@h-rig/runtime 0.0.6-alpha.0

package/dist/src/control-plane/tasks/task-record-reader.js

@@ -0,0 +1,9 @@
+// @bun
+// packages/runtime/src/control-plane/tasks/task-record-reader.ts
+async function findTaskById(reader, id) {
+  const tasks = await reader.listTasks();
+  return tasks.find((task) => task.id === id) ?? null;
+}
+export {
+  findTaskById
+};

package/dist/src/control-plane/validators/boundary/public-apis.js

@@ -0,0 +1,107 @@
+#!/usr/bin/env bun
+// @bun
+
+// packages/runtime/src/control-plane/validators/boundary/public-apis.ts
+import { existsSync, readFileSync, readdirSync } from "fs";
+import { join } from "path";
+import { Checker } from "@rig/validator-kit";
+var ID = "boundary:public-apis";
+var checker = new Checker;
+var workspaceRoot = process.cwd();
+var modulesRoots = findModulesRoots(workspaceRoot, 0);
+if (modulesRoots.length === 0) {
+  checker.pass("no modules directory present");
+  checker.emit(ID);
+}
+var moduleDirs = [];
+for (const modulesRoot of modulesRoots) {
+  for (const entry of readdirSync(modulesRoot, { withFileTypes: true })) {
+    if (entry.isDirectory()) {
+      moduleDirs.push(join(modulesRoot, entry.name));
+    }
+  }
+}
+for (const moduleDir of moduleDirs) {
+  const moduleName = relativeModuleName(workspaceRoot, moduleDir);
+  const tsFiles = collectTsFiles(moduleDir);
+  if (tsFiles.length === 0) {
+    continue;
+  }
+  const indexPath = join(moduleDir, "index.ts");
+  if (!existsSync(indexPath)) {
+    checker.fail(moduleName, `missing index.ts in src/modules/${moduleName}/`);
+    continue;
+  }
+  if (!indexHasExports(indexPath)) {
+    checker.fail(moduleName, `src/modules/${moduleName}/index.ts has no export statements`);
+    continue;
+  }
+  checker.pass(moduleName);
+}
+checker.emit(ID);
+function findModulesRoots(start, depth, max = 6) {
+  const out = [];
+  if (depth > max)
+    return out;
+  if (!existsSync(start))
+    return out;
+  let entries;
+  try {
+    entries = readdirSync(start, { withFileTypes: true });
+  } catch {
+    return out;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory())
+      continue;
+    if (entry.name === "node_modules" || entry.name === ".git" || entry.name === ".rig")
+      continue;
+    if (entry.name === "modules" && depth >= 1) {
+      const parts = start.split("/");
+      if (parts[parts.length - 1] === "src") {
+        out.push(join(start, entry.name));
+        continue;
+      }
+    }
+    out.push(...findModulesRoots(join(start, entry.name), depth + 1, max));
+  }
+  return out;
+}
+function relativeModuleName(workspaceRoot2, moduleDir) {
+  const rel = moduleDir.startsWith(workspaceRoot2) ? moduleDir.slice(workspaceRoot2.length + 1) : moduleDir;
+  const segments = rel.split("/");
+  const idx = segments.lastIndexOf("modules");
+  if (idx >= 0 && idx < segments.length - 1) {
+    return segments.slice(idx + 1).join("/");
+  }
+  return rel;
+}
+function collectTsFiles(dir) {
+  const out = [];
+  const entries = readdirSync(dir, { withFileTypes: true });
+  for (const entry of entries) {
+    const path = join(dir, entry.name);
+    if (entry.isDirectory()) {
+      out.push(...collectTsFiles(path));
+    } else if (entry.isFile() && entry.name.endsWith(".ts")) {
+      out.push(path);
+    }
+  }
+  return out;
+}
+function indexHasExports(indexPath) {
+  const lines = readFileSync(indexPath, "utf-8").split(/\r?\n/);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed)
+      continue;
+    if (trimmed.startsWith("//"))
+      continue;
+    if (trimmed.startsWith("/*") || trimmed.startsWith("*"))
+      continue;
+    if (/^export\b/.test(trimmed)) {
+      return true;
+    }
+  }
+  return false;
+}

package/dist/src/control-plane/validators/integration/_shared.js

@@ -0,0 +1,51 @@
+// @bun
+// packages/runtime/src/control-plane/validators/integration/_shared.ts
+import { existsSync, readFileSync, readdirSync, statSync } from "fs";
+import { join, resolve } from "path";
+function findAdminServiceRoot(workspaceRoot) {
+  const candidates = [
+    resolve(workspaceRoot, "microservices", "hp-admin-service")
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(candidate))
+      return candidate;
+  }
+  return findRecursive(workspaceRoot, "hp-admin-service", 0, 6);
+}
+function findRecursive(dir, name, depth, max) {
+  if (depth > max || !existsSync(dir))
+    return null;
+  let entries;
+  try {
+    entries = readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return null;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory())
+      continue;
+    if (entry.name === "node_modules" || entry.name === ".git")
+      continue;
+    if (entry.name === name)
+      return join(dir, name);
+    const nested = findRecursive(join(dir, entry.name), name, depth + 1, max);
+    if (nested)
+      return nested;
+  }
+  return null;
+}
+function readFileOrNull(path) {
+  if (!existsSync(path))
+    return null;
+  try {
+    if (!statSync(path).isFile())
+      return null;
+    return readFileSync(path, "utf-8");
+  } catch {
+    return null;
+  }
+}
+export {
+  readFileOrNull,
+  findAdminServiceRoot
+};

package/dist/src/control-plane/validators/integration/adm-audit-http.js

@@ -0,0 +1,85 @@
+#!/usr/bin/env bun
+// @bun
+
+// packages/runtime/src/control-plane/validators/integration/adm-audit-http.ts
+import { resolve as resolve2 } from "path";
+import { Checker } from "@rig/validator-kit";
+
+// packages/runtime/src/control-plane/validators/integration/_shared.ts
+import { existsSync, readFileSync, readdirSync, statSync } from "fs";
+import { join, resolve } from "path";
+function findAdminServiceRoot(workspaceRoot) {
+  const candidates = [
+    resolve(workspaceRoot, "microservices", "hp-admin-service")
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(candidate))
+      return candidate;
+  }
+  return findRecursive(workspaceRoot, "hp-admin-service", 0, 6);
+}
+function findRecursive(dir, name, depth, max) {
+  if (depth > max || !existsSync(dir))
+    return null;
+  let entries;
+  try {
+    entries = readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return null;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory())
+      continue;
+    if (entry.name === "node_modules" || entry.name === ".git")
+      continue;
+    if (entry.name === name)
+      return join(dir, name);
+    const nested = findRecursive(join(dir, entry.name), name, depth + 1, max);
+    if (nested)
+      return nested;
+  }
+  return null;
+}
+function readFileOrNull(path) {
+  if (!existsSync(path))
+    return null;
+  try {
+    if (!statSync(path).isFile())
+      return null;
+    return readFileSync(path, "utf-8");
+  } catch {
+    return null;
+  }
+}
+
+// packages/runtime/src/control-plane/validators/integration/adm-audit-http.ts
+var ID = "integration:adm-audit-http";
+var checker = new Checker;
+var adminRoot = findAdminServiceRoot(process.cwd());
+if (!adminRoot) {
+  checker.fail("hp-admin-service", "missing microservices/hp-admin-service directory");
+  checker.emit(ID);
+}
+var routes = readFileOrNull(resolve2(adminRoot, "src", "http", "audit-routes.ts"));
+if (routes === null) {
+  checker.fail("audit-routes.ts", "src/http/audit-routes.ts is missing");
+  checker.emit(ID);
+}
+if (!/AuditService\.findEvents/.test(routes)) {
+  checker.fail("AuditService.findEvents proxy", "audit-routes.ts must proxy to AuditService.findEvents via grpc field");
+} else {
+  checker.pass("AuditService.findEvents proxy");
+}
+var expectedQueryFields = ["adminId", "action", "resourceType", "page", "pageSize"];
+var missing = expectedQueryFields.filter((field) => !routes.includes(`"${field}"`));
+if (missing.length > 0) {
+  checker.fail("paginated query fields", `audit-routes.ts query is missing fields: ${missing.join(", ")}`);
+} else {
+  checker.pass("paginated query fields");
+}
+if (/collection\.\w+\(|\bDb\.collection\(|humanity_AdminAuditLogs\s+collection/.test(routes)) {
+  checker.fail("no direct Mongo access", "audit-routes.ts must not access Mongo collections directly; use AuditService.findEvents instead");
+} else {
+  checker.pass("no direct Mongo access");
+}
+checker.emit(ID);

package/dist/src/control-plane/validators/integration/adm-auth-http.js

@@ -0,0 +1,78 @@
+#!/usr/bin/env bun
+// @bun
+
+// packages/runtime/src/control-plane/validators/integration/adm-auth-http.ts
+import { resolve as resolve2 } from "path";
+import { Checker } from "@rig/validator-kit";
+
+// packages/runtime/src/control-plane/validators/integration/_shared.ts
+import { existsSync, readFileSync, readdirSync, statSync } from "fs";
+import { join, resolve } from "path";
+function findAdminServiceRoot(workspaceRoot) {
+  const candidates = [
+    resolve(workspaceRoot, "microservices", "hp-admin-service")
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(candidate))
+      return candidate;
+  }
+  return findRecursive(workspaceRoot, "hp-admin-service", 0, 6);
+}
+function findRecursive(dir, name, depth, max) {
+  if (depth > max || !existsSync(dir))
+    return null;
+  let entries;
+  try {
+    entries = readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return null;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory())
+      continue;
+    if (entry.name === "node_modules" || entry.name === ".git")
+      continue;
+    if (entry.name === name)
+      return join(dir, name);
+    const nested = findRecursive(join(dir, entry.name), name, depth + 1, max);
+    if (nested)
+      return nested;
+  }
+  return null;
+}
+function readFileOrNull(path) {
+  if (!existsSync(path))
+    return null;
+  try {
+    if (!statSync(path).isFile())
+      return null;
+    return readFileSync(path, "utf-8");
+  } catch {
+    return null;
+  }
+}
+
+// packages/runtime/src/control-plane/validators/integration/adm-auth-http.ts
+var ID = "integration:adm-auth-http";
+var checker = new Checker;
+var adminRoot = findAdminServiceRoot(process.cwd());
+if (!adminRoot) {
+  checker.fail("hp-admin-service", "missing microservices/hp-admin-service directory");
+  checker.emit(ID);
+}
+var routes = readFileOrNull(resolve2(adminRoot, "src", "http", "auth-routes.ts"));
+if (routes === null) {
+  checker.fail("auth-routes.ts", "src/http/auth-routes.ts is missing");
+  checker.emit(ID);
+}
+if (!/X-HP-Admin-Key/.test(routes)) {
+  checker.fail("X-HP-Admin-Key enforcement", 'auth-routes.ts must declare adminKeyHeader = "X-HP-Admin-Key" enforcement');
+} else {
+  checker.pass("X-HP-Admin-Key enforcement");
+}
+if (!/\b(OrgService|ApiKeyService)\.\w+/.test(routes)) {
+  checker.fail("auth-routes proxy", "auth-routes.ts must proxy to OrgService.* / ApiKeyService.* gRPC methods");
+} else {
+  checker.pass("auth-routes proxy");
+}
+checker.emit(ID);

package/dist/src/control-plane/validators/integration/adm-issuer-http.js

@@ -0,0 +1,80 @@
+#!/usr/bin/env bun
+// @bun
+
+// packages/runtime/src/control-plane/validators/integration/adm-issuer-http.ts
+import { resolve as resolve2 } from "path";
+import { Checker } from "@rig/validator-kit";
+
+// packages/runtime/src/control-plane/validators/integration/_shared.ts
+import { existsSync, readFileSync, readdirSync, statSync } from "fs";
+import { join, resolve } from "path";
+function findAdminServiceRoot(workspaceRoot) {
+  const candidates = [
+    resolve(workspaceRoot, "microservices", "hp-admin-service")
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(candidate))
+      return candidate;
+  }
+  return findRecursive(workspaceRoot, "hp-admin-service", 0, 6);
+}
+function findRecursive(dir, name, depth, max) {
+  if (depth > max || !existsSync(dir))
+    return null;
+  let entries;
+  try {
+    entries = readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return null;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory())
+      continue;
+    if (entry.name === "node_modules" || entry.name === ".git")
+      continue;
+    if (entry.name === name)
+      return join(dir, name);
+    const nested = findRecursive(join(dir, entry.name), name, depth + 1, max);
+    if (nested)
+      return nested;
+  }
+  return null;
+}
+function readFileOrNull(path) {
+  if (!existsSync(path))
+    return null;
+  try {
+    if (!statSync(path).isFile())
+      return null;
+    return readFileSync(path, "utf-8");
+  } catch {
+    return null;
+  }
+}
+
+// packages/runtime/src/control-plane/validators/integration/adm-issuer-http.ts
+var ID = "integration:adm-issuer-http";
+var checker = new Checker;
+var adminRoot = findAdminServiceRoot(process.cwd());
+if (!adminRoot) {
+  checker.fail("hp-admin-service", "missing microservices/hp-admin-service directory");
+  checker.emit(ID);
+}
+var routes = readFileOrNull(resolve2(adminRoot, "src", "http", "issuer-routes.ts"));
+if (routes === null) {
+  checker.fail("issuer-routes.ts", "src/http/issuer-routes.ts is missing");
+  checker.emit(ID);
+}
+if (!/\bIssuerService\.\w+/.test(routes)) {
+  checker.fail("issuer-routes routing", "issuer-routes.ts must proxy to IssuerService.* gRPC methods");
+} else {
+  checker.pass("issuer-routes routing");
+}
+var forbidden = ["hp-signer", "AWS KMS", "StakingManager"];
+var leaks = forbidden.filter((needle) => routes.includes(needle));
+if (leaks.length > 0) {
+  checker.fail("no signer/staking leak", `issuer-routes.ts must not contain ${leaks.join(", ")} \u2014 that logic belongs in hp-issuer-service`);
+} else {
+  checker.pass("no signer/staking leak");
+}
+checker.emit(ID);

package/dist/src/control-plane/validators/integration/adm-migration.js

@@ -0,0 +1,78 @@
+#!/usr/bin/env bun
+// @bun
+
+// packages/runtime/src/control-plane/validators/integration/adm-migration.ts
+import { resolve as resolve2 } from "path";
+import { Checker } from "@rig/validator-kit";
+
+// packages/runtime/src/control-plane/validators/integration/_shared.ts
+import { existsSync, readFileSync, readdirSync, statSync } from "fs";
+import { join, resolve } from "path";
+function findAdminServiceRoot(workspaceRoot) {
+  const candidates = [
+    resolve(workspaceRoot, "microservices", "hp-admin-service")
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(candidate))
+      return candidate;
+  }
+  return findRecursive(workspaceRoot, "hp-admin-service", 0, 6);
+}
+function findRecursive(dir, name, depth, max) {
+  if (depth > max || !existsSync(dir))
+    return null;
+  let entries;
+  try {
+    entries = readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return null;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory())
+      continue;
+    if (entry.name === "node_modules" || entry.name === ".git")
+      continue;
+    if (entry.name === name)
+      return join(dir, name);
+    const nested = findRecursive(join(dir, entry.name), name, depth + 1, max);
+    if (nested)
+      return nested;
+  }
+  return null;
+}
+function readFileOrNull(path) {
+  if (!existsSync(path))
+    return null;
+  try {
+    if (!statSync(path).isFile())
+      return null;
+    return readFileSync(path, "utf-8");
+  } catch {
+    return null;
+  }
+}
+
+// packages/runtime/src/control-plane/validators/integration/adm-migration.ts
+var ID = "integration:adm-migration";
+var checker = new Checker;
+var adminRoot = findAdminServiceRoot(process.cwd());
+if (!adminRoot) {
+  checker.fail("hp-admin-service", "missing microservices/hp-admin-service directory");
+  checker.emit(ID);
+}
+var migration = readFileOrNull(resolve2(adminRoot, "src", "migrations", "migrate-admin-audit-logs.ts"));
+if (migration === null) {
+  checker.fail("migrate-admin-audit-logs.ts", "src/migrations/migrate-admin-audit-logs.ts is missing");
+  checker.emit(ID);
+}
+if (!/\bdry-?run\b|\bdryRun\b/i.test(migration)) {
+  checker.fail("dry-run support", "migration script must support a dry-run mode (no dry-run parameter found)");
+} else {
+  checker.pass("dry-run support");
+}
+if (!/\bidempot/i.test(migration) && !/\bupsert\b/i.test(migration)) {
+  checker.fail("idempotency contract", "migration script must declare idempotent behavior (idempotent flag or upsert mode)");
+} else {
+  checker.pass("idempotency contract");
+}
+checker.emit(ID);

package/dist/src/control-plane/validators/integration/adm-scaffold.js

@@ -0,0 +1,78 @@
+#!/usr/bin/env bun
+// @bun
+
+// packages/runtime/src/control-plane/validators/integration/adm-scaffold.ts
+import { resolve as resolve2 } from "path";
+import { Checker } from "@rig/validator-kit";
+
+// packages/runtime/src/control-plane/validators/integration/_shared.ts
+import { existsSync, readFileSync, readdirSync, statSync } from "fs";
+import { join, resolve } from "path";
+function findAdminServiceRoot(workspaceRoot) {
+  const candidates = [
+    resolve(workspaceRoot, "microservices", "hp-admin-service")
+  ];
+  for (const candidate of candidates) {
+    if (existsSync(candidate))
+      return candidate;
+  }
+  return findRecursive(workspaceRoot, "hp-admin-service", 0, 6);
+}
+function findRecursive(dir, name, depth, max) {
+  if (depth > max || !existsSync(dir))
+    return null;
+  let entries;
+  try {
+    entries = readdirSync(dir, { withFileTypes: true });
+  } catch {
+    return null;
+  }
+  for (const entry of entries) {
+    if (!entry.isDirectory())
+      continue;
+    if (entry.name === "node_modules" || entry.name === ".git")
+      continue;
+    if (entry.name === name)
+      return join(dir, name);
+    const nested = findRecursive(join(dir, entry.name), name, depth + 1, max);
+    if (nested)
+      return nested;
+  }
+  return null;
+}
+function readFileOrNull(path) {
+  if (!existsSync(path))
+    return null;
+  try {
+    if (!statSync(path).isFile())
+      return null;
+    return readFileSync(path, "utf-8");
+  } catch {
+    return null;
+  }
+}
+
+// packages/runtime/src/control-plane/validators/integration/adm-scaffold.ts
+var ID = "integration:adm-scaffold";
+var checker = new Checker;
+var adminRoot = findAdminServiceRoot(process.cwd());
+if (!adminRoot) {
+  checker.fail("hp-admin-service", "missing microservices/hp-admin-service directory");
+  checker.emit(ID);
+}
+for (const file of ["package.json", "tsconfig.json", "Dockerfile", "docker-compose.yml"]) {
+  if (readFileOrNull(resolve2(adminRoot, file)) === null) {
+    checker.fail(file, `missing required file: ${file}`);
+  } else {
+    checker.pass(file);
+  }
+}
+var compose = readFileOrNull(resolve2(adminRoot, "docker-compose.yml"));
+if (compose !== null) {
+  if (!/\bmongo\b/i.test(compose)) {
+    checker.fail("docker-compose mongo", "docker-compose.yml is missing a mongo service contract");
+  } else {
+    checker.pass("docker-compose mongo");
+  }
+}
+checker.emit(ID);

package/dist/src/control-plane/validators/runtime-registration.js

@@ -0,0 +1,64 @@
+// @bun
+// packages/runtime/src/control-plane/validators/runtime-registration.ts
+import { existsSync } from "fs";
+import { join } from "path";
+function createValidatorRegistry() {
+  const map = new Map;
+  const order = [];
+  const registry = {
+    register(v) {
+      if (map.has(v.id))
+        throw new Error(`validator already registered: ${v.id}`);
+      map.set(v.id, v);
+      order.push(v);
+    },
+    resolve(id) {
+      const v = map.get(id);
+      if (!v)
+        throw new Error(`validator not registered: ${id}`);
+      return v;
+    },
+    list: () => order
+  };
+  registerBuiltInValidators(registry);
+  return registry;
+}
+function registerBuiltInValidators(registry) {
+  registry.register({
+    id: "std:typecheck",
+    category: "custom",
+    description: "Runs the package typecheck script when present.",
+    run: async (ctx) => runStdTypecheck(ctx)
+  });
+}
+async function runStdTypecheck(ctx) {
+  const packageJsonPath = join(ctx.workspaceRoot, "package.json");
+  if (!existsSync(packageJsonPath)) {
+    return {
+      id: "std:typecheck",
+      passed: false,
+      summary: `package.json not found at ${packageJsonPath}`
+    };
+  }
+  const proc = Bun.spawn(["bun", "run", "typecheck"], {
+    cwd: ctx.workspaceRoot,
+    env: process.env,
+    stdout: "pipe",
+    stderr: "pipe"
+  });
+  const [exitCode, stdout, stderr] = await Promise.all([
+    proc.exited,
+    new Response(proc.stdout).text(),
+    new Response(proc.stderr).text()
+  ]);
+  const output = `${stdout}${stderr}`.trim();
+  return {
+    id: "std:typecheck",
+    passed: exitCode === 0,
+    summary: exitCode === 0 ? "typecheck passed" : "typecheck failed",
+    ...output ? { details: output.slice(0, 4000) } : {}
+  };
+}
+export {
+  createValidatorRegistry
+};