@vibesdotdev/infra-core 0.0.1

package/src/credentials/resolve.ts

@@ -0,0 +1,205 @@
+/**
+ * Provider-agnostic credential resolution for infra/* adapters.
+ *
+ * Routes through the `secrets/store` runtime kind so every adapter
+ * (alerts, RUM, observability, …) reads from the same credential chain
+ * the rest of the platform uses. The chain (highest precedence first):
+ *
+ *   1. process.env (CI / explicit overrides)
+ *   2. The tier-resolved secrets/store implementation
+ *      - local tier   → encrypted-local → env-file
+ *      - production   → cloudflare-secrets-store → cloudflare-api
+ *
+ * Adapters declare the secret KEY NAMES (e.g. CLOUDFLARE_API_TOKEN) on
+ * their descriptor's `adapterConfig` and use this helper to resolve
+ * the values. The helper supports `keyCandidates` for fallback chains
+ * (e.g. prefer a scoped CLOUDFLARE_NOTIFICATIONS_API_TOKEN, fall back
+ * to the broad CLOUDFLARE_API_TOKEN).
+ *
+ * Why a helper instead of inlining the secrets/store query: provider
+ * adapters live in different packages and shouldn't all duplicate the
+ * tier-walk + env-overlay logic. Keeping it in infra-core makes the
+ * abstraction explicit ("infra/* adapters route credentials through
+ * vibes secrets") and gives us one place to evolve the chain (e.g.
+ * adding 1Password CLI as a backend).
+ */
+
+import { getVibesRuntime } from '@vibesdotdev/runtime';
+
+export type EnvironmentTier = 'local' | 'dev' | 'staging' | 'production';
+
+export interface ResolveAdapterCredentialOptions {
+	/**
+	 * Ordered list of candidate keys. First one that resolves to a
+	 * non-empty value wins. Useful for scoped → fallback patterns:
+	 *   ['CLOUDFLARE_NOTIFICATIONS_API_TOKEN', 'CLOUDFLARE_API_TOKEN']
+	 */
+	keyCandidates: readonly string[];
+	/**
+	 * Environment name to read from the secrets store (default: 'local').
+	 * Maps onto vault.environments[name] in encrypted-local.
+	 */
+	environment?: string;
+	/**
+	 * Tier hint for runtime store selection. Defaults to inferring from
+	 * the environment name when it matches a known tier; falls back to
+	 * 'local' otherwise.
+	 */
+	tier?: EnvironmentTier;
+	/**
+	 * Whether to consult process.env first. Defaults true — CI/CD and
+	 * explicit shell overrides should win. Pass false to force
+	 * store-only resolution.
+	 */
+	includeProcessEnv?: boolean;
+	/**
+	 * Optional human-readable name for the credential, used in error
+	 * messages when no candidate resolves (e.g. "Cloudflare API token").
+	 */
+	humanName?: string;
+}
+
+export interface ResolvedAdapterCredential {
+	/** The KEY that resolved (one of keyCandidates). Useful for audit. */
+	key: string;
+	/** The resolved secret value. Never logged. */
+	value: string;
+	/** Where the value came from: 'process.env' or the store backend id. */
+	source: string;
+}
+
+interface SecretsStoreImplShape {
+	id?: string;
+	get?(environment: string, key: string): Promise<string | undefined>;
+}
+
+interface SecretsStoreDescriptorShape {
+	id: string;
+	priority?: number;
+	tiers?: readonly EnvironmentTier[] | EnvironmentTier[];
+}
+
+/**
+ * Tier-aware backend selection. Mirrors the secrets/store kind's own
+ * resolver (`packages/secrets/src/kinds/store.kind.ts`) so callers
+ * don't need to import internal helpers.
+ */
+function pickBackend(
+	descriptors: SecretsStoreDescriptorShape[],
+	tier: EnvironmentTier
+): SecretsStoreDescriptorShape | undefined {
+	if (descriptors.length === 0) return undefined;
+	const matches = descriptors.filter((d) => (d.tiers ?? []).includes(tier));
+	const pool = matches.length > 0 ? matches : descriptors;
+	pool.sort((a, b) => (b.priority ?? 0) - (a.priority ?? 0));
+	return pool[0];
+}
+
+function inferTier(environment: string, override?: EnvironmentTier): EnvironmentTier {
+	if (override) return override;
+	if (environment === 'local' || environment === 'dev' || environment === 'staging' || environment === 'production') {
+		return environment;
+	}
+	return 'local';
+}
+
+/**
+ * Resolve a single credential by walking the candidate keys against
+ * process.env then the active secrets store. Returns the first match.
+ *
+ * Throws when no candidate resolves — adapters should let this bubble
+ * up so the CLI surfaces a clean "missing credentials" message rather
+ * than a vague "401 Unauthorized" downstream.
+ */
+export async function resolveAdapterCredential(
+	options: ResolveAdapterCredentialOptions
+): Promise<ResolvedAdapterCredential> {
+	const env = options.environment ?? 'local';
+	const tier = inferTier(env, options.tier);
+	const includeEnv = options.includeProcessEnv ?? true;
+
+	// 1. process.env (CI / shell override)
+	if (includeEnv) {
+		for (const key of options.keyCandidates) {
+			const v = process.env[key];
+			if (v && v.length > 0) {
+				return { key, value: v, source: 'process.env' };
+			}
+		}
+	}
+
+	// 2. secrets/store runtime resolution (tier-aware, priority-ordered)
+	const runtime = getVibesRuntime();
+	if (!runtime.hasKind('secrets/store')) {
+		throw new Error(
+			`No secrets/store kind registered; cannot resolve ${options.humanName ?? options.keyCandidates[0]}. ` +
+				'Load the secrets plugin (and a backend like encrypted-local) before calling this adapter.'
+		);
+	}
+
+	const descriptors = runtime
+		.assets('secrets/store')
+		.descriptors() as SecretsStoreDescriptorShape[];
+	// `VIBES_DEBUG_SECRETS=1` dumps the visible descriptor pool when
+	// you're tracing why a credential is missing or getting misrouted.
+	if (process.env.VIBES_DEBUG_SECRETS === '1') {
+		console.error(`[secrets-debug] descriptors visible at tier=${tier}:`);
+		for (const d of descriptors) {
+			console.error(`  - id=${d.id} priority=${d.priority ?? '-'} tiers=${JSON.stringify(d.tiers)}`);
+		}
+	}
+	const target = pickBackend(descriptors, tier);
+	if (!target) {
+		throw new Error(
+			`No secrets/store backend available for tier=${tier}. Register a backend ` +
+				'(encrypted-local for local, cloudflare-secrets-store for production) before calling this adapter.'
+		);
+	}
+
+	const store = (await runtime
+		.query('secrets/store')
+		.withId(target.id)
+		.resolve()) as SecretsStoreImplShape;
+
+	if (!store || typeof store.get !== 'function') {
+		throw new Error(
+			`Resolved secrets/store '${target.id}' has no get() method for ${options.humanName ?? options.keyCandidates[0]}.`
+		);
+	}
+
+	for (const key of options.keyCandidates) {
+		try {
+			const v = await store.get(env, key);
+			if (v && v.length > 0) {
+				return { key, value: v, source: target.id };
+			}
+		} catch {
+			// next candidate
+		}
+	}
+
+	throw new Error(
+		`Missing credential: none of [${options.keyCandidates.join(', ')}] resolved from process.env or ` +
+			`${target.id} (environment=${env}, tier=${tier}). ` +
+			`Set the value with \`vibes secrets set --environment ${env} ${options.keyCandidates[0]} <value>\`.`
+	);
+}
+
+/**
+ * Convenience wrapper for resolving multiple credentials at once.
+ * Each key gets a candidate list of one (the key itself). Use the
+ * single-credential form when you need fallback chains.
+ */
+export async function resolveAdapterCredentials(
+	keys: readonly string[],
+	options?: Omit<ResolveAdapterCredentialOptions, 'keyCandidates' | 'humanName'>
+): Promise<Record<string, ResolvedAdapterCredential>> {
+	const out: Record<string, ResolvedAdapterCredential> = {};
+	for (const key of keys) {
+		out[key] = await resolveAdapterCredential({
+			keyCandidates: [key],
+			...(options ?? {})
+		});
+	}
+	return out;
+}

package/src/deployment.ts

@@ -0,0 +1,57 @@
+import {
+	appDeploymentSchema,
+	deploymentDependencySchema,
+	deploymentEnvRequirementSchema,
+	deploymentOriginSchema,
+	type AppDeployment,
+	type AppDeploymentInput,
+	type DeploymentDependency,
+	type DeploymentEnvRequirement,
+	type DeploymentOrigin,
+	type DeploymentUpstream
+} from './schemas.ts';
+
+export function createAppDeployment(input: AppDeploymentInput): AppDeployment {
+	return appDeploymentSchema.parse(input);
+}
+
+export function createDeploymentOrigin(input: DeploymentOrigin): DeploymentOrigin {
+	return deploymentOriginSchema.parse(input);
+}
+
+export function createDeploymentEnvRequirement(
+	input: DeploymentEnvRequirement
+): DeploymentEnvRequirement {
+	return deploymentEnvRequirementSchema.parse(input);
+}
+
+export function createDeploymentDependency(input: DeploymentDependency): DeploymentDependency {
+	return deploymentDependencySchema.parse(input);
+}
+
+export function getPrimaryOrigin(deployment: AppDeployment): DeploymentOrigin {
+	return (
+		deployment.origins.find((origin) => origin.kind === 'primary') ?? deployment.origins[0]
+	);
+}
+
+export function getUpstreamOriginEnv(
+	upstream: DeploymentUpstream
+): Record<string, string> {
+	if (!upstream.originEnvVar) {
+		return {};
+	}
+
+	return {
+		[upstream.originEnvVar]: upstream.origin
+	};
+}
+
+export type {
+	AppDeployment,
+	AppDeploymentInput,
+	DeploymentDependency,
+	DeploymentEnvRequirement,
+	DeploymentOrigin,
+	DeploymentUpstream
+};

package/src/index.ts

@@ -0,0 +1,149 @@
+export {
+	createAppDeployment,
+	createDeploymentOrigin,
+	createDeploymentEnvRequirement,
+	createDeploymentDependency,
+	getPrimaryOrigin,
+	getUpstreamOriginEnv
+} from './deployment.ts';
+export type {
+	AppDeployment,
+	AppDeploymentInput,
+	DeploymentDependency,
+	DeploymentEnvRequirement,
+	DeploymentOrigin,
+	DeploymentUpstream
+} from './deployment.ts';
+export {
+	deploymentProviderSchema,
+	appRuntimeSchema,
+	deploymentOriginSchema,
+	deploymentBuildSchema,
+	deploymentEnvRequirementSchema,
+	deploymentDependencySchema,
+	deploymentUpstreamSchema,
+	appDeploymentSchema
+} from './schemas.ts';
+export type {
+	DeploymentProvider,
+	AppRuntime,
+	DeploymentOrigin as DeploymentOriginType,
+	DeploymentBuild,
+	DeploymentEnvRequirement as DeploymentEnvRequirementType,
+	DeploymentDependency as DeploymentDependencyType,
+	DeploymentUpstream as DeploymentUpstreamType,
+	AppDeploymentInput as AppDeploymentInputType,
+	AppDeployment as AppDeploymentType
+} from './schemas.ts';
+export {
+	webAppKind, WebAppDescriptorSchema, WebAppConfigSchema, CloudflareWorkersWebAppConfigSchema, DigitalOceanAppWebAppConfigSchema
+} from './kinds/index.ts';
+export type { WebAppDescriptor, WebAppDependency } from './kinds/index.ts';
+export {
+	workerKind, WorkerDescriptorSchema, WorkerConfigSchema, DoksDeploymentWorkerConfigSchema, WorkerScalingSchema
+} from './kinds/index.ts';
+export type { WorkerDescriptor, WorkerScaling } from './kinds/index.ts';
+export {
+	databaseKind, DatabaseDescriptorSchema, DatabaseConfigSchema, DoksDatabaseConfigSchema, DOManagedPostgresConfigSchema, TursoDatabaseConfigSchema, CloudflareD1ConfigSchema, DatabaseBackupSchema
+} from './kinds/index.ts';
+export type { DatabaseDescriptor, DatabaseBackup } from './kinds/index.ts';
+export {
+	queueKind, QueueDescriptorSchema, QueueConfigSchema, DoksQueueConfigSchema, QueueTopicSchema
+} from './kinds/index.ts';
+export type { QueueDescriptor, QueueTopic } from './kinds/index.ts';
+export { cacheKind, CacheDescriptorSchema, CacheConfigSchema, DOManagedRedisConfigSchema } from './kinds/index.ts';
+export type { CacheDescriptor } from './kinds/index.ts';
+export {
+	objectStorageKind, ObjectStorageDescriptorSchema, ObjectStorageConfigSchema, DOSpacesConfigSchema, CorsRuleSchema, LifecycleRuleSchema
+} from './kinds/index.ts';
+export type { ObjectStorageDescriptor, CorsRule, LifecycleRule } from './kinds/index.ts';
+export {
+	sandboxKind, SandboxDescriptorSchema, SandboxConfigSchema, CloudflareSandboxConfigSchema, DockerSandboxConfigSchema, DigitalOceanDropletSandboxConfigSchema, SandboxOutboundProxySchema, SandboxResourceLimitsSchema
+} from './kinds/index.ts';
+export type { SandboxDescriptor, SandboxOutboundProxy, SandboxResourceLimits } from './kinds/index.ts';
+export {
+	gitHostingKind, GitHostingDescriptorSchema, GitHostingConfigSchema, GiteaDoksGitHostingConfigSchema, GitHostingTypeSchema, GitHostingAuthMethodSchema
+} from './kinds/index.ts';
+export type { GitHostingDescriptor, GitHostingType, GitHostingAuthMethod } from './kinds/index.ts';
+export {
+	packageRegistryKind, PackageRegistryDescriptorSchema, PackageRegistryConfigSchema, VerdaccioDoksPackageRegistryConfigSchema, PackageRegistryTypeSchema
+} from './kinds/index.ts';
+export type { PackageRegistryDescriptor, PackageRegistryType } from './kinds/index.ts';
+export {
+	logsKind, InfraLogsDescriptorSchema, type InfraLogsDescriptor, type InfraLogsDescriptorInput, type InfraLogsKind, type InfraLogsKindInput, type LogsImplementation
+} from './kinds/index.ts';
+export {
+	artifactKind,
+	ArtifactDescriptorSchema,
+	type ArtifactDescriptor,
+	type ArtifactGenerator,
+	type ArtifactOutput
+} from './kinds/index.ts';
+export { INFRA_DISCOVERY_PATTERN, extractStem } from './kinds/index.ts';
+export {
+	alertsKind,
+	InfraAlertsDescriptorSchema,
+	AlertPolicySchema,
+	AlertMechanismSchema,
+	AlertTypeSchema,
+	AlertWindowSchema,
+	type InfraAlertsDescriptor,
+	type InfraAlertsDescriptorInput,
+	type InfraAlertsKind,
+	type InfraAlertsKindInput,
+	type AlertsImplementation,
+	type AlertPolicy,
+	type AlertMechanism,
+	type AlertType
+} from './kinds/index.ts';
+export {
+	observabilityKind,
+	InfraObservabilityDescriptorSchema,
+	ObservabilityScopeSchema,
+	ObservabilitySettingsSchema,
+	type InfraObservabilityDescriptor,
+	type InfraObservabilityDescriptorInput,
+	type InfraObservabilityKind,
+	type InfraObservabilityKindInput,
+	type ObservabilityImplementation,
+	type ObservabilityScope,
+	type ObservabilitySettings,
+	type ObservabilitySnapshot,
+	type SetObservabilityInput,
+	type SetObservabilityResult
+} from './kinds/index.ts';
+export {
+	rumKind,
+	InfraRumDescriptorSchema,
+	RumPrivacySchema,
+	RumInjectionSchema,
+	type InfraRumDescriptor,
+	type InfraRumDescriptorInput,
+	type InfraRumKind,
+	type InfraRumKindInput,
+	type RumImplementation,
+	type RumSiteSnapshot,
+	type RumPrivacy,
+	type RumInjection
+} from './kinds/index.ts';
+export {
+	resolveAdapterCredential,
+	resolveAdapterCredentials,
+	type EnvironmentTier,
+	type ResolveAdapterCredentialOptions,
+	type ResolvedAdapterCredential
+} from './credentials/resolve.ts';
+export {
+	bootstrapSeedKind,
+	bootstrapSeedConditionSchema,
+	bootstrapSeedDescriptorSchema,
+	bootstrapSeedModeSchema,
+	runBootstrapSeeds,
+	type BootstrapSeedCondition,
+	type BootstrapSeedDescriptor,
+	type BootstrapSeedImpl,
+	type BootstrapSeedMode,
+	type BootstrapSeedRunOptions,
+	type BootstrapSeedRunResult
+} from './bootstrap/index.ts';
+export { default as infraPlugin } from './infra.plugin';

package/src/infra.plugin.ts

@@ -0,0 +1,54 @@
+/**
+ * Infrastructure Runtime Plugin
+ *
+ * Registers all infra resource kinds with the runtime.
+ */
+
+import { createRuntimePlugin } from '@vibesdotdev/runtime/factory/plugin';
+import { webAppKind } from './kinds/web-app.kind';
+import { workerKind } from './kinds/worker.kind';
+import { databaseKind } from './kinds/database.kind';
+import { queueKind } from './kinds/queue.kind';
+import { cacheKind } from './kinds/cache.kind';
+import { objectStorageKind } from './kinds/object-storage.kind';
+import { sandboxKind } from './kinds/sandbox.kind';
+import { gitHostingKind } from './kinds/git-hosting.kind';
+import { packageRegistryKind } from './kinds/package-registry.kind';
+import { logsKind } from './kinds/logs.kind';
+import { alertsKind } from './kinds/alerts.kind.ts';
+import { observabilityKind } from './kinds/observability.kind.ts';
+import { rumKind } from './kinds/rum.kind.ts';
+import { bootstrapSeedKind } from './bootstrap/index.ts';
+
+/**
+ * Note on layering: inference is an apps/ai domain concern, not an infra kind.
+ * Existing runtime kinds `ai/provider`, `ai/adapter`, `ai/model`, and
+ * `ai/generation` already express "who/how/where inference runs", and the
+ * runtime's hardware scope + connectionMode qualifier + priority already
+ * select between consumer-direct, consumer-worker, cloud-worker, and
+ * cloud-via-API strategies. New strategies (CF Unified Inference, Agents
+ * Week bindings) should be added as new `ai/provider` descriptors + adapters,
+ * not as a parallel `infra/inference` kind.
+ */
+
+export default createRuntimePlugin({
+	id: 'infra',
+	name: 'Infrastructure',
+	description: 'Resource kinds for deployable infrastructure',
+	kinds: [
+		webAppKind,
+		workerKind,
+		databaseKind,
+		queueKind,
+		cacheKind,
+		objectStorageKind,
+		sandboxKind,
+		gitHostingKind,
+		packageRegistryKind,
+		logsKind,
+		alertsKind,
+		observabilityKind,
+		rumKind,
+		bootstrapSeedKind
+	]
+});

package/src/kinds/alerts.kind.ts

@@ -0,0 +1,164 @@
+/**
+ * Infra Alerts Kind
+ *
+ * Provider-agnostic schema for alerting / notification policies that
+ * span billing (budget + per-product usage), reliability (error rate,
+ * latency), and operational lifecycle (deploys, subscription changes).
+ *
+ * Per-provider implementations (cloudflare-alerts, do-monitoring,
+ * cloudwatch-alarms) map this shape onto the native API. Where a
+ * provider doesn't support a `type`, the impl rejects with a clear
+ * "unsupported" error rather than silently falling back.
+ *
+ * Configuration is declarative — typically encoded in an
+ * `infra/account.config.ts` or `infra/alerts.infra.ts` file alongside
+ * `infra/dns.ts`. The CLI (`vibes infra alerts list|create|delete`)
+ * wraps the same primitive for one-off ops and drift detection.
+ */
+
+import * as z from 'zod/v4';
+import { createRuntimeKind } from '@vibesdotdev/runtime/factory/kind';
+import { RuntimeDescriptorSchema } from '@vibesdotdev/runtime/schemas/descriptor';
+import { INFRA_DISCOVERY_PATTERN, extractStem } from './discovery.ts';
+
+/**
+ * Delivery channel for an alert. Provider impls translate these to
+ * native delivery slots (e.g. CF's `mechanisms.email[]`).
+ */
+const AlertMechanismSchema = z.discriminatedUnion('kind', [
+	z.object({
+		kind: z.literal('email'),
+		/** Email address — must be a verified destination on the provider. */
+		target: z.email()
+	}),
+	z.object({
+		kind: z.literal('webhook'),
+		/** Outbound webhook URL. */
+		target: z.string().url(),
+		/** Optional secret name (in the active secrets store) used for HMAC signing. */
+		secretRef: z.string().optional()
+	}),
+	z.object({
+		kind: z.literal('pagerduty'),
+		/** PagerDuty integration key (Events API v2). */
+		target: z.string().min(1)
+	}),
+	z.object({
+		kind: z.literal('slack'),
+		/** Slack webhook URL (Incoming Webhooks). */
+		target: z.string().url()
+	})
+]);
+
+export type AlertMechanism = z.infer<typeof AlertMechanismSchema>;
+
+/**
+ * Cross-provider alert categories. Each maps to one or more native
+ * alert types per provider.
+ */
+const AlertTypeSchema = z.enum([
+	/** Total cost crossed a dollar threshold for the current billing period. */
+	'budget',
+	/** Per-product usage crossed a numeric threshold (events/req/GB/etc.). */
+	'usage',
+	/** Worker/service error rate over a rolling window. */
+	'error-rate',
+	/** P99 latency or wall-time crossed a threshold. */
+	'latency',
+	/** Catch-all for provider-specific types not yet modeled here. */
+	'custom'
+]);
+
+export type AlertType = z.infer<typeof AlertTypeSchema>;
+
+const AlertWindowSchema = z.enum(['5m', '15m', '1h', '6h', '24h', '7d', '30d']);
+
+const AlertPolicySchema = z.object({
+	/** Stable id for diffing. Auto-generated when omitted. */
+	id: z.string().min(1).optional(),
+	/** Human-readable name (also surfaced by the provider). */
+	name: z.string().min(1),
+	type: AlertTypeSchema,
+	/**
+	 * Threshold value. `budget` reads it as USD (or local currency).
+	 * `usage`/`error-rate`/`latency` read it as units defined by the
+	 * filter (event count, %, ms).
+	 */
+	threshold: z.number().nonnegative(),
+	/** Optional secondary threshold for tiered alerts. */
+	warningThreshold: z.number().nonnegative().optional(),
+	/** Rolling window for `usage`/`error-rate`/`latency`. Ignored for `budget`. */
+	window: AlertWindowSchema.optional(),
+	/**
+	 * Adapter-specific filters. Examples:
+	 *   { product: 'workers_observability' }     // usage on a specific CF product
+	 *   { worker: 'vibes-account' }              // error-rate scoped to one worker
+	 *   { native_alert_type: 'health_check_status_notification' } // custom escape
+	 */
+	filters: z.record(z.string(), z.string()).default({}),
+	mechanisms: z.array(AlertMechanismSchema).min(1),
+	enabled: z.boolean().default(true),
+	description: z.string().optional()
+});
+
+export type AlertPolicy = z.infer<typeof AlertPolicySchema>;
+
+const AlertsBaseSchema = RuntimeDescriptorSchema.extend({
+	kind: z.literal('infra/alerts'),
+	/** Adapter id (e.g. 'cloudflare-alerts', 'do-monitoring'). */
+	adapter: z.string().min(1),
+	adapterConfig: z.record(z.string(), z.unknown()).optional(),
+	/**
+	 * Default environment name for credential resolution via `vibes
+	 * secrets`. Defaults to 'local' since the CLI / dev workflow is
+	 * the primary caller; production Workers that consume this adapter
+	 * read credentials from CF Secrets Store bindings directly, not
+	 * through this descriptor.
+	 */
+	environment: z.string().default('local'),
+	policies: z.array(AlertPolicySchema).default([])
+});
+
+export type InfraAlertsDescriptor = z.infer<typeof AlertsBaseSchema>;
+export type InfraAlertsDescriptorInput = z.input<typeof AlertsBaseSchema>;
+
+/**
+ * Implementation contract every provider implements. Operations are
+ * idempotent: `applyPolicies` reconciles the live policy set to the
+ * desired set without trampling unrelated policies on the provider.
+ */
+export interface AlertsImplementation {
+	/** List policies currently configured on the provider. */
+	listPolicies(): Promise<Array<AlertPolicy & { providerId: string }>>;
+	/** Create a single policy. Returns the provider-assigned id. */
+	createPolicy(policy: AlertPolicy): Promise<{ providerId: string }>;
+	/** Delete a policy by provider id. */
+	deletePolicy(providerId: string): Promise<void>;
+	/**
+	 * Diff desired (descriptor) against live; return the set of policies
+	 * that need create/update/delete. Empty arrays = in sync.
+	 */
+	diff(desired: AlertPolicy[]): Promise<{
+		create: AlertPolicy[];
+		update: Array<{ providerId: string; policy: AlertPolicy }>;
+		delete: Array<{ providerId: string; name: string }>;
+	}>;
+}
+
+export const alertsKind = createRuntimeKind<InfraAlertsDescriptor, AlertsImplementation>({
+	id: 'infra/alerts',
+	descriptorSchema: AlertsBaseSchema,
+	discoveryPattern: INFRA_DISCOVERY_PATTERN,
+	extractStem
+});
+
+export type InfraAlertsKind = InfraAlertsDescriptor;
+export type InfraAlertsKindInput = InfraAlertsDescriptorInput;
+
+export {
+	AlertsBaseSchema as InfraAlertsDescriptorSchema,
+	AlertPolicySchema,
+	AlertMechanismSchema,
+	AlertTypeSchema,
+	AlertWindowSchema
+};