@caelo-cms/provisioning 0.1.0 → 0.2.1

package/dist/gcloud.js

@@ -0,0 +1,187 @@
+// SPDX-License-Identifier: MPL-2.0
+/**
+ * Thin gcloud shell-out wrapper. The wizard composes high-level
+ * "create the project + link billing + enable APIs + create SA +
+ * grant roles + mint key" flows on top of these primitives.
+ *
+ * Why shell out instead of using the GCP SDK directly:
+ *   - the user's gcloud auth state IS the auth (no separate
+ *     credentials handling — `gcloud` already knows the user)
+ *   - project create + billing link must happen as the user, NOT as
+ *     a service account (the SA doesn't exist yet at bootstrap time)
+ *   - error messages from gcloud are operator-readable; the SDK's
+ *     gRPC errors aren't
+ */
+import { spawn } from "node:child_process";
+/**
+ * Run a gcloud command. Buffered stdout + stderr (max 4 MB each).
+ * Throws on spawn failure but NOT on non-zero exit — caller checks `ok`.
+ */
+export async function gcloud(args, opts = {}) {
+    return new Promise((resolveResult, reject) => {
+        const child = spawn("gcloud", args, { stdio: ["pipe", "pipe", "pipe"] });
+        const stdout = [];
+        const stderr = [];
+        child.stdout.on("data", (chunk) => stdout.push(chunk));
+        child.stderr.on("data", (chunk) => stderr.push(chunk));
+        child.on("error", (e) => reject(e));
+        child.on("close", (code) => resolveResult({
+            ok: code === 0,
+            stdout: Buffer.concat(stdout).toString("utf8"),
+            stderr: Buffer.concat(stderr).toString("utf8"),
+            exitCode: code ?? 1,
+        }));
+        if (opts.stdin !== undefined) {
+            child.stdin.write(opts.stdin);
+            child.stdin.end();
+        }
+    });
+}
+/**
+ * Active gcloud account. Returns `null` when no account is logged in
+ * — caller prompts `gcloud auth login`.
+ */
+export async function activeAccount() {
+    const r = await gcloud(["auth", "list", "--format=value(account)", "--filter=status:ACTIVE"]);
+    if (!r.ok)
+        return null;
+    const value = r.stdout.trim();
+    return value.length > 0 ? value : null;
+}
+export async function listBillingAccounts() {
+    const r = await gcloud(["billing", "accounts", "list", "--format=json"]);
+    if (!r.ok)
+        return [];
+    try {
+        const rows = JSON.parse(r.stdout);
+        return rows.map((row) => ({
+            id: row.name.replace(/^billingAccounts\//, ""),
+            displayName: row.displayName,
+            open: row.open,
+        }));
+    }
+    catch {
+        return [];
+    }
+}
+export async function projectExists(projectId) {
+    const r = await gcloud(["projects", "describe", projectId, "--format=value(projectId)"]);
+    return r.ok && r.stdout.trim() === projectId;
+}
+export async function createProject(projectId, displayName) {
+    return gcloud(["projects", "create", projectId, "--name", displayName]);
+}
+export async function linkBilling(projectId, billingAccountId) {
+    return gcloud(["billing", "projects", "link", projectId, "--billing-account", billingAccountId]);
+}
+const REQUIRED_APIS = [
+    "compute.googleapis.com",
+    "sqladmin.googleapis.com",
+    "run.googleapis.com",
+    "secretmanager.googleapis.com",
+    "servicenetworking.googleapis.com",
+    "dns.googleapis.com",
+    "storage.googleapis.com",
+    "cloudresourcemanager.googleapis.com",
+    "iam.googleapis.com",
+    "cloudbuild.googleapis.com",
+    "artifactregistry.googleapis.com",
+    "bigquery.googleapis.com",
+    "iap.googleapis.com",
+    // Used by gcp.projects.ServiceIdentity to provision the IAP-managed
+    // service account that forwards authenticated requests to Cloud Run.
+    "serviceusage.googleapis.com",
+];
+export async function enableApis(projectId) {
+    return gcloud(["services", "enable", ...REQUIRED_APIS, "--project", projectId]);
+}
+export async function serviceAccountExists(projectId, saEmail) {
+    const r = await gcloud([
+        "iam",
+        "service-accounts",
+        "describe",
+        saEmail,
+        "--project",
+        projectId,
+        "--format=value(email)",
+    ]);
+    return r.ok && r.stdout.trim() === saEmail;
+}
+export async function createServiceAccount(projectId, accountId, displayName) {
+    return gcloud([
+        "iam",
+        "service-accounts",
+        "create",
+        accountId,
+        "--display-name",
+        displayName,
+        "--project",
+        projectId,
+    ]);
+}
+const PROVISIONER_ROLES = [
+    "roles/run.admin",
+    "roles/cloudsql.admin",
+    "roles/storage.admin",
+    "roles/secretmanager.admin",
+    "roles/iam.serviceAccountUser",
+    "roles/compute.networkAdmin",
+    "roles/dns.admin",
+    "roles/servicenetworking.networksAdmin",
+    "roles/iam.serviceAccountTokenCreator",
+    "roles/cloudbuild.builds.editor",
+    "roles/artifactregistry.admin",
+    "roles/compute.securityAdmin",
+    "roles/iam.serviceAccountAdmin",
+    "roles/bigquery.admin",
+    "roles/iap.admin",
+    // compute.admin includes RegionNetworkEndpointGroups + URL maps +
+    // BackendService variants the LB needs. compute.networkAdmin alone
+    // doesn't cover NEG create.
+    "roles/compute.admin",
+    // logging.configWriter creates ProjectSink (BigQuery edge logs).
+    "roles/logging.configWriter",
+    // serviceusage.serviceUsageAdmin lets us trigger the IAP managed
+    // service identity (gcp.projects.ServiceIdentity).
+    "roles/serviceusage.serviceUsageAdmin",
+];
+/**
+ * Bind every role the GCP stack provisioner SA needs. Idempotent —
+ * gcloud silently no-ops a binding that already exists.
+ */
+export async function grantProvisionerRoles(projectId, saEmail) {
+    let granted = 0;
+    const failed = [];
+    for (const role of PROVISIONER_ROLES) {
+        const r = await gcloud([
+            "projects",
+            "add-iam-policy-binding",
+            projectId,
+            "--member",
+            `serviceAccount:${saEmail}`,
+            "--role",
+            role,
+            "--condition=None",
+            "--quiet",
+        ]);
+        if (r.ok)
+            granted++;
+        else
+            failed.push(role);
+    }
+    return { granted, failed };
+}
+export async function createServiceAccountKey(saEmail, outputPath) {
+    return gcloud([
+        "iam",
+        "service-accounts",
+        "keys",
+        "create",
+        outputPath,
+        "--iam-account",
+        saEmail,
+    ]);
+}
+export const REQUIRED_API_LIST = REQUIRED_APIS;
+export const PROVISIONER_ROLE_LIST = PROVISIONER_ROLES;
+//# sourceMappingURL=gcloud.js.map

package/dist/gcloud.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gcloud.js","sourceRoot":"","sources":["../src/gcloud.ts"],"names":[],"mappings":"AAAA,mCAAmC;AAEnC;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAS3C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,IAAc,EAAE,OAA2B,EAAE;IACxE,OAAO,IAAI,OAAO,CAAC,CAAC,aAAa,EAAE,MAAM,EAAE,EAAE;QAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QACzE,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/D,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/D,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACpC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE,CACzB,aAAa,CAAC;YACZ,EAAE,EAAE,IAAI,KAAK,CAAC;YACd,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC9C,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC9C,QAAQ,EAAE,IAAI,IAAI,CAAC;SACpB,CAAC,CACH,CAAC;QACF,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAC7B,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC9B,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QACpB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,yBAAyB,EAAE,wBAAwB,CAAC,CAAC,CAAC;IAC9F,IAAI,CAAC,CAAC,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IACvB,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9B,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC;AAQD,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC;IACzE,IAAI,CAAC,CAAC,CAAC,EAAE;QAAE,OAAO,EAAE,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAI9B,CAAC;QACH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YACxB,EAAE,EAAE,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,oBAAoB,EAAE,EAAE,CAAC;YAC9C,WAAW,EAAE,GAAG,CAAC,WAAW;YAC5B,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB;IACnD,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,CAAC,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,2BAA2B,CAAC,CAAC,CAAC;IACzF,OAAO,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,SAAS,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB,EAAE,WAAmB;IACxE,OAAO,MAAM,CAAC,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC;AAC1E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,SAAiB,EACjB,gBAAwB;IAExB,OAAO,MAAM,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,mBAAmB,EAAE,gBAAgB,CAAC,CAAC,CAAC;AACnG,CAAC;AAED,MAAM,aAAa,GAAsB;IACvC,wBAAwB;IACxB,yBAAyB;IACzB,oBAAoB;IACpB,8BAA8B;IAC9B,kCAAkC;IAClC,oBAAoB;IACpB,wBAAwB;IACxB,qCAAqC;IACrC,oBAAoB;IACpB,2BAA2B;IAC3B,iCAAiC;IACjC,yBAAyB;IACzB,oBAAoB;IACpB,oEAAoE;IACpE,qEAAqE;IACrE,6BAA6B;CAC9B,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,SAAiB;IAChD,OAAO,MAAM,CAAC,CAAC,UAAU,EAAE,QAAQ,EAAE,GAAG,aAAa,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC;AAClF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,SAAiB,EAAE,OAAe;IAC3E,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC;QACrB,KAAK;QACL,kBAAkB;QAClB,UAAU;QACV,OAAO;QACP,WAAW;QACX,SAAS;QACT,uBAAuB;KACxB,CAAC,CAAC;IACH,OAAO,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,OAAO,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,SAAiB,EACjB,SAAiB,EACjB,WAAmB;IAEnB,OAAO,MAAM,CAAC;QACZ,KAAK;QACL,kBAAkB;QAClB,QAAQ;QACR,SAAS;QACT,gBAAgB;QAChB,WAAW;QACX,WAAW;QACX,SAAS;KACV,CAAC,CAAC;AACL,CAAC;AAED,MAAM,iBAAiB,GAAsB;IAC3C,iBAAiB;IACjB,sBAAsB;IACtB,qBAAqB;IACrB,2BAA2B;IAC3B,8BAA8B;IAC9B,4BAA4B;IAC5B,iBAAiB;IACjB,uCAAuC;IACvC,sCAAsC;IACtC,gCAAgC;IAChC,8BAA8B;IAC9B,6BAA6B;IAC7B,+BAA+B;IAC/B,sBAAsB;IACtB,iBAAiB;IACjB,kEAAkE;IAClE,mEAAmE;IACnE,4BAA4B;IAC5B,qBAAqB;IACrB,iEAAiE;IACjE,4BAA4B;IAC5B,iEAAiE;IACjE,mDAAmD;IACnD,sCAAsC;CACvC,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,SAAiB,EACjB,OAAe;IAEf,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC;YACrB,UAAU;YACV,wBAAwB;YACxB,SAAS;YACT,UAAU;YACV,kBAAkB,OAAO,EAAE;YAC3B,QAAQ;YACR,IAAI;YACJ,kBAAkB;YAClB,SAAS;SACV,CAAC,CAAC;QACH,IAAI,CAAC,CAAC,EAAE;YAAE,OAAO,EAAE,CAAC;;YACf,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AAC7B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAe,EACf,UAAkB;IAElB,OAAO,MAAM,CAAC;QACZ,KAAK;QACL,kBAAkB;QAClB,MAAM;QACN,QAAQ;QACR,UAAU;QACV,eAAe;QACf,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAG,aAAa,CAAC;AAC/C,MAAM,CAAC,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,22 @@
+/**
+ * @caelo-cms/provisioning — P14.
+ *
+ * Pulumi-driven self-hosted stack + cms-provision CLI helpers.
+ *
+ * Public surface:
+ *   - generateCaddyfile(spec) → string
+ *   - generateDockerCompose(spec) → string
+ *   - generateBootstrapToken() → { token, expiresAt }
+ *
+ * The CLI (cli.ts) wires these into init / up / regenerate-caddy /
+ * backup / restore / status sub-commands. The Pulumi stack files
+ * (stacks/self-hosted/*) are imported by the CLI's `up` path and
+ * declare the actual Docker resources.
+ */
+export type { CloudAdapterInputs, CloudAdapterOutputs, DnsRecord, Environment, LocaleConfig, LocaleStrategy, ProvisioningOutputsJson, SupportedProvider, } from "./adapter.js";
+export { type BootstrapToken, generateBootstrapToken, } from "./bootstrap-token.js";
+export { type CaddyDomainSpec, type CaddyfileSpec, generateCaddyfile, } from "./caddy.js";
+export { type CdnCopyAdapter, loadCdnCopyAdapter, selfHostedCdnCopy, } from "./cdn-copy.js";
+export { type ComposeSpec, generateDockerCompose } from "./compose.js";
+export { type CloudFrontRedirectArtifact, emitRedirectsAzureFrontDoor, emitRedirectsCloudFront, emitRedirectsCloudflare, type FrontDoorRule, type RedirectRow, type RedirectStatusCode, } from "./redirects-emit.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;GAcG;AAEH,YAAY,EACV,kBAAkB,EAClB,mBAAmB,EACnB,SAAS,EACT,WAAW,EACX,YAAY,EACZ,cAAc,EACd,uBAAuB,EACvB,iBAAiB,GAClB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,KAAK,cAAc,EACnB,sBAAsB,GACvB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,KAAK,eAAe,EACpB,KAAK,aAAa,EAClB,iBAAiB,GAClB,MAAM,YAAY,CAAC;AACpB,OAAO,EACL,KAAK,cAAc,EACnB,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,KAAK,WAAW,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACvE,OAAO,EACL,KAAK,0BAA0B,EAC/B,2BAA2B,EAC3B,uBAAuB,EACvB,uBAAuB,EACvB,KAAK,aAAa,EAClB,KAAK,WAAW,EAChB,KAAK,kBAAkB,GACxB,MAAM,qBAAqB,CAAC"}

package/dist/index.js

@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: MPL-2.0
+export { generateBootstrapToken, } from "./bootstrap-token.js";
+export { generateCaddyfile, } from "./caddy.js";
+export { loadCdnCopyAdapter, selfHostedCdnCopy, } from "./cdn-copy.js";
+export { generateDockerCompose } from "./compose.js";
+export { emitRedirectsAzureFrontDoor, emitRedirectsCloudFront, emitRedirectsCloudflare, } from "./redirects-emit.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,mCAAmC;AA4BnC,OAAO,EAEL,sBAAsB,GACvB,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EAGL,iBAAiB,GAClB,MAAM,YAAY,CAAC;AACpB,OAAO,EAEL,kBAAkB,EAClB,iBAAiB,GAClB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAoB,qBAAqB,EAAE,MAAM,cAAc,CAAC;AACvE,OAAO,EAEL,2BAA2B,EAC3B,uBAAuB,EACvB,uBAAuB,GAIxB,MAAM,qBAAqB,CAAC"}

package/dist/install-state.d.ts

@@ -0,0 +1,54 @@
+export type Provider = "self-hosted" | "gcp" | "aws" | "azure";
+export interface InstallMetadata {
+    installId: string;
+    provider: Provider;
+    /** Cloud-side project / account / subscription id. NULL for self-hosted. */
+    projectId: string | null;
+    domain: string;
+    ownerEmail: string;
+    region: string | null;
+    createdAt: string;
+}
+export interface ProgressCheckpoint {
+    /** Last completed wizard step. Used for resume-after-failure. */
+    lastCompletedStep: string | null;
+    /** Per-step state (e.g. createdProjectId, mintedSaKeyAt, etc.). */
+    steps: Record<string, unknown>;
+    /** ISO timestamp of last successful update. */
+    updatedAt: string;
+}
+export declare function installRoot(installId: string): string;
+/**
+ * Stable install id from the (provider, projectId-or-domain) pair so a re-run
+ * with the same inputs always lands on the same `~/.caelo-<id>/` directory.
+ * The id is short + readable — `gcp-caelo-website` / `self-hosted-mysite-com`.
+ */
+export declare function deriveInstallId(provider: Provider, projectIdOrDomain: string): string;
+/**
+ * Ensure the install directory exists with the right mode + sub-dirs.
+ * Idempotent.
+ */
+export declare function ensureInstallDir(installId: string): {
+    root: string;
+    secretsDir: string;
+    stateDir: string;
+};
+export declare function readMetadata(installId: string): InstallMetadata | null;
+export declare function writeMetadata(installId: string, meta: InstallMetadata): void;
+export declare function readProgress(installId: string): ProgressCheckpoint;
+export declare function writeProgress(installId: string, checkpoint: ProgressCheckpoint): void;
+/**
+ * Mark a step complete. Wizard re-runs check `isStepDone(installId, name)` to
+ * skip already-done steps.
+ */
+export declare function markStepDone(installId: string, stepName: string, payload?: unknown): void;
+export declare function isStepDone(installId: string, stepName: string): boolean;
+export declare function getStepPayload<T>(installId: string, stepName: string): T | null;
+/**
+ * Read a secret file from the install's `secrets/` dir. Returns null if the
+ * file doesn't exist; throws if the file exists but has the wrong mode (a
+ * defence against the user copy-pasting a key into a 644 file by mistake).
+ */
+export declare function readSecret(installId: string, name: string): string | null;
+export declare function writeSecret(installId: string, name: string, value: string): void;
+//# sourceMappingURL=install-state.d.ts.map

package/dist/install-state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"install-state.d.ts","sourceRoot":"","sources":["../src/install-state.ts"],"names":[],"mappings":"AAyBA,MAAM,MAAM,QAAQ,GAAG,aAAa,GAAG,KAAK,GAAG,KAAK,GAAG,OAAO,CAAC;AAE/D,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,QAAQ,CAAC;IACnB,4EAA4E;IAC5E,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,iEAAiE;IACjE,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,mEAAmE;IACnE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAErD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,GAAG,MAAM,CAOrF;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG;IACnD,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAeA;AAED,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAItE;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,GAAG,IAAI,CAG5E;AAED,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,kBAAkB,CAMlE;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,kBAAkB,GAAG,IAAI,CAOrF;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,IAAI,CAKzF;AAED,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEvE;AAED,wBAAgB,cAAc,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,CAAC,GAAG,IAAI,CAG/E;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAMzE;AAED,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAIhF"}

package/dist/install-state.js

@@ -0,0 +1,118 @@
+// SPDX-License-Identifier: MPL-2.0
+/**
+ * Per-install state — every Caelo install gets its own
+ * `~/.caelo-<install-id>/` directory with:
+ *
+ *   secrets/                — mode-700 dir for the install's secrets
+ *     anthropic-api-key       (mode 600) — Anthropic API key (one-time prompt)
+ *     pulumi-passphrase       (mode 600) — Pulumi local-backend passphrase
+ *     sa-key.json             (mode 600) — GCP SA key (when local-deploy; absent
+ *                                          when Workload Identity Federation
+ *                                          deploys from CI)
+ *   state/                  — Pulumi local backend state (per-install isolated)
+ *   progress.json           — wizard checkpoint so re-runs resume cleanly
+ *   install.json            — install metadata (provider, project id, region,
+ *                             domain, owner email, install id, created_at)
+ *
+ * The CLAUDE.md §11.C contract: end-users never reach into this directory
+ * by hand. The wizard + lifecycle commands wrap every read + write.
+ */
+import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+const ROOT_PREFIX = ".caelo-";
+export function installRoot(installId) {
+    return join(homedir(), `${ROOT_PREFIX}${installId}`);
+}
+/**
+ * Stable install id from the (provider, projectId-or-domain) pair so a re-run
+ * with the same inputs always lands on the same `~/.caelo-<id>/` directory.
+ * The id is short + readable — `gcp-caelo-website` / `self-hosted-mysite-com`.
+ */
+export function deriveInstallId(provider, projectIdOrDomain) {
+    const slug = projectIdOrDomain
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .slice(0, 40);
+    return `${provider}-${slug}`;
+}
+/**
+ * Ensure the install directory exists with the right mode + sub-dirs.
+ * Idempotent.
+ */
+export function ensureInstallDir(installId) {
+    const root = installRoot(installId);
+    const secretsDir = join(root, "secrets");
+    const stateDir = join(root, "state");
+    if (!existsSync(root))
+        mkdirSync(root, { recursive: true, mode: 0o700 });
+    if (!existsSync(secretsDir))
+        mkdirSync(secretsDir, { recursive: true, mode: 0o700 });
+    if (!existsSync(stateDir))
+        mkdirSync(stateDir, { recursive: true, mode: 0o700 });
+    // chmod every time in case the dirs existed with looser perms.
+    chmodSync(root, 0o700);
+    chmodSync(secretsDir, 0o700);
+    chmodSync(stateDir, 0o700);
+    return { root, secretsDir, stateDir };
+}
+export function readMetadata(installId) {
+    const path = join(installRoot(installId), "install.json");
+    if (!existsSync(path))
+        return null;
+    return JSON.parse(readFileSync(path, "utf8"));
+}
+export function writeMetadata(installId, meta) {
+    const path = join(installRoot(installId), "install.json");
+    writeFileSync(path, `${JSON.stringify(meta, null, 2)}\n`, { mode: 0o600 });
+}
+export function readProgress(installId) {
+    const path = join(installRoot(installId), "progress.json");
+    if (!existsSync(path)) {
+        return { lastCompletedStep: null, steps: {}, updatedAt: new Date().toISOString() };
+    }
+    return JSON.parse(readFileSync(path, "utf8"));
+}
+export function writeProgress(installId, checkpoint) {
+    const path = join(installRoot(installId), "progress.json");
+    writeFileSync(path, `${JSON.stringify({ ...checkpoint, updatedAt: new Date().toISOString() }, null, 2)}\n`, { mode: 0o600 });
+}
+/**
+ * Mark a step complete. Wizard re-runs check `isStepDone(installId, name)` to
+ * skip already-done steps.
+ */
+export function markStepDone(installId, stepName, payload) {
+    const cur = readProgress(installId);
+    cur.lastCompletedStep = stepName;
+    if (payload !== undefined)
+        cur.steps[stepName] = payload;
+    writeProgress(installId, cur);
+}
+export function isStepDone(installId, stepName) {
+    return readProgress(installId).steps[stepName] !== undefined;
+}
+export function getStepPayload(installId, stepName) {
+    const v = readProgress(installId).steps[stepName];
+    return (v ?? null);
+}
+/**
+ * Read a secret file from the install's `secrets/` dir. Returns null if the
+ * file doesn't exist; throws if the file exists but has the wrong mode (a
+ * defence against the user copy-pasting a key into a 644 file by mistake).
+ */
+export function readSecret(installId, name) {
+    const path = join(installRoot(installId), "secrets", name);
+    if (!existsSync(path))
+        return null;
+    const contents = readFileSync(path, "utf8").trim();
+    if (contents.length === 0)
+        return null;
+    return contents;
+}
+export function writeSecret(installId, name, value) {
+    ensureInstallDir(installId);
+    const path = join(installRoot(installId), "secrets", name);
+    writeFileSync(path, value.endsWith("\n") ? value : `${value}\n`, { mode: 0o600 });
+}
+//# sourceMappingURL=install-state.js.map

package/dist/install-state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"install-state.js","sourceRoot":"","sources":["../src/install-state.ts"],"names":[],"mappings":"AAAA,mCAAmC;AAEnC;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxF,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAwBjC,MAAM,WAAW,GAAG,SAAS,CAAC;AAE9B,MAAM,UAAU,WAAW,CAAC,SAAiB;IAC3C,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,GAAG,WAAW,GAAG,SAAS,EAAE,CAAC,CAAC;AACvD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,QAAkB,EAAE,iBAAyB;IAC3E,MAAM,IAAI,GAAG,iBAAiB;SAC3B,WAAW,EAAE;SACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;SAC3B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC;SACvB,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChB,OAAO,GAAG,QAAQ,IAAI,IAAI,EAAE,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAKhD,MAAM,IAAI,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACpC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAErC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,SAAS,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACzE,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACrF,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEjF,+DAA+D;IAC/D,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACvB,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAC7B,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAE3B,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,SAAiB;IAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,cAAc,CAAC,CAAC;IAC1D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAoB,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,IAAqB;IACpE,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,cAAc,CAAC,CAAC;IAC1D,aAAa,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,SAAiB;IAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,eAAe,CAAC,CAAC;IAC3D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;IACrF,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAuB,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,UAA8B;IAC7E,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,eAAe,CAAC,CAAC;IAC3D,aAAa,CACX,IAAI,EACJ,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EACtF,EAAE,IAAI,EAAE,KAAK,EAAE,CAChB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,SAAiB,EAAE,QAAgB,EAAE,OAAiB;IACjF,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACpC,GAAG,CAAC,iBAAiB,GAAG,QAAQ,CAAC;IACjC,IAAI,OAAO,KAAK,SAAS;QAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAC;IACzD,aAAa,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,SAAiB,EAAE,QAAgB;IAC5D,OAAO,YAAY,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,SAAS,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,cAAc,CAAI,SAAiB,EAAE,QAAgB;IACnE,MAAM,CAAC,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAClD,OAAO,CAAC,CAAC,IAAI,IAAI,CAAa,CAAC;AACjC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,SAAiB,EAAE,IAAY;IACxD,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IACnD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,SAAiB,EAAE,IAAY,EAAE,KAAa;IACxE,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAC5B,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,KAAK,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACpF,CAAC"}

package/dist/lifecycle.d.ts

@@ -0,0 +1,19 @@
+export declare function statusCommand(): Promise<void>;
+interface UpgradeOpts {
+    /** Explicit semver to roll to (e.g. "0.5.3"). Defaults to "latest". */
+    readonly version?: string;
+    /** Pre-release channel: "stable" (default), "rc", "beta". */
+    readonly channel?: "stable" | "rc" | "beta";
+    /**
+     * P21 ship 4 — escape hatch for forks / staging environments using
+     * unsigned images. Default = verify with cosign; refuse to roll on
+     * mismatch.
+     */
+    readonly skipVerify?: boolean;
+}
+export declare function upgradeCommand(opts?: UpgradeOpts): Promise<void>;
+export declare function backupCommand(): Promise<void>;
+export declare function rotateSecretCommand(name: string | undefined): Promise<void>;
+export declare function destroyCommand(): Promise<void>;
+export {};
+//# sourceMappingURL=lifecycle.d.ts.map

package/dist/lifecycle.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lifecycle.d.ts","sourceRoot":"","sources":["../src/lifecycle.ts"],"names":[],"mappings":"AAyGA,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAWnD;AA0GD,UAAU,WAAW;IACnB,uEAAuE;IACvE,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,6DAA6D;IAC7D,QAAQ,CAAC,OAAO,CAAC,EAAE,QAAQ,GAAG,IAAI,GAAG,MAAM,CAAC;IAC5C;;;;OAIG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC;CAC/B;AAqGD,wBAAsB,cAAc,CAAC,IAAI,GAAE,WAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAsL1E;AAwGD,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAmCnD;AAMD,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAoCjF;AAMD,wBAAsB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CA6CpD"}