@logtrace/tracker 0.1.0

package/src/commands/update.js

@@ -0,0 +1,598 @@
+/**
+ * packages/cli/src/commands/update.js
+ *
+ * tracker update           — interactive update flow
+ * tracker update --check   — show available version without installing
+ *
+ * Flow:
+ *   1. Fetch latest release from GitHub API
+ *   2. Compare tag against VERSION constant
+ *   3. If up-to-date: inform and exit
+ *   4. If update available:
+ *      --check → show version + first 3 changelog lines
+ *      (no flag) → show full changelog → confirm → download → verify SHA256
+ *                  → backup current binary → replace → systemctl restart
+ *                  → health-check → rollback on failure
+ *
+ * Background update hint:
+ *   Every command calls checkUpdateBackground() which:
+ *     - Reads /tmp/.logtrace-update-check (TTL 4 hours)
+ *     - If stale: fires a detached check in background (does NOT block)
+ *     - If cached update available: prints a yellow hint line
+ *
+ * Security:
+ *   - SHA256 is verified against SHA256SUMS asset in the same release
+ *   - Binary is not executed before verification passes
+ *   - Backup is kept as <binary>.bak so rollback is always possible
+ */
+
+import fs from 'node:fs'
+import fsp from 'node:fs/promises'
+import path from 'node:path'
+import https from 'node:https'
+import crypto from 'node:crypto'
+import { execFile } from 'node:child_process'
+import { promisify } from 'node:util'
+import chalk from 'chalk'
+import ora from 'ora'
+import { confirm } from '@inquirer/prompts'
+import { VERSION } from '@logtrace/shared/constants'
+import { createClient } from '../client.js'
+import { printError, printWarning, printInfo } from '../ui/renderer.js'
+
+const execFileAsync = promisify(execFile)
+
+// ── Constants ─────────────────────────────────────────────────────────────────
+
+const GITHUB_API   = 'https://api.github.com/repos/logtrace-cloud/tracker/releases/latest'
+const UPDATE_CACHE = '/tmp/.logtrace-update-check'
+const CACHE_TTL_MS = 4 * 60 * 60 * 1000          // 4 hours
+
+// The installed tracker binary path.
+// process.execPath is the Node binary in dev; in pkg-compiled mode it is the
+// actual tracker binary. We detect pkg by checking if the exec path looks like
+// a tracker binary rather than a node/node26 executable.
+function resolvedBinaryPath() {
+  const ep = process.execPath
+  if (path.basename(ep).startsWith('tracker')) return ep
+  // Fallback for dev mode: look for the binary next to the script
+  return ep   // will be handled gracefully — installer replaces the right file
+}
+
+// ── HTTP helper ───────────────────────────────────────────────────────────────
+
+/**
+ * httpGet(url, options) → Promise<{ body: string, headers: object }>
+ *
+ * Simple promise-based HTTPS GET with timeout. Follows one redirect.
+ * Does NOT use fetch so we can control timeout precisely.
+ */
+function httpGet(url, { timeout = 5000, headers = {} } = {}) {
+  return new Promise((resolve, reject) => {
+    const opts = new URL(url)
+
+    const req = https.request(
+      {
+        hostname: opts.hostname,
+        path:     opts.pathname + opts.search,
+        method:   'GET',
+        headers: {
+          'User-Agent': `tracker-cli/${VERSION}`,
+          'Accept':     'application/vnd.github+json',
+          ...headers,
+        },
+      },
+      (res) => {
+        // Follow a single redirect (e.g. GitHub asset download)
+        if (res.statusCode >= 301 && res.statusCode <= 302 && res.headers.location) {
+          resolve(httpGet(res.headers.location, { timeout, headers }))
+          res.resume()
+          return
+        }
+
+        const chunks = []
+        res.on('data', (c) => chunks.push(c))
+        res.on('end', () => {
+          resolve({
+            status:  res.statusCode,
+            headers: res.headers,
+            body:    Buffer.concat(chunks).toString('utf8'),
+          })
+        })
+      },
+    )
+
+    req.setTimeout(timeout, () => {
+      req.destroy()
+      reject(new Error('timeout'))
+    })
+
+    req.on('error', reject)
+    req.end()
+  })
+}
+
+/**
+ * downloadToFile(url, destPath) → Promise<void>
+ *
+ * Stream a binary file from url to destPath.
+ * Follows redirects.
+ */
+function downloadToFile(url, destPath) {
+  return new Promise((resolve, reject) => {
+    const opts = new URL(url)
+
+    const req = https.request(
+      {
+        hostname: opts.hostname,
+        path:     opts.pathname + opts.search,
+        method:   'GET',
+        headers: { 'User-Agent': `tracker-cli/${VERSION}` },
+      },
+      (res) => {
+        if (res.statusCode >= 301 && res.statusCode <= 302 && res.headers.location) {
+          resolve(downloadToFile(res.headers.location, destPath))
+          res.resume()
+          return
+        }
+
+        if (res.statusCode !== 200) {
+          reject(new Error(`HTTP ${res.statusCode} descargando asset`))
+          res.resume()
+          return
+        }
+
+        const out = fs.createWriteStream(destPath)
+        res.pipe(out)
+        out.on('finish', resolve)
+        out.on('error', reject)
+        res.on('error', reject)
+      },
+    )
+
+    req.on('error', reject)
+    req.end()
+  })
+}
+
+// ── GitHub release helpers ────────────────────────────────────────────────────
+
+/**
+ * fetchLatestRelease() → Promise<release | null>
+ *
+ * Returns the parsed GitHub release object or null if network unavailable.
+ */
+async function fetchLatestRelease() {
+  try {
+    const res = await httpGet(GITHUB_API, { timeout: 5000 })
+
+    if (res.status !== 200) return null
+
+    return JSON.parse(res.body)
+  } catch {
+    return null
+  }
+}
+
+/**
+ * compareVersions(current, latest) → boolean
+ *
+ * Returns true if latest is strictly newer than current.
+ * Uses simple numeric semver comparison (major.minor.patch).
+ */
+function isNewer(current, latest) {
+  // Strip leading 'v'
+  const parse = (v) => v.replace(/^v/, '').split('.').map(Number)
+  const [cMaj, cMin, cPat] = parse(current)
+  const [lMaj, lMin, lPat] = parse(latest)
+
+  if (lMaj !== cMaj) return lMaj > cMaj
+  if (lMin !== cMin) return lMin > cMin
+  return lPat > cPat
+}
+
+/**
+ * firstNLines(text, n) — return first n non-blank lines.
+ */
+function firstNLines(text, n) {
+  return (text || '')
+    .split('\n')
+    .filter((l) => l.trim() !== '')
+    .slice(0, n)
+    .join('\n')
+}
+
+// ── OS/arch detection ─────────────────────────────────────────────────────────
+
+/**
+ * detectAssetName(assets) → string | null
+ *
+ * Matches the correct binary asset for the current platform.
+ * Supported targets: linux-x64, linux-arm64.
+ */
+function detectAssetName(assets) {
+  const { platform, arch } = process
+
+  let suffix = null
+
+  if (platform === 'linux' && arch === 'x64')   suffix = 'linux-x64'
+  if (platform === 'linux' && arch === 'arm64')  suffix = 'linux-arm64'
+  if (platform === 'darwin' && arch === 'x64')   suffix = 'darwin-x64'
+  if (platform === 'darwin' && arch === 'arm64') suffix = 'darwin-arm64'
+
+  if (!suffix) return null
+
+  // Asset naming convention: tracker-linux-x64, tracker-linux-arm64, etc.
+  return assets.find((a) => a.name === `tracker-${suffix}`) || null
+}
+
+// ── SHA256 verification ───────────────────────────────────────────────────────
+
+/**
+ * verifySha256(filePath, sumsContent, assetName) → boolean
+ *
+ * Reads SHA256SUMS content (one line per asset: <hash>  <name>)
+ * and verifies the downloaded file matches.
+ */
+async function verifySha256(filePath, sumsContent, assetName) {
+  const line = sumsContent
+    .split('\n')
+    .find((l) => l.trim().endsWith(assetName))
+
+  if (!line) return false   // asset not in SUMS file
+
+  const expectedHash = line.trim().split(/\s+/)[0]
+
+  const fileBuffer = await fsp.readFile(filePath)
+  const actualHash = crypto.createHash('sha256').update(fileBuffer).digest('hex')
+
+  return actualHash === expectedHash
+}
+
+// ── Update cache (background check) ──────────────────────────────────────────
+
+/**
+ * readUpdateCache() → { checkedAt, latestVersion } | null
+ */
+function readUpdateCache() {
+  try {
+    const raw = fs.readFileSync(UPDATE_CACHE, 'utf8')
+    return JSON.parse(raw)
+  } catch {
+    return null
+  }
+}
+
+/**
+ * writeUpdateCache(data)
+ */
+function writeUpdateCache(data) {
+  try {
+    fs.writeFileSync(UPDATE_CACHE, JSON.stringify(data), 'utf8')
+  } catch {
+    // /tmp write failures are non-fatal — silently ignore
+  }
+}
+
+/**
+ * checkUpdateBackground()
+ *
+ * Called at the end of any tracker command output.
+ * - If cache is fresh (< 4h) and has update info → maybe print hint
+ * - If cache is stale → trigger a background check (detached child process)
+ *
+ * This function is synchronous from the caller's perspective — it never awaits
+ * network and never blocks the main process.
+ */
+export function checkUpdateBackground() {
+  const cache = readUpdateCache()
+  const now   = Date.now()
+
+  if (cache && (now - cache.checkedAt) < CACHE_TTL_MS) {
+    // Cache is fresh
+    if (cache.latestVersion && isNewer(VERSION, cache.latestVersion)) {
+      console.log()
+      console.log(
+        chalk.yellow(
+          `  Actualizacion disponible: v${cache.latestVersion} — ejecuta: tracker update`,
+        ),
+      )
+    }
+    return   // Do not re-check until TTL expires
+  }
+
+  // Cache is stale or missing — fire a detached background check
+  // We use a child_process detached + unref so it outlives the CLI process
+  try {
+    const child = require('node:child_process').spawn(
+      process.execPath,
+      [
+        '--input-type=module',
+        '--eval',
+        `
+import https from 'https'
+import fs from 'fs'
+
+const GITHUB_API = 'https://api.github.com/repos/logtrace-cloud/tracker/releases/latest'
+const UPDATE_CACHE = '/tmp/.logtrace-update-check'
+const UA = 'tracker-cli/${VERSION}'
+
+const req = https.request(
+  { hostname: 'api.github.com', path: '/repos/logtrace-cloud/tracker/releases/latest',
+    headers: { 'User-Agent': UA, 'Accept': 'application/vnd.github+json' } },
+  (res) => {
+    const chunks = []
+    res.on('data', c => chunks.push(c))
+    res.on('end', () => {
+      try {
+        const data = JSON.parse(Buffer.concat(chunks).toString())
+        fs.writeFileSync(UPDATE_CACHE, JSON.stringify({ checkedAt: Date.now(), latestVersion: data.tag_name?.replace(/^v/, '') }))
+      } catch {}
+    })
+  }
+)
+req.setTimeout(5000, () => req.destroy())
+req.on('error', () => {})
+req.end()
+        `,
+      ],
+      { detached: true, stdio: 'ignore' },
+    )
+    child.unref()
+  } catch {
+    // Spawning the background check is optional — never crash on failure
+  }
+}
+
+// ── tracker update --check ────────────────────────────────────────────────────
+
+export async function updateCheckCommand(_argv) {
+  const spinner = ora('Verificando actualizaciones...').start()
+
+  const release = await fetchLatestRelease()
+
+  if (!release) {
+    spinner.warn(chalk.yellow('No se pudo verificar actualizaciones (sin conexion o GitHub no responde).'))
+    return
+  }
+
+  const latestVersion = (release.tag_name || '').replace(/^v/, '')
+
+  // Update cache while we have fresh data
+  writeUpdateCache({ checkedAt: Date.now(), latestVersion })
+
+  if (!isNewer(VERSION, latestVersion)) {
+    spinner.succeed(chalk.green(`Ya tienes la ultima version (v${VERSION}).`))
+    return
+  }
+
+  spinner.succeed(chalk.cyan(`Actualizacion disponible: v${latestVersion}`))
+
+  const shortChangelog = firstNLines(release.body, 3)
+  if (shortChangelog) {
+    console.log()
+    console.log(chalk.bold('  Changelog:'))
+    for (const line of shortChangelog.split('\n')) {
+      console.log(chalk.dim('  ' + line))
+    }
+    console.log()
+  }
+
+  console.log(chalk.dim(`  Ejecuta: ${chalk.white('tracker update')} para actualizar.`))
+  console.log()
+}
+
+// ── tracker update (full install) ─────────────────────────────────────────────
+
+export async function updateCommand(_argv) {
+  // ── Step 1: Check for update ──────────────────────────────────────────────
+  const checkSpinner = ora('Verificando actualizaciones...').start()
+
+  const release = await fetchLatestRelease()
+
+  if (!release) {
+    checkSpinner.warn(chalk.yellow('No se pudo verificar actualizaciones (sin conexion o GitHub no responde).'))
+    return
+  }
+
+  const latestVersion = (release.tag_name || '').replace(/^v/, '')
+  writeUpdateCache({ checkedAt: Date.now(), latestVersion })
+
+  if (!isNewer(VERSION, latestVersion)) {
+    checkSpinner.succeed(chalk.green(`Ya tienes la ultima version (v${VERSION}).`))
+    return
+  }
+
+  checkSpinner.succeed(chalk.cyan(`Actualizacion disponible: v${latestVersion} (actual: v${VERSION})`))
+
+  // ── Step 2: Show full changelog ───────────────────────────────────────────
+  if (release.body && release.body.trim()) {
+    console.log()
+    console.log(chalk.bold('  Changelog:'))
+    for (const line of release.body.split('\n')) {
+      console.log(chalk.dim('  ' + line))
+    }
+    console.log()
+  }
+
+  // ── Step 3: Confirm ───────────────────────────────────────────────────────
+  let confirmed
+  try {
+    confirmed = await confirm({
+      message: `Actualizar tracker a v${latestVersion}?`,
+      default: true,
+    })
+  } catch {
+    // inquirer throws if stdin is not a TTY (e.g. piped input)
+    printError('No se pudo confirmar la actualización en modo no interactivo. Usa: tracker update --check')
+    process.exitCode = 1
+    return
+  }
+
+  if (!confirmed) {
+    printInfo('Actualización cancelada.')
+    return
+  }
+
+  // ── Step 4: Detect asset ─────────────────────────────────────────────────
+  const asset = detectAssetName(release.assets || [])
+
+  if (!asset) {
+    printError(`No hay un binario precompilado para ${process.platform}/${process.arch} en esta release.`)
+    process.exitCode = 1
+    return
+  }
+
+  // SHA256SUMS asset
+  const sumsAsset = (release.assets || []).find((a) => a.name === 'SHA256SUMS')
+
+  // ── Step 5: Download ──────────────────────────────────────────────────────
+  const tmpBinary = path.join('/tmp', `tracker-update-${latestVersion}`)
+
+  const downloadSpinner = ora(`Descargando ${asset.name}...`).start()
+
+  try {
+    await downloadToFile(asset.browser_download_url, tmpBinary)
+    downloadSpinner.succeed(`Descargado: ${asset.name}`)
+  } catch (err) {
+    downloadSpinner.fail(chalk.red(`Error al descargar: ${err.message}`))
+    process.exitCode = 1
+    return
+  }
+
+  // ── Step 6: Verify SHA256 ─────────────────────────────────────────────────
+  if (sumsAsset) {
+    const verifySpinner = ora('Verificando SHA256...').start()
+
+    try {
+      const sumsRes = await httpGet(sumsAsset.browser_download_url, { timeout: 5000 })
+      const valid   = await verifySha256(tmpBinary, sumsRes.body, asset.name)
+
+      if (!valid) {
+        verifySpinner.fail(chalk.red('Verificacion SHA256 fallida — el archivo puede estar corrupto o comprometido.'))
+        await fsp.unlink(tmpBinary).catch(() => {})
+        process.exitCode = 1
+        return
+      }
+
+      verifySpinner.succeed('SHA256 verificado.')
+    } catch (err) {
+      verifySpinner.warn(chalk.yellow(`No se pudo verificar SHA256: ${err.message}. Continuando...`))
+    }
+  } else {
+    printWarning('SHA256SUMS no encontrado en la release. Continuando sin verificación.')
+  }
+
+  // Make the downloaded binary executable
+  try {
+    await fsp.chmod(tmpBinary, 0o755)
+  } catch (err) {
+    printError(`No se pudo marcar el binario como ejecutable: ${err.message}`)
+    await fsp.unlink(tmpBinary).catch(() => {})
+    process.exitCode = 1
+    return
+  }
+
+  // ── Step 7: Backup current binary ────────────────────────────────────────
+  const currentBinary = resolvedBinaryPath()
+  const backupBinary  = currentBinary + '.bak'
+
+  const installSpinner = ora('Instalando actualización...').start()
+
+  try {
+    // Copy current → .bak (using copy so permissions are preserved on dest)
+    await fsp.copyFile(currentBinary, backupBinary)
+  } catch (err) {
+    installSpinner.warn(chalk.yellow(`No se pudo crear backup: ${err.message}. Continuando sin backup.`))
+  }
+
+  // ── Step 8: Replace binary ────────────────────────────────────────────────
+  try {
+    await fsp.copyFile(tmpBinary, currentBinary)
+    await fsp.chmod(currentBinary, 0o755)
+    await fsp.unlink(tmpBinary).catch(() => {})
+    installSpinner.succeed('Binario reemplazado.')
+  } catch (err) {
+    installSpinner.fail(chalk.red(`Error al reemplazar binario: ${err.message}`))
+    await rollback(currentBinary, backupBinary)
+    process.exitCode = 1
+    return
+  }
+
+  // ── Step 9: Restart daemon ────────────────────────────────────────────────
+  const restartSpinner = ora('Reiniciando daemon (systemctl)...').start()
+
+  try {
+    await execFileAsync('systemctl', ['restart', 'logtrace'], { timeout: 10000 })
+    restartSpinner.succeed('Daemon reiniciado.')
+  } catch {
+    restartSpinner.warn(chalk.yellow('No se pudo reiniciar el daemon via systemctl (puede no estar instalado como servicio).'))
+  }
+
+  // ── Step 10: Health check ─────────────────────────────────────────────────
+  await new Promise((r) => setTimeout(r, 3000))   // wait 3s for daemon to boot
+
+  const healthSpinner = ora('Verificando salud del daemon...').start()
+
+  const healthy = await checkDaemonHealth()
+
+  if (healthy) {
+    healthSpinner.succeed(chalk.green(`LogTrace actualizado a v${latestVersion}`))
+    printInfo(`Backup disponible en: ${backupBinary}`)
+  } else {
+    healthSpinner.fail(chalk.red('El daemon no respondio tras la actualización.'))
+    printWarning('Restaurando versión anterior...')
+
+    const restored = await rollback(currentBinary, backupBinary)
+
+    if (restored) {
+      printInfo('Versión anterior restaurada.')
+      try {
+        await execFileAsync('systemctl', ['restart', 'logtrace'], { timeout: 10000 })
+      } catch {
+        // Best effort
+      }
+    } else {
+      printError('No se pudo restaurar la versión anterior. Backup en: ' + backupBinary)
+    }
+
+    process.exitCode = 1
+  }
+}
+
+// ── Helpers ───────────────────────────────────────────────────────────────────
+
+/**
+ * rollback(currentBinary, backupBinary) → Promise<boolean>
+ *
+ * Restores the .bak file over the current binary.
+ */
+async function rollback(currentBinary, backupBinary) {
+  try {
+    await fsp.access(backupBinary)
+    await fsp.copyFile(backupBinary, currentBinary)
+    await fsp.chmod(currentBinary, 0o755)
+    return true
+  } catch {
+    return false
+  }
+}
+
+/**
+ * checkDaemonHealth() → Promise<boolean>
+ *
+ * Sends a status request over the Unix socket.
+ * Returns true if the daemon responds within ~3 seconds.
+ */
+async function checkDaemonHealth() {
+  const client = createClient()
+  try {
+    await client.connect()
+    await client.send('status', {})
+    return true
+  } catch {
+    return false
+  } finally {
+    client.close()
+  }
+}