@dragonmastery/tamer 0.1.2 → 0.29.0

package/dist/destroy-DzgA4lCA.mjs

@@ -0,0 +1,215 @@
+import { f as getDispatchNamespaces, p as getDnsRecords } from "./normalize-DVSTRZhO.mjs";
+import { n as loadConfig, t as getWorkers } from "./loader-DAvCKLTT.mjs";
+import { n as cloudflareAccountIdFromEnv, t as CFApiClient } from "./CFApiClient-DhbyyV71.mjs";
+import { _ as namingFromConfig, a as resourceModules, o as logicalNamesForResourceKind } from "./fetchStackImports-C-1THPYL.mjs";
+import { f as stackNameForConfig, l as destroyTamerStateDatabase, s as isEphemeralEnv, t as StateManager } from "./StateManager-DTqtLLVX.mjs";
+import "./r2S3EmptyBucket-DD81ZWQ7.mjs";
+import { n as logpushJobDestroy } from "./logpush-job-DsRkOORJ.mjs";
+import { n as workerRoutesDestroy } from "./worker-route-CMbtozNa.mjs";
+import { runSync } from "./sync-B_pyPi7Z.mjs";
+import { i as hashCloudflareSnapshot, t as buildCloudflareSnapshot } from "./cloudflareSnapshot-DzPuCRTh.mjs";
+import { t as verifyPlanFile } from "./verifyPlanFile-ah_4tvTu.mjs";
+import { t as destroyTamerArtifactsBucket } from "./tamerArtifactsR2-Ccgplu2Q.mjs";
+import { n as workersDestroy } from "./workers-C-oeZhdD.mjs";
+
+//#region src/features/dispatch-namespace/dispatch-namespace.destroy.ts
+/**
+* Tear down every dispatch namespace recorded in state.
+*
+* Cloudflare refuses to delete a namespace that still contains scripts, so we
+* enumerate `/dispatch/namespaces/{ns}/scripts` and delete each (with `force`
+* so dependents like service-bind targets don't block the removal). This
+* covers tenant scripts uploaded by `tamer wfp put` / `provision-workflow`
+* that aren't otherwise tracked in Tamer state.
+*/
+async function dispatchNamespaceDestroy(env, state, api, config, _force) {
+	const allowedLogical = new Set(getDispatchNamespaces(config).map((d) => d.logicalName));
+	if (allowedLogical.size === 0) return;
+	for (const [key, entry] of Object.entries(state.getAll())) {
+		if (entry.type !== "dispatch_namespace") continue;
+		const ns = entry;
+		if (!allowedLogical.has(ns.logicalName)) continue;
+		const isSharedEphemeral = ns.derivedName.endsWith("-ephemeral");
+		try {
+			const scripts = await api.dispatchNamespaceScriptList(ns.derivedName);
+			for (const s of scripts) {
+				if (isEphemeralEnv(env, config.tenant) && isSharedEphemeral) {
+					if (!s.id.endsWith(`-${env}`)) continue;
+				}
+				try {
+					await api.dispatchNamespaceScriptDelete(ns.derivedName, s.id, { force: true });
+					console.log(`Deleted tenant script "${s.id}" from namespace ${ns.derivedName}.`);
+				} catch (err) {
+					console.warn(`Failed to delete tenant script ${s.id} in ${ns.derivedName}:`, err instanceof Error ? err.message : err);
+				}
+			}
+			if (isEphemeralEnv(env, config.tenant) && isSharedEphemeral) {
+				console.log(`Left shared dispatch namespace ${ns.derivedName} (removed only scripts suffixed -${env}).`);
+				continue;
+			}
+			await api.dispatchNamespaceDelete(ns.derivedName);
+			state.delete(key);
+		} catch (err) {
+			console.warn(`Failed to delete dispatch namespace ${ns.derivedName}:`, err instanceof Error ? err.message : err);
+		}
+	}
+}
+
+//#endregion
+//#region src/features/dns-records/dns-records.destroy.ts
+/**
+* Tear down every DNS record this stack owns. Restricted to records
+* whose `logicalName` is declared in the current `CfiConfig.dnsRecords`
+* (matches `runDestroy` semantics for shared state rows). Records flagged
+* `preserveOnDestroy: true` are left in place but still dropped from
+* state — the operator is responsible for re-importing them later.
+*/
+async function dnsRecordDestroy(env, state, api, config, _force) {
+	if (env === "local") return;
+	const declared = getDnsRecords(config);
+	if (declared.length === 0) return;
+	const preserve = new Map(declared.map((c) => [c.logicalName, !!c.preserveOnDestroy]));
+	const allowedLogical = new Set(declared.map((c) => c.logicalName));
+	for (const [key, entry] of Object.entries(state.getAll())) {
+		if (entry.type !== "dns_record") continue;
+		const rec = entry;
+		if (!allowedLogical.has(rec.logicalName)) continue;
+		if (preserve.get(rec.logicalName)) {
+			console.log(`Preserved DNS record ${rec.recordType} ${rec.name} (preserveOnDestroy).`);
+			state.delete(key);
+			continue;
+		}
+		try {
+			await api.zoneDnsRecordDelete(rec.zoneId, rec.recordId);
+			state.delete(key);
+		} catch (err) {
+			console.warn(`Failed to delete DNS record ${rec.recordType} ${rec.name}:`, err instanceof Error ? err.message : err);
+		}
+	}
+}
+
+//#endregion
+//#region src/cli/destroyGuard.ts
+/** Shared envs where destroy must be confirmed with `--confirm-env <same>`. */
+const SHARED_ENV_DESTROY = [
+	"dev",
+	"staging",
+	"prod",
+	"production"
+];
+/**
+* @param force When true, skips the typed confirmation (break-glass).
+*/
+function assertDestroyEnvAllowed(env, force, confirmEnv) {
+	if (force) return;
+	if (!SHARED_ENV_DESTROY.includes(env)) return;
+	if (confirmEnv !== env) throw new Error(`Destroying shared environment "${env}" requires --confirm-env ${env}`);
+}
+
+//#endregion
+//#region src/cli/commands/destroy.ts
+async function runDestroy(options) {
+	const { env, force = false, skipWorkers = false, confirmEnv, configPath, wipeMetadata = false } = options;
+	const baseDir = process.cwd();
+	assertDestroyEnvAllowed(env, force, confirmEnv);
+	const config = await loadConfig(configPath, { env });
+	const accountId = config.account_id ?? cloudflareAccountIdFromEnv();
+	if (!accountId) throw new Error("account_id required in config or CLOUDFLARE_ACCOUNT_ID env var");
+	if (options.planFile) {
+		const verifyApi = new CFApiClient(accountId);
+		const verifyState = new StateManager(config.tenant.id, env, stackNameForConfig(config));
+		await verifyState.hydrate(verifyApi);
+		const liveSnapshot = env === "local" ? void 0 : await buildCloudflareSnapshot({
+			config,
+			env,
+			api: verifyApi,
+			baseDir
+		});
+		verifyPlanFile({
+			planPath: options.planFile,
+			command: "destroy",
+			expectedMode: "destroy",
+			env,
+			tenantId: config.tenant.id,
+			config,
+			stateAtPlanCheck: verifyState.load(),
+			liveCloudflareHash: liveSnapshot ? hashCloudflareSnapshot(liveSnapshot) : void 0,
+			allowStale: !!options.allowStale
+		});
+	}
+	if (env !== "local") {
+		console.log(`Syncing state from Cloudflare for env: ${env}...`);
+		await runSync({
+			env,
+			configPath
+		});
+	}
+	const api = new CFApiClient(accountId);
+	const naming = namingFromConfig(config);
+	const state = new StateManager(config.tenant.id, env, stackNameForConfig(config));
+	await state.hydrate(api);
+	state.beginOperation("destroy", wipeMetadata ? "wipe-metadata" : void 0);
+	try {
+		await state.persist(api);
+	} catch {}
+	try {
+		if (!skipWorkers) {
+			await workerRoutesDestroy(env, config, baseDir, state, api);
+			await state.persist(api);
+			await workersDestroy(env, baseDir, accountId, config, state, api, force);
+		}
+		const ownedByKind = await Promise.all(resourceModules.map((m) => logicalNamesForResourceKind(config, baseDir, m.kind).then((set) => ({
+			mod: m,
+			owned: set
+		}))));
+		const workers = await getWorkers(config, baseDir);
+		await logpushJobDestroy(env, state, api, config);
+		await state.persist(api);
+		for (const { mod, owned } of ownedByKind) {
+			if (owned.size === 0) continue;
+			const resources = workers.flatMap(([, wc]) => mod.pickResources(wc));
+			await mod.destroy({
+				resources,
+				tenant: config.tenant,
+				env,
+				api,
+				state,
+				naming,
+				config,
+				baseDir,
+				force
+			});
+		}
+		if (getDispatchNamespaces(config).length > 0) await dispatchNamespaceDestroy(env, state, api, config, force);
+		if (getDnsRecords(config).length > 0) await dnsRecordDestroy(env, state, api, config, force);
+		state.replaceStackOutputs({});
+		if (env !== "local" && wipeMetadata) {
+			if (await destroyTamerStateDatabase(api, env)) console.log(`Deleted Tamer metadata database tamer-state-${env}.`);
+			try {
+				if (await destroyTamerArtifactsBucket(api, env)) console.log(`Deleted Tamer artifacts bucket tamer-artifacts-${env}.`);
+			} catch (err) {
+				console.warn(`Failed to delete Tamer artifacts bucket tamer-artifacts-${env} (likely non-empty; remove objects and re-run with --wipe-metadata):`, err instanceof Error ? err.message : err);
+			}
+		}
+		if (env !== "local" && !wipeMetadata) {
+			state.finishOperation();
+			try {
+				await state.persist(api);
+			} catch {}
+		}
+		state.clearDirty();
+		console.log(`Destroyed all resources for env: ${env}`);
+	} catch (err) {
+		if (env !== "local") {
+			state.failOperation(err instanceof Error ? err.message : String(err));
+			try {
+				await state.persist(api);
+			} catch {}
+		}
+		throw err;
+	}
+}
+
+//#endregion
+export { runDestroy };
+//# sourceMappingURL=destroy-DzgA4lCA.mjs.map

package/dist/destroy-DzgA4lCA.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"destroy-DzgA4lCA.mjs","names":[],"sources":["../src/features/dispatch-namespace/dispatch-namespace.destroy.ts","../src/features/dns-records/dns-records.destroy.ts","../src/cli/destroyGuard.ts","../src/cli/commands/destroy.ts"],"sourcesContent":["import type { CfiConfig } from \"../../types.js\";\nimport { getDispatchNamespaces } from \"../../types.js\";\nimport type { StateManager } from \"../../core/state/StateManager.js\";\nimport type { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport type { DispatchNamespaceStateEntry } from \"../../types.js\";\nimport { isEphemeralEnv } from \"./dispatch-namespace.resolve.js\";\n\n/**\n * Tear down every dispatch namespace recorded in state.\n *\n * Cloudflare refuses to delete a namespace that still contains scripts, so we\n * enumerate `/dispatch/namespaces/{ns}/scripts` and delete each (with `force`\n * so dependents like service-bind targets don't block the removal). This\n * covers tenant scripts uploaded by `tamer wfp put` / `provision-workflow`\n * that aren't otherwise tracked in Tamer state.\n */\nexport async function dispatchNamespaceDestroy(\n  env: string,\n  state: StateManager,\n  api: CFApiClient,\n  config: CfiConfig,\n  _force?: boolean,\n): Promise<void> {\n  const allowedLogical = new Set(\n    getDispatchNamespaces(config).map((d) => d.logicalName),\n  );\n  if (allowedLogical.size === 0) return;\n\n  for (const [key, entry] of Object.entries(state.getAll())) {\n    if (entry.type !== \"dispatch_namespace\") continue;\n    const ns = entry as DispatchNamespaceStateEntry;\n    if (!allowedLogical.has(ns.logicalName)) continue;\n    const isSharedEphemeral = ns.derivedName.endsWith(\"-ephemeral\");\n    try {\n      const scripts = await api.dispatchNamespaceScriptList(ns.derivedName);\n      for (const s of scripts) {\n        if (isEphemeralEnv(env, config.tenant) && isSharedEphemeral) {\n          if (!s.id.endsWith(`-${env}`)) continue;\n        }\n        try {\n          await api.dispatchNamespaceScriptDelete(ns.derivedName, s.id, {\n            force: true,\n          });\n          console.log(\n            `Deleted tenant script \"${s.id}\" from namespace ${ns.derivedName}.`,\n          );\n        } catch (err) {\n          console.warn(\n            `Failed to delete tenant script ${s.id} in ${ns.derivedName}:`,\n            err instanceof Error ? err.message : err,\n          );\n        }\n      }\n      if (isEphemeralEnv(env, config.tenant) && isSharedEphemeral) {\n        console.log(\n          `Left shared dispatch namespace ${ns.derivedName} (removed only scripts suffixed -${env}).`,\n        );\n        continue;\n      }\n      await api.dispatchNamespaceDelete(ns.derivedName);\n      state.delete(key);\n    } catch (err) {\n      console.warn(\n        `Failed to delete dispatch namespace ${ns.derivedName}:`,\n        err instanceof Error ? err.message : err,\n      );\n    }\n  }\n}\n","import type { CfiConfig, DnsRecordStateEntry } from \"../../types.js\";\nimport { getDnsRecords } from \"../../types.js\";\nimport type { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport type { StateManager } from \"../../core/state/StateManager.js\";\n\n/**\n * Tear down every DNS record this stack owns. Restricted to records\n * whose `logicalName` is declared in the current `CfiConfig.dnsRecords`\n * (matches `runDestroy` semantics for shared state rows). Records flagged\n * `preserveOnDestroy: true` are left in place but still dropped from\n * state — the operator is responsible for re-importing them later.\n */\nexport async function dnsRecordDestroy(\n  env: string,\n  state: StateManager,\n  api: CFApiClient,\n  config: CfiConfig,\n  _force?: boolean,\n): Promise<void> {\n  if (env === \"local\") return;\n  const declared = getDnsRecords(config);\n  if (declared.length === 0) return;\n  const preserve = new Map<string, boolean>(\n    declared.map((c) => [c.logicalName, !!c.preserveOnDestroy]),\n  );\n  const allowedLogical = new Set(declared.map((c) => c.logicalName));\n\n  for (const [key, entry] of Object.entries(state.getAll())) {\n    if (entry.type !== \"dns_record\") continue;\n    const rec = entry as DnsRecordStateEntry;\n    if (!allowedLogical.has(rec.logicalName)) continue;\n    if (preserve.get(rec.logicalName)) {\n      console.log(\n        `Preserved DNS record ${rec.recordType} ${rec.name} (preserveOnDestroy).`,\n      );\n      state.delete(key);\n      continue;\n    }\n    try {\n      await api.zoneDnsRecordDelete(rec.zoneId, rec.recordId);\n      state.delete(key);\n    } catch (err) {\n      console.warn(\n        `Failed to delete DNS record ${rec.recordType} ${rec.name}:`,\n        err instanceof Error ? err.message : err,\n      );\n    }\n  }\n}\n","/** Shared envs where destroy must be confirmed with `--confirm-env <same>`. */\nexport const SHARED_ENV_DESTROY = [\n  \"dev\",\n  \"staging\",\n  \"prod\",\n  \"production\",\n] as const;\n\n/**\n * @param force When true, skips the typed confirmation (break-glass).\n */\nexport function assertDestroyEnvAllowed(\n  env: string,\n  force: boolean,\n  confirmEnv?: string,\n): void {\n  if (force) return;\n  if (!SHARED_ENV_DESTROY.includes(env as (typeof SHARED_ENV_DESTROY)[number])) {\n    return;\n  }\n  if (confirmEnv !== env) {\n    throw new Error(\n      `Destroying shared environment \"${env}\" requires --confirm-env ${env}`,\n    );\n  }\n}\n","import { loadConfig, getWorkers } from \"../../core/config/loader.js\";\nimport { logicalNamesForResourceKind } from \"../../core/config/resourcesFromConfig.js\";\nimport { cloudflareAccountIdFromEnv } from \"../../core/cloudflareEnv.js\";\nimport { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport { StateManager } from \"../../core/state/StateManager.js\";\nimport { stackNameForConfig } from \"../../core/state/stackName.js\";\nimport { destroyTamerStateDatabase } from \"../../core/state/tamerStateDb.js\";\nimport { destroyTamerArtifactsBucket } from \"../../core/state/tamerArtifactsR2.js\";\nimport { getDispatchNamespaces, getDnsRecords } from \"../../types.js\";\nimport { logpushJobDestroy } from \"../../features/logpush-job/index.js\";\nimport { assertDestroyEnvAllowed } from \"../destroyGuard.js\";\nimport { dispatchNamespaceDestroy } from \"../../features/dispatch-namespace/index.js\";\nimport { dnsRecordDestroy } from \"../../features/dns-records/index.js\";\nimport { workersDestroy } from \"../../features/workers/index.js\";\nimport { workerRoutesDestroy } from \"../../features/worker-route/index.js\";\nimport { runSync } from \"./sync.js\";\nimport { resourceModules } from \"../../core/registry/registry.js\";\nimport { namingFromConfig } from \"../../core/config/namingFromConfig.js\";\nimport { verifyPlanFile } from \"../../core/plan/verifyPlanFile.js\";\nimport { hashCloudflareSnapshot } from \"../../core/plan/planFile.js\";\nimport { buildCloudflareSnapshot } from \"../../core/plan/cloudflareSnapshot.js\";\n\nexport async function runDestroy(options: {\n  env: string;\n  force?: boolean;\n  skipWorkers?: boolean;\n  confirmEnv?: string;\n  configPath?: string;\n  /** When true, delete the shared `tamer-state-{env}` D1 after other resources (use on last stack teardown). */\n  wipeMetadata?: boolean;\n  /**\n   * Path to a destroy plan file from `tamer plan --destroy --out`. Destroy\n   * recomputes the `(config, state, cloudflare)` attestation hashes and\n   * refuses to proceed if any drifted (override with `allowStale`). The\n   * pinned plan ensures the operator destroys exactly what they reviewed.\n   */\n  planFile?: string;\n  allowStale?: boolean;\n}): Promise<void> {\n  const {\n    env,\n    force = false,\n    skipWorkers = false,\n    confirmEnv,\n    configPath,\n    wipeMetadata = false,\n  } = options;\n  const baseDir = process.cwd();\n\n  assertDestroyEnvAllowed(env, force, confirmEnv);\n\n  const config = await loadConfig(configPath, { env });\n  const accountId =\n    config.account_id ?? cloudflareAccountIdFromEnv();\n  if (!accountId) {\n    throw new Error(\n      \"account_id required in config or CLOUDFLARE_ACCOUNT_ID env var\",\n    );\n  }\n\n  if (options.planFile) {\n    const verifyApi = new CFApiClient(accountId);\n    const verifyState = new StateManager(\n      config.tenant.id,\n      env,\n      stackNameForConfig(config),\n    );\n    await verifyState.hydrate(verifyApi);\n    const liveSnapshot =\n      env === \"local\"\n        ? undefined\n        : await buildCloudflareSnapshot({\n            config,\n            env,\n            api: verifyApi,\n            baseDir,\n          });\n    verifyPlanFile({\n      planPath: options.planFile,\n      command: \"destroy\",\n      expectedMode: \"destroy\",\n      env,\n      tenantId: config.tenant.id,\n      config,\n      stateAtPlanCheck: verifyState.load(),\n      liveCloudflareHash: liveSnapshot\n        ? hashCloudflareSnapshot(liveSnapshot)\n        : undefined,\n      allowStale: !!options.allowStale,\n    });\n  }\n\n  if (env !== \"local\") {\n    console.log(`Syncing state from Cloudflare for env: ${env}...`);\n    await runSync({ env, configPath });\n  }\n\n  const api = new CFApiClient(accountId);\n  const naming = namingFromConfig(config);\n  const state = new StateManager(\n    config.tenant.id,\n    env,\n    stackNameForConfig(config),\n  );\n  await state.hydrate(api);\n  state.beginOperation(\"destroy\", wipeMetadata ? \"wipe-metadata\" : undefined);\n  try {\n    await state.persist(api);\n  } catch {\n    /* in-progress marker best-effort */\n  }\n\n  try {\n    if (!skipWorkers) {\n      await workerRoutesDestroy(env, config, baseDir, state, api);\n      await state.persist(api);\n      await workersDestroy(env, baseDir, accountId, config, state, api, force);\n    }\n\n    const ownedByKind = await Promise.all(\n      resourceModules.map((m) =>\n        logicalNamesForResourceKind(config, baseDir, m.kind).then((set) => ({\n          mod: m,\n          owned: set,\n        })),\n      ),\n    );\n    const workers = await getWorkers(config, baseDir);\n\n    // Always run Logpush + Pipelines teardown: state may still hold\n    // `logpush_pipelines` even if logpush was removed from tamer.config.ts,\n    // and destroy must still delete the Pipelines stream/sink in that case.\n    await logpushJobDestroy(env, state, api, config);\n    await state.persist(api);\n\n    for (const { mod, owned } of ownedByKind) {\n      if (owned.size === 0) continue;\n      // Aggregate this kind's resources across all workers in the config — the\n      // destroy hook only needs them for stack-scope filtering and may walk\n      // state directly. Empty array is acceptable when state holds entries\n      // owned by another stack we still want to filter against `owned`.\n      const resources = workers.flatMap(([, wc]) => mod.pickResources(wc));\n      await mod.destroy({\n        resources,\n        tenant: config.tenant,\n        env,\n        api,\n        state,\n        naming,\n        config,\n        baseDir,\n        force,\n      });\n    }\n\n    if (getDispatchNamespaces(config).length > 0) {\n      await dispatchNamespaceDestroy(env, state, api, config, force);\n    }\n\n    if (getDnsRecords(config).length > 0) {\n      await dnsRecordDestroy(env, state, api, config, force);\n    }\n\n    // Clear `stackOutputs` after every successful destroy — the values\n    // pointed at resources we just deleted, so leaving them in state would\n    // mislead a future `tamer status` and (post-imports) leak dangling\n    // refs into sibling stacks. The state row itself is dropped further\n    // below when `wipeMetadata` is set.\n    state.replaceStackOutputs({});\n\n    if (env !== \"local\" && wipeMetadata) {\n      const deletedDb = await destroyTamerStateDatabase(api, env);\n      if (deletedDb) {\n        console.log(`Deleted Tamer metadata database tamer-state-${env}.`);\n      }\n      try {\n        const deletedBucket = await destroyTamerArtifactsBucket(api, env);\n        if (deletedBucket) {\n          console.log(\n            `Deleted Tamer artifacts bucket tamer-artifacts-${env}.`,\n          );\n        }\n      } catch (err) {\n        console.warn(\n          `Failed to delete Tamer artifacts bucket tamer-artifacts-${env} (likely non-empty; remove objects and re-run with --wipe-metadata):`,\n          err instanceof Error ? err.message : err,\n        );\n      }\n    }\n\n    if (env !== \"local\" && !wipeMetadata) {\n      state.finishOperation();\n      try {\n        await state.persist(api);\n      } catch {\n        /* state row may have been wiped by sub-steps */\n      }\n    }\n    state.clearDirty();\n    console.log(`Destroyed all resources for env: ${env}`);\n  } catch (err) {\n    if (env !== \"local\") {\n      state.failOperation(err instanceof Error ? err.message : String(err));\n      try {\n        await state.persist(api);\n      } catch {\n        /* swallow secondary persist failure */\n      }\n    }\n    throw err;\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAgBA,eAAsB,yBACpB,KACA,OACA,KACA,QACA,QACe;CACf,MAAM,iBAAiB,IAAI,IACzB,sBAAsB,OAAO,CAAC,KAAK,MAAM,EAAE,YAAY,CACxD;AACD,KAAI,eAAe,SAAS,EAAG;AAE/B,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,QAAQ,CAAC,EAAE;AACzD,MAAI,MAAM,SAAS,qBAAsB;EACzC,MAAM,KAAK;AACX,MAAI,CAAC,eAAe,IAAI,GAAG,YAAY,CAAE;EACzC,MAAM,oBAAoB,GAAG,YAAY,SAAS,aAAa;AAC/D,MAAI;GACF,MAAM,UAAU,MAAM,IAAI,4BAA4B,GAAG,YAAY;AACrE,QAAK,MAAM,KAAK,SAAS;AACvB,QAAI,eAAe,KAAK,OAAO,OAAO,IAAI,mBACxC;SAAI,CAAC,EAAE,GAAG,SAAS,IAAI,MAAM,CAAE;;AAEjC,QAAI;AACF,WAAM,IAAI,8BAA8B,GAAG,aAAa,EAAE,IAAI,EAC5D,OAAO,MACR,CAAC;AACF,aAAQ,IACN,0BAA0B,EAAE,GAAG,mBAAmB,GAAG,YAAY,GAClE;aACM,KAAK;AACZ,aAAQ,KACN,kCAAkC,EAAE,GAAG,MAAM,GAAG,YAAY,IAC5D,eAAe,QAAQ,IAAI,UAAU,IACtC;;;AAGL,OAAI,eAAe,KAAK,OAAO,OAAO,IAAI,mBAAmB;AAC3D,YAAQ,IACN,kCAAkC,GAAG,YAAY,mCAAmC,IAAI,IACzF;AACD;;AAEF,SAAM,IAAI,wBAAwB,GAAG,YAAY;AACjD,SAAM,OAAO,IAAI;WACV,KAAK;AACZ,WAAQ,KACN,uCAAuC,GAAG,YAAY,IACtD,eAAe,QAAQ,IAAI,UAAU,IACtC;;;;;;;;;;;;;;ACrDP,eAAsB,iBACpB,KACA,OACA,KACA,QACA,QACe;AACf,KAAI,QAAQ,QAAS;CACrB,MAAM,WAAW,cAAc,OAAO;AACtC,KAAI,SAAS,WAAW,EAAG;CAC3B,MAAM,WAAW,IAAI,IACnB,SAAS,KAAK,MAAM,CAAC,EAAE,aAAa,CAAC,CAAC,EAAE,kBAAkB,CAAC,CAC5D;CACD,MAAM,iBAAiB,IAAI,IAAI,SAAS,KAAK,MAAM,EAAE,YAAY,CAAC;AAElE,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,QAAQ,CAAC,EAAE;AACzD,MAAI,MAAM,SAAS,aAAc;EACjC,MAAM,MAAM;AACZ,MAAI,CAAC,eAAe,IAAI,IAAI,YAAY,CAAE;AAC1C,MAAI,SAAS,IAAI,IAAI,YAAY,EAAE;AACjC,WAAQ,IACN,wBAAwB,IAAI,WAAW,GAAG,IAAI,KAAK,uBACpD;AACD,SAAM,OAAO,IAAI;AACjB;;AAEF,MAAI;AACF,SAAM,IAAI,oBAAoB,IAAI,QAAQ,IAAI,SAAS;AACvD,SAAM,OAAO,IAAI;WACV,KAAK;AACZ,WAAQ,KACN,+BAA+B,IAAI,WAAW,GAAG,IAAI,KAAK,IAC1D,eAAe,QAAQ,IAAI,UAAU,IACtC;;;;;;;;AC5CP,MAAa,qBAAqB;CAChC;CACA;CACA;CACA;CACD;;;;AAKD,SAAgB,wBACd,KACA,OACA,YACM;AACN,KAAI,MAAO;AACX,KAAI,CAAC,mBAAmB,SAAS,IAA2C,CAC1E;AAEF,KAAI,eAAe,IACjB,OAAM,IAAI,MACR,kCAAkC,IAAI,2BAA2B,MAClE;;;;;ACDL,eAAsB,WAAW,SAgBf;CAChB,MAAM,EACJ,KACA,QAAQ,OACR,cAAc,OACd,YACA,YACA,eAAe,UACb;CACJ,MAAM,UAAU,QAAQ,KAAK;AAE7B,yBAAwB,KAAK,OAAO,WAAW;CAE/C,MAAM,SAAS,MAAM,WAAW,YAAY,EAAE,KAAK,CAAC;CACpD,MAAM,YACJ,OAAO,cAAc,4BAA4B;AACnD,KAAI,CAAC,UACH,OAAM,IAAI,MACR,iEACD;AAGH,KAAI,QAAQ,UAAU;EACpB,MAAM,YAAY,IAAI,YAAY,UAAU;EAC5C,MAAM,cAAc,IAAI,aACtB,OAAO,OAAO,IACd,KACA,mBAAmB,OAAO,CAC3B;AACD,QAAM,YAAY,QAAQ,UAAU;EACpC,MAAM,eACJ,QAAQ,UACJ,SACA,MAAM,wBAAwB;GAC5B;GACA;GACA,KAAK;GACL;GACD,CAAC;AACR,iBAAe;GACb,UAAU,QAAQ;GAClB,SAAS;GACT,cAAc;GACd;GACA,UAAU,OAAO,OAAO;GACxB;GACA,kBAAkB,YAAY,MAAM;GACpC,oBAAoB,eAChB,uBAAuB,aAAa,GACpC;GACJ,YAAY,CAAC,CAAC,QAAQ;GACvB,CAAC;;AAGJ,KAAI,QAAQ,SAAS;AACnB,UAAQ,IAAI,0CAA0C,IAAI,KAAK;AAC/D,QAAM,QAAQ;GAAE;GAAK;GAAY,CAAC;;CAGpC,MAAM,MAAM,IAAI,YAAY,UAAU;CACtC,MAAM,SAAS,iBAAiB,OAAO;CACvC,MAAM,QAAQ,IAAI,aAChB,OAAO,OAAO,IACd,KACA,mBAAmB,OAAO,CAC3B;AACD,OAAM,MAAM,QAAQ,IAAI;AACxB,OAAM,eAAe,WAAW,eAAe,kBAAkB,OAAU;AAC3E,KAAI;AACF,QAAM,MAAM,QAAQ,IAAI;SAClB;AAIR,KAAI;AACF,MAAI,CAAC,aAAa;AAChB,SAAM,oBAAoB,KAAK,QAAQ,SAAS,OAAO,IAAI;AAC3D,SAAM,MAAM,QAAQ,IAAI;AACxB,SAAM,eAAe,KAAK,SAAS,WAAW,QAAQ,OAAO,KAAK,MAAM;;EAG1E,MAAM,cAAc,MAAM,QAAQ,IAChC,gBAAgB,KAAK,MACnB,4BAA4B,QAAQ,SAAS,EAAE,KAAK,CAAC,MAAM,SAAS;GAClE,KAAK;GACL,OAAO;GACR,EAAE,CACJ,CACF;EACD,MAAM,UAAU,MAAM,WAAW,QAAQ,QAAQ;AAKjD,QAAM,kBAAkB,KAAK,OAAO,KAAK,OAAO;AAChD,QAAM,MAAM,QAAQ,IAAI;AAExB,OAAK,MAAM,EAAE,KAAK,WAAW,aAAa;AACxC,OAAI,MAAM,SAAS,EAAG;GAKtB,MAAM,YAAY,QAAQ,SAAS,GAAG,QAAQ,IAAI,cAAc,GAAG,CAAC;AACpE,SAAM,IAAI,QAAQ;IAChB;IACA,QAAQ,OAAO;IACf;IACA;IACA;IACA;IACA;IACA;IACA;IACD,CAAC;;AAGJ,MAAI,sBAAsB,OAAO,CAAC,SAAS,EACzC,OAAM,yBAAyB,KAAK,OAAO,KAAK,QAAQ,MAAM;AAGhE,MAAI,cAAc,OAAO,CAAC,SAAS,EACjC,OAAM,iBAAiB,KAAK,OAAO,KAAK,QAAQ,MAAM;AAQxD,QAAM,oBAAoB,EAAE,CAAC;AAE7B,MAAI,QAAQ,WAAW,cAAc;AAEnC,OADkB,MAAM,0BAA0B,KAAK,IAAI,CAEzD,SAAQ,IAAI,+CAA+C,IAAI,GAAG;AAEpE,OAAI;AAEF,QADsB,MAAM,4BAA4B,KAAK,IAAI,CAE/D,SAAQ,IACN,kDAAkD,IAAI,GACvD;YAEI,KAAK;AACZ,YAAQ,KACN,2DAA2D,IAAI,uEAC/D,eAAe,QAAQ,IAAI,UAAU,IACtC;;;AAIL,MAAI,QAAQ,WAAW,CAAC,cAAc;AACpC,SAAM,iBAAiB;AACvB,OAAI;AACF,UAAM,MAAM,QAAQ,IAAI;WAClB;;AAIV,QAAM,YAAY;AAClB,UAAQ,IAAI,oCAAoC,MAAM;UAC/C,KAAK;AACZ,MAAI,QAAQ,SAAS;AACnB,SAAM,cAAc,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI,CAAC;AACrE,OAAI;AACF,UAAM,MAAM,QAAQ,IAAI;WAClB;;AAIV,QAAM"}

package/dist/destroy-tenant-U0t7BeJ0.mjs

@@ -0,0 +1,103 @@
+import { n as loadConfig } from "./loader-DAvCKLTT.mjs";
+import { n as cloudflareAccountIdFromEnv, t as CFApiClient } from "./CFApiClient-DhbyyV71.mjs";
+import { a as tenantStateKey, f as stackNameForConfig, t as StateManager } from "./StateManager-DTqtLLVX.mjs";
+
+//#region src/core/env/protectedEnvs.ts
+/**
+* Default set of envs that require explicit confirmation before
+* `destroy-tenant` will run. Used when the loaded config doesn't pin
+* `tenant.protectedEnvs` — these two names are universal-enough across
+* accounts that "destroying prod by accident" stays guarded by default,
+* but the operator is free to override the list (e.g. a multi-region
+* account with `production-eu` / `production-us` / `canary` adds those
+* here, and a personal account passes `[]` to disable the prompt).
+*/
+const DEFAULT_PROTECTED_ENVS = ["prod", "production"];
+/**
+* `true` when `env` is in `tenant.protectedEnvs` from the loaded
+* `tamer.config.ts` (or in the default set when the config doesn't
+* pin its own list). Single source of truth for the destroy
+* confirmation check — call this **after** `loadConfig` so the
+* config-pinned list is honored.
+*/
+function isProtectedEnv(env, config) {
+	return (config.tenant.protectedEnvs ?? DEFAULT_PROTECTED_ENVS).includes(env);
+}
+
+//#endregion
+//#region src/cli/commands/destroy-tenant.ts
+async function runDestroyTenant(options) {
+	const env = options.env;
+	if (env === "local") throw new Error("destroy-tenant requires a non-local --env.");
+	const config = await loadConfig(options.configPath, { env });
+	if (isProtectedEnv(env, config) && !options.force) {
+		if (options.confirmTenant !== options.workspace) throw new Error(`destroy-tenant: env "${env}" is in tenant.protectedEnvs (or the default ["prod","production"]); pass --confirm-tenant ${options.workspace} (must match --workspace) or use --force`);
+	}
+	const accountId = config.account_id ?? cloudflareAccountIdFromEnv();
+	if (!accountId) throw new Error("account_id required in config or CLOUDFLARE_ACCOUNT_ID env var");
+	const api = new CFApiClient(accountId);
+	const state = new StateManager(config.tenant.id, env, stackNameForConfig(config));
+	await state.hydrate(api);
+	const t = state.getTenant(options.product, options.workspace);
+	if (!t) {
+		if (!options.force) throw new Error(`No tenant state for ${tenantStateKey(options.product, options.workspace)}; pass --force to skip state check`);
+		console.log("No tenant record in state; nothing to remove.");
+		if (options.json) {
+			const result = {
+				status: "noop",
+				tenantKey: tenantStateKey(options.product, options.workspace),
+				product: options.product,
+				workspace: options.workspace,
+				env,
+				removed: { shards: [] },
+				errors: []
+			};
+			process.stdout.write(JSON.stringify(result) + "\n");
+		}
+		return;
+	}
+	const errors = [];
+	try {
+		await api.dispatchNamespaceScriptDelete(t.dispatchNamespaceName, t.scriptName, { force: true });
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.warn(`[destroy-tenant] script delete: ${msg}`);
+		errors.push(`script:${t.scriptName}:${msg}`);
+	}
+	const removedShards = [];
+	for (const shard of t.d1Shards ?? []) try {
+		await api.d1Delete(shard.cfId);
+		removedShards.push({
+			role: shard.role,
+			derivedName: shard.derivedName,
+			cfId: shard.cfId
+		});
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.warn(`[destroy-tenant] D1 ${shard.derivedName}: ${msg}`);
+		errors.push(`d1:${shard.derivedName}:${msg}`);
+	}
+	state.deleteTenant(options.product, options.workspace);
+	await state.persist(api);
+	console.log(`Destroyed tenant ${tenantStateKey(options.product, options.workspace)}`);
+	if (options.json) {
+		const result = {
+			status: "destroyed",
+			tenantKey: tenantStateKey(options.product, options.workspace),
+			product: options.product,
+			workspace: options.workspace,
+			env,
+			removed: {
+				scriptName: t.scriptName,
+				dispatchNamespaceName: t.dispatchNamespaceName,
+				shards: removedShards
+			},
+			errors
+		};
+		process.stdout.write(JSON.stringify(result) + "\n");
+	}
+}
+
+//#endregion
+export { runDestroyTenant };
+//# sourceMappingURL=destroy-tenant-U0t7BeJ0.mjs.map

package/dist/destroy-tenant-U0t7BeJ0.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"destroy-tenant-U0t7BeJ0.mjs","names":["DEFAULT_PROTECTED_ENVS: readonly string[]","result: DestroyTenantResult","errors: string[]","removedShards: { role: string; derivedName: string; cfId: string }[]"],"sources":["../src/core/env/protectedEnvs.ts","../src/cli/commands/destroy-tenant.ts"],"sourcesContent":["import type { CfiConfig } from \"../../types.js\";\n\n/**\n * Default set of envs that require explicit confirmation before\n * `destroy-tenant` will run. Used when the loaded config doesn't pin\n * `tenant.protectedEnvs` — these two names are universal-enough across\n * accounts that \"destroying prod by accident\" stays guarded by default,\n * but the operator is free to override the list (e.g. a multi-region\n * account with `production-eu` / `production-us` / `canary` adds those\n * here, and a personal account passes `[]` to disable the prompt).\n */\nconst DEFAULT_PROTECTED_ENVS: readonly string[] = [\"prod\", \"production\"];\n\n/**\n * `true` when `env` is in `tenant.protectedEnvs` from the loaded\n * `tamer.config.ts` (or in the default set when the config doesn't\n * pin its own list). Single source of truth for the destroy\n * confirmation check — call this **after** `loadConfig` so the\n * config-pinned list is honored.\n */\nexport function isProtectedEnv(env: string, config: CfiConfig): boolean {\n  const list = config.tenant.protectedEnvs ?? DEFAULT_PROTECTED_ENVS;\n  return list.includes(env);\n}\n\nexport { DEFAULT_PROTECTED_ENVS };\n","import { loadConfig } from \"../../core/config/loader.js\";\nimport { cloudflareAccountIdFromEnv } from \"../../core/cloudflareEnv.js\";\nimport { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport { StateManager } from \"../../core/state/StateManager.js\";\nimport { stackNameForConfig } from \"../../core/state/stackName.js\";\nimport { tenantStateKey } from \"../../core/tenant/tenantKeys.js\";\nimport { isProtectedEnv } from \"../../core/env/protectedEnvs.js\";\n\n/**\n * Machine-readable result envelope emitted on the final stdout line\n * when `--json` is passed. Mirrors `ProvisionTenantResult` so the\n * Cloudflare Container caller (`provision-workflow`, see\n * `docs/handoff.md` §7) can consume both commands with the same\n * parsing path. `removed.shards` lists every D1 we attempted to\n * delete; `errors` lists any best-effort delete failures so the\n * Workflow can surface them without re-parsing logs.\n */\nexport interface DestroyTenantResult {\n  status: \"destroyed\" | \"noop\" | \"failed\";\n  tenantKey: string;\n  product: string;\n  workspace: string;\n  env: string;\n  removed: {\n    scriptName?: string;\n    dispatchNamespaceName?: string;\n    shards: { role: string; derivedName: string; cfId: string }[];\n  };\n  errors: string[];\n  error?: string;\n}\n\nexport async function runDestroyTenant(options: {\n  env: string;\n  product: string;\n  workspace: string;\n  force?: boolean;\n  confirmTenant?: string;\n  configPath?: string;\n  json?: boolean;\n}): Promise<void> {\n  const env = options.env;\n  if (env === \"local\") {\n    throw new Error(\"destroy-tenant requires a non-local --env.\");\n  }\n\n  // Load config FIRST so the protection prompt can read\n  // `tenant.protectedEnvs` from `tamer.config.ts`. This intentionally\n  // ignores `--force` so a misconfigured CLI invocation can't\n  // bypass even the load step — we want the parsed config in hand\n  // before we accept any confirmation flag.\n  const config = await loadConfig(options.configPath, { env });\n\n  if (isProtectedEnv(env, config) && !options.force) {\n    if (options.confirmTenant !== options.workspace) {\n      throw new Error(\n        `destroy-tenant: env \"${env}\" is in tenant.protectedEnvs ` +\n          `(or the default [\"prod\",\"production\"]); pass ` +\n          `--confirm-tenant ${options.workspace} (must match --workspace) or use --force`,\n      );\n    }\n  }\n\n  const accountId = config.account_id ?? cloudflareAccountIdFromEnv();\n  if (!accountId) {\n    throw new Error(\n      \"account_id required in config or CLOUDFLARE_ACCOUNT_ID env var\",\n    );\n  }\n\n  const api = new CFApiClient(accountId);\n  const state = new StateManager(\n    config.tenant.id,\n    env,\n    stackNameForConfig(config),\n  );\n  await state.hydrate(api);\n\n  const t = state.getTenant(options.product, options.workspace);\n  if (!t) {\n    if (!options.force) {\n      throw new Error(\n        `No tenant state for ${tenantStateKey(options.product, options.workspace)}; pass --force to skip state check`,\n      );\n    }\n    console.log(\"No tenant record in state; nothing to remove.\");\n    if (options.json) {\n      const result: DestroyTenantResult = {\n        status: \"noop\",\n        tenantKey: tenantStateKey(options.product, options.workspace),\n        product: options.product,\n        workspace: options.workspace,\n        env,\n        removed: { shards: [] },\n        errors: [],\n      };\n      process.stdout.write(JSON.stringify(result) + \"\\n\");\n    }\n    return;\n  }\n\n  const errors: string[] = [];\n  try {\n    await api.dispatchNamespaceScriptDelete(\n      t.dispatchNamespaceName,\n      t.scriptName,\n      { force: true },\n    );\n  } catch (err) {\n    const msg = err instanceof Error ? err.message : String(err);\n    console.warn(`[destroy-tenant] script delete: ${msg}`);\n    errors.push(`script:${t.scriptName}:${msg}`);\n  }\n\n  const removedShards: { role: string; derivedName: string; cfId: string }[] =\n    [];\n  for (const shard of t.d1Shards ?? []) {\n    try {\n      await api.d1Delete(shard.cfId);\n      removedShards.push({\n        role: shard.role,\n        derivedName: shard.derivedName,\n        cfId: shard.cfId,\n      });\n    } catch (err) {\n      const msg = err instanceof Error ? err.message : String(err);\n      console.warn(`[destroy-tenant] D1 ${shard.derivedName}: ${msg}`);\n      errors.push(`d1:${shard.derivedName}:${msg}`);\n    }\n  }\n\n  state.deleteTenant(options.product, options.workspace);\n  await state.persist(api);\n\n  console.log(\n    `Destroyed tenant ${tenantStateKey(options.product, options.workspace)}`,\n  );\n\n  if (options.json) {\n    const result: DestroyTenantResult = {\n      status: \"destroyed\",\n      tenantKey: tenantStateKey(options.product, options.workspace),\n      product: options.product,\n      workspace: options.workspace,\n      env,\n      removed: {\n        scriptName: t.scriptName,\n        dispatchNamespaceName: t.dispatchNamespaceName,\n        shards: removedShards,\n      },\n      errors,\n    };\n    process.stdout.write(JSON.stringify(result) + \"\\n\");\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;AAWA,MAAMA,yBAA4C,CAAC,QAAQ,aAAa;;;;;;;;AASxE,SAAgB,eAAe,KAAa,QAA4B;AAEtE,SADa,OAAO,OAAO,iBAAiB,wBAChC,SAAS,IAAI;;;;;ACU3B,eAAsB,iBAAiB,SAQrB;CAChB,MAAM,MAAM,QAAQ;AACpB,KAAI,QAAQ,QACV,OAAM,IAAI,MAAM,6CAA6C;CAQ/D,MAAM,SAAS,MAAM,WAAW,QAAQ,YAAY,EAAE,KAAK,CAAC;AAE5D,KAAI,eAAe,KAAK,OAAO,IAAI,CAAC,QAAQ,OAC1C;MAAI,QAAQ,kBAAkB,QAAQ,UACpC,OAAM,IAAI,MACR,wBAAwB,IAAI,6FAEN,QAAQ,UAAU,0CACzC;;CAIL,MAAM,YAAY,OAAO,cAAc,4BAA4B;AACnE,KAAI,CAAC,UACH,OAAM,IAAI,MACR,iEACD;CAGH,MAAM,MAAM,IAAI,YAAY,UAAU;CACtC,MAAM,QAAQ,IAAI,aAChB,OAAO,OAAO,IACd,KACA,mBAAmB,OAAO,CAC3B;AACD,OAAM,MAAM,QAAQ,IAAI;CAExB,MAAM,IAAI,MAAM,UAAU,QAAQ,SAAS,QAAQ,UAAU;AAC7D,KAAI,CAAC,GAAG;AACN,MAAI,CAAC,QAAQ,MACX,OAAM,IAAI,MACR,uBAAuB,eAAe,QAAQ,SAAS,QAAQ,UAAU,CAAC,oCAC3E;AAEH,UAAQ,IAAI,gDAAgD;AAC5D,MAAI,QAAQ,MAAM;GAChB,MAAMC,SAA8B;IAClC,QAAQ;IACR,WAAW,eAAe,QAAQ,SAAS,QAAQ,UAAU;IAC7D,SAAS,QAAQ;IACjB,WAAW,QAAQ;IACnB;IACA,SAAS,EAAE,QAAQ,EAAE,EAAE;IACvB,QAAQ,EAAE;IACX;AACD,WAAQ,OAAO,MAAM,KAAK,UAAU,OAAO,GAAG,KAAK;;AAErD;;CAGF,MAAMC,SAAmB,EAAE;AAC3B,KAAI;AACF,QAAM,IAAI,8BACR,EAAE,uBACF,EAAE,YACF,EAAE,OAAO,MAAM,CAChB;UACM,KAAK;EACZ,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC5D,UAAQ,KAAK,mCAAmC,MAAM;AACtD,SAAO,KAAK,UAAU,EAAE,WAAW,GAAG,MAAM;;CAG9C,MAAMC,gBACJ,EAAE;AACJ,MAAK,MAAM,SAAS,EAAE,YAAY,EAAE,CAClC,KAAI;AACF,QAAM,IAAI,SAAS,MAAM,KAAK;AAC9B,gBAAc,KAAK;GACjB,MAAM,MAAM;GACZ,aAAa,MAAM;GACnB,MAAM,MAAM;GACb,CAAC;UACK,KAAK;EACZ,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC5D,UAAQ,KAAK,uBAAuB,MAAM,YAAY,IAAI,MAAM;AAChE,SAAO,KAAK,MAAM,MAAM,YAAY,GAAG,MAAM;;AAIjD,OAAM,aAAa,QAAQ,SAAS,QAAQ,UAAU;AACtD,OAAM,MAAM,QAAQ,IAAI;AAExB,SAAQ,IACN,oBAAoB,eAAe,QAAQ,SAAS,QAAQ,UAAU,GACvE;AAED,KAAI,QAAQ,MAAM;EAChB,MAAMF,SAA8B;GAClC,QAAQ;GACR,WAAW,eAAe,QAAQ,SAAS,QAAQ,UAAU;GAC7D,SAAS,QAAQ;GACjB,WAAW,QAAQ;GACnB;GACA,SAAS;IACP,YAAY,EAAE;IACd,uBAAuB,EAAE;IACzB,QAAQ;IACT;GACD;GACD;AACD,UAAQ,OAAO,MAAM,KAAK,UAAU,OAAO,GAAG,KAAK"}

package/dist/dev-CZbKfdFw.mjs

@@ -0,0 +1,103 @@
+import { n as loadConfig, t as getWorkers } from "./loader-DAvCKLTT.mjs";
+import { n as cloudflareAccountIdFromEnv, t as CFApiClient } from "./CFApiClient-DhbyyV71.mjs";
+import { _ as namingFromConfig, g as wranglerConfigCliArgs, p as resolveWorkerConfig, t as fetchStackImports } from "./fetchStackImports-C-1THPYL.mjs";
+import { f as stackNameForConfig, t as StateManager } from "./StateManager-DTqtLLVX.mjs";
+import "./r2S3EmptyBucket-DD81ZWQ7.mjs";
+import { n as writeWranglerJson, t as generateWranglerConfig } from "./generator-Ba-vqyBG.mjs";
+import "./logpush-job-DsRkOORJ.mjs";
+import "./worker-route-CMbtozNa.mjs";
+import { runSync } from "./sync-B_pyPi7Z.mjs";
+import { spawn } from "child_process";
+
+//#region src/cli/commands/dev.ts
+async function runDev(options) {
+	const workerFilter = options.worker;
+	const env = options.env ?? "local";
+	const configPath = options.configPath;
+	const baseDir = process.cwd();
+	const config = await loadConfig(configPath, { env });
+	const accountId = config.account_id ?? cloudflareAccountIdFromEnv();
+	if (!accountId) throw new Error("account_id required in config or CLOUDFLARE_ACCOUNT_ID env var");
+	const naming = namingFromConfig(config);
+	const api = new CFApiClient(accountId);
+	const state = new StateManager(config.tenant.id, env, stackNameForConfig(config));
+	await state.hydrate(api);
+	if (env !== "local" && Object.keys(state.load().resources).length === 0) {
+		console.log("Tamer state is empty; running sync...");
+		await runSync({
+			env,
+			configPath
+		});
+		state.reset();
+		await state.hydrate(api);
+	}
+	const imports = await fetchStackImports(api, config, env);
+	const workers = await getWorkers(config, baseDir);
+	const toRun = workerFilter ? workers.filter(([k]) => k === workerFilter) : workers;
+	if (toRun.length === 0) throw new Error(workerFilter ? `Worker "${workerFilter}" not found` : "No workers configured");
+	for (const [workerKey$1, workerConfig$1] of toRun) {
+		const resolved$1 = await resolveWorkerConfig(config, workerKey$1, workerConfig$1, env, baseDir, accountId, naming, state, { imports });
+		const wranglerConfig = generateWranglerConfig(resolved$1, state, naming);
+		writeWranglerJson(resolved$1.workerDir, wranglerConfig, resolved$1.wranglerOutFile);
+	}
+	if (options.all && toRun.length > 0) {
+		const basePort = Number(process.env.TAMER_DEV_BASE_PORT) || 8787;
+		const children = [];
+		for (let i = 0; i < toRun.length; i++) {
+			const [workerKey$1, workerConfig$1] = toRun[i];
+			const resolved$1 = await resolveWorkerConfig(config, workerKey$1, workerConfig$1, env, baseDir, accountId, naming, state, { imports });
+			const port = basePort + i;
+			const devArgs = [
+				"wrangler",
+				...wranglerConfigCliArgs(resolved$1.wranglerOutFile),
+				"dev",
+				"--port",
+				String(port)
+			];
+			console.log(`Starting ${workerKey$1} on http://127.0.0.1:${port}`);
+			const proc = spawn("bunx", devArgs, {
+				cwd: resolved$1.workerDir,
+				stdio: "inherit",
+				shell: true
+			});
+			children.push(proc);
+		}
+		const shutdown = () => {
+			for (const c of children) if (!c.killed) c.kill("SIGTERM");
+		};
+		process.once("SIGINT", () => {
+			shutdown();
+			process.exit(0);
+		});
+		process.once("SIGTERM", () => {
+			shutdown();
+			process.exit(0);
+		});
+		await new Promise((resolve) => {
+			let remaining = children.length;
+			for (const c of children) c.on("exit", () => {
+				remaining -= 1;
+				if (remaining <= 0) resolve();
+			});
+		});
+		return;
+	}
+	const [workerKey, workerConfig] = toRun[0];
+	const resolved = await resolveWorkerConfig(config, workerKey, workerConfig, env, baseDir, accountId, naming, state, { imports });
+	console.log(`Starting wrangler dev for ${workerKey}...`);
+	spawn("bunx", [
+		"wrangler",
+		...wranglerConfigCliArgs(resolved.wranglerOutFile),
+		"dev"
+	], {
+		cwd: resolved.workerDir,
+		stdio: "inherit",
+		shell: true
+	}).on("exit", (code) => {
+		process.exit(code ?? 0);
+	});
+}
+
+//#endregion
+export { runDev };
+//# sourceMappingURL=dev-CZbKfdFw.mjs.map

package/dist/dev-CZbKfdFw.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"dev-CZbKfdFw.mjs","names":["workerKey","workerConfig","resolved","children: ChildProcess[]"],"sources":["../src/cli/commands/dev.ts"],"sourcesContent":["import type { ChildProcess } from \"child_process\";\nimport { spawn } from \"child_process\";\nimport { loadConfig, getWorkers } from \"../../core/config/loader.js\";\nimport { cloudflareAccountIdFromEnv } from \"../../core/cloudflareEnv.js\";\nimport { namingFromConfig } from \"../../core/config/namingFromConfig.js\";\nimport { wranglerConfigCliArgs } from \"../../core/wrangler/wranglerOutFile.js\";\nimport { StateManager } from \"../../core/state/StateManager.js\";\nimport { stackNameForConfig } from \"../../core/state/stackName.js\";\nimport { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport { resolveWorkerConfig } from \"../../core/config/resolver.js\";\nimport {\n  generateWranglerConfig,\n  writeWranglerJson,\n} from \"../../core/wrangler/generator.js\";\nimport { runSync } from \"./sync.js\";\nimport { fetchStackImports } from \"../../core/imports/fetchStackImports.js\";\n\nexport async function runDev(options: {\n  worker?: string;\n  env?: string;\n  configPath?: string;\n  /** Run every selected worker as a separate `wrangler dev` on incrementing ports (from TAMER_DEV_BASE_PORT or 8787). */\n  all?: boolean;\n}): Promise<void> {\n  const workerFilter = options.worker;\n  const env = options.env ?? \"local\";\n  const configPath = options.configPath;\n  const baseDir = process.cwd();\n\n  const config = await loadConfig(configPath, { env });\n  const accountId =\n    config.account_id ?? cloudflareAccountIdFromEnv();\n  if (!accountId) {\n    throw new Error(\n      \"account_id required in config or CLOUDFLARE_ACCOUNT_ID env var\",\n    );\n  }\n\n  const naming = namingFromConfig(config);\n  const api = new CFApiClient(accountId);\n  const state = new StateManager(\n    config.tenant.id,\n    env,\n    stackNameForConfig(config),\n  );\n  await state.hydrate(api);\n\n  if (\n    env !== \"local\" &&\n    Object.keys(state.load().resources).length === 0\n  ) {\n    console.log(\"Tamer state is empty; running sync...\");\n    await runSync({ env, configPath });\n    state.reset();\n    await state.hydrate(api);\n  }\n\n  // Pre-fetch sibling stack outputs so worker `vars` / `tamerRoutes`\n  // can reference `${tamer:import:<stack>.<output>}` even in dev mode.\n  // No-op in local env (returns `{}`); when missing in non-local, the\n  // import resolver will throw with a clear \"run apply on <stack>\" hint.\n  const imports = await fetchStackImports(api, config, env);\n\n  const workers = await getWorkers(config, baseDir);\n  const toRun = workerFilter\n    ? workers.filter(([k]) => k === workerFilter)\n    : workers;\n\n  if (toRun.length === 0) {\n    throw new Error(\n      workerFilter\n        ? `Worker \"${workerFilter}\" not found`\n        : \"No workers configured\",\n    );\n  }\n\n  for (const [workerKey, workerConfig] of toRun) {\n    const resolved = await resolveWorkerConfig(\n      config,\n      workerKey,\n      workerConfig,\n      env,\n      baseDir,\n      accountId,\n      naming,\n      state,\n      { imports },\n    );\n    const wranglerConfig = generateWranglerConfig(resolved, state, naming);\n    writeWranglerJson(resolved.workerDir, wranglerConfig, resolved.wranglerOutFile);\n  }\n\n  if (options.all && toRun.length > 0) {\n    const basePort = Number(process.env.TAMER_DEV_BASE_PORT) || 8787;\n    const children: ChildProcess[] = [];\n\n    for (let i = 0; i < toRun.length; i++) {\n      const [workerKey, workerConfig] = toRun[i];\n      const resolved = await resolveWorkerConfig(\n        config,\n        workerKey,\n        workerConfig,\n        env,\n        baseDir,\n        accountId,\n        naming,\n        state,\n        { imports },\n      );\n      const port = basePort + i;\n      const devArgs = [\n        \"wrangler\",\n        ...wranglerConfigCliArgs(resolved.wranglerOutFile),\n        \"dev\",\n        \"--port\",\n        String(port),\n      ];\n      console.log(`Starting ${workerKey} on http://127.0.0.1:${port}`);\n      const proc = spawn(\"bunx\", devArgs, {\n        cwd: resolved.workerDir,\n        stdio: \"inherit\",\n        shell: true,\n      });\n      children.push(proc);\n    }\n\n    const shutdown = () => {\n      for (const c of children) {\n        if (!c.killed) c.kill(\"SIGTERM\");\n      }\n    };\n    process.once(\"SIGINT\", () => {\n      shutdown();\n      process.exit(0);\n    });\n    process.once(\"SIGTERM\", () => {\n      shutdown();\n      process.exit(0);\n    });\n\n    await new Promise<void>((resolve) => {\n      let remaining = children.length;\n      for (const c of children) {\n        c.on(\"exit\", () => {\n          remaining -= 1;\n          if (remaining <= 0) resolve();\n        });\n      }\n    });\n    return;\n  }\n\n  const [workerKey, workerConfig] = toRun[0];\n  const resolved = await resolveWorkerConfig(\n    config,\n    workerKey,\n    workerConfig,\n    env,\n    baseDir,\n    accountId,\n    naming,\n    state,\n    { imports },\n  );\n\n  console.log(`Starting wrangler dev for ${workerKey}...`);\n  const devArgs = [\n    \"wrangler\",\n    ...wranglerConfigCliArgs(resolved.wranglerOutFile),\n    \"dev\",\n  ];\n  const proc = spawn(\"bunx\", devArgs, {\n    cwd: resolved.workerDir,\n    stdio: \"inherit\",\n    shell: true,\n  });\n\n  proc.on(\"exit\", (code) => {\n    process.exit(code ?? 0);\n  });\n}\n"],"mappings":";;;;;;;;;;;;AAiBA,eAAsB,OAAO,SAMX;CAChB,MAAM,eAAe,QAAQ;CAC7B,MAAM,MAAM,QAAQ,OAAO;CAC3B,MAAM,aAAa,QAAQ;CAC3B,MAAM,UAAU,QAAQ,KAAK;CAE7B,MAAM,SAAS,MAAM,WAAW,YAAY,EAAE,KAAK,CAAC;CACpD,MAAM,YACJ,OAAO,cAAc,4BAA4B;AACnD,KAAI,CAAC,UACH,OAAM,IAAI,MACR,iEACD;CAGH,MAAM,SAAS,iBAAiB,OAAO;CACvC,MAAM,MAAM,IAAI,YAAY,UAAU;CACtC,MAAM,QAAQ,IAAI,aAChB,OAAO,OAAO,IACd,KACA,mBAAmB,OAAO,CAC3B;AACD,OAAM,MAAM,QAAQ,IAAI;AAExB,KACE,QAAQ,WACR,OAAO,KAAK,MAAM,MAAM,CAAC,UAAU,CAAC,WAAW,GAC/C;AACA,UAAQ,IAAI,wCAAwC;AACpD,QAAM,QAAQ;GAAE;GAAK;GAAY,CAAC;AAClC,QAAM,OAAO;AACb,QAAM,MAAM,QAAQ,IAAI;;CAO1B,MAAM,UAAU,MAAM,kBAAkB,KAAK,QAAQ,IAAI;CAEzD,MAAM,UAAU,MAAM,WAAW,QAAQ,QAAQ;CACjD,MAAM,QAAQ,eACV,QAAQ,QAAQ,CAAC,OAAO,MAAM,aAAa,GAC3C;AAEJ,KAAI,MAAM,WAAW,EACnB,OAAM,IAAI,MACR,eACI,WAAW,aAAa,eACxB,wBACL;AAGH,MAAK,MAAM,CAACA,aAAWC,mBAAiB,OAAO;EAC7C,MAAMC,aAAW,MAAM,oBACrB,QACAF,aACAC,gBACA,KACA,SACA,WACA,QACA,OACA,EAAE,SAAS,CACZ;EACD,MAAM,iBAAiB,uBAAuBC,YAAU,OAAO,OAAO;AACtE,oBAAkBA,WAAS,WAAW,gBAAgBA,WAAS,gBAAgB;;AAGjF,KAAI,QAAQ,OAAO,MAAM,SAAS,GAAG;EACnC,MAAM,WAAW,OAAO,QAAQ,IAAI,oBAAoB,IAAI;EAC5D,MAAMC,WAA2B,EAAE;AAEnC,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;GACrC,MAAM,CAACH,aAAWC,kBAAgB,MAAM;GACxC,MAAMC,aAAW,MAAM,oBACrB,QACAF,aACAC,gBACA,KACA,SACA,WACA,QACA,OACA,EAAE,SAAS,CACZ;GACD,MAAM,OAAO,WAAW;GACxB,MAAM,UAAU;IACd;IACA,GAAG,sBAAsBC,WAAS,gBAAgB;IAClD;IACA;IACA,OAAO,KAAK;IACb;AACD,WAAQ,IAAI,YAAYF,YAAU,uBAAuB,OAAO;GAChE,MAAM,OAAO,MAAM,QAAQ,SAAS;IAClC,KAAKE,WAAS;IACd,OAAO;IACP,OAAO;IACR,CAAC;AACF,YAAS,KAAK,KAAK;;EAGrB,MAAM,iBAAiB;AACrB,QAAK,MAAM,KAAK,SACd,KAAI,CAAC,EAAE,OAAQ,GAAE,KAAK,UAAU;;AAGpC,UAAQ,KAAK,gBAAgB;AAC3B,aAAU;AACV,WAAQ,KAAK,EAAE;IACf;AACF,UAAQ,KAAK,iBAAiB;AAC5B,aAAU;AACV,WAAQ,KAAK,EAAE;IACf;AAEF,QAAM,IAAI,SAAe,YAAY;GACnC,IAAI,YAAY,SAAS;AACzB,QAAK,MAAM,KAAK,SACd,GAAE,GAAG,cAAc;AACjB,iBAAa;AACb,QAAI,aAAa,EAAG,UAAS;KAC7B;IAEJ;AACF;;CAGF,MAAM,CAAC,WAAW,gBAAgB,MAAM;CACxC,MAAM,WAAW,MAAM,oBACrB,QACA,WACA,cACA,KACA,SACA,WACA,QACA,OACA,EAAE,SAAS,CACZ;AAED,SAAQ,IAAI,6BAA6B,UAAU,KAAK;AAYxD,CANa,MAAM,QALH;EACd;EACA,GAAG,sBAAsB,SAAS,gBAAgB;EAClD;EACD,EACmC;EAClC,KAAK,SAAS;EACd,OAAO;EACP,OAAO;EACR,CAAC,CAEG,GAAG,SAAS,SAAS;AACxB,UAAQ,KAAK,QAAQ,EAAE;GACvB"}

package/dist/dns-records.resolve-C2T0m4NG.mjs

@@ -0,0 +1,3 @@
+import { a as effectiveDnsRecordProxied, i as effectiveDnsRecordComment, n as dnsRecordCommentMarker, o as effectiveDnsRecordTtl, r as dnsRecordStateKey, t as dnsRecordAppliesToEnv } from "./dns-records.resolve-DwBR_1WI.mjs";
+
+export { dnsRecordStateKey };

package/dist/dns-records.resolve-DwBR_1WI.mjs

@@ -0,0 +1,47 @@
+//#region src/features/dns-records/dns-records.resolve.ts
+/**
+* Default skip list — `local` is always implicitly skipped on top of any
+* envs the user lists in `skipEnvs`. Wrangler dev does not own real DNS;
+* Tamer never reaches into Cloudflare for `local` apply/destroy.
+*/
+const ALWAYS_SKIPPED = new Set(["local"]);
+/** Whether the record should be created/updated/destroyed for `env`. */
+function dnsRecordAppliesToEnv(config, env) {
+	if (ALWAYS_SKIPPED.has(env)) return false;
+	return !(config.skipEnvs ?? []).includes(env);
+}
+/**
+* Stable comment marker Tamer attaches to every record it creates so
+* `tamer sync` and `tamer import` can rediscover orphans after state
+* loss. Format: `tamer:<tenantId>:<env>:<logicalName>` followed by the
+* user's own free-form comment when set.
+*/
+function dnsRecordCommentMarker(tenant, env, logicalName) {
+	return `tamer:${tenant.id}:${env}:${logicalName}`;
+}
+/** Compose the comment Tamer writes (marker + optional user-supplied tail). */
+function effectiveDnsRecordComment(config, tenant, env) {
+	const marker = dnsRecordCommentMarker(tenant, env, config.logicalName);
+	if (!config.comment) return marker;
+	return `${marker} ${config.comment}`;
+}
+/** TTL default — `1` is Cloudflare's "auto" sentinel. */
+function effectiveDnsRecordTtl(config) {
+	return config.ttl ?? 1;
+}
+/** Proxied default — `false`, since most managed records (TXT, MX, NS, etc.) cannot be proxied. */
+function effectiveDnsRecordProxied(config) {
+	return config.proxied ?? false;
+}
+/**
+* State key for one DNS record. Includes zone + type + name so multiple
+* records of different types on the same hostname (e.g. A + AAAA + TXT)
+* each get their own row.
+*/
+function dnsRecordStateKey(zoneId, type, name) {
+	return `dns_record:${zoneId}:${type}:${name}`;
+}
+
+//#endregion
+export { effectiveDnsRecordProxied as a, effectiveDnsRecordComment as i, dnsRecordCommentMarker as n, effectiveDnsRecordTtl as o, dnsRecordStateKey as r, dnsRecordAppliesToEnv as t };
+//# sourceMappingURL=dns-records.resolve-DwBR_1WI.mjs.map

package/dist/dns-records.resolve-DwBR_1WI.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"dns-records.resolve-DwBR_1WI.mjs","names":[],"sources":["../src/features/dns-records/dns-records.resolve.ts"],"sourcesContent":["import type { DnsRecordResourceConfig, TenantMeta } from \"../../types.js\";\n\n/**\n * Default skip list — `local` is always implicitly skipped on top of any\n * envs the user lists in `skipEnvs`. Wrangler dev does not own real DNS;\n * Tamer never reaches into Cloudflare for `local` apply/destroy.\n */\nconst ALWAYS_SKIPPED = new Set([\"local\"]);\n\n/** Whether the record should be created/updated/destroyed for `env`. */\nexport function dnsRecordAppliesToEnv(\n  config: DnsRecordResourceConfig,\n  env: string,\n): boolean {\n  if (ALWAYS_SKIPPED.has(env)) return false;\n  return !(config.skipEnvs ?? []).includes(env);\n}\n\n/**\n * Stable comment marker Tamer attaches to every record it creates so\n * `tamer sync` and `tamer import` can rediscover orphans after state\n * loss. Format: `tamer:<tenantId>:<env>:<logicalName>` followed by the\n * user's own free-form comment when set.\n */\nexport function dnsRecordCommentMarker(\n  tenant: TenantMeta,\n  env: string,\n  logicalName: string,\n): string {\n  return `tamer:${tenant.id}:${env}:${logicalName}`;\n}\n\n/** Compose the comment Tamer writes (marker + optional user-supplied tail). */\nexport function effectiveDnsRecordComment(\n  config: DnsRecordResourceConfig,\n  tenant: TenantMeta,\n  env: string,\n): string {\n  const marker = dnsRecordCommentMarker(tenant, env, config.logicalName);\n  if (!config.comment) return marker;\n  return `${marker} ${config.comment}`;\n}\n\n/** TTL default — `1` is Cloudflare's \"auto\" sentinel. */\nexport function effectiveDnsRecordTtl(config: DnsRecordResourceConfig): number {\n  return config.ttl ?? 1;\n}\n\n/** Proxied default — `false`, since most managed records (TXT, MX, NS, etc.) cannot be proxied. */\nexport function effectiveDnsRecordProxied(\n  config: DnsRecordResourceConfig,\n): boolean {\n  return config.proxied ?? false;\n}\n\n/**\n * State key for one DNS record. Includes zone + type + name so multiple\n * records of different types on the same hostname (e.g. A + AAAA + TXT)\n * each get their own row.\n */\nexport function dnsRecordStateKey(\n  zoneId: string,\n  type: string,\n  name: string,\n): string {\n  return `dns_record:${zoneId}:${type}:${name}`;\n}\n"],"mappings":";;;;;;AAOA,MAAM,iBAAiB,IAAI,IAAI,CAAC,QAAQ,CAAC;;AAGzC,SAAgB,sBACd,QACA,KACS;AACT,KAAI,eAAe,IAAI,IAAI,CAAE,QAAO;AACpC,QAAO,EAAE,OAAO,YAAY,EAAE,EAAE,SAAS,IAAI;;;;;;;;AAS/C,SAAgB,uBACd,QACA,KACA,aACQ;AACR,QAAO,SAAS,OAAO,GAAG,GAAG,IAAI,GAAG;;;AAItC,SAAgB,0BACd,QACA,QACA,KACQ;CACR,MAAM,SAAS,uBAAuB,QAAQ,KAAK,OAAO,YAAY;AACtE,KAAI,CAAC,OAAO,QAAS,QAAO;AAC5B,QAAO,GAAG,OAAO,GAAG,OAAO;;;AAI7B,SAAgB,sBAAsB,QAAyC;AAC7E,QAAO,OAAO,OAAO;;;AAIvB,SAAgB,0BACd,QACS;AACT,QAAO,OAAO,WAAW;;;;;;;AAQ3B,SAAgB,kBACd,QACA,MACA,MACQ;AACR,QAAO,cAAc,OAAO,GAAG,KAAK,GAAG"}

package/dist/dns-records.sync-Bpzz9H0s.mjs

@@ -0,0 +1,75 @@
+import { o as effectiveDispatchNamespaceName } from "./StateManager-DTqtLLVX.mjs";
+import { n as dnsRecordCommentMarker, r as dnsRecordStateKey, t as dnsRecordAppliesToEnv } from "./dns-records.resolve-DwBR_1WI.mjs";
+
+//#region src/features/dispatch-namespace/dispatch-namespace.sync.ts
+async function dispatchNamespaceSync(resources, tenant, env, api, state) {
+	if (resources.length === 0) return;
+	if (env === "local") return;
+	const list = await api.dispatchNamespaceListAll();
+	const names = new Set(list.map((n) => n.namespace_name));
+	for (const config of resources) {
+		const resolved = effectiveDispatchNamespaceName(config, env, tenant);
+		const key = `dispatch_ns:${resolved}`;
+		if (!names.has(resolved)) continue;
+		state.set(key, {
+			type: "dispatch_namespace",
+			logicalName: config.logicalName,
+			derivedName: resolved,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+			updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+		});
+	}
+}
+
+//#endregion
+//#region src/features/dns-records/dns-records.sync.ts
+/**
+* Re-adopt every Tamer-attributed DNS record found on the live zones into
+* state. Mirrors the dispatch-namespace sync pattern: Tamer never
+* **destroys** records here, just imports rows that match its
+* attribution comment so a `apply` straight after `sync` is a no-op when
+* Cloudflare and config agree.
+*
+* Records on Cloudflare without Tamer's marker comment are ignored even
+* if they happen to match the declared `(zone, type, name)` — they are
+* presumed to be hand-managed and surface in `tamer drift` as
+* `unrecordedInState` so the operator can decide.
+*/
+async function dnsRecordSync(resources, tenant, env, api, state) {
+	if (resources.length === 0) return;
+	const applicable = resources.filter((r) => dnsRecordAppliesToEnv(r, env));
+	if (applicable.length === 0) return;
+	const zoneCache = /* @__PURE__ */ new Map();
+	for (const config of applicable) {
+		let live = zoneCache.get(config.zoneId);
+		if (!live) {
+			live = await api.zoneDnsRecordListAll(config.zoneId);
+			zoneCache.set(config.zoneId, live);
+		}
+		const marker = dnsRecordCommentMarker(tenant, env, config.logicalName);
+		const adopted = live.find((r) => r.type === config.type && typeof r.comment === "string" && r.comment.startsWith(marker));
+		if (!adopted) continue;
+		const stateKey = dnsRecordStateKey(config.zoneId, config.type, config.name);
+		const ts = (/* @__PURE__ */ new Date()).toISOString();
+		const entry = {
+			type: "dns_record",
+			logicalName: config.logicalName,
+			zoneId: config.zoneId,
+			recordType: config.type,
+			name: adopted.name,
+			content: adopted.content,
+			ttl: adopted.ttl ?? 1,
+			proxied: adopted.proxied ?? false,
+			priority: adopted.priority,
+			comment: adopted.comment ?? marker,
+			recordId: adopted.id,
+			createdAt: state.get(stateKey)?.type === "dns_record" ? state.get(stateKey).createdAt : ts,
+			updatedAt: ts
+		};
+		state.set(stateKey, entry);
+	}
+}
+
+//#endregion
+export { dispatchNamespaceSync as n, dnsRecordSync as t };
+//# sourceMappingURL=dns-records.sync-Bpzz9H0s.mjs.map