thumbgate 1.4.3 → 1.4.4

package/scripts/rotate-stripe-webhook-secret.js

@@ -1,314 +0,0 @@
-#!/usr/bin/env node
-'use strict';
-
-const https = require('node:https');
-const fs = require('node:fs');
-const path = require('node:path');
-const { spawnSync } = require('node:child_process');
-
-const DEFAULT_ENDPOINT_URL = 'https://thumbgate-production.up.railway.app/v1/billing/webhook';
-const REQUIRED_EVENTS = ['checkout.session.completed', 'customer.subscription.deleted'];
-const FIXED_GH_BINARIES = ['/usr/bin/gh', '/usr/local/bin/gh', '/opt/homebrew/bin/gh'];
-const SECRET_PATTERN = /\b(?:sk|rk)_(?:live|test)_\w+|\bwhsec_\w+/g;
-
-function redact(value) {
-  return String(value || '').replaceAll(SECRET_PATTERN, '[REDACTED]');
-}
-
-function encodeForm(params) {
-  const pairs = [];
-  for (const [key, value] of Object.entries(params || {})) {
-    if (Array.isArray(value)) {
-      for (const item of value) {
-        const arrayKey = `${key}[]`;
-        pairs.push(`${encodeURIComponent(arrayKey)}=${encodeURIComponent(String(item))}`);
-      }
-      continue;
-    }
-    if (value !== undefined && value !== null) {
-      pairs.push(`${encodeURIComponent(key)}=${encodeURIComponent(String(value))}`);
-    }
-  }
-  return pairs.join('&');
-}
-
-function assertLiveStripeKey(apiKey, requireLive = true) {
-  if (!apiKey) {
-    throw new Error('STRIPE_SECRET_KEY is required.');
-  }
-  if (requireLive && !/^(sk|rk)_live_/.test(apiKey)) {
-    throw new Error('Refusing to rotate production webhook with a non-live Stripe key.');
-  }
-}
-
-function stripeRequest({ method = 'GET', path, apiKey, body, request = https.request }) {
-  return new Promise((resolve, reject) => {
-    const payload = body ? encodeForm(body) : '';
-    const req = request({
-      hostname: 'api.stripe.com',
-      path,
-      method,
-      headers: {
-        Authorization: `Bearer ${apiKey}`,
-        'Content-Type': 'application/x-www-form-urlencoded',
-        'Content-Length': Buffer.byteLength(payload),
-      },
-    }, (res) => {
-      let raw = '';
-      res.setEncoding('utf8');
-      res.on('data', (chunk) => { raw += chunk; });
-      res.on('end', () => {
-        let parsed = {};
-        try {
-          parsed = raw ? JSON.parse(raw) : {};
-        } catch {
-          reject(new Error(`Stripe returned non-JSON response (${res.statusCode}): ${redact(raw)}`));
-          return;
-        }
-        if (res.statusCode < 200 || res.statusCode >= 300) {
-          const message = parsed.error?.message ? parsed.error.message : raw;
-          reject(new Error(`Stripe API ${method} ${path} failed (${res.statusCode}): ${redact(message)}`));
-          return;
-        }
-        resolve(parsed);
-      });
-    });
-    req.on('error', reject);
-    req.end(payload);
-  });
-}
-
-async function listWebhookEndpoints(apiKey, options = {}) {
-  const requestStripe = options.stripeRequest || stripeRequest;
-  const endpoints = [];
-  let startingAfter = '';
-  for (;;) {
-    const suffix = startingAfter
-      ? `&starting_after=${encodeURIComponent(startingAfter)}`
-      : '';
-    const response = await requestStripe({
-      apiKey,
-      path: `/v1/webhook_endpoints?limit=100${suffix}`,
-    });
-    endpoints.push(...(Array.isArray(response.data) ? response.data : []));
-    if (!response.has_more || endpoints.length === 0) {
-      return endpoints;
-    }
-    startingAfter = endpoints.at(-1).id;
-  }
-}
-
-async function createWebhookEndpoint({ apiKey, endpointUrl, timestamp, stripeRequest: requestStripe = stripeRequest }) {
-  const endpoint = await requestStripe({
-    method: 'POST',
-    path: '/v1/webhook_endpoints',
-    apiKey,
-    body: {
-      url: endpointUrl,
-      enabled_events: REQUIRED_EVENTS,
-      description: `ThumbGate billing webhook rotated ${timestamp}`,
-    },
-  });
-  if (!endpoint.id || !endpoint.secret) {
-    throw new Error('Stripe webhook endpoint creation did not return both id and signing secret.');
-  }
-  return endpoint;
-}
-
-async function disableWebhookEndpoint({ apiKey, endpointId, stripeRequest: requestStripe = stripeRequest }) {
-  return requestStripe({
-    method: 'POST',
-    path: `/v1/webhook_endpoints/${encodeURIComponent(endpointId)}`,
-    apiKey,
-    body: { disabled: true },
-  });
-}
-
-function resolveGhBinary(options = {}) {
-  const accessSync = options.accessSync || fs.accessSync;
-  const candidates = options.candidates || FIXED_GH_BINARIES;
-
-  for (const candidate of candidates) {
-    try {
-      accessSync(candidate, fs.constants.X_OK);
-      return candidate;
-    } catch {
-      // Try the next fixed, system-owned path.
-    }
-  }
-
-  throw new Error(`Unable to locate GH CLI in fixed paths: ${candidates.join(', ')}`);
-}
-
-function runGh(args, { token, input, ghBinary, accessSync, spawnSyncImpl = spawnSync } = {}) {
-  const result = spawnSyncImpl(ghBinary || resolveGhBinary({ accessSync }), args, {
-    input,
-    encoding: 'utf8',
-    env: {
-      ...process.env,
-      GH_TOKEN: token || process.env.GH_TOKEN || process.env.GITHUB_TOKEN || '',
-    },
-  });
-  if (result.status !== 0) {
-    throw new Error(`gh ${args.join(' ')} failed: ${redact(result.stderr || result.stdout)}`);
-  }
-  return result.stdout.trim();
-}
-
-function getSecretUpdatedAt({ repo, token, secretName, runner = runGh }) {
-  return runner([
-    'api',
-    `repos/${repo}/actions/secrets/${secretName}`,
-    '--jq',
-    '.updated_at',
-  ], { token });
-}
-
-function setGithubSecret({ repo, token, name, value, runner = runGh }) {
-  runner(['secret', 'set', name, '--repo', repo], { token, input: value });
-}
-
-function setGithubVariable({ repo, token, name, value, runner = runGh }) {
-  runner(['variable', 'set', name, '--repo', repo, '--body', value], { token });
-}
-
-function findSameUrlEndpoints(endpoints, endpointUrl, excludeId) {
-  return endpoints.filter((endpoint) => endpoint?.id
-    && endpoint.id !== excludeId
-    && endpoint?.url === endpointUrl
-    && endpoint?.status !== 'disabled');
-}
-
-function resolveRequireLiveStripeKey(options) {
-  if (Object.hasOwn(options, 'requireLive')) {
-    return options.requireLive;
-  }
-  const envModes = {
-    false: false,
-    true: true,
-  };
-  return envModes[process.env.REQUIRE_LIVE_STRIPE_KEY] ?? true;
-}
-
-async function rotateStripeWebhookSecret(options = {}) {
-  const endpointUrl = options.endpointUrl || process.env.STRIPE_WEBHOOK_ENDPOINT_URL || DEFAULT_ENDPOINT_URL;
-  const repo = Object.hasOwn(options, 'repo') ? options.repo : process.env.GITHUB_REPOSITORY;
-  const stripeKey = options.stripeKey || process.env.STRIPE_SECRET_KEY;
-  const githubToken = options.githubToken || process.env.GH_ADMIN_TOKEN || process.env.THUMBGATE_MAINTENANCE_GH_TOKEN;
-  const timestamp = options.timestamp || new Date().toISOString();
-  const requireLive = resolveRequireLiveStripeKey(options);
-  const dryRun = options.dryRun === true || process.env.DRY_RUN === 'true';
-  const stripe = {
-    listWebhookEndpoints: options.listWebhookEndpoints || listWebhookEndpoints,
-    createWebhookEndpoint: options.createWebhookEndpoint || createWebhookEndpoint,
-    disableWebhookEndpoint: options.disableWebhookEndpoint || disableWebhookEndpoint,
-  };
-  const github = {
-    getSecretUpdatedAt: options.getSecretUpdatedAt || getSecretUpdatedAt,
-    setGithubSecret: options.setGithubSecret || setGithubSecret,
-    setGithubVariable: options.setGithubVariable || setGithubVariable,
-  };
-
-  assertLiveStripeKey(stripeKey, requireLive);
-  if (!repo) {
-    throw new Error('GITHUB_REPOSITORY is required.');
-  }
-  if (dryRun || githubToken) {
-    // Dry runs only need Stripe read access; real rotations also need GitHub secret write access.
-  } else {
-    throw new Error('THUMBGATE_MAINTENANCE_GH_TOKEN is required to update GitHub Secrets and Variables.');
-  }
-
-  const before = await stripe.listWebhookEndpoints(stripeKey);
-  const replacementCandidates = findSameUrlEndpoints(before, endpointUrl);
-  if (dryRun) {
-    return {
-      dryRun: true,
-      endpointUrl,
-      matchingEnabledEndpoints: replacementCandidates.map((endpoint) => endpoint.id),
-      requiredEvents: REQUIRED_EVENTS,
-    };
-  }
-
-  const endpoint = await stripe.createWebhookEndpoint({ apiKey: stripeKey, endpointUrl, timestamp });
-  github.setGithubSecret({
-    repo,
-    token: githubToken,
-    name: 'STRIPE_WEBHOOK_SECRET',
-    value: endpoint.secret,
-  });
-  github.setGithubVariable({
-    repo,
-    token: githubToken,
-    name: 'STRIPE_WEBHOOK_SECRET_ROTATED_AT',
-    value: timestamp,
-  });
-
-  const stripeSecretUpdatedAt = github.getSecretUpdatedAt({
-    repo,
-    token: githubToken,
-    secretName: 'STRIPE_SECRET_KEY',
-  });
-  if (stripeSecretUpdatedAt) {
-    github.setGithubVariable({
-      repo,
-      token: githubToken,
-      name: 'STRIPE_SECRET_KEY_ROTATED_AT',
-      value: stripeSecretUpdatedAt,
-    });
-  }
-
-  const disabledEndpointIds = [];
-  for (const oldEndpoint of findSameUrlEndpoints(before, endpointUrl, endpoint.id)) {
-    await stripe.disableWebhookEndpoint({ apiKey: stripeKey, endpointId: oldEndpoint.id });
-    disabledEndpointIds.push(oldEndpoint.id);
-  }
-
-  return {
-    dryRun: false,
-    endpointUrl,
-    newEndpointId: endpoint.id,
-    disabledEndpointIds,
-    requiredEvents: REQUIRED_EVENTS,
-    rotatedAt: timestamp,
-    stripeSecretKeyRotatedAt: stripeSecretUpdatedAt || null,
-  };
-}
-
-async function main() {
-  try {
-    const result = await rotateStripeWebhookSecret();
-    process.stdout.write(`${JSON.stringify(result, null, 2)}\n`);
-  } catch (err) {
-    process.stderr.write(`${redact(err?.message ? err.message : err)}\n`);
-    process.exit(1);
-  }
-}
-
-function isCliInvocation(argv = process.argv) {
-  return path.resolve(argv[1] || '') === __filename;
-}
-
-if (isCliInvocation()) {
-  main();
-}
-
-module.exports = {
-  DEFAULT_ENDPOINT_URL,
-  REQUIRED_EVENTS,
-  assertLiveStripeKey,
-  createWebhookEndpoint,
-  disableWebhookEndpoint,
-  encodeForm,
-  findSameUrlEndpoints,
-  getSecretUpdatedAt,
-  listWebhookEndpoints,
-  redact,
-  resolveGhBinary,
-  resolveRequireLiveStripeKey,
-  rotateStripeWebhookSecret,
-  runGh,
-  setGithubSecret,
-  setGithubVariable,
-  stripeRequest,
-};

package/scripts/schedule-manager.js

@@ -1,249 +0,0 @@
-#!/usr/bin/env node
-'use strict';
-
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const { execSync } = require('child_process');
-const { buildAgenticDataPipelineJobSpec } = require('./agentic-data-pipeline');
-const { ensureDir } = require('./fs-utils');
-
-const SCHEDULES_DIR = path.join(os.homedir(), '.thumbgate', 'schedules');
-const PLIST_PREFIX = 'com.thumbgate.schedule';
-
-
-function escapePlistString(value) {
-  return String(value || '')
-    .replace(/&/g, '&')
-    .replace(/</g, '&lt;')
-    .replace(/>/g, '&gt;')
-    .replace(/"/g, '&quot;')
-    .replace(/'/g, '&#39;');
-}
-
-/**
- * Parse a simple cron-like spec into LaunchAgent calendar intervals
- * Supports: "daily 9:00", "weekly monday 8:30", "hourly", "every 6h"
- */
-function parseCronSpec(spec) {
-  const s = spec.toLowerCase().trim();
-
-  if (s === 'hourly') {
-    return { Minute: 0 };
-  }
-
-  const everyHMatch = s.match(/^every\s+(\d+)\s*h/);
-  if (everyHMatch) {
-    return { Minute: 0 }; // LaunchAgent doesn't support "every Nh" natively, use hourly
-  }
-
-  const dailyMatch = s.match(/^daily\s+(\d{1,2}):(\d{2})$/);
-  if (dailyMatch) {
-    return { Hour: parseInt(dailyMatch[1]), Minute: parseInt(dailyMatch[2]) };
-  }
-
-  const weeklyMatch = s.match(/^weekly\s+(monday|tuesday|wednesday|thursday|friday|saturday|sunday)\s+(\d{1,2}):(\d{2})$/);
-  if (weeklyMatch) {
-    const dayMap = { sunday: 0, monday: 1, tuesday: 2, wednesday: 3, thursday: 4, friday: 5, saturday: 6 };
-    return {
-      Weekday: dayMap[weeklyMatch[1]],
-      Hour: parseInt(weeklyMatch[2]),
-      Minute: parseInt(weeklyMatch[3]),
-    };
-  }
-
-  // Fallback: try to parse as "HH:MM" (daily)
-  const timeMatch = s.match(/^(\d{1,2}):(\d{2})$/);
-  if (timeMatch) {
-    return { Hour: parseInt(timeMatch[1]), Minute: parseInt(timeMatch[2]) };
-  }
-
-  return null;
-}
-
-function generatePlist(schedule) {
-  const label = escapePlistString(`${PLIST_PREFIX}.${schedule.id}`);
-  const interval = schedule.calendarInterval;
-
-  let intervalXml = '<dict>\n';
-  for (const [key, value] of Object.entries(interval)) {
-    intervalXml += `        <key>${key}</key>\n        <integer>${value}</integer>\n`;
-  }
-  intervalXml += '    </dict>';
-
-  const logDir = escapePlistString(path.join(os.homedir(), '.thumbgate', 'logs'));
-  const workingDirectory = escapePlistString(schedule.workingDirectory || os.homedir());
-  const command = escapePlistString(schedule.command);
-  const homeDir = escapePlistString(os.homedir());
-  const escapedScheduleId = escapePlistString(schedule.id);
-
-  return `<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-    <key>Label</key>
-    <string>${label}</string>
-    <key>ProgramArguments</key>
-    <array>
-        <string>${process.execPath}</string>
-        <string>-e</string>
-        <string>${command}</string>
-    </array>
-    <key>WorkingDirectory</key>
-    <string>${workingDirectory}</string>
-    <key>StartCalendarInterval</key>
-    ${intervalXml}
-    <key>StandardOutPath</key>
-    <string>${logDir}/schedule-${escapedScheduleId}.log</string>
-    <key>StandardErrorPath</key>
-    <string>${logDir}/schedule-${escapedScheduleId}-error.log</string>
-    <key>EnvironmentVariables</key>
-    <dict>
-        <key>PATH</key>
-        <string>/usr/local/bin:/opt/homebrew/bin:/usr/bin:/bin</string>
-        <key>HOME</key>
-        <string>${homeDir}</string>
-    </dict>
-</dict>
-</plist>`;
-}
-
-function buildManagedScheduleCommand(params = {}) {
-  if (!params.jobFile) {
-    throw new Error('buildManagedScheduleCommand requires jobFile');
-  }
-
-  const runnerPath = path.join(__dirname, 'async-job-runner.js');
-  const jobFile = path.resolve(params.jobFile);
-  const autoResume = params.autoResume !== false;
-
-  return [
-    `const runner = require(${JSON.stringify(runnerPath)});`,
-    `const result = runner.runJobFromFile(${JSON.stringify(jobFile)}, ${JSON.stringify({ autoResume })});`,
-    'process.stdout.write(JSON.stringify(result, null, 2) + "\\n");',
-    'if (["failed", "cancelled"].includes(result.status)) process.exit(1);',
-  ].join(' ');
-}
-
-function buildAgenticDataPipelineSchedule(params = {}) {
-  const id = params.id || params.name || 'agentic-data-pipeline';
-  const jobFile = path.resolve(
-    params.jobFile || path.join(SCHEDULES_DIR, `${id}.job.json`)
-  );
-  const jobSpec = buildAgenticDataPipelineJobSpec({
-    jobId: id,
-    feedbackDir: params.feedbackDir,
-    outDir: params.outDir,
-    window: params.window,
-    liveBilling: params.liveBilling,
-    recordWorkflowRun: params.recordWorkflowRun,
-  });
-
-  return {
-    id,
-    jobFile,
-    jobSpec,
-    command: buildManagedScheduleCommand({
-      jobFile,
-      autoResume: params.autoResume !== false,
-    }),
-  };
-}
-
-function createSchedule(params) {
-  ensureDir(SCHEDULES_DIR);
-
-  const id = params.id || params.name || `sched_${Date.now()}`;
-  const calendarInterval = parseCronSpec(params.schedule);
-  if (!calendarInterval) {
-    return { success: false, error: `Cannot parse schedule: "${params.schedule}". Use formats like "daily 9:00", "weekly monday 8:30", "hourly"` };
-  }
-
-  const jobFile = params.jobFile ? path.resolve(params.jobFile) : null;
-  const command = params.command || (jobFile ? buildManagedScheduleCommand({
-    jobFile,
-    autoResume: params.autoResume !== false,
-  }) : null);
-
-  if (!command) {
-    return { success: false, error: 'Schedule requires command or jobFile' };
-  }
-
-  const schedule = {
-    id,
-    name: params.name || id,
-    description: params.description || '',
-    schedule: params.schedule,
-    command,
-    jobFile,
-    resumePolicy: jobFile ? (params.autoResume !== false ? 'auto_resume' : 'fresh_only') : null,
-    workingDirectory: params.workingDirectory || (jobFile ? path.dirname(jobFile) : process.cwd()),
-    calendarInterval,
-    createdAt: new Date().toISOString(),
-  };
-
-  // Save schedule metadata
-  const metaPath = path.join(SCHEDULES_DIR, `${id}.json`);
-  fs.writeFileSync(metaPath, JSON.stringify(schedule, null, 2), 'utf8');
-
-  // Generate and install LaunchAgent
-  if (process.platform === 'darwin') {
-    const plistContent = generatePlist(schedule);
-    const plistPath = path.join(os.homedir(), 'Library', 'LaunchAgents', `${PLIST_PREFIX}.${id}.plist`);
-    const logDir = path.join(os.homedir(), '.thumbgate', 'logs');
-    if (!fs.existsSync(logDir)) fs.mkdirSync(logDir, { recursive: true });
-    fs.mkdirSync(path.dirname(plistPath), { recursive: true });
-
-    fs.writeFileSync(plistPath, plistContent, 'utf8');
-    try {
-      execSync(`launchctl unload "${plistPath}" 2>/dev/null`, { stdio: 'pipe' });
-    } catch { /* not loaded */ }
-    try {
-      execSync(`launchctl load "${plistPath}"`, { stdio: 'pipe' });
-    } catch (e) {
-      return { success: false, error: `Failed to load LaunchAgent: ${e.message}`, schedule };
-    }
-
-    return { success: true, schedule, plistPath, message: `Schedule "${id}" created and loaded` };
-  }
-
-  // Linux keeps the schedule metadata so operators can install it via user crontab tooling.
-  return { success: true, schedule, message: `Schedule "${id}" saved for Linux crontab installation` };
-}
-
-function listSchedules() {
-  ensureDir(SCHEDULES_DIR);
-  const files = fs.readdirSync(SCHEDULES_DIR).filter(f => f.endsWith('.json'));
-  return files.map(f => {
-    try {
-      return JSON.parse(fs.readFileSync(path.join(SCHEDULES_DIR, f), 'utf8'));
-    } catch {
-      return { id: f.replace('.json', ''), error: 'corrupt' };
-    }
-  });
-}
-
-function deleteSchedule(id) {
-  const metaPath = path.join(SCHEDULES_DIR, `${id}.json`);
-  const plistPath = path.join(os.homedir(), 'Library', 'LaunchAgents', `${PLIST_PREFIX}.${id}.plist`);
-
-  try {
-    execSync(`launchctl unload "${plistPath}" 2>/dev/null`, { stdio: 'pipe' });
-  } catch { /* not loaded */ }
-
-  if (fs.existsSync(plistPath)) fs.unlinkSync(plistPath);
-  if (fs.existsSync(metaPath)) fs.unlinkSync(metaPath);
-
-  return { success: true, message: `Schedule "${id}" deleted` };
-}
-
-module.exports = {
-  createSchedule,
-  listSchedules,
-  deleteSchedule,
-  escapePlistString,
-  generatePlist,
-  parseCronSpec,
-  buildManagedScheduleCommand,
-  buildAgenticDataPipelineSchedule,
-};