gitops-ai 1.0.0

package/dist/core/dependencies.js

@@ -0,0 +1,134 @@
+import { commandExists, execAsync } from "../utils/shell.js";
+import { isMacOS, getArch } from "../utils/platform.js";
+import { log, withSpinner } from "../utils/log.js";
+async function runInstall(cmd) {
+    await execAsync(cmd);
+}
+const registry = [
+    {
+        name: "kubectl",
+        check: () => commandExists("kubectl"),
+        installDarwin: () => runInstall("brew install kubectl"),
+        installLinux: async () => {
+            const arch = getArch();
+            const version = await execAsync("curl -sL https://dl.k8s.io/release/stable.txt");
+            await execAsync(`curl -sL "https://dl.k8s.io/release/${version}/bin/linux/${arch}/kubectl" -o /tmp/kubectl`);
+            await execAsync("sudo install -o root -g root -m 0755 /tmp/kubectl /usr/local/bin/kubectl");
+            await execAsync("rm -f /tmp/kubectl");
+        },
+    },
+    {
+        name: "helm",
+        check: () => commandExists("helm"),
+        installDarwin: () => runInstall("brew install helm"),
+        installLinux: () => runInstall("curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash"),
+    },
+    {
+        name: "k9s",
+        check: () => commandExists("k9s"),
+        installDarwin: () => runInstall("brew install derailed/k9s/k9s"),
+        installLinux: async () => {
+            await execAsync("wget -qO /tmp/k9s_linux_amd64.deb https://github.com/derailed/k9s/releases/latest/download/k9s_linux_amd64.deb");
+            await execAsync("sudo DEBIAN_FRONTEND=noninteractive apt install -y /tmp/k9s_linux_amd64.deb");
+            await execAsync("rm /tmp/k9s_linux_amd64.deb");
+        },
+    },
+    {
+        name: "flux-operator",
+        check: () => commandExists("flux-operator"),
+        installDarwin: () => runInstall("brew install controlplaneio-fluxcd/tap/flux-operator"),
+        installLinux: async () => {
+            const arch = getArch();
+            const release = await execAsync(`curl -sL https://api.github.com/repos/controlplaneio-fluxcd/flux-operator/releases/latest | grep '"tag_name"' | cut -d'"' -f4`);
+            const num = release.replace(/^v/, "");
+            await execAsync(`curl -Lo /tmp/flux-operator.tar.gz "https://github.com/controlplaneio-fluxcd/flux-operator/releases/download/${release}/flux-operator_${num}_linux_${arch}.tar.gz"`);
+            await execAsync("tar -xzf /tmp/flux-operator.tar.gz -C /tmp flux-operator");
+            await execAsync("sudo install -o root -g root -m 0755 /tmp/flux-operator /usr/local/bin/flux-operator");
+            await execAsync("rm -f /tmp/flux-operator.tar.gz /tmp/flux-operator");
+        },
+    },
+    {
+        name: "k3d",
+        check: () => commandExists("k3d"),
+        installDarwin: () => runInstall("brew install k3d"),
+        installLinux: () => runInstall('curl -sL "https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh" | bash'),
+    },
+    {
+        name: "git",
+        check: () => commandExists("git"),
+        installDarwin: () => runInstall("brew install git"),
+        installLinux: () => runInstall("sudo DEBIAN_FRONTEND=noninteractive apt-get update -qq && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq git > /dev/null"),
+    },
+    {
+        name: "jq",
+        check: () => commandExists("jq"),
+        installDarwin: () => runInstall("brew install jq"),
+        installLinux: () => runInstall("sudo DEBIAN_FRONTEND=noninteractive apt-get update -qq && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq jq > /dev/null"),
+    },
+    {
+        name: "glab",
+        check: () => commandExists("glab"),
+        installDarwin: () => runInstall("brew install glab"),
+        installLinux: () => runInstall("sudo DEBIAN_FRONTEND=noninteractive apt-get update -qq && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq glab > /dev/null"),
+    },
+    {
+        name: "sops",
+        check: () => commandExists("sops"),
+        installDarwin: () => runInstall("brew install sops"),
+        installLinux: async () => {
+            const arch = getArch();
+            const os = "linux";
+            const version = await execAsync(`curl -sL https://api.github.com/repos/getsops/sops/releases/latest | grep '"tag_name"' | cut -d'"' -f4`);
+            await execAsync(`curl -Lo /tmp/sops "https://github.com/getsops/sops/releases/download/${version}/sops-${version}.${os}.${arch}"`);
+            await execAsync("sudo install -m 0755 /tmp/sops /usr/local/bin/sops");
+            await execAsync("rm -f /tmp/sops");
+        },
+    },
+    {
+        name: "age",
+        check: () => commandExists("age") || commandExists("age-keygen"),
+        installDarwin: () => runInstall("brew install age"),
+        installLinux: async () => {
+            const arch = getArch();
+            const version = await execAsync(`curl -sL https://api.github.com/repos/FiloSottile/age/releases/latest | grep '"tag_name"' | cut -d'"' -f4`);
+            await execAsync(`curl -Lo /tmp/age.tar.gz "https://github.com/FiloSottile/age/releases/download/${version}/age-${version}-linux-${arch}.tar.gz"`);
+            await execAsync("tar -xzf /tmp/age.tar.gz -C /tmp");
+            await execAsync("sudo install -m 0755 /tmp/age/age /usr/local/bin/age");
+            await execAsync("sudo install -m 0755 /tmp/age/age-keygen /usr/local/bin/age-keygen");
+            await execAsync("rm -rf /tmp/age.tar.gz /tmp/age");
+        },
+    },
+];
+function getDep(name) {
+    const dep = registry.find((d) => d.name === name);
+    if (!dep)
+        throw new Error(`Unknown dependency: ${name}`);
+    return dep;
+}
+export async function ensureDependency(name) {
+    const dep = getDep(name);
+    if (dep.check()) {
+        log.success(`${dep.name} ✓`);
+        return;
+    }
+    log.detail(`${dep.name} not found, installing...`);
+    await withSpinner(`Installing ${dep.name}`, async () => {
+        if (isMacOS()) {
+            await dep.installDarwin();
+        }
+        else {
+            await dep.installLinux();
+        }
+    });
+}
+export async function ensureAll(names) {
+    for (const name of names) {
+        await ensureDependency(name);
+    }
+}
+export function checkPrerequisite(name) {
+    if (!commandExists(name)) {
+        throw new Error(`Required tool '${name}' is not installed.`);
+    }
+}
+//# sourceMappingURL=dependencies.js.map

package/dist/core/dependencies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependencies.js","sourceRoot":"","sources":["../../src/core/dependencies.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,sBAAsB,CAAC;AACxD,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AASnD,KAAK,UAAU,UAAU,CAAC,GAAW;IACnC,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;AACvB,CAAC;AAED,MAAM,QAAQ,GAAiB;IAC7B;QACE,IAAI,EAAE,SAAS;QACf,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,SAAS,CAAC;QACrC,aAAa,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,sBAAsB,CAAC;QACvD,YAAY,EAAE,KAAK,IAAI,EAAE;YACvB,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,MAAM,SAAS,CAC7B,+CAA+C,CAChD,CAAC;YACF,MAAM,SAAS,CACb,uCAAuC,OAAO,cAAc,IAAI,2BAA2B,CAC5F,CAAC;YACF,MAAM,SAAS,CACb,0EAA0E,CAC3E,CAAC;YACF,MAAM,SAAS,CAAC,oBAAoB,CAAC,CAAC;QACxC,CAAC;KACF;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;QAClC,aAAa,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,mBAAmB,CAAC;QACpD,YAAY,EAAE,GAAG,EAAE,CACjB,UAAU,CACR,uFAAuF,CACxF;KACJ;IACD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC;QACjC,aAAa,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,+BAA+B,CAAC;QAChE,YAAY,EAAE,KAAK,IAAI,EAAE;YACvB,MAAM,SAAS,CACb,gHAAgH,CACjH,CAAC;YACF,MAAM,SAAS,CACb,6EAA6E,CAC9E,CAAC;YACF,MAAM,SAAS,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;KACF;IACD;QACE,IAAI,EAAE,eAAe;QACrB,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,eAAe,CAAC;QAC3C,aAAa,EAAE,GAAG,EAAE,CAClB,UAAU,CAAC,sDAAsD,CAAC;QACpE,YAAY,EAAE,KAAK,IAAI,EAAE;YACvB,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,MAAM,SAAS,CAC7B,+HAA+H,CAChI,CAAC;YACF,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;YACtC,MAAM,SAAS,CACb,gHAAgH,OAAO,kBAAkB,GAAG,UAAU,IAAI,UAAU,CACrK,CAAC;YACF,MAAM,SAAS,CAAC,0DAA0D,CAAC,CAAC;YAC5E,MAAM,SAAS,CACb,sFAAsF,CACvF,CAAC;YACF,MAAM,SAAS,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;KACF;IACD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC;QACjC,aAAa,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,kBAAkB,CAAC;QACnD,YAAY,EAAE,GAAG,EAAE,CACjB,UAAU,CACR,gFAAgF,CACjF;KACJ;IACD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC;QACjC,aAAa,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,kBAAkB,CAAC;QACnD,YAAY,EAAE,GAAG,EAAE,CACjB,UAAU,CACR,sIAAsI,CACvI;KACJ;IACD;QACE,IAAI,EAAE,IAAI;QACV,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC;QAChC,aAAa,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,iBAAiB,CAAC;QAClD,YAAY,EAAE,GAAG,EAAE,CACjB,UAAU,CACR,qIAAqI,CACtI;KACJ;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;QAClC,aAAa,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,mBAAmB,CAAC;QACpD,YAAY,EAAE,GAAG,EAAE,CACjB,UAAU,CACR,uIAAuI,CACxI;KACJ;IACD;QACE,IAAI,EAAE,MAAM;QACZ,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,MAAM,CAAC;QAClC,aAAa,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,mBAAmB,CAAC;QACpD,YAAY,EAAE,KAAK,IAAI,EAAE;YACvB,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;YACvB,MAAM,EAAE,GAAG,OAAO,CAAC;YACnB,MAAM,OAAO,GAAG,MAAM,SAAS,CAC7B,wGAAwG,CACzG,CAAC;YACF,MAAM,SAAS,CACb,yEAAyE,OAAO,SAAS,OAAO,IAAI,EAAE,IAAI,IAAI,GAAG,CAClH,CAAC;YACF,MAAM,SAAS,CAAC,oDAAoD,CAAC,CAAC;YACtE,MAAM,SAAS,CAAC,iBAAiB,CAAC,CAAC;QACrC,CAAC;KACF;IACD;QACE,IAAI,EAAE,KAAK;QACX,KAAK,EAAE,GAAG,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,aAAa,CAAC,YAAY,CAAC;QAChE,aAAa,EAAE,GAAG,EAAE,CAAC,UAAU,CAAC,kBAAkB,CAAC;QACnD,YAAY,EAAE,KAAK,IAAI,EAAE;YACvB,MAAM,IAAI,GAAG,OAAO,EAAE,CAAC;YACvB,MAAM,OAAO,GAAG,MAAM,SAAS,CAC7B,2GAA2G,CAC5G,CAAC;YACF,MAAM,SAAS,CACb,kFAAkF,OAAO,QAAQ,OAAO,UAAU,IAAI,UAAU,CACjI,CAAC;YACF,MAAM,SAAS,CAAC,kCAAkC,CAAC,CAAC;YACpD,MAAM,SAAS,CACb,sDAAsD,CACvD,CAAC;YACF,MAAM,SAAS,CACb,oEAAoE,CACrE,CAAC;YACF,MAAM,SAAS,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;KACF;CACF,CAAC;AAEF,SAAS,MAAM,CAAC,IAAY;IAC1B,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAClD,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,uBAAuB,IAAI,EAAE,CAAC,CAAC;IACzD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAY;IACjD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;IACzB,IAAI,GAAG,CAAC,KAAK,EAAE,EAAE,CAAC;QAChB,GAAG,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC;QAC7B,OAAO;IACT,CAAC;IAED,GAAG,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC,IAAI,2BAA2B,CAAC,CAAC;IACnD,MAAM,WAAW,CAAC,cAAc,GAAG,CAAC,IAAI,EAAE,EAAE,KAAK,IAAI,EAAE;QACrD,IAAI,OAAO,EAAE,EAAE,CAAC;YACd,MAAM,GAAG,CAAC,aAAa,EAAE,CAAC;QAC5B,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,CAAC,YAAY,EAAE,CAAC;QAC3B,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,KAAe;IAC7C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC;AACH,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,kBAAkB,IAAI,qBAAqB,CAAC,CAAC;IAC/D,CAAC;AACH,CAAC"}

package/dist/core/encryption.d.ts

@@ -0,0 +1,25 @@
+import type { SopsConfig } from "../schemas.js";
+export declare function findSecretFiles(searchDir: string): string[];
+export declare function isEncrypted(file: string): boolean;
+export declare function generateAgeKey(cfg: SopsConfig): string;
+export declare function getAgePublicKey(cfg: SopsConfig): string;
+export declare function ageKeyExists(cfg: SopsConfig): boolean;
+export declare function backupAgeKey(cfg: SopsConfig): void;
+export declare function createSopsConfig(publicKey: string, cfg: SopsConfig): void;
+export declare function encryptFile(file: string, cfg: SopsConfig, repoRoot: string): Promise<boolean>;
+export declare function decryptFile(file: string, cfg: SopsConfig, repoRoot: string): Promise<boolean>;
+export declare function editFile(file: string, cfg: SopsConfig): void;
+export declare function encryptAll(cfg: SopsConfig, repoRoot: string): Promise<{
+    encrypted: number;
+    skipped: number;
+    total: number;
+}>;
+export declare function decryptAll(cfg: SopsConfig, repoRoot: string): Promise<string[]>;
+export interface SecretFileStatus {
+    path: string;
+    relpath: string;
+    status: "encrypted" | "template" | "plaintext";
+}
+export declare function getSecretStatus(repoRoot: string): SecretFileStatus[];
+export declare function substituteAndEncrypt(file: string, vars: Record<string, string>, cfg: SopsConfig, repoRoot: string): void;
+export declare function updateFluxKustomization(repoRoot: string, secretName: string): void;

package/dist/core/encryption.js

@@ -0,0 +1,209 @@
+import { readFileSync, writeFileSync, readdirSync, existsSync, mkdirSync, copyFileSync, chmodSync, } from "node:fs";
+import { join, basename, relative } from "node:path";
+import { exec, execSafe } from "../utils/shell.js";
+import { log } from "../utils/log.js";
+// ---------------------------------------------------------------------------
+// File discovery
+// ---------------------------------------------------------------------------
+function* walkYaml(dir) {
+    for (const entry of readdirSync(dir, { withFileTypes: true })) {
+        const full = join(dir, entry.name);
+        if (entry.isDirectory()) {
+            if (entry.name === "node_modules" || entry.name === ".git")
+                continue;
+            yield* walkYaml(full);
+        }
+        else if (entry.name.endsWith(".yaml") || entry.name.endsWith(".yml")) {
+            yield full;
+        }
+    }
+}
+export function findSecretFiles(searchDir) {
+    const results = [];
+    for (const file of walkYaml(searchDir)) {
+        if (basename(file).startsWith("_"))
+            continue;
+        const content = readFileSync(file, "utf-8");
+        if (/^\s*kind:\s*Secret\s*$/m.test(content)) {
+            results.push(file);
+        }
+    }
+    return results.sort();
+}
+export function isEncrypted(file) {
+    const content = readFileSync(file, "utf-8");
+    return content.includes("sops:") && content.includes("encrypted_regex");
+}
+function hasEnvsubstVars(file) {
+    const content = readFileSync(file, "utf-8");
+    return /\$\{[A-Za-z_]+\}/.test(content);
+}
+// ---------------------------------------------------------------------------
+// Age key management
+// ---------------------------------------------------------------------------
+export function generateAgeKey(cfg) {
+    mkdirSync(cfg.keyDir, { recursive: true, mode: 0o700 });
+    exec(`age-keygen -o "${cfg.keyFile}" 2>&1`);
+    chmodSync(cfg.keyFile, 0o600);
+    return getAgePublicKey(cfg);
+}
+export function getAgePublicKey(cfg) {
+    const content = readFileSync(cfg.keyFile, "utf-8");
+    const match = content.match(/public key:\s*(\S+)/);
+    if (!match)
+        throw new Error("Could not extract public key from age key file");
+    return match[1];
+}
+export function ageKeyExists(cfg) {
+    return existsSync(cfg.keyFile);
+}
+export function backupAgeKey(cfg) {
+    mkdirSync(cfg.backupDir, { recursive: true, mode: 0o700 });
+    const backupPath = join(cfg.backupDir, `age.agekey.${Date.now()}.bak`);
+    copyFileSync(cfg.keyFile, backupPath);
+    log.warn(`Old key backed up to ${cfg.backupDir}/`);
+}
+// ---------------------------------------------------------------------------
+// SOPS config
+// ---------------------------------------------------------------------------
+export function createSopsConfig(publicKey, cfg) {
+    const content = `creation_rules:
+  # Encrypt only data and stringData fields in Kubernetes Secrets
+  - path_regex: .*(secret|Secret).*\\.yaml$
+    encrypted_regex: ^(data|stringData)$
+    age: ${publicKey}
+`;
+    writeFileSync(cfg.configFile, content);
+    log.success(`Created ${cfg.configFile}`);
+}
+// ---------------------------------------------------------------------------
+// Encrypt / decrypt
+// ---------------------------------------------------------------------------
+export async function encryptFile(file, cfg, repoRoot) {
+    const relpath = relative(repoRoot, file);
+    if (isEncrypted(file)) {
+        log.warn(`${relpath} is already encrypted`);
+        return false;
+    }
+    const cmd = `SOPS_AGE_KEY_FILE="${cfg.keyFile}" sops --encrypt --in-place --config "${cfg.configFile}" "${file}"`;
+    const { exitCode, stderr } = execSafe(cmd);
+    if (exitCode === 0) {
+        log.success(`Encrypted: ${relpath}`);
+        return true;
+    }
+    log.error(`Failed to encrypt: ${relpath}`);
+    if (stderr)
+        log.error(stderr);
+    return false;
+}
+export async function decryptFile(file, cfg, repoRoot) {
+    const relpath = relative(repoRoot, file);
+    if (!isEncrypted(file)) {
+        log.warn(`${relpath} is not SOPS-encrypted`);
+        return false;
+    }
+    const cmd = `SOPS_AGE_KEY_FILE="${cfg.keyFile}" sops --decrypt --in-place --config "${cfg.configFile}" "${file}"`;
+    const { exitCode, stderr } = execSafe(cmd);
+    if (exitCode === 0) {
+        log.success(`Decrypted: ${relpath}`);
+        log.warn("Remember to re-encrypt before committing!");
+        return true;
+    }
+    log.error(`Failed to decrypt: ${relpath}`);
+    if (stderr)
+        log.error(stderr);
+    return false;
+}
+export function editFile(file, cfg) {
+    exec(`SOPS_AGE_KEY_FILE="${cfg.keyFile}" EDITOR="${process.env.EDITOR ?? "vim"}" sops --config "${cfg.configFile}" "${file}"`);
+}
+// ---------------------------------------------------------------------------
+// Batch operations
+// ---------------------------------------------------------------------------
+export async function encryptAll(cfg, repoRoot) {
+    const files = findSecretFiles(repoRoot);
+    let encrypted = 0;
+    let skipped = 0;
+    for (const file of files) {
+        const relpath = relative(repoRoot, file);
+        if (isEncrypted(file)) {
+            log.info(`  [skip] ${relpath} (already encrypted)`);
+            skipped++;
+            continue;
+        }
+        if (hasEnvsubstVars(file)) {
+            log.warn(`  [skip] ${relpath} (contains envsubst variables)`);
+            skipped++;
+            continue;
+        }
+        const ok = await encryptFile(file, cfg, repoRoot);
+        if (ok)
+            encrypted++;
+        else
+            skipped++;
+    }
+    return { encrypted, skipped, total: files.length };
+}
+export async function decryptAll(cfg, repoRoot) {
+    const files = findSecretFiles(repoRoot);
+    const decrypted = [];
+    for (const file of files) {
+        if (isEncrypted(file)) {
+            const ok = await decryptFile(file, cfg, repoRoot);
+            if (ok)
+                decrypted.push(file);
+        }
+    }
+    return decrypted;
+}
+export function getSecretStatus(repoRoot) {
+    return findSecretFiles(repoRoot).map((file) => {
+        const relpath = relative(repoRoot, file);
+        let status;
+        if (isEncrypted(file)) {
+            status = "encrypted";
+        }
+        else if (hasEnvsubstVars(file)) {
+            status = "template";
+        }
+        else {
+            status = "plaintext";
+        }
+        return { path: file, relpath, status };
+    });
+}
+// ---------------------------------------------------------------------------
+// Template substitution for secrets
+// ---------------------------------------------------------------------------
+export function substituteAndEncrypt(file, vars, cfg, repoRoot) {
+    let content = readFileSync(file, "utf-8");
+    content = content
+        .split("\n")
+        .filter((line) => !line.includes("# This secret is created by the bootstrap script") &&
+        !line.includes("# This is just a template"))
+        .join("\n");
+    for (const [key, value] of Object.entries(vars)) {
+        content = content.replaceAll(`\${${key}}`, value);
+    }
+    writeFileSync(file, content);
+    encryptFile(file, cfg, repoRoot);
+}
+// ---------------------------------------------------------------------------
+// Flux Kustomization patching
+// ---------------------------------------------------------------------------
+export function updateFluxKustomization(repoRoot, secretName) {
+    const syncFile = `${repoRoot}/clusters/_default-template/cluster-sync.yaml`;
+    if (!existsSync(syncFile)) {
+        log.warn("No cluster-sync.yaml template found — skipping auto-patch.");
+        return;
+    }
+    const content = readFileSync(syncFile, "utf-8");
+    if (content.includes("decryption:")) {
+        log.success("Decryption already configured in cluster-sync.yaml");
+        return;
+    }
+    const patched = content.replace(/^(\s*prune:)/m, `  decryption:\n    provider: sops\n    secretRef:\n      name: ${secretName}\n$1`);
+    writeFileSync(syncFile, patched);
+    log.success("Added decryption config to cluster-sync.yaml");
+}
+//# sourceMappingURL=encryption.js.map

package/dist/core/encryption.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../src/core/encryption.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,aAAa,EACb,WAAW,EAEX,UAAU,EACV,SAAS,EACT,YAAY,EACZ,SAAS,GACV,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACrD,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAa,MAAM,mBAAmB,CAAC;AAC9D,OAAO,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAC;AAGtC,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E,QAAQ,CAAC,CAAC,QAAQ,CAAC,GAAW;IAC5B,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAC9D,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc,IAAI,KAAK,CAAC,IAAI,KAAK,MAAM;gBAAE,SAAS;YACrE,KAAK,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;QACxB,CAAC;aAAM,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACvE,MAAM,IAAI,CAAC;QACb,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,SAAiB;IAC/C,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACvC,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAC7C,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC5C,IAAI,yBAAyB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC;AACxB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC5C,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;AAC1E,CAAC;AAED,SAAS,eAAe,CAAC,IAAY;IACnC,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC5C,OAAO,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAC1C,CAAC;AAED,8EAA8E;AAC9E,qBAAqB;AACrB,8EAA8E;AAE9E,MAAM,UAAU,cAAc,CAAC,GAAe;IAC5C,SAAS,CAAC,GAAG,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACxD,IAAI,CAAC,kBAAkB,GAAG,CAAC,OAAO,QAAQ,CAAC,CAAC;IAC5C,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC9B,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,GAAe;IAC7C,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IACnD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACnD,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IAC9E,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,GAAe;IAC1C,OAAO,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,GAAe;IAC1C,SAAS,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC3D,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,cAAc,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACvE,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IACtC,GAAG,CAAC,IAAI,CAAC,wBAAwB,GAAG,CAAC,SAAS,GAAG,CAAC,CAAC;AACrD,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,MAAM,UAAU,gBAAgB,CAAC,SAAiB,EAAE,GAAe;IACjE,MAAM,OAAO,GAAG;;;;WAIP,SAAS;CACnB,CAAC;IACA,aAAa,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACvC,GAAG,CAAC,OAAO,CAAC,WAAW,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC;AAC3C,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAY,EACZ,GAAe,EACf,QAAgB;IAEhB,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACzC,IAAI,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;QACtB,GAAG,CAAC,IAAI,CAAC,GAAG,OAAO,uBAAuB,CAAC,CAAC;QAC5C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,GAAG,GAAG,sBAAsB,GAAG,CAAC,OAAO,yCAAyC,GAAG,CAAC,UAAU,MAAM,IAAI,GAAG,CAAC;IAClH,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;QACnB,GAAG,CAAC,OAAO,CAAC,cAAc,OAAO,EAAE,CAAC,CAAC;QACrC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,GAAG,CAAC,KAAK,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;IAC3C,IAAI,MAAM;QAAE,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,IAAY,EACZ,GAAe,EACf,QAAgB;IAEhB,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACzC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;QACvB,GAAG,CAAC,IAAI,CAAC,GAAG,OAAO,wBAAwB,CAAC,CAAC;QAC7C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,GAAG,GAAG,sBAAsB,GAAG,CAAC,OAAO,yCAAyC,GAAG,CAAC,UAAU,MAAM,IAAI,GAAG,CAAC;IAClH,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;QACnB,GAAG,CAAC,OAAO,CAAC,cAAc,OAAO,EAAE,CAAC,CAAC;QACrC,GAAG,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;QACtD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,GAAG,CAAC,KAAK,CAAC,sBAAsB,OAAO,EAAE,CAAC,CAAC;IAC3C,IAAI,MAAM;QAAE,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,IAAY,EAAE,GAAe;IACpD,IAAI,CACF,sBAAsB,GAAG,CAAC,OAAO,aAAa,OAAO,CAAC,GAAG,CAAC,MAAM,IAAI,KAAK,oBAAoB,GAAG,CAAC,UAAU,MAAM,IAAI,GAAG,CACzH,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,GAAe,EACf,QAAgB;IAEhB,MAAM,KAAK,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IACxC,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QAEzC,IAAI,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;YACtB,GAAG,CAAC,IAAI,CAAC,YAAY,OAAO,sBAAsB,CAAC,CAAC;YACpD,OAAO,EAAE,CAAC;YACV,SAAS;QACX,CAAC;QAED,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1B,GAAG,CAAC,IAAI,CAAC,YAAY,OAAO,gCAAgC,CAAC,CAAC;YAC9D,OAAO,EAAE,CAAC;YACV,SAAS;QACX,CAAC;QAED,MAAM,EAAE,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;QAClD,IAAI,EAAE;YAAE,SAAS,EAAE,CAAC;;YACf,OAAO,EAAE,CAAC;IACjB,CAAC;IAED,OAAO,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;AACrD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,GAAe,EACf,QAAgB;IAEhB,MAAM,KAAK,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,SAAS,GAAa,EAAE,CAAC;IAE/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;YACtB,MAAM,EAAE,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;YAClD,IAAI,EAAE;gBAAE,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAYD,MAAM,UAAU,eAAe,CAAC,QAAgB;IAC9C,OAAO,eAAe,CAAC,QAAQ,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE;QAC5C,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACzC,IAAI,MAAkC,CAAC;QAEvC,IAAI,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC;YACtB,MAAM,GAAG,WAAW,CAAC;QACvB,CAAC;aAAM,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,MAAM,GAAG,UAAU,CAAC;QACtB,CAAC;aAAM,CAAC;YACN,MAAM,GAAG,WAAW,CAAC;QACvB,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,oCAAoC;AACpC,8EAA8E;AAE9E,MAAM,UAAU,oBAAoB,CAClC,IAAY,EACZ,IAA4B,EAC5B,GAAe,EACf,QAAgB;IAEhB,IAAI,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAE1C,OAAO,GAAG,OAAO;SACd,KAAK,CAAC,IAAI,CAAC;SACX,MAAM,CACL,CAAC,IAAY,EAAE,EAAE,CACf,CAAC,IAAI,CAAC,QAAQ,CAAC,kDAAkD,CAAC;QAClE,CAAC,IAAI,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CAC9C;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;IACpD,CAAC;IAED,aAAa,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAC7B,WAAW,CAAC,IAAI,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;AACnC,CAAC;AAED,8EAA8E;AAC9E,8BAA8B;AAC9B,8EAA8E;AAE9E,MAAM,UAAU,uBAAuB,CACrC,QAAgB,EAChB,UAAkB;IAElB,MAAM,QAAQ,GAAG,GAAG,QAAQ,+CAA+C,CAAC;IAC5E,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,GAAG,CAAC,IAAI,CAAC,4DAA4D,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAChD,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACpC,GAAG,CAAC,OAAO,CAAC,oDAAoD,CAAC,CAAC;QAClE,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAC7B,eAAe,EACf,kEAAkE,UAAU,MAAM,CACnF,CAAC;IACF,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IACjC,GAAG,CAAC,OAAO,CAAC,8CAA8C,CAAC,CAAC;AAC9D,CAAC"}

package/dist/core/flux.d.ts

@@ -0,0 +1,6 @@
+import type { BootstrapConfig } from "../schemas.js";
+export declare function installOperator(): Promise<void>;
+export declare function installInstance(config: BootstrapConfig, repoRoot: string): Promise<void>;
+export declare function waitForInstance(): Promise<void>;
+export declare function reconcile(): Promise<void>;
+export declare function getStatus(): string;

package/dist/core/flux.js

@@ -0,0 +1,60 @@
+import { readFileSync, writeFileSync, unlinkSync } from "node:fs";
+import { exec, execAsync } from "../utils/shell.js";
+import { log, withSpinner } from "../utils/log.js";
+export async function installOperator() {
+    const cmd = [
+        "helm install flux-operator",
+        "oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator",
+        "--namespace flux-system",
+        "--create-namespace",
+        "--set web.enabled=false",
+        "--wait",
+    ].join(" ");
+    log.detail(cmd);
+    await withSpinner("Installing Flux Operator via Helm", () => execAsync(cmd));
+}
+export async function installInstance(config, repoRoot) {
+    const templatePath = `${repoRoot}/flux-instance-values.yaml`;
+    const tmpPath = "/tmp/flux-instance-values.yaml";
+    let content = readFileSync(templatePath, "utf-8");
+    content = envsubst(content, {
+        FLUX_GITLAB_REPO_OWNER: config.repoOwner,
+        FLUX_GITLAB_REPO_NAME: config.repoName,
+        FLUX_GITLAB_REPO_BRANCH: config.repoBranch,
+        CLUSTER_NAME: config.clusterName,
+    });
+    writeFileSync(tmpPath, content);
+    const cmd = [
+        "helm install flux",
+        "oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance",
+        "--namespace flux-system",
+        `--values ${tmpPath}`,
+        "--wait",
+    ].join(" ");
+    log.detail(cmd);
+    await withSpinner("Installing Flux Instance via Helm", () => execAsync(cmd));
+    unlinkSync(tmpPath);
+}
+export async function waitForInstance() {
+    await withSpinner("Waiting for FluxInstance to be ready", () => execAsync("kubectl -n flux-system wait fluxinstance/flux --for=condition=Ready --timeout=5m"));
+}
+export async function reconcile() {
+    await withSpinner("Reconciling Flux", async () => {
+        const ts = Math.floor(Date.now() / 1000);
+        await execAsync(`kubectl -n flux-system annotate --overwrite fluxinstance/flux reconcile.fluxcd.io/requestedAt="${ts}"`);
+        log.detail("Waiting for FluxInstance condition=Ready...");
+        await execAsync("kubectl -n flux-system wait fluxinstance/flux --for=condition=Ready --timeout=5m");
+    });
+}
+export function getStatus() {
+    try {
+        return exec("flux-operator -n flux-system get instance flux");
+    }
+    catch {
+        return "(unable to retrieve status)";
+    }
+}
+function envsubst(content, vars) {
+    return Object.entries(vars).reduce((acc, [key, value]) => acc.replaceAll(`\${${key}}`, value), content);
+}
+//# sourceMappingURL=flux.js.map

package/dist/core/flux.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"flux.js","sourceRoot":"","sources":["../../src/core/flux.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAClE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAGnD,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,GAAG,GAAG;QACV,4BAA4B;QAC5B,0DAA0D;QAC1D,yBAAyB;QACzB,oBAAoB;QACpB,yBAAyB;QACzB,QAAQ;KACT,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChB,MAAM,WAAW,CAAC,mCAAmC,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,MAAuB,EACvB,QAAgB;IAEhB,MAAM,YAAY,GAAG,GAAG,QAAQ,4BAA4B,CAAC;IAC7D,MAAM,OAAO,GAAG,gCAAgC,CAAC;IAEjD,IAAI,OAAO,GAAG,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;IAClD,OAAO,GAAG,QAAQ,CAAC,OAAO,EAAE;QAC1B,sBAAsB,EAAE,MAAM,CAAC,SAAS;QACxC,qBAAqB,EAAE,MAAM,CAAC,QAAQ;QACtC,uBAAuB,EAAE,MAAM,CAAC,UAAU;QAC1C,YAAY,EAAE,MAAM,CAAC,WAAW;KACjC,CAAC,CAAC;IACH,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAEhC,MAAM,GAAG,GAAG;QACV,mBAAmB;QACnB,0DAA0D;QAC1D,yBAAyB;QACzB,YAAY,OAAO,EAAE;QACrB,QAAQ;KACT,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAChB,MAAM,WAAW,CAAC,mCAAmC,EAAE,GAAG,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;IAE7E,UAAU,CAAC,OAAO,CAAC,CAAC;AACtB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,WAAW,CAAC,sCAAsC,EAAE,GAAG,EAAE,CAC7D,SAAS,CACP,kFAAkF,CACnF,CACF,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS;IAC7B,MAAM,WAAW,CAAC,kBAAkB,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QACzC,MAAM,SAAS,CACb,kGAAkG,EAAE,GAAG,CACxG,CAAC;QACF,GAAG,CAAC,MAAM,CAAC,6CAA6C,CAAC,CAAC;QAC1D,MAAM,SAAS,CACb,kFAAkF,CACnF,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,SAAS;IACvB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,gDAAgD,CAAC,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,6BAA6B,CAAC;IACvC,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CACf,OAAe,EACf,IAA4B;IAE5B,OAAO,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,CAChC,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,EAAE,KAAK,CAAC,EAC1D,OAAO,CACR,CAAC;AACJ,CAAC"}

package/dist/core/gitlab.d.ts

@@ -0,0 +1,10 @@
+export declare function authenticate(pat: string, host: string): Promise<string>;
+export declare function resolveNamespaceId(namespace: string, host: string): Promise<string>;
+export interface ProjectInfo {
+    id: string;
+    httpUrl: string;
+    pathWithNamespace: string;
+}
+export declare function getProject(namespace: string, name: string, host: string): Promise<ProjectInfo | null>;
+export declare function createProject(name: string, namespaceId: string, host: string): Promise<ProjectInfo>;
+export declare function configureGitCredentials(pat: string, cwd: string): void;

package/dist/core/gitlab.js

@@ -0,0 +1,65 @@
+import { exec, execAsync, execSafe } from "../utils/shell.js";
+import { log } from "../utils/log.js";
+export async function authenticate(pat, host) {
+    await execAsync(`echo "${pat}" | glab auth login --hostname "${host}" --stdin`);
+    const username = await execAsync(`glab api "user" --hostname "${host}" | jq -r '.username'`);
+    log.success(`Authenticated as: ${username}`);
+    return username;
+}
+export async function resolveNamespaceId(namespace, host) {
+    const result = execSafe(`glab api --hostname "${host}" "namespaces/${namespace}" 2>/dev/null | jq -r '.id'`);
+    if (result.exitCode !== 0 || !result.stdout || result.stdout === "null") {
+        throw new Error(`Namespace '${namespace}' not found. Check the group or username.`);
+    }
+    log.success(`Namespace ID: ${result.stdout}`);
+    return result.stdout;
+}
+export async function getProject(namespace, name, host) {
+    const encoded = `${namespace}/${name}`.replace(/\//g, "%2F");
+    const { stdout, exitCode } = execSafe(`glab api --hostname "${host}" "projects/${encoded}" 2>/dev/null`);
+    if (exitCode !== 0 || !stdout)
+        return null;
+    try {
+        const data = JSON.parse(stdout);
+        if (!data.id)
+            return null;
+        return {
+            id: String(data.id),
+            httpUrl: data.http_url_to_repo,
+            pathWithNamespace: data.path_with_namespace,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+export async function createProject(name, namespaceId, host) {
+    const result = await execAsync([
+        "glab api --method POST",
+        `--hostname "${host}"`,
+        '"projects"',
+        `-f "name=${name}"`,
+        `-f "path=${name}"`,
+        `-f "namespace_id=${namespaceId}"`,
+        '-f "visibility=private"',
+        '-f "initialize_with_readme=false"',
+    ].join(" "));
+    const data = JSON.parse(result);
+    return {
+        id: String(data.id),
+        httpUrl: data.http_url_to_repo,
+        pathWithNamespace: data.path_with_namespace,
+    };
+}
+export function configureGitCredentials(pat, cwd) {
+    const { exitCode, stdout } = execSafe("git remote get-url origin 2>/dev/null");
+    let host = "gitlab.com";
+    if (exitCode === 0 && stdout) {
+        const match = stdout.match(/https:\/\/([^/]+)\//);
+        if (match)
+            host = match[1];
+    }
+    exec(`git config --local --replace-all credential.helper '!f() { echo "username=oauth2"; echo "password=${pat}"; }; f'`, { cwd });
+    log.success(`git credentials configured for ${host}`);
+}
+//# sourceMappingURL=gitlab.js.map

package/dist/core/gitlab.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gitlab.js","sourceRoot":"","sources":["../../src/core/gitlab.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,EAAE,GAAG,EAAe,MAAM,iBAAiB,CAAC;AAEnD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,IAAY;IAEZ,MAAM,SAAS,CACb,SAAS,GAAG,mCAAmC,IAAI,WAAW,CAC/D,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,SAAS,CAC9B,+BAA+B,IAAI,uBAAuB,CAC3D,CAAC;IACF,GAAG,CAAC,OAAO,CAAC,qBAAqB,QAAQ,EAAE,CAAC,CAAC;IAC7C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,SAAiB,EACjB,IAAY;IAEZ,MAAM,MAAM,GAAG,QAAQ,CACrB,wBAAwB,IAAI,iBAAiB,SAAS,6BAA6B,CACpF,CAAC;IACF,IAAI,MAAM,CAAC,QAAQ,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QACxE,MAAM,IAAI,KAAK,CACb,cAAc,SAAS,2CAA2C,CACnE,CAAC;IACJ,CAAC;IACD,GAAG,CAAC,OAAO,CAAC,iBAAiB,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAC9C,OAAO,MAAM,CAAC,MAAM,CAAC;AACvB,CAAC;AAQD,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,SAAiB,EACjB,IAAY,EACZ,IAAY;IAEZ,MAAM,OAAO,GAAG,GAAG,SAAS,IAAI,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IAC7D,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,QAAQ,CACnC,wBAAwB,IAAI,eAAe,OAAO,eAAe,CAClE,CAAC;IACF,IAAI,QAAQ,KAAK,CAAC,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAE3C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC;QAC1B,OAAO;YACL,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;YACnB,OAAO,EAAE,IAAI,CAAC,gBAAgB;YAC9B,iBAAiB,EAAE,IAAI,CAAC,mBAAmB;SAC5C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAAY,EACZ,WAAmB,EACnB,IAAY;IAEZ,MAAM,MAAM,GAAG,MAAM,SAAS,CAC5B;QACE,wBAAwB;QACxB,eAAe,IAAI,GAAG;QACtB,YAAY;QACZ,YAAY,IAAI,GAAG;QACnB,YAAY,IAAI,GAAG;QACnB,oBAAoB,WAAW,GAAG;QAClC,yBAAyB;QACzB,mCAAmC;KACpC,CAAC,IAAI,CAAC,GAAG,CAAC,CACZ,CAAC;IAEF,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAChC,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QACnB,OAAO,EAAE,IAAI,CAAC,gBAAgB;QAC9B,iBAAiB,EAAE,IAAI,CAAC,mBAAmB;KAC5C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB,CACrC,GAAW,EACX,GAAW;IAEX,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,QAAQ,CACnC,uCAAuC,CACxC,CAAC;IACF,IAAI,IAAI,GAAG,YAAY,CAAC;IACxB,IAAI,QAAQ,KAAK,CAAC,IAAI,MAAM,EAAE,CAAC;QAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAClD,IAAI,KAAK;YAAE,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,IAAI,CACF,qGAAqG,GAAG,UAAU,EAClH,EAAE,GAAG,EAAE,CACR,CAAC;IACF,GAAG,CAAC,OAAO,CAAC,kCAAkC,IAAI,EAAE,CAAC,CAAC;AACxD,CAAC"}

package/dist/core/kubernetes.d.ts

@@ -0,0 +1,10 @@
+export declare function isClusterReachable(): boolean;
+export declare function createK3dCluster(clusterName: string): Promise<void>;
+export declare function installK3s(): Promise<void>;
+export declare function setupKubeconfig(clusterName: string): string;
+export declare function waitForCluster(): Promise<void>;
+export declare function createNamespace(name: string): Promise<void>;
+export declare function createSecret(name: string, namespace: string, data: Record<string, string>): Promise<void>;
+export declare function secretExists(name: string, namespace: string): boolean;
+export declare function deleteSecret(name: string, namespace: string): Promise<void>;
+export declare function createSecretFromFile(name: string, namespace: string, key: string, filePath: string): Promise<void>;

package/dist/core/kubernetes.js

@@ -0,0 +1,81 @@
+import { mkdirSync, writeFileSync } from "node:fs";
+import { exec, execAsync, execSafe } from "../utils/shell.js";
+import { isMacOS, isCI } from "../utils/platform.js";
+import { log, withSpinner } from "../utils/log.js";
+import { KUBERNETES_VERSION } from "../schemas.js";
+export function isClusterReachable() {
+    const { exitCode } = execSafe("kubectl cluster-info 2>/dev/null");
+    return exitCode === 0;
+}
+export async function createK3dCluster(clusterName) {
+    const { stdout } = execSafe("k3d cluster list 2>/dev/null");
+    if (stdout.includes(clusterName)) {
+        log.success(`k3d cluster '${clusterName}' already exists`);
+        return;
+    }
+    const cmd = [
+        "k3d cluster create",
+        clusterName,
+        `--image "rancher/k3s:v${KUBERNETES_VERSION}-k3s1"`,
+        '--k3s-arg "--disable=traefik@server:0"',
+        '--port "80:80@loadbalancer"',
+        '--port "443:443@loadbalancer"',
+        "--wait",
+    ].join(" ");
+    log.detail(cmd);
+    await withSpinner(`Creating k3d cluster '${clusterName}'`, () => execAsync(cmd));
+}
+export async function installK3s() {
+    const { exitCode } = execSafe("command -v k3s");
+    if (exitCode === 0) {
+        log.success("k3s already installed");
+        return;
+    }
+    await withSpinner("Installing k3s", () => execAsync(`curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION="v${KUBERNETES_VERSION}+k3s1" INSTALL_K3S_EXEC="server --disable=traefik --write-kubeconfig-mode=644" sh -`));
+}
+export function setupKubeconfig(clusterName) {
+    mkdirSync(`${process.env.HOME}/.kube`, { recursive: true });
+    if (isMacOS() || isCI()) {
+        const kubeconfigPath = `${process.env.HOME}/.kube/k3d-${clusterName}`;
+        const kubeconfig = exec(`k3d kubeconfig get ${clusterName}`);
+        writeFileSync(kubeconfigPath, kubeconfig, { mode: 0o600 });
+        process.env.KUBECONFIG = kubeconfigPath;
+        return kubeconfigPath;
+    }
+    exec("sudo cp /etc/rancher/k3s/k3s.yaml $HOME/.kube/config");
+    exec('sudo chown "$(id -u):$(id -g)" $HOME/.kube/config');
+    exec("chmod 600 $HOME/.kube/config");
+    const kubeconfigPath = `${process.env.HOME}/.kube/config`;
+    process.env.KUBECONFIG = kubeconfigPath;
+    return kubeconfigPath;
+}
+export async function waitForCluster() {
+    await withSpinner("Waiting for cluster to be ready", async () => {
+        await new Promise((r) => setTimeout(r, 5000));
+        await execAsync("kubectl wait --for=condition=Ready node --all --timeout=120s");
+    });
+}
+export async function createNamespace(name) {
+    await execAsync(`kubectl create namespace ${name} --dry-run=client -o yaml | kubectl apply -f -`);
+}
+export async function createSecret(name, namespace, data) {
+    const literals = Object.entries(data)
+        .map(([k, v]) => `--from-literal=${k}='${v}'`)
+        .join(" ");
+    const cmd = `kubectl create secret generic ${name} --namespace=${namespace} ${literals}`;
+    log.detail(`kubectl create secret generic ${name} --namespace=${namespace}`);
+    await execAsync(cmd);
+}
+export function secretExists(name, namespace) {
+    const { exitCode } = execSafe(`kubectl get secret ${name} -n ${namespace} 2>/dev/null`);
+    return exitCode === 0;
+}
+export async function deleteSecret(name, namespace) {
+    await execAsync(`kubectl delete secret ${name} -n ${namespace}`);
+}
+export async function createSecretFromFile(name, namespace, key, filePath) {
+    const cmd = `kubectl create secret generic ${name} --namespace=${namespace} --from-file=${key}="${filePath}"`;
+    log.detail(`kubectl create secret generic ${name} --namespace=${namespace} --from-file=${key}`);
+    await execAsync(cmd);
+}
+//# sourceMappingURL=kubernetes.js.map