@appliance.sh/api-server 1.19.0 → 1.20.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@appliance.sh/api-server",
-  "version": "1.19.0",
+  "version": "1.20.0",
   "description": "",
   "author": "Eliot Lim",
   "repository": "https://github.com/appliance-sh/appliance.sh",
@@ -19,8 +19,9 @@
     "test:e2e": "vitest run --config vitest.e2e.config.ts"
   },
   "dependencies": {
-    "@appliance.sh/infra": "1.19.0",
-    "@appliance.sh/sdk": "1.19.0",
+    "@appliance.sh/infra": "1.20.0",
+    "@appliance.sh/sdk": "1.20.0",
+    "@aws-sdk/client-ecr": "^3.1005.0",
     "@aws-sdk/client-s3": "^3.750.0",
     "express": "^5.2.1"
   },

package/src/main.ts

@@ -4,6 +4,7 @@ import { indexRoutes } from './routes';
 import { projectRoutes } from './routes/projects';
 import { environmentRoutes } from './routes/environments';
 import { deploymentRoutes } from './routes/deployments';
+import { buildRoutes } from './routes/builds';
 import { bootstrapRoutes } from './routes/bootstrap';
 import { signatureAuth } from './middleware/auth';
 
@@ -26,6 +27,7 @@ export function createApp() {
   app.use('/api/v1/projects', signatureAuth, projectRoutes);
   app.use('/api/v1/projects/:projectId/environments', signatureAuth, environmentRoutes);
   app.use('/api/v1/deployments', signatureAuth, deploymentRoutes);
+  app.use('/api/v1/builds', signatureAuth, buildRoutes);
 
   return app;
 }

package/src/routes/builds/index.ts

@@ -0,0 +1,46 @@
+import { Router, raw } from 'express';
+import { S3Client, PutObjectCommand } from '@aws-sdk/client-s3';
+import { applianceBaseConfig, generateId } from '@appliance.sh/sdk';
+
+export const buildRoutes = Router();
+
+// Accept raw binary body up to 500MB
+buildRoutes.post('/', raw({ type: 'application/octet-stream', limit: '500mb' }), async (req, res) => {
+  try {
+    const configRaw = process.env.APPLIANCE_BASE_CONFIG;
+    if (!configRaw) {
+      res.status(500).json({ error: 'Base config not available' });
+      return;
+    }
+    const config = applianceBaseConfig.parse(JSON.parse(configRaw));
+
+    if (!config.aws.dataBucketName) {
+      res.status(500).json({ error: 'Data bucket not configured' });
+      return;
+    }
+
+    const body = req.body as Buffer;
+    if (!body || body.length === 0) {
+      res.status(400).json({ error: 'Empty body' });
+      return;
+    }
+
+    const buildId = generateId('build');
+    const s3Key = `builds/${buildId}.zip`;
+
+    const s3 = new S3Client({ region: config.aws.region });
+    await s3.send(
+      new PutObjectCommand({
+        Bucket: config.aws.dataBucketName,
+        Key: s3Key,
+        Body: body,
+        ContentType: 'application/zip',
+      })
+    );
+
+    res.status(201).json({ buildId, size: body.length });
+  } catch (error) {
+    console.error('Build upload error:', error);
+    res.status(500).json({ error: 'Failed to upload build' });
+  }
+});

package/src/routes/environments/index.ts

@@ -1,5 +1,5 @@
 import { Router } from 'express';
-import { environmentInput, applianceBaseConfig } from '@appliance.sh/sdk';
+import { environmentInput } from '@appliance.sh/sdk';
 import { environmentService } from '../../services/environment.service';
 import { projectService } from '../../services/project.service';
 
@@ -8,12 +8,6 @@ interface EnvironmentParams {
   id?: string;
 }
 
-function getServerBaseConfig() {
-  const raw = process.env.APPLIANCE_BASE_CONFIG;
-  if (!raw) throw new Error('APPLIANCE_BASE_CONFIG is not set on the server');
-  return applianceBaseConfig.parse(JSON.parse(raw));
-}
-
 export const environmentRoutes = Router({ mergeParams: true });
 
 environmentRoutes.post('/', async (req, res) => {
@@ -24,12 +18,11 @@ environmentRoutes.post('/', async (req, res) => {
       res.status(404).json({ error: 'Project not found' });
       return;
     }
-    const baseConfig = getServerBaseConfig();
     const input = environmentInput.parse({
       ...req.body,
       projectId: params.projectId,
     });
-    const environment = await environmentService.create(input, project.name, baseConfig);
+    const environment = await environmentService.create(input, project.name);
     res.status(201).json(environment);
   } catch (error) {
     console.error('Create environment error:', error);

package/src/services/api-key.service.spec.ts

@@ -38,9 +38,9 @@ describe('ApiKeyService', () => {
     service = new ApiKeyService();
   });
 
-  it('should create a key with ak_ prefixed id and sk_ prefixed secret', async () => {
+  it('should create a key with apikey_ prefixed id and sk_ prefixed secret', async () => {
     const result = await service.create('test-key');
-    expect(result.id).toMatch(/^ak_/);
+    expect(result.id).toMatch(/^apikey_/);
     expect(result.secret).toMatch(/^sk_/);
     expect(result.name).toBe('test-key');
     expect(result.createdAt).toBeDefined();

package/src/services/api-key.service.ts

@@ -17,7 +17,7 @@ interface StoredApiKey {
 export class ApiKeyService {
   async create(name: string): Promise<ApiKeyCreateResponse> {
     const storage = getStorageService();
-    const id = generateId('ak');
+    const id = generateId('apikey');
     const secret = `sk_${randomBytes(32).toString('hex')}`;
     const now = new Date().toISOString();
 

package/src/services/build.service.ts

@@ -0,0 +1,138 @@
+import { S3Client, GetObjectCommand } from '@aws-sdk/client-s3';
+import { ECRClient, GetAuthorizationTokenCommand } from '@aws-sdk/client-ecr';
+import { applianceBaseConfig, applianceInput } from '@appliance.sh/sdk';
+import type { ApplianceContainer } from '@appliance.sh/sdk';
+import { execSync } from 'child_process';
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import * as os from 'node:os';
+
+export interface ResolvedBuild {
+  imageUri?: string;
+  codeS3Key?: string;
+}
+
+function getBaseConfig() {
+  const raw = process.env.APPLIANCE_BASE_CONFIG;
+  if (!raw) throw new Error('APPLIANCE_BASE_CONFIG not set');
+  return applianceBaseConfig.parse(JSON.parse(raw));
+}
+
+export class BuildService {
+  async resolve(buildId: string, tag: string): Promise<ResolvedBuild> {
+    const config = getBaseConfig();
+    if (!config.aws.dataBucketName) throw new Error('Data bucket not configured');
+
+    const s3Key = `builds/${buildId}.zip`;
+    const s3 = new S3Client({ region: config.aws.region });
+
+    // Download the build zip
+    const result = await s3.send(new GetObjectCommand({ Bucket: config.aws.dataBucketName, Key: s3Key }));
+    const body = await result.Body?.transformToByteArray();
+    if (!body) throw new Error('Empty build');
+
+    // Extract to temp dir
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'appliance-build-'));
+    const zipPath = path.join(tmpDir, 'appliance.zip');
+    fs.writeFileSync(zipPath, body);
+
+    try {
+      // List zip contents and validate paths before extracting
+      const entries = execSync(`zipinfo -1 "${zipPath}"`, { encoding: 'utf-8' }).trim().split('\n');
+      for (const entryPath of entries) {
+        const resolved = path.resolve(tmpDir, entryPath);
+        if (!resolved.startsWith(tmpDir + path.sep) && resolved !== tmpDir) {
+          throw new Error(`Zip contains path traversal: ${entryPath}`);
+        }
+      }
+
+      execSync(`unzip -o -q "${zipPath}" -d "${tmpDir}"`, { stdio: 'pipe' });
+
+      // Read the manifest
+      const manifestPath = path.join(tmpDir, 'appliance.json');
+      if (!fs.existsSync(manifestPath)) throw new Error('Build missing appliance.json');
+      const manifest = applianceInput.parse(JSON.parse(fs.readFileSync(manifestPath, 'utf-8')));
+
+      if (manifest.type === 'container') {
+        return this.resolveContainer(tmpDir, manifest, tag, config);
+      } else {
+        // For framework/other, the zip is already in S3 — just reference it
+        return { codeS3Key: s3Key };
+      }
+    } finally {
+      fs.rmSync(tmpDir, { recursive: true, force: true });
+    }
+  }
+
+  private async resolveContainer(
+    tmpDir: string,
+    manifest: ApplianceContainer,
+    tag: string,
+    config: ReturnType<typeof getBaseConfig>
+  ): Promise<ResolvedBuild> {
+    const ecrRepositoryUrl = config.aws.ecrRepositoryUrl;
+    if (!ecrRepositoryUrl) throw new Error('ECR repository not configured');
+
+    const imageTarPath = path.join(tmpDir, 'image.tar');
+    if (!fs.existsSync(imageTarPath)) throw new Error('Build missing image.tar');
+
+    // Load the user's original image into Docker and capture the loaded image reference
+    const loadOutput = execSync(`docker load -i "${imageTarPath}"`, { encoding: 'utf-8' });
+    // Output is like "Loaded image: name:tag" or "Loaded image ID: sha256:abc..."
+    const loadedMatch = loadOutput.match(/Loaded image(?: ID)?:\s*(.+)/);
+    if (!loadedMatch) throw new Error(`Failed to parse docker load output: ${loadOutput}`);
+    const loadedImage = loadedMatch[1].trim();
+
+    // Wrap the image with the Lambda Web Adapter so the same plain HTTP
+    // container works on both Lambda and ECS/Fargate without any changes.
+    const lambdaImageName = `${manifest.name}-lambda`;
+    const wrapperDockerfile = path.join(tmpDir, 'Dockerfile.lambda');
+    fs.writeFileSync(
+      wrapperDockerfile,
+      [
+        `FROM --platform=${manifest.platform} public.ecr.aws/awsguru/aws-lambda-adapter:0.9.1 AS adapter`,
+        `FROM ${loadedImage}`,
+        `COPY --from=adapter /lambda-adapter /opt/extensions/lambda-adapter`,
+        `ENV AWS_LWA_PORT=${manifest.port}`,
+      ].join('\n')
+    );
+    execSync(
+      `docker build --platform ${manifest.platform} --provenance=false -f "${wrapperDockerfile}" -t "${lambdaImageName}" "${tmpDir}"`,
+      { stdio: 'pipe' }
+    );
+
+    // Auth with ECR
+    const ecr = new ECRClient({ region: config.aws.region });
+    const authResult = await ecr.send(new GetAuthorizationTokenCommand({}));
+    const authData = authResult.authorizationData?.[0];
+    if (!authData?.authorizationToken || !authData?.proxyEndpoint) {
+      throw new Error('Failed to get ECR auth');
+    }
+
+    const decoded = Buffer.from(authData.authorizationToken, 'base64').toString();
+    const [username, password] = decoded.split(':');
+    execSync(`docker login --username ${username} --password-stdin ${authData.proxyEndpoint}`, {
+      input: password,
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+
+    // Tag and push the Lambda-wrapped image
+    const remoteTag = `${ecrRepositoryUrl}:${tag}`;
+    execSync(`docker tag ${lambdaImageName} ${remoteTag}`, { stdio: 'pipe' });
+    execSync(`docker push ${remoteTag}`, { stdio: 'pipe' });
+
+    // Get digest
+    let imageUri: string;
+    try {
+      imageUri = execSync(`docker inspect --format='{{index .RepoDigests 0}}' ${remoteTag}`, {
+        encoding: 'utf-8',
+      }).trim();
+    } catch {
+      imageUri = remoteTag;
+    }
+
+    return { imageUri };
+  }
+}
+
+export const buildService = new BuildService();

package/src/services/deployment.service.ts

@@ -10,6 +10,7 @@ import { createApplianceDeploymentService } from '@appliance.sh/infra';
 import { getStorageService } from './storage.service';
 import { environmentService } from './environment.service';
 import { projectService } from './project.service';
+import { buildService } from './build.service';
 
 const COLLECTION = 'deployments';
 
@@ -25,7 +26,7 @@ export class DeploymentService {
     const now = new Date().toISOString();
     const deployment: Deployment = {
       ...input,
-      id: generateId('dep'),
+      id: generateId('deployment'),
       projectId: environment.projectId,
       status: DeploymentStatus.Pending,
       startedAt: now,
@@ -59,15 +60,18 @@ export class DeploymentService {
 
     // Execute the deployment
     try {
-      const deploymentService = createApplianceDeploymentService({
-        baseConfig: environment.baseConfig,
-      });
+      const infraService = createApplianceDeploymentService();
 
       let result;
       if (input.action === DeploymentAction.Deploy) {
-        result = await deploymentService.deploy(environment.stackName, metadata);
+        // Resolve the build into cloud-specific params if present
+        const build = input.buildId
+          ? await buildService.resolve(input.buildId, `${environment.stackName}-${deployment.id}`)
+          : undefined;
+
+        result = await infraService.deploy(environment.stackName, metadata, build);
       } else {
-        result = await deploymentService.destroy(environment.stackName);
+        result = await infraService.destroy(environment.stackName);
       }
 
       deployment.status = DeploymentStatus.Succeeded;

package/src/services/environment.service.ts

@@ -1,18 +1,16 @@
 import { Environment, EnvironmentInput, EnvironmentStatus, generateId } from '@appliance.sh/sdk';
-import type { ApplianceBaseConfig } from '@appliance.sh/sdk';
 import { getStorageService } from './storage.service';
 
 const COLLECTION = 'environments';
 
 export class EnvironmentService {
-  async create(input: EnvironmentInput, projectName: string, baseConfig: ApplianceBaseConfig): Promise<Environment> {
+  async create(input: EnvironmentInput, projectName: string): Promise<Environment> {
     const storage = getStorageService();
     const now = new Date().toISOString();
-    const id = generateId('env');
+    const id = generateId('environment');
     const environment: Environment = {
       ...input,
       id,
-      baseConfig,
       status: EnvironmentStatus.Pending,
       stackName: `${projectName}-${input.name}`,
       createdAt: now,

package/src/services/project.service.ts

@@ -9,7 +9,7 @@ export class ProjectService {
     const now = new Date().toISOString();
     const project: Project = {
       ...input,
-      id: generateId('proj'),
+      id: generateId('project'),
       status: ProjectStatus.Active,
       createdAt: now,
       updatedAt: now,