@arcote.tech/arc-cli 0.6.2 → 0.7.1

package/src/deploy/ssh.ts

@@ -1,6 +1,29 @@
 import { spawn } from "bun";
+import { existsSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
 import type { DeployTarget } from "./config";
 
+/**
+ * Pick a private SSH key to authenticate with. Honors target.sshKey if set,
+ * otherwise tries the standard candidates in ~/.ssh/. Returns null if no
+ * usable key is found — caller can then fall back to default ssh-agent
+ * behavior (i.e. omit IdentitiesOnly).
+ */
+function pickSshKey(target: DeployTarget): string | null {
+  if (target.sshKey) {
+    const expanded = target.sshKey.startsWith("~")
+      ? join(homedir(), target.sshKey.slice(1))
+      : target.sshKey;
+    return existsSync(expanded) ? expanded : null;
+  }
+  for (const name of ["id_ed25519", "id_ecdsa", "id_rsa"]) {
+    const path = join(homedir(), ".ssh", name);
+    if (existsSync(path)) return path;
+  }
+  return null;
+}
+
 /** Convert a Bun subprocess stream (which may be a ReadableStream or undefined) to string. */
 async function streamToString(
   stream: ReadableStream<Uint8Array> | number | undefined,
@@ -20,23 +43,36 @@ export interface SshExecResult {
   exitCode: number;
 }
 
-function baseSshArgs(target: DeployTarget): string[] {
-  // IdentitiesOnly=yes pins auth to the explicit key. Without it ssh-agent
-  // offers every loaded identity and trips MaxAuthTries on hardened sshd
-  // (ansible's sshd hardening + fail2ban lowers the threshold).
-  const key = target.sshKey ?? `${process.env.HOME}/.ssh/id_ed25519`;
-  return [
+export function baseSshArgs(target: DeployTarget): string[] {
+  // Pin to a single identity to avoid "Too many authentication failures":
+  // the server's MaxAuthTries=3 (set by ansible) trips when ssh-agent has
+  // more than 3 keys loaded and walks all of them before reaching ours.
+  // PreferredAuthentications=publickey skips gssapi/keyboard prompts entirely.
+  const key = pickSshKey(target);
+  const args = [
     "-o",
     "BatchMode=yes",
     "-o",
     "StrictHostKeyChecking=accept-new",
     "-o",
-    "IdentitiesOnly=yes",
-    "-i",
-    key,
+    "PreferredAuthentications=publickey",
+    // Fail fast: TCP-level connect attempts give up after 5s instead of
+    // hanging on the default ~75s when ufw drops, fail2ban bans, or the
+    // VM is briefly unreachable. ServerAlive* keeps an established
+    // connection from silently stalling on a dead route.
+    "-o",
+    "ConnectTimeout=5",
+    "-o",
+    "ServerAliveInterval=10",
+    "-o",
+    "ServerAliveCountMax=2",
     "-p",
     String(target.port),
   ];
+  if (key) {
+    args.push("-o", "IdentitiesOnly=yes", "-i", key);
+  }
+  return args;
 }
 
 /**
@@ -121,19 +157,22 @@ export async function scpUpload(
   localPath: string,
   remotePath: string,
 ): Promise<void> {
-  const key = target.sshKey ?? `${process.env.HOME}/.ssh/id_ed25519`;
+  const key = pickSshKey(target);
   const args = [
     "-o",
     "BatchMode=yes",
     "-o",
     "StrictHostKeyChecking=accept-new",
     "-o",
-    "IdentitiesOnly=yes",
-    "-i",
-    key,
+    "PreferredAuthentications=publickey",
+    "-o",
+    "ConnectTimeout=5",
     "-P",
     String(target.port),
   ];
+  if (key) {
+    args.push("-o", "IdentitiesOnly=yes", "-i", key);
+  }
   args.push(localPath, `${target.user}@${target.host}:${remotePath}`);
 
   const proc = spawn({ cmd: ["scp", ...args], stderr: "pipe" });
@@ -145,112 +184,3 @@ export async function scpUpload(
     throw new Error(`scp failed (${exitCode}): ${stderr}`);
   }
 }
-
-/**
- * Rsync a directory to the remote host (preserving permissions, deleting stale files).
- *
- * `-L` dereferences symlinks on the source side. This is essential because Arc
- * projects typically use `bun link` for framework packages — `node_modules/@arcote.tech/*`
- * and workspace `@ndt/*` packages are symlinks pointing at paths that don't
- * exist on the remote host. Without `-L`, rsync copies them as dangling
- * symlinks and the container can't resolve `node_modules/.bin/arc`.
- */
-export async function rsyncDir(
-  target: DeployTarget,
-  localDir: string,
-  remoteDir: string,
-  opts: { delete?: boolean } = {},
-): Promise<void> {
-  const sshCmdParts = ["ssh", "-p", String(target.port)];
-  if (target.sshKey) sshCmdParts.push("-i", target.sshKey);
-  const sshCmd = sshCmdParts.join(" ");
-
-  const args: string[] = ["-azL", "-e", sshCmd];
-  if (opts.delete) args.push("--delete");
-  // Trailing slash: sync contents, not the dir itself
-  const src = localDir.endsWith("/") ? localDir : `${localDir}/`;
-  args.push(src, `${target.user}@${target.host}:${remoteDir}`);
-
-  const proc = spawn({
-    cmd: ["rsync", ...args],
-    stderr: "pipe",
-    stdout: "pipe",
-  });
-  const [stderr, exitCode] = await Promise.all([
-    streamToString(proc.stderr),
-    proc.exited,
-  ]);
-  if (exitCode !== 0) {
-    throw new Error(`rsync failed (${exitCode}): ${stderr}`);
-  }
-}
-
-/**
- * Open an SSH -L tunnel. Returns a Disposable-like object with `.close()`.
- * Caller MUST call close() (or use `using` in Bun) to release the tunnel.
- */
-export interface SshTunnel {
-  localPort: number;
-  close(): void;
-}
-
-export async function openTunnel(
-  target: DeployTarget,
-  localPort: number,
-  remoteHost: string,
-  remotePort: number,
-): Promise<SshTunnel> {
-  const args = [
-    ...baseSshArgs(target),
-    "-N",
-    "-L",
-    `${localPort}:${remoteHost}:${remotePort}`,
-    `${target.user}@${target.host}`,
-  ];
-  const proc = spawn({
-    cmd: ["ssh", ...args],
-    stdin: "ignore",
-    stdout: "pipe",
-    stderr: "pipe",
-  });
-  // Wait briefly for the tunnel to establish. ssh prints nothing on success
-  // with -N, so we poll a TCP connect on localPort.
-  const deadline = Date.now() + 10_000;
-  let lastErr: unknown;
-  while (Date.now() < deadline) {
-    if (proc.exitCode !== null) {
-      const stderr = await streamToString(proc.stderr);
-      throw new Error(`ssh tunnel exited early: ${stderr}`);
-    }
-    try {
-      const probe = await Bun.connect({
-        hostname: "127.0.0.1",
-        port: localPort,
-        socket: { data() {}, open() {}, close() {}, error() {} },
-      });
-      probe.end();
-      return {
-        localPort,
-        close() {
-          try {
-            proc.kill();
-          } catch {
-            // ignore
-          }
-        },
-      };
-    } catch (e) {
-      lastErr = e;
-      await Bun.sleep(200);
-    }
-  }
-  try {
-    proc.kill();
-  } catch {
-    // ignore
-  }
-  throw new Error(
-    `Failed to establish SSH tunnel on localhost:${localPort}: ${String(lastErr)}`,
-  );
-}
-

package/src/deploy/survey.ts

@@ -151,6 +151,55 @@ export async function runSurvey(): Promise<DeployConfig> {
   })) as string;
   if (clack.isCancel(email)) cancel();
 
+  // Phase 6: Private Docker Registry
+  clack.note(
+    "The host runs a private Docker registry behind Caddy.\nCreate an A record for the registry domain pointing to your host before deploy.",
+    "Registry",
+  );
+  const registryDomain = (await clack.text({
+    message: "Registry domain (full FQDN)",
+    placeholder: "registry.example.com",
+    validate: (v) =>
+      /^[a-z0-9.-]+\.[a-z]{2,}$/i.test(v) ? undefined : "Expected a domain",
+  })) as string;
+  if (clack.isCancel(registryDomain)) cancel();
+
+  const registryUser = (await clack.text({
+    message: "Registry username",
+    initialValue: "deploy",
+    validate: (v) =>
+      /^[a-z_][a-z0-9_-]*$/.test(v) ? undefined : "Invalid username",
+  })) as string;
+  if (clack.isCancel(registryUser)) cancel();
+
+  const registryPasswordEnv = (await clack.text({
+    message: "Env var holding the registry password",
+    initialValue: "ARC_REGISTRY_PASSWORD",
+    validate: (v) =>
+      /^[A-Z][A-Z0-9_]*$/.test(v)
+        ? undefined
+        : "Must be UPPER_SNAKE_CASE",
+  })) as string;
+  if (clack.isCancel(registryPasswordEnv)) cancel();
+
+  const generatePassword = (await clack.confirm({
+    message: "Generate a random password now?",
+    initialValue: true,
+  })) as boolean;
+  if (clack.isCancel(generatePassword)) cancel();
+  if (generatePassword) {
+    const random = generateRandomPassword(32);
+    clack.note(
+      `Save this password — you'll need it on every deploy.\n\n  export ${registryPasswordEnv}=${random}\n\nThis prompt is the only time it's shown.`,
+      "Registry password",
+    );
+  } else {
+    clack.note(
+      `Set ${registryPasswordEnv} in your shell before running deploy.`,
+      "Registry password",
+    );
+  }
+
   clack.outro("Configuration ready — writing deploy.arc.json");
 
   return {
@@ -162,10 +211,25 @@ export async function runSurvey(): Promise<DeployConfig> {
     },
     envs,
     caddy: { email },
+    registry: {
+      domain: registryDomain,
+      username: registryUser,
+      passwordEnv: registryPasswordEnv,
+    },
     provision,
   };
 }
 
+function generateRandomPassword(bytes: number): string {
+  // 32 random bytes → 43-char base64url. Plenty of entropy for a registry.
+  const buf = new Uint8Array(bytes);
+  crypto.getRandomValues(buf);
+  return btoa(String.fromCharCode(...buf))
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/, "");
+}
+
 function cancel(): never {
   clack.cancel("Cancelled.");
   process.exit(0);

package/src/index.ts

@@ -2,7 +2,6 @@
 
 import { Command } from "commander";
 import { build } from "./commands/build";
-import { buildShell } from "./commands/build-shell";
 import { dev } from "./commands/dev";
 import { platformBuild } from "./commands/platform-build";
 import { platformDeploy } from "./commands/platform-deploy";
@@ -59,20 +58,28 @@ platform
   )
   .option("--skip-build", "Skip local build step")
   .option("--rebuild", "Force rebuild before deploy")
-  .action((env: string | undefined, opts: { skipBuild?: boolean; rebuild?: boolean }) =>
-    platformDeploy(env, opts),
+  .option("--build-only", "Build the Docker image locally, then exit (no remote push)")
+  .option(
+    "--image-tag <hash>",
+    "Roll back / pin to an existing image tag instead of building a new one",
+  )
+  .option(
+    "--force-bootstrap",
+    "Re-run Ansible host bootstrap even if the server is already configured",
+  )
+  .action(
+    (
+      env: string | undefined,
+      opts: {
+        skipBuild?: boolean;
+        rebuild?: boolean;
+        buildOnly?: boolean;
+        imageTag?: string;
+        forceBootstrap?: boolean;
+      },
+    ) => platformDeploy(env, opts),
   );
 
-// Hidden subcommand used by the runtime container's entrypoint / API handlers.
-// Not shown in --help; runs against an installed node_modules tree to emit
-// browser shell bundles for the discovered framework peers.
-program
-  .command("_build-shell", { hidden: true })
-  .description("Build framework shell bundles from a node_modules dir")
-  .requiredOption("--out <dir>", "Output directory for shell .js bundles")
-  .requiredOption("--from <dir>", "node_modules directory to discover packages in")
-  .action((opts: { out: string; from: string }) => buildShell(opts));
-
 // Parse command line arguments
 program.parse(process.argv);