iec-builder 0.1.0

package/dist/services/cloudflare.js

@@ -0,0 +1,182 @@
+import { env } from '../config/env.js';
+import { logger } from '../utils/logger.js';
+const CLOUDFLARE_API_BASE = 'https://api.cloudflare.com/client/v4';
+async function cloudflareRequest(options) {
+    const { method, path, body, queryParams } = options;
+    if (!env.CLOUDFLARE_API_TOKEN) {
+        throw new Error('CLOUDFLARE_API_TOKEN is not configured');
+    }
+    let url = `${CLOUDFLARE_API_BASE}${path}`;
+    if (queryParams) {
+        const params = new URLSearchParams(queryParams);
+        url += `?${params.toString()}`;
+    }
+    const response = await fetch(url, {
+        method,
+        headers: {
+            'Authorization': `Bearer ${env.CLOUDFLARE_API_TOKEN}`,
+            'Content-Type': 'application/json',
+        },
+        body: body ? JSON.stringify(body) : undefined,
+    });
+    const data = await response.json();
+    if (!data.success) {
+        const errorMessages = data.errors.map(e => `${e.code}: ${e.message}`).join(', ');
+        throw new Error(`Cloudflare API error: ${errorMessages}`);
+    }
+    return data.result;
+}
+/**
+ * Look up the Cloudflare zone ID for a given domain.
+ * Extracts the root domain (e.g. "moonshotfoundry.com" from "www.moonshotfoundry.com")
+ * and queries the Cloudflare API to find the matching zone.
+ */
+export async function getZoneIdForDomain(domain) {
+    // Walk up the domain labels to find the zone (handles subdomains)
+    const parts = domain.split('.');
+    for (let i = 0; i < parts.length - 1; i++) {
+        const candidate = parts.slice(i).join('.');
+        const zones = await cloudflareRequest({
+            method: 'GET',
+            path: '/zones',
+            queryParams: { name: candidate },
+        });
+        if (zones.length > 0) {
+            logger.debug({ domain, zone: zones[0].name, zoneId: zones[0].id }, 'Resolved zone for domain');
+            return zones[0].id;
+        }
+    }
+    throw new Error(`No Cloudflare zone found for domain '${domain}'. Is it added to this Cloudflare account?`);
+}
+/**
+ * Get a DNS record by name and type
+ */
+export async function getDnsRecord(name, type = 'CNAME', zoneId = env.CLOUDFLARE_ZONE_ID) {
+    logger.debug({ name, type, zoneId }, 'Looking up DNS record');
+    const response = await fetch(`${CLOUDFLARE_API_BASE}/zones/${zoneId}/dns_records?name=${encodeURIComponent(name)}&type=${type}`, {
+        method: 'GET',
+        headers: {
+            'Authorization': `Bearer ${env.CLOUDFLARE_API_TOKEN}`,
+            'Content-Type': 'application/json',
+        },
+    });
+    const data = await response.json();
+    if (!data.success) {
+        const errorMessages = data.errors.map(e => `${e.code}: ${e.message}`).join(', ');
+        throw new Error(`Cloudflare API error: ${errorMessages}`);
+    }
+    if (data.result.length === 0) {
+        return null;
+    }
+    return data.result[0];
+}
+/**
+ * Create a new DNS record
+ */
+export async function createDnsRecord(input, zoneId = env.CLOUDFLARE_ZONE_ID) {
+    logger.info({ input, zoneId }, 'Creating DNS record');
+    const record = await cloudflareRequest({
+        method: 'POST',
+        path: `/zones/${zoneId}/dns_records`,
+        body: {
+            type: input.type,
+            name: input.name,
+            content: input.content,
+            ttl: input.ttl ?? 1, // 1 = auto
+            proxied: input.proxied ?? true,
+        },
+    });
+    logger.info({ recordId: record.id, name: record.name }, 'DNS record created');
+    return record;
+}
+/**
+ * Update an existing DNS record
+ */
+export async function updateDnsRecord(recordId, input, zoneId = env.CLOUDFLARE_ZONE_ID) {
+    logger.info({ recordId, input, zoneId }, 'Updating DNS record');
+    const record = await cloudflareRequest({
+        method: 'PUT',
+        path: `/zones/${zoneId}/dns_records/${recordId}`,
+        body: {
+            type: input.type,
+            name: input.name,
+            content: input.content,
+            ttl: input.ttl ?? 1,
+            proxied: input.proxied ?? true,
+        },
+    });
+    logger.info({ recordId: record.id, name: record.name }, 'DNS record updated');
+    return record;
+}
+/**
+ * Delete a DNS record
+ */
+export async function deleteDnsRecord(recordId, zoneId = env.CLOUDFLARE_ZONE_ID) {
+    logger.info({ recordId, zoneId }, 'Deleting DNS record');
+    await cloudflareRequest({
+        method: 'DELETE',
+        path: `/zones/${zoneId}/dns_records/${recordId}`,
+    });
+    logger.info({ recordId }, 'DNS record deleted');
+}
+/**
+ * Create or update a DNS record (upsert)
+ * If the record exists, it will be updated; otherwise, a new record will be created
+ */
+export async function createOrUpdateDnsRecord(input, zoneId = env.CLOUDFLARE_ZONE_ID) {
+    const existingRecord = await getDnsRecord(input.name, input.type, zoneId);
+    if (existingRecord) {
+        logger.info({ existingRecordId: existingRecord.id, name: input.name }, 'DNS record exists, updating');
+        return updateDnsRecord(existingRecord.id, input, zoneId);
+    }
+    return createDnsRecord(input, zoneId);
+}
+/**
+ * Build the DNS hostname for a service based on environment
+ * Pattern: {subdomain}.tawa.insureco.io for prod
+ *          {subdomain}.{env}.tawa.insureco.io for sandbox/uat
+ *
+ * Total TLS on Cloudflare auto-provisions individual certs for each
+ * proxied hostname, including nested subdomains.
+ */
+export function buildDnsHostname(serviceName, environment) {
+    const subdomain = serviceName.toLowerCase().replace(/[^a-z0-9-]/g, '-');
+    if (environment === 'prod' || environment === 'production') {
+        return `${subdomain}.tawa.insureco.io`;
+    }
+    const envSuffix = environment.toLowerCase().replace(/[^a-z0-9-]/g, '-');
+    return `${subdomain}.${envSuffix}.tawa.insureco.io`;
+}
+/**
+ * Configure DNS for a deployed service
+ * Creates/updates a CNAME record pointing to the ingress target
+ */
+export async function configureDnsForService(serviceName, environment, ingressTarget = env.INGRESS_TARGET) {
+    if (!env.CLOUDFLARE_API_TOKEN) {
+        logger.warn('CLOUDFLARE_API_TOKEN not configured, skipping DNS configuration');
+        return null;
+    }
+    if (!ingressTarget) {
+        logger.warn('INGRESS_TARGET not configured, skipping DNS configuration');
+        return null;
+    }
+    const hostname = buildDnsHostname(serviceName, environment);
+    // Determine record type based on target (IP = A record, hostname = CNAME)
+    const isIpAddress = /^(\d{1,3}\.){3}\d{1,3}$/.test(ingressTarget);
+    const recordType = isIpAddress ? 'A' : 'CNAME';
+    logger.info({ hostname, target: ingressTarget, recordType }, 'Configuring DNS for service');
+    const record = await createOrUpdateDnsRecord({
+        type: recordType,
+        name: hostname,
+        content: ingressTarget,
+        proxied: true, // Total TLS auto-provisions certs for proxied records
+        ttl: 1, // auto
+    });
+    logger.info({
+        hostname: record.name,
+        target: record.content,
+        recordId: record.id,
+    }, 'DNS configured for service');
+    return record;
+}
+//# sourceMappingURL=cloudflare.js.map

package/dist/services/cloudflare.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cloudflare.js","sourceRoot":"","sources":["../../src/services/cloudflare.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAA;AACtC,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAA;AAS3C,MAAM,mBAAmB,GAAG,sCAAsC,CAAA;AASlE,KAAK,UAAU,iBAAiB,CAAI,OAAiC;IACnE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,OAAO,CAAA;IAEnD,IAAI,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAA;IAC3D,CAAC;IAED,IAAI,GAAG,GAAG,GAAG,mBAAmB,GAAG,IAAI,EAAE,CAAA;IACzC,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,WAAW,CAAC,CAAA;QAC/C,GAAG,IAAI,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAA;IAChC,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,MAAM;QACN,OAAO,EAAE;YACP,eAAe,EAAE,UAAU,GAAG,CAAC,oBAAoB,EAAE;YACrD,cAAc,EAAE,kBAAkB;SACnC;QACD,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;KAC9C,CAAC,CAAA;IAEF,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA8B,CAAA;IAE9D,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChF,MAAM,IAAI,KAAK,CAAC,yBAAyB,aAAa,EAAE,CAAC,CAAA;IAC3D,CAAC;IAED,OAAO,IAAI,CAAC,MAAM,CAAA;AACpB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,MAAc;IACrD,kEAAkE;IAClE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAC1C,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAsC;YACzE,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SACjC,CAAC,CAAA;QAEF,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,0BAA0B,CAAC,CAAA;YAC9F,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;QACpB,CAAC;IACH,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,wCAAwC,MAAM,4CAA4C,CAAC,CAAA;AAC7G,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAY,EACZ,OAAe,OAAO,EACtB,SAAiB,GAAG,CAAC,kBAAkB;IAEvC,MAAM,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,uBAAuB,CAAC,CAAA;IAE7D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,GAAG,mBAAmB,UAAU,MAAM,qBAAqB,kBAAkB,CAAC,IAAI,CAAC,SAAS,IAAI,EAAE,EAClG;QACE,MAAM,EAAE,KAAK;QACb,OAAO,EAAE;YACP,eAAe,EAAE,UAAU,GAAG,CAAC,oBAAoB,EAAE;YACrD,cAAc,EAAE,kBAAkB;SACnC;KACF,CACF,CAAA;IAED,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAA2B,CAAA;IAE3D,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChF,MAAM,IAAI,KAAK,CAAC,yBAAyB,aAAa,EAAE,CAAC,CAAA;IAC3D,CAAC;IAED,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAA;IACb,CAAC;IAED,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;AACvB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAA2B,EAC3B,SAAiB,GAAG,CAAC,kBAAkB;IAEvC,MAAM,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,qBAAqB,CAAC,CAAA;IAErD,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAY;QAChD,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,UAAU,MAAM,cAAc;QACpC,IAAI,EAAE;YACJ,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,GAAG,EAAE,KAAK,CAAC,GAAG,IAAI,CAAC,EAAE,WAAW;YAChC,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI;SAC/B;KACF,CAAC,CAAA;IAEF,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,oBAAoB,CAAC,CAAA;IAC7E,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,KAA2B,EAC3B,SAAiB,GAAG,CAAC,kBAAkB;IAEvC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,qBAAqB,CAAC,CAAA;IAE/D,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAY;QAChD,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,UAAU,MAAM,gBAAgB,QAAQ,EAAE;QAChD,IAAI,EAAE;YACJ,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,GAAG,EAAE,KAAK,CAAC,GAAG,IAAI,CAAC;YACnB,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,IAAI;SAC/B;KACF,CAAC,CAAA;IAEF,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,oBAAoB,CAAC,CAAA;IAC7E,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,SAAiB,GAAG,CAAC,kBAAkB;IAEvC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,qBAAqB,CAAC,CAAA;IAExD,MAAM,iBAAiB,CAAiB;QACtC,MAAM,EAAE,QAAQ;QAChB,IAAI,EAAE,UAAU,MAAM,gBAAgB,QAAQ,EAAE;KACjD,CAAC,CAAA;IAEF,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,EAAE,oBAAoB,CAAC,CAAA;AACjD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,KAA2B,EAC3B,SAAiB,GAAG,CAAC,kBAAkB;IAEvC,MAAM,cAAc,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,CAAA;IAEzE,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,CAAC,IAAI,CAAC,EAAE,gBAAgB,EAAE,cAAc,CAAC,EAAE,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,EAAE,6BAA6B,CAAC,CAAA;QACrG,OAAO,eAAe,CAAC,cAAc,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,CAAA;IAC1D,CAAC;IAED,OAAO,eAAe,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;AACvC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAAC,WAAmB,EAAE,WAAmB;IACvE,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC,CAAA;IAEvE,IAAI,WAAW,KAAK,MAAM,IAAI,WAAW,KAAK,YAAY,EAAE,CAAC;QAC3D,OAAO,GAAG,SAAS,mBAAmB,CAAA;IACxC,CAAC;IAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,aAAa,EAAE,GAAG,CAAC,CAAA;IACvE,OAAO,GAAG,SAAS,IAAI,SAAS,mBAAmB,CAAA;AACrD,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,WAAmB,EACnB,WAAmB,EACnB,gBAAwB,GAAG,CAAC,cAAc;IAE1C,IAAI,CAAC,GAAG,CAAC,oBAAoB,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAA;QAC9E,OAAO,IAAI,CAAA;IACb,CAAC;IAED,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAA;QACxE,OAAO,IAAI,CAAA;IACb,CAAC;IAED,MAAM,QAAQ,GAAG,gBAAgB,CAAC,WAAW,EAAE,WAAW,CAAC,CAAA;IAE3D,0EAA0E;IAC1E,MAAM,WAAW,GAAG,yBAAyB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAA;IACjE,MAAM,UAAU,GAAG,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAA;IAE9C,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,EAAE,6BAA6B,CAAC,CAAA;IAE3F,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC;QAC3C,IAAI,EAAE,UAA2B;QACjC,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,aAAa;QACtB,OAAO,EAAE,IAAI,EAAE,sDAAsD;QACrE,GAAG,EAAE,CAAC,EAAE,OAAO;KAChB,CAAC,CAAA;IAEF,MAAM,CAAC,IAAI,CAAC;QACV,QAAQ,EAAE,MAAM,CAAC,IAAI;QACrB,MAAM,EAAE,MAAM,CAAC,OAAO;QACtB,QAAQ,EAAE,MAAM,CAAC,EAAE;KACpB,EAAE,4BAA4B,CAAC,CAAA;IAEhC,OAAO,MAAM,CAAA;AACf,CAAC"}

package/dist/services/config-validator.d.ts

@@ -0,0 +1,28 @@
+import type { ConfigDeclaration } from './catalog.js';
+export interface ConfigValidationResult {
+    readonly valid: boolean;
+    readonly missing: readonly string[];
+    readonly warnings: readonly string[];
+}
+export interface ConfigPushResult {
+    readonly config: Record<string, string>;
+    readonly secrets: Record<string, string>;
+    readonly rejected: readonly string[];
+    readonly warnings: readonly string[];
+}
+/**
+ * Validate that all required config declarations have values set.
+ * Used during deploy preflight and by `tawa preflight`.
+ */
+export declare function validateConfigCompleteness(declarations: readonly ConfigDeclaration[], storedConfig: Record<string, string>, storedSecretKeys: readonly string[]): ConfigValidationResult;
+/**
+ * Classify a flat key-value map against catalog declarations.
+ * Separates into config (plain) and secrets (to encrypt), rejects undeclared keys.
+ */
+export declare function classifyConfigVars(vars: Record<string, string>, declarations: readonly ConfigDeclaration[]): ConfigPushResult;
+/**
+ * Compute default values for keys that have no stored config or secret value.
+ * Used during deploy to inject catalog-declared defaults.
+ */
+export declare function computeConfigDefaults(declarations: readonly ConfigDeclaration[], storedConfig: Record<string, string>, storedSecretKeys: readonly string[]): Record<string, string>;
+//# sourceMappingURL=config-validator.d.ts.map

package/dist/services/config-validator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-validator.d.ts","sourceRoot":"","sources":["../../src/services/config-validator.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA;AAErD,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAA;IACvB,QAAQ,CAAC,OAAO,EAAE,SAAS,MAAM,EAAE,CAAA;IACnC,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAA;CACrC;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IACvC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IACxC,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAA;IACpC,QAAQ,CAAC,QAAQ,EAAE,SAAS,MAAM,EAAE,CAAA;CACrC;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,YAAY,EAAE,SAAS,iBAAiB,EAAE,EAC1C,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACpC,gBAAgB,EAAE,SAAS,MAAM,EAAE,GAClC,sBAAsB,CAqBxB;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC5B,YAAY,EAAE,SAAS,iBAAiB,EAAE,GACzC,gBAAgB,CA6BlB;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,CACnC,YAAY,EAAE,SAAS,iBAAiB,EAAE,EAC1C,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EACpC,gBAAgB,EAAE,SAAS,MAAM,EAAE,GAClC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAexB"}

package/dist/services/config-validator.js

@@ -0,0 +1,68 @@
+/**
+ * Validate that all required config declarations have values set.
+ * Used during deploy preflight and by `tawa preflight`.
+ */
+export function validateConfigCompleteness(declarations, storedConfig, storedSecretKeys) {
+    const missing = [];
+    const warnings = [];
+    for (const decl of declarations) {
+        if (!decl.required)
+            continue;
+        const hasConfig = decl.key in storedConfig;
+        const hasSecret = storedSecretKeys.includes(decl.key);
+        const hasDefault = decl.default !== undefined;
+        if (!hasConfig && !hasSecret && !hasDefault) {
+            missing.push(decl.key);
+        }
+    }
+    if (missing.length > 0) {
+        warnings.push(`Missing required config: ${missing.join(', ')}`);
+    }
+    return { valid: missing.length === 0, missing, warnings };
+}
+/**
+ * Classify a flat key-value map against catalog declarations.
+ * Separates into config (plain) and secrets (to encrypt), rejects undeclared keys.
+ */
+export function classifyConfigVars(vars, declarations) {
+    const declMap = new Map(declarations.map(d => [d.key, d]));
+    const config = {};
+    const secrets = {};
+    const rejected = [];
+    const warnings = [];
+    for (const [key, value] of Object.entries(vars)) {
+        const decl = declMap.get(key);
+        if (!decl) {
+            rejected.push(key);
+            continue;
+        }
+        if (decl.secret) {
+            secrets[key] = value;
+        }
+        else {
+            config[key] = value;
+        }
+    }
+    if (rejected.length > 0) {
+        warnings.push(`Keys not declared in catalog-info.yaml (rejected): ${rejected.join(', ')}`);
+    }
+    return { config, secrets, rejected, warnings };
+}
+/**
+ * Compute default values for keys that have no stored config or secret value.
+ * Used during deploy to inject catalog-declared defaults.
+ */
+export function computeConfigDefaults(declarations, storedConfig, storedSecretKeys) {
+    const defaults = {};
+    for (const decl of declarations) {
+        if (decl.default === undefined)
+            continue;
+        const hasConfig = decl.key in storedConfig;
+        const hasSecret = storedSecretKeys.includes(decl.key);
+        if (!hasConfig && !hasSecret) {
+            defaults[decl.key] = decl.default;
+        }
+    }
+    return defaults;
+}
+//# sourceMappingURL=config-validator.js.map

package/dist/services/config-validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-validator.js","sourceRoot":"","sources":["../../src/services/config-validator.ts"],"names":[],"mappings":"AAeA;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CACxC,YAA0C,EAC1C,YAAoC,EACpC,gBAAmC;IAEnC,MAAM,OAAO,GAAa,EAAE,CAAA;IAC5B,MAAM,QAAQ,GAAa,EAAE,CAAA;IAE7B,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,SAAQ;QAE5B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,IAAI,YAAY,CAAA;QAC1C,MAAM,SAAS,GAAG,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACrD,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,KAAK,SAAS,CAAA;QAE7C,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,IAAI,CAAC,UAAU,EAAE,CAAC;YAC5C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACxB,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,QAAQ,CAAC,IAAI,CAAC,4BAA4B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IACjE,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAA;AAC3D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,IAA4B,EAC5B,YAA0C;IAE1C,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;IAC1D,MAAM,MAAM,GAA2B,EAAE,CAAA;IACzC,MAAM,OAAO,GAA2B,EAAE,CAAA;IAC1C,MAAM,QAAQ,GAAa,EAAE,CAAA;IAC7B,MAAM,QAAQ,GAAa,EAAE,CAAA;IAE7B,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;QAE7B,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAClB,SAAQ;QACV,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;QACtB,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;QACrB,CAAC;IACH,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,QAAQ,CAAC,IAAI,CACX,sDAAsD,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC5E,CAAA;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAA;AAChD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CACnC,YAA0C,EAC1C,YAAoC,EACpC,gBAAmC;IAEnC,MAAM,QAAQ,GAA2B,EAAE,CAAA;IAE3C,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS;YAAE,SAAQ;QAExC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,IAAI,YAAY,CAAA;QAC1C,MAAM,SAAS,GAAG,gBAAgB,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAErD,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7B,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,OAAO,CAAA;QACnC,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC"}

package/dist/services/config-validator.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=config-validator.test.d.ts.map

package/dist/services/config-validator.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-validator.test.d.ts","sourceRoot":"","sources":["../../src/services/config-validator.test.ts"],"names":[],"mappings":""}

package/dist/services/config-validator.test.js

@@ -0,0 +1,151 @@
+import { describe, it, expect } from 'vitest';
+import { validateConfigCompleteness, classifyConfigVars, computeConfigDefaults } from './config-validator.js';
+describe('validateConfigCompleteness', () => {
+    it('should return valid when no declarations exist', () => {
+        const result = validateConfigCompleteness([], {}, []);
+        expect(result.valid).toBe(true);
+        expect(result.missing).toEqual([]);
+        expect(result.warnings).toEqual([]);
+    });
+    it('should return valid when all required keys have config values', () => {
+        const declarations = [
+            { key: 'API_KEY', secret: true, required: true },
+            { key: 'LOG_LEVEL', required: true },
+        ];
+        const result = validateConfigCompleteness(declarations, { LOG_LEVEL: 'info' }, ['API_KEY']);
+        expect(result.valid).toBe(true);
+        expect(result.missing).toEqual([]);
+    });
+    it('should return valid when required key has a default', () => {
+        const declarations = [
+            { key: 'LOG_LEVEL', required: true, default: 'info' },
+        ];
+        const result = validateConfigCompleteness(declarations, {}, []);
+        expect(result.valid).toBe(true);
+        expect(result.missing).toEqual([]);
+    });
+    it('should return invalid when required key is missing', () => {
+        const declarations = [
+            { key: 'STRIPE_API_KEY', secret: true, required: true },
+            { key: 'NEXTAUTH_SECRET', secret: true, required: true },
+        ];
+        const result = validateConfigCompleteness(declarations, {}, []);
+        expect(result.valid).toBe(false);
+        expect(result.missing).toEqual(['STRIPE_API_KEY', 'NEXTAUTH_SECRET']);
+        expect(result.warnings).toHaveLength(1);
+        expect(result.warnings[0]).toContain('STRIPE_API_KEY');
+        expect(result.warnings[0]).toContain('NEXTAUTH_SECRET');
+    });
+    it('should report only missing required keys', () => {
+        const declarations = [
+            { key: 'PRESENT_KEY', required: true },
+            { key: 'MISSING_KEY', secret: true, required: true },
+            { key: 'OPTIONAL_KEY' },
+        ];
+        const result = validateConfigCompleteness(declarations, { PRESENT_KEY: 'val' }, []);
+        expect(result.valid).toBe(false);
+        expect(result.missing).toEqual(['MISSING_KEY']);
+    });
+    it('should ignore non-required keys that are missing', () => {
+        const declarations = [
+            { key: 'OPTIONAL_A' },
+            { key: 'OPTIONAL_B', secret: true },
+        ];
+        const result = validateConfigCompleteness(declarations, {}, []);
+        expect(result.valid).toBe(true);
+        expect(result.missing).toEqual([]);
+    });
+});
+describe('classifyConfigVars', () => {
+    const declarations = [
+        { key: 'LOG_LEVEL' },
+        { key: 'APP_NAME' },
+        { key: 'STRIPE_API_KEY', secret: true },
+        { key: 'JWT_SECRET', secret: true },
+    ];
+    it('should separate plain config from secrets', () => {
+        const result = classifyConfigVars({ LOG_LEVEL: 'debug', STRIPE_API_KEY: 'sk_test_xxx' }, declarations);
+        expect(result.config).toEqual({ LOG_LEVEL: 'debug' });
+        expect(result.secrets).toEqual({ STRIPE_API_KEY: 'sk_test_xxx' });
+        expect(result.rejected).toEqual([]);
+        expect(result.warnings).toEqual([]);
+    });
+    it('should reject keys not declared in catalog', () => {
+        const result = classifyConfigVars({ LOG_LEVEL: 'info', UNKNOWN_KEY: 'val', ANOTHER: 'val2' }, declarations);
+        expect(result.config).toEqual({ LOG_LEVEL: 'info' });
+        expect(result.secrets).toEqual({});
+        expect(result.rejected).toEqual(['UNKNOWN_KEY', 'ANOTHER']);
+        expect(result.warnings).toHaveLength(1);
+        expect(result.warnings[0]).toContain('UNKNOWN_KEY');
+    });
+    it('should return empty results for empty vars', () => {
+        const result = classifyConfigVars({}, declarations);
+        expect(result.config).toEqual({});
+        expect(result.secrets).toEqual({});
+        expect(result.rejected).toEqual([]);
+    });
+    it('should reject all keys when no declarations exist', () => {
+        const result = classifyConfigVars({ FOO: 'bar' }, []);
+        expect(result.config).toEqual({});
+        expect(result.secrets).toEqual({});
+        expect(result.rejected).toEqual(['FOO']);
+    });
+    it('should classify all vars correctly in a mixed scenario', () => {
+        const result = classifyConfigVars({
+            LOG_LEVEL: 'info',
+            APP_NAME: 'my-app',
+            STRIPE_API_KEY: 'sk_xxx',
+            JWT_SECRET: 'secret123',
+            UNDECLARED: 'nope',
+        }, declarations);
+        expect(result.config).toEqual({ LOG_LEVEL: 'info', APP_NAME: 'my-app' });
+        expect(result.secrets).toEqual({ STRIPE_API_KEY: 'sk_xxx', JWT_SECRET: 'secret123' });
+        expect(result.rejected).toEqual(['UNDECLARED']);
+    });
+});
+describe('computeConfigDefaults', () => {
+    it('should return defaults for keys with no stored value', () => {
+        const declarations = [
+            { key: 'LOG_LEVEL', default: 'info' },
+            { key: 'NODE_ENV', default: 'production' },
+        ];
+        const result = computeConfigDefaults(declarations, {}, []);
+        expect(result).toEqual({ LOG_LEVEL: 'info', NODE_ENV: 'production' });
+    });
+    it('should not return default when config value exists', () => {
+        const declarations = [
+            { key: 'LOG_LEVEL', default: 'info' },
+        ];
+        const result = computeConfigDefaults(declarations, { LOG_LEVEL: 'debug' }, []);
+        expect(result).toEqual({});
+    });
+    it('should not return default when secret value exists', () => {
+        const declarations = [
+            { key: 'API_KEY', secret: true, default: 'fallback' },
+        ];
+        const result = computeConfigDefaults(declarations, {}, ['API_KEY']);
+        expect(result).toEqual({});
+    });
+    it('should return empty when no declarations have defaults', () => {
+        const declarations = [
+            { key: 'STRIPE_KEY', secret: true, required: true },
+            { key: 'APP_NAME' },
+        ];
+        const result = computeConfigDefaults(declarations, {}, []);
+        expect(result).toEqual({});
+    });
+    it('should handle empty declarations', () => {
+        const result = computeConfigDefaults([], {}, []);
+        expect(result).toEqual({});
+    });
+    it('should only return defaults for unset keys in mixed scenario', () => {
+        const declarations = [
+            { key: 'LOG_LEVEL', default: 'info' },
+            { key: 'APP_NAME', default: 'my-app' },
+            { key: 'API_KEY', secret: true, default: 'fallback' },
+        ];
+        const result = computeConfigDefaults(declarations, { APP_NAME: 'custom-name' }, ['API_KEY']);
+        expect(result).toEqual({ LOG_LEVEL: 'info' });
+    });
+});
+//# sourceMappingURL=config-validator.test.js.map

package/dist/services/config-validator.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-validator.test.js","sourceRoot":"","sources":["../../src/services/config-validator.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAA;AAC7C,OAAO,EAAE,0BAA0B,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAG7G,QAAQ,CAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,EAAE,CAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,MAAM,GAAG,0BAA0B,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAA;QACrD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC/B,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QAClC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;IACrC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,YAAY,GAAwB;YACxC,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;YAChD,EAAE,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE;SACrC,CAAA;QACD,MAAM,MAAM,GAAG,0BAA0B,CACvC,YAAY,EACZ,EAAE,SAAS,EAAE,MAAM,EAAE,EACrB,CAAC,SAAS,CAAC,CACZ,CAAA;QACD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC/B,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;IACpC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,MAAM,YAAY,GAAwB;YACxC,EAAE,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE;SACtD,CAAA;QACD,MAAM,MAAM,GAAG,0BAA0B,CAAC,YAAY,EAAE,EAAE,EAAE,EAAE,CAAC,CAAA;QAC/D,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC/B,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;IACpC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,YAAY,GAAwB;YACxC,EAAE,GAAG,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;YACvD,EAAE,GAAG,EAAE,iBAAiB,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;SACzD,CAAA;QACD,MAAM,MAAM,GAAG,0BAA0B,CAAC,YAAY,EAAE,EAAE,EAAE,EAAE,CAAC,CAAA;QAC/D,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAChC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,gBAAgB,EAAE,iBAAiB,CAAC,CAAC,CAAA;QACrE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAA;QACvC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAA;QACtD,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAA;IACzD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,MAAM,YAAY,GAAwB;YACxC,EAAE,GAAG,EAAE,aAAa,EAAE,QAAQ,EAAE,IAAI,EAAE;YACtC,EAAE,GAAG,EAAE,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;YACpD,EAAE,GAAG,EAAE,cAAc,EAAE;SACxB,CAAA;QACD,MAAM,MAAM,GAAG,0BAA0B,CACvC,YAAY,EACZ,EAAE,WAAW,EAAE,KAAK,EAAE,EACtB,EAAE,CACH,CAAA;QACD,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;QAChC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,aAAa,CAAC,CAAC,CAAA;IACjD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kDAAkD,EAAE,GAAG,EAAE;QAC1D,MAAM,YAAY,GAAwB;YACxC,EAAE,GAAG,EAAE,YAAY,EAAE;YACrB,EAAE,GAAG,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE;SACpC,CAAA;QACD,MAAM,MAAM,GAAG,0BAA0B,CAAC,YAAY,EAAE,EAAE,EAAE,EAAE,CAAC,CAAA;QAC/D,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAC/B,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;IACpC,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA;AAEF,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,MAAM,YAAY,GAAwB;QACxC,EAAE,GAAG,EAAE,WAAW,EAAE;QACpB,EAAE,GAAG,EAAE,UAAU,EAAE;QACnB,EAAE,GAAG,EAAE,gBAAgB,EAAE,MAAM,EAAE,IAAI,EAAE;QACvC,EAAE,GAAG,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE;KACpC,CAAA;IAED,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,MAAM,GAAG,kBAAkB,CAC/B,EAAE,SAAS,EAAE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,EACrD,YAAY,CACb,CAAA;QACD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAA;QACrD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,cAAc,EAAE,aAAa,EAAE,CAAC,CAAA;QACjE,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACnC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;IACrC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,MAAM,GAAG,kBAAkB,CAC/B,EAAE,SAAS,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,EAC1D,YAAY,CACb,CAAA;QACD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAA;QACpD,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QAClC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC,CAAA;QAC3D,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAA;QACvC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,aAAa,CAAC,CAAA;IACrD,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,MAAM,MAAM,GAAG,kBAAkB,CAAC,EAAE,EAAE,YAAY,CAAC,CAAA;QACnD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACjC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QAClC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;IACrC,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,MAAM,GAAG,kBAAkB,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAA;QACrD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QACjC,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;QAClC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAA;IAC1C,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,MAAM,GAAG,kBAAkB,CAC/B;YACE,SAAS,EAAE,MAAM;YACjB,QAAQ,EAAE,QAAQ;YAClB,cAAc,EAAE,QAAQ;YACxB,UAAU,EAAE,WAAW;YACvB,UAAU,EAAE,MAAM;SACnB,EACD,YAAY,CACb,CAAA;QACD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAA;QACxE,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,EAAE,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC,CAAA;QACrF,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,OAAO,CAAC,CAAC,YAAY,CAAC,CAAC,CAAA;IACjD,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA;AAEF,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,YAAY,GAAwB;YACxC,EAAE,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,EAAE;YACrC,EAAE,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,YAAY,EAAE;SAC3C,CAAA;QACD,MAAM,MAAM,GAAG,qBAAqB,CAAC,YAAY,EAAE,EAAE,EAAE,EAAE,CAAC,CAAA;QAC1D,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,CAAC,CAAA;IACvE,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,YAAY,GAAwB;YACxC,EAAE,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,EAAE;SACtC,CAAA;QACD,MAAM,MAAM,GAAG,qBAAqB,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC,CAAA;QAC9E,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,YAAY,GAAwB;YACxC,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE;SACtD,CAAA;QACD,MAAM,MAAM,GAAG,qBAAqB,CAAC,YAAY,EAAE,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAA;QACnE,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,wDAAwD,EAAE,GAAG,EAAE;QAChE,MAAM,YAAY,GAAwB;YACxC,EAAE,GAAG,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE;YACnD,EAAE,GAAG,EAAE,UAAU,EAAE;SACpB,CAAA;QACD,MAAM,MAAM,GAAG,qBAAqB,CAAC,YAAY,EAAE,EAAE,EAAE,EAAE,CAAC,CAAA;QAC1D,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,MAAM,GAAG,qBAAqB,CAAC,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC,CAAA;QAChD,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,MAAM,YAAY,GAAwB;YACxC,EAAE,GAAG,EAAE,WAAW,EAAE,OAAO,EAAE,MAAM,EAAE;YACrC,EAAE,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE;YACtC,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE;SACtD,CAAA;QACD,MAAM,MAAM,GAAG,qBAAqB,CAClC,YAAY,EACZ,EAAE,QAAQ,EAAE,aAAa,EAAE,EAC3B,CAAC,SAAS,CAAC,CACZ,CAAA;QACD,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAA;IAC/C,CAAC,CAAC,CAAA;AACJ,CAAC,CAAC,CAAA"}

package/dist/services/crypto.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Encrypt a plaintext string using AES-256-GCM.
+ * Returns a base64 string containing: IV (12 bytes) + ciphertext + auth tag (16 bytes)
+ */
+export declare function encrypt(plaintext: string): string;
+/**
+ * Decrypt a base64 string produced by encrypt().
+ * Extracts IV and auth tag, returns the plaintext.
+ */
+export declare function decrypt(ciphertext: string): string;
+/**
+ * Encrypt all values in a record, returning a new record with encrypted values.
+ */
+export declare function encryptRecord(vars: Record<string, string>): Record<string, string>;
+/**
+ * Decrypt all values in a record, returning a new record with plaintext values.
+ */
+export declare function decryptRecord(vars: Record<string, string>): Record<string, string>;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/services/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/services/crypto.ts"],"names":[],"mappings":"AAkBA;;;GAGG;AACH,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAcjD;AAED;;;GAGG;AACH,wBAAgB,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAiBlD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAIlF;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAIlF"}

package/dist/services/crypto.js

@@ -0,0 +1,63 @@
+import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const TAG_LENGTH = 16;
+function getEncryptionKey() {
+    const key = process.env.CONFIG_ENCRYPTION_KEY;
+    if (!key) {
+        throw new Error('CONFIG_ENCRYPTION_KEY env var is required for secret management');
+    }
+    const buf = Buffer.from(key, 'hex');
+    if (buf.length !== 32) {
+        throw new Error('CONFIG_ENCRYPTION_KEY must be a 64-character hex string (32 bytes)');
+    }
+    return buf;
+}
+/**
+ * Encrypt a plaintext string using AES-256-GCM.
+ * Returns a base64 string containing: IV (12 bytes) + ciphertext + auth tag (16 bytes)
+ */
+export function encrypt(plaintext) {
+    const key = getEncryptionKey();
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([
+        cipher.update(plaintext, 'utf8'),
+        cipher.final(),
+    ]);
+    const tag = cipher.getAuthTag();
+    // Pack: iv + encrypted + tag
+    const packed = Buffer.concat([iv, encrypted, tag]);
+    return packed.toString('base64');
+}
+/**
+ * Decrypt a base64 string produced by encrypt().
+ * Extracts IV and auth tag, returns the plaintext.
+ */
+export function decrypt(ciphertext) {
+    const key = getEncryptionKey();
+    const packed = Buffer.from(ciphertext, 'base64');
+    const iv = packed.subarray(0, IV_LENGTH);
+    const tag = packed.subarray(packed.length - TAG_LENGTH);
+    const encrypted = packed.subarray(IV_LENGTH, packed.length - TAG_LENGTH);
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(tag);
+    const decrypted = Buffer.concat([
+        decipher.update(encrypted),
+        decipher.final(),
+    ]);
+    return decrypted.toString('utf8');
+}
+/**
+ * Encrypt all values in a record, returning a new record with encrypted values.
+ */
+export function encryptRecord(vars) {
+    return Object.fromEntries(Object.entries(vars).map(([k, v]) => [k, encrypt(v)]));
+}
+/**
+ * Decrypt all values in a record, returning a new record with plaintext values.
+ */
+export function decryptRecord(vars) {
+    return Object.fromEntries(Object.entries(vars).map(([k, v]) => [k, decrypt(v)]));
+}
+//# sourceMappingURL=crypto.js.map

package/dist/services/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/services/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAA;AAEtE,MAAM,SAAS,GAAG,aAAa,CAAA;AAC/B,MAAM,SAAS,GAAG,EAAE,CAAA;AACpB,MAAM,UAAU,GAAG,EAAE,CAAA;AAErB,SAAS,gBAAgB;IACvB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAA;IAC7C,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAA;IACpF,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;IACnC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAA;IACvF,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB;IACvC,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAA;IAC9B,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAA;IACjC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAA;IAEjD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC;QAChC,MAAM,CAAC,KAAK,EAAE;KACf,CAAC,CAAA;IACF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAA;IAE/B,6BAA6B;IAC7B,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,GAAG,CAAC,CAAC,CAAA;IAClD,OAAO,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;AAClC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,OAAO,CAAC,UAAkB;IACxC,MAAM,GAAG,GAAG,gBAAgB,EAAE,CAAA;IAC9B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;IAEhD,MAAM,EAAE,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAA;IACxC,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,GAAG,UAAU,CAAC,CAAA;IACvD,MAAM,SAAS,GAAG,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,MAAM,GAAG,UAAU,CAAC,CAAA;IAExE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAA;IACrD,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAA;IAExB,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC;QAC1B,QAAQ,CAAC,KAAK,EAAE;KACjB,CAAC,CAAA;IAEF,OAAO,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;AACnC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,IAA4B;IACxD,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CACtD,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,IAA4B;IACxD,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CACtD,CAAA;AACH,CAAC"}

package/dist/services/database.d.ts

@@ -0,0 +1,26 @@
+import { MongoClient, Collection } from 'mongodb';
+import { Redis } from 'ioredis';
+import type { Build, Service, OrgInvite, DbWhitelistEntry } from '../models/types.js';
+export declare function connectDatabase(): Promise<void>;
+export declare function getMongoClient(): MongoClient;
+export declare function connectRedis(): Promise<void>;
+export declare function getBuildsCollection(): Collection<Build>;
+export declare function getServicesCollection(): Collection<Service>;
+export declare function getOrgInvitesCollection(): Collection<OrgInvite>;
+export declare function getDbWhitelistCollection(): Collection<DbWhitelistEntry>;
+export interface RotationNotification {
+    readonly id: string;
+    readonly serviceName: string;
+    readonly notificationType: '7-day' | '3-day' | 'rotation-complete';
+    readonly sentAt: string;
+    readonly rotationCycleStart: string;
+}
+export declare function getRotationNotificationsCollection(): Collection<RotationNotification>;
+export declare function getRedis(): Redis;
+export declare function publishBuildEvent(buildId: string, event: string, data?: Record<string, unknown>): Promise<void>;
+export declare function checkConnections(): Promise<{
+    mongodb: boolean;
+    redis: boolean;
+}>;
+export declare function closeConnections(): Promise<void>;
+//# sourceMappingURL=database.d.ts.map

package/dist/services/database.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../src/services/database.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAM,MAAM,SAAS,CAAA;AACrD,OAAO,EAAE,KAAK,EAAE,MAAM,SAAS,CAAA;AAE/B,OAAO,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AAOrF,wBAAsB,eAAe,IAAI,OAAO,CAAC,IAAI,CAAC,CAkCrD;AAED,wBAAgB,cAAc,IAAI,WAAW,CAG5C;AAED,wBAAsB,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC,CAKlD;AAED,wBAAgB,mBAAmB,IAAI,UAAU,CAAC,KAAK,CAAC,CAGvD;AAED,wBAAgB,qBAAqB,IAAI,UAAU,CAAC,OAAO,CAAC,CAG3D;AAED,wBAAgB,uBAAuB,IAAI,UAAU,CAAC,SAAS,CAAC,CAG/D;AAED,wBAAgB,wBAAwB,IAAI,UAAU,CAAC,gBAAgB,CAAC,CAGvE;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAA;IACnB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,gBAAgB,EAAE,OAAO,GAAG,OAAO,GAAG,mBAAmB,CAAA;IAClE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAA;CACpC;AAED,wBAAgB,kCAAkC,IAAI,UAAU,CAAC,oBAAoB,CAAC,CAGrF;AAED,wBAAgB,QAAQ,IAAI,KAAK,CAGhC;AAKD,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAGrH;AAED,wBAAsB,gBAAgB,IAAI,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,OAAO,CAAA;CAAE,CAAC,CAYtF;AAED,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC,CAGtD"}