@everystack/cli 0.1.0 → 0.2.1

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@everystack/cli",
-  "version": "0.1.0",
+  "version": "0.2.1",
   "description": "CLI and OTA updates for Expo apps on everystack",
-  "license": "MIT",
+  "license": "AGPL-3.0-only",
   "publishConfig": {
     "access": "public"
   },
@@ -10,7 +10,6 @@
     "src",
     "README.md"
   ],
-  "type": "module",
   "exports": {
     ".": {
       "types": "./src/index.ts",
@@ -27,30 +26,44 @@
     "./handler": {
       "types": "./src/handler/index.ts",
       "default": "./src/handler/index.ts"
+    },
+    "./plugin": {
+      "types": "./src/plugin.ts",
+      "default": "./src/plugin.ts"
     }
   },
   "bin": {
     "everystack": "./src/cli/index.ts"
   },
+  "scripts": {
+    "test": "jest",
+    "build": "tsc --build",
+    "lint": "tsc --noEmit"
+  },
   "dependencies": {
+    "@aws-sdk/client-cloudfront-keyvaluestore": "3.1045.0",
+    "@aws-sdk/signature-v4a": "3.1031.0",
     "glob": "13.0.6",
-    "node-forge": "^1.4.0",
-    "structured-headers": "^1.0.0",
-    "tsx": "^4.0.0"
+    "node-forge": "1.4.0",
+    "structured-headers": "1.0.1",
+    "tsx": "4.21.0"
   },
   "peerDependencies": {
-    "@aws-sdk/client-cloudfront": ">=3.0.0",
-    "@aws-sdk/client-cloudfront-keyvaluestore": ">=3.0.0",
-    "@aws-sdk/client-cloudwatch-logs": ">=3.0.0",
-    "@aws-sdk/client-lambda": ">=3.0.0",
-    "@aws-sdk/client-s3": ">=3.0.0",
-    "@aws-sdk/signature-v4a": ">=3.0.0",
-    "drizzle-orm": ">=0.30.0",
-    "expo-updates": ">=0.25.0",
-    "react": ">=18.0.0",
-    "react-native": ">=0.72.0"
+    "@everystack/server": ">=0.1.0",
+    "@aws-sdk/client-cloudfront": "3.1045.0",
+    "@aws-sdk/client-cloudwatch-logs": "3.1047.0",
+    "@aws-sdk/client-lambda": "3.1045.0",
+    "@aws-sdk/client-s3": "3.1045.0",
+    "@aws-sdk/s3-request-presigner": "3.1045.0",
+    "drizzle-orm": "0.41.0",
+    "expo-updates": "55.0.21",
+    "react": "19.2.6",
+    "react-native": "0.83.6"
   },
   "peerDependenciesMeta": {
+    "@everystack/server": {
+      "optional": true
+    },
     "@aws-sdk/client-cloudfront": {
       "optional": true
     },
@@ -63,12 +76,6 @@
     "@aws-sdk/client-lambda": {
       "optional": true
     },
-    "@aws-sdk/client-cloudfront-keyvaluestore": {
-      "optional": true
-    },
-    "@aws-sdk/signature-v4a": {
-      "optional": true
-    },
     "expo-updates": {
       "optional": true
     },
@@ -77,28 +84,25 @@
     },
     "react-native": {
       "optional": true
+    },
+    "@aws-sdk/s3-request-presigner": {
+      "optional": true
     }
   },
   "devDependencies": {
-    "@aws-sdk/client-cloudfront": "^3.700.0",
-    "@aws-sdk/client-cloudfront-keyvaluestore": "^3.700.0",
-    "@aws-sdk/client-cloudwatch-logs": "^3.1047.0",
-    "@aws-sdk/client-lambda": "^3.700.0",
-    "@aws-sdk/client-s3": "^3.700.0",
-    "@aws-sdk/signature-v4a": "^3.1031.0",
-    "@types/jest": "^29.5.14",
-    "@types/node": "^22.0.0",
-    "@types/node-forge": "^1.3.14",
-    "@types/react": "~19.2.14",
-    "drizzle-orm": "^0.41.0",
-    "jest": "^29.7.0",
-    "react": "19.2.0",
-    "ts-jest": "^29.3.0",
-    "typescript": "^5.7.0"
-  },
-  "scripts": {
-    "test": "NODE_OPTIONS='--experimental-vm-modules' jest",
-    "build": "tsc --build",
-    "lint": "tsc --noEmit"
+    "@aws-sdk/client-cloudfront": "3.1045.0",
+    "@aws-sdk/client-cloudwatch-logs": "3.1047.0",
+    "@aws-sdk/client-lambda": "3.1045.0",
+    "@aws-sdk/client-s3": "3.1045.0",
+    "@aws-sdk/s3-request-presigner": "3.1045.0",
+    "@types/jest": "29.5.14",
+    "@types/node": "22.19.18",
+    "@types/node-forge": "1.3.14",
+    "@types/react": "19.2.14",
+    "drizzle-orm": "0.41.0",
+    "jest": "29.7.0",
+    "react": "19.2.6",
+    "ts-jest": "29.4.9",
+    "typescript": "5.9.3"
   }
-}
+}

package/src/cli/aws.ts

@@ -5,20 +5,23 @@
  * Authentication uses the developer's IAM credentials (default credential chain).
  */
 
-import { S3Client, PutObjectCommand, GetObjectCommand } from '@aws-sdk/client-s3';
-import { LambdaClient, InvokeCommand } from '@aws-sdk/client-lambda';
+let s3Client: InstanceType<typeof import('@aws-sdk/client-s3').S3Client> | null = null;
+let lambdaClient: InstanceType<typeof import('@aws-sdk/client-lambda').LambdaClient> | null = null;
+let kvsClient: InstanceType<typeof import('@aws-sdk/client-cloudfront-keyvaluestore').CloudFrontKeyValueStoreClient> | null = null;
 
-let s3Client: S3Client | null = null;
-let lambdaClient: LambdaClient | null = null;
-let kvsClient: import('@aws-sdk/client-cloudfront-keyvaluestore').CloudFrontKeyValueStoreClient | null = null;
-
-function getS3(region: string): S3Client {
-  if (!s3Client) s3Client = new S3Client({ region });
+async function getS3(region: string) {
+  if (!s3Client) {
+    const { S3Client } = await import('@aws-sdk/client-s3');
+    s3Client = new S3Client({ region });
+  }
   return s3Client;
 }
 
-function getLambda(region: string): LambdaClient {
-  if (!lambdaClient) lambdaClient = new LambdaClient({ region });
+async function getLambda(region: string) {
+  if (!lambdaClient) {
+    const { LambdaClient } = await import('@aws-sdk/client-lambda');
+    lambdaClient = new LambdaClient({ region });
+  }
   return lambdaClient;
 }
 
@@ -29,7 +32,8 @@ export async function uploadToS3(
   body: Buffer | Uint8Array,
   contentType: string,
 ): Promise<void> {
-  const client = getS3(region);
+  const client = await getS3(region);
+  const { PutObjectCommand } = await import('@aws-sdk/client-s3');
   await client.send(new PutObjectCommand({
     Bucket: bucket,
     Key: key,
@@ -43,7 +47,8 @@ export async function getFromS3(
   bucket: string,
   key: string,
 ): Promise<Buffer | null> {
-  const client = getS3(region);
+  const client = await getS3(region);
+  const { GetObjectCommand } = await import('@aws-sdk/client-s3');
   try {
     const response = await client.send(new GetObjectCommand({
       Bucket: bucket,
@@ -66,7 +71,8 @@ export async function invokeAction(
   action: string,
   payload: unknown,
 ): Promise<unknown> {
-  const client = getLambda(region);
+  const client = await getLambda(region);
+  const { InvokeCommand } = await import('@aws-sdk/client-lambda');
   const response = await client.send(new InvokeCommand({
     FunctionName: functionName,
     Payload: new TextEncoder().encode(JSON.stringify({
@@ -86,6 +92,47 @@ export async function invokeAction(
   return JSON.parse(new TextDecoder().decode(response.Payload));
 }
 
+/**
+ * Resolve the CloudWatch log group for a Lambda function.
+ * Queries GetFunctionConfiguration for LoggingConfig.LogGroup, falling back to
+ * the conventional `/aws/lambda/{functionName}` pattern if not set.
+ */
+export async function resolveLogGroup(
+  region: string,
+  functionName: string,
+): Promise<string> {
+  const client = await getLambda(region);
+  const { GetFunctionConfigurationCommand } = await import('@aws-sdk/client-lambda');
+  const config = await client.send(
+    new GetFunctionConfigurationCommand({ FunctionName: functionName })
+  );
+  return config.LoggingConfig?.LogGroup ?? `/aws/lambda/${functionName}`;
+}
+
+/**
+ * Create a CloudFront cache invalidation.
+ * Used by cache:purge --invalidate to clear edge-cached responses (e.g. stale 404s).
+ */
+export async function createInvalidation(
+  region: string,
+  distributionId: string,
+  paths: string[] = ['/*'],
+): Promise<string | undefined> {
+  const { CloudFrontClient, CreateInvalidationCommand } = await import('@aws-sdk/client-cloudfront');
+  const client = new CloudFrontClient({ region });
+  const result = await client.send(new CreateInvalidationCommand({
+    DistributionId: distributionId,
+    InvalidationBatch: {
+      CallerReference: `cache-purge-${Date.now()}`,
+      Paths: {
+        Quantity: paths.length,
+        Items: paths,
+      },
+    },
+  }));
+  return result.Invalidation?.Id;
+}
+
 /**
  * Write a versioning key to CloudFront KeyValueStore.
  * KVS requires ETag for optimistic concurrency — DescribeKeyValueStore first.

package/src/cli/commands/cache.ts

@@ -4,13 +4,14 @@
  * No args → global epoch bump → all cached content refreshes.
  * --origin api|media|web → per-origin epoch bump → only that origin refreshes.
  * --path "/api/posts" → per-URL version bump → only that path refreshes.
+ * --invalidate → also create a CloudFront edge invalidation (for stale 404s).
  *
- * Writes directly to CloudFront KVS — no Lambda invoke, no CF invalidation API.
+ * Writes directly to CloudFront KVS — no Lambda invoke.
  */
 
 import { resolveConfig } from '../config.js';
-import { putKvsKey } from '../aws.js';
-import { step, success, fail, info } from '../output.js';
+import { putKvsKey, createInvalidation } from '../aws.js';
+import { step, success, warn, fail, info } from '../output.js';
 
 const VALID_ORIGINS = ['api', 'media', 'web'] as const;
 type CacheOrigin = typeof VALID_ORIGINS[number];
@@ -69,4 +70,24 @@ export async function cachePurgeCommand(flags: Record<string, string>): Promise<
     success(`Cache epoch updated to ${epoch}`);
     info('All cached content will refresh on next request.');
   }
+
+  // CloudFront edge invalidation (optional — clears cached responses without _v param)
+  if (flags.invalidate === 'true') {
+    const distributionId = flags['distribution-id'] || config.distributionId;
+    if (!distributionId) {
+      warn('No distributionId found. Add `distributionId` to sst.config.ts return block, or pass --distribution-id.');
+      info('  return { ..., distributionId: router.nodes.distribution.id }');
+    } else {
+      step('Creating CloudFront invalidation...');
+      try {
+        const invalidationPaths = flags.path ? [flags.path] : ['/*'];
+        const invalidationId = await createInvalidation(config.region, distributionId, invalidationPaths);
+        success(`CloudFront invalidation created: ${invalidationId || 'submitted'}`);
+        info('Edge caches will clear within 1-2 minutes.');
+      } catch (err: any) {
+        warn(`CloudFront invalidation failed: ${err.message}`);
+        info('Ensure your IAM user/role has cloudfront:CreateInvalidation permission.');
+      }
+    }
+  }
 }

package/src/cli/commands/logs.ts

@@ -7,7 +7,7 @@
  */
 
 import { resolveConfig } from '../config.js';
-import { invokeAction } from '../aws.js';
+import { invokeAction, resolveLogGroup } from '../aws.js';
 import { step, success, fail, info } from '../output.js';
 
 export async function logsErrorsCommand(flags: Record<string, string>): Promise<void> {
@@ -104,13 +104,13 @@ export async function logsTailCommand(flags: Record<string, string>): Promise<vo
 
   try {
     // Import AWS SDK dynamically
-    const { CloudWatchLogsClient, FilterLogEventsCommand, DescribeLogStreamsCommand } =
+    const { CloudWatchLogsClient, FilterLogEventsCommand } =
       await import('@aws-sdk/client-cloudwatch-logs');
 
     const client = new CloudWatchLogsClient({ region: config.region });
 
-    // Determine log group name from function name
-    const logGroupName = `/aws/lambda/${config.apiFunctionName}`;
+    // Resolve actual log group from Lambda config (handles SST name changes)
+    const logGroupName = await resolveLogGroup(config.region, config.apiFunctionName);
 
     // Parse since duration to milliseconds
     const sinceMs = parseDuration(since);

package/src/cli/commands/update.ts

@@ -8,7 +8,7 @@ import { spawn } from 'node:child_process';
 import { resolveConfig } from '../config.js';
 import { uploadToS3, invokeAction } from '../aws.js';
 import { step, success, warn, fail, info } from '../output.js';
-import { exportApp } from '../utils/export.js';
+import { exportApp, isDistStale } from '../utils/export.js';
 import { walkDirectory } from '../utils/walk.js';
 
 export interface UpdateFlags {
@@ -32,13 +32,26 @@ export async function updateCommand(flags: UpdateFlags & Record<string, string>)
 
   if (!runtimeVersion) {
     fail('No runtimeVersion found in app.json/app.config.js');
+    info('Add "runtimeVersion" to your app.json, e.g.:');
+    info('  { "expo": { "runtimeVersion": { "policy": "fingerprint" } } }');
+    info('See: https://docs.expo.dev/eas-update/runtime-versions/');
     process.exit(1);
   }
   success(`Runtime version: ${runtimeVersion}`);
 
   // Export if needed
   const distDir = path.resolve('dist');
-  const shouldExport = flags.export === 'true' || !(await dirExists(distDir));
+  const distExists = await dirExists(distDir);
+  let shouldExport = flags.export === 'true' || !distExists;
+
+  // Check if dist/ is stale (source files newer than dist/)
+  if (!shouldExport && flags['skip-export'] !== 'true' && distExists) {
+    if (await isDistStale(distDir)) {
+      step('Source files changed since last export, re-exporting...');
+      shouldExport = true;
+    }
+  }
+
   if (shouldExport) {
     step('Exporting app...');
     await exportApp();
@@ -264,12 +277,43 @@ export async function updateCommand(flags: UpdateFlags & Record<string, string>)
         success(`${uploaded}/${clientAssets.length} assets uploaded to s3://${config.clientBundlesBucket}/`);
       }
 
-      // 4. Register release via Lambda invoke (IAM auth)
-      // Writes versioned manifest, channel pointer, meta.json, and optional DB mirror.
-      step('Registering release...');
+      // 4. Write release manifests directly to S3 (source of truth for SSR).
+      step('Writing release manifests...');
       const updateId = crypto.createHash('sha256')
         .update(`${channel}:${runtimeVersion}:${Date.now()}`)
         .digest('hex');
+      const createdAt = new Date().toISOString();
+      const webManifest = JSON.stringify({
+        updateId,
+        runtimeVersion,
+        platform: 'web',
+        storagePrefix,
+        createdAt,
+      });
+      const manifestBody = Buffer.from(webManifest);
+
+      try {
+        await Promise.all([
+          // Versioned manifest: releases/{branch}/{rv}/{groupId}/web/manifest.json
+          uploadToS3(
+            config.region, config.updatesBucket,
+            `${storagePrefix}/manifest.json`, manifestBody, 'application/json',
+          ),
+          // Channel pointer: {channel}/web/manifest.json (mutable, points to latest)
+          uploadToS3(
+            config.region, config.updatesBucket,
+            `${channel}/web/manifest.json`, manifestBody, 'application/json',
+          ),
+        ]);
+        success(`Manifests written (channel=${channel}, updateId=${updateId.slice(0, 12)}...)`);
+      } catch (err: any) {
+        fail(`Manifest write failed: ${err.message}`);
+        info('Ensure your IAM user/role has s3:PutObject on the Updates bucket.');
+        process.exit(1);
+      }
+
+      // 5. Register release via Lambda invoke (optional — for DB mirroring only).
+      // The S3 manifests above are the source of truth for SSR resolution.
       try {
         const result: any = await invokeAction(
           config.region,
@@ -286,12 +330,17 @@ export async function updateCommand(flags: UpdateFlags & Record<string, string>)
           },
         );
         if (result?.error) {
-          warn(`Registration failed: ${result.error}`);
+          info(`DB mirror skipped: ${result.error}`);
         } else {
-          success(`Release registered: channel=${result?.channel || channel}, updateId=${result?.updateId || 'n/a'}`);
+          info(`Release mirrored to DB: channel=${result?.channel || channel}`);
         }
       } catch (err: any) {
-        warn(`Registration failed: ${err.message}`);
+        // register-web is optional — the S3 manifests are the source of truth.
+        if (err.message?.includes('Unknown action')) {
+          info('Tip: add a "register-web" case to onAction for DB-backed release tracking.');
+        } else {
+          info(`DB mirror skipped: ${err.message}`);
+        }
       }
 
       // Clean up archive

package/src/cli/config.ts

@@ -18,6 +18,7 @@ export interface CliConfig {
   updatesBucket: string;
   clientBundlesBucket: string;
   kvsArn?: string;
+  distributionId?: string;
 }
 
 interface SstOutputs {
@@ -28,6 +29,7 @@ interface SstOutputs {
   updatesBucket?: string;
   clientBundlesBucket?: string;
   kvsArn?: string;
+  distributionId?: string;
 }
 
 export async function resolveConfig(stage?: string): Promise<CliConfig> {
@@ -94,5 +96,6 @@ export async function resolveConfig(stage?: string): Promise<CliConfig> {
     updatesBucket: outputs.updatesBucket,
     clientBundlesBucket: outputs.clientBundlesBucket,
     kvsArn: outputs.kvsArn,
+    distributionId: outputs.distributionId,
   };
 }

package/src/cli/discover-distribution.ts

@@ -0,0 +1,36 @@
+/**
+ * CloudFront distribution discovery.
+ *
+ * Separated from discover.ts to avoid Jest ESM module resolution issues
+ * with the @aws-sdk/client-cloudfront ListDistributions types.
+ */
+
+/**
+ * Find the CloudFront distribution for a stage by matching the Comment field.
+ * SST sets the Comment to include the app name and stage.
+ * Best-effort: returns undefined if not found.
+ */
+export async function discoverDistribution(
+  region: string,
+  prefix: string,
+): Promise<string | undefined> {
+  const { CloudFrontClient, ListDistributionsCommand } = await import('@aws-sdk/client-cloudfront');
+  const client = new CloudFrontClient({ region });
+  const distNeedle = prefix.toLowerCase();
+
+  let marker: string | undefined;
+  do {
+    const res = await client.send(
+      new ListDistributionsCommand({ Marker: marker, MaxItems: 50 }),
+    );
+    for (const dist of res.DistributionList?.Items || []) {
+      const comment = (dist.Comment || '').toLowerCase();
+      if (comment.includes(distNeedle)) {
+        return dist.Id;
+      }
+    }
+    marker = res.DistributionList?.IsTruncated ? res.DistributionList.NextMarker : undefined;
+  } while (marker);
+
+  return undefined;
+}

package/src/cli/discover.ts

@@ -22,6 +22,7 @@ interface DiscoveredConfig {
   updatesBucket: string;
   clientBundlesBucket: string;
   kvsArn?: string;
+  distributionId?: string;
 }
 
 // ---------------------------------------------------------------------------
@@ -61,6 +62,7 @@ export async function parseAppName(configPath?: string): Promise<string> {
 
 interface CfFunctionResult {
   kvsArn?: string;
+  distributionId?: string;
 }
 
 /**
@@ -240,6 +242,15 @@ export async function discoverConfig(
     discoverBuckets(region, prefix),
   ]);
 
+  // Distribution discovery is best-effort (not critical for most CLI operations)
+  let distributionId: string | undefined;
+  try {
+    const { discoverDistribution } = await import('./discover-distribution.js');
+    distributionId = await discoverDistribution(region, prefix);
+  } catch {
+    // Non-fatal — only needed for cache:purge --invalidate
+  }
+
   if (!bucketsResult.updatesBucket) {
     throw new Error(
       `Could not find S3 bucket "${prefix}updatesbucket-*". ` +
@@ -261,6 +272,7 @@ export async function discoverConfig(
     updatesBucket: bucketsResult.updatesBucket,
     clientBundlesBucket: bucketsResult.clientBundlesBucket,
     kvsArn: cfResult.kvsArn,
+    distributionId,
   };
 }
 
@@ -277,6 +289,7 @@ interface CachedOutputs {
   updatesBucket?: string;
   clientBundlesBucket?: string;
   kvsArn?: string;
+  distributionId?: string;
 }
 
 function cachePath(stage: string): string {
@@ -298,6 +311,7 @@ export async function getCachedConfig(stage: string): Promise<DiscoveredConfig |
       updatesBucket: cached.updatesBucket,
       clientBundlesBucket: cached.clientBundlesBucket,
       kvsArn: cached.kvsArn,
+      distributionId: cached.distributionId,
     };
   } catch {
     return null;
@@ -312,6 +326,7 @@ export async function setCachedConfig(stage: string, config: DiscoveredConfig):
     updatesBucket: config.updatesBucket,
     clientBundlesBucket: config.clientBundlesBucket,
     kvsArn: config.kvsArn,
+    distributionId: config.distributionId,
   };
   try {
     await fs.writeFile(cachePath(stage), JSON.stringify(data, null, 2));

package/src/cli/index.ts

@@ -131,8 +131,8 @@ function printHelp() {
 everystack - CLI for Expo apps on everystack
 
 Usage:
-  everystack update            --branch <name> --message <msg> [--platform ios|android|web|all] [--stage <name>]
-  everystack update            --channel <name> --message <msg> [--platform ios|android|web|all] [--stage <name>]
+  everystack update            --branch <name> --message <msg> [--platform ios|android|web|all] [--stage <name>] [--skip-export]
+  everystack update            --channel <name> --message <msg> [--platform ios|android|web|all] [--stage <name>] [--skip-export]
   everystack db:migrate        [--stage <name>]  Run database migrations on deployed Lambda
   everystack db:seed           [--stage <name>]  Seed database on deployed Lambda (dev only)
   everystack db:reset          [--stage <name>]  Drop all schemas + re-run migrations (dev only)
@@ -143,6 +143,7 @@ Usage:
   everystack cache:purge       [--stage <name>]                  Bust all cached content (global epoch)
   everystack cache:purge       [--stage <name>] --origin api     Bust API origin cache (api|media|web)
   everystack cache:purge       [--stage <name>] --path "/api/posts"  Bust specific path cache
+  everystack cache:purge       [--stage <name>] --invalidate     Also create CloudFront edge invalidation
   everystack diag              [url] [--path /about] [--channel <name>] [--stage <name>]  Diagnose page freshness
   everystack diag              [url] --hydration  Analyze SSR hydration issues (fetches full HTML)
   everystack analyze:ssr       [--app ./app]      Scan app code for SSR anti-patterns

package/src/cli/utils/export.ts

@@ -1,4 +1,6 @@
 import { execSync } from 'child_process';
+import fs from 'fs/promises';
+import path from 'path';
 
 export async function exportApp(): Promise<void> {
   execSync('npx expo export --output-dir dist', {
@@ -6,3 +8,20 @@ export async function exportApp(): Promise<void> {
     env: { ...process.env },
   });
 }
+
+/**
+ * Check if dist/ is stale by comparing its mtime against known source files.
+ * Returns true if any source file (app.json, app.config.js, app.config.ts, app/)
+ * was modified after dist/ was last written.
+ */
+export async function isDistStale(distDir: string, projectDir?: string): Promise<boolean> {
+  const baseDir = projectDir ?? process.cwd();
+  const distMtime = (await fs.stat(distDir)).mtimeMs;
+  const sourceChecks = ['app.json', 'app.config.js', 'app.config.ts', 'app'].map(async (f) => {
+    try {
+      const s = await fs.stat(path.resolve(baseDir, f));
+      return s.mtimeMs > distMtime;
+    } catch { return false; }
+  });
+  return (await Promise.all(sourceChecks)).some(Boolean);
+}

package/src/handler/index.ts

@@ -8,6 +8,7 @@ import { handleListChannels, handleCreateChannel, handleEditChannel } from './ch
 
 export { handleRegisterWeb } from './publish-web';
 export { registerMobileRelease } from './publish';
+export { handleListChannels, handleCreateChannel } from './channels-crud';
 export type { RegisterMobileParams, RegisterMobileResult, RegisterMobileAsset } from './publish';
 export type { UpdatesHandlerOptions } from './types';
 
@@ -22,7 +23,7 @@ export function createUpdatesHandler(options: UpdatesHandlerOptions): (request:
       pathname = pathname.slice(basePath.length) || '/';
     }
 
-    if (request.method === 'GET' && pathname === '/manifest') {
+    if (request.method === 'GET' && (pathname === '/manifest' || pathname === '/')) {
       return handleManifest(request, options);
     }
 

package/src/plugin.ts

@@ -0,0 +1,123 @@
+/**
+ * @everystack/cli/plugin — OTA updates handler + CLI actions as a composable plugin.
+ *
+ * Registers the updates manifest/asset endpoint for Expo OTA updates,
+ * plus CLI actions for registering builds and managing channels.
+ *
+ * Note: Types are inlined to avoid circular dependency with @everystack/server.
+ */
+
+import type { StorageAdapter } from './storage/index';
+
+/** Minimal plugin context (compatible with @everystack/server/plugin PluginContext) */
+interface PluginContext {
+  db: any;
+  schema: Record<string, any>;
+  verifyToken: (token: string) => Promise<Record<string, unknown> | null>;
+  environment: string;
+  publishJob: (type: string, payload: unknown) => Promise<string>;
+  [key: string]: unknown;
+}
+
+/** Minimal route type (compatible with @everystack/server Route) */
+interface Route {
+  path: string;
+  method?: string;
+  exact?: boolean;
+  handler: (req: Request) => Promise<Response>;
+}
+
+/** Action handler type (compatible with @everystack/server/plugin ActionHandler) */
+type ActionHandler = (payload: unknown, ctx: PluginContext) => Promise<unknown>;
+
+/** Plugin factory function */
+type Plugin = (ctx: PluginContext) => Promise<{
+  routes?: Route[];
+  actions?: Record<string, ActionHandler>;
+}>;
+
+export interface UpdatesPluginOptions {
+  /** Base URL for update asset downloads (e.g., CDN_URL or SITE_URL) */
+  baseUrl?: string;
+  /** Base path for updates routes (default: '/api/updates') */
+  basePath?: string;
+  /** Ed25519 private key for signing manifests */
+  privateKey?: string;
+  /** Default channel name (default: 'production') */
+  defaultChannel?: string;
+}
+
+interface UpdatesContext extends PluginContext {
+  updatesStorage: StorageAdapter;
+  clientBundlesStorage?: StorageAdapter;
+}
+
+export function updatesPlugin(options: UpdatesPluginOptions = {}): Plugin {
+  const basePath = options.basePath ?? '/api/updates';
+
+  return async (ctx) => {
+    const {
+      createUpdatesHandler,
+      handleRegisterWeb,
+      registerMobileRelease,
+      handleListChannels,
+      handleCreateChannel,
+    } = await import('./handler/index');
+    const appCtx = ctx as UpdatesContext;
+
+    const handlerOptions = {
+      db: ctx.db,
+      storage: appCtx.updatesStorage,
+      baseUrl: options.baseUrl ?? process.env.CDN_URL ?? process.env.SITE_URL ?? 'http://localhost:8081',
+      basePath,
+      auth: { verifyToken: ctx.verifyToken },
+      privateKey: options.privateKey ?? process.env.UPDATES_PRIVATE_KEY,
+      defaultChannel: options.defaultChannel ?? 'production',
+      clientBundlesStorage: appCtx.clientBundlesStorage,
+    };
+
+    const handler = createUpdatesHandler(handlerOptions);
+
+    return {
+      routes: [{ path: basePath, handler }],
+      actions: {
+        'register-web': async (payload) => {
+          const req = new Request('http://internal/register-web', {
+            method: 'POST',
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify(payload),
+          });
+          const res = await handleRegisterWeb(req, handlerOptions);
+          const body = await res.json().catch(() => ({}));
+          if (!res.ok) return { error: (body as any).error || `register-web failed (${res.status})` };
+          return body;
+        },
+        'register-mobile': async (payload) => {
+          try {
+            return await registerMobileRelease(handlerOptions, payload as any);
+          } catch (err: any) {
+            return { error: err?.message || 'register-mobile failed' };
+          }
+        },
+        'channels-list': async () => {
+          const req = new Request('http://internal/channels', { method: 'GET' });
+          const res = await handleListChannels(req, handlerOptions);
+          const body = await res.json().catch(() => ({}));
+          if (!res.ok) return { error: (body as any).error || `channels-list failed (${res.status})` };
+          return body;
+        },
+        'channels-create': async (payload) => {
+          const req = new Request('http://internal/channels', {
+            method: 'POST',
+            headers: { 'content-type': 'application/json' },
+            body: JSON.stringify(payload),
+          });
+          const res = await handleCreateChannel(req, handlerOptions);
+          const body = await res.json().catch(() => ({}));
+          if (!res.ok) return { error: (body as any).error || `channels-create failed (${res.status})` };
+          return body;
+        },
+      },
+    };
+  };
+}

package/src/storage/index.ts

@@ -14,12 +14,12 @@ export type StorageOptions =
   | { type: 'filesystem'; directory: string }
   | { type: 's3'; bucket: string; region?: string; endpoint?: string };
 
-export function createStorage(options: StorageOptions): StorageAdapter {
+export async function createStorage(options: StorageOptions): Promise<StorageAdapter> {
   if (options.type === 'filesystem') {
-    const { FilesystemStorageAdapter } = require('./filesystem') as typeof import('./filesystem');
+    const { FilesystemStorageAdapter } = await import('./filesystem');
     return new FilesystemStorageAdapter(options.directory);
   }
-  const { S3StorageAdapter } = require('./s3') as typeof import('./s3');
+  const { S3StorageAdapter } = await import('./s3');
   return new S3StorageAdapter(options.bucket, options.region, options.endpoint);
 }