Lines 175-229javascript
175 encodeURIComponent(JSON.stringify([{ key: 'dns', type: 'edit' }])) + '&name=' + encodeURIComponent('ust-ceremony (DNS only — revoke after)');
177// wrangler project for the OAuth path: two files, the route rides the config. Pure + testable.
178export function buildWranglerProject({ domain, genesisText }) {
180 'worker.mjs': buildWorkerScript(genesisText),
182 `name = "ust-genesis-${domain.replaceAll('.', '-')}"`,
183 'main = "worker.mjs"',
184 'compatibility_date = "2026-01-01"',
185 'workers_dev = false',
186 `routes = [{ pattern = "${domain}/.well-known/ust-genesis*", zone_name = "${domain}" }]`,
191// The MINIMAL wrangler OAuth consent for this deploy — 5 scopes, not wrangler's default 28. The default
192// consent asks for wrangler's WHOLE toolbox (D1/Pages/Queues/Email/…) because OAuth scopes belong to the
193// CLIENT, not the task; `--scopes` narrows the grant to exactly what deploying a worker+route needs.
194export const WRANGLER_LOGIN_CMD = 'npx wrangler login --scopes account:read user:read workers_scripts:write workers_routes:write zone:read';
196// OAuth half: deploy via `npx wrangler deploy` — wrangler owns the browser-login flow (the CF OAuth client
197// is wrangler-only; a third-party CLI cannot run that flow itself, so we DELEGATE instead of imitating).
198// stdio is inherited so the user SEES the login. execImpl/writeImpl injected — testable without a network.
199export async function wranglerDeploy({ domain, genesisText, execImpl = null, writeImpl = null }) {
200 const doc = decodeInput(genesisText);
201 if (!P.isValid(P.verify(doc))) throw new Error('refusing to publish: the genesis does not VERIFY');
202 const files = buildWranglerProject({ domain, genesisText });
203 const { mkdtempSync } = await import('node:fs');
204 const { tmpdir } = await import('node:os');
205 const { join } = await import('node:path');
206 const dir = mkdtempSync(join(tmpdir(), 'ust-cf-'));
207 const write = writeImpl ?? ((p, c) => writeFileSync(p, c));
208 for (const [name, content] of Object.entries(files)) write(join(dir, name), content);
209 const exec = execImpl ?? (async (cwd) => {
210 const { spawnSync } = await import('node:child_process');
211 const r = spawnSync('npx', ['wrangler', 'deploy'], { cwd, stdio: 'inherit' });
HighRuntime Package Install
Package source invokes a package manager install command at runtime.
index.mjsView on unpkg · L195 212 return r.status ?? 1;
214 const code = await exec(dir);
215 if (code !== 0) throw new Error('wrangler deploy failed (not logged in? run the MINIMAL-scope browser login and re-run):\n ' + WRANGLER_LOGIN_CMD + '\n (5 scopes — not wrangler\'s default 28; `wrangler logout` revokes the grant after the ceremony)');
216 return { genHash: P.contentHash(doc), script: `ust-genesis-${domain.replaceAll('.', '-')}`, route: `${domain}/.well-known/ust-genesis*`, dir };
219// DNS half (small-token): apex proxy check/flip + SSL advisory. Scope needed: Zone.DNS:Edit only — the SSL
220// read degrades to a note when the token cannot see zone settings (never blocks the smaller scope).
221export async function cfApexSteps({ domain, token, flipProxy = false, fetchImpl = fetch }) {
222 if (!token) throw new Error('apex steps need a CF token with Zone.DNS:Edit for ' + domain + ' — create one prefilled: ' + CF_DNS_TOKEN_URL);
223 const cf = (path, init) => fetchImpl('https://api.cloudflare.com/client/v4' + path, { ...init, headers: { Authorization: 'Bearer ' + token, ...(init?.headers) } }).then((r) => r.json());
224 const zone = (await cf(`/zones?name=${domain}`)).result?.[0];
225 if (!zone) throw new Error('CF zone not found / token cannot see ' + domain);
227 const recs = (await cf(`/zones/${zone.id}/dns_records?name=${domain}`)).result || [];
228 const apex = recs.filter((r) => ['A', 'AAAA', 'CNAME'].includes(r.type));
229 const proxied = apex.some((r) => r.proxied);