npm - iec-builder - Versions diffs - 0.1.0 - Mend

iec-builder 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/.claude/settings.local.json +111 -0
package/.iec.yaml +5 -0
package/CLAUDE.md +174 -0
package/Dockerfile +34 -0
package/README.md +84 -0
package/catalog-info.yaml +11 -0
package/dist/config/env.d.ts +219 -0
package/dist/config/env.d.ts.map +1 -0
package/dist/config/env.js +89 -0
package/dist/config/env.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +148 -0
package/dist/index.js.map +1 -0
package/dist/middleware/auth.d.ts +43 -0
package/dist/middleware/auth.d.ts.map +1 -0
package/dist/middleware/auth.js +217 -0
package/dist/middleware/auth.js.map +1 -0
package/dist/middleware/org-access.d.ts +28 -0
package/dist/middleware/org-access.d.ts.map +1 -0
package/dist/middleware/org-access.js +102 -0
package/dist/middleware/org-access.js.map +1 -0
package/dist/models/types.d.ts +254 -0
package/dist/models/types.d.ts.map +1 -0
package/dist/models/types.js +2 -0
package/dist/models/types.js.map +1 -0
package/dist/routes/ai.d.ts +2 -0
package/dist/routes/ai.d.ts.map +1 -0
package/dist/routes/ai.js +77 -0
package/dist/routes/ai.js.map +1 -0
package/dist/routes/audit.d.ts +2 -0
package/dist/routes/audit.d.ts.map +1 -0
package/dist/routes/audit.js +102 -0
package/dist/routes/audit.js.map +1 -0
package/dist/routes/builds.d.ts +2 -0
package/dist/routes/builds.d.ts.map +1 -0
package/dist/routes/builds.js +262 -0
package/dist/routes/builds.js.map +1 -0
package/dist/routes/cluster.d.ts +2 -0
package/dist/routes/cluster.d.ts.map +1 -0
package/dist/routes/cluster.js +181 -0
package/dist/routes/cluster.js.map +1 -0
package/dist/routes/config.d.ts +2 -0
package/dist/routes/config.d.ts.map +1 -0
package/dist/routes/config.js +291 -0
package/dist/routes/config.js.map +1 -0
package/dist/routes/databases.d.ts +2 -0
package/dist/routes/databases.d.ts.map +1 -0
package/dist/routes/databases.js +161 -0
package/dist/routes/databases.js.map +1 -0
package/dist/routes/db-whitelist.d.ts +2 -0
package/dist/routes/db-whitelist.d.ts.map +1 -0
package/dist/routes/db-whitelist.js +148 -0
package/dist/routes/db-whitelist.js.map +1 -0
package/dist/routes/domains.d.ts +2 -0
package/dist/routes/domains.d.ts.map +1 -0
package/dist/routes/domains.js +449 -0
package/dist/routes/domains.js.map +1 -0
package/dist/routes/oauth.d.ts +2 -0
package/dist/routes/oauth.d.ts.map +1 -0
package/dist/routes/oauth.js +180 -0
package/dist/routes/oauth.js.map +1 -0
package/dist/routes/observability.d.ts +2 -0
package/dist/routes/observability.d.ts.map +1 -0
package/dist/routes/observability.js +167 -0
package/dist/routes/observability.js.map +1 -0
package/dist/routes/orgs.d.ts +2 -0
package/dist/routes/orgs.d.ts.map +1 -0
package/dist/routes/orgs.js +270 -0
package/dist/routes/orgs.js.map +1 -0
package/dist/routes/platform.d.ts +2 -0
package/dist/routes/platform.d.ts.map +1 -0
package/dist/routes/platform.js +107 -0
package/dist/routes/platform.js.map +1 -0
package/dist/routes/push.d.ts +2 -0
package/dist/routes/push.d.ts.map +1 -0
package/dist/routes/push.js +233 -0
package/dist/routes/push.js.map +1 -0
package/dist/routes/rotation.d.ts +3 -0
package/dist/routes/rotation.d.ts.map +1 -0
package/dist/routes/rotation.js +154 -0
package/dist/routes/rotation.js.map +1 -0
package/dist/routes/services.d.ts +2 -0
package/dist/routes/services.d.ts.map +1 -0
package/dist/routes/services.js +246 -0
package/dist/routes/services.js.map +1 -0
package/dist/routes/storage.d.ts +2 -0
package/dist/routes/storage.d.ts.map +1 -0
package/dist/routes/storage.js +118 -0
package/dist/routes/storage.js.map +1 -0
package/dist/routes/users.d.ts +2 -0
package/dist/routes/users.d.ts.map +1 -0
package/dist/routes/users.js +183 -0
package/dist/routes/users.js.map +1 -0
package/dist/routes/versions.d.ts +2 -0
package/dist/routes/versions.d.ts.map +1 -0
package/dist/routes/versions.js +195 -0
package/dist/routes/versions.js.map +1 -0
package/dist/routes/webhooks.d.ts +2 -0
package/dist/routes/webhooks.d.ts.map +1 -0
package/dist/routes/webhooks.js +334 -0
package/dist/routes/webhooks.js.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts +2 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js +482 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js.map +1 -0
package/dist/services/bio-client.d.ts +68 -0
package/dist/services/bio-client.d.ts.map +1 -0
package/dist/services/bio-client.js +110 -0
package/dist/services/bio-client.js.map +1 -0
package/dist/services/build-queue.d.ts +7 -0
package/dist/services/build-queue.d.ts.map +1 -0
package/dist/services/build-queue.js +114 -0
package/dist/services/build-queue.js.map +1 -0
package/dist/services/builder.d.ts +7 -0
package/dist/services/builder.d.ts.map +1 -0
package/dist/services/builder.js +1384 -0
package/dist/services/builder.js.map +1 -0
package/dist/services/catalog.d.ts +177 -0
package/dist/services/catalog.d.ts.map +1 -0
package/dist/services/catalog.js +805 -0
package/dist/services/catalog.js.map +1 -0
package/dist/services/catalog.test.d.ts +2 -0
package/dist/services/catalog.test.d.ts.map +1 -0
package/dist/services/catalog.test.js +467 -0
package/dist/services/catalog.test.js.map +1 -0
package/dist/services/cloudflare.d.ts +43 -0
package/dist/services/cloudflare.d.ts.map +1 -0
package/dist/services/cloudflare.js +182 -0
package/dist/services/cloudflare.js.map +1 -0
package/dist/services/config-validator.d.ts +28 -0
package/dist/services/config-validator.d.ts.map +1 -0
package/dist/services/config-validator.js +68 -0
package/dist/services/config-validator.js.map +1 -0
package/dist/services/config-validator.test.d.ts +2 -0
package/dist/services/config-validator.test.d.ts.map +1 -0
package/dist/services/config-validator.test.js +151 -0
package/dist/services/config-validator.test.js.map +1 -0
package/dist/services/crypto.d.ts +19 -0
package/dist/services/crypto.d.ts.map +1 -0
package/dist/services/crypto.js +63 -0
package/dist/services/crypto.js.map +1 -0
package/dist/services/database.d.ts +26 -0
package/dist/services/database.d.ts.map +1 -0
package/dist/services/database.js +100 -0
package/dist/services/database.js.map +1 -0
package/dist/services/db-credential-manager.d.ts +73 -0
package/dist/services/db-credential-manager.d.ts.map +1 -0
package/dist/services/db-credential-manager.js +342 -0
package/dist/services/db-credential-manager.js.map +1 -0
package/dist/services/db-provisioner.d.ts +57 -0
package/dist/services/db-provisioner.d.ts.map +1 -0
package/dist/services/db-provisioner.js +400 -0
package/dist/services/db-provisioner.js.map +1 -0
package/dist/services/db-provisioner.test.d.ts +2 -0
package/dist/services/db-provisioner.test.d.ts.map +1 -0
package/dist/services/db-provisioner.test.js +141 -0
package/dist/services/db-provisioner.test.js.map +1 -0
package/dist/services/db-whitelist.d.ts +58 -0
package/dist/services/db-whitelist.d.ts.map +1 -0
package/dist/services/db-whitelist.js +379 -0
package/dist/services/db-whitelist.js.map +1 -0
package/dist/services/dependency-resolver.d.ts +58 -0
package/dist/services/dependency-resolver.d.ts.map +1 -0
package/dist/services/dependency-resolver.js +180 -0
package/dist/services/dependency-resolver.js.map +1 -0
package/dist/services/dependency-resolver.test.d.ts +2 -0
package/dist/services/dependency-resolver.test.d.ts.map +1 -0
package/dist/services/dependency-resolver.test.js +195 -0
package/dist/services/dependency-resolver.test.js.map +1 -0
package/dist/services/deploy-gate.d.ts +19 -0
package/dist/services/deploy-gate.d.ts.map +1 -0
package/dist/services/deploy-gate.js +56 -0
package/dist/services/deploy-gate.js.map +1 -0
package/dist/services/deploy-gate.test.d.ts +2 -0
package/dist/services/deploy-gate.test.d.ts.map +1 -0
package/dist/services/deploy-gate.test.js +199 -0
package/dist/services/deploy-gate.test.js.map +1 -0
package/dist/services/dockerfile-generator.d.ts +31 -0
package/dist/services/dockerfile-generator.d.ts.map +1 -0
package/dist/services/dockerfile-generator.js +544 -0
package/dist/services/dockerfile-generator.js.map +1 -0
package/dist/services/dockerfile-generator.test.d.ts +2 -0
package/dist/services/dockerfile-generator.test.d.ts.map +1 -0
package/dist/services/dockerfile-generator.test.js +144 -0
package/dist/services/dockerfile-generator.test.js.map +1 -0
package/dist/services/forgejo.d.ts +58 -0
package/dist/services/forgejo.d.ts.map +1 -0
package/dist/services/forgejo.js +131 -0
package/dist/services/forgejo.js.map +1 -0
package/dist/services/koko.d.ts +153 -0
package/dist/services/koko.d.ts.map +1 -0
package/dist/services/koko.js +260 -0
package/dist/services/koko.js.map +1 -0
package/dist/services/kubernetes.d.ts +16 -0
package/dist/services/kubernetes.d.ts.map +1 -0
package/dist/services/kubernetes.js +102 -0
package/dist/services/kubernetes.js.map +1 -0
package/dist/services/oauth-provisioner.d.ts +30 -0
package/dist/services/oauth-provisioner.d.ts.map +1 -0
package/dist/services/oauth-provisioner.js +182 -0
package/dist/services/oauth-provisioner.js.map +1 -0
package/dist/services/oauth-provisioner.test.d.ts +2 -0
package/dist/services/oauth-provisioner.test.d.ts.map +1 -0
package/dist/services/oauth-provisioner.test.js +349 -0
package/dist/services/oauth-provisioner.test.js.map +1 -0
package/dist/services/pod-diagnostics.d.ts +11 -0
package/dist/services/pod-diagnostics.d.ts.map +1 -0
package/dist/services/pod-diagnostics.js +201 -0
package/dist/services/pod-diagnostics.js.map +1 -0
package/dist/services/rotation-scheduler.d.ts +2 -0
package/dist/services/rotation-scheduler.d.ts.map +1 -0
package/dist/services/rotation-scheduler.js +215 -0
package/dist/services/rotation-scheduler.js.map +1 -0
package/dist/services/storage-credential-manager.d.ts +43 -0
package/dist/services/storage-credential-manager.d.ts.map +1 -0
package/dist/services/storage-credential-manager.js +159 -0
package/dist/services/storage-credential-manager.js.map +1 -0
package/dist/services/storage-provisioner.d.ts +32 -0
package/dist/services/storage-provisioner.d.ts.map +1 -0
package/dist/services/storage-provisioner.js +136 -0
package/dist/services/storage-provisioner.js.map +1 -0
package/dist/services/storage.d.ts +65 -0
package/dist/services/storage.d.ts.map +1 -0
package/dist/services/storage.js +204 -0
package/dist/services/storage.js.map +1 -0
package/dist/services/troubleshooter.d.ts +22 -0
package/dist/services/troubleshooter.d.ts.map +1 -0
package/dist/services/troubleshooter.js +168 -0
package/dist/services/troubleshooter.js.map +1 -0
package/dist/services/vault-client.d.ts +114 -0
package/dist/services/vault-client.d.ts.map +1 -0
package/dist/services/vault-client.js +411 -0
package/dist/services/vault-client.js.map +1 -0
package/dist/utils/logger.d.ts +2 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +6 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/response.d.ts +13 -0
package/dist/utils/response.d.ts.map +1 -0
package/dist/utils/response.js +12 -0
package/dist/utils/response.js.map +1 -0
package/docs/registry-migration.md +301 -0
package/docs/registry-quickstart.md +169 -0
package/ecosystem.config.cjs +14 -0
package/findings.md +168 -0
package/helm/default-service/Chart.yaml +6 -0
package/helm/default-service/templates/deployment.yaml +97 -0
package/helm/default-service/templates/ingress.yaml +43 -0
package/helm/default-service/templates/service.yaml +17 -0
package/helm/default-service/values.yaml +82 -0
package/helm/services/iec-builder/Chart.yaml +6 -0
package/helm/services/iec-builder/templates/_helpers.tpl +61 -0
package/helm/services/iec-builder/templates/deployment.yaml +73 -0
package/helm/services/iec-builder/templates/service.yaml +15 -0
package/helm/services/iec-builder/templates/serviceaccount.yaml +12 -0
package/helm/services/iec-builder/values.yaml +56 -0
package/helm/vault-values.yaml +127 -0
package/package.json +45 -0
package/progress.md +156 -0
package/scripts/.vault-init-keys.json +23 -0
package/scripts/backfill-ownership.ts +113 -0
package/scripts/finalize-mongo-auth.sh +212 -0
package/scripts/setup-ipset.sh +107 -0
package/scripts/setup-mongo-auth.sh +163 -0
package/scripts/setup-neo4j-auth.sh +62 -0
package/scripts/setup-redis-auth.sh +55 -0
package/scripts/setup-registry-secret.sh +71 -0
package/scripts/setup-vault.sh +308 -0
package/src/config/env.ts +117 -0
package/src/index.ts +153 -0
package/src/middleware/auth.ts +294 -0
package/src/middleware/org-access.ts +126 -0
package/src/models/types.ts +288 -0
package/src/routes/ai.ts +115 -0
package/src/routes/audit.ts +121 -0
package/src/routes/builds.ts +320 -0
package/src/routes/cluster.ts +235 -0
package/src/routes/config.ts +369 -0
package/src/routes/databases.ts +201 -0
package/src/routes/db-whitelist.ts +204 -0
package/src/routes/domains.ts +547 -0
package/src/routes/oauth.ts +195 -0
package/src/routes/observability.ts +205 -0
package/src/routes/orgs.ts +330 -0
package/src/routes/platform.ts +134 -0
package/src/routes/rotation.ts +191 -0
package/src/routes/services.ts +290 -0
package/src/routes/storage.ts +153 -0
package/src/routes/users.ts +235 -0
package/src/routes/webhooks.ts +384 -0
package/src/services/__tests__/catalog-storage.test.ts +186 -0
package/src/services/__tests__/deploy-pipeline.integration.test.ts +624 -0
package/src/services/__tests__/pod-diagnostics.test.ts +332 -0
package/src/services/__tests__/storage-credential-manager.test.ts +129 -0
package/src/services/__tests__/storage-provisioner.test.ts +166 -0
package/src/services/__tests__/troubleshooter.test.ts +329 -0
package/src/services/bio-client.ts +189 -0
package/src/services/build-queue.ts +137 -0
package/src/services/builder.ts +1800 -0
package/src/services/catalog.test.ts +1389 -0
package/src/services/catalog.ts +1187 -0
package/src/services/cloudflare.ts +259 -0
package/src/services/config-validator.test.ts +190 -0
package/src/services/config-validator.ts +108 -0
package/src/services/crypto.ts +78 -0
package/src/services/database.ts +122 -0
package/src/services/db-credential-manager.test.ts +101 -0
package/src/services/db-credential-manager.ts +447 -0
package/src/services/db-provisioner.test.ts +602 -0
package/src/services/db-provisioner.ts +589 -0
package/src/services/db-whitelist.test.ts +671 -0
package/src/services/db-whitelist.ts +496 -0
package/src/services/dependency-resolver.test.ts +677 -0
package/src/services/dependency-resolver.ts +319 -0
package/src/services/deploy-gate.test.ts +247 -0
package/src/services/deploy-gate.ts +75 -0
package/src/services/dockerfile-generator.test.ts +401 -0
package/src/services/dockerfile-generator.ts +606 -0
package/src/services/forgejo.ts +212 -0
package/src/services/koko.ts +492 -0
package/src/services/kubernetes.ts +141 -0
package/src/services/oauth-provisioner.test.ts +477 -0
package/src/services/oauth-provisioner.ts +286 -0
package/src/services/pod-diagnostics.ts +261 -0
package/src/services/rotation-scheduler.ts +293 -0
package/src/services/storage-credential-manager.ts +223 -0
package/src/services/storage-provisioner.ts +216 -0
package/src/services/storage.ts +274 -0
package/src/services/troubleshooter.ts +208 -0
package/src/services/vault-client.test.ts +272 -0
package/src/services/vault-client.ts +587 -0
package/src/utils/logger.ts +6 -0
package/src/utils/response.ts +23 -0
package/task_plan.md +171 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +19 -0

package/src/services/oauth-provisioner.ts ADDED Viewed

@@ -0,0 +1,286 @@
+import { getBioClient } from './bio-client.js'
+import { getServicesCollection } from './database.js'
+import { encrypt, decrypt } from './crypto.js'
+import { logger } from '../utils/logger.js'
+import type { CustomDomainRecord, OAuthCredentialRecord } from '../models/types.js'
+import type { AuthMode } from './catalog.js'
+export interface OAuthCredentials {
+  readonly clientId: string
+  readonly clientSecret: string
+}
+interface BioClientData {
+  clientId: string
+  clientSecret?: string
+  redirectUris?: string[]
+}
+/**
+ * Build the OAuth client ID from service name and environment.
+ */
+export function buildOAuthClientId(serviceName: string, environment: string): string {
+  return `${serviceName}-${environment}`
+}
+const DOMAIN_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/
+/**
+ * Build the set of redirect URIs for a service based on naming convention.
+ * Includes the platform hostname plus any verified custom domains for the environment.
+ */
+export function buildRedirectUris(
+  serviceName: string,
+  environment: string,
+  customDomains?: ReadonlyArray<CustomDomainRecord>
+): ReadonlyArray<string> {
+  const hostname = environment === 'prod'
+    ? `${serviceName}.tawa.insureco.io`
+    : `${serviceName}.${environment}.tawa.insureco.io`
+  const platformUri = `https://${hostname}/api/auth/callback`
+  const customUris = (customDomains ?? [])
+    .filter(d => d.dnsVerified && d.environment === environment && DOMAIN_RE.test(d.domain))
+    .map(d => `https://${d.domain}/api/auth/callback`)
+  return [platformUri, ...customUris]
+}
+/**
+ * Read stored OAuth credentials from the service's MongoDB document.
+ */
+function readStoredCredentials(
+  storedCreds: ReadonlyArray<OAuthCredentialRecord> | undefined,
+  clientId: string,
+  environment: string
+): OAuthCredentials | null {
+  const record = (storedCreds ?? []).find(
+    c => c.clientId === clientId && c.environment === environment
+  )
+  if (!record) return null
+  try {
+    const clientSecret = decrypt(record.clientSecretEncrypted)
+    return { clientId: record.clientId, clientSecret }
+  } catch (error) {
+    logger.warn({ clientId, error }, 'Failed to decrypt stored OAuth credentials')
+    return null
+  }
+}
+/**
+ * Persist OAuth credentials (encrypted) to the service's MongoDB document.
+ */
+async function storeCredentials(
+  serviceId: string,
+  credentials: OAuthCredentials,
+  environment: string,
+  existingCreds: ReadonlyArray<OAuthCredentialRecord> | undefined
+): Promise<void> {
+  const record: OAuthCredentialRecord = {
+    clientId: credentials.clientId,
+    clientSecretEncrypted: encrypt(credentials.clientSecret),
+    environment: environment as OAuthCredentialRecord['environment'],
+    provisionedAt: new Date().toISOString(),
+  }
+  // Replace existing record for this environment, or append
+  const filtered = (existingCreds ?? []).filter(
+    c => !(c.clientId === credentials.clientId && c.environment === environment)
+  )
+  await getServicesCollection().updateOne(
+    { id: serviceId },
+    { $set: { oauthCredentials: [...filtered, record], updatedAt: new Date().toISOString() } }
+  )
+  logger.info({ clientId: credentials.clientId, environment }, 'OAuth credentials stored in service record')
+}
+/**
+ * Try to create a new OAuth client in Bio-id.
+ * Returns the credentials if successful, null otherwise.
+ */
+async function createNewOAuthClient(
+  clientId: string,
+  serviceName: string,
+  environment: string,
+  redirectUris: ReadonlyArray<string>,
+  createdBy?: string,
+  grants?: ReadonlyArray<string>,
+  scopes?: ReadonlyArray<string>,
+  orgSlug?: string
+): Promise<OAuthCredentials | null> {
+  const bioClient = getBioClient()
+  const createResult = await bioClient.createClient({
+    clientId,
+    name: `${serviceName} (${environment})`,
+    redirectUris: [...redirectUris],
+    allowedGrantTypes: grants ? [...grants] : ['authorization_code', 'refresh_token'],
+    ...(scopes ? { allowedScopes: [...scopes] } : {}),
+    ...(createdBy ? { createdBy } : {}),
+    ...(orgSlug ? { orgSlug } : {}),
+  })
+  if (!createResult.success) {
+    logger.error(
+      { clientId, error: createResult.error },
+      'Failed to create OAuth client in Bio-id'
+    )
+    return null
+  }
+  const data = createResult.data as BioClientData
+  if (!data.clientSecret) {
+    logger.error({ clientId }, 'Bio-ID did not return clientSecret on create')
+    return null
+  }
+  return {
+    clientId: data.clientId,
+    clientSecret: data.clientSecret,
+  }
+}
+/**
+ * Update an existing OAuth client's redirect URIs in Bio-ID.
+ * Does NOT attempt to retrieve or regenerate the secret — the caller
+ * must already have the secret from the stored credentials.
+ */
+async function syncRedirectUris(
+  clientId: string,
+  redirectUris: ReadonlyArray<string>,
+  createdBy?: string,
+  grants?: ReadonlyArray<string>,
+  scopes?: ReadonlyArray<string>,
+  orgSlug?: string
+): Promise<void> {
+  const bioClient = getBioClient()
+  const updateResult = await bioClient.updateClient(clientId, {
+    redirectUris: [...redirectUris],
+    ...(grants ? { allowedGrantTypes: [...grants] } : {}),
+    ...(scopes ? { allowedScopes: [...scopes] } : {}),
+    ...(createdBy ? { createdBy } : {}),
+    ...(orgSlug ? { orgSlug } : {}),
+  })
+  if (!updateResult.success) {
+    logger.warn(
+      { clientId, error: updateResult.error },
+      'Failed to update OAuth client redirect URIs'
+    )
+  }
+}
+/**
+ * Provision an OAuth client in Bio-id for a deployed service.
+ *
+ * Priority order for the client secret:
+ * 1. Stored credentials in MongoDB (encrypted) — normal path for subsequent deploys
+ * 2. Create new client in Bio-ID — first deploy
+ * 3. Regenerate secret — client exists in Bio-ID but no stored credentials (migration)
+ *
+ * Credentials are persisted (encrypted) in the service document for future deploys.
+ * Redirect URIs are synced on every deploy to pick up custom domain changes.
+ *
+ * Returns null if Bio-id is unavailable or provisioning fails.
+ */
+export async function provisionOAuthClient(
+  serviceName: string,
+  environment: string,
+  namespace: string,
+  customDomains?: ReadonlyArray<CustomDomainRecord>,
+  createdBy?: string,
+  authMode?: AuthMode,
+  serviceId?: string,
+  storedOAuthCreds?: ReadonlyArray<OAuthCredentialRecord>,
+  hasExternalDeps?: boolean,
+  dependencyScopes?: ReadonlyArray<string>,
+  orgSlug?: string
+): Promise<OAuthCredentials | null> {
+  const clientId = buildOAuthClientId(serviceName, environment)
+  const grants = authMode === 'service-only'
+    ? ['client_credentials'] as const
+    : hasExternalDeps
+      ? ['authorization_code', 'refresh_token', 'client_credentials'] as const
+      : ['authorization_code', 'refresh_token'] as const
+  const redirectUris = authMode === 'service-only'
+    ? []
+    : buildRedirectUris(serviceName, environment, customDomains)
+  // Merge SSO scopes with dependency scopes (e.g. relay:send)
+  const ssoScopes = ['openid', 'profile', 'email']
+  const allScopes = Array.from(new Set([...ssoScopes, ...(dependencyScopes || [])]))
+  logger.info(
+    { clientId, serviceName, environment, authMode, redirectUris, grants, allowedScopes: allScopes },
+    'Provisioning OAuth client'
+  )
+  try {
+    // 1. Check stored credentials first (fastest, no network call to Bio-ID)
+    const stored = readStoredCredentials(storedOAuthCreds, clientId, environment)
+    if (stored) {
+      logger.info({ clientId }, 'Using stored OAuth credentials, syncing redirect URIs')
+      await syncRedirectUris(clientId, redirectUris, createdBy, [...grants], allScopes, orgSlug)
+      return stored
+    }
+    // 2. No stored credentials — check Bio-ID
+    const bioClient = getBioClient()
+    const existingResult = await bioClient.getClient(clientId)
+    let credentials: OAuthCredentials | null
+    if (existingResult.success && existingResult.data) {
+      // Client exists in Bio-ID but we have no stored secret.
+      // Must regenerate to get a secret we can store.
+      logger.warn({ clientId }, 'OAuth client exists in Bio-ID but no stored credentials, regenerating secret')
+      await syncRedirectUris(clientId, redirectUris, createdBy, [...grants], allScopes, orgSlug)
+      const regenResult = await bioClient.regenerateSecret(clientId)
+      const regenSecret = (regenResult.data as BioClientData | undefined)?.clientSecret
+      if (!regenSecret) {
+        logger.error({ clientId, error: regenResult.error }, 'Failed to regenerate OAuth client secret')
+        return null
+      }
+      credentials = { clientId, clientSecret: regenSecret }
+    } else if (
+      existingResult.error?.code === 'NOT_FOUND' ||
+      existingResult.error?.code === 'RESOURCE_NOT_FOUND'
+    ) {
+      // Client does not exist — create new
+      logger.info({ clientId }, 'OAuth client not found, creating new')
+      credentials = await createNewOAuthClient(clientId, serviceName, environment, redirectUris, createdBy, [...grants], allScopes, orgSlug)
+    } else {
+      // Bio-id returned an unexpected error (likely unavailable)
+      logger.error(
+        { clientId, error: existingResult.error },
+        'Bio-id returned unexpected error, skipping OAuth provisioning'
+      )
+      return null
+    }
+    if (!credentials) {
+      return null
+    }
+    // 3. Store credentials for future deploys
+    if (serviceId) {
+      await storeCredentials(serviceId, credentials, environment, storedOAuthCreds)
+    }
+    return credentials
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Unknown error'
+    logger.error(
+      { clientId, error: message },
+      'OAuth provisioning failed'
+    )
+    return null
+  }
+}

package/src/services/pod-diagnostics.ts ADDED Viewed

@@ -0,0 +1,261 @@
+import { spawn } from 'child_process'
+import { logger } from '../utils/logger.js'
+import type { PodDiagnostic, ContainerStatusInfo, PodEventInfo, DeployDiagnostics } from '../models/types.js'
+const KUBECTL_TIMEOUT = 15_000
+// Strict K8s name validation to prevent command injection
+const K8S_NAME_REGEX = /^[a-z0-9][a-z0-9._-]{0,252}$/
+function validateK8sName(value: string, label: string): string {
+  if (!K8S_NAME_REGEX.test(value)) {
+    throw new Error(`Invalid ${label}: "${value}"`)
+  }
+  return value
+}
+async function kubectlArgs(args: ReadonlyArray<string>): Promise<string> {
+  return new Promise((resolve) => {
+    const proc = spawn('kubectl', args as string[])
+    let out = ''
+    let errOut = ''
+    proc.stdout.on('data', (chunk: Buffer) => { out += chunk.toString() })
+    proc.stderr.on('data', (chunk: Buffer) => { errOut += chunk.toString() })
+    proc.on('close', (code) => {
+      if (code !== 0 && errOut) {
+        logger.warn({ args: args.slice(0, 6), code }, 'kubectl command failed (diagnostic)')
+      }
+      resolve(out.trim())
+    })
+    proc.on('error', (err) => {
+      logger.warn({ args: args.slice(0, 6), err }, 'kubectl spawn failed (diagnostic)')
+      resolve('')
+    })
+    const timer = setTimeout(() => {
+      proc.kill('SIGTERM')
+      resolve('')
+    }, KUBECTL_TIMEOUT)
+    proc.on('close', () => clearTimeout(timer))
+  })
+}
+interface K8sContainerStatus {
+  name: string
+  ready: boolean
+  restartCount: number
+  state: Record<string, { reason?: string; message?: string; exitCode?: number; startedAt?: string }>
+  lastState?: Record<string, { reason?: string; message?: string; exitCode?: number }>
+}
+interface K8sPodItem {
+  metadata: { name: string; namespace: string }
+  status: {
+    phase: string
+    reason?: string
+    containerStatuses?: K8sContainerStatus[]
+    initContainerStatuses?: K8sContainerStatus[]
+  }
+}
+interface K8sEvent {
+  type: string
+  reason: string
+  message: string
+  lastTimestamp?: string
+  eventTime?: string
+  metadata?: { creationTimestamp?: string }
+  involvedObject?: { name: string }
+}
+function parseContainerStatus(cs: K8sContainerStatus): ContainerStatusInfo {
+  const stateKey = Object.keys(cs.state)[0] ?? 'unknown'
+  const stateDetail = cs.state[stateKey] ?? {}
+  const lastStateKey = cs.lastState ? Object.keys(cs.lastState)[0] : undefined
+  const lastDetail = lastStateKey && cs.lastState ? cs.lastState[lastStateKey] : undefined
+  return {
+    name: cs.name,
+    ready: cs.ready,
+    state: stateKey,
+    reason: stateDetail.reason ?? lastDetail?.reason,
+    message: stateDetail.message ?? lastDetail?.message,
+    exitCode: stateDetail.exitCode ?? lastDetail?.exitCode,
+  }
+}
+function computeRestartCount(containerStatuses: K8sContainerStatus[] | undefined): number {
+  if (!containerStatuses) return 0
+  return containerStatuses.reduce((sum, cs) => sum + (cs.restartCount || 0), 0)
+}
+export async function getPodEvents(namespace: string, podName: string): Promise<ReadonlyArray<PodEventInfo>> {
+  const ns = validateK8sName(namespace, 'namespace')
+  const pod = validateK8sName(podName, 'podName')
+  const raw = await kubectlArgs([
+    'get', 'events', '-n', ns,
+    '--field-selector', `involvedObject.name=${pod}`,
+    '--sort-by=.lastTimestamp', '-o', 'json',
+  ])
+  if (!raw) return []
+  try {
+    const parsed = JSON.parse(raw)
+    const items: K8sEvent[] = parsed.items ?? []
+    return items.slice(-20).map((e) => ({
+      type: e.type ?? 'Normal',
+      reason: e.reason ?? 'Unknown',
+      message: e.message ?? '',
+      age: e.lastTimestamp ?? e.eventTime ?? e.metadata?.creationTimestamp ?? '',
+    }))
+  } catch {
+    return []
+  }
+}
+export async function getContainerLogs(
+  namespace: string,
+  podName: string,
+  options?: { previous?: boolean; tail?: number; container?: string }
+): Promise<string> {
+  const ns = validateK8sName(namespace, 'namespace')
+  const pod = validateK8sName(podName, 'podName')
+  const tail = options?.tail ?? 50
+  const args = ['logs', '-n', ns, pod, `--tail=${tail}`]
+  if (options?.previous) args.push('--previous')
+  if (options?.container) {
+    args.push('-c', validateK8sName(options.container, 'container'))
+  }
+  return kubectlArgs(args)
+}
+export async function getPods(namespace: string, serviceName?: string): Promise<ReadonlyArray<PodDiagnostic>> {
+  const ns = validateK8sName(namespace, 'namespace')
+  const baseArgs = ['get', 'pods', '-n', ns, '-o', 'json']
+  const labelArgs = serviceName
+    ? [...baseArgs, '-l', `app=${validateK8sName(serviceName, 'serviceName')}`]
+    : baseArgs
+  const raw = await kubectlArgs(labelArgs)
+  if (!raw) {
+    // Try alternative label selector for custom charts
+    if (serviceName) {
+      const altRaw = await kubectlArgs([
+        ...baseArgs, '-l', `app.kubernetes.io/name=${validateK8sName(serviceName, 'serviceName')}`,
+      ])
+      if (altRaw) return parsePodList(altRaw, ns)
+    }
+    return []
+  }
+  return parsePodList(raw, ns)
+}
+async function parsePodList(raw: string, namespace: string): Promise<ReadonlyArray<PodDiagnostic>> {
+  try {
+    const parsed = JSON.parse(raw)
+    const items: K8sPodItem[] = parsed.items ?? []
+    const results = await Promise.all(
+      items.map(async (pod) => {
+        const containerStatuses = (pod.status.containerStatuses ?? []).map(parseContainerStatus)
+        const initContainerStatuses = (pod.status.initContainerStatuses ?? []).map(parseContainerStatus)
+        const restartCount = computeRestartCount(pod.status.containerStatuses)
+        const events = await getPodEvents(namespace, pod.metadata.name)
+        const isUnhealthy = pod.status.phase !== 'Running' && pod.status.phase !== 'Succeeded'
+        const hasCrashes = restartCount > 0
+        const logs = isUnhealthy || hasCrashes
+          ? await getContainerLogs(namespace, pod.metadata.name, { tail: 50 })
+          : undefined
+        const previousLogs = hasCrashes
+          ? await getContainerLogs(namespace, pod.metadata.name, { tail: 30, previous: true })
+          : undefined
+        const combinedLogs = [previousLogs ? `--- Previous container ---\n${previousLogs}` : '', logs]
+          .filter(Boolean)
+          .join('\n--- Current container ---\n')
+        const diagnostic: PodDiagnostic = {
+          name: pod.metadata.name,
+          phase: pod.status.phase,
+          reason: pod.status.reason,
+          restartCount,
+          containerStatuses,
+          ...(initContainerStatuses.length > 0 ? { initContainerStatuses } : {}),
+          events,
+          ...(combinedLogs ? { logs: combinedLogs } : {}),
+        }
+        return diagnostic
+      })
+    )
+    return results
+  } catch {
+    return []
+  }
+}
+export function summarizeDiagnostics(pods: ReadonlyArray<PodDiagnostic>): string {
+  if (pods.length === 0) return 'No pods found in namespace'
+  const issues: string[] = []
+  for (const pod of pods) {
+    const allStatuses = [...pod.containerStatuses, ...(pod.initContainerStatuses ?? [])]
+    for (const cs of allStatuses) {
+      if (cs.reason === 'CrashLoopBackOff') {
+        issues.push(`CrashLoopBackOff: ${cs.name} in ${pod.name} (${pod.restartCount} restarts)`)
+      }
+      if (cs.reason === 'ImagePullBackOff' || cs.reason === 'ErrImagePull') {
+        issues.push(`ImagePullBackOff: ${cs.name} in ${pod.name}`)
+      }
+      if (cs.reason === 'OOMKilled') {
+        issues.push(`OOMKilled: ${cs.name} in ${pod.name}`)
+      }
+      if (cs.reason === 'CreateContainerConfigError') {
+        issues.push(`CreateContainerConfigError: ${cs.name} in ${pod.name}`)
+      }
+    }
+    const vaultInit = (pod.initContainerStatuses ?? []).find(
+      (cs) => cs.name.includes('vault') && !cs.ready
+    )
+    if (vaultInit) {
+      issues.push(`Vault init failed: ${vaultInit.name} in ${pod.name}`)
+    }
+    if (pod.phase === 'Pending') {
+      const schedEvent = pod.events.find((e) => e.reason === 'FailedScheduling')
+      if (schedEvent) {
+        issues.push(`FailedScheduling: ${pod.name} — ${schedEvent.message.slice(0, 100)}`)
+      }
+    }
+  }
+  if (issues.length === 0) {
+    const allRunning = pods.every((p) => p.phase === 'Running' || p.phase === 'Succeeded')
+    const totalRestarts = pods.reduce((sum, p) => sum + p.restartCount, 0)
+    if (allRunning && totalRestarts === 0) return 'All pods healthy'
+    if (allRunning) return `All pods running (${totalRestarts} total restarts)`
+    return `${pods.length} pod(s) — mixed status`
+  }
+  return issues.join('; ')
+}
+export async function captureDeployDiagnostics(
+  serviceName: string,
+  namespace: string
+): Promise<DeployDiagnostics> {
+  const pods = await getPods(namespace, serviceName)
+  const summary = summarizeDiagnostics(pods)
+  return {
+    capturedAt: new Date().toISOString(),
+    namespace,
+    pods,
+    summary,
+  }
+}