Stellar scafold fargate backend

.github/actions/oidc/action.yaml

@@ -0,0 +1,45 @@
+---
+name: AWS OIDC Credentials via Role Assume Chaining
+description: Retrieve AWS credentials by chaining role assumes
+inputs:
+  role-for-oidc:
+    description: The role that should be used for GitHub OIDC authentication
+    required: true
+  role-to-assume:
+    description: The role that should be finally assumed
+    required: true
+  role-session-name:
+    description: The session name that should be used when assuming roles
+    required: true
+    default: github-actions
+  role-duration-seconds:
+    description: duration of the credentials validity
+    required: true
+    default: "3600"
+  aws-region:
+    description: The AWS region
+    required: false
+    default: us-east-1
+
+runs:
+  using: composite
+  steps:
+    - name: assume oidc role
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722  # v4.1.0
+      with:
+        aws-region: us-east-1
+        role-to-assume: ${{ inputs.role-for-oidc }}
+        role-session-name: ${{ inputs.role-session-name }}
+        role-duration-seconds: 900
+    - name: assume target role
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722  # v4.1.0
+      id: assume-target-role
+      with:
+        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
+        aws-region: ${{ inputs.aws-region }}
+        role-chaining: true
+        role-to-assume: ${{ inputs.role-to-assume }}
+        role-session-name: ${{ inputs.role-session-name }}
+        role-duration-seconds: ${{ inputs.role-duration-seconds }}

.github/workflows/docker-prod.yaml

@@ -0,0 +1,133 @@
+# This workflow runs whenever a release is created.
+# The image is tagged with latest and the release version.
+name: (Production) Build and Push Docker Images
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+      attestations: write
+      security-events: write
+    env:
+      REGISTRY: ${{ secrets.RESEARCH_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com
+      ROLE_FOR_OIDC: 'arn:aws:iam::${{ secrets.ROOT_ACCOUNT_ID }}:role/github-actions-research-account-oidc-role'
+      ROLE_TO_ASSUME: 'arn:aws:iam::${{ secrets.RESEARCH_ACCOUNT_ID }}:role/GithubOIDCResearchAccountRole'
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09 # v1.11.7
+        id: gh-app-token
+        with:
+          app-id: ${{ vars.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+      - name: Checkout Repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: ${{ steps.gh-app-token.outputs.token }}
+          fetch-depth: 0
+
+      - name: Setup pre-requisites
+        uses: ./.github/actions/setup
+        with:
+          token: ${{ steps.gh-app-token.outputs.token }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        with:
+          platforms: 'arm64'
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+
+      - name: Set up AWS credentials via OIDC and role chaining
+        uses: ./.github/actions/oidc
+        with:
+          role-for-oidc: ${{ env.ROLE_FOR_OIDC }}
+          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+
+      - name: Build Stellar API Docker image
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        id: build
+        with:
+          context: .
+          platforms: linux/amd64 # linux/arm64 causes anchore/scan-action to fail
+          tags: |
+            ${{ env.REGISTRY }}/wizard-stellar-api-prod:latest
+            ${{ env.REGISTRY }}/wizard-stellar-api-prod:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          load: true
+
+      - name: Scan Stellar API Docker image
+        uses: anchore/scan-action@df395807f4554463d4455b8047cf58e37b6acaae # v6.5.0
+        id: scan
+        with:
+          image: ${{ env.REGISTRY }}/wizard-stellar-api-prod:${{ github.sha }}
+          fail-build: false
+
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Build and push Stellar API Docker image
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        id: push
+        with:
+          context: packages/ui/api/stellar
+          file: Dockerfile.prod
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/wizard-stellar-api-prod:latest
+            ${{ env.REGISTRY }}/wizard-stellar-api-prod:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build-and-push
+    env:
+      ROLE_FOR_OIDC: 'arn:aws:iam::${{ secrets.ROOT_ACCOUNT_ID }}:role/github-actions-research-account-oidc-role'
+      ROLE_TO_ASSUME: 'arn:aws:iam::${{ secrets.RESEARCH_ACCOUNT_ID }}:role/GithubOIDCResearchAccountRole'
+      ECS_CLUSTER: 'wizard-prod-cluster'
+      ECS_SERVICE: 'wizard-prod-service'
+      AWS_REGION: 'us-east-1'
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up AWS credentials via OIDC and role chaining
+        uses: ./.github/actions/oidc
+        with:
+          role-for-oidc: ${{ env.ROLE_FOR_OIDC }}
+          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+
+      - name: AWS ECS force new deployment
+        run: |
+          aws ecs update-service --cluster $ECS_CLUSTER --service $ECS_SERVICE --force-new-deployment --region $AWS_REGION

.github/workflows/docker-stg.yaml

@@ -0,0 +1,126 @@
+# This workflow runs whenever a release is created.
+# The image is tagged with latest and the release version.
+name: (Staging) Build and Push Docker Images
+
+on:
+  push:
+    branches: [staging]
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branch to build from'
+        required: true
+        default: 'ci-cd'
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+      attestations: write
+      security-events: write
+    env:
+      REGISTRY: ${{ secrets.RESEARCH_ACCOUNT_ID }}.dkr.ecr.us-east-1.amazonaws.com
+      ROLE_FOR_OIDC: 'arn:aws:iam::${{ secrets.ROOT_ACCOUNT_ID }}:role/github-actions-research-account-oidc-role'
+      ROLE_TO_ASSUME: 'arn:aws:iam::${{ secrets.RESEARCH_ACCOUNT_ID }}:role/GithubOIDCResearchAccountRole'
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        with:
+          platforms: 'arm64'
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2
+
+      - name: Set up AWS credentials via OIDC and role chaining
+        uses: ./.github/actions/oidc
+        with:
+          role-for-oidc: ${{ env.ROLE_FOR_OIDC }}
+          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+
+      - name: Build Stellar API Docker image
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        id: build
+        with:
+          context: ./packages/ui/api/stellar
+          platforms: linux/amd64 # linux/arm64 causes anchore/scan-action to fail
+          tags: |
+            ${{ env.REGISTRY }}/wizard-stellar-api-stg:latest
+            ${{ env.REGISTRY }}/wizard-stellar-api-stg:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          load: true
+
+      - name: Scan Stellar API Docker image
+        uses: anchore/scan-action@df395807f4554463d4455b8047cf58e37b6acaae # v6.5.0
+        id: scan
+        with:
+          image: ${{ env.REGISTRY }}/wizard-stellar-api-stg:${{ github.sha }}
+          fail-build: false
+
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Build and push Stellar API Docker image
+        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        id: push
+        with:
+          context: packages/ui/api/stellar
+          file: Dockerfile.prod
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: |
+            ${{ env.REGISTRY }}/wizard-stellar-api-stg:latest
+            ${{ env.REGISTRY }}/wizard-stellar-api-stg:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build-and-push
+    env:
+      ROLE_FOR_OIDC: 'arn:aws:iam::${{ secrets.ROOT_ACCOUNT_ID }}:role/github-actions-research-account-oidc-role'
+      ROLE_TO_ASSUME: 'arn:aws:iam::${{ secrets.RESEARCH_ACCOUNT_ID }}:role/GithubOIDCResearchAccountRole'
+      ECS_CLUSTER: 'wizard-stg-cluster'
+      ECS_SERVICE: 'wizard-stg-service'
+      AWS_REGION: 'us-east-1'
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up AWS credentials via OIDC and role chaining
+        uses: ./.github/actions/oidc
+        with:
+          role-for-oidc: ${{ env.ROLE_FOR_OIDC }}
+          role-to-assume: ${{ env.ROLE_TO_ASSUME }}
+
+      - name: AWS ECS force new deployment
+        run: |
+          aws ecs update-service --cluster $ECS_CLUSTER --service $ECS_SERVICE --force-new-deployment --region $AWS_REGION

.gitignore

@@ -5,3 +5,9 @@ node_modules
 .env
 .env.local
 .vscode/settings.json
+.qodo/
+
+# Generated by Cargo
+# will have compiled files and executables
+debug/
+target/

.prettierignore

@@ -15,4 +15,5 @@ build/
 public/
 remappings.txt
 *.cairo
-*.sh
+*.sh
+*.rs

.vscode/example.settings.json

@@ -4,5 +4,13 @@
   "deno.enable": true,
   "deno.enablePaths": [
     "packages/ui/scripts/deno/"
-  ]
+  ],
+  "[rust]": {
+    "editor.defaultFormatter": "rust-lang.rust-analyzer"
+  },
+  "rust-analyzer.linkedProjects": [
+    "packages/ui/stellar/Cargo.toml"
+  ],
+  "rust-analyzer.check.command": "clippy",
+  "rust-analyzer.checkOnSave": true
 }

.vscode/extensions.json

@@ -2,6 +2,7 @@
   "recommendations": [
     "esbenp.prettier-vscode",
     "dbaeumer.vscode-eslint",
-    "denoland.vscode-deno"
-  ]
+    "denoland.vscode-deno",
+    "rust-lang.rust-analyzer"
+  ],
 }

netlify.toml

@@ -2,11 +2,11 @@
 command = "yarn --cwd packages/ui build"
 publish = "packages/ui/public"
 
-edge_functions = "packages/ui/api"
+edge_functions = "packages/ui/api/ai/paths"
 
 [functions]
-  deno_import_map = "packages/ui/import_map.json"
+deno_import_map = "packages/ui/api/ai/import_map.json"
 
 [[edge_functions]]
-  path = "/ai"
-  function = "ai"
+path = "/ai"
+function = "ai"

package.json

@@ -10,6 +10,7 @@
     "type:check:api": "yarn --cwd ./packages/ui type:check:api",
     "dev:ui": "yarn --cwd ./packages/ui dev",
     "dev:api": "yarn --cwd ./packages/ui dev:api",
+    "dev:api:build": "yarn --cwd ./packages/ui dev:api:build",
     "dev": "concurrently --kill-others-on-fail --names \"UI,API\" --prefix-colors \"magenta.bold,green.bold\" \"yarn dev:ui\" \"yarn dev:api\"",
     "run:core": "node ./scripts/run-command.mjs",
     "version": "bash scripts/release/version.sh",
@@ -41,4 +42,4 @@
     "@changesets/cli": "^2.29.2",
     "@changesets/changelog-github": "^0.5.1"
   }
-}
+}

packages/core/stellar/src/zip-rust.ts

@@ -59,3 +59,6 @@ const addRustProjectReadme = (zip: JSZip) => zip.file('README.md', readme);
 
 export const zipRustProject = async (c: Contract, opts: GenericOptions) =>
   addRustProjectReadme(createRustZipEnvironment(c, opts));
+
+export const zipRustProjectBlob = async (c: Contract, opts: GenericOptions) =>
+  await (await zipRustProject(c, opts)).generateAsync({ type: 'blob', compression: 'DEFLATE' });