run402 1.54.4 → 1.55.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +28 -0
- package/cli.mjs +7 -0
- package/core-dist/allowance-auth.js +42 -22
- package/lib/ci.mjs +395 -0
- package/lib/deploy-v2.mjs +115 -6
- package/lib/sdk.mjs +2 -2
- package/package.json +1 -1
- package/sdk/core-dist/allowance-auth.js +42 -22
- package/sdk/dist/ci-credentials.d.ts +22 -0
- package/sdk/dist/ci-credentials.d.ts.map +1 -0
- package/sdk/dist/ci-credentials.js +103 -0
- package/sdk/dist/ci-credentials.js.map +1 -0
- package/sdk/dist/index.d.ts +6 -0
- package/sdk/dist/index.d.ts.map +1 -1
- package/sdk/dist/index.js +5 -0
- package/sdk/dist/index.js.map +1 -1
- package/sdk/dist/namespaces/ci.d.ts +21 -0
- package/sdk/dist/namespaces/ci.d.ts.map +1 -0
- package/sdk/dist/namespaces/ci.js +253 -0
- package/sdk/dist/namespaces/ci.js.map +1 -0
- package/sdk/dist/namespaces/ci.types.d.ts +91 -0
- package/sdk/dist/namespaces/ci.types.d.ts.map +1 -0
- package/sdk/dist/namespaces/ci.types.js +8 -0
- package/sdk/dist/namespaces/ci.types.js.map +1 -0
- package/sdk/dist/namespaces/deploy.d.ts.map +1 -1
- package/sdk/dist/namespaces/deploy.js +45 -21
- package/sdk/dist/namespaces/deploy.js.map +1 -1
- package/sdk/dist/node/ci.d.ts +12 -0
- package/sdk/dist/node/ci.d.ts.map +1 -0
- package/sdk/dist/node/ci.js +30 -0
- package/sdk/dist/node/ci.js.map +1 -0
- package/sdk/dist/node/index.d.ts +7 -2
- package/sdk/dist/node/index.d.ts.map +1 -1
- package/sdk/dist/node/index.js +3 -2
- package/sdk/dist/node/index.js.map +1 -1
package/lib/sdk.mjs
CHANGED
package/package.json
CHANGED
|
@@ -70,16 +70,44 @@ export function formatSIWEMessage(opts, address) {
|
|
|
70
70
|
opts.statement,
|
|
71
71
|
"",
|
|
72
72
|
`URI: ${opts.uri}`,
|
|
73
|
-
`Version: ${opts.version}`,
|
|
74
|
-
`Chain ID: ${opts.chainId}`,
|
|
73
|
+
`Version: ${opts.version ?? "1"}`,
|
|
74
|
+
`Chain ID: ${messageChainId(opts.chainId)}`,
|
|
75
75
|
`Nonce: ${opts.nonce}`,
|
|
76
76
|
`Issued At: ${opts.issuedAt}`,
|
|
77
77
|
];
|
|
78
78
|
if (opts.expirationTime) {
|
|
79
79
|
lines.push(`Expiration Time: ${opts.expirationTime}`);
|
|
80
80
|
}
|
|
81
|
+
if (opts.resources && opts.resources.length > 0) {
|
|
82
|
+
lines.push("Resources:");
|
|
83
|
+
for (const resource of opts.resources)
|
|
84
|
+
lines.push(`- ${resource}`);
|
|
85
|
+
}
|
|
81
86
|
return lines.join("\n");
|
|
82
87
|
}
|
|
88
|
+
export function buildSIWxAuthHeaders(opts) {
|
|
89
|
+
const message = formatSIWEMessage(opts, opts.allowance.address);
|
|
90
|
+
const signature = personalSign(opts.allowance.privateKey, opts.allowance.address, message);
|
|
91
|
+
const payload = {
|
|
92
|
+
domain: opts.domain,
|
|
93
|
+
address: toChecksumAddress(opts.allowance.address),
|
|
94
|
+
statement: opts.statement,
|
|
95
|
+
uri: opts.uri,
|
|
96
|
+
version: opts.version ?? "1",
|
|
97
|
+
chainId: payloadChainId(opts.chainId),
|
|
98
|
+
type: opts.type ?? "eip191",
|
|
99
|
+
nonce: opts.nonce,
|
|
100
|
+
issuedAt: opts.issuedAt,
|
|
101
|
+
expirationTime: opts.expirationTime,
|
|
102
|
+
signature,
|
|
103
|
+
};
|
|
104
|
+
if (opts.resources !== undefined) {
|
|
105
|
+
payload.resources = opts.resources;
|
|
106
|
+
}
|
|
107
|
+
return {
|
|
108
|
+
"SIGN-IN-WITH-X": Buffer.from(JSON.stringify(payload)).toString("base64"),
|
|
109
|
+
};
|
|
110
|
+
}
|
|
83
111
|
/**
|
|
84
112
|
* Get SIWX auth headers for the Run402 API.
|
|
85
113
|
* Returns null if no allowance is configured.
|
|
@@ -103,32 +131,24 @@ export function getAllowanceAuthHeaders(path, allowancePath) {
|
|
|
103
131
|
const now = new Date();
|
|
104
132
|
const issuedAt = now.toISOString();
|
|
105
133
|
const expirationTime = new Date(now.getTime() + 5 * 60 * 1000).toISOString();
|
|
106
|
-
|
|
134
|
+
return buildSIWxAuthHeaders({
|
|
135
|
+
allowance,
|
|
107
136
|
domain,
|
|
108
137
|
uri,
|
|
109
138
|
statement: "Sign in to Run402",
|
|
110
|
-
version: "1",
|
|
111
|
-
chainId: 84532, // Base Sepolia
|
|
112
|
-
nonce,
|
|
113
|
-
issuedAt,
|
|
114
|
-
expirationTime,
|
|
115
|
-
}, allowance.address);
|
|
116
|
-
const signature = personalSign(allowance.privateKey, allowance.address, message);
|
|
117
|
-
const payload = {
|
|
118
|
-
domain,
|
|
119
|
-
address: toChecksumAddress(allowance.address),
|
|
120
|
-
statement: "Sign in to Run402",
|
|
121
|
-
uri,
|
|
122
|
-
version: "1",
|
|
123
139
|
chainId: "eip155:84532",
|
|
124
|
-
type: "eip191",
|
|
125
140
|
nonce,
|
|
126
141
|
issuedAt,
|
|
127
142
|
expirationTime,
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
143
|
+
});
|
|
144
|
+
}
|
|
145
|
+
function messageChainId(chainId) {
|
|
146
|
+
if (typeof chainId === "number")
|
|
147
|
+
return String(chainId);
|
|
148
|
+
const match = /^eip155:(\d+)$/.exec(chainId);
|
|
149
|
+
return match ? match[1] : chainId;
|
|
150
|
+
}
|
|
151
|
+
function payloadChainId(chainId) {
|
|
152
|
+
return typeof chainId === "number" ? `eip155:${chainId}` : chainId;
|
|
133
153
|
}
|
|
134
154
|
//# sourceMappingURL=allowance-auth.js.map
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
/** CI-session credential helpers for OIDC-backed deploy flows. */
|
|
2
|
+
import type { CredentialsProvider } from "./credentials.js";
|
|
3
|
+
export declare const CI_SESSION_CREDENTIALS: unique symbol;
|
|
4
|
+
export interface CiMarkedCredentialsProvider extends CredentialsProvider {
|
|
5
|
+
readonly [CI_SESSION_CREDENTIALS]: true;
|
|
6
|
+
}
|
|
7
|
+
export interface CreateCiSessionCredentialsOptions {
|
|
8
|
+
projectId: string;
|
|
9
|
+
accessToken?: string;
|
|
10
|
+
getAccessToken?: () => Promise<string>;
|
|
11
|
+
}
|
|
12
|
+
export interface GithubActionsCredentialsOptions {
|
|
13
|
+
projectId: string;
|
|
14
|
+
apiBase?: string;
|
|
15
|
+
audience?: string;
|
|
16
|
+
refreshBeforeSeconds?: number;
|
|
17
|
+
fetch?: typeof globalThis.fetch;
|
|
18
|
+
}
|
|
19
|
+
export declare function isCiSessionCredentials(credentials: CredentialsProvider): credentials is CiMarkedCredentialsProvider;
|
|
20
|
+
export declare function createCiSessionCredentials(opts: CreateCiSessionCredentialsOptions): CiMarkedCredentialsProvider;
|
|
21
|
+
export declare function githubActionsCredentials(opts: GithubActionsCredentialsOptions): CiMarkedCredentialsProvider;
|
|
22
|
+
//# sourceMappingURL=ci-credentials.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ci-credentials.d.ts","sourceRoot":"","sources":["../src/ci-credentials.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAElE,OAAO,KAAK,EAAE,mBAAmB,EAAe,MAAM,kBAAkB,CAAC;AASzE,eAAO,MAAM,sBAAsB,eAAmD,CAAC;AAEvF,MAAM,WAAW,2BAA4B,SAAQ,mBAAmB;IACtE,QAAQ,CAAC,CAAC,sBAAsB,CAAC,EAAE,IAAI,CAAC;CACzC;AAED,MAAM,WAAW,iCAAiC;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CACxC;AAED,MAAM,WAAW,+BAA+B;IAC9C,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED,wBAAgB,sBAAsB,CACpC,WAAW,EAAE,mBAAmB,GAC/B,WAAW,IAAI,2BAA2B,CAE5C;AAED,wBAAgB,0BAA0B,CACxC,IAAI,EAAE,iCAAiC,GACtC,2BAA2B,CAuC7B;AAED,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,+BAA+B,GACpC,2BAA2B,CA4B7B"}
|
|
@@ -0,0 +1,103 @@
|
|
|
1
|
+
/** CI-session credential helpers for OIDC-backed deploy flows. */
|
|
2
|
+
import { LocalError } from "./errors.js";
|
|
3
|
+
import { buildClient } from "./kernel.js";
|
|
4
|
+
import { Ci } from "./namespaces/ci.js";
|
|
5
|
+
import { CI_AUDIENCE, } from "./namespaces/ci.types.js";
|
|
6
|
+
export const CI_SESSION_CREDENTIALS = Symbol.for("@run402/sdk/ci-session-credentials");
|
|
7
|
+
export function isCiSessionCredentials(credentials) {
|
|
8
|
+
return Boolean(credentials[CI_SESSION_CREDENTIALS]);
|
|
9
|
+
}
|
|
10
|
+
export function createCiSessionCredentials(opts) {
|
|
11
|
+
if (!opts?.projectId) {
|
|
12
|
+
throw new LocalError("createCiSessionCredentials requires projectId", "creating CI session credentials");
|
|
13
|
+
}
|
|
14
|
+
if (!opts.accessToken && !opts.getAccessToken) {
|
|
15
|
+
throw new LocalError("createCiSessionCredentials requires accessToken or getAccessToken", "creating CI session credentials");
|
|
16
|
+
}
|
|
17
|
+
const provider = {
|
|
18
|
+
async getAuth() {
|
|
19
|
+
const token = opts.getAccessToken ? await opts.getAccessToken() : opts.accessToken;
|
|
20
|
+
if (!token) {
|
|
21
|
+
throw new LocalError("CI session credentials did not return an access token", "authenticating with CI session");
|
|
22
|
+
}
|
|
23
|
+
return { Authorization: `Bearer ${token}` };
|
|
24
|
+
},
|
|
25
|
+
async getProject(id) {
|
|
26
|
+
if (id !== opts.projectId)
|
|
27
|
+
return null;
|
|
28
|
+
return { anon_key: "", service_key: "" };
|
|
29
|
+
},
|
|
30
|
+
async getActiveProject() {
|
|
31
|
+
return opts.projectId;
|
|
32
|
+
},
|
|
33
|
+
};
|
|
34
|
+
Object.defineProperty(provider, CI_SESSION_CREDENTIALS, {
|
|
35
|
+
value: true,
|
|
36
|
+
enumerable: false,
|
|
37
|
+
});
|
|
38
|
+
return provider;
|
|
39
|
+
}
|
|
40
|
+
export function githubActionsCredentials(opts) {
|
|
41
|
+
if (!opts?.projectId) {
|
|
42
|
+
throw new LocalError("githubActionsCredentials requires projectId", "creating GitHub Actions CI credentials");
|
|
43
|
+
}
|
|
44
|
+
const apiBase = opts.apiBase ?? CI_AUDIENCE;
|
|
45
|
+
const audience = opts.audience ?? CI_AUDIENCE;
|
|
46
|
+
const fetchImpl = opts.fetch ?? globalThis.fetch.bind(globalThis);
|
|
47
|
+
const refreshBeforeMs = Math.max(0, opts.refreshBeforeSeconds ?? 60) * 1000;
|
|
48
|
+
let cached = null;
|
|
49
|
+
return createCiSessionCredentials({
|
|
50
|
+
projectId: opts.projectId,
|
|
51
|
+
getAccessToken: async () => {
|
|
52
|
+
const now = Date.now();
|
|
53
|
+
if (cached && now < cached.refreshAtMs)
|
|
54
|
+
return cached.token;
|
|
55
|
+
const subjectToken = await requestGithubOidcToken(fetchImpl, audience);
|
|
56
|
+
const exchanged = await exchangeWithRun402Ci(fetchImpl, apiBase, opts.projectId, subjectToken);
|
|
57
|
+
cached = {
|
|
58
|
+
token: exchanged.access_token,
|
|
59
|
+
refreshAtMs: now + Math.max(0, exchanged.expires_in * 1000 - refreshBeforeMs),
|
|
60
|
+
};
|
|
61
|
+
return cached.token;
|
|
62
|
+
},
|
|
63
|
+
});
|
|
64
|
+
}
|
|
65
|
+
async function requestGithubOidcToken(fetchImpl, audience) {
|
|
66
|
+
const env = getProcessEnv();
|
|
67
|
+
const requestUrl = env.ACTIONS_ID_TOKEN_REQUEST_URL;
|
|
68
|
+
const requestToken = env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
|
|
69
|
+
if (!requestUrl || !requestToken) {
|
|
70
|
+
throw new LocalError("GitHub Actions OIDC environment is missing ACTIONS_ID_TOKEN_REQUEST_URL or ACTIONS_ID_TOKEN_REQUEST_TOKEN. Ensure the workflow has permissions: id-token: write.", "requesting GitHub Actions OIDC token");
|
|
71
|
+
}
|
|
72
|
+
const url = new URL(requestUrl);
|
|
73
|
+
url.searchParams.set("audience", audience);
|
|
74
|
+
const res = await fetchImpl(url.toString(), {
|
|
75
|
+
headers: { Authorization: `Bearer ${requestToken}` },
|
|
76
|
+
});
|
|
77
|
+
const body = await res.json().catch(() => null);
|
|
78
|
+
if (!res.ok || typeof body?.value !== "string" || body.value.length === 0) {
|
|
79
|
+
throw new LocalError(`GitHub Actions OIDC token request failed (HTTP ${res.status})`, "requesting GitHub Actions OIDC token");
|
|
80
|
+
}
|
|
81
|
+
return body.value;
|
|
82
|
+
}
|
|
83
|
+
async function exchangeWithRun402Ci(fetchImpl, apiBase, projectId, subjectToken) {
|
|
84
|
+
const noAuth = {
|
|
85
|
+
async getAuth() {
|
|
86
|
+
return null;
|
|
87
|
+
},
|
|
88
|
+
async getProject() {
|
|
89
|
+
return null;
|
|
90
|
+
},
|
|
91
|
+
};
|
|
92
|
+
const ci = new Ci(buildClient({
|
|
93
|
+
apiBase,
|
|
94
|
+
fetch: fetchImpl,
|
|
95
|
+
credentials: noAuth,
|
|
96
|
+
}));
|
|
97
|
+
return ci.exchangeToken({ project_id: projectId, subject_token: subjectToken });
|
|
98
|
+
}
|
|
99
|
+
function getProcessEnv() {
|
|
100
|
+
const proc = globalThis;
|
|
101
|
+
return proc.process?.env ?? {};
|
|
102
|
+
}
|
|
103
|
+
//# sourceMappingURL=ci-credentials.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ci-credentials.js","sourceRoot":"","sources":["../src/ci-credentials.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAGlE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,EACL,WAAW,GAEZ,MAAM,0BAA0B,CAAC;AAElC,MAAM,CAAC,MAAM,sBAAsB,GAAG,MAAM,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;AAoBvF,MAAM,UAAU,sBAAsB,CACpC,WAAgC;IAEhC,OAAO,OAAO,CAAE,WAAoD,CAAC,sBAAsB,CAAC,CAAC,CAAC;AAChG,CAAC;AAED,MAAM,UAAU,0BAA0B,CACxC,IAAuC;IAEvC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;QACrB,MAAM,IAAI,UAAU,CAClB,+CAA+C,EAC/C,iCAAiC,CAClC,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;QAC9C,MAAM,IAAI,UAAU,CAClB,mEAAmE,EACnE,iCAAiC,CAClC,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAwB;QACpC,KAAK,CAAC,OAAO;YACX,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC;YACnF,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,MAAM,IAAI,UAAU,CAClB,uDAAuD,EACvD,gCAAgC,CACjC,CAAC;YACJ,CAAC;YACD,OAAO,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC;QAC9C,CAAC;QACD,KAAK,CAAC,UAAU,CAAC,EAAU;YACzB,IAAI,EAAE,KAAK,IAAI,CAAC,SAAS;gBAAE,OAAO,IAAI,CAAC;YACvC,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,CAAC;QAC3C,CAAC;QACD,KAAK,CAAC,gBAAgB;YACpB,OAAO,IAAI,CAAC,SAAS,CAAC;QACxB,CAAC;KACF,CAAC;IAEF,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,sBAAsB,EAAE;QACtD,KAAK,EAAE,IAAI;QACX,UAAU,EAAE,KAAK;KAClB,CAAC,CAAC;IACH,OAAO,QAAuC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,wBAAwB,CACtC,IAAqC;IAErC,IAAI,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;QACrB,MAAM,IAAI,UAAU,CAClB,6CAA6C,EAC7C,wCAAwC,CACzC,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,WAAW,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,WAAW,CAAC;IAC9C,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAClE,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,oBAAoB,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC;IAC5E,IAAI,MAAM,GAAkD,IAAI,CAAC;IAEjE,OAAO,0BAA0B,CAAC;QAChC,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,cAAc,EAAE,KAAK,IAAI,EAAE;YACzB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,IAAI,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,WAAW;gBAAE,OAAO,MAAM,CAAC,KAAK,CAAC;YAE5D,MAAM,YAAY,GAAG,MAAM,sBAAsB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;YACvE,MAAM,SAAS,GAAG,MAAM,oBAAoB,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;YAC/F,MAAM,GAAG;gBACP,KAAK,EAAE,SAAS,CAAC,YAAY;gBAC7B,WAAW,EAAE,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,UAAU,GAAG,IAAI,GAAG,eAAe,CAAC;aAC9E,CAAC;YACF,OAAO,MAAM,CAAC,KAAK,CAAC;QACtB,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED,KAAK,UAAU,sBAAsB,CACnC,SAAkC,EAClC,QAAgB;IAEhB,MAAM,GAAG,GAAG,aAAa,EAAE,CAAC;IAC5B,MAAM,UAAU,GAAG,GAAG,CAAC,4BAA4B,CAAC;IACpD,MAAM,YAAY,GAAG,GAAG,CAAC,8BAA8B,CAAC;IACxD,IAAI,CAAC,UAAU,IAAI,CAAC,YAAY,EAAE,CAAC;QACjC,MAAM,IAAI,UAAU,CAClB,kKAAkK,EAClK,sCAAsC,CACvC,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;IAChC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;QAC1C,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,YAAY,EAAE,EAAE;KACrD,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAA+B,CAAC;IAC9E,IAAI,CAAC,GAAG,CAAC,EAAE,IAAI,OAAO,IAAI,EAAE,KAAK,KAAK,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1E,MAAM,IAAI,UAAU,CAClB,kDAAkD,GAAG,CAAC,MAAM,GAAG,EAC/D,sCAAsC,CACvC,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC;AACpB,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,SAAkC,EAClC,OAAe,EACf,SAAiB,EACjB,YAAoB;IAEpB,MAAM,MAAM,GAAwB;QAClC,KAAK,CAAC,OAAO;YACX,OAAO,IAAI,CAAC;QACd,CAAC;QACD,KAAK,CAAC,UAAU;YACd,OAAO,IAAI,CAAC;QACd,CAAC;KACF,CAAC;IACF,MAAM,EAAE,GAAG,IAAI,EAAE,CAAC,WAAW,CAAC;QAC5B,OAAO;QACP,KAAK,EAAE,SAAS;QAChB,WAAW,EAAE,MAAM;KACpB,CAAC,CAAC,CAAC;IACJ,OAAO,EAAE,CAAC,aAAa,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,YAAY,EAAE,CAAC,CAAC;AAClF,CAAC;AAED,SAAS,aAAa;IACpB,MAAM,IAAI,GAAG,UAEZ,CAAC;IACF,OAAO,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,EAAE,CAAC;AACjC,CAAC"}
|
package/sdk/dist/index.d.ts
CHANGED
|
@@ -25,6 +25,7 @@ import { Email } from "./namespaces/email.js";
|
|
|
25
25
|
import { Contracts } from "./namespaces/contracts.js";
|
|
26
26
|
import { Admin } from "./namespaces/admin.js";
|
|
27
27
|
import { Deploy } from "./namespaces/deploy.js";
|
|
28
|
+
import { Ci } from "./namespaces/ci.js";
|
|
28
29
|
import type { ContentSource, FileSet } from "./namespaces/deploy.types.js";
|
|
29
30
|
import { ScopedRun402 } from "./scoped.js";
|
|
30
31
|
export interface Run402Options {
|
|
@@ -61,6 +62,7 @@ export declare class Run402 {
|
|
|
61
62
|
readonly contracts: Contracts;
|
|
62
63
|
readonly admin: Admin;
|
|
63
64
|
readonly deploy: Deploy;
|
|
65
|
+
readonly ci: Ci;
|
|
64
66
|
constructor(opts: Run402Options);
|
|
65
67
|
/**
|
|
66
68
|
* Return a project-scoped sub-client where every project-id-bearing namespace
|
|
@@ -122,7 +124,11 @@ export { withRetry } from "./retry.js";
|
|
|
122
124
|
export type { RetryOptions } from "./retry.js";
|
|
123
125
|
export type { CredentialsProvider, ProjectKeys } from "./credentials.js";
|
|
124
126
|
export type { RequestOptions, Client } from "./kernel.js";
|
|
127
|
+
export { CI_SESSION_CREDENTIALS, createCiSessionCredentials, githubActionsCredentials, isCiSessionCredentials, } from "./ci-credentials.js";
|
|
128
|
+
export type { CiMarkedCredentialsProvider, CreateCiSessionCredentialsOptions, GithubActionsCredentialsOptions, } from "./ci-credentials.js";
|
|
125
129
|
export { Deploy } from "./namespaces/deploy.js";
|
|
130
|
+
export { Ci, CI_AUDIENCE, CI_GITHUB_ACTIONS_ISSUER, CI_GITHUB_ACTIONS_PROVIDER, DEFAULT_CI_DELEGATION_CHAIN_ID, V1_CI_ALLOWED_ACTIONS, V1_CI_ALLOWED_EVENTS_DEFAULT, assertCiDeployableSpec, buildCiDelegationResourceUri, buildCiDelegationStatement, normalizeCiDelegationValues, validateCiNonce, validateCiSubjectMatch, } from "./namespaces/ci.js";
|
|
126
131
|
export { ScopedRun402 } from "./scoped.js";
|
|
132
|
+
export type { CiAllowedAction, CiAllowedEvent, CiBindingErrorCode, CiBindingRow, CiCreateBindingInput, CiDelegationValues, CiDeployErrorCode, CiErrorCode, CiListBindingsInput, CiListBindingsResult, CiProvider, CiTokenExchangeErrorCode, CiTokenExchangeInput, CiTokenExchangeRequestBody, CiTokenExchangeResponse, NormalizedCiDelegationValues, ParsedDelegation, } from "./namespaces/ci.types.js";
|
|
127
133
|
export type { ApplyOptions, CommitResponse, CommitStatus, ContentRef, ContentSource, DatabaseSpec, DeployDiff, DeployEvent, DeployOperation, DeployResult, ExposeManifest, FileSet, FsFileSource, FunctionSpec, FunctionsSpec, MigrationSpec, MissingContent, OperationSnapshot, OperationStatus, PaymentRequiredHint, PlanRequest, PlanResponse, ReleaseSpec, RouteSpec, SecretsSpec, SiteSpec, SmokeCheck, StartOptions, SubdomainsSpec, } from "./namespaces/deploy.types.js";
|
|
128
134
|
//# sourceMappingURL=index.d.ts.map
|
package/sdk/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,8BAA8B,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,MAAM,WAAW,aAAa;IAC5B,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAC;IAChB,mFAAmF;IACnF,WAAW,EAAE,mBAAmB,CAAC;IACjC;;;;OAIG;IACH,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED,qBAAa,MAAM;;IACjB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC;IAChB,QAAQ,CAAC,KAAK,EAAG,EAAE,CAAC;IACpB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM,8BAA8B,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,MAAM,WAAW,aAAa;IAC5B,mDAAmD;IACnD,OAAO,EAAE,MAAM,CAAC;IAChB,mFAAmF;IACnF,WAAW,EAAE,mBAAmB,CAAC;IACjC;;;;OAIG;IACH,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED,qBAAa,MAAM;;IACjB,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,UAAU,CAAC;IAChC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC;IAChB,QAAQ,CAAC,KAAK,EAAG,EAAE,CAAC;IACpB,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,YAAY,EAAE,YAAY,CAAC;IACpC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC;IAC1B,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC;IACpB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAC;IACtB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC;gBAIJ,IAAI,EAAE,aAAa;IA6D/B;;;;;;;;;;;;;;;;OAgBG;IACG,OAAO,CAAC,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAsBjD;;;;;;;;;;;OAWG;IACG,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;CAIpD;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,KAAK,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,GAAG,OAAO,CAEpE;AAED;;;GAGG;AACH,wBAAgB,MAAM,CAAC,IAAI,EAAE,aAAa,GAAG,MAAM,CAElD;AAED,OAAO,EACL,WAAW,EACX,eAAe,EACf,eAAe,EACf,YAAY,EACZ,QAAQ,EACR,YAAY,EACZ,UAAU,EACV,iBAAiB,EACjB,aAAa,EACb,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,UAAU,EACV,cAAc,EACd,YAAY,EACZ,aAAa,EACb,sBAAsB,GACvB,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,qBAAqB,EACrB,oBAAoB,EACpB,eAAe,GAChB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,YAAY,EAAE,mBAAmB,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AACzE,YAAY,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC1D,OAAO,EACL,sBAAsB,EACtB,0BAA0B,EAC1B,wBAAwB,EACxB,sBAAsB,GACvB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,2BAA2B,EAC3B,iCAAiC,EACjC,+BAA+B,GAChC,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EACL,EAAE,EACF,WAAW,EACX,wBAAwB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,qBAAqB,EACrB,4BAA4B,EAC5B,sBAAsB,EACtB,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,EAC3B,eAAe,EACf,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,YAAY,EACV,eAAe,EACf,cAAc,EACd,kBAAkB,EAClB,YAAY,EACZ,oBAAoB,EACpB,kBAAkB,EAClB,iBAAiB,EACjB,WAAW,EACX,mBAAmB,EACnB,oBAAoB,EACpB,UAAU,EACV,wBAAwB,EACxB,oBAAoB,EACpB,0BAA0B,EAC1B,uBAAuB,EACvB,4BAA4B,EAC5B,gBAAgB,GACjB,MAAM,0BAA0B,CAAC;AAClC,YAAY,EACV,YAAY,EACZ,cAAc,EACd,YAAY,EACZ,UAAU,EACV,aAAa,EACb,YAAY,EACZ,UAAU,EACV,WAAW,EACX,eAAe,EACf,YAAY,EACZ,cAAc,EACd,OAAO,EACP,YAAY,EACZ,YAAY,EACZ,aAAa,EACb,aAAa,EACb,cAAc,EACd,iBAAiB,EACjB,eAAe,EACf,mBAAmB,EACnB,WAAW,EACX,YAAY,EACZ,WAAW,EACX,SAAS,EACT,WAAW,EACX,QAAQ,EACR,UAAU,EACV,YAAY,EACZ,cAAc,GACf,MAAM,8BAA8B,CAAC"}
|
package/sdk/dist/index.js
CHANGED
|
@@ -25,6 +25,7 @@ import { Email } from "./namespaces/email.js";
|
|
|
25
25
|
import { Contracts } from "./namespaces/contracts.js";
|
|
26
26
|
import { Admin } from "./namespaces/admin.js";
|
|
27
27
|
import { Deploy } from "./namespaces/deploy.js";
|
|
28
|
+
import { Ci } from "./namespaces/ci.js";
|
|
28
29
|
import { ScopedRun402 } from "./scoped.js";
|
|
29
30
|
import { LocalError } from "./errors.js";
|
|
30
31
|
export class Run402 {
|
|
@@ -48,6 +49,7 @@ export class Run402 {
|
|
|
48
49
|
contracts;
|
|
49
50
|
admin;
|
|
50
51
|
deploy;
|
|
52
|
+
ci;
|
|
51
53
|
#client;
|
|
52
54
|
constructor(opts) {
|
|
53
55
|
if (!opts || typeof opts !== "object") {
|
|
@@ -93,6 +95,7 @@ export class Run402 {
|
|
|
93
95
|
this.contracts = new Contracts(client);
|
|
94
96
|
this.admin = new Admin(client);
|
|
95
97
|
this.deploy = new Deploy(client);
|
|
98
|
+
this.ci = new Ci(client);
|
|
96
99
|
}
|
|
97
100
|
/**
|
|
98
101
|
* Return a project-scoped sub-client where every project-id-bearing namespace
|
|
@@ -171,6 +174,8 @@ export function run402(opts) {
|
|
|
171
174
|
}
|
|
172
175
|
export { Run402Error, PaymentRequired, ProjectNotFound, Unauthorized, ApiError, NetworkError, LocalError, Run402DeployError, isRun402Error, isPaymentRequired, isProjectNotFound, isUnauthorized, isApiError, isNetworkError, isLocalError, isDeployError, isRetryableRun402Error, } from "./errors.js";
|
|
173
176
|
export { withRetry } from "./retry.js";
|
|
177
|
+
export { CI_SESSION_CREDENTIALS, createCiSessionCredentials, githubActionsCredentials, isCiSessionCredentials, } from "./ci-credentials.js";
|
|
174
178
|
export { Deploy } from "./namespaces/deploy.js";
|
|
179
|
+
export { Ci, CI_AUDIENCE, CI_GITHUB_ACTIONS_ISSUER, CI_GITHUB_ACTIONS_PROVIDER, DEFAULT_CI_DELEGATION_CHAIN_ID, V1_CI_ALLOWED_ACTIONS, V1_CI_ALLOWED_EVENTS_DEFAULT, assertCiDeployableSpec, buildCiDelegationResourceUri, buildCiDelegationStatement, normalizeCiDelegationValues, validateCiNonce, validateCiSubjectMatch, } from "./namespaces/ci.js";
|
|
175
180
|
export { ScopedRun402 } from "./scoped.js";
|
|
176
181
|
//# sourceMappingURL=index.js.map
|
package/sdk/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAkC,MAAM,aAAa,CAAC;AAE1E,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAkC,MAAM,aAAa,CAAC;AAE1E,OAAO,EAAE,QAAQ,EAAE,MAAM,0BAA0B,CAAC;AACpD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,UAAU,EAAE,MAAM,4BAA4B,CAAC;AACxD,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AACxC,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAC7D,OAAO,EAAE,OAAO,EAAE,MAAM,yBAAyB,CAAC;AAClD,OAAO,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAC5C,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACtD,OAAO,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAAE,EAAE,EAAE,MAAM,oBAAoB,CAAC;AAExC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAezC,MAAM,OAAO,MAAM;IACR,QAAQ,CAAW;IACnB,KAAK,CAAQ;IACb,SAAS,CAAY;IACrB,OAAO,CAAU;IACjB,UAAU,CAAa;IACvB,OAAO,CAAU;IACjB,KAAK,CAAQ;IACb,OAAO,CAAU;IACjB,IAAI,CAAO;IACX,SAAS,CAAY;IACrB,EAAE,CAAK;IACP,KAAK,CAAM;IACX,IAAI,CAAO;IACX,YAAY,CAAe;IAC3B,OAAO,CAAU;IACjB,IAAI,CAAO;IACX,KAAK,CAAQ;IACb,SAAS,CAAY;IACrB,KAAK,CAAQ;IACb,MAAM,CAAS;IACf,EAAE,CAAK;IAEP,OAAO,CAAS;IAEzB,YAAY,IAAmB;QAC7B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,UAAU,CAClB,mCAAmC,EACnC,qBAAqB,CACtB,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;YACtD,MAAM,IAAI,UAAU,CAClB,mDAAmD,EACnD,qBAAqB,CACtB,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACtB,MAAM,IAAI,UAAU,CAClB,gKAAgK,EAChK,qBAAqB,CACtB,CAAC;QACJ,CAAC;QACD,IACE,OAAO,IAAI,CAAC,WAAW,CAAC,OAAO,KAAK,UAAU;YAC9C,OAAO,IAAI,CAAC,WAAW,CAAC,UAAU,KAAK,UAAU,EACjD,CAAC;YACD,MAAM,IAAI,UAAU,CAClB,+EAA+E,EAC/E,qBAAqB,CACtB,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAiB;YAC3B,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC;YACtD,WAAW,EAAE,IAAI,CAAC,WAAW;SAC9B,CAAC;QACF,MAAM,MAAM,GAAW,WAAW,CAAC,MAAM,CAAC,CAAC;QAC3C,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC;QACtB,IAAI,CAAC,QAAQ,GAAG,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,CAAC,UAAU,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7B,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,CAAC,EAAE,GAAG,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;QACzB,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,OAAO,EAAE;YACnC,KAAK,EAAE,IAAI,CAAC,EAAE;YACd,UAAU,EAAE,KAAK;SAClB,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7B,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,CAAC,OAAO,GAAG,IAAI,OAAO,CAAC,MAAM,CAAC,CAAC;QACnC,IAAI,CAAC,IAAI,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,CAAC;QAC7B,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;QACvC,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,IAAI,CAAC,MAAM,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,CAAC;QACjC,IAAI,CAAC,EAAE,GAAG,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC;IAC3B,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,OAAO,CAAC,EAAW;QACvB,IAAI,UAAU,GAAG,EAAE,CAAC;QACpB,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,gBAAgB,CAAC;YACzD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,UAAU,CAClB,yIAAyI,EACzI,2BAA2B,CAC5B,CAAC;YACJ,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YAC3D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAI,UAAU,CAClB,yIAAyI,EACzI,2BAA2B,CAC5B,CAAC;YACJ,CAAC;YACD,UAAU,GAAG,MAAM,CAAC;QACtB,CAAC;QACD,OAAO,IAAI,YAAY,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAC1D,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,UAAU,CAAC,EAAU;QACzB,MAAM,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC5B,OAAO,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1B,CAAC;CACF;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,KAAK,CAAC,MAAqC;IACzD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,MAAM,CAAC,IAAmB;IACxC,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,OAAO,EACL,WAAW,EACX,eAAe,EACf,eAAe,EACf,YAAY,EACZ,QAAQ,EACR,YAAY,EACZ,UAAU,EACV,iBAAiB,EACjB,aAAa,EACb,iBAAiB,EACjB,iBAAiB,EACjB,cAAc,EACd,UAAU,EACV,cAAc,EACd,YAAY,EACZ,aAAa,EACb,sBAAsB,GACvB,MAAM,aAAa,CAAC;AAMrB,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAIvC,OAAO,EACL,sBAAsB,EACtB,0BAA0B,EAC1B,wBAAwB,EACxB,sBAAsB,GACvB,MAAM,qBAAqB,CAAC;AAM7B,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EACL,EAAE,EACF,WAAW,EACX,wBAAwB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,qBAAqB,EACrB,4BAA4B,EAC5B,sBAAsB,EACtB,4BAA4B,EAC5B,0BAA0B,EAC1B,2BAA2B,EAC3B,eAAe,EACf,sBAAsB,GACvB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC"}
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
/** CI/OIDC federation namespace and canonical delegation helpers. */
|
|
2
|
+
import type { Client } from "../kernel.js";
|
|
3
|
+
import type { PlanRequest, ReleaseSpec } from "./deploy.types.js";
|
|
4
|
+
import type { CiBindingRow, CiCreateBindingInput, CiDelegationValues, CiListBindingsInput, CiListBindingsResult, CiTokenExchangeInput, CiTokenExchangeResponse, NormalizedCiDelegationValues } from "./ci.types.js";
|
|
5
|
+
export { CI_AUDIENCE, CI_GITHUB_ACTIONS_ISSUER, CI_GITHUB_ACTIONS_PROVIDER, DEFAULT_CI_DELEGATION_CHAIN_ID, V1_CI_ALLOWED_ACTIONS, V1_CI_ALLOWED_EVENTS_DEFAULT, } from "./ci.types.js";
|
|
6
|
+
export declare class Ci {
|
|
7
|
+
private readonly client;
|
|
8
|
+
constructor(client: Client);
|
|
9
|
+
createBinding(input: CiCreateBindingInput): Promise<CiBindingRow>;
|
|
10
|
+
listBindings(input: CiListBindingsInput): Promise<CiListBindingsResult>;
|
|
11
|
+
getBinding(bindingId: string): Promise<CiBindingRow>;
|
|
12
|
+
revokeBinding(bindingId: string): Promise<CiBindingRow>;
|
|
13
|
+
exchangeToken(input: CiTokenExchangeInput): Promise<CiTokenExchangeResponse>;
|
|
14
|
+
}
|
|
15
|
+
export declare function normalizeCiDelegationValues(values: CiDelegationValues): NormalizedCiDelegationValues;
|
|
16
|
+
export declare function buildCiDelegationStatement(values: CiDelegationValues): string;
|
|
17
|
+
export declare function buildCiDelegationResourceUri(values: CiDelegationValues): string;
|
|
18
|
+
export declare function validateCiSubjectMatch(subject: string): string;
|
|
19
|
+
export declare function validateCiNonce(nonce: string): string;
|
|
20
|
+
export declare function assertCiDeployableSpec(specOrPlanBody: ReleaseSpec | PlanRequest | unknown): void;
|
|
21
|
+
//# sourceMappingURL=ci.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ci.d.ts","sourceRoot":"","sources":["../../src/namespaces/ci.ts"],"names":[],"mappings":"AAAA,qEAAqE;AAErE,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAE3C,OAAO,KAAK,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAClE,OAAO,KAAK,EACV,YAAY,EACZ,oBAAoB,EACpB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,oBAAoB,EAEpB,uBAAuB,EACvB,4BAA4B,EAC7B,MAAM,eAAe,CAAC;AAUvB,OAAO,EACL,WAAW,EACX,wBAAwB,EACxB,0BAA0B,EAC1B,8BAA8B,EAC9B,qBAAqB,EACrB,4BAA4B,GAC7B,MAAM,eAAe,CAAC;AAkBvB,qBAAa,EAAE;IACD,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,MAAM;IAErC,aAAa,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,YAAY,CAAC;IA+BjE,YAAY,CAAC,KAAK,EAAE,mBAAmB,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAcvE,UAAU,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAUpD,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAUvD,aAAa,CAAC,KAAK,EAAE,oBAAoB,GAAG,OAAO,CAAC,uBAAuB,CAAC;CAoBnF;AAED,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,kBAAkB,GACzB,4BAA4B,CA4B9B;AAED,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CA2B7E;AAED,wBAAgB,4BAA4B,CAAC,MAAM,EAAE,kBAAkB,GAAG,MAAM,CAuB/E;AAED,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CA6B9D;AAED,wBAAgB,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAQrD;AAED,wBAAgB,sBAAsB,CAAC,cAAc,EAAE,WAAW,GAAG,WAAW,GAAG,OAAO,GAAG,IAAI,CA4BhG"}
|
|
@@ -0,0 +1,253 @@
|
|
|
1
|
+
/** CI/OIDC federation namespace and canonical delegation helpers. */
|
|
2
|
+
import { LocalError, Run402DeployError } from "../errors.js";
|
|
3
|
+
import { CI_AUDIENCE, CI_GITHUB_ACTIONS_ISSUER, CI_GITHUB_ACTIONS_PROVIDER, } from "./ci.types.js";
|
|
4
|
+
export { CI_AUDIENCE, CI_GITHUB_ACTIONS_ISSUER, CI_GITHUB_ACTIONS_PROVIDER, DEFAULT_CI_DELEGATION_CHAIN_ID, V1_CI_ALLOWED_ACTIONS, V1_CI_ALLOWED_EVENTS_DEFAULT, } from "./ci.types.js";
|
|
5
|
+
const TOKEN_EXCHANGE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange";
|
|
6
|
+
const TOKEN_EXCHANGE_SUBJECT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt";
|
|
7
|
+
const MAX_SUBJECT_MATCH_CHARS = 256;
|
|
8
|
+
const MAX_RESOURCE_URI_BYTES = 4096;
|
|
9
|
+
const MAX_STATEMENT_BYTES = 8192;
|
|
10
|
+
const NONCE_RE = /^[0-9a-f]{16,64}$/;
|
|
11
|
+
const CI_DEPLOY_SPEC_ALLOWED_KEYS = new Set([
|
|
12
|
+
"project",
|
|
13
|
+
"database",
|
|
14
|
+
"functions",
|
|
15
|
+
"site",
|
|
16
|
+
"base",
|
|
17
|
+
]);
|
|
18
|
+
export class Ci {
|
|
19
|
+
client;
|
|
20
|
+
constructor(client) {
|
|
21
|
+
this.client = client;
|
|
22
|
+
}
|
|
23
|
+
async createBinding(input) {
|
|
24
|
+
if (input?.provider !== CI_GITHUB_ACTIONS_PROVIDER) {
|
|
25
|
+
throw new LocalError('ci.createBinding provider must be "github-actions" in v1', "creating CI binding");
|
|
26
|
+
}
|
|
27
|
+
if (!input.signed_delegation) {
|
|
28
|
+
throw new LocalError("ci.createBinding requires signed_delegation", "creating CI binding");
|
|
29
|
+
}
|
|
30
|
+
const values = normalizeCiDelegationValues(input);
|
|
31
|
+
return this.client.request("/ci/v1/bindings", {
|
|
32
|
+
method: "POST",
|
|
33
|
+
body: {
|
|
34
|
+
project_id: values.project_id,
|
|
35
|
+
provider: input.provider,
|
|
36
|
+
subject_match: values.subject_match,
|
|
37
|
+
allowed_actions: values.allowed_actions,
|
|
38
|
+
allowed_events: values.allowed_events,
|
|
39
|
+
github_repository_id: values.github_repository_id,
|
|
40
|
+
expires_at: values.expires_at,
|
|
41
|
+
nonce: values.nonce,
|
|
42
|
+
signed_delegation: input.signed_delegation,
|
|
43
|
+
},
|
|
44
|
+
context: "creating CI binding",
|
|
45
|
+
});
|
|
46
|
+
}
|
|
47
|
+
async listBindings(input) {
|
|
48
|
+
if (!input?.project) {
|
|
49
|
+
throw new LocalError("ci.listBindings requires { project }", "listing CI bindings");
|
|
50
|
+
}
|
|
51
|
+
const qs = new URLSearchParams({ project: input.project });
|
|
52
|
+
return this.client.request(`/ci/v1/bindings?${qs.toString()}`, { context: "listing CI bindings" });
|
|
53
|
+
}
|
|
54
|
+
async getBinding(bindingId) {
|
|
55
|
+
if (!bindingId) {
|
|
56
|
+
throw new LocalError("ci.getBinding requires a binding id", "getting CI binding");
|
|
57
|
+
}
|
|
58
|
+
return this.client.request(`/ci/v1/bindings/${encodeURIComponent(bindingId)}`, { context: "getting CI binding" });
|
|
59
|
+
}
|
|
60
|
+
async revokeBinding(bindingId) {
|
|
61
|
+
if (!bindingId) {
|
|
62
|
+
throw new LocalError("ci.revokeBinding requires a binding id", "revoking CI binding");
|
|
63
|
+
}
|
|
64
|
+
return this.client.request(`/ci/v1/bindings/${encodeURIComponent(bindingId)}/revoke`, { method: "POST", context: "revoking CI binding" });
|
|
65
|
+
}
|
|
66
|
+
async exchangeToken(input) {
|
|
67
|
+
if (!input?.project_id || !input.subject_token) {
|
|
68
|
+
throw new LocalError("ci.exchangeToken requires { project_id, subject_token }", "exchanging CI OIDC token");
|
|
69
|
+
}
|
|
70
|
+
const body = {
|
|
71
|
+
grant_type: TOKEN_EXCHANGE_GRANT_TYPE,
|
|
72
|
+
subject_token: input.subject_token,
|
|
73
|
+
subject_token_type: TOKEN_EXCHANGE_SUBJECT_TOKEN_TYPE,
|
|
74
|
+
project_id: input.project_id,
|
|
75
|
+
};
|
|
76
|
+
return this.client.request("/ci/v1/token-exchange", {
|
|
77
|
+
method: "POST",
|
|
78
|
+
body,
|
|
79
|
+
withAuth: false,
|
|
80
|
+
context: "exchanging CI OIDC token",
|
|
81
|
+
});
|
|
82
|
+
}
|
|
83
|
+
}
|
|
84
|
+
export function normalizeCiDelegationValues(values) {
|
|
85
|
+
if (!values || typeof values !== "object") {
|
|
86
|
+
throw new LocalError("CI delegation values must be an object", "validating CI delegation");
|
|
87
|
+
}
|
|
88
|
+
if (!values.project_id) {
|
|
89
|
+
throw new LocalError("CI delegation project_id is required", "validating CI delegation");
|
|
90
|
+
}
|
|
91
|
+
const subject_match = validateCiSubjectMatch(values.subject_match);
|
|
92
|
+
const nonce = validateCiNonce(values.nonce);
|
|
93
|
+
const allowed_actions = normalizeAllowedActions(values.allowed_actions);
|
|
94
|
+
const allowed_events = normalizeAllowedList(values.allowed_events, "allowed_events");
|
|
95
|
+
if (allowed_events.length === 0) {
|
|
96
|
+
throw new LocalError("CI delegation allowed_events must contain at least one event", "validating CI delegation");
|
|
97
|
+
}
|
|
98
|
+
return {
|
|
99
|
+
project_id: values.project_id,
|
|
100
|
+
issuer: values.issuer ?? CI_GITHUB_ACTIONS_ISSUER,
|
|
101
|
+
audience: values.audience ?? CI_AUDIENCE,
|
|
102
|
+
subject_match,
|
|
103
|
+
allowed_actions,
|
|
104
|
+
allowed_events,
|
|
105
|
+
expires_at: values.expires_at ?? null,
|
|
106
|
+
github_repository_id: values.github_repository_id ?? null,
|
|
107
|
+
nonce,
|
|
108
|
+
};
|
|
109
|
+
}
|
|
110
|
+
export function buildCiDelegationStatement(values) {
|
|
111
|
+
const v = normalizeCiDelegationValues(values);
|
|
112
|
+
const statement = [
|
|
113
|
+
`Authorize GitHub Actions workflows whose OIDC subject matches ${v.subject_match} to deploy to run402 project ${v.project_id}.`,
|
|
114
|
+
"",
|
|
115
|
+
"The workflows can:",
|
|
116
|
+
" - deploy function code that runs with this project's runtime authority, including the project's service-role key, the adminDb() bypass-RLS surface, and configured runtime secrets read via process.env;",
|
|
117
|
+
" - deploy database migrations, RLS/expose changes, and schema-altering SQL via spec.database.",
|
|
118
|
+
"",
|
|
119
|
+
"The workflows cannot directly call secrets, domain, subdomain, lifecycle, billing, contracts, or faucet endpoints. They cannot ship spec.secrets, spec.subdomains, spec.routes, spec.checks, or non-current spec.base.",
|
|
120
|
+
"",
|
|
121
|
+
`Audience: ${v.audience}`,
|
|
122
|
+
`Allowed events: ${v.allowed_events.join(",")}`,
|
|
123
|
+
`Repository ID: ${v.github_repository_id ?? "none-soft-bound"}`,
|
|
124
|
+
`Expires: ${v.expires_at ?? "never"}`,
|
|
125
|
+
`Nonce: ${v.nonce}`,
|
|
126
|
+
"",
|
|
127
|
+
"Revoke at any time via the run402 CLI or POST /ci/v1/bindings/:id/revoke. Revocation stops future CI gateway requests but does not undo already-deployed code, stop in-flight deploy operations, rotate exfiltrated keys, or remove deployed functions. Recovery from a compromise: revoke the binding, then SIWE-deploy a known-good release that overwrites the malicious code, and rotate any service-role key the deployed code may have read.",
|
|
128
|
+
].join("\n");
|
|
129
|
+
if (new TextEncoder().encode(statement).byteLength > MAX_STATEMENT_BYTES) {
|
|
130
|
+
throw new LocalError(`CI delegation Statement exceeds ${MAX_STATEMENT_BYTES} bytes`, "building CI delegation statement");
|
|
131
|
+
}
|
|
132
|
+
return statement;
|
|
133
|
+
}
|
|
134
|
+
export function buildCiDelegationResourceUri(values) {
|
|
135
|
+
const v = normalizeCiDelegationValues(values);
|
|
136
|
+
const parts = [
|
|
137
|
+
`project_id=${encodeRfc3986(v.project_id)}`,
|
|
138
|
+
`issuer=${encodeRfc3986(v.issuer)}`,
|
|
139
|
+
`audience=${encodeRfc3986(v.audience)}`,
|
|
140
|
+
`subject_match=${encodeRfc3986(v.subject_match)}`,
|
|
141
|
+
`allowed_actions=${v.allowed_actions.map(encodeRfc3986).join(",")}`,
|
|
142
|
+
`allowed_events=${v.allowed_events.map(encodeRfc3986).join(",")}`,
|
|
143
|
+
];
|
|
144
|
+
if (v.expires_at !== null)
|
|
145
|
+
parts.push(`expires_at=${encodeRfc3986(v.expires_at)}`);
|
|
146
|
+
if (v.github_repository_id !== null) {
|
|
147
|
+
parts.push(`github_repository_id=${encodeRfc3986(v.github_repository_id)}`);
|
|
148
|
+
}
|
|
149
|
+
parts.push(`nonce=${encodeRfc3986(v.nonce)}`);
|
|
150
|
+
const uri = `run402-ci-delegation:v1?${parts.join("&")}`;
|
|
151
|
+
if (new TextEncoder().encode(uri).byteLength > MAX_RESOURCE_URI_BYTES) {
|
|
152
|
+
throw new LocalError(`CI delegation Resource URI exceeds ${MAX_RESOURCE_URI_BYTES} bytes`, "building CI delegation resource URI");
|
|
153
|
+
}
|
|
154
|
+
return uri;
|
|
155
|
+
}
|
|
156
|
+
export function validateCiSubjectMatch(subject) {
|
|
157
|
+
if (typeof subject !== "string" || subject.length === 0) {
|
|
158
|
+
throw new LocalError("CI subject_match must be a non-empty string", "validating CI subject");
|
|
159
|
+
}
|
|
160
|
+
if (subject.length > MAX_SUBJECT_MATCH_CHARS) {
|
|
161
|
+
throw new LocalError(`CI subject_match must be ${MAX_SUBJECT_MATCH_CHARS} characters or fewer`, "validating CI subject");
|
|
162
|
+
}
|
|
163
|
+
if (/[\x00-\x1f\x7f]/.test(subject)) {
|
|
164
|
+
throw new LocalError("CI subject_match must not contain control characters", "validating CI subject");
|
|
165
|
+
}
|
|
166
|
+
const firstWildcard = subject.indexOf("*");
|
|
167
|
+
if (firstWildcard >= 0) {
|
|
168
|
+
if (subject === "*") {
|
|
169
|
+
throw new LocalError("CI subject_match cannot be a bare wildcard", "validating CI subject");
|
|
170
|
+
}
|
|
171
|
+
if (firstWildcard !== subject.length - 1) {
|
|
172
|
+
throw new LocalError("CI subject_match wildcard is only allowed as the final character", "validating CI subject");
|
|
173
|
+
}
|
|
174
|
+
if (subject.indexOf("*", firstWildcard + 1) >= 0) {
|
|
175
|
+
throw new LocalError("CI subject_match can contain at most one wildcard", "validating CI subject");
|
|
176
|
+
}
|
|
177
|
+
}
|
|
178
|
+
return subject;
|
|
179
|
+
}
|
|
180
|
+
export function validateCiNonce(nonce) {
|
|
181
|
+
if (typeof nonce !== "string" || !NONCE_RE.test(nonce)) {
|
|
182
|
+
throw new LocalError("CI delegation nonce must be lowercase hex between 16 and 64 characters", "validating CI nonce");
|
|
183
|
+
}
|
|
184
|
+
return nonce;
|
|
185
|
+
}
|
|
186
|
+
export function assertCiDeployableSpec(specOrPlanBody) {
|
|
187
|
+
const { spec, manifestRef } = unwrapSpecOrPlanBody(specOrPlanBody);
|
|
188
|
+
if (manifestRef !== undefined && manifestRef !== null) {
|
|
189
|
+
throwCiDeploySpecError("manifest_ref", "CI deploys must use inline specs under the gateway body cap; manifest_ref is not allowed.");
|
|
190
|
+
}
|
|
191
|
+
if (!spec || typeof spec !== "object" || Array.isArray(spec)) {
|
|
192
|
+
throwCiDeploySpecError("spec", "CI deploy requires a ReleaseSpec object.");
|
|
193
|
+
}
|
|
194
|
+
const obj = spec;
|
|
195
|
+
for (const key of Object.keys(obj)) {
|
|
196
|
+
if (!CI_DEPLOY_SPEC_ALLOWED_KEYS.has(key)) {
|
|
197
|
+
throwCiDeploySpecError(key, `CI deploy cannot ship spec.${key}; only project, database, functions, site, and base:{release:"current"} are allowed.`);
|
|
198
|
+
}
|
|
199
|
+
}
|
|
200
|
+
if (Object.prototype.hasOwnProperty.call(obj, "base") && !isCurrentBase(obj.base)) {
|
|
201
|
+
throwCiDeploySpecError("base", 'CI deploy base must be absent or exactly { release: "current" }.');
|
|
202
|
+
}
|
|
203
|
+
}
|
|
204
|
+
function normalizeAllowedActions(values) {
|
|
205
|
+
const actions = normalizeAllowedList(values, "allowed_actions");
|
|
206
|
+
if (actions.length !== 1 || actions[0] !== "deploy") {
|
|
207
|
+
throw new LocalError('CI delegation allowed_actions must be exactly ["deploy"] in v1', "validating CI delegation");
|
|
208
|
+
}
|
|
209
|
+
return ["deploy"];
|
|
210
|
+
}
|
|
211
|
+
function normalizeAllowedList(values, field) {
|
|
212
|
+
if (!Array.isArray(values)) {
|
|
213
|
+
throw new LocalError(`CI delegation ${field} must be an array`, "validating CI delegation");
|
|
214
|
+
}
|
|
215
|
+
const cleaned = values.map((value) => {
|
|
216
|
+
if (typeof value !== "string" || value.length === 0) {
|
|
217
|
+
throw new LocalError(`CI delegation ${field} must contain only non-empty strings`, "validating CI delegation");
|
|
218
|
+
}
|
|
219
|
+
return value;
|
|
220
|
+
});
|
|
221
|
+
return Array.from(new Set(cleaned)).sort();
|
|
222
|
+
}
|
|
223
|
+
function encodeRfc3986(value) {
|
|
224
|
+
return encodeURIComponent(value).replace(/[!'()*]/g, (char) => `%${char.charCodeAt(0).toString(16).toUpperCase()}`);
|
|
225
|
+
}
|
|
226
|
+
function unwrapSpecOrPlanBody(value) {
|
|
227
|
+
if (value &&
|
|
228
|
+
typeof value === "object" &&
|
|
229
|
+
!Array.isArray(value) &&
|
|
230
|
+
"spec" in value &&
|
|
231
|
+
!("project" in value)) {
|
|
232
|
+
const body = value;
|
|
233
|
+
return { spec: body.spec, manifestRef: body.manifest_ref };
|
|
234
|
+
}
|
|
235
|
+
return { spec: value };
|
|
236
|
+
}
|
|
237
|
+
function isCurrentBase(value) {
|
|
238
|
+
if (!value || typeof value !== "object" || Array.isArray(value))
|
|
239
|
+
return false;
|
|
240
|
+
const obj = value;
|
|
241
|
+
const keys = Object.keys(obj);
|
|
242
|
+
return keys.length === 1 && obj.release === "current";
|
|
243
|
+
}
|
|
244
|
+
function throwCiDeploySpecError(resource, message) {
|
|
245
|
+
throw new Run402DeployError(message, {
|
|
246
|
+
code: "forbidden_spec_field",
|
|
247
|
+
phase: "validate",
|
|
248
|
+
resource,
|
|
249
|
+
retryable: false,
|
|
250
|
+
context: "validating CI deploy spec",
|
|
251
|
+
});
|
|
252
|
+
}
|
|
253
|
+
//# sourceMappingURL=ci.js.map
|