@factiii/stack 0.1.23 → 0.1.25

package/dist/plugins/pipelines/factiii/workflows/stack-deploy.yml

@@ -0,0 +1,202 @@
+name: Stack Deploy
+
+# Generated by @factiii/stack v{VERSION}
+# INFRASTRUCTURE: Manual deployment triggered via CLI
+# Run: npx stack deploy --staging or npx stack deploy --prod
+# For auto-deploy on push, see stack-cicd-staging.yml / stack-cicd-prod.yml
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to deploy'
+        required: true
+        type: choice
+        options:
+          - staging
+          - prod
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install yq
+        run: |
+          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+          sudo chmod +x /usr/local/bin/yq
+
+      - name: Read config
+        id: config
+        run: |
+          CONFIG_FILE="stack.yml"
+          if [ ! -f "$CONFIG_FILE" ]; then CONFIG_FILE="factiii.yml"; fi
+          if [ ! -f "$CONFIG_FILE" ]; then
+            echo "❌ stack.yml or factiii.yml not found"
+            exit 1
+          fi
+
+          REPO_NAME=$(yq eval '.name' "$CONFIG_FILE")
+
+          if [ "${{ inputs.environment }}" == "staging" ]; then
+            HOST=$(yq eval '.staging.domain // ""' "$CONFIG_FILE")
+            SSH_USER=$(yq eval '.staging.ssh_user // "ubuntu"' "$CONFIG_FILE")
+          else
+            HOST=$(yq eval '.prod.domain // ""' "$CONFIG_FILE")
+            SSH_USER=$(yq eval '.prod.ssh_user // "ubuntu"' "$CONFIG_FILE")
+          fi
+
+          echo "repo_name=$REPO_NAME" >> $GITHUB_OUTPUT
+          echo "host=$HOST" >> $GITHUB_OUTPUT
+          echo "ssh_user=$SSH_USER" >> $GITHUB_OUTPUT
+
+      - name: Check if environment configured
+        id: check_env
+        run: |
+          CONFIG_FILE="stack.yml"; if [ ! -f "$CONFIG_FILE" ]; then CONFIG_FILE="factiii.yml"; fi
+          if [ "${{ inputs.environment }}" == "staging" ]; then
+            HAS_ENV=$(yq eval '.staging != null' "$CONFIG_FILE")
+          else
+            HAS_ENV=$(yq eval '.prod != null' "$CONFIG_FILE")
+          fi
+
+          echo "has_env=$HAS_ENV" >> $GITHUB_OUTPUT
+
+          if [ "$HAS_ENV" != "true" ]; then
+            echo "⏭️  ${{ inputs.environment }} not configured in config"
+            exit 1
+          fi
+
+      - name: Read staging config (for prod builds)
+        if: steps.check_env.outputs.has_env == 'true' && inputs.environment == 'prod'
+        id: staging_config
+        run: |
+          CONFIG_FILE="stack.yml"; if [ ! -f "$CONFIG_FILE" ]; then CONFIG_FILE="factiii.yml"; fi
+          STAGING_HOST=$(yq eval '.staging.domain // ""' "$CONFIG_FILE")
+          STAGING_SSH_USER=$(yq eval '.staging.ssh_user // "ubuntu"' "$CONFIG_FILE")
+
+          echo "staging_host=$STAGING_HOST" >> $GITHUB_OUTPUT
+          echo "staging_ssh_user=$STAGING_SSH_USER" >> $GITHUB_OUTPUT
+
+      - name: Setup Node.js
+        if: steps.check_env.outputs.has_env == 'true'
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Load SSH keys from Ansible Vault
+        if: steps.check_env.outputs.has_env == 'true'
+        env:
+          ANSIBLE_VAULT_PASSWORD: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
+        run: |
+          if [ -z "$ANSIBLE_VAULT_PASSWORD" ]; then
+            echo "❌ Missing ANSIBLE_VAULT_PASSWORD secret (vault password)"
+            exit 1
+          fi
+          
+          npx stack secrets write-ssh-keys
+          
+          # Create deploy_key symlink for current environment
+          if [ "${{ inputs.environment }}" == "staging" ]; then
+            ln -sf ~/.ssh/staging_deploy_key ~/.ssh/deploy_key
+          else
+            ln -sf ~/.ssh/prod_deploy_key ~/.ssh/deploy_key
+          fi
+
+      - name: Build production image on staging (prod only)
+        if: steps.check_env.outputs.has_env == 'true' && inputs.environment == 'prod'
+        env:
+          STAGING_HOST: ${{ steps.staging_config.outputs.staging_host }}
+          STAGING_USER: ${{ steps.staging_config.outputs.staging_ssh_user }}
+          REPO_NAME: ${{ steps.config.outputs.repo_name }}
+          COMMIT_HASH: ${{ github.sha }}
+          BRANCH: ${{ github.ref_name }}
+          GITHUB_REPO: ${{ github.repository }}
+        run: |
+          if [ -z "$STAGING_HOST" ]; then
+            echo "⚠️  Staging host not configured, skipping build step"
+            exit 0
+          fi
+          
+          echo "🔨 Building production image on staging server ($STAGING_HOST)..."
+          
+          ssh -i ~/.ssh/staging_deploy_key -o StrictHostKeyChecking=no "$STAGING_USER@$STAGING_HOST" \
+            "export PATH=\"/opt/homebrew/bin:/usr/local/bin:\$PATH\" && \
+             REPO_DIR=\"\$HOME/.factiii/$REPO_NAME\" && \
+             if [ -d \"\$REPO_DIR\" ]; then \
+               cd \"\$REPO_DIR\" && \
+               GITHUB_ACTIONS=true COMMIT_HASH=$COMMIT_HASH BRANCH=$BRANCH GITHUB_REPO=$GITHUB_REPO \
+               npx stack deploy --prod --commit $COMMIT_HASH --branch $BRANCH; \
+             else \
+               echo \"❌ Repo directory not found at \$REPO_DIR\"; \
+               exit 1; \
+             fi"
+          
+          BUILD_EXIT_CODE=$?
+          if [ $BUILD_EXIT_CODE -ne 0 ]; then
+            echo "❌ Build step failed with exit code $BUILD_EXIT_CODE"
+            exit $BUILD_EXIT_CODE
+          fi
+          
+          echo "✅ Production image built and pushed to ECR"
+
+      - name: Deploy via CLI
+        if: steps.check_env.outputs.has_env == 'true'
+        env:
+          HOST: ${{ steps.config.outputs.host }}
+          USER: ${{ steps.config.outputs.ssh_user }}
+          REPO_NAME: ${{ steps.config.outputs.repo_name }}
+          ENVIRONMENT: ${{ inputs.environment }}
+          COMMIT_HASH: ${{ github.sha }}
+          BRANCH: ${{ github.ref_name }}
+          GITHUB_REPO: ${{ github.repository }}
+          STAGING_ENVS: ${{ inputs.environment == 'staging' && secrets.STAGING_ENVS || '' }}
+          PROD_ENVS: ${{ inputs.environment == 'prod' && secrets.PROD_ENVS || '' }}
+        run: |
+          if [ -z "$HOST" ]; then
+            echo "❌ Missing domain in config: $ENVIRONMENT.domain"
+            exit 1
+          fi
+          
+          echo "🚀 Deploying to $ENVIRONMENT ($HOST)..."
+          
+          # For prod, skip build step (already done in previous step)
+          SKIP_BUILD_FLAG=""
+          if [ "$ENVIRONMENT" == "prod" ]; then
+            SKIP_BUILD_FLAG="SKIP_BUILD=true"
+          fi
+          
+          # Prepare environment variables for SSH (base64 encode to handle special characters)
+          ENV_VARS_EXPORT=""
+          if [ "$ENVIRONMENT" == "staging" ] && [ -n "$STAGING_ENVS" ]; then
+            ENV_VARS_B64=$(echo -n "$STAGING_ENVS" | base64 -w 0)
+            ENV_VARS_EXPORT="STAGING_ENVS=\$(echo '$ENV_VARS_B64' | base64 -d) && export STAGING_ENVS && "
+          elif [ "$ENVIRONMENT" == "prod" ] && [ -n "$PROD_ENVS" ]; then
+            ENV_VARS_B64=$(echo -n "$PROD_ENVS" | base64 -w 0)
+            ENV_VARS_EXPORT="PROD_ENVS=\$(echo '$ENV_VARS_B64' | base64 -d) && export PROD_ENVS && "
+          fi
+          
+          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no "$USER@$HOST" \
+            "export PATH=\"/opt/homebrew/bin:/usr/local/bin:\$PATH\" && \
+             REPO_DIR=\"\$HOME/.factiii/$REPO_NAME\" && \
+             if [ -d \"\$REPO_DIR\" ]; then \
+               cd \"\$REPO_DIR\" && \
+               $ENV_VARS_EXPORT$SKIP_BUILD_FLAG GITHUB_ACTIONS=true COMMIT_HASH=$COMMIT_HASH BRANCH=$BRANCH GITHUB_REPO=$GITHUB_REPO \
+               npx stack deploy --$ENVIRONMENT --commit $COMMIT_HASH --branch $BRANCH; \
+             else \
+               echo \"❌ Repo directory not found at \$REPO_DIR\"; \
+               echo \"Run deployment first to clone the repository\"; \
+               exit 1; \
+             fi"
+          
+          DEPLOY_EXIT_CODE=$?
+          rm -f ~/.ssh/deploy_key ~/.ssh/staging_deploy_key ~/.ssh/prod_deploy_key
+          
+          if [ $DEPLOY_EXIT_CODE -eq 0 ]; then
+            echo "✅ Deployment complete!"
+          else
+            echo "❌ Deployment failed with exit code $DEPLOY_EXIT_CODE"
+            exit $DEPLOY_EXIT_CODE
+          fi

package/dist/plugins/pipelines/factiii/workflows/stack-dev-sync.yml

@@ -0,0 +1,181 @@
+name: Stack Dev Sync
+
+# Generated by @factiii/stack v{VERSION}
+# DEV/TESTING ONLY - Deploys locally built infrastructure for testing beta features
+# This workflow receives infrastructure changes and deploys them to servers
+# Use: npx stack dev-sync
+#
+# ⚠️ WARNING: This is for developing @factiii/stack itself, not for app deployments
+# Only use this when testing new infrastructure features before releasing them
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to sync'
+        required: true
+        type: choice
+        options:
+          - staging
+          - prod
+      release_id:
+        description: 'GitHub Release ID containing artifact'
+        required: true
+        type: string
+      asset_id:
+        description: 'Release Asset ID for infrastructure tarball'
+        required: true
+        type: string
+      deploy:
+        description: 'Deploy after syncing'
+        required: false
+        type: boolean
+        default: false
+
+jobs:
+  dev-sync:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install yq
+        run: |
+          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+          sudo chmod +x /usr/local/bin/yq
+
+      - name: Read config
+        id: config
+        run: |
+          CONFIG_FILE="stack.yml"; if [ ! -f "$CONFIG_FILE" ]; then CONFIG_FILE="factiii.yml"; fi
+          if [ ! -f "$CONFIG_FILE" ]; then
+            echo "❌ stack.yml or factiii.yml not found"
+            exit 1
+          fi
+          
+          REPO_NAME=$(yq eval '.name' "$CONFIG_FILE")
+          
+          if [ "${{ inputs.environment }}" == "staging" ]; then
+            HOST=$(yq eval '.staging.domain // ""' "$CONFIG_FILE")
+            SSH_USER=$(yq eval '.staging.ssh_user // "ubuntu"' "$CONFIG_FILE")
+          else
+            HOST=$(yq eval '.prod.domain // ""' "$CONFIG_FILE")
+            SSH_USER=$(yq eval '.prod.ssh_user // "ubuntu"' "$CONFIG_FILE")
+          fi
+          
+          echo "repo_name=$REPO_NAME" >> $GITHUB_OUTPUT
+          echo "host=$HOST" >> $GITHUB_OUTPUT
+          echo "ssh_user=$SSH_USER" >> $GITHUB_OUTPUT
+
+      - name: Check if environment configured
+        id: check_env
+        run: |
+          CONFIG_FILE="stack.yml"; if [ ! -f "$CONFIG_FILE" ]; then CONFIG_FILE="factiii.yml"; fi
+          if [ "${{ inputs.environment }}" == "staging" ]; then
+            HAS_ENV=$(yq eval '.staging != null' "$CONFIG_FILE")
+          else
+            HAS_ENV=$(yq eval '.prod != null' "$CONFIG_FILE")
+          fi
+          
+          echo "has_env=$HAS_ENV" >> $GITHUB_OUTPUT
+          
+          if [ "$HAS_ENV" != "true" ]; then
+            echo "⏭️  ${{ inputs.environment }} not configured in config"
+            exit 1
+          fi
+
+      - name: Setup SSH
+        if: steps.check_env.outputs.has_env == 'true'
+        env:
+          SSH_KEY: ${{ inputs.environment == 'staging' && secrets.STAGING_SSH || secrets.PROD_SSH }}
+        run: |
+          if [ -z "$SSH_KEY" ]; then
+            echo "❌ Missing ${{ inputs.environment == 'staging' && 'STAGING_SSH' || 'PROD_SSH' }} secret"
+            exit 1
+          fi
+          
+          mkdir -p ~/.ssh
+          echo "$SSH_KEY" > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+
+      - name: Download infrastructure artifact from release
+        if: steps.check_env.outputs.has_env == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_ID: ${{ inputs.release_id }}
+          ASSET_ID: ${{ inputs.asset_id }}
+        run: |
+          echo "⚠️  DEV SYNC MODE - Using infrastructure from local build"
+          echo "   This syncs uncommitted infrastructure changes for testing"
+          echo "   Release ID: $RELEASE_ID"
+          echo "   Asset ID: $ASSET_ID"
+          
+          echo "📦 Downloading infrastructure artifact..."
+          
+          # Download release asset using GitHub API
+          curl -L \
+            -H "Accept: application/octet-stream" \
+            -H "Authorization: Bearer $GITHUB_TOKEN" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "https://api.github.com/repos/${{ github.repository }}/releases/assets/$ASSET_ID" \
+            -o infrastructure.tar.gz
+          
+          # Verify download
+          if [ ! -f infrastructure.tar.gz ]; then
+            echo "❌ Failed to download artifact"
+            exit 1
+          fi
+          
+          SIZE=$(du -h infrastructure.tar.gz | cut -f1)
+          echo "✅ Downloaded artifact ($SIZE)"
+
+      - name: Deploy infrastructure to server
+        if: steps.check_env.outputs.has_env == 'true'
+        env:
+          HOST: ${{ steps.config.outputs.host }}
+          USER: ${{ steps.config.outputs.ssh_user }}
+          DEPLOY: ${{ inputs.deploy }}
+          REPO_NAME: ${{ steps.config.outputs.repo_name }}
+          ENVIRONMENT: ${{ inputs.environment }}
+        run: |
+          if [ -z "$HOST" ]; then
+            echo "❌ Missing domain in config: $ENVIRONMENT.domain"
+            exit 1
+          fi
+          
+          echo "🚀 Syncing infrastructure to $ENVIRONMENT ($HOST)..."
+          
+          # Copy infrastructure to server
+          echo "📤 Uploading infrastructure package..."
+          scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no infrastructure.tar.gz "$USER@$HOST:/tmp/"
+          
+          # Extract and setup on server
+          echo "📦 Extracting infrastructure on server..."
+          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no "$USER@$HOST" \
+            "export PATH=\"/opt/homebrew/bin:/usr/local/bin:\$PATH\" && \
+             echo \"📦 Setting up infrastructure...\" && \
+             mkdir -p ~/.factiii/infrastructure && \
+             cd ~/.factiii/infrastructure && \
+             tar -xzf /tmp/infrastructure.tar.gz && \
+             rm /tmp/infrastructure.tar.gz && \
+             echo \"\" && \
+             echo \"📋 Verifying version...\" && \
+             VERSION=\$(cat package.json | grep '\"version\"' | head -1 | sed 's/.*: \"\(.*\)\".*/\1/') && \
+             echo \"   Version: \$VERSION\" && \
+             echo \"\" && \
+             echo \"✅ Infrastructure synced successfully\""
+          
+          # Optionally deploy
+          if [ "$DEPLOY" == "true" ]; then
+            echo ""
+            echo "🚀 Deploying to $ENVIRONMENT..."
+            ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no "$USER@$HOST" \
+              "export PATH=\"/opt/homebrew/bin:/usr/local/bin:\$PATH\" && \
+               cd ~/.factiii/$REPO_NAME && \
+               GITHUB_ACTIONS=true node ~/.factiii/infrastructure/bin/stack deploy --$ENVIRONMENT"
+          fi
+          
+          rm -f ~/.ssh/deploy_key
+          echo ""
+          echo "✅ Dev sync complete!"
+

package/dist/plugins/pipelines/factiii/workflows/stack-fix.yml

@@ -0,0 +1,177 @@
+name: Stack Fix
+
+# Generated by @factiii/stack v{VERSION}
+# INFRASTRUCTURE: Fix server issues via CLI
+# Run: npx stack fix (triggers this workflow)
+# Runs on configured environments in parallel using matrix strategy
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to fix'
+        required: true
+        type: choice
+        options:
+          - all
+          - staging
+          - prod
+        default: all
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install yq
+        run: |
+          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+          sudo chmod +x /usr/local/bin/yq
+
+      - name: Determine environments
+        id: set-matrix
+        run: |
+          ENVS="[]"
+
+          CONFIG_FILE="stack.yml"; if [ ! -f "$CONFIG_FILE" ]; then CONFIG_FILE="factiii.yml"; fi
+          if [ "${{ inputs.environment }}" == "all" ]; then
+            HAS_STAGING=$(yq eval '.staging != null' "$CONFIG_FILE")
+            HAS_PROD=$(yq eval '.prod != null' "$CONFIG_FILE")
+
+            if [ "$HAS_STAGING" == "true" ] && [ "$HAS_PROD" == "true" ]; then
+              ENVS='["staging", "prod"]'
+            elif [ "$HAS_STAGING" == "true" ]; then
+              ENVS='["staging"]'
+            elif [ "$HAS_PROD" == "true" ]; then
+              ENVS='["prod"]'
+            fi
+          else
+            ENVS='["${{ inputs.environment }}"]'
+          fi
+
+          echo "matrix={\"environment\":$ENVS}" >> $GITHUB_OUTPUT
+
+  fix:
+    needs: setup
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.setup.outputs.matrix) }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install yq
+        run: |
+          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+          sudo chmod +x /usr/local/bin/yq
+
+      - name: Read config
+        id: config
+        env:
+          ENVIRONMENT: ${{ matrix.environment }}
+        run: |
+          CONFIG_FILE="stack.yml"; if [ ! -f "$CONFIG_FILE" ]; then CONFIG_FILE="factiii.yml"; fi
+          if [ ! -f "$CONFIG_FILE" ]; then
+            echo "❌ stack.yml or factiii.yml not found"
+            exit 1
+          fi
+
+          REPO_NAME=$(yq eval '.name' "$CONFIG_FILE")
+          HOST=$(yq eval ".$ENVIRONMENT.domain // \"\"" "$CONFIG_FILE")
+          SSH_USER=$(yq eval ".$ENVIRONMENT.ssh_user // \"ubuntu\"" "$CONFIG_FILE")
+
+          echo "repo_name=$REPO_NAME" >> $GITHUB_OUTPUT
+          echo "host=$HOST" >> $GITHUB_OUTPUT
+          echo "ssh_user=$SSH_USER" >> $GITHUB_OUTPUT
+
+      - name: Check if environment configured
+        id: check_env
+        env:
+          ENVIRONMENT: ${{ matrix.environment }}
+        run: |
+          CONFIG_FILE="stack.yml"; if [ ! -f "$CONFIG_FILE" ]; then CONFIG_FILE="factiii.yml"; fi
+          HAS_ENV=$(yq eval ".$ENVIRONMENT != null" "$CONFIG_FILE")
+          echo "has_env=$HAS_ENV" >> $GITHUB_OUTPUT
+
+          if [ "$HAS_ENV" != "true" ]; then
+            echo "⏭️  $ENVIRONMENT not configured"
+            exit 0
+          fi
+
+      - name: Check SSH secret
+        if: steps.check_env.outputs.has_env == 'true'
+        env:
+          ENVIRONMENT: ${{ matrix.environment }}
+          SSH_KEY: ${{ matrix.environment == 'staging' && secrets.STAGING_SSH || secrets.PROD_SSH }}
+        run: |
+          if [ -z "$SSH_KEY" ]; then
+            SECRET_NAME="${ENVIRONMENT^^}_SSH"
+            echo "❌ ${SECRET_NAME} secret not found"
+            echo "Add it at: https://github.com/${{ github.repository }}/settings/secrets/actions"
+            exit 1
+          fi
+          echo "✅ SSH secret exists for $ENVIRONMENT"
+
+      - name: Setup SSH
+        if: steps.check_env.outputs.has_env == 'true'
+        env:
+          SSH_KEY: ${{ matrix.environment == 'staging' && secrets.STAGING_SSH || secrets.PROD_SSH }}
+        run: |
+          mkdir -p ~/.ssh
+          echo "$SSH_KEY" > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+
+      - name: Bootstrap Node.js (one-time)
+        if: steps.check_env.outputs.has_env == 'true'
+        env:
+          HOST: ${{ steps.config.outputs.host }}
+          USER: ${{ steps.config.outputs.ssh_user }}
+        run: |
+          echo "🔍 Checking Node.js on server..."
+          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no "$USER@$HOST" \
+            'if ! command -v node &> /dev/null; then
+               echo "📦 Installing Node.js...";
+               if [ -f /opt/homebrew/bin/brew ] || [ -f /usr/local/bin/brew ]; then
+                 export PATH="/opt/homebrew/bin:/usr/local/bin:$PATH";
+                 brew install node;
+               else
+                 curl -fsSL https://deb.nodesource.com/setup_20.x | sudo -E bash - && sudo apt-get install -y nodejs;
+               fi;
+             else
+               echo "✅ Node.js already installed";
+             fi'
+
+      - name: Fix via SSH
+        if: steps.check_env.outputs.has_env == 'true'
+        env:
+          HOST: ${{ steps.config.outputs.host }}
+          USER: ${{ steps.config.outputs.ssh_user }}
+          REPO_NAME: ${{ steps.config.outputs.repo_name }}
+          ENVIRONMENT: ${{ matrix.environment }}
+        run: |
+          if [ -z "$HOST" ]; then
+            echo "❌ Missing domain in config: $ENVIRONMENT.domain"
+            exit 1
+          fi
+          
+          echo "🔧 Fixing $ENVIRONMENT ($HOST)..."
+          
+          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no -o ConnectTimeout=10 -o ServerAliveInterval=60 -o ServerAliveCountMax=5 "$USER@$HOST" \
+            "export PATH=\"/opt/homebrew/bin:/usr/local/bin:\$PATH\" && \
+             REPO_DIR=\"\$HOME/.factiii/$REPO_NAME\" && \
+             if [ -d \"\$REPO_DIR\" ]; then \
+               cd \"\$REPO_DIR\" && \
+               GITHUB_ACTIONS=true npx stack fix --$ENVIRONMENT; \
+             else \
+               echo \"❌ Repo directory not found at \$REPO_DIR\"; \
+               echo \"Run deployment first to clone the repository\"; \
+               exit 1; \
+             fi"
+          
+          rm -f ~/.ssh/deploy_key
+          echo "✅ $ENVIRONMENT fix complete!"

package/dist/plugins/pipelines/factiii/workflows/stack-pr-check.yml

@@ -0,0 +1,106 @@
+name: Stack PR Check
+
+# Generated by @factiii/stack v{VERSION}
+# Validates server/client/mobile builds when PR opens to main.
+# SSH to staging, run builds, report status to GitHub.
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  pr-check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install yq
+        run: |
+          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
+          sudo chmod +x /usr/local/bin/yq
+
+      - name: Read config
+        id: config
+        run: |
+          CONFIG_FILE="stack.yml"
+          if [ ! -f "$CONFIG_FILE" ]; then CONFIG_FILE="factiii.yml"; fi
+          if [ ! -f "$CONFIG_FILE" ]; then
+            echo "❌ stack.yml or factiii.yml not found"
+            exit 1
+          fi
+
+          REPO_NAME=$(yq eval '.name' "$CONFIG_FILE")
+          HOST=$(yq eval '.staging.domain // ""' "$CONFIG_FILE")
+          SSH_USER=$(yq eval '.staging.ssh_user // "ubuntu"' "$CONFIG_FILE")
+
+          echo "repo_name=$REPO_NAME" >> $GITHUB_OUTPUT
+          echo "host=$HOST" >> $GITHUB_OUTPUT
+          echo "ssh_user=$SSH_USER" >> $GITHUB_OUTPUT
+
+      - name: Check if staging configured
+        id: check_staging
+        run: |
+          CONFIG_FILE="stack.yml"; if [ ! -f "$CONFIG_FILE" ]; then CONFIG_FILE="factiii.yml"; fi
+          HAS_STAGING=$(yq eval '.staging != null' "$CONFIG_FILE")
+          echo "has_staging=$HAS_STAGING" >> $GITHUB_OUTPUT
+
+          if [ "$HAS_STAGING" != "true" ]; then
+            echo "⏭️  Staging not configured - skipping PR check"
+            exit 0
+          fi
+
+      - name: Setup SSH
+        if: steps.check_staging.outputs.has_staging == 'true'
+        env:
+          SSH_KEY: ${{ secrets.STAGING_SSH }}
+        run: |
+          if [ -z "$SSH_KEY" ]; then
+            echo "❌ Missing STAGING_SSH secret"
+            exit 1
+          fi
+
+          mkdir -p ~/.ssh
+          echo "$SSH_KEY" > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+
+      - name: Run PR check on staging
+        if: steps.check_staging.outputs.has_staging == 'true'
+        env:
+          HOST: ${{ steps.config.outputs.host }}
+          USER: ${{ steps.config.outputs.ssh_user }}
+          REPO_NAME: ${{ steps.config.outputs.repo_name }}
+          COMMIT_HASH: ${{ github.event.pull_request.head.sha }}
+          BRANCH: ${{ github.event.pull_request.head.ref }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if [ -z "$HOST" ]; then
+            echo "❌ Missing staging.domain in config"
+            exit 1
+          fi
+
+          echo "🔍 Running PR check on staging ($HOST)..."
+
+          GITHUB_TOKEN_B64=$(echo -n "$GITHUB_TOKEN" | base64 -w 0)
+          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=no "$USER@$HOST" \
+            "export PATH=\"/opt/homebrew/bin:/usr/local/bin:\$PATH\" && \
+             export GITHUB_TOKEN=\$(echo \"$GITHUB_TOKEN_B64\" | base64 -d) && \
+             export GITHUB_ACTIONS=true COMMIT_HASH=$COMMIT_HASH BRANCH=$BRANCH PR_NUMBER=$PR_NUMBER && \
+             REPO_DIR=\"\$HOME/.factiii/$REPO_NAME\" && \
+             if [ -d \"\$REPO_DIR\" ]; then \
+               cd \"\$REPO_DIR\" && npx stack pr-check --staging; \
+             else \
+               echo \"❌ Repo not found at \$REPO_DIR\"; exit 1; \
+             fi"
+
+          EXIT_CODE=$?
+          rm -f ~/.ssh/deploy_key
+
+          if [ $EXIT_CODE -eq 0 ]; then
+            echo "✅ PR check passed"
+          else
+            echo "❌ PR check failed"
+            exit $EXIT_CODE
+          fi