devops-whc 1.0.1

package/dist/schemas/whc-deploy.js

@@ -0,0 +1,66 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildDefaultWhcDeployPayload = buildDefaultWhcDeployPayload;
+exports.validateWhcDeployRequest = validateWhcDeployRequest;
+const zod_1 = require("zod");
+const whc_setup_remote_1 = require("./whc-setup-remote");
+const payloadSchema = zod_1.z.object({
+    workflow_mode: zod_1.z.enum(["managed_clone_sync", "git_controlled"]),
+    target_environment: zod_1.z.enum(["live", "staging"]),
+    release_intent: zod_1.z.enum(["refresh", "deploy", "promote", "migrate", "recover"]),
+    pipeline_id: zod_1.z.enum(["P0", "P1", "P2", "P2R", "P3", "P3D", "P4", "P5"]),
+    source_profile: whc_setup_remote_1.sourceProfileSchema,
+    // managed_clone_sync fields
+    direction: zod_1.z.enum(["live_to_staging", "staging_to_live"]).optional(),
+    sync_scope: zod_1.z.enum(["files", "database", "everything"]).optional(),
+    // git_controlled fields
+    repository_root: zod_1.z.string().min(1).optional(),
+    branch: zod_1.z.string().min(1).optional(),
+    rollback_branch: zod_1.z.string().min(1).optional(),
+    // hardening and recovery controls
+    backup_reference: zod_1.z.string().min(1).optional(),
+    allow_emergency_without_backup: zod_1.z.boolean().optional(),
+    verify_after_deploy: zod_1.z.boolean().optional(),
+    auto_rollback_on_verify_failure: zod_1.z.boolean().optional(),
+    lock_key: zod_1.z.string().min(1).optional(),
+});
+const requestSchema = zod_1.z.object({
+    request_id: zod_1.z.string().min(1),
+    actor: zod_1.z.object({
+        kind: zod_1.z.literal("copilot"),
+        user_hint: zod_1.z.string().min(1).optional(),
+    }),
+    dry_run: zod_1.z.boolean().optional(),
+    confirmed: zod_1.z.boolean().optional(),
+    idempotency_key: zod_1.z.string().min(1),
+    payload: payloadSchema,
+});
+function buildDefaultWhcDeployPayload(config) {
+    const releaseIntent = config.sourceProfile.defaultReleaseIntent;
+    const sourceProfile = {
+        local_project_root: config.sourceProfile.localProjectRoot,
+        local_app_path: config.sourceProfile.localAppPath,
+        source_kind: config.sourceProfile.sourceKind,
+        deploy_unit: config.sourceProfile.deployUnit,
+        build_command: config.sourceProfile.buildCommand,
+        build_artifact_path: config.sourceProfile.buildArtifactPath,
+    };
+    const pipelineId = "P3";
+    return {
+        workflow_mode: config.workflowMode,
+        target_environment: "live",
+        release_intent: releaseIntent,
+        pipeline_id: pipelineId,
+        source_profile: sourceProfile,
+        direction: "staging_to_live",
+        sync_scope: "files",
+    };
+}
+function validateWhcDeployRequest(input) {
+    const parsed = requestSchema.safeParse(input);
+    if (!parsed.success) {
+        const issues = parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+        throw new Error(`VALIDATION_ERROR: ${issues}`);
+    }
+    return parsed.data;
+}

package/dist/schemas/whc-get-logs.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateWhcGetLogsRequest = validateWhcGetLogsRequest;
+const zod_1 = require("zod");
+const payloadSchema = zod_1.z.object({
+    target_environment: zod_1.z.enum(["live", "staging"]),
+    log_type: zod_1.z.enum(["apache_error", "apache_access", "cron", "php_error"]).default("apache_error"),
+    lines: zod_1.z.number().int().min(1).max(500).default(50),
+});
+const requestSchema = zod_1.z.object({
+    request_id: zod_1.z.string().min(1),
+    actor: zod_1.z.object({
+        kind: zod_1.z.literal("copilot"),
+        user_hint: zod_1.z.string().min(1).optional(),
+    }),
+    payload: payloadSchema,
+});
+function validateWhcGetLogsRequest(input) {
+    const parsed = requestSchema.safeParse(input);
+    if (!parsed.success) {
+        const issues = parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+        throw new Error(`VALIDATION_ERROR: ${issues}`);
+    }
+    return parsed.data;
+}

package/dist/schemas/whc-pipeline-status.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateWhcPipelineStatusRequest = validateWhcPipelineStatusRequest;
+const zod_1 = require("zod");
+const payloadSchema = zod_1.z.object({
+    workspace_root: zod_1.z.string().min(1).optional(),
+    request_id: zod_1.z.string().min(1).optional(),
+});
+const requestSchema = zod_1.z.object({
+    request_id: zod_1.z.string().min(1),
+    actor: zod_1.z.object({
+        kind: zod_1.z.literal("copilot"),
+        user_hint: zod_1.z.string().min(1).optional(),
+    }),
+    payload: payloadSchema.default({}),
+});
+function validateWhcPipelineStatusRequest(input) {
+    const parsed = requestSchema.safeParse(input);
+    if (!parsed.success) {
+        const issues = parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+        throw new Error(`VALIDATION_ERROR: ${issues}`);
+    }
+    return parsed.data;
+}

package/dist/schemas/whc-prepare.js

@@ -0,0 +1,29 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateWhcPrepareRequest = validateWhcPrepareRequest;
+const zod_1 = require("zod");
+const payloadSchema = zod_1.z.object({
+    workspace_root: zod_1.z.string().min(1).optional(),
+    target_environment: zod_1.z.enum(["live", "staging"]).optional(),
+    ensure_gitignore_rule: zod_1.z.boolean().default(true),
+    force_reinitialize: zod_1.z.boolean().default(false),
+});
+const requestSchema = zod_1.z.object({
+    request_id: zod_1.z.string().min(1),
+    actor: zod_1.z.object({
+        kind: zod_1.z.literal("copilot"),
+        user_hint: zod_1.z.string().min(1).optional(),
+    }),
+    dry_run: zod_1.z.boolean().optional(),
+    confirmed: zod_1.z.boolean().optional(),
+    idempotency_key: zod_1.z.string().min(1),
+    payload: payloadSchema,
+});
+function validateWhcPrepareRequest(input) {
+    const parsed = requestSchema.safeParse(input);
+    if (!parsed.success) {
+        const issues = parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+        throw new Error(`VALIDATION_ERROR: ${issues}`);
+    }
+    return parsed.data;
+}

package/dist/schemas/whc-rollback.js

@@ -0,0 +1,58 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateWhcRollbackRequest = validateWhcRollbackRequest;
+const zod_1 = require("zod");
+const payloadSchema = zod_1.z
+    .object({
+    target_environment: zod_1.z.enum(["live", "staging"]),
+    rollback_mode: zod_1.z.enum(["git_branch", "db_backup", "managed_sync_reverse"]),
+    rollback_branch: zod_1.z.string().min(1).optional(),
+    backup_reference: zod_1.z.string().min(1).optional(),
+    direction: zod_1.z.enum(["live_to_staging", "staging_to_live"]).optional(),
+    reason: zod_1.z.string().min(1),
+    verify_release_id: zod_1.z.string().min(1).optional(),
+    verify_report_path: zod_1.z.string().min(1).optional(),
+    repository_root: zod_1.z.string().min(1).optional(),
+})
+    .superRefine((payload, ctx) => {
+    if (payload.rollback_mode === "git_branch" && !payload.rollback_branch) {
+        ctx.addIssue({
+            code: zod_1.z.ZodIssueCode.custom,
+            path: ["rollback_branch"],
+            message: "rollback_branch is required for rollback_mode=git_branch",
+        });
+    }
+    if (payload.rollback_mode === "db_backup" && !payload.backup_reference) {
+        ctx.addIssue({
+            code: zod_1.z.ZodIssueCode.custom,
+            path: ["backup_reference"],
+            message: "backup_reference is required for rollback_mode=db_backup",
+        });
+    }
+    if (payload.rollback_mode === "managed_sync_reverse" && !payload.direction) {
+        ctx.addIssue({
+            code: zod_1.z.ZodIssueCode.custom,
+            path: ["direction"],
+            message: "direction is required for rollback_mode=managed_sync_reverse",
+        });
+    }
+});
+const requestSchema = zod_1.z.object({
+    request_id: zod_1.z.string().min(1),
+    actor: zod_1.z.object({
+        kind: zod_1.z.literal("copilot"),
+        user_hint: zod_1.z.string().min(1).optional(),
+    }),
+    dry_run: zod_1.z.boolean().optional(),
+    confirmed: zod_1.z.boolean().optional(),
+    idempotency_key: zod_1.z.string().min(1),
+    payload: payloadSchema,
+});
+function validateWhcRollbackRequest(input) {
+    const parsed = requestSchema.safeParse(input);
+    if (!parsed.success) {
+        const issues = parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+        throw new Error(`VALIDATION_ERROR: ${issues}`);
+    }
+    return parsed.data;
+}

package/dist/schemas/whc-setup-remote.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sourceProfileSchema = void 0;
+exports.buildDefaultWhcSetupRemotePayload = buildDefaultWhcSetupRemotePayload;
+exports.validateWhcSetupRemoteRequest = validateWhcSetupRemoteRequest;
+const zod_1 = require("zod");
+exports.sourceProfileSchema = zod_1.z.object({
+    local_project_root: zod_1.z.string().min(1).optional(),
+    local_app_path: zod_1.z.string().min(1).optional(),
+    source_kind: zod_1.z.enum(["full_site", "partial_content", "package_only", "artifact_first", "monorepo_slice"]),
+    deploy_unit: zod_1.z.enum(["raw_source", "build_artifact", "package_bundle"]),
+    build_command: zod_1.z.string().min(1).optional(),
+    build_artifact_path: zod_1.z.string().min(1).optional(),
+});
+const payloadSchema = zod_1.z.object({
+    target_environment: zod_1.z.enum(["live", "staging"]),
+    release_intent: zod_1.z.enum(["refresh", "deploy", "promote", "migrate", "recover"]),
+    pipeline_id: zod_1.z.enum(["P0", "P1", "P2", "P2R", "P3", "P3D", "P4", "P5"]),
+    source_profile: exports.sourceProfileSchema,
+    deploy_target_path: zod_1.z.string().min(1),
+    clone_url: zod_1.z.string().url().optional(),
+});
+const requestSchema = zod_1.z.object({
+    request_id: zod_1.z.string().min(1),
+    actor: zod_1.z.object({
+        kind: zod_1.z.literal("copilot"),
+        user_hint: zod_1.z.string().min(1).optional(),
+    }),
+    dry_run: zod_1.z.boolean().optional(),
+    confirmed: zod_1.z.boolean().optional(),
+    idempotency_key: zod_1.z.string().min(1),
+    payload: payloadSchema,
+});
+function buildDefaultWhcSetupRemotePayload(config, deployTargetPath) {
+    const releaseIntent = config.sourceProfile.defaultReleaseIntent;
+    const sourceProfile = {
+        local_project_root: config.sourceProfile.localProjectRoot,
+        local_app_path: config.sourceProfile.localAppPath,
+        source_kind: config.sourceProfile.sourceKind,
+        deploy_unit: config.sourceProfile.deployUnit,
+        build_command: config.sourceProfile.buildCommand,
+        build_artifact_path: config.sourceProfile.buildArtifactPath,
+    };
+    const pipelineId = "P3";
+    return {
+        target_environment: "live",
+        release_intent: releaseIntent,
+        pipeline_id: pipelineId,
+        source_profile: sourceProfile,
+        deploy_target_path: deployTargetPath,
+    };
+}
+function validateWhcSetupRemoteRequest(input) {
+    const parsed = requestSchema.safeParse(input);
+    if (!parsed.success) {
+        const issues = parsed.error.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`).join("; ");
+        throw new Error(`VALIDATION_ERROR: ${issues}`);
+    }
+    return parsed.data;
+}

package/dist/schemas/whc-ssh-exec.js

@@ -0,0 +1,117 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SSH_EXEC_DENYLIST = exports.SSH_EXEC_SAFE_SYNC_PATTERNS = exports.SSH_EXEC_SAFE_WP_PATTERNS = exports.SSH_EXEC_SAFE_READ_COMMANDS = void 0;
+exports.validateWhcSshExecRequest = validateWhcSshExecRequest;
+exports.isCommandAllowed = isCommandAllowed;
+const zod_1 = require("zod");
+exports.SSH_EXEC_SAFE_READ_COMMANDS = [
+    "ls",
+    "cat",
+    "echo",
+    "pwd",
+    "df",
+    "du",
+    "uptime",
+    "free",
+    "ps",
+    "whoami",
+    "id",
+    "env",
+    "printenv",
+    "find",
+    "grep",
+    "tail",
+    "head",
+    "wc",
+    "stat",
+    "file",
+    "which",
+    "test",
+];
+exports.SSH_EXEC_SAFE_WP_PATTERNS = [
+    /^wp\s+--info(\s|$)/i,
+    /^wp\s+core\s+(is-installed|version)(\s|$)/i,
+    /^wp\s+plugin\s+list(\s|$)/i,
+    /^wp\s+theme\s+list(\s|$)/i,
+    /^wp\s+option\s+get\s+\S+/i,
+    /^wp\s+user\s+list(\s|$)/i,
+    /^wp\s+post\s+list(\s|$)/i,
+    /^wp\s+db\s+size(\s|$)/i,
+    /^wp\s+config\s+get\s+\S+/i,
+];
+exports.SSH_EXEC_SAFE_SYNC_PATTERNS = [
+    /^rsync(\s|$)/i,
+];
+// Patterns that are never allowed regardless of allowlist.
+exports.SSH_EXEC_DENYLIST = [
+    /rm\s+-rf\s+\//i,
+    /chmod\s+777\s+\//i,
+    /chmod\s+-R\s+777\s+\//i,
+    /\/etc\/passwd/i,
+    /\/etc\/shadow/i,
+    />\s*\/dev\/sd[a-z]/i,
+    /mkfs/i,
+    /dd\s+if=\/dev\/zero/i,
+    /\|\s*bash/i,
+    /\|\s*sh/i,
+    /curl\s+.*\|\s*bash/i,
+    /wget\s+.*\|\s*bash/i,
+    /nc\s+.*-e/i,
+    /ncat\s+.*-e/i,
+    /--delete(\s|$)/i,
+    /--remove-source-files(\s|$)/i,
+];
+const payloadSchema = zod_1.z.object({
+    target_environment: zod_1.z.enum(["live", "staging"]),
+    raw_command: zod_1.z.string().min(1).max(1024),
+    working_dir: zod_1.z.string().min(1).optional(),
+});
+const requestSchema = zod_1.z.object({
+    request_id: zod_1.z.string().min(1),
+    actor: zod_1.z.object({
+        kind: zod_1.z.literal("copilot"),
+        user_hint: zod_1.z.string().min(1).optional(),
+    }),
+    dry_run: zod_1.z.boolean().optional(),
+    confirmed: zod_1.z.boolean().optional(),
+    idempotency_key: zod_1.z.string().min(1),
+    payload: payloadSchema,
+});
+function validateWhcSshExecRequest(input) {
+    const parsed = requestSchema.safeParse(input);
+    if (!parsed.success) {
+        const issues = parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+        throw new Error(`VALIDATION_ERROR: ${issues}`);
+    }
+    return parsed.data;
+}
+/**
+ * Returns true if the command is classified as a safe read/sync command.
+ */
+function isCommandAllowed(rawCommand) {
+    const trimmed = rawCommand.trim();
+    for (const pattern of exports.SSH_EXEC_DENYLIST) {
+        if (pattern.test(trimmed)) {
+            return { allowed: false, reason: `Command matches denylist pattern: ${pattern.source}` };
+        }
+    }
+    const firstToken = trimmed.split(/\s+/)[0] ?? "";
+    const binaryName = firstToken.split("/").pop() ?? "";
+    if (exports.SSH_EXEC_SAFE_READ_COMMANDS.includes(binaryName.toLowerCase())) {
+        return { allowed: true };
+    }
+    for (const pattern of exports.SSH_EXEC_SAFE_WP_PATTERNS) {
+        if (pattern.test(trimmed)) {
+            return { allowed: true };
+        }
+    }
+    for (const pattern of exports.SSH_EXEC_SAFE_SYNC_PATTERNS) {
+        if (pattern.test(trimmed)) {
+            return { allowed: true };
+        }
+    }
+    return {
+        allowed: false,
+        reason: `Command '${binaryName}' is not in the safe read/sync command set. Use read-only probes or rsync-based sync only.`,
+    };
+}

package/dist/schemas/whc-verify.js

@@ -0,0 +1,28 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.validateWhcVerifyRequest = validateWhcVerifyRequest;
+const zod_1 = require("zod");
+const payloadSchema = zod_1.z.object({
+    target_environment: zod_1.z.enum(["live", "staging"]),
+    release_id: zod_1.z.string().min(1).optional(),
+    manifest_path: zod_1.z.string().min(1).optional(),
+    verify_level: zod_1.z.enum(["default", "with_db"]).default("default"),
+    random_sample_size: zod_1.z.number().int().min(1).max(1000).optional(),
+    random_seed: zod_1.z.string().min(1).optional(),
+});
+const requestSchema = zod_1.z.object({
+    request_id: zod_1.z.string().min(1),
+    actor: zod_1.z.object({
+        kind: zod_1.z.literal("copilot"),
+        user_hint: zod_1.z.string().min(1).optional(),
+    }),
+    payload: payloadSchema,
+});
+function validateWhcVerifyRequest(input) {
+    const parsed = requestSchema.safeParse(input);
+    if (!parsed.success) {
+        const issues = parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+        throw new Error(`VALIDATION_ERROR: ${issues}`);
+    }
+    return parsed.data;
+}

package/dist/server-entry.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const server_1 = require("./server");
+(0, server_1.startMcpServer)().catch((error) => {
+    const message = error instanceof Error ? error.message : "MCP server startup failed";
+    process.stderr.write(message + "\n");
+    process.exitCode = 1;
+});