npm - @ouro.bot/cli - Versions diffs - 0.1.0-alpha.465 → 0.1.0-alpha.467 - Mend

@ouro.bot/cli 0.1.0-alpha.465 → 0.1.0-alpha.467

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/README.md +4 -0
package/changelog.json +16 -0
package/dist/heart/daemon/cli-exec.js +422 -76
package/dist/heart/daemon/cli-help.js +19 -4
package/dist/heart/daemon/cli-parse.js +180 -4
package/dist/heart/daemon/dns-workflow.js +365 -0
package/dist/heart/daemon/vault-items.js +56 -0
package/dist/heart/outlook/readers/mail.js +34 -1
package/dist/mailroom/attention.js +13 -0
package/dist/mailroom/core.js +27 -0
package/dist/mailroom/outbound.js +4 -0
package/dist/nerves/coverage/file-completeness.js +1 -1
package/dist/repertoire/tools-credential.js +37 -17
package/dist/repertoire/tools-mail.js +22 -1
package/dist/senses/mail.js +33 -25
package/package.json +1 -1
package/dist/heart/daemon/porkbun-ops.js +0 -25

package/dist/heart/daemon/cli-help.js CHANGED Viewed

@@ -212,9 +212,9 @@ exports.COMMAND_REGISTRY = {
     vault: {
         category: "Auth",
         description: "Create, replace, recover, unlock, inspect, and populate the agent credential vault",
-        usage: "ouro vault <create|replace|recover|unlock|status|config|ops> [--agent <name>]",
+        usage: "ouro vault <create|replace|recover|unlock|status|config|item|ops> [--agent <name>]",
         example: "ouro vault status",
-        subcommands: ["create", "replace", "recover", "unlock", "status", "config set", "config status", "ops porkbun set", "ops porkbun status"],
+        subcommands: ["create", "replace", "recover", "unlock", "status", "config set", "config status", "vault item set", "vault item status", "vault item list", "vault ops porkbun set", "vault ops porkbun status"],
     },
     thoughts: {
         category: "Internal",
@@ -366,13 +366,28 @@ const SUBCOMMAND_HELP = {
         usage: "ouro vault config status [--agent <name>] [--scope agent|machine|all]",
         example: "ouro vault config status --scope all",
     },
+    "vault item set": {
+        description: "Store an ordinary vault item / credential with no assumed use. Prompts for hidden secret fields, stores optional public fields and notes, and secret values are not printed.",
+        usage: "ouro vault item set [--agent <name>] --item <path> (--secret-field <name>...|--template <template>) [--public-field <key=value>] [--note <text>]",
+        example: "ouro vault item set --agent slugger --item ops/porkbun/ari@mendelow.me --template porkbun-api",
+    },
+    "vault item status": {
+        description: "Show metadata for an ordinary vault item without printing secret values",
+        usage: "ouro vault item status [--agent <name>] --item <path>",
+        example: "ouro vault item status --agent slugger --item ops/porkbun/ari@mendelow.me",
+    },
+    "vault item list": {
+        description: "List ordinary vault item names and metadata without printing secret values",
+        usage: "ouro vault item list [--agent <name>] [--prefix <path-prefix>]",
+        example: "ouro vault item list --agent slugger --prefix ops/",
+    },
     "vault ops porkbun set": {
-        description: "Store account-scoped Porkbun API credentials as an ops vault item, outside connect/runtime config",
+        description: "deprecated compatibility alias for `ouro vault item set --template porkbun-api`; stores an ordinary vault item, not a special credential kind",
         usage: "ouro vault ops porkbun set [--agent <name>] --account <account>",
         example: "ouro vault ops porkbun set --agent slugger --account ari@mendelow.me",
     },
     "vault ops porkbun status": {
-        description: "Check whether Porkbun ops credentials are present without printing secret values",
+        description: "deprecated compatibility alias for checking the ordinary vault item used by the Porkbun API template",
         usage: "ouro vault ops porkbun status [--agent <name>] [--account <account>]",
         example: "ouro vault ops porkbun status --agent slugger --account ari@mendelow.me",
     },

package/dist/heart/daemon/cli-parse.js CHANGED Viewed

@@ -16,7 +16,7 @@ exports.parseMcpServeCommand = parseMcpServeCommand;
 exports.parseOuroCommand = parseOuroCommand;
 const types_1 = require("../../mind/friends/types");
 const cli_help_1 = require("./cli-help");
-const porkbun_ops_1 = require("./porkbun-ops");
+const vault_items_1 = require("./vault-items");
 // ── Shared helpers ──
 function extractAgentFlag(args) {
     const idx = args.indexOf("--agent");
@@ -96,8 +96,12 @@ function usage() {
         "  ouro vault status [--agent <name>] [--store auto|macos-keychain|windows-dpapi|linux-secret-service|plaintext-file]",
         "  ouro vault config set [--agent <name>] --key <path> [--value <value>] [--scope agent|machine]",
         "  ouro vault config status [--agent <name>] [--scope agent|machine|all]",
+        "  ouro vault item set [--agent <name>] --item <path> --secret-field <name> [--public-field <key=value>] [--note <text>]",
+        "  ouro vault item status [--agent <name>] --item <path>",
+        "  ouro vault item list [--agent <name>] [--prefix <path-prefix>]",
         "  ouro vault ops porkbun set [--agent <name>] --account <account>",
         "  ouro vault ops porkbun status [--agent <name>] [--account <account>]",
+        "  ouro dns backup|plan|apply|verify|rollback|certificate [--agent <name>] --binding <path> [--output <path>] [--backup <path>] [--yes]",
         "  ouro chat <agent>",
         "  ouro msg --to <agent> [--session <id>] [--task <ref>] <message>",
         "  ouro poke <agent> --task <task-id>",
@@ -461,6 +465,8 @@ function parseVaultCommand(args) {
     const sub = args[0];
     if (sub === "config")
         return parseVaultConfigCommand(args.slice(1));
+    if (sub === "item")
+        return parseVaultItemCommand(args.slice(1));
     if (sub === "ops")
         return parseVaultOpsCommand(args.slice(1));
     const { agent, rest } = extractAgentFlag(args.slice(1));
@@ -549,6 +555,87 @@ function parseVaultCommand(args) {
     }
     return { kind: "vault.status", ...(agent ? { agent } : {}), ...(store ? { store } : {}) };
 }
+function parseVaultItemCommand(args) {
+    const action = args[0];
+    if (action !== "set" && action !== "status" && action !== "list") {
+        throw new Error("Usage: ouro vault item set|status|list [--agent <name>] --item <path>");
+    }
+    const { agent, rest } = extractAgentFlag(args.slice(1));
+    let item;
+    let prefix;
+    let template;
+    let note;
+    const secretFields = [];
+    const publicFields = [];
+    for (let i = 0; i < rest.length; i += 1) {
+        const token = rest[i];
+        if (token === "--item") {
+            item = (0, vault_items_1.normalizeVaultItemName)(rest[i + 1]);
+            i += 1;
+            continue;
+        }
+        if (token === "--prefix") {
+            const value = rest[i + 1]?.trim() ?? "";
+            if (!value || /[\r\n\t]/.test(value) || value.startsWith("/")) {
+                throw new Error("Vault item prefix must be non-empty, relative, and free of control characters.");
+            }
+            prefix = value;
+            i += 1;
+            continue;
+        }
+        if (token === "--template") {
+            const value = rest[i + 1];
+            if (!(0, vault_items_1.isVaultItemTemplate)(value)) {
+                throw new Error("vault item --template must be porkbun-api");
+            }
+            template = value;
+            i += 1;
+            continue;
+        }
+        if (token === "--secret-field") {
+            secretFields.push((0, vault_items_1.normalizeVaultItemFieldName)(rest[i + 1]));
+            i += 1;
+            continue;
+        }
+        if (token === "--public-field") {
+            const value = rest[i + 1]?.trim() ?? "";
+            const separator = value.indexOf("=");
+            if (separator <= 0 || separator === value.length - 1) {
+                throw new Error("vault item --public-field must be key=value");
+            }
+            (0, vault_items_1.normalizeVaultItemFieldName)(value.slice(0, separator));
+            publicFields.push(value);
+            i += 1;
+            continue;
+        }
+        if (token === "--note") {
+            note = rest[i + 1] ?? "";
+            i += 1;
+            continue;
+        }
+        throw new Error(`Usage: ouro vault item ${action} [--agent <name>] --item <path>`);
+    }
+    if (action === "list") {
+        return { kind: "vault.item.list", ...(agent ? { agent } : {}), ...(prefix ? { prefix } : {}) };
+    }
+    if (!item)
+        throw new Error(`Usage: ouro vault item ${action} [--agent <name>] --item <path>`);
+    if (action === "status") {
+        return { kind: "vault.item.status", ...(agent ? { agent } : {}), item };
+    }
+    if (!template && secretFields.length === 0) {
+        throw new Error("ouro vault item set requires --secret-field or --template");
+    }
+    return {
+        kind: "vault.item.set",
+        ...(agent ? { agent } : {}),
+        item,
+        ...(template ? { template } : {}),
+        ...(secretFields.length > 0 ? { secretFields } : {}),
+        ...(publicFields.length > 0 ? { publicFields } : {}),
+        ...(note !== undefined ? { note } : {}),
+    };
+}
 function parseVaultOpsCommand(args) {
     const provider = args[0];
     const action = args[1];
@@ -563,7 +650,7 @@ function parseVaultOpsCommand(args) {
     for (let i = 0; i < rest.length; i += 1) {
         const token = rest[i];
         if (token === "--account") {
-            account = (0, porkbun_ops_1.normalizePorkbunOpsAccount)(rest[i + 1]);
+            account = (0, vault_items_1.normalizePorkbunOpsAccount)(rest[i + 1]);
             i += 1;
             continue;
         }
@@ -572,9 +659,96 @@ function parseVaultOpsCommand(args) {
     if (action === "set") {
         if (!account)
             throw new Error("Usage: ouro vault ops porkbun set [--agent <name>] --account <account>");
-        return { kind: "vault.ops.porkbun.set", ...(agent ? { agent } : {}), account };
+        return {
+            kind: "vault.item.set",
+            ...(agent ? { agent } : {}),
+            item: (0, vault_items_1.porkbunOpsCredentialItemName)(account),
+            template: "porkbun-api",
+            compatibilityAlias: vault_items_1.PORKBUN_OPS_COMPATIBILITY_ALIAS,
+        };
+    }
+    if (account) {
+        return {
+            kind: "vault.item.status",
+            ...(agent ? { agent } : {}),
+            item: (0, vault_items_1.porkbunOpsCredentialItemName)(account),
+            compatibilityAlias: vault_items_1.PORKBUN_OPS_COMPATIBILITY_ALIAS,
+        };
+    }
+    return {
+        kind: "vault.item.list",
+        ...(agent ? { agent } : {}),
+        prefix: vault_items_1.PORKBUN_OPS_CREDENTIAL_PREFIX,
+        compatibilityAlias: vault_items_1.PORKBUN_OPS_COMPATIBILITY_ALIAS,
+    };
+}
+function isDnsWorkflowAction(value) {
+    return value === "backup" || value === "plan" || value === "apply" || value === "verify" || value === "rollback" || value === "certificate";
+}
+function normalizeWorkflowPath(value, label) {
+    const trimmed = value?.trim() ?? "";
+    if (!trimmed || /[\r\n\t]/.test(trimmed)) {
+        throw new Error(`${label} must be a non-empty path without control characters.`);
     }
-    return { kind: "vault.ops.porkbun.status", ...(agent ? { agent } : {}), ...(account ? { account } : {}) };
+    return trimmed;
+}
+function parseDnsCommand(args) {
+    const action = args[0];
+    if (!isDnsWorkflowAction(action)) {
+        throw new Error("Usage: ouro dns backup|plan|apply|verify|rollback|certificate [--agent <name>] --binding <path>");
+    }
+    const { agent, rest } = extractAgentFlag(args.slice(1));
+    let bindingPath;
+    let outputPath;
+    let backupPath;
+    let yes = false;
+    for (let i = 0; i < rest.length; i += 1) {
+        const token = rest[i];
+        if (token === "--binding") {
+            bindingPath = normalizeWorkflowPath(rest[i + 1], "dns --binding");
+            i += 1;
+            continue;
+        }
+        if (token === "--output") {
+            outputPath = normalizeWorkflowPath(rest[i + 1], "dns --output");
+            i += 1;
+            continue;
+        }
+        if (token === "--backup") {
+            backupPath = normalizeWorkflowPath(rest[i + 1], "dns --backup");
+            i += 1;
+            continue;
+        }
+        if (token === "--yes") {
+            yes = true;
+            continue;
+        }
+        if (token === "--credential-item") {
+            throw new Error("credential item belongs in the DNS workflow binding");
+        }
+        throw new Error(`Usage: ouro dns ${action} [--agent <name>] --binding <path>`);
+    }
+    if (!bindingPath) {
+        throw new Error(`Usage: ouro dns ${action} [--agent <name>] --binding <path>`);
+    }
+    if (action === "apply" && !yes) {
+        throw new Error("dns apply requires --yes after a reviewed dry-run");
+    }
+    if (action === "rollback") {
+        if (!backupPath)
+            throw new Error("dns rollback requires --backup <path>");
+        if (!yes)
+            throw new Error("dns rollback requires --yes after choosing a backup");
+    }
+    return {
+        kind: "dns.workflow",
+        action,
+        ...(agent ? { agent } : {}),
+        bindingPath,
+        ...(outputPath ? { outputPath } : {}),
+        ...(backupPath ? { backupPath } : {}),
+        ...(yes ? { yes: true } : {}),
+    };
 }
 function parseVaultConfigCommand(args) {
     const sub = args[0];
@@ -1225,6 +1399,8 @@ function parseOuroCommand(args) {
         return parseProviderCommand(args.slice(1));
     if (head === "mail")
         return parseMailCommand(args.slice(1));
+    if (head === "dns")
+        return parseDnsCommand(args.slice(1));
     if (head === "logs") {
         if (second === "prune")
             return { kind: "daemon.logs.prune" };

package/dist/heart/daemon/dns-workflow.js ADDED Viewed

@@ -0,0 +1,365 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadDnsWorkflowBinding = loadDnsWorkflowBinding;
+exports.resolveDnsWorkflowSecrets = resolveDnsWorkflowSecrets;
+exports.createPorkbunDnsDriver = createPorkbunDnsDriver;
+exports.planDnsWorkflow = planDnsWorkflow;
+exports.planDnsRollback = planDnsRollback;
+exports.applyDnsWorkflowPlan = applyDnsWorkflowPlan;
+exports.redactDnsWorkflowArtifact = redactDnsWorkflowArtifact;
+const runtime_1 = require("../../nerves/runtime");
+function isRecordType(value) {
+    return value === "A" || value === "AAAA" || value === "CNAME" || value === "MX" || value === "TXT";
+}
+function requireString(value, label) {
+    if (typeof value !== "string" || value.trim() === "")
+        throw new Error(`${label} is required`);
+    return value.trim();
+}
+function requireRecordType(value, label) {
+    if (!isRecordType(value))
+        throw new Error(`${label} must be A, AAAA, CNAME, MX, or TXT`);
+    return value;
+}
+function parseCertificateSource(value) {
+    if (value === undefined || value === "porkbun-ssl")
+        return "porkbun-ssl";
+    if (value === "acme-dns-01")
+        return "acme-dns-01";
+    throw new Error("certificate.source must be porkbun-ssl or acme-dns-01");
+}
+function recordKey(record) {
+    return `${record.type}:${record.name}`;
+}
+function parseRecord(input, label) {
+    const value = input;
+    const record = {
+        ...(typeof value.id === "string" ? { id: value.id } : {}),
+        type: requireRecordType(value.type, `${label}.type`),
+        name: requireString(value.name, `${label}.name`),
+        content: requireString(value.content, `${label}.content`),
+        ...(typeof value.ttl === "number" ? { ttl: value.ttl } : {}),
+        ...(typeof value.priority === "number" ? { priority: value.priority } : {}),
+    };
+    return record;
+}
+function parseResourceRecord(input, label) {
+    const value = input;
+    return {
+        type: requireRecordType(value.type, `${label}.type`),
+        name: requireString(value.name, `${label}.name`),
+    };
+}
+function assertNoCredentialOntology(input) {
+    if ("credentialItemNoteQuery" in input || "noteQuery" in input || "notes" in input) {
+        throw new Error("notes are not machine contracts");
+    }
+    if ("authority" in input || "kind" in input) {
+        throw new Error("workflow binding must not give a vault item assumed use");
+    }
+}
+function loadDnsWorkflowBinding(input) {
+    if (!input || typeof input !== "object")
+        throw new Error("DNS workflow binding must be an object");
+    const value = input;
+    assertNoCredentialOntology(value);
+    if (value.workflow !== "dns")
+        throw new Error("DNS workflow binding must set workflow to dns");
+    if (value.driver !== "porkbun")
+        throw new Error("DNS workflow binding driver must be porkbun");
+    const resources = value.resources;
+    const desired = value.desired;
+    if (!Array.isArray(resources?.records) || resources.records.length === 0) {
+        throw new Error("DNS workflow binding requires a resource allowlist");
+    }
+    if (!Array.isArray(desired?.records))
+        throw new Error("DNS workflow binding requires desired records");
+    const certificate = value.certificate;
+    return {
+        workflow: "dns",
+        domain: requireString(value.domain, "domain"),
+        driver: "porkbun",
+        credentialItem: requireString(value.credentialItem, "credentialItem"),
+        resources: {
+            records: resources.records.map((record, index) => parseResourceRecord(record, `resources.records[${index}]`)),
+        },
+        desired: {
+            records: desired.records.map((record, index) => parseRecord(record, `desired.records[${index}]`)),
+        },
+        ...(certificate ? {
+            certificate: {
+                host: requireString(certificate.host, "certificate.host"),
+                source: parseCertificateSource(certificate.source),
+                storeItem: requireString(certificate.storeItem, "certificate.storeItem"),
+                ...(certificate.acmeChallengeRecord
+                    ? {
+                        acmeChallengeRecord: parseResourceRecord(certificate.acmeChallengeRecord, "certificate.acmeChallengeRecord"),
+                    }
+                    : {}),
+            },
+        } : {}),
+    };
+}
+async function resolveDnsWorkflowSecrets(binding, reader) {
+    return {
+        apiKey: await reader.readSecretField(binding.credentialItem, "apiKey"),
+        secretApiKey: await reader.readSecretField(binding.credentialItem, "secretApiKey"),
+    };
+}
+async function readPorkbunJson(response) {
+    const payload = await response.json();
+    if (!response.ok || payload.status === "ERROR") {
+        throw new Error(payload.message ?? `Porkbun request failed with status ${response.status}`);
+    }
+    return payload;
+}
+function porkbunHeaders(secrets) {
+    return {
+        "X-API-Key": secrets.apiKey,
+        "X-Secret-API-Key": secrets.secretApiKey,
+    };
+}
+function porkbunRecordBody(record) {
+    return {
+        type: record.type,
+        name: record.name === "@" ? "" : record.name,
+        content: record.content,
+        ttl: record.ttl ?? 600,
+        prio: record.priority ?? 0,
+    };
+}
+function normalizePorkbunRecordName(domain, name) {
+    const suffix = `.${domain}`;
+    if (name === domain)
+        return "@";
+    if (name.endsWith(suffix))
+        return name.slice(0, -suffix.length);
+    return name;
+}
+function normalizePorkbunNumber(value) {
+    const parsed = value === null || value === undefined || value === "" ? Number.NaN : Number(value);
+    return Number.isFinite(parsed) ? parsed : undefined;
+}
+function normalizePorkbunRecord(domain, input) {
+    const value = input;
+    const ttl = normalizePorkbunNumber(value.ttl);
+    const priority = normalizePorkbunNumber(value.priority ?? value.prio);
+    return {
+        ...(typeof value.id === "string" ? { id: value.id } : {}),
+        type: requireString(value.type, "provider record type"),
+        name: normalizePorkbunRecordName(domain, requireString(value.name, "provider record name")),
+        content: requireString(value.content, "provider record content"),
+        ...(ttl === undefined ? {} : { ttl }),
+        ...(priority === undefined ? {} : { priority }),
+    };
+}
+async function emitPorkbunRequest(input) {
+    (0, runtime_1.emitNervesEvent)({
+        event: "daemon.dns_provider_request_start",
+        component: "daemon",
+        message: `DNS provider ${input.method} ${input.path} started`,
+        meta: {
+            driver: "porkbun",
+            method: input.method,
+            path: input.path,
+        },
+    });
+    try {
+        const result = await input.execute();
+        (0, runtime_1.emitNervesEvent)({
+            event: "daemon.dns_provider_request_end",
+            component: "daemon",
+            message: `DNS provider ${input.method} ${input.path} completed`,
+            meta: {
+                driver: "porkbun",
+                method: input.method,
+                path: input.path,
+            },
+        });
+        return result;
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            event: "daemon.dns_provider_request_error",
+            component: "daemon",
+            message: `DNS provider ${input.method} ${input.path} failed`,
+            meta: {
+                driver: "porkbun",
+                method: input.method,
+                path: input.path,
+                error: String(error),
+            },
+        });
+        throw error;
+    }
+}
+function createPorkbunDnsDriver(options) {
+    const baseUrl = (options.baseUrl ?? "https://api.porkbun.com/api/json/v3").replace(/\/+$/, "");
+    const readOnly = async (path, secrets) => {
+        return emitPorkbunRequest({
+            method: "GET",
+            path,
+            execute: async () => readPorkbunJson(await options.fetchImpl(`${baseUrl}${path}`, {
+                method: "GET",
+                headers: porkbunHeaders(secrets),
+            })),
+        });
+    };
+    const mutate = async (path, secrets, body = {}) => {
+        return emitPorkbunRequest({
+            method: "POST",
+            path,
+            execute: async () => readPorkbunJson(await options.fetchImpl(`${baseUrl}${path}`, {
+                method: "POST",
+                headers: {
+                    ...porkbunHeaders(secrets),
+                    "Content-Type": "application/json",
+                },
+                body: JSON.stringify(body),
+            })),
+        });
+    };
+    return {
+        async ping(secrets) {
+            const payload = await readOnly("/ping", secrets);
+            return { credentialsValid: payload.credentialsValid === true };
+        },
+        async retrieveRecords({ domain, secrets }) {
+            const payload = await readOnly(`/dns/retrieve/${encodeURIComponent(domain)}`, secrets);
+            return (payload.records ?? []).map((record) => normalizePorkbunRecord(domain, record));
+        },
+        async retrieveCertificate({ domain, secrets }) {
+            const payload = await readOnly(`/ssl/retrieve/${encodeURIComponent(domain)}`, secrets);
+            return {
+                certificatechain: requireString(payload.certificatechain, "certificatechain"),
+                publickey: requireString(payload.publickey, "publickey"),
+                privatekey: requireString(payload.privatekey, "privatekey"),
+            };
+        },
+        async createRecord({ domain, secrets, record }) {
+            const payload = await mutate(`/dns/create/${encodeURIComponent(domain)}`, secrets, porkbunRecordBody(record));
+            return typeof payload.id === "string" ? { id: payload.id } : {};
+        },
+        async editRecord({ domain, secrets, id, record }) {
+            await mutate(`/dns/edit/${encodeURIComponent(domain)}/${encodeURIComponent(id)}`, secrets, porkbunRecordBody(record));
+        },
+        async deleteRecord({ domain, secrets, id }) {
+            await mutate(`/dns/delete/${encodeURIComponent(domain)}/${encodeURIComponent(id)}`, secrets);
+        },
+    };
+}
+function assertDesiredRecordsAllowed(binding) {
+    const allowed = new Set(binding.resources.records.map(recordKey));
+    for (const desired of binding.desired.records) {
+        if (!allowed.has(recordKey(desired)))
+            throw new Error("desired DNS record is outside DNS workflow allowlist");
+    }
+}
+function recordsEqual(left, right) {
+    const priorityEqual = left.type === "MX"
+        ? (left.priority ?? 0) === (right.priority ?? 0)
+        : true;
+    return left.type === right.type &&
+        left.name === right.name &&
+        left.content === right.content &&
+        left.ttl === right.ttl &&
+        priorityEqual;
+}
+function planDnsWorkflow(input) {
+    assertDesiredRecordsAllowed(input.binding);
+    const allowedKeys = new Set(input.binding.resources.records.map(recordKey));
+    const desiredKeys = new Set(input.binding.desired.records.map(recordKey));
+    const changes = [];
+    for (const desired of input.binding.desired.records) {
+        const current = input.currentRecords.find((record) => recordKey(record) === recordKey(desired));
+        if (!current) {
+            changes.push({ action: "create", record: desired, reason: "desired record is missing" });
+        }
+        else if (!recordsEqual(current, desired)) {
+            changes.push({ action: "update", record: desired, currentRecord: current, reason: "desired record differs from current provider record" });
+        }
+    }
+    if (input.deleteExtraAllowedRecords) {
+        for (const current of input.currentRecords) {
+            if (allowedKeys.has(recordKey(current)) && !desiredKeys.has(recordKey(current))) {
+                changes.push({ action: "delete", record: current, currentRecord: current, reason: "allowlisted record is absent from rollback backup" });
+            }
+        }
+    }
+    const preservedRecords = input.currentRecords.filter((record) => !desiredKeys.has(recordKey(record)));
+    return {
+        backup: { domain: input.binding.domain, records: input.currentRecords },
+        changes,
+        preservedRecords,
+        certificateActions: input.binding.certificate
+            ? [{
+                    action: "retrieve-and-store",
+                    host: input.binding.certificate.host,
+                    secretItem: input.binding.certificate.storeItem,
+                }]
+            : [],
+    };
+}
+function planDnsRollback(input) {
+    const allowedKeys = new Set(input.binding.resources.records.map(recordKey));
+    const rollbackBinding = {
+        ...input.binding,
+        desired: {
+            records: input.backupRecords.filter((record) => allowedKeys.has(recordKey(record))),
+        },
+    };
+    return planDnsWorkflow({
+        binding: rollbackBinding,
+        currentRecords: input.currentRecords,
+        deleteExtraAllowedRecords: true,
+    });
+}
+async function applyDnsWorkflowPlan(input) {
+    const applied = [];
+    for (const change of input.plan.changes) {
+        if (change.action === "create") {
+            const result = await input.driver.createRecord({ domain: input.domain, secrets: input.secrets, record: change.record });
+            applied.push({ action: "create", record: change.record, ...(result.id ? { id: result.id } : {}) });
+            continue;
+        }
+        const id = change.currentRecord?.id ?? change.record.id;
+        if (!id)
+            throw new Error(`cannot ${change.action} ${change.record.type} ${change.record.name} without provider record id`);
+        if (change.action === "update") {
+            await input.driver.editRecord({ domain: input.domain, secrets: input.secrets, id, record: change.record });
+            applied.push({ action: "update", record: change.record, id });
+            continue;
+        }
+        await input.driver.deleteRecord({ domain: input.domain, secrets: input.secrets, id });
+        applied.push({ action: "delete", record: change.record, id });
+    }
+    return applied;
+}
+function redactedValueForKey(key, value) {
+    const normalized = key.toLowerCase();
+    if (normalized === "apikey" || normalized === "secretapikey" || normalized === "x-api-key" || normalized === "x-secret-api-key") {
+        return "[redacted]";
+    }
+    if (normalized === "privatekey" || normalized === "privatekeypem" || normalized === "privatekeypath") {
+        return "[redacted]";
+    }
+    if (typeof value === "string" && value.includes("BEGIN PRIVATE KEY")) {
+        return "[redacted]";
+    }
+    return undefined;
+}
+function redactDnsWorkflowArtifact(input) {
+    if (Array.isArray(input))
+        return input.map((item) => redactDnsWorkflowArtifact(item));
+    if (input && typeof input === "object") {
+        const output = {};
+        for (const [key, value] of Object.entries(input)) {
+            output[key] = redactedValueForKey(key, value) ?? redactDnsWorkflowArtifact(value);
+        }
+        return output;
+    }
+    if (typeof input === "string" && input.includes("BEGIN PRIVATE KEY"))
+        return "[redacted]";
+    return input;
+}