@vibesdotdev/infra-core 0.0.1

package/README.md

@@ -0,0 +1,78 @@
+# @vibesdotdev/infra-core
+
+Provider-agnostic contract for deployable infrastructure. Defines runtime
+kinds, descriptor schemas, and deployment factories shared by adapter packages
+(`infra-cloudflare`, `infra-doks`) and consuming apps.
+
+See [`SPEC.md`](./SPEC.md) for the contract.
+
+## What's in here
+
+- `src/schemas.ts` — atomic Zod schemas (provider, runtime, origin, build,
+  env requirement, dependency, upstream) plus the assembled
+  `appDeploymentSchema`.
+- `src/kinds/` — one file per runtime kind: `infra/web-app`, `infra/worker`,
+  `infra/database`, `infra/queue`, `infra/cache`, `infra/object-storage`,
+  `infra/sandbox`. Each kind ships a Zod descriptor schema and a pass-through
+  default `Implementation` class.
+- `src/deployment.ts` — factory functions that produce validated deployment
+  objects from authored input (`createAppDeployment` and friends).
+- `src/infra.plugin.ts` — `infraPlugin` registers all 7 kinds with the
+  runtime under `discoveryPattern: "**/*.infra.ts"`.
+
+## Common usage
+
+Authoring a per-app deployment config (in `apps/<app>-web/deployment.config.ts`):
+
+```ts
+import { createAppDeployment } from '@vibesdotdev/infra-core/deployment';
+import { createCloudflarePagesDeployment } from '@vibesdotdev/infra-cloudflare/pages';
+
+const deployment = createAppDeployment({
+  appId: 'my-app',
+  appName: 'My App',
+  provider: 'cloudflare-workers',
+  runtime: 'edge',
+  build: { /* ... */ },
+  origins: [/* ... */],
+  env: [/* ... */]
+});
+
+export default createCloudflarePagesDeployment({ deployment, /* ... */ });
+```
+
+Declaring a discoverable infra resource (in any `*.infra.ts` file):
+
+```ts
+import type { WebAppDescriptor } from '@vibesdotdev/infra-core/kinds';
+
+export default {
+  id: 'my-app',
+  kind: 'infra/web-app',
+  domain: 'my-app.vibes.dev',
+  appDir: 'apps/my-app-web',
+  outputDir: 'apps/my-app-web/.svelte-kit/cloudflare',
+  adapter: 'cloudflare-pages',
+  runtime: 'edge',
+  env: []
+} satisfies WebAppDescriptor;
+```
+
+Real provider behavior comes from adapter packages registering against the
+same kinds. Core never imports adapters.
+
+## Verification
+
+```bash
+cd packages/infra-core
+bun test
+bun --bun tsc -p tsconfig.json --noEmit
+```
+
+## Links
+
+- [SPEC.md](./SPEC.md)
+- [PROD-CHECKLIST.md](./PROD-CHECKLIST.md)
+- [`infra-cloudflare`](../infra-cloudflare/SPEC.md)
+- [`infra-doks`](../infra-doks/SPEC.md)
+- [`deploy`](../deploy/SPEC.md)

package/SPEC.md

@@ -0,0 +1,169 @@
+# @vibesdotdev/infra-core
+
+Provider-agnostic contract for deployable infrastructure. Defines the runtime
+kinds, descriptor schemas, and deployment factories that adapter packages and
+consuming apps share. Adapter packages
+([`infra-cloudflare`](../infra-cloudflare/SPEC.md),
+[`infra-doks`](../infra-doks/SPEC.md)) implement provider-specific behavior
+against these kinds; consumed by per-app `deployment.config.ts` files, by
+`*.infra.ts` resource declarations under workspace `infra/`, by
+[`secrets`](../secrets/SPEC.md) for env-requirement resolution, and by
+[`deploy`](../deploy/SPEC.md) for orchestration.
+
+## Owns
+
+- **Runtime kinds:** `infra/web-app`, `infra/worker`, `infra/database`,
+  `infra/queue`, `infra/cache`, `infra/object-storage`, `infra/sandbox`,
+  `infra/git-hosting`, `infra/package-registry`.
+- **Plugin descriptors registered by the plugin:** `infraPlugin` (id `infra`)
+  registers all 9 kinds with `discoveryPattern: "**/*.infra.ts"` and
+  pass-through default implementations exposing the validated descriptor as
+  `config`.
+- **Schemas** (`./schemas`): atomic Zod schemas — provider enum, runtime enum,
+  origin, build, env requirement, dependency, upstream — and the assembled
+  `appDeploymentSchema`. Single source of truth for cross-cutting shapes;
+  kind descriptor schemas compose from these primitives.
+- **Kind descriptors** (`./kinds`): one file per kind, each defining a Zod
+  descriptor schema (composed from `./schemas`) and a pass-through default
+  `Implementation` class wired through `createRuntimeKind`.
+- **Deployment factories** (`./deployment`): `createAppDeployment`,
+  `createDeploymentOrigin`, `createDeploymentEnvRequirement`,
+  `createDeploymentDependency`, `getPrimaryOrigin`, `getUpstreamOriginEnv`.
+  These produce the validated objects authored in per-app
+  `deployment.config.ts` files.
+
+## Does not own
+
+- Cloudflare Workers / Workers / Queues / R2 / KV implementations →
+  [`infra-cloudflare`](../infra-cloudflare/SPEC.md).
+- DigitalOcean App Platform / DOKS / Spaces / Managed DB / Managed Redis
+  implementations → [`infra-doks`](../infra-doks/SPEC.md).
+- Standalone Kubernetes / Docker / DO Droplet implementations — no adapter
+  package exists yet (see migration debt).
+- Deployment orchestration, manifest generation, env materialization, and the
+  `infra/` workspace tree (`infra/manifest.ts`, `infra/generate.ts`,
+  `infra/resources/`) → [`deploy`](../deploy/SPEC.md). Per-app
+  `deployment.config.ts` files live in `apps/<app>-web/`.
+- Env-requirement resolution against descriptors →
+  [`secrets`](../secrets/SPEC.md).
+- AI inference selection. Inference is an `ai/provider` + `ai/adapter`
+  concern — see [`ai`](../ai/SPEC.md) and
+  [`ai-providers`](../ai-providers/SPEC.md). No `infra/inference` kind exists
+  or should be added.
+
+## Hard rules
+
+- Core never imports adapter packages. Dependencies are exactly
+  `@vibesdotdev/runtime` + `zod`.
+- Shared shapes live in `./schemas`. Kind descriptor schemas compose from
+  `./schemas`. Do not redeclare an env-requirement schema or any other
+  primitive inside a kind file.
+- New deployable resource types are added as new kinds in `src/kinds/`.
+  Provider-specific concepts (Wrangler bindings, Helm values, Spaces CORS,
+  CF Sandbox outbound proxy specifics, etc.) belong in adapter packages
+  registering implementations against the existing kinds.
+- Inference is not an infra kind. New inference strategies (CF Unified
+  Inference, Agents bindings, etc.) are added as `ai/provider` descriptors +
+  adapters in [`ai-providers`](../ai-providers/SPEC.md).
+- Default implementations are inert pass-throughs that expose the validated
+  descriptor as `config`. Real provider behavior must come from an adapter
+  package registering an implementation for the same kind.
+- Kind discovery pattern is `**/*.infra.ts` for every kind. Apps and the
+  `infra/` workspace declare concrete resources in `*.infra.ts` files; do
+  not change the pattern per kind.
+- Pure TypeScript only. No `$env`, `$server`, `$app`, `@sveltejs/kit`,
+  Svelte, Drizzle, or filesystem APIs in this package.
+- `deploymentProviderSchema` enumerates exactly the providers backed by an
+  active adapter package. Adding a provider value without a corresponding
+  adapter is a contract lie — add the adapter or omit the value.
+- `appDeploymentSchema` cross-validates provider against runtime and origin
+  hostnames (e.g. `cloudflare-workers` requires `edge`; `digitalocean-app`
+  requires `node` or `worker`). Nonsense combinations fail at parse time,
+  not deploy time.
+
+## Migration debt (completed)
+
+- [x] `envRequirementSchema` is locally redeclared in
+  `src/kinds/web-app.kind.ts`, `src/kinds/worker.kind.ts`, and
+  `src/kinds/sandbox.kind.ts` instead of imported from `./schemas`.
+  **Resolution:** Kinds now import `deploymentEnvRequirementSchema` from `./schemas`.
+  All kind files use `import { z } from 'zod/v4'` style for consistency.
+- [x] `package.json#exports` includes `"./kinds/*": "./src/kinds/*.ts"`.
+  **Resolution:** Wildcard removed. All 26 consumers updated to use `./kinds`
+  aggregate subpath instead of deep imports.
+- [x] `deploymentProviderSchema` declares `digitalocean-droplet`,
+  `digitalocean-kubernetes`, `kubernetes`, and `docker`, but only
+  `digitalocean-app` (via `infra-doks`) and `cloudflare-workers` (via
+  `infra-cloudflare`) have active adapter implementations.
+  **Resolution:** Trimmed to only `cloudflare-workers` and `digitalocean-app`.
+- [x] `appDeploymentSchema` does not cross-validate provider against runtime.
+  **Resolution:** Added `.refine()` enforcing provider × runtime matrix:
+  - `cloudflare-workers`: `edge`, `worker`
+  - `digitalocean-app`: `node`, `worker`
+- [x] `discoveryPattern` and `extractStem` are duplicated identically across all
+  9 kind files.
+  **Resolution:** Extracted shared helper in `src/kinds/discovery.ts` with
+  `INFRA_DISCOVERY_PATTERN` constant and `extractStem()` function. All 7
+  kind files now import and reuse.
+- [x] `WebAppDescriptor` and `appDeploymentSchema` describe overlapping concepts
+  (`appDir`, `outputDir`, `runtime`, `env`).
+  **Resolution:** The parallel surfaces are **intentional**:
+  - `WebAppDescriptor` (runtime-discovered resource) lives at `infra/web-app`
+    kind with `adapter`, `domain`, `env`, etc. Used by runtime discovery.
+  - `appDeploymentSchema` (authored deployment config) lives in `./schemas` and
+    is used by `deployment.config.ts` files with `provider`, `build`, `origins`,
+    etc. Both shapes reference similar fields but serve different consumers.
+  No merging; keep parallel with potential future composition via shared
+  fragment schemas if divergence becomes problematic.
+
+## Migration debt
+
+- [x] **`adapter` discriminator → `config` field migration.** All 7 original
+  infra kinds declare `adapter: z.string()` as a top-level discriminator field.
+  This field is not in `RuntimeDescriptorSchema` and `createRuntimeAsset` could not
+  validate it. Every infra kind has moved `adapter` and all adapter-specific
+  fields into a `config` object validated against the kind's registered
+  `descriptorSchema`. **Affected kinds:** `infra/web-app`, `infra/worker`,
+  `infra/database`, `infra/queue`, `infra/cache`, `infra/object-storage`,
+  `infra/sandbox`, `infra/git-hosting`, `infra/package-registry`.
+  - [x] `infra/web-app`: added `WebAppConfigSchema` union
+    (cloudflare-workers, digitalocean-apps)
+  - [x] `infra/worker`: added `WorkerConfigSchema` union
+    (doks-deployment, cloudflare-workers)
+  - [x] `infra/database`: added `DatabaseConfigSchema` union
+    (doks-statefulset, do-managed-postgres, turso)
+  - [x] `infra/queue`: added `QueueConfigSchema` union
+    (doks-statefulset, cloudflare-queues)
+  - [x] `infra/cache`: added `CacheConfigSchema` union
+    (do-managed-redis, cloudflare-kv, doks-redis)
+  - [x] `infra/object-storage`: added `ObjectStorageConfigSchema` union
+    (do-spaces, cloudflare-r2)
+  - [x] `infra/sandbox`: already had all variants (cloudflare-sandbox, docker,
+    digitalocean-droplet)
+  - [x] `infra/git-hosting`: added `GitHostingConfigSchema` union (gitea-doks)
+  - [x] `infra/package-registry`: added `PackageRegistryConfigSchema` union
+    (verdaccio-doks)
+
+## Public entrypoints
+
+`.`, `./schemas`, `./kinds`, `./deployment`, `./plugin`.
+
+Wildcard / migration-era subpaths: `./kinds/*` — do not normalize new code
+against this.
+
+## Verification
+
+`bun test` from `packages/infra-core`. Covers all 9 schemas (accept-valid +
+reject-invalid), all 9 kind descriptor structures, plugin registration shape
+(id, kinds count, kind IDs, discovery pattern, no dependencies, no lifecycle
+hooks), and all 6 factory functions. `bun --bun tsc -p tsconfig.json
+--noEmit` is the type gate.
+
+## Links
+
+- [infra-cloudflare/SPEC.md](../infra-cloudflare/SPEC.md)
+- [infra-doks/SPEC.md](../infra-doks/SPEC.md)
+- [deploy/SPEC.md](../deploy/SPEC.md)
+- [secrets/SPEC.md](../secrets/SPEC.md)
+- [runtime/SPEC.md](../runtime/SPEC.md)
+- [ai/SPEC.md](../ai/SPEC.md), [ai-providers/SPEC.md](../ai-providers/SPEC.md)

package/dist/bootstrap/index.d.ts

@@ -0,0 +1,5 @@
+export { bootstrapSeedKind } from './seed.kind.ts';
+export { bootstrapSeedConditionSchema, bootstrapSeedDescriptorSchema, bootstrapSeedModeSchema, type BootstrapSeedCondition, type BootstrapSeedDescriptor, type BootstrapSeedMode } from './seed.descriptor.ts';
+export type { BootstrapSeedImpl } from './seed.impl-shape.ts';
+export { runBootstrapSeeds, type BootstrapSeedRunOptions, type BootstrapSeedRunResult } from './seed.runner.ts';
+//# sourceMappingURL=index.d.ts.map

package/dist/bootstrap/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/bootstrap/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACN,4BAA4B,EAC5B,6BAA6B,EAC7B,uBAAuB,EACvB,KAAK,sBAAsB,EAC3B,KAAK,uBAAuB,EAC5B,KAAK,iBAAiB,EACtB,MAAM,sBAAsB,CAAC;AAC9B,YAAY,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EACN,iBAAiB,EACjB,KAAK,uBAAuB,EAC5B,KAAK,sBAAsB,EAC3B,MAAM,kBAAkB,CAAC"}

package/dist/bootstrap/index.js

@@ -0,0 +1,4 @@
+export { bootstrapSeedKind } from "./seed.kind.js";
+export { bootstrapSeedConditionSchema, bootstrapSeedDescriptorSchema, bootstrapSeedModeSchema } from "./seed.descriptor.js";
+export { runBootstrapSeeds } from "./seed.runner.js";
+//# sourceMappingURL=index.js.map

package/dist/bootstrap/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/bootstrap/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EACN,4BAA4B,EAC5B,6BAA6B,EAC7B,uBAAuB,EAIvB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACN,iBAAiB,EAGjB,MAAM,kBAAkB,CAAC"}

package/dist/bootstrap/seed.descriptor.d.ts

@@ -0,0 +1,31 @@
+import { z } from 'zod';
+export declare const bootstrapSeedModeSchema: z.ZodEnum<{
+    "cold-start": "cold-start";
+    deploy: "deploy";
+}>;
+export type BootstrapSeedMode = z.infer<typeof bootstrapSeedModeSchema>;
+export declare const bootstrapSeedConditionSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    kind: z.ZodLiteral<"always">;
+}, z.core.$strip>, z.ZodObject<{
+    kind: z.ZodLiteral<"env-keys-present">;
+    keys: z.ZodArray<z.ZodString>;
+}, z.core.$strip>], "kind">;
+export type BootstrapSeedCondition = z.infer<typeof bootstrapSeedConditionSchema>;
+export declare const bootstrapSeedDescriptorSchema: z.ZodObject<{
+    kind: z.ZodLiteral<"bootstrap/seed">;
+    id: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    executeOn: z.ZodArray<z.ZodEnum<{
+        "cold-start": "cold-start";
+        deploy: "deploy";
+    }>>;
+    condition: z.ZodOptional<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        kind: z.ZodLiteral<"always">;
+    }, z.core.$strip>, z.ZodObject<{
+        kind: z.ZodLiteral<"env-keys-present">;
+        keys: z.ZodArray<z.ZodString>;
+    }, z.core.$strip>], "kind">>;
+    priority: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>;
+export type BootstrapSeedDescriptor = z.infer<typeof bootstrapSeedDescriptorSchema>;
+//# sourceMappingURL=seed.descriptor.d.ts.map

package/dist/bootstrap/seed.descriptor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"seed.descriptor.d.ts","sourceRoot":"","sources":["../../src/bootstrap/seed.descriptor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,eAAO,MAAM,uBAAuB;;;EAAmC,CAAC;AACxE,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAExE,eAAO,MAAM,4BAA4B;;;;;2BAMvC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAElF,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;iBAOxC,CAAC;AAEH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC"}

package/dist/bootstrap/seed.descriptor.js

@@ -0,0 +1,18 @@
+import { z } from 'zod';
+export const bootstrapSeedModeSchema = z.enum(['cold-start', 'deploy']);
+export const bootstrapSeedConditionSchema = z.discriminatedUnion('kind', [
+    z.object({ kind: z.literal('always') }),
+    z.object({
+        kind: z.literal('env-keys-present'),
+        keys: z.array(z.string().min(1)).min(1)
+    })
+]);
+export const bootstrapSeedDescriptorSchema = z.object({
+    kind: z.literal('bootstrap/seed'),
+    id: z.string().min(1),
+    description: z.string().optional(),
+    executeOn: z.array(bootstrapSeedModeSchema).min(1),
+    condition: bootstrapSeedConditionSchema.optional(),
+    priority: z.number().int().optional()
+});
+//# sourceMappingURL=seed.descriptor.js.map

package/dist/bootstrap/seed.descriptor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"seed.descriptor.js","sourceRoot":"","sources":["../../src/bootstrap/seed.descriptor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC;AAGxE,MAAM,CAAC,MAAM,4BAA4B,GAAG,CAAC,CAAC,kBAAkB,CAAC,MAAM,EAAE;IACxE,CAAC,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;IACvC,CAAC,CAAC,MAAM,CAAC;QACR,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC;QACnC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;KACvC,CAAC;CACF,CAAC,CAAC;AAGH,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC,MAAM,CAAC;IACrD,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC;IACjC,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACrB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAClC,SAAS,EAAE,CAAC,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAClD,SAAS,EAAE,4BAA4B,CAAC,QAAQ,EAAE;IAClD,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE;CACrC,CAAC,CAAC"}

package/dist/bootstrap/seed.impl-shape.d.ts

@@ -0,0 +1,5 @@
+import type { VibesRuntime } from '@vibesdotdev/runtime';
+export interface BootstrapSeedImpl {
+    run(runtime: VibesRuntime, env: Record<string, string | undefined>): Promise<void>;
+}
+//# sourceMappingURL=seed.impl-shape.d.ts.map

package/dist/bootstrap/seed.impl-shape.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"seed.impl-shape.d.ts","sourceRoot":"","sources":["../../src/bootstrap/seed.impl-shape.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAEzD,MAAM,WAAW,iBAAiB;IACjC,GAAG,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACnF"}

package/dist/bootstrap/seed.impl-shape.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=seed.impl-shape.js.map

package/dist/bootstrap/seed.impl-shape.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"seed.impl-shape.js","sourceRoot":"","sources":["../../src/bootstrap/seed.impl-shape.ts"],"names":[],"mappings":""}

package/dist/bootstrap/seed.kind.d.ts

@@ -0,0 +1,5 @@
+import type { RuntimeKindDescriptor } from '@vibesdotdev/runtime/schemas/kind';
+import { type BootstrapSeedDescriptor } from './seed.descriptor.ts';
+import type { BootstrapSeedImpl } from './seed.impl-shape.ts';
+export declare const bootstrapSeedKind: RuntimeKindDescriptor<BootstrapSeedDescriptor, BootstrapSeedImpl, never>;
+//# sourceMappingURL=seed.kind.d.ts.map

package/dist/bootstrap/seed.kind.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"seed.kind.d.ts","sourceRoot":"","sources":["../../src/bootstrap/seed.kind.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAqB,qBAAqB,EAAE,MAAM,mCAAmC,CAAC;AAClG,OAAO,EAEN,KAAK,uBAAuB,EAC5B,MAAM,sBAAsB,CAAC;AAC9B,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAS9D,eAAO,MAAM,iBAAiB,EAAE,qBAAqB,CACpD,uBAAuB,EACvB,iBAAiB,EACjB,KAAK,CAQL,CAAC"}

package/dist/bootstrap/seed.kind.js

@@ -0,0 +1,14 @@
+import { bootstrapSeedDescriptorSchema } from "./seed.descriptor.js";
+class UnregisteredBootstrapSeed {
+    constructor(_descriptor) { }
+    async run() {
+        // No-op when no impl loader is registered for this descriptor id.
+    }
+}
+export const bootstrapSeedKind = {
+    id: 'bootstrap/seed',
+    descriptorSchema: bootstrapSeedDescriptorSchema,
+    defaultImplementation: UnregisteredBootstrapSeed,
+    contexts: []
+};
+//# sourceMappingURL=seed.kind.js.map

package/dist/bootstrap/seed.kind.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"seed.kind.js","sourceRoot":"","sources":["../../src/bootstrap/seed.kind.ts"],"names":[],"mappings":"AACA,OAAO,EACN,6BAA6B,EAE7B,MAAM,sBAAsB,CAAC;AAG9B,MAAM,yBAAyB;IAC9B,YAAY,WAA8B,IAAG,CAAC;IAC9C,KAAK,CAAC,GAAG;QACR,kEAAkE;IACnE,CAAC;CACD;AAED,MAAM,CAAC,MAAM,iBAAiB,GAI1B;IACH,EAAE,EAAE,gBAAgB;IACpB,gBAAgB,EAAE,6BAA6B;IAC/C,qBAAqB,EAAE,yBAED;IACtB,QAAQ,EAAE,EAAE;CACZ,CAAC"}

package/dist/bootstrap/seed.runner.d.ts

@@ -0,0 +1,18 @@
+import type { VibesRuntime } from '@vibesdotdev/runtime';
+import type { BootstrapSeedMode } from './seed.descriptor.ts';
+export interface BootstrapSeedRunResult {
+    ran: string[];
+    skipped: Array<{
+        id: string;
+        reason: string;
+    }>;
+    failed: Array<{
+        id: string;
+        error: string;
+    }>;
+}
+export interface BootstrapSeedRunOptions {
+    env: Record<string, string | undefined>;
+}
+export declare function runBootstrapSeeds(runtime: VibesRuntime, mode: BootstrapSeedMode, options: BootstrapSeedRunOptions): Promise<BootstrapSeedRunResult>;
+//# sourceMappingURL=seed.runner.d.ts.map

package/dist/bootstrap/seed.runner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"seed.runner.d.ts","sourceRoot":"","sources":["../../src/bootstrap/seed.runner.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAEzD,OAAO,KAAK,EAGX,iBAAiB,EACjB,MAAM,sBAAsB,CAAC;AAK9B,MAAM,WAAW,sBAAsB;IACtC,GAAG,EAAE,MAAM,EAAE,CAAC;IACd,OAAO,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC/C,MAAM,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CAC7C;AAED,MAAM,WAAW,uBAAuB;IACvC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC;CACxC;AAED,wBAAsB,iBAAiB,CACtC,OAAO,EAAE,YAAY,EACrB,IAAI,EAAE,iBAAiB,EACvB,OAAO,EAAE,uBAAuB,GAC9B,OAAO,CAAC,sBAAsB,CAAC,CAiDjC"}

package/dist/bootstrap/seed.runner.js

@@ -0,0 +1,59 @@
+import { getLogger } from '@vibesdotdev/logging';
+const log = getLogger('infra.bootstrap.seed');
+export async function runBootstrapSeeds(runtime, mode, options) {
+    const allDescriptors = runtime
+        .assets('bootstrap/seed')
+        .descriptors();
+    const result = { ran: [], skipped: [], failed: [] };
+    const runnable = [];
+    for (const descriptor of allDescriptors) {
+        if (!descriptor.executeOn.includes(mode)) {
+            result.skipped.push({
+                id: descriptor.id,
+                reason: `mode ${mode} not in executeOn`
+            });
+            continue;
+        }
+        if (!evaluateCondition(descriptor.condition, options.env)) {
+            result.skipped.push({
+                id: descriptor.id,
+                reason: 'condition not met'
+            });
+            continue;
+        }
+        runnable.push(descriptor);
+    }
+    runnable.sort((a, b) => (a.priority ?? 100) - (b.priority ?? 100));
+    for (const descriptor of runnable) {
+        try {
+            const impl = (await runtime
+                .query('bootstrap/seed')
+                .withId(descriptor.id)
+                .resolve());
+            await impl.run(runtime, options.env);
+            result.ran.push(descriptor.id);
+            log.info('bootstrap seed completed', {
+                id: descriptor.id,
+                mode,
+                priority: descriptor.priority ?? 100
+            });
+        }
+        catch (err) {
+            const error = err instanceof Error ? err.message : String(err);
+            result.failed.push({ id: descriptor.id, error });
+            log.error('bootstrap seed failed', { id: descriptor.id, mode, error });
+        }
+    }
+    return result;
+}
+function evaluateCondition(condition, env) {
+    if (!condition)
+        return true;
+    if (condition.kind === 'always')
+        return true;
+    if (condition.kind === 'env-keys-present') {
+        return condition.keys.every((key) => Boolean(env[key]));
+    }
+    return true;
+}
+//# sourceMappingURL=seed.runner.js.map

package/dist/bootstrap/seed.runner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"seed.runner.js","sourceRoot":"","sources":["../../src/bootstrap/seed.runner.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AAQjD,MAAM,GAAG,GAAG,SAAS,CAAC,sBAAsB,CAAC,CAAC;AAY9C,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACtC,OAAqB,EACrB,IAAuB,EACvB,OAAgC;IAEhC,MAAM,cAAc,GAAG,OAAO;SAC5B,MAAM,CAAC,gBAAgB,CAAC;SACxB,WAAW,EAAmD,CAAC;IAEjE,MAAM,MAAM,GAA2B,EAAE,GAAG,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;IAC5E,MAAM,QAAQ,GAA8B,EAAE,CAAC;IAE/C,KAAK,MAAM,UAAU,IAAI,cAAc,EAAE,CAAC;QACzC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1C,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,UAAU,CAAC,EAAE;gBACjB,MAAM,EAAE,QAAQ,IAAI,mBAAmB;aACvC,CAAC,CAAC;YACH,SAAS;QACV,CAAC;QACD,IAAI,CAAC,iBAAiB,CAAC,UAAU,CAAC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3D,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,UAAU,CAAC,EAAE;gBACjB,MAAM,EAAE,mBAAmB;aAC3B,CAAC,CAAC;YACH,SAAS;QACV,CAAC;QACD,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC3B,CAAC;IAED,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,GAAG,CAAC,CAAC,CAAC;IAEnE,KAAK,MAAM,UAAU,IAAI,QAAQ,EAAE,CAAC;QACnC,IAAI,CAAC;YACJ,MAAM,IAAI,GAAG,CAAC,MAAM,OAAO;iBACzB,KAAK,CAAC,gBAAgB,CAAC;iBACvB,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC;iBACrB,OAAO,EAAE,CAAsB,CAAC;YAClC,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;YACrC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC;YAC/B,GAAG,CAAC,IAAI,CAAC,0BAA0B,EAAE;gBACpC,EAAE,EAAE,UAAU,CAAC,EAAE;gBACjB,IAAI;gBACJ,QAAQ,EAAE,UAAU,CAAC,QAAQ,IAAI,GAAG;aACpC,CAAC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,KAAK,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC/D,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,UAAU,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YACjD,GAAG,CAAC,KAAK,CAAC,uBAAuB,EAAE,EAAE,EAAE,EAAE,UAAU,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QACxE,CAAC;IACF,CAAC;IAED,OAAO,MAAM,CAAC;AACf,CAAC;AAED,SAAS,iBAAiB,CACzB,SAA6C,EAC7C,GAAuC;IAEvC,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,IAAI,SAAS,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC7C,IAAI,SAAS,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAC3C,OAAO,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACzD,CAAC;IACD,OAAO,IAAI,CAAC;AACb,CAAC"}

package/dist/credentials/resolve.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Provider-agnostic credential resolution for infra/* adapters.
+ *
+ * Routes through the `secrets/store` runtime kind so every adapter
+ * (alerts, RUM, observability, …) reads from the same credential chain
+ * the rest of the platform uses. The chain (highest precedence first):
+ *
+ *   1. process.env (CI / explicit overrides)
+ *   2. The tier-resolved secrets/store implementation
+ *      - local tier   → encrypted-local → env-file
+ *      - production   → cloudflare-secrets-store → cloudflare-api
+ *
+ * Adapters declare the secret KEY NAMES (e.g. CLOUDFLARE_API_TOKEN) on
+ * their descriptor's `adapterConfig` and use this helper to resolve
+ * the values. The helper supports `keyCandidates` for fallback chains
+ * (e.g. prefer a scoped CLOUDFLARE_NOTIFICATIONS_API_TOKEN, fall back
+ * to the broad CLOUDFLARE_API_TOKEN).
+ *
+ * Why a helper instead of inlining the secrets/store query: provider
+ * adapters live in different packages and shouldn't all duplicate the
+ * tier-walk + env-overlay logic. Keeping it in infra-core makes the
+ * abstraction explicit ("infra/* adapters route credentials through
+ * vibes secrets") and gives us one place to evolve the chain (e.g.
+ * adding 1Password CLI as a backend).
+ */
+export type EnvironmentTier = 'local' | 'dev' | 'staging' | 'production';
+export interface ResolveAdapterCredentialOptions {
+    /**
+     * Ordered list of candidate keys. First one that resolves to a
+     * non-empty value wins. Useful for scoped → fallback patterns:
+     *   ['CLOUDFLARE_NOTIFICATIONS_API_TOKEN', 'CLOUDFLARE_API_TOKEN']
+     */
+    keyCandidates: readonly string[];
+    /**
+     * Environment name to read from the secrets store (default: 'local').
+     * Maps onto vault.environments[name] in encrypted-local.
+     */
+    environment?: string;
+    /**
+     * Tier hint for runtime store selection. Defaults to inferring from
+     * the environment name when it matches a known tier; falls back to
+     * 'local' otherwise.
+     */
+    tier?: EnvironmentTier;
+    /**
+     * Whether to consult process.env first. Defaults true — CI/CD and
+     * explicit shell overrides should win. Pass false to force
+     * store-only resolution.
+     */
+    includeProcessEnv?: boolean;
+    /**
+     * Optional human-readable name for the credential, used in error
+     * messages when no candidate resolves (e.g. "Cloudflare API token").
+     */
+    humanName?: string;
+}
+export interface ResolvedAdapterCredential {
+    /** The KEY that resolved (one of keyCandidates). Useful for audit. */
+    key: string;
+    /** The resolved secret value. Never logged. */
+    value: string;
+    /** Where the value came from: 'process.env' or the store backend id. */
+    source: string;
+}
+/**
+ * Resolve a single credential by walking the candidate keys against
+ * process.env then the active secrets store. Returns the first match.
+ *
+ * Throws when no candidate resolves — adapters should let this bubble
+ * up so the CLI surfaces a clean "missing credentials" message rather
+ * than a vague "401 Unauthorized" downstream.
+ */
+export declare function resolveAdapterCredential(options: ResolveAdapterCredentialOptions): Promise<ResolvedAdapterCredential>;
+/**
+ * Convenience wrapper for resolving multiple credentials at once.
+ * Each key gets a candidate list of one (the key itself). Use the
+ * single-credential form when you need fallback chains.
+ */
+export declare function resolveAdapterCredentials(keys: readonly string[], options?: Omit<ResolveAdapterCredentialOptions, 'keyCandidates' | 'humanName'>): Promise<Record<string, ResolvedAdapterCredential>>;
+//# sourceMappingURL=resolve.d.ts.map

package/dist/credentials/resolve.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve.d.ts","sourceRoot":"","sources":["../../src/credentials/resolve.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAIH,MAAM,MAAM,eAAe,GAAG,OAAO,GAAG,KAAK,GAAG,SAAS,GAAG,YAAY,CAAC;AAEzE,MAAM,WAAW,+BAA+B;IAC/C;;;;OAIG;IACH,aAAa,EAAE,SAAS,MAAM,EAAE,CAAC;IACjC;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,IAAI,CAAC,EAAE,eAAe,CAAC;IACvB;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,yBAAyB;IACzC,sEAAsE;IACtE,GAAG,EAAE,MAAM,CAAC;IACZ,+CAA+C;IAC/C,KAAK,EAAE,MAAM,CAAC;IACd,wEAAwE;IACxE,MAAM,EAAE,MAAM,CAAC;CACf;AAqCD;;;;;;;GAOG;AACH,wBAAsB,wBAAwB,CAC7C,OAAO,EAAE,+BAA+B,GACtC,OAAO,CAAC,yBAAyB,CAAC,CAsEpC;AAED;;;;GAIG;AACH,wBAAsB,yBAAyB,CAC9C,IAAI,EAAE,SAAS,MAAM,EAAE,EACvB,OAAO,CAAC,EAAE,IAAI,CAAC,+BAA+B,EAAE,eAAe,GAAG,WAAW,CAAC,GAC5E,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,yBAAyB,CAAC,CAAC,CASpD"}