foundation/bootstrap/index.ts
Andreas Niemann 57c4eadea7 feat(bootstrap): Bun-workspace skeleton + typed config + vendored modules — T02
- Bun workspaces (packages/* + bootstrap); Pulumi nodejs runtime under
  packagemanager: bun (no npm fallback needed).
- bootstrap/config.ts: typed FoundationConfig per CONTRACT_001; loadConfig()
  fails closed, aggregating all missing+malformed keys in one error. Reads flat
  dotted keys; image digests excluded (they live in VERSIONS, D5).
- bootstrap/Pulumi.foundation.yaml: non-secret placeholders only (RFC-5737 vm.host,
  .invalid offsite); no encryptionsalt/secrets committed (D2). pulumi preview = 0
  resources under the passphrase provider via gitignored file:// state backend.
- Stage-1 vendoring: packages/pulumi-{docker,vault} as @olsitec/* (source-only,
  logic unchanged). vault's 5 type-only imports from modules/olsitec re-homed
  verbatim into pulumi-vault/olsitec-types.ts to keep the egg self-contained.

Realizes PLAN-002 §10 T02; ADR-005 / 000_TOPOLOGY.md §5 Stage-1.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 18:06:21 +02:00

37 lines
1.8 KiB
TypeScript

// index.ts — the foundation egg entrypoint (PLAN-002 §0, Layer 0).
//
// T02 SCAFFOLD STATE: this entrypoint is intentionally a NO-OP beyond config
// validation. It calls loadConfig() so that `pulumi preview` exercises the
// CONTRACT_001 fail-closed validation (acceptance T02), but it creates NO real
// resources yet. The data plane / Vault / RustFS / Postgres / Forgejo / Caddy /
// runner components are LATER tasks (PLAN-002 §10: T03-T15) and are deliberately
// NOT authored here.
import * as pulumi from "@pulumi/pulumi";
import { loadConfig, sshPrivateKeyPath } from "./config";
// Fail closed here: if required config is missing/malformed, loadConfig throws
// and `pulumi preview` reports the full gap (CONTRACT_001 §Validation).
const config = loadConfig();
// The vendored @olsitec/pulumi-docker provider (CONTRACT_003) will, in T03+, use
// this key path + config.vm.{host,user} to reach the foundation VM over SSH.
// Resolved here only to prove the ENV channel is wired; not yet consumed.
const sshKeyPath = sshPrivateKeyPath();
pulumi.log.info(
  `foundation config loaded (no-op scaffold): ` +
    `baseDomain=${config.baseDomain}, vm=${config.vm.user}@${config.vm.host}, ` +
    `network=${config.network.name} (${config.network.subnet}), tls=${config.tls.mode}`,
);
// Stack outputs — safe, non-secret echoes so `pulumi preview`/`up` has something
// to show while no resources exist. Replaced by real component outputs in T03+.
export const phase = "T02-scaffold";
export const baseDomain = config.baseDomain;
export const networkName = config.network.name;
export const vmTarget = pulumi.interpolate`${config.vm.user}@${config.vm.host}`;
export const sshKeyConfigured = sshKeyPath.length > 0;
export const enabledFeatures = Object.entries(config.features)
  .filter(([, on]) => on)
  .map(([name]) => name);
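
The entrypoint relies on loadConfig() failing closed and reporting every missing or malformed key in one error. The sketch below shows one way such a loader can work over flat dotted keys; it is an added example, not the project's bootstrap/config.ts, and the key list, the accepted tls.mode values, the hints and the ConfigError class are assumptions.

```typescript
// Added illustration, NOT the project's bootstrap/config.ts. The key list, the
// accepted tls.mode values and ConfigError are assumptions for this sketch.
type Rule = { key: string; ok: (v: string) => boolean; hint: string };

function isIpv4Cidr(v: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(v);
  return m !== null && m.slice(1, 5).every((o) => Number(o) <= 255) && Number(m[5]) <= 32;
}

const RULES: Rule[] = [
  { key: "baseDomain", ok: (v) => /^([a-z0-9-]+\.)+[a-z]{2,}$/.test(v), hint: "DNS name" },
  { key: "vm.host", ok: (v) => /^[A-Za-z0-9.:-]+$/.test(v), hint: "host name or IP" },
  { key: "vm.user", ok: (v) => /^[a-z_][a-z0-9_-]*$/.test(v), hint: "POSIX user" },
  { key: "network.name", ok: (v) => /^[A-Za-z0-9][A-Za-z0-9_.-]*$/.test(v), hint: "name" },
  { key: "network.subnet", ok: isIpv4Cidr, hint: "IPv4 CIDR" },
  { key: "tls.mode", ok: (v) => /^(internal|acme)$/.test(v), hint: "internal|acme" },
];

class ConfigError extends Error {
  missing: string[];
  malformed: string[];
  constructor(missing: string[], malformed: string[]) {
    super(`config invalid; missing: [${missing.join(", ")}]; malformed: [${malformed.join(", ")}]`);
    this.missing = missing;
    this.malformed = malformed;
  }
}

// Reads flat dotted keys; returns validated values or throws once with every gap.
function loadFlatConfig(raw: Record<string, string | undefined>): Record<string, string> {
  const missing: string[] = [];
  const malformed: string[] = [];
  const out: Record<string, string> = {};
  for (const { key, ok, hint } of RULES) {
    const v = raw[key];
    if (v === undefined || v.trim() === "") missing.push(key);
    else if (!ok(v)) malformed.push(`${key} (${hint})`);
    else out[key] = v;
  }
  // Fail closed: never return a partial config or fall back to defaults.
  if (missing.length > 0 || malformed.length > 0) throw new ConfigError(missing, malformed);
  return out;
}

// Constructed sample: RFC 5737 address, one key absent, two malformed.
const SAMPLE_BAD: Record<string, string> = { "baseDomain": "foundation.example",
  "vm.host": "192.0.2.10", "network.name": "foundation",
  "network.subnet": "10.10.0.0/40", "tls.mode": "off" };
```

Collecting every gap before throwing means a single `pulumi preview` run shows the operator the whole list, while the unconditional throw keeps a half-valid config from ever reaching resource creation.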