npm - @uofx/cli - Versions diffs - 1.0.0 - Mend

@uofx/cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (238) hide show

package/dist/infrastructure/config/crypto.service.js ADDED Viewed

@@ -0,0 +1,125 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CryptoService = void 0;
+const crypto = __importStar(require("crypto"));
+/**
+ * 混淆用字典字串
+ */
+const DICT = 'Kp9Xw4LmNrT2vQcYbU7sE0oA5gHdI3lJfZ6WxjMyS8nVuROe1tCaBkFhGqDiP=/+z';
+const OFFSET = 23;
+/**
+ * AES 密鑰 (hex 編碼後混淆)
+ * 原始密鑰: 32 bytes = 64 hex chars
+ */
+const ENCODED_AES_KEY = [25, 57, 50, 34, 37, 25, 37, 25, 39, 39, 25, 50, 57, 71, 41, 57, 37, 34, 57, 70, 70, 41, 41, 39, 25, 47, 25, 52, 47, 64, 64, 57, 70, 41, 25, 28, 70, 70, 64, 44, 37, 34, 41, 28, 28, 70, 41, 70, 41, 52, 28, 47, 50, 64, 50, 64, 57, 57, 34, 57, 64, 25, 64, 74];
+/**
+ * 解碼混淆字串
+ */
+function decodeObfuscated(indices) {
+    return indices.map(i => DICT[i - OFFSET]).join('');
+}
+/**
+ * 加密前綴，用於識別加密後的字串
+ */
+const ENCRYPTED_PREFIX = 'ENC:';
+/**
+ * 加密服務
+ * 使用 AES-256-GCM 對稱加密
+ */
+class CryptoService {
+    /**
+     * 取得解碼後的密鑰
+     */
+    static getKey() {
+        const keyHex = decodeObfuscated(ENCODED_AES_KEY);
+        return Buffer.from(keyHex, 'hex');
+    }
+    /**
+     * 加密字串
+     * @param plaintext 明文
+     * @returns 加密後的字串，格式: ENC:base64(iv + authTag + ciphertext)
+     */
+    static encrypt(plaintext) {
+        const key = this.getKey();
+        const iv = crypto.randomBytes(this.IV_LENGTH);
+        const cipher = crypto.createCipheriv(this.ALGORITHM, key, iv);
+        const encrypted = Buffer.concat([
+            cipher.update(plaintext, 'utf8'),
+            cipher.final(),
+        ]);
+        const authTag = cipher.getAuthTag();
+        // 組合: iv (16) + authTag (16) + ciphertext
+        const combined = Buffer.concat([iv, authTag, encrypted]);
+        return ENCRYPTED_PREFIX + combined.toString('base64');
+    }
+    /**
+     * 解密字串
+     * @param encrypted 加密後的字串
+     * @returns 解密後的明文
+     * @throws 如果解密失敗
+     */
+    static decrypt(encrypted) {
+        if (!this.isEncrypted(encrypted)) {
+            throw new Error('Invalid encrypted format');
+        }
+        const key = this.getKey();
+        const data = Buffer.from(encrypted.slice(ENCRYPTED_PREFIX.length), 'base64');
+        // 解析: iv (16) + authTag (16) + ciphertext
+        const iv = data.subarray(0, this.IV_LENGTH);
+        const authTag = data.subarray(this.IV_LENGTH, this.IV_LENGTH + this.AUTH_TAG_LENGTH);
+        const ciphertext = data.subarray(this.IV_LENGTH + this.AUTH_TAG_LENGTH);
+        const decipher = crypto.createDecipheriv(this.ALGORITHM, key, iv);
+        decipher.setAuthTag(authTag);
+        const decrypted = Buffer.concat([
+            decipher.update(ciphertext),
+            decipher.final(),
+        ]);
+        return decrypted.toString('utf8');
+    }
+    /**
+     * 檢查字串是否為加密格式
+     * @param value 要檢查的字串
+     * @returns 是否為加密格式
+     */
+    static isEncrypted(value) {
+        return value.startsWith(ENCRYPTED_PREFIX);
+    }
+}
+exports.CryptoService = CryptoService;
+CryptoService.ALGORITHM = 'aes-256-gcm';
+CryptoService.IV_LENGTH = 16;
+CryptoService.AUTH_TAG_LENGTH = 16;
+//# sourceMappingURL=crypto.service.js.map

package/dist/infrastructure/deployment/deployment.adapter.js ADDED Viewed

@@ -0,0 +1,118 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeploymentAdapter = void 0;
+const tsyringe_1 = require("tsyringe");
+const tokens_1 = require("../../di/tokens");
+const chart_version_value_object_1 = require("../../domain/value-objects/chart-version.value-object");
+const credentials_entity_1 = require("../../domain/entities/credentials.entity");
+/**
+ * Deployment Adapter
+ *
+ * implements IDeploymentPort
+ * 整合 K8s、Helm、Secret 管理等部署能力
+ */
+let DeploymentAdapter = class DeploymentAdapter {
+    constructor(mssqlDeployment, jobRunner, infraManager, serviceManager, appManager, secretManager, helmRegistry, versionCompatibility) {
+        this.mssqlDeployment = mssqlDeployment;
+        this.jobRunner = jobRunner;
+        this.infraManager = infraManager;
+        this.serviceManager = serviceManager;
+        this.appManager = appManager;
+        this.secretManager = secretManager;
+        this.helmRegistry = helmRegistry;
+        this.versionCompatibility = versionCompatibility;
+    }
+    async deployMssql(instanceName, params, version, output) {
+        await this.mssqlDeployment.deployMssql(instanceName, params, version, output);
+        await this.jobRunner.runInitJobs(instanceName, params, version, output);
+    }
+    async deployInfra(instanceName, params, version, output) {
+        await this.infraManager.deployInfra(instanceName, params, version, output);
+    }
+    async deployService(instanceName, params, version, output) {
+        await this.serviceManager.deployService(instanceName, params, version, output);
+    }
+    async deployApp(instanceName, params, version, output) {
+        await this.appManager.deployApp(instanceName, params, version, output);
+    }
+    async createGlobalConfigSecret(instanceName, params, output) {
+        const rsaKeys = {
+            signInRsa: {
+                privateKey: params.signInRsaKeys.privateKey,
+                publicKey: params.signInRsaKeys.publicKey,
+            },
+            uofxRsa: {
+                privateKey: params.uofxRsaKeys.privateKey,
+                publicKey: params.uofxRsaKeys.publicKey,
+            },
+        };
+        await this.secretManager.createGlobalConfigSecret(instanceName, params.saPassword.toString(), params.adminPassword.toString(), rsaKeys, params.jwtKey.toString(), output);
+    }
+    async getLatestCompatibleVersion(_chartName) {
+        const versionStr = await this.versionCompatibility.getLatestCompatibleVersion();
+        return chart_version_value_object_1.ChartVersion.create(versionStr);
+    }
+    async validateChartVersion(_chartName, version) {
+        // 透過 versionCompatibility 驗證
+        try {
+            await this.versionCompatibility.validateChartVersion(version.toString());
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async getCredentials(instanceName) {
+        const globalConfig = await this.secretManager.getGlobalConfigSecret(instanceName);
+        if (!globalConfig) {
+            return null;
+        }
+        // 從 GlobalConfigData 轉換為 Credentials
+        return credentials_entity_1.Credentials.fromObject({
+            instanceName: globalConfig.instanceName,
+            saPassword: globalConfig.saPassword || '',
+            adminPassword: globalConfig.adminPassword || '',
+            signInRsaPrivateKey: globalConfig.signInRsaPrivateKey || '',
+            signInRsaPublicKey: globalConfig.signInRsaPublicKey || '',
+            uofxRsaPrivateKey: globalConfig.uofxRsaPrivateKey || '',
+            uofxRsaPublicKey: globalConfig.uofxRsaPublicKey || '',
+            jwtSigningKey: globalConfig.jwtSigningKey || '',
+            connectionStringUofxDb: globalConfig.connectionStringUofxDb || '',
+            connectionStringUofxSearchDb: globalConfig.connectionStringUofxSearchDb || '',
+        });
+    }
+    async listChartVersions(_chartName) {
+        // 從 versionCompatibility 取得相容版本清單
+        const compatibility = await this.versionCompatibility.getCompatibility();
+        return compatibility.compatibleCharts.map((v) => chart_version_value_object_1.ChartVersion.create(v));
+    }
+    async getEnvironmentVersion(chartVersion) {
+        return await this.versionCompatibility.getEnvironmentVersion(chartVersion);
+    }
+};
+exports.DeploymentAdapter = DeploymentAdapter;
+exports.DeploymentAdapter = DeploymentAdapter = __decorate([
+    (0, tsyringe_1.injectable)(),
+    __param(0, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IMssqlHelmDeployment)),
+    __param(1, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IK8sJobRunner)),
+    __param(2, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.InfraManagerService)),
+    __param(3, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.ServiceManagerService)),
+    __param(4, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.AppManagerService)),
+    __param(5, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.SecretManagerService)),
+    __param(6, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.HelmRegistryService)),
+    __param(7, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.VersionCompatibilityService)),
+    __metadata("design:paramtypes", [Object, Object, Object, Object, Object, Object, Object, Object])
+], DeploymentAdapter);
+//# sourceMappingURL=deployment.adapter.js.map

package/dist/infrastructure/deployment/interfaces/acr-credential-manager.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=acr-credential-manager.interface.js.map

package/dist/infrastructure/deployment/interfaces/app-manager.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=app-manager.interface.js.map

package/dist/infrastructure/deployment/interfaces/helm-registry.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=helm-registry.interface.js.map

package/dist/infrastructure/deployment/interfaces/infra-manager.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=infra-manager.interface.js.map

package/dist/infrastructure/deployment/interfaces/k8s-job-runner.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=k8s-job-runner.interface.js.map

package/dist/infrastructure/deployment/interfaces/mssql-database-init.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=mssql-database-init.interface.js.map

package/dist/infrastructure/deployment/interfaces/mssql-helm-deployment.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=mssql-helm-deployment.interface.js.map

package/dist/infrastructure/deployment/interfaces/mssql-storage.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=mssql-storage.interface.js.map

package/dist/infrastructure/deployment/interfaces/mssql-user-manager.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=mssql-user-manager.interface.js.map

package/dist/infrastructure/deployment/interfaces/oci-artifact.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=oci-artifact.interface.js.map

package/dist/infrastructure/deployment/interfaces/secret-manager.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=secret-manager.interface.js.map

package/dist/infrastructure/deployment/interfaces/service-manager.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=service-manager.interface.js.map

package/dist/infrastructure/deployment/interfaces/version-compatibility.interface.js ADDED Viewed

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=version-compatibility.interface.js.map

package/dist/infrastructure/deployment/services/acr-credential-manager.service.js ADDED Viewed

@@ -0,0 +1,144 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AcrCredentialManagerService = void 0;
+const tsyringe_1 = require("tsyringe");
+const fs = __importStar(require("fs"));
+const tokens_1 = require("../../../di/tokens");
+const sensitive_decorator_1 = require("../../../domain/decorators/sensitive.decorator");
+let AcrCredentialManagerService = class AcrCredentialManagerService {
+    constructor(appConfig) {
+        this.appConfig = appConfig;
+    }
+    /**
+     * 從檔案載入 ACR 憑證
+     * 支援新格式 (name, account, password) 與舊格式 (acrName, acrAccount, acrPassword)
+     * @param filePath 憑證檔案路徑
+     */
+    loadCredentialsFromFile(filePath) {
+        // 檢查檔案存在
+        if (!fs.existsSync(filePath)) {
+            throw new Error(`Pull secret file not found: ${filePath}`);
+        }
+        // 讀取檔案
+        const content = fs.readFileSync(filePath, 'utf8');
+        // 解析 JSON
+        let raw;
+        try {
+            raw = JSON.parse(content);
+        }
+        catch {
+            throw new Error('Invalid JSON format in pull secret file');
+        }
+        // 正規化欄位名稱（支援舊格式相容）
+        const credentials = this.normalizeCredentials(raw);
+        // 驗證必要欄位
+        this.validateCredentials(credentials);
+        return credentials;
+    }
+    /**
+     * 取得預設 ACR 憑證（從設定檔）
+     * @returns 預設憑證，若未設定或不完整則返回 null
+     */
+    getDefaultCredentials() {
+        const config = this.appConfig.getConfig();
+        const acr = config.acr;
+        // 檢查是否有完整的預設憑證
+        if (acr.name && acr.account && acr.password) {
+            return {
+                name: acr.name,
+                account: acr.account,
+                password: acr.password,
+            };
+        }
+        return null;
+    }
+    /**
+     * 正規化憑證欄位名稱
+     * 支援舊格式 (acrName, acrAccount, acrPassword) 轉換為新格式
+     */
+    normalizeCredentials(raw) {
+        return {
+            name: raw.name || raw.acrName || '',
+            account: raw.account || raw.acrAccount || '',
+            password: raw.password || raw.acrPassword || '',
+        };
+    }
+    /**
+     * 驗證憑證格式 (僅檢查欄位是否存在，不進行登入驗證)
+     */
+    validateCredentials(credentials) {
+        if (!credentials.name) {
+            throw new Error('Missing required field in pull secret: name (or acrName)');
+        }
+        if (!credentials.account) {
+            throw new Error('Missing required field in pull secret: account (or acrAccount)');
+        }
+        if (!credentials.password) {
+            throw new Error('Missing required field in pull secret: password (or acrPassword)');
+        }
+    }
+};
+exports.AcrCredentialManagerService = AcrCredentialManagerService;
+__decorate([
+    (0, sensitive_decorator_1.SensitiveReturn)(),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String]),
+    __metadata("design:returntype", Object)
+], AcrCredentialManagerService.prototype, "loadCredentialsFromFile", null);
+__decorate([
+    (0, sensitive_decorator_1.SensitiveReturn)(),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", Object)
+], AcrCredentialManagerService.prototype, "getDefaultCredentials", null);
+exports.AcrCredentialManagerService = AcrCredentialManagerService = __decorate([
+    (0, tsyringe_1.injectable)(),
+    __param(0, (0, tsyringe_1.inject)(tokens_1.TOKENS.IAppConfig)),
+    __metadata("design:paramtypes", [Object])
+], AcrCredentialManagerService);
+//# sourceMappingURL=acr-credential-manager.service.js.map

package/dist/infrastructure/deployment/services/app-manager.service.js ADDED Viewed

@@ -0,0 +1,193 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AppManagerService = void 0;
+const tsyringe_1 = require("tsyringe");
+const tokens_1 = require("../../../di/tokens");
+const deployment_parameters_entity_1 = require("../../../domain/entities/deployment-parameters.entity");
+const sensitive_decorator_1 = require("../../../domain/decorators/sensitive.decorator");
+const base_helm_deployment_service_1 = require("./base-helm-deployment.service");
+const index_1 = require("../../../constants/index");
+/**
+ * 應用程式管理服務
+ *
+ * 負責 uofx 應用程式 Helm chart 的部署管理，包含：
+ * - Blue/Green 部署策略
+ * - Registry 登入與 Chart 拉取
+ * - Helm Release 安裝與配置
+ * - K8s 就緒檢查
+ *
+ * 繼承 BaseHelmDeploymentService 使用模板方法模式
+ */
+let AppManagerService = class AppManagerService extends base_helm_deployment_service_1.BaseHelmDeploymentService {
+    constructor(envFactory, helmRegistry, logger) {
+        super(helmRegistry, logger, envFactory);
+    }
+    /**
+     * 部署 uofx 應用程式
+     * @param instanceName - 目標 WSL 實例名稱
+     * @param params - 部署參數（含敏感資料）
+     * @param chartVersion - Chart 版本
+     * @param progress - 進度通知回調
+     */
+    async deployApp(instanceName, params, chartVersion, output) {
+        output?.item('arrow', 'Deploying uofx application chart...').flush();
+        await this.deployWithHelm(instanceName, params, chartVersion, output);
+    }
+    // =========================================================================
+    // BaseHelmDeploymentService 抽象方法實作
+    // =========================================================================
+    getServiceName() {
+        return 'App';
+    }
+    getDeploymentConfig(chartVersion) {
+        return {
+            chartName: 'uofx',
+            chartVersion,
+        };
+    }
+    /**
+     * 安裝前處理：修補 Secret 以轉移管理權限
+     * 將 web-appsettings-secret 的 meta.helm.sh/release-name 標註為 uofx-blue
+     */
+    async preInstall(instanceName, _params, _output) {
+        await this.patchSecret(instanceName);
+    }
+    async installChart(instanceName, chartPath, params, output) {
+        // 透過 stdin 傳遞 values 以避免將敏感資料寫入磁碟
+        const valuesContent = this.createValuesContent(params);
+        const builder = this.createHelmUpgradeBuilder(instanceName, {
+            releaseName: 'uofx-blue',
+            chartPath,
+            wait: true,
+            timeout: '1800s',
+            sensitiveStdin: valuesContent,
+        });
+        this.logger.debug('[App] Deploying application chart', {
+            chart: 'uofx-blue',
+            chartPath: chartPath,
+            namespace: 'uofx',
+            instance: instanceName
+        });
+        output?.indent().item('arrow', 'Installing uofx chart (this may take more than 15 minutes, depending on your network speed)...').outdent().flush();
+        await this.executeWithRetry(builder, 'uofx', output);
+    }
+    // =========================================================================
+    // 私有方法
+    // =========================================================================
+    /**
+     * 修補 Secret 以轉移管理權限
+     */
+    async patchSecret(instanceName) {
+        const patchData = JSON.stringify({
+            metadata: {
+                annotations: {
+                    "meta.helm.sh/release-name": "uofx-blue"
+                }
+            }
+        });
+        const env = this.envFactory.getForInstance(instanceName);
+        const builder = env.kubectl('patch')
+            .arg('secret')
+            .arg('web-appsettings-secret')
+            .arg('-n', 'uofx')
+            .arg('-p', `'${patchData}'`);
+        try {
+            await builder.exec();
+        }
+        catch {
+            // 忽略修補錯誤，secret 可能尚不存在
+        }
+    }
+    /**
+     * 產生 Helm Values 內容
+     * @param params - 部署參數
+     * @returns JSON 格式的 Values 字串
+     */
+    createValuesContent(params) {
+        const helmParams = params.toHelmParameters();
+        const values = {
+            appsetting: {
+                LogLevel: index_1.APP_LOG_DEFAULTS.LOG_LEVEL,
+                LogRetentionPeriod: index_1.APP_LOG_DEFAULTS.LOG_RETENTION_PERIOD,
+                LogLevelMicrosoft: index_1.APP_LOG_DEFAULTS.LOG_LEVEL_MICROSOFT,
+                LogLevelHostingLifetime: index_1.APP_LOG_DEFAULTS.LOG_LEVEL_HOSTING_LIFETIME,
+                LogLevelHttpClient: index_1.APP_LOG_DEFAULTS.LOG_LEVEL_HTTP_CLIENT,
+                ConnectionStrings: {
+                    UofxDb: {
+                        Host: index_1.DEPLOYMENT_DEFAULTS.DB_HOST,
+                        Database: index_1.DEPLOYMENT_DEFAULTS.DB_NAME,
+                        User: index_1.DEPLOYMENT_DEFAULTS.DB_USER,
+                        PasswordB64: helmParams.saPasswordB64
+                    },
+                    UofxSearchDb: {
+                        Database: index_1.DEPLOYMENT_DEFAULTS.SEARCH_DB_NAME
+                    }
+                },
+                SignInRSASettings: {
+                    PrivateKeyB64: helmParams.rsaSignInPrivateB64,
+                    PublicKeyB64: helmParams.rsaSignInPublicB64
+                },
+                UofxRsaKey: {
+                    PrivateKeyB64: helmParams.rsaUofxPrivateB64,
+                    PublicKeyB64: helmParams.rsaUofxPublicB64
+                },
+                TokenSettings: {
+                    IssuerSigningKeyB64: helmParams.jwtKeyB64
+                },
+                UofxServiceSettings: {
+                    NotificationCenterUrl: index_1.DEPLOYMENT_DEFAULTS.CONNECT_URL,
+                    LicenseCenterUrl: index_1.DEPLOYMENT_DEFAULTS.CONNECT_URL,
+                    VersionCenterUrl: index_1.DEPLOYMENT_DEFAULTS.CONNECT_URL
+                }
+            },
+            job: {
+                dbHelper: {
+                    enabled: false,
+                    Host: index_1.DEPLOYMENT_DEFAULTS.DB_HOST,
+                    Database: index_1.DEPLOYMENT_DEFAULTS.DB_NAME,
+                    User: index_1.DEPLOYMENT_DEFAULTS.DB_USER,
+                    PasswordB64: helmParams.saPasswordB64
+                }
+            },
+            enabledSearch: true,
+            frontend: {
+                mobiledev: {
+                    enabled: false
+                }
+            },
+            imageCredentials: {
+                registry: `${params.acrCredentials.name}.azurecr.io`,
+                username: params.acrCredentials.account,
+                password: params.acrCredentials.password
+            }
+        };
+        return JSON.stringify(values, null, 2);
+    }
+};
+exports.AppManagerService = AppManagerService;
+__decorate([
+    __param(1, (0, sensitive_decorator_1.Sensitive)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, deployment_parameters_entity_1.DeploymentParameters, String, Object]),
+    __metadata("design:returntype", Promise)
+], AppManagerService.prototype, "deployApp", null);
+exports.AppManagerService = AppManagerService = __decorate([
+    (0, tsyringe_1.injectable)(),
+    __param(0, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IExecutionEnvironmentFactory)),
+    __param(1, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IHelmRegistry)),
+    __param(2, (0, tsyringe_1.inject)(tokens_1.TOKENS.ILoggerPort)),
+    __metadata("design:paramtypes", [Object, Object, Object])
+], AppManagerService);
+//# sourceMappingURL=app-manager.service.js.map