@aifabrix/server-setup 1.5.3 → 1.5.6

package/README.md

@@ -48,7 +48,7 @@ Complete the [manual prerequisites](#what-you-must-do-before-running-af-server)
 
 | Step | Where     | Action |
 | ---- | --------- | ------ |
-| 1    | From PC   | `af-server install-init $SSH` — only command over SSH; installs on server: SSH (if needed), Node 18+, npm, and `af-server` CLI. |
+| 1    | From PC   | `af-server install-init $SSH` — only command over SSH; installs on server: SSH (if needed), Node 20+, npm, and `af-server` CLI. |
 | 2    | One-time  | Log in to the server once (e.g. with password) to approve passwordless SSH; then from PC: `af-server ssh-cert install $SSH`. |
 | 3    | From PC   | Copy SSL certificate and key to the server (see [SSL directory and certificates](#ssl-directory-and-certificates)); example commands below. |
 | 4    | From PC   | Log in to the server via SSH (passwordless). |
@@ -63,11 +63,10 @@ Set your target and run the only command that uses SSH from your PC:
 
 ```bash
 export SSH=serveradmin@builder02.aifabrix.dev
-export DOMAIN=builder02.aifabrix.dev
 af-server install-init $SSH
 ```
 
-This installs on the server: openssh-server (if needed), Node 18+, npm, and `@aifabrix/builder` + `@aifabrix/server-setup` so `af-server` is available there. No Docker, nginx, or builder-server yet.
+This installs on the server: openssh-server (if needed), Node 20+, npm, and `@aifabrix/builder` + `@aifabrix/server-setup` so `af-server` is available there. You’ll see progress messages and live output from the bootstrap (package lists, SSH, Node, npm install). No Docker, nginx, or builder-server yet.
 
 ### Step 2: Passwordless SSH (from PC)
 
@@ -109,8 +108,8 @@ The image is not on a public registry. Use your platform’s method (e.g. Azure
 
 ```bash
 az login
-az acr login --name aifabrixdevacr
-docker pull aifabrixdevacr.azurecr.io/aifabrix/builder-server:latest
+az acr login --name youracr
+docker pull youracr.azurecr.io/aifabrix/builder-server:latest
 ```
 
 Or with Docker login (username/password from your registry):
@@ -123,11 +122,14 @@ docker pull <registry>/aifabrix/builder-server:latest
 ### Step 7: Install server (nginx vhost + container) (on server)
 
 ```bash
+export DOMAIN=builder02.aifabrix.dev
 sudo af-server install-server --dev-domain $DOMAIN
 ```
 
 Use the same domain as your DNS and SSL. Optional: `--ssl-dir /opt/aifabrix/ssl`, `--data-dir /opt/aifabrix/builder-server/data`, `--builder-port 3000`.
 
+If the builder-server image is not on the host yet, the first run writes an nginx vhost without client-cert verification (so `nginx -t` passes). After you pull the image and re-run `sudo af-server install-server --dev-domain $DOMAIN`, the container will start, create `ca.crt`, and a subsequent run will enable client-cert verification and reload nginx.
+
 ### Step 8: Done
 
 Your builder-server is up. Use the **AI Fabrix Builder CLI** for users, secrets, certs, etc.—see [Builder documentation](https://github.com/esystemsdev/aifabrix-builder/blob/main/docs/developer-isolation.md).
@@ -138,7 +140,7 @@ Your builder-server is up. Use the **AI Fabrix Builder CLI** for users, secrets,
 
 | Command | Description |
 | -------- | ----------- |
-| `af-server install-init <user@host> [ -i SSH_KEY ]` | **From PC only.** One-time bootstrap over SSH: install on server SSH (if needed), Node 18+, npm, and af-server CLI. |
+| `af-server install-init <user@host> [ -i SSH_KEY ]` | **From PC only.** One-time bootstrap over SSH: install on server SSH (if needed), Node 20+, npm, and af-server CLI. Shows progress and streams server output. |
 | `af-server install [ user@host ] [ -d DATA_DIR ] [ --dev-domain DOMAIN ] [ --ssl-dir PATH ] [ -i SSH_KEY ]` | **Run on server** (omit target): `sudo af-server install`. Infra only: Docker, nginx pkg, Mutagen, data dir, cron. No builder vhost or container. With target: same infra over SSH. |
 | `af-server install-server --dev-domain DOMAIN [ -d DATA_DIR ] [ --ssl-dir PATH ] [ --builder-port PORT ]` | **On server only.** Nginx vhost, builder-server container, Docker TLS. Run after `sudo af-server install`. |
 | `af-server backup [ user@host ] [ -d DATA_DIR ] [ -o output.zip ] [ -i SSH_KEY ]` | On-demand backup (config + DB + keys). |
@@ -216,3 +218,24 @@ If you SSH as a non-root user, that user must be able to sudo. The script will a
 - **Docker TLS** — Copies certs and configures `/etc/docker/daemon.json` for TLS (using website cert and builder-server CA).
 
 Result: after both steps, the server has Docker, nginx (HTTPS for your domain), the builder-server container (if image present), and Mutagen—ready for the Builder CLI to use.
+
+---
+
+## Troubleshooting
+
+### `af-server --version` shows an old version after installing a newer one
+
+If you ran `sudo npm install -g @aifabrix/server-setup@1.5.6` but `af-server --version` still reports an older version (e.g. 1.5.3):
+
+1. **Check which binary is used**  
+   Run `which af-server` and `sudo which af-server`. If they differ, your shell may be using a user-level install while the new one was installed for root.
+
+2. **Uninstall, clear cache, then reinstall**
+
+   ```bash
+   sudo npm uninstall -g @aifabrix/server-setup
+   npm cache clean --force
+   sudo npm install -g @aifabrix/server-setup@1.5.6
+   hash -r   # clear shell’s command cache
+   af-server --version
+   ```

package/assets/setup-dev-server-no-node.sh

@@ -252,6 +252,7 @@ fi
 if [ "$INSTALL_PHASE" = "server" ] || [ "$INSTALL_PHASE" = "full" ]; then
 
 # --- Nginx builder vhost from template ---
+# If ca.crt does not exist yet (builder-server not run), omit client cert so nginx -t passes. Re-run install-server after container has created ca.crt to enable client verification.
 NGINX_CONF="$NGINX_CONF_DIR/$DEV_DOMAIN.conf"
 NGINX_TEMPLATE="$REPO_ROOT/builder/builder-server/nginx-builder-server.conf.template"
 if [ -f "$NGINX_TEMPLATE" ]; then
@@ -260,6 +261,10 @@ if [ -f "$NGINX_TEMPLATE" ]; then
       -e "s|BUILDER_SERVER_PORT_PLACEHOLDER|$BUILDER_SERVER_PORT|g" \
       -e "s|DATA_DIR_PLACEHOLDER|$DATA_DIR|g" \
       "$NGINX_TEMPLATE" > "$NGINX_CONF"
+  if [ ! -f "$DATA_DIR/ca.crt" ]; then
+    sed -i '/ssl_client_certificate/d' "$NGINX_CONF"
+    sed -i 's/ssl_verify_client optional;/ssl_verify_client off;/' "$NGINX_CONF"
+  fi
 elif [ ! -f "$NGINX_CONF" ]; then
   echo "Warning: SSL prereqs required. Place $NGINX_CONF (see SETUP.md) and ensure $SSL_DIR/wildcard.crt and $SSL_DIR/wildcard.key exist."
 fi
@@ -410,6 +415,18 @@ DOCKER_EOF
   fi
 fi
 
+# If ca.crt now exists (e.g. container just created it this run), regenerate nginx config with client cert and reload.
+if [ -f "$NGINX_TEMPLATE" ] && [ -n "$DATA_DIR_ABS" ] && [ -f "$DATA_DIR_ABS/ca.crt" ]; then
+  sed -e "s|DEV_DOMAIN_PLACEHOLDER|$DEV_DOMAIN|g" \
+      -e "s|SSL_DIR_PLACEHOLDER|$SSL_DIR|g" \
+      -e "s|BUILDER_SERVER_PORT_PLACEHOLDER|$BUILDER_SERVER_PORT|g" \
+      -e "s|DATA_DIR_PLACEHOLDER|$DATA_DIR|g" \
+      "$NGINX_TEMPLATE" > "$NGINX_CONF"
+  if command -v nginx >/dev/null 2>&1 && nginx -t 2>/dev/null; then
+    systemctl reload nginx
+  fi
+fi
+
 fi
 # --- End server phase ---
 

package/assets/setup-install-init.sh

@@ -1,42 +1,63 @@
 #!/bin/sh
-# One-time bootstrap: ensure SSH, install Node 18+ and npm, then af-server CLI on the server.
+# One-time bootstrap: ensure SSH, install Node 20+ and npm, then af-server CLI on the server.
 # Run via: af-server install-init user@host (from PC over SSH). No Docker, nginx, or builder-server.
 # After this, user logs in to the server and runs: sudo af-server install, then sudo af-server install-server --dev-domain DOMAIN.
 
 set -e
 export DEBIAN_FRONTEND=noninteractive
 
-# --- SSH server (so install-init and later ssh-cert install can connect) ---
+echo "==> AI Fabrix server bootstrap starting..."
+echo ""
+
+# --- Update package lists (so installs use up-to-date indexes) ---
+echo "==> Updating package lists..."
 wait_for_apt() {
   i=0
   while [ $i -lt 20 ]; do
     apt-get update -qq 2>/dev/null && return 0
-    echo "Waiting for apt lock..."; sleep 6
+    echo "    Waiting for apt lock..."; sleep 6
     i=$((i + 1))
   done
   return 1
 }
 wait_for_apt
+echo "    Package lists up to date."
+echo ""
+
+# --- SSH server (so install-init and later ssh-cert install can connect) ---
+echo "==> Ensuring SSH server is installed and running..."
 apt-get install -y openssh-server
 systemctl enable ssh 2>/dev/null || systemctl enable sshd 2>/dev/null || true
 systemctl start ssh 2>/dev/null || systemctl start sshd 2>/dev/null || true
+echo "    SSH server ready."
+echo ""
 
-# --- Node.js 18+ and npm (NodeSource) ---
+# --- Node.js 20+ and npm (NodeSource; af-server and builder need Node 20+) ---
+echo "==> Ensuring Node.js 20+ and npm..."
 need_node=0
 if ! command -v node >/dev/null 2>&1; then
   need_node=1
 else
-  case "$(node -v 2>/dev/null)" in v1[89].*|v[2-9]*) ;; *) need_node=1 ;; esac
+  case "$(node -v 2>/dev/null)" in
+    v2[0-9].*|v3*) ;;
+    *) need_node=1 ;;
+  esac
 fi
 if [ "$need_node" = "1" ]; then
+  echo "    Installing Node.js 20.x from NodeSource..."
   curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
   apt-get install -y nodejs
+  echo "    Node.js installed."
+else
+  echo "    Node $(node -v) already present."
 fi
-node -v
-npm -v
+echo "    node: $(node -v)  npm: $(npm -v)"
+echo ""
 
 # --- af-server CLI (same as on PC) ---
+echo "==> Installing af-server CLI (npm install -g @aifabrix/builder @aifabrix/server-setup)..."
 npm install -g @aifabrix/builder @aifabrix/server-setup
-command -v af-server >/dev/null 2>&1 && af-server --version || true
+command -v af-server >/dev/null 2>&1 && echo "    $(af-server --version)" || true
+echo ""
 
 echo "Bootstrap complete. Log in to the server and run: sudo af-server install, then sudo af-server install-server --dev-domain YOUR_DOMAIN"

package/dist/cli.js

@@ -24,10 +24,11 @@ program
     .version(pkg.version);
 program
     .command('install-init <user@host>')
-    .description('One-time bootstrap over SSH: install on server SSH (if needed), Node 18+, npm, and af-server CLI. Run from PC only.')
+    .description('One-time bootstrap over SSH: install on server SSH (if needed), Node 20+, npm, and af-server CLI. Run from PC only.')
     .option('-i, --identity <path>', 'SSH private key path')
     .action(async (target, opts) => {
     try {
+        console.log('Bootstrap starting. This will connect via SSH and install prerequisites on the server (SSH, Node 20+, npm, af-server CLI).');
         await runInstallInit({ target: target.trim(), privateKeyPath: opts.identity });
         console.log('Install-init complete. Log in to the server and run: sudo af-server install, then sudo af-server install-server --dev-domain YOUR_DOMAIN');
     }

package/dist/install-init-core.d.ts

@@ -0,0 +1,11 @@
+/**
+ * install-init core: script loading and bootstrap flow. No import.meta.url so Jest can load and test.
+ */
+import type { Client } from 'ssh2';
+export declare function toUnixLf(s: string): string;
+export declare function getInitScript(assetsDir: string): string;
+/**
+ * Run bootstrap on the remote host: upload script, chmod, run via sudo, then remove tmp dir.
+ * Caller must open and close the connection.
+ */
+export declare function runBootstrap(conn: Client, scriptContent: string, tmpDir: string): Promise<void>;

package/dist/install-init-core.js

@@ -0,0 +1,29 @@
+/**
+ * install-init core: script loading and bootstrap flow. No import.meta.url so Jest can load and test.
+ */
+import * as path from 'path';
+import * as fs from 'fs';
+import { exec, execStream, writeFile } from './ssh.js';
+export function toUnixLf(s) {
+    return s.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
+}
+export function getInitScript(assetsDir) {
+    const p = path.join(assetsDir, 'setup-install-init.sh');
+    return toUnixLf(fs.readFileSync(p, 'utf8'));
+}
+/**
+ * Run bootstrap on the remote host: upload script, chmod, run via sudo, then remove tmp dir.
+ * Caller must open and close the connection.
+ */
+export async function runBootstrap(conn, scriptContent, tmpDir) {
+    await exec(conn, `mkdir -p ${tmpDir}`);
+    await exec(conn, `chmod 755 ${tmpDir}`);
+    await writeFile(conn, `${tmpDir}/setup-install-init.sh`, scriptContent);
+    await exec(conn, `chmod +x ${tmpDir}/setup-install-init.sh`);
+    const cmd = `sudo ${tmpDir}/setup-install-init.sh`;
+    const result = await execStream(conn, cmd);
+    if (result.code !== 0) {
+        throw new Error(`install-init script exited with code ${result.code}`);
+    }
+    await exec(conn, `rm -rf ${tmpDir}`);
+}

package/dist/install-init-paths.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Paths for install-init (uses import.meta.url). Kept in a separate module so tests can mock it and never load this file in Jest.
+ */
+export declare function getAssetsDir(): string;

package/dist/install-init-paths.js

@@ -0,0 +1,9 @@
+/**
+ * Paths for install-init (uses import.meta.url). Kept in a separate module so tests can mock it and never load this file in Jest.
+ */
+import * as path from 'path';
+import { fileURLToPath } from 'url';
+export function getAssetsDir() {
+    const scriptDir = path.dirname(fileURLToPath(import.meta.url));
+    return path.resolve(scriptDir, '..', 'assets');
+}

package/dist/install-init.d.ts

@@ -1,6 +1,6 @@
 /**
- * install-init: One-time bootstrap over SSH. Installs on the server: SSH (if needed), Node 18+, npm, and af-server CLI.
+ * install-init: One-time bootstrap over SSH. Installs on the server: SSH (if needed), Node 20+, npm, and af-server CLI.
  * No Docker, nginx, or builder-server. After this, the user logs in to the server and runs install + install-server locally.
  */
 import { type SSHConnectionOptions } from './ssh.js';
-export declare function runInstallInit(options: SSHConnectionOptions): Promise<void>;
+export declare function runInstallInit(options: SSHConnectionOptions, assetsDir?: string): Promise<void>;

package/dist/install-init.js

@@ -1,39 +1,20 @@
 /**
- * install-init: One-time bootstrap over SSH. Installs on the server: SSH (if needed), Node 18+, npm, and af-server CLI.
+ * install-init: One-time bootstrap over SSH. Installs on the server: SSH (if needed), Node 20+, npm, and af-server CLI.
  * No Docker, nginx, or builder-server. After this, the user logs in to the server and runs install + install-server locally.
  */
-import * as path from 'path';
-import * as fs from 'fs';
-import { fileURLToPath } from 'url';
-import { createSSHClient, exec, writeFile, close } from './ssh.js';
-const scriptDir = path.dirname(fileURLToPath(import.meta.url));
-const ASSETS_DIR = path.resolve(scriptDir, '..', 'assets');
-function toUnixLf(s) {
-    return s.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
-}
-function getInitScript() {
-    const p = path.join(ASSETS_DIR, 'setup-install-init.sh');
-    return toUnixLf(fs.readFileSync(p, 'utf8'));
-}
-export async function runInstallInit(options) {
+import { createSSHClient, close } from './ssh.js';
+import { getInitScript, runBootstrap } from './install-init-core.js';
+import { getAssetsDir } from './install-init-paths.js';
+export async function runInstallInit(options, assetsDir) {
+    const dir = assetsDir ?? getAssetsDir();
+    console.error(`Connecting to ${options.target}...`);
     const conn = await createSSHClient(options);
     try {
+        console.error('Connected. Uploading bootstrap script...');
         const tmpDir = `/tmp/aifabrix-init-${Date.now()}`;
-        await exec(conn, `mkdir -p ${tmpDir}`);
-        await exec(conn, `chmod 755 ${tmpDir}`);
-        const script = getInitScript();
-        await writeFile(conn, `${tmpDir}/setup-install-init.sh`, script);
-        await exec(conn, `chmod +x ${tmpDir}/setup-install-init.sh`);
-        const cmd = `sudo ${tmpDir}/setup-install-init.sh`;
-        const result = await exec(conn, cmd);
-        if (result.stderr)
-            process.stderr.write(result.stderr);
-        if (result.stdout)
-            process.stdout.write(result.stdout);
-        if (result.code !== 0) {
-            throw new Error(`install-init script exited with code ${result.code}`);
-        }
-        await exec(conn, `rm -rf ${tmpDir}`);
+        const script = getInitScript(dir);
+        console.error('Running bootstrap on server (this may take 1–2 minutes)...\n');
+        await runBootstrap(conn, script, tmpDir);
     }
     finally {
         close(conn);

package/dist/install-init.spec.d.ts

@@ -1 +1,4 @@
+/**
+ * Tests for install-init: bootstrap script content, install-init-core helpers, and runInstallInit (with assetsDir passed so import.meta.url is never evaluated in Jest).
+ */
 export {};

package/dist/install-init.spec.js

@@ -1,10 +1,117 @@
 /**
- * Tests for install-init: bootstrap over SSH (mocked).
- * install-init.ts uses import.meta.url; Jest (CJS) fails to load it. Skipped until ESM/import.meta is supported in tests.
+ * Tests for install-init: bootstrap script content, install-init-core helpers, and runInstallInit (with assetsDir passed so import.meta.url is never evaluated in Jest).
  */
-describe.skip('install-init', () => {
-    it('placeholder until Jest supports import.meta in transformed modules', () => {
-        expect(true).toBe(true);
+import * as fs from 'fs';
+import * as path from 'path';
+const ASSETS_DIR = path.resolve(__dirname, '..', 'assets');
+const INIT_SCRIPT = path.join(ASSETS_DIR, 'setup-install-init.sh');
+describe('install-init bootstrap script (setup-install-init.sh)', () => {
+    it('exists and defines expected bootstrap steps', () => {
+        expect(fs.existsSync(INIT_SCRIPT)).toBe(true);
+        const content = fs.readFileSync(INIT_SCRIPT, 'utf8');
+        expect(content).toContain('AI Fabrix server bootstrap');
+        expect(content).toContain('apt-get update');
+        expect(content).toContain('openssh-server');
+        expect(content).toContain('Node.js 20');
+        expect(content).toContain('NodeSource');
+        expect(content).toContain('setup_20.x');
+        expect(content).toContain('@aifabrix/builder');
+        expect(content).toContain('@aifabrix/server-setup');
+        expect(content).toContain('af-server');
+        expect(content).toContain('Bootstrap complete');
+    });
+    it('has shebang and set -e', () => {
+        const content = fs.readFileSync(INIT_SCRIPT, 'utf8');
+        expect(content).toMatch(/^#!\/bin\/sh/);
+        expect(content).toContain('set -e');
+    });
+});
+const mockConn = {};
+const mockExec = jest.fn();
+const mockWriteFile = jest.fn();
+const mockExecStream = jest.fn();
+const mockCreateSSHClient = jest.fn();
+const mockClose = jest.fn();
+jest.mock('./install-init-paths.js', () => ({
+    getAssetsDir: () => require('path').resolve(__dirname, '..', 'assets'),
+}));
+jest.mock('./ssh.js', () => ({
+    createSSHClient: (...args) => mockCreateSSHClient(...args),
+    close: (...args) => mockClose(...args),
+    exec: (...args) => mockExec(...args),
+    writeFile: (...args) => mockWriteFile(...args),
+    execStream: (...args) => mockExecStream(...args),
+}));
+import { toUnixLf, getInitScript, runBootstrap } from './install-init-core.js';
+import { runInstallInit } from './install-init.js';
+describe('install-init-core', () => {
+    beforeEach(() => {
+        jest.clearAllMocks();
+        mockExec.mockResolvedValue({ stdout: '', stderr: '', code: 0 });
+        mockWriteFile.mockResolvedValue(undefined);
+        mockExecStream.mockResolvedValue({ code: 0 });
+    });
+    describe('toUnixLf', () => {
+        it('converts CRLF to LF', () => {
+            expect(toUnixLf('a\r\nb\r\n')).toBe('a\nb\n');
+        });
+        it('converts CR to LF', () => {
+            expect(toUnixLf('a\rb\rc')).toBe('a\nb\nc');
+        });
+        it('leaves LF-only unchanged', () => {
+            expect(toUnixLf('a\nb\n')).toBe('a\nb\n');
+        });
+    });
+    describe('getInitScript', () => {
+        it('returns script content with Unix line endings', () => {
+            const script = getInitScript(ASSETS_DIR);
+            expect(script).toContain('#!/bin/sh');
+            expect(script).toContain('AI Fabrix server bootstrap');
+            expect(script).not.toMatch(/\r\n/);
+        });
+        it('throws when assets dir has no setup-install-init.sh', () => {
+            expect(() => getInitScript('/nonexistent')).toThrow();
+        });
+    });
+    describe('runBootstrap', () => {
+        it('runs mkdir, chmod, writeFile, chmod +x, execStream (sudo script), rm -rf', async () => {
+            const tmpDir = '/tmp/aifabrix-init-123';
+            const scriptContent = '#!/bin/sh\necho ok\n';
+            await runBootstrap(mockConn, scriptContent, tmpDir);
+            expect(mockExec).toHaveBeenCalledTimes(4);
+            expect(mockExec).toHaveBeenNthCalledWith(1, mockConn, `mkdir -p ${tmpDir}`);
+            expect(mockExec).toHaveBeenNthCalledWith(2, mockConn, `chmod 755 ${tmpDir}`);
+            expect(mockExec).toHaveBeenNthCalledWith(3, mockConn, `chmod +x ${tmpDir}/setup-install-init.sh`);
+            expect(mockExec).toHaveBeenNthCalledWith(4, mockConn, `rm -rf ${tmpDir}`);
+            expect(mockWriteFile).toHaveBeenCalledTimes(1);
+            expect(mockWriteFile).toHaveBeenCalledWith(mockConn, `${tmpDir}/setup-install-init.sh`, scriptContent);
+            expect(mockExecStream).toHaveBeenCalledTimes(1);
+            expect(mockExecStream).toHaveBeenCalledWith(mockConn, `sudo ${tmpDir}/setup-install-init.sh`);
+        });
+        it('throws when execStream returns non-zero code', async () => {
+            mockExecStream.mockResolvedValueOnce({ code: 1 });
+            await expect(runBootstrap(mockConn, '#!/bin/sh\nexit 1\n', '/tmp/test')).rejects.toThrow('install-init script exited with code 1');
+        });
+    });
+    describe('runInstallInit (install-init.ts)', () => {
+        beforeEach(() => {
+            mockCreateSSHClient.mockResolvedValue(mockConn);
+            jest.spyOn(console, 'error').mockImplementation(() => { });
+        });
+        afterEach(() => {
+            console.error.mockRestore();
+        });
+        it('connects, uploads script, runs bootstrap via sudo, then closes', async () => {
+            await runInstallInit({ target: 'user@host' }, ASSETS_DIR);
+            expect(mockCreateSSHClient).toHaveBeenCalledWith({ target: 'user@host' });
+            expect(mockClose).toHaveBeenCalledWith(mockConn);
+            expect(mockWriteFile).toHaveBeenCalledWith(mockConn, expect.stringMatching(/\/setup-install-init\.sh$/), expect.any(String));
+            expect(mockExecStream).toHaveBeenCalledWith(mockConn, expect.stringContaining('sudo'));
+        });
+        it('throws when bootstrap script exits non-zero', async () => {
+            mockExecStream.mockResolvedValueOnce({ code: 1 });
+            await expect(runInstallInit({ target: 'user@host' }, ASSETS_DIR)).rejects.toThrow('install-init script exited with code 1');
+            expect(mockClose).toHaveBeenCalledWith(mockConn);
+        });
     });
 });
-export {};

package/dist/ssh.d.ts

@@ -20,6 +20,13 @@ export declare function exec(conn: Client, command: string): Promise<{
     stderr: string;
     code: number | null;
 }>;
+/**
+ * Run a remote command and stream stdout/stderr to the current process so the user sees progress in real time.
+ * Resolves with the exit code when the command finishes.
+ */
+export declare function execStream(conn: Client, command: string): Promise<{
+    code: number | null;
+}>;
 /** Get remote user home directory (e.g. for ~/.ssh). Uses exec so paths work with SFTP. */
 export declare function getRemoteHome(conn: Client): Promise<string>;
 export declare function readFile(conn: Client, remotePath: string): Promise<Buffer>;

package/dist/ssh.js

@@ -149,6 +149,23 @@ export function exec(conn, command) {
         });
     });
 }
+/**
+ * Run a remote command and stream stdout/stderr to the current process so the user sees progress in real time.
+ * Resolves with the exit code when the command finishes.
+ */
+export function execStream(conn, command) {
+    return new Promise((resolve, reject) => {
+        conn.exec(command, (err, stream) => {
+            if (err) {
+                reject(err);
+                return;
+            }
+            stream.on('data', (data) => process.stdout.write(data));
+            stream.stderr.on('data', (data) => process.stderr.write(data));
+            stream.on('close', (code) => resolve({ code: code ?? null }));
+        });
+    });
+}
 /** Get remote user home directory (e.g. for ~/.ssh). Uses exec so paths work with SFTP. */
 export async function getRemoteHome(conn) {
     const result = await exec(conn, 'echo $HOME');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aifabrix/server-setup",
-  "version": "1.5.3",
+  "version": "1.5.6",
   "description": "CLI to install, backup, and restore AI Fabrix builder-server (config + DB) over SSH",
   "type": "module",
   "main": "dist/cli.js",