@factiii/stack 0.1.184 → 0.1.186

package/dist/plugins/servers/mac/index.js

@@ -138,16 +138,16 @@ class MacPlugin {
         return Object.keys(config).length === 0;
     }
     static helpText = {
-        SSH: `
-   SSH private key for accessing the server.
-
-   Step 1: Generate a new SSH key pair (if needed):
-   ssh-keygen -t ed25519 -C "deploy-key" -f ~/.ssh/deploy_key
-
-   Step 2: Add PUBLIC key to server:
-   ssh-copy-id -i ~/.ssh/deploy_key.pub ubuntu@YOUR_HOST
-
-   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
+        SSH: `
+   SSH private key for accessing the server.
+
+   Step 1: Generate a new SSH key pair (if needed):
+   ssh-keygen -t ed25519 -C "deploy-key" -f ~/.ssh/deploy_key
+
+   Step 2: Add PUBLIC key to server:
+   ssh-copy-id -i ~/.ssh/deploy_key.pub ubuntu@YOUR_HOST
+
+   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
    cat ~/.ssh/deploy_key`,
     };
     // ============================================================
@@ -238,8 +238,8 @@ class MacPlugin {
             }
             try {
                 const repoName = config.name ?? 'app';
-                await MacPlugin.sshExec(envConfig, `
-          cd ~/.factiii && docker compose stop ${repoName}-staging
+                await MacPlugin.sshExec(envConfig, `
+          cd ~/.factiii && docker compose stop ${repoName}-staging
         `);
                 return { success: true, message: 'Staging containers stopped' };
             }

package/dist/plugins/servers/mac/staging.js

@@ -291,7 +291,7 @@ async function writeEnvFile(envConfig, repoDir, environment, envVarsString) {
         const escapedContent = envFileContent
             .replace(/'/g, "'\\''")
             .replace(/\n/g, '\\n');
-        await sshExecCommand(envConfig, `cat > ${repoDir}/${envFileName} << 'ENVEOF'
+        await sshExecCommand(envConfig, `cat > ${repoDir}/${envFileName} << 'ENVEOF'
 ${envFileContent}ENVEOF`);
     }
 }
@@ -347,7 +347,7 @@ async function createEnvFromStaging(envConfig, repoDir) {
         console.log('   📝 Created .env from .env.staging (with host port replacement)');
     }
     else {
-        await sshExecCommand(envConfig, `cat > ${envPath} << 'ENVEOF'
+        await sshExecCommand(envConfig, `cat > ${envPath} << 'ENVEOF'
 ${updatedContent}ENVEOF`);
         console.log('   📝 Created .env from .env.staging on remote server (with host port replacement)');
     }

package/dist/plugins/servers/ubuntu/index.js

@@ -99,16 +99,16 @@ class UbuntuPlugin {
         return false;
     }
     static helpText = {
-        SSH: `
-   SSH private key for accessing the Ubuntu server.
-
-   Step 1: Generate a new SSH key pair (if needed):
-   ssh-keygen -t ed25519 -C "deploy-key" -f ~/.ssh/deploy_key
-
-   Step 2: Add PUBLIC key to server:
-   ssh-copy-id -i ~/.ssh/deploy_key.pub ubuntu@YOUR_HOST
-
-   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
+        SSH: `
+   SSH private key for accessing the Ubuntu server.
+
+   Step 1: Generate a new SSH key pair (if needed):
+   ssh-keygen -t ed25519 -C "deploy-key" -f ~/.ssh/deploy_key
+
+   Step 2: Add PUBLIC key to server:
+   ssh-copy-id -i ~/.ssh/deploy_key.pub ubuntu@YOUR_HOST
+
+   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
    cat ~/.ssh/deploy_key`,
     };
     // ============================================================
@@ -155,25 +155,25 @@ class UbuntuPlugin {
      * Get the command to install Docker on Ubuntu
      */
     static getDockerInstallCommand() {
-        return `
-      sudo apt-get update && \
-      sudo apt-get install -y ca-certificates curl gnupg && \
-      sudo install -m 0755 -d /etc/apt/keyrings && \
-      curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
-      sudo chmod a+r /etc/apt/keyrings/docker.gpg && \
-      echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null && \
-      sudo apt-get update && \
-      sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin && \
-      sudo usermod -aG docker $USER
+        return `
+      sudo apt-get update && \
+      sudo apt-get install -y ca-certificates curl gnupg && \
+      sudo install -m 0755 -d /etc/apt/keyrings && \
+      curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
+      sudo chmod a+r /etc/apt/keyrings/docker.gpg && \
+      echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null && \
+      sudo apt-get update && \
+      sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin && \
+      sudo usermod -aG docker $USER
     `;
     }
     /**
      * Get the command to install Node.js on Ubuntu
      */
     static getNodeInstallCommand() {
-        return `
-      curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && \
-      sudo apt-get install -y nodejs
+        return `
+      curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && \
+      sudo apt-get install -y nodejs
     `;
     }
     /**

package/dist/plugins/servers/windows/index.js

@@ -99,12 +99,12 @@ class WindowsPlugin {
         return false;
     }
     static helpText = {
-        SSH: `
-   SSH/RDP credentials for accessing the Windows server.
-
-   For SSH access, ensure OpenSSH Server is installed on Windows:
-   - Settings > Apps > Optional Features > Add a feature > OpenSSH Server
-
+        SSH: `
+   SSH/RDP credentials for accessing the Windows server.
+
+   For SSH access, ensure OpenSSH Server is installed on Windows:
+   - Settings > Apps > Optional Features > Add a feature > OpenSSH Server
+
    For RDP access, use Remote Desktop Connection.`,
     };
     // ============================================================
@@ -182,11 +182,11 @@ class WindowsPlugin {
      * Requires Docker Desktop or WSL2 with Docker
      */
     static getDockerInstallCommand() {
-        return `
-      # Install Docker Desktop via Chocolatey
-      choco install docker-desktop -y
-      # Or install via winget
-      # winget install Docker.DockerDesktop
+        return `
+      # Install Docker Desktop via Chocolatey
+      choco install docker-desktop -y
+      # Or install via winget
+      # winget install Docker.DockerDesktop
     `;
     }
     /**
@@ -205,10 +205,10 @@ class WindowsPlugin {
      * Get the command to install Chocolatey (package manager)
      */
     static getChocoInstallCommand() {
-        return `
-      Set-ExecutionPolicy Bypass -Scope Process -Force
-      [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
-      iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
+        return `
+      Set-ExecutionPolicy Bypass -Scope Process -Force
+      [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
+      iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
     `;
     }
     // ============================================================

package/dist/scripts/generate-all.js

@@ -271,31 +271,31 @@ function generateNginx(allConfigs) {
         return 0;
     }
     // Generate nginx config
-    let nginxConf = `# Auto-generated nginx configuration
-# Generated by: npx stack (generate-all)
-# Do not edit directly - modify stack.yml files and run: npx stack deploy
-
-events {
-    worker_connections 1024;
-}
-
-http {
-    include /etc/nginx/mime.types;
-    default_type application/octet-stream;
-
-    sendfile on;
-    keepalive_timeout 65;
-    client_max_body_size 100M;
-
-    # Logging
-    access_log /var/log/nginx/access.log;
-    error_log /var/log/nginx/error.log;
-
-    # Gzip
-    gzip on;
-    gzip_vary on;
-    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
+    let nginxConf = `# Auto-generated nginx configuration
+# Generated by: npx stack (generate-all)
+# Do not edit directly - modify stack.yml files and run: npx stack deploy
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    sendfile on;
+    keepalive_timeout 65;
+    client_max_body_size 100M;
+
+    # Logging
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    # Gzip
+    gzip on;
+    gzip_vary on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
 `;
     // ============================================================
     // CRITICAL: HTTPS Certificate Paths
@@ -308,54 +308,54 @@ http {
     for (const { domain, service, port } of routes) {
         // Always generate HTTPS-capable config
         // Certificates must exist before nginx can start (obtained via: npx stack fix --staging/--prod)
-        nginxConf += `
-    # ${service} - ${domain}
-
-    # HTTP - ACME challenge + redirect to HTTPS
-    server {
-        listen 80;
-        server_name ${domain};
-
-        # Allow certbot ACME challenge (for renewals)
-        location /.well-known/acme-challenge/ {
-            root /var/www/certbot;
-        }
-
-        # Redirect all other traffic to HTTPS
-        location / {
-            return 301 https://$server_name$request_uri;
-        }
-    }
-
-    # HTTPS - main server block
-    server {
-        listen 443 ssl;
-        http2 on;
-        server_name ${domain};
-
-        # SSL certificate paths (Let's Encrypt)
-        ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
-
-        # SSL security settings
-        ssl_protocols TLSv1.2 TLSv1.3;
-        ssl_prefer_server_ciphers on;
-        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
-        ssl_session_cache shared:SSL:10m;
-        ssl_session_timeout 10m;
-
-        location / {
-            proxy_pass http://${service}:${port};
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection 'upgrade';
-            proxy_set_header Host $host;
-            proxy_cache_bypass $http_upgrade;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-        }
-    }
+        nginxConf += `
+    # ${service} - ${domain}
+
+    # HTTP - ACME challenge + redirect to HTTPS
+    server {
+        listen 80;
+        server_name ${domain};
+
+        # Allow certbot ACME challenge (for renewals)
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+
+        # Redirect all other traffic to HTTPS
+        location / {
+            return 301 https://$server_name$request_uri;
+        }
+    }
+
+    # HTTPS - main server block
+    server {
+        listen 443 ssl;
+        http2 on;
+        server_name ${domain};
+
+        # SSL certificate paths (Let's Encrypt)
+        ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
+
+        # SSL security settings
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+
+        location / {
+            proxy_pass http://${service}:${port};
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_cache_bypass $http_upgrade;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+    }
 `;
     }
     nginxConf += `}\n`;

package/dist/utils/deployment-report.js

@@ -154,8 +154,8 @@ function formatDeploymentReport(data) {
 function formatWorkflowSummary(data) {
     const report = formatDeploymentReport(data);
     // Workflow summaries support markdown, so we can enhance it
-    return `\`\`\`
-${report}
+    return `\`\`\`
+${report}
 \`\`\``;
 }
 /**

package/dist/utils/secret-prompts.js

@@ -64,16 +64,16 @@ const SECRET_METADATA = {
     STAGING_SSH: {
         type: 'ssh_key',
         description: 'SSH private key for accessing staging server',
-        helpText: `
-   Step 1: Generate a new SSH key pair:
-   ssh-keygen -t ed25519 -C "staging-deploy" -f ~/.ssh/staging_deploy
-   
-   Step 2: Add PUBLIC key to your staging server:
-   ssh-copy-id -i ~/.ssh/staging_deploy.pub ubuntu@YOUR_HOST
-   
-   (HOST is configured in stack.yml → environments.staging.host)
-   
-   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
+        helpText: `
+   Step 1: Generate a new SSH key pair:
+   ssh-keygen -t ed25519 -C "staging-deploy" -f ~/.ssh/staging_deploy
+   
+   Step 2: Add PUBLIC key to your staging server:
+   ssh-copy-id -i ~/.ssh/staging_deploy.pub ubuntu@YOUR_HOST
+   
+   (HOST is configured in stack.yml → environments.staging.host)
+   
+   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
    cat ~/.ssh/staging_deploy`,
         validation: (value) => {
             if (!value || value.trim().length === 0) {
@@ -91,16 +91,16 @@ const SECRET_METADATA = {
     PROD_SSH: {
         type: 'ssh_key',
         description: 'SSH private key for accessing production server',
-        helpText: `
-   Step 1: Generate a new SSH key pair:
-   ssh-keygen -t ed25519 -C "production-deploy" -f ~/.ssh/prod_deploy
-   
-   Step 2: Add PUBLIC key to your production server:
-   ssh-copy-id -i ~/.ssh/prod_deploy.pub ubuntu@YOUR_HOST
-   
-   (HOST is configured in stack.yml → environments.production.host)
-   
-   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
+        helpText: `
+   Step 1: Generate a new SSH key pair:
+   ssh-keygen -t ed25519 -C "production-deploy" -f ~/.ssh/prod_deploy
+   
+   Step 2: Add PUBLIC key to your production server:
+   ssh-copy-id -i ~/.ssh/prod_deploy.pub ubuntu@YOUR_HOST
+   
+   (HOST is configured in stack.yml → environments.production.host)
+   
+   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
    cat ~/.ssh/prod_deploy`,
         validation: (value) => {
             if (!value || value.trim().length === 0) {
@@ -118,14 +118,14 @@ const SECRET_METADATA = {
     AWS_SECRET_ACCESS_KEY: {
         type: 'aws_secret',
         description: 'AWS Secret Access Key (the only secret AWS value)',
-        helpText: `
-   Get from AWS Console: IAM → Users → Security credentials
-   
-   This is shown only once when you create the key.
-   If lost, you must create a new key pair.
-   
-   Note: AWS_ACCESS_KEY_ID and AWS_REGION go in stack.yml (not secrets)
-   
+        helpText: `
+   Get from AWS Console: IAM → Users → Security credentials
+   
+   This is shown only once when you create the key.
+   If lost, you must create a new key pair.
+   
+   Note: AWS_ACCESS_KEY_ID and AWS_REGION go in stack.yml (not secrets)
+   
    Enter AWS Secret Access Key:`,
         validation: (value) => {
             if (!value || value.trim().length === 0) {
@@ -143,12 +143,12 @@ const SECRET_METADATA = {
     VERCEL_TOKEN: {
         type: 'api_token',
         description: 'Vercel API Token for deployments',
-        helpText: `
-   Get your token from: https://vercel.com/account/tokens
-   Create a new token with:
-   - Scope: Full Account (or specific team)
-   - Expiration: No Expiration (or custom)
-   
+        helpText: `
+   Get your token from: https://vercel.com/account/tokens
+   Create a new token with:
+   - Scope: Full Account (or specific team)
+   - Expiration: No Expiration (or custom)
+   
    Enter Vercel API Token:`,
         validation: (value) => {
             if (!value || value.trim().length === 0) {

package/dist/utils/ssh-helper.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ssh-helper.d.ts","sourceRoot":"","sources":["../../src/utils/ssh-helper.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,iBAAiB,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAKjF;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAU5E;AA+BD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAS9E;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA4BlF;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,GACpB,iBAAiB,GAAG,IAAI,CAc1B;AAmZD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAmrB/D;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,OAAO,CAC3B,SAAS,EAAE,iBAAiB,EAC5B,OAAO,EAAE,MAAM,EACf,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,CAAC,CA8KjB"}
+{"version":3,"file":"ssh-helper.d.ts","sourceRoot":"","sources":["../../src/utils/ssh-helper.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,iBAAiB,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAKjF;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAU5E;AA+BD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAS9E;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA4BlF;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,GACpB,iBAAiB,GAAG,IAAI,CAc1B;AA+aD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAswB/D;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,OAAO,CAC3B,SAAS,EAAE,iBAAiB,EAC5B,OAAO,EAAE,MAAM,EACf,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,CAAC,CAqMjB"}

package/dist/utils/ssh-helper.js

@@ -305,25 +305,54 @@ async function autoSetupSshKey(stage, host, user, config, rootDir) {
     }
     // Copy public key to server
     console.log('   Copying public key to ' + user + '@' + host + '...');
-    console.log('   Enter password when prompted:');
-    console.log('');
-    try {
-        const copyResult = (0, child_process_1.spawnSync)('ssh-copy-id', [
-            '-i', pubKeyPath,
-            '-o', 'StrictHostKeyChecking=no',
-            user + '@' + host,
-        ], {
-            stdio: 'inherit',
-            timeout: 60000,
-        });
-        if (copyResult.status !== 0) {
-            console.log('   [!] ssh-copy-id failed');
+    if (process.platform === 'win32') {
+        // Windows: ssh-copy-id is not available — use SSH to pipe the public key
+        console.log('   Enter password when prompted by SSH:');
+        console.log('');
+        try {
+            const pubKeyContent = fs.readFileSync(pubKeyPath, 'utf8').trim();
+            const addKeyCmd = 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && echo "' + pubKeyContent + '" >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && sort -u -o ~/.ssh/authorized_keys ~/.ssh/authorized_keys';
+            const copyResult = (0, child_process_1.spawnSync)('ssh', [
+                '-o', 'StrictHostKeyChecking=no',
+                '-o', 'ConnectTimeout=10',
+                user + '@' + host,
+                addKeyCmd,
+            ], {
+                stdio: 'inherit',
+                timeout: 60000,
+            });
+            if (copyResult.status !== 0) {
+                console.log('   [!] Failed to copy public key to server');
+                return null;
+            }
+        }
+        catch (e) {
+            console.log('   [!] Failed to copy public key: ' + (e instanceof Error ? e.message : String(e)));
             return null;
         }
     }
-    catch (e) {
-        console.log('   [!] ssh-copy-id failed: ' + (e instanceof Error ? e.message : String(e)));
-        return null;
+    else {
+        // Linux/Mac: use ssh-copy-id
+        console.log('   Enter password when prompted:');
+        console.log('');
+        try {
+            const copyResult = (0, child_process_1.spawnSync)('ssh-copy-id', [
+                '-i', pubKeyPath,
+                '-o', 'StrictHostKeyChecking=no',
+                user + '@' + host,
+            ], {
+                stdio: 'inherit',
+                timeout: 60000,
+            });
+            if (copyResult.status !== 0) {
+                console.log('   [!] ssh-copy-id failed');
+                return null;
+            }
+        }
+        catch (e) {
+            console.log('   [!] ssh-copy-id failed: ' + (e instanceof Error ? e.message : String(e)));
+            return null;
+        }
     }
     // Fix remote permissions
     try {
@@ -822,15 +851,32 @@ async function sshRemoteFactiiiCommand(stage, config, command, rootDir) {
             }
             console.log('   SSH (password): ' + user + '@' + host + ' → npx stack ' + command);
             const pwStart = Date.now();
-            const pwResult = (0, child_process_1.spawnSync)('sshpass', [
-                '-p', password, 'ssh', '-tt',
-                '-o', 'StrictHostKeyChecking=no',
-                '-o', 'ConnectTimeout=10',
-                '-o', 'ServerAliveInterval=60',
-                '-o', 'ServerAliveCountMax=5',
-                user + '@' + host,
-                pwRemoteCommand,
-            ], { encoding: 'utf8', stdio: 'inherit', timeout: 600000 });
+            let pwResult;
+            if (process.platform === 'win32') {
+                // Windows: no sshpass — use interactive SSH so user types password
+                console.log('   You will be prompted for the password by SSH:');
+                console.log('');
+                pwResult = (0, child_process_1.spawnSync)('ssh', [
+                    '-tt',
+                    '-o', 'StrictHostKeyChecking=no',
+                    '-o', 'ConnectTimeout=10',
+                    '-o', 'ServerAliveInterval=60',
+                    '-o', 'ServerAliveCountMax=5',
+                    user + '@' + host,
+                    pwRemoteCommand,
+                ], { encoding: 'utf8', stdio: 'inherit', timeout: 600000 });
+            }
+            else {
+                pwResult = (0, child_process_1.spawnSync)('sshpass', [
+                    '-p', password, 'ssh', '-tt',
+                    '-o', 'StrictHostKeyChecking=no',
+                    '-o', 'ConnectTimeout=10',
+                    '-o', 'ServerAliveInterval=60',
+                    '-o', 'ServerAliveCountMax=5',
+                    user + '@' + host,
+                    pwRemoteCommand,
+                ], { encoding: 'utf8', stdio: 'inherit', timeout: 600000 });
+            }
             console.log('   SSH completed in ' + Math.floor((Date.now() - pwStart) / 1000) + 's');
             return {
                 success: pwResult.status === 0,
@@ -1054,6 +1100,68 @@ async function sshRemoteFactiiiCommand(stage, config, command, rootDir) {
             console.log('   Falling back to SSH password auth...');
             console.log('   SSH (password): ' + user + '@' + host + ' → npx stack ' + command);
             const startTime = Date.now();
+            // On Windows, sshpass is not available — use interactive SSH so user types password
+            if (process.platform === 'win32') {
+                console.log('   You will be prompted for the password by SSH:');
+                console.log('');
+                const result = (0, child_process_1.spawnSync)('ssh', [
+                    '-tt',
+                    '-o', 'StrictHostKeyChecking=no',
+                    '-o', 'ConnectTimeout=10',
+                    '-o', 'ServerAliveInterval=60',
+                    '-o', 'ServerAliveCountMax=5',
+                    user + '@' + host,
+                    remoteCommand,
+                ], {
+                    encoding: 'utf8',
+                    stdio: 'inherit',
+                    timeout: 600000,
+                });
+                const elapsed = Math.floor((Date.now() - startTime) / 1000);
+                console.log('   SSH completed in ' + elapsed + 's');
+                if (result.status === 0) {
+                    // Connection worked — set up SSH key for future so password isn't needed again
+                    console.log('   Setting up SSH key for future connections...');
+                    await autoSetupSshKey(stage, host, user, config, rootDir);
+                    return { success: true, stdout: '', stderr: '' };
+                }
+                // Interactive SSH failed — try auto key setup as last resort
+                console.log('   [!] SSH connection failed');
+                console.log('   Setting up SSH key auth for future connections...');
+                const autoKeyResult = await autoSetupSshKey(stage, host, user, config, rootDir);
+                if (autoKeyResult) {
+                    console.log('   Retrying command with SSH key...');
+                    console.log('   SSH (key): ' + user + '@' + host + ' → npx stack ' + command);
+                    const retryStart = Date.now();
+                    const retryResult = (0, child_process_1.spawnSync)('ssh', [
+                        '-tt',
+                        '-i', autoKeyResult,
+                        '-o', 'StrictHostKeyChecking=no',
+                        '-o', 'ConnectTimeout=10',
+                        '-o', 'ServerAliveInterval=60',
+                        '-o', 'ServerAliveCountMax=5',
+                        user + '@' + host,
+                        remoteCommand,
+                    ], {
+                        encoding: 'utf8',
+                        stdio: 'inherit',
+                        timeout: 600000,
+                    });
+                    const retryElapsed = Math.floor((Date.now() - retryStart) / 1000);
+                    console.log('   SSH completed in ' + retryElapsed + 's');
+                    return {
+                        success: retryResult.status === 0,
+                        stdout: '',
+                        stderr: retryResult.status !== 0 ? 'SSH command exited with code ' + retryResult.status : '',
+                    };
+                }
+                return {
+                    success: false,
+                    stdout: '',
+                    stderr: 'SSH connection failed. Check password and server accessibility.',
+                };
+            }
+            // Linux/Mac: use sshpass for non-interactive password auth
             const result = (0, child_process_1.spawnSync)('sshpass', [
                 '-p', password,
                 'ssh',
@@ -1298,6 +1406,26 @@ async function sshExec(envConfig, command, stage, config, rootDir) {
             }
         }
         if (password) {
+            if (process.platform === 'win32') {
+                // Windows: no sshpass — use interactive SSH (stdio: 'inherit' so user can type password)
+                const result = (0, child_process_1.spawnSync)('ssh', [
+                    '-tt',
+                    '-o', 'StrictHostKeyChecking=no',
+                    '-o', 'ConnectTimeout=10',
+                    '-o', 'ServerAliveInterval=60',
+                    '-o', 'ServerAliveCountMax=5',
+                    user + '@' + host,
+                    command,
+                ], {
+                    encoding: 'utf8',
+                    stdio: 'inherit',
+                });
+                if (result.status !== 0) {
+                    throw new Error('SSH command failed with exit code ' + result.status);
+                }
+                return '';
+            }
+            // Linux/Mac: use sshpass
             const result = (0, child_process_1.spawnSync)('sshpass', [
                 '-p', password,
                 'ssh',