@agentuity/cli 2.0.11 → 2.0.12

package/src/cmd/dev/process-manager.ts

@@ -7,6 +7,14 @@
  * - Graceful shutdown (SIGINT/SIGTERM)
  *
  * This prevents orphan processes and port conflicts between dev sessions.
+ *
+ * Key design decisions:
+ * - Process tree killing: Uses process.kill(-pid) to kill entire process groups,
+ *   preventing orphaned child processes (e.g., Bun backend spawning workers).
+ * - Per-process SIGTERM→SIGKILL escalation: Each process gets its own grace
+ *   period instead of waiting for all processes to exit before force-killing.
+ * - Last-resort synchronous cleanup: forceKillAllSync() can be called from
+ *   process.on('exit') handlers where async operations are not possible.
  */
 
 import type { Logger } from '../../types';
@@ -39,6 +47,12 @@ export interface ManagedServer {
 	description: string;
 	/** The port this server uses */
 	port?: number;
+	/**
+	 * Maximum time (ms) to wait for this server's close() to resolve before
+	 * moving on. Defaults to 1000ms. Servers like Vite that own filesystem
+	 * watchers and HMR sockets may need more time.
+	 */
+	closeTimeoutMs?: number;
 }
 
 /**
@@ -114,11 +128,71 @@ export class ProcessManager {
 		return ports;
 	}
 
+	/**
+	 * Whether cleanup has already completed.
+	 * Used by forceKillAllSync() to avoid redundant work.
+	 */
+	get isCleanedUp(): boolean {
+		return this.cleaningUp && this.processes.length === 0 && this.servers.length === 0;
+	}
+
+	/**
+	 * Kill a process and its entire process tree.
+	 *
+	 * Uses process.kill(-pid) to send the signal to the entire process group.
+	 * This ensures child processes (e.g., workers spawned by Bun) are also killed.
+	 * Falls back to direct PID kill if process group kill fails (e.g., EPERM or
+	 * the process is not a group leader).
+	 */
+	private killProcessTree(pid: number, signal: NodeJS.Signals): boolean {
+		// Safety: never send signals to PID 0 (own process group), PID 1 (init/systemd),
+		// or negative PIDs (which would be double-negated). process.kill(-1) is
+		// especially dangerous as it signals every process the user owns.
+		if (pid <= 1) {
+			this.logger.debug('Refusing to kill dangerous pid %d, skipping process tree kill', pid);
+			return false;
+		}
+
+		// Try killing the entire process group first (negative PID)
+		try {
+			process.kill(-pid, signal);
+			this.logger.debug('Sent %s to process group -%d', signal, pid);
+			return true;
+		} catch (err) {
+			const error = err as NodeJS.ErrnoException;
+			// ESRCH = no such process/group, EPERM = not a group leader or no permission
+			if (error.code !== 'ESRCH') {
+				this.logger.debug(
+					'Process group kill failed for pid %d (%s), falling back to direct kill',
+					pid,
+					error.code
+				);
+			}
+		}
+
+		// Fall back to direct PID kill
+		try {
+			process.kill(pid, signal);
+			this.logger.debug('Sent %s to pid %d (direct)', signal, pid);
+			return true;
+		} catch (err) {
+			const error = err as NodeJS.ErrnoException;
+			if (error.code !== 'ESRCH') {
+				this.logger.debug('Direct kill failed for pid %d: %s', pid, error.code);
+			}
+			return false;
+		}
+	}
+
 	/**
 	 * Clean up all tracked processes and servers.
 	 *
+	 * Uses per-process SIGTERM→SIGKILL escalation: each process gets up to
+	 * `timeout` ms to exit gracefully after SIGTERM. Processes that exit early
+	 * don't delay cleanup of other processes.
+	 *
 	 * @param reason - Why cleanup is happening (for logging)
-	 * @param timeout - Max time to wait for graceful shutdown (ms)
+	 * @param timeout - Max time to wait for graceful shutdown per process (ms)
 	 */
 	async cleanup(reason: string, timeout = 3000): Promise<void> {
 		if (this.cleaningUp) {
@@ -129,61 +203,94 @@ export class ProcessManager {
 
 		this.logger.debug('Starting cleanup (reason: %s)', reason);
 
-		// Kill processes in reverse order (LIFO)
-		for (let i = this.processes.length - 1; i >= 0; i--) {
-			const proc = this.processes[i];
-			if (!proc) continue;
-
-			try {
-				if (proc.process.exitCode === null) {
-					this.logger.debug(
-						'Killing process %s (pid=%s)',
-						proc.id,
-						proc.process.pid ?? 'unknown'
-					);
-					proc.process.kill('SIGTERM');
-				}
-			} catch (err) {
-				this.logger.debug('Error killing process %s: %s', proc.id, err);
-			}
-		}
+		// Snapshot processes and servers before cleanup so we can clear tracking
+		// lists early. This prevents the exit handler from re-killing already
+		// handled processes.
+		const processSnapshot = [...this.processes];
+		const serverSnapshot = [...this.servers];
 
-		// Close servers
-		for (let i = this.servers.length - 1; i >= 0; i--) {
-			const server = this.servers[i];
+		// Close servers first (reverse order, LIFO)
+		for (let i = serverSnapshot.length - 1; i >= 0; i--) {
+			const server = serverSnapshot[i];
 			if (!server) continue;
 
+			const closeTimeout = server.closeTimeoutMs ?? 1000;
 			try {
-				this.logger.debug('Closing server %s', server.id);
+				this.logger.debug('Closing server %s (timeout=%dms)', server.id, closeTimeout);
 				const closePromise = server.server.close();
 				if (closePromise instanceof Promise) {
+					let timedOut = false;
 					await Promise.race([
 						closePromise,
-						new Promise<void>((resolve) => setTimeout(resolve, 1000)),
+						new Promise<void>((resolve) =>
+							setTimeout(() => {
+								timedOut = true;
+								resolve();
+							}, closeTimeout)
+						),
 					]);
+					if (timedOut) {
+						this.logger.debug(
+							'Server %s did not close within %dms, continuing cleanup',
+							server.id,
+							closeTimeout
+						);
+					}
 				}
 			} catch (err) {
 				this.logger.debug('Error closing server %s: %s', server.id, err);
 			}
 		}
 
-		// Wait for processes to exit, then force-kill if needed
+		// Send SIGTERM to all processes in reverse order (LIFO), targeting
+		// process trees so child processes also receive the signal.
+		for (let i = processSnapshot.length - 1; i >= 0; i--) {
+			const proc = processSnapshot[i];
+			if (!proc) continue;
+
+			try {
+				if (proc.process.exitCode === null) {
+					const pid = proc.process.pid;
+					this.logger.debug('Killing process %s (pid=%s)', proc.id, pid ?? 'unknown');
+					if (pid) {
+						this.killProcessTree(pid, 'SIGTERM');
+					} else {
+						proc.process.kill('SIGTERM');
+					}
+				}
+			} catch (err) {
+				this.logger.debug('Error killing process %s: %s', proc.id, err);
+			}
+		}
+
+		// Wait for processes to exit, then force-kill individually.
+		// Each process gets up to `timeout` ms from the initial SIGTERM.
 		const startTime = Date.now();
 		while (Date.now() - startTime < timeout) {
-			const allExited = this.processes.every((p) => p.process.exitCode !== null);
+			const allExited = processSnapshot.every((p) => p.process.exitCode !== null);
 			if (allExited) break;
 			await new Promise((resolve) => setTimeout(resolve, 100));
 		}
 
-		// Force kill any remaining
-		for (const proc of this.processes) {
-			if (proc.process.exitCode === null) {
-				try {
-					this.logger.debug('Force killing process %s', proc.id);
+		// Force kill any remaining processes and their process trees.
+		// When a PID is available, always attempt process-group SIGKILL even if
+		// the leader has already exited: on Unix, process groups persist after
+		// the leader exits and signaling via negative PGID still reaches
+		// remaining members. killProcessTree() handles ESRCH gracefully.
+		for (const proc of processSnapshot) {
+			const pid = proc.process.pid;
+			const shouldForceTreeKill = typeof pid === 'number' && pid > 1;
+			if (!shouldForceTreeKill && proc.process.exitCode !== null) continue;
+
+			try {
+				this.logger.debug('Force killing process %s (pid=%s)', proc.id, pid ?? 'unknown');
+				if (shouldForceTreeKill) {
+					this.killProcessTree(pid, 'SIGKILL');
+				} else {
 					proc.process.kill('SIGKILL');
-				} catch (err) {
-					this.logger.debug('Error force killing process %s: %s', proc.id, err);
 				}
+			} catch (err) {
+				this.logger.debug('Error force killing process %s: %s', proc.id, err);
 			}
 		}
 
@@ -192,6 +299,39 @@ export class ProcessManager {
 		this.servers = [];
 	}
 
+	/**
+	 * Synchronous last-resort cleanup for use in process.on('exit') handlers.
+	 *
+	 * Sends SIGKILL to all tracked process trees. This is intentionally
+	 * aggressive because it's the final opportunity to prevent orphans.
+	 * Only runs if async cleanup() hasn't already completed.
+	 */
+	forceKillAllSync(): void {
+		if (this.isCleanedUp) return;
+
+		for (const proc of this.processes) {
+			if (proc.process.exitCode !== null) continue;
+			const pid = proc.process.pid;
+			try {
+				if (pid && pid > 1) {
+					// Try process group kill first, fall back to direct
+					try {
+						process.kill(-pid, 'SIGKILL');
+					} catch {
+						process.kill(pid, 'SIGKILL');
+					}
+				} else {
+					proc.process.kill('SIGKILL');
+				}
+			} catch {
+				// Best effort in exit handler — nothing else we can do
+			}
+		}
+
+		this.processes = [];
+		this.servers = [];
+	}
+
 	/**
 	 * Verify that all ports used by tracked processes are released.
 	 * Used after cleanup to ensure no orphan processes remain.

package/src/cmd/project/create.ts

@@ -80,7 +80,6 @@ export const createProjectSubcommand = createSubcommand({
 				.string()
 				.optional()
 				.describe('Storage action: "skip", "new", or existing bucket name'),
-			enableAuth: z.boolean().optional().describe('Enable Agentuity Auth'),
 		}),
 		response: ProjectCreateResponseSchema,
 	},
@@ -115,7 +114,6 @@ export const createProjectSubcommand = createSubcommand({
 			region,
 			database: opts.database,
 			storage: opts.storage,
-			enableAuth: opts.enableAuth,
 		});
 
 		// Exit with error code if setup failed and not in JSON mode

package/src/cmd/project/index.ts

@@ -4,7 +4,6 @@ import { importSubcommand } from './import';
 import { listSubcommand } from './list';
 import { deleteSubcommand } from './delete';
 import { showSubcommand } from './show';
-import { authCommand } from './auth';
 import { addCommand } from './add';
 import { hostnameCommand } from './hostname';
 import { domainCommand } from './domain';
@@ -18,7 +17,6 @@ export const command = createCommand({
 		{ command: getCommand('project create my-agent'), description: 'Create a new project' },
 		{ command: getCommand('project import'), description: 'Import an existing project' },
 		{ command: getCommand('project list'), description: 'List all projects' },
-		{ command: getCommand('project auth init'), description: 'Set up Agentuity Auth' },
 		{ command: getCommand('project add database'), description: 'Link an existing database' },
 		{
 			command: getCommand('project add storage'),
@@ -39,7 +37,6 @@ export const command = createCommand({
 		listSubcommand,
 		deleteSubcommand,
 		showSubcommand,
-		authCommand,
 		addCommand,
 		hostnameCommand,
 		domainCommand,

package/src/cmd/project/template-flow.ts

@@ -31,13 +31,6 @@ import * as tui from '../../tui';
 import { createPrompt, note } from '../../tui';
 import type { AuthData, Config } from '../../types';
 import { getGithubBotIdentity } from '../git/api';
-import {
-	ensureAuthDependencies,
-	generateAuthFileContent,
-	generateAuthSchemaSql,
-	printIntegrationExamples,
-	runAuthMigrations,
-} from './auth/shared';
 import { downloadTemplate, initGitRepo, setupProject } from './download';
 import { fetchTemplates, type TemplateInfo } from './templates';
 
@@ -59,7 +52,6 @@ interface CreateFlowOptions {
 	apiClient?: APIClient;
 	database?: string;
 	storage?: string;
-	enableAuth?: boolean;
 }
 
 export interface CreateFlowResult {
@@ -92,7 +84,6 @@ export async function runCreateFlow(options: CreateFlowOptions): Promise<CreateF
 		domains,
 		database: databaseOption,
 		storage: storageOption,
-		enableAuth: enableAuthOption,
 	} = options;
 
 	const isHeadless = !process.stdin.isTTY || !process.stdout.isTTY;
@@ -314,15 +305,6 @@ export async function runCreateFlow(options: CreateFlowOptions): Promise<CreateF
 		);
 	}
 
-	// Validate that --enable-auth requires authentication and registration
-	if (enableAuthOption && !canProvision) {
-		logger.fatal(
-			'Cannot enable Agentuity Auth without being authenticated and registering the project.\n' +
-				'Remove --no-register or omit --enable-auth flag.',
-			ErrorCode.VALIDATION_FAILED
-		);
-	}
-
 	if (canProvision) {
 		// Fetch resources for selected org and region using Catalyst API (needed for both interactive and CLI flags)
 		let resources: Awaited<ReturnType<typeof listResources>> | undefined;
@@ -556,111 +538,6 @@ export async function runCreateFlow(options: CreateFlowOptions): Promise<CreateF
 		}
 	}
 
-	// Auth setup - either from template, CLI flag, or user choice
-	const templateHasAuth = selectedTemplate.id === 'agentuity-auth';
-
-	let authEnabled = templateHasAuth; // Auth templates have auth enabled by default
-	let authDatabaseName: string | undefined;
-	let authDatabaseUrl: string | undefined;
-
-	// Handle auth enablement: CLI flag > interactive prompt > disabled (headless)
-	if (enableAuthOption !== undefined) {
-		// CLI flag provided
-		authEnabled = enableAuthOption;
-	} else if (canProvision && isInteractive && !templateHasAuth) {
-		// For non-auth templates in interactive mode, ask if they want to enable auth
-		const enableAuth = await prompt.select({
-			message: 'Enable Agentuity Authentication?',
-			options: [
-				{ value: 'no', label: "No, I'll add auth later" },
-				{ value: 'yes', label: 'Yes, set up Agentuity Auth' },
-			],
-		});
-
-		if (enableAuth === 'yes') {
-			authEnabled = true;
-		}
-	}
-	// In headless mode without --enable-auth flag, authEnabled stays false (unless template has auth)
-
-	// Set up database and secret for any auth-enabled project
-	if (authEnabled && canProvision) {
-		// If a database was already selected/created above, use it for auth
-		if (resourceEnvVars.DATABASE_URL) {
-			authDatabaseUrl = resourceEnvVars.DATABASE_URL;
-			// Extract database name from URL using proper URL parsing
-			try {
-				const dbUrl = new URL(authDatabaseUrl);
-				const dbName = dbUrl.pathname.replace(/^\/+/, ''); // Remove leading slashes
-				// Validate: non-empty and contains only safe characters
-				if (dbName && /^[A-Za-z0-9_-]+$/.test(dbName)) {
-					authDatabaseName = dbName;
-				}
-			} catch {
-				// Invalid URL format, authDatabaseName stays undefined
-			}
-		} else {
-			// No database selected yet, create one for auth
-			const created = await tui.spinner({
-				message: 'Provisioning database for auth',
-				clearOnSuccess: true,
-				callback: async () => {
-					return createResources(catalystClient!, orgId!, region!, [{ type: 'db' }]);
-				},
-			});
-			const createdDb = created[0];
-			if (!createdDb) {
-				logger.fatal('Failed to create database for auth', ErrorCode.RESOURCE_NOT_FOUND);
-				return undefined as never;
-			}
-			authDatabaseName = createdDb.name;
-
-			// Get env vars from created resource
-			if (createdDb.env) {
-				authDatabaseUrl = createdDb.env.DATABASE_URL;
-				// Also add to resourceEnvVars if not already set
-				if (!resourceEnvVars.DATABASE_URL) {
-					Object.assign(resourceEnvVars, createdDb.env);
-				}
-			}
-		}
-
-		// Install auth dependencies (skip for agentuity-auth template which has them)
-		if (!templateHasAuth) {
-			await ensureAuthDependencies({ projectDir: dest, logger });
-
-			// Generate auth.ts
-			const authFilePath = resolve(dest, 'src', 'auth.ts');
-			if (!existsSync(authFilePath)) {
-				const srcDir = resolve(dest, 'src');
-				if (!existsSync(srcDir)) {
-					await Bun.write(resolve(srcDir, '.gitkeep'), '');
-				}
-				await Bun.write(authFilePath, generateAuthFileContent());
-				tui.success('Created src/auth.ts');
-			}
-		}
-
-		// Run migrations
-		if (authDatabaseName) {
-			const sql = await tui.spinner({
-				message: 'Preparing auth database schema...',
-				clearOnSuccess: true,
-				callback: () => generateAuthSchemaSql(logger, dest),
-			});
-
-			await runAuthMigrations({
-				logger,
-				auth,
-				orgId,
-				region,
-				databaseName: authDatabaseName,
-				sql,
-				config,
-			});
-		}
-	}
-
 	let projectId: string | undefined;
 
 	if (auth && apiClient && orgId) {
@@ -702,28 +579,9 @@ export async function runCreateFlow(options: CreateFlowOptions): Promise<CreateF
 			},
 		});
 
-		// Add auth secret to resourceEnvVars if auth is enabled
-		if (authEnabled && !resourceEnvVars.AGENTUITY_AUTH_SECRET) {
-			const devSecret = `dev-${crypto.randomUUID()}`;
-			resourceEnvVars.AGENTUITY_AUTH_SECRET = devSecret;
-		}
-
 		// Write resource environment variables to .env
 		if (Object.keys(resourceEnvVars).length > 0) {
 			await addResourceEnvVars(dest, resourceEnvVars);
-
-			// Show user feedback for auth-related env vars
-			if (authEnabled) {
-				if (resourceEnvVars.DATABASE_URL) {
-					tui.success('DATABASE_URL added to .env');
-				}
-				if (resourceEnvVars.AGENTUITY_AUTH_SECRET) {
-					tui.success('AGENTUITY_AUTH_SECRET added to .env');
-					tui.info(
-						`Generate one with: ${tui.muted('npx @better-auth/cli secret')} or ${tui.muted('openssl rand -hex 32')}`
-					);
-				}
-			}
 		}
 
 		// After registration, push any existing env/secrets from .env
@@ -819,11 +677,6 @@ export async function runCreateFlow(options: CreateFlowOptions): Promise<CreateF
 		}
 	}
 
-	// Print auth integration examples if auth was enabled (skip for auth template - already set up)
-	if (authEnabled && !templateHasAuth) {
-		printIntegrationExamples();
-	}
-
 	return {
 		projectId,
 		orgId,

package/dist/cmd/build/vite/public-asset-path-plugin.d.ts

@@ -1,45 +0,0 @@
-/**
- * Vite plugin to fix incorrect public asset paths
- *
- * Developers should use /public/ paths for static assets from src/web/public/.
- * In production, these paths are transformed to CDN URLs.
- *
- * This plugin:
- * 1. During build: Rewrites /public/* paths to CDN URLs
- * 2. During dev: Warns only about incorrect source paths (src/web/public/)
- *
- * Supported patterns (work in dev, rewritten to CDN in production):
- * - '/public/foo.svg'          → CDN URL (recommended)
- * - './public/foo.svg'         → CDN URL
- * - 'url(/public/foo.svg)'    → CDN URL (CSS unquoted)
- * - 'url(./public/foo.svg)'   → CDN URL (CSS unquoted)
- *
- * Incorrect patterns (warned in dev, rewritten in production):
- * - '/src/web/public/foo.svg'  → CDN URL
- * - './src/web/public/foo.svg' → CDN URL
- * - 'src/web/public/foo.svg'   → CDN URL
- */
-import type { Plugin } from 'vite';
-export interface PublicAssetPathPluginOptions {
-    /** Whether to show warnings in dev mode (default: true) */
-    warnInDev?: boolean;
-    /** CDN base URL for production builds (e.g., 'https://cdn.agentuity.com/{deploymentId}/client/') */
-    cdnBaseUrl?: string;
-}
-/**
- * Vite plugin that fixes public asset paths and rewrites to CDN URLs
- *
- * Rewrites all public asset paths to CDN URLs in production.
- *
- * @example
- * // In vite config:
- * plugins: [publicAssetPathPlugin({ cdnBaseUrl: 'https://cdn.example.com/deploy/client/' })]
- *
- * // In code, use /public/ paths:
- * <img src="/public/logo.svg" />
- *
- * // Transforms in production:
- * // '/public/logo.svg' → 'https://cdn.example.com/deploy/client/logo.svg'
- */
-export declare function publicAssetPathPlugin(options?: PublicAssetPathPluginOptions): Plugin;
-//# sourceMappingURL=public-asset-path-plugin.d.ts.map

package/dist/cmd/build/vite/public-asset-path-plugin.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"public-asset-path-plugin.d.ts","sourceRoot":"","sources":["../../../../src/cmd/build/vite/public-asset-path-plugin.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,MAAM,CAAC;AAEnC,MAAM,WAAW,4BAA4B;IAC5C,2DAA2D;IAC3D,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,oGAAoG;IACpG,UAAU,CAAC,EAAE,MAAM,CAAC;CACpB;AAwDD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,GAAE,4BAAiC,GAAG,MAAM,CA4GxF"}