@aifabrix/server-setup 1.5.2 → 1.5.5

package/README.md

@@ -17,7 +17,9 @@ This is the **one document** you need to get your builder-server **from zero to
 **The builder-server Docker image is not on a public registry.** You get it with the **AI Fabrix platform**.
 
 1. Install the **AI Fabrix Builder** CLI: `npm install -g @aifabrix/builder`
-2. Install the **AI Fabrix server-setup** CLI (af-server): `npm install -g @aifabrix/server-setup`
+2. Install the **AI Fabrix server-setup** CLI (af-server): `npm install -g @aifabrix/server-setup`  
+   - If you get **EACCES** (permission denied), use either:  
+     `sudo npm install -g @aifabrix/server-setup`
 3. Use the Builder CLI to run or deploy the platform (including builder-server). See [AI Fabrix Builder](https://github.com/esystemsdev/aifabrix-builder) and [docs/README.md](https://github.com/esystemsdev/aifabrix-builder/blob/main/docs/README.md).
 
 Once you have the platform (and the builder-server image), use **af-server** to install that server on your own host.
@@ -46,7 +48,7 @@ Complete the [manual prerequisites](#what-you-must-do-before-running-af-server)
 
 | Step | Where     | Action |
 | ---- | --------- | ------ |
-| 1    | From PC   | `af-server install-init $SSH` — only command over SSH; installs on server: SSH (if needed), Node 18+, npm, and `af-server` CLI. |
+| 1    | From PC   | `af-server install-init $SSH` — only command over SSH; installs on server: SSH (if needed), Node 20+, npm, and `af-server` CLI. |
 | 2    | One-time  | Log in to the server once (e.g. with password) to approve passwordless SSH; then from PC: `af-server ssh-cert install $SSH`. |
 | 3    | From PC   | Copy SSL certificate and key to the server (see [SSL directory and certificates](#ssl-directory-and-certificates)); example commands below. |
 | 4    | From PC   | Log in to the server via SSH (passwordless). |
@@ -61,11 +63,10 @@ Set your target and run the only command that uses SSH from your PC:
 
 ```bash
 export SSH=serveradmin@builder02.aifabrix.dev
-export DOMAIN=builder02.aifabrix.dev
 af-server install-init $SSH
 ```
 
-This installs on the server: openssh-server (if needed), Node 18+, npm, and `@aifabrix/builder` + `@aifabrix/server-setup` so `af-server` is available there. No Docker, nginx, or builder-server yet.
+This installs on the server: openssh-server (if needed), Node 20+, npm, and `@aifabrix/builder` + `@aifabrix/server-setup` so `af-server` is available there. You’ll see progress messages and live output from the bootstrap (package lists, SSH, Node, npm install). No Docker, nginx, or builder-server yet.
 
 ### Step 2: Passwordless SSH (from PC)
 
@@ -107,8 +108,8 @@ The image is not on a public registry. Use your platform’s method (e.g. Azure
 
 ```bash
 az login
-az acr login --name aifabrixdevacr
-docker pull aifabrixdevacr.azurecr.io/aifabrix/builder-server:latest
+az acr login --name youracr
+docker pull youracr.azurecr.io/aifabrix/builder-server:latest
 ```
 
 Or with Docker login (username/password from your registry):
@@ -121,11 +122,14 @@ docker pull <registry>/aifabrix/builder-server:latest
 ### Step 7: Install server (nginx vhost + container) (on server)
 
 ```bash
+export DOMAIN=builder02.aifabrix.dev
 sudo af-server install-server --dev-domain $DOMAIN
 ```
 
 Use the same domain as your DNS and SSL. Optional: `--ssl-dir /opt/aifabrix/ssl`, `--data-dir /opt/aifabrix/builder-server/data`, `--builder-port 3000`.
 
+If the builder-server image is not on the host yet, the first run writes an nginx vhost without client-cert verification (so `nginx -t` passes). After you pull the image and re-run `sudo af-server install-server --dev-domain $DOMAIN`, the container will start, create `ca.crt`, and a subsequent run will enable client-cert verification and reload nginx.
+
 ### Step 8: Done
 
 Your builder-server is up. Use the **AI Fabrix Builder CLI** for users, secrets, certs, etc.—see [Builder documentation](https://github.com/esystemsdev/aifabrix-builder/blob/main/docs/developer-isolation.md).
@@ -136,7 +140,7 @@ Your builder-server is up. Use the **AI Fabrix Builder CLI** for users, secrets,
 
 | Command | Description |
 | -------- | ----------- |
-| `af-server install-init <user@host> [ -i SSH_KEY ]` | **From PC only.** One-time bootstrap over SSH: install on server SSH (if needed), Node 18+, npm, and af-server CLI. |
+| `af-server install-init <user@host> [ -i SSH_KEY ]` | **From PC only.** One-time bootstrap over SSH: install on server SSH (if needed), Node 20+, npm, and af-server CLI. Shows progress and streams server output. |
 | `af-server install [ user@host ] [ -d DATA_DIR ] [ --dev-domain DOMAIN ] [ --ssl-dir PATH ] [ -i SSH_KEY ]` | **Run on server** (omit target): `sudo af-server install`. Infra only: Docker, nginx pkg, Mutagen, data dir, cron. No builder vhost or container. With target: same infra over SSH. |
 | `af-server install-server --dev-domain DOMAIN [ -d DATA_DIR ] [ --ssl-dir PATH ] [ --builder-port PORT ]` | **On server only.** Nginx vhost, builder-server container, Docker TLS. Run after `sudo af-server install`. |
 | `af-server backup [ user@host ] [ -d DATA_DIR ] [ -o output.zip ] [ -i SSH_KEY ]` | On-demand backup (config + DB + keys). |
@@ -203,7 +207,7 @@ If you SSH as a non-root user, that user must be able to sudo. The script will a
 - **Admin user** — Adds the admin user (default `serveradmin`) to the `docker` group and grants passwordless sudo.
 - **Nginx** — Installs the nginx **package** only; enables and starts it. Does **not** write the builder vhost yet.
 - **Data dir** — Creates the data directory (default `/opt/aifabrix/builder-server/data`), workspace and ssh-keys subdirs, ownership for the container.
-- **Apply-dev-users** — Installs the script and cron job (every 2 minutes) that sync per-developer OS users from builder-server state.
+- **Apply-dev-users** — Installs the script and cron job (every 2 minutes) that sync per-developer OS users from builder-server state. The script configures a user-writable npm/pnpm prefix (`~/.local`) for dev users and the aifabrix user so they can run `npm install -g` and `pnpm add -g` without sudo. When run as root, it can also grant passwordless sudo to the aifabrix user (override with `SUDO_NOPASSWD_USER` in apply-dev-users-defaults). **Without sudo:** run the script as the current user (e.g. `SUDO_NOPASSWD_USER=aifabrix`); it will only set up that user's `~/.local` and `~/.npmrc`/`~/.pnpmrc` so npm and pnpm global installs work without sudo.
 - **Mutagen** — Downloads and installs Mutagen; systemd service and daemon.
 - **Optional** — If `INSTALL_PORTAINER=1`, installs the Portainer container.
 

package/assets/aifabrix-apply-dev-users.sh

@@ -2,7 +2,11 @@
 # Apply per-developer OS users from builder-server state (DATA_DIR/ssh-keys, pending-removals).
 # Run via cron every 2 minutes. Creates/updates dev<id> users, .ssh/authorized_keys, workspace symlink,
 # and optional ~/.aifabrix/config.yaml when missing. Processes pending-removals then applies keys.
-# Requires root. DATA_DIR must match builder-server (e.g. /opt/aifabrix/builder-server/data).
+# Also: npm/pnpm user prefix (~/.local) for dev users so they can install global packages without sudo;
+#       optional passwordless sudo for SUDO_NOPASSWD_USER (only when run as root; skipped without sudo).
+# Run as root for full sync (useradd, dev users, etc.). When run without root as SUDO_NOPASSWD_USER,
+# only the current user's npm/pnpm prefix is configured so they can install global packages without sudo.
+# DATA_DIR must match builder-server (e.g. /opt/aifabrix/builder-server/data).
 
 set -e
 
@@ -12,10 +16,36 @@ PENDING_REMOVALS="${DATA_DIR}/pending-removals"
 # Defaults matching builder-server env.template (override via env or apply-dev-users-defaults)
 AIFABRIX_SECRETS="${AIFABRIX_SECRETS:-/aifabrix-miso/builder/secrets.local.yaml}"
 AIFABRIX_ENV_CONFIG="${AIFABRIX_ENV_CONFIG:-aifabrix-miso/builder/env-config.yaml}"
+# User that gets npm/pnpm prefix when run as that user without root; passwordless sudo only when root.
+SUDO_NOPASSWD_USER="${SUDO_NOPASSWD_USER:-aifabrix}"
 
+# Only root can write sudoers and manage dev users; without root we only set up current user's npm/pnpm.
+ROOT_OK=0
+[ "$(id -u)" = 0 ] && ROOT_OK=1
+
+# When not root, current user can run script to set up only their npm/pnpm prefix (DATA_DIR not required).
 if [ ! -d "$DATA_DIR" ]; then
-  echo "DATA_DIR not found: $DATA_DIR"
-  exit 0
+  if [ "$ROOT_OK" = 1 ] || [ "$(id -un)" != "$SUDO_NOPASSWD_USER" ]; then
+    echo "DATA_DIR not found: $DATA_DIR"
+    exit 0
+  fi
+fi
+
+# --- 0. Passwordless sudo for SUDO_NOPASSWD_USER (only when run as root; skip when no sudo access) ---
+if [ "$ROOT_OK" = 1 ]; then
+  case "$SUDO_NOPASSWD_USER" in
+    *'..'*|*'/'*|*';'*|*'|'*|*'&'*|*'$'*|*'`'*|*' '*)
+      ;;
+    *)
+      if [ -n "$SUDO_NOPASSWD_USER" ] && getent passwd "$SUDO_NOPASSWD_USER" >/dev/null 2>&1; then
+        SUDOERS_FILE="/etc/sudoers.d/99-nopasswd-${SUDO_NOPASSWD_USER}"
+        if [ ! -f "$SUDOERS_FILE" ]; then
+          echo "${SUDO_NOPASSWD_USER} ALL=(ALL) NOPASSWD:ALL" > "$SUDOERS_FILE"
+          chmod 440 "$SUDOERS_FILE"
+        fi
+      fi
+      ;;
+  esac
 fi
 
 # Read secrets-encryption key from server data dir (same as builder-server ENCRYPTION_KEY_PATH); do not log.
@@ -24,8 +54,8 @@ if [ -f "${DATA_DIR}/secrets-encryption.key" ]; then
   secrets_encryption_value=$(cat "${DATA_DIR}/secrets-encryption.key" | tr -d '\n\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
 fi
 
-# --- 1. Process removals ---
-if [ -f "$PENDING_REMOVALS" ]; then
+# --- 1. Process removals (root only) ---
+if [ "$ROOT_OK" = 1 ] && [ -f "$PENDING_REMOVALS" ]; then
   while IFS= read -r dev_id || [ -n "$dev_id" ]; do
     dev_id=$(echo "$dev_id" | tr -d '\r\n ')
     [ -z "$dev_id" ] && continue
@@ -37,7 +67,8 @@ if [ -f "$PENDING_REMOVALS" ]; then
   : > "$PENDING_REMOVALS"
 fi
 
-# --- 2. Process each developer that has keys ---
+# --- 2. Process each developer that has keys (root only) ---
+if [ "$ROOT_OK" = 1 ]; then
 for key_file in "${SSH_KEYS_DIR}"/*/authorized_keys; do
   [ -f "$key_file" ] || continue
   dev_id=$(dirname "$key_file" | xargs basename)
@@ -120,4 +151,59 @@ for key_file in "${SSH_KEYS_DIR}"/*/authorized_keys; do
     echo '[ -d "$HOME/workspace" ] && cd "$HOME/workspace"' >> "$bashrc"
     chown "${user_name}:${user_name}" "$bashrc"
   fi
+
+  # npm/pnpm: user install prefix so dev users can run npm install -g, pnpm install, pnpm setup without sudo
+  mkdir -p "${home_dir}/.local/bin"
+  chown -R "${user_name}:${user_name}" "${home_dir}/.local"
+  printf 'prefix=%s/.local\n' "$home_dir" > "${home_dir}/.npmrc"
+  chown "${user_name}:${user_name}" "${home_dir}/.npmrc"
+  if [ ! -f "${home_dir}/.pnpmrc" ] || ! grep -q '^global-bin-dir=' "${home_dir}/.pnpmrc" 2>/dev/null; then
+    printf 'global-bin-dir=%s/.local/bin\n' "$home_dir" >> "${home_dir}/.pnpmrc"
+    chown "${user_name}:${user_name}" "${home_dir}/.pnpmrc"
+  fi
+  for f in "$profile" "$bashrc"; do
+    if ! grep -q '\.local/bin' "$f" 2>/dev/null; then
+      echo 'export PATH="$HOME/.local/bin:$PATH"' >> "$f"
+      chown "${user_name}:${user_name}" "$f"
+    fi
+  done
 done
+fi
+
+# --- 3. npm/pnpm prefix so SUDO_NOPASSWD_USER can install global packages without sudo ---
+# When root: set up that user's home. When not root: set up current user's home (no chown).
+setup_npm_pnpm_prefix() {
+  _home="$1"
+  _user="$2"
+  _use_chown="$3"
+  mkdir -p "${_home}/.local/bin"
+  [ "$_use_chown" = 1 ] && chown -R "${_user}:${_user}" "${_home}/.local"
+  _npmrc="${_home}/.npmrc"
+  if [ ! -f "$_npmrc" ] || ! grep -q '^prefix=' "$_npmrc" 2>/dev/null; then
+    printf 'prefix=%s/.local\n' "$_home" >> "$_npmrc"
+    [ "$_use_chown" = 1 ] && chown "${_user}:${_user}" "$_npmrc"
+  fi
+  for _f in "${_home}/.profile" "${_home}/.bashrc"; do
+    if [ -f "$_f" ] && ! grep -q '\.local/bin' "$_f" 2>/dev/null; then
+      echo 'export PATH="$HOME/.local/bin:$PATH"' >> "$_f"
+      [ "$_use_chown" = 1 ] && chown "${_user}:${_user}" "$_f"
+    fi
+  done
+  _pnpmrc="${_home}/.pnpmrc"
+  if [ ! -f "$_pnpmrc" ] || ! grep -q '^global-bin-dir=' "$_pnpmrc" 2>/dev/null; then
+    printf 'global-bin-dir=%s/.local/bin\n' "$_home" >> "$_pnpmrc"
+    [ "$_use_chown" = 1 ] && chown "${_user}:${_user}" "$_pnpmrc"
+  fi
+}
+
+case "$SUDO_NOPASSWD_USER" in
+  *'..'*|*'/'*|*';'*|*'|'*|*'&'*|*'$'*|*'`'*|*' '*) ;;
+  *)
+    if [ "$ROOT_OK" = 1 ] && [ -n "$SUDO_NOPASSWD_USER" ] && getent passwd "$SUDO_NOPASSWD_USER" >/dev/null 2>&1; then
+      admin_home=$(getent passwd "$SUDO_NOPASSWD_USER" | cut -d: -f6)
+      [ -n "$admin_home" ] && [ -d "$admin_home" ] && setup_npm_pnpm_prefix "$admin_home" "$SUDO_NOPASSWD_USER" 1
+    elif [ "$ROOT_OK" = 0 ] && [ -n "$SUDO_NOPASSWD_USER" ] && [ "$(id -un)" = "$SUDO_NOPASSWD_USER" ]; then
+      [ -d "$HOME" ] && setup_npm_pnpm_prefix "$HOME" "$(id -un)" 0
+    fi
+    ;;
+esac

package/assets/setup-dev-server-no-node.sh

@@ -252,6 +252,7 @@ fi
 if [ "$INSTALL_PHASE" = "server" ] || [ "$INSTALL_PHASE" = "full" ]; then
 
 # --- Nginx builder vhost from template ---
+# If ca.crt does not exist yet (builder-server not run), omit client cert so nginx -t passes. Re-run install-server after container has created ca.crt to enable client verification.
 NGINX_CONF="$NGINX_CONF_DIR/$DEV_DOMAIN.conf"
 NGINX_TEMPLATE="$REPO_ROOT/builder/builder-server/nginx-builder-server.conf.template"
 if [ -f "$NGINX_TEMPLATE" ]; then
@@ -260,6 +261,10 @@ if [ -f "$NGINX_TEMPLATE" ]; then
       -e "s|BUILDER_SERVER_PORT_PLACEHOLDER|$BUILDER_SERVER_PORT|g" \
       -e "s|DATA_DIR_PLACEHOLDER|$DATA_DIR|g" \
       "$NGINX_TEMPLATE" > "$NGINX_CONF"
+  if [ ! -f "$DATA_DIR/ca.crt" ]; then
+    sed -i '/ssl_client_certificate/d' "$NGINX_CONF"
+    sed -i 's/ssl_verify_client optional;/ssl_verify_client off;/' "$NGINX_CONF"
+  fi
 elif [ ! -f "$NGINX_CONF" ]; then
   echo "Warning: SSL prereqs required. Place $NGINX_CONF (see SETUP.md) and ensure $SSL_DIR/wildcard.crt and $SSL_DIR/wildcard.key exist."
 fi
@@ -410,6 +415,18 @@ DOCKER_EOF
   fi
 fi
 
+# If ca.crt now exists (e.g. container just created it this run), regenerate nginx config with client cert and reload.
+if [ -f "$NGINX_TEMPLATE" ] && [ -n "$DATA_DIR_ABS" ] && [ -f "$DATA_DIR_ABS/ca.crt" ]; then
+  sed -e "s|DEV_DOMAIN_PLACEHOLDER|$DEV_DOMAIN|g" \
+      -e "s|SSL_DIR_PLACEHOLDER|$SSL_DIR|g" \
+      -e "s|BUILDER_SERVER_PORT_PLACEHOLDER|$BUILDER_SERVER_PORT|g" \
+      -e "s|DATA_DIR_PLACEHOLDER|$DATA_DIR|g" \
+      "$NGINX_TEMPLATE" > "$NGINX_CONF"
+  if command -v nginx >/dev/null 2>&1 && nginx -t 2>/dev/null; then
+    systemctl reload nginx
+  fi
+fi
+
 fi
 # --- End server phase ---
 

package/assets/setup-install-init.sh

@@ -1,42 +1,63 @@
 #!/bin/sh
-# One-time bootstrap: ensure SSH, install Node 18+ and npm, then af-server CLI on the server.
+# One-time bootstrap: ensure SSH, install Node 20+ and npm, then af-server CLI on the server.
 # Run via: af-server install-init user@host (from PC over SSH). No Docker, nginx, or builder-server.
 # After this, user logs in to the server and runs: sudo af-server install, then sudo af-server install-server --dev-domain DOMAIN.
 
 set -e
 export DEBIAN_FRONTEND=noninteractive
 
-# --- SSH server (so install-init and later ssh-cert install can connect) ---
+echo "==> AI Fabrix server bootstrap starting..."
+echo ""
+
+# --- Update package lists (so installs use up-to-date indexes) ---
+echo "==> Updating package lists..."
 wait_for_apt() {
   i=0
   while [ $i -lt 20 ]; do
     apt-get update -qq 2>/dev/null && return 0
-    echo "Waiting for apt lock..."; sleep 6
+    echo "    Waiting for apt lock..."; sleep 6
     i=$((i + 1))
   done
   return 1
 }
 wait_for_apt
+echo "    Package lists up to date."
+echo ""
+
+# --- SSH server (so install-init and later ssh-cert install can connect) ---
+echo "==> Ensuring SSH server is installed and running..."
 apt-get install -y openssh-server
 systemctl enable ssh 2>/dev/null || systemctl enable sshd 2>/dev/null || true
 systemctl start ssh 2>/dev/null || systemctl start sshd 2>/dev/null || true
+echo "    SSH server ready."
+echo ""
 
-# --- Node.js 18+ and npm (NodeSource) ---
+# --- Node.js 20+ and npm (NodeSource; af-server and builder need Node 20+) ---
+echo "==> Ensuring Node.js 20+ and npm..."
 need_node=0
 if ! command -v node >/dev/null 2>&1; then
   need_node=1
 else
-  case "$(node -v 2>/dev/null)" in v1[89].*|v[2-9]*) ;; *) need_node=1 ;; esac
+  case "$(node -v 2>/dev/null)" in
+    v2[0-9].*|v3*) ;;
+    *) need_node=1 ;;
+  esac
 fi
 if [ "$need_node" = "1" ]; then
+  echo "    Installing Node.js 20.x from NodeSource..."
   curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
   apt-get install -y nodejs
+  echo "    Node.js installed."
+else
+  echo "    Node $(node -v) already present."
 fi
-node -v
-npm -v
+echo "    node: $(node -v)  npm: $(npm -v)"
+echo ""
 
 # --- af-server CLI (same as on PC) ---
+echo "==> Installing af-server CLI (npm install -g @aifabrix/builder @aifabrix/server-setup)..."
 npm install -g @aifabrix/builder @aifabrix/server-setup
-command -v af-server >/dev/null 2>&1 && af-server --version || true
+command -v af-server >/dev/null 2>&1 && echo "    $(af-server --version)" || true
+echo ""
 
 echo "Bootstrap complete. Log in to the server and run: sudo af-server install, then sudo af-server install-server --dev-domain YOUR_DOMAIN"

package/dist/cli.js

@@ -24,10 +24,11 @@ program
     .version(pkg.version);
 program
     .command('install-init <user@host>')
-    .description('One-time bootstrap over SSH: install on server SSH (if needed), Node 18+, npm, and af-server CLI. Run from PC only.')
+    .description('One-time bootstrap over SSH: install on server SSH (if needed), Node 20+, npm, and af-server CLI. Run from PC only.')
     .option('-i, --identity <path>', 'SSH private key path')
     .action(async (target, opts) => {
     try {
+        console.log('Bootstrap starting. This will connect via SSH and install prerequisites on the server (SSH, Node 20+, npm, af-server CLI).');
         await runInstallInit({ target: target.trim(), privateKeyPath: opts.identity });
         console.log('Install-init complete. Log in to the server and run: sudo af-server install, then sudo af-server install-server --dev-domain YOUR_DOMAIN');
     }

package/dist/install-init-core.d.ts

@@ -0,0 +1,11 @@
+/**
+ * install-init core: script loading and bootstrap flow. No import.meta.url so Jest can load and test.
+ */
+import type { Client } from 'ssh2';
+export declare function toUnixLf(s: string): string;
+export declare function getInitScript(assetsDir: string): string;
+/**
+ * Run bootstrap on the remote host: upload script, chmod, run via sudo, then remove tmp dir.
+ * Caller must open and close the connection.
+ */
+export declare function runBootstrap(conn: Client, scriptContent: string, tmpDir: string): Promise<void>;

package/dist/install-init-core.js

@@ -0,0 +1,29 @@
+/**
+ * install-init core: script loading and bootstrap flow. No import.meta.url so Jest can load and test.
+ */
+import * as path from 'path';
+import * as fs from 'fs';
+import { exec, execStream, writeFile } from './ssh.js';
+export function toUnixLf(s) {
+    return s.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
+}
+export function getInitScript(assetsDir) {
+    const p = path.join(assetsDir, 'setup-install-init.sh');
+    return toUnixLf(fs.readFileSync(p, 'utf8'));
+}
+/**
+ * Run bootstrap on the remote host: upload script, chmod, run via sudo, then remove tmp dir.
+ * Caller must open and close the connection.
+ */
+export async function runBootstrap(conn, scriptContent, tmpDir) {
+    await exec(conn, `mkdir -p ${tmpDir}`);
+    await exec(conn, `chmod 755 ${tmpDir}`);
+    await writeFile(conn, `${tmpDir}/setup-install-init.sh`, scriptContent);
+    await exec(conn, `chmod +x ${tmpDir}/setup-install-init.sh`);
+    const cmd = `sudo ${tmpDir}/setup-install-init.sh`;
+    const result = await execStream(conn, cmd);
+    if (result.code !== 0) {
+        throw new Error(`install-init script exited with code ${result.code}`);
+    }
+    await exec(conn, `rm -rf ${tmpDir}`);
+}

package/dist/install-init-paths.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Paths for install-init (uses import.meta.url). Kept in a separate module so tests can mock it and never load this file in Jest.
+ */
+export declare function getAssetsDir(): string;

package/dist/install-init-paths.js

@@ -0,0 +1,9 @@
+/**
+ * Paths for install-init (uses import.meta.url). Kept in a separate module so tests can mock it and never load this file in Jest.
+ */
+import * as path from 'path';
+import { fileURLToPath } from 'url';
+export function getAssetsDir() {
+    const scriptDir = path.dirname(fileURLToPath(import.meta.url));
+    return path.resolve(scriptDir, '..', 'assets');
+}

package/dist/install-init.d.ts

@@ -1,6 +1,6 @@
 /**
- * install-init: One-time bootstrap over SSH. Installs on the server: SSH (if needed), Node 18+, npm, and af-server CLI.
+ * install-init: One-time bootstrap over SSH. Installs on the server: SSH (if needed), Node 20+, npm, and af-server CLI.
  * No Docker, nginx, or builder-server. After this, the user logs in to the server and runs install + install-server locally.
  */
 import { type SSHConnectionOptions } from './ssh.js';
-export declare function runInstallInit(options: SSHConnectionOptions): Promise<void>;
+export declare function runInstallInit(options: SSHConnectionOptions, assetsDir?: string): Promise<void>;

package/dist/install-init.js

@@ -1,39 +1,20 @@
 /**
- * install-init: One-time bootstrap over SSH. Installs on the server: SSH (if needed), Node 18+, npm, and af-server CLI.
+ * install-init: One-time bootstrap over SSH. Installs on the server: SSH (if needed), Node 20+, npm, and af-server CLI.
  * No Docker, nginx, or builder-server. After this, the user logs in to the server and runs install + install-server locally.
  */
-import * as path from 'path';
-import * as fs from 'fs';
-import { fileURLToPath } from 'url';
-import { createSSHClient, exec, writeFile, close } from './ssh.js';
-const scriptDir = path.dirname(fileURLToPath(import.meta.url));
-const ASSETS_DIR = path.resolve(scriptDir, '..', 'assets');
-function toUnixLf(s) {
-    return s.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
-}
-function getInitScript() {
-    const p = path.join(ASSETS_DIR, 'setup-install-init.sh');
-    return toUnixLf(fs.readFileSync(p, 'utf8'));
-}
-export async function runInstallInit(options) {
+import { createSSHClient, close } from './ssh.js';
+import { getInitScript, runBootstrap } from './install-init-core.js';
+import { getAssetsDir } from './install-init-paths.js';
+export async function runInstallInit(options, assetsDir) {
+    const dir = assetsDir ?? getAssetsDir();
+    console.error(`Connecting to ${options.target}...`);
     const conn = await createSSHClient(options);
     try {
+        console.error('Connected. Uploading bootstrap script...');
         const tmpDir = `/tmp/aifabrix-init-${Date.now()}`;
-        await exec(conn, `mkdir -p ${tmpDir}`);
-        await exec(conn, `chmod 755 ${tmpDir}`);
-        const script = getInitScript();
-        await writeFile(conn, `${tmpDir}/setup-install-init.sh`, script);
-        await exec(conn, `chmod +x ${tmpDir}/setup-install-init.sh`);
-        const cmd = `sudo ${tmpDir}/setup-install-init.sh`;
-        const result = await exec(conn, cmd);
-        if (result.stderr)
-            process.stderr.write(result.stderr);
-        if (result.stdout)
-            process.stdout.write(result.stdout);
-        if (result.code !== 0) {
-            throw new Error(`install-init script exited with code ${result.code}`);
-        }
-        await exec(conn, `rm -rf ${tmpDir}`);
+        const script = getInitScript(dir);
+        console.error('Running bootstrap on server (this may take 1–2 minutes)...\n');
+        await runBootstrap(conn, script, tmpDir);
     }
     finally {
         close(conn);

package/dist/install-init.spec.d.ts

@@ -1 +1,4 @@
+/**
+ * Tests for install-init: bootstrap script content, install-init-core helpers, and runInstallInit (with assetsDir passed so import.meta.url is never evaluated in Jest).
+ */
 export {};

package/dist/install-init.spec.js

@@ -1,10 +1,117 @@
 /**
- * Tests for install-init: bootstrap over SSH (mocked).
- * install-init.ts uses import.meta.url; Jest (CJS) fails to load it. Skipped until ESM/import.meta is supported in tests.
+ * Tests for install-init: bootstrap script content, install-init-core helpers, and runInstallInit (with assetsDir passed so import.meta.url is never evaluated in Jest).
  */
-describe.skip('install-init', () => {
-    it('placeholder until Jest supports import.meta in transformed modules', () => {
-        expect(true).toBe(true);
+import * as fs from 'fs';
+import * as path from 'path';
+const ASSETS_DIR = path.resolve(__dirname, '..', 'assets');
+const INIT_SCRIPT = path.join(ASSETS_DIR, 'setup-install-init.sh');
+describe('install-init bootstrap script (setup-install-init.sh)', () => {
+    it('exists and defines expected bootstrap steps', () => {
+        expect(fs.existsSync(INIT_SCRIPT)).toBe(true);
+        const content = fs.readFileSync(INIT_SCRIPT, 'utf8');
+        expect(content).toContain('AI Fabrix server bootstrap');
+        expect(content).toContain('apt-get update');
+        expect(content).toContain('openssh-server');
+        expect(content).toContain('Node.js 20');
+        expect(content).toContain('NodeSource');
+        expect(content).toContain('setup_20.x');
+        expect(content).toContain('@aifabrix/builder');
+        expect(content).toContain('@aifabrix/server-setup');
+        expect(content).toContain('af-server');
+        expect(content).toContain('Bootstrap complete');
+    });
+    it('has shebang and set -e', () => {
+        const content = fs.readFileSync(INIT_SCRIPT, 'utf8');
+        expect(content).toMatch(/^#!\/bin\/sh/);
+        expect(content).toContain('set -e');
+    });
+});
+const mockConn = {};
+const mockExec = jest.fn();
+const mockWriteFile = jest.fn();
+const mockExecStream = jest.fn();
+const mockCreateSSHClient = jest.fn();
+const mockClose = jest.fn();
+jest.mock('./install-init-paths.js', () => ({
+    getAssetsDir: () => require('path').resolve(__dirname, '..', 'assets'),
+}));
+jest.mock('./ssh.js', () => ({
+    createSSHClient: (...args) => mockCreateSSHClient(...args),
+    close: (...args) => mockClose(...args),
+    exec: (...args) => mockExec(...args),
+    writeFile: (...args) => mockWriteFile(...args),
+    execStream: (...args) => mockExecStream(...args),
+}));
+import { toUnixLf, getInitScript, runBootstrap } from './install-init-core.js';
+import { runInstallInit } from './install-init.js';
+describe('install-init-core', () => {
+    beforeEach(() => {
+        jest.clearAllMocks();
+        mockExec.mockResolvedValue({ stdout: '', stderr: '', code: 0 });
+        mockWriteFile.mockResolvedValue(undefined);
+        mockExecStream.mockResolvedValue({ code: 0 });
+    });
+    describe('toUnixLf', () => {
+        it('converts CRLF to LF', () => {
+            expect(toUnixLf('a\r\nb\r\n')).toBe('a\nb\n');
+        });
+        it('converts CR to LF', () => {
+            expect(toUnixLf('a\rb\rc')).toBe('a\nb\nc');
+        });
+        it('leaves LF-only unchanged', () => {
+            expect(toUnixLf('a\nb\n')).toBe('a\nb\n');
+        });
+    });
+    describe('getInitScript', () => {
+        it('returns script content with Unix line endings', () => {
+            const script = getInitScript(ASSETS_DIR);
+            expect(script).toContain('#!/bin/sh');
+            expect(script).toContain('AI Fabrix server bootstrap');
+            expect(script).not.toMatch(/\r\n/);
+        });
+        it('throws when assets dir has no setup-install-init.sh', () => {
+            expect(() => getInitScript('/nonexistent')).toThrow();
+        });
+    });
+    describe('runBootstrap', () => {
+        it('runs mkdir, chmod, writeFile, chmod +x, execStream (sudo script), rm -rf', async () => {
+            const tmpDir = '/tmp/aifabrix-init-123';
+            const scriptContent = '#!/bin/sh\necho ok\n';
+            await runBootstrap(mockConn, scriptContent, tmpDir);
+            expect(mockExec).toHaveBeenCalledTimes(4);
+            expect(mockExec).toHaveBeenNthCalledWith(1, mockConn, `mkdir -p ${tmpDir}`);
+            expect(mockExec).toHaveBeenNthCalledWith(2, mockConn, `chmod 755 ${tmpDir}`);
+            expect(mockExec).toHaveBeenNthCalledWith(3, mockConn, `chmod +x ${tmpDir}/setup-install-init.sh`);
+            expect(mockExec).toHaveBeenNthCalledWith(4, mockConn, `rm -rf ${tmpDir}`);
+            expect(mockWriteFile).toHaveBeenCalledTimes(1);
+            expect(mockWriteFile).toHaveBeenCalledWith(mockConn, `${tmpDir}/setup-install-init.sh`, scriptContent);
+            expect(mockExecStream).toHaveBeenCalledTimes(1);
+            expect(mockExecStream).toHaveBeenCalledWith(mockConn, `sudo ${tmpDir}/setup-install-init.sh`);
+        });
+        it('throws when execStream returns non-zero code', async () => {
+            mockExecStream.mockResolvedValueOnce({ code: 1 });
+            await expect(runBootstrap(mockConn, '#!/bin/sh\nexit 1\n', '/tmp/test')).rejects.toThrow('install-init script exited with code 1');
+        });
+    });
+    describe('runInstallInit (install-init.ts)', () => {
+        beforeEach(() => {
+            mockCreateSSHClient.mockResolvedValue(mockConn);
+            jest.spyOn(console, 'error').mockImplementation(() => { });
+        });
+        afterEach(() => {
+            console.error.mockRestore();
+        });
+        it('connects, uploads script, runs bootstrap via sudo, then closes', async () => {
+            await runInstallInit({ target: 'user@host' }, ASSETS_DIR);
+            expect(mockCreateSSHClient).toHaveBeenCalledWith({ target: 'user@host' });
+            expect(mockClose).toHaveBeenCalledWith(mockConn);
+            expect(mockWriteFile).toHaveBeenCalledWith(mockConn, expect.stringMatching(/\/setup-install-init\.sh$/), expect.any(String));
+            expect(mockExecStream).toHaveBeenCalledWith(mockConn, expect.stringContaining('sudo'));
+        });
+        it('throws when bootstrap script exits non-zero', async () => {
+            mockExecStream.mockResolvedValueOnce({ code: 1 });
+            await expect(runInstallInit({ target: 'user@host' }, ASSETS_DIR)).rejects.toThrow('install-init script exited with code 1');
+            expect(mockClose).toHaveBeenCalledWith(mockConn);
+        });
     });
 });
-export {};

package/dist/ssh.d.ts

@@ -20,6 +20,13 @@ export declare function exec(conn: Client, command: string): Promise<{
     stderr: string;
     code: number | null;
 }>;
+/**
+ * Run a remote command and stream stdout/stderr to the current process so the user sees progress in real time.
+ * Resolves with the exit code when the command finishes.
+ */
+export declare function execStream(conn: Client, command: string): Promise<{
+    code: number | null;
+}>;
 /** Get remote user home directory (e.g. for ~/.ssh). Uses exec so paths work with SFTP. */
 export declare function getRemoteHome(conn: Client): Promise<string>;
 export declare function readFile(conn: Client, remotePath: string): Promise<Buffer>;

package/dist/ssh.js

@@ -149,6 +149,23 @@ export function exec(conn, command) {
         });
     });
 }
+/**
+ * Run a remote command and stream stdout/stderr to the current process so the user sees progress in real time.
+ * Resolves with the exit code when the command finishes.
+ */
+export function execStream(conn, command) {
+    return new Promise((resolve, reject) => {
+        conn.exec(command, (err, stream) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            stream.on('data', (data) => process.stdout.write(data));
+            stream.stderr.on('data', (data) => process.stderr.write(data));
+            stream.on('close', (code) => resolve({ code: code ?? null }));
+        });
+    });
+}
 /** Get remote user home directory (e.g. for ~/.ssh). Uses exec so paths work with SFTP. */
 export async function getRemoteHome(conn) {
     const result = await exec(conn, 'echo $HOME');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/server-setup",
-  "version": "1.5.2",
+  "version": "1.5.5",
   "description": "CLI to install, backup, and restore AI Fabrix builder-server (config + DB) over SSH",
   "type": "module",
   "main": "dist/cli.js",
@@ -21,12 +21,15 @@
   },
   "dependencies": {
     "archiver": "^7.0.1",
-    "better-sqlite3": "^11.6.0",
+    "better-sqlite3": "^12.0.0",
     "commander": "^12.1.0",
     "extract-zip": "^2.0.1",
     "read": "^1.0.7",
     "ssh2": "^1.15.0"
   },
+  "overrides": {
+    "glob": "^13.0.0"
+  },
   "devDependencies": {
     "@eslint/js": "^9.17.0",
     "@types/archiver": "^6.0.2",