@marcusrbrown/infra 0.4.9 → 0.4.11

package/src/commands/gateway/deploy.test.ts

@@ -0,0 +1,297 @@
+import {resolve} from 'node:path'
+import {afterEach, beforeEach, describe, expect, it, spyOn} from 'bun:test'
+
+import {getGatewayDeployEnv, validateGatewayRemotePreconditions} from './deploy'
+
+const cliDir = resolve(import.meta.dir, '../../..')
+
+const envKeys = [
+  'AWS_ACCESS_KEY_ID',
+  'AWS_SECRET_ACCESS_KEY',
+  'AWS_SESSION_TOKEN',
+  'DISCORD_APPLICATION_ID',
+  'DISCORD_GUILD_ID',
+  'DISCORD_TOKEN',
+  'GATEWAY_HOST',
+  'HOME',
+  'OBJECT_STORE_HOSTS',
+  'PATH',
+  'S3_BUCKET',
+  'S3_ENDPOINT',
+  'S3_REGION',
+  'SSH_AUTH_SOCK',
+] as const
+
+type ManagedEnvKey = (typeof envKeys)[number]
+
+let originalEnv: Partial<Record<ManagedEnvKey, string | undefined>>
+
+function restoreManagedEnv(): void {
+  for (const key of envKeys) {
+    const value = originalEnv[key]
+
+    if (value === undefined) {
+      delete process.env[key]
+      continue
+    }
+
+    process.env[key] = value
+  }
+}
+
+function setManagedEnv(overrides: Partial<Record<ManagedEnvKey, string | undefined>>): void {
+  restoreManagedEnv()
+
+  for (const [key, value] of Object.entries(overrides)) {
+    if (value === undefined) {
+      delete process.env[key]
+      continue
+    }
+
+    process.env[key as ManagedEnvKey] = value
+  }
+}
+
+async function runDeployCommand(
+  args: string[],
+  envOverrides: Partial<Record<ManagedEnvKey, string | undefined>> = {},
+): Promise<{stdout: string; stderr: string; exitCode: number}> {
+  const env: Record<string, string> = {}
+
+  for (const [key, value] of Object.entries(process.env)) {
+    if (value !== undefined) {
+      env[key] = value
+    }
+  }
+
+  // Apply overrides: undefined means explicitly unset the key
+  for (const [key, value] of Object.entries(envOverrides)) {
+    if (value === undefined) {
+      delete env[key]
+    } else {
+      env[key] = value
+    }
+  }
+
+  // Apply defaults only for keys not explicitly overridden
+  if (!Object.prototype.hasOwnProperty.call(envOverrides, 'HOME') && !env.HOME) {
+    env.HOME = '/tmp/test-home'
+  }
+
+  if (!Object.prototype.hasOwnProperty.call(envOverrides, 'PATH') && !env.PATH) {
+    env.PATH = '/usr/bin:/bin'
+  }
+
+  if (!Object.prototype.hasOwnProperty.call(envOverrides, 'SSH_AUTH_SOCK') && !env.SSH_AUTH_SOCK) {
+    env.SSH_AUTH_SOCK = '/tmp/test-sock'
+  }
+
+  env.NO_COLOR = '1'
+
+  const proc = Bun.spawn(['bun', 'src/cli.ts', 'gateway', 'deploy', ...args], {
+    cwd: cliDir,
+    env,
+    stdout: 'pipe',
+    stderr: 'pipe',
+  })
+
+  const [stdout, stderr, exitCode] = await Promise.all([
+    new Response(proc.stdout).text(),
+    new Response(proc.stderr).text(),
+    proc.exited,
+  ])
+
+  return {stdout, stderr, exitCode}
+}
+
+describe('gateway deploy', () => {
+  beforeEach(() => {
+    originalEnv = Object.fromEntries(envKeys.map(key => [key, process.env[key]]))
+  })
+
+  afterEach(() => {
+    restoreManagedEnv()
+  })
+
+  describe('getGatewayDeployEnv', () => {
+    it('returns the expected deploy environment when required variables are present', () => {
+      setManagedEnv({
+        GATEWAY_HOST: 'gateway.example.com',
+        HOME: '/tmp/test-home',
+        PATH: '/usr/bin:/bin',
+        SSH_AUTH_SOCK: '/tmp/test-sock',
+      })
+
+      const env = getGatewayDeployEnv()
+
+      expect(env.GATEWAY_HOST).toBe('gateway.example.com')
+      expect(env.HOME).toBe('/tmp/test-home')
+      expect(env.PATH).toBe('/usr/bin:/bin')
+      expect(env.SSH_AUTH_SOCK).toBe('/tmp/test-sock')
+    })
+
+    it('throws when SSH_AUTH_SOCK is missing', () => {
+      setManagedEnv({
+        GATEWAY_HOST: 'gateway.example.com',
+        HOME: '/tmp/test-home',
+        PATH: '/usr/bin:/bin',
+        SSH_AUTH_SOCK: undefined,
+      })
+
+      expect(() => getGatewayDeployEnv()).toThrow('SSH_AUTH_SOCK')
+    })
+
+    it('throws when PATH is missing', () => {
+      setManagedEnv({
+        GATEWAY_HOST: 'gateway.example.com',
+        HOME: '/tmp/test-home',
+        PATH: undefined,
+        SSH_AUTH_SOCK: '/tmp/test-sock',
+      })
+
+      expect(() => getGatewayDeployEnv()).toThrow('PATH')
+    })
+
+    it('passes required gateway env vars to the child process', () => {
+      setManagedEnv({
+        AWS_ACCESS_KEY_ID: 'test-key-id',
+        AWS_SECRET_ACCESS_KEY: 'test-secret',
+        AWS_SESSION_TOKEN: undefined,
+        DISCORD_APPLICATION_ID: 'test-app-id',
+        DISCORD_GUILD_ID: 'test-guild-id',
+        DISCORD_TOKEN: 'test-token',
+        GATEWAY_HOST: 'gateway.example.com',
+        HOME: '/tmp/test-home',
+        OBJECT_STORE_HOSTS: undefined,
+        PATH: '/usr/bin:/bin',
+        S3_BUCKET: 'test-bucket',
+        S3_ENDPOINT: undefined,
+        S3_REGION: 'us-east-1',
+        SSH_AUTH_SOCK: '/tmp/test-sock',
+      })
+
+      const env = getGatewayDeployEnv()
+
+      expect(env.DISCORD_TOKEN).toBe('test-token')
+      expect(env.AWS_ACCESS_KEY_ID).toBe('test-key-id')
+      expect(env.AWS_SECRET_ACCESS_KEY).toBe('test-secret')
+      expect(env.DISCORD_APPLICATION_ID).toBe('test-app-id')
+      expect(env.DISCORD_GUILD_ID).toBe('test-guild-id')
+      expect(env.S3_BUCKET).toBe('test-bucket')
+      expect(env.S3_REGION).toBe('us-east-1')
+      expect(env.GATEWAY_HOST).toBe('gateway.example.com')
+      // Optional vars present (empty string when unset)
+      expect(env.S3_ENDPOINT).toBe('')
+      expect(env.OBJECT_STORE_HOSTS).toBe('')
+      expect(env.AWS_SESSION_TOKEN).toBe('')
+      // Core vars still present
+      expect(env.PATH).toBe('/usr/bin:/bin')
+      expect(env.HOME).toBe('/tmp/test-home')
+      expect(env.SSH_AUTH_SOCK).toBe('/tmp/test-sock')
+    })
+
+    it('forwards S3_ENDPOINT and OBJECT_STORE_HOSTS when present in process.env', () => {
+      setManagedEnv({
+        GATEWAY_HOST: 'gateway.example.com',
+        HOME: '/tmp/test-home',
+        OBJECT_STORE_HOSTS: 'r2.example.com minio.example.com',
+        PATH: '/usr/bin:/bin',
+        S3_ENDPOINT: 'https://r2.example.com',
+        SSH_AUTH_SOCK: '/tmp/test-sock',
+      })
+
+      const env = getGatewayDeployEnv()
+
+      expect(env.S3_ENDPOINT).toBe('https://r2.example.com')
+      expect(env.OBJECT_STORE_HOSTS).toBe('r2.example.com minio.example.com')
+    })
+
+    it('forwards AWS_SESSION_TOKEN when present in process.env', () => {
+      setManagedEnv({
+        AWS_SESSION_TOKEN: 'sts-temporary-token-value',
+        GATEWAY_HOST: 'gateway.example.com',
+        HOME: '/tmp/test-home',
+        PATH: '/usr/bin:/bin',
+        SSH_AUTH_SOCK: '/tmp/test-sock',
+      })
+
+      const env = getGatewayDeployEnv()
+
+      expect(env.AWS_SESSION_TOKEN).toBe('sts-temporary-token-value')
+    })
+  })
+
+  describe('validateGatewayRemotePreconditions', () => {
+    it('throws when gh is not available', () => {
+      const spy = spyOn(Bun, 'which').mockReturnValue(null)
+
+      try {
+        expect(() => validateGatewayRemotePreconditions()).toThrow('gh')
+      } finally {
+        spy.mockRestore()
+      }
+    })
+
+    it('does not throw when gh is available', () => {
+      const spy = spyOn(Bun, 'which').mockReturnValue('/usr/bin/gh')
+
+      try {
+        expect(() => validateGatewayRemotePreconditions()).not.toThrow()
+      } finally {
+        spy.mockRestore()
+      }
+    })
+  })
+
+  describe('--remote (default) dry-run', () => {
+    it('prints planned actions without invoking gh', async () => {
+      const {stdout, exitCode} = await runDeployCommand(['--dry-run'], {
+        HOME: '/tmp/test-home',
+        PATH: process.env.PATH ?? '/usr/bin:/bin',
+        SSH_AUTH_SOCK: '/tmp/test-sock',
+      })
+
+      expect(exitCode).toBe(0)
+      expect(stdout).toContain('Dry run')
+      expect(stdout).toContain('Deploy Gateway')
+    })
+  })
+
+  describe('--local --dry-run', () => {
+    it('prints planned local actions without spawning bun run', async () => {
+      const {stdout, exitCode} = await runDeployCommand(['--local', '--dry-run'], {
+        HOME: '/tmp/test-home',
+        PATH: process.env.PATH ?? '/usr/bin:/bin',
+        SSH_AUTH_SOCK: '/tmp/test-sock',
+      })
+
+      expect(exitCode).toBe(0)
+      expect(stdout).toContain('Dry run')
+      expect(stdout).toContain('local')
+    })
+
+    it('succeeds even when SSH_AUTH_SOCK is unset', async () => {
+      const {stdout, exitCode} = await runDeployCommand(['--local', '--dry-run'], {
+        HOME: '/tmp/test-home',
+        PATH: process.env.PATH ?? '/usr/bin:/bin',
+        SSH_AUTH_SOCK: undefined,
+      })
+
+      expect(exitCode).toBe(0)
+      expect(stdout).toContain('Dry run')
+    })
+  })
+
+  describe('--local --force-recreate --dry-run', () => {
+    it('includes --force-recreate in the planned command', async () => {
+      const {stdout, exitCode} = await runDeployCommand(['--local', '--force-recreate', '--dry-run'], {
+        HOME: '/tmp/test-home',
+        PATH: process.env.PATH ?? '/usr/bin:/bin',
+        SSH_AUTH_SOCK: '/tmp/test-sock',
+      })
+
+      expect(exitCode).toBe(0)
+      expect(stdout).toContain('--force-recreate')
+    })
+  })
+})

package/src/commands/gateway/deploy.ts

@@ -0,0 +1,148 @@
+import type {goke} from 'goke'
+
+import {z} from 'zod'
+
+declare const process: {
+  env: Record<string, string | undefined>
+  exitCode?: number
+}
+
+const REPO = 'marcusrbrown/infra'
+const WORKFLOW_NAME = 'Deploy Gateway'
+const WORKFLOW_URL = 'https://github.com/marcusrbrown/infra/actions/workflows/deploy-gateway.yaml'
+
+type CliInstance = ReturnType<typeof goke>
+
+// ─── Env helpers ─────────────────────────────────────────────────────────────
+
+export function getGatewayDeployEnv(): Record<string, string> {
+  const path = process.env.PATH
+  const home = process.env.HOME
+  const sshAuthSock = process.env.SSH_AUTH_SOCK
+
+  if (!path) {
+    throw new Error('PATH is required for local deploy')
+  }
+
+  if (!home) {
+    throw new Error('HOME is required for local deploy')
+  }
+
+  if (!sshAuthSock) {
+    throw new Error('SSH_AUTH_SOCK is required for local deploy. Start ssh-agent and load your deploy key first.')
+  }
+
+  return {
+    PATH: path,
+    HOME: home,
+    SSH_AUTH_SOCK: sshAuthSock,
+    GATEWAY_HOST: process.env.GATEWAY_HOST ?? '',
+    DISCORD_TOKEN: process.env.DISCORD_TOKEN ?? '',
+    DISCORD_APPLICATION_ID: process.env.DISCORD_APPLICATION_ID ?? '',
+    DISCORD_GUILD_ID: process.env.DISCORD_GUILD_ID ?? '',
+    AWS_ACCESS_KEY_ID: process.env.AWS_ACCESS_KEY_ID ?? '',
+    AWS_SECRET_ACCESS_KEY: process.env.AWS_SECRET_ACCESS_KEY ?? '',
+    AWS_SESSION_TOKEN: process.env.AWS_SESSION_TOKEN ?? '',
+    S3_BUCKET: process.env.S3_BUCKET ?? '',
+    S3_REGION: process.env.S3_REGION ?? '',
+    S3_ENDPOINT: process.env.S3_ENDPOINT ?? '',
+    OBJECT_STORE_HOSTS: process.env.OBJECT_STORE_HOSTS ?? '',
+  }
+}
+
+export function validateGatewayRemotePreconditions(): void {
+  if (!Bun.which('gh')) {
+    throw new Error('gh CLI is required for remote deploy. Install gh and run `gh auth login`.')
+  }
+}
+
+// ─── Command registration ─────────────────────────────────────────────────────
+
+export function registerGatewayDeploy(cli: CliInstance): void {
+  cli
+    .command(
+      'gateway deploy',
+      'Deploy the gateway. Default mode triggers the GitHub Deploy Gateway workflow, while --local runs apps/gateway deploy directly with Bun.',
+    )
+    .option(
+      '--local',
+      z
+        .boolean()
+        .default(false)
+        .describe('Run local deployment with Bun using apps/gateway instead of triggering GitHub Actions.'),
+    )
+    .option(
+      '--dry-run',
+      z
+        .boolean()
+        .default(false)
+        .describe(
+          'Validate deploy prerequisites and print planned actions without executing local deploy or dispatching workflow.',
+        ),
+    )
+    .option(
+      '--force-recreate',
+      z.boolean().default(false).describe('Force recreate containers. Forwarded only in local mode.'),
+    )
+    .example('# Trigger remote GitHub Actions deploy (default mode)')
+    .example('infra gateway deploy')
+    .example('# Validate local deploy preconditions and planned command')
+    .example('infra gateway deploy --local --dry-run')
+    .example('# Run local deploy with explicit SSH agent context')
+    .example('infra gateway deploy --local')
+    .action(async options => {
+      if (options.local) {
+        const command = [
+          'bun',
+          'run',
+          '--cwd',
+          'apps/gateway',
+          'deploy',
+          ...(options.forceRecreate ? ['--force-recreate'] : []),
+        ]
+
+        if (options.dryRun) {
+          console.log('Dry run: local gateway deploy')
+          console.log(`- command: ${command.join(' ')}`)
+          return
+        }
+
+        const env = getGatewayDeployEnv()
+
+        const child = Bun.spawn(command, {
+          env,
+          stdout: 'inherit',
+          stderr: 'inherit',
+        })
+
+        const exitCode = await child.exited
+        if (exitCode !== 0) {
+          throw new Error(`Local deploy failed with exit code ${exitCode}`)
+        }
+
+        return
+      }
+
+      validateGatewayRemotePreconditions()
+
+      if (options.dryRun) {
+        console.log('Dry run: remote gateway deploy')
+        console.log(`- command: gh workflow run "${WORKFLOW_NAME}" --repo ${REPO}`)
+        console.log(`- workflow URL: ${WORKFLOW_URL}`)
+        return
+      }
+
+      const child = Bun.spawn(['gh', 'workflow', 'run', WORKFLOW_NAME, '--repo', REPO], {
+        stdout: 'inherit',
+        stderr: 'inherit',
+      })
+
+      const exitCode = await child.exited
+      if (exitCode !== 0) {
+        throw new Error(`Failed to trigger "${WORKFLOW_NAME}" workflow (exit code ${exitCode})`)
+      }
+
+      console.log(`Workflow triggered: ${WORKFLOW_URL}`)
+      console.log('Approve the gateway environment deployment in GitHub Actions to continue.')
+    })
+}

package/src/commands/gateway/host.test.ts

@@ -0,0 +1,73 @@
+import {describe, expect, it} from 'bun:test'
+
+import {validateGatewayHost} from './host'
+
+// ─── validateGatewayHost ──────────────────────────────────────────────────────
+
+describe('validateGatewayHost', () => {
+  // ── Valid inputs ────────────────────────────────────────────────────────────
+
+  it('accepts a standard FQDN', () => {
+    expect(() => validateGatewayHost('gateway.example.com')).not.toThrow()
+    expect(validateGatewayHost('gateway.example.com')).toBe('gateway.example.com')
+  })
+
+  it('accepts localhost', () => {
+    expect(() => validateGatewayHost('localhost')).not.toThrow()
+  })
+
+  it('accepts an IPv4 address', () => {
+    expect(() => validateGatewayHost('147.182.133.210')).not.toThrow()
+  })
+
+  it('accepts a single-character hostname', () => {
+    expect(() => validateGatewayHost('a')).not.toThrow()
+  })
+
+  it('accepts a hostname with hyphens', () => {
+    expect(() => validateGatewayHost('my-gateway.prod.example.com')).not.toThrow()
+  })
+
+  // ── Injection attacks ───────────────────────────────────────────────────────
+
+  it('rejects a leading-hyphen value (ProxyCommand injection vector)', () => {
+    expect(() => validateGatewayHost('-oProxyCommand=evil')).toThrow('Invalid GATEWAY_HOST')
+  })
+
+  it('rejects a value with shell metacharacters (semicolon)', () => {
+    expect(() => validateGatewayHost('gateway.example.com;rm -rf')).toThrow('Invalid GATEWAY_HOST')
+  })
+
+  it('rejects a value with shell metacharacters (backtick)', () => {
+    expect(() => validateGatewayHost('gateway.example.com`id`')).toThrow('Invalid GATEWAY_HOST')
+  })
+
+  it('rejects a value with spaces', () => {
+    expect(() => validateGatewayHost('gateway example.com')).toThrow('Invalid GATEWAY_HOST')
+  })
+
+  it('rejects a value with an at-sign', () => {
+    expect(() => validateGatewayHost('user@gateway.example.com')).toThrow('Invalid GATEWAY_HOST')
+  })
+
+  // ── Empty / blank ───────────────────────────────────────────────────────────
+
+  it('rejects an empty string', () => {
+    expect(() => validateGatewayHost('')).toThrow('Invalid GATEWAY_HOST')
+  })
+
+  // ── Error message sanitization ──────────────────────────────────────────────
+
+  it('truncates the invalid value in the error message to ~30 chars', () => {
+    const longMalicious = `-oProxyCommand=${'A'.repeat(100)}`
+    let message = ''
+    try {
+      validateGatewayHost(longMalicious)
+    } catch (error) {
+      message = error instanceof Error ? error.message : String(error)
+    }
+    // The excerpt in the message should not exceed 30 chars of the original value
+    expect(message).toContain('Invalid GATEWAY_HOST')
+    expect(message.length).toBeLessThan(longMalicious.length + 50)
+  })
+})

package/src/commands/gateway/host.ts

@@ -0,0 +1,31 @@
+// ─── Gateway host validation ──────────────────────────────────────────────────
+//
+// Validates GATEWAY_HOST values before they are passed as ssh argv arguments.
+// A value starting with `-` would be interpreted by ssh as an option flag,
+// enabling ProxyCommand injection and local code execution.
+
+const VALID_HOST_RE = /^[a-z\d][a-z\d.\-]*$/i
+
+/**
+ * Validates a candidate GATEWAY_HOST value against a strict hostname allowlist.
+ *
+ * Accepts: hostnames, FQDNs, IPv4 addresses, `localhost`.
+ * Rejects: empty strings, values starting with `-`, and anything containing
+ * characters outside `[A-Za-z0-9.-]`.
+ *
+ * @throws {Error} with a sanitized excerpt of the invalid value.
+ * @returns The validated host string (unchanged).
+ */
+export function validateGatewayHost(host: string): string {
+  if (!host) {
+    throw new Error('Invalid GATEWAY_HOST: value is empty')
+  }
+
+  if (!VALID_HOST_RE.test(host)) {
+    // Truncate to 30 chars and strip non-printable bytes before echoing back
+    const excerpt = host.slice(0, 30).replaceAll(/[^\u0020-\u007E]/g, '?')
+    throw new Error(`Invalid GATEWAY_HOST: "${excerpt}" — must match ${String.raw`[A-Za-z0-9][A-Za-z0-9.\-]*`}`)
+  }
+
+  return host
+}

package/src/commands/gateway/index.ts

@@ -0,0 +1,17 @@
+import type {goke} from 'goke'
+
+import {registerGatewayBackup} from './backup'
+import {registerGatewayDeploy} from './deploy'
+import {registerGatewayLogs} from './logs'
+import {registerGatewayRestore} from './restore'
+import {registerGatewayStatus} from './status'
+
+export {getGatewayStatusSummary} from './status'
+
+export function registerGatewayCommands(cli: ReturnType<typeof goke>): void {
+  registerGatewayStatus(cli)
+  registerGatewayDeploy(cli)
+  registerGatewayLogs(cli)
+  registerGatewayBackup(cli)
+  registerGatewayRestore(cli)
+}