@ingram-tech/pulumi-ingram-cloud 0.1.0

package/README.md

@@ -0,0 +1,133 @@
+# @ingram-tech/pulumi-ingram-cloud
+
+Pulumi dynamic resources for the [Ingram Cloud](https://cloud.ingram.tech) `/v1`
+API. Declare your tenant's IC configuration — blueprints, MCP servers, channels,
+webhooks, BYOK model keys — as Pulumi resources instead of imperative
+`register-*.ts` / `ensure-blueprint.ts` scripts, so it lives in state and a change
+is a `pulumi up`.
+
+The library is published from the `pulumi/` folder of the
+[`cloud.ingram.tech`](https://github.com/ingram-technologies/cloud.ingram.tech)
+repo so the wrapper tracks the `/v1` surface it wraps. The API version it targets
+is pinned per library version (`IC_API_VERSION`).
+
+## Install
+
+```bash
+bun add @ingram-tech/pulumi-ingram-cloud @pulumi/pulumi
+```
+
+## How the repos interact
+
+```
+cloud.ingram.tech/pulumi/   THIS LIBRARY — knows nothing about any consumer
+                            (Blueprint, McpServer, TelegramBot, WhatsAppConfig,
+                             Webhook, ModelKey, Secret)
+
+app repos (thornhill, …)    declare their BLUEPRINTS — the `instructions` are
+                            app-owned content (prompts), so they stay in the app
+                            repo, sourced from the app's own spec module. The app's
+                            Pulumi program imports this library + those specs.
+
+infra repo (~/src/infra)    declares tenant CHANNEL config (MCP, Telegram, WhatsApp,
+                            webhook, model keys) alongside DNS/DB/Vercel, and can
+                            read an app stack's outputs via pulumi.StackReference to
+                            push IC-derived values (blueprint ids, webhook secret)
+                            into Vercel env. No prompts ever live here.
+```
+
+The hard rule: **prompts never leave the app repo.** This library carries no
+content; it only carries the machinery.
+
+## Connection
+
+Every resource takes `baseUrl` + `token` (the tenant-admin bearer). Resolve them
+once with `connectionFromConfig()` and spread:
+
+```ts
+import * as ic from "@ingram-tech/pulumi-ingram-cloud";
+
+const conn = ic.connectionFromConfig(); // ingram-cloud:token (secret) / :baseUrl
+                                        // or env INGRAM_CLOUD_TOKEN|CLOUD_API_KEY
+```
+
+Set the token as a stack secret:
+
+```bash
+pulumi config set --secret ingram-cloud:token tha_live_…
+```
+
+## Resources
+
+### IcBlueprint (declare in the APP repo)
+
+Create-or-adopt by name → publish a new immutable version **only when the content
+changed** → roll it out. Mirrors the old `ensure-blueprint.ts` idempotency, so the
+first `pulumi up` after switching from a script **adopts** the existing blueprint
+(matched by name) rather than recreating it.
+
+```ts
+import { BLUEPRINT_SPECS } from "../src/lib/cloud/blueprint-spec"; // app-owned
+
+const curator = new ic.IcBlueprint("curator", {
+  ...conn,
+  name: BLUEPRINT_SPECS.curator.name,
+  instructions: BLUEPRINT_SPECS.curator.instructions,
+  model: BLUEPRINT_SPECS.curator.model,
+  autoMemory: BLUEPRINT_SPECS.curator.auto_memory,
+  // variables: [...], enabledHostedTools: [...], rolloutPercent: 100,
+});
+
+export const curatorBlueprintId = curator.blueprintId;
+```
+
+> Attaching **existing** principals to a blueprint is a one-time fleet backfill —
+> keep it as the app's migration script. New principals attach at birth in app code.
+> Pulumi does not own per-user runtime state.
+
+### IcMcpServer, IcTelegramBot, IcWhatsAppConfig, IcWebhook, IcModelKey (declare in INFRA)
+
+```ts
+new ic.IcMcpServer("thornhill-mcp", {
+  ...conn, serverName: "thornhill", url: `${APP_URL}/api/mcp`,
+  authKind: "static", secret: mcpSecret,
+});
+
+new ic.IcTelegramBot("thornhill-telegram", { ...conn, botToken });
+
+const hook = new ic.IcWebhook("thornhill-events", {
+  ...conn, url: `${APP_URL}/api/ic/events`,
+  events: ["run.completed", "approval.required", /* … */],
+});
+export const webhookSigningSecret = hook.secret; // whsec_… (create-only secret output)
+
+new ic.IcModelKey("anthropic", { ...conn, provider: "anthropic", apiKey });
+```
+
+`IcWebhook.secret` is the `whsec_…` signing secret IC returns exactly once — it
+becomes a secret Pulumi output, so the infra stack can flow it straight into Vercel
+env with no copy-paste.
+
+### IcSecret (IC-hosted apps only)
+
+`PUT /v1/apps/{appId}/env` — one resource per secret name. Only relevant if your
+tenant runs an IC-hosted `app`.
+
+## Importing resources a script already created
+
+Blueprints and webhooks implement `read`, so you can adopt pre-existing ones:
+
+```bash
+pulumi import 'ingram-cloud:index:IcBlueprint' curator bp_123…
+```
+
+(Blueprints also self-adopt by name on first `create`, so an explicit import is
+usually unnecessary — a plain `pulumi up` will reconcile the live blueprint.)
+
+## Notes
+
+- Built as CommonJS to match the Pulumi Node.js runtime and the infra stack's
+  `module: commonjs` tsconfig.
+- `token` and every credential input are marked `additionalSecretOutputs`, so they
+  are encrypted in Pulumi state.
+- CRUD runs inline in the Pulumi process over the global `fetch` (Node ≥18).

package/dist/connection.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Connection helper — resolves the IC `{ baseUrl, token }` pair once so a Pulumi
+ * program can spread it into every resource:
+ *
+ *   const conn = connectionFromConfig();
+ *   new ic.IcBlueprint("assistant", { ...conn, name: "…", instructions: "…" });
+ *
+ * Resolution order (first hit wins):
+ *   baseUrl: `ingram-cloud:baseUrl` config → IC_BASE_URL → CLOUD_BASE_URL → prod
+ *   token:   `ingram-cloud:token` secret config → INGRAM_CLOUD_TOKEN → CLOUD_API_KEY
+ *
+ * The env fallbacks bridge the two naming conventions already in the fleet
+ * (thornhill's INGRAM_CLOUD_TOKEN, integrain's CLOUD_API_KEY). The returned
+ * token is always a secret Output so it stays encrypted in state.
+ */
+import * as pulumi from "@pulumi/pulumi";
+export declare const DEFAULT_BASE_URL = "https://api.cloud.ingram.tech";
+export interface IcConnection {
+    baseUrl: pulumi.Input<string>;
+    token: pulumi.Input<string>;
+}
+export declare function connectionFromConfig(cfg?: pulumi.Config): IcConnection;

package/dist/connection.js

@@ -0,0 +1,65 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_BASE_URL = void 0;
+exports.connectionFromConfig = connectionFromConfig;
+/**
+ * Connection helper — resolves the IC `{ baseUrl, token }` pair once so a Pulumi
+ * program can spread it into every resource:
+ *
+ *   const conn = connectionFromConfig();
+ *   new ic.IcBlueprint("assistant", { ...conn, name: "…", instructions: "…" });
+ *
+ * Resolution order (first hit wins):
+ *   baseUrl: `ingram-cloud:baseUrl` config → IC_BASE_URL → CLOUD_BASE_URL → prod
+ *   token:   `ingram-cloud:token` secret config → INGRAM_CLOUD_TOKEN → CLOUD_API_KEY
+ *
+ * The env fallbacks bridge the two naming conventions already in the fleet
+ * (thornhill's INGRAM_CLOUD_TOKEN, integrain's CLOUD_API_KEY). The returned
+ * token is always a secret Output so it stays encrypted in state.
+ */
+const pulumi = __importStar(require("@pulumi/pulumi"));
+exports.DEFAULT_BASE_URL = "https://api.cloud.ingram.tech";
+function connectionFromConfig(cfg) {
+    const c = cfg ?? new pulumi.Config("ingram-cloud");
+    const baseUrl = c.get("baseUrl") ??
+        process.env.IC_BASE_URL ??
+        process.env.CLOUD_BASE_URL ??
+        exports.DEFAULT_BASE_URL;
+    const tokenFromCfg = c.getSecret("token");
+    const token = tokenFromCfg ??
+        pulumi.secret(process.env.INGRAM_CLOUD_TOKEN ?? process.env.CLOUD_API_KEY ?? "");
+    return { baseUrl, token };
+}

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+/**
+ * @ingram-tech/pulumi-ingram-cloud
+ *
+ * Pulumi dynamic resources for the Ingram Cloud /v1 API. See README.md for the
+ * repo-interaction model (library here, blueprints declared in app repos,
+ * channel/tenant config in the infra repo).
+ */
+export * from "./resources";
+export * from "./connection";

package/dist/index.js

@@ -0,0 +1,25 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+/**
+ * @ingram-tech/pulumi-ingram-cloud
+ *
+ * Pulumi dynamic resources for the Ingram Cloud /v1 API. See README.md for the
+ * repo-interaction model (library here, blueprints declared in app repos,
+ * channel/tenant config in the infra repo).
+ */
+__exportStar(require("./resources"), exports);
+__exportStar(require("./connection"), exports);

package/dist/resources.d.ts

@@ -0,0 +1,137 @@
+/**
+ * Ingram Cloud /v1 tenant configuration as Pulumi dynamic resources.
+ *
+ * Replaces the per-app `scripts/register-*.ts` / `ensure-blueprint.ts` one-shots
+ * with declarative resources, so IC wiring is a `pulumi up` and lives in state
+ * instead of drifting in someone's shell history.
+ *
+ * Each resource talks to the IC REST API. `token` is the tenant-admin bearer;
+ * keep it (and any credential input) a stack secret — it's marked as an
+ * additional secret output so it's encrypted in state.
+ *
+ * Where each resource is meant to be declared:
+ *   - **Blueprints** (`IcBlueprint`) — the `instructions` are app-owned *content*,
+ *     so declare these in the APP repo's Pulumi program, sourced from the app's
+ *     own spec module. Never copy prompts into the infra repo.
+ *   - **Channels / tenant config** (`IcMcpServer`, `IcTelegramBot`,
+ *     `IcWhatsAppConfig`, `IcWebhook`, `IcModelKey`) — tenant-level wiring;
+ *     declare in the infra repo alongside DNS/DB/Vercel.
+ *   - **App env secrets** (`IcSecret`) — only relevant to IC-hosted `apps`.
+ *
+ * Not modelled here, on purpose:
+ *   - **Per-end-user actions** — creating users, binding channels, pushing
+ *     per-user connection tokens, minting user tokens — happen at app runtime.
+ *   - **Attaching existing principals to a blueprint** — a one-time backfill that
+ *     mutates the live fleet; keep it as the app's migration script. New
+ *     principals attach at birth in app code.
+ *   - **Slack app factory** — config-token rotation is stateful and app-driven.
+ */
+import * as pulumi from "@pulumi/pulumi";
+/**
+ * The /v1 API version this library targets. Bumping the IC API contract is a
+ * library version bump — consumers pin behaviour by pinning this package.
+ */
+export declare const IC_API_VERSION = "2026-05-01";
+export interface BlueprintVariable {
+    name: string;
+    default?: string | null;
+    description?: string | null;
+    required?: boolean;
+}
+export interface IcBlueprintArgs {
+    baseUrl: pulumi.Input<string>;
+    token: pulumi.Input<string>;
+    /** Tenant-unique blueprint name (the create/adopt key). */
+    name: pulumi.Input<string>;
+    /** The persona/instruction template (may contain `{{ variables }}`). */
+    instructions?: pulumi.Input<string>;
+    model?: pulumi.Input<string>;
+    enabledHostedTools?: pulumi.Input<string[]>;
+    autoMemory?: pulumi.Input<boolean>;
+    variables?: pulumi.Input<BlueprintVariable[]>;
+    /** Release note recorded when a new version is published. */
+    publishNote?: pulumi.Input<string>;
+    /** Rollout percentage for the published version (default 100). */
+    rolloutPercent?: pulumi.Input<number>;
+}
+export declare class IcBlueprint extends pulumi.dynamic.Resource {
+    /** The `bp_…` id (same as `.id`, exposed for convenience). */
+    readonly blueprintId: pulumi.Output<string>;
+    /** The version number currently rolled out. */
+    readonly activeVersion: pulumi.Output<number>;
+    constructor(name: string, args: IcBlueprintArgs, opts?: pulumi.CustomResourceOptions);
+}
+export interface IcMcpServerArgs {
+    baseUrl: pulumi.Input<string>;
+    token: pulumi.Input<string>;
+    /** Registry name — the `{name}` in `/v1/tenant/mcp/{name}`. */
+    serverName: pulumi.Input<string>;
+    url: pulumi.Input<string>;
+    authKind?: pulumi.Input<string>;
+    authProvider?: pulumi.Input<string>;
+    secret?: pulumi.Input<string>;
+}
+export declare class IcMcpServer extends pulumi.dynamic.Resource {
+    readonly toolsDiscovered: pulumi.Output<number>;
+    readonly discoveryError: pulumi.Output<string | undefined>;
+    constructor(name: string, args: IcMcpServerArgs, opts?: pulumi.CustomResourceOptions);
+}
+export interface IcTelegramBotArgs {
+    baseUrl: pulumi.Input<string>;
+    token: pulumi.Input<string>;
+    botToken: pulumi.Input<string>;
+}
+export declare class IcTelegramBot extends pulumi.dynamic.Resource {
+    readonly botUsername: pulumi.Output<string>;
+    readonly webhookUrl: pulumi.Output<string>;
+    constructor(name: string, args: IcTelegramBotArgs, opts?: pulumi.CustomResourceOptions);
+}
+export interface IcWhatsAppConfigArgs {
+    baseUrl: pulumi.Input<string>;
+    token: pulumi.Input<string>;
+    phoneNumberId: pulumi.Input<string>;
+    accessToken: pulumi.Input<string>;
+    appSecret?: pulumi.Input<string>;
+    verifyToken?: pulumi.Input<string>;
+    businessId?: pulumi.Input<string>;
+}
+export declare class IcWhatsAppConfig extends pulumi.dynamic.Resource {
+    readonly displayPhoneNumber: pulumi.Output<string>;
+    readonly webhookUrl: pulumi.Output<string>;
+    readonly verifyToken: pulumi.Output<string>;
+    constructor(name: string, args: IcWhatsAppConfigArgs, opts?: pulumi.CustomResourceOptions);
+}
+export interface IcWebhookArgs {
+    baseUrl: pulumi.Input<string>;
+    token: pulumi.Input<string>;
+    url: pulumi.Input<string>;
+    events: pulumi.Input<string[]>;
+}
+export declare class IcWebhook extends pulumi.dynamic.Resource {
+    /** The signing secret — present only when Pulumi created the webhook. */
+    readonly secret: pulumi.Output<string | undefined>;
+    constructor(name: string, args: IcWebhookArgs, opts?: pulumi.CustomResourceOptions);
+}
+export interface IcModelKeyArgs {
+    baseUrl: pulumi.Input<string>;
+    token: pulumi.Input<string>;
+    /** Provider id, e.g. `openai`, `anthropic`. */
+    provider: pulumi.Input<string>;
+    apiKey: pulumi.Input<string>;
+    /** Optional override base URL (OpenAI-compatible backends). */
+    providerBaseUrl?: pulumi.Input<string>;
+}
+export declare class IcModelKey extends pulumi.dynamic.Resource {
+    constructor(name: string, args: IcModelKeyArgs, opts?: pulumi.CustomResourceOptions);
+}
+export interface IcSecretArgs {
+    baseUrl: pulumi.Input<string>;
+    token: pulumi.Input<string>;
+    /** The IC-hosted app id (`app_…`) this secret belongs to. */
+    appId: pulumi.Input<string>;
+    name: pulumi.Input<string>;
+    value: pulumi.Input<string>;
+}
+export declare class IcSecret extends pulumi.dynamic.Resource {
+    constructor(name: string, args: IcSecretArgs, opts?: pulumi.CustomResourceOptions);
+}

package/dist/resources.js

@@ -0,0 +1,478 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.IcSecret = exports.IcModelKey = exports.IcWebhook = exports.IcWhatsAppConfig = exports.IcTelegramBot = exports.IcMcpServer = exports.IcBlueprint = exports.IC_API_VERSION = void 0;
+/**
+ * Ingram Cloud /v1 tenant configuration as Pulumi dynamic resources.
+ *
+ * Replaces the per-app `scripts/register-*.ts` / `ensure-blueprint.ts` one-shots
+ * with declarative resources, so IC wiring is a `pulumi up` and lives in state
+ * instead of drifting in someone's shell history.
+ *
+ * Each resource talks to the IC REST API. `token` is the tenant-admin bearer;
+ * keep it (and any credential input) a stack secret — it's marked as an
+ * additional secret output so it's encrypted in state.
+ *
+ * Where each resource is meant to be declared:
+ *   - **Blueprints** (`IcBlueprint`) — the `instructions` are app-owned *content*,
+ *     so declare these in the APP repo's Pulumi program, sourced from the app's
+ *     own spec module. Never copy prompts into the infra repo.
+ *   - **Channels / tenant config** (`IcMcpServer`, `IcTelegramBot`,
+ *     `IcWhatsAppConfig`, `IcWebhook`, `IcModelKey`) — tenant-level wiring;
+ *     declare in the infra repo alongside DNS/DB/Vercel.
+ *   - **App env secrets** (`IcSecret`) — only relevant to IC-hosted `apps`.
+ *
+ * Not modelled here, on purpose:
+ *   - **Per-end-user actions** — creating users, binding channels, pushing
+ *     per-user connection tokens, minting user tokens — happen at app runtime.
+ *   - **Attaching existing principals to a blueprint** — a one-time backfill that
+ *     mutates the live fleet; keep it as the app's migration script. New
+ *     principals attach at birth in app code.
+ *   - **Slack app factory** — config-token rotation is stateful and app-driven.
+ */
+const pulumi = __importStar(require("@pulumi/pulumi"));
+/**
+ * The /v1 API version this library targets. Bumping the IC API contract is a
+ * library version bump — consumers pin behaviour by pinning this package.
+ */
+exports.IC_API_VERSION = "2026-05-01";
+// Shared IC REST call. Module-scope so Pulumi's closure serialization captures
+// it into each provider's methods; uses only the global `fetch` (Node ≥18).
+async function icRequest(baseUrl, token, method, path, body, idempotencyKey) {
+    const headers = {
+        Authorization: `Bearer ${token}`,
+        "IC-Api-Version": exports.IC_API_VERSION,
+    };
+    if (body !== undefined)
+        headers["Content-Type"] = "application/json";
+    if (idempotencyKey)
+        headers["Idempotency-Key"] = idempotencyKey;
+    const res = await fetch(`${baseUrl}${path}`, {
+        method,
+        headers,
+        body: body !== undefined ? JSON.stringify(body) : undefined,
+    });
+    const text = await res.text();
+    if (!res.ok) {
+        throw new Error(`IC ${method} ${path} → ${res.status}: ${text.slice(0, 400)}`);
+    }
+    return text ? JSON.parse(text) : {};
+}
+// The draft body IC's create/patch expect (snake_case wire shape).
+function blueprintBody(i) {
+    return {
+        name: i.name,
+        instructions: i.instructions ?? null,
+        model: i.model ?? null,
+        enabled_hosted_tools: i.enabledHostedTools ?? [],
+        auto_memory: i.autoMemory ?? null,
+        variables: i.variables ?? [],
+    };
+}
+// Stable signature of the *content* that warrants a new published version
+// (name and rollout% deliberately excluded — a rename/restage is not new content).
+function blueprintContentSig(i) {
+    return JSON.stringify({
+        instructions: i.instructions ?? null,
+        model: i.model ?? null,
+        tools: [...(i.enabledHostedTools ?? [])].sort(),
+        auto_memory: i.autoMemory ?? null,
+        variables: i.variables ?? [],
+    });
+}
+async function findBlueprintByName(baseUrl, token, name) {
+    const res = await icRequest(baseUrl, token, "GET", "/v1/blueprints");
+    return (res.data ?? []).find((b) => b.name === name) ?? null;
+}
+// Signature of the snapshot currently published as the active version, or null
+// if nothing is published yet.
+async function activeSnapshotSig(baseUrl, token, id, activeVersion) {
+    if (!activeVersion)
+        return null;
+    const res = await icRequest(baseUrl, token, "GET", `/v1/blueprints/${id}/versions`);
+    const v = (res.data ?? []).find((x) => x.version === activeVersion);
+    if (!v)
+        return null;
+    const s = v.snapshot ?? {};
+    return blueprintContentSig({
+        instructions: s.instructions,
+        model: s.model,
+        enabledHostedTools: s.enabled_hosted_tools,
+        autoMemory: s.auto_memory,
+        variables: s.variables,
+    });
+}
+// Ensure the live blueprint matches desired: adopt-or-create, publish iff the
+// content drifted from the active version, then roll out at `percent`.
+async function reconcileBlueprint(i, knownId, priorSig) {
+    let id;
+    if (!knownId) {
+        const existing = await findBlueprintByName(i.baseUrl, i.token, i.name);
+        if (existing) {
+            id = existing.id;
+            await icRequest(i.baseUrl, i.token, "PATCH", `/v1/blueprints/${id}`, blueprintBody(i));
+        }
+        else {
+            // No idempotency key: Pulumi calls create once and tracks the id in
+            // state, and the adopt-by-name branch above covers re-runs and the
+            // script→Pulumi migration. Keying on the name would replay a stale
+            // (possibly archived) create after a destroy+recreate within the 24h
+            // idempotency window.
+            const bp = await icRequest(i.baseUrl, i.token, "POST", "/v1/blueprints", blueprintBody(i));
+            id = bp.id;
+        }
+    }
+    else {
+        // Known id (update path): push the draft to the desired shape.
+        id = knownId;
+        await icRequest(i.baseUrl, i.token, "PATCH", `/v1/blueprints/${id}`, blueprintBody(i));
+    }
+    const bp = await icRequest(i.baseUrl, i.token, "GET", `/v1/blueprints/${id}`);
+    const desiredSig = blueprintContentSig(i);
+    // On the create path we don't know the prior sig — compare to what's actually
+    // published so adopting a script-made blueprint doesn't churn a needless version.
+    const liveSig = priorSig ?? (await activeSnapshotSig(i.baseUrl, i.token, id, bp.active_version));
+    let version = bp.active_version ?? 0;
+    if (!bp.active_version || liveSig !== desiredSig) {
+        // Publishing snapshots the draft as the next immutable version and returns
+        // its number. Only the *first* publish auto-activates; later ones go live
+        // only via the rollout below — so take the version from the publish reply,
+        // not from active_version (which hasn't advanced yet).
+        const pub = await icRequest(i.baseUrl, i.token, "POST", `/v1/blueprints/${id}/versions`, {
+            note: i.publishNote ?? null,
+        });
+        version = pub.version;
+    }
+    // Always assert the rollout: it activates a freshly published version and is
+    // an idempotent no-op when `version` is already the active one at `percent`.
+    const percent = i.rolloutPercent ?? 100;
+    await icRequest(i.baseUrl, i.token, "POST", `/v1/blueprints/${id}/rollout`, { version, percent });
+    return {
+        ...i,
+        blueprintId: id,
+        contentSig: desiredSig,
+        activeVersion: version,
+        rolloutPercent: percent,
+    };
+}
+const blueprintProvider = {
+    async create(i) {
+        const outs = await reconcileBlueprint(i);
+        return { id: outs.blueprintId, outs };
+    },
+    async update(id, olds, news) {
+        const outs = await reconcileBlueprint(news, id, olds.contentSig);
+        return { outs };
+    },
+    async delete(id, props) {
+        try {
+            await icRequest(props.baseUrl, props.token, "DELETE", `/v1/blueprints/${id}`);
+        }
+        catch (e) {
+            throw new Error(`Blueprint ${id} could not be archived (it likely still has users attached). ` +
+                `Detach its users first, or set { retainOnDelete: true } on the resource. ` +
+                `Original error: ${e}`);
+        }
+    },
+    async diff(_id, olds, news) {
+        const contentChanged = blueprintContentSig(olds) !== blueprintContentSig(news);
+        const nameChanged = olds.name !== news.name;
+        const rolloutChanged = (olds.rolloutPercent ?? 100) !== (news.rolloutPercent ?? 100);
+        return { changes: contentChanged || nameChanged || rolloutChanged };
+    },
+    // Adopt a blueprint a script already created (`pulumi import <id>`).
+    async read(id, props) {
+        const bp = await icRequest(props.baseUrl, props.token, "GET", `/v1/blueprints/${id}`);
+        if (!bp || !bp.id)
+            return { id, props: props };
+        const d = bp.draft ?? {};
+        return {
+            id,
+            props: {
+                ...props,
+                name: bp.name,
+                instructions: d.instructions ?? undefined,
+                model: d.model ?? undefined,
+                enabledHostedTools: d.enabled_hosted_tools ?? [],
+                autoMemory: d.auto_memory ?? undefined,
+                variables: d.variables ?? [],
+            },
+        };
+    },
+};
+class IcBlueprint extends pulumi.dynamic.Resource {
+    constructor(name, args, opts) {
+        super(blueprintProvider, name, {
+            instructions: undefined,
+            model: undefined,
+            enabledHostedTools: undefined,
+            autoMemory: undefined,
+            variables: undefined,
+            publishNote: undefined,
+            rolloutPercent: undefined,
+            blueprintId: undefined,
+            activeVersion: undefined,
+            contentSig: undefined,
+            ...args,
+        }, { ...opts, additionalSecretOutputs: ["token"] });
+    }
+}
+exports.IcBlueprint = IcBlueprint;
+function mcpBody(i) {
+    const auth = { kind: i.authKind };
+    if (i.authProvider)
+        auth.provider = i.authProvider;
+    if (i.secret)
+        auth.secret = i.secret;
+    return { url: i.url, auth };
+}
+async function mcpPut(i) {
+    const res = await icRequest(i.baseUrl, i.token, "PUT", `/v1/tenant/mcp/${encodeURIComponent(i.serverName)}`, mcpBody(i));
+    return {
+        ...i,
+        toolsDiscovered: res.tools_discovered ?? 0,
+        discoveryError: res.discovery_error ?? null,
+    };
+}
+const mcpProvider = {
+    async create(i) {
+        return { id: i.serverName, outs: await mcpPut(i) };
+    },
+    async update(_id, _olds, news) {
+        return { outs: await mcpPut(news) };
+    },
+    async delete(id, props) {
+        await icRequest(props.baseUrl, props.token, "DELETE", `/v1/tenant/mcp/${encodeURIComponent(id)}`);
+    },
+    async diff(_id, olds, news) {
+        const replaces = olds.serverName !== news.serverName ? ["serverName"] : [];
+        const changed = replaces.length > 0 ||
+            ["url", "authKind", "authProvider", "secret", "token", "baseUrl"].some((k) => olds[k] !== news[k]);
+        return { changes: changed, replaces, deleteBeforeReplace: true };
+    },
+};
+class IcMcpServer extends pulumi.dynamic.Resource {
+    constructor(name, args, opts) {
+        super(mcpProvider, name, {
+            authKind: "static",
+            authProvider: undefined,
+            secret: undefined,
+            toolsDiscovered: undefined,
+            discoveryError: undefined,
+            ...args,
+        }, { ...opts, additionalSecretOutputs: ["token", "secret"] });
+    }
+}
+exports.IcMcpServer = IcMcpServer;
+async function telegramPut(i) {
+    const res = await icRequest(i.baseUrl, i.token, "PUT", "/v1/tenant/telegram", {
+        bot_token: i.botToken,
+    });
+    return { ...i, botUsername: res.bot_username, botId: res.bot_id, webhookUrl: res.webhook_url };
+}
+const telegramProvider = {
+    async create(i) {
+        return { id: "telegram", outs: await telegramPut(i) };
+    },
+    async update(_id, _olds, news) {
+        return { outs: await telegramPut(news) };
+    },
+    async delete(_id, props) {
+        await icRequest(props.baseUrl, props.token, "DELETE", "/v1/tenant/telegram");
+    },
+    async diff(_id, olds, news) {
+        return {
+            changes: ["botToken", "token", "baseUrl"].some((k) => olds[k] !== news[k]),
+        };
+    },
+};
+class IcTelegramBot extends pulumi.dynamic.Resource {
+    constructor(name, args, opts) {
+        super(telegramProvider, name, { botUsername: undefined, botId: undefined, webhookUrl: undefined, ...args }, { ...opts, additionalSecretOutputs: ["token", "botToken"] });
+    }
+}
+exports.IcTelegramBot = IcTelegramBot;
+async function whatsappPut(i) {
+    const res = await icRequest(i.baseUrl, i.token, "PUT", "/v1/tenant/whatsapp", {
+        phone_number_id: i.phoneNumberId,
+        access_token: i.accessToken,
+        app_secret: i.appSecret,
+        verify_token: i.verifyToken,
+        business_id: i.businessId,
+    });
+    return {
+        ...i,
+        // IC generates verify_token if we didn't supply one — capture it so it's
+        // stable in state (and so the operator can paste it into Meta).
+        verifyToken: res.verify_token ?? i.verifyToken,
+        displayPhoneNumber: res.display_phone_number,
+        webhookUrl: res.webhook_url,
+    };
+}
+const whatsappProvider = {
+    async create(i) {
+        return { id: "whatsapp", outs: await whatsappPut(i) };
+    },
+    async update(_id, _olds, news) {
+        return { outs: await whatsappPut(news) };
+    },
+    async delete(_id, props) {
+        await icRequest(props.baseUrl, props.token, "DELETE", "/v1/tenant/whatsapp");
+    },
+    async diff(_id, olds, news) {
+        return {
+            changes: ["phoneNumberId", "accessToken", "appSecret", "businessId", "token", "baseUrl"].some((k) => olds[k] !== news[k]),
+        };
+    },
+};
+class IcWhatsAppConfig extends pulumi.dynamic.Resource {
+    constructor(name, args, opts) {
+        super(whatsappProvider, name, {
+            appSecret: undefined,
+            verifyToken: undefined,
+            businessId: undefined,
+            displayPhoneNumber: undefined,
+            webhookUrl: undefined,
+            ...args,
+        }, { ...opts, additionalSecretOutputs: ["token", "accessToken", "appSecret", "verifyToken"] });
+    }
+}
+exports.IcWhatsAppConfig = IcWhatsAppConfig;
+const webhookProvider = {
+    async create(i) {
+        const res = await icRequest(i.baseUrl, i.token, "POST", "/v1/tenant/webhooks", {
+            url: i.url,
+            events: i.events,
+            active: true,
+        });
+        return { id: res.id, outs: { ...i, secret: res.secret } };
+    },
+    async update(id, _olds, news) {
+        await icRequest(news.baseUrl, news.token, "PATCH", `/v1/tenant/webhooks/${id}`, {
+            events: news.events,
+        });
+        return { outs: { ...news } };
+    },
+    async delete(id, props) {
+        await icRequest(props.baseUrl, props.token, "DELETE", `/v1/tenant/webhooks/${id}`);
+    },
+    async diff(_id, olds, news) {
+        const replaces = olds.url !== news.url ? ["url"] : [];
+        const eventsChanged = JSON.stringify([...(olds.events ?? [])].sort()) !==
+            JSON.stringify([...(news.events ?? [])].sort());
+        return { changes: replaces.length > 0 || eventsChanged, replaces };
+    },
+    // Enables `pulumi import` of a webhook a script already created (id is the
+    // import id). The signing secret is intentionally not recoverable.
+    async read(id, props) {
+        const list = await icRequest(props.baseUrl, props.token, "GET", "/v1/tenant/webhooks");
+        const hit = (list.data ?? []).find((w) => w.id === id);
+        if (!hit)
+            return { id, props: props };
+        return { id, props: { ...props, url: hit.url, events: hit.events } };
+    },
+};
+class IcWebhook extends pulumi.dynamic.Resource {
+    constructor(name, args, opts) {
+        super(webhookProvider, name, { secret: undefined, ...args }, {
+            ...opts,
+            additionalSecretOutputs: ["token", "secret"],
+        });
+    }
+}
+exports.IcWebhook = IcWebhook;
+async function modelKeyPut(i) {
+    await icRequest(i.baseUrl, i.token, "PUT", `/v1/tenant/model_keys/${encodeURIComponent(i.provider)}`, { api_key: i.apiKey, base_url: i.providerBaseUrl ?? null });
+    return { ...i };
+}
+const modelKeyProvider = {
+    async create(i) {
+        return { id: i.provider, outs: await modelKeyPut(i) };
+    },
+    async update(_id, _olds, news) {
+        return { outs: await modelKeyPut(news) };
+    },
+    async delete(id, props) {
+        await icRequest(props.baseUrl, props.token, "DELETE", `/v1/tenant/model_keys/${encodeURIComponent(id)}`);
+    },
+    async diff(_id, olds, news) {
+        const replaces = olds.provider !== news.provider ? ["provider"] : [];
+        const changed = replaces.length > 0 ||
+            ["apiKey", "providerBaseUrl", "token", "baseUrl"].some((k) => olds[k] !== news[k]);
+        return { changes: changed, replaces, deleteBeforeReplace: true };
+    },
+};
+class IcModelKey extends pulumi.dynamic.Resource {
+    constructor(name, args, opts) {
+        super(modelKeyProvider, name, { providerBaseUrl: undefined, ...args }, { ...opts, additionalSecretOutputs: ["token", "apiKey"] });
+    }
+}
+exports.IcModelKey = IcModelKey;
+async function secretPut(i) {
+    await icRequest(i.baseUrl, i.token, "PUT", `/v1/apps/${encodeURIComponent(i.appId)}/env`, {
+        values: { [i.name]: i.value },
+    });
+    return { ...i };
+}
+const secretProvider = {
+    async create(i) {
+        return { id: `${i.appId}:${i.name}`, outs: await secretPut(i) };
+    },
+    async update(_id, _olds, news) {
+        return { outs: await secretPut(news) };
+    },
+    async delete(_id, props) {
+        await icRequest(props.baseUrl, props.token, "DELETE", `/v1/apps/${encodeURIComponent(props.appId)}/env/${encodeURIComponent(props.name)}`);
+    },
+    async diff(_id, olds, news) {
+        const replaces = [];
+        if (olds.appId !== news.appId)
+            replaces.push("appId");
+        if (olds.name !== news.name)
+            replaces.push("name");
+        const changed = replaces.length > 0 ||
+            ["value", "token", "baseUrl"].some((k) => olds[k] !== news[k]);
+        return { changes: changed, replaces, deleteBeforeReplace: true };
+    },
+};
+class IcSecret extends pulumi.dynamic.Resource {
+    constructor(name, args, opts) {
+        super(secretProvider, name, { ...args }, {
+            ...opts,
+            additionalSecretOutputs: ["token", "value"],
+        });
+    }
+}
+exports.IcSecret = IcSecret;

package/package.json

@@ -0,0 +1,32 @@
+{
+	"name": "@ingram-tech/pulumi-ingram-cloud",
+	"version": "0.1.0",
+	"description": "Pulumi dynamic resources for the Ingram Cloud /v1 API — blueprints, MCP servers, channels, webhooks, model keys.",
+	"license": "MIT",
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/ingram-technologies/cloud.ingram.tech.git",
+		"directory": "pulumi"
+	},
+	"homepage": "https://github.com/ingram-technologies/cloud.ingram.tech/tree/main/pulumi#readme",
+	"keywords": ["pulumi", "ingram-cloud", "ingram"],
+	"main": "dist/index.js",
+	"types": "dist/index.d.ts",
+	"files": ["dist"],
+	"publishConfig": {
+		"access": "public"
+	},
+	"scripts": {
+		"build": "tsc -p tsconfig.json",
+		"type-check": "tsc -p tsconfig.json --noEmit",
+		"prepublishOnly": "npm run build"
+	},
+	"peerDependencies": {
+		"@pulumi/pulumi": "^3.0.0"
+	},
+	"devDependencies": {
+		"@pulumi/pulumi": "^3.0.0",
+		"@types/node": "^22.0.0",
+		"typescript": "^5.0.0"
+	}
+}