@dragonmastery/tamer 0.36.7 → 0.37.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{apply-DNrNhXc-.mjs → apply-ByHaKpxD.mjs} +11 -11
- package/dist/{apply-DNrNhXc-.mjs.map → apply-ByHaKpxD.mjs.map} +1 -1
- package/dist/{applyTarget-91EYUetp.mjs → applyTarget-BkBg8MFW.mjs} +2 -2
- package/dist/{applyTarget-91EYUetp.mjs.map → applyTarget-BkBg8MFW.mjs.map} +1 -1
- package/dist/{bootstrap-BYxkCI8L.mjs → bootstrap-DvOce6vA.mjs} +3 -3
- package/dist/{bootstrap-BYxkCI8L.mjs.map → bootstrap-DvOce6vA.mjs.map} +1 -1
- package/dist/{buildDispatchUploadForm-BNDcS5_9.mjs → buildDispatchUploadForm-D9ZrefZX.mjs} +1 -1
- package/dist/{buildDispatchUploadForm-BNDcS5_9.mjs.map → buildDispatchUploadForm-D9ZrefZX.mjs.map} +1 -1
- package/dist/{cloudflareSnapshot-B6WFaaih.mjs → cloudflareSnapshot-CjXNMr4X.mjs} +4 -4
- package/dist/{cloudflareSnapshot-B6WFaaih.mjs.map → cloudflareSnapshot-CjXNMr4X.mjs.map} +1 -1
- package/dist/{deploy-UM9jazjs.mjs → deploy-C4NOE5S1.mjs} +8 -8
- package/dist/{deploy-UM9jazjs.mjs.map → deploy-C4NOE5S1.mjs.map} +1 -1
- package/dist/{destroy-BsvERMdR.mjs → destroy-BeOYY2U6.mjs} +75 -22
- package/dist/destroy-BeOYY2U6.mjs.map +1 -0
- package/dist/{destroy-tenant-CT_uzdl7.mjs → destroy-tenant-B9ZTeUDk.mjs} +2 -2
- package/dist/{destroy-tenant-CT_uzdl7.mjs.map → destroy-tenant-B9ZTeUDk.mjs.map} +1 -1
- package/dist/{dev-DoB7r93_.mjs → dev-0zkF2iqF.mjs} +6 -6
- package/dist/{dev-DoB7r93_.mjs.map → dev-0zkF2iqF.mjs.map} +1 -1
- package/dist/{dns-records.sync-PoahWQjY.mjs → dns-records.sync-FyzKl-Ph.mjs} +2 -2
- package/dist/{dns-records.sync-PoahWQjY.mjs.map → dns-records.sync-FyzKl-Ph.mjs.map} +1 -1
- package/dist/{doctor-BnsOxqnA.mjs → doctor-fm_vGe2C.mjs} +2 -2
- package/dist/{doctor-BnsOxqnA.mjs.map → doctor-fm_vGe2C.mjs.map} +1 -1
- package/dist/{drift-Bl51ml0_.mjs → drift-Ci368_WQ.mjs} +5 -5
- package/dist/{drift-Bl51ml0_.mjs.map → drift-Ci368_WQ.mjs.map} +1 -1
- package/dist/{drift-BFBQj1jH.mjs → drift-CryXFwSh.mjs} +4 -4
- package/dist/{emit-X6pAAeqe.mjs → emit-DDTQVfi_.mjs} +3 -3
- package/dist/{emit-X6pAAeqe.mjs.map → emit-DDTQVfi_.mjs.map} +1 -1
- package/dist/env-gc-DlQxkZPj.mjs +122 -0
- package/dist/env-gc-DlQxkZPj.mjs.map +1 -0
- package/dist/env-list-DhbYisDn.mjs +32 -0
- package/dist/env-list-DhbYisDn.mjs.map +1 -0
- package/dist/{events-B0bvWdiQ.mjs → events-C7wAGJae.mjs} +2 -2
- package/dist/{events-B0bvWdiQ.mjs.map → events-C7wAGJae.mjs.map} +1 -1
- package/dist/{generator-Bu8sQJie.mjs → generator-MX8MAHd9.mjs} +2 -2
- package/dist/{generator-Bu8sQJie.mjs.map → generator-MX8MAHd9.mjs.map} +1 -1
- package/dist/{import-DIkhDk5y.mjs → import-Bzow4TPf.mjs} +3 -3
- package/dist/{import-DIkhDk5y.mjs.map → import-Bzow4TPf.mjs.map} +1 -1
- package/dist/{migrate-B_HSxaRD.mjs → migrate-YfRtATkG.mjs} +5 -5
- package/dist/{migrate-B_HSxaRD.mjs.map → migrate-YfRtATkG.mjs.map} +1 -1
- package/dist/{plan-wJDEX_LX.mjs → plan-C0XRZK_J.mjs} +8 -8
- package/dist/{plan-wJDEX_LX.mjs.map → plan-C0XRZK_J.mjs.map} +1 -1
- package/dist/{provision-tenant-Dh3-p5ZK.mjs → provision-tenant-B4VgWlbl.mjs} +4 -4
- package/dist/{provision-tenant-Dh3-p5ZK.mjs.map → provision-tenant-B4VgWlbl.mjs.map} +1 -1
- package/dist/{registry-BF1E6sk5.mjs → registry-BrOxbA2i.mjs} +36 -6
- package/dist/registry-BrOxbA2i.mjs.map +1 -0
- package/dist/{stackOutputs-CuLa76D4.mjs → stackOutputs-CkpNSng8.mjs} +2 -2
- package/dist/{stackOutputs-CuLa76D4.mjs.map → stackOutputs-CkpNSng8.mjs.map} +1 -1
- package/dist/{status-Xd2gJtII.mjs → status-Ck6Xo8aV.mjs} +4 -4
- package/dist/{status-Xd2gJtII.mjs.map → status-Ck6Xo8aV.mjs.map} +1 -1
- package/dist/sync-Bky8pptf.mjs +7 -0
- package/dist/{sync-B4wfsPIQ.mjs → sync-kl7MaCQV.mjs} +6 -7
- package/dist/{sync-B4wfsPIQ.mjs.map → sync-kl7MaCQV.mjs.map} +1 -1
- package/dist/tamer.mjs +101 -19
- package/dist/tamer.mjs.map +1 -1
- package/dist/{tamerArtifactsR2-7qUbhOLD.mjs → tamerArtifactsR2-COndFmk5.mjs} +1 -1
- package/dist/{tamerArtifactsR2-7qUbhOLD.mjs.map → tamerArtifactsR2-COndFmk5.mjs.map} +1 -1
- package/dist/{types-m1Wz_vz_.mjs → types-BZkoBzpD.mjs} +5 -5
- package/dist/{types-m1Wz_vz_.mjs.map → types-BZkoBzpD.mjs.map} +1 -1
- package/dist/{verifyPlanFile-BYZts3kA.mjs → verifyPlanFile-D_-Qbh1J.mjs} +2 -2
- package/dist/{verifyPlanFile-BYZts3kA.mjs.map → verifyPlanFile-D_-Qbh1J.mjs.map} +1 -1
- package/dist/{wfp-delete-DJXpe2B7.mjs → wfp-delete-BmibnUuz.mjs} +2 -2
- package/dist/{wfp-delete-DJXpe2B7.mjs.map → wfp-delete-BmibnUuz.mjs.map} +1 -1
- package/dist/{wfp-put-BMSAGpZ6.mjs → wfp-put-B7MW5m64.mjs} +3 -3
- package/dist/{wfp-put-BMSAGpZ6.mjs.map → wfp-put-B7MW5m64.mjs.map} +1 -1
- package/dist/{worker-route-C7kgtUXH.mjs → worker-route-CUQBu9xe.mjs} +2 -2
- package/dist/{worker-route-C7kgtUXH.mjs.map → worker-route-CUQBu9xe.mjs.map} +1 -1
- package/dist/{workers-Bq1AY8aB.mjs → workers-DWXnZAzG.mjs} +3 -3
- package/dist/{workers-Bq1AY8aB.mjs.map → workers-DWXnZAzG.mjs.map} +1 -1
- package/dist/{wranglerSpawn-CqVNGkA9.mjs → wranglerSpawn-Dx4I0Wu-.mjs} +1 -1
- package/dist/{wranglerSpawn-CqVNGkA9.mjs.map → wranglerSpawn-Dx4I0Wu-.mjs.map} +1 -1
- package/package.json +1 -1
- package/dist/destroy-BsvERMdR.mjs.map +0 -1
- package/dist/registry-BF1E6sk5.mjs.map +0 -1
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
import { f as getDispatchNamespaces, p as getDnsRecords } from "./normalize-DVSTRZhO.mjs";
|
|
2
|
-
import { B as
|
|
3
|
-
import { a as logicalNamesForResourceKind, n as resourceModules } from "./registry-
|
|
2
|
+
import { B as getConfigBaseDir, F as deleteEnvSecretRows, H as loadConfig, L as CFApiClient, P as isEphemeralEnv, R as cloudflareAccountIdFromEnv, V as getWorkers, h as StateManager, u as namingFromConfig, w as stackNameForConfig, x as deleteEnvStateRows } from "./tamer.mjs";
|
|
3
|
+
import { a as logicalNamesForResourceKind, n as resourceModules } from "./registry-BrOxbA2i.mjs";
|
|
4
4
|
import "./r2S3EmptyBucket-B9_pHfvB.mjs";
|
|
5
5
|
import { n as logpushJobDestroy } from "./logpush-job-GqVKG_HI.mjs";
|
|
6
|
-
import { n as workerRoutesDestroy } from "./worker-route-
|
|
7
|
-
import { runSync } from "./sync-
|
|
8
|
-
import { i as hashCloudflareSnapshot, t as buildCloudflareSnapshot } from "./cloudflareSnapshot-
|
|
9
|
-
import { t as verifyPlanFile } from "./verifyPlanFile-
|
|
10
|
-
import { t as deleteEnvArtifacts } from "./tamerArtifactsR2-
|
|
11
|
-
import { n as workersDestroy } from "./workers-
|
|
6
|
+
import { n as workerRoutesDestroy } from "./worker-route-CUQBu9xe.mjs";
|
|
7
|
+
import { t as runSync } from "./sync-kl7MaCQV.mjs";
|
|
8
|
+
import { i as hashCloudflareSnapshot, t as buildCloudflareSnapshot } from "./cloudflareSnapshot-CjXNMr4X.mjs";
|
|
9
|
+
import { t as verifyPlanFile } from "./verifyPlanFile-D_-Qbh1J.mjs";
|
|
10
|
+
import { t as deleteEnvArtifacts } from "./tamerArtifactsR2-COndFmk5.mjs";
|
|
11
|
+
import { n as workersDestroy } from "./workers-DWXnZAzG.mjs";
|
|
12
12
|
|
|
13
13
|
//#region src/features/dispatch-namespace/dispatch-namespace.destroy.ts
|
|
14
14
|
/**
|
|
@@ -150,23 +150,62 @@ async function runDestroy(options) {
|
|
|
150
150
|
try {
|
|
151
151
|
await state.persist(api);
|
|
152
152
|
} catch {}
|
|
153
|
+
const destroyErrors = [];
|
|
154
|
+
async function tryStep(step, fn) {
|
|
155
|
+
try {
|
|
156
|
+
await fn();
|
|
157
|
+
} catch (err) {
|
|
158
|
+
const msg = err instanceof Error ? err.message : String(err);
|
|
159
|
+
if (/404|not found|does not exist|already/i.test(msg)) console.log(` ~ ${step}: already gone`);
|
|
160
|
+
else {
|
|
161
|
+
console.warn(` ✗ ${step}: ${msg}`);
|
|
162
|
+
destroyErrors.push({
|
|
163
|
+
step,
|
|
164
|
+
error: msg
|
|
165
|
+
});
|
|
166
|
+
}
|
|
167
|
+
}
|
|
168
|
+
}
|
|
153
169
|
try {
|
|
170
|
+
const allState = state.getAll();
|
|
171
|
+
const stateKeys = Object.keys(allState);
|
|
172
|
+
if (stateKeys.length > 0) {
|
|
173
|
+
console.log(`\nDestroy inventory (${stateKeys.length} resource(s) in state for env ${env}):`);
|
|
174
|
+
const byType = {};
|
|
175
|
+
for (const [key, entry] of Object.entries(allState)) {
|
|
176
|
+
const type = entry.type ?? "unknown";
|
|
177
|
+
if (!byType[type]) byType[type] = [];
|
|
178
|
+
byType[type].push(key);
|
|
179
|
+
}
|
|
180
|
+
for (const [type, keys] of Object.entries(byType).sort()) {
|
|
181
|
+
console.log(` ${type} (${keys.length}):`);
|
|
182
|
+
for (const key of keys) {
|
|
183
|
+
const entry = allState[key];
|
|
184
|
+
console.log(` ${entry.derivedName ?? key}`);
|
|
185
|
+
}
|
|
186
|
+
}
|
|
187
|
+
console.log("");
|
|
188
|
+
}
|
|
154
189
|
if (!skipWorkers) {
|
|
155
|
-
await
|
|
156
|
-
|
|
157
|
-
|
|
190
|
+
await tryStep("worker routes", async () => {
|
|
191
|
+
await workerRoutesDestroy(env, config, baseDir, state, api);
|
|
192
|
+
await state.persist(api);
|
|
193
|
+
});
|
|
194
|
+
await tryStep("worker scripts", () => workersDestroy(env, baseDir, accountId, config, state, api, force));
|
|
158
195
|
}
|
|
159
196
|
const ownedByKind = await Promise.all(resourceModules.map((m) => logicalNamesForResourceKind(config, baseDir, m.kind).then((set) => ({
|
|
160
197
|
mod: m,
|
|
161
198
|
owned: set
|
|
162
199
|
}))));
|
|
163
200
|
const workers = await getWorkers(config, baseDir);
|
|
164
|
-
await
|
|
165
|
-
|
|
201
|
+
await tryStep("Logpush + Pipelines", async () => {
|
|
202
|
+
await logpushJobDestroy(env, state, api, config);
|
|
203
|
+
await state.persist(api);
|
|
204
|
+
});
|
|
166
205
|
for (const { mod, owned } of ownedByKind) {
|
|
167
206
|
if (owned.size === 0) continue;
|
|
168
207
|
const resources = workers.flatMap(([, wc]) => mod.pickResources(wc));
|
|
169
|
-
await mod.destroy({
|
|
208
|
+
await tryStep(`${mod.label} (${[...owned].join(", ")})`, () => mod.destroy({
|
|
170
209
|
resources,
|
|
171
210
|
tenant: config.tenant,
|
|
172
211
|
env,
|
|
@@ -176,12 +215,12 @@ async function runDestroy(options) {
|
|
|
176
215
|
config,
|
|
177
216
|
baseDir,
|
|
178
217
|
force
|
|
179
|
-
});
|
|
218
|
+
}));
|
|
180
219
|
}
|
|
181
|
-
if (getDispatchNamespaces(config).length > 0) await dispatchNamespaceDestroy(env, state, api, config, force);
|
|
182
|
-
if (getDnsRecords(config).length > 0) await dnsRecordDestroy(env, state, api, config, force);
|
|
220
|
+
if (getDispatchNamespaces(config).length > 0) await tryStep("dispatch namespaces", () => dispatchNamespaceDestroy(env, state, api, config, force));
|
|
221
|
+
if (getDnsRecords(config).length > 0) await tryStep("DNS records", () => dnsRecordDestroy(env, state, api, config, force));
|
|
183
222
|
state.replaceStackOutputs({});
|
|
184
|
-
if (env !== "local" && wipeMetadata) {
|
|
223
|
+
if (env !== "local" && wipeMetadata && destroyErrors.length === 0) {
|
|
185
224
|
state.clearDirty();
|
|
186
225
|
if (await deleteEnvStateRows(api, env)) console.log(`Cleared Tamer state rows for env ${env}.`);
|
|
187
226
|
try {
|
|
@@ -195,16 +234,30 @@ async function runDestroy(options) {
|
|
|
195
234
|
console.warn(`Failed to clean Tamer secrets for env ${env}:`, err instanceof Error ? err.message : err);
|
|
196
235
|
}
|
|
197
236
|
}
|
|
198
|
-
if (env !== "local" && !wipeMetadata) {
|
|
199
|
-
state.
|
|
237
|
+
if (env !== "local" && (!wipeMetadata || destroyErrors.length > 0)) {
|
|
238
|
+
if (destroyErrors.length > 0) state.failOperation(`${destroyErrors.length} step(s) failed: ${destroyErrors.map((e) => e.step).join(", ")}`);
|
|
239
|
+
else state.finishOperation();
|
|
200
240
|
try {
|
|
201
241
|
await state.persist(api);
|
|
202
242
|
} catch {}
|
|
203
243
|
}
|
|
204
244
|
state.clearDirty();
|
|
245
|
+
const remaining = Object.keys(state.getAll());
|
|
246
|
+
if (remaining.length > 0) {
|
|
247
|
+
console.warn(`\nWarning: ${remaining.length} resource(s) still in state after destroy:`);
|
|
248
|
+
for (const key of remaining) {
|
|
249
|
+
const entry = state.get(key);
|
|
250
|
+
console.warn(` ${entry?.derivedName ?? key} (${entry?.type})`);
|
|
251
|
+
}
|
|
252
|
+
}
|
|
253
|
+
if (destroyErrors.length > 0) {
|
|
254
|
+
console.warn(`\n${destroyErrors.length} step(s) failed during destroy:`);
|
|
255
|
+
for (const { step, error } of destroyErrors) console.warn(` ${step}: ${error}`);
|
|
256
|
+
throw new Error(`destroy completed with ${destroyErrors.length} failure(s); ${remaining.length} resource(s) may be orphaned`);
|
|
257
|
+
}
|
|
205
258
|
console.log(`Destroyed all resources for env: ${env}`);
|
|
206
259
|
} catch (err) {
|
|
207
|
-
if (env !== "local") {
|
|
260
|
+
if (env !== "local" && !(err instanceof Error && err.message.includes("destroy completed with"))) {
|
|
208
261
|
state.failOperation(err instanceof Error ? err.message : String(err));
|
|
209
262
|
try {
|
|
210
263
|
await state.persist(api);
|
|
@@ -216,4 +269,4 @@ async function runDestroy(options) {
|
|
|
216
269
|
|
|
217
270
|
//#endregion
|
|
218
271
|
export { runDestroy };
|
|
219
|
-
//# sourceMappingURL=destroy-
|
|
272
|
+
//# sourceMappingURL=destroy-BeOYY2U6.mjs.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"destroy-BeOYY2U6.mjs","names":["destroyErrors: Array<{ step: string; error: string }>","byType: Record<string, string[]>"],"sources":["../src/features/dispatch-namespace/dispatch-namespace.destroy.ts","../src/features/dns-records/dns-records.destroy.ts","../src/cli/destroyGuard.ts","../src/cli/commands/destroy.ts"],"sourcesContent":["import type { CfiConfig } from \"../../types.js\";\nimport { getDispatchNamespaces } from \"../../types.js\";\nimport type { StateManager } from \"../../core/state/StateManager.js\";\nimport type { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport type { DispatchNamespaceStateEntry } from \"../../types.js\";\nimport { isEphemeralEnv } from \"./dispatch-namespace.resolve.js\";\n\n/**\n * Tear down every dispatch namespace recorded in state.\n *\n * Cloudflare refuses to delete a namespace that still contains scripts, so we\n * enumerate `/dispatch/namespaces/{ns}/scripts` and delete each (with `force`\n * so dependents like service-bind targets don't block the removal). This\n * covers tenant scripts uploaded by `tamer wfp put` / `provision-workflow`\n * that aren't otherwise tracked in Tamer state.\n */\nexport async function dispatchNamespaceDestroy(\n env: string,\n state: StateManager,\n api: CFApiClient,\n config: CfiConfig,\n _force?: boolean,\n): Promise<void> {\n const allowedLogical = new Set(\n getDispatchNamespaces(config).map((d) => d.logicalName),\n );\n if (allowedLogical.size === 0) return;\n\n for (const [key, entry] of Object.entries(state.getAll())) {\n if (entry.type !== \"dispatch_namespace\") continue;\n const ns = entry as DispatchNamespaceStateEntry;\n if (!allowedLogical.has(ns.logicalName)) continue;\n const isSharedEphemeral = ns.derivedName.endsWith(\"-ephemeral\");\n try {\n const scripts = await api.dispatchNamespaceScriptList(ns.derivedName);\n for (const s of scripts) {\n if (isEphemeralEnv(env, config.tenant) && isSharedEphemeral) {\n if (!s.id.endsWith(`-${env}`)) continue;\n }\n try {\n await api.dispatchNamespaceScriptDelete(ns.derivedName, s.id, {\n force: true,\n });\n console.log(\n `Deleted tenant script \"${s.id}\" from namespace ${ns.derivedName}.`,\n );\n } catch (err) {\n console.warn(\n `Failed to delete tenant script ${s.id} in ${ns.derivedName}:`,\n err instanceof Error ? err.message : err,\n );\n }\n }\n if (isEphemeralEnv(env, config.tenant) && isSharedEphemeral) {\n console.log(\n `Left shared dispatch namespace ${ns.derivedName} (removed only scripts suffixed -${env}).`,\n );\n continue;\n }\n await api.dispatchNamespaceDelete(ns.derivedName);\n state.delete(key);\n } catch (err) {\n console.warn(\n `Failed to delete dispatch namespace ${ns.derivedName}:`,\n err instanceof Error ? err.message : err,\n );\n }\n }\n}\n","import type { CfiConfig, DnsRecordStateEntry } from \"../../types.js\";\nimport { getDnsRecords } from \"../../types.js\";\nimport type { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport type { StateManager } from \"../../core/state/StateManager.js\";\n\n/**\n * Tear down every DNS record this stack owns. Restricted to records\n * whose `logicalName` is declared in the current `CfiConfig.dnsRecords`\n * (matches `runDestroy` semantics for shared state rows). Records flagged\n * `preserveOnDestroy: true` are left in place but still dropped from\n * state — the operator is responsible for re-importing them later.\n */\nexport async function dnsRecordDestroy(\n env: string,\n state: StateManager,\n api: CFApiClient,\n config: CfiConfig,\n _force?: boolean,\n): Promise<void> {\n if (env === \"local\") return;\n const declared = getDnsRecords(config);\n if (declared.length === 0) return;\n const preserve = new Map<string, boolean>(\n declared.map((c) => [c.logicalName, !!c.preserveOnDestroy]),\n );\n const allowedLogical = new Set(declared.map((c) => c.logicalName));\n\n for (const [key, entry] of Object.entries(state.getAll())) {\n if (entry.type !== \"dns_record\") continue;\n const rec = entry as DnsRecordStateEntry;\n if (!allowedLogical.has(rec.logicalName)) continue;\n if (preserve.get(rec.logicalName)) {\n console.log(\n `Preserved DNS record ${rec.recordType} ${rec.name} (preserveOnDestroy).`,\n );\n state.delete(key);\n continue;\n }\n try {\n await api.zoneDnsRecordDelete(rec.zoneId, rec.recordId);\n state.delete(key);\n } catch (err) {\n console.warn(\n `Failed to delete DNS record ${rec.recordType} ${rec.name}:`,\n err instanceof Error ? err.message : err,\n );\n }\n }\n}\n","/** Shared envs where destroy must be confirmed with `--confirm-env <same>`. */\nexport const SHARED_ENV_DESTROY = [\n \"dev\",\n \"staging\",\n \"prod\",\n \"production\",\n] as const;\n\n/**\n * @param force When true, skips the typed confirmation (break-glass).\n */\nexport function assertDestroyEnvAllowed(\n env: string,\n force: boolean,\n confirmEnv?: string,\n): void {\n if (force) return;\n if (!SHARED_ENV_DESTROY.includes(env as (typeof SHARED_ENV_DESTROY)[number])) {\n return;\n }\n if (confirmEnv !== env) {\n throw new Error(\n `Destroying shared environment \"${env}\" requires --confirm-env ${env}`,\n );\n }\n}\n","import { loadConfig, getWorkers, getConfigBaseDir } from \"../../core/config/loader.js\";\nimport { logicalNamesForResourceKind } from \"../../core/config/resourcesFromConfig.js\";\nimport { cloudflareAccountIdFromEnv } from \"../../core/cloudflareEnv.js\";\nimport { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport { StateManager } from \"../../core/state/StateManager.js\";\nimport { stackNameForConfig } from \"../../core/state/stackName.js\";\nimport { deleteEnvStateRows } from \"../../core/state/tamerStateDb.js\";\nimport { deleteEnvArtifacts } from \"../../core/state/tamerArtifactsR2.js\";\nimport { deleteEnvSecretRows } from \"../../core/secrets/secretsDb.js\";\nimport { getDispatchNamespaces, getDnsRecords } from \"../../types.js\";\nimport { logpushJobDestroy } from \"../../features/logpush-job/index.js\";\nimport { assertDestroyEnvAllowed } from \"../destroyGuard.js\";\nimport { dispatchNamespaceDestroy } from \"../../features/dispatch-namespace/index.js\";\nimport { dnsRecordDestroy } from \"../../features/dns-records/index.js\";\nimport { workersDestroy } from \"../../features/workers/index.js\";\nimport { workerRoutesDestroy } from \"../../features/worker-route/index.js\";\nimport { runSync } from \"./sync.js\";\nimport { resourceModules } from \"../../core/registry/registry.js\";\nimport { namingFromConfig } from \"../../core/config/namingFromConfig.js\";\nimport { verifyPlanFile } from \"../../core/plan/verifyPlanFile.js\";\nimport { hashCloudflareSnapshot } from \"../../core/plan/planFile.js\";\nimport { buildCloudflareSnapshot } from \"../../core/plan/cloudflareSnapshot.js\";\n\nexport async function runDestroy(options: {\n env: string;\n force?: boolean;\n skipWorkers?: boolean;\n confirmEnv?: string;\n configPath?: string;\n /** When true, delete the shared `tamer-state-{env}` D1 after other resources (use on last stack teardown). */\n wipeMetadata?: boolean;\n /**\n * Path to a destroy plan file from `tamer plan --destroy --out`. Destroy\n * recomputes the `(config, state, cloudflare)` attestation hashes and\n * refuses to proceed if any drifted (override with `allowStale`). The\n * pinned plan ensures the operator destroys exactly what they reviewed.\n */\n planFile?: string;\n allowStale?: boolean;\n}): Promise<void> {\n const {\n env,\n force = false,\n skipWorkers = false,\n confirmEnv,\n configPath,\n wipeMetadata = false,\n } = options;\n assertDestroyEnvAllowed(env, force, confirmEnv);\n\n const config = await loadConfig(configPath, { env });\n const baseDir = getConfigBaseDir();\n const accountId =\n config.account_id ?? cloudflareAccountIdFromEnv();\n if (!accountId) {\n throw new Error(\n \"account_id required in config or CLOUDFLARE_ACCOUNT_ID env var\",\n );\n }\n\n if (options.planFile) {\n const verifyApi = new CFApiClient(accountId);\n const verifyState = new StateManager(\n config.tenant.id,\n env,\n stackNameForConfig(config),\n );\n await verifyState.hydrate(verifyApi);\n const liveSnapshot =\n env === \"local\"\n ? undefined\n : await buildCloudflareSnapshot({\n config,\n env,\n api: verifyApi,\n baseDir,\n });\n verifyPlanFile({\n planPath: options.planFile,\n command: \"destroy\",\n expectedMode: \"destroy\",\n env,\n tenantId: config.tenant.id,\n config,\n stateAtPlanCheck: verifyState.load(),\n liveCloudflareHash: liveSnapshot\n ? hashCloudflareSnapshot(liveSnapshot)\n : undefined,\n allowStale: !!options.allowStale,\n });\n }\n\n if (env !== \"local\") {\n console.log(`Syncing state from Cloudflare for env: ${env}...`);\n await runSync({ env, configPath });\n }\n\n const api = new CFApiClient(accountId);\n const naming = namingFromConfig(config);\n const state = new StateManager(\n config.tenant.id,\n env,\n stackNameForConfig(config),\n );\n await state.hydrate(api);\n state.beginOperation(\"destroy\", wipeMetadata ? \"wipe-metadata\" : undefined);\n try {\n await state.persist(api);\n } catch {\n /* in-progress marker best-effort */\n }\n\n const destroyErrors: Array<{ step: string; error: string }> = [];\n\n async function tryStep(step: string, fn: () => Promise<void>): Promise<void> {\n try {\n await fn();\n } catch (err) {\n const msg = err instanceof Error ? err.message : String(err);\n if (/404|not found|does not exist|already/i.test(msg)) {\n console.log(` ~ ${step}: already gone`);\n } else {\n console.warn(` ✗ ${step}: ${msg}`);\n destroyErrors.push({ step, error: msg });\n }\n }\n }\n\n try {\n // Inventory: show what's in state so the operator can verify\n // nothing will be missed (or left behind).\n const allState = state.getAll();\n const stateKeys = Object.keys(allState);\n if (stateKeys.length > 0) {\n console.log(`\\nDestroy inventory (${stateKeys.length} resource(s) in state for env ${env}):`);\n const byType: Record<string, string[]> = {};\n for (const [key, entry] of Object.entries(allState)) {\n const type = entry.type ?? \"unknown\";\n if (!byType[type]) byType[type] = [];\n byType[type].push(key);\n }\n for (const [type, keys] of Object.entries(byType).sort()) {\n console.log(` ${type} (${keys.length}):`);\n for (const key of keys) {\n const entry = allState[key] as { derivedName?: string };\n console.log(` ${entry.derivedName ?? key}`);\n }\n }\n console.log(\"\");\n }\n\n if (!skipWorkers) {\n await tryStep(\"worker routes\", async () => {\n await workerRoutesDestroy(env, config, baseDir, state, api);\n await state.persist(api);\n });\n await tryStep(\"worker scripts\", () =>\n workersDestroy(env, baseDir, accountId, config, state, api, force),\n );\n }\n\n const ownedByKind = await Promise.all(\n resourceModules.map((m) =>\n logicalNamesForResourceKind(config, baseDir, m.kind).then((set) => ({\n mod: m,\n owned: set,\n })),\n ),\n );\n const workers = await getWorkers(config, baseDir);\n\n await tryStep(\"Logpush + Pipelines\", async () => {\n await logpushJobDestroy(env, state, api, config);\n await state.persist(api);\n });\n\n for (const { mod, owned } of ownedByKind) {\n if (owned.size === 0) continue;\n const resources = workers.flatMap(([, wc]) => mod.pickResources(wc));\n await tryStep(`${mod.label} (${[...owned].join(\", \")})`, () =>\n mod.destroy({\n resources,\n tenant: config.tenant,\n env,\n api,\n state,\n naming,\n config,\n baseDir,\n force,\n }),\n );\n }\n\n if (getDispatchNamespaces(config).length > 0) {\n await tryStep(\"dispatch namespaces\", () =>\n dispatchNamespaceDestroy(env, state, api, config, force),\n );\n }\n\n if (getDnsRecords(config).length > 0) {\n await tryStep(\"DNS records\", () =>\n dnsRecordDestroy(env, state, api, config, force),\n );\n }\n\n // Clear `stackOutputs` — the values pointed at resources we just deleted.\n state.replaceStackOutputs({});\n\n if (env !== \"local\" && wipeMetadata && destroyErrors.length === 0) {\n state.clearDirty();\n const deletedState = await deleteEnvStateRows(api, env);\n if (deletedState) {\n console.log(`Cleared Tamer state rows for env ${env}.`);\n }\n try {\n await deleteEnvArtifacts(api, env);\n } catch (err) {\n console.warn(\n `Failed to clean Tamer artifacts for env ${env}:`,\n err instanceof Error ? err.message : err,\n );\n }\n try {\n const deletedSecrets = await deleteEnvSecretRows(api, env);\n if (deletedSecrets) {\n console.log(`Cleared Tamer secret rows for env ${env}.`);\n }\n } catch (err) {\n console.warn(\n `Failed to clean Tamer secrets for env ${env}:`,\n err instanceof Error ? err.message : err,\n );\n }\n }\n\n if (env !== \"local\" && (!wipeMetadata || destroyErrors.length > 0)) {\n if (destroyErrors.length > 0) {\n state.failOperation(\n `${destroyErrors.length} step(s) failed: ${destroyErrors.map((e) => e.step).join(\", \")}`,\n );\n } else {\n state.finishOperation();\n }\n try {\n await state.persist(api);\n } catch {\n /* state row may have been wiped by sub-steps */\n }\n }\n state.clearDirty();\n\n // Post-destroy check: what's still in state?\n const remaining = Object.keys(state.getAll());\n if (remaining.length > 0) {\n console.warn(\n `\\nWarning: ${remaining.length} resource(s) still in state after destroy:`,\n );\n for (const key of remaining) {\n const entry = state.get(key) as { derivedName?: string; type?: string } | undefined;\n console.warn(` ${entry?.derivedName ?? key} (${entry?.type})`);\n }\n }\n\n if (destroyErrors.length > 0) {\n console.warn(`\\n${destroyErrors.length} step(s) failed during destroy:`);\n for (const { step, error } of destroyErrors) {\n console.warn(` ${step}: ${error}`);\n }\n throw new Error(\n `destroy completed with ${destroyErrors.length} failure(s); ${remaining.length} resource(s) may be orphaned`,\n );\n }\n\n console.log(`Destroyed all resources for env: ${env}`);\n } catch (err) {\n if (env !== \"local\" && !(err instanceof Error && err.message.includes(\"destroy completed with\"))) {\n state.failOperation(err instanceof Error ? err.message : String(err));\n try {\n await state.persist(api);\n } catch {\n /* swallow secondary persist failure */\n }\n }\n throw err;\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAgBA,eAAsB,yBACpB,KACA,OACA,KACA,QACA,QACe;CACf,MAAM,iBAAiB,IAAI,IACzB,sBAAsB,OAAO,CAAC,KAAK,MAAM,EAAE,YAAY,CACxD;AACD,KAAI,eAAe,SAAS,EAAG;AAE/B,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,QAAQ,CAAC,EAAE;AACzD,MAAI,MAAM,SAAS,qBAAsB;EACzC,MAAM,KAAK;AACX,MAAI,CAAC,eAAe,IAAI,GAAG,YAAY,CAAE;EACzC,MAAM,oBAAoB,GAAG,YAAY,SAAS,aAAa;AAC/D,MAAI;GACF,MAAM,UAAU,MAAM,IAAI,4BAA4B,GAAG,YAAY;AACrE,QAAK,MAAM,KAAK,SAAS;AACvB,QAAI,eAAe,KAAK,OAAO,OAAO,IAAI,mBACxC;SAAI,CAAC,EAAE,GAAG,SAAS,IAAI,MAAM,CAAE;;AAEjC,QAAI;AACF,WAAM,IAAI,8BAA8B,GAAG,aAAa,EAAE,IAAI,EAC5D,OAAO,MACR,CAAC;AACF,aAAQ,IACN,0BAA0B,EAAE,GAAG,mBAAmB,GAAG,YAAY,GAClE;aACM,KAAK;AACZ,aAAQ,KACN,kCAAkC,EAAE,GAAG,MAAM,GAAG,YAAY,IAC5D,eAAe,QAAQ,IAAI,UAAU,IACtC;;;AAGL,OAAI,eAAe,KAAK,OAAO,OAAO,IAAI,mBAAmB;AAC3D,YAAQ,IACN,kCAAkC,GAAG,YAAY,mCAAmC,IAAI,IACzF;AACD;;AAEF,SAAM,IAAI,wBAAwB,GAAG,YAAY;AACjD,SAAM,OAAO,IAAI;WACV,KAAK;AACZ,WAAQ,KACN,uCAAuC,GAAG,YAAY,IACtD,eAAe,QAAQ,IAAI,UAAU,IACtC;;;;;;;;;;;;;;ACrDP,eAAsB,iBACpB,KACA,OACA,KACA,QACA,QACe;AACf,KAAI,QAAQ,QAAS;CACrB,MAAM,WAAW,cAAc,OAAO;AACtC,KAAI,SAAS,WAAW,EAAG;CAC3B,MAAM,WAAW,IAAI,IACnB,SAAS,KAAK,MAAM,CAAC,EAAE,aAAa,CAAC,CAAC,EAAE,kBAAkB,CAAC,CAC5D;CACD,MAAM,iBAAiB,IAAI,IAAI,SAAS,KAAK,MAAM,EAAE,YAAY,CAAC;AAElE,MAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,MAAM,QAAQ,CAAC,EAAE;AACzD,MAAI,MAAM,SAAS,aAAc;EACjC,MAAM,MAAM;AACZ,MAAI,CAAC,eAAe,IAAI,IAAI,YAAY,CAAE;AAC1C,MAAI,SAAS,IAAI,IAAI,YAAY,EAAE;AACjC,WAAQ,IACN,wBAAwB,IAAI,WAAW,GAAG,IAAI,KAAK,uBACpD;AACD,SAAM,OAAO,IAAI;AACjB;;AAEF,MAAI;AACF,SAAM,IAAI,oBAAoB,IAAI,QAAQ,IAAI,SAAS;AACvD,SAAM,OAAO,IAAI;WACV,KAAK;AACZ,WAAQ,KACN,+BAA+B,IAAI,WAAW,GAAG,IAAI,KAAK,IAC1D,eAAe,QAAQ,IAAI,UAAU,IACtC;;;;;;;;AC5CP,MAAa,qBAAqB;CAChC;CACA;CACA;CACA;CACD;;;;AAKD,SAAgB,wBACd,KACA,OACA,YACM;AACN,KAAI,MAAO;AACX,KAAI,CAAC,mBAAmB,SAAS,IAA2C,CAC1E;AAEF,KAAI,eAAe,IACjB,OAAM,IAAI,MACR,kCAAkC,IAAI,2BAA2B,MAClE;;;;;ACAL,eAAsB,WAAW,SAgBf;CAChB,MAAM,EACJ,KACA,QAAQ,OACR,cAAc,OACd,YACA,YACA,eAAe,UACb;AACJ,yBAAwB,KAAK,OAAO,WAAW;CAE/C,MAAM,SAAS,MAAM,WAAW,YAAY,EAAE,KAAK,CAAC;CACpD,MAAM,UAAU,kBAAkB;CAClC,MAAM,YACJ,OAAO,cAAc,4BAA4B;AACnD,KAAI,CAAC,UACH,OAAM,IAAI,MACR,iEACD;AAGH,KAAI,QAAQ,UAAU;EACpB,MAAM,YAAY,IAAI,YAAY,UAAU;EAC5C,MAAM,cAAc,IAAI,aACtB,OAAO,OAAO,IACd,KACA,mBAAmB,OAAO,CAC3B;AACD,QAAM,YAAY,QAAQ,UAAU;EACpC,MAAM,eACJ,QAAQ,UACJ,SACA,MAAM,wBAAwB;GAC5B;GACA;GACA,KAAK;GACL;GACD,CAAC;AACR,iBAAe;GACb,UAAU,QAAQ;GAClB,SAAS;GACT,cAAc;GACd;GACA,UAAU,OAAO,OAAO;GACxB;GACA,kBAAkB,YAAY,MAAM;GACpC,oBAAoB,eAChB,uBAAuB,aAAa,GACpC;GACJ,YAAY,CAAC,CAAC,QAAQ;GACvB,CAAC;;AAGJ,KAAI,QAAQ,SAAS;AACnB,UAAQ,IAAI,0CAA0C,IAAI,KAAK;AAC/D,QAAM,QAAQ;GAAE;GAAK;GAAY,CAAC;;CAGpC,MAAM,MAAM,IAAI,YAAY,UAAU;CACtC,MAAM,SAAS,iBAAiB,OAAO;CACvC,MAAM,QAAQ,IAAI,aAChB,OAAO,OAAO,IACd,KACA,mBAAmB,OAAO,CAC3B;AACD,OAAM,MAAM,QAAQ,IAAI;AACxB,OAAM,eAAe,WAAW,eAAe,kBAAkB,OAAU;AAC3E,KAAI;AACF,QAAM,MAAM,QAAQ,IAAI;SAClB;CAIR,MAAMA,gBAAwD,EAAE;CAEhE,eAAe,QAAQ,MAAc,IAAwC;AAC3E,MAAI;AACF,SAAM,IAAI;WACH,KAAK;GACZ,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC5D,OAAI,wCAAwC,KAAK,IAAI,CACnD,SAAQ,IAAI,OAAO,KAAK,gBAAgB;QACnC;AACL,YAAQ,KAAK,OAAO,KAAK,IAAI,MAAM;AACnC,kBAAc,KAAK;KAAE;KAAM,OAAO;KAAK,CAAC;;;;AAK9C,KAAI;EAGF,MAAM,WAAW,MAAM,QAAQ;EAC/B,MAAM,YAAY,OAAO,KAAK,SAAS;AACvC,MAAI,UAAU,SAAS,GAAG;AACxB,WAAQ,IAAI,wBAAwB,UAAU,OAAO,gCAAgC,IAAI,IAAI;GAC7F,MAAMC,SAAmC,EAAE;AAC3C,QAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,SAAS,EAAE;IACnD,MAAM,OAAO,MAAM,QAAQ;AAC3B,QAAI,CAAC,OAAO,MAAO,QAAO,QAAQ,EAAE;AACpC,WAAO,MAAM,KAAK,IAAI;;AAExB,QAAK,MAAM,CAAC,MAAM,SAAS,OAAO,QAAQ,OAAO,CAAC,MAAM,EAAE;AACxD,YAAQ,IAAI,KAAK,KAAK,IAAI,KAAK,OAAO,IAAI;AAC1C,SAAK,MAAM,OAAO,MAAM;KACtB,MAAM,QAAQ,SAAS;AACvB,aAAQ,IAAI,OAAO,MAAM,eAAe,MAAM;;;AAGlD,WAAQ,IAAI,GAAG;;AAGjB,MAAI,CAAC,aAAa;AAChB,SAAM,QAAQ,iBAAiB,YAAY;AACzC,UAAM,oBAAoB,KAAK,QAAQ,SAAS,OAAO,IAAI;AAC3D,UAAM,MAAM,QAAQ,IAAI;KACxB;AACF,SAAM,QAAQ,wBACZ,eAAe,KAAK,SAAS,WAAW,QAAQ,OAAO,KAAK,MAAM,CACnE;;EAGH,MAAM,cAAc,MAAM,QAAQ,IAChC,gBAAgB,KAAK,MACnB,4BAA4B,QAAQ,SAAS,EAAE,KAAK,CAAC,MAAM,SAAS;GAClE,KAAK;GACL,OAAO;GACR,EAAE,CACJ,CACF;EACD,MAAM,UAAU,MAAM,WAAW,QAAQ,QAAQ;AAEjD,QAAM,QAAQ,uBAAuB,YAAY;AAC/C,SAAM,kBAAkB,KAAK,OAAO,KAAK,OAAO;AAChD,SAAM,MAAM,QAAQ,IAAI;IACxB;AAEF,OAAK,MAAM,EAAE,KAAK,WAAW,aAAa;AACxC,OAAI,MAAM,SAAS,EAAG;GACtB,MAAM,YAAY,QAAQ,SAAS,GAAG,QAAQ,IAAI,cAAc,GAAG,CAAC;AACpE,SAAM,QAAQ,GAAG,IAAI,MAAM,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,KAAK,CAAC,UACnD,IAAI,QAAQ;IACV;IACA,QAAQ,OAAO;IACf;IACA;IACA;IACA;IACA;IACA;IACA;IACD,CAAC,CACH;;AAGH,MAAI,sBAAsB,OAAO,CAAC,SAAS,EACzC,OAAM,QAAQ,6BACZ,yBAAyB,KAAK,OAAO,KAAK,QAAQ,MAAM,CACzD;AAGH,MAAI,cAAc,OAAO,CAAC,SAAS,EACjC,OAAM,QAAQ,qBACZ,iBAAiB,KAAK,OAAO,KAAK,QAAQ,MAAM,CACjD;AAIH,QAAM,oBAAoB,EAAE,CAAC;AAE7B,MAAI,QAAQ,WAAW,gBAAgB,cAAc,WAAW,GAAG;AACjE,SAAM,YAAY;AAElB,OADqB,MAAM,mBAAmB,KAAK,IAAI,CAErD,SAAQ,IAAI,oCAAoC,IAAI,GAAG;AAEzD,OAAI;AACF,UAAM,mBAAmB,KAAK,IAAI;YAC3B,KAAK;AACZ,YAAQ,KACN,2CAA2C,IAAI,IAC/C,eAAe,QAAQ,IAAI,UAAU,IACtC;;AAEH,OAAI;AAEF,QADuB,MAAM,oBAAoB,KAAK,IAAI,CAExD,SAAQ,IAAI,qCAAqC,IAAI,GAAG;YAEnD,KAAK;AACZ,YAAQ,KACN,yCAAyC,IAAI,IAC7C,eAAe,QAAQ,IAAI,UAAU,IACtC;;;AAIL,MAAI,QAAQ,YAAY,CAAC,gBAAgB,cAAc,SAAS,IAAI;AAClE,OAAI,cAAc,SAAS,EACzB,OAAM,cACJ,GAAG,cAAc,OAAO,mBAAmB,cAAc,KAAK,MAAM,EAAE,KAAK,CAAC,KAAK,KAAK,GACvF;OAED,OAAM,iBAAiB;AAEzB,OAAI;AACF,UAAM,MAAM,QAAQ,IAAI;WAClB;;AAIV,QAAM,YAAY;EAGlB,MAAM,YAAY,OAAO,KAAK,MAAM,QAAQ,CAAC;AAC7C,MAAI,UAAU,SAAS,GAAG;AACxB,WAAQ,KACN,cAAc,UAAU,OAAO,4CAChC;AACD,QAAK,MAAM,OAAO,WAAW;IAC3B,MAAM,QAAQ,MAAM,IAAI,IAAI;AAC5B,YAAQ,KAAK,KAAK,OAAO,eAAe,IAAI,IAAI,OAAO,KAAK,GAAG;;;AAInE,MAAI,cAAc,SAAS,GAAG;AAC5B,WAAQ,KAAK,KAAK,cAAc,OAAO,iCAAiC;AACxE,QAAK,MAAM,EAAE,MAAM,WAAW,cAC5B,SAAQ,KAAK,KAAK,KAAK,IAAI,QAAQ;AAErC,SAAM,IAAI,MACR,0BAA0B,cAAc,OAAO,eAAe,UAAU,OAAO,8BAChF;;AAGH,UAAQ,IAAI,oCAAoC,MAAM;UAC/C,KAAK;AACZ,MAAI,QAAQ,WAAW,EAAE,eAAe,SAAS,IAAI,QAAQ,SAAS,yBAAyB,GAAG;AAChG,SAAM,cAAc,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI,CAAC;AACrE,OAAI;AACF,UAAM,MAAM,QAAQ,IAAI;WAClB;;AAIV,QAAM"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { H as loadConfig, L as CFApiClient, R as cloudflareAccountIdFromEnv, h as StateManager, w as stackNameForConfig, y as tenantStateKey } from "./tamer.mjs";
|
|
2
2
|
|
|
3
3
|
//#region src/core/env/protectedEnvs.ts
|
|
4
4
|
/**
|
|
@@ -98,4 +98,4 @@ async function runDestroyTenant(options) {
|
|
|
98
98
|
|
|
99
99
|
//#endregion
|
|
100
100
|
export { runDestroyTenant };
|
|
101
|
-
//# sourceMappingURL=destroy-tenant-
|
|
101
|
+
//# sourceMappingURL=destroy-tenant-B9ZTeUDk.mjs.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"destroy-tenant-
|
|
1
|
+
{"version":3,"file":"destroy-tenant-B9ZTeUDk.mjs","names":["DEFAULT_PROTECTED_ENVS: readonly string[]","result: DestroyTenantResult","errors: string[]","removedShards: { role: string; derivedName: string; cfId: string }[]"],"sources":["../src/core/env/protectedEnvs.ts","../src/cli/commands/destroy-tenant.ts"],"sourcesContent":["import type { CfiConfig } from \"../../types.js\";\n\n/**\n * Default set of envs that require explicit confirmation before\n * `destroy-tenant` will run. Used when the loaded config doesn't pin\n * `tenant.protectedEnvs` — these two names are universal-enough across\n * accounts that \"destroying prod by accident\" stays guarded by default,\n * but the operator is free to override the list (e.g. a multi-region\n * account with `production-eu` / `production-us` / `canary` adds those\n * here, and a personal account passes `[]` to disable the prompt).\n */\nconst DEFAULT_PROTECTED_ENVS: readonly string[] = [\"prod\", \"production\"];\n\n/**\n * `true` when `env` is in `tenant.protectedEnvs` from the loaded\n * `tamer.config.ts` (or in the default set when the config doesn't\n * pin its own list). Single source of truth for the destroy\n * confirmation check — call this **after** `loadConfig` so the\n * config-pinned list is honored.\n */\nexport function isProtectedEnv(env: string, config: CfiConfig): boolean {\n const list = config.tenant.protectedEnvs ?? DEFAULT_PROTECTED_ENVS;\n return list.includes(env);\n}\n\nexport { DEFAULT_PROTECTED_ENVS };\n","import { loadConfig } from \"../../core/config/loader.js\";\nimport { cloudflareAccountIdFromEnv } from \"../../core/cloudflareEnv.js\";\nimport { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport { StateManager } from \"../../core/state/StateManager.js\";\nimport { stackNameForConfig } from \"../../core/state/stackName.js\";\nimport { tenantStateKey } from \"../../core/tenant/tenantKeys.js\";\nimport { isProtectedEnv } from \"../../core/env/protectedEnvs.js\";\n\n/**\n * Machine-readable result envelope emitted on the final stdout line\n * when `--json` is passed. Mirrors `ProvisionTenantResult` so the\n * Cloudflare Container caller (`provision-workflow`, see\n * `docs/handoff.md` §7) can consume both commands with the same\n * parsing path. `removed.shards` lists every D1 we attempted to\n * delete; `errors` lists any best-effort delete failures so the\n * Workflow can surface them without re-parsing logs.\n */\nexport interface DestroyTenantResult {\n status: \"destroyed\" | \"noop\" | \"failed\";\n tenantKey: string;\n product: string;\n workspace: string;\n env: string;\n removed: {\n scriptName?: string;\n dispatchNamespaceName?: string;\n shards: { role: string; derivedName: string; cfId: string }[];\n };\n errors: string[];\n error?: string;\n}\n\nexport async function runDestroyTenant(options: {\n env: string;\n product: string;\n workspace: string;\n force?: boolean;\n confirmTenant?: string;\n configPath?: string;\n json?: boolean;\n}): Promise<void> {\n const env = options.env;\n if (env === \"local\") {\n throw new Error(\"destroy-tenant requires a non-local --env.\");\n }\n\n // Load config FIRST so the protection prompt can read\n // `tenant.protectedEnvs` from `tamer.config.ts`. This intentionally\n // ignores `--force` so a misconfigured CLI invocation can't\n // bypass even the load step — we want the parsed config in hand\n // before we accept any confirmation flag.\n const config = await loadConfig(options.configPath, { env });\n\n if (isProtectedEnv(env, config) && !options.force) {\n if (options.confirmTenant !== options.workspace) {\n throw new Error(\n `destroy-tenant: env \"${env}\" is in tenant.protectedEnvs ` +\n `(or the default [\"prod\",\"production\"]); pass ` +\n `--confirm-tenant ${options.workspace} (must match --workspace) or use --force`,\n );\n }\n }\n\n const accountId = config.account_id ?? cloudflareAccountIdFromEnv();\n if (!accountId) {\n throw new Error(\n \"account_id required in config or CLOUDFLARE_ACCOUNT_ID env var\",\n );\n }\n\n const api = new CFApiClient(accountId);\n const state = new StateManager(\n config.tenant.id,\n env,\n stackNameForConfig(config),\n );\n await state.hydrate(api);\n\n const t = state.getTenant(options.product, options.workspace);\n if (!t) {\n if (!options.force) {\n throw new Error(\n `No tenant state for ${tenantStateKey(options.product, options.workspace)}; pass --force to skip state check`,\n );\n }\n console.log(\"No tenant record in state; nothing to remove.\");\n if (options.json) {\n const result: DestroyTenantResult = {\n status: \"noop\",\n tenantKey: tenantStateKey(options.product, options.workspace),\n product: options.product,\n workspace: options.workspace,\n env,\n removed: { shards: [] },\n errors: [],\n };\n process.stdout.write(JSON.stringify(result) + \"\\n\");\n }\n return;\n }\n\n const errors: string[] = [];\n try {\n await api.dispatchNamespaceScriptDelete(\n t.dispatchNamespaceName,\n t.scriptName,\n { force: true },\n );\n } catch (err) {\n const msg = err instanceof Error ? err.message : String(err);\n console.warn(`[destroy-tenant] script delete: ${msg}`);\n errors.push(`script:${t.scriptName}:${msg}`);\n }\n\n const removedShards: { role: string; derivedName: string; cfId: string }[] =\n [];\n for (const shard of t.d1Shards ?? []) {\n try {\n await api.d1Delete(shard.cfId);\n removedShards.push({\n role: shard.role,\n derivedName: shard.derivedName,\n cfId: shard.cfId,\n });\n } catch (err) {\n const msg = err instanceof Error ? err.message : String(err);\n console.warn(`[destroy-tenant] D1 ${shard.derivedName}: ${msg}`);\n errors.push(`d1:${shard.derivedName}:${msg}`);\n }\n }\n\n state.deleteTenant(options.product, options.workspace);\n await state.persist(api);\n\n console.log(\n `Destroyed tenant ${tenantStateKey(options.product, options.workspace)}`,\n );\n\n if (options.json) {\n const result: DestroyTenantResult = {\n status: \"destroyed\",\n tenantKey: tenantStateKey(options.product, options.workspace),\n product: options.product,\n workspace: options.workspace,\n env,\n removed: {\n scriptName: t.scriptName,\n dispatchNamespaceName: t.dispatchNamespaceName,\n shards: removedShards,\n },\n errors,\n };\n process.stdout.write(JSON.stringify(result) + \"\\n\");\n }\n}\n"],"mappings":";;;;;;;;;;;;AAWA,MAAMA,yBAA4C,CAAC,QAAQ,aAAa;;;;;;;;AASxE,SAAgB,eAAe,KAAa,QAA4B;AAEtE,SADa,OAAO,OAAO,iBAAiB,wBAChC,SAAS,IAAI;;;;;ACU3B,eAAsB,iBAAiB,SAQrB;CAChB,MAAM,MAAM,QAAQ;AACpB,KAAI,QAAQ,QACV,OAAM,IAAI,MAAM,6CAA6C;CAQ/D,MAAM,SAAS,MAAM,WAAW,QAAQ,YAAY,EAAE,KAAK,CAAC;AAE5D,KAAI,eAAe,KAAK,OAAO,IAAI,CAAC,QAAQ,OAC1C;MAAI,QAAQ,kBAAkB,QAAQ,UACpC,OAAM,IAAI,MACR,wBAAwB,IAAI,6FAEN,QAAQ,UAAU,0CACzC;;CAIL,MAAM,YAAY,OAAO,cAAc,4BAA4B;AACnE,KAAI,CAAC,UACH,OAAM,IAAI,MACR,iEACD;CAGH,MAAM,MAAM,IAAI,YAAY,UAAU;CACtC,MAAM,QAAQ,IAAI,aAChB,OAAO,OAAO,IACd,KACA,mBAAmB,OAAO,CAC3B;AACD,OAAM,MAAM,QAAQ,IAAI;CAExB,MAAM,IAAI,MAAM,UAAU,QAAQ,SAAS,QAAQ,UAAU;AAC7D,KAAI,CAAC,GAAG;AACN,MAAI,CAAC,QAAQ,MACX,OAAM,IAAI,MACR,uBAAuB,eAAe,QAAQ,SAAS,QAAQ,UAAU,CAAC,oCAC3E;AAEH,UAAQ,IAAI,gDAAgD;AAC5D,MAAI,QAAQ,MAAM;GAChB,MAAMC,SAA8B;IAClC,QAAQ;IACR,WAAW,eAAe,QAAQ,SAAS,QAAQ,UAAU;IAC7D,SAAS,QAAQ;IACjB,WAAW,QAAQ;IACnB;IACA,SAAS,EAAE,QAAQ,EAAE,EAAE;IACvB,QAAQ,EAAE;IACX;AACD,WAAQ,OAAO,MAAM,KAAK,UAAU,OAAO,GAAG,KAAK;;AAErD;;CAGF,MAAMC,SAAmB,EAAE;AAC3B,KAAI;AACF,QAAM,IAAI,8BACR,EAAE,uBACF,EAAE,YACF,EAAE,OAAO,MAAM,CAChB;UACM,KAAK;EACZ,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC5D,UAAQ,KAAK,mCAAmC,MAAM;AACtD,SAAO,KAAK,UAAU,EAAE,WAAW,GAAG,MAAM;;CAG9C,MAAMC,gBACJ,EAAE;AACJ,MAAK,MAAM,SAAS,EAAE,YAAY,EAAE,CAClC,KAAI;AACF,QAAM,IAAI,SAAS,MAAM,KAAK;AAC9B,gBAAc,KAAK;GACjB,MAAM,MAAM;GACZ,aAAa,MAAM;GACnB,MAAM,MAAM;GACb,CAAC;UACK,KAAK;EACZ,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC5D,UAAQ,KAAK,uBAAuB,MAAM,YAAY,IAAI,MAAM;AAChE,SAAO,KAAK,MAAM,MAAM,YAAY,GAAG,MAAM;;AAIjD,OAAM,aAAa,QAAQ,SAAS,QAAQ,UAAU;AACtD,OAAM,MAAM,QAAQ,IAAI;AAExB,SAAQ,IACN,oBAAoB,eAAe,QAAQ,SAAS,QAAQ,UAAU,GACvE;AAED,KAAI,QAAQ,MAAM;EAChB,MAAMF,SAA8B;GAClC,QAAQ;GACR,WAAW,eAAe,QAAQ,SAAS,QAAQ,UAAU;GAC7D,SAAS,QAAQ;GACjB,WAAW,QAAQ;GACnB;GACA,SAAS;IACP,YAAY,EAAE;IACd,uBAAuB,EAAE;IACzB,QAAQ;IACT;GACD;GACD;AACD,UAAQ,OAAO,MAAM,KAAK,UAAU,OAAO,GAAG,KAAK"}
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
import { B as
|
|
2
|
-
import "./registry-
|
|
1
|
+
import { B as getConfigBaseDir, H as loadConfig, L as CFApiClient, M as wranglerConfigCliArgs, R as cloudflareAccountIdFromEnv, V as getWorkers, f as fetchStackImports, h as StateManager, k as resolveWorkerConfig, u as namingFromConfig, w as stackNameForConfig } from "./tamer.mjs";
|
|
2
|
+
import "./registry-BrOxbA2i.mjs";
|
|
3
3
|
import "./r2S3EmptyBucket-B9_pHfvB.mjs";
|
|
4
|
-
import { n as writeWranglerJson, t as generateWranglerConfig } from "./generator-
|
|
4
|
+
import { n as writeWranglerJson, t as generateWranglerConfig } from "./generator-MX8MAHd9.mjs";
|
|
5
5
|
import "./logpush-job-GqVKG_HI.mjs";
|
|
6
|
-
import "./worker-route-
|
|
7
|
-
import { runSync } from "./sync-
|
|
6
|
+
import "./worker-route-CUQBu9xe.mjs";
|
|
7
|
+
import { t as runSync } from "./sync-kl7MaCQV.mjs";
|
|
8
8
|
import { spawn } from "child_process";
|
|
9
9
|
|
|
10
10
|
//#region src/cli/commands/dev.ts
|
|
@@ -98,4 +98,4 @@ async function runDev(options) {
|
|
|
98
98
|
|
|
99
99
|
//#endregion
|
|
100
100
|
export { runDev };
|
|
101
|
-
//# sourceMappingURL=dev-
|
|
101
|
+
//# sourceMappingURL=dev-0zkF2iqF.mjs.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dev-
|
|
1
|
+
{"version":3,"file":"dev-0zkF2iqF.mjs","names":["workerKey","workerConfig","resolved","children: ChildProcess[]"],"sources":["../src/cli/commands/dev.ts"],"sourcesContent":["import type { ChildProcess } from \"child_process\";\nimport { spawn } from \"child_process\";\nimport { loadConfig, getWorkers, getConfigBaseDir } from \"../../core/config/loader.js\";\nimport { cloudflareAccountIdFromEnv } from \"../../core/cloudflareEnv.js\";\nimport { namingFromConfig } from \"../../core/config/namingFromConfig.js\";\nimport { wranglerConfigCliArgs } from \"../../core/wrangler/wranglerOutFile.js\";\nimport { StateManager } from \"../../core/state/StateManager.js\";\nimport { stackNameForConfig } from \"../../core/state/stackName.js\";\nimport { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport { resolveWorkerConfig } from \"../../core/config/resolver.js\";\nimport {\n generateWranglerConfig,\n writeWranglerJson,\n} from \"../../core/wrangler/generator.js\";\nimport { runSync } from \"./sync.js\";\nimport { fetchStackImports } from \"../../core/imports/fetchStackImports.js\";\n\nexport async function runDev(options: {\n worker?: string;\n env?: string;\n configPath?: string;\n /** Run every selected worker as a separate `wrangler dev` on incrementing ports (from TAMER_DEV_BASE_PORT or 8787). */\n all?: boolean;\n}): Promise<void> {\n const workerFilter = options.worker;\n const env = options.env ?? \"local\";\n const configPath = options.configPath;\n\n const config = await loadConfig(configPath, { env });\n const baseDir = getConfigBaseDir();\n const accountId =\n config.account_id ?? cloudflareAccountIdFromEnv();\n if (!accountId) {\n throw new Error(\n \"account_id required in config or CLOUDFLARE_ACCOUNT_ID env var\",\n );\n }\n\n const naming = namingFromConfig(config);\n const api = new CFApiClient(accountId);\n const state = new StateManager(\n config.tenant.id,\n env,\n stackNameForConfig(config),\n );\n await state.hydrate(api);\n\n if (\n env !== \"local\" &&\n Object.keys(state.load().resources).length === 0\n ) {\n console.log(\"Tamer state is empty; running sync...\");\n await runSync({ env, configPath });\n state.reset();\n await state.hydrate(api);\n }\n\n // Pre-fetch sibling stack outputs so worker `vars` / `tamerRoutes`\n // can reference `${tamer:import:<stack>.<output>}` even in dev mode.\n // No-op in local env (returns `{}`); when missing in non-local, the\n // import resolver will throw with a clear \"run apply on <stack>\" hint.\n const imports = await fetchStackImports(api, config, env);\n\n const workers = await getWorkers(config, baseDir);\n const toRun = workerFilter\n ? workers.filter(([k]) => k === workerFilter)\n : workers;\n\n if (toRun.length === 0) {\n throw new Error(\n workerFilter\n ? `Worker \"${workerFilter}\" not found`\n : \"No workers configured\",\n );\n }\n\n for (const [workerKey, workerConfig] of toRun) {\n const resolved = await resolveWorkerConfig(\n config,\n workerKey,\n workerConfig,\n env,\n baseDir,\n accountId,\n naming,\n state,\n { imports },\n );\n const wranglerConfig = generateWranglerConfig(resolved, state, naming);\n writeWranglerJson(resolved.workerDir, wranglerConfig, resolved.wranglerOutFile);\n }\n\n if (options.all && toRun.length > 0) {\n const basePort = Number(process.env.TAMER_DEV_BASE_PORT) || 8787;\n const children: ChildProcess[] = [];\n\n for (let i = 0; i < toRun.length; i++) {\n const [workerKey, workerConfig] = toRun[i];\n const resolved = await resolveWorkerConfig(\n config,\n workerKey,\n workerConfig,\n env,\n baseDir,\n accountId,\n naming,\n state,\n { imports },\n );\n const port = basePort + i;\n const devArgs = [\n \"wrangler\",\n ...wranglerConfigCliArgs(resolved.wranglerOutFile),\n \"dev\",\n \"--port\",\n String(port),\n ];\n console.log(`Starting ${workerKey} on http://127.0.0.1:${port}`);\n const proc = spawn(\"bunx\", devArgs, {\n cwd: resolved.workerDir,\n stdio: \"inherit\",\n shell: true,\n });\n children.push(proc);\n }\n\n const shutdown = () => {\n for (const c of children) {\n if (!c.killed) c.kill(\"SIGTERM\");\n }\n };\n process.once(\"SIGINT\", () => {\n shutdown();\n process.exit(0);\n });\n process.once(\"SIGTERM\", () => {\n shutdown();\n process.exit(0);\n });\n\n await new Promise<void>((resolve) => {\n let remaining = children.length;\n for (const c of children) {\n c.on(\"exit\", () => {\n remaining -= 1;\n if (remaining <= 0) resolve();\n });\n }\n });\n return;\n }\n\n const [workerKey, workerConfig] = toRun[0];\n const resolved = await resolveWorkerConfig(\n config,\n workerKey,\n workerConfig,\n env,\n baseDir,\n accountId,\n naming,\n state,\n { imports },\n );\n\n console.log(`Starting wrangler dev for ${workerKey}...`);\n const devArgs = [\n \"wrangler\",\n ...wranglerConfigCliArgs(resolved.wranglerOutFile),\n \"dev\",\n ];\n const proc = spawn(\"bunx\", devArgs, {\n cwd: resolved.workerDir,\n stdio: \"inherit\",\n shell: true,\n });\n\n proc.on(\"exit\", (code) => {\n process.exit(code ?? 0);\n });\n}\n"],"mappings":";;;;;;;;;;AAiBA,eAAsB,OAAO,SAMX;CAChB,MAAM,eAAe,QAAQ;CAC7B,MAAM,MAAM,QAAQ,OAAO;CAC3B,MAAM,aAAa,QAAQ;CAE3B,MAAM,SAAS,MAAM,WAAW,YAAY,EAAE,KAAK,CAAC;CACpD,MAAM,UAAU,kBAAkB;CAClC,MAAM,YACJ,OAAO,cAAc,4BAA4B;AACnD,KAAI,CAAC,UACH,OAAM,IAAI,MACR,iEACD;CAGH,MAAM,SAAS,iBAAiB,OAAO;CACvC,MAAM,MAAM,IAAI,YAAY,UAAU;CACtC,MAAM,QAAQ,IAAI,aAChB,OAAO,OAAO,IACd,KACA,mBAAmB,OAAO,CAC3B;AACD,OAAM,MAAM,QAAQ,IAAI;AAExB,KACE,QAAQ,WACR,OAAO,KAAK,MAAM,MAAM,CAAC,UAAU,CAAC,WAAW,GAC/C;AACA,UAAQ,IAAI,wCAAwC;AACpD,QAAM,QAAQ;GAAE;GAAK;GAAY,CAAC;AAClC,QAAM,OAAO;AACb,QAAM,MAAM,QAAQ,IAAI;;CAO1B,MAAM,UAAU,MAAM,kBAAkB,KAAK,QAAQ,IAAI;CAEzD,MAAM,UAAU,MAAM,WAAW,QAAQ,QAAQ;CACjD,MAAM,QAAQ,eACV,QAAQ,QAAQ,CAAC,OAAO,MAAM,aAAa,GAC3C;AAEJ,KAAI,MAAM,WAAW,EACnB,OAAM,IAAI,MACR,eACI,WAAW,aAAa,eACxB,wBACL;AAGH,MAAK,MAAM,CAACA,aAAWC,mBAAiB,OAAO;EAC7C,MAAMC,aAAW,MAAM,oBACrB,QACAF,aACAC,gBACA,KACA,SACA,WACA,QACA,OACA,EAAE,SAAS,CACZ;EACD,MAAM,iBAAiB,uBAAuBC,YAAU,OAAO,OAAO;AACtE,oBAAkBA,WAAS,WAAW,gBAAgBA,WAAS,gBAAgB;;AAGjF,KAAI,QAAQ,OAAO,MAAM,SAAS,GAAG;EACnC,MAAM,WAAW,OAAO,QAAQ,IAAI,oBAAoB,IAAI;EAC5D,MAAMC,WAA2B,EAAE;AAEnC,OAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;GACrC,MAAM,CAACH,aAAWC,kBAAgB,MAAM;GACxC,MAAMC,aAAW,MAAM,oBACrB,QACAF,aACAC,gBACA,KACA,SACA,WACA,QACA,OACA,EAAE,SAAS,CACZ;GACD,MAAM,OAAO,WAAW;GACxB,MAAM,UAAU;IACd;IACA,GAAG,sBAAsBC,WAAS,gBAAgB;IAClD;IACA;IACA,OAAO,KAAK;IACb;AACD,WAAQ,IAAI,YAAYF,YAAU,uBAAuB,OAAO;GAChE,MAAM,OAAO,MAAM,QAAQ,SAAS;IAClC,KAAKE,WAAS;IACd,OAAO;IACP,OAAO;IACR,CAAC;AACF,YAAS,KAAK,KAAK;;EAGrB,MAAM,iBAAiB;AACrB,QAAK,MAAM,KAAK,SACd,KAAI,CAAC,EAAE,OAAQ,GAAE,KAAK,UAAU;;AAGpC,UAAQ,KAAK,gBAAgB;AAC3B,aAAU;AACV,WAAQ,KAAK,EAAE;IACf;AACF,UAAQ,KAAK,iBAAiB;AAC5B,aAAU;AACV,WAAQ,KAAK,EAAE;IACf;AAEF,QAAM,IAAI,SAAe,YAAY;GACnC,IAAI,YAAY,SAAS;AACzB,QAAK,MAAM,KAAK,SACd,GAAE,GAAG,cAAc;AACjB,iBAAa;AACb,QAAI,aAAa,EAAG,UAAS;KAC7B;IAEJ;AACF;;CAGF,MAAM,CAAC,WAAW,gBAAgB,MAAM;CACxC,MAAM,WAAW,MAAM,oBACrB,QACA,WACA,cACA,KACA,SACA,WACA,QACA,OACA,EAAE,SAAS,CACZ;AAED,SAAQ,IAAI,6BAA6B,UAAU,KAAK;AAYxD,CANa,MAAM,QALH;EACd;EACA,GAAG,sBAAsB,SAAS,gBAAgB;EAClD;EACD,EACmC;EAClC,KAAK,SAAS;EACd,OAAO;EACP,OAAO;EACR,CAAC,CAEG,GAAG,SAAS,SAAS;AACxB,UAAQ,KAAK,QAAQ,EAAE;GACvB"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { N as effectiveDispatchNamespaceName } from "./tamer.mjs";
|
|
2
2
|
import { n as dnsRecordCommentMarker, r as dnsRecordStateKey, t as dnsRecordAppliesToEnv } from "./dns-records.resolve-DV6XBZf3.mjs";
|
|
3
3
|
|
|
4
4
|
//#region src/features/dispatch-namespace/dispatch-namespace.sync.ts
|
|
@@ -72,4 +72,4 @@ async function dnsRecordSync(resources, tenant, env, api, state) {
|
|
|
72
72
|
|
|
73
73
|
//#endregion
|
|
74
74
|
export { dispatchNamespaceSync as n, dnsRecordSync as t };
|
|
75
|
-
//# sourceMappingURL=dns-records.sync-
|
|
75
|
+
//# sourceMappingURL=dns-records.sync-FyzKl-Ph.mjs.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dns-records.sync-
|
|
1
|
+
{"version":3,"file":"dns-records.sync-FyzKl-Ph.mjs","names":["entry: DnsRecordStateEntry"],"sources":["../src/features/dispatch-namespace/dispatch-namespace.sync.ts","../src/features/dns-records/dns-records.sync.ts"],"sourcesContent":["import type { TenantMeta, DispatchNamespaceResourceConfig } from \"../../types.js\";\nimport type { StateManager } from \"../../core/state/StateManager.js\";\nimport type { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport { effectiveDispatchNamespaceName } from \"./dispatch-namespace.resolve.js\";\n\nexport async function dispatchNamespaceSync(\n resources: DispatchNamespaceResourceConfig[],\n tenant: TenantMeta,\n env: string,\n api: CFApiClient,\n state: StateManager,\n): Promise<void> {\n if (resources.length === 0) return;\n if (env === \"local\") return;\n\n const list = await api.dispatchNamespaceListAll();\n const names = new Set(list.map((n) => n.namespace_name));\n\n for (const config of resources) {\n const resolved = effectiveDispatchNamespaceName(config, env, tenant);\n const key = `dispatch_ns:${resolved}`;\n if (!names.has(resolved)) continue;\n\n state.set(key, {\n type: \"dispatch_namespace\",\n logicalName: config.logicalName,\n derivedName: resolved,\n createdAt: new Date().toISOString(),\n updatedAt: new Date().toISOString(),\n });\n }\n}\n","import type {\n DnsRecordResourceConfig,\n DnsRecordStateEntry,\n TenantMeta,\n} from \"../../types.js\";\nimport type { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport type { StateManager } from \"../../core/state/StateManager.js\";\nimport {\n dnsRecordAppliesToEnv,\n dnsRecordCommentMarker,\n dnsRecordStateKey,\n} from \"./dns-records.resolve.js\";\n\n/**\n * Re-adopt every Tamer-attributed DNS record found on the live zones into\n * state. Mirrors the dispatch-namespace sync pattern: Tamer never\n * **destroys** records here, just imports rows that match its\n * attribution comment so a `apply` straight after `sync` is a no-op when\n * Cloudflare and config agree.\n *\n * Records on Cloudflare without Tamer's marker comment are ignored even\n * if they happen to match the declared `(zone, type, name)` — they are\n * presumed to be hand-managed and surface in `tamer drift` as\n * `unrecordedInState` so the operator can decide.\n */\nexport async function dnsRecordSync(\n resources: DnsRecordResourceConfig[],\n tenant: TenantMeta,\n env: string,\n api: CFApiClient,\n state: StateManager,\n): Promise<void> {\n if (resources.length === 0) return;\n const applicable = resources.filter((r) => dnsRecordAppliesToEnv(r, env));\n if (applicable.length === 0) return;\n\n const zoneCache = new Map<\n string,\n Awaited<ReturnType<CFApiClient[\"zoneDnsRecordListAll\"]>>\n >();\n\n for (const config of applicable) {\n let live = zoneCache.get(config.zoneId);\n if (!live) {\n live = await api.zoneDnsRecordListAll(config.zoneId);\n zoneCache.set(config.zoneId, live);\n }\n const marker = dnsRecordCommentMarker(tenant, env, config.logicalName);\n const adopted = live.find(\n (r) =>\n r.type === config.type &&\n typeof r.comment === \"string\" &&\n r.comment.startsWith(marker),\n );\n if (!adopted) continue;\n const stateKey = dnsRecordStateKey(config.zoneId, config.type, config.name);\n const ts = new Date().toISOString();\n const entry: DnsRecordStateEntry = {\n type: \"dns_record\",\n logicalName: config.logicalName,\n zoneId: config.zoneId,\n recordType: config.type,\n name: adopted.name,\n content: adopted.content,\n ttl: adopted.ttl ?? 1,\n proxied: adopted.proxied ?? false,\n priority: adopted.priority,\n comment: adopted.comment ?? marker,\n recordId: adopted.id,\n createdAt: state.get(stateKey)?.type === \"dns_record\"\n ? (state.get(stateKey) as DnsRecordStateEntry).createdAt\n : ts,\n updatedAt: ts,\n };\n state.set(stateKey, entry);\n }\n}\n"],"mappings":";;;;AAKA,eAAsB,sBACpB,WACA,QACA,KACA,KACA,OACe;AACf,KAAI,UAAU,WAAW,EAAG;AAC5B,KAAI,QAAQ,QAAS;CAErB,MAAM,OAAO,MAAM,IAAI,0BAA0B;CACjD,MAAM,QAAQ,IAAI,IAAI,KAAK,KAAK,MAAM,EAAE,eAAe,CAAC;AAExD,MAAK,MAAM,UAAU,WAAW;EAC9B,MAAM,WAAW,+BAA+B,QAAQ,KAAK,OAAO;EACpE,MAAM,MAAM,eAAe;AAC3B,MAAI,CAAC,MAAM,IAAI,SAAS,CAAE;AAE1B,QAAM,IAAI,KAAK;GACb,MAAM;GACN,aAAa,OAAO;GACpB,aAAa;GACb,4BAAW,IAAI,MAAM,EAAC,aAAa;GACnC,4BAAW,IAAI,MAAM,EAAC,aAAa;GACpC,CAAC;;;;;;;;;;;;;;;;;;ACJN,eAAsB,cACpB,WACA,QACA,KACA,KACA,OACe;AACf,KAAI,UAAU,WAAW,EAAG;CAC5B,MAAM,aAAa,UAAU,QAAQ,MAAM,sBAAsB,GAAG,IAAI,CAAC;AACzE,KAAI,WAAW,WAAW,EAAG;CAE7B,MAAM,4BAAY,IAAI,KAGnB;AAEH,MAAK,MAAM,UAAU,YAAY;EAC/B,IAAI,OAAO,UAAU,IAAI,OAAO,OAAO;AACvC,MAAI,CAAC,MAAM;AACT,UAAO,MAAM,IAAI,qBAAqB,OAAO,OAAO;AACpD,aAAU,IAAI,OAAO,QAAQ,KAAK;;EAEpC,MAAM,SAAS,uBAAuB,QAAQ,KAAK,OAAO,YAAY;EACtE,MAAM,UAAU,KAAK,MAClB,MACC,EAAE,SAAS,OAAO,QAClB,OAAO,EAAE,YAAY,YACrB,EAAE,QAAQ,WAAW,OAAO,CAC/B;AACD,MAAI,CAAC,QAAS;EACd,MAAM,WAAW,kBAAkB,OAAO,QAAQ,OAAO,MAAM,OAAO,KAAK;EAC3E,MAAM,sBAAK,IAAI,MAAM,EAAC,aAAa;EACnC,MAAMA,QAA6B;GACjC,MAAM;GACN,aAAa,OAAO;GACpB,QAAQ,OAAO;GACf,YAAY,OAAO;GACnB,MAAM,QAAQ;GACd,SAAS,QAAQ;GACjB,KAAK,QAAQ,OAAO;GACpB,SAAS,QAAQ,WAAW;GAC5B,UAAU,QAAQ;GAClB,SAAS,QAAQ,WAAW;GAC5B,UAAU,QAAQ;GAClB,WAAW,MAAM,IAAI,SAAS,EAAE,SAAS,eACpC,MAAM,IAAI,SAAS,CAAyB,YAC7C;GACJ,WAAW;GACZ;AACD,QAAM,IAAI,UAAU,MAAM"}
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { L as CFApiClient, R as cloudflareAccountIdFromEnv, z as cloudflareApiTokenFromEnv } from "./tamer.mjs";
|
|
2
2
|
|
|
3
3
|
//#region src/cli/commands/doctor.ts
|
|
4
4
|
async function runDoctor(options) {
|
|
@@ -31,4 +31,4 @@ async function runDoctor(options) {
|
|
|
31
31
|
|
|
32
32
|
//#endregion
|
|
33
33
|
export { runDoctor };
|
|
34
|
-
//# sourceMappingURL=doctor-
|
|
34
|
+
//# sourceMappingURL=doctor-fm_vGe2C.mjs.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"doctor-
|
|
1
|
+
{"version":3,"file":"doctor-fm_vGe2C.mjs","names":["report: DoctorReport"],"sources":["../src/cli/commands/doctor.ts"],"sourcesContent":["import {\n cloudflareAccountIdFromEnv,\n cloudflareApiTokenFromEnv,\n} from \"../../core/cloudflareEnv.js\";\nimport { CFApiClient } from \"../../core/api/CFApiClient.js\";\n\nexport interface DoctorReport {\n ok: boolean;\n accountIdPresent: boolean;\n apiTokenPresent: boolean;\n accountReadable: boolean;\n error?: string;\n}\n\nexport async function runDoctor(options: { json?: boolean }): Promise<number> {\n const accountId = cloudflareAccountIdFromEnv();\n const token = cloudflareApiTokenFromEnv();\n const report: DoctorReport = {\n ok: false,\n accountIdPresent: !!accountId,\n apiTokenPresent: !!token && token.length > 0,\n accountReadable: false,\n };\n\n if (!accountId || token.length === 0) {\n report.error = \"CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_API_TOKEN must be set\";\n if (options.json) console.log(JSON.stringify(report, null, 2));\n else console.error(report.error);\n return 1;\n }\n\n try {\n const api = new CFApiClient(accountId, token);\n await api.accountRead();\n report.accountReadable = true;\n report.ok = true;\n } catch (err) {\n report.error = err instanceof Error ? err.message : String(err);\n }\n\n if (options.json) {\n console.log(JSON.stringify(report, null, 2));\n } else {\n console.log(\n report.ok\n ? \"doctor: account token can read Cloudflare account API.\"\n : `doctor: failed — ${report.error ?? \"unknown\"}`,\n );\n }\n\n if (!report.ok) {\n return 1;\n }\n return 0;\n}\n"],"mappings":";;;AAcA,eAAsB,UAAU,SAA8C;CAC5E,MAAM,YAAY,4BAA4B;CAC9C,MAAM,QAAQ,2BAA2B;CACzC,MAAMA,SAAuB;EAC3B,IAAI;EACJ,kBAAkB,CAAC,CAAC;EACpB,iBAAiB,CAAC,CAAC,SAAS,MAAM,SAAS;EAC3C,iBAAiB;EAClB;AAED,KAAI,CAAC,aAAa,MAAM,WAAW,GAAG;AACpC,SAAO,QAAQ;AACf,MAAI,QAAQ,KAAM,SAAQ,IAAI,KAAK,UAAU,QAAQ,MAAM,EAAE,CAAC;MACzD,SAAQ,MAAM,OAAO,MAAM;AAChC,SAAO;;AAGT,KAAI;AAEF,QADY,IAAI,YAAY,WAAW,MAAM,CACnC,aAAa;AACvB,SAAO,kBAAkB;AACzB,SAAO,KAAK;UACL,KAAK;AACZ,SAAO,QAAQ,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;;AAGjE,KAAI,QAAQ,KACV,SAAQ,IAAI,KAAK,UAAU,QAAQ,MAAM,EAAE,CAAC;KAE5C,SAAQ,IACN,OAAO,KACH,2DACA,oBAAoB,OAAO,SAAS,YACzC;AAGH,KAAI,CAAC,OAAO,GACV,QAAO;AAET,QAAO"}
|
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
import { f as getDispatchNamespaces, m as getLogpushJobs, p as getDnsRecords } from "./normalize-DVSTRZhO.mjs";
|
|
2
|
-
import { B as
|
|
3
|
-
import { n as resourceModules } from "./registry-
|
|
2
|
+
import { B as getConfigBaseDir, E as mergeWorkerConfigForResourcePick, H as loadConfig, L as CFApiClient, N as effectiveDispatchNamespaceName, O as resolveDeployedWorkerName, R as cloudflareAccountIdFromEnv, V as getWorkers, a as reconcileSecrets, c as vaultReaderFromMap, d as requiredSecretsForWorker, f as fetchStackImports, h as StateManager, o as secretsDrift, u as namingFromConfig, w as stackNameForConfig, y as tenantStateKey } from "./tamer.mjs";
|
|
3
|
+
import { n as resourceModules } from "./registry-BrOxbA2i.mjs";
|
|
4
4
|
import { n as dnsRecordCommentMarker, r as dnsRecordStateKey, t as dnsRecordAppliesToEnv } from "./dns-records.resolve-DV6XBZf3.mjs";
|
|
5
5
|
import { r as logpushJobDrift } from "./logpush-job-GqVKG_HI.mjs";
|
|
6
|
-
import { t as workerRoutesDrift } from "./worker-route-
|
|
7
|
-
import { t as workersDrift } from "./workers-
|
|
6
|
+
import { t as workerRoutesDrift } from "./worker-route-CUQBu9xe.mjs";
|
|
7
|
+
import { t as workersDrift } from "./workers-DWXnZAzG.mjs";
|
|
8
8
|
|
|
9
9
|
//#region src/features/dispatch-namespace/dispatch-namespace.drift.ts
|
|
10
10
|
function dispatchNamespaceDrift(allDispatch, resources, env, tenant, state) {
|
|
@@ -348,4 +348,4 @@ async function buildSecretWorkerInputs(workers, config, env, baseDir, accountId,
|
|
|
348
348
|
|
|
349
349
|
//#endregion
|
|
350
350
|
export { runDrift as n, computeDriftReport as t };
|
|
351
|
-
//# sourceMappingURL=drift-
|
|
351
|
+
//# sourceMappingURL=drift-Ci368_WQ.mjs.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"drift-Bl51ml0_.mjs","names":["drift: ResourceDrift","drift: ResourceDrift","drift: ResourceDrift","byZone: DnsRecordsByZone","out: T[]","REGISTRY_LABELS: Record<string, string>","out: Array<{\n workerKey: string;\n required: string[];\n workerSecretNames: string[];\n }>","workerSecretNames: string[]"],"sources":["../src/features/dispatch-namespace/dispatch-namespace.drift.ts","../src/features/dns-records/dns-records.drift.ts","../src/core/drift/drift.types.ts","../src/core/drift/tenantDrift.ts","../src/cli/commands/drift.ts"],"sourcesContent":["import type {\n DispatchNamespaceResourceConfig,\n DispatchNamespaceStateEntry,\n TenantMeta,\n} from \"../../types.js\";\nimport type { StateManager } from \"../../core/state/StateManager.js\";\nimport type { ResourceDrift } from \"../../core/drift/drift.types.js\";\nimport { effectiveDispatchNamespaceName } from \"./dispatch-namespace.resolve.js\";\n\ninterface CFDispatchNamespace {\n namespace_name: string;\n}\n\nexport function dispatchNamespaceDrift(\n allDispatch: CFDispatchNamespace[],\n resources: DispatchNamespaceResourceConfig[],\n env: string,\n tenant: TenantMeta,\n state: StateManager,\n): ResourceDrift {\n const drift: ResourceDrift = {\n kind: \"dispatch_namespace\",\n missingFromCloudflare: [],\n unrecordedInState: [],\n undeployed: [],\n };\n\n const cfNames = new Set(allDispatch.map((d) => d.namespace_name));\n const allState = state.getAll();\n const nsState = Object.values(allState).filter(\n (e): e is DispatchNamespaceStateEntry => e.type === \"dispatch_namespace\",\n );\n\n for (const config of resources) {\n const derivedName = effectiveDispatchNamespaceName(config, env, tenant);\n const stateEntry = nsState.find(\n (e) => e.logicalName === config.logicalName && e.derivedName === derivedName,\n );\n const onCf = cfNames.has(derivedName);\n\n if (stateEntry && !onCf) {\n drift.missingFromCloudflare.push({\n logicalName: stateEntry.logicalName,\n derivedName: stateEntry.derivedName,\n });\n } else if (onCf && !stateEntry) {\n drift.unrecordedInState.push({\n logicalName: config.logicalName,\n derivedName,\n });\n } else if (!onCf && !stateEntry) {\n drift.undeployed.push({\n logicalName: config.logicalName,\n derivedName,\n });\n }\n }\n\n return drift;\n}\n","import type {\n DnsRecordResourceConfig,\n DnsRecordStateEntry,\n TenantMeta,\n} from \"../../types.js\";\nimport type { StateManager } from \"../../core/state/StateManager.js\";\nimport type { ResourceDrift } from \"../../core/drift/drift.types.js\";\nimport {\n dnsRecordAppliesToEnv,\n dnsRecordCommentMarker,\n dnsRecordStateKey,\n} from \"./dns-records.resolve.js\";\n\ninterface CFDnsRecord {\n id: string;\n type: string;\n name: string;\n content: string;\n ttl?: number;\n proxied?: boolean;\n priority?: number;\n comment?: string | null;\n}\n\n/**\n * Map of `zoneId → live records`. The drift caller pre-fetches because\n * other resource modules also iterate zones (worker routes), so we\n * accept the snapshot rather than refetching here.\n */\nexport type DnsRecordsByZone = Map<string, CFDnsRecord[]>;\n\nexport function dnsRecordDrift(\n byZone: DnsRecordsByZone,\n resources: DnsRecordResourceConfig[],\n tenant: TenantMeta,\n env: string,\n state: StateManager,\n): ResourceDrift {\n const drift: ResourceDrift = {\n kind: \"dns_record\",\n missingFromCloudflare: [],\n unrecordedInState: [],\n undeployed: [],\n };\n\n const stateRecords = Object.values(state.getAll()).filter(\n (e): e is DnsRecordStateEntry => e.type === \"dns_record\",\n );\n\n for (const config of resources) {\n if (!dnsRecordAppliesToEnv(config, env)) continue;\n const live = byZone.get(config.zoneId) ?? [];\n const marker = dnsRecordCommentMarker(tenant, env, config.logicalName);\n const stateKey = dnsRecordStateKey(config.zoneId, config.type, config.name);\n const entry = stateRecords.find(\n (e) =>\n e.zoneId === config.zoneId &&\n e.recordType === config.type &&\n e.logicalName === config.logicalName,\n );\n const onCf = entry\n ? live.find((r) => r.id === entry.recordId)\n : live.find(\n (r) =>\n r.type === config.type &&\n typeof r.comment === \"string\" &&\n r.comment.startsWith(marker),\n );\n\n if (entry && !onCf) {\n drift.missingFromCloudflare.push({\n logicalName: entry.logicalName,\n derivedName: `${entry.recordType} ${entry.name}`,\n cfId: entry.recordId,\n });\n } else if (onCf && !entry) {\n drift.unrecordedInState.push({\n logicalName: config.logicalName,\n derivedName: `${config.type} ${onCf.name}`,\n cfId: onCf.id,\n });\n } else if (!onCf && !entry) {\n drift.undeployed.push({\n logicalName: config.logicalName,\n derivedName: `${config.type} ${config.name}`,\n detail: stateKey,\n });\n }\n }\n\n return drift;\n}\n","/**\n * Read-only drift report comparing recorded state vs. Cloudflare reality vs.\n * the current `tamer.config.ts`.\n */\n\nexport type DriftKind =\n | \"d1\"\n | \"r2\"\n | \"kv\"\n | \"queue\"\n | \"hyperdrive\"\n | \"vectorize\"\n | \"ai_gateway\"\n | \"pipeline\"\n | \"workflow\"\n | \"secret_store\"\n | \"secret\"\n | \"dns_record\"\n | \"dispatch_namespace\"\n | \"logpush_job\"\n | \"tenant\"\n | \"worker_route\"\n | \"worker_script\";\n\nexport interface DriftEntry {\n /** Logical resource name from `tamer.config.ts`. */\n logicalName: string;\n /** Cloudflare-side name (or `(unknown)` when no CF or state side knows it). */\n derivedName: string;\n /** Cloudflare resource ID, when known (D1 uuid, KV id). */\n cfId?: string;\n /** Optional human-readable detail (e.g. shard date). */\n detail?: string;\n}\n\nexport interface ResourceDrift {\n kind: DriftKind;\n /** Tracked in state but no longer present on Cloudflare. */\n missingFromCloudflare: DriftEntry[];\n /**\n * Present on Cloudflare and matches a declared resource in this config,\n * but no state entry tracks it (e.g. created out-of-band).\n */\n unrecordedInState: DriftEntry[];\n /**\n * Declared in this stack's config but neither tracked in state nor present\n * on Cloudflare (run `tamer apply`).\n */\n undeployed: DriftEntry[];\n}\n\nexport interface DriftReport {\n tenantId: string;\n env: string;\n generatedAt: string;\n resources: ResourceDrift[];\n /** True iff any of the three categories has at least one entry. */\n hasDrift: boolean;\n}\n\nexport function resourceDriftIsClean(d: ResourceDrift): boolean {\n return (\n d.missingFromCloudflare.length === 0 &&\n d.unrecordedInState.length === 0 &&\n d.undeployed.length === 0\n );\n}\n\nexport function reportHasDrift(resources: ResourceDrift[]): boolean {\n return resources.some((d) => !resourceDriftIsClean(d));\n}\n","import type { CFApiClient } from \"../api/CFApiClient.js\";\nimport type { StateManager } from \"../state/StateManager.js\";\nimport type { ResourceDrift } from \"./drift.types.js\";\nimport { tenantStateKey } from \"../tenant/tenantKeys.js\";\n\ninterface CFD1 {\n uuid: string;\n name: string;\n}\n\n/**\n * Drift for workspace tenants in {@link CfiState.tenants}: dispatch script and\n * recorded D1 shards must still exist on Cloudflare.\n *\n * `unrecordedInState` / `undeployed` are intentionally empty here — tenant\n * discovery from CF alone is heuristic until product/script naming is fully\n * pinned (`docs/scope-remaining.md` D-1).\n */\nexport async function tenantDrift(\n state: StateManager,\n api: CFApiClient,\n allD1: CFD1[],\n): Promise<ResourceDrift> {\n const drift: ResourceDrift = {\n kind: \"tenant\",\n missingFromCloudflare: [],\n unrecordedInState: [],\n undeployed: [],\n };\n\n const d1ById = new Map(allD1.map((d) => [d.uuid, d.name]));\n const tenants = state\n .listTenants()\n .filter((t) => t.provisioningStatus !== \"tombstoned\");\n if (tenants.length === 0) return drift;\n\n const scriptLists = new Map<string, Set<string>>();\n async function scriptsInNs(ns: string): Promise<Set<string>> {\n let set = scriptLists.get(ns);\n if (!set) {\n const list = await api.dispatchNamespaceScriptList(ns);\n set = new Set(list.map((s) => s.id));\n scriptLists.set(ns, set);\n }\n return set;\n }\n\n for (const t of tenants) {\n const logical = tenantStateKey(t.product, t.workspace);\n try {\n const ids = await scriptsInNs(t.dispatchNamespaceName);\n if (!ids.has(t.scriptName)) {\n drift.missingFromCloudflare.push({\n logicalName: logical,\n derivedName: t.scriptName,\n detail: \"dispatch_script\",\n });\n }\n } catch {\n drift.missingFromCloudflare.push({\n logicalName: logical,\n derivedName: t.dispatchNamespaceName,\n detail: \"dispatch_namespace_list_failed\",\n });\n }\n\n for (const shard of t.d1Shards ?? []) {\n if (!d1ById.has(shard.cfId)) {\n drift.missingFromCloudflare.push({\n logicalName: logical,\n derivedName: shard.derivedName,\n cfId: shard.cfId,\n detail: `d1:${shard.role}`,\n });\n }\n }\n }\n\n return drift;\n}\n","import { loadConfig, getWorkers, getConfigBaseDir } from \"../../core/config/loader.js\";\nimport { cloudflareAccountIdFromEnv } from \"../../core/cloudflareEnv.js\";\nimport { namingFromConfig } from \"../../core/config/namingFromConfig.js\";\nimport { StateManager } from \"../../core/state/StateManager.js\";\nimport { stackNameForConfig } from \"../../core/state/stackName.js\";\nimport { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport { dispatchNamespaceDrift } from \"../../features/dispatch-namespace/index.js\";\nimport {\n dnsRecordDrift,\n type DnsRecordsByZone,\n} from \"../../features/dns-records/index.js\";\nimport { getDispatchNamespaces, getDnsRecords, getLogpushJobs } from \"../../types.js\";\nimport { logpushJobDrift } from \"../../features/logpush-job/index.js\";\nimport type {\n DriftReport,\n ResourceDrift,\n} from \"../../core/drift/drift.types.js\";\nimport { reportHasDrift } from \"../../core/drift/drift.types.js\";\nimport { tenantDrift } from \"../../core/drift/tenantDrift.js\";\nimport { workerRoutesDrift } from \"../../features/worker-route/index.js\";\nimport { workersDrift } from \"../../features/workers/index.js\";\nimport { resourceModules } from \"../../core/registry/registry.js\";\nimport { fetchStackImports } from \"../../core/imports/fetchStackImports.js\";\nimport { mergeWorkerConfigForResourcePick } from \"../../core/config/resolver.js\";\nimport { resolveDeployedWorkerName } from \"../../core/config/resolver.js\";\nimport { requiredSecretsForWorker } from \"../../core/secrets/declared.js\";\nimport {\n reconcileSecrets,\n secretsDrift,\n vaultReaderFromMap,\n type SecretsVaultReader,\n} from \"../../core/secrets/reconcile.js\";\n\n/**\n * Compute a read-only drift report for the given env.\n *\n * Compares Tamer state (D1 `tamer-state-{env}`) against the Cloudflare API\n * and the resources declared in `tamer.config.ts`. Reports three categories:\n *\n * - `missingFromCloudflare` — tracked in state but the CF resource is gone.\n * - `unrecordedInState` — exists on CF and matches a declared resource, but\n * no state entry tracks it (e.g. created out-of-band; run `tamer sync`).\n * - `undeployed` — declared in this stack's config, present in neither\n * state nor CF (run `tamer apply`).\n *\n * Pure: never writes to state. Returns the report so callers can choose how to\n * render or consume it.\n */\nexport async function computeDriftReport(options: {\n env?: string;\n configPath?: string;\n /** Optional vault reader for secret reconciliation (defaults to empty). */\n secretsVault?: SecretsVaultReader;\n}): Promise<DriftReport> {\n const env = options.env ?? \"local\";\n const configPath = options.configPath;\n\n const config = await loadConfig(configPath, { env });\n const baseDir = getConfigBaseDir();\n const accountId = config.account_id ?? cloudflareAccountIdFromEnv();\n if (!accountId) {\n throw new Error(\n \"account_id required in config or CLOUDFLARE_ACCOUNT_ID env var\",\n );\n }\n\n const api = new CFApiClient(accountId);\n const naming = namingFromConfig(config);\n const state = new StateManager(\n config.tenant.id,\n env,\n stackNameForConfig(config),\n );\n await state.hydrate(api);\n // Tolerant pre-fetch keeps drift accurate when worker `tamerRoutes`\n // depend on sibling-stack outputs (otherwise the placeholder pattern\n // would never match anything CF returned).\n const imports = await fetchStackImports(api, config, env).catch(() => ({}));\n\n async function safeList<T>(\n label: string,\n fn: () => Promise<T[]>,\n ): Promise<T[]> {\n try {\n return await fn();\n } catch (err) {\n const msg = err instanceof Error ? err.message : String(err);\n console.warn(`[drift] skipping ${label}: ${msg}`);\n return [];\n }\n }\n\n const lists = await Promise.all(\n resourceModules.map((m) =>\n safeList(`${m.label} list`, () => m.fetchAll(api)),\n ),\n );\n\n const allDispatch =\n getDispatchNamespaces(config).length > 0\n ? await safeList(\"dispatch namespaces\", () =>\n api.dispatchNamespaceListAll(),\n )\n : [];\n\n const allLogpushJobs =\n getLogpushJobs(config).length > 0 && env !== \"local\"\n ? await safeList(\"logpush jobs\", () => api.logpushAccountJobsList())\n : [];\n\n const workers = await getWorkers(config, baseDir);\n\n const aggregated = new Map<string, ResourceDrift>();\n function merge(d: ResourceDrift): void {\n const existing = aggregated.get(d.kind);\n if (!existing) {\n aggregated.set(d.kind, d);\n return;\n }\n existing.missingFromCloudflare.push(...d.missingFromCloudflare);\n existing.unrecordedInState.push(...d.unrecordedInState);\n existing.undeployed.push(...d.undeployed);\n }\n\n for (const [workerKey, workerConfig] of workers) {\n const mergedWorker = mergeWorkerConfigForResourcePick(\n config,\n workerKey,\n workerConfig,\n env,\n accountId,\n naming,\n state,\n { referencesMode: \"tolerant\", imports },\n );\n resourceModules.forEach((mod, i) => {\n const resources = mod.pickResources(mergedWorker);\n if (resources.length === 0) return;\n merge(\n mod.drift({\n resources,\n all: lists[i],\n tenant: config.tenant,\n env,\n api,\n state,\n naming,\n config,\n baseDir,\n }),\n );\n });\n }\n\n const dispatchResources = getDispatchNamespaces(config);\n if (dispatchResources.length > 0) {\n merge(\n dispatchNamespaceDrift(\n allDispatch,\n dispatchResources,\n env,\n config.tenant,\n state,\n ),\n );\n }\n\n const dnsResources = getDnsRecords(config);\n if (dnsResources.length > 0 && env !== \"local\") {\n const byZone: DnsRecordsByZone = new Map();\n const zones = Array.from(new Set(dnsResources.map((r) => r.zoneId)));\n for (const zoneId of zones) {\n const live = await safeList(`dns records (zone ${zoneId})`, () =>\n api.zoneDnsRecordListAll(zoneId),\n );\n byZone.set(zoneId, live);\n }\n merge(dnsRecordDrift(byZone, dnsResources, config.tenant, env, state));\n }\n\n const logpushResources = getLogpushJobs(config);\n if (logpushResources.length > 0 && env !== \"local\") {\n merge(\n logpushJobDrift(\n allLogpushJobs,\n logpushResources,\n env,\n config.tenant,\n state,\n ),\n );\n }\n\n if (state.listTenants().length > 0) {\n const allD1Idx = resourceModules.findIndex((m) => m.kind === \"d1\");\n const allD1 =\n allD1Idx >= 0\n ? (lists[allD1Idx] as Array<{ uuid: string; name: string }>)\n : [];\n merge(await tenantDrift(state, api, allD1));\n }\n\n const workerRouteReport = await workerRoutesDrift(\n env,\n config,\n baseDir,\n accountId,\n naming,\n state,\n api,\n { imports },\n );\n if (workerRouteReport) merge(workerRouteReport);\n\n const workerScriptReport = await workersDrift(\n env,\n config,\n baseDir,\n accountId,\n naming,\n state,\n api,\n { imports },\n );\n if (workerScriptReport) merge(workerScriptReport);\n\n const secretWorkers = await buildSecretWorkerInputs(\n workers,\n config,\n env,\n baseDir,\n accountId,\n naming,\n state,\n api,\n imports,\n );\n if (secretWorkers.length > 0) {\n const secretEntries = await reconcileSecrets({\n workers: secretWorkers,\n vault: options.secretsVault ?? vaultReaderFromMap({}),\n state,\n });\n merge(secretsDrift(secretEntries));\n }\n\n const dedupedResources = Array.from(aggregated.values()).map((d) => ({\n ...d,\n missingFromCloudflare: dedupe(d.missingFromCloudflare),\n unrecordedInState: dedupe(d.unrecordedInState),\n undeployed: dedupe(d.undeployed),\n }));\n\n return {\n tenantId: config.tenant.id,\n env,\n generatedAt: new Date().toISOString(),\n resources: dedupedResources,\n hasDrift: reportHasDrift(dedupedResources),\n };\n}\n\nfunction dedupe<T extends { logicalName: string; derivedName: string }>(\n list: T[],\n): T[] {\n const seen = new Set<string>();\n const out: T[] = [];\n for (const item of list) {\n const key = `${item.logicalName}::${item.derivedName}`;\n if (seen.has(key)) continue;\n seen.add(key);\n out.push(item);\n }\n return out;\n}\n\n/**\n * CLI entry point. Prints a human report (or JSON when `--json`) and sets a\n * non-zero process exit code when drift is found.\n */\nexport async function runDrift(options: {\n env?: string;\n configPath?: string;\n json?: boolean;\n}): Promise<number> {\n const report = await computeDriftReport({\n env: options.env,\n configPath: options.configPath,\n });\n\n if (options.json) {\n console.log(JSON.stringify(report, null, 2));\n } else {\n printHumanReport(report);\n }\n\n return report.hasDrift ? 1 : 0;\n}\n\nfunction printHumanReport(report: DriftReport): void {\n console.log(\n `\\nDrift report — tenant ${report.tenantId}, env ${report.env}\\n`,\n );\n if (report.resources.length === 0) {\n console.log(\" (no managed resource kinds in this config)\\n\");\n return;\n }\n for (const d of report.resources) {\n const total =\n d.missingFromCloudflare.length +\n d.unrecordedInState.length +\n d.undeployed.length;\n console.log(`${labelFor(d.kind)} (${total} drift):`);\n if (total === 0) {\n console.log(\" ok\");\n continue;\n }\n if (d.missingFromCloudflare.length) {\n console.log(\" missing from Cloudflare (state references gone):\");\n for (const e of d.missingFromCloudflare) {\n console.log(` - ${e.logicalName} -> ${e.derivedName}${suffix(e.cfId)}`);\n }\n }\n if (d.unrecordedInState.length) {\n console.log(\" unrecorded in state (run `tamer sync`):\");\n for (const e of d.unrecordedInState) {\n console.log(` - ${e.logicalName} -> ${e.derivedName}${suffix(e.cfId)}`);\n }\n }\n if (d.undeployed.length) {\n console.log(\" undeployed (run `tamer apply`):\");\n for (const e of d.undeployed) {\n console.log(` - ${e.logicalName} -> ${e.derivedName}`);\n }\n }\n }\n console.log(report.hasDrift ? \"\\nDrift detected.\\n\" : \"\\nNo drift.\\n\");\n}\n\nconst REGISTRY_LABELS: Record<string, string> = Object.fromEntries(\n resourceModules.map((m) => [m.kind, m.label]),\n);\n\nfunction labelFor(kind: ResourceDrift[\"kind\"]): string {\n if (REGISTRY_LABELS[kind]) return REGISTRY_LABELS[kind];\n switch (kind) {\n case \"dispatch_namespace\":\n return \"Dispatch namespaces\";\n case \"logpush_job\":\n return \"Logpush jobs\";\n case \"dns_record\":\n return \"DNS records\";\n case \"tenant\":\n return \"Workspace tenants\";\n case \"worker_route\":\n return \"HTTP routes (Workers Routes API)\";\n case \"worker_script\":\n return \"Worker scripts\";\n case \"secret\":\n return \"Worker secrets\";\n default:\n return kind;\n }\n}\n\nfunction suffix(cfId?: string): string {\n return cfId ? ` [${cfId}]` : \"\";\n}\n\nasync function buildSecretWorkerInputs(\n workers: Awaited<ReturnType<typeof getWorkers>>,\n config: Awaited<ReturnType<typeof loadConfig>>,\n env: string,\n baseDir: string,\n accountId: string,\n naming: ReturnType<typeof namingFromConfig>,\n state: StateManager,\n api: CFApiClient,\n imports: Awaited<ReturnType<typeof fetchStackImports>>,\n): Promise<\n Array<{\n workerKey: string;\n required: string[];\n workerSecretNames: string[];\n }>\n> {\n const out: Array<{\n workerKey: string;\n required: string[];\n workerSecretNames: string[];\n }> = [];\n\n for (const [workerKey, workerConfig] of workers) {\n const merged = mergeWorkerConfigForResourcePick(\n config,\n workerKey,\n workerConfig,\n env,\n accountId,\n naming,\n state,\n { referencesMode: \"tolerant\", imports },\n );\n const required = requiredSecretsForWorker(merged);\n if (required.length === 0) continue;\n\n const deployedName = resolveDeployedWorkerName(\n config,\n workerKey,\n workerConfig,\n env,\n naming,\n );\n let workerSecretNames: string[] = [];\n if (env !== \"local\") {\n try {\n workerSecretNames = await api.workersSecretsList(deployedName);\n } catch {\n workerSecretNames = [];\n }\n }\n\n out.push({ workerKey, required, workerSecretNames });\n }\n\n return out;\n}\n"],"mappings":";;;;;;;;;AAaA,SAAgB,uBACd,aACA,WACA,KACA,QACA,OACe;CACf,MAAMA,QAAuB;EAC3B,MAAM;EACN,uBAAuB,EAAE;EACzB,mBAAmB,EAAE;EACrB,YAAY,EAAE;EACf;CAED,MAAM,UAAU,IAAI,IAAI,YAAY,KAAK,MAAM,EAAE,eAAe,CAAC;CACjE,MAAM,WAAW,MAAM,QAAQ;CAC/B,MAAM,UAAU,OAAO,OAAO,SAAS,CAAC,QACrC,MAAwC,EAAE,SAAS,qBACrD;AAED,MAAK,MAAM,UAAU,WAAW;EAC9B,MAAM,cAAc,+BAA+B,QAAQ,KAAK,OAAO;EACvE,MAAM,aAAa,QAAQ,MACxB,MAAM,EAAE,gBAAgB,OAAO,eAAe,EAAE,gBAAgB,YAClE;EACD,MAAM,OAAO,QAAQ,IAAI,YAAY;AAErC,MAAI,cAAc,CAAC,KACjB,OAAM,sBAAsB,KAAK;GAC/B,aAAa,WAAW;GACxB,aAAa,WAAW;GACzB,CAAC;WACO,QAAQ,CAAC,WAClB,OAAM,kBAAkB,KAAK;GAC3B,aAAa,OAAO;GACpB;GACD,CAAC;WACO,CAAC,QAAQ,CAAC,WACnB,OAAM,WAAW,KAAK;GACpB,aAAa,OAAO;GACpB;GACD,CAAC;;AAIN,QAAO;;;;;AC3BT,SAAgB,eACd,QACA,WACA,QACA,KACA,OACe;CACf,MAAMC,QAAuB;EAC3B,MAAM;EACN,uBAAuB,EAAE;EACzB,mBAAmB,EAAE;EACrB,YAAY,EAAE;EACf;CAED,MAAM,eAAe,OAAO,OAAO,MAAM,QAAQ,CAAC,CAAC,QAChD,MAAgC,EAAE,SAAS,aAC7C;AAED,MAAK,MAAM,UAAU,WAAW;AAC9B,MAAI,CAAC,sBAAsB,QAAQ,IAAI,CAAE;EACzC,MAAM,OAAO,OAAO,IAAI,OAAO,OAAO,IAAI,EAAE;EAC5C,MAAM,SAAS,uBAAuB,QAAQ,KAAK,OAAO,YAAY;EACtE,MAAM,WAAW,kBAAkB,OAAO,QAAQ,OAAO,MAAM,OAAO,KAAK;EAC3E,MAAM,QAAQ,aAAa,MACxB,MACC,EAAE,WAAW,OAAO,UACpB,EAAE,eAAe,OAAO,QACxB,EAAE,gBAAgB,OAAO,YAC5B;EACD,MAAM,OAAO,QACT,KAAK,MAAM,MAAM,EAAE,OAAO,MAAM,SAAS,GACzC,KAAK,MACF,MACC,EAAE,SAAS,OAAO,QAClB,OAAO,EAAE,YAAY,YACrB,EAAE,QAAQ,WAAW,OAAO,CAC/B;AAEL,MAAI,SAAS,CAAC,KACZ,OAAM,sBAAsB,KAAK;GAC/B,aAAa,MAAM;GACnB,aAAa,GAAG,MAAM,WAAW,GAAG,MAAM;GAC1C,MAAM,MAAM;GACb,CAAC;WACO,QAAQ,CAAC,MAClB,OAAM,kBAAkB,KAAK;GAC3B,aAAa,OAAO;GACpB,aAAa,GAAG,OAAO,KAAK,GAAG,KAAK;GACpC,MAAM,KAAK;GACZ,CAAC;WACO,CAAC,QAAQ,CAAC,MACnB,OAAM,WAAW,KAAK;GACpB,aAAa,OAAO;GACpB,aAAa,GAAG,OAAO,KAAK,GAAG,OAAO;GACtC,QAAQ;GACT,CAAC;;AAIN,QAAO;;;;;AC9BT,SAAgB,qBAAqB,GAA2B;AAC9D,QACE,EAAE,sBAAsB,WAAW,KACnC,EAAE,kBAAkB,WAAW,KAC/B,EAAE,WAAW,WAAW;;AAI5B,SAAgB,eAAe,WAAqC;AAClE,QAAO,UAAU,MAAM,MAAM,CAAC,qBAAqB,EAAE,CAAC;;;;;;;;;;;;;ACnDxD,eAAsB,YACpB,OACA,KACA,OACwB;CACxB,MAAMC,QAAuB;EAC3B,MAAM;EACN,uBAAuB,EAAE;EACzB,mBAAmB,EAAE;EACrB,YAAY,EAAE;EACf;CAED,MAAM,SAAS,IAAI,IAAI,MAAM,KAAK,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;CAC1D,MAAM,UAAU,MACb,aAAa,CACb,QAAQ,MAAM,EAAE,uBAAuB,aAAa;AACvD,KAAI,QAAQ,WAAW,EAAG,QAAO;CAEjC,MAAM,8BAAc,IAAI,KAA0B;CAClD,eAAe,YAAY,IAAkC;EAC3D,IAAI,MAAM,YAAY,IAAI,GAAG;AAC7B,MAAI,CAAC,KAAK;GACR,MAAM,OAAO,MAAM,IAAI,4BAA4B,GAAG;AACtD,SAAM,IAAI,IAAI,KAAK,KAAK,MAAM,EAAE,GAAG,CAAC;AACpC,eAAY,IAAI,IAAI,IAAI;;AAE1B,SAAO;;AAGT,MAAK,MAAM,KAAK,SAAS;EACvB,MAAM,UAAU,eAAe,EAAE,SAAS,EAAE,UAAU;AACtD,MAAI;AAEF,OAAI,EADQ,MAAM,YAAY,EAAE,sBAAsB,EAC7C,IAAI,EAAE,WAAW,CACxB,OAAM,sBAAsB,KAAK;IAC/B,aAAa;IACb,aAAa,EAAE;IACf,QAAQ;IACT,CAAC;UAEE;AACN,SAAM,sBAAsB,KAAK;IAC/B,aAAa;IACb,aAAa,EAAE;IACf,QAAQ;IACT,CAAC;;AAGJ,OAAK,MAAM,SAAS,EAAE,YAAY,EAAE,CAClC,KAAI,CAAC,OAAO,IAAI,MAAM,KAAK,CACzB,OAAM,sBAAsB,KAAK;GAC/B,aAAa;GACb,aAAa,MAAM;GACnB,MAAM,MAAM;GACZ,QAAQ,MAAM,MAAM;GACrB,CAAC;;AAKR,QAAO;;;;;;;;;;;;;;;;;;;;AC9BT,eAAsB,mBAAmB,SAKhB;CACvB,MAAM,MAAM,QAAQ,OAAO;CAC3B,MAAM,aAAa,QAAQ;CAE3B,MAAM,SAAS,MAAM,WAAW,YAAY,EAAE,KAAK,CAAC;CACpD,MAAM,UAAU,kBAAkB;CAClC,MAAM,YAAY,OAAO,cAAc,4BAA4B;AACnE,KAAI,CAAC,UACH,OAAM,IAAI,MACR,iEACD;CAGH,MAAM,MAAM,IAAI,YAAY,UAAU;CACtC,MAAM,SAAS,iBAAiB,OAAO;CACvC,MAAM,QAAQ,IAAI,aAChB,OAAO,OAAO,IACd,KACA,mBAAmB,OAAO,CAC3B;AACD,OAAM,MAAM,QAAQ,IAAI;CAIxB,MAAM,UAAU,MAAM,kBAAkB,KAAK,QAAQ,IAAI,CAAC,aAAa,EAAE,EAAE;CAE3E,eAAe,SACb,OACA,IACc;AACd,MAAI;AACF,UAAO,MAAM,IAAI;WACV,KAAK;GACZ,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC5D,WAAQ,KAAK,oBAAoB,MAAM,IAAI,MAAM;AACjD,UAAO,EAAE;;;CAIb,MAAM,QAAQ,MAAM,QAAQ,IAC1B,gBAAgB,KAAK,MACnB,SAAS,GAAG,EAAE,MAAM,cAAc,EAAE,SAAS,IAAI,CAAC,CACnD,CACF;CAED,MAAM,cACJ,sBAAsB,OAAO,CAAC,SAAS,IACnC,MAAM,SAAS,6BACb,IAAI,0BAA0B,CAC/B,GACD,EAAE;CAER,MAAM,iBACJ,eAAe,OAAO,CAAC,SAAS,KAAK,QAAQ,UACzC,MAAM,SAAS,sBAAsB,IAAI,wBAAwB,CAAC,GAClE,EAAE;CAER,MAAM,UAAU,MAAM,WAAW,QAAQ,QAAQ;CAEjD,MAAM,6BAAa,IAAI,KAA4B;CACnD,SAAS,MAAM,GAAwB;EACrC,MAAM,WAAW,WAAW,IAAI,EAAE,KAAK;AACvC,MAAI,CAAC,UAAU;AACb,cAAW,IAAI,EAAE,MAAM,EAAE;AACzB;;AAEF,WAAS,sBAAsB,KAAK,GAAG,EAAE,sBAAsB;AAC/D,WAAS,kBAAkB,KAAK,GAAG,EAAE,kBAAkB;AACvD,WAAS,WAAW,KAAK,GAAG,EAAE,WAAW;;AAG3C,MAAK,MAAM,CAAC,WAAW,iBAAiB,SAAS;EAC/C,MAAM,eAAe,iCACnB,QACA,WACA,cACA,KACA,WACA,QACA,OACA;GAAE,gBAAgB;GAAY;GAAS,CACxC;AACD,kBAAgB,SAAS,KAAK,MAAM;GAClC,MAAM,YAAY,IAAI,cAAc,aAAa;AACjD,OAAI,UAAU,WAAW,EAAG;AAC5B,SACE,IAAI,MAAM;IACR;IACA,KAAK,MAAM;IACX,QAAQ,OAAO;IACf;IACA;IACA;IACA;IACA;IACA;IACD,CAAC,CACH;IACD;;CAGJ,MAAM,oBAAoB,sBAAsB,OAAO;AACvD,KAAI,kBAAkB,SAAS,EAC7B,OACE,uBACE,aACA,mBACA,KACA,OAAO,QACP,MACD,CACF;CAGH,MAAM,eAAe,cAAc,OAAO;AAC1C,KAAI,aAAa,SAAS,KAAK,QAAQ,SAAS;EAC9C,MAAMC,yBAA2B,IAAI,KAAK;EAC1C,MAAM,QAAQ,MAAM,KAAK,IAAI,IAAI,aAAa,KAAK,MAAM,EAAE,OAAO,CAAC,CAAC;AACpE,OAAK,MAAM,UAAU,OAAO;GAC1B,MAAM,OAAO,MAAM,SAAS,qBAAqB,OAAO,UACtD,IAAI,qBAAqB,OAAO,CACjC;AACD,UAAO,IAAI,QAAQ,KAAK;;AAE1B,QAAM,eAAe,QAAQ,cAAc,OAAO,QAAQ,KAAK,MAAM,CAAC;;CAGxE,MAAM,mBAAmB,eAAe,OAAO;AAC/C,KAAI,iBAAiB,SAAS,KAAK,QAAQ,QACzC,OACE,gBACE,gBACA,kBACA,KACA,OAAO,QACP,MACD,CACF;AAGH,KAAI,MAAM,aAAa,CAAC,SAAS,GAAG;EAClC,MAAM,WAAW,gBAAgB,WAAW,MAAM,EAAE,SAAS,KAAK;AAKlE,QAAM,MAAM,YAAY,OAAO,KAH7B,YAAY,IACP,MAAM,YACP,EAAE,CACkC,CAAC;;CAG7C,MAAM,oBAAoB,MAAM,kBAC9B,KACA,QACA,SACA,WACA,QACA,OACA,KACA,EAAE,SAAS,CACZ;AACD,KAAI,kBAAmB,OAAM,kBAAkB;CAE/C,MAAM,qBAAqB,MAAM,aAC/B,KACA,QACA,SACA,WACA,QACA,OACA,KACA,EAAE,SAAS,CACZ;AACD,KAAI,mBAAoB,OAAM,mBAAmB;CAEjD,MAAM,gBAAgB,MAAM,wBAC1B,SACA,QACA,KACA,SACA,WACA,QACA,OACA,KACA,QACD;AACD,KAAI,cAAc,SAAS,EAMzB,OAAM,aALgB,MAAM,iBAAiB;EAC3C,SAAS;EACT,OAAO,QAAQ,gBAAgB,mBAAmB,EAAE,CAAC;EACrD;EACD,CAAC,CAC+B,CAAC;CAGpC,MAAM,mBAAmB,MAAM,KAAK,WAAW,QAAQ,CAAC,CAAC,KAAK,OAAO;EACnE,GAAG;EACH,uBAAuB,OAAO,EAAE,sBAAsB;EACtD,mBAAmB,OAAO,EAAE,kBAAkB;EAC9C,YAAY,OAAO,EAAE,WAAW;EACjC,EAAE;AAEH,QAAO;EACL,UAAU,OAAO,OAAO;EACxB;EACA,8BAAa,IAAI,MAAM,EAAC,aAAa;EACrC,WAAW;EACX,UAAU,eAAe,iBAAiB;EAC3C;;AAGH,SAAS,OACP,MACK;CACL,MAAM,uBAAO,IAAI,KAAa;CAC9B,MAAMC,MAAW,EAAE;AACnB,MAAK,MAAM,QAAQ,MAAM;EACvB,MAAM,MAAM,GAAG,KAAK,YAAY,IAAI,KAAK;AACzC,MAAI,KAAK,IAAI,IAAI,CAAE;AACnB,OAAK,IAAI,IAAI;AACb,MAAI,KAAK,KAAK;;AAEhB,QAAO;;;;;;AAOT,eAAsB,SAAS,SAIX;CAClB,MAAM,SAAS,MAAM,mBAAmB;EACtC,KAAK,QAAQ;EACb,YAAY,QAAQ;EACrB,CAAC;AAEF,KAAI,QAAQ,KACV,SAAQ,IAAI,KAAK,UAAU,QAAQ,MAAM,EAAE,CAAC;KAE5C,kBAAiB,OAAO;AAG1B,QAAO,OAAO,WAAW,IAAI;;AAG/B,SAAS,iBAAiB,QAA2B;AACnD,SAAQ,IACN,2BAA2B,OAAO,SAAS,QAAQ,OAAO,IAAI,IAC/D;AACD,KAAI,OAAO,UAAU,WAAW,GAAG;AACjC,UAAQ,IAAI,iDAAiD;AAC7D;;AAEF,MAAK,MAAM,KAAK,OAAO,WAAW;EAChC,MAAM,QACJ,EAAE,sBAAsB,SACxB,EAAE,kBAAkB,SACpB,EAAE,WAAW;AACf,UAAQ,IAAI,GAAG,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,UAAU;AACpD,MAAI,UAAU,GAAG;AACf,WAAQ,IAAI,OAAO;AACnB;;AAEF,MAAI,EAAE,sBAAsB,QAAQ;AAClC,WAAQ,IAAI,qDAAqD;AACjE,QAAK,MAAM,KAAK,EAAE,sBAChB,SAAQ,IAAI,SAAS,EAAE,YAAY,MAAM,EAAE,cAAc,OAAO,EAAE,KAAK,GAAG;;AAG9E,MAAI,EAAE,kBAAkB,QAAQ;AAC9B,WAAQ,IAAI,4CAA4C;AACxD,QAAK,MAAM,KAAK,EAAE,kBAChB,SAAQ,IAAI,SAAS,EAAE,YAAY,MAAM,EAAE,cAAc,OAAO,EAAE,KAAK,GAAG;;AAG9E,MAAI,EAAE,WAAW,QAAQ;AACvB,WAAQ,IAAI,oCAAoC;AAChD,QAAK,MAAM,KAAK,EAAE,WAChB,SAAQ,IAAI,SAAS,EAAE,YAAY,MAAM,EAAE,cAAc;;;AAI/D,SAAQ,IAAI,OAAO,WAAW,wBAAwB,gBAAgB;;AAGxE,MAAMC,kBAA0C,OAAO,YACrD,gBAAgB,KAAK,MAAM,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,CAC9C;AAED,SAAS,SAAS,MAAqC;AACrD,KAAI,gBAAgB,MAAO,QAAO,gBAAgB;AAClD,SAAQ,MAAR;EACE,KAAK,qBACH,QAAO;EACT,KAAK,cACH,QAAO;EACT,KAAK,aACH,QAAO;EACT,KAAK,SACH,QAAO;EACT,KAAK,eACH,QAAO;EACT,KAAK,gBACH,QAAO;EACT,KAAK,SACH,QAAO;EACT,QACE,QAAO;;;AAIb,SAAS,OAAO,MAAuB;AACrC,QAAO,OAAO,KAAK,KAAK,KAAK;;AAG/B,eAAe,wBACb,SACA,QACA,KACA,SACA,WACA,QACA,OACA,KACA,SAOA;CACA,MAAMC,MAID,EAAE;AAEP,MAAK,MAAM,CAAC,WAAW,iBAAiB,SAAS;EAW/C,MAAM,WAAW,yBAVF,iCACb,QACA,WACA,cACA,KACA,WACA,QACA,OACA;GAAE,gBAAgB;GAAY;GAAS,CACxC,CACgD;AACjD,MAAI,SAAS,WAAW,EAAG;EAE3B,MAAM,eAAe,0BACnB,QACA,WACA,cACA,KACA,OACD;EACD,IAAIC,oBAA8B,EAAE;AACpC,MAAI,QAAQ,QACV,KAAI;AACF,uBAAoB,MAAM,IAAI,mBAAmB,aAAa;UACxD;AACN,uBAAoB,EAAE;;AAI1B,MAAI,KAAK;GAAE;GAAW;GAAU;GAAmB,CAAC;;AAGtD,QAAO"}
|
|
1
|
+
{"version":3,"file":"drift-Ci368_WQ.mjs","names":["drift: ResourceDrift","drift: ResourceDrift","drift: ResourceDrift","byZone: DnsRecordsByZone","out: T[]","REGISTRY_LABELS: Record<string, string>","out: Array<{\n workerKey: string;\n required: string[];\n workerSecretNames: string[];\n }>","workerSecretNames: string[]"],"sources":["../src/features/dispatch-namespace/dispatch-namespace.drift.ts","../src/features/dns-records/dns-records.drift.ts","../src/core/drift/drift.types.ts","../src/core/drift/tenantDrift.ts","../src/cli/commands/drift.ts"],"sourcesContent":["import type {\n DispatchNamespaceResourceConfig,\n DispatchNamespaceStateEntry,\n TenantMeta,\n} from \"../../types.js\";\nimport type { StateManager } from \"../../core/state/StateManager.js\";\nimport type { ResourceDrift } from \"../../core/drift/drift.types.js\";\nimport { effectiveDispatchNamespaceName } from \"./dispatch-namespace.resolve.js\";\n\ninterface CFDispatchNamespace {\n namespace_name: string;\n}\n\nexport function dispatchNamespaceDrift(\n allDispatch: CFDispatchNamespace[],\n resources: DispatchNamespaceResourceConfig[],\n env: string,\n tenant: TenantMeta,\n state: StateManager,\n): ResourceDrift {\n const drift: ResourceDrift = {\n kind: \"dispatch_namespace\",\n missingFromCloudflare: [],\n unrecordedInState: [],\n undeployed: [],\n };\n\n const cfNames = new Set(allDispatch.map((d) => d.namespace_name));\n const allState = state.getAll();\n const nsState = Object.values(allState).filter(\n (e): e is DispatchNamespaceStateEntry => e.type === \"dispatch_namespace\",\n );\n\n for (const config of resources) {\n const derivedName = effectiveDispatchNamespaceName(config, env, tenant);\n const stateEntry = nsState.find(\n (e) => e.logicalName === config.logicalName && e.derivedName === derivedName,\n );\n const onCf = cfNames.has(derivedName);\n\n if (stateEntry && !onCf) {\n drift.missingFromCloudflare.push({\n logicalName: stateEntry.logicalName,\n derivedName: stateEntry.derivedName,\n });\n } else if (onCf && !stateEntry) {\n drift.unrecordedInState.push({\n logicalName: config.logicalName,\n derivedName,\n });\n } else if (!onCf && !stateEntry) {\n drift.undeployed.push({\n logicalName: config.logicalName,\n derivedName,\n });\n }\n }\n\n return drift;\n}\n","import type {\n DnsRecordResourceConfig,\n DnsRecordStateEntry,\n TenantMeta,\n} from \"../../types.js\";\nimport type { StateManager } from \"../../core/state/StateManager.js\";\nimport type { ResourceDrift } from \"../../core/drift/drift.types.js\";\nimport {\n dnsRecordAppliesToEnv,\n dnsRecordCommentMarker,\n dnsRecordStateKey,\n} from \"./dns-records.resolve.js\";\n\ninterface CFDnsRecord {\n id: string;\n type: string;\n name: string;\n content: string;\n ttl?: number;\n proxied?: boolean;\n priority?: number;\n comment?: string | null;\n}\n\n/**\n * Map of `zoneId → live records`. The drift caller pre-fetches because\n * other resource modules also iterate zones (worker routes), so we\n * accept the snapshot rather than refetching here.\n */\nexport type DnsRecordsByZone = Map<string, CFDnsRecord[]>;\n\nexport function dnsRecordDrift(\n byZone: DnsRecordsByZone,\n resources: DnsRecordResourceConfig[],\n tenant: TenantMeta,\n env: string,\n state: StateManager,\n): ResourceDrift {\n const drift: ResourceDrift = {\n kind: \"dns_record\",\n missingFromCloudflare: [],\n unrecordedInState: [],\n undeployed: [],\n };\n\n const stateRecords = Object.values(state.getAll()).filter(\n (e): e is DnsRecordStateEntry => e.type === \"dns_record\",\n );\n\n for (const config of resources) {\n if (!dnsRecordAppliesToEnv(config, env)) continue;\n const live = byZone.get(config.zoneId) ?? [];\n const marker = dnsRecordCommentMarker(tenant, env, config.logicalName);\n const stateKey = dnsRecordStateKey(config.zoneId, config.type, config.name);\n const entry = stateRecords.find(\n (e) =>\n e.zoneId === config.zoneId &&\n e.recordType === config.type &&\n e.logicalName === config.logicalName,\n );\n const onCf = entry\n ? live.find((r) => r.id === entry.recordId)\n : live.find(\n (r) =>\n r.type === config.type &&\n typeof r.comment === \"string\" &&\n r.comment.startsWith(marker),\n );\n\n if (entry && !onCf) {\n drift.missingFromCloudflare.push({\n logicalName: entry.logicalName,\n derivedName: `${entry.recordType} ${entry.name}`,\n cfId: entry.recordId,\n });\n } else if (onCf && !entry) {\n drift.unrecordedInState.push({\n logicalName: config.logicalName,\n derivedName: `${config.type} ${onCf.name}`,\n cfId: onCf.id,\n });\n } else if (!onCf && !entry) {\n drift.undeployed.push({\n logicalName: config.logicalName,\n derivedName: `${config.type} ${config.name}`,\n detail: stateKey,\n });\n }\n }\n\n return drift;\n}\n","/**\n * Read-only drift report comparing recorded state vs. Cloudflare reality vs.\n * the current `tamer.config.ts`.\n */\n\nexport type DriftKind =\n | \"d1\"\n | \"r2\"\n | \"kv\"\n | \"queue\"\n | \"hyperdrive\"\n | \"vectorize\"\n | \"ai_gateway\"\n | \"pipeline\"\n | \"workflow\"\n | \"secret_store\"\n | \"secret\"\n | \"dns_record\"\n | \"dispatch_namespace\"\n | \"logpush_job\"\n | \"tenant\"\n | \"worker_route\"\n | \"worker_script\";\n\nexport interface DriftEntry {\n /** Logical resource name from `tamer.config.ts`. */\n logicalName: string;\n /** Cloudflare-side name (or `(unknown)` when no CF or state side knows it). */\n derivedName: string;\n /** Cloudflare resource ID, when known (D1 uuid, KV id). */\n cfId?: string;\n /** Optional human-readable detail (e.g. shard date). */\n detail?: string;\n}\n\nexport interface ResourceDrift {\n kind: DriftKind;\n /** Tracked in state but no longer present on Cloudflare. */\n missingFromCloudflare: DriftEntry[];\n /**\n * Present on Cloudflare and matches a declared resource in this config,\n * but no state entry tracks it (e.g. created out-of-band).\n */\n unrecordedInState: DriftEntry[];\n /**\n * Declared in this stack's config but neither tracked in state nor present\n * on Cloudflare (run `tamer apply`).\n */\n undeployed: DriftEntry[];\n}\n\nexport interface DriftReport {\n tenantId: string;\n env: string;\n generatedAt: string;\n resources: ResourceDrift[];\n /** True iff any of the three categories has at least one entry. */\n hasDrift: boolean;\n}\n\nexport function resourceDriftIsClean(d: ResourceDrift): boolean {\n return (\n d.missingFromCloudflare.length === 0 &&\n d.unrecordedInState.length === 0 &&\n d.undeployed.length === 0\n );\n}\n\nexport function reportHasDrift(resources: ResourceDrift[]): boolean {\n return resources.some((d) => !resourceDriftIsClean(d));\n}\n","import type { CFApiClient } from \"../api/CFApiClient.js\";\nimport type { StateManager } from \"../state/StateManager.js\";\nimport type { ResourceDrift } from \"./drift.types.js\";\nimport { tenantStateKey } from \"../tenant/tenantKeys.js\";\n\ninterface CFD1 {\n uuid: string;\n name: string;\n}\n\n/**\n * Drift for workspace tenants in {@link CfiState.tenants}: dispatch script and\n * recorded D1 shards must still exist on Cloudflare.\n *\n * `unrecordedInState` / `undeployed` are intentionally empty here — tenant\n * discovery from CF alone is heuristic until product/script naming is fully\n * pinned (`docs/scope-remaining.md` D-1).\n */\nexport async function tenantDrift(\n state: StateManager,\n api: CFApiClient,\n allD1: CFD1[],\n): Promise<ResourceDrift> {\n const drift: ResourceDrift = {\n kind: \"tenant\",\n missingFromCloudflare: [],\n unrecordedInState: [],\n undeployed: [],\n };\n\n const d1ById = new Map(allD1.map((d) => [d.uuid, d.name]));\n const tenants = state\n .listTenants()\n .filter((t) => t.provisioningStatus !== \"tombstoned\");\n if (tenants.length === 0) return drift;\n\n const scriptLists = new Map<string, Set<string>>();\n async function scriptsInNs(ns: string): Promise<Set<string>> {\n let set = scriptLists.get(ns);\n if (!set) {\n const list = await api.dispatchNamespaceScriptList(ns);\n set = new Set(list.map((s) => s.id));\n scriptLists.set(ns, set);\n }\n return set;\n }\n\n for (const t of tenants) {\n const logical = tenantStateKey(t.product, t.workspace);\n try {\n const ids = await scriptsInNs(t.dispatchNamespaceName);\n if (!ids.has(t.scriptName)) {\n drift.missingFromCloudflare.push({\n logicalName: logical,\n derivedName: t.scriptName,\n detail: \"dispatch_script\",\n });\n }\n } catch {\n drift.missingFromCloudflare.push({\n logicalName: logical,\n derivedName: t.dispatchNamespaceName,\n detail: \"dispatch_namespace_list_failed\",\n });\n }\n\n for (const shard of t.d1Shards ?? []) {\n if (!d1ById.has(shard.cfId)) {\n drift.missingFromCloudflare.push({\n logicalName: logical,\n derivedName: shard.derivedName,\n cfId: shard.cfId,\n detail: `d1:${shard.role}`,\n });\n }\n }\n }\n\n return drift;\n}\n","import { loadConfig, getWorkers, getConfigBaseDir } from \"../../core/config/loader.js\";\nimport { cloudflareAccountIdFromEnv } from \"../../core/cloudflareEnv.js\";\nimport { namingFromConfig } from \"../../core/config/namingFromConfig.js\";\nimport { StateManager } from \"../../core/state/StateManager.js\";\nimport { stackNameForConfig } from \"../../core/state/stackName.js\";\nimport { CFApiClient } from \"../../core/api/CFApiClient.js\";\nimport { dispatchNamespaceDrift } from \"../../features/dispatch-namespace/index.js\";\nimport {\n dnsRecordDrift,\n type DnsRecordsByZone,\n} from \"../../features/dns-records/index.js\";\nimport { getDispatchNamespaces, getDnsRecords, getLogpushJobs } from \"../../types.js\";\nimport { logpushJobDrift } from \"../../features/logpush-job/index.js\";\nimport type {\n DriftReport,\n ResourceDrift,\n} from \"../../core/drift/drift.types.js\";\nimport { reportHasDrift } from \"../../core/drift/drift.types.js\";\nimport { tenantDrift } from \"../../core/drift/tenantDrift.js\";\nimport { workerRoutesDrift } from \"../../features/worker-route/index.js\";\nimport { workersDrift } from \"../../features/workers/index.js\";\nimport { resourceModules } from \"../../core/registry/registry.js\";\nimport { fetchStackImports } from \"../../core/imports/fetchStackImports.js\";\nimport { mergeWorkerConfigForResourcePick } from \"../../core/config/resolver.js\";\nimport { resolveDeployedWorkerName } from \"../../core/config/resolver.js\";\nimport { requiredSecretsForWorker } from \"../../core/secrets/declared.js\";\nimport {\n reconcileSecrets,\n secretsDrift,\n vaultReaderFromMap,\n type SecretsVaultReader,\n} from \"../../core/secrets/reconcile.js\";\n\n/**\n * Compute a read-only drift report for the given env.\n *\n * Compares Tamer state (D1 `tamer-state-{env}`) against the Cloudflare API\n * and the resources declared in `tamer.config.ts`. Reports three categories:\n *\n * - `missingFromCloudflare` — tracked in state but the CF resource is gone.\n * - `unrecordedInState` — exists on CF and matches a declared resource, but\n * no state entry tracks it (e.g. created out-of-band; run `tamer sync`).\n * - `undeployed` — declared in this stack's config, present in neither\n * state nor CF (run `tamer apply`).\n *\n * Pure: never writes to state. Returns the report so callers can choose how to\n * render or consume it.\n */\nexport async function computeDriftReport(options: {\n env?: string;\n configPath?: string;\n /** Optional vault reader for secret reconciliation (defaults to empty). */\n secretsVault?: SecretsVaultReader;\n}): Promise<DriftReport> {\n const env = options.env ?? \"local\";\n const configPath = options.configPath;\n\n const config = await loadConfig(configPath, { env });\n const baseDir = getConfigBaseDir();\n const accountId = config.account_id ?? cloudflareAccountIdFromEnv();\n if (!accountId) {\n throw new Error(\n \"account_id required in config or CLOUDFLARE_ACCOUNT_ID env var\",\n );\n }\n\n const api = new CFApiClient(accountId);\n const naming = namingFromConfig(config);\n const state = new StateManager(\n config.tenant.id,\n env,\n stackNameForConfig(config),\n );\n await state.hydrate(api);\n // Tolerant pre-fetch keeps drift accurate when worker `tamerRoutes`\n // depend on sibling-stack outputs (otherwise the placeholder pattern\n // would never match anything CF returned).\n const imports = await fetchStackImports(api, config, env).catch(() => ({}));\n\n async function safeList<T>(\n label: string,\n fn: () => Promise<T[]>,\n ): Promise<T[]> {\n try {\n return await fn();\n } catch (err) {\n const msg = err instanceof Error ? err.message : String(err);\n console.warn(`[drift] skipping ${label}: ${msg}`);\n return [];\n }\n }\n\n const lists = await Promise.all(\n resourceModules.map((m) =>\n safeList(`${m.label} list`, () => m.fetchAll(api)),\n ),\n );\n\n const allDispatch =\n getDispatchNamespaces(config).length > 0\n ? await safeList(\"dispatch namespaces\", () =>\n api.dispatchNamespaceListAll(),\n )\n : [];\n\n const allLogpushJobs =\n getLogpushJobs(config).length > 0 && env !== \"local\"\n ? await safeList(\"logpush jobs\", () => api.logpushAccountJobsList())\n : [];\n\n const workers = await getWorkers(config, baseDir);\n\n const aggregated = new Map<string, ResourceDrift>();\n function merge(d: ResourceDrift): void {\n const existing = aggregated.get(d.kind);\n if (!existing) {\n aggregated.set(d.kind, d);\n return;\n }\n existing.missingFromCloudflare.push(...d.missingFromCloudflare);\n existing.unrecordedInState.push(...d.unrecordedInState);\n existing.undeployed.push(...d.undeployed);\n }\n\n for (const [workerKey, workerConfig] of workers) {\n const mergedWorker = mergeWorkerConfigForResourcePick(\n config,\n workerKey,\n workerConfig,\n env,\n accountId,\n naming,\n state,\n { referencesMode: \"tolerant\", imports },\n );\n resourceModules.forEach((mod, i) => {\n const resources = mod.pickResources(mergedWorker);\n if (resources.length === 0) return;\n merge(\n mod.drift({\n resources,\n all: lists[i],\n tenant: config.tenant,\n env,\n api,\n state,\n naming,\n config,\n baseDir,\n }),\n );\n });\n }\n\n const dispatchResources = getDispatchNamespaces(config);\n if (dispatchResources.length > 0) {\n merge(\n dispatchNamespaceDrift(\n allDispatch,\n dispatchResources,\n env,\n config.tenant,\n state,\n ),\n );\n }\n\n const dnsResources = getDnsRecords(config);\n if (dnsResources.length > 0 && env !== \"local\") {\n const byZone: DnsRecordsByZone = new Map();\n const zones = Array.from(new Set(dnsResources.map((r) => r.zoneId)));\n for (const zoneId of zones) {\n const live = await safeList(`dns records (zone ${zoneId})`, () =>\n api.zoneDnsRecordListAll(zoneId),\n );\n byZone.set(zoneId, live);\n }\n merge(dnsRecordDrift(byZone, dnsResources, config.tenant, env, state));\n }\n\n const logpushResources = getLogpushJobs(config);\n if (logpushResources.length > 0 && env !== \"local\") {\n merge(\n logpushJobDrift(\n allLogpushJobs,\n logpushResources,\n env,\n config.tenant,\n state,\n ),\n );\n }\n\n if (state.listTenants().length > 0) {\n const allD1Idx = resourceModules.findIndex((m) => m.kind === \"d1\");\n const allD1 =\n allD1Idx >= 0\n ? (lists[allD1Idx] as Array<{ uuid: string; name: string }>)\n : [];\n merge(await tenantDrift(state, api, allD1));\n }\n\n const workerRouteReport = await workerRoutesDrift(\n env,\n config,\n baseDir,\n accountId,\n naming,\n state,\n api,\n { imports },\n );\n if (workerRouteReport) merge(workerRouteReport);\n\n const workerScriptReport = await workersDrift(\n env,\n config,\n baseDir,\n accountId,\n naming,\n state,\n api,\n { imports },\n );\n if (workerScriptReport) merge(workerScriptReport);\n\n const secretWorkers = await buildSecretWorkerInputs(\n workers,\n config,\n env,\n baseDir,\n accountId,\n naming,\n state,\n api,\n imports,\n );\n if (secretWorkers.length > 0) {\n const secretEntries = await reconcileSecrets({\n workers: secretWorkers,\n vault: options.secretsVault ?? vaultReaderFromMap({}),\n state,\n });\n merge(secretsDrift(secretEntries));\n }\n\n const dedupedResources = Array.from(aggregated.values()).map((d) => ({\n ...d,\n missingFromCloudflare: dedupe(d.missingFromCloudflare),\n unrecordedInState: dedupe(d.unrecordedInState),\n undeployed: dedupe(d.undeployed),\n }));\n\n return {\n tenantId: config.tenant.id,\n env,\n generatedAt: new Date().toISOString(),\n resources: dedupedResources,\n hasDrift: reportHasDrift(dedupedResources),\n };\n}\n\nfunction dedupe<T extends { logicalName: string; derivedName: string }>(\n list: T[],\n): T[] {\n const seen = new Set<string>();\n const out: T[] = [];\n for (const item of list) {\n const key = `${item.logicalName}::${item.derivedName}`;\n if (seen.has(key)) continue;\n seen.add(key);\n out.push(item);\n }\n return out;\n}\n\n/**\n * CLI entry point. Prints a human report (or JSON when `--json`) and sets a\n * non-zero process exit code when drift is found.\n */\nexport async function runDrift(options: {\n env?: string;\n configPath?: string;\n json?: boolean;\n}): Promise<number> {\n const report = await computeDriftReport({\n env: options.env,\n configPath: options.configPath,\n });\n\n if (options.json) {\n console.log(JSON.stringify(report, null, 2));\n } else {\n printHumanReport(report);\n }\n\n return report.hasDrift ? 1 : 0;\n}\n\nfunction printHumanReport(report: DriftReport): void {\n console.log(\n `\\nDrift report — tenant ${report.tenantId}, env ${report.env}\\n`,\n );\n if (report.resources.length === 0) {\n console.log(\" (no managed resource kinds in this config)\\n\");\n return;\n }\n for (const d of report.resources) {\n const total =\n d.missingFromCloudflare.length +\n d.unrecordedInState.length +\n d.undeployed.length;\n console.log(`${labelFor(d.kind)} (${total} drift):`);\n if (total === 0) {\n console.log(\" ok\");\n continue;\n }\n if (d.missingFromCloudflare.length) {\n console.log(\" missing from Cloudflare (state references gone):\");\n for (const e of d.missingFromCloudflare) {\n console.log(` - ${e.logicalName} -> ${e.derivedName}${suffix(e.cfId)}`);\n }\n }\n if (d.unrecordedInState.length) {\n console.log(\" unrecorded in state (run `tamer sync`):\");\n for (const e of d.unrecordedInState) {\n console.log(` - ${e.logicalName} -> ${e.derivedName}${suffix(e.cfId)}`);\n }\n }\n if (d.undeployed.length) {\n console.log(\" undeployed (run `tamer apply`):\");\n for (const e of d.undeployed) {\n console.log(` - ${e.logicalName} -> ${e.derivedName}`);\n }\n }\n }\n console.log(report.hasDrift ? \"\\nDrift detected.\\n\" : \"\\nNo drift.\\n\");\n}\n\nconst REGISTRY_LABELS: Record<string, string> = Object.fromEntries(\n resourceModules.map((m) => [m.kind, m.label]),\n);\n\nfunction labelFor(kind: ResourceDrift[\"kind\"]): string {\n if (REGISTRY_LABELS[kind]) return REGISTRY_LABELS[kind];\n switch (kind) {\n case \"dispatch_namespace\":\n return \"Dispatch namespaces\";\n case \"logpush_job\":\n return \"Logpush jobs\";\n case \"dns_record\":\n return \"DNS records\";\n case \"tenant\":\n return \"Workspace tenants\";\n case \"worker_route\":\n return \"HTTP routes (Workers Routes API)\";\n case \"worker_script\":\n return \"Worker scripts\";\n case \"secret\":\n return \"Worker secrets\";\n default:\n return kind;\n }\n}\n\nfunction suffix(cfId?: string): string {\n return cfId ? ` [${cfId}]` : \"\";\n}\n\nasync function buildSecretWorkerInputs(\n workers: Awaited<ReturnType<typeof getWorkers>>,\n config: Awaited<ReturnType<typeof loadConfig>>,\n env: string,\n baseDir: string,\n accountId: string,\n naming: ReturnType<typeof namingFromConfig>,\n state: StateManager,\n api: CFApiClient,\n imports: Awaited<ReturnType<typeof fetchStackImports>>,\n): Promise<\n Array<{\n workerKey: string;\n required: string[];\n workerSecretNames: string[];\n }>\n> {\n const out: Array<{\n workerKey: string;\n required: string[];\n workerSecretNames: string[];\n }> = [];\n\n for (const [workerKey, workerConfig] of workers) {\n const merged = mergeWorkerConfigForResourcePick(\n config,\n workerKey,\n workerConfig,\n env,\n accountId,\n naming,\n state,\n { referencesMode: \"tolerant\", imports },\n );\n const required = requiredSecretsForWorker(merged);\n if (required.length === 0) continue;\n\n const deployedName = resolveDeployedWorkerName(\n config,\n workerKey,\n workerConfig,\n env,\n naming,\n );\n let workerSecretNames: string[] = [];\n if (env !== \"local\") {\n try {\n workerSecretNames = await api.workersSecretsList(deployedName);\n } catch {\n workerSecretNames = [];\n }\n }\n\n out.push({ workerKey, required, workerSecretNames });\n }\n\n return out;\n}\n"],"mappings":";;;;;;;;;AAaA,SAAgB,uBACd,aACA,WACA,KACA,QACA,OACe;CACf,MAAMA,QAAuB;EAC3B,MAAM;EACN,uBAAuB,EAAE;EACzB,mBAAmB,EAAE;EACrB,YAAY,EAAE;EACf;CAED,MAAM,UAAU,IAAI,IAAI,YAAY,KAAK,MAAM,EAAE,eAAe,CAAC;CACjE,MAAM,WAAW,MAAM,QAAQ;CAC/B,MAAM,UAAU,OAAO,OAAO,SAAS,CAAC,QACrC,MAAwC,EAAE,SAAS,qBACrD;AAED,MAAK,MAAM,UAAU,WAAW;EAC9B,MAAM,cAAc,+BAA+B,QAAQ,KAAK,OAAO;EACvE,MAAM,aAAa,QAAQ,MACxB,MAAM,EAAE,gBAAgB,OAAO,eAAe,EAAE,gBAAgB,YAClE;EACD,MAAM,OAAO,QAAQ,IAAI,YAAY;AAErC,MAAI,cAAc,CAAC,KACjB,OAAM,sBAAsB,KAAK;GAC/B,aAAa,WAAW;GACxB,aAAa,WAAW;GACzB,CAAC;WACO,QAAQ,CAAC,WAClB,OAAM,kBAAkB,KAAK;GAC3B,aAAa,OAAO;GACpB;GACD,CAAC;WACO,CAAC,QAAQ,CAAC,WACnB,OAAM,WAAW,KAAK;GACpB,aAAa,OAAO;GACpB;GACD,CAAC;;AAIN,QAAO;;;;;AC3BT,SAAgB,eACd,QACA,WACA,QACA,KACA,OACe;CACf,MAAMC,QAAuB;EAC3B,MAAM;EACN,uBAAuB,EAAE;EACzB,mBAAmB,EAAE;EACrB,YAAY,EAAE;EACf;CAED,MAAM,eAAe,OAAO,OAAO,MAAM,QAAQ,CAAC,CAAC,QAChD,MAAgC,EAAE,SAAS,aAC7C;AAED,MAAK,MAAM,UAAU,WAAW;AAC9B,MAAI,CAAC,sBAAsB,QAAQ,IAAI,CAAE;EACzC,MAAM,OAAO,OAAO,IAAI,OAAO,OAAO,IAAI,EAAE;EAC5C,MAAM,SAAS,uBAAuB,QAAQ,KAAK,OAAO,YAAY;EACtE,MAAM,WAAW,kBAAkB,OAAO,QAAQ,OAAO,MAAM,OAAO,KAAK;EAC3E,MAAM,QAAQ,aAAa,MACxB,MACC,EAAE,WAAW,OAAO,UACpB,EAAE,eAAe,OAAO,QACxB,EAAE,gBAAgB,OAAO,YAC5B;EACD,MAAM,OAAO,QACT,KAAK,MAAM,MAAM,EAAE,OAAO,MAAM,SAAS,GACzC,KAAK,MACF,MACC,EAAE,SAAS,OAAO,QAClB,OAAO,EAAE,YAAY,YACrB,EAAE,QAAQ,WAAW,OAAO,CAC/B;AAEL,MAAI,SAAS,CAAC,KACZ,OAAM,sBAAsB,KAAK;GAC/B,aAAa,MAAM;GACnB,aAAa,GAAG,MAAM,WAAW,GAAG,MAAM;GAC1C,MAAM,MAAM;GACb,CAAC;WACO,QAAQ,CAAC,MAClB,OAAM,kBAAkB,KAAK;GAC3B,aAAa,OAAO;GACpB,aAAa,GAAG,OAAO,KAAK,GAAG,KAAK;GACpC,MAAM,KAAK;GACZ,CAAC;WACO,CAAC,QAAQ,CAAC,MACnB,OAAM,WAAW,KAAK;GACpB,aAAa,OAAO;GACpB,aAAa,GAAG,OAAO,KAAK,GAAG,OAAO;GACtC,QAAQ;GACT,CAAC;;AAIN,QAAO;;;;;AC9BT,SAAgB,qBAAqB,GAA2B;AAC9D,QACE,EAAE,sBAAsB,WAAW,KACnC,EAAE,kBAAkB,WAAW,KAC/B,EAAE,WAAW,WAAW;;AAI5B,SAAgB,eAAe,WAAqC;AAClE,QAAO,UAAU,MAAM,MAAM,CAAC,qBAAqB,EAAE,CAAC;;;;;;;;;;;;;ACnDxD,eAAsB,YACpB,OACA,KACA,OACwB;CACxB,MAAMC,QAAuB;EAC3B,MAAM;EACN,uBAAuB,EAAE;EACzB,mBAAmB,EAAE;EACrB,YAAY,EAAE;EACf;CAED,MAAM,SAAS,IAAI,IAAI,MAAM,KAAK,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;CAC1D,MAAM,UAAU,MACb,aAAa,CACb,QAAQ,MAAM,EAAE,uBAAuB,aAAa;AACvD,KAAI,QAAQ,WAAW,EAAG,QAAO;CAEjC,MAAM,8BAAc,IAAI,KAA0B;CAClD,eAAe,YAAY,IAAkC;EAC3D,IAAI,MAAM,YAAY,IAAI,GAAG;AAC7B,MAAI,CAAC,KAAK;GACR,MAAM,OAAO,MAAM,IAAI,4BAA4B,GAAG;AACtD,SAAM,IAAI,IAAI,KAAK,KAAK,MAAM,EAAE,GAAG,CAAC;AACpC,eAAY,IAAI,IAAI,IAAI;;AAE1B,SAAO;;AAGT,MAAK,MAAM,KAAK,SAAS;EACvB,MAAM,UAAU,eAAe,EAAE,SAAS,EAAE,UAAU;AACtD,MAAI;AAEF,OAAI,EADQ,MAAM,YAAY,EAAE,sBAAsB,EAC7C,IAAI,EAAE,WAAW,CACxB,OAAM,sBAAsB,KAAK;IAC/B,aAAa;IACb,aAAa,EAAE;IACf,QAAQ;IACT,CAAC;UAEE;AACN,SAAM,sBAAsB,KAAK;IAC/B,aAAa;IACb,aAAa,EAAE;IACf,QAAQ;IACT,CAAC;;AAGJ,OAAK,MAAM,SAAS,EAAE,YAAY,EAAE,CAClC,KAAI,CAAC,OAAO,IAAI,MAAM,KAAK,CACzB,OAAM,sBAAsB,KAAK;GAC/B,aAAa;GACb,aAAa,MAAM;GACnB,MAAM,MAAM;GACZ,QAAQ,MAAM,MAAM;GACrB,CAAC;;AAKR,QAAO;;;;;;;;;;;;;;;;;;;;AC9BT,eAAsB,mBAAmB,SAKhB;CACvB,MAAM,MAAM,QAAQ,OAAO;CAC3B,MAAM,aAAa,QAAQ;CAE3B,MAAM,SAAS,MAAM,WAAW,YAAY,EAAE,KAAK,CAAC;CACpD,MAAM,UAAU,kBAAkB;CAClC,MAAM,YAAY,OAAO,cAAc,4BAA4B;AACnE,KAAI,CAAC,UACH,OAAM,IAAI,MACR,iEACD;CAGH,MAAM,MAAM,IAAI,YAAY,UAAU;CACtC,MAAM,SAAS,iBAAiB,OAAO;CACvC,MAAM,QAAQ,IAAI,aAChB,OAAO,OAAO,IACd,KACA,mBAAmB,OAAO,CAC3B;AACD,OAAM,MAAM,QAAQ,IAAI;CAIxB,MAAM,UAAU,MAAM,kBAAkB,KAAK,QAAQ,IAAI,CAAC,aAAa,EAAE,EAAE;CAE3E,eAAe,SACb,OACA,IACc;AACd,MAAI;AACF,UAAO,MAAM,IAAI;WACV,KAAK;GACZ,MAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,IAAI;AAC5D,WAAQ,KAAK,oBAAoB,MAAM,IAAI,MAAM;AACjD,UAAO,EAAE;;;CAIb,MAAM,QAAQ,MAAM,QAAQ,IAC1B,gBAAgB,KAAK,MACnB,SAAS,GAAG,EAAE,MAAM,cAAc,EAAE,SAAS,IAAI,CAAC,CACnD,CACF;CAED,MAAM,cACJ,sBAAsB,OAAO,CAAC,SAAS,IACnC,MAAM,SAAS,6BACb,IAAI,0BAA0B,CAC/B,GACD,EAAE;CAER,MAAM,iBACJ,eAAe,OAAO,CAAC,SAAS,KAAK,QAAQ,UACzC,MAAM,SAAS,sBAAsB,IAAI,wBAAwB,CAAC,GAClE,EAAE;CAER,MAAM,UAAU,MAAM,WAAW,QAAQ,QAAQ;CAEjD,MAAM,6BAAa,IAAI,KAA4B;CACnD,SAAS,MAAM,GAAwB;EACrC,MAAM,WAAW,WAAW,IAAI,EAAE,KAAK;AACvC,MAAI,CAAC,UAAU;AACb,cAAW,IAAI,EAAE,MAAM,EAAE;AACzB;;AAEF,WAAS,sBAAsB,KAAK,GAAG,EAAE,sBAAsB;AAC/D,WAAS,kBAAkB,KAAK,GAAG,EAAE,kBAAkB;AACvD,WAAS,WAAW,KAAK,GAAG,EAAE,WAAW;;AAG3C,MAAK,MAAM,CAAC,WAAW,iBAAiB,SAAS;EAC/C,MAAM,eAAe,iCACnB,QACA,WACA,cACA,KACA,WACA,QACA,OACA;GAAE,gBAAgB;GAAY;GAAS,CACxC;AACD,kBAAgB,SAAS,KAAK,MAAM;GAClC,MAAM,YAAY,IAAI,cAAc,aAAa;AACjD,OAAI,UAAU,WAAW,EAAG;AAC5B,SACE,IAAI,MAAM;IACR;IACA,KAAK,MAAM;IACX,QAAQ,OAAO;IACf;IACA;IACA;IACA;IACA;IACA;IACD,CAAC,CACH;IACD;;CAGJ,MAAM,oBAAoB,sBAAsB,OAAO;AACvD,KAAI,kBAAkB,SAAS,EAC7B,OACE,uBACE,aACA,mBACA,KACA,OAAO,QACP,MACD,CACF;CAGH,MAAM,eAAe,cAAc,OAAO;AAC1C,KAAI,aAAa,SAAS,KAAK,QAAQ,SAAS;EAC9C,MAAMC,yBAA2B,IAAI,KAAK;EAC1C,MAAM,QAAQ,MAAM,KAAK,IAAI,IAAI,aAAa,KAAK,MAAM,EAAE,OAAO,CAAC,CAAC;AACpE,OAAK,MAAM,UAAU,OAAO;GAC1B,MAAM,OAAO,MAAM,SAAS,qBAAqB,OAAO,UACtD,IAAI,qBAAqB,OAAO,CACjC;AACD,UAAO,IAAI,QAAQ,KAAK;;AAE1B,QAAM,eAAe,QAAQ,cAAc,OAAO,QAAQ,KAAK,MAAM,CAAC;;CAGxE,MAAM,mBAAmB,eAAe,OAAO;AAC/C,KAAI,iBAAiB,SAAS,KAAK,QAAQ,QACzC,OACE,gBACE,gBACA,kBACA,KACA,OAAO,QACP,MACD,CACF;AAGH,KAAI,MAAM,aAAa,CAAC,SAAS,GAAG;EAClC,MAAM,WAAW,gBAAgB,WAAW,MAAM,EAAE,SAAS,KAAK;AAKlE,QAAM,MAAM,YAAY,OAAO,KAH7B,YAAY,IACP,MAAM,YACP,EAAE,CACkC,CAAC;;CAG7C,MAAM,oBAAoB,MAAM,kBAC9B,KACA,QACA,SACA,WACA,QACA,OACA,KACA,EAAE,SAAS,CACZ;AACD,KAAI,kBAAmB,OAAM,kBAAkB;CAE/C,MAAM,qBAAqB,MAAM,aAC/B,KACA,QACA,SACA,WACA,QACA,OACA,KACA,EAAE,SAAS,CACZ;AACD,KAAI,mBAAoB,OAAM,mBAAmB;CAEjD,MAAM,gBAAgB,MAAM,wBAC1B,SACA,QACA,KACA,SACA,WACA,QACA,OACA,KACA,QACD;AACD,KAAI,cAAc,SAAS,EAMzB,OAAM,aALgB,MAAM,iBAAiB;EAC3C,SAAS;EACT,OAAO,QAAQ,gBAAgB,mBAAmB,EAAE,CAAC;EACrD;EACD,CAAC,CAC+B,CAAC;CAGpC,MAAM,mBAAmB,MAAM,KAAK,WAAW,QAAQ,CAAC,CAAC,KAAK,OAAO;EACnE,GAAG;EACH,uBAAuB,OAAO,EAAE,sBAAsB;EACtD,mBAAmB,OAAO,EAAE,kBAAkB;EAC9C,YAAY,OAAO,EAAE,WAAW;EACjC,EAAE;AAEH,QAAO;EACL,UAAU,OAAO,OAAO;EACxB;EACA,8BAAa,IAAI,MAAM,EAAC,aAAa;EACrC,WAAW;EACX,UAAU,eAAe,iBAAiB;EAC3C;;AAGH,SAAS,OACP,MACK;CACL,MAAM,uBAAO,IAAI,KAAa;CAC9B,MAAMC,MAAW,EAAE;AACnB,MAAK,MAAM,QAAQ,MAAM;EACvB,MAAM,MAAM,GAAG,KAAK,YAAY,IAAI,KAAK;AACzC,MAAI,KAAK,IAAI,IAAI,CAAE;AACnB,OAAK,IAAI,IAAI;AACb,MAAI,KAAK,KAAK;;AAEhB,QAAO;;;;;;AAOT,eAAsB,SAAS,SAIX;CAClB,MAAM,SAAS,MAAM,mBAAmB;EACtC,KAAK,QAAQ;EACb,YAAY,QAAQ;EACrB,CAAC;AAEF,KAAI,QAAQ,KACV,SAAQ,IAAI,KAAK,UAAU,QAAQ,MAAM,EAAE,CAAC;KAE5C,kBAAiB,OAAO;AAG1B,QAAO,OAAO,WAAW,IAAI;;AAG/B,SAAS,iBAAiB,QAA2B;AACnD,SAAQ,IACN,2BAA2B,OAAO,SAAS,QAAQ,OAAO,IAAI,IAC/D;AACD,KAAI,OAAO,UAAU,WAAW,GAAG;AACjC,UAAQ,IAAI,iDAAiD;AAC7D;;AAEF,MAAK,MAAM,KAAK,OAAO,WAAW;EAChC,MAAM,QACJ,EAAE,sBAAsB,SACxB,EAAE,kBAAkB,SACpB,EAAE,WAAW;AACf,UAAQ,IAAI,GAAG,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,UAAU;AACpD,MAAI,UAAU,GAAG;AACf,WAAQ,IAAI,OAAO;AACnB;;AAEF,MAAI,EAAE,sBAAsB,QAAQ;AAClC,WAAQ,IAAI,qDAAqD;AACjE,QAAK,MAAM,KAAK,EAAE,sBAChB,SAAQ,IAAI,SAAS,EAAE,YAAY,MAAM,EAAE,cAAc,OAAO,EAAE,KAAK,GAAG;;AAG9E,MAAI,EAAE,kBAAkB,QAAQ;AAC9B,WAAQ,IAAI,4CAA4C;AACxD,QAAK,MAAM,KAAK,EAAE,kBAChB,SAAQ,IAAI,SAAS,EAAE,YAAY,MAAM,EAAE,cAAc,OAAO,EAAE,KAAK,GAAG;;AAG9E,MAAI,EAAE,WAAW,QAAQ;AACvB,WAAQ,IAAI,oCAAoC;AAChD,QAAK,MAAM,KAAK,EAAE,WAChB,SAAQ,IAAI,SAAS,EAAE,YAAY,MAAM,EAAE,cAAc;;;AAI/D,SAAQ,IAAI,OAAO,WAAW,wBAAwB,gBAAgB;;AAGxE,MAAMC,kBAA0C,OAAO,YACrD,gBAAgB,KAAK,MAAM,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,CAC9C;AAED,SAAS,SAAS,MAAqC;AACrD,KAAI,gBAAgB,MAAO,QAAO,gBAAgB;AAClD,SAAQ,MAAR;EACE,KAAK,qBACH,QAAO;EACT,KAAK,cACH,QAAO;EACT,KAAK,aACH,QAAO;EACT,KAAK,SACH,QAAO;EACT,KAAK,eACH,QAAO;EACT,KAAK,gBACH,QAAO;EACT,KAAK,SACH,QAAO;EACT,QACE,QAAO;;;AAIb,SAAS,OAAO,MAAuB;AACrC,QAAO,OAAO,KAAK,KAAK,KAAK;;AAG/B,eAAe,wBACb,SACA,QACA,KACA,SACA,WACA,QACA,OACA,KACA,SAOA;CACA,MAAMC,MAID,EAAE;AAEP,MAAK,MAAM,CAAC,WAAW,iBAAiB,SAAS;EAW/C,MAAM,WAAW,yBAVF,iCACb,QACA,WACA,cACA,KACA,WACA,QACA,OACA;GAAE,gBAAgB;GAAY;GAAS,CACxC,CACgD;AACjD,MAAI,SAAS,WAAW,EAAG;EAE3B,MAAM,eAAe,0BACnB,QACA,WACA,cACA,KACA,OACD;EACD,IAAIC,oBAA8B,EAAE;AACpC,MAAI,QAAQ,QACV,KAAI;AACF,uBAAoB,MAAM,IAAI,mBAAmB,aAAa;UACxD;AACN,uBAAoB,EAAE;;AAI1B,MAAI,KAAK;GAAE;GAAW;GAAU;GAAmB,CAAC;;AAGtD,QAAO"}
|
|
@@ -1,8 +1,8 @@
|
|
|
1
|
-
import "./registry-
|
|
1
|
+
import "./registry-BrOxbA2i.mjs";
|
|
2
2
|
import "./r2S3EmptyBucket-B9_pHfvB.mjs";
|
|
3
|
-
import { n as runDrift, t as computeDriftReport } from "./drift-
|
|
3
|
+
import { n as runDrift, t as computeDriftReport } from "./drift-Ci368_WQ.mjs";
|
|
4
4
|
import "./logpush-job-GqVKG_HI.mjs";
|
|
5
|
-
import "./worker-route-
|
|
6
|
-
import "./workers-
|
|
5
|
+
import "./worker-route-CUQBu9xe.mjs";
|
|
6
|
+
import "./workers-DWXnZAzG.mjs";
|
|
7
7
|
|
|
8
8
|
export { runDrift };
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import {
|
|
2
|
-
import { o as d1CloudflareDatabaseName, s as d1SkipsProvisionAndMigrate } from "./registry-
|
|
1
|
+
import { k as resolveWorkerConfig } from "./tamer.mjs";
|
|
2
|
+
import { o as d1CloudflareDatabaseName, s as d1SkipsProvisionAndMigrate } from "./registry-BrOxbA2i.mjs";
|
|
3
3
|
import { dirname, join } from "path";
|
|
4
4
|
import { existsSync, mkdirSync, writeFileSync } from "fs";
|
|
5
5
|
|
|
@@ -138,4 +138,4 @@ async function assertShardRegistryPresentForDeploy(args) {
|
|
|
138
138
|
|
|
139
139
|
//#endregion
|
|
140
140
|
export { emitShardRegistryOnApply as n, assertShardRegistryPresentForDeploy as t };
|
|
141
|
-
//# sourceMappingURL=emit-
|
|
141
|
+
//# sourceMappingURL=emit-DDTQVfi_.mjs.map
|