@serve.zone/gitops 2.13.1

package/dist_ts/classes/managedsecrets.manager.js

@@ -0,0 +1,247 @@
+import * as plugins from '../plugins.js';
+import { logger } from '../logging.js';
+const MANAGED_SECRETS_PREFIX = '/managed-secrets/';
+const KEYCHAIN_PREFIX = 'keychain:';
+const KEYCHAIN_ID_PREFIX = 'gitops-msecret-';
+const SECRET_KEY_PREFIX = 'GITOPS_';
+export class ManagedSecretsManager {
+    storageManager;
+    smartSecret;
+    connectionManager;
+    secrets = [];
+    constructor(storageManager, smartSecret, connectionManager) {
+        this.storageManager = storageManager;
+        this.smartSecret = smartSecret;
+        this.connectionManager = connectionManager;
+    }
+    async init() {
+        await this.loadSecrets();
+    }
+    // ---- Storage helpers ----
+    keychainId(secretId) {
+        return `${KEYCHAIN_ID_PREFIX}${secretId}`;
+    }
+    prefixedKey(key) {
+        return `${SECRET_KEY_PREFIX}${key}`;
+    }
+    async loadSecrets() {
+        const keys = await this.storageManager.list(MANAGED_SECRETS_PREFIX);
+        this.secrets = [];
+        for (const key of keys) {
+            const stored = await this.storageManager.getJSON(key);
+            if (stored) {
+                this.secrets.push(stored);
+            }
+        }
+        if (this.secrets.length > 0) {
+            logger.info(`Loaded ${this.secrets.length} managed secret(s)`);
+        }
+    }
+    async persistSecret(stored, realValue) {
+        // Store real value in keychain
+        await this.smartSecret.setSecret(this.keychainId(stored.id), realValue);
+        // Save JSON with sentinel
+        const jsonStored = { ...stored, value: `${KEYCHAIN_PREFIX}${this.keychainId(stored.id)}` };
+        await this.storageManager.setJSON(`${MANAGED_SECRETS_PREFIX}${stored.id}.json`, jsonStored);
+        // Update in-memory sentinel too
+        stored.value = jsonStored.value;
+    }
+    async removeFromStorage(id) {
+        await this.smartSecret.deleteSecret(this.keychainId(id));
+        await this.storageManager.delete(`${MANAGED_SECRETS_PREFIX}${id}.json`);
+    }
+    async getSecretValue(id) {
+        return await this.smartSecret.getSecret(this.keychainId(id));
+    }
+    toApiModel(stored) {
+        return {
+            id: stored.id,
+            key: stored.key,
+            description: stored.description,
+            targets: stored.targets,
+            targetStatuses: stored.targetStatuses,
+            createdAt: stored.createdAt,
+            updatedAt: stored.updatedAt,
+            lastPushedAt: stored.lastPushedAt,
+        };
+    }
+    // ---- Push logic ----
+    async pushToTargets(stored, mode, targetsOverride) {
+        const targets = targetsOverride || stored.targets;
+        const value = mode === 'upsert' ? await this.getSecretValue(stored.id) : null;
+        const prefixedKey = this.prefixedKey(stored.key);
+        const results = [];
+        for (const target of targets) {
+            const status = {
+                connectionId: target.connectionId,
+                scope: target.scope,
+                scopeId: target.scopeId,
+                scopeName: target.scopeName,
+                status: 'pending',
+            };
+            try {
+                const provider = this.connectionManager.getProvider(target.connectionId);
+                if (mode === 'upsert') {
+                    // Try update first; if it fails, create
+                    try {
+                        if (target.scope === 'project') {
+                            await provider.updateProjectSecret(target.scopeId, prefixedKey, value);
+                        }
+                        else {
+                            await provider.updateGroupSecret(target.scopeId, prefixedKey, value);
+                        }
+                    }
+                    catch {
+                        // Secret doesn't exist yet — create it
+                        if (target.scope === 'project') {
+                            await provider.createProjectSecret(target.scopeId, prefixedKey, value);
+                        }
+                        else {
+                            await provider.createGroupSecret(target.scopeId, prefixedKey, value);
+                        }
+                    }
+                }
+                else {
+                    // mode === 'delete'
+                    try {
+                        if (target.scope === 'project') {
+                            await provider.deleteProjectSecret(target.scopeId, prefixedKey);
+                        }
+                        else {
+                            await provider.deleteGroupSecret(target.scopeId, prefixedKey);
+                        }
+                    }
+                    catch {
+                        // Secret may not exist on target — that's fine
+                    }
+                }
+                status.status = 'success';
+                status.lastPushedAt = Date.now();
+            }
+            catch (err) {
+                status.status = 'error';
+                status.error = err instanceof Error ? err.message : String(err);
+            }
+            results.push(status);
+        }
+        return results;
+    }
+    // ---- Public API ----
+    async getAll() {
+        return this.secrets.map((s) => this.toApiModel(s));
+    }
+    async getById(id) {
+        const stored = this.secrets.find((s) => s.id === id);
+        return stored ? this.toApiModel(stored) : null;
+    }
+    async create(key, value, description, targets) {
+        // Validate key
+        if (key.toUpperCase().startsWith(SECRET_KEY_PREFIX)) {
+            throw new Error(`Key must not start with ${SECRET_KEY_PREFIX} — the prefix is added automatically`);
+        }
+        if (this.secrets.some((s) => s.key === key)) {
+            throw new Error(`A managed secret with key "${key}" already exists`);
+        }
+        const now = Date.now();
+        const stored = {
+            id: crypto.randomUUID(),
+            key,
+            description,
+            value: '', // will be set by persistSecret
+            targets,
+            targetStatuses: [],
+            createdAt: now,
+            updatedAt: now,
+        };
+        this.secrets.push(stored);
+        await this.persistSecret(stored, value);
+        // Push to all targets
+        const pushResults = await this.pushToTargets(stored, 'upsert');
+        stored.targetStatuses = pushResults;
+        stored.lastPushedAt = now;
+        stored.updatedAt = now;
+        await this.storageManager.setJSON(`${MANAGED_SECRETS_PREFIX}${stored.id}.json`, {
+            ...stored,
+            value: `${KEYCHAIN_PREFIX}${this.keychainId(stored.id)}`,
+        });
+        logger.info(`Created managed secret "${key}" with ${targets.length} target(s)`);
+        return { managedSecret: this.toApiModel(stored), pushResults };
+    }
+    async update(id, updates) {
+        const stored = this.secrets.find((s) => s.id === id);
+        if (!stored)
+            throw new Error(`Managed secret not found: ${id}`);
+        const now = Date.now();
+        // Update value in keychain if provided
+        if (updates.value !== undefined) {
+            await this.smartSecret.setSecret(this.keychainId(id), updates.value);
+        }
+        if (updates.description !== undefined) {
+            stored.description = updates.description;
+        }
+        // Handle target changes — delete from removed targets
+        let removedTargets = [];
+        if (updates.targets !== undefined) {
+            const oldTargets = stored.targets;
+            const newTargetKeys = new Set(updates.targets.map((t) => `${t.connectionId}:${t.scope}:${t.scopeId}`));
+            removedTargets = oldTargets.filter((t) => !newTargetKeys.has(`${t.connectionId}:${t.scope}:${t.scopeId}`));
+            stored.targets = updates.targets;
+        }
+        stored.updatedAt = now;
+        // Delete from removed targets
+        if (removedTargets.length > 0) {
+            await this.pushToTargets(stored, 'delete', removedTargets);
+        }
+        // Push to current targets
+        const pushResults = await this.pushToTargets(stored, 'upsert');
+        stored.targetStatuses = pushResults;
+        stored.lastPushedAt = now;
+        await this.storageManager.setJSON(`${MANAGED_SECRETS_PREFIX}${stored.id}.json`, {
+            ...stored,
+            value: `${KEYCHAIN_PREFIX}${this.keychainId(stored.id)}`,
+        });
+        logger.info(`Updated managed secret "${stored.key}"`);
+        return { managedSecret: this.toApiModel(stored), pushResults };
+    }
+    async delete(id) {
+        const stored = this.secrets.find((s) => s.id === id);
+        if (!stored)
+            throw new Error(`Managed secret not found: ${id}`);
+        // Best-effort: remove from all targets
+        const deleteResults = await this.pushToTargets(stored, 'delete');
+        // Remove from local storage regardless
+        const idx = this.secrets.indexOf(stored);
+        this.secrets.splice(idx, 1);
+        await this.removeFromStorage(id);
+        logger.info(`Deleted managed secret "${stored.key}"`);
+        return { ok: true, deleteResults };
+    }
+    async pushOne(id) {
+        const stored = this.secrets.find((s) => s.id === id);
+        if (!stored)
+            throw new Error(`Managed secret not found: ${id}`);
+        const now = Date.now();
+        const pushResults = await this.pushToTargets(stored, 'upsert');
+        stored.targetStatuses = pushResults;
+        stored.lastPushedAt = now;
+        stored.updatedAt = now;
+        await this.storageManager.setJSON(`${MANAGED_SECRETS_PREFIX}${stored.id}.json`, {
+            ...stored,
+            value: `${KEYCHAIN_PREFIX}${this.keychainId(stored.id)}`,
+        });
+        return { managedSecret: this.toApiModel(stored), pushResults };
+    }
+    async pushAll() {
+        const results = [];
+        for (const stored of this.secrets) {
+            const { pushResults } = await this.pushOne(stored.id);
+            results.push({
+                managedSecretId: stored.id,
+                key: stored.key,
+                pushResults,
+            });
+        }
+        return results;
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibWFuYWdlZHNlY3JldHMubWFuYWdlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3RzL2NsYXNzZXMvbWFuYWdlZHNlY3JldHMubWFuYWdlci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEtBQUssT0FBTyxNQUFNLGVBQWUsQ0FBQztBQUN6QyxPQUFPLEVBQUUsTUFBTSxFQUFFLE1BQU0sZUFBZSxDQUFDO0FBS3ZDLE1BQU0sc0JBQXNCLEdBQUcsbUJBQW1CLENBQUM7QUFDbkQsTUFBTSxlQUFlLEdBQUcsV0FBVyxDQUFDO0FBQ3BDLE1BQU0sa0JBQWtCLEdBQUcsaUJBQWlCLENBQUM7QUFDN0MsTUFBTSxpQkFBaUIsR0FBRyxTQUFTLENBQUM7QUFFcEMsTUFBTSxPQUFPLHFCQUFxQjtJQUl0QjtJQUNBO0lBQ0E7SUFMRixPQUFPLEdBQTJDLEVBQUUsQ0FBQztJQUU3RCxZQUNVLGNBQThCLEVBQzlCLFdBQTRDLEVBQzVDLGlCQUFvQztRQUZwQyxtQkFBYyxHQUFkLGNBQWMsQ0FBZ0I7UUFDOUIsZ0JBQVcsR0FBWCxXQUFXLENBQWlDO1FBQzVDLHNCQUFpQixHQUFqQixpQkFBaUIsQ0FBbUI7SUFDM0MsQ0FBQztJQUVKLEtBQUssQ0FBQyxJQUFJO1FBQ1IsTUFBTSxJQUFJLENBQUMsV0FBVyxFQUFFLENBQUM7SUFDM0IsQ0FBQztJQUVELDRCQUE0QjtJQUVwQixVQUFVLENBQUMsUUFBZ0I7UUFDakMsT0FBTyxHQUFHLGtCQUFrQixHQUFHLFFBQVEsRUFBRSxDQUFDO0lBQzVDLENBQUM7SUFFTyxXQUFXLENBQUMsR0FBVztRQUM3QixPQUFPLEdBQUcsaUJBQWlCLEdBQUcsR0FBRyxFQUFFLENBQUM7SUFDdEMsQ0FBQztJQUVPLEtBQUssQ0FBQyxXQUFXO1FBQ3ZCLE1BQU0sSUFBSSxHQUFHLE1BQU0sSUFBSSxDQUFDLGNBQWMsQ0FBQyxJQUFJLENBQUMsc0JBQXNCLENBQUMsQ0FBQztRQUNwRSxJQUFJLENBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztRQUNsQixLQUFLLE1BQU0sR0FBRyxJQUFJLElBQUksRUFBRSxDQUFDO1lBQ3ZCLE1BQU0sTUFBTSxHQUFHLE1BQU0sSUFBSSxDQUFDLGNBQWMsQ0FBQyxPQUFPLENBQXVDLEdBQUcsQ0FBQyxDQUFDO1lBQzVGLElBQUksTUFBTSxFQUFFLENBQUM7Z0JBQ1gsSUFBSSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7WUFDNUIsQ0FBQztRQUNILENBQUM7UUFDRCxJQUFJLElBQUksQ0FBQyxPQUFPLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQzVCLE1BQU0sQ0FBQyxJQUFJLENBQUMsVUFBVSxJQUFJLENBQUMsT0FBTyxDQUFDLE1BQU0sb0JBQW9CLENBQUMsQ0FBQztRQUNqRSxDQUFDO0lBQ0gsQ0FBQztJQUVPLEtBQUssQ0FBQyxhQUFhLENBQUMsTUFBNEMsRUFBRSxTQUFpQjtRQUN6RiwrQkFBK0I7UUFDL0IsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUMsRUFBRSxTQUFTLENBQUMsQ0FBQztRQUN4RSwwQkFBMEI7UUFDMUIsTUFBTSxVQUFVLEdBQUcsRUFBRSxHQUFHLE1BQU0sRUFBRSxLQUFLLEVBQUUsR0FBRyxlQUFlLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLEVBQUUsRUFBRSxDQUFDO1FBQzNGLE1BQU0sSUFBSSxDQUFDLGNBQWMsQ0FBQyxPQUFPLENBQUMsR0FBRyxzQkFBc0IsR0FBRyxNQUFNLENBQUMsRUFBRSxPQUFPLEVBQUUsVUFBVSxDQUFDLENBQUM7UUFDNUYsZ0NBQWdDO1FBQ2hDLE1BQU0sQ0FBQyxLQUFLLEdBQUcsVUFBVSxDQUFDLEtBQUssQ0FBQztJQUNsQyxDQUFDO0lBRU8sS0FBSyxDQUFDLGlCQUFpQixDQUFDLEVBQVU7UUFDeEMsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLFlBQVksQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7UUFDekQsTUFBTSxJQUFJLENBQUMsY0FBYyxDQUFDLE1BQU0sQ0FBQyxHQUFHLHNCQUFzQixHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7SUFDMUUsQ0FBQztJQUVPLEtBQUssQ0FBQyxjQUFjLENBQUMsRUFBVTtRQUNyQyxPQUFPLE1BQU0sSUFBSSxDQUFDLFdBQVcsQ0FBQyxTQUFTLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDO0lBQy9ELENBQUM7SUFFTyxVQUFVLENBQUMsTUFBNEM7UUFDN0QsT0FBTztZQUNMLEVBQUUsRUFBRSxNQUFNLENBQUMsRUFBRTtZQUNiLEdBQUcsRUFBRSxNQUFNLENBQUMsR0FBRztZQUNmLFdBQVcsRUFBRSxNQUFNLENBQUMsV0FBVztZQUMvQixPQUFPLEVBQUUsTUFBTSxDQUFDLE9BQU87WUFDdkIsY0FBYyxFQUFFLE1BQU0sQ0FBQyxjQUFjO1lBQ3JDLFNBQVMsRUFBRSxNQUFNLENBQUMsU0FBUztZQUMzQixTQUFTLEVBQUUsTUFBTSxDQUFDLFNBQVM7WUFDM0IsWUFBWSxFQUFFLE1BQU0sQ0FBQyxZQUFZO1NBQ2xDLENBQUM7SUFDSixDQUFDO0lBRUQsdUJBQXVCO0lBRWYsS0FBSyxDQUFDLGFBQWEsQ0FDekIsTUFBNEMsRUFDNUMsSUFBeUIsRUFDekIsZUFBd0Q7UUFFeEQsTUFBTSxPQUFPLEdBQUcsZUFBZSxJQUFJLE1BQU0sQ0FBQyxPQUFPLENBQUM7UUFDbEQsTUFBTSxLQUFLLEdBQUcsSUFBSSxLQUFLLFFBQVEsQ0FBQyxDQUFDLENBQUMsTUFBTSxJQUFJLENBQUMsY0FBYyxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDO1FBQzlFLE1BQU0sV0FBVyxHQUFHLElBQUksQ0FBQyxXQUFXLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBQ2pELE1BQU0sT0FBTyxHQUFpRCxFQUFFLENBQUM7UUFFakUsS0FBSyxNQUFNLE1BQU0sSUFBSSxPQUFPLEVBQUUsQ0FBQztZQUM3QixNQUFNLE1BQU0sR0FBK0M7Z0JBQ3pELFlBQVksRUFBRSxNQUFNLENBQUMsWUFBWTtnQkFDakMsS0FBSyxFQUFFLE1BQU0sQ0FBQyxLQUFLO2dCQUNuQixPQUFPLEVBQUUsTUFBTSxDQUFDLE9BQU87Z0JBQ3ZCLFNBQVMsRUFBRSxNQUFNLENBQUMsU0FBUztnQkFDM0IsTUFBTSxFQUFFLFNBQVM7YUFDbEIsQ0FBQztZQUNGLElBQUksQ0FBQztnQkFDSCxNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsaUJBQWlCLENBQUMsV0FBVyxDQUFDLE1BQU0sQ0FBQyxZQUFZLENBQUMsQ0FBQztnQkFDekUsSUFBSSxJQUFJLEtBQUssUUFBUSxFQUFFLENBQUM7b0JBQ3RCLHdDQUF3QztvQkFDeEMsSUFBSSxDQUFDO3dCQUNILElBQUksTUFBTSxDQUFDLEtBQUssS0FBSyxTQUFTLEVBQUUsQ0FBQzs0QkFDL0IsTUFBTSxRQUFRLENBQUMsbUJBQW1CLENBQUMsTUFBTSxDQUFDLE9BQU8sRUFBRSxXQUFXLEVBQUUsS0FBTSxDQUFDLENBQUM7d0JBQzFFLENBQUM7NkJBQU0sQ0FBQzs0QkFDTixNQUFNLFFBQVEsQ0FBQyxpQkFBaUIsQ0FBQyxNQUFNLENBQUMsT0FBTyxFQUFFLFdBQVcsRUFBRSxLQUFNLENBQUMsQ0FBQzt3QkFDeEUsQ0FBQztvQkFDSCxDQUFDO29CQUFDLE1BQU0sQ0FBQzt3QkFDUCx1Q0FBdUM7d0JBQ3ZDLElBQUksTUFBTSxDQUFDLEtBQUssS0FBSyxTQUFTLEVBQUUsQ0FBQzs0QkFDL0IsTUFBTSxRQUFRLENBQUMsbUJBQW1CLENBQUMsTUFBTSxDQUFDLE9BQU8sRUFBRSxXQUFXLEVBQUUsS0FBTSxDQUFDLENBQUM7d0JBQzFFLENBQUM7NkJBQU0sQ0FBQzs0QkFDTixNQUFNLFFBQVEsQ0FBQyxpQkFBaUIsQ0FBQyxNQUFNLENBQUMsT0FBTyxFQUFFLFdBQVcsRUFBRSxLQUFNLENBQUMsQ0FBQzt3QkFDeEUsQ0FBQztvQkFDSCxDQUFDO2dCQUNILENBQUM7cUJBQU0sQ0FBQztvQkFDTixvQkFBb0I7b0JBQ3BCLElBQUksQ0FBQzt3QkFDSCxJQUFJLE1BQU0sQ0FBQyxLQUFLLEtBQUssU0FBUyxFQUFFLENBQUM7NEJBQy9CLE1BQU0sUUFBUSxDQUFDLG1CQUFtQixDQUFDLE1BQU0sQ0FBQyxPQUFPLEVBQUUsV0FBVyxDQUFDLENBQUM7d0JBQ2xFLENBQUM7NkJBQU0sQ0FBQzs0QkFDTixNQUFNLFFBQVEsQ0FBQyxpQkFBaUIsQ0FBQyxNQUFNLENBQUMsT0FBTyxFQUFFLFdBQVcsQ0FBQyxDQUFDO3dCQUNoRSxDQUFDO29CQUNILENBQUM7b0JBQUMsTUFBTSxDQUFDO3dCQUNQLCtDQUErQztvQkFDakQsQ0FBQztnQkFDSCxDQUFDO2dCQUNELE1BQU0sQ0FBQyxNQUFNLEdBQUcsU0FBUyxDQUFDO2dCQUMxQixNQUFNLENBQUMsWUFBWSxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztZQUNuQyxDQUFDO1lBQUMsT0FBTyxHQUFHLEVBQUUsQ0FBQztnQkFDYixNQUFNLENBQUMsTUFBTSxHQUFHLE9BQU8sQ0FBQztnQkFDeEIsTUFBTSxDQUFDLEtBQUssR0FBRyxHQUFHLFlBQVksS0FBSyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLENBQUM7WUFDbEUsQ0FBQztZQUNELE9BQU8sQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDdkIsQ0FBQztRQUNELE9BQU8sT0FBTyxDQUFDO0lBQ2pCLENBQUM7SUFFRCx1QkFBdUI7SUFFdkIsS0FBSyxDQUFDLE1BQU07UUFDVixPQUFPLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUM7SUFDckQsQ0FBQztJQUVELEtBQUssQ0FBQyxPQUFPLENBQUMsRUFBVTtRQUN0QixNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQyxDQUFDLEVBQUUsS0FBSyxFQUFFLENBQUMsQ0FBQztRQUNyRCxPQUFPLE1BQU0sQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDO0lBQ2pELENBQUM7SUFFRCxLQUFLLENBQUMsTUFBTSxDQUNWLEdBQVcsRUFDWCxLQUFhLEVBQ2IsV0FBK0IsRUFDL0IsT0FBK0M7UUFLL0MsZUFBZTtRQUNmLElBQUksR0FBRyxDQUFDLFdBQVcsRUFBRSxDQUFDLFVBQVUsQ0FBQyxpQkFBaUIsQ0FBQyxFQUFFLENBQUM7WUFDcEQsTUFBTSxJQUFJLEtBQUssQ0FBQywyQkFBMkIsaUJBQWlCLHNDQUFzQyxDQUFDLENBQUM7UUFDdEcsQ0FBQztRQUNELElBQUksSUFBSSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUMsQ0FBQyxHQUFHLEtBQUssR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUM1QyxNQUFNLElBQUksS0FBSyxDQUFDLDhCQUE4QixHQUFHLGtCQUFrQixDQUFDLENBQUM7UUFDdkUsQ0FBQztRQUVELE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUN2QixNQUFNLE1BQU0sR0FBeUM7WUFDbkQsRUFBRSxFQUFFLE1BQU0sQ0FBQyxVQUFVLEVBQUU7WUFDdkIsR0FBRztZQUNILFdBQVc7WUFDWCxLQUFLLEVBQUUsRUFBRSxFQUFFLCtCQUErQjtZQUMxQyxPQUFPO1lBQ1AsY0FBYyxFQUFFLEVBQUU7WUFDbEIsU0FBUyxFQUFFLEdBQUc7WUFDZCxTQUFTLEVBQUUsR0FBRztTQUNmLENBQUM7UUFFRixJQUFJLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsQ0FBQztRQUMxQixNQUFNLElBQUksQ0FBQyxhQUFhLENBQUMsTUFBTSxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBRXhDLHNCQUFzQjtRQUN0QixNQUFNLFdBQVcsR0FBRyxNQUFNLElBQUksQ0FBQyxhQUFhLENBQUMsTUFBTSxFQUFFLFFBQVEsQ0FBQyxDQUFDO1FBQy9ELE1BQU0sQ0FBQyxjQUFjLEdBQUcsV0FBVyxDQUFDO1FBQ3BDLE1BQU0sQ0FBQyxZQUFZLEdBQUcsR0FBRyxDQUFDO1FBQzFCLE1BQU0sQ0FBQyxTQUFTLEdBQUcsR0FBRyxDQUFDO1FBQ3ZCLE1BQU0sSUFBSSxDQUFDLGNBQWMsQ0FBQyxPQUFPLENBQUMsR0FBRyxzQkFBc0IsR0FBRyxNQUFNLENBQUMsRUFBRSxPQUFPLEVBQUU7WUFDOUUsR0FBRyxNQUFNO1lBQ1QsS0FBSyxFQUFFLEdBQUcsZUFBZSxHQUFHLElBQUksQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDLEVBQUUsQ0FBQyxFQUFFO1NBQ3pELENBQUMsQ0FBQztRQUVILE1BQU0sQ0FBQyxJQUFJLENBQUMsMkJBQTJCLEdBQUcsVUFBVSxPQUFPLENBQUMsTUFBTSxZQUFZLENBQUMsQ0FBQztRQUNoRixPQUFPLEVBQUUsYUFBYSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDLEVBQUUsV0FBVyxFQUFFLENBQUM7SUFDakUsQ0FBQztJQUVELEtBQUssQ0FBQyxNQUFNLENBQ1YsRUFBVSxFQUNWLE9BSUM7UUFLRCxNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQyxDQUFDLEVBQUUsS0FBSyxFQUFFLENBQUMsQ0FBQztRQUNyRCxJQUFJLENBQUMsTUFBTTtZQUFFLE1BQU0sSUFBSSxLQUFLLENBQUMsNkJBQTZCLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFFaEUsTUFBTSxHQUFHLEdBQUcsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1FBRXZCLHVDQUF1QztRQUN2QyxJQUFJLE9BQU8sQ0FBQyxLQUFLLEtBQUssU0FBUyxFQUFFLENBQUM7WUFDaEMsTUFBTSxJQUFJLENBQUMsV0FBVyxDQUFDLFNBQVMsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLEVBQUUsQ0FBQyxFQUFFLE9BQU8sQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUN2RSxDQUFDO1FBRUQsSUFBSSxPQUFPLENBQUMsV0FBVyxLQUFLLFNBQVMsRUFBRSxDQUFDO1lBQ3RDLE1BQU0sQ0FBQyxXQUFXLEdBQUcsT0FBTyxDQUFDLFdBQVcsQ0FBQztRQUMzQyxDQUFDO1FBRUQsc0RBQXNEO1FBQ3RELElBQUksY0FBYyxHQUEyQyxFQUFFLENBQUM7UUFDaEUsSUFBSSxPQUFPLENBQUMsT0FBTyxLQUFLLFNBQVMsRUFBRSxDQUFDO1lBQ2xDLE1BQU0sVUFBVSxHQUFHLE1BQU0sQ0FBQyxPQUFPLENBQUM7WUFDbEMsTUFBTSxhQUFhLEdBQUcsSUFBSSxHQUFHLENBQzNCLE9BQU8sQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUMsQ0FBQyxZQUFZLElBQUksQ0FBQyxDQUFDLEtBQUssSUFBSSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FDeEUsQ0FBQztZQUNGLGNBQWMsR0FBRyxVQUFVLENBQUMsTUFBTSxDQUNoQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQyxhQUFhLENBQUMsR0FBRyxDQUFDLEdBQUcsQ0FBQyxDQUFDLFlBQVksSUFBSSxDQUFDLENBQUMsS0FBSyxJQUFJLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUN2RSxDQUFDO1lBQ0YsTUFBTSxDQUFDLE9BQU8sR0FBRyxPQUFPLENBQUMsT0FBTyxDQUFDO1FBQ25DLENBQUM7UUFFRCxNQUFNLENBQUMsU0FBUyxHQUFHLEdBQUcsQ0FBQztRQUV2Qiw4QkFBOEI7UUFDOUIsSUFBSSxjQUFjLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQzlCLE1BQU0sSUFBSSxDQUFDLGFBQWEsQ0FBQyxNQUFNLEVBQUUsUUFBUSxFQUFFLGNBQWMsQ0FBQyxDQUFDO1FBQzdELENBQUM7UUFFRCwwQkFBMEI7UUFDMUIsTUFBTSxXQUFXLEdBQUcsTUFBTSxJQUFJLENBQUMsYUFBYSxDQUFDLE1BQU0sRUFBRSxRQUFRLENBQUMsQ0FBQztRQUMvRCxNQUFNLENBQUMsY0FBYyxHQUFHLFdBQVcsQ0FBQztRQUNwQyxNQUFNLENBQUMsWUFBWSxHQUFHLEdBQUcsQ0FBQztRQUUxQixNQUFNLElBQUksQ0FBQyxjQUFjLENBQUMsT0FBTyxDQUFDLEdBQUcsc0JBQXNCLEdBQUcsTUFBTSxDQUFDLEVBQUUsT0FBTyxFQUFFO1lBQzlFLEdBQUcsTUFBTTtZQUNULEtBQUssRUFBRSxHQUFHLGVBQWUsR0FBRyxJQUFJLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUMsRUFBRTtTQUN6RCxDQUFDLENBQUM7UUFFSCxNQUFNLENBQUMsSUFBSSxDQUFDLDJCQUEyQixNQUFNLENBQUMsR0FBRyxHQUFHLENBQUMsQ0FBQztRQUN0RCxPQUFPLEVBQUUsYUFBYSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDLEVBQUUsV0FBVyxFQUFFLENBQUM7SUFDakUsQ0FBQztJQUVELEtBQUssQ0FBQyxNQUFNLENBQUMsRUFBVTtRQUlyQixNQUFNLE1BQU0sR0FBRyxJQUFJLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsQ0FBQyxDQUFDLEVBQUUsS0FBSyxFQUFFLENBQUMsQ0FBQztRQUNyRCxJQUFJLENBQUMsTUFBTTtZQUFFLE1BQU0sSUFBSSxLQUFLLENBQUMsNkJBQTZCLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFFaEUsdUNBQXVDO1FBQ3ZDLE1BQU0sYUFBYSxHQUFHLE1BQU0sSUFBSSxDQUFDLGFBQWEsQ0FBQyxNQUFNLEVBQUUsUUFBUSxDQUFDLENBQUM7UUFFakUsdUNBQXVDO1FBQ3ZDLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxPQUFPLENBQUMsT0FBTyxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBQ3pDLElBQUksQ0FBQyxPQUFPLENBQUMsTUFBTSxDQUFDLEdBQUcsRUFBRSxDQUFDLENBQUMsQ0FBQztRQUM1QixNQUFNLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxFQUFFLENBQUMsQ0FBQztRQUVqQyxNQUFNLENBQUMsSUFBSSxDQUFDLDJCQUEyQixNQUFNLENBQUMsR0FBRyxHQUFHLENBQUMsQ0FBQztRQUN0RCxPQUFPLEVBQUUsRUFBRSxFQUFFLElBQUksRUFBRSxhQUFhLEVBQUUsQ0FBQztJQUNyQyxDQUFDO0lBRUQsS0FBSyxDQUFDLE9BQU8sQ0FBQyxFQUFVO1FBSXRCLE1BQU0sTUFBTSxHQUFHLElBQUksQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDLENBQUMsRUFBRSxLQUFLLEVBQUUsQ0FBQyxDQUFDO1FBQ3JELElBQUksQ0FBQyxNQUFNO1lBQUUsTUFBTSxJQUFJLEtBQUssQ0FBQyw2QkFBNkIsRUFBRSxFQUFFLENBQUMsQ0FBQztRQUVoRSxNQUFNLEdBQUcsR0FBRyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7UUFDdkIsTUFBTSxXQUFXLEdBQUcsTUFBTSxJQUFJLENBQUMsYUFBYSxDQUFDLE1BQU0sRUFBRSxRQUFRLENBQUMsQ0FBQztRQUMvRCxNQUFNLENBQUMsY0FBYyxHQUFHLFdBQVcsQ0FBQztRQUNwQyxNQUFNLENBQUMsWUFBWSxHQUFHLEdBQUcsQ0FBQztRQUMxQixNQUFNLENBQUMsU0FBUyxHQUFHLEdBQUcsQ0FBQztRQUV2QixNQUFNLElBQUksQ0FBQyxjQUFjLENBQUMsT0FBTyxDQUFDLEdBQUcsc0JBQXNCLEdBQUcsTUFBTSxDQUFDLEVBQUUsT0FBTyxFQUFFO1lBQzlFLEdBQUcsTUFBTTtZQUNULEtBQUssRUFBRSxHQUFHLGVBQWUsR0FBRyxJQUFJLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxFQUFFLENBQUMsRUFBRTtTQUN6RCxDQUFDLENBQUM7UUFFSCxPQUFPLEVBQUUsYUFBYSxFQUFFLElBQUksQ0FBQyxVQUFVLENBQUMsTUFBTSxDQUFDLEVBQUUsV0FBVyxFQUFFLENBQUM7SUFDakUsQ0FBQztJQUVELEtBQUssQ0FBQyxPQUFPO1FBT1gsTUFBTSxPQUFPLEdBSVIsRUFBRSxDQUFDO1FBRVIsS0FBSyxNQUFNLE1BQU0sSUFBSSxJQUFJLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDbEMsTUFBTSxFQUFFLFdBQVcsRUFBRSxHQUFHLE1BQU0sSUFBSSxDQUFDLE9BQU8sQ0FBQyxNQUFNLENBQUMsRUFBRSxDQUFDLENBQUM7WUFDdEQsT0FBTyxDQUFDLElBQUksQ0FBQztnQkFDWCxlQUFlLEVBQUUsTUFBTSxDQUFDLEVBQUU7Z0JBQzFCLEdBQUcsRUFBRSxNQUFNLENBQUMsR0FBRztnQkFDZixXQUFXO2FBQ1osQ0FBQyxDQUFDO1FBQ0wsQ0FBQztRQUVELE9BQU8sT0FBTyxDQUFDO0lBQ2pCLENBQUM7Q0FDRiJ9

package/dist_ts/classes/syncmanager.d.ts

@@ -0,0 +1,189 @@
+import type * as interfaces from '../../dist_ts_interfaces/index.js';
+import type { ConnectionManager } from './connectionmanager.js';
+import type { ActionLog } from './actionlog.js';
+import type { StorageManager } from '../storage/index.js';
+/**
+ * Manages sync configurations and executes periodic git mirror operations.
+ * Each sync config defines a source → target connection mapping.
+ * Repos are mirrored using bare git repos stored on disk.
+ */
+export declare class SyncManager {
+    private storageManager;
+    private connectionManager;
+    private actionLog;
+    private configs;
+    private timers;
+    private runningSync;
+    private syncedGroupMeta;
+    private currentSyncConfig;
+    private avatarUploadCache;
+    private activeGitChildren;
+    private stopping;
+    private mirrorsPath;
+    constructor(storageManager: StorageManager, connectionManager: ConnectionManager, actionLog: ActionLog);
+    init(): Promise<void>;
+    stop(): Promise<void>;
+    getConfigs(): interfaces.data.ISyncConfig[];
+    getConfig(id: string): interfaces.data.ISyncConfig | undefined;
+    createConfig(data: {
+        name: string;
+        sourceConnectionId: string;
+        targetConnectionId: string;
+        targetGroupOffset?: string;
+        intervalMinutes?: number;
+        enforceDelete?: boolean;
+        enforceGroupDelete?: boolean;
+        addMirrorHint?: boolean;
+        useGroupAvatarsForProjects?: boolean;
+    }): Promise<interfaces.data.ISyncConfig>;
+    updateConfig(id: string, updates: {
+        name?: string;
+        targetGroupOffset?: string;
+        intervalMinutes?: number;
+        enforceDelete?: boolean;
+        enforceGroupDelete?: boolean;
+        addMirrorHint?: boolean;
+        useGroupAvatarsForProjects?: boolean;
+    }): Promise<interfaces.data.ISyncConfig>;
+    deleteConfig(id: string): Promise<void>;
+    pauseConfig(id: string, paused: boolean): Promise<interfaces.data.ISyncConfig>;
+    getRepoStatuses(syncConfigId: string): Promise<interfaces.data.ISyncRepoStatus[]>;
+    previewSync(configId: string): Promise<{
+        mappings: Array<{
+            sourceFullPath: string;
+            targetFullPath: string;
+        }>;
+        deletions: string[];
+        groupDeletions: string[];
+    }>;
+    executeSync(configId: string, force?: boolean): Promise<void>;
+    private syncRepo;
+    private ensureTargetExists;
+    private ensureGitLabTarget;
+    private ensureGiteaTarget;
+    private enforceDeleteStaleRepos;
+    private enforceDeleteStaleGroups;
+    /**
+     * Move a GitLab group to the obsolete group with a unique suffix.
+     * Transfers the entire group (including subgroups and projects).
+     */
+    private moveGroupToObsolete;
+    /**
+     * Move all repos in a Gitea org to obsolete, then delete the empty org.
+     * Gitea orgs can't be transferred, so we move repos individually.
+     */
+    private moveGiteaOrgToObsolete;
+    /**
+     * Returns true if the given full path belongs to an obsolete namespace.
+     * Matches path segments named "obsolete" or ending with "-obsolete".
+     */
+    private isObsoletePath;
+    private buildAuthUrl;
+    private computeRelativePath;
+    /**
+     * Reverse-map a target group path to the corresponding source group path.
+     * Returns null if the target path is part of the offset itself (not a source-derived group).
+     */
+    private reverseTargetGroupPath;
+    private computeTargetFullPath;
+    /**
+     * Validates that the sync config's targetGroupOffset is reachable
+     * by the target connection's groupFilter. Throws when enforceDelete
+     * is on and the offset is outside the filter scope.
+     */
+    private validateSyncConfig;
+    /**
+     * Download binary data (e.g. avatar image) with provider auth headers.
+     * Returns null on 404 or error.
+     */
+    private rawBinaryFetch;
+    /**
+     * Raw multipart call for avatar uploads (GitLab requires multipart FormData).
+     */
+    private rawMultipartCall;
+    /**
+     * Normalize visibility values between GitLab and Gitea.
+     * GitLab: "public" | "internal" | "private"
+     * Gitea:  "public" | "limited" | "private"
+     */
+    private normalizeVisibility;
+    /**
+     * Guess MIME type from binary content or URL for avatar uploads.
+     */
+    private guessAvatarMimeType;
+    /**
+     * Pre-push: ensure target's default_branch matches source so --prune won't delete it.
+     */
+    private syncDefaultBranchBeforePush;
+    /**
+     * Unprotect branches on the target that no longer exist in the source,
+     * so that git push --prune can delete them.
+     */
+    private unprotectStaleBranches;
+    /**
+     * Sync project metadata (description, visibility, topics, default_branch, avatar)
+     * from source to target after the git push.
+     */
+    private syncProjectMetadata;
+    /**
+     * Sync group/org metadata (description, visibility, avatar) from source to target.
+     */
+    private syncGroupMetadata;
+    private fetchProjectRaw;
+    private fetchGroupRaw;
+    private extractProjectMeta;
+    private extractGroupMeta;
+    private updateProjectMeta;
+    private updateGroupMeta;
+    private syncProjectAvatar;
+    private removeProjectAvatar;
+    private syncGroupAvatar;
+    private removeGroupAvatar;
+    private binaryEqual;
+    private hashBytes;
+    private uint8ArrayToBase64;
+    /**
+     * Raw HTTP call for API endpoints not supported by the client libraries.
+     */
+    private rawApiCall;
+    private generateSuffix;
+    /**
+     * Ensure an "obsolete" group/org exists under the target base path.
+     * Returns the obsolete group/org identifier needed for transfers.
+     */
+    private ensureObsoleteGroup;
+    /**
+     * Move a target repo to the "obsolete" group with a unique suffix.
+     * The project is also set to private.
+     */
+    private moveToObsolete;
+    /**
+     * Check whether the target remote in a bare mirror dir has unrelated history
+     * compared to the source (origin). Returns true if histories are completely disjoint.
+     */
+    private checkUnrelatedHistory;
+    private sanitizePath;
+    private dirExists;
+    /**
+     * Fetch all branch and tag SHAs from a repo via provider API.
+     * Returns null on any error (safe fallback to git-based comparison).
+     */
+    private listRefsViaProvider;
+    /**
+     * Compare refs between source and target via provider API (no git clone needed).
+     * Returns true (match), false (differ), or null (can't determine — fall through to git).
+     */
+    private refsMatchViaApi;
+    /**
+     * Compare local refs (source) with target remote refs.
+     * Returns true when all branches and tags are identical — no push needed.
+     */
+    private refsMatch;
+    private runGit;
+    private loadConfigs;
+    private persistConfig;
+    private updateRepoStatus;
+    private startTimer;
+    private stopTimer;
+    private waitForRunningSyncs;
+}