@fluxup/install 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+Copyright (c) 2026
+Diovani Bernardi da Motta
+
+All rights reserved.
+
+This software and associated documentation files (the "Software") are the
+exclusive property of the Authors.
+
+No permission is granted to use, copy, modify, merge, publish, distribute,
+sublicense, and/or sell copies of the Software, in whole or in part, without
+explicit prior written permission from the Authors.
+
+The Software may not be used for commercial purposes without a separate
+written commercial agreement signed by the Authors.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,145 @@
+## Visao geral
+
+Este repositório centraliza o processo de instalação da plataforma FluxUp em servidores Docker on-premises.
+Contém a CLI de instalação interativa (`npx @fluxup/install`), o `docker-compose.yml` baseado em imagens pré-publicadas no GHCR, e a configuração de nginx que serve o frontend e faz proxy para os serviços internos.
+
+> Contexto de negócio completo: [github.com/fluxup-platform/profile](https://github.com/fluxup-platform/profile/blob/main/README.md)
+
+## Tecnologias
+
+| Tecnologia | Versão mínima | Papel |
+|---|---|---|
+| Node.js | 18 | Runtime da CLI npx |
+| Docker Engine | 20.10 | Execução dos containers |
+| Docker Compose | v2 | Orquestração dos serviços |
+| AWS SDK for JS | v3 | Download do S3 e acesso ao Secrets Manager |
+| nginx | alpine | Reverse proxy e servidor de arquivos estáticos |
+
+---
+
+## Arquitetura
+
+O instalador opera em 8 etapas sequenciais:
+
+1. **Preflight** — verifica `docker` e `docker compose` v2 no servidor
+2. **Wizard** — coleta variáveis de ambiente via prompts interativos por grupo
+3. **Secrets Manager** — busca o token GHCR no AWS Secrets Manager (em memória, nunca em disco)
+4. **GHCR Login** — `docker login ghcr.io --password-stdin` com o token obtido
+5. **Download S3** — baixa o `docker-compose.yml` do bucket S3 via SDK
+6. **Geração do .env** — cria `<dir>/.env` com permissão `0600` (sem token GHCR)
+7. **Pull + Up** — `docker compose pull` seguido de `docker compose up -d`
+8. **Status** — exibe containers ativos e URLs de acesso
+
+O nginx embute o build do Angular frontend como imagem GHCR. O servidor on-premises não precisa de código-fonte — apenas Docker.
+
+---
+
+## Como executar a instalação
+
+### Pré-requisitos no servidor
+
+- Docker Engine ≥ 20.10 instalado e em execução
+- Docker Compose v2 disponível (`docker compose version`)
+- Node.js ≥ 18 disponível no `PATH` (apenas para o npx — pode ser removido após instalar)
+- Acesso à internet: GHCR, bucket S3 e AWS Secrets Manager
+
+### Execução
+
+```bash
+npx @fluxup/install
+```
+
+O wizard guiará pela configuração de todas as variáveis necessárias.
+
+### Flags disponíveis
+
+| Flag | Descrição |
+|------|-----------|
+| `--dir <path>` | Diretório de instalação (padrão: `./fluxup`) |
+| `--non-interactive` | Lê variáveis já exportadas no shell — útil para CI/automação |
+| `--no-pull` | Pula o `docker compose pull` |
+
+### Modo não-interativo (CI/automação)
+
+```bash
+export GHCR_USERNAME="Fluxup Deploy Bot"
+export GHCR_SECRET_NAME="fluxup/ghcr-token"
+export IMAGE_TAG="1.4.3"
+export S3_BUCKET="meu-bucket"
+export S3_KEY="releases/1.4.3/docker-compose.yml"
+export AWS_REGION="us-east-1"
+export AWS_ACCESS_KEY_ID="..."
+export AWS_SECRET_ACCESS_KEY="..."
+# ... demais variáveis
+
+npx @fluxup/install --non-interactive --dir /opt/fluxup
+```
+
+---
+
+## Configuração do secret GHCR no AWS Secrets Manager
+
+Crie um secret com valor JSON:
+
+```json
+{ "token": "ghp_..." }
+```
+
+O nome do secret é configurado via `GHCR_SECRET_NAME` (padrão: `fluxup/ghcr-token`).
+O token **nunca** é armazenado em disco — apenas em memória durante o login.
+
+---
+
+## Estrutura do repositório
+
+```
+compose/docker-compose.yml          — compose baseado em imagens (fonte; CI publica no S3)
+nginx/Dockerfile                    — build nginx + Angular frontend (usado só pelo CI)
+nginx/nginx.conf                    — configuração do nginx (proxy + SPA fallback)
+bin/cli.js                          — entrypoint da CLI
+src/
+  preflight.js                      — verifica pré-requisitos Docker
+  wizard.js                         — prompts interativos agrupados
+  env.schema.js                     — definição declarativa de todas as variáveis
+  secrets.js                        — busca token GHCR no AWS Secrets Manager
+  ghcr.js                           — docker login via --password-stdin
+  s3.js                             — download do compose do bucket S3
+  env.js                            — geração do .env
+  docker.js                         — docker compose pull / up / ps
+.github/workflows/
+  publish-nginx.yml                 — publica ghcr.io/fluxup-platform/fluxup-nginx:<ver>
+  upload-compose.yml                — sobe compose no S3 em cada release tag
+```
+
+---
+
+## Release
+
+Em cada tag `vX.Y.Z`, os workflows CI executam automaticamente:
+
+1. `publish-nginx.yml` — builda o nginx com o frontend Angular e publica `ghcr.io/fluxup-platform/fluxup-nginx:X.Y.Z` no GHCR
+2. `upload-compose.yml` — sobe `compose/docker-compose.yml` para `s3://<bucket>/releases/X.Y.Z/docker-compose.yml`
+
+O instalador então usa `IMAGE_TAG=X.Y.Z` e `S3_KEY=releases/X.Y.Z/docker-compose.yml` para instalar a versão correta.
+
+---
+
+## Contribuição
+
+1. Leia o [CONTRIBUTING.md](CONTRIBUTING.md) antes de começar.
+2. Crie uma branch de feature: `git checkout -b feature/descricao-curta`.
+3. Valide localmente: `npm install && node bin/cli.js --help`.
+4. Abra um pull request com descrição objetiva das mudanças.
+
+---
+
+## Autores
+
+- [Diovani Motta](https://github.com/diovanibmotta)
+- [João Cristofoloni](https://github.com/IJhonC)
+- [João Puel](https://github.com/joaopuel)
+- [Jonas Magalhães](https://github.com/JonasVMagalhaes)
+
+## Contato
+
+Dúvidas ou sugestões: [contato@fluxup.com.br](mailto:contato@fluxup.com.br)

package/bin/cli.js

@@ -0,0 +1,137 @@
+#!/usr/bin/env node
+/**
+ * fluxup-install — FluxUp on-premises Docker installation CLI.
+ *
+ * Usage:
+ *   npx @fluxup/install
+ *   npx @fluxup/install --dir /opt/fluxup
+ *   npx @fluxup/install --non-interactive   (reads env vars already exported in the shell)
+ *   npx @fluxup/install --no-pull           (skips docker compose pull)
+ */
+
+import { join, resolve } from 'node:path';
+import { mkdirSync } from 'node:fs';
+import * as p from '@clack/prompts';
+import pc from 'picocolors';
+
+import { preflight } from '../src/preflight.js';
+import { runWizard } from '../src/wizard.js';
+import { fetchGhcrToken } from '../src/secrets.js';
+import { loginGhcr } from '../src/ghcr.js';
+import { downloadCompose } from '../src/s3.js';
+import { writeEnvFile } from '../src/env.js';
+import { pullImages, upServices, showStatus } from '../src/docker.js';
+
+// ─── Flag parsing ─────────────────────────────────────────────────────────────
+const args = process.argv.slice(2);
+const flags = {
+  dir: args[args.indexOf('--dir') + 1] ?? './fluxup',
+  nonInteractive: args.includes('--non-interactive'),
+  noPull: args.includes('--no-pull'),
+};
+
+const installDir = resolve(flags.dir);
+
+// ─── Main ────────────────────────────────────────────────────────────────────
+async function main() {
+  console.log('');
+  console.log(pc.bgBlue(pc.white(' FluxUp Install ')));
+  console.log(pc.dim(`Install directory: ${installDir}\n`));
+
+  // 1. Preflight
+  p.log.step('Checking prerequisites...');
+  await preflight();
+
+  // 2. Wizard (or read from existing env vars in --non-interactive mode)
+  let answers;
+  if (flags.nonInteractive) {
+    p.log.info('Non-interactive mode: reading environment variables from shell.');
+    answers = Object.fromEntries(
+      process.env
+        ? Object.entries(process.env).filter(([k]) => k.match(/^(GHCR|IMAGE|S3|AWS|DB|JPA|NGINX|BACKEND)/))
+        : []
+    );
+  } else {
+    answers = await runWizard();
+  }
+
+  // 3. Fetch GHCR token from AWS Secrets Manager (in-memory only — never written to disk)
+  p.log.step('Fetching GHCR token from AWS Secrets Manager...');
+  let ghcrToken;
+  try {
+    ghcrToken = await fetchGhcrToken({
+      secretName: answers.GHCR_SECRET_NAME,
+      region: answers.AWS_REGION,
+      accessKeyId: answers.AWS_ACCESS_KEY_ID,
+      secretAccessKey: answers.AWS_SECRET_ACCESS_KEY,
+    });
+    p.log.success('GHCR token retrieved from Secrets Manager.');
+  } catch (err) {
+    p.log.error(`Failed to fetch GHCR token: ${err.message}`);
+    p.log.warn('Check your AWS credentials and the secret name (GHCR_SECRET_NAME).');
+    process.exit(1);
+  }
+
+  // 4. GHCR login
+  p.log.step('Authenticating with GHCR...');
+  try {
+    await loginGhcr({ username: answers.GHCR_USERNAME, token: ghcrToken });
+  } catch (err) {
+    p.log.error(`GHCR login failed: ${err.message}`);
+    process.exit(1);
+  }
+
+  // Discard token from memory
+  ghcrToken = null;
+
+  // 5. Create install directory and download docker-compose.yml from S3
+  mkdirSync(installDir, { recursive: true });
+  const composePath = join(installDir, 'docker-compose.yml');
+
+  p.log.step('Downloading docker-compose.yml from S3...');
+  try {
+    await downloadCompose({
+      bucket: answers.S3_BUCKET,
+      key: answers.S3_KEY,
+      region: answers.S3_REGION ?? answers.AWS_REGION,
+      accessKeyId: answers.S3_AWS_ACCESS_KEY_ID,
+      secretAccessKey: answers.S3_AWS_SECRET_ACCESS_KEY,
+      destPath: composePath,
+    });
+  } catch (err) {
+    p.log.error(`Failed to download compose from S3: ${err.message}`);
+    process.exit(1);
+  }
+
+  // 6. Write .env (without GHCR token)
+  p.log.step('Generating .env file...');
+  const envPath = writeEnvFile(installDir, answers);
+
+  // 7. Pull + Up
+  try {
+    if (!flags.noPull) {
+      await pullImages(composePath, envPath);
+    }
+    await upServices(composePath, envPath);
+  } catch (err) {
+    p.log.error(`Docker Compose failed: ${err.message}`);
+    process.exit(1);
+  }
+
+  // 8. Post-install
+  await showStatus(composePath, envPath);
+
+  const port = answers.NGINX_PORT ?? '80';
+  console.log('');
+  p.outro(
+    pc.green('✔ FluxUp installed successfully!') +
+    `\n\n  Frontend: ${pc.cyan(`http://<server>:${port}/`)}\n` +
+    `  API:      ${pc.cyan(`http://<server>:${port}/api/`)}\n` +
+    `  BFF:      ${pc.cyan(`http://<server>:${port}/bff/`)}\n`
+  );
+}
+
+main().catch((err) => {
+  console.error(pc.red('\nUnexpected error:'), err);
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,37 @@
+{
+  "name": "@fluxup/install",
+  "version": "1.0.0",
+  "description": "FluxUp on-premises Docker installation CLI",
+  "type": "module",
+  "bin": {
+    "fluxup-install": "./bin/cli.js"
+  },
+  "files": [
+    "bin/",
+    "src/"
+  ],
+  "scripts": {
+    "lint": "node --check bin/cli.js src/*.js",
+    "semantic-release": "semantic-release"
+  },
+  "dependencies": {
+    "@aws-sdk/client-s3": "^3.600.0",
+    "@aws-sdk/client-secrets-manager": "^3.600.0",
+    "@clack/prompts": "^0.9.0",
+    "execa": "^9.3.0",
+    "picocolors": "^1.1.0"
+  },
+  "devDependencies": {
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/github": "^10.3.5",
+    "@semantic-release/npm": "^12.0.1",
+    "semantic-release": "^24.1.0"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/src/docker.js

@@ -0,0 +1,48 @@
+import { execa } from 'execa';
+import pc from 'picocolors';
+
+/**
+ * Runs docker compose with the given files and arguments.
+ */
+function compose(composePath, envPath, args) {
+  return execa(
+    'docker',
+    ['compose', '-f', composePath, '--env-file', envPath, ...args],
+    { stdout: 'inherit', stderr: 'inherit' }
+  );
+}
+
+/**
+ * Pulls all images declared in the compose file.
+ *
+ * @param {string} composePath
+ * @param {string} envPath
+ */
+export async function pullImages(composePath, envPath) {
+  console.log(pc.bold('\nPulling images...'));
+  await compose(composePath, envPath, ['pull']);
+  console.log(pc.green('✔') + ' Pull complete.');
+}
+
+/**
+ * Starts all services in detached mode.
+ *
+ * @param {string} composePath
+ * @param {string} envPath
+ */
+export async function upServices(composePath, envPath) {
+  console.log(pc.bold('\nStarting containers...'));
+  await compose(composePath, envPath, ['up', '-d']);
+  console.log(pc.green('✔') + ' Containers running.');
+}
+
+/**
+ * Displays container status.
+ *
+ * @param {string} composePath
+ * @param {string} envPath
+ */
+export async function showStatus(composePath, envPath) {
+  console.log(pc.bold('\nContainer status:'));
+  await compose(composePath, envPath, ['ps']);
+}

package/src/env.js

@@ -0,0 +1,44 @@
+import { writeFileSync, chmodSync } from 'node:fs';
+import { join } from 'node:path';
+import { ENV_SCHEMA } from './env.schema.js';
+import pc from 'picocolors';
+
+/**
+ * Writes the .env file to the install directory.
+ * The GHCR token is NOT included — it is always fetched from Secrets Manager at runtime.
+ * Permission 0600 applied (owner read-only).
+ *
+ * @param {string}                    dir      Directory where .env will be created
+ * @param {Record<string, string>}    answers  Wizard answers
+ * @returns {string} Path to the created .env file
+ */
+export function writeEnvFile(dir, answers) {
+  const envPath = join(dir, '.env');
+
+  const lines = ENV_SCHEMA
+    .filter((f) => !f.key.startsWith('GHCR_SECRET') || true) // includes GHCR_SECRET_NAME (name, not the token)
+    .map((f) => {
+      const val = answers[f.key] ?? '';
+      return `${f.key}=${val}`;
+    });
+
+  const content = [
+    '# Generated by fluxup-install — DO NOT commit',
+    '# GHCR token is not here — fetched from AWS Secrets Manager at runtime',
+    '',
+    ...lines,
+    '',
+  ].join('\n');
+
+  writeFileSync(envPath, content, { encoding: 'utf8' });
+
+  try {
+    chmodSync(envPath, 0o600);
+  } catch {
+    // Windows does not support chmod — silently ignored
+  }
+
+  console.log(pc.green('✔') + ` .env created at ${envPath}`);
+
+  return envPath;
+}

package/src/env.schema.js

@@ -0,0 +1,170 @@
+/**
+ * Declarative definition of all environment variables collected by the wizard.
+ *
+ * Fields:
+ *   key      — variable name in .env
+ *   prompt   — text displayed to the user
+ *   default  — default value (string) or undefined
+ *   secret   — true = masked input
+ *   group    — visual grouping in the wizard
+ */
+export const ENV_SCHEMA = [
+  // ─── GHCR ────────────────────────────────────────────────────────────────
+  {
+    group: 'GHCR (GitHub Container Registry)',
+    key: 'GHCR_USERNAME',
+    prompt: 'GHCR username (e.g. Fluxup Deploy Bot)',
+    default: 'Fluxup Deploy Bot',
+  },
+  {
+    group: 'GHCR (GitHub Container Registry)',
+    key: 'IMAGE_TAG',
+    prompt: 'Docker image tag (e.g. 1.4.3)',
+    default: 'latest',
+  },
+  {
+    group: 'GHCR (GitHub Container Registry)',
+    key: 'GHCR_SECRET_NAME',
+    prompt: 'Name/ARN of the AWS Secrets Manager secret that holds the GHCR token',
+    default: 'fluxup/ghcr-token',
+  },
+
+  // ─── S3 ──────────────────────────────────────────────────────────────────
+  {
+    group: 'S3 (docker-compose source)',
+    key: 'S3_BUCKET',
+    prompt: 'S3 bucket name that stores docker-compose.yml',
+    default: 'fluxup-installer',
+  },
+  {
+    group: 'S3 (docker-compose source)',
+    key: 'S3_KEY',
+    prompt: 'Object key in the bucket (e.g. v1.4.3/docker-compose.yml)',
+    default: 'docker-compose.yml',
+  },
+  {
+    group: 'S3 (docker-compose source)',
+    key: 'S3_REGION',
+    prompt: 'AWS region of the S3 bucket',
+    default: 'us-east-1',
+  },
+  {
+    group: 'S3 (docker-compose source)',
+    key: 'S3_AWS_ACCESS_KEY_ID',
+    prompt: 'AWS Access Key ID for the installer S3 bucket (read-only user)',
+  },
+  {
+    group: 'S3 (docker-compose source)',
+    key: 'S3_AWS_SECRET_ACCESS_KEY',
+    prompt: 'AWS Secret Access Key for the installer S3 bucket (read-only user)',
+    secret: true,
+  },
+
+  // ─── AWS Credentials ─────────────────────────────────────────────────────
+  {
+    group: 'AWS Credentials',
+    key: 'AWS_REGION',
+    prompt: 'Default AWS region',
+    default: 'us-east-1',
+  },
+  {
+    group: 'AWS Credentials',
+    key: 'AWS_ACCESS_KEY_ID',
+    prompt: 'AWS Access Key ID',
+  },
+  {
+    group: 'AWS Credentials',
+    key: 'AWS_SECRET_ACCESS_KEY',
+    prompt: 'AWS Secret Access Key',
+    secret: true,
+  },
+  {
+    group: 'AWS Credentials',
+    key: 'AWS_STS_BROKER_ROLE_ARN',
+    prompt: 'STS Broker IAM Role ARN',
+  },
+  {
+    group: 'AWS Credentials',
+    key: 'AWS_SECRETSMANAGER_READER_ROLE_ARN',
+    prompt: 'Secrets Manager reader IAM Role ARN',
+  },
+
+  // ─── Database ────────────────────────────────────────────────────────────
+  {
+    group: 'Database (PostgreSQL)',
+    key: 'DB_NAME',
+    prompt: 'Database name',
+    default: 'fluxup',
+  },
+  {
+    group: 'Database (PostgreSQL)',
+    key: 'DB_USERNAME',
+    prompt: 'Database username',
+    default: 'fluxup',
+  },
+  {
+    group: 'Database (PostgreSQL)',
+    key: 'DB_PASSWORD',
+    prompt: 'Database password',
+    secret: true,
+  },
+  {
+    group: 'Database (PostgreSQL)',
+    key: 'JPA_DDL_AUTO',
+    prompt: 'JPA DDL Auto (update | validate | none)',
+    default: 'update',
+  },
+
+  // ─── DynamoDB ────────────────────────────────────────────────────────────
+  {
+    group: 'DynamoDB',
+    key: 'AWS_DAILY_JOBS_TABLE',
+    prompt: 'DynamoDB daily jobs table name',
+  },
+  {
+    group: 'DynamoDB',
+    key: 'AWS_DYNAMODB_DAILY_JOBS_ROLE_ARN',
+    prompt: 'DynamoDB access IAM Role ARN',
+  },
+
+  // ─── SQS ─────────────────────────────────────────────────────────────────
+  {
+    group: 'SQS',
+    key: 'AWS_SQS_CONSUMER_ROLE_ARN',
+    prompt: 'SQS consumer IAM Role ARN',
+  },
+  {
+    group: 'SQS',
+    key: 'AWS_SQS_PUBLISHER_ROLE_ARN',
+    prompt: 'SQS publisher IAM Role ARN',
+  },
+  {
+    group: 'SQS',
+    key: 'AWS_DAILY_REQUEST_QUEUE_URL',
+    prompt: 'Daily request SQS queue URL',
+  },
+  {
+    group: 'SQS',
+    key: 'AWS_DAILY_RESPONSE_QUEUE_URL',
+    prompt: 'Daily response SQS queue URL',
+  },
+  {
+    group: 'SQS',
+    key: 'AWS_DAILY_DLQ_URL',
+    prompt: 'Dead Letter Queue SQS URL',
+  },
+
+  // ─── Network ─────────────────────────────────────────────────────────────
+  {
+    group: 'Network',
+    key: 'NGINX_PORT',
+    prompt: 'nginx HTTP port on the host',
+    default: '80',
+  },
+  {
+    group: 'Network',
+    key: 'BACKEND_API_TIMEOUT',
+    prompt: 'Backend API timeout in ms',
+    default: '5000',
+  },
+];

package/src/ghcr.js

@@ -0,0 +1,22 @@
+import { execa } from 'execa';
+import pc from 'picocolors';
+
+/**
+ * Authenticates with GHCR using docker login --password-stdin.
+ * The token stays in memory only (piped directly to the docker process).
+ *
+ * @param {object} opts
+ * @param {string} opts.username   GHCR username
+ * @param {string} opts.token      GHCR token (fetched from AWS Secrets Manager)
+ */
+export async function loginGhcr({ username, token }) {
+  console.log(pc.dim(`  docker login ghcr.io -u "${username}" --password-stdin`));
+
+  await execa('docker', ['login', 'ghcr.io', '-u', username, '--password-stdin'], {
+    input: token,
+    stdout: 'inherit',
+    stderr: 'inherit',
+  });
+
+  console.log(pc.green('✔') + ' GHCR login successful.');
+}

package/src/preflight.js

@@ -0,0 +1,41 @@
+import { execa } from 'execa';
+import pc from 'picocolors';
+
+/**
+ * Checks that docker and docker compose v2 are available.
+ * Aborts with a clear message if any prerequisite is missing.
+ */
+export async function preflight() {
+  const checks = [
+    {
+      cmd: 'docker',
+      args: ['--version'],
+      label: 'Docker',
+      hint: 'Install Docker Engine: https://docs.docker.com/engine/install/',
+    },
+    {
+      cmd: 'docker',
+      args: ['compose', 'version'],
+      label: 'Docker Compose v2',
+      hint: 'Compose v2 ships with Docker Engine >= 20.10. Update Docker.',
+    },
+  ];
+
+  let ok = true;
+
+  for (const { cmd, args, label, hint } of checks) {
+    try {
+      const { stdout } = await execa(cmd, args);
+      console.log(pc.green('✔') + ' ' + label + ' — ' + stdout.trim().split('\n')[0]);
+    } catch {
+      console.error(pc.red('✘') + ' ' + label + ' not found.');
+      console.error('  ' + pc.yellow(hint));
+      ok = false;
+    }
+  }
+
+  if (!ok) {
+    console.error(pc.red('\nMissing prerequisites. Install the required tools and try again.'));
+    process.exit(1);
+  }
+}

package/src/s3.js

@@ -0,0 +1,45 @@
+import { S3Client, GetObjectCommand } from '@aws-sdk/client-s3';
+import { createWriteStream, mkdirSync } from 'node:fs';
+import { dirname } from 'node:path';
+import { pipeline } from 'node:stream/promises';
+import pc from 'picocolors';
+
+/**
+ * Downloads docker-compose.yml from an S3 bucket to disk.
+ *
+ * @param {object} opts
+ * @param {string} opts.bucket
+ * @param {string} opts.key
+ * @param {string} opts.region
+ * @param {string} opts.accessKeyId
+ * @param {string} opts.secretAccessKey
+ * @param {string} opts.destPath   Local destination path (e.g. ./fluxup/docker-compose.yml)
+ */
+export async function downloadCompose({
+  bucket,
+  key,
+  region,
+  accessKeyId,
+  secretAccessKey,
+  destPath,
+}) {
+  const client = new S3Client({
+    region,
+    credentials: { accessKeyId, secretAccessKey },
+  });
+
+  console.log(pc.dim(`  s3://${bucket}/${key} → ${destPath}`));
+
+  const { Body } = await client.send(
+    new GetObjectCommand({ Bucket: bucket, Key: key })
+  );
+
+  if (!Body) {
+    throw new Error(`Object s3://${bucket}/${key} returned no Body.`);
+  }
+
+  mkdirSync(dirname(destPath), { recursive: true });
+  await pipeline(Body, createWriteStream(destPath));
+
+  console.log(pc.green('✔') + ` docker-compose.yml saved to ${destPath}`);
+}

package/src/secrets.js

@@ -0,0 +1,42 @@
+import {
+  SecretsManagerClient,
+  GetSecretValueCommand,
+} from '@aws-sdk/client-secrets-manager';
+
+/**
+ * Fetches the GHCR token from AWS Secrets Manager at runtime.
+ * The token is kept in memory only — never written to disk.
+ *
+ * @param {object} opts
+ * @param {string} opts.secretName   Secret name or ARN (e.g. 'fluxup/ghcr-token')
+ * @param {string} opts.region       AWS region
+ * @param {string} opts.accessKeyId
+ * @param {string} opts.secretAccessKey
+ * @returns {Promise<string>} GHCR token
+ */
+export async function fetchGhcrToken({ secretName, region, accessKeyId, secretAccessKey }) {
+  const client = new SecretsManagerClient({
+    region,
+    credentials: {
+      accessKeyId,
+      secretAccessKey,
+    },
+  });
+
+  const response = await client.send(
+    new GetSecretValueCommand({ SecretId: secretName })
+  );
+
+  const raw = response.SecretString;
+  if (!raw) {
+    throw new Error(`Secret "${secretName}" has no SecretString.`);
+  }
+
+  // Supports secret as JSON { "token": "ghp_..." } or plain string
+  try {
+    const parsed = JSON.parse(raw);
+    return parsed.token ?? parsed.GHCR_TOKEN ?? raw;
+  } catch {
+    return raw.trim();
+  }
+}

package/src/wizard.js

@@ -0,0 +1,58 @@
+import * as p from '@clack/prompts';
+import pc from 'picocolors';
+import { ENV_SCHEMA } from './env.schema.js';
+
+/**
+ * Collects all environment variables via grouped interactive prompts.
+ * Fields marked with secret:true use masked input.
+ *
+ * @param {Record<string, string>} existing  Pre-existing values (e.g. from --non-interactive env vars)
+ * @returns {Promise<Record<string, string>>}
+ */
+export async function runWizard(existing = {}) {
+  const answers = { ...existing };
+
+  const groups = [...new Set(ENV_SCHEMA.map((e) => e.group))];
+
+  p.intro(pc.bgBlue(pc.white(' FluxUp Install — Configuration ')));
+
+  for (const group of groups) {
+    const fields = ENV_SCHEMA.filter((e) => e.group === group);
+
+    p.log.step(pc.bold(group));
+
+    for (const field of fields) {
+      if (answers[field.key] !== undefined && answers[field.key] !== '') {
+        p.log.info(`${field.key} = ${field.secret ? '***' : answers[field.key]}  (kept)`);
+        continue;
+      }
+
+      const value = field.secret
+        ? await p.password({
+            message: field.prompt,
+            validate(v) {
+              if (!field.default && !v) return 'Required.';
+            },
+          })
+        : await p.text({
+            message: field.prompt,
+            defaultValue: field.default,
+            placeholder: field.default ?? '',
+            validate(v) {
+              if (!field.default && !v) return 'Required.';
+            },
+          });
+
+      if (p.isCancel(value)) {
+        p.cancel('Installation cancelled.');
+        process.exit(0);
+      }
+
+      answers[field.key] = value || field.default || '';
+    }
+  }
+
+  p.log.success('Configuration collected.');
+
+  return answers;
+}