@factiii/stack 0.1.185 → 0.1.187

package/dist/scripts/generate-all.js

@@ -271,31 +271,31 @@ function generateNginx(allConfigs) {
         return 0;
     }
     // Generate nginx config
-    let nginxConf = `# Auto-generated nginx configuration
-# Generated by: npx stack (generate-all)
-# Do not edit directly - modify stack.yml files and run: npx stack deploy
-
-events {
-    worker_connections 1024;
-}
-
-http {
-    include /etc/nginx/mime.types;
-    default_type application/octet-stream;
-
-    sendfile on;
-    keepalive_timeout 65;
-    client_max_body_size 100M;
-
-    # Logging
-    access_log /var/log/nginx/access.log;
-    error_log /var/log/nginx/error.log;
-
-    # Gzip
-    gzip on;
-    gzip_vary on;
-    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
+    let nginxConf = `# Auto-generated nginx configuration
+# Generated by: npx stack (generate-all)
+# Do not edit directly - modify stack.yml files and run: npx stack deploy
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    sendfile on;
+    keepalive_timeout 65;
+    client_max_body_size 100M;
+
+    # Logging
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
+
+    # Gzip
+    gzip on;
+    gzip_vary on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
 `;
     // ============================================================
     // CRITICAL: HTTPS Certificate Paths
@@ -308,54 +308,54 @@ http {
     for (const { domain, service, port } of routes) {
         // Always generate HTTPS-capable config
         // Certificates must exist before nginx can start (obtained via: npx stack fix --staging/--prod)
-        nginxConf += `
-    # ${service} - ${domain}
-
-    # HTTP - ACME challenge + redirect to HTTPS
-    server {
-        listen 80;
-        server_name ${domain};
-
-        # Allow certbot ACME challenge (for renewals)
-        location /.well-known/acme-challenge/ {
-            root /var/www/certbot;
-        }
-
-        # Redirect all other traffic to HTTPS
-        location / {
-            return 301 https://$server_name$request_uri;
-        }
-    }
-
-    # HTTPS - main server block
-    server {
-        listen 443 ssl;
-        http2 on;
-        server_name ${domain};
-
-        # SSL certificate paths (Let's Encrypt)
-        ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
-
-        # SSL security settings
-        ssl_protocols TLSv1.2 TLSv1.3;
-        ssl_prefer_server_ciphers on;
-        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
-        ssl_session_cache shared:SSL:10m;
-        ssl_session_timeout 10m;
-
-        location / {
-            proxy_pass http://${service}:${port};
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection 'upgrade';
-            proxy_set_header Host $host;
-            proxy_cache_bypass $http_upgrade;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-        }
-    }
+        nginxConf += `
+    # ${service} - ${domain}
+
+    # HTTP - ACME challenge + redirect to HTTPS
+    server {
+        listen 80;
+        server_name ${domain};
+
+        # Allow certbot ACME challenge (for renewals)
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+
+        # Redirect all other traffic to HTTPS
+        location / {
+            return 301 https://$server_name$request_uri;
+        }
+    }
+
+    # HTTPS - main server block
+    server {
+        listen 443 ssl;
+        http2 on;
+        server_name ${domain};
+
+        # SSL certificate paths (Let's Encrypt)
+        ssl_certificate /etc/letsencrypt/live/${domain}/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
+
+        # SSL security settings
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+
+        location / {
+            proxy_pass http://${service}:${port};
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_cache_bypass $http_upgrade;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+    }
 `;
     }
     nginxConf += `}\n`;

package/dist/utils/deployment-report.js

@@ -154,8 +154,8 @@ function formatDeploymentReport(data) {
 function formatWorkflowSummary(data) {
     const report = formatDeploymentReport(data);
     // Workflow summaries support markdown, so we can enhance it
-    return `\`\`\`
-${report}
+    return `\`\`\`
+${report}
 \`\`\``;
 }
 /**

package/dist/utils/secret-prompts.js

@@ -64,16 +64,16 @@ const SECRET_METADATA = {
     STAGING_SSH: {
         type: 'ssh_key',
         description: 'SSH private key for accessing staging server',
-        helpText: `
-   Step 1: Generate a new SSH key pair:
-   ssh-keygen -t ed25519 -C "staging-deploy" -f ~/.ssh/staging_deploy
-   
-   Step 2: Add PUBLIC key to your staging server:
-   ssh-copy-id -i ~/.ssh/staging_deploy.pub ubuntu@YOUR_HOST
-   
-   (HOST is configured in stack.yml → environments.staging.host)
-   
-   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
+        helpText: `
+   Step 1: Generate a new SSH key pair:
+   ssh-keygen -t ed25519 -C "staging-deploy" -f ~/.ssh/staging_deploy
+   
+   Step 2: Add PUBLIC key to your staging server:
+   ssh-copy-id -i ~/.ssh/staging_deploy.pub ubuntu@YOUR_HOST
+   
+   (HOST is configured in stack.yml → environments.staging.host)
+   
+   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
    cat ~/.ssh/staging_deploy`,
         validation: (value) => {
             if (!value || value.trim().length === 0) {
@@ -91,16 +91,16 @@ const SECRET_METADATA = {
     PROD_SSH: {
         type: 'ssh_key',
         description: 'SSH private key for accessing production server',
-        helpText: `
-   Step 1: Generate a new SSH key pair:
-   ssh-keygen -t ed25519 -C "production-deploy" -f ~/.ssh/prod_deploy
-   
-   Step 2: Add PUBLIC key to your production server:
-   ssh-copy-id -i ~/.ssh/prod_deploy.pub ubuntu@YOUR_HOST
-   
-   (HOST is configured in stack.yml → environments.production.host)
-   
-   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
+        helpText: `
+   Step 1: Generate a new SSH key pair:
+   ssh-keygen -t ed25519 -C "production-deploy" -f ~/.ssh/prod_deploy
+   
+   Step 2: Add PUBLIC key to your production server:
+   ssh-copy-id -i ~/.ssh/prod_deploy.pub ubuntu@YOUR_HOST
+   
+   (HOST is configured in stack.yml → environments.production.host)
+   
+   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
    cat ~/.ssh/prod_deploy`,
         validation: (value) => {
             if (!value || value.trim().length === 0) {
@@ -118,14 +118,14 @@ const SECRET_METADATA = {
     AWS_SECRET_ACCESS_KEY: {
         type: 'aws_secret',
         description: 'AWS Secret Access Key (the only secret AWS value)',
-        helpText: `
-   Get from AWS Console: IAM → Users → Security credentials
-   
-   This is shown only once when you create the key.
-   If lost, you must create a new key pair.
-   
-   Note: AWS_ACCESS_KEY_ID and AWS_REGION go in stack.yml (not secrets)
-   
+        helpText: `
+   Get from AWS Console: IAM → Users → Security credentials
+   
+   This is shown only once when you create the key.
+   If lost, you must create a new key pair.
+   
+   Note: AWS_ACCESS_KEY_ID and AWS_REGION go in stack.yml (not secrets)
+   
    Enter AWS Secret Access Key:`,
         validation: (value) => {
             if (!value || value.trim().length === 0) {
@@ -143,12 +143,12 @@ const SECRET_METADATA = {
     VERCEL_TOKEN: {
         type: 'api_token',
         description: 'Vercel API Token for deployments',
-        helpText: `
-   Get your token from: https://vercel.com/account/tokens
-   Create a new token with:
-   - Scope: Full Account (or specific team)
-   - Expiration: No Expiration (or custom)
-   
+        helpText: `
+   Get your token from: https://vercel.com/account/tokens
+   Create a new token with:
+   - Scope: Full Account (or specific team)
+   - Expiration: No Expiration (or custom)
+   
    Enter Vercel API Token:`,
         validation: (value) => {
             if (!value || value.trim().length === 0) {

package/dist/utils/ssh-helper.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ssh-helper.d.ts","sourceRoot":"","sources":["../../src/utils/ssh-helper.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,iBAAiB,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAKjF;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAU5E;AA+BD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAS9E;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA4BlF;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,GACpB,iBAAiB,GAAG,IAAI,CAc1B;AAmZD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAmrB/D;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,OAAO,CAC3B,SAAS,EAAE,iBAAiB,EAC5B,OAAO,EAAE,MAAM,EACf,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,CAAC,CA8KjB"}
+{"version":3,"file":"ssh-helper.d.ts","sourceRoot":"","sources":["../../src/utils/ssh-helper.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,iBAAiB,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAKjF;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAU5E;AA+BD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAS9E;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA4BlF;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,GACpB,iBAAiB,GAAG,IAAI,CAc1B;AA+aD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAiyB/D;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,OAAO,CAC3B,SAAS,EAAE,iBAAiB,EAC5B,OAAO,EAAE,MAAM,EACf,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,CAAC,CAqMjB"}

package/dist/utils/ssh-helper.js

@@ -305,25 +305,54 @@ async function autoSetupSshKey(stage, host, user, config, rootDir) {
     }
     // Copy public key to server
     console.log('   Copying public key to ' + user + '@' + host + '...');
-    console.log('   Enter password when prompted:');
-    console.log('');
-    try {
-        const copyResult = (0, child_process_1.spawnSync)('ssh-copy-id', [
-            '-i', pubKeyPath,
-            '-o', 'StrictHostKeyChecking=no',
-            user + '@' + host,
-        ], {
-            stdio: 'inherit',
-            timeout: 60000,
-        });
-        if (copyResult.status !== 0) {
-            console.log('   [!] ssh-copy-id failed');
+    if (process.platform === 'win32') {
+        // Windows: ssh-copy-id is not available — use SSH to pipe the public key
+        console.log('   Enter password when prompted by SSH:');
+        console.log('');
+        try {
+            const pubKeyContent = fs.readFileSync(pubKeyPath, 'utf8').trim();
+            const addKeyCmd = 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && echo "' + pubKeyContent + '" >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys && sort -u -o ~/.ssh/authorized_keys ~/.ssh/authorized_keys';
+            const copyResult = (0, child_process_1.spawnSync)('ssh', [
+                '-o', 'StrictHostKeyChecking=no',
+                '-o', 'ConnectTimeout=10',
+                user + '@' + host,
+                addKeyCmd,
+            ], {
+                stdio: 'inherit',
+                timeout: 60000,
+            });
+            if (copyResult.status !== 0) {
+                console.log('   [!] Failed to copy public key to server');
+                return null;
+            }
+        }
+        catch (e) {
+            console.log('   [!] Failed to copy public key: ' + (e instanceof Error ? e.message : String(e)));
             return null;
         }
     }
-    catch (e) {
-        console.log('   [!] ssh-copy-id failed: ' + (e instanceof Error ? e.message : String(e)));
-        return null;
+    else {
+        // Linux/Mac: use ssh-copy-id
+        console.log('   Enter password when prompted:');
+        console.log('');
+        try {
+            const copyResult = (0, child_process_1.spawnSync)('ssh-copy-id', [
+                '-i', pubKeyPath,
+                '-o', 'StrictHostKeyChecking=no',
+                user + '@' + host,
+            ], {
+                stdio: 'inherit',
+                timeout: 60000,
+            });
+            if (copyResult.status !== 0) {
+                console.log('   [!] ssh-copy-id failed');
+                return null;
+            }
+        }
+        catch (e) {
+            console.log('   [!] ssh-copy-id failed: ' + (e instanceof Error ? e.message : String(e)));
+            return null;
+        }
     }
     // Fix remote permissions
     try {
@@ -755,6 +784,8 @@ async function sshRemoteFactiiiCommand(stage, config, command, rootDir) {
         'if [ ! -d "' + projectDir + '/.git" ]; then ' +
         'echo "   Cloning project..." && ' +
         'mkdir -p $HOME/.factiii && ' +
+        // Remove broken/partial clone directory if it exists without .git
+        'if [ -d "' + projectDir + '" ]; then echo "   Removing broken clone..." && rm -rf "' + projectDir + '"; fi && ' +
         (githubRepo
             ? 'cd $HOME/.factiii && git clone https://github.com/' + githubRepo + '.git ' + repoName + '; '
             : 'echo "   [!] No github_repo configured — cannot auto-clone" && exit 1; ') +
@@ -822,15 +853,32 @@ async function sshRemoteFactiiiCommand(stage, config, command, rootDir) {
             }
             console.log('   SSH (password): ' + user + '@' + host + ' → npx stack ' + command);
             const pwStart = Date.now();
-            const pwResult = (0, child_process_1.spawnSync)('sshpass', [
-                '-p', password, 'ssh', '-tt',
-                '-o', 'StrictHostKeyChecking=no',
-                '-o', 'ConnectTimeout=10',
-                '-o', 'ServerAliveInterval=60',
-                '-o', 'ServerAliveCountMax=5',
-                user + '@' + host,
-                pwRemoteCommand,
-            ], { encoding: 'utf8', stdio: 'inherit', timeout: 600000 });
+            let pwResult;
+            if (process.platform === 'win32') {
+                // Windows: no sshpass — use interactive SSH so user types password
+                console.log('   You will be prompted for the password by SSH:');
+                console.log('');
+                pwResult = (0, child_process_1.spawnSync)('ssh', [
+                    '-tt',
+                    '-o', 'StrictHostKeyChecking=no',
+                    '-o', 'ConnectTimeout=10',
+                    '-o', 'ServerAliveInterval=60',
+                    '-o', 'ServerAliveCountMax=5',
+                    user + '@' + host,
+                    pwRemoteCommand,
+                ], { encoding: 'utf8', stdio: 'inherit', timeout: 600000 });
+            }
+            else {
+                pwResult = (0, child_process_1.spawnSync)('sshpass', [
+                    '-p', password, 'ssh', '-tt',
+                    '-o', 'StrictHostKeyChecking=no',
+                    '-o', 'ConnectTimeout=10',
+                    '-o', 'ServerAliveInterval=60',
+                    '-o', 'ServerAliveCountMax=5',
+                    user + '@' + host,
+                    pwRemoteCommand,
+                ], { encoding: 'utf8', stdio: 'inherit', timeout: 600000 });
+            }
             console.log('   SSH completed in ' + Math.floor((Date.now() - pwStart) / 1000) + 's');
             return {
                 success: pwResult.status === 0,
@@ -859,6 +907,29 @@ async function sshRemoteFactiiiCommand(stage, config, command, rootDir) {
         timeout: 10000,
     });
     if (keyTest.status !== 0) {
+        const keyTestStderr = (keyTest.stderr ?? '').toLowerCase();
+        // Detect DNS/connection failures — don't delete key or try password, the server is unreachable
+        const isConnectionFailure = keyTestStderr.includes('could not resolve') ||
+            keyTestStderr.includes('connection refused') ||
+            keyTestStderr.includes('connection timed out') ||
+            keyTestStderr.includes('no route to host') ||
+            keyTestStderr.includes('network is unreachable') ||
+            keyTestStderr.includes('unknown port') ||
+            keyTestStderr.includes('name or service not known');
+        if (isConnectionFailure) {
+            console.log('   [!] Cannot connect to ' + host + ' — server may be down or domain not resolving');
+            console.log('   SSH error: ' + (keyTest.stderr ?? '').trim());
+            console.log('');
+            console.log('   Check:');
+            console.log('     - DNS: does ' + host + ' resolve? (nslookup ' + host + ')');
+            console.log('     - Server: is the server running and accepting SSH on port 22?');
+            console.log('     - Firewall: is port 22 open?');
+            return {
+                success: false,
+                stdout: '',
+                stderr: 'Cannot connect to ' + host + ': ' + (keyTest.stderr ?? '').trim(),
+            };
+        }
         // Categorize key type — only remove repo-specific deploy keys, not system/.pem keys
         const isRepoSpecificKey = activeKeyPath.includes('_deploy_key') || activeKeyPath.endsWith('_factiii');
         const isPemKey = activeKeyPath.endsWith('.pem');
@@ -1054,6 +1125,68 @@ async function sshRemoteFactiiiCommand(stage, config, command, rootDir) {
             console.log('   Falling back to SSH password auth...');
             console.log('   SSH (password): ' + user + '@' + host + ' → npx stack ' + command);
             const startTime = Date.now();
+            // On Windows, sshpass is not available — use interactive SSH so user types password
+            if (process.platform === 'win32') {
+                console.log('   You will be prompted for the password by SSH:');
+                console.log('');
+                const result = (0, child_process_1.spawnSync)('ssh', [
+                    '-tt',
+                    '-o', 'StrictHostKeyChecking=no',
+                    '-o', 'ConnectTimeout=10',
+                    '-o', 'ServerAliveInterval=60',
+                    '-o', 'ServerAliveCountMax=5',
+                    user + '@' + host,
+                    remoteCommand,
+                ], {
+                    encoding: 'utf8',
+                    stdio: 'inherit',
+                    timeout: 600000,
+                });
+                const elapsed = Math.floor((Date.now() - startTime) / 1000);
+                console.log('   SSH completed in ' + elapsed + 's');
+                if (result.status === 0) {
+                    // Connection worked — set up SSH key for future so password isn't needed again
+                    console.log('   Setting up SSH key for future connections...');
+                    await autoSetupSshKey(stage, host, user, config, rootDir);
+                    return { success: true, stdout: '', stderr: '' };
+                }
+                // Interactive SSH failed — try auto key setup as last resort
+                console.log('   [!] SSH connection failed');
+                console.log('   Setting up SSH key auth for future connections...');
+                const autoKeyResult = await autoSetupSshKey(stage, host, user, config, rootDir);
+                if (autoKeyResult) {
+                    console.log('   Retrying command with SSH key...');
+                    console.log('   SSH (key): ' + user + '@' + host + ' → npx stack ' + command);
+                    const retryStart = Date.now();
+                    const retryResult = (0, child_process_1.spawnSync)('ssh', [
+                        '-tt',
+                        '-i', autoKeyResult,
+                        '-o', 'StrictHostKeyChecking=no',
+                        '-o', 'ConnectTimeout=10',
+                        '-o', 'ServerAliveInterval=60',
+                        '-o', 'ServerAliveCountMax=5',
+                        user + '@' + host,
+                        remoteCommand,
+                    ], {
+                        encoding: 'utf8',
+                        stdio: 'inherit',
+                        timeout: 600000,
+                    });
+                    const retryElapsed = Math.floor((Date.now() - retryStart) / 1000);
+                    console.log('   SSH completed in ' + retryElapsed + 's');
+                    return {
+                        success: retryResult.status === 0,
+                        stdout: '',
+                        stderr: retryResult.status !== 0 ? 'SSH command exited with code ' + retryResult.status : '',
+                    };
+                }
+                return {
+                    success: false,
+                    stdout: '',
+                    stderr: 'SSH connection failed. Check password and server accessibility.',
+                };
+            }
+            // Linux/Mac: use sshpass for non-interactive password auth
             const result = (0, child_process_1.spawnSync)('sshpass', [
                 '-p', password,
                 'ssh',
@@ -1298,6 +1431,26 @@ async function sshExec(envConfig, command, stage, config, rootDir) {
             }
         }
         if (password) {
+            if (process.platform === 'win32') {
+                // Windows: no sshpass — use interactive SSH (stdio: 'inherit' so user can type password)
+                const result = (0, child_process_1.spawnSync)('ssh', [
+                    '-tt',
+                    '-o', 'StrictHostKeyChecking=no',
+                    '-o', 'ConnectTimeout=10',
+                    '-o', 'ServerAliveInterval=60',
+                    '-o', 'ServerAliveCountMax=5',
+                    user + '@' + host,
+                    command,
+                ], {
+                    encoding: 'utf8',
+                    stdio: 'inherit',
+                });
+                if (result.status !== 0) {
+                    throw new Error('SSH command failed with exit code ' + result.status);
+                }
+                return '';
+            }
+            // Linux/Mac: use sshpass
             const result = (0, child_process_1.spawnSync)('sshpass', [
                 '-p', password,
                 'ssh',