@nuvlore/extension-bds 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (31) hide show
  1. package/package.json +4 -16
  2. package/vendor/extension-read-only-toolkit/LICENSE +0 -202
  3. package/vendor/extension-read-only-toolkit/README.md +0 -29
  4. package/vendor/extension-read-only-toolkit/package.json +0 -46
  5. package/vendor/extension-read-only-toolkit/src/devops-data-paths.mjs +0 -222
  6. package/vendor/extension-read-only-toolkit/src/devops-diagnostics.mjs +0 -440
  7. package/vendor/extension-read-only-toolkit/src/enterprise-api-read.mjs +0 -180
  8. package/vendor/extension-read-only-toolkit/src/read-only-command-pack.mjs +0 -1
  9. package/vendor/extension-read-only-toolkit/src/read-only-plan.mjs +0 -45
  10. package/vendor/extension-read-only-toolkit/src/read-only-shell-policy.d.mts +0 -26
  11. package/vendor/extension-read-only-toolkit/src/read-only-shell-policy.mjs +0 -170
  12. package/vendor/extension-workday-infra-access/LICENSE +0 -202
  13. package/vendor/extension-workday-infra-access/README.md +0 -3
  14. package/vendor/extension-workday-infra-access/agents/workday-infra-access-readonly.yaml +0 -183
  15. package/vendor/extension-workday-infra-access/package.json +0 -49
  16. package/vendor/extension-workday-infra-access/skills/workday-infra-access/SKILL.md +0 -102
  17. package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-boundary-runbook.md +0 -43
  18. package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-runbook.md +0 -15
  19. package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-scylla-cloud-runbook.md +0 -39
  20. package/vendor/extension-workday-infra-access/skills/workday-infra-access/references/access-spc-argo-runbook.md +0 -99
  21. package/vendor/extension-workday-infra-access/src/workday-access-profiles.mjs +0 -194
  22. package/vendor/extension-workday-infra-access/tools/aws_cust_federated_readonly_command_pack.mjs +0 -234
  23. package/vendor/extension-workday-infra-access/tools/gcp_readonly_command_pack.mjs +0 -167
  24. package/vendor/extension-workday-infra-access/tools/public_cloud_access_status.mjs +0 -48
  25. package/vendor/extension-workday-infra-access/tools/workday_boundary_login.mjs +0 -460
  26. package/vendor/extension-workday-infra-access/tools/workday_private_cloud_sudo_readonly_command.mjs +0 -386
  27. package/vendor/extension-workday-infra-access/tools/workday_public_cloud_environment_map.mjs +0 -189
  28. package/vendor/extension-workday-infra-access/tools/workday_public_cloud_kubernetes_read.mjs +0 -297
  29. package/vendor/extension-workday-infra-access/tools/workday_public_cloud_spc_login.mjs +0 -505
  30. package/vendor/extension-workday-infra-access/tools/workday_spc_argo_readonly_command_pack.mjs +0 -215
  31. package/vendor/extension-workday-infra-access/workflows/public-cloud-readonly-investigation.js +0 -99
@@ -1,234 +0,0 @@
1
- export const description = "Create a local-only AWS CUST federated access read-only CLI command pack based on the approved CCOE guide; does not authenticate, read credentials, or call AWS APIs.";
2
-
3
- import { z } from "zod";
4
- import { defineReadOnlyTool, fail, ok } from "@nuvlore/extension-read-only-toolkit/devops-diagnostics";
5
-
6
- const AWS_FEDERATED_ACCESS_GUIDE_URL = "https://confluence.workday.com/display/CCOE/AWS+-+Federated+Access+to+CUST+Accounts+-+User+Guide";
7
- const DEFAULT_REGION = "us-west-2";
8
- const READ_ONLY_SERVICES = new Set([
9
- "account",
10
- "cloudformation",
11
- "cloudtrail",
12
- "cloudwatch",
13
- "ec2",
14
- "eks",
15
- "elb",
16
- "iam",
17
- "kms",
18
- "lambda",
19
- "logs",
20
- "rds",
21
- "route53",
22
- "s3",
23
- "s3api",
24
- "secretsmanager",
25
- "sts"
26
- ]);
27
-
28
- function normalizeText(value) {
29
- return typeof value === "string" ? value.trim() : "";
30
- }
31
-
32
- function shellQuote(value) {
33
- return `'${String(value).replaceAll("'", "'\\''")}'`;
34
- }
35
-
36
- function normalizeService(value) {
37
- const service = normalizeText(value || "sts").toLowerCase();
38
- if (!READ_ONLY_SERVICES.has(service)) {
39
- throw new Error(`Unsupported AWS read-only service: ${service}. Supported services: ${[...READ_ONLY_SERVICES].sort().join(", ")}.`);
40
- }
41
- return service;
42
- }
43
-
44
- function normalizeInput(input = {}) {
45
- return {
46
- accountId: normalizeText(input.accountId),
47
- accountAlias: normalizeText(input.accountAlias),
48
- roleName: normalizeText(input.roleName),
49
- profile: normalizeText(input.profile),
50
- region: normalizeText(input.region) || DEFAULT_REGION,
51
- service: normalizeService(input.service),
52
- resource: normalizeText(input.resource),
53
- guideUrl: normalizeText(input.guideUrl) || AWS_FEDERATED_ACCESS_GUIDE_URL
54
- };
55
- }
56
-
57
- function baseAws(input) {
58
- const profile = input.profile ? ` --profile ${shellQuote(input.profile)}` : "";
59
- const region = input.region ? ` --region ${shellQuote(input.region)}` : "";
60
- return `aws${profile}${region}`;
61
- }
62
-
63
- function serviceCommands(input) {
64
- const aws = baseAws(input);
65
- const resource = input.resource;
66
- switch (input.service) {
67
- case "account":
68
- return [
69
- `${aws} account get-contact-information`,
70
- `${aws} account get-alternate-contact --alternate-contact-type OPERATIONS`,
71
- `${aws} account get-region-opt-status --region-name ${shellQuote(input.region)}`
72
- ];
73
- case "cloudformation":
74
- return [
75
- `${aws} cloudformation list-stacks --stack-status-filter CREATE_COMPLETE UPDATE_COMPLETE UPDATE_ROLLBACK_COMPLETE ROLLBACK_COMPLETE`,
76
- resource ? `${aws} cloudformation describe-stacks --stack-name ${shellQuote(resource)}` : `${aws} cloudformation describe-stacks`
77
- ];
78
- case "cloudtrail":
79
- return [
80
- `${aws} cloudtrail describe-trails`,
81
- `${aws} cloudtrail get-trail-status --name ${shellQuote(resource || "trail-name")}`
82
- ];
83
- case "cloudwatch":
84
- return [
85
- `${aws} cloudwatch describe-alarms`,
86
- `${aws} cloudwatch list-metrics`
87
- ];
88
- case "ec2":
89
- return [
90
- `${aws} ec2 describe-instances`,
91
- `${aws} ec2 describe-security-groups`,
92
- `${aws} ec2 describe-subnets`,
93
- `${aws} ec2 describe-vpcs`
94
- ];
95
- case "eks":
96
- return [
97
- `${aws} eks list-clusters`,
98
- resource ? `${aws} eks describe-cluster --name ${shellQuote(resource)}` : `${aws} eks describe-cluster --name ${shellQuote("cluster-name")}`
99
- ];
100
- case "elb":
101
- return [
102
- `${aws} elbv2 describe-load-balancers`,
103
- `${aws} elbv2 describe-target-groups`
104
- ];
105
- case "iam":
106
- return [
107
- `${aws} iam get-account-summary`,
108
- `${aws} iam list-roles`,
109
- resource ? `${aws} iam get-role --role-name ${shellQuote(resource)}` : `${aws} iam list-policies --scope Local`
110
- ];
111
- case "kms":
112
- return [
113
- `${aws} kms list-keys`,
114
- resource ? `${aws} kms describe-key --key-id ${shellQuote(resource)}` : `${aws} kms list-aliases`
115
- ];
116
- case "lambda":
117
- return [
118
- `${aws} lambda list-functions`,
119
- resource ? `${aws} lambda get-function-configuration --function-name ${shellQuote(resource)}` : `${aws} lambda list-event-source-mappings`
120
- ];
121
- case "logs":
122
- return [
123
- `${aws} logs describe-log-groups`,
124
- resource ? `${aws} logs describe-log-streams --log-group-name ${shellQuote(resource)} --max-items 25` : `${aws} logs describe-log-groups --max-items 50`
125
- ];
126
- case "rds":
127
- return [
128
- `${aws} rds describe-db-instances`,
129
- `${aws} rds describe-db-clusters`
130
- ];
131
- case "route53":
132
- return [
133
- `${aws} route53 list-hosted-zones`,
134
- resource ? `${aws} route53 list-resource-record-sets --hosted-zone-id ${shellQuote(resource)}` : `${aws} route53 list-health-checks`
135
- ];
136
- case "s3":
137
- return [
138
- `${aws} s3 ls${resource ? ` ${shellQuote(resource)}` : ""}`,
139
- `${aws} s3 ls${resource ? ` ${shellQuote(resource)}` : " s3://<bucket>"} --recursive --summarize --human-readable`
140
- ];
141
- case "s3api":
142
- return [
143
- resource ? `${aws} s3api get-bucket-location --bucket ${shellQuote(resource)}` : `${aws} s3api list-buckets`,
144
- resource ? `${aws} s3api get-bucket-encryption --bucket ${shellQuote(resource)}` : `${aws} s3api list-buckets`
145
- ];
146
- case "secretsmanager":
147
- return [
148
- `${aws} secretsmanager list-secrets`,
149
- resource ? `${aws} secretsmanager describe-secret --secret-id ${shellQuote(resource)}` : `${aws} secretsmanager list-secrets --max-results 50`
150
- ];
151
- case "sts":
152
- default:
153
- return [
154
- `${aws} sts get-caller-identity`
155
- ];
156
- }
157
- }
158
-
159
- function awsCustFederatedReadonlyPlan(input) {
160
- const normalized = normalizeInput(input);
161
- return JSON.stringify({
162
- mode: "atomic-helper",
163
- platform: "aws",
164
- accessPattern: "cust-federated-readonly",
165
- sourceGuide: {
166
- title: "AWS - Federated Access to CUST Accounts - User Guide",
167
- url: normalized.guideUrl,
168
- status: "referenced; not executed by this tool"
169
- },
170
- target: {
171
- accountId: normalized.accountId,
172
- accountAlias: normalized.accountAlias,
173
- roleName: normalized.roleName,
174
- profile: normalized.profile,
175
- region: normalized.region,
176
- service: normalized.service,
177
- resource: normalized.resource
178
- },
179
- credentialBoundary: [
180
- "Complete AWS CUST federated access outside this tool using the approved CCOE guide.",
181
- "This tool never opens a browser login, never stores SAML/OIDC tokens, and never reads AWS credential files.",
182
- "After federation, use an explicit AWS_PROFILE or exported session supplied by the operator."
183
- ],
184
- commands: {
185
- identity: `${baseAws(normalized)} sts get-caller-identity`,
186
- serviceReads: serviceCommands(normalized)
187
- },
188
- forbiddenActions: [
189
- "aws s3 cp",
190
- "aws s3 mv",
191
- "aws s3 rm",
192
- "aws s3 sync",
193
- "aws s3api put-object",
194
- "aws s3api delete-object",
195
- "aws ec2 start-instances",
196
- "aws ec2 stop-instances",
197
- "aws eks update-*",
198
- "aws iam create-*",
199
- "aws iam put-*",
200
- "aws secretsmanager get-secret-value"
201
- ],
202
- remoteWrite: "not_executed"
203
- }, null, 2);
204
- }
205
-
206
- export default defineReadOnlyTool({
207
- name: "aws_cust_federated_readonly_command_pack",
208
- description: "Create a local-only AWS CUST federated access read-only CLI command pack based on the approved CCOE guide; does not authenticate, read credentials, or call AWS APIs.",
209
- inputSchema: {
210
- accountId: z.string().trim().max(64).default(""),
211
- accountAlias: z.string().trim().max(256).default(""),
212
- roleName: z.string().trim().max(256).default(""),
213
- profile: z.string().trim().max(256).default(""),
214
- region: z.string().trim().max(64).default(DEFAULT_REGION),
215
- service: z.string().trim().max(64).default("sts"),
216
- resource: z.string().trim().max(2048).default(""),
217
- guideUrl: z.string().trim().url().max(2048).default(AWS_FEDERATED_ACCESS_GUIDE_URL)
218
- },
219
- async handler(input) {
220
- try {
221
- return ok(awsCustFederatedReadonlyPlan(input));
222
- } catch (error) {
223
- return fail(error);
224
- }
225
- }
226
- });
227
-
228
- export const __test = {
229
- AWS_FEDERATED_ACCESS_GUIDE_URL,
230
- READ_ONLY_SERVICES,
231
- normalizeInput,
232
- serviceCommands,
233
- awsCustFederatedReadonlyPlan
234
- };
@@ -1,167 +0,0 @@
1
- export const description = "Create a local-only GCP read-only CLI command pack; does not authenticate, read credentials, or call GCP APIs.";
2
-
3
- import { z } from "zod";
4
- import { defineReadOnlyTool, fail, ok } from "@nuvlore/extension-read-only-toolkit/devops-diagnostics";
5
-
6
- const DEFAULT_REGION = "us-west1";
7
- const READ_ONLY_SERVICES = new Set([
8
- "billing",
9
- "compute",
10
- "gke",
11
- "iam",
12
- "logging",
13
- "monitoring",
14
- "projects",
15
- "storage"
16
- ]);
17
-
18
- function normalizeText(value) {
19
- return typeof value === "string" ? value.trim() : "";
20
- }
21
-
22
- function shellQuote(value) {
23
- return `'${String(value).replaceAll("'", "'\\''")}'`;
24
- }
25
-
26
- function normalizeService(value) {
27
- const service = normalizeText(value || "projects").toLowerCase();
28
- if (!READ_ONLY_SERVICES.has(service)) {
29
- throw new Error(`Unsupported GCP read-only service: ${service}. Supported services: ${[...READ_ONLY_SERVICES].sort().join(", ")}.`);
30
- }
31
- return service;
32
- }
33
-
34
- function normalizeInput(input = {}) {
35
- return {
36
- projectId: normalizeText(input.projectId),
37
- account: normalizeText(input.account),
38
- region: normalizeText(input.region) || DEFAULT_REGION,
39
- zone: normalizeText(input.zone),
40
- service: normalizeService(input.service),
41
- resource: normalizeText(input.resource)
42
- };
43
- }
44
-
45
- function baseGcloud(input) {
46
- const project = input.projectId ? ` --project=${shellQuote(input.projectId)}` : "";
47
- const account = input.account ? ` --account=${shellQuote(input.account)}` : "";
48
- return `gcloud${project}${account}`;
49
- }
50
-
51
- function serviceCommands(input) {
52
- const gcloud = baseGcloud(input);
53
- const resource = input.resource;
54
- switch (input.service) {
55
- case "billing":
56
- return [
57
- `${gcloud} billing projects describe ${shellQuote(input.projectId || "PROJECT_ID")}`
58
- ];
59
- case "compute":
60
- return [
61
- `${gcloud} compute instances list`,
62
- resource ? `${gcloud} compute instances describe ${shellQuote(resource)}${input.zone ? ` --zone=${shellQuote(input.zone)}` : ""}` : `${gcloud} compute networks list`,
63
- `${gcloud} compute firewall-rules list`
64
- ];
65
- case "gke":
66
- return [
67
- `${gcloud} container clusters list`,
68
- resource ? `${gcloud} container clusters describe ${shellQuote(resource)}${input.region ? ` --region=${shellQuote(input.region)}` : ""}` : `${gcloud} container clusters list`
69
- ];
70
- case "iam":
71
- return [
72
- `${gcloud} projects get-iam-policy ${shellQuote(input.projectId || "PROJECT_ID")}`,
73
- `${gcloud} iam service-accounts list`
74
- ];
75
- case "logging":
76
- return [
77
- `${gcloud} logging sinks list`,
78
- `${gcloud} logging read ${shellQuote(resource || "timestamp >= \"$(date -u -v-1H +%Y-%m-%dT%H:%M:%SZ)\"")} --limit=50`
79
- ];
80
- case "monitoring":
81
- return [
82
- `${gcloud} monitoring policies list`,
83
- `${gcloud} monitoring uptime list-configs`
84
- ];
85
- case "storage":
86
- return [
87
- `gcloud storage buckets list${input.projectId ? ` --project=${shellQuote(input.projectId)}` : ""}`,
88
- resource ? `gcloud storage objects list ${shellQuote(resource)}` : "gcloud storage objects list gs://<bucket>"
89
- ];
90
- case "projects":
91
- default:
92
- return [
93
- `${gcloud} auth list`,
94
- `${gcloud} config list`,
95
- `${gcloud} projects describe ${shellQuote(input.projectId || "PROJECT_ID")}`
96
- ];
97
- }
98
- }
99
-
100
- function gcpReadonlyAccessPlan(input) {
101
- const normalized = normalizeInput(input);
102
- return JSON.stringify({
103
- mode: "atomic-helper",
104
- platform: "gcp",
105
- accessPattern: "readonly-cli",
106
- target: {
107
- projectId: normalized.projectId,
108
- account: normalized.account,
109
- region: normalized.region,
110
- zone: normalized.zone,
111
- service: normalized.service,
112
- resource: normalized.resource
113
- },
114
- credentialBoundary: [
115
- "Use an already-approved local gcloud identity; this tool does not run gcloud auth login or read credential files.",
116
- "Run auth list/config list first and verify the active account and project match incident evidence.",
117
- "Do not change active config, impersonation, IAM policy, project settings, buckets, clusters, instances, or logs."
118
- ],
119
- commands: {
120
- identity: [
121
- `${baseGcloud(normalized)} auth list`,
122
- `${baseGcloud(normalized)} config list`
123
- ],
124
- serviceReads: serviceCommands(normalized)
125
- },
126
- forbiddenActions: [
127
- "gcloud auth login",
128
- "gcloud config set",
129
- "gcloud projects set-iam-policy",
130
- "gcloud iam service-accounts keys create",
131
- "gcloud compute instances start",
132
- "gcloud compute instances stop",
133
- "gcloud container clusters update",
134
- "gcloud storage cp",
135
- "gcloud storage rm",
136
- "gcloud storage mv"
137
- ],
138
- remoteWrite: "not_executed"
139
- }, null, 2);
140
- }
141
-
142
- export default defineReadOnlyTool({
143
- name: "gcp_readonly_command_pack",
144
- description: "Create a local-only GCP read-only CLI command pack; does not authenticate, read credentials, or call GCP APIs.",
145
- inputSchema: {
146
- projectId: z.string().trim().max(256).default(""),
147
- account: z.string().trim().max(256).default(""),
148
- region: z.string().trim().max(64).default(DEFAULT_REGION),
149
- zone: z.string().trim().max(64).default(""),
150
- service: z.string().trim().max(64).default("projects"),
151
- resource: z.string().trim().max(2048).default("")
152
- },
153
- async handler(input) {
154
- try {
155
- return ok(gcpReadonlyAccessPlan(input));
156
- } catch (error) {
157
- return fail(error);
158
- }
159
- }
160
- });
161
-
162
- export const __test = {
163
- READ_ONLY_SERVICES,
164
- normalizeInput,
165
- serviceCommands,
166
- gcpReadonlyAccessPlan
167
- };
@@ -1,48 +0,0 @@
1
- export const description = "Return local public-cloud connection readiness status; does not authenticate or call cloud APIs.";
2
-
3
- import { z } from "zod";
4
- import { defineReadOnlyTool, fail, ok } from "@nuvlore/extension-read-only-toolkit/devops-diagnostics";
5
-
6
- function normalizeText(value) {
7
- return typeof value === "string" ? value.trim() : "";
8
- }
9
-
10
- export class PublicCloudConnectPlanService {
11
- invoke(input) {
12
- const platform = normalizeText(input.platform) || "unknown";
13
- return JSON.stringify({
14
- mode: "atomic-helper",
15
- platform,
16
- environment: normalizeText(input.environment),
17
- target: normalizeText(input.target),
18
- status: "connection_procedure_lives_in_skill",
19
- nextAtomicTool: platform === "aws" ? "aws_cust_federated_readonly_command_pack" : platform === "gcp" ? "gcp_readonly_command_pack" : "",
20
- remoteWrite: "not_executed"
21
- }, null, 2);
22
- }
23
- }
24
-
25
- const defaultService = new PublicCloudConnectPlanService();
26
-
27
- function publicCloudConnectPlan(input) {
28
- return defaultService.invoke(input);
29
- }
30
-
31
- export default defineReadOnlyTool({
32
- name: "public_cloud_access_status",
33
- description: "Return local public-cloud connection readiness status; does not authenticate or call cloud APIs.",
34
- inputSchema: {
35
- platform: z.string().trim().max(128).default(""),
36
- environment: z.string().trim().max(256).default(""),
37
- target: z.string().trim().max(1024).default("")
38
- },
39
- async handler(input) {
40
- try {
41
- return ok(publicCloudConnectPlan(input));
42
- } catch (error) {
43
- return fail(error);
44
- }
45
- }
46
- });
47
-
48
- export const __test = { PublicCloudConnectPlanService, publicCloudConnectPlan };