@percepta/create 3.4.0 → 3.4.2

package/templates/webapp/scripts/deploy-percepta-test.ts

@@ -1,1112 +0,0 @@
-#!/usr/bin/env tsx
-
-import { execFileSync, spawnSync } from "node:child_process";
-import { existsSync } from "node:fs";
-import { readFile } from "node:fs/promises";
-import path from "node:path";
-import { stdin as input, stdout as output } from "node:process";
-import { createInterface } from "node:readline/promises";
-import { fileURLToPath } from "node:url";
-
-const APP_NAME = "__APP_NAME__";
-const REPO_SLUG = "Percepta-Core/__REPO_NAME__";
-const ENVIRONMENT = "percepta-test";
-const TERRAFORM_SERVICE_NAME = `${APP_NAME}-terraform`;
-const DEPLOY_URL = `https://${APP_NAME}.${ENVIRONMENT}.aitco.dev`;
-const DEFAULT_TIMEOUT_MINUTES = 20;
-
-const REQUIRED_PLATFORM_INSTALLATIONS = [
-  {
-    name: "percepta-internal-terraform",
-    label: "shared Postgres",
-  },
-  {
-    name: "inngest-test",
-    label: "shared Inngest",
-  },
-  {
-    name: "otel-collector",
-    label: "shared OTEL collector",
-  },
-  {
-    name: "lgtm-stack-helm",
-    label: "shared LGTM stack",
-  },
-  {
-    name: "langfuse",
-    label: "shared Langfuse",
-  },
-] as const;
-
-const REQUIRED_PLATFORM_VARIABLE_GROUPS = [
-  {
-    name: "demos-commons",
-    label: "shared demo config",
-    requiredVariables: [
-      "ANTHROPIC_API_KEY",
-      "LANGFUSE_PUBLIC_KEY",
-      "LANGFUSE_SECRET_KEY",
-    ],
-    requiredSensitiveVariables: ["ANTHROPIC_API_KEY", "LANGFUSE_SECRET_KEY"],
-  },
-] as const;
-
-interface Options {
-  yes: boolean;
-  skipRepo: boolean;
-  skipPush: boolean;
-  skipWorkflows: boolean;
-  skipSecrets: boolean;
-  ref: string;
-  timeoutMinutes: number;
-}
-
-interface WorkflowRun {
-  databaseId: number;
-  status: string;
-  conclusion: string | null;
-  url: string;
-}
-
-interface InstallationTask {
-  associatedTaskId: string;
-  createdAt: string;
-  description?: string;
-  isApprovable: boolean;
-  status: string;
-  taskType: string;
-}
-
-interface Installation {
-  name?: string;
-  status?: string;
-  health?: string;
-  release?: {
-    commitSha?: string;
-    currentVersion?: string;
-    targetVersion?: string;
-  };
-}
-
-interface VariableGroup {
-  name?: string;
-  variables?: Array<{
-    key: string;
-    sensitive?: boolean;
-  }>;
-}
-
-interface Release {
-  version?: string;
-  commit?: {
-    sha?: string;
-  };
-}
-
-interface ReleaseList {
-  releases?: Release[];
-}
-
-function parseArgs(argv: string[]): Options {
-  const options: Options = {
-    yes: false,
-    skipRepo: false,
-    skipPush: false,
-    skipWorkflows: false,
-    skipSecrets: false,
-    ref: "main",
-    timeoutMinutes: DEFAULT_TIMEOUT_MINUTES,
-  };
-
-  for (let index = 0; index < argv.length; index++) {
-    const arg = argv[index];
-    if (arg === "--") {
-      continue;
-    } else if (arg === "--yes" || arg === "-y") {
-      options.yes = true;
-    } else if (arg === "--skip-repo") {
-      options.skipRepo = true;
-    } else if (arg === "--skip-push") {
-      options.skipPush = true;
-    } else if (arg === "--skip-workflows") {
-      options.skipWorkflows = true;
-    } else if (arg === "--skip-secrets") {
-      options.skipSecrets = true;
-    } else if (arg === "--ref") {
-      const value = argv[index + 1];
-      if (!value) throw new Error("--ref requires a branch or ref");
-      options.ref = value;
-      index++;
-    } else if (arg === "--timeout-minutes") {
-      const value = Number(argv[index + 1]);
-      if (!Number.isFinite(value) || value <= 0) {
-        throw new Error("--timeout-minutes requires a positive number");
-      }
-      options.timeoutMinutes = value;
-      index++;
-    } else {
-      throw new Error(`Unknown argument: ${arg}`);
-    }
-  }
-
-  return options;
-}
-
-function run(
-  command: string,
-  args: string[],
-  cwd: string,
-  stdio: "inherit" | "pipe" = "inherit",
-): string {
-  const result = execFileSync(command, args, {
-    cwd,
-    encoding: "utf8",
-    stdio,
-  });
-
-  return typeof result === "string" ? result.trim() : "";
-}
-
-function runWithInput(
-  command: string,
-  args: string[],
-  cwd: string,
-  inputText: string,
-): string {
-  const result = execFileSync(command, args, {
-    cwd,
-    encoding: "utf8",
-    input: inputText,
-    stdio: ["pipe", "inherit", "inherit"],
-  });
-
-  return typeof result === "string" ? result.trim() : "";
-}
-
-function runJson<T>(command: string, args: string[], cwd: string): T {
-  const outputText = run(command, args, cwd, "pipe");
-  return JSON.parse(outputText) as T;
-}
-
-function assertCommand(command: string): void {
-  try {
-    run(command, ["--version"], process.cwd(), "pipe");
-  } catch {
-    throw new Error(
-      `Required command not found or not authenticated: ${command}`,
-    );
-  }
-}
-
-function findUp(startDir: string, fileName: string): string | null {
-  let dir = startDir;
-  while (true) {
-    if (existsSync(path.join(dir, fileName))) return dir;
-    const parent = path.dirname(dir);
-    if (parent === dir) return null;
-    dir = parent;
-  }
-}
-
-function parseGitHubRepo(remoteUrl: string): string | null {
-  const match = remoteUrl.match(
-    /github\.com[:/]([^/\s]+\/[^/\s]+?)(?:\.git)?$/,
-  );
-  return match?.[1] ?? null;
-}
-
-function getRemoteRepoSlug(monorepoRoot: string): string | null {
-  try {
-    return parseGitHubRepo(
-      run("git", ["remote", "get-url", "origin"], monorepoRoot, "pipe"),
-    );
-  } catch {
-    return null;
-  }
-}
-
-async function confirm(message: string): Promise<boolean> {
-  const rl = createInterface({ input, output });
-  try {
-    const answer = (await rl.question(`${message} [Y/n] `))
-      .trim()
-      .toLowerCase();
-    return answer === "" || answer === "y" || answer === "yes";
-  } finally {
-    rl.close();
-  }
-}
-
-async function confirmOrThrow(
-  message: string,
-  options: Options,
-): Promise<void> {
-  if (options.yes) return;
-  if (!process.stdin.isTTY) {
-    throw new Error(`${message} Re-run with --yes to confirm.`);
-  }
-  if (!(await confirm(message))) {
-    throw new Error("Deployment cancelled.");
-  }
-}
-
-function sleep(ms: number): Promise<void> {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-
-async function ensureGitHubRepo(
-  monorepoRoot: string,
-  options: Options,
-): Promise<string> {
-  const remoteRepoSlug = getRemoteRepoSlug(monorepoRoot);
-  const repoSlug = remoteRepoSlug ?? REPO_SLUG;
-
-  if (remoteRepoSlug && remoteRepoSlug !== REPO_SLUG) {
-    console.log(`Using GitHub repo from origin remote: ${remoteRepoSlug}`);
-  }
-
-  if (options.skipRepo) return repoSlug;
-
-  try {
-    run("gh", ["repo", "view", repoSlug], monorepoRoot, "pipe");
-  } catch {
-    await confirmOrThrow(
-      `GitHub repo ${repoSlug} was not found. Create it and push this repo?`,
-      options,
-    );
-    run(
-      "gh",
-      [
-        "repo",
-        "create",
-        repoSlug,
-        "--internal",
-        "--source",
-        monorepoRoot,
-        "--remote",
-        "origin",
-        "--push",
-      ],
-      monorepoRoot,
-    );
-    return repoSlug;
-  }
-
-  if (!remoteRepoSlug) {
-    run(
-      "git",
-      ["remote", "add", "origin", `git@github.com:${repoSlug}.git`],
-      monorepoRoot,
-    );
-  }
-
-  return repoSlug;
-}
-
-function ensureCleanAndPushed(monorepoRoot: string, options: Options): void {
-  if (options.skipPush) return;
-
-  const status = run("git", ["status", "--porcelain"], monorepoRoot, "pipe");
-  if (status.length > 0) {
-    throw new Error(
-      [
-        "The git worktree has uncommitted changes.",
-        "Commit the app before deploying so GitHub Actions builds the exact code you expect.",
-        status,
-      ].join("\n"),
-    );
-  }
-
-  const branch = run("git", ["branch", "--show-current"], monorepoRoot, "pipe");
-  if (!branch) {
-    throw new Error("Could not determine the current git branch.");
-  }
-
-  run(
-    "git",
-    ["push", "-u", "origin", `${branch}:${options.ref}`],
-    monorepoRoot,
-  );
-}
-
-function upsertService(manifestPath: string, monorepoRoot: string): void {
-  run("ryvn", ["replace", "-f", manifestPath], monorepoRoot);
-}
-
-function getCurrentCommitSha(monorepoRoot: string): string {
-  return run("git", ["rev-parse", "HEAD"], monorepoRoot, "pipe");
-}
-
-function getInstallation(
-  name: string,
-  monorepoRoot: string,
-): Installation | null {
-  try {
-    return runJson<Installation>(
-      "ryvn",
-      ["get", "installation", name, "-e", ENVIRONMENT, "-o", "json"],
-      monorepoRoot,
-    );
-  } catch {
-    return null;
-  }
-}
-
-function getVariableGroup(
-  name: string,
-  monorepoRoot: string,
-): VariableGroup | null {
-  try {
-    return runJson<VariableGroup>(
-      "ryvn",
-      ["get", "variable-group", name, "-e", ENVIRONMENT, "-o", "json"],
-      monorepoRoot,
-    );
-  } catch {
-    return null;
-  }
-}
-
-function installationExists(name: string, monorepoRoot: string): boolean {
-  return getInstallation(name, monorepoRoot) !== null;
-}
-
-function isHealthyAtCommit(
-  installation: Installation | null,
-  commitSha: string,
-): boolean {
-  return (
-    installation?.status === "UP_TO_DATE" &&
-    installation.health === "HEALTHY" &&
-    installation.release?.commitSha === commitSha
-  );
-}
-
-function getReleaseForCommit(
-  serviceName: string,
-  commitSha: string,
-  monorepoRoot: string,
-): Release | null {
-  try {
-    const releaseList = runJson<ReleaseList>(
-      "ryvn",
-      ["get", "release", "--service", serviceName, "-o", "json"],
-      monorepoRoot,
-    );
-
-    return (
-      releaseList.releases?.find(
-        (release) => release.commit?.sha === commitSha,
-      ) ?? null
-    );
-  } catch {
-    return null;
-  }
-}
-
-function assertHealthyPlatformInstallation(
-  installation: Installation | null,
-  name: string,
-  label: string,
-): string | null {
-  if (installation === null) {
-    return `${label} (${name}) was not found in ${ENVIRONMENT}.`;
-  }
-
-  if (
-    installation.status !== "UP_TO_DATE" ||
-    installation.health !== "HEALTHY"
-  ) {
-    return `${label} (${name}) is ${installation.status ?? "unknown"}/${installation.health ?? "unknown"}, expected UP_TO_DATE/HEALTHY.`;
-  }
-
-  return null;
-}
-
-function assertPlatformVariableGroup(
-  variableGroup: VariableGroup | null,
-  name: string,
-  label: string,
-  requiredVariables: readonly string[],
-  requiredSensitiveVariables: readonly string[],
-): string | null {
-  if (variableGroup === null) {
-    return `${label} variable group (${name}) was not found in ${ENVIRONMENT}.`;
-  }
-
-  const variables = new Map(
-    (variableGroup.variables ?? []).map((variable) => [variable.key, variable]),
-  );
-  const missing = requiredVariables.filter((key) => !variables.has(key));
-  if (missing.length > 0) {
-    return `${label} variable group (${name}) is missing ${missing.join(", ")}.`;
-  }
-
-  const notSensitive = requiredSensitiveVariables.filter(
-    (key) => variables.get(key)?.sensitive !== true,
-  );
-  if (notSensitive.length > 0) {
-    return `${label} variable group (${name}) must mark ${notSensitive.join(", ")} as sensitive.`;
-  }
-
-  return null;
-}
-
-function verifyExistingPlatform(monorepoRoot: string): void {
-  console.log(`Checking existing ${ENVIRONMENT} platform dependencies...`);
-
-  const installationFailures = REQUIRED_PLATFORM_INSTALLATIONS.map(
-    (dependency) =>
-      assertHealthyPlatformInstallation(
-        getInstallation(dependency.name, monorepoRoot),
-        dependency.name,
-        dependency.label,
-      ),
-  ).filter((failure): failure is string => failure !== null);
-  const variableGroupFailures = REQUIRED_PLATFORM_VARIABLE_GROUPS.map(
-    (dependency) =>
-      assertPlatformVariableGroup(
-        getVariableGroup(dependency.name, monorepoRoot),
-        dependency.name,
-        dependency.label,
-        dependency.requiredVariables,
-        dependency.requiredSensitiveVariables,
-      ),
-  ).filter((failure): failure is string => failure !== null);
-  const failures = [...installationFailures, ...variableGroupFailures];
-
-  if (failures.length > 0) {
-    throw new Error(
-      [
-        `Cannot deploy ${APP_NAME} into ${ENVIRONMENT} because required platform services are missing or unhealthy.`,
-        ...failures,
-        "This helper performs the existing-environment deploy motion only. Stand up the platform services first, then rerun deploy:percepta-test.",
-      ].join("\n"),
-    );
-  }
-
-  for (const dependency of REQUIRED_PLATFORM_INSTALLATIONS) {
-    console.log(`Found ${dependency.label}: ${dependency.name}`);
-  }
-
-  for (const dependency of REQUIRED_PLATFORM_VARIABLE_GROUPS) {
-    console.log(`Found ${dependency.label} variable group: ${dependency.name}`);
-  }
-}
-
-function upsertInstallation(
-  name: string,
-  manifestPath: string,
-  monorepoRoot: string,
-  expectedCommitSha: string,
-  manifestContents?: string,
-): void {
-  const existingInstallation = getInstallation(name, monorepoRoot);
-  if (isHealthyAtCommit(existingInstallation, expectedCommitSha)) {
-    console.log(
-      `${name} is already healthy at ${expectedCommitSha.slice(0, 7)}; skipping installation replace.`,
-    );
-    return;
-  }
-
-  const action = existingInstallation == null ? "create" : "replace";
-  try {
-    if (existingInstallation == null) {
-      if (manifestContents == null) {
-        run("ryvn", ["create", "-f", manifestPath], monorepoRoot);
-      } else {
-        runWithInput(
-          "ryvn",
-          ["create", "-f", "-"],
-          monorepoRoot,
-          manifestContents,
-        );
-      }
-    } else if (manifestContents == null) {
-      run("ryvn", ["replace", "-f", manifestPath], monorepoRoot);
-    } else {
-      runWithInput(
-        "ryvn",
-        ["replace", "-f", "-"],
-        monorepoRoot,
-        manifestContents,
-      );
-    }
-  } catch (error) {
-    const currentInstallation = getInstallation(name, monorepoRoot);
-    if (isHealthyAtCommit(currentInstallation, expectedCommitSha)) {
-      console.log(
-        `${name} ${action} returned an error, but Ryvn now reports it healthy at ${expectedCommitSha.slice(0, 7)}; continuing.`,
-      );
-      return;
-    }
-
-    throw error;
-  }
-}
-
-function printFailedWorkflowLog(
-  repoSlug: string,
-  runId: number,
-  monorepoRoot: string,
-): void {
-  try {
-    console.log("");
-    console.log(`Failed workflow log for ${runId}:`);
-    run(
-      "gh",
-      ["run", "view", String(runId), "--repo", repoSlug, "--log-failed"],
-      monorepoRoot,
-    );
-  } catch {
-    console.log(`Could not fetch failed workflow logs for ${runId}.`);
-  }
-}
-
-async function ensureReleaseForCurrentCommit(
-  serviceName: string,
-  repoSlug: string,
-  workflowFile: string,
-  monorepoRoot: string,
-  options: Options,
-  commitSha: string,
-): Promise<Release> {
-  const existingRelease = getReleaseForCommit(
-    serviceName,
-    commitSha,
-    monorepoRoot,
-  );
-  if (existingRelease != null) {
-    console.log(
-      `${serviceName} release ${existingRelease.version ?? "unknown"} already exists for ${commitSha.slice(0, 7)}.`,
-    );
-    return existingRelease;
-  }
-
-  await triggerWorkflow(
-    serviceName,
-    repoSlug,
-    workflowFile,
-    monorepoRoot,
-    options,
-    commitSha,
-  );
-
-  const release = getReleaseForCommit(serviceName, commitSha, monorepoRoot);
-  if (release == null) {
-    throw new Error(
-      `No Ryvn release for ${serviceName} at ${commitSha} after ${workflowFile}.`,
-    );
-  }
-
-  return release;
-}
-
-function assertReleaseExistsForSkippedWorkflow(
-  serviceName: string,
-  commitSha: string,
-  monorepoRoot: string,
-): Release {
-  const release = getReleaseForCommit(serviceName, commitSha, monorepoRoot);
-  if (release == null) {
-    throw new Error(
-      `--skip-workflows was set, but no ${serviceName} Ryvn release exists for commit ${commitSha}. Rerun without --skip-workflows or confirm the release was created.`,
-    );
-  }
-
-  return release;
-}
-
-function logReleaseSummary(serviceName: string, release: Release): void {
-  console.log(
-    `${serviceName} release ready: ${release.version ?? "unknown version"}.`,
-  );
-}
-
-function requireReleaseForCurrentCommit(
-  serviceName: string,
-  repoSlug: string,
-  workflowFile: string,
-  monorepoRoot: string,
-  options: Options,
-  commitSha: string,
-): Promise<Release> {
-  if (options.skipWorkflows) {
-    return Promise.resolve(
-      assertReleaseExistsForSkippedWorkflow(
-        serviceName,
-        commitSha,
-        monorepoRoot,
-      ),
-    );
-  }
-
-  return ensureReleaseForCurrentCommit(
-    serviceName,
-    repoSlug,
-    workflowFile,
-    monorepoRoot,
-    options,
-    commitSha,
-  );
-}
-
-function isRetryableReleaseFailure(error: unknown): boolean {
-  return error instanceof Error;
-}
-
-async function triggerWorkflow(
-  serviceName: string,
-  repoSlug: string,
-  workflowFile: string,
-  monorepoRoot: string,
-  options: Options,
-  commitSha: string,
-): Promise<void> {
-  if (options.skipWorkflows) return;
-
-  console.log(`Running ${workflowFile}...`);
-  run(
-    "gh",
-    ["workflow", "run", workflowFile, "--repo", repoSlug, "--ref", options.ref],
-    monorepoRoot,
-  );
-  await sleep(3_000);
-
-  let runs = runJson<WorkflowRun[]>(
-    "gh",
-    [
-      "run",
-      "list",
-      "--repo",
-      repoSlug,
-      "--workflow",
-      workflowFile,
-      "--branch",
-      options.ref,
-      "--event",
-      "workflow_dispatch",
-      "--limit",
-      "1",
-      "--json",
-      "databaseId,status,conclusion,url",
-    ],
-    monorepoRoot,
-  );
-
-  if (runs.length === 0) {
-    runs = runJson<WorkflowRun[]>(
-      "gh",
-      [
-        "run",
-        "list",
-        "--repo",
-        repoSlug,
-        "--workflow",
-        workflowFile,
-        "--branch",
-        options.ref,
-        "--limit",
-        "1",
-        "--json",
-        "databaseId,status,conclusion,url",
-      ],
-      monorepoRoot,
-    );
-  }
-
-  const runInfo = runs.at(0);
-  if (runInfo === undefined) {
-    throw new Error(`Could not find a GitHub Actions run for ${workflowFile}`);
-  }
-
-  console.log(`Watching ${runInfo.url}`);
-  try {
-    run(
-      "gh",
-      [
-        "run",
-        "watch",
-        String(runInfo.databaseId),
-        "--repo",
-        repoSlug,
-        "--exit-status",
-      ],
-      monorepoRoot,
-    );
-  } catch (error) {
-    printFailedWorkflowLog(repoSlug, runInfo.databaseId, monorepoRoot);
-
-    const release = getReleaseForCommit(serviceName, commitSha, monorepoRoot);
-    if (release != null && isRetryableReleaseFailure(error)) {
-      console.log(
-        `${workflowFile} reported a failure, but ${serviceName} release ${release.version ?? "unknown"} exists for ${commitSha.slice(0, 7)}; continuing.`,
-      );
-      return;
-    }
-
-    throw error;
-  }
-}
-
-function latestTask(tasks: InstallationTask[]): InstallationTask | null {
-  return (
-    [...tasks].sort(
-      (a, b) =>
-        new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime(),
-    )[0] ?? null
-  );
-}
-
-async function waitForTerraformApply(
-  monorepoRoot: string,
-  options: Options,
-): Promise<void> {
-  const deadline = Date.now() + options.timeoutMinutes * 60_000;
-  const approved = new Set<string>();
-
-  while (Date.now() < deadline) {
-    const tasks = runJson<InstallationTask[]>(
-      "ryvn",
-      [
-        "get",
-        "installation-task",
-        TERRAFORM_SERVICE_NAME,
-        "-e",
-        ENVIRONMENT,
-        "-o",
-        "json",
-      ],
-      monorepoRoot,
-    );
-    const newest = latestTask(tasks);
-    const failed = tasks.find((task) => task.status === "FAILED");
-    if (failed) {
-      throw new Error(
-        `${failed.description ?? failed.taskType} failed for ${TERRAFORM_SERVICE_NAME}.`,
-      );
-    }
-
-    const approvablePlan = tasks.find(
-      (task) =>
-        task.isApprovable &&
-        task.taskType === "terraformPlanV1" &&
-        !approved.has(task.associatedTaskId),
-    );
-    if (approvablePlan) {
-      await confirmOrThrow(
-        `Approve Terraform plan for ${TERRAFORM_SERVICE_NAME}?`,
-        options,
-      );
-      run(
-        "ryvn",
-        [
-          "task",
-          "approve",
-          approvablePlan.associatedTaskId,
-          "--reason",
-          `Deploy ${APP_NAME} schema to ${ENVIRONMENT}`,
-        ],
-        monorepoRoot,
-      );
-      approved.add(approvablePlan.associatedTaskId);
-    }
-
-    if (
-      newest?.status === "COMPLETED" &&
-      newest.taskType === "terraformApplyV1"
-    ) {
-      console.log(`${TERRAFORM_SERVICE_NAME} is applied.`);
-      return;
-    }
-
-    await sleep(5_000);
-  }
-
-  throw new Error(
-    `${TERRAFORM_SERVICE_NAME} did not finish within ${options.timeoutMinutes} minutes.`,
-  );
-}
-
-function parseEnvFile(
-  contents: string,
-): Array<{ name: string; value: string }> {
-  return contents
-    .split("\n")
-    .map((line) => line.trim())
-    .filter((line) => line.length > 0 && !line.startsWith("#"))
-    .map((line) => {
-      const equalsIndex = line.indexOf("=");
-      if (equalsIndex === -1) return null;
-      const name = line.slice(0, equalsIndex).trim();
-      let value = line.slice(equalsIndex + 1).trim();
-      if (
-        (value.startsWith('"') && value.endsWith('"')) ||
-        (value.startsWith("'") && value.endsWith("'"))
-      ) {
-        value = value.slice(1, -1);
-      }
-      return name ? { name, value } : null;
-    })
-    .filter(
-      (entry): entry is { name: string; value: string } => entry !== null,
-    );
-}
-
-async function readInstallationSecrets(
-  packageDir: string,
-  options: Options,
-): Promise<Array<{ name: string; value: string }>> {
-  if (options.skipSecrets) return [];
-
-  const secretsPath = path.join(
-    packageDir,
-    "deploy",
-    "ryvn",
-    `${ENVIRONMENT}.secrets.env`,
-  );
-  if (!existsSync(secretsPath)) {
-    console.log(
-      `No secrets file found at ${secretsPath}; skipping secret patch.`,
-    );
-    return [];
-  }
-
-  return parseEnvFile(await readFile(secretsPath, "utf8"));
-}
-
-function appendInstallationSecrets(
-  manifestContents: string,
-  secrets: Array<{ name: string; value: string }>,
-): string {
-  if (secrets.length === 0) return manifestContents;
-
-  const marker = "  variableGroups:\n";
-  if (!manifestContents.includes(marker)) {
-    throw new Error("Installation manifest is missing variableGroups marker.");
-  }
-
-  const secretYaml = [
-    "  secrets:",
-    ...secrets.flatMap(({ name, value }) => [
-      `    - name: ${name}`,
-      `      value: ${JSON.stringify(value)}`,
-    ]),
-    "",
-  ].join("\n");
-
-  return manifestContents.replace(marker, `${secretYaml}${marker}`);
-}
-
-function patchExistingInstallationSecrets(
-  secrets: Array<{ name: string; value: string }>,
-  monorepoRoot: string,
-): void {
-  if (secrets.length === 0) return;
-
-  const patch = JSON.stringify({ spec: { secrets } });
-  const result = spawnSync(
-    "ryvn",
-    [
-      "update",
-      "installation",
-      APP_NAME,
-      "-e",
-      ENVIRONMENT,
-      "--type",
-      "strategic",
-      "--patch-file",
-      "-",
-    ],
-    {
-      cwd: monorepoRoot,
-      input: patch,
-      stdio: ["pipe", "inherit", "inherit"],
-      encoding: "utf8",
-    },
-  );
-
-  if (result.status !== 0) {
-    throw new Error(`Failed to patch generated app secrets for ${APP_NAME}.`);
-  }
-}
-
-async function waitForHealthy(
-  monorepoRoot: string,
-  options: Options,
-): Promise<void> {
-  const deadline = Date.now() + options.timeoutMinutes * 60_000;
-
-  while (Date.now() < deadline) {
-    const installation = runJson<Installation>(
-      "ryvn",
-      ["get", "installation", APP_NAME, "-e", ENVIRONMENT, "-o", "json"],
-      monorepoRoot,
-    );
-
-    if (
-      installation.status === "UP_TO_DATE" &&
-      installation.health === "HEALTHY"
-    ) {
-      console.log(`${APP_NAME} is healthy.`);
-      return;
-    }
-
-    console.log(
-      `${APP_NAME} status: ${installation.status ?? "unknown"}, health: ${installation.health ?? "unknown"}`,
-    );
-    await sleep(10_000);
-  }
-
-  throw new Error(
-    `${APP_NAME} did not become healthy within ${options.timeoutMinutes} minutes.`,
-  );
-}
-
-async function fetchDeployUrl(
-  pathname: string,
-  init: RequestInit = {},
-): Promise<Response> {
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), 10_000);
-  try {
-    return await fetch(`${DEPLOY_URL}${pathname}`, {
-      ...init,
-      signal: controller.signal,
-    });
-  } finally {
-    clearTimeout(timeout);
-  }
-}
-
-async function verifyEndpoint(pathname: string): Promise<void> {
-  const response = await fetchDeployUrl(pathname);
-  if (!response.ok) {
-    throw new Error(`${pathname} returned HTTP ${response.status}`);
-  }
-}
-
-async function verifyAppRoute(): Promise<void> {
-  const response = await fetchDeployUrl("/", { redirect: "manual" });
-  if (response.ok) return;
-
-  if ([301, 302, 303, 307, 308].includes(response.status)) {
-    const location = response.headers.get("location");
-    let redirectPathname: string | null = null;
-    if (location) {
-      try {
-        redirectPathname = new URL(location, DEPLOY_URL).pathname;
-      } catch {
-        redirectPathname = null;
-      }
-    }
-    if (redirectPathname === "/auth/signin") return;
-
-    throw new Error(
-      `/ redirected to ${location ?? "an empty location"} instead of /auth/signin`,
-    );
-  }
-
-  throw new Error(`/ returned HTTP ${response.status}`);
-}
-
-async function verifyDeployment(): Promise<void> {
-  await verifyEndpoint("/api/healthz");
-  await verifyEndpoint("/api/readyz");
-  await verifyAppRoute();
-}
-
-async function main(): Promise<void> {
-  const options = parseArgs(process.argv.slice(2));
-  assertCommand("git");
-  assertCommand("gh");
-  assertCommand("ryvn");
-
-  const packageDir = path.resolve(
-    path.dirname(fileURLToPath(import.meta.url)),
-    "..",
-  );
-  const monorepoRoot = findUp(packageDir, "pnpm-workspace.yaml") ?? packageDir;
-  verifyExistingPlatform(monorepoRoot);
-
-  const repoSlug = await ensureGitHubRepo(monorepoRoot, options);
-  ensureCleanAndPushed(monorepoRoot, options);
-  const commitSha = getCurrentCommitSha(monorepoRoot);
-
-  const ryvnDir = path.join(packageDir, "deploy", "ryvn");
-  const serviceManifest = path.join(ryvnDir, `${APP_NAME}.service.yaml`);
-  const terraformServiceManifest = path.join(
-    ryvnDir,
-    `${TERRAFORM_SERVICE_NAME}.service.yaml`,
-  );
-  const installationManifest = path.join(
-    ryvnDir,
-    "environments",
-    ENVIRONMENT,
-    "installations",
-    `${APP_NAME}.env.${ENVIRONMENT}.serviceinstallation.yaml`,
-  );
-  const terraformInstallationManifest = path.join(
-    ryvnDir,
-    "environments",
-    ENVIRONMENT,
-    "installations",
-    `${TERRAFORM_SERVICE_NAME}.env.${ENVIRONMENT}.serviceinstallation.yaml`,
-  );
-
-  console.log(`Creating/updating Ryvn services in ${ENVIRONMENT}...`);
-  upsertService(terraformServiceManifest, monorepoRoot);
-  upsertService(serviceManifest, monorepoRoot);
-
-  const terraformRelease = await requireReleaseForCurrentCommit(
-    TERRAFORM_SERVICE_NAME,
-    repoSlug,
-    `${TERRAFORM_SERVICE_NAME}-ryvn-release.yaml`,
-    monorepoRoot,
-    options,
-    commitSha,
-  );
-  logReleaseSummary(TERRAFORM_SERVICE_NAME, terraformRelease);
-  upsertInstallation(
-    TERRAFORM_SERVICE_NAME,
-    terraformInstallationManifest,
-    monorepoRoot,
-    commitSha,
-  );
-  await waitForTerraformApply(monorepoRoot, options);
-
-  const appRelease = await requireReleaseForCurrentCommit(
-    APP_NAME,
-    repoSlug,
-    `${APP_NAME}-ryvn-release.yaml`,
-    monorepoRoot,
-    options,
-    commitSha,
-  );
-  logReleaseSummary(APP_NAME, appRelease);
-  const secrets = await readInstallationSecrets(packageDir, options);
-  if (installationExists(APP_NAME, monorepoRoot)) {
-    patchExistingInstallationSecrets(secrets, monorepoRoot);
-  }
-  upsertInstallation(
-    APP_NAME,
-    installationManifest,
-    monorepoRoot,
-    commitSha,
-    appendInstallationSecrets(
-      await readFile(installationManifest, "utf8"),
-      secrets,
-    ),
-  );
-  await waitForHealthy(monorepoRoot, options);
-
-  await verifyDeployment();
-
-  console.log("");
-  console.log(`Deployed ${APP_NAME}: ${DEPLOY_URL}`);
-}
-
-void main().catch((error) => {
-  console.error(error instanceof Error ? error.message : error);
-  process.exit(1);
-});