@caelo-cms/provisioning 0.1.1 → 0.2.1

package/dist/dns/manual.js

@@ -0,0 +1,96 @@
+// SPDX-License-Identifier: MPL-2.0
+/**
+ * Manual DNS adapter — fallback for registrars without an API
+ * integration (Namecheap, GoDaddy, Porkbun, etc.). Prints the records,
+ * waits for the operator to paste them at the registrar, polls public
+ * DNS until resolution succeeds.
+ *
+ * Per CLAUDE.md §11.C: this IS one of the few human-required steps
+ * the wizard can't skip. The polling makes it close to zero-friction —
+ * the operator pastes records, presses Enter, the wizard waits.
+ */
+import { promises as dns } from "node:dns";
+import { setTimeout as sleep } from "node:timers/promises";
+import { confirm, isCancel, log, note, spinner } from "@clack/prompts";
+import { bold, cyan, dim, green, red } from "kleur/colors";
+const POLL_INTERVAL_MS = 5000;
+const POLL_TIMEOUT_MS = 30 * 60 * 1000; // 30 min — managed certs need ~15 min to issue after DNS
+export function makeManualAdapter(opts) {
+    return {
+        name: `Manual (paste at your registrar for ${opts.domain})`,
+        async applyRecords(records) {
+            note([
+                bold("Paste these DNS records at your registrar:"),
+                "",
+                ...records.map((r) => `  ${dim(r.type.padEnd(6))} ${r.hostname.padEnd(35)} → ${bold(r.value)}`),
+                "",
+                dim("After pasting, press Enter to verify resolution."),
+            ].join("\n"), "DNS records");
+            const ack = await confirm({
+                message: "Records pasted at your registrar?",
+                initialValue: true,
+            });
+            if (isCancel(ack) || !ack) {
+                log.error(red("Aborted at DNS step."));
+                throw new Error("DNS records not pasted; aborted by operator.");
+            }
+            const s = spinner();
+            s.start(`Polling DNS — up to 30 min while propagation + records settle...`);
+            const start = Date.now();
+            const remaining = new Set(records.map((r) => recordKey(r)));
+            while (remaining.size > 0) {
+                if (Date.now() - start > POLL_TIMEOUT_MS) {
+                    s.stop(red("DNS verify timeout (30 min)."));
+                    throw new Error(`Records still unresolved after 30 min: ${[...remaining].join(", ")}. Re-run after fixing.`);
+                }
+                for (const key of [...remaining]) {
+                    const record = records.find((r) => recordKey(r) === key);
+                    if (!record) {
+                        remaining.delete(key);
+                        continue;
+                    }
+                    if (await checkRecord(record)) {
+                        remaining.delete(key);
+                        log.success(green(`✓ ${record.type} ${record.hostname} resolves to expected ${record.value}`));
+                    }
+                }
+                if (remaining.size > 0)
+                    await sleep(POLL_INTERVAL_MS);
+            }
+            s.stop(green("All DNS records resolve."));
+            void cyan;
+        },
+    };
+}
+function recordKey(r) {
+    return `${r.type}:${r.hostname}`;
+}
+async function checkRecord(record) {
+    try {
+        if (record.type === "A") {
+            const result = await dns.resolve4(record.hostname);
+            return result.includes(record.value);
+        }
+        if (record.type === "AAAA") {
+            const result = await dns.resolve6(record.hostname);
+            return result.includes(record.value);
+        }
+        if (record.type === "CNAME") {
+            const result = await dns.resolveCname(record.hostname);
+            // CNAME values often have a trailing dot; normalize
+            const expected = record.value.replace(/\.$/, "");
+            return result.some((v) => v.replace(/\.$/, "") === expected);
+        }
+        if (record.type === "TXT") {
+            const result = await dns.resolveTxt(record.hostname);
+            const expected = record.value.replace(/^"|"$/g, "");
+            return result.some((arr) => arr.join("") === expected);
+        }
+        return false;
+    }
+    catch {
+        // ENOTFOUND / SERVFAIL — record not propagated yet
+        return false;
+    }
+}
+//# sourceMappingURL=manual.js.map

package/dist/dns/manual.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manual.js","sourceRoot":"","sources":["../../src/dns/manual.ts"],"names":[],"mappings":"AAAA,mCAAmC;AAEnC;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,IAAI,GAAG,EAAE,MAAM,UAAU,CAAC;AAC3C,OAAO,EAAE,UAAU,IAAI,KAAK,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAG3D,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAC9B,MAAM,eAAe,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,yDAAyD;AAEjG,MAAM,UAAU,iBAAiB,CAAC,IAAwB;IACxD,OAAO;QACL,IAAI,EAAE,uCAAuC,IAAI,CAAC,MAAM,GAAG;QAC3D,KAAK,CAAC,YAAY,CAAC,OAAoB;YACrC,IAAI,CACF;gBACE,IAAI,CAAC,4CAA4C,CAAC;gBAClD,EAAE;gBACF,GAAG,OAAO,CAAC,GAAG,CACZ,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAChF;gBACD,EAAE;gBACF,GAAG,CAAC,kDAAkD,CAAC;aACxD,CAAC,IAAI,CAAC,IAAI,CAAC,EACZ,aAAa,CACd,CAAC;YAEF,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC;gBACxB,OAAO,EAAE,mCAAmC;gBAC5C,YAAY,EAAE,IAAI;aACnB,CAAC,CAAC;YACH,IAAI,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;gBAC1B,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC,CAAC;gBACvC,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;YAClE,CAAC;YAED,MAAM,CAAC,GAAG,OAAO,EAAE,CAAC;YACpB,CAAC,CAAC,KAAK,CAAC,kEAAkE,CAAC,CAAC;YAC5E,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACzB,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAE5D,OAAO,SAAS,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;gBAC1B,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,KAAK,GAAG,eAAe,EAAE,CAAC;oBACzC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC,CAAC;oBAC5C,MAAM,IAAI,KAAK,CACb,0CAA0C,CAAC,GAAG,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,wBAAwB,CAC5F,CAAC;gBACJ,CAAC;gBACD,KAAK,MAAM,GAAG,IAAI,CAAC,GAAG,SAAS,CAAC,EAAE,CAAC;oBACjC,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC;oBACzD,IAAI,CAAC,MAAM,EAAE,CAAC;wBACZ,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;wBACtB,SAAS;oBACX,CAAC;oBACD,IAAI,MAAM,WAAW,CAAC,MAAM,CAAC,EAAE,CAAC;wBAC9B,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;wBACtB,GAAG,CAAC,OAAO,CACT,KAAK,CAAC,KAAK,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,QAAQ,yBAAyB,MAAM,CAAC,KAAK,EAAE,CAAC,CAClF,CAAC;oBACJ,CAAC;gBACH,CAAC;gBACD,IAAI,SAAS,CAAC,IAAI,GAAG,CAAC;oBAAE,MAAM,KAAK,CAAC,gBAAgB,CAAC,CAAC;YACxD,CAAC;YACD,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,0BAA0B,CAAC,CAAC,CAAC;YAC1C,KAAK,IAAI,CAAC;QACZ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,CAAY;IAC7B,OAAO,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;AACnC,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,MAAiB;IAC1C,IAAI,CAAC;QACH,IAAI,MAAM,CAAC,IAAI,KAAK,GAAG,EAAE,CAAC;YACxB,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACnD,OAAO,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvC,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACnD,OAAO,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvC,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACvD,oDAAoD;YACpD,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACjD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,QAAQ,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YAC1B,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACrD,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;YACpD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,QAAQ,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,mDAAmD;QACnD,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/dns/types.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Shared DNS-adapter interface. Every adapter (Cloudflare / Route53 /
+ * Cloud DNS / manual) implements `applyRecords` end-to-end: takes the
+ * desired records, makes them real (via API or operator paste), and
+ * resolves only when public DNS lookups succeed.
+ */
+export interface DnsRecord {
+    hostname: string;
+    type: "A" | "AAAA" | "CNAME" | "TXT";
+    value: string;
+    ttl?: number;
+}
+export interface DnsAdapter {
+    /** Human-readable name shown in wizard output. */
+    readonly name: string;
+    /**
+     * Make the records exist + verify they resolve. Resolves when
+     * `dig <hostname> <type>` returns the expected value globally.
+     * Throws on terminal failure (operator should fix + re-run).
+     */
+    applyRecords(records: DnsRecord[]): Promise<void>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/dns/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/dns/types.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AAEH,MAAM,WAAW,SAAS;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,GAAG,GAAG,MAAM,GAAG,OAAO,GAAG,KAAK,CAAC;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,UAAU;IACzB,kDAAkD;IAClD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB;;;;OAIG;IACH,YAAY,CAAC,OAAO,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnD"}

package/dist/dns/types.js

@@ -0,0 +1,3 @@
+// SPDX-License-Identifier: MPL-2.0
+export {};
+//# sourceMappingURL=types.js.map

package/dist/dns/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/dns/types.ts"],"names":[],"mappings":"AAAA,mCAAmC"}

package/dist/gcloud.d.ts

@@ -0,0 +1,42 @@
+export interface GcloudResult {
+    ok: boolean;
+    stdout: string;
+    stderr: string;
+    exitCode: number;
+}
+/**
+ * Run a gcloud command. Buffered stdout + stderr (max 4 MB each).
+ * Throws on spawn failure but NOT on non-zero exit — caller checks `ok`.
+ */
+export declare function gcloud(args: string[], opts?: {
+    stdin?: string;
+}): Promise<GcloudResult>;
+/**
+ * Active gcloud account. Returns `null` when no account is logged in
+ * — caller prompts `gcloud auth login`.
+ */
+export declare function activeAccount(): Promise<string | null>;
+export interface BillingAccount {
+    id: string;
+    displayName: string;
+    open: boolean;
+}
+export declare function listBillingAccounts(): Promise<BillingAccount[]>;
+export declare function projectExists(projectId: string): Promise<boolean>;
+export declare function createProject(projectId: string, displayName: string): Promise<GcloudResult>;
+export declare function linkBilling(projectId: string, billingAccountId: string): Promise<GcloudResult>;
+export declare function enableApis(projectId: string): Promise<GcloudResult>;
+export declare function serviceAccountExists(projectId: string, saEmail: string): Promise<boolean>;
+export declare function createServiceAccount(projectId: string, accountId: string, displayName: string): Promise<GcloudResult>;
+/**
+ * Bind every role the GCP stack provisioner SA needs. Idempotent —
+ * gcloud silently no-ops a binding that already exists.
+ */
+export declare function grantProvisionerRoles(projectId: string, saEmail: string): Promise<{
+    granted: number;
+    failed: string[];
+}>;
+export declare function createServiceAccountKey(saEmail: string, outputPath: string): Promise<GcloudResult>;
+export declare const REQUIRED_API_LIST: readonly string[];
+export declare const PROVISIONER_ROLE_LIST: readonly string[];
+//# sourceMappingURL=gcloud.d.ts.map

package/dist/gcloud.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gcloud.d.ts","sourceRoot":"","sources":["../src/gcloud.ts"],"names":[],"mappings":"AAkBA,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAsB,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,IAAI,GAAE;IAAE,KAAK,CAAC,EAAE,MAAM,CAAA;CAAO,GAAG,OAAO,CAAC,YAAY,CAAC,CAqBjG;AAED;;;GAGG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAK5D;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;CACf;AAED,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC,CAiBrE;AAED,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAGvE;AAED,wBAAsB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAEjG;AAED,wBAAsB,WAAW,CAC/B,SAAS,EAAE,MAAM,EACjB,gBAAgB,EAAE,MAAM,GACvB,OAAO,CAAC,YAAY,CAAC,CAEvB;AAqBD,wBAAsB,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAEzE;AAED,wBAAsB,oBAAoB,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAW/F;AAED,wBAAsB,oBAAoB,CACxC,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,YAAY,CAAC,CAWvB;AA6BD;;;GAGG;AACH,wBAAsB,qBAAqB,CACzC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CAmBhD;AAED,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,YAAY,CAAC,CAUvB;AAED,eAAO,MAAM,iBAAiB,mBAAgB,CAAC;AAC/C,eAAO,MAAM,qBAAqB,mBAAoB,CAAC"}

package/dist/gcloud.js

@@ -0,0 +1,187 @@
+// SPDX-License-Identifier: MPL-2.0
+/**
+ * Thin gcloud shell-out wrapper. The wizard composes high-level
+ * "create the project + link billing + enable APIs + create SA +
+ * grant roles + mint key" flows on top of these primitives.
+ *
+ * Why shell out instead of using the GCP SDK directly:
+ *   - the user's gcloud auth state IS the auth (no separate
+ *     credentials handling — `gcloud` already knows the user)
+ *   - project create + billing link must happen as the user, NOT as
+ *     a service account (the SA doesn't exist yet at bootstrap time)
+ *   - error messages from gcloud are operator-readable; the SDK's
+ *     gRPC errors aren't
+ */
+import { spawn } from "node:child_process";
+/**
+ * Run a gcloud command. Buffered stdout + stderr (max 4 MB each).
+ * Throws on spawn failure but NOT on non-zero exit — caller checks `ok`.
+ */
+export async function gcloud(args, opts = {}) {
+    return new Promise((resolveResult, reject) => {
+        const child = spawn("gcloud", args, { stdio: ["pipe", "pipe", "pipe"] });
+        const stdout = [];
+        const stderr = [];
+        child.stdout.on("data", (chunk) => stdout.push(chunk));
+        child.stderr.on("data", (chunk) => stderr.push(chunk));
+        child.on("error", (e) => reject(e));
+        child.on("close", (code) => resolveResult({
+            ok: code === 0,
+            stdout: Buffer.concat(stdout).toString("utf8"),
+            stderr: Buffer.concat(stderr).toString("utf8"),
+            exitCode: code ?? 1,
+        }));
+        if (opts.stdin !== undefined) {
+            child.stdin.write(opts.stdin);
+            child.stdin.end();
+        }
+    });
+}
+/**
+ * Active gcloud account. Returns `null` when no account is logged in
+ * — caller prompts `gcloud auth login`.
+ */
+export async function activeAccount() {
+    const r = await gcloud(["auth", "list", "--format=value(account)", "--filter=status:ACTIVE"]);
+    if (!r.ok)
+        return null;
+    const value = r.stdout.trim();
+    return value.length > 0 ? value : null;
+}
+export async function listBillingAccounts() {
+    const r = await gcloud(["billing", "accounts", "list", "--format=json"]);
+    if (!r.ok)
+        return [];
+    try {
+        const rows = JSON.parse(r.stdout);
+        return rows.map((row) => ({
+            id: row.name.replace(/^billingAccounts\//, ""),
+            displayName: row.displayName,
+            open: row.open,
+        }));
+    }
+    catch {
+        return [];
+    }
+}
+export async function projectExists(projectId) {
+    const r = await gcloud(["projects", "describe", projectId, "--format=value(projectId)"]);
+    return r.ok && r.stdout.trim() === projectId;
+}
+export async function createProject(projectId, displayName) {
+    return gcloud(["projects", "create", projectId, "--name", displayName]);
+}
+export async function linkBilling(projectId, billingAccountId) {
+    return gcloud(["billing", "projects", "link", projectId, "--billing-account", billingAccountId]);
+}
+const REQUIRED_APIS = [
+    "compute.googleapis.com",
+    "sqladmin.googleapis.com",
+    "run.googleapis.com",
+    "secretmanager.googleapis.com",
+    "servicenetworking.googleapis.com",
+    "dns.googleapis.com",
+    "storage.googleapis.com",
+    "cloudresourcemanager.googleapis.com",
+    "iam.googleapis.com",
+    "cloudbuild.googleapis.com",
+    "artifactregistry.googleapis.com",
+    "bigquery.googleapis.com",
+    "iap.googleapis.com",
+    // Used by gcp.projects.ServiceIdentity to provision the IAP-managed
+    // service account that forwards authenticated requests to Cloud Run.
+    "serviceusage.googleapis.com",
+];
+export async function enableApis(projectId) {
+    return gcloud(["services", "enable", ...REQUIRED_APIS, "--project", projectId]);
+}
+export async function serviceAccountExists(projectId, saEmail) {
+    const r = await gcloud([
+        "iam",
+        "service-accounts",
+        "describe",
+        saEmail,
+        "--project",
+        projectId,
+        "--format=value(email)",
+    ]);
+    return r.ok && r.stdout.trim() === saEmail;
+}
+export async function createServiceAccount(projectId, accountId, displayName) {
+    return gcloud([
+        "iam",
+        "service-accounts",
+        "create",
+        accountId,
+        "--display-name",
+        displayName,
+        "--project",
+        projectId,
+    ]);
+}
+const PROVISIONER_ROLES = [
+    "roles/run.admin",
+    "roles/cloudsql.admin",
+    "roles/storage.admin",
+    "roles/secretmanager.admin",
+    "roles/iam.serviceAccountUser",
+    "roles/compute.networkAdmin",
+    "roles/dns.admin",
+    "roles/servicenetworking.networksAdmin",
+    "roles/iam.serviceAccountTokenCreator",
+    "roles/cloudbuild.builds.editor",
+    "roles/artifactregistry.admin",
+    "roles/compute.securityAdmin",
+    "roles/iam.serviceAccountAdmin",
+    "roles/bigquery.admin",
+    "roles/iap.admin",
+    // compute.admin includes RegionNetworkEndpointGroups + URL maps +
+    // BackendService variants the LB needs. compute.networkAdmin alone
+    // doesn't cover NEG create.
+    "roles/compute.admin",
+    // logging.configWriter creates ProjectSink (BigQuery edge logs).
+    "roles/logging.configWriter",
+    // serviceusage.serviceUsageAdmin lets us trigger the IAP managed
+    // service identity (gcp.projects.ServiceIdentity).
+    "roles/serviceusage.serviceUsageAdmin",
+];
+/**
+ * Bind every role the GCP stack provisioner SA needs. Idempotent —
+ * gcloud silently no-ops a binding that already exists.
+ */
+export async function grantProvisionerRoles(projectId, saEmail) {
+    let granted = 0;
+    const failed = [];
+    for (const role of PROVISIONER_ROLES) {
+        const r = await gcloud([
+            "projects",
+            "add-iam-policy-binding",
+            projectId,
+            "--member",
+            `serviceAccount:${saEmail}`,
+            "--role",
+            role,
+            "--condition=None",
+            "--quiet",
+        ]);
+        if (r.ok)
+            granted++;
+        else
+            failed.push(role);
+    }
+    return { granted, failed };
+}
+export async function createServiceAccountKey(saEmail, outputPath) {
+    return gcloud([
+        "iam",
+        "service-accounts",
+        "keys",
+        "create",
+        outputPath,
+        "--iam-account",
+        saEmail,
+    ]);
+}
+export const REQUIRED_API_LIST = REQUIRED_APIS;
+export const PROVISIONER_ROLE_LIST = PROVISIONER_ROLES;
+//# sourceMappingURL=gcloud.js.map

package/dist/gcloud.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gcloud.js","sourceRoot":"","sources":["../src/gcloud.ts"],"names":[],"mappings":"AAAA,mCAAmC;AAEnC;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAS3C;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,IAAc,EAAE,OAA2B,EAAE;IACxE,OAAO,IAAI,OAAO,CAAC,CAAC,aAAa,EAAE,MAAM,EAAE,EAAE;QAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,CAAC,CAAC;QACzE,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/D,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/D,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACpC,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE,CACzB,aAAa,CAAC;YACZ,EAAE,EAAE,IAAI,KAAK,CAAC;YACd,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC9C,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC9C,QAAQ,EAAE,IAAI,IAAI,CAAC;SACpB,CAAC,CACH,CAAC;QACF,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAC7B,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC9B,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QACpB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,yBAAyB,EAAE,wBAAwB,CAAC,CAAC,CAAC;IAC9F,IAAI,CAAC,CAAC,CAAC,EAAE;QAAE,OAAO,IAAI,CAAC;IACvB,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC9B,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;AACzC,CAAC;AAQD,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC;IACzE,IAAI,CAAC,CAAC,CAAC,EAAE;QAAE,OAAO,EAAE,CAAC;IACrB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAI9B,CAAC;QACH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;YACxB,EAAE,EAAE,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,oBAAoB,EAAE,EAAE,CAAC;YAC9C,WAAW,EAAE,GAAG,CAAC,WAAW;YAC5B,IAAI,EAAE,GAAG,CAAC,IAAI;SACf,CAAC,CAAC,CAAC;IACN,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB;IACnD,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,CAAC,UAAU,EAAE,UAAU,EAAE,SAAS,EAAE,2BAA2B,CAAC,CAAC,CAAC;IACzF,OAAO,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,SAAS,CAAC;AAC/C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,SAAiB,EAAE,WAAmB;IACxE,OAAO,MAAM,CAAC,CAAC,UAAU,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,WAAW,CAAC,CAAC,CAAC;AAC1E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,SAAiB,EACjB,gBAAwB;IAExB,OAAO,MAAM,CAAC,CAAC,SAAS,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,mBAAmB,EAAE,gBAAgB,CAAC,CAAC,CAAC;AACnG,CAAC;AAED,MAAM,aAAa,GAAsB;IACvC,wBAAwB;IACxB,yBAAyB;IACzB,oBAAoB;IACpB,8BAA8B;IAC9B,kCAAkC;IAClC,oBAAoB;IACpB,wBAAwB;IACxB,qCAAqC;IACrC,oBAAoB;IACpB,2BAA2B;IAC3B,iCAAiC;IACjC,yBAAyB;IACzB,oBAAoB;IACpB,oEAAoE;IACpE,qEAAqE;IACrE,6BAA6B;CAC9B,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,SAAiB;IAChD,OAAO,MAAM,CAAC,CAAC,UAAU,EAAE,QAAQ,EAAE,GAAG,aAAa,EAAE,WAAW,EAAE,SAAS,CAAC,CAAC,CAAC;AAClF,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,SAAiB,EAAE,OAAe;IAC3E,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC;QACrB,KAAK;QACL,kBAAkB;QAClB,UAAU;QACV,OAAO;QACP,WAAW;QACX,SAAS;QACT,uBAAuB;KACxB,CAAC,CAAC;IACH,OAAO,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,OAAO,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,SAAiB,EACjB,SAAiB,EACjB,WAAmB;IAEnB,OAAO,MAAM,CAAC;QACZ,KAAK;QACL,kBAAkB;QAClB,QAAQ;QACR,SAAS;QACT,gBAAgB;QAChB,WAAW;QACX,WAAW;QACX,SAAS;KACV,CAAC,CAAC;AACL,CAAC;AAED,MAAM,iBAAiB,GAAsB;IAC3C,iBAAiB;IACjB,sBAAsB;IACtB,qBAAqB;IACrB,2BAA2B;IAC3B,8BAA8B;IAC9B,4BAA4B;IAC5B,iBAAiB;IACjB,uCAAuC;IACvC,sCAAsC;IACtC,gCAAgC;IAChC,8BAA8B;IAC9B,6BAA6B;IAC7B,+BAA+B;IAC/B,sBAAsB;IACtB,iBAAiB;IACjB,kEAAkE;IAClE,mEAAmE;IACnE,4BAA4B;IAC5B,qBAAqB;IACrB,iEAAiE;IACjE,4BAA4B;IAC5B,iEAAiE;IACjE,mDAAmD;IACnD,sCAAsC;CACvC,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,SAAiB,EACjB,OAAe;IAEf,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC;YACrB,UAAU;YACV,wBAAwB;YACxB,SAAS;YACT,UAAU;YACV,kBAAkB,OAAO,EAAE;YAC3B,QAAQ;YACR,IAAI;YACJ,kBAAkB;YAClB,SAAS;SACV,CAAC,CAAC;QACH,IAAI,CAAC,CAAC,EAAE;YAAE,OAAO,EAAE,CAAC;;YACf,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AAC7B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAe,EACf,UAAkB;IAElB,OAAO,MAAM,CAAC;QACZ,KAAK;QACL,kBAAkB;QAClB,MAAM;QACN,QAAQ;QACR,UAAU;QACV,eAAe;QACf,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAG,aAAa,CAAC;AAC/C,MAAM,CAAC,MAAM,qBAAqB,GAAG,iBAAiB,CAAC"}

package/dist/install-state.d.ts

@@ -0,0 +1,54 @@
+export type Provider = "self-hosted" | "gcp" | "aws" | "azure";
+export interface InstallMetadata {
+    installId: string;
+    provider: Provider;
+    /** Cloud-side project / account / subscription id. NULL for self-hosted. */
+    projectId: string | null;
+    domain: string;
+    ownerEmail: string;
+    region: string | null;
+    createdAt: string;
+}
+export interface ProgressCheckpoint {
+    /** Last completed wizard step. Used for resume-after-failure. */
+    lastCompletedStep: string | null;
+    /** Per-step state (e.g. createdProjectId, mintedSaKeyAt, etc.). */
+    steps: Record<string, unknown>;
+    /** ISO timestamp of last successful update. */
+    updatedAt: string;
+}
+export declare function installRoot(installId: string): string;
+/**
+ * Stable install id from the (provider, projectId-or-domain) pair so a re-run
+ * with the same inputs always lands on the same `~/.caelo-<id>/` directory.
+ * The id is short + readable — `gcp-caelo-website` / `self-hosted-mysite-com`.
+ */
+export declare function deriveInstallId(provider: Provider, projectIdOrDomain: string): string;
+/**
+ * Ensure the install directory exists with the right mode + sub-dirs.
+ * Idempotent.
+ */
+export declare function ensureInstallDir(installId: string): {
+    root: string;
+    secretsDir: string;
+    stateDir: string;
+};
+export declare function readMetadata(installId: string): InstallMetadata | null;
+export declare function writeMetadata(installId: string, meta: InstallMetadata): void;
+export declare function readProgress(installId: string): ProgressCheckpoint;
+export declare function writeProgress(installId: string, checkpoint: ProgressCheckpoint): void;
+/**
+ * Mark a step complete. Wizard re-runs check `isStepDone(installId, name)` to
+ * skip already-done steps.
+ */
+export declare function markStepDone(installId: string, stepName: string, payload?: unknown): void;
+export declare function isStepDone(installId: string, stepName: string): boolean;
+export declare function getStepPayload<T>(installId: string, stepName: string): T | null;
+/**
+ * Read a secret file from the install's `secrets/` dir. Returns null if the
+ * file doesn't exist; throws if the file exists but has the wrong mode (a
+ * defence against the user copy-pasting a key into a 644 file by mistake).
+ */
+export declare function readSecret(installId: string, name: string): string | null;
+export declare function writeSecret(installId: string, name: string, value: string): void;
+//# sourceMappingURL=install-state.d.ts.map

package/dist/install-state.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"install-state.d.ts","sourceRoot":"","sources":["../src/install-state.ts"],"names":[],"mappings":"AAyBA,MAAM,MAAM,QAAQ,GAAG,aAAa,GAAG,KAAK,GAAG,KAAK,GAAG,OAAO,CAAC;AAE/D,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,QAAQ,CAAC;IACnB,4EAA4E;IAC5E,SAAS,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,iEAAiE;IACjE,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAC;IACjC,mEAAmE;IACnE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,+CAA+C;IAC/C,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAErD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,GAAG,MAAM,CAOrF;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG;IACnD,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAeA;AAED,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,eAAe,GAAG,IAAI,CAItE;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,GAAG,IAAI,CAG5E;AAED,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,kBAAkB,CAMlE;AAED,wBAAgB,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,UAAU,EAAE,kBAAkB,GAAG,IAAI,CAOrF;AAED;;;GAGG;AACH,wBAAgB,YAAY,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,IAAI,CAKzF;AAED,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEvE;AAED,wBAAgB,cAAc,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,CAAC,GAAG,IAAI,CAG/E;AAED;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAMzE;AAED,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAIhF"}

package/dist/install-state.js

@@ -0,0 +1,118 @@
+// SPDX-License-Identifier: MPL-2.0
+/**
+ * Per-install state — every Caelo install gets its own
+ * `~/.caelo-<install-id>/` directory with:
+ *
+ *   secrets/                — mode-700 dir for the install's secrets
+ *     anthropic-api-key       (mode 600) — Anthropic API key (one-time prompt)
+ *     pulumi-passphrase       (mode 600) — Pulumi local-backend passphrase
+ *     sa-key.json             (mode 600) — GCP SA key (when local-deploy; absent
+ *                                          when Workload Identity Federation
+ *                                          deploys from CI)
+ *   state/                  — Pulumi local backend state (per-install isolated)
+ *   progress.json           — wizard checkpoint so re-runs resume cleanly
+ *   install.json            — install metadata (provider, project id, region,
+ *                             domain, owner email, install id, created_at)
+ *
+ * The CLAUDE.md §11.C contract: end-users never reach into this directory
+ * by hand. The wizard + lifecycle commands wrap every read + write.
+ */
+import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+const ROOT_PREFIX = ".caelo-";
+export function installRoot(installId) {
+    return join(homedir(), `${ROOT_PREFIX}${installId}`);
+}
+/**
+ * Stable install id from the (provider, projectId-or-domain) pair so a re-run
+ * with the same inputs always lands on the same `~/.caelo-<id>/` directory.
+ * The id is short + readable — `gcp-caelo-website` / `self-hosted-mysite-com`.
+ */
+export function deriveInstallId(provider, projectIdOrDomain) {
+    const slug = projectIdOrDomain
+        .toLowerCase()
+        .replace(/[^a-z0-9]+/g, "-")
+        .replace(/^-+|-+$/g, "")
+        .slice(0, 40);
+    return `${provider}-${slug}`;
+}
+/**
+ * Ensure the install directory exists with the right mode + sub-dirs.
+ * Idempotent.
+ */
+export function ensureInstallDir(installId) {
+    const root = installRoot(installId);
+    const secretsDir = join(root, "secrets");
+    const stateDir = join(root, "state");
+    if (!existsSync(root))
+        mkdirSync(root, { recursive: true, mode: 0o700 });
+    if (!existsSync(secretsDir))
+        mkdirSync(secretsDir, { recursive: true, mode: 0o700 });
+    if (!existsSync(stateDir))
+        mkdirSync(stateDir, { recursive: true, mode: 0o700 });
+    // chmod every time in case the dirs existed with looser perms.
+    chmodSync(root, 0o700);
+    chmodSync(secretsDir, 0o700);
+    chmodSync(stateDir, 0o700);
+    return { root, secretsDir, stateDir };
+}
+export function readMetadata(installId) {
+    const path = join(installRoot(installId), "install.json");
+    if (!existsSync(path))
+        return null;
+    return JSON.parse(readFileSync(path, "utf8"));
+}
+export function writeMetadata(installId, meta) {
+    const path = join(installRoot(installId), "install.json");
+    writeFileSync(path, `${JSON.stringify(meta, null, 2)}\n`, { mode: 0o600 });
+}
+export function readProgress(installId) {
+    const path = join(installRoot(installId), "progress.json");
+    if (!existsSync(path)) {
+        return { lastCompletedStep: null, steps: {}, updatedAt: new Date().toISOString() };
+    }
+    return JSON.parse(readFileSync(path, "utf8"));
+}
+export function writeProgress(installId, checkpoint) {
+    const path = join(installRoot(installId), "progress.json");
+    writeFileSync(path, `${JSON.stringify({ ...checkpoint, updatedAt: new Date().toISOString() }, null, 2)}\n`, { mode: 0o600 });
+}
+/**
+ * Mark a step complete. Wizard re-runs check `isStepDone(installId, name)` to
+ * skip already-done steps.
+ */
+export function markStepDone(installId, stepName, payload) {
+    const cur = readProgress(installId);
+    cur.lastCompletedStep = stepName;
+    if (payload !== undefined)
+        cur.steps[stepName] = payload;
+    writeProgress(installId, cur);
+}
+export function isStepDone(installId, stepName) {
+    return readProgress(installId).steps[stepName] !== undefined;
+}
+export function getStepPayload(installId, stepName) {
+    const v = readProgress(installId).steps[stepName];
+    return (v ?? null);
+}
+/**
+ * Read a secret file from the install's `secrets/` dir. Returns null if the
+ * file doesn't exist; throws if the file exists but has the wrong mode (a
+ * defence against the user copy-pasting a key into a 644 file by mistake).
+ */
+export function readSecret(installId, name) {
+    const path = join(installRoot(installId), "secrets", name);
+    if (!existsSync(path))
+        return null;
+    const contents = readFileSync(path, "utf8").trim();
+    if (contents.length === 0)
+        return null;
+    return contents;
+}
+export function writeSecret(installId, name, value) {
+    ensureInstallDir(installId);
+    const path = join(installRoot(installId), "secrets", name);
+    writeFileSync(path, value.endsWith("\n") ? value : `${value}\n`, { mode: 0o600 });
+}
+//# sourceMappingURL=install-state.js.map

package/dist/install-state.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"install-state.js","sourceRoot":"","sources":["../src/install-state.ts"],"names":[],"mappings":"AAAA,mCAAmC;AAEnC;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AACxF,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAwBjC,MAAM,WAAW,GAAG,SAAS,CAAC;AAE9B,MAAM,UAAU,WAAW,CAAC,SAAiB;IAC3C,OAAO,IAAI,CAAC,OAAO,EAAE,EAAE,GAAG,WAAW,GAAG,SAAS,EAAE,CAAC,CAAC;AACvD,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,QAAkB,EAAE,iBAAyB;IAC3E,MAAM,IAAI,GAAG,iBAAiB;SAC3B,WAAW,EAAE;SACb,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC;SAC3B,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC;SACvB,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChB,OAAO,GAAG,QAAQ,IAAI,IAAI,EAAE,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,SAAiB;IAKhD,MAAM,IAAI,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IACpC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IACzC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAErC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,SAAS,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACzE,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,SAAS,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACrF,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEjF,+DAA+D;IAC/D,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACvB,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;IAC7B,SAAS,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAE3B,OAAO,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,SAAiB;IAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,cAAc,CAAC,CAAC;IAC1D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAoB,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,IAAqB;IACpE,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,cAAc,CAAC,CAAC;IAC1D,aAAa,CAAC,IAAI,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AAC7E,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,SAAiB;IAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,eAAe,CAAC,CAAC;IAC3D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACtB,OAAO,EAAE,iBAAiB,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;IACrF,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAuB,CAAC;AACtE,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,SAAiB,EAAE,UAA8B;IAC7E,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,eAAe,CAAC,CAAC;IAC3D,aAAa,CACX,IAAI,EACJ,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,UAAU,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EACtF,EAAE,IAAI,EAAE,KAAK,EAAE,CAChB,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,SAAiB,EAAE,QAAgB,EAAE,OAAiB;IACjF,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACpC,GAAG,CAAC,iBAAiB,GAAG,QAAQ,CAAC;IACjC,IAAI,OAAO,KAAK,SAAS;QAAE,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAC;IACzD,aAAa,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,SAAiB,EAAE,QAAgB;IAC5D,OAAO,YAAY,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,SAAS,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,cAAc,CAAI,SAAiB,EAAE,QAAgB;IACnE,MAAM,CAAC,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAClD,OAAO,CAAC,CAAC,IAAI,IAAI,CAAa,CAAC;AACjC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU,CAAC,SAAiB,EAAE,IAAY;IACxD,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IACnD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,SAAiB,EAAE,IAAY,EAAE,KAAa;IACxE,gBAAgB,CAAC,SAAS,CAAC,CAAC;IAC5B,MAAM,IAAI,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,aAAa,CAAC,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,KAAK,IAAI,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;AACpF,CAAC"}

package/dist/lifecycle.d.ts

@@ -0,0 +1,19 @@
+export declare function statusCommand(): Promise<void>;
+interface UpgradeOpts {
+    /** Explicit semver to roll to (e.g. "0.5.3"). Defaults to "latest". */
+    readonly version?: string;
+    /** Pre-release channel: "stable" (default), "rc", "beta". */
+    readonly channel?: "stable" | "rc" | "beta";
+    /**
+     * P21 ship 4 — escape hatch for forks / staging environments using
+     * unsigned images. Default = verify with cosign; refuse to roll on
+     * mismatch.
+     */
+    readonly skipVerify?: boolean;
+}
+export declare function upgradeCommand(opts?: UpgradeOpts): Promise<void>;
+export declare function backupCommand(): Promise<void>;
+export declare function rotateSecretCommand(name: string | undefined): Promise<void>;
+export declare function destroyCommand(): Promise<void>;
+export {};
+//# sourceMappingURL=lifecycle.d.ts.map

package/dist/lifecycle.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lifecycle.d.ts","sourceRoot":"","sources":["../src/lifecycle.ts"],"names":[],"mappings":"AAyGA,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAWnD;AA0GD,UAAU,WAAW;IACnB,uEAAuE;IACvE,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,6DAA6D;IAC7D,QAAQ,CAAC,OAAO,CAAC,EAAE,QAAQ,GAAG,IAAI,GAAG,MAAM,CAAC;IAC5C;;;;OAIG;IACH,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,CAAC;CAC/B;AAqGD,wBAAsB,cAAc,CAAC,IAAI,GAAE,WAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAsL1E;AAwGD,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CAmCnD;AAMD,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAoCjF;AAMD,wBAAsB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CA6CpD"}