@envsync-cloud/deploy-cli 0.6.0 → 0.6.2

package/README.md

@@ -40,6 +40,7 @@ bunx @envsync-cloud/deploy-cli <command>
 ```text
 envsync-deploy preinstall
 envsync-deploy setup
+envsync-deploy bootstrap
 envsync-deploy deploy
 envsync-deploy health [--json]
 envsync-deploy upgrade
@@ -56,18 +57,29 @@ Prepare the host:
 npx @envsync-cloud/deploy-cli preinstall
 ```
 
-Generate deployment state and prompts:
+Write the desired self-hosted config:
 
 ```bash
 npx @envsync-cloud/deploy-cli setup
 ```
 
-Apply the Docker Swarm stack:
+Bootstrap infra, migrations, RustFS, and OpenFGA:
+
+```bash
+npx @envsync-cloud/deploy-cli bootstrap
+```
+
+Deploy the pending API and frontend services:
 
 ```bash
 npx @envsync-cloud/deploy-cli deploy
 ```
 
+The staged flow is:
+- `setup` writes desired config
+- `bootstrap` starts infra and persists generated runtime env state
+- `deploy` starts the pending API and frontend services
+
 Check service health:
 
 ```bash

package/dist/index.js

@@ -17,6 +17,7 @@ var DEPLOY_ENV = "/etc/envsync/deploy.env";
 var DEPLOY_YAML = "/etc/envsync/deploy.yaml";
 var VERSIONS_LOCK = "/opt/envsync/deploy/versions.lock.json";
 var STACK_FILE = "/opt/envsync/deploy/docker-stack.yaml";
+var BOOTSTRAP_STACK_FILE = "/opt/envsync/deploy/docker-stack.bootstrap.yaml";
 var TRAEFIK_DYNAMIC_FILE = "/opt/envsync/deploy/traefik-dynamic.yaml";
 var KEYCLOAK_REALM_FILE = "/opt/envsync/deploy/keycloak-realm.envsync.json";
 var NGINX_WEB_CONF = "/opt/envsync/deploy/nginx-web.conf";
@@ -34,6 +35,16 @@ var STACK_VOLUMES = [
   "clickstack_ch_data",
   "clickstack_ch_logs"
 ];
+var REQUIRED_BOOTSTRAP_ENV_KEYS = [
+  "S3_SECRET_KEY",
+  "KEYCLOAK_WEB_CLIENT_SECRET",
+  "KEYCLOAK_API_CLIENT_SECRET",
+  "OPENFGA_DB_PASSWORD",
+  "MINIKMS_ROOT_KEY",
+  "MINIKMS_DB_PASSWORD",
+  "OPENFGA_STORE_ID",
+  "OPENFGA_MODEL_ID"
+];
 function run(cmd, args, opts = {}) {
   const result = spawnSync(cmd, args, {
     cwd: opts.cwd,
@@ -48,6 +59,22 @@ ${stderr}` : ""}`);
   }
   return result.stdout?.toString() ?? "";
 }
+function tryRun(cmd, args, opts = {}) {
+  try {
+    return run(cmd, args, opts);
+  } catch {
+    return "";
+  }
+}
+function commandSucceeds(cmd, args, opts = {}) {
+  const result = spawnSync(cmd, args, {
+    cwd: opts.cwd,
+    env: { ...process.env, ...opts.env },
+    stdio: "ignore",
+    encoding: "utf8"
+  });
+  return result.status === 0;
+}
 function ensureDir(dir) {
   fs.mkdirSync(dir, { recursive: true });
 }
@@ -126,9 +153,21 @@ function parseSimpleYamlObject(input) {
   }
   return root;
 }
-function indentBlock(content, spaces) {
-  const prefix = " ".repeat(spaces);
-  return content.split("\n").map((line) => line ? `${prefix}${line}` : line).join("\n");
+function parseEnvFile(content) {
+  const out = {};
+  for (const line of content.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eq = trimmed.indexOf("=");
+    if (eq === -1) continue;
+    const key = trimmed.slice(0, eq).trim();
+    let value = trimmed.slice(eq + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1).replace(/\\n/g, "\n").replace(/\\"/g, '"');
+    }
+    out[key] = value;
+  }
+  return out;
 }
 async function ask(question, fallback = "") {
   if (!process.stdin.isTTY) return fallback;
@@ -140,6 +179,9 @@ async function ask(question, fallback = "") {
     });
   });
 }
+function sleepSeconds(seconds) {
+  spawnSync("sleep", [`${seconds}`], { stdio: "ignore" });
+}
 function domainMap(rootDomain) {
   return {
     landing: rootDomain,
@@ -152,29 +194,130 @@ function domainMap(rootDomain) {
     s3Console: `console.s3.${rootDomain}`
   };
 }
+function getDeployCliVersion() {
+  try {
+    const packageJsonPath = new URL("../package.json", import.meta.url);
+    const raw = fs.readFileSync(packageJsonPath, "utf8");
+    return JSON.parse(raw).version ?? "0.0.0";
+  } catch {
+    return process.env.npm_package_version ?? "0.0.0";
+  }
+}
+function defaultSourceConfig() {
+  return {
+    repo_url: "https://github.com/EnvSync-Cloud/envsync.git",
+    ref: `v${getDeployCliVersion()}`
+  };
+}
+function normalizeConfig(raw) {
+  return {
+    ...raw,
+    source: raw.source ?? defaultSourceConfig()
+  };
+}
+function emptyGeneratedState() {
+  return {
+    openfga: {
+      store_id: "",
+      model_id: ""
+    },
+    secrets: {
+      s3_secret_key: "",
+      keycloak_web_client_secret: "",
+      keycloak_api_client_secret: "",
+      openfga_db_password: "",
+      minikms_root_key: "",
+      minikms_db_password: ""
+    },
+    bootstrap: {
+      completed_at: ""
+    }
+  };
+}
+function normalizeGeneratedState(raw) {
+  const defaults = emptyGeneratedState();
+  return {
+    openfga: {
+      store_id: raw?.openfga?.store_id ?? defaults.openfga.store_id,
+      model_id: raw?.openfga?.model_id ?? defaults.openfga.model_id
+    },
+    secrets: {
+      s3_secret_key: raw?.secrets?.s3_secret_key ?? defaults.secrets.s3_secret_key,
+      keycloak_web_client_secret: raw?.secrets?.keycloak_web_client_secret ?? defaults.secrets.keycloak_web_client_secret,
+      keycloak_api_client_secret: raw?.secrets?.keycloak_api_client_secret ?? defaults.secrets.keycloak_api_client_secret,
+      openfga_db_password: raw?.secrets?.openfga_db_password ?? defaults.secrets.openfga_db_password,
+      minikms_root_key: raw?.secrets?.minikms_root_key ?? defaults.secrets.minikms_root_key,
+      minikms_db_password: raw?.secrets?.minikms_db_password ?? defaults.secrets.minikms_db_password
+    },
+    bootstrap: {
+      completed_at: raw?.bootstrap?.completed_at ?? defaults.bootstrap.completed_at
+    }
+  };
+}
+function readInternalState() {
+  if (!exists(INTERNAL_CONFIG_JSON)) return null;
+  const raw = JSON.parse(fs.readFileSync(INTERNAL_CONFIG_JSON, "utf8"));
+  return {
+    config: raw.config ? normalizeConfig(raw.config) : void 0,
+    generated: normalizeGeneratedState(raw.generated)
+  };
+}
 function loadConfig() {
   if (!exists(DEPLOY_YAML)) {
     throw new Error(`Missing deploy config at ${DEPLOY_YAML}. Run setup first.`);
   }
   const raw = fs.readFileSync(DEPLOY_YAML, "utf8");
   if (raw.trimStart().startsWith("{")) {
-    return JSON.parse(raw);
+    return normalizeConfig(JSON.parse(raw));
   }
-  return parseSimpleYamlObject(raw);
+  return normalizeConfig(parseSimpleYamlObject(raw));
 }
-function saveConfig(config) {
-  writeFile(DEPLOY_YAML, toYaml(config) + "\n");
-  writeFile(INTERNAL_CONFIG_JSON, JSON.stringify(config, null, 2) + "\n");
-  writeFile(DEPLOY_ENV, renderEnv(config), 384);
-  writeFile(VERSIONS_LOCK, JSON.stringify(config.images, null, 2) + "\n");
-  writeFile(KEYCLOAK_REALM_FILE, renderKeycloakRealm(config));
-  writeFile(TRAEFIK_DYNAMIC_FILE, renderTraefikDynamicConfig(config));
-  writeFile(STACK_FILE, renderStack(config));
-  writeFile(NGINX_WEB_CONF, renderNginxConf("web"));
-  writeFile(NGINX_LANDING_CONF, renderNginxConf("landing"));
-  writeFile(OTEL_AGENT_CONF, renderOtelAgentConfig(config));
+function loadGeneratedEnv() {
+  if (!exists(DEPLOY_ENV)) return {};
+  return parseEnvFile(fs.readFileSync(DEPLOY_ENV, "utf8"));
+}
+function mergeGeneratedState(env, generated) {
+  const normalized = normalizeGeneratedState(generated);
+  return normalizeGeneratedState({
+    openfga: {
+      store_id: env.OPENFGA_STORE_ID ?? normalized.openfga.store_id,
+      model_id: env.OPENFGA_MODEL_ID ?? normalized.openfga.model_id
+    },
+    secrets: {
+      s3_secret_key: env.S3_SECRET_KEY ?? normalized.secrets.s3_secret_key,
+      keycloak_web_client_secret: env.KEYCLOAK_WEB_CLIENT_SECRET ?? normalized.secrets.keycloak_web_client_secret,
+      keycloak_api_client_secret: env.KEYCLOAK_API_CLIENT_SECRET ?? normalized.secrets.keycloak_api_client_secret,
+      openfga_db_password: env.OPENFGA_DB_PASSWORD ?? normalized.secrets.openfga_db_password,
+      minikms_root_key: env.MINIKMS_ROOT_KEY ?? normalized.secrets.minikms_root_key,
+      minikms_db_password: env.MINIKMS_DB_PASSWORD ?? normalized.secrets.minikms_db_password
+    },
+    bootstrap: normalized.bootstrap
+  });
+}
+function loadState() {
+  const config = loadConfig();
+  const internal = readInternalState();
+  const generated = mergeGeneratedState(loadGeneratedEnv(), internal?.generated);
+  return { config, generated };
+}
+function ensureGeneratedRuntimeState(generated) {
+  return normalizeGeneratedState({
+    openfga: generated.openfga,
+    secrets: {
+      s3_secret_key: generated.secrets.s3_secret_key || randomSecret(16),
+      keycloak_web_client_secret: generated.secrets.keycloak_web_client_secret || randomSecret(),
+      keycloak_api_client_secret: generated.secrets.keycloak_api_client_secret || randomSecret(),
+      openfga_db_password: generated.secrets.openfga_db_password || randomSecret(),
+      minikms_root_key: generated.secrets.minikms_root_key || randomBytes(32).toString("hex"),
+      minikms_db_password: generated.secrets.minikms_db_password || randomSecret()
+    },
+    bootstrap: generated.bootstrap
+  });
+}
+function keycloakImageTag(image) {
+  return image.split(":").slice(1).join(":") || "local";
 }
-function buildEnvMap(config) {
+function buildRuntimeEnv(config, generated) {
   const hosts = domainMap(config.domain.root_domain);
   return {
     NODE_ENV: "production",
@@ -190,7 +333,7 @@ function buildEnvMap(config) {
     S3_BUCKET: "envsync-bucket",
     S3_REGION: "us-east-1",
     S3_ACCESS_KEY: "envsync-rustfs",
-    S3_SECRET_KEY: randomSecret(16),
+    S3_SECRET_KEY: generated.secrets.s3_secret_key,
     S3_BUCKET_URL: `https://${hosts.s3}`,
     S3_ENDPOINT: "http://rustfs:9000",
     REDIS_URL: "redis://redis:6379",
@@ -205,43 +348,40 @@ function buildEnvMap(config) {
     KEYCLOAK_ADMIN_USER: config.auth.admin_user,
     KEYCLOAK_ADMIN_PASSWORD: config.auth.admin_password,
     KEYCLOAK_WEB_CLIENT_ID: config.auth.web_client_id,
-    KEYCLOAK_WEB_CLIENT_SECRET: randomSecret(),
+    KEYCLOAK_WEB_CLIENT_SECRET: generated.secrets.keycloak_web_client_secret,
     KEYCLOAK_CLI_CLIENT_ID: config.auth.cli_client_id,
     KEYCLOAK_API_CLIENT_ID: config.auth.api_client_id,
-    KEYCLOAK_API_CLIENT_SECRET: randomSecret(),
+    KEYCLOAK_API_CLIENT_SECRET: generated.secrets.keycloak_api_client_secret,
     KEYCLOAK_WEB_REDIRECT_URI: `https://${hosts.api}/api/access/web/callback`,
     KEYCLOAK_WEB_CALLBACK_URL: `https://${hosts.app}/auth/callback`,
     KEYCLOAK_API_REDIRECT_URI: `https://${hosts.api}/api/access/api/callback`,
     LANDING_PAGE_URL: `https://${hosts.landing}`,
     DASHBOARD_URL: `https://${hosts.app}`,
     OPENFGA_API_URL: "http://openfga:8090",
-    OPENFGA_STORE_ID: "",
-    OPENFGA_MODEL_ID: "",
-    OPENFGA_DB_PASSWORD: randomSecret(),
+    OPENFGA_STORE_ID: generated.openfga.store_id,
+    OPENFGA_MODEL_ID: generated.openfga.model_id,
+    OPENFGA_DB_PASSWORD: generated.secrets.openfga_db_password,
     MINIKMS_GRPC_ADDR: "minikms:50051",
     MINIKMS_TLS_ENABLED: "false",
-    MINIKMS_ROOT_KEY: randomBytes(32).toString("hex"),
+    MINIKMS_ROOT_KEY: generated.secrets.minikms_root_key,
     MINIKMS_DB_USER: "postgres",
-    MINIKMS_DB_PASSWORD: randomSecret(),
+    MINIKMS_DB_PASSWORD: generated.secrets.minikms_db_password,
     OTEL_EXPORTER_OTLP_ENDPOINT: "http://otel-agent:4318",
     OTEL_SERVICE_NAME: "envsync-api",
     OTEL_SDK_DISABLED: "false",
-    CLICKSTACK_URL: `https://${hosts.obs}`
+    CLICKSTACK_URL: `https://${hosts.obs}`,
+    KEYCLOAK_IMAGE_TAG: keycloakImageTag(config.images.keycloak)
   };
 }
-function renderEnv(config) {
-  return Object.entries({
-    ...buildEnvMap(config),
-    KEYCLOAK_IMAGE_TAG: config.images.keycloak.split(":").slice(1).join(":") || "local"
-  }).map(([k, v]) => `${k}=${v}`).join("\n") + "\n";
+function renderEnvFile(env) {
+  return Object.entries(env).sort(([a], [b]) => a.localeCompare(b)).map(([key, value]) => `${key}=${value}`).join("\n") + "\n";
 }
-function renderServiceEnvironment(config, overrides = {}) {
-  return toYaml({ ...buildEnvMap(config), ...overrides }, 0);
+function renderEnvList(values, indent = 6) {
+  const prefix = " ".repeat(indent);
+  return Object.entries(values).map(([key, value]) => `${prefix}- ${JSON.stringify(`${key}=${String(value)}`)}`).join("\n");
 }
-function renderKeycloakRealm(config) {
+function renderKeycloakRealm(config, runtimeEnv) {
   const hosts = domainMap(config.domain.root_domain);
-  const webSecret = extractEnvValue("KEYCLOAK_WEB_CLIENT_SECRET");
-  const apiSecret = extractEnvValue("KEYCLOAK_API_CLIENT_SECRET");
   return JSON.stringify(
     {
       realm: config.auth.keycloak_realm,
@@ -254,11 +394,18 @@ function renderKeycloakRealm(config) {
           name: "EnvSync Web",
           protocol: "openid-connect",
           publicClient: false,
-          secret: webSecret,
+          secret: runtimeEnv.KEYCLOAK_WEB_CLIENT_SECRET,
           standardFlowEnabled: true,
           directAccessGrantsEnabled: false,
-          redirectUris: [`https://${hosts.api}/api/access/web/callback`],
+          redirectUris: [
+            `https://${hosts.api}/api/access/web/callback`,
+            `https://${hosts.app}/auth/callback`,
+            `https://${hosts.app}`
+          ],
           webOrigins: [`https://${hosts.app}`],
+          attributes: {
+            "post.logout.redirect.uris": "+"
+          },
           defaultClientScopes: ["basic", "web-origins", "profile", "email", "roles"]
         },
         {
@@ -266,7 +413,7 @@ function renderKeycloakRealm(config) {
           name: "EnvSync API",
           protocol: "openid-connect",
           publicClient: false,
-          secret: apiSecret,
+          secret: runtimeEnv.KEYCLOAK_API_CLIENT_SECRET,
           standardFlowEnabled: true,
           redirectUris: [`https://${hosts.api}/api/access/api/callback`],
           webOrigins: [`https://${hosts.api}`],
@@ -290,11 +437,6 @@ function renderKeycloakRealm(config) {
     2
   ) + "\n";
 }
-function extractEnvValue(key) {
-  const env = exists(DEPLOY_ENV) ? fs.readFileSync(DEPLOY_ENV, "utf8") : "";
-  const line = env.split(/\r?\n/).find((entry) => entry.startsWith(`${key}=`));
-  return line?.slice(key.length + 1) ?? "";
-}
 function renderTraefikDynamicConfig(config) {
   const hosts = domainMap(config.domain.root_domain);
   return [
@@ -333,17 +475,17 @@ function renderTraefikDynamicConfig(config) {
     "        servers:",
     "          - url: http://web_nginx:8080",
     "  routers:",
-    `    landing-router:`,
+    "    landing-router:",
     `      rule: Host(\`${hosts.landing}\`)`,
     "      service: landing",
     "      entryPoints: [websecure]",
     "      tls: {}",
-    `    web-router:`,
+    "    web-router:",
     `      rule: Host(\`${hosts.app}\`)`,
     "      service: web",
     "      entryPoints: [websecure]",
     "      tls: {}",
-    `    api-router:`,
+    "    api-router:",
     `      rule: Host(\`${hosts.api}\`)`,
     "      service: envsync-api",
     "      entryPoints: [websecure]",
@@ -363,6 +505,18 @@ function renderNginxConf(kind) {
     "}"
   ].join("\n") + "\n";
 }
+function renderFrontendRuntimeConfig(config) {
+  const hosts = domainMap(config.domain.root_domain);
+  return `window.__ENVSYNC_RUNTIME_CONFIG__ = ${JSON.stringify({
+    apiBaseUrl: `https://${hosts.api}`,
+    appBaseUrl: `https://${hosts.app}`,
+    authBaseUrl: `https://${hosts.auth}`,
+    keycloakRealm: config.auth.keycloak_realm,
+    webClientId: config.auth.web_client_id,
+    apiDocsUrl: `https://${hosts.api}/docs`
+  }, null, 2)};
+`;
+}
 function renderOtelAgentConfig(config) {
   return [
     "receivers:",
@@ -396,16 +550,17 @@ function renderOtelAgentConfig(config) {
     "      exporters: [otlphttp/clickstack]"
   ].join("\n") + "\n";
 }
-function renderStack(config) {
+function renderStack(config, runtimeEnv, includeAppServices) {
   const hosts = domainMap(config.domain.root_domain);
-  const apiEnvironment = renderServiceEnvironment(config, {
+  const apiEnvironment = {
+    ...runtimeEnv,
     OTEL_EXPORTER_OTLP_ENDPOINT: "http://otel-agent:4318",
     KEYCLOAK_URL: "http://keycloak:8080",
     OPENFGA_API_URL: "http://openfga:8090",
     MINIKMS_GRPC_ADDR: "minikms:50051",
     S3_ENDPOINT: "http://rustfs:9000",
     S3_BUCKET_URL: `https://${hosts.s3}`
-  });
+  };
   return `
 version: "3.9"
 services:
@@ -439,9 +594,11 @@ services:
   postgres:
     image: postgres:17
     environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: envsync-postgres
-      POSTGRES_DB: envsync
+${renderEnvList({
+    POSTGRES_USER: "postgres",
+    POSTGRES_PASSWORD: "envsync-postgres",
+    POSTGRES_DB: "envsync"
+  })}
     volumes:
       - postgres_data:/var/lib/postgresql/data
     networks: [envsync]
@@ -455,10 +612,12 @@ services:
   rustfs:
     image: rustfs/rustfs:latest
     environment:
-      RUSTFS_DATA_DIR: /data
-      RUSTFS_ACCESS_KEY: envsync-rustfs
-      RUSTFS_SECRET_KEY: ${extractEnvValue("S3_SECRET_KEY")}
-      RUSTFS_CONSOLE_ENABLE: "true"
+${renderEnvList({
+    RUSTFS_DATA_DIR: "/data",
+    RUSTFS_ACCESS_KEY: "envsync-rustfs",
+    RUSTFS_SECRET_KEY: runtimeEnv.S3_SECRET_KEY,
+    RUSTFS_CONSOLE_ENABLE: "true"
+  })}
     volumes:
       - rustfs_data:/data
     networks: [envsync]
@@ -477,9 +636,11 @@ services:
   keycloak_db:
     image: postgres:17
     environment:
-      POSTGRES_USER: keycloak
-      POSTGRES_PASSWORD: ${extractEnvValue("KEYCLOAK_ADMIN_PASSWORD")}
-      POSTGRES_DB: keycloak
+${renderEnvList({
+    POSTGRES_USER: "keycloak",
+    POSTGRES_PASSWORD: runtimeEnv.KEYCLOAK_ADMIN_PASSWORD,
+    POSTGRES_DB: "keycloak"
+  })}
     volumes:
       - keycloak_db_data:/var/lib/postgresql/data
     networks: [envsync]
@@ -490,17 +651,19 @@ services:
     command:
       - /opt/keycloak/bin/kc.sh import --dir /opt/keycloak/data/import --override true && exec /opt/keycloak/bin/kc.sh start-dev
     environment:
-      KC_DB: postgres
-      KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak
-      KC_DB_USERNAME: keycloak
-      KC_DB_PASSWORD: ${extractEnvValue("KEYCLOAK_ADMIN_PASSWORD")}
-      KC_BOOTSTRAP_ADMIN_USERNAME: ${config.auth.admin_user}
-      KC_BOOTSTRAP_ADMIN_PASSWORD: ${config.auth.admin_password}
-      KC_HTTP_ENABLED: "true"
-      KC_PROXY_HEADERS: xforwarded
-      KC_HOSTNAME: ${hosts.auth}
+${renderEnvList({
+    KC_DB: "postgres",
+    KC_DB_URL: "jdbc:postgresql://keycloak_db:5432/keycloak",
+    KC_DB_USERNAME: "keycloak",
+    KC_DB_PASSWORD: runtimeEnv.KEYCLOAK_ADMIN_PASSWORD,
+    KC_BOOTSTRAP_ADMIN_USERNAME: config.auth.admin_user,
+    KC_BOOTSTRAP_ADMIN_PASSWORD: config.auth.admin_password,
+    KC_HTTP_ENABLED: "true",
+    KC_PROXY_HEADERS: "xforwarded",
+    KC_HOSTNAME: hosts.auth
+  })}
     volumes:
-      - ${DEPLOY_ROOT}/keycloak-realm.envsync.json:/opt/keycloak/data/import/realm.json:ro
+      - ${KEYCLOAK_REALM_FILE}:/opt/keycloak/data/import/realm.json:ro
     networks: [envsync]
     deploy:
       labels:
@@ -513,9 +676,11 @@ services:
   openfga_db:
     image: postgres:17
     environment:
-      POSTGRES_USER: openfga
-      POSTGRES_PASSWORD: ${extractEnvValue("OPENFGA_DB_PASSWORD")}
-      POSTGRES_DB: openfga
+${renderEnvList({
+    POSTGRES_USER: "openfga",
+    POSTGRES_PASSWORD: runtimeEnv.OPENFGA_DB_PASSWORD,
+    POSTGRES_DB: "openfga"
+  })}
     volumes:
       - openfga_db_data:/var/lib/postgresql/data
     networks: [envsync]
@@ -524,18 +689,22 @@ services:
     image: openfga/openfga:v1.12.0
     command: run
     environment:
-      OPENFGA_DATASTORE_ENGINE: postgres
-      OPENFGA_DATASTORE_URI: postgres://openfga:${extractEnvValue("OPENFGA_DB_PASSWORD")}@openfga_db:5432/openfga?sslmode=disable
-      OPENFGA_HTTP_ADDR: 0.0.0.0:8090
-      OPENFGA_GRPC_ADDR: 0.0.0.0:8091
+${renderEnvList({
+    OPENFGA_DATASTORE_ENGINE: "postgres",
+    OPENFGA_DATASTORE_URI: `postgres://openfga:${runtimeEnv.OPENFGA_DB_PASSWORD}@openfga_db:5432/openfga?sslmode=disable`,
+    OPENFGA_HTTP_ADDR: "0.0.0.0:8090",
+    OPENFGA_GRPC_ADDR: "0.0.0.0:8091"
+  })}
     networks: [envsync]
 
   minikms_db:
     image: postgres:17
     environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: ${extractEnvValue("MINIKMS_DB_PASSWORD")}
-      POSTGRES_DB: minikms
+${renderEnvList({
+    POSTGRES_USER: "postgres",
+    POSTGRES_PASSWORD: runtimeEnv.MINIKMS_DB_PASSWORD,
+    POSTGRES_DB: "minikms"
+  })}
     volumes:
       - minikms_db_data:/var/lib/postgresql/data
     networks: [envsync]
@@ -543,10 +712,13 @@ services:
   minikms:
     image: ghcr.io/envsync-cloud/minikms:sha-735dfe8
     environment:
-      MINIKMS_ROOT_KEY: ${extractEnvValue("MINIKMS_ROOT_KEY")}
-      MINIKMS_DB_URL: postgres://postgres:${extractEnvValue("MINIKMS_DB_PASSWORD")}@minikms_db:5432/minikms?sslmode=disable
-      MINIKMS_REDIS_URL: redis://redis:6379
-      MINIKMS_TLS_ENABLED: "false"
+${renderEnvList({
+    MINIKMS_ROOT_KEY: runtimeEnv.MINIKMS_ROOT_KEY,
+    MINIKMS_DB_URL: `postgres://postgres:${runtimeEnv.MINIKMS_DB_PASSWORD}@minikms_db:5432/minikms?sslmode=disable`,
+    MINIKMS_REDIS_URL: "redis://redis:6379",
+    MINIKMS_GRPC_ADDR: "0.0.0.0:50051",
+    MINIKMS_TLS_ENABLED: "false"
+  })}
     networks: [envsync]
 
   clickstack:
@@ -570,6 +742,7 @@ services:
     volumes:
       - ${OTEL_AGENT_CONF}:/etc/otel-agent.yaml:ro
     networks: [envsync]
+${includeAppServices ? `
 
   landing_nginx:
     image: nginx:1.27-alpine
@@ -588,14 +761,14 @@ services:
   envsync_api_blue:
     image: ${config.images.api}
     environment:
-${indentBlock(apiEnvironment, 6)}
+${renderEnvList(apiEnvironment)}
     networks: [envsync]
 
   envsync_api_green:
     image: ${config.images.api}
     environment:
-${indentBlock(apiEnvironment, 6)}
-    networks: [envsync]
+${renderEnvList(apiEnvironment)}
+    networks: [envsync]` : ""}
 
 networks:
   envsync:
@@ -614,6 +787,166 @@ volumes:
   clickstack_ch_logs:
 `.trimStart();
 }
+function writeDeployArtifacts(config, generated) {
+  const runtimeEnv = buildRuntimeEnv(config, generated);
+  writeFile(DEPLOY_ENV, renderEnvFile(runtimeEnv), 384);
+  writeFile(
+    INTERNAL_CONFIG_JSON,
+    JSON.stringify({ config, generated: mergeGeneratedState(runtimeEnv, generated) }, null, 2) + "\n"
+  );
+  writeFile(VERSIONS_LOCK, JSON.stringify(config.images, null, 2) + "\n");
+  writeFile(KEYCLOAK_REALM_FILE, renderKeycloakRealm(config, runtimeEnv));
+  writeFile(TRAEFIK_DYNAMIC_FILE, renderTraefikDynamicConfig(config));
+  writeFile(STACK_FILE, renderStack(config, runtimeEnv, true));
+  writeFile(BOOTSTRAP_STACK_FILE, renderStack(config, runtimeEnv, false));
+  writeFile(NGINX_WEB_CONF, renderNginxConf("web"));
+  writeFile(NGINX_LANDING_CONF, renderNginxConf("landing"));
+  writeFile(OTEL_AGENT_CONF, renderOtelAgentConfig(config));
+}
+function saveDesiredConfig(config) {
+  const internal = readInternalState();
+  const generated = mergeGeneratedState(loadGeneratedEnv(), internal?.generated);
+  writeFile(DEPLOY_YAML, toYaml(config) + "\n");
+  writeFile(
+    INTERNAL_CONFIG_JSON,
+    JSON.stringify({ config, generated }, null, 2) + "\n"
+  );
+}
+function ensureRepoCheckout(config) {
+  ensureDir(REPO_ROOT);
+  if (!exists(path.join(REPO_ROOT, ".git"))) {
+    run("git", ["clone", config.source.repo_url, REPO_ROOT]);
+  }
+  run("git", ["remote", "set-url", "origin", config.source.repo_url], { cwd: REPO_ROOT });
+  run("git", ["fetch", "--tags", "--force", "origin"], { cwd: REPO_ROOT });
+  run("git", ["checkout", "--force", config.source.ref], { cwd: REPO_ROOT });
+}
+function extractStaticBundle(image, targetDir) {
+  ensureDir(targetDir);
+  const containerId = run("docker", ["create", image], { quiet: true }).trim();
+  try {
+    run("docker", ["cp", `${containerId}:/app/dist/.`, targetDir]);
+  } finally {
+    run("docker", ["rm", "-f", containerId], { quiet: true });
+  }
+}
+function buildKeycloakImage(imageTag, repoRoot = REPO_ROOT) {
+  const buildContext = path.join(repoRoot, "packages/envsync-keycloak-theme");
+  if (!exists(path.join(buildContext, "Dockerfile"))) {
+    throw new Error(`Missing Keycloak Docker build context at ${buildContext}`);
+  }
+  run("docker", ["build", "-t", imageTag, buildContext]);
+}
+function stackNetworkName(config) {
+  return `${config.services.stack_name}_envsync`;
+}
+function waitForTcpService(config, label, host, port, timeoutSeconds = 120) {
+  const deadline = Date.now() + timeoutSeconds * 1e3;
+  while (Date.now() < deadline) {
+    if (commandSucceeds(
+      "docker",
+      ["run", "--rm", "--network", stackNetworkName(config), "alpine:3.20", "sh", "-lc", `nc -z -w 2 ${host} ${port}`]
+    )) {
+      return;
+    }
+    sleepSeconds(2);
+  }
+  throw new Error(`Timed out waiting for ${label} at ${host}:${port}`);
+}
+function runBootstrapInit(config) {
+  const output = run(
+    "docker",
+    [
+      "run",
+      "--rm",
+      "--network",
+      stackNetworkName(config),
+      "--env-file",
+      DEPLOY_ENV,
+      "-e",
+      "SKIP_ROOT_ENV=1",
+      "-e",
+      "SKIP_ROOT_ENV_WRITE=1",
+      config.images.api,
+      "bun",
+      "run",
+      "scripts/prod-init.ts",
+      "--json",
+      "--no-write-root-env"
+    ],
+    { quiet: true }
+  ).trim();
+  const result = JSON.parse(output);
+  if (!result.openfgaStoreId || !result.openfgaModelId) {
+    throw new Error("Bootstrap init did not return OpenFGA IDs");
+  }
+  return {
+    openfgaStoreId: result.openfgaStoreId,
+    openfgaModelId: result.openfgaModelId
+  };
+}
+function hasCompleteBootstrapState(generated) {
+  return REQUIRED_BOOTSTRAP_ENV_KEYS.every((key) => {
+    switch (key) {
+      case "S3_SECRET_KEY":
+        return generated.secrets.s3_secret_key.length > 0;
+      case "KEYCLOAK_WEB_CLIENT_SECRET":
+        return generated.secrets.keycloak_web_client_secret.length > 0;
+      case "KEYCLOAK_API_CLIENT_SECRET":
+        return generated.secrets.keycloak_api_client_secret.length > 0;
+      case "OPENFGA_DB_PASSWORD":
+        return generated.secrets.openfga_db_password.length > 0;
+      case "MINIKMS_ROOT_KEY":
+        return generated.secrets.minikms_root_key.length > 0;
+      case "MINIKMS_DB_PASSWORD":
+        return generated.secrets.minikms_db_password.length > 0;
+      case "OPENFGA_STORE_ID":
+        return generated.openfga.store_id.length > 0;
+      case "OPENFGA_MODEL_ID":
+        return generated.openfga.model_id.length > 0;
+      default:
+        return false;
+    }
+  });
+}
+function assertBootstrapState(generated) {
+  if (!hasCompleteBootstrapState(generated)) {
+    throw new Error("Missing bootstrap state. Run 'envsync-deploy bootstrap' first.");
+  }
+}
+function parseReplicaHealth(raw) {
+  const match = raw.match(/^(\d+)\/(\d+)$/);
+  if (!match) return raw.trim() ? "degraded" : "missing";
+  const current = Number(match[1]);
+  const desired = Number(match[2]);
+  if (desired === 0) return "missing";
+  if (current === desired) return "healthy";
+  return "degraded";
+}
+function listStackServices(config) {
+  const output = tryRun(
+    "docker",
+    ["stack", "services", config.services.stack_name, "--format", "{{.Name}}|{{.Replicas}}"],
+    { quiet: true }
+  );
+  const services = /* @__PURE__ */ new Map();
+  for (const line of output.split(/\r?\n/)) {
+    if (!line.trim()) continue;
+    const [name, replicas] = line.split("|");
+    services.set(name, parseReplicaHealth(replicas ?? ""));
+  }
+  return services;
+}
+function serviceHealth(services, name) {
+  return services.get(`${name}`) ?? "missing";
+}
+function apiHealth(services, stackName) {
+  const blue = serviceHealth(services, `${stackName}_envsync_api_blue`);
+  const green = serviceHealth(services, `${stackName}_envsync_api_green`);
+  if (blue === "missing" && green === "missing") return "missing";
+  if (blue === "healthy" || green === "healthy") return "healthy";
+  return "degraded";
+}
 async function cmdPreinstall() {
   ensureDir(HOST_ROOT);
   ensureDir(DEPLOY_ROOT);
@@ -650,6 +983,7 @@ async function cmdSetup() {
   const publicObs = await ask("Expose obs.<domain> publicly (true/false)", "true") === "true";
   const mailpitEnabled = await ask("Enable mailpit (true/false)", "false") === "true";
   const config = {
+    source: defaultSourceConfig(),
     domain: { root_domain: rootDomain, acme_email: acmeEmail },
     images: {
       api: `ghcr.io/envsync-cloud/envsync-api:${channel}`,
@@ -703,47 +1037,77 @@ async function cmdSetup() {
     },
     release_channel: channel
   };
-  ensureDir(REPO_ROOT);
-  if (!exists(path.join(REPO_ROOT, ".git"))) {
-    run("git", ["clone", "https://github.com/EnvSync-Cloud/envsync.git", REPO_ROOT]);
-  }
-  saveConfig(config);
+  saveDesiredConfig(config);
   console.log(`Config written to ${DEPLOY_YAML}`);
+  console.log(`Pinned source checkout: ${config.source.repo_url} @ ${config.source.ref}`);
   console.log("Create these DNS records:");
   console.log(JSON.stringify(domainMap(rootDomain), null, 2));
 }
-function extractStaticBundle(image, targetDir) {
-  ensureDir(targetDir);
-  const containerId = run("docker", ["create", image], { quiet: true }).trim();
-  try {
-    run("docker", ["cp", `${containerId}:/app/dist/.`, targetDir]);
-  } finally {
-    run("docker", ["rm", "-f", containerId], { quiet: true });
-  }
-}
-function buildKeycloakImage(imageTag, repoRoot = REPO_ROOT) {
-  const buildContext = path.join(repoRoot, "packages/envsync-keycloak-theme");
-  if (!exists(path.join(buildContext, "Dockerfile"))) {
-    throw new Error(`Missing Keycloak Docker build context at ${buildContext}`);
-  }
-  run("docker", ["build", "-t", imageTag, buildContext]);
+async function cmdBootstrap() {
+  const { config, generated } = loadState();
+  const nextGenerated = ensureGeneratedRuntimeState(generated);
+  ensureRepoCheckout(config);
+  writeDeployArtifacts(config, nextGenerated);
+  buildKeycloakImage(config.images.keycloak);
+  run("docker", ["stack", "deploy", "-c", BOOTSTRAP_STACK_FILE, config.services.stack_name]);
+  waitForTcpService(config, "postgres", "postgres", 5432);
+  waitForTcpService(config, "redis", "redis", 6379);
+  waitForTcpService(config, "rustfs", "rustfs", 9e3);
+  waitForTcpService(config, "keycloak", "keycloak", 8080);
+  waitForTcpService(config, "openfga", "openfga", 8090);
+  waitForTcpService(config, "minikms", "minikms", 50051);
+  const initResult = runBootstrapInit(config);
+  const bootstrappedGenerated = normalizeGeneratedState({
+    openfga: {
+      store_id: initResult.openfgaStoreId,
+      model_id: initResult.openfgaModelId
+    },
+    secrets: nextGenerated.secrets,
+    bootstrap: {
+      completed_at: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  });
+  writeDeployArtifacts(config, bootstrappedGenerated);
+  console.log("Bootstrap completed.");
 }
 async function cmdDeploy() {
-  const config = loadConfig();
+  const { config, generated } = loadState();
+  assertBootstrapState(generated);
+  ensureRepoCheckout(config);
+  writeDeployArtifacts(config, generated);
   buildKeycloakImage(config.images.keycloak);
   ensureDir(`${RELEASES_ROOT}/web/current`);
   ensureDir(`${RELEASES_ROOT}/landing/current`);
   extractStaticBundle(config.images.web, `${RELEASES_ROOT}/web/current`);
   extractStaticBundle(config.images.landing, `${RELEASES_ROOT}/landing/current`);
+  writeFile(`${RELEASES_ROOT}/web/current/runtime-config.js`, renderFrontendRuntimeConfig(config));
+  writeFile(`${RELEASES_ROOT}/landing/current/runtime-config.js`, renderFrontendRuntimeConfig(config));
   run("docker", ["stack", "deploy", "-c", STACK_FILE, config.services.stack_name]);
 }
 async function cmdHealth(asJson) {
-  const config = loadConfig();
+  const { config, generated } = loadState();
   const hosts = domainMap(config.domain.root_domain);
-  const services = run("docker", ["stack", "services", config.services.stack_name], { quiet: true });
+  const services = listStackServices(config);
+  const stackName = config.services.stack_name;
+  const bootstrapServices = {
+    postgres: serviceHealth(services, `${stackName}_postgres`),
+    redis: serviceHealth(services, `${stackName}_redis`),
+    rustfs: serviceHealth(services, `${stackName}_rustfs`),
+    keycloak: serviceHealth(services, `${stackName}_keycloak`),
+    openfga: serviceHealth(services, `${stackName}_openfga`),
+    minikms: serviceHealth(services, `${stackName}_minikms`)
+  };
   const checks = {
-    keycloak_image: config.images.keycloak,
-    services,
+    bootstrap: {
+      completed: hasCompleteBootstrapState(generated) && generated.bootstrap.completed_at.length > 0,
+      completed_at: generated.bootstrap.completed_at || null,
+      services: bootstrapServices
+    },
+    deploy: {
+      api: apiHealth(services, stackName),
+      web: serviceHealth(services, `${stackName}_web_nginx`),
+      landing: serviceHealth(services, `${stackName}_landing_nginx`)
+    },
     public: {
       landing: `https://${hosts.landing}`,
       app: `https://${hosts.app}`,
@@ -752,25 +1116,24 @@ async function cmdHealth(asJson) {
       obs: `https://${hosts.obs}`
     }
   };
-  if (asJson) console.log(JSON.stringify(checks, null, 2));
-  else {
-    console.log(services);
-    console.log(JSON.stringify(checks.public, null, 2));
+  if (asJson) {
+    console.log(JSON.stringify(checks, null, 2));
+    return;
   }
+  console.log(JSON.stringify(checks, null, 2));
 }
 async function cmdUpgrade() {
-  const config = loadConfig();
-  const nextImage = `ghcr.io/envsync-cloud/envsync-api:${config.release_channel}`;
-  config.images.api = nextImage;
-  saveConfig(config);
+  const { config } = loadState();
+  config.images.api = `ghcr.io/envsync-cloud/envsync-api:${config.release_channel}`;
+  saveDesiredConfig(config);
   await cmdDeploy();
 }
 async function cmdUpgradeDeps() {
-  const config = loadConfig();
+  const { config } = loadState();
   config.images.traefik = "traefik:v3.1";
   config.images.clickstack = "clickhouse/clickstack-all-in-one:latest";
   config.images.otel_agent = "otel/opentelemetry-collector-contrib:0.111.0";
-  saveConfig(config);
+  saveDesiredConfig(config);
   await cmdDeploy();
 }
 function sha256File(filePath) {
@@ -812,7 +1175,7 @@ function restoreDockerVolume(volumeName, sourceDir) {
   ]);
 }
 async function cmdBackup() {
-  const config = loadConfig();
+  const { config } = loadState();
   ensureDir(config.backup.output_dir);
   const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:]/g, "-");
   const archiveBase = path.join(config.backup.output_dir, `envsync-backup-${timestamp}`);
@@ -824,14 +1187,14 @@ async function cmdBackup() {
   writeFile(path.join(staged, "deploy.yaml"), fs.readFileSync(DEPLOY_YAML, "utf8"));
   writeFile(path.join(staged, "config.json"), fs.readFileSync(INTERNAL_CONFIG_JSON, "utf8"));
   writeFile(path.join(staged, "versions.lock.json"), fs.readFileSync(VERSIONS_LOCK, "utf8"));
+  writeFile(path.join(staged, "docker-stack.bootstrap.yaml"), fs.readFileSync(BOOTSTRAP_STACK_FILE, "utf8"));
   writeFile(path.join(staged, "docker-stack.yaml"), fs.readFileSync(STACK_FILE, "utf8"));
   writeFile(path.join(staged, "traefik-dynamic.yaml"), fs.readFileSync(TRAEFIK_DYNAMIC_FILE, "utf8"));
   writeFile(path.join(staged, "keycloak-realm.envsync.json"), fs.readFileSync(KEYCLOAK_REALM_FILE, "utf8"));
   writeFile(path.join(staged, "otel-agent.yaml"), fs.readFileSync(OTEL_AGENT_CONF, "utf8"));
   const volumesDir = path.join(staged, "volumes");
   for (const volume of STACK_VOLUMES) {
-    const target = path.join(volumesDir, volume);
-    backupDockerVolume(stackVolumeName(config, volume), target);
+    backupDockerVolume(stackVolumeName(config, volume), path.join(volumesDir, volume));
   }
   run("bash", ["-lc", `tar -czf ${JSON.stringify(tarPath)} -C ${JSON.stringify(staged)} .`]);
   const manifest = {
@@ -846,7 +1209,6 @@ async function cmdBackup() {
 }
 async function cmdRestore(archivePath) {
   if (!archivePath) throw new Error("restore requires a .tar.gz path");
-  const config = loadConfig();
   const restoreRoot = path.join(BACKUPS_ROOT, `restore-${Date.now()}`);
   ensureDir(restoreRoot);
   run("bash", ["-lc", `tar -xzf ${JSON.stringify(archivePath)} -C ${JSON.stringify(restoreRoot)}`]);
@@ -854,14 +1216,16 @@ async function cmdRestore(archivePath) {
   writeFile(DEPLOY_YAML, fs.readFileSync(path.join(restoreRoot, "deploy.yaml"), "utf8"));
   writeFile(INTERNAL_CONFIG_JSON, fs.readFileSync(path.join(restoreRoot, "config.json"), "utf8"));
   writeFile(VERSIONS_LOCK, fs.readFileSync(path.join(restoreRoot, "versions.lock.json"), "utf8"));
+  writeFile(BOOTSTRAP_STACK_FILE, fs.readFileSync(path.join(restoreRoot, "docker-stack.bootstrap.yaml"), "utf8"));
   writeFile(STACK_FILE, fs.readFileSync(path.join(restoreRoot, "docker-stack.yaml"), "utf8"));
   writeFile(TRAEFIK_DYNAMIC_FILE, fs.readFileSync(path.join(restoreRoot, "traefik-dynamic.yaml"), "utf8"));
   writeFile(KEYCLOAK_REALM_FILE, fs.readFileSync(path.join(restoreRoot, "keycloak-realm.envsync.json"), "utf8"));
   writeFile(OTEL_AGENT_CONF, fs.readFileSync(path.join(restoreRoot, "otel-agent.yaml"), "utf8"));
+  const config = loadConfig();
   for (const volume of STACK_VOLUMES) {
     restoreDockerVolume(stackVolumeName(config, volume), path.join(restoreRoot, "volumes", volume));
   }
-  await cmdDeploy();
+  console.log("Restore completed. Run 'envsync-deploy deploy' to start services.");
 }
 async function main() {
   const command = process.argv[2];
@@ -873,6 +1237,9 @@ async function main() {
     case "setup":
       await cmdSetup();
       break;
+    case "bootstrap":
+      await cmdBootstrap();
+      break;
     case "deploy":
       await cmdDeploy();
       break;
@@ -892,7 +1259,7 @@ async function main() {
       await cmdRestore(flag ?? "");
       break;
     default:
-      console.log("Usage: envsync-deploy <preinstall|setup|deploy|health|upgrade|upgrade-deps|backup|restore>");
+      console.log("Usage: envsync-deploy <preinstall|setup|bootstrap|deploy|health|upgrade|upgrade-deps|backup|restore>");
       process.exit(command ? 1 : 0);
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@envsync-cloud/deploy-cli",
-  "version": "0.6.0",
+  "version": "0.6.2",
   "description": "CLI for self-hosted EnvSync deployment on Docker Swarm",
   "type": "module",
   "bin": {