@factiii/stack 0.1.2

package/dist/plugins/pipelines/factiii/scanfix/secrets.js

@@ -0,0 +1,237 @@
+"use strict";
+/**
+ * Ansible Vault Secrets fixes for Factiii Pipeline plugin
+ * Handles Ansible Vault secrets validation for secrets stage
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.secretsFixes = void 0;
+const fs = __importStar(require("fs"));
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+const ansible_vault_secrets_js_1 = require("../../../../utils/ansible-vault-secrets.js");
+const secret_prompts_js_1 = require("../../../../utils/secret-prompts.js");
+function getAnsibleStore(config, rootDir) {
+    if (!config.ansible?.vault_path)
+        return null;
+    return new ansible_vault_secrets_js_1.AnsibleVaultSecrets({
+        vault_path: config.ansible.vault_path,
+        vault_password_file: config.ansible.vault_password_file,
+        rootDir,
+    });
+}
+function getSecretNameFromFixId(fixId) {
+    const map = {
+        'missing-staging-ssh': 'STAGING_SSH',
+        'missing-prod-ssh': 'PROD_SSH',
+        'missing-aws-secret': 'AWS_SECRET_ACCESS_KEY',
+    };
+    return map[fixId] ?? '';
+}
+exports.secretsFixes = [
+    {
+        id: 'missing-ansible-config',
+        stage: 'secrets',
+        severity: 'critical',
+        description: 'Ansible Vault not configured (ansible.vault_path missing in factiii.yml)',
+        scan: async (config, _rootDir) => {
+            return !config.ansible?.vault_path;
+        },
+        fix: null,
+        manualFix: 'Add ansible section to factiii.yml:\n' +
+            '  ansible:\n' +
+            '    vault_path: group_vars/all/vault.yml\n' +
+            '    vault_password_file: ~/.vault_pass  # optional',
+    },
+    {
+        id: 'missing-staging-ssh',
+        stage: 'secrets',
+        severity: 'critical',
+        description: 'STAGING_SSH secret not found in Ansible Vault',
+        scan: async (config, rootDir) => {
+            const { extractEnvironments } = await Promise.resolve().then(() => __importStar(require('../../../../utils/config-helpers.js')));
+            const environments = extractEnvironments(config);
+            // Only check if staging environment is defined in config
+            const hasStagingEnv = environments.staging;
+            if (!hasStagingEnv)
+                return false; // Skip check if staging not configured
+            const store = getAnsibleStore(config, rootDir);
+            if (!store)
+                return false; // Will be caught by missing-ansible-config fix
+            const result = await store.checkSecrets(['STAGING_SSH']);
+            return result.missing?.includes('STAGING_SSH') ?? false;
+        },
+        fix: async (config, rootDir) => {
+            const store = getAnsibleStore(config, rootDir);
+            if (!store)
+                return false;
+            try {
+                const value = await (0, secret_prompts_js_1.promptForSecret)('STAGING_SSH', config);
+                const result = await store.setSecret('STAGING_SSH', value);
+                return result.success;
+            }
+            catch {
+                return false;
+            }
+        },
+        manualFix: 'Store your staging SSH key in the vault:\n' +
+            '      1. Generate key: ssh-keygen -t ed25519 -C "staging-deploy" -f ~/.ssh/staging_deploy_key\n' +
+            '      2. Add to server: ssh-copy-id -i ~/.ssh/staging_deploy_key.pub user@staging-host\n' +
+            '      3. Store in vault: npx factiii secrets set STAGING_SSH',
+    },
+    {
+        id: 'missing-prod-ssh',
+        stage: 'secrets',
+        severity: 'critical',
+        description: 'PROD_SSH secret not found in Ansible Vault',
+        scan: async (config, rootDir) => {
+            const { extractEnvironments } = await Promise.resolve().then(() => __importStar(require('../../../../utils/config-helpers.js')));
+            const environments = extractEnvironments(config);
+            // Only check if prod environment is defined in config
+            const hasProdEnv = environments.prod;
+            if (!hasProdEnv)
+                return false; // Skip check if prod not configured
+            const store = getAnsibleStore(config, rootDir);
+            if (!store)
+                return false; // Will be caught by missing-ansible-config fix
+            const result = await store.checkSecrets(['PROD_SSH']);
+            return result.missing?.includes('PROD_SSH') ?? false;
+        },
+        fix: async (config, rootDir) => {
+            const store = getAnsibleStore(config, rootDir);
+            if (!store)
+                return false;
+            try {
+                const value = await (0, secret_prompts_js_1.promptForSecret)('PROD_SSH', config);
+                const result = await store.setSecret('PROD_SSH', value);
+                return result.success;
+            }
+            catch {
+                return false;
+            }
+        },
+        manualFix: 'Store your prod SSH key in the vault:\n' +
+            '      1. Generate key: ssh-keygen -t ed25519 -C "prod-deploy" -f ~/.ssh/prod_deploy_key\n' +
+            '      2. Add to server: ssh-copy-id -i ~/.ssh/prod_deploy_key.pub user@prod-host\n' +
+            '      3. Store in vault: npx factiii secrets set PROD_SSH',
+    },
+    {
+        id: 'missing-aws-secret',
+        stage: 'secrets',
+        severity: 'warning',
+        description: 'AWS_SECRET_ACCESS_KEY not found in Ansible Vault (needed for ECR)',
+        scan: async (config, rootDir) => {
+            const { extractEnvironments } = await Promise.resolve().then(() => __importStar(require('../../../../utils/config-helpers.js')));
+            const environments = extractEnvironments(config);
+            // Check if any environment uses AWS pipeline
+            const hasAwsEnv = Object.values(environments).some(env => env.pipeline === 'aws' && env.access_key_id);
+            if (!hasAwsEnv)
+                return false;
+            const store = getAnsibleStore(config, rootDir);
+            if (!store)
+                return false; // Will be caught by missing-ansible-config fix
+            const result = await store.checkSecrets(['AWS_SECRET_ACCESS_KEY']);
+            return result.missing?.includes('AWS_SECRET_ACCESS_KEY') ?? false;
+        },
+        fix: async (config, rootDir) => {
+            const store = getAnsibleStore(config, rootDir);
+            if (!store)
+                return false;
+            try {
+                const value = await (0, secret_prompts_js_1.promptForSecret)('AWS_SECRET_ACCESS_KEY', config);
+                const result = await store.setSecret('AWS_SECRET_ACCESS_KEY', value);
+                return result.success;
+            }
+            catch {
+                return false;
+            }
+        },
+        manualFix: 'Set AWS_SECRET_ACCESS_KEY secret: npx factiii secrets set AWS_SECRET_ACCESS_KEY',
+    },
+    {
+        id: 'missing-vault-password-file',
+        stage: 'secrets',
+        severity: 'critical',
+        description: 'Vault password file not found (required to decrypt secrets)',
+        scan: async (config) => {
+            if (!config.ansible?.vault_path)
+                return false; // Will be caught by missing-ansible-config
+            if (!config.ansible.vault_password_file)
+                return false; // Not using password file
+            const passwordFile = config.ansible.vault_password_file.replace(/^~/, os.homedir());
+            return !fs.existsSync(passwordFile);
+        },
+        fix: null,
+        manualFix: 'Create the vault password file specified in factiii.yml ansible.vault_password_file:\n' +
+            '      macOS/Linux: echo "your-vault-password" > ~/.vault_pass && chmod 600 ~/.vault_pass\n' +
+            '      Windows:     echo your-vault-password > %USERPROFILE%\\.vault_pass\n' +
+            '      Or run: npx factiii init (will guide you through vault setup)',
+    },
+    {
+        id: 'missing-ssh-key-staging',
+        stage: 'secrets',
+        severity: 'critical',
+        description: 'SSH key file ' + path.join(os.homedir(), '.ssh', 'staging_deploy_key') + ' not found (required for staging access)',
+        scan: async (config) => {
+            const { extractEnvironments } = await Promise.resolve().then(() => __importStar(require('../../../../utils/config-helpers.js')));
+            const environments = extractEnvironments(config);
+            // Only check if staging environment is defined
+            if (!environments.staging)
+                return false;
+            const keyPath = path.join(os.homedir(), '.ssh', 'staging_deploy_key');
+            return !fs.existsSync(keyPath);
+        },
+        fix: null,
+        manualFix: 'Extract SSH keys from vault: npx factiii secrets write-ssh-keys',
+    },
+    {
+        id: 'missing-ssh-key-prod',
+        stage: 'secrets',
+        severity: 'critical',
+        description: 'SSH key file ' + path.join(os.homedir(), '.ssh', 'prod_deploy_key') + ' not found (required for prod access)',
+        scan: async (config) => {
+            const { extractEnvironments } = await Promise.resolve().then(() => __importStar(require('../../../../utils/config-helpers.js')));
+            const environments = extractEnvironments(config);
+            // Only check if prod environment is defined
+            if (!environments.prod)
+                return false;
+            const keyPath = path.join(os.homedir(), '.ssh', 'prod_deploy_key');
+            return !fs.existsSync(keyPath);
+        },
+        fix: null,
+        manualFix: 'Extract SSH keys from vault: npx factiii secrets write-ssh-keys',
+    },
+];
+//# sourceMappingURL=secrets.js.map

package/dist/plugins/pipelines/factiii/scanfix/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/factiii/scanfix/secrets.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,uCAAyB;AACzB,2CAA6B;AAE7B,yFAAiF;AACjF,2EAAsE;AAEtE,SAAS,eAAe,CAAC,MAAqB,EAAE,OAAe;IAC7D,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7C,OAAO,IAAI,8CAAmB,CAAC;QAC7B,UAAU,EAAE,MAAM,CAAC,OAAO,CAAC,UAAU;QACrC,mBAAmB,EAAE,MAAM,CAAC,OAAO,CAAC,mBAAmB;QACvD,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAa;IAC3C,MAAM,GAAG,GAA2B;QAClC,qBAAqB,EAAE,aAAa;QACpC,kBAAkB,EAAE,UAAU;QAC9B,oBAAoB,EAAE,uBAAuB;KAC9C,CAAC;IACF,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;AAC1B,CAAC;AAEY,QAAA,YAAY,GAAU;IACjC;QACE,EAAE,EAAE,wBAAwB;QAC5B,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,0EAA0E;QACvF,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAE,QAAgB,EAAoB,EAAE;YACxE,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,UAAU,CAAC;QACrC,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EACP,uCAAuC;YACvC,cAAc;YACd,4CAA4C;YAC5C,oDAAoD;KACvD;IACD;QACE,EAAE,EAAE,qBAAqB;QACzB,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,+CAA+C;QAC5D,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACvE,MAAM,EAAE,mBAAmB,EAAE,GAAG,wDAAa,qCAAqC,GAAC,CAAC;YACpF,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAEjD,yDAAyD;YACzD,MAAM,aAAa,GAAG,YAAY,CAAC,OAAO,CAAC;YAC3C,IAAI,CAAC,aAAa;gBAAE,OAAO,KAAK,CAAC,CAAC,uCAAuC;YAEzE,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC,CAAC,+CAA+C;YAEzE,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC;YACzD,OAAO,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,aAAa,CAAC,IAAI,KAAK,CAAC;QAC1D,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACtE,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC;YAEzB,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,IAAA,mCAAe,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;gBAC3D,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,aAAa,EAAE,KAAK,CAAC,CAAC;gBAC3D,OAAO,MAAM,CAAC,OAAO,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EACP,4CAA4C;YAC5C,iGAAiG;YACjG,0FAA0F;YAC1F,8DAA8D;KACjE;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,4CAA4C;QACzD,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACvE,MAAM,EAAE,mBAAmB,EAAE,GAAG,wDAAa,qCAAqC,GAAC,CAAC;YACpF,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAEjD,sDAAsD;YACtD,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC;YACrC,IAAI,CAAC,UAAU;gBAAE,OAAO,KAAK,CAAC,CAAC,oCAAoC;YAEnE,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC,CAAC,+CAA+C;YAEzE,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;YACtD,OAAO,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,UAAU,CAAC,IAAI,KAAK,CAAC;QACvD,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACtE,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC;YAEzB,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,IAAA,mCAAe,EAAC,UAAU,EAAE,MAAM,CAAC,CAAC;gBACxD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;gBACxD,OAAO,MAAM,CAAC,OAAO,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EACP,yCAAyC;YACzC,2FAA2F;YAC3F,oFAAoF;YACpF,2DAA2D;KAC9D;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,mEAAmE;QAChF,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACvE,MAAM,EAAE,mBAAmB,EAAE,GAAG,wDAAa,qCAAqC,GAAC,CAAC;YACpF,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAEjD,6CAA6C;YAC7C,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CACvD,GAAG,CAAC,QAAQ,KAAK,KAAK,IAAI,GAAG,CAAC,aAAa,CAC5C,CAAC;YACF,IAAI,CAAC,SAAS;gBAAE,OAAO,KAAK,CAAC;YAE7B,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC,CAAC,+CAA+C;YAEzE,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,YAAY,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC;YACnE,OAAO,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,uBAAuB,CAAC,IAAI,KAAK,CAAC;QACpE,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,MAAqB,EAAE,OAAe,EAAoB,EAAE;YACtE,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;YAC/C,IAAI,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC;YAEzB,IAAI,CAAC;gBACH,MAAM,KAAK,GAAG,MAAM,IAAA,mCAAe,EAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;gBACrE,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,uBAAuB,EAAE,KAAK,CAAC,CAAC;gBACrE,OAAO,MAAM,CAAC,OAAO,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,SAAS,EACP,iFAAiF;KACpF;IACD;QACE,EAAE,EAAE,6BAA6B;QACjC,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,6DAA6D;QAC1E,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,UAAU;gBAAE,OAAO,KAAK,CAAC,CAAC,2CAA2C;YAC1F,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,mBAAmB;gBAAE,OAAO,KAAK,CAAC,CAAC,0BAA0B;YAEjF,MAAM,YAAY,GAAG,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YACpF,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC;QACtC,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EACP,wFAAwF;YACxF,4FAA4F;YAC5F,4EAA4E;YAC5E,qEAAqE;KACxE;IACD;QACE,EAAE,EAAE,yBAAyB;QAC7B,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,oBAAoB,CAAC,GAAG,0CAA0C;QACjI,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,MAAM,EAAE,mBAAmB,EAAE,GAAG,wDAAa,qCAAqC,GAAC,CAAC;YACpF,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAEjD,+CAA+C;YAC/C,IAAI,CAAC,YAAY,CAAC,OAAO;gBAAE,OAAO,KAAK,CAAC;YAExC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,oBAAoB,CAAC,CAAC;YACtE,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EACP,iEAAiE;KACpE;IACD;QACE,EAAE,EAAE,sBAAsB;QAC1B,KAAK,EAAE,SAAS;QAChB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,eAAe,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,iBAAiB,CAAC,GAAG,uCAAuC;QAC3H,IAAI,EAAE,KAAK,EAAE,MAAqB,EAAoB,EAAE;YACtD,MAAM,EAAE,mBAAmB,EAAE,GAAG,wDAAa,qCAAqC,GAAC,CAAC;YACpF,MAAM,YAAY,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC;YAEjD,4CAA4C;YAC5C,IAAI,CAAC,YAAY,CAAC,IAAI;gBAAE,OAAO,KAAK,CAAC;YAErC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,iBAAiB,CAAC,CAAC;YACnE,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACjC,CAAC;QACD,GAAG,EAAE,IAAI;QACT,SAAS,EACP,iEAAiE;KACpE;CACF,CAAC"}

package/dist/plugins/pipelines/factiii/scanfix/workflows.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Workflow-related fixes for Factiii Pipeline plugin
+ * Handles GitHub workflow generation, validation, and cleanup
+ */
+import type { Fix } from '../../../../types/index.js';
+export declare const workflowFixes: Fix[];
+//# sourceMappingURL=workflows.d.ts.map

package/dist/plugins/pipelines/factiii/scanfix/workflows.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workflows.d.ts","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/factiii/scanfix/workflows.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,OAAO,KAAK,EAAiB,GAAG,EAAE,MAAM,4BAA4B,CAAC;AAIrE,eAAO,MAAM,aAAa,EAAE,GAAG,EAyI9B,CAAC"}

package/dist/plugins/pipelines/factiii/scanfix/workflows.js

@@ -0,0 +1,169 @@
+"use strict";
+/**
+ * Workflow-related fixes for Factiii Pipeline plugin
+ * Handles GitHub workflow generation, validation, and cleanup
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.workflowFixes = void 0;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const child_process_1 = require("child_process");
+const workflows_js_1 = require("../utils/workflows.js");
+const version_check_js_1 = require("../../../../utils/version-check.js");
+exports.workflowFixes = [
+    {
+        id: 'missing-workflows',
+        stage: 'dev',
+        severity: 'warning',
+        description: 'GitHub workflows not generated',
+        scan: async (_config, rootDir) => {
+            const workflowsDir = path.join(rootDir, '.github', 'workflows');
+            return !fs.existsSync(path.join(workflowsDir, 'factiii-deploy.yml'));
+        },
+        fix: async (_config, rootDir) => {
+            await (0, workflows_js_1.generateWorkflows)(rootDir);
+            return true;
+        },
+        manualFix: 'Run: npx factiii fix (will generate workflow files)',
+    },
+    {
+        id: 'outdated-workflows',
+        stage: 'dev',
+        severity: 'info',
+        description: 'GitHub workflows may be outdated',
+        scan: async (_config, rootDir) => {
+            const workflowPath = path.join(rootDir, '.github', 'workflows', 'factiii-deploy.yml');
+            if (!fs.existsSync(workflowPath))
+                return false;
+            const content = fs.readFileSync(workflowPath, 'utf8');
+            // Check if using old bloated workflow (has inline bash logic not from template)
+            if (content.includes('docker compose build'))
+                return true;
+            // Check version comment
+            const currentVersion = (0, version_check_js_1.getFactiiiVersion)();
+            const versionMatch = content.match(/# Generated by @factiii\/stack v([\d.]+)/);
+            if (!versionMatch)
+                return true; // No version comment = outdated
+            const workflowVersion = versionMatch[1];
+            return workflowVersion !== currentVersion;
+        },
+        fix: async (_config, rootDir) => {
+            await (0, workflows_js_1.generateWorkflows)(rootDir);
+            return true;
+        },
+        manualFix: 'Run: npx factiii fix (will regenerate thin workflows)',
+    },
+    {
+        id: 'orphaned-workflows',
+        stage: 'dev',
+        severity: 'warning',
+        description: 'Old workflow files found that are not generated by current version',
+        scan: async (_config, rootDir) => {
+            const workflowsDir = path.join(rootDir, '.github', 'workflows');
+            if (!fs.existsSync(workflowsDir))
+                return false;
+            // List of workflows we currently generate
+            const validWorkflows = [
+                'factiii-deploy.yml',
+                'factiii-fix.yml',
+                'factiii-scan.yml',
+                'factiii-undeploy.yml',
+                'factiii-cicd-staging.yml',
+                'factiii-cicd-prod.yml',
+                'factiii-dev-sync.yml', // Only in dev mode
+            ];
+            // Find all factiii-*.yml files
+            const files = fs.readdirSync(workflowsDir);
+            const factiiiFiles = files.filter((f) => f.startsWith('factiii-') && f.endsWith('.yml'));
+            // Check for orphaned files
+            const orphaned = factiiiFiles.filter((f) => !validWorkflows.includes(f));
+            return orphaned.length > 0;
+        },
+        fix: async (_config, rootDir) => {
+            const workflowsDir = path.join(rootDir, '.github', 'workflows');
+            const validWorkflows = [
+                'factiii-deploy.yml',
+                'factiii-fix.yml',
+                'factiii-scan.yml',
+                'factiii-undeploy.yml',
+                'factiii-cicd-staging.yml',
+                'factiii-cicd-prod.yml',
+                'factiii-dev-sync.yml',
+            ];
+            const files = fs.readdirSync(workflowsDir);
+            const factiiiFiles = files.filter((f) => f.startsWith('factiii-') && f.endsWith('.yml'));
+            const orphaned = factiiiFiles.filter((f) => !validWorkflows.includes(f));
+            for (const file of orphaned) {
+                const filePath = path.join(workflowsDir, file);
+                fs.unlinkSync(filePath);
+                console.log(`   🗑️  Deleted orphaned workflow: ${file}`);
+            }
+            return orphaned.length > 0;
+        },
+        manualFix: 'Run: npx factiii fix (will remove old workflow files)',
+    },
+    {
+        id: 'workflows-uncommitted',
+        stage: 'dev',
+        severity: 'critical',
+        description: 'GitHub workflows not committed to git',
+        scan: async (_config, rootDir) => {
+            const workflowsDir = path.join(rootDir, '.github', 'workflows');
+            if (!fs.existsSync(workflowsDir))
+                return false;
+            try {
+                // Check git status for workflow files
+                const status = (0, child_process_1.execSync)('git status --porcelain .github/workflows/', {
+                    cwd: rootDir,
+                    encoding: 'utf8',
+                    stdio: ['pipe', 'pipe', 'ignore'],
+                });
+                // If there's any output, workflows are uncommitted or untracked
+                return status.trim().length > 0;
+            }
+            catch {
+                // Not a git repo or git not available
+                return false;
+            }
+        },
+        fix: null, // Cannot auto-commit
+        manualFix: 'Commit and push workflow files to git:\n' +
+            '      git add .github/workflows/\n' +
+            '      git commit -m "Update factiii workflows"\n' +
+            '      git push',
+    },
+];
+//# sourceMappingURL=workflows.js.map

package/dist/plugins/pipelines/factiii/scanfix/workflows.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workflows.js","sourceRoot":"","sources":["../../../../../src/plugins/pipelines/factiii/scanfix/workflows.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,uCAAyB;AACzB,2CAA6B;AAC7B,iDAAyC;AAEzC,wDAAmF;AACnF,yEAAuE;AAE1D,QAAA,aAAa,GAAU;IAClC;QACE,EAAE,EAAE,mBAAmB;QACvB,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,gCAAgC;QAC7C,IAAI,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACxE,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;YAChE,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,oBAAoB,CAAC,CAAC,CAAC;QACvE,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACvE,MAAM,IAAA,gCAAqB,EAAC,OAAO,CAAC,CAAC;YACrC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,SAAS,EAAE,qDAAqD;KACjE;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,kCAAkC;QAC/C,IAAI,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACxE,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAC5B,OAAO,EACP,SAAS,EACT,WAAW,EACX,oBAAoB,CACrB,CAAC;YACF,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC;gBAAE,OAAO,KAAK,CAAC;YAE/C,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;YAEtD,gFAAgF;YAChF,IAAI,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC;gBAAE,OAAO,IAAI,CAAC;YAE1D,wBAAwB;YACxB,MAAM,cAAc,GAAG,IAAA,oCAAiB,GAAE,CAAC;YAE3C,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;YAC/E,IAAI,CAAC,YAAY;gBAAE,OAAO,IAAI,CAAC,CAAC,gCAAgC;YAEhE,MAAM,eAAe,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;YACxC,OAAO,eAAe,KAAK,cAAc,CAAC;QAC5C,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACvE,MAAM,IAAA,gCAAqB,EAAC,OAAO,CAAC,CAAC;YACrC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,SAAS,EAAE,uDAAuD;KACnE;IACD;QACE,EAAE,EAAE,oBAAoB;QACxB,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,oEAAoE;QACjF,IAAI,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACxE,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;YAChE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC;gBAAE,OAAO,KAAK,CAAC;YAE/C,0CAA0C;YAC1C,MAAM,cAAc,GAAG;gBACrB,oBAAoB;gBACpB,iBAAiB;gBACjB,kBAAkB;gBAClB,sBAAsB;gBACtB,0BAA0B;gBAC1B,uBAAuB;gBACvB,sBAAsB,EAAE,mBAAmB;aAC5C,CAAC;YAEF,+BAA+B;YAC/B,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;YAC3C,MAAM,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YAEzF,2BAA2B;YAC3B,MAAM,QAAQ,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YAEzE,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAC7B,CAAC;QACD,GAAG,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACvE,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;YAEhE,MAAM,cAAc,GAAG;gBACrB,oBAAoB;gBACpB,iBAAiB;gBACjB,kBAAkB;gBAClB,sBAAsB;gBACtB,0BAA0B;gBAC1B,uBAAuB;gBACvB,sBAAsB;aACvB,CAAC;YAEF,MAAM,KAAK,GAAG,EAAE,CAAC,WAAW,CAAC,YAAY,CAAC,CAAC;YAC3C,MAAM,YAAY,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YACzF,MAAM,QAAQ,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YAEzE,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;gBAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;gBAC/C,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;gBACxB,OAAO,CAAC,GAAG,CAAC,sCAAsC,IAAI,EAAE,CAAC,CAAC;YAC5D,CAAC;YAED,OAAO,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;QAC7B,CAAC;QACD,SAAS,EAAE,uDAAuD;KACnE;IACD;QACE,EAAE,EAAE,uBAAuB;QAC3B,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,uCAAuC;QACpD,IAAI,EAAE,KAAK,EAAE,OAAsB,EAAE,OAAe,EAAoB,EAAE;YACxE,MAAM,YAAY,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;YAChE,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC;gBAAE,OAAO,KAAK,CAAC;YAE/C,IAAI,CAAC;gBACH,sCAAsC;gBACtC,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,2CAA2C,EAAE;oBACnE,GAAG,EAAE,OAAO;oBACZ,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC;iBAClC,CAAC,CAAC;gBAEH,gEAAgE;gBAChE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;YAClC,CAAC;YAAC,MAAM,CAAC;gBACP,sCAAsC;gBACtC,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,GAAG,EAAE,IAAI,EAAE,qBAAqB;QAChC,SAAS,EACP,0CAA0C;YAC1C,oCAAoC;YACpC,kDAAkD;YAClD,gBAAgB;KACnB;CACF,CAAC"}

package/dist/plugins/pipelines/factiii/staging.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Staging Build Utilities
+ *
+ * Functions for building Docker images for staging environment:
+ * - Builds linux/arm64 images on staging server (no ECR push)
+ */
+import type { FactiiiConfig, EnvironmentConfig, DeployResult } from '../../../types/index.js';
+/**
+ * Get dockerfile path from factiiiAuto.yml or use default
+ */
+export declare function getDockerfilePath(repoDir: string): string;
+/**
+ * Ensure Docker is running before deployment
+ * Starts Docker Desktop if not running and waits for it to be ready
+ */
+export declare function ensureDockerRunning(envConfig: EnvironmentConfig, isOnServer: boolean): Promise<void>;
+/**
+ * Build staging Docker image (linux/arm64) on staging server
+ * No ECR push - builds locally and uses image tag
+ *
+ * CRITICAL: This function MUST always build on the staging server, never locally.
+ * When running from a local machine, it SSHs to staging and builds there.
+ */
+export declare function buildStagingImage(config: FactiiiConfig, envConfig: EnvironmentConfig): Promise<DeployResult>;
+//# sourceMappingURL=staging.d.ts.map

package/dist/plugins/pipelines/factiii/staging.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"staging.d.ts","sourceRoot":"","sources":["../../../../src/plugins/pipelines/factiii/staging.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAQH,OAAO,KAAK,EACV,aAAa,EACb,iBAAiB,EACjB,YAAY,EACb,MAAM,yBAAyB,CAAC;AAEjC;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAgBzD;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,CACvC,SAAS,EAAE,iBAAiB,EAC5B,UAAU,EAAE,OAAO,GAClB,OAAO,CAAC,IAAI,CAAC,CAuFf;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,aAAa,EACrB,SAAS,EAAE,iBAAiB,GAC3B,OAAO,CAAC,YAAY,CAAC,CA4DvB"}