commit a075fcf95f4db0f77e04f836b6857194182c516d Author: Vault Sovereign Date: Fri Dec 26 19:35:03 2025 +0000 Initial vmc CLI
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..77f4d82
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,2 @@
+# Put your token in ~/.env or in vm-cloud/.env
+HCLOUD_TOKEN=WXxVT5fyqkUZ7t6Xs20uIWPr7wckgHEc3ExoHRM9diJmmLptC7elJ5SrbsI3SJqj
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..cc5b132
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,17 @@
+# secrets
+.env*
+!.env.example
+*.key
+*.pem
+
+# deps/build
+node_modules/
+dist/
+
+# generated evidence
+outputs/
+
+# misc
+*.log
+.DS_Store
+__MACOSX/
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..996e833
--- /dev/null
+++ b/README.md
@@ -0,0 +1,14 @@
+# vm-cloud
+
+Hetzner CLI + MCP tooling for VM ops and research notes.
+
+## Quick start
+
+- npm install
+- ./bin/vmc servers list
+- ./bin/vmc snapshot servers
+- ./bin/vmc research new "Title"
+
+## Env
+
+Set HCLOUD_TOKEN in ~/.env or ./.env.
diff --git a/bin/vmc b/bin/vmc
new file mode 100755
index 0000000..8da36b1
--- /dev/null
+++ b/bin/vmc
@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+set -euo pipefail
+cd "$(dirname "$0")/.."
+exec npx -y tsx src/cli.ts "$@"
diff --git a/docs/AKASH_INTEGRATION.md b/docs/AKASH_INTEGRATION.md
new file mode 100644
index 0000000..d4257d1
--- /dev/null
+++ b/docs/AKASH_INTEGRATION.md
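Review bot: The `HCLOUD_TOKEN` value in `.env.example` is a 64-character string with the shape of a real Hetzner Cloud API token, not a placeholder, and the `!.env.example` negation in the `.gitignore` added by this same commit keeps the file tracked. If that value was ever valid it should be treated as exposed: revoke it and issue a new one, because deleting it in a later commit still leaves it in history. The example file should carry an obviously fake value such as `HCLOUD_TOKEN=<your-hetzner-cloud-api-token>`.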
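Review bot: In `bin/vmc`, `exec npx -y tsx src/cli.ts "$@"` lets npx fetch and run `tsx` from the registry without a prompt whenever it is not already installed, so on a fresh checkout the wrapper can execute a package version that the lockfile does not pin, in the same process that reads `HCLOUD_TOKEN`. `tsx` is already a devDependency recorded in the package-lock.json added by this commit, so the wrapper can call the locked copy and fail loudly when it is missing: `exec ./node_modules/.bin/tsx src/cli.ts "$@"`. A one-line comment above it saying that `npm ci` must have been run first would explain the failure mode.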
@@ -0,0 +1,248 @@
+# Akash Network Integration
+
+## Overview
+
+VaultMesh Cloud CLI integration with [Akash Network](https://akash.network) - a decentralized compute marketplace built on Cosmos blockchain.
+
+## Why Akash?
+
+| Feature | Akash | Traditional Cloud |
+|---------|-------|-------------------|
+| **Cost** | 60-85% cheaper | Baseline |
+| **Model** | Reverse auction marketplace | Fixed pricing |
+| **Billing** | AKT tokens per-block | Fiat monthly/hourly |
+| **Lock-in** | None - switch providers anytime | Vendor lock-in |
+| **Censorship** | Resistant (blockchain) | Subject to provider |
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────┐
+│ vmc CLI │
+├─────────────────────┬───────────────────────────────────┤
+│ vmc servers ... │ vmc akash ... │
+│ (Hetzner) │ (Akash Network) │
+├─────────────────────┼───────────────────────────────────┤
+│ src/lib/hcloud.ts │ src/lib/akash/client.ts │
+│ │ src/lib/akash/wallet.ts │
+│ │ src/lib/akash/sdl.ts │
+├─────────────────────┴───────────────────────────────────┤
+│ Receipt System (src/lib/receipt.ts) │
+│ Lock System (src/lib/lock.ts) │
+└─────────────────────────────────────────────────────────┘
+```
+
+## Akash Concepts
+
+### SDL (Stack Definition Language)
+
+YAML-based deployment specification (like docker-compose):
+
+```yaml
+version: "2.0"
+
+services:
+ web:
+ image: nginx:latest
+ expose:
+ - port: 80
+ as: 80
+ to:
+ - global: true
+
+profiles:
+ compute:
+ web:
+ resources:
+ cpu:
+ units: 1
+ memory:
+ size: 512Mi
+ storage:
+ - size: 10Gi
+
+ placement:
+ akash:
+ pricing:
+ web: 50uakt # micro-AKT per block (~6 sec)
+
+deployment:
+ web:
+ akash:
+ profile: web
+ count: 1
+```
+
+### Deployment Flow
+
+```
+1. CREATE DEPLOYMENT
+ └─> SDL manifest → Blockchain transaction
+ └─> Returns: DSEQ (deployment sequence number)
+
+2. RECEIVE BIDS
+ └─> Providers bid on your deployment
+ └─> ~15 minutes window
+
+3. ACCEPT BID → CREATE LEASE
+ └─> Select provider
+ └─> Escrow AKT for payment
+
+4. SEND MANIFEST
+ └─> Upload deployment spec to provider
+ └─> Provider starts containers
+
+5. MONITOR / UPDATE / CLOSE
+ └─> Check status, update resources, or terminate
+```
+
+### Key Identifiers
+
+| ID | Description |
+|----|-------------|
+| `DSEQ` | Deployment sequence number |
+| `GSEQ` | Group sequence (usually 1) |
+| `OSEQ` | Order sequence (usually 1) |
+| `owner` | Wallet address (akash1...) |
+| `provider` | Provider address (akash1...) |
+
+## CLI Commands
+
+### Read-Only (Phase 1)
+
+```bash
+# List all deployments for configured wallet
+vmc akash list
+
+# Get deployment details
+vmc akash status
+
+# List bids for a deployment
+vmc akash bids
+
+# Check wallet balance
+vmc akash balance
+```
+
+### Mutations (Phase 2)
+
+```bash
+# Deploy from SDL file
+vmc akash deploy --sdl app.yaml --yes --reason "deploy web app"
+
+# Close deployment (refunds remaining escrow)
+vmc akash close --yes --reason "scaling down"
+
+# Update deployment resources
+vmc akash update --sdl app.yaml --yes --reason "increase memory"
+```
+
+## Configuration
+
+### Environment Variables
+
+```bash
+# Required for queries
+AKASH_WALLET_ADDRESS=akash1... # Your wallet address
+
+# Required for mutations
+AKASH_MNEMONIC="word1 word2 ... word12" # 12-word seed phrase
+
+# Optional
+AKASH_NETWORK=testnet # testnet or mainnet
+AKASH_REST_ENDPOINT=https://api.akashnet.net
+```
+
+### Testnet vs Mainnet
+
+| Network | Endpoint | Tokens |
+|---------|----------|--------|
+| Testnet | `https://api.sandbox.akash.network` | Free test AKT |
+| Mainnet | `https://api.akashnet.net` | Real AKT |
+
+Get testnet tokens: [Akash Faucet](https://faucet.sandbox.akash.network)
+
+## File Structure
+
+```
+src/lib/akash/
+├── types.ts # TypeScript interfaces
+├── client.ts # REST API client
+├── wallet.ts # Mnemonic/signing (Phase 2)
+└── sdl.ts # SDL parsing (Phase 2)
+
+src/commands/akash/
+├── list.ts # List deployments
+├── status.ts # Deployment details
+├── bids.ts # List bids
+├── balance.ts # Wallet balance
+├── deploy.ts # Create deployment (Phase 2)
+└── close.ts # Close deployment (Phase 2)
+
+templates/akash/
+├── web.yaml # Basic web service
+├── gpu.yaml # GPU workload
+└── postgres.yaml # Database with storage
+```
+
+## Receipt Structure
+
+Akash mutations produce VaultMesh-grade receipts:
+
+```json
+{
+ "timestamp": "2025-12-26T18:30:00.000Z",
+ "platform": "akash",
+ "network": "testnet",
+ "action": "deploy",
+ "target": {
+ "dseq": "12345",
+ "owner": "akash1abc...",
+ "provider": "akash1xyz..."
+ },
+ "request": {
+ "sdl_hash": "sha256:abc123...",
+ "resources": {
+ "cpu": 1,
+ "memory": "512Mi",
+ "storage": "10Gi"
+ },
+ "max_price": "50uakt"
+ },
+ "response": {
+ "tx_hash": "ABCD1234...",
+ "lease_price": {
+ "amount": "45",
+ "denom": "uakt"
+ },
+ "status": "active"
+ },
+ "reason": "deploy web app",
+ "sha256": "..."
+}
+```
+
+## Dependencies
+
+```json
+{
+ "@akashnetwork/akash-api": "latest",
+ "@cosmjs/stargate": "^0.32.0",
+ "@cosmjs/proto-signing": "^0.32.0"
+}
+```
+
+## Resources
+
+- [Akash Network Docs](https://akash.network/docs/)
+- [SDL Reference](https://docs.akash.network/readme/stack-definition-language)
+- [Awesome Akash (326+ examples)](https://github.com/akash-network/awesome-akash)
+- [Akash Console (Web UI)](https://console.akash.network)
+- [API Endpoints](https://akash.network/docs/akash-nodes/api-endpoints/)
+
+## Implementation Status
+
+- [ ] Phase 1: Read-only commands (list, status, bids, balance)
+- [ ] Phase 2: Wallet signing + mutations (deploy, close, update)
+- [ ] Phase 3: SDL templates and validation
+- [ ] Phase 4: Multi-cloud abstraction layer
diff --git a/docs/research/2025-12-26-hetzner-baseline-2025-12-26.md b/docs/research/2025-12-26-hetzner-baseline-2025-12-26.md
new file mode 100644
index 0000000..b5c77c5
--- /dev/null
+++ b/docs/research/2025-12-26-hetzner-baseline-2025-12-26.md
@@ -0,0 +1,31 @@
+# Hetzner Baseline 2025-12-26
+
+Date: 2025-12-26
+
+## Context
+
+- Purpose:
+- Scope:
+- Risks:
+
+## Evidence
+
+
+
+## Findings
+
+-
+
+## Next actions
+
+-
+
+
+- Source: `outputs/hetzner/servers-20251226-1814.json`
+- Generated: 2025-12-26T18:14:12.297Z
+- SHA256: `6da41678f221f56bb57bbe160b971599b75fcfd41675cf1311cc199b6c641347`
+
+| Server | IP | Status | Type | Location | Created |
+|---|---|---|---|---|---|
+| vm-op-gb-a | 46.224.119.129 | running | ccx23 | Nuremberg | 2025-12-26 15:20 |
+| vm-de-op-b | 46.224.179.24 | running | ccx23 | Nuremberg | 2025-12-26 15:38 |
\ No newline at end of file
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 0000000..983831e
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,1758 @@ +{ + "name": "vm-cloud", + "version": "0.0.1", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "vm-cloud", + "version": "0.0.1", + "dependencies": { + "@modelcontextprotocol/sdk": "^1.0.0", + "@noble/ed25519": "^2.1.0", + "@noble/hashes": "^1.4.0", + "commander": "^12.0.0", + "dotenv": "^16.0.0", + "json-canonicalize": "^1.0.6" + }, + "bin": { + "vmc": "bin/vmc" + }, + "devDependencies": { + "@types/node": "^20.0.0", + "tsx": "^4.0.0", + "typescript": "^5.0.0" + } + }, + "node_modules/@esbuild/aix-ppc64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.2.tgz", + "integrity": "sha512-GZMB+a0mOMZs4MpDbj8RJp4cw+w1WV5NYD6xzgvzUJ5Ek2jerwfO2eADyI6ExDSUED+1X8aMbegahsJi+8mgpw==", + "cpu": [ + "ppc64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "aix" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/android-arm": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.27.2.tgz", + "integrity": "sha512-DVNI8jlPa7Ujbr1yjU2PfUSRtAUZPG9I1RwW4F4xFB1Imiu2on0ADiI/c3td+KmDtVKNbi+nffGDQMfcIMkwIA==", + "cpu": [ + "arm" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/android-arm64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.27.2.tgz", + "integrity": "sha512-pvz8ZZ7ot/RBphf8fv60ljmaoydPU12VuXHImtAs0XhLLw+EXBi2BLe3OYSBslR4rryHvweW5gmkKFwTiFy6KA==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/android-x64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.27.2.tgz", + "integrity": 
"sha512-z8Ank4Byh4TJJOh4wpz8g2vDy75zFL0TlZlkUkEwYXuPSgX8yzep596n6mT7905kA9uHZsf/o2OJZubl2l3M7A==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "android" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/darwin-arm64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.27.2.tgz", + "integrity": "sha512-davCD2Zc80nzDVRwXTcQP/28fiJbcOwvdolL0sOiOsbwBa72kegmVU0Wrh1MYrbuCL98Omp5dVhQFWRKR2ZAlg==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/darwin-x64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.27.2.tgz", + "integrity": "sha512-ZxtijOmlQCBWGwbVmwOF/UCzuGIbUkqB1faQRf5akQmxRJ1ujusWsb3CVfk/9iZKr2L5SMU5wPBi1UWbvL+VQA==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/freebsd-arm64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.27.2.tgz", + "integrity": "sha512-lS/9CN+rgqQ9czogxlMcBMGd+l8Q3Nj1MFQwBZJyoEKI50XGxwuzznYdwcav6lpOGv5BqaZXqvBSiB/kJ5op+g==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "freebsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/freebsd-x64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.27.2.tgz", + "integrity": "sha512-tAfqtNYb4YgPnJlEFu4c212HYjQWSO/w/h/lQaBK7RbwGIkBOuNKQI9tqWzx7Wtp7bTPaGC6MJvWI608P3wXYA==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "freebsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-arm": { + "version": "0.27.2", + "resolved": 
"https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.27.2.tgz", + "integrity": "sha512-vWfq4GaIMP9AIe4yj1ZUW18RDhx6EPQKjwe7n8BbIecFtCQG4CfHGaHuh7fdfq+y3LIA2vGS/o9ZBGVxIDi9hw==", + "cpu": [ + "arm" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-arm64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.27.2.tgz", + "integrity": "sha512-hYxN8pr66NsCCiRFkHUAsxylNOcAQaxSSkHMMjcpx0si13t1LHFphxJZUiGwojB1a/Hd5OiPIqDdXONia6bhTw==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-ia32": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.27.2.tgz", + "integrity": "sha512-MJt5BRRSScPDwG2hLelYhAAKh9imjHK5+NE/tvnRLbIqUWa+0E9N4WNMjmp/kXXPHZGqPLxggwVhz7QP8CTR8w==", + "cpu": [ + "ia32" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-loong64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.27.2.tgz", + "integrity": "sha512-lugyF1atnAT463aO6KPshVCJK5NgRnU4yb3FUumyVz+cGvZbontBgzeGFO1nF+dPueHD367a2ZXe1NtUkAjOtg==", + "cpu": [ + "loong64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-mips64el": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.27.2.tgz", + "integrity": "sha512-nlP2I6ArEBewvJ2gjrrkESEZkB5mIoaTswuqNFRv/WYd+ATtUpe9Y09RnJvgvdag7he0OWgEZWhviS1OTOKixw==", + "cpu": [ + "mips64el" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + 
} + }, + "node_modules/@esbuild/linux-ppc64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.27.2.tgz", + "integrity": "sha512-C92gnpey7tUQONqg1n6dKVbx3vphKtTHJaNG2Ok9lGwbZil6DrfyecMsp9CrmXGQJmZ7iiVXvvZH6Ml5hL6XdQ==", + "cpu": [ + "ppc64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-riscv64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.27.2.tgz", + "integrity": "sha512-B5BOmojNtUyN8AXlK0QJyvjEZkWwy/FKvakkTDCziX95AowLZKR6aCDhG7LeF7uMCXEJqwa8Bejz5LTPYm8AvA==", + "cpu": [ + "riscv64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-s390x": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.27.2.tgz", + "integrity": "sha512-p4bm9+wsPwup5Z8f4EpfN63qNagQ47Ua2znaqGH6bqLlmJ4bx97Y9JdqxgGZ6Y8xVTixUnEkoKSHcpRlDnNr5w==", + "cpu": [ + "s390x" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/linux-x64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.27.2.tgz", + "integrity": "sha512-uwp2Tip5aPmH+NRUwTcfLb+W32WXjpFejTIOWZFw/v7/KnpCDKG66u4DLcurQpiYTiYwQ9B7KOeMJvLCu/OvbA==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "linux" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/netbsd-arm64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.27.2.tgz", + "integrity": "sha512-Kj6DiBlwXrPsCRDeRvGAUb/LNrBASrfqAIok+xB0LxK8CHqxZ037viF13ugfsIpePH93mX7xfJp97cyDuTZ3cw==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", 
+ "optional": true, + "os": [ + "netbsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/netbsd-x64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.27.2.tgz", + "integrity": "sha512-HwGDZ0VLVBY3Y+Nw0JexZy9o/nUAWq9MlV7cahpaXKW6TOzfVno3y3/M8Ga8u8Yr7GldLOov27xiCnqRZf0tCA==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "netbsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/openbsd-arm64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.27.2.tgz", + "integrity": "sha512-DNIHH2BPQ5551A7oSHD0CKbwIA/Ox7+78/AWkbS5QoRzaqlev2uFayfSxq68EkonB+IKjiuxBFoV8ESJy8bOHA==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openbsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/openbsd-x64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.27.2.tgz", + "integrity": "sha512-/it7w9Nb7+0KFIzjalNJVR5bOzA9Vay+yIPLVHfIQYG/j+j9VTH84aNB8ExGKPU4AzfaEvN9/V4HV+F+vo8OEg==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openbsd" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/openharmony-arm64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.27.2.tgz", + "integrity": "sha512-LRBbCmiU51IXfeXk59csuX/aSaToeG7w48nMwA6049Y4J4+VbWALAuXcs+qcD04rHDuSCSRKdmY63sruDS5qag==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "openharmony" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/sunos-x64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.27.2.tgz", + "integrity": 
"sha512-kMtx1yqJHTmqaqHPAzKCAkDaKsffmXkPHThSfRwZGyuqyIeBvf08KSsYXl+abf5HDAPMJIPnbBfXvP2ZC2TfHg==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "sunos" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/win32-arm64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.27.2.tgz", + "integrity": "sha512-Yaf78O/B3Kkh+nKABUF++bvJv5Ijoy9AN1ww904rOXZFLWVc5OLOfL56W+C8F9xn5JQZa3UX6m+IktJnIb1Jjg==", + "cpu": [ + "arm64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/win32-ia32": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.27.2.tgz", + "integrity": "sha512-Iuws0kxo4yusk7sw70Xa2E2imZU5HoixzxfGCdxwBdhiDgt9vX9VUCBhqcwY7/uh//78A1hMkkROMJq9l27oLQ==", + "cpu": [ + "ia32" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@esbuild/win32-x64": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.27.2.tgz", + "integrity": "sha512-sRdU18mcKf7F+YgheI/zGf5alZatMUTKj/jNS6l744f9u3WFu4v7twcUI9vu4mknF4Y9aDlblIie0IM+5xxaqQ==", + "cpu": [ + "x64" + ], + "dev": true, + "license": "MIT", + "optional": true, + "os": [ + "win32" + ], + "engines": { + "node": ">=18" + } + }, + "node_modules/@hono/node-server": { + "version": "1.19.7", + "resolved": "https://registry.npmjs.org/@hono/node-server/-/node-server-1.19.7.tgz", + "integrity": "sha512-vUcD0uauS7EU2caukW8z5lJKtoGMokxNbJtBiwHgpqxEXokaHCBkQUmCHhjFB1VUTWdqj25QoMkMKzgjq+uhrw==", + "license": "MIT", + "engines": { + "node": ">=18.14.1" + }, + "peerDependencies": { + "hono": "^4" + } + }, + "node_modules/@modelcontextprotocol/sdk": { + "version": "1.25.1", + "resolved": 
"https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.25.1.tgz", + "integrity": "sha512-yO28oVFFC7EBoiKdAn+VqRm+plcfv4v0xp6osG/VsCB0NlPZWi87ajbCZZ8f/RvOFLEu7//rSRmuZZ7lMoe3gQ==", + "license": "MIT", + "dependencies": { + "@hono/node-server": "^1.19.7", + "ajv": "^8.17.1", + "ajv-formats": "^3.0.1", + "content-type": "^1.0.5", + "cors": "^2.8.5", + "cross-spawn": "^7.0.5", + "eventsource": "^3.0.2", + "eventsource-parser": "^3.0.0", + "express": "^5.0.1", + "express-rate-limit": "^7.5.0", + "jose": "^6.1.1", + "json-schema-typed": "^8.0.2", + "pkce-challenge": "^5.0.0", + "raw-body": "^3.0.0", + "zod": "^3.25 || ^4.0", + "zod-to-json-schema": "^3.25.0" + }, + "engines": { + "node": ">=18" + }, + "peerDependencies": { + "@cfworker/json-schema": "^4.1.1", + "zod": "^3.25 || ^4.0" + }, + "peerDependenciesMeta": { + "@cfworker/json-schema": { + "optional": true + }, + "zod": { + "optional": false + } + } + }, + "node_modules/@noble/ed25519": { + "version": "2.3.0", + "resolved": "https://registry.npmjs.org/@noble/ed25519/-/ed25519-2.3.0.tgz", + "integrity": "sha512-M7dvXL2B92/M7dw9+gzuydL8qn/jiqNHaoR3Q+cb1q1GHV7uwE17WCyFMG+Y+TZb5izcaXk5TdJRrDUxHXL78A==", + "license": "MIT", + "funding": { + "url": "https://paulmillr.com/funding/" + } + }, + "node_modules/@noble/hashes": { + "version": "1.8.0", + "resolved": "https://registry.npmjs.org/@noble/hashes/-/hashes-1.8.0.tgz", + "integrity": "sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==", + "license": "MIT", + "engines": { + "node": "^14.21.3 || >=16" + }, + "funding": { + "url": "https://paulmillr.com/funding/" + } + }, + "node_modules/@types/node": { + "version": "20.19.27", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.19.27.tgz", + "integrity": "sha512-N2clP5pJhB2YnZJ3PIHFk5RkygRX5WO/5f0WC08tp0wd+sv0rsJk3MqWn3CbNmT2J505a5336jaQj4ph1AdMug==", + "dev": true, + "license": "MIT", + "dependencies": { + "undici-types": "~6.21.0" + } + }, + 
"node_modules/accepts": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/accepts/-/accepts-2.0.0.tgz", + "integrity": "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==", + "license": "MIT", + "dependencies": { + "mime-types": "^3.0.0", + "negotiator": "^1.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/ajv": { + "version": "8.17.1", + "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz", + "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==", + "license": "MIT", + "dependencies": { + "fast-deep-equal": "^3.1.3", + "fast-uri": "^3.0.1", + "json-schema-traverse": "^1.0.0", + "require-from-string": "^2.0.2" + }, + "funding": { + "type": "github", + "url": "https://github.com/sponsors/epoberezkin" + } + }, + "node_modules/ajv-formats": { + "version": "3.0.1", + "resolved": "https://registry.npmjs.org/ajv-formats/-/ajv-formats-3.0.1.tgz", + "integrity": "sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ==", + "license": "MIT", + "dependencies": { + "ajv": "^8.0.0" + }, + "peerDependencies": { + "ajv": "^8.0.0" + }, + "peerDependenciesMeta": { + "ajv": { + "optional": true + } + } + }, + "node_modules/body-parser": { + "version": "2.2.1", + "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.1.tgz", + "integrity": "sha512-nfDwkulwiZYQIGwxdy0RUmowMhKcFVcYXUU7m4QlKYim1rUtg83xm2yjZ40QjDuc291AJjjeSc9b++AWHSgSHw==", + "license": "MIT", + "dependencies": { + "bytes": "^3.1.2", + "content-type": "^1.0.5", + "debug": "^4.4.3", + "http-errors": "^2.0.0", + "iconv-lite": "^0.7.0", + "on-finished": "^2.4.1", + "qs": "^6.14.0", + "raw-body": "^3.0.1", + "type-is": "^2.0.1" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/bytes": { + "version": "3.1.2", + "resolved": 
"https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", + "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/call-bind-apply-helpers": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz", + "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/call-bound": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz", + "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==", + "license": "MIT", + "dependencies": { + "call-bind-apply-helpers": "^1.0.2", + "get-intrinsic": "^1.3.0" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/commander": { + "version": "12.1.0", + "resolved": "https://registry.npmjs.org/commander/-/commander-12.1.0.tgz", + "integrity": "sha512-Vw8qHK3bZM9y/P10u3Vib8o/DdkvA2OtPtZvD871QKjy74Wj1WSKFILMPRPSdUSx5RFK1arlJzEtA4PkFgnbuA==", + "license": "MIT", + "engines": { + "node": ">=18" + } + }, + "node_modules/content-disposition": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.1.tgz", + "integrity": "sha512-oIXISMynqSqm241k6kcQ5UwttDILMK4BiurCfGEREw6+X9jkkpEe5T9FZaApyLGGOnFuyMWZpdolTXMtvEJ08Q==", + "license": "MIT", + "engines": { + "node": ">=18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/content-type": { + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz", + 
"integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/cookie": { + "version": "0.7.2", + "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz", + "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/cookie-signature": { + "version": "1.2.2", + "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz", + "integrity": "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==", + "license": "MIT", + "engines": { + "node": ">=6.6.0" + } + }, + "node_modules/cors": { + "version": "2.8.5", + "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.5.tgz", + "integrity": "sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==", + "license": "MIT", + "dependencies": { + "object-assign": "^4", + "vary": "^1" + }, + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/cross-spawn": { + "version": "7.0.6", + "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz", + "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==", + "license": "MIT", + "dependencies": { + "path-key": "^3.1.0", + "shebang-command": "^2.0.0", + "which": "^2.0.1" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/debug": { + "version": "4.4.3", + "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz", + "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==", + "license": "MIT", + "dependencies": { + "ms": "^2.1.3" + }, + "engines": { + "node": ">=6.0" + }, + "peerDependenciesMeta": { + "supports-color": { + "optional": true + } + } + }, + "node_modules/depd": { 
+ "version": "2.0.0", + "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz", + "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/dotenv": { + "version": "16.6.1", + "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.6.1.tgz", + "integrity": "sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow==", + "license": "BSD-2-Clause", + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://dotenvx.com" + } + }, + "node_modules/dunder-proto": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz", + "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==", + "license": "MIT", + "dependencies": { + "call-bind-apply-helpers": "^1.0.1", + "es-errors": "^1.3.0", + "gopd": "^1.2.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/ee-first": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz", + "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==", + "license": "MIT" + }, + "node_modules/encodeurl": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz", + "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/es-define-property": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz", + "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/es-errors": { + "version": "1.3.0", + 
"resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz", + "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/es-object-atoms": { + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz", + "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/esbuild": { + "version": "0.27.2", + "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.2.tgz", + "integrity": "sha512-HyNQImnsOC7X9PMNaCIeAm4ISCQXs5a5YasTXVliKv4uuBo1dKrG0A+uQS8M5eXjVMnLg3WgXaKvprHlFJQffw==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "bin": { + "esbuild": "bin/esbuild" + }, + "engines": { + "node": ">=18" + }, + "optionalDependencies": { + "@esbuild/aix-ppc64": "0.27.2", + "@esbuild/android-arm": "0.27.2", + "@esbuild/android-arm64": "0.27.2", + "@esbuild/android-x64": "0.27.2", + "@esbuild/darwin-arm64": "0.27.2", + "@esbuild/darwin-x64": "0.27.2", + "@esbuild/freebsd-arm64": "0.27.2", + "@esbuild/freebsd-x64": "0.27.2", + "@esbuild/linux-arm": "0.27.2", + "@esbuild/linux-arm64": "0.27.2", + "@esbuild/linux-ia32": "0.27.2", + "@esbuild/linux-loong64": "0.27.2", + "@esbuild/linux-mips64el": "0.27.2", + "@esbuild/linux-ppc64": "0.27.2", + "@esbuild/linux-riscv64": "0.27.2", + "@esbuild/linux-s390x": "0.27.2", + "@esbuild/linux-x64": "0.27.2", + "@esbuild/netbsd-arm64": "0.27.2", + "@esbuild/netbsd-x64": "0.27.2", + "@esbuild/openbsd-arm64": "0.27.2", + "@esbuild/openbsd-x64": "0.27.2", + "@esbuild/openharmony-arm64": "0.27.2", + "@esbuild/sunos-x64": "0.27.2", + "@esbuild/win32-arm64": "0.27.2", + "@esbuild/win32-ia32": "0.27.2", + "@esbuild/win32-x64": "0.27.2" + } + }, + 
"node_modules/escape-html": { + "version": "1.0.3", + "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz", + "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==", + "license": "MIT" + }, + "node_modules/etag": { + "version": "1.8.1", + "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz", + "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/eventsource": { + "version": "3.0.7", + "resolved": "https://registry.npmjs.org/eventsource/-/eventsource-3.0.7.tgz", + "integrity": "sha512-CRT1WTyuQoD771GW56XEZFQ/ZoSfWid1alKGDYMmkt2yl8UXrVR4pspqWNEcqKvVIzg6PAltWjxcSSPrboA4iA==", + "license": "MIT", + "dependencies": { + "eventsource-parser": "^3.0.1" + }, + "engines": { + "node": ">=18.0.0" + } + }, + "node_modules/eventsource-parser": { + "version": "3.0.6", + "resolved": "https://registry.npmjs.org/eventsource-parser/-/eventsource-parser-3.0.6.tgz", + "integrity": "sha512-Vo1ab+QXPzZ4tCa8SwIHJFaSzy4R6SHf7BY79rFBDf0idraZWAkYrDjDj8uWaSm3S2TK+hJ7/t1CEmZ7jXw+pg==", + "license": "MIT", + "engines": { + "node": ">=18.0.0" + } + }, + "node_modules/express": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz", + "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==", + "license": "MIT", + "peer": true, + "dependencies": { + "accepts": "^2.0.0", + "body-parser": "^2.2.1", + "content-disposition": "^1.0.0", + "content-type": "^1.0.5", + "cookie": "^0.7.1", + "cookie-signature": "^1.2.1", + "debug": "^4.4.0", + "depd": "^2.0.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "finalhandler": "^2.1.0", + "fresh": "^2.0.0", + "http-errors": "^2.0.0", + "merge-descriptors": "^2.0.0", + "mime-types": "^3.0.0", + "on-finished": "^2.4.1", 
+ "once": "^1.4.0", + "parseurl": "^1.3.3", + "proxy-addr": "^2.0.7", + "qs": "^6.14.0", + "range-parser": "^1.2.1", + "router": "^2.2.0", + "send": "^1.1.0", + "serve-static": "^2.2.0", + "statuses": "^2.0.1", + "type-is": "^2.0.1", + "vary": "^1.1.2" + }, + "engines": { + "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/express-rate-limit": { + "version": "7.5.1", + "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.1.tgz", + "integrity": "sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==", + "license": "MIT", + "engines": { + "node": ">= 16" + }, + "funding": { + "url": "https://github.com/sponsors/express-rate-limit" + }, + "peerDependencies": { + "express": ">= 4.11" + } + }, + "node_modules/fast-deep-equal": { + "version": "3.1.3", + "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz", + "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==", + "license": "MIT" + }, + "node_modules/fast-uri": { + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz", + "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/fastify" + }, + { + "type": "opencollective", + "url": "https://opencollective.com/fastify" + } + ], + "license": "BSD-3-Clause" + }, + "node_modules/finalhandler": { + "version": "2.1.1", + "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.1.tgz", + "integrity": "sha512-S8KoZgRZN+a5rNwqTxlZZePjT/4cnm0ROV70LedRHZ0p8u9fRID0hJUZQpkKLzro8LfmC8sx23bY6tVNxv8pQA==", + "license": "MIT", + "dependencies": { + "debug": "^4.4.0", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "on-finished": "^2.4.1", + "parseurl": 
"^1.3.3", + "statuses": "^2.0.1" + }, + "engines": { + "node": ">= 18.0.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/forwarded": { + "version": "0.2.0", + "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz", + "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/fresh": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/fresh/-/fresh-2.0.0.tgz", + "integrity": "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/fsevents": { + "version": "2.3.3", + "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", + "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==", + "dev": true, + "hasInstallScript": true, + "license": "MIT", + "optional": true, + "os": [ + "darwin" + ], + "engines": { + "node": "^8.16.0 || ^10.6.0 || >=11.0.0" + } + }, + "node_modules/function-bind": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz", + "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-intrinsic": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz", + "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==", + "license": "MIT", + "dependencies": { + "call-bind-apply-helpers": "^1.0.2", + "es-define-property": "^1.0.1", + "es-errors": "^1.3.0", + "es-object-atoms": "^1.1.1", + "function-bind": "^1.1.2", + 
"get-proto": "^1.0.1", + "gopd": "^1.2.0", + "has-symbols": "^1.1.0", + "hasown": "^2.0.2", + "math-intrinsics": "^1.1.0" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/get-proto": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz", + "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==", + "license": "MIT", + "dependencies": { + "dunder-proto": "^1.0.1", + "es-object-atoms": "^1.0.0" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/get-tsconfig": { + "version": "4.13.0", + "resolved": "https://registry.npmjs.org/get-tsconfig/-/get-tsconfig-4.13.0.tgz", + "integrity": "sha512-1VKTZJCwBrvbd+Wn3AOgQP/2Av+TfTCOlE4AcRJE72W1ksZXbAx8PPBR9RzgTeSPzlPMHrbANMH3LbltH73wxQ==", + "dev": true, + "license": "MIT", + "dependencies": { + "resolve-pkg-maps": "^1.0.0" + }, + "funding": { + "url": "https://github.com/privatenumber/get-tsconfig?sponsor=1" + } + }, + "node_modules/gopd": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz", + "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/has-symbols": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz", + "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/hasown": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz", + "integrity": 
"sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==", + "license": "MIT", + "dependencies": { + "function-bind": "^1.1.2" + }, + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/hono": { + "version": "4.11.3", + "resolved": "https://registry.npmjs.org/hono/-/hono-4.11.3.tgz", + "integrity": "sha512-PmQi306+M/ct/m5s66Hrg+adPnkD5jiO6IjA7WhWw0gSBSo1EcRegwuI1deZ+wd5pzCGynCcn2DprnE4/yEV4w==", + "license": "MIT", + "peer": true, + "engines": { + "node": ">=16.9.0" + } + }, + "node_modules/http-errors": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz", + "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==", + "license": "MIT", + "dependencies": { + "depd": "~2.0.0", + "inherits": "~2.0.4", + "setprototypeof": "~1.2.0", + "statuses": "~2.0.2", + "toidentifier": "~1.0.1" + }, + "engines": { + "node": ">= 0.8" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/iconv-lite": { + "version": "0.7.1", + "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.1.tgz", + "integrity": "sha512-2Tth85cXwGFHfvRgZWszZSvdo+0Xsqmw8k8ZwxScfcBneNUraK+dxRxRm24nszx80Y0TVio8kKLt5sLE7ZCLlw==", + "license": "MIT", + "dependencies": { + "safer-buffer": ">= 2.1.2 < 3.0.0" + }, + "engines": { + "node": ">=0.10.0" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/inherits": { + "version": "2.0.4", + "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz", + "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==", + "license": "ISC" + }, + "node_modules/ipaddr.js": { + "version": "1.9.1", + "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz", + "integrity": 
"sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==", + "license": "MIT", + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/is-promise": { + "version": "4.0.0", + "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz", + "integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==", + "license": "MIT" + }, + "node_modules/isexe": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz", + "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==", + "license": "ISC" + }, + "node_modules/jose": { + "version": "6.1.3", + "resolved": "https://registry.npmjs.org/jose/-/jose-6.1.3.tgz", + "integrity": "sha512-0TpaTfihd4QMNwrz/ob2Bp7X04yuxJkjRGi4aKmOqwhov54i6u79oCv7T+C7lo70MKH6BesI3vscD1yb/yzKXQ==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/panva" + } + }, + "node_modules/json-canonicalize": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/json-canonicalize/-/json-canonicalize-1.2.0.tgz", + "integrity": "sha512-TTdjBvqrqJKSADlEsY5rWbx8/1tOrVlTR/aSLU8N2VSInCTffP0p+byYB8Es+OmL4ZOeEftjUdvV+eJeSzJC/Q==", + "license": "MIT" + }, + "node_modules/json-schema-traverse": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz", + "integrity": "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==", + "license": "MIT" + }, + "node_modules/json-schema-typed": { + "version": "8.0.2", + "resolved": "https://registry.npmjs.org/json-schema-typed/-/json-schema-typed-8.0.2.tgz", + "integrity": "sha512-fQhoXdcvc3V28x7C7BMs4P5+kNlgUURe2jmUT1T//oBRMDrqy1QPelJimwZGo7Hg9VPV3EQV5Bnq4hbFy2vetA==", + "license": "BSD-2-Clause" + }, + "node_modules/math-intrinsics": { + "version": "1.1.0", + "resolved": 
"https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz", + "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + } + }, + "node_modules/media-typer": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-1.1.0.tgz", + "integrity": "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/merge-descriptors": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-2.0.0.tgz", + "integrity": "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==", + "license": "MIT", + "engines": { + "node": ">=18" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/mime-db": { + "version": "1.54.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz", + "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/mime-types": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.2.tgz", + "integrity": "sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A==", + "license": "MIT", + "dependencies": { + "mime-db": "^1.54.0" + }, + "engines": { + "node": ">=18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/ms": { + "version": "2.1.3", + "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz", + "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==", + "license": "MIT" + }, + "node_modules/negotiator": { + "version": 
"1.0.0", + "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-1.0.0.tgz", + "integrity": "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/object-assign": { + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz", + "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==", + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/object-inspect": { + "version": "1.13.4", + "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz", + "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==", + "license": "MIT", + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/on-finished": { + "version": "2.4.1", + "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz", + "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==", + "license": "MIT", + "dependencies": { + "ee-first": "1.1.1" + }, + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/once": { + "version": "1.4.0", + "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz", + "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==", + "license": "ISC", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/parseurl": { + "version": "1.3.3", + "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz", + "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/path-key": { + "version": "3.1.1", + "resolved": 
"https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz", + "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/path-to-regexp": { + "version": "8.3.0", + "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.3.0.tgz", + "integrity": "sha512-7jdwVIRtsP8MYpdXSwOS0YdD0Du+qOoF/AEPIt88PcCFrZCzx41oxku1jD88hZBwbNUIEfpqvuhjFaMAqMTWnA==", + "license": "MIT", + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/pkce-challenge": { + "version": "5.0.1", + "resolved": "https://registry.npmjs.org/pkce-challenge/-/pkce-challenge-5.0.1.tgz", + "integrity": "sha512-wQ0b/W4Fr01qtpHlqSqspcj3EhBvimsdh0KlHhH8HRZnMsEa0ea2fTULOXOS9ccQr3om+GcGRk4e+isrZWV8qQ==", + "license": "MIT", + "engines": { + "node": ">=16.20.0" + } + }, + "node_modules/proxy-addr": { + "version": "2.0.7", + "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz", + "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==", + "license": "MIT", + "dependencies": { + "forwarded": "0.2.0", + "ipaddr.js": "1.9.1" + }, + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/qs": { + "version": "6.14.0", + "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz", + "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==", + "license": "BSD-3-Clause", + "dependencies": { + "side-channel": "^1.1.0" + }, + "engines": { + "node": ">=0.6" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/range-parser": { + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz", + "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==", + "license": "MIT", + 
"engines": { + "node": ">= 0.6" + } + }, + "node_modules/raw-body": { + "version": "3.0.2", + "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.2.tgz", + "integrity": "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==", + "license": "MIT", + "dependencies": { + "bytes": "~3.1.2", + "http-errors": "~2.0.1", + "iconv-lite": "~0.7.0", + "unpipe": "~1.0.0" + }, + "engines": { + "node": ">= 0.10" + } + }, + "node_modules/require-from-string": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz", + "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==", + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/resolve-pkg-maps": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/resolve-pkg-maps/-/resolve-pkg-maps-1.0.0.tgz", + "integrity": "sha512-seS2Tj26TBVOC2NIc2rOe2y2ZO7efxITtLZcGSOnHHNOQ7CkiUBfw0Iw2ck6xkIhPwLhKNLS8BO+hEpngQlqzw==", + "dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1" + } + }, + "node_modules/router": { + "version": "2.2.0", + "resolved": "https://registry.npmjs.org/router/-/router-2.2.0.tgz", + "integrity": "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==", + "license": "MIT", + "dependencies": { + "debug": "^4.4.0", + "depd": "^2.0.0", + "is-promise": "^4.0.0", + "parseurl": "^1.3.3", + "path-to-regexp": "^8.0.0" + }, + "engines": { + "node": ">= 18" + } + }, + "node_modules/safer-buffer": { + "version": "2.1.2", + "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", + "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==", + "license": "MIT" + }, + "node_modules/send": { + "version": "1.2.1", + "resolved": 
"https://registry.npmjs.org/send/-/send-1.2.1.tgz", + "integrity": "sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==", + "license": "MIT", + "dependencies": { + "debug": "^4.4.3", + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "etag": "^1.8.1", + "fresh": "^2.0.0", + "http-errors": "^2.0.1", + "mime-types": "^3.0.2", + "ms": "^2.1.3", + "on-finished": "^2.4.1", + "range-parser": "^1.2.1", + "statuses": "^2.0.2" + }, + "engines": { + "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/serve-static": { + "version": "2.2.1", + "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-2.2.1.tgz", + "integrity": "sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw==", + "license": "MIT", + "dependencies": { + "encodeurl": "^2.0.0", + "escape-html": "^1.0.3", + "parseurl": "^1.3.3", + "send": "^1.2.0" + }, + "engines": { + "node": ">= 18" + }, + "funding": { + "type": "opencollective", + "url": "https://opencollective.com/express" + } + }, + "node_modules/setprototypeof": { + "version": "1.2.0", + "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz", + "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==", + "license": "ISC" + }, + "node_modules/shebang-command": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz", + "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==", + "license": "MIT", + "dependencies": { + "shebang-regex": "^3.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/shebang-regex": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz", + "integrity": 
"sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==", + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/side-channel": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz", + "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.3", + "side-channel-list": "^1.0.0", + "side-channel-map": "^1.0.1", + "side-channel-weakmap": "^1.0.2" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-list": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.0.tgz", + "integrity": "sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==", + "license": "MIT", + "dependencies": { + "es-errors": "^1.3.0", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-map": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz", + "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==", + "license": "MIT", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/side-channel-weakmap": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz", + "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==", + 
"license": "MIT", + "dependencies": { + "call-bound": "^1.0.2", + "es-errors": "^1.3.0", + "get-intrinsic": "^1.2.5", + "object-inspect": "^1.13.3", + "side-channel-map": "^1.0.1" + }, + "engines": { + "node": ">= 0.4" + }, + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/statuses": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz", + "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/toidentifier": { + "version": "1.0.1", + "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz", + "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==", + "license": "MIT", + "engines": { + "node": ">=0.6" + } + }, + "node_modules/tsx": { + "version": "4.21.0", + "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.21.0.tgz", + "integrity": "sha512-5C1sg4USs1lfG0GFb2RLXsdpXqBSEhAaA/0kPL01wxzpMqLILNxIxIOKiILz+cdg/pLnOUxFYOR5yhHU666wbw==", + "dev": true, + "license": "MIT", + "dependencies": { + "esbuild": "~0.27.0", + "get-tsconfig": "^4.7.5" + }, + "bin": { + "tsx": "dist/cli.mjs" + }, + "engines": { + "node": ">=18.0.0" + }, + "optionalDependencies": { + "fsevents": "~2.3.3" + } + }, + "node_modules/type-is": { + "version": "2.0.1", + "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz", + "integrity": "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==", + "license": "MIT", + "dependencies": { + "content-type": "^1.0.5", + "media-typer": "^1.1.0", + "mime-types": "^3.0.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/typescript": { + "version": "5.9.3", + "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz", + "integrity": 
"sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", + "dev": true, + "license": "Apache-2.0", + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=14.17" + } + }, + "node_modules/undici-types": { + "version": "6.21.0", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.21.0.tgz", + "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", + "dev": true, + "license": "MIT" + }, + "node_modules/unpipe": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz", + "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/vary": { + "version": "1.1.2", + "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz", + "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==", + "license": "MIT", + "engines": { + "node": ">= 0.8" + } + }, + "node_modules/which": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz", + "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==", + "license": "ISC", + "dependencies": { + "isexe": "^2.0.0" + }, + "bin": { + "node-which": "bin/node-which" + }, + "engines": { + "node": ">= 8" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz", + "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==", + "license": "ISC" + }, + "node_modules/zod": { + "version": "4.2.1", + "resolved": "https://registry.npmjs.org/zod/-/zod-4.2.1.tgz", + "integrity": "sha512-0wZ1IRqGGhMP76gLqz8EyfBXKk0J2qo2+H3fi4mcUP/KtTocoX08nmIAHl1Z2kJIZbZee8KOpBCSNPRgauucjw==", + 
"license": "MIT", + "peer": true, + "funding": { + "url": "https://github.com/sponsors/colinhacks" + } + }, + "node_modules/zod-to-json-schema": { + "version": "3.25.0", + "resolved": "https://registry.npmjs.org/zod-to-json-schema/-/zod-to-json-schema-3.25.0.tgz", + "integrity": "sha512-HvWtU2UG41LALjajJrML6uQejQhNJx+JBO9IflpSja4R03iNWfKXrj6W2h7ljuLyc1nKS+9yDyL/9tD1U/yBnQ==", + "license": "ISC", + "peerDependencies": { + "zod": "^3.25 || ^4" + } + } + } +}
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..78be5ff
--- /dev/null
+++ b/package.json
@@ -0,0 +1,28 @@
+{
+ "name": "vm-cloud",
+ "version": "0.0.1",
+ "description": "Hetzner ops + research documentation CLI",
+ "type": "module",
+ "bin": {
+ "vmc": "bin/vmc"
+ },
+ "scripts": {
+ "dev": "tsx src/cli.ts",
+ "build": "tsc",
+ "start": "node dist/cli.js",
+ "mcp": "tsx src/index.ts"
+ },
+ "dependencies": {
+ "@noble/ed25519": "^2.1.0",
+ "@modelcontextprotocol/sdk": "^1.0.0",
+ "@noble/hashes": "^1.4.0",
+ "commander": "^12.0.0",
+ "dotenv": "^16.0.0",
+ "json-canonicalize": "^1.0.6"
+ },
+ "devDependencies": {
+ "@types/node": "^20.0.0",
+ "typescript": "^5.0.0",
+ "tsx": "^4.0.0"
+ }
+}
diff --git a/scripts/hash-receipt.ts b/scripts/hash-receipt.ts
new file mode 100644
index 0000000..162f384
--- /dev/null
+++ b/scripts/hash-receipt.ts
@@ -0,0 +1,17 @@
+import { hashBlake3Hex, hashSha256Hex } from "../src/lib/hash.js";
+import fs from "fs";
+
+const body = JSON.parse(fs.readFileSync("outputs/receipts/test-receipt.json", "utf8"));
+const blake3 = hashBlake3Hex(body);
+const sha256 = hashSha256Hex(body);
+
+const envelope = {
+ ...body,
+ hash_alg: "blake3+sha256",
+ blake3,
+ sha256
+};
+
+fs.writeFileSync("outputs/receipts/test-receipt.json", JSON.stringify(envelope, null, 2));
+console.log("blake3:", blake3);
+console.log("sha256:", sha256);
diff --git a/src/cli.ts b/src/cli.ts
new file mode 100644
index 0000000..41ccbef
--- /dev/null
+++ b/src/cli.ts
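Review bot: `tsx` is listed only under `devDependencies`, yet the `dev` and `mcp` scripts run through it and the `bin` entry points at a wrapper (`bin/vmc`) rather than at the built `dist/cli.js`. If that wrapper also launches the TypeScript source, an install that omits dev dependencies leaves the CLI resolving `tsx` at run time, outside the versions and integrity hashes pinned in package-lock.json. For a tool that reads a cloud API token and an operator signing key, the loader should come from the lockfile. I would either move `"tsx": "^4.0.0"` into `dependencies` or point `bin` at the compiled output, `"vmc": "dist/cli.js"` (with a `#!/usr/bin/env node` first line), and keep tsx for development only.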
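Review bot: The script hashes whatever is in `outputs/receipts/test-receipt.json` and writes the envelope back to the same path, so a second run hashes a body that already contains `hash_alg`, `blake3` and `sha256`, and the stored digests then cover the old digests instead of the receipt itself. Strip the envelope fields before hashing, e.g. `const { hash_alg, blake3: _b, sha256: _s, ...body } = JSON.parse(fs.readFileSync(receiptPath, "utf8"));`, or exit with an error when `hash_alg` is already present. A header comment naming exactly which fields the two digests cover would help anyone verifying the file later; whether `hashBlake3Hex`/`hashSha256Hex` canonicalize their input is not visible in this hunk, so that should be confirmed and stated there as well.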
@@ -0,0 +1,246 @@
+import { Command } from "commander";
+import { requireHcloudToken } from "./lib/env.js";
+import { HcloudClient } from "./lib/hcloud.js";
+import { serversList } from "./commands/servers.list.js";
+import { serversAction } from "./commands/servers.action.js";
+import { serversLabels } from "./commands/servers.labels.js";
+import { applyPlan } from "./commands/apply.js";
+import { keygen } from "./commands/keygen.js";
+import { signReceipt } from "./commands/sign.receipt.js";
+import { verifyReceipt } from "./commands/verify.receipt.js";
+import { snapshotServers } from "./commands/snapshot.js";
+import { researchNew } from "./commands/research.new.js";
+import { researchAppend } from "./commands/research.append.js";
+
+const program = new Command();
+program
+ .name("vmc")
+ .description("vm-cloud: Hetzner ops + research documentation")
+ .version("0.0.1");
+
+const servers = program.command("servers").description("Server operations");
+
+servers
+ .command("list")
+ .description("List Hetzner servers")
+ .action(async () => {
+ const client = new HcloudClient(requireHcloudToken());
+ await serversList(client);
+ });
+
+servers
+ .command("reboot")
+ .description("Reboot a server by name or id")
+ .argument("", "Server name or id")
+ .option("--yes", "Confirm the action without prompting")
+ .option("--reason ", "Reason for the action (optional)")
+ .option("--force", "Break an active server lock")
+ .option("--allow-partial", "Allow partial match when using --yes")
+ .option("--dry-run", "Plan only; do not call Hetzner")
+ .option("--sign", "Sign the receipt after mutation")
+ .option("--require-sig", "Fail if signing fails or key is missing")
+ .action(
+ async (
+ nameOrId: string,
+ opts: {
+ yes?: boolean;
+ reason?: string;
+ force?: boolean;
+ allowPartial?: boolean;
+ dryRun?: boolean;
+ sign?: boolean;
+ requireSig?: boolean;
+ }
+ ) => {
+ const client = new HcloudClient(requireHcloudToken());
+ await serversAction(client, nameOrId, "reboot", opts);
+ }
+ );
+
+servers
+ .command("poweroff")
+ .description("Power off a server by name or id")
+ .argument("", "Server name or id")
+ .option("--yes", "Confirm the action without prompting")
+ .option("--reason ", "Reason for the action (optional)")
+ .option("--force", "Break an active server lock")
+ .option("--allow-partial", "Allow partial match when using --yes")
+ .option("--dry-run", "Plan only; do not call Hetzner")
+ .option("--sign", "Sign the receipt after mutation")
+ .option("--require-sig", "Fail if signing fails or key is missing")
+ .action(
+ async (
+ nameOrId: string,
+ opts: {
+ yes?: boolean;
+ reason?: string;
+ force?: boolean;
+ allowPartial?: boolean;
+ dryRun?: boolean;
+ sign?: boolean;
+ requireSig?: boolean;
+ }
+ ) => {
+ const client = new HcloudClient(requireHcloudToken());
+ await serversAction(client, nameOrId, "poweroff", opts);
+ }
+ );
+
+servers
+ .command("poweron")
+ .description("Power on a server by name or id")
+ .argument("", "Server name or id")
+ .option("--yes", "Confirm the action without prompting")
+ .option("--reason ", "Reason for the action (optional)")
+ .option("--force", "Break an active server lock")
+ .option("--allow-partial", "Allow partial match when using --yes")
+ .option("--dry-run", "Plan only; do not call Hetzner")
+ .option("--sign", "Sign the receipt after mutation")
+ .option("--require-sig", "Fail if signing fails or key is missing")
+ .action(
+ async (
+ nameOrId: string,
+ opts: {
+ yes?: boolean;
+ reason?: string;
+ force?: boolean;
+ allowPartial?: boolean;
+ dryRun?: boolean;
+ sign?: boolean;
+ requireSig?: boolean;
+ }
+ ) => {
+ const client = new HcloudClient(requireHcloudToken());
+ await serversAction(client, nameOrId, "poweron", opts);
+ }
+ );
+
+servers
+ .command("labels")
+ .description("Set labels on a server by name or id")
+ .argument("", "Server name or id")
+ .argument("", "Label pairs in key=value form")
+ .option("--yes", "Confirm the action without prompting")
+ .option("--reason ", "Reason for the action (optional)")
+ .option("--force", "Break an active server lock")
+ .option("--allow-partial", "Allow partial match when using --yes")
+ .option("--dry-run", "Plan only; do not call Hetzner")
+ .option("--sign", "Sign the receipt after mutation")
+ .option("--require-sig", "Fail if signing fails or key is missing")
+ .action(
+ async (
+ nameOrId: string,
+ labels: string[],
+ opts: {
+ yes?: boolean;
+ reason?: string;
+ force?: boolean;
+ allowPartial?: boolean;
+ dryRun?: boolean;
+ sign?: boolean;
+ requireSig?: boolean;
+ }
+ ) => {
+ const client = new HcloudClient(requireHcloudToken());
+ await serversLabels(client, nameOrId, labels, opts);
+ }
+ );
+
+program
+ .command("keygen")
+ .description("Generate an Ed25519 operator keypair")
+ .option("--force", "Overwrite existing keypair")
+ .action(async (opts: { force?: boolean }) => {
+ await keygen(opts);
+ });
+
+const sign = program.command("sign").description("Signing tools");
+
+sign
+ .command("receipt")
+ .description("Sign a receipt with the operator key")
+ .argument("", "Receipt JSON path")
+ .option("--force", "Overwrite existing signature fields")
+ .action(async (p: string, opts: { force?: boolean }) => {
+ await signReceipt(p, opts);
+ });
+
+program
+ .command("apply")
+ .description("Apply a plan file and perform the mutation")
+ .requiredOption("--plan ", "Plan file path (JSON)")
+ .option("--yes", "Confirm the action without prompting")
+ .option("--reason ", "Reason for the action (required with --yes)")
+ .option("--force", "Break an active server lock")
+ .option("--allow-partial", "Allow partial match when using --yes")
+ .option("--sign", "Sign the receipt after mutation")
+ .option("--require-sig", "Fail if signing fails or key is missing")
+ .action(
+ async (
+ opts: {
+ plan: string;
+ yes?: boolean;
+ reason?: string;
+ force?: boolean;
+ allowPartial?: boolean;
+ sign?: boolean;
+ requireSig?: boolean;
+ }
+ ) => {
+ const client = new HcloudClient(requireHcloudToken());
+ await applyPlan(client, opts.plan, opts);
+ }
+ );
+
+program
+ .command("snapshot")
+ .description("Write snapshots to outputs/")
+ .command("servers")
+ .description("Snapshot Hetzner servers JSON")
+ .action(async () => {
+ const client = new HcloudClient(requireHcloudToken());
+ await snapshotServers(client);
+ });
+
+const research = program
+ .command("research")
+ .description("Research documentation helpers");
+
+research
+ .command("new")
+ .argument("", "Title for the note")
+ .action((title: string) => {
+ researchNew(title);
+ });
+
+research
+ .command("append")
+ .requiredOption("--from <path>", "Snapshot path (JSON)")
+ .option("--note <path>", "Specific note path (optional)")
+ .action((opts: { from: string; note?: string }) => {
+ researchAppend(opts.from, opts.note);
+ });
+
+const verify = program.command("verify").description("Verification tools");
+
+verify
+ .command("receipt")
+ .description("Verify a receipt file and optional plan/head linkage")
+ .argument("<path>", "Receipt JSON path")
+ .option("--head", "If receipt matches HEAD.file, validate HEAD.blake3 too")
+ .option("--plan", "If receipt references a plan file, verify its hashes too")
+ .option("--sig", "Verify the Ed25519 signature on the receipt")
+ .action(
+ async (p: string, opts: { head?: boolean; plan?: boolean; sig?: boolean }) => {
+ await verifyReceipt(p, opts);
+ }
+ );
+
+program.parseAsync(process.argv).catch((err) => {
+ console.error(err?.message ?? err);
+ const exitCode =
+ typeof (err as { exitCode?: number })?.exitCode === "number"
+ ? (err as { exitCode?: number }).exitCode
+ : 1;
+ process.exit(exitCode);
+});
diff --git a/src/commands/apply.ts b/src/commands/apply.ts
new file mode 100644
index 0000000..c782108
--- /dev/null
+++ b/src/commands/apply.ts
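Review bot: The help text for `--reason` disagrees between commands: `servers reboot`, `poweroff`, `poweron` and `labels` describe it as "(optional)" while `apply` says "(required with --yes)", and nothing in this file enforces either rule. Any check would have to live in the command modules, which this hunk does not show. For unattended mutations that end in a receipt, the rule should be the same on every mutating command, so I would use the description `"Reason for the action (required with --yes)"` everywhere and reject `--yes` without `--reason` before the client is constructed. The seven-option block is also repeated verbatim on four commands; registering it through one shared helper would keep the safety flags (`--yes`, `--force`, `--allow-partial`, `--require-sig`) from drifting apart the same way.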
@@ -0,0 +1,190 @@
+import fs from "node:fs";
+import path from "node:path";
+import { HcloudClient } from "../lib/hcloud.js";
+import { requireConfirmation } from "../lib/confirm.js";
+import { readPrivateKey } from "../lib/keys.js";
+import { acquireServerLock } from "../lib/lock.js";
+import { hashBlake3Hex, hashSha256Hex } from "../lib/hash.js";
+import {
+ readPlan,
+ resolvePlanPath,
+ type PlanAction,
+ type PlanMatch,
+ type ServerPlan
+} from "../lib/plan.js";
+import { writeReceipt } from "../lib/receipt.js";
+import { signReceiptFile } from "../lib/signature.js";
+
+const ACTIONS: PlanAction[] = ["poweron", "poweroff", "reboot", "labels"];
+const MATCHES: PlanMatch[] = ["id", "exact", "partial"];
+
+function planError(message: string): never {
+ const err = new Error(message);
+ (err as { exitCode?: number }).exitCode = 4;
+ throw err;
+}
+
+function validatePlan(plan: ServerPlan) {
+ if (plan.plan_version !== "1") {
+ planError(`Unsupported plan_version: ${String(plan.plan_version)}`);
+ }
+ if (!plan.created_at || Number.isNaN(Date.parse(plan.created_at))) {
+ planError("Plan created_at is missing or invalid.");
+ }
+ if (!ACTIONS.includes(plan.action)) {
+ planError(`Unsupported action: ${String(plan.action)}`);
+ }
+ if (!plan.server || typeof plan.server.id !== "number" || !plan.server.name) {
+ planError("Plan server id/name is missing or invalid.");
+ }
+ if (!MATCHES.includes(plan.match)) {
+ planError(`Unsupported match type: ${String(plan.match)}`);
+ }
+ if (!plan.request?.method || !plan.request?.path) {
+ planError("Plan request method/path is missing.");
+ }
+ if (plan.applied !== false) {
+ planError("Plan must have applied=false.");
+ }
+}
+
+export async function applyPlan(
+ client: HcloudClient,
+ planPath: string,
+ opts: {
+ yes?: boolean;
+ reason?: string;
+ force?: boolean;
+ allowPartial?: boolean;
+ sign?: boolean;
+ requireSig?: boolean;
+ } = {}
+) {
+ const absPlan = resolvePlanPath(planPath);
+ if (!fs.existsSync(absPlan)) {
+ throw new Error(`Plan not found: ${absPlan}`);
+ }
+
+ const plan = readPlan(absPlan);
+ const plan_sha256 = hashSha256Hex(plan);
+ const plan_blake3 = hashBlake3Hex(plan);
+ validatePlan(plan);
+
+ if (plan.match === "partial" && opts.yes && !opts.allowPartial) {
+ planError("Plan was created from a partial match. Use --allow-partial.");
+ }
+
+ const reasonRaw = opts.reason?.trim();
+ if (opts.yes && !reasonRaw) {
+ const err = new Error("Reason is required when using --yes.");
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+
+ const expectedPath =
+ plan.action === "labels"
+ ? `/servers/${plan.server.id}`
+ : `/servers/${plan.server.id}/actions/${plan.action}`;
+ const expectedMethod = plan.action === "labels" ? "PUT" : "POST";
+ if (plan.request.path !== expectedPath || plan.request.method !== expectedMethod) {
+ planError("Plan request does not match the expected action path/method.");
+ }
+
+ if (plan.action === "labels") {
+ const body = plan.request.body as { labels?: Record<string, string> } | undefined;
+ if (!body?.labels || typeof body.labels !== "object") {
+ planError("Plan labels body is missing or invalid.");
+ }
+ }
+
+ const servers = await client.listServers();
+ const server = servers.find((s) => s.id === plan.server.id);
+ if (!server) {
+ planError(`Server id ${plan.server.id} not found.`);
+ }
+ if (server.name !== plan.server.name) {
+ planError(
+ `Server name mismatch for id ${plan.server.id}: expected ${plan.server.name}, got ${server.name}`
+ );
+ }
+
+ if (opts.requireSig) {
+ try {
+ readPrivateKey();
+ } catch (err) {
+ const msg = err instanceof Error ? err.message : String(err);
+ const requireErr = new Error(`Signing key required: ${msg}`);
+ (requireErr as { exitCode?: number }).exitCode = 7;
+ throw requireErr;
+ }
+ }
+
+ const lock = acquireServerLock(server.id, { force: opts.force });
+ const plan_file = path.relative(process.cwd(), absPlan) || absPlan;
+ try {
+ const reason = reasonRaw || plan.reason || "unspecified";
+ await requireConfirmation({
+ action: plan.action,
+ server: { id: server.id, name: server.name, ip: server.public_net?.ipv4?.ip },
+ reason,
+ yes: opts.yes,
+ match: plan.match
+ });
+
+ let response;
+ if (plan.action === "labels") {
+ const body = plan.request.body as { labels: Record<string, string> };
+ response = await client.updateServerLabels(server.id, body.labels);
+ } else {
+ response = await client.powerAction(server.id, plan.action);
+ }
+
+ const receipt = writeReceipt({
+ action: plan.action,
+ reason,
+ server: { id: server.id, name: server.name, ip: server.public_net?.ipv4?.ip },
+ request: {
+ method: plan.request.method,
+ path: plan.request.path,
+ body: plan.request.body
+ },
+ response: {
+ status: response.status,
+ ok: response.ok,
+ data: response.data,
+ raw: response.raw
+ },
+ plan: { file: plan_file, sha256: plan_sha256, blake3: plan_blake3 },
+ lock: { file: lock.file, started_at: lock.info.started_at, force: opts.force }
+ });
+
+ if (!response.ok) {
+ throw new Error(
+ `Hetzner API error ${response.status}. Receipt: ${receipt.file}`
+ );
+ }
+
+ const mustSign = Boolean(opts.sign || opts.requireSig);
+ if (mustSign) {
+ try {
+ const signed = await signReceiptFile(receipt.file);
+ console.log(`Signed: ${signed.file} signer_kid=${signed.signer_kid}`);
+ } catch (err) {
+ const msg = err instanceof Error ? err.message : String(err);
+ if (opts.requireSig) {
+ const signErr = new Error(`Receipt signing failed: ${msg}`);
+ (signErr as { exitCode?: number }).exitCode = 7;
+ throw signErr;
+ }
+ console.warn(`WARN: receipt signing failed: ${msg}`);
+ }
+ }
+
+ console.log(
+ `OK ${plan.action} ${server.name} (id=${server.id}) receipt=${receipt.file} blake3=${receipt.blake3} sha256=${receipt.sha256}`
+ );
+ return response.data;
+ } finally {
+ lock.release();
+ }
+}
diff --git a/src/commands/keygen.ts b/src/commands/keygen.ts
new file mode 100644
index 0000000..79ef459
--- /dev/null
+++ b/src/commands/keygen.ts
@@ -0,0 +1,8 @@
+import { generateKeypair } from "../lib/keys.js";
+
+export async function keygen(opts: { force?: boolean } = {}) {
+ const { privateKeyPath, publicKeyPath, publicKey } = await generateKeypair(opts);
+ console.log(`Private key: ${privateKeyPath}`);
+ console.log(`Public key: ${publicKeyPath}`);
+ console.log(`Public key (hex): ${publicKey}`);
+}
diff --git a/src/commands/research.append.ts b/src/commands/research.append.ts
new file mode 100644
index 0000000..f0a9e86
--- /dev/null
+++ b/src/commands/research.append.ts
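Review bot: `validatePlan` insists on `applied=false`, but nothing in `applyPlan` records that a plan has been applied, so the same plan file passes validation again on the next run and the mutation can be replayed. `created_at` is only checked for being parseable, so an arbitrarily old plan is also accepted as long as the server id and name still match. I would reject stale plans in `validatePlan`, e.g. `if (Date.now() - Date.parse(plan.created_at) > MAX_PLAN_AGE_MS) planError("Plan is too old; re-run --dry-run.");` with `MAX_PLAN_AGE_MS` as a new constant, and mark or move the plan file once the receipt is written (unless `readPlan` or `writeReceipt`, which are outside this hunk, already do that).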
@@ -0,0 +1,83 @@
+import fs from "node:fs";
+import path from "node:path";
+import crypto from "node:crypto";
+import { appendToResearchNote } from "../lib/report.js";
+import type { HetznerServer } from "../lib/hcloud.js";
+
+type Snapshot = {
+ generated_at?: string;
+ servers?: HetznerServer[];
+};
+
+function sha256File(p: string) {
+ const buf = fs.readFileSync(p);
+ return crypto.createHash("sha256").update(buf).digest("hex");
+}
+
+function latestResearchNote(dir: string) {
+ if (!fs.existsSync(dir)) throw new Error(`Missing research dir: ${dir}`);
+ const files = fs
+ .readdirSync(dir)
+ .filter((f) => f.endsWith(".md"))
+ .sort();
+ if (files.length === 0) {
+ throw new Error(`No research notes found in: ${dir}`);
+ }
+ return path.join(dir, files[files.length - 1]);
+}
+
+function renderServersTable(servers: HetznerServer[]) {
+ const rows = servers.map((s) => ({
+ name: s.name ?? "—",
+ ip: s.public_net?.ipv4?.ip ?? "—",
+ status: s.status ?? "—",
+ type: s.server_type?.name ?? "—",
+ location: s.datacenter?.location?.city ?? "—",
+ created: (s.created ?? "—").slice(0, 16).replace("T", " ")
+ }));
+
+ const header = `| Server | IP | Status | Type | Location | Created |
+|---|---|---|---|---|---|`;
+
+ const body = rows
+ .map(
+ (r) =>
+ `| ${r.name} | ${r.ip} | ${r.status} | ${r.type} | ${r.location} | ${r.created} |`
+ )
+ .join("\n");
+
+ return rows.length ? `${header}\n${body}` : `${header}\n| — | — | — | — | — | — |`;
+}
+
+export function researchAppend(fromPath: string, notePath?: string) {
+ const absFrom = path.isAbsolute(fromPath)
+ ? fromPath
+ : path.join(process.cwd(), fromPath);
+ if (!fs.existsSync(absFrom)) {
+ throw new Error(`Snapshot not found: ${absFrom}`);
+ }
+
+ const researchDir = path.join(process.cwd(), "docs", "research");
+ const targetNote = notePath
+ ? path.isAbsolute(notePath)
+ ? notePath
+ : path.join(process.cwd(), notePath)
+ : latestResearchNote(researchDir);
+
+ const sha = sha256File(absFrom);
+ const snap = JSON.parse(fs.readFileSync(absFrom, "utf8")) as Snapshot;
+
+ const servers = snap.servers ?? [];
+ const table = renderServersTable(servers);
+ const relFrom = path.relative(process.cwd(), absFrom) || absFrom;
+
+ const md = `- Source: \`${relFrom}\`
+- Generated: ${snap.generated_at ?? "—"}
+- SHA256: \`${sha}\`
+
+${table}`;
+
+ appendToResearchNote(targetNote, md);
+ console.log(`Appended to: ${targetNote}`);
+ console.log(`SHA256: ${sha}`);
+}
diff --git a/src/commands/research.new.ts b/src/commands/research.new.ts
new file mode 100644
index 0000000..95e69e6
--- /dev/null
+++ b/src/commands/research.new.ts
@@ -0,0 +1,9 @@
+import path from "node:path";
+import { createResearchNote } from "../lib/report.js";
+
+export function researchNew(title: string) {
+ const dir = path.join(process.cwd(), "docs", "research");
+ const file = createResearchNote(dir, title);
+ console.log(`Research note: ${file}`);
+ return file;
+}
diff --git a/src/commands/servers.action.ts b/src/commands/servers.action.ts
new file mode 100644
index 0000000..25edc32
--- /dev/null
+++ b/src/commands/servers.action.ts
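Review bot: In `researchAppend` the snapshot is read twice, once by `sha256File(absFrom)` and again by `fs.readFileSync(absFrom, "utf8")` for `JSON.parse`, so the SHA256 written into the note is not guaranteed to describe the bytes that were rendered if the file changes in between. Read it once and derive both from the same buffer: `const buf = fs.readFileSync(absFrom);`, then `crypto.createHash("sha256").update(buf).digest("hex")` and `JSON.parse(buf.toString("utf8"))`. Separately, `renderServersTable` interpolates `name`, `status` and the other fields into Markdown cells unescaped, so a `|` or a newline in a snapshot value breaks the evidence table; escaping `|` before interpolation keeps it well-formed.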
@@ -0,0 +1,150 @@
+import { HcloudClient } from "../lib/hcloud.js";
+import { requireConfirmation } from "../lib/confirm.js";
+import { readPrivateKey } from "../lib/keys.js";
+import { acquireServerLock } from "../lib/lock.js";
+import { writePlan } from "../lib/plan.js";
+import { writeReceipt } from "../lib/receipt.js";
+import { signReceiptFile } from "../lib/signature.js";
+import { resolveServer } from "../lib/resolve.js";
+
+export async function serversAction(
+ client: HcloudClient,
+ input: string,
+ action: "poweron" | "poweroff" | "reboot",
+ opts: {
+ yes?: boolean;
+ reason?: string;
+ force?: boolean;
+ allowPartial?: boolean;
+ dryRun?: boolean;
+ sign?: boolean;
+ requireSig?: boolean;
+ } = {}
+) {
+ const { server, match } = await resolveServer(client, input);
+ if (match === "partial") {
+ console.warn(
+ `Partial match: "${input}" resolved to ${server.name} (${server.id})`
+ );
+ }
+
+ if (match === "partial" && opts.yes && !opts.allowPartial) {
+ const err = new Error(
+ `Partial match for "${input}". Use --allow-partial to proceed.`
+ );
+ (err as { exitCode?: number }).exitCode = 4;
+ throw err;
+ }
+
+ const reasonRaw = opts.reason?.trim();
+ if (!opts.dryRun && opts.yes && !reasonRaw) {
+ const err = new Error("Reason is required when using --yes.");
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+
+ const path = `/servers/${server.id}/actions/${action}`;
+ if (opts.dryRun) {
+ if (opts.sign || opts.requireSig) {
+ const err = new Error("Cannot sign receipts during --dry-run.");
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+ const plan = {
+ plan_version: "1",
+ created_at: new Date().toISOString(),
+ action,
+ server: {
+ id: server.id,
+ name: server.name,
+ ip: server.public_net?.ipv4?.ip
+ },
+ match,
+ request: { method: "POST", path },
+ reason: reasonRaw,
+ applied: false
+ } as const;
+ const { file, sha256, blake3 } = writePlan(plan);
+ console.log(`Resolved: ${server.name} (id=${server.id}) match=${match}`);
+ console.log(`Request: POST ${path}`);
+ console.log(`Plan: ${file}`);
+ console.log(`BLAKE3: ${blake3}`);
+ console.log(`SHA256: ${sha256}`);
+ return plan;
+ }
+
+ if (opts.requireSig) {
+ try {
+ readPrivateKey();
+ } catch (err) {
+ const msg = err instanceof Error ? err.message : String(err);
+ const requireErr = new Error(`Signing key required: ${msg}`);
+ (requireErr as { exitCode?: number }).exitCode = 7;
+ throw requireErr;
+ }
+ }
+
+ const lock = acquireServerLock(server.id, { force: opts.force });
+ try {
+ const reason = reasonRaw || "unspecified";
+ await requireConfirmation({
+ action,
+ server: {
+ id: server.id,
+ name: server.name,
+ ip: server.public_net?.ipv4?.ip
+ },
+ reason,
+ yes: opts.yes,
+ match
+ });
+
+ const response = await client.powerAction(server.id, action);
+ const receipt = writeReceipt({
+ action,
+ reason,
+ server: {
+ id: server.id,
+ name: server.name,
+ ip: server.public_net?.ipv4?.ip
+ },
+ request: { method: "POST", path },
+ response: {
+ status: response.status,
+ ok: response.ok,
+ data: response.data,
+ raw: response.raw
+ },
+ lock: { file: lock.file, started_at: lock.info.started_at, force: opts.force }
+ });
+
+ if (!response.ok) {
+ throw new Error(
+ `Hetzner API error ${response.status}. Receipt: ${receipt.file}`
+ );
+ }
+
+ const mustSign = Boolean(opts.sign || opts.requireSig);
+ if (mustSign) {
+ try {
+ const signed = await signReceiptFile(receipt.file);
+ console.log(`Signed: ${signed.file} signer_kid=${signed.signer_kid}`);
+ } catch (err) {
+ const msg = err instanceof Error ? err.message : String(err);
+ if (opts.requireSig) {
+ const signErr = new Error(`Receipt signing failed: ${msg}`);
+ (signErr as { exitCode?: number }).exitCode = 7;
+ throw signErr;
+ }
+ console.warn(`WARN: receipt signing failed: ${msg}`);
+ }
+ }
+
+ console.log(
+ `OK ${action} ${server.name} (id=${server.id}) receipt=${receipt.file} blake3=${receipt.blake3} sha256=${receipt.sha256}`
+ );
+ return response.data;
+ } finally {
+ lock.release();
+ }
+}
diff --git a/src/commands/servers.labels.ts b/src/commands/servers.labels.ts
new file mode 100644
index 0000000..ab1d05d
--- /dev/null
+++ b/src/commands/servers.labels.ts
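Review bot: In `serversAction` the `if (!response.ok) throw` sits before the signing block, so a failed Hetzner call leaves an unsigned receipt even when `--require-sig` was given. Failed mutations are arguably the receipts an auditor most wants attested, and `verify receipt --sig` rejects them for missing signature fields. Consider signing right after `writeReceipt(...)` and only then throwing on `!response.ok`; the same ordering is in `serversLabels` (src/commands/servers.labels.ts) and `applyPlan` (src/commands/apply.ts). The sign/require-sig block is also copied verbatim into all three files and would be easier to keep consistent as one shared helper.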
@@ -0,0 +1,175 @@
+import { HcloudClient } from "../lib/hcloud.js";
+import { requireConfirmation } from "../lib/confirm.js";
+import { readPrivateKey } from "../lib/keys.js";
+import { acquireServerLock } from "../lib/lock.js";
+import { writePlan } from "../lib/plan.js";
+import { writeReceipt } from "../lib/receipt.js";
+import { signReceiptFile } from "../lib/signature.js";
+import { resolveServer } from "../lib/resolve.js";
+
+function parseLabels(args: string[]) {
+ if (!args.length) {
+ throw new Error("At least one label in key=value form is required");
+ }
+
+ const labels: Record<string, string> = {};
+ for (const raw of args) {
+ const idx = raw.indexOf("=");
+ if (idx <= 0 || idx === raw.length - 1) {
+ throw new Error(`Invalid label "${raw}". Use key=value`);
+ }
+ const key = raw.slice(0, idx).trim();
+ const value = raw.slice(idx + 1).trim();
+ if (!key || !value) {
+ throw new Error(`Invalid label "${raw}". Use key=value`);
+ }
+ labels[key] = value;
+ }
+ return labels;
+}
+
+export async function serversLabels(
+ client: HcloudClient,
+ input: string,
+ args: string[],
+ opts: {
+ yes?: boolean;
+ reason?: string;
+ force?: boolean;
+ allowPartial?: boolean;
+ dryRun?: boolean;
+ sign?: boolean;
+ requireSig?: boolean;
+ } = {}
+) {
+ const { server, match } = await resolveServer(client, input);
+ if (match === "partial") {
+ console.warn(
+ `Partial match: "${input}" resolved to ${server.name} (${server.id})`
+ );
+ }
+
+ if (match === "partial" && opts.yes && !opts.allowPartial) {
+ const err = new Error(
+ `Partial match for "${input}". Use --allow-partial to proceed.`
+ );
+ (err as { exitCode?: number }).exitCode = 4;
+ throw err;
+ }
+
+ const reasonRaw = opts.reason?.trim();
+ if (!opts.dryRun && opts.yes && !reasonRaw) {
+ const err = new Error("Reason is required when using --yes.");
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+
+ const labels = parseLabels(args);
+ const next = { ...(server.labels ?? {}), ...labels };
+ const path = `/servers/${server.id}`;
+
+ if (opts.dryRun) {
+ if (opts.sign || opts.requireSig) {
+ const err = new Error("Cannot sign receipts during --dry-run.");
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+ const plan = {
+ plan_version: "1",
+ created_at: new Date().toISOString(),
+ action: "labels",
+ server: {
+ id: server.id,
+ name: server.name,
+ ip: server.public_net?.ipv4?.ip
+ },
+ match,
+ request: { method: "PUT", path, body: { labels: next } },
+ reason: reasonRaw,
+ applied: false
+ } as const;
+ const { file, sha256, blake3 } = writePlan(plan);
+ console.log(`Resolved: ${server.name} (id=${server.id}) match=${match}`);
+ console.log(`Request: PUT ${path}`);
+ console.log(JSON.stringify({ labels: next }, null, 2));
+ console.log(`Plan: ${file}`);
+ console.log(`BLAKE3: ${blake3}`);
+ console.log(`SHA256: ${sha256}`);
+ return plan;
+ }
+
+ if (opts.requireSig) {
+ try {
+ readPrivateKey();
+ } catch (err) {
+ const msg = err instanceof Error ? err.message : String(err);
+ const requireErr = new Error(`Signing key required: ${msg}`);
+ (requireErr as { exitCode?: number }).exitCode = 7;
+ throw requireErr;
+ }
+ }
+
+ const lock = acquireServerLock(server.id, { force: opts.force });
+ try {
+ const reason = reasonRaw || "unspecified";
+ await requireConfirmation({
+ action: "labels",
+ server: {
+ id: server.id,
+ name: server.name,
+ ip: server.public_net?.ipv4?.ip
+ },
+ reason,
+ yes: opts.yes,
+ match
+ });
+
+ const response = await client.updateServerLabels(server.id, next);
+ const receipt = writeReceipt({
+ action: "labels",
+ reason,
+ server: {
+ id: server.id,
+ name: server.name,
+ ip: server.public_net?.ipv4?.ip
+ },
+ request: { method: "PUT", path, body: { labels: next } },
+ response: {
+ status: response.status,
+ ok: response.ok,
+ data: response.data,
+ raw: response.raw
+ },
+ lock: { file: lock.file, started_at: lock.info.started_at, force: opts.force }
+ });
+
+ if (!response.ok) {
+ throw new Error(
+ `Hetzner API error ${response.status}. Receipt: ${receipt.file}`
+ );
+ }
+
+ const mustSign = Boolean(opts.sign || opts.requireSig);
+ if (mustSign) {
+ try {
+ const signed = await signReceiptFile(receipt.file);
+ console.log(`Signed: ${signed.file} signer_kid=${signed.signer_kid}`);
+ } catch (err) {
+ const msg = err instanceof Error ? err.message : String(err);
+ if (opts.requireSig) {
+ const signErr = new Error(`Receipt signing failed: ${msg}`);
+ (signErr as { exitCode?: number }).exitCode = 7;
+ throw signErr;
+ }
+ console.warn(`WARN: receipt signing failed: ${msg}`);
+ }
+ }
+
+ console.log(
+ `OK labels ${server.name} (id=${server.id}) receipt=${receipt.file} blake3=${receipt.blake3} sha256=${receipt.sha256}`
+ );
+ return response.data;
+ } finally {
+ lock.release();
+ }
+}
diff --git a/src/commands/servers.list.ts b/src/commands/servers.list.ts
new file mode 100644
index 0000000..3650727
--- /dev/null
+++ b/src/commands/servers.list.ts
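Review bot: `next` is built from `server.labels` as returned by `resolveServer`, which runs before `acquireServerLock`, and the PUT sends the whole merged map. Any label change made between the resolve and the request is silently overwritten, and a `--dry-run` plan makes the window as long as the plan sits on disk because it stores `body: { labels: next }`. Re-reading the server after the lock is taken and merging there would narrow the window; for plans, storing only the requested keys and merging at apply time avoids baking in a stale snapshot. `parseLabels` also writes user-supplied keys into a plain `{}`, so a key such as `__proto__` does not end up as an own property; `const labels: Record<string, string> = Object.create(null);` avoids that.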
@@ -0,0 +1,44 @@
+import { HcloudClient } from "../lib/hcloud.js";
+
+function pad(s: string, n: number) {
+ return s.length >= n ? s.slice(0, n) : s + " ".repeat(n - s.length);
+}
+
+export async function serversList(client: HcloudClient) {
+ const servers = await client.listServers();
+
+ const rows = servers.map((s) => ({
+ name: s.name,
+ ip: s.public_net?.ipv4?.ip ?? "—",
+ status: s.status,
+ type: s.server_type?.name ?? "—",
+ location: s.datacenter?.location?.city ?? "—",
+ created: s.created?.slice(0, 16).replace("T", " ") ?? "—"
+ }));
+
+ const header = [
+ pad("Server", 18),
+ pad("IP", 16),
+ pad("Status", 10),
+ pad("Type", 12),
+ pad("Location", 14),
+ "Created"
+ ].join(" ");
+
+ console.log(header);
+ console.log("-".repeat(header.length));
+ for (const r of rows) {
+ console.log(
+ [
+ pad(r.name, 18),
+ pad(String(r.ip), 16),
+ pad(r.status, 10),
+ pad(r.type, 12),
+ pad(r.location, 14),
+ r.created
+ ].join(" ")
+ );
+ }
+
+ return rows;
+}
diff --git a/src/commands/sign.receipt.ts b/src/commands/sign.receipt.ts
new file mode 100644
index 0000000..c5c0566
--- /dev/null
+++ b/src/commands/sign.receipt.ts
@@ -0,0 +1,12 @@
+import { signReceiptFile } from "../lib/signature.js";
+
+export async function signReceipt(
+ receiptPath: string,
+ opts: { force?: boolean } = {}
+) {
+ const signed = await signReceiptFile(receiptPath, opts);
+ console.log("OK receipt signed");
+ console.log(`file: ${signed.file}`);
+ console.log(`signer_pub: ${signed.signer_pub}`);
+ console.log(`signer_kid: ${signed.signer_kid}`);
+}
diff --git a/src/commands/snapshot.ts b/src/commands/snapshot.ts
new file mode 100644
index 0000000..e821613
--- /dev/null
+++ b/src/commands/snapshot.ts
@@ -0,0 +1,17 @@
+import path from "node:path";
+import { HcloudClient } from "../lib/hcloud.js";
+import { nowStamp, writeJsonSnapshot } from "../lib/report.js";
+
+export async function snapshotServers(client: HcloudClient) {
+ const servers = await client.listServers();
+ const { stamp } = nowStamp();
+ const outDir = path.join(process.cwd(), "outputs", "hetzner");
+ const name = `servers-${stamp}.json`;
+ const snap = writeJsonSnapshot(outDir, name, {
+ generated_at: new Date().toISOString(),
+ servers
+ });
+ console.log(`Saved: ${snap.file}`);
+ console.log(`SHA256: ${snap.sha}`);
+ return snap;
+}
diff --git a/src/commands/verify.receipt.ts b/src/commands/verify.receipt.ts
new file mode 100644
index 0000000..69dd217
--- /dev/null
+++ b/src/commands/verify.receipt.ts
@@ -0,0 +1,172 @@
+import fs from "node:fs";
+import path from "node:path";
+import { hashBlake3Hex, hashSha256Hex } from "../lib/hash.js";
+import { readHead } from "../lib/ledger.js";
+import { keyIdFromPublicHex, verifyMessage } from "../lib/keys.js";
+
+type ReceiptEnvelope = {
+ receipt_version: "1";
+ created_at: string;
+ cwd: string;
+ user: string;
+ hostname: string;
+ argv: string[];
+ reason: string;
+ lock_file: string | null;
+ lock_started_at: string | null;
+ force: boolean;
+ plan_file: string | null;
+ plan_sha256: string | null;
+ plan_blake3: string | null;
+ target: { id: number; name: string; ip?: string | null };
+ request: unknown;
+ response: unknown;
+ prev_blake3: string | null;
+ hash_alg: "blake3+sha256";
+ blake3: string;
+ sha256: string;
+ sig_alg?: "ed25519";
+ signer_pub?: string;
+ signer_kid?: string;
+ signed_at?: string;
+ signature?: string;
+};
+
+type ReceiptBody = Omit<ReceiptEnvelope, "hash_alg" | "blake3" | "sha256">;
+
+function mustExist(p: string, label: string) {
+ if (!fs.existsSync(p)) {
+ const err = new Error(`${label} not found: ${p}`);
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+}
+
+function stripHashes(env: ReceiptEnvelope): ReceiptBody {
+ const {
+ hash_alg: _hash_alg,
+ blake3: _blake3,
+ sha256: _sha256,
+ sig_alg: _sig_alg,
+ signer_pub: _signer_pub,
+ signer_kid: _signer_kid,
+ signed_at: _signed_at,
+ signature: _signature,
+ ...body
+ } = env;
+ return body;
+}
+
+export async function verifyReceipt(
+ receiptPath: string,
+ opts: { head?: boolean; plan?: boolean; sig?: boolean } = {}
+) {
+ const abs = path.resolve(receiptPath);
+ mustExist(abs, "Receipt");
+
+ const raw = fs.readFileSync(abs, "utf8");
+ let env: ReceiptEnvelope;
+ try {
+ env = JSON.parse(raw) as ReceiptEnvelope;
+ } catch {
+ const err = new Error("Receipt is not valid JSON");
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+
+ if (env.hash_alg !== "blake3+sha256" || !env.blake3 || !env.sha256) {
+ const err = new Error(
+ "Receipt missing required hash fields (hash_alg/blake3/sha256)"
+ );
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+
+ const body = stripHashes(env);
+ const blake3 = hashBlake3Hex(body);
+ const sha256 = hashSha256Hex(body);
+
+ const failures: string[] = [];
+ if (blake3 !== env.blake3) {
+ failures.push(`BLAKE3 mismatch (expected ${env.blake3}, got ${blake3})`);
+ }
+ if (sha256 !== env.sha256) {
+ failures.push(`SHA256 mismatch (expected ${env.sha256}, got ${sha256})`);
+ }
+
+ if (opts.plan && env.plan_file) {
+ const planAbs = path.isAbsolute(env.plan_file)
+ ? env.plan_file
+ : path.join(process.cwd(), env.plan_file);
+ try {
+ mustExist(planAbs, "Plan file referenced by receipt");
+ const planRaw = fs.readFileSync(planAbs, "utf8");
+ const planObj = JSON.parse(planRaw) as unknown;
+ const planSha = hashSha256Hex(planObj);
+ const planB3 = hashBlake3Hex(planObj);
+ if (!env.plan_sha256 || !env.plan_blake3) {
+ failures.push("Receipt is missing plan hash fields");
+ } else {
+ if (env.plan_sha256 !== planSha) {
+ failures.push(
+ `Plan SHA256 mismatch (expected ${env.plan_sha256}, got ${planSha})`
+ );
+ }
+ if (env.plan_blake3 !== planB3) {
+ failures.push(
+ `Plan BLAKE3 mismatch (expected ${env.plan_blake3}, got ${planB3})`
+ );
+ }
+ }
+ } catch (err) {
+ const msg = err instanceof Error ? err.message : String(err);
+ failures.push(msg);
+ }
+ }
+
+ if (opts.head) {
+ const head = readHead();
+ if (!head) {
+ failures.push("HEAD.json missing");
+ } else {
+ const rel = path.relative(process.cwd(), abs) || abs;
+ if (head.file === rel && head.blake3 !== env.blake3) {
+ failures.push(
+ `HEAD blake3 mismatch (HEAD=${head.blake3}, receipt=${env.blake3})`
+ );
+ }
+ }
+ }
+
+ if (opts.sig) {
+ if (!env.signature || !env.signer_pub || env.sig_alg !== "ed25519") {
+ const err = new Error("Receipt signature fields missing or invalid");
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+ const msg = new TextEncoder().encode(env.blake3);
+ const ok = await verifyMessage(msg, env.signature, env.signer_pub);
+ if (!ok) failures.push("Signature verification failed");
+ if (env.signer_kid) {
+ const kid = keyIdFromPublicHex(env.signer_pub);
+ if (env.signer_kid !== kid) {
+ failures.push(
+ `Signer key id mismatch (expected ${env.signer_kid}, got ${kid})`
+ );
+ }
+ }
+ }
+
+ if (failures.length) {
+ const err = new Error("Receipt verification failed:\n- " + failures.join("\n- "));
+ (err as { exitCode?: number }).exitCode = 5;
+ throw err;
+ }
+
+ console.log("OK receipt verified");
+ console.log(`file: ${abs}`);
+ console.log(`blake3: ${env.blake3}`);
+ console.log(`sha256: ${env.sha256}`);
+ if (env.prev_blake3) console.log(`prev_blake3: ${env.prev_blake3}`);
+ if (env.plan_file) console.log(`plan: ${env.plan_file}`);
+}
diff --git a/src/index.ts b/src/index.ts
new file mode 100644
index 0000000..a72ddff
--- /dev/null
+++ b/src/index.ts
@@ -0,0 +1,6 @@
+import { startMcpServer } from "./mcp/server.js";
+
+startMcpServer().catch((e) => {
+ console.error(e);
+ process.exit(1);
+});
diff --git a/src/lib/confirm.ts b/src/lib/confirm.ts
new file mode 100644
index 0000000..514e5c2
--- /dev/null
+++ b/src/lib/confirm.ts
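Review bot: With `--sig`, `verifyReceipt` checks the signature against `env.signer_pub`, a value read from the receipt being verified, and `signer_kid` is only compared with a hash of that same value. A receipt that was rewritten and re-signed with any other key therefore still verifies, because nothing ties the signer to a key the verifier trusts. Compare the embedded key with a trusted one before accepting it, for example the operator key that `readPublicKey()` in src/lib/keys.ts loads or a locally configured allowlist of key ids: `if (!trustedKids.has(keyIdFromPublicHex(env.signer_pub))) failures.push("Signer key is not trusted");`, where `trustedKids` is a new set. The `--head` branch has a similar gap: when `head.file !== rel` it records nothing, so `--head` passes for any receipt that is not the current head.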
@@ -0,0 +1,38 @@
+import readline from "node:readline/promises";
+
+export async function requireConfirmation(opts: {
+ action: string;
+ server: { id: number; name: string; ip?: string | null };
+ reason?: string;
+ yes?: boolean;
+ match?: "id" | "exact" | "partial";
+}) {
+ if (opts.yes) return;
+
+ if (!process.stdin.isTTY) {
+ const err = new Error("Confirmation required. Re-run with --yes.");
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+
+ const reason = opts.reason?.trim() || "unspecified";
+ const ip = opts.server.ip ? `, ip=${opts.server.ip}` : "";
+ const matchNote = opts.match === "partial" ? " [partial match]" : "";
+ const prompt = `Confirm ${opts.action}${matchNote} on ${opts.server.name} (id=${opts.server.id}${ip}) reason=\"${reason}\"? [y/N] `;
+
+ const rl = readline.createInterface({
+ input: process.stdin,
+ output: process.stdout
+ });
+
+ try {
+ const answer = await rl.question(prompt);
+ if (!/^y(es)?$/i.test(answer.trim())) {
+ const err = new Error("Confirmation declined.");
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+ } finally {
+ rl.close();
+ }
+}
diff --git a/src/lib/env.ts b/src/lib/env.ts
new file mode 100644
index 0000000..882ca26
--- /dev/null
+++ b/src/lib/env.ts
@@ -0,0 +1,23 @@
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import dotenv from "dotenv";
+
+export function loadEnv() {
+ const homeEnv = path.join(os.homedir(), ".env");
+ const localEnv = path.join(process.cwd(), ".env");
+
+ if (fs.existsSync(homeEnv)) dotenv.config({ path: homeEnv });
+ if (fs.existsSync(localEnv)) dotenv.config({ path: localEnv });
+}
+
+export function requireHcloudToken(): string {
+ loadEnv();
+ const token = process.env.HCLOUD_TOKEN?.trim();
+ if (!token) {
+ throw new Error(
+ "HCLOUD_TOKEN missing. Put it in ~/.env or ./vm-cloud/.env as: HCLOUD_TOKEN=xxxxx"
+ );
+ }
+ return token;
+}
diff --git a/src/lib/hash.ts b/src/lib/hash.ts
new file mode 100644
index 0000000..d33cc3f
--- /dev/null
+++ b/src/lib/hash.ts
@@ -0,0 +1,17 @@
+import { blake3 } from "@noble/hashes/blake3";
+import { sha256 } from "@noble/hashes/sha256";
+import { bytesToHex } from "@noble/hashes/utils";
+import { canonicalize } from "json-canonicalize";
+
+export function canonicalBytes(obj: unknown): Uint8Array {
+ const json = canonicalize(obj);
+ return new TextEncoder().encode(json);
+}
+
+export function hashBlake3Hex(obj: unknown): string {
+ return bytesToHex(blake3(canonicalBytes(obj)));
+}
+
+export function hashSha256Hex(obj: unknown): string {
+ return bytesToHex(sha256(canonicalBytes(obj)));
+}
diff --git a/src/lib/hcloud.ts b/src/lib/hcloud.ts
new file mode 100644
index 0000000..31a3e88
--- /dev/null
+++ b/src/lib/hcloud.ts
@@ -0,0 +1,75 @@
+export interface HetznerServer {
+ id: number;
+ name: string;
+ status: string;
+ created: string;
+ public_net: { ipv4: { ip: string | null } };
+ server_type: { name: string; cores: number; memory: number; disk?: number };
+ datacenter: { name: string; location: { city: string; country?: string } };
+ labels?: Record<string, string>;
+}
+
+type HcloudListServersResponse = {
+ servers: HetznerServer[];
+};
+
+export type HcloudResponse<T = unknown> = {
+ ok: boolean;
+ status: number;
+ data: T | null;
+ raw: string;
+};
+
+export class HcloudClient {
+ private base = "https://api.hetzner.cloud/v1";
+ constructor(private token: string) {}
+
+ private async requestWithMeta<T>(
+ method: string,
+ path: string,
+ body?: unknown
+ ): Promise<HcloudResponse<T>> {
+ const res = await fetch(`${this.base}${path}`, {
+ method,
+ headers: {
+ Authorization: `Bearer ${this.token}`,
+ "Content-Type": "application/json"
+ },
+ body: body ? JSON.stringify(body) : undefined
+ });
+
+ const raw = await res.text().catch(() => "");
+ let data: T | null = null;
+ if (raw) {
+ try {
+ data = JSON.parse(raw) as T;
+ } catch {
+ data = null;
+ }
+ }
+
+ return { ok: res.ok, status: res.status, data, raw };
+ }
+
+ private async req<T>(method: string, path: string, body?: unknown): Promise<T> {
+ const res = await this.requestWithMeta<T>(method, path, body);
+ if (!res.ok) {
+ const detail = res.raw || "unknown error";
+ throw new Error(`Hetzner API ${res.status} error: ${detail}`);
+ }
+ return res.data as T;
+ }
+
+ async listServers(): Promise<HetznerServer[]> {
+ const data = await this.req<HcloudListServersResponse>("GET", "/servers");
+ return data.servers ?? [];
+ }
+
+ async powerAction(serverId: number, action: "poweron" | "poweroff" | "reboot") {
+ return this.requestWithMeta("POST", `/servers/${serverId}/actions/${action}`);
+ }
+
+ async updateServerLabels(serverId: number, labels: Record<string, string>) {
+ return this.requestWithMeta("PUT", `/servers/${serverId}`, { labels });
+ }
+}
diff --git a/src/lib/keys.ts b/src/lib/keys.ts
new file mode 100644
index 0000000..991ae5c
--- /dev/null
+++ b/src/lib/keys.ts
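Review bot: `listServers` issues a single `GET /servers` and returns `data.servers`, but the Hetzner Cloud API paginates list endpoints, so only the first page comes back. In a project with more servers than one page holds, `applyPlan`'s `servers.find(...)` would report a valid id as not found, and `snapshotServers` would write an incomplete snapshot without any indication. Loop while the response's `meta.pagination.next_page` is non-null, requesting `/servers?page=${page}&per_page=50`, and concatenate the pages. `requestWithMeta` also calls `fetch` without an abort signal, so a stalled connection keeps the server lock held; `signal: AbortSignal.timeout(ms)` would bound it.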
@@ -0,0 +1,90 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { getPublicKey, sign, verify, utils, etc } from "@noble/ed25519";
+import { blake3 } from "@noble/hashes/blake3";
+import { sha512 } from "@noble/hashes/sha512";
+import { bytesToHex, hexToBytes } from "@noble/hashes/utils";
+
+const KEY_DIR = path.join(os.homedir(), ".config", "vm-cloud", "keys");
+const PRIV_PATH = path.join(KEY_DIR, "operator_ed25519.key");
+const PUB_PATH = path.join(KEY_DIR, "operator_ed25519.pub");
+
+if (!etc.sha512Sync) {
+ etc.sha512Sync = (...messages) => sha512(etc.concatBytes(...messages));
+}
+
+function ensureKeyDir() {
+ fs.mkdirSync(KEY_DIR, { recursive: true });
+}
+
+export function keyPaths() {
+ return { dir: KEY_DIR, privateKey: PRIV_PATH, publicKey: PUB_PATH };
+}
+
+export function readPrivateKey(): Uint8Array {
+ if (!fs.existsSync(PRIV_PATH)) {
+ const err = new Error(`Private key not found: ${PRIV_PATH}`);
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+ const hex = fs.readFileSync(PRIV_PATH, "utf8").trim();
+ return hexToBytes(hex);
+}
+
+export function readPublicKey(): Uint8Array {
+ if (!fs.existsSync(PUB_PATH)) {
+ const err = new Error(`Public key not found: ${PUB_PATH}`);
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+ const hex = fs.readFileSync(PUB_PATH, "utf8").trim();
+ return hexToBytes(hex);
+}
+
+export async function generateKeypair(opts: { force?: boolean } = {}) {
+ ensureKeyDir();
+ if (!opts.force && (fs.existsSync(PRIV_PATH) || fs.existsSync(PUB_PATH))) {
+ const err = new Error(
+ `Key already exists. Use --force to overwrite: ${PRIV_PATH}`
+ );
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+
+ const priv = utils.randomPrivateKey();
+ const pub = await getPublicKey(priv);
+
+ fs.writeFileSync(PRIV_PATH, bytesToHex(priv), { mode: 0o600 });
+ fs.writeFileSync(PUB_PATH, bytesToHex(pub), { mode: 0o644 });
+
+ return {
+ privateKeyPath: PRIV_PATH,
+ publicKeyPath: PUB_PATH,
+ publicKey: bytesToHex(pub)
+ };
+}
+
+export function keyIdFromPublicHex(publicKeyHex: string) {
+ const pub = hexToBytes(publicKeyHex);
+ return bytesToHex(blake3(pub));
+}
+
+export async function signMessage(message: Uint8Array) {
+ const priv = readPrivateKey();
+ const pub = await getPublicKey(priv);
+ const signature = await sign(message, priv);
+ const publicKey = bytesToHex(pub);
+ const signerKid = keyIdFromPublicHex(publicKey);
+ return { signature: bytesToHex(signature), publicKey, signerKid };
+}
+
+export async function verifyMessage(
+ message: Uint8Array,
+ signatureHex: string,
+ publicKeyHex: string
+) {
+ const signature = hexToBytes(signatureHex);
+ const publicKey = hexToBytes(publicKeyHex);
+ return verify(signature, message, publicKey);
+}
diff --git a/src/lib/ledger.ts b/src/lib/ledger.ts
new file mode 100644
index 0000000..3760971
--- /dev/null
+++ b/src/lib/ledger.ts
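Review bot: `generateKeypair` relies on `{ mode: 0o600 }` to protect the private key, but that mode is applied only when the file is created: with `--force` over an existing, more permissive file the old permissions are kept, and `ensureKeyDir` creates the key directory with the default mode. I would create the directory with `fs.mkdirSync(KEY_DIR, { recursive: true, mode: 0o700 });` and follow the private-key write with `fs.chmodSync(PRIV_PATH, 0o600);`. The key is stored as unencrypted hex, so a comment above `PRIV_PATH` such as `// Stored unencrypted; file and directory permissions are the only protection.` would tell operators what they are relying on.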
@@ -0,0 +1,39 @@
+import fs from "node:fs";
+import path from "node:path";
+import { ensureDir } from "./report.js";
+
+function receiptsDir() {
+ return path.join(process.cwd(), "outputs", "receipts");
+}
+
+function headPath() {
+ return path.join(receiptsDir(), "HEAD.json");
+}
+
+export type ReceiptHead = { blake3: string; file: string; created_at: string };
+
+export function readHead(): ReceiptHead | null {
+ try {
+ const raw = fs.readFileSync(headPath(), "utf8");
+ const data = JSON.parse(raw) as ReceiptHead;
+ if (!data?.blake3 || !data?.file || !data?.created_at) return null;
+ return data;
+ } catch {
+ return null;
+ }
+}
+
+export function readPrevReceiptHash(): string | null {
+ try {
+ const raw = fs.readFileSync(headPath(), "utf8");
+ const data = JSON.parse(raw) as { blake3?: string };
+ return typeof data.blake3 === "string" ? data.blake3 : null;
+ } catch {
+ return null;
+ }
+}
+
+export function writeHead(next: { blake3: string; file: string; created_at: string }) {
+ ensureDir(receiptsDir());
+ fs.writeFileSync(headPath(), JSON.stringify(next, null, 2), { mode: 0o600 });
+}
diff --git a/src/lib/lock.ts b/src/lib/lock.ts
new file mode 100644
index 0000000..76ea910
--- /dev/null
+++ b/src/lib/lock.ts
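Review bot: `readPrevReceiptHash` returns `null` for every failure, so a truncated, corrupted or deleted `HEAD.json` is indistinguishable from a first run and the next receipt silently starts a new chain with `prev_blake3: null`. Only a missing file should mean "no previous receipt": bind the caught error and use `if ((err as NodeJS.ErrnoException).code === "ENOENT") return null; throw err;`, and treat a parsed head without a string `blake3` as an error as well. `writeHead` also writes the file in place, so an interrupted write can produce exactly such a truncated head; writing to a temporary file in the same directory and then `fs.renameSync` over `HEAD.json` avoids that.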
@@ -0,0 +1,102 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+export type LockInfo = {
+ pid: number;
+ user: string;
+ hostname: string;
+ started_at: string;
+ argv: string[];
+};
+
+function homeCacheDir() {
+ return path.join(os.homedir(), ".cache", "vm-cloud", "locks");
+}
+
+function lockPath(serverId: number) {
+ return path.join(homeCacheDir(), `${serverId}.lock`);
+}
+
+function pidAlive(pid: number) {
+ try {
+ process.kill(pid, 0);
+ return true;
+ } catch {
+ return false;
+ }
+}
+
+function writeLockExclusive(lockFile: string, info: LockInfo) {
+ const fd = fs.openSync(lockFile, "wx", 0o600);
+ try {
+ fs.writeFileSync(fd, JSON.stringify(info, null, 2), "utf8");
+ } finally {
+ fs.closeSync(fd);
+ }
+}
+
+export function acquireServerLock(
+ serverId: number,
+ opts: { force?: boolean } = {}
+) {
+ const dir = homeCacheDir();
+ fs.mkdirSync(dir, { recursive: true });
+
+ const lp = lockPath(serverId);
+
+ const info: LockInfo = {
+ pid: process.pid,
+ user: process.env.USER || "unknown",
+ hostname: os.hostname(),
+ started_at: new Date().toISOString(),
+ argv: process.argv.slice()
+ };
+
+ for (let attempt = 0; attempt < 2; attempt++) {
+ try {
+ writeLockExclusive(lp, info);
+ return {
+ file: lp,
+ info,
+ release() {
+ try {
+ fs.unlinkSync(lp);
+ } catch {
+ // Ignore missing lock on release.
+ }
+ }
+ };
+ } catch (err) {
+ const code = (err as NodeJS.ErrnoException)?.code;
+ if (code !== "EEXIST") throw err;
+
+ let existing: LockInfo | null = null;
+ try {
+ existing = JSON.parse(fs.readFileSync(lp, "utf8")) as LockInfo;
+ } catch {
+ existing = null;
+ }
+
+ const alive = existing?.pid ? pidAlive(existing.pid) : false;
+ if (alive && !opts.force) {
+ const lockErr = new Error(
+ `Server is locked by pid=${existing!.pid} user=${existing!.user} host=${existing!.hostname} since=${existing!.started_at}`
+ );
+ (lockErr as { exitCode?: number }).exitCode = 6;
+ (lockErr as { lockInfo?: LockInfo | null }).lockInfo = existing;
+ throw lockErr;
+ }
+
+ try {
+ fs.unlinkSync(lp);
+ } catch {
+ // Ignore removal errors so we can attempt to replace.
+ }
+ }
+ }
+
+ const err = new Error("Failed to acquire server lock");
+ (err as { exitCode?: number }).exitCode = 6;
+ throw err;
+}
diff --git a/src/lib/plan.ts b/src/lib/plan.ts
new file mode 100644
index 0000000..0e718e8
--- /dev/null
+++ b/src/lib/plan.ts
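Review bot: `pidAlive` treats every exception from `process.kill(pid, 0)` as "not running", but the call fails with `EPERM` when the process exists and belongs to another user, so such a lock is judged stale and removed by the `fs.unlinkSync(lp)` at the end of the catch block in `acquireServerLock`. The catch should read `catch (err) { return (err as NodeJS.ErrnoException).code === "EPERM"; }`. The probe is also only meaningful on the host that wrote the lock, so when `existing.hostname` differs from `os.hostname()` (a shared home directory, for example) the lock should be kept unless `--force` is given. `release()` unlinks the path without checking that the file still carries this process's pid, so after a forced takeover the original holder removes the new owner's lock on exit.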
@@ -0,0 +1,41 @@
+import fs from "node:fs";
+import path from "node:path";
+import { hashBlake3Hex, hashSha256Hex } from "./hash.js";
+import { ensureDir, nowStamp } from "./report.js";
+
+export type PlanAction = "poweron" | "poweroff" | "reboot" | "labels";
+export type PlanMatch = "id" | "exact" | "partial";
+
+export type ServerPlan = {
+ plan_version: "1";
+ created_at: string;
+ action: PlanAction;
+ server: { id: number; name: string; ip?: string | null };
+ match: PlanMatch;
+ request: { method: "POST" | "PUT"; path: string; body?: unknown };
+ reason?: string;
+ applied: false;
+};
+
+export function resolvePlanPath(planPath: string) {
+ return path.isAbsolute(planPath) ? planPath : path.join(process.cwd(), planPath);
+}
+
+export function writePlan(plan: ServerPlan) {
+ const { stamp } = nowStamp();
+ const dir = path.join(process.cwd(), "outputs", "plans");
+ const name = `plan-${stamp}-${plan.action}-${plan.server.id}.json`;
+ ensureDir(dir);
+ const file = path.join(dir, name);
+ const json = JSON.stringify(plan, null, 2);
+ fs.writeFileSync(file, json, "utf8");
+ const sha256 = hashSha256Hex(plan);
+ const blake3 = hashBlake3Hex(plan);
+ return { file, sha256, blake3 };
+}
+
+export function readPlan(planPath: string): ServerPlan {
+ const abs = resolvePlanPath(planPath);
+ const raw = fs.readFileSync(abs, "utf8");
+ return JSON.parse(raw) as ServerPlan;
+}
diff --git a/src/lib/receipt.ts b/src/lib/receipt.ts
new file mode 100644
index 0000000..1f4d22c
--- /dev/null
+++ b/src/lib/receipt.ts
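Review bot: `readPlan` casts the parsed JSON to `ServerPlan` without any runtime check, so a hand-edited or corrupted plan file reaches the caller with whatever `action`, `server.id` and `request.path` it contains, and the `sha256`/`blake3` that `writePlan` returns are never compared on read. The code that applies a plan is not in this hunk, but if it sends `plan.request` as stored, the file effectively chooses the API call. I would validate the fields before returning, as sketched below, and have the apply step rebuild the request from `action` and `server.id` rather than trusting `request.path`.

```typescript
export function readPlan(planPath: string): ServerPlan {
  // … unchanged: resolvePlanPath and readFileSync …
  const plan = JSON.parse(raw) as Partial<ServerPlan>;
  const actions: PlanAction[] = ["poweron", "poweroff", "reboot", "labels"];
  const valid =
    plan.plan_version === "1" &&
    plan.applied === false &&
    actions.includes(plan.action as PlanAction) &&
    Number.isInteger(plan.server?.id) &&
    typeof plan.request?.path === "string";
  if (!valid) {
    const err = new Error(`Invalid plan file: ${abs}`);
    (err as { exitCode?: number }).exitCode = 2;
    throw err;
  }
  return plan as ServerPlan;
}
```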
@@ -0,0 +1,116 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { hashBlake3Hex, hashSha256Hex } from "./hash.js";
+import { readPrevReceiptHash, writeHead } from "./ledger.js";
+import { ensureDir } from "./report.js";
+
+type ReceiptRequest = {
+ method: string;
+ path: string;
+ body?: unknown;
+};
+
+type ReceiptResponse = {
+ status: number;
+ ok: boolean;
+ data?: unknown;
+ raw?: string;
+};
+
+type ReceiptInput = {
+ action: string;
+ reason: string;
+ server: { id: number; name: string; ip?: string | null };
+ request: ReceiptRequest;
+ response: ReceiptResponse;
+ lock?: { file: string; started_at: string; force?: boolean };
+ plan?: { file: string; sha256: string; blake3: string };
+};
+
+type ReceiptBody = {
+ receipt_version: "1";
+ created_at: string;
+ cwd: string;
+ user: string;
+ hostname: string;
+ argv: string[];
+ reason: string;
+ lock_file: string | null;
+ lock_started_at: string | null;
+ force: boolean;
+ plan_file: string | null;
+ plan_sha256: string | null;
+ plan_blake3: string | null;
+ target: { id: number; name: string; ip?: string | null };
+ request: ReceiptRequest;
+ response: ReceiptResponse;
+ prev_blake3: string | null;
+};
+
+type ReceiptEnvelope = ReceiptBody & {
+ hash_alg: "blake3+sha256";
+ blake3: string;
+ sha256: string;
+};
+
+function fileStamp(d = new Date()) {
+ const yyyy = d.getFullYear();
+ const mm = String(d.getMonth() + 1).padStart(2, "0");
+ const dd = String(d.getDate()).padStart(2, "0");
+ const hh = String(d.getHours()).padStart(2, "0");
+ const mi = String(d.getMinutes()).padStart(2, "0");
+ const ss = String(d.getSeconds()).padStart(2, "0");
+ return `${yyyy}${mm}${dd}-${hh}${mi}${ss}`;
+}
+
+export function writeReceipt(input: ReceiptInput) {
+ const dir = path.join(process.cwd(), "outputs", "receipts");
+ ensureDir(dir);
+
+ const file = path.join(
+ dir,
+ `${fileStamp()}-${input.action}-${input.server.id}.json`
+ );
+
+ const created_at = new Date().toISOString();
+ const prev_blake3 = readPrevReceiptHash();
+ const body: ReceiptBody = {
+ receipt_version: "1",
+ created_at,
+ cwd: process.cwd(),
+ user: process.env.USER ?? process.env.LOGNAME ?? "unknown",
+ hostname: os.hostname(),
+ argv: process.argv,
+ reason: input.reason || "unspecified",
+ lock_file: input.lock?.file ?? null,
+ lock_started_at: input.lock?.started_at ?? null,
+ force: Boolean(input.lock?.force),
+ plan_file: input.plan?.file ?? null,
+ plan_sha256: input.plan?.sha256 ?? null,
+ plan_blake3: input.plan?.blake3 ?? null,
+ target: {
+ id: input.server.id,
+ name: input.server.name,
+ ip: input.server.ip ?? null
+ },
+ request: input.request,
+ response: input.response,
+ prev_blake3
+ };
+
+ const blake3 = hashBlake3Hex(body);
+ const sha256 = hashSha256Hex(body);
+ const envelope: ReceiptEnvelope = {
+ ...body,
+ hash_alg: "blake3+sha256",
+ blake3,
+ sha256
+ };
+
+ fs.writeFileSync(file, JSON.stringify(envelope, null, 2), "utf8");
+ const relFile = path.relative(process.cwd(), file) || file;
+ writeHead({ blake3, file: relFile, created_at });
+
+ return { file, sha256, blake3 };
+}
diff --git a/src/lib/report.ts b/src/lib/report.ts
new file mode 100644
index 0000000..5203ae7
--- /dev/null
+++ b/src/lib/report.ts
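Review bot: The receipt file name in `writeReceipt` has one-second resolution (`fileStamp()` plus action and server id) and the write uses the default flag, so a second receipt for the same action and server within the same second overwrites the first while `HEAD.json` moves on, leaving a chain entry whose predecessor is no longer on disk. Writing with `fs.writeFileSync(file, JSON.stringify(envelope, null, 2), { encoding: "utf8", flag: "wx", mode: 0o600 });` fails instead of overwriting and gives receipts the same permissions as `HEAD.json`. The body also persists `process.argv` and the raw API response verbatim, so a comment there should state that secrets must never be passed as command-line arguments. The read of the previous hash and the later `writeHead` are not atomic together, so two concurrent runs against different servers can, as far as this hunk shows, both chain to the same predecessor.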
@@ -0,0 +1,68 @@
+import fs from "node:fs";
+import path from "node:path";
+import crypto from "node:crypto";
+
+export function ensureDir(p: string) {
+ fs.mkdirSync(p, { recursive: true });
+}
+
+export function nowStamp() {
+ const d = new Date();
+ const yyyy = d.getFullYear();
+ const mm = String(d.getMonth() + 1).padStart(2, "0");
+ const dd = String(d.getDate()).padStart(2, "0");
+ const hh = String(d.getHours()).padStart(2, "0");
+ const mi = String(d.getMinutes()).padStart(2, "0");
+ return { date: `${yyyy}-${mm}-${dd}`, stamp: `${yyyy}${mm}${dd}-${hh}${mi}` };
+}
+
+export function slugify(s: string) {
+ return s.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/(^-|-$)/g, "");
+}
+
+export function writeJsonSnapshot(dir: string, name: string, data: unknown) {
+ ensureDir(dir);
+ const json = JSON.stringify(data, null, 2);
+ const file = path.join(dir, name);
+ fs.writeFileSync(file, json, "utf8");
+ const sha = crypto.createHash("sha256").update(json).digest("hex");
+ return { file, sha };
+}
+
+export function createResearchNote(dir: string, title: string) {
+ ensureDir(dir);
+ const { date } = nowStamp();
+ const slug = slugify(title);
+ const file = path.join(dir, `${date}-${slug}.md`);
+ if (fs.existsSync(file)) return file;
+
+ const body = `# ${title}
+
+Date: ${date}
+
+## Context
+
+- Purpose:
+- Scope:
+- Risks:
+
+## Evidence
+
+<!-- snapshots go here -->
+
+## Findings
+
+-
+
+## Next actions
+
+-
+`;
+ fs.writeFileSync(file, body, "utf8");
+ return file;
+}
+
+export function appendToResearchNote(notePath: string, markdown: string) {
+ const sep = "\n\n";
+ fs.appendFileSync(notePath, sep + markdown, "utf8");
+}
diff --git a/src/lib/resolve.ts b/src/lib/resolve.ts
new file mode 100644
index 0000000..6fc825d
--- /dev/null
+++ b/src/lib/resolve.ts
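Review bot: `nowStamp` builds `stamp` from local time with minute resolution, and `writePlan` in `plan.ts` uses it for file names, so two plans for the same action and server created within the same minute overwrite each other, and the names follow the machine's time zone while `created_at` in receipts is UTC. Adding seconds and switching to the UTC getters (`getUTCFullYear()`, `getUTCMonth()` and so on) would keep evidence file names unique and comparable across machines. `slugify` also returns an empty string for a title with no ASCII letters or digits, so `createResearchNote` maps every such title to the same `${date}-.md`; a fallback such as `slugify(title) || "note"` avoids that.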
@@ -0,0 +1,44 @@
+import { HcloudClient, HetznerServer } from "./hcloud.js";
+
+function isNumericId(input: string) {
+ return /^[0-9]+$/.test(input);
+}
+
+export type ServerMatch = {
+ server: HetznerServer;
+ match: "id" | "exact" | "partial";
+};
+
+export async function resolveServer(
+ client: HcloudClient,
+ input: string
+): Promise<ServerMatch> {
+ const needle = input.trim();
+ if (!needle) {
+ throw new Error("Server name or id is required");
+ }
+
+ const servers = await client.listServers();
+
+ if (isNumericId(needle)) {
+ const id = Number(needle);
+ const byId = servers.find((s) => s.id === id);
+ if (byId) return { server: byId, match: "id" };
+ throw new Error(`No server found with id ${id}`);
+ }
+
+ const exact = servers.find((s) => s.name === needle);
+ if (exact) return { server: exact, match: "exact" };
+
+ const lower = needle.toLowerCase();
+ const partial = servers.filter((s) => s.name.toLowerCase().includes(lower));
+ if (partial.length === 1) return { server: partial[0], match: "partial" };
+ if (partial.length > 1) {
+ const names = partial.map((s) => s.name).join(", ");
+ const err = new Error(`Ambiguous name "${needle}". Matches: ${names}`);
+ (err as { exitCode?: number }).exitCode = 3;
+ throw err;
+ }
+
+ throw new Error(`No server found with name "${needle}"`);
+}
diff --git a/src/lib/signature.ts b/src/lib/signature.ts
new file mode 100644
index 0000000..89b907d
--- /dev/null
+++ b/src/lib/signature.ts
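Review bot: `resolveServer` falls back to a case-insensitive substring match and returns a unique hit like any other result, so a short fragment resolves to whichever single server happens to contain it; for `poweroff` or `reboot` that can select the wrong machine. The `match` field lets callers tell the difference, but nothing here says they must look at it. I would add a doc comment on the function such as `/** A "partial" match is a guess; callers performing state-changing actions must confirm it with the operator or reject it. */`. The call sites are outside this hunk, so whether they already check is not visible.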
@@ -0,0 +1,63 @@
+import fs from "node:fs";
+import path from "node:path";
+import { signMessage } from "./keys.js";
+
+type ReceiptEnvelope = {
+ blake3: string;
+ sig_alg?: string;
+ signer_pub?: string;
+ signer_kid?: string;
+ signed_at?: string;
+ signature?: string;
+};
+
+export async function signReceiptFile(
+ receiptPath: string,
+ opts: { force?: boolean } = {}
+) {
+ const abs = path.resolve(receiptPath);
+ if (!fs.existsSync(abs)) {
+ const err = new Error(`Receipt not found: ${abs}`);
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+
+ const raw = fs.readFileSync(abs, "utf8");
+ let env: ReceiptEnvelope;
+ try {
+ env = JSON.parse(raw) as ReceiptEnvelope;
+ } catch {
+ const err = new Error("Receipt is not valid JSON");
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+
+ if (!env.blake3) {
+ const err = new Error("Receipt missing blake3 field");
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+
+ if ((env.signature || env.signer_pub) && !opts.force) {
+ const err = new Error("Receipt already signed. Use --force to overwrite.");
+ (err as { exitCode?: number }).exitCode = 2;
+ throw err;
+ }
+
+ const msg = new TextEncoder().encode(env.blake3);
+ const { signature, publicKey, signerKid } = await signMessage(msg);
+ const signedAt = new Date().toISOString();
+
+ const next = {
+ ...env,
+ sig_alg: "ed25519",
+ signer_pub: publicKey,
+ signer_kid: signerKid,
+ signed_at: signedAt,
+ signature
+ };
+
+ fs.writeFileSync(abs, JSON.stringify(next, null, 2), "utf8");
+
+ return { file: abs, signer_pub: publicKey, signer_kid: signerKid, signed_at: signedAt, signature };
+}
diff --git a/src/lib/wireguard.ts b/src/lib/wireguard.ts
new file mode 100644
index 0000000..dbcef74
--- /dev/null
+++ b/src/lib/wireguard.ts
@@ -0,0 +1 @@
+// Placeholder for WireGuard mesh utilities.
diff --git a/src/mcp/server.ts b/src/mcp/server.ts
new file mode 100644
index 0000000..2b9b8f7
--- /dev/null
+++ b/src/mcp/server.ts
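Review bot: `signReceiptFile` signs the `blake3` string stored in the file without recomputing it from the receipt body, so a receipt edited after it was written still receives a valid signature over the stale hash, and the signature says nothing about the content actually on disk. Before signing, strip the envelope and signature fields, recompute the hash with `hashBlake3Hex` from `./hash.js` (the function `receipt.ts` uses; its canonicalisation is not visible here, so confirm that a JSON round trip hashes identically) and refuse to sign on a mismatch. `signed_at`, `signer_pub` and `signer_kid` are also outside the signed message, so they can be changed afterwards without invalidating the signature.

```typescript
  // … unchanged: path resolution, JSON parsing, blake3 and already-signed checks …
  const {
    hash_alg, blake3, sha256,
    sig_alg, signer_pub, signer_kid, signed_at, signature: oldSignature,
    ...body
  } = env as ReceiptEnvelope & Record<string, unknown>;
  if (hashBlake3Hex(body) !== env.blake3) {
    const err = new Error("Receipt blake3 does not match its contents");
    (err as { exitCode?: number }).exitCode = 2;
    throw err;
  }

  const msg = new TextEncoder().encode(env.blake3);
```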
@@ -0,0 +1,5 @@
+export async function startMcpServer() {
+ // Placeholder: wire up @modelcontextprotocol/sdk here in Step 4.
+ // Keeping it minimal so you can ship CLI first.
+ console.log("MCP server stub (not yet implemented). Use: npm run dev");
+}
diff --git a/src/mcp/tools.ts b/src/mcp/tools.ts
new file mode 100644
index 0000000..791a8b0
--- /dev/null
+++ b/src/mcp/tools.ts
@@ -0,0 +1 @@
+// Placeholder for MCP tool definitions.
diff --git a/tsconfig.json b/tsconfig.json
new file mode 100644
index 0000000..2c1f0a5
--- /dev/null
+++ b/tsconfig.json
@@ -0,0 +1,13 @@
+{
+ "compilerOptions": {
+ "target": "ES2022",
+ "module": "NodeNext",
+ "moduleResolution": "NodeNext",
+ "outDir": "dist",
+ "rootDir": "src",
+ "strict": true,
+ "esModuleInterop": true,
+ "skipLibCheck": true
+ },
+ "include": ["src"]
+}