@freecodecamp/universe-cli 0.1.0

package/dist/index.js

@@ -0,0 +1,1009 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/output/envelope.ts
+function buildEnvelope(command, success, data) {
+  return {
+    schemaVersion: "1",
+    command,
+    success,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    ...data
+  };
+}
+function buildErrorEnvelope(command, code, message, issues) {
+  const error = {
+    code,
+    message
+  };
+  if (issues !== void 0) {
+    error.issues = issues;
+  }
+  return {
+    schemaVersion: "1",
+    command,
+    success: false,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    error
+  };
+}
+var init_envelope = __esm({
+  "src/output/envelope.ts"() {
+    "use strict";
+  }
+});
+
+// src/output/redact.ts
+function maskAkia(match) {
+  return match.slice(0, 4) + "****" + match.slice(-4);
+}
+function maskUrlCreds(match) {
+  const atIndex = match.lastIndexOf("@");
+  const protocolEnd = match.indexOf("://") + 3;
+  return match.slice(0, protocolEnd) + "****:****@" + match.slice(atIndex + 1);
+}
+function redact(value) {
+  let result = value;
+  result = result.replace(URL_CREDS_PATTERN, maskUrlCreds);
+  result = result.replace(AKIA_PATTERN, maskAkia);
+  result = result.replace(
+    CREDENTIAL_CONTEXT_PATTERN,
+    (_match, _secret, _offset, _full) => {
+      const eqIndex = _match.indexOf("=");
+      const colonIndex = _match.indexOf(":");
+      const sepIndex = eqIndex >= 0 && colonIndex >= 0 ? Math.min(eqIndex, colonIndex) : eqIndex >= 0 ? eqIndex : colonIndex;
+      const prefix = _match.slice(0, sepIndex + 1);
+      return prefix + "****";
+    }
+  );
+  result = result.replace(HEX_CREDENTIAL_CONTEXT_PATTERN, (_match, _secret) => {
+    const eqIndex = _match.indexOf("=");
+    const colonIndex = _match.indexOf(":");
+    const sepIndex = eqIndex >= 0 && colonIndex >= 0 ? Math.min(eqIndex, colonIndex) : eqIndex >= 0 ? eqIndex : colonIndex;
+    const prefix = _match.slice(0, sepIndex + 1);
+    return prefix + "****";
+  });
+  return result;
+}
+var AKIA_PATTERN, URL_CREDS_PATTERN, CREDENTIAL_CONTEXT_PATTERN, HEX_CREDENTIAL_CONTEXT_PATTERN;
+var init_redact = __esm({
+  "src/output/redact.ts"() {
+    "use strict";
+    AKIA_PATTERN = /AKIA[A-Z0-9]{12,}/g;
+    URL_CREDS_PATTERN = /https?:\/\/[^@\s]+@/g;
+    CREDENTIAL_CONTEXT_PATTERN = /(?:secret|password|token|key|credential|auth)[=:]\s*([A-Za-z0-9/+=]{21,})/gi;
+    HEX_CREDENTIAL_CONTEXT_PATTERN = /(?:secret|password|token|key|credential|auth|access_key_id|secret_access_key)[=:]\s*([a-f0-9]{32,})/gi;
+  }
+});
+
+// src/output/format.ts
+import { log } from "@clack/prompts";
+function outputSuccess(ctx, humanMessage, data) {
+  if (ctx.json) {
+    const envelope = buildEnvelope(ctx.command, true, data);
+    process.stdout.write(JSON.stringify(envelope) + "\n");
+  } else {
+    log.success(humanMessage);
+  }
+}
+function outputError(ctx, code, message, issues) {
+  const redactedMessage = redact(message);
+  const redactedIssues = issues?.map(redact);
+  if (ctx.json) {
+    const envelope = buildErrorEnvelope(
+      ctx.command,
+      code,
+      redactedMessage,
+      redactedIssues
+    );
+    process.stdout.write(JSON.stringify(envelope) + "\n");
+  } else {
+    log.error(redactedMessage);
+  }
+}
+var init_format = __esm({
+  "src/output/format.ts"() {
+    "use strict";
+    init_envelope();
+    init_redact();
+  }
+});
+
+// src/output/exit-codes.ts
+function exitWithCode(code, message) {
+  if (message !== void 0) {
+    process.stderr.write(message + "\n");
+  }
+  process.exit(code);
+}
+var EXIT_USAGE, EXIT_OUTPUT_DIR, EXIT_GIT, EXIT_ALIAS, EXIT_DEPLOY_NOT_FOUND, EXIT_CONFIRM, EXIT_PARTIAL;
+var init_exit_codes = __esm({
+  "src/output/exit-codes.ts"() {
+    "use strict";
+    EXIT_USAGE = 10;
+    EXIT_OUTPUT_DIR = 14;
+    EXIT_GIT = 15;
+    EXIT_ALIAS = 16;
+    EXIT_DEPLOY_NOT_FOUND = 17;
+    EXIT_CONFIRM = 18;
+    EXIT_PARTIAL = 19;
+  }
+});
+
+// src/config/schema.ts
+import { z } from "zod";
+var staticSchema, domainSchema, platformSchema;
+var init_schema = __esm({
+  "src/config/schema.ts"() {
+    "use strict";
+    staticSchema = z.object({
+      output_dir: z.string().min(1).default("dist"),
+      bucket: z.string().min(1).default("gxy-static-1"),
+      rclone_remote: z.string().min(1).default("gxy-static"),
+      region: z.string().min(1).default("auto")
+    }).default({});
+    domainSchema = z.object({
+      production: z.string().min(1),
+      preview: z.string().min(1)
+    });
+    platformSchema = z.object({
+      name: z.string().min(1).regex(/^[a-z0-9]([a-z0-9._-]*[a-z0-9])?$/i),
+      stack: z.literal("static"),
+      domain: domainSchema,
+      static: staticSchema
+    });
+  }
+});
+
+// src/config/loader.ts
+import { readFileSync } from "fs";
+import { resolve } from "path";
+import { parse as parseYaml } from "yaml";
+function readEnvOverrides() {
+  const overrides = {};
+  if (process.env.UNIVERSE_STATIC_OUTPUT_DIR) {
+    overrides.output_dir = process.env.UNIVERSE_STATIC_OUTPUT_DIR;
+  }
+  if (process.env.UNIVERSE_STATIC_BUCKET) {
+    overrides.bucket = process.env.UNIVERSE_STATIC_BUCKET;
+  }
+  if (process.env.UNIVERSE_STATIC_RCLONE_REMOTE) {
+    overrides.rclone_remote = process.env.UNIVERSE_STATIC_RCLONE_REMOTE;
+  }
+  if (process.env.UNIVERSE_STATIC_REGION) {
+    overrides.region = process.env.UNIVERSE_STATIC_REGION;
+  }
+  return overrides;
+}
+function readFlagOverrides(flags) {
+  if (!flags) return {};
+  const overrides = {};
+  if (flags.outputDir) overrides.output_dir = flags.outputDir;
+  if (flags.bucket) overrides.bucket = flags.bucket;
+  if (flags.rcloneRemote) overrides.rclone_remote = flags.rcloneRemote;
+  if (flags.region) overrides.region = flags.region;
+  return overrides;
+}
+function loadConfig(options = {}) {
+  const cwd = options.cwd ?? process.cwd();
+  const configPath = resolve(cwd, "platform.yaml");
+  let raw;
+  try {
+    raw = readFileSync(configPath, "utf-8");
+  } catch (err) {
+    if (err instanceof Error && err.code === "ENOENT") {
+      throw new Error(
+        `platform.yaml not found at ${configPath}. See STAFF-GUIDE.md for the required format.`
+      );
+    }
+    throw err;
+  }
+  const parsed = parseYaml(raw);
+  const yamlValidated = platformSchema.parse(parsed);
+  const envOverrides = readEnvOverrides();
+  const flagOverrides = readFlagOverrides(options.flags);
+  const merged = {
+    ...yamlValidated,
+    static: {
+      ...yamlValidated.static,
+      ...envOverrides,
+      ...flagOverrides
+    }
+  };
+  return merged;
+}
+var init_loader = __esm({
+  "src/config/loader.ts"() {
+    "use strict";
+    init_schema();
+  }
+});
+
+// src/credentials/resolver.ts
+import { execSync } from "child_process";
+function tryEnvCredentials() {
+  const key = process.env.S3_ACCESS_KEY_ID;
+  const secret = process.env.S3_SECRET_ACCESS_KEY;
+  const endpoint = process.env.S3_ENDPOINT;
+  const region = process.env.S3_REGION;
+  const present = [key, secret, endpoint].filter(Boolean);
+  if (present.length === 0) return "none";
+  if (present.length < 3) return "partial";
+  const creds = {
+    accessKeyId: key,
+    secretAccessKey: secret,
+    endpoint
+  };
+  if (region) creds.region = region;
+  return creds;
+}
+function fromRclone(remoteName) {
+  let output;
+  try {
+    output = execSync("rclone config dump", { stdio: "pipe" });
+  } catch (err) {
+    if (err instanceof Error && err.code === "ENOENT") {
+      throw new Error(
+        "rclone not found \u2014 install rclone or provide S3 credentials via environment variables"
+      );
+    }
+    throw new Error(
+      `Failed to run rclone config dump: ${redact(err instanceof Error ? err.message : "unknown error")}`
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(output.toString("utf-8"));
+  } catch {
+    throw new Error(`Failed to parse rclone config for remote ${remoteName}`);
+  }
+  output = null;
+  const remote = parsed[remoteName];
+  if (!remote) {
+    throw new Error(
+      `Remote "${remoteName}" not found in rclone config. Available remotes: ${Object.keys(parsed).join(", ") || "(none)"}`
+    );
+  }
+  const missing = [];
+  if (!remote.access_key_id) missing.push("access_key_id");
+  if (!remote.secret_access_key) missing.push("secret_access_key");
+  if (!remote.endpoint) missing.push("endpoint");
+  if (missing.length > 0) {
+    throw new Error(
+      `Rclone remote "${remoteName}" is missing required fields: ${missing.join(", ")}`
+    );
+  }
+  const creds = {
+    accessKeyId: remote.access_key_id,
+    secretAccessKey: remote.secret_access_key,
+    endpoint: remote.endpoint
+  };
+  if (remote.region) creds.region = remote.region;
+  return creds;
+}
+function resolveCredentials(options) {
+  const envResult = tryEnvCredentials();
+  if (envResult === "partial") {
+    throw new Error(
+      "Partial S3 credentials in environment. Set all three: S3_ACCESS_KEY_ID, S3_SECRET_ACCESS_KEY, S3_ENDPOINT \u2014 or remove all to use rclone fallback."
+    );
+  }
+  if (envResult !== "none") {
+    return envResult;
+  }
+  return fromRclone(options.remoteName);
+}
+var init_resolver = __esm({
+  "src/credentials/resolver.ts"() {
+    "use strict";
+    init_redact();
+  }
+});
+
+// src/storage/client.ts
+import { S3Client } from "@aws-sdk/client-s3";
+function createS3Client(credentials) {
+  return new S3Client({
+    endpoint: credentials.endpoint,
+    region: credentials.region ?? "auto",
+    credentials: {
+      accessKeyId: credentials.accessKeyId,
+      secretAccessKey: credentials.secretAccessKey
+    },
+    forcePathStyle: true
+  });
+}
+var init_client = __esm({
+  "src/storage/client.ts"() {
+    "use strict";
+  }
+});
+
+// src/storage/operations.ts
+import {
+  PutObjectCommand,
+  GetObjectCommand,
+  ListObjectsV2Command,
+  HeadObjectCommand,
+  DeleteObjectCommand,
+  DeleteObjectsCommand
+} from "@aws-sdk/client-s3";
+function isTransientError(error) {
+  if (!(error instanceof Error)) return false;
+  const meta = error.$metadata;
+  const statusCode = meta?.httpStatusCode;
+  if (statusCode !== void 0 && statusCode >= 500) return true;
+  if (statusCode === 429) return true;
+  const name = error.name;
+  if (name === "ThrottlingException" || name === "TooManyRequestsException" || name === "RequestTimeout" || name === "RequestTimeoutException")
+    return true;
+  if (name === "NetworkingError" || name === "TimeoutError" || error.code === "ECONNRESET")
+    return true;
+  return false;
+}
+async function withRetry(fn) {
+  for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+    try {
+      return await fn();
+    } catch (error) {
+      if (!isTransientError(error) || attempt === MAX_RETRIES) {
+        throw error;
+      }
+      const jitter = Math.random() * BASE_DELAY_MS;
+      const delay = BASE_DELAY_MS * Math.pow(2, attempt) + jitter;
+      await new Promise((resolve2) => setTimeout(resolve2, delay));
+    }
+  }
+  throw new Error("withRetry: unreachable");
+}
+async function putObject(client, params) {
+  await withRetry(
+    () => client.send(
+      new PutObjectCommand({
+        Bucket: params.bucket,
+        Key: params.key,
+        Body: params.body,
+        ContentType: params.contentType,
+        CacheControl: params.cacheControl
+      })
+    )
+  );
+}
+async function getObject(client, params) {
+  try {
+    const response = await withRetry(
+      () => client.send(
+        new GetObjectCommand({
+          Bucket: params.bucket,
+          Key: params.key
+        })
+      )
+    );
+    return await response.Body?.transformToString() ?? null;
+  } catch (error) {
+    if (error instanceof Error && error.name === "NoSuchKey") {
+      return null;
+    }
+    throw error;
+  }
+}
+async function listObjects(client, params) {
+  const allItems = [];
+  let continuationToken;
+  do {
+    const response = await withRetry(
+      () => client.send(
+        new ListObjectsV2Command({
+          Bucket: params.bucket,
+          Prefix: params.prefix,
+          ContinuationToken: continuationToken
+        })
+      )
+    );
+    if (response.Contents) {
+      for (const item of response.Contents) {
+        allItems.push({
+          key: item.Key ?? "",
+          size: item.Size ?? 0,
+          lastModified: item.LastModified ?? /* @__PURE__ */ new Date(0)
+        });
+      }
+    }
+    continuationToken = response.IsTruncated ? response.NextContinuationToken : void 0;
+  } while (continuationToken);
+  return allItems;
+}
+var MAX_RETRIES, BASE_DELAY_MS;
+var init_operations = __esm({
+  "src/storage/operations.ts"() {
+    "use strict";
+    MAX_RETRIES = 3;
+    BASE_DELAY_MS = 500;
+  }
+});
+
+// src/storage/aliases.ts
+async function readAlias(client, bucket, site, aliasName) {
+  const result = await getObject(client, {
+    bucket,
+    key: `${site}/${aliasName}`
+  });
+  return result !== null ? result.trim() : null;
+}
+async function writeAlias(client, bucket, site, aliasName, deployId) {
+  await putObject(client, {
+    bucket,
+    key: `${site}/${aliasName}`,
+    body: deployId,
+    contentType: "text/plain"
+  });
+}
+var init_aliases = __esm({
+  "src/storage/aliases.ts"() {
+    "use strict";
+    init_operations();
+  }
+});
+
+// src/deploy/id.ts
+function generateDeployId(gitHash, force = false) {
+  if (gitHash === void 0) {
+    if (!force) {
+      throw new Error("git hash is required unless --force is set");
+    }
+    return formatId("nogit");
+  }
+  return formatId(gitHash.slice(0, 7));
+}
+function formatId(suffix) {
+  const now = /* @__PURE__ */ new Date();
+  const y = now.getUTCFullYear();
+  const mo = String(now.getUTCMonth() + 1).padStart(2, "0");
+  const d = String(now.getUTCDate()).padStart(2, "0");
+  const h = String(now.getUTCHours()).padStart(2, "0");
+  const mi = String(now.getUTCMinutes()).padStart(2, "0");
+  const s = String(now.getUTCSeconds()).padStart(2, "0");
+  return `${y}${mo}${d}-${h}${mi}${s}-${suffix}`;
+}
+var init_id = __esm({
+  "src/deploy/id.ts"() {
+    "use strict";
+  }
+});
+
+// src/deploy/git.ts
+import { execSync as execSync2 } from "child_process";
+function getGitState() {
+  try {
+    const hash = execSync2("git rev-parse HEAD", { encoding: "utf-8" }).trim();
+    const status = execSync2("git status --porcelain", { encoding: "utf-8" });
+    return { hash, dirty: status.length > 0 };
+  } catch {
+    return { hash: null, dirty: false, error: "not a git repository" };
+  }
+}
+var init_git = __esm({
+  "src/deploy/git.ts"() {
+    "use strict";
+  }
+});
+
+// src/deploy/preflight.ts
+import { existsSync, statSync, readdirSync } from "fs";
+import { join } from "path";
+function validateOutputDir(dir) {
+  if (!existsSync(dir)) {
+    return { valid: false, fileCount: 0, error: "directory not found" };
+  }
+  if (!statSync(dir).isDirectory()) {
+    return { valid: false, fileCount: 0, error: "not a directory" };
+  }
+  const fileCount = countFiles(dir);
+  if (fileCount === 0) {
+    return { valid: false, fileCount: 0, error: "directory is empty" };
+  }
+  return { valid: true, fileCount };
+}
+function countFiles(dir) {
+  let count = 0;
+  for (const entry of readdirSync(dir, { withFileTypes: true })) {
+    if (entry.isFile()) {
+      count++;
+    } else if (entry.isDirectory()) {
+      count += countFiles(join(dir, entry.name));
+    }
+  }
+  return count;
+}
+var init_preflight = __esm({
+  "src/deploy/preflight.ts"() {
+    "use strict";
+  }
+});
+
+// src/deploy/upload.ts
+import { readdirSync as readdirSync2, readFileSync as readFileSync2 } from "fs";
+import { extname, basename, join as join2, relative } from "path";
+import { lookup } from "mrmime";
+import pLimit from "p-limit";
+function getContentType(filename) {
+  const mime = lookup(filename);
+  if (mime === void 0) {
+    console.warn(`Unknown content-type for extension: ${extname(filename)}`);
+    return "application/octet-stream";
+  }
+  return mime;
+}
+function getCacheControl(filename) {
+  if (extname(filename) === ".html") {
+    return "public, max-age=60, must-revalidate";
+  }
+  if (FINGERPRINT_RE.test(basename(filename))) {
+    return "public, max-age=31536000, immutable";
+  }
+  return "public, max-age=3600";
+}
+async function uploadDirectory(client, bucket, site, deployId, outputDir, options) {
+  const concurrency = options?.concurrency ?? 10;
+  const limit = pLimit(concurrency);
+  const entries = readdirSync2(outputDir, {
+    recursive: true,
+    withFileTypes: true
+  });
+  const files = entries.filter((entry) => entry.isFile() && !entry.isSymbolicLink()).map((entry) => {
+    const full = join2(entry.parentPath ?? entry.path, entry.name);
+    return relative(outputDir, full);
+  });
+  const errors = [];
+  let totalSize = 0;
+  let fileCount = 0;
+  const tasks = files.map(
+    (filePath) => limit(async () => {
+      const fullPath = `${outputDir}/${filePath}`;
+      const key = `${site}/deploys/${deployId}/${filePath}`;
+      const contentType = getContentType(filePath);
+      const cacheControl = getCacheControl(filePath);
+      try {
+        const body = readFileSync2(fullPath);
+        totalSize += body.byteLength;
+        fileCount++;
+        await putObject(client, {
+          bucket,
+          key,
+          body,
+          contentType,
+          cacheControl
+        });
+      } catch (err) {
+        const message = err instanceof Error ? err.message : "unknown upload error";
+        errors.push(`${filePath}: ${message}`);
+      }
+    })
+  );
+  await Promise.all(tasks);
+  return { fileCount, totalSize, errors };
+}
+var FINGERPRINT_RE;
+var init_upload = __esm({
+  "src/deploy/upload.ts"() {
+    "use strict";
+    init_operations();
+    FINGERPRINT_RE = /[.-][a-zA-Z0-9_-]{8,}\./;
+  }
+});
+
+// src/deploy/metadata.ts
+async function writeDeployMetadata(client, bucket, site, deployId, meta) {
+  const key = `${site}/_universe/deploys/${deployId}.json`;
+  const body = JSON.stringify(meta);
+  await putObject(client, {
+    bucket,
+    key,
+    body,
+    contentType: "application/json"
+  });
+}
+var init_metadata = __esm({
+  "src/deploy/metadata.ts"() {
+    "use strict";
+    init_operations();
+  }
+});
+
+// src/commands/deploy.ts
+var deploy_exports = {};
+__export(deploy_exports, {
+  deploy: () => deploy
+});
+async function resolveDeployId(client, bucket, site, gitHash, force) {
+  for (let attempt = 0; attempt < MAX_COLLISION_RETRIES; attempt++) {
+    const deployId = generateDeployId(gitHash, force);
+    const prefix = `${site}/deploys/${deployId}/`;
+    const existing = await listObjects(client, { bucket, prefix });
+    if (existing.length === 0) {
+      return deployId;
+    }
+    if (attempt < MAX_COLLISION_RETRIES - 1) {
+      await new Promise((resolve2) => setTimeout(resolve2, COLLISION_DELAY_MS));
+    }
+  }
+  return generateDeployId(gitHash, force);
+}
+async function deploy(options) {
+  const config = loadConfig({
+    flags: options.outputDir ? { outputDir: options.outputDir } : void 0
+  });
+  const credentials = resolveCredentials({
+    remoteName: config.static.rclone_remote
+  });
+  const client = createS3Client(credentials);
+  const bucket = config.static.bucket;
+  const site = config.name;
+  const ctx = { json: options.json, command: "deploy" };
+  const git = getGitState();
+  if (git.hash === null && !options.force) {
+    outputError(
+      ctx,
+      EXIT_GIT,
+      "Git hash not available \u2014 use --force to deploy without git info"
+    );
+    exitWithCode(
+      EXIT_GIT,
+      "Git hash not available \u2014 use --force to deploy without git info"
+    );
+    return;
+  }
+  if (git.dirty) {
+    console.warn(
+      "Warning: git working tree is dirty \u2014 uncommitted changes will not be reflected in the deploy"
+    );
+  }
+  const preflight = validateOutputDir(config.static.output_dir);
+  if (!preflight.valid) {
+    outputError(
+      ctx,
+      EXIT_OUTPUT_DIR,
+      `Output directory invalid: ${preflight.error}`
+    );
+    exitWithCode(
+      EXIT_OUTPUT_DIR,
+      `Output directory invalid: ${preflight.error}`
+    );
+    return;
+  }
+  const gitHash = git.hash ?? void 0;
+  const deployId = await resolveDeployId(
+    client,
+    bucket,
+    site,
+    gitHash,
+    options.force ?? false
+  );
+  const uploadResult = await uploadDirectory(
+    client,
+    bucket,
+    site,
+    deployId,
+    config.static.output_dir
+  );
+  if (uploadResult.errors.length > 0) {
+    outputError(
+      ctx,
+      EXIT_PARTIAL,
+      `Upload partially failed: ${uploadResult.errors.length} file(s) failed`,
+      uploadResult.errors
+    );
+    exitWithCode(
+      EXIT_PARTIAL,
+      `Upload partially failed: ${uploadResult.errors.length} file(s) failed`
+    );
+    return;
+  }
+  await writeDeployMetadata(client, bucket, site, deployId, {
+    deployId,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    gitHash: git.hash,
+    gitDirty: git.dirty,
+    fileCount: uploadResult.fileCount,
+    totalSize: uploadResult.totalSize
+  });
+  await writeAlias(client, bucket, site, "preview", deployId);
+  const sizeKB = (uploadResult.totalSize / 1024).toFixed(1);
+  const previewDomain = config.domain?.preview ?? `preview.${site}`;
+  const humanMsg = [
+    `Deployed ${deployId}`,
+    ``,
+    `  Site:     ${site}`,
+    `  Files:    ${uploadResult.fileCount}`,
+    `  Size:     ${sizeKB} KB`,
+    `  Alias:    preview`,
+    `  Preview:  https://${previewDomain}`,
+    ``,
+    `Next: universe static promote`
+  ].join("\n");
+  outputSuccess(ctx, humanMsg, {
+    deployId,
+    site,
+    fileCount: uploadResult.fileCount,
+    totalSize: uploadResult.totalSize,
+    alias: "preview",
+    previewDomain
+  });
+}
+var MAX_COLLISION_RETRIES, COLLISION_DELAY_MS;
+var init_deploy = __esm({
+  "src/commands/deploy.ts"() {
+    "use strict";
+    init_loader();
+    init_resolver();
+    init_client();
+    init_aliases();
+    init_operations();
+    init_id();
+    init_git();
+    init_preflight();
+    init_upload();
+    init_metadata();
+    init_format();
+    init_exit_codes();
+    MAX_COLLISION_RETRIES = 3;
+    COLLISION_DELAY_MS = 1e3;
+  }
+});
+
+// src/storage/deploys.ts
+async function listDeploys(client, bucket, site) {
+  const prefix = `${site}/deploys/`;
+  const items = await listObjects(client, { bucket, prefix });
+  const deployIds = /* @__PURE__ */ new Set();
+  for (const item of items) {
+    const afterPrefix = item.key.slice(prefix.length);
+    const segment = afterPrefix.split("/")[0];
+    if (segment) {
+      deployIds.add(segment);
+    }
+  }
+  return [...deployIds].sort().reverse();
+}
+async function deployExists(client, bucket, site, deployId) {
+  const prefix = `${site}/deploys/${deployId}/`;
+  const items = await listObjects(client, { bucket, prefix });
+  return items.length > 0;
+}
+var init_deploys = __esm({
+  "src/storage/deploys.ts"() {
+    "use strict";
+    init_operations();
+  }
+});
+
+// src/commands/promote.ts
+var promote_exports = {};
+__export(promote_exports, {
+  promote: () => promote
+});
+async function promote(options) {
+  const config = loadConfig();
+  const credentials = resolveCredentials({
+    remoteName: config.static.rclone_remote
+  });
+  const client = createS3Client(credentials);
+  const bucket = config.static.bucket;
+  const site = config.name;
+  const ctx = { json: options.json, command: "promote" };
+  let deployId;
+  if (options.deployId) {
+    const exists = await deployExists(client, bucket, site, options.deployId);
+    if (!exists) {
+      outputError(
+        ctx,
+        EXIT_DEPLOY_NOT_FOUND,
+        `Deploy ${options.deployId} not found`
+      );
+      exitWithCode(
+        EXIT_DEPLOY_NOT_FOUND,
+        `Deploy ${options.deployId} not found`
+      );
+      return;
+    }
+    deployId = options.deployId;
+  } else {
+    const preview = await readAlias(client, bucket, site, "preview");
+    if (!preview) {
+      outputError(
+        ctx,
+        EXIT_ALIAS,
+        "No preview alias set \u2014 deploy first or specify a deploy ID"
+      );
+      exitWithCode(
+        EXIT_ALIAS,
+        "No preview alias set \u2014 deploy first or specify a deploy ID"
+      );
+      return;
+    }
+    deployId = preview;
+  }
+  await writeAlias(client, bucket, site, "production", deployId);
+  const productionDomain = config.domain?.production ?? site;
+  const humanMsg = [
+    `Promoted ${deployId} to production`,
+    ``,
+    `  Site:        ${site}`,
+    `  Deploy:      ${deployId}`,
+    `  Production:  https://${productionDomain}`
+  ].join("\n");
+  outputSuccess(ctx, humanMsg, {
+    deployId,
+    site,
+    alias: "production",
+    productionDomain
+  });
+}
+var init_promote = __esm({
+  "src/commands/promote.ts"() {
+    "use strict";
+    init_loader();
+    init_resolver();
+    init_client();
+    init_aliases();
+    init_deploys();
+    init_format();
+    init_exit_codes();
+  }
+});
+
+// src/commands/rollback.ts
+var rollback_exports = {};
+__export(rollback_exports, {
+  rollback: () => rollback
+});
+import { confirm } from "@clack/prompts";
+async function rollback(options) {
+  const config = loadConfig();
+  const credentials = resolveCredentials({
+    remoteName: config.static.rclone_remote
+  });
+  const client = createS3Client(credentials);
+  const bucket = config.static.bucket;
+  const site = config.name;
+  const ctx = { json: options.json, command: "rollback" };
+  const currentDeployId = await readAlias(client, bucket, site, "production");
+  if (!currentDeployId) {
+    outputError(
+      ctx,
+      EXIT_ALIAS,
+      "No production alias set \u2014 nothing to rollback"
+    );
+    exitWithCode(EXIT_ALIAS, "No production alias set \u2014 nothing to rollback");
+    return;
+  }
+  const deploys = await listDeploys(client, bucket, site);
+  const currentIndex = deploys.indexOf(currentDeployId);
+  const previousDeploy = deploys[currentIndex + 1];
+  if (!previousDeploy) {
+    outputError(ctx, EXIT_ALIAS, "no previous deploy to rollback to");
+    exitWithCode(EXIT_ALIAS, "no previous deploy to rollback to");
+    return;
+  }
+  if (options.json && !options.confirm) {
+    outputError(
+      ctx,
+      EXIT_CONFIRM,
+      "Rollback requires --confirm flag in JSON mode"
+    );
+    exitWithCode(EXIT_CONFIRM, "Rollback requires --confirm flag in JSON mode");
+    return;
+  }
+  if (!options.json && !options.confirm) {
+    const confirmed = await confirm({
+      message: `Rollback production from ${currentDeployId} to ${previousDeploy}?`
+    });
+    if (!confirmed || typeof confirmed === "symbol") {
+      return;
+    }
+  }
+  await writeAlias(client, bucket, site, "production", previousDeploy);
+  const productionDomain = config.domain?.production ?? site;
+  const humanMsg = [
+    `Rolled back production`,
+    ``,
+    `  Site:        ${site}`,
+    `  Was:         ${currentDeployId}`,
+    `  Now:         ${previousDeploy}`,
+    `  Production:  https://${productionDomain}`
+  ].join("\n");
+  outputSuccess(ctx, humanMsg, {
+    previousDeployId: currentDeployId,
+    rolledBackTo: previousDeploy,
+    site,
+    alias: "production",
+    productionDomain
+  });
+}
+var init_rollback = __esm({
+  "src/commands/rollback.ts"() {
+    "use strict";
+    init_loader();
+    init_resolver();
+    init_client();
+    init_aliases();
+    init_deploys();
+    init_format();
+    init_exit_codes();
+  }
+});
+
+// src/cli.ts
+init_format();
+init_exit_codes();
+import { cac } from "cac";
+var version = true ? "0.1.0" : "0.0.0";
+function handleActionError(command, json, err) {
+  const ctx = { json, command };
+  const message = err instanceof Error ? err.message : "unknown error";
+  outputError(ctx, EXIT_USAGE, message);
+  exitWithCode(EXIT_USAGE, message);
+}
+function run(argv = process.argv) {
+  const args = argv.slice(2);
+  if (args[0] === "static") {
+    const staticCli = cac("universe static");
+    staticCli.command("deploy", "Deploy static site to S3").option("--json", "Output as JSON").option("--force", "Force deploy without git hash").option("--output-dir <dir>", "Build output directory").action(
+      async (flags) => {
+        try {
+          const { deploy: deploy2 } = await Promise.resolve().then(() => (init_deploy(), deploy_exports));
+          await deploy2({
+            json: flags.json ?? false,
+            force: flags.force ?? false,
+            outputDir: flags.outputDir
+          });
+        } catch (err) {
+          handleActionError("deploy", flags.json ?? false, err);
+        }
+      }
+    );
+    staticCli.command("promote [deploy-id]", "Promote a deploy to production").option("--json", "Output as JSON").action(
+      async (deployId, flags) => {
+        try {
+          const { promote: promote2 } = await Promise.resolve().then(() => (init_promote(), promote_exports));
+          await promote2({ json: flags.json ?? false, deployId });
+        } catch (err) {
+          handleActionError("promote", flags.json ?? false, err);
+        }
+      }
+    );
+    staticCli.command("rollback", "Rollback production to previous deploy").option("--json", "Output as JSON").option("--confirm", "Confirm rollback").action(async (flags) => {
+      try {
+        const { rollback: rollback2 } = await Promise.resolve().then(() => (init_rollback(), rollback_exports));
+        await rollback2({
+          json: flags.json ?? false,
+          confirm: flags.confirm ?? false
+        });
+      } catch (err) {
+        handleActionError("rollback", flags.json ?? false, err);
+      }
+    });
+    staticCli.help();
+    staticCli.version(version);
+    staticCli.parse(["node", "universe-static", ...args.slice(1)]);
+  } else {
+    const cli = cac("universe");
+    cli.command("static [...args]", "Static site deployment commands").action(() => {
+      console.log("Run: universe static --help");
+    });
+    cli.help();
+    cli.version(version);
+    cli.parse(argv);
+  }
+}
+
+// src/index.ts
+run();