Files
pikasTech-unidesk/scripts/src/frontend-auth.ts
T
2026-07-09 15:59:32 +02:00

545 lines
24 KiB
TypeScript

import { createHash } from "node:crypto";
import { existsSync, readFileSync } from "node:fs";
import { isAbsolute, join } from "node:path";
import type { UniDeskConfig } from "./config";
import { rootPath } from "./config";
import type { RenderedCliResult } from "./output";
import { capture, parseJsonOutput } from "./platform-infra-public-service";
import { asRecord, integerField, readYamlRecord, recordField, stringField } from "./platform-infra-ops-library";
const configPath = rootPath("config", "unidesk-host-k8s.yaml");
const configLabel = "config/unidesk-host-k8s.yaml";
const fieldManager = "unidesk-frontend-auth";
type Action = "plan" | "apply" | "status" | "validate";
interface RuntimeAuthConfig {
targetId: string;
source: { path: string; format: "linePair"; usernameLine: number; passwordLine: number };
target: {
route: string;
namespace: string;
configMapName: string;
usernameKey: string;
secretName: string;
passwordKey: string;
rolloutDeployment: string;
};
}
interface AuthMaterial {
sourcePath: string;
sourcePathDisplay: string;
sourceExists: boolean;
username: string | null;
password: string | null;
usernameByteCount: number | null;
passwordByteCount: number | null;
fingerprint: string | null;
}
interface AuthOptions {
confirm: boolean;
dryRun: boolean;
full: boolean;
raw: boolean;
}
export async function runFrontendAuthCommand(config: UniDeskConfig, args: string[]): Promise<Record<string, unknown> | RenderedCliResult> {
const [actionRaw = "plan", ...rest] = args;
const action = parseAction(actionRaw);
const options = parseOptions(rest);
if (action === "plan") {
const result = plan();
return options.full || options.raw ? result : renderPlan(result);
}
if (action === "apply") {
const result = await apply(config, options);
return options.full || options.raw ? result : renderApply(result);
}
if (action === "status") {
const result = await status(config, options);
return options.full || options.raw ? result : renderStatus(result);
}
const result = await validate(config, options);
return options.full || options.raw ? result : renderValidate(result);
}
function plan(): Record<string, unknown> {
const auth = readRuntimeAuthConfig();
const material = readAuthMaterial(auth);
return {
ok: material.sourceExists && material.username !== null && material.password !== null,
action: "frontend-auth-plan",
mutation: false,
config: configSummary(auth),
localSource: materialSummary(auth, material),
target: targetSummary(auth),
policy: {
sourceAuthority: `${configLabel}.runtimeAuth.sourceRef`,
runtimeReverseEngineering: false,
valuesPrinted: false,
},
next: {
apply: "bun scripts/cli.ts frontend auth apply --confirm",
status: "bun scripts/cli.ts frontend auth status",
validate: "bun scripts/cli.ts frontend auth validate",
},
valuesPrinted: false,
};
}
async function apply(config: UniDeskConfig, options: AuthOptions): Promise<Record<string, unknown>> {
const auth = readRuntimeAuthConfig();
const material = readAuthMaterial(auth);
const base = {
action: "frontend-auth-apply",
config: configSummary(auth),
localSource: materialSummary(auth, material),
target: targetSummary(auth),
valuesPrinted: false,
};
if (!material.sourceExists || material.username === null || material.password === null || material.fingerprint === null) {
return { ok: false, ...base, mutation: false, mode: "blocked-local-source" };
}
if (!options.confirm || options.dryRun) {
return { ok: true, ...base, mutation: false, mode: "dry-run" };
}
const remote = await capture(config, auth.target.route, ["sh"], applyScript(auth, material));
const parsed = parseJsonOutput(remote.stdout);
const runtime = await waitForRuntimeStatus(config, options);
return {
ok: remote.exitCode === 0 && parsed?.ok === true && runtime.ok === true,
...base,
mutation: true,
mode: "confirmed",
remote: remoteSummary(remote),
summary: parsed ?? { ok: false, parseError: "remote-json-missing", valuesPrinted: false },
runtime: runtime.summary,
};
}
async function waitForRuntimeStatus(config: UniDeskConfig, options: AuthOptions): Promise<Record<string, unknown>> {
let latest: Record<string, unknown> | null = null;
for (let attempt = 1; attempt <= 12; attempt += 1) {
latest = await status(config, { ...options, raw: false });
if (latest.ok === true) return latest;
await new Promise((resolve) => setTimeout(resolve, 5_000));
}
return latest ?? { ok: false, summary: { ok: false, error: "runtime-status-not-run", valuesPrinted: false } };
}
async function status(config: UniDeskConfig, options: AuthOptions): Promise<Record<string, unknown>> {
const auth = readRuntimeAuthConfig();
const material = readAuthMaterial(auth);
const remote = await capture(config, auth.target.route, ["sh"], statusScript(auth, material.fingerprint));
const parsed = parseJsonOutput(remote.stdout);
return {
ok: remote.exitCode === 0 && parsed?.ok === true,
action: "frontend-auth-status",
mutation: false,
config: configSummary(auth),
localSource: materialSummary(auth, material),
target: targetSummary(auth),
remote: remoteSummary(remote),
summary: parsed ?? { ok: false, parseError: "remote-json-missing", valuesPrinted: false },
rawCaptureOmitted: options.raw ? true : undefined,
valuesPrinted: false,
};
}
async function validate(config: UniDeskConfig, options: AuthOptions): Promise<Record<string, unknown>> {
const planned = plan();
const state = await status(config, options);
const localOk = planned.ok === true;
const runtimeOk = state.ok === true;
return {
ok: localOk && runtimeOk,
action: "frontend-auth-validate",
mutation: false,
checks: [
{ name: "local-source", ok: localOk, detail: configLabel },
{ name: "runtime-target", ok: runtimeOk, detail: `${targetSummary(readRuntimeAuthConfig()).namespace}/${targetSummary(readRuntimeAuthConfig()).secretName}` },
],
localSource: planned.localSource,
runtime: state.summary,
valuesPrinted: false,
};
}
function readRuntimeAuthConfig(): RuntimeAuthConfig {
const root = readYamlRecord(configPath, "UniDeskHostK8sDeployment");
const target = recordField(root, "target", configLabel);
const runtimeAuth = recordField(root, "runtimeAuth", configLabel);
const source = recordField(runtimeAuth, "sourceRef", `${configLabel}.runtimeAuth`);
const targetAuth = recordField(runtimeAuth, "target", `${configLabel}.runtimeAuth`);
const format = stringField(source, "format", `${configLabel}.runtimeAuth.sourceRef`);
if (format !== "linePair") throw new Error(`${configLabel}.runtimeAuth.sourceRef.format must be linePair`);
return {
targetId: stringField(target, "id", `${configLabel}.target`),
source: {
path: stringField(source, "path", `${configLabel}.runtimeAuth.sourceRef`),
format,
usernameLine: integerField(source, "usernameLine", `${configLabel}.runtimeAuth.sourceRef`),
passwordLine: integerField(source, "passwordLine", `${configLabel}.runtimeAuth.sourceRef`),
},
target: {
route: stringField(targetAuth, "route", `${configLabel}.runtimeAuth.target`),
namespace: stringField(targetAuth, "namespace", `${configLabel}.runtimeAuth.target`),
configMapName: stringField(targetAuth, "configMapName", `${configLabel}.runtimeAuth.target`),
usernameKey: stringField(targetAuth, "usernameKey", `${configLabel}.runtimeAuth.target`),
secretName: stringField(targetAuth, "secretName", `${configLabel}.runtimeAuth.target`),
passwordKey: stringField(targetAuth, "passwordKey", `${configLabel}.runtimeAuth.target`),
rolloutDeployment: stringField(targetAuth, "rolloutDeployment", `${configLabel}.runtimeAuth.target`),
},
};
}
function readAuthMaterial(auth: RuntimeAuthConfig): AuthMaterial {
const sourcePath = resolveSourcePath(auth.source.path);
const sourcePathDisplay = displayPath(sourcePath);
if (!existsSync(sourcePath)) {
return { sourcePath, sourcePathDisplay, sourceExists: false, username: null, password: null, usernameByteCount: null, passwordByteCount: null, fingerprint: null };
}
const lines = readFileSync(sourcePath, "utf8").split(/\r?\n/u);
const username = lines[auth.source.usernameLine - 1]?.trim() || null;
const password = lines[auth.source.passwordLine - 1]?.trim() || null;
return {
sourcePath,
sourcePathDisplay,
sourceExists: true,
username,
password,
usernameByteCount: username === null ? null : Buffer.byteLength(username, "utf8"),
passwordByteCount: password === null ? null : Buffer.byteLength(password, "utf8"),
fingerprint: username === null || password === null ? null : fingerprint([username, password]),
};
}
function applyScript(auth: RuntimeAuthConfig, material: AuthMaterial): string {
if (material.username === null || material.password === null || material.fingerprint === null) throw new Error("auth material is incomplete");
const configMapPatch = {
metadata: { annotations: authAnnotations(auth, material) },
data: { [auth.target.usernameKey]: material.username },
};
const secretPatch = {
metadata: { annotations: authAnnotations(auth, material) },
data: { [auth.target.passwordKey]: Buffer.from(material.password, "utf8").toString("base64") },
};
const configMapPatchB64 = Buffer.from(JSON.stringify(configMapPatch), "utf8").toString("base64");
const secretPatchB64 = Buffer.from(JSON.stringify(secretPatch), "utf8").toString("base64");
const summaryB64 = Buffer.from(JSON.stringify({
namespace: auth.target.namespace,
configMapName: auth.target.configMapName,
usernameKey: auth.target.usernameKey,
secretName: auth.target.secretName,
passwordKey: auth.target.passwordKey,
rolloutDeployment: auth.target.rolloutDeployment,
sourceRef: auth.source.path,
fingerprint: material.fingerprint,
valuesPrinted: false,
}), "utf8").toString("base64");
return `
set -u
tmp="$(mktemp -d)"
trap 'rm -rf "$tmp"' EXIT
cm_patch="$tmp/configmap.patch.json"
secret_patch="$tmp/secret.patch.json"
printf '%s' '${configMapPatchB64}' | base64 -d >"$cm_patch"
printf '%s' '${secretPatchB64}' | base64 -d >"$secret_patch"
kubectl -n ${sh(auth.target.namespace)} patch configmap ${sh(auth.target.configMapName)} --type merge --patch-file "$cm_patch" >"$tmp/configmap.out" 2>"$tmp/configmap.err"
cm_rc=$?
kubectl -n ${sh(auth.target.namespace)} patch secret ${sh(auth.target.secretName)} --type merge --patch-file "$secret_patch" >"$tmp/secret.out" 2>"$tmp/secret.err"
secret_rc=$?
if [ "$cm_rc" -eq 0 ] && [ "$secret_rc" -eq 0 ]; then
kubectl -n ${sh(auth.target.namespace)} rollout restart deployment/${sh(auth.target.rolloutDeployment)} >"$tmp/rollout.out" 2>"$tmp/rollout.err"
rollout_rc=$?
else
: >"$tmp/rollout.out"
printf '%s\\n' 'skipped because configmap or secret patch failed' >"$tmp/rollout.err"
rollout_rc=1
fi
python3 - "$cm_rc" "$secret_rc" "$rollout_rc" "$tmp/configmap.out" "$tmp/configmap.err" "$tmp/secret.out" "$tmp/secret.err" "$tmp/rollout.out" "$tmp/rollout.err" <<'PY'
import base64, json, sys
cm_rc, secret_rc, rollout_rc = int(sys.argv[1]), int(sys.argv[2]), int(sys.argv[3])
def tail(path, limit=4000):
try:
return open(path, encoding="utf-8", errors="replace").read()[-limit:]
except FileNotFoundError:
return ""
summary = json.loads(base64.b64decode("${summaryB64}").decode("utf-8"))
payload = {
"ok": cm_rc == 0 and secret_rc == 0 and rollout_rc == 0,
**summary,
"steps": {
"configMapPatch": {"exitCode": cm_rc, "stdoutTail": tail(sys.argv[4]), "stderrTail": tail(sys.argv[5])},
"secretPatch": {"exitCode": secret_rc, "stdoutTail": tail(sys.argv[6]), "stderrTail": tail(sys.argv[7])},
"rolloutRestart": {"exitCode": rollout_rc, "stdoutTail": tail(sys.argv[8]), "stderrTail": tail(sys.argv[9])},
},
"valuesPrinted": False,
}
print(json.dumps(payload, ensure_ascii=False))
sys.exit(0 if payload["ok"] else 1)
PY
`;
}
function statusScript(auth: RuntimeAuthConfig, expectedFingerprint: string | null): string {
const expected = expectedFingerprint ?? "";
return `
set -u
tmp="$(mktemp -d)"
trap 'rm -rf "$tmp"' EXIT
kubectl -n ${sh(auth.target.namespace)} get configmap ${sh(auth.target.configMapName)} -o json >"$tmp/cm.json" 2>"$tmp/cm.err"
cm_rc=$?
kubectl -n ${sh(auth.target.namespace)} get secret ${sh(auth.target.secretName)} -o json >"$tmp/secret.json" 2>"$tmp/secret.err"
secret_rc=$?
kubectl -n ${sh(auth.target.namespace)} get deployment ${sh(auth.target.rolloutDeployment)} -o json >"$tmp/deploy.json" 2>"$tmp/deploy.err"
deploy_rc=$?
kubectl -n ${sh(auth.target.namespace)} exec deployment/${sh(auth.target.rolloutDeployment)} -- sh -c 'printf "%s\\n%s" "$AUTH_USERNAME" "$AUTH_PASSWORD" | sha256sum | awk "{print \\$1}"' >"$tmp/pod-fingerprint.out" 2>"$tmp/pod-fingerprint.err"
pod_fp_rc=$?
python3 - "$tmp" "$cm_rc" "$secret_rc" "$deploy_rc" "$pod_fp_rc" <<'PY'
import json, os, sys
tmp, cm_rc, secret_rc, deploy_rc, pod_fp_rc = sys.argv[1], int(sys.argv[2]), int(sys.argv[3]), int(sys.argv[4]), int(sys.argv[5])
def load(name):
try:
return json.load(open(os.path.join(tmp, name), encoding="utf-8"))
except Exception:
return {}
cm = load("cm.json")
secret = load("secret.json")
deploy = load("deploy.json")
cm_ann = ((cm.get("metadata") or {}).get("annotations") or {})
secret_ann = ((secret.get("metadata") or {}).get("annotations") or {})
cm_data = cm.get("data") or {}
secret_data = secret.get("data") or {}
desired = "${expected}"
observed_cm_fp = cm_ann.get("unidesk.ai/frontend-auth-fingerprint")
observed_secret_fp = secret_ann.get("unidesk.ai/frontend-auth-fingerprint")
available = int(((deploy.get("status") or {}).get("availableReplicas") or 0))
replicas = int(((deploy.get("status") or {}).get("replicas") or 0))
updated = int(((deploy.get("status") or {}).get("updatedReplicas") or 0))
generation = int((deploy.get("metadata") or {}).get("generation") or 0)
observed_generation = int(((deploy.get("status") or {}).get("observedGeneration") or 0))
try:
pod_fp_full = open(os.path.join(tmp, "pod-fingerprint.out"), encoding="utf-8").read().strip().split()[0]
except Exception:
pod_fp_full = None
pod_fp = pod_fp_full[:16] if pod_fp_full else None
checks = [
{"name": "configmap", "ok": cm_rc == 0, "detail": "${auth.target.configMapName}"},
{"name": "username-key", "ok": "${auth.target.usernameKey}" in cm_data, "detail": "${auth.target.usernameKey}"},
{"name": "secret", "ok": secret_rc == 0, "detail": "${auth.target.secretName}"},
{"name": "password-key", "ok": "${auth.target.passwordKey}" in secret_data, "detail": "${auth.target.passwordKey}"},
{"name": "fingerprint", "ok": bool(desired) and observed_cm_fp == desired and observed_secret_fp == desired, "detail": observed_secret_fp or "-"},
{"name": "deployment", "ok": deploy_rc == 0 and replicas > 0 and updated == replicas and available >= replicas and observed_generation >= generation, "detail": "${auth.target.rolloutDeployment}"},
{"name": "pod-env", "ok": pod_fp_rc == 0 and bool(desired) and pod_fp == desired, "detail": pod_fp or "-"},
]
payload = {
"ok": all(item["ok"] for item in checks),
"namespace": "${auth.target.namespace}",
"configMapName": "${auth.target.configMapName}",
"usernameKey": "${auth.target.usernameKey}",
"secretName": "${auth.target.secretName}",
"passwordKey": "${auth.target.passwordKey}",
"rolloutDeployment": "${auth.target.rolloutDeployment}",
"expectedFingerprint": desired or None,
"observedFingerprint": observed_secret_fp,
"podEnvFingerprint": pod_fp,
"checks": checks,
"valuesPrinted": False,
}
print(json.dumps(payload, ensure_ascii=False))
sys.exit(0 if payload["ok"] else 1)
PY
`;
}
function authAnnotations(auth: RuntimeAuthConfig, material: AuthMaterial): Record<string, string> {
if (material.fingerprint === null) throw new Error("auth material fingerprint is missing");
return {
"unidesk.ai/source-ref": auth.source.path,
"unidesk.ai/frontend-auth-fingerprint": material.fingerprint,
};
}
function parseAction(value: string): Action {
if (value === "plan" || value === "apply" || value === "status" || value === "validate") return value;
throw new Error(`frontend auth action must be plan, apply, status, or validate; got ${value}`);
}
function parseOptions(args: string[]): AuthOptions {
let confirm = false;
let dryRun = false;
let full = false;
let raw = false;
for (const arg of args) {
if (arg === "--confirm") confirm = true;
else if (arg === "--dry-run") dryRun = true;
else if (arg === "--full") full = true;
else if (arg === "--raw") {
raw = true;
full = true;
} else {
throw new Error(`unsupported frontend auth option: ${arg}`);
}
}
if (confirm && dryRun) throw new Error("frontend auth apply accepts only one of --confirm or --dry-run");
return { confirm, dryRun, full, raw };
}
function configSummary(auth: RuntimeAuthConfig): Record<string, unknown> {
return {
path: configLabel,
targetId: auth.targetId,
sourceRef: auth.source.path,
format: auth.source.format,
usernameLine: auth.source.usernameLine,
passwordLine: auth.source.passwordLine,
valuesPrinted: false,
};
}
function materialSummary(auth: RuntimeAuthConfig, material: AuthMaterial): Record<string, unknown> {
return {
sourceRef: auth.source.path,
sourcePath: material.sourcePathDisplay,
exists: material.sourceExists,
requiredLines: { username: auth.source.usernameLine, password: auth.source.passwordLine },
byteCounts: { username: material.usernameByteCount, password: material.passwordByteCount },
fingerprint: material.fingerprint,
valuesPrinted: false,
};
}
function targetSummary(auth: RuntimeAuthConfig): Record<string, unknown> {
return { ...auth.target, valuesPrinted: false };
}
function remoteSummary(result: { exitCode: number; stdout: string; stderr: string }): Record<string, unknown> {
return {
exitCode: result.exitCode,
stdoutBytes: Buffer.byteLength(result.stdout, "utf8"),
stderrBytes: Buffer.byteLength(result.stderr, "utf8"),
stdoutTailOmitted: true,
stderrTailOmitted: true,
valuesPrinted: false,
};
}
function renderPlan(result: Record<string, unknown>): RenderedCliResult {
const source = asRecord(result.localSource, "localSource");
const target = asRecord(result.target, "target");
return rendered(result, "frontend auth plan", [
"FRONTEND AUTH PLAN",
...table(["CHECK", "OK", "DETAIL"], [
["source", bool(source.exists), String(source.sourceRef ?? "-")],
["line-pair", bool(source.fingerprint !== undefined && source.fingerprint !== null), `userLine=${source.requiredLines && asRecord(source.requiredLines, "requiredLines").username} passwordLine=${source.requiredLines && asRecord(source.requiredLines, "requiredLines").password}`],
["target", "yes", `${target.namespace}/${target.secretName}`],
]),
"",
`fingerprint: ${str(source.fingerprint)}`,
`valuesPrinted: ${str(result.valuesPrinted)}`,
"Next:",
" bun scripts/cli.ts frontend auth apply --confirm",
]);
}
function renderApply(result: Record<string, unknown>): RenderedCliResult {
const summary = result.summary === undefined ? {} : asRecord(result.summary, "summary");
const steps = summary.steps === undefined ? {} : asRecord(summary.steps, "summary.steps");
if (Object.keys(summary).length === 0 || Object.keys(steps).length === 0) {
const source = asRecord(result.localSource, "localSource");
return rendered(result, "frontend auth apply", [
"FRONTEND AUTH APPLY",
`mode: ${str(result.mode)} mutation: ${str(result.mutation)} ok: ${bool(result.ok)}`,
...table(["CHECK", "OK", "DETAIL"], [
["local-source", bool(source.fingerprint !== undefined && source.fingerprint !== null), str(source.sourceRef)],
["target", "yes", `${str(asRecord(result.target, "target").namespace)}/${str(asRecord(result.target, "target").secretName)}`],
]),
`valuesPrinted: ${str(result.valuesPrinted)}`,
]);
}
return rendered(result, "frontend auth apply", [
"FRONTEND AUTH APPLY",
`mode: ${str(result.mode)} mutation: ${str(result.mutation)} ok: ${bool(result.ok)}`,
...table(["STEP", "OK", "DETAIL"], [
["local-source", bool(asRecord(result.localSource, "localSource").fingerprint !== undefined && asRecord(result.localSource, "localSource").fingerprint !== null), str(asRecord(result.localSource, "localSource").sourceRef)],
["configmap-patch", bool(asRecord(steps.configMapPatch, "steps.configMapPatch").exitCode === 0), compact(str(asRecord(steps.configMapPatch, "steps.configMapPatch").stderrTail, str(asRecord(steps.configMapPatch, "steps.configMapPatch").stdoutTail)))],
["secret-patch", bool(asRecord(steps.secretPatch, "steps.secretPatch").exitCode === 0), compact(str(asRecord(steps.secretPatch, "steps.secretPatch").stderrTail, str(asRecord(steps.secretPatch, "steps.secretPatch").stdoutTail)))],
["rollout-restart", bool(asRecord(steps.rolloutRestart, "steps.rolloutRestart").exitCode === 0), compact(str(asRecord(steps.rolloutRestart, "steps.rolloutRestart").stdoutTail, str(asRecord(steps.rolloutRestart, "steps.rolloutRestart").stderrTail)))],
["runtime-status", bool(asRecord(result.runtime, "runtime").ok), str(asRecord(result.runtime, "runtime").observedFingerprint)],
]),
`valuesPrinted: ${str(result.valuesPrinted)}`,
]);
}
function renderStatus(result: Record<string, unknown>): RenderedCliResult {
const summary = asRecord(result.summary, "summary");
const rows = Array.isArray(summary.checks) ? summary.checks.map((item) => {
const row = asRecord(item, "check");
return [str(row.name), bool(row.ok), str(row.detail)];
}) : [];
return rendered(result, "frontend auth status", [
"FRONTEND AUTH STATUS",
...table(["CHECK", "OK", "DETAIL"], rows),
`fingerprint: ${str(summary.observedFingerprint)}`,
`valuesPrinted: ${str(result.valuesPrinted)}`,
]);
}
function renderValidate(result: Record<string, unknown>): RenderedCliResult {
const rows = Array.isArray(result.checks) ? result.checks.map((item) => {
const row = asRecord(item, "check");
return [str(row.name), bool(row.ok), str(row.detail)];
}) : [];
return rendered(result, "frontend auth validate", [
"FRONTEND AUTH VALIDATE",
...table(["CHECK", "OK", "DETAIL"], rows),
`valuesPrinted: ${str(result.valuesPrinted)}`,
]);
}
function rendered(result: Record<string, unknown>, command: string, lines: string[]): RenderedCliResult {
return { ok: result.ok !== false, command, renderedText: lines.join("\n"), contentType: "text/plain" };
}
function resolveSourcePath(path: string): string {
return isAbsolute(path) ? path : rootPath(path);
}
function displayPath(path: string): string {
const root = rootPath();
return path.startsWith(`${root}/`) ? path.slice(root.length + 1) : path;
}
function fingerprint(parts: string[]): string {
return createHash("sha256").update(parts.join("\n")).digest("hex").slice(0, 16);
}
function yaml(value: string): string {
return JSON.stringify(value);
}
function sh(value: string): string {
return `'${value.replaceAll("'", "'\"'\"'")}'`;
}
function str(value: unknown, fallback = "-"): string {
return value === undefined || value === null || value === "" ? fallback : String(value);
}
function bool(value: unknown): string {
return value === true ? "yes" : value === false ? "no" : "-";
}
function compact(value: string): string {
return value.replace(/\s+/gu, " ").trim().slice(0, 120) || "-";
}
function table(headers: string[], rows: string[][]): string[] {
const widths = headers.map((header, index) => Math.max(header.length, ...rows.map((row) => row[index]?.length ?? 0)));
const renderRow = (row: string[]) => row.map((cell, index) => cell.padEnd(widths[index] ?? cell.length)).join(" ").trimEnd();
return [renderRow(headers), ...rows.map(renderRow)];
}