@occam-scaly/scaly-cli 0.2.4 → 0.2.6

package/bin/scaly.js

@@ -78,7 +78,8 @@ Usage:
   scaly db shell  --addon <addOnId> [--ttl-minutes 60] [--local-port 5432] [--host 127.0.0.1]
   scaly db schema dump --addon <addOnId> [--out .scaly/schema.sql] [--ttl-minutes 60]
   scaly db migrate <sql-file> --addon <addOnId> [--ttl-minutes 60] [--yes]
-  scaly deploy --app <appId> [--watch] [--strategy auto|git|restart] [--json]
+  scaly deploy --app <appId> [--watch] [--strategy auto|git|restart|upload] [--json]
+    - upload flags: [--path <dir>] [--preview] [--yes] [--allow-unsafe] [--max-bytes N] [--max-files N]
   scaly logs --follow --app <appId> [--since 10m] [--level error|warn|info|debug|all] [--q <str>] [--duration-seconds N] [--max-lines N] [--json]
   scaly accounts create --email <email> [--name <org>] [--region EU|US|CANADA|ASIA_PACIFIC]
   scaly stacks create --account <id> --name <stackName> [--size Eco|Basic|...] [--min-idle N]
@@ -1856,9 +1857,15 @@ async function runDeploy(rest) {
   const f = parseKv(rest);
   const json = parseBool(f.json, false);
   const watch = f.watch !== undefined ? parseBool(f.watch, true) : false;
-  const strategy = String(f.strategy || 'auto').toLowerCase(); // auto|git|restart
+  const strategy = String(f.strategy || 'auto').toLowerCase(); // auto|git|restart|upload
   const pollSeconds = Number(f['poll-seconds'] || 5);
   const timeoutMinutes = Number(f['timeout-minutes'] || 20);
+  const preview = parseBool(f.preview, false);
+  const yes = parseBool(f.yes, false);
+  const allowUnsafe = parseBool(f['allow-unsafe'], false);
+  const maxBytes = f['max-bytes'] != null ? Number(f['max-bytes']) : undefined;
+  const maxFiles = f['max-files'] != null ? Number(f['max-files']) : undefined;
+  const uploadPath = f.path || f['project-path'] || f.project_path || '.';
 
   const appId = f.app || f['app-id'] || (f._ && f._[0]);
   if (!appId) {
@@ -1964,6 +1971,140 @@ async function runDeploy(rest) {
     return ok ? 0 : 1;
   }
 
+  if (chosen === 'upload') {
+    const path = require('path');
+    const readline = require('readline');
+    const artifacts = require('../lib/scaly-artifacts');
+
+    const rootPath = path.resolve(process.cwd(), String(uploadPath || '.'));
+    const scalyIgnorePath = path.join(rootPath, '.scalyignore');
+
+    let plan;
+    try {
+      plan = await artifacts.planDirectoryUpload({
+        rootPath,
+        scalyIgnorePath,
+        maxBytes,
+        maxFiles,
+        allowUnsafe
+      });
+    } catch (e) {
+      const msg = String(e && e.message ? e.message : e);
+      const out = {
+        ok: false,
+        strategy: 'upload',
+        error: { message: msg, code: e && e.code, details: e && e.details }
+      };
+      if (json) console.log(JSON.stringify(out));
+      else console.error(msg);
+      return 2;
+    }
+
+    if (preview) {
+      const out = { ok: true, strategy: 'upload', preview: true, app, plan };
+      if (json) console.log(JSON.stringify(out));
+      else {
+        console.log(`[deploy] preview upload path=${rootPath}`);
+        console.log(
+          `[deploy] included=${plan.included_count} excluded=${plan.excluded_count} bytes=${plan.total_bytes}`
+        );
+        console.log(`[deploy] preview_hash=${plan.preview_hash}`);
+        if (plan.scalyignore_path)
+          console.log(`[deploy] using .scalyignore: ${plan.scalyignore_path}`);
+      }
+      return 0;
+    }
+
+    if (!yes) {
+      const rl = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout
+      });
+      const answer = await new Promise((resolve) =>
+        rl.question(
+          `Upload ${plan.included_count} files (${plan.total_bytes} bytes) for app ${app.name}? (y/N) `,
+          resolve
+        )
+      );
+      rl.close();
+      if (!/^y(es)?$/i.test(String(answer || '').trim())) {
+        if (json) console.log(JSON.stringify({ ok: false, aborted: true }));
+        else console.error('Aborted.');
+        return 1;
+      }
+    }
+
+    const tmpZip = artifacts.defaultTempZipPath({ appId });
+    let zipInfo;
+    try {
+      zipInfo = await artifacts.createZip({
+        rootPath,
+        files: plan.files,
+        outPath: tmpZip
+      });
+    } catch (e) {
+      const msg = String(e && e.message ? e.message : e);
+      if (json)
+        console.log(JSON.stringify({ ok: false, error: { message: msg } }));
+      else console.error(msg);
+      return 1;
+    }
+
+    let link;
+    try {
+      link = await deploy.createAppUploadLink(appId);
+    } catch (e) {
+      const msg = String(e && e.message ? e.message : e);
+      if (json)
+        console.log(JSON.stringify({ ok: false, error: { message: msg } }));
+      else console.error(msg);
+      return 1;
+    }
+    if (!link || !link.url) {
+      const msg = 'Failed to create upload link (missing url).';
+      if (json)
+        console.log(JSON.stringify({ ok: false, error: { message: msg } }));
+      else console.error(msg);
+      return 1;
+    }
+
+    try {
+      await artifacts.uploadToSignedUrl({
+        url: link.url,
+        filePath: zipInfo.out_path
+      });
+    } catch (e) {
+      const msg = String(e && e.message ? e.message : e);
+      if (json)
+        console.log(JSON.stringify({ ok: false, error: { message: msg } }));
+      else console.error(msg);
+      return 1;
+    }
+
+    const out = {
+      ok: true,
+      strategy: 'upload',
+      app,
+      upload: { bytes_uploaded: zipInfo.bytes_written, sha256: zipInfo.sha256 },
+      artifact: { path: zipInfo.out_path },
+      plan: {
+        included_count: plan.included_count,
+        excluded_count: plan.excluded_count,
+        total_bytes: plan.total_bytes,
+        preview_hash: plan.preview_hash
+      }
+    };
+
+    if (json) console.log(JSON.stringify(out));
+    else
+      console.log(
+        `[deploy] uploaded ${zipInfo.bytes_written} bytes (${zipInfo.sha256})`
+      );
+
+    // Upload triggers app version + deployment server-side.
+    return 0;
+  }
+
   // restart strategy
   const dep = await deploy.restartStackServices(app.stackId);
   if (!dep?.id) {

package/lib/scaly-api.js

@@ -254,6 +254,27 @@ const QUERIES = {
       }
     }
   `,
+  listAddOnsByType: `
+    query ListAddOnsByType($accountId: String!, $type: AddOnTypeEnum!, $take: Int) {
+      listAddOns(
+        where: {
+          AND: [
+            { accountId: { equals: $accountId } }
+            { type: { equals: $type } }
+            { isDeleted: { equals: false } }
+          ]
+        }
+        take: $take
+      ) {
+        id
+        name
+        type
+        accountId
+        status
+        addOnCognito { userPoolName }
+      }
+    }
+  `,
   listStacks: `
     query ListStacks($take: Int) {
       listStacks(
@@ -351,6 +372,15 @@ async function findAddOnByName({ name, accountId }) {
   return data?.listAddOns || [];
 }
 
+async function listAddOnsByType({ accountId, type, take = 10 }) {
+  const data = await graphqlRequest(QUERIES.listAddOnsByType, {
+    accountId,
+    type,
+    take
+  });
+  return data?.listAddOns || [];
+}
+
 async function createStack({ accountId, name, size, minIdle }) {
   const data = await graphqlRequest(MUTATIONS.createStack, {
     data: {
@@ -419,6 +449,7 @@ module.exports = {
   findStackByName,
   findAppByName,
   findAddOnByName,
+  listAddOnsByType,
   listStacks,
   listApps,
   createStack,

package/lib/scaly-artifacts.js

@@ -0,0 +1,295 @@
+'use strict';
+
+const crypto = require('crypto');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const fg = require('fast-glob');
+const ignore = require('ignore');
+const archiver = require('archiver');
+
+const DEFAULT_MAX_BYTES = 100 * 1024 * 1024; // 100MB
+const DEFAULT_MAX_FILES = 25_000;
+
+const SAFE_DEFAULT_IGNORE = [
+  '.git/',
+  'node_modules/',
+  '.venv/',
+  'venv/',
+  '__pycache__/',
+  '.pytest_cache/',
+  '.mypy_cache/',
+  '.ruff_cache/',
+  '.next/',
+  '.turbo/',
+  'dist/',
+  'build/',
+  '.DS_Store'
+];
+
+const SENSITIVE_PATH_PATTERNS = [
+  // dotenv
+  /(^|\/)\.env(\..*)?$/i,
+  // ssh / aws creds
+  /(^|\/)\.ssh(\/|$)/i,
+  /(^|\/)\.aws(\/|$)/i,
+  // common package registry credentials
+  /(^|\/)\.npmrc$/i,
+  /(^|\/)\.pypirc$/i,
+  // docker registry auth
+  /(^|\/)\.docker\/config\.json$/i,
+  // kubernetes creds
+  /(^|\/)\.kube(\/|$)/i,
+  /(^|\/)(kubeconfig|.*\.kubeconfig)$/i,
+  // terraform state (often contains secrets)
+  /(^|\/).*\.tfstate(\.backup)?$/i,
+  /(^|\/)terraform\.tfstate(\.backup)?$/i,
+  // GCP service account keys / generic credentials files
+  /(^|\/)credentials\.json$/i,
+  /(^|\/)service-account.*\.json$/i,
+  // keystores / pkcs
+  /\.p12$/i,
+  /\.pfx$/i,
+  /\.keystore$/i,
+  /\.jks$/i,
+  // generic "secrets" files (defense-in-depth; can be overridden)
+  /(^|\/).*secrets?.*\.(ya?ml|json)$/i,
+  // private keys
+  /\.pem$/i,
+  /\.key$/i,
+  /id_rsa/i,
+  /id_ed25519/i
+];
+
+function isSensitivePath(relPath) {
+  const p = String(relPath || '').replace(/\\/g, '/');
+  return SENSITIVE_PATH_PATTERNS.some((re) => re.test(p));
+}
+
+function readLinesIfExists(filePath) {
+  try {
+    if (!fs.existsSync(filePath)) return [];
+    const text = fs.readFileSync(filePath, 'utf8');
+    return text
+      .split(/\r?\n/g)
+      .map((l) => l.trim())
+      .filter((l) => l && !l.startsWith('#'));
+  } catch {
+    return [];
+  }
+}
+
+function buildIgnoreMatcher({ rootPath, scalyIgnorePath }) {
+  const ig = ignore();
+  ig.add(SAFE_DEFAULT_IGNORE);
+  const scalyIgnoreLines = readLinesIfExists(scalyIgnorePath);
+  if (scalyIgnoreLines.length) ig.add(scalyIgnoreLines);
+  return { ig, scalyIgnoreLines };
+}
+
+async function planDirectoryUpload({
+  rootPath,
+  scalyIgnorePath,
+  maxBytes = DEFAULT_MAX_BYTES,
+  maxFiles = DEFAULT_MAX_FILES,
+  allowUnsafe = false
+}) {
+  const absRoot = path.resolve(String(rootPath || '.'));
+  const stat = fs.statSync(absRoot);
+  if (!stat.isDirectory()) {
+    const e = new Error(`Not a directory: ${absRoot}`);
+    e.code = 'SCALY_ARTIFACT_NOT_DIR';
+    throw e;
+  }
+
+  const { ig, scalyIgnoreLines } = buildIgnoreMatcher({
+    rootPath: absRoot,
+    scalyIgnorePath
+  });
+
+  const entries = await fg(['**/*'], {
+    cwd: absRoot,
+    dot: true,
+    onlyFiles: true,
+    followSymbolicLinks: false
+  });
+
+  if (entries.length > maxFiles) {
+    const e = new Error(
+      `Too many files to upload (${entries.length} > ${maxFiles}). Add exclusions to .scalyignore or increase --max-files.`
+    );
+    e.code = 'SCALY_ARTIFACT_TOO_MANY_FILES';
+    throw e;
+  }
+
+  const included = [];
+  const excluded = [];
+  const blockedSensitive = [];
+  let totalBytes = 0;
+  const largest = [];
+
+  for (const rel of entries) {
+    const relPosix = String(rel).replace(/\\/g, '/');
+
+    if (ig.ignores(relPosix)) {
+      excluded.push(relPosix);
+      continue;
+    }
+
+    const abs = path.join(absRoot, rel);
+    const st = fs.lstatSync(abs);
+    if (st.isSymbolicLink()) {
+      excluded.push(relPosix);
+      continue;
+    }
+
+    if (!allowUnsafe && isSensitivePath(relPosix)) {
+      blockedSensitive.push(relPosix);
+      continue;
+    }
+
+    const size = st.size || 0;
+    totalBytes += size;
+    included.push({ path: relPosix, bytes: size });
+
+    if (largest.length < 10) {
+      largest.push({ path: relPosix, bytes: size });
+      largest.sort((a, b) => b.bytes - a.bytes);
+    } else if (size > largest[largest.length - 1].bytes) {
+      largest[largest.length - 1] = { path: relPosix, bytes: size };
+      largest.sort((a, b) => b.bytes - a.bytes);
+    }
+
+    if (totalBytes > maxBytes) {
+      const e = new Error(
+        `Upload too large (${totalBytes} bytes > ${maxBytes}). Add exclusions to .scalyignore, lower artifacts, or increase --max-bytes.`
+      );
+      e.code = 'SCALY_ARTIFACT_TOO_LARGE';
+      e.details = { total_bytes: totalBytes, max_bytes: maxBytes };
+      throw e;
+    }
+  }
+
+  if (!allowUnsafe && blockedSensitive.length) {
+    const e = new Error(
+      `Refusing to upload ${blockedSensitive.length} potentially sensitive files. Add them to .scalyignore or re-run with --allow-unsafe.`
+    );
+    e.code = 'SCALY_ARTIFACT_SENSITIVE';
+    e.details = { blocked: blockedSensitive.slice(0, 50) };
+    throw e;
+  }
+
+  const previewHash = crypto
+    .createHash('sha256')
+    .update(
+      JSON.stringify(
+        included
+          .slice()
+          .sort((a, b) => a.path.localeCompare(b.path))
+          .map((f) => [f.path, f.bytes])
+      )
+    )
+    .digest('hex');
+
+  return {
+    root: absRoot,
+    scalyignore_path:
+      scalyIgnorePath && fs.existsSync(scalyIgnorePath)
+        ? scalyIgnorePath
+        : null,
+    scalyignore_rules: scalyIgnoreLines,
+    safe_default_rules: SAFE_DEFAULT_IGNORE,
+    allow_unsafe: !!allowUnsafe,
+    included_count: included.length,
+    excluded_count: excluded.length,
+    total_bytes: totalBytes,
+    largest_files: largest,
+    preview_hash: `sha256:${previewHash}`,
+    files: included
+  };
+}
+
+async function createZip({ rootPath, files, outPath }) {
+  const absRoot = path.resolve(String(rootPath || '.'));
+  const absOut = path.resolve(String(outPath));
+  fs.mkdirSync(path.dirname(absOut), { recursive: true });
+
+  const output = fs.createWriteStream(absOut);
+  const archive = archiver('zip', { zlib: { level: 9 } });
+  const hash = crypto.createHash('sha256');
+  let bytesWritten = 0;
+
+  const done = new Promise((resolve, reject) => {
+    output.on('close', () =>
+      resolve({
+        out_path: absOut,
+        bytes_written: bytesWritten,
+        sha256: `sha256:${hash.digest('hex')}`
+      })
+    );
+    output.on('error', reject);
+    archive.on('error', reject);
+  });
+
+  archive.on('data', (chunk) => {
+    bytesWritten += chunk.length;
+    hash.update(chunk);
+  });
+
+  archive.pipe(output);
+
+  for (const entry of files || []) {
+    const rel = typeof entry === 'string' ? entry : entry.path;
+    if (!rel) continue;
+    const abs = path.join(absRoot, rel);
+    archive.file(abs, { name: rel });
+  }
+
+  await archive.finalize();
+  return await done;
+}
+
+function defaultTempZipPath({ appId }) {
+  const safe = String(appId || 'app')
+    .replace(/[^a-zA-Z0-9._-]/g, '_')
+    .slice(0, 64);
+  return path.join(os.tmpdir(), `scaly-upload-${safe}-${Date.now()}.zip`);
+}
+
+async function uploadToSignedUrl({
+  url,
+  filePath,
+  contentType = 'application/zip'
+}) {
+  const axios = require('axios');
+  const abs = path.resolve(String(filePath));
+  const st = fs.statSync(abs);
+  const stream = fs.createReadStream(abs);
+  const res = await axios.put(url, stream, {
+    headers: {
+      'content-type': contentType,
+      'content-length': st.size
+    },
+    maxBodyLength: Infinity,
+    maxContentLength: Infinity,
+    timeout: 10 * 60_000,
+    validateStatus: () => true
+  });
+  if (res.status < 200 || res.status >= 300) {
+    const e = new Error(`Upload failed (HTTP ${res.status})`);
+    e.code = 'SCALY_UPLOAD_FAILED';
+    throw e;
+  }
+  return { ok: true, status: res.status, bytes_uploaded: st.size };
+}
+
+module.exports = {
+  DEFAULT_MAX_BYTES,
+  DEFAULT_MAX_FILES,
+  SAFE_DEFAULT_IGNORE,
+  planDirectoryUpload,
+  createZip,
+  defaultTempZipPath,
+  uploadToSignedUrl
+};

package/lib/scaly-deploy.js

@@ -36,6 +36,12 @@ const TRIGGER_GIT_DEPLOY = `
   }
 `;
 
+const CREATE_APP_UPLOAD_LINK = `
+  mutation CreateAppUploadLink($where: AppWhereUniqueInput!) {
+    createAppUploadLink(where: $where) { url }
+  }
+`;
+
 const LIST_GIT_DEPLOYMENTS = `
   query ListGitDeployments($appId: String!, $limit: Int) {
     listGitDeployments(appId: $appId, limit: $limit) {
@@ -110,6 +116,13 @@ async function triggerGitDeploy(appId) {
   return data?.triggerGitDeploy || null;
 }
 
+async function createAppUploadLink(appId) {
+  const data = await api.graphqlRequest(CREATE_APP_UPLOAD_LINK, {
+    where: { id: appId }
+  });
+  return data?.createAppUploadLink || null;
+}
+
 async function listGitDeployments(appId, limit = 10) {
   const data = await api.graphqlRequest(LIST_GIT_DEPLOYMENTS, { appId, limit });
   return data?.listGitDeployments || [];
@@ -131,6 +144,7 @@ module.exports = {
   getAppBasic,
   getAppGitSource,
   triggerGitDeploy,
+  createAppUploadLink,
   listGitDeployments,
   restartStackServices,
   getDeployment

package/lib/scaly-plan.js

@@ -122,6 +122,12 @@ async function buildPlan({ config, env, appName }) {
     accountId = await resolveAccountId({ config });
   }
 
+  const requestedAuthPools = new Set();
+  for (const a of filteredApps) {
+    const pool = a && a.auth && a.auth.userPool;
+    if (typeof pool === 'string' && pool.trim()) requestedAuthPools.add(pool);
+  }
+
   let stackOpId = null;
   if (!currentStack) {
     stackOpId = 'op_stack_create';
@@ -258,6 +264,7 @@ async function buildPlan({ config, env, appName }) {
 
   if (Array.isArray(config.addons) && config.addons.length) {
     let addOnReadable = true;
+    let existingUserPools = null;
     for (const addOn of config.addons) {
       if (!addOn || typeof addOn !== 'object') continue;
       const apiType = mapAddOnType(addOn.type);
@@ -274,6 +281,28 @@ async function buildPlan({ config, env, appName }) {
 
       let currentAddOn = null;
       try {
+        if (apiType === 'COGNITO') {
+          try {
+            existingUserPools =
+              existingUserPools ||
+              (await api.listAddOnsByType({
+                accountId,
+                type: 'COGNITO',
+                take: 10
+              }));
+          } catch {
+            existingUserPools = null;
+          }
+          if (
+            Array.isArray(existingUserPools) &&
+            existingUserPools.length > 1
+          ) {
+            warnings.push(
+              `Multiple user groups add-ons exist in this account (${existingUserPools.length}). Scaly typically expects one user pool per account.`
+            );
+          }
+        }
+
         const list = await api.findAddOnByName({ name: addOn.name, accountId });
         currentAddOn = list?.[0] || null;
         if (list.length > 1) {
@@ -291,6 +320,44 @@ async function buildPlan({ config, env, appName }) {
       }
 
       if (!currentAddOn) {
+        if (apiType === 'COGNITO') {
+          const allowMultiple =
+            addOn.allow_multiple_user_pools === true ||
+            addOn.allowMultipleUserPools === true ||
+            config?.account?.allow_multiple_user_pools === true ||
+            config?.account?.allowMultipleUserPools === true;
+
+          const existing =
+            Array.isArray(existingUserPools) && existingUserPools.length
+              ? existingUserPools[0]
+              : null;
+
+          if (existing && !allowMultiple) {
+            warnings.push(
+              `User groups add-on '${addOn.name}' would create a new user pool, but this account already has '${existing.name}'. Reusing the existing pool is recommended to avoid "missing users" surprises. To create multiple pools, set addons[].allow_multiple_user_pools: true.`
+            );
+            if (requestedAuthPools.has(addOn.name)) {
+              warnings.push(
+                `app.auth.userPool is set to '${addOn.name}'. Consider changing it to '${existing.name}' to keep existing users.`
+              );
+            }
+            ops.push({
+              id: `op_addon_noop_${existing.name}`,
+              kind: 'addon',
+              action: 'noop',
+              resource: {
+                type: 'addon',
+                name: existing.name,
+                id: existing.id
+              },
+              current: pick(existing, ['id', 'name', 'type', 'accountId']),
+              desired: { name: existing.name, type: apiType, accountId },
+              diff: []
+            });
+            continue;
+          }
+        }
+
         const desired = { name: addOn.name, type: apiType, accountId };
         if (apiType === 'DATABASE') {
           const dbType = mapDbEngine(addOn.engine);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@occam-scaly/scaly-cli",
-  "version": "0.2.4",
+  "version": "0.2.6",
   "description": "Scaly CLI (auth + project config helpers)",
   "bin": {
     "scaly": "./bin/scaly.js"
@@ -10,6 +10,9 @@
   },
   "dependencies": {
     "axios": "^1.7.9",
+    "archiver": "^7.0.1",
+    "fast-glob": "^3.3.3",
+    "ignore": "^7.0.5",
     "ws": "^8.18.3",
     "yaml": "^2.8.1"
   },