@cardelli/ambit 0.1.5 → 0.2.1

package/esm/cli/commands/create/machine.js

@@ -0,0 +1,162 @@
+// =============================================================================
+// Create — Phases, Context, Hydration, Transitions
+// =============================================================================
+import { randomId } from "../../../lib/cli.js";
+import { Result } from "../../../lib/result.js";
+import { extractSubnet } from "../../../util/fly-transforms.js";
+import { ROUTER_DOCKER_DIR, SECRET_NETWORK_NAME, SECRET_ROUTER_ID, SECRET_TAILSCALE_AUTHKEY, } from "../../../util/constants.js";
+import { FlyDeployError, } from "../../../providers/fly.js";
+import { getRouterAppName } from "../../../util/naming.js";
+import { enableAcceptRoutes, isAcceptRoutesEnabled, isAutoApproverConfigured, isTailscaleInstalled, waitForDevice, } from "../../../util/tailscale-local.js";
+import { findRouterApp, getRouterMachineInfo } from "../../../util/discovery.js";
+// =============================================================================
+// Phase Labels
+// =============================================================================
+const CREATE_PHASES = [
+    { phase: "create_app", label: "Fly App Created" },
+    { phase: "deploy_router", label: "Router Deployed" },
+    { phase: "await_device", label: "Router in Tailnet" },
+    { phase: "approve_routes", label: "Routes Approved" },
+    { phase: "configure_dns", label: "Split DNS Configured" },
+    { phase: "accept_routes", label: "Accept Routes Enabled" },
+];
+export const reportSkipped = (out, startPhase) => {
+    for (const { phase, label } of CREATE_PHASES) {
+        if (phase === startPhase)
+            break;
+        out.skip(label);
+    }
+};
+// =============================================================================
+// Hydration — determine starting phase from infrastructure state
+// =============================================================================
+export const hydrateCreate = async (ctx) => {
+    const router = await findRouterApp(ctx.fly, ctx.org, ctx.network);
+    if (!router)
+        return "create_app";
+    ctx.appName = router.appName;
+    ctx.routerId = router.routerId;
+    const machine = await getRouterMachineInfo(ctx.fly, router.appName);
+    if (!machine || machine.state !== "started")
+        return "deploy_router";
+    ctx.subnet = machine.subnet;
+    if (!ctx.shouldApprove)
+        return "complete";
+    const device = await ctx.tailscale.devices.getByHostname(router.appName);
+    if (!device)
+        return "await_device";
+    ctx.device = device;
+    const routes = await ctx.tailscale.routes.get(device.id);
+    if (!routes || routes.unapproved.length > 0)
+        return "approve_routes";
+    const dns = await ctx.tailscale.dns.getSplit();
+    if (!dns[ctx.network]?.length)
+        return "configure_dns";
+    if (!(await isAcceptRoutesEnabled()))
+        return "accept_routes";
+    return "complete";
+};
+// =============================================================================
+// Transitions
+// =============================================================================
+export const createTransition = async (phase, ctx) => {
+    switch (phase) {
+        case "create_app": {
+            const suffix = randomId(8);
+            ctx.appName = getRouterAppName(ctx.network, suffix);
+            ctx.routerId = suffix;
+            await ctx.out.spin("Creating App", () => ctx.fly.apps.create(ctx.appName, ctx.org, { network: ctx.network }));
+            ctx.out.ok(`Created App: ${ctx.appName}`);
+            return Result.ok("deploy_router");
+        }
+        case "deploy_router": {
+            const authKey = await ctx.tailscale.auth.createKey({
+                reusable: false,
+                ephemeral: false,
+                preauthorized: true,
+                tags: [ctx.tag],
+            });
+            ctx.out.ok("Auth Key Created");
+            await ctx.out.spin("Setting Secrets", () => ctx.fly.secrets.set(ctx.appName, {
+                [SECRET_TAILSCALE_AUTHKEY]: authKey,
+                [SECRET_NETWORK_NAME]: ctx.network,
+                [SECRET_ROUTER_ID]: ctx.routerId,
+            }, { stage: true }));
+            const dockerDir = ROUTER_DOCKER_DIR;
+            try {
+                await ctx.fly.deploy.router(ctx.appName, dockerDir, {
+                    region: ctx.region,
+                });
+            }
+            catch (e) {
+                if (e instanceof FlyDeployError) {
+                    ctx.out.dim(`  ${e.detail}`);
+                    return Result.err(e.message);
+                }
+                throw e;
+            }
+            ctx.out.ok("Router Deployed");
+            const machines = await ctx.fly.machines.list(ctx.appName);
+            const m = machines.find((m) => m.private_ip);
+            if (m?.private_ip)
+                ctx.subnet = extractSubnet(m.private_ip);
+            if (!ctx.shouldApprove)
+                return Result.ok("complete");
+            return Result.ok("await_device");
+        }
+        case "await_device": {
+            ctx.device = await waitForDevice(ctx.tailscale, ctx.appName, 180000);
+            ctx.out.ok(`Router Joined Tailnet: ${ctx.device.addresses[0]}`);
+            if (!ctx.subnet) {
+                const machines = await ctx.fly.machines.list(ctx.appName);
+                const m = machines.find((m) => m.private_ip);
+                if (m?.private_ip)
+                    ctx.subnet = extractSubnet(m.private_ip);
+            }
+            return Result.ok("approve_routes");
+        }
+        case "approve_routes": {
+            if (!ctx.device || !ctx.subnet) {
+                return Result.err("Missing Device or Subnet");
+            }
+            const policy = await ctx.tailscale.acl.getPolicy();
+            const hasAutoApprover = isAutoApproverConfigured(policy, ctx.tag);
+            if (hasAutoApprover) {
+                ctx.out.ok("Routes Auto-Approved via ACL Policy");
+            }
+            else {
+                await ctx.tailscale.routes.approve(ctx.device.id, [ctx.subnet]);
+                ctx.out.ok("Subnet Routes Approved");
+            }
+            return Result.ok("configure_dns");
+        }
+        case "configure_dns": {
+            if (!ctx.device)
+                return Result.err("Missing Device");
+            await ctx.tailscale.dns.setSplit(ctx.network, [ctx.device.addresses[0]]);
+            ctx.out.ok(`Split DNS Configured: *.${ctx.network}`);
+            return Result.ok("accept_routes");
+        }
+        case "accept_routes": {
+            if (await isTailscaleInstalled()) {
+                if (await isAcceptRoutesEnabled()) {
+                    ctx.out.ok("Accept Routes Already Enabled");
+                }
+                else if (await enableAcceptRoutes()) {
+                    ctx.out.ok("Accept Routes Enabled");
+                }
+                else {
+                    ctx.out.warn("Could Not Enable Accept Routes");
+                    ctx.out.dim("  Run: sudo tailscale set --accept-routes");
+                }
+            }
+            else {
+                ctx.out.warn("Tailscale CLI Not Found");
+                ctx.out.dim("  Ensure Accept-Routes is Enabled on This Device");
+            }
+            return Result.ok("complete");
+        }
+        default:
+            return Result.err(`Unknown Phase: ${phase}`);
+    }
+};

package/esm/cli/commands/deploy/index.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=index.d.ts.map

package/esm/cli/commands/deploy/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/deploy/index.ts"],"names":[],"mappings":""}

package/esm/cli/commands/deploy/index.js

@@ -0,0 +1,290 @@
+// =============================================================================
+// Deploy Command - Safely Deploy a Workload App on a Custom Private Network
+// =============================================================================
+import { parseArgs } from "../../../deps/jsr.io/@std/cli/1.0.28/mod.js";
+import { bold } from "../../../lib/cli.js";
+import { checkArgs } from "../../../lib/args.js";
+import { createOutput } from "../../../lib/output.js";
+import { runMachine } from "../../../lib/machine.js";
+import { registerCommand } from "../../mod.js";
+import { createFlyProvider, } from "../../../providers/fly.js";
+import { getWorkloadAppName } from "../../../util/naming.js";
+import { findRouterApp, getRouterMachineInfo } from "../../../util/discovery.js";
+import { resolveOrg } from "../../../util/resolve.js";
+import { assertNotRouter } from "../../../util/guard.js";
+import { resolveConfigMode, resolveImageMode, resolveTemplateMode, } from "./modes.js";
+import { deployTransition, hydrateDeploy, reportDeploySkipped, } from "./machine.js";
+// =============================================================================
+// Stage 1: Fly.io Configuration
+// =============================================================================
+const stageFlyConfig = async (out, opts) => {
+    out.header("Step 1: Fly.io Configuration").blank();
+    const fly = createFlyProvider();
+    await fly.auth.ensureInstalled();
+    const email = await fly.auth.login({ interactive: !opts.json });
+    out.ok(`Authenticated as ${email}`);
+    const org = await resolveOrg(fly, opts, out);
+    out.blank();
+    return { fly, org };
+};
+// =============================================================================
+// Stage 2: Network Verification
+// =============================================================================
+const stageNetworkVerification = async (out, fly, opts) => {
+    out.header("Step 2: Network Verification").blank();
+    const routerSpinner = out.spinner("Checking for Router on Network");
+    const router = await findRouterApp(fly, opts.org, opts.network);
+    if (!router) {
+        routerSpinner.fail("No Router Found");
+        return out.die(`No Ambit Router Found on Network '${opts.network}'. ` +
+            `Run 'ambit create ${opts.network}' First.`);
+    }
+    routerSpinner.success(`Router Found: ${router.appName}`);
+    const routerMachine = await getRouterMachineInfo(fly, router.appName);
+    out.blank();
+    return {
+        routerId: router.routerId,
+        flyAppName: getWorkloadAppName(opts.app, router.routerId),
+        routerPrivateIp: routerMachine?.privateIp,
+    };
+};
+// =============================================================================
+// Stage 3: Pre-flight Check
+// =============================================================================
+const stagePreflightCheck = async (out, opts) => {
+    out.header("Step 3: Pre-flight Check").blank();
+    let deployConfig;
+    if (opts.template) {
+        deployConfig = await resolveTemplateMode(opts.template, out);
+    }
+    else if (opts.image) {
+        deployConfig = resolveImageMode(opts.image, opts.mainPort, out);
+    }
+    else {
+        deployConfig = await resolveConfigMode(opts.config, out);
+    }
+    if (!deployConfig)
+        return out.die("Pre-flight Check Failed");
+    out.blank();
+    return deployConfig;
+};
+// =============================================================================
+// Stage 4: Deploy
+// =============================================================================
+const stageDeploy = async (out, fly, deployConfig, opts) => {
+    out.header("Step 4: Deploy").blank();
+    const ctx = {
+        fly,
+        out,
+        ...opts,
+        created: false,
+        deployConfig,
+        deployOptions: {
+            routerId: opts.routerId,
+            image: deployConfig.image,
+            config: deployConfig.configPath,
+            region: opts.region,
+        },
+    };
+    const phase = await hydrateDeploy(ctx);
+    reportDeploySkipped(out, phase);
+    const machine = {
+        terminal: "complete",
+        transition: deployTransition,
+    };
+    const result = await runMachine(machine, phase, ctx);
+    if (!result.ok) {
+        if (result.error === "Cancelled")
+            return;
+        return out.die(result.error);
+    }
+    stageSummary(out, ctx, deployConfig);
+};
+// =============================================================================
+// Stage 5: Summary
+// =============================================================================
+const stageSummary = (out, ctx, deployConfig) => {
+    const audit = ctx.audit ?? {
+        public_ips_released: 0,
+        certs_removed: 0,
+        flycast_allocations: [],
+        warnings: [],
+    };
+    const hasIssues = audit.public_ips_released > 0 || audit.warnings.length > 0;
+    const resultData = {
+        app: ctx.app,
+        network: ctx.network,
+        created: ctx.created,
+        audit,
+        preflight: deployConfig.preflight,
+    };
+    if (hasIssues) {
+        out.fail("Deploy Completed with Issues", resultData);
+    }
+    else {
+        out.done(resultData);
+    }
+    out.blank()
+        .header("=".repeat(50))
+        .header(hasIssues
+        ? "  Deploy Completed (with Warnings)"
+        : "  Deploy Completed!")
+        .header("=".repeat(50))
+        .blank()
+        .text(`App '${ctx.app}' Is Reachable from Your Tailnet as:`)
+        .text(`  ${ctx.app}.${ctx.network}`)
+        .blank();
+    out.print();
+};
+// =============================================================================
+// Deploy Command
+// =============================================================================
+const deploy = async (argv) => {
+    const opts = {
+        string: [
+            "network",
+            "org",
+            "region",
+            "image",
+            "config",
+            "main-port",
+            "template",
+        ],
+        boolean: ["help", "yes", "json"],
+        alias: { y: "yes" },
+        default: { "main-port": "80" },
+    };
+    const args = parseArgs(argv, opts);
+    checkArgs(args, opts, "ambit deploy");
+    if (args.help) {
+        console.log(`
+${bold("ambit deploy")} - Deploy an App Safely on a Custom Private Network
+
+${bold("USAGE")}
+  ambit deploy <app>.<network> [options]
+  ambit deploy <app> --network <name> [options]
+
+  The network can be specified as part of the name (app.network) or with --network.
+
+${bold("MODES")}
+  Config mode (default):
+    ambit deploy my-app.lab                                Uses ./fly.toml
+    ambit deploy my-app.lab --config path                  Explicit fly.toml
+
+  Image mode:
+    ambit deploy my-app.lab --image <img>                  Docker image, no toml
+
+  Template mode:
+    ambit deploy my-app.lab --template <ref>               GitHub template
+
+${bold("OPTIONS")}
+  --network <name>       Target network
+  --org <org>            Fly.io organization slug
+  --region <region>      Primary deployment region
+  -y, --yes              Skip confirmation prompts
+  --json                 Output as JSON
+
+${bold("CONFIG MODE")} (default)
+  --config <path>        Explicit fly.toml path (auto-detects ./fly.toml if omitted)
+
+${bold("IMAGE MODE")}
+  --image <img>          Docker image to deploy (no fly.toml needed)
+  --main-port <port>     Internal port for HTTP service (default: 80, "none" to skip)
+
+${bold("TEMPLATE MODE")}
+  --template <ref>       GitHub template as owner/repo[/path][@ref]
+
+  Reference format:
+    owner/repo                Fetch repo root from the default branch
+    owner/repo/path           Fetch subdirectory from the default branch
+    owner/repo/path@tag       Fetch a tagged release
+    owner/repo/path@branch    Fetch a specific branch
+    owner/repo/path@commit    Fetch a specific commit
+
+${bold("SAFETY")}
+  Always deploys with --no-public-ips and --flycast.
+  Post-deploy audit releases any public IPs and verifies Flycast allocation.
+  Pre-flight scan rejects fly.toml with force_https or TLS on 443.
+
+${bold("EXAMPLES")}
+  ambit deploy my-app.lab
+  ambit deploy my-app.lab --image registry/img:latest
+  ambit deploy my-app.lab --config ./fly.toml --region sea
+  ambit deploy my-claw.lab --template ToxicPine/ambit-openclaw
+  ambit deploy my-browser.lab --template ToxicPine/ambit-templates/chromatic
+  ambit deploy my-browser --network lab --template ToxicPine/ambit-templates/chromatic@v1.0
+`);
+        return;
+    }
+    const out = createOutput(args.json);
+    const appArg = args._[0];
+    if (!appArg || typeof appArg !== "string") {
+        return out.die("Missing App Name. Usage: ambit deploy <app>.<network>");
+    }
+    let app;
+    let network;
+    if (appArg.includes(".")) {
+        const parts = appArg.split(".");
+        if (parts.length !== 2 || !parts[0] || !parts[1]) {
+            return out.die(`'${appArg}' Should Have Exactly One Dot, Like my-app.my-network`);
+        }
+        if (args.network) {
+            return out.die(`Network Is Already Part of the Name ('${appArg}'), --network Is Not Needed`);
+        }
+        app = parts[0];
+        network = parts[1];
+    }
+    else {
+        app = appArg;
+        if (!args.network) {
+            return out.die(`Missing Network. Use: ambit deploy ${app}.<network>`);
+        }
+        network = args.network;
+    }
+    try {
+        assertNotRouter(app);
+    }
+    catch (e) {
+        return out.die(e instanceof Error ? e.message : String(e));
+    }
+    const modeFlags = [args.image, args.config, args.template].filter(Boolean);
+    if (modeFlags.length > 1) {
+        return out.die("--image, --config, and --template Are Mutually Exclusive");
+    }
+    out.blank()
+        .header("=".repeat(50))
+        .header(`  ambit Deploy: ${app}`)
+        .header("=".repeat(50))
+        .blank();
+    const { fly, org } = await stageFlyConfig(out, {
+        json: args.json,
+        org: args.org,
+    });
+    const { routerId, flyAppName, routerPrivateIp } = await stageNetworkVerification(out, fly, { org, network, app });
+    const deployConfig = await stagePreflightCheck(out, {
+        template: args.template,
+        image: args.image,
+        config: args.config,
+        mainPort: String(args["main-port"]),
+    });
+    await stageDeploy(out, fly, deployConfig, {
+        app,
+        network,
+        org,
+        region: args.region,
+        yes: args.yes,
+        json: args.json,
+        routerId,
+        flyAppName,
+        routerPrivateIp,
+    });
+};
+// =============================================================================
+// Register Command
+// =============================================================================
+registerCommand({
+    name: "deploy",
+    description: "Deploy an app safely on a custom private network",
+    usage: "ambit deploy <app> --network <name> [--image <img>] [--template <ref>] [--org <org>] [--region <region>]",
+    run: deploy,
+});

package/esm/cli/commands/deploy/machine.d.ts

@@ -0,0 +1,52 @@
+import { type Output } from "../../../lib/output.js";
+import { Result } from "../../../lib/result.js";
+import { type FlyProvider, type SafeDeployOptions } from "../../../providers/fly.js";
+import type { DeployConfig } from "./modes.js";
+export type DeployPhase = "create_app" | "set_proxy" | "deploy" | "audit" | "complete";
+export type DeployResult = {
+    app: string;
+    network: string;
+    created: boolean;
+    audit: {
+        public_ips_released: number;
+        certs_removed: number;
+        flycast_allocations: Array<{
+            address: string;
+            network: string;
+        }>;
+        warnings: string[];
+    };
+    preflight: {
+        scanned: boolean;
+        warnings: string[];
+    };
+};
+export interface DeployCtx {
+    fly: FlyProvider;
+    out: Output<DeployResult>;
+    app: string;
+    network: string;
+    org: string;
+    region?: string;
+    yes: boolean;
+    json: boolean;
+    routerId: string;
+    flyAppName: string;
+    routerPrivateIp?: string;
+    created: boolean;
+    deployConfig: DeployConfig;
+    deployOptions: SafeDeployOptions;
+    audit?: {
+        public_ips_released: number;
+        certs_removed: number;
+        flycast_allocations: Array<{
+            address: string;
+            network: string;
+        }>;
+        warnings: string[];
+    };
+}
+export declare const reportDeploySkipped: (out: Output<DeployResult>, startPhase: DeployPhase) => void;
+export declare const hydrateDeploy: (ctx: DeployCtx) => Promise<DeployPhase>;
+export declare const deployTransition: (phase: DeployPhase, ctx: DeployCtx) => Promise<Result<DeployPhase>>;
+//# sourceMappingURL=machine.d.ts.map

package/esm/cli/commands/deploy/machine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"machine.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/deploy/machine.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,KAAK,MAAM,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,MAAM,EAAE,MAAM,wBAAwB,CAAC;AAChD,OAAO,EAEL,KAAK,WAAW,EAChB,KAAK,iBAAiB,EACvB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAM/C,MAAM,MAAM,WAAW,GACnB,YAAY,GACZ,WAAW,GACX,QAAQ,GACR,OAAO,GACP,UAAU,CAAC;AAMf,MAAM,MAAM,YAAY,GAAG;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE;QACL,mBAAmB,EAAE,MAAM,CAAC;QAC5B,aAAa,EAAE,MAAM,CAAC;QACtB,mBAAmB,EAAE,KAAK,CAAC;YAAE,OAAO,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACjE,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;IACF,SAAS,EAAE;QACT,OAAO,EAAE,OAAO,CAAC;QACjB,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;CACH,CAAC;AAEF,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,WAAW,CAAC;IACjB,GAAG,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,OAAO,CAAC;IACb,IAAI,EAAE,OAAO,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,EAAE,YAAY,CAAC;IAC3B,aAAa,EAAE,iBAAiB,CAAC;IACjC,KAAK,CAAC,EAAE;QACN,mBAAmB,EAAE,MAAM,CAAC;QAC5B,aAAa,EAAE,MAAM,CAAC;QACtB,mBAAmB,EAAE,KAAK,CAAC;YAAE,OAAO,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QACjE,QAAQ,EAAE,MAAM,EAAE,CAAC;KACpB,CAAC;CACH;AAaD,eAAO,MAAM,mBAAmB,GAC9B,KAAK,MAAM,CAAC,YAAY,CAAC,EACzB,YAAY,WAAW,SAMxB,CAAC;AAMF,eAAO,MAAM,aAAa,GACxB,KAAK,SAAS,KACb,OAAO,CAAC,WAAW,CAMrB,CAAC;AAMF,eAAO,MAAM,gBAAgB,GAC3B,OAAO,WAAW,EAClB,KAAK,SAAS,KACb,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,CAyG7B,CAAC"}

package/esm/cli/commands/deploy/machine.js

@@ -0,0 +1,116 @@
+// =============================================================================
+// Deploy — Phases, Context, Hydration, Transitions
+// =============================================================================
+import * as dntShim from "../../../_dnt.shims.js";
+import { confirm } from "../../../lib/cli.js";
+import { SECRET_AMBIT_OUTBOUND_PROXY, SOCKS_PROXY_PORT, } from "../../../util/constants.js";
+import { Result } from "../../../lib/result.js";
+import { FlyDeployError, } from "../../../providers/fly.js";
+import { auditDeploy } from "../../../util/guard.js";
+// =============================================================================
+// Phase Labels
+// =============================================================================
+const DEPLOY_PHASES = [
+    { phase: "create_app", label: "App Created" },
+    { phase: "set_proxy", label: "Outbound Proxy Set" },
+    { phase: "deploy", label: "Deployed" },
+    { phase: "audit", label: "Audit Passed" },
+];
+export const reportDeploySkipped = (out, startPhase) => {
+    for (const { phase, label } of DEPLOY_PHASES) {
+        if (phase === startPhase)
+            break;
+        out.skip(label);
+    }
+};
+// =============================================================================
+// Hydration
+// =============================================================================
+export const hydrateDeploy = async (ctx) => {
+    const exists = await ctx.fly.apps.exists(ctx.flyAppName);
+    if (!exists)
+        return "create_app";
+    // App exists — always re-run set_proxy, deploy, and audit (they're idempotent)
+    return "set_proxy";
+};
+// =============================================================================
+// Transitions
+// =============================================================================
+export const deployTransition = async (phase, ctx) => {
+    switch (phase) {
+        case "create_app": {
+            ctx.out.info(`App '${ctx.flyAppName}' Does Not Exist — Will Create on Network '${ctx.network}'`);
+            if (!ctx.yes && !ctx.json) {
+                const confirmed = await confirm(`Create App '${ctx.flyAppName}' on Network '${ctx.network}'?`);
+                if (!confirmed) {
+                    ctx.out.text("Cancelled.");
+                    return Result.err("Cancelled");
+                }
+            }
+            await ctx.out.spin("Creating App", () => ctx.fly.apps.create(ctx.app, ctx.org, {
+                network: ctx.network,
+                routerId: ctx.routerId,
+            }));
+            ctx.out.ok(`Created App '${ctx.flyAppName}' on Network '${ctx.network}'`);
+            ctx.created = true;
+            return Result.ok("set_proxy");
+        }
+        case "set_proxy": {
+            if (!ctx.created) {
+                ctx.out.skip(`App '${ctx.flyAppName}' Exists`);
+            }
+            if (ctx.routerPrivateIp) {
+                const proxyUrl = `socks5://[${ctx.routerPrivateIp}]:${SOCKS_PROXY_PORT}`;
+                await ctx.out.spin("Setting Outbound Proxy", () => ctx.fly.secrets.set(ctx.flyAppName, { [SECRET_AMBIT_OUTBOUND_PROXY]: proxyUrl }, { stage: true }));
+                ctx.out.ok(`Outbound Proxy: ${proxyUrl}`);
+            }
+            return Result.ok("deploy");
+        }
+        case "deploy": {
+            ctx.out.blank().dim("Deploying with --no-public-ips --flycast ...");
+            try {
+                await ctx.fly.deploy.app(ctx.app, ctx.deployOptions);
+            }
+            catch (e) {
+                if (e instanceof FlyDeployError) {
+                    ctx.out.dim(`  ${e.detail}`);
+                    return Result.err(e.message);
+                }
+                throw e;
+            }
+            finally {
+                if (ctx.deployConfig.tempDir) {
+                    try {
+                        dntShim.Deno.removeSync(ctx.deployConfig.tempDir, { recursive: true });
+                    }
+                    catch {
+                        /* ignore */
+                    }
+                }
+            }
+            ctx.out.ok("Deploy Succeeded");
+            return Result.ok("audit");
+        }
+        case "audit": {
+            ctx.out.blank();
+            const auditSpinner = ctx.out.spinner("Auditing Deployment");
+            ctx.audit = await auditDeploy(ctx.fly, ctx.flyAppName, ctx.network);
+            auditSpinner.success("Audit Complete");
+            if (ctx.audit.public_ips_released > 0) {
+                ctx.out.warn(`Released ${ctx.audit.public_ips_released} Public IP(s)`);
+            }
+            if (ctx.audit.certs_removed > 0) {
+                ctx.out.ok(`Removed ${ctx.audit.certs_removed} Public Certificate(s)`);
+            }
+            for (const alloc of ctx.audit.flycast_allocations) {
+                ctx.out.ok(`Flycast: ${alloc.address} (network: ${alloc.network})`);
+            }
+            for (const warn of ctx.audit.warnings) {
+                ctx.out.warn(warn);
+            }
+            return Result.ok("complete");
+        }
+        default:
+            return Result.err(`Unknown Phase: ${phase}`);
+    }
+};

package/esm/cli/commands/deploy/modes.d.ts

@@ -0,0 +1,18 @@
+import { createOutput } from "../../../lib/output.js";
+/** Resolved deploy configuration — the output of mode-specific validation. */
+export interface DeployConfig {
+    image?: string;
+    configPath?: string;
+    preflight: {
+        scanned: boolean;
+        warnings: string[];
+    };
+    tempDir?: string;
+}
+/** Resolve deploy config for image mode (--image). */
+export declare const resolveImageMode: (image: string, mainPortRaw: string, out: ReturnType<typeof createOutput>) => DeployConfig | null;
+/** Resolve deploy config for config mode (default — uses fly.toml). */
+export declare const resolveConfigMode: (explicitConfig: string | undefined, out: ReturnType<typeof createOutput>) => Promise<DeployConfig | null>;
+/** Resolve deploy config for template mode (--template). */
+export declare const resolveTemplateMode: (templateRaw: string, out: ReturnType<typeof createOutput>) => Promise<DeployConfig | null>;
+//# sourceMappingURL=modes.d.ts.map

package/esm/cli/commands/deploy/modes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"modes.d.ts","sourceRoot":"","sources":["../../../../src/cli/commands/deploy/modes.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAQtD,8EAA8E;AAC9E,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,QAAQ,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IACpD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAoCD,sDAAsD;AACtD,eAAO,MAAM,gBAAgB,GAC3B,OAAO,MAAM,EACb,aAAa,MAAM,EACnB,KAAK,UAAU,CAAC,OAAO,YAAY,CAAC,KACnC,YAAY,GAAG,IAmBjB,CAAC;AAMF,uEAAuE;AACvE,eAAO,MAAM,iBAAiB,GAC5B,gBAAgB,MAAM,GAAG,SAAS,EAClC,KAAK,UAAU,CAAC,OAAO,YAAY,CAAC,KACnC,OAAO,CAAC,YAAY,GAAG,IAAI,CAqC7B,CAAC;AAMF,4DAA4D;AAC5D,eAAO,MAAM,mBAAmB,GAC9B,aAAa,MAAM,EACnB,KAAK,UAAU,CAAC,OAAO,YAAY,CAAC,KACnC,OAAO,CAAC,YAAY,GAAG,IAAI,CAyE7B,CAAC"}