@mittwald/cli 1.13.3 → 1.13.5

package/dist/commands/app/download.js

@@ -54,7 +54,7 @@ export class Download extends ExecRenderBaseCommand {
         });
         const rsyncHost = buildRsyncConnectionString(connectionData, this.flags);
         const rsyncOpts = [
-            ...appInstallationSyncFlagsToRsyncFlags(this.flags),
+            ...appInstallationSyncFlagsToRsyncFlags(this.flags, this.config.configDir),
             ...(await filterFileToRsyncFlagsIfPresent(target)),
         ];
         await spawnInProcess(p, "downloading app installation" + (dryRun ? " (dry-run)" : ""), "rsync", [...rsyncOpts, rsyncHost, target]);

package/dist/commands/app/exec.js

@@ -58,6 +58,7 @@ export default class Exec extends ExtendedBaseCommand {
         execCommand += command;
         const sshArgs = buildSSHClientFlags(user, host, flags, {
             interactive: false,
+            configDir: this.config.configDir,
         });
         const wrappedExecCommand = shellEscape(["/bin/bash", "-c", execCommand]);
         this.debug("running ssh %o, with command %o", sshArgs, wrappedExecCommand);

package/dist/commands/app/ssh.js

@@ -50,7 +50,7 @@ export default class Ssh extends ExtendedBaseCommand {
             return;
         }
         this.log("connecting to %o as %o", host, user);
-        const [cmd, args] = buildSSHCmdAndFlags(user, host, directory, this.flags);
+        const [cmd, args] = buildSSHCmdAndFlags(user, host, directory, this.flags, this.config.configDir);
         this.debug("running ssh %o, with command %o", args, cmd);
         if (flags.cd) {
             this.log("changing to %o; use --no-cd to disable this behaviour", directory);
@@ -60,10 +60,11 @@ export default class Ssh extends ExtendedBaseCommand {
         });
     }
 }
-function buildSSHCmdAndFlags(user, host, directory, flags) {
+function buildSSHCmdAndFlags(user, host, directory, flags, configDir) {
     const args = buildSSHClientFlags(user, host, flags, {
         interactive: true,
         additionalFlags: flags.test ? ["-q"] : [],
+        configDir,
     });
     if (flags.test) {
         return ["/bin/true", args];

package/dist/commands/app/upload.js

@@ -46,7 +46,7 @@ export class Upload extends ExecRenderBaseCommand {
         });
         const rsyncHost = buildRsyncConnectionString(connectionData, this.flags);
         const rsyncOpts = [
-            ...appInstallationSyncFlagsToRsyncFlags(this.flags),
+            ...appInstallationSyncFlagsToRsyncFlags(this.flags, this.config.configDir),
             ...(await filterFileToRsyncFlagsIfPresent(source)),
         ];
         await spawnInProcess(p, "uploading app installation" + (dryRun ? " (dry-run)" : ""), "rsync", [...rsyncOpts, source, rsyncHost]);

package/dist/commands/container/cp.js

@@ -4,6 +4,7 @@ import { Args, Flags } from "@oclif/core";
 import { ExecRenderBaseCommand } from "../../lib/basecommands/ExecRenderBaseCommand.js";
 import { getSSHConnectionForContainer } from "../../lib/resources/ssh/container.js";
 import { sshConnectionFlags } from "../../lib/resources/ssh/flags.js";
+import { getSSHKnownHostsFlags } from "../../lib/resources/ssh/knownhosts.js";
 import { withContainerAndStackId } from "../../lib/resources/container/flags.js";
 import { projectFlags } from "../../lib/resources/project/flags.js";
 import { makeProcessRenderer, processFlags, } from "../../rendering/process/process_flags.js";
@@ -60,7 +61,11 @@ Where CONTAINER can be a container ID, short ID, or service name.`;
         return { container, path: normalizedPath };
     }
     buildScpCommand(source, dest, flags) {
-        const scpArgs = ["-o", "PasswordAuthentication=no"];
+        const scpArgs = [
+            ...getSSHKnownHostsFlags(this.config.configDir),
+            "-o",
+            "PasswordAuthentication=no",
+        ];
         if (flags.archive) {
             scpArgs.push("-p");
         }

package/dist/commands/container/exec.js

@@ -69,6 +69,7 @@ export default class Exec extends ExtendedBaseCommand {
         execCommand += command;
         const sshArgs = buildSSHClientFlags(user, host, flags, {
             interactive: false,
+            configDir: this.config.configDir,
         });
         const wrappedExecCommand = shellEscape([flags.shell, "-c", execCommand]);
         this.debug("running ssh %o, with command %o", sshArgs, wrappedExecCommand);

package/dist/commands/container/port-forward.js

@@ -44,6 +44,7 @@ export class PortForward extends ExecRenderBaseCommand {
             additionalFlags: portMappings
                 .map((p) => ["-L", `${p.localPort}:localhost:${p.remotePort}`])
                 .flat(),
+            configDir: this.config.configDir,
         });
         cp.spawnSync("ssh", [...sshArgs, "sleep", "infinity"], {
             stdio: ["ignore", process.stdout, process.stderr],

package/dist/commands/container/ssh.js

@@ -42,17 +42,18 @@ export default class Ssh extends ExtendedBaseCommand {
             return;
         }
         this.log("connecting to %o as %o", host, user);
-        const [cmd, args] = buildSSHCmdAndFlags(user, host, flags);
+        const [cmd, args] = buildSSHCmdAndFlags(user, host, flags, this.config.configDir);
         this.debug("running ssh %o, with command %o", args, cmd);
         spawnSync("/usr/bin/ssh", [...args, cmd], {
             stdio: "inherit",
         });
     }
 }
-function buildSSHCmdAndFlags(user, host, flags) {
+function buildSSHCmdAndFlags(user, host, flags, configDir) {
     const args = buildSSHClientFlags(user, host, flags, {
         interactive: true,
         additionalFlags: flags.test ? ["-q"] : [],
+        configDir,
     });
     if (flags.test) {
         return ["/bin/true", args];

package/dist/commands/database/mysql/create.js

@@ -83,7 +83,7 @@ export class Create extends ExecRenderBaseCommand {
             const r = await this.apiClient.database.createMysqlDatabase({
                 projectId,
                 data: {
-                    database: { projectId, ...database },
+                    database,
                     user,
                 },
             });

package/dist/commands/database/mysql/dump.js

@@ -47,7 +47,7 @@ export class Dump extends ExecRenderBaseCommand {
                     shell: `set -e -o pipefail > /dev/null ; mysqldump ${escapedArgs} | gzip`,
                 };
             }
-            await p.runStep(`starting mysqldump via SSH on project ${project.shortId}`, () => executeViaSSH(this.apiClient, this.flags, { projectId: connectionDetails.project.id }, cmd, { input: null, output: this.getOutputStream() }));
+            await p.runStep(`starting mysqldump via SSH on project ${project.shortId}`, () => executeViaSSH(this.apiClient, this.flags, { projectId: connectionDetails.project.id }, cmd, { input: null, output: this.getOutputStream() }, this.config.configDir));
             return connectionDetails.database;
         });
         await p.complete(_jsx(DumpSuccess, { database: databaseName, output: this.flags.output }));

package/dist/commands/database/mysql/import.js

@@ -47,7 +47,7 @@ export class Import extends ExecRenderBaseCommand {
                     shell: `set -e -o pipefail > /dev/null ; gunzip | mysql ${escapedArgs}`,
                 };
             }
-            await p.runStep(`starting mysql via SSH on project ${project.shortId}`, () => executeViaSSH(this.apiClient, this.flags, { projectId: connectionDetails.project.id }, cmd, { input: this.getInputStream(), output: null }));
+            await p.runStep(`starting mysql via SSH on project ${project.shortId}`, () => executeViaSSH(this.apiClient, this.flags, { projectId: connectionDetails.project.id }, cmd, { input: this.getInputStream(), output: null }, this.config.configDir));
             return connectionDetails.database;
         });
         await p.complete(_jsx(ImportSuccess, { database: databaseName, input: this.flags.input }));

package/dist/commands/database/mysql/port-forward.js

@@ -32,6 +32,7 @@ export class PortForward extends ExecRenderBaseCommand {
         const sshArgs = buildSSHClientFlags(sshUser, sshHost, this.flags, {
             interactive: false,
             additionalFlags: ["-L", `${port}:${hostname}:3306`],
+            configDir: this.config.configDir,
         });
         cp.spawnSync("ssh", [...sshArgs, "sleep", "infinity"], {
             stdio: ["ignore", process.stdout, process.stderr],

package/dist/commands/database/mysql/shell.js

@@ -25,6 +25,7 @@ export class Shell extends ExecRenderBaseCommand {
         await p.complete(_jsx(Text, { children: "Starting MySQL shell -- get ready..." }));
         const sshArgs = buildSSHClientFlags(sshUser, sshHost, this.flags, {
             interactive: true,
+            configDir: this.config.configDir,
         });
         const mysqlArgs = ["-h", hostname, "-u", user, "-p" + password, database];
         cp.spawnSync("ssh", [...sshArgs, "mysql", ...mysqlArgs], {

package/dist/commands/database/redis/shell.js

@@ -24,6 +24,7 @@ export class Shell extends ExecRenderBaseCommand {
         await p.complete(_jsx(Text, { children: "Starting Redis shell -- get ready..." }));
         const sshArgs = buildSSHClientFlags(sshUser, sshHost, this.flags, {
             interactive: true,
+            configDir: this.config.configDir,
         });
         const redisArgs = ["-h", hostname];
         cp.spawnSync("ssh", [...sshArgs, "redis-cli", ...redisArgs], {

package/dist/commands/ddev/init.js

@@ -163,12 +163,16 @@ export class Init extends ExecRenderBaseCommand {
     }
     async writeMittwaldConfiguration(r, appInstallationId, databaseId, projectType) {
         const builder = new DDEVConfigBuilder(this.apiClient);
-        return await r.runStep("creating mittwald-specific DDEV configuration", async () => {
-            const config = await builder.build(appInstallationId, databaseId, projectType);
+        const { config, warnings } = await r.runStep("creating mittwald-specific DDEV configuration", async () => {
+            const result = await builder.build(appInstallationId, databaseId, projectType);
             const configFile = path.join(".ddev", "config.mittwald.yaml");
-            await writeContentsToFile(configFile, renderDDEVConfig(appInstallationId, config));
-            return config;
+            await writeContentsToFile(configFile, renderDDEVConfig(appInstallationId, result.config));
+            return result;
         });
+        for (const warning of warnings) {
+            r.addInfo(`Warning: ${warning}`);
+        }
+        return config;
     }
 }
 async function writeContentsToFile(filename, data) {

package/dist/commands/ddev/render-config.js

@@ -19,7 +19,10 @@ export class RenderConfig extends ExtendedBaseCommand {
             ? "none"
             : this.flags["database-id"];
         const ddevConfigBuilder = new DDEVConfigBuilder(this.apiClient);
-        const ddevConfig = await ddevConfigBuilder.build(appInstallationId, databaseId, projectType);
+        const { config: ddevConfig, warnings } = await ddevConfigBuilder.build(appInstallationId, databaseId, projectType);
+        for (const warning of warnings) {
+            this.warn(warning);
+        }
         this.log(renderDDEVConfig(appInstallationId, ddevConfig));
     }
 }

package/dist/commands/project/ssh.js

@@ -4,6 +4,7 @@ import { ExtendedBaseCommand } from "../../lib/basecommands/ExtendedBaseCommand.
 import { sshConnectionFlags } from "../../lib/resources/ssh/flags.js";
 import { getSSHConnectionForProject } from "../../lib/resources/ssh/project.js";
 import { sshWrapperDocumentation } from "../../lib/resources/ssh/doc.js";
+import { buildSSHClientFlags } from "../../lib/resources/ssh/connection.js";
 export default class Ssh extends ExtendedBaseCommand {
     static summary = "Connect to a project via SSH";
     static description = "Establishes an interactive SSH connection to a project.\n\n" +
@@ -16,7 +17,11 @@ export default class Ssh extends ExtendedBaseCommand {
         const projectId = await this.withProjectId(Ssh);
         const { user, host } = await getSSHConnectionForProject(this.apiClient, projectId, this.flags["ssh-user"]);
         this.log("connecting to %o as %o", host, user);
-        spawnSync("/usr/bin/ssh", ["-l", user, host], {
+        const sshArgs = buildSSHClientFlags(user, host, this.flags, {
+            interactive: true,
+            configDir: this.config.configDir,
+        });
+        spawnSync("/usr/bin/ssh", sshArgs, {
             stdio: "inherit",
         });
     }

package/dist/lib/apiutil/api_baseurl.d.ts

@@ -0,0 +1,2 @@
+import { AxiosInstance } from "@mittwald/api-client-commons";
+export declare function configureAxiosBaseURL(axios: AxiosInstance, baseURL: string): void;

package/dist/lib/apiutil/api_baseurl.js

@@ -0,0 +1,17 @@
+export function configureAxiosBaseURL(axios, baseURL) {
+    const trimmedBaseURL = baseURL.trim();
+    if (!trimmedBaseURL) {
+        throw new Error("MITTWALD_API_BASE_URL is empty or contains only whitespace. Please provide a valid absolute URL.");
+    }
+    let parsedUrl;
+    try {
+        parsedUrl = new URL(trimmedBaseURL);
+    }
+    catch {
+        throw new Error(`MITTWALD_API_BASE_URL="${trimmedBaseURL}" is not a valid absolute URL. Please provide a value like "https://api.example.com".`);
+    }
+    if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
+        throw new Error(`MITTWALD_API_BASE_URL="${trimmedBaseURL}" must use http or https scheme. Received protocol "${parsedUrl.protocol}".`);
+    }
+    axios.defaults.baseURL = parsedUrl.toString();
+}

package/dist/lib/basecommands/BaseCommand.js

@@ -5,6 +5,7 @@ import { CoreBaseCommand } from "./CoreBaseCommand.js";
 import { configureAxiosLogging } from "../apiutil/api_logging.js";
 import { configureAxiosRetry } from "../apiutil/api_retry.js";
 import { configureConsistencyHandling } from "../apiutil/api_consistency.js";
+import { configureAxiosBaseURL } from "../apiutil/api_baseurl.js";
 import NoTokenFoundError from "../error/NoTokenFoundError.js";
 /** Base command class for authenticated commands that includes the --token flag. */
 export class BaseCommand extends CoreBaseCommand {
@@ -27,6 +28,22 @@ export class BaseCommand extends CoreBaseCommand {
             this.apiClient = MittwaldAPIV2Client.newWithToken(token);
             this.apiClient.axios.defaults.headers["User-Agent"] =
                 `mittwald-cli/${this.config.version}`;
+            // Allow overriding API base URL for local testing/mocking.
+            // NOTE: This is intentionally dangerous; be careful not to leak tokens
+            // to unintended hosts via a leftover environment variable.
+            const rawBaseUrlEnv = process.env.MITTWALD_API_BASE_URL;
+            const overriddenBaseUrl = typeof rawBaseUrlEnv === "string" ? rawBaseUrlEnv.trim() : "";
+            if (overriddenBaseUrl) {
+                try {
+                    const parsed = new URL(overriddenBaseUrl);
+                    // Warn the user that requests (including tokens) will be sent to a non-default host.
+                    this.warn(`Using overridden API base URL from MITTWALD_API_BASE_URL (host: ${parsed.host}).`);
+                    configureAxiosBaseURL(this.apiClient.axios, overriddenBaseUrl);
+                }
+                catch {
+                    this.warn("Ignoring MITTWALD_API_BASE_URL because it is not a valid URL.");
+                }
+            }
             configureAxiosLogging(this.apiClient.axios);
             configureAxiosRetry(this.apiClient.axios);
             configureConsistencyHandling(this.apiClient.axios);

package/dist/lib/ddev/config_builder.d.ts

@@ -1,9 +1,13 @@
 import { MittwaldAPIV2Client } from "@mittwald/api-client";
 import { DDEVConfig } from "./config.js";
+export type DDEVConfigBuildResult = {
+    config: Partial<DDEVConfig>;
+    warnings: string[];
+};
 export declare class DDEVConfigBuilder {
     private apiClient;
     constructor(apiClient: MittwaldAPIV2Client);
-    build(appInstallationId: string, databaseId: string | undefined, type: string): Promise<Partial<DDEVConfig>>;
+    build(appInstallationId: string, databaseId: string | undefined, type: string): Promise<DDEVConfigBuildResult>;
     private buildHooks;
     private determineDocumentRoot;
     private determineProjectType;
@@ -16,3 +20,5 @@ export declare class DDEVConfigBuilder {
     private getAppVersion;
     private getAppInstallation;
 }
+export declare function hasExtendedSupportSuffix(version: string): boolean;
+export declare function stripPatchLevelVersion(version: string): string;

package/dist/lib/ddev/config_builder.js

@@ -10,17 +10,21 @@ export class DDEVConfigBuilder {
         const appInstallation = await this.getAppInstallation(appInstallationId);
         const systemSoftwares = await this.buildSystemSoftwareVersionMap(appInstallation);
         type = await this.determineProjectType(appInstallation, type);
+        const { version: phpVersion, warnings } = this.determinePHPVersion(systemSoftwares);
         return {
-            type,
-            webserver_type: "apache-fpm",
-            php_version: this.determinePHPVersion(systemSoftwares),
-            database: await this.determineDatabaseVersion(databaseId),
-            docroot: await this.determineDocumentRoot(appInstallation),
-            web_environment: [
-                `MITTWALD_APP_INSTALLATION_ID=${appInstallation.shortId}`,
-                `MITTWALD_DATABASE_ID=${databaseId ?? ""}`,
-            ],
-            hooks: this.buildHooks(type),
+            config: {
+                type,
+                webserver_type: "apache-fpm",
+                php_version: phpVersion,
+                database: await this.determineDatabaseVersion(databaseId),
+                docroot: await this.determineDocumentRoot(appInstallation),
+                web_environment: [
+                    `MITTWALD_APP_INSTALLATION_ID=${appInstallation.shortId}`,
+                    `MITTWALD_DATABASE_ID=${databaseId ?? ""}`,
+                ],
+                hooks: this.buildHooks(type),
+            },
+            warnings,
         };
     }
     buildHooks(type) {
@@ -82,10 +86,22 @@ export class DDEVConfigBuilder {
     }
     determinePHPVersion(systemSoftwareVersions) {
         if (!("php" in systemSoftwareVersions)) {
-            return undefined;
+            return { version: undefined, warnings: [] };
+        }
+        const originalVersion = systemSoftwareVersions["php"];
+        const normalizedVersion = stripPatchLevelVersion(originalVersion);
+        if (hasExtendedSupportSuffix(originalVersion)) {
+            return {
+                version: normalizedVersion,
+                warnings: [
+                    `The PHP version used by this project (${originalVersion}) is an extended support version ` +
+                        "that is not directly supported by DDEV. " +
+                        `Falling back to PHP ${normalizedVersion}. ` +
+                        "This may cause unintended side effects.",
+                ],
+            };
         }
-        const version = systemSoftwareVersions["php"];
-        return stripPatchLevelVersion(version);
+        return { version: normalizedVersion, warnings: [] };
     }
     async buildSystemSoftwareVersionMap(inst) {
         const versionMap = {};
@@ -133,7 +149,15 @@ function hasCustomDocumentRoot(inst) {
 function stripLeadingSlash(input) {
     return input.replace(/^\//, "");
 }
-function stripPatchLevelVersion(version) {
+const extendedSupportSuffixPattern = /-es$/;
+export function hasExtendedSupportSuffix(version) {
+    return extendedSupportSuffixPattern.test(version);
+}
+export function stripPatchLevelVersion(version) {
     const [major, minor] = version.split(".");
-    return `${major}.${minor}`;
+    // Strip any extended support suffix (e.g. "-es") from the minor version
+    const cleanMinor = minor
+        ? minor.replace(extendedSupportSuffixPattern, "")
+        : minor;
+    return `${major}.${cleanMinor}`;
 }

package/dist/lib/ddev/config_builder.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/lib/ddev/config_builder.test.js

@@ -0,0 +1,30 @@
+import { describe, expect, it } from "@jest/globals";
+import { hasExtendedSupportSuffix, stripPatchLevelVersion, } from "./config_builder.js";
+describe("hasExtendedSupportSuffix", () => {
+    it("returns true for extended support versions", () => {
+        expect(hasExtendedSupportSuffix("7.2-es")).toBe(true);
+        expect(hasExtendedSupportSuffix("7.1-es")).toBe(true);
+        expect(hasExtendedSupportSuffix("8.0-es")).toBe(true);
+    });
+    it("returns false for regular versions", () => {
+        expect(hasExtendedSupportSuffix("7.2")).toBe(false);
+        expect(hasExtendedSupportSuffix("8.3")).toBe(false);
+        expect(hasExtendedSupportSuffix("7.2.1")).toBe(false);
+        expect(hasExtendedSupportSuffix("7.2-lts")).toBe(false);
+    });
+});
+describe("stripPatchLevelVersion", () => {
+    it("strips patch level from regular versions", () => {
+        expect(stripPatchLevelVersion("7.2.5")).toBe("7.2");
+        expect(stripPatchLevelVersion("8.3.1")).toBe("8.3");
+    });
+    it("strips extended support suffix from versions", () => {
+        expect(stripPatchLevelVersion("7.2-es")).toBe("7.2");
+        expect(stripPatchLevelVersion("7.1-es")).toBe("7.1");
+        expect(stripPatchLevelVersion("8.0-es")).toBe("8.0");
+    });
+    it("returns major.minor unchanged for already-stripped versions", () => {
+        expect(stripPatchLevelVersion("7.2")).toBe("7.2");
+        expect(stripPatchLevelVersion("8.3")).toBe("8.3");
+    });
+});

package/dist/lib/resources/app/sync.d.ts

@@ -26,4 +26,4 @@ export declare function filterFileToRsyncFlagsIfPresent(targetDir: string, filte
  *   sync
  */
 export declare function buildRsyncConnectionString({ host, directory, user }: SSHConnectionData, { "remote-sub-directory": subDirectory }: AppInstallationSyncFlags): string;
-export declare function appInstallationSyncFlagsToRsyncFlags(f: AppInstallationSyncFlags & SSHConnectionFlags): string[];
+export declare function appInstallationSyncFlagsToRsyncFlags(f: AppInstallationSyncFlags & SSHConnectionFlags, configDir: string): string[];

package/dist/lib/resources/app/sync.js

@@ -1,6 +1,7 @@
 import { Flags } from "@oclif/core";
 import path from "path";
 import { pathExists } from "../../util/fs/pathExists.js";
+import { getSSHKnownHostsArgsString } from "../ssh/knownhosts.js";
 export const defaultRsyncFilterFile = ".mw-rsync-filter";
 export const appInstallationSyncFlags = (direction) => ({
     exclude: Flags.string({
@@ -53,7 +54,7 @@ export function buildRsyncConnectionString({ host, directory, user }, { "remote-
     }
     return `${user}@${host}:${directory}/`;
 }
-export function appInstallationSyncFlagsToRsyncFlags(f) {
+export function appInstallationSyncFlagsToRsyncFlags(f, configDir) {
     const { "dry-run": dryRun, "ssh-identity-file": sshIdentityFile, exclude, } = f;
     const rsyncOpts = [
         "--archive",
@@ -68,9 +69,12 @@ export function appInstallationSyncFlagsToRsyncFlags(f) {
     if (f.delete) {
         rsyncOpts.push("--delete");
     }
+    // Build the SSH command for rsync with known hosts and optional identity file
+    const sshArgs = [getSSHKnownHostsArgsString(configDir)];
     if (sshIdentityFile) {
-        rsyncOpts.push("--rsh", `ssh -i ${sshIdentityFile}`);
+        sshArgs.push(`-i ${sshIdentityFile}`);
     }
+    rsyncOpts.push("--rsh", `ssh ${sshArgs.join(" ")}`);
     if (exclude?.length > 0) {
         rsyncOpts.push(...exclude.map((e) => `--exclude=${e}`));
     }

package/dist/lib/resources/ssh/connection.d.ts

@@ -7,6 +7,8 @@ export interface SSHClientFlagOptions {
     interactive: boolean;
     /** Additional flags to pass to the SSH client invocation. */
     additionalFlags: string[];
+    /** The oclif config directory for storing the known_hosts file. */
+    configDir: string;
 }
 /**
  * Builds the flags and arguments for an SSH client invocation.
@@ -19,4 +21,4 @@ export interface SSHClientFlagOptions {
  * @param opts Additional (optional) options for the SSH client invocation.
  * @see https://linux.die.net/man/1/ssh
  */
-export declare function buildSSHClientFlags(username: string, hostname: string, inputFlags: SSHConnectionFlags, opts: Partial<SSHClientFlagOptions>): string[];
+export declare function buildSSHClientFlags(username: string, hostname: string, inputFlags: SSHConnectionFlags, opts: Partial<SSHClientFlagOptions> & Pick<SSHClientFlagOptions, "configDir">): string[];

package/dist/lib/resources/ssh/connection.js

@@ -1,3 +1,4 @@
+import { getSSHKnownHostsFlags } from "./knownhosts.js";
 /**
  * Builds the flags and arguments for an SSH client invocation.
  *
@@ -10,8 +11,13 @@
  * @see https://linux.die.net/man/1/ssh
  */
 export function buildSSHClientFlags(username, hostname, inputFlags, opts) {
-    const { interactive, additionalFlags = [] } = opts;
-    const flags = ["-l", username, interactive ? "-t" : "-T"];
+    const { interactive, additionalFlags = [], configDir } = opts;
+    const flags = [
+        ...getSSHKnownHostsFlags(configDir),
+        "-l",
+        username,
+        interactive ? "-t" : "-T",
+    ];
     if (inputFlags["ssh-identity-file"]) {
         flags.push("-i", inputFlags["ssh-identity-file"]);
     }

package/dist/lib/resources/ssh/exec.d.ts

@@ -15,4 +15,4 @@ export interface RunIO {
     input: NodeJS.ReadableStream | null;
     output: NodeJS.WritableStream | null;
 }
-export declare function executeViaSSH(client: MittwaldAPIV2Client, sshConnectionFlags: SSHConnectionFlags, target: RunTarget, command: RunCommand, { input, output }: RunIO): Promise<void>;
+export declare function executeViaSSH(client: MittwaldAPIV2Client, sshConnectionFlags: SSHConnectionFlags, target: RunTarget, command: RunCommand, { input, output }: RunIO, configDir: string): Promise<void>;

package/dist/lib/resources/ssh/exec.js

@@ -2,13 +2,14 @@ import cp from "child_process";
 import { getSSHConnectionForAppInstallation } from "./appinstall.js";
 import { getSSHConnectionForProject } from "./project.js";
 import { buildSSHClientFlags } from "./connection.js";
-export async function executeViaSSH(client, sshConnectionFlags, target, command, { input = null, output = null }) {
+export async function executeViaSSH(client, sshConnectionFlags, target, command, { input = null, output = null }, configDir) {
     const { user, host } = await connectionDataForTarget(client, target, sshConnectionFlags["ssh-user"]);
     const sshCommandArgs = "shell" in command
         ? ["bash", "-c", command.shell]
         : [command.command, ...command.args];
     const sshArgs = buildSSHClientFlags(user, host, sshConnectionFlags, {
         interactive: false,
+        configDir,
     });
     const ssh = cp.spawn("ssh", [...sshArgs, ...sshCommandArgs], {
         stdio: [input ? "pipe" : "ignore", output ? "pipe" : "ignore", "pipe"],

package/dist/lib/resources/ssh/knownhosts.d.ts

@@ -0,0 +1,36 @@
+/** Returns the known hosts content in SSH known_hosts format. */
+export declare function getKnownHostsContent(): string;
+/**
+ * Ensures that the mittwald known_hosts file exists and is up-to-date. Returns
+ * the path to the file.
+ *
+ * @param configDir The oclif config directory (typically ~/.config/mw on
+ *   Linux/macOS)
+ */
+export declare function ensureKnownHostsFile(configDir: string): string;
+/**
+ * Returns SSH command-line options to use the embedded known hosts.
+ *
+ * These options configure SSH to use our embedded known hosts file as a
+ * "global" known hosts file, which is checked in addition to the user's own
+ * ~/.ssh/known_hosts file.
+ *
+ * @param configDir The oclif config directory (typically ~/.config/mw on
+ *   Linux/macOS)
+ */
+export declare function getSSHKnownHostsFlags(configDir: string): string[];
+/**
+ * Returns the SSH options string for use with rsync's --rsh flag or scp.
+ *
+ * @example
+ *   // For rsync:
+ *   `--rsh "ssh ${getSSHKnownHostsArgsString(configDir)}"`;
+ *
+ * @example
+ *   // For scp:
+ *   `scp ${getSSHKnownHostsArgsString(configDir)} source dest`;
+ *
+ * @param configDir The oclif config directory (typically ~/.config/mw on
+ *   Linux/macOS)
+ */
+export declare function getSSHKnownHostsArgsString(configDir: string): string;

package/dist/lib/resources/ssh/knownhosts.js

@@ -0,0 +1,101 @@
+import * as fs from "fs";
+import * as path from "path";
+/**
+ * Known SSH host keys for mittwald clusters.
+ *
+ * These host keys are embedded in the CLI to allow SSH connections to succeed
+ * even in CI/CD environments where the host keys are not pre-populated in
+ * ~/.ssh/known_hosts.
+ *
+ * @see https://github.com/mittwald/cli/issues/1260
+ */
+/**
+ * Map of SSH hostnames to their RSA public keys. Format: "hostname" -> "ssh-rsa
+ * AAAA..."
+ *
+ * These keys are hardcoded to have an authentic source that is independent of
+ * the user's environment, so that SSH connections to mittwald clusters can
+ * succeed even if the user has not previously connected to those hosts and thus
+ * does not have their keys in their own known_hosts file. This is especially
+ * important for CI/CD environments where the user's home directory may not be
+ * persistent or pre-populated with known host keys.
+ *
+ * The hostnames used here (e.g. "ssh.fabbenstedt.project.host") are the ones
+ * that users will see in SSH connection strings, and they must match the
+ * hostnames used in the cluster connection instructions and the SSH config
+ * generated by the CLI.
+ */
+const knownHostKeys = {
+    "ssh.fabbenstedt.project.host": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3X+n//34lLBZQsxkqgs1BrUdbqpU3KeF9n+hF4XHIiq2tXm7w6mBVWZlebUjFzKyLMDsaz/1AnUajWPp5CjCA1brEGBrCVoC7nwgmsTw5CMN/66Kb/sr3DQLlqGl5ylv+hF9RVmcqKyBbkPIHCGJm1eG+rwEWX0QMNpTyeQxDzxBLTtvcYebgkrxNEo/bs7YvTFoR+yWHt2MqJMnVDbzy/sm0mZCOFgE/jZ2RwyGmPWat63cZIFWucTZ/C73dmwwOyX/RH9kUSaxBm77UTtNpM23dFLDYyh7dw9I0q/7beTNnMplIlo4YX5+mh2288qcFa6v7N/u/KvlzBmkRcRk7",
+    "ssh.schmalge.project.host": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC8DvrhtCe2FQnMPf0caDgTTeyFYMjC/N6xJK9X7OkUgA0A5UPKYQm9/rurJsv9/1TziFYypGF+IMJT3X9/5O9DZMed2hPMmDjEJYYHXZdHT5vSeFf0WuSMWhDEQD757XVA+4ySbyw5+SKsF8HFtuao9moXYMijM+iHp3TWC8be3eJdGkooZundveGIK2xlcgTr3y2LfE9DFMvpx2q4WgDbLrrplvQdJE8eY3Vaz0o251c1PEoOkwCEGQdZxc9XzXHC+SoGV3YPx8WJqhqkM1ayxhOCKJohoN4Nm9H6fcl0tYJCX62+RPi7RRobPzmwbjre8lA2Ibfl3iJVvB830ipj",
+    "ssh.vehlage.project.host": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTi2M1JMT+yL8F6TVyMvVWpDKQJT9tIAfm32gt5FZoJBMI2NM0REh8eTrI0d5nTiaTQSFskKIXMP6kv1UONaFAWIeh6r5+l3GntyOxcakoE9hqsBzQECXyWGMbav47bkLG3JYaTJchlQeeaV05j53LYvVIjw3mdGQKhnhvyJ7T5TjGCZYU2vnzqCtdXHCXMKAcdfh0XtMLjHBn/GJOolH9jDIzjZo2WbwT5S11tZcOnARFoNxelgIuSHwepz+gbgAILEw8UxjwII0M6kXXM0XgyjL/blOjfbkgiy36qMhDwjsQvA2u336R+UfbONajvBs8heygdVmgPsVc5Uz1PqAD",
+    "ssh.gestringen.project.host": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCv2Ojw4TM0+jFyxUgd9EzAAb8mXIzG24yS4V0Md7yphrl9vgZOyEKFhy8KfXAN1qnT1lMQKwfRqthVnfQbbSBGLSrwF1ecbnNtcXX5eAPIP7ycI+PAJJsLmV2099DpXEh9bOrf+vai29OBwtrq1ukFXatocJbC4nKSPWaFuC6yPcgqTTGMZM3ZxVhl6ONtWyao/IoGgTIHiPGxvKqcmqYYU8Zs6VSnYqQ0Sp+v1S5lgECZsDZf+EvBUe53QW8hzqm7z54ef4Qwhn13ODXU7L75LbfKbe0NJdz5higqaiz9BuIMjfbOsBHSTau5suP5fg/3nWsB3KTjl+P1B4Ipow53",
+    "ssh.fiestel.project.host": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmLLYqOR4nTxPpUbayAdhf8BxcbjCdzllS4ERhAOb8tmvm29dKrI9RAoFBwHYZL6fh/GnO3lIXpJI0hPtFifsi7WfdtPxK2rk/D8Ijgp19fqhuVQPnDp8WDbPU6dW7xqlWHsPXLIBdfLvPdgkuyC2FBUYG705P6n048DyC8RTJOA57LZ79W5MiaEfxxSqns1l5amhky1qEUmiuW20Y/QJ3aKxliz+Gw6jdSKfM66mAH/3+JhRyB4oGSPoR3IFTjiba6PLhUYzCj1J9lyGxrNAe8vlJeu/wxFjjCqAC0BIyWE4wuxZdjeCjgCKOFIQAuB3ECFg7Qda5tGLPgG58Ni31",
+    "ssh.frotheim.project.host": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDffzlp4b+mFwmVN2aZrm5pwYj/q6VU6P2NKQWsuft3wgroWbo74p2DAqxG904DrcSZJ1ZBbG9up8hBewbMDgMX5pr+A4Nq0nFS7C3+ctrFfpaRXTGOcqxwKlNlrkqhOHDTRvNcZoFd8DseX07YdM5E9vXcRrEFcO4MNuO6jEKtFXE5KRo4SzMUvHrFpDrL608uvv5LTJynkRGu9zrK8AMgURrIGs4GuhsE1/sSYdtu1+r5sMm4tgCrkfxgEi6weJVG4ZCap6tokg/JojMnExNNnhFvNQEg3QiXHMn4vPh45jldezusodhad51mILMPqSmHlDLwuB0KWmfLQidzT+6j",
+    "ssh.isenstedt.project.host": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDA4BkiBXadL4ZCixqcOywUp+l4RnzNEtTTC+Gr+w1dQkXuGg5b6RGJmu+KodFgMyOTPwQMnhj0y0ZQKeHSQVQ4xYLO4kAZNc5AgGPuR9a1cozdLisL8E52fl6YP0ytqOtuH/hsKoIskz1Zl8xUP6mtgVqOT3sZtG29kh3JhngP+JBw94yUs0bOIO84ZPpFbEQ9hmkHMrkHgVoCYpgbV5hnY7tOSyKxWVEQChgXwWe11vpmZzv4XZtnP39bwLbiy4mnOkGqLreXb7kCAljF9hqCOyTaC+mSDdAMsM+qdy7A4SHj6RqCd77QHkmzHJ9gBUnGNX8xMN7+9Rlz3qxK6bqD",
+};
+/**
+ * Path to the mittwald CLI known_hosts file.
+ *
+ * @param configDir The oclif config directory (typically ~/.config/mw on
+ *   Linux/macOS)
+ */
+function getKnownHostsFilePath(configDir) {
+    return path.join(configDir, "known_hosts");
+}
+/** Returns the known hosts content in SSH known_hosts format. */
+export function getKnownHostsContent() {
+    return Object.entries(knownHostKeys)
+        .map(([host, key]) => `${host} ${key}`)
+        .join("\n");
+}
+/**
+ * Ensures that the mittwald known_hosts file exists and is up-to-date. Returns
+ * the path to the file.
+ *
+ * @param configDir The oclif config directory (typically ~/.config/mw on
+ *   Linux/macOS)
+ */
+export function ensureKnownHostsFile(configDir) {
+    const filePath = getKnownHostsFilePath(configDir);
+    // Ensure the directory exists
+    if (!fs.existsSync(configDir)) {
+        fs.mkdirSync(configDir, { recursive: true, mode: 0o700 });
+    }
+    // Write the known hosts file
+    const content = getKnownHostsContent();
+    fs.writeFileSync(filePath, content + "\n", { mode: 0o600 });
+    return filePath;
+}
+/**
+ * Returns SSH command-line options to use the embedded known hosts.
+ *
+ * These options configure SSH to use our embedded known hosts file as a
+ * "global" known hosts file, which is checked in addition to the user's own
+ * ~/.ssh/known_hosts file.
+ *
+ * @param configDir The oclif config directory (typically ~/.config/mw on
+ *   Linux/macOS)
+ */
+export function getSSHKnownHostsFlags(configDir) {
+    const knownHostsFile = ensureKnownHostsFile(configDir);
+    return ["-o", `GlobalKnownHostsFile=${knownHostsFile}`];
+}
+/**
+ * Returns the SSH options string for use with rsync's --rsh flag or scp.
+ *
+ * @example
+ *   // For rsync:
+ *   `--rsh "ssh ${getSSHKnownHostsArgsString(configDir)}"`;
+ *
+ * @example
+ *   // For scp:
+ *   `scp ${getSSHKnownHostsArgsString(configDir)} source dest`;
+ *
+ * @param configDir The oclif config directory (typically ~/.config/mw on
+ *   Linux/macOS)
+ */
+export function getSSHKnownHostsArgsString(configDir) {
+    const knownHostsFile = ensureKnownHostsFile(configDir);
+    return `-o GlobalKnownHostsFile=${knownHostsFile}`;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mittwald/cli",
-  "version": "1.13.3",
+  "version": "1.13.5",
   "description": "Hand-crafted CLI for the mittwald API",
   "license": "MIT",
   "repository": {