prvng_core/nulib/sops_env.nu


export-env {
    # Get infrastructure path (early return if not set)
    let infra_path = if ("CURRENT_INFRA_PATH" in $env) { $env.CURRENT_INFRA_PATH } else { "" }
    if ($infra_path | is-empty) {
        return
    }

    # Check vault-service configuration
    let vault_url = if ("VAULT_SERVICE_URL" in $env) { $env.VAULT_SERVICE_URL } else { "" }
    let vault_env = if ("PROVISIONING_ENV" in $env) { $env.PROVISIONING_ENV } else { "dev" }
    let use_vault = (not ($vault_url | is-empty)) and ($vault_url | str starts-with "http")

    if $use_vault {
        # Attempt to fetch public key from vault-service
        let response = (http get $"($vault_url)/api/v1/age/get-public?env=($vault_env)" | complete)

        if $response.exit_code == 0 {
            let json = ($response.stdout | from json)
            let public_key = ($json | get -o public_key | default "")

            if not ($public_key | is-empty) {
                $env.SOPS_AGE_RECIPIENTS = $public_key
                print $"✓ Age public key loaded from vault-service for ($vault_env)"
                return
            }
        }

        print "⚠️ Could not fetch Age key from vault-service, using filesystem fallback"
    }

    # Fallback: Load from filesystem
    let kloud_path = if ("CURRENT_KLOUD_PATH" in $env) { $env.CURRENT_KLOUD_PATH } else { "" }
    let base_path = if ($kloud_path | is-empty) { $infra_path } else { $kloud_path }

    $env.PROVISIONING_SOPS = (get_def_sops $base_path)
    $env.PROVISIONING_KAGE = (get_def_age $base_path)

    # Parse filesystem Age key
    let kage_file = if ("PROVISIONING_KAGE" in $env) { $env.PROVISIONING_KAGE } else { "" }
    if not ($kage_file | is-empty) {
        $env.SOPS_AGE_KEY_FILE = $kage_file

        let key_line = (grep "public key:" $env.SOPS_AGE_KEY_FILE | head -n 1 | default "")
        let key_parts = ($key_line | split row ":" | each { |x| $x | str trim })
        let public_key = if ($key_parts | length) > 1 { $key_parts | get 1 } else { "" }

        if not ($public_key | is-empty) {
            $env.SOPS_AGE_RECIPIENTS = $public_key
        } else {
            print $"❗Error no key found in (_ansi red_bold)($kage_file)(_ansi reset) file"
            exit 1
        }
    }
}
chore: codebase 2025-10-07 10:32:04 +01:00
			`export-env {`
feat(core): three-layer DAG, unified component arch, commands-registry cache, Nushell 0.112.2 migration - DAG architecture: `dag show/validate/export` (nulib/main_provisioning/dag.nu), config loader (lib_provisioning/config/loader/dag.nu), taskserv dag-executor. Backed by schemas/lib/dag/.ncl; orchestrator emits NATS events via WorkspaceComposition::into_workflow. See ADR-020, ADR-021. - Unified Component Architecture: components/mod.nu, main_provisioning/ {components,workflow,extensions,ontoref-queries}.nu. Full workflow engine with topological sort and NATS subject emission. Blocks A-H complete (libre-daoshi). - Commands-registry: nulib/commands-registry.ncl (Nickel source, 314 lines) + JSON cache at ~/.cache/provisioning/commands-registry.json rebuilt on source change. cli/provisioning fast-path alias expansion avoids cold Nu startup. ADDING_COMMANDS.md documents new-command workflow. - Platform service manager: service-manager.nu (+573), startup.nu (+611), service-check.nu (+255); autostart/bootstrap/health/target refactored. - Nushell 0.112.2 migration: removed all try/catch and bash redirections; external commands prefixed with ^; type signatures enforced. Driven by scripts/refactor-try-catch{,-simplified}.nu. - TTY stack: removed shlib/-tty.sh; replaced by cli/tty-dispatch.sh, tty-filter.sh, tty-commands.conf. - New domain modules: images/ (golden image lifecycle), workspace/{state,sync}.nu, main_provisioning/{bootstrap,cluster-deploy,fip,state}.nu, commands/{state, build,integrations/auth,utilities/alias}.nu, platform.nu expanded (+874). - Config loader overhaul: loader/core.nu slimmed (-759), cache/core.nu refactored (-454), removed legacy loaders/file_loader.nu (-330). - Thirteen new provisioning-<domain>.nu top-level modules for bash dispatcher. - Tests: test_workspace_state.nu (+351); updates to test_oci_registry, test_services. - README + CHANGELOG updated. 2026-04-17 04:27:33 +01:00			`# Get infrastructure path (early return if not set)`
			`let infra_path = if ("CURRENT_INFRA_PATH" in $env) { $env.CURRENT_INFRA_PATH } else { "" }`
			`if ($infra_path \| is-empty) {`
			`return`
			`}`

			`# Check vault-service configuration`
			`let vault_url = if ("VAULT_SERVICE_URL" in $env) { $env.VAULT_SERVICE_URL } else { "" }`
			`let vault_env = if ("PROVISIONING_ENV" in $env) { $env.PROVISIONING_ENV } else { "dev" }`
			`let use_vault = (not ($vault_url \| is-empty)) and ($vault_url \| str starts-with "http")`

			`if $use_vault {`
			`# Attempt to fetch public key from vault-service`
			`let response = (http get $"($vault_url)/api/v1/age/get-public?env=($vault_env)" \| complete)`

			`if $response.exit_code == 0 {`
			`let json = ($response.stdout \| from json)`
			`let public_key = ($json \| get -o public_key \| default "")`

			`if not ($public_key \| is-empty) {`
			`$env.SOPS_AGE_RECIPIENTS = $public_key`
			`print $"✓ Age public key loaded from vault-service for ($vault_env)"`
			`return`
chore: codebase 2025-10-07 10:32:04 +01:00			`}`
			`}`
feat(core): three-layer DAG, unified component arch, commands-registry cache, Nushell 0.112.2 migration - DAG architecture: `dag show/validate/export` (nulib/main_provisioning/dag.nu), config loader (lib_provisioning/config/loader/dag.nu), taskserv dag-executor. Backed by schemas/lib/dag/.ncl; orchestrator emits NATS events via WorkspaceComposition::into_workflow. See ADR-020, ADR-021. - Unified Component Architecture: components/mod.nu, main_provisioning/ {components,workflow,extensions,ontoref-queries}.nu. Full workflow engine with topological sort and NATS subject emission. Blocks A-H complete (libre-daoshi). - Commands-registry: nulib/commands-registry.ncl (Nickel source, 314 lines) + JSON cache at ~/.cache/provisioning/commands-registry.json rebuilt on source change. cli/provisioning fast-path alias expansion avoids cold Nu startup. ADDING_COMMANDS.md documents new-command workflow. - Platform service manager: service-manager.nu (+573), startup.nu (+611), service-check.nu (+255); autostart/bootstrap/health/target refactored. - Nushell 0.112.2 migration: removed all try/catch and bash redirections; external commands prefixed with ^; type signatures enforced. Driven by scripts/refactor-try-catch{,-simplified}.nu. - TTY stack: removed shlib/-tty.sh; replaced by cli/tty-dispatch.sh, tty-filter.sh, tty-commands.conf. - New domain modules: images/ (golden image lifecycle), workspace/{state,sync}.nu, main_provisioning/{bootstrap,cluster-deploy,fip,state}.nu, commands/{state, build,integrations/auth,utilities/alias}.nu, platform.nu expanded (+874). - Config loader overhaul: loader/core.nu slimmed (-759), cache/core.nu refactored (-454), removed legacy loaders/file_loader.nu (-330). - Thirteen new provisioning-<domain>.nu top-level modules for bash dispatcher. - Tests: test_workspace_state.nu (+351); updates to test_oci_registry, test_services. - README + CHANGELOG updated. 2026-04-17 04:27:33 +01:00
			`print "⚠️ Could not fetch Age key from vault-service, using filesystem fallback"`
			`}`

			`# Fallback: Load from filesystem`
			`let kloud_path = if ("CURRENT_KLOUD_PATH" in $env) { $env.CURRENT_KLOUD_PATH } else { "" }`
			`let base_path = if ($kloud_path \| is-empty) { $infra_path } else { $kloud_path }`

			`$env.PROVISIONING_SOPS = (get_def_sops $base_path)`
			`$env.PROVISIONING_KAGE = (get_def_age $base_path)`

			`# Parse filesystem Age key`
			`let kage_file = if ("PROVISIONING_KAGE" in $env) { $env.PROVISIONING_KAGE } else { "" }`
			`if not ($kage_file \| is-empty) {`
			`$env.SOPS_AGE_KEY_FILE = $kage_file`

			`let key_line = (grep "public key:" $env.SOPS_AGE_KEY_FILE \| head -n 1 \| default "")`
			`let key_parts = ($key_line \| split row ":" \| each { \|x\| $x \| str trim })`
			`let public_key = if ($key_parts \| length) > 1 { $key_parts \| get 1 } else { "" }`

			`if not ($public_key \| is-empty) {`
			`$env.SOPS_AGE_RECIPIENTS = $public_key`
			`} else {`
			`print $"❗Error no key found in (_ansi red_bold)($kage_file)(_ansi reset) file"`
			`exit 1`
			`}`
chore: codebase 2025-10-07 10:32:04 +01:00			`}`
chore: complete KCL to Nickel migration cleanup and setup pre-commit Clean up 404 KCL references (99.75% complete): - Rename kcl_* variables to schema_/nickel_ (kcl_path→schema_path, etc.) - Update functions: parse_kcl_file→parse_nickel_file - Update env vars: KCL_MOD_PATH→NICKEL_IMPORT_PATH - Fix cli/providers-install: add has_nickel and nickel_version variables - Correct import syntax: .nickel.→.ncl. - Update 57 files across core, CLI, config, and utilities Configure pre-commit hooks: - Activate: nushell-check, nickel-typecheck, markdownlint - Comment out: Rust hooks (fmt, clippy, test), check-yaml Testing: - Module discovery: 9 modules (6 providers, 1 taskserv, 2 clusters) ✅ - Syntax validation: 15 core files ✅ - Pre-commit hooks: all passing ✅ 2026-01-08 20:08:46 +00:00			`}`