@percepta/create 3.1.0 → 3.1.3

package/templates/webapp/scripts/deploy-percepta-test.ts

@@ -0,0 +1,837 @@
+#!/usr/bin/env tsx
+
+import { execFileSync, spawnSync } from "node:child_process";
+import { existsSync } from "node:fs";
+import { readFile } from "node:fs/promises";
+import path from "node:path";
+import { stdin as input, stdout as output } from "node:process";
+import { createInterface } from "node:readline/promises";
+import { fileURLToPath } from "node:url";
+
+const APP_NAME = "__APP_NAME__";
+const REPO_SLUG = "Percepta-Core/__REPO_NAME__";
+const ENVIRONMENT = "percepta-test";
+const TERRAFORM_SERVICE_NAME = `${APP_NAME}-terraform`;
+const DEPLOY_URL = `https://${APP_NAME}.${ENVIRONMENT}.aitco.dev`;
+const DEFAULT_TIMEOUT_MINUTES = 20;
+
+const REQUIRED_PLATFORM_INSTALLATIONS = [
+  {
+    name: "percepta-internal-terraform",
+    label: "shared Postgres",
+  },
+  {
+    name: "inngest-test",
+    label: "shared Inngest",
+  },
+  {
+    name: "otel-collector",
+    label: "shared OTEL collector",
+  },
+  {
+    name: "lgtm-stack-helm",
+    label: "shared LGTM stack",
+  },
+  {
+    name: "langfuse",
+    label: "shared Langfuse",
+  },
+] as const;
+
+const REQUIRED_PLATFORM_VARIABLE_GROUPS = [
+  {
+    name: "demos-commons",
+    label: "shared demo config",
+    requiredVariables: [
+      "ANTHROPIC_API_KEY",
+      "LANGFUSE_PUBLIC_KEY",
+      "LANGFUSE_SECRET_KEY",
+    ],
+    requiredSensitiveVariables: ["ANTHROPIC_API_KEY", "LANGFUSE_SECRET_KEY"],
+  },
+] as const;
+
+interface Options {
+  yes: boolean;
+  skipRepo: boolean;
+  skipPush: boolean;
+  skipWorkflows: boolean;
+  skipSecrets: boolean;
+  ref: string;
+  timeoutMinutes: number;
+}
+
+interface WorkflowRun {
+  databaseId: number;
+  status: string;
+  conclusion: string | null;
+  url: string;
+}
+
+interface InstallationTask {
+  associatedTaskId: string;
+  createdAt: string;
+  description?: string;
+  isApprovable: boolean;
+  status: string;
+  taskType: string;
+}
+
+interface Installation {
+  name?: string;
+  status?: string;
+  health?: string;
+}
+
+interface VariableGroup {
+  name?: string;
+  variables?: Array<{
+    key: string;
+    sensitive?: boolean;
+  }>;
+}
+
+function parseArgs(argv: string[]): Options {
+  const options: Options = {
+    yes: false,
+    skipRepo: false,
+    skipPush: false,
+    skipWorkflows: false,
+    skipSecrets: false,
+    ref: "main",
+    timeoutMinutes: DEFAULT_TIMEOUT_MINUTES,
+  };
+
+  for (let index = 0; index < argv.length; index++) {
+    const arg = argv[index];
+    if (arg === "--") {
+      continue;
+    } else if (arg === "--yes" || arg === "-y") {
+      options.yes = true;
+    } else if (arg === "--skip-repo") {
+      options.skipRepo = true;
+    } else if (arg === "--skip-push") {
+      options.skipPush = true;
+    } else if (arg === "--skip-workflows") {
+      options.skipWorkflows = true;
+    } else if (arg === "--skip-secrets") {
+      options.skipSecrets = true;
+    } else if (arg === "--ref") {
+      const value = argv[index + 1];
+      if (!value) throw new Error("--ref requires a branch or ref");
+      options.ref = value;
+      index++;
+    } else if (arg === "--timeout-minutes") {
+      const value = Number(argv[index + 1]);
+      if (!Number.isFinite(value) || value <= 0) {
+        throw new Error("--timeout-minutes requires a positive number");
+      }
+      options.timeoutMinutes = value;
+      index++;
+    } else {
+      throw new Error(`Unknown argument: ${arg}`);
+    }
+  }
+
+  return options;
+}
+
+function run(
+  command: string,
+  args: string[],
+  cwd: string,
+  stdio: "inherit" | "pipe" = "inherit",
+): string {
+  const result = execFileSync(command, args, {
+    cwd,
+    encoding: "utf8",
+    stdio,
+  });
+
+  return typeof result === "string" ? result.trim() : "";
+}
+
+function runJson<T>(command: string, args: string[], cwd: string): T {
+  const outputText = run(command, args, cwd, "pipe");
+  return JSON.parse(outputText) as T;
+}
+
+function assertCommand(command: string): void {
+  try {
+    run(command, ["--version"], process.cwd(), "pipe");
+  } catch {
+    throw new Error(
+      `Required command not found or not authenticated: ${command}`,
+    );
+  }
+}
+
+function findUp(startDir: string, fileName: string): string | null {
+  let dir = startDir;
+  while (true) {
+    if (existsSync(path.join(dir, fileName))) return dir;
+    const parent = path.dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+}
+
+function parseGitHubRepo(remoteUrl: string): string | null {
+  const match = remoteUrl.match(
+    /github\.com[:/]([^/\s]+\/[^/\s]+?)(?:\.git)?$/,
+  );
+  return match?.[1] ?? null;
+}
+
+function getRemoteRepoSlug(monorepoRoot: string): string | null {
+  try {
+    return parseGitHubRepo(
+      run("git", ["remote", "get-url", "origin"], monorepoRoot, "pipe"),
+    );
+  } catch {
+    return null;
+  }
+}
+
+async function confirm(message: string): Promise<boolean> {
+  const rl = createInterface({ input, output });
+  try {
+    const answer = (await rl.question(`${message} [Y/n] `))
+      .trim()
+      .toLowerCase();
+    return answer === "" || answer === "y" || answer === "yes";
+  } finally {
+    rl.close();
+  }
+}
+
+async function confirmOrThrow(
+  message: string,
+  options: Options,
+): Promise<void> {
+  if (options.yes) return;
+  if (!process.stdin.isTTY) {
+    throw new Error(`${message} Re-run with --yes to confirm.`);
+  }
+  if (!(await confirm(message))) {
+    throw new Error("Deployment cancelled.");
+  }
+}
+
+function sleep(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+async function ensureGitHubRepo(
+  monorepoRoot: string,
+  options: Options,
+): Promise<string> {
+  const remoteRepoSlug = getRemoteRepoSlug(monorepoRoot);
+  const repoSlug = remoteRepoSlug ?? REPO_SLUG;
+
+  if (remoteRepoSlug && remoteRepoSlug !== REPO_SLUG) {
+    console.log(`Using GitHub repo from origin remote: ${remoteRepoSlug}`);
+  }
+
+  if (options.skipRepo) return repoSlug;
+
+  try {
+    run("gh", ["repo", "view", repoSlug], monorepoRoot, "pipe");
+  } catch {
+    await confirmOrThrow(
+      `GitHub repo ${repoSlug} was not found. Create it and push this repo?`,
+      options,
+    );
+    run(
+      "gh",
+      [
+        "repo",
+        "create",
+        repoSlug,
+        "--private",
+        "--source",
+        monorepoRoot,
+        "--remote",
+        "origin",
+        "--push",
+      ],
+      monorepoRoot,
+    );
+    return repoSlug;
+  }
+
+  if (!remoteRepoSlug) {
+    run(
+      "git",
+      ["remote", "add", "origin", `git@github.com:${repoSlug}.git`],
+      monorepoRoot,
+    );
+  }
+
+  return repoSlug;
+}
+
+function ensureCleanAndPushed(monorepoRoot: string, options: Options): void {
+  if (options.skipPush) return;
+
+  const status = run("git", ["status", "--porcelain"], monorepoRoot, "pipe");
+  if (status.length > 0) {
+    throw new Error(
+      [
+        "The git worktree has uncommitted changes.",
+        "Commit the app before deploying so GitHub Actions builds the exact code you expect.",
+        status,
+      ].join("\n"),
+    );
+  }
+
+  const branch = run("git", ["branch", "--show-current"], monorepoRoot, "pipe");
+  if (!branch) {
+    throw new Error("Could not determine the current git branch.");
+  }
+
+  run(
+    "git",
+    ["push", "-u", "origin", `${branch}:${options.ref}`],
+    monorepoRoot,
+  );
+}
+
+function upsertService(manifestPath: string, monorepoRoot: string): void {
+  run("ryvn", ["replace", "-f", manifestPath], monorepoRoot);
+}
+
+function getInstallation(
+  name: string,
+  monorepoRoot: string,
+): Installation | null {
+  try {
+    return runJson<Installation>(
+      "ryvn",
+      ["get", "installation", name, "-e", ENVIRONMENT, "-o", "json"],
+      monorepoRoot,
+    );
+  } catch {
+    return null;
+  }
+}
+
+function getVariableGroup(
+  name: string,
+  monorepoRoot: string,
+): VariableGroup | null {
+  try {
+    return runJson<VariableGroup>(
+      "ryvn",
+      ["get", "variable-group", name, "-e", ENVIRONMENT, "-o", "json"],
+      monorepoRoot,
+    );
+  } catch {
+    return null;
+  }
+}
+
+function installationExists(name: string, monorepoRoot: string): boolean {
+  return getInstallation(name, monorepoRoot) !== null;
+}
+
+function assertHealthyPlatformInstallation(
+  installation: Installation | null,
+  name: string,
+  label: string,
+): string | null {
+  if (installation === null) {
+    return `${label} (${name}) was not found in ${ENVIRONMENT}.`;
+  }
+
+  if (
+    installation.status !== "UP_TO_DATE" ||
+    installation.health !== "HEALTHY"
+  ) {
+    return `${label} (${name}) is ${installation.status ?? "unknown"}/${installation.health ?? "unknown"}, expected UP_TO_DATE/HEALTHY.`;
+  }
+
+  return null;
+}
+
+function assertPlatformVariableGroup(
+  variableGroup: VariableGroup | null,
+  name: string,
+  label: string,
+  requiredVariables: readonly string[],
+  requiredSensitiveVariables: readonly string[],
+): string | null {
+  if (variableGroup === null) {
+    return `${label} variable group (${name}) was not found in ${ENVIRONMENT}.`;
+  }
+
+  const variables = new Map(
+    (variableGroup.variables ?? []).map((variable) => [variable.key, variable]),
+  );
+  const missing = requiredVariables.filter((key) => !variables.has(key));
+  if (missing.length > 0) {
+    return `${label} variable group (${name}) is missing ${missing.join(", ")}.`;
+  }
+
+  const notSensitive = requiredSensitiveVariables.filter(
+    (key) => variables.get(key)?.sensitive !== true,
+  );
+  if (notSensitive.length > 0) {
+    return `${label} variable group (${name}) must mark ${notSensitive.join(", ")} as sensitive.`;
+  }
+
+  return null;
+}
+
+function verifyExistingPlatform(monorepoRoot: string): void {
+  console.log(`Checking existing ${ENVIRONMENT} platform dependencies...`);
+
+  const installationFailures = REQUIRED_PLATFORM_INSTALLATIONS.map(
+    (dependency) =>
+      assertHealthyPlatformInstallation(
+        getInstallation(dependency.name, monorepoRoot),
+        dependency.name,
+        dependency.label,
+      ),
+  ).filter((failure): failure is string => failure !== null);
+  const variableGroupFailures = REQUIRED_PLATFORM_VARIABLE_GROUPS.map(
+    (dependency) =>
+      assertPlatformVariableGroup(
+        getVariableGroup(dependency.name, monorepoRoot),
+        dependency.name,
+        dependency.label,
+        dependency.requiredVariables,
+        dependency.requiredSensitiveVariables,
+      ),
+  ).filter((failure): failure is string => failure !== null);
+  const failures = [...installationFailures, ...variableGroupFailures];
+
+  if (failures.length > 0) {
+    throw new Error(
+      [
+        `Cannot deploy ${APP_NAME} into ${ENVIRONMENT} because required platform services are missing or unhealthy.`,
+        ...failures,
+        "This helper performs the existing-environment deploy motion only. Stand up the platform services first, then rerun deploy:percepta-test.",
+      ].join("\n"),
+    );
+  }
+
+  for (const dependency of REQUIRED_PLATFORM_INSTALLATIONS) {
+    console.log(`Found ${dependency.label}: ${dependency.name}`);
+  }
+
+  for (const dependency of REQUIRED_PLATFORM_VARIABLE_GROUPS) {
+    console.log(`Found ${dependency.label} variable group: ${dependency.name}`);
+  }
+}
+
+function upsertInstallation(
+  name: string,
+  manifestPath: string,
+  monorepoRoot: string,
+): void {
+  if (installationExists(name, monorepoRoot)) {
+    run("ryvn", ["replace", "-f", manifestPath], monorepoRoot);
+  } else {
+    run("ryvn", ["create", "-f", manifestPath], monorepoRoot);
+  }
+}
+
+async function triggerWorkflow(
+  repoSlug: string,
+  workflowFile: string,
+  monorepoRoot: string,
+  options: Options,
+): Promise<void> {
+  if (options.skipWorkflows) return;
+
+  console.log(`Running ${workflowFile}...`);
+  run(
+    "gh",
+    ["workflow", "run", workflowFile, "--repo", repoSlug, "--ref", options.ref],
+    monorepoRoot,
+  );
+  await sleep(3_000);
+
+  let runs = runJson<WorkflowRun[]>(
+    "gh",
+    [
+      "run",
+      "list",
+      "--repo",
+      repoSlug,
+      "--workflow",
+      workflowFile,
+      "--branch",
+      options.ref,
+      "--event",
+      "workflow_dispatch",
+      "--limit",
+      "1",
+      "--json",
+      "databaseId,status,conclusion,url",
+    ],
+    monorepoRoot,
+  );
+
+  if (runs.length === 0) {
+    runs = runJson<WorkflowRun[]>(
+      "gh",
+      [
+        "run",
+        "list",
+        "--repo",
+        repoSlug,
+        "--workflow",
+        workflowFile,
+        "--branch",
+        options.ref,
+        "--limit",
+        "1",
+        "--json",
+        "databaseId,status,conclusion,url",
+      ],
+      monorepoRoot,
+    );
+  }
+
+  const runInfo = runs.at(0);
+  if (runInfo === undefined) {
+    throw new Error(`Could not find a GitHub Actions run for ${workflowFile}`);
+  }
+
+  console.log(`Watching ${runInfo.url}`);
+  run(
+    "gh",
+    [
+      "run",
+      "watch",
+      String(runInfo.databaseId),
+      "--repo",
+      repoSlug,
+      "--exit-status",
+    ],
+    monorepoRoot,
+  );
+}
+
+function latestTask(tasks: InstallationTask[]): InstallationTask | null {
+  return (
+    [...tasks].sort(
+      (a, b) =>
+        new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime(),
+    )[0] ?? null
+  );
+}
+
+async function waitForTerraformApply(
+  monorepoRoot: string,
+  options: Options,
+): Promise<void> {
+  const deadline = Date.now() + options.timeoutMinutes * 60_000;
+  const approved = new Set<string>();
+
+  while (Date.now() < deadline) {
+    const tasks = runJson<InstallationTask[]>(
+      "ryvn",
+      [
+        "get",
+        "installation-task",
+        TERRAFORM_SERVICE_NAME,
+        "-e",
+        ENVIRONMENT,
+        "-o",
+        "json",
+      ],
+      monorepoRoot,
+    );
+    const newest = latestTask(tasks);
+    const failed = tasks.find((task) => task.status === "FAILED");
+    if (failed) {
+      throw new Error(
+        `${failed.description ?? failed.taskType} failed for ${TERRAFORM_SERVICE_NAME}.`,
+      );
+    }
+
+    const approvablePlan = tasks.find(
+      (task) =>
+        task.isApprovable &&
+        task.taskType === "terraformPlanV1" &&
+        !approved.has(task.associatedTaskId),
+    );
+    if (approvablePlan) {
+      await confirmOrThrow(
+        `Approve Terraform plan for ${TERRAFORM_SERVICE_NAME}?`,
+        options,
+      );
+      run(
+        "ryvn",
+        [
+          "task",
+          "approve",
+          approvablePlan.associatedTaskId,
+          "--reason",
+          `Deploy ${APP_NAME} schema to ${ENVIRONMENT}`,
+        ],
+        monorepoRoot,
+      );
+      approved.add(approvablePlan.associatedTaskId);
+    }
+
+    if (
+      newest?.status === "COMPLETED" &&
+      newest.taskType === "terraformApplyV1"
+    ) {
+      console.log(`${TERRAFORM_SERVICE_NAME} is applied.`);
+      return;
+    }
+
+    await sleep(5_000);
+  }
+
+  throw new Error(
+    `${TERRAFORM_SERVICE_NAME} did not finish within ${options.timeoutMinutes} minutes.`,
+  );
+}
+
+function parseEnvFile(
+  contents: string,
+): Array<{ name: string; value: string }> {
+  return contents
+    .split("\n")
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0 && !line.startsWith("#"))
+    .map((line) => {
+      const equalsIndex = line.indexOf("=");
+      if (equalsIndex === -1) return null;
+      const name = line.slice(0, equalsIndex).trim();
+      let value = line.slice(equalsIndex + 1).trim();
+      if (
+        (value.startsWith('"') && value.endsWith('"')) ||
+        (value.startsWith("'") && value.endsWith("'"))
+      ) {
+        value = value.slice(1, -1);
+      }
+      return name ? { name, value } : null;
+    })
+    .filter(
+      (entry): entry is { name: string; value: string } => entry !== null,
+    );
+}
+
+async function patchInstallationSecrets(
+  packageDir: string,
+  monorepoRoot: string,
+  options: Options,
+): Promise<void> {
+  if (options.skipSecrets) return;
+
+  const secretsPath = path.join(
+    packageDir,
+    "deploy",
+    "ryvn",
+    `${ENVIRONMENT}.secrets.env`,
+  );
+  if (!existsSync(secretsPath)) {
+    console.log(
+      `No secrets file found at ${secretsPath}; skipping secret patch.`,
+    );
+    return;
+  }
+
+  const secrets = parseEnvFile(await readFile(secretsPath, "utf8"));
+  if (secrets.length === 0) return;
+
+  const secretEnv = secrets.map(({ name, value }) => ({
+    key: name,
+    value,
+    isSecret: true,
+  }));
+  // Strategic merge preserves existing non-secret env entries while upserting
+  // these generated secrets by key.
+  const patch = JSON.stringify({ spec: { env: secretEnv, secrets } });
+  const result = spawnSync(
+    "ryvn",
+    [
+      "update",
+      "installation",
+      APP_NAME,
+      "-e",
+      ENVIRONMENT,
+      "--type",
+      "strategic",
+      "--patch-file",
+      "-",
+    ],
+    {
+      cwd: monorepoRoot,
+      input: patch,
+      stdio: ["pipe", "inherit", "inherit"],
+      encoding: "utf8",
+    },
+  );
+
+  if (result.status !== 0) {
+    throw new Error(`Failed to patch secrets for ${APP_NAME}.`);
+  }
+}
+
+async function waitForHealthy(
+  monorepoRoot: string,
+  options: Options,
+): Promise<void> {
+  const deadline = Date.now() + options.timeoutMinutes * 60_000;
+
+  while (Date.now() < deadline) {
+    const installation = runJson<Installation>(
+      "ryvn",
+      ["get", "installation", APP_NAME, "-e", ENVIRONMENT, "-o", "json"],
+      monorepoRoot,
+    );
+
+    if (
+      installation.status === "UP_TO_DATE" &&
+      installation.health === "HEALTHY"
+    ) {
+      console.log(`${APP_NAME} is healthy.`);
+      return;
+    }
+
+    console.log(
+      `${APP_NAME} status: ${installation.status ?? "unknown"}, health: ${installation.health ?? "unknown"}`,
+    );
+    await sleep(10_000);
+  }
+
+  throw new Error(
+    `${APP_NAME} did not become healthy within ${options.timeoutMinutes} minutes.`,
+  );
+}
+
+async function fetchDeployUrl(
+  pathname: string,
+  init: RequestInit = {},
+): Promise<Response> {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), 10_000);
+  try {
+    return await fetch(`${DEPLOY_URL}${pathname}`, {
+      ...init,
+      signal: controller.signal,
+    });
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+async function verifyEndpoint(pathname: string): Promise<void> {
+  const response = await fetchDeployUrl(pathname);
+  if (!response.ok) {
+    throw new Error(`${pathname} returned HTTP ${response.status}`);
+  }
+}
+
+async function verifyAppRoute(): Promise<void> {
+  const response = await fetchDeployUrl("/", { redirect: "manual" });
+  if (response.ok) return;
+
+  if ([301, 302, 303, 307, 308].includes(response.status)) {
+    const location = response.headers.get("location");
+    let redirectPathname: string | null = null;
+    if (location) {
+      try {
+        redirectPathname = new URL(location, DEPLOY_URL).pathname;
+      } catch {
+        redirectPathname = null;
+      }
+    }
+    if (redirectPathname === "/auth/signin") return;
+
+    throw new Error(
+      `/ redirected to ${location ?? "an empty location"} instead of /auth/signin`,
+    );
+  }
+
+  throw new Error(`/ returned HTTP ${response.status}`);
+}
+
+async function verifyDeployment(): Promise<void> {
+  await verifyEndpoint("/api/healthz");
+  await verifyEndpoint("/api/readyz");
+  await verifyAppRoute();
+}
+
+async function main(): Promise<void> {
+  const options = parseArgs(process.argv.slice(2));
+  assertCommand("git");
+  assertCommand("gh");
+  assertCommand("ryvn");
+
+  const packageDir = path.resolve(
+    path.dirname(fileURLToPath(import.meta.url)),
+    "..",
+  );
+  const monorepoRoot = findUp(packageDir, "pnpm-workspace.yaml") ?? packageDir;
+  verifyExistingPlatform(monorepoRoot);
+
+  const repoSlug = await ensureGitHubRepo(monorepoRoot, options);
+  ensureCleanAndPushed(monorepoRoot, options);
+
+  const ryvnDir = path.join(packageDir, "deploy", "ryvn");
+  const serviceManifest = path.join(ryvnDir, `${APP_NAME}.service.yaml`);
+  const terraformServiceManifest = path.join(
+    ryvnDir,
+    `${TERRAFORM_SERVICE_NAME}.service.yaml`,
+  );
+  const installationManifest = path.join(
+    ryvnDir,
+    "environments",
+    ENVIRONMENT,
+    "installations",
+    `${APP_NAME}.env.${ENVIRONMENT}.serviceinstallation.yaml`,
+  );
+  const terraformInstallationManifest = path.join(
+    ryvnDir,
+    "environments",
+    ENVIRONMENT,
+    "installations",
+    `${TERRAFORM_SERVICE_NAME}.env.${ENVIRONMENT}.serviceinstallation.yaml`,
+  );
+
+  console.log(`Creating/updating Ryvn services in ${ENVIRONMENT}...`);
+  upsertService(terraformServiceManifest, monorepoRoot);
+  upsertService(serviceManifest, monorepoRoot);
+
+  await triggerWorkflow(
+    repoSlug,
+    `${TERRAFORM_SERVICE_NAME}-ryvn-release.yaml`,
+    monorepoRoot,
+    options,
+  );
+  upsertInstallation(
+    TERRAFORM_SERVICE_NAME,
+    terraformInstallationManifest,
+    monorepoRoot,
+  );
+  await waitForTerraformApply(monorepoRoot, options);
+
+  await triggerWorkflow(
+    repoSlug,
+    `${APP_NAME}-ryvn-release.yaml`,
+    monorepoRoot,
+    options,
+  );
+  upsertInstallation(APP_NAME, installationManifest, monorepoRoot);
+  await patchInstallationSecrets(packageDir, monorepoRoot, options);
+  await waitForHealthy(monorepoRoot, options);
+
+  await verifyDeployment();
+
+  console.log("");
+  console.log(`Deployed ${APP_NAME}: ${DEPLOY_URL}`);
+}
+
+void main().catch((error) => {
+  console.error(error instanceof Error ? error.message : error);
+  process.exit(1);
+});