devops-whc 1.0.1

package/dist/server.js

@@ -0,0 +1,381 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createMcpServer = createMcpServer;
+exports.startMcpServer = startMcpServer;
+const mcp_js_1 = require("@modelcontextprotocol/sdk/server/mcp.js");
+const stdio_js_1 = require("@modelcontextprotocol/sdk/server/stdio.js");
+const node_crypto_1 = require("node:crypto");
+const zod_1 = require("zod");
+const env_js_1 = require("./config/env.js");
+const tool_dispatcher_js_1 = require("./dispatcher/tool-dispatcher.js");
+const store_js_1 = require("./idempotency/store.js");
+const audit_logger_js_1 = require("./audit/audit-logger.js");
+const tool_registry_js_1 = require("./registry/tool-registry.js");
+// Handlers
+const whc_check_health_js_1 = require("./handlers/whc-check-health.js");
+const whc_setup_remote_js_1 = require("./handlers/whc-setup-remote.js");
+const whc_deploy_js_1 = require("./handlers/whc-deploy.js");
+const whc_get_logs_js_1 = require("./handlers/whc-get-logs.js");
+const whc_ssh_exec_js_1 = require("./handlers/whc-ssh-exec.js");
+const whc_db_backup_js_1 = require("./handlers/whc-db-backup.js");
+const whc_prepare_js_1 = require("./handlers/whc-prepare.js");
+const whc_verify_js_1 = require("./handlers/whc-verify.js");
+const whc_pipeline_status_js_1 = require("./handlers/whc-pipeline-status.js");
+const whc_rollback_js_1 = require("./handlers/whc-rollback.js");
+// Validators
+const whc_check_health_js_2 = require("./schemas/whc-check-health.js");
+const whc_setup_remote_js_2 = require("./schemas/whc-setup-remote.js");
+const whc_deploy_js_2 = require("./schemas/whc-deploy.js");
+const whc_get_logs_js_2 = require("./schemas/whc-get-logs.js");
+const whc_ssh_exec_js_2 = require("./schemas/whc-ssh-exec.js");
+const whc_db_backup_js_2 = require("./schemas/whc-db-backup.js");
+const whc_prepare_js_2 = require("./schemas/whc-prepare.js");
+const whc_verify_js_2 = require("./schemas/whc-verify.js");
+const whc_pipeline_status_js_2 = require("./schemas/whc-pipeline-status.js");
+const whc_rollback_js_2 = require("./schemas/whc-rollback.js");
+// --- Shared infrastructure ---
+const idempotencyStore = new store_js_1.InMemoryIdempotencyStore();
+function resultToContent(result) {
+    return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
+}
+// --- MCP Server setup ---
+function createMcpServer() {
+    const config = (0, env_js_1.loadConfig)();
+    const flowLogPath = config.flowLogPath ?? ".mcp/whc-mcp/logs/flow-events.jsonl";
+    const auditLogger = new audit_logger_js_1.CompositeAuditLogger([
+        new audit_logger_js_1.ConsoleAuditLogger(),
+        new audit_logger_js_1.FileAuditLogger(flowLogPath),
+    ]);
+    const instanceName = (process.env.WHC_MCP_INSTANCE_NAME ?? "").trim() || "whc-mcp";
+    const server = new mcp_js_1.McpServer({
+        name: instanceName,
+        version: "1.0.1",
+    });
+    // ── whc_prepare ───────────────────────────────────────────────────────────
+    server.registerTool("whc_prepare", {
+        description: tool_registry_js_1.TOOL_REGISTRY["whc_prepare"].description,
+        inputSchema: zod_1.z.object({
+            request_id: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            actor: zod_1.z
+                .object({ kind: zod_1.z.literal("copilot"), user_hint: zod_1.z.string().optional() })
+                .default({ kind: "copilot" }),
+            dry_run: zod_1.z.boolean().optional(),
+            confirmed: zod_1.z.boolean().optional(),
+            idempotency_key: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            payload: zod_1.z
+                .object({
+                workspace_root: zod_1.z.string().min(1).optional(),
+                target_environment: zod_1.z.enum(["live", "staging"]).optional(),
+                ensure_gitignore_rule: zod_1.z.boolean().default(true),
+                force_reinitialize: zod_1.z.boolean().default(false),
+            })
+                .default({ ensure_gitignore_rule: true, force_reinitialize: false }),
+        }),
+    }, async (args) => {
+        const result = await (0, tool_dispatcher_js_1.dispatch)({
+            config,
+            toolDef: tool_registry_js_1.TOOL_REGISTRY["whc_prepare"],
+            rawInput: args,
+            validate: whc_prepare_js_2.validateWhcPrepareRequest,
+            execute: (cfg, req) => (0, whc_prepare_js_1.executeWhcPrepare)(cfg, req),
+            idempotencyStore,
+            auditLogger,
+            actionIdFactory: node_crypto_1.randomUUID,
+        });
+        return resultToContent(result);
+    });
+    // ── whc_check_health ──────────────────────────────────────────────────────
+    server.registerTool("whc_check_health", {
+        description: tool_registry_js_1.TOOL_REGISTRY["whc_check_health"].description,
+        inputSchema: zod_1.z.object({
+            request_id: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            actor: zod_1.z
+                .object({ kind: zod_1.z.literal("copilot"), user_hint: zod_1.z.string().optional() })
+                .default({ kind: "copilot" }),
+            payload: zod_1.z
+                .object({ target_environment: zod_1.z.enum(["live", "staging"]).default("live") })
+                .default({ target_environment: "live" }),
+        }),
+    }, async (args) => {
+        const result = await (0, tool_dispatcher_js_1.dispatch)({
+            config,
+            toolDef: tool_registry_js_1.TOOL_REGISTRY["whc_check_health"],
+            rawInput: args,
+            validate: whc_check_health_js_2.validateWhcCheckHealthRequest,
+            execute: (cfg, req) => (0, whc_check_health_js_1.executeWhcCheckHealth)(cfg, req),
+            idempotencyStore,
+            auditLogger,
+            actionIdFactory: node_crypto_1.randomUUID,
+        });
+        return resultToContent(result);
+    });
+    // ── whc_setup_remote ──────────────────────────────────────────────────────
+    server.registerTool("whc_setup_remote", {
+        description: tool_registry_js_1.TOOL_REGISTRY["whc_setup_remote"].description,
+        inputSchema: zod_1.z.object({
+            request_id: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            actor: zod_1.z
+                .object({ kind: zod_1.z.literal("copilot"), user_hint: zod_1.z.string().optional() })
+                .default({ kind: "copilot" }),
+            dry_run: zod_1.z.boolean().optional(),
+            confirmed: zod_1.z.boolean().optional(),
+            idempotency_key: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            payload: zod_1.z.object({
+                target_environment: zod_1.z.enum(["live", "staging"]),
+                release_intent: zod_1.z.enum(["refresh", "deploy", "promote", "migrate", "recover"]),
+                pipeline_id: zod_1.z.enum(["P0", "P1", "P2", "P2R", "P3", "P3D", "P4", "P5"]),
+                source_profile: zod_1.z.object({
+                    source_kind: zod_1.z.enum(["full_site", "partial_content", "package_only", "artifact_first", "monorepo_slice"]),
+                    deploy_unit: zod_1.z.enum(["raw_source", "build_artifact", "package_bundle"]),
+                }),
+                deploy_target_path: zod_1.z.string().min(1),
+                clone_url: zod_1.z.string().url().optional(),
+            }),
+        }),
+    }, async (args) => {
+        const result = await (0, tool_dispatcher_js_1.dispatch)({
+            config,
+            toolDef: tool_registry_js_1.TOOL_REGISTRY["whc_setup_remote"],
+            rawInput: args,
+            validate: whc_setup_remote_js_2.validateWhcSetupRemoteRequest,
+            execute: (cfg, req) => (0, whc_setup_remote_js_1.executeWhcSetupRemote)(cfg, req),
+            idempotencyStore,
+            auditLogger,
+            actionIdFactory: node_crypto_1.randomUUID,
+        });
+        return resultToContent(result);
+    });
+    // ── whc_deploy ────────────────────────────────────────────────────────────
+    server.registerTool("whc_deploy", {
+        description: tool_registry_js_1.TOOL_REGISTRY["whc_deploy"].description,
+        inputSchema: zod_1.z.object({
+            request_id: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            actor: zod_1.z
+                .object({ kind: zod_1.z.literal("copilot"), user_hint: zod_1.z.string().optional() })
+                .default({ kind: "copilot" }),
+            dry_run: zod_1.z.boolean().optional(),
+            confirmed: zod_1.z.boolean().optional(),
+            idempotency_key: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            payload: zod_1.z.object({
+                workflow_mode: zod_1.z.enum(["managed_clone_sync", "git_controlled"]),
+                target_environment: zod_1.z.enum(["live", "staging"]),
+                release_intent: zod_1.z.enum(["refresh", "deploy", "promote", "migrate", "recover"]),
+                pipeline_id: zod_1.z.enum(["P0", "P1", "P2", "P2R", "P3", "P3D", "P4", "P5"]),
+                source_profile: zod_1.z.object({
+                    source_kind: zod_1.z.enum(["full_site", "partial_content", "package_only", "artifact_first", "monorepo_slice"]),
+                    deploy_unit: zod_1.z.enum(["raw_source", "build_artifact", "package_bundle"]),
+                }),
+                direction: zod_1.z.enum(["live_to_staging", "staging_to_live"]).optional(),
+                sync_scope: zod_1.z.enum(["files", "database", "everything"]).optional(),
+                repository_root: zod_1.z.string().min(1).optional(),
+                branch: zod_1.z.string().min(1).optional(),
+                rollback_branch: zod_1.z.string().min(1).optional(),
+                backup_reference: zod_1.z.string().min(1).optional(),
+                allow_emergency_without_backup: zod_1.z.boolean().optional(),
+                verify_after_deploy: zod_1.z.boolean().optional(),
+                auto_rollback_on_verify_failure: zod_1.z.boolean().optional(),
+                lock_key: zod_1.z.string().min(1).optional(),
+            }),
+        }),
+    }, async (args) => {
+        const result = await (0, tool_dispatcher_js_1.dispatch)({
+            config,
+            toolDef: tool_registry_js_1.TOOL_REGISTRY["whc_deploy"],
+            rawInput: args,
+            validate: whc_deploy_js_2.validateWhcDeployRequest,
+            execute: (cfg, req) => (0, whc_deploy_js_1.executeWhcDeploy)(cfg, req),
+            idempotencyStore,
+            auditLogger,
+            actionIdFactory: node_crypto_1.randomUUID,
+        });
+        return resultToContent(result);
+    });
+    // ── whc_get_logs ──────────────────────────────────────────────────────────
+    server.registerTool("whc_get_logs", {
+        description: tool_registry_js_1.TOOL_REGISTRY["whc_get_logs"].description,
+        inputSchema: zod_1.z.object({
+            request_id: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            actor: zod_1.z
+                .object({ kind: zod_1.z.literal("copilot"), user_hint: zod_1.z.string().optional() })
+                .default({ kind: "copilot" }),
+            payload: zod_1.z.object({
+                target_environment: zod_1.z.enum(["live", "staging"]),
+                log_type: zod_1.z.enum(["apache_error", "apache_access", "cron", "php_error"]).default("apache_error"),
+                lines: zod_1.z.number().int().min(1).max(500).default(50),
+            }),
+        }),
+    }, async (args) => {
+        const result = await (0, tool_dispatcher_js_1.dispatch)({
+            config,
+            toolDef: tool_registry_js_1.TOOL_REGISTRY["whc_get_logs"],
+            rawInput: args,
+            validate: whc_get_logs_js_2.validateWhcGetLogsRequest,
+            execute: (cfg, req) => (0, whc_get_logs_js_1.executeWhcGetLogs)(cfg, req),
+            idempotencyStore,
+            auditLogger,
+            actionIdFactory: node_crypto_1.randomUUID,
+        });
+        return resultToContent(result);
+    });
+    // ── whc_ssh_exec ──────────────────────────────────────────────────────────
+    server.registerTool("whc_ssh_exec", {
+        description: tool_registry_js_1.TOOL_REGISTRY["whc_ssh_exec"].description,
+        inputSchema: zod_1.z.object({
+            request_id: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            actor: zod_1.z
+                .object({ kind: zod_1.z.literal("copilot"), user_hint: zod_1.z.string().optional() })
+                .default({ kind: "copilot" }),
+            dry_run: zod_1.z.boolean().optional(),
+            confirmed: zod_1.z.boolean().optional(),
+            idempotency_key: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            payload: zod_1.z.object({
+                target_environment: zod_1.z.enum(["live", "staging"]),
+                raw_command: zod_1.z.string().min(1).max(1024),
+                working_dir: zod_1.z.string().min(1).optional(),
+            }),
+        }),
+    }, async (args) => {
+        const result = await (0, tool_dispatcher_js_1.dispatch)({
+            config,
+            toolDef: tool_registry_js_1.TOOL_REGISTRY["whc_ssh_exec"],
+            rawInput: args,
+            validate: whc_ssh_exec_js_2.validateWhcSshExecRequest,
+            execute: (cfg, req) => (0, whc_ssh_exec_js_1.executeWhcSshExec)(cfg, req),
+            idempotencyStore,
+            auditLogger,
+            actionIdFactory: node_crypto_1.randomUUID,
+        });
+        return resultToContent(result);
+    });
+    // ── whc_db_backup ─────────────────────────────────────────────────────────
+    server.registerTool("whc_db_backup", {
+        description: tool_registry_js_1.TOOL_REGISTRY["whc_db_backup"].description,
+        inputSchema: zod_1.z.object({
+            request_id: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            actor: zod_1.z
+                .object({ kind: zod_1.z.literal("copilot"), user_hint: zod_1.z.string().optional() })
+                .default({ kind: "copilot" }),
+            dry_run: zod_1.z.boolean().optional(),
+            confirmed: zod_1.z.boolean().optional(),
+            idempotency_key: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            payload: zod_1.z.object({
+                target_environment: zod_1.z.enum(["live", "staging"]),
+                output_path: zod_1.z.string().min(1).optional(),
+                compress: zod_1.z.boolean().default(true),
+                tables: zod_1.z.array(zod_1.z.string().min(1)).optional(),
+            }),
+        }),
+    }, async (args) => {
+        const result = await (0, tool_dispatcher_js_1.dispatch)({
+            config,
+            toolDef: tool_registry_js_1.TOOL_REGISTRY["whc_db_backup"],
+            rawInput: args,
+            validate: whc_db_backup_js_2.validateWhcDbBackupRequest,
+            execute: (cfg, req) => (0, whc_db_backup_js_1.executeWhcDbBackup)(cfg, req),
+            idempotencyStore,
+            auditLogger,
+            actionIdFactory: node_crypto_1.randomUUID,
+        });
+        return resultToContent(result);
+    });
+    // ── whc_verify ────────────────────────────────────────────────────────────
+    server.registerTool("whc_verify", {
+        description: tool_registry_js_1.TOOL_REGISTRY["whc_verify"].description,
+        inputSchema: zod_1.z.object({
+            request_id: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            actor: zod_1.z
+                .object({ kind: zod_1.z.literal("copilot"), user_hint: zod_1.z.string().optional() })
+                .default({ kind: "copilot" }),
+            payload: zod_1.z.object({
+                target_environment: zod_1.z.enum(["live", "staging"]),
+                release_id: zod_1.z.string().min(1).optional(),
+                manifest_path: zod_1.z.string().min(1).optional(),
+                verify_level: zod_1.z.enum(["default", "with_db"]).default("default"),
+                random_sample_size: zod_1.z.number().int().min(1).max(1000).optional(),
+                random_seed: zod_1.z.string().min(1).optional(),
+            }),
+        }),
+    }, async (args) => {
+        const result = await (0, tool_dispatcher_js_1.dispatch)({
+            config,
+            toolDef: tool_registry_js_1.TOOL_REGISTRY["whc_verify"],
+            rawInput: args,
+            validate: whc_verify_js_2.validateWhcVerifyRequest,
+            execute: (cfg, req) => (0, whc_verify_js_1.executeWhcVerify)(cfg, req),
+            idempotencyStore,
+            auditLogger,
+            actionIdFactory: node_crypto_1.randomUUID,
+        });
+        return resultToContent(result);
+    });
+    // ── whc_pipeline_status ───────────────────────────────────────────────────
+    server.registerTool("whc_pipeline_status", {
+        description: tool_registry_js_1.TOOL_REGISTRY["whc_pipeline_status"].description,
+        inputSchema: zod_1.z.object({
+            request_id: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            actor: zod_1.z
+                .object({ kind: zod_1.z.literal("copilot"), user_hint: zod_1.z.string().optional() })
+                .default({ kind: "copilot" }),
+            payload: zod_1.z
+                .object({
+                workspace_root: zod_1.z.string().min(1).optional(),
+                request_id: zod_1.z.string().min(1).optional(),
+            })
+                .default({}),
+        }),
+    }, async (args) => {
+        const result = await (0, tool_dispatcher_js_1.dispatch)({
+            config,
+            toolDef: tool_registry_js_1.TOOL_REGISTRY["whc_pipeline_status"],
+            rawInput: args,
+            validate: whc_pipeline_status_js_2.validateWhcPipelineStatusRequest,
+            execute: (cfg, req) => (0, whc_pipeline_status_js_1.executeWhcPipelineStatus)(cfg, req),
+            idempotencyStore,
+            auditLogger,
+            actionIdFactory: node_crypto_1.randomUUID,
+        });
+        return resultToContent(result);
+    });
+    // ── whc_rollback ──────────────────────────────────────────────────────────
+    server.registerTool("whc_rollback", {
+        description: tool_registry_js_1.TOOL_REGISTRY["whc_rollback"].description,
+        inputSchema: zod_1.z.object({
+            request_id: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            actor: zod_1.z
+                .object({ kind: zod_1.z.literal("copilot"), user_hint: zod_1.z.string().optional() })
+                .default({ kind: "copilot" }),
+            dry_run: zod_1.z.boolean().optional(),
+            confirmed: zod_1.z.boolean().optional(),
+            idempotency_key: zod_1.z.string().default(() => (0, node_crypto_1.randomUUID)()),
+            payload: zod_1.z.object({
+                target_environment: zod_1.z.enum(["live", "staging"]),
+                rollback_mode: zod_1.z.enum(["git_branch", "db_backup", "managed_sync_reverse"]),
+                rollback_branch: zod_1.z.string().min(1).optional(),
+                backup_reference: zod_1.z.string().min(1).optional(),
+                direction: zod_1.z.enum(["live_to_staging", "staging_to_live"]).optional(),
+                reason: zod_1.z.string().min(1),
+                verify_release_id: zod_1.z.string().min(1).optional(),
+                verify_report_path: zod_1.z.string().min(1).optional(),
+                repository_root: zod_1.z.string().min(1).optional(),
+            }),
+        }),
+    }, async (args) => {
+        const result = await (0, tool_dispatcher_js_1.dispatch)({
+            config,
+            toolDef: tool_registry_js_1.TOOL_REGISTRY["whc_rollback"],
+            rawInput: args,
+            validate: whc_rollback_js_2.validateWhcRollbackRequest,
+            execute: (cfg, req) => (0, whc_rollback_js_1.executeWhcRollback)(cfg, req),
+            idempotencyStore,
+            auditLogger,
+            actionIdFactory: node_crypto_1.randomUUID,
+        });
+        return resultToContent(result);
+    });
+    return server;
+}
+async function startMcpServer() {
+    const server = createMcpServer();
+    const transport = new stdio_js_1.StdioServerTransport();
+    await server.connect(transport);
+}

package/dist/services/deploy-runtime-ops.js

@@ -0,0 +1,104 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runDeployVerification = runDeployVerification;
+exports.runDeployRollback = runDeployRollback;
+async function runDeployVerification(config, request, sshClient) {
+    const payload = request.payload;
+    if (payload.workflow_mode !== "git_controlled") {
+        return { ok: true, message: "Verification passed for managed_clone_sync mode" };
+    }
+    if (!payload.repository_root) {
+        return { ok: false, message: "Missing repository_root for verification" };
+    }
+    const repoPath = shellQuote(payload.repository_root);
+    const verifyProfile = resolveVerifyProfile(payload.source_profile.source_kind);
+    const commandParts = [
+        `test -d ${repoPath} && echo __PATH_OK__ || echo __PATH_MISSING__`,
+        `if [ -f ${repoPath}/.cpanel.yml ]; then echo __CPANEL_YML_OK__; else echo __CPANEL_YML_MISSING__; fi`,
+    ];
+    if (verifyProfile.requireWpCliCheck) {
+        commandParts.push(`if command -v wp >/dev/null 2>&1; then wp core is-installed --path=${repoPath} >/dev/null 2>&1 && echo __WP_OK__ || echo __WP_NOT_READY__; else echo __WPCLI_MISSING__; fi`);
+    }
+    const command = commandParts.join(" ; ");
+    const target = resolveTarget(config, payload.target_environment);
+    if (!target.ok) {
+        return { ok: false, message: target.message };
+    }
+    const sshResult = await sshClient.execWithKey(target.value, command);
+    if (!sshResult.ok) {
+        return { ok: false, message: `SSH verify command failed: ${sshResult.message}` };
+    }
+    const output = sshResult.stdout;
+    if (output.includes("__PATH_MISSING__")) {
+        return { ok: false, message: "Deployment path does not exist after deploy" };
+    }
+    if (output.includes("__CPANEL_YML_MISSING__")) {
+        return { ok: false, message: ".cpanel.yml is missing in deployment root" };
+    }
+    if (verifyProfile.requireWpCliCheck && output.includes("__WPCLI_MISSING__")) {
+        return { ok: false, message: "WP-CLI is required for full_site verification but is not available" };
+    }
+    if (verifyProfile.requireWpCliCheck && output.includes("__WP_NOT_READY__")) {
+        return { ok: false, message: "WordPress core is not installed/ready after deploy" };
+    }
+    return { ok: true, message: `Runtime verification passed (${verifyProfile.name})` };
+}
+async function runDeployRollback(_config, request, uapiClient) {
+    const payload = request.payload;
+    if (payload.workflow_mode !== "git_controlled") {
+        return {
+            ok: false,
+            message: "Automatic rollback is currently supported only for git_controlled mode",
+        };
+    }
+    if (!payload.repository_root) {
+        return { ok: false, message: "Missing repository_root for rollback" };
+    }
+    if (!payload.rollback_branch) {
+        return {
+            ok: false,
+            message: "rollback_branch is required for automatic rollback",
+        };
+    }
+    const rollbackResult = await uapiClient.triggerDeployment(payload.repository_root, payload.rollback_branch);
+    if (!rollbackResult.ok) {
+        return {
+            ok: false,
+            message: `Rollback deployment failed: ${rollbackResult.message}`,
+        };
+    }
+    return { ok: true, message: `Rollback deployed from branch ${payload.rollback_branch}` };
+}
+function shellQuote(value) {
+    return `'${value.replace(/'/g, `'"'"'`)}'`;
+}
+function resolveVerifyProfile(sourceKind) {
+    if (sourceKind === "full_site") {
+        return { name: "wordpress", requireWpCliCheck: true };
+    }
+    if (sourceKind === "package_only" || sourceKind === "artifact_first") {
+        return { name: "generic", requireWpCliCheck: false };
+    }
+    return { name: "generic", requireWpCliCheck: false };
+}
+function resolveTarget(config, environment) {
+    if (environment === "live") {
+        return { ok: true, value: config.sshTargets.prod };
+    }
+    const staging = config.sshTargets.staging;
+    if (!staging) {
+        return { ok: false, message: "Staging SSH target is not configured" };
+    }
+    if (!staging.privateKeyPath) {
+        return { ok: false, message: "Staging verification requires key-based SSH auth" };
+    }
+    return {
+        ok: true,
+        value: {
+            host: staging.host,
+            port: staging.port,
+            username: staging.username,
+            privateKeyPath: staging.privateKeyPath,
+        },
+    };
+}

package/dist/services/deployment-locks.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.InMemoryDeploymentLockService = void 0;
+class InMemoryDeploymentLockService {
+    locks = new Map();
+    acquire(key, owner, ttlMs = 5 * 60 * 1000) {
+        const now = Date.now();
+        const existing = this.locks.get(key);
+        if (existing && existing.expiresAt > now) {
+            return {
+                ok: false,
+                reason: `Deployment lock already held by ${existing.owner}`,
+            };
+        }
+        const lock = {
+            key,
+            owner,
+            acquiredAt: now,
+            expiresAt: now + ttlMs,
+        };
+        this.locks.set(key, lock);
+        return { ok: true, lock };
+    }
+    release(key, owner) {
+        const existing = this.locks.get(key);
+        if (!existing) {
+            return;
+        }
+        if (existing.owner === owner || existing.expiresAt <= Date.now()) {
+            this.locks.delete(key);
+        }
+    }
+}
+exports.InMemoryDeploymentLockService = InMemoryDeploymentLockService;