@meshxdata/fops 0.0.1

package/src/setup/aws.js

@@ -0,0 +1,369 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import readline from "node:readline";
+import chalk from "chalk";
+import { execa } from "execa";
+import inquirer from "inquirer";
+
+/**
+ * Read saved FOPS config (~/.fops.json) for AWS SSO settings etc.
+ */
+export function readFopsConfig() {
+  const configPath = path.join(os.homedir(), ".fops.json");
+  try {
+    if (fs.existsSync(configPath)) {
+      return JSON.parse(fs.readFileSync(configPath, "utf8"));
+    }
+  } catch {}
+  return {};
+}
+
+/**
+ * Save FOPS config (~/.fops.json)
+ */
+export function saveFopsConfig(config) {
+  const configPath = path.join(os.homedir(), ".fops.json");
+  fs.writeFileSync(configPath, JSON.stringify(config, null, 2) + "\n", { mode: 0o600 });
+}
+
+/**
+ * Prompt user for AWS SSO configuration interactively
+ */
+export async function promptAwsSsoConfig() {
+  console.log(chalk.cyan("\n  AWS SSO Configuration\n"));
+  console.log(chalk.gray("  We'll set up an AWS CLI profile for ECR image pulls."));
+  console.log(chalk.gray("  You can find these values in your AWS SSO portal.\n"));
+
+  const answers = await inquirer.prompt([
+    {
+      type: "input",
+      name: "profileName",
+      message: "AWS profile name:",
+      default: "dev",
+    },
+    {
+      type: "input",
+      name: "ssoStartUrl",
+      message: "SSO start URL:",
+      validate: (v) => v?.trim() ? true : "SSO start URL is required.",
+    },
+    {
+      type: "input",
+      name: "ssoRegion",
+      message: "SSO region:",
+      default: "us-east-1",
+    },
+    {
+      type: "input",
+      name: "accountId",
+      message: "AWS account ID:",
+      validate: (v) => /^\d{12}$/.test(v?.trim()) ? true : "Account ID must be 12 digits.",
+    },
+    {
+      type: "input",
+      name: "roleName",
+      message: "SSO role name:",
+      default: "AdministratorAccess",
+    },
+    {
+      type: "input",
+      name: "region",
+      message: "Default region:",
+      default: (answers) => answers.ssoRegion,
+    },
+  ]);
+
+  return {
+    profileName: answers.profileName.trim(),
+    ssoStartUrl: answers.ssoStartUrl.trim(),
+    ssoRegion: answers.ssoRegion.trim(),
+    accountId: answers.accountId.trim(),
+    roleName: answers.roleName.trim(),
+    region: answers.region.trim(),
+  };
+}
+
+/**
+ * Detect ECR registry URL from docker-compose.yaml
+ */
+export function detectEcrRegistry(dir) {
+  try {
+    const composePath = path.join(dir, "docker-compose.yaml");
+    if (!fs.existsSync(composePath)) return null;
+    const content = fs.readFileSync(composePath, "utf8");
+    const match = content.match(/(\d{12})\.dkr\.ecr\.([^.]+)\.amazonaws\.com/);
+    if (match) return { accountId: match[1], region: match[2] };
+  } catch {}
+  return null;
+}
+
+/**
+ * Parse ~/.aws/config and find SSO profiles with their sso_session names.
+ */
+export function detectAwsSsoProfiles() {
+  const configPath = path.join(os.homedir(), ".aws", "config");
+  if (!fs.existsSync(configPath)) return [];
+  const content = fs.readFileSync(configPath, "utf8");
+  const profiles = [];
+  let currentProfile = null;
+  let currentAttrs = {};
+
+  for (const line of content.split("\n")) {
+    const profileMatch = line.match(/^\[profile\s+(.+?)\]/);
+    if (profileMatch) {
+      if (currentProfile && currentAttrs.sso_session) {
+        profiles.push({ name: currentProfile, ...currentAttrs });
+      }
+      currentProfile = profileMatch[1];
+      currentAttrs = {};
+      continue;
+    }
+    if (line.startsWith("[")) {
+      if (currentProfile && currentAttrs.sso_session) {
+        profiles.push({ name: currentProfile, ...currentAttrs });
+      }
+      currentProfile = null;
+      currentAttrs = {};
+      continue;
+    }
+    const kv = line.match(/^\s*(\S+)\s*=\s*(.+)/);
+    if (kv && currentProfile) {
+      currentAttrs[kv[1]] = kv[2].trim();
+    }
+  }
+  if (currentProfile && currentAttrs.sso_session) {
+    profiles.push({ name: currentProfile, ...currentAttrs });
+  }
+  return profiles;
+}
+
+/**
+ * Simple readline prompt helper.
+ */
+function ask(question, defaultVal) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  const suffix = defaultVal ? chalk.gray(` (${defaultVal})`) : "";
+  return new Promise((resolve) => {
+    rl.question(`  ${question}${suffix}: `, (answer) => {
+      rl.close();
+      resolve(answer.trim() || defaultVal || "");
+    });
+  });
+}
+
+/**
+ * Check if ~/.aws/config has an sso-session block with sso_start_url.
+ * If not, prompt user for the values and write them.
+ */
+export async function ensureSsoConfig() {
+  const configPath = path.join(os.homedir(), ".aws", "config");
+  const content = fs.existsSync(configPath) ? fs.readFileSync(configPath, "utf8") : "";
+
+  // Check if any sso-session block has sso_start_url
+  if (/sso_start_url\s*=/.test(content)) return; // already configured
+
+  console.log(chalk.cyan("\n  AWS SSO is not configured. Let's set it up.\n"));
+  console.log(chalk.gray("  You can find these values in your AWS SSO portal.\n"));
+
+  const sessionName = await ask("SSO session name", "meshx");
+  const startUrl = await ask("SSO start URL");
+  const ssoRegion = await ask("SSO region", "us-east-1");
+  const accountId = await ask("AWS account ID");
+  const roleName = await ask("SSO role name", "AdministratorAccess");
+  const region = await ask("Default region", ssoRegion);
+  const profileName = await ask("Profile name", "dev");
+
+  if (!startUrl || !accountId) {
+    throw new Error("SSO start URL and account ID are required");
+  }
+
+  // Ensure ~/.aws directory exists
+  const awsDir = path.join(os.homedir(), ".aws");
+  if (!fs.existsSync(awsDir)) fs.mkdirSync(awsDir, { mode: 0o700 });
+
+  const block = `
+[sso-session ${sessionName}]
+sso_start_url = ${startUrl}
+sso_region = ${ssoRegion}
+sso_registration_scopes = sso:account:access
+
+[profile ${profileName}]
+sso_session = ${sessionName}
+sso_account_id = ${accountId}
+sso_role_name = ${roleName}
+region = ${region}
+output = json
+`;
+
+  fs.appendFileSync(configPath, block);
+  console.log(chalk.green(`\n  ✓ Written to ~/.aws/config (profile: ${profileName})`));
+}
+
+/**
+ * Fix AWS SSO: ensure config exists, detect profile, then login.
+ */
+export async function fixAwsSso() {
+  await ensureSsoConfig();
+
+  const profiles = detectAwsSsoProfiles();
+  if (profiles.length === 0) {
+    throw new Error("No SSO profiles found after config — check ~/.aws/config");
+  }
+
+  const profile = profiles[0];
+  console.log(chalk.gray(`  Using AWS profile: ${profile.name}`));
+  console.log(chalk.cyan(`  ▶ aws sso login --profile ${profile.name}`));
+
+  // Open /dev/tty directly so SSO login gets a real terminal even when
+  // the parent process has piped stdio (e.g. agent → runShellCommand → fops doctor)
+  let ttyFd;
+  try { ttyFd = fs.openSync("/dev/tty", "r"); } catch { ttyFd = null; }
+
+  await execa("aws", ["sso", "login", "--profile", profile.name], {
+    stdio: [ttyFd ?? "inherit", "inherit", "inherit"],
+    reject: false,
+    timeout: 120_000,
+  });
+
+  if (ttyFd !== null) fs.closeSync(ttyFd);
+}
+
+/**
+ * Fix ECR: ensure SSO session is valid, then docker login to ECR.
+ */
+export async function fixEcr(ecrInfo) {
+  const profiles = detectAwsSsoProfiles();
+  // Pick the profile whose region matches ECR, or fall back to first
+  const profile = profiles.find((p) => p.region === ecrInfo.region) || profiles[0];
+  const profileArgs = profile ? ["--profile", profile.name] : [];
+
+  // First make sure SSO works
+  const { stdout } = await execa("aws", ["sts", "get-caller-identity", "--output", "json", ...profileArgs], {
+    reject: false, timeout: 10000,
+  });
+  if (!stdout || !stdout.includes("Account")) {
+    await fixAwsSso();
+  }
+
+  // Now do ECR docker login
+  const ecrUrl = `${ecrInfo.accountId}.dkr.ecr.${ecrInfo.region}.amazonaws.com`;
+  console.log(chalk.cyan(`  ▶ ECR docker login → ${ecrUrl}`));
+  const { stdout: password } = await execa("aws", [
+    "ecr", "get-login-password", "--region", ecrInfo.region, ...profileArgs,
+  ], { reject: false, timeout: 15000 });
+
+  if (password?.trim()) {
+    const { exitCode } = await execa("docker", ["login", "--username", "AWS", "--password-stdin", ecrUrl], {
+      input: password.trim(), reject: false, timeout: 15000,
+    });
+    if (exitCode === 0) console.log(chalk.green(`  ✓ Logged in to ECR`));
+    else throw new Error("docker login failed");
+  } else {
+    throw new Error("Could not get ECR login password — check AWS session");
+  }
+}
+
+/**
+ * Ensure ECR auth is valid before starting services.
+ * Detects ECR images in compose file, checks/refreshes credentials.
+ * Silently skips if no ECR images are found.
+ */
+export async function ensureEcrAuth(dir) {
+  const ecrInfo = detectEcrRegistry(dir);
+  if (!ecrInfo) return; // no ECR images — nothing to do
+
+  const ecrUrl = `${ecrInfo.accountId}.dkr.ecr.${ecrInfo.region}.amazonaws.com`;
+
+  // Check if AWS CLI is available
+  try {
+    await execa("aws", ["--version"], { timeout: 5000 });
+  } catch {
+    console.log(chalk.yellow("  ⚠ AWS CLI not found — skipping ECR auth (image pulls may fail)"));
+    return;
+  }
+
+  const profiles = detectAwsSsoProfiles();
+  const profile = profiles.find((p) => p.region === ecrInfo.region) || profiles[0];
+  const profileArgs = profile ? ["--profile", profile.name] : [];
+
+  // Check if STS session is valid
+  const { stdout: stsOut } = await execa("aws", ["sts", "get-caller-identity", "--output", "json", ...profileArgs], {
+    reject: false, timeout: 10000,
+  });
+
+  if (!stsOut || !stsOut.includes("Account")) {
+    console.log(chalk.yellow("  ⚠ AWS session expired — logging in via SSO..."));
+    try {
+      await fixAwsSso();
+    } catch (err) {
+      console.log(chalk.red(`  ✗ AWS SSO login failed: ${err.message}`));
+      return;
+    }
+  }
+
+  // Docker login to ECR
+  try {
+    const { stdout: password } = await execa("aws", [
+      "ecr", "get-login-password", "--region", ecrInfo.region, ...profileArgs,
+    ], { reject: false, timeout: 15000 });
+
+    if (!password?.trim()) {
+      console.log(chalk.red("  ✗ Could not get ECR login password — image pulls may fail"));
+      return;
+    }
+
+    const { exitCode } = await execa("docker", ["login", "--username", "AWS", "--password-stdin", ecrUrl], {
+      input: password.trim(), reject: false, timeout: 15000,
+    });
+
+    if (exitCode === 0) {
+      console.log(chalk.green(`  ✓ ECR authenticated (${ecrUrl})`));
+    } else {
+      console.log(chalk.red(`  ✗ ECR docker login failed — image pulls may fail`));
+    }
+  } catch (err) {
+    console.log(chalk.red(`  ✗ ECR auth error: ${err.message}`));
+  }
+}
+
+export async function checkEcrRepos(dir, awsConfig) {
+  const profile = awsConfig?.profileName || "dev";
+  const ecrInfo = detectEcrRegistry(dir);
+  if (!ecrInfo) return;
+
+  const ecrPrefix = `${ecrInfo.accountId}.dkr.ecr.${ecrInfo.region}.amazonaws.com/`;
+  try {
+    const composePath = path.join(dir, "docker-compose.yaml");
+    if (!fs.existsSync(composePath)) return;
+    const content = fs.readFileSync(composePath, "utf8");
+    const imageRefs = [...content.matchAll(/image:\s*(.+)/g)]
+      .map((m) => m[1].trim())
+      .filter((img) => img.includes(".dkr.ecr.") && img.includes(".amazonaws.com"));
+    const neededRepos = [...new Set(
+      imageRefs.map((img) => {
+        const noTag = img.replace(/\$\{[^}]+\}/, "compose").split(":")[0];
+        return noTag.replace(ecrPrefix, "").replace(/^\//, "");
+      })
+    )];
+    const { stdout } = await execa("aws", [
+      "ecr", "describe-repositories",
+      "--registry-id", ecrInfo.accountId,
+      "--region", ecrInfo.region,
+      "--profile", profile,
+      "--query", "repositories[].repositoryName",
+      "--output", "json",
+    ], { timeout: 10000 });
+    const existingRepos = JSON.parse(stdout);
+    const missing = neededRepos.filter((r) => !existingRepos.includes(r));
+    if (missing.length > 0) {
+      console.log(chalk.yellow("\n⚠ These ECR repos are referenced but don't exist (will need local build):"));
+      for (const r of missing) console.log(chalk.gray(`  ✗ ${r}`));
+      console.log(chalk.gray("  These services will be built from source instead.\n"));
+    } else {
+      console.log(chalk.green("All required ECR repos exist."));
+    }
+  } catch {
+    // Non-critical
+  }
+}

package/src/setup/aws.test.js

@@ -0,0 +1,280 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+describe("setup/aws", () => {
+  let tmpDir;
+
+  beforeEach(() => {
+    tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "fops-aws-"));
+  });
+
+  afterEach(() => {
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  describe("readFopsConfig / saveFopsConfig", () => {
+    it("readFopsConfig returns empty object when file does not exist", () => {
+      const configPath = path.join(tmpDir, ".fops.json");
+      expect(fs.existsSync(configPath)).toBe(false);
+      let config = {};
+      try {
+        if (fs.existsSync(configPath)) {
+          config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+        }
+      } catch {}
+      expect(config).toEqual({});
+    });
+
+    it("saveFopsConfig writes valid JSON", () => {
+      const configPath = path.join(tmpDir, ".fops.json");
+      const data = { aws: { profile: "dev" } };
+      fs.writeFileSync(configPath, JSON.stringify(data, null, 2) + "\n", { mode: 0o600 });
+      const read = JSON.parse(fs.readFileSync(configPath, "utf8"));
+      expect(read).toEqual(data);
+    });
+
+    it("readFopsConfig handles corrupted JSON gracefully", () => {
+      const configPath = path.join(tmpDir, ".fops.json");
+      fs.writeFileSync(configPath, "not valid json{");
+      let config = {};
+      try {
+        if (fs.existsSync(configPath)) {
+          config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+        }
+      } catch {}
+      expect(config).toEqual({});
+    });
+
+    it("round-trips nested config", () => {
+      const configPath = path.join(tmpDir, ".fops.json");
+      const data = {
+        aws: { profile: "dev", region: "us-east-1" },
+        plugins: { entries: { "my-plugin": { enabled: true, config: { key: "val" } } } },
+      };
+      fs.writeFileSync(configPath, JSON.stringify(data, null, 2) + "\n");
+      const read = JSON.parse(fs.readFileSync(configPath, "utf8"));
+      expect(read).toEqual(data);
+    });
+  });
+
+  describe("detectEcrRegistry", () => {
+    let detectEcrRegistry;
+
+    beforeEach(async () => {
+      ({ detectEcrRegistry } = await import("./aws.js"));
+    });
+
+    it("returns null when no docker-compose.yaml", () => {
+      expect(detectEcrRegistry(tmpDir)).toBe(null);
+    });
+
+    it("returns null when no ECR URL in compose", () => {
+      fs.writeFileSync(path.join(tmpDir, "docker-compose.yaml"), "version: '3'\nservices:\n  web:\n    image: nginx\n");
+      expect(detectEcrRegistry(tmpDir)).toBe(null);
+    });
+
+    it("extracts ECR info from docker-compose.yaml", () => {
+      fs.writeFileSync(
+        path.join(tmpDir, "docker-compose.yaml"),
+        `services:\n  app:\n    image: 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-app:latest\n`
+      );
+      const result = detectEcrRegistry(tmpDir);
+      expect(result).toEqual({ accountId: "123456789012", region: "us-east-1" });
+    });
+
+    it("extracts different regions", () => {
+      fs.writeFileSync(
+        path.join(tmpDir, "docker-compose.yaml"),
+        `services:\n  app:\n    image: 987654321098.dkr.ecr.eu-west-1.amazonaws.com/app:v1\n`
+      );
+      const result = detectEcrRegistry(tmpDir);
+      expect(result).toEqual({ accountId: "987654321098", region: "eu-west-1" });
+    });
+
+    it("handles multiple ECR references (returns first match)", () => {
+      fs.writeFileSync(
+        path.join(tmpDir, "docker-compose.yaml"),
+        [
+          "services:",
+          "  app1:",
+          "    image: 111111111111.dkr.ecr.us-east-1.amazonaws.com/app1:latest",
+          "  app2:",
+          "    image: 222222222222.dkr.ecr.eu-west-1.amazonaws.com/app2:latest",
+        ].join("\n")
+      );
+      const result = detectEcrRegistry(tmpDir);
+      expect(result.accountId).toBe("111111111111");
+    });
+
+    it("returns null for compose with no image directives", () => {
+      fs.writeFileSync(
+        path.join(tmpDir, "docker-compose.yaml"),
+        "services:\n  app:\n    build: .\n"
+      );
+      expect(detectEcrRegistry(tmpDir)).toBe(null);
+    });
+  });
+
+  describe("detectAwsSsoProfiles", () => {
+    let detectAwsSsoProfiles;
+
+    beforeEach(async () => {
+      ({ detectAwsSsoProfiles } = await import("./aws.js"));
+    });
+
+    it("returns an array", () => {
+      const result = detectAwsSsoProfiles();
+      expect(Array.isArray(result)).toBe(true);
+    });
+  });
+
+  describe("detectAwsSsoProfiles parsing logic", () => {
+    it("parses SSO profiles from aws config content", () => {
+      const configContent = `[profile dev]
+sso_session = meshx
+sso_account_id = 123456789012
+sso_role_name = AdministratorAccess
+region = us-east-1
+
+[sso-session meshx]
+sso_start_url = https://meshx.awsapps.com/start
+sso_region = us-east-1
+
+[profile staging]
+sso_session = meshx
+sso_account_id = 987654321098
+sso_role_name = ReadOnly
+region = us-west-2
+`;
+      // Inline the parsing logic (same as detectAwsSsoProfiles)
+      const content = configContent;
+      const profiles = [];
+      let currentProfile = null;
+      let currentAttrs = {};
+      for (const line of content.split("\n")) {
+        const profileMatch = line.match(/^\[profile\s+(.+?)\]/);
+        if (profileMatch) {
+          if (currentProfile && currentAttrs.sso_session) {
+            profiles.push({ name: currentProfile, ...currentAttrs });
+          }
+          currentProfile = profileMatch[1];
+          currentAttrs = {};
+          continue;
+        }
+        if (line.startsWith("[")) {
+          if (currentProfile && currentAttrs.sso_session) {
+            profiles.push({ name: currentProfile, ...currentAttrs });
+          }
+          currentProfile = null;
+          currentAttrs = {};
+          continue;
+        }
+        const kv = line.match(/^\s*(\S+)\s*=\s*(.+)/);
+        if (kv && currentProfile) {
+          currentAttrs[kv[1]] = kv[2].trim();
+        }
+      }
+      if (currentProfile && currentAttrs.sso_session) {
+        profiles.push({ name: currentProfile, ...currentAttrs });
+      }
+
+      expect(profiles).toHaveLength(2);
+      expect(profiles[0].name).toBe("dev");
+      expect(profiles[0].sso_session).toBe("meshx");
+      expect(profiles[0].sso_account_id).toBe("123456789012");
+      expect(profiles[0].region).toBe("us-east-1");
+      expect(profiles[1].name).toBe("staging");
+      expect(profiles[1].sso_account_id).toBe("987654321098");
+      expect(profiles[1].region).toBe("us-west-2");
+    });
+
+    it("skips profiles without sso_session", () => {
+      const content = `[profile default]
+region = us-east-1
+output = json
+
+[profile sso-dev]
+sso_session = meshx
+region = us-east-1
+`;
+      const profiles = [];
+      let currentProfile = null;
+      let currentAttrs = {};
+      for (const line of content.split("\n")) {
+        const profileMatch = line.match(/^\[profile\s+(.+?)\]/);
+        if (profileMatch) {
+          if (currentProfile && currentAttrs.sso_session) {
+            profiles.push({ name: currentProfile, ...currentAttrs });
+          }
+          currentProfile = profileMatch[1];
+          currentAttrs = {};
+          continue;
+        }
+        if (line.startsWith("[")) {
+          if (currentProfile && currentAttrs.sso_session) {
+            profiles.push({ name: currentProfile, ...currentAttrs });
+          }
+          currentProfile = null;
+          currentAttrs = {};
+          continue;
+        }
+        const kv = line.match(/^\s*(\S+)\s*=\s*(.+)/);
+        if (kv && currentProfile) {
+          currentAttrs[kv[1]] = kv[2].trim();
+        }
+      }
+      if (currentProfile && currentAttrs.sso_session) {
+        profiles.push({ name: currentProfile, ...currentAttrs });
+      }
+
+      expect(profiles).toHaveLength(1);
+      expect(profiles[0].name).toBe("sso-dev");
+    });
+
+    it("handles empty config", () => {
+      const profiles = [];
+      // No profiles to parse
+      expect(profiles).toHaveLength(0);
+    });
+
+    it("handles profile at end of file (no trailing section)", () => {
+      const content = `[profile last]
+sso_session = test
+region = us-east-1`;
+      const profiles = [];
+      let currentProfile = null;
+      let currentAttrs = {};
+      for (const line of content.split("\n")) {
+        const profileMatch = line.match(/^\[profile\s+(.+?)\]/);
+        if (profileMatch) {
+          if (currentProfile && currentAttrs.sso_session) {
+            profiles.push({ name: currentProfile, ...currentAttrs });
+          }
+          currentProfile = profileMatch[1];
+          currentAttrs = {};
+          continue;
+        }
+        if (line.startsWith("[")) {
+          if (currentProfile && currentAttrs.sso_session) {
+            profiles.push({ name: currentProfile, ...currentAttrs });
+          }
+          currentProfile = null;
+          currentAttrs = {};
+          continue;
+        }
+        const kv = line.match(/^\s*(\S+)\s*=\s*(.+)/);
+        if (kv && currentProfile) {
+          currentAttrs[kv[1]] = kv[2].trim();
+        }
+      }
+      if (currentProfile && currentAttrs.sso_session) {
+        profiles.push({ name: currentProfile, ...currentAttrs });
+      }
+
+      expect(profiles).toHaveLength(1);
+      expect(profiles[0].name).toBe("last");
+    });
+  });
+});

package/src/setup/index.js

@@ -0,0 +1,3 @@
+export { runSetup } from "./setup.js";
+export { runInitWizard } from "./wizard.js";
+export { checkEcrRepos } from "./aws.js";