npm - @envsync-cloud/deploy-cli - Versions diffs - 0.6.1 → 0.6.3 - Mend

@envsync-cloud/deploy-cli 0.6.1 → 0.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -40,6 +40,7 @@ bunx @envsync-cloud/deploy-cli <command>
 ```text
 envsync-deploy preinstall
 envsync-deploy setup
+envsync-deploy bootstrap
 envsync-deploy deploy
 envsync-deploy health [--json]
 envsync-deploy upgrade
@@ -56,18 +57,31 @@ Prepare the host:
 npx @envsync-cloud/deploy-cli preinstall
 ```
-Generate deployment state and prompts:
+Write the desired self-hosted config:
 ```bash
 npx @envsync-cloud/deploy-cli setup
 ```
-Apply the Docker Swarm stack:
+`setup` requires an exact release version such as `0.6.2`. Channel names like `stable` and `latest` are not accepted for self-hosted installs.
+Bootstrap infra, migrations, RustFS, and OpenFGA:
+```bash
+npx @envsync-cloud/deploy-cli bootstrap
+```
+Deploy the pending API and frontend services:
 ```bash
 npx @envsync-cloud/deploy-cli deploy
 ```
+The staged flow is:
+- `setup` writes desired config
+- `bootstrap` starts base infra, runs OpenFGA and miniKMS migrations, starts runtime infra, and persists generated runtime env state
+- `deploy` starts the pending API and frontend services
 Check service health:
 ```bash

package/dist/index.js CHANGED Viewed

@@ -17,6 +17,8 @@ var DEPLOY_ENV = "/etc/envsync/deploy.env";
 var DEPLOY_YAML = "/etc/envsync/deploy.yaml";
 var VERSIONS_LOCK = "/opt/envsync/deploy/versions.lock.json";
 var STACK_FILE = "/opt/envsync/deploy/docker-stack.yaml";
+var BOOTSTRAP_BASE_STACK_FILE = "/opt/envsync/deploy/docker-stack.bootstrap.base.yaml";
+var BOOTSTRAP_STACK_FILE = "/opt/envsync/deploy/docker-stack.bootstrap.yaml";
 var TRAEFIK_DYNAMIC_FILE = "/opt/envsync/deploy/traefik-dynamic.yaml";
 var KEYCLOAK_REALM_FILE = "/opt/envsync/deploy/keycloak-realm.envsync.json";
 var NGINX_WEB_CONF = "/opt/envsync/deploy/nginx-web.conf";
@@ -34,6 +36,17 @@ var STACK_VOLUMES = [
   "clickstack_ch_data",
   "clickstack_ch_logs"
 ];
+var REQUIRED_BOOTSTRAP_ENV_KEYS = [
+  "S3_SECRET_KEY",
+  "KEYCLOAK_WEB_CLIENT_SECRET",
+  "KEYCLOAK_API_CLIENT_SECRET",
+  "OPENFGA_DB_PASSWORD",
+  "MINIKMS_ROOT_KEY",
+  "MINIKMS_DB_PASSWORD",
+  "OPENFGA_STORE_ID",
+  "OPENFGA_MODEL_ID"
+];
+var SEMVER_VERSION_RE = /^\d+\.\d+\.\d+$/;
 function run(cmd, args, opts = {}) {
   const result = spawnSync(cmd, args, {
     cwd: opts.cwd,
@@ -48,6 +61,22 @@ ${stderr}` : ""}`);
   }
   return result.stdout?.toString() ?? "";
 }
+function tryRun(cmd, args, opts = {}) {
+  try {
+    return run(cmd, args, opts);
+  } catch {
+    return "";
+  }
+}
+function commandSucceeds(cmd, args, opts = {}) {
+  const result = spawnSync(cmd, args, {
+    cwd: opts.cwd,
+    env: { ...process.env, ...opts.env },
+    stdio: "ignore",
+    encoding: "utf8"
+  });
+  return result.status === 0;
+}
 function ensureDir(dir) {
   fs.mkdirSync(dir, { recursive: true });
 }
@@ -126,9 +155,21 @@ function parseSimpleYamlObject(input) {
   }
   return root;
 }
-function indentBlock(content, spaces) {
-  const prefix = " ".repeat(spaces);
-  return content.split("\n").map((line) => line ? `${prefix}${line}` : line).join("\n");
+function parseEnvFile(content) {
+  const out = {};
+  for (const line of content.split(/\r?\n/)) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eq = trimmed.indexOf("=");
+    if (eq === -1) continue;
+    const key = trimmed.slice(0, eq).trim();
+    let value = trimmed.slice(eq + 1).trim();
+    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+      value = value.slice(1, -1).replace(/\\n/g, "\n").replace(/\\"/g, '"');
+    }
+    out[key] = value;
+  }
+  return out;
 }
 async function ask(question, fallback = "") {
   if (!process.stdin.isTTY) return fallback;
@@ -140,6 +181,9 @@ async function ask(question, fallback = "") {
     });
   });
 }
+function sleepSeconds(seconds) {
+  spawnSync("sleep", [`${seconds}`], { stdio: "ignore" });
+}
 function domainMap(rootDomain) {
   return {
     landing: rootDomain,
@@ -152,29 +196,234 @@ function domainMap(rootDomain) {
     s3Console: `console.s3.${rootDomain}`
   };
 }
+function getDeployCliVersion() {
+  try {
+    const packageJsonPath = new URL("../package.json", import.meta.url);
+    const raw = fs.readFileSync(packageJsonPath, "utf8");
+    return JSON.parse(raw).version ?? "0.0.0";
+  } catch {
+    return process.env.npm_package_version ?? "0.0.0";
+  }
+}
+function assertSemverVersion(version, label = "release version") {
+  if (!SEMVER_VERSION_RE.test(version)) {
+    throw new Error(`Invalid ${label} '${version}'. Expected an exact semver like 0.6.2.`);
+  }
+}
+function versionedImages(version) {
+  assertSemverVersion(version);
+  return {
+    api: `ghcr.io/envsync-cloud/envsync-api:${version}`,
+    keycloak: `envsync-keycloak:${version}`,
+    web: `ghcr.io/envsync-cloud/envsync-web-static:${version}`,
+    landing: `ghcr.io/envsync-cloud/envsync-landing-static:${version}`
+  };
+}
+function defaultSourceConfig(version) {
+  return {
+    repo_url: "https://github.com/EnvSync-Cloud/envsync.git",
+    ref: `v${version}`
+  };
+}
+function resolveReleaseVersion(raw) {
+  const releaseVersion = raw.release?.version;
+  if (releaseVersion) {
+    assertSemverVersion(releaseVersion);
+    return releaseVersion;
+  }
+  if (typeof raw.release_channel === "string" && raw.release_channel.length > 0) {
+    if (SEMVER_VERSION_RE.test(raw.release_channel)) {
+      return raw.release_channel;
+    }
+    if (raw.release_channel === "stable" || raw.release_channel === "latest") {
+      throw new Error(
+        "Legacy release channel config is no longer supported for self-hosted installs. Set an exact release version in /etc/envsync/deploy.yaml."
+      );
+    }
+    throw new Error(`Invalid legacy release channel '${raw.release_channel}'. Set an exact release version in /etc/envsync/deploy.yaml.`);
+  }
+  return getDeployCliVersion();
+}
+function requireDefined(value, label) {
+  if (value === void 0) {
+    throw new Error(`Missing ${label} in ${DEPLOY_YAML}. Run setup again.`);
+  }
+  return value;
+}
+function normalizeConfig(raw) {
+  const version = resolveReleaseVersion(raw);
+  const derivedImages = versionedImages(version);
+  const { release_channel: _legacyReleaseChannel, ...rest } = raw;
+  const rootDomain = requireDefined(raw.domain?.root_domain, "domain.root_domain");
+  const acmeEmail = requireDefined(raw.domain?.acme_email, "domain.acme_email");
+  return {
+    ...rest,
+    source: {
+      repo_url: raw.source?.repo_url ?? "https://github.com/EnvSync-Cloud/envsync.git",
+      ref: `v${version}`
+    },
+    release: {
+      version
+    },
+    domain: {
+      root_domain: rootDomain,
+      acme_email: acmeEmail
+    },
+    images: {
+      api: derivedImages.api,
+      keycloak: derivedImages.keycloak,
+      web: derivedImages.web,
+      landing: derivedImages.landing,
+      clickstack: raw.images?.clickstack ?? "clickhouse/clickstack-all-in-one:latest",
+      traefik: raw.images?.traefik ?? "traefik:v3.1",
+      otel_agent: raw.images?.otel_agent ?? "otel/opentelemetry-collector-contrib:0.111.0"
+    },
+    services: {
+      stack_name: requireDefined(raw.services?.stack_name, "services.stack_name"),
+      api_port: requireDefined(raw.services?.api_port, "services.api_port"),
+      clickstack_ui_port: requireDefined(raw.services?.clickstack_ui_port, "services.clickstack_ui_port"),
+      clickstack_otlp_http_port: requireDefined(raw.services?.clickstack_otlp_http_port, "services.clickstack_otlp_http_port"),
+      clickstack_otlp_grpc_port: requireDefined(raw.services?.clickstack_otlp_grpc_port, "services.clickstack_otlp_grpc_port"),
+      keycloak_port: requireDefined(raw.services?.keycloak_port, "services.keycloak_port"),
+      rustfs_port: requireDefined(raw.services?.rustfs_port, "services.rustfs_port"),
+      rustfs_console_port: requireDefined(raw.services?.rustfs_console_port, "services.rustfs_console_port")
+    },
+    auth: {
+      keycloak_realm: requireDefined(raw.auth?.keycloak_realm, "auth.keycloak_realm"),
+      admin_user: requireDefined(raw.auth?.admin_user, "auth.admin_user"),
+      admin_password: requireDefined(raw.auth?.admin_password, "auth.admin_password"),
+      web_client_id: requireDefined(raw.auth?.web_client_id, "auth.web_client_id"),
+      api_client_id: requireDefined(raw.auth?.api_client_id, "auth.api_client_id"),
+      cli_client_id: requireDefined(raw.auth?.cli_client_id, "auth.cli_client_id")
+    },
+    observability: {
+      retention_days: requireDefined(raw.observability?.retention_days, "observability.retention_days"),
+      public_obs: requireDefined(raw.observability?.public_obs, "observability.public_obs")
+    },
+    backup: {
+      output_dir: requireDefined(raw.backup?.output_dir, "backup.output_dir"),
+      encrypted: requireDefined(raw.backup?.encrypted, "backup.encrypted")
+    },
+    smtp: {
+      host: requireDefined(raw.smtp?.host, "smtp.host"),
+      port: requireDefined(raw.smtp?.port, "smtp.port"),
+      secure: requireDefined(raw.smtp?.secure, "smtp.secure"),
+      user: requireDefined(raw.smtp?.user, "smtp.user"),
+      pass: requireDefined(raw.smtp?.pass, "smtp.pass"),
+      from: requireDefined(raw.smtp?.from, "smtp.from")
+    },
+    exposure: {
+      public_auth: requireDefined(raw.exposure?.public_auth, "exposure.public_auth"),
+      public_obs: requireDefined(raw.exposure?.public_obs, "exposure.public_obs"),
+      mailpit_enabled: requireDefined(raw.exposure?.mailpit_enabled, "exposure.mailpit_enabled"),
+      s3_public: requireDefined(raw.exposure?.s3_public, "exposure.s3_public"),
+      s3_console_public: requireDefined(raw.exposure?.s3_console_public, "exposure.s3_console_public")
+    }
+  };
+}
+function emptyGeneratedState() {
+  return {
+    openfga: {
+      store_id: "",
+      model_id: ""
+    },
+    secrets: {
+      s3_secret_key: "",
+      keycloak_web_client_secret: "",
+      keycloak_api_client_secret: "",
+      openfga_db_password: "",
+      minikms_root_key: "",
+      minikms_db_password: ""
+    },
+    bootstrap: {
+      completed_at: ""
+    }
+  };
+}
+function normalizeGeneratedState(raw) {
+  const defaults = emptyGeneratedState();
+  return {
+    openfga: {
+      store_id: raw?.openfga?.store_id ?? defaults.openfga.store_id,
+      model_id: raw?.openfga?.model_id ?? defaults.openfga.model_id
+    },
+    secrets: {
+      s3_secret_key: raw?.secrets?.s3_secret_key ?? defaults.secrets.s3_secret_key,
+      keycloak_web_client_secret: raw?.secrets?.keycloak_web_client_secret ?? defaults.secrets.keycloak_web_client_secret,
+      keycloak_api_client_secret: raw?.secrets?.keycloak_api_client_secret ?? defaults.secrets.keycloak_api_client_secret,
+      openfga_db_password: raw?.secrets?.openfga_db_password ?? defaults.secrets.openfga_db_password,
+      minikms_root_key: raw?.secrets?.minikms_root_key ?? defaults.secrets.minikms_root_key,
+      minikms_db_password: raw?.secrets?.minikms_db_password ?? defaults.secrets.minikms_db_password
+    },
+    bootstrap: {
+      completed_at: raw?.bootstrap?.completed_at ?? defaults.bootstrap.completed_at
+    }
+  };
+}
+function readInternalState() {
+  if (!exists(INTERNAL_CONFIG_JSON)) return null;
+  const raw = JSON.parse(fs.readFileSync(INTERNAL_CONFIG_JSON, "utf8"));
+  return {
+    config: raw.config ? normalizeConfig(raw.config) : void 0,
+    generated: normalizeGeneratedState(raw.generated)
+  };
+}
 function loadConfig() {
   if (!exists(DEPLOY_YAML)) {
     throw new Error(`Missing deploy config at ${DEPLOY_YAML}. Run setup first.`);
   }
   const raw = fs.readFileSync(DEPLOY_YAML, "utf8");
   if (raw.trimStart().startsWith("{")) {
-    return JSON.parse(raw);
+    return normalizeConfig(JSON.parse(raw));
   }
-  return parseSimpleYamlObject(raw);
+  return normalizeConfig(parseSimpleYamlObject(raw));
 }
-function saveConfig(config) {
-  writeFile(DEPLOY_YAML, toYaml(config) + "\n");
-  writeFile(INTERNAL_CONFIG_JSON, JSON.stringify(config, null, 2) + "\n");
-  writeFile(DEPLOY_ENV, renderEnv(config), 384);
-  writeFile(VERSIONS_LOCK, JSON.stringify(config.images, null, 2) + "\n");
-  writeFile(KEYCLOAK_REALM_FILE, renderKeycloakRealm(config));
-  writeFile(TRAEFIK_DYNAMIC_FILE, renderTraefikDynamicConfig(config));
-  writeFile(STACK_FILE, renderStack(config));
-  writeFile(NGINX_WEB_CONF, renderNginxConf("web"));
-  writeFile(NGINX_LANDING_CONF, renderNginxConf("landing"));
-  writeFile(OTEL_AGENT_CONF, renderOtelAgentConfig(config));
+function loadGeneratedEnv() {
+  if (!exists(DEPLOY_ENV)) return {};
+  return parseEnvFile(fs.readFileSync(DEPLOY_ENV, "utf8"));
 }
-function buildEnvMap(config) {
+function mergeGeneratedState(env, generated) {
+  const normalized = normalizeGeneratedState(generated);
+  return normalizeGeneratedState({
+    openfga: {
+      store_id: env.OPENFGA_STORE_ID ?? normalized.openfga.store_id,
+      model_id: env.OPENFGA_MODEL_ID ?? normalized.openfga.model_id
+    },
+    secrets: {
+      s3_secret_key: env.S3_SECRET_KEY ?? normalized.secrets.s3_secret_key,
+      keycloak_web_client_secret: env.KEYCLOAK_WEB_CLIENT_SECRET ?? normalized.secrets.keycloak_web_client_secret,
+      keycloak_api_client_secret: env.KEYCLOAK_API_CLIENT_SECRET ?? normalized.secrets.keycloak_api_client_secret,
+      openfga_db_password: env.OPENFGA_DB_PASSWORD ?? normalized.secrets.openfga_db_password,
+      minikms_root_key: env.MINIKMS_ROOT_KEY ?? normalized.secrets.minikms_root_key,
+      minikms_db_password: env.MINIKMS_DB_PASSWORD ?? normalized.secrets.minikms_db_password
+    },
+    bootstrap: normalized.bootstrap
+  });
+}
+function loadState() {
+  const config = loadConfig();
+  const internal = readInternalState();
+  const generated = mergeGeneratedState(loadGeneratedEnv(), internal?.generated);
+  return { config, generated };
+}
+function ensureGeneratedRuntimeState(generated) {
+  return normalizeGeneratedState({
+    openfga: generated.openfga,
+    secrets: {
+      s3_secret_key: generated.secrets.s3_secret_key || randomSecret(16),
+      keycloak_web_client_secret: generated.secrets.keycloak_web_client_secret || randomSecret(),
+      keycloak_api_client_secret: generated.secrets.keycloak_api_client_secret || randomSecret(),
+      openfga_db_password: generated.secrets.openfga_db_password || randomSecret(),
+      minikms_root_key: generated.secrets.minikms_root_key || randomBytes(32).toString("hex"),
+      minikms_db_password: generated.secrets.minikms_db_password || randomSecret()
+    },
+    bootstrap: generated.bootstrap
+  });
+}
+function keycloakImageTag(image) {
+  return image.split(":").slice(1).join(":") || "local";
+}
+function buildRuntimeEnv(config, generated) {
   const hosts = domainMap(config.domain.root_domain);
   return {
     NODE_ENV: "production",
@@ -190,7 +439,7 @@ function buildEnvMap(config) {
     S3_BUCKET: "envsync-bucket",
     S3_REGION: "us-east-1",
     S3_ACCESS_KEY: "envsync-rustfs",
-    S3_SECRET_KEY: randomSecret(16),
+    S3_SECRET_KEY: generated.secrets.s3_secret_key,
     S3_BUCKET_URL: `https://${hosts.s3}`,
     S3_ENDPOINT: "http://rustfs:9000",
     REDIS_URL: "redis://redis:6379",
@@ -205,43 +454,40 @@ function buildEnvMap(config) {
     KEYCLOAK_ADMIN_USER: config.auth.admin_user,
     KEYCLOAK_ADMIN_PASSWORD: config.auth.admin_password,
     KEYCLOAK_WEB_CLIENT_ID: config.auth.web_client_id,
-    KEYCLOAK_WEB_CLIENT_SECRET: randomSecret(),
+    KEYCLOAK_WEB_CLIENT_SECRET: generated.secrets.keycloak_web_client_secret,
     KEYCLOAK_CLI_CLIENT_ID: config.auth.cli_client_id,
     KEYCLOAK_API_CLIENT_ID: config.auth.api_client_id,
-    KEYCLOAK_API_CLIENT_SECRET: randomSecret(),
+    KEYCLOAK_API_CLIENT_SECRET: generated.secrets.keycloak_api_client_secret,
     KEYCLOAK_WEB_REDIRECT_URI: `https://${hosts.api}/api/access/web/callback`,
     KEYCLOAK_WEB_CALLBACK_URL: `https://${hosts.app}/auth/callback`,
     KEYCLOAK_API_REDIRECT_URI: `https://${hosts.api}/api/access/api/callback`,
     LANDING_PAGE_URL: `https://${hosts.landing}`,
     DASHBOARD_URL: `https://${hosts.app}`,
     OPENFGA_API_URL: "http://openfga:8090",
-    OPENFGA_STORE_ID: "",
-    OPENFGA_MODEL_ID: "",
-    OPENFGA_DB_PASSWORD: randomSecret(),
+    OPENFGA_STORE_ID: generated.openfga.store_id,
+    OPENFGA_MODEL_ID: generated.openfga.model_id,
+    OPENFGA_DB_PASSWORD: generated.secrets.openfga_db_password,
     MINIKMS_GRPC_ADDR: "minikms:50051",
     MINIKMS_TLS_ENABLED: "false",
-    MINIKMS_ROOT_KEY: randomBytes(32).toString("hex"),
+    MINIKMS_ROOT_KEY: generated.secrets.minikms_root_key,
     MINIKMS_DB_USER: "postgres",
-    MINIKMS_DB_PASSWORD: randomSecret(),
+    MINIKMS_DB_PASSWORD: generated.secrets.minikms_db_password,
     OTEL_EXPORTER_OTLP_ENDPOINT: "http://otel-agent:4318",
     OTEL_SERVICE_NAME: "envsync-api",
     OTEL_SDK_DISABLED: "false",
-    CLICKSTACK_URL: `https://${hosts.obs}`
+    CLICKSTACK_URL: `https://${hosts.obs}`,
+    KEYCLOAK_IMAGE_TAG: keycloakImageTag(config.images.keycloak)
   };
 }
-function renderEnv(config) {
-  return Object.entries({
-    ...buildEnvMap(config),
-    KEYCLOAK_IMAGE_TAG: config.images.keycloak.split(":").slice(1).join(":") || "local"
-  }).map(([k, v]) => `${k}=${v}`).join("\n") + "\n";
+function renderEnvFile(env) {
+  return Object.entries(env).sort(([a], [b]) => a.localeCompare(b)).map(([key, value]) => `${key}=${value}`).join("\n") + "\n";
 }
-function renderServiceEnvironment(config, overrides = {}) {
-  return toYaml({ ...buildEnvMap(config), ...overrides }, 0);
+function renderEnvList(values, indent = 6) {
+  const prefix = " ".repeat(indent);
+  return Object.entries(values).map(([key, value]) => `${prefix}- ${JSON.stringify(`${key}=${String(value)}`)}`).join("\n");
 }
-function renderKeycloakRealm(config) {
+function renderKeycloakRealm(config, runtimeEnv) {
   const hosts = domainMap(config.domain.root_domain);
-  const webSecret = extractEnvValue("KEYCLOAK_WEB_CLIENT_SECRET");
-  const apiSecret = extractEnvValue("KEYCLOAK_API_CLIENT_SECRET");
   return JSON.stringify(
     {
       realm: config.auth.keycloak_realm,
@@ -254,7 +500,7 @@ function renderKeycloakRealm(config) {
           name: "EnvSync Web",
           protocol: "openid-connect",
           publicClient: false,
-          secret: webSecret,
+          secret: runtimeEnv.KEYCLOAK_WEB_CLIENT_SECRET,
           standardFlowEnabled: true,
           directAccessGrantsEnabled: false,
           redirectUris: [
@@ -273,7 +519,7 @@ function renderKeycloakRealm(config) {
           name: "EnvSync API",
           protocol: "openid-connect",
           publicClient: false,
-          secret: apiSecret,
+          secret: runtimeEnv.KEYCLOAK_API_CLIENT_SECRET,
           standardFlowEnabled: true,
           redirectUris: [`https://${hosts.api}/api/access/api/callback`],
           webOrigins: [`https://${hosts.api}`],
@@ -297,11 +543,6 @@ function renderKeycloakRealm(config) {
     2
   ) + "\n";
 }
-function extractEnvValue(key) {
-  const env = exists(DEPLOY_ENV) ? fs.readFileSync(DEPLOY_ENV, "utf8") : "";
-  const line = env.split(/\r?\n/).find((entry) => entry.startsWith(`${key}=`));
-  return line?.slice(key.length + 1) ?? "";
-}
 function renderTraefikDynamicConfig(config) {
   const hosts = domainMap(config.domain.root_domain);
   return [
@@ -340,17 +581,17 @@ function renderTraefikDynamicConfig(config) {
     "        servers:",
     "          - url: http://web_nginx:8080",
     "  routers:",
-    `    landing-router:`,
+    "    landing-router:",
     `      rule: Host(\`${hosts.landing}\`)`,
     "      service: landing",
     "      entryPoints: [websecure]",
     "      tls: {}",
-    `    web-router:`,
+    "    web-router:",
     `      rule: Host(\`${hosts.app}\`)`,
     "      service: web",
     "      entryPoints: [websecure]",
     "      tls: {}",
-    `    api-router:`,
+    "    api-router:",
     `      rule: Host(\`${hosts.api}\`)`,
     "      service: envsync-api",
     "      entryPoints: [websecure]",
@@ -415,16 +656,19 @@ function renderOtelAgentConfig(config) {
     "      exporters: [otlphttp/clickstack]"
   ].join("\n") + "\n";
 }
-function renderStack(config) {
+function renderStack(config, runtimeEnv, mode) {
   const hosts = domainMap(config.domain.root_domain);
-  const apiEnvironment = renderServiceEnvironment(config, {
+  const includeRuntimeInfra = mode !== "base";
+  const includeAppServices = mode === "full";
+  const apiEnvironment = {
+    ...runtimeEnv,
     OTEL_EXPORTER_OTLP_ENDPOINT: "http://otel-agent:4318",
     KEYCLOAK_URL: "http://keycloak:8080",
     OPENFGA_API_URL: "http://openfga:8090",
     MINIKMS_GRPC_ADDR: "minikms:50051",
     S3_ENDPOINT: "http://rustfs:9000",
     S3_BUCKET_URL: `https://${hosts.s3}`
-  });
+  };
   return `
 version: "3.9"
 services:
@@ -458,9 +702,11 @@ services:
   postgres:
     image: postgres:17
     environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: envsync-postgres
-      POSTGRES_DB: envsync
+${renderEnvList({
+    POSTGRES_USER: "postgres",
+    POSTGRES_PASSWORD: "envsync-postgres",
+    POSTGRES_DB: "envsync"
+  })}
     volumes:
       - postgres_data:/var/lib/postgresql/data
     networks: [envsync]
@@ -474,10 +720,12 @@ services:
   rustfs:
     image: rustfs/rustfs:latest
     environment:
-      RUSTFS_DATA_DIR: /data
-      RUSTFS_ACCESS_KEY: envsync-rustfs
-      RUSTFS_SECRET_KEY: ${extractEnvValue("S3_SECRET_KEY")}
-      RUSTFS_CONSOLE_ENABLE: "true"
+${renderEnvList({
+    RUSTFS_DATA_DIR: "/data",
+    RUSTFS_ACCESS_KEY: "envsync-rustfs",
+    RUSTFS_SECRET_KEY: runtimeEnv.S3_SECRET_KEY,
+    RUSTFS_CONSOLE_ENABLE: "true"
+  })}
     volumes:
       - rustfs_data:/data
     networks: [envsync]
@@ -496,30 +744,34 @@ services:
   keycloak_db:
     image: postgres:17
     environment:
-      POSTGRES_USER: keycloak
-      POSTGRES_PASSWORD: ${extractEnvValue("KEYCLOAK_ADMIN_PASSWORD")}
-      POSTGRES_DB: keycloak
+${renderEnvList({
+    POSTGRES_USER: "keycloak",
+    POSTGRES_PASSWORD: runtimeEnv.KEYCLOAK_ADMIN_PASSWORD,
+    POSTGRES_DB: "keycloak"
+  })}
     volumes:
       - keycloak_db_data:/var/lib/postgresql/data
     networks: [envsync]
+${includeRuntimeInfra ? `
   keycloak:
     image: ${config.images.keycloak}
     entrypoint: ["/bin/sh", "-lc"]
     command:
       - /opt/keycloak/bin/kc.sh import --dir /opt/keycloak/data/import --override true && exec /opt/keycloak/bin/kc.sh start-dev
     environment:
-      KC_DB: postgres
-      KC_DB_URL: jdbc:postgresql://keycloak_db:5432/keycloak
-      KC_DB_USERNAME: keycloak
-      KC_DB_PASSWORD: ${extractEnvValue("KEYCLOAK_ADMIN_PASSWORD")}
-      KC_BOOTSTRAP_ADMIN_USERNAME: ${config.auth.admin_user}
-      KC_BOOTSTRAP_ADMIN_PASSWORD: ${config.auth.admin_password}
-      KC_HTTP_ENABLED: "true"
-      KC_PROXY_HEADERS: xforwarded
-      KC_HOSTNAME: ${hosts.auth}
+${renderEnvList({
+    KC_DB: "postgres",
+    KC_DB_URL: "jdbc:postgresql://keycloak_db:5432/keycloak",
+    KC_DB_USERNAME: "keycloak",
+    KC_DB_PASSWORD: runtimeEnv.KEYCLOAK_ADMIN_PASSWORD,
+    KC_BOOTSTRAP_ADMIN_USERNAME: config.auth.admin_user,
+    KC_BOOTSTRAP_ADMIN_PASSWORD: config.auth.admin_password,
+    KC_HTTP_ENABLED: "true",
+    KC_PROXY_HEADERS: "xforwarded",
+    KC_HOSTNAME: hosts.auth
+  })}
     volumes:
-      - ${DEPLOY_ROOT}/keycloak-realm.envsync.json:/opt/keycloak/data/import/realm.json:ro
+      - ${KEYCLOAK_REALM_FILE}:/opt/keycloak/data/import/realm.json:ro
     networks: [envsync]
     deploy:
       labels:
@@ -527,46 +779,55 @@ services:
         - traefik.http.routers.keycloak.rule=Host(\`${hosts.auth}\`)
         - traefik.http.routers.keycloak.entrypoints=websecure
         - traefik.http.routers.keycloak.tls.certresolver=letsencrypt
-        - traefik.http.services.keycloak.loadbalancer.server.port=8080
+        - traefik.http.services.keycloak.loadbalancer.server.port=8080` : ""}
   openfga_db:
     image: postgres:17
     environment:
-      POSTGRES_USER: openfga
-      POSTGRES_PASSWORD: ${extractEnvValue("OPENFGA_DB_PASSWORD")}
-      POSTGRES_DB: openfga
+${renderEnvList({
+    POSTGRES_USER: "openfga",
+    POSTGRES_PASSWORD: runtimeEnv.OPENFGA_DB_PASSWORD,
+    POSTGRES_DB: "openfga"
+  })}
     volumes:
       - openfga_db_data:/var/lib/postgresql/data
     networks: [envsync]
+${includeRuntimeInfra ? `
   openfga:
     image: openfga/openfga:v1.12.0
     command: run
     environment:
-      OPENFGA_DATASTORE_ENGINE: postgres
-      OPENFGA_DATASTORE_URI: postgres://openfga:${extractEnvValue("OPENFGA_DB_PASSWORD")}@openfga_db:5432/openfga?sslmode=disable
-      OPENFGA_HTTP_ADDR: 0.0.0.0:8090
-      OPENFGA_GRPC_ADDR: 0.0.0.0:8091
-    networks: [envsync]
+${renderEnvList({
+    OPENFGA_DATASTORE_ENGINE: "postgres",
+    OPENFGA_DATASTORE_URI: `postgres://openfga:${runtimeEnv.OPENFGA_DB_PASSWORD}@openfga_db:5432/openfga?sslmode=disable`,
+    OPENFGA_HTTP_ADDR: "0.0.0.0:8090",
+    OPENFGA_GRPC_ADDR: "0.0.0.0:8091"
+  })}
+    networks: [envsync]` : ""}
   minikms_db:
     image: postgres:17
     environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: ${extractEnvValue("MINIKMS_DB_PASSWORD")}
-      POSTGRES_DB: minikms
+${renderEnvList({
+    POSTGRES_USER: "postgres",
+    POSTGRES_PASSWORD: runtimeEnv.MINIKMS_DB_PASSWORD,
+    POSTGRES_DB: "minikms"
+  })}
     volumes:
       - minikms_db_data:/var/lib/postgresql/data
     networks: [envsync]
+${includeRuntimeInfra ? `
   minikms:
     image: ghcr.io/envsync-cloud/minikms:sha-735dfe8
     environment:
-      MINIKMS_ROOT_KEY: ${extractEnvValue("MINIKMS_ROOT_KEY")}
-      MINIKMS_DB_URL: postgres://postgres:${extractEnvValue("MINIKMS_DB_PASSWORD")}@minikms_db:5432/minikms?sslmode=disable
-      MINIKMS_REDIS_URL: redis://redis:6379
-      MINIKMS_TLS_ENABLED: "false"
-    networks: [envsync]
+${renderEnvList({
+    MINIKMS_ROOT_KEY: runtimeEnv.MINIKMS_ROOT_KEY,
+    MINIKMS_DB_URL: `postgres://postgres:${runtimeEnv.MINIKMS_DB_PASSWORD}@minikms_db:5432/minikms?sslmode=disable`,
+    MINIKMS_REDIS_URL: "redis://redis:6379",
+    MINIKMS_GRPC_ADDR: "0.0.0.0:50051",
+    MINIKMS_TLS_ENABLED: "false"
+  })}
+    networks: [envsync]` : ""}
   clickstack:
     image: ${config.images.clickstack}
@@ -589,6 +850,7 @@ services:
     volumes:
       - ${OTEL_AGENT_CONF}:/etc/otel-agent.yaml:ro
     networks: [envsync]
+${includeAppServices ? `
   landing_nginx:
     image: nginx:1.27-alpine
@@ -607,14 +869,14 @@ services:
   envsync_api_blue:
     image: ${config.images.api}
     environment:
-${indentBlock(apiEnvironment, 6)}
+${renderEnvList(apiEnvironment)}
     networks: [envsync]
   envsync_api_green:
     image: ${config.images.api}
     environment:
-${indentBlock(apiEnvironment, 6)}
-    networks: [envsync]
+${renderEnvList(apiEnvironment)}
+    networks: [envsync]` : ""}
 networks:
   envsync:
@@ -633,6 +895,232 @@ volumes:
   clickstack_ch_logs:
 `.trimStart();
 }
+function writeDeployArtifacts(config, generated) {
+  const runtimeEnv = buildRuntimeEnv(config, generated);
+  writeFile(DEPLOY_ENV, renderEnvFile(runtimeEnv), 384);
+  writeFile(
+    INTERNAL_CONFIG_JSON,
+    JSON.stringify({ config, generated: mergeGeneratedState(runtimeEnv, generated) }, null, 2) + "\n"
+  );
+  writeFile(VERSIONS_LOCK, JSON.stringify(config.images, null, 2) + "\n");
+  writeFile(KEYCLOAK_REALM_FILE, renderKeycloakRealm(config, runtimeEnv));
+  writeFile(TRAEFIK_DYNAMIC_FILE, renderTraefikDynamicConfig(config));
+  writeFile(BOOTSTRAP_BASE_STACK_FILE, renderStack(config, runtimeEnv, "base"));
+  writeFile(BOOTSTRAP_STACK_FILE, renderStack(config, runtimeEnv, "bootstrap"));
+  writeFile(STACK_FILE, renderStack(config, runtimeEnv, "full"));
+  writeFile(NGINX_WEB_CONF, renderNginxConf("web"));
+  writeFile(NGINX_LANDING_CONF, renderNginxConf("landing"));
+  writeFile(OTEL_AGENT_CONF, renderOtelAgentConfig(config));
+}
+function saveDesiredConfig(config) {
+  const internal = readInternalState();
+  const generated = mergeGeneratedState(loadGeneratedEnv(), internal?.generated);
+  writeFile(DEPLOY_YAML, toYaml(config) + "\n");
+  writeFile(
+    INTERNAL_CONFIG_JSON,
+    JSON.stringify({ config, generated }, null, 2) + "\n"
+  );
+}
+function ensureRepoCheckout(config) {
+  ensureDir(REPO_ROOT);
+  if (!exists(path.join(REPO_ROOT, ".git"))) {
+    run("git", ["clone", config.source.repo_url, REPO_ROOT]);
+  }
+  run("git", ["remote", "set-url", "origin", config.source.repo_url], { cwd: REPO_ROOT });
+  run("git", ["fetch", "--tags", "--force", "origin"], { cwd: REPO_ROOT });
+  run("git", ["checkout", "--force", config.source.ref], { cwd: REPO_ROOT });
+}
+function extractStaticBundle(image, targetDir) {
+  ensureDir(targetDir);
+  const containerId = run("docker", ["create", image], { quiet: true }).trim();
+  try {
+    run("docker", ["cp", `${containerId}:/app/dist/.`, targetDir]);
+  } finally {
+    run("docker", ["rm", "-f", containerId], { quiet: true });
+  }
+}
+function buildKeycloakImage(imageTag, repoRoot = REPO_ROOT) {
+  const buildContext = path.join(repoRoot, "packages/envsync-keycloak-theme");
+  if (!exists(path.join(buildContext, "Dockerfile"))) {
+    throw new Error(`Missing Keycloak Docker build context at ${buildContext}`);
+  }
+  run("docker", ["build", "-t", imageTag, buildContext]);
+}
+function stackNetworkName(config) {
+  return `${config.services.stack_name}_envsync`;
+}
+function assertSwarmManager() {
+  const state = tryRun("docker", ["info", "--format", "{{.Swarm.LocalNodeState}}|{{.Swarm.ControlAvailable}}"], { quiet: true }).trim();
+  if (state !== "active|true") {
+    throw new Error("Docker Swarm is not initialized on this node. Run 'docker swarm init' or 'envsync-deploy preinstall' first.");
+  }
+}
+function waitForCommand(config, label, image, command, timeoutSeconds = 120, env = {}, volumes = []) {
+  const deadline = Date.now() + timeoutSeconds * 1e3;
+  while (Date.now() < deadline) {
+    const args = ["run", "--rm", "--network", stackNetworkName(config)];
+    for (const volume of volumes) {
+      args.push("-v", volume);
+    }
+    for (const [key, value] of Object.entries(env)) {
+      args.push("-e", `${key}=${value}`);
+    }
+    args.push(image, "sh", "-lc", command);
+    if (commandSucceeds("docker", args)) {
+      return;
+    }
+    sleepSeconds(2);
+  }
+  throw new Error(`Timed out waiting for ${label}`);
+}
+function waitForPostgresService(config, label, host, user, password) {
+  waitForCommand(config, `${label} database readiness`, "postgres:17", `pg_isready -h ${host} -U ${user}`, 120, {
+    PGPASSWORD: password
+  });
+}
+function waitForRedisService(config) {
+  waitForCommand(config, "redis readiness", "redis:7", "redis-cli -h redis ping | grep PONG");
+}
+function waitForTcpService(config, label, host, port, timeoutSeconds = 120) {
+  const deadline = Date.now() + timeoutSeconds * 1e3;
+  while (Date.now() < deadline) {
+    if (commandSucceeds(
+      "docker",
+      ["run", "--rm", "--network", stackNetworkName(config), "alpine:3.20", "sh", "-lc", `nc -z -w 2 ${host} ${port}`]
+    )) {
+      return;
+    }
+    sleepSeconds(2);
+  }
+  throw new Error(`Timed out waiting for ${label} at ${host}:${port}`);
+}
+function waitForHttpService(config, label, url, timeoutSeconds = 120) {
+  waitForCommand(config, `${label} HTTP readiness`, "alpine:3.20", `wget -q -O /dev/null ${JSON.stringify(url)}`, timeoutSeconds);
+}
+function runOpenFgaMigrate(config, runtimeEnv) {
+  run("docker", [
+    "run",
+    "--rm",
+    "--network",
+    stackNetworkName(config),
+    "-e",
+    "OPENFGA_DATASTORE_ENGINE=postgres",
+    "-e",
+    `OPENFGA_DATASTORE_URI=postgres://openfga:${runtimeEnv.OPENFGA_DB_PASSWORD}@openfga_db:5432/openfga?sslmode=disable`,
+    "openfga/openfga:v1.12.0",
+    "migrate"
+  ]);
+}
+function runMiniKmsMigrate(config, runtimeEnv) {
+  run("docker", [
+    "run",
+    "--rm",
+    "--network",
+    stackNetworkName(config),
+    "-e",
+    `PGPASSWORD=${runtimeEnv.MINIKMS_DB_PASSWORD}`,
+    "-v",
+    `${path.join(REPO_ROOT, "docker/minikms/migrations")}:/migrations:ro`,
+    "postgres:17",
+    "sh",
+    "-lc",
+    "psql -h minikms_db -U postgres -d minikms -f /migrations/001_initial_schema.sql && psql -h minikms_db -U postgres -d minikms -f /migrations/002_vault_storage.sql"
+  ]);
+}
+function runBootstrapInit(config) {
+  const output = run(
+    "docker",
+    [
+      "run",
+      "--rm",
+      "--network",
+      stackNetworkName(config),
+      "--env-file",
+      DEPLOY_ENV,
+      "-e",
+      "SKIP_ROOT_ENV=1",
+      "-e",
+      "SKIP_ROOT_ENV_WRITE=1",
+      config.images.api,
+      "bun",
+      "run",
+      "scripts/prod-init.ts",
+      "--json",
+      "--no-write-root-env"
+    ],
+    { quiet: true }
+  ).trim();
+  const result = JSON.parse(output);
+  if (!result.openfgaStoreId || !result.openfgaModelId) {
+    throw new Error("Bootstrap init did not return OpenFGA IDs");
+  }
+  return {
+    openfgaStoreId: result.openfgaStoreId,
+    openfgaModelId: result.openfgaModelId
+  };
+}
+function hasCompleteBootstrapState(generated) {
+  return REQUIRED_BOOTSTRAP_ENV_KEYS.every((key) => {
+    switch (key) {
+      case "S3_SECRET_KEY":
+        return generated.secrets.s3_secret_key.length > 0;
+      case "KEYCLOAK_WEB_CLIENT_SECRET":
+        return generated.secrets.keycloak_web_client_secret.length > 0;
+      case "KEYCLOAK_API_CLIENT_SECRET":
+        return generated.secrets.keycloak_api_client_secret.length > 0;
+      case "OPENFGA_DB_PASSWORD":
+        return generated.secrets.openfga_db_password.length > 0;
+      case "MINIKMS_ROOT_KEY":
+        return generated.secrets.minikms_root_key.length > 0;
+      case "MINIKMS_DB_PASSWORD":
+        return generated.secrets.minikms_db_password.length > 0;
+      case "OPENFGA_STORE_ID":
+        return generated.openfga.store_id.length > 0;
+      case "OPENFGA_MODEL_ID":
+        return generated.openfga.model_id.length > 0;
+      default:
+        return false;
+    }
+  });
+}
+function assertBootstrapState(generated) {
+  if (!hasCompleteBootstrapState(generated)) {
+    throw new Error("Missing bootstrap state. Run 'envsync-deploy bootstrap' first.");
+  }
+}
+function parseReplicaHealth(raw) {
+  const match = raw.match(/^(\d+)\/(\d+)$/);
+  if (!match) return raw.trim() ? "degraded" : "missing";
+  const current = Number(match[1]);
+  const desired = Number(match[2]);
+  if (desired === 0) return "missing";
+  if (current === desired) return "healthy";
+  return "degraded";
+}
+function listStackServices(config) {
+  const output = tryRun(
+    "docker",
+    ["stack", "services", config.services.stack_name, "--format", "{{.Name}}|{{.Replicas}}"],
+    { quiet: true }
+  );
+  const services = /* @__PURE__ */ new Map();
+  for (const line of output.split(/\r?\n/)) {
+    if (!line.trim()) continue;
+    const [name, replicas] = line.split("|");
+    services.set(name, parseReplicaHealth(replicas ?? ""));
+  }
+  return services;
+}
+function serviceHealth(services, name) {
+  return services.get(`${name}`) ?? "missing";
+}
+function apiHealth(services, stackName) {
+  const blue = serviceHealth(services, `${stackName}_envsync_api_blue`);
+  const green = serviceHealth(services, `${stackName}_envsync_api_green`);
+  if (blue === "missing" && green === "missing") return "missing";
+  if (blue === "healthy" || green === "healthy") return "healthy";
+  return "degraded";
+}
 async function cmdPreinstall() {
   ensureDir(HOST_ROOT);
   ensureDir(DEPLOY_ROOT);
@@ -655,7 +1143,9 @@ async function cmdPreinstall() {
 async function cmdSetup() {
   const rootDomain = await ask("Root domain", "example.com");
   const acmeEmail = await ask("ACME email", `admin@${rootDomain}`);
-  const channel = await ask("Release channel", "stable");
+  const releaseVersion = await ask("Release version", getDeployCliVersion());
+  assertSemverVersion(releaseVersion, "release version");
+  const releaseImages = versionedImages(releaseVersion);
   const adminUser = await ask("Keycloak admin user", "admin");
   const adminPassword = await ask("Keycloak admin password", randomSecret(12));
   const smtpHost = await ask("SMTP host", "smtp.example.com");
@@ -669,12 +1159,16 @@ async function cmdSetup() {
   const publicObs = await ask("Expose obs.<domain> publicly (true/false)", "true") === "true";
   const mailpitEnabled = await ask("Enable mailpit (true/false)", "false") === "true";
   const config = {
+    source: defaultSourceConfig(releaseVersion),
+    release: {
+      version: releaseVersion
+    },
     domain: { root_domain: rootDomain, acme_email: acmeEmail },
     images: {
-      api: `ghcr.io/envsync-cloud/envsync-api:${channel}`,
-      keycloak: `envsync-keycloak:${channel}`,
-      web: `ghcr.io/envsync-cloud/envsync-web-static:${channel}`,
-      landing: `ghcr.io/envsync-cloud/envsync-landing-static:${channel}`,
+      api: releaseImages.api,
+      keycloak: releaseImages.keycloak,
+      web: releaseImages.web,
+      landing: releaseImages.landing,
       clickstack: "clickhouse/clickstack-all-in-one:latest",
       traefik: "traefik:v3.1",
       otel_agent: "otel/opentelemetry-collector-contrib:0.111.0"
@@ -719,36 +1213,59 @@ async function cmdSetup() {
       mailpit_enabled: mailpitEnabled,
       s3_public: true,
       s3_console_public: true
-    },
-    release_channel: channel
+    }
   };
-  ensureDir(REPO_ROOT);
-  if (!exists(path.join(REPO_ROOT, ".git"))) {
-    run("git", ["clone", "https://github.com/EnvSync-Cloud/envsync.git", REPO_ROOT]);
-  }
-  saveConfig(config);
+  saveDesiredConfig(config);
   console.log(`Config written to ${DEPLOY_YAML}`);
+  console.log(`Pinned source checkout: ${config.source.repo_url} @ ${config.source.ref}`);
   console.log("Create these DNS records:");
   console.log(JSON.stringify(domainMap(rootDomain), null, 2));
 }
-function extractStaticBundle(image, targetDir) {
-  ensureDir(targetDir);
-  const containerId = run("docker", ["create", image], { quiet: true }).trim();
-  try {
-    run("docker", ["cp", `${containerId}:/app/dist/.`, targetDir]);
-  } finally {
-    run("docker", ["rm", "-f", containerId], { quiet: true });
-  }
-}
-function buildKeycloakImage(imageTag, repoRoot = REPO_ROOT) {
-  const buildContext = path.join(repoRoot, "packages/envsync-keycloak-theme");
-  if (!exists(path.join(buildContext, "Dockerfile"))) {
-    throw new Error(`Missing Keycloak Docker build context at ${buildContext}`);
-  }
-  run("docker", ["build", "-t", imageTag, buildContext]);
+async function cmdBootstrap() {
+  const { config, generated } = loadState();
+  const nextGenerated = ensureGeneratedRuntimeState(generated);
+  const runtimeEnv = buildRuntimeEnv(config, nextGenerated);
+  assertSwarmManager();
+  ensureRepoCheckout(config);
+  writeDeployArtifacts(config, nextGenerated);
+  buildKeycloakImage(config.images.keycloak);
+  run("docker", ["stack", "deploy", "-c", BOOTSTRAP_BASE_STACK_FILE, config.services.stack_name]);
+  waitForPostgresService(config, "postgres", "postgres", "postgres", "envsync-postgres");
+  waitForRedisService(config);
+  waitForTcpService(config, "rustfs", "rustfs", 9e3);
+  waitForPostgresService(config, "keycloak", "keycloak_db", "keycloak", runtimeEnv.KEYCLOAK_ADMIN_PASSWORD);
+  waitForPostgresService(config, "openfga", "openfga_db", "openfga", runtimeEnv.OPENFGA_DB_PASSWORD);
+  waitForPostgresService(config, "minikms", "minikms_db", "postgres", runtimeEnv.MINIKMS_DB_PASSWORD);
+  runOpenFgaMigrate(config, runtimeEnv);
+  runMiniKmsMigrate(config, runtimeEnv);
+  run("docker", ["stack", "deploy", "-c", BOOTSTRAP_STACK_FILE, config.services.stack_name]);
+  waitForHttpService(config, "keycloak", "http://keycloak:8080/realms/master");
+  waitForHttpService(config, "openfga", "http://openfga:8090/stores");
+  waitForTcpService(config, "minikms", "minikms", 50051);
+  const initResult = runBootstrapInit(config);
+  const bootstrappedGenerated = normalizeGeneratedState({
+    openfga: {
+      store_id: initResult.openfgaStoreId,
+      model_id: initResult.openfgaModelId
+    },
+    secrets: nextGenerated.secrets,
+    bootstrap: {
+      completed_at: (/* @__PURE__ */ new Date()).toISOString()
+    }
+  });
+  writeDeployArtifacts(config, bootstrappedGenerated);
+  console.log("Bootstrap completed.");
 }
 async function cmdDeploy() {
-  const config = loadConfig();
+  const { config, generated } = loadState();
+  assertSwarmManager();
+  assertBootstrapState(generated);
+  const services = listStackServices(config);
+  if (serviceHealth(services, `${config.services.stack_name}_keycloak`) === "missing" || serviceHealth(services, `${config.services.stack_name}_openfga`) === "missing" || serviceHealth(services, `${config.services.stack_name}_minikms`) === "missing") {
+    throw new Error("Bootstrap has not completed successfully. Run 'envsync-deploy bootstrap' again.");
+  }
+  ensureRepoCheckout(config);
+  writeDeployArtifacts(config, generated);
   buildKeycloakImage(config.images.keycloak);
   ensureDir(`${RELEASES_ROOT}/web/current`);
   ensureDir(`${RELEASES_ROOT}/landing/current`);
@@ -759,12 +1276,29 @@ async function cmdDeploy() {
   run("docker", ["stack", "deploy", "-c", STACK_FILE, config.services.stack_name]);
 }
 async function cmdHealth(asJson) {
-  const config = loadConfig();
+  const { config, generated } = loadState();
   const hosts = domainMap(config.domain.root_domain);
-  const services = run("docker", ["stack", "services", config.services.stack_name], { quiet: true });
+  const services = listStackServices(config);
+  const stackName = config.services.stack_name;
+  const bootstrapServices = {
+    postgres: serviceHealth(services, `${stackName}_postgres`),
+    redis: serviceHealth(services, `${stackName}_redis`),
+    rustfs: serviceHealth(services, `${stackName}_rustfs`),
+    keycloak: serviceHealth(services, `${stackName}_keycloak`),
+    openfga: serviceHealth(services, `${stackName}_openfga`),
+    minikms: serviceHealth(services, `${stackName}_minikms`)
+  };
   const checks = {
-    keycloak_image: config.images.keycloak,
-    services,
+    bootstrap: {
+      completed: hasCompleteBootstrapState(generated) && generated.bootstrap.completed_at.length > 0,
+      completed_at: generated.bootstrap.completed_at || null,
+      services: bootstrapServices
+    },
+    deploy: {
+      api: apiHealth(services, stackName),
+      web: serviceHealth(services, `${stackName}_web_nginx`),
+      landing: serviceHealth(services, `${stackName}_landing_nginx`)
+    },
     public: {
       landing: `https://${hosts.landing}`,
       app: `https://${hosts.app}`,
@@ -773,25 +1307,27 @@ async function cmdHealth(asJson) {
       obs: `https://${hosts.obs}`
     }
   };
-  if (asJson) console.log(JSON.stringify(checks, null, 2));
-  else {
-    console.log(services);
-    console.log(JSON.stringify(checks.public, null, 2));
+  if (asJson) {
+    console.log(JSON.stringify(checks, null, 2));
+    return;
   }
+  console.log(JSON.stringify(checks, null, 2));
 }
 async function cmdUpgrade() {
-  const config = loadConfig();
-  const nextImage = `ghcr.io/envsync-cloud/envsync-api:${config.release_channel}`;
-  config.images.api = nextImage;
-  saveConfig(config);
+  const { config } = loadState();
+  config.images = {
+    ...config.images,
+    ...versionedImages(config.release.version)
+  };
+  saveDesiredConfig(config);
   await cmdDeploy();
 }
 async function cmdUpgradeDeps() {
-  const config = loadConfig();
+  const { config } = loadState();
   config.images.traefik = "traefik:v3.1";
   config.images.clickstack = "clickhouse/clickstack-all-in-one:latest";
   config.images.otel_agent = "otel/opentelemetry-collector-contrib:0.111.0";
-  saveConfig(config);
+  saveDesiredConfig(config);
   await cmdDeploy();
 }
 function sha256File(filePath) {
@@ -833,7 +1369,7 @@ function restoreDockerVolume(volumeName, sourceDir) {
   ]);
 }
 async function cmdBackup() {
-  const config = loadConfig();
+  const { config } = loadState();
   ensureDir(config.backup.output_dir);
   const timestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:]/g, "-");
   const archiveBase = path.join(config.backup.output_dir, `envsync-backup-${timestamp}`);
@@ -845,14 +1381,15 @@ async function cmdBackup() {
   writeFile(path.join(staged, "deploy.yaml"), fs.readFileSync(DEPLOY_YAML, "utf8"));
   writeFile(path.join(staged, "config.json"), fs.readFileSync(INTERNAL_CONFIG_JSON, "utf8"));
   writeFile(path.join(staged, "versions.lock.json"), fs.readFileSync(VERSIONS_LOCK, "utf8"));
+  writeFile(path.join(staged, "docker-stack.bootstrap.base.yaml"), fs.readFileSync(BOOTSTRAP_BASE_STACK_FILE, "utf8"));
+  writeFile(path.join(staged, "docker-stack.bootstrap.yaml"), fs.readFileSync(BOOTSTRAP_STACK_FILE, "utf8"));
   writeFile(path.join(staged, "docker-stack.yaml"), fs.readFileSync(STACK_FILE, "utf8"));
   writeFile(path.join(staged, "traefik-dynamic.yaml"), fs.readFileSync(TRAEFIK_DYNAMIC_FILE, "utf8"));
   writeFile(path.join(staged, "keycloak-realm.envsync.json"), fs.readFileSync(KEYCLOAK_REALM_FILE, "utf8"));
   writeFile(path.join(staged, "otel-agent.yaml"), fs.readFileSync(OTEL_AGENT_CONF, "utf8"));
   const volumesDir = path.join(staged, "volumes");
   for (const volume of STACK_VOLUMES) {
-    const target = path.join(volumesDir, volume);
-    backupDockerVolume(stackVolumeName(config, volume), target);
+    backupDockerVolume(stackVolumeName(config, volume), path.join(volumesDir, volume));
   }
   run("bash", ["-lc", `tar -czf ${JSON.stringify(tarPath)} -C ${JSON.stringify(staged)} .`]);
   const manifest = {
@@ -867,7 +1404,6 @@ async function cmdBackup() {
 }
 async function cmdRestore(archivePath) {
   if (!archivePath) throw new Error("restore requires a .tar.gz path");
-  const config = loadConfig();
   const restoreRoot = path.join(BACKUPS_ROOT, `restore-${Date.now()}`);
   ensureDir(restoreRoot);
   run("bash", ["-lc", `tar -xzf ${JSON.stringify(archivePath)} -C ${JSON.stringify(restoreRoot)}`]);
@@ -875,14 +1411,17 @@ async function cmdRestore(archivePath) {
   writeFile(DEPLOY_YAML, fs.readFileSync(path.join(restoreRoot, "deploy.yaml"), "utf8"));
   writeFile(INTERNAL_CONFIG_JSON, fs.readFileSync(path.join(restoreRoot, "config.json"), "utf8"));
   writeFile(VERSIONS_LOCK, fs.readFileSync(path.join(restoreRoot, "versions.lock.json"), "utf8"));
+  writeFile(BOOTSTRAP_BASE_STACK_FILE, fs.readFileSync(path.join(restoreRoot, "docker-stack.bootstrap.base.yaml"), "utf8"));
+  writeFile(BOOTSTRAP_STACK_FILE, fs.readFileSync(path.join(restoreRoot, "docker-stack.bootstrap.yaml"), "utf8"));
   writeFile(STACK_FILE, fs.readFileSync(path.join(restoreRoot, "docker-stack.yaml"), "utf8"));
   writeFile(TRAEFIK_DYNAMIC_FILE, fs.readFileSync(path.join(restoreRoot, "traefik-dynamic.yaml"), "utf8"));
   writeFile(KEYCLOAK_REALM_FILE, fs.readFileSync(path.join(restoreRoot, "keycloak-realm.envsync.json"), "utf8"));
   writeFile(OTEL_AGENT_CONF, fs.readFileSync(path.join(restoreRoot, "otel-agent.yaml"), "utf8"));
+  const config = loadConfig();
   for (const volume of STACK_VOLUMES) {
     restoreDockerVolume(stackVolumeName(config, volume), path.join(restoreRoot, "volumes", volume));
   }
-  await cmdDeploy();
+  console.log("Restore completed. Run 'envsync-deploy deploy' to start services.");
 }
 async function main() {
   const command = process.argv[2];
@@ -894,6 +1433,9 @@ async function main() {
     case "setup":
       await cmdSetup();
       break;
+    case "bootstrap":
+      await cmdBootstrap();
+      break;
     case "deploy":
       await cmdDeploy();
       break;
@@ -913,7 +1455,7 @@ async function main() {
       await cmdRestore(flag ?? "");
       break;
     default:
-      console.log("Usage: envsync-deploy <preinstall|setup|deploy|health|upgrade|upgrade-deps|backup|restore>");
+      console.log("Usage: envsync-deploy <preinstall|setup|bootstrap|deploy|health|upgrade|upgrade-deps|backup|restore>");
       process.exit(command ? 1 : 0);
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@envsync-cloud/deploy-cli",
-  "version": "0.6.1",
+  "version": "0.6.3",
   "description": "CLI for self-hosted EnvSync deployment on Docker Swarm",
   "type": "module",
   "bin": {