@lenne.tech/cli 1.22.0 → 1.24.0

package/build/lib/cloudflared.js

@@ -0,0 +1,129 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TRYCLOUDFLARE_URL_PATTERN = void 0;
+exports.buildQuickTunnelArgs = buildQuickTunnelArgs;
+exports.cloudflaredAvailable = cloudflaredAvailable;
+exports.extractTrycloudflareUrl = extractTrycloudflareUrl;
+exports.spawnQuickTunnel = spawnQuickTunnel;
+/**
+ * Cloudflare Tunnel integration for `lt dev tunnel`.
+ *
+ * Quick tunnels (no Cloudflare account, ephemeral URL) are the only
+ * mode supported here. Named tunnels would require multi-step Cloudflare
+ * setup (auth, DNS routing) which belongs in a separate command and is
+ * intentionally out of scope for this lib.
+ *
+ * The Caddy upstream stays unchanged: cloudflared connects to Caddy's
+ * HTTPS endpoint and rewrites the `Host` header to the configured
+ * `*.localhost` so Caddy's per-project block matches. Without that
+ * rewrite Cloudflare's edge would forward the random `*.trycloudflare.com`
+ * hostname which Caddy doesn't know.
+ */
+const child_process_1 = require("child_process");
+/**
+ * Match the trycloudflare URL anywhere in cloudflared's log output.
+ *
+ * cloudflared prints it in an ASCII-box on stderr (Linux/macOS) — exported
+ * here so tests can assert the exact pattern without spawning the binary.
+ */
+exports.TRYCLOUDFLARE_URL_PATTERN = /https:\/\/[a-z0-9][a-z0-9-]*\.trycloudflare\.com/i;
+/**
+ * Build the argv list for `cloudflared tunnel --url ...`. Pure helper.
+ *
+ * Why each flag:
+ *   --url             : the local upstream (Caddy's HTTPS endpoint)
+ *   --http-host-header: tells cloudflared to rewrite Host before forwarding,
+ *                       so Caddy's vhost match works for the public URL
+ *   --no-tls-verify   : Caddy serves a locally-signed cert that cloudflared
+ *                       cannot validate from outside the local trust store;
+ *                       disabling the check is safe because the upstream
+ *                       hop never leaves localhost
+ */
+function buildQuickTunnelArgs(opts) {
+    return [
+        'tunnel',
+        '--no-autoupdate',
+        '--no-tls-verify',
+        '--http-host-header',
+        opts.hostHeader,
+        '--url',
+        opts.upstreamUrl,
+    ];
+}
+/** Detect whether `cloudflared` is on PATH. */
+function cloudflaredAvailable() {
+    return __awaiter(this, void 0, void 0, function* () {
+        return new Promise((resolve) => {
+            var _a;
+            const child = (0, child_process_1.spawn)('cloudflared', ['--version'], { stdio: ['ignore', 'pipe', 'pipe'] });
+            let stdout = '';
+            (_a = child.stdout) === null || _a === void 0 ? void 0 : _a.on('data', (b) => (stdout += String(b)));
+            child.on('error', () => resolve({ installed: false }));
+            child.on('close', (code) => {
+                if (code !== 0)
+                    return resolve({ installed: false });
+                const match = stdout.match(/version\s+(\S+)/i);
+                resolve({ binary: 'cloudflared', installed: true, version: match === null || match === void 0 ? void 0 : match[1] });
+            });
+        });
+    });
+}
+/**
+ * Extract the trycloudflare URL from a chunk of cloudflared output.
+ * Returns the first match (cloudflared logs the URL exactly once).
+ */
+function extractTrycloudflareUrl(output) {
+    const match = output.match(exports.TRYCLOUDFLARE_URL_PATTERN);
+    return match ? match[0] : null;
+}
+/**
+ * Spawn a quick tunnel and resolve the public URL once cloudflared logs it.
+ *
+ * The returned `publicUrl` promise rejects if the child exits before
+ * surfacing a URL (timeout: ~30s, then cloudflared usually emits an
+ * error message and exits). The caller is expected to keep the
+ * process alive (foreground command) and `child.kill()` on Ctrl-C.
+ */
+function spawnQuickTunnel(opts) {
+    const args = buildQuickTunnelArgs(opts);
+    const child = (0, child_process_1.spawn)('cloudflared', args, { stdio: ['ignore', 'pipe', 'pipe'] });
+    const publicUrl = new Promise((resolve, reject) => {
+        var _a, _b;
+        let buffer = '';
+        let settled = false;
+        const onChunk = (chunk) => {
+            if (settled)
+                return;
+            buffer += String(chunk);
+            const url = extractTrycloudflareUrl(buffer);
+            if (url) {
+                settled = true;
+                resolve(url);
+            }
+        };
+        (_a = child.stdout) === null || _a === void 0 ? void 0 : _a.on('data', onChunk);
+        (_b = child.stderr) === null || _b === void 0 ? void 0 : _b.on('data', onChunk);
+        child.on('error', (err) => {
+            if (settled)
+                return;
+            settled = true;
+            reject(err);
+        });
+        child.on('close', (code) => {
+            if (settled)
+                return;
+            settled = true;
+            reject(new Error(`cloudflared exited (code ${code}) before publishing a tunnel URL.\n${buffer.slice(-500)}`));
+        });
+    });
+    return { child, publicUrl };
+}

package/build/lib/dev-env-bridge.js

@@ -86,6 +86,9 @@ function writeEnvBridge(projectRoot, devEnv, dbName) {
         'NUXT_PUBLIC_API_PROXY',
         'NSC__MONGOOSE__URI',
         'DATABASE_URL',
+        // Legacy aliases — see dev-env.ts for the rationale.
+        'API_URL',
+        'SITE_URL',
     ];
     for (const key of exported) {
         const v = devEnv.app.env[key];

package/build/lib/dev-env.js

@@ -1,6 +1,27 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.buildDevEnv = buildDevEnv;
+/**
+ * Build environment variables for `lt dev up`.
+ *
+ * URL-first: API and App processes receive complete URLs (not just ports)
+ * so they can configure CORS, BetterAuth trusted origins, OpenAPI servers,
+ * Vite proxies and storage prefixes consistently — without ever needing
+ * to know which internal port Caddy proxies them to.
+ *
+ * Cross-wiring protection:
+ * - `BASE_URL`/`APP_URL` lock the API to its own App origin (CORS + BetterAuth)
+ * - `NUXT_PUBLIC_*` lock the App to its own API
+ * - `NUXT_PUBLIC_STORAGE_PREFIX` namespaces localStorage/sessionStorage
+ * - `NSC__MONGOOSE__URI` / `DATABASE_URL` namespace the database per project
+ *
+ * CA trust for SSR fetches:
+ * - Both API and App receive `NODE_EXTRA_CA_CERTS` pointing at the
+ *   Caddy local root CA so server-side fetches between the two
+ *   subdomains succeed. Without this Nuxt SSR fails with "unable to
+ *   get local issuer certificate" when the app calls its own API.
+ */
+const dev_env_bridge_1 = require("./dev-env-bridge");
 /**
  * Build the environment maps for both API and App processes.
  *
@@ -13,14 +34,23 @@ function buildDevEnv(input) {
     const appSub = identity.subdomains.app;
     const apiUrl = apiSub ? `https://${apiSub.hostname}` : '';
     const appUrl = appSub ? `https://${appSub.hostname}` : '';
-    const sharedKeys = Object.assign(Object.assign(Object.assign({}, (apiUrl ? { BASE_URL: apiUrl, NSC__BASE_URL: apiUrl } : {})), (appUrl ? { APP_URL: appUrl, NSC__APP_URL: appUrl } : {})), (dbName ? { DATABASE_URL: buildPostgresUrl(dbName), NSC__MONGOOSE__URI: `mongodb://127.0.0.1/${dbName}` } : {}));
+    const caPath = (0, dev_env_bridge_1.detectCaddyRootCa)();
+    const sharedKeys = Object.assign(Object.assign(Object.assign(Object.assign({}, (apiUrl ? { BASE_URL: apiUrl, NSC__BASE_URL: apiUrl } : {})), (appUrl ? { APP_URL: appUrl, NSC__APP_URL: appUrl } : {})), (dbName ? { DATABASE_URL: buildPostgresUrl(dbName), NSC__MONGOOSE__URI: `mongodb://127.0.0.1/${dbName}` } : {})), (caPath ? { NODE_EXTRA_CA_CERTS: caPath } : {}));
     return {
         api: {
-            env: Object.assign(Object.assign(Object.assign({}, baseEnv), sharedKeys), { PORT: String(apiInternalPort) }),
+            env: Object.assign(Object.assign(Object.assign({}, baseEnv), sharedKeys), { 
+                // Force IPv4 loopback binding so Caddy's `127.0.0.1` upstream
+                // (see `caddy.ts#renderProjectBlock`) always matches the
+                // listener. Without this, Nuxt + Nest sometimes bind to
+                // `[::1]` only, and Caddy gets connection-refused on IPv4.
+                HOST: '127.0.0.1', NITRO_HOST: '127.0.0.1', PORT: String(apiInternalPort) }),
             internalPort: apiInternalPort,
         },
         app: {
-            env: Object.assign(Object.assign(Object.assign(Object.assign(Object.assign({}, baseEnv), sharedKeys), (apiUrl ? { NUXT_API_URL: apiUrl, NUXT_PUBLIC_API_URL: apiUrl } : {})), (appUrl ? { NUXT_PUBLIC_SITE_URL: appUrl } : {})), { 
+            env: Object.assign(Object.assign(Object.assign(Object.assign(Object.assign(Object.assign({}, baseEnv), sharedKeys), { 
+                // See API note above: pin the dev server to IPv4 so Caddy's
+                // `127.0.0.1` upstream is unambiguous.
+                HOST: '127.0.0.1', NITRO_HOST: '127.0.0.1' }), (apiUrl ? { API_URL: apiUrl, NUXT_API_URL: apiUrl, NUXT_PUBLIC_API_URL: apiUrl } : {})), (appUrl ? { NUXT_PUBLIC_SITE_URL: appUrl, SITE_URL: appUrl } : {})), { 
                 // Vite-API-Proxy is OFF by default in lt dev mode — Caddy serves
                 // both subdomains under HTTPS with shared cookie domain, so
                 // same-origin trickery is no longer required.

package/build/lib/dev-service.js

@@ -0,0 +1,414 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SERVICE_LABEL = void 0;
+exports.getServicePaths = getServicePaths;
+exports.getServiceStatus = getServiceStatus;
+exports.installService = installService;
+exports.platformSupported = platformSupported;
+exports.renderLaunchAgentPlist = renderLaunchAgentPlist;
+exports.renderSystemdUnit = renderSystemdUnit;
+exports.resolveCaddyBin = resolveCaddyBin;
+exports.setShellRunner = setShellRunner;
+exports.uninstallService = uninstallService;
+exports.waitForServiceReady = waitForServiceReady;
+/**
+ * Service lifecycle for the dedicated `lt-dev` Caddy daemon.
+ *
+ * Why a dedicated service:
+ *   `brew services start caddy` is fragile because the Homebrew plist
+ *   hardcodes `--config /opt/homebrew/etc/Caddyfile` (or the equivalent
+ *   Intel/Linux paths). When lt-dev keeps its Caddyfile at
+ *   `~/.lenneTech/Caddyfile`, Caddy crashes in an endless relaunch
+ *   loop, port 2019 never opens, and `sudo caddy trust` fails with
+ *   "connection refused" — which is what blocked the first real
+ *   install attempt. Owning the service definition removes that
+ *   coupling entirely.
+ *
+ * Platforms:
+ *   - macOS  (Darwin): per-user LaunchAgent under
+ *     `~/Library/LaunchAgents/tech.lenne.lt-dev-caddy.plist`,
+ *     bootstrapped via `launchctl bootstrap gui/<uid> <plist>`.
+ *   - Linux:  systemd-user unit at
+ *     `~/.config/systemd/user/lt-dev-caddy.service`, controlled via
+ *     `systemctl --user`.
+ *   - Anything else (Windows, BSDs without systemd-user): explicitly
+ *     unsupported — the caller surfaces a clear message.
+ *
+ * Tests inject a `ShellRunner` to mock `launchctl` / `systemctl`
+ * without touching the real OS. Render functions stay pure.
+ */
+const child_process_1 = require("child_process");
+const fs_1 = require("fs");
+const os_1 = require("os");
+const path_1 = require("path");
+const caddy_1 = require("./caddy");
+/**
+ * Resolve the user's home directory in a test-overridable way.
+ *
+ * `os.homedir()` on macOS goes through `getpwuid()` and **ignores**
+ * `process.env.HOME`, which makes it impossible to redirect file-system
+ * side effects in tests. Honouring `HOME` first (then falling back to
+ * `homedir()`) keeps real-world behaviour identical while letting tests
+ * scope writes to a temp directory by setting `process.env.HOME` in
+ * `beforeEach`.
+ */
+function userHome() {
+    return process.env.HOME || (0, os_1.homedir)();
+}
+/** Reverse-DNS label for the service. Keep stable — used in launchctl + systemd. */
+exports.SERVICE_LABEL = 'tech.lenne.lt-dev-caddy';
+let activeRunner = defaultShellRunner;
+/** Compute the file-system locations for the service. Pure. */
+function getServicePaths(home = userHome(), plat = platformSupported()) {
+    const logFile = (0, path_1.join)(home, '.lenneTech', 'caddy.log');
+    const errFile = (0, path_1.join)(home, '.lenneTech', 'caddy.err.log');
+    if (plat === 'darwin') {
+        return {
+            errFile,
+            label: exports.SERVICE_LABEL,
+            logFile,
+            platform: 'darwin',
+            unitFile: (0, path_1.join)(home, 'Library', 'LaunchAgents', `${exports.SERVICE_LABEL}.plist`),
+        };
+    }
+    if (plat === 'linux') {
+        return {
+            errFile,
+            label: exports.SERVICE_LABEL,
+            logFile,
+            platform: 'linux',
+            unitFile: (0, path_1.join)(home, '.config', 'systemd', 'user', 'lt-dev-caddy.service'),
+        };
+    }
+    return { errFile, label: exports.SERVICE_LABEL, logFile, platform: 'unsupported', unitFile: '' };
+}
+/** Current service state — installed/loaded/reachable. */
+function getServiceStatus() {
+    return __awaiter(this, void 0, void 0, function* () {
+        const paths = getServicePaths();
+        const installed = paths.platform !== 'unsupported' && (0, fs_1.existsSync)(paths.unitFile);
+        let loaded = false;
+        let pid;
+        if (paths.platform === 'darwin' && installed) {
+            const uid = (0, os_1.userInfo)().uid;
+            const res = yield activeRunner('launchctl', ['print', `gui/${uid}/${paths.label}`]);
+            loaded = res.ok;
+            const pidMatch = res.stdout.match(/pid\s*=\s*(\d+)/);
+            if (pidMatch)
+                pid = Number(pidMatch[1]);
+        }
+        else if (paths.platform === 'linux' && installed) {
+            const res = yield activeRunner('systemctl', ['--user', 'is-active', `${paths.label}.service`]);
+            loaded = res.ok && res.stdout.trim() === 'active';
+            if (loaded) {
+                const pidRes = yield activeRunner('systemctl', ['--user', 'show', `${paths.label}.service`, '-p', 'MainPID']);
+                const m = pidRes.stdout.match(/MainPID=(\d+)/);
+                if (m && m[1] !== '0')
+                    pid = Number(m[1]);
+            }
+        }
+        const daemonReachable = yield pingCaddyAdmin();
+        return { daemonReachable, installed, loaded, pid, platform: paths.platform, unitFile: paths.unitFile };
+    });
+}
+/**
+ * Install (or update) and start the service.
+ *
+ * Idempotent:
+ *   - rewrites the unit file only when its content changes
+ *   - bootstraps the service only when not already loaded
+ *   - on content change: bootout + bootstrap (= reload)
+ */
+function installService() {
+    return __awaiter(this, arguments, void 0, function* (opts = {}) {
+        const plat = platformSupported();
+        if (plat === 'unsupported') {
+            return {
+                bootstrapped: false,
+                created: false,
+                message: 'Service management is only supported on macOS and Linux.',
+                ok: false,
+            };
+        }
+        const caddyBin = opts.caddyBin || (yield resolveCaddyBin());
+        if (!caddyBin) {
+            return {
+                bootstrapped: false,
+                created: false,
+                message: 'caddy not found on PATH. Install with `brew install caddy` (macOS) or your package manager (Linux).',
+                ok: false,
+            };
+        }
+        const paths = getServicePaths();
+        const cfg = {
+            caddyBin,
+            caddyfile: caddy_1.paths.caddyfile,
+            errFile: paths.errFile,
+            homeDir: userHome(),
+            label: paths.label,
+            logFile: paths.logFile,
+        };
+        const desired = plat === 'darwin' ? renderLaunchAgentPlist(cfg) : renderSystemdUnit(cfg);
+        const existed = (0, fs_1.existsSync)(paths.unitFile);
+        const current = existed ? (0, fs_1.readFileSync)(paths.unitFile, 'utf8') : '';
+        const changed = current !== desired;
+        if (changed) {
+            (0, fs_1.mkdirSync)((0, path_1.dirname)(paths.unitFile), { recursive: true });
+            // Make sure log targets exist + are writable BEFORE the daemon
+            // tries to open them — otherwise launchd silently keeps restarting.
+            (0, fs_1.mkdirSync)((0, path_1.dirname)(paths.logFile), { recursive: true });
+            touchFile(paths.logFile);
+            touchFile(paths.errFile);
+            (0, fs_1.writeFileSync)(paths.unitFile, desired, 'utf8');
+        }
+        if (plat === 'darwin')
+            return installDarwin(paths, changed, existed);
+        return installLinux(paths, changed, existed);
+    });
+}
+/** Detect the supported platform. */
+function platformSupported() {
+    const p = (0, os_1.platform)();
+    if (p === 'darwin')
+        return 'darwin';
+    if (p === 'linux')
+        return 'linux';
+    return 'unsupported';
+}
+/**
+ * Render the macOS LaunchAgent plist.
+ *
+ * Critical env keys:
+ *   - HOME:  caddy stores its local CA in `$HOME/Library/Application
+ *            Support/Caddy/` — without HOME caddy falls back to
+ *            launchd's empty default and fails to persist CA state.
+ *   - PATH:  caddy shells out to `security` (Keychain) during
+ *            `caddy trust`; a minimal launchd PATH cannot find it.
+ */
+function renderLaunchAgentPlist(cfg) {
+    const programArgs = [cfg.caddyBin, 'run', '--config', cfg.caddyfile, '--adapter', 'caddyfile'];
+    const programArgsXml = programArgs.map((a) => `        <string>${escapeXml(a)}</string>`).join('\n');
+    const pathValue = '/usr/local/bin:/opt/homebrew/bin:/usr/bin:/bin:/usr/sbin:/sbin';
+    return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>Label</key>
+    <string>${escapeXml(cfg.label)}</string>
+    <key>ProgramArguments</key>
+    <array>
+${programArgsXml}
+    </array>
+    <key>EnvironmentVariables</key>
+    <dict>
+        <key>HOME</key>
+        <string>${escapeXml(cfg.homeDir)}</string>
+        <key>PATH</key>
+        <string>${pathValue}</string>
+    </dict>
+    <key>RunAtLoad</key>
+    <true/>
+    <key>KeepAlive</key>
+    <true/>
+    <key>WorkingDirectory</key>
+    <string>${escapeXml(cfg.homeDir)}</string>
+    <key>StandardOutPath</key>
+    <string>${escapeXml(cfg.logFile)}</string>
+    <key>StandardErrorPath</key>
+    <string>${escapeXml(cfg.errFile)}</string>
+</dict>
+</plist>
+`;
+}
+/** Render the systemd-user unit file. */
+function renderSystemdUnit(cfg) {
+    return `[Unit]
+Description=lt-dev Caddy reverse proxy (HTTPS for *.localhost)
+Documentation=https://github.com/lenneTech/cli
+After=network.target
+
+[Service]
+Type=simple
+Environment=HOME=${cfg.homeDir}
+ExecStart=${cfg.caddyBin} run --config ${cfg.caddyfile} --adapter caddyfile
+Restart=on-failure
+RestartSec=5s
+StandardOutput=append:${cfg.logFile}
+StandardError=append:${cfg.errFile}
+
+[Install]
+WantedBy=default.target
+`;
+}
+/** Resolve the absolute path of `caddy` via `which` so launchd has a guaranteed path. */
+function resolveCaddyBin() {
+    return __awaiter(this, void 0, void 0, function* () {
+        const r = yield activeRunner('which', ['caddy']);
+        if (!r.ok)
+            return undefined;
+        const line = r.stdout.split('\n').find((s) => s.trim().length > 0);
+        return line ? line.trim() : undefined;
+    });
+}
+/** Inject a custom runner (tests). Pass `null` to reset to the real spawner. */
+function setShellRunner(runner) {
+    activeRunner = runner !== null && runner !== void 0 ? runner : defaultShellRunner;
+}
+/** Stop the service and remove the unit file. */
+function uninstallService() {
+    return __awaiter(this, void 0, void 0, function* () {
+        const plat = platformSupported();
+        if (plat === 'unsupported') {
+            return { bootedOut: false, message: 'Nothing to uninstall on this platform.', ok: true, removed: [] };
+        }
+        const paths = getServicePaths();
+        let bootedOut = false;
+        if (plat === 'darwin') {
+            const uid = (0, os_1.userInfo)().uid;
+            const target = `gui/${uid}/${paths.label}`;
+            const printRes = yield activeRunner('launchctl', ['print', target]);
+            if (printRes.ok) {
+                const result = yield activeRunner('launchctl', ['bootout', target]);
+                bootedOut = result.ok;
+                // bootout returns non-zero with "Operation now in progress" on some
+                // macOS versions even when the service is unloaded — tolerate it.
+                if (!result.ok && /no such process|not loaded|service is not loaded/i.test(result.stderr))
+                    bootedOut = true;
+            }
+        }
+        else {
+            yield activeRunner('systemctl', ['--user', 'stop', `${paths.label}.service`]);
+            const dis = yield activeRunner('systemctl', ['--user', 'disable', `${paths.label}.service`]);
+            bootedOut = dis.ok;
+        }
+        const removed = [];
+        if ((0, fs_1.existsSync)(paths.unitFile)) {
+            (0, fs_1.unlinkSync)(paths.unitFile);
+            removed.push(paths.unitFile);
+        }
+        return {
+            bootedOut,
+            message: removed.length > 0 ? `Service uninstalled (${removed.length} file(s) removed).` : 'Service was not installed.',
+            ok: true,
+            removed,
+        };
+    });
+}
+/** Wait until Caddy's admin API responds, or until timeout. Returns true on success. */
+function waitForServiceReady() {
+    return __awaiter(this, arguments, void 0, function* (timeoutMs = 5000) {
+        const start = Date.now();
+        while (Date.now() - start < timeoutMs) {
+            if (yield pingCaddyAdmin())
+                return true;
+            yield sleep(150);
+        }
+        return false;
+    });
+}
+function defaultShellRunner(cmd, args) {
+    return new Promise((resolve) => {
+        var _a, _b;
+        const child = (0, child_process_1.spawn)(cmd, args, { stdio: ['ignore', 'pipe', 'pipe'] });
+        let stdout = '';
+        let stderr = '';
+        let errored = false;
+        (_a = child.stdout) === null || _a === void 0 ? void 0 : _a.on('data', (b) => (stdout += String(b)));
+        (_b = child.stderr) === null || _b === void 0 ? void 0 : _b.on('data', (b) => (stderr += String(b)));
+        child.on('error', () => (errored = true));
+        child.on('close', (code) => {
+            if (errored)
+                resolve({ code: null, ok: false, stderr: stderr || 'command not found', stdout });
+            else
+                resolve({ code, ok: code === 0, stderr, stdout });
+        });
+    });
+}
+function escapeXml(s) {
+    return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+}
+function installDarwin(paths, changed, existed) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const uid = (0, os_1.userInfo)().uid;
+        const target = `gui/${uid}/${paths.label}`;
+        const print = yield activeRunner('launchctl', ['print', target]);
+        const alreadyLoaded = print.ok;
+        if (alreadyLoaded && changed) {
+            // bootout returns "no such process" with a non-zero exit on macOS 14+
+            // even on success; we re-check via `print` to confirm.
+            yield activeRunner('launchctl', ['bootout', target]);
+        }
+        let bootstrapped = alreadyLoaded && !changed;
+        if (!bootstrapped) {
+            const result = yield activeRunner('launchctl', ['bootstrap', `gui/${uid}`, paths.unitFile]);
+            bootstrapped = result.ok;
+            if (!bootstrapped) {
+                return {
+                    bootstrapped: false,
+                    created: changed,
+                    message: `launchctl bootstrap failed: ${result.stderr.trim() || result.stdout.trim() || 'unknown error'}`,
+                    ok: false,
+                };
+            }
+        }
+        return {
+            bootstrapped,
+            created: changed,
+            message: existed && !changed ? 'Service already installed and up to date.' : 'Service installed.',
+            ok: true,
+        };
+    });
+}
+function installLinux(paths, changed, existed) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const reload = yield activeRunner('systemctl', ['--user', 'daemon-reload']);
+        if (!reload.ok) {
+            return {
+                bootstrapped: false,
+                created: changed,
+                message: `systemctl daemon-reload failed: ${reload.stderr.trim() || 'unknown error'}`,
+                ok: false,
+            };
+        }
+        const enableRes = yield activeRunner('systemctl', ['--user', 'enable', '--now', `${paths.label}.service`]);
+        if (!enableRes.ok) {
+            return {
+                bootstrapped: false,
+                created: changed,
+                message: `systemctl --user enable --now failed: ${enableRes.stderr.trim() || 'unknown error'}`,
+                ok: false,
+            };
+        }
+        return {
+            bootstrapped: true,
+            created: changed,
+            message: existed && !changed ? 'Service already installed and up to date.' : 'Service installed.',
+            ok: true,
+        };
+    });
+}
+function pingCaddyAdmin() {
+    return new Promise((resolve) => {
+        const child = (0, child_process_1.spawn)('curl', ['-fsS', '-o', '/dev/null', '--max-time', '1', 'http://127.0.0.1:2019/config/'], {
+            stdio: ['ignore', 'ignore', 'ignore'],
+        });
+        child.on('error', () => resolve(false));
+        child.on('close', (code) => resolve(code === 0));
+    });
+}
+function sleep(ms) {
+    return new Promise((r) => setTimeout(r, ms));
+}
+function touchFile(p) {
+    if (!(0, fs_1.existsSync)(p))
+        (0, fs_1.writeFileSync)(p, '', 'utf8');
+}