npm - @mizchi/k1c - Versions diffs - 0.3.0 → 0.4.0 - Mend

@mizchi/k1c 0.3.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +3 -2
package/dist/manifest/lower.js +78 -10
package/dist/manifest/schemas.d.ts +1655 -0
package/dist/manifest/schemas.js +30 -0
package/dist/manifest/types.d.ts +43 -1
package/dist/providers/access-application.d.ts +53 -0
package/dist/providers/access-application.js +183 -0
package/dist/providers/index.js +4 -0
package/dist/providers/worker-route.d.ts +10 -0
package/dist/providers/worker-route.js +115 -0
package/dist/reconciler/plan.js +2 -0
package/package.json +1 -1

package/dist/manifest/schemas.js CHANGED Viewed

@@ -308,6 +308,35 @@ const ingressRuleSchema = z.object({
     host: z.string().min(1).optional(),
     http: z.object({ paths: z.array(ingressPathSchema).min(1) }),
 });
+const accessRuleSchema = z.union([
+    z.object({ email: z.object({ email: z.string().min(1) }) }),
+    z.object({ emailDomain: z.object({ domain: z.string().min(1) }) }),
+    z.object({ everyone: z.object({}).strict() }),
+    z.object({ ip: z.object({ ip: z.string().min(1) }) }),
+    z.object({ country: z.object({ code: z.string().min(2) }) }),
+    z.object({ serviceToken: z.object({ tokenId: z.string().min(1) }) }),
+    z.object({ anyValidServiceToken: z.object({}).strict() }),
+]);
+const accessAppPolicySchema = z.object({
+    name: z.string().min(1),
+    decision: z.enum(['allow', 'deny', 'bypass', 'non_identity']),
+    include: z.array(accessRuleSchema).min(1),
+    exclude: z.array(accessRuleSchema).optional(),
+    require: z.array(accessRuleSchema).optional(),
+    sessionDuration: z.string().optional(),
+});
+export const accessApplicationSchema = z.object({
+    apiVersion: z.literal('cloudflare.k1c.io/v1alpha1'),
+    kind: z.literal('AccessApplication'),
+    metadata: objectMetaSchema,
+    spec: z.object({
+        domain: z.string().min(1),
+        sessionDuration: z.string().optional(),
+        autoRedirectToIdentity: z.boolean().optional(),
+        allowedIdps: z.array(z.string()).optional(),
+        policies: z.array(accessAppPolicySchema).min(1),
+    }),
+});
 export const ingressSchema = z.object({
     apiVersion: z.literal('networking.k8s.io/v1'),
     kind: z.literal('Ingress'),
@@ -337,5 +366,6 @@ export const k1cResourceSchema = z.discriminatedUnion('kind', [
     dnsRecordSchema,
     logpushJobSchema,
     ingressSchema,
+    accessApplicationSchema,
 ]);
 //# sourceMappingURL=schemas.js.map

package/dist/manifest/types.d.ts CHANGED Viewed

@@ -265,7 +265,49 @@ export interface IngressSpec {
     readonly defaultBackend?: IngressBackend;
 }
 export type Ingress = BaseResource<'Ingress', 'networking.k8s.io/v1', IngressSpec>;
-export type K1cResource = Deployment | Rollout | StatefulSet | CronJob | Job | ConfigMapResource | SecretResource | NamespaceResource | ServiceResource | R2Bucket | KVNamespace | DispatchNamespace | Hyperdrive | D1Database | Queue | Vectorize | DNSRecord | LogpushJob | Ingress;
+export type AccessDecision = 'allow' | 'deny' | 'bypass' | 'non_identity';
+export type AccessRule = {
+    readonly email: {
+        readonly email: string;
+    };
+} | {
+    readonly emailDomain: {
+        readonly domain: string;
+    };
+} | {
+    readonly everyone: Readonly<Record<string, never>>;
+} | {
+    readonly ip: {
+        readonly ip: string;
+    };
+} | {
+    readonly country: {
+        readonly code: string;
+    };
+} | {
+    readonly serviceToken: {
+        readonly tokenId: string;
+    };
+} | {
+    readonly anyValidServiceToken: Readonly<Record<string, never>>;
+};
+export interface AccessAppPolicy {
+    readonly name: string;
+    readonly decision: AccessDecision;
+    readonly include: ReadonlyArray<AccessRule>;
+    readonly exclude?: ReadonlyArray<AccessRule>;
+    readonly require?: ReadonlyArray<AccessRule>;
+    readonly sessionDuration?: string;
+}
+export interface AccessApplicationSpec {
+    readonly domain: string;
+    readonly sessionDuration?: string;
+    readonly autoRedirectToIdentity?: boolean;
+    readonly allowedIdps?: ReadonlyArray<string>;
+    readonly policies: ReadonlyArray<AccessAppPolicy>;
+}
+export type AccessApplication = BaseResource<'AccessApplication', 'cloudflare.k1c.io/v1alpha1', AccessApplicationSpec>;
+export type K1cResource = Deployment | Rollout | StatefulSet | CronJob | Job | ConfigMapResource | SecretResource | NamespaceResource | ServiceResource | R2Bucket | KVNamespace | DispatchNamespace | Hyperdrive | D1Database | Queue | Vectorize | DNSRecord | LogpushJob | Ingress | AccessApplication;
 export type ResourceKind = K1cResource['kind'];
 export interface ResourceRef {
     readonly apiVersion: string;

package/dist/providers/access-application.d.ts ADDED Viewed

@@ -0,0 +1,53 @@
+import { z } from 'zod';
+import type { CloudflareResourceProvider } from './types.ts';
+export type AccessDecisionWire = 'allow' | 'deny' | 'bypass' | 'non_identity';
+/**
+ * SDK-shaped (snake_case) Access rule. The lowering layer translates the camelCase
+ * manifest form into this once and the provider then ferries it across the API
+ * verbatim. Keeping a flat wire shape here makes the discriminated union match
+ * Cloudflare's response without a second translation step.
+ */
+export type AccessRuleWire = {
+    readonly email: {
+        readonly email: string;
+    };
+} | {
+    readonly email_domain: {
+        readonly domain: string;
+    };
+} | {
+    readonly everyone: Readonly<Record<string, never>>;
+} | {
+    readonly ip: {
+        readonly ip: string;
+    };
+} | {
+    readonly country: {
+        readonly country_code: string;
+    };
+} | {
+    readonly service_token: {
+        readonly token_id: string;
+    };
+} | {
+    readonly any_valid_service_token: Readonly<Record<string, never>>;
+};
+export interface AccessAppPolicyWire {
+    readonly name: string;
+    readonly decision: AccessDecisionWire;
+    readonly include: ReadonlyArray<AccessRuleWire>;
+    readonly exclude?: ReadonlyArray<AccessRuleWire>;
+    readonly require?: ReadonlyArray<AccessRuleWire>;
+    readonly session_duration?: string;
+}
+export interface AccessApplicationProperties {
+    readonly appName: string;
+    readonly domain: string;
+    readonly sessionDuration?: string;
+    readonly autoRedirectToIdentity?: boolean;
+    readonly allowedIdps?: ReadonlyArray<string>;
+    readonly policies: ReadonlyArray<AccessAppPolicyWire>;
+}
+export declare const accessApplicationSchema: z.ZodType<AccessApplicationProperties>;
+export declare const accessApplicationProvider: CloudflareResourceProvider<AccessApplicationProperties>;
+//# sourceMappingURL=access-application.d.ts.map

package/dist/providers/access-application.js ADDED Viewed

@@ -0,0 +1,183 @@
+import { z } from 'zod';
+import { NotFound } from "./types.js";
+import { toProviderError } from "./errors.js";
+const accessRuleWireSchema = z.union([
+    z.object({ email: z.object({ email: z.string() }) }),
+    z.object({ email_domain: z.object({ domain: z.string() }) }),
+    z.object({ everyone: z.object({}).strict() }),
+    z.object({ ip: z.object({ ip: z.string() }) }),
+    z.object({ country: z.object({ country_code: z.string() }) }),
+    z.object({ service_token: z.object({ token_id: z.string() }) }),
+    z.object({ any_valid_service_token: z.object({}).strict() }),
+]);
+const accessAppPolicyWireSchema = z.object({
+    name: z.string(),
+    decision: z.enum(['allow', 'deny', 'bypass', 'non_identity']),
+    include: z.array(accessRuleWireSchema),
+    exclude: z.array(accessRuleWireSchema).optional(),
+    require: z.array(accessRuleWireSchema).optional(),
+    session_duration: z.string().optional(),
+});
+export const accessApplicationSchema = z.object({
+    appName: z.string(),
+    domain: z.string(),
+    sessionDuration: z.string().optional(),
+    autoRedirectToIdentity: z.boolean().optional(),
+    allowedIdps: z.array(z.string()).optional(),
+    policies: z.array(accessAppPolicyWireSchema),
+});
+const NAME_PREFIX = 'k1c-';
+/**
+ * Cloudflare Access Applications carry no per-app comment field, so ownership is
+ * inferred from the application name starting with the `k1c-` prefix. This is
+ * the same approach used by other prefix-named resources.
+ */
+function parseLabel(name) {
+    if (typeof name !== 'string' || !name.startsWith(NAME_PREFIX))
+        return null;
+    const rest = name.slice(NAME_PREFIX.length);
+    const dash = rest.indexOf('-');
+    if (dash <= 0 || dash === rest.length - 1)
+        return null;
+    return `${rest.slice(0, dash)}/${rest.slice(dash + 1)}`;
+}
+function buildBody(props) {
+    return {
+        name: props.appName,
+        domain: props.domain,
+        type: 'self_hosted',
+        ...(props.sessionDuration !== undefined ? { session_duration: props.sessionDuration } : {}),
+        ...(props.autoRedirectToIdentity !== undefined
+            ? { auto_redirect_to_identity: props.autoRedirectToIdentity }
+            : {}),
+        ...(props.allowedIdps !== undefined ? { allowed_idps: [...props.allowedIdps] } : {}),
+        policies: props.policies.map((p) => ({
+            name: p.name,
+            decision: p.decision,
+            include: [...p.include],
+            ...(p.exclude !== undefined ? { exclude: [...p.exclude] } : {}),
+            ...(p.require !== undefined ? { require: [...p.require] } : {}),
+            ...(p.session_duration !== undefined ? { session_duration: p.session_duration } : {}),
+        })),
+    };
+}
+export const accessApplicationProvider = {
+    resourceType: 'AccessApplication',
+    schema: accessApplicationSchema,
+    async *list(ctx) {
+        let iter;
+        try {
+            iter = ctx.cloudflare.zeroTrust.access.applications.list({ account_id: ctx.accountId });
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+        try {
+            for await (const app of iter) {
+                const a = app;
+                if (!a.id)
+                    continue;
+                const label = parseLabel(a.name);
+                if (label === null)
+                    continue;
+                yield { nativeId: a.id, label };
+            }
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+    async read(ctx, nativeId) {
+        try {
+            const app = (await ctx.cloudflare.zeroTrust.access.applications.get(nativeId, {
+                account_id: ctx.accountId,
+            }));
+            if (!app.name || !app.domain)
+                return NotFound;
+            // Reading back the policies is best-effort: Cloudflare returns a richer shape
+            // than we store, so we narrow back to the wire types we know how to emit.
+            // Unknown rule types are dropped from the read result, which means a manual
+            // edit in the dashboard may produce a perpetual "drift" — accepted for v0.4.
+            const policies = [];
+            for (const raw of app.policies ?? []) {
+                const p = raw;
+                if (!p.name || !p.decision || !p.include)
+                    continue;
+                policies.push({
+                    name: p.name,
+                    decision: p.decision,
+                    include: p.include,
+                    ...(p.exclude !== undefined
+                        ? { exclude: p.exclude }
+                        : {}),
+                    ...(p.require !== undefined
+                        ? { require: p.require }
+                        : {}),
+                    ...(p.session_duration !== undefined ? { session_duration: p.session_duration } : {}),
+                });
+            }
+            return {
+                appName: app.name,
+                domain: app.domain,
+                ...(app.session_duration !== undefined
+                    ? { sessionDuration: app.session_duration }
+                    : {}),
+                ...(app.auto_redirect_to_identity !== undefined
+                    ? { autoRedirectToIdentity: app.auto_redirect_to_identity }
+                    : {}),
+                ...(app.allowed_idps !== undefined ? { allowedIdps: [...app.allowed_idps] } : {}),
+                policies,
+            };
+        }
+        catch (raw) {
+            const err = toProviderError(raw);
+            if (err.code === 'NotFound')
+                return NotFound;
+            throw err;
+        }
+    },
+    async create(ctx, _label, desired) {
+        try {
+            const app = (await ctx.cloudflare.zeroTrust.access.applications.create({
+                account_id: ctx.accountId,
+                ...buildBody(desired),
+            }));
+            return {
+                kind: 'sync',
+                nativeId: app.id ?? desired.appName,
+                properties: desired,
+            };
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+    async update(ctx, nativeId, _prior, desired) {
+        try {
+            const app = (await ctx.cloudflare.zeroTrust.access.applications.update(nativeId, {
+                account_id: ctx.accountId,
+                ...buildBody(desired),
+            }));
+            return {
+                kind: 'sync',
+                nativeId: app.id ?? nativeId,
+                properties: desired,
+            };
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+    async delete(ctx, nativeId) {
+        try {
+            await ctx.cloudflare.zeroTrust.access.applications.delete(nativeId, {
+                account_id: ctx.accountId,
+            });
+            return { kind: 'sync' };
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+};
+//# sourceMappingURL=access-application.js.map

package/dist/providers/index.js CHANGED Viewed

@@ -13,6 +13,8 @@ import { vectorizeProvider } from "./vectorize.js";
 import { dnsRecordProvider } from "./dns-record.js";
 import { workflowProvider } from "./workflow.js";
 import { logpushJobProvider } from "./logpush-job.js";
+import { workerRouteProvider } from "./worker-route.js";
+import { accessApplicationProvider } from "./access-application.js";
 export function createDefaultRegistry() {
     const r = new ProviderRegistry();
     r.register(workerProvider);
@@ -29,6 +31,8 @@ export function createDefaultRegistry() {
     r.register(dnsRecordProvider);
     r.register(workflowProvider);
     r.register(logpushJobProvider);
+    r.register(workerRouteProvider);
+    r.register(accessApplicationProvider);
     return r;
 }
 export { ProviderRegistry } from "./registry.js";

package/dist/providers/worker-route.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import { z } from 'zod';
+import type { CloudflareResourceProvider } from './types.ts';
+export interface WorkerRouteProperties {
+    readonly zoneId: string;
+    readonly pattern: string;
+    readonly scriptName: string;
+}
+export declare const workerRouteSchema: z.ZodType<WorkerRouteProperties>;
+export declare const workerRouteProvider: CloudflareResourceProvider<WorkerRouteProperties>;
+//# sourceMappingURL=worker-route.d.ts.map

package/dist/providers/worker-route.js ADDED Viewed

@@ -0,0 +1,115 @@
+import { z } from 'zod';
+import { NotFound } from "./types.js";
+import { toProviderError } from "./errors.js";
+export const workerRouteSchema = z.object({
+    zoneId: z.string(),
+    pattern: z.string(),
+    scriptName: z.string(),
+});
+const SCRIPT_PREFIX = 'k1c--';
+/**
+ * Cloudflare Workers Routes carry no per-route comment field, so ownership is
+ * inferred from the bound `script` starting with the k1c naming prefix. This
+ * is the same approach used by the CustomDomain provider.
+ */
+function isManaged(script) {
+    return typeof script === 'string' && script.startsWith(SCRIPT_PREFIX);
+}
+/**
+ * Routes are keyed on `pattern` for the purpose of label matching — the SDK
+ * surface lets us list by zone, and within a zone the pattern is unique.
+ */
+function labelFromPattern(pattern) {
+    if (typeof pattern !== 'string' || pattern.length === 0)
+        return null;
+    return pattern;
+}
+export const workerRouteProvider = {
+    resourceType: 'WorkerRoute',
+    schema: workerRouteSchema,
+    async *list(ctx) {
+        if (ctx.zoneId === undefined) {
+            // Routes are zone-scoped; without a zone we cannot enumerate. Yield nothing.
+            return;
+        }
+        let iter;
+        try {
+            iter = ctx.cloudflare.workers.routes.list({ zone_id: ctx.zoneId });
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+        try {
+            for await (const r of iter) {
+                if (!isManaged(r.script))
+                    continue;
+                const label = labelFromPattern(r.pattern);
+                if (label === null || !r.id)
+                    continue;
+                yield { nativeId: r.id, label };
+            }
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+    async read(ctx, nativeId) {
+        if (ctx.zoneId === undefined)
+            return NotFound;
+        try {
+            const r = await ctx.cloudflare.workers.routes.get(nativeId, { zone_id: ctx.zoneId });
+            if (!r.pattern || !r.script)
+                return NotFound;
+            return { zoneId: ctx.zoneId, pattern: r.pattern, scriptName: r.script };
+        }
+        catch (raw) {
+            const err = toProviderError(raw);
+            if (err.code === 'NotFound')
+                return NotFound;
+            throw err;
+        }
+    },
+    async create(_ctx, _label, desired) {
+        try {
+            const r = await _ctx.cloudflare.workers.routes.create({
+                zone_id: desired.zoneId,
+                pattern: desired.pattern,
+                script: desired.scriptName,
+            });
+            return { kind: 'sync', nativeId: r.id, properties: desired };
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+    async update(ctx, nativeId, _prior, desired) {
+        try {
+            const r = await ctx.cloudflare.workers.routes.update(nativeId, {
+                zone_id: desired.zoneId,
+                pattern: desired.pattern,
+                script: desired.scriptName,
+            });
+            return { kind: 'sync', nativeId: r.id, properties: desired };
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+    async delete(ctx, nativeId) {
+        if (ctx.zoneId === undefined) {
+            throw {
+                code: 'InvalidRequest',
+                recoverable: false,
+                message: 'WorkerRoute delete requires zoneId in ProviderContext',
+            };
+        }
+        try {
+            await ctx.cloudflare.workers.routes.delete(nativeId, { zone_id: ctx.zoneId });
+            return { kind: 'sync' };
+        }
+        catch (raw) {
+            throw toProviderError(raw);
+        }
+    },
+};
+//# sourceMappingURL=worker-route.js.map

package/dist/reconciler/plan.js CHANGED Viewed

@@ -127,9 +127,11 @@ function deletePriority(resourceType) {
         // Top-level edges — nothing else points at these. Delete first so we do not
         // serve traffic to a Worker we are about to remove.
         case 'CustomDomain':
+        case 'WorkerRoute':
         case 'DNSRecord':
         case 'LogpushJob':
         case 'Workflow':
+        case 'AccessApplication':
             return 0;
         case 'Worker':
             return 1;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mizchi/k1c",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "Experimental kubectl-style apply tool for Cloudflare",
   "keywords": [
     "cloudflare",