@factiii/stack 0.1.201 → 0.7.1

package/dist/utils/secret-prompts.js

@@ -64,16 +64,16 @@ const SECRET_METADATA = {
     STAGING_SSH: {
         type: 'ssh_key',
         description: 'SSH private key for accessing staging server',
-        helpText: `
-   Step 1: Generate a new SSH key pair:
-   ssh-keygen -t ed25519 -C "staging-deploy" -f ~/.ssh/staging_deploy
-   
-   Step 2: Add PUBLIC key to your staging server:
-   ssh-copy-id -i ~/.ssh/staging_deploy.pub ubuntu@YOUR_HOST
-   
-   (HOST is configured in stack.yml → environments.staging.host)
-   
-   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
+        helpText: `
+   Step 1: Generate a new SSH key pair:
+   ssh-keygen -t ed25519 -C "staging-deploy" -f ~/.ssh/staging_deploy
+   
+   Step 2: Add PUBLIC key to your staging server:
+   ssh-copy-id -i ~/.ssh/staging_deploy.pub ubuntu@YOUR_HOST
+   
+   (HOST is configured in stack.yml → environments.staging.host)
+   
+   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
    cat ~/.ssh/staging_deploy`,
         validation: (value) => {
             if (!value || value.trim().length === 0) {
@@ -91,16 +91,16 @@ const SECRET_METADATA = {
     PROD_SSH: {
         type: 'ssh_key',
         description: 'SSH private key for accessing production server',
-        helpText: `
-   Step 1: Generate a new SSH key pair:
-   ssh-keygen -t ed25519 -C "production-deploy" -f ~/.ssh/prod_deploy
-   
-   Step 2: Add PUBLIC key to your production server:
-   ssh-copy-id -i ~/.ssh/prod_deploy.pub ubuntu@YOUR_HOST
-   
-   (HOST is configured in stack.yml → environments.production.host)
-   
-   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
+        helpText: `
+   Step 1: Generate a new SSH key pair:
+   ssh-keygen -t ed25519 -C "production-deploy" -f ~/.ssh/prod_deploy
+   
+   Step 2: Add PUBLIC key to your production server:
+   ssh-copy-id -i ~/.ssh/prod_deploy.pub ubuntu@YOUR_HOST
+   
+   (HOST is configured in stack.yml → environments.production.host)
+   
+   Step 3: Paste the PRIVATE key below (multi-line, end with blank line):
    cat ~/.ssh/prod_deploy`,
         validation: (value) => {
             if (!value || value.trim().length === 0) {
@@ -118,14 +118,14 @@ const SECRET_METADATA = {
     AWS_SECRET_ACCESS_KEY: {
         type: 'aws_secret',
         description: 'AWS Secret Access Key (the only secret AWS value)',
-        helpText: `
-   Get from AWS Console: IAM → Users → Security credentials
-   
-   This is shown only once when you create the key.
-   If lost, you must create a new key pair.
-   
-   Note: AWS_ACCESS_KEY_ID and AWS_REGION go in stack.yml (not secrets)
-   
+        helpText: `
+   Get from AWS Console: IAM → Users → Security credentials
+   
+   This is shown only once when you create the key.
+   If lost, you must create a new key pair.
+   
+   Note: AWS_ACCESS_KEY_ID and AWS_REGION go in stack.yml (not secrets)
+   
    Enter AWS Secret Access Key:`,
         validation: (value) => {
             if (!value || value.trim().length === 0) {
@@ -143,12 +143,12 @@ const SECRET_METADATA = {
     VERCEL_TOKEN: {
         type: 'api_token',
         description: 'Vercel API Token for deployments',
-        helpText: `
-   Get your token from: https://vercel.com/account/tokens
-   Create a new token with:
-   - Scope: Full Account (or specific team)
-   - Expiration: No Expiration (or custom)
-   
+        helpText: `
+   Get your token from: https://vercel.com/account/tokens
+   Create a new token with:
+   - Scope: Full Account (or specific team)
+   - Expiration: No Expiration (or custom)
+   
    Enter Vercel API Token:`,
         validation: (value) => {
             if (!value || value.trim().length === 0) {

package/dist/utils/ssh-helper.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ssh-helper.d.ts","sourceRoot":"","sources":["../../src/utils/ssh-helper.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,iBAAiB,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAKjF;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAU5E;AA+BD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAS9E;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA4BlF;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,GACpB,iBAAiB,GAAG,IAAI,CAc1B;AA+aD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CA+2B/D;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,OAAO,CAC3B,SAAS,EAAE,iBAAiB,EAC5B,OAAO,EAAE,MAAM,EACf,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,CAAC,CAqMjB"}
+{"version":3,"file":"ssh-helper.d.ts","sourceRoot":"","sources":["../../src/utils/ssh-helper.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,iBAAiB,EAAE,aAAa,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAKjF;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAU5E;AA+BD;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAS9E;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA4BlF;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,GACpB,iBAAiB,GAAG,IAAI,CAc1B;AAwbD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,uBAAuB,CAC3C,KAAK,EAAE,KAAK,EACZ,MAAM,EAAE,aAAa,EACrB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CA+2B/D;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,OAAO,CAC3B,SAAS,EAAE,iBAAiB,EAC5B,OAAO,EAAE,MAAM,EACf,KAAK,CAAC,EAAE,KAAK,EACb,MAAM,CAAC,EAAE,aAAa,EACtB,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAAC,MAAM,CAAC,CAqMjB"}

package/dist/utils/ssh-helper.js

@@ -354,14 +354,15 @@ async function autoSetupSshKey(stage, host, user, config, rootDir) {
             return null;
         }
     }
-    // Fix remote permissions
+    // Fix remote permissions using the key we just copied (avoid extra password prompt)
     try {
         (0, child_process_1.spawnSync)('ssh', [
+            '-i', keyPath,
             '-o', 'StrictHostKeyChecking=no',
             '-o', 'ConnectTimeout=5',
             user + '@' + host,
             'chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys',
-        ], { stdio: 'inherit', timeout: 15000 });
+        ], { encoding: 'utf8', stdio: 'pipe', timeout: 15000 });
     }
     catch { /* best effort */ }
     // Verify key auth
@@ -426,6 +427,11 @@ async function promptAndValidatePassword(stage, host, user, config, rootDir) {
             stdio: 'pipe',
             timeout: 15000,
         });
+        if (testResult.status === 5) {
+            // sshpass exit code 5 = wrong password
+            console.log('   [!] Incorrect password.');
+            return null;
+        }
         if (testResult.status !== 0) {
             // sshpass failed — likely keyboard-interactive auth (Mac servers)
             // Fall back to auto SSH key setup so we never need sshpass again
@@ -513,16 +519,18 @@ async function promptAndValidatePassword(stage, host, user, config, rootDir) {
                 // Store password in vault anyway so sshExec can try it
                 return await storePasswordAndReturn(password, stage, config, rootDir);
             }
-            // Step 2.5: Fix remote permissions (common issue on Mac servers)
+            // Step 2.5: Fix remote permissions using the key we just copied (avoid extra password prompt)
             console.log('   Fixing remote SSH permissions...');
             try {
                 (0, child_process_1.spawnSync)('ssh', [
+                    '-i', keyPath,
                     '-o', 'StrictHostKeyChecking=no',
                     '-o', 'ConnectTimeout=5',
                     user + '@' + host,
                     'chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys',
                 ], {
-                    stdio: 'inherit',
+                    encoding: 'utf8',
+                    stdio: 'pipe',
                     timeout: 15000,
                 });
             }
@@ -764,107 +772,67 @@ async function sshRemoteFactiiiCommand(stage, config, command, rootDir) {
     const localGithubToken = process.env.GITHUB_TOKEN || '';
     const tokenExport = localGithubToken ? 'export GITHUB_TOKEN="' + localGithubToken + '" && ' : '';
     // Auto-bootstrap: install dependencies and clone repo if missing on server
-    // Platform-aware: Mac uses Homebrew, Ubuntu uses apt-get
-    const serverType = envConfig.server ?? 'ubuntu';
-    const isMacServer = serverType === 'mac';
-    const bootstrapCmd = isMacServer
-        ? (
-        // ── macOS bootstrap (Homebrew) ──
-        // Install Homebrew if missing
-        'export PATH="/opt/homebrew/bin:/usr/local/bin:$PATH" && ' +
-            'if ! command -v brew &>/dev/null; then ' +
-            'echo "   Installing Homebrew..." && ' +
-            '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" && ' +
-            'eval "$(/opt/homebrew/bin/brew shellenv 2>/dev/null || /usr/local/bin/brew shellenv 2>/dev/null)"; ' +
-            'fi && ' +
-            // Install git if missing (usually pre-installed via Xcode CLI tools)
-            'if ! command -v git &>/dev/null; then ' +
-            'echo "   Installing git..." && ' +
-            'brew install git; ' +
-            'fi && ' +
-            // Install Node.js if missing
-            'if ! command -v node &>/dev/null; then ' +
-            'echo "   Installing Node.js..." && ' +
-            'brew install node; ' +
-            'fi && ' +
-            // Install Docker (Colima) if missing
-            'if ! command -v docker &>/dev/null; then ' +
-            'echo "   Installing Docker via Colima..." && ' +
-            'brew install docker docker-compose colima && ' +
-            'colima start --memory 4 --cpu 2; ' +
-            'fi && ' +
-            // Ensure Docker daemon is running (Colima or Docker Desktop)
-            'if ! docker info &>/dev/null; then ' +
-            'echo "   Starting Docker..." && ' +
-            'if command -v colima &>/dev/null; then ' +
-            'colima start --memory 4 --cpu 2 2>/dev/null; ' +
-            'elif [ -d "/Applications/Docker.app" ]; then ' +
-            'nohup /Applications/Docker.app/Contents/MacOS/Docker --unattended > /dev/null 2>&1 & ' +
-            'for i in $(seq 1 30); do sleep 1; if docker info &>/dev/null; then break; fi; done; ' +
-            'fi; ' +
-            'fi && ')
-        : (
-        // ── Ubuntu/Linux bootstrap (apt-get) ──
-        // Install git if missing
-        'if ! command -v git &>/dev/null; then ' +
-            'echo "   Installing git..." && ' +
-            'sudo apt-get update -qq && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq git; ' +
-            'fi && ' +
-            // Install Node.js if missing
-            'if ! command -v node &>/dev/null; then ' +
-            'echo "   Installing Node.js 20.x..." && ' +
-            'curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && ' +
-            'sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq nodejs; ' +
-            'fi && ' +
-            // Install Docker if missing
-            'if ! command -v docker &>/dev/null; then ' +
-            'echo "   Installing Docker..." && ' +
-            'sudo apt-get update -qq && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq docker.io docker-compose-v2 && ' +
-            'sudo usermod -aG docker $USER && ' +
-            'sudo systemctl enable docker && sudo systemctl start docker; ' +
-            'fi && ') +
-            // Clone repo if missing (check .git dir to catch empty/broken clones)
-            'if [ ! -d "' + projectDir + '/.git" ]; then ' +
-            'echo "   Cloning project..." && ' +
-            'mkdir -p $HOME/.factiii && ' +
-            // Remove broken/partial clone directory if it exists without .git
-            'if [ -d "' + projectDir + '" ]; then echo "   Removing broken clone..." && rm -rf "' + projectDir + '"; fi && ' +
-            // Add github.com to known_hosts to avoid interactive prompt
-            'mkdir -p ~/.ssh && ssh-keyscan -t ed25519,rsa github.com >> ~/.ssh/known_hosts 2>/dev/null && ' +
-            // Generate a GitHub deploy key on the server if none exists
-            'if [ ! -f ~/.ssh/github_deploy_key ]; then ' +
-            'echo "   Generating GitHub deploy key on server..." && ' +
-            'ssh-keygen -t ed25519 -f ~/.ssh/github_deploy_key -N "" -C "server-deploy" -q && ' +
-            'chmod 600 ~/.ssh/github_deploy_key; ' +
-            'fi && ' +
-            // Configure SSH to use the deploy key for github.com
-            'if ! grep -q "Host github.com" ~/.ssh/config 2>/dev/null; then ' +
-            'printf "\\nHost github.com\\n  IdentityFile ~/.ssh/github_deploy_key\\n  IdentitiesOnly yes\\n" >> ~/.ssh/config && ' +
-            'chmod 600 ~/.ssh/config; ' +
-            'fi && ' +
-            (githubRepo
-                ? 'cd $HOME/.factiii && ' +
-                    // Try HTTPS with token first (works for private repos when GITHUB_TOKEN is set)
-                    'if [ -n "$GITHUB_TOKEN" ]; then ' +
-                    'GIT_TERMINAL_PROMPT=0 git clone https://x-access-token:$GITHUB_TOKEN@github.com/' + githubRepo + '.git ' + repoName + '; ' +
-                    // Then try SSH (works if server has a GitHub deploy key in repo settings)
-                    'elif GIT_TERMINAL_PROMPT=0 git clone git@github.com:' + githubRepo + '.git ' + repoName + ' 2>/dev/null; then ' +
-                    'true; ' +
-                    // All clone methods failed — show deploy key and instructions
-                    'else ' +
-                    'echo "" && ' +
-                    'echo "   [!] Cannot clone private repo — server needs GitHub access" && ' +
-                    'echo "" && ' +
-                    'echo "   Add this deploy key to your GitHub repo:" && ' +
-                    'echo "   GitHub → ' + githubRepo + ' → Settings → Deploy keys → Add" && ' +
-                    'echo "" && ' +
-                    'cat ~/.ssh/github_deploy_key.pub && ' +
-                    'echo "" && ' +
-                    'echo "   Then re-run: npx stack fix --prod" && ' +
-                    'exit 1; ' +
-                    'fi; '
-                : 'echo "   [!] No github_repo configured — cannot auto-clone" && exit 1; ') +
-            'fi && ';
+    const bootstrapCmd = 
+    // Install git if missing
+    'if ! command -v git &>/dev/null; then ' +
+        'echo "   Installing git..." && ' +
+        'sudo apt-get update -qq && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq git; ' +
+        'fi && ' +
+        // Install Node.js if missing
+        'if ! command -v node &>/dev/null; then ' +
+        'echo "   Installing Node.js 20.x..." && ' +
+        'curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && ' +
+        'sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq nodejs; ' +
+        'fi && ' +
+        // Install Docker if missing
+        'if ! command -v docker &>/dev/null; then ' +
+        'echo "   Installing Docker..." && ' +
+        'sudo apt-get update -qq && sudo DEBIAN_FRONTEND=noninteractive apt-get install -y -qq docker.io docker-compose-v2 && ' +
+        'sudo usermod -aG docker $USER && ' +
+        'sudo systemctl enable docker && sudo systemctl start docker; ' +
+        'fi && ' +
+        // Clone repo if missing (check .git dir to catch empty/broken clones)
+        'if [ ! -d "' + projectDir + '/.git" ]; then ' +
+        'echo "   Cloning project..." && ' +
+        'mkdir -p $HOME/.factiii && ' +
+        // Remove broken/partial clone directory if it exists without .git
+        'if [ -d "' + projectDir + '" ]; then echo "   Removing broken clone..." && rm -rf "' + projectDir + '"; fi && ' +
+        // Add github.com to known_hosts to avoid interactive prompt
+        'mkdir -p ~/.ssh && ssh-keyscan -t ed25519,rsa github.com >> ~/.ssh/known_hosts 2>/dev/null && ' +
+        // Generate a GitHub deploy key on the server if none exists
+        'if [ ! -f ~/.ssh/github_deploy_key ]; then ' +
+        'echo "   Generating GitHub deploy key on server..." && ' +
+        'ssh-keygen -t ed25519 -f ~/.ssh/github_deploy_key -N "" -C "server-deploy" -q && ' +
+        'chmod 600 ~/.ssh/github_deploy_key; ' +
+        'fi && ' +
+        // Configure SSH to use the deploy key for github.com
+        'if ! grep -q "Host github.com" ~/.ssh/config 2>/dev/null; then ' +
+        'printf "\\nHost github.com\\n  IdentityFile ~/.ssh/github_deploy_key\\n  IdentitiesOnly yes\\n" >> ~/.ssh/config && ' +
+        'chmod 600 ~/.ssh/config; ' +
+        'fi && ' +
+        (githubRepo
+            ? 'cd $HOME/.factiii && ' +
+                // Try HTTPS with token first (works for private repos when GITHUB_TOKEN is set)
+                'if [ -n "$GITHUB_TOKEN" ]; then ' +
+                'GIT_TERMINAL_PROMPT=0 git clone https://x-access-token:$GITHUB_TOKEN@github.com/' + githubRepo + '.git ' + repoName + '; ' +
+                // Then try SSH (works if server has a GitHub deploy key in repo settings)
+                'elif GIT_TERMINAL_PROMPT=0 git clone git@github.com:' + githubRepo + '.git ' + repoName + ' 2>/dev/null; then ' +
+                'true; ' +
+                // All clone methods failed — show deploy key and instructions
+                'else ' +
+                'echo "" && ' +
+                'echo "   [!] Cannot clone private repo — server needs GitHub access" && ' +
+                'echo "" && ' +
+                'echo "   Add this deploy key to your GitHub repo:" && ' +
+                'echo "   GitHub → ' + githubRepo + ' → Settings → Deploy keys → Add" && ' +
+                'echo "" && ' +
+                'cat ~/.ssh/github_deploy_key.pub && ' +
+                'echo "" && ' +
+                'echo "   Then re-run: npx stack fix --prod" && ' +
+                'exit 1; ' +
+                'fi; '
+            : 'echo "   [!] No github_repo configured — cannot auto-clone" && exit 1; ') +
+        'fi && ';
     const projectCheckCmd = bootstrapCmd;
     // Step 2: Still no key — prompt for it (EC2: .pem file, others: password)
     if (!resolvedKeyPath) {
@@ -919,47 +887,61 @@ async function sshRemoteFactiiiCommand(stage, config, command, rootDir) {
             if (!password) {
                 password = await promptAndValidatePassword(stage, host, user, config, rootDir);
             }
-            if (!password) {
+            // promptAndValidatePassword may have set up an SSH key — check before falling back to sshpass
+            const candidateKey1 = path.join(os.homedir(), '.ssh', stage + '_deploy_key');
+            if (fs.existsSync(candidateKey1)) {
+                const kv = (0, child_process_1.spawnSync)('ssh', [
+                    '-i', candidateKey1, '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=no',
+                    '-o', 'ConnectTimeout=5', user + '@' + host, 'echo ok',
+                ], { encoding: 'utf8', stdio: 'pipe', timeout: 10000 });
+                if (kv.status === 0) {
+                    resolvedKeyPath = candidateKey1;
+                }
+            }
+            // If we now have a key, skip sshpass and fall through to Step 3
+            if (!resolvedKeyPath) {
+                if (!password) {
+                    return {
+                        success: false,
+                        stdout: '',
+                        stderr: 'No SSH key for ' + stage + '. For EC2: provide the .pem file from AWS Console.',
+                    };
+                }
+                console.log('   SSH (password): ' + user + '@' + host + ' → npx stack ' + command);
+                const pwStart = Date.now();
+                let pwResult;
+                if (process.platform === 'win32') {
+                    // Windows: no sshpass — use interactive SSH so user types password
+                    console.log('   You will be prompted for the password by SSH:');
+                    console.log('');
+                    pwResult = (0, child_process_1.spawnSync)('ssh', [
+                        '-tt',
+                        '-o', 'StrictHostKeyChecking=no',
+                        '-o', 'ConnectTimeout=10',
+                        '-o', 'ServerAliveInterval=60',
+                        '-o', 'ServerAliveCountMax=5',
+                        user + '@' + host,
+                        pwRemoteCommand,
+                    ], { encoding: 'utf8', stdio: 'inherit', timeout: 600000 });
+                }
+                else {
+                    pwResult = (0, child_process_1.spawnSync)('sshpass', [
+                        '-p', password, 'ssh', '-tt',
+                        '-o', 'StrictHostKeyChecking=no',
+                        '-o', 'ConnectTimeout=10',
+                        '-o', 'ServerAliveInterval=60',
+                        '-o', 'ServerAliveCountMax=5',
+                        user + '@' + host,
+                        pwRemoteCommand,
+                    ], { encoding: 'utf8', stdio: 'inherit', timeout: 600000 });
+                }
+                console.log('   SSH completed in ' + Math.floor((Date.now() - pwStart) / 1000) + 's');
                 return {
-                    success: false,
+                    success: pwResult.status === 0,
                     stdout: '',
-                    stderr: 'No SSH key for ' + stage + '. For EC2: provide the .pem file from AWS Console.',
+                    stderr: pwResult.status !== 0 ? 'SSH command exited with code ' + pwResult.status : '',
                 };
             }
-            console.log('   SSH (password): ' + user + '@' + host + ' → npx stack ' + command);
-            const pwStart = Date.now();
-            let pwResult;
-            if (process.platform === 'win32') {
-                // Windows: no sshpass — use interactive SSH so user types password
-                console.log('   You will be prompted for the password by SSH:');
-                console.log('');
-                pwResult = (0, child_process_1.spawnSync)('ssh', [
-                    '-tt',
-                    '-o', 'StrictHostKeyChecking=no',
-                    '-o', 'ConnectTimeout=10',
-                    '-o', 'ServerAliveInterval=60',
-                    '-o', 'ServerAliveCountMax=5',
-                    user + '@' + host,
-                    pwRemoteCommand,
-                ], { encoding: 'utf8', stdio: 'inherit', timeout: 600000 });
-            }
-            else {
-                pwResult = (0, child_process_1.spawnSync)('sshpass', [
-                    '-p', password, 'ssh', '-tt',
-                    '-o', 'StrictHostKeyChecking=no',
-                    '-o', 'ConnectTimeout=10',
-                    '-o', 'ServerAliveInterval=60',
-                    '-o', 'ServerAliveCountMax=5',
-                    user + '@' + host,
-                    pwRemoteCommand,
-                ], { encoding: 'utf8', stdio: 'inherit', timeout: 600000 });
-            }
-            console.log('   SSH completed in ' + Math.floor((Date.now() - pwStart) / 1000) + 's');
-            return {
-                success: pwResult.status === 0,
-                stdout: '',
-                stderr: pwResult.status !== 0 ? 'SSH command exited with code ' + pwResult.status : '',
-            };
         }
     }
     // Step 3: We have a key — build command and run
@@ -1196,6 +1178,32 @@ async function sshRemoteFactiiiCommand(stage, config, command, rootDir) {
         if (!password) {
             password = await promptAndValidatePassword(stage, host, user, config, rootDir);
         }
+        // promptAndValidatePassword may have set up an SSH key — use it directly instead of sshpass
+        const candidateKey2 = path.join(os.homedir(), '.ssh', stage + '_deploy_key');
+        if (fs.existsSync(candidateKey2)) {
+            const kv2 = (0, child_process_1.spawnSync)('ssh', [
+                '-i', candidateKey2, '-o', 'BatchMode=yes', '-o', 'StrictHostKeyChecking=no',
+                '-o', 'ConnectTimeout=5', user + '@' + host, 'echo ok',
+            ], { encoding: 'utf8', stdio: 'pipe', timeout: 10000 });
+            if (kv2.status === 0) {
+                console.log('   [OK] Using SSH key set up during password auth');
+                const ksStart = Date.now();
+                const ksResult = (0, child_process_1.spawnSync)('ssh', [
+                    '-tt', '-i', candidateKey2,
+                    '-o', 'StrictHostKeyChecking=no',
+                    '-o', 'ConnectTimeout=10',
+                    '-o', 'ServerAliveInterval=60',
+                    '-o', 'ServerAliveCountMax=5',
+                    user + '@' + host, remoteCommand,
+                ], { encoding: 'utf8', stdio: 'inherit', timeout: 600000 });
+                console.log('   SSH completed in ' + Math.floor((Date.now() - ksStart) / 1000) + 's');
+                return {
+                    success: ksResult.status === 0,
+                    stdout: '',
+                    stderr: ksResult.status !== 0 ? 'SSH command exited with code ' + ksResult.status : '',
+                };
+            }
+        }
         if (password) {
             console.log('   Falling back to SSH password auth...');
             console.log('   SSH (password): ' + user + '@' + host + ' → npx stack ' + command);