@eve-horizon/cli 0.2.44 → 0.2.46

package/assets/local-k8s/base/worker-deployment.yaml

@@ -53,6 +53,8 @@ spec:
               value: "4749"
             - name: EVE_DEFAULT_DOMAIN
               value: lvh.me
+            - name: EVE_ORG_FS_ROOT
+              value: /org
           ports:
             - name: http
               containerPort: 4749

package/dist/index.js

@@ -80594,17 +80594,27 @@ async function downloadBytes(url) {
   return Buffer.from(arrayBuffer);
 }
 async function fetchText(url, headers) {
-  const response = await fetch(url, {
-    headers: {
-      "User-Agent": "eve-cli-local-stack",
-      Accept: "application/json,text/plain,*/*",
-      ...headers ?? {}
+  const maxRetries = 3;
+  for (let attempt = 0; attempt <= maxRetries; attempt++) {
+    const response = await fetch(url, {
+      headers: {
+        "User-Agent": "eve-cli-local-stack",
+        Accept: "application/json,text/plain,*/*",
+        ...headers ?? {}
+      }
+    });
+    if (response.status === 429 && attempt < maxRetries) {
+      const retryAfter = parseInt(response.headers.get("retry-after") ?? "", 10);
+      const delay = (retryAfter > 0 ? retryAfter : 2 ** attempt) * 1e3;
+      await new Promise((r) => setTimeout(r, delay));
+      continue;
     }
-  });
-  if (!response.ok) {
-    throw new Error(`Request failed (${response.status}) for ${url}`);
+    if (!response.ok) {
+      throw new Error(`Request failed (${response.status}) for ${url}`);
+    }
+    return response.text();
   }
-  return response.text();
+  throw new Error(`Request failed after ${maxRetries} retries for ${url}`);
 }
 function writeExecutable(destination, bytes) {
   const tempPath = `${destination}.tmp-${Date.now()}-${process.pid}`;
@@ -80709,11 +80719,52 @@ async function fetchRegistryTags(imageRef) {
   }
   const registry2 = imageRef.slice(0, slashIndex);
   const repository = imageRef.slice(slashIndex + 1);
-  const tagsPayload = await fetchText(
-    `https://${registry2}/v2/${repository}/tags/list?n=200`
-  );
+  const url = `https://${registry2}/v2/${repository}/tags/list?n=200`;
+  const token = await fetchRegistryBearerToken(registry2, repository);
+  const headers = token ? { Authorization: `Bearer ${token}` } : void 0;
+  const tagsPayload = await fetchText(url, headers);
   return JSON.parse(tagsPayload).tags ?? [];
 }
+async function fetchRegistryBearerToken(registry2, repository) {
+  const probeUrl = `https://${registry2}/v2/`;
+  const probeResponse = await fetch(probeUrl, {
+    headers: { "User-Agent": "eve-cli-local-stack" }
+  });
+  if (probeResponse.ok) {
+    return void 0;
+  }
+  if (probeResponse.status !== 401) {
+    throw new Error(`Registry probe failed (${probeResponse.status}) for ${probeUrl}`);
+  }
+  const wwwAuth = probeResponse.headers.get("www-authenticate") ?? "";
+  const challenge = parseWwwAuthenticate(wwwAuth);
+  if (!challenge.realm) {
+    throw new Error(`Registry returned 401 without a Bearer realm in WWW-Authenticate header: ${wwwAuth}`);
+  }
+  const tokenUrl = new URL(challenge.realm);
+  if (challenge.service) {
+    tokenUrl.searchParams.set("service", challenge.service);
+  }
+  tokenUrl.searchParams.set("scope", `repository:${repository}:pull`);
+  const tokenResponse = await fetch(tokenUrl.toString(), {
+    headers: { "User-Agent": "eve-cli-local-stack" }
+  });
+  if (!tokenResponse.ok) {
+    throw new Error(`Token exchange failed (${tokenResponse.status}) at ${tokenUrl.toString()}`);
+  }
+  const tokenData = await tokenResponse.json();
+  return tokenData.token ?? tokenData.access_token;
+}
+function parseWwwAuthenticate(header) {
+  const result = {};
+  const body = header.replace(/^Bearer\s+/i, "");
+  const pattern = /(\w+)="([^"]*)"/g;
+  let match;
+  while ((match = pattern.exec(body)) !== null) {
+    result[match[1]] = match[2];
+  }
+  return result;
+}
 function normalizeVersion(value) {
   const trimmed = value.trim();
   if (!trimmed) return null;
@@ -80740,14 +80791,17 @@ async function importPlatformImages(version2, runtimeOptions) {
   const docker = requireToolPath("docker", "Install Docker Desktop.");
   const k3d = requireToolPath("k3d", "Run 'eve local up' again to auto-install managed tools.");
   const stdio = runtimeOptions.verbose && !runtimeOptions.quiet ? "inherit" : "pipe";
+  ensureDockerRegistryAuth(docker, runtimeOptions);
   for (const image of PLATFORM_IMAGES) {
     const remoteTag = `${image.remote}:${version2}`;
     printProgress(runtimeOptions, `Pulling image ${remoteTag}...`);
     const pull = pullImageWithRetry(docker, remoteTag, stdio, runtimeOptions);
     if (pull.status !== 0) {
-      throw new Error(
-        `Failed to pull ${remoteTag}. Ensure image availability/access at ${image.remote} and the version exists. Try: eve local up --version <x.y.z>`
-      );
+      const pullOutput = `${pull.stderr}
+${pull.stdout}`.toLowerCase();
+      const isAuthError = pullOutput.includes("403") || pullOutput.includes("401") || pullOutput.includes("unauthorized");
+      const hint = isAuthError ? "This is likely an ECR authentication issue. Run: aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws" : `Ensure image availability/access at ${image.remote} and the version exists. Try: eve local up --version <x.y.z>`;
+      throw new Error(`Failed to pull ${remoteTag}. ${hint}`);
     }
     run(docker, ["tag", remoteTag, image.local], { stdio });
     printProgress(runtimeOptions, `Importing image ${image.component} into k3d...`);
@@ -80778,7 +80832,7 @@ function pullImageWithRetry(docker, remoteTag, stdio, runtimeOptions) {
     }
     const combined = `${pull.stderr}
 ${pull.stdout}`.toLowerCase();
-    const retryable = combined.includes("unexpected eof") || combined.includes("short read") || combined.includes("i/o timeout") || combined.includes("timed out");
+    const retryable = combined.includes("unexpected eof") || combined.includes("short read") || combined.includes("i/o timeout") || combined.includes("timed out") || combined.includes("403 forbidden") || combined.includes("toomanyrequests");
     if (!retryable || attempt === maxAttempts) {
       return pull;
     }
@@ -80786,6 +80840,42 @@ ${pull.stdout}`.toLowerCase();
   }
   return { status: 1, stdout: "", stderr: "pull retry exhausted" };
 }
+function ensureDockerRegistryAuth(docker, runtimeOptions) {
+  const registry2 = PLATFORM_IMAGE_REGISTRY.split("/")[0];
+  if (!registry2 || !registry2.includes("ecr.aws")) {
+    return;
+  }
+  printProgress(runtimeOptions, "Authenticating Docker to ECR public registry...");
+  if (dockerLoginViaAwsCli(docker, registry2)) {
+    printProgress(runtimeOptions, "Docker registry auth succeeded.");
+    return;
+  }
+  printProgress(
+    runtimeOptions,
+    "Warning: could not authenticate to ECR. Pulls may hit rate limits.\n  Install AWS CLI and configure credentials to avoid this: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html"
+  );
+}
+function dockerLoginViaAwsCli(docker, registry2) {
+  const aws = findExecutable("aws");
+  if (!aws) {
+    return false;
+  }
+  const token = run(aws, ["ecr-public", "get-login-password", "--region", "us-east-1"], {
+    stdio: "pipe",
+    allowFailure: true,
+    timeoutMs: 15e3
+  });
+  if (token.status !== 0 || !token.stdout.trim()) {
+    return false;
+  }
+  const login = (0, import_node_child_process10.spawnSync)(docker, ["login", "--username", "AWS", "--password-stdin", registry2], {
+    input: token.stdout.trim(),
+    encoding: "utf8",
+    stdio: ["pipe", "pipe", "pipe"],
+    timeout: 15e3
+  });
+  return login.status === 0;
+}
 function applyLocalManifests(runtimeOptions) {
   const kubectl = requireToolPath("kubectl", "Run 'eve local up' again to auto-install managed tools.");
   printProgress(runtimeOptions, "Applying local Kubernetes manifests...");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@eve-horizon/cli",
-  "version": "0.2.44",
+  "version": "0.2.46",
   "description": "Eve Horizon CLI",
   "license": "MIT",
   "repository": {