Files
pikasTech-unidesk/scripts/native/agentrun/managed-repository-reconciler.mjs
T

675 lines
26 KiB
JavaScript

#!/usr/bin/env node
import { createHash, randomBytes } from "node:crypto";
import { spawn } from "node:child_process";
import {
existsSync,
mkdirSync,
readFileSync,
renameSync,
rmSync,
writeFileSync,
} from "node:fs";
import { dirname, join, resolve, sep } from "node:path";
const args = process.argv.slice(2);
const configPath = optionValue("--config");
const mode = args.includes("--health")
? "health"
: args.includes("--status")
? "status"
: args.includes("--once")
? "once"
: "run";
if (!configPath) failUsage("--config <path> is required");
const config = readConfig(configPath);
const statePath = join(config.cacheMountPath, config.stateDirectory, "status.json");
const activeChildren = new Set();
let stopping = false;
process.on("SIGTERM", beginShutdown);
process.on("SIGINT", beginShutdown);
if (mode === "health" || mode === "status") {
const view = await currentStatus(config, statePath);
process.stdout.write(`${JSON.stringify(view)}\n`);
process.exit(mode === "health" && view.ready !== true ? 1 : 0);
}
if (mode === "once") {
const state = await reconcileOnce(config, statePath);
process.stdout.write(`${JSON.stringify(compactStatus(config, state))}\n`);
process.exit(state.ready === true ? 0 : 1);
}
log({ event: "managed-repository-reconciler-started", node: config.nodeId, lane: config.lane, desiredHash: config.desiredHash, repositoryCount: config.repositories.length });
while (!stopping) {
const state = await reconcileOnce(config, statePath);
log({
event: "managed-repository-reconcile-completed",
node: config.nodeId,
lane: config.lane,
ready: state.ready,
lastCycleOk: state.lastCycleOk,
repositoryCount: state.repositories.length,
desiredHash: config.desiredHash,
});
if (!stopping) await sleep(config.reconcileIntervalMs);
}
log({ event: "managed-repository-reconciler-stopped", node: config.nodeId, lane: config.lane });
function optionValue(name) {
const index = args.indexOf(name);
if (index < 0) return null;
const value = args[index + 1];
if (!value || value.startsWith("--")) failUsage(`${name} requires a value`);
return value;
}
function failUsage(message) {
process.stderr.write(`${JSON.stringify({ ok: false, errorType: "invalid-arguments", message })}\n`);
process.exit(64);
}
function readConfig(path) {
let raw;
try {
raw = JSON.parse(readFileSync(path, "utf8"));
} catch {
throw new Error("managed repository config is not readable JSON");
}
requireObject(raw, "config");
const desiredHash = requireString(raw.desiredHash, "desiredHash");
const { desiredHash: _omitted, ...desired } = raw;
const computedHash = sha256(JSON.stringify(desired));
if (computedHash !== desiredHash) throw new Error("managed repository config desiredHash does not match rendered content");
if (raw.schemaVersion !== 1 || raw.kind !== "AgentRunManagedRepositoryReconciler") throw new Error("unsupported managed repository config envelope");
const cacheMountPath = requireAbsolutePath(raw.cacheMountPath, "cacheMountPath");
const stateDirectory = requireRelativePath(raw.stateDirectory, "stateDirectory");
requireObject(raw.remoteAuth, "remoteAuth");
requireObject(raw.remoteAuth.proxy, "remoteAuth.proxy");
const remoteAuth = {
configRef: requireString(raw.remoteAuth.configRef, "remoteAuth.configRef"),
capabilitySha256: requireHex(raw.remoteAuth.capabilitySha256, "remoteAuth.capabilitySha256"),
authMode: requireLiteral(raw.remoteAuth.authMode, "remoteAuth.authMode", "github-https-token"),
host: requireHost(raw.remoteAuth.host, "remoteAuth.host"),
tokenFile: requireAbsolutePath(raw.remoteAuth.tokenFile, "remoteAuth.tokenFile"),
askPassFile: requireAbsolutePath(raw.remoteAuth.askPassFile, "remoteAuth.askPassFile"),
proxy: {
host: requireHost(raw.remoteAuth.proxy.host, "remoteAuth.proxy.host"),
port: requirePort(raw.remoteAuth.proxy.port, "remoteAuth.proxy.port"),
},
};
const repositories = requireArray(raw.repositories, "repositories").map((item, index) => {
requireObject(item, `repositories[${index}]`);
const key = requireSimpleId(item.key, `repositories[${index}].key`);
const repository = requireRepository(item.repository, `repositories[${index}].repository`);
const remote = requireString(item.remote, `repositories[${index}].remote`);
const sourceBranch = requireGitRef(item.sourceBranch, `repositories[${index}].sourceBranch`);
const desiredFingerprint = requireHex(item.desiredFingerprint, `repositories[${index}].desiredFingerprint`);
const expectedFingerprint = sha256([key, repository, remote, sourceBranch].join("\0"));
if (desiredFingerprint !== expectedFingerprint) throw new Error(`repositories[${index}].desiredFingerprint does not match repository desired state`);
requireCanonicalRemote(remote, repository, remoteAuth.host, `repositories[${index}].remote`);
return { key, repository, remote, sourceBranch, desiredFingerprint };
});
if (repositories.length === 0) throw new Error("repositories must not be empty");
ensureUnique(repositories.map((item) => item.key), "repository keys");
ensureUnique(repositories.map((item) => item.repository), "repository paths");
ensureUnique(repositories.map((item) => item.remote), "repository remotes");
requireObject(raw.retry, "retry");
requireObject(raw.freshness, "freshness");
requireObject(raw.lifecycle, "lifecycle");
if (raw.lifecycle.undeclaredRepositoryPolicy !== "retain" || raw.lifecycle.managedRefs !== "source-branch-only") {
throw new Error("unsupported managed repository lifecycle policy");
}
return {
schemaVersion: 1,
kind: raw.kind,
desiredHash,
nodeId: requireString(raw.nodeId, "nodeId"),
lane: requireString(raw.lane, "lane"),
cacheMountPath,
stateDirectory,
reconcileIntervalMs: requirePositiveInteger(raw.reconcileIntervalMs, "reconcileIntervalMs"),
fetchTimeoutMs: requirePositiveInteger(raw.fetchTimeoutMs, "fetchTimeoutMs"),
shutdownGraceMs: requirePositiveInteger(raw.shutdownGraceMs, "shutdownGraceMs"),
maxConcurrentRepositories: requirePositiveInteger(raw.maxConcurrentRepositories, "maxConcurrentRepositories"),
retry: {
maxAttempts: requirePositiveInteger(raw.retry.maxAttempts, "retry.maxAttempts"),
initialDelayMs: requirePositiveInteger(raw.retry.initialDelayMs, "retry.initialDelayMs"),
maxDelayMs: requirePositiveInteger(raw.retry.maxDelayMs, "retry.maxDelayMs"),
},
freshness: {
maxAgeMs: requirePositiveInteger(raw.freshness.maxAgeMs, "freshness.maxAgeMs"),
},
lifecycle: {
undeclaredRepositoryPolicy: "retain",
managedRefs: "source-branch-only",
},
repositories,
remoteAuth,
};
}
async function reconcileOnce(cfg, path) {
mkdirSync(dirname(path), { recursive: true });
const credential = credentialStatus(cfg);
const previous = readState(path);
const previousByFingerprint = new Map(
Array.isArray(previous?.repositories)
? previous.repositories.map((item) => [item?.desiredFingerprint, item])
: [],
);
const results = await mapConcurrent(cfg.repositories, cfg.maxConcurrentRepositories, async (repository) => {
const prior = previousByFingerprint.get(repository.desiredFingerprint) ?? null;
return reconcileWithRetry(cfg, repository, prior);
});
const now = new Date().toISOString();
const repositories = results.map((item) => withFreshness(item, cfg.freshness.maxAgeMs));
const state = {
schemaVersion: 1,
kind: "AgentRunManagedRepositoryReconcilerStatus",
desiredHash: cfg.desiredHash,
nodeId: cfg.nodeId,
lane: cfg.lane,
observedAt: now,
heartbeatAt: now,
ready: credential.ready === true && repositories.every((item) => item.fresh === true && item.refPresent === true),
lastCycleOk: repositories.every((item) => item.lastAttemptOk === true),
credential,
lifecycle: cfg.lifecycle,
repositories,
valuesPrinted: false,
};
writeState(path, state);
return state;
}
async function reconcileWithRetry(cfg, repository, prior) {
let failure = null;
for (let attempt = 1; attempt <= cfg.retry.maxAttempts && !stopping; attempt += 1) {
try {
const result = await materializeRepository(cfg, repository);
return {
...repositoryIdentity(repository),
refPresent: true,
commit: result.commit,
lastAttemptAt: new Date().toISOString(),
lastAttemptOk: true,
lastSuccessAt: new Date().toISOString(),
attempts: attempt,
errorCode: null,
errorFingerprint: null,
};
} catch (error) {
failure = safeError(error);
log({ event: "managed-repository-reconcile-attempt-failed", repository: repository.repository, sourceBranch: repository.sourceBranch, attempt, errorCode: failure.code, errorFingerprint: failure.fingerprint });
if (attempt < cfg.retry.maxAttempts && !stopping) {
const delayMs = Math.min(cfg.retry.maxDelayMs, cfg.retry.initialDelayMs * (2 ** (attempt - 1)));
await sleep(delayMs);
}
}
}
const inspected = await inspectRepository(cfg, repository);
const preserveSuccess = prior
&& prior.desiredFingerprint === repository.desiredFingerprint
&& prior.commit === inspected.commit
&& typeof prior.lastSuccessAt === "string";
return {
...repositoryIdentity(repository),
refPresent: inspected.refPresent,
commit: inspected.commit,
lastAttemptAt: new Date().toISOString(),
lastAttemptOk: false,
lastSuccessAt: preserveSuccess ? prior.lastSuccessAt : null,
attempts: cfg.retry.maxAttempts,
errorCode: failure?.code ?? (stopping ? "shutdown" : "reconcile-failed"),
errorFingerprint: failure?.fingerprint ?? null,
};
}
async function materializeRepository(cfg, repository) {
assertCredentialReady(cfg);
const finalPath = repositoryPath(cfg, repository);
mkdirSync(dirname(finalPath), { recursive: true });
const existing = existsSync(finalPath);
if (existing && !(await isBareRepository(finalPath, cfg.fetchTimeoutMs))) {
throw codedError("invalid-repository-path", "declared repository path exists but is not a bare Git repository");
}
const workPath = existing
? finalPath
: join(dirname(finalPath), `.${repository.key}.managed-tmp-${process.pid}-${randomBytes(6).toString("hex")}`);
const stageRef = `refs/agentrun-managed/stage/${repository.key}`;
try {
if (!existing) await git(cfg, ["init", "--bare", workPath]);
await git(cfg, ["--git-dir", workPath, "config", "uploadpack.allowReachableSHA1InWant", "true"]);
await git(cfg, ["--git-dir", workPath, "config", "uploadpack.allowAnySHA1InWant", "true"]);
await git(cfg, ["--git-dir", workPath, "config", "http.uploadpack", "true"]);
await git(cfg, ["--git-dir", workPath, "fetch", "--no-tags", repository.remote, `+refs/heads/${repository.sourceBranch}:${stageRef}`]);
const commit = (await git(cfg, ["--git-dir", workPath, "rev-parse", "--verify", `${stageRef}^{commit}`])).stdout.trim();
if (!/^[0-9a-f]{40}$/u.test(commit)) throw codedError("invalid-source-commit", "fetched source ref did not resolve to a commit");
await git(cfg, ["--git-dir", workPath, "update-ref", `refs/heads/${repository.sourceBranch}`, commit]);
await git(cfg, ["--git-dir", workPath, "update-ref", "-d", stageRef]);
await git(cfg, ["--git-dir", workPath, "update-server-info"]);
if (!existing) {
await git(cfg, ["--git-dir", workPath, "symbolic-ref", "HEAD", `refs/heads/${repository.sourceBranch}`]);
renameSync(workPath, finalPath);
}
return { commit };
} catch (error) {
if (existing) {
try { await git(cfg, ["--git-dir", workPath, "update-ref", "-d", stageRef]); } catch {}
} else {
rmSync(workPath, { recursive: true, force: true });
}
throw error;
}
}
async function inspectRepository(cfg, repository) {
const path = repositoryPath(cfg, repository);
if (!existsSync(path) || !(await isBareRepository(path, Math.min(cfg.fetchTimeoutMs, 10000)))) return { refPresent: false, commit: null };
try {
const result = await run("git", ["--git-dir", path, "rev-parse", "--verify", `refs/heads/${repository.sourceBranch}^{commit}`], { timeoutMs: Math.min(cfg.fetchTimeoutMs, 10000), env: process.env });
const commit = result.stdout.trim();
return { refPresent: /^[0-9a-f]{40}$/u.test(commit), commit: /^[0-9a-f]{40}$/u.test(commit) ? commit : null };
} catch {
return { refPresent: false, commit: null };
}
}
async function isBareRepository(path, timeoutMs) {
try {
const result = await run("git", ["--git-dir", path, "rev-parse", "--is-bare-repository"], { timeoutMs, env: process.env });
return result.stdout.trim() === "true";
} catch {
return false;
}
}
async function git(cfg, gitArgs) {
const proxyUrl = `http://${cfg.remoteAuth.proxy.host}:${cfg.remoteAuth.proxy.port}`;
const env = {
PATH: process.env.PATH ?? "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
LANG: process.env.LANG ?? "C.UTF-8",
LC_ALL: process.env.LC_ALL ?? "C.UTF-8",
GIT_TERMINAL_PROMPT: "0",
GIT_ASKPASS: cfg.remoteAuth.askPassFile,
GIT_ASKPASS_REQUIRE: "force",
GIT_CONFIG_NOSYSTEM: "1",
GIT_CONFIG_GLOBAL: "/dev/null",
GIT_SSL_NO_VERIFY: "0",
HTTPS_PROXY: proxyUrl,
HTTP_PROXY: proxyUrl,
https_proxy: proxyUrl,
http_proxy: proxyUrl,
NO_PROXY: "",
no_proxy: "",
};
return run("git", [
"-c", "credential.helper=",
"-c", "http.extraHeader=",
"-c", "http.sslVerify=true",
...gitArgs,
], { timeoutMs: cfg.fetchTimeoutMs, env });
}
async function currentStatus(cfg, path) {
const credential = credentialStatus(cfg);
const state = readState(path);
if (!state || state.desiredHash !== cfg.desiredHash || !Array.isArray(state.repositories)) {
return {
ok: false,
ready: false,
desiredHash: cfg.desiredHash,
observedDesiredHash: state?.desiredHash ?? null,
reason: state ? "desired-state-mismatch" : "status-missing",
repositoryCount: cfg.repositories.length,
credential,
valuesPrinted: false,
};
}
const stateByFingerprint = new Map(state.repositories.map((item) => [item?.desiredFingerprint, item]));
const repositories = [];
for (const desired of cfg.repositories) {
const observed = stateByFingerprint.get(desired.desiredFingerprint) ?? null;
const inspected = await inspectRepository(cfg, desired);
const desiredIdentity = repositoryIdentity(desired);
const item = withFreshness({
...desiredIdentity,
remoteFingerprint: observed?.remoteFingerprint ?? null,
remoteFingerprintAligned: observed?.remoteFingerprint === desiredIdentity.remoteFingerprint,
refPresent: inspected.refPresent,
commit: inspected.commit,
lastAttemptAt: observed?.lastAttemptAt ?? null,
lastAttemptOk: observed?.lastAttemptOk === true,
lastSuccessAt: observed?.commit === inspected.commit ? observed?.lastSuccessAt ?? null : null,
attempts: Number.isInteger(observed?.attempts) ? observed.attempts : null,
errorCode: observed?.errorCode ?? null,
errorFingerprint: observed?.errorFingerprint ?? null,
}, cfg.freshness.maxAgeMs);
repositories.push(item);
}
const heartbeatAgeMs = isoAgeMs(state.heartbeatAt);
const heartbeatFresh = heartbeatAgeMs !== null && heartbeatAgeMs <= cfg.freshness.maxAgeMs;
const ready = credential.ready === true && heartbeatFresh && repositories.every((item) => item.refPresent === true && item.fresh === true && item.remoteFingerprintAligned === true);
return {
ok: ready,
ready,
desiredHash: cfg.desiredHash,
observedDesiredHash: state.desiredHash,
nodeId: cfg.nodeId,
lane: cfg.lane,
heartbeatAt: state.heartbeatAt ?? null,
heartbeatAgeMs,
heartbeatFresh,
lifecycle: cfg.lifecycle,
credential,
repositories,
valuesPrinted: false,
};
}
function compactStatus(cfg, state) {
return {
ok: state.ready === true,
ready: state.ready === true,
desiredHash: cfg.desiredHash,
nodeId: cfg.nodeId,
lane: cfg.lane,
heartbeatAt: state.heartbeatAt,
lifecycle: cfg.lifecycle,
credential: state.credential,
repositories: state.repositories,
valuesPrinted: false,
};
}
function repositoryIdentity(repository) {
return {
key: repository.key,
repository: repository.repository,
sourceBranch: repository.sourceBranch,
desiredFingerprint: repository.desiredFingerprint,
remoteFingerprint: `sha256:${sha256(repository.remote)}`,
};
}
function withFreshness(item, maxAgeMs) {
const ageMs = isoAgeMs(item.lastSuccessAt);
return {
...item,
lastSuccessAgeMs: ageMs,
fresh: item.refPresent === true && ageMs !== null && ageMs <= maxAgeMs,
};
}
function repositoryPath(cfg, repository) {
const root = resolve(cfg.cacheMountPath);
const path = resolve(root, `${repository.repository}.git`);
if (path !== root && !path.startsWith(`${root}${sep}`)) throw codedError("unsafe-repository-path", "repository path escapes cache root");
return path;
}
function readState(path) {
try {
return JSON.parse(readFileSync(path, "utf8"));
} catch {
return null;
}
}
function writeState(path, state) {
mkdirSync(dirname(path), { recursive: true });
const temporary = `${path}.tmp-${process.pid}-${randomBytes(4).toString("hex")}`;
writeFileSync(temporary, `${JSON.stringify(state)}\n`, { mode: 0o600 });
renameSync(temporary, path);
}
async function mapConcurrent(items, concurrency, worker) {
const results = new Array(items.length);
let index = 0;
async function consume() {
while (!stopping) {
const current = index;
index += 1;
if (current >= items.length) return;
results[current] = await worker(items[current], current);
}
}
await Promise.all(Array.from({ length: Math.min(concurrency, items.length) }, () => consume()));
for (let current = 0; current < results.length; current += 1) {
if (results[current] === undefined) {
const item = items[current];
results[current] = {
...repositoryIdentity(item),
refPresent: false,
commit: null,
lastAttemptAt: new Date().toISOString(),
lastAttemptOk: false,
lastSuccessAt: null,
attempts: 0,
errorCode: "shutdown",
errorFingerprint: null,
};
}
}
return results;
}
function run(command, commandArgs, options) {
return new Promise((resolvePromise, rejectPromise) => {
const child = spawn(command, commandArgs, { env: options.env, stdio: ["ignore", "pipe", "pipe"] });
activeChildren.add(child);
let stdout = "";
let stderr = "";
let timedOut = false;
const timer = setTimeout(() => {
timedOut = true;
child.kill("SIGKILL");
}, options.timeoutMs);
child.stdout.on("data", (chunk) => { if (stdout.length < 32768) stdout += chunk.toString("utf8"); });
child.stderr.on("data", (chunk) => { if (stderr.length < 32768) stderr += chunk.toString("utf8"); });
child.on("error", (error) => {
clearTimeout(timer);
activeChildren.delete(child);
rejectPromise(codedError("command-start-failed", error.message));
});
child.on("close", (code, signal) => {
clearTimeout(timer);
activeChildren.delete(child);
if (timedOut) return rejectPromise(codedError("fetch-timeout", `${command} exceeded timeout`));
if (code !== 0) return rejectPromise(codedError("command-failed", `${command} exited ${code ?? signal}: ${stderr || stdout}`));
resolvePromise({ stdout, stderr });
});
});
}
function beginShutdown() {
if (stopping) return;
stopping = true;
const timer = setTimeout(() => {
for (const child of activeChildren) child.kill("SIGKILL");
}, config.shutdownGraceMs);
timer.unref();
}
function sleep(ms) {
if (stopping) return Promise.resolve();
return new Promise((resolvePromise) => {
let settled = false;
const finish = () => {
if (settled) return;
settled = true;
clearTimeout(timer);
clearInterval(check);
resolvePromise();
};
const timer = setTimeout(finish, ms);
const check = setInterval(() => {
if (stopping) finish();
}, Math.min(ms, 100));
});
}
function safeError(error) {
const message = error instanceof Error ? error.message : String(error);
const lower = message.toLowerCase();
const code = error?.code && typeof error.code === "string" && error.code !== "command-failed"
? error.code
: lower.includes("couldn't find remote ref") || lower.includes("remote ref does not exist")
? "source-ref-missing"
: lower.includes("repository not found") || lower.includes("not found")
? "repository-not-found"
: lower.includes("permission denied") || lower.includes("publickey") || lower.includes("authentication")
? "authentication-failed"
: lower.includes("timeout") || lower.includes("timed out")
? "fetch-timeout"
: "fetch-failed";
return { code, fingerprint: sha256(message).slice(0, 16) };
}
function codedError(code, message) {
const error = new Error(message);
error.code = code;
return error;
}
function isoAgeMs(value) {
if (typeof value !== "string") return null;
const time = Date.parse(value);
return Number.isFinite(time) ? Math.max(0, Date.now() - time) : null;
}
function sha256(value) {
return createHash("sha256").update(value).digest("hex");
}
function log(value) {
process.stdout.write(`${JSON.stringify({ ...value, valuesPrinted: false })}\n`);
}
function requireObject(value, path) {
if (!value || typeof value !== "object" || Array.isArray(value)) throw new Error(`${path} must be an object`);
return value;
}
function requireArray(value, path) {
if (!Array.isArray(value)) throw new Error(`${path} must be an array`);
return value;
}
function requireString(value, path) {
if (typeof value !== "string" || value.length === 0) throw new Error(`${path} must be a non-empty string`);
return value;
}
function requirePositiveInteger(value, path) {
if (!Number.isInteger(value) || value <= 0) throw new Error(`${path} must be a positive integer`);
return value;
}
function requirePort(value, path) {
const port = requirePositiveInteger(value, path);
if (port > 65535) throw new Error(`${path} must be at most 65535`);
return port;
}
function requireLiteral(value, path, expected) {
if (value !== expected) throw new Error(`${path} must be ${expected}`);
return expected;
}
function requireHost(value, path) {
const host = requireString(value, path);
if (host !== host.toLowerCase() || !/^(?:[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?|\d{1,3}(?:\.\d{1,3}){3})$/u.test(host) || host.includes("..")) {
throw new Error(`${path} must be a lowercase hostname or IPv4 address without a port`);
}
return host;
}
function requireCanonicalRemote(value, repository, host, path) {
let parsed;
try {
parsed = new URL(value);
} catch {
throw new Error(`${path} must be a canonical HTTPS URL`);
}
const expected = `https://${host}/${repository}.git`;
if (
value !== expected
|| parsed.protocol !== "https:"
|| parsed.hostname !== host
|| parsed.port !== ""
|| parsed.username !== ""
|| parsed.password !== ""
|| parsed.search !== ""
|| parsed.hash !== ""
) throw new Error(`${path} must exactly match ${expected} without userinfo, port, query, or fragment`);
}
function credentialStatus(cfg) {
try {
assertCredentialReady(cfg);
return { ready: true, errorCode: null, errorFingerprint: null, valuesPrinted: false };
} catch (error) {
const failure = safeError(error);
return { ready: false, errorCode: failure.code, errorFingerprint: failure.fingerprint, valuesPrinted: false };
}
}
function assertCredentialReady(cfg) {
if (!existsSync(cfg.remoteAuth.askPassFile)) throw codedError("credential-helper-missing", "rendered credential helper is missing");
let token;
try {
token = readFileSync(cfg.remoteAuth.tokenFile, "utf8").trim();
} catch {
throw codedError("credential-file-missing", "projected credential file is missing or unreadable");
}
if (token.length === 0) throw codedError("credential-empty", "projected credential file is empty");
if (/[\u0000\r\n]/u.test(token)) throw codedError("credential-invalid", "projected credential file contains unsupported control characters");
}
function requireAbsolutePath(value, path) {
const text = requireString(value, path);
if (!text.startsWith("/") || text.includes("..")) throw new Error(`${path} must be an absolute path without ..`);
return text;
}
function requireRelativePath(value, path) {
const text = requireString(value, path);
if (text.startsWith("/") || text.includes("..") || text === ".") throw new Error(`${path} must be a dedicated relative path without ..`);
return text;
}
function requireSimpleId(value, path) {
const text = requireString(value, path);
if (!/^[A-Za-z0-9._-]+$/u.test(text)) throw new Error(`${path} must use a simple id`);
return text;
}
function requireRepository(value, path) {
const text = requireString(value, path);
if (!/^[A-Za-z0-9._-]+\/[A-Za-z0-9._-]+$/u.test(text) || text.includes("..")) throw new Error(`${path} must be owner/name without ..`);
return text;
}
function requireGitRef(value, path) {
const text = requireString(value, path);
if (text.startsWith("-") || text.startsWith("/") || text.endsWith("/") || text.endsWith(".") || text.includes("..") || text.includes("@{") || /[\u0000-\u0020~^:?*[\\]/u.test(text)) {
throw new Error(`${path} must be a safe Git ref name`);
}
return text;
}
function requireHex(value, path) {
const text = requireString(value, path);
if (!/^[0-9a-f]{64}$/u.test(text)) throw new Error(`${path} must be a sha256 fingerprint`);
return text;
}
function ensureUnique(values, path) {
if (new Set(values).size !== values.length) throw new Error(`${path} must be unique`);
}