npm - @cardelli/ambit - Versions diffs - 0.2.3 → 0.3.0 - Mend

@cardelli/ambit 0.2.3 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (38) hide show

package/README.md +38 -22
package/esm/cli/commands/create/index.js +64 -10
package/esm/cli/commands/create/machine.d.ts.map +1 -1
package/esm/cli/commands/create/machine.js +1 -1
package/esm/cli/commands/deploy/index.js +2 -4
package/esm/cli/commands/deploy/machine.d.ts.map +1 -1
package/esm/cli/commands/destroy/app.d.ts.map +1 -1
package/esm/cli/commands/destroy/index.js +2 -0
package/esm/cli/commands/destroy/network.d.ts.map +1 -1
package/esm/cli/commands/destroy/network.js +66 -5
package/esm/cli/commands/doctor.js +13 -4
package/esm/cli/commands/list.js +1 -1
package/esm/cli/commands/share.d.ts +2 -0
package/esm/cli/commands/share.d.ts.map +1 -0
package/esm/cli/commands/share.js +250 -0
package/esm/cli/commands/status.js +4 -1
package/esm/cli/mod.d.ts.map +1 -1
package/esm/cli/mod.js +2 -0
package/esm/deno.js +1 -1
package/esm/lib/command.d.ts.map +1 -1
package/esm/lib/command.js +5 -7
package/esm/main.d.ts +1 -0
package/esm/main.d.ts.map +1 -1
package/esm/main.js +2 -0
package/esm/providers/fly.d.ts.map +1 -1
package/esm/providers/fly.js +14 -3
package/esm/providers/tailscale.d.ts +7 -0
package/esm/providers/tailscale.d.ts.map +1 -1
package/esm/providers/tailscale.js +23 -1
package/esm/util/credentials.d.ts.map +1 -1
package/esm/util/credentials.js +1 -1
package/esm/util/discovery.d.ts.map +1 -1
package/esm/util/discovery.js +1 -1
package/esm/util/tailscale-local.d.ts +41 -0
package/esm/util/tailscale-local.d.ts.map +1 -1
package/esm/util/tailscale-local.js +146 -0
package/esm/util/template.d.ts.map +1 -1
package/package.json +1 -1

package/esm/cli/commands/share.js ADDED Viewed

@@ -0,0 +1,250 @@
+// =============================================================================
+// Share Command - Grant Members Access to a Network via Tailscale ACL
+// =============================================================================
+import { parseArgs } from "../../deps/jsr.io/@std/cli/1.0.28/mod.js";
+import { bold } from "../../lib/cli.js";
+import { checkArgs } from "../../lib/args.js";
+import { createOutput } from "../../lib/output.js";
+import { registerCommand } from "../mod.js";
+import { z } from "../../deps/jsr.io/@zod/zod/4.3.6/src/index.js";
+import { findRouterApp, getRouterMachineInfo } from "../../util/discovery.js";
+import { getRouterTag } from "../../util/naming.js";
+import { assertAdditivePatch, isAclRuleConfigured, patchAclRule, } from "../../util/tailscale-local.js";
+import { initSession } from "../../util/session.js";
+// =============================================================================
+// Validation
+// =============================================================================
+/**
+ * Valid members: Tailscale group/tag/autogroup prefixes, or a plain email.
+ */
+const MemberSchema = z.union([
+    z.string().startsWith("group:").min(7, 'Must be in the form "group:<name>"'),
+    z.string().startsWith("tag:").min(5, 'Must be in the form "tag:<name>"'),
+    z.string().startsWith("autogroup:").min(11, 'Must be in the form "autogroup:<name>"'),
+    z.email(),
+]);
+const parseMembers = (raw) => {
+    const members = [];
+    const errors = [];
+    for (const entry of raw) {
+        const result = MemberSchema.safeParse(String(entry));
+        if (result.success) {
+            members.push(result.data);
+        }
+        else {
+            errors.push(`  '${entry}' — Must Be a Group ("group:team"), Tag ("tag:router"), Autogroup ("autogroup:member"), or Email`);
+        }
+    }
+    return { members, errors };
+};
+// =============================================================================
+// ACL Error Helper
+// =============================================================================
+const handleAclSetFailure = (out, result, action) => {
+    if (result.status === 403) {
+        out.err(`${action}: Permission Denied (HTTP 403)`);
+        return out.die("Your API Token Lacks ACL Write Permission (policy_file scope required)");
+    }
+    return out.die(`${action}: ${result.error ?? `HTTP ${result.status}`}`);
+};
+// =============================================================================
+// Stage 1: Discover Router
+// =============================================================================
+const stageDiscover = async (ctx) => {
+    ctx.out.header("Step 1: Discover Router").blank();
+    const routerSpinner = ctx.out.spinner(`Looking Up Router for '${ctx.network}'`);
+    const router = await findRouterApp(ctx.fly, ctx.org, ctx.network);
+    if (!router) {
+        routerSpinner.fail(`No Router Found for '${ctx.network}'`);
+        return ctx.out.die(`No Router Found for Network '${ctx.network}'. Create It with: ambit create ${ctx.network}`);
+    }
+    ctx.appName = router.appName;
+    routerSpinner.success(`Found Router: ${router.appName}`);
+    const machineSpinner = ctx.out.spinner("Getting Subnet");
+    const machine = await getRouterMachineInfo(ctx.fly, router.appName);
+    if (!machine?.subnet) {
+        machineSpinner.fail("No Subnet Found");
+        return ctx.out.die(`Router Has No Subnet Yet. Ensure the Router Is Running: ambit status network ${ctx.network}`);
+    }
+    ctx.subnet = machine.subnet;
+    machineSpinner.success(`Subnet: ${machine.subnet}`);
+    const device = await ctx.tailscale.devices.getByHostname(router.appName);
+    ctx.tag = device?.tags?.[0] ?? getRouterTag(ctx.network);
+    ctx.out.ok(`Tag: ${ctx.tag}`);
+    ctx.out.blank();
+};
+// =============================================================================
+// Stage 2: Update ACL Policy
+// =============================================================================
+const stageUpdateAcl = async (ctx) => {
+    ctx.out.header("Step 2: Update ACL Policy").blank();
+    const policy = await ctx.tailscale.acl.getPolicy();
+    if (!policy) {
+        return ctx.out.die("Could Not Read Tailscale ACL Policy");
+    }
+    const dnsDst = `${ctx.tag}:53`;
+    const subnetDst = `${ctx.subnet}:*`;
+    let updated = policy;
+    for (const member of ctx.members) {
+        const hasDns = isAclRuleConfigured(updated, member, dnsDst);
+        const hasSubnet = isAclRuleConfigured(updated, member, subnetDst);
+        if (hasDns && hasSubnet) {
+            ctx.out.skip(`${member} — Already Has Full Access`);
+            continue;
+        }
+        if (hasDns) {
+            ctx.out.skip(`${member} — DNS Rule Already Present`);
+        }
+        else {
+            updated = patchAclRule(updated, member, dnsDst);
+            ctx.rulesAdded++;
+        }
+        if (hasSubnet) {
+            ctx.out.skip(`${member} — Subnet Rule Already Present`);
+        }
+        else {
+            updated = patchAclRule(updated, member, subnetDst);
+            ctx.rulesAdded++;
+        }
+    }
+    if (ctx.rulesAdded === 0) {
+        ctx.out.blank().ok(`All Members Already Have Full Access to '${ctx.network}'`);
+        return;
+    }
+    assertAdditivePatch(policy, updated);
+    const validateSpinner = ctx.out.spinner("Validating Policy");
+    const validateResult = await ctx.tailscale.acl.validatePolicy(updated);
+    if (!validateResult.ok) {
+        validateSpinner.fail("Policy Validation Failed");
+        return handleAclSetFailure(ctx.out, validateResult, "Validating ACL Policy");
+    }
+    validateSpinner.success("Policy Valid");
+    const n = ctx.rulesAdded;
+    const patchSpinner = ctx.out.spinner(`Updating ACL Policy (${n} new rule${n !== 1 ? "s" : ""})`);
+    const result = await ctx.tailscale.acl.setPolicy(updated);
+    if (!result.ok) {
+        patchSpinner.fail("Failed to Update ACL Policy");
+        return handleAclSetFailure(ctx.out, result, "Updating ACL Policy");
+    }
+    patchSpinner.success(`ACL Policy Updated (${n} rule${n !== 1 ? "s" : ""} added)`);
+};
+// =============================================================================
+// Stage 3: Summary
+// =============================================================================
+const stageSummary = (ctx) => {
+    const { out, network, members, tag, subnet, rulesAdded } = ctx;
+    out.done({ network, members, tag: tag, subnet: subnet, rulesAdded });
+    if (rulesAdded === 0) {
+        out.blank();
+        out.print();
+        return;
+    }
+    out.blank()
+        .header("=".repeat(50))
+        .header("  Access Granted!")
+        .header("=".repeat(50))
+        .blank();
+    for (const member of members) {
+        out.ok(`${member}`);
+    }
+    out.blank()
+        .dim(`  DNS:    → ${tag}:53`)
+        .dim(`  Subnet: → ${subnet}:*`)
+        .blank()
+        .dim("Invite People to Your Tailnet:")
+        .link("  https://login.tailscale.com/admin/users")
+        .blank()
+        .dim("To Fine-Tune Which Apps They Can Reach:")
+        .link("  https://login.tailscale.com/admin/acls/visual/general-access-rules")
+        .blank();
+    out.print();
+};
+// =============================================================================
+// Share Command
+// =============================================================================
+const share = async (argv) => {
+    const opts = {
+        string: ["org"],
+        boolean: ["help", "json"],
+    };
+    const args = parseArgs(argv, opts);
+    checkArgs(args, opts, "ambit share");
+    if (args.help) {
+        console.log(`
+${bold("ambit share")} - Grant Members Access to a Network
+${bold("USAGE")}
+  ambit share <network> <member> [<member>...] [options]
+${bold("MEMBER TYPES")}
+  group:<name>          A Tailscale group      (e.g. group:team)
+  tag:<name>            A device tag           (e.g. tag:router)
+  autogroup:<name>      A built-in group       (e.g. autogroup:member)
+  <email>               A Tailscale user       (e.g. alice@example.com)
+${bold("OPTIONS")}
+  --org <org>           Fly.io organization slug
+  --json                Output as JSON
+${bold("DESCRIPTION")}
+  Grants access to a network by updating your Tailscale ACL policy.
+  For each member, ambit adds two rules:
+    1. DNS:    <member> → <tag>:53     (resolve *.${args._[0] || "<network>"} names)
+    2. Subnet: <member> → <subnet>:*   (reach apps on the network)
+  The command is idempotent — re-running it is safe.
+${bold("EXAMPLES")}
+  ambit share browsers group:team
+  ambit share browsers group:team alice@example.com group:contractors
+  ambit share browsers group:team --org my-org
+`);
+        return;
+    }
+    const out = createOutput(args.json);
+    const networkArg = args._[0];
+    if (!networkArg || typeof networkArg !== "string") {
+        return out.die("Network Name Required. Usage: ambit share <network> <member> [...]");
+    }
+    const rawMembers = args._.slice(1);
+    if (rawMembers.length === 0) {
+        return out.die("At Least One Member Required. Usage: ambit share <network> <member> [...]");
+    }
+    const { members, errors } = parseMembers(rawMembers);
+    if (errors.length > 0) {
+        for (const err of errors)
+            out.err(err);
+        return out.die(`Invalid Member${errors.length > 1 ? "s" : ""}: Must Be "group:<name>", "tag:<name>", "autogroup:<name>", or a Valid Email`);
+    }
+    out.blank()
+        .header("=".repeat(50))
+        .header(`  ambit Share: ${networkArg}`)
+        .header("=".repeat(50))
+        .blank();
+    const { fly, tailscale, org } = await initSession(out, {
+        json: args.json,
+        org: args.org,
+    });
+    const ctx = {
+        fly,
+        tailscale,
+        out,
+        network: networkArg,
+        org,
+        members,
+        json: args.json,
+        rulesAdded: 0,
+    };
+    await stageDiscover(ctx);
+    await stageUpdateAcl(ctx);
+    stageSummary(ctx);
+};
+// =============================================================================
+// Register Command
+// =============================================================================
+registerCommand({
+    name: "share",
+    description: "Grant members access to a network via Tailscale ACL rules",
+    usage: "ambit share <network> <member> [<member>...]",
+    run: share,
+});

package/esm/cli/commands/status.js CHANGED Viewed

@@ -224,7 +224,10 @@ const stageAppStatus = async (fly, tailscale, app, network, org, json) => {
 // Status App Subcommand
 // =============================================================================
 const statusApp = async (argv) => {
-    const opts = { string: ["network", "org"], boolean: ["help", "json"] };
+    const opts = {
+        string: ["network", "org"],
+        boolean: ["help", "json"],
+    };
     const args = parseArgs(argv, opts);
     checkArgs(args, opts, "ambit status app");
     if (args.help) {

package/esm/cli/mod.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../src/cli/mod.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACxC;AAQD,eAAO,MAAM,eAAe,GAAI,SAAS,OAAO,KAAG,IAElD,CAAC;AAEF,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,KAAG,OAAO,GAAG,SAEnD,CAAC;AAEF,eAAO,MAAM,cAAc,QAAO,OAAO,EAExC,CAAC;AAQF,eAAO,MAAM,QAAQ,QAAO,~~IA6B3B~~,CAAC;AAEF,eAAO,MAAM,WAAW,QAAO,IAE9B,CAAC;AAMF,eAAO,MAAM,MAAM,GAAU,MAAM,MAAM,EAAE,KAAG,OAAO,CAAC,IAAI,CAuCzD,CAAC"}
1	+ {"version":3,"file":"mod.d.ts","sourceRoot":"","sources":["../../src/cli/mod.ts"],"names":[],"mappings":"AAcA,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACxC;AAQD,eAAO,MAAM,eAAe,GAAI,SAAS,OAAO,KAAG,IAElD,CAAC;AAEF,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,KAAG,OAAO,GAAG,SAEnD,CAAC;AAEF,eAAO,MAAM,cAAc,QAAO,OAAO,EAExC,CAAC;AAQF,eAAO,MAAM,QAAQ,QAAO,IA+B3B,CAAC;AAEF,eAAO,MAAM,WAAW,QAAO,IAE9B,CAAC;AAMF,eAAO,MAAM,MAAM,GAAU,MAAM,MAAM,EAAE,KAAG,OAAO,CAAC,IAAI,CAuCzD,CAAC"}

package/esm/cli/mod.js CHANGED Viewed

@@ -32,6 +32,7 @@ ${bold("USAGE")}
 ${bold("COMMANDS")}
   create     Create a Tailscale subnet router on a Fly.io custom network
   deploy     Deploy an app safely on a custom private network
+  share      Grant a Tailscale group access to a network via ACL rules
   list       List all discovered routers across networks
   status     Show router status, network, and tailnet info
   destroy    Destroy a network (router) or a workload app
@@ -43,6 +44,7 @@ ${bold("OPTIONS")}
 ${bold("EXAMPLES")}
   ambit create browsers
+  ambit share browsers group:team
   ambit list
   ambit status --network browsers
   ambit destroy network browsers

package/esm/deno.js CHANGED Viewed

@@ -1,6 +1,6 @@
 export default {
     "name": "@cardelli/ambit",
-    "version": "0.2.3",
+    "version": "0.3.0",
     "description": "Deploy apps to the cloud that only you and your AI agents can reach",
     "license": "MIT",
     "tasks": {

package/esm/lib/command.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"command.d.ts","sourceRoot":"","sources":["../../src/lib/command.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAMrC,MAAM,WAAW,UAAU;IACzB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,KAAK,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;CAC5B;AAMD,qBAAa,SAAS;IAIlB,QAAQ,CAAC,IAAI,EAAE,MAAM;IACrB,QAAQ,CAAC,MAAM,EAAE,MAAM;IACvB,QAAQ,CAAC,MAAM,EAAE,MAAM;IALzB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;gBAGV,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM;IAKzB,iDAAiD;IACjD,IAAI,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC;IAapB,8BAA8B;IAC9B,IAAI,MAAM,IAAI,MAAM,CAEnB;CACF;AAMD;;;GAGG;AACH,eAAO,MAAM,UAAU,GACrB,MAAM,MAAM,EAAE,EACd,UAAU,UAAU,KACnB,OAAO,CAAC,SAAS,~~CA2CnB~~,CAAC;AAMF,oCAAoC;AACpC,eAAO,MAAM,OAAO,GAAI,CAAC,EACvB,MAAM,MAAM,EAAE,EACd,UAAU,UAAU,KACnB,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAuD,CAAC"}
1	+ {"version":3,"file":"command.d.ts","sourceRoot":"","sources":["../../src/lib/command.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAMrC,MAAM,WAAW,UAAU;IACzB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,KAAK,CAAC,EAAE,SAAS,GAAG,MAAM,CAAC;CAC5B;AAMD,qBAAa,SAAS;IAIlB,QAAQ,CAAC,IAAI,EAAE,MAAM;IACrB,QAAQ,CAAC,MAAM,EAAE,MAAM;IACvB,QAAQ,CAAC,MAAM,EAAE,MAAM;IALzB,QAAQ,CAAC,EAAE,EAAE,OAAO,CAAC;gBAGV,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM;IAKzB,iDAAiD;IACjD,IAAI,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC;IAapB,8BAA8B;IAC9B,IAAI,MAAM,IAAI,MAAM,CAEnB;CACF;AAMD;;;GAGG;AACH,eAAO,MAAM,UAAU,GACrB,MAAM,MAAM,EAAE,EACd,UAAU,UAAU,KACnB,OAAO,CAAC,SAAS,CAyCnB,CAAC;AAMF,oCAAoC;AACpC,eAAO,MAAM,OAAO,GAAI,CAAC,EACvB,MAAM,MAAM,EAAE,EACd,UAAU,UAAU,KACnB,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAuD,CAAC"}

package/esm/lib/command.js CHANGED Viewed

@@ -48,13 +48,11 @@ export const runCommand = (args, options) => {
         const child = spawn(cmd, cmdArgs, {
             cwd: options?.cwd,
             env: options?.env ? { ...process.env, ...options.env } : undefined,
-            stdio: interactive
-                ? "inherit"
-                : [
-                    options?.stdin === "inherit" ? "inherit" : "ignore",
-                    "pipe",
-                    "pipe",
-                ],
+            stdio: interactive ? "inherit" : [
+                options?.stdin === "inherit" ? "inherit" : "ignore",
+                "pipe",
+                "pipe",
+            ],
         });
         if (interactive) {
             child.on("error", () => {

package/esm/main.d.ts CHANGED Viewed

@@ -2,6 +2,7 @@
 import "./_dnt.polyfills.js";
 import "./cli/commands/create/index.js";
 import "./cli/commands/deploy/index.js";
+import "./cli/commands/share.js";
 import "./cli/commands/list.js";
 import "./cli/commands/status.js";
 import "./cli/commands/destroy/index.js";

package/esm/main.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../src/main.ts"],"names":[],"mappings":";AACA,OAAO,qBAAqB,CAAC;~~AA8B7B~~,OAAO,gCAAgC,CAAC;AACxC,OAAO,gCAAgC,CAAC;AACxC,OAAO,wBAAwB,CAAC;AAChC,OAAO,0BAA0B,CAAC;AAClC,OAAO,iCAAiC,CAAC;AACzC,OAAO,0BAA0B,CAAC"}
1	+ {"version":3,"file":"main.d.ts","sourceRoot":"","sources":["../src/main.ts"],"names":[],"mappings":";AACA,OAAO,qBAAqB,CAAC;AA+B7B,OAAO,gCAAgC,CAAC;AACxC,OAAO,gCAAgC,CAAC;AACxC,OAAO,yBAAyB,CAAC;AACjC,OAAO,wBAAwB,CAAC;AAChC,OAAO,0BAA0B,CAAC;AAClC,OAAO,iCAAiC,CAAC;AACzC,OAAO,0BAA0B,CAAC"}

package/esm/main.js CHANGED Viewed

@@ -12,6 +12,7 @@ import * as dntShim from "./_dnt.shims.js";
 // Commands:
 //   create     Create a Tailscale subnet router on a Fly.io custom network
 //   deploy     Deploy an app safely on a custom private network
+//   share      Grant a group access to a network via Tailscale ACL rules
 //   status     Show router status, network, and tailnet info
 //   destroy    Destroy a network (router) or a workload app
 //   doctor     Check that Tailscale and the router are working correctly
@@ -28,6 +29,7 @@ import { runCli } from "./cli/mod.js";
 import { Spinner, statusErr } from "./lib/cli.js";
 import "./cli/commands/create/index.js";
 import "./cli/commands/deploy/index.js";
+import "./cli/commands/share.js";
 import "./cli/commands/list.js";
 import "./cli/commands/status.js";
 import "./cli/commands/destroy/index.js";

package/esm/providers/fly.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"fly.d.ts","sourceRoot":"","sources":["../../src/providers/fly.ts"],"names":[],"mappings":"AAUA,OAAO,EACL,KAAK,MAAM,EACX,KAAK,UAAU,EAIf,KAAK,KAAK,EAEV,KAAK,UAAU,EAIhB,MAAM,mBAAmB,CAAC;~~AAS3B~~;;;;GAIG;AACH,qBAAa,cAAe,SAAQ,KAAK;IACvC,+CAA+C;IAC/C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;gBAEZ,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAMxC;AAMD,MAAM,MAAM,WAAW,GAAG,eAAe,GAAG,eAAe,GAAG,eAAe,CAAC;AAE9E,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,WAAW,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAMD,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAMD,MAAM,WAAW,iBAAiB;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAMD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE;QACJ,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,EAAE;YAAE,WAAW,CAAC,EAAE,OAAO,CAAA;SAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;QACzD,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;KAC7B,CAAC;IACF,IAAI,EAAE;QACJ,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;KACzC,CAAC;IACF,IAAI,EAAE;QACJ,IAAI,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QACtC,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;QACpD,MAAM,~~CAAC~~,IAAI,EAAE,MAAM,~~EAAE~~,GAAG,EAAE,MAAM,~~EAAE~~,IAAI,CAAC,EAAE;YAAE,OAAO,CAAC,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,~~GAAG~~,OAAO,CAAC,IAAI,CAAC,CAAC;~~QACjG~~,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QACvC,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;KAClE,CAAC;IACF,QAAQ,EAAE;QACR,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;QACzC,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KACxD,CAAC;IACF,OAAO,EAAE;QACP,GAAG,~~CAAC~~,GAAG,EAAE,MAAM,~~EAAE~~,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,~~EAAE~~,IAAI,CAAC,EAAE;YAAE,KAAK,CAAC,EAAE,OAAO,CAAA;SAAE,~~GAAG~~,OAAO,CAAC,IAAI,CAAC,CAAC;~~KAC9F~~,CAAC;IACF,GAAG,EAAE;QACH,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QACrD,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KAC9D,CAAC;IACF,KAAK,EAAE;QACL,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KACtD,CAAC;IACF,MAAM,EAAE;QACN,MAAM,~~CAAC~~,GAAG,EAAE,MAAM,~~EAAE~~,GAAG,EAAE,MAAM,~~EAAE~~,MAAM,CAAC,EAAE;YAAE,MAAM,CAAC,EAAE,MAAM,CAAA;SAAE,~~GAAG~~,OAAO,CAAC,IAAI,CAAC,CAAC;~~QAC9E~~,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KAC7D,CAAC;CACH;AAMD,eAAO,MAAM,iBAAiB,QAAO,~~WAobpC~~,CAAC"}
1	+ {"version":3,"file":"fly.d.ts","sourceRoot":"","sources":["../../src/providers/fly.ts"],"names":[],"mappings":"AAUA,OAAO,EACL,KAAK,MAAM,EACX,KAAK,UAAU,EAIf,KAAK,KAAK,EAEV,KAAK,UAAU,EAIhB,MAAM,mBAAmB,CAAC;AAa3B;;;;GAIG;AACH,qBAAa,cAAe,SAAQ,KAAK;IACvC,+CAA+C;IAC/C,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;gBAEZ,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;CAMxC;AAMD,MAAM,MAAM,WAAW,GAAG,eAAe,GAAG,eAAe,GAAG,eAAe,CAAC;AAE9E,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,WAAW,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAMD,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAMD,MAAM,WAAW,iBAAiB;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAMD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE;QACJ,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;QACjC,KAAK,CAAC,IAAI,CAAC,EAAE;YAAE,WAAW,CAAC,EAAE,OAAO,CAAA;SAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;QACzD,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;KAC7B,CAAC;IACF,IAAI,EAAE;QACJ,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;KACzC,CAAC;IACF,IAAI,EAAE;QACJ,IAAI,CAAC,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QACtC,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;QACpD,MAAM,CACJ,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,EACX,IAAI,CAAC,EAAE;YAAE,OAAO,CAAC,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;SAAE,GAC7C,OAAO,CAAC,IAAI,CAAC,CAAC;QACjB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QACvC,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;KAClE,CAAC;IACF,QAAQ,EAAE;QACR,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;QACzC,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KACxD,CAAC;IACF,OAAO,EAAE;QACP,GAAG,CACD,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC/B,IAAI,CAAC,EAAE;YAAE,KAAK,CAAC,EAAE,OAAO,CAAA;SAAE,GACzB,OAAO,CAAC,IAAI,CAAC,CAAC;KAClB,CAAC;IACF,GAAG,EAAE;QACH,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QACrD,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KAC9D,CAAC;IACF,KAAK,EAAE;QACL,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KACtD,CAAC;IACF,MAAM,EAAE;QACN,MAAM,CACJ,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,MAAM,EACX,MAAM,CAAC,EAAE;YAAE,MAAM,CAAC,EAAE,MAAM,CAAA;SAAE,GAC3B,OAAO,CAAC,IAAI,CAAC,CAAC;QACjB,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KAC7D,CAAC;CACH;AAMD,eAAO,MAAM,iBAAiB,QAAO,WAqcpC,CAAC"}

package/esm/providers/fly.js CHANGED Viewed

@@ -9,7 +9,7 @@ import { dirname, resolve } from "../deps/jsr.io/@std/path/1.1.4/mod.js";
 import { FlyAppInfoListSchema, FlyAppsListSchema, FlyAuthSchema, FlyIpListSchema, FlyMachinesListSchema, FlyOrgsSchema, FlyStatusSchema, } from "../schemas/fly.js";
 import { fileExists } from "../lib/cli.js";
 import { getWorkloadAppName } from "../util/naming.js";
-import { extractErrorDetail, getSizeConfig, mapMachines } from "../util/fly-transforms.js";
+import { extractErrorDetail, getSizeConfig, mapMachines, } from "../util/fly-transforms.js";
 // =============================================================================
 // Deploy Error
 // =============================================================================
@@ -60,7 +60,12 @@ export const createFlyProvider = () => {
                 if (!loginResult.ok) {
                     return die("Fly.io Authentication Failed");
                 }
-                const checkResult = await runCommand(["fly", "auth", "whoami", "--json"]);
+                const checkResult = await runCommand([
+                    "fly",
+                    "auth",
+                    "whoami",
+                    "--json",
+                ]);
                 if (!checkResult.ok) {
                     return die("Fly.io Authentication Verification Failed");
                 }
@@ -155,7 +160,13 @@ export const createFlyProvider = () => {
                 }
             },
             async exists(name) {
-                const result = await runCommand(["fly", "status", "-a", name, "--json"]);
+                const result = await runCommand([
+                    "fly",
+                    "status",
+                    "-a",
+                    name,
+                    "--json",
+                ]);
                 return result.json().match({
                     ok: (data) => {
                         const parsed = FlyStatusSchema.safeParse(data);

package/esm/providers/tailscale.d.ts CHANGED Viewed

@@ -4,6 +4,11 @@ export interface DeviceRoutes {
     enabled: string[];
     unapproved: string[];
 }
+export interface AclSetResult {
+    ok: boolean;
+    status: number;
+    error?: string;
+}
 export interface TailscaleProvider {
     auth: {
         validateKey(): Promise<boolean>;
@@ -25,6 +30,8 @@ export interface TailscaleProvider {
     };
     acl: {
         getPolicy(): Promise<Record<string, unknown> | null>;
+        setPolicy(policy: Record<string, unknown>): Promise<AclSetResult>;
+        validatePolicy(policy: Record<string, unknown>): Promise<AclSetResult>;
     };
 }
 export declare const createTailscaleProvider: (apiKey: string, tailnet?: string) => TailscaleProvider;

package/esm/providers/tailscale.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tailscale.d.ts","sourceRoot":"","sources":["../../src/providers/tailscale.ts"],"names":[],"mappings":"AAKA,OAAO,EACL,KAAK,mBAAmB,EAExB,KAAK,eAAe,EAErB,MAAM,yBAAyB,CAAC;AAYjC,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE;QACJ,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,EAAE,mBAAmB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;KACxD,CAAC;IACF,OAAO,EAAE;QACP,IAAI,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;QACnC,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;QACjE,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KACnC,CAAC;IACF,MAAM,EAAE;QACN,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;QACpD,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KAC5D,CAAC;IACF,GAAG,EAAE;QACH,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;QAC9C,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC/D,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KAC3C,CAAC;IACF,GAAG,EAAE;QACH,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;~~KACtD~~,CAAC;CACH;AAiBD,eAAO,MAAM,uBAAuB,GAClC,QAAQ,MAAM,EACd,UAAS,MAAY,KACpB,~~iBAyMF~~,CAAC"}
1	+ {"version":3,"file":"tailscale.d.ts","sourceRoot":"","sources":["../../src/providers/tailscale.ts"],"names":[],"mappings":"AAKA,OAAO,EACL,KAAK,mBAAmB,EAExB,KAAK,eAAe,EAErB,MAAM,yBAAyB,CAAC;AAYjC,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE;QACJ,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;QAChC,SAAS,CAAC,IAAI,CAAC,EAAE,mBAAmB,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;KACxD,CAAC;IACF,OAAO,EAAE;QACP,IAAI,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC,CAAC;QACnC,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC;QACjE,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KACnC,CAAC;IACF,MAAM,EAAE;QACN,GAAG,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAAC;QACpD,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KAC5D,CAAC;IACF,GAAG,EAAE;QACH,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;QAC9C,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;QAC/D,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;KAC3C,CAAC;IACF,GAAG,EAAE;QACH,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;QACrD,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;QAClE,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;KACxE,CAAC;CACH;AAiBD,eAAO,MAAM,uBAAuB,GAClC,QAAQ,MAAM,EACd,UAAS,MAAY,KACpB,iBA4OF,CAAC"}

package/esm/providers/tailscale.js CHANGED Viewed

@@ -21,7 +21,7 @@ export const createTailscaleProvider = (apiKey, tailnet = "-") => {
             const response = await fetch(`${API_BASE}${path}`, {
                 method,
                 headers: headers(),
-                body: body ? JSON.stringify(body) : undefined,
+                body: body ? JSON.stringify(body, null, 2) : undefined,
             });
             if (!response.ok) {
                 const text = await response.text();
@@ -144,6 +144,28 @@ export const createTailscaleProvider = (apiKey, tailnet = "-") => {
                 }
                 return result.data;
             },
+            async setPolicy(policy) {
+                const result = await request("POST", `/tailnet/${tailnet}/acl`, policy);
+                if (!result.ok) {
+                    return { ok: false, status: result.status, error: result.error };
+                }
+                return { ok: true, status: result.status };
+            },
+            async validatePolicy(policy) {
+                const result = await request("POST", `/tailnet/${tailnet}/acl/validate`, policy);
+                if (!result.ok) {
+                    return { ok: false, status: result.status, error: result.error };
+                }
+                const body = result.data ?? {};
+                if (Object.keys(body).length > 0) {
+                    return {
+                        ok: false,
+                        status: result.status,
+                        error: JSON.stringify(body),
+                    };
+                }
+                return { ok: true, status: result.status };
+            },
         },
     };
     return provider;

package/esm/util/credentials.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/util/credentials.ts"],"names":[],"mappings":"~~AAsBA~~,MAAM,WAAW,eAAe;IAC9B,kBAAkB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7C,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAChD;AAQD,eAAO,MAAM,2BAA2B,QAAO,eA0B9C,CAAC;AAMF,eAAO,MAAM,kBAAkB,QAAO,eAerC,CAAC;AAMF;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB,GAC5B,KAAK;IAAE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAAC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,KAAK,CAAA;CAAE,KAC1D,OAAO,CAAC;IAAE,YAAY,EAAE,MAAM,CAAA;CAAE,CAyBlC,CAAC"}
1	+ {"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../../src/util/credentials.ts"],"names":[],"mappings":"AA2BA,MAAM,WAAW,eAAe;IAC9B,kBAAkB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;IAC7C,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAChD;AAQD,eAAO,MAAM,2BAA2B,QAAO,eA0B9C,CAAC;AAMF,eAAO,MAAM,kBAAkB,QAAO,eAerC,CAAC;AAMF;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB,GAC5B,KAAK;IAAE,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;IAAC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,KAAK,CAAA;CAAE,KAC1D,OAAO,CAAC;IAAE,YAAY,EAAE,MAAM,CAAA;CAAE,CAyBlC,CAAC"}

package/esm/util/credentials.js CHANGED Viewed

@@ -3,7 +3,7 @@
 // =============================================================================
 import * as dntShim from "../_dnt.shims.js";
 import { z } from "../deps/jsr.io/@zod/zod/4.3.6/src/index.js";
-import { commandExists, ensureConfigDir, fileExists, getConfigDir } from "../lib/cli.js";
+import { commandExists, ensureConfigDir, fileExists, getConfigDir, } from "../lib/cli.js";
 import { ENV_TAILSCALE_API_KEY } from "./constants.js";
 // =============================================================================
 // Schema

package/esm/util/discovery.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/util/discovery.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;~~AAWnE~~,qDAAqD;AACrD,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,6DAA6D;AAC7D,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAMD,wDAAwD;AACxD,eAAO,MAAM,cAAc,GACzB,KAAK,WAAW,EAChB,KAAK,MAAM,KACV,OAAO,CAAC,SAAS,EAAE,CAerB,CAAC;AAEF,kDAAkD;AAClD,eAAO,MAAM,aAAa,GACxB,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,SAAS,GAAG,IAAI,CAG1B,CAAC;AAMF,oEAAoE;AACpE,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,uEAAuE;AACvE,eAAO,MAAM,yBAAyB,GACpC,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,WAAW,EAAE,CAcvB,CAAC;AAEF;;+EAE+E;AAC/E,eAAO,MAAM,eAAe,GAC1B,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,EACf,UAAU,MAAM,KACf,OAAO,CAAC,WAAW,GAAG,IAAI,~~CA4B5B~~,CAAC;AAMF,4EAA4E;AAC5E,eAAO,MAAM,oBAAoB,GAC/B,KAAK,WAAW,EAChB,SAAS,MAAM,KACd,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAclC,CAAC;AAMF,yEAAyE;AACzE,eAAO,MAAM,sBAAsB,GACjC,WAAW,iBAAiB,EAC5B,SAAS,MAAM,KACd,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAcpC,CAAC;AAMF,kEAAkE;AAClE,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG;IACvC,OAAO,EAAE,iBAAiB,GAAG,IAAI,CAAC;IAClC,SAAS,EAAE,mBAAmB,GAAG,IAAI,CAAC;CACvC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,eAAe,GAC1B,KAAK;IAAE,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAA;CAAE,EAC7D,KAAK,WAAW,EAChB,WAAW,iBAAiB,EAC5B,KAAK,MAAM,KACV,OAAO,CAAC,cAAc,EAAE,CAa1B,CAAC"}
1	+ {"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../../src/util/discovery.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAEvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAQnE,qDAAqD;AACrD,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,6DAA6D;AAC7D,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,2CAA2C;AAC3C,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;CACjB;AAMD,wDAAwD;AACxD,eAAO,MAAM,cAAc,GACzB,KAAK,WAAW,EAChB,KAAK,MAAM,KACV,OAAO,CAAC,SAAS,EAAE,CAerB,CAAC;AAEF,kDAAkD;AAClD,eAAO,MAAM,aAAa,GACxB,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,SAAS,GAAG,IAAI,CAG1B,CAAC;AAMF,oEAAoE;AACpE,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;CACb;AAED,uEAAuE;AACvE,eAAO,MAAM,yBAAyB,GACpC,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,KACd,OAAO,CAAC,WAAW,EAAE,CAcvB,CAAC;AAEF;;+EAE+E;AAC/E,eAAO,MAAM,eAAe,GAC1B,KAAK,WAAW,EAChB,KAAK,MAAM,EACX,SAAS,MAAM,EACf,UAAU,MAAM,KACf,OAAO,CAAC,WAAW,GAAG,IAAI,CAgC5B,CAAC;AAMF,4EAA4E;AAC5E,eAAO,MAAM,oBAAoB,GAC/B,KAAK,WAAW,EAChB,SAAS,MAAM,KACd,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAclC,CAAC;AAMF,yEAAyE;AACzE,eAAO,MAAM,sBAAsB,GACjC,WAAW,iBAAiB,EAC5B,SAAS,MAAM,KACd,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAcpC,CAAC;AAMF,kEAAkE;AAClE,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG;IACvC,OAAO,EAAE,iBAAiB,GAAG,IAAI,CAAC;IAClC,SAAS,EAAE,mBAAmB,GAAG,IAAI,CAAC;CACvC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,eAAe,GAC1B,KAAK;IAAE,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG;QAAE,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;KAAE,CAAA;CAAE,EAC7D,KAAK,WAAW,EAChB,WAAW,iBAAiB,EAC5B,KAAK,MAAM,KACV,OAAO,CAAC,cAAc,EAAE,CAa1B,CAAC"}

package/esm/util/discovery.js CHANGED Viewed

@@ -14,7 +14,7 @@
 // =============================================================================
 import { getRouterSuffix, getWorkloadAppName } from "./naming.js";
 import { extractSubnet } from "./fly-transforms.js";
-import { DEFAULT_FLY_NETWORK, ROUTER_APP_PREFIX, } from "./constants.js";
+import { DEFAULT_FLY_NETWORK, ROUTER_APP_PREFIX } from "./constants.js";
 // =============================================================================
 // 1. Which routers exist? (Fly REST API)
 // =============================================================================

package/esm/util/tailscale-local.d.ts CHANGED Viewed

@@ -8,6 +8,47 @@ export declare const isAcceptRoutesEnabled: () => Promise<boolean>;
  */
 export declare const enableAcceptRoutes: () => Promise<boolean>;
 export declare const waitForDevice: (provider: TailscaleProvider, hostname: string, timeoutMs?: number) => Promise<TailscaleDevice>;
+/**
+ * Asserts that a patch operation only added data and never removed any
+ * top-level key or shortened any existing array. Throws if the invariant is
+ * violated so callers can surface a hard error before writing to the API.
+ */
+export declare const assertAdditivePatch: (original: Record<string, unknown>, patched: Record<string, unknown>) => void;
 export declare const isTagOwnerConfigured: (policy: Record<string, unknown> | null, tag: string) => boolean;
 export declare const isAutoApproverConfigured: (policy: Record<string, unknown> | null, tag: string) => boolean;
+/**
+ * Returns a new policy with the given tag added to tagOwners.
+ * No-op if the tag is already present.
+ */
+export declare const patchTagOwner: (policy: Record<string, unknown>, tag: string, owners?: string[]) => Record<string, unknown>;
+/**
+ * Returns a new policy with the given route + tag added to autoApprovers.
+ * No-op if the tag is already an approver for any route.
+ */
+export declare const patchAutoApprover: (policy: Record<string, unknown>, tag: string, route: string) => Record<string, unknown>;
+/**
+ * Returns true if there is already an accept rule where `src` contains the
+ * given source member and `dst` contains the given destination.
+ */
+export declare const isAclRuleConfigured: (policy: Record<string, unknown> | null, src: string, dst: string) => boolean;
+/**
+ * Returns a new policy with an accept rule `src → dst` appended to `acls`.
+ * No-op if an identical rule already exists.
+ */
+export declare const patchAclRule: (policy: Record<string, unknown>, src: string, dst: string) => Record<string, unknown>;
+/**
+ * Returns a new policy with all accept rules matching `src → dst` removed from `acls`.
+ * No-op if no such rule exists.
+ */
+export declare const unpatchAclRule: (policy: Record<string, unknown>, src: string, dst: string) => Record<string, unknown>;
+/**
+ * Returns a new policy with the given tag removed from tagOwners.
+ * No-op if the tag is not present.
+ */
+export declare const unpatchTagOwner: (policy: Record<string, unknown>, tag: string) => Record<string, unknown>;
+/**
+ * Returns a new policy with the given tag removed from all autoApprovers routes.
+ * If a route's approver list becomes empty after removal, the route entry is dropped.
+ */
+export declare const unpatchAutoApprover: (policy: Record<string, unknown>, tag: string) => Record<string, unknown>;
 //# sourceMappingURL=tailscale-local.d.ts.map

package/esm/util/tailscale-local.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tailscale-local.d.ts","sourceRoot":"","sources":["../../src/util/tailscale-local.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAMnE,eAAO,MAAM,oBAAoB,QAAa,OAAO,CAAC,OAAO,CAE5D,CAAC;AAEF,eAAO,MAAM,qBAAqB,QAAa,OAAO,CAAC,OAAO,CAM7D,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,QAAa,OAAO,CAAC,OAAO,CAG1D,CAAC;AAMF,eAAO,MAAM,aAAa,GACxB,UAAU,iBAAiB,EAC3B,UAAU,MAAM,EAChB,YAAW,MAAe,KACzB,OAAO,CAAC,eAAe,CAazB,CAAC;AAMF,eAAO,MAAM,oBAAoB,GAC/B,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACtC,KAAK,MAAM,KACV,OASF,CAAC;AAEF,eAAO,MAAM,wBAAwB,GACnC,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACtC,KAAK,MAAM,KACV,OAgBF,CAAC"}
1	+ {"version":3,"file":"tailscale-local.d.ts","sourceRoot":"","sources":["../../src/util/tailscale-local.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAMnE,eAAO,MAAM,oBAAoB,QAAa,OAAO,CAAC,OAAO,CAE5D,CAAC;AAEF,eAAO,MAAM,qBAAqB,QAAa,OAAO,CAAC,OAAO,CAM7D,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,QAAa,OAAO,CAAC,OAAO,CAG1D,CAAC;AAMF,eAAO,MAAM,aAAa,GACxB,UAAU,iBAAiB,EAC3B,UAAU,MAAM,EAChB,YAAW,MAAe,KACzB,OAAO,CAAC,eAAe,CAazB,CAAC;AAMF;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,GAC9B,UAAU,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC/B,IAiBF,CAAC;AAMF,eAAO,MAAM,oBAAoB,GAC/B,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACtC,KAAK,MAAM,KACV,OASF,CAAC;AAEF,eAAO,MAAM,wBAAwB,GACnC,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACtC,KAAK,MAAM,KACV,OAgBF,CAAC;AAMF;;;GAGG;AACH,eAAO,MAAM,aAAa,GACxB,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,MAAM,EACX,SAAQ,MAAM,EAAwB,KACrC,MAAM,CAAC,MAAM,EAAE,OAAO,CAIxB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,iBAAiB,GAC5B,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,MAAM,EACX,OAAO,MAAM,KACZ,MAAM,CAAC,MAAM,EAAE,OAAO,CAYxB,CAAC;AAaF;;;GAGG;AACH,eAAO,MAAM,mBAAmB,GAC9B,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACtC,KAAK,MAAM,EACX,KAAK,MAAM,KACV,OAUF,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,YAAY,GACvB,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,MAAM,EACX,KAAK,MAAM,KACV,MAAM,CAAC,MAAM,EAAE,OAAO,CAOxB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,cAAc,GACzB,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,MAAM,EACX,KAAK,MAAM,KACV,MAAM,CAAC,MAAM,EAAE,OAAO,CAaxB,CAAC;AAMF;;;GAGG;AACH,eAAO,MAAM,eAAe,GAC1B,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,MAAM,KACV,MAAM,CAAC,MAAM,EAAE,OAAO,CAQxB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mBAAmB,GAC9B,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,MAAM,KACV,MAAM,CAAC,MAAM,EAAE,OAAO,CA+BxB,CAAC"}