npm - @uofx/cli - Versions diffs - 1.0.0 - Mend

@uofx/cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (238) hide show

package/dist/infrastructure/deployment/services/mssql-database-init.service.js ADDED Viewed

@@ -0,0 +1,139 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MssqlDatabaseInitService = void 0;
+const tsyringe_1 = require("tsyringe");
+const tokens_1 = require("../../../di/tokens");
+const paths_1 = require("../../../constants/paths");
+/**
+ * MSSQL 資料庫初始化服務
+ *
+ * 負責等待 MSSQL Pod 就緒和建立初始資料庫
+ */
+let MssqlDatabaseInitService = class MssqlDatabaseInitService {
+    constructor(envFactory, logger) {
+        this.envFactory = envFactory;
+        this.logger = logger;
+    }
+    /**
+     * 等待 MSSQL Pod 完全就緒
+     * @param instanceName WSL 實例名稱
+     */
+    async waitForMssqlReady(instanceName) {
+        const env = this.envFactory.getForInstance(instanceName);
+        const builder = env.kubectl('wait')
+            .arg('--for=condition=ready')
+            .arg('pod')
+            .arg('-l', 'app.kubernetes.io/name=mssql-latest')
+            .arg('-n', 'mssql')
+            .arg('--timeout=300s');
+        const result = await builder.exec();
+        if (result.exitCode !== 0) {
+            throw new Error(`MSSQL Pod not ready: ${result.stderr}`);
+        }
+    }
+    /**
+     * 取得 MSSQL Pod 名稱
+     * @param instanceName WSL 實例名稱
+     * @returns Pod 名稱
+     */
+    async getMssqlPodName(instanceName) {
+        const env = this.envFactory.getForInstance(instanceName);
+        const builder = env.kubectl('get')
+            .arg('pod')
+            .arg('-l', 'app.kubernetes.io/name=mssql-latest')
+            .arg('-n', 'mssql')
+            .arg('-o', "jsonpath='{.items[0].metadata.name}'");
+        const result = await builder.exec();
+        if (result.exitCode !== 0 || !result.stdout.trim()) {
+            throw new Error(`Failed to get MSSQL Pod name: ${result.stderr}`);
+        }
+        return result.stdout.trim();
+    }
+    /**
+     * 等待 SQL Server 服務啟動並接受連線
+     * @param instanceName WSL 實例名稱
+     * @param podName Pod 名稱
+     * @param saPassword SA 密碼
+     */
+    async waitForSqlServerReady(instanceName, podName, saPassword) {
+        this.logger.debug('[Mssql] Waiting for SQL Server connection...');
+        await new Promise(resolve => setTimeout(resolve, 5000)); // 初始等待 5 秒
+        const maxRetries = 30; // 最多重試 30 次
+        const retryDelay = 2000; // 每次重試間隔 2 秒
+        const env = this.envFactory.getForInstance(instanceName);
+        for (let i = 0; i < maxRetries; i++) {
+            // 嘗試連線到 SQL Server
+            const builder = env.kubectl('exec')
+                .arg('-n', 'mssql')
+                .arg(podName)
+                .arg('--')
+                .arg(paths_1.LINUX_PATHS.SQLCMD_BIN)
+                .arg('-S', 'localhost')
+                .arg('-U', 'sa')
+                .sensitiveArg('-P', `'${saPassword}'`)
+                .arg('-C')
+                .arg('-Q', '"SELECT 1"');
+            const result = await builder.exec();
+            if (result.exitCode === 0) {
+                this.logger.debug('[Mssql] SQL Server is ready');
+                return;
+            }
+            // 如果不是最後一次重試,等待後再試
+            if (i < maxRetries - 1) {
+                await new Promise(resolve => setTimeout(resolve, retryDelay));
+            }
+        }
+        throw new Error('SQL Server failed to start accepting connections after 60 seconds');
+    }
+    /**
+     * 建立初始資料庫 (uofx_dev, uofx_search)
+     * @param instanceName WSL 實例名稱
+     * @param saPassword SA 密碼
+     */
+    async createInitialDatabases(instanceName, saPassword) {
+        this.logger.debug('[Mssql] Creating initial databases...');
+        // 等待 MSSQL Pod 完全就緒
+        await this.waitForMssqlReady(instanceName);
+        // 取得 Pod 名稱
+        const podName = await this.getMssqlPodName(instanceName);
+        // 等待 SQL Server 服務啟動並接受連線
+        await this.waitForSqlServerReady(instanceName, podName, saPassword);
+        // 建立資料庫的 SQL 命令
+        const env = this.envFactory.getForInstance(instanceName);
+        const builder = env.kubectl('exec')
+            .arg('-n', 'mssql')
+            .arg(podName)
+            .arg('--')
+            .arg(paths_1.LINUX_PATHS.SQLCMD_BIN)
+            .arg('-S', 'localhost')
+            .arg('-U', 'sa')
+            .sensitiveArg('-P', `'${saPassword}'`)
+            .arg('-C')
+            .arg('-Q', '"CREATE DATABASE uofx_dev; CREATE DATABASE uofx_search;"');
+        this.logger.debug(`[Mssql] Creating databases uofx_dev, uofx_search...`);
+        const result = await builder.exec();
+        if (result.exitCode !== 0) {
+            throw new Error(`Failed to create initial databases: ${result.stderr}`);
+        }
+    }
+};
+exports.MssqlDatabaseInitService = MssqlDatabaseInitService;
+exports.MssqlDatabaseInitService = MssqlDatabaseInitService = __decorate([
+    (0, tsyringe_1.injectable)(),
+    __param(0, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IExecutionEnvironmentFactory)),
+    __param(1, (0, tsyringe_1.inject)(tokens_1.TOKENS.ILoggerPort)),
+    __metadata("design:paramtypes", [Object, Object])
+], MssqlDatabaseInitService);
+//# sourceMappingURL=mssql-database-init.service.js.map

package/dist/infrastructure/deployment/services/mssql-helm-deployment.service.js ADDED Viewed

@@ -0,0 +1,100 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MssqlHelmDeploymentService = void 0;
+const tsyringe_1 = require("tsyringe");
+const tokens_1 = require("../../../di/tokens");
+const base_helm_deployment_service_1 = require("./base-helm-deployment.service");
+/**
+ * MSSQL Helm 部署服務
+ *
+ * 負責使用 Helm 部署 MSSQL，繼承 BaseHelmDeploymentService
+ */
+let MssqlHelmDeploymentService = class MssqlHelmDeploymentService extends base_helm_deployment_service_1.BaseHelmDeploymentService {
+    constructor(envFactory, helmRegistry, storageService, dbInitService, logger) {
+        super(helmRegistry, logger, envFactory);
+        this.storageService = storageService;
+        this.dbInitService = dbInitService;
+    }
+    /**
+     * 部署 MSSQL
+     * @param instanceName WSL 實例名稱
+     * @param params 部署參數
+     * @param chartVersion Chart 版本 (MSSQL 使用固定版本，此參數會被忽略)
+     * @param progress 進度通知回調
+     */
+    async deployMssql(instanceName, params, _chartVersion, output) {
+        output?.item('arrow', 'Deploying MSSQL database...').flush();
+        // MSSQL 使用固定版本，傳入空字串讓 getDeploymentConfig 決定版本
+        await this.deployWithHelm(instanceName, params, '', output);
+    }
+    // =========================================================================
+    // BaseHelmDeploymentService 抽象方法實作
+    // =========================================================================
+    getServiceName() {
+        return 'Mssql';
+    }
+    getDeploymentConfig(_chartVersion) {
+        // MSSQL 使用固定版本和特定 repository
+        return {
+            chartName: 'mssql-latest',
+            chartVersion: '0.0.0-dev',
+            repository: 'uofx-cli',
+        };
+    }
+    /**
+     * 安裝前處理：建立 MSSQL 所需的持久化存儲目錄
+     */
+    async preInstall(instanceName, _params, _output) {
+        await this.storageService.createMssqlDirectories(instanceName);
+    }
+    async installChart(instanceName, chartPath, params, _output) {
+        const env = this.envFactory.getForInstance(instanceName);
+        const builder = env.helm('install')
+            .arg('--wait')
+            .arg('--timeout', '10m')
+            .arg('-n', 'mssql')
+            .arg('database')
+            .arg(`"${chartPath}"`)
+            .arg('--create-namespace')
+            .sensitiveArg('--set', `sa_password='${params.saPassword}'`);
+        this.logger.debug('[Mssql] Installing MSSQL chart', {
+            chart: 'mssql-latest',
+            chartPath: chartPath,
+            namespace: 'mssql',
+            instance: instanceName,
+        });
+        const result = await builder.exec();
+        if (result.exitCode !== 0) {
+            throw new Error(`Failed to deploy MSSQL: ${result.stderr}`);
+        }
+    }
+    /**
+     * 安裝後處理：建立初始資料庫
+     */
+    async postInstall(instanceName, params, _output) {
+        await this.dbInitService.createInitialDatabases(instanceName, params.saPassword.toString());
+    }
+};
+exports.MssqlHelmDeploymentService = MssqlHelmDeploymentService;
+exports.MssqlHelmDeploymentService = MssqlHelmDeploymentService = __decorate([
+    (0, tsyringe_1.injectable)(),
+    __param(0, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IExecutionEnvironmentFactory)),
+    __param(1, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IHelmRegistry)),
+    __param(2, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IMssqlStorage)),
+    __param(3, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IMssqlDatabaseInit)),
+    __param(4, (0, tsyringe_1.inject)(tokens_1.TOKENS.ILoggerPort)),
+    __metadata("design:paramtypes", [Object, Object, Object, Object, Object])
+], MssqlHelmDeploymentService);
+//# sourceMappingURL=mssql-helm-deployment.service.js.map

package/dist/infrastructure/deployment/services/mssql-storage.service.js ADDED Viewed

@@ -0,0 +1,54 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MssqlStorageService = void 0;
+const tsyringe_1 = require("tsyringe");
+const tokens_1 = require("../../../di/tokens");
+const paths_1 = require("../../../constants/paths");
+/**
+ * MSSQL 存儲服務
+ *
+ * 負責建立 MSSQL 所需的持久化存儲目錄
+ */
+let MssqlStorageService = class MssqlStorageService {
+    constructor(envFactory, logger) {
+        this.envFactory = envFactory;
+        this.logger = logger;
+    }
+    /**
+     * 建立 MSSQL 所需的持久化存儲目錄
+     * @param instanceName WSL 實例名稱
+     */
+    async createMssqlDirectories(instanceName) {
+        this.logger.debug(`[Mssql] Creating data directories for instance ${instanceName}...`);
+        const directories = (0, paths_1.getMssqlDataDirectories)();
+        const env = this.envFactory.getForInstance(instanceName);
+        const builder = env.shell('mkdir')
+            .arg('-p')
+            .args(...directories);
+        const result = await builder.exec();
+        if (result.exitCode !== 0) {
+            throw new Error(`Failed to create MSSQL directories: ${result.stderr}`);
+        }
+        this.logger.debug('[Mssql] Directories created successfully');
+    }
+};
+exports.MssqlStorageService = MssqlStorageService;
+exports.MssqlStorageService = MssqlStorageService = __decorate([
+    (0, tsyringe_1.injectable)(),
+    __param(0, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IExecutionEnvironmentFactory)),
+    __param(1, (0, tsyringe_1.inject)(tokens_1.TOKENS.ILoggerPort)),
+    __metadata("design:paramtypes", [Object, Object])
+], MssqlStorageService);
+//# sourceMappingURL=mssql-storage.service.js.map

package/dist/infrastructure/deployment/services/mssql-user-manager.service.js ADDED Viewed

@@ -0,0 +1,66 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MssqlUserManagerService = void 0;
+const tsyringe_1 = require("tsyringe");
+const tokens_1 = require("../../../di/tokens");
+const paths_1 = require("../../../constants/paths");
+/**
+ * MSSQL 使用者管理服務
+ *
+ * 負責在 MSSQL 資料庫中建立管理員使用者
+ */
+let MssqlUserManagerService = class MssqlUserManagerService {
+    constructor(envFactory, dbInitService, logger) {
+        this.envFactory = envFactory;
+        this.dbInitService = dbInitService;
+        this.logger = logger;
+    }
+    /**
+     * 建立 uofxadmin 管理員使用者
+     * @param instanceName WSL 實例名稱
+     * @param params 部署參數
+     */
+    async createAdminUser(instanceName, params) {
+        this.logger.debug('[Mssql] Creating uofxadmin user...');
+        const podName = await this.dbInitService.getMssqlPodName(instanceName);
+        const email = `admin@${instanceName}.com`;
+        const query = `EXECUTE [dbo].[usp_Admin_User_Upcert_v01] 'uofxadmin', '${params.adminPassword}', '${email}'`;
+        const env = this.envFactory.getForInstance(instanceName);
+        const builder = env.kubectl('exec')
+            .arg('-n', 'mssql')
+            .arg(podName)
+            .arg('--')
+            .arg(paths_1.LINUX_PATHS.SQLCMD_BIN)
+            .arg('-S', 'localhost')
+            .arg('-U', 'sa')
+            .sensitiveArg('-P', `'${params.saPassword}'`)
+            .arg('-d', 'uofx_dev')
+            .arg('-C')
+            .sensitiveArg('-Q', `"${query}"`);
+        const result = await builder.exec();
+        if (result.exitCode !== 0) {
+            throw new Error(`Failed to create admin user: ${result.stderr}`);
+        }
+    }
+};
+exports.MssqlUserManagerService = MssqlUserManagerService;
+exports.MssqlUserManagerService = MssqlUserManagerService = __decorate([
+    (0, tsyringe_1.injectable)(),
+    __param(0, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IExecutionEnvironmentFactory)),
+    __param(1, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IMssqlDatabaseInit)),
+    __param(2, (0, tsyringe_1.inject)(tokens_1.TOKENS.ILoggerPort)),
+    __metadata("design:paramtypes", [Object, Object, Object])
+], MssqlUserManagerService);
+//# sourceMappingURL=mssql-user-manager.service.js.map

package/dist/infrastructure/deployment/services/oci-artifact.service.js ADDED Viewed

@@ -0,0 +1,289 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OciArtifactService = void 0;
+const tsyringe_1 = require("tsyringe");
+const tokens_1 = require("../../../di/tokens");
+const sensitive_decorator_1 = require("../../../domain/decorators/sensitive.decorator");
+/**
+ * OCI Artifact 下載服務
+ *
+ * 負責從 OCI registry 下載 artifacts（非 Helm Charts）
+ * 支援兩種模式：
+ * 1. Windows 側 HTTP 下載（用於 JSON 配置檔）
+ * 2. WSL 內透過 curl 下載（用於需要在 WSL 執行的腳本）
+ */
+let OciArtifactService = class OciArtifactService {
+    constructor(httpClient, envFactory, logger) {
+        this.httpClient = httpClient;
+        this.envFactory = envFactory;
+        this.logger = logger;
+    }
+    /**
+     * 從 OCI registry 下載 JSON artifact 並解析
+     * 在 Windows 側執行
+     */
+    async fetchJson(repo, tag, credentials) {
+        const registry = `${credentials.name}.azurecr.io`;
+        const scope = `repository:${repo}:pull`;
+        this.logger.debug(`Fetching OCI artifact: ${repo}:${tag}`);
+        // 1. 取得 Token
+        const token = await this.getAcrToken(registry, scope, credentials.account, credentials.password);
+        // 2. 取得 Manifest
+        const manifestUrl = `https://${registry}/v2/${repo}/manifests/${tag}`;
+        const manifestResponse = await this.httpClient.getJson(manifestUrl, {
+            Authorization: `Bearer ${token}`,
+            Accept: 'application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.manifest.v1+json'
+        });
+        // 3. 取得 Blob Digest
+        const digest = this.extractDigest(manifestResponse);
+        if (!digest) {
+            throw new Error(`Could not find digest in manifest for ${repo}:${tag}`);
+        }
+        // 4. 下載 Blob
+        const blobUrl = `https://${registry}/v2/${repo}/blobs/${digest}`;
+        const blob = await this.httpClient.getJson(blobUrl, {
+            Authorization: `Bearer ${token}`
+        });
+        this.logger.debug(`Successfully fetched OCI artifact: ${repo}:${tag}`);
+        return blob;
+    }
+    /**
+     * 在實例內下載 OCI artifact
+     * 全程在實例內透過 curl 完成
+     * 透過 IExecutionEnvironmentFactory 自動選擇正確的執行環境
+     */
+    async downloadToInstance(instanceName, repo, tag, targetPath, credentials) {
+        const registry = `${credentials.name}.azurecr.io`;
+        const scope = `repository:${repo}:pull`;
+        this.logger.debug(`Downloading OCI artifact to instance: ${repo}:${tag} -> ${targetPath}`);
+        // 建立在實例內執行的下載腳本
+        const downloadScript = this.buildDownloadScript(registry, repo, tag, scope, targetPath, credentials.account, credentials.password);
+        const env = this.envFactory.getForInstance(instanceName);
+        // 使用 stdin 傳遞腳本以避免引號轉義問題
+        const result = await env.shell('bash').sensitiveStdin(downloadScript).exec();
+        if (result.exitCode !== 0) {
+            // 輸出詳細錯誤信息以幫助診斷
+            const errorDetail = result.stderr || result.stdout || 'No output';
+            this.logger.error(new Error(`OCI download script failed`), {
+                exitCode: result.exitCode,
+                stderr: result.stderr,
+                stdout: result.stdout,
+                instanceName,
+                repo,
+                tag
+            });
+            throw new Error(`Failed to download OCI artifact: ${errorDetail}`);
+        }
+        this.logger.debug(`Successfully downloaded OCI artifact to instance: ${targetPath}`);
+    }
+    /**
+     * 建立在實例內執行的下載腳本
+     */
+    buildDownloadScript(registry, repo, tag, scope, targetPath, user, password) {
+        // 使用 base64 編碼密碼以避免特殊字符問題
+        const passwordBase64 = Buffer.from(password).toString('base64');
+        // 腳本會：
+        // 1. 解碼密碼
+        // 2. 取得 Token
+        // 3. 取得 Manifest，解析 digest
+        // 4. 下載 Blob 到目標路徑
+        // 5. 設定執行權限（如果是 .sh 檔案）
+        return `
+set -e
+REGISTRY="${registry}"
+REPO="${repo}"
+TAG="${tag}"
+SCOPE="${scope}"
+TARGET="${targetPath}"
+USER="${user}"
+PASS_B64="${passwordBase64}"
+echo "OCI Download: Starting..."
+# 解碼密碼
+PASS=$(echo "\${PASS_B64}" | base64 -d)
+echo "OCI Download: Getting token..."
+# 1. 取得 Token
+TOKEN_RESPONSE=$(curl -sfL -u "\${USER}:\${PASS}" \\
+  "https://\${REGISTRY}/oauth2/token?service=\${REGISTRY}&scope=\${SCOPE}")
+if [ -z "\${TOKEN_RESPONSE}" ]; then
+  echo "Failed to get ACR token response" >&2
+  exit 1
+fi
+TOKEN=$(echo "\${TOKEN_RESPONSE}" | sed -n 's/.*"access_token":"\\([^"]*\\)".*/\\1/p')
+if [ -z "\${TOKEN}" ]; then
+  echo "Failed to parse ACR token from response" >&2
+  echo "Response: \${TOKEN_RESPONSE}" >&2
+  exit 1
+fi
+echo "OCI Download: Getting manifest..."
+# 2. 取得 Manifest，解析 digest
+MANIFEST=$(curl -sfL -H "Authorization: Bearer \${TOKEN}" \\
+  -H "Accept: application/vnd.oci.image.manifest.v1+json" \\
+  "https://\${REGISTRY}/v2/\${REPO}/manifests/\${TAG}")
+if [ -z "\${MANIFEST}" ]; then
+  echo "Failed to get manifest for \${REPO}:\${TAG}" >&2
+  exit 1
+fi
+# 從 layers 區塊取得第一個 digest
+# 先找到 layers 區塊，再從中提取 digest
+DIGEST=$(echo "\${MANIFEST}" | sed 's/.*"layers"[^[]*\\[//' | grep -o '"digest"[ ]*:[ ]*"sha256:[^"]*"' | head -1 | sed 's/.*"\\(sha256:[^"]*\\)".*/\\1/')
+if [ -z "\${DIGEST}" ]; then
+  echo "Failed to extract digest from manifest" >&2
+  echo "Manifest: \${MANIFEST}" >&2
+  exit 1
+fi
+echo "OCI Download: Downloading blob \${DIGEST}..."
+# 3. 下載 Blob（可能是 tar 或直接檔案）
+# 注意：ACR 會返回 302 重定向到 Azure Blob Storage，需要 -L 跟隨重定向
+TEMP_BLOB="/tmp/oci-blob-$$"
+curl -sfL -H "Authorization: Bearer \${TOKEN}" \\
+  -o "\${TEMP_BLOB}" \\
+  "https://\${REGISTRY}/v2/\${REPO}/blobs/\${DIGEST}"
+if [ ! -f "\${TEMP_BLOB}" ]; then
+  echo "Failed to download blob" >&2
+  exit 1
+fi
+# 4. 檢查是否為 tar 檔案，如果是則解壓縮
+TARGET_DIR=$(dirname "\${TARGET}")
+TARGET_BASENAME=$(basename "\${TARGET}")
+# 嘗試 tar -tf 列出內容，如果成功則是 tar
+if tar -tf "\${TEMP_BLOB}" >/dev/null 2>&1; then
+  # 是 tar 檔案，解壓縮
+  echo "Blob is a tar archive, extracting..."
+  # 取得 tar 內的檔案列表
+  TAR_CONTENTS=$(tar -tf "\${TEMP_BLOB}")
+  # 解壓縮到目標目錄
+  tar -xf "\${TEMP_BLOB}" -C "\${TARGET_DIR}"
+  # 如果目標檔案不存在，找到解壓縮的檔案並重命名
+  if [ ! -f "\${TARGET}" ]; then
+    # 取得 tar 內第一個檔案名稱
+    FIRST_FILE=$(echo "\${TAR_CONTENTS}" | head -1)
+    EXTRACTED_PATH="\${TARGET_DIR}/\${FIRST_FILE}"
+    if [ -f "\${EXTRACTED_PATH}" ]; then
+      echo "Renaming extracted file: \${FIRST_FILE} -> \${TARGET_BASENAME}"
+      mv "\${EXTRACTED_PATH}" "\${TARGET}"
+    else
+      # 備用：尋找目錄中最新的檔案
+      EXTRACTED=$(find "\${TARGET_DIR}" -maxdepth 1 -type f -newer "\${TEMP_BLOB}" 2>/dev/null | head -1)
+      if [ -n "\${EXTRACTED}" ] && [ "\${EXTRACTED}" != "\${TARGET}" ]; then
+        echo "Moving extracted file: \${EXTRACTED} -> \${TARGET}"
+        mv "\${EXTRACTED}" "\${TARGET}"
+      fi
+    fi
+  fi
+else
+  # 不是 tar，直接複製
+  cp "\${TEMP_BLOB}" "\${TARGET}"
+fi
+rm -f "\${TEMP_BLOB}"
+if [ ! -f "\${TARGET}" ]; then
+  echo "Failed to extract/copy blob to \${TARGET}" >&2
+  exit 1
+fi
+echo "OCI Download: Converting line endings..."
+# 5. 轉換 Windows 換行符 (CRLF) 為 Unix 格式 (LF)
+sed -i 's/\\r$//' "\${TARGET}"
+echo "OCI Download: Setting permissions..."
+# 6. 如果是 .sh 檔案，設定執行權限
+case "\${TARGET}" in
+  *.sh)
+    chmod +x "\${TARGET}"
+    ;;
+esac
+echo "OCI Download: Complete - \${TARGET} ($(wc -c < \${TARGET}) bytes)"
+`;
+    }
+    /**
+     * 從 Manifest 回應中提取 Digest
+     */
+    extractDigest(manifest) {
+        // 優先從 layers[0] 取得
+        if (manifest.layers && manifest.layers.length > 0) {
+            return manifest.layers[0].digest;
+        }
+        // 備用：從 config 取得
+        if (manifest.config && manifest.config.digest) {
+            return manifest.config.digest;
+        }
+        return null;
+    }
+    /**
+     * 獲取 ACR 存取 Token（Windows 側）
+     */
+    async getAcrToken(registry, scope, user, password) {
+        const auth = Buffer.from(`${user}:${password}`).toString('base64');
+        const url = `https://${registry}/oauth2/token?service=${registry}&scope=${scope}`;
+        const response = await this.httpClient.getJson(url, {
+            Authorization: `Basic ${auth}`
+        });
+        return response.access_token;
+    }
+};
+exports.OciArtifactService = OciArtifactService;
+__decorate([
+    __param(2, (0, sensitive_decorator_1.Sensitive)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, String, Object]),
+    __metadata("design:returntype", Promise)
+], OciArtifactService.prototype, "fetchJson", null);
+__decorate([
+    __param(4, (0, sensitive_decorator_1.Sensitive)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, String, String, String, Object]),
+    __metadata("design:returntype", Promise)
+], OciArtifactService.prototype, "downloadToInstance", null);
+__decorate([
+    __param(6, (0, sensitive_decorator_1.Sensitive)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, String, String, String, String, String, String]),
+    __metadata("design:returntype", String)
+], OciArtifactService.prototype, "buildDownloadScript", null);
+__decorate([
+    __param(3, (0, sensitive_decorator_1.Sensitive)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [String, String, String, String]),
+    __metadata("design:returntype", Promise)
+], OciArtifactService.prototype, "getAcrToken", null);
+exports.OciArtifactService = OciArtifactService = __decorate([
+    (0, tsyringe_1.injectable)(),
+    __param(0, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IHttpClient)),
+    __param(1, (0, tsyringe_1.inject)(tokens_1.TOKENS.Internal.IExecutionEnvironmentFactory)),
+    __param(2, (0, tsyringe_1.inject)(tokens_1.TOKENS.ILoggerPort)),
+    __metadata("design:paramtypes", [Object, Object, Object])
+], OciArtifactService);
+//# sourceMappingURL=oci-artifact.service.js.map