@treeseed/sdk 0.8.1 → 0.8.3

package/dist/operations/services/config-runtime.d.ts

@@ -315,12 +315,13 @@ export declare function checkTreeseedProviderConnections({ tenantRoot, scope, en
     issues: any[];
 }>;
 export declare function formatTreeseedProviderConnectionReport(report: any): string;
-export declare function syncTreeseedGitHubEnvironment({ tenantRoot, scope, dryRun, repository: repositoryInput, valuesOverlay, execution, concurrency, onProgress, }: {
+export declare function syncTreeseedGitHubEnvironment({ tenantRoot, scope, dryRun, repository: repositoryInput, valuesOverlay, managedHostMode, execution, concurrency, onProgress, }: {
     tenantRoot: string;
     scope?: TreeseedConfigScope;
     dryRun?: boolean;
     repository?: string | null;
     valuesOverlay?: Record<string, string | undefined>;
+    managedHostMode?: 'auto' | 'direct' | 'managed';
     execution?: 'parallel' | 'sequential';
     concurrency?: number;
     onProgress?: (message: string, stream?: 'stdout' | 'stderr') => void;

package/dist/operations/services/config-runtime.js

@@ -52,6 +52,10 @@ import {
   resolveTreeseedToolBinary,
   resolveTreeseedToolCommand
 } from "../../managed-dependencies.js";
+import {
+  filterManagedHostGitHubEnvironment,
+  usesManagedHostOperationRequests
+} from "./managed-host-security.js";
 import {
   assertTreeseedKeyAgentResponse,
   getTreeseedKeyAgentPaths,
@@ -1979,6 +1983,7 @@ async function syncTreeseedGitHubEnvironment({
   dryRun = false,
   repository: repositoryInput,
   valuesOverlay = {},
+  managedHostMode = "auto",
   execution = "parallel",
   concurrency = 4,
   onProgress
@@ -1992,7 +1997,22 @@ async function syncTreeseedGitHubEnvironment({
     ...resolveTreeseedMachineEnvironmentValues(tenantRoot, scope),
     ...nonEmptyEnvironmentValues(valuesOverlay)
   };
-  const relevant = registry.entries.filter((entry) => entry.scopes.includes(scope));
+  const deployConfig = loadCliDeployConfig(tenantRoot);
+  const managedBoundary = managedHostMode === "managed" || managedHostMode === "auto" && usesManagedHostOperationRequests(deployConfig);
+  const allowed = managedBoundary ? filterManagedHostGitHubEnvironment({
+    secrets: registry.entries.filter((entry) => entry.scopes.includes(scope) && entry.targets.includes("github-secret")).map((entry) => entry.id),
+    variables: registry.entries.filter((entry) => entry.scopes.includes(scope) && entry.targets.includes("github-variable")).map((entry) => entry.id)
+  }) : null;
+  const allowedSecrets = allowed ? new Set(allowed.secrets) : null;
+  const allowedVariables = allowed ? new Set(allowed.variables) : null;
+  const relevant = registry.entries.filter((entry) => {
+    if (!entry.scopes.includes(scope)) return false;
+    if (!managedBoundary) return true;
+    if (entry.sensitivity === "secret") {
+      return Boolean(entry.targets.includes("github-secret") && allowedSecrets?.has(entry.id));
+    }
+    return Boolean(entry.targets.includes("github-variable") && allowedVariables?.has(entry.id));
+  });
   const ghToken = values.GH_TOKEN || process.env.GH_TOKEN || process.env.GITHUB_TOKEN || "";
   const ghEnv = ghToken ? {
     GH_TOKEN: ghToken,

package/dist/operations/services/github-automation.d.ts

@@ -68,22 +68,25 @@ export declare function initializeGitHubRepositoryWorkingTree(cwd: any, reposito
     pushed: boolean;
 };
 export declare function resolveGitRepositoryRoot(tenantRoot: any): any;
-export declare function requiredGitHubEnvironment(tenantRoot: any, { scope, purpose }?: {
+export declare function requiredGitHubEnvironment(tenantRoot: any, { scope, purpose, managedHostMode }?: {
     scope?: string | undefined;
     purpose?: string | undefined;
+    managedHostMode?: string | undefined;
 }): {
     secrets: string[];
     variables: string[];
 };
 export declare function requiredGitHubSecrets(tenantRoot: any): string[];
-export declare function renderDeployWorkflow({ workingDirectory }: {
+export declare function renderDeployWorkflow({ workingDirectory, executionBoundary }: {
     workingDirectory: any;
+    executionBoundary?: string | undefined;
 }): string;
 export declare function renderHostedProjectWorkflow({ workingDirectory }: {
     workingDirectory: any;
 }): string;
 export declare function ensureDeployWorkflow(tenantRoot: any): {
     workingDirectory: string;
+    executionBoundary: string;
     workflowPath: string;
     changed: boolean;
 };
@@ -94,6 +97,7 @@ export declare function ensureHostedProjectWorkflow(tenantRoot: any): {
 };
 export declare function ensureStandardizedGitHubWorkflows(tenantRoot: any): {
     workingDirectory: string;
+    executionBoundary: string;
     workflowPath: string;
     changed: boolean;
 }[];
@@ -109,11 +113,12 @@ export declare function ensureGitHubSecrets(tenantRoot: any, { dryRun }?: {
     existing: string[];
     created: string[];
 }>;
-export declare function ensureGitHubEnvironment(tenantRoot: any, { dryRun, scope, purpose, valuesOverlay }?: {
+export declare function ensureGitHubEnvironment(tenantRoot: any, { dryRun, scope, purpose, valuesOverlay, managedHostMode }?: {
     dryRun?: boolean | undefined;
     scope?: string | undefined;
     purpose?: string | undefined;
     valuesOverlay?: {} | undefined;
+    managedHostMode?: string | undefined;
 }): Promise<{
     repository: null;
     secrets: {
@@ -144,11 +149,13 @@ export declare function ensureGitHubDeployAutomation(tenantRoot: any, { dryRun,
     mode: string;
     workflow: {
         workingDirectory: string;
+        executionBoundary: string;
         workflowPath: string;
         changed: boolean;
     };
     workflows: {
         workingDirectory: string;
+        executionBoundary: string;
         workflowPath: string;
         changed: boolean;
     }[];

package/dist/operations/services/github-automation.js

@@ -3,6 +3,10 @@ import { dirname, relative, resolve } from "node:path";
 import { spawnSync } from "node:child_process";
 import { resolveTreeseedEnvironmentRegistry } from "../../platform/environment.js";
 import { packageRoot, loadCliDeployConfig } from "./runtime-tools.js";
+import {
+  filterManagedHostGitHubEnvironment,
+  usesManagedHostOperationRequests
+} from "./managed-host-security.js";
 import {
   createGitHubApiClient,
   ensureGitHubRepository,
@@ -256,16 +260,18 @@ function resolveGitRepositoryRoot(tenantRoot) {
   const result = runGit(["rev-parse", "--show-toplevel"], { cwd: tenantRoot, allowFailure: true });
   return result.status === 0 ? result.stdout.trim() : tenantRoot;
 }
-function requiredGitHubEnvironment(tenantRoot, { scope = "prod", purpose = "save" } = {}) {
+function requiredGitHubEnvironment(tenantRoot, { scope = "prod", purpose = "save", managedHostMode = "auto" } = {}) {
   const deployConfig = loadCliDeployConfig(tenantRoot);
   const registry = resolveTreeseedEnvironmentRegistry({ deployConfig });
   const relevant = registry.entries.filter(
     (entry) => entry.scopes.includes(scope) && entry.purposes.includes(purpose) && (!entry.isRelevant || entry.isRelevant(registry.context, scope, purpose))
   );
-  return {
+  const required = {
     secrets: [...new Set(relevant.filter((entry) => entry.targets.includes("github-secret")).map((entry) => entry.id))],
     variables: [...new Set(relevant.filter((entry) => entry.targets.includes("github-variable")).map((entry) => entry.id))]
   };
+  const managedBoundary = managedHostMode === "managed" || managedHostMode === "auto" && usesManagedHostOperationRequests(deployConfig);
+  return managedBoundary ? filterManagedHostGitHubEnvironment(required) : required;
 }
 function requiredGitHubSecrets(tenantRoot) {
   return requiredGitHubEnvironment(tenantRoot).secrets;
@@ -299,8 +305,11 @@ function renderWorkflowTemplate(templateName, { workingDirectory }) {
     normalizedWorkingDirectory === "." ? "package-lock.json" : `${normalizedWorkingDirectory}/package-lock.json`
   );
 }
-function renderDeployWorkflow({ workingDirectory }) {
-  return renderWorkflowTemplate("deploy.workflow.yml", { workingDirectory });
+function deployWorkflowTemplateName(executionBoundary = "direct") {
+  return executionBoundary === "managed" ? "deploy.managed.workflow.yml" : "deploy.workflow.yml";
+}
+function renderDeployWorkflow({ workingDirectory, executionBoundary = "direct" }) {
+  return renderWorkflowTemplate(deployWorkflowTemplateName(executionBoundary), { workingDirectory });
 }
 function renderHostedProjectWorkflow({ workingDirectory }) {
   return renderWorkflowTemplate("hosted-project.workflow.yml", { workingDirectory });
@@ -318,10 +327,13 @@ function ensureWorkflowFile(tenantRoot, fileName, expected) {
 function ensureDeployWorkflow(tenantRoot) {
   const repositoryRoot = resolveGitRepositoryRoot(tenantRoot);
   const workingDirectory = relative(repositoryRoot, tenantRoot).replaceAll("\\", "/") || ".";
-  const expected = renderDeployWorkflow({ workingDirectory });
+  const deployConfig = loadCliDeployConfig(tenantRoot);
+  const executionBoundary = usesManagedHostOperationRequests(deployConfig) ? "managed" : "direct";
+  const expected = renderDeployWorkflow({ workingDirectory, executionBoundary });
   return {
     ...ensureWorkflowFile(tenantRoot, "deploy.yml", expected),
-    workingDirectory
+    workingDirectory,
+    executionBoundary
   };
 }
 function ensureHostedProjectWorkflow(tenantRoot) {
@@ -370,7 +382,7 @@ function nonEmptyValues(values = {}) {
     Object.entries(values).filter(([, value]) => typeof value === "string" && value.length > 0)
   );
 }
-async function ensureGitHubEnvironment(tenantRoot, { dryRun = false, scope = "prod", purpose = "save", valuesOverlay = {} } = {}) {
+async function ensureGitHubEnvironment(tenantRoot, { dryRun = false, scope = "prod", purpose = "save", valuesOverlay = {}, managedHostMode = "auto" } = {}) {
   const repository = maybeResolveGitHubRepositorySlug(tenantRoot);
   if (!repository) {
     if (dryRun) {
@@ -383,7 +395,7 @@ async function ensureGitHubEnvironment(tenantRoot, { dryRun = false, scope = "pr
     }
     throw new Error("Unable to determine GitHub repository from the current tenant. Configure an origin remote before syncing GitHub secrets.");
   }
-  const required = requiredGitHubEnvironment(tenantRoot, { scope, purpose });
+  const required = requiredGitHubEnvironment(tenantRoot, { scope, purpose, managedHostMode });
   const requiredSecrets = required.secrets;
   const requiredVariables = required.variables;
   const client = createGitHubApiClient();

package/dist/operations/services/hosting-audit.d.ts

@@ -0,0 +1,67 @@
+import { type TreeseedEnvironmentScope } from '../../platform/environment.ts';
+import type { TreeseedReconcileTarget } from '../../reconcile/contracts.ts';
+export type TreeseedHostingAuditEnvironment = 'current' | 'local' | 'staging' | 'prod';
+export type TreeseedHostingAuditResolvedEnvironment = 'local' | 'staging' | 'prod' | 'preview';
+export type TreeseedHostingAuditHostKind = 'repository' | 'web' | 'processing' | 'email';
+export type TreeseedHostingAuditCheckStatus = 'passed' | 'warning' | 'failed' | 'skipped' | 'repaired';
+export type TreeseedHostingAuditSeverity = 'info' | 'warning' | 'critical';
+export type TreeseedHostingAuditCheck = {
+    id: string;
+    hostType: TreeseedHostingAuditHostKind | 'platform';
+    provider: string;
+    category: 'config' | 'identity' | 'resource' | 'connectivity' | 'repair' | 'security';
+    status: TreeseedHostingAuditCheckStatus;
+    severity: TreeseedHostingAuditSeverity;
+    summary: string;
+    detail?: string;
+    resourceRef?: string;
+    repairAvailable?: boolean;
+    repaired?: boolean;
+    remediation?: string;
+};
+export type TreeseedHostingAuditReport = {
+    ok: boolean;
+    environment: TreeseedHostingAuditResolvedEnvironment;
+    requestedEnvironment: TreeseedHostingAuditEnvironment;
+    repairMode: boolean;
+    repaired: boolean;
+    target: {
+        kind: TreeseedReconcileTarget['kind'];
+        scope?: string;
+        branchName?: string;
+        label: string;
+    };
+    hostKinds: TreeseedHostingAuditHostKind[];
+    checkedAt: string;
+    checks: TreeseedHostingAuditCheck[];
+    missingConfig: Array<{
+        key: string;
+        hostType: TreeseedHostingAuditHostKind | 'platform';
+        severity: TreeseedHostingAuditSeverity;
+        summary: string;
+    }>;
+    resources: Record<string, unknown>;
+    warnings: string[];
+    blockers: string[];
+    nextActions: string[];
+};
+export type TreeseedHostingAuditOptions = {
+    tenantRoot: string;
+    environment?: TreeseedHostingAuditEnvironment;
+    repair?: boolean;
+    env?: NodeJS.ProcessEnv | Record<string, string | undefined>;
+    valuesOverlay?: Record<string, string | undefined>;
+    hostKinds?: TreeseedHostingAuditHostKind[];
+    write?: (line: string) => void;
+};
+export declare function resolveTreeseedHostingAuditTarget({ tenantRoot, environment, }: {
+    tenantRoot: string;
+    environment?: TreeseedHostingAuditEnvironment;
+}): {
+    environment: TreeseedHostingAuditResolvedEnvironment;
+    scope: TreeseedEnvironmentScope;
+    target: TreeseedReconcileTarget;
+    branchName: string | null;
+};
+export declare function runTreeseedHostingAudit({ tenantRoot, environment, repair, env, valuesOverlay, hostKinds: requestedHostKinds, write, }: TreeseedHostingAuditOptions): Promise<TreeseedHostingAuditReport>;
+export declare function formatTreeseedHostingAuditReport(report: TreeseedHostingAuditReport): string;