npm - @wildo-ai/platform-config-lib - Versions diffs - 1.0.1 - Mend

@wildo-ai/platform-config-lib 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (230) hide show

package/src/project-config/sharing-policy-validation.ts ADDED Viewed

@@ -0,0 +1,159 @@
+import type { WildoSaasConfig } from './define-saas-config';
+import type { WildoSharingPolicy } from './define-sharing-policy';
+/**
+ * Severity levels for sharing policy validation findings.
+ */
+export enum SharingPolicyValidationSeverity {
+  ERROR = 'ERROR',
+  WARNING = 'WARNING',
+  INFO = 'INFO',
+}
+export interface SharingPolicyValidationFinding {
+  severity: SharingPolicyValidationSeverity;
+  code: string;
+  message: string;
+  providerRef?: string;
+}
+/**
+ * Extract all provider refs declared in a SaaS config's capabilities.
+ * Returns a deduplicated set of provider reference strings.
+ */
+export function extractCapabilityProviders(saasConfig: WildoSaasConfig): Set<string> {
+  const providers = new Set<string>();
+  if (!saasConfig.capabilities) return providers;
+  for (const binding of Object.values(saasConfig.capabilities)) {
+    if (!binding || !binding.enabled) continue;
+    if (binding.provider) providers.add(binding.provider);
+    if (binding.providers) {
+      for (const p of binding.providers) providers.add(p);
+    }
+  }
+  return providers;
+}
+/**
+ * Extract all provider refs declared in a sharing policy's secrets.providers section.
+ * Returns the defaults array merged with all perApp include arrays (deduplicated).
+ */
+export function extractSharingPolicyProviders(sharingPolicy: WildoSharingPolicy): Set<string> {
+  const providers = new Set<string>();
+  const providerRule = sharingPolicy.secrets?.['providers'];
+  if (!providerRule) return providers;
+  const rule = providerRule as { defaults?: string[]; perApp?: Record<string, { include?: string[]; exclude?: string[] }> };
+  if (rule.defaults) {
+    for (const p of rule.defaults) providers.add(p);
+  }
+  if (rule.perApp) {
+    for (const appRule of Object.values(rule.perApp)) {
+      if (appRule.include) {
+        for (const p of appRule.include) providers.add(p);
+      }
+    }
+  }
+  return providers;
+}
+/**
+ * Cross-validate a sharing policy against a SaaS config's capabilities.
+ * Checks that all providers declared in capabilities are covered by the sharing policy,
+ * and reports providers in the sharing policy that aren't used by any capability.
+ *
+ * @param saasConfig - The loaded SaaS application config
+ * @param sharingPolicy - The loaded per-env sharing policy
+ * @param knownProviderRefs - Optional set of valid provider refs (e.g., from AllProviders_Map).
+ *   If provided, validates that all referenced providers actually exist in the catalog.
+ * @param availableSecretProviderRefs - Optional set of provider refs that have secrets
+ *   configured in secrets.json. If provided, warns about missing secrets.
+ */
+export function validateSharingPolicy(
+  saasConfig: WildoSaasConfig,
+  sharingPolicy: WildoSharingPolicy,
+  knownProviderRefs?: Set<string>,
+  availableSecretProviderRefs?: Set<string>,
+): SharingPolicyValidationFinding[] {
+  const findings: SharingPolicyValidationFinding[] = [];
+  const capabilityProviders = extractCapabilityProviders(saasConfig);
+  const sharingPolicyProviders = extractSharingPolicyProviders(sharingPolicy);
+  for (const providerRef of capabilityProviders) {
+    if (!sharingPolicyProviders.has(providerRef)) {
+      findings.push({
+        severity: SharingPolicyValidationSeverity.ERROR,
+        code: 'CAPABILITY_PROVIDER_NOT_IN_SHARING_POLICY',
+        message: `Provider "${providerRef}" is declared in capabilities but not covered by the sharing policy`,
+        providerRef,
+      });
+    }
+  }
+  for (const providerRef of sharingPolicyProviders) {
+    if (!capabilityProviders.has(providerRef)) {
+      findings.push({
+        severity: SharingPolicyValidationSeverity.WARNING,
+        code: 'SHARING_POLICY_PROVIDER_NOT_IN_CAPABILITIES',
+        message: `Provider "${providerRef}" is in the sharing policy but not used by any capability`,
+        providerRef,
+      });
+    }
+  }
+  if (knownProviderRefs) {
+    const allReferencedProviders = new Set([...capabilityProviders, ...sharingPolicyProviders]);
+    for (const providerRef of allReferencedProviders) {
+      if (!knownProviderRefs.has(providerRef)) {
+        findings.push({
+          severity: SharingPolicyValidationSeverity.ERROR,
+          code: 'UNKNOWN_PROVIDER_REF',
+          message: `Provider "${providerRef}" is not in the external-connectors catalog (AllProviders_Map)`,
+          providerRef,
+        });
+      }
+    }
+  }
+  if (availableSecretProviderRefs) {
+    for (const providerRef of sharingPolicyProviders) {
+      if (!availableSecretProviderRefs.has(providerRef)) {
+        findings.push({
+          severity: SharingPolicyValidationSeverity.WARNING,
+          code: 'PROVIDER_SECRET_MISSING',
+          message: `Provider "${providerRef}" is declared in the sharing policy but has no API key in secrets.json`,
+          providerRef,
+        });
+      }
+    }
+  }
+  // Validate that servicesRestrictions providers are subsets of the parent capability providers
+  if (saasConfig.capabilities) {
+    for (const [capKey, binding] of Object.entries(saasConfig.capabilities)) {
+      if (!binding?.enabled || !binding.servicesRestrictions) continue;
+      const parentProviders = new Set<string>();
+      if (binding.provider) parentProviders.add(binding.provider);
+      if (binding.providers) {
+        for (const p of binding.providers) parentProviders.add(p);
+      }
+      for (const [serviceName, restrictedProviders] of Object.entries(binding.servicesRestrictions)) {
+        for (const rp of restrictedProviders) {
+          if (!parentProviders.has(rp)) {
+            findings.push({
+              severity: SharingPolicyValidationSeverity.INFO,
+              code: 'SERVICE_RESTRICTION_NOT_IN_PARENT',
+              message: `servicesRestrictions for "${serviceName}" in capability "${capKey}" references provider "${rp}" which is not in the parent providers list`,
+              providerRef: rp,
+            });
+          }
+        }
+      }
+    }
+  }
+  return findings;
+}

package/src/release/framework-release.constants.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export const FRAMEWORK_RELEASE_NPM_SCOPE = '@wildo-ai';
2	+ export const FRAMEWORK_RELEASE_DOCKER_NAMESPACE = 'wildoai';

package/src/schemas/__tests__/platform-config.schemas.test.ts ADDED Viewed

@@ -0,0 +1,90 @@
+import 'reflect-metadata';
+import '@wildo-ai/zod-decorators';
+import { describe, expect, it } from 'vitest';
+import {
+  AppsManagerConfig_Schema,
+  AppsManagerSecrets_Schema,
+} from '../platform-config.schemas';
+describe('AppsManagerConfig_Schema', () => {
+  it('extends the platform application config with runtime platform service URLs', () => {
+    const parsed = AppsManagerConfig_Schema.parse({
+      platformApplicationId: 'app-123',
+      jwtPublicKeys: {
+        primary: 'public-key',
+      },
+      customConfig: {
+        featureFlag: true,
+      },
+      platformServices: {
+        appsManager: 'https://apps-manager.wildo.ai',
+        fileGenerator: 'https://file-generator.wildo.ai',
+        crontabsBatchesManager: 'https://crontabs-manager.wildo.ai',
+      },
+    });
+    expect(parsed.platformApplicationId).toBe('app-123');
+    expect(parsed.jwtPublicKeys.primary).toBe('public-key');
+    expect(parsed.platformServices.fileGenerator).toBe('https://file-generator.wildo.ai');
+  });
+  it('requires the managed platform service URL set', () => {
+    const result = AppsManagerConfig_Schema.safeParse({
+      platformApplicationId: 'app-123',
+      jwtPublicKeys: {
+        primary: 'public-key',
+      },
+      platformServices: {
+        appsManager: 'https://apps-manager.wildo.ai',
+        crontabsBatchesManager: 'https://crontabs-manager.wildo.ai',
+      },
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.issues.some((issue) => issue.path.join('.') === 'platformServices.fileGenerator')).toBe(true);
+  });
+});
+describe('AppsManagerSecrets_Schema', () => {
+  it('requires a mongo connection URL while keeping Atlas credentials optional', () => {
+    const parsed = AppsManagerSecrets_Schema.parse({
+      platformApplicationId: 'app-123',
+      jwt: {
+        privateKey: {
+          primary: 'private-key',
+        },
+      },
+      mongo: {
+        connectUrl: 'https://mongo.example.com',
+      },
+    });
+    expect(parsed.mongo.connectUrl).toBe('https://mongo.example.com');
+    expect(parsed.mongo.atlas).toBeUndefined();
+  });
+  it('rejects empty Atlas credentials when Atlas config is provided', () => {
+    const result = AppsManagerSecrets_Schema.safeParse({
+      platformApplicationId: 'app-123',
+      jwt: {
+        privateKey: {
+          primary: 'private-key',
+        },
+      },
+      mongo: {
+        connectUrl: 'https://mongo.example.com',
+        atlas: {
+          publicKey: '',
+          privateKey: '',
+        },
+      },
+    });
+    expect(result.success).toBe(false);
+    expect(result.error?.issues.some((issue) => issue.path.join('.') === 'mongo.atlas.publicKey')).toBe(true);
+    expect(result.error?.issues.some((issue) => issue.path.join('.') === 'mongo.atlas.privateKey')).toBe(true);
+  });
+});

package/src/schemas/framework-info.schemas.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { z } from 'zod';
+const SemverSchema = z.string().regex(
+  /^\d+\.\d+\.\d+$/,
+  'must be a simple semver string in the form x.y.z',
+);
+export const WildoFrameworkInfoSchema = z.object({
+  name: z.string().min(1).default('wildo-ai'),
+  version: SemverSchema,
+  minCliVersion: SemverSchema,
+});
+export type WildoFrameworkInfo = z.infer<typeof WildoFrameworkInfoSchema>;

package/src/schemas/framework-secrets.schemas.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import { z } from 'zod';
+export const WildoFrameworkPublishNpmSecretsSchema = z.object({
+  publishToken: z.string().min(1),
+});
+export type WildoFrameworkPublishNpmSecrets = z.infer<typeof WildoFrameworkPublishNpmSecretsSchema>;
+export const WildoFrameworkPublishDockerSecretsSchema = z.object({
+  publishUsername: z.string().min(1).optional(),
+  publishToken: z.string().min(1),
+});
+export type WildoFrameworkPublishDockerSecrets = z.infer<typeof WildoFrameworkPublishDockerSecretsSchema>;
+export const WildoFrameworkSecretsSchema = z.object({
+  providers: z.record(z.string(), z.string().min(1)).optional().default({}),
+  docker: WildoFrameworkPublishDockerSecretsSchema.optional(),
+  npm: WildoFrameworkPublishNpmSecretsSchema.optional(),
+});
+export type WildoFrameworkSecrets = z.infer<typeof WildoFrameworkSecretsSchema>;

package/src/schemas/platform-application-config.schemas.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import { z } from 'zod';
+/**
+ * Platform Application Config Schema
+ *
+ * Stored in MongoDB, fetched by platform services via
+ * GET /platform-services-to-manager/config-secrets.
+ *
+ * After T4, platform service URLs and infrastructure addresses are sourced from
+ * each service's env vars (generated by CLI). This schema only contains data
+ * that apps-manager manages dynamically:
+ * - jwtPublicKeys: rotatable public keys for inter-service JWT verification
+ * - customConfig: service-specific key-value configuration
+ */
+export const Platform_Application_Config_Schema = z.object({
+  platformApplicationId: z.string().isDBIndexed().isForeignKey().isSummaryField().excludeFromUpdate(),
+  jwtPublicKeys: z.record(z.string(), z.string().min(1)),
+  customConfig: z.record(z.string(), z.unknown()).optional(),
+});
+export type Platform_Application_Config = z.infer<typeof Platform_Application_Config_Schema>;

package/src/schemas/platform-application-secrets.schemas.ts ADDED Viewed

@@ -0,0 +1,78 @@
+import { z } from 'zod';
+/**
+ * Platform Application Secrets Schema
+ *
+ * This schema defines all secrets for platform microservices.
+ * These secrets are stored in MongoDB and fetched by platform services via the
+ * GET /platform-services-to-manager/config-secrets endpoint.
+ *
+ * Structure:
+ * - primarySecret: The primary authentication secret for the service
+ * - jwt: Private/public keys for JWT signing/verification
+ * - redis: Redis ACL credentials
+ * - rabbitmq: RabbitMQ user credentials
+ * - mongo: MongoDB connection credentials (optional, for services that need direct DB access)
+ * - storage: S3/MinIO credentials (optional, for services that need storage access)
+ */
+export const Platform_Application_Secrets_Schema = z.object({
+  platformApplicationId: z.string().isDBIndexed().isForeignKey().isSummaryField().excludeFromUpdate(),
+  // Primary authentication secret for inter-service auth
+  primarySecret: z.string().min(1).optional(),
+  // JWT private/public keys for signing/verification
+  jwt: z.object({
+    privateKey: z.record(z.string(), z.string().min(1).optional()),
+    publicKey: z.record(z.string(), z.string().min(1).optional()).optional(),
+  }),
+  // Redis ACL credentials
+  redis: z.object({
+    username: z.string().min(1),
+    password: z.string().min(1),
+  }).optional(),
+  // RabbitMQ user credentials
+  rabbitmq: z.object({
+    username: z.string().min(1),
+    password: z.string().min(1),
+    vhost: z.string().default('/'),
+  }).optional(),
+  // MongoDB credentials (for services that need direct DB access)
+  mongo: z.object({
+    username: z.string().min(1).optional(),
+    password: z.string().min(1).optional(),
+    databaseName: z.string().min(1).optional(),
+    // Full connection URL (alternative to username/password)
+    connectUrl: z.string().min(1).optional(),
+  }).optional(),
+  // PostgreSQL credentials (for services that need PostgreSQL access)
+  postgresql: z.object({
+    /** PostgreSQL host */
+    host: z.string().min(1).optional(),
+    /** PostgreSQL port (default: 5432) */
+    port: z.number().int().default(5432),
+    /** Database username */
+    username: z.string().min(1).optional(),
+    /** Database password */
+    password: z.string().min(1).optional(),
+    /** Database name */
+    databaseName: z.string().min(1).optional(),
+    /** Full connection URL (alternative to individual fields) */
+    connectUrl: z.string().min(1).optional(),
+  }).optional(),
+  // S3/MinIO storage credentials (for services that need storage access)
+  storage: z.object({
+    accessKey: z.string().min(1),
+    secretKey: z.string().min(1),
+    bucket: z.string().min(1).optional(),
+  }).optional(),
+});
+export type Platform_Application_Secrets = z.infer<typeof Platform_Application_Secrets_Schema>;

package/src/schemas/platform-config.schemas.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import { z } from "zod";
+import { Platform_Application_Config_Schema } from "./platform-application-config.schemas";
+import { Platform_Application_Secrets_Schema } from "./platform-application-secrets.schemas";
+export const AppsManagerStaticConfigurationSchema = z.object({
+  githubActionMetaUrl: z.url().optional(),
+});
+export type AppsManagerStaticConfig = z.infer<typeof AppsManagerStaticConfigurationSchema>;
+/**
+ * Apps-manager runtime config: base Platform_Application_Config + platformServices from env.
+ * Apps-manager is the only service that stores/manages jwtPublicKeys in MongoDB;
+ * all other platform services get them via the fetch endpoint.
+ */
+export const AppsManagerConfig_Schema = Platform_Application_Config_Schema.extend({
+  platformServices: z.object({
+    appsManager: z.url(),
+    fileGenerator: z.url(),
+    crontabsBatchesManager: z.url(),
+  }),
+});
+export const AppsManagerSecrets_Schema = Platform_Application_Secrets_Schema.extend({
+  mongo: z.object({
+    atlas: z.object({
+      publicKey: z.string().min(1),
+      privateKey: z.string().min(1),
+    }).optional(),
+    connectUrl: z.url(),
+  })
+});
+export type AppsManagerConfig = z.infer<typeof AppsManagerConfig_Schema>;
+export type AppsManagerSecrets = z.infer<typeof AppsManagerSecrets_Schema>;
+export type AppsManagerAtlasRuntimeConfig = {
+  baseUrl: string;
+  projectId: string;
+  publicKey: string;
+  privateKey: string;
+};

package/src/workspace-scope/index.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export * from './workspace-scope.schemas';
2	+ export * from './workspace-scope-detector';

package/src/workspace-scope/workspace-scope-detector.ts ADDED Viewed

@@ -0,0 +1,98 @@
+import { existsSync, statSync } from 'fs';
+import { join, resolve } from 'path';
+import {
+  WorkspaceScope,
+  WORKSPACE_CONFIG_NAMES,
+  resolveGlobalPreferencesPath,
+} from './workspace-scope.schemas';
+import type { WorkspaceScopeResult } from './workspace-scope.schemas';
+const MAX_WALK_UP_LEVELS = 20;
+/**
+ * Resolves the workspace scope from a given working directory.
+ *
+ * Performs a single upward traversal from `cwd`, checking for config file
+ * anchors at each directory level. All found anchors are recorded — the
+ * most specific one determines the final scope.
+ *
+ * After the walk-up, checks for `~/.wildo` to determine global context.
+ *
+ * @param cwd - Starting directory (defaults to `process.cwd()`)
+ * @returns Fully resolved scope result with all discovered paths
+ */
+export function resolveWorkspaceScope(cwd: string = process.cwd()): WorkspaceScopeResult {
+  const result: WorkspaceScopeResult = {
+    scope: WorkspaceScope.UNINITIALIZED,
+    saasConfigPath: null,
+    saasRoot: null,
+    projectConfigPath: null,
+    projectRoot: null,
+    frameworkRoot: null,
+    globalPreferencesPath: null,
+  };
+  let dir = resolve(cwd);
+  for (let i = 0; i < MAX_WALK_UP_LEVELS; i++) {
+    if (!result.saasConfigPath) {
+      const saasCandidate = join(dir, WORKSPACE_CONFIG_NAMES.SAAS);
+      if (existsSync(saasCandidate)) {
+        result.saasConfigPath = saasCandidate;
+        result.saasRoot = dir;
+      }
+    }
+    if (!result.projectConfigPath) {
+      const projectCandidate = join(dir, WORKSPACE_CONFIG_NAMES.PROJECT);
+      if (existsSync(projectCandidate)) {
+        result.projectConfigPath = projectCandidate;
+        result.projectRoot = dir;
+      }
+    }
+    if (!result.frameworkRoot) {
+      const frameworkCandidate = join(dir, WORKSPACE_CONFIG_NAMES.FRAMEWORK_DIR);
+      if (existsSync(frameworkCandidate) && isDirectory(frameworkCandidate)) {
+        result.frameworkRoot = dir;
+      }
+    }
+    if (result.saasConfigPath && result.projectConfigPath && result.frameworkRoot) {
+      break;
+    }
+    const parent = resolve(dir, '..');
+    if (parent === dir) break;
+    dir = parent;
+  }
+  const globalPreferencesPath = resolveGlobalPreferencesPath();
+  if (existsSync(globalPreferencesPath)) {
+    result.globalPreferencesPath = globalPreferencesPath;
+  }
+  result.scope = computeScope(result);
+  return result;
+}
+/**
+ * Determines the most specific scope from the resolved anchors.
+ * Order: SAAS_APP > PROJECT > FRAMEWORK > GLOBAL > UNINITIALIZED
+ */
+function computeScope(result: WorkspaceScopeResult): WorkspaceScope {
+  if (result.saasConfigPath) return WorkspaceScope.SAAS_APP;
+  if (result.projectConfigPath) return WorkspaceScope.PROJECT;
+  if (result.frameworkRoot) return WorkspaceScope.FRAMEWORK;
+  if (result.globalPreferencesPath) return WorkspaceScope.GLOBAL;
+  return WorkspaceScope.UNINITIALIZED;
+}
+function isDirectory(path: string): boolean {
+  try {
+    return statSync(path).isDirectory();
+  } catch {
+    return false;
+  }
+}