@cardelli/ambit 0.2.3 → 0.3.1

package/esm/util/tailscale-local.d.ts

@@ -8,6 +8,47 @@ export declare const isAcceptRoutesEnabled: () => Promise<boolean>;
  */
 export declare const enableAcceptRoutes: () => Promise<boolean>;
 export declare const waitForDevice: (provider: TailscaleProvider, hostname: string, timeoutMs?: number) => Promise<TailscaleDevice>;
+/**
+ * Asserts that a patch operation only added data and never removed any
+ * top-level key or shortened any existing array. Throws if the invariant is
+ * violated so callers can surface a hard error before writing to the API.
+ */
+export declare const assertAdditivePatch: (original: Record<string, unknown>, patched: Record<string, unknown>) => void;
 export declare const isTagOwnerConfigured: (policy: Record<string, unknown> | null, tag: string) => boolean;
 export declare const isAutoApproverConfigured: (policy: Record<string, unknown> | null, tag: string) => boolean;
+/**
+ * Returns a new policy with the given tag added to tagOwners.
+ * No-op if the tag is already present.
+ */
+export declare const patchTagOwner: (policy: Record<string, unknown>, tag: string, owners?: string[]) => Record<string, unknown>;
+/**
+ * Returns a new policy with the given route + tag added to autoApprovers.
+ * No-op if the tag is already an approver for any route.
+ */
+export declare const patchAutoApprover: (policy: Record<string, unknown>, tag: string, route: string) => Record<string, unknown>;
+/**
+ * Returns true if there is already an accept rule where `src` contains the
+ * given source member and `dst` contains the given destination.
+ */
+export declare const isAclRuleConfigured: (policy: Record<string, unknown> | null, src: string, dst: string) => boolean;
+/**
+ * Returns a new policy with an accept rule `src → dst` appended to `acls`.
+ * No-op if an identical rule already exists.
+ */
+export declare const patchAclRule: (policy: Record<string, unknown>, src: string, dst: string) => Record<string, unknown>;
+/**
+ * Returns a new policy with all accept rules matching `src → dst` removed from `acls`.
+ * No-op if no such rule exists.
+ */
+export declare const unpatchAclRule: (policy: Record<string, unknown>, src: string, dst: string) => Record<string, unknown>;
+/**
+ * Returns a new policy with the given tag removed from tagOwners.
+ * No-op if the tag is not present.
+ */
+export declare const unpatchTagOwner: (policy: Record<string, unknown>, tag: string) => Record<string, unknown>;
+/**
+ * Returns a new policy with the given tag removed from all autoApprovers routes.
+ * If a route's approver list becomes empty after removal, the route entry is dropped.
+ */
+export declare const unpatchAutoApprover: (policy: Record<string, unknown>, tag: string) => Record<string, unknown>;
 //# sourceMappingURL=tailscale-local.d.ts.map

package/esm/util/tailscale-local.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tailscale-local.d.ts","sourceRoot":"","sources":["../../src/util/tailscale-local.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAMnE,eAAO,MAAM,oBAAoB,QAAa,OAAO,CAAC,OAAO,CAE5D,CAAC;AAEF,eAAO,MAAM,qBAAqB,QAAa,OAAO,CAAC,OAAO,CAM7D,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,QAAa,OAAO,CAAC,OAAO,CAG1D,CAAC;AAMF,eAAO,MAAM,aAAa,GACxB,UAAU,iBAAiB,EAC3B,UAAU,MAAM,EAChB,YAAW,MAAe,KACzB,OAAO,CAAC,eAAe,CAazB,CAAC;AAMF,eAAO,MAAM,oBAAoB,GAC/B,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACtC,KAAK,MAAM,KACV,OASF,CAAC;AAEF,eAAO,MAAM,wBAAwB,GACnC,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACtC,KAAK,MAAM,KACV,OAgBF,CAAC"}
+{"version":3,"file":"tailscale-local.d.ts","sourceRoot":"","sources":["../../src/util/tailscale-local.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC/D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAMnE,eAAO,MAAM,oBAAoB,QAAa,OAAO,CAAC,OAAO,CAE5D,CAAC;AAEF,eAAO,MAAM,qBAAqB,QAAa,OAAO,CAAC,OAAO,CAM7D,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,kBAAkB,QAAa,OAAO,CAAC,OAAO,CAG1D,CAAC;AAMF,eAAO,MAAM,aAAa,GACxB,UAAU,iBAAiB,EAC3B,UAAU,MAAM,EAChB,YAAW,MAAe,KACzB,OAAO,CAAC,eAAe,CAazB,CAAC;AAMF;;;;GAIG;AACH,eAAO,MAAM,mBAAmB,GAC9B,UAAU,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAC/B,IAiBF,CAAC;AAMF,eAAO,MAAM,oBAAoB,GAC/B,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACtC,KAAK,MAAM,KACV,OASF,CAAC;AAEF,eAAO,MAAM,wBAAwB,GACnC,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACtC,KAAK,MAAM,KACV,OAgBF,CAAC;AAMF;;;GAGG;AACH,eAAO,MAAM,aAAa,GACxB,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,MAAM,EACX,SAAQ,MAAM,EAAwB,KACrC,MAAM,CAAC,MAAM,EAAE,OAAO,CAIxB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,iBAAiB,GAC5B,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,MAAM,EACX,OAAO,MAAM,KACZ,MAAM,CAAC,MAAM,EAAE,OAAO,CAYxB,CAAC;AAaF;;;GAGG;AACH,eAAO,MAAM,mBAAmB,GAC9B,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,EACtC,KAAK,MAAM,EACX,KAAK,MAAM,KACV,OAUF,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,YAAY,GACvB,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,MAAM,EACX,KAAK,MAAM,KACV,MAAM,CAAC,MAAM,EAAE,OAAO,CAOxB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,cAAc,GACzB,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,MAAM,EACX,KAAK,MAAM,KACV,MAAM,CAAC,MAAM,EAAE,OAAO,CAaxB,CAAC;AAMF;;;GAGG;AACH,eAAO,MAAM,eAAe,GAC1B,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,MAAM,KACV,MAAM,CAAC,MAAM,EAAE,OAAO,CAQxB,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mBAAmB,GAC9B,QAAQ,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,KAAK,MAAM,KACV,MAAM,CAAC,MAAM,EAAE,OAAO,CA+BxB,CAAC"}

package/esm/util/tailscale-local.js

@@ -40,6 +40,28 @@ export const waitForDevice = async (provider, hostname, timeoutMs = 120000) => {
     return die(`Timeout Waiting for Device '${hostname}'`);
 };
 // =============================================================================
+// Sanity Guards
+// =============================================================================
+/**
+ * Asserts that a patch operation only added data and never removed any
+ * top-level key or shortened any existing array. Throws if the invariant is
+ * violated so callers can surface a hard error before writing to the API.
+ */
+export const assertAdditivePatch = (original, patched) => {
+    for (const key of Object.keys(original)) {
+        if (!(key in patched)) {
+            throw new Error(`ACL sanity check failed: key '${key}' was unexpectedly removed`);
+        }
+        const origVal = original[key];
+        const patchedVal = patched[key];
+        if (Array.isArray(origVal) && Array.isArray(patchedVal)) {
+            if (patchedVal.length < origVal.length) {
+                throw new Error(`ACL sanity check failed: '${key}' array shrank (${origVal.length} → ${patchedVal.length} entries)`);
+            }
+        }
+    }
+};
+// =============================================================================
 // Pure Policy Checks
 // =============================================================================
 export const isTagOwnerConfigured = (policy, tag) => {
@@ -61,3 +83,127 @@ export const isAutoApproverConfigured = (policy, tag) => {
         return false;
     return Object.values(routes).some((approvers) => Array.isArray(approvers) && approvers.includes(tag));
 };
+// =============================================================================
+// ACL Policy Patching (Pure)
+// =============================================================================
+/**
+ * Returns a new policy with the given tag added to tagOwners.
+ * No-op if the tag is already present.
+ */
+export const patchTagOwner = (policy, tag, owners = ["autogroup:admin"]) => {
+    const tagOwners = (policy.tagOwners ?? {});
+    if (tag in tagOwners)
+        return policy;
+    return { ...policy, tagOwners: { ...tagOwners, [tag]: owners } };
+};
+/**
+ * Returns a new policy with the given route + tag added to autoApprovers.
+ * No-op if the tag is already an approver for any route.
+ */
+export const patchAutoApprover = (policy, tag, route) => {
+    const autoApprovers = (policy.autoApprovers ?? {});
+    const routes = (autoApprovers.routes ?? {});
+    const existing = routes[route] ?? [];
+    if (existing.includes(tag))
+        return policy;
+    return {
+        ...policy,
+        autoApprovers: {
+            ...autoApprovers,
+            routes: { ...routes, [route]: [...existing, tag] },
+        },
+    };
+};
+/**
+ * Returns true if there is already an accept rule where `src` contains the
+ * given source member and `dst` contains the given destination.
+ */
+export const isAclRuleConfigured = (policy, src, dst) => {
+    if (!policy)
+        return false;
+    const acls = policy.acls;
+    if (!Array.isArray(acls))
+        return false;
+    return acls.some((rule) => rule.action === "accept" &&
+        Array.isArray(rule.src) && rule.src.includes(src) &&
+        Array.isArray(rule.dst) && rule.dst.includes(dst));
+};
+/**
+ * Returns a new policy with an accept rule `src → dst` appended to `acls`.
+ * No-op if an identical rule already exists.
+ */
+export const patchAclRule = (policy, src, dst) => {
+    if (isAclRuleConfigured(policy, src, dst))
+        return policy;
+    const acls = (policy.acls ?? []);
+    return {
+        ...policy,
+        acls: [...acls, { action: "accept", src: [src], dst: [dst] }],
+    };
+};
+/**
+ * Returns a new policy with all accept rules matching `src → dst` removed from `acls`.
+ * No-op if no such rule exists.
+ */
+export const unpatchAclRule = (policy, src, dst) => {
+    const acls = policy.acls;
+    if (!Array.isArray(acls))
+        return policy;
+    const filtered = acls.filter((rule) => !(rule.action === "accept" &&
+        Array.isArray(rule.src) && rule.src.includes(src) &&
+        Array.isArray(rule.dst) && rule.dst.includes(dst)));
+    if (filtered.length === acls.length)
+        return policy;
+    return { ...policy, acls: filtered };
+};
+// =============================================================================
+// ACL Policy Un-patching (Pure) — inverse of the patch helpers above
+// =============================================================================
+/**
+ * Returns a new policy with the given tag removed from tagOwners.
+ * No-op if the tag is not present.
+ */
+export const unpatchTagOwner = (policy, tag) => {
+    const tagOwners = policy.tagOwners;
+    if (!tagOwners || !(tag in tagOwners))
+        return policy;
+    const { [tag]: _, ...rest } = tagOwners;
+    const hasKeys = Object.keys(rest).length > 0;
+    return hasKeys
+        ? { ...policy, tagOwners: rest }
+        : { ...policy, tagOwners: {} };
+};
+/**
+ * Returns a new policy with the given tag removed from all autoApprovers routes.
+ * If a route's approver list becomes empty after removal, the route entry is dropped.
+ */
+export const unpatchAutoApprover = (policy, tag) => {
+    const autoApprovers = policy.autoApprovers;
+    if (!autoApprovers)
+        return policy;
+    const routes = autoApprovers.routes;
+    if (!routes)
+        return policy;
+    const cleaned = {};
+    let changed = false;
+    for (const [route, approvers] of Object.entries(routes)) {
+        if (!Array.isArray(approvers)) {
+            cleaned[route] = approvers;
+            continue;
+        }
+        const filtered = approvers.filter((a) => a !== tag);
+        if (filtered.length !== approvers.length)
+            changed = true;
+        if (filtered.length > 0)
+            cleaned[route] = filtered;
+    }
+    if (!changed)
+        return policy;
+    return {
+        ...policy,
+        autoApprovers: {
+            ...autoApprovers,
+            routes: cleaned,
+        },
+    };
+};

package/esm/util/template.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"template.d.ts","sourceRoot":"","sources":["../../src/util/template.ts"],"names":[],"mappings":"AAqBA,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAM1C,wCAAwC;AACxC,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,GAAG,SAAS,CAAC;CACzB;AAED,iDAAiD;AACjD,MAAM,MAAM,mBAAmB,GAAG,MAAM,CACtC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CACzC,CAAC;AAyBF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,gBAAgB,GAAI,KAAK,MAAM,KAAG,WAAW,GAAG,IAyB5D,CAAC;AAMF;;;;;;;;;GASG;AACH,eAAO,MAAM,aAAa,GACxB,KAAK,WAAW,KACf,OAAO,CAAC,mBAAmB,CAqG7B,CAAC"}
+{"version":3,"file":"template.d.ts","sourceRoot":"","sources":["../../src/util/template.ts"],"names":[],"mappings":"AAqBA,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAM1C,wCAAwC;AACxC,MAAM,WAAW,WAAW;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,GAAG,SAAS,CAAC;CACzB;AAED,iDAAiD;AACjD,MAAM,MAAM,mBAAmB,GAAG,MAAM,CACtC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CACzC,CAAC;AAyBF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,gBAAgB,GAAI,KAAK,MAAM,KAAG,WAAW,GAAG,IAyB5D,CAAC;AAMF;;;;;;;;;GASG;AACH,eAAO,MAAM,aAAa,GACxB,KAAK,WAAW,KACf,OAAO,CAAC,mBAAmB,CAuG7B,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cardelli/ambit",
-  "version": "0.2.3",
+  "version": "0.3.1",
   "description": "Deploy apps to the cloud that only you and your AI agents can reach",
   "license": "MIT",
   "scripts": {},