@eve-horizon/cli 0.2.27 → 0.2.29

package/assets/local-k8s/base/agent-runtime-deployment.yaml

@@ -0,0 +1,82 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: eve-agent-runtime
+  namespace: eve
+  labels:
+    app.kubernetes.io/name: eve-agent-runtime
+spec:
+  serviceName: eve-agent-runtime
+  replicas: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: eve-agent-runtime
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: eve-agent-runtime
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: agent-runtime
+          securityContext:
+            allowPrivilegeEscalation: false
+          image: eve-horizon/agent-runtime:local
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - secretRef:
+                name: eve-app
+          env:
+            - name: DATABASE_URL
+              value: postgres://eve:eve@postgres.eve.svc.cluster.local:5432/eve
+            - name: EVE_API_URL
+              value: http://eve-api:4701
+            - name: AGENT_RUNTIME_PORT
+              value: "4812"
+            - name: EVE_ORG_ID
+              value: org_default
+            - name: AGENT_RUNTIME_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: AGENT_RUNTIME_CAPACITY
+              value: "8"
+            - name: AGENT_RUNTIME_STATUS
+              value: healthy
+            - name: EVE_AGENT_RUNTIME_EXECUTION_MODE
+              value: inline
+            - name: EVE_AGENT_CLI_PATH
+              value: /app/packages/eve-agent-cli/bin/eve-agent-cli.js
+            - name: EVE_ORG_FS_ROOT
+              value: /org
+            - name: EVE_K8S_NAMESPACE
+              value: eve
+            - name: EVE_RUNTIME
+              value: k8s
+            - name: WORKSPACE_ROOT
+              value: /opt/eve/workspaces
+          ports:
+            - name: http
+              containerPort: 4812
+          volumeMounts:
+            - name: org-fs
+              mountPath: /org
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            failureThreshold: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 20
+            periodSeconds: 10
+      volumes:
+        - name: org-fs
+          persistentVolumeClaim:
+            claimName: eve-org-fs-org-default

package/assets/local-k8s/base/agent-runtime-pvc.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: eve-org-fs-org-default
+  namespace: eve
+  labels:
+    app.kubernetes.io/name: eve-org-fs
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Gi

package/assets/local-k8s/base/agent-runtime-service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: eve-agent-runtime
+  namespace: eve
+  labels:
+    app.kubernetes.io/name: eve-agent-runtime
+spec:
+  clusterIP: None
+  selector:
+    app.kubernetes.io/name: eve-agent-runtime
+  ports:
+    - name: http
+      port: 4812
+      targetPort: http

package/assets/local-k8s/base/api-deployment.yaml

@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: eve-api
+  namespace: eve
+  labels:
+    app.kubernetes.io/name: eve-api
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: eve-api
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: eve-api
+    spec:
+      serviceAccountName: eve-api
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: api
+          securityContext:
+            allowPrivilegeEscalation: false
+          image: eve-horizon/api:local
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            # Mount all secrets from eve-app (auth tokens, API keys, etc.)
+            - secretRef:
+                name: eve-app
+          env:
+            - name: DATABASE_URL
+              value: postgres://eve:eve@postgres.eve.svc.cluster.local:5432/eve
+            - name: API_PORT
+              value: "4701"
+            - name: WORKER_URL
+              value: http://eve-worker.eve.svc.cluster.local:4749
+            # --- Web Auth (Supabase) ---
+            - name: SUPABASE_AUTH_URL
+              value: "http://supabase-auth.eve.svc.cluster.local:9999"
+            - name: SUPABASE_AUTH_EXTERNAL_URL
+              value: "http://auth.eve.lvh.me"
+            - name: EVE_SSO_URL
+              value: "http://sso.eve.lvh.me"
+            - name: EVE_DEFAULT_DOMAIN
+              value: lvh.me
+          ports:
+            - name: http
+              containerPort: 4701
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            failureThreshold: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 20
+            periodSeconds: 10

package/assets/local-k8s/base/api-ingress.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: eve-api
+  namespace: eve
+  labels:
+    app.kubernetes.io/name: eve-api
+spec:
+  rules:
+    - host: api.eve.lvh.me
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: eve-api
+                port:
+                  number: 4701

package/assets/local-k8s/base/api-rbac.yaml

@@ -0,0 +1,43 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: eve-api
+  namespace: eve
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: eve-api-read
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+      - pods/status
+      - pods/log
+      - events
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups: ["apps"]
+    resources:
+      - deployments
+      - replicasets
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: eve-api-read
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: eve-api-read
+subjects:
+  - kind: ServiceAccount
+    name: eve-api
+    namespace: eve

package/assets/local-k8s/base/api-service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: eve-api
+  namespace: eve
+  labels:
+    app.kubernetes.io/name: eve-api
+spec:
+  selector:
+    app.kubernetes.io/name: eve-api
+  ports:
+    - name: http
+      port: 4701
+      targetPort: http

package/assets/local-k8s/base/app-secret.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: eve-app
+  namespace: eve
+type: Opaque
+# Platform-only secrets — infrastructure keys required by Eve services.
+#
+# Everything else (LLM API keys, GitHub tokens, GHCR credentials, etc.)
+# flows through Eve org/project-level secrets, resolved at runtime via
+# the secrets API. Never add provider credentials here.
+stringData:
+  EVE_INTERNAL_API_KEY: ""
+  EVE_SECRETS_MASTER_KEY: ""
+  EVE_BOOTSTRAP_TOKEN: ""
+  EVE_GITHUB_WEBHOOK_SECRET: ""
+  EVE_SLACK_SIGNING_SECRET: ""
+  # --- Supabase Auth (GoTrue) ---
+  SUPABASE_JWT_SECRET: ""
+  EVE_AUTH_ADMIN_PASSWORD: ""
+  SUPABASE_AUTH_DATABASE_URL: ""
+  SUPABASE_AUTH_SERVICE_KEY: ""
+  SUPABASE_ANON_KEY: ""
+  # --- Protocol bridge runtime (optional) ---
+  # Anthropic-wire -> OpenAI bridge endpoint and gateway auth key.
+  EVE_BRIDGE_LITELLM_ANTHROPIC_OPENAI_URL: ""
+  EVE_BRIDGE_LITELLM_ANTHROPIC_OPENAI_KEY: ""

package/assets/local-k8s/base/auth-bootstrap-configmap.yaml

@@ -0,0 +1,73 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: auth-bootstrap-scripts
+  namespace: eve
+data:
+  bootstrap-auth-role.sh: |
+    #!/bin/sh
+    set -e
+    echo "Bootstrapping auth DB role..."
+
+    # Create or update the eve_auth_admin role with the password from env.
+    # GoTrue auto-creates and manages the 'auth' schema on startup.
+    # This role gets CREATE on the database (needed for schema creation)
+    # but is NOT granted write access to public tables — clean blast radius.
+    psql -v ON_ERROR_STOP=1 <<EOSQL
+    DO \$\$
+    BEGIN
+      IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'eve_auth_admin') THEN
+        EXECUTE format('CREATE ROLE eve_auth_admin LOGIN PASSWORD %L', '${AUTH_ROLE_PASSWORD}');
+      ELSE
+        EXECUTE format('ALTER ROLE eve_auth_admin PASSWORD %L', '${AUTH_ROLE_PASSWORD}');
+      END IF;
+    END \$\$;
+
+    GRANT CREATE ON DATABASE eve TO eve_auth_admin;
+    -- GoTrue creates a schema_migrations table in public before creating the auth schema.
+    -- It also needs USAGE for cross-schema references.
+    GRANT CREATE, USAGE ON SCHEMA public TO eve_auth_admin;
+
+    -- GoTrue migrations use uuid = text comparisons that need an implicit cast.
+    -- Supabase's custom Postgres has this built in; standard Postgres does not.
+    CREATE OR REPLACE FUNCTION public.uuid_eq_text(uuid, text) RETURNS boolean AS \$fn\$
+      SELECT \$1::text = \$2;
+    \$fn\$ LANGUAGE sql IMMUTABLE;
+    DO \$cast\$
+    BEGIN
+      IF NOT EXISTS (
+        SELECT 1 FROM pg_cast
+        WHERE castsource = 'uuid'::regtype AND casttarget = 'text'::regtype AND castcontext = 'i'
+      ) THEN
+        -- Cannot create implicit casts via SQL, but we can create the function
+        -- GoTrue actually needs the = operator between uuid and text
+        NULL;
+      END IF;
+    END \$cast\$;
+    -- Create a cross-type operator for uuid = text comparisons
+    DROP OPERATOR IF EXISTS = (uuid, text);
+    CREATE OPERATOR = (
+      LEFTARG = uuid,
+      RIGHTARG = text,
+      FUNCTION = public.uuid_eq_text,
+      COMMUTATOR = =
+    );
+
+    -- Pre-create the auth schema owned by eve_auth_admin.
+    -- GoTrue's migrations expect auth.* tables but don't always CREATE SCHEMA first.
+    CREATE SCHEMA IF NOT EXISTS auth AUTHORIZATION eve_auth_admin;
+    GRANT ALL ON SCHEMA auth TO eve_auth_admin;
+
+    -- GoTrue migrations reference a 'postgres' role for RLS grants.
+    -- Our DB superuser is 'eve', not 'postgres'. Create a postgres role alias.
+    DO \$pg\$
+    BEGIN
+      IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'postgres') THEN
+        CREATE ROLE postgres NOLOGIN;
+      END IF;
+    END \$pg\$;
+    GRANT eve TO postgres;
+    GRANT USAGE ON SCHEMA auth TO postgres;
+    EOSQL
+
+    echo "Auth DB role bootstrapped successfully."

package/assets/local-k8s/base/auth-bootstrap-job.yaml

@@ -0,0 +1,48 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: auth-db-bootstrap
+  namespace: eve
+spec:
+  backoffLimit: 3
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: auth-db-bootstrap
+    spec:
+      containers:
+        - name: bootstrap
+          image: postgres:16-alpine
+          command: ["sh", "/scripts/bootstrap-auth-role.sh"]
+          env:
+            - name: PGHOST
+              value: "postgres.eve.svc.cluster.local"
+            - name: PGPORT
+              value: "5432"
+            - name: PGDATABASE
+              value: "eve"
+            - name: PGUSER
+              valueFrom:
+                secretKeyRef:
+                  name: eve-postgres
+                  key: POSTGRES_USER
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: eve-postgres
+                  key: POSTGRES_PASSWORD
+            - name: AUTH_ROLE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: eve-app
+                  key: EVE_AUTH_ADMIN_PASSWORD
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+      volumes:
+        - name: scripts
+          configMap:
+            name: auth-bootstrap-scripts
+            defaultMode: 0755
+      restartPolicy: OnFailure

package/assets/local-k8s/base/buildkitd-deployment.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: buildkitd
+  namespace: eve
+  labels:
+    app.kubernetes.io/name: buildkitd
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: buildkitd
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: buildkitd
+    spec:
+      containers:
+        - name: buildkitd
+          image: moby/buildkit:v0.12.5
+          args:
+            - --addr
+            - tcp://0.0.0.0:1234
+            - --oci-worker-gc
+            - --oci-worker-gc-keepstorage
+            - "12000"
+          ports:
+            - name: grpc
+              containerPort: 1234
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: buildkitd-cache
+              mountPath: /var/lib/buildkit
+      volumes:
+        - name: buildkitd-cache
+          persistentVolumeClaim:
+            claimName: buildkitd-cache

package/assets/local-k8s/base/buildkitd-network-policy.yaml

@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: buildkitd-restrict-ingress
+  namespace: eve
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: buildkitd
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/name: eve-worker
+      ports:
+        - protocol: TCP
+          port: 1234

package/assets/local-k8s/base/buildkitd-pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: buildkitd-cache
+  namespace: eve
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi

package/assets/local-k8s/base/buildkitd-service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: buildkitd
+  namespace: eve
+  labels:
+    app.kubernetes.io/name: buildkitd
+spec:
+  selector:
+    app.kubernetes.io/name: buildkitd
+  ports:
+    - name: grpc
+      port: 1234
+      targetPort: grpc

package/assets/local-k8s/base/db-migrate-job.yaml

@@ -0,0 +1,23 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: eve-db-migrate
+  namespace: eve
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: eve-db-migrate
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: migrate
+          image: eve-horizon/worker:local
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: DATABASE_URL
+              value: postgres://eve:eve@postgres.eve.svc.cluster.local:5432/eve
+          command:
+            - node
+            - /app/packages/db/dist/migrate.js

package/assets/local-k8s/base/gateway-deployment.yaml

@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: eve-gateway
+  namespace: eve
+  labels:
+    app.kubernetes.io/name: eve-gateway
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: eve-gateway
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: eve-gateway
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: gateway
+          securityContext:
+            allowPrivilegeEscalation: false
+          image: eve-horizon/gateway:local
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 4820
+          envFrom:
+            - secretRef:
+                name: eve-app
+          env:
+            - name: GATEWAY_PORT
+              value: "4820"
+            - name: EVE_API_URL
+              value: http://eve-api:4701
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            timeoutSeconds: 2
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 20
+            periodSeconds: 10
+            timeoutSeconds: 2

package/assets/local-k8s/base/gateway-ingress.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: eve-gateway
+  namespace: eve
+  labels:
+    app.kubernetes.io/name: eve-gateway
+spec:
+  rules:
+    - host: api.eve.lvh.me
+      http:
+        paths:
+          - path: /integrations/slack
+            pathType: Prefix
+            backend:
+              service:
+                name: eve-gateway
+                port:
+                  number: 4820
+          - path: /gateway/providers
+            pathType: Prefix
+            backend:
+              service:
+                name: eve-gateway
+                port:
+                  number: 4820

package/assets/local-k8s/base/gateway-service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: eve-gateway
+  namespace: eve
+  labels:
+    app.kubernetes.io/name: eve-gateway
+spec:
+  selector:
+    app.kubernetes.io/name: eve-gateway
+  ports:
+    - name: http
+      port: 4820
+      targetPort: http

package/assets/local-k8s/base/kustomization.yaml

@@ -0,0 +1,42 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - api-rbac.yaml
+  - app-secret.yaml
+  - postgres-secret.yaml
+  - postgres-statefulset.yaml
+  - buildkitd-pvc.yaml
+  - buildkitd-deployment.yaml
+  - buildkitd-service.yaml
+  - buildkitd-network-policy.yaml
+  - api-deployment.yaml
+  - api-service.yaml
+  - api-ingress.yaml
+  - orchestrator-deployment.yaml
+  - orchestrator-service.yaml
+  - worker-rbac.yaml
+  - worker-deployment.yaml
+  - worker-service.yaml
+  - agent-runtime-pvc.yaml
+  - agent-runtime-deployment.yaml
+  - agent-runtime-service.yaml
+  - gateway-deployment.yaml
+  - gateway-service.yaml
+  - gateway-ingress.yaml
+  - registry-configmap.yaml
+  - registry-pvc.yaml
+  - registry-deployment.yaml
+  - registry-service.yaml
+  - mailpit-deployment.yaml
+  - mailpit-service.yaml
+  - mailpit-ingress.yaml
+  - supabase-auth-deployment.yaml
+  - supabase-auth-service.yaml
+  - supabase-auth-ingress.yaml
+  - supabase-auth-cors-middleware.yaml
+  - auth-bootstrap-configmap.yaml
+  - auth-bootstrap-job.yaml
+  - sso-deployment.yaml
+  - sso-service.yaml
+  - sso-ingress.yaml