@athsra/cli 0.1.0 → 1.0.0

package/src/lib/wrangler-sync.ts

@@ -0,0 +1,202 @@
+/**
+ * wrangler-sync.ts — athsra envelope 의 key=value 를 sibling worker 의 wrangler
+ * secrets 로 bulk inject.
+ *
+ * canon: modfolio-ecosystem/knowledge/canon/secret-store.md (athsra v3, universe-wide)
+ *
+ * CF 의 `wrangler secret bulk` 는 단일 호출당 25 키 제한 (code 100160). 자동 chunk
+ * 분할. tmp file mode 0o600 으로 디스크 노출 최소화 + finally 에서 강제 cleanup.
+ *
+ * Phase 2.6 (2026-05-26, Option γ): default-deny + manifest opt-in.
+ * `<workerCwd>/.athsra/secrets.json` manifest 가 sync 대상 키를 명시.
+ * manifest 없으면 sync 거부 (allowAll=true 로 legacy override 가능).
+ *
+ * 정공법: idempotent — 같은 envelope+worker 로 재호출 시 wrangler 가 PATCH 처리.
+ */
+
+import { mkdtempSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { $ } from 'bun';
+import { applyManifest, describeMissingManifest, loadManifest } from './secrets-manifest.ts';
+
+export interface SyncOptions {
+  /** Worker 의 wrangler.jsonc 가 있는 디렉토리 (wrangler CLI 의 cwd) */
+  cwd: string;
+  /** envelope key → value map. 빈 값/undefined 키는 호출자가 사전 제거 */
+  envelope: Record<string, string>;
+  /** CF Worker 이름 (wrangler.jsonc 의 `name`) */
+  workerName: string;
+  /** true 면 wrangler 호출 안 하고 sync 대상 key 목록만 반환 */
+  dryRun?: boolean;
+  /** progress / 결과 console 출력 비활성 (caller 가 직접 출력하면 true) */
+  silent?: boolean;
+  /**
+   * true 면 manifest 무시하고 envelope 전체 sync (Phase 2.6 legacy override).
+   * 권장 X — 명시적 ack 가 필요한 경우만.
+   */
+  allowAll?: boolean;
+}
+
+export interface SyncResult {
+  /** wrangler 에 sync 된 key 수 (dryRun 이면 sync 됐을 key 수) */
+  syncedKeys: number;
+  /** dryRun 시 출력할 key 목록 (정렬됨) */
+  keysToSync: string[];
+  /** manifest 에 있으나 envelope 에 없는 키 — onboarding gap */
+  missingFromEnvelope: string[];
+  /** envelope 에 있으나 manifest 에 없는 키 — 의도된 제외 */
+  excludedFromManifest: string[];
+  /** allowAll=true 였는지 (감사 추적용) */
+  bypassedManifest: boolean;
+}
+
+export class ManifestRequiredError extends Error {
+  readonly workerCwd: string;
+  readonly workerName: string;
+  constructor(workerCwd: string, workerName: string) {
+    super(describeMissingManifest(workerCwd, workerName));
+    this.name = 'ManifestRequiredError';
+    this.workerCwd = workerCwd;
+    this.workerName = workerName;
+  }
+}
+
+export class ManifestInvalidError extends Error {
+  readonly path: string;
+  constructor(path: string, reason: string) {
+    super(`secrets manifest invalid (${path}): ${reason}`);
+    this.name = 'ManifestInvalidError';
+    this.path = path;
+  }
+}
+
+const CHUNK_SIZE = 25;
+
+export async function syncWranglerSecrets(opts: SyncOptions): Promise<SyncResult> {
+  const filled: Record<string, string> = {};
+  for (const [k, v] of Object.entries(opts.envelope)) {
+    if (typeof v === 'string' && v.length > 0) filled[k] = v;
+  }
+  const envelopeKeys = Object.keys(filled).sort();
+
+  // Phase 2.6 — manifest 적용 (default-deny)
+  const loaded = loadManifest({ workerCwd: opts.cwd });
+  let allowedKeys: string[];
+  let missingFromEnvelope: string[] = [];
+  let excludedFromManifest: string[] = [];
+  let bypassedManifest = false;
+
+  if (loaded.error) {
+    throw new ManifestInvalidError(loaded.path, loaded.error);
+  }
+  if (loaded.manifest) {
+    const applied = applyManifest(loaded.manifest, envelopeKeys);
+    allowedKeys = applied.allowed;
+    missingFromEnvelope = applied.missing;
+    excludedFromManifest = applied.excluded;
+    if (!opts.silent) {
+      console.log(`  manifest: ${loaded.path} (${loaded.manifest.secrets.length} keys opt-in)`);
+      if (excludedFromManifest.length > 0) {
+        console.log(
+          `  excluded by manifest: ${excludedFromManifest.length} envelope keys (${excludedFromManifest.slice(0, 3).join(', ')}${excludedFromManifest.length > 3 ? ', ...' : ''})`,
+        );
+      }
+      if (missingFromEnvelope.length > 0) {
+        console.log(
+          `  ⚠ manifest references ${missingFromEnvelope.length} keys missing from envelope: ${missingFromEnvelope.join(', ')}`,
+        );
+      }
+    }
+  } else if (opts.allowAll) {
+    allowedKeys = envelopeKeys;
+    bypassedManifest = true;
+    if (!opts.silent) {
+      console.log(
+        `  ⚠ manifest absent + --allow-all → envelope 전체 ${envelopeKeys.length} keys sync (legacy)`,
+      );
+    }
+  } else {
+    // default-deny
+    throw new ManifestRequiredError(opts.cwd, opts.workerName);
+  }
+
+  const count = allowedKeys.length;
+
+  if (count === 0) {
+    if (!opts.silent) {
+      if (loaded.manifest) {
+        console.log('(no overlap between manifest and envelope — nothing to sync)');
+      } else {
+        console.log('(no non-empty keys to sync)');
+      }
+    }
+    return {
+      syncedKeys: 0,
+      keysToSync: [],
+      missingFromEnvelope,
+      excludedFromManifest,
+      bypassedManifest,
+    };
+  }
+
+  if (opts.dryRun) {
+    if (!opts.silent) {
+      console.log(`--dry-run: would sync ${count} keys to ${opts.workerName}:`);
+      for (const k of allowedKeys) console.log(`  ${k}`);
+    }
+    return {
+      syncedKeys: count,
+      keysToSync: allowedKeys,
+      missingFromEnvelope,
+      excludedFromManifest,
+      bypassedManifest,
+    };
+  }
+
+  const allowedPairs: [string, string][] = [];
+  for (const k of allowedKeys) {
+    const v = filled[k];
+    if (typeof v === 'string') allowedPairs.push([k, v]);
+  }
+  const chunks: Record<string, string>[] = [];
+  for (let i = 0; i < allowedPairs.length; i += CHUNK_SIZE) {
+    chunks.push(Object.fromEntries(allowedPairs.slice(i, i + CHUNK_SIZE)));
+  }
+
+  const tmpDir = mkdtempSync(join(tmpdir(), 'athsra-sync-'));
+  try {
+    let synced = 0;
+    for (const [idx, chunk] of chunks.entries()) {
+      const tmpFile = join(tmpDir, `${opts.workerName}-chunk-${idx}.json`);
+      writeFileSync(tmpFile, JSON.stringify(chunk), { mode: 0o600 });
+      const chunkSize = Object.keys(chunk).length;
+      if (!opts.silent) {
+        console.log(`  chunk ${idx + 1}/${chunks.length} (${chunkSize} keys) → ${opts.workerName}`);
+      }
+      const result = await $`bunx wrangler secret bulk ${tmpFile} --name ${opts.workerName}`
+        .cwd(opts.cwd)
+        .quiet()
+        .nothrow();
+      if (result.exitCode !== 0) {
+        const stderr = result.stderr.toString();
+        const stdout = result.stdout.toString();
+        const detail = stderr || stdout || `exit ${result.exitCode}`;
+        throw new Error(`wrangler secret bulk failed (chunk ${idx + 1}): ${detail}`);
+      }
+      synced += chunkSize;
+    }
+    if (!opts.silent) {
+      console.log(`✓ ${opts.workerName}: ${synced} secrets synced`);
+    }
+    return {
+      syncedKeys: synced,
+      keysToSync: allowedKeys,
+      missingFromEnvelope,
+      excludedFromManifest,
+      bypassedManifest,
+    };
+  } finally {
+    rmSync(tmpDir, { recursive: true, force: true });
+  }
+}