npm - @envsync-cloud/deploy-cli - Versions diffs - 0.6.4 → 0.6.6 - Mend

@envsync-cloud/deploy-cli 0.6.4 → 0.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -40,7 +40,7 @@ bunx @envsync-cloud/deploy-cli <command>
 ```text
 envsync-deploy preinstall
 envsync-deploy setup
-envsync-deploy bootstrap [--dry-run]
+envsync-deploy bootstrap [--dry-run] [--force]
 envsync-deploy deploy [--dry-run]
 envsync-deploy health [--json]
 envsync-deploy upgrade [--dry-run]
@@ -71,6 +71,8 @@ Bootstrap infra, migrations, RustFS, and OpenFGA:
 npx @envsync-cloud/deploy-cli bootstrap
 ```
+`bootstrap` is destructive. It removes the existing EnvSync stack, matching containers, network, and managed volumes before rebuilding, and requires typing `yes` to continue. Use `--force` to bypass the prompt in automation or other non-interactive environments.
 Deploy the pending API and frontend services:
 ```bash
@@ -79,7 +81,7 @@ npx @envsync-cloud/deploy-cli deploy
 The staged flow is:
 - `setup` writes desired config
-- `bootstrap` starts base infra, runs OpenFGA and miniKMS migrations, starts runtime infra, and persists generated runtime env state
+- `bootstrap` resets the existing EnvSync deployment, then starts base infra, runs OpenFGA and miniKMS migrations, starts runtime infra, and persists generated runtime env state
 - `deploy` starts the pending API and frontend services
 Check service health:
@@ -104,6 +106,7 @@ Preview mutating commands without changing the host:
 ```bash
 npx @envsync-cloud/deploy-cli bootstrap --dry-run
+npx @envsync-cloud/deploy-cli bootstrap --force
 npx @envsync-cloud/deploy-cli deploy --dry-run
 ```

package/dist/index.js CHANGED Viewed

@@ -48,7 +48,7 @@ var REQUIRED_BOOTSTRAP_ENV_KEYS = [
   "OPENFGA_MODEL_ID"
 ];
 var SEMVER_VERSION_RE = /^\d+\.\d+\.\d+$/;
-var currentOptions = { dryRun: false };
+var currentOptions = { dryRun: false, force: false };
 function formatShellArg(arg) {
   if (/^[A-Za-z0-9_./:@%+=,-]+$/.test(arg)) return arg;
   return JSON.stringify(arg);
@@ -69,6 +69,9 @@ function logInfo(message) {
 function logSuccess(message) {
   console.log(`${chalk.green("[ok]")} ${message}`);
 }
+function logWarn(message) {
+  console.log(`${chalk.yellow("[warn]")} ${message}`);
+}
 function logDryRun(message) {
   console.log(`${chalk.magenta("[dry-run]")} ${message}`);
 }
@@ -216,6 +219,18 @@ async function ask(question, fallback = "") {
     });
   });
 }
+async function askRequired(question) {
+  if (!process.stdin.isTTY) {
+    throw new Error("Bootstrap confirmation requires an interactive terminal. Re-run with --force to bypass the prompt.");
+  }
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return await new Promise((resolve) => {
+    rl.question(`${question} `, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
 function sleepSeconds(seconds) {
   spawnSync("sleep", [`${seconds}`], { stdio: "ignore" });
 }
@@ -364,6 +379,7 @@ function emptyGeneratedState() {
     },
     secrets: {
       s3_secret_key: "",
+      keycloak_db_password: "",
       keycloak_web_client_secret: "",
       keycloak_api_client_secret: "",
       openfga_db_password: "",
@@ -384,6 +400,7 @@ function normalizeGeneratedState(raw) {
     },
     secrets: {
       s3_secret_key: raw?.secrets?.s3_secret_key ?? defaults.secrets.s3_secret_key,
+      keycloak_db_password: raw?.secrets?.keycloak_db_password ?? defaults.secrets.keycloak_db_password,
       keycloak_web_client_secret: raw?.secrets?.keycloak_web_client_secret ?? defaults.secrets.keycloak_web_client_secret,
       keycloak_api_client_secret: raw?.secrets?.keycloak_api_client_secret ?? defaults.secrets.keycloak_api_client_secret,
       openfga_db_password: raw?.secrets?.openfga_db_password ?? defaults.secrets.openfga_db_password,
@@ -426,6 +443,7 @@ function mergeGeneratedState(env, generated) {
     },
     secrets: {
       s3_secret_key: env.S3_SECRET_KEY ?? normalized.secrets.s3_secret_key,
+      keycloak_db_password: env.KEYCLOAK_DB_PASSWORD ?? normalized.secrets.keycloak_db_password,
       keycloak_web_client_secret: env.KEYCLOAK_WEB_CLIENT_SECRET ?? normalized.secrets.keycloak_web_client_secret,
       keycloak_api_client_secret: env.KEYCLOAK_API_CLIENT_SECRET ?? normalized.secrets.keycloak_api_client_secret,
       openfga_db_password: env.OPENFGA_DB_PASSWORD ?? normalized.secrets.openfga_db_password,
@@ -446,6 +464,7 @@ function ensureGeneratedRuntimeState(generated) {
     openfga: generated.openfga,
     secrets: {
       s3_secret_key: generated.secrets.s3_secret_key || randomSecret(16),
+      keycloak_db_password: generated.secrets.keycloak_db_password || "",
       keycloak_web_client_secret: generated.secrets.keycloak_web_client_secret || randomSecret(),
       keycloak_api_client_secret: generated.secrets.keycloak_api_client_secret || randomSecret(),
       openfga_db_password: generated.secrets.openfga_db_password || randomSecret(),
@@ -488,6 +507,7 @@ function buildRuntimeEnv(config, generated) {
     KEYCLOAK_REALM: config.auth.keycloak_realm,
     KEYCLOAK_ADMIN_USER: config.auth.admin_user,
     KEYCLOAK_ADMIN_PASSWORD: config.auth.admin_password,
+    KEYCLOAK_DB_PASSWORD: generated.secrets.keycloak_db_password || config.auth.admin_password,
     KEYCLOAK_WEB_CLIENT_ID: config.auth.web_client_id,
     KEYCLOAK_WEB_CLIENT_SECRET: generated.secrets.keycloak_web_client_secret,
     KEYCLOAK_CLI_CLIENT_ID: config.auth.cli_client_id,
@@ -781,7 +801,7 @@ ${renderEnvList({
     environment:
 ${renderEnvList({
     POSTGRES_USER: "keycloak",
-    POSTGRES_PASSWORD: runtimeEnv.KEYCLOAK_ADMIN_PASSWORD,
+    POSTGRES_PASSWORD: runtimeEnv.KEYCLOAK_DB_PASSWORD,
     POSTGRES_DB: "keycloak"
   })}
     volumes:
@@ -798,7 +818,7 @@ ${renderEnvList({
     KC_DB: "postgres",
     KC_DB_URL: "jdbc:postgresql://keycloak_db:5432/keycloak",
     KC_DB_USERNAME: "keycloak",
-    KC_DB_PASSWORD: runtimeEnv.KEYCLOAK_ADMIN_PASSWORD,
+    KC_DB_PASSWORD: runtimeEnv.KEYCLOAK_DB_PASSWORD,
     KC_BOOTSTRAP_ADMIN_USERNAME: config.auth.admin_user,
     KC_BOOTSTRAP_ADMIN_PASSWORD: config.auth.admin_password,
     KC_HTTP_ENABLED: "true",
@@ -1070,7 +1090,29 @@ function waitForTcpService(config, label, host, port, timeoutSeconds = 120) {
   throw new Error(`Timed out waiting for ${label} at ${host}:${port}`);
 }
 function waitForHttpService(config, label, url, timeoutSeconds = 120) {
-  waitForCommand(config, `${label} HTTP readiness`, "alpine:3.20", `wget -q -O /dev/null ${JSON.stringify(url)}`, timeoutSeconds);
+  if (currentOptions.dryRun) {
+    logDryRun(`Would wait for ${label} at ${url}`);
+    return;
+  }
+  logStep(`Waiting for ${label} on ${url}`);
+  const deadline = Date.now() + timeoutSeconds * 1e3;
+  while (Date.now() < deadline) {
+    if (commandSucceeds("docker", [
+      "run",
+      "--rm",
+      "--network",
+      stackNetworkName(config),
+      "alpine:3.20",
+      "sh",
+      "-lc",
+      `wget -q -O /dev/null ${JSON.stringify(url)}`
+    ])) {
+      logSuccess(`${label} is ready`);
+      return;
+    }
+    sleepSeconds(2);
+  }
+  throw new Error(`Timed out waiting for ${label} at ${url}`);
 }
 function runOpenFgaMigrate(config, runtimeEnv) {
   logStep("Running OpenFGA datastore migrations");
@@ -1251,6 +1293,100 @@ function listStackServices(config) {
   }
   return services;
 }
+function listManagedContainers(config) {
+  const output = tryRun("docker", ["ps", "-aq", "--filter", `name=^/${config.services.stack_name}_`], { quiet: true });
+  return output.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+}
+function stackExists(config) {
+  const output = tryRun("docker", ["stack", "ls", "--format", "{{.Name}}"], { quiet: true });
+  return output.split(/\r?\n/).map((line) => line.trim()).filter(Boolean).includes(config.services.stack_name);
+}
+function waitForStackRemoval(config, timeoutSeconds = 60) {
+  if (currentOptions.dryRun) {
+    logDryRun(`Would wait for stack ${config.services.stack_name} to be removed`);
+    return;
+  }
+  const deadline = Date.now() + timeoutSeconds * 1e3;
+  while (Date.now() < deadline) {
+    if (!stackExists(config)) {
+      return;
+    }
+    sleepSeconds(2);
+  }
+  throw new Error(`Timed out waiting for stack ${config.services.stack_name} to be removed`);
+}
+async function confirmBootstrapReset(config) {
+  const volumeNames = STACK_VOLUMES.map((volume) => stackVolumeName(config, volume));
+  const containerIds = listManagedContainers(config);
+  const networkName = stackNetworkName(config);
+  logWarn("Bootstrap will delete existing EnvSync Docker resources before rebuilding infra.");
+  logWarn(`Stack: ${config.services.stack_name}`);
+  logWarn(`Network: ${networkName}`);
+  logWarn(`Volumes: ${volumeNames.join(", ")}`);
+  if (containerIds.length > 0) {
+    logWarn(`Containers: ${containerIds.join(", ")}`);
+  } else {
+    logWarn("Containers: none currently matched");
+  }
+  logWarn("This removes existing deployment data for the managed EnvSync services.");
+  if (currentOptions.force) {
+    logWarn("Skipping confirmation because --force was provided.");
+    logSuccess("Destructive bootstrap reset confirmed");
+    return;
+  }
+  const response = await askRequired(chalk.bold.red('Type "yes" to continue:'));
+  if (response !== "yes") {
+    throw new Error("Bootstrap aborted. Confirmation did not match 'yes'.");
+  }
+  logSuccess("Destructive bootstrap reset confirmed");
+}
+function cleanupBootstrapState(config) {
+  const volumeNames = STACK_VOLUMES.map((volume) => stackVolumeName(config, volume));
+  const containerIds = listManagedContainers(config);
+  const networkName = stackNetworkName(config);
+  logStep("Removing existing EnvSync deployment resources");
+  if (currentOptions.dryRun) {
+    if (stackExists(config)) {
+      logDryRun(`Would remove stack ${config.services.stack_name}`);
+      logCommand("docker", ["stack", "rm", config.services.stack_name]);
+    } else {
+      logDryRun(`No existing stack named ${config.services.stack_name} found`);
+    }
+    if (containerIds.length > 0) {
+      logDryRun(`Would remove containers: ${containerIds.join(", ")}`);
+      logCommand("docker", ["rm", "-f", ...containerIds]);
+    }
+    logDryRun(`Would remove network ${networkName} if present`);
+    logCommand("docker", ["network", "rm", networkName]);
+    for (const volumeName of volumeNames) {
+      logDryRun(`Would remove volume ${volumeName}`);
+      logCommand("docker", ["volume", "rm", "-f", volumeName]);
+    }
+    logSuccess("Bootstrap cleanup preview completed");
+    return;
+  }
+  if (stackExists(config)) {
+    logCommand("docker", ["stack", "rm", config.services.stack_name]);
+    run("docker", ["stack", "rm", config.services.stack_name]);
+    waitForStackRemoval(config);
+  }
+  const refreshedContainers = listManagedContainers(config);
+  if (refreshedContainers.length > 0) {
+    logCommand("docker", ["rm", "-f", ...refreshedContainers]);
+    run("docker", ["rm", "-f", ...refreshedContainers]);
+  }
+  if (commandSucceeds("docker", ["network", "inspect", networkName])) {
+    logCommand("docker", ["network", "rm", networkName]);
+    run("docker", ["network", "rm", networkName]);
+  }
+  for (const volumeName of volumeNames) {
+    if (commandSucceeds("docker", ["volume", "inspect", volumeName])) {
+      logCommand("docker", ["volume", "rm", "-f", volumeName]);
+      run("docker", ["volume", "rm", "-f", volumeName]);
+    }
+  }
+  logSuccess("Existing EnvSync deployment resources removed");
+}
 function serviceHealth(services, name) {
   return services.get(`${name}`) ?? "missing";
 }
@@ -1369,6 +1505,11 @@ async function cmdBootstrap() {
   const runtimeEnv = buildRuntimeEnv(config, nextGenerated);
   logInfo(`Release version: ${config.release.version}`);
   assertSwarmManager();
+  if (currentOptions.dryRun) {
+    logWarn("Dry-run mode: bootstrap reset will be previewed but not executed.");
+  }
+  await confirmBootstrapReset(config);
+  cleanupBootstrapState(config);
   ensureRepoCheckout(config);
   writeDeployArtifacts(config, nextGenerated);
   buildKeycloakImage(config.images.keycloak);
@@ -1384,7 +1525,7 @@ async function cmdBootstrap() {
   waitForPostgresService(config, "postgres", "postgres", "postgres", "envsync-postgres");
   waitForRedisService(config);
   waitForTcpService(config, "rustfs", "rustfs", 9e3);
-  waitForPostgresService(config, "keycloak", "keycloak_db", "keycloak", runtimeEnv.KEYCLOAK_ADMIN_PASSWORD);
+  waitForPostgresService(config, "keycloak", "keycloak_db", "keycloak", runtimeEnv.KEYCLOAK_DB_PASSWORD);
   waitForPostgresService(config, "openfga", "openfga_db", "openfga", runtimeEnv.OPENFGA_DB_PASSWORD);
   waitForPostgresService(config, "minikms", "minikms_db", "postgres", runtimeEnv.MINIKMS_DB_PASSWORD);
   runOpenFgaMigrate(config, runtimeEnv);
@@ -1398,7 +1539,7 @@ async function cmdBootstrap() {
     run("docker", ["stack", "deploy", "-c", BOOTSTRAP_STACK_FILE, config.services.stack_name]);
     logSuccess("Runtime bootstrap stack deployed");
   }
-  waitForHttpService(config, "keycloak", "http://keycloak:8080/health/ready", 180);
+  waitForHttpService(config, "keycloak management readiness", "http://keycloak:9000/health/ready", 180);
   waitForHttpService(config, "openfga", "http://openfga:8090/stores");
   waitForTcpService(config, "minikms", "minikms", 50051);
   const initResult = runBootstrapInit(config);
@@ -1655,9 +1796,10 @@ async function main() {
   const command = argv[0];
   const args = argv.slice(1);
   currentOptions = {
-    dryRun: args.includes("--dry-run")
+    dryRun: args.includes("--dry-run"),
+    force: args.includes("--force")
   };
-  const positionals = args.filter((arg) => arg !== "--dry-run");
+  const positionals = args.filter((arg) => arg !== "--dry-run" && arg !== "--force");
   switch (command) {
     case "preinstall":
       await cmdPreinstall();
@@ -1688,7 +1830,7 @@ async function main() {
       break;
     default:
       console.log(
-        "Usage: envsync-deploy <preinstall|setup|bootstrap|deploy|health|upgrade|upgrade-deps|backup|restore> [--dry-run]"
+        "Usage: envsync-deploy <preinstall|setup|bootstrap|deploy|health|upgrade|upgrade-deps|backup|restore> [--dry-run] [--force]"
       );
       process.exit(command ? 1 : 0);
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@envsync-cloud/deploy-cli",
-  "version": "0.6.4",
+  "version": "0.6.6",
   "description": "CLI for self-hosted EnvSync deployment on Docker Swarm",
   "type": "module",
   "bin": {