Lines 184-238javascript
184 encodeURIComponent(JSON.stringify([{ key: 'dns', type: 'edit' }])) + '&name=' + encodeURIComponent('ust-ceremony (DNS only — revoke after)');
186// wrangler project for the OAuth path: two files, the route rides the config. Pure + testable.
187export function buildWranglerProject({ domain, genesisText, keylogText = null }) {
189 'worker.mjs': buildWorkerScript(genesisText, keylogText),
191 `name = "ust-genesis-${domain.replaceAll('.', '-')}"`,
192 'main = "worker.mjs"',
193 'compatibility_date = "2026-01-01"',
194 'workers_dev = false',
195 `routes = [{ pattern = "${domain}/.well-known/ust-genesis*", zone_name = "${domain}" }${keylogText !== null ? `, { pattern = "${domain}/.well-known/ust-keylog*", zone_name = "${domain}" }` : ''}]`,
200// The MINIMAL wrangler OAuth consent for this deploy — 5 scopes, not wrangler's default 28. The default
201// consent asks for wrangler's WHOLE toolbox (D1/Pages/Queues/Email/…) because OAuth scopes belong to the
202// CLIENT, not the task; `--scopes` narrows the grant to exactly what deploying a worker+route needs.
203export const WRANGLER_LOGIN_CMD = 'npx wrangler login --scopes account:read user:read workers_scripts:write workers_routes:write zone:read';
205// OAuth half: deploy via `npx wrangler deploy` — wrangler owns the browser-login flow (the CF OAuth client
206// is wrangler-only; a third-party CLI cannot run that flow itself, so we DELEGATE instead of imitating).
207// stdio is inherited so the user SEES the login. execImpl/writeImpl injected — testable without a network.
208export async function wranglerDeploy({ domain, genesisText, keylogText = null, execImpl = null, writeImpl = null }) {
209 const doc = decodeInput(genesisText);
210 if (!P.isValid(P.verify(doc))) throw new Error('refusing to publish: the genesis does not VERIFY');
211 const files = buildWranglerProject({ domain, genesisText, keylogText });
212 const { mkdtempSync } = await import('node:fs');
213 const { tmpdir } = await import('node:os');
214 const { join } = await import('node:path');
215 const dir = mkdtempSync(join(tmpdir(), 'ust-cf-'));
216 const write = writeImpl ?? ((p, c) => writeFileSync(p, c));
217 for (const [name, content] of Object.entries(files)) write(join(dir, name), content);
218 const exec = execImpl ?? (async (cwd) => {
219 const { spawnSync } = await import('node:child_process');
220 const r = spawnSync('npx', ['wrangler', 'deploy'], { cwd, stdio: 'inherit' });
HighRuntime Package Install
Package source invokes a package manager install command at runtime.
index.mjsView on unpkg · L204 221 return r.status ?? 1;
223 const code = await exec(dir);
224 if (code !== 0) throw new Error('wrangler deploy failed (not logged in? run the MINIMAL-scope browser login and re-run):\n ' + WRANGLER_LOGIN_CMD + '\n (5 scopes — not wrangler\'s default 28; `wrangler logout` revokes the grant after the ceremony)');
225 return { genHash: P.contentHash(doc), script: `ust-genesis-${domain.replaceAll('.', '-')}`, route: `${domain}/.well-known/ust-genesis*`, dir };
228// DNS half (small-token): apex proxy check/flip + SSL advisory. Scope needed: Zone.DNS:Edit only — the SSL
229// read degrades to a note when the token cannot see zone settings (never blocks the smaller scope).
230export async function cfApexSteps({ domain, token, flipProxy = false, fetchImpl = fetch }) {
231 if (!token) throw new Error('apex steps need a CF token with Zone.DNS:Edit for ' + domain + ' — create one prefilled: ' + CF_DNS_TOKEN_URL);
232 const cf = (path, init) => fetchImpl('https://api.cloudflare.com/client/v4' + path, { ...init, headers: { Authorization: 'Bearer ' + token, ...(init?.headers) } }).then((r) => r.json());
233 const zone = (await cf(`/zones?name=${domain}`)).result?.[0];
234 if (!zone) throw new Error('CF zone not found / token cannot see ' + domain);
236 const recs = (await cf(`/zones/${zone.id}/dns_records?name=${domain}`)).result || [];
237 const apex = recs.filter((r) => ['A', 'AAAA', 'CNAME'].includes(r.type));
238 const proxied = apex.some((r) => r.proxied);