@arcote.tech/arc-cli 0.7.6 → 0.7.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@arcote.tech/arc-cli",
-  "version": "0.7.6",
+  "version": "0.7.8",
   "description": "CLI tool for Arc framework",
   "module": "index.ts",
   "main": "dist/index.js",
@@ -9,17 +9,29 @@
     "arc": "./dist/index.js"
   },
   "scripts": {
-    "build": "bun build --target=bun ./src/index.ts --outdir=dist --external @arcote.tech/arc --external @arcote.tech/arc-ds --external @arcote.tech/arc-react --external @arcote.tech/platform && chmod +x dist/index.js"
+    "build": "bun build --target=bun ./src/index.ts --outdir=dist --external @arcote.tech/arc --external @arcote.tech/arc-ds --external @arcote.tech/arc-react --external @arcote.tech/platform --external '@opentelemetry/*' && chmod +x dist/index.js"
   },
   "dependencies": {
-    "@arcote.tech/arc": "^0.7.6",
-    "@arcote.tech/arc-ds": "^0.7.6",
-    "@arcote.tech/arc-react": "^0.7.6",
-    "@arcote.tech/arc-host": "^0.7.6",
-    "@arcote.tech/arc-adapter-db-sqlite": "^0.7.6",
-    "@arcote.tech/arc-adapter-db-postgres": "^0.7.6",
-    "@arcote.tech/arc-otel": "^0.7.6",
-    "@arcote.tech/platform": "^0.7.6",
+    "@arcote.tech/arc": "^0.7.8",
+    "@arcote.tech/arc-ds": "^0.7.8",
+    "@arcote.tech/arc-react": "^0.7.8",
+    "@arcote.tech/arc-host": "^0.7.8",
+    "@arcote.tech/arc-adapter-db-sqlite": "^0.7.8",
+    "@arcote.tech/arc-adapter-db-postgres": "^0.7.8",
+    "@arcote.tech/arc-otel": "^0.7.8",
+    "@opentelemetry/api": "^1.9.0",
+    "@opentelemetry/api-logs": "^0.57.0",
+    "@opentelemetry/core": "^1.30.0",
+    "@opentelemetry/exporter-logs-otlp-http": "^0.57.0",
+    "@opentelemetry/exporter-metrics-otlp-http": "^0.57.0",
+    "@opentelemetry/exporter-trace-otlp-http": "^0.57.0",
+    "@opentelemetry/resources": "^1.30.0",
+    "@opentelemetry/sdk-logs": "^0.57.0",
+    "@opentelemetry/sdk-metrics": "^1.30.0",
+    "@opentelemetry/sdk-trace-base": "^1.30.0",
+    "@opentelemetry/sdk-trace-node": "^1.30.0",
+    "@opentelemetry/semantic-conventions": "^1.27.0",
+    "@arcote.tech/platform": "^0.7.8",
     "@clack/prompts": "^0.9.0",
     "commander": "^11.1.0",
     "chokidar": "^3.5.3",

package/src/builder/dependency-collector.ts

@@ -1,6 +1,7 @@
 import { createHash } from "node:crypto";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
-import { basename, join } from "path";
+import { basename, dirname, join } from "path";
+import { fileURLToPath } from "node:url";
 import { FRAMEWORK_PEERS, FRAMEWORK_PEER_SET } from "./framework-peers";
 import type { WorkspacePackage } from "./module-builder";
 
@@ -46,6 +47,38 @@ export function collectFrameworkDeps(
   for (const { name, version } of sharedDeps) {
     versions[name] = version;
   }
+
+  // OpenTelemetry deps — included unconditionally so deployed images can
+  // resolve them at runtime when telemetry is enabled. Cheap install
+  // (~5MB) and avoids per-deploy branching on `observability.enabled`.
+  // CLI's bundle externalizes @opentelemetry/* to dodge a Bun bundling
+  // bug that mixes ES5/ES6 class semantics across these packages.
+  // Resolve arc-otel from the CLI bundle's own location: arc-otel is a
+  // dep of arc-cli, not of the consumer app, so it isn't reachable from
+  // `rootDir`. Bun installs it nested under `.bun/<arc-cli-id>/...`,
+  // visible to a resolve call rooted in arc-cli's own dist directory.
+  try {
+    const cliDir = dirname(fileURLToPath(import.meta.url));
+    const arcOtelPkgPath = Bun.resolveSync(
+      "@arcote.tech/arc-otel/package.json",
+      cliDir,
+    );
+    const arcOtelPkg = JSON.parse(readFileSync(arcOtelPkgPath, "utf-8"));
+    for (const [name, spec] of Object.entries(arcOtelPkg.dependencies ?? {})) {
+      if (name.startsWith("@opentelemetry/")) {
+        versions[name] = spec as string;
+      }
+    }
+    versions["@arcote.tech/arc-otel"] = `^${arcOtelPkg.version}`;
+  } catch (e) {
+    // arc-otel not installed alongside the CLI — older CLI release without
+    // observability support, or a bundle that stripped the dep. Log once
+    // so a misconfigured deploy doesn't silently disable telemetry libs
+    // when the operator was expecting them.
+    console.warn(
+      `[arc-otel] could not resolve @arcote.tech/arc-otel — image will run without telemetry deps: ${(e as Error).message}`,
+    );
+  }
   const manifest = {
     name: "arc-platform-framework",
     private: true,

package/src/commands/platform-deploy.ts

@@ -235,5 +235,11 @@ async function hashDeployConfig(rootDir: string): Promise<string> {
   const content = readFileSync(p);
   const hasher = new Bun.CryptoHasher("sha256");
   hasher.update(content);
+  // Mix in the CLI version so a new CLI release that changes compose
+  // / caddyfile / observability templates forces upStack to re-run even
+  // when the user's deploy.arc.json is byte-identical. Without this,
+  // template changes ship in the npm package but never reach the host
+  // because the marker says "no config drift, skipping bootstrap".
+  hasher.update(readCliVersion());
   return hasher.digest("hex").slice(0, 16);
 }

package/src/deploy/bootstrap.ts

@@ -1,12 +1,12 @@
 import { spawn } from "bun";
 import { mkdirSync, writeFileSync } from "fs";
 import { tmpdir } from "os";
-import { join } from "path";
+import { dirname, join } from "path";
 import { runAnsible } from "./ansible";
 import { generateCaddyfile } from "./caddyfile";
 import { generateCompose } from "./compose";
 import type { DeployConfig } from "./config";
-import { generateHtpasswd } from "./htpasswd";
+import { generateCaddyBasicAuthLine, generateHtpasswd } from "./htpasswd";
 import { generateObservabilityConfigs } from "./observability-configs";
 import { runTerraform } from "./terraform";
 import { saveDeployConfig } from "./config";
@@ -148,6 +148,22 @@ export async function bootstrap(inputs: BootstrapInputs): Promise<void> {
     ok("Docker stack up");
   }
 
+  // Observability sidecars — always reconcile state, independent of
+  // upStack. `docker compose up -d` is idempotent: when the containers
+  // already match the current compose definition, nothing happens. When
+  // the user just turned observability on (config changed but upStack
+  // ran in a previous deploy), this brings the new services to life
+  // without forcing a full bootstrap.
+  if (cfg.observability?.enabled) {
+    log("Ensuring observability sidecars are running...");
+    const obsServices = ["otel-collector", "tempo", "loki", "prometheus", "grafana"];
+    await assertExec(
+      cfg.target,
+      `cd ${cfg.target.remoteDir} && docker compose pull --ignore-pull-failures ${obsServices.join(" ")} && docker compose up -d ${obsServices.join(" ")}`,
+    );
+    ok("Observability stack up");
+  }
+
   // Keep marker fresh
   await writeStateMarker(cfg.target, {
     cliVersion: inputs.cliVersion,
@@ -241,11 +257,13 @@ async function upStack(inputs: BootstrapInputs): Promise<void> {
         `bootstrap: ${adminPasswordEnv} not set — observability needs a Grafana admin password.`,
       );
     }
-    // Caddy basic_auth import file uses `username bcrypt_hash` syntax.
-    observabilityHtpasswd = await generateHtpasswd("admin", adminPassword);
-    mkdirSync(join(workDir, "observability"), { recursive: true });
+    // Caddy basic_auth import file uses `username bcrypt_hash` syntax
+    // (space-separated), NOT the registry-style htpasswd colon format.
+    observabilityHtpasswd = await generateCaddyBasicAuthLine("admin", adminPassword);
     for (const [relPath, contents] of Object.entries(observabilityFiles)) {
-      writeFileSync(join(workDir, relPath), contents);
+      const fullPath = join(workDir, relPath);
+      mkdirSync(dirname(fullPath), { recursive: true });
+      writeFileSync(fullPath, contents);
     }
     writeFileSync(join(workDir, "observability-htpasswd"), observabilityHtpasswd);
   }
@@ -288,10 +306,19 @@ async function upStack(inputs: BootstrapInputs): Promise<void> {
   // tempo / loki / prometheus / grafana configs go into a sibling
   // `observability/` directory referenced by compose bind-mounts.
   if (observabilityFiles && observabilityHtpasswd) {
+    // Make sure both the top-level `observability/` dir and the nested
+    // `grafana-dashboards/` exist before scp tries to land files there.
     await assertExec(
       cfg.target,
-      `mkdir -p ${cfg.target.remoteDir}/observability`,
+      `mkdir -p ${cfg.target.remoteDir}/observability/grafana-dashboards`,
     );
+    // Make sure local nested dir exists too — `generateObservabilityConfigs`
+    // returns relative paths like `observability/grafana-dashboards/x.json`
+    // which mkdirSync below uses for writeFileSync's directory.
+    for (const relPath of Object.keys(observabilityFiles)) {
+      const localDir = dirname(join(workDir, relPath));
+      mkdirSync(localDir, { recursive: true });
+    }
     for (const relPath of Object.keys(observabilityFiles)) {
       await scpUpload(
         cfg.target,
@@ -371,6 +398,7 @@ async function upStack(inputs: BootstrapInputs): Promise<void> {
         .join(" ")}`,
     );
   }
+
 }
 
 /**

package/src/deploy/compose.ts

@@ -224,6 +224,7 @@ export function generateCompose({ cfg }: ComposeOptions): string {
     lines.push("      - \"3100\"  # HTTP API");
     lines.push("");
 
+    const metricsRetention = cfg.observability.retention?.metrics ?? "30d";
     lines.push("  prometheus:");
     lines.push("    image: prom/prometheus:v2.55.1");
     lines.push("    container_name: arc-prometheus");
@@ -231,6 +232,7 @@ export function generateCompose({ cfg }: ComposeOptions): string {
     lines.push("    command:");
     lines.push("      - \"--config.file=/etc/prometheus/prometheus.yml\"");
     lines.push("      - \"--storage.tsdb.path=/prometheus\"");
+    lines.push(`      - "--storage.tsdb.retention.time=${metricsRetention}"`);
     lines.push("      - \"--web.enable-remote-write-receiver\"");
     lines.push("      - \"--enable-feature=exemplar-storage\"");
     lines.push("    volumes:");
@@ -259,6 +261,16 @@ export function generateCompose({ cfg }: ComposeOptions): string {
     lines.push(
       "      - ./observability/grafana-datasources.yaml:/etc/grafana/provisioning/datasources/datasources.yaml:ro",
     );
+    // Dashboard auto-provisioning: a single provider config points at the
+    // bind-mounted /arc directory; each JSON in that dir becomes a live
+    // dashboard inside the "Arc" folder. Updates land within the
+    // provider's `updateIntervalSeconds` (30s).
+    lines.push(
+      "      - ./observability/grafana-dashboards.yaml:/etc/grafana/provisioning/dashboards/dashboards.yaml:ro",
+    );
+    lines.push(
+      "      - ./observability/grafana-dashboards:/etc/grafana/provisioning/dashboards/arc:ro",
+    );
     lines.push("      - grafana_data:/var/lib/grafana");
     lines.push("    networks: [arc-net]");
     lines.push("    expose:");

package/src/deploy/htpasswd.ts

@@ -26,3 +26,23 @@ export async function generateHtpasswd(
   });
   return `${user}:${hash}\n`;
 }
+
+/**
+ * Caddy's `basic_auth` directive takes a different format than the
+ * registry-style htpasswd file: `<user> <bcrypt-hash>` (space-separated,
+ * no colon). Newer Caddy syntax also accepts a quoted hash, but the
+ * unquoted bcrypt string works in both 2.7 and 2.8+.
+ */
+export async function generateCaddyBasicAuthLine(
+  user: string,
+  password: string,
+): Promise<string> {
+  if (!user || !password) {
+    throw new Error("caddy basic_auth: user and password must both be non-empty");
+  }
+  const hash = await Bun.password.hash(password, {
+    algorithm: "bcrypt",
+    cost: 10,
+  });
+  return `${user} ${hash}\n`;
+}