@everystack/cli 0.1.0

package/src/handler/helpers.ts

@@ -0,0 +1,239 @@
+import type { UpdatesHandlerOptions } from './types';
+import type { StorageAdapter } from '../storage/index';
+import { convertSHA256HashToUUID } from './signing';
+
+// =============================================================================
+// Types
+// =============================================================================
+
+export interface ChannelMetadata {
+  name: string;
+  branchRef: string;
+  status: string;
+  createdAt: string;
+  updatedAt: string;
+}
+
+export interface ManifestAssetRecord {
+  s3Key: string;
+  contentHash: string;
+  filename: string;
+  mimeType: string;
+  fileExtension: string;
+  isLaunchAsset: boolean;
+}
+
+// =============================================================================
+// Response helpers
+// =============================================================================
+
+export function jsonError(status: number, message: string): Response {
+  return new Response(JSON.stringify({ error: message }), {
+    status,
+    headers: { 'content-type': 'application/json' },
+  });
+}
+
+// =============================================================================
+// Auth
+// =============================================================================
+
+export async function checkAuth(request: Request, options: UpdatesHandlerOptions): Promise<Response | null> {
+  if (!options.auth) return null;
+
+  const authHeader = request.headers.get('authorization');
+  if (!authHeader || !authHeader.startsWith('Bearer ')) {
+    return jsonError(401, 'Authentication required.');
+  }
+  const token = authHeader.slice(7);
+  const payload = await options.auth.verifyToken(token);
+  if (!payload) {
+    return jsonError(401, 'Invalid token.');
+  }
+  return null;
+}
+
+// =============================================================================
+// DB mirror — optional, non-blocking
+// =============================================================================
+
+export async function mirrorToDb(db: any | undefined, fn: () => Promise<void>): Promise<void> {
+  if (!db) return;
+  try {
+    await fn();
+  } catch (err) {
+    console.warn('[updates] DB mirror write failed:', err);
+  }
+}
+
+// =============================================================================
+// Manifest builder
+// =============================================================================
+
+/**
+ * Build a complete Expo manifest JSON from publish-time data.
+ * Produces the same shape that manifest.ts builds from DB queries,
+ * so the manifest can be written to S3 and served directly.
+ */
+export function buildManifestJson(
+  updateId: string,
+  runtimeVersion: string,
+  createdAt: string,
+  assetRecords: ManifestAssetRecord[],
+  expoConfig: Record<string, unknown> | undefined,
+  baseUrl: string,
+  basePath: string,
+): Record<string, unknown> {
+  const launchAsset = assetRecords.find(a => a.isLaunchAsset);
+  const regularAssets = assetRecords.filter(a => !a.isLaunchAsset);
+  const cleanBaseUrl = baseUrl.replace(/\/$/, '');
+
+  const buildAssetEntry = (a: ManifestAssetRecord) => ({
+    hash: a.contentHash,
+    key: a.filename,
+    fileExtension: a.fileExtension,
+    contentType: a.mimeType,
+    url: `${cleanBaseUrl}${basePath}/assets?key=${a.s3Key}`,
+  });
+
+  return {
+    id: convertSHA256HashToUUID(updateId),
+    createdAt,
+    runtimeVersion,
+    assets: regularAssets.map(buildAssetEntry),
+    launchAsset: launchAsset ? buildAssetEntry(launchAsset) : undefined,
+    metadata: {},
+    extra: {
+      expoClient: expoConfig || undefined,
+    },
+  };
+}
+
+// =============================================================================
+// S3 channel management
+// =============================================================================
+
+/**
+ * Read or create a channel metadata file in S3.
+ * Returns the channel metadata (existing or newly created).
+ */
+export async function ensureChannelInStorage(
+  storage: StorageAdapter,
+  channelName: string,
+  branchName: string,
+): Promise<ChannelMetadata> {
+  const key = `_channels/${channelName}.json`;
+  const existing = await storage.get(key);
+
+  if (existing) {
+    const meta = JSON.parse(existing.data.toString('utf8')) as ChannelMetadata;
+    if (!meta.branchRef) {
+      meta.branchRef = branchName;
+      meta.updatedAt = new Date().toISOString();
+      await storage.put(key, Buffer.from(JSON.stringify(meta)), 'application/json');
+    }
+    return meta;
+  }
+
+  const now = new Date().toISOString();
+  const meta: ChannelMetadata = {
+    name: channelName,
+    branchRef: branchName,
+    status: 'active',
+    createdAt: now,
+    updatedAt: now,
+  };
+  await storage.put(key, Buffer.from(JSON.stringify(meta)), 'application/json');
+  return meta;
+}
+
+/**
+ * Regenerate channel pointer manifests after a channel's branch mapping changes.
+ *
+ * Scans releases/{branchRef}/ for all platform+runtimeVersion combos,
+ * finds the latest manifest for each, and copies it to the channel pointer path:
+ *   {channelName}/{platform}/{runtimeVersion}/manifest.json
+ */
+export async function updateChannelPointers(
+  storage: StorageAdapter,
+  channelName: string,
+  branchRef: string,
+): Promise<void> {
+  const keys = await storage.list(`releases/${branchRef}/`);
+  const manifestKeys = keys.filter(k => k.endsWith('/manifest.json'));
+
+  // Group by platform+runtimeVersion
+  // Key format: releases/{branch}/{runtimeVersion}/{groupId}/{platform}/manifest.json
+  const grouped = new Map<string, string[]>();
+  for (const key of manifestKeys) {
+    const parts = key.split('/');
+    if (parts.length >= 6) {
+      const runtimeVersion = parts[2];
+      const platform = parts[4];
+      const combo = `${platform}/${runtimeVersion}`;
+      if (!grouped.has(combo)) grouped.set(combo, []);
+      grouped.get(combo)!.push(key);
+    }
+  }
+
+  // Helper: find the latest manifest key from a list by meta.json createdAt
+  async function findLatestManifest(paths: string[]): Promise<string | undefined> {
+    let latestKey: string | undefined;
+    let latestCreatedAt = '';
+
+    for (const mKey of paths) {
+      const parts = mKey.split('/');
+      const metaKey = parts.slice(0, 4).join('/') + '/meta.json';
+      try {
+        const metaResult = await storage.get(metaKey);
+        if (metaResult) {
+          const meta = JSON.parse(metaResult.data.toString('utf8'));
+          if (meta.createdAt > latestCreatedAt) {
+            latestCreatedAt = meta.createdAt;
+            latestKey = mKey;
+          }
+        }
+      } catch {
+        if (!latestKey) latestKey = mKey;
+      }
+    }
+    return latestKey;
+  }
+
+  // Mobile platforms: per-runtimeVersion pointers at {channel}/{platform}/{rv}/manifest.json
+  for (const [combo, paths] of grouped) {
+    const [platform] = combo.split('/');
+    if (platform === 'web') continue; // web handled separately below
+
+    const latestManifestKey = await findLatestManifest(paths);
+    if (latestManifestKey) {
+      const [, runtimeVersion] = combo.split('/');
+      const pointerKey = `${channelName}/${platform}/${runtimeVersion}/manifest.json`;
+      const manifestData = await storage.get(latestManifestKey);
+      if (manifestData) {
+        await storage.put(pointerKey, manifestData.data, 'application/json');
+      }
+    }
+  }
+
+  // Web platform: single runtimeVersion-agnostic pointer at {channel}/web/manifest.json
+  // Collects ALL web manifests across ALL runtimeVersions and finds the latest.
+  const allWebManifests: string[] = [];
+  for (const [combo, paths] of grouped) {
+    const [platform] = combo.split('/');
+    if (platform === 'web') {
+      allWebManifests.push(...paths);
+    }
+  }
+
+  if (allWebManifests.length > 0) {
+    const latestWebKey = await findLatestManifest(allWebManifests);
+    if (latestWebKey) {
+      const pointerKey = `${channelName}/web/manifest.json`;
+      const manifestData = await storage.get(latestWebKey);
+      if (manifestData) {
+        await storage.put(pointerKey, manifestData.data, 'application/json');
+      }
+    }
+  }
+}

package/src/handler/index.ts

@@ -0,0 +1,78 @@
+import type { UpdatesHandlerOptions } from './types';
+import { handleManifest } from './manifest';
+import { handleAssets } from './assets';
+import { handlePublish } from './publish';
+import { handlePresignWeb, handleRegisterWeb } from './publish-web';
+import { handleListBranches, handleCreateBranch, handleDeleteBranch } from './branches';
+import { handleListChannels, handleCreateChannel, handleEditChannel } from './channels-crud';
+
+export { handleRegisterWeb } from './publish-web';
+export { registerMobileRelease } from './publish';
+export type { RegisterMobileParams, RegisterMobileResult, RegisterMobileAsset } from './publish';
+export type { UpdatesHandlerOptions } from './types';
+
+export function createUpdatesHandler(options: UpdatesHandlerOptions): (request: Request) => Promise<Response> {
+  const basePath = options.basePath || '';
+
+  return async (request: Request): Promise<Response> => {
+    const url = new URL(request.url);
+    let pathname = url.pathname;
+
+    if (basePath && pathname.startsWith(basePath)) {
+      pathname = pathname.slice(basePath.length) || '/';
+    }
+
+    if (request.method === 'GET' && pathname === '/manifest') {
+      return handleManifest(request, options);
+    }
+
+    if (request.method === 'GET' && pathname === '/assets') {
+      return handleAssets(request, options);
+    }
+
+    if (request.method === 'POST' && pathname === '/publish') {
+      return handlePublish(request, options);
+    }
+
+    if (request.method === 'POST' && pathname === '/presign-web') {
+      return handlePresignWeb(request, options);
+    }
+
+    if (request.method === 'POST' && pathname === '/register-web') {
+      return handleRegisterWeb(request, options);
+    }
+
+    // Branch CRUD
+    if (request.method === 'GET' && pathname === '/branches') {
+      return handleListBranches(request, options);
+    }
+
+    if (request.method === 'POST' && pathname === '/branches') {
+      return handleCreateBranch(request, options);
+    }
+
+    if (request.method === 'DELETE' && pathname.startsWith('/branches/')) {
+      const branchName = decodeURIComponent(pathname.slice('/branches/'.length));
+      return handleDeleteBranch(request, options, branchName);
+    }
+
+    // Channel CRUD
+    if (request.method === 'GET' && pathname === '/channels') {
+      return handleListChannels(request, options);
+    }
+
+    if (request.method === 'POST' && pathname === '/channels') {
+      return handleCreateChannel(request, options);
+    }
+
+    if (request.method === 'PUT' && pathname.startsWith('/channels/')) {
+      const channelName = decodeURIComponent(pathname.slice('/channels/'.length));
+      return handleEditChannel(request, options, channelName);
+    }
+
+    return new Response(JSON.stringify({ error: 'Not found' }), {
+      status: 404,
+      headers: { 'content-type': 'application/json' },
+    });
+  };
+}

package/src/handler/manifest.ts

@@ -0,0 +1,276 @@
+import { serializeDictionary } from 'structured-headers';
+import { eq, and, desc, sql } from 'drizzle-orm';
+import type { UpdatesHandlerOptions } from './types';
+import { opsItems, buildArtifacts, runs } from '../schema';
+import { buildMultipartResponse } from './multipart';
+import { signRSASHA256, convertSHA256HashToUUID, convertToDictionaryItemsRepresentation } from './signing';
+import { jsonError } from './helpers';
+
+export async function handleManifest(request: Request, options: UpdatesHandlerOptions): Promise<Response> {
+  const headers = request.headers;
+
+  const protocolVersionRaw = headers.get('expo-protocol-version');
+  const protocolVersion = parseInt(protocolVersionRaw ?? '0', 10);
+
+  const platform = headers.get('expo-platform');
+  if (platform !== 'ios' && platform !== 'android') {
+    return jsonError(400, 'Unsupported platform. Expected either ios or android.');
+  }
+
+  const runtimeVersion = headers.get('expo-runtime-version');
+  if (!runtimeVersion) {
+    return jsonError(400, 'No runtimeVersion provided.');
+  }
+
+  const channelName = headers.get('expo-channel-name') || options.defaultChannel || 'production';
+
+  // Try S3 flat-file manifest first (works without DB)
+  const s3Manifest = await tryS3Manifest(options, channelName, platform, runtimeVersion);
+  if (s3Manifest) {
+    return buildManifestResponse(request, s3Manifest, options, protocolVersion);
+  }
+
+  // Fall back to DB-based lookup (V2)
+  if (!options.db) {
+    return jsonError(404, `No update found for ${channelName}/${platform}/${runtimeVersion}`);
+  }
+
+  let release: any;
+  let assets: any[];
+
+  try {
+    // Look up channel (opsItems type='release_channel')
+    const [channel] = await options.db
+      .select()
+      .from(opsItems)
+      .where(and(
+        eq(opsItems.type, 'release_channel'),
+        eq(opsItems.name, channelName),
+      ))
+      .limit(1);
+
+    if (!channel) {
+      return jsonError(404, `Channel "${channelName}" not found.`);
+    }
+
+    const branchRef = (channel.data as Record<string, unknown>)?.branchRef as string;
+    if (!branchRef) {
+      return jsonError(404, `Channel "${channelName}" has no branch mapping.`);
+    }
+
+    // Look up latest release (buildArtifact type='ota') via run branchRef
+    const releaseResults = await options.db
+      .select({ release: buildArtifacts })
+      .from(buildArtifacts)
+      .innerJoin(runs, eq(buildArtifacts.runId, runs.id))
+      .where(and(
+        eq(buildArtifacts.type, 'ota'),
+        eq(buildArtifacts.runtimeVersion, runtimeVersion),
+        eq(buildArtifacts.platform, platform),
+        eq(runs.type, 'release'),
+        sql`${runs.data}->>'branchRef' = ${branchRef}`,
+      ))
+      .orderBy(desc(buildArtifacts.indexedAt))
+      .limit(1);
+
+    if (!releaseResults[0]) {
+      return jsonError(404, `No update found for runtime version: ${runtimeVersion}`);
+    }
+    release = releaseResults[0].release;
+
+    // Look up assets (buildArtifacts type='ota_asset') for this release's run
+    assets = await options.db
+      .select()
+      .from(buildArtifacts)
+      .where(and(
+        eq(buildArtifacts.type, 'ota_asset'),
+        eq(buildArtifacts.runId, release.runId),
+      ));
+  } catch {
+    // DB unavailable or tables don't exist — not an error in V1
+    return jsonError(404, `No update found for ${channelName}/${platform}/${runtimeVersion}`);
+  }
+
+  const releaseData = (release.data as Record<string, unknown>) || {};
+
+  // Handle rollback
+  if (releaseData.isRollback) {
+    if (protocolVersion === 0) {
+      return jsonError(400, 'Rollbacks not supported on protocol version 0');
+    }
+    return buildRollbackResponse(request, release, options);
+  }
+
+  // Check if client already has latest
+  const currentUpdateId = headers.get('expo-current-update-id');
+  const updateId = releaseData.updateId as string;
+  const releaseUUID = convertSHA256HashToUUID(updateId);
+  if (currentUpdateId === releaseUUID && protocolVersion === 1) {
+    return buildNoUpdateAvailableResponse(request, options, protocolVersion);
+  }
+
+  // Build manifest from DB data
+  const launchAsset = assets.find((a: any) => (a.data as Record<string, unknown>)?.isLaunchAsset);
+  const regularAssets = assets.filter((a: any) => !(a.data as Record<string, unknown>)?.isLaunchAsset);
+
+  const baseUrl = options.baseUrl.replace(/\/$/, '');
+  const basePath = options.basePath || '';
+
+  const manifest = {
+    id: releaseUUID,
+    createdAt: release.indexedAt.toISOString(),
+    runtimeVersion: release.runtimeVersion,
+    assets: regularAssets.map((a: any) => {
+      const assetData = (a.data as Record<string, unknown>) || {};
+      return {
+        hash: a.contentHash,
+        key: a.filename,
+        fileExtension: assetData.fileExtension,
+        contentType: a.mimeType,
+        url: `${baseUrl}${basePath}/assets?key=${a.s3Key}`,
+      };
+    }),
+    launchAsset: launchAsset
+      ? (() => {
+          const launchData = (launchAsset.data as Record<string, unknown>) || {};
+          return {
+            hash: launchAsset.contentHash,
+            key: launchAsset.filename,
+            fileExtension: launchData.fileExtension,
+            contentType: launchAsset.mimeType,
+            url: `${baseUrl}${basePath}/assets?key=${launchAsset.s3Key}`,
+          };
+        })()
+      : undefined,
+    metadata: {},
+    extra: {
+      expoClient: releaseData.expoConfig || undefined,
+    },
+  };
+
+  return buildManifestResponse(request, manifest, options, protocolVersion);
+}
+
+/**
+ * Try reading a pre-generated manifest from S3.
+ * Path convention: {channel}/{platform}/{runtimeVersion}/manifest.json
+ */
+async function tryS3Manifest(
+  options: UpdatesHandlerOptions,
+  channel: string,
+  platform: string,
+  runtimeVersion: string,
+): Promise<any | null> {
+  const key = `${channel}/${platform}/${runtimeVersion}/manifest.json`;
+  try {
+    const result = await options.storage.get(key);
+    if (!result) return null;
+    return JSON.parse(result.data.toString('utf8'));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Build the multipart manifest response with optional code signing.
+ */
+function buildManifestResponse(
+  request: Request,
+  manifest: any,
+  options: UpdatesHandlerOptions,
+  protocolVersion: number,
+): Response {
+  // Code signing
+  let signature: string | null = null;
+  const expectSignature = request.headers.get('expo-expect-signature');
+  if (expectSignature && options.privateKey) {
+    const manifestString = JSON.stringify(manifest);
+    const hashSignature = signRSASHA256(manifestString, options.privateKey);
+    const dictionary = convertToDictionaryItemsRepresentation({ sig: hashSignature, keyid: 'main' });
+    signature = serializeDictionary(dictionary);
+  } else if (expectSignature && !options.privateKey) {
+    return jsonError(400, 'Code signing requested but no key supplied.');
+  }
+
+  const parts = [
+    {
+      name: 'manifest',
+      body: JSON.stringify(manifest),
+      headers: signature ? { 'expo-signature': signature } : undefined,
+    },
+    {
+      name: 'extensions',
+      body: JSON.stringify({ assetRequestHeaders: {} }),
+    },
+  ];
+
+  return buildMultipartResponse(parts, {
+    'expo-protocol-version': String(protocolVersion),
+    'expo-sfv-version': '0',
+    'cache-control': 'private, max-age=0',
+  });
+}
+
+async function buildRollbackResponse(request: Request, release: any, options: UpdatesHandlerOptions): Promise<Response> {
+  const directive = {
+    type: 'rollBackToEmbedded',
+    parameters: {
+      commitTime: release.indexedAt.toISOString(),
+    },
+  };
+
+  let signature: string | null = null;
+  const expectSignature = request.headers.get('expo-expect-signature');
+  if (expectSignature && options.privateKey) {
+    const directiveString = JSON.stringify(directive);
+    const hashSignature = signRSASHA256(directiveString, options.privateKey);
+    const dictionary = convertToDictionaryItemsRepresentation({ sig: hashSignature, keyid: 'main' });
+    signature = serializeDictionary(dictionary);
+  }
+
+  const parts = [
+    {
+      name: 'directive',
+      body: JSON.stringify(directive),
+      headers: signature ? { 'expo-signature': signature } : undefined,
+    },
+  ];
+
+  return buildMultipartResponse(parts, {
+    'expo-protocol-version': '1',
+    'expo-sfv-version': '0',
+    'cache-control': 'private, max-age=0',
+  });
+}
+
+async function buildNoUpdateAvailableResponse(request: Request, options: UpdatesHandlerOptions, protocolVersion: number): Promise<Response> {
+  if (protocolVersion === 0) {
+    return jsonError(400, 'NoUpdateAvailable directive not available in protocol version 0');
+  }
+
+  const directive = { type: 'noUpdateAvailable' };
+
+  let signature: string | null = null;
+  const expectSignature = request.headers.get('expo-expect-signature');
+  if (expectSignature && options.privateKey) {
+    const directiveString = JSON.stringify(directive);
+    const hashSignature = signRSASHA256(directiveString, options.privateKey);
+    const dictionary = convertToDictionaryItemsRepresentation({ sig: hashSignature, keyid: 'main' });
+    signature = serializeDictionary(dictionary);
+  }
+
+  const parts = [
+    {
+      name: 'directive',
+      body: JSON.stringify(directive),
+      headers: signature ? { 'expo-signature': signature } : undefined,
+    },
+  ];
+
+  return buildMultipartResponse(parts, {
+    'expo-protocol-version': '1',
+    'expo-sfv-version': '0',
+    'cache-control': 'private, max-age=0',
+  });
+}
+

package/src/handler/multipart.ts

@@ -0,0 +1,74 @@
+import crypto from 'crypto';
+
+export interface MultipartPart {
+  name: string;
+  body: string;
+  headers?: Record<string, string>;
+}
+
+export function buildMultipartResponse(parts: MultipartPart[], responseHeaders?: Record<string, string>): Response {
+  const boundary = `boundary-${crypto.randomBytes(16).toString('hex')}`;
+  const chunks: string[] = [];
+
+  for (const part of parts) {
+    chunks.push(`--${boundary}\r\n`);
+    chunks.push(`Content-Disposition: form-data; name="${part.name}"\r\n`);
+    chunks.push(`Content-Type: application/json; charset=utf-8\r\n`);
+    if (part.headers) {
+      for (const [key, value] of Object.entries(part.headers)) {
+        chunks.push(`${key}: ${value}\r\n`);
+      }
+    }
+    chunks.push(`\r\n`);
+    chunks.push(part.body);
+    chunks.push(`\r\n`);
+  }
+  chunks.push(`--${boundary}--\r\n`);
+
+  const body = chunks.join('');
+
+  return new Response(body, {
+    status: 200,
+    headers: {
+      'content-type': `multipart/mixed; boundary=${boundary}`,
+      ...responseHeaders,
+    },
+  });
+}
+
+export function parseMultipartResponse(body: string, boundary: string): MultipartPart[] {
+  const parts: MultipartPart[] = [];
+  const segments = body.split(`--${boundary}`);
+
+  for (const segment of segments) {
+    if (segment.trim() === '' || segment.trim() === '--') continue;
+
+    const headerBodySplit = segment.indexOf('\r\n\r\n');
+    if (headerBodySplit === -1) continue;
+
+    const headerSection = segment.slice(0, headerBodySplit);
+    const bodySection = segment.slice(headerBodySplit + 4).replace(/\r\n$/, '');
+
+    const headers: Record<string, string> = {};
+    let name = '';
+
+    for (const line of headerSection.split('\r\n')) {
+      if (!line.trim()) continue;
+      const colonIdx = line.indexOf(':');
+      if (colonIdx === -1) continue;
+      const key = line.slice(0, colonIdx).trim().toLowerCase();
+      const value = line.slice(colonIdx + 1).trim();
+
+      if (key === 'content-disposition') {
+        const nameMatch = value.match(/name="([^"]+)"/);
+        if (nameMatch) name = nameMatch[1];
+      } else if (key !== 'content-type') {
+        headers[key] = value;
+      }
+    }
+
+    parts.push({ name, body: bodySection, headers: Object.keys(headers).length > 0 ? headers : undefined });
+  }
+
+  return parts;
+}