadata" : `DNS record: ${recordName}`,
+	async listRoot(_ctx) {
+		const entries = [];
+		const names = await this.adapter.listRecords(this.zone);
+		for (const name of names) entries.push({
+			id: name,
+			path: `/${name}`,
+			summary: name === "_zone" ? "Zone metadata" : `DNS record: ${name}`,
 			meta: {
-				kind: recordName === "_zone" ? "dns:zone-meta" : "dns:record",
+				kind: name === "_zone" ? "dns:zone-meta" : "dns:record",
 				childrenCount: 0
 			}
-		}] };
+		});
+		return { data: entries };
 	}
-	async read(path, _options) {
-		const normalizedPath = this.normalizePath(path);
-		if (normalizedPath === "/.meta/.capabilities") return this.readCapabilities();
-		const { recordName, type } = this.parsePathWithQuery(normalizedPath);
-		if (recordName === "_zone") {
-			const metadata = await this.adapter.getZoneMetadata(this.zone);
-			return { data: {
-				id: "_zone",
-				path: "/_zone",
-				summary: `Zone metadata for ${this.zone}`,
-				meta: { kind: "dns:zone-meta" },
-				content: metadata
-			} };
-		}
+	async listRecord(ctx) {
+		const recordName = ctx.params.recordName;
+		if (recordName === "_zone") return { data: [] };
+		if ((await this.adapter.getRecord(this.zone, recordName)).records.length === 0) throw new AFSNotFoundError(`/${recordName}`);
+		return { data: [] };
+	}
+	async readRoot(_ctx) {
+		const names = await this.adapter.listRecords(this.zone);
+		return {
+			id: this.zone,
+			path: "/",
+			summary: `DNS zone: ${this.zone}`,
+			meta: {
+				kind: "dns:zone",
+				childrenCount: names.length
+			}
+		};
+	}
+	async readRootMeta(_ctx) {
+		const names = await this.adapter.listRecords(this.zone);
+		return {
+			id: "meta",
+			path: "/.meta",
+			summary: `DNS zone: ${this.zone}`,
+			meta: {
+				kind: "dns:zone",
+				childrenCount: names.length
+			}
+		};
+	}
+	readCapabilities(_ctx) {
+		const actionCatalogs = [];
+		actionCatalogs.push({
+			kind: "dns:zone",
+			description: "Zone-level operations",
+			catalog: [{
+				name: "validate-zone",
+				description: "Validate zone integrity (SOA, NS records)",
+				inputSchema: {
+					type: "object",
+					properties: {},
+					description: "No parameters required"
+				}
+			}, {
+				name: "export-zone",
+				description: "Export zone as BIND zone file format",
+				inputSchema: {
+					type: "object",
+					properties: {},
+					description: "No parameters required"
+				}
+			}],
+			discovery: {
+				pathTemplate: "/.actions/{action}",
+				note: "Exec /.actions/validate-zone or /.actions/export-zone to execute"
+			}
+		});
+		const operations = {
+			read: true,
+			list: true,
+			write: this.accessMode === "readwrite",
+			delete: this.accessMode === "readwrite",
+			search: true,
+			exec: true,
+			stat: true,
+			explain: true
+		};
+		return {
+			id: "/.meta/.capabilities",
+			path: "/.meta/.capabilities",
+			content: {
+				schemaVersion: 1,
+				provider: this.name,
+				version: "1.0.0",
+				description: this.description,
+				tools: [],
+				actions: actionCatalogs,
+				operations
+			},
+			meta: { kind: "afs:capabilities" }
+		};
+	}
+	async readZone(_ctx) {
+		const metadata = await this.adapter.getZoneMetadata(this.zone);
+		return {
+			id: "_zone",
+			path: "/_zone",
+			summary: `Zone metadata for ${this.zone}`,
+			meta: {
+				kind: "dns:zone-meta",
+				childrenCount: 0
+			},
+			content: metadata
+		};
+	}
+	async readRecord(ctx) {
+		const { name: recordName, type } = this.parseRecordParam(ctx.params.recordName);
 		const recordSet = await this.adapter.getRecord(this.zone, recordName);
 		let records = recordSet.records;
 		if (type) records = records.filter((r) => r.type === type);
-		if (records.length === 0) return { data: void 0 };
-		return { data: {
+		if (records.length === 0) throw new AFSNotFoundError(`/${recordName}`);
+		return {
 			id: recordName,
-			path: normalizedPath.split("?")[0] ?? normalizedPath,
+			path: ctx.path.split("?")[0] ?? ctx.path,
 			summary: `DNS records for ${recordSet.fqdn}`,
-			meta: { kind: "dns:record" },
+			meta: {
+				kind: "dns:record",
+				childrenCount: 0
+			},
 			content: {
 				fqdn: recordSet.fqdn,
 				records
 			}
-		} };
+		};
 	}
-	async write(path, content, _options) {
-		if (this.accessMode !== "readwrite") throw new Error(`DNS provider is readonly, cannot write to ${path}`);
-		const normalizedPath = this.normalizePath(path);
-		const recordName = this.extractRecordName(normalizedPath);
-		if (recordName === "validate-zone") return this.handleValidateZone();
-		if (recordName === "export-zone") return this.handleExportZone();
+	async readRecordMeta(ctx) {
+		const recordName = ctx.params.recordName;
+		if (recordName === "_zone") return {
+			id: "_zone",
+			path: "/_zone/.meta",
+			summary: "Zone metadata",
+			meta: {
+				kind: "dns:zone-meta",
+				childrenCount: 0
+			}
+		};
+		const recordSet = await this.adapter.getRecord(this.zone, recordName);
+		if (recordSet.records.length === 0) throw new AFSNotFoundError(`/${recordName}`);
+		const firstRecord = recordSet.records[0];
+		return {
+			id: recordName,
+			path: `/${recordName}/.meta`,
+			summary: `DNS record: ${recordName}`,
+			meta: {
+				kind: "dns:record",
+				childrenCount: 0,
+				recordType: firstRecord?.type,
+				ttl: firstRecord?.ttl
+			}
+		};
+	}
+	async writeRecord(ctx, content) {
+		const recordName = ctx.params.recordName;
 		if (recordName === "_zone") throw new Error("Cannot write to _zone metadata");
 		const record = content.content;
 		if (!record || !record.type) throw new Error("Invalid record content: must include type");
@@ -1147,16 +1326,14 @@ var DNSProvider = class {
 		});
 		return { data: {
 			id: recordName,
-			path: normalizedPath,
+			path: ctx.path,
 			summary: `Updated DNS record: ${recordName}`,
 			meta: { kind: "dns:record" },
 			content: record
 		} };
 	}
-	async delete(path, _options) {
-		if (this.accessMode !== "readwrite") throw new Error(`DNS provider is readonly, cannot delete ${path}`);
-		const normalizedPath = this.normalizePath(path);
-		const { recordName, type } = this.parsePathWithQuery(normalizedPath);
+	async deleteRecord(ctx) {
+		const { name: recordName, type } = this.parseRecordParam(ctx.params.recordName);
 		if (recordName === "_zone") throw new Error("Cannot delete _zone metadata");
 		const permResult = checkPermission({
 			name: recordName,
@@ -1172,6 +1349,9 @@ var DNSProvider = class {
 			});
 			throw new Error(formatPermissionError(permResult));
 		}
+		const existing = await this.adapter.getRecord(this.zone, recordName);
+		if (existing.records.length === 0) throw new AFSNotFoundError(`/${recordName}`);
+		if (type && !existing.records.some((r) => r.type === type)) throw new AFSNotFoundError(`/${recordName}?type=${type}`, `No ${type} record found for ${recordName}`);
 		await this.acquireRateLimit();
 		await this.adapter.deleteRecord(this.zone, recordName, type);
 		this.auditLogger.logDelete({
@@ -1181,68 +1361,34 @@ var DNSProvider = class {
 		});
 		return { message: `Record ${recordName}${type ? ` (${type})` : ""} deleted` };
 	}
-	normalizePath(path) {
-		if (!path.startsWith("/")) return `/${path}`;
-		return path;
-	}
-	extractRecordName(path) {
-		return (path.replace(/^\//, "").split("?")[0] ?? "") || "@";
-	}
-	parsePathWithQuery(path) {
-		const [pathPart, queryPart] = path.split("?");
-		const recordName = this.extractRecordName(pathPart ?? path);
-		let type;
-		if (queryPart) type = new URLSearchParams(queryPart).get("type") ?? void 0;
-		return {
-			recordName,
-			type
-		};
-	}
-	/**
-	* Sanitize record values to prevent injection attacks
-	*/
-	sanitizeRecordValues(record) {
-		const { values } = record;
-		if (typeof values === "string") {
-			rejectNullBytes(values);
-			const result = sanitizeRecordValue(values, record.type);
-			if (!result.valid) throw new Error(`Invalid record value: ${result.error}`);
-		} else if (Array.isArray(values)) {
-			for (const value of values) if (typeof value === "string") {
-				rejectNullBytes(value);
-				const result = sanitizeRecordValue(value, record.type);
-				if (!result.valid) throw new Error(`Invalid record value: ${result.error}`);
+	async statRoot(_ctx) {
+		const names = await this.adapter.listRecords(this.zone);
+		return { data: {
+			id: this.zone,
+			path: "/",
+			meta: {
+				kind: "dns:zone",
+				childrenCount: names.length
 			}
-		}
-	}
-	/**
-	* Acquire rate limit token (waits if necessary)
-	*/
-	async acquireRateLimit() {
-		if (this.rateLimiter) {
-			if (!await this.rateLimiter.tryAcquire()) throw new Error("Rate limit exceeded. Please retry later.");
-		}
+		} };
 	}
-	/**
-	* Extract values from a record for audit logging
-	*/
-	extractValues(record) {
-		const { values } = record;
-		if (typeof values === "string") return [values];
-		if (Array.isArray(values)) return values;
-		return [values];
+	async statZone(_ctx) {
+		return { data: {
+			id: "_zone",
+			path: "/_zone",
+			meta: { kind: "dns:zone-meta" }
+		} };
 	}
-	async stat(path) {
-		const normalizedPath = this.normalizePath(path);
-		const recordName = this.extractRecordName(normalizedPath);
+	async statRecord(ctx) {
+		const recordName = ctx.params.recordName;
 		const recordSet = await this.adapter.getRecord(this.zone, recordName);
-		if (recordSet.records.length === 0 && recordName !== "_zone") throw new Error(`Record not found: ${recordName}`);
+		if (recordSet.records.length === 0) throw new AFSNotFoundError(`/${recordName}`);
 		const firstRecord = recordSet.records[0];
 		return { data: {
 			id: recordName,
-			path: normalizedPath,
+			path: ctx.path,
 			meta: {
-				kind: recordName === "_zone" ? "dns:zone-meta" : "dns:record",
+				kind: "dns:record",
 				recordType: firstRecord?.type,
 				ttl: firstRecord?.ttl,
 				valueCount: recordSet.records.reduce((count, r) => {
@@ -1253,14 +1399,7 @@ var DNSProvider = class {
 			}
 		} };
 	}
-	async explain(path) {
-		const normalizedPath = this.normalizePath(path);
-		const recordName = this.extractRecordName(normalizedPath);
-		if (normalizedPath === "/" || recordName === "@") return this.explainRoot();
-		if (recordName === "_zone") return this.explainZone();
-		throw new Error(`Cannot explain path: ${path}`);
-	}
-	async explainRoot() {
+	async explainRoot(_ctx) {
 		const metadata = await this.adapter.getZoneMetadata(this.zone);
 		const names = await this.adapter.listRecords(this.zone);
 		return {
@@ -1274,7 +1413,7 @@ var DNSProvider = class {
 `
 		};
 	}
-	async explainZone() {
+	async explainZone(_ctx) {
 		const metadata = await this.adapter.getZoneMetadata(this.zone);
 		const apex = await this.adapter.getRecord(this.zone, "@");
 		const soaRecord = apex.records.find((r) => r.type === "SOA");
@@ -1306,7 +1445,7 @@ var DNSProvider = class {
 			content: lines.join("\n")
 		};
 	}
-	async search(_path, query) {
+	async searchRecords(_ctx, query) {
 		const names = await this.adapter.listRecords(this.zone);
 		const results = [];
 		for (const name of names) {
@@ -1333,59 +1472,28 @@ var DNSProvider = class {
 		}
 		return { data: results };
 	}
-	readCapabilities() {
-		const actionCatalogs = [];
-		actionCatalogs.push({
-			kind: "dns:zone",
-			description: "Zone-level operations",
-			catalog: [{
+	listActions(_ctx) {
+		return { data: [{
+			id: "validate-zone",
+			path: "/.actions/validate-zone",
+			summary: "validate-zone",
+			meta: {
+				kind: "afs:action",
 				name: "validate-zone",
-				description: "Validate zone integrity (SOA, NS records)",
-				inputSchema: {
-					type: "object",
-					properties: {},
-					description: "No parameters required"
-				}
-			}, {
+				description: "Validate zone integrity (SOA, NS records)"
+			}
+		}, {
+			id: "export-zone",
+			path: "/.actions/export-zone",
+			summary: "export-zone",
+			meta: {
+				kind: "afs:action",
 				name: "export-zone",
-				description: "Export zone as BIND zone file format",
-				inputSchema: {
-					type: "object",
-					properties: {},
-					description: "No parameters required"
-				}
-			}],
-			discovery: {
-				pathTemplate: "/{action}",
-				note: "Write to /validate-zone or /export-zone to execute"
+				description: "Export zone as BIND zone file format"
 			}
-		});
-		const operations = {
-			read: true,
-			list: true,
-			write: this.accessMode === "readwrite",
-			delete: this.accessMode === "readwrite",
-			search: true,
-			exec: false,
-			stat: true,
-			explain: true
-		};
-		return { data: {
-			id: "/.meta/.capabilities",
-			path: "/.meta/.capabilities",
-			content: {
-				schemaVersion: 1,
-				provider: this.name,
-				version: "1.0.0",
-				description: this.description,
-				tools: [],
-				actions: actionCatalogs,
-				operations
-			},
-			meta: { kind: "afs:capabilities" }
-		} };
+		}] };
 	}
-	async handleValidateZone() {
+	async execValidateZone(_ctx, _args) {
 		const apex = await this.adapter.getRecord(this.zone, "@");
 		const checks = [];
 		const soaRecord = apex.records.find((r) => r.type === "SOA");
@@ -1404,18 +1512,13 @@ var DNSProvider = class {
 		});
 		const allValid = checks.every((c) => c.valid);
 		return { data: {
-			id: "validate-zone",
-			path: "/validate-zone",
-			summary: `Zone validation: ${allValid ? "PASSED" : "FAILED"}`,
-			meta: { kind: "dns:action-result" },
-			content: {
-				valid: allValid,
-				checks,
-				zone: this.zone
-			}
+			valid: allValid,
+			checks,
+			zone: this.zone,
+			summary: `Zone validation: ${allValid ? "PASSED" : "FAILED"}`
 		} };
 	}
-	async handleExportZone() {
+	async execExportZone(_ctx, _args) {
 		const names = await this.adapter.listRecords(this.zone);
 		const lines = [];
 		lines.push(`; Zone file for ${this.zone}`);
@@ -1433,14 +1536,77 @@ var DNSProvider = class {
 		}
 		lines.push("");
 		return { data: {
-			id: "export-zone",
-			path: "/export-zone",
-			summary: `BIND zone file for ${this.zone}`,
-			meta: { kind: "dns:action-result" },
-			content: lines.join("\n")
+			content: lines.join("\n"),
+			summary: `BIND zone file for ${this.zone}`
 		} };
 	}
+	/**
+	* Parse a record param that may contain a query string (e.g. "www?type=A")
+	*/
+	parseRecordParam(param) {
+		const queryIndex = param.indexOf("?");
+		if (queryIndex === -1) return { name: param };
+		const name = param.slice(0, queryIndex);
+		const queryPart = param.slice(queryIndex + 1);
+		return {
+			name,
+			type: new URLSearchParams(queryPart).get("type") ?? void 0
+		};
+	}
+	/**
+	* Sanitize record values to prevent injection attacks
+	*/
+	sanitizeRecordValues(record) {
+		const { values } = record;
+		if (typeof values === "string") {
+			rejectNullBytes(values);
+			const result = sanitizeRecordValue(values, record.type);
+			if (!result.valid) throw new Error(`Invalid record value: ${result.error}`);
+		} else if (Array.isArray(values)) {
+			for (const value of values) if (typeof value === "string") {
+				rejectNullBytes(value);
+				const result = sanitizeRecordValue(value, record.type);
+				if (!result.valid) throw new Error(`Invalid record value: ${result.error}`);
+			}
+		}
+	}
+	/**
+	* Acquire rate limit token (waits if necessary)
+	*/
+	async acquireRateLimit() {
+		if (this.rateLimiter) {
+			if (!await this.rateLimiter.tryAcquire()) throw new Error("Rate limit exceeded. Please retry later.");
+		}
+	}
+	/**
+	* Extract values from a record for audit logging
+	*/
+	extractValues(record) {
+		const { values } = record;
+		if (typeof values === "string") return [values];
+		if (Array.isArray(values)) return values;
+		return [values];
+	}
 };
+__decorate([List("/")], DNSProvider.prototype, "listRoot", null);
+__decorate([List("/:recordName")], DNSProvider.prototype, "listRecord", null);
+__decorate([Read("/")], DNSProvider.prototype, "readRoot", null);
+__decorate([Meta("/")], DNSProvider.prototype, "readRootMeta", null);
+__decorate([Read("/.meta/.capabilities")], DNSProvider.prototype, "readCapabilities", null);
+__decorate([Read("/_zone")], DNSProvider.prototype, "readZone", null);
+__decorate([Read("/:recordName")], DNSProvider.prototype, "readRecord", null);
+__decorate([Meta("/:recordName")], DNSProvider.prototype, "readRecordMeta", null);
+__decorate([Write("/:recordName")], DNSProvider.prototype, "writeRecord", null);
+__decorate([Delete("/:recordName")], DNSProvider.prototype, "deleteRecord", null);
+__decorate([Stat("/")], DNSProvider.prototype, "statRoot", null);
+__decorate([Stat("/_zone")], DNSProvider.prototype, "statZone", null);
+__decorate([Stat("/:recordName")], DNSProvider.prototype, "statRecord", null);
+__decorate([Explain("/")], DNSProvider.prototype, "explainRoot", null);
+__decorate([Explain("/_zone")], DNSProvider.prototype, "explainZone", null);
+__decorate([Search("/")], DNSProvider.prototype, "searchRecords", null);
+__decorate([Actions("/")], DNSProvider.prototype, "listActions", null);
+__decorate([Actions.Exec("/", "validate-zone")], DNSProvider.prototype, "execValidateZone", null);
+__decorate([Actions.Exec("/", "export-zone")], DNSProvider.prototype, "execExportZone", null);
 
 //#endregion
 //#region src/route53/parser.ts