@marcusrbrown/infra 0.8.0 → 0.9.0

package/src/commands/cliproxy/setup.ts

@@ -90,6 +90,8 @@ export interface RunSetupDeps {
     intro: typeof intro
     note: typeof note
     outro: typeof outro
+    promptForProviders?: typeof promptForProviders
+    promptForModel?: typeof promptForModel
   }
   smoke?: {
     runSmokeTest: typeof runSmokeTest
@@ -105,13 +107,121 @@ function resolveBaseUrl(input?: string): string {
   return stripTrailingSlash(input ?? process.env.CLIPROXY_URL ?? DEFAULT_CLIPROXY_URL)
 }
 
+/**
+ * Emit a warning without ever throwing. Used inside verifyWrittenNamesVisible so that a
+ * failure in warning emission itself cannot escape to the outer write catch and wrongly
+ * roll back a key whose secrets are already written.
+ */
+function safeWarn(message: string): void {
+  try {
+    log.warn(message)
+  } catch {
+    // Warning emission must never escape the post-write readback — a throw here would
+    // reach the outer write catch and wrongly roll back a key whose secrets are written.
+  }
+}
+
+function buildCannotVerifyMessage(repo: string, writtenSecretNames: string[], writtenVariableNames: string[]): string {
+  const secretPart =
+    writtenSecretNames.length > 0
+      ? `gh secret list --repo ${repo} (expect: ${writtenSecretNames.join(', ')})`
+      : `gh secret list --repo ${repo}`
+  const variablePart =
+    writtenVariableNames.length > 0
+      ? `gh variable list --repo ${repo} (expect: ${writtenVariableNames.join(', ')})`
+      : `gh variable list --repo ${repo}`
+  return (
+    `Post-write readback: could not verify the written names are visible in ${repo} ` +
+    `(the GitHub list call failed). Verify manually: ${secretPart}; ${variablePart}.`
+  )
+}
+
+/**
+ * After a successful write, re-list secret and variable names and warn if any written name
+ * is absent on readback — signaling an unreliable token list view that may have bypassed
+ * the pre-write safety gates.
+ *
+ * Distinguishes:
+ * - Verified mismatch: readback succeeded but a written name is absent (strong signal).
+ * - Cannot verify: the readback gh call itself failed (weaker signal).
+ *
+ * NEVER throws. The entire body is wrapped in a single try/catch so any failure — including
+ * errors during diff computation or warning emission — degrades to the cannot-verify warning.
+ * A throw here would propagate to the mutationError rollback and wrongly delete a key whose
+ * secrets are already written.
+ */
+async function verifyWrittenNamesVisible(
+  repo: string,
+  writtenSecretNames: string[],
+  writtenVariableNames: string[],
+  listExistingGhNames: typeof import('./setup/gh').listExistingGhNames,
+): Promise<void> {
+  try {
+    let secretReadback: string[]
+    let variableReadback: string[]
+    let readbackFailed = false
+
+    try {
+      secretReadback = await listExistingGhNames(repo, 'secret')
+    } catch {
+      readbackFailed = true
+      secretReadback = []
+    }
+
+    if (readbackFailed) {
+      variableReadback = []
+    } else {
+      try {
+        variableReadback = await listExistingGhNames(repo, 'variable')
+      } catch {
+        readbackFailed = true
+        variableReadback = []
+      }
+    }
+
+    if (readbackFailed) {
+      safeWarn(buildCannotVerifyMessage(repo, writtenSecretNames, writtenVariableNames))
+      return
+    }
+
+    const absentSecrets = writtenSecretNames.filter(name => !secretReadback.includes(name))
+    const absentVariables = writtenVariableNames.filter(name => !variableReadback.includes(name))
+
+    if (absentSecrets.length === 0 && absentVariables.length === 0) {
+      // Happy path: all written names are visible. Emit nothing.
+      return
+    }
+
+    const lines: string[] = [
+      `Post-write readback: the following written names are not visible in ${repo} — ` +
+        `the token's list view may be unreliable and the pre-write safety gates may have been bypassed.`,
+    ]
+
+    if (absentSecrets.length > 0) {
+      lines.push(`  Absent secrets: ${absentSecrets.join(', ')}`)
+      lines.push(`  Verify manually: gh secret list --repo ${repo}`)
+    }
+
+    if (absentVariables.length > 0) {
+      lines.push(`  Absent variables: ${absentVariables.join(', ')}`)
+      lines.push(`  Verify manually: gh variable list --repo ${repo}`)
+    }
+
+    safeWarn(lines.join('\n'))
+  } catch {
+    // Any failure in the entire verification block (readback, diff, or warning emission)
+    // degrades to this softer cannot-verify warning. Never re-throw.
+    safeWarn(buildCannotVerifyMessage(repo, writtenSecretNames, writtenVariableNames))
+  }
+}
+
 function extractErrorMessage(error: unknown): string {
   return error instanceof Error ? error.message : String(error)
 }
 
 // Redact a bearer token for display in interactive prompts — never show raw key values.
 // Exported for direct unit testing of the redaction contract. The redacted form is
-// what gets shown in the interactive R8 prompt; the raw key must never reach the prompt UI.
+// what gets shown in the interactive key-reuse prompt; the raw key must never reach the prompt UI.
 export function redactKey(key: string): string {
   if (key.length < 12) return 'sk-***'
   return `${key.slice(0, 3)}***${key.slice(-4)}`
@@ -172,8 +282,10 @@ async function buildInteractivePlan(
   let model: string | undefined
 
   if (harness === 'opencode') {
-    providers = await promptForProviders()
-    model = await promptForModel(providers)
+    const doPromptForProviders = promptsImpl.promptForProviders ?? promptForProviders
+    const doPromptForModel = promptsImpl.promptForModel ?? promptForModel
+    providers = await doPromptForProviders()
+    model = await doPromptForModel(providers)
   }
 
   const keyValue = options.key ?? buildApiKeyValue(keyName ?? 'cliproxy')
@@ -271,6 +383,8 @@ const realPrompts: Required<RunSetupDeps>['prompts'] = {
   intro,
   note,
   outro,
+  promptForProviders,
+  promptForModel,
 }
 
 const realSmoke: Required<RunSetupDeps>['smoke'] = {
@@ -437,7 +551,10 @@ export async function runSetupCommand(options: SetupOptions, deps: RunSetupDeps
       }
 
       if (!interactive && options.force) {
-        log.warn(`Overwriting existing GitHub values: ${collisions.join(', ')}`)
+        log.warn(
+          `Overwriting existing GitHub values: ${collisions.join(', ')}. ` +
+            `Concurrent setup runs against the same repo are not coordinated and resolve last-write-wins — don't run setup against this repo from two places at once.`,
+        )
         // proceed
       }
 
@@ -486,6 +603,13 @@ export async function runSetupCommand(options: SetupOptions, deps: RunSetupDeps
         interactive,
       )
 
+      await verifyWrittenNamesVisible(
+        plan.repo,
+        plan.template.secrets.map(s => s.name),
+        plan.template.variables.map(v => v.name),
+        gh.listExistingGhNames,
+      )
+
       await withSpinner('Verifying the new key through the proxy', async () => {
         await validation.assertProxyKeyWorks(baseUrl, plan.keyValue)
       })

package/src/commands/mcp.test.ts

@@ -37,6 +37,7 @@ import {registerGatewayCommands} from './gateway'
 import {registerKeewebCommands} from './keeweb'
 import {MCP_ALLOWLIST, registerMcp} from './mcp'
 import {registerStatus} from './status'
+import {registerUmamiCommands} from './umami'
 
 // ─── Tool name constants ──────────────────────────────────────────────────────
 
@@ -54,6 +55,8 @@ const CLI_ONLY_TOOLS = [
   'gateway_restore',
   'keeweb_deploy',
   'keeweb_open',
+  'umami_deploy',
+  'umami_logs',
 ].sort()
 
 // ─── Helpers ──────────────────────────────────────────────────────────────────
@@ -64,6 +67,7 @@ function buildTestCli(): ReturnType<typeof goke> {
   registerKeewebCommands(cli)
   registerCliproxyCommands(cli)
   registerGatewayCommands(cli)
+  registerUmamiCommands(cli)
   registerStatus(cli)
   registerMcp(cli)
   return cli
@@ -105,7 +109,7 @@ describe('mcp integration (Tier-1, in-process)', () => {
 
   // ── tools/list assertions ──────────────────────────────────────────────────
 
-  test('tools/list returns exactly the 10 allowlist tool names', async () => {
+  test('tools/list returns exactly the allowlist tool names', async () => {
     const result = await client.listTools()
     const names = result.tools.map((t: {name: string}) => t.name).sort()
     expect(names).toEqual(EXPECTED_TOOLS)

package/src/commands/mcp.ts

@@ -13,6 +13,8 @@ import {createMcpAction} from '@goke/mcp'
  * - `cliproxy setup`   — interactive (@clack/prompts wizard, requires TTY)
  * - `gateway restore`  — destructive policy (replaces mitmproxy CA on live gateway, deferred to MCP v2 #292)
  * - `keeweb open`      — host-machine side effect (spawns local browser, requires user intent)
+ * - `umami deploy`     — intentionally CLI-only: mutates live deployment and requires environment approval
+ * - `umami logs`       — intentionally CLI-only: streams logs that may emit sensitive data (DB passwords, app secrets)
  */
 export const MCP_ALLOWLIST: ReadonlySet<string> = new Set([
   'gateway status',
@@ -24,6 +26,7 @@ export const MCP_ALLOWLIST: ReadonlySet<string> = new Set([
   'cliproxy config get',
   'cliproxy config set',
   'keeweb status',
+  'umami status',
   'status',
 ])
 

package/src/commands/status.test.ts

@@ -31,11 +31,21 @@ const healthyGateway: StatusSummary = {
   usageStats: '—',
 }
 
+const healthyUmami: StatusSummary = {
+  app: 'umami',
+  http: 'OK: umami:running/healthy',
+  lastDeploy: '—',
+  version: '—',
+  contentHash: '—',
+  usageStats: '—',
+}
+
 function makeDeps(overrides?: Partial<Parameters<typeof registerStatus>[1]>): Parameters<typeof registerStatus>[1] {
   return {
     getKeewebStatusSummary: async () => healthyKeeweb,
     getCliproxyStatusSummary: async () => healthyCliproxy,
     getGatewayStatusSummary: async () => healthyGateway,
+    getUmamiStatusSummary: async () => healthyUmami,
     ...overrides,
   }
 }
@@ -52,6 +62,30 @@ describe('top-level status command (Tier-2 ctx capture)', () => {
     expect(expectCapturedToInclude(captured, '| keeweb | OK | 2026-04-12 10:00 | — | match | — |')).toBe(true)
     expect(expectCapturedToInclude(captured, '| cliproxy | OK | — | v1.2.3 | — | 12 req / 0 fail |')).toBe(true)
     expect(expectCapturedToInclude(captured, '| gateway | OK: gateway:running/healthy | — | — | — | — |')).toBe(true)
+    expect(expectCapturedToInclude(captured, '| umami | OK: umami:running/healthy | — | — | — | — |')).toBe(true)
+  })
+
+  it('shows an error row when umami is unreachable and keeps the other results', async () => {
+    const {ctx, captured} = createCapturedCtx()
+
+    await unifiedStatusAction(
+      {},
+      ctx,
+      makeDeps({
+        getUmamiStatusSummary: async () => {
+          throw new Error('UMAMI_DOMAIN not set')
+        },
+      }),
+    )
+
+    expect(
+      expectCapturedToInclude(
+        captured,
+        '| umami | ❌ UMAMI_DOMAIN not set | ❌ UMAMI_DOMAIN not set | ❌ UMAMI_DOMAIN not set | ❌ UMAMI_DOMAIN not set | ❌ UMAMI_DOMAIN not set |',
+      ),
+    ).toBe(true)
+    expect(expectCapturedToInclude(captured, '| gateway | OK: gateway:running/healthy | — | — | — | — |')).toBe(true)
+    expect(captured.stderr.join('')).toContain('umami status check failed: UMAMI_DOMAIN not set')
   })
 
   it('shows an error row when one app fails and keeps the other results', async () => {
@@ -92,11 +126,13 @@ describe('top-level status command (Tier-2 ctx capture)', () => {
       keeweb: {http: string}
       cliproxy: {version: string}
       gateway: {http: string}
+      umami: {http: string}
     }
 
     expect(parsed.keeweb.http).toBe('OK')
     expect(parsed.cliproxy.version).toBe('v1.2.3')
     expect(parsed.gateway.http).toBe('OK: gateway:running/healthy')
+    expect(parsed.umami.http).toBe('OK: umami:running/healthy')
   })
 
   it('does not write to global console (output is captured via ctx)', async () => {

package/src/commands/status.ts

@@ -7,13 +7,14 @@ import {z} from 'zod'
 import {getCliproxyStatusSummary} from './cliproxy/status'
 import {getGatewayStatusSummary} from './gateway'
 import {getKeewebStatusSummary} from './keeweb/status'
+import {getUmamiStatusSummary} from './umami'
 
 declare const process: {
   env: Record<string, string | undefined>
 }
 
 export interface StatusSummary {
-  app: 'keeweb' | 'cliproxy' | 'gateway'
+  app: 'keeweb' | 'cliproxy' | 'gateway' | 'umami'
   http: string
   lastDeploy: string
   version: string
@@ -27,6 +28,7 @@ interface StatusDependencies {
   getKeewebStatusSummary: (verbose: boolean) => Promise<StatusSummary>
   getCliproxyStatusSummary: (baseUrl: string, key: string, verbose: boolean) => Promise<StatusSummary>
   getGatewayStatusSummary: (host: string) => Promise<StatusSummary>
+  getUmamiStatusSummary: (host: string) => Promise<StatusSummary>
 }
 
 const DEFAULT_CLIPROXY_URL = 'https://cliproxy.fro.bot'
@@ -63,6 +65,7 @@ function toJsonPayload(rows: StatusSummary[]): Record<AppName, StatusSummary> {
     keeweb: rows.find(row => row.app === 'keeweb') ?? errorSummary('keeweb', 'missing result'),
     cliproxy: rows.find(row => row.app === 'cliproxy') ?? errorSummary('cliproxy', 'missing result'),
     gateway: rows.find(row => row.app === 'gateway') ?? errorSummary('gateway', 'missing result'),
+    umami: rows.find(row => row.app === 'umami') ?? errorSummary('umami', 'missing result'),
   }
 }
 
@@ -78,20 +81,23 @@ export async function unifiedStatusAction(
     getKeewebStatusSummary,
     getCliproxyStatusSummary,
     getGatewayStatusSummary,
+    getUmamiStatusSummary,
   },
 ): Promise<void> {
   const verbose = options.verbose === true
   const cliproxyBaseUrl = stripTrailingSlash(process.env.CLIPROXY_URL ?? DEFAULT_CLIPROXY_URL)
   const cliproxyKey = process.env.CLIPROXY_MANAGEMENT_KEY ?? ''
   const gatewayHost = process.env.GATEWAY_HOST ?? ''
+  const umamiHost = process.env.UMAMI_DOMAIN ?? ''
 
   const results = await Promise.allSettled([
     dependencies.getKeewebStatusSummary(verbose),
     dependencies.getCliproxyStatusSummary(cliproxyBaseUrl, cliproxyKey, verbose),
     dependencies.getGatewayStatusSummary(gatewayHost),
+    dependencies.getUmamiStatusSummary(umamiHost),
   ])
 
-  const appNames: AppName[] = ['keeweb', 'cliproxy', 'gateway']
+  const appNames: AppName[] = ['keeweb', 'cliproxy', 'gateway', 'umami']
   const rows: StatusSummary[] = results.map((result, index) => {
     const app = appNames[index] ?? 'keeweb'
     if (result.status === 'fulfilled') {
@@ -120,13 +126,14 @@ export function registerStatus(
     getKeewebStatusSummary,
     getCliproxyStatusSummary,
     getGatewayStatusSummary,
+    getUmamiStatusSummary,
   },
 ): void {
   cli
     .command('status', 'Show status of all deployments')
     .option(
       '--json',
-      z.boolean().describe('Output machine-readable JSON with keeweb, cliproxy, and gateway summary objects.'),
+      z.boolean().describe('Output machine-readable JSON with keeweb, cliproxy, gateway, and umami summary objects.'),
     )
     .option(
       '--verbose',

package/src/commands/umami/deploy.test.ts

@@ -0,0 +1,202 @@
+import {resolve} from 'node:path'
+import {afterEach, beforeEach, describe, expect, it} from 'bun:test'
+
+import {getUmamiDeployEnv, validateUmamiRemotePreconditions} from './deploy'
+
+const repoRoot = resolve(import.meta.dir, '../../../../..')
+
+const envKeys = [
+  'HOME',
+  'PATH',
+  'SSH_AUTH_SOCK',
+  'UMAMI_DOMAIN',
+  'UMAMI_APP_SECRET',
+  'UMAMI_DB_PASSWORD',
+  'UMAMI_ADMIN_PASSWORD',
+  'UMAMI_SSH_KEY',
+] as const
+
+type ManagedEnvKey = (typeof envKeys)[number]
+
+let originalEnv: Partial<Record<ManagedEnvKey, string | undefined>>
+
+function restoreManagedEnv(): void {
+  for (const key of envKeys) {
+    const value = originalEnv[key]
+    if (value === undefined) {
+      delete process.env[key]
+    } else {
+      process.env[key] = value
+    }
+  }
+}
+
+function setManagedEnv(overrides: Partial<Record<ManagedEnvKey, string | undefined>>): void {
+  restoreManagedEnv()
+  for (const [key, value] of Object.entries(overrides)) {
+    if (value === undefined) {
+      delete process.env[key as ManagedEnvKey]
+    } else {
+      process.env[key as ManagedEnvKey] = value
+    }
+  }
+}
+
+beforeEach(() => {
+  originalEnv = {}
+  for (const key of envKeys) {
+    originalEnv[key] = process.env[key]
+  }
+})
+
+afterEach(() => {
+  restoreManagedEnv()
+})
+
+// ─── getUmamiDeployEnv ────────────────────────────────────────────────────────
+
+describe('getUmamiDeployEnv', () => {
+  it('returns env object with required keys when all are set', () => {
+    setManagedEnv({
+      PATH: '/usr/bin:/bin',
+      HOME: '/home/user',
+      SSH_AUTH_SOCK: '/tmp/ssh-agent.sock',
+      UMAMI_DOMAIN: 'metrics.fro.bot',
+    })
+
+    const env = getUmamiDeployEnv()
+
+    expect(env.PATH).toBe('/usr/bin:/bin')
+    expect(env.HOME).toBe('/home/user')
+    expect(env.SSH_AUTH_SOCK).toBe('/tmp/ssh-agent.sock')
+    expect(env.UMAMI_DOMAIN).toBe('metrics.fro.bot')
+  })
+
+  it('throws when PATH is missing', () => {
+    setManagedEnv({PATH: undefined, HOME: '/home/user', SSH_AUTH_SOCK: '/tmp/ssh-agent.sock'})
+
+    expect(() => getUmamiDeployEnv()).toThrow('PATH is required')
+  })
+
+  it('throws when HOME is missing', () => {
+    setManagedEnv({PATH: '/usr/bin:/bin', HOME: undefined, SSH_AUTH_SOCK: '/tmp/ssh-agent.sock'})
+
+    expect(() => getUmamiDeployEnv()).toThrow('HOME is required')
+  })
+
+  it('throws when SSH_AUTH_SOCK is missing and no UMAMI_SSH_KEY either', () => {
+    setManagedEnv({
+      PATH: '/usr/bin:/bin',
+      HOME: '/home/user',
+      SSH_AUTH_SOCK: undefined,
+      UMAMI_SSH_KEY: undefined,
+    })
+
+    expect(() => getUmamiDeployEnv()).toThrow('Local deploy needs an SSH context')
+  })
+
+  it('succeeds with only SSH_AUTH_SOCK set (no UMAMI_SSH_KEY)', () => {
+    setManagedEnv({
+      PATH: '/usr/bin:/bin',
+      HOME: '/home/user',
+      SSH_AUTH_SOCK: '/tmp/ssh-agent.sock',
+      UMAMI_SSH_KEY: undefined,
+    })
+
+    const env = getUmamiDeployEnv()
+
+    expect(env.SSH_AUTH_SOCK).toBe('/tmp/ssh-agent.sock')
+    expect('UMAMI_SSH_KEY' in env).toBe(false)
+  })
+
+  it('succeeds with only UMAMI_SSH_KEY set (no SSH_AUTH_SOCK) and includes the key in env', () => {
+    setManagedEnv({
+      PATH: '/usr/bin:/bin',
+      HOME: '/home/user',
+      SSH_AUTH_SOCK: undefined,
+      UMAMI_SSH_KEY: 'ssh-ed25519 AAAA...',
+    })
+
+    const env = getUmamiDeployEnv()
+
+    expect(env.UMAMI_SSH_KEY).toBe('ssh-ed25519 AAAA...')
+    expect('SSH_AUTH_SOCK' in env).toBe(false)
+  })
+
+  it('includes optional umami env vars when set', () => {
+    setManagedEnv({
+      PATH: '/usr/bin:/bin',
+      HOME: '/home/user',
+      SSH_AUTH_SOCK: '/tmp/ssh-agent.sock',
+      UMAMI_APP_SECRET: 'secret123',
+      UMAMI_DB_PASSWORD: 'dbpass',
+      UMAMI_ADMIN_PASSWORD: 'adminpass',
+    })
+
+    const env = getUmamiDeployEnv()
+
+    expect(env.UMAMI_APP_SECRET).toBe('secret123')
+    expect(env.UMAMI_DB_PASSWORD).toBe('dbpass')
+    expect(env.UMAMI_ADMIN_PASSWORD).toBe('adminpass')
+  })
+})
+
+// ─── validateUmamiRemotePreconditions ─────────────────────────────────────────
+
+describe('validateUmamiRemotePreconditions', () => {
+  it('throws a clear error when gh is not available', () => {
+    // We cannot reliably mock Bun.which, so we test the function contract:
+    // if gh is not installed, it should throw with a helpful message.
+    // This test verifies the error message shape by calling with a known-missing binary.
+    // In CI where gh IS installed, we skip this test.
+    if (Bun.which('gh')) {
+      // gh is available — just verify the function does not throw
+      expect(() => validateUmamiRemotePreconditions()).not.toThrow()
+      return
+    }
+
+    expect(() => validateUmamiRemotePreconditions()).toThrow('gh CLI is required')
+  })
+})
+
+// ─── deploy command (subprocess integration via CLI) ─────────────────────────
+
+describe('deploy command', () => {
+  it('dry-run remote mode prints planned gh workflow run command without executing', async () => {
+    const proc = Bun.spawn(['bun', 'run', 'packages/cli/src/cli.ts', 'umami', 'deploy', '--dry-run'], {
+      cwd: repoRoot,
+      env: {...process.env, NO_COLOR: '1'},
+      stdout: 'pipe',
+      stderr: 'pipe',
+    })
+
+    const [stdout, _stderr, exitCode] = await Promise.all([
+      new Response(proc.stdout).text(),
+      new Response(proc.stderr).text(),
+      proc.exited,
+    ])
+
+    expect(exitCode).toBe(0)
+    expect(stdout).toContain('Dry run')
+    expect(stdout).toContain('Deploy Umami')
+  })
+
+  it('dry-run local mode prints planned bun command without executing', async () => {
+    const proc = Bun.spawn(['bun', 'run', 'packages/cli/src/cli.ts', 'umami', 'deploy', '--local', '--dry-run'], {
+      cwd: repoRoot,
+      env: {...process.env, NO_COLOR: '1'},
+      stdout: 'pipe',
+      stderr: 'pipe',
+    })
+
+    const [stdout, _stderr, exitCode] = await Promise.all([
+      new Response(proc.stdout).text(),
+      new Response(proc.stderr).text(),
+      proc.exited,
+    ])
+
+    expect(exitCode).toBe(0)
+    expect(stdout).toContain('Dry run')
+    expect(stdout).toContain('apps/umami')
+  })
+})