@ouro.bot/cli 0.1.0-alpha.51 → 0.1.0-alpha.511

package/dist/heart/daemon/dns-workflow.js

@@ -0,0 +1,394 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadDnsWorkflowBinding = loadDnsWorkflowBinding;
+exports.resolveDnsWorkflowSecrets = resolveDnsWorkflowSecrets;
+exports.createPorkbunDnsDriver = createPorkbunDnsDriver;
+exports.planDnsWorkflow = planDnsWorkflow;
+exports.planDnsRollback = planDnsRollback;
+exports.applyDnsWorkflowPlan = applyDnsWorkflowPlan;
+exports.redactDnsWorkflowArtifact = redactDnsWorkflowArtifact;
+const runtime_1 = require("../../nerves/runtime");
+function isRecordType(value) {
+    return value === "A" || value === "AAAA" || value === "CNAME" || value === "MX" || value === "TXT";
+}
+function requireString(value, label) {
+    if (typeof value !== "string" || value.trim() === "")
+        throw new Error(`${label} is required`);
+    return value.trim();
+}
+function requireRecordType(value, label) {
+    if (!isRecordType(value))
+        throw new Error(`${label} must be A, AAAA, CNAME, MX, or TXT`);
+    return value;
+}
+function parseCertificateSource(value) {
+    if (value === undefined || value === "porkbun-ssl")
+        return "porkbun-ssl";
+    if (value === "acme-dns-01")
+        return "acme-dns-01";
+    throw new Error("certificate.source must be porkbun-ssl or acme-dns-01");
+}
+function recordKey(record) {
+    return `${record.type}:${record.name}`;
+}
+function parseRecord(input, label) {
+    const value = input;
+    const record = {
+        ...(typeof value.id === "string" ? { id: value.id } : {}),
+        type: requireRecordType(value.type, `${label}.type`),
+        name: requireString(value.name, `${label}.name`),
+        content: requireString(value.content, `${label}.content`),
+        ...(typeof value.ttl === "number" ? { ttl: value.ttl } : {}),
+        ...(typeof value.priority === "number" ? { priority: value.priority } : {}),
+    };
+    return record;
+}
+function parseResourceRecord(input, label) {
+    const value = input;
+    return {
+        type: requireRecordType(value.type, `${label}.type`),
+        name: requireString(value.name, `${label}.name`),
+    };
+}
+function assertNoCredentialOntology(input) {
+    if ("credentialItemNoteQuery" in input || "noteQuery" in input || "notes" in input) {
+        throw new Error("notes are not machine contracts");
+    }
+    if ("authority" in input || "kind" in input) {
+        throw new Error("workflow binding must not give a vault item assumed use");
+    }
+}
+function loadDnsWorkflowBinding(input) {
+    if (!input || typeof input !== "object")
+        throw new Error("DNS workflow binding must be an object");
+    const value = input;
+    assertNoCredentialOntology(value);
+    if (value.workflow !== "dns")
+        throw new Error("DNS workflow binding must set workflow to dns");
+    if (value.driver !== "porkbun")
+        throw new Error("DNS workflow binding driver must be porkbun");
+    const resources = value.resources;
+    const desired = value.desired;
+    if (!Array.isArray(resources?.records) || resources.records.length === 0) {
+        throw new Error("DNS workflow binding requires a resource allowlist");
+    }
+    if (!Array.isArray(desired?.records))
+        throw new Error("DNS workflow binding requires desired records");
+    const certificate = value.certificate;
+    return {
+        workflow: "dns",
+        domain: requireString(value.domain, "domain"),
+        driver: "porkbun",
+        credentialItem: requireString(value.credentialItem, "credentialItem"),
+        resources: {
+            records: resources.records.map((record, index) => parseResourceRecord(record, `resources.records[${index}]`)),
+        },
+        desired: {
+            records: desired.records.map((record, index) => parseRecord(record, `desired.records[${index}]`)),
+        },
+        ...(certificate ? {
+            certificate: {
+                host: requireString(certificate.host, "certificate.host"),
+                source: parseCertificateSource(certificate.source),
+                storeItem: requireString(certificate.storeItem, "certificate.storeItem"),
+                ...(certificate.acmeChallengeRecord
+                    ? {
+                        acmeChallengeRecord: parseResourceRecord(certificate.acmeChallengeRecord, "certificate.acmeChallengeRecord"),
+                    }
+                    : {}),
+            },
+        } : {}),
+    };
+}
+async function resolveDnsWorkflowSecrets(binding, reader) {
+    return {
+        apiKey: await reader.readSecretField(binding.credentialItem, "apiKey"),
+        secretApiKey: await reader.readSecretField(binding.credentialItem, "secretApiKey"),
+    };
+}
+async function readPorkbunJson(response) {
+    const payload = await response.json();
+    if (!response.ok || payload.status === "ERROR") {
+        throw new Error(payload.message ?? `Porkbun request failed with status ${response.status}`);
+    }
+    return payload;
+}
+function porkbunHeaders(secrets) {
+    return {
+        "X-API-Key": secrets.apiKey,
+        "X-Secret-API-Key": secrets.secretApiKey,
+    };
+}
+function porkbunRecordBody(record) {
+    return {
+        type: record.type,
+        name: record.name === "@" ? "" : record.name,
+        content: record.content,
+        ttl: record.ttl ?? 600,
+        prio: record.priority ?? 0,
+    };
+}
+function normalizePorkbunRecordName(domain, name) {
+    const suffix = `.${domain}`;
+    if (name === domain)
+        return "@";
+    if (name.endsWith(suffix))
+        return name.slice(0, -suffix.length);
+    return name;
+}
+function normalizePorkbunNumber(value) {
+    const parsed = value === null || value === undefined || value === "" ? Number.NaN : Number(value);
+    return Number.isFinite(parsed) ? parsed : undefined;
+}
+function normalizePorkbunRecord(domain, input) {
+    const value = input;
+    const ttl = normalizePorkbunNumber(value.ttl);
+    const priority = normalizePorkbunNumber(value.priority ?? value.prio);
+    return {
+        ...(typeof value.id === "string" ? { id: value.id } : {}),
+        type: requireString(value.type, "provider record type"),
+        name: normalizePorkbunRecordName(domain, requireString(value.name, "provider record name")),
+        content: requireString(value.content, "provider record content"),
+        ...(ttl === undefined ? {} : { ttl }),
+        ...(priority === undefined ? {} : { priority }),
+    };
+}
+async function emitPorkbunRequest(input) {
+    (0, runtime_1.emitNervesEvent)({
+        event: "daemon.dns_provider_request_start",
+        component: "daemon",
+        message: `DNS provider ${input.method} ${input.path} started`,
+        meta: {
+            driver: "porkbun",
+            method: input.method,
+            path: input.path,
+        },
+    });
+    try {
+        const result = await input.execute();
+        (0, runtime_1.emitNervesEvent)({
+            event: "daemon.dns_provider_request_end",
+            component: "daemon",
+            message: `DNS provider ${input.method} ${input.path} completed`,
+            meta: {
+                driver: "porkbun",
+                method: input.method,
+                path: input.path,
+            },
+        });
+        return result;
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "error",
+            event: "daemon.dns_provider_request_error",
+            component: "daemon",
+            message: `DNS provider ${input.method} ${input.path} failed`,
+            meta: {
+                driver: "porkbun",
+                method: input.method,
+                path: input.path,
+                error: String(error),
+            },
+        });
+        throw error;
+    }
+}
+function createPorkbunDnsDriver(options) {
+    const baseUrl = (options.baseUrl ?? "https://api.porkbun.com/api/json/v3").replace(/\/+$/, "");
+    const readOnly = async (path, secrets) => {
+        return emitPorkbunRequest({
+            method: "GET",
+            path,
+            execute: async () => readPorkbunJson(await options.fetchImpl(`${baseUrl}${path}`, {
+                method: "GET",
+                headers: porkbunHeaders(secrets),
+            })),
+        });
+    };
+    const mutate = async (path, secrets, body = {}) => {
+        return emitPorkbunRequest({
+            method: "POST",
+            path,
+            execute: async () => readPorkbunJson(await options.fetchImpl(`${baseUrl}${path}`, {
+                method: "POST",
+                headers: {
+                    ...porkbunHeaders(secrets),
+                    "Content-Type": "application/json",
+                },
+                body: JSON.stringify(body),
+            })),
+        });
+    };
+    return {
+        async ping(secrets) {
+            const payload = await readOnly("/ping", secrets);
+            return { credentialsValid: payload.credentialsValid === true };
+        },
+        async retrieveRecords({ domain, secrets }) {
+            const payload = await readOnly(`/dns/retrieve/${encodeURIComponent(domain)}`, secrets);
+            return (payload.records ?? []).map((record) => normalizePorkbunRecord(domain, record));
+        },
+        async retrieveCertificate({ domain, secrets }) {
+            const payload = await readOnly(`/ssl/retrieve/${encodeURIComponent(domain)}`, secrets);
+            return {
+                certificatechain: requireString(payload.certificatechain, "certificatechain"),
+                publickey: requireString(payload.publickey, "publickey"),
+                privatekey: requireString(payload.privatekey, "privatekey"),
+            };
+        },
+        async createRecord({ domain, secrets, record }) {
+            const payload = await mutate(`/dns/create/${encodeURIComponent(domain)}`, secrets, porkbunRecordBody(record));
+            return typeof payload.id === "string" ? { id: payload.id } : {};
+        },
+        async editRecord({ domain, secrets, id, record }) {
+            await mutate(`/dns/edit/${encodeURIComponent(domain)}/${encodeURIComponent(id)}`, secrets, porkbunRecordBody(record));
+        },
+        async deleteRecord({ domain, secrets, id }) {
+            await mutate(`/dns/delete/${encodeURIComponent(domain)}/${encodeURIComponent(id)}`, secrets);
+        },
+    };
+}
+function assertDesiredRecordsAllowed(binding) {
+    const allowed = new Set(binding.resources.records.map(recordKey));
+    for (const desired of binding.desired.records) {
+        if (!allowed.has(recordKey(desired)))
+            throw new Error("desired DNS record is outside DNS workflow allowlist");
+    }
+}
+function recordsEqual(left, right) {
+    const priorityEqual = left.type === "MX"
+        ? (left.priority ?? 0) === (right.priority ?? 0)
+        : true;
+    return left.type === right.type &&
+        left.name === right.name &&
+        left.content === right.content &&
+        left.ttl === right.ttl &&
+        priorityEqual;
+}
+function recordIdentityKey(record) {
+    const priority = record.type === "MX" ? String(record.priority ?? 0) : "";
+    return `${recordKey(record)}:${record.content}:${priority}`;
+}
+function sameRecordIdentity(left, right) {
+    return recordIdentityKey(left) === recordIdentityKey(right);
+}
+function recordsWithKey(records, key) {
+    return records.filter((record) => recordKey(record) === key);
+}
+function findCurrentRecordForDesired(input) {
+    const key = recordKey(input.desired);
+    const currentSameKey = recordsWithKey(input.currentRecords, key);
+    const exact = currentSameKey.find((record) => sameRecordIdentity(record, input.desired));
+    if (exact)
+        return exact;
+    const desiredSameKey = recordsWithKey(input.desiredRecords, key);
+    if (currentSameKey.length === 1 && desiredSameKey.length === 1)
+        return currentSameKey[0];
+    return undefined;
+}
+function planDnsWorkflow(input) {
+    assertDesiredRecordsAllowed(input.binding);
+    const allowedKeys = new Set(input.binding.resources.records.map(recordKey));
+    const changes = [];
+    const matchedCurrentRecords = new Set();
+    for (const desired of input.binding.desired.records) {
+        const current = findCurrentRecordForDesired({
+            desired,
+            desiredRecords: input.binding.desired.records,
+            currentRecords: input.currentRecords,
+        });
+        if (!current) {
+            changes.push({ action: "create", record: desired, reason: "desired record is missing" });
+        }
+        else if (!recordsEqual(current, desired)) {
+            matchedCurrentRecords.add(current);
+            changes.push({ action: "update", record: desired, currentRecord: current, reason: "desired record differs from current provider record" });
+        }
+        else {
+            matchedCurrentRecords.add(current);
+        }
+    }
+    if (input.deleteExtraAllowedRecords) {
+        for (const current of input.currentRecords) {
+            if (allowedKeys.has(recordKey(current)) && !matchedCurrentRecords.has(current)) {
+                changes.push({ action: "delete", record: current, currentRecord: current, reason: "allowlisted record is absent from rollback backup" });
+            }
+        }
+    }
+    const preservedRecords = input.currentRecords.filter((record) => !matchedCurrentRecords.has(record));
+    return {
+        backup: { domain: input.binding.domain, records: input.currentRecords },
+        changes,
+        preservedRecords,
+        certificateActions: input.binding.certificate
+            ? [{
+                    action: "retrieve-and-store",
+                    host: input.binding.certificate.host,
+                    secretItem: input.binding.certificate.storeItem,
+                }]
+            : [],
+    };
+}
+function planDnsRollback(input) {
+    const allowedKeys = new Set(input.binding.resources.records.map(recordKey));
+    const rollbackBinding = {
+        ...input.binding,
+        desired: {
+            records: input.backupRecords.filter((record) => allowedKeys.has(recordKey(record))),
+        },
+    };
+    return planDnsWorkflow({
+        binding: rollbackBinding,
+        currentRecords: input.currentRecords,
+        deleteExtraAllowedRecords: true,
+    });
+}
+async function applyDnsWorkflowPlan(input) {
+    const applied = [];
+    for (const change of input.plan.changes) {
+        if (change.action === "create") {
+            const result = await input.driver.createRecord({ domain: input.domain, secrets: input.secrets, record: change.record });
+            applied.push({ action: "create", record: change.record, ...(result.id ? { id: result.id } : {}) });
+            continue;
+        }
+        const id = change.currentRecord?.id ?? change.record.id;
+        if (!id)
+            throw new Error(`cannot ${change.action} ${change.record.type} ${change.record.name} without provider record id`);
+        if (change.action === "update") {
+            await input.driver.editRecord({ domain: input.domain, secrets: input.secrets, id, record: change.record });
+            applied.push({ action: "update", record: change.record, id });
+            continue;
+        }
+        await input.driver.deleteRecord({ domain: input.domain, secrets: input.secrets, id });
+        applied.push({ action: "delete", record: change.record, id });
+    }
+    return applied;
+}
+function redactedValueForKey(key, value) {
+    const normalized = key.toLowerCase();
+    if (normalized === "apikey" || normalized === "secretapikey" || normalized === "x-api-key" || normalized === "x-secret-api-key") {
+        return "[redacted]";
+    }
+    if (normalized === "privatekey" || normalized === "privatekeypem" || normalized === "privatekeypath") {
+        return "[redacted]";
+    }
+    if (typeof value === "string" && value.includes("BEGIN PRIVATE KEY")) {
+        return "[redacted]";
+    }
+    return undefined;
+}
+function redactDnsWorkflowArtifact(input) {
+    if (Array.isArray(input))
+        return input.map((item) => redactDnsWorkflowArtifact(item));
+    if (input && typeof input === "object") {
+        const output = {};
+        for (const [key, value] of Object.entries(input)) {
+            output[key] = redactedValueForKey(key, value) ?? redactDnsWorkflowArtifact(value);
+        }
+        return output;
+    }
+    if (typeof input === "string" && input.includes("BEGIN PRIVATE KEY"))
+        return "[redacted]";
+    return input;
+}

package/dist/heart/daemon/doctor-types.js

@@ -0,0 +1,8 @@
+"use strict";
+/**
+ * Type definitions for the `ouro doctor` system health check.
+ *
+ * Describes the structure of health check results: individual checks,
+ * grouped categories, and the aggregated result.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });