@meshxdata/fops 0.0.4 → 0.0.6

package/src/plugins/bundled/fops-plugin-1password/lib/sync.js

@@ -0,0 +1,61 @@
+import fs from "node:fs";
+import chalk from "chalk";
+import { opInject } from "./op.js";
+import { parseEnv, mergeEnv, discoverTemplates } from "./env.js";
+
+/**
+ * Sync secrets from 1Password into .env files.
+ * For each discovered .env.1password template:
+ *   1. Read the template (contains op:// references)
+ *   2. Run `op inject` to resolve references
+ *   3. Parse resolved output into key=value pairs
+ *   4. Merge into .env (create from .env.example if needed)
+ *
+ * Returns { synced: number, errors: string[] }
+ */
+export async function syncSecrets(root) {
+  const templates = discoverTemplates(root);
+  if (templates.length === 0) {
+    console.log(chalk.yellow("  No .env.1password templates found."));
+    return { synced: 0, errors: [] };
+  }
+
+  let synced = 0;
+  const errors = [];
+
+  for (const { templatePath, envPath, dir } of templates) {
+    const relDir = dir === root ? "." : dir.replace(root + "/", "");
+    try {
+      const template = fs.readFileSync(templatePath, "utf8");
+      const resolved = await opInject(template);
+      const secrets = parseEnv(resolved);
+
+      if (secrets.size === 0) {
+        console.log(chalk.dim(`  ${relDir}/.env.1password — no secrets resolved`));
+        continue;
+      }
+
+      // Read existing .env, or fall back to .env.example, or start empty
+      let existing = "";
+      if (fs.existsSync(envPath)) {
+        existing = fs.readFileSync(envPath, "utf8");
+      } else {
+        const examplePath = envPath.replace(/\.env$/, ".env.example");
+        if (fs.existsSync(examplePath)) {
+          existing = fs.readFileSync(examplePath, "utf8");
+        }
+      }
+
+      const merged = mergeEnv(existing, secrets);
+      fs.writeFileSync(envPath, merged);
+      console.log(chalk.green(`  ✓ ${relDir}/.env — ${secrets.size} secret(s) synced`));
+      synced++;
+    } catch (err) {
+      const msg = `${relDir}: ${err.message}`;
+      errors.push(msg);
+      console.log(chalk.red(`  ✗ ${relDir}/.env.1password — ${err.message}`));
+    }
+  }
+
+  return { synced, errors };
+}

package/src/plugins/bundled/fops-plugin-1password/package.json

@@ -0,0 +1 @@
+{ "type": "module" }

package/src/plugins/bundled/fops-plugin-1password/skills/1password/SKILL.md

@@ -0,0 +1,79 @@
+---
+name: 1password
+description: 1Password secrets integration for Foundation .env files
+requires: op
+---
+
+## 1Password Plugin for fops
+
+Automates injecting secrets from 1Password into `.env` files using `op://` references.
+
+## Commands
+
+```bash
+fops 1password setup    # Interactive wizard: install op, sign in, pick vault, scaffold templates
+fops 1password sync     # Pull secrets from 1Password → merge into .env files
+fops 1password status   # Show op version, auth, vault, discovered templates
+fops 1p sync            # Shorthand alias
+```
+
+## Template Format
+
+`.env.1password` files live alongside `.env.example` and contain only secret variables with `op://` references:
+
+```
+# Format: KEY=op://<vault>/<item>/<field>
+BEARER_TOKEN=op://Foundation/auth0-dev/bearer-token
+MX_POSTGRES_PASSWORD=op://Foundation/postgres-dev/password
+S3_SECRET_KEY=op://Foundation/minio-dev/secret-key
+```
+
+The sync command reads each template, resolves the `op://` references via `op inject`, and merges the values into the corresponding `.env` file — preserving comments, ordering, and non-secret values.
+
+## How It Works
+
+1. **Template discovery**: Scans project root + subdirectories for `.env.1password` files
+2. **Secret resolution**: Pipes each template through `op inject` (stdin→stdout)
+3. **Merge**: Parsed secrets overwrite matching keys in `.env`, new keys are appended
+4. **Auto-sync**: When `autoSync: true` in config, secrets sync automatically before `fops up`
+
+## Config
+
+Stored in `~/.fops.json`:
+
+```json
+{
+  "plugins": {
+    "entries": {
+      "fops-plugin-1password": {
+        "enabled": true,
+        "config": {
+          "defaultVault": "Foundation",
+          "autoSync": true
+        }
+      }
+    }
+  }
+}
+```
+
+## Setup
+
+Run `fops 1password setup` to:
+1. Check/install `op` CLI (offers Homebrew install)
+2. Sign in to 1Password (biometric/browser)
+3. Select default vault
+4. Set auto-sync preference
+5. Scaffold `.env.1password` templates from `.env.example` (detects secret-looking keys)
+
+## Troubleshooting
+
+**op CLI not found**: Install via `brew install --cask 1password-cli` or see https://developer.1password.com/docs/cli/get-started/
+
+**Not signed in**: Run `op signin` or `fops 1password setup`
+
+**Secrets not resolving**: Verify the `op://vault/item/field` path matches your 1Password items. Use `op item get "item-name" --vault "vault-name"` to check field names.
+
+**Permission denied**: Ensure 1Password desktop app is running and CLI integration is enabled in Settings → Developer → CLI.
+
+**Auto-sync not firing**: Check `~/.fops.json` has `autoSync: true` under the plugin config.

package/src/plugins/bundled/fops-plugin-ecr/fops.plugin.json

@@ -0,0 +1,7 @@
+{
+  "id": "fops-plugin-ecr",
+  "name": "ECR Container Registry",
+  "version": "0.1.0",
+  "description": "Manage AWS ECR authentication and container image pulls",
+  "skills": ["skills/ecr"]
+}

package/src/plugins/bundled/fops-plugin-ecr/index.js

@@ -0,0 +1,302 @@
+import fs from "node:fs";
+import path from "node:path";
+import chalk from "chalk";
+import {
+  awsVersion,
+  detectEcrRegistry,
+  detectSsoProfiles,
+  stsIdentity,
+  ecrLogin,
+  ssoLogin,
+} from "./lib/aws.js";
+import { listEcrImages, checkImageFreshness } from "./lib/images.js";
+import { syncImages } from "./lib/sync.js";
+import { runSetupWizard } from "./lib/setup.js";
+
+/**
+ * Find the Foundation project root by walking up from cwd,
+ * looking for docker-compose.yaml + Makefile.
+ */
+function findRoot() {
+  let dir = process.cwd();
+  while (dir) {
+    const hasCompose =
+      fs.existsSync(path.join(dir, "docker-compose.yaml")) ||
+      fs.existsSync(path.join(dir, "docker-compose.yml"));
+    if (hasCompose && fs.existsSync(path.join(dir, "Makefile"))) return dir;
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+
+export function register(api) {
+  const config = api.config;
+
+  // ── Command: fops ecr ──────────────────────────────
+  api.registerCommand((program) => {
+    const cmd = program
+      .command("ecr")
+      .description("Manage AWS ECR authentication and images");
+
+    // fops ecr setup
+    cmd
+      .command("setup")
+      .description("Interactive setup wizard for ECR integration")
+      .action(async () => {
+        const root = findRoot();
+        if (!root) {
+          console.log(chalk.red("Not a Foundation project. Run from foundation-compose directory."));
+          process.exit(1);
+        }
+        await runSetupWizard(root);
+      });
+
+    // fops ecr sync
+    cmd
+      .command("sync")
+      .description("Authenticate to ECR and pull latest images")
+      .action(async () => {
+        const root = findRoot();
+        if (!root) {
+          console.log(chalk.red("Not a Foundation project. Run from foundation-compose directory."));
+          process.exit(1);
+        }
+        console.log(chalk.bold.cyan("\n  ECR Sync\n"));
+        await syncImages(root, config);
+      });
+
+    // fops ecr status
+    cmd
+      .command("status")
+      .description("Show AWS CLI, SSO session, ECR auth, and image freshness")
+      .action(async () => {
+        console.log(chalk.bold.cyan("\n  ECR Status\n"));
+
+        // AWS CLI
+        const version = await awsVersion();
+        if (version) {
+          console.log(chalk.green(`  ✓ AWS CLI v${version}`));
+        } else {
+          console.log(chalk.red("  ✗ AWS CLI not installed"));
+          console.log("");
+          return;
+        }
+
+        // SSO profiles
+        const profiles = detectSsoProfiles();
+        const profile = config.profile || profiles[0]?.name || null;
+        if (profile) {
+          console.log(chalk.green(`  ✓ Profile: ${profile}`));
+        } else {
+          console.log(chalk.yellow("  ⚠ No SSO profiles configured"));
+        }
+
+        // STS session
+        if (profile) {
+          const sts = await stsIdentity(profile);
+          if (sts.valid) {
+            console.log(chalk.green(`  ✓ SSO session valid (${sts.account})`));
+          } else {
+            console.log(chalk.yellow("  ⚠ SSO session expired or invalid"));
+          }
+        }
+
+        // ECR registry
+        const root = findRoot();
+        if (root) {
+          const ecr = detectEcrRegistry(root);
+          if (ecr) {
+            const ecrUrl = `${ecr.accountId}.dkr.ecr.${ecr.region}.amazonaws.com`;
+            console.log(chalk.green(`  ✓ ECR registry: ${ecrUrl}`));
+
+            // Image freshness
+            const images = listEcrImages(root);
+            if (images.length > 0) {
+              const freshness = await checkImageFreshness(images);
+              const staleCount = freshness.filter((f) => f.stale === true).length;
+              const missingCount = freshness.filter((f) => f.ageDays === null).length;
+
+              console.log(chalk.dim(`  · ${images.length} ECR image ref(s) in compose`));
+              if (staleCount > 0) {
+                console.log(chalk.yellow(`  ⚠ ${staleCount} stale image(s) (>7d old)`));
+              }
+              if (missingCount > 0) {
+                console.log(chalk.yellow(`  ⚠ ${missingCount} image(s) not pulled locally`));
+              }
+
+              for (const f of freshness) {
+                if (f.ageDays === null) {
+                  console.log(chalk.dim(`    · ${f.image} — not pulled`));
+                } else if (f.stale) {
+                  console.log(chalk.yellow(`    · ${f.image} — ${f.ageDays}d old`));
+                } else {
+                  console.log(chalk.green(`    · ${f.image} — ${f.ageDays === 0 ? "today" : f.ageDays + "d ago"}`));
+                }
+              }
+            }
+          } else {
+            console.log(chalk.dim("  · No ECR images in docker-compose.yaml"));
+          }
+        }
+
+        // Config
+        console.log(chalk.dim(`  · Auto-login: ${config.autoLogin ? "enabled" : "disabled"}`));
+        console.log("");
+      });
+  });
+
+  // ── Doctor check ───────────────────────────────────
+  api.registerDoctorCheck({
+    name: "ECR",
+    fn: async (ok, warn, fail) => {
+      const version = await awsVersion();
+      if (!version) {
+        warn("AWS CLI not installed", "optional — run: brew install awscli");
+        return;
+      }
+      ok(`AWS CLI v${version}`);
+
+      const profiles = detectSsoProfiles();
+      const profile = config.profile || profiles[0]?.name || null;
+      if (!profile) {
+        warn("No AWS SSO profile configured", "run: fops ecr setup", async () => {
+          await runSetupWizard(config, api);
+        });
+        return;
+      }
+
+      const sts = await stsIdentity(profile);
+      if (sts.valid) {
+        ok("AWS SSO session valid", `account ${sts.account}`);
+      } else {
+        fail("AWS SSO session expired", "run: fops ecr sync");
+        return;
+      }
+
+      const root = findRoot();
+      if (!root) return;
+
+      const ecr = detectEcrRegistry(root);
+      if (ecr) {
+        const login = await ecrLogin(ecr.accountId, ecr.region, profile);
+        if (login.success) {
+          ok("ECR authenticated", login.url);
+        } else {
+          fail("ECR login failed", login.url, async () => {
+            await ssoLogin(profile);
+            await ecrLogin(ecr.accountId, ecr.region, profile);
+          });
+        }
+      }
+    },
+  });
+
+  // ── Hook: before:up — auto ECR login ───────────────
+  api.registerHook("before:up", async () => {
+    if (!config.autoLogin) return;
+
+    const root = findRoot();
+    if (!root) return;
+
+    const ecr = detectEcrRegistry(root);
+    if (!ecr) return;
+
+    const profiles = detectSsoProfiles();
+    const profile = config.profile || profiles[0]?.name || null;
+    if (!profile) return;
+
+    // Check if session is valid
+    const sts = await stsIdentity(profile);
+    if (!sts.valid) {
+      console.log(chalk.yellow("  ECR: AWS session expired — logging in via SSO..."));
+      try {
+        await ssoLogin(profile);
+      } catch {
+        console.log(chalk.red("  ✗ ECR: SSO login failed — image pulls may fail"));
+        return;
+      }
+    }
+
+    // Docker login to ECR
+    const login = await ecrLogin(ecr.accountId, ecr.region, profile);
+    if (login.success) {
+      console.log(chalk.green(`  ✓ ECR authenticated (${login.url})`));
+    } else {
+      console.log(chalk.yellow("  ⚠ ECR: docker login failed — image pulls may fail"));
+    }
+  });
+
+  // ── Hook: after:setup — trigger ECR if images detected ─
+  api.registerHook("after:setup", async () => {
+    const root = findRoot();
+    if (!root) return;
+
+    const ecr = detectEcrRegistry(root);
+    if (!ecr) return;
+
+    const profiles = detectSsoProfiles();
+    const profile = config.profile || profiles[0]?.name || null;
+
+    if (profile) {
+      const sts = await stsIdentity(profile);
+      if (sts.valid) {
+        console.log(chalk.blue("\n  ECR images detected — authenticating..."));
+        const login = await ecrLogin(ecr.accountId, ecr.region, profile);
+        if (login.success) {
+          console.log(chalk.green(`  ✓ ECR authenticated (${login.url})`));
+        }
+      } else {
+        console.log(chalk.yellow("\n  ECR images detected. Run: fops ecr setup"));
+      }
+    } else {
+      console.log(chalk.yellow("\n  ECR images detected but no AWS profile configured. Run: fops ecr setup"));
+    }
+  });
+
+  // ── Knowledge source ───────────────────────────────
+  api.registerKnowledgeSource({
+    name: "ECR Container Registry",
+    description: "AWS ECR authentication and image management",
+    search(query) {
+      const keywords = ["ecr", "aws", "docker login", "image pull", "sso", "container registry", "ecr login"];
+      const q = query.toLowerCase();
+      const match = keywords.some((kw) => q.includes(kw));
+      if (!match) return [];
+
+      return [
+        {
+          title: "ECR Plugin",
+          content: [
+            "## ECR Container Registry Plugin",
+            "",
+            "Manages AWS ECR authentication and container image pulls for the Foundation stack.",
+            "",
+            "### Commands",
+            "- `fops ecr setup` — Interactive wizard: install AWS CLI, configure SSO, ECR login",
+            "- `fops ecr sync` — Authenticate to ECR and pull latest images",
+            "- `fops ecr status` — Show AWS CLI, SSO session, ECR auth, image freshness",
+            "",
+            "### Auth Flow",
+            "1. AWS SSO login (`aws sso login --profile <name>`)",
+            "2. Get ECR password (`aws ecr get-login-password`)",
+            "3. Docker login (`docker login --username AWS --password-stdin <registry>`)",
+            "",
+            "### Config (~/.fops.json)",
+            '```json',
+            '{ "plugins": { "entries": { "fops-plugin-ecr": { "config": { "profile": "dev", "autoLogin": true } } } } }',
+            '```',
+            "",
+            "### Troubleshooting",
+            "- `aws sso login --profile dev` — Re-authenticate SSO",
+            "- `aws sts get-caller-identity` — Check current session",
+            "- `docker login` errors — Run `fops ecr sync` to refresh credentials",
+            "- Images not pulling — Check ECR registry URL in docker-compose.yaml",
+          ].join("\n"),
+          score: 0.9,
+        },
+      ];
+    },
+  });
+}

package/src/plugins/bundled/fops-plugin-ecr/lib/aws.js

@@ -0,0 +1,147 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { execa } from "execa";
+
+/**
+ * Get the installed AWS CLI version.
+ * Returns version string or null if not installed.
+ */
+export async function awsVersion() {
+  try {
+    const { stdout } = await execa("aws", ["--version"], { timeout: 5000 });
+    return stdout?.split(" ")[0]?.replace("aws-cli/", "") || null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Check current STS identity for a given profile.
+ * Returns { valid, account, arn } or { valid: false }.
+ */
+export async function stsIdentity(profile) {
+  const profileArgs = profile ? ["--profile", profile] : [];
+  try {
+    const { stdout } = await execa(
+      "aws",
+      ["sts", "get-caller-identity", "--output", "json", ...profileArgs],
+      { timeout: 10000, reject: false },
+    );
+    if (stdout && stdout.includes("Account")) {
+      const info = JSON.parse(stdout);
+      return { valid: true, account: info.Account, arn: info.Arn };
+    }
+  } catch {}
+  return { valid: false, account: null, arn: null };
+}
+
+/**
+ * Run `aws sso login` for the given profile.
+ * Uses inherited stdio so the browser auth flow works.
+ */
+export async function ssoLogin(profile) {
+  const args = ["sso", "login"];
+  if (profile) args.push("--profile", profile);
+
+  // Open /dev/tty so SSO login gets a real terminal even under piped stdio
+  let ttyFd;
+  try {
+    ttyFd = fs.openSync("/dev/tty", "r");
+  } catch {
+    ttyFd = null;
+  }
+
+  await execa("aws", args, {
+    stdio: [ttyFd ?? "inherit", "inherit", "inherit"],
+    reject: false,
+    timeout: 120_000,
+  });
+
+  if (ttyFd !== null) fs.closeSync(ttyFd);
+}
+
+/**
+ * Docker-login to an ECR registry.
+ * Returns { success, url }.
+ */
+export async function ecrLogin(accountId, region, profile) {
+  const profileArgs = profile ? ["--profile", profile] : [];
+  const url = `${accountId}.dkr.ecr.${region}.amazonaws.com`;
+
+  const { stdout: password } = await execa(
+    "aws",
+    ["ecr", "get-login-password", "--region", region, ...profileArgs],
+    { reject: false, timeout: 15000 },
+  );
+
+  if (!password?.trim()) {
+    return { success: false, url };
+  }
+
+  const { exitCode } = await execa(
+    "docker",
+    ["login", "--username", "AWS", "--password-stdin", url],
+    { input: password.trim(), reject: false, timeout: 15000 },
+  );
+
+  return { success: exitCode === 0, url };
+}
+
+/**
+ * Detect ECR registry from a docker-compose.yaml in the given directory.
+ * Returns { accountId, region } or null.
+ */
+export function detectEcrRegistry(root) {
+  try {
+    const composePath = path.join(root, "docker-compose.yaml");
+    if (!fs.existsSync(composePath)) return null;
+    const content = fs.readFileSync(composePath, "utf8");
+    const match = content.match(
+      /(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com/,
+    );
+    if (match) return { accountId: match[1], region: match[2] };
+  } catch {}
+  return null;
+}
+
+/**
+ * Parse ~/.aws/config for profiles that have an sso_session.
+ * Returns [{ name, region, sso_session, ... }].
+ */
+export function detectSsoProfiles() {
+  const configPath = path.join(os.homedir(), ".aws", "config");
+  if (!fs.existsSync(configPath)) return [];
+  const content = fs.readFileSync(configPath, "utf8");
+  const profiles = [];
+  let currentProfile = null;
+  let currentAttrs = {};
+
+  for (const line of content.split("\n")) {
+    const profileMatch = line.match(/^\[profile\s+(.+?)\]/);
+    if (profileMatch) {
+      if (currentProfile && currentAttrs.sso_session) {
+        profiles.push({ name: currentProfile, ...currentAttrs });
+      }
+      currentProfile = profileMatch[1];
+      currentAttrs = {};
+      continue;
+    }
+    if (line.startsWith("[")) {
+      if (currentProfile && currentAttrs.sso_session) {
+        profiles.push({ name: currentProfile, ...currentAttrs });
+      }
+      currentProfile = null;
+      currentAttrs = {};
+      continue;
+    }
+    const kv = line.match(/^\s*(\S+)\s*=\s*(.+)/);
+    if (kv && currentProfile) {
+      currentAttrs[kv[1]] = kv[2].trim();
+    }
+  }
+  if (currentProfile && currentAttrs.sso_session) {
+    profiles.push({ name: currentProfile, ...currentAttrs });
+  }
+  return profiles;
+}

package/src/plugins/bundled/fops-plugin-ecr/lib/images.js

@@ -0,0 +1,73 @@
+import fs from "node:fs";
+import path from "node:path";
+import { execa } from "execa";
+
+const ECR_RE = /(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com\/([^:]+):?(\S*)/;
+
+/**
+ * Parse docker-compose.yaml for all ECR image references.
+ * Returns [{ service, image, repo, tag }].
+ */
+export function listEcrImages(root) {
+  const composePath = path.join(root, "docker-compose.yaml");
+  if (!fs.existsSync(composePath)) return [];
+  const content = fs.readFileSync(composePath, "utf8");
+
+  const results = [];
+  const seen = new Set();
+
+  // Walk through service blocks: "image: ..." lines
+  for (const match of content.matchAll(/^\s+image:\s*(.+)/gm)) {
+    const image = match[1].trim();
+    const ecrMatch = image.match(ECR_RE);
+    if (!ecrMatch) continue;
+
+    // Deduplicate by full image ref
+    if (seen.has(image)) continue;
+    seen.add(image);
+
+    results.push({
+      image,
+      repo: ecrMatch[3],
+      tag: ecrMatch[4] || "latest",
+    });
+  }
+
+  return results;
+}
+
+/**
+ * Check freshness of local Docker images.
+ * Returns [{ image, ageDays, stale }].
+ */
+export async function checkImageFreshness(images, staleDays = 7) {
+  const results = [];
+
+  for (const { image, repo, tag } of images) {
+    // Resolve env vars in tag for inspect (e.g. ${IMAGE_TAG:-compose})
+    const resolvedTag = tag.replace(/\$\{[^}]+:-([^}]+)\}/, "$1");
+    const resolvedImage = image.replace(/\$\{[^}]+:-([^}]+)\}/, "$1");
+
+    try {
+      const { stdout } = await execa(
+        "docker",
+        ["image", "inspect", resolvedImage, "--format", "{{.Created}}"],
+        { reject: false, timeout: 5000 },
+      );
+
+      if (stdout?.trim()) {
+        const created = new Date(stdout.trim());
+        const ageDays = Math.floor(
+          (Date.now() - created.getTime()) / (1000 * 60 * 60 * 24),
+        );
+        results.push({ image: `${repo}:${resolvedTag}`, ageDays, stale: ageDays > staleDays });
+      } else {
+        results.push({ image: `${repo}:${resolvedTag}`, ageDays: null, stale: null });
+      }
+    } catch {
+      results.push({ image: `${repo}:${resolvedTag}`, ageDays: null, stale: null });
+    }
+  }
+
+  return results;
+}