@arcote.tech/arc-cli 0.5.1 → 0.5.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcote.tech/arc-cli",
-  "version": "0.5.1",
+  "version": "0.5.5",
   "description": "CLI tool for Arc framework",
   "module": "index.ts",
   "main": "dist/index.js",
@@ -12,12 +12,13 @@
     "build": "bun build --target=bun ./src/index.ts --outdir=dist --external @arcote.tech/arc --external @arcote.tech/arc-ds --external @arcote.tech/arc-react --external @arcote.tech/platform && chmod +x dist/index.js"
   },
   "dependencies": {
-    "@arcote.tech/arc": "^0.5.1",
-    "@arcote.tech/arc-ds": "^0.5.1",
-    "@arcote.tech/arc-react": "^0.5.1",
-    "@arcote.tech/arc-host": "^0.5.1",
-    "@arcote.tech/arc-adapter-db-sqlite": "^0.5.1",
-    "@arcote.tech/platform": "^0.5.1",
+    "@arcote.tech/arc": "^0.5.5",
+    "@arcote.tech/arc-ds": "^0.5.5",
+    "@arcote.tech/arc-react": "^0.5.5",
+    "@arcote.tech/arc-host": "^0.5.5",
+    "@arcote.tech/arc-adapter-db-sqlite": "^0.5.5",
+    "@arcote.tech/platform": "^0.5.5",
+    "@clack/prompts": "^0.9.0",
     "commander": "^11.1.0",
     "chokidar": "^3.5.3",
     "glob": "^10.3.10",

package/src/builder/module-builder.ts

@@ -7,12 +7,16 @@ import {
   writeFileSync,
 } from "fs";
 import { dirname, join, relative } from "path";
+import type { BuildManifest, ModuleDescriptor } from "@arcote.tech/platform";
 import {
   buildTypeDeclarations,
   type DeclarationResult,
 } from "../utils/build";
 import { i18nExtractPlugin, finalizeTranslations } from "../i18n";
 
+/** Re-export for internal CLI consumers (avoid direct platform dependency in consumers). */
+export type { BuildManifest, ModuleDescriptor };
+
 /** Clients that a context package is built for. */
 const CONTEXT_CLIENTS = [
   { name: "server", target: "bun" as const, defines: { ONLY_SERVER: "true", ONLY_BROWSER: "false", ONLY_CLIENT: "false" } },
@@ -97,14 +101,28 @@ export interface WorkspacePackage {
   packageJson: Record<string, any>;
 }
 
-export interface ModuleEntry {
-  file: string;
-  name: string;
+/** @deprecated use ModuleDescriptor from @arcote.tech/platform */
+export type ModuleEntry = ModuleDescriptor;
+
+/**
+ * sha256 hex of bytes. Uses Bun.CryptoHasher which is always available in the CLI runtime.
+ */
+export function sha256Hex(bytes: Uint8Array | ArrayBuffer | string): string {
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(bytes as any);
+  return hasher.digest("hex");
 }
 
-export interface BuildManifest {
-  modules: ModuleEntry[];
-  buildTime: string;
+/** Hash of concatenated file contents in a directory (stable order). */
+export function sha256OfFiles(paths: readonly string[]): string {
+  const hasher = new Bun.CryptoHasher("sha256");
+  const sorted = [...paths].sort();
+  for (const p of sorted) {
+    if (!existsSync(p)) continue;
+    hasher.update(readFileSync(p));
+    hasher.update("\0");
+  }
+  return hasher.digest("hex");
 }
 
 /**
@@ -270,17 +288,25 @@ export async function buildPackages(
   const { rmSync } = await import("fs");
   rmSync(tmpDir, { recursive: true, force: true });
 
-  // Build manifest
-  const moduleEntries: ModuleEntry[] = result.outputs
+  // Build manifest — hash each module file for deploy diffing & client cache-bust
+  const moduleEntries: ModuleDescriptor[] = result.outputs
     .filter((o) => o.kind === "entry-point")
     .map((o) => {
       const file = o.path.split("/").pop()!;
       const safeName = file.replace(/\.js$/, "");
-      return { file, name: fileToName.get(safeName) ?? safeName };
+      const bytes = readFileSync(o.path);
+      return {
+        file,
+        name: fileToName.get(safeName) ?? safeName,
+        hash: sha256Hex(bytes),
+      };
     });
 
+  // shellHash / stylesHash are filled in by buildAll() after shell and styles are built.
   const manifest: BuildManifest = {
     modules: moduleEntries,
+    shellHash: "",
+    stylesHash: "",
     buildTime: new Date().toISOString(),
   };
 

package/src/commands/platform-deploy.ts

@@ -0,0 +1,143 @@
+import { existsSync, readFileSync } from "fs";
+import { join } from "path";
+import { bootstrap } from "../deploy/bootstrap";
+import {
+  deployConfigExists,
+  loadDeployConfig,
+  saveDeployConfig,
+} from "../deploy/config";
+import { detectRemoteState } from "../deploy/remote-state";
+import { syncEnv } from "../deploy/remote-sync";
+import { runSurvey } from "../deploy/survey";
+import {
+  buildAll,
+  err,
+  log,
+  ok,
+  resolveWorkspace,
+} from "../platform/shared";
+
+interface PlatformDeployOptions {
+  /** Optional env filter from positional arg. */
+  env?: string;
+  /** Skip local build if artifacts already exist. */
+  skipBuild?: boolean;
+  /** Force rebuild before deploy. */
+  rebuild?: boolean;
+}
+
+// ---------------------------------------------------------------------------
+// Entry point for `arc platform deploy [env] [--skip-build] [--rebuild]`.
+//
+// High-level flow:
+//   1. resolveWorkspace
+//   2. load or survey deploy.arc.json
+//   3. ensure local build (buildAll unless --skip-build)
+//   4. detectRemoteState → bootstrap if needed
+//   5. for each env (or the one passed as arg): syncEnv
+// ---------------------------------------------------------------------------
+
+export async function platformDeploy(
+  envArg: string | undefined,
+  options: PlatformDeployOptions = {},
+): Promise<void> {
+  const ws = resolveWorkspace();
+
+  // 1. Load or survey config
+  let cfg;
+  if (!deployConfigExists(ws.rootDir)) {
+    log("No deploy.arc.json found — launching survey.");
+    cfg = await runSurvey();
+    saveDeployConfig(ws.rootDir, cfg);
+    ok("Saved deploy.arc.json");
+  }
+  cfg = loadDeployConfig(ws.rootDir);
+
+  // Filter envs if an arg was provided
+  const targetEnvs = envArg
+    ? envArg in cfg.envs
+      ? [envArg]
+      : (() => {
+          err(`Unknown env "${envArg}". Known: ${Object.keys(cfg.envs).join(", ")}`);
+          process.exit(1);
+        })()
+    : Object.keys(cfg.envs);
+
+  // 2. Ensure local build
+  const manifestPath = join(ws.modulesDir, "manifest.json");
+  const needBuild = options.rebuild || !existsSync(manifestPath);
+  if (needBuild && !options.skipBuild) {
+    log("Building platform...");
+    await buildAll(ws);
+    ok("Build complete");
+  } else if (!existsSync(manifestPath)) {
+    err("No build found and --skip-build was set.");
+    process.exit(1);
+  }
+
+  // 3. Detect remote state
+  log("Inspecting remote server...");
+  const state = await detectRemoteState(cfg);
+  log(`Remote state: ${state.kind}`);
+
+  // 4. Bootstrap if needed
+  const cliVersion = readCliVersion();
+  const configHash = await hashDeployConfig(ws.rootDir);
+  if (state.kind !== "ready") {
+    await bootstrap({
+      cfg,
+      rootDir: ws.rootDir,
+      state,
+      cliVersion,
+      configHash,
+    });
+  }
+
+  // 5. Sync each env
+  for (const env of targetEnvs) {
+    log(`Syncing env "${env}"...`);
+    const outcome = await syncEnv({
+      cfg,
+      env,
+      ws,
+      projectDir: ws.rootDir,
+    });
+    if (
+      outcome.changedModules.length === 0 &&
+      !outcome.shellChanged &&
+      !outcome.stylesChanged
+    ) {
+      ok(`${env}: already up to date`);
+    } else {
+      const parts: string[] = [];
+      if (outcome.changedModules.length > 0) {
+        parts.push(`${outcome.changedModules.length} module(s): ${outcome.changedModules.join(", ")}`);
+      }
+      if (outcome.shellChanged) parts.push("shell");
+      if (outcome.stylesChanged) parts.push("styles");
+      ok(`${env}: updated ${parts.join(", ")}`);
+    }
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function readCliVersion(): string {
+  try {
+    const pkgPath = join(import.meta.dir, "..", "..", "package.json");
+    const pkg = JSON.parse(readFileSync(pkgPath, "utf-8"));
+    return pkg.version ?? "unknown";
+  } catch {
+    return "unknown";
+  }
+}
+
+async function hashDeployConfig(rootDir: string): Promise<string> {
+  const p = join(rootDir, "deploy.arc.json");
+  const content = readFileSync(p);
+  const hasher = new Bun.CryptoHasher("sha256");
+  hasher.update(content);
+  return hasher.digest("hex").slice(0, 16);
+}

package/src/commands/platform-start.ts

@@ -34,8 +34,10 @@ export async function platformStart(): Promise<void> {
     log("No context — server endpoints skipped");
   }
 
-  // Start server (production mode = no SSE reload, aggressive caching)
+  // Start server (production mode = aggressive caching, SSE only used for deploy hot-swap)
   const arcEntries = collectArcPeerDeps(ws.packages);
+  const deployApi = process.env.ARC_DEPLOY_API === "1";
+  if (deployApi) ok("Deploy API enabled (/api/deploy/*)");
   const platform = await startPlatformServer({
     ws,
     port,
@@ -44,6 +46,7 @@ export async function platformStart(): Promise<void> {
     moduleAccess,
     dbPath: join(ws.rootDir, ".arc", "data", "prod.db"),
     devMode: false,
+    deployApi,
     arcEntries,
   });
 

package/src/deploy/ansible.ts

@@ -0,0 +1,69 @@
+import { spawn } from "bun";
+import { mkdirSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { join } from "path";
+import { ASSETS, materializeAssets } from "./assets";
+import type { DeployProvisionAnsible, DeployTarget } from "./config";
+
+// ---------------------------------------------------------------------------
+// Runs Ansible from embedded assets. Inventory is generated on the fly,
+// targeting the single host described by DeployTarget. Runs as root on the
+// first bootstrap (via `ansible_user=root`); subsequent runs reuse the
+// `deploy` user created by the playbook.
+// ---------------------------------------------------------------------------
+
+export interface AnsibleInputs {
+  target: DeployTarget;
+  ansible?: DeployProvisionAnsible;
+  /** On first bootstrap, the fresh VM only has root — so override username. */
+  asRoot?: boolean;
+}
+
+export async function runAnsible(inputs: AnsibleInputs): Promise<void> {
+  const workDir = join(tmpdir(), "arc-deploy", `ansible-${Date.now()}`);
+  mkdirSync(workDir, { recursive: true });
+  await materializeAssets(workDir, ASSETS.ansible);
+
+  const user = inputs.asRoot ? "root" : inputs.target.user;
+  const port = inputs.ansible?.sshPort ?? inputs.target.port;
+
+  const inventory = [
+    "[arc]",
+    `${inputs.target.host} ansible_user=${user} ansible_port=${port}`,
+    "",
+    "[arc:vars]",
+    "ansible_ssh_common_args='-o StrictHostKeyChecking=accept-new -o BatchMode=yes'",
+    "ansible_python_interpreter=/usr/bin/python3",
+    "",
+  ].join("\n");
+  writeFileSync(join(workDir, "inventory.ini"), inventory);
+
+  const extraVars = [
+    `username=${inputs.target.user}`,
+    `ssh_port=${port}`,
+  ];
+  if (inputs.ansible?.extraAllowedIps?.length) {
+    extraVars.push(
+      `extra_allowed_ips=${JSON.stringify(inputs.ansible.extraAllowedIps)}`,
+    );
+  }
+
+  const proc = spawn({
+    cmd: [
+      "ansible-playbook",
+      "-i",
+      "inventory.ini",
+      "site.yml",
+      "-e",
+      extraVars.join(" "),
+    ],
+    cwd: workDir,
+    stdout: "inherit",
+    stderr: "inherit",
+    env: { ...process.env, ANSIBLE_HOST_KEY_CHECKING: "False" },
+  });
+  const exit = await proc.exited;
+  if (exit !== 0) {
+    throw new Error(`ansible-playbook failed (exit ${exit})`);
+  }
+}

package/src/deploy/assets/ansible/site.yml

@@ -0,0 +1,169 @@
+---
+# Arc platform bootstrap playbook — minimal hardened Docker host.
+# No Portainer / Watchtower / private registry; images travel via docker save|load.
+- name: Bootstrap Arc host
+  hosts: all
+  become: true
+  gather_facts: true
+  vars:
+    deploy_user: "{{ username | default('deploy') }}"
+    ssh_port: "{{ ssh_port | default(22) }}"
+    extra_allowed_ips: "{{ extra_allowed_ips | default([]) }}"
+
+  tasks:
+    - name: Update apt cache
+      apt:
+        update_cache: true
+        cache_valid_time: 3600
+
+    - name: Install base packages
+      apt:
+        name:
+          - ca-certificates
+          - curl
+          - gnupg
+          - ufw
+          - fail2ban
+          - unattended-upgrades
+          - python3-docker
+        state: present
+
+    - name: Create deploy user
+      user:
+        name: "{{ deploy_user }}"
+        shell: /bin/bash
+        groups: sudo
+        append: true
+        create_home: true
+        state: present
+
+    - name: Copy SSH key from root to deploy user
+      shell: |
+        mkdir -p /home/{{ deploy_user }}/.ssh
+        cp /root/.ssh/authorized_keys /home/{{ deploy_user }}/.ssh/authorized_keys
+        chown -R {{ deploy_user }}:{{ deploy_user }} /home/{{ deploy_user }}/.ssh
+        chmod 700 /home/{{ deploy_user }}/.ssh
+        chmod 600 /home/{{ deploy_user }}/.ssh/authorized_keys
+      args:
+        creates: "/home/{{ deploy_user }}/.ssh/authorized_keys"
+
+    - name: Passwordless sudo for deploy user
+      copy:
+        dest: /etc/sudoers.d/99-{{ deploy_user }}
+        content: "{{ deploy_user }} ALL=(ALL) NOPASSWD:ALL\n"
+        mode: "0440"
+        validate: "visudo -cf %s"
+
+    - name: Harden sshd
+      lineinfile:
+        path: /etc/ssh/sshd_config
+        regexp: "{{ item.re }}"
+        line: "{{ item.line }}"
+        state: present
+      loop:
+        - { re: "^#?PermitRootLogin", line: "PermitRootLogin no" }
+        - { re: "^#?PasswordAuthentication", line: "PasswordAuthentication no" }
+        - { re: "^#?PubkeyAuthentication", line: "PubkeyAuthentication yes" }
+        - { re: "^#?MaxAuthTries", line: "MaxAuthTries 3" }
+      notify: restart ssh
+
+    - name: Install Docker via official convenience script
+      shell: |
+        curl -fsSL https://get.docker.com | sh
+      args:
+        creates: /usr/bin/docker
+
+    - name: Enable and start docker
+      systemd:
+        name: docker
+        enabled: true
+        state: started
+
+    - name: Add deploy user to docker group
+      user:
+        name: "{{ deploy_user }}"
+        groups: docker
+        append: true
+
+    - name: Configure docker log rotation
+      copy:
+        dest: /etc/docker/daemon.json
+        content: |
+          {
+            "log-driver": "json-file",
+            "log-opts": {
+              "max-size": "10m",
+              "max-file": "3"
+            }
+          }
+        mode: "0644"
+      notify: restart docker
+
+    - name: Ensure /opt/arc exists
+      file:
+        path: /opt/arc
+        state: directory
+        owner: "{{ deploy_user }}"
+        group: "{{ deploy_user }}"
+        mode: "0755"
+
+    - name: Configure ufw defaults
+      ufw:
+        policy: "{{ item.policy }}"
+        direction: "{{ item.dir }}"
+      loop:
+        - { policy: deny, dir: incoming }
+        - { policy: allow, dir: outgoing }
+
+    - name: Open firewall ports
+      ufw:
+        rule: allow
+        port: "{{ item }}"
+        proto: tcp
+      loop:
+        - "{{ ssh_port }}"
+        - "80"
+        - "443"
+
+    - name: Enable ufw
+      ufw:
+        state: enabled
+
+    - name: Configure fail2ban for sshd
+      copy:
+        dest: /etc/fail2ban/jail.local
+        content: |
+          [sshd]
+          enabled = true
+          port = {{ ssh_port }}
+          maxretry = 5
+          findtime = 600
+          bantime = 3600
+          ignoreip = 127.0.0.1/8 ::1 {{ extra_allowed_ips | join(' ') }}
+        mode: "0644"
+      notify: restart fail2ban
+
+    - name: Enable unattended upgrades
+      copy:
+        dest: /etc/apt/apt.conf.d/20auto-upgrades
+        content: |
+          APT::Periodic::Update-Package-Lists "1";
+          APT::Periodic::Unattended-Upgrade "1";
+          APT::Periodic::AutocleanInterval "7";
+        mode: "0644"
+
+  handlers:
+    - name: restart ssh
+      systemd:
+        name: ssh
+        state: restarted
+
+    - name: restart docker
+      systemd:
+        name: docker
+        state: restarted
+
+    - name: restart fail2ban
+      systemd:
+        name: fail2ban
+        state: restarted

package/src/deploy/assets/terraform/main.tf

@@ -0,0 +1,38 @@
+terraform {
+  required_providers {
+    hcloud = {
+      source  = "hetznercloud/hcloud"
+      version = "~> 1.51"
+    }
+  }
+}
+
+provider "hcloud" {
+  token = var.hcloud_token
+}
+
+resource "hcloud_ssh_key" "deploy" {
+  name       = "${var.server_name}-deploy"
+  public_key = file(var.ssh_public_key)
+}
+
+resource "hcloud_server" "arc" {
+  name        = var.server_name
+  image       = var.server_image
+  server_type = var.server_type
+  location    = var.server_location
+  ssh_keys    = [hcloud_ssh_key.deploy.id]
+
+  public_net {
+    ipv4_enabled = true
+    ipv6_enabled = true
+  }
+}
+
+output "server_ip" {
+  value = hcloud_server.arc.ipv4_address
+}
+
+output "server_name" {
+  value = hcloud_server.arc.name
+}

package/src/deploy/assets/terraform/variables.tf

@@ -0,0 +1,35 @@
+variable "hcloud_token" {
+  description = "Hetzner Cloud API token"
+  type        = string
+  sensitive   = true
+}
+
+variable "server_name" {
+  description = "Name of the Hetzner server (shown in the console)"
+  type        = string
+  default     = "arc-platform"
+}
+
+variable "server_type" {
+  description = "Hetzner server type (cx22, cx32, cx42, ...)"
+  type        = string
+  default     = "cx32"
+}
+
+variable "server_location" {
+  description = "Hetzner datacenter location (nbg1, fsn1, hel1, ...)"
+  type        = string
+  default     = "nbg1"
+}
+
+variable "server_image" {
+  description = "OS image"
+  type        = string
+  default     = "ubuntu-22.04"
+}
+
+variable "ssh_public_key" {
+  description = "Path to the public key uploaded to the server"
+  type        = string
+  default     = "~/.ssh/id_ed25519.pub"
+}