@mutmutco/cli 2.21.0 → 2.23.0

package/dist/main.cjs

@@ -6172,6 +6172,7 @@ function derivedStagePlan(derived, shell2, stops = true) {
 function stageLivePlan() {
   return [
     { label: "stage-live is not an org command; /stage is local only", command: "mmi-cli stage run --apply" },
+    { label: "personal IP-gated cloud dev stage (on-demand, #1060)", command: "mmi-cli stage --live --apply" },
     { label: "remote rc/live environments move through the gated promotion train", command: "mmi-cli rcand && mmi-cli release && mmi-cli hotfix", gated: true }
   ];
 }
@@ -6218,6 +6219,21 @@ function trainPlan(command, options = {}) {
         { label: "roll development forward", gated: true }
       ];
     }
+    if (options.dev) {
+      return [
+        { label: "verify operator is a master-admin org owner", command: "gh api orgs/<owner>/memberships/<login> --jq .role", gated: true },
+        { label: "verify current branch is development", gated: true },
+        { label: "guard: refuse if origin/rc carries content not in development (a dev -> main release would drop it)", command: "git rev-list --count --right-only --cherry-pick --no-merges origin/development...origin/rc", gated: true },
+        { label: "verify registry META for this project", command: "mmi-cli project get <owner/repo>", gated: true },
+        { label: "preflight required main secret names", command: "mmi-cli secrets preflight --stage main --repo <owner/repo>", gated: true },
+        { label: "merge development to main (rc skipped)", gated: true },
+        { label: "fold the version bump into the release commit \u2014 runs inside the apply step, no separate bump PR", gated: true },
+        { label: "tag release and publish GitHub Release", gated: true },
+        { label: "trigger the deploy path for this repo model, returning Hub Actions run id/url data (and, with --watch, its outcome)", command: "tenant-container: gh workflow run tenant-deploy.yml ... then gh run list/watch", gated: true },
+        { label: "retire the rc runtime (rc is ephemeral \u2014 non-fatal, reported as rcRetirement)", command: "mmi-cli tenant control <owner/repo> rc retire", gated: true },
+        { label: "roll development forward and align rc to the released main", gated: true }
+      ];
+    }
     return [
       { label: "verify operator is a master-admin org owner", command: "gh api orgs/<owner>/memberships/<login> --jq .role", gated: true },
       { label: "verify current branch is rc", gated: true },
@@ -6862,11 +6878,92 @@ function buildHubCompatCheck(input) {
   return { ok: versionAtLeast(input.installedVersion, min), label: `${label}: requires >= ${min}`, fix: HUB_COMPAT_FIX };
 }
 
+// src/stage-live.ts
+var import_node_net = require("node:net");
+var STAGE_LIVE_HUB_REPO = "mutmutco/MMI-Hub";
+var IP_ECHO_URL = "https://api.ipify.org";
+var IP_DETECT_TIMEOUT_MS = 1e4;
+function validStageLiveIp(ip) {
+  return (0, import_node_net.isIP)(ip.trim()) !== 0;
+}
+async function detectPublicIp(fetchImpl = fetch) {
+  let res;
+  try {
+    res = await fetchImpl(IP_ECHO_URL, { signal: AbortSignal.timeout(IP_DETECT_TIMEOUT_MS) });
+  } catch (e) {
+    throw new Error(`public IP detection failed (${IP_ECHO_URL}): ${e.message}`);
+  }
+  if (!res.ok) throw new Error(`public IP detection failed: HTTP ${res.status} from ${IP_ECHO_URL}`);
+  const ip = (await res.text()).trim();
+  if (!validStageLiveIp(ip)) throw new Error(`public IP detection returned a non-IP body from ${IP_ECHO_URL}: "${ip.slice(0, 80)}"`);
+  return ip;
+}
+function ghDispatchArgs(workflow, inputs) {
+  const args = ["workflow", "run", workflow, "--repo", STAGE_LIVE_HUB_REPO];
+  for (const [key, value] of Object.entries(inputs)) args.push("-f", `${key}=${value}`);
+  return args;
+}
+function stageLiveUpSteps(t) {
+  return [
+    { label: `detect your public IP (${IP_ECHO_URL}, bounded)` },
+    {
+      label: `deploy ${t.ref ?? "<current branch>"} to the ${t.slug} dev stage via the central deployer`,
+      command: `gh ${ghDispatchArgs("tenant-deploy.yml", { slug: t.slug, repo: t.repo, ref: t.ref ?? "<branch>", stage: "dev" }).join(" ")}`
+    },
+    {
+      label: "record your IP as the dev allowlist (box writes /opt/mmi/<slug>/dev/allowlist + reloads Caddy)",
+      command: `gh ${ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "allow-ip", ip: "<your ip>" }).join(" ")}`
+    },
+    { label: "tear down when done", command: "mmi-cli stage --live --down --apply" }
+  ];
+}
+function stageLiveDownSteps(t) {
+  return [
+    {
+      label: `stop the ${t.slug} dev runtime`,
+      command: `gh ${ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "stop" }).join(" ")}`
+    },
+    {
+      label: "clear the dev allowlist (the stage goes dark even if restarted)",
+      command: `gh ${ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "allow-ip", ip: "clear" }).join(" ")}`
+    }
+  ];
+}
+async function runStageLiveUp(deps, t) {
+  if (!t.ref?.trim()) throw new Error("stage --live: cannot resolve the current branch to deploy");
+  const ip = (await deps.detectIp()).trim();
+  if (!validStageLiveIp(ip)) throw new Error(`stage --live: detected public IP is not a literal IPv4/IPv6 address: "${ip.slice(0, 80)}"`);
+  await deps.run("gh", ghDispatchArgs("tenant-deploy.yml", { slug: t.slug, repo: t.repo, ref: t.ref, stage: "dev" }));
+  await deps.run("gh", ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "allow-ip", ip }));
+  return {
+    command: "stage --live",
+    mode: "up",
+    slug: t.slug,
+    repo: t.repo,
+    ref: t.ref,
+    ip,
+    dispatched: ["tenant-deploy.yml", "tenant-control.yml"],
+    message: `dispatched the dev deploy of ${t.ref} and the allowlist update for ${ip}; watch the runs in ${STAGE_LIVE_HUB_REPO} Actions \u2014 tear down with: mmi-cli stage --live --down --apply`
+  };
+}
+async function runStageLiveDown(deps, t) {
+  await deps.run("gh", ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "stop" }));
+  await deps.run("gh", ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "allow-ip", ip: "clear" }));
+  return {
+    command: "stage --live",
+    mode: "down",
+    slug: t.slug,
+    repo: t.repo,
+    dispatched: ["tenant-control.yml", "tenant-control.yml"],
+    message: `dispatched the dev stop and allowlist clear for ${t.slug}; the dev stage is dark until the next mmi-cli stage --live --apply`
+  };
+}
+
 // src/stage-runner.ts
 var import_node_child_process6 = require("node:child_process");
 var import_node_fs8 = require("node:fs");
 var import_node_path8 = require("node:path");
-var import_node_net = require("node:net");
+var import_node_net2 = require("node:net");
 var import_node_util6 = require("node:util");
 var execFileP4 = (0, import_node_util6.promisify)(import_node_child_process6.execFile);
 function stageStatePath(cwd = process.cwd()) {
@@ -6916,7 +7013,7 @@ function pickStagePort(range, isFree) {
 }
 function isPortFree(port) {
   return new Promise((resolve) => {
-    const srv = (0, import_node_net.createServer)();
+    const srv = (0, import_node_net2.createServer)();
     srv.once("error", () => resolve(false));
     srv.once("listening", () => srv.close(() => resolve(true)));
     srv.listen(port, "127.0.0.1");
@@ -7642,9 +7739,93 @@ async function runTrainApply(command, deps, options = {}) {
       rcRetirement: "not-applicable",
       rcRetirementNote: "direct-track release skips rc; no rc runtime to retire",
       announceNote: announceNote2,
+      // #1062: --dev on a direct-track repo is a friendly no-op — it already releases from development.
+      devNote: options.dev ? "--dev is a no-op on a direct-track repo \u2014 it already releases development -> main" : void 0,
       release: { tag: tag2, url: releaseUrl2, targetSha: releaseSha2 }
     };
   }
+  if (command === "release" && options.dev) {
+    await requireBranch(deps, "development");
+    await deps.run("git", ["pull", "--ff-only", "origin", "development"]);
+    const rcOnlyOut = (await deps.run("git", ["rev-list", "--count", "--right-only", "--cherry-pick", "--no-merges", "origin/development...origin/rc"])).trim();
+    const rcOnly = Number.parseInt(rcOnlyOut, 10);
+    if (!Number.isFinite(rcOnly)) throw new Error(`release --dev: could not count rc-only commits for the guard: ${rcOnlyOut || "(empty)"}`);
+    if (rcOnly > 0) {
+      throw new Error(
+        `release --dev refused: origin/rc carries ${rcOnly} commit(s) not in origin/development \u2014 a development -> main release would drop that rc-only content. Land it on development first, or release the candidate via the default rc -> main path, then rerun.`
+      );
+    }
+    ensurePositiveCount(
+      await deps.run("git", ["rev-list", "--count", "origin/main..origin/development"]),
+      "nothing to release: origin/development is not ahead of origin/main"
+    );
+    const deployModel2 = await preflight(deps, ctx, "main", meta);
+    const tag2 = requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "cycle"])), "release tag");
+    const rcShaAtRelease = clean(await deps.run("git", ["rev-parse", "origin/rc"]));
+    const foldPaths2 = await resolveFoldPaths(deps, deployModel2);
+    const tolerated2 = [...foldPaths2, ...RELEASE_TOLERATED_PATHS];
+    const predicted2 = await predictMergeConflicts(deps, "origin/main", "origin/development");
+    const predictedBlocking2 = predicted2.filter((f) => !isSpinePath(f) && !tolerated2.includes(f));
+    if (predictedBlocking2.length > 0) {
+      throw new Error(
+        `development -> main merge would conflict on non-spine path(s): ${predictedBlocking2.join(", ")} \u2014 no merge was started. The train is misaligned: reconcile main and development via an approved alignment PR, then rerun release.`
+      );
+    }
+    await deps.run("git", ["checkout", "main"]);
+    await deps.run("git", ["pull", "--ff-only", "origin", "main"]);
+    if (predicted2.length === 0) {
+      await deps.run("git", ["merge", "development", "--no-edit"]);
+    } else {
+      await mergeWithSpineResolution(deps, "development", "development -> main", "theirs", tolerated2);
+    }
+    const versionFold2 = await foldReleaseVersion(deps, deployModel2, tag2, foldPaths2);
+    const releaseSha2 = requireValue(clean(await deps.run("git", ["rev-parse", "main"])), "release sha");
+    await ensureTagPushed(deps, tag2, releaseSha2);
+    const requiredChecks2 = await discoverRequiredCheckContexts(deps, ctx, "main");
+    const checks2 = await waitForRequiredTrainChecks(deps, ctx, releaseSha2, requiredChecks2);
+    await deps.run("git", ["push", "origin", "main"]);
+    const releaseUrl2 = clean(await deps.run("gh", ["release", "create", tag2, "--generate-notes", "--latest", "--repo", ctx.repo])) || void 0;
+    const announceNote2 = deps.announce ? (await deps.announce({ repo: ctx.repo, tag: tag2, summaryFile: options.announceSummaryFile })).note : void 0;
+    const autoRunSince2 = (deps.now ?? Date.now)();
+    const d2 = await dispatchDeploy(deps, ctx, "main", "main", deployModel2, watch, autoRunSince2, releaseSha2);
+    const retirement2 = await retireRcRuntime(deps, ctx, deployModel2, d2.deployStatus, rcShaAtRelease);
+    await deps.run("git", ["checkout", "development"]);
+    await deps.run("git", ["pull", "--ff-only", "origin", "development"]);
+    await deps.run("git", ["merge", "main", "--no-edit"]);
+    await deps.run("git", ["push", "origin", "development"]);
+    let rcAlignment2;
+    try {
+      await deps.run("git", ["push", "origin", "main:rc"]);
+      rcAlignment2 = "origin/rc aligned to the released main";
+    } catch (e) {
+      rcAlignment2 = `rc alignment push failed \u2014 align manually with \`git push origin main:rc\`: ${e instanceof Error ? e.message : String(e)}`;
+    }
+    const environments2 = await buildEnvironments(deps, ctx, deployModel2, d2.deployStatus, retirement2);
+    return {
+      ...ctx,
+      command,
+      stage: "main",
+      ref: "main",
+      tag: tag2,
+      deployModel: deployModel2,
+      promoted: true,
+      checks: checks2,
+      versionFold: versionFold2,
+      dispatch: d2.note,
+      runId: d2.runId,
+      runUrl: d2.runUrl,
+      workflowRuns: d2.workflowRuns,
+      deployStatus: d2.deployStatus,
+      rcRetirement: retirement2.status,
+      rcRetirementNote: retirement2.note,
+      rcRetirementCategory: retirement2.category,
+      rcAlignment: rcAlignment2,
+      announceNote: announceNote2,
+      devNote: "released development -> main (--dev), skipping the rc candidate",
+      release: { tag: tag2, url: releaseUrl2, targetSha: releaseSha2 },
+      environments: environments2
+    };
+  }
   await requireBranch(deps, "rc");
   ensurePositiveCount(
     await deps.run("git", ["rev-list", "--count", "origin/main..origin/rc"]),
@@ -12550,7 +12731,39 @@ program2.command("port-range <repo>").description("assign (idempotently) + print
     printLine(`${repo}: stage.portRange [${start}, ${end}]${write.ok ? "" : ` (META not persisted: ${write.error ?? `HTTP ${write.status}`})`}`);
   }
 });
-var stage = program2.command("stage").description("plan or run the repo local stage environment").option("--json", "machine-readable output").option("--apply", "run the full local stage: stop previous, build, start, health-check").option("--timeout-ms <ms>", "bounded build/health timeout", "60000").action(async (o) => {
+async function stageLiveTarget() {
+  const repo = await resolveRepo();
+  if (!repo) throw new Error("stage --live: cannot resolve the current repo (run inside a GitHub-remoted checkout)");
+  const ref = await gitOut(["rev-parse", "--abbrev-ref", "HEAD"]).catch(() => "") || void 0;
+  return { slug: slugOf(repo), repo, ref };
+}
+async function runStageLiveCommand(o) {
+  let target;
+  try {
+    target = await stageLiveTarget();
+  } catch (e) {
+    return failGraceful(e.message);
+  }
+  const mode = o.down ? "down" : "up";
+  if (!o.apply) {
+    const steps = o.down ? stageLiveDownSteps(target) : stageLiveUpSteps(target);
+    if (o.json) return console.log(JSON.stringify({ command: "stage --live", mode, slug: target.slug, repo: target.repo, ref: o.down ? void 0 : target.ref, steps }, null, 2));
+    return console.log(renderSteps(`mmi-cli stage --live${o.down ? " --down" : ""}: dry-run plan`, steps));
+  }
+  const deps = {
+    detectIp: () => detectPublicIp(),
+    run: async (file, args) => (await execFileP2(file, args, { timeout: GH_MUTATION_TIMEOUT_MS })).stdout
+  };
+  try {
+    const result = o.down ? await runStageLiveDown(deps, target) : await runStageLiveUp(deps, target);
+    return printLine(o.json ? JSON.stringify(result) : `mmi-cli stage --live: ${result.message}`);
+  } catch (e) {
+    return failGraceful(`stage --live: ${e.message}`);
+  }
+}
+var stage = program2.command("stage").description("plan or run the repo local stage environment; --live = personal IP-gated cloud dev stage").option("--json", "machine-readable output").option("--apply", "run the full local stage: stop previous, build, start, health-check").option("--live", "personal cloud dev stage: deploy the current branch to the dev runtime, served only to your public IP").option("--down", "with --live: stop the dev runtime and clear the IP allowlist").option("--timeout-ms <ms>", "bounded build/health timeout", "60000").action(async (o) => {
+  if (o.down && !o.live) return fail("stage: --down applies to --live only (local teardown is `mmi-cli stage stop --apply`)");
+  if (o.live) return runStageLiveCommand(o);
   const res = await resolveStage();
   if (o.apply) {
     if (res.source === "none") return failGraceful(`stage: ${res.gap}`);
@@ -12718,6 +12931,7 @@ function renderTrainApply(commandName, r) {
   let base = `mmi-cli ${commandName}: promoted ${r.repo} \u2192 ${r.stage} at ${r.tag} [${r.deployModel}]; ${renderDeployLine(r)}`;
   if (r.versionFold) base = `${base}; ${r.versionFold}`;
   if (r.resumeNote) base = `${base}; ${r.resumeNote}`;
+  if (r.devNote) base = `${base}; ${r.devNote}`;
   if (r.rcRetirement) base = `${base}; rc retirement: ${r.rcRetirement.toUpperCase()} (${r.rcRetirementNote ?? ""})`;
   return r.announceNote ? `${base}; announce: ${r.announceNote}` : base;
 }
@@ -12733,7 +12947,7 @@ async function resolveRcandPlanTargets() {
   }
 }
 for (const commandName of ["rcand", "release"]) {
-  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the deploy/publish workflow runs and report their outcomes").option("--apply", "execute the guarded master-only train after explicit approval").option("--announce-summary-file <path>", "release only: agent-curated summary lines for the Hub Slack announcement (#883)").option("--ack <shas>", "release only: comma-separated dev shas a human verified are in the candidate, overriding the hotfix-coverage guard for a conflicted port whose -x trailer was lost (#958)").action(async (o) => {
+  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the deploy/publish workflow runs and report their outcomes").option("--apply", "execute the guarded master-only train after explicit approval").option("--announce-summary-file <path>", "release only: agent-curated summary lines for the Hub Slack announcement (#883)").option("--ack <shas>", "release only: comma-separated dev shas a human verified are in the candidate, overriding the hotfix-coverage guard for a conflicted port whose -x trailer was lost (#958)").option("--dev", "release only: full-track repos release development -> main directly, skipping rc (refuses if rc carries content not in development; no-op on direct-track repos) (#1062)").action(async (o) => {
     try {
       await requireFreshTrainCli(commandName);
     } catch (e) {
@@ -12742,10 +12956,13 @@ for (const commandName of ["rcand", "release"]) {
     if (o.ack && commandName !== "release") {
       return fail("--ack applies only to release: it overrides the rc -> main hotfix-coverage guard, which rcand does not run");
     }
+    if (o.dev && commandName !== "release") {
+      return fail("--dev applies only to release: it ships development -> main skipping rc, which rcand cannot do");
+    }
     if (o.apply) {
       try {
         const ack = (o.ack ?? "").split(",").map((s) => s.trim()).filter(Boolean);
-        const result = await runTrainApply(commandName, trainApplyDeps(), { watch: o.watch, announceSummaryFile: o.announceSummaryFile, ack });
+        const result = await runTrainApply(commandName, trainApplyDeps(), { watch: o.watch, announceSummaryFile: o.announceSummaryFile, ack, dev: o.dev });
         return printLine(o.json ? JSON.stringify(result, null, 2) : renderTrainApply(commandName, result));
       } catch (e) {
         return failGraceful(`${commandName}: ${e.message}`);
@@ -12753,7 +12970,7 @@ for (const commandName of ["rcand", "release"]) {
     }
     const repo = await resolveRepo();
     const targets = commandName === "rcand" ? await resolveRcandPlanTargets() : void 0;
-    const steps = trainPlan(commandName, { ...targets ?? {}, repo });
+    const steps = trainPlan(commandName, { ...targets ?? {}, repo, dev: o.dev });
     console.log(
       o.json ? JSON.stringify({ command: commandName, ...targets ?? {}, repo, steps }, null, 2) : renderSteps(`mmi-cli ${commandName}: dry-run plan`, steps)
     );

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mutmutco/cli",
-  "version": "2.21.0",
+  "version": "2.23.0",
   "description": "MMI Future CLI — delivers the org rules (whole-file), plus saga and KB access. The cross-IDE engine the plugin's SessionStart hook drives.",
   "type": "module",
   "license": "UNLICENSED",