@arcote.tech/arc-cli 0.5.1 → 0.5.5

package/src/deploy/config.ts

@@ -0,0 +1,279 @@
+import { existsSync, readFileSync, writeFileSync } from "fs";
+import { join } from "path";
+
+// ---------------------------------------------------------------------------
+// deploy.arc.json — single source of truth for deployment configuration.
+//
+// Design principles:
+// - One file, zero duplicates. No separate terraform.tfvars, inventory.ini etc.
+// - No inline secrets: tokens come from env vars referenced by name.
+// - Optional provision section: when present, CLI runs terraform+ansible to
+//   create the host; when absent, CLI assumes target.host is already reachable.
+// ---------------------------------------------------------------------------
+
+export interface DeployTarget {
+  host: string;
+  user: string;
+  port: number;
+  /** Remote directory for the arc stack. Default: /opt/arc */
+  remoteDir: string;
+  /** Optional explicit SSH key path (otherwise ssh-agent / ~/.ssh/config is used). */
+  sshKey?: string;
+}
+
+export interface DeployEnv {
+  /** Subdomain or full domain routed by Caddy. */
+  domain: string;
+  /** Extra env vars passed to the arc container. */
+  envVars?: Record<string, string>;
+}
+
+export interface DeployCaddy {
+  /** Email for Let's Encrypt. Use "internal" to use self-signed certs. */
+  email: string;
+}
+
+export interface DeployProvisionTerraform {
+  provider: "hcloud";
+  serverType: string;
+  location: string;
+  image: string;
+  /** Name of environment variable holding the Hetzner Cloud API token. */
+  tokenEnv: string;
+  /** Path to public SSH key uploaded to the provider. Default: ~/.ssh/id_ed25519.pub */
+  sshPublicKey?: string;
+}
+
+export interface DeployProvisionAnsible {
+  sshPort?: number;
+  extraAllowedIps?: string[];
+}
+
+export interface DeployProvision {
+  terraform: DeployProvisionTerraform;
+  ansible?: DeployProvisionAnsible;
+}
+
+export interface DeployConfig {
+  target: DeployTarget;
+  envs: Record<string, DeployEnv>;
+  caddy: DeployCaddy;
+  provision?: DeployProvision;
+}
+
+export const DEPLOY_CONFIG_FILE = "deploy.arc.json";
+
+// ---------------------------------------------------------------------------
+// I/O
+// ---------------------------------------------------------------------------
+
+export function deployConfigPath(rootDir: string): string {
+  return join(rootDir, DEPLOY_CONFIG_FILE);
+}
+
+export function deployConfigExists(rootDir: string): boolean {
+  return existsSync(deployConfigPath(rootDir));
+}
+
+/**
+ * Load deploy.arc.json, expand `${VAR}` references against process.env,
+ * and validate shape. Throws with a precise error on any issue.
+ */
+export function loadDeployConfig(rootDir: string): DeployConfig {
+  const path = deployConfigPath(rootDir);
+  if (!existsSync(path)) {
+    throw new Error(`Missing ${DEPLOY_CONFIG_FILE} at ${path}`);
+  }
+  const raw = readFileSync(path, "utf-8");
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (e) {
+    throw new Error(`Invalid JSON in ${DEPLOY_CONFIG_FILE}: ${(e as Error).message}`);
+  }
+  const expanded = expandEnvVars(parsed, process.env);
+  return validateDeployConfig(expanded);
+}
+
+export function saveDeployConfig(rootDir: string, cfg: DeployConfig): void {
+  writeFileSync(
+    deployConfigPath(rootDir),
+    JSON.stringify(cfg, null, 2) + "\n",
+  );
+}
+
+// ---------------------------------------------------------------------------
+// ${VAR} expansion — recursive, strings only
+// ---------------------------------------------------------------------------
+
+const VAR_REGEX = /\$\{([A-Z0-9_]+)\}|\$([A-Z0-9_]+)/g;
+
+export function expandEnvVars<T>(value: T, env: NodeJS.ProcessEnv): T {
+  if (typeof value === "string") {
+    return value.replace(VAR_REGEX, (_, a, b) => env[a ?? b] ?? "") as T;
+  }
+  if (Array.isArray(value)) {
+    return value.map((v) => expandEnvVars(v, env)) as T;
+  }
+  if (value && typeof value === "object") {
+    const out: Record<string, unknown> = {};
+    for (const [k, v] of Object.entries(value)) {
+      out[k] = expandEnvVars(v, env);
+    }
+    return out as T;
+  }
+  return value;
+}
+
+// ---------------------------------------------------------------------------
+// Validation — strict, descriptive errors, no any
+// ---------------------------------------------------------------------------
+
+export function validateDeployConfig(input: unknown): DeployConfig {
+  if (!isObject(input)) throw cfgErr("root", "object");
+  const target = requireObject(input, "target");
+  const envs = requireObject(input, "envs");
+  const caddy = requireObject(input, "caddy");
+
+  const validated: DeployConfig = {
+    target: {
+      host: requireString(target, "target.host"),
+      user: optionalString(target, "target.user") ?? "deploy",
+      port: optionalNumber(target, "target.port") ?? 22,
+      remoteDir: optionalString(target, "target.remoteDir") ?? "/opt/arc",
+      sshKey: optionalString(target, "target.sshKey"),
+    },
+    envs: {},
+    caddy: {
+      email: requireString(caddy, "caddy.email"),
+    },
+  };
+
+  const envKeys = Object.keys(envs);
+  if (envKeys.length === 0) {
+    throw new Error("deploy.arc.json: envs must contain at least one environment");
+  }
+  for (const name of envKeys) {
+    if (!/^[a-z][a-z0-9-]*$/.test(name)) {
+      throw new Error(`deploy.arc.json: env name "${name}" must match [a-z][a-z0-9-]*`);
+    }
+    const env = requireObject(envs, `envs.${name}`);
+    const domain = requireString(env, `envs.${name}.domain`);
+    if (!/^[a-z0-9.-]+\.[a-z]{2,}$/i.test(domain)) {
+      throw new Error(
+        `deploy.arc.json: envs.${name}.domain "${domain}" doesn't look like a domain`,
+      );
+    }
+    const envVarsRaw = (env as Record<string, unknown>).envVars;
+    let envVars: Record<string, string> | undefined;
+    if (envVarsRaw !== undefined) {
+      if (!isObject(envVarsRaw)) throw cfgErr(`envs.${name}.envVars`, "object");
+      envVars = {};
+      for (const [k, v] of Object.entries(envVarsRaw)) {
+        if (typeof v !== "string") {
+          throw new Error(
+            `deploy.arc.json: envs.${name}.envVars.${k} must be a string`,
+          );
+        }
+        envVars[k] = v;
+      }
+    }
+    validated.envs[name] = { domain, envVars };
+  }
+
+  const provision = (input as Record<string, unknown>).provision;
+  if (provision !== undefined) {
+    if (!isObject(provision)) throw cfgErr("provision", "object");
+    const tf = requireObject(provision, "provision.terraform");
+    const providerVal = requireString(tf, "provision.terraform.provider");
+    if (providerVal !== "hcloud") {
+      throw new Error(
+        `deploy.arc.json: provision.terraform.provider must be "hcloud" (got "${providerVal}")`,
+      );
+    }
+    const terraform: DeployProvisionTerraform = {
+      provider: "hcloud",
+      serverType: requireString(tf, "provision.terraform.serverType"),
+      location: requireString(tf, "provision.terraform.location"),
+      image: optionalString(tf, "provision.terraform.image") ?? "ubuntu-22.04",
+      tokenEnv: requireString(tf, "provision.terraform.tokenEnv"),
+      sshPublicKey: optionalString(tf, "provision.terraform.sshPublicKey"),
+    };
+    let ansible: DeployProvisionAnsible | undefined;
+    const ansibleRaw = (provision as Record<string, unknown>).ansible;
+    if (ansibleRaw !== undefined) {
+      if (!isObject(ansibleRaw)) throw cfgErr("provision.ansible", "object");
+      const allowed = (ansibleRaw as Record<string, unknown>).extraAllowedIps;
+      let extraAllowedIps: string[] | undefined;
+      if (allowed !== undefined) {
+        if (!Array.isArray(allowed)) {
+          throw cfgErr("provision.ansible.extraAllowedIps", "string[]");
+        }
+        extraAllowedIps = allowed.map((v, i) => {
+          if (typeof v !== "string") {
+            throw cfgErr(`provision.ansible.extraAllowedIps[${i}]`, "string");
+          }
+          return v;
+        });
+      }
+      ansible = {
+        sshPort: optionalNumber(ansibleRaw, "provision.ansible.sshPort"),
+        extraAllowedIps,
+      };
+    }
+    validated.provision = { terraform, ansible };
+  }
+
+  return validated;
+}
+
+// ---------------------------------------------------------------------------
+// Validator helpers
+// ---------------------------------------------------------------------------
+
+function isObject(v: unknown): v is Record<string, unknown> {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+
+function requireObject(
+  parent: Record<string, unknown>,
+  key: string,
+): Record<string, unknown> {
+  const bare = key.includes(".") ? key.split(".").pop()! : key;
+  const v = parent[bare];
+  if (!isObject(v)) throw cfgErr(key, "object");
+  return v;
+}
+
+function requireString(parent: Record<string, unknown>, key: string): string {
+  const bare = key.includes(".") ? key.split(".").pop()! : key;
+  const v = parent[bare];
+  if (typeof v !== "string" || v.length === 0) throw cfgErr(key, "non-empty string");
+  return v;
+}
+
+function optionalString(
+  parent: Record<string, unknown>,
+  key: string,
+): string | undefined {
+  const bare = key.includes(".") ? key.split(".").pop()! : key;
+  const v = parent[bare];
+  if (v === undefined) return undefined;
+  if (typeof v !== "string") throw cfgErr(key, "string");
+  return v;
+}
+
+function optionalNumber(
+  parent: Record<string, unknown>,
+  key: string,
+): number | undefined {
+  const bare = key.includes(".") ? key.split(".").pop()! : key;
+  const v = parent[bare];
+  if (v === undefined) return undefined;
+  if (typeof v !== "number") throw cfgErr(key, "number");
+  return v;
+}
+
+function cfgErr(path: string, expected: string): Error {
+  return new Error(`deploy.arc.json: ${path} must be ${expected}`);
+}

package/src/deploy/remote-state.ts

@@ -0,0 +1,92 @@
+import type { DeployConfig, DeployTarget } from "./config";
+import { assertExec, canSsh, sshExec } from "./ssh";
+
+// ---------------------------------------------------------------------------
+// Introspect the remote host to decide whether bootstrap is needed.
+// Classifies into a small enum; bootstrap.ts maps this to actions.
+// ---------------------------------------------------------------------------
+
+export type RemoteState =
+  /** SSH unreachable or target.host is a placeholder from survey. */
+  | { kind: "unreachable"; reason: string }
+  /** SSH works but Docker is missing — needs Ansible. */
+  | { kind: "no-docker" }
+  /** Docker is there but the arc stack is not deployed. */
+  | { kind: "no-stack" }
+  /** Stack is running — state marker present, some services up. */
+  | {
+      kind: "ready";
+      runningEnvs: string[];
+      marker: RemoteStateMarker | null;
+    };
+
+/** Written to /opt/arc/.arc-state.json after each successful bootstrap/deploy. */
+export interface RemoteStateMarker {
+  cliVersion: string;
+  configHash: string;
+  updatedAt: string;
+}
+
+export const STATE_MARKER_PATH = "/opt/arc/.arc-state.json";
+
+export async function detectRemoteState(
+  cfg: DeployConfig,
+): Promise<RemoteState> {
+  if (cfg.target.host === "PENDING_TERRAFORM" || !cfg.target.host) {
+    return { kind: "unreachable", reason: "target.host not yet set" };
+  }
+
+  if (!(await canSsh(cfg.target))) {
+    return { kind: "unreachable", reason: "ssh connection failed" };
+  }
+
+  const dockerCheck = await sshExec(cfg.target, "command -v docker", {
+    quiet: true,
+  });
+  if (dockerCheck.exitCode !== 0) {
+    return { kind: "no-docker" };
+  }
+
+  const composeDir = `${cfg.target.remoteDir}`;
+  const psCheck = await sshExec(
+    cfg.target,
+    `test -f ${composeDir}/docker-compose.yml && cd ${composeDir} && docker compose ps --format '{{.Service}}' || true`,
+    { quiet: true },
+  );
+  if (psCheck.exitCode !== 0 || psCheck.stdout.trim() === "") {
+    return { kind: "no-stack" };
+  }
+
+  const running = psCheck.stdout
+    .split("\n")
+    .map((l) => l.trim())
+    .filter((l) => l.startsWith("arc-"))
+    .map((l) => l.replace(/^arc-/, ""));
+
+  const markerRaw = await sshExec(cfg.target, `cat ${STATE_MARKER_PATH}`, {
+    quiet: true,
+  });
+  let marker: RemoteStateMarker | null = null;
+  if (markerRaw.exitCode === 0) {
+    try {
+      marker = JSON.parse(markerRaw.stdout) as RemoteStateMarker;
+    } catch {
+      marker = null;
+    }
+  }
+
+  return { kind: "ready", runningEnvs: running, marker };
+}
+
+/** Write the state marker file on the remote host. */
+export async function writeStateMarker(
+  target: DeployTarget,
+  marker: RemoteStateMarker,
+): Promise<void> {
+  const json = JSON.stringify(marker, null, 2);
+  // Heredoc avoids any shell escaping surprises with the JSON content.
+  await assertExec(
+    target,
+    `sudo tee ${STATE_MARKER_PATH} > /dev/null <<'JSON'\n${json}\nJSON`,
+  );
+}

package/src/deploy/remote-sync.ts

@@ -0,0 +1,202 @@
+import { existsSync, readFileSync } from "fs";
+import { join, relative } from "path";
+import type { BuildManifest, ModuleDescriptor } from "@arcote.tech/platform";
+import type { DeployConfig } from "./config";
+import { openTunnel, rsyncDir, scpUpload } from "./ssh";
+import type { WorkspaceInfo } from "../platform/shared";
+
+// ---------------------------------------------------------------------------
+// Hot-swap logic.
+//
+// Flow per env:
+//  1. rsync the whole project directory to /opt/arc/<env>/ so the running
+//     container's /app volume sees new code. (This is the authoritative
+//     source — node_modules, package.json, .arc/platform/ all live here.)
+//  2. Open an SSH tunnel to the Caddy loopback listener (127.0.0.1:2019).
+//  3. GET /env/<env>/api/deploy/manifest → remote BuildManifest.
+//  4. diffManifests(local, remote) → list of changed module files + shell/styles flags.
+//  5. POST each changed module (+ shell + styles) as multipart uploads.
+//  6. POST the new manifest to /api/deploy/manifest — server writes
+//     manifest.json and SSE-notifies clients to reimport.
+//
+// Because rsync in step 1 already moved the bytes, the POSTs are redundant
+// for disk writes — but they force the running server to pick up new hashes
+// and push an SSE event so connected browser clients reload without F5.
+// ---------------------------------------------------------------------------
+
+export interface SyncInputs {
+  cfg: DeployConfig;
+  env: string;
+  ws: WorkspaceInfo;
+  /** Path to the project root. */
+  projectDir: string;
+}
+
+export interface SyncOutcome {
+  env: string;
+  changedModules: readonly string[];
+  shellChanged: boolean;
+  stylesChanged: boolean;
+}
+
+// ---------------------------------------------------------------------------
+// Pure diff — exported for tests
+// ---------------------------------------------------------------------------
+
+export interface ManifestDiff {
+  changedModules: ModuleDescriptor[];
+  shellChanged: boolean;
+  stylesChanged: boolean;
+}
+
+export function diffManifests(
+  local: BuildManifest,
+  remote: BuildManifest,
+): ManifestDiff {
+  const remoteByName = new Map(remote.modules.map((m) => [m.name, m]));
+  const changedModules = local.modules.filter(
+    (m) => remoteByName.get(m.name)?.hash !== m.hash,
+  );
+  return {
+    changedModules: [...changedModules],
+    shellChanged: local.shellHash !== remote.shellHash,
+    stylesChanged: local.stylesHash !== remote.stylesHash,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Sync driver
+// ---------------------------------------------------------------------------
+
+export async function syncEnv(inputs: SyncInputs): Promise<SyncOutcome> {
+  const { cfg, env, ws, projectDir } = inputs;
+  const envConfig = cfg.envs[env];
+  if (!envConfig) throw new Error(`Unknown env: ${env}`);
+
+  // 1. Rsync the project to the host. Excludes dev-only dirs.
+  const remotePath = `${cfg.target.remoteDir}/${env}`;
+  await rsyncDir(cfg.target, projectDir, remotePath);
+
+  // 2. Read local manifest
+  const localManifestPath = join(ws.modulesDir, "manifest.json");
+  if (!existsSync(localManifestPath)) {
+    throw new Error(
+      `Local build missing at ${localManifestPath}. Run arc platform build first.`,
+    );
+  }
+  const localManifest = JSON.parse(
+    readFileSync(localManifestPath, "utf-8"),
+  ) as BuildManifest;
+
+  // 3. Open SSH tunnel to Caddy's loopback admin listener
+  const localPort = 15500 + hashEnvToOffset(env);
+  const tunnel = await openTunnel(cfg.target, localPort, "127.0.0.1", 2019);
+
+  try {
+    const base = `http://127.0.0.1:${localPort}/env/${env}`;
+
+    // 4. Fetch remote manifest
+    const remoteManifestRes = await fetch(`${base}/api/deploy/manifest`);
+    if (!remoteManifestRes.ok) {
+      throw new Error(
+        `Failed to fetch remote manifest: ${remoteManifestRes.status}`,
+      );
+    }
+    const remoteManifest = (await remoteManifestRes.json()) as BuildManifest;
+
+    const diff = diffManifests(localManifest, remoteManifest);
+
+    // 5. Upload shell (if changed) — contains every file under .arc/platform/shell
+    if (diff.shellChanged) {
+      const shellFiles = collectFiles(ws.shellDir);
+      const form = new FormData();
+      for (const absPath of shellFiles) {
+        const rel = relative(ws.shellDir, absPath);
+        form.append(rel, new Blob([readFileSync(absPath)]), rel);
+      }
+      const res = await fetch(`${base}/api/deploy/shell`, {
+        method: "POST",
+        body: form,
+      });
+      if (!res.ok)
+        throw new Error(`Shell upload failed: ${res.status} ${await res.text()}`);
+    }
+
+    // 5b. Upload changed styles files alongside shell request if styles changed
+    if (diff.stylesChanged) {
+      const form = new FormData();
+      for (const name of ["styles.css", "theme.css"] as const) {
+        const p = join(ws.arcDir, name);
+        if (existsSync(p)) {
+          form.append(name, new Blob([readFileSync(p)]), name);
+        }
+      }
+      const res = await fetch(`${base}/api/deploy/shell`, {
+        method: "POST",
+        body: form,
+      });
+      if (!res.ok)
+        throw new Error(`Styles upload failed: ${res.status} ${await res.text()}`);
+    }
+
+    // 5c. Upload changed modules
+    if (diff.changedModules.length > 0) {
+      const form = new FormData();
+      for (const mod of diff.changedModules) {
+        const p = join(ws.modulesDir, mod.file);
+        form.append(mod.file, new Blob([readFileSync(p)]), mod.file);
+      }
+      const res = await fetch(`${base}/api/deploy/modules`, {
+        method: "POST",
+        body: form,
+      });
+      if (!res.ok)
+        throw new Error(
+          `Modules upload failed: ${res.status} ${await res.text()}`,
+        );
+    }
+
+    // 6. Post the new manifest so the server flips getManifest() + SSE
+    const res = await fetch(`${base}/api/deploy/manifest`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(localManifest),
+    });
+    if (!res.ok)
+      throw new Error(
+        `Manifest update failed: ${res.status} ${await res.text()}`,
+      );
+
+    return {
+      env,
+      changedModules: diff.changedModules.map((m) => m.name),
+      shellChanged: diff.shellChanged,
+      stylesChanged: diff.stylesChanged,
+    };
+  } finally {
+    tunnel.close();
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+function collectFiles(dir: string): string[] {
+  if (!existsSync(dir)) return [];
+  const { readdirSync } = require("fs") as typeof import("fs");
+  const out: string[] = [];
+  for (const entry of readdirSync(dir, { withFileTypes: true })) {
+    const p = join(dir, entry.name);
+    if (entry.isDirectory()) out.push(...collectFiles(p));
+    else if (entry.isFile()) out.push(p);
+  }
+  return out;
+}
+
+/** Deterministic per-env tunnel port offset so parallel syncs don't collide. */
+function hashEnvToOffset(env: string): number {
+  let h = 0;
+  for (const ch of env) h = (h * 31 + ch.charCodeAt(0)) >>> 0;
+  return h % 100;
+}