@caelo-cms/provisioning 0.1.0 → 0.2.1

package/dist/migration-runner.js

@@ -0,0 +1,174 @@
+// SPDX-License-Identifier: MPL-2.0
+/**
+ * P21 ship 3 — shared migration runner. Used by both the GCP wizard
+ * (apps/admin/scripts/wizards/gcp.ts) AND the lifecycle `upgrade`
+ * command (lifecycle.ts).
+ *
+ * Spawns a one-shot Cloud Run Job that invokes
+ * `bun /app/packages/migrations/src/migrate.ts <target>` against the
+ * private-IP Cloud SQL instance. The job inherits the running admin
+ * Cloud Run's image (so it always carries the matching migration set)
+ * + its DB URLs + its network/subnet.
+ *
+ * Idempotent: drizzle's `__drizzle_migrations` table tracks applied
+ * versions, so re-runs only apply NEW migrations. Returns `{ok}` so
+ * callers (especially `upgrade`) can abort cleanly when a migration
+ * fails BEFORE traffic shifts to the new revision.
+ */
+import { spinner } from "@clack/prompts";
+import { green, red } from "kleur/colors";
+import { gcloud } from "./gcloud.js";
+/**
+ * Resolve the running admin Cloud Run service's image + DB URLs +
+ * VPC config. Returns null on any failure; caller surfaces the error.
+ */
+async function readAdminConfig(opts) {
+    // Find the actual deployed service name (Pulumi appends a 7-char
+    // suffix; hardcoding the bare name 404s).
+    const list = await gcloud([
+        "run",
+        "services",
+        "list",
+        "--region",
+        opts.region,
+        "--project",
+        opts.projectId,
+        "--filter",
+        "metadata.name~^caelo-production-admin",
+        "--format=value(metadata.name)",
+    ]);
+    if (!list.ok)
+        return null;
+    const serviceName = list.stdout.trim().split("\n")[0]?.trim();
+    if (!serviceName)
+        return null;
+    const descr = await gcloud([
+        "run",
+        "services",
+        "describe",
+        serviceName,
+        "--region",
+        opts.region,
+        "--project",
+        opts.projectId,
+        "--format=json",
+    ]);
+    if (!descr.ok)
+        return null;
+    try {
+        const d = JSON.parse(descr.stdout);
+        const c = d.spec.template.spec.containers[0];
+        const imageRef = c?.image ?? "";
+        let adminUrl = "";
+        let publicUrl = "";
+        for (const e of c?.env ?? []) {
+            if (e.name === "ADMIN_DATABASE_URL")
+                adminUrl = e.value ?? "";
+            if (e.name === "PUBLIC_ADMIN_DATABASE_URL")
+                publicUrl = e.value ?? "";
+        }
+        let networkRef = "";
+        let subnetRef = "";
+        const niAnnotation = d.spec.template.metadata?.annotations?.["run.googleapis.com/network-interfaces"];
+        if (niAnnotation) {
+            try {
+                const parsed = JSON.parse(niAnnotation);
+                networkRef = parsed[0]?.network ?? "";
+                subnetRef = parsed[0]?.subnetwork ?? "";
+            }
+            catch {
+                // fall through
+            }
+        }
+        if (!networkRef || !subnetRef) {
+            const ni = d.spec.template.spec.vpcAccess?.networkInterfaces?.[0];
+            networkRef ||= ni?.network ?? "";
+            subnetRef ||= ni?.subnetwork ?? "";
+        }
+        if (!imageRef || !adminUrl || !publicUrl || !networkRef || !subnetRef)
+            return null;
+        return { imageRef, adminUrl, publicUrl, networkRef, subnetRef };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Run admin + public migrations against Cloud SQL. Returns `{ok}` so
+ * callers can decide what to do on failure (the wizard exits the
+ * process; upgrade aborts before rolling Cloud Run).
+ */
+export async function runMigrationsViaCloudRunJob(opts) {
+    const sAdmin = spinner();
+    sAdmin.start("Reading admin Cloud Run config for migration job...");
+    const cfg = await readAdminConfig(opts);
+    if (!cfg) {
+        sAdmin.stop(red("Couldn't resolve admin config — admin may not be deployed yet"));
+        return { ok: false, error: "admin-config-unresolved" };
+    }
+    sAdmin.stop(green(`Admin config resolved (${cfg.imageRef.slice(-19)})`));
+    for (const target of ["admin", "public"]) {
+        const s = spinner();
+        s.start(`Applying ${target} migrations via one-shot Cloud Run Job...`);
+        // Delete-then-create so each invocation runs with the freshest
+        // image + env (no stale job specs).
+        await gcloud([
+            "run",
+            "jobs",
+            "delete",
+            `caelo-migrate-${target}`,
+            "--region",
+            opts.region,
+            "--project",
+            opts.projectId,
+            "--quiet",
+        ]);
+        const create = await gcloud([
+            "run",
+            "jobs",
+            "create",
+            `caelo-migrate-${target}`,
+            `--image=${cfg.imageRef}`,
+            "--region",
+            opts.region,
+            "--project",
+            opts.projectId,
+            "--service-account",
+            `caelo-production-run-sa@${opts.projectId}.iam.gserviceaccount.com`,
+            "--network",
+            cfg.networkRef.split("/").pop() ?? cfg.networkRef,
+            "--subnet",
+            cfg.subnetRef.split("/").pop() ?? cfg.subnetRef,
+            "--vpc-egress=private-ranges-only",
+            "--command=bun",
+            `--args=--bun,/app/packages/migrations/src/migrate.ts,${target}`,
+            "--set-env-vars",
+            `ADMIN_DATABASE_URL=${cfg.adminUrl},PUBLIC_ADMIN_DATABASE_URL=${cfg.publicUrl}`,
+            "--max-retries=0",
+            "--task-timeout=10m",
+            "--quiet",
+        ]);
+        if (!create.ok) {
+            s.stop(red(`Job create failed: ${create.stderr.trim()}`));
+            return { ok: false, error: `migrate-${target}-create: ${create.stderr.trim()}` };
+        }
+        const exec = await gcloud([
+            "run",
+            "jobs",
+            "execute",
+            `caelo-migrate-${target}`,
+            "--region",
+            opts.region,
+            "--project",
+            opts.projectId,
+            "--wait",
+        ]);
+        if (!exec.ok) {
+            s.stop(red(`${target} migrations failed: ${exec.stderr.trim()}`));
+            return { ok: false, error: `migrate-${target}-exec: ${exec.stderr.trim()}` };
+        }
+        s.stop(green(`${target} migrations applied`));
+    }
+    return { ok: true };
+}
+//# sourceMappingURL=migration-runner.js.map

package/dist/migration-runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"migration-runner.js","sourceRoot":"","sources":["../src/migration-runner.ts"],"names":[],"mappings":"AAAA,mCAAmC;AAEnC;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AACzC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAerC;;;GAGG;AACH,KAAK,UAAU,eAAe,CAAC,IAAyB;IACtD,iEAAiE;IACjE,0CAA0C;IAC1C,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC;QACxB,KAAK;QACL,UAAU;QACV,MAAM;QACN,UAAU;QACV,IAAI,CAAC,MAAM;QACX,WAAW;QACX,IAAI,CAAC,SAAS;QACd,UAAU;QACV,uCAAuC;QACvC,+BAA+B;KAChC,CAAC,CAAC;IACH,IAAI,CAAC,IAAI,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC;IAC9D,IAAI,CAAC,WAAW;QAAE,OAAO,IAAI,CAAC;IAE9B,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC;QACzB,KAAK;QACL,UAAU;QACV,UAAU;QACV,WAAW;QACX,UAAU;QACV,IAAI,CAAC,MAAM;QACX,WAAW;QACX,IAAI,CAAC,SAAS;QACd,eAAe;KAChB,CAAC,CAAC;IACH,IAAI,CAAC,KAAK,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IAE3B,IAAI,CAAC;QACH,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAUhC,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC7C,MAAM,QAAQ,GAAG,CAAC,EAAE,KAAK,IAAI,EAAE,CAAC;QAChC,IAAI,QAAQ,GAAG,EAAE,CAAC;QAClB,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,IAAI,EAAE,EAAE,CAAC;YAC7B,IAAI,CAAC,CAAC,IAAI,KAAK,oBAAoB;gBAAE,QAAQ,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9D,IAAI,CAAC,CAAC,IAAI,KAAK,2BAA2B;gBAAE,SAAS,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACxE,CAAC;QACD,IAAI,UAAU,GAAG,EAAE,CAAC;QACpB,IAAI,SAAS,GAAG,EAAE,CAAC;QACnB,MAAM,YAAY,GAChB,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC,uCAAuC,CAAC,CAAC;QACnF,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAgD,CAAC;gBACvF,UAAU,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,EAAE,CAAC;gBACtC,SAAS,GAAG,MAAM,CAAC,CAAC,CAAC,EAAE,UAAU,IAAI,EAAE,CAAC;YAC1C,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe;YACjB,CAAC;QACH,CAAC;QACD,IAAI,CAAC,UAAU,IAAI,CAAC,SAAS,EAAE,CAAC;YAC9B,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,iBAAiB,EAAE,CAAC,CAAC,CAAC,CAAC;YAClE,UAAU,KAAK,EAAE,EAAE,OAAO,IAAI,EAAE,CAAC;YACjC,SAAS,KAAK,EAAE,EAAE,UAAU,IAAI,EAAE,CAAC;QACrC,CAAC;QACD,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,IAAI,CAAC,SAAS,IAAI,CAAC,UAAU,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC;QACnF,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,IAAyB;IAEzB,MAAM,MAAM,GAAG,OAAO,EAAE,CAAC;IACzB,MAAM,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACpE,MAAM,GAAG,GAAG,MAAM,eAAe,CAAC,IAAI,CAAC,CAAC;IACxC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC,CAAC;QAClF,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;IACzD,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,0BAA0B,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAEzE,KAAK,MAAM,MAAM,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAU,EAAE,CAAC;QAClD,MAAM,CAAC,GAAG,OAAO,EAAE,CAAC;QACpB,CAAC,CAAC,KAAK,CAAC,YAAY,MAAM,2CAA2C,CAAC,CAAC;QACvE,+DAA+D;QAC/D,oCAAoC;QACpC,MAAM,MAAM,CAAC;YACX,KAAK;YACL,MAAM;YACN,QAAQ;YACR,iBAAiB,MAAM,EAAE;YACzB,UAAU;YACV,IAAI,CAAC,MAAM;YACX,WAAW;YACX,IAAI,CAAC,SAAS;YACd,SAAS;SACV,CAAC,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC;YAC1B,KAAK;YACL,MAAM;YACN,QAAQ;YACR,iBAAiB,MAAM,EAAE;YACzB,WAAW,GAAG,CAAC,QAAQ,EAAE;YACzB,UAAU;YACV,IAAI,CAAC,MAAM;YACX,WAAW;YACX,IAAI,CAAC,SAAS;YACd,mBAAmB;YACnB,2BAA2B,IAAI,CAAC,SAAS,0BAA0B;YACnE,WAAW;YACX,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,GAAG,CAAC,UAAU;YACjD,UAAU;YACV,GAAG,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,GAAG,CAAC,SAAS;YAC/C,kCAAkC;YAClC,eAAe;YACf,wDAAwD,MAAM,EAAE;YAChE,gBAAgB;YAChB,sBAAsB,GAAG,CAAC,QAAQ,8BAA8B,GAAG,CAAC,SAAS,EAAE;YAC/E,iBAAiB;YACjB,oBAAoB;YACpB,SAAS;SACV,CAAC,CAAC;QACH,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;YAC1D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,MAAM,YAAY,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC;QACnF,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC;YACxB,KAAK;YACL,MAAM;YACN,SAAS;YACT,iBAAiB,MAAM,EAAE;YACzB,UAAU;YACV,IAAI,CAAC,MAAM;YACX,WAAW;YACX,IAAI,CAAC,SAAS;YACd,QAAQ;SACT,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,uBAAuB,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;YAClE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,MAAM,UAAU,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC;QAC/E,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,MAAM,qBAAqB,CAAC,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC"}

package/dist/redirects-emit.d.ts

@@ -0,0 +1,65 @@
+/**
+ * P15 — per-provider redirect file generators.
+ *
+ * P14's self-hosted Caddy consumes a `_redirects.caddy` file. Cloud
+ * providers want different formats: Cloudflare Pages reads `_redirects`
+ * (also a fine fit for any platform that consumes that format),
+ * CloudFront wants a JSON config a Lambda@Edge function reads at
+ * startup, and Azure Front Door wants a rules-engine RuleEngineRule[].
+ *
+ * The deploy step calls the right emitter based on `process.env.CAELO_PROVIDER`
+ * and uploads the result to the right place. Each emitter is pure +
+ * idempotent — same input → same byte output.
+ */
+export type RedirectStatusCode = 301 | 302 | 307 | 308;
+export interface RedirectRow {
+    readonly fromPath: string;
+    readonly toPath: string;
+    readonly statusCode: RedirectStatusCode;
+}
+/**
+ * Cloudflare Pages `_redirects` format (also consumed by Netlify, Vercel,
+ * Render, etc.). One redirect per line: `<from> <to> <status>`. Wildcards
+ * use `:splat`; we only support exact-path redirects in v1 (matches what
+ * Caelo's redirects table allows).
+ */
+export declare function emitRedirectsCloudflare(rows: ReadonlyArray<RedirectRow>): string;
+/**
+ * CloudFront via Lambda@Edge. Returns a JSON config the L@E function
+ * reads at startup + a tiny Lambda source that consumes it. The L@E
+ * function is deployed to `us-east-1` (CloudFront constraint); the
+ * config blob is bundled into the Lambda deployment artifact.
+ *
+ * Returning both halves lets the AWS stack ship a single asset.
+ */
+export interface CloudFrontRedirectArtifact {
+    readonly jsonConfig: string;
+    readonly lambdaSource: string;
+}
+export declare function emitRedirectsCloudFront(rows: ReadonlyArray<RedirectRow>): CloudFrontRedirectArtifact;
+/**
+ * Azure Front Door rules engine. Returns a Pulumi-compatible
+ * RuleEngineRule[]-shaped array (untyped here so callers don't need to
+ * import @pulumi/azure-native). Each rule fires on a path-equals match
+ * + executes a 301/302/etc. response.
+ */
+export interface FrontDoorRule {
+    readonly name: string;
+    readonly order: number;
+    readonly conditions: ReadonlyArray<{
+        readonly name: "RequestUri";
+        readonly parameters: {
+            readonly operator: "Equal";
+            readonly matchValues: ReadonlyArray<string>;
+        };
+    }>;
+    readonly actions: ReadonlyArray<{
+        readonly name: "UrlRedirect";
+        readonly parameters: {
+            readonly redirectType: "Moved" | "Found" | "TemporaryRedirect" | "PermanentRedirect";
+            readonly destinationPath: string;
+        };
+    }>;
+}
+export declare function emitRedirectsAzureFrontDoor(rows: ReadonlyArray<RedirectRow>): ReadonlyArray<FrontDoorRule>;
+//# sourceMappingURL=redirects-emit.d.ts.map

package/dist/redirects-emit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"redirects-emit.d.ts","sourceRoot":"","sources":["../src/redirects-emit.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;GAYG;AAEH,MAAM,MAAM,kBAAkB,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;AAEvD,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,UAAU,EAAE,kBAAkB,CAAC;CACzC;AA6BD;;;;;GAKG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE,aAAa,CAAC,WAAW,CAAC,GAAG,MAAM,CAKhF;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;CAC/B;AAED,wBAAgB,uBAAuB,CACrC,IAAI,EAAE,aAAa,CAAC,WAAW,CAAC,GAC/B,0BAA0B,CAwB5B;AAED;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC5B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC;QACjC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;QAC5B,QAAQ,CAAC,UAAU,EAAE;YACnB,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;YAC3B,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;SAC7C,CAAC;KACH,CAAC,CAAC;IACH,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC;QAC9B,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;QAC7B,QAAQ,CAAC,UAAU,EAAE;YACnB,QAAQ,CAAC,YAAY,EAAE,OAAO,GAAG,OAAO,GAAG,mBAAmB,GAAG,mBAAmB,CAAC;YACrF,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC;SAClC,CAAC;KACH,CAAC,CAAC;CACJ;AAED,wBAAgB,2BAA2B,CACzC,IAAI,EAAE,aAAa,CAAC,WAAW,CAAC,GAC/B,aAAa,CAAC,aAAa,CAAC,CAqB9B"}

package/dist/redirects-emit.js

@@ -0,0 +1,92 @@
+// SPDX-License-Identifier: MPL-2.0
+/**
+ * Reject whitespace + control chars in either path before any emitter
+ * touches them. The Cloudflare `_redirects` format is space-delimited;
+ * a `fromPath` containing a space ambiguates the line (CF parses
+ * `/old foo /new 301` as from=`/old`, to=`foo`, status=`/new`, then
+ * fails on `301`). Caelo's redirects table normally rejects these
+ * upstream but the emitter shouldn't trust that — pure functions
+ * defend their own contract.
+ */
+function assertPathClean(label, path) {
+    // \p{Cc} matches the Unicode control category (U+0000–U+001F + U+007F–U+009F);
+    // the linter rejects literal \x00-\x1f ranges in regex, but the intent — defending
+    // emitter contracts against control chars — is the explicit reason for this check.
+    if (/[\s\p{Cc}]/u.test(path)) {
+        throw new Error(`redirects-emit: ${label}=${JSON.stringify(path)} contains whitespace or control chars; reject upstream`);
+    }
+}
+function assertRowsClean(rows) {
+    for (const r of rows) {
+        assertPathClean("fromPath", r.fromPath);
+        assertPathClean("toPath", r.toPath);
+    }
+}
+/**
+ * Cloudflare Pages `_redirects` format (also consumed by Netlify, Vercel,
+ * Render, etc.). One redirect per line: `<from> <to> <status>`. Wildcards
+ * use `:splat`; we only support exact-path redirects in v1 (matches what
+ * Caelo's redirects table allows).
+ */
+export function emitRedirectsCloudflare(rows) {
+    assertRowsClean(rows);
+    const header = "# Generated by @caelo-cms/provisioning — do not edit by hand.\n";
+    const lines = rows.map((r) => `${r.fromPath} ${r.toPath} ${r.statusCode}`);
+    return header + lines.join("\n") + (rows.length > 0 ? "\n" : "");
+}
+export function emitRedirectsCloudFront(rows) {
+    assertRowsClean(rows);
+    const jsonConfig = JSON.stringify({ redirects: rows.map((r) => ({ from: r.fromPath, to: r.toPath, status: r.statusCode })) }, null, 2);
+    // Tiny Lambda@Edge handler. v1 is exact-path match (matches Caelo's
+    // redirects table). Wildcard support lands when the table grows it.
+    const lambdaSource = `// SPDX-License-Identifier: MPL-2.0
+// Generated by @caelo-cms/provisioning. Bundled with redirects.json.
+const REDIRECTS = require("./redirects.json").redirects;
+const TABLE = new Map(REDIRECTS.map((r) => [r.from, r]));
+exports.handler = (event, _ctx, callback) => {
+  const req = event.Records[0].cf.request;
+  const m = TABLE.get(req.uri);
+  if (!m) return callback(null, req);
+  callback(null, {
+    status: String(m.status),
+    statusDescription: "Redirect",
+    headers: { location: [{ key: "Location", value: m.to }] },
+  });
+};`;
+    return { jsonConfig, lambdaSource };
+}
+export function emitRedirectsAzureFrontDoor(rows) {
+    assertRowsClean(rows);
+    return rows.map((r, i) => ({
+        name: `redirect-${i + 1}`,
+        order: i + 1,
+        conditions: [
+            {
+                name: "RequestUri",
+                parameters: { operator: "Equal", matchValues: [r.fromPath] },
+            },
+        ],
+        actions: [
+            {
+                name: "UrlRedirect",
+                parameters: {
+                    redirectType: statusToFrontDoor(r.statusCode),
+                    destinationPath: r.toPath,
+                },
+            },
+        ],
+    }));
+}
+function statusToFrontDoor(status) {
+    switch (status) {
+        case 301:
+            return "Moved";
+        case 302:
+            return "Found";
+        case 307:
+            return "TemporaryRedirect";
+        case 308:
+            return "PermanentRedirect";
+    }
+}
+//# sourceMappingURL=redirects-emit.js.map

package/dist/redirects-emit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"redirects-emit.js","sourceRoot":"","sources":["../src/redirects-emit.ts"],"names":[],"mappings":"AAAA,mCAAmC;AAwBnC;;;;;;;;GAQG;AACH,SAAS,eAAe,CAAC,KAA4B,EAAE,IAAY;IACjE,+EAA+E;IAC/E,mFAAmF;IACnF,mFAAmF;IACnF,IAAI,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,mBAAmB,KAAK,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,wDAAwD,CACzG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,IAAgC;IACvD,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,eAAe,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;QACxC,eAAe,CAAC,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAAgC;IACtE,eAAe,CAAC,IAAI,CAAC,CAAC;IACtB,MAAM,MAAM,GAAG,iEAAiE,CAAC;IACjF,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC;IAC3E,OAAO,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AACnE,CAAC;AAeD,MAAM,UAAU,uBAAuB,CACrC,IAAgC;IAEhC,eAAe,CAAC,IAAI,CAAC,CAAC;IACtB,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAC/B,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,EAC1F,IAAI,EACJ,CAAC,CACF,CAAC;IACF,oEAAoE;IACpE,oEAAoE;IACpE,MAAM,YAAY,GAAG;;;;;;;;;;;;;GAapB,CAAC;IACF,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,CAAC;AACtC,CAAC;AA2BD,MAAM,UAAU,2BAA2B,CACzC,IAAgC;IAEhC,eAAe,CAAC,IAAI,CAAC,CAAC;IACtB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC;QACzB,IAAI,EAAE,YAAY,CAAC,GAAG,CAAC,EAAE;QACzB,KAAK,EAAE,CAAC,GAAG,CAAC;QACZ,UAAU,EAAE;YACV;gBACE,IAAI,EAAE,YAAqB;gBAC3B,UAAU,EAAE,EAAE,QAAQ,EAAE,OAAgB,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE;aACtE;SACF;QACD,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,aAAsB;gBAC5B,UAAU,EAAE;oBACV,YAAY,EAAE,iBAAiB,CAAC,CAAC,CAAC,UAAU,CAAC;oBAC7C,eAAe,EAAE,CAAC,CAAC,MAAM;iBAC1B;aACF;SACF;KACF,CAAC,CAAC,CAAC;AACN,CAAC;AAED,SAAS,iBAAiB,CACxB,MAA0B;IAE1B,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,GAAG;YACN,OAAO,OAAO,CAAC;QACjB,KAAK,GAAG;YACN,OAAO,OAAO,CAAC;QACjB,KAAK,GAAG;YACN,OAAO,mBAAmB,CAAC;QAC7B,KAAK,GAAG;YACN,OAAO,mBAAmB,CAAC;IAC/B,CAAC;AACH,CAAC"}

package/dist/wizard.d.ts

@@ -0,0 +1,35 @@
+/**
+ * `bunx @caelo-cms/provisioning` — interactive wizard.
+ *
+ * Per CLAUDE.md §11.C, this is the primary surface OSS users interact
+ * with: one command, end-to-end, < 20 min, on the user's own cloud.
+ *
+ * Top-level shape:
+ *   1. Pick provider (gcp / aws / azure / self-hosted)
+ *   2. Detect existing install at `~/.caelo-<id>/` and offer to resume
+ *   3. Prompt for the few inputs the provider needs (domain, owner email,
+ *      project id, Anthropic key — input-hidden)
+ *   4. Show cost estimate + final confirm
+ *   5. Delegate to the provider-specific wizard which handles project
+ *      bootstrap → Pulumi up → DNS → cert → IAP enable → bootstrap URL
+ *
+ * Each provider wizard is a separate file under `wizards/<provider>.ts`
+ * so adding a new provider is one new file, not a sprawling switch.
+ */
+import { spinner } from "@clack/prompts";
+import { type Provider } from "./install-state.js";
+export interface WizardOptions {
+    /** Skip prompts; require all inputs via flags. CI-friendly. */
+    nonInteractive?: boolean;
+    /** Pre-supplied provider — skips the picker. */
+    provider?: Provider;
+    /** Pre-supplied domain — skips the prompt. */
+    domain?: string;
+    /** Pre-supplied owner email — skips the prompt. */
+    ownerEmail?: string;
+    /** Pre-supplied GCP project id — skips the prompt for gcp. */
+    projectId?: string;
+}
+export declare function runWizard(opts?: WizardOptions): Promise<void>;
+export { spinner };
+//# sourceMappingURL=wizard.d.ts.map

package/dist/wizard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wizard.d.ts","sourceRoot":"","sources":["../src/wizard.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAmD,OAAO,EAAQ,MAAM,gBAAgB,CAAC;AAEhG,OAAO,EAGL,KAAK,QAAQ,EAGd,MAAM,oBAAoB,CAAC;AAG5B,MAAM,WAAW,aAAa;IAC5B,+DAA+D;IAC/D,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,gDAAgD;IAChD,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,8CAA8C;IAC9C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,mDAAmD;IACnD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8DAA8D;IAC9D,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,wBAAsB,SAAS,CAAC,IAAI,GAAE,aAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAyEvE;AA0ED,OAAO,EAAE,OAAO,EAAE,CAAC"}

package/dist/wizard.js

@@ -0,0 +1,160 @@
+// SPDX-License-Identifier: MPL-2.0
+/**
+ * `bunx @caelo-cms/provisioning` — interactive wizard.
+ *
+ * Per CLAUDE.md §11.C, this is the primary surface OSS users interact
+ * with: one command, end-to-end, < 20 min, on the user's own cloud.
+ *
+ * Top-level shape:
+ *   1. Pick provider (gcp / aws / azure / self-hosted)
+ *   2. Detect existing install at `~/.caelo-<id>/` and offer to resume
+ *   3. Prompt for the few inputs the provider needs (domain, owner email,
+ *      project id, Anthropic key — input-hidden)
+ *   4. Show cost estimate + final confirm
+ *   5. Delegate to the provider-specific wizard which handles project
+ *      bootstrap → Pulumi up → DNS → cert → IAP enable → bootstrap URL
+ *
+ * Each provider wizard is a separate file under `wizards/<provider>.ts`
+ * so adding a new provider is one new file, not a sprawling switch.
+ */
+import { cancel, confirm, intro, isCancel, outro, select, spinner, text } from "@clack/prompts";
+import { bold, cyan, dim } from "kleur/colors";
+import { deriveInstallId, ensureInstallDir, readMetadata, writeMetadata, } from "./install-state.js";
+import { runGcpWizard } from "./wizards/gcp.js";
+export async function runWizard(opts = {}) {
+    intro(bold(cyan("Caelo CMS provisioner")) + dim(" — one-command deploy"));
+    // 1. Provider — pre-supplied via flag OR picker.
+    const provider = opts.provider ?? (await pickProvider());
+    // 2. Common inputs the provider wizard always needs. Provider-specific
+    //    inputs (GCP project id, AWS region, etc.) are prompted inside the
+    //    per-provider wizard.
+    const domain = opts.domain ?? (await promptDomain());
+    const ownerEmail = opts.ownerEmail ?? (await promptOwnerEmail());
+    // 3. Per-install state directory + resume detection. The install id is
+    //    derived from (provider, projectId-or-domain) so re-runs land here.
+    //    For GCP we don't have the project id yet (it's the next prompt);
+    //    use domain as the seed, then rewrite metadata once project id is
+    //    set in the GCP wizard.
+    const installId = deriveInstallId(provider, opts.projectId ?? domain);
+    ensureInstallDir(installId);
+    const existing = readMetadata(installId);
+    if (existing && !opts.nonInteractive) {
+        const resume = await confirm({
+            message: `Existing install '${installId}' detected (created ${dim(existing.createdAt)}). Resume?`,
+            initialValue: true,
+        });
+        if (isCancel(resume)) {
+            cancel("Cancelled.");
+            process.exit(0);
+        }
+        if (!resume) {
+            cancel(`Aborted. Run with a different domain or remove ~/.caelo-${installId}/ first.`);
+            process.exit(0);
+        }
+    }
+    else {
+        writeMetadata(installId, {
+            installId,
+            provider,
+            projectId: opts.projectId ?? null,
+            domain,
+            ownerEmail,
+            region: null,
+            createdAt: new Date().toISOString(),
+        });
+    }
+    // 4. Delegate to the provider-specific wizard.
+    switch (provider) {
+        case "gcp":
+            await runGcpWizard({
+                installId,
+                domain,
+                ownerEmail,
+                projectId: opts.projectId ?? null,
+                nonInteractive: opts.nonInteractive ?? false,
+            });
+            break;
+        case "self-hosted":
+            cancel("Self-hosted wizard is the existing `cms-provision init` flow. Run `bunx @caelo-cms/provisioning init --domain ... --owner-email ...` for now; wizard polish lands in a follow-up commit.");
+            process.exit(0);
+            break;
+        case "aws":
+        case "azure":
+            cancel(`${provider.toUpperCase()} provider wizard not yet implemented. GCP is the first cloud target; AWS + Azure follow the same shape and land in upcoming commits.`);
+            process.exit(0);
+            break;
+    }
+    outro(bold("Done. Welcome to Caelo CMS."));
+}
+async function pickProvider() {
+    const choice = await select({
+        message: "Where do you want to deploy?",
+        options: [
+            {
+                value: "gcp",
+                label: "Google Cloud Platform",
+                hint: "Cloud Run + Cloud SQL + Cloud Storage + Cloud CDN. Default for v0.1.",
+            },
+            {
+                value: "self-hosted",
+                label: "Self-hosted (Docker Compose)",
+                hint: "Single Linux box. Postgres + Caddy + the admin + the gateway.",
+            },
+            {
+                value: "aws",
+                label: "Amazon Web Services",
+                hint: "Lambda + RDS + S3 + CloudFront. Lands in a follow-up commit.",
+            },
+            {
+                value: "azure",
+                label: "Microsoft Azure",
+                hint: "Container Apps + Azure DB + Blob + Front Door. Lands in a follow-up commit.",
+            },
+        ],
+    });
+    if (isCancel(choice)) {
+        cancel("Cancelled.");
+        process.exit(0);
+    }
+    return choice;
+}
+async function promptDomain() {
+    const value = await text({
+        message: "Domain you'd like to use",
+        placeholder: "mysite.com",
+        validate: (v) => {
+            if (!v || v.length === 0)
+                return "Domain is required";
+            if (!/^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$/.test(v)) {
+                return "Looks like an invalid domain (e.g. mysite.com)";
+            }
+            return undefined;
+        },
+    });
+    if (isCancel(value)) {
+        cancel("Cancelled.");
+        process.exit(0);
+    }
+    return value;
+}
+async function promptOwnerEmail() {
+    const value = await text({
+        message: "Owner email (you'll be the IAP allowlisted Owner; can add more later)",
+        placeholder: "you@example.com",
+        validate: (v) => {
+            if (!v || v.length === 0)
+                return "Email is required";
+            if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v))
+                return "Looks like an invalid email";
+            return undefined;
+        },
+    });
+    if (isCancel(value)) {
+        cancel("Cancelled.");
+        process.exit(0);
+    }
+    return value;
+}
+// Re-export the spinner factory so per-provider wizards use a consistent UX.
+export { spinner };
+//# sourceMappingURL=wizard.js.map

package/dist/wizard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wizard.js","sourceRoot":"","sources":["../src/wizard.ts"],"names":[],"mappings":"AAAA,mCAAmC;AAEnC;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAChG,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EACL,eAAe,EACf,gBAAgB,EAEhB,YAAY,EACZ,aAAa,GACd,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAehD,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAsB,EAAE;IACtD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC,GAAG,GAAG,CAAC,uBAAuB,CAAC,CAAC,CAAC;IAE1E,iDAAiD;IACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM,YAAY,EAAE,CAAC,CAAC;IAEzD,uEAAuE;IACvE,uEAAuE;IACvE,0BAA0B;IAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,YAAY,EAAE,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,CAAC,MAAM,gBAAgB,EAAE,CAAC,CAAC;IAEjE,uEAAuE;IACvE,wEAAwE;IACxE,sEAAsE;IACtE,sEAAsE;IACtE,4BAA4B;IAC5B,MAAM,SAAS,GAAG,eAAe,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,IAAI,MAAM,CAAC,CAAC;IACtE,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAE5B,MAAM,QAAQ,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACzC,IAAI,QAAQ,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC;YAC3B,OAAO,EAAE,qBAAqB,SAAS,uBAAuB,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,YAAY;YACjG,YAAY,EAAE,IAAI;SACnB,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACrB,MAAM,CAAC,YAAY,CAAC,CAAC;YACrB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QACD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,CAAC,2DAA2D,SAAS,UAAU,CAAC,CAAC;YACvF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;SAAM,CAAC;QACN,aAAa,CAAC,SAAS,EAAE;YACvB,SAAS;YACT,QAAQ;YACR,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI;YACjC,MAAM;YACN,UAAU;YACV,MAAM,EAAE,IAAI;YACZ,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACpC,CAAC,CAAC;IACL,CAAC;IAED,+CAA+C;IAC/C,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,KAAK;YACR,MAAM,YAAY,CAAC;gBACjB,SAAS;gBACT,MAAM;gBACN,UAAU;gBACV,SAAS,EAAE,IAAI,CAAC,SAAS,IAAI,IAAI;gBACjC,cAAc,EAAE,IAAI,CAAC,cAAc,IAAI,KAAK;aAC7C,CAAC,CAAC;YACH,MAAM;QACR,KAAK,aAAa;YAChB,MAAM,CACJ,0LAA0L,CAC3L,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAChB,MAAM;QACR,KAAK,KAAK,CAAC;QACX,KAAK,OAAO;YACV,MAAM,CACJ,GAAG,QAAQ,CAAC,WAAW,EAAE,sIAAsI,CAChK,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAChB,MAAM;IACV,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,KAAK,UAAU,YAAY;IACzB,MAAM,MAAM,GAAG,MAAM,MAAM,CAAW;QACpC,OAAO,EAAE,8BAA8B;QACvC,OAAO,EAAE;YACP;gBACE,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,uBAAuB;gBAC9B,IAAI,EAAE,sEAAsE;aAC7E;YACD;gBACE,KAAK,EAAE,aAAa;gBACpB,KAAK,EAAE,8BAA8B;gBACrC,IAAI,EAAE,+DAA+D;aACtE;YACD;gBACE,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,qBAAqB;gBAC5B,IAAI,EAAE,8DAA8D;aACrE;YACD;gBACE,KAAK,EAAE,OAAO;gBACd,KAAK,EAAE,iBAAiB;gBACxB,IAAI,EAAE,6EAA6E;aACpF;SACF;KACF,CAAC,CAAC;IACH,IAAI,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACrB,MAAM,CAAC,YAAY,CAAC,CAAC;QACrB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,MAAkB,CAAC;AAC5B,CAAC;AAED,KAAK,UAAU,YAAY;IACzB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC;QACvB,OAAO,EAAE,0BAA0B;QACnC,WAAW,EAAE,YAAY;QACzB,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE;YACd,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,oBAAoB,CAAC;YACtD,IACE,CAAC,mFAAmF,CAAC,IAAI,CAAC,CAAC,CAAC,EAC5F,CAAC;gBACD,OAAO,gDAAgD,CAAC;YAC1D,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC,CAAC;IACH,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACpB,MAAM,CAAC,YAAY,CAAC,CAAC;QACrB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,KAAe,CAAC;AACzB,CAAC;AAED,KAAK,UAAU,gBAAgB;IAC7B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC;QACvB,OAAO,EAAE,uEAAuE;QAChF,WAAW,EAAE,iBAAiB;QAC9B,QAAQ,EAAE,CAAC,CAAC,EAAE,EAAE;YACd,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,mBAAmB,CAAC;YACrD,IAAI,CAAC,4BAA4B,CAAC,IAAI,CAAC,CAAC,CAAC;gBAAE,OAAO,6BAA6B,CAAC;YAChF,OAAO,SAAS,CAAC;QACnB,CAAC;KACF,CAAC,CAAC;IACH,IAAI,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACpB,MAAM,CAAC,YAAY,CAAC,CAAC;QACrB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,KAAe,CAAC;AACzB,CAAC;AAED,6EAA6E;AAC7E,OAAO,EAAE,OAAO,EAAE,CAAC"}

package/dist/wizards/gcp-cost.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Per-resource static price table for the GCP stack — used by the
+ * wizard's pre-flight cost estimate. Prices are EUR/USD per month at
+ * `europe-west1` list rates as of 2026-05; ship updates with each
+ * Caelo release.
+ *
+ * The estimate is intentionally OVER-conservative — it shows the
+ * floor cost (idle + scale-to-zero traffic). Real usage adds egress
+ * + AI calls + storage growth on top.
+ */
+export interface CostLine {
+    name: string;
+    monthlyUsd: number;
+    notes?: string;
+}
+export interface CostEstimateInputs {
+    cloudSqlTier: string;
+    cloudSqlHa: boolean;
+    adminMinInstances: number;
+    gatewayMinInstances: number;
+    wafAdaptiveProtection: boolean;
+}
+export declare function estimateGcpCost(inputs: CostEstimateInputs): {
+    lines: CostLine[];
+    totalUsd: number;
+};
+//# sourceMappingURL=gcp-cost.d.ts.map

package/dist/wizards/gcp-cost.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gcp-cost.d.ts","sourceRoot":"","sources":["../../src/wizards/gcp-cost.ts"],"names":[],"mappings":"AAEA;;;;;;;;;GASG;AAEH,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,OAAO,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mBAAmB,EAAE,MAAM,CAAC;IAC5B,qBAAqB,EAAE,OAAO,CAAC;CAChC;AAgBD,wBAAgB,eAAe,CAAC,MAAM,EAAE,kBAAkB,GAAG;IAC3D,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAiEA"}