npm - iec-builder - Versions diffs - 0.1.0 - Mend

iec-builder 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/.claude/settings.local.json +111 -0
package/.iec.yaml +5 -0
package/CLAUDE.md +174 -0
package/Dockerfile +34 -0
package/README.md +84 -0
package/catalog-info.yaml +11 -0
package/dist/config/env.d.ts +219 -0
package/dist/config/env.d.ts.map +1 -0
package/dist/config/env.js +89 -0
package/dist/config/env.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +148 -0
package/dist/index.js.map +1 -0
package/dist/middleware/auth.d.ts +43 -0
package/dist/middleware/auth.d.ts.map +1 -0
package/dist/middleware/auth.js +217 -0
package/dist/middleware/auth.js.map +1 -0
package/dist/middleware/org-access.d.ts +28 -0
package/dist/middleware/org-access.d.ts.map +1 -0
package/dist/middleware/org-access.js +102 -0
package/dist/middleware/org-access.js.map +1 -0
package/dist/models/types.d.ts +254 -0
package/dist/models/types.d.ts.map +1 -0
package/dist/models/types.js +2 -0
package/dist/models/types.js.map +1 -0
package/dist/routes/ai.d.ts +2 -0
package/dist/routes/ai.d.ts.map +1 -0
package/dist/routes/ai.js +77 -0
package/dist/routes/ai.js.map +1 -0
package/dist/routes/audit.d.ts +2 -0
package/dist/routes/audit.d.ts.map +1 -0
package/dist/routes/audit.js +102 -0
package/dist/routes/audit.js.map +1 -0
package/dist/routes/builds.d.ts +2 -0
package/dist/routes/builds.d.ts.map +1 -0
package/dist/routes/builds.js +262 -0
package/dist/routes/builds.js.map +1 -0
package/dist/routes/cluster.d.ts +2 -0
package/dist/routes/cluster.d.ts.map +1 -0
package/dist/routes/cluster.js +181 -0
package/dist/routes/cluster.js.map +1 -0
package/dist/routes/config.d.ts +2 -0
package/dist/routes/config.d.ts.map +1 -0
package/dist/routes/config.js +291 -0
package/dist/routes/config.js.map +1 -0
package/dist/routes/databases.d.ts +2 -0
package/dist/routes/databases.d.ts.map +1 -0
package/dist/routes/databases.js +161 -0
package/dist/routes/databases.js.map +1 -0
package/dist/routes/db-whitelist.d.ts +2 -0
package/dist/routes/db-whitelist.d.ts.map +1 -0
package/dist/routes/db-whitelist.js +148 -0
package/dist/routes/db-whitelist.js.map +1 -0
package/dist/routes/domains.d.ts +2 -0
package/dist/routes/domains.d.ts.map +1 -0
package/dist/routes/domains.js +449 -0
package/dist/routes/domains.js.map +1 -0
package/dist/routes/oauth.d.ts +2 -0
package/dist/routes/oauth.d.ts.map +1 -0
package/dist/routes/oauth.js +180 -0
package/dist/routes/oauth.js.map +1 -0
package/dist/routes/observability.d.ts +2 -0
package/dist/routes/observability.d.ts.map +1 -0
package/dist/routes/observability.js +167 -0
package/dist/routes/observability.js.map +1 -0
package/dist/routes/orgs.d.ts +2 -0
package/dist/routes/orgs.d.ts.map +1 -0
package/dist/routes/orgs.js +270 -0
package/dist/routes/orgs.js.map +1 -0
package/dist/routes/platform.d.ts +2 -0
package/dist/routes/platform.d.ts.map +1 -0
package/dist/routes/platform.js +107 -0
package/dist/routes/platform.js.map +1 -0
package/dist/routes/push.d.ts +2 -0
package/dist/routes/push.d.ts.map +1 -0
package/dist/routes/push.js +233 -0
package/dist/routes/push.js.map +1 -0
package/dist/routes/rotation.d.ts +3 -0
package/dist/routes/rotation.d.ts.map +1 -0
package/dist/routes/rotation.js +154 -0
package/dist/routes/rotation.js.map +1 -0
package/dist/routes/services.d.ts +2 -0
package/dist/routes/services.d.ts.map +1 -0
package/dist/routes/services.js +246 -0
package/dist/routes/services.js.map +1 -0
package/dist/routes/storage.d.ts +2 -0
package/dist/routes/storage.d.ts.map +1 -0
package/dist/routes/storage.js +118 -0
package/dist/routes/storage.js.map +1 -0
package/dist/routes/users.d.ts +2 -0
package/dist/routes/users.d.ts.map +1 -0
package/dist/routes/users.js +183 -0
package/dist/routes/users.js.map +1 -0
package/dist/routes/versions.d.ts +2 -0
package/dist/routes/versions.d.ts.map +1 -0
package/dist/routes/versions.js +195 -0
package/dist/routes/versions.js.map +1 -0
package/dist/routes/webhooks.d.ts +2 -0
package/dist/routes/webhooks.d.ts.map +1 -0
package/dist/routes/webhooks.js +334 -0
package/dist/routes/webhooks.js.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts +2 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js +482 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js.map +1 -0
package/dist/services/bio-client.d.ts +68 -0
package/dist/services/bio-client.d.ts.map +1 -0
package/dist/services/bio-client.js +110 -0
package/dist/services/bio-client.js.map +1 -0
package/dist/services/build-queue.d.ts +7 -0
package/dist/services/build-queue.d.ts.map +1 -0
package/dist/services/build-queue.js +114 -0
package/dist/services/build-queue.js.map +1 -0
package/dist/services/builder.d.ts +7 -0
package/dist/services/builder.d.ts.map +1 -0
package/dist/services/builder.js +1384 -0
package/dist/services/builder.js.map +1 -0
package/dist/services/catalog.d.ts +177 -0
package/dist/services/catalog.d.ts.map +1 -0
package/dist/services/catalog.js +805 -0
package/dist/services/catalog.js.map +1 -0
package/dist/services/catalog.test.d.ts +2 -0
package/dist/services/catalog.test.d.ts.map +1 -0
package/dist/services/catalog.test.js +467 -0
package/dist/services/catalog.test.js.map +1 -0
package/dist/services/cloudflare.d.ts +43 -0
package/dist/services/cloudflare.d.ts.map +1 -0
package/dist/services/cloudflare.js +182 -0
package/dist/services/cloudflare.js.map +1 -0
package/dist/services/config-validator.d.ts +28 -0
package/dist/services/config-validator.d.ts.map +1 -0
package/dist/services/config-validator.js +68 -0
package/dist/services/config-validator.js.map +1 -0
package/dist/services/config-validator.test.d.ts +2 -0
package/dist/services/config-validator.test.d.ts.map +1 -0
package/dist/services/config-validator.test.js +151 -0
package/dist/services/config-validator.test.js.map +1 -0
package/dist/services/crypto.d.ts +19 -0
package/dist/services/crypto.d.ts.map +1 -0
package/dist/services/crypto.js +63 -0
package/dist/services/crypto.js.map +1 -0
package/dist/services/database.d.ts +26 -0
package/dist/services/database.d.ts.map +1 -0
package/dist/services/database.js +100 -0
package/dist/services/database.js.map +1 -0
package/dist/services/db-credential-manager.d.ts +73 -0
package/dist/services/db-credential-manager.d.ts.map +1 -0
package/dist/services/db-credential-manager.js +342 -0
package/dist/services/db-credential-manager.js.map +1 -0
package/dist/services/db-provisioner.d.ts +57 -0
package/dist/services/db-provisioner.d.ts.map +1 -0
package/dist/services/db-provisioner.js +400 -0
package/dist/services/db-provisioner.js.map +1 -0
package/dist/services/db-provisioner.test.d.ts +2 -0
package/dist/services/db-provisioner.test.d.ts.map +1 -0
package/dist/services/db-provisioner.test.js +141 -0
package/dist/services/db-provisioner.test.js.map +1 -0
package/dist/services/db-whitelist.d.ts +58 -0
package/dist/services/db-whitelist.d.ts.map +1 -0
package/dist/services/db-whitelist.js +379 -0
package/dist/services/db-whitelist.js.map +1 -0
package/dist/services/dependency-resolver.d.ts +58 -0
package/dist/services/dependency-resolver.d.ts.map +1 -0
package/dist/services/dependency-resolver.js +180 -0
package/dist/services/dependency-resolver.js.map +1 -0
package/dist/services/dependency-resolver.test.d.ts +2 -0
package/dist/services/dependency-resolver.test.d.ts.map +1 -0
package/dist/services/dependency-resolver.test.js +195 -0
package/dist/services/dependency-resolver.test.js.map +1 -0
package/dist/services/deploy-gate.d.ts +19 -0
package/dist/services/deploy-gate.d.ts.map +1 -0
package/dist/services/deploy-gate.js +56 -0
package/dist/services/deploy-gate.js.map +1 -0
package/dist/services/deploy-gate.test.d.ts +2 -0
package/dist/services/deploy-gate.test.d.ts.map +1 -0
package/dist/services/deploy-gate.test.js +199 -0
package/dist/services/deploy-gate.test.js.map +1 -0
package/dist/services/dockerfile-generator.d.ts +31 -0
package/dist/services/dockerfile-generator.d.ts.map +1 -0
package/dist/services/dockerfile-generator.js +544 -0
package/dist/services/dockerfile-generator.js.map +1 -0
package/dist/services/dockerfile-generator.test.d.ts +2 -0
package/dist/services/dockerfile-generator.test.d.ts.map +1 -0
package/dist/services/dockerfile-generator.test.js +144 -0
package/dist/services/dockerfile-generator.test.js.map +1 -0
package/dist/services/forgejo.d.ts +58 -0
package/dist/services/forgejo.d.ts.map +1 -0
package/dist/services/forgejo.js +131 -0
package/dist/services/forgejo.js.map +1 -0
package/dist/services/koko.d.ts +153 -0
package/dist/services/koko.d.ts.map +1 -0
package/dist/services/koko.js +260 -0
package/dist/services/koko.js.map +1 -0
package/dist/services/kubernetes.d.ts +16 -0
package/dist/services/kubernetes.d.ts.map +1 -0
package/dist/services/kubernetes.js +102 -0
package/dist/services/kubernetes.js.map +1 -0
package/dist/services/oauth-provisioner.d.ts +30 -0
package/dist/services/oauth-provisioner.d.ts.map +1 -0
package/dist/services/oauth-provisioner.js +182 -0
package/dist/services/oauth-provisioner.js.map +1 -0
package/dist/services/oauth-provisioner.test.d.ts +2 -0
package/dist/services/oauth-provisioner.test.d.ts.map +1 -0
package/dist/services/oauth-provisioner.test.js +349 -0
package/dist/services/oauth-provisioner.test.js.map +1 -0
package/dist/services/pod-diagnostics.d.ts +11 -0
package/dist/services/pod-diagnostics.d.ts.map +1 -0
package/dist/services/pod-diagnostics.js +201 -0
package/dist/services/pod-diagnostics.js.map +1 -0
package/dist/services/rotation-scheduler.d.ts +2 -0
package/dist/services/rotation-scheduler.d.ts.map +1 -0
package/dist/services/rotation-scheduler.js +215 -0
package/dist/services/rotation-scheduler.js.map +1 -0
package/dist/services/storage-credential-manager.d.ts +43 -0
package/dist/services/storage-credential-manager.d.ts.map +1 -0
package/dist/services/storage-credential-manager.js +159 -0
package/dist/services/storage-credential-manager.js.map +1 -0
package/dist/services/storage-provisioner.d.ts +32 -0
package/dist/services/storage-provisioner.d.ts.map +1 -0
package/dist/services/storage-provisioner.js +136 -0
package/dist/services/storage-provisioner.js.map +1 -0
package/dist/services/storage.d.ts +65 -0
package/dist/services/storage.d.ts.map +1 -0
package/dist/services/storage.js +204 -0
package/dist/services/storage.js.map +1 -0
package/dist/services/troubleshooter.d.ts +22 -0
package/dist/services/troubleshooter.d.ts.map +1 -0
package/dist/services/troubleshooter.js +168 -0
package/dist/services/troubleshooter.js.map +1 -0
package/dist/services/vault-client.d.ts +114 -0
package/dist/services/vault-client.d.ts.map +1 -0
package/dist/services/vault-client.js +411 -0
package/dist/services/vault-client.js.map +1 -0
package/dist/utils/logger.d.ts +2 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +6 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/response.d.ts +13 -0
package/dist/utils/response.d.ts.map +1 -0
package/dist/utils/response.js +12 -0
package/dist/utils/response.js.map +1 -0
package/docs/registry-migration.md +301 -0
package/docs/registry-quickstart.md +169 -0
package/ecosystem.config.cjs +14 -0
package/findings.md +168 -0
package/helm/default-service/Chart.yaml +6 -0
package/helm/default-service/templates/deployment.yaml +97 -0
package/helm/default-service/templates/ingress.yaml +43 -0
package/helm/default-service/templates/service.yaml +17 -0
package/helm/default-service/values.yaml +82 -0
package/helm/services/iec-builder/Chart.yaml +6 -0
package/helm/services/iec-builder/templates/_helpers.tpl +61 -0
package/helm/services/iec-builder/templates/deployment.yaml +73 -0
package/helm/services/iec-builder/templates/service.yaml +15 -0
package/helm/services/iec-builder/templates/serviceaccount.yaml +12 -0
package/helm/services/iec-builder/values.yaml +56 -0
package/helm/vault-values.yaml +127 -0
package/package.json +45 -0
package/progress.md +156 -0
package/scripts/.vault-init-keys.json +23 -0
package/scripts/backfill-ownership.ts +113 -0
package/scripts/finalize-mongo-auth.sh +212 -0
package/scripts/setup-ipset.sh +107 -0
package/scripts/setup-mongo-auth.sh +163 -0
package/scripts/setup-neo4j-auth.sh +62 -0
package/scripts/setup-redis-auth.sh +55 -0
package/scripts/setup-registry-secret.sh +71 -0
package/scripts/setup-vault.sh +308 -0
package/src/config/env.ts +117 -0
package/src/index.ts +153 -0
package/src/middleware/auth.ts +294 -0
package/src/middleware/org-access.ts +126 -0
package/src/models/types.ts +288 -0
package/src/routes/ai.ts +115 -0
package/src/routes/audit.ts +121 -0
package/src/routes/builds.ts +320 -0
package/src/routes/cluster.ts +235 -0
package/src/routes/config.ts +369 -0
package/src/routes/databases.ts +201 -0
package/src/routes/db-whitelist.ts +204 -0
package/src/routes/domains.ts +547 -0
package/src/routes/oauth.ts +195 -0
package/src/routes/observability.ts +205 -0
package/src/routes/orgs.ts +330 -0
package/src/routes/platform.ts +134 -0
package/src/routes/rotation.ts +191 -0
package/src/routes/services.ts +290 -0
package/src/routes/storage.ts +153 -0
package/src/routes/users.ts +235 -0
package/src/routes/webhooks.ts +384 -0
package/src/services/__tests__/catalog-storage.test.ts +186 -0
package/src/services/__tests__/deploy-pipeline.integration.test.ts +624 -0
package/src/services/__tests__/pod-diagnostics.test.ts +332 -0
package/src/services/__tests__/storage-credential-manager.test.ts +129 -0
package/src/services/__tests__/storage-provisioner.test.ts +166 -0
package/src/services/__tests__/troubleshooter.test.ts +329 -0
package/src/services/bio-client.ts +189 -0
package/src/services/build-queue.ts +137 -0
package/src/services/builder.ts +1800 -0
package/src/services/catalog.test.ts +1389 -0
package/src/services/catalog.ts +1187 -0
package/src/services/cloudflare.ts +259 -0
package/src/services/config-validator.test.ts +190 -0
package/src/services/config-validator.ts +108 -0
package/src/services/crypto.ts +78 -0
package/src/services/database.ts +122 -0
package/src/services/db-credential-manager.test.ts +101 -0
package/src/services/db-credential-manager.ts +447 -0
package/src/services/db-provisioner.test.ts +602 -0
package/src/services/db-provisioner.ts +589 -0
package/src/services/db-whitelist.test.ts +671 -0
package/src/services/db-whitelist.ts +496 -0
package/src/services/dependency-resolver.test.ts +677 -0
package/src/services/dependency-resolver.ts +319 -0
package/src/services/deploy-gate.test.ts +247 -0
package/src/services/deploy-gate.ts +75 -0
package/src/services/dockerfile-generator.test.ts +401 -0
package/src/services/dockerfile-generator.ts +606 -0
package/src/services/forgejo.ts +212 -0
package/src/services/koko.ts +492 -0
package/src/services/kubernetes.ts +141 -0
package/src/services/oauth-provisioner.test.ts +477 -0
package/src/services/oauth-provisioner.ts +286 -0
package/src/services/pod-diagnostics.ts +261 -0
package/src/services/rotation-scheduler.ts +293 -0
package/src/services/storage-credential-manager.ts +223 -0
package/src/services/storage-provisioner.ts +216 -0
package/src/services/storage.ts +274 -0
package/src/services/troubleshooter.ts +208 -0
package/src/services/vault-client.test.ts +272 -0
package/src/services/vault-client.ts +587 -0
package/src/utils/logger.ts +6 -0
package/src/utils/response.ts +23 -0
package/task_plan.md +171 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +19 -0

package/src/services/storage-provisioner.ts ADDED Viewed

@@ -0,0 +1,216 @@
+import { env } from '../config/env.js'
+import { logger } from '../utils/logger.js'
+import {
+  buildBucketName,
+  buildBucketPolicy,
+  createMinioAdminClient,
+  ensureBucket,
+  setBucketQuota,
+  getStorageTierConfig,
+  DEFAULT_STORAGE_TIER,
+} from './storage-credential-manager.js'
+import {
+  isVaultEnabled,
+  getMinioAdminCreds,
+  configureMinioVaultRole,
+  buildMinioCredsPath,
+  type VaultAnnotations,
+} from './vault-client.js'
+import type { StorageTier, StorageCredential } from '../models/types.js'
+// ─────────────────────────────────────────────────────────────────────────────
+// Types
+// ─────────────────────────────────────────────────────────────────────────────
+export interface StorageSpec {
+  readonly name?: string
+  readonly tier?: StorageTier
+}
+export interface StorageProvisionResult {
+  readonly envVars: Record<string, string>
+  readonly vaultAnnotations: VaultAnnotations
+  readonly credential: StorageCredential | null
+  readonly gasPerMonth: number
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Provisioning
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Calculate total storage gas cost per month for deploy gate.
+ */
+export function calculateStorageGasPerMonth(
+  storageSpecs: ReadonlyArray<StorageSpec>,
+): number {
+  return storageSpecs.reduce((sum, spec) => {
+    const tier = spec.tier || DEFAULT_STORAGE_TIER
+    const tierConfig = getStorageTierConfig(tier)
+    return sum + tierConfig.gasPerMonth
+  }, 0)
+}
+/**
+ * Provision object storage (MinIO) for a service.
+ *
+ * Requires Vault — throws if Vault is not enabled (no static credential fallback).
+ *
+ * Flow:
+ * 1. Read MinIO admin creds from Vault KV
+ * 2. Create buckets via MinIO SDK (idempotent)
+ * 3. Set hard quotas per bucket via mc CLI
+ * 4. Build scoped IAM policy for all declared buckets
+ * 5. Create MinIO user + policy via mc CLI (admin operations)
+ * 6. Store per-service creds in Vault KV
+ * 7. Return Vault Agent annotations for pod credential injection
+ */
+export async function provisionStorage(
+  serviceName: string,
+  environment: string,
+  namespace: string,
+  storageSpecs: ReadonlyArray<StorageSpec>,
+): Promise<StorageProvisionResult> {
+  if (storageSpecs.length === 0) {
+    return { envVars: {}, vaultAnnotations: {}, credential: null, gasPerMonth: 0 }
+  }
+  // Storage requires Vault — no static credential fallback
+  if (!isVaultEnabled()) {
+    throw new Error(
+      'Storage provisioning requires Vault. Set VAULT_ENABLED=true and configure ' +
+      'the MinIO secrets engine in Vault before declaring spec.storage in catalog-info.yaml.'
+    )
+  }
+  // Read MinIO admin credentials from Vault KV (never stored on disk)
+  const adminCreds = await getMinioAdminCreds()
+  // Create MinIO S3 client for bucket management
+  const client = createMinioAdminClient(adminCreds.accessKey, adminCreds.secretKey)
+  // Build bucket names and tiers
+  const bucketEntries = storageSpecs.map((spec) => ({
+    name: buildBucketName(serviceName, environment, spec.name),
+    tier: spec.tier || DEFAULT_STORAGE_TIER,
+    suffix: spec.name,
+  }))
+  // Create buckets (via MinIO SDK) and set quotas (via mc CLI)
+  for (const entry of bucketEntries) {
+    await ensureBucket(client, entry.name)
+    await setBucketQuota(entry.name, entry.tier, adminCreds.accessKey, adminCreds.secretKey)
+  }
+  const bucketNames = bucketEntries.map((e) => e.name)
+  // Build scoped IAM policy for all declared buckets
+  const policyDocument = buildBucketPolicy(bucketNames)
+  // Configure Vault MinIO role with inline policy
+  // When pods read from minio/creds/{role}, the plugin creates an ephemeral
+  // MinIO user with this policy attached (dynamic credentials, lease-based)
+  await configureMinioVaultRole(serviceName, environment, JSON.stringify(policyDocument))
+  // Build Vault Agent annotations for pod injection
+  const vaultAnnotations = buildStorageVaultAnnotations(
+    serviceName,
+    environment,
+    bucketEntries,
+  )
+  // Build credential record
+  const credsPath = buildMinioCredsPath(serviceName, environment)
+  const credential: StorageCredential = {
+    type: 'minio',
+    vaultLeasePath: credsPath,
+    buckets: bucketNames,
+    tiers: bucketEntries.map((e) => e.tier),
+    environment: environment as StorageCredential['environment'],
+    provisionedAt: new Date().toISOString(),
+  }
+  const gasPerMonth = calculateStorageGasPerMonth(storageSpecs)
+  logger.info(
+    { serviceName, environment, buckets: bucketNames, gasPerMonth },
+    'Storage provisioned via Vault KV',
+  )
+  return {
+    envVars: {},  // Credentials injected via Vault Agent, not env vars
+    vaultAnnotations,
+    credential,
+    gasPerMonth,
+  }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Vault Agent Annotations for Storage
+// ─────────────────────────────────────────────────────────────────────────────
+interface BucketEntry {
+  readonly name: string
+  readonly tier: StorageTier
+  readonly suffix?: string
+}
+/**
+ * Build Vault Agent pod annotations that inject S3 credentials into the pod.
+ *
+ * The Vault Agent Injector reads these annotations and:
+ * 1. Injects an init container that fetches credentials from the MinIO secrets engine
+ * 2. Writes credentials to /vault/secrets/storage as env-file format
+ * 3. Sidecar renews the lease and rotates creds automatically
+ *
+ * Credentials are dynamic — Vault creates ephemeral MinIO users on each read,
+ * and revokes them when the lease expires.
+ */
+function buildStorageVaultAnnotations(
+  serviceName: string,
+  environment: string,
+  bucketEntries: readonly BucketEntry[],
+): VaultAnnotations {
+  const endpoint = `http://${env.MINIO_HOST}:${env.MINIO_PORT}`
+  const credsPath = buildMinioCredsPath(serviceName, environment)
+  // Build the template that renders S3 credentials as env vars
+  // Always emit S3_{SUFFIX}_BUCKET (for createStorage('name')),
+  // plus S3_BUCKET alias for single-bucket services (for createStorage())
+  const namedLines = bucketEntries
+    .map((e) => {
+      const envSuffix = (e.suffix || 'default').toUpperCase().replace(/-/g, '_')
+      return `S3_${envSuffix}_BUCKET=${e.name}`
+    })
+    .join('\n')
+  const bucketLines = bucketEntries.length === 1
+    ? `S3_BUCKET=${bucketEntries[0].name}\n${namedLines}`
+    : namedLines
+  // Secrets engine data is at .Data (not .Data.data like KV v2)
+  // Inject both split (S3_HOST/S3_PORT) and combined (S3_ENDPOINT) for SDK compatibility:
+  //   MinIO SDK: new Client({ endPoint: S3_HOST, port: +S3_PORT, ... })
+  //   AWS SDK:   new S3Client({ endpoint: S3_ENDPOINT, ... })
+  const template = [
+    `{{- with secret "${credsPath}" -}}`,
+    `S3_HOST=${env.MINIO_HOST}`,
+    `S3_PORT=${env.MINIO_PORT}`,
+    `S3_ENDPOINT=${endpoint}`,
+    `S3_ACCESS_KEY_ID={{ .Data.access_key_id }}`,
+    `S3_SECRET_ACCESS_KEY={{ .Data.secret_access_key }}`,
+    `S3_REGION=us-east-1`,
+    bucketLines,
+    '{{- end -}}',
+  ].join('\n')
+  // Storage annotations are keyed with "storage" suffix to avoid collisions
+  // with database annotations (which use "mongodb", "redis", "neo4j" suffixes).
+  // The command annotation triggers on credential rotation — it removes the
+  // liveness signal file so K8s restarts the pod with fresh creds (same
+  // pattern as database annotations in vault-client.ts).
+  return {
+    'vault.hashicorp.com/agent-inject-secret-storage': credsPath,
+    'vault.hashicorp.com/agent-inject-template-storage': template,
+    'vault.hashicorp.com/agent-inject-command-storage': 'rm -f /vault/signals/alive',
+  }
+}

package/src/services/storage.ts ADDED Viewed

@@ -0,0 +1,274 @@
+import { MongoClient, GridFSBucket, ObjectId, Db, GridFSFile } from 'mongodb'
+import { Readable } from 'stream'
+import { createHash } from 'crypto'
+import { logger } from '../utils/logger.js'
+let gridfs: GridFSBucket | null = null
+let gridfsDb: Db | null = null
+/**
+ * Initialize GridFS bucket for tarball storage
+ */
+export function initGridFS(client: MongoClient, dbName?: string): void {
+  gridfsDb = client.db(dbName)
+  gridfs = new GridFSBucket(gridfsDb, {
+    bucketName: 'tarballs',
+    chunkSizeBytes: 1024 * 1024, // 1MB chunks for large files
+  })
+  logger.info('GridFS initialized for tarball storage')
+}
+/**
+ * Get the GridFS bucket instance
+ */
+export function getGridFS(): GridFSBucket {
+  if (!gridfs) {
+    throw new Error('GridFS not initialized. Call initGridFS first.')
+  }
+  return gridfs
+}
+function getGridFSDb(): Db {
+  if (!gridfsDb) {
+    throw new Error('GridFS not initialized. Call initGridFS first.')
+  }
+  return gridfsDb
+}
+export interface TarballMetadata {
+  serviceId: string
+  serviceName: string
+  version: string
+  commitSha: string
+  environment: string
+  uploadedBy: string
+  uploadedAt: string
+  size: number
+  checksum: string
+}
+export interface StoredTarball {
+  id: string
+  filename: string
+  metadata: TarballMetadata
+  length: number
+  uploadDate: Date
+}
+/**
+ * Upload a tarball to GridFS
+ */
+export async function uploadTarball(
+  stream: Readable,
+  filename: string,
+  metadata: Omit<TarballMetadata, 'uploadedAt' | 'size' | 'checksum'>
+): Promise<StoredTarball> {
+  const bucket = getGridFS()
+  const db = getGridFSDb()
+  // Calculate checksum while uploading
+  const hash = createHash('sha256')
+  let size = 0
+  const checksumStream = new Readable({
+    read() {}
+  })
+  stream.on('data', (chunk: Buffer) => {
+    hash.update(chunk)
+    size += chunk.length
+    checksumStream.push(chunk)
+  })
+  stream.on('end', () => {
+    checksumStream.push(null)
+  })
+  stream.on('error', (err) => {
+    checksumStream.destroy(err)
+  })
+  const fullMetadata: TarballMetadata = {
+    ...metadata,
+    uploadedAt: new Date().toISOString(),
+    size: 0,
+    checksum: '',
+  }
+  const uploadStream = bucket.openUploadStream(filename, {
+    metadata: fullMetadata,
+  })
+  return new Promise((resolve, reject) => {
+    checksumStream.pipe(uploadStream)
+    uploadStream.on('finish', async () => {
+      // Update metadata with final size and checksum
+      const checksum = hash.digest('hex')
+      fullMetadata.size = size
+      fullMetadata.checksum = checksum
+      // Update the file's metadata
+      await db.collection('tarballs.files').updateOne(
+        { _id: uploadStream.id },
+        { $set: { 'metadata.size': size, 'metadata.checksum': checksum } }
+      )
+      logger.info({ filename, size, checksum }, 'Tarball uploaded to GridFS')
+      resolve({
+        id: uploadStream.id.toString(),
+        filename,
+        metadata: fullMetadata,
+        length: size,
+        uploadDate: new Date(),
+      })
+    })
+    uploadStream.on('error', (error) => {
+      logger.error({ filename, error }, 'Failed to upload tarball')
+      reject(error)
+    })
+  })
+}
+/**
+ * Download a tarball from GridFS
+ */
+export function downloadTarball(fileId: string): Readable {
+  const bucket = getGridFS()
+  return bucket.openDownloadStream(new ObjectId(fileId))
+}
+/**
+ * Download a tarball by filename
+ */
+export function downloadTarballByFilename(filename: string): Readable {
+  const bucket = getGridFS()
+  return bucket.openDownloadStreamByName(filename)
+}
+/**
+ * List all tarballs for a service
+ */
+export async function listServiceTarballs(serviceId: string): Promise<StoredTarball[]> {
+  const db = getGridFSDb()
+  const files = await db
+    .collection<GridFSFile>('tarballs.files')
+    .find({ 'metadata.serviceId': serviceId })
+    .sort({ uploadDate: -1 })
+    .toArray()
+  return files.map((file) => ({
+    id: file._id.toString(),
+    filename: file.filename,
+    metadata: file.metadata as unknown as TarballMetadata,
+    length: file.length,
+    uploadDate: file.uploadDate,
+  }))
+}
+/**
+ * Get a specific tarball by ID
+ */
+export async function getTarball(fileId: string): Promise<StoredTarball | null> {
+  const db = getGridFSDb()
+  const file = await db.collection<GridFSFile>('tarballs.files').findOne({ _id: new ObjectId(fileId) })
+  if (!file) return null
+  return {
+    id: file._id.toString(),
+    filename: file.filename,
+    metadata: file.metadata as unknown as TarballMetadata,
+    length: file.length,
+    uploadDate: file.uploadDate,
+  }
+}
+/**
+ * Get the latest tarball for a service
+ */
+export async function getLatestTarball(serviceId: string): Promise<StoredTarball | null> {
+  const db = getGridFSDb()
+  const file = await db
+    .collection<GridFSFile>('tarballs.files')
+    .findOne(
+      { 'metadata.serviceId': serviceId },
+      { sort: { uploadDate: -1 } }
+    )
+  if (!file) return null
+  return {
+    id: file._id.toString(),
+    filename: file.filename,
+    metadata: file.metadata as unknown as TarballMetadata,
+    length: file.length,
+    uploadDate: file.uploadDate,
+  }
+}
+/**
+ * Delete a tarball
+ */
+export async function deleteTarball(fileId: string): Promise<void> {
+  const bucket = getGridFS()
+  await bucket.delete(new ObjectId(fileId))
+  logger.info({ fileId }, 'Tarball deleted from GridFS')
+}
+/**
+ * Delete all tarballs for a service (cleanup)
+ */
+export async function deleteServiceTarballs(serviceId: string): Promise<number> {
+  const bucket = getGridFS()
+  const db = getGridFSDb()
+  const files = await db
+    .collection<GridFSFile>('tarballs.files')
+    .find({ 'metadata.serviceId': serviceId })
+    .toArray()
+  for (const file of files) {
+    await bucket.delete(file._id)
+  }
+  logger.info({ serviceId, count: files.length }, 'Service tarballs deleted')
+  return files.length
+}
+/**
+ * Extract tarball to a directory
+ */
+export async function extractTarball(fileId: string, destDir: string): Promise<void> {
+  const { pipeline } = await import('stream/promises')
+  const { createWriteStream } = await import('fs')
+  const { mkdir } = await import('fs/promises')
+  const { exec } = await import('child_process')
+  const { promisify } = await import('util')
+  const { join } = await import('path')
+  const execAsync = promisify(exec)
+  const tarPath = join(destDir, 'source.tar.gz')
+  // Ensure destination exists
+  await mkdir(destDir, { recursive: true })
+  // Download tarball to temp file
+  const downloadStream = downloadTarball(fileId)
+  const writeStream = createWriteStream(tarPath)
+  await pipeline(downloadStream, writeStream)
+  // Extract tarball
+  await execAsync(`tar -xzf "${tarPath}" -C "${destDir}"`)
+  // Remove tarball after extraction
+  const { unlink } = await import('fs/promises')
+  await unlink(tarPath)
+  logger.info({ fileId, destDir }, 'Tarball extracted')
+}

package/src/services/troubleshooter.ts ADDED Viewed

@@ -0,0 +1,208 @@
+import { getPods } from './pod-diagnostics.js'
+import type { PodDiagnostic } from '../models/types.js'
+export type IssueSeverity = 'critical' | 'warning' | 'info'
+export interface TroubleshootIssue {
+  readonly severity: IssueSeverity
+  readonly category: string
+  readonly title: string
+  readonly detail: string
+  readonly suggestion: string
+  readonly podName?: string
+  readonly containerName?: string
+}
+export interface TroubleshootResult {
+  readonly service: string
+  readonly namespace: string
+  readonly environment: string
+  readonly analyzedAt: string
+  readonly healthy: boolean
+  readonly issues: ReadonlyArray<TroubleshootIssue>
+  readonly pods: ReadonlyArray<PodDiagnostic>
+}
+interface FailurePattern {
+  readonly name: string
+  readonly detect: (pod: PodDiagnostic) => TroubleshootIssue | null
+}
+const FAILURE_PATTERNS: ReadonlyArray<FailurePattern> = [
+  {
+    name: 'crash-loop',
+    detect: (pod) => {
+      const crashing = [...pod.containerStatuses, ...(pod.initContainerStatuses ?? [])]
+        .find((c) => c.reason === 'CrashLoopBackOff')
+      if (!crashing) return null
+      return {
+        severity: 'critical',
+        category: 'crash',
+        title: 'CrashLoopBackOff',
+        detail: `Container "${crashing.name}" is crash-looping (${pod.restartCount} restarts). Last exit code: ${crashing.exitCode ?? 'unknown'}.`,
+        suggestion: 'Check container logs for startup errors. Common causes: missing environment variable, failed database connection on startup, uncaught exception in entry point. Run `tawa logs <service>` to see the crash output.',
+        podName: pod.name,
+        containerName: crashing.name,
+      }
+    },
+  },
+  {
+    name: 'image-pull',
+    detect: (pod) => {
+      const failing = pod.containerStatuses.find(
+        (c) => c.reason === 'ImagePullBackOff' || c.reason === 'ErrImagePull'
+      )
+      if (!failing) return null
+      return {
+        severity: 'critical',
+        category: 'image',
+        title: 'ImagePullBackOff',
+        detail: `Container "${failing.name}" cannot pull its image. ${failing.message ?? ''}`.trim(),
+        suggestion: 'Verify the image exists in the registry. Check that imagePullSecrets are configured in the namespace. The builder pushes to registry.insureco.io/insureco.',
+        podName: pod.name,
+        containerName: failing.name,
+      }
+    },
+  },
+  {
+    name: 'oom-killed',
+    detect: (pod) => {
+      const oom = pod.containerStatuses.find((c) => c.reason === 'OOMKilled')
+      if (!oom) return null
+      return {
+        severity: 'critical',
+        category: 'resources',
+        title: 'OOMKilled',
+        detail: `Container "${oom.name}" was killed due to exceeding memory limits.`,
+        suggestion: 'Increase pod-tier in catalog-info.yaml (e.g., from "nano" to "small"). Each tier doubles the available memory.',
+        podName: pod.name,
+        containerName: oom.name,
+      }
+    },
+  },
+  {
+    name: 'vault-init-failure',
+    detect: (pod) => {
+      const vaultInit = (pod.initContainerStatuses ?? []).find(
+        (c) => c.name.includes('vault') && !c.ready
+      )
+      if (!vaultInit) return null
+      return {
+        severity: 'critical',
+        category: 'vault',
+        title: 'Vault Init Container Failed',
+        detail: `Init container "${vaultInit.name}" is not ready. State: ${vaultInit.state}. ${vaultInit.message ?? ''}`.trim(),
+        suggestion: 'Vault Agent could not authenticate or fetch secrets. Check: (1) ServiceAccount exists in namespace, (2) Vault K8s auth role is configured, (3) Vault is reachable from the cluster. Re-deploying usually fixes transient Vault issues.',
+        podName: pod.name,
+        containerName: vaultInit.name,
+      }
+    },
+  },
+  {
+    name: 'config-error',
+    detect: (pod) => {
+      const configErr = pod.containerStatuses.find(
+        (c) => c.reason === 'CreateContainerConfigError'
+      )
+      if (!configErr) return null
+      return {
+        severity: 'critical',
+        category: 'config',
+        title: 'Missing ConfigMap or Secret',
+        detail: `Container "${configErr.name}" cannot start because a required ConfigMap or Secret is missing. ${configErr.message ?? ''}`.trim(),
+        suggestion: 'Check that all referenced secrets exist in the namespace. If using managed secrets, ensure `tawa config set --secret` was run and a deploy has occurred since.',
+        podName: pod.name,
+        containerName: configErr.name,
+      }
+    },
+  },
+  {
+    name: 'pending-scheduling',
+    detect: (pod) => {
+      if (pod.phase !== 'Pending') return null
+      const schedEvent = pod.events.find((e) => e.reason === 'FailedScheduling')
+      if (!schedEvent) return null
+      return {
+        severity: 'warning',
+        category: 'scheduling',
+        title: 'Pod Pending (FailedScheduling)',
+        detail: `Pod is pending scheduling. ${schedEvent?.message ?? 'Cluster may lack resources.'}`,
+        suggestion: 'The cluster may not have enough CPU/memory to schedule this pod. Try a smaller pod-tier or wait for other pods to finish.',
+        podName: pod.name,
+      }
+    },
+  },
+  {
+    name: 'high-restarts',
+    detect: (pod) => {
+      if (pod.restartCount < 3) return null
+      const hasCrashLoop = pod.containerStatuses.some((c) => c.reason === 'CrashLoopBackOff')
+      if (hasCrashLoop) return null
+      return {
+        severity: 'warning',
+        category: 'stability',
+        title: 'High Restart Count',
+        detail: `Pod has restarted ${pod.restartCount} times. The container may be intermittently crashing.`,
+        suggestion: 'Check container logs (including --previous) for intermittent failures. Common causes: connection timeouts to databases, health check failures, OOM spikes.',
+        podName: pod.name,
+      }
+    },
+  },
+]
+function detectIssuesForPod(pod: PodDiagnostic): ReadonlyArray<TroubleshootIssue> {
+  const issues: TroubleshootIssue[] = []
+  for (const pattern of FAILURE_PATTERNS) {
+    const issue = pattern.detect(pod)
+    if (issue) {
+      issues.push(issue)
+    }
+  }
+  return issues
+}
+const SEVERITY_ORDER: Record<IssueSeverity, number> = {
+  critical: 0,
+  warning: 1,
+  info: 2,
+}
+export async function troubleshoot(
+  serviceName: string,
+  namespace: string,
+  environment: string
+): Promise<TroubleshootResult> {
+  const pods = await getPods(namespace, serviceName)
+  const issues: TroubleshootIssue[] = []
+  if (pods.length === 0) {
+    issues.push({
+      severity: 'critical',
+      category: 'deployment',
+      title: 'No Pods Found',
+      detail: `No pods found in namespace "${namespace}" for service "${serviceName}".`,
+      suggestion: 'The deployment may not have created any pods. Check that `tawa deploy` completed successfully and that the Helm release exists.',
+    })
+  }
+  for (const pod of pods) {
+    issues.push(...detectIssuesForPod(pod))
+  }
+  const sorted = [...issues].sort(
+    (a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]
+  )
+  const hasCritical = sorted.some((i) => i.severity === 'critical')
+  return {
+    service: serviceName,
+    namespace,
+    environment,
+    analyzedAt: new Date().toISOString(),
+    healthy: !hasCritical,
+    issues: sorted,
+    pods,
+  }
+}