@selleragent/sa-admin 0.1.0

package/dist/rollout.js

@@ -0,0 +1,971 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.inspectRolloutPreflight = inspectRolloutPreflight;
+exports.runRolloutMigrate = runRolloutMigrate;
+exports.runRolloutPromoteProfile = runRolloutPromoteProfile;
+exports.runRolloutFinalizeTelegram = runRolloutFinalizeTelegram;
+exports.listRecordedRollouts = listRecordedRollouts;
+exports.inspectRecordedRollout = inspectRecordedRollout;
+exports.runRolloutVerify = runRolloutVerify;
+exports.inspectReleaseVerdict = inspectReleaseVerdict;
+exports.inspectReleaseEvidence = inspectReleaseEvidence;
+exports.runRolloutPromote = runRolloutPromote;
+const node_crypto_1 = require("node:crypto");
+const shared_1 = require("@selleragent/shared");
+const auth_1 = require("./auth");
+const project_1 = require("./project");
+function normalizeEnvironment(environment) {
+    return environment.trim().toLowerCase() === 'prod' ? 'production' : environment.trim().toLowerCase();
+}
+function schemaSourceKindForEnvironment(environment) {
+    const normalized = normalizeEnvironment(environment);
+    if (normalized === 'beta') {
+        return 'beta_rollout';
+    }
+    if (normalized === 'production') {
+        return 'prod_rollout';
+    }
+    return 'local_bootstrap';
+}
+function backupSourceKindForEnvironment(environment) {
+    const normalized = normalizeEnvironment(environment);
+    if (normalized === 'beta') {
+        return 'beta_rollout';
+    }
+    if (normalized === 'production') {
+        return 'prod_rollout';
+    }
+    return 'local_drill';
+}
+function nowIso() {
+    return new Date().toISOString();
+}
+async function probeUrl(url) {
+    if (!url) {
+        return {
+            url: null,
+            ok: false,
+            status: null,
+            error: 'URL is not configured.'
+        };
+    }
+    try {
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                accept: 'application/json, text/html;q=0.9, */*;q=0.1'
+            }
+        });
+        return {
+            url,
+            ok: response.ok,
+            status: response.status,
+            error: response.ok ? null : `HTTP ${response.status}`
+        };
+    }
+    catch (error) {
+        return {
+            url,
+            ok: false,
+            status: null,
+            error: error instanceof Error ? error.message : String(error)
+        };
+    }
+}
+function buildPhase(input) {
+    return {
+        phaseId: input.phaseId,
+        label: input.label,
+        status: input.status,
+        summary: input.summary,
+        details: input.details ?? {},
+        startedAt: input.startedAt ?? null,
+        completedAt: input.completedAt ?? null
+    };
+}
+function isBlockerStatus(status) {
+    return status === 'fail';
+}
+function authBlockerFromState(input) {
+    if (!input.session) {
+        return ['No sa-admin session is available. Run `sa-admin auth login` before rollout.'];
+    }
+    if (input.whoami.stale) {
+        return ['The current sa-admin session is stale. Refresh it with `sa-admin auth login`.'];
+    }
+    if (!input.whoami.accessContext?.authenticated) {
+        return ['The current sa-admin session is not authenticated.'];
+    }
+    return [];
+}
+function readinessToRolloutStatus(status) {
+    switch (status) {
+        case 'pass':
+            return 'pass';
+        case 'warn':
+            return 'warn';
+        case 'fail':
+            return 'fail';
+        default:
+            return 'warn';
+    }
+}
+function completeRolloutRecord(input) {
+    return {
+        rolloutId: input.rolloutId,
+        environment: input.environment,
+        businessProfileSlug: input.businessProfileSlug,
+        startedBy: input.startedBy,
+        startedAt: input.startedAt,
+        completedAt: nowIso(),
+        status: input.status,
+        summary: input.summary,
+        stopReason: input.stopReason ?? null,
+        backupId: input.backupId ?? null,
+        profileVersionId: input.profileVersionId ?? null,
+        readinessStatus: input.readinessStatus ?? null,
+        codeRef: input.codeRef,
+        phases: input.phases,
+        details: input.details ?? {}
+    };
+}
+function completeReleaseVerificationRecord(input) {
+    return {
+        verificationId: input.verificationId,
+        rolloutId: input.rolloutId ?? null,
+        environment: input.environment,
+        businessProfileSlug: input.businessProfileSlug,
+        verifiedBy: input.verifiedBy,
+        verifiedAt: input.verifiedAt,
+        summary: input.summary,
+        verdict: input.verdict,
+        rollbackRecommended: input.rollbackRecommended ?? input.verdict === 'rollback_recommended',
+        backupId: input.backupId ?? null,
+        profileVersionId: input.profileVersionId ?? null,
+        readinessStatus: input.readinessStatus ?? null,
+        codeRef: input.codeRef,
+        warnings: input.warnings ?? [],
+        phases: input.phases,
+        details: input.details ?? {}
+    };
+}
+async function probeSystemHealth(baseUrl) {
+    try {
+        const response = await fetch(`${baseUrl.replace(/\/+$/, '')}/health`, {
+            method: 'GET',
+            headers: {
+                accept: 'application/json'
+            }
+        });
+        const body = (await response.json().catch(() => null));
+        return {
+            ok: response.ok,
+            status: response.status,
+            requestId: response.headers.get('x-request-id') ??
+                (typeof body?.requestId === 'string' ? body.requestId : null),
+            body,
+            error: response.ok ? null : `HTTP ${response.status}`
+        };
+    }
+    catch (error) {
+        return {
+            ok: false,
+            status: null,
+            requestId: null,
+            body: null,
+            error: error instanceof Error ? error.message : String(error)
+        };
+    }
+}
+function releaseVerdictFromPhases(phases) {
+    if (phases.some((phase) => phase.status === 'fail')) {
+        return 'rollback_recommended';
+    }
+    if (phases.some((phase) => phase.status === 'warn')) {
+        return 'accepted_with_warnings';
+    }
+    return 'accepted';
+}
+function releaseSummaryFromVerdict(verdict, warnings) {
+    switch (verdict) {
+        case 'rollback_recommended':
+            return 'Post-release verification found blocking failures; rollback is recommended.';
+        case 'accepted_with_warnings':
+            return warnings.length > 0
+                ? `Release accepted with warnings (${warnings.length} warning${warnings.length === 1 ? '' : 's'}).`
+                : 'Release accepted with warnings.';
+        default:
+            return 'Release accepted after post-release verification.';
+    }
+}
+async function resolveRolloutForVerification(input) {
+    if (input.rolloutId) {
+        return (await input.auth.client.ops.getRolloutExecution({
+            rolloutId: input.rolloutId
+        })).rollout;
+    }
+    const listed = await input.auth.client.ops.listRolloutExecutions({
+        environment: input.context.environment,
+        businessProfileSlug: input.context.manifest.business_slug
+    });
+    return listed.rollouts[0] ?? null;
+}
+async function resolveReleaseVerificationForInspection(input) {
+    if (input.verificationId) {
+        return (await input.auth.client.ops.getReleaseVerification({
+            verificationId: input.verificationId
+        })).verification;
+    }
+    const listed = await input.auth.client.ops.listReleaseVerifications({
+        environment: input.context.environment,
+        businessProfileSlug: input.context.manifest.business_slug,
+        rolloutId: input.rolloutId ?? null
+    });
+    return listed.verifications[0] ?? null;
+}
+async function inspectRolloutPreflight(input) {
+    const codeRefMetadata = (0, shared_1.resolveBusinessProfileGitMetadata)(input.context.root.rootDir);
+    const codeRef = {
+        repositoryUrl: codeRefMetadata?.repositoryUrl ?? null,
+        commitSha: codeRefMetadata?.commitSha ?? null,
+        branchName: codeRefMetadata?.branchName ?? null
+    };
+    const auth = await (0, auth_1.resolveAuthenticatedClient)({
+        context: input.context,
+        allowBootstrap: false
+    });
+    const whoami = await (0, auth_1.resolveWhoAmI)(input.context);
+    const apiProbe = await probeUrl(`${input.context.baseUrl.replace(/\/+$/, '')}/health`);
+    const webProbe = await probeUrl(input.context.webBaseUrl);
+    let validation = null;
+    let validationError = null;
+    try {
+        validation = await (0, project_1.validateProfileProject)(input.context);
+    }
+    catch (error) {
+        validationError = error instanceof Error ? error.message : String(error);
+    }
+    const declarations = await (0, project_1.loadTelegramBotDeclarations)(input.context);
+    const compatibleIntegrations = declarations
+        .filter((entry) => entry.environmentMatches)
+        .map((entry) => ({
+        integrationKey: entry.integrationKey,
+        environments: [...entry.environments],
+        label: entry.label,
+        enabled: entry.enabled,
+        mode: entry.mode,
+        ...(entry.webhookPath ? { webhookPath: entry.webhookPath } : {})
+    }));
+    const blockers = [
+        ...authBlockerFromState({
+            session: whoami.session,
+            whoami
+        })
+    ];
+    const warnings = [];
+    const phases = [];
+    phases.push(buildPhase({
+        phaseId: 'deploy_pair',
+        label: 'Deploy pair preflight',
+        status: apiProbe.ok && (webProbe.ok || !input.context.webBaseUrl)
+            ? 'pass'
+            : apiProbe.ok
+                ? 'warn'
+                : 'fail',
+        summary: apiProbe.ok
+            ? webProbe.ok || !input.context.webBaseUrl
+                ? 'API and configured web surfaces are reachable.'
+                : 'API is reachable, but the configured web surface could not be confirmed.'
+            : 'API health probe failed.',
+        details: {
+            api: apiProbe,
+            web: webProbe
+        }
+    }));
+    if (!apiProbe.ok) {
+        blockers.push(`API preflight failed: ${apiProbe.error ?? apiProbe.status ?? 'unknown error'}.`);
+    }
+    else if (!webProbe.ok && input.context.webBaseUrl) {
+        warnings.push(`Web preflight warning: ${webProbe.error ?? webProbe.status ?? 'unreachable'}.`);
+    }
+    phases.push(buildPhase({
+        phaseId: 'auth',
+        label: 'Admin auth session',
+        status: blockers.some((entry) => entry.includes('sa-admin session') || entry.includes('authenticated'))
+            ? 'fail'
+            : 'pass',
+        summary: whoami.session && whoami.accessContext?.authenticated && !whoami.stale
+            ? `Authenticated as ${whoami.accessContext.operator?.email ?? 'unknown operator'}.`
+            : 'No valid employee-backed sa-admin session is currently available.',
+        details: {
+            authMode: auth.authMode,
+            session: whoami.session,
+            stale: whoami.stale,
+            authenticated: whoami.accessContext?.authenticated ?? false
+        }
+    }));
+    phases.push(buildPhase({
+        phaseId: 'profile',
+        label: 'Business-profile validation',
+        status: validationError ? 'fail' : compatibleIntegrations.length === 0 ? 'warn' : 'pass',
+        summary: validationError
+            ? 'The current business-profile repo failed governed validation.'
+            : compatibleIntegrations.length === 0
+                ? 'The current repo validated, but no Telegram integrations match the target environment.'
+                : 'The current business-profile repo validated successfully.',
+        details: {
+            validation,
+            validationError,
+            compatibleIntegrations
+        }
+    }));
+    if (validationError) {
+        blockers.push(validationError);
+    }
+    if (compatibleIntegrations.length === 0) {
+        warnings.push('No Telegram integrations match the current target environment.');
+    }
+    let schema = null;
+    let readiness = null;
+    let preReleaseBackups = [];
+    if (auth.authMode !== 'public') {
+        schema = (await auth.client.ops.getSchemaStatus({})).schema;
+        readiness = await auth.client.ops.getReadiness({
+            businessProfileSlug: input.context.manifest.business_slug
+        });
+        preReleaseBackups = (await auth.client.ops.listBackupArtifacts({
+            environment: input.context.environment,
+            backupKind: 'pre_release'
+        })).artifacts;
+    }
+    const schemaStatus = schema ? readinessToRolloutStatus(schema.status) : 'warn';
+    phases.push(buildPhase({
+        phaseId: 'migrations',
+        label: 'Schema migration preflight',
+        status: schemaStatus,
+        summary: schema
+            ? schema.pendingMigrations.length === 0
+                ? 'Schema ledger is ready for rollout.'
+                : `Schema ledger has ${schema.pendingMigrations.length} pending migration(s).`
+            : 'Schema status could not be read without an authenticated session.',
+        details: {
+            schema,
+            latestPreReleaseBackupId: preReleaseBackups[0]?.backupId ?? null,
+            preReleaseBackupCount: preReleaseBackups.length
+        }
+    }));
+    if (schema?.status === 'fail') {
+        blockers.push('Schema migration ledger is in fail state.');
+    }
+    else if (schema && schema.pendingMigrations.length > 0) {
+        warnings.push(`There are ${schema.pendingMigrations.length} pending schema migrations.`);
+    }
+    phases.push(buildPhase({
+        phaseId: 'telegram',
+        label: 'Telegram rollout targets',
+        status: compatibleIntegrations.length > 0 ? 'pass' : 'warn',
+        summary: compatibleIntegrations.length > 0
+            ? `Resolved ${compatibleIntegrations.length} compatible Telegram integration declaration(s).`
+            : 'No Telegram integration declarations match the target environment.',
+        details: {
+            compatibleIntegrations
+        }
+    }));
+    const ready = blockers.length === 0 && !phases.some((phase) => isBlockerStatus(phase.status));
+    return {
+        environment: input.context.environment,
+        businessProfileSlug: input.context.manifest.business_slug,
+        projectRoot: input.context.root.rootDir,
+        baseUrl: input.context.baseUrl,
+        webBaseUrl: input.context.webBaseUrl,
+        authMode: auth.authMode,
+        session: whoami.session,
+        accessContext: whoami.accessContext,
+        blockers,
+        warnings,
+        ready,
+        codeRef,
+        compatibleIntegrations,
+        phases,
+        validation,
+        schema,
+        readiness,
+        preReleaseBackups
+    };
+}
+function requireAuthenticatedRolloutClient(auth) {
+    if (auth.authMode === 'public' || !auth.accessContext?.authenticated) {
+        throw new Error('Rollout commands require an authenticated sa-admin session. Run `sa-admin auth login` first.');
+    }
+    return auth;
+}
+async function runRolloutMigrate(input) {
+    const auth = requireAuthenticatedRolloutClient(await (0, auth_1.resolveAuthenticatedClient)({
+        context: input.context,
+        allowBootstrap: false
+    }));
+    const result = await auth.client.ops.applySchemaMigrations({
+        appliedBy: auth.accessContext?.operator?.email ?? null,
+        sourceKind: schemaSourceKindForEnvironment(input.context.environment)
+    });
+    return {
+        authMode: auth.authMode,
+        ...result
+    };
+}
+async function runRolloutPromoteProfile(input) {
+    const auth = requireAuthenticatedRolloutClient(await (0, auth_1.resolveAuthenticatedClient)({
+        context: input.context,
+        allowBootstrap: false
+    }));
+    const prepared = await (0, project_1.buildProfileBundleForUpload)(input.context);
+    const result = await auth.client.businessProfiles.uploadBundle({
+        bundle: prepared.bundle,
+        activateOnUpload: true,
+        targetEnvironment: input.context.environment,
+        sourceRepositoryUrl: prepared.sourceRepositoryUrl,
+        sourceCommitSha: prepared.sourceCommitSha,
+        resolvedSecrets: prepared.resolvedSecrets
+    });
+    return {
+        authMode: auth.authMode,
+        ...result,
+        sourceRepositoryUrl: prepared.sourceRepositoryUrl,
+        sourceCommitSha: prepared.sourceCommitSha
+    };
+}
+async function runRolloutFinalizeTelegram(input) {
+    const auth = requireAuthenticatedRolloutClient(await (0, auth_1.resolveAuthenticatedClient)({
+        context: input.context,
+        allowBootstrap: false
+    }));
+    const declarations = await (0, project_1.loadTelegramBotDeclarations)(input.context);
+    const compatible = declarations.filter((entry) => entry.environmentMatches);
+    const integrations = [];
+    for (const declaration of compatible) {
+        const integrationKey = declaration.integrationKey;
+        const verify = await auth.client.integrations.verifyTelegramIntegration({
+            integrationKey
+        });
+        const syncWebhook = await auth.client.integrations.syncTelegramWebhook({
+            integrationKey
+        });
+        const syncCommands = await auth.client.integrations.syncTelegramCommands({
+            integrationKey
+        });
+        const reconcile = await auth.client.integrations.reconcileTelegramIntegration({
+            integrationKey
+        });
+        integrations.push({
+            integrationKey,
+            verify,
+            syncWebhook,
+            syncCommands,
+            reconcile
+        });
+    }
+    return {
+        authMode: auth.authMode,
+        integrations
+    };
+}
+async function listRecordedRollouts(input) {
+    const auth = requireAuthenticatedRolloutClient(await (0, auth_1.resolveAuthenticatedClient)({
+        context: input.context,
+        allowBootstrap: false
+    }));
+    return {
+        authMode: auth.authMode,
+        ...(await auth.client.ops.listRolloutExecutions({
+            environment: input.environment ?? input.context.environment,
+            businessProfileSlug: input.businessProfileSlug ?? input.context.manifest.business_slug
+        }))
+    };
+}
+async function inspectRecordedRollout(input) {
+    const auth = requireAuthenticatedRolloutClient(await (0, auth_1.resolveAuthenticatedClient)({
+        context: input.context,
+        allowBootstrap: false
+    }));
+    return {
+        authMode: auth.authMode,
+        ...(await auth.client.ops.getRolloutExecution({
+            rolloutId: input.rolloutId
+        }))
+    };
+}
+async function runRolloutVerify(input) {
+    const auth = requireAuthenticatedRolloutClient(await (0, auth_1.resolveAuthenticatedClient)({
+        context: input.context,
+        allowBootstrap: false
+    }));
+    const rollout = await resolveRolloutForVerification({
+        auth,
+        context: input.context,
+        rolloutId: input.rolloutId ?? null
+    });
+    if (!rollout) {
+        throw new Error('No rollout record is available to verify.');
+    }
+    const businessProfileSlug = rollout.businessProfileSlug ?? input.context.manifest.business_slug ?? null;
+    const verifiedAt = nowIso();
+    const verifiedBy = auth.accessContext?.operator?.email ?? null;
+    const phases = [];
+    const environmentStartedAt = nowIso();
+    const health = await probeSystemHealth(input.context.baseUrl);
+    phases.push(buildPhase({
+        phaseId: 'environment_identity',
+        label: 'Environment identity',
+        status: health.ok && typeof health.body?.environment === 'string'
+            ? normalizeEnvironment(String(health.body.environment)) ===
+                normalizeEnvironment(input.context.environment)
+                ? 'pass'
+                : 'fail'
+            : 'fail',
+        summary: health.ok && typeof health.body?.environment === 'string'
+            ? `Health endpoint reports environment ${String(health.body.environment)}.`
+            : `Health probe failed${health.error ? `: ${health.error}` : '.'}`,
+        startedAt: environmentStartedAt,
+        completedAt: nowIso(),
+        details: {
+            health
+        }
+    }));
+    const accessStartedAt = nowIso();
+    const whoami = await (0, auth_1.resolveWhoAmI)(input.context);
+    const activeProfile = await auth.client.businessProfiles.get({
+        businessProfileSlug: businessProfileSlug ?? input.context.manifest.business_slug
+    });
+    const accessStatus = whoami.stale || !whoami.accessContext?.authenticated || !activeProfile.profile ? 'fail' : 'pass';
+    phases.push(buildPhase({
+        phaseId: 'operator_access',
+        label: 'Operator access',
+        status: accessStatus,
+        summary: accessStatus === 'pass'
+            ? `Authenticated operator ${whoami.accessContext?.operator?.email ?? verifiedBy ?? 'unknown'} can access business profile state.`
+            : 'Authenticated operator session could not prove post-release access.',
+        startedAt: accessStartedAt,
+        completedAt: nowIso(),
+        details: {
+            whoami,
+            activeProfile
+        }
+    }));
+    const schemaStartedAt = nowIso();
+    const schema = await auth.client.ops.getSchemaStatus({});
+    const readiness = await auth.client.ops.getReadiness({
+        businessProfileSlug: businessProfileSlug ?? input.context.manifest.business_slug
+    });
+    const activeVersionId = activeProfile.activeVersion?.versionId ?? null;
+    const schemaProfileStatus = schema.schema.status === 'fail'
+        ? 'fail'
+        : rollout.profileVersionId && activeVersionId && rollout.profileVersionId !== activeVersionId
+            ? 'fail'
+            : readiness.status === 'fail'
+                ? 'fail'
+                : schema.schema.status === 'warn' || readiness.status === 'warn'
+                    ? 'warn'
+                    : 'pass';
+    phases.push(buildPhase({
+        phaseId: 'schema_profile_compatibility',
+        label: 'Schema and profile compatibility',
+        status: schemaProfileStatus,
+        summary: rollout.profileVersionId && activeVersionId && rollout.profileVersionId !== activeVersionId
+            ? `Active profile version ${activeVersionId} no longer matches rollout version ${rollout.profileVersionId}.`
+            : schema.schema.status === 'fail'
+                ? 'Schema status is failing after rollout.'
+                : readiness.status === 'fail'
+                    ? 'Readiness failed during post-release verification.'
+                    : schema.schema.status === 'warn' || readiness.status === 'warn'
+                        ? 'Schema or readiness completed with warnings.'
+                        : 'Schema ledger, readiness, and active profile version are compatible.',
+        startedAt: schemaStartedAt,
+        completedAt: nowIso(),
+        details: {
+            schema: schema.schema,
+            readiness,
+            rolloutProfileVersionId: rollout.profileVersionId ?? null,
+            activeProfileVersionId: activeVersionId
+        }
+    }));
+    const telegramStartedAt = nowIso();
+    const declarations = await (0, project_1.loadTelegramBotDeclarations)(input.context);
+    const compatible = declarations.filter((entry) => entry.environmentMatches);
+    const telegramChecks = [];
+    for (const declaration of compatible) {
+        const verification = await auth.client.integrations.verifyTelegramIntegration({
+            integrationKey: declaration.integrationKey
+        });
+        telegramChecks.push({
+            integrationKey: declaration.integrationKey,
+            label: declaration.label,
+            status: verification.snapshot.status,
+            summary: verification.snapshot.summary
+        });
+    }
+    const telegramStatus = telegramChecks.length === 0
+        ? 'skipped'
+        : telegramChecks.some((entry) => entry.status === 'fail')
+            ? 'fail'
+            : telegramChecks.some((entry) => entry.status === 'warn')
+                ? 'warn'
+                : 'pass';
+    phases.push(buildPhase({
+        phaseId: 'telegram_integrations',
+        label: 'Telegram integrations',
+        status: telegramStatus,
+        summary: telegramChecks.length === 0
+            ? 'No environment-compatible Telegram integrations required post-release verification.'
+            : telegramStatus === 'fail'
+                ? 'At least one Telegram integration failed post-release verification.'
+                : telegramStatus === 'warn'
+                    ? 'Telegram integrations verified with warnings.'
+                    : `Verified ${telegramChecks.length} Telegram integration(s).`,
+        startedAt: telegramStartedAt,
+        completedAt: nowIso(),
+        details: {
+            integrations: telegramChecks
+        }
+    }));
+    const warnings = phases
+        .filter((phase) => phase.status === 'warn')
+        .map((phase) => `${phase.label}: ${phase.summary}`);
+    const verdict = releaseVerdictFromPhases(phases);
+    const verification = completeReleaseVerificationRecord({
+        verificationId: (0, node_crypto_1.randomUUID)(),
+        rolloutId: rollout.rolloutId,
+        environment: rollout.environment,
+        businessProfileSlug,
+        verifiedBy,
+        verifiedAt,
+        verdict,
+        summary: releaseSummaryFromVerdict(verdict, warnings),
+        backupId: rollout.backupId ?? null,
+        profileVersionId: rollout.profileVersionId ?? null,
+        readinessStatus: readiness.status,
+        codeRef: rollout.codeRef,
+        warnings,
+        phases,
+        details: {
+            health,
+            whoami,
+            rollout,
+            schema: schema.schema,
+            readiness,
+            activeProfileVersionId: activeVersionId,
+            telegramIntegrations: telegramChecks
+        }
+    });
+    const recorded = await auth.client.ops.recordReleaseVerification({
+        verification
+    });
+    return {
+        authMode: auth.authMode,
+        verification: recorded.verification
+    };
+}
+async function inspectReleaseVerdict(input) {
+    const auth = requireAuthenticatedRolloutClient(await (0, auth_1.resolveAuthenticatedClient)({
+        context: input.context,
+        allowBootstrap: false
+    }));
+    const verification = await resolveReleaseVerificationForInspection({
+        auth,
+        context: input.context,
+        verificationId: input.verificationId ?? null,
+        rolloutId: input.rolloutId ?? null
+    });
+    return {
+        authMode: auth.authMode,
+        verdict: verification
+            ? {
+                verificationId: verification.verificationId,
+                verdict: verification.verdict,
+                summary: verification.summary,
+                rollbackRecommended: verification.rollbackRecommended,
+                warnings: verification.warnings,
+                rolloutId: verification.rolloutId,
+                backupId: verification.backupId,
+                profileVersionId: verification.profileVersionId
+            }
+            : null
+    };
+}
+async function inspectReleaseEvidence(input) {
+    const auth = requireAuthenticatedRolloutClient(await (0, auth_1.resolveAuthenticatedClient)({
+        context: input.context,
+        allowBootstrap: false
+    }));
+    return {
+        authMode: auth.authMode,
+        verification: await resolveReleaseVerificationForInspection({
+            auth,
+            context: input.context,
+            verificationId: input.verificationId ?? null,
+            rolloutId: input.rolloutId ?? null
+        })
+    };
+}
+async function runRolloutPromote(input) {
+    const auth = requireAuthenticatedRolloutClient(await (0, auth_1.resolveAuthenticatedClient)({
+        context: input.context,
+        allowBootstrap: false
+    }));
+    const startedAt = nowIso();
+    const rolloutId = (0, node_crypto_1.randomUUID)();
+    const businessProfileSlug = input.context.manifest.business_slug;
+    const codeRefMetadata = (0, shared_1.resolveBusinessProfileGitMetadata)(input.context.root.rootDir);
+    const codeRef = {
+        repositoryUrl: codeRefMetadata?.repositoryUrl ?? null,
+        commitSha: codeRefMetadata?.commitSha ?? null,
+        branchName: codeRefMetadata?.branchName ?? null
+    };
+    const startedBy = auth.accessContext?.operator?.email ?? null;
+    const preflight = await inspectRolloutPreflight({
+        context: input.context
+    });
+    if (!preflight.ready) {
+        const stopped = completeRolloutRecord({
+            rolloutId,
+            environment: input.context.environment,
+            businessProfileSlug,
+            startedBy,
+            startedAt,
+            status: 'stopped',
+            summary: 'Rollout preflight reported blockers and promotion was stopped before mutation.',
+            stopReason: preflight.blockers.join(' '),
+            readinessStatus: preflight.readiness?.status ?? null,
+            codeRef,
+            phases: preflight.phases,
+            details: {
+                blockers: preflight.blockers,
+                warnings: preflight.warnings,
+                preflight
+            }
+        });
+        const recorded = await auth.client.ops.recordRolloutExecution({
+            rollout: stopped
+        });
+        return {
+            authMode: auth.authMode,
+            rollout: recorded.rollout
+        };
+    }
+    const phases = [];
+    let backupArtifact = null;
+    let profileVersionId = null;
+    let readinessStatus = null;
+    let currentPhaseId = 'backup';
+    let currentPhaseLabel = 'Pre-release backup';
+    try {
+        const backupStartedAt = nowIso();
+        currentPhaseId = 'backup';
+        currentPhaseLabel = 'Pre-release backup';
+        const backup = await auth.client.ops.createBackupArtifact({
+            environment: input.context.environment,
+            backupKind: 'pre_release',
+            sourceKind: backupSourceKindForEnvironment(input.context.environment),
+            notes: input.notes ?? `Rollout ${rolloutId}`
+        });
+        backupArtifact = backup.artifact;
+        phases.push(buildPhase({
+            phaseId: 'backup',
+            label: 'Pre-release backup',
+            status: 'pass',
+            summary: `Created governed pre-release backup ${backup.artifact.backupId}.`,
+            startedAt: backupStartedAt,
+            completedAt: nowIso(),
+            details: {
+                artifact: backup.artifact
+            }
+        }));
+        const migrationsStartedAt = nowIso();
+        currentPhaseId = 'migrations';
+        currentPhaseLabel = 'Schema migrations';
+        const migrations = await auth.client.ops.applySchemaMigrations({
+            appliedBy: startedBy,
+            sourceKind: schemaSourceKindForEnvironment(input.context.environment)
+        });
+        phases.push(buildPhase({
+            phaseId: 'migrations',
+            label: 'Schema migrations',
+            status: migrations.schema.status === 'fail' ? 'fail' : 'pass',
+            summary: migrations.applied.length > 0
+                ? `Applied ${migrations.applied.length} schema migration(s).`
+                : 'Schema ledger already had no pending migrations.',
+            startedAt: migrationsStartedAt,
+            completedAt: nowIso(),
+            details: {
+                applied: migrations.applied,
+                schema: migrations.schema
+            }
+        }));
+        if (migrations.schema.status === 'fail') {
+            throw new Error('Schema migrations finished in fail state.');
+        }
+        const promotionStartedAt = nowIso();
+        currentPhaseId = 'profile_promotion';
+        currentPhaseLabel = 'Business-profile promotion';
+        const prepared = await (0, project_1.buildProfileBundleForUpload)(input.context);
+        const promotion = await auth.client.businessProfiles.uploadBundle({
+            bundle: prepared.bundle,
+            activateOnUpload: true,
+            targetEnvironment: input.context.environment,
+            sourceRepositoryUrl: prepared.sourceRepositoryUrl,
+            sourceCommitSha: prepared.sourceCommitSha,
+            resolvedSecrets: prepared.resolvedSecrets
+        });
+        profileVersionId = promotion.activeVersion.versionId;
+        phases.push(buildPhase({
+            phaseId: 'profile_promotion',
+            label: 'Business-profile promotion',
+            status: 'pass',
+            summary: `Uploaded and activated profile version ${promotion.activeVersion.versionId}.`,
+            startedAt: promotionStartedAt,
+            completedAt: nowIso(),
+            details: {
+                targetEnvironment: promotion.targetEnvironment,
+                serverEnvironment: promotion.serverEnvironment,
+                appliedDeclarations: promotion.appliedDeclarations,
+                skippedDeclarations: promotion.skippedDeclarations,
+                sourceRepositoryUrl: prepared.sourceRepositoryUrl,
+                sourceCommitSha: prepared.sourceCommitSha
+            }
+        }));
+        const finalizeStartedAt = nowIso();
+        currentPhaseId = 'telegram_finalize';
+        currentPhaseLabel = 'Telegram finalize';
+        const telegram = await runRolloutFinalizeTelegram({
+            context: input.context
+        });
+        const businessReconcile = await auth.client.ops.reconcileBusiness({
+            businessProfileSlug
+        });
+        phases.push(buildPhase({
+            phaseId: 'telegram_finalize',
+            label: 'Telegram finalize',
+            status: telegram.integrations.length > 0
+                ? 'pass'
+                : 'skipped',
+            summary: telegram.integrations.length > 0
+                ? `Verified and synchronized ${telegram.integrations.length} Telegram integration(s).`
+                : 'No environment-compatible Telegram integrations required finalization.',
+            startedAt: finalizeStartedAt,
+            completedAt: nowIso(),
+            details: {
+                integrations: telegram.integrations,
+                reconcile: businessReconcile
+            }
+        }));
+        const readinessStartedAt = nowIso();
+        currentPhaseId = 'readiness';
+        currentPhaseLabel = 'Post-promotion readiness';
+        const readiness = await auth.client.ops.getReadiness({
+            businessProfileSlug
+        });
+        readinessStatus = readiness.status;
+        const readinessPhaseStatus = readinessToRolloutStatus(readiness.status);
+        phases.push(buildPhase({
+            phaseId: 'readiness',
+            label: 'Post-promotion readiness',
+            status: readinessPhaseStatus,
+            summary: readiness.status === 'fail'
+                ? 'Readiness failed after promotion.'
+                : readiness.status === 'warn'
+                    ? 'Readiness completed with warnings after promotion.'
+                    : 'Readiness passed after promotion.',
+            startedAt: readinessStartedAt,
+            completedAt: nowIso(),
+            details: {
+                readiness
+            }
+        }));
+        const rollout = readinessPhaseStatus === 'fail'
+            ? completeRolloutRecord({
+                rolloutId,
+                environment: input.context.environment,
+                businessProfileSlug,
+                startedBy,
+                startedAt,
+                status: 'stopped',
+                summary: 'Rollout stopped because post-promotion readiness failed.',
+                stopReason: 'Post-promotion readiness returned fail.',
+                backupId: backupArtifact?.backupId ?? null,
+                profileVersionId,
+                readinessStatus,
+                codeRef,
+                phases,
+                details: {
+                    notes: input.notes ?? null
+                }
+            })
+            : completeRolloutRecord({
+                rolloutId,
+                environment: input.context.environment,
+                businessProfileSlug,
+                startedBy,
+                startedAt,
+                status: 'completed',
+                summary: readinessPhaseStatus === 'warn'
+                    ? 'Rollout completed with readiness warnings.'
+                    : 'Rollout completed successfully.',
+                backupId: backupArtifact?.backupId ?? null,
+                profileVersionId,
+                readinessStatus,
+                codeRef,
+                phases,
+                details: {
+                    notes: input.notes ?? null
+                }
+            });
+        const recorded = await auth.client.ops.recordRolloutExecution({
+            rollout
+        });
+        return {
+            authMode: auth.authMode,
+            rollout: recorded.rollout
+        };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        const stopped = completeRolloutRecord({
+            rolloutId,
+            environment: input.context.environment,
+            businessProfileSlug,
+            startedBy,
+            startedAt,
+            status: 'stopped',
+            summary: `Rollout stopped during ${currentPhaseId} phase.`,
+            stopReason: message,
+            backupId: backupArtifact?.backupId ?? null,
+            profileVersionId,
+            readinessStatus,
+            codeRef,
+            phases: [
+                ...phases,
+                buildPhase({
+                    phaseId: currentPhaseId,
+                    label: currentPhaseLabel,
+                    status: 'fail',
+                    summary: message,
+                    startedAt: nowIso(),
+                    completedAt: nowIso(),
+                    details: {
+                        error: message
+                    }
+                })
+            ],
+            details: {
+                notes: input.notes ?? null
+            }
+        });
+        const recorded = await auth.client.ops.recordRolloutExecution({
+            rollout: stopped
+        });
+        return {
+            authMode: auth.authMode,
+            rollout: recorded.rollout
+        };
+    }
+}
+//# sourceMappingURL=rollout.js.map