@gezelligate/core 0.1.0

package/dist/schema/serviceYaml.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"serviceYaml.d.ts","sourceRoot":"","sources":["../../src/schema/serviceYaml.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAQ1B,CAAC;AAEH,QAAA,MAAM,gBAAgB;;;;;;;;;;;;;;;EAKpB,CAAC;AAEH,QAAA,MAAM,YAAY;;;;;;;;;;;;EAIhB,CAAC;AAQH,QAAA,MAAM,cAAc;;;;;;;;;;;;;;;;;;EAMT,CAAC;AAMZ,QAAA,MAAM,WAAW;;;;;;EAEN,CAAC;AAuHZ,QAAA,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAMhB,CAAC;AAEH,QAAA,MAAM,cAAc;;;;;;EAElB,CAAC;AAYH,QAAA,MAAM,kBAAkB;;;;;;;;;EAGtB,CAAC;AAEH,QAAA,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EASlB,CAAC;AAoBH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAgB5B,CAAC;AAEH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAC5D,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AACxD,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAC1D,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAClD,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AACtD,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AACtD,MAAM,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAChD,MAAM,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAClD,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAC9D,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC"}

package/dist/schema/serviceYaml.js

@@ -0,0 +1,200 @@
+import { z } from "zod";
+export const FormFieldSchema = z.object({
+    key: z.string().min(1),
+    label: z.string().min(1),
+    type: z.enum(["string", "email", "boolean", "number", "select"]),
+    default: z.union([z.string(), z.number(), z.boolean()]).optional(),
+    required: z.boolean().optional(),
+    help: z.string().optional(),
+    options: z.array(z.object({ value: z.string(), label: z.string() })).optional()
+});
+const DependencySchema = z.object({
+    service: z.string().min(1),
+    reason: z.string().min(1),
+    required: z.boolean(),
+    when: z.string().optional()
+});
+const SecretSchema = z.object({
+    key: z.string().regex(/^[A-Z][A-Z0-9_]*$/, "must be UPPER_SNAKE_CASE"),
+    generator: z.enum(["password", "hex", "uuid"]),
+    length: z.number().int().positive().optional()
+});
+// Services declare a database NEED with `preferShared` (default true). The
+// renderer decides where that need is satisfied by matching against a service
+// that provides `sharedDatabase` (when preferShared is true and such a
+// provider is in the dependency closure). When no provider exists, or when
+// preferShared is false, the renderer falls back to a per-service sidecar
+// using the optional `storage` field.
+const DatabaseSchema = z.object({
+    engine: z.literal("postgres"),
+    preferShared: z.boolean().default(true),
+    name: z.string().min(1),
+    user: z.string().min(1),
+    storage: z.string().optional()
+}).strict();
+// Services declare a redis NEED with `preferShared` (default true). The
+// renderer routes the service's Redis traffic to whichever service provides
+// `sharedRedis` in the dependency closure. Consumers must namespace their
+// keys; every consumer uses logical DB 0.
+const RedisSchema = z.object({
+    preferShared: z.boolean().default(true)
+}).strict();
+const OidcClientSchema = z.object({
+    clientId: z.string().min(1),
+    redirectUris: z.array(z.string().min(1)),
+    scopes: z.array(z.string().min(1)),
+    // Shape of the `/userinfo` response we ask Keycloak to emit for this
+    // client. "oidc" is the standard set of OIDC claims (sub, preferred_username,
+    // email, ...). "gitlab" mimics GitLab's `/api/v4/user` shape (numeric `id`,
+    // `username`, `name`, `email`) — required by Mattermost Team Edition's
+    // `gitlab` OAuth provider, which is the only provider compiled into the
+    // open-source Mattermost binary.
+    userinfoFormat: z.enum(["oidc", "gitlab"]).optional(),
+    // When true, the realm-import enables Keycloak's standard token-exchange
+    // grant on this client. Any service whose backend exchanges its session
+    // token for vendor-audience tokens (e.g. the bridge) opts in here.
+    tokenExchange: z.boolean().optional()
+});
+const IngressSchema = z.object({
+    host: z.string().min(1),
+    port: z.number().int().positive(),
+    // Optional override for the Kubernetes backend Service. Defaults: service
+    // name equals the gezelligate service name; port equals `ingress.port`.
+    // Helm charts that name their Service something other than the release
+    // (e.g. keycloakx creates `<release>-keycloakx-http`) must set this.
+    k8s: z
+        .object({
+        service: z.string().min(1).optional(),
+        port: z.number().int().positive().optional(),
+        // Optional path-based overrides. Each entry routes requests
+        // whose path starts with `prefix` to a different Service+port,
+        // higher priority than the default catch-all route. Used by
+        // multi-component services (e.g. meet — SPA at /, Django API
+        // at /api/*) so a single Host() can fan out across backends.
+        pathOverrides: z
+            .array(z.object({
+            prefix: z.string().min(1),
+            service: z.string().min(1),
+            port: z.number().int().positive()
+        }))
+            .optional()
+    })
+        .optional()
+});
+const BridgeTileSchema = z.object({
+    name: z.string().min(1),
+    icon: z.string().min(1),
+    url: z.string().min(1)
+});
+const BridgeActivitySchema = z.object({
+    api: z.object({
+        unreadEndpoint: z.string().min(1),
+        auth: z.enum(["oidc-passthrough", "service-token"])
+    })
+});
+const BridgeRecentItemsSchema = z.object({
+    api: z.object({
+        endpoint: z.string().min(1),
+        limit: z.number().int().positive(),
+        mapping: z.object({
+            id: z.string().min(1),
+            title: z.string().min(1),
+            url: z.string().min(1),
+            timestamp: z.string().min(1)
+        })
+    })
+});
+const BridgeDbReadSchema = z.object({
+    tables: z.array(z.string().min(1)).min(1)
+});
+const BridgeSearchApiSchema = z.object({
+    method: z.enum(["GET", "POST"]),
+    endpoint: z.string().min(1),
+    body: z.string().optional(),
+    auth: z.enum(["oidc-passthrough", "service-token"]),
+    mapping: z.object({
+        id: z.string().min(1),
+        title: z.string().min(1),
+        url: z.string().min(1),
+        timestamp: z.string().min(1),
+        snippet: z.string().min(1).optional()
+    })
+});
+const SqlColumnIdent = z.string().regex(/^[A-Za-z_][A-Za-z0-9_]*$/, "must be a SQL column identifier");
+const BridgeSearchIndexSchema = z.object({
+    table: z.string().regex(/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/, "table must be a SQL identifier (schema.name or name)"),
+    where: z.string().optional(),
+    watermark: SqlColumnIdent,
+    fields: z.object({
+        id: SqlColumnIdent,
+        title: SqlColumnIdent,
+        body: SqlColumnIdent,
+        url: SqlColumnIdent,
+        timestamp: SqlColumnIdent
+    })
+});
+const BridgeSearchSchema = z.object({
+    api: BridgeSearchApiSchema.optional(),
+    index: BridgeSearchIndexSchema.optional()
+}).refine((s) => s.api !== undefined || s.index !== undefined, { message: "bridge.search must declare at least one of api or index" });
+const BridgeSchema = z.object({
+    tile: BridgeTileSchema,
+    activity: BridgeActivitySchema.optional(),
+    recentItems: BridgeRecentItemsSchema.optional(),
+    dbRead: BridgeDbReadSchema.optional(),
+    search: BridgeSearchSchema.optional()
+});
+const UserSeedSchema = z.object({
+    passwordEnv: z.string().regex(/^[A-Z][A-Z0-9_]*$/, "must be UPPER_SNAKE_CASE")
+});
+const OidcServerSchema = z.object({
+    realmEnv: z.string().regex(/^[A-Z][A-Z0-9_]*$/).optional()
+});
+const SharedDatabaseSchema = z.object({
+    engine: z.literal("postgres")
+});
+const SharedRedisSchema = z.object({}).default({});
+const BridgeReaderSchema = z.object({
+    roleName: z.string().min(1),
+    passwordEnv: z.string().regex(/^[A-Z][A-Z0-9_]*$/, "must be UPPER_SNAKE_CASE")
+});
+const ProvidesSchema = z.object({
+    oidcClient: OidcClientSchema.optional(),
+    oidcServer: OidcServerSchema.optional(),
+    userSeed: UserSeedSchema.optional(),
+    ingress: IngressSchema.optional(),
+    bridge: BridgeSchema.optional(),
+    bridgeReader: BridgeReaderSchema.optional(),
+    sharedDatabase: SharedDatabaseSchema.optional(),
+    sharedRedis: SharedRedisSchema.optional()
+});
+const DockerTargetSchema = z.object({
+    template: z.string().min(1)
+});
+const KubernetesTargetSchema = z.object({
+    helmChart: z.string().min(1),
+    helmVersion: z.string().min(1),
+    valuesTemplate: z.string().min(1)
+});
+const TargetsSchema = z.object({
+    docker: DockerTargetSchema.optional(),
+    kubernetes: KubernetesTargetSchema.optional()
+}).refine((t) => t.docker !== undefined || t.kubernetes !== undefined, { message: "at least one target (docker or kubernetes) must be defined" });
+export const ServiceYamlSchema = z.object({
+    name: z.string().regex(/^[a-z][a-z0-9-]*$/, "must be kebab-case"),
+    displayName: z.string().min(1),
+    description: z.string(),
+    category: z.string().min(1),
+    required: z.boolean(),
+    hidden: z.boolean().optional(),
+    kernel: z.boolean().optional(),
+    icon: z.string().optional(),
+    form: z.array(FormFieldSchema),
+    dependencies: z.array(DependencySchema),
+    secrets: z.array(SecretSchema),
+    database: DatabaseSchema.optional(),
+    redis: RedisSchema.optional(),
+    provides: ProvidesSchema,
+    targets: TargetsSchema
+});
+//# sourceMappingURL=serviceYaml.js.map

package/dist/schema/serviceYaml.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"serviceYaml.js","sourceRoot":"","sources":["../../src/schema/serviceYaml.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAChE,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;IAClE,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAChC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE;CAChF,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACzB,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE;IACrB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC5B,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,mBAAmB,EAAE,0BAA0B,CAAC;IACtE,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IAC9C,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;CAC/C,CAAC,CAAC;AAEH,2EAA2E;AAC3E,8EAA8E;AAC9E,uEAAuE;AACvE,2EAA2E;AAC3E,0EAA0E;AAC1E,sCAAsC;AACtC,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9B,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAC7B,YAAY,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;IACvC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC/B,CAAC,CAAC,MAAM,EAAE,CAAC;AAEZ,wEAAwE;AACxE,4EAA4E;AAC5E,0EAA0E;AAC1E,0CAA0C;AAC1C,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,CAAC;IAC3B,YAAY,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC;CACxC,CAAC,CAAC,MAAM,EAAE,CAAC;AAEZ,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACxC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAClC,qEAAqE;IACrE,8EAA8E;IAC9E,4EAA4E;IAC5E,uEAAuE;IACvE,wEAAwE;IACxE,iCAAiC;IACjC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE;IACrD,yEAAyE;IACzE,wEAAwE;IACxE,mEAAmE;IACnE,aAAa,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;CACtC,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;IACjC,0EAA0E;IAC1E,wEAAwE;IACxE,uEAAuE;IACvE,qEAAqE;IACrE,GAAG,EAAE,CAAC;SACH,MAAM,CAAC;QACN,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;QACrC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE;QAC5C,4DAA4D;QAC5D,+DAA+D;QAC/D,4DAA4D;QAC5D,6DAA6D;QAC7D,6DAA6D;QAC7D,aAAa,EAAE,CAAC;aACb,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;YACP,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;SAClC,CAAC,CACH;aACA,QAAQ,EAAE;KACd,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACvB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CACvB,CAAC,CAAC;AAEH,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC;QACZ,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACjC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,kBAAkB,EAAE,eAAe,CAAC,CAAC;KACpD,CAAC;CACH,CAAC,CAAC;AAEH,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,GAAG,EAAE,CAAC,CAAC,MAAM,CAAC;QACZ,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC3B,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;QAClC,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;YAChB,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YACrB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YACxB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;YACtB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;SAC7B,CAAC;KACH,CAAC;CACH,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;CAC1C,CAAC,CAAC;AAEH,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC;IACrC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IAC/B,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,kBAAkB,EAAE,eAAe,CAAC,CAAC;IACnD,OAAO,EAAE,CAAC,CAAC,MAAM,CAAC;QAChB,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACrB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACxB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QACtB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5B,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;KACtC,CAAC;CACH,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CACrC,0BAA0B,EAC1B,iCAAiC,CAClC,CAAC;AAEF,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC;IACvC,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,qDAAqD,EAC3E,sDAAsD,CAAC;IACzD,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,SAAS,EAAE,cAAc;IACzB,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,EAAE,EAAE,cAAc;QAClB,KAAK,EAAE,cAAc;QACrB,IAAI,EAAE,cAAc;QACpB,GAAG,EAAE,cAAc;QACnB,SAAS,EAAE,cAAc;KAC1B,CAAC;CACH,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,GAAG,EAAE,qBAAqB,CAAC,QAAQ,EAAE;IACrC,KAAK,EAAE,uBAAuB,CAAC,QAAQ,EAAE;CAC1C,CAAC,CAAC,MAAM,CACP,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,SAAS,IAAI,CAAC,CAAC,KAAK,KAAK,SAAS,EACnD,EAAE,OAAO,EAAE,yDAAyD,EAAE,CACvE,CAAC;AAEF,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IAC5B,IAAI,EAAE,gBAAgB;IACtB,QAAQ,EAAE,oBAAoB,CAAC,QAAQ,EAAE;IACzC,WAAW,EAAE,uBAAuB,CAAC,QAAQ,EAAE;IAC/C,MAAM,EAAE,kBAAkB,CAAC,QAAQ,EAAE;IACrC,MAAM,EAAE,kBAAkB,CAAC,QAAQ,EAAE;CACtC,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,mBAAmB,EAAE,0BAA0B,CAAC;CAC/E,CAAC,CAAC;AAEH,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC,QAAQ,EAAE;CAC3D,CAAC,CAAC;AAEH,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAM,CAAC;IACpC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;CAC9B,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;AAEnD,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,mBAAmB,EAAE,0BAA0B,CAAC;CAC/E,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,CAAC,CAAC,MAAM,CAAC;IAC9B,UAAU,EAAE,gBAAgB,CAAC,QAAQ,EAAE;IACvC,UAAU,EAAE,gBAAgB,CAAC,QAAQ,EAAE;IACvC,QAAQ,EAAE,cAAc,CAAC,QAAQ,EAAE;IACnC,OAAO,EAAE,aAAa,CAAC,QAAQ,EAAE;IACjC,MAAM,EAAE,YAAY,CAAC,QAAQ,EAAE;IAC/B,YAAY,EAAE,kBAAkB,CAAC,QAAQ,EAAE;IAC3C,cAAc,EAAE,oBAAoB,CAAC,QAAQ,EAAE;IAC/C,WAAW,EAAE,iBAAiB,CAAC,QAAQ,EAAE;CAC1C,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAC5B,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,CAAC,CAAC,MAAM,CAAC;IACtC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;CAClC,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,MAAM,EAAE,kBAAkB,CAAC,QAAQ,EAAE;IACrC,UAAU,EAAE,sBAAsB,CAAC,QAAQ,EAAE;CAC9C,CAAC,CAAC,MAAM,CACP,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,EAC3D,EAAE,OAAO,EAAE,4DAA4D,EAAE,CAC1E,CAAC;AAEF,MAAM,CAAC,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACxC,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,mBAAmB,EAAE,oBAAoB,CAAC;IACjE,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9B,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;IACvB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3B,QAAQ,EAAE,CAAC,CAAC,OAAO,EAAE;IACrB,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC9B,MAAM,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;IAC9B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC3B,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC;IAC9B,YAAY,EAAE,CAAC,CAAC,KAAK,CAAC,gBAAgB,CAAC;IACvC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,YAAY,CAAC;IAC9B,QAAQ,EAAE,cAAc,CAAC,QAAQ,EAAE;IACnC,KAAK,EAAE,WAAW,CAAC,QAAQ,EAAE;IAC7B,QAAQ,EAAE,cAAc;IACxB,OAAO,EAAE,aAAa;CACvB,CAAC,CAAC"}

package/dist/secrets.d.ts

@@ -0,0 +1,4 @@
+import type { Secret } from "./schema/serviceYaml.js";
+export declare function generateSecret(secret: Secret): string;
+export declare function generateMissingSecrets(declared: Secret[], existing: Record<string, string>): Record<string, string>;
+//# sourceMappingURL=secrets.d.ts.map

package/dist/secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../src/secrets.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,yBAAyB,CAAC;AAItD,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAkBrD;AAED,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,MAAM,EAAE,EAClB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAQxB"}

package/dist/secrets.js

@@ -0,0 +1,31 @@
+import { randomBytes, randomUUID } from "node:crypto";
+const PASSWORD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-";
+export function generateSecret(secret) {
+    switch (secret.generator) {
+        case "password": {
+            const length = secret.length ?? 32;
+            const bytes = randomBytes(length);
+            let out = "";
+            for (let i = 0; i < length; i++) {
+                out += PASSWORD_ALPHABET[bytes[i] % PASSWORD_ALPHABET.length];
+            }
+            return out;
+        }
+        case "hex": {
+            const length = secret.length ?? 32;
+            return randomBytes(Math.ceil(length / 2)).toString("hex").slice(0, length);
+        }
+        case "uuid":
+            return randomUUID();
+    }
+}
+export function generateMissingSecrets(declared, existing) {
+    const out = { ...existing };
+    for (const s of declared) {
+        if (!(s.key in out)) {
+            out[s.key] = generateSecret(s);
+        }
+    }
+    return out;
+}
+//# sourceMappingURL=secrets.js.map

package/dist/secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.js","sourceRoot":"","sources":["../src/secrets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGtD,MAAM,iBAAiB,GAAG,kEAAkE,CAAC;AAE7F,MAAM,UAAU,cAAc,CAAC,MAAc;IAC3C,QAAQ,MAAM,CAAC,SAAS,EAAE,CAAC;QACzB,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;YAClC,IAAI,GAAG,GAAG,EAAE,CAAC;YACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAChC,GAAG,IAAI,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAE,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;YACjE,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;QACD,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;YACnC,OAAO,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QAC7E,CAAC;QACD,KAAK,MAAM;YACT,OAAO,UAAU,EAAE,CAAC;IACxB,CAAC;AACH,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,QAAkB,EAClB,QAAgC;IAEhC,MAAM,GAAG,GAA2B,EAAE,GAAG,QAAQ,EAAE,CAAC;IACpD,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,EAAE,CAAC;YACpB,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/secretsSummary.d.ts

@@ -0,0 +1,2 @@
+export declare function buildSecretsSummary(envByService: Record<string, Record<string, string>>, hiddenServices: ReadonlySet<string>): string;
+//# sourceMappingURL=secretsSummary.d.ts.map

package/dist/secretsSummary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretsSummary.d.ts","sourceRoot":"","sources":["../src/secretsSummary.ts"],"names":[],"mappings":"AAAA,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,EACpD,cAAc,EAAE,WAAW,CAAC,MAAM,CAAC,GAClC,MAAM,CAqDR"}

package/dist/secretsSummary.js

@@ -0,0 +1,50 @@
+export function buildSecretsSummary(envByService, hiddenServices) {
+    const lines = [];
+    lines.push("# Secrets Summary");
+    lines.push("");
+    lines.push("> **Save these to a password manager now.** This file is regenerated on every build and is gitignored. The secrets it contains are required to administer your stack.");
+    lines.push("");
+    const keycloakEnv = envByService["keycloak"] ?? {};
+    const userPasswords = Object.entries(keycloakEnv)
+        .filter(([k]) => k.startsWith("USER_") && k.endsWith("_TEMP_PASSWORD"))
+        .sort();
+    if (userPasswords.length > 0) {
+        lines.push("## Initial user first-login credentials");
+        lines.push("");
+        lines.push("> These are **temporary** passwords. Each user will be prompted to set a new password on their first login; after that, Keycloak stores only the hash and these values become meaningless. Share each password with its user via a secure channel.");
+        lines.push("");
+        for (const [k, v] of userPasswords) {
+            // USER_ALICE_TEMP_PASSWORD → alice
+            const username = k.slice("USER_".length, -"_TEMP_PASSWORD".length).toLowerCase();
+            lines.push(`- **${username}**: \`${v}\``);
+        }
+        lines.push("");
+    }
+    const names = Object.keys(envByService).sort();
+    const infraNames = names.filter((n) => hiddenServices.has(n));
+    const appNames = names.filter((n) => !hiddenServices.has(n));
+    if (infraNames.length > 0) {
+        lines.push("## Shared infrastructure");
+        lines.push("");
+        lines.push("> These credentials administer the cluster-wide services (like the shared Postgres superuser). Back them up first.");
+        lines.push("");
+        for (const n of infraNames) {
+            lines.push(`### ${n}`);
+            lines.push("");
+            for (const [k, v] of Object.entries(envByService[n] ?? {}).sort()) {
+                lines.push(`- ${k}: \`${v}\``);
+            }
+            lines.push("");
+        }
+    }
+    for (const n of appNames) {
+        lines.push(`## ${n}`);
+        lines.push("");
+        for (const [k, v] of Object.entries(envByService[n] ?? {}).sort()) {
+            lines.push(`- ${k}: \`${v}\``);
+        }
+        lines.push("");
+    }
+    return lines.join("\n");
+}
+//# sourceMappingURL=secretsSummary.js.map

package/dist/secretsSummary.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secretsSummary.js","sourceRoot":"","sources":["../src/secretsSummary.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,mBAAmB,CACjC,YAAoD,EACpD,cAAmC;IAEnC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IAChC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACf,KAAK,CAAC,IAAI,CAAC,uKAAuK,CAAC,CAAC;IACpL,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,MAAM,WAAW,GAAG,YAAY,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IACnD,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;SAC9C,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;SACtE,IAAI,EAAE,CAAC;IACV,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;QACtD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,oPAAoP,CAAC,CAAC;QACjQ,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,aAAa,EAAE,CAAC;YACnC,mCAAmC;YACnC,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;YACjF,KAAK,CAAC,IAAI,CAAC,OAAO,QAAQ,SAAS,CAAC,IAAI,CAAC,CAAC;QAC5C,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,IAAI,EAAE,CAAC;IAC/C,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAE7D,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QACvC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,oHAAoH,CAAC,CAAC;QACjI,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;YACvB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;gBAClE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACjC,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACtB,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;YAClE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACjC,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/services.d.ts

@@ -0,0 +1,7 @@
+import { type ConfigYaml } from "./schema/configYaml.js";
+export type Services = Map<string, ConfigYaml>;
+export declare function loadServices(rootDir: string): Promise<Services>;
+export declare function writeServiceConfig(rootDir: string, name: string, config: ConfigYaml): Promise<void>;
+export declare function loadEnv(rootDir: string, name: string): Promise<Record<string, string>>;
+export declare function writeEnv(rootDir: string, name: string, env: Record<string, string>): Promise<void>;
+//# sourceMappingURL=services.d.ts.map

package/dist/services.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"services.d.ts","sourceRoot":"","sources":["../src/services.ts"],"names":[],"mappings":"AAGA,OAAO,EAAoB,KAAK,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAE3E,MAAM,MAAM,QAAQ,GAAG,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;AAE/C,wBAAsB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAqBrE;AAED,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,IAAI,CAAC,CAIf;AAED,wBAAsB,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAkB5F;AAED,wBAAsB,QAAQ,CAC5B,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC1B,OAAO,CAAC,IAAI,CAAC,CAKf"}

package/dist/services.js

@@ -0,0 +1,66 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import yaml from "js-yaml";
+import { ConfigYamlSchema } from "./schema/configYaml.js";
+export async function loadServices(rootDir) {
+    const out = new Map();
+    const entries = await fs.readdir(rootDir, { withFileTypes: true }).catch((err) => {
+        if (err.code === "ENOENT")
+            return null;
+        throw err;
+    });
+    if (entries === null)
+        return out;
+    for (const entry of entries) {
+        if (!entry.isDirectory())
+            continue;
+        const cfgPath = path.join(rootDir, entry.name, "config.yaml");
+        let raw;
+        try {
+            raw = await fs.readFile(cfgPath, "utf8");
+        }
+        catch (err) {
+            if (err.code === "ENOENT")
+                continue;
+            throw err;
+        }
+        const parsed = ConfigYamlSchema.parse(yaml.load(raw));
+        out.set(entry.name, parsed);
+    }
+    return out;
+}
+export async function writeServiceConfig(rootDir, name, config) {
+    const dir = path.join(rootDir, name);
+    await fs.mkdir(dir, { recursive: true });
+    await fs.writeFile(path.join(dir, "config.yaml"), yaml.dump(config), "utf8");
+}
+export async function loadEnv(rootDir, name) {
+    const envPath = path.join(rootDir, name, ".env");
+    let raw;
+    try {
+        raw = await fs.readFile(envPath, "utf8");
+    }
+    catch (err) {
+        if (err.code === "ENOENT")
+            return {};
+        throw err;
+    }
+    const out = {};
+    for (const line of raw.split("\n")) {
+        const trimmed = line.trim();
+        if (!trimmed || trimmed.startsWith("#"))
+            continue;
+        const eq = trimmed.indexOf("=");
+        if (eq === -1)
+            continue;
+        out[trimmed.slice(0, eq)] = trimmed.slice(eq + 1);
+    }
+    return out;
+}
+export async function writeEnv(rootDir, name, env) {
+    const dir = path.join(rootDir, name);
+    await fs.mkdir(dir, { recursive: true });
+    const lines = Object.entries(env).map(([k, v]) => `${k}=${v}`);
+    await fs.writeFile(path.join(dir, ".env"), lines.join("\n") + "\n", "utf8");
+}
+//# sourceMappingURL=services.js.map

package/dist/services.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"services.js","sourceRoot":"","sources":["../src/services.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,IAAI,MAAM,SAAS,CAAC;AAC3B,OAAO,EAAE,gBAAgB,EAAmB,MAAM,wBAAwB,CAAC;AAI3E,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAAe;IAChD,MAAM,GAAG,GAAa,IAAI,GAAG,EAAE,CAAC;IAChC,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,GAA0B,EAAE,EAAE;QACtG,IAAI,GAAG,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QACvC,MAAM,GAAG,CAAC;IACZ,CAAC,CAAC,CAAC;IACH,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,GAAG,CAAC;IACjC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE;YAAE,SAAS;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;QAC9D,IAAI,GAAW,CAAC;QAChB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ;gBAAE,SAAS;YAC/D,MAAM,GAAG,CAAC;QACZ,CAAC;QACD,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACtD,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAe,EACf,IAAY,EACZ,MAAkB;IAElB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACrC,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC;AAC/E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,OAAe,EAAE,IAAY;IACzD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IACjD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAK,GAA6B,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO,EAAE,CAAC;QAChE,MAAM,GAAG,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAClD,MAAM,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAChC,IAAI,EAAE,KAAK,CAAC,CAAC;YAAE,SAAS;QACxB,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,OAAe,EACf,IAAY,EACZ,GAA2B;IAE3B,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IACrC,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACzC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/D,MAAM,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;AAC9E,CAAC"}

package/dist/sharedDb.d.ts

@@ -0,0 +1,3 @@
+import type { ServiceState } from "./keycloak.js";
+export declare function buildInitSql(states: ServiceState[]): string;
+//# sourceMappingURL=sharedDb.d.ts.map

package/dist/sharedDb.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sharedDb.d.ts","sourceRoot":"","sources":["../src/sharedDb.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAwBlD,wBAAgB,YAAY,CAAC,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,CAgH3D"}

package/dist/sharedDb.js

@@ -0,0 +1,104 @@
+import { findOne } from "./capabilities.js";
+// Postgres identifiers: letters, digits, underscores; max 63 bytes. We enforce
+// a safe subset because db.name / db.user are free-form strings in the schema.
+// Valid chars: [A-Za-z_][A-Za-z0-9_]*
+const IDENT_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
+function assertIdent(kind, value) {
+    if (!IDENT_RE.test(value)) {
+        throw new Error(`sharedDb: invalid ${kind} ${JSON.stringify(value)} — must match ${IDENT_RE.source}`);
+    }
+}
+function assertSafePassword(value) {
+    if (value.includes("'") || value.includes("\\")) {
+        throw new Error("sharedDb: password contains single-quote or backslash — cannot safely embed in init SQL");
+    }
+}
+export function buildInitSql(states) {
+    const shared = states.filter((s) => s.def.database !== undefined && (s.db?.mode ?? (s.def.database.preferShared ? "shared" : "dedicated")) === "shared");
+    if (shared.length === 0)
+        return "";
+    const stanzas = [];
+    for (const s of shared) {
+        const db = s.def.database;
+        const password = s.env.DB_PASSWORD;
+        if (!password) {
+            throw new Error(`sharedDb: service ${s.def.name} has database.preferShared but no DB_PASSWORD in env`);
+        }
+        assertIdent("database name", db.name);
+        assertIdent("database user", db.user);
+        assertSafePassword(password);
+        stanzas.push(`-- ${s.def.name}
+DO $$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${db.user}') THEN
+    CREATE USER ${db.user} WITH PASSWORD '${password}';
+  END IF;
+END$$;
+
+SELECT 'CREATE DATABASE ${db.name} OWNER ${db.user}'
+WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '${db.name}')\\gexec
+`);
+    }
+    // Helper to collect tables from both dbRead.tables and search.index.table
+    function readerTablesFor(s) {
+        const tables = new Set();
+        // Add tables from explicit dbRead declaration
+        for (const t of s.def.provides.bridge?.dbRead?.tables ?? []) {
+            tables.add(t);
+        }
+        // Add table from search.index if present
+        const idx = s.def.provides.bridge?.search?.index;
+        if (idx) {
+            tables.add(idx.table);
+        }
+        return [...tables];
+    }
+    // Handle bridge_reader grants for services that declare provides.bridge.dbRead
+    // or provides.bridge.search.index.table. The reader role identity (name +
+    // password env) comes from whichever service declares `provides.bridgeReader`
+    // — looked up by capability so the engine never depends on the string "bridge".
+    const readerServices = states.filter((s) => readerTablesFor(s).length > 0);
+    if (readerServices.length > 0) {
+        const readerProvider = findOne(states, "bridgeReader");
+        const readerCap = readerProvider?.def.provides.bridgeReader;
+        const readerPw = readerProvider && readerCap
+            ? readerProvider.env[readerCap.passwordEnv]
+            : undefined;
+        if (!readerProvider || !readerCap || !readerPw) {
+            throw new Error("sharedDb: a service declares provides.bridge.dbRead or provides.bridge.search.index but no enabled service declares provides.bridgeReader with a populated password env");
+        }
+        assertSafePassword(readerPw);
+        const readerRole = readerCap.roleName;
+        assertIdent("bridgeReader.roleName", readerRole);
+        stanzas.push(`-- ${readerRole} (cross-DB SELECT for the launcher's indexer + aggregate widgets)
+DO $$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${readerRole}') THEN
+    CREATE USER ${readerRole} WITH PASSWORD '${readerPw}';
+  END IF;
+END$$;
+`);
+        for (const s of readerServices) {
+            const db = s.def.database;
+            if (!db) {
+                throw new Error(`sharedDb: service ${s.def.name} declares provides.bridge.dbRead or provides.bridge.search.index but has no database`);
+            }
+            assertIdent("database name", db.name);
+            const tables = readerTablesFor(s);
+            const grants = [];
+            grants.push(`GRANT CONNECT ON DATABASE ${db.name} TO ${readerRole};`);
+            grants.push(`\\c ${db.name}`);
+            grants.push(`GRANT USAGE ON SCHEMA public TO ${readerRole};`);
+            for (const table of tables) {
+                // Validate table identifier (schema.table form allowed)
+                if (!/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/.test(table)) {
+                    throw new Error(`sharedDb: invalid table identifier ${JSON.stringify(table)}`);
+                }
+                grants.push(`GRANT SELECT ON ${table} TO ${readerRole};`);
+            }
+            stanzas.push(`-- bridge_reader grants for ${s.def.name}\n${grants.join("\n")}\n`);
+        }
+    }
+    return stanzas.join("\n");
+}
+//# sourceMappingURL=sharedDb.js.map

package/dist/sharedDb.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sharedDb.js","sourceRoot":"","sources":["../src/sharedDb.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAE5C,+EAA+E;AAC/E,+EAA+E;AAC/E,sCAAsC;AACtC,MAAM,QAAQ,GAAG,0BAA0B,CAAC;AAE5C,SAAS,WAAW,CAAC,IAAY,EAAE,KAAa;IAC9C,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,qBAAqB,IAAI,IAAI,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,iBAAiB,QAAQ,CAAC,MAAM,EAAE,CACrF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa;IACvC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAAsB;IACjD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACjC,CAAC,CAAC,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,KAAK,QAAQ,CACpH,CAAC;IACF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAEnC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,QAAS,CAAC;QAC3B,MAAM,QAAQ,GAAG,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC;QACnC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CACb,qBAAqB,CAAC,CAAC,GAAG,CAAC,IAAI,sDAAsD,CACtF,CAAC;QACJ,CAAC;QACD,WAAW,CAAC,eAAe,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QACtC,WAAW,CAAC,eAAe,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;QACtC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAE7B,OAAO,CAAC,IAAI,CACV,MAAM,CAAC,CAAC,GAAG,CAAC,IAAI;;;2DAGqC,EAAE,CAAC,IAAI;kBAChD,EAAE,CAAC,IAAI,mBAAmB,QAAQ;;;;0BAI1B,EAAE,CAAC,IAAI,UAAU,EAAE,CAAC,IAAI;6DACW,EAAE,CAAC,IAAI;CACnE,CACI,CAAC;IACJ,CAAC;IAED,0EAA0E;IAC1E,SAAS,eAAe,CAAC,CAAe;QACtC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;QACjC,8CAA8C;QAC9C,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,IAAI,EAAE,EAAE,CAAC;YAC5D,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAChB,CAAC;QACD,yCAAyC;QACzC,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC;QACjD,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACxB,CAAC;QACD,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC;IACrB,CAAC;IAED,+EAA+E;IAC/E,0EAA0E;IAC1E,8EAA8E;IAC9E,gFAAgF;IAChF,MAAM,cAAc,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC3E,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,MAAM,cAAc,GAAG,OAAO,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;QACvD,MAAM,SAAS,GAAG,cAAc,EAAE,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC;QAC5D,MAAM,QAAQ,GAAG,cAAc,IAAI,SAAS;YAC1C,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,WAAW,CAAC;YAC3C,CAAC,CAAC,SAAS,CAAC;QACd,IAAI,CAAC,cAAc,IAAI,CAAC,SAAS,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CACb,yKAAyK,CAC1K,CAAC;QACJ,CAAC;QACD,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QAC7B,MAAM,UAAU,GAAG,SAAS,CAAC,QAAQ,CAAC;QACtC,WAAW,CAAC,uBAAuB,EAAE,UAAU,CAAC,CAAC;QAEjD,OAAO,CAAC,IAAI,CACV,MAAM,UAAU;;;2DAGqC,UAAU;kBACnD,UAAU,mBAAmB,QAAQ;;;CAGtD,CACI,CAAC;QAEF,KAAK,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;YAC/B,MAAM,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC;YAC1B,IAAI,CAAC,EAAE,EAAE,CAAC;gBACR,MAAM,IAAI,KAAK,CACb,qBAAqB,CAAC,CAAC,GAAG,CAAC,IAAI,sFAAsF,CACtH,CAAC;YACJ,CAAC;YACD,WAAW,CAAC,eAAe,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC;YAEtC,MAAM,MAAM,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;YAClC,MAAM,MAAM,GAAa,EAAE,CAAC;YAC5B,MAAM,CAAC,IAAI,CAAC,6BAA6B,EAAE,CAAC,IAAI,OAAO,UAAU,GAAG,CAAC,CAAC;YACtE,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,mCAAmC,UAAU,GAAG,CAAC,CAAC;YAE9D,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,wDAAwD;gBACxD,IAAI,CAAC,qDAAqD,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBACvE,MAAM,IAAI,KAAK,CACb,sCAAsC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAC9D,CAAC;gBACJ,CAAC;gBACD,MAAM,CAAC,IAAI,CAAC,mBAAmB,KAAK,OAAO,UAAU,GAAG,CAAC,CAAC;YAC5D,CAAC;YAED,OAAO,CAAC,IAAI,CACV,+BAA+B,CAAC,CAAC,GAAG,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CACpE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC"}

package/dist/target.d.ts

@@ -0,0 +1,35 @@
+import type { GlobalConfig } from "./schema/configYaml.js";
+import type { ServiceState } from "./keycloak.js";
+/** Map of relative-output-path → file contents. */
+export type FileTree = Record<string, string>;
+export interface KubernetesExtras {
+    /** When provided, an `/opt/keycloak/data/import/realm-import.json` ConfigMap is emitted. */
+    realmImport?: string;
+    /**
+     * When provided, a `postgres-init` ConfigMap is emitted. The shared postgres
+     * StatefulSet mounts it at `/docker-entrypoint-initdb.d`, so Postgres runs
+     * every `CREATE USER` / `CREATE DATABASE` stanza on first boot.
+     */
+    postgresInitSql?: string;
+    /**
+     * Stringified bridge manifest JSON. When provided, a `bridge-manifest`
+     * ConfigMap is emitted under configmaps/. The bridge Deployment mounts it
+     * at /app/manifest/bridge-manifest.json.
+     */
+    bridgeManifestJson?: string;
+    /**
+     * Per-service icon SVG bodies, keyed by service name (no extension).
+     * When non-empty, a `bridge-icons` ConfigMap is emitted with one data key
+     * per entry: `<name>.svg`. The bridge Deployment mounts it at /app/icons.
+     */
+    bridgeIconsByService?: Record<string, string>;
+    /** Per-file dedicated-peer manifests. Key is the relative output path (e.g. "manifests/drive-postgres.yaml"). */
+    dedicatedPeerManifests?: Record<string, string>;
+}
+export type RenderDockerFn = (states: ServiceState[], global: GlobalConfig, templates: Map<string, string>, extraTopLevel: Record<string, string>, extraFragments?: string[]) => FileTree;
+export type RenderKubernetesFn = (states: ServiceState[], global: GlobalConfig, templates: Map<string, string>, extras: KubernetesExtras, lbAnnotations?: Record<string, string>) => FileTree;
+export interface RenderTargets {
+    docker?: RenderDockerFn;
+    kubernetes?: RenderKubernetesFn;
+}
+//# sourceMappingURL=target.d.ts.map

package/dist/target.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"target.d.ts","sourceRoot":"","sources":["../src/target.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAElD,mDAAmD;AACnD,MAAM,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAE9C,MAAM,WAAW,gBAAgB;IAC/B,4FAA4F;IAC5F,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9C,iHAAiH;IACjH,sBAAsB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjD;AAED,MAAM,MAAM,cAAc,GAAG,CAC3B,MAAM,EAAE,YAAY,EAAE,EACtB,MAAM,EAAE,YAAY,EACpB,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EAC9B,aAAa,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACrC,cAAc,CAAC,EAAE,MAAM,EAAE,KACtB,QAAQ,CAAC;AAEd,MAAM,MAAM,kBAAkB,GAAG,CAC/B,MAAM,EAAE,YAAY,EAAE,EACtB,MAAM,EAAE,YAAY,EACpB,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EAC9B,MAAM,EAAE,gBAAgB,EACxB,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KACnC,QAAQ,CAAC;AAEd,MAAM,WAAW,aAAa;IAC5B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,UAAU,CAAC,EAAE,kBAAkB,CAAC;CACjC"}

package/dist/target.js

@@ -0,0 +1,7 @@
+// Target abstraction. The core renderer is target-agnostic — it builds the
+// shared service plan, then delegates emission of artifact files to injected
+// target functions. Concrete renderers live in @gezelligate/{docker,k8s} and
+// are wired in by the caller (cli, studio). Core has no compile-time dep on
+// either renderer package; this is what breaks the workspace cycle.
+export {};
+//# sourceMappingURL=target.js.map

package/dist/target.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"target.js","sourceRoot":"","sources":["../src/target.ts"],"names":[],"mappings":"AAAA,2EAA2E;AAC3E,6EAA6E;AAC7E,6EAA6E;AAC7E,4EAA4E;AAC5E,oEAAoE"}

package/dist/templates/dedicated-postgres.docker.yaml.tmpl

@@ -0,0 +1,12 @@
+  {{name}}:
+    image: postgres:16-alpine
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: {{dbName}}
+      POSTGRES_USER: {{dbUser}}
+      POSTGRES_PASSWORD: {{envref passwordRef}}
+    volumes:
+      - {{name}}-data:/var/lib/postgresql/data
+
+volumes:
+  {{name}}-data: