@arcote.tech/arc-cli 0.5.2 → 0.5.5

package/src/deploy/ssh.ts

@@ -0,0 +1,246 @@
+import { spawn } from "bun";
+import type { DeployTarget } from "./config";
+
+/** Convert a Bun subprocess stream (which may be a ReadableStream or undefined) to string. */
+async function streamToString(
+  stream: ReadableStream<Uint8Array> | number | undefined,
+): Promise<string> {
+  if (!stream || typeof stream === "number") return "";
+  return new Response(stream as ReadableStream<Uint8Array>).text();
+}
+
+// ---------------------------------------------------------------------------
+// Thin wrappers over system ssh / scp / rsync via Bun.spawn.
+// Zero JS crypto dependencies — uses ssh-agent / ~/.ssh/config on the host.
+// ---------------------------------------------------------------------------
+
+export interface SshExecResult {
+  stdout: string;
+  stderr: string;
+  exitCode: number;
+}
+
+function baseSshArgs(target: DeployTarget): string[] {
+  const args = [
+    "-o",
+    "BatchMode=yes",
+    "-o",
+    "StrictHostKeyChecking=accept-new",
+    "-p",
+    String(target.port),
+  ];
+  if (target.sshKey) args.push("-i", target.sshKey);
+  return args;
+}
+
+/**
+ * Run a command on the remote host. Captures stdout/stderr. Does NOT throw
+ * on non-zero exit — callers decide. Use `assertExec` for strict mode.
+ */
+export async function sshExec(
+  target: DeployTarget,
+  cmd: string,
+  opts: { stdin?: Uint8Array | string; quiet?: boolean } = {},
+): Promise<SshExecResult> {
+  const args = [
+    ...baseSshArgs(target),
+    `${target.user}@${target.host}`,
+    "--",
+    cmd,
+  ];
+  const proc = spawn({
+    cmd: ["ssh", ...args],
+    stdin: opts.stdin ? "pipe" : "ignore",
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  if (opts.stdin && proc.stdin) {
+    const data =
+      typeof opts.stdin === "string"
+        ? new TextEncoder().encode(opts.stdin)
+        : opts.stdin;
+    await (proc.stdin as any).write(data);
+    await (proc.stdin as any).end?.();
+  }
+  const [stdout, stderr, exitCode] = await Promise.all([
+    streamToString(proc.stdout),
+    streamToString(proc.stderr),
+    proc.exited,
+  ]);
+  if (!opts.quiet && exitCode !== 0) {
+    process.stderr.write(stderr);
+  }
+  return { stdout, stderr, exitCode };
+}
+
+export async function assertExec(
+  target: DeployTarget,
+  cmd: string,
+): Promise<string> {
+  const res = await sshExec(target, cmd);
+  if (res.exitCode !== 0) {
+    throw new Error(
+      `SSH command failed (exit ${res.exitCode}): ${cmd}\n${res.stderr}`,
+    );
+  }
+  return res.stdout;
+}
+
+/** True if ssh can reach the host and authenticate. */
+export async function canSsh(target: DeployTarget): Promise<boolean> {
+  const res = await sshExec(target, "true", { quiet: true });
+  return res.exitCode === 0;
+}
+
+/** Wait up to `timeoutMs` for SSH to become available. */
+export async function waitForSsh(
+  target: DeployTarget,
+  opts: { timeoutMs?: number; intervalMs?: number } = {},
+): Promise<void> {
+  const timeout = opts.timeoutMs ?? 300_000; // 5 min
+  const interval = opts.intervalMs ?? 10_000; // 10s
+  const start = Date.now();
+  while (Date.now() - start < timeout) {
+    if (await canSsh(target)) return;
+    await Bun.sleep(interval);
+  }
+  throw new Error(`Timed out waiting for SSH on ${target.user}@${target.host}`);
+}
+
+/**
+ * Upload a single file to the remote host via scp.
+ */
+export async function scpUpload(
+  target: DeployTarget,
+  localPath: string,
+  remotePath: string,
+): Promise<void> {
+  const args = [
+    "-o",
+    "BatchMode=yes",
+    "-o",
+    "StrictHostKeyChecking=accept-new",
+    "-P",
+    String(target.port),
+  ];
+  if (target.sshKey) args.push("-i", target.sshKey);
+  args.push(localPath, `${target.user}@${target.host}:${remotePath}`);
+
+  const proc = spawn({ cmd: ["scp", ...args], stderr: "pipe" });
+  const [stderr, exitCode] = await Promise.all([
+    streamToString(proc.stderr),
+    proc.exited,
+  ]);
+  if (exitCode !== 0) {
+    throw new Error(`scp failed (${exitCode}): ${stderr}`);
+  }
+}
+
+/**
+ * Rsync a directory to the remote host (preserving permissions, deleting stale files).
+ *
+ * `-L` dereferences symlinks on the source side. This is essential because Arc
+ * projects typically use `bun link` for framework packages — `node_modules/@arcote.tech/*`
+ * and workspace `@ndt/*` packages are symlinks pointing at paths that don't
+ * exist on the remote host. Without `-L`, rsync copies them as dangling
+ * symlinks and the container can't resolve `node_modules/.bin/arc`.
+ */
+export async function rsyncDir(
+  target: DeployTarget,
+  localDir: string,
+  remoteDir: string,
+  opts: { delete?: boolean } = {},
+): Promise<void> {
+  const sshCmdParts = ["ssh", "-p", String(target.port)];
+  if (target.sshKey) sshCmdParts.push("-i", target.sshKey);
+  const sshCmd = sshCmdParts.join(" ");
+
+  const args: string[] = ["-azL", "-e", sshCmd];
+  if (opts.delete) args.push("--delete");
+  // Trailing slash: sync contents, not the dir itself
+  const src = localDir.endsWith("/") ? localDir : `${localDir}/`;
+  args.push(src, `${target.user}@${target.host}:${remoteDir}`);
+
+  const proc = spawn({
+    cmd: ["rsync", ...args],
+    stderr: "pipe",
+    stdout: "pipe",
+  });
+  const [stderr, exitCode] = await Promise.all([
+    streamToString(proc.stderr),
+    proc.exited,
+  ]);
+  if (exitCode !== 0) {
+    throw new Error(`rsync failed (${exitCode}): ${stderr}`);
+  }
+}
+
+/**
+ * Open an SSH -L tunnel. Returns a Disposable-like object with `.close()`.
+ * Caller MUST call close() (or use `using` in Bun) to release the tunnel.
+ */
+export interface SshTunnel {
+  localPort: number;
+  close(): void;
+}
+
+export async function openTunnel(
+  target: DeployTarget,
+  localPort: number,
+  remoteHost: string,
+  remotePort: number,
+): Promise<SshTunnel> {
+  const args = [
+    ...baseSshArgs(target),
+    "-N",
+    "-L",
+    `${localPort}:${remoteHost}:${remotePort}`,
+    `${target.user}@${target.host}`,
+  ];
+  const proc = spawn({
+    cmd: ["ssh", ...args],
+    stdin: "ignore",
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  // Wait briefly for the tunnel to establish. ssh prints nothing on success
+  // with -N, so we poll a TCP connect on localPort.
+  const deadline = Date.now() + 10_000;
+  let lastErr: unknown;
+  while (Date.now() < deadline) {
+    if (proc.exitCode !== null) {
+      const stderr = await streamToString(proc.stderr);
+      throw new Error(`ssh tunnel exited early: ${stderr}`);
+    }
+    try {
+      const probe = await Bun.connect({
+        hostname: "127.0.0.1",
+        port: localPort,
+        socket: { data() {}, open() {}, close() {}, error() {} },
+      });
+      probe.end();
+      return {
+        localPort,
+        close() {
+          try {
+            proc.kill();
+          } catch {
+            // ignore
+          }
+        },
+      };
+    } catch (e) {
+      lastErr = e;
+      await Bun.sleep(200);
+    }
+  }
+  try {
+    proc.kill();
+  } catch {
+    // ignore
+  }
+  throw new Error(
+    `Failed to establish SSH tunnel on localhost:${localPort}: ${String(lastErr)}`,
+  );
+}
+

package/src/deploy/survey.ts

@@ -0,0 +1,172 @@
+import * as clack from "@clack/prompts";
+import type {
+  DeployConfig,
+  DeployEnv,
+  DeployProvision,
+  DeployProvisionTerraform,
+} from "./config";
+
+// ---------------------------------------------------------------------------
+// Interactive init for deploy.arc.json. Grouped into minimal phases:
+//   1) Target server
+//   2) Environments
+//   3) Optional provisioning (Terraform)
+//   4) Caddy email
+// Returns a validated DeployConfig ready to save. On Ctrl-C, exits the process.
+// ---------------------------------------------------------------------------
+
+export async function runSurvey(): Promise<DeployConfig> {
+  clack.intro("arc platform deploy — initial setup");
+
+  // Phase 1: mode
+  const mode = (await clack.select({
+    message: "How should deploy reach the target server?",
+    options: [
+      {
+        value: "existing",
+        label: "Use an existing server (I have SSH access)",
+      },
+      {
+        value: "provision",
+        label: "Provision a new server via Terraform (Hetzner Cloud)",
+      },
+    ],
+    initialValue: "existing",
+  })) as string;
+  if (clack.isCancel(mode)) cancel();
+
+  // Phase 2: target
+  const host = (await clack.text({
+    message:
+      mode === "provision"
+        ? "Alias for the server (leave blank — will be filled after terraform apply)"
+        : "SSH host (IP or alias from ~/.ssh/config)",
+    placeholder: mode === "provision" ? "auto" : "example.com or 1.2.3.4",
+    validate: (v) => {
+      if (mode === "provision") return undefined;
+      if (!v || v.length === 0) return "Host is required";
+      return undefined;
+    },
+  })) as string;
+  if (clack.isCancel(host)) cancel();
+
+  const user = (await clack.text({
+    message: "SSH user",
+    initialValue: "deploy",
+    validate: (v) =>
+      /^[a-z_][a-z0-9_-]*$/.test(v) ? undefined : "Invalid username",
+  })) as string;
+  if (clack.isCancel(user)) cancel();
+
+  const portRaw = (await clack.text({
+    message: "SSH port",
+    initialValue: "22",
+    validate: (v) => {
+      const n = Number(v);
+      return Number.isInteger(n) && n > 0 && n < 65536
+        ? undefined
+        : "Must be a port number";
+    },
+  })) as string;
+  if (clack.isCancel(portRaw)) cancel();
+  const port = Number(portRaw);
+
+  // Phase 3: environments
+  const envs: Record<string, DeployEnv> = {};
+  let more = true;
+  while (more) {
+    const name = (await clack.text({
+      message: `Environment name (lowercase, e.g. "prod", "staging")`,
+      initialValue: Object.keys(envs).length === 0 ? "prod" : "staging",
+      validate: (v) => {
+        if (!/^[a-z][a-z0-9-]*$/.test(v)) return "Must match [a-z][a-z0-9-]*";
+        if (envs[v]) return "Already defined";
+        return undefined;
+      },
+    })) as string;
+    if (clack.isCancel(name)) cancel();
+
+    const domain = (await clack.text({
+      message: `Domain for "${name}" (Caddy will route by Host header)`,
+      placeholder: `${name === "prod" ? "app" : name}.example.com`,
+      validate: (v) =>
+        /^[a-z0-9.-]+\.[a-z]{2,}$/i.test(v)
+          ? undefined
+          : "Expected a domain like app.example.com",
+    })) as string;
+    if (clack.isCancel(domain)) cancel();
+
+    envs[name] = { domain };
+
+    const addAnother = (await clack.confirm({
+      message: "Add another environment?",
+      initialValue: false,
+    })) as boolean;
+    if (clack.isCancel(addAnother)) cancel();
+    more = addAnother;
+  }
+
+  // Phase 4: provisioning (only if user chose it)
+  let provision: DeployProvision | undefined;
+  if (mode === "provision") {
+    const tokenEnv = (await clack.text({
+      message: "Name of env var holding your Hetzner Cloud API token",
+      initialValue: "HCLOUD_TOKEN",
+      validate: (v) =>
+        /^[A-Z_][A-Z0-9_]*$/.test(v) ? undefined : "Must be SCREAMING_SNAKE_CASE",
+    })) as string;
+    if (clack.isCancel(tokenEnv)) cancel();
+
+    const serverType = (await clack.text({
+      message: "Hetzner server type",
+      initialValue: "cx32",
+    })) as string;
+    if (clack.isCancel(serverType)) cancel();
+
+    const location = (await clack.text({
+      message: "Hetzner datacenter location",
+      initialValue: "nbg1",
+    })) as string;
+    if (clack.isCancel(location)) cancel();
+
+    const terraform: DeployProvisionTerraform = {
+      provider: "hcloud",
+      serverType,
+      location,
+      image: "ubuntu-22.04",
+      tokenEnv,
+    };
+    provision = { terraform };
+  }
+
+  // Phase 5: Caddy email
+  const email = (await clack.text({
+    message: `Email for Let's Encrypt (use "internal" for self-signed certs)`,
+    placeholder: "admin@example.com",
+    validate: (v) => {
+      if (v === "internal") return undefined;
+      if (!/^\S+@\S+\.\S+$/.test(v)) return "Expected an email or 'internal'";
+      return undefined;
+    },
+  })) as string;
+  if (clack.isCancel(email)) cancel();
+
+  clack.outro("Configuration ready — writing deploy.arc.json");
+
+  return {
+    target: {
+      host: host || "PENDING_TERRAFORM",
+      user,
+      port,
+      remoteDir: "/opt/arc",
+    },
+    envs,
+    caddy: { email },
+    provision,
+  };
+}
+
+function cancel(): never {
+  clack.cancel("Cancelled.");
+  process.exit(0);
+}

package/src/deploy/terraform.ts

@@ -0,0 +1,109 @@
+import { spawn } from "bun";
+import { existsSync, mkdirSync, writeFileSync } from "fs";
+import { tmpdir } from "os";
+import { join } from "path";
+import { ASSETS, materializeAssets } from "./assets";
+import type { DeployProvisionTerraform } from "./config";
+
+// ---------------------------------------------------------------------------
+// Runs Terraform from embedded assets. Inputs are passed via a generated
+// terraform.tfvars file in the temp working dir — nothing touches the user's
+// project directory.
+// ---------------------------------------------------------------------------
+
+export interface TerraformInputs {
+  tf: DeployProvisionTerraform;
+  /** Resolved Hetzner token (read from env var by caller — NOT from tf). */
+  token: string;
+  /** Deterministic server name shown in Hetzner Console. */
+  serverName: string;
+}
+
+export interface TerraformOutputs {
+  serverIp: string;
+  serverName: string;
+  /** Working dir where state + vars live — caller may keep or delete. */
+  workDir: string;
+}
+
+export async function runTerraform(
+  inputs: TerraformInputs,
+): Promise<TerraformOutputs> {
+  const workDir = join(tmpdir(), "arc-deploy", `tf-${Date.now()}`);
+  mkdirSync(workDir, { recursive: true });
+  await materializeAssets(workDir, ASSETS.terraform);
+
+  // Write tfvars — NEVER put token inline in main.tf
+  const sshPubKey =
+    inputs.tf.sshPublicKey ?? expandHome("~/.ssh/id_ed25519.pub");
+  if (!existsSync(expandHome(sshPubKey))) {
+    throw new Error(
+      `SSH public key not found at ${sshPubKey}. Set provision.terraform.sshPublicKey in deploy.arc.json.`,
+    );
+  }
+
+  const tfvars =
+    [
+      `hcloud_token = "${inputs.token}"`,
+      `server_name = "${inputs.serverName}"`,
+      `server_type = "${inputs.tf.serverType}"`,
+      `server_location = "${inputs.tf.location}"`,
+      `server_image = "${inputs.tf.image}"`,
+      `ssh_public_key = "${expandHome(sshPubKey)}"`,
+    ].join("\n") + "\n";
+
+  writeFileSync(join(workDir, "terraform.tfvars"), tfvars);
+
+  await runTf(workDir, ["init", "-input=false", "-no-color"]);
+  await runTf(workDir, [
+    "apply",
+    "-auto-approve",
+    "-input=false",
+    "-no-color",
+  ]);
+  const ip = await runTfCapture(workDir, [
+    "output",
+    "-raw",
+    "server_ip",
+    "-no-color",
+  ]);
+
+  return { serverIp: ip.trim(), serverName: inputs.serverName, workDir };
+}
+
+async function runTf(workDir: string, args: string[]): Promise<void> {
+  const proc = spawn({
+    cmd: ["terraform", ...args],
+    cwd: workDir,
+    stdout: "inherit",
+    stderr: "inherit",
+  });
+  const exit = await proc.exited;
+  if (exit !== 0) {
+    throw new Error(`terraform ${args[0]} failed (exit ${exit})`);
+  }
+}
+
+async function runTfCapture(workDir: string, args: string[]): Promise<string> {
+  const proc = spawn({
+    cmd: ["terraform", ...args],
+    cwd: workDir,
+    stdout: "pipe",
+    stderr: "pipe",
+  });
+  const [stdout, exit] = await Promise.all([
+    new Response(proc.stdout).text(),
+    proc.exited,
+  ]);
+  if (exit !== 0) {
+    throw new Error(`terraform ${args[0]} failed (exit ${exit})`);
+  }
+  return stdout;
+}
+
+function expandHome(p: string): string {
+  if (p.startsWith("~/")) {
+    return p.replace(/^~/, process.env.HOME ?? "~");
+  }
+  return p;
+}

package/src/index.ts

@@ -4,6 +4,7 @@ import { Command } from "commander";
 import { build } from "./commands/build";
 import { dev } from "./commands/dev";
 import { platformBuild } from "./commands/platform-build";
+import { platformDeploy } from "./commands/platform-deploy";
 import { platformDev } from "./commands/platform-dev";
 import { platformStart } from "./commands/platform-start";
 
@@ -44,6 +45,17 @@ platform
   .description("Start platform in production mode (requires prior build)")
   .action(platformStart);
 
+platform
+  .command("deploy [env]")
+  .description(
+    "Deploy platform to a remote server (reads deploy.arc.json, surveys if missing)",
+  )
+  .option("--skip-build", "Skip local build step")
+  .option("--rebuild", "Force rebuild before deploy")
+  .action((env: string | undefined, opts: { skipBuild?: boolean; rebuild?: boolean }) =>
+    platformDeploy(env, opts),
+  );
+
 // Parse command line arguments
 program.parse(process.argv);