npm - iec-builder - Versions diffs - 0.1.0 - Mend

iec-builder 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/.claude/settings.local.json +111 -0
package/.iec.yaml +5 -0
package/CLAUDE.md +174 -0
package/Dockerfile +34 -0
package/README.md +84 -0
package/catalog-info.yaml +11 -0
package/dist/config/env.d.ts +219 -0
package/dist/config/env.d.ts.map +1 -0
package/dist/config/env.js +89 -0
package/dist/config/env.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +148 -0
package/dist/index.js.map +1 -0
package/dist/middleware/auth.d.ts +43 -0
package/dist/middleware/auth.d.ts.map +1 -0
package/dist/middleware/auth.js +217 -0
package/dist/middleware/auth.js.map +1 -0
package/dist/middleware/org-access.d.ts +28 -0
package/dist/middleware/org-access.d.ts.map +1 -0
package/dist/middleware/org-access.js +102 -0
package/dist/middleware/org-access.js.map +1 -0
package/dist/models/types.d.ts +254 -0
package/dist/models/types.d.ts.map +1 -0
package/dist/models/types.js +2 -0
package/dist/models/types.js.map +1 -0
package/dist/routes/ai.d.ts +2 -0
package/dist/routes/ai.d.ts.map +1 -0
package/dist/routes/ai.js +77 -0
package/dist/routes/ai.js.map +1 -0
package/dist/routes/audit.d.ts +2 -0
package/dist/routes/audit.d.ts.map +1 -0
package/dist/routes/audit.js +102 -0
package/dist/routes/audit.js.map +1 -0
package/dist/routes/builds.d.ts +2 -0
package/dist/routes/builds.d.ts.map +1 -0
package/dist/routes/builds.js +262 -0
package/dist/routes/builds.js.map +1 -0
package/dist/routes/cluster.d.ts +2 -0
package/dist/routes/cluster.d.ts.map +1 -0
package/dist/routes/cluster.js +181 -0
package/dist/routes/cluster.js.map +1 -0
package/dist/routes/config.d.ts +2 -0
package/dist/routes/config.d.ts.map +1 -0
package/dist/routes/config.js +291 -0
package/dist/routes/config.js.map +1 -0
package/dist/routes/databases.d.ts +2 -0
package/dist/routes/databases.d.ts.map +1 -0
package/dist/routes/databases.js +161 -0
package/dist/routes/databases.js.map +1 -0
package/dist/routes/db-whitelist.d.ts +2 -0
package/dist/routes/db-whitelist.d.ts.map +1 -0
package/dist/routes/db-whitelist.js +148 -0
package/dist/routes/db-whitelist.js.map +1 -0
package/dist/routes/domains.d.ts +2 -0
package/dist/routes/domains.d.ts.map +1 -0
package/dist/routes/domains.js +449 -0
package/dist/routes/domains.js.map +1 -0
package/dist/routes/oauth.d.ts +2 -0
package/dist/routes/oauth.d.ts.map +1 -0
package/dist/routes/oauth.js +180 -0
package/dist/routes/oauth.js.map +1 -0
package/dist/routes/observability.d.ts +2 -0
package/dist/routes/observability.d.ts.map +1 -0
package/dist/routes/observability.js +167 -0
package/dist/routes/observability.js.map +1 -0
package/dist/routes/orgs.d.ts +2 -0
package/dist/routes/orgs.d.ts.map +1 -0
package/dist/routes/orgs.js +270 -0
package/dist/routes/orgs.js.map +1 -0
package/dist/routes/platform.d.ts +2 -0
package/dist/routes/platform.d.ts.map +1 -0
package/dist/routes/platform.js +107 -0
package/dist/routes/platform.js.map +1 -0
package/dist/routes/push.d.ts +2 -0
package/dist/routes/push.d.ts.map +1 -0
package/dist/routes/push.js +233 -0
package/dist/routes/push.js.map +1 -0
package/dist/routes/rotation.d.ts +3 -0
package/dist/routes/rotation.d.ts.map +1 -0
package/dist/routes/rotation.js +154 -0
package/dist/routes/rotation.js.map +1 -0
package/dist/routes/services.d.ts +2 -0
package/dist/routes/services.d.ts.map +1 -0
package/dist/routes/services.js +246 -0
package/dist/routes/services.js.map +1 -0
package/dist/routes/storage.d.ts +2 -0
package/dist/routes/storage.d.ts.map +1 -0
package/dist/routes/storage.js +118 -0
package/dist/routes/storage.js.map +1 -0
package/dist/routes/users.d.ts +2 -0
package/dist/routes/users.d.ts.map +1 -0
package/dist/routes/users.js +183 -0
package/dist/routes/users.js.map +1 -0
package/dist/routes/versions.d.ts +2 -0
package/dist/routes/versions.d.ts.map +1 -0
package/dist/routes/versions.js +195 -0
package/dist/routes/versions.js.map +1 -0
package/dist/routes/webhooks.d.ts +2 -0
package/dist/routes/webhooks.d.ts.map +1 -0
package/dist/routes/webhooks.js +334 -0
package/dist/routes/webhooks.js.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts +2 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js +482 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js.map +1 -0
package/dist/services/bio-client.d.ts +68 -0
package/dist/services/bio-client.d.ts.map +1 -0
package/dist/services/bio-client.js +110 -0
package/dist/services/bio-client.js.map +1 -0
package/dist/services/build-queue.d.ts +7 -0
package/dist/services/build-queue.d.ts.map +1 -0
package/dist/services/build-queue.js +114 -0
package/dist/services/build-queue.js.map +1 -0
package/dist/services/builder.d.ts +7 -0
package/dist/services/builder.d.ts.map +1 -0
package/dist/services/builder.js +1384 -0
package/dist/services/builder.js.map +1 -0
package/dist/services/catalog.d.ts +177 -0
package/dist/services/catalog.d.ts.map +1 -0
package/dist/services/catalog.js +805 -0
package/dist/services/catalog.js.map +1 -0
package/dist/services/catalog.test.d.ts +2 -0
package/dist/services/catalog.test.d.ts.map +1 -0
package/dist/services/catalog.test.js +467 -0
package/dist/services/catalog.test.js.map +1 -0
package/dist/services/cloudflare.d.ts +43 -0
package/dist/services/cloudflare.d.ts.map +1 -0
package/dist/services/cloudflare.js +182 -0
package/dist/services/cloudflare.js.map +1 -0
package/dist/services/config-validator.d.ts +28 -0
package/dist/services/config-validator.d.ts.map +1 -0
package/dist/services/config-validator.js +68 -0
package/dist/services/config-validator.js.map +1 -0
package/dist/services/config-validator.test.d.ts +2 -0
package/dist/services/config-validator.test.d.ts.map +1 -0
package/dist/services/config-validator.test.js +151 -0
package/dist/services/config-validator.test.js.map +1 -0
package/dist/services/crypto.d.ts +19 -0
package/dist/services/crypto.d.ts.map +1 -0
package/dist/services/crypto.js +63 -0
package/dist/services/crypto.js.map +1 -0
package/dist/services/database.d.ts +26 -0
package/dist/services/database.d.ts.map +1 -0
package/dist/services/database.js +100 -0
package/dist/services/database.js.map +1 -0
package/dist/services/db-credential-manager.d.ts +73 -0
package/dist/services/db-credential-manager.d.ts.map +1 -0
package/dist/services/db-credential-manager.js +342 -0
package/dist/services/db-credential-manager.js.map +1 -0
package/dist/services/db-provisioner.d.ts +57 -0
package/dist/services/db-provisioner.d.ts.map +1 -0
package/dist/services/db-provisioner.js +400 -0
package/dist/services/db-provisioner.js.map +1 -0
package/dist/services/db-provisioner.test.d.ts +2 -0
package/dist/services/db-provisioner.test.d.ts.map +1 -0
package/dist/services/db-provisioner.test.js +141 -0
package/dist/services/db-provisioner.test.js.map +1 -0
package/dist/services/db-whitelist.d.ts +58 -0
package/dist/services/db-whitelist.d.ts.map +1 -0
package/dist/services/db-whitelist.js +379 -0
package/dist/services/db-whitelist.js.map +1 -0
package/dist/services/dependency-resolver.d.ts +58 -0
package/dist/services/dependency-resolver.d.ts.map +1 -0
package/dist/services/dependency-resolver.js +180 -0
package/dist/services/dependency-resolver.js.map +1 -0
package/dist/services/dependency-resolver.test.d.ts +2 -0
package/dist/services/dependency-resolver.test.d.ts.map +1 -0
package/dist/services/dependency-resolver.test.js +195 -0
package/dist/services/dependency-resolver.test.js.map +1 -0
package/dist/services/deploy-gate.d.ts +19 -0
package/dist/services/deploy-gate.d.ts.map +1 -0
package/dist/services/deploy-gate.js +56 -0
package/dist/services/deploy-gate.js.map +1 -0
package/dist/services/deploy-gate.test.d.ts +2 -0
package/dist/services/deploy-gate.test.d.ts.map +1 -0
package/dist/services/deploy-gate.test.js +199 -0
package/dist/services/deploy-gate.test.js.map +1 -0
package/dist/services/dockerfile-generator.d.ts +31 -0
package/dist/services/dockerfile-generator.d.ts.map +1 -0
package/dist/services/dockerfile-generator.js +544 -0
package/dist/services/dockerfile-generator.js.map +1 -0
package/dist/services/dockerfile-generator.test.d.ts +2 -0
package/dist/services/dockerfile-generator.test.d.ts.map +1 -0
package/dist/services/dockerfile-generator.test.js +144 -0
package/dist/services/dockerfile-generator.test.js.map +1 -0
package/dist/services/forgejo.d.ts +58 -0
package/dist/services/forgejo.d.ts.map +1 -0
package/dist/services/forgejo.js +131 -0
package/dist/services/forgejo.js.map +1 -0
package/dist/services/koko.d.ts +153 -0
package/dist/services/koko.d.ts.map +1 -0
package/dist/services/koko.js +260 -0
package/dist/services/koko.js.map +1 -0
package/dist/services/kubernetes.d.ts +16 -0
package/dist/services/kubernetes.d.ts.map +1 -0
package/dist/services/kubernetes.js +102 -0
package/dist/services/kubernetes.js.map +1 -0
package/dist/services/oauth-provisioner.d.ts +30 -0
package/dist/services/oauth-provisioner.d.ts.map +1 -0
package/dist/services/oauth-provisioner.js +182 -0
package/dist/services/oauth-provisioner.js.map +1 -0
package/dist/services/oauth-provisioner.test.d.ts +2 -0
package/dist/services/oauth-provisioner.test.d.ts.map +1 -0
package/dist/services/oauth-provisioner.test.js +349 -0
package/dist/services/oauth-provisioner.test.js.map +1 -0
package/dist/services/pod-diagnostics.d.ts +11 -0
package/dist/services/pod-diagnostics.d.ts.map +1 -0
package/dist/services/pod-diagnostics.js +201 -0
package/dist/services/pod-diagnostics.js.map +1 -0
package/dist/services/rotation-scheduler.d.ts +2 -0
package/dist/services/rotation-scheduler.d.ts.map +1 -0
package/dist/services/rotation-scheduler.js +215 -0
package/dist/services/rotation-scheduler.js.map +1 -0
package/dist/services/storage-credential-manager.d.ts +43 -0
package/dist/services/storage-credential-manager.d.ts.map +1 -0
package/dist/services/storage-credential-manager.js +159 -0
package/dist/services/storage-credential-manager.js.map +1 -0
package/dist/services/storage-provisioner.d.ts +32 -0
package/dist/services/storage-provisioner.d.ts.map +1 -0
package/dist/services/storage-provisioner.js +136 -0
package/dist/services/storage-provisioner.js.map +1 -0
package/dist/services/storage.d.ts +65 -0
package/dist/services/storage.d.ts.map +1 -0
package/dist/services/storage.js +204 -0
package/dist/services/storage.js.map +1 -0
package/dist/services/troubleshooter.d.ts +22 -0
package/dist/services/troubleshooter.d.ts.map +1 -0
package/dist/services/troubleshooter.js +168 -0
package/dist/services/troubleshooter.js.map +1 -0
package/dist/services/vault-client.d.ts +114 -0
package/dist/services/vault-client.d.ts.map +1 -0
package/dist/services/vault-client.js +411 -0
package/dist/services/vault-client.js.map +1 -0
package/dist/utils/logger.d.ts +2 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +6 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/response.d.ts +13 -0
package/dist/utils/response.d.ts.map +1 -0
package/dist/utils/response.js +12 -0
package/dist/utils/response.js.map +1 -0
package/docs/registry-migration.md +301 -0
package/docs/registry-quickstart.md +169 -0
package/ecosystem.config.cjs +14 -0
package/findings.md +168 -0
package/helm/default-service/Chart.yaml +6 -0
package/helm/default-service/templates/deployment.yaml +97 -0
package/helm/default-service/templates/ingress.yaml +43 -0
package/helm/default-service/templates/service.yaml +17 -0
package/helm/default-service/values.yaml +82 -0
package/helm/services/iec-builder/Chart.yaml +6 -0
package/helm/services/iec-builder/templates/_helpers.tpl +61 -0
package/helm/services/iec-builder/templates/deployment.yaml +73 -0
package/helm/services/iec-builder/templates/service.yaml +15 -0
package/helm/services/iec-builder/templates/serviceaccount.yaml +12 -0
package/helm/services/iec-builder/values.yaml +56 -0
package/helm/vault-values.yaml +127 -0
package/package.json +45 -0
package/progress.md +156 -0
package/scripts/.vault-init-keys.json +23 -0
package/scripts/backfill-ownership.ts +113 -0
package/scripts/finalize-mongo-auth.sh +212 -0
package/scripts/setup-ipset.sh +107 -0
package/scripts/setup-mongo-auth.sh +163 -0
package/scripts/setup-neo4j-auth.sh +62 -0
package/scripts/setup-redis-auth.sh +55 -0
package/scripts/setup-registry-secret.sh +71 -0
package/scripts/setup-vault.sh +308 -0
package/src/config/env.ts +117 -0
package/src/index.ts +153 -0
package/src/middleware/auth.ts +294 -0
package/src/middleware/org-access.ts +126 -0
package/src/models/types.ts +288 -0
package/src/routes/ai.ts +115 -0
package/src/routes/audit.ts +121 -0
package/src/routes/builds.ts +320 -0
package/src/routes/cluster.ts +235 -0
package/src/routes/config.ts +369 -0
package/src/routes/databases.ts +201 -0
package/src/routes/db-whitelist.ts +204 -0
package/src/routes/domains.ts +547 -0
package/src/routes/oauth.ts +195 -0
package/src/routes/observability.ts +205 -0
package/src/routes/orgs.ts +330 -0
package/src/routes/platform.ts +134 -0
package/src/routes/rotation.ts +191 -0
package/src/routes/services.ts +290 -0
package/src/routes/storage.ts +153 -0
package/src/routes/users.ts +235 -0
package/src/routes/webhooks.ts +384 -0
package/src/services/__tests__/catalog-storage.test.ts +186 -0
package/src/services/__tests__/deploy-pipeline.integration.test.ts +624 -0
package/src/services/__tests__/pod-diagnostics.test.ts +332 -0
package/src/services/__tests__/storage-credential-manager.test.ts +129 -0
package/src/services/__tests__/storage-provisioner.test.ts +166 -0
package/src/services/__tests__/troubleshooter.test.ts +329 -0
package/src/services/bio-client.ts +189 -0
package/src/services/build-queue.ts +137 -0
package/src/services/builder.ts +1800 -0
package/src/services/catalog.test.ts +1389 -0
package/src/services/catalog.ts +1187 -0
package/src/services/cloudflare.ts +259 -0
package/src/services/config-validator.test.ts +190 -0
package/src/services/config-validator.ts +108 -0
package/src/services/crypto.ts +78 -0
package/src/services/database.ts +122 -0
package/src/services/db-credential-manager.test.ts +101 -0
package/src/services/db-credential-manager.ts +447 -0
package/src/services/db-provisioner.test.ts +602 -0
package/src/services/db-provisioner.ts +589 -0
package/src/services/db-whitelist.test.ts +671 -0
package/src/services/db-whitelist.ts +496 -0
package/src/services/dependency-resolver.test.ts +677 -0
package/src/services/dependency-resolver.ts +319 -0
package/src/services/deploy-gate.test.ts +247 -0
package/src/services/deploy-gate.ts +75 -0
package/src/services/dockerfile-generator.test.ts +401 -0
package/src/services/dockerfile-generator.ts +606 -0
package/src/services/forgejo.ts +212 -0
package/src/services/koko.ts +492 -0
package/src/services/kubernetes.ts +141 -0
package/src/services/oauth-provisioner.test.ts +477 -0
package/src/services/oauth-provisioner.ts +286 -0
package/src/services/pod-diagnostics.ts +261 -0
package/src/services/rotation-scheduler.ts +293 -0
package/src/services/storage-credential-manager.ts +223 -0
package/src/services/storage-provisioner.ts +216 -0
package/src/services/storage.ts +274 -0
package/src/services/troubleshooter.ts +208 -0
package/src/services/vault-client.test.ts +272 -0
package/src/services/vault-client.ts +587 -0
package/src/utils/logger.ts +6 -0
package/src/utils/response.ts +23 -0
package/task_plan.md +171 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +19 -0

package/src/services/__tests__/troubleshooter.test.ts ADDED Viewed

@@ -0,0 +1,329 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+const { mockGetPods } = vi.hoisted(() => ({
+  mockGetPods: vi.fn(),
+}))
+vi.mock('../pod-diagnostics.js', () => ({
+  getPods: (...args: unknown[]) => mockGetPods(...args),
+}))
+vi.mock('../../utils/logger.js', () => ({
+  logger: { info: vi.fn(), warn: vi.fn(), error: vi.fn() },
+}))
+import { troubleshoot, type TroubleshootResult } from '../troubleshooter.js'
+import type { PodDiagnostic } from '../../models/types.js'
+function makePod(overrides: Partial<PodDiagnostic> = {}): PodDiagnostic {
+  return {
+    name: 'my-api-abc123',
+    phase: 'Running',
+    restartCount: 0,
+    containerStatuses: [{ name: 'my-api', ready: true, state: 'running' }],
+    events: [],
+    ...overrides,
+  }
+}
+describe('troubleshooter', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+  describe('healthy service', () => {
+    it('returns healthy=true with no issues for running pods', async () => {
+      mockGetPods.mockResolvedValue([makePod()])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      expect(result.healthy).toBe(true)
+      expect(result.issues).toHaveLength(0)
+      expect(result.service).toBe('my-api')
+      expect(result.namespace).toBe('my-api-prod')
+      expect(result.environment).toBe('prod')
+      expect(result.pods).toHaveLength(1)
+    })
+  })
+  describe('no pods', () => {
+    it('returns critical issue when namespace has no pods', async () => {
+      mockGetPods.mockResolvedValue([])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      expect(result.healthy).toBe(false)
+      expect(result.issues).toHaveLength(1)
+      expect(result.issues[0].severity).toBe('critical')
+      expect(result.issues[0].category).toBe('deployment')
+      expect(result.issues[0].title).toBe('No Pods Found')
+    })
+  })
+  describe('crash-loop detection', () => {
+    it('detects CrashLoopBackOff in container', async () => {
+      mockGetPods.mockResolvedValue([
+        makePod({
+          restartCount: 5,
+          containerStatuses: [{
+            name: 'my-api',
+            ready: false,
+            state: 'waiting',
+            reason: 'CrashLoopBackOff',
+            exitCode: 1,
+          }],
+        }),
+      ])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      expect(result.healthy).toBe(false)
+      const issue = result.issues.find((i) => i.title === 'CrashLoopBackOff')
+      expect(issue).toBeDefined()
+      expect(issue!.severity).toBe('critical')
+      expect(issue!.category).toBe('crash')
+      expect(issue!.detail).toContain('5 restarts')
+      expect(issue!.containerName).toBe('my-api')
+      expect(issue!.suggestion).toContain('tawa logs')
+    })
+    it('detects CrashLoopBackOff in init container', async () => {
+      mockGetPods.mockResolvedValue([
+        makePod({
+          phase: 'Init:Error',
+          containerStatuses: [{ name: 'my-api', ready: false, state: 'waiting' }],
+          initContainerStatuses: [{
+            name: 'vault-agent-init',
+            ready: false,
+            state: 'waiting',
+            reason: 'CrashLoopBackOff',
+          }],
+        }),
+      ])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      expect(result.healthy).toBe(false)
+      const crashIssue = result.issues.find((i) => i.title === 'CrashLoopBackOff')
+      expect(crashIssue).toBeDefined()
+      expect(crashIssue!.containerName).toBe('vault-agent-init')
+    })
+  })
+  describe('image-pull detection', () => {
+    it('detects ImagePullBackOff', async () => {
+      mockGetPods.mockResolvedValue([
+        makePod({
+          phase: 'Pending',
+          containerStatuses: [{
+            name: 'my-api',
+            ready: false,
+            state: 'waiting',
+            reason: 'ImagePullBackOff',
+            message: 'Back-off pulling image',
+          }],
+        }),
+      ])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      expect(result.healthy).toBe(false)
+      const issue = result.issues.find((i) => i.title === 'ImagePullBackOff')
+      expect(issue).toBeDefined()
+      expect(issue!.severity).toBe('critical')
+      expect(issue!.suggestion).toContain('registry')
+    })
+    it('detects ErrImagePull', async () => {
+      mockGetPods.mockResolvedValue([
+        makePod({
+          phase: 'Pending',
+          containerStatuses: [{
+            name: 'my-api',
+            ready: false,
+            state: 'waiting',
+            reason: 'ErrImagePull',
+          }],
+        }),
+      ])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      const issue = result.issues.find((i) => i.title === 'ImagePullBackOff')
+      expect(issue).toBeDefined()
+    })
+  })
+  describe('OOMKilled detection', () => {
+    it('detects OOMKilled container', async () => {
+      mockGetPods.mockResolvedValue([
+        makePod({
+          restartCount: 1,
+          containerStatuses: [{
+            name: 'my-api',
+            ready: false,
+            state: 'terminated',
+            reason: 'OOMKilled',
+          }],
+        }),
+      ])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      expect(result.healthy).toBe(false)
+      const issue = result.issues.find((i) => i.title === 'OOMKilled')
+      expect(issue).toBeDefined()
+      expect(issue!.severity).toBe('critical')
+      expect(issue!.suggestion).toContain('pod-tier')
+    })
+  })
+  describe('vault-init-failure detection', () => {
+    it('detects failed Vault init container', async () => {
+      mockGetPods.mockResolvedValue([
+        makePod({
+          phase: 'Init:Error',
+          containerStatuses: [{ name: 'my-api', ready: false, state: 'waiting' }],
+          initContainerStatuses: [{
+            name: 'vault-agent-init',
+            ready: false,
+            state: 'waiting',
+            message: 'vault auth failed',
+          }],
+        }),
+      ])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      expect(result.healthy).toBe(false)
+      const issue = result.issues.find((i) => i.title === 'Vault Init Container Failed')
+      expect(issue).toBeDefined()
+      expect(issue!.severity).toBe('critical')
+      expect(issue!.category).toBe('vault')
+      expect(issue!.suggestion).toContain('Vault')
+    })
+  })
+  describe('config-error detection', () => {
+    it('detects CreateContainerConfigError', async () => {
+      mockGetPods.mockResolvedValue([
+        makePod({
+          containerStatuses: [{
+            name: 'my-api',
+            ready: false,
+            state: 'waiting',
+            reason: 'CreateContainerConfigError',
+            message: 'secret "my-api-managed-secrets" not found',
+          }],
+        }),
+      ])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      expect(result.healthy).toBe(false)
+      const issue = result.issues.find((i) => i.title === 'Missing ConfigMap or Secret')
+      expect(issue).toBeDefined()
+      expect(issue!.detail).toContain('my-api-managed-secrets')
+      expect(issue!.suggestion).toContain('tawa config set')
+    })
+  })
+  describe('pending-scheduling detection', () => {
+    it('detects FailedScheduling event on Pending pod', async () => {
+      mockGetPods.mockResolvedValue([
+        makePod({
+          phase: 'Pending',
+          containerStatuses: [],
+          events: [{
+            type: 'Warning',
+            reason: 'FailedScheduling',
+            message: '0/3 nodes are available: insufficient cpu.',
+            age: '2m',
+          }],
+        }),
+      ])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      const issue = result.issues.find((i) => i.title === 'Pod Pending (FailedScheduling)')
+      expect(issue).toBeDefined()
+      expect(issue!.severity).toBe('warning')
+      expect(issue!.detail).toContain('insufficient cpu')
+    })
+  })
+  describe('high-restarts detection', () => {
+    it('flags pods with 3+ restarts not in CrashLoopBackOff', async () => {
+      mockGetPods.mockResolvedValue([
+        makePod({
+          restartCount: 4,
+          containerStatuses: [{
+            name: 'my-api',
+            ready: true,
+            state: 'running',
+          }],
+        }),
+      ])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      const issue = result.issues.find((i) => i.title === 'High Restart Count')
+      expect(issue).toBeDefined()
+      expect(issue!.severity).toBe('warning')
+      expect(issue!.detail).toContain('4 times')
+    })
+    it('does not flag high restarts when CrashLoopBackOff is already detected', async () => {
+      mockGetPods.mockResolvedValue([
+        makePod({
+          restartCount: 10,
+          containerStatuses: [{
+            name: 'my-api',
+            ready: false,
+            state: 'waiting',
+            reason: 'CrashLoopBackOff',
+          }],
+        }),
+      ])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      const highRestartsIssue = result.issues.find((i) => i.title === 'High Restart Count')
+      expect(highRestartsIssue).toBeUndefined()
+      const crashIssue = result.issues.find((i) => i.title === 'CrashLoopBackOff')
+      expect(crashIssue).toBeDefined()
+    })
+  })
+  describe('mixed status', () => {
+    it('reports multiple issues from different pods sorted by severity', async () => {
+      mockGetPods.mockResolvedValue([
+        makePod({ name: 'healthy-pod' }),
+        makePod({
+          name: 'crash-pod',
+          restartCount: 5,
+          containerStatuses: [{
+            name: 'app',
+            ready: false,
+            state: 'waiting',
+            reason: 'CrashLoopBackOff',
+          }],
+        }),
+        makePod({
+          name: 'restart-pod',
+          restartCount: 4,
+          containerStatuses: [{
+            name: 'app',
+            ready: true,
+            state: 'running',
+          }],
+        }),
+      ])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      expect(result.healthy).toBe(false)
+      expect(result.issues.length).toBeGreaterThanOrEqual(2)
+      // Critical issues should come first
+      expect(result.issues[0].severity).toBe('critical')
+      expect(result.pods).toHaveLength(3)
+    })
+  })
+  describe('result structure', () => {
+    it('includes analyzedAt timestamp', async () => {
+      mockGetPods.mockResolvedValue([makePod()])
+      const result = await troubleshoot('my-api', 'my-api-prod', 'prod')
+      expect(result.analyzedAt).toBeTruthy()
+      expect(new Date(result.analyzedAt).getTime()).not.toBeNaN()
+    })
+  })
+})

package/src/services/bio-client.ts ADDED Viewed

@@ -0,0 +1,189 @@
+import { env } from '../config/env.js'
+import { logger } from '../utils/logger.js'
+interface ApiResponse<T> {
+  success: boolean
+  data?: T
+  error?: {
+    code: string
+    message: string
+    details?: unknown
+  }
+}
+interface RequestOptions {
+  forwardedFor?: string
+  userAgent?: string
+}
+class BioClient {
+  private baseUrl: string
+  private internalKey: string
+  constructor(baseUrl: string, internalKey: string) {
+    this.baseUrl = baseUrl.replace(/\/$/, '')
+    this.internalKey = internalKey
+  }
+  private async request<T>(
+    method: string,
+    path: string,
+    body?: unknown,
+    options?: RequestOptions
+  ): Promise<ApiResponse<T>> {
+    const url = `${this.baseUrl}${path}`
+    const headers: Record<string, string> = {
+      'Content-Type': 'application/json',
+      'X-Internal-Key': this.internalKey,
+    }
+    if (options?.forwardedFor) {
+      headers['X-Forwarded-For'] = options.forwardedFor
+    }
+    if (options?.userAgent) {
+      headers['User-Agent'] = options.userAgent
+    }
+    try {
+      const response = await fetch(url, {
+        method,
+        headers,
+        body: body ? JSON.stringify(body) : undefined,
+      })
+      const json = await response.json() as ApiResponse<T>
+      if (!response.ok && !json.error) {
+        return {
+          success: false,
+          error: {
+            code: 'UPSTREAM_ERROR',
+            message: `Bio-ID returned ${response.status}`,
+          },
+        }
+      }
+      return json
+    } catch (error) {
+      logger.error({ error, url, method }, 'Bio-ID request failed')
+      return {
+        success: false,
+        error: {
+          code: 'UPSTREAM_ERROR',
+          message: 'Bio-ID service unavailable',
+        },
+      }
+    }
+  }
+  async listClients(options?: RequestOptions) {
+    return this.request<unknown[]>('GET', '/api/admin/oauth-clients', undefined, options)
+  }
+  async getClient(clientId: string, options?: RequestOptions) {
+    return this.request<unknown>('GET', `/api/admin/oauth-clients/${encodeURIComponent(clientId)}`, undefined, options)
+  }
+  async createClient(data: unknown, options?: RequestOptions) {
+    return this.request<unknown>('POST', '/api/admin/oauth-clients', data, options)
+  }
+  async updateClient(clientId: string, data: unknown, options?: RequestOptions) {
+    return this.request<unknown>('PATCH', `/api/admin/oauth-clients/${encodeURIComponent(clientId)}`, data, options)
+  }
+  async deleteClient(clientId: string, options?: RequestOptions) {
+    return this.request<unknown>('DELETE', `/api/admin/oauth-clients/${encodeURIComponent(clientId)}`, undefined, options)
+  }
+  async addRedirectUri(clientId: string, uri: string, options?: RequestOptions) {
+    return this.request<unknown>(
+      'POST',
+      `/api/admin/oauth-clients/${encodeURIComponent(clientId)}/redirect-uris`,
+      { uri },
+      options
+    )
+  }
+  async removeRedirectUri(clientId: string, uri: string, options?: RequestOptions) {
+    return this.request<unknown>(
+      'DELETE',
+      `/api/admin/oauth-clients/${encodeURIComponent(clientId)}/redirect-uris`,
+      { uri },
+      options
+    )
+  }
+  async regenerateSecret(clientId: string, options?: RequestOptions) {
+    return this.request<unknown>(
+      'POST',
+      `/api/admin/oauth-clients/${encodeURIComponent(clientId)}/regenerate-secret`,
+      undefined,
+      options
+    )
+  }
+  async listScopeGrants(filters: {
+    requestingServiceId?: string
+    targetServiceId?: string
+    credentialId?: string
+    status?: string
+  }, options?: RequestOptions) {
+    const params = new URLSearchParams()
+    if (filters.requestingServiceId) params.set('requestingServiceId', filters.requestingServiceId)
+    if (filters.targetServiceId) params.set('targetServiceId', filters.targetServiceId)
+    if (filters.credentialId) params.set('credentialId', filters.credentialId)
+    if (filters.status) params.set('status', filters.status)
+    const qs = params.toString()
+    return this.request<unknown[]>('GET', `/api/admin/scope-grants${qs ? `?${qs}` : ''}`, undefined, options)
+  }
+  async createScopeGrant(data: {
+    requestingServiceId: string
+    targetServiceId: string
+    requestedScopes: string[]
+    requestNote?: string
+    credentialType: 'oauth_client' | 'api_key'
+    credentialId: string
+  }, options?: RequestOptions) {
+    return this.request<unknown>('POST', '/api/admin/scope-grants', data, options)
+  }
+  async registerModule(data: {
+    moduleId: string
+    name: string
+    description: string
+    serviceId: string
+    owner?: string
+    homepage?: string
+    scopes: ReadonlyArray<{ code: string; name: string; description: string }>
+    defaultScopes?: readonly string[]
+    onboarding?: {
+      requirePasswordSetup?: boolean
+      requireProfileCompletion?: boolean
+      podOnboardingUrl?: string
+      welcomeMessage?: string
+      skipForExistingUsers?: boolean
+    }
+  }, options?: RequestOptions) {
+    return this.request<unknown>('POST', '/api/admin/modules', data, options)
+  }
+}
+let bioClientInstance: BioClient | null = null
+export function getBioClient(): BioClient {
+  if (!bioClientInstance) {
+    if (!env.BIO_INTERNAL_KEY) {
+      throw new Error('BIO_INTERNAL_KEY is not configured')
+    }
+    bioClientInstance = new BioClient(env.BIO_ID_URL, env.BIO_INTERNAL_KEY)
+  }
+  return bioClientInstance
+}
+export function extractRequestMeta(req: { headers: Record<string, string | string[] | undefined> }): RequestOptions {
+  const forwardedFor = (req.headers['x-forwarded-for'] as string) || (req.headers['x-real-ip'] as string)
+  const userAgent = req.headers['user-agent'] as string
+  return { forwardedFor, userAgent }
+}

package/src/services/build-queue.ts ADDED Viewed

@@ -0,0 +1,137 @@
+import { Queue, Worker, type Job } from 'bullmq'
+import { env } from '../config/env.js'
+import { logger } from '../utils/logger.js'
+import { executeBuild } from './builder.js'
+import { getBuildsCollection, getRedis } from './database.js'
+const QUEUE_NAME = 'iec-builds'
+const LEGACY_QUEUE_KEY = 'iec:build:queue'
+let buildQueue: Queue | null = null
+let buildWorker: Worker | null = null
+function parseRedisConnection() {
+  const url = new URL(env.REDIS_URL)
+  return {
+    host: url.hostname,
+    port: Number(url.port) || 6379,
+    ...(url.username ? { username: url.username } : {}),
+    ...(url.password ? { password: url.password } : {}),
+    maxRetriesPerRequest: null as null,  // Required for BullMQ blocking commands
+  }
+}
+export async function initBuildQueue(): Promise<void> {
+  const connection = parseRedisConnection()
+  buildQueue = new Queue(QUEUE_NAME, {
+    connection,
+    defaultJobOptions: {
+      attempts: 1,
+      removeOnComplete: 100,
+      removeOnFail: 200,
+    },
+  })
+  await drainLegacyQueue()
+  logger.info({ queue: QUEUE_NAME }, 'BullMQ build queue initialized')
+}
+/**
+ * One-time migration: drain any buildIds remaining in the legacy
+ * Redis list into BullMQ. After first deploy this is always a no-op.
+ */
+async function drainLegacyQueue(): Promise<void> {
+  try {
+    const redis = getRedis()
+    let migrated = 0
+    let buildId = await redis.rpop(LEGACY_QUEUE_KEY)
+    while (buildId) {
+      await enqueueBuild(buildId)
+      migrated++
+      buildId = await redis.rpop(LEGACY_QUEUE_KEY)
+    }
+    if (migrated > 0) {
+      logger.info({ migrated }, 'Drained legacy Redis list queue into BullMQ')
+    }
+  } catch (err) {
+    // Redis is connected at this point (connectRedis ran first); a failure here is unexpected
+    logger.error({ err }, 'Failed to drain legacy Redis queue — some builds may have been lost')
+  }
+}
+export async function enqueueBuild(buildId: string): Promise<void> {
+  if (!buildQueue) throw new Error('Build queue not initialized')
+  await buildQueue.add('build', { buildId }, { jobId: buildId })
+}
+export function initBuildWorker(): void {
+  if (!buildQueue) throw new Error('Build queue must be initialized before worker')
+  const connection = parseRedisConnection()
+  const concurrency = env.BUILD_CONCURRENCY
+  buildWorker = new Worker(
+    QUEUE_NAME,
+    async (job: Job<{ buildId: string }>) => {
+      const { buildId } = job.data
+      // Guard: if the build was already marked failed (e.g. by recoverStaleBuilds
+      // after a crash) or cancelled, skip re-execution. BullMQ marks this job as
+      // completed — intentional, since the build state is managed in MongoDB.
+      const builds = getBuildsCollection()
+      const build = await builds.findOne({ id: buildId })
+      if (!build || build.status === 'failed' || build.status === 'cancelled' || build.status === 'completed') {
+        logger.info({ buildId, status: build?.status }, 'Skipping build — already in terminal state')
+        return
+      }
+      logger.info({ buildId, jobId: job.id, concurrency }, 'Processing build')
+      await executeBuild(buildId)
+    },
+    {
+      connection,
+      concurrency,
+      lockDuration: 20 * 60 * 1000,   // 20 min — generous for slow Docker builds
+      lockRenewTime: 5 * 60 * 1000,   // renew every 5 min (4x before expiry)
+      stalledInterval: 5 * 60 * 1000,
+    },
+  )
+  buildWorker.on('completed', (job) => {
+    logger.info({ jobId: job.id, buildId: job.data.buildId }, 'Build job completed')
+  })
+  buildWorker.on('failed', (job, err) => {
+    logger.error({ jobId: job?.id, buildId: job?.data.buildId, err }, 'Build job failed')
+  })
+  buildWorker.on('stalled', (jobId) => {
+    logger.warn({ jobId }, 'Build job stalled — BullMQ will attempt recovery')
+  })
+  buildWorker.on('error', (err) => {
+    logger.error({ err }, 'BullMQ worker error')
+  })
+  logger.info({ concurrency, queue: QUEUE_NAME }, 'BullMQ build worker started')
+}
+export function getBuildQueue(): Queue | null {
+  return buildQueue
+}
+export async function closeBuildQueue(): Promise<void> {
+  if (buildWorker) {
+    logger.info('Closing BullMQ worker — waiting for active builds to finish...')
+    await buildWorker.close()
+    logger.info('BullMQ worker closed')
+  }
+  if (buildQueue) {
+    await buildQueue.close()
+    logger.info('BullMQ queue closed')
+  }
+}