@envsync-cloud/deploy-cli 0.6.14 → 0.6.17

package/README.md

@@ -65,6 +65,8 @@ npx @envsync-cloud/deploy-cli setup
 
 `setup` requires an exact release version such as `0.6.2`. Channel names like `stable` and `latest` are not accepted for self-hosted installs.
 
+The configured target release comes from `/etc/envsync/deploy.yaml`. Running a newer CLI package with `bunx @envsync-cloud/deploy-cli@<version> ...` does not change the pinned target release by itself.
+
 Bootstrap infra, migrations, RustFS, and OpenFGA:
 
 ```bash
@@ -73,6 +75,8 @@ npx @envsync-cloud/deploy-cli bootstrap
 
 `bootstrap` is destructive. It removes the existing EnvSync stack, matching containers, network, and managed volumes before rebuilding, and requires typing `yes` to continue. Use `--force` to bypass the prompt in automation or other non-interactive environments.
 
+During destructive bootstrap, stable generated secrets are preserved, but persisted OpenFGA store/model IDs are cleared before re-initialization so a fresh OpenFGA database cannot reuse stale IDs from a previous run.
+
 Deploy the pending API and frontend services:
 
 ```bash
@@ -117,6 +121,26 @@ npx @envsync-cloud/deploy-cli bootstrap --force
 npx @envsync-cloud/deploy-cli deploy --dry-run
 ```
 
+## Local Smoke Testing
+
+Use the repo-local smoke harness to test unpublished self-hosted deploy-cli changes without publishing to GitHub or npm:
+
+```bash
+bun run selfhost:smoke
+```
+
+The smoke harness:
+- runs the local `packages/deploy-cli/src/index.ts` directly
+- uses disposable roots under `.tmp/selfhost-smoke`
+- sets `ENVSYNC_REPO_ROOT` to the current workspace so no repo clone/fetch/checkout happens
+- uses high host ports instead of `80/443`
+
+Advanced local test overrides supported by the deploy-cli:
+- `ENVSYNC_HOST_ROOT`
+- `ENVSYNC_ETC_ROOT`
+- `ENVSYNC_TRAEFIK_STATE_ROOT`
+- `ENVSYNC_REPO_ROOT`
+
 ## Links
 
 - Repository: https://github.com/EnvSync-Cloud/envsync

package/dist/index.js

@@ -7,26 +7,26 @@ import fs from "fs";
 import path from "path";
 import readline from "readline";
 import chalk from "chalk";
-var HOST_ROOT = "/opt/envsync";
-var DEPLOY_ROOT = "/opt/envsync/deploy";
-var RELEASES_ROOT = "/opt/envsync/releases";
-var BACKUPS_ROOT = "/opt/envsync/backups";
-var ETC_ROOT = "/etc/envsync";
-var TRAEFIK_STATE_ROOT = "/var/lib/envsync/traefik";
-var REPO_ROOT = "/opt/envsync/repo";
-var DEPLOY_ENV = "/etc/envsync/deploy.env";
-var DEPLOY_YAML = "/etc/envsync/deploy.yaml";
-var VERSIONS_LOCK = "/opt/envsync/deploy/versions.lock.json";
-var STACK_FILE = "/opt/envsync/deploy/docker-stack.yaml";
-var BOOTSTRAP_BASE_STACK_FILE = "/opt/envsync/deploy/docker-stack.bootstrap.base.yaml";
-var BOOTSTRAP_STACK_FILE = "/opt/envsync/deploy/docker-stack.bootstrap.yaml";
-var TRAEFIK_DYNAMIC_FILE = "/opt/envsync/deploy/traefik-dynamic.yaml";
-var KEYCLOAK_REALM_FILE = "/opt/envsync/deploy/keycloak-realm.envsync.json";
-var NGINX_WEB_CONF = "/opt/envsync/deploy/nginx-web.conf";
-var NGINX_LANDING_CONF = "/opt/envsync/deploy/nginx-landing.conf";
-var OTEL_AGENT_CONF = "/opt/envsync/deploy/otel-agent.yaml";
-var CLICKSTACK_CLICKHOUSE_CONF = "/opt/envsync/deploy/clickhouse-listen.xml";
-var INTERNAL_CONFIG_JSON = "/opt/envsync/deploy/config.json";
+var HOST_ROOT = process.env.ENVSYNC_HOST_ROOT ?? "/opt/envsync";
+var ETC_ROOT = process.env.ENVSYNC_ETC_ROOT ?? "/etc/envsync";
+var TRAEFIK_STATE_ROOT = process.env.ENVSYNC_TRAEFIK_STATE_ROOT ?? "/var/lib/envsync/traefik";
+var DEPLOY_ROOT = path.join(HOST_ROOT, "deploy");
+var RELEASES_ROOT = path.join(HOST_ROOT, "releases");
+var BACKUPS_ROOT = path.join(HOST_ROOT, "backups");
+var REPO_ROOT = process.env.ENVSYNC_REPO_ROOT ?? path.join(HOST_ROOT, "repo");
+var DEPLOY_ENV = path.join(ETC_ROOT, "deploy.env");
+var DEPLOY_YAML = path.join(ETC_ROOT, "deploy.yaml");
+var VERSIONS_LOCK = path.join(DEPLOY_ROOT, "versions.lock.json");
+var STACK_FILE = path.join(DEPLOY_ROOT, "docker-stack.yaml");
+var BOOTSTRAP_BASE_STACK_FILE = path.join(DEPLOY_ROOT, "docker-stack.bootstrap.base.yaml");
+var BOOTSTRAP_STACK_FILE = path.join(DEPLOY_ROOT, "docker-stack.bootstrap.yaml");
+var TRAEFIK_DYNAMIC_FILE = path.join(DEPLOY_ROOT, "traefik-dynamic.yaml");
+var KEYCLOAK_REALM_FILE = path.join(DEPLOY_ROOT, "keycloak-realm.envsync.json");
+var NGINX_WEB_CONF = path.join(DEPLOY_ROOT, "nginx-web.conf");
+var NGINX_LANDING_CONF = path.join(DEPLOY_ROOT, "nginx-landing.conf");
+var OTEL_AGENT_CONF = path.join(DEPLOY_ROOT, "otel-agent.yaml");
+var CLICKSTACK_CLICKHOUSE_CONF = path.join(DEPLOY_ROOT, "clickhouse-listen.xml");
+var INTERNAL_CONFIG_JSON = path.join(DEPLOY_ROOT, "config.json");
 var STACK_VOLUMES = [
   "postgres_data",
   "redis_data",
@@ -109,6 +109,28 @@ function commandSucceeds(cmd, args, opts = {}) {
   });
   return result.status === 0;
 }
+function runIgnoringAbsent(cmd, args, opts = {}) {
+  const result = spawnSync(cmd, args, {
+    cwd: opts.cwd,
+    env: { ...process.env, ...opts.env },
+    stdio: "pipe",
+    encoding: "utf8"
+  });
+  if (result.status === 0) {
+    const stdout = typeof result.stdout === "string" ? result.stdout.trim() : "";
+    if (stdout) console.log(stdout);
+    return true;
+  }
+  const combined = `${typeof result.stdout === "string" ? result.stdout : ""}
+${typeof result.stderr === "string" ? result.stderr : ""}`.toLowerCase();
+  const absentPatterns = (opts.absentPatterns ?? []).map((pattern) => pattern.toLowerCase());
+  if (absentPatterns.some((pattern) => combined.includes(pattern))) {
+    return false;
+  }
+  const stderr = typeof result.stderr === "string" ? result.stderr : "";
+  throw new Error(`Command failed: ${cmd} ${args.join(" ")}${stderr ? `
+${stderr}` : ""}`);
+}
 function ensureDir(dir) {
   fs.mkdirSync(dir, { recursive: true });
 }
@@ -256,6 +278,19 @@ function getDeployCliVersion() {
     return process.env.npm_package_version ?? "0.0.0";
   }
 }
+function hasExplicitRepoOverride() {
+  return typeof process.env.ENVSYNC_REPO_ROOT === "string" && process.env.ENVSYNC_REPO_ROOT.length > 0;
+}
+function logReleaseContext(config) {
+  const cliVersion = getDeployCliVersion();
+  logInfo(`Configured release version from ${DEPLOY_YAML}: ${config.release.version}`);
+  logInfo(`Running deploy-cli version: ${cliVersion}`);
+  if (cliVersion !== config.release.version) {
+    logWarn(
+      `The running deploy-cli version does not change the configured release target. This run will deploy the version pinned in ${DEPLOY_YAML}.`
+    );
+  }
+}
 function assertSemverVersion(version, label = "release version") {
   if (!SEMVER_VERSION_RE.test(version)) {
     throw new Error(`Invalid ${label} '${version}'. Expected an exact semver like 0.6.2.`);
@@ -332,6 +367,8 @@ function normalizeConfig(raw) {
     services: {
       stack_name: requireDefined(raw.services?.stack_name, "services.stack_name"),
       api_port: requireDefined(raw.services?.api_port, "services.api_port"),
+      public_http_port: raw.services?.public_http_port ?? 80,
+      public_https_port: raw.services?.public_https_port ?? 443,
       clickstack_ui_port: requireDefined(raw.services?.clickstack_ui_port, "services.clickstack_ui_port"),
       clickstack_otlp_http_port: requireDefined(raw.services?.clickstack_otlp_http_port, "services.clickstack_otlp_http_port"),
       clickstack_otlp_grpc_port: requireDefined(raw.services?.clickstack_otlp_grpc_port, "services.clickstack_otlp_grpc_port"),
@@ -475,6 +512,18 @@ function ensureGeneratedRuntimeState(generated) {
     bootstrap: generated.bootstrap
   });
 }
+function resetBootstrapGeneratedState(generated) {
+  return normalizeGeneratedState({
+    openfga: {
+      store_id: "",
+      model_id: ""
+    },
+    secrets: generated.secrets,
+    bootstrap: {
+      completed_at: ""
+    }
+  });
+}
 function keycloakImageTag(image) {
   return image.split(":").slice(1).join(":") || "local";
 }
@@ -805,11 +854,11 @@ services:
       - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
     ports:
       - target: 80
-        published: 80
+        published: ${config.services.public_http_port}
         protocol: tcp
         mode: host
       - target: 443
-        published: 443
+        published: ${config.services.public_https_port}
         protocol: tcp
         mode: host
     volumes:
@@ -956,9 +1005,7 @@ ${renderEnvList({
     environment:
 ${renderEnvList({
     HYPERDX_APP_URL: `https://${hosts.obs}`,
-    HYPERDX_APP_PORT: "443",
     HYPERDX_API_URL: `https://${hosts.obs}`,
-    HYPERDX_API_PORT: "443",
     FRONTEND_URL: `https://${hosts.obs}`
   })}
     volumes:
@@ -1058,6 +1105,14 @@ function ensureRepoCheckout(config) {
     logDryRun(`Would ensure repo checkout at ${REPO_ROOT}`);
     return;
   }
+  if (hasExplicitRepoOverride()) {
+    if (!exists(path.join(REPO_ROOT, ".git"))) {
+      throw new Error(`ENVSYNC_REPO_ROOT is set but no git repo was found at ${REPO_ROOT}`);
+    }
+    logInfo(`Using local repo override at ${REPO_ROOT}`);
+    logSuccess("Local repo override is ready");
+    return;
+  }
   ensureDir(REPO_ROOT);
   if (!exists(path.join(REPO_ROOT, ".git"))) {
     logCommand("git", ["clone", config.source.repo_url, REPO_ROOT]);
@@ -1495,16 +1550,31 @@ function cleanupBootstrapState(config) {
   const refreshedContainers = listManagedContainers(config);
   if (refreshedContainers.length > 0) {
     logCommand("docker", ["rm", "-f", ...refreshedContainers]);
-    run("docker", ["rm", "-f", ...refreshedContainers]);
+    const removed = runIgnoringAbsent("docker", ["rm", "-f", ...refreshedContainers], {
+      absentPatterns: ["no such container", "not found"]
+    });
+    if (!removed) {
+      logInfo("Managed containers were already absent");
+    }
   }
   if (commandSucceeds("docker", ["network", "inspect", networkName])) {
     logCommand("docker", ["network", "rm", networkName]);
-    run("docker", ["network", "rm", networkName]);
+    const removed = runIgnoringAbsent("docker", ["network", "rm", networkName], {
+      absentPatterns: ["network", "not found", "no such network"]
+    });
+    if (!removed) {
+      logInfo(`Network ${networkName} was already absent`);
+    }
   }
   for (const volumeName of volumeNames) {
     if (commandSucceeds("docker", ["volume", "inspect", volumeName])) {
       logCommand("docker", ["volume", "rm", "-f", volumeName]);
-      run("docker", ["volume", "rm", "-f", volumeName]);
+      const removed = runIgnoringAbsent("docker", ["volume", "rm", "-f", volumeName], {
+        absentPatterns: ["no such volume", "not found"]
+      });
+      if (!removed) {
+        logInfo(`Volume ${volumeName} was already absent`);
+      }
     }
   }
   logSuccess("Existing EnvSync deployment resources removed");
@@ -1575,6 +1645,8 @@ async function cmdSetup() {
     services: {
       stack_name: "envsync",
       api_port: 4e3,
+      public_http_port: 80,
+      public_https_port: 443,
       clickstack_ui_port: 8080,
       clickstack_otlp_http_port: 4318,
       clickstack_otlp_grpc_port: 4317,
@@ -1623,9 +1695,9 @@ async function cmdSetup() {
 async function cmdBootstrap() {
   logSection("Bootstrap");
   const { config, generated } = loadState();
-  const nextGenerated = ensureGeneratedRuntimeState(generated);
+  const nextGenerated = ensureGeneratedRuntimeState(resetBootstrapGeneratedState(generated));
   const runtimeEnv = buildRuntimeEnv(config, nextGenerated);
-  logInfo(`Release version: ${config.release.version}`);
+  logReleaseContext(config);
   assertSwarmManager();
   if (currentOptions.dryRun) {
     logWarn("Dry-run mode: bootstrap reset will be previewed but not executed.");
@@ -1698,7 +1770,7 @@ async function cmdBootstrap() {
 async function cmdDeploy() {
   logSection("Deploy");
   const { config, generated } = loadState();
-  logInfo(`Release version: ${config.release.version}`);
+  logReleaseContext(config);
   assertSwarmManager();
   assertBootstrapState(generated);
   if (!currentOptions.dryRun) {
@@ -1795,6 +1867,7 @@ async function cmdHealth(asJson) {
 async function cmdUpgrade() {
   logSection("Upgrade");
   const { config } = loadState();
+  logReleaseContext(config);
   config.images = {
     ...config.images,
     ...versionedImages(config.release.version)
@@ -1808,6 +1881,7 @@ async function cmdUpgrade() {
 async function cmdUpgradeDeps() {
   logSection("Upgrade Dependencies");
   const { config } = loadState();
+  logReleaseContext(config);
   config.images.traefik = "traefik:v3.6.6";
   config.images.clickstack = "clickhouse/clickstack-all-in-one:latest";
   config.images.otel_agent = "otel/opentelemetry-collector-contrib:0.111.0";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@envsync-cloud/deploy-cli",
-  "version": "0.6.14",
+  "version": "0.6.17",
   "description": "CLI for self-hosted EnvSync deployment on Docker Swarm",
   "type": "module",
   "bin": {