npm - iec-builder - Versions diffs - 0.1.0 - Mend

iec-builder 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (337) hide show

package/.claude/settings.local.json +111 -0
package/.iec.yaml +5 -0
package/CLAUDE.md +174 -0
package/Dockerfile +34 -0
package/README.md +84 -0
package/catalog-info.yaml +11 -0
package/dist/config/env.d.ts +219 -0
package/dist/config/env.d.ts.map +1 -0
package/dist/config/env.js +89 -0
package/dist/config/env.js.map +1 -0
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +148 -0
package/dist/index.js.map +1 -0
package/dist/middleware/auth.d.ts +43 -0
package/dist/middleware/auth.d.ts.map +1 -0
package/dist/middleware/auth.js +217 -0
package/dist/middleware/auth.js.map +1 -0
package/dist/middleware/org-access.d.ts +28 -0
package/dist/middleware/org-access.d.ts.map +1 -0
package/dist/middleware/org-access.js +102 -0
package/dist/middleware/org-access.js.map +1 -0
package/dist/models/types.d.ts +254 -0
package/dist/models/types.d.ts.map +1 -0
package/dist/models/types.js +2 -0
package/dist/models/types.js.map +1 -0
package/dist/routes/ai.d.ts +2 -0
package/dist/routes/ai.d.ts.map +1 -0
package/dist/routes/ai.js +77 -0
package/dist/routes/ai.js.map +1 -0
package/dist/routes/audit.d.ts +2 -0
package/dist/routes/audit.d.ts.map +1 -0
package/dist/routes/audit.js +102 -0
package/dist/routes/audit.js.map +1 -0
package/dist/routes/builds.d.ts +2 -0
package/dist/routes/builds.d.ts.map +1 -0
package/dist/routes/builds.js +262 -0
package/dist/routes/builds.js.map +1 -0
package/dist/routes/cluster.d.ts +2 -0
package/dist/routes/cluster.d.ts.map +1 -0
package/dist/routes/cluster.js +181 -0
package/dist/routes/cluster.js.map +1 -0
package/dist/routes/config.d.ts +2 -0
package/dist/routes/config.d.ts.map +1 -0
package/dist/routes/config.js +291 -0
package/dist/routes/config.js.map +1 -0
package/dist/routes/databases.d.ts +2 -0
package/dist/routes/databases.d.ts.map +1 -0
package/dist/routes/databases.js +161 -0
package/dist/routes/databases.js.map +1 -0
package/dist/routes/db-whitelist.d.ts +2 -0
package/dist/routes/db-whitelist.d.ts.map +1 -0
package/dist/routes/db-whitelist.js +148 -0
package/dist/routes/db-whitelist.js.map +1 -0
package/dist/routes/domains.d.ts +2 -0
package/dist/routes/domains.d.ts.map +1 -0
package/dist/routes/domains.js +449 -0
package/dist/routes/domains.js.map +1 -0
package/dist/routes/oauth.d.ts +2 -0
package/dist/routes/oauth.d.ts.map +1 -0
package/dist/routes/oauth.js +180 -0
package/dist/routes/oauth.js.map +1 -0
package/dist/routes/observability.d.ts +2 -0
package/dist/routes/observability.d.ts.map +1 -0
package/dist/routes/observability.js +167 -0
package/dist/routes/observability.js.map +1 -0
package/dist/routes/orgs.d.ts +2 -0
package/dist/routes/orgs.d.ts.map +1 -0
package/dist/routes/orgs.js +270 -0
package/dist/routes/orgs.js.map +1 -0
package/dist/routes/platform.d.ts +2 -0
package/dist/routes/platform.d.ts.map +1 -0
package/dist/routes/platform.js +107 -0
package/dist/routes/platform.js.map +1 -0
package/dist/routes/push.d.ts +2 -0
package/dist/routes/push.d.ts.map +1 -0
package/dist/routes/push.js +233 -0
package/dist/routes/push.js.map +1 -0
package/dist/routes/rotation.d.ts +3 -0
package/dist/routes/rotation.d.ts.map +1 -0
package/dist/routes/rotation.js +154 -0
package/dist/routes/rotation.js.map +1 -0
package/dist/routes/services.d.ts +2 -0
package/dist/routes/services.d.ts.map +1 -0
package/dist/routes/services.js +246 -0
package/dist/routes/services.js.map +1 -0
package/dist/routes/storage.d.ts +2 -0
package/dist/routes/storage.d.ts.map +1 -0
package/dist/routes/storage.js +118 -0
package/dist/routes/storage.js.map +1 -0
package/dist/routes/users.d.ts +2 -0
package/dist/routes/users.d.ts.map +1 -0
package/dist/routes/users.js +183 -0
package/dist/routes/users.js.map +1 -0
package/dist/routes/versions.d.ts +2 -0
package/dist/routes/versions.d.ts.map +1 -0
package/dist/routes/versions.js +195 -0
package/dist/routes/versions.js.map +1 -0
package/dist/routes/webhooks.d.ts +2 -0
package/dist/routes/webhooks.d.ts.map +1 -0
package/dist/routes/webhooks.js +334 -0
package/dist/routes/webhooks.js.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts +2 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.d.ts.map +1 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js +482 -0
package/dist/services/__tests__/deploy-pipeline.integration.test.js.map +1 -0
package/dist/services/bio-client.d.ts +68 -0
package/dist/services/bio-client.d.ts.map +1 -0
package/dist/services/bio-client.js +110 -0
package/dist/services/bio-client.js.map +1 -0
package/dist/services/build-queue.d.ts +7 -0
package/dist/services/build-queue.d.ts.map +1 -0
package/dist/services/build-queue.js +114 -0
package/dist/services/build-queue.js.map +1 -0
package/dist/services/builder.d.ts +7 -0
package/dist/services/builder.d.ts.map +1 -0
package/dist/services/builder.js +1384 -0
package/dist/services/builder.js.map +1 -0
package/dist/services/catalog.d.ts +177 -0
package/dist/services/catalog.d.ts.map +1 -0
package/dist/services/catalog.js +805 -0
package/dist/services/catalog.js.map +1 -0
package/dist/services/catalog.test.d.ts +2 -0
package/dist/services/catalog.test.d.ts.map +1 -0
package/dist/services/catalog.test.js +467 -0
package/dist/services/catalog.test.js.map +1 -0
package/dist/services/cloudflare.d.ts +43 -0
package/dist/services/cloudflare.d.ts.map +1 -0
package/dist/services/cloudflare.js +182 -0
package/dist/services/cloudflare.js.map +1 -0
package/dist/services/config-validator.d.ts +28 -0
package/dist/services/config-validator.d.ts.map +1 -0
package/dist/services/config-validator.js +68 -0
package/dist/services/config-validator.js.map +1 -0
package/dist/services/config-validator.test.d.ts +2 -0
package/dist/services/config-validator.test.d.ts.map +1 -0
package/dist/services/config-validator.test.js +151 -0
package/dist/services/config-validator.test.js.map +1 -0
package/dist/services/crypto.d.ts +19 -0
package/dist/services/crypto.d.ts.map +1 -0
package/dist/services/crypto.js +63 -0
package/dist/services/crypto.js.map +1 -0
package/dist/services/database.d.ts +26 -0
package/dist/services/database.d.ts.map +1 -0
package/dist/services/database.js +100 -0
package/dist/services/database.js.map +1 -0
package/dist/services/db-credential-manager.d.ts +73 -0
package/dist/services/db-credential-manager.d.ts.map +1 -0
package/dist/services/db-credential-manager.js +342 -0
package/dist/services/db-credential-manager.js.map +1 -0
package/dist/services/db-provisioner.d.ts +57 -0
package/dist/services/db-provisioner.d.ts.map +1 -0
package/dist/services/db-provisioner.js +400 -0
package/dist/services/db-provisioner.js.map +1 -0
package/dist/services/db-provisioner.test.d.ts +2 -0
package/dist/services/db-provisioner.test.d.ts.map +1 -0
package/dist/services/db-provisioner.test.js +141 -0
package/dist/services/db-provisioner.test.js.map +1 -0
package/dist/services/db-whitelist.d.ts +58 -0
package/dist/services/db-whitelist.d.ts.map +1 -0
package/dist/services/db-whitelist.js +379 -0
package/dist/services/db-whitelist.js.map +1 -0
package/dist/services/dependency-resolver.d.ts +58 -0
package/dist/services/dependency-resolver.d.ts.map +1 -0
package/dist/services/dependency-resolver.js +180 -0
package/dist/services/dependency-resolver.js.map +1 -0
package/dist/services/dependency-resolver.test.d.ts +2 -0
package/dist/services/dependency-resolver.test.d.ts.map +1 -0
package/dist/services/dependency-resolver.test.js +195 -0
package/dist/services/dependency-resolver.test.js.map +1 -0
package/dist/services/deploy-gate.d.ts +19 -0
package/dist/services/deploy-gate.d.ts.map +1 -0
package/dist/services/deploy-gate.js +56 -0
package/dist/services/deploy-gate.js.map +1 -0
package/dist/services/deploy-gate.test.d.ts +2 -0
package/dist/services/deploy-gate.test.d.ts.map +1 -0
package/dist/services/deploy-gate.test.js +199 -0
package/dist/services/deploy-gate.test.js.map +1 -0
package/dist/services/dockerfile-generator.d.ts +31 -0
package/dist/services/dockerfile-generator.d.ts.map +1 -0
package/dist/services/dockerfile-generator.js +544 -0
package/dist/services/dockerfile-generator.js.map +1 -0
package/dist/services/dockerfile-generator.test.d.ts +2 -0
package/dist/services/dockerfile-generator.test.d.ts.map +1 -0
package/dist/services/dockerfile-generator.test.js +144 -0
package/dist/services/dockerfile-generator.test.js.map +1 -0
package/dist/services/forgejo.d.ts +58 -0
package/dist/services/forgejo.d.ts.map +1 -0
package/dist/services/forgejo.js +131 -0
package/dist/services/forgejo.js.map +1 -0
package/dist/services/koko.d.ts +153 -0
package/dist/services/koko.d.ts.map +1 -0
package/dist/services/koko.js +260 -0
package/dist/services/koko.js.map +1 -0
package/dist/services/kubernetes.d.ts +16 -0
package/dist/services/kubernetes.d.ts.map +1 -0
package/dist/services/kubernetes.js +102 -0
package/dist/services/kubernetes.js.map +1 -0
package/dist/services/oauth-provisioner.d.ts +30 -0
package/dist/services/oauth-provisioner.d.ts.map +1 -0
package/dist/services/oauth-provisioner.js +182 -0
package/dist/services/oauth-provisioner.js.map +1 -0
package/dist/services/oauth-provisioner.test.d.ts +2 -0
package/dist/services/oauth-provisioner.test.d.ts.map +1 -0
package/dist/services/oauth-provisioner.test.js +349 -0
package/dist/services/oauth-provisioner.test.js.map +1 -0
package/dist/services/pod-diagnostics.d.ts +11 -0
package/dist/services/pod-diagnostics.d.ts.map +1 -0
package/dist/services/pod-diagnostics.js +201 -0
package/dist/services/pod-diagnostics.js.map +1 -0
package/dist/services/rotation-scheduler.d.ts +2 -0
package/dist/services/rotation-scheduler.d.ts.map +1 -0
package/dist/services/rotation-scheduler.js +215 -0
package/dist/services/rotation-scheduler.js.map +1 -0
package/dist/services/storage-credential-manager.d.ts +43 -0
package/dist/services/storage-credential-manager.d.ts.map +1 -0
package/dist/services/storage-credential-manager.js +159 -0
package/dist/services/storage-credential-manager.js.map +1 -0
package/dist/services/storage-provisioner.d.ts +32 -0
package/dist/services/storage-provisioner.d.ts.map +1 -0
package/dist/services/storage-provisioner.js +136 -0
package/dist/services/storage-provisioner.js.map +1 -0
package/dist/services/storage.d.ts +65 -0
package/dist/services/storage.d.ts.map +1 -0
package/dist/services/storage.js +204 -0
package/dist/services/storage.js.map +1 -0
package/dist/services/troubleshooter.d.ts +22 -0
package/dist/services/troubleshooter.d.ts.map +1 -0
package/dist/services/troubleshooter.js +168 -0
package/dist/services/troubleshooter.js.map +1 -0
package/dist/services/vault-client.d.ts +114 -0
package/dist/services/vault-client.d.ts.map +1 -0
package/dist/services/vault-client.js +411 -0
package/dist/services/vault-client.js.map +1 -0
package/dist/utils/logger.d.ts +2 -0
package/dist/utils/logger.d.ts.map +1 -0
package/dist/utils/logger.js +6 -0
package/dist/utils/logger.js.map +1 -0
package/dist/utils/response.d.ts +13 -0
package/dist/utils/response.d.ts.map +1 -0
package/dist/utils/response.js +12 -0
package/dist/utils/response.js.map +1 -0
package/docs/registry-migration.md +301 -0
package/docs/registry-quickstart.md +169 -0
package/ecosystem.config.cjs +14 -0
package/findings.md +168 -0
package/helm/default-service/Chart.yaml +6 -0
package/helm/default-service/templates/deployment.yaml +97 -0
package/helm/default-service/templates/ingress.yaml +43 -0
package/helm/default-service/templates/service.yaml +17 -0
package/helm/default-service/values.yaml +82 -0
package/helm/services/iec-builder/Chart.yaml +6 -0
package/helm/services/iec-builder/templates/_helpers.tpl +61 -0
package/helm/services/iec-builder/templates/deployment.yaml +73 -0
package/helm/services/iec-builder/templates/service.yaml +15 -0
package/helm/services/iec-builder/templates/serviceaccount.yaml +12 -0
package/helm/services/iec-builder/values.yaml +56 -0
package/helm/vault-values.yaml +127 -0
package/package.json +45 -0
package/progress.md +156 -0
package/scripts/.vault-init-keys.json +23 -0
package/scripts/backfill-ownership.ts +113 -0
package/scripts/finalize-mongo-auth.sh +212 -0
package/scripts/setup-ipset.sh +107 -0
package/scripts/setup-mongo-auth.sh +163 -0
package/scripts/setup-neo4j-auth.sh +62 -0
package/scripts/setup-redis-auth.sh +55 -0
package/scripts/setup-registry-secret.sh +71 -0
package/scripts/setup-vault.sh +308 -0
package/src/config/env.ts +117 -0
package/src/index.ts +153 -0
package/src/middleware/auth.ts +294 -0
package/src/middleware/org-access.ts +126 -0
package/src/models/types.ts +288 -0
package/src/routes/ai.ts +115 -0
package/src/routes/audit.ts +121 -0
package/src/routes/builds.ts +320 -0
package/src/routes/cluster.ts +235 -0
package/src/routes/config.ts +369 -0
package/src/routes/databases.ts +201 -0
package/src/routes/db-whitelist.ts +204 -0
package/src/routes/domains.ts +547 -0
package/src/routes/oauth.ts +195 -0
package/src/routes/observability.ts +205 -0
package/src/routes/orgs.ts +330 -0
package/src/routes/platform.ts +134 -0
package/src/routes/rotation.ts +191 -0
package/src/routes/services.ts +290 -0
package/src/routes/storage.ts +153 -0
package/src/routes/users.ts +235 -0
package/src/routes/webhooks.ts +384 -0
package/src/services/__tests__/catalog-storage.test.ts +186 -0
package/src/services/__tests__/deploy-pipeline.integration.test.ts +624 -0
package/src/services/__tests__/pod-diagnostics.test.ts +332 -0
package/src/services/__tests__/storage-credential-manager.test.ts +129 -0
package/src/services/__tests__/storage-provisioner.test.ts +166 -0
package/src/services/__tests__/troubleshooter.test.ts +329 -0
package/src/services/bio-client.ts +189 -0
package/src/services/build-queue.ts +137 -0
package/src/services/builder.ts +1800 -0
package/src/services/catalog.test.ts +1389 -0
package/src/services/catalog.ts +1187 -0
package/src/services/cloudflare.ts +259 -0
package/src/services/config-validator.test.ts +190 -0
package/src/services/config-validator.ts +108 -0
package/src/services/crypto.ts +78 -0
package/src/services/database.ts +122 -0
package/src/services/db-credential-manager.test.ts +101 -0
package/src/services/db-credential-manager.ts +447 -0
package/src/services/db-provisioner.test.ts +602 -0
package/src/services/db-provisioner.ts +589 -0
package/src/services/db-whitelist.test.ts +671 -0
package/src/services/db-whitelist.ts +496 -0
package/src/services/dependency-resolver.test.ts +677 -0
package/src/services/dependency-resolver.ts +319 -0
package/src/services/deploy-gate.test.ts +247 -0
package/src/services/deploy-gate.ts +75 -0
package/src/services/dockerfile-generator.test.ts +401 -0
package/src/services/dockerfile-generator.ts +606 -0
package/src/services/forgejo.ts +212 -0
package/src/services/koko.ts +492 -0
package/src/services/kubernetes.ts +141 -0
package/src/services/oauth-provisioner.test.ts +477 -0
package/src/services/oauth-provisioner.ts +286 -0
package/src/services/pod-diagnostics.ts +261 -0
package/src/services/rotation-scheduler.ts +293 -0
package/src/services/storage-credential-manager.ts +223 -0
package/src/services/storage-provisioner.ts +216 -0
package/src/services/storage.ts +274 -0
package/src/services/troubleshooter.ts +208 -0
package/src/services/vault-client.test.ts +272 -0
package/src/services/vault-client.ts +587 -0
package/src/utils/logger.ts +6 -0
package/src/utils/response.ts +23 -0
package/task_plan.md +171 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +19 -0

package/src/services/vault-client.ts ADDED Viewed

@@ -0,0 +1,587 @@
+import { execSync } from 'child_process'
+import { env } from '../config/env.js'
+import { logger } from '../utils/logger.js'
+// ─────────────────────────────────────────────────────────────────────────────
+// Types
+// ─────────────────────────────────────────────────────────────────────────────
+export interface VaultDatabaseRoleConfig {
+  readonly serviceName: string
+  readonly environment: string
+  readonly databaseName: string
+  readonly role: 'readWrite' | 'read'
+  readonly dbType: 'mongodb' | 'redis' | 'neo4j'
+}
+export interface VaultAnnotations {
+  readonly [key: string]: string
+}
+interface VaultHealthResponse {
+  readonly initialized: boolean
+  readonly sealed: boolean
+  readonly version: string
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Health & Feature Flag
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Check if Vault integration is enabled via feature flag.
+ */
+export function isVaultEnabled(): boolean {
+  return env.VAULT_ENABLED === 'true' && env.VAULT_ADDR !== ''
+}
+/**
+ * Check if Vault is healthy (initialized, unsealed, reachable).
+ * Returns false on any error — builder falls back to Phase 1 static credentials.
+ */
+export async function isVaultHealthy(): Promise<boolean> {
+  if (!isVaultEnabled()) {
+    return false
+  }
+  try {
+    const response = await fetch(`${env.VAULT_ADDR}/v1/sys/health`, {
+      signal: AbortSignal.timeout(5000),
+    })
+    if (!response.ok) {
+      // 429 = standby, 472 = DR secondary, 473 = performance standby — all "healthy enough"
+      // 501 = not initialized, 503 = sealed — not healthy
+      const unhealthy = [501, 503]
+      if (unhealthy.includes(response.status)) {
+        logger.warn({ status: response.status }, 'Vault is not healthy')
+        return false
+      }
+    }
+    const data = await response.json() as VaultHealthResponse
+    return data.initialized && !data.sealed
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Unknown error'
+    logger.warn({ error: message }, 'Vault health check failed — falling back to static credentials')
+    return false
+  }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Vault API helpers
+// ─────────────────────────────────────────────────────────────────────────────
+async function vaultRequest(
+  method: string,
+  path: string,
+  body?: Record<string, unknown>
+): Promise<Response> {
+  const url = `${env.VAULT_ADDR}/v1/${path}`
+  const headers: Record<string, string> = {
+    'X-Vault-Token': env.VAULT_TOKEN,
+  }
+  if (body) {
+    headers['Content-Type'] = 'application/json'
+  }
+  const response = await fetch(url, {
+    method,
+    headers,
+    body: body ? JSON.stringify(body) : undefined,
+    signal: AbortSignal.timeout(10000),
+  })
+  return response
+}
+async function vaultWrite(path: string, data: Record<string, unknown>): Promise<void> {
+  const response = await vaultRequest('POST', path, data)
+  if (!response.ok && response.status !== 204) {
+    const errorBody = await response.text()
+    throw new Error(`Vault write to ${path} failed (${response.status}): ${errorBody}`)
+  }
+}
+async function vaultDelete(path: string): Promise<void> {
+  const response = await vaultRequest('DELETE', path)
+  if (!response.ok && response.status !== 204 && response.status !== 404) {
+    const errorBody = await response.text()
+    throw new Error(`Vault delete at ${path} failed (${response.status}): ${errorBody}`)
+  }
+}
+async function vaultRead(path: string): Promise<Record<string, unknown> | null> {
+  const response = await vaultRequest('GET', path)
+  if (response.status === 404) {
+    return null
+  }
+  if (!response.ok) {
+    const errorBody = await response.text()
+    throw new Error(`Vault read from ${path} failed (${response.status}): ${errorBody}`)
+  }
+  const json = await response.json() as { data: Record<string, unknown> }
+  return json.data
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Vault Role Names
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Build the Vault database role name for a service's own database.
+ */
+export function buildVaultRoleName(serviceName: string, environment: string, dbType: string): string {
+  return `svc-${serviceName}-${environment}-${dbType}`
+}
+/**
+ * Build the Vault database role name for a shared/consumed database.
+ */
+export function buildSharedVaultRoleName(
+  consumerName: string,
+  ownerName: string,
+  environment: string,
+  dbType: string
+): string {
+  return `svc-${consumerName}-on-${ownerName}-${environment}-${dbType}`
+}
+/**
+ * Build the Vault K8s auth role name for a service.
+ */
+function buildKubeAuthRoleName(serviceName: string, environment: string): string {
+  return `svc-${serviceName}-${environment}`
+}
+/**
+ * Build the Vault policy name for a service.
+ */
+function buildPolicyName(serviceName: string, environment: string): string {
+  return `svc-${serviceName}-${environment}`
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Database Secrets Engine — Role Management
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Ensure a MongoDB database connection is configured in Vault's database engine.
+ * Idempotent — updates if exists.
+ */
+export async function ensureMongoDbConnection(connectionName: string, mongoUri: string): Promise<void> {
+  logger.info({ connectionName }, 'Configuring Vault MongoDB connection')
+  await vaultWrite(`database/config/${connectionName}`, {
+    plugin_name: 'mongodb-database-plugin',
+    allowed_roles: 'svc-*',
+    connection_url: mongoUri,
+  })
+}
+/**
+ * Ensure a Vault database role exists for a service's MongoDB database.
+ * Idempotent — updates if exists.
+ */
+export async function ensureVaultMongoRole(config: VaultDatabaseRoleConfig): Promise<void> {
+  const roleName = buildVaultRoleName(config.serviceName, config.environment, 'mongodb')
+  const connectionName = 'mongodb-tawa'  // Single MongoDB instance — matches database/config/mongodb-tawa
+  logger.info(
+    { roleName, databaseName: config.databaseName, role: config.role },
+    'Ensuring Vault MongoDB role'
+  )
+  const creationStatements = JSON.stringify({
+    db: config.databaseName,
+    roles: [{ role: config.role, db: config.databaseName }],
+  })
+  await vaultWrite(`database/roles/${roleName}`, {
+    db_name: connectionName,
+    creation_statements: [creationStatements],
+    default_ttl: '1h',
+    max_ttl: '720h',
+  })
+}
+/**
+ * Ensure a Vault database role exists for a service's Redis ACL.
+ * Idempotent — updates if exists.
+ */
+export async function ensureVaultRedisRole(config: VaultDatabaseRoleConfig): Promise<void> {
+  const roleName = buildVaultRoleName(config.serviceName, config.environment, 'redis')
+  const connectionName = 'redis-tawa'  // TODO Phase 2c: configure redis connection in Vault
+  logger.info(
+    { roleName, role: config.role },
+    'Ensuring Vault Redis role'
+  )
+  // Redis ACL creation template — key prefix isolation
+  const keyPattern = `~${config.serviceName}-${config.environment}:*`
+  const aclRule = config.role === 'readWrite'
+    ? `${keyPattern} +@all`
+    : `${keyPattern} +@read`
+  await vaultWrite(`database/roles/${roleName}`, {
+    db_name: connectionName,
+    creation_statements: [JSON.stringify([aclRule])],
+    default_ttl: '1h',
+    max_ttl: '720h',
+  })
+}
+/**
+ * Ensure a Vault database role exists for Neo4j.
+ * Uses database plugin if available, otherwise KV v2 static rotation.
+ */
+export async function ensureVaultNeo4jRole(config: VaultDatabaseRoleConfig): Promise<void> {
+  const roleName = buildVaultRoleName(config.serviceName, config.environment, 'neo4j')
+  logger.info(
+    { roleName, databaseName: config.databaseName, role: config.role },
+    'Ensuring Vault Neo4j role'
+  )
+  // Try database engine first (community plugin)
+  try {
+    const connectionName = 'neo4j-tawa'  // TODO Phase 2d: configure neo4j connection in Vault
+    await vaultWrite(`database/roles/${roleName}`, {
+      db_name: connectionName,
+      creation_statements: [JSON.stringify({
+        roles: [{ role: config.role === 'readWrite' ? 'admin' : 'reader' }],
+      })],
+      default_ttl: '1h',
+      max_ttl: '720h',
+    })
+  } catch (error) {
+    // Fallback: store in KV v2 for static rotation
+    const message = error instanceof Error ? error.message : 'Unknown error'
+    logger.warn(
+      { roleName, error: message },
+      'Neo4j database plugin not available, using KV v2 static rotation'
+    )
+    // KV v2 path — credentials stored as static secrets, rotated by external script
+    // The Vault Agent template reads from this path instead of database/creds/
+  }
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Kubernetes Auth — Role + Policy Management
+// ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Create a Vault policy scoped to a service's database credentials.
+ * Least privilege — service can only read its own credentials.
+ */
+export async function ensureVaultPolicy(
+  serviceName: string,
+  environment: string,
+  dbTypes: ReadonlyArray<string>
+): Promise<void> {
+  const policyName = buildPolicyName(serviceName, environment)
+  // Build policy rules for each database type
+  const rules = dbTypes.map((dbType) => {
+    const roleName = buildVaultRoleName(serviceName, environment, dbType)
+    return `path "database/creds/${roleName}" {\n  capabilities = ["read"]\n}`
+  })
+  // Add KV v2 access for Neo4j fallback
+  if (dbTypes.includes('neo4j')) {
+    rules.push(
+      `path "secret/data/neo4j/svc-${serviceName}-${environment}" {\n  capabilities = ["read"]\n}`
+    )
+  }
+  const policy = rules.join('\n\n')
+  logger.info({ policyName, dbTypes }, 'Ensuring Vault policy')
+  await vaultWrite(`sys/policy/${policyName}`, { policy })
+}
+/**
+ * Bind a K8s ServiceAccount to a Vault role via K8s auth method.
+ * The service's pod authenticates to Vault using its ServiceAccount token.
+ */
+export async function ensureKubeAuthRole(
+  serviceName: string,
+  environment: string,
+  namespace: string
+): Promise<void> {
+  const roleName = buildKubeAuthRoleName(serviceName, environment)
+  const policyName = buildPolicyName(serviceName, environment)
+  logger.info(
+    { roleName, namespace, serviceAccount: serviceName },
+    'Ensuring Vault K8s auth role'
+  )
+  await vaultWrite(`auth/kubernetes/role/${roleName}`, {
+    bound_service_account_names: [serviceName],
+    bound_service_account_namespaces: [namespace],
+    policies: [policyName],
+    ttl: '1h',
+  })
+}
+/**
+ * Ensure a K8s ServiceAccount exists in the service namespace.
+ * Uses kubectl — idempotent via dry-run + apply.
+ */
+export function ensureServiceAccount(serviceName: string, namespace: string): void {
+  const command = [
+    `kubectl create serviceaccount ${serviceName}`,
+    `--namespace ${namespace}`,
+    '--dry-run=client -o yaml | kubectl apply -f -',
+  ].join(' ')
+  execSync(command, {
+    encoding: 'utf8',
+    shell: '/bin/bash',
+  })
+  logger.info({ serviceName, namespace }, 'K8s ServiceAccount ensured')
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// MinIO — Vault Secrets Engine (custom plugin: vault-plugin-secrets-minio)
+//
+// Dynamic credentials via our custom Vault secrets engine.
+// Plugin creates ephemeral MinIO users + scoped IAM policies on demand.
+// Vault manages the full lifecycle: create on read, revoke on lease expiry.
+// ─────────────────────────────────────────────────────────────────────────────
+export interface MinioAdminCreds {
+  readonly accessKey: string
+  readonly secretKey: string
+  readonly endpoint: string
+}
+/**
+ * Build the Vault MinIO role name for a service's storage.
+ */
+export function buildMinioRoleName(serviceName: string, environment: string): string {
+  return `svc-${serviceName}-${environment}-storage`
+}
+/**
+ * Build the Vault secrets engine creds path for a service.
+ * Pods read from this path via Vault Agent sidecar — Vault generates
+ * ephemeral MinIO credentials on each read.
+ */
+export function buildMinioCredsPath(serviceName: string, environment: string): string {
+  return `minio/creds/${buildMinioRoleName(serviceName, environment)}`
+}
+/**
+ * Read MinIO admin credentials from Vault KV (secret/minio/admin).
+ * These are used by the builder to create buckets via MinIO SDK — never stored on disk.
+ * The custom plugin handles user/policy creation, but bucket creation still needs admin creds.
+ */
+export async function getMinioAdminCreds(): Promise<MinioAdminCreds> {
+  const data = await vaultRead('secret/data/minio/admin')
+  if (!data || !data.data) {
+    throw new Error(
+      'MinIO admin credentials not found in Vault KV at secret/minio/admin. ' +
+      'Run: vault kv put secret/minio/admin access_key=... secret_key=... endpoint=...'
+    )
+  }
+  const inner = data.data as Record<string, string>
+  if (!inner.access_key || !inner.secret_key) {
+    throw new Error(
+      'MinIO admin credentials in Vault KV are missing access_key or secret_key'
+    )
+  }
+  return {
+    accessKey: inner.access_key,
+    secretKey: inner.secret_key,
+    endpoint: inner.endpoint || `http://127.0.0.1:9000`,
+  }
+}
+/**
+ * Configure a Vault MinIO role for a service.
+ * The role defines the inline IAM policy (scoped to declared buckets).
+ * When pods read from `minio/creds/{role}`, Vault creates an ephemeral
+ * MinIO user with this policy attached.
+ *
+ * Idempotent — updates if role exists.
+ */
+export async function configureMinioVaultRole(
+  serviceName: string,
+  environment: string,
+  policyJson: string,
+): Promise<void> {
+  const roleName = buildMinioRoleName(serviceName, environment)
+  logger.info({ roleName, serviceName, environment }, 'Configuring Vault MinIO role')
+  await vaultWrite(`minio/roles/${roleName}`, {
+    policy: policyJson,
+    user_name_prefix: `svc-${serviceName}-${environment}-`,
+    default_ttl: '1h',
+    max_ttl: '720h',
+  })
+}
+/**
+ * Revoke all active MinIO leases for a service (credential rotation).
+ * Forces Vault to delete the ephemeral MinIO users + canned policies.
+ * New credentials are generated on next pod startup.
+ */
+export async function revokeMinioLeases(
+  serviceName: string,
+  environment: string,
+): Promise<void> {
+  const prefix = `minio/creds/${buildMinioRoleName(serviceName, environment)}`
+  logger.info({ serviceName, environment, prefix }, 'Revoking MinIO leases')
+  await vaultWrite(`sys/leases/revoke-prefix/${prefix}`, {})
+}
+/**
+ * Add MinIO creds path to a service's Vault policy.
+ * Call this after ensureVaultPolicy to add storage access rules.
+ */
+export async function addMinioPolicyRules(
+  serviceName: string,
+  environment: string,
+): Promise<void> {
+  const policyName = buildPolicyName(serviceName, environment)
+  const credsPath = buildMinioCredsPath(serviceName, environment)
+  // Read existing policy
+  const existing = await vaultRead(`sys/policy/${policyName}`)
+  const existingPolicy = existing?.rules as string || ''
+  // Only add if not already present
+  const minioRule = `path "${credsPath}" {\n  capabilities = ["read"]\n}`
+  if (existingPolicy.includes(credsPath)) {
+    return
+  }
+  const updatedPolicy = existingPolicy
+    ? `${existingPolicy}\n\n${minioRule}`
+    : minioRule
+  await vaultWrite(`sys/policy/${policyName}`, { policy: updatedPolicy })
+  logger.info({ policyName, credsPath }, 'Added MinIO creds rules to Vault policy')
+}
+// ─────────────────────────────────────────────────────────────────────────────
+// Vault Agent Annotations
+// ─────────────────────────────────────────────────────────────────────────────
+interface DatabaseAnnotationConfig {
+  readonly dbType: 'mongodb' | 'redis' | 'neo4j'
+  readonly roleName: string
+  readonly templateContent: string
+}
+/**
+ * Build the Vault Agent template that renders a MongoDB connection string.
+ */
+function buildMongoTemplate(roleName: string, databaseName: string): string {
+  const host = env.DB_MONGODB_PUBLIC_HOST || env.DB_MONGODB_HOST
+  const port = env.DB_MONGODB_PORT
+  return [
+    `{{- with secret "database/creds/${roleName}" -}}`,
+    `MONGODB_URI=mongodb://{{ .Data.username }}:{{ .Data.password }}@${host}:${port}/${databaseName}?authSource=${databaseName}`,
+    '{{- end -}}',
+  ].join('\n')
+}
+/**
+ * Build the Vault Agent template that renders a Redis URL.
+ */
+function buildRedisTemplate(roleName: string): string {
+  const host = env.DB_REDIS_HOST
+  const port = env.DB_REDIS_PORT
+  return [
+    `{{- with secret "database/creds/${roleName}" -}}`,
+    `REDIS_URL=redis://{{ .Data.username }}:{{ .Data.password }}@${host}:${port}/0`,
+    '{{- end -}}',
+  ].join('\n')
+}
+/**
+ * Build the Vault Agent template that renders Neo4j credentials.
+ */
+function buildNeo4jTemplate(roleName: string): string {
+  const host = env.DB_NEO4J_HOST
+  const port = env.DB_NEO4J_PORT
+  return [
+    `{{- with secret "database/creds/${roleName}" -}}`,
+    `NEO4J_URI=bolt://${host}:${port}`,
+    'NEO4J_USERNAME={{ .Data.username }}',
+    'NEO4J_PASSWORD={{ .Data.password }}',
+    '{{- end -}}',
+  ].join('\n')
+}
+/**
+ * Generate Vault Agent pod annotations for a service.
+ *
+ * These annotations are injected via `--set-json podAnnotations='{...}'` in the Helm command.
+ * The Vault Agent Injector webhook reads them and injects init + sidecar containers.
+ */
+export function getVaultAgentAnnotations(
+  serviceName: string,
+  environment: string,
+  databases: ReadonlyArray<{ type: 'mongodb' | 'redis' | 'neo4j'; name?: string }>
+): VaultAnnotations {
+  if (databases.length === 0) {
+    return {}
+  }
+  const kubeRoleName = buildKubeAuthRoleName(serviceName, environment)
+  const annotations: Record<string, string> = {
+    'vault.hashicorp.com/agent-inject': 'true',
+    'vault.hashicorp.com/role': kubeRoleName,
+    'vault.hashicorp.com/agent-pre-populate-only': 'false',
+  }
+  // Build per-database annotations
+  const dbConfigs: DatabaseAnnotationConfig[] = databases.map((db) => {
+    const databaseName = db.name || `${serviceName}-${environment}`
+    const roleName = buildVaultRoleName(serviceName, environment, db.type)
+    switch (db.type) {
+      case 'mongodb':
+        return { dbType: db.type, roleName, templateContent: buildMongoTemplate(roleName, databaseName) }
+      case 'redis':
+        return { dbType: db.type, roleName, templateContent: buildRedisTemplate(roleName) }
+      case 'neo4j':
+        return { dbType: db.type, roleName, templateContent: buildNeo4jTemplate(roleName) }
+    }
+  })
+  // Each database type gets its own secret file, all rendered to /vault/secrets/
+  // The command annotation triggers when credentials rotate at max_ttl —
+  // it removes the liveness signal file so K8s restarts the container with fresh creds.
+  for (const config of dbConfigs) {
+    const suffix = config.dbType
+    annotations[`vault.hashicorp.com/agent-inject-secret-${suffix}`] = `database/creds/${config.roleName}`
+    annotations[`vault.hashicorp.com/agent-inject-template-${suffix}`] = config.templateContent
+    annotations[`vault.hashicorp.com/agent-inject-command-${suffix}`] = 'rm -f /vault/signals/alive'
+  }
+  return annotations
+}

package/src/utils/logger.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import { pino } from 'pino'
+import { env } from '../config/env.js'
+export const logger = pino({
+  level: env.LOG_LEVEL,
+})

package/src/utils/response.ts ADDED Viewed

@@ -0,0 +1,23 @@
+export interface ApiResponse<T> {
+  success: boolean
+  data?: T
+  error?: {
+    code: string
+    message: string
+    details?: unknown
+  }
+}
+export function apiResponse<T>(data: T): ApiResponse<T> {
+  return { success: true, data }
+}
+// Alias for apiResponse
+export const apiSuccess = apiResponse
+export function apiError(code: string, message: string, details?: unknown): ApiResponse<never> {
+  return {
+    success: false,
+    error: { code, message, details }
+  }
+}