@intentius/chant-lexicon-temporal 0.1.12 → 0.1.15

package/src/op/activities/apply.ts

@@ -0,0 +1,128 @@
+import { exec } from "node:child_process";
+import { promisify } from "node:util";
+import { ownershipKeys, OWNERSHIP_MANAGED_BY_VALUE } from "@intentius/chant/ownership";
+
+const execAsync = promisify(exec);
+
+/** The native apply mechanism for a target. */
+export type ApplyTarget = "cloudformation" | "kubectl" | "arm";
+
+/**
+ * How apply treats resources no longer declared.
+ * - `never` — additive only; never deletes.
+ * - `owned-only` — deletes only chant-owned orphans, via the target's native
+ *   prune/complete mechanism scoped to the ownership marker.
+ * - `gated` — same delete scope as `owned-only`, but the workflow pauses for
+ *   approval before the destructive apply (the gate lives in the composite).
+ */
+export type DeleteMode = "never" | "owned-only" | "gated";
+
+export interface NativeApplyArgs {
+  /** Native mechanism to delegate to. */
+  target: ApplyTarget;
+  /** Environment — CFN stack name / ARM resource group. */
+  env: string;
+  /** Built manifest/template path (or directory for kubectl). Default: dist. */
+  output?: string;
+  /** Delete handling. Default: never. */
+  deleteMode?: DeleteMode;
+}
+
+/**
+ * Build the native apply command. Pure — exported for testing.
+ *
+ * Authority stays with the platform: the CloudFormation stack, the Kubernetes
+ * API server, the ARM resource group. chant hosts no state file. Owned-only
+ * deletes ride the native delete path, scoped to the ownership marker so a
+ * foreign resource is never touched:
+ * - kubectl: `--prune --selector <managed-by>=chant` prunes only chant-owned
+ *   objects absent from the apply set.
+ * - CloudFormation: the stack is the boundary; `deploy` deletes resources
+ *   removed from the template within it.
+ * - ARM: `--mode Complete` removes resources not in the template from the RG.
+ */
+export function applyCommand(
+  target: ApplyTarget,
+  env: string,
+  output: string,
+  deleteMode: DeleteMode,
+): string {
+  const deletes = deleteMode !== "never";
+  switch (target) {
+    case "kubectl": {
+      const prune = deletes
+        ? ` --prune --selector ${ownershipKeys("label").managedBy}=${OWNERSHIP_MANAGED_BY_VALUE}`
+        : "";
+      return `kubectl apply -f ${output}${prune} --wait=true`;
+    }
+    case "cloudformation":
+      // CFN deletes resources removed from the template within the stack itself.
+      return `aws cloudformation deploy --template-file ${output} --stack-name ${env} --capabilities CAPABILITY_NAMED_IAM`;
+    case "arm": {
+      const mode = deletes ? " --mode Complete" : " --mode Incremental";
+      return `az deployment group create --resource-group ${env} --template-file ${output}${mode}`;
+    }
+  }
+}
+
+/**
+ * Apply declared source to the cloud via the target's native mechanism.
+ * Deletes (when enabled) are limited to chant-owned orphans by construction —
+ * the native prune/complete path is scoped to the ownership marker.
+ */
+export async function nativeApply(args: NativeApplyArgs, signal?: AbortSignal): Promise<{ command: string }> {
+  const output = args.output ?? "dist";
+  const deleteMode = args.deleteMode ?? "never";
+  const command = applyCommand(args.target, args.env, output, deleteMode);
+  const { stdout, stderr } = await execAsync(command, { signal });
+  if (stdout) console.log(stdout);
+  if (stderr) console.error(stderr);
+  return { command };
+}
+
+/**
+ * The native rollback command for a target, or undefined when the target has
+ * no single-command rollback. Pure — exported for testing.
+ *
+ * Only CloudFormation has a native "return to last known good state" command.
+ * For kubectl/ARM the caller must supply a rollback command; otherwise the
+ * compensation degrades to a logged warning rather than silently doing nothing.
+ */
+export function rollbackCommand(target: ApplyTarget, env: string): string | undefined {
+  switch (target) {
+    case "cloudformation":
+      return `aws cloudformation rollback-stack --stack-name ${env}`;
+    case "kubectl":
+    case "arm":
+      return undefined;
+  }
+}
+
+export interface CompensateApplyArgs {
+  /** Native mechanism that was applied. */
+  target: ApplyTarget;
+  /** Environment — CFN stack name / ARM resource group. */
+  env: string;
+  /** Explicit rollback command, used in preference to the native default. */
+  command?: string;
+}
+
+/**
+ * Compensation step (saga rollback) for a partial apply failure. Runs the
+ * explicit `command` if given, else the target's native rollback. Where no
+ * automatic rollback exists, it warns rather than silently no-op'ing — partial
+ * state should never look reverted when it isn't.
+ */
+export async function compensateApply(args: CompensateApplyArgs, signal?: AbortSignal): Promise<{ command?: string }> {
+  const command = args.command ?? rollbackCommand(args.target, args.env);
+  if (!command) {
+    console.warn(
+      `[apply] no automatic rollback for target "${args.target}" — partial apply to ${args.env} was NOT reverted; supply compensate.command to enable rollback`,
+    );
+    return {};
+  }
+  const { stdout, stderr } = await execAsync(command, { signal });
+  if (stdout) console.log(stdout);
+  if (stderr) console.error(stderr);
+  return { command };
+}

package/src/op/activities/argo.test.ts

@@ -0,0 +1,78 @@
+import { describe, test, expect } from "vitest";
+import {
+  waitForArgoSync,
+  ArgoSyncFailedError,
+  type ArgoAppStatus,
+  type ArgoStatusFetcher,
+} from "./argo";
+import { TEMPORAL_ACTIVITY_PROFILES } from "../../config";
+
+/** A fetcher that returns a scripted sequence of statuses, repeating the last. */
+function scriptedFetcher(sequence: ArgoAppStatus[]): ArgoStatusFetcher {
+  let i = 0;
+  return async () => {
+    const status = sequence[Math.min(i, sequence.length - 1)];
+    i++;
+    return status;
+  };
+}
+
+const fast = { appName: "guestbook", intervalMs: 0 };
+
+describe("waitForArgoSync", () => {
+  test("resolves once the Application is Healthy and Synced", async () => {
+    const fetcher = scriptedFetcher([
+      { health: "Progressing", sync: "OutOfSync" },
+      { health: "Progressing", sync: "Synced" },
+      { health: "Healthy", sync: "Synced" },
+    ]);
+    const result = await waitForArgoSync(fast, undefined, fetcher);
+    expect(result).toEqual({ health: "Healthy", sync: "Synced" });
+  });
+
+  test("does not resolve while Synced but still Progressing", async () => {
+    // First Healthy+Synced read is the third; ensure it polls past the
+    // Progressing reads rather than returning early.
+    let calls = 0;
+    const fetcher: ArgoStatusFetcher = async () => {
+      calls++;
+      if (calls < 3) return { health: "Progressing", sync: "Synced" };
+      return { health: "Healthy", sync: "Synced" };
+    };
+    await waitForArgoSync(fast, undefined, fetcher);
+    expect(calls).toBe(3);
+  });
+
+  test("throws ArgoSyncFailedError when the Application is Degraded", async () => {
+    const fetcher = scriptedFetcher([{ health: "Degraded", sync: "Synced" }]);
+    await expect(waitForArgoSync(fast, undefined, fetcher)).rejects.toBeInstanceOf(
+      ArgoSyncFailedError,
+    );
+  });
+
+  test("throws ArgoSyncFailedError when the Application is Missing", async () => {
+    const fetcher = scriptedFetcher([{ health: "Missing", sync: "OutOfSync" }]);
+    await expect(waitForArgoSync(fast, undefined, fetcher)).rejects.toThrow(/Missing/);
+  });
+
+  test("honors an aborted signal", async () => {
+    const controller = new AbortController();
+    controller.abort();
+    const fetcher = scriptedFetcher([{ health: "Progressing", sync: "OutOfSync" }]);
+    await expect(waitForArgoSync(fast, controller.signal, fetcher)).rejects.toThrow(/aborted/);
+  });
+});
+
+describe("argoSync profile", () => {
+  test("is exported with a long timeout and 60s heartbeat", () => {
+    const p = TEMPORAL_ACTIVITY_PROFILES.argoSync;
+    expect(p.startToCloseTimeout).toBe("30m");
+    expect(p.heartbeatTimeout).toBe("60s");
+  });
+
+  test("treats ArgoSyncFailedError as non-retryable", () => {
+    expect(TEMPORAL_ACTIVITY_PROFILES.argoSync.retry?.nonRetryableErrorTypes).toContain(
+      "ArgoSyncFailedError",
+    );
+  });
+});

package/src/op/activities/argo.ts

@@ -0,0 +1,147 @@
+import { exec } from "node:child_process";
+import { promisify } from "node:util";
+import { safeHeartbeat } from "./heartbeat";
+import { sleep } from "./util";
+
+const execAsync = promisify(exec);
+
+/**
+ * waitForArgoSync — block until an Argo CD Application reports
+ * `health=Healthy && sync=Synced`.
+ *
+ * This activity is intentionally **dependency-free**: it must not import the k8s
+ * lexicon or its generated Argo CRD types. Its signature is primitives-only
+ * (app name / namespace / server). It reads the Application's status either via
+ * `kubectl get application` (default) or the Argo CD REST API (when `server` is
+ * given), so Temporal can gate procedural steps on a declarative apply that Argo
+ * owns.
+ */
+
+export interface WaitForArgoSyncArgs {
+  /** Argo Application name. */
+  appName: string;
+  /** Namespace the Application object lives in (default "argocd"). */
+  namespace?: string;
+  /**
+   * Argo CD API base URL (e.g. https://argocd.example.com). When set, status is
+   * read from the REST API instead of kubectl. Pass `authToken` with it.
+   */
+  server?: string;
+  /** Bearer token for the Argo CD REST API (used with `server`). */
+  authToken?: string;
+  /** Skip TLS verification for the REST API (default false). */
+  insecure?: boolean;
+  /** kubectl context (used when `server` is not set). */
+  context?: string;
+  /** Poll interval in ms (default 15000). Heartbeats every poll. */
+  intervalMs?: number;
+}
+
+/** The two status fields the activity gates on. */
+export interface ArgoAppStatus {
+  /** Application health: Healthy | Progressing | Degraded | Missing | Suspended | Unknown. */
+  health: string;
+  /** Sync status: Synced | OutOfSync | Unknown. */
+  sync: string;
+}
+
+/** Pluggable status reader — overridden in tests with a faked Argo API. */
+export type ArgoStatusFetcher = (
+  args: WaitForArgoSyncArgs,
+  signal?: AbortSignal,
+) => Promise<ArgoAppStatus>;
+
+/** Health states that will never become Healthy without intervention. */
+const TERMINAL_UNHEALTHY = new Set(["Degraded", "Missing"]);
+
+/** Error thrown when the Application reaches a terminal unhealthy state. */
+export class ArgoSyncFailedError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = "ArgoSyncFailedError";
+  }
+}
+
+/** Read status via the Argo CD REST API. */
+async function fetchViaApi(args: WaitForArgoSyncArgs, signal?: AbortSignal): Promise<ArgoAppStatus> {
+  const base = args.server!.replace(/\/$/, "");
+  const ns = args.namespace ?? "argocd";
+  const url = `${base}/api/v1/applications/${encodeURIComponent(args.appName)}?appNamespace=${encodeURIComponent(ns)}`;
+  const headers: Record<string, string> = { Accept: "application/json" };
+  if (args.authToken) headers.Authorization = `Bearer ${args.authToken}`;
+
+  // Honor `insecure` without importing https Agent types — Node respects this
+  // env toggle for the duration of the call.
+  const prevTlsReject = process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+  if (args.insecure) process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
+  try {
+    const res = await fetch(url, { headers, signal });
+    if (!res.ok) {
+      throw new Error(`Argo CD API returned ${res.status} for application "${args.appName}"`);
+    }
+    const body = (await res.json()) as { status?: { health?: { status?: string }; sync?: { status?: string } } };
+    return {
+      health: body.status?.health?.status ?? "Unknown",
+      sync: body.status?.sync?.status ?? "Unknown",
+    };
+  } finally {
+    if (args.insecure) {
+      if (prevTlsReject === undefined) delete process.env.NODE_TLS_REJECT_UNAUTHORIZED;
+      else process.env.NODE_TLS_REJECT_UNAUTHORIZED = prevTlsReject;
+    }
+  }
+}
+
+/** Read status via `kubectl get application -o json`. */
+async function fetchViaKubectl(args: WaitForArgoSyncArgs, signal?: AbortSignal): Promise<ArgoAppStatus> {
+  const ns = args.namespace ?? "argocd";
+  const ctx = args.context ? `--context ${args.context}` : "";
+  const cmd =
+    `kubectl get application ${args.appName} -n ${ns} ${ctx} ` +
+    `-o jsonpath='{.status.health.status}|{.status.sync.status}'`;
+  const { stdout } = await execAsync(cmd, { signal });
+  const [health = "Unknown", sync = "Unknown"] = stdout.trim().replace(/^'|'$/g, "").split("|");
+  return { health: health || "Unknown", sync: sync || "Unknown" };
+}
+
+/** Default fetcher: REST API when `server` is set, else kubectl. */
+export const defaultArgoStatusFetcher: ArgoStatusFetcher = (args, signal) =>
+  args.server ? fetchViaApi(args, signal) : fetchViaKubectl(args, signal);
+
+/**
+ * Poll until the Application is Healthy and Synced. Throws
+ * `ArgoSyncFailedError` if it reaches a terminal unhealthy state (Degraded /
+ * Missing). Heartbeats every poll so the `argoSync` profile's 60s heartbeat
+ * timeout never trips.
+ *
+ * @param fetcher injectable status reader (defaults to kubectl/REST). Tests pass
+ *   a fake to drive Healthy/Progressing/Degraded transitions.
+ */
+export async function waitForArgoSync(
+  args: WaitForArgoSyncArgs,
+  signal?: AbortSignal,
+  fetcher: ArgoStatusFetcher = defaultArgoStatusFetcher,
+): Promise<ArgoAppStatus> {
+  const interval = args.intervalMs ?? 15_000;
+  let attempt = 0;
+
+  while (true) {
+    if (signal?.aborted) throw new Error("waitForArgoSync aborted");
+    attempt++;
+
+    const status = await fetcher(args, signal);
+    safeHeartbeat({ step: "waitForArgoSync", app: args.appName, attempt, ...status });
+
+    if (TERMINAL_UNHEALTHY.has(status.health)) {
+      throw new ArgoSyncFailedError(
+        `Argo Application "${args.appName}" is ${status.health} (sync=${status.sync}) — it will not become Healthy without intervention.`,
+      );
+    }
+
+    if (status.health === "Healthy" && status.sync === "Synced") {
+      return status;
+    }
+
+    await sleep(interval, signal);
+  }
+}

package/src/op/activities/build.ts

@@ -13,10 +13,11 @@ export interface ChantBuildArgs {
  * Run `npm run build` in the given project directory.
  * Uses fastIdempotent profile — 5m timeout, 3 retries.
  */
-export async function chantBuild(args: ChantBuildArgs): Promise<void> {
+export async function chantBuild(args: ChantBuildArgs, signal?: AbortSignal): Promise<void> {
   const { stdout, stderr } = await execAsync("npm run build", {
     cwd: args.path,
     env: { ...process.env, ...args.env },
+    signal,
   });
   if (stdout) console.log(stdout);
   if (stderr) console.error(stderr);

package/src/op/activities/gitlab.ts

@@ -1,6 +1,7 @@
 import { exec } from "node:child_process";
 import { promisify } from "node:util";
-import { Context } from "@temporalio/activity";
+import { safeHeartbeat } from "./heartbeat";
+import { sleep } from "./util";
 
 const execAsync = promisify(exec);
 
@@ -16,26 +17,29 @@ export interface GitlabPipelineArgs {
 /**
  * Trigger a GitLab CI pipeline and wait for it to complete successfully.
  * Requires `glab` CLI authenticated in the environment.
- * Uses longInfra profile — 20m timeout, heartbeat every 60s.
+ * Uses longInfra profile — 20m timeout, heartbeat every poll.
  */
-export async function gitlabPipeline(args: GitlabPipelineArgs): Promise<void> {
+export async function gitlabPipeline(args: GitlabPipelineArgs, signal?: AbortSignal): Promise<void> {
   const ref = args.ref ?? "HEAD";
   const interval = args.intervalMs ?? 30_000;
 
   // Trigger
   const { stdout: triggerOut } = await execAsync(
     `glab ci run --project ${args.name} --ref ${ref}`,
+    { signal },
   );
   console.log(triggerOut);
 
   // Poll status
   let attempt = 0;
   while (true) {
+    if (signal?.aborted) throw new Error("gitlabPipeline aborted");
     attempt++;
-    Context.current().heartbeat({ step: "gitlabPipeline", project: args.name, attempt });
+    safeHeartbeat({ step: "gitlabPipeline", project: args.name, attempt });
 
     const { stdout } = await execAsync(
       `glab ci status --project ${args.name} --format json`,
+      { signal },
     );
 
     let status: string | undefined;
@@ -51,6 +55,6 @@ export async function gitlabPipeline(args: GitlabPipelineArgs): Promise<void> {
       throw new Error(`GitLab pipeline for ${args.name} ended with status: ${status}`);
     }
 
-    await new Promise((r) => setTimeout(r, interval));
+    await sleep(interval, signal);
   }
 }

package/src/op/activities/heartbeat-context.test.ts

@@ -0,0 +1,29 @@
+import { describe, test, expect, vi } from "vitest";
+
+// Positive path: prove the shim actually heartbeats once `@temporalio/activity`
+// is present. The SDK isn't installed in this repo, so we virtual-mock it with a
+// fake `Context` whose `heartbeat` we can observe. Lives in its own file so the
+// module-level cache in heartbeat.ts starts fresh (vitest isolates files), and
+// so heartbeat.test.ts can keep exercising the no-SDK path unmocked.
+const { heartbeat } = vi.hoisted(() => ({ heartbeat: vi.fn() }));
+
+vi.mock("@temporalio/activity", () => ({
+  Context: { current: () => ({ heartbeat }) },
+}));
+
+describe("safeHeartbeat with @temporalio/activity present", () => {
+  test("heartbeats once the lazy import resolves", async () => {
+    const { safeHeartbeat } = await import("./heartbeat");
+
+    // First call only kicks off the one-time lazy load and returns immediately.
+    safeHeartbeat({ step: "first" });
+    expect(heartbeat).not.toHaveBeenCalled();
+
+    // After the dynamic import settles, subsequent calls heartbeat through to
+    // the (mocked) activity Context, preserving the passed details.
+    await vi.waitFor(() => {
+      safeHeartbeat({ step: "after-load" });
+      expect(heartbeat).toHaveBeenCalledWith({ step: "after-load" });
+    });
+  });
+});

package/src/op/activities/heartbeat.test.ts

@@ -0,0 +1,10 @@
+import { describe, test, expect } from "vitest";
+import { safeHeartbeat } from "./heartbeat";
+
+describe("safeHeartbeat", () => {
+  test("no-ops outside a Temporal worker instead of throwing", () => {
+    // No activity execution context and (in this env) no @temporalio/activity.
+    expect(() => safeHeartbeat({ step: "test" })).not.toThrow();
+    expect(() => safeHeartbeat()).not.toThrow();
+  });
+});

package/src/op/activities/heartbeat.ts

@@ -0,0 +1,59 @@
+/**
+ * Activity heartbeat shim.
+ *
+ * Activities heartbeat so a Temporal worker knows they are still alive. Two
+ * things make a naive `Context.current().heartbeat()` call unsafe outside a
+ * worker:
+ *
+ *   1. `@temporalio/activity` may not be installed at all — chant's local
+ *      executor runs these same activity implementations with no Temporal SDK
+ *      present. A static `import` would make the entire activity library fail
+ *      to load. So we resolve `Context` lazily via dynamic import and cache it.
+ *   2. Even when installed, `Context.current()` throws when called outside an
+ *      activity execution context. We swallow that too.
+ *
+ * Net effect: identical activity code heartbeats under a Temporal worker and
+ * no-ops locally, and the activity library imports cleanly without the SDK.
+ */
+
+interface ActivityContext {
+  current(): { heartbeat(details?: unknown): void };
+}
+
+// undefined = not yet attempted; null = unavailable; object = resolved Context.
+let cachedContext: ActivityContext | null | undefined;
+let loading: Promise<void> | undefined;
+
+function ensureContext(): void {
+  if (cachedContext !== undefined || loading) return;
+  // Variable specifier so bundlers/tsc do not statically require the optional dep.
+  const spec = "@temporalio/activity";
+  loading = import(spec)
+    .then((mod: unknown) => {
+      cachedContext = (mod as { Context?: ActivityContext }).Context ?? null;
+    })
+    .catch(() => {
+      cachedContext = null;
+    });
+}
+
+/**
+ * Emit an activity heartbeat if running under a Temporal worker; otherwise no-op.
+ *
+ * The first call kicks off a one-time lazy load of `@temporalio/activity` and
+ * returns immediately; once resolved, subsequent calls heartbeat. Heartbeats
+ * are periodic (every ~15s, well inside the 60s heartbeat timeout), so the
+ * single missed first tick is harmless.
+ */
+export function safeHeartbeat(details?: unknown): void {
+  if (cachedContext === undefined) {
+    ensureContext();
+    return;
+  }
+  if (cachedContext === null) return;
+  try {
+    cachedContext.current().heartbeat(details);
+  } catch {
+    // Not inside an activity execution context — nothing to do.
+  }
+}

package/src/op/activities/helm.ts

@@ -1,6 +1,6 @@
 import { exec } from "node:child_process";
 import { promisify } from "node:util";
-import { Context } from "@temporalio/activity";
+import { safeHeartbeat } from "./heartbeat";
 
 const execAsync = promisify(exec);
 
@@ -19,20 +19,20 @@ export interface HelmInstallArgs {
 
 /**
  * Run `helm upgrade --install <name> <chart>`.
- * Uses longInfra profile — 20m timeout, heartbeat every 60s.
+ * Uses longInfra profile — 20m timeout, heartbeat every 15s.
  */
-export async function helmInstall(args: HelmInstallArgs): Promise<void> {
+export async function helmInstall(args: HelmInstallArgs, signal?: AbortSignal): Promise<void> {
   const parts = ["helm", "upgrade", "--install", "--wait", args.name, args.chart];
   if (args.namespace) parts.push("--namespace", args.namespace, "--create-namespace");
   if (args.values) parts.push("-f", args.values);
   for (const [k, v] of Object.entries(args.set ?? {})) parts.push("--set", `${k}=${v}`);
 
   const heartbeatInterval = setInterval(() => {
-    Context.current().heartbeat({ step: "helm install", release: args.name });
+    safeHeartbeat({ step: "helm install", release: args.name });
   }, 15_000);
 
   try {
-    const { stdout, stderr } = await execAsync(parts.join(" "));
+    const { stdout, stderr } = await execAsync(parts.join(" "), { signal });
     if (stdout) console.log(stdout);
     if (stderr) console.error(stderr);
   } finally {

package/src/op/activities/index.ts

@@ -16,8 +16,17 @@ export type { GitlabPipelineArgs } from "./gitlab";
 export { shellCmd } from "./shell";
 export type { ShellCmdArgs } from "./shell";
 
-export { stateSnapshot, stateDiff } from "./state";
-export type { StateSnapshotArgs, StateDiffArgs, StateDiffResult } from "./state";
+export { lifecycleSnapshot, lifecycleDiff } from "./lifecycle";
+export type { LifecycleSnapshotArgs, LifecycleDiffArgs, LifecycleDiffResult } from "./lifecycle";
 
 export { chantTeardown } from "./teardown";
 export type { ChantTeardownArgs } from "./teardown";
+
+export { reconcilePr } from "./reconcile";
+export type { ReconcilePrArgs, ReconcileResult, ReconcileMode, ReconcileEntry } from "./reconcile";
+
+export { nativeApply, compensateApply } from "./apply";
+export type { NativeApplyArgs, CompensateApplyArgs, ApplyTarget, DeleteMode } from "./apply";
+
+export { waitForArgoSync, defaultArgoStatusFetcher, ArgoSyncFailedError } from "./argo";
+export type { WaitForArgoSyncArgs, ArgoAppStatus, ArgoStatusFetcher } from "./argo";

package/src/op/activities/kubectl.ts

@@ -1,6 +1,6 @@
 import { exec } from "node:child_process";
 import { promisify } from "node:util";
-import { Context } from "@temporalio/activity";
+import { safeHeartbeat } from "./heartbeat";
 
 const execAsync = promisify(exec);
 
@@ -12,17 +12,18 @@ export interface KubectlApplyArgs {
 
 /**
  * Run `kubectl apply -f <manifest>`.
- * Uses longInfra profile — 20m timeout, heartbeat every 60s.
+ * Uses longInfra profile — 20m timeout, heartbeat every 15s.
  */
-export async function kubectlApply(args: KubectlApplyArgs): Promise<void> {
+export async function kubectlApply(args: KubectlApplyArgs, signal?: AbortSignal): Promise<void> {
   const ctx = args.context ? `--context ${args.context}` : "";
   const heartbeatInterval = setInterval(() => {
-    Context.current().heartbeat({ step: "kubectl apply", manifest: args.manifest });
+    safeHeartbeat({ step: "kubectl apply", manifest: args.manifest });
   }, 15_000);
 
   try {
     const { stdout, stderr } = await execAsync(
       `kubectl apply -f ${args.manifest} ${ctx} --wait=true`,
+      { signal },
     );
     if (stdout) console.log(stdout);
     if (stderr) console.error(stderr);