@reyemtech/nimbus 1.2.0 → 2.0.1

package/dist/esm/platform/components/vault.js

@@ -0,0 +1,474 @@
+"use strict";
+/**
+ * Vault secrets management deployment with auto-unseal and bootstrap sidecar.
+ *
+ * @module platform/components/vault
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deployVault = deployVault;
+const aws = __importStar(require("@pulumi/aws"));
+const k8s = __importStar(require("@pulumi/kubernetes"));
+const pulumi = __importStar(require("@pulumi/pulumi"));
+/** Number of Vault replicas in HA mode (Raft consensus requires odd count). */
+const VAULT_HA_REPLICAS = 3;
+/**
+ * Bootstrap script for the Vault sidecar container.
+ *
+ * Runs on every pod start. All operations are idempotent:
+ * - Init (if first start) → store keys in K8s Secret
+ * - Unseal (if Shamir) → read keys from K8s Secret
+ * - Enable KV-v2 secrets engine
+ * - Enable + configure Kubernetes auth
+ * - Create ESO policy + role
+ * - Create user-policy for human access
+ * - Sleep infinity
+ */
+const VAULT_BOOTSTRAP_SCRIPT = `#!/bin/sh
+set -e
+export VAULT_ADDR="http://localhost:8200"
+
+# --- Helpers (no jq/curl — vault image is minimal Alpine) ---
+
+# Extract a JSON string field: json_field '{"key":"val"}' key → val
+json_field() {
+  echo "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\\([^"]*\\)".*/\\1/p' | head -1
+}
+
+# Extract a JSON boolean field: json_bool '{"key":true}' key → true
+json_bool() {
+  echo "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*\\(true\\|false\\).*/\\1/p' | head -1
+}
+
+# Extract JSON array of strings as comma-separated: json_array '{"k":["a","b"]}' k → a,b
+json_array() {
+  echo "$1" | sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*\\[\\([^]]*\\)\\].*/\\1/p' | sed 's/"//g; s/ //g' | head -1
+}
+
+# K8s API via wget (available in Alpine)
+SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+API="https://kubernetes.default.svc"
+
+# Token persistence — write to PVC so it survives pod restarts
+TOKEN_FILE="/vault/data/.bootstrap-token"
+RECOVERY_FILE="/vault/data/.bootstrap-recovery-keys"
+
+# --- Wait for Vault ---
+
+echo "Waiting for Vault..."
+until vault status 2>&1 | grep -q "Initialized"; do sleep 2; done
+echo "Vault is reachable"
+
+# --- Init or Unseal ---
+
+STATUS_JSON=$(vault status -format=json 2>/dev/null || true)
+INITIALIZED=$(json_bool "$STATUS_JSON" initialized)
+SEALED=$(json_bool "$STATUS_JSON" sealed)
+SEAL_TYPE=$(json_field "$STATUS_JSON" seal_type)
+
+if [ "$INITIALIZED" = "false" ]; then
+  # Detect seal type from text output (more reliable when uninitialized)
+  SEAL_TYPE_TEXT=$(vault status 2>&1 | grep "Seal Type" | awk '{print $NF}')
+  echo "Initializing Vault (seal_type=$SEAL_TYPE_TEXT)..."
+  if [ "$SEAL_TYPE_TEXT" = "shamir" ]; then
+    INIT_OUTPUT=$(vault operator init -key-shares=5 -key-threshold=3 -format=json)
+  else
+    # Auto-unseal (awskms, azurekeyvault, gcpckms): use recovery keys
+    INIT_OUTPUT=$(vault operator init -recovery-shares=5 -recovery-threshold=3 -format=json)
+  fi
+  ROOT_TOKEN=$(json_field "$INIT_OUTPUT" root_token)
+
+  # Auto-unseal uses recovery_keys_b64; Shamir uses unseal_keys_b64
+  RECOVERY_KEYS=$(json_array "$INIT_OUTPUT" recovery_keys_b64)
+  if [ -z "$RECOVERY_KEYS" ]; then
+    RECOVERY_KEYS=$(json_array "$INIT_OUTPUT" unseal_keys_b64)
+  fi
+
+  # Store on PVC (survives pod restarts)
+  echo "$ROOT_TOKEN" > "$TOKEN_FILE"
+  echo "$RECOVERY_KEYS" > "$RECOVERY_FILE"
+  chmod 600 "$TOKEN_FILE" "$RECOVERY_FILE"
+  echo "Init keys stored on PVC"
+
+  # Shamir: manually unseal (auto-unseal handles itself)
+  if [ "$SEAL_TYPE" = "shamir" ]; then
+    echo "Unsealing (Shamir)..."
+    for i in 1 2 3; do
+      KEY=$(echo "$RECOVERY_KEYS" | cut -d',' -f$i)
+      vault operator unseal "$KEY"
+    done
+  fi
+
+  export VAULT_TOKEN="$ROOT_TOKEN"
+else
+  echo "Vault already initialized (seal_type=$SEAL_TYPE, sealed=$SEALED)"
+
+  # Read root token from PVC
+  if [ -f "$TOKEN_FILE" ]; then
+    ROOT_TOKEN=$(cat "$TOKEN_FILE")
+    echo "Root token loaded from PVC"
+  else
+    echo "WARNING: No token file found at $TOKEN_FILE"
+  fi
+
+  # Shamir: unseal if sealed
+  if [ "$SEALED" = "true" ] && [ "$SEAL_TYPE" = "shamir" ] && [ -f "$RECOVERY_FILE" ]; then
+    echo "Unsealing (Shamir)..."
+    RECOVERY_KEYS=$(cat "$RECOVERY_FILE")
+    for i in 1 2 3; do
+      KEY=$(echo "$RECOVERY_KEYS" | cut -d',' -f$i)
+      vault operator unseal "$KEY"
+    done
+  fi
+
+  export VAULT_TOKEN="$ROOT_TOKEN"
+fi
+
+# Wait for unseal (auto-unseal may take a moment)
+echo "Waiting for unseal..."
+TRIES=0
+while [ $TRIES -lt 60 ]; do
+  STATUS=$(vault status -format=json 2>/dev/null || true)
+  IS_SEALED=$(json_bool "$STATUS" sealed)
+  if [ "$IS_SEALED" = "false" ]; then
+    break
+  fi
+  TRIES=$((TRIES + 1))
+  sleep 2
+done
+echo "Vault is unsealed"
+
+if [ -z "$VAULT_TOKEN" ]; then
+  echo "ERROR: No root token available. Cannot configure Vault."
+  echo "Create vault-init-keys secret manually with root-token field."
+  exec sleep infinity
+fi
+
+vault login "$VAULT_TOKEN" > /dev/null 2>&1
+
+# --- Configure secrets engines + auth ---
+
+# Enable KV-v2 (idempotent)
+vault secrets list | grep -q "secret/" || vault secrets enable -path=secret kv-v2
+echo "KV-v2 engine ready"
+
+# Enable K8s auth (idempotent)
+vault auth list | grep -q "kubernetes/" || vault auth enable kubernetes
+
+# Configure K8s auth
+vault write auth/kubernetes/config \\
+  token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \\
+  kubernetes_host="https://kubernetes.default.svc" \\
+  kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+echo "K8s auth configured"
+
+# ESO policy + role
+vault policy write eso - <<'EOPOLICY'
+path "secret/data/*" { capabilities = ["read"] }
+EOPOLICY
+
+vault write auth/kubernetes/role/eso \\
+  bound_service_account_names=external-secrets \\
+  bound_service_account_namespaces="*" \\
+  policies=eso \\
+  ttl=24h
+echo "ESO policy and role ready"
+
+# User policy (CRUD for humans)
+vault policy write user-policy - <<'EOPOLICY'
+path "secret/data/*" { capabilities = ["create", "read", "update", "delete", "list"] }
+EOPOLICY
+
+echo "Bootstrap complete — sleeping"
+exec sleep infinity
+`;
+/**
+ * Build the HCL config string for Vault server.
+ *
+ * When auto-unseal is configured, includes the seal stanza.
+ * Must include listener + storage because setting standalone.config
+ * overrides the chart's auto-generated config.
+ */
+function buildVaultHclConfig(ha, sealStanza) {
+    const lines = [
+        "ui = true",
+        "",
+        'listener "tcp" {',
+        "  tls_disable = 1",
+        '  address     = "[::]:8200"',
+        '  cluster_address = "[::]:8201"',
+        "}",
+        "",
+    ];
+    if (ha) {
+        lines.push('storage "raft" {', '  path = "/vault/data"', "}");
+    }
+    else {
+        lines.push('storage "file" {', '  path = "/vault/data"', "}");
+    }
+    if (sealStanza) {
+        lines.push("", sealStanza);
+    }
+    return lines.join("\n");
+}
+/**
+ * Build the seal stanza HCL for the given auto-unseal config.
+ */
+function buildSealStanza(config, kmsKeyId) {
+    if (!config)
+        return undefined;
+    switch (config.provider) {
+        case "awskms":
+            if (!kmsKeyId)
+                throw new Error("KMS key ID required for awskms seal");
+            return kmsKeyId.apply((id) => `seal "awskms" {\n  region     = "${config.region}"\n  kms_key_id = "${id}"\n}`);
+        case "azurekeyvault":
+            throw new Error("Azure Key Vault auto-unseal is not yet implemented. Type is defined for future use.");
+        case "gcpckms":
+            throw new Error("GCP Cloud KMS auto-unseal is not yet implemented. Type is defined for future use.");
+    }
+}
+/**
+ * Provision AWS KMS resources for Vault auto-unseal.
+ *
+ * Creates:
+ * - KMS key (or uses existing)
+ * - IAM user at /nimbus/ path
+ * - IAM policy with kms:Encrypt, kms:Decrypt, kms:DescribeKey
+ * - IAM access key
+ * - K8s Secret with credentials
+ *
+ * Returns the KMS key ID for the Vault seal stanza.
+ */
+function provisionAwsKmsUnseal(name, config, k8sProvider) {
+    const awsOpts = { provider: config.awsProvider };
+    // KMS key
+    let kmsKeyId;
+    if (config.kmsKeyId) {
+        kmsKeyId = pulumi.output(config.kmsKeyId);
+    }
+    else {
+        const key = new aws.kms.Key(`${name}-vault-unseal-key`, {
+            description: "Vault auto-unseal key (managed by nimbus)",
+            deletionWindowInDays: 7,
+            tags: { "managed-by": "nimbus" },
+        }, awsOpts);
+        kmsKeyId = key.keyId;
+    }
+    // IAM user
+    const user = new aws.iam.User(`${name}-vault-unseal-user`, {
+        name: `${name}-vault-unseal`,
+        path: "/nimbus/",
+        tags: { "managed-by": "nimbus" },
+    }, awsOpts);
+    // IAM policy
+    new aws.iam.UserPolicy(`${name}-vault-unseal-policy`, {
+        user: user.name,
+        policy: kmsKeyId.apply((id) => JSON.stringify({
+            Version: "2012-10-17",
+            Statement: [
+                {
+                    Effect: "Allow",
+                    Action: ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
+                    Resource: [`arn:aws:kms:${config.region}:*:key/${id}`],
+                },
+            ],
+        })),
+    }, awsOpts);
+    // Access key
+    const accessKey = new aws.iam.AccessKey(`${name}-vault-unseal-access-key`, { user: user.name }, awsOpts);
+    // K8s Secret with credentials
+    new k8s.core.v1.Secret(`${name}-vault-unseal-creds`, {
+        metadata: { name: "vault-unseal-credentials", namespace: "vault" },
+        stringData: {
+            AWS_ACCESS_KEY_ID: accessKey.id,
+            AWS_SECRET_ACCESS_KEY: accessKey.secret,
+        },
+    }, { provider: k8sProvider });
+    return { kmsKeyId };
+}
+/**
+ * Deploy Vault with optional auto-unseal and bootstrap sidecar.
+ */
+function deployVault(name, config, domain, provider, defaultVersion) {
+    const ha = config.ha ?? false;
+    const storageSize = config.storageSize ?? "5Gi";
+    const ingressHost = config.ingressHost ?? `vault.${domain}`;
+    const certName = domain.replace(/\./g, "-");
+    const bootstrap = config.bootstrap ?? true;
+    // Auto-unseal: provision cloud resources + build seal stanza
+    let sealStanza;
+    const extraSecretEnvVars = [];
+    if (config.autoUnseal) {
+        switch (config.autoUnseal.provider) {
+            case "awskms": {
+                const { kmsKeyId } = provisionAwsKmsUnseal(name, config.autoUnseal, provider);
+                sealStanza = buildSealStanza(config.autoUnseal, kmsKeyId);
+                extraSecretEnvVars.push({
+                    envName: "AWS_ACCESS_KEY_ID",
+                    secretName: "vault-unseal-credentials",
+                    secretKey: "AWS_ACCESS_KEY_ID",
+                }, {
+                    envName: "AWS_SECRET_ACCESS_KEY",
+                    secretName: "vault-unseal-credentials",
+                    secretKey: "AWS_SECRET_ACCESS_KEY",
+                });
+                break;
+            }
+            case "azurekeyvault":
+                throw new Error("Azure Key Vault auto-unseal is not yet implemented.");
+            case "gcpckms":
+                throw new Error("GCP Cloud KMS auto-unseal is not yet implemented.");
+        }
+    }
+    // Bootstrap sidecar: ConfigMap + RBAC
+    const vaultDependencies = [];
+    if (bootstrap) {
+        const bootstrapConfigMap = new k8s.core.v1.ConfigMap(`${name}-vault-bootstrap-script`, {
+            metadata: { name: "vault-bootstrap", namespace: "vault" },
+            data: { "bootstrap.sh": VAULT_BOOTSTRAP_SCRIPT },
+        }, { provider });
+        vaultDependencies.push(bootstrapConfigMap);
+        // Token review delegation (for K8s auth config)
+        new k8s.rbac.v1.ClusterRoleBinding(`${name}-vault-auth-delegator`, {
+            metadata: { name: "vault-auth-delegator" },
+            roleRef: {
+                apiGroup: "rbac.authorization.k8s.io",
+                kind: "ClusterRole",
+                name: "system:auth-delegator",
+            },
+            subjects: [{ kind: "ServiceAccount", name: "vault", namespace: "vault" }],
+        }, { provider });
+        // Secret CRUD in vault namespace (for storing init keys)
+        const secretRole = new k8s.rbac.v1.Role(`${name}-vault-secret-manager`, {
+            metadata: { name: "vault-secret-manager", namespace: "vault" },
+            rules: [
+                {
+                    apiGroups: [""],
+                    resources: ["secrets"],
+                    verbs: ["get", "create", "update"],
+                },
+            ],
+        }, { provider });
+        new k8s.rbac.v1.RoleBinding(`${name}-vault-secret-manager-binding`, {
+            metadata: {
+                name: "vault-secret-manager",
+                namespace: "vault",
+            },
+            roleRef: {
+                apiGroup: "rbac.authorization.k8s.io",
+                kind: "Role",
+                name: "vault-secret-manager",
+            },
+            subjects: [{ kind: "ServiceAccount", name: "vault", namespace: "vault" }],
+        }, { provider, dependsOn: [secretRole] });
+    }
+    // Build server values
+    const serverValues = {
+        standalone: { enabled: !ha },
+        ha: ha
+            ? {
+                enabled: true,
+                replicas: VAULT_HA_REPLICAS,
+                raft: { enabled: true },
+            }
+            : { enabled: false },
+        dataStorage: { size: storageSize },
+        ingress: {
+            enabled: true,
+            ingressClassName: "traefik",
+            hosts: [{ host: ingressHost }],
+            annotations: {
+                "traefik.ingress.kubernetes.io/router.entrypoints": "websecure",
+            },
+            tls: [{ hosts: [ingressHost], secretName: `${certName}-wildcard-tls` }],
+        },
+    };
+    // Auto-unseal: inject config + credentials
+    if (sealStanza) {
+        const configKey = ha ? "ha" : "standalone";
+        const configObj = serverValues[configKey];
+        if (typeof sealStanza === "string") {
+            configObj["config"] = buildVaultHclConfig(ha, sealStanza);
+        }
+        else {
+            // pulumi.Output<string>
+            configObj["config"] = sealStanza.apply((seal) => buildVaultHclConfig(ha, seal));
+        }
+    }
+    if (extraSecretEnvVars.length > 0) {
+        serverValues["extraSecretEnvironmentVars"] = extraSecretEnvVars;
+    }
+    // Bootstrap sidecar
+    if (bootstrap) {
+        serverValues["extraContainers"] = [
+            {
+                name: "bootstrap",
+                image: "hashicorp/vault:latest",
+                command: ["sh", "/scripts/bootstrap.sh"],
+                env: [{ name: "VAULT_ADDR", value: "http://localhost:8200" }],
+                volumeMounts: [
+                    { name: "bootstrap-script", mountPath: "/scripts" },
+                    { name: "data", mountPath: "/vault/data" },
+                ],
+                resources: {
+                    requests: { cpu: "1m", memory: "64Mi" },
+                    limits: { cpu: "50m", memory: "128Mi" },
+                },
+            },
+        ];
+        serverValues["volumes"] = [
+            {
+                name: "bootstrap-script",
+                configMap: { name: "vault-bootstrap", defaultMode: 493 },
+            },
+        ];
+    }
+    return new k8s.helm.v3.Release(`${name}-vault`, {
+        chart: "vault",
+        repositoryOpts: { repo: "https://helm.releases.hashicorp.com" },
+        version: config.version ?? defaultVersion,
+        namespace: "vault",
+        createNamespace: true,
+        values: {
+            server: serverValues,
+            injector: { enabled: true },
+            ...config.values,
+        },
+    }, { provider, dependsOn: vaultDependencies });
+}
+//# sourceMappingURL=vault.js.map

package/dist/esm/platform/components/vault.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vault.js","sourceRoot":"","sources":["../../../../src/platform/components/vault.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiVH,kCA0LC;AAzgBD,iDAAmC;AACnC,wDAA0C;AAC1C,uDAAyC;AAGzC,+EAA+E;AAC/E,MAAM,iBAAiB,GAAG,CAAC,CAAC;AAE5B;;;;;;;;;;;GAWG;AACH,MAAM,sBAAsB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+J9B,CAAC;AAEF;;;;;;GAMG;AACH,SAAS,mBAAmB,CAAC,EAAW,EAAE,UAAmB;IAC3D,MAAM,KAAK,GAAG;QACZ,WAAW;QACX,EAAE;QACF,kBAAkB;QAClB,mBAAmB;QACnB,6BAA6B;QAC7B,iCAAiC;QACjC,GAAG;QACH,EAAE;KACH,CAAC;IAEF,IAAI,EAAE,EAAE,CAAC;QACP,KAAK,CAAC,IAAI,CAAC,kBAAkB,EAAE,wBAAwB,EAAE,GAAG,CAAC,CAAC;IAChE,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,IAAI,CAAC,kBAAkB,EAAE,wBAAwB,EAAE,GAAG,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;IAC7B,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CACtB,MAAkC,EAClC,QAAgC;IAEhC,IAAI,CAAC,MAAM;QAAE,OAAO,SAAS,CAAC;IAE9B,QAAQ,MAAM,CAAC,QAAQ,EAAE,CAAC;QACxB,KAAK,QAAQ;YACX,IAAI,CAAC,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;YACtE,OAAO,QAAQ,CAAC,KAAK,CACnB,CAAC,EAAE,EAAE,EAAE,CAAC,oCAAoC,MAAM,CAAC,MAAM,sBAAsB,EAAE,MAAM,CACxF,CAAC;QAEJ,KAAK,eAAe;YAClB,MAAM,IAAI,KAAK,CACb,qFAAqF,CACtF,CAAC;QAEJ,KAAK,SAAS;YACZ,MAAM,IAAI,KAAK,CACb,mFAAmF,CACpF,CAAC;IACN,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,qBAAqB,CAC5B,IAAY,EACZ,MAAmE,EACnE,WAAyB;IAEzB,MAAM,OAAO,GAAG,EAAE,QAAQ,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC;IAEjD,UAAU;IACV,IAAI,QAA+B,CAAC;IACpC,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC5C,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,CACzB,GAAG,IAAI,mBAAmB,EAC1B;YACE,WAAW,EAAE,2CAA2C;YACxD,oBAAoB,EAAE,CAAC;YACvB,IAAI,EAAE,EAAE,YAAY,EAAE,QAAQ,EAAE;SACjC,EACD,OAAO,CACR,CAAC;QACF,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC;IACvB,CAAC;IAED,WAAW;IACX,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,IAAI,CAC3B,GAAG,IAAI,oBAAoB,EAC3B;QACE,IAAI,EAAE,GAAG,IAAI,eAAe;QAC5B,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE,EAAE,YAAY,EAAE,QAAQ,EAAE;KACjC,EACD,OAAO,CACR,CAAC;IAEF,aAAa;IACb,IAAI,GAAG,CAAC,GAAG,CAAC,UAAU,CACpB,GAAG,IAAI,sBAAsB,EAC7B;QACE,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,MAAM,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,EAAE,CAC5B,IAAI,CAAC,SAAS,CAAC;YACb,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,CAAC,aAAa,EAAE,aAAa,EAAE,iBAAiB,CAAC;oBACzD,QAAQ,EAAE,CAAC,eAAe,MAAM,CAAC,MAAM,UAAU,EAAE,EAAE,CAAC;iBACvD;aACF;SACF,CAAC,CACH;KACF,EACD,OAAO,CACR,CAAC;IAEF,aAAa;IACb,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,SAAS,CACrC,GAAG,IAAI,0BAA0B,EACjC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,EACnB,OAAO,CACR,CAAC;IAEF,8BAA8B;IAC9B,IAAI,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CACpB,GAAG,IAAI,qBAAqB,EAC5B;QACE,QAAQ,EAAE,EAAE,IAAI,EAAE,0BAA0B,EAAE,SAAS,EAAE,OAAO,EAAE;QAClE,UAAU,EAAE;YACV,iBAAiB,EAAE,SAAS,CAAC,EAAE;YAC/B,qBAAqB,EAAE,SAAS,CAAC,MAAM;SACxC;KACF,EACD,EAAE,QAAQ,EAAE,WAAW,EAAE,CAC1B,CAAC;IAEF,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,SAAgB,WAAW,CACzB,IAAY,EACZ,MAAoB,EACpB,MAAc,EACd,QAAsB,EACtB,cAAkC;IAElC,MAAM,EAAE,GAAG,MAAM,CAAC,EAAE,IAAI,KAAK,CAAC;IAC9B,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,KAAK,CAAC;IAChD,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,SAAS,MAAM,EAAE,CAAC;IAC5D,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC5C,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC;IAE3C,6DAA6D;IAC7D,IAAI,UAAsD,CAAC;IAC3D,MAAM,kBAAkB,GAA8B,EAAE,CAAC;IAEzD,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;QACtB,QAAQ,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC;YACnC,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,EAAE,QAAQ,EAAE,GAAG,qBAAqB,CAAC,IAAI,EAAE,MAAM,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;gBAC9E,UAAU,GAAG,eAAe,CAAC,MAAM,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;gBAC1D,kBAAkB,CAAC,IAAI,CACrB;oBACE,OAAO,EAAE,mBAAmB;oBAC5B,UAAU,EAAE,0BAA0B;oBACtC,SAAS,EAAE,mBAAmB;iBAC/B,EACD;oBACE,OAAO,EAAE,uBAAuB;oBAChC,UAAU,EAAE,0BAA0B;oBACtC,SAAS,EAAE,uBAAuB;iBACnC,CACF,CAAC;gBACF,MAAM;YACR,CAAC;YACD,KAAK,eAAe;gBAClB,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;YACzE,KAAK,SAAS;gBACZ,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,MAAM,iBAAiB,GAAsB,EAAE,CAAC;IAEhD,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,SAAS,CAClD,GAAG,IAAI,yBAAyB,EAChC;YACE,QAAQ,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,SAAS,EAAE,OAAO,EAAE;YACzD,IAAI,EAAE,EAAE,cAAc,EAAE,sBAAsB,EAAE;SACjD,EACD,EAAE,QAAQ,EAAE,CACb,CAAC;QACF,iBAAiB,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAE3C,gDAAgD;QAChD,IAAI,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,kBAAkB,CAChC,GAAG,IAAI,uBAAuB,EAC9B;YACE,QAAQ,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE;YAC1C,OAAO,EAAE;gBACP,QAAQ,EAAE,2BAA2B;gBACrC,IAAI,EAAE,aAAa;gBACnB,IAAI,EAAE,uBAAuB;aAC9B;YACD,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;SAC1E,EACD,EAAE,QAAQ,EAAE,CACb,CAAC;QAEF,yDAAyD;QACzD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CACrC,GAAG,IAAI,uBAAuB,EAC9B;YACE,QAAQ,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,SAAS,EAAE,OAAO,EAAE;YAC9D,KAAK,EAAE;gBACL;oBACE,SAAS,EAAE,CAAC,EAAE,CAAC;oBACf,SAAS,EAAE,CAAC,SAAS,CAAC;oBACtB,KAAK,EAAE,CAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,CAAC;iBACnC;aACF;SACF,EACD,EAAE,QAAQ,EAAE,CACb,CAAC;QAEF,IAAI,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,WAAW,CACzB,GAAG,IAAI,+BAA+B,EACtC;YACE,QAAQ,EAAE;gBACR,IAAI,EAAE,sBAAsB;gBAC5B,SAAS,EAAE,OAAO;aACnB;YACD,OAAO,EAAE;gBACP,QAAQ,EAAE,2BAA2B;gBACrC,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE,sBAAsB;aAC7B;YACD,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;SAC1E,EACD,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,UAAU,CAAC,EAAE,CACtC,CAAC;IACJ,CAAC;IAED,sBAAsB;IACtB,MAAM,YAAY,GAA4B;QAC5C,UAAU,EAAE,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE;QAC5B,EAAE,EAAE,EAAE;YACJ,CAAC,CAAC;gBACE,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,iBAAiB;gBAC3B,IAAI,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;aACxB;YACH,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE;QACtB,WAAW,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE;QAClC,OAAO,EAAE;YACP,OAAO,EAAE,IAAI;YACb,gBAAgB,EAAE,SAAS;YAC3B,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC;YAC9B,WAAW,EAAE;gBACX,kDAAkD,EAAE,WAAW;aAChE;YACD,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,WAAW,CAAC,EAAE,UAAU,EAAE,GAAG,QAAQ,eAAe,EAAE,CAAC;SACxE;KACF,CAAC;IAEF,2CAA2C;IAC3C,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,SAAS,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC;QAC3C,MAAM,SAAS,GAAG,YAAY,CAAC,SAAS,CAA4B,CAAC;QACrE,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YACnC,SAAS,CAAC,QAAQ,CAAC,GAAG,mBAAmB,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;QAC5D,CAAC;aAAM,CAAC;YACN,wBAAwB;YACxB,SAAS,CAAC,QAAQ,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,mBAAmB,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC,CAAC;QAClF,CAAC;IACH,CAAC;IAED,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,YAAY,CAAC,4BAA4B,CAAC,GAAG,kBAAkB,CAAC;IAClE,CAAC;IAED,oBAAoB;IACpB,IAAI,SAAS,EAAE,CAAC;QACd,YAAY,CAAC,iBAAiB,CAAC,GAAG;YAChC;gBACE,IAAI,EAAE,WAAW;gBACjB,KAAK,EAAE,wBAAwB;gBAC/B,OAAO,EAAE,CAAC,IAAI,EAAE,uBAAuB,CAAC;gBACxC,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;gBAC7D,YAAY,EAAE;oBACZ,EAAE,IAAI,EAAE,kBAAkB,EAAE,SAAS,EAAE,UAAU,EAAE;oBACnD,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,EAAE;iBAC3C;gBACD,SAAS,EAAE;oBACT,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE;oBACvC,MAAM,EAAE,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE;iBACxC;aACF;SACF,CAAC;QACF,YAAY,CAAC,SAAS,CAAC,GAAG;YACxB;gBACE,IAAI,EAAE,kBAAkB;gBACxB,SAAS,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,WAAW,EAAE,GAAG,EAAE;aACzD;SACF,CAAC;IACJ,CAAC;IAED,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAC5B,GAAG,IAAI,QAAQ,EACf;QACE,KAAK,EAAE,OAAO;QACd,cAAc,EAAE,EAAE,IAAI,EAAE,qCAAqC,EAAE;QAC/D,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,cAAc;QACzC,SAAS,EAAE,OAAO;QAClB,eAAe,EAAE,IAAI;QACrB,MAAM,EAAE;YACN,MAAM,EAAE,YAAY;YACpB,QAAQ,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE;YAC3B,GAAG,MAAM,CAAC,MAAM;SACjB;KACF,EACD,EAAE,QAAQ,EAAE,SAAS,EAAE,iBAAiB,EAAE,CAC3C,CAAC;AACJ,CAAC"}

package/dist/esm/platform/index.d.ts

@@ -3,6 +3,7 @@
  *
  * @module platform
  */
-export type { DnsProvider, IPlatformComponentConfig, IExternalDnsConfig, IVaultConfig, IPlatformStackConfig, IPlatformStack, } from "./interfaces";
+export type { DnsProvider, IPlatformComponentConfig, IExternalDnsConfig, IVaultConfig, IAutoUnsealConfig, IAwsKmsUnsealConfig, IAzureKeyVaultUnsealConfig, IGcpCkmsUnsealConfig, IPlatformStackConfig, IPlatformStack, } from "./interfaces";
+export { DNS_PROVIDERS } from "./interfaces";
 export { createPlatformStack } from "./stack";
 //# sourceMappingURL=index.d.ts.map

package/dist/esm/platform/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/platform/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EACV,WAAW,EACX,wBAAwB,EACxB,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,cAAc,GACf,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/platform/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EACV,WAAW,EACX,wBAAwB,EACxB,kBAAkB,EAClB,YAAY,EACZ,iBAAiB,EACjB,mBAAmB,EACnB,0BAA0B,EAC1B,oBAAoB,EACpB,oBAAoB,EACpB,cAAc,GACf,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE7C,OAAO,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC"}

package/dist/esm/platform/index.js

@@ -5,7 +5,9 @@
  * @module platform
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.createPlatformStack = void 0;
+exports.createPlatformStack = exports.DNS_PROVIDERS = void 0;
+var interfaces_1 = require("./interfaces");
+Object.defineProperty(exports, "DNS_PROVIDERS", { enumerable: true, get: function () { return interfaces_1.DNS_PROVIDERS; } });
 var stack_1 = require("./stack");
 Object.defineProperty(exports, "createPlatformStack", { enumerable: true, get: function () { return stack_1.createPlatformStack; } });
 //# sourceMappingURL=index.js.map

package/dist/esm/platform/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/platform/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAWH,iCAA8C;AAArC,4GAAA,mBAAmB,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/platform/index.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAcH,2CAA6C;AAApC,2GAAA,aAAa,OAAA;AAEtB,iCAA8C;AAArC,4GAAA,mBAAmB,OAAA"}

package/dist/esm/platform/interfaces.d.ts

@@ -10,12 +10,22 @@
 import type * as pulumi from "@pulumi/pulumi";
 import type * as k8s from "@pulumi/kubernetes";
 import type { ICluster } from "../cluster";
+import type { IExposedService } from "../types";
 /** DNS provider for External DNS integration. */
 export type DnsProvider = "route53" | "azure-dns" | "cloud-dns" | "cloudflare";
+/** Typed constant map for DnsProvider string literals. */
+export declare const DNS_PROVIDERS: {
+    ROUTE53: "route53";
+    AZURE_DNS: "azure-dns";
+    CLOUD_DNS: "cloud-dns";
+    CLOUDFLARE: "cloudflare";
+};
 /** Individual platform component configuration. */
 export interface IPlatformComponentConfig {
     /** Enable or disable this component. Default: true for core components. */
     readonly enabled?: boolean;
+    /** Expose via access gateway (Tailscale). Default: true. */
+    readonly expose?: boolean;
     /** Helm chart version override. */
     readonly version?: string;
     /** Additional Helm values to merge with defaults. */
@@ -24,11 +34,45 @@ export interface IPlatformComponentConfig {
 /** External DNS component configuration with provider-specific auth. */
 export interface IExternalDnsConfig extends IPlatformComponentConfig {
     readonly dnsProvider: DnsProvider;
-    /** Provider-specific credentials (e.g., AWS IAM keys, Azure identity). */
+    /** AWS region for Route53. Required when dnsProvider is "route53". */
+    readonly awsRegion?: string;
+    /** Explicit AWS provider for Route53 IAM resources. If not provided, uses default. */
+    readonly awsProvider?: pulumi.ProviderResource;
+    /**
+     * Manual credentials override. If provided, nimbus uses these instead of
+     * creating IAM resources. Useful for non-AWS providers or pre-existing credentials.
+     */
     readonly dnsCredentials?: Record<string, pulumi.Input<string>>;
     /** DNS zone filter (e.g., ["reyem.tech"]). */
     readonly domainFilters?: ReadonlyArray<string>;
 }
+/** AWS KMS auto-unseal configuration. */
+export interface IAwsKmsUnsealConfig {
+    readonly provider: "awskms";
+    /** AWS region for the KMS key. */
+    readonly region: string;
+    /** Explicit AWS provider for KMS + IAM resources. */
+    readonly awsProvider: pulumi.ProviderResource;
+    /** Use an existing KMS key instead of creating one. */
+    readonly kmsKeyId?: pulumi.Input<string>;
+}
+/** Azure Key Vault auto-unseal configuration (not yet implemented). */
+export interface IAzureKeyVaultUnsealConfig {
+    readonly provider: "azurekeyvault";
+    readonly tenantId: pulumi.Input<string>;
+    readonly vaultName: pulumi.Input<string>;
+    readonly keyName: pulumi.Input<string>;
+}
+/** GCP Cloud KMS auto-unseal configuration (not yet implemented). */
+export interface IGcpCkmsUnsealConfig {
+    readonly provider: "gcpckms";
+    readonly project: pulumi.Input<string>;
+    readonly region: string;
+    readonly keyRing: pulumi.Input<string>;
+    readonly cryptoKey: pulumi.Input<string>;
+}
+/** Auto-unseal configuration — discriminated union on provider. */
+export type IAutoUnsealConfig = IAwsKmsUnsealConfig | IAzureKeyVaultUnsealConfig | IGcpCkmsUnsealConfig;
 /** Vault component configuration. */
 export interface IVaultConfig extends IPlatformComponentConfig {
     /** Enable HA mode. Default: false (single node). */
@@ -37,6 +81,26 @@ export interface IVaultConfig extends IPlatformComponentConfig {
     readonly storageSize?: string;
     /** Domain for Vault ingress (e.g., "vault.reyem.tech"). */
     readonly ingressHost?: string;
+    /** Expose via access gateway (Tailscale). Default: true. */
+    readonly expose?: boolean;
+    /** Auto-unseal via cloud KMS. Creates KMS key + IAM + credentials. */
+    readonly autoUnseal?: IAutoUnsealConfig;
+    /** Deploy bootstrap sidecar (init, KV-v2, K8s auth, ESO policy/role). Default: true. */
+    readonly bootstrap?: boolean;
+}
+/** Image pull secret configuration for private registries. */
+export interface IImagePullSecret {
+    readonly registry: string;
+    readonly username: pulumi.Input<string>;
+    readonly password: pulumi.Input<string>;
+    readonly email?: pulumi.Input<string>;
+    /** Namespaces to replicate the pull secret into. */
+    readonly namespaces?: ReadonlyArray<string>;
+}
+/** Descheduler configuration for spot/preemptible environments. */
+export interface IDeschedulerConfig extends IPlatformComponentConfig {
+    /** Strategies to enable. Default: RemoveDuplicates, LowNodeUtilization, RemovePodsViolatingNodeAffinity */
+    readonly strategies?: ReadonlyArray<string>;
 }
 /**
  * Platform stack configuration input.
@@ -70,6 +134,12 @@ export interface IPlatformStackConfig {
         readonly clientId: pulumi.Input<string>;
         readonly clientSecret: pulumi.Input<string>;
     };
+    /** Block robots/crawlers on staging environments. Default: false. */
+    readonly robotsBlock?: boolean;
+    /** Private registry image pull secrets, replicated to specified namespaces. */
+    readonly imagePullSecrets?: ReadonlyArray<IImagePullSecret>;
+    /** Descheduler for pod rebalancing on spot instances. */
+    readonly descheduler?: IDeschedulerConfig;
     readonly tags?: Readonly<Record<string, string>>;
 }
 /**
@@ -82,5 +152,7 @@ export interface IPlatformStack {
     readonly cluster: ICluster;
     readonly components: Readonly<Record<string, k8s.helm.v3.Release>>;
     readonly traefikEndpoint: pulumi.Output<string>;
+    /** Services available for access gateway exposure. */
+    readonly exposedServices: ReadonlyArray<IExposedService>;
 }
 //# sourceMappingURL=interfaces.d.ts.map

package/dist/esm/platform/interfaces.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"interfaces.d.ts","sourceRoot":"","sources":["../../../src/platform/interfaces.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,KAAK,MAAM,MAAM,gBAAgB,CAAC;AAC9C,OAAO,KAAK,KAAK,GAAG,MAAM,oBAAoB,CAAC;AAC/C,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAE3C,iDAAiD;AACjD,MAAM,MAAM,WAAW,GACnB,SAAS,GACT,WAAW,GACX,WAAW,GACX,YAAY,CAAC;AAEjB,mDAAmD;AACnD,MAAM,WAAW,wBAAwB;IACvC,2EAA2E;IAC3E,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B,mCAAmC;IACnC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,qDAAqD;IACrD,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACrD;AAED,wEAAwE;AACxE,MAAM,WAAW,kBAAmB,SAAQ,wBAAwB;IAClE,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,0EAA0E;IAC1E,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/D,8CAA8C;IAC9C,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAChD;AAED,qCAAqC;AACrC,MAAM,WAAW,YAAa,SAAQ,wBAAwB;IAC5D,oDAAoD;IACpD,QAAQ,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC;IACtB,mDAAmD;IACnD,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,2DAA2D;IAC3D,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,OAAO,EAAE,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IACrD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IAExB,4CAA4C;IAC5C,QAAQ,CAAC,OAAO,CAAC,EAAE,wBAAwB,CAAC;IAC5C,QAAQ,CAAC,WAAW,CAAC,EAAE,wBAAwB,CAAC;IAChD,QAAQ,CAAC,WAAW,CAAC,EAAE,kBAAkB,CAAC;IAE1C,2BAA2B;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,wBAAwB,CAAC;IAC3C,QAAQ,CAAC,KAAK,CAAC,EAAE,YAAY,CAAC;IAC9B,QAAQ,CAAC,eAAe,CAAC,EAAE,wBAAwB,CAAC;IACpD,QAAQ,CAAC,WAAW,CAAC,EAAE,wBAAwB,GAAG;QAChD,QAAQ,CAAC,QAAQ,EAAE,QAAQ,GAAG,QAAQ,GAAG,OAAO,CAAC;QACjD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACxC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;KAC7C,CAAC;IAEF,QAAQ,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAClD;AAED;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC;IAC3B,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACnE,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;CACjD"}
+{"version":3,"file":"interfaces.d.ts","sourceRoot":"","sources":["../../../src/platform/interfaces.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,KAAK,MAAM,MAAM,gBAAgB,CAAC;AAC9C,OAAO,KAAK,KAAK,GAAG,MAAM,oBAAoB,CAAC;AAC/C,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEhD,iDAAiD;AACjD,MAAM,MAAM,WAAW,GACnB,SAAS,GACT,WAAW,GACX,WAAW,GACX,YAAY,CAAC;AAEjB,0DAA0D;AAC1D,eAAO,MAAM,aAAa;;;;;CAKa,CAAC;AAExC,mDAAmD;AACnD,MAAM,WAAW,wBAAwB;IACvC,2EAA2E;IAC3E,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B,4DAA4D;IAC5D,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B,mCAAmC;IACnC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,qDAAqD;IACrD,QAAQ,CAAC,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACrD;AAED,wEAAwE;AACxE,MAAM,WAAW,kBAAmB,SAAQ,wBAAwB;IAClE,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,sEAAsE;IACtE,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAC5B,sFAAsF;IACtF,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC,gBAAgB,CAAC;IAC/C;;;OAGG;IACH,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/D,8CAA8C;IAC9C,QAAQ,CAAC,aAAa,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAChD;AAED,yCAAyC;AACzC,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,kCAAkC;IAClC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,qDAAqD;IACrD,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC,gBAAgB,CAAC;IAC9C,uDAAuD;IACvD,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;CAC1C;AAED,uEAAuE;AACvE,MAAM,WAAW,0BAA0B;IACzC,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACzC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;CACxC;AAED,qEAAqE;AACrE,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,QAAQ,EAAE,SAAS,CAAC;IAC7B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;CAC1C;AAED,mEAAmE;AACnE,MAAM,MAAM,iBAAiB,GACzB,mBAAmB,GACnB,0BAA0B,GAC1B,oBAAoB,CAAC;AAEzB,qCAAqC;AACrC,MAAM,WAAW,YAAa,SAAQ,wBAAwB;IAC5D,oDAAoD;IACpD,QAAQ,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC;IACtB,mDAAmD;IACnD,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,2DAA2D;IAC3D,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,4DAA4D;IAC5D,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B,sEAAsE;IACtE,QAAQ,CAAC,UAAU,CAAC,EAAE,iBAAiB,CAAC;IACxC,wFAAwF;IACxF,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,8DAA8D;AAC9D,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACxC,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IACtC,oDAAoD;IACpD,QAAQ,CAAC,UAAU,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC7C;AAED,mEAAmE;AACnE,MAAM,WAAW,kBAAmB,SAAQ,wBAAwB;IAClE,2GAA2G;IAC3G,QAAQ,CAAC,UAAU,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC7C;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,OAAO,EAAE,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;IACrD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IAExB,4CAA4C;IAC5C,QAAQ,CAAC,OAAO,CAAC,EAAE,wBAAwB,CAAC;IAC5C,QAAQ,CAAC,WAAW,CAAC,EAAE,wBAAwB,CAAC;IAChD,QAAQ,CAAC,WAAW,CAAC,EAAE,kBAAkB,CAAC;IAE1C,2BAA2B;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,wBAAwB,CAAC;IAC3C,QAAQ,CAAC,KAAK,CAAC,EAAE,YAAY,CAAC;IAC9B,QAAQ,CAAC,eAAe,CAAC,EAAE,wBAAwB,CAAC;IACpD,QAAQ,CAAC,WAAW,CAAC,EAAE,wBAAwB,GAAG;QAChD,QAAQ,CAAC,QAAQ,EAAE,QAAQ,GAAG,QAAQ,GAAG,OAAO,CAAC;QACjD,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACxC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;KAC7C,CAAC;IAEF,qEAAqE;IACrE,QAAQ,CAAC,WAAW,CAAC,EAAE,OAAO,CAAC;IAE/B,+EAA+E;IAC/E,QAAQ,CAAC,gBAAgB,CAAC,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC;IAE5D,yDAAyD;IACzD,QAAQ,CAAC,WAAW,CAAC,EAAE,kBAAkB,CAAC;IAE1C,QAAQ,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;CAClD;AAED;;;;GAIG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC;IAC3B,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACnE,QAAQ,CAAC,eAAe,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAChD,sDAAsD;IACtD,QAAQ,CAAC,eAAe,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;CAC1D"}

package/dist/esm/platform/interfaces.js

@@ -9,4 +9,12 @@
  * @module platform/interfaces
  */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.DNS_PROVIDERS = void 0;
+/** Typed constant map for DnsProvider string literals. */
+exports.DNS_PROVIDERS = {
+    ROUTE53: "route53",
+    AZURE_DNS: "azure-dns",
+    CLOUD_DNS: "cloud-dns",
+    CLOUDFLARE: "cloudflare",
+};
 //# sourceMappingURL=interfaces.js.map