voidforge-build 23.9.1

package/dist/wizard/lib/provisioners/aws-vps.js

@@ -0,0 +1,231 @@
+/**
+ * AWS VPS provisioner — orchestrator that coordinates EC2, RDS, ElastiCache,
+ * script generation, env writing, and cleanup.
+ */
+import { writeFile, mkdir } from 'node:fs/promises';
+import { chmodSync } from 'node:fs';
+import { join } from 'node:path';
+import { buildAwsConfig, validateAwsContext, loadAwsSdk, sleep } from './aws-config.js';
+import { validateCredentials, createKeyPair, createSecurityGroup, findAmi, launchAndWaitEc2, restrictSsh } from './aws-ec2.js';
+import { provisionRds, provisionElastiCache } from './aws-rds.js';
+import { generateProvisionScript } from './scripts/provision-vps.js';
+import { generateDeployScript } from './scripts/deploy-vps.js';
+import { generateRollbackScript } from './scripts/rollback-vps.js';
+import { generateEcosystemConfig } from './scripts/ecosystem-config.js';
+import { generateCaddyfile } from './scripts/caddyfile.js';
+import { appendEnvSection } from '../env-writer.js';
+import { slugify } from './http-client.js';
+export const awsVpsProvisioner = {
+    async validate(ctx) {
+        return validateAwsContext(ctx);
+    },
+    async provision(ctx, emit) {
+        const awsConfig = buildAwsConfig(ctx);
+        const state = {
+            resources: [],
+            outputs: {},
+            files: [],
+            region: awsConfig.region,
+            slug: slugify(ctx.projectName),
+            sgId: '',
+            instanceId: '',
+            publicIp: '',
+            awsConfig,
+        };
+        // Load AWS SDK
+        const sdk = await loadAwsSdk();
+        if ('error' in sdk) {
+            return { success: false, resources: state.resources, outputs: state.outputs, files: state.files, error: sdk.error };
+        }
+        const { ec2Mod, stsMod } = sdk;
+        // Steps 1-6: EC2 provisioning pipeline
+        if (!await validateCredentials(state, stsMod, emit)) {
+            return { success: false, ...stateResult(state), error: 'AWS credential validation failed' };
+        }
+        if (!await createKeyPair(state, ctx, ec2Mod, emit)) {
+            return { success: false, ...stateResult(state), error: 'Failed to create key pair' };
+        }
+        if (!await createSecurityGroup(state, ctx, ec2Mod, emit)) {
+            return { success: false, ...stateResult(state), error: 'Failed to create security group' };
+        }
+        const amiId = await findAmi(state, ec2Mod, emit);
+        if (!amiId) {
+            return { success: false, ...stateResult(state), error: 'AMI lookup failed' };
+        }
+        const ec2InstanceType = (ctx.instanceType || 't3.micro');
+        if (!await launchAndWaitEc2(state, ctx, ec2Mod, amiId, ec2InstanceType, emit)) {
+            return { success: false, ...stateResult(state), error: 'EC2 instance failed to start' };
+        }
+        // Steps 7-8: Optional RDS + ElastiCache (non-fatal)
+        await provisionRds(state, ctx, ec2InstanceType, emit);
+        await provisionElastiCache(state, ctx, ec2InstanceType, emit);
+        // Step 9: Generate infrastructure scripts
+        const scriptsOk = await generateScripts(state, ctx, ec2InstanceType, emit);
+        if (!scriptsOk) {
+            return { success: false, ...stateResult(state), error: 'Failed to generate infrastructure scripts' };
+        }
+        // Step 10: Write .env
+        await writeEnvFile(state, ctx, emit);
+        // DEVOPS-R2-001: Restrict SSH
+        await restrictSsh(state, emit);
+        return { success: true, ...stateResult(state) };
+    },
+    async cleanup(resources, credentials) {
+        if (resources.length === 0)
+            return;
+        const region = resources[0].region;
+        const awsConfig = {
+            region,
+            credentials: {
+                accessKeyId: credentials['aws-access-key-id'] ?? '',
+                secretAccessKey: credentials['aws-secret-access-key'] ?? '',
+            },
+        };
+        // Clean up in reverse order
+        for (const resource of [...resources].reverse()) {
+            try {
+                switch (resource.type) {
+                    case 'ec2-instance': {
+                        const { EC2Client, TerminateInstancesCommand } = await import('@aws-sdk/client-ec2');
+                        const ec2 = new EC2Client(awsConfig);
+                        await ec2.send(new TerminateInstancesCommand({ InstanceIds: [resource.id] }));
+                        break;
+                    }
+                    case 'security-group': {
+                        const { EC2Client, DeleteSecurityGroupCommand } = await import('@aws-sdk/client-ec2');
+                        const ec2 = new EC2Client(awsConfig);
+                        const maxWait = 120000;
+                        const start = Date.now();
+                        while (Date.now() - start < maxWait) {
+                            await sleep(10000);
+                            try {
+                                await ec2.send(new DeleteSecurityGroupCommand({ GroupId: resource.id }));
+                                break;
+                            }
+                            catch (sgErr) {
+                                const msg = sgErr.message || '';
+                                if (msg.includes('DependencyViolation'))
+                                    continue;
+                                throw sgErr;
+                            }
+                        }
+                        break;
+                    }
+                    case 'key-pair': {
+                        const { EC2Client, DeleteKeyPairCommand } = await import('@aws-sdk/client-ec2');
+                        const ec2 = new EC2Client(awsConfig);
+                        await ec2.send(new DeleteKeyPairCommand({ KeyName: resource.id }));
+                        break;
+                    }
+                    case 'rds-instance': {
+                        const { RDSClient, DeleteDBInstanceCommand } = await import('@aws-sdk/client-rds');
+                        const rds = new RDSClient(awsConfig);
+                        try {
+                            await rds.send(new DeleteDBInstanceCommand({
+                                DBInstanceIdentifier: resource.id,
+                                SkipFinalSnapshot: true,
+                            }));
+                        }
+                        catch (rdsErr) {
+                            const code = rdsErr.name ?? '';
+                            if (code === 'InvalidDBInstanceState') {
+                                console.error(`RDS instance "${resource.id}" is still creating — check AWS Console in 10 minutes to delete manually.`);
+                            }
+                            else {
+                                throw rdsErr;
+                            }
+                        }
+                        break;
+                    }
+                    case 'elasticache-cluster': {
+                        const { ElastiCacheClient, DeleteCacheClusterCommand } = await import('@aws-sdk/client-elasticache');
+                        const ec = new ElastiCacheClient(awsConfig);
+                        try {
+                            await ec.send(new DeleteCacheClusterCommand({ CacheClusterId: resource.id }));
+                        }
+                        catch (cacheErr) {
+                            const code = cacheErr.name ?? '';
+                            if (code === 'InvalidCacheClusterState') {
+                                console.error(`ElastiCache cluster "${resource.id}" is still creating — check AWS Console in 10 minutes to delete manually.`);
+                            }
+                            else {
+                                throw cacheErr;
+                            }
+                        }
+                        break;
+                    }
+                }
+            }
+            catch (err) {
+                console.error(`Failed to cleanup ${resource.type} ${resource.id}:`, err.message);
+            }
+        }
+    },
+};
+function stateResult(state) {
+    return { resources: state.resources, outputs: state.outputs, files: state.files };
+}
+async function generateScripts(state, ctx, ec2InstanceType, emit) {
+    emit({ step: 'generate-scripts', status: 'started', message: 'Generating deploy scripts' });
+    try {
+        const infraDir = join(ctx.projectDir, 'infra');
+        await mkdir(infraDir, { recursive: true });
+        const framework = ctx.framework || 'express';
+        const provisionSh = generateProvisionScript({ framework, database: ctx.database, cache: ctx.cache, instanceType: ec2InstanceType });
+        await writeFile(join(infraDir, 'provision.sh'), provisionSh, { mode: 0o755 });
+        state.files.push('infra/provision.sh');
+        const deploySh = generateDeployScript({ framework });
+        await writeFile(join(infraDir, 'deploy.sh'), deploySh, { mode: 0o755 });
+        state.files.push('infra/deploy.sh');
+        const rollbackSh = generateRollbackScript({ framework });
+        await writeFile(join(infraDir, 'rollback.sh'), rollbackSh, { mode: 0o755 });
+        state.files.push('infra/rollback.sh');
+        const caddyfile = generateCaddyfile({ framework, hostname: ctx.hostname || undefined });
+        await writeFile(join(infraDir, 'Caddyfile'), caddyfile, 'utf-8');
+        state.files.push('infra/Caddyfile');
+        if (['next.js', 'express'].includes(framework) || !framework) {
+            const ecosystem = generateEcosystemConfig({ projectName: ctx.projectName, framework });
+            await writeFile(join(ctx.projectDir, 'ecosystem.config.js'), ecosystem, 'utf-8');
+            state.files.push('ecosystem.config.js');
+        }
+        emit({ step: 'generate-scripts', status: 'done', message: `Generated ${state.files.length} infrastructure files` });
+        return true;
+    }
+    catch (err) {
+        console.error('Script generation error:', err.message);
+        emit({ step: 'generate-scripts', status: 'error', message: 'Failed to generate scripts', detail: 'Check AWS Console for details' });
+        return false;
+    }
+}
+async function writeEnvFile(state, ctx, emit) {
+    emit({ step: 'write-env', status: 'started', message: 'Writing infrastructure config to .env' });
+    try {
+        const envLines = [
+            `# VoidForge Infrastructure — generated ${new Date().toISOString()}`,
+            `SSH_HOST=${state.publicIp}`,
+            `SSH_USER=ec2-user`,
+            `SSH_KEY_PATH=.ssh/deploy-key.pem`,
+        ];
+        if (state.outputs['DB_ENGINE']) {
+            envLines.push(`DB_ENGINE=${state.outputs['DB_ENGINE']}`);
+            envLines.push(`DB_HOST=${state.outputs['DB_HOST'] || `# pending — check https://${state.region}.console.aws.amazon.com/rds/home?region=${state.region}#databases:`}`);
+            envLines.push(`DB_PORT=${state.outputs['DB_PORT']}`);
+            envLines.push(`DB_INSTANCE_ID=${state.outputs['DB_INSTANCE_ID']}`);
+            envLines.push(`DB_USERNAME=${state.outputs['DB_USERNAME']}`);
+            envLines.push(`DB_PASSWORD=${state.outputs['DB_PASSWORD']}`);
+        }
+        if (state.outputs['REDIS_CLUSTER_ID']) {
+            envLines.push(`REDIS_CLUSTER_ID=${state.outputs['REDIS_CLUSTER_ID']}`);
+            envLines.push(`REDIS_HOST=${state.outputs['REDIS_HOST'] || `# pending — check https://${state.region}.console.aws.amazon.com/elasticache/home?region=${state.region}`}`);
+            envLines.push(`REDIS_PORT=${state.outputs['REDIS_PORT'] || '6379'}`);
+        }
+        await appendEnvSection(ctx.projectDir, envLines);
+        chmodSync(join(ctx.projectDir, '.env'), 0o600);
+        emit({ step: 'write-env', status: 'done', message: 'Infrastructure config written to .env' });
+    }
+    catch (err) {
+        console.error('Env file write error:', err.message);
+        emit({ step: 'write-env', status: 'error', message: 'Failed to write .env', detail: err.message });
+        // Non-fatal
+    }
+}

package/dist/wizard/lib/provisioners/cloudflare.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Cloudflare provisioner — creates a real Workers/Pages project via API + generates wrangler.toml.
+ * v3.8.0: Includes GitHub source at creation time for auto-deploy (ADR-011, ADR-015).
+ */
+import type { Provisioner } from './types.js';
+export declare const cloudflareProvisioner: Provisioner;

package/dist/wizard/lib/provisioners/cloudflare.js

@@ -0,0 +1,300 @@
+/**
+ * Cloudflare provisioner — creates a real Workers/Pages project via API + generates wrangler.toml.
+ * v3.8.0: Includes GitHub source at creation time for auto-deploy (ADR-011, ADR-015).
+ */
+import { writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { httpsPost, httpsGet, httpsDelete, safeJsonParse, slugify } from './http-client.js';
+import { recordResourcePending, recordResourceCreated } from '../provision-manifest.js';
+import { appendEnvSection } from '../env-writer.js';
+const DEPLOY_POLL_INTERVAL_MS = 5000;
+const DEPLOY_POLL_TIMEOUT_MS = 300_000;
+export const cloudflareProvisioner = {
+    async validate(ctx) {
+        const errors = [];
+        if (!ctx.projectDir)
+            errors.push('Project directory is required');
+        if (!ctx.credentials['cloudflare-api-token'])
+            errors.push('Cloudflare API token is required');
+        return errors;
+    },
+    async provision(ctx, emit) {
+        const files = [];
+        const resources = [];
+        const outputs = {};
+        const token = ctx.credentials['cloudflare-api-token'];
+        const slug = slugify(ctx.projectName);
+        const headers = {
+            'Authorization': `Bearer ${token}`,
+            'Content-Type': 'application/json',
+        };
+        // Step 1: Get account ID
+        emit({ step: 'cf-account', status: 'started', message: 'Fetching Cloudflare account' });
+        let accountId = '';
+        try {
+            const res = await httpsGet('api.cloudflare.com', '/client/v4/accounts?page=1&per_page=1', {
+                'Authorization': `Bearer ${token}`,
+            });
+            if (res.status !== 200) {
+                throw new Error(`Cloudflare API returned ${res.status}`);
+            }
+            const data = safeJsonParse(res.body);
+            if (!data?.success || !data?.result || data.result.length === 0) {
+                throw new Error('No Cloudflare account found for this token');
+            }
+            accountId = data.result[0].id;
+            outputs['CF_ACCOUNT_ID'] = accountId;
+            emit({ step: 'cf-account', status: 'done', message: `Account: ${data.result[0].name}` });
+        }
+        catch (err) {
+            emit({ step: 'cf-account', status: 'error', message: 'Failed to fetch Cloudflare account', detail: err.message });
+            return { success: false, resources, outputs, files, error: err.message };
+        }
+        // GitHub source info (used in project creation and deploy polling)
+        const ghOwner = ctx.credentials['_github-owner'];
+        const ghRepo = ctx.credentials['_github-repo-name'];
+        // Step 2: Create Pages project
+        emit({ step: 'cf-project', status: 'started', message: 'Creating Cloudflare Pages project' });
+        try {
+            await recordResourcePending(ctx.runId, 'cf-pages-project', slug, 'global');
+            const projectPayload = {
+                name: slug,
+                production_branch: 'main',
+            };
+            if (ghOwner && ghRepo) {
+                projectPayload.source = {
+                    type: 'github',
+                    config: {
+                        owner: ghOwner,
+                        repo_name: ghRepo,
+                        production_branch: 'main',
+                        pr_comments_enabled: true,
+                        deployments_enabled: true,
+                    },
+                };
+                projectPayload.build_config = {
+                    build_command: ctx.framework === 'django' ? '' : 'npm run build',
+                    destination_dir: ctx.framework === 'next.js' ? 'out' : 'dist',
+                };
+            }
+            const body = JSON.stringify(projectPayload);
+            const res = await httpsPost('api.cloudflare.com', `/client/v4/accounts/${accountId}/pages/projects`, headers, body);
+            if (res.status === 200 || res.status === 201) {
+                const data = safeJsonParse(res.body);
+                const projectName = data?.result?.name ?? slug;
+                const subdomain = data?.result?.subdomain ?? `${slug}.pages.dev`;
+                resources.push({ type: 'cf-pages-project', id: projectName, region: 'global' });
+                await recordResourceCreated(ctx.runId, 'cf-pages-project', projectName, 'global');
+                outputs['CF_PROJECT_NAME'] = projectName;
+                outputs['CF_PROJECT_URL'] = `https://${subdomain}`;
+                emit({ step: 'cf-project', status: 'done', message: `Pages project "${projectName}" created — ${subdomain}` });
+            }
+            else if (res.status === 409) {
+                // Project exists — track it so cleanup knows about it
+                resources.push({ type: 'cf-pages-project', id: slug, region: 'global' });
+                await recordResourceCreated(ctx.runId, 'cf-pages-project', slug, 'global');
+                emit({ step: 'cf-project', status: 'done', message: `Project "${slug}" already exists on Cloudflare — will use existing` });
+                outputs['CF_PROJECT_NAME'] = slug;
+                outputs['CF_PROJECT_URL'] = `https://${slug}.pages.dev`;
+            }
+            else {
+                const data = safeJsonParse(res.body);
+                const errMsg = data?.errors?.[0]?.message || `Cloudflare API returned ${res.status}`;
+                throw new Error(errMsg);
+            }
+        }
+        catch (err) {
+            emit({ step: 'cf-project', status: 'error', message: 'Failed to create Pages project', detail: err.message });
+            return { success: false, resources, outputs, files, error: err.message };
+        }
+        // Step 3: Add custom domain if hostname provided
+        const projectName = outputs['CF_PROJECT_NAME'] || slug;
+        if (ctx.hostname && accountId) {
+            emit({ step: 'cf-domain', status: 'started', message: `Adding domain ${ctx.hostname} to Pages project` });
+            try {
+                const domainBody = JSON.stringify({ name: ctx.hostname });
+                const domainRes = await httpsPost('api.cloudflare.com', `/client/v4/accounts/${accountId}/pages/projects/${projectName}/domains`, headers, domainBody);
+                if (domainRes.status === 200 || domainRes.status === 201) {
+                    outputs['CF_CUSTOM_DOMAIN'] = ctx.hostname;
+                    emit({ step: 'cf-domain', status: 'done', message: `Domain "${ctx.hostname}" added to Pages project` });
+                }
+                else if (domainRes.status === 409) {
+                    emit({ step: 'cf-domain', status: 'done', message: `Domain "${ctx.hostname}" already configured on Pages project` });
+                    outputs['CF_CUSTOM_DOMAIN'] = ctx.hostname;
+                }
+                else {
+                    const errData = safeJsonParse(domainRes.body);
+                    throw new Error(errData?.errors?.[0]?.message || `Pages domains API returned ${domainRes.status}`);
+                }
+            }
+            catch (err) {
+                emit({ step: 'cf-domain', status: 'error', message: 'Failed to add domain to Pages project', detail: err.message });
+                // Non-fatal
+            }
+        }
+        // Step 4: Create D1 database if requested
+        if (ctx.database === 'sqlite') {
+            emit({ step: 'cf-d1', status: 'started', message: 'Creating D1 database' });
+            try {
+                await recordResourcePending(ctx.runId, 'cf-d1-database', `${slug}-db`, 'global');
+                const body = JSON.stringify({ name: `${slug}-db` });
+                const res = await httpsPost('api.cloudflare.com', `/client/v4/accounts/${accountId}/d1/database`, headers, body);
+                if (res.status === 200 || res.status === 201) {
+                    const data = safeJsonParse(res.body);
+                    const dbId = data?.result?.uuid ?? '';
+                    if (dbId) {
+                        resources.push({ type: 'cf-d1-database', id: dbId, region: 'global' });
+                        await recordResourceCreated(ctx.runId, 'cf-d1-database', dbId, 'global');
+                        outputs['CF_D1_DATABASE_ID'] = dbId;
+                        outputs['CF_D1_DATABASE_NAME'] = `${slug}-db`;
+                    }
+                    emit({ step: 'cf-d1', status: 'done', message: `D1 database "${slug}-db" created` });
+                }
+                else {
+                    const data = safeJsonParse(res.body);
+                    throw new Error(data?.errors?.[0]?.message || `D1 creation returned ${res.status}`);
+                }
+            }
+            catch (err) {
+                emit({ step: 'cf-d1', status: 'error', message: 'Failed to create D1 database', detail: err.message });
+                // Non-fatal
+            }
+        }
+        else {
+            emit({ step: 'cf-d1', status: 'skipped', message: 'No database requested' });
+        }
+        // Step 5: Generate wrangler.toml
+        emit({ step: 'cf-config', status: 'started', message: 'Generating wrangler.toml' });
+        try {
+            let config = `# wrangler.toml — Cloudflare Workers/Pages configuration
+# Generated by VoidForge
+# Deploy with: npx wrangler pages deploy ./dist
+
+name = "${slug}"
+compatibility_date = "${new Date().toISOString().slice(0, 10)}"
+pages_build_output_dir = "./dist"
+
+[vars]
+ENVIRONMENT = "production"
+`;
+            if (outputs['CF_D1_DATABASE_ID']) {
+                config += `
+[[d1_databases]]
+binding = "DB"
+database_name = "${slug}-db"
+database_id = "${outputs['CF_D1_DATABASE_ID']}"
+`;
+            }
+            await writeFile(join(ctx.projectDir, 'wrangler.toml'), config, 'utf-8');
+            files.push('wrangler.toml');
+            emit({ step: 'cf-config', status: 'done', message: 'Generated wrangler.toml' });
+        }
+        catch (err) {
+            emit({ step: 'cf-config', status: 'error', message: 'Failed to write wrangler.toml', detail: err.message });
+        }
+        // Step 6: Poll for deployment (if GitHub-linked, deploy triggered by push)
+        if (ghOwner && ghRepo && accountId) {
+            emit({ step: 'cf-deploy', status: 'started', message: 'Waiting for Cloudflare Pages deployment...' });
+            try {
+                const start = Date.now();
+                let deployUrl = '';
+                while (Date.now() - start < DEPLOY_POLL_TIMEOUT_MS) {
+                    await new Promise(r => setTimeout(r, DEPLOY_POLL_INTERVAL_MS));
+                    if (ctx.abortSignal?.aborted)
+                        break;
+                    const depRes = await httpsGet('api.cloudflare.com', `/client/v4/accounts/${accountId}/pages/projects/${projectName}/deployments?sort_by=created_on&sort_order=desc&per_page=1`, { 'Authorization': `Bearer ${token}` });
+                    if (depRes.status !== 200)
+                        continue;
+                    const depData = safeJsonParse(depRes.body);
+                    const latest = depData?.result?.[0];
+                    if (!latest)
+                        continue;
+                    const stage = latest.latest_stage;
+                    if (stage?.name === 'deploy' && stage?.status === 'success') {
+                        deployUrl = latest.url ? `https://${latest.url}` : outputs['CF_PROJECT_URL'] || '';
+                        break;
+                    }
+                    if (stage?.status === 'failure') {
+                        emit({ step: 'cf-deploy', status: 'error', message: 'Cloudflare Pages deployment failed', detail: 'Check the Cloudflare dashboard for build logs' });
+                        break;
+                    }
+                    const elapsed = Math.round((Date.now() - start) / 1000);
+                    if (elapsed % 15 === 0) {
+                        emit({ step: 'cf-deploy', status: 'started', message: `Deploy status: ${stage?.name || 'queued'} / ${stage?.status || 'waiting'}... (${elapsed}s)` });
+                    }
+                }
+                if (deployUrl) {
+                    outputs['DEPLOY_URL'] = deployUrl;
+                    emit({ step: 'cf-deploy', status: 'done', message: `Live at ${deployUrl}` });
+                }
+                else if (!ctx.abortSignal?.aborted) {
+                    emit({ step: 'cf-deploy', status: 'error', message: 'Deployment polling timed out — check Cloudflare dashboard' });
+                }
+            }
+            catch (err) {
+                emit({ step: 'cf-deploy', status: 'error', message: 'Failed to poll deployment', detail: err.message });
+            }
+        }
+        else if (!ghOwner || !ghRepo) {
+            emit({ step: 'cf-deploy', status: 'skipped', message: 'No GitHub repo linked — deploy manually with: npx wrangler pages deploy ./dist' });
+        }
+        // Step 7: Write .env
+        emit({ step: 'cf-env', status: 'started', message: 'Writing Cloudflare config to .env' });
+        try {
+            const envLines = [
+                `# VoidForge Cloudflare — generated ${new Date().toISOString()}`,
+                `CF_ACCOUNT_ID=${accountId}`,
+                `CF_PROJECT_NAME=${outputs['CF_PROJECT_NAME'] || slug}`,
+            ];
+            if (outputs['CF_PROJECT_URL'])
+                envLines.push(`CF_PROJECT_URL=${outputs['CF_PROJECT_URL']}`);
+            if (outputs['CF_D1_DATABASE_ID'])
+                envLines.push(`CF_D1_DATABASE_ID=${outputs['CF_D1_DATABASE_ID']}`);
+            if (outputs['DEPLOY_URL'])
+                envLines.push(`DEPLOY_URL=${outputs['DEPLOY_URL']}`);
+            envLines.push(ghOwner ? '# Auto-deploys on push to main' : '# Deploy with: npx wrangler pages deploy ./dist');
+            await appendEnvSection(ctx.projectDir, envLines);
+            emit({ step: 'cf-env', status: 'done', message: 'Cloudflare config written to .env' });
+        }
+        catch (err) {
+            emit({ step: 'cf-env', status: 'error', message: 'Failed to write .env', detail: err.message });
+        }
+        return { success: true, resources, outputs, files };
+    },
+    async cleanup(resources, credentials) {
+        const token = credentials['cloudflare-api-token'];
+        if (!token)
+            return;
+        // Need account ID for API calls — fetch it
+        let accountId = '';
+        try {
+            const res = await httpsGet('api.cloudflare.com', '/client/v4/accounts?page=1&per_page=1', {
+                'Authorization': `Bearer ${token}`,
+            });
+            const data = safeJsonParse(res.body);
+            accountId = data?.result?.[0]?.id ?? '';
+        }
+        catch {
+            return;
+        }
+        if (!accountId)
+            return;
+        for (const resource of [...resources].reverse()) {
+            try {
+                switch (resource.type) {
+                    case 'cf-d1-database': {
+                        await httpsDelete('api.cloudflare.com', `/client/v4/accounts/${accountId}/d1/database/${resource.id}`, { 'Authorization': `Bearer ${token}` });
+                        break;
+                    }
+                    case 'cf-pages-project': {
+                        await httpsDelete('api.cloudflare.com', `/client/v4/accounts/${accountId}/pages/projects/${resource.id}`, { 'Authorization': `Bearer ${token}` });
+                        break;
+                    }
+                }
+            }
+            catch (err) {
+                console.error(`Failed to cleanup ${resource.type} ${resource.id}:`, err.message);
+            }
+        }
+    },
+};

package/dist/wizard/lib/provisioners/docker.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Docker provisioner — generates Dockerfile + docker-compose.yml locally.
+ * No cloud API calls. Files only.
+ */
+import type { Provisioner } from './types.js';
+export declare const dockerProvisioner: Provisioner;

package/dist/wizard/lib/provisioners/docker.js

@@ -0,0 +1,75 @@
+/**
+ * Docker provisioner — generates Dockerfile + docker-compose.yml locally.
+ * No cloud API calls. Files only.
+ */
+import { writeFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { generateDockerfile, generateDockerignore } from './scripts/dockerfile.js';
+import { generateDockerCompose } from './scripts/docker-compose.js';
+export const dockerProvisioner = {
+    async validate(ctx) {
+        const errors = [];
+        if (!ctx.projectDir)
+            errors.push('Project directory is required');
+        if (!ctx.projectName)
+            errors.push('Project name is required');
+        return errors;
+    },
+    async provision(ctx, emit) {
+        const files = [];
+        const framework = ctx.framework || 'express';
+        // Step 1: Generate Dockerfile
+        emit({ step: 'dockerfile', status: 'started', message: 'Generating Dockerfile' });
+        try {
+            const dockerfile = generateDockerfile(framework);
+            const dockerfilePath = join(ctx.projectDir, 'Dockerfile');
+            await writeFile(dockerfilePath, dockerfile, 'utf-8');
+            files.push('Dockerfile');
+            emit({ step: 'dockerfile', status: 'done', message: `Dockerfile generated (${framework})` });
+        }
+        catch (err) {
+            emit({ step: 'dockerfile', status: 'error', message: 'Failed to write Dockerfile', detail: err.message });
+            return { success: false, resources: [], outputs: {}, files, error: err.message };
+        }
+        // Step 2: Generate docker-compose.yml
+        emit({ step: 'docker-compose', status: 'started', message: 'Generating docker-compose.yml' });
+        try {
+            const compose = generateDockerCompose({
+                projectName: ctx.projectName,
+                framework,
+                database: ctx.database || 'none',
+                cache: ctx.cache || 'none',
+            });
+            const composePath = join(ctx.projectDir, 'docker-compose.yml');
+            await writeFile(composePath, compose, 'utf-8');
+            files.push('docker-compose.yml');
+            emit({ step: 'docker-compose', status: 'done', message: 'docker-compose.yml generated' });
+        }
+        catch (err) {
+            emit({ step: 'docker-compose', status: 'error', message: 'Failed to write docker-compose.yml', detail: err.message });
+            return { success: false, resources: [], outputs: {}, files, error: err.message };
+        }
+        // Step 3: Generate .dockerignore
+        emit({ step: 'dockerignore', status: 'started', message: 'Generating .dockerignore' });
+        try {
+            const ignore = generateDockerignore();
+            const ignorePath = join(ctx.projectDir, '.dockerignore');
+            await writeFile(ignorePath, ignore, 'utf-8');
+            files.push('.dockerignore');
+            emit({ step: 'dockerignore', status: 'done', message: '.dockerignore generated' });
+        }
+        catch (err) {
+            emit({ step: 'dockerignore', status: 'error', message: 'Failed to write .dockerignore', detail: err.message });
+            return { success: false, resources: [], outputs: {}, files, error: err.message };
+        }
+        return {
+            success: true,
+            resources: [],
+            outputs: {},
+            files,
+        };
+    },
+    async cleanup(_resources, _credentials) {
+        // Docker provisioner creates local files only — nothing to clean up
+    },
+};

package/dist/wizard/lib/provisioners/http-client.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Shared HTTPS client for provisioner API calls.
+ * Uses raw node:https — no dependencies.
+ *
+ * Security: All callers hardcode hostnames (api.cloudflare.com, etc.).
+ * Never pass user-controlled input as the hostname parameter.
+ */
+interface HttpResponse {
+    status: number;
+    body: string;
+}
+export declare function httpsGet(hostname: string, path: string, headers: Record<string, string>, timeout?: number): Promise<HttpResponse>;
+export declare function httpsPost(hostname: string, path: string, headers: Record<string, string>, body?: string, timeout?: number): Promise<HttpResponse>;
+export declare function httpsPut(hostname: string, path: string, headers: Record<string, string>, body?: string, timeout?: number): Promise<HttpResponse>;
+export declare function httpsDelete(hostname: string, path: string, headers: Record<string, string>, timeout?: number): Promise<HttpResponse>;
+/** Slugify a name for use as a cloud resource identifier. Strips non-alphanumeric, trims hyphens. */
+export declare function slugify(name: string): string;
+/** Safely parse JSON — returns null on invalid input instead of throwing. */
+export declare function safeJsonParse(body: string): unknown;
+export {};