@factiii/stack 0.1.2

package/dist/utils/ssh-deploy.js

@@ -0,0 +1,268 @@
+"use strict";
+/**
+ * SSH Deploy Helper
+ *
+ * Utility for deploying secrets to remote servers via SSH.
+ * Used by the `factiii secrets deploy` command to write .env files
+ * directly from the dev laptop to staging/prod servers.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SSHDeploy = void 0;
+const child_process_1 = require("child_process");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+/**
+ * SSH Deploy - handles secure deployment of secrets to remote servers
+ */
+class SSHDeploy {
+    host;
+    user;
+    privateKey;
+    repoName;
+    keyPath = null;
+    constructor(config) {
+        this.host = config.host;
+        this.user = config.user;
+        this.privateKey = config.privateKey;
+        this.repoName = config.repoName;
+    }
+    /**
+     * Write SSH key to temp file and return path
+     */
+    setupSSHKey() {
+        const keyPath = path.join(os.tmpdir(), `factiii-deploy-key-${Date.now()}`);
+        // Ensure key ends with newline (SSH requirement)
+        let key = this.privateKey;
+        if (!key.endsWith('\n')) {
+            key += '\n';
+        }
+        fs.writeFileSync(keyPath, key, { mode: 0o600 });
+        this.keyPath = keyPath;
+        return keyPath;
+    }
+    /**
+     * Clean up temporary SSH key file
+     */
+    cleanupSSHKey() {
+        if (this.keyPath && fs.existsSync(this.keyPath)) {
+            try {
+                fs.unlinkSync(this.keyPath);
+            }
+            catch {
+                // ignore cleanup errors
+            }
+            this.keyPath = null;
+        }
+    }
+    /**
+     * Execute SSH command
+     */
+    sshExec(command) {
+        const keyPath = this.keyPath ?? this.setupSSHKey();
+        // Build SSH command with strict options
+        const sshCmd = [
+            'ssh',
+            '-i', `"${keyPath}"`,
+            '-o', 'StrictHostKeyChecking=no',
+            '-o', 'UserKnownHostsFile=/dev/null',
+            '-o', 'BatchMode=yes',
+            '-o', 'ConnectTimeout=30',
+            `"${this.user}@${this.host}"`,
+            `"${command.replace(/"/g, '\\"')}"`,
+        ].join(' ');
+        try {
+            return (0, child_process_1.execSync)(sshCmd, {
+                encoding: 'utf8',
+                stdio: ['pipe', 'pipe', 'pipe'],
+            });
+        }
+        catch (e) {
+            const error = e;
+            throw new Error(`SSH command failed: ${error.stderr || error.message}`);
+        }
+    }
+    /**
+     * Test SSH connection to server
+     */
+    async testConnection() {
+        try {
+            this.setupSSHKey();
+            this.sshExec('echo "Connection test"');
+            return true;
+        }
+        catch {
+            return false;
+        }
+        finally {
+            this.cleanupSSHKey();
+        }
+    }
+    /**
+     * Convert environment variables to .env file format
+     */
+    envToFileContent(envVars) {
+        const lines = [];
+        lines.push('# Environment variables - deployed by factiii secrets');
+        lines.push(`# Last updated: ${new Date().toISOString()}`);
+        lines.push('');
+        for (const [key, value] of Object.entries(envVars)) {
+            // Quote values that contain spaces, special chars, or are multi-line
+            const needsQuotes = /[\s"'$`\\]/.test(value) || value.includes('\n');
+            if (needsQuotes) {
+                // Use double quotes and escape inner double quotes and backslashes
+                const escaped = value
+                    .replace(/\\/g, '\\\\')
+                    .replace(/"/g, '\\"')
+                    .replace(/\n/g, '\\n');
+                lines.push(`${key}="${escaped}"`);
+            }
+            else {
+                lines.push(`${key}=${value}`);
+            }
+        }
+        return lines.join('\n') + '\n';
+    }
+    /**
+     * Write .env file to server
+     */
+    async writeEnvFile(stage, envVars) {
+        try {
+            this.setupSSHKey();
+            const envContent = this.envToFileContent(envVars);
+            const envFileName = `.env.${stage}`;
+            const factiiiDir = `\\$HOME/.factiii/${this.repoName}`;
+            const envFilePath = `${factiiiDir}/${envFileName}`;
+            // Create directory if it doesn't exist, then write the file
+            // Use heredoc to safely pass content with special characters
+            const escapedContent = envContent
+                .replace(/\\/g, '\\\\')
+                .replace(/'/g, "'\\''");
+            const command = `mkdir -p ${factiiiDir} && cat > ${envFilePath} << 'FACTIII_ENV_EOF'
+${envContent}FACTIII_ENV_EOF
+chmod 600 ${envFilePath}`;
+            this.sshExec(command);
+            const keyCount = Object.keys(envVars).length;
+            return {
+                success: true,
+                message: `Wrote ${keyCount} environment variables to ${envFilePath} on ${this.host}`,
+            };
+        }
+        catch (e) {
+            return {
+                success: false,
+                error: e instanceof Error ? e.message : String(e),
+            };
+        }
+        finally {
+            this.cleanupSSHKey();
+        }
+    }
+    /**
+     * Restart container on server
+     */
+    async restartContainer(containerName) {
+        try {
+            this.setupSSHKey();
+            const command = `docker restart ${containerName}`;
+            this.sshExec(command);
+            return {
+                success: true,
+                message: `Restarted container ${containerName}`,
+            };
+        }
+        catch (e) {
+            return {
+                success: false,
+                error: e instanceof Error ? e.message : String(e),
+            };
+        }
+        finally {
+            this.cleanupSSHKey();
+        }
+    }
+    /**
+     * Check if env file exists on server
+     */
+    async checkEnvFileExists(stage) {
+        try {
+            this.setupSSHKey();
+            const envFileName = `.env.${stage}`;
+            const factiiiDir = `\\$HOME/.factiii/${this.repoName}`;
+            const envFilePath = `${factiiiDir}/${envFileName}`;
+            const command = `test -f ${envFilePath} && echo "exists" || echo "missing"`;
+            const result = this.sshExec(command).trim();
+            return result === 'exists';
+        }
+        catch {
+            return false;
+        }
+        finally {
+            this.cleanupSSHKey();
+        }
+    }
+    /**
+     * Get last modified time of env file on server
+     */
+    async getEnvFileInfo(stage) {
+        try {
+            this.setupSSHKey();
+            const envFileName = `.env.${stage}`;
+            const factiiiDir = `\\$HOME/.factiii/${this.repoName}`;
+            const envFilePath = `${factiiiDir}/${envFileName}`;
+            // Cross-platform: macOS uses `stat -f %m`, Linux uses `stat -c %Y`
+            const command = `stat -f %m ${envFilePath} 2>/dev/null || stat -c %Y ${envFilePath} 2>/dev/null || echo "missing"`;
+            const result = this.sshExec(command).trim();
+            if (result === 'missing') {
+                return { exists: false };
+            }
+            const timestamp = parseInt(result, 10);
+            return {
+                exists: true,
+                modified: new Date(timestamp * 1000),
+            };
+        }
+        catch {
+            return { exists: false };
+        }
+        finally {
+            this.cleanupSSHKey();
+        }
+    }
+}
+exports.SSHDeploy = SSHDeploy;
+exports.default = SSHDeploy;
+//# sourceMappingURL=ssh-deploy.js.map

package/dist/utils/ssh-deploy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh-deploy.js","sourceRoot":"","sources":["../../src/utils/ssh-deploy.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,iDAAyC;AACzC,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAezB;;GAEG;AACH,MAAa,SAAS;IACV,IAAI,CAAS;IACb,IAAI,CAAS;IACb,UAAU,CAAS;IACnB,QAAQ,CAAS;IACjB,OAAO,GAAkB,IAAI,CAAC;IAEtC,YAAY,MAAuB;QAC/B,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QACxB,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;QACpC,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IACpC,CAAC;IAED;;OAEG;IACK,WAAW;QACf,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,sBAAsB,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAE3E,iDAAiD;QACjD,IAAI,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC;QAC1B,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACtB,GAAG,IAAI,IAAI,CAAC;QAChB,CAAC;QAED,EAAE,CAAC,aAAa,CAAC,OAAO,EAAE,GAAG,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;QAChD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;QACvB,OAAO,OAAO,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,aAAa;QACjB,IAAI,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9C,IAAI,CAAC;gBACD,EAAE,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAChC,CAAC;YAAC,MAAM,CAAC;gBACL,wBAAwB;YAC5B,CAAC;YACD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC;QACxB,CAAC;IACL,CAAC;IAED;;OAEG;IACK,OAAO,CAAC,OAAe;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QAEnD,wCAAwC;QACxC,MAAM,MAAM,GAAG;YACX,KAAK;YACL,IAAI,EAAE,IAAI,OAAO,GAAG;YACpB,IAAI,EAAE,0BAA0B;YAChC,IAAI,EAAE,8BAA8B;YACpC,IAAI,EAAE,eAAe;YACrB,IAAI,EAAE,mBAAmB;YACzB,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,GAAG;YAC7B,IAAI,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG;SACtC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,IAAI,CAAC;YACD,OAAO,IAAA,wBAAQ,EAAC,MAAM,EAAE;gBACpB,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAClC,CAAC,CAAC;QACP,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACT,MAAM,KAAK,GAAG,CAA0C,CAAC;YACzD,MAAM,IAAI,KAAK,CAAC,uBAAuB,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5E,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc;QAChB,IAAI,CAAC;YACD,IAAI,CAAC,WAAW,EAAE,CAAC;YACnB,IAAI,CAAC,OAAO,CAAC,wBAAwB,CAAC,CAAC;YACvC,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;gBAAS,CAAC;YACP,IAAI,CAAC,aAAa,EAAE,CAAC;QACzB,CAAC;IACL,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,OAA+B;QACpD,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,KAAK,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;QACpE,KAAK,CAAC,IAAI,CAAC,mBAAmB,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;QAC1D,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAEf,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACjD,qEAAqE;YACrE,MAAM,WAAW,GAAG,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACrE,IAAI,WAAW,EAAE,CAAC;gBACd,mEAAmE;gBACnE,MAAM,OAAO,GAAG,KAAK;qBAChB,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC;qBACtB,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;qBACpB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;gBAC3B,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,KAAK,OAAO,GAAG,CAAC,CAAC;YACtC,CAAC;iBAAM,CAAC;gBACJ,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC;YAClC,CAAC;QACL,CAAC;QAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,YAAY,CACd,KAAyB,EACzB,OAA+B;QAE/B,IAAI,CAAC;YACD,IAAI,CAAC,WAAW,EAAE,CAAC;YAEnB,MAAM,UAAU,GAAG,IAAI,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;YAClD,MAAM,WAAW,GAAG,QAAQ,KAAK,EAAE,CAAC;YACpC,MAAM,UAAU,GAAG,oBAAoB,IAAI,CAAC,QAAQ,EAAE,CAAC;YACvD,MAAM,WAAW,GAAG,GAAG,UAAU,IAAI,WAAW,EAAE,CAAC;YAEnD,4DAA4D;YAC5D,6DAA6D;YAC7D,MAAM,cAAc,GAAG,UAAU;iBAC5B,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC;iBACtB,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAE5B,MAAM,OAAO,GAAG,YAAY,UAAU,aAAa,WAAW;EACxE,UAAU;YACA,WAAW,EAAE,CAAC;YAEd,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAEtB,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;YAC7C,OAAO;gBACH,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,SAAS,QAAQ,6BAA6B,WAAW,OAAO,IAAI,CAAC,IAAI,EAAE;aACvF,CAAC;QACN,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACT,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;aACpD,CAAC;QACN,CAAC;gBAAS,CAAC;YACP,IAAI,CAAC,aAAa,EAAE,CAAC;QACzB,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,gBAAgB,CAAC,aAAqB;QACxC,IAAI,CAAC;YACD,IAAI,CAAC,WAAW,EAAE,CAAC;YAEnB,MAAM,OAAO,GAAG,kBAAkB,aAAa,EAAE,CAAC;YAClD,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAEtB,OAAO;gBACH,OAAO,EAAE,IAAI;gBACb,OAAO,EAAE,uBAAuB,aAAa,EAAE;aAClD,CAAC;QACN,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACT,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;aACpD,CAAC;QACN,CAAC;gBAAS,CAAC;YACP,IAAI,CAAC,aAAa,EAAE,CAAC;QACzB,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB,CAAC,KAAyB;QAC9C,IAAI,CAAC;YACD,IAAI,CAAC,WAAW,EAAE,CAAC;YAEnB,MAAM,WAAW,GAAG,QAAQ,KAAK,EAAE,CAAC;YACpC,MAAM,UAAU,GAAG,oBAAoB,IAAI,CAAC,QAAQ,EAAE,CAAC;YACvD,MAAM,WAAW,GAAG,GAAG,UAAU,IAAI,WAAW,EAAE,CAAC;YAEnD,MAAM,OAAO,GAAG,WAAW,WAAW,qCAAqC,CAAC;YAC5E,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;YAE5C,OAAO,MAAM,KAAK,QAAQ,CAAC;QAC/B,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;gBAAS,CAAC;YACP,IAAI,CAAC,aAAa,EAAE,CAAC;QACzB,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAAC,KAAyB;QAC1C,IAAI,CAAC;YACD,IAAI,CAAC,WAAW,EAAE,CAAC;YAEnB,MAAM,WAAW,GAAG,QAAQ,KAAK,EAAE,CAAC;YACpC,MAAM,UAAU,GAAG,oBAAoB,IAAI,CAAC,QAAQ,EAAE,CAAC;YACvD,MAAM,WAAW,GAAG,GAAG,UAAU,IAAI,WAAW,EAAE,CAAC;YAEnD,mEAAmE;YACnE,MAAM,OAAO,GAAG,cAAc,WAAW,8BAA8B,WAAW,gCAAgC,CAAC;YACnH,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;YAE5C,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACvB,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;YAC7B,CAAC;YAED,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YACvC,OAAO;gBACH,MAAM,EAAE,IAAI;gBACZ,QAAQ,EAAE,IAAI,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;aACvC,CAAC;QACN,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QAC7B,CAAC;gBAAS,CAAC;YACP,IAAI,CAAC,aAAa,EAAE,CAAC;QACzB,CAAC;IACL,CAAC;CACJ;AA1OD,8BA0OC;AAED,kBAAe,SAAS,CAAC"}

package/dist/utils/ssh-helper.d.ts

@@ -0,0 +1,40 @@
+import type { EnvironmentConfig, FactiiiConfig, Stage } from '../types/index.js';
+/**
+ * Find the SSH key path for a given stage.
+ * Only returns stage-specific deploy keys — no generic key fallback.
+ *
+ * @param stage - The deployment stage (staging, prod, mac)
+ * @returns Absolute path to SSH key, or null if none found
+ */
+export declare function findSshKeyForStage(stage: string): string | null;
+/**
+ * Get the EnvironmentConfig for a given stage from factiii.yml config.
+ * Returns the first environment matching the stage.
+ *
+ * @param stage - The deployment stage (staging, prod)
+ * @param config - Parsed factiii.yml config
+ * @returns EnvironmentConfig with domain and ssh_user, or null
+ */
+export declare function getEnvConfigForStage(stage: Stage, config: FactiiiConfig): EnvironmentConfig | null;
+/**
+ * Execute a Factiii CLI command on a remote server via direct SSH.
+ * Used by scan.ts, fix.ts, and deployStage() when canReach returns via: 'ssh'.
+ *
+ * @param stage - Target stage (staging, prod)
+ * @param config - Parsed factiii.yml config
+ * @param command - The factiii CLI command to run (e.g., 'scan --staging', 'fix --prod')
+ * @returns Object with success, stdout, and stderr
+ */
+export declare function sshRemoteFactiiiCommand(stage: Stage, config: FactiiiConfig, command: string): {
+    success: boolean;
+    stdout: string;
+    stderr: string;
+};
+/**
+ * Execute a command on a remote server via SSH
+ * @param envConfig - Environment config with host and ssh_user
+ * @param command - Command to execute
+ * @returns Command output
+ */
+export declare function sshExec(envConfig: EnvironmentConfig, command: string): Promise<string>;
+//# sourceMappingURL=ssh-helper.d.ts.map

package/dist/utils/ssh-helper.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh-helper.d.ts","sourceRoot":"","sources":["../../src/utils/ssh-helper.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,iBAAiB,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAajF;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAY/D;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,GACpB,iBAAiB,GAAG,IAAI,CAc1B;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,MAAM,GACd;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAuEtD;AAED;;;;;GAKG;AACH,wBAAsB,OAAO,CAC3B,SAAS,EAAE,iBAAiB,EAC5B,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,CAAC,CAkDjB"}

package/dist/utils/ssh-helper.js

@@ -0,0 +1,221 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.findSshKeyForStage = findSshKeyForStage;
+exports.getEnvConfigForStage = getEnvConfigForStage;
+exports.sshRemoteFactiiiCommand = sshRemoteFactiiiCommand;
+exports.sshExec = sshExec;
+/**
+ * SSH Helper Utility
+ *
+ * Shared SSH execution logic for pipeline and server plugins.
+ * Provides a consistent way to execute commands on remote servers.
+ *
+ * Supports environment-specific deploy keys only:
+ * - ~/.ssh/staging_deploy_key, ~/.ssh/prod_deploy_key, ~/.ssh/mac_deploy_key
+ * - Generated by: npx factiii secrets write-ssh-keys
+ */
+const child_process_1 = require("child_process");
+const os = __importStar(require("os"));
+const path = __importStar(require("path"));
+const fs = __importStar(require("fs"));
+const config_helpers_js_1 = require("./config-helpers.js");
+/**
+ * Map of stage names to their environment-specific SSH key filenames.
+ * These keys are extracted from Ansible Vault by `npx factiii secrets write-ssh-keys`.
+ */
+const STAGE_KEY_MAP = {
+    staging: ['staging_deploy_key'],
+    prod: ['prod_deploy_key'],
+    mac: ['mac_deploy_key'],
+};
+/**
+ * Find the SSH key path for a given stage.
+ * Only returns stage-specific deploy keys — no generic key fallback.
+ *
+ * @param stage - The deployment stage (staging, prod, mac)
+ * @returns Absolute path to SSH key, or null if none found
+ */
+function findSshKeyForStage(stage) {
+    const sshDir = path.join(os.homedir(), '.ssh');
+    const stageKeys = STAGE_KEY_MAP[stage] ?? [];
+    for (const keyName of stageKeys) {
+        const keyPath = path.join(sshDir, keyName);
+        if (fs.existsSync(keyPath)) {
+            return keyPath;
+        }
+    }
+    return null;
+}
+/**
+ * Get the EnvironmentConfig for a given stage from factiii.yml config.
+ * Returns the first environment matching the stage.
+ *
+ * @param stage - The deployment stage (staging, prod)
+ * @param config - Parsed factiii.yml config
+ * @returns EnvironmentConfig with domain and ssh_user, or null
+ */
+function getEnvConfigForStage(stage, config) {
+    const environments = (0, config_helpers_js_1.extractEnvironments)(config);
+    for (const [envName, envConfig] of Object.entries(environments)) {
+        try {
+            if ((0, config_helpers_js_1.getStageFromEnvironment)(envName) === stage) {
+                return envConfig;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    return null;
+}
+/**
+ * Execute a Factiii CLI command on a remote server via direct SSH.
+ * Used by scan.ts, fix.ts, and deployStage() when canReach returns via: 'ssh'.
+ *
+ * @param stage - Target stage (staging, prod)
+ * @param config - Parsed factiii.yml config
+ * @param command - The factiii CLI command to run (e.g., 'scan --staging', 'fix --prod')
+ * @returns Object with success, stdout, and stderr
+ */
+function sshRemoteFactiiiCommand(stage, config, command) {
+    const envConfig = getEnvConfigForStage(stage, config);
+    if (!envConfig) {
+        return {
+            success: false,
+            stdout: '',
+            stderr: 'No environment config found for stage: ' + stage,
+        };
+    }
+    const host = envConfig.domain;
+    const user = envConfig.ssh_user ?? 'root';
+    const keyPath = findSshKeyForStage(stage);
+    if (!keyPath) {
+        return {
+            success: false,
+            stdout: '',
+            stderr: 'No SSH key found at ' + path.join(os.homedir(), '.ssh', stage + '_deploy_key') + '. Run: npx factiii secrets write-ssh-keys',
+        };
+    }
+    if (!host) {
+        return {
+            success: false,
+            stdout: '',
+            stderr: 'No domain configured for stage: ' + stage + '. Check factiii.yml environments.',
+        };
+    }
+    // Build the remote command
+    // Run inside the factiii repo directory on the server
+    // $HOME is expanded by the remote shell, supporting non-root users
+    const repoName = config.name || 'app';
+    const remoteCommand = 'export PATH="/usr/local/bin:/opt/homebrew/bin:$PATH" && export FACTIII_ON_SERVER=true && cd $HOME/.factiii/' + repoName + ' && npx factiii ' + command;
+    console.log('   SSH: ' + user + '@' + host + ' → npx factiii ' + command);
+    console.log('   Connecting to ' + host + '... (timeout: 10min)');
+    const startTime = Date.now();
+    const result = (0, child_process_1.spawnSync)('ssh', [
+        '-i', keyPath,
+        '-o', 'StrictHostKeyChecking=no',
+        '-o', 'ConnectTimeout=10',
+        '-o', 'ServerAliveInterval=60',
+        '-o', 'ServerAliveCountMax=5',
+        user + '@' + host,
+        remoteCommand,
+    ], {
+        encoding: 'utf8',
+        stdio: ['pipe', 'pipe', 'pipe'],
+        timeout: 600000, // 10 minute timeout for long-running operations
+    });
+    const elapsed = Math.floor((Date.now() - startTime) / 1000);
+    console.log('   SSH completed in ' + elapsed + 's');
+    // Print output in real-time style
+    if (result.stdout) {
+        process.stdout.write(result.stdout);
+    }
+    if (result.stderr) {
+        process.stderr.write(result.stderr);
+    }
+    return {
+        success: result.status === 0,
+        stdout: result.stdout ?? '',
+        stderr: result.stderr ?? '',
+    };
+}
+/**
+ * Execute a command on a remote server via SSH
+ * @param envConfig - Environment config with host and ssh_user
+ * @param command - Command to execute
+ * @returns Command output
+ */
+async function sshExec(envConfig, command) {
+    // ============================================================
+    // CRITICAL: Detect if we're already on the server
+    // ============================================================
+    // When GITHUB_ACTIONS=true or FACTIII_ON_SERVER=true, we're executing
+    // on the server itself. Run commands locally instead of trying to SSH.
+    // ============================================================
+    if (process.env.GITHUB_ACTIONS === 'true' || process.env.FACTIII_ON_SERVER === 'true') {
+        // We're already on the server - run command locally
+        const result = (0, child_process_1.execSync)(command, { encoding: 'utf8', stdio: 'pipe' });
+        return result.trim();
+    }
+    // Running from dev machine - SSH to server
+    const host = envConfig.domain;
+    const user = envConfig.ssh_user ?? 'ubuntu';
+    // Only use environment-specific deploy keys (no generic key fallback)
+    const keyPaths = [
+        path.join(os.homedir(), '.ssh', 'staging_deploy_key'),
+        path.join(os.homedir(), '.ssh', 'prod_deploy_key'),
+        path.join(os.homedir(), '.ssh', 'mac_deploy_key'),
+    ];
+    let keyPath = null;
+    for (const kp of keyPaths) {
+        if (fs.existsSync(kp)) {
+            keyPath = kp;
+            break;
+        }
+    }
+    if (!keyPath) {
+        throw new Error('No SSH key found. Add a deploy key to ~/.ssh/ or run: npx factiii secrets write-ssh-keys');
+    }
+    const result = (0, child_process_1.execSync)('ssh -i ' + keyPath +
+        ' -o StrictHostKeyChecking=no' +
+        ' -o ConnectTimeout=10' +
+        ' -o ServerAliveInterval=60' +
+        ' -o ServerAliveCountMax=5' +
+        ' ' + user + '@' + host +
+        ' "' + command.replace(/"/g, '\\"') + '"', { encoding: 'utf8', stdio: 'pipe' });
+    return result.trim();
+}
+//# sourceMappingURL=ssh-helper.js.map

package/dist/utils/ssh-helper.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssh-helper.js","sourceRoot":"","sources":["../../src/utils/ssh-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmCA,gDAYC;AAUD,oDAiBC;AAWD,0DA2EC;AAQD,0BAqDC;AA7ND;;;;;;;;;GASG;AACH,iDAAoD;AACpD,uCAAyB;AACzB,2CAA6B;AAC7B,uCAAyB;AAGzB,2DAAmF;AAEnF;;;GAGG;AACH,MAAM,aAAa,GAA6B;IAC9C,OAAO,EAAE,CAAC,oBAAoB,CAAC;IAC/B,IAAI,EAAE,CAAC,iBAAiB,CAAC;IACzB,GAAG,EAAE,CAAC,gBAAgB,CAAC;CACxB,CAAC;AAEF;;;;;;GAMG;AACH,SAAgB,kBAAkB,CAAC,KAAa;IAC9C,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,CAAC,CAAC;IAE/C,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IAC7C,KAAK,MAAM,OAAO,IAAI,SAAS,EAAE,CAAC;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC3C,IAAI,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,OAAO,OAAO,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,oBAAoB,CAClC,KAAY,EACZ,MAAqB;IAErB,MAAM,YAAY,GAAG,IAAA,uCAAmB,EAAC,MAAM,CAAC,CAAC;IAEjD,KAAK,MAAM,CAAC,OAAO,EAAE,SAAS,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,CAAC;QAChE,IAAI,CAAC;YACH,IAAI,IAAA,2CAAuB,EAAC,OAAO,CAAC,KAAK,KAAK,EAAE,CAAC;gBAC/C,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,uBAAuB,CACrC,KAAY,EACZ,MAAqB,EACrB,OAAe;IAEf,MAAM,SAAS,GAAG,oBAAoB,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACtD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,EAAE;YACV,MAAM,EAAE,yCAAyC,GAAG,KAAK;SAC1D,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,SAAS,CAAC,MAAM,CAAC;IAC9B,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,IAAI,MAAM,CAAC;IAC1C,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAE1C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,EAAE;YACV,MAAM,EAAE,sBAAsB,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,KAAK,GAAG,aAAa,CAAC,GAAG,2CAA2C;SACtI,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,EAAE;YACV,MAAM,EAAE,kCAAkC,GAAG,KAAK,GAAG,mCAAmC;SACzF,CAAC;IACJ,CAAC;IAED,2BAA2B;IAC3B,sDAAsD;IACtD,mEAAmE;IACnE,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,IAAI,KAAK,CAAC;IACtC,MAAM,aAAa,GAAG,6GAA6G,GAAG,QAAQ,GAAG,kBAAkB,GAAG,OAAO,CAAC;IAE9K,OAAO,CAAC,GAAG,CAAC,UAAU,GAAG,IAAI,GAAG,GAAG,GAAG,IAAI,GAAG,iBAAiB,GAAG,OAAO,CAAC,CAAC;IAC1E,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,IAAI,GAAG,sBAAsB,CAAC,CAAC;IAEjE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,MAAM,MAAM,GAAG,IAAA,yBAAS,EAAC,KAAK,EAAE;QAC9B,IAAI,EAAE,OAAO;QACb,IAAI,EAAE,0BAA0B;QAChC,IAAI,EAAE,mBAAmB;QACzB,IAAI,EAAE,wBAAwB;QAC9B,IAAI,EAAE,uBAAuB;QAC7B,IAAI,GAAG,GAAG,GAAG,IAAI;QACjB,aAAa;KACd,EAAE;QACD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;QAC/B,OAAO,EAAE,MAAM,EAAE,gDAAgD;KAClE,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,GAAG,IAAI,CAAC,CAAC;IAC5D,OAAO,CAAC,GAAG,CAAC,sBAAsB,GAAG,OAAO,GAAG,GAAG,CAAC,CAAC;IAEpD,kCAAkC;IAClC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACtC,CAAC;IAED,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC5B,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE;QAC3B,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,EAAE;KAC5B,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,OAAO,CAC3B,SAA4B,EAC5B,OAAe;IAEf,+DAA+D;IAC/D,kDAAkD;IAClD,+DAA+D;IAC/D,sEAAsE;IACtE,uEAAuE;IACvE,+DAA+D;IAC/D,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,KAAK,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,MAAM,EAAE,CAAC;QACtF,oDAAoD;QACpD,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,OAAO,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACtE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;IACvB,CAAC;IAED,2CAA2C;IAC3C,MAAM,IAAI,GAAG,SAAS,CAAC,MAAM,CAAC;IAC9B,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,IAAI,QAAQ,CAAC;IAE5C,sEAAsE;IACtE,MAAM,QAAQ,GAAG;QACf,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,oBAAoB,CAAC;QACrD,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,iBAAiB,CAAC;QAClD,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,gBAAgB,CAAC;KAClD,CAAC;IAEF,IAAI,OAAO,GAAkB,IAAI,CAAC;IAClC,KAAK,MAAM,EAAE,IAAI,QAAQ,EAAE,CAAC;QAC1B,IAAI,EAAE,CAAC,UAAU,CAAC,EAAE,CAAC,EAAE,CAAC;YACtB,OAAO,GAAG,EAAE,CAAC;YACb,MAAM;QACR,CAAC;IACH,CAAC;IAED,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,0FAA0F,CAC3F,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,IAAA,wBAAQ,EACrB,SAAS,GAAG,OAAO;QACnB,8BAA8B;QAC9B,uBAAuB;QACvB,4BAA4B;QAC5B,2BAA2B;QAC3B,GAAG,GAAG,IAAI,GAAG,GAAG,GAAG,IAAI;QACvB,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,GAAG,EACzC,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,CACpC,CAAC;IAEF,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;AACvB,CAAC"}

package/dist/utils/template-generator.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Template Generator
+ *
+ * Generates template files for environment configuration.
+ */
+import type { FactiiiConfig } from '../types/index.js';
+interface EnvVars {
+    [key: string]: string;
+}
+interface TemplateCreationError {
+    file: string;
+    error: string;
+}
+interface TemplateCreationResult {
+    created: string[];
+    skipped: string[];
+    errors: TemplateCreationError[];
+}
+/**
+ * Generate .env.example template file content
+ * @param config - Parsed factiii.yml configuration
+ */
+export declare function generateEnvExampleTemplate(config: FactiiiConfig): string;
+/**
+ * Generate .env template file content for staging/prod
+ * Copies structure from .env.example with placeholder values
+ * @param environment - 'staging' or 'prod'
+ * @param devEnv - Parsed .env.example key-value pairs
+ */
+export declare function generateEnvTemplate(environment: string, devEnv: EnvVars): string;
+/**
+ * Create .env template files if they don't exist
+ * @param rootDir - Repository root directory
+ * @param config - Parsed factiii.yml configuration
+ */
+export declare function createEnvTemplates(rootDir: string, config: FactiiiConfig): TemplateCreationResult;
+/**
+ * Generate secrets checklist for display
+ */
+export declare function generateSecretsChecklist(): string;
+export {};
+//# sourceMappingURL=template-generator.d.ts.map

package/dist/utils/template-generator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"template-generator.d.ts","sourceRoot":"","sources":["../../src/utils/template-generator.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAMH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAEvD,UAAU,OAAO;IACf,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;CACvB;AAED,UAAU,qBAAqB;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED,UAAU,sBAAsB;IAC9B,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,MAAM,EAAE,qBAAqB,EAAE,CAAC;CACjC;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CA+CxE;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,GAAG,MAAM,CA8BhF;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,OAAO,EAAE,MAAM,EACf,MAAM,EAAE,aAAa,GACpB,sBAAsB,CAgExB;AAED;;GAEG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAuBjD"}