@pleri/olam-cli 0.1.186 → 0.1.195

package/dist/commands/services-tls.js

@@ -0,0 +1,434 @@
+/**
+ * `olam services tls-install` — generate a locally-trusted TLS certificate
+ * for the K3d Traefik IngressRoute and apply it as a Kubernetes Secret.
+ *
+ * Why this exists: HTTP/1.1 inside `kubectl port-forward` hits the browser's
+ * 6-connection-per-origin cap under Electric SQL long-poll load (one shape
+ * subscription per concurrent route → SPA stalls at ~25s pending). Putting
+ * Traefik in front with TLS + HTTP/2 fixes both problems with one cert
+ * provisioning step. mkcert handles the root-CA dance so browsers trust
+ * `https://olam.local` natively — no padlock warnings, no `--insecure`.
+ *
+ * Flow:
+ *   1. Verify `mkcert` is on PATH (actionable error otherwise).
+ *   2. Run `mkcert -install` (idempotent — no-op if root CA already trusted).
+ *   3. Mint a cert in a tmp dir for `olam.local 127.0.0.1 ::1`.
+ *   4. Read tls.crt + tls.key, base64-encode, substitute into the template.
+ *   5. `kubectl apply -f -` against the rendered Secret manifest.
+ *   6. Suggest the /etc/hosts line (do NOT auto-edit).
+ *
+ * Idempotency: if `olam-host-cp-tls` already exists AND its NotAfter is
+ * more than 30 days away, skip the whole flow. Operators can force renewal
+ * with `kubectl -n olam delete secret olam-host-cp-tls`.
+ *
+ * Design constraints honoured:
+ *   - No new npm deps (uses node:child_process + node:fs + node:os).
+ *   - SAN list includes `127.0.0.1` + `::1` because modern browsers ignore
+ *     CN and only honour SANs (Chrome 58+, Brave, Safari, Firefox).
+ *   - `/etc/hosts` is printed, not auto-mutated — touching it behind the
+ *     operator's back is a foot-gun (and would require sudo).
+ */
+import { execFileSync, spawnSync } from 'node:child_process';
+import { existsSync, mkdtempSync, readFileSync, readdirSync, writeFileSync, rmSync } from 'node:fs';
+import { homedir, tmpdir } from 'node:os';
+import { join, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { printError, printHeader, printInfo, printSuccess, printWarning } from '../output.js';
+import { resolveKubectlContext } from '../lib/kubectl-context.js';
+const SECRET_NAME = 'olam-host-cp-tls';
+const NAMESPACE = 'olam';
+const SAN_LIST = ['olam.local', '127.0.0.1', '::1'];
+const RENEWAL_THRESHOLD_DAYS = 30;
+const TRAEFIK_NAMESPACE = 'kube-system';
+const TRAEFIK_SERVICE = 'traefik';
+const MKCERT_INSTALL_URL = 'https://github.com/FiloSottile/mkcert#installation';
+function defaultSpawn(cmd, args, opts) {
+    const r = spawnSync(cmd, [...args], {
+        encoding: 'utf-8',
+        timeout: opts?.timeout,
+        input: opts?.input,
+    });
+    return {
+        status: r.status,
+        stdout: r.stdout ?? '',
+        stderr: r.stderr ?? '',
+    };
+}
+/**
+ * Probe whether the mkcert root CA is already trusted on this machine.
+ *
+ * macOS: `mkcert -CAROOT` → directory; if `rootCA.pem` exists there AND
+ *   `security find-certificate -c mkcert /Library/Keychains/System.keychain`
+ *   exits 0, the CA is already in the system keychain.
+ * Linux/other: CA file existence alone is used as a proxy for "trusted"
+ *   (nss-based stores don't need sudo and mkcert handles them idempotently).
+ *
+ * Returns false on any probe failure so the caller falls back to attempting
+ * `mkcert -install` (safe — mkcert itself is idempotent).
+ */
+export function isMkcertRootTrusted(mkcertPath, spawn) {
+    // Find the CA root directory.
+    const carootResult = spawn(mkcertPath, ['-CAROOT']);
+    if (carootResult.status !== 0)
+        return false;
+    const caRoot = carootResult.stdout.trim();
+    if (caRoot.length === 0)
+        return false;
+    const caPem = join(caRoot, 'rootCA.pem');
+    if (!existsSync(caPem))
+        return false;
+    // macOS: verify the cert is actually in the system keychain.
+    if (process.platform === 'darwin') {
+        const check = spawn('security', [
+            'find-certificate', '-c', 'mkcert', '/Library/Keychains/System.keychain',
+        ]);
+        return check.status === 0;
+    }
+    // Linux / other: CA file presence is sufficient (mkcert uses nss, no sudo needed).
+    return true;
+}
+/**
+ * Locate the bundled TLS Secret template. The CLI ships under
+ * `packages/cli/dist/commands/services-tls.js`; the manifests live under
+ * `packages/host-cp/k8s/manifests/` — three `..` hops from the dist file
+ * resolve to the package root. From source (`src/commands/services-tls.ts`)
+ * the same hop count works because the relative layout matches.
+ */
+function defaultTemplatePath() {
+    const here = fileURLToPath(import.meta.url);
+    return resolve(here, '..', '..', '..', '..', 'host-cp', 'k8s', 'manifests', '65-tls-secret-template.yaml.tmpl');
+}
+/** Parse the NotAfter timestamp from PEM-encoded cert via `openssl x509`. */
+function readCertNotAfter(pemBytes, spawnImpl) {
+    const r = spawnImpl('openssl', ['x509', '-noout', '-enddate'], { input: pemBytes });
+    if (r.status !== 0)
+        return null;
+    // openssl emits e.g. `notAfter=May 26 12:00:00 2028 GMT`
+    const match = r.stdout.match(/notAfter=(.+)/);
+    if (!match || match[1] === undefined)
+        return null;
+    const d = new Date(match[1].trim());
+    return Number.isNaN(d.getTime()) ? null : d;
+}
+/** Resolve mkcert binary, falling back to the well-known Homebrew location. */
+function locateMkcert(deps) {
+    if (deps.mkcertPath !== undefined)
+        return deps.mkcertPath;
+    const spawn = deps.spawnImpl ?? defaultSpawn;
+    const which = spawn('which', ['mkcert']);
+    if (which.status === 0) {
+        const path = which.stdout.trim();
+        if (path.length > 0)
+            return path;
+    }
+    // Homebrew default fallback — common case on operator macs.
+    const brewPath = '/opt/homebrew/bin/mkcert';
+    const exists = spawn('test', ['-x', brewPath]);
+    if (exists.status === 0)
+        return brewPath;
+    return null;
+}
+/** Fetch the current TLS Secret's certificate body (PEM), or null when missing. */
+function fetchExistingCertPem(kubectl, context, spawn) {
+    const r = spawn(kubectl, [
+        '--context', context,
+        '-n', NAMESPACE,
+        'get', 'secret', SECRET_NAME,
+        '-o', 'jsonpath={.data.tls\\.crt}',
+    ]);
+    if (r.status !== 0 || r.stdout.trim().length === 0)
+        return null;
+    try {
+        return Buffer.from(r.stdout.trim(), 'base64').toString('utf-8');
+    }
+    catch {
+        return null;
+    }
+}
+/** Resolve Traefik's `websecure` NodePort (HTTPS edge), or null on failure. */
+export function resolveTraefikHttpsPort(spawnArg, context) {
+    const spawn = spawnArg ?? defaultSpawn;
+    const args = [
+        ...(context !== undefined ? ['--context', context] : []),
+        '-n', TRAEFIK_NAMESPACE,
+        'get', 'svc', TRAEFIK_SERVICE,
+        '-o', 'jsonpath={.spec.ports[?(@.name=="websecure")].nodePort}',
+    ];
+    const r = spawn('kubectl', args);
+    if (r.status !== 0)
+        return null;
+    const n = Number.parseInt(r.stdout.trim(), 10);
+    return Number.isFinite(n) && n > 0 ? n : null;
+}
+/** Check whether `olam.local` is already present in /etc/hosts. */
+function isHostsEntryPresent() {
+    try {
+        const body = readFileSync('/etc/hosts', 'utf-8');
+        return /^[^#\n]*\bolam\.local\b/m.test(body);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Pure renderer: substitutes the placeholders in the TLS Secret template.
+ * Exported for snapshot testing.
+ */
+export function renderTlsSecret(template, crtBase64, keyBase64) {
+    return template
+        .replace('__TLS_CRT_BASE64__', crtBase64)
+        .replace('__TLS_KEY_BASE64__', keyBase64);
+}
+/**
+ * The full tls-install flow. Returns a structured result so the caller in
+ * `services up` can decide whether to print the success URL or fall back.
+ */
+export async function tlsInstall(deps = {}) {
+    const spawn = deps.spawnImpl ?? defaultSpawn;
+    const now = deps.now ?? new Date();
+    // 1. Resolve kubectl context.
+    let context = deps.kubectlContext;
+    if (context === undefined) {
+        const resolved = resolveKubectlContext();
+        if (resolved.error !== undefined || resolved.context === undefined) {
+            return {
+                action: 'failed',
+                reason: 'kubectl context not pinned. Fix one of these ways:\n' +
+                    '  1. Pin it for future runs:  olam config set host.kubectl_context_pinned <your-context>\n' +
+                    '     (current context = `kubectl config current-context`)\n' +
+                    '  2. One-off override:        OLAM_K8S_CONTEXT_ACK=<your-context> olam services tls-install\n' +
+                    'See docs/architecture/peripheral-services-on-k3s.md for the full setup.',
+            };
+        }
+        context = resolved.context;
+    }
+    // 1b. Apply the IngressRoute manifest. The Secret + IngressRoute are a
+    //     pair — without the IngressRoute, Traefik won't route olam.local
+    //     to host-cp even though the cert is present. Applying here (not
+    //     just in `services up`) makes `tls-install` work standalone.
+    //     Non-fatal: a missing CRD (cluster without Traefik) shouldn't block
+    //     cert provisioning; we surface a warning via debug log + continue.
+    const ingressResult = applyIngressManifests(context);
+    if (!ingressResult.ok && process.env['OLAM_DEBUG_TLS'] === '1') {
+        process.stderr.write(`[olam-tls] IngressRoute apply skipped: ${ingressResult.reason}\n`);
+    }
+    // 2. Locate mkcert.
+    const mkcert = locateMkcert(deps);
+    if (mkcert === null) {
+        return {
+            action: 'failed',
+            reason: `mkcert is required but was not found on PATH.\n` +
+                `  Install: brew install mkcert (macOS) or see ${MKCERT_INSTALL_URL}\n` +
+                `  Then re-run: olam services tls-install`,
+        };
+    }
+    // 3. Idempotency check — skip if cert is fresh enough.
+    const existingPem = fetchExistingCertPem('kubectl', context, spawn);
+    if (existingPem !== null) {
+        const notAfter = readCertNotAfter(existingPem, spawn);
+        if (notAfter !== null) {
+            const daysLeft = (notAfter.getTime() - now.getTime()) / (1000 * 60 * 60 * 24);
+            if (daysLeft > RENEWAL_THRESHOLD_DAYS) {
+                const httpsPort = resolveTraefikHttpsPort(spawn, context) ?? undefined;
+                return {
+                    action: 'skipped',
+                    reason: `existing cert valid for ${Math.floor(daysLeft)} more days; no action taken`,
+                    httpsPort,
+                };
+            }
+        }
+    }
+    // 4. Trust the local CA root — skip when already trusted, handle non-TTY gracefully.
+    if (deps.skipRootInstall !== true) {
+        const alreadyTrusted = isMkcertRootTrusted(mkcert, spawn);
+        if (alreadyTrusted) {
+            if (process.env['OLAM_DEBUG_TLS'] === '1') {
+                process.stderr.write('[olam-tls] mkcert root CA already trusted — skipping -install\n');
+            }
+        }
+        else {
+            const isTty = (deps.isTtyAttached ?? (() => process.stdin.isTTY === true))();
+            if (!isTty) {
+                // No terminal — sudo prompt would hang. Surface an actionable hint instead.
+                return {
+                    action: 'failed',
+                    reason: 'mkcert root CA is not yet trusted, and this terminal can\'t prompt for sudo.\n' +
+                        'Run this once manually:\n' +
+                        '  sudo mkcert -install\n' +
+                        'Then re-run: olam services tls-install',
+                };
+            }
+            // Interactive path — pass stdio through so the sudo prompt reaches the operator.
+            try {
+                execFileSync(mkcert, ['-install'], { stdio: 'inherit' });
+            }
+            catch {
+                return {
+                    action: 'failed',
+                    reason: 'mkcert -install failed — ensure mkcert is installed and try again.',
+                };
+            }
+        }
+    }
+    // 5. Mint the cert in a clean tmp dir so we don't pollute cwd.
+    const workDir = mkdtempSync(join(tmpdir(), 'olam-tls-'));
+    try {
+        const crtPath = join(workDir, 'tls.crt');
+        const keyPath = join(workDir, 'tls.key');
+        const mint = spawn(mkcert, [
+            '-cert-file', crtPath,
+            '-key-file', keyPath,
+            ...SAN_LIST,
+        ]);
+        if (mint.status !== 0) {
+            return {
+                action: 'failed',
+                reason: `mkcert failed to mint cert: ${mint.stderr.trim() || mint.stdout.trim()}`,
+            };
+        }
+        // mkcert sometimes writes via temp file → ensure both exist before reading.
+        const files = readdirSync(workDir);
+        if (!files.includes('tls.crt') || !files.includes('tls.key')) {
+            return {
+                action: 'failed',
+                reason: `mkcert succeeded but tls.crt/tls.key not found in ${workDir}`,
+            };
+        }
+        // 6. Generate the Secret manifest via kubectl itself. This eliminates the
+        //    template-substitution failure mode (where any base64-encoding subtlety
+        //    in the YAML produces the cryptic
+        //      "illegal base64 data at input byte 0"
+        //    server-side rejection). `kubectl create secret tls --dry-run=client`
+        //    knows how to format a Secret correctly — no manual base64 step on our
+        //    side. The two-step pipeline (generate → apply) preserves idempotency
+        //    via `kubectl apply` and supports `--dry-run=client` so we never touch
+        //    the cluster during the generate step.
+        const generate = spawn('kubectl', [
+            '--context', context,
+            '-n', NAMESPACE,
+            'create', 'secret', 'tls', SECRET_NAME,
+            `--cert=${crtPath}`,
+            `--key=${keyPath}`,
+            '--dry-run=client',
+            '-o', 'yaml',
+        ]);
+        if (generate.status !== 0) {
+            return {
+                action: 'failed',
+                reason: `kubectl create secret tls --dry-run failed: ${generate.stderr.trim() || generate.stdout.trim()}`,
+            };
+        }
+        if (process.env['OLAM_DEBUG_TLS'] === '1') {
+            process.stderr.write(`[olam-tls] generated Secret manifest:\n${generate.stdout}\n`);
+        }
+        // 7. Apply the generated Secret. Idempotent — `kubectl apply` patches when
+        //    the Secret already exists.
+        const apply = spawn('kubectl', [
+            '--context', context,
+            '-n', NAMESPACE,
+            'apply', '-f', '-',
+        ], { input: generate.stdout });
+        if (apply.status !== 0) {
+            return {
+                action: 'failed',
+                reason: `kubectl apply failed: ${apply.stderr.trim() || apply.stdout.trim()}`,
+            };
+        }
+        const httpsPort = resolveTraefikHttpsPort(spawn, context) ?? undefined;
+        return {
+            action: existingPem === null ? 'installed' : 'renewed',
+            httpsPort,
+        };
+    }
+    finally {
+        rmSync(workDir, { recursive: true, force: true });
+    }
+}
+/** CLI rendering — formats the structured result for the operator. */
+async function runTlsInstallCommand() {
+    printHeader('TLS install (k3d / Traefik)');
+    const result = await tlsInstall();
+    if (result.action === 'failed') {
+        printError(result.reason ?? 'tls-install failed');
+        return { exitCode: 1 };
+    }
+    if (result.action === 'skipped') {
+        printInfo(SECRET_NAME, result.reason ?? 'skipped');
+    }
+    else if (result.action === 'installed') {
+        printSuccess(`${SECRET_NAME} created`);
+    }
+    else {
+        printSuccess(`${SECRET_NAME} renewed`);
+    }
+    // Operator-facing post-conditions.
+    if (!isHostsEntryPresent()) {
+        printWarning(`Add olam.local to /etc/hosts before the SPA will resolve:\n` +
+            `  echo '127.0.0.1 olam.local' | sudo tee -a /etc/hosts`);
+    }
+    if (result.httpsPort !== undefined) {
+        printSuccess(`SPA reachable at https://olam.local:${result.httpsPort}`);
+    }
+    else {
+        printWarning('Could not discover Traefik websecure NodePort. Verify with:\n' +
+            '  kubectl -n kube-system get svc traefik');
+    }
+    return { exitCode: 0 };
+}
+/** Auto-invoke seam used by `olam services up` — silent when skipped, loud when failed. */
+export async function ensureTlsInstalled() {
+    return tlsInstall();
+}
+export function registerServicesTls(services) {
+    services
+        .command('tls-install')
+        .description('Provision a locally-trusted TLS cert (mkcert) for the Traefik IngressRoute')
+        .action(async () => {
+        const result = await runTlsInstallCommand();
+        if (result.exitCode !== 0)
+            process.exitCode = result.exitCode;
+    });
+}
+/** Constants exported for tests + cross-module usage. */
+export const TLS_SECRET_NAME = SECRET_NAME;
+export const TLS_NAMESPACE = NAMESPACE;
+export const TLS_RENEWAL_THRESHOLD_DAYS = RENEWAL_THRESHOLD_DAYS;
+export const TLS_SAN_LIST = SAN_LIST;
+/** Used by services.ts to write a "did we already do this" probe. */
+export function tlsSecretExists(spawnArg, context) {
+    const spawn = spawnArg ?? defaultSpawn;
+    const args = [
+        ...(context !== undefined ? ['--context', context] : []),
+        '-n', NAMESPACE,
+        'get', 'secret', SECRET_NAME,
+        '--ignore-not-found',
+        '-o', 'name',
+    ];
+    const r = spawn('kubectl', args);
+    return r.status === 0 && r.stdout.trim().length > 0;
+}
+/**
+ * Best-effort: `execFileSync('kubectl', ...)` to apply the bundled
+ * IngressRoute + Service manifests when `services up` first runs. Idempotent
+ * via `kubectl apply`. We DON'T do this from tls-install (single-responsibility:
+ * tls-install only handles certs); services.ts orchestrates the manifest apply.
+ */
+export function applyIngressManifests(context) {
+    const here = fileURLToPath(import.meta.url);
+    const manifestDir = resolve(here, '..', '..', '..', '..', 'host-cp', 'k8s', 'manifests');
+    const ingressManifest = join(manifestDir, '70-ingressroute.yaml');
+    try {
+        execFileSync('kubectl', [
+            '--context', context,
+            'apply', '-f', ingressManifest,
+        ], { stdio: 'pipe' });
+        return { ok: true };
+    }
+    catch (err) {
+        const msg = err instanceof Error && 'stderr' in err
+            ? String(err.stderr ?? '').trim()
+            : err instanceof Error ? err.message : String(err);
+        return { ok: false, reason: msg };
+    }
+}
+//# sourceMappingURL=services-tls.js.map

package/dist/commands/services-tls.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"services-tls.js","sourceRoot":"","sources":["../../src/commands/services-tls.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC7D,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACpG,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAC1C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,EAAE,YAAY,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC9F,OAAO,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAElE,MAAM,WAAW,GAAG,kBAAkB,CAAC;AACvC,MAAM,SAAS,GAAG,MAAM,CAAC;AACzB,MAAM,QAAQ,GAAG,CAAC,YAAY,EAAE,WAAW,EAAE,KAAK,CAAU,CAAC;AAC7D,MAAM,sBAAsB,GAAG,EAAE,CAAC;AAClC,MAAM,iBAAiB,GAAG,aAAa,CAAC;AACxC,MAAM,eAAe,GAAG,SAAS,CAAC;AAElC,MAAM,kBAAkB,GAAG,oDAAoD,CAAC;AA2ChF,SAAS,YAAY,CACnB,GAAW,EACX,IAAuB,EACvB,IAA+D;IAE/D,MAAM,CAAC,GAAG,SAAS,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,EAAE;QAClC,QAAQ,EAAE,OAAO;QACjB,OAAO,EAAE,IAAI,EAAE,OAAO;QACtB,KAAK,EAAE,IAAI,EAAE,KAAK;KACnB,CAAC,CAAC;IACH,OAAO;QACL,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE;QACtB,MAAM,EAAE,CAAC,CAAC,MAAM,IAAI,EAAE;KACvB,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,mBAAmB,CACjC,UAAkB,EAClB,KAA+C;IAE/C,8BAA8B;IAC9B,MAAM,YAAY,GAAG,KAAK,CAAC,UAAU,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;IACpD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAC1C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAEtC,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IACzC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAErC,6DAA6D;IAC7D,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,KAAK,CAAC,UAAU,EAAE;YAC9B,kBAAkB,EAAE,IAAI,EAAE,QAAQ,EAAE,oCAAoC;SACzE,CAAC,CAAC;QACH,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC;IAC5B,CAAC;IAED,mFAAmF;IACnF,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;GAMG;AACH,SAAS,mBAAmB;IAC1B,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5C,OAAO,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE,kCAAkC,CAAC,CAAC;AAClH,CAAC;AAED,6EAA6E;AAC7E,SAAS,gBAAgB,CACvB,QAAgB,EAChB,SAAmD;IAEnD,MAAM,CAAC,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,UAAU,CAAC,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IACpF,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAChC,yDAAyD;IACzD,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IAC9C,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC;IAClD,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;IACpC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED,+EAA+E;AAC/E,SAAS,YAAY,CAAC,IAAoB;IACxC,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS;QAAE,OAAO,IAAI,CAAC,UAAU,CAAC;IAC1D,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,IAAI,YAAY,CAAC;IAC7C,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IACzC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACnC,CAAC;IACD,4DAA4D;IAC5D,MAAM,QAAQ,GAAG,0BAA0B,CAAC;IAC5C,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC/C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IACzC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,mFAAmF;AACnF,SAAS,oBAAoB,CAC3B,OAAe,EACf,OAAe,EACf,KAA+C;IAE/C,MAAM,CAAC,GAAG,KAAK,CAAC,OAAO,EAAE;QACvB,WAAW,EAAE,OAAO;QACpB,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,QAAQ,EAAE,WAAW;QAC5B,IAAI,EAAE,4BAA4B;KACnC,CAAC,CAAC;IACH,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAChE,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAClE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,MAAM,UAAU,uBAAuB,CACrC,QAAsC,EACtC,OAAgB;IAEhB,MAAM,KAAK,GAAG,QAAQ,IAAI,YAAY,CAAC;IACvC,MAAM,IAAI,GAAG;QACX,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACxD,IAAI,EAAE,iBAAiB;QACvB,KAAK,EAAE,KAAK,EAAE,eAAe;QAC7B,IAAI,EAAE,yDAAyD;KAChE,CAAC;IACF,MAAM,CAAC,GAAG,KAAK,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IACjC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAChC,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IAC/C,OAAO,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAChD,CAAC;AAED,mEAAmE;AACnE,SAAS,mBAAmB;IAC1B,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QACjD,OAAO,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB,EAAE,SAAiB,EAAE,SAAiB;IACpF,OAAO,QAAQ;SACZ,OAAO,CAAC,oBAAoB,EAAE,SAAS,CAAC;SACxC,OAAO,CAAC,oBAAoB,EAAE,SAAS,CAAC,CAAC;AAC9C,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,OAAuB,EAAE;IACxD,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,IAAI,YAAY,CAAC;IAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;IAEnC,8BAA8B;IAC9B,IAAI,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC;IAClC,IAAI,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1B,MAAM,QAAQ,GAAG,qBAAqB,EAAE,CAAC;QACzC,IAAI,QAAQ,CAAC,KAAK,KAAK,SAAS,IAAI,QAAQ,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YACnE,OAAO;gBACL,MAAM,EAAE,QAAQ;gBAChB,MAAM,EACJ,sDAAsD;oBACtD,4FAA4F;oBAC5F,6DAA6D;oBAC7D,+FAA+F;oBAC/F,yEAAyE;aAC5E,CAAC;QACJ,CAAC;QACD,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IAC7B,CAAC;IAED,uEAAuE;IACvE,sEAAsE;IACtE,qEAAqE;IACrE,kEAAkE;IAClE,yEAAyE;IACzE,wEAAwE;IACxE,MAAM,aAAa,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IACrD,IAAI,CAAC,aAAa,CAAC,EAAE,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,KAAK,GAAG,EAAE,CAAC;QAC/D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0CAA0C,aAAa,CAAC,MAAM,IAAI,CAAC,CAAC;IAC3F,CAAC;IAED,oBAAoB;IACpB,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QACpB,OAAO;YACL,MAAM,EAAE,QAAQ;YAChB,MAAM,EACJ,iDAAiD;gBACjD,iDAAiD,kBAAkB,IAAI;gBACvE,0CAA0C;SAC7C,CAAC;IACJ,CAAC;IAED,uDAAuD;IACvD,MAAM,WAAW,GAAG,oBAAoB,CAAC,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IACpE,IAAI,WAAW,KAAK,IAAI,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,gBAAgB,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC;QACtD,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,MAAM,QAAQ,GAAG,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;YAC9E,IAAI,QAAQ,GAAG,sBAAsB,EAAE,CAAC;gBACtC,MAAM,SAAS,GAAG,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,SAAS,CAAC;gBACvE,OAAO;oBACL,MAAM,EAAE,SAAS;oBACjB,MAAM,EAAE,2BAA2B,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,6BAA6B;oBACpF,SAAS;iBACV,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,qFAAqF;IACrF,IAAI,IAAI,CAAC,eAAe,KAAK,IAAI,EAAE,CAAC;QAClC,MAAM,cAAc,GAAG,mBAAmB,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAC1D,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,KAAK,GAAG,EAAE,CAAC;gBAC1C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iEAAiE,CAAC,CAAC;YAC1F,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,aAAa,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,IAAI,CAAC,CAAC,EAAE,CAAC;YAC7E,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,4EAA4E;gBAC5E,OAAO;oBACL,MAAM,EAAE,QAAQ;oBAChB,MAAM,EACJ,gFAAgF;wBAChF,2BAA2B;wBAC3B,0BAA0B;wBAC1B,wCAAwC;iBAC3C,CAAC;YACJ,CAAC;YACD,iFAAiF;YACjF,IAAI,CAAC;gBACH,YAAY,CAAC,MAAM,EAAE,CAAC,UAAU,CAAC,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;YAC3D,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,MAAM,EAAE,QAAQ;oBAChB,MAAM,EAAE,oEAAoE;iBAC7E,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,+DAA+D;IAC/D,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,WAAW,CAAC,CAAC,CAAC;IACzD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QACzC,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;QACzC,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,EAAE;YACzB,YAAY,EAAE,OAAO;YACrB,WAAW,EAAE,OAAO;YACpB,GAAG,QAAQ;SACZ,CAAC,CAAC;QACH,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtB,OAAO;gBACL,MAAM,EAAE,QAAQ;gBAChB,MAAM,EAAE,+BAA+B,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE;aAClF,CAAC;QACJ,CAAC;QAED,4EAA4E;QAC5E,MAAM,KAAK,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7D,OAAO;gBACL,MAAM,EAAE,QAAQ;gBAChB,MAAM,EAAE,qDAAqD,OAAO,EAAE;aACvE,CAAC;QACJ,CAAC;QAED,0EAA0E;QAC1E,4EAA4E;QAC5E,sCAAsC;QACtC,6CAA6C;QAC7C,0EAA0E;QAC1E,2EAA2E;QAC3E,0EAA0E;QAC1E,2EAA2E;QAC3E,2CAA2C;QAC3C,MAAM,QAAQ,GAAG,KAAK,CAAC,SAAS,EAAE;YAChC,WAAW,EAAE,OAAO;YACpB,IAAI,EAAE,SAAS;YACf,QAAQ,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW;YACtC,UAAU,OAAO,EAAE;YACnB,SAAS,OAAO,EAAE;YAClB,kBAAkB;YAClB,IAAI,EAAE,MAAM;SACb,CAAC,CAAC;QACH,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO;gBACL,MAAM,EAAE,QAAQ;gBAChB,MAAM,EAAE,+CAA+C,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE;aAC1G,CAAC;QACJ,CAAC;QACD,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,KAAK,GAAG,EAAE,CAAC;YAC1C,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0CAA0C,QAAQ,CAAC,MAAM,IAAI,CAAC,CAAC;QACtF,CAAC;QAED,2EAA2E;QAC3E,gCAAgC;QAChC,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,EAAE;YAC7B,WAAW,EAAE,OAAO;YACpB,IAAI,EAAE,SAAS;YACf,OAAO,EAAE,IAAI,EAAE,GAAG;SACnB,EAAE,EAAE,KAAK,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO;gBACL,MAAM,EAAE,QAAQ;gBAChB,MAAM,EAAE,yBAAyB,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE;aAC9E,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,uBAAuB,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,SAAS,CAAC;QACvE,OAAO;YACL,MAAM,EAAE,WAAW,KAAK,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YACtD,SAAS;SACV,CAAC;IACJ,CAAC;YAAS,CAAC;QACT,MAAM,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC;AACH,CAAC;AAED,sEAAsE;AACtE,KAAK,UAAU,oBAAoB;IACjC,WAAW,CAAC,6BAA6B,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAElC,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,UAAU,CAAC,MAAM,CAAC,MAAM,IAAI,oBAAoB,CAAC,CAAC;QAClD,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;IACzB,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAChC,SAAS,CAAC,WAAW,EAAE,MAAM,CAAC,MAAM,IAAI,SAAS,CAAC,CAAC;IACrD,CAAC;SAAM,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;QACzC,YAAY,CAAC,GAAG,WAAW,UAAU,CAAC,CAAC;IACzC,CAAC;SAAM,CAAC;QACN,YAAY,CAAC,GAAG,WAAW,UAAU,CAAC,CAAC;IACzC,CAAC;IAED,mCAAmC;IACnC,IAAI,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC3B,YAAY,CACV,6DAA6D;YAC3D,wDAAwD,CAC3D,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACnC,YAAY,CAAC,uCAAuC,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;IAC1E,CAAC;SAAM,CAAC;QACN,YAAY,CACV,+DAA+D;YAC7D,0CAA0C,CAC7C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;AACzB,CAAC;AAED,2FAA2F;AAC3F,MAAM,CAAC,KAAK,UAAU,kBAAkB;IACtC,OAAO,UAAU,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,QAAiB;IACnD,QAAQ;SACL,OAAO,CAAC,aAAa,CAAC;SACtB,WAAW,CAAC,4EAA4E,CAAC;SACzF,MAAM,CAAC,KAAK,IAAI,EAAE;QACjB,MAAM,MAAM,GAAG,MAAM,oBAAoB,EAAE,CAAC;QAC5C,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC;YAAE,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChE,CAAC,CAAC,CAAC;AACP,CAAC;AAED,yDAAyD;AACzD,MAAM,CAAC,MAAM,eAAe,GAAG,WAAW,CAAC;AAC3C,MAAM,CAAC,MAAM,aAAa,GAAG,SAAS,CAAC;AACvC,MAAM,CAAC,MAAM,0BAA0B,GAAG,sBAAsB,CAAC;AACjE,MAAM,CAAC,MAAM,YAAY,GAAG,QAAQ,CAAC;AAErC,qEAAqE;AACrE,MAAM,UAAU,eAAe,CAC7B,QAAsC,EACtC,OAAgB;IAEhB,MAAM,KAAK,GAAG,QAAQ,IAAI,YAAY,CAAC;IACvC,MAAM,IAAI,GAAG;QACX,GAAG,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACxD,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,QAAQ,EAAE,WAAW;QAC5B,oBAAoB;QACpB,IAAI,EAAE,MAAM;KACb,CAAC;IACF,MAAM,CAAC,GAAG,KAAK,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IACjC,OAAO,CAAC,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;AACtD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAe;IACnD,MAAM,IAAI,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,CAAC,CAAC;IACzF,MAAM,eAAe,GAAG,IAAI,CAAC,WAAW,EAAE,sBAAsB,CAAC,CAAC;IAClE,IAAI,CAAC;QACH,YAAY,CAAC,SAAS,EAAE;YACtB,WAAW,EAAE,OAAO;YACpB,OAAO,EAAE,IAAI,EAAE,eAAe;SAC/B,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACtB,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,IAAI,QAAQ,IAAI,GAAG;YACjD,CAAC,CAAC,MAAM,CAAE,GAAmC,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE;YAClE,CAAC,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACrD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;IACpC,CAAC;AACH,CAAC"}

package/dist/commands/services.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"services.d.ts","sourceRoot":"","sources":["../../src/commands/services.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAgBzC,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AA+BrD,KAAK,cAAc,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;AAExD,UAAU,eAAe;IACvB,QAAQ,CAAC,KAAK,EAAE,cAAc,CAAC;IAC/B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,qBAAa,0BAA0B;IACrC,OAAO,CAAC,QAAQ,CAA8B;IAE9C,MAAM,IAAI,eAAe;IAiBzB,OAAO,CAAC,WAAW;IAInB,KAAK,IAAI,IAAI;IAgCb,IAAI,IAAI,IAAI;IAMZ,MAAM,IAAI,IAAI;IAIR,YAAY,CAAC,SAAS,SAA6B,GAAG,OAAO,CAAC,OAAO,CAAC;CAa7E;AA6BD,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IAC9C,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CA2B/B;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CA0B/B;AAED;;;;GAIG;AACH,wBAAsB,wBAAwB,CAC5C,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC,IAAI,CAAC,CA6Cf;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAG/D;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAwB/B;AAID,8CAA8C;AAC9C;;;;;;GAMG;AACH;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,SAAS,CAAC,EAAE,CACnB,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,IAAI,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,OAAO,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,KAC5C;QAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;CAChE;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC;IAClC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,wBAAgB,cAAc,CAAC,IAAI,GAAE,kBAAuB,GAAG,oBAAoB,CA6ClF;AAkBD,wBAAsB,UAAU,IAAI,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CA4JhE;AAED,mCAAmC;AACnC,wBAAgB,YAAY,IAAI;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAwCnD;AAcD,gEAAgE;AAChE,MAAM,WAAW,kBAAkB;IACjC,uDAAuD;IACvD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sGAAsG;IACtG,QAAQ,CAAC,KAAK,EAAE,cAAc,CAAC;IAC/B,kDAAkD;IAClD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CACrC;AAED,2FAA2F;AAC3F,UAAU,uBAAuB;IAC/B,MAAM,IAAI;QAAE,KAAK,EAAE,cAAc,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CACzE;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,uBAAuB,CAAC;IACxC,QAAQ,CAAC,OAAO,CAAC,EAAE,uBAAuB,CAAC;IAC3C,QAAQ,CAAC,SAAS,CAAC,EAAE,uBAAuB,CAAC;IAC7C,QAAQ,CAAC,aAAa,CAAC,EAAE,uBAAuB,CAAC;CAClD;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,GAAE,kBAAuB,GAAG,kBAAkB,EAAE,CAsBzF;AAWD,6CAA6C;AAC7C,wBAAgB,cAAc,CAAC,IAAI,GAAE,kBAAuB,GAAG,IAAI,CAOlE;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,GAAE,kBAAuB,GAAG,IAAI,CAGtE;AAID,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAoEvD"}
+{"version":3,"file":"services.d.ts","sourceRoot":"","sources":["../../src/commands/services.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAgBzC,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AAsCrD,KAAK,cAAc,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;AAExD,UAAU,eAAe;IACvB,QAAQ,CAAC,KAAK,EAAE,cAAc,CAAC;IAC/B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED,qBAAa,0BAA0B;IACrC,OAAO,CAAC,QAAQ,CAA8B;IAE9C,MAAM,IAAI,eAAe;IAiBzB,OAAO,CAAC,WAAW;IAInB,KAAK,IAAI,IAAI;IAgCb,IAAI,IAAI,IAAI;IAMZ,MAAM,IAAI,IAAI;IAIR,YAAY,CAAC,SAAS,SAA6B,GAAG,OAAO,CAAC,OAAO,CAAC;CAa7E;AA6BD,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,WAAW,CAAC;IAC9C,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;GAIG;AACH,wBAAsB,oBAAoB,CACxC,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CA0D/B;AAED;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CA0B/B;AAED;;;;GAIG;AACH,wBAAsB,wBAAwB,CAC5C,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC,IAAI,CAAC,CA6Cf;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAG/D;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,CAC7C,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,sBAA2B,GAChC,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAwB/B;AAID,8CAA8C;AAC9C;;;;;;GAMG;AACH;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,SAAS,CAAC,EAAE,CACnB,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,IAAI,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,OAAO,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,KAC5C;QAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC;CAChE;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,eAAe,EAAE,OAAO,CAAC;IAClC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC;IACjC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC;IACzB,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,wBAAgB,cAAc,CAAC,IAAI,GAAE,kBAAuB,GAAG,oBAAoB,CA6ClF;AAkBD,wBAAsB,UAAU,IAAI,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,CAwKhE;AAED,mCAAmC;AACnC,wBAAgB,YAAY,IAAI;IAAE,QAAQ,EAAE,MAAM,CAAA;CAAE,CAwCnD;AAcD,gEAAgE;AAChE,MAAM,WAAW,kBAAkB;IACjC,uDAAuD;IACvD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,sGAAsG;IACtG,QAAQ,CAAC,KAAK,EAAE,cAAc,CAAC;IAC/B,kDAAkD;IAClD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,QAAQ,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CACrC;AAED,2FAA2F;AAC3F,UAAU,uBAAuB;IAC/B,MAAM,IAAI;QAAE,KAAK,EAAE,cAAc,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CACzE;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,uBAAuB,CAAC;IACxC,QAAQ,CAAC,OAAO,CAAC,EAAE,uBAAuB,CAAC;IAC3C,QAAQ,CAAC,SAAS,CAAC,EAAE,uBAAuB,CAAC;IAC7C,QAAQ,CAAC,aAAa,CAAC,EAAE,uBAAuB,CAAC;CAClD;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,GAAE,kBAAuB,GAAG,kBAAkB,EAAE,CAsBzF;AAWD,6CAA6C;AAC7C,wBAAgB,cAAc,CAAC,IAAI,GAAE,kBAAuB,GAAG,IAAI,CAOlE;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,GAAE,kBAAuB,GAAG,IAAI,CAGtE;AAID,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAsEvD"}

package/dist/commands/services.js

@@ -23,6 +23,7 @@ import { readConfig } from '../lib/config.js';
 import { kubectlWrap } from '../lib/kubectl-wrap.js';
 import { PERIPHERALS } from '../lib/peripheral-registry.js';
 import { resolveKubectlContext } from '../lib/kubectl-context.js';
+import { applyIngressManifests, ensureTlsInstalled, registerServicesTls, resolveTraefikHttpsPort, tlsSecretExists, } from './services-tls.js';
 // ── McpAuthContainerController ────────────────────────────────────
 //
 // Mirrors AuthContainerController (packages/core/src/auth/container.ts).
@@ -164,6 +165,31 @@ export async function servicesUpKubernetes(deps = {}) {
             printSuccess(`${deploymentName}: scaled to 1 replica`);
         }
     }
+    // Apply the Traefik IngressRoute + bootstrap TLS on first run. Idempotent:
+    // `kubectl apply` is a no-op when the IngressRoute is unchanged, and the
+    // tls-install seam skips when the secret already exists with a fresh cert.
+    // Non-fatal — if Traefik isn't installed, the SPA still works via port-forward.
+    const ingressResult = applyIngressManifests(context);
+    if (!ingressResult.ok) {
+        printWarning(`IngressRoute apply failed (SPA still reachable via port-forward): ${ingressResult.reason ?? 'unknown'}`);
+    }
+    else {
+        printSuccess('IngressRoute applied (https://olam.local)');
+    }
+    if (!tlsSecretExists(undefined, context)) {
+        const tlsResult = await ensureTlsInstalled();
+        if (tlsResult.action === 'failed') {
+            printWarning(`TLS cert install skipped (SPA still reachable via port-forward): ${tlsResult.reason ?? 'unknown'}`);
+        }
+        else if (tlsResult.action === 'installed') {
+            printSuccess('TLS cert installed (mkcert)');
+        }
+    }
+    // Surface the HTTPS URL when discoverable.
+    const httpsPort = resolveTraefikHttpsPort(undefined, context);
+    if (httpsPort !== null) {
+        printInfo('SPA (HTTPS, h2)', `https://olam.local:${httpsPort}`);
+    }
     return { exitCode };
 }
 /**
@@ -379,6 +405,10 @@ export async function servicesUp() {
         if (!ready) {
             printError(`olam-auth started but /health did not respond within ${MCP_AUTH_HEALTH_TIMEOUT_MS / 1000}s.`);
             dumpContainerLogs('olam-auth');
+            printError('\nTry:');
+            printError('  - olam doctor                    # check service prereqs');
+            printError('  - docker logs olam-auth          # full logs');
+            printError('  - docker restart olam-auth       # restart');
             return { exitCode: 1 };
         }
         printSuccess('olam-auth started');
@@ -400,6 +430,10 @@ export async function servicesUp() {
         if (!ready) {
             printError(`olam-mcp-auth started but /health did not respond within ${MCP_AUTH_HEALTH_TIMEOUT_MS / 1000}s.`);
             dumpContainerLogs('olam-mcp-auth');
+            printError('\nTry:');
+            printError('  - olam doctor                    # check service prereqs');
+            printError('  - docker logs olam-mcp-auth      # full logs');
+            printError('  - docker restart olam-mcp-auth   # restart');
             return { exitCode: 1 };
         }
         printSuccess('olam-mcp-auth started');
@@ -480,6 +514,10 @@ export async function servicesUp() {
         if (!ready) {
             printError(`olam-memory-service started but /agentmemory/livez did not respond within ${MEMORY_SERVICE_HEALTH_TIMEOUT_MS / 1000}s.`);
             dumpContainerLogs('olam-memory-service');
+            printError('\nTry:');
+            printError('  - olam doctor                       # check service prereqs');
+            printError('  - docker logs olam-memory-service   # full logs');
+            printError('  - docker restart olam-memory-service # restart');
             return { exitCode: 1 };
         }
         printSuccess('olam-memory-service started');
@@ -591,7 +629,7 @@ export function servicesStatusJson(deps = {}) {
 export function registerServices(program) {
     const services = program
         .command('services')
-        .description('Manage Olam service containers. Substrate-aware: compose uses docker; kubernetes uses kubectl.');
+        .description('Manage Olam service containers (up/down/status/logs)');
     services
         .command('up')
         .description('Start all service containers (idempotent)')
@@ -643,6 +681,7 @@ export function registerServices(program) {
             servicesStatus();
         }
     });
+    registerServicesTls(services);
     services
         .command('restart <name>')
         .description('Restart a named service (kubernetes: kubectl rollout restart; compose: docker compose restart)')