#!/usr/bin/env node // SPEC: PJ2026-01060703 CI/CD branch follower runtime GitOps verify. // Responsibility: fail publish before Argo when rendered runtime GitOps violates UniDesk overlay gates. import { existsSync, readdirSync, readFileSync, statSync } from "node:fs"; import path from "node:path"; const repoDir = process.cwd(); const overlay = readOverlay(); const runtimePath = requiredOverlayString("runtimePath"); const runtimeDir = path.resolve(repoDir, runtimePath); const prometheusOperatorKinds = new Set(["ServiceMonitor", "PrometheusRule", "PodMonitor", "Probe"]); if (!existsSync(runtimeDir)) { fail("runtime-path-missing", { runtimePath }); } const checks = []; if (overlay?.observability?.prometheusOperator === false) { checks.push("prometheus-operator-disabled"); const refs = findPrometheusOperatorResources(); if (refs.length > 0) fail("prometheus-operator-resource-present", { runtimePath, refs: refs.slice(0, 12), refCount: refs.length }); } console.error(JSON.stringify({ event: "unidesk-runtime-gitops-verify", ok: true, runtimePath, checks })); function findPrometheusOperatorResources() { const refs = []; for (const file of listYamlFiles(runtimeDir)) { const rel = path.relative(repoDir, file); for (const doc of splitYamlDocuments(readFileSync(file, "utf8"))) { refs.push(...prometheusOperatorResourceRefs(doc, rel)); } } return refs; } function splitYamlDocuments(text) { return text.split(/^---[ \t]*(?:#.*)?$/mu).map((doc) => doc.trim()).filter(Boolean); } function prometheusOperatorResourceRefs(text, file) { const jsonRefs = prometheusOperatorJsonResourceRefs(text, file); if (jsonRefs !== null) return jsonRefs; const api = text.match(/^\s*apiVersion:\s*["']?(monitoring\.coreos\.com\/[^"'\s#]+)["']?\s*(?:#.*)?$/mu); const kind = text.match(/^\s*kind:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$/mu); if (!api || !kind || !prometheusOperatorKinds.has(kind[1])) return []; const name = text.match(/^\s*name:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$/mu); return [{ file, kind: kind[1], name: name ? name[1] : null, container: null }]; } function prometheusOperatorJsonResourceRefs(text, file) { const parsed = parseJsonDocument(text); if (parsed === null) return null; const items = isKubernetesList(parsed) ? parsed.items : [parsed]; return items.filter(isPrometheusOperatorResource).map((item) => ({ file, kind: item.kind, name: typeof item.metadata?.name === "string" ? item.metadata.name : null, container: isKubernetesList(parsed) ? "List.items" : null, })); } function isPrometheusOperatorResource(value) { if (!value || typeof value !== "object" || Array.isArray(value)) return false; return typeof value.apiVersion === "string" && value.apiVersion.startsWith("monitoring.coreos.com/") && typeof value.kind === "string" && prometheusOperatorKinds.has(value.kind); } function isKubernetesList(value) { return value && typeof value === "object" && !Array.isArray(value) && value.apiVersion === "v1" && value.kind === "List" && Array.isArray(value.items); } function parseJsonDocument(text) { const trimmed = text.trim(); if (!trimmed.startsWith("{") && !trimmed.startsWith("[")) return null; try { return JSON.parse(trimmed); } catch { return null; } } function listYamlFiles(root) { const out = []; for (const name of readdirSync(root)) { const file = path.join(root, name); const stat = statSync(file); if (stat.isDirectory()) { out.push(...listYamlFiles(file)); } else if (/\.(ya?ml)$/u.test(name)) { out.push(file); } } return out.sort(); } function readOverlay() { const encoded = process.env.UNIDESK_RUNTIME_GITOPS_OVERLAY_B64; if (!encoded) throw new Error("UNIDESK_RUNTIME_GITOPS_OVERLAY_B64 is required"); return JSON.parse(Buffer.from(encoded, "base64").toString("utf8")); } function requiredOverlayString(name) { const value = overlay[name]; if (typeof value !== "string" || value.length === 0) throw new Error(`overlay.${name} is required`); return value; } function fail(reason, extra = {}) { console.error(JSON.stringify({ event: "unidesk-runtime-gitops-verify", ok: false, reason, ...extra })); process.exit(48); }