@arcote.tech/arc-cli 0.6.2 → 0.7.1

package/src/commands/platform-deploy.ts

@@ -1,13 +1,16 @@
 import { existsSync, readFileSync } from "fs";
 import { dirname, join } from "path";
+import { fileURLToPath } from "url";
 import { bootstrap } from "../deploy/bootstrap";
 import {
   deployConfigExists,
   loadDeployConfig,
   saveDeployConfig,
 } from "../deploy/config";
+import { updateEnvDeployment } from "../deploy/deploy-env";
+import { buildImage, sanitizeImageName } from "../deploy/image";
 import { detectRemoteState } from "../deploy/remote-state";
-import { syncEnv } from "../deploy/remote-sync";
+import { dockerLogin, dockerPush } from "../deploy/registry";
 import { runSurvey } from "../deploy/survey";
 import {
   buildAll,
@@ -15,6 +18,7 @@ import {
   log,
   ok,
   resolveWorkspace,
+  type WorkspaceInfo,
 } from "../platform/shared";
 
 interface PlatformDeployOptions {
@@ -24,17 +28,34 @@ interface PlatformDeployOptions {
   skipBuild?: boolean;
   /** Force rebuild before deploy. */
   rebuild?: boolean;
+  /** Build the Docker image locally, then exit. Does NOT touch the remote. */
+  buildOnly?: boolean;
+  /**
+   * Rollback / pin to a specific image tag. Skips build + push, only updates
+   * /opt/arc/.env on the host and triggers `docker compose pull/up`.
+   * Format: bare content hash (e.g. `abc123def456`) or full ref.
+   */
+  imageTag?: string;
+  /**
+   * Force the Ansible host-bootstrap step to run even when the marker says
+   * the host is already configured. Default behavior skips Ansible whenever
+   * the server is reachable and has Docker — use this after editing the
+   * embedded playbook or to recover from a corrupted host config.
+   */
+  forceBootstrap?: boolean;
 }
 
 // ---------------------------------------------------------------------------
-// Entry point for `arc platform deploy [env] [--skip-build] [--rebuild]`.
+// Entry point for `arc platform deploy [env]`.
 //
-// High-level flow:
+// Flow:
 //   1. resolveWorkspace
-//   2. load or survey deploy.arc.json
-//   3. ensure local build (buildAll unless --skip-build)
-//   4. detectRemoteState → bootstrap if needed
-//   5. for each env (or the one passed as arg): syncEnv
+//   2. Load or survey deploy.arc.json
+//   3. Ensure local build (buildAll unless --skip-build)
+//   4. Build Docker image (or accept --image-tag for rollback)
+//   5. dockerLogin + dockerPush
+//   6. Detect remote state → bootstrap if needed
+//   7. For each env: updateEnvDeployment (atomic .env line + pull + up + health)
 // ---------------------------------------------------------------------------
 
 export async function platformDeploy(
@@ -63,59 +84,92 @@ export async function platformDeploy(
         })()
     : Object.keys(cfg.envs);
 
-  // 2. Ensure local build
-  const manifestPath = join(ws.modulesDir, "manifest.json");
-  const needBuild = options.rebuild || !existsSync(manifestPath);
-  if (needBuild && !options.skipBuild) {
-    log("Building platform...");
-    await buildAll(ws, { noCache: options.rebuild });
-    ok("Build complete");
-  } else if (!existsSync(manifestPath)) {
-    err("No build found and --skip-build was set.");
-    process.exit(1);
+  // 2. Ensure local build (unless --image-tag rollback skips build+push entirely)
+  const manifestPath = join(ws.arcDir, "manifest.json");
+  if (!options.imageTag) {
+    const needBuild = options.rebuild || !existsSync(manifestPath);
+    if (needBuild && !options.skipBuild) {
+      log("Building platform...");
+      await buildAll(ws, { noCache: options.rebuild });
+      ok("Build complete");
+    } else if (!existsSync(manifestPath)) {
+      err("No build found and --skip-build was set.");
+      process.exit(1);
+    }
+  }
+
+  // 3. Build the image locally. Push happens AFTER bootstrap so the registry
+  // container exists when we try to push to it (chicken-and-egg otherwise).
+  const imageName = sanitizeImageName(ws.rootPkg.name ?? ws.appName);
+  let fullRef: string;
+  let contentHash: string;
+
+  if (options.imageTag) {
+    contentHash = options.imageTag.includes(":")
+      ? options.imageTag.split(":").pop()!
+      : options.imageTag;
+    fullRef = `${cfg.registry.domain}/${imageName}:${contentHash}`;
+    log(`Pinning to existing image ${fullRef} (skipping build + push)`);
+  } else {
+    log(`Building Docker image ${imageName}...`);
+    const result = await buildImage(ws, {
+      imageName,
+      registryDomain: cfg.registry.domain,
+    });
+    fullRef = result.fullRef;
+    contentHash = result.contentHash;
+    ok(`Image built: ${fullRef}`);
+
+    // 3b. --build-only: produce image, log, exit before push/deploy.
+    if (options.buildOnly) {
+      log(`contentHash: ${contentHash}`);
+      return;
+    }
   }
 
-  // 3. Detect remote state
+  // 4. Detect remote state + bootstrap. This brings up caddy + registry on
+  // first deploy (and regenerates the stack if config changed). MUST run
+  // before dockerLogin/dockerPush — without registry container + Caddy vhost
+  // for it, dockerLogin would TLS-fail.
   log("Inspecting remote server...");
   const state = await detectRemoteState(cfg);
   log(`Remote state: ${state.kind}`);
 
-  // 4. Bootstrap if needed
   const cliVersion = readCliVersion();
   const configHash = await hashDeployConfig(ws.rootDir);
-  if (state.kind !== "ready") {
-    await bootstrap({
-      cfg,
-      rootDir: ws.rootDir,
-      state,
-      cliVersion,
-      configHash,
-    });
+  await bootstrap({
+    cfg,
+    rootDir: ws.rootDir,
+    state,
+    cliVersion,
+    configHash,
+    forceAnsible: options.forceBootstrap,
+  });
+
+  // 5. Push the image to the now-running registry.
+  if (!options.imageTag) {
+    log(`Logging in to ${cfg.registry.domain}...`);
+    await dockerLogin(cfg.registry);
+    log(`Pushing ${fullRef}...`);
+    await dockerPush(fullRef);
+    ok("Image pushed");
   }
 
-  // 5. Sync each env
+  // 6. Update each env — atomic /opt/arc/.env line + pull + up + health
   for (const env of targetEnvs) {
-    log(`Syncing env "${env}"...`);
-    const outcome = await syncEnv({
+    log(`Updating env "${env}"...`);
+    const outcome = await updateEnvDeployment({
+      target: cfg.target,
       cfg,
       env,
-      ws,
-      projectDir: ws.rootDir,
+      fullRef,
     });
-    if (
-      outcome.changedModules.length === 0 &&
-      !outcome.shellChanged &&
-      !outcome.stylesChanged
-    ) {
-      ok(`${env}: already up to date`);
+    if (outcome.redeployed) {
+      ok(`${env}: live at ${fullRef}`);
     } else {
-      const parts: string[] = [];
-      if (outcome.changedModules.length > 0) {
-        parts.push(`${outcome.changedModules.length} module(s): ${outcome.changedModules.join(", ")}`);
-      }
-      if (outcome.shellChanged) parts.push("shell");
-      if (outcome.stylesChanged) parts.push("styles");
-      ok(`${env}: updated ${parts.join(", ")}`);
+      err(
+        `${env}: deployed but health check did not pass within retries — check \`docker logs arc-${env}\``,
+      );
     }
   }
 }
@@ -124,30 +178,33 @@ export async function platformDeploy(
 // Helpers
 // ---------------------------------------------------------------------------
 
+/**
+ * Read the arc-cli package version by walking up from this file until we
+ * find a package.json with `name: "@arcote.tech/arc-cli"`. Source and
+ * bundled layouts have different depths (source: src/commands/, bundle:
+ * dist/), so a fixed `..` count doesn't work — walk until we hit the
+ * canonical manifest.
+ */
 function readCliVersion(): string {
-  // import.meta.dir gets mangled by `bun build` — derive from process.argv[1]
-  // (the bundled dist/index.js path) which is stable across run modes.
-  const candidates: string[] = [];
-  const entry = process.argv[1];
-  if (entry) {
-    candidates.push(join(dirname(entry), "..", "package.json"));
-  }
   try {
-    candidates.push(join(import.meta.dir, "..", "..", "package.json"));
-  } catch {
-    // import.meta.dir unavailable
-  }
-  for (const path of candidates) {
-    try {
-      const pkg = JSON.parse(readFileSync(path, "utf-8"));
-      if (pkg.name === "@arcote.tech/arc-cli" && pkg.version) {
-        return pkg.version as string;
+    let cur = dirname(fileURLToPath(import.meta.url));
+    const root = dirname(cur).startsWith("/") ? "/" : ".";
+    while (cur !== root && cur !== "") {
+      const candidate = join(cur, "package.json");
+      if (existsSync(candidate)) {
+        const pkg = JSON.parse(readFileSync(candidate, "utf-8"));
+        if (pkg.name === "@arcote.tech/arc-cli") {
+          return pkg.version ?? "unknown";
+        }
       }
-    } catch {
-      // Try next
+      const parent = dirname(cur);
+      if (parent === cur) break;
+      cur = parent;
     }
+    return "unknown";
+  } catch {
+    return "unknown";
   }
-  return "unknown";
 }
 
 async function hashDeployConfig(rootDir: string): Promise<string> {

package/src/commands/platform-dev.ts

@@ -1,103 +1,14 @@
-import { existsSync, watch } from "fs";
-import { join } from "path";
-import { startPlatformServer } from "../platform/server";
-import {
-  buildAll,
-  collectArcPeerDeps,
-  loadServerContext,
-  log,
-  ok,
-  resolveWorkspace,
-} from "../platform/shared";
+import { startPlatform } from "../platform/startup";
+import { resolveWorkspace } from "../platform/shared";
 
-export async function platformDev(opts: { noCache?: boolean } = {}): Promise<void> {
+/** `arc platform dev` — dev mode (watcher + SSE reload + no-cache headers). */
+export async function platformDev(
+  opts: { noCache?: boolean } = {},
+): Promise<void> {
   const ws = resolveWorkspace();
-  const port = 5005;
-
-  // Initial build — `--no-cache` (if passed) only forces the startup pass;
-  // subsequent rebuilds always respect the cache to keep dev incremental.
-  let manifest = await buildAll(ws, { noCache: opts.noCache });
-
-  log("Loading server context...");
-  const { context, moduleAccess } = await loadServerContext(ws.packages);
-  if (context) {
-    ok("Context loaded");
-  } else {
-    log("No context — server endpoints skipped");
-  }
-
-  const arcEntries = collectArcPeerDeps(ws.packages);
-  const platform = await startPlatformServer({
-    ws,
-    port,
-    manifest,
-    context,
-    moduleAccess,
-    dbPath: join(ws.rootDir, ".arc", "data", "dev.db"),
-    devMode: true,
-    arcEntries,
-  });
-
-  ok(`Server on http://localhost:${port}`);
-  if (platform.contextHandler) ok("Commands, queries, WebSocket — all on same port");
-
-  // Watch for changes — full buildAll on debounce; cache makes it cheap when
-  // only one package changed.
-  log("Watching for changes...");
-  let rebuildTimer: ReturnType<typeof setTimeout> | null = null;
-  let isRebuilding = false;
-
-  const triggerRebuild = () => {
-    if (rebuildTimer) clearTimeout(rebuildTimer);
-    rebuildTimer = setTimeout(async () => {
-      if (isRebuilding) return;
-      isRebuilding = true;
-      log("Rebuilding...");
-      try {
-        manifest = await buildAll(ws);
-        platform.setManifest(manifest);
-        platform.notifyReload(manifest);
-        ok(`Rebuilt — ${manifest.modules.length} module(s)`);
-      } catch (e) {
-        console.error(`Rebuild failed: ${e}`);
-      } finally {
-        isRebuilding = false;
-      }
-    }, 300);
-  };
-
-  for (const pkg of ws.packages) {
-    const srcDir = join(pkg.path, "src");
-    if (!existsSync(srcDir)) continue;
-
-    watch(srcDir, { recursive: true }, (_event, filename) => {
-      if (
-        !filename ||
-        filename.includes(".arc") ||
-        filename.endsWith(".d.ts") ||
-        filename.includes("node_modules") ||
-        filename.includes("dist")
-      ) return;
-
-      if (!filename.endsWith(".ts") && !filename.endsWith(".tsx")) return;
-
-      triggerRebuild();
-    });
-  }
-
-  // .po files — trigger rebuild so the `translations` cache unit picks them up.
-  const localesDir = join(ws.rootDir, "locales");
-  if (existsSync(localesDir)) {
-    watch(localesDir, { recursive: false }, (_event, filename) => {
-      if (!filename?.endsWith(".po")) return;
-      triggerRebuild();
-    });
-  }
-
-  const cleanup = () => {
-    platform.stop();
-    process.exit(0);
-  };
-  process.on("SIGTERM", cleanup);
-  process.on("SIGINT", cleanup);
+  // noCache is consumed by buildAll inside startPlatform when devMode=true.
+  // For now the dev startup always uses the cache after the first build;
+  // explicit --no-cache here only matters if we wire it through later.
+  void opts;
+  await startPlatform({ ws, devMode: true });
 }

package/src/commands/platform-start.ts

@@ -1,94 +1,8 @@
-import { existsSync, readFileSync } from "fs";
-import { join } from "path";
-import { startPlatformServer } from "../platform/server";
-import {
-  collectArcPeerDeps,
-  err,
-  loadServerContext,
-  log,
-  ok,
-  resolveWorkspace,
-  type BuildManifest,
-} from "../platform/shared";
+import { startPlatform } from "../platform/startup";
+import { resolveWorkspace } from "../platform/shared";
 
+/** `arc platform start` — production mode (no watcher, immutable cache). */
 export async function platformStart(): Promise<void> {
   const ws = resolveWorkspace();
-  const port = parseInt(process.env.PORT || "5005", 10);
-  const deployApi = process.env.ARC_DEPLOY_API === "1";
-
-  // Pre-deploy mode: container started with empty volume (first boot of an
-  // arcote/runtime container — manifest hasn't been pushed yet). Boot a
-  // minimal server so the deploy CLI can reach /api/deploy/* to push the
-  // initial framework + modules. Container restart (after first manifest
-  // commit) re-enters this function with manifest present → full mode.
-  const manifestPath = join(ws.modulesDir, "manifest.json");
-  if (!existsSync(manifestPath)) {
-    if (!deployApi) {
-      err("No build found. Run `arc platform build` first.");
-      process.exit(1);
-    }
-    log("Pre-deploy mode — no manifest yet, awaiting first /api/deploy/*");
-    const emptyManifest: BuildManifest = {
-      modules: [],
-      shellHash: "",
-      stylesHash: "",
-      buildTime: new Date().toISOString(),
-    };
-    const platform = await startPlatformServer({
-      ws,
-      port,
-      manifest: emptyManifest,
-      context: null,
-      moduleAccess: new Map(),
-      dbPath: join(ws.rootDir, ".arc", "data", "prod.db"),
-      devMode: false,
-      deployApi: true,
-      arcEntries: [],
-    });
-    ok(`Pre-deploy server on http://localhost:${port}`);
-    registerSignalCleanup(platform);
-    return;
-  }
-
-  const manifest: BuildManifest = JSON.parse(
-    readFileSync(manifestPath, "utf-8"),
-  );
-
-  // Load server context
-  log("Loading server context...");
-  const { context, moduleAccess } = await loadServerContext(ws.packages);
-  if (context) {
-    ok("Context loaded");
-  } else {
-    log("No context — server endpoints skipped");
-  }
-
-  // Start server (production mode = aggressive caching, SSE only used for deploy hot-swap)
-  const arcEntries = collectArcPeerDeps(ws.packages);
-  if (deployApi) ok("Deploy API enabled (/api/deploy/*)");
-  const platform = await startPlatformServer({
-    ws,
-    port,
-    manifest,
-    context,
-    moduleAccess,
-    dbPath: join(ws.rootDir, ".arc", "data", "prod.db"),
-    devMode: false,
-    deployApi,
-    arcEntries,
-  });
-
-  ok(`Server on http://localhost:${port}`);
-  if (platform.contextHandler) ok("Commands, queries, WebSocket — all on same port");
-
-  registerSignalCleanup(platform);
-}
-
-function registerSignalCleanup(platform: { stop: () => void }): void {
-  const cleanup = () => {
-    platform.stop();
-    process.exit(0);
-  };
-  process.on("SIGTERM", cleanup);
-  process.on("SIGINT", cleanup);
+  await startPlatform({ ws, devMode: false });
 }

package/src/deploy/ansible.ts

@@ -1,10 +1,24 @@
 import { spawn as nodeSpawn } from "node:child_process";
-import { mkdirSync, writeFileSync } from "fs";
-import { tmpdir } from "os";
+import { existsSync, mkdirSync, writeFileSync } from "fs";
+import { homedir, tmpdir } from "os";
 import { join } from "path";
 import { ASSETS, materializeAssets } from "./assets";
 import type { DeployProvisionAnsible, DeployTarget } from "./config";
 
+function pickSshKeyForAnsible(configured?: string): string | null {
+  if (configured) {
+    const expanded = configured.startsWith("~")
+      ? join(homedir(), configured.slice(1))
+      : configured;
+    return existsSync(expanded) ? expanded : null;
+  }
+  for (const name of ["id_ed25519", "id_ecdsa", "id_rsa"]) {
+    const path = join(homedir(), ".ssh", name);
+    if (existsSync(path)) return path;
+  }
+  return null;
+}
+
 // ---------------------------------------------------------------------------
 // Runs Ansible from embedded assets. Inventory is generated on the fly,
 // targeting the single host described by DeployTarget. Runs as root on the
@@ -27,12 +41,18 @@ export async function runAnsible(inputs: AnsibleInputs): Promise<void> {
   const user = inputs.asRoot ? "root" : inputs.target.user;
   const port = inputs.ansible?.sshPort ?? inputs.target.port;
 
+  // IdentitiesOnly=yes + explicit -i prevent ssh from walking every key in
+  // ssh-agent (the server's MaxAuthTries=3 trips when the agent holds >3 keys
+  // and ours isn't first). PreferredAuthentications=publickey skips gssapi
+  // prompts that also count against MaxAuthTries.
+  const sshKey = pickSshKeyForAnsible(inputs.target.sshKey);
+  const sshKeyArg = sshKey ? ` -o IdentitiesOnly=yes -i ${sshKey}` : "";
   const inventory = [
     "[arc]",
     `${inputs.target.host} ansible_user=${user} ansible_port=${port}`,
     "",
     "[arc:vars]",
-    "ansible_ssh_common_args='-o StrictHostKeyChecking=accept-new -o BatchMode=yes'",
+    `ansible_ssh_common_args='-o StrictHostKeyChecking=accept-new -o BatchMode=yes -o PreferredAuthentications=publickey${sshKeyArg}'`,
     "ansible_python_interpreter=/usr/bin/python3",
     "",
   ].join("\n");

package/src/deploy/assets/ansible/site.yml

@@ -115,7 +115,22 @@
         - { policy: deny, dir: incoming }
         - { policy: allow, dir: outgoing }
 
-    - name: Open firewall ports
+    - name: Remove legacy ufw limit rule on SSH (replaced by plain allow)
+      # If a prior bootstrap installed `ufw limit 22/tcp`, drop it — otherwise
+      # the limit rule shadows the allow rule and rate-throttles deploy flows.
+      ufw:
+        rule: limit
+        port: "{{ ssh_port }}"
+        proto: tcp
+        delete: true
+      ignore_errors: true
+
+    - name: Open firewall ports (SSH key-only auth, no brute-force surface)
+      # SSH on port 22: PasswordAuthentication=no + key-only means brute force
+      # is impossible without the operator's private key. Rate-limiting (ufw
+      # limit / fail2ban sshd jail) breaks legitimate deploy flows that open
+      # many short SSH connections in sequence (canSsh → sshExec → scp → ...).
+      # 80/443: Caddy ACME + app traffic, never rate-limited.
       ufw:
         rule: allow
         port: "{{ item }}"
@@ -129,17 +144,18 @@
       ufw:
         state: enabled
 
-    - name: Configure fail2ban for sshd
+    - name: Disable fail2ban sshd jail
+      # Key-only SSH + ufw rate-limit make fail2ban for sshd redundant and
+      # actively harmful when the operator's IP roams. Keep fail2ban installed
+      # for future jails (web/db) but turn off the sshd jail explicitly.
       copy:
         dest: /etc/fail2ban/jail.local
         content: |
           [sshd]
-          enabled = true
-          port = {{ ssh_port }}
-          maxretry = 5
-          findtime = 600
-          bantime = 3600
+          enabled = false
+          {% if extra_allowed_ips %}
           ignoreip = 127.0.0.1/8 ::1 {{ extra_allowed_ips | join(' ') }}
+          {% endif %}
         mode: "0644"
       notify: restart fail2ban
 

package/src/deploy/assets.ts

@@ -201,7 +201,22 @@ const ANSIBLE_SITE_YML = `---
         - { policy: deny, dir: incoming }
         - { policy: allow, dir: outgoing }
 
-    - name: Open firewall ports
+    - name: Remove legacy ufw limit rule on SSH (replaced by plain allow)
+      # If a prior bootstrap installed \`ufw limit 22/tcp\`, drop it — otherwise
+      # the limit rule shadows the allow rule and rate-throttles deploy flows.
+      ufw:
+        rule: limit
+        port: "{{ ssh_port }}"
+        proto: tcp
+        delete: true
+      ignore_errors: true
+
+    - name: Open firewall ports (SSH key-only auth, no brute-force surface)
+      # SSH on port 22: PasswordAuthentication=no + key-only means brute force
+      # is impossible without the operator's private key. Rate-limiting (ufw
+      # limit / fail2ban sshd jail) breaks legitimate deploy flows that open
+      # many short SSH connections in sequence (canSsh -> sshExec -> scp -> ...).
+      # 80/443: Caddy ACME + app traffic, never rate-limited.
       ufw:
         rule: allow
         port: "{{ item }}"
@@ -215,17 +230,18 @@ const ANSIBLE_SITE_YML = `---
       ufw:
         state: enabled
 
-    - name: Configure fail2ban for sshd
+    - name: Disable fail2ban sshd jail
+      # Key-only SSH + ufw rate-limit make fail2ban for sshd redundant and
+      # actively harmful when the operator's IP roams. Keep fail2ban installed
+      # for future jails (web/db) but turn off the sshd jail explicitly.
       copy:
         dest: /etc/fail2ban/jail.local
         content: |
           [sshd]
-          enabled = true
-          port = {{ ssh_port }}
-          maxretry = 5
-          findtime = 600
-          bantime = 3600
+          enabled = false
+          {% if extra_allowed_ips %}
           ignoreip = 127.0.0.1/8 ::1 {{ extra_allowed_ips | join(' ') }}
+          {% endif %}
         mode: "0644"
       notify: restart fail2ban