@caelo-cms/provisioning 0.1.0 → 0.1.1

package/{src/compose.ts → dist/compose.js}

@@ -1,28 +1,7 @@
 // SPDX-License-Identifier: MPL-2.0
-
-/**
- * P14 — production docker-compose.yml generator.
- *
- * Emits the production stack: Postgres + pgBackRest sidecar + Caddy +
- * MinIO + four Caelo services (admin, gateway, orchestrator, runner).
- * Idempotent: same input → byte-identical output. The CLI's `up`
- * sub-command writes this to `<repo>/.caelo/docker-compose.yml` and
- * runs `docker compose up -d`.
- */
-
-export interface ComposeSpec {
-  readonly domain: string;
-  readonly postgresPassword: string; // generated by cms-provision; persisted in .caelo/secrets
-  readonly minioRootUser: string;
-  readonly minioRootPassword: string;
-  readonly anthropicApiKey?: string;
-  readonly resendApiKey?: string;
-  readonly diskSize: string;
-}
-
-export function generateDockerCompose(spec: ComposeSpec): string {
-  const env = (k: string, v: string | undefined): string => (v ? `      ${k}: "${escape(v)}"` : "");
-  return `# SPDX-License-Identifier: MPL-2.0
+export function generateDockerCompose(spec) {
+    const env = (k, v) => (v ? `      ${k}: "${escape(v)}"` : "");
+    return `# SPDX-License-Identifier: MPL-2.0
 # Generated by cms-provision — do not edit; re-run \`bunx cms-provision up\`.
 # Domain: ${spec.domain}
 
@@ -116,8 +95,8 @@ volumes:
   caelo-caddy-config:
 `;
 }
-
-function escape(s: string): string {
-  // Conservative escape for double-quoted YAML strings.
-  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+function escape(s) {
+    // Conservative escape for double-quoted YAML strings.
+    return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
 }
+//# sourceMappingURL=compose.js.map

package/dist/compose.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compose.js","sourceRoot":"","sources":["../src/compose.ts"],"names":[],"mappings":"AAAA,mCAAmC;AAsBnC,MAAM,UAAU,qBAAqB,CAAC,IAAiB;IACrD,MAAM,GAAG,GAAG,CAAC,CAAS,EAAE,CAAqB,EAAU,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAClG,OAAO;;YAEG,IAAI,CAAC,MAAM;;;;;;;;4BAQK,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;0BA2B/B,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC;8BACtB,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;8CA0Bd,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC;qDACtB,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC;;EAEhF,GAAG,CAAC,mBAAmB,EAAE,IAAI,CAAC,eAAe,CAAC;EAC9C,GAAG,CAAC,gBAAgB,EAAE,IAAI,CAAC,YAAY,CAAC;;;;;;;;;;;;;8CAaI,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC;+CAC5B,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC;;;;;;;;;;CAU3E,CAAC;AACF,CAAC;AAED,SAAS,MAAM,CAAC,CAAS;IACvB,sDAAsD;IACtD,OAAO,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACvD,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,22 @@
+/**
+ * @caelo-cms/provisioning — P14.
+ *
+ * Pulumi-driven self-hosted stack + cms-provision CLI helpers.
+ *
+ * Public surface:
+ *   - generateCaddyfile(spec) → string
+ *   - generateDockerCompose(spec) → string
+ *   - generateBootstrapToken() → { token, expiresAt }
+ *
+ * The CLI (cli.ts) wires these into init / up / regenerate-caddy /
+ * backup / restore / status sub-commands. The Pulumi stack files
+ * (stacks/self-hosted/*) are imported by the CLI's `up` path and
+ * declare the actual Docker resources.
+ */
+export type { CloudAdapterInputs, CloudAdapterOutputs, DnsRecord, Environment, LocaleConfig, LocaleStrategy, ProvisioningOutputsJson, SupportedProvider, } from "./adapter.js";
+export { type BootstrapToken, generateBootstrapToken, } from "./bootstrap-token.js";
+export { type CaddyDomainSpec, type CaddyfileSpec, generateCaddyfile, } from "./caddy.js";
+export { type CdnCopyAdapter, loadCdnCopyAdapter, selfHostedCdnCopy, } from "./cdn-copy.js";
+export { type ComposeSpec, generateDockerCompose } from "./compose.js";
+export { type CloudFrontRedirectArtifact, emitRedirectsAzureFrontDoor, emitRedirectsCloudFront, emitRedirectsCloudflare, type FrontDoorRule, type RedirectRow, type RedirectStatusCode, } from "./redirects-emit.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;GAcG;AAEH,YAAY,EACV,kBAAkB,EAClB,mBAAmB,EACnB,SAAS,EACT,WAAW,EACX,YAAY,EACZ,cAAc,EACd,uBAAuB,EACvB,iBAAiB,GAClB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,KAAK,cAAc,EACnB,sBAAsB,GACvB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,iBAAiB,GAClB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,KAAK,cAAc,EACnB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,KAAK,WAAW,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,KAAK,0BAA0B,EAC/B,2BAA2B,EAC3B,uBAAuB,EACvB,uBAAuB,EACvB,KAAK,aAAa,EAClB,KAAK,WAAW,EAChB,KAAK,kBAAkB,GACxB,MAAM,qBAAqB,CAAC"}

package/dist/index.js

@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: MPL-2.0
+export { generateBootstrapToken, } from "./bootstrap-token.js";
+export { generateCaddyfile, } from "./caddy.js";
+export { loadCdnCopyAdapter, selfHostedCdnCopy, } from "./cdn-copy.js";
+export { generateDockerCompose } from "./compose.js";
+export { emitRedirectsAzureFrontDoor, emitRedirectsCloudFront, emitRedirectsCloudflare, } from "./redirects-emit.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,mCAAmC;AA4BnC,OAAO,EAEL,sBAAsB,GACvB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAGL,iBAAiB,GAClB,MAAM,YAAY,CAAC;AACpB,OAAO,EAEL,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAoB,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACvE,OAAO,EAEL,2BAA2B,EAC3B,uBAAuB,EACvB,uBAAuB,GAIxB,MAAM,qBAAqB,CAAC"}

package/dist/redirects-emit.d.ts

@@ -0,0 +1,65 @@
+/**
+ * P15 — per-provider redirect file generators.
+ *
+ * P14's self-hosted Caddy consumes a `_redirects.caddy` file. Cloud
+ * providers want different formats: Cloudflare Pages reads `_redirects`
+ * (also a fine fit for any platform that consumes that format),
+ * CloudFront wants a JSON config a Lambda@Edge function reads at
+ * startup, and Azure Front Door wants a rules-engine RuleEngineRule[].
+ *
+ * The deploy step calls the right emitter based on `process.env.CAELO_PROVIDER`
+ * and uploads the result to the right place. Each emitter is pure +
+ * idempotent — same input → same byte output.
+ */
+export type RedirectStatusCode = 301 | 302 | 307 | 308;
+export interface RedirectRow {
+    readonly fromPath: string;
+    readonly toPath: string;
+    readonly statusCode: RedirectStatusCode;
+}
+/**
+ * Cloudflare Pages `_redirects` format (also consumed by Netlify, Vercel,
+ * Render, etc.). One redirect per line: `<from> <to> <status>`. Wildcards
+ * use `:splat`; we only support exact-path redirects in v1 (matches what
+ * Caelo's redirects table allows).
+ */
+export declare function emitRedirectsCloudflare(rows: ReadonlyArray<RedirectRow>): string;
+/**
+ * CloudFront via Lambda@Edge. Returns a JSON config the L@E function
+ * reads at startup + a tiny Lambda source that consumes it. The L@E
+ * function is deployed to `us-east-1` (CloudFront constraint); the
+ * config blob is bundled into the Lambda deployment artifact.
+ *
+ * Returning both halves lets the AWS stack ship a single asset.
+ */
+export interface CloudFrontRedirectArtifact {
+    readonly jsonConfig: string;
+    readonly lambdaSource: string;
+}
+export declare function emitRedirectsCloudFront(rows: ReadonlyArray<RedirectRow>): CloudFrontRedirectArtifact;
+/**
+ * Azure Front Door rules engine. Returns a Pulumi-compatible
+ * RuleEngineRule[]-shaped array (untyped here so callers don't need to
+ * import @pulumi/azure-native). Each rule fires on a path-equals match
+ * + executes a 301/302/etc. response.
+ */
+export interface FrontDoorRule {
+    readonly name: string;
+    readonly order: number;
+    readonly conditions: ReadonlyArray<{
+        readonly name: "RequestUri";
+        readonly parameters: {
+            readonly operator: "Equal";
+            readonly matchValues: ReadonlyArray<string>;
+        };
+    }>;
+    readonly actions: ReadonlyArray<{
+        readonly name: "UrlRedirect";
+        readonly parameters: {
+            readonly redirectType: "Moved" | "Found" | "TemporaryRedirect" | "PermanentRedirect";
+            readonly destinationPath: string;
+        };
+    }>;
+}
+export declare function emitRedirectsAzureFrontDoor(rows: ReadonlyArray<RedirectRow>): ReadonlyArray<FrontDoorRule>;
+//# sourceMappingURL=redirects-emit.d.ts.map

package/dist/redirects-emit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redirects-emit.d.ts","sourceRoot":"","sources":["../src/redirects-emit.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;GAYG;AAEH,MAAM,MAAM,kBAAkB,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;AAEvD,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,UAAU,EAAE,kBAAkB,CAAC;CACzC;AA0BD;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,aAAa,CAAC,WAAW,CAAC,GAAG,MAAM,CAKhF;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B;AAED,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,aAAa,CAAC,WAAW,CAAC,GAC/B,0BAA0B,CAwB5B;AAED;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC;QACjC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;QAC5B,QAAQ,CAAC,UAAU,EAAE;YACnB,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;YAC3B,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;SAC7C,CAAC;KACH,CAAC,CAAC;IACH,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;QAC9B,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;QAC7B,QAAQ,CAAC,UAAU,EAAE;YACnB,QAAQ,CAAC,YAAY,EAAE,OAAO,GAAG,OAAO,GAAG,mBAAmB,GAAG,mBAAmB,CAAC;YACrF,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;SAClC,CAAC;KACH,CAAC,CAAC;CACJ;AAED,wBAAgB,2BAA2B,CACzC,IAAI,EAAE,aAAa,CAAC,WAAW,CAAC,GAC/B,aAAa,CAAC,aAAa,CAAC,CAqB9B"}

package/dist/redirects-emit.js

@@ -0,0 +1,89 @@
+// SPDX-License-Identifier: MPL-2.0
+/**
+ * Reject whitespace + control chars in either path before any emitter
+ * touches them. The Cloudflare `_redirects` format is space-delimited;
+ * a `fromPath` containing a space ambiguates the line (CF parses
+ * `/old foo /new 301` as from=`/old`, to=`foo`, status=`/new`, then
+ * fails on `301`). Caelo's redirects table normally rejects these
+ * upstream but the emitter shouldn't trust that — pure functions
+ * defend their own contract.
+ */
+function assertPathClean(label, path) {
+    if (/[\s\x00-\x1f]/.test(path)) {
+        throw new Error(`redirects-emit: ${label}=${JSON.stringify(path)} contains whitespace or control chars; reject upstream`);
+    }
+}
+function assertRowsClean(rows) {
+    for (const r of rows) {
+        assertPathClean("fromPath", r.fromPath);
+        assertPathClean("toPath", r.toPath);
+    }
+}
+/**
+ * Cloudflare Pages `_redirects` format (also consumed by Netlify, Vercel,
+ * Render, etc.). One redirect per line: `<from> <to> <status>`. Wildcards
+ * use `:splat`; we only support exact-path redirects in v1 (matches what
+ * Caelo's redirects table allows).
+ */
+export function emitRedirectsCloudflare(rows) {
+    assertRowsClean(rows);
+    const header = "# Generated by @caelo-cms/provisioning — do not edit by hand.\n";
+    const lines = rows.map((r) => `${r.fromPath} ${r.toPath} ${r.statusCode}`);
+    return header + lines.join("\n") + (rows.length > 0 ? "\n" : "");
+}
+export function emitRedirectsCloudFront(rows) {
+    assertRowsClean(rows);
+    const jsonConfig = JSON.stringify({ redirects: rows.map((r) => ({ from: r.fromPath, to: r.toPath, status: r.statusCode })) }, null, 2);
+    // Tiny Lambda@Edge handler. v1 is exact-path match (matches Caelo's
+    // redirects table). Wildcard support lands when the table grows it.
+    const lambdaSource = `// SPDX-License-Identifier: MPL-2.0
+// Generated by @caelo-cms/provisioning. Bundled with redirects.json.
+const REDIRECTS = require("./redirects.json").redirects;
+const TABLE = new Map(REDIRECTS.map((r) => [r.from, r]));
+exports.handler = (event, _ctx, callback) => {
+  const req = event.Records[0].cf.request;
+  const m = TABLE.get(req.uri);
+  if (!m) return callback(null, req);
+  callback(null, {
+    status: String(m.status),
+    statusDescription: "Redirect",
+    headers: { location: [{ key: "Location", value: m.to }] },
+  });
+};`;
+    return { jsonConfig, lambdaSource };
+}
+export function emitRedirectsAzureFrontDoor(rows) {
+    assertRowsClean(rows);
+    return rows.map((r, i) => ({
+        name: `redirect-${i + 1}`,
+        order: i + 1,
+        conditions: [
+            {
+                name: "RequestUri",
+                parameters: { operator: "Equal", matchValues: [r.fromPath] },
+            },
+        ],
+        actions: [
+            {
+                name: "UrlRedirect",
+                parameters: {
+                    redirectType: statusToFrontDoor(r.statusCode),
+                    destinationPath: r.toPath,
+                },
+            },
+        ],
+    }));
+}
+function statusToFrontDoor(status) {
+    switch (status) {
+        case 301:
+            return "Moved";
+        case 302:
+            return "Found";
+        case 307:
+            return "TemporaryRedirect";
+        case 308:
+            return "PermanentRedirect";
+    }
+}
+//# sourceMappingURL=redirects-emit.js.map

package/dist/redirects-emit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redirects-emit.js","sourceRoot":"","sources":["../src/redirects-emit.ts"],"names":[],"mappings":"AAAA,mCAAmC;AAwBnC;;;;;;;;GAQG;AACH,SAAS,eAAe,CAAC,KAA4B,EAAE,IAAY;IACjE,IAAI,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,mBAAmB,KAAK,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,wDAAwD,CACzG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,IAAgC;IACvD,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,eAAe,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;QACxC,eAAe,CAAC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAgC;IACtE,eAAe,CAAC,IAAI,CAAC,CAAC;IACtB,MAAM,MAAM,GAAG,iEAAiE,CAAC;IACjF,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;IAC3E,OAAO,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AACnE,CAAC;AAeD,MAAM,UAAU,uBAAuB,CACrC,IAAgC;IAEhC,eAAe,CAAC,IAAI,CAAC,CAAC;IACtB,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAC/B,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,EAC1F,IAAI,EACJ,CAAC,CACF,CAAC;IACF,oEAAoE;IACpE,oEAAoE;IACpE,MAAM,YAAY,GAAG;;;;;;;;;;;;;GAapB,CAAC;IACF,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;AACtC,CAAC;AA2BD,MAAM,UAAU,2BAA2B,CACzC,IAAgC;IAEhC,eAAe,CAAC,IAAI,CAAC,CAAC;IACtB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QACzB,IAAI,EAAE,YAAY,CAAC,GAAG,CAAC,EAAE;QACzB,KAAK,EAAE,CAAC,GAAG,CAAC;QACZ,UAAU,EAAE;YACV;gBACE,IAAI,EAAE,YAAqB;gBAC3B,UAAU,EAAE,EAAE,QAAQ,EAAE,OAAgB,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE;aACtE;SACF;QACD,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,aAAsB;gBAC5B,UAAU,EAAE;oBACV,YAAY,EAAE,iBAAiB,CAAC,CAAC,CAAC,UAAU,CAAC;oBAC7C,eAAe,EAAE,CAAC,CAAC,MAAM;iBAC1B;aACF;SACF;KACF,CAAC,CAAC,CAAC;AACN,CAAC;AAED,SAAS,iBAAiB,CACxB,MAA0B;IAE1B,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,GAAG;YACN,OAAO,OAAO,CAAC;QACjB,KAAK,GAAG;YACN,OAAO,OAAO,CAAC;QACjB,KAAK,GAAG;YACN,OAAO,mBAAmB,CAAC;QAC7B,KAAK,GAAG;YACN,OAAO,mBAAmB,CAAC;IAC/B,CAAC;AACH,CAAC"}

package/package.json

@@ -1,20 +1,33 @@
 {
   "name": "@caelo-cms/provisioning",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "private": false,
   "license": "MPL-2.0",
   "description": "Pulumi-driven provisioning for Caelo CMS — `bunx @caelo-cms/provisioning --provider <self-hosted|gcp|aws|azure>` brings up a TLS-served install with Postgres + storage + secrets manager + the admin + the API gateway.",
   "type": "module",
-  "main": "./src/index.ts",
-  "types": "./src/index.ts",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
   "bin": {
-    "cms-provision": "./src/cli.ts"
+    "cms-provision": "./dist/cli.js"
   },
   "exports": {
-    ".": "./src/index.ts"
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
   },
+  "files": [
+    "dist/",
+    "stacks/",
+    "caddy/",
+    "README.md",
+    "package.json"
+  ],
   "scripts": {
-    "typecheck": "tsc -b"
+    "typecheck": "tsc -b",
+    "build": "tsc -b --force",
+    "prepublishOnly": "tsc -b --force"
   },
   "dependencies": {
     "@pulumi/aws": "^7",
@@ -23,5 +36,8 @@
     "@pulumi/command": "^1",
     "@pulumi/gcp": "^9",
     "@pulumi/pulumi": "^3"
+  },
+  "publishConfig": {
+    "access": "public"
   }
 }

package/src/adapter.ts

@@ -1,103 +0,0 @@
-// SPDX-License-Identifier: MPL-2.0
-
-/**
- * P15 — shared cloud-provider adapter contract.
- *
- * Every per-provider Pulumi stack at `packages/provisioning/stacks/<provider>/`
- * exports a `provision(inputs: CloudAdapterInputs): CloudAdapterOutputs`
- * function. The Caelo runtime never knows which provider it's running
- * on — it just consumes the connection strings + URLs the adapter
- * publishes via `CloudAdapterOutputs`. This keeps the per-provider
- * surface small (~6 capabilities, see master plan) and the runtime
- * provider-agnostic.
- *
- * Pulumi types are intentionally NOT imported here so that callers
- * outside the Pulumi runtime (e.g. the cms-provision CLI, the admin
- * app's DNS-guidance page) can consume the *plain* shape without
- * dragging in the @pulumi/pulumi peer dep. Per-stack `index.ts` files
- * narrow the output type to `pulumi.Output<T>` at their boundary.
- */
-
-export type Environment = "dev" | "staging" | "production";
-export type LocaleStrategy = "subdirectory" | "subdomain" | "domain";
-
-export interface LocaleConfig {
-  /** ISO code, e.g. "en", "de", "fr-CA". */
-  readonly code: string;
-  /** URL strategy. Mixed strategies in one install are explicitly supported. */
-  readonly strategy: LocaleStrategy;
-  /** Required when strategy is "subdomain" or "domain"; ignored for "subdirectory". */
-  readonly host?: string;
-}
-
-export interface CloudAdapterInputs {
-  /** Primary domain (e.g. example.com). Admin + production public both bind here. */
-  readonly domain: string;
-  /** Operator email used for ACME / cert provisioning + Pulumi notifications. */
-  readonly ownerEmail: string;
-  /** Three-env model (CMS_REQUIREMENTS §16.5). Cloud installs always provision all three. */
-  readonly environments: ReadonlyArray<Environment>;
-  /** Per-locale routing config — drives per-domain cert + DNS guidance + edge routing. */
-  readonly locales: ReadonlyArray<LocaleConfig>;
-  /** Optional pre-existing secret references (e.g. from a CI secrets manager). */
-  readonly preProvisionedSecrets?: {
-    readonly anthropicApiKey?: string;
-    readonly resendApiKey?: string;
-  };
-}
-
-/**
- * DNS records the operator must create at their registrar to make the
- * install reachable. Surfaced in the admin's /security/dns page with
- * live resolver status badges.
- */
-export interface DnsRecord {
-  readonly hostname: string; // e.g. "de.example.com"
-  readonly type: "A" | "AAAA" | "CNAME" | "TXT";
-  readonly value: string; // the value the operator's registrar must hold
-  readonly purpose: string; // human-readable description
-}
-
-/**
- * Plain-data adapter outputs. Per-stack code wraps each field in
- * `pulumi.Output<…>` at the Pulumi boundary, but the *shape* is shared
- * across providers so the cms-provision CLI + the DNS UI can consume
- * any provider's outputs uniformly.
- */
-export interface CloudAdapterOutputs {
-  /** DSN for cms_admin role (encrypted in Pulumi state). */
-  readonly adminDatabaseUrl: string;
-  /** DSN for cms_public role (encrypted in Pulumi state). */
-  readonly publicDatabaseUrl: string;
-  /** Provider-native blob URL (s3://, gs://, https://<account>.blob.core.windows.net/<container>). */
-  readonly mediaStorageUrl: string;
-  /** Public-facing URL the admin reaches for media reads. */
-  readonly mediaCdnBaseUrl: string;
-  /** Bootstrap-token URL — operator opens this once after `pulumi up`. */
-  readonly bootstrapUrl: string;
-  /** DNS records consumed by the admin's DNS-guidance page. */
-  readonly dnsRecordsRequired: ReadonlyArray<DnsRecord>;
-  /**
-   * Where edge-A/B assignment logs land — read by the P12A analytics plugin's
-   * provider-specific log adapter. Provider-native sink URL (BigQuery dataset,
-   * Athena database, Log Analytics workspace).
-   */
-  readonly edgeLogSinkUrl: string;
-  /** Which provider produced these outputs — drives the analytics plugin's adapter dispatch. */
-  readonly provider: SupportedProvider;
-  /** Which environment this output snapshot represents. */
-  readonly environment: Environment;
-}
-
-export type SupportedProvider = "self-hosted" | "gcp" | "aws" | "azure";
-
-/**
- * Convenience: the shape persisted in `cms_admin.provisioning_outputs.outputs_json`.
- * Pulumi runs the adapter, the CLI's `pulumi-output-sync` subcommand reads
- * `pulumi stack output --json`, hashes the result, and writes a row keyed on
- * (provider, environment) so the admin UI can read without provider creds.
- */
-export interface ProvisioningOutputsJson {
-  readonly outputs: CloudAdapterOutputs;
-  readonly syncedAt: string; // ISO timestamp
-}

package/src/bootstrap-token.ts

@@ -1,20 +0,0 @@
-// SPDX-License-Identifier: MPL-2.0
-
-/**
- * P14 — owner bootstrap token. cms-provision generates one at first
- * `up`; the operator visits /setup?token=<…> to create the first
- * Owner. Single-use, 24h TTL.
- */
-
-export interface BootstrapToken {
-  readonly token: string;
-  readonly expiresAt: string;
-}
-
-export function generateBootstrapToken(): BootstrapToken {
-  const bytes = new Uint8Array(32);
-  crypto.getRandomValues(bytes);
-  const token = [...bytes].map((b) => b.toString(16).padStart(2, "0")).join("");
-  const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
-  return { token, expiresAt };
-}

package/src/caddy.ts

@@ -1,93 +0,0 @@
-// SPDX-License-Identifier: MPL-2.0
-
-/**
- * P14 — Caddyfile generator.
- *
- * Reads the `domains` table + the deploy targets and emits a
- * deterministic Caddyfile string. The CLI's `regenerate-caddy`
- * sub-command writes this to `/etc/caddy/Caddyfile` and runs
- * `caddy reload`.
- *
- * Per-vhost shape:
- *   <hostname> {
- *     # admin   → reverse_proxy localhost:5173
- *     # public  → root + try_files (static), with /api/* → gateway
- *     # locale  → same as public, scoped to a per-locale dist dir
- *     tls <ownerEmail>
- *   }
- *
- * Staging vhosts force `X-Robots-Tag: noindex`.
- */
-
-export interface CaddyDomainSpec {
-  readonly hostname: string;
-  readonly kind: "admin" | "public" | "locale-public";
-  readonly localeCode?: string;
-  readonly env: "production" | "staging";
-}
-
-export interface CaddyfileSpec {
-  readonly ownerEmail: string;
-  readonly publicSiteRoot: string; // absolute path on disk
-  readonly stagingSiteRoot: string;
-  readonly adminPort: number;
-  readonly gatewayPort: number;
-  readonly domains: ReadonlyArray<CaddyDomainSpec>;
-}
-
-export function generateCaddyfile(spec: CaddyfileSpec): string {
-  const blocks: string[] = [];
-
-  // Global options.
-  blocks.push(`{
-  email ${spec.ownerEmail}
-}
-`);
-
-  for (const d of spec.domains) {
-    blocks.push(vhost(d, spec));
-  }
-
-  // Localhost dev fallback when no domains are configured (so a fresh
-  // `cms-provision` produces a working Caddyfile even pre-DNS).
-  if (spec.domains.length === 0) {
-    blocks.push(`# No domains configured yet — cms-provision regenerate-caddy
-# will overwrite this file when you add one at /security/domains.
-:8081 {
-  reverse_proxy localhost:${spec.adminPort}
-}
-`);
-  }
-
-  return blocks.join("\n");
-}
-
-function vhost(d: CaddyDomainSpec, spec: CaddyfileSpec): string {
-  const noindex = d.env === "staging" ? `\n  header X-Robots-Tag "noindex"` : "";
-  if (d.kind === "admin") {
-    return `${d.hostname} {${noindex}
-  reverse_proxy localhost:${spec.adminPort}
-}
-`;
-  }
-  // public / locale-public — same shape: API routes go to the gateway,
-  // the rest serves static files. Locale variants serve from a
-  // per-locale subdirectory.
-  const root = d.env === "staging" ? spec.stagingSiteRoot : spec.publicSiteRoot;
-  const localeSubdir = d.kind === "locale-public" && d.localeCode ? `/${d.localeCode}` : "";
-  return `${d.hostname} {${noindex}
-  root * ${root}${localeSubdir}
-  handle /api/* {
-    reverse_proxy localhost:${spec.gatewayPort}
-  }
-  handle /admin/* {
-    reverse_proxy localhost:${spec.adminPort}
-  }
-  handle {
-    file_server {
-      try_files {path} {path}/index.html /index.html
-    }
-  }
-}
-`;
-}