@vizamodo/pkg-runtime-primitives 1.0.99

package/README.md

@@ -0,0 +1,8 @@
+# viza-command-hub
+
+Internal execution worker for Viza.
+
+- Single entry point
+- Command-centric
+- Policy per command
+- Binding-only (no public endpoints)

package/dist/aws/console-login.d.ts

@@ -0,0 +1,17 @@
+export interface AwsConsoleLoginConfig {
+    profile: string;
+    region: string;
+    trustAnchorArn: string;
+    roleArn: string;
+    profileArn: string;
+    certBase64: string;
+    privateKeyBase64: string;
+}
+export declare function issueAwsSessionCredentials(config: AwsConsoleLoginConfig): Promise<import("@vizamodo/aws-sts-core").AwsCredentialResult>;
+export declare function createAwsFederatedLogin(params: AwsConsoleLoginConfig & {
+    intent?: "console" | "billing" | "dynamodb" | "ssm";
+}): Promise<{
+    loginUrl: string;
+    shortUrl: string;
+    ttlHours: number;
+}>;

package/dist/aws/console-login.js

@@ -0,0 +1,36 @@
+import { issueAwsCredentials, buildFederationLoginUrl, } from "@vizamodo/aws-sts-core";
+import { retryOnce } from "../runtime/retry-once";
+export async function issueAwsSessionCredentials(config) {
+    const { profile, region, trustAnchorArn, roleArn, profileArn, certBase64, privateKeyBase64, } = config;
+    return await retryOnce((ctx) => issueAwsCredentials({
+        trustAnchorArn,
+        roleArn,
+        profileArn,
+        region,
+        certBase64,
+        privateKeyPkcs8Base64: privateKeyBase64,
+        profile,
+        ...ctx,
+    }));
+}
+export async function createAwsFederatedLogin(params) {
+    const { intent, ...config } = params;
+    const creds = await issueAwsSessionCredentials(config);
+    const { loginUrl, shortUrl } = await retryOnce((ctx) => buildFederationLoginUrl({
+        accessKeyId: creds.accessKeyId,
+        secretAccessKey: creds.secretAccessKey,
+        sessionToken: creds.sessionToken,
+        region: config.region,
+        expiration: creds.expiration,
+        ...(intent ? { intent } : {}),
+        ...ctx,
+    }));
+    const ttlMs = new Date(creds.expiration).getTime() - Date.now();
+    const ttlHoursRaw = ttlMs / (1000 * 60 * 60);
+    const ttlHours = Math.max(0, Math.round(ttlHoursRaw * 10) / 10);
+    return {
+        loginUrl,
+        shortUrl,
+        ttlHours
+    };
+}

package/dist/aws/load-backup-from-ssm.d.ts

@@ -0,0 +1,9 @@
+import { AwsCredentials } from "@vizamodo/aws-sts-core";
+export declare function loadBackupFromSSM(params: {
+    region: string;
+    credentials: AwsCredentials;
+    path: string;
+}): Promise<{
+    vars: Record<string, string>;
+    secrets: Record<string, string>;
+}>;

package/dist/aws/load-backup-from-ssm.js

@@ -0,0 +1,48 @@
+import { buildSignedAwsRequest } from "@vizamodo/aws-sts-core";
+export async function loadBackupFromSSM(params) {
+    const { region, credentials, path } = params;
+    const vars = {};
+    const secrets = {};
+    let nextToken = undefined;
+    do {
+        const body = {
+            Path: path,
+            Recursive: true,
+            WithDecryption: true,
+            MaxResults: 10
+        };
+        if (nextToken) {
+            body.NextToken = nextToken;
+        }
+        const resp = await fetch(`https://ssm.${region}.amazonaws.com/`, await buildSignedAwsRequest({
+            service: "ssm",
+            region,
+            target: "AmazonSSM.GetParametersByPath",
+            contentType: "application/x-amz-json-1.1",
+            body: JSON.stringify(body),
+            credentials
+        }));
+        if (!resp.ok) {
+            const text = await resp.text().catch(() => "");
+            throw new Error(`SSM request failed: ${resp.status} ${text}`);
+        }
+        const json = await resp.json();
+        const parameters = json.Parameters ?? [];
+        for (const p of parameters) {
+            const name = p.Name;
+            const value = p.Value;
+            // Extract key using last slash (faster than split)
+            const i = name.lastIndexOf("/");
+            const key = name.substring(i + 1);
+            // Fast path prefix checks (avoid multiple scans)
+            if (name.startsWith("/modo/github/vars/")) {
+                vars[key] = value;
+            }
+            else if (name.startsWith("/modo/github/secrets/")) {
+                secrets[key] = value;
+            }
+        }
+        nextToken = json.NextToken;
+    } while (nextToken);
+    return { vars, secrets };
+}

package/dist/crypto/age.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Encrypt plaintext using age recipient.
+ * Returns armored ciphertext string (safe to store in SSM / JSON).
+ */
+export declare function encryptWithAge(plaintext: string, recipient: string): Promise<string>;
+/**
+ * Decrypt armored age ciphertext using identity key.
+ */
+export declare function decryptWithAge(ciphertext: string, identity: string): Promise<string>;
+/**
+ * Encrypt multiple values in parallel with a concurrency limit.
+ * Useful when encrypting many secrets to avoid Worker memory spikes.
+ */
+export declare function encryptManyWithAge(items: Record<string, string>, recipient: string, concurrency?: number): Promise<Record<string, string>>;
+/**
+ * Decrypt multiple values in parallel with a concurrency limit.
+ * Protects Worker memory (128MB) by limiting active decrypt operations.
+ */
+export declare function decryptManyWithAge(items: Record<string, string>, identity: string, concurrency?: number): Promise<{
+    data: Record<string, string>;
+    warnings: string[];
+}>;

package/dist/crypto/age.js

@@ -0,0 +1,78 @@
+import * as age from "age-encryption";
+/**
+ * Encrypt plaintext using age recipient.
+ * Returns armored ciphertext string (safe to store in SSM / JSON).
+ */
+export async function encryptWithAge(plaintext, recipient) {
+    const e = new age.Encrypter();
+    e.addRecipient(recipient);
+    const ciphertext = await e.encrypt(plaintext);
+    // convert binary age file to ASCII armor (safe for SSM / JSON)
+    return age.armor.encode(ciphertext);
+}
+/**
+ * Decrypt armored age ciphertext using identity key.
+ */
+export async function decryptWithAge(ciphertext, identity) {
+    try {
+        const d = new age.Decrypter();
+        d.addIdentity(identity);
+        const decoded = age.armor.decode(ciphertext);
+        const out = await d.decrypt(decoded, "text");
+        return out;
+    }
+    catch (error) {
+        throw new Error("age decryption failed: invalid identity key or corrupted ciphertext", { cause: error });
+    }
+}
+/**
+ * Encrypt multiple values in parallel with a concurrency limit.
+ * Useful when encrypting many secrets to avoid Worker memory spikes.
+ */
+export async function encryptManyWithAge(items, recipient, concurrency = 5) {
+    const entries = Object.entries(items);
+    const result = {};
+    let index = 0;
+    async function worker() {
+        while (index < entries.length) {
+            const current = index++;
+            const entry = entries[current];
+            if (!entry)
+                break;
+            const [key, value] = entry;
+            result[key] = await encryptWithAge(value, recipient);
+        }
+    }
+    const workers = Array.from({ length: concurrency }, () => worker());
+    await Promise.all(workers);
+    return result;
+}
+/**
+ * Decrypt multiple values in parallel with a concurrency limit.
+ * Protects Worker memory (128MB) by limiting active decrypt operations.
+ */
+export async function decryptManyWithAge(items, identity, concurrency = 5) {
+    const entries = Object.entries(items);
+    const result = {};
+    const warnings = [];
+    let index = 0;
+    async function worker() {
+        while (index < entries.length) {
+            const current = index++;
+            const entry = entries[current];
+            if (!entry)
+                break;
+            const [key, value] = entry;
+            try {
+                result[key] = await decryptWithAge(value, identity);
+            }
+            catch (err) {
+                const msg = `[age.decrypt] skipped key=${key}: ${err.message}`;
+                warnings.push(msg);
+            }
+        }
+    }
+    const workers = Array.from({ length: concurrency }, () => worker());
+    await Promise.all(workers);
+    return { data: result, warnings };
+}

package/dist/github/github-app-token.d.ts

@@ -0,0 +1,4 @@
+export declare function getGithubInstallationToken(installationId: number, privateKey: string, appId: string): Promise<{
+    token: string;
+    expiresAt: string;
+}>;

package/dist/github/github-app-token.js

@@ -0,0 +1,74 @@
+async function createGithubAppJwt(appId, privateKeyPem) {
+    // Convert PEM → ArrayBuffer
+    const pem = privateKeyPem
+        .replace("-----BEGIN PRIVATE KEY-----", "")
+        .replace("-----END PRIVATE KEY-----", "")
+        .replace(/\n/g, "");
+    const binary = atob(pem);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++)
+        bytes[i] = binary.charCodeAt(i);
+    const key = await crypto.subtle.importKey("pkcs8", bytes.buffer, {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: "SHA-256",
+    }, false, ["sign"]);
+    const now = Math.floor(Date.now() / 1000);
+    const header = {
+        alg: "RS256",
+        typ: "JWT",
+    };
+    const payload = {
+        iat: now - 60,
+        exp: now + 540,
+        iss: appId,
+    };
+    const encode = (obj) => btoa(JSON.stringify(obj))
+        .replace(/=/g, "")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_");
+    const headerB64 = encode(header);
+    const payloadB64 = encode(payload);
+    const data = `${headerB64}.${payloadB64}`;
+    const signature = await crypto.subtle.sign("RSASSA-PKCS1-v1_5", key, new TextEncoder().encode(data));
+    const sigBytes = new Uint8Array(signature);
+    let binarySig = "";
+    for (let i = 0; i < sigBytes.length; i++)
+        binarySig += String.fromCharCode(sigBytes[i]);
+    const sigB64 = btoa(binarySig)
+        .replace(/=/g, "")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_");
+    return `${data}.${sigB64}`;
+}
+export async function getGithubInstallationToken(installationId, privateKey, appId) {
+    const jwt = await createGithubAppJwt(appId, privateKey);
+    const res = await fetch(`https://api.github.com/app/installations/${installationId}/access_tokens`, {
+        method: "POST",
+        headers: {
+            Authorization: `Bearer ${jwt}`,
+            Accept: "application/vnd.github+json",
+            "User-Agent": "viza-command-hub",
+        },
+    });
+    const text = await res.text();
+    if (!res.ok) {
+        throw new Error(`GitHub installation token request failed (${res.status}): ${text}`);
+    }
+    let json;
+    try {
+        json = JSON.parse(text);
+    }
+    catch {
+        throw new Error("Invalid JSON from GitHub installation token response");
+    }
+    if (!json.token) {
+        throw new Error("GitHub installation token response missing token");
+    }
+    if (!json.expires_at) {
+        throw new Error("GitHub installation token response missing expires_at");
+    }
+    return {
+        token: json.token,
+        expiresAt: json.expires_at,
+    };
+}

package/dist/github/github-env.d.ts

@@ -0,0 +1,2 @@
+export declare function repoUrl(repo: string, environment: string): string;
+export declare function ensureEnvironment(repo: string, environment: string, headers: Record<string, string>): Promise<void>;

package/dist/github/github-env.js

@@ -0,0 +1,13 @@
+export function repoUrl(repo, environment) {
+    return `https://api.github.com/repos/${repo}/environments/${environment}`;
+}
+export async function ensureEnvironment(repo, environment, headers) {
+    const res = await fetch(repoUrl(repo, environment), {
+        method: "PUT",
+        headers
+    });
+    if (!res.ok) {
+        const text = await res.text();
+        throw new Error(`Failed to ensure environment ${repo}:${environment}: ${text}`);
+    }
+}

package/dist/github/github-headers.d.ts

@@ -0,0 +1 @@
+export declare function githubHeaders(token: string): Record<string, string>;

package/dist/github/github-headers.js

@@ -0,0 +1,8 @@
+export function githubHeaders(token) {
+    return {
+        Authorization: `Bearer ${token}`,
+        Accept: "application/vnd.github+json",
+        "Content-Type": "application/json",
+        "User-Agent": "viza-command-hub",
+    };
+}

package/dist/github/github-owner-token.d.ts

@@ -0,0 +1,7 @@
+export declare function getTokenForRepo(params: {
+    repo: string;
+    installationId: number;
+    appPrivateKey: string;
+    appId: string;
+    forceRefresh?: boolean;
+}): Promise<string>;

package/dist/github/github-owner-token.js

@@ -0,0 +1,20 @@
+import { getGithubInstallationToken } from "./github-app-token";
+import { getCachedOrFetch, wrapResult } from "@vizamodo/edge-cache-core";
+export async function getTokenForRepo(params) {
+    const { repo, installationId, appPrivateKey, appId, forceRefresh } = params;
+    const [owner] = repo.split("/");
+    if (!owner) {
+        throw new Error(`invalid_repo_format: ${repo}`);
+    }
+    const key = `gh-token:${owner}`;
+    const token = await getCachedOrFetch(key, async () => {
+        const { token, expiresAt } = await getGithubInstallationToken(installationId, appPrivateKey, appId);
+        // use wrapResult pattern to let cache derive TTL from expiresAt
+        return wrapResult(token, expiresAt);
+    }, {
+        ttlSec: 60,
+        ...(forceRefresh !== undefined ? { forceRefresh } : {})
+    } // allow caller-controlled retry
+    );
+    return token;
+}

package/dist/github/list-workflow-runs.d.ts

@@ -0,0 +1,9 @@
+import type { RunSummary } from "../types/github";
+export declare function listWorkflowRuns(params: {
+    token: string;
+    repo: string;
+    workflow: string;
+    limit?: number;
+    baseUrl?: string;
+    fetchFn?: typeof fetch;
+}): Promise<RunSummary[]>;

package/dist/github/list-workflow-runs.js

@@ -0,0 +1,36 @@
+export async function listWorkflowRuns(params) {
+    const { token, repo, workflow, limit: inputLimit = 20, baseUrl = "https://api.github.com", fetchFn = fetch } = params;
+    let limit = inputLimit;
+    if (!limit || limit <= 0)
+        limit = 20;
+    if (limit > 100)
+        limit = 100;
+    const res = await fetchFn(`${baseUrl}/repos/${repo}/actions/workflows/${workflow}/runs?per_page=${limit}`, {
+        headers: {
+            Authorization: `Bearer ${token}`,
+            Accept: "application/vnd.github+json",
+            "User-Agent": "viza-command-hub",
+        },
+    });
+    if (!res.ok) {
+        throw new Error(`GitHub API error: ${await res.text()}`);
+    }
+    const json = (await res.json());
+    return json.workflow_runs.map((r) => ({
+        id: r.id,
+        status: r.status,
+        conclusion: r.conclusion ?? null,
+        actor: r.actor?.login ?? "unknown",
+        attempt: r.run_attempt ?? 1,
+        createdAt: r.created_at,
+        updatedAt: r.updated_at,
+        ...(r.head_commit?.committer
+            ? {
+                committer: {
+                    name: r.head_commit.committer.name,
+                    email: r.head_commit.committer.email,
+                },
+            }
+            : {}),
+    }));
+}

package/dist/github/put-secret.d.ts

@@ -0,0 +1,8 @@
+export declare function base64ToBytes(b64: string): Uint8Array;
+export declare function bytesToBase64(bytes: Uint8Array): string;
+export declare function encryptSecret(recipientPub: Uint8Array, secret: string): string;
+export declare function getPublicKey(repo: string, environment: string, headers: Record<string, string>): Promise<{
+    key_id: string;
+    key: string;
+}>;
+export declare function putSecret(repo: string, environment: string, name: string, encryptedValue: string, keyId: string, headers: Record<string, string>): Promise<void>;

package/dist/github/put-secret.js

@@ -0,0 +1,45 @@
+import sealedbox from "tweetnacl-sealedbox-js";
+import { repoUrl } from "./github-env";
+// ─────────────────────────────────────────────
+// Crypto
+// ─────────────────────────────────────────────
+export function base64ToBytes(b64) {
+    const bin = atob(b64);
+    const bytes = new Uint8Array(bin.length);
+    for (let i = 0; i < bin.length; i++)
+        bytes[i] = bin.charCodeAt(i);
+    return bytes;
+}
+export function bytesToBase64(bytes) {
+    const chunk = 0x8000;
+    const parts = [];
+    for (let i = 0; i < bytes.length; i += chunk) {
+        parts.push(String.fromCharCode(...bytes.subarray(i, i + chunk)));
+    }
+    return btoa(parts.join(""));
+}
+export function encryptSecret(recipientPub, secret) {
+    const messageBytes = new TextEncoder().encode(secret);
+    const sealed = sealedbox.seal(messageBytes, recipientPub);
+    return bytesToBase64(sealed);
+}
+// ─────────────────────────────────────────────
+// GitHub API
+// ─────────────────────────────────────────────
+export async function getPublicKey(repo, environment, headers) {
+    const res = await fetch(`${repoUrl(repo, environment)}/secrets/public-key`, { headers });
+    if (!res.ok) {
+        throw new Error(`Failed to get public key for ${environment}: ${await res.text()}`);
+    }
+    return res.json();
+}
+export async function putSecret(repo, environment, name, encryptedValue, keyId, headers) {
+    const res = await fetch(`${repoUrl(repo, environment)}/secrets/${name}`, {
+        method: "PUT",
+        headers,
+        body: JSON.stringify({ encrypted_value: encryptedValue, key_id: keyId }),
+    });
+    if (!res.ok && res.status !== 204) {
+        throw new Error(`Failed to put secret ${name}: ${await res.text()}`);
+    }
+}

package/dist/github/put-var.d.ts

@@ -0,0 +1 @@
+export declare function putVar(repo: string, environment: string, name: string, value: string, headers: Record<string, string>): Promise<void>;

package/dist/github/put-var.js

@@ -0,0 +1,27 @@
+// ─────────────────────────────────────────────
+// GitHub API
+// ─────────────────────────────────────────────
+import { repoUrl } from "./github-env";
+export async function putVar(repo, environment, name, value, headers) {
+    const baseUrl = `${repoUrl(repo, environment)}/variables`;
+    // PATCH nếu đã tồn tại, POST nếu chưa có
+    const patchRes = await fetch(`${baseUrl}/${name}`, {
+        method: "PATCH",
+        headers,
+        body: JSON.stringify({ name, value }),
+    });
+    if (patchRes.ok || patchRes.status === 204)
+        return;
+    if (patchRes.status === 404) {
+        const postRes = await fetch(baseUrl, {
+            method: "POST",
+            headers,
+            body: JSON.stringify({ name, value }),
+        });
+        if (!postRes.ok) {
+            throw new Error(`Failed to put variable ${name}: ${await postRes.text()}`);
+        }
+        return;
+    }
+    throw new Error(`Failed to put variable ${name}: ${await patchRes.text()}`);
+}

package/dist/index.d.ts

@@ -0,0 +1,15 @@
+/****
+ * Root export for runtime primitives
+ * Organized by domain to keep imports explicit and tree-shake friendly
+ */
+export * from "./aws/console-login";
+export * from "./aws/load-backup-from-ssm";
+export * from "./crypto/age";
+export * from "./github/github-app-token";
+export * from "./github/github-owner-token";
+export * from "./github/list-workflow-runs";
+export * from "./github/put-secret";
+export * from "./github/put-var";
+export * from "./github/github-headers";
+export * from "./runtime/retry-once";
+export * from "./types/github";

package/dist/index.js

@@ -0,0 +1,20 @@
+/****
+ * Root export for runtime primitives
+ * Organized by domain to keep imports explicit and tree-shake friendly
+ */
+// AWS
+export * from "./aws/console-login";
+export * from "./aws/load-backup-from-ssm";
+// Crypto
+export * from "./crypto/age";
+// GitHub
+export * from "./github/github-app-token";
+export * from "./github/github-owner-token";
+export * from "./github/list-workflow-runs";
+export * from "./github/put-secret";
+export * from "./github/put-var";
+export * from "./github/github-headers";
+// Runtime
+export * from "./runtime/retry-once";
+// Types
+export * from "./types/github";

package/dist/runtime/retry-once.d.ts

@@ -0,0 +1,20 @@
+type RetryOptions = {
+    shouldRetry?: (err: unknown) => boolean;
+    onRetry?: (err: unknown) => void;
+};
+type RetryCtx = {
+    forceRefresh?: boolean;
+};
+/**
+ * retryOnce
+ *
+ * - First attempt: normal execution (cache allowed)
+ * - Second attempt: forceRefresh = true (bypass cache)
+ *
+ * This ensures:
+ *   - cache remains best-effort
+ *   - failures are recoverable
+ *   - no infinite retry loop
+ */
+export declare function retryOnce<T>(fn: (ctx: RetryCtx) => Promise<T>, options?: RetryOptions): Promise<T>;
+export {};

package/dist/runtime/retry-once.js

@@ -0,0 +1,25 @@
+/**
+ * retryOnce
+ *
+ * - First attempt: normal execution (cache allowed)
+ * - Second attempt: forceRefresh = true (bypass cache)
+ *
+ * This ensures:
+ *   - cache remains best-effort
+ *   - failures are recoverable
+ *   - no infinite retry loop
+ */
+export async function retryOnce(fn, options) {
+    try {
+        return await fn({ forceRefresh: false });
+    }
+    catch (err) {
+        if (options?.shouldRetry && !options.shouldRetry(err)) {
+            throw err;
+        }
+        if (options?.onRetry) {
+            options.onRetry(err);
+        }
+        return await fn({ forceRefresh: true });
+    }
+}

package/dist/types/github.d.ts

@@ -0,0 +1,13 @@
+export type RunSummary = {
+    id: number;
+    status: "queued" | "in_progress" | "completed";
+    conclusion: string | null;
+    actor: string;
+    attempt: number;
+    createdAt: string;
+    updatedAt: string;
+    committer?: {
+        name: string;
+        email: string;
+    };
+};

package/dist/types/github.js

@@ -0,0 +1 @@
+export {};

package/package.json

@@ -0,0 +1,41 @@
+{
+  "name": "@vizamodo/pkg-runtime-primitives",
+  "version": "1.0.99",
+  "description": "Edge-compatible runtime primitives for AWS, GitHub, crypto, and caching used across Viza services",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf dist",
+    "test": "vitest run",
+    "prepublishOnly": "npm run clean && npm run build",
+    "release:prod": "rm -rf dist && npx npm-check-updates -u && npm install && git add package.json package-lock.json && git commit -m 'chore(deps): auto update dependencies before release' || echo 'No changes' && node versioning.js && npm publish --tag latest --access public && git push",
+    "release:full": "rm -rf dist && npx npm-check-updates -u && npm install && git add package.json package-lock.json && git commit -m 'chore(deps): auto update dependencies before release' || echo 'No changes' && node versioning.js && npm login && npm publish --tag latest --access public && git push"
+  },
+  "dependencies": {
+    "@vizamodo/aws-sts-core": "^0.4.36",
+    "@vizamodo/edge-cache-core": "^0.3.41",
+    "age-encryption": "^0.3.0",
+    "tweetnacl-sealedbox-js": "^1.2.0"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.0",
+    "typescript": "^6.0.2"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  },
+  "author": "Viza Team",
+  "license": "MIT"
+}