@stacksjs/ts-cloud 0.2.20 → 0.2.22

package/dist/index.js

@@ -80931,6 +80931,77 @@ class AcmeClient {
     return this.accountKey;
   }
 }
+// src/deploy/site-target.ts
+function resolveSiteDeployTarget(site) {
+  if (site.deploy)
+    return site.deploy;
+  if (site.start)
+    return "server";
+  return "bucket";
+}
+function resolveSiteKind(site) {
+  const target = resolveSiteDeployTarget(site);
+  if (target === "bucket")
+    return "bucket";
+  return site.start ? "server-app" : "server-static";
+}
+function hasComputeConfigured(config6) {
+  return config6.infrastructure?.compute != null;
+}
+function validateDeploymentConfig(config6) {
+  const errors = [];
+  const warnings = [];
+  const sites = config6.sites || {};
+  const computeConfigured = hasComputeConfigured(config6);
+  const portOwners = new Map;
+  for (const [name, site] of Object.entries(sites)) {
+    if (!site) {
+      continue;
+    }
+    const target = resolveSiteDeployTarget(site);
+    const kind = resolveSiteKind(site);
+    if (target === "server" && !site.start && !site.root) {
+      errors.push(`Site '${name}' sets deploy:'server' but declares neither \`start\` (dynamic app) nor \`root\` (static site to serve). Add one.`);
+      continue;
+    }
+    if (kind === "server-app") {
+      if (!computeConfigured) {
+        errors.push(`Site '${name}' deploys to a server (deploy:'server'${site.deploy ? "" : " inferred from `start`"}) but no \`infrastructure.compute\` is configured. Set deploy:'bucket' or add a server (infrastructure.compute).`);
+      }
+      if (typeof site.port === "number") {
+        const existing = portOwners.get(site.port);
+        if (existing) {
+          errors.push(`Sites '${existing}' and '${name}' both use port ${site.port}. Server apps sharing a box must use distinct ports.`);
+        } else {
+          portOwners.set(site.port, name);
+        }
+      }
+    } else if (kind === "server-static") {
+      if (!site.root) {
+        errors.push(`Site '${name}' is a server static site (deploy:'server', no \`start\`) but has no \`root\` directory to serve.`);
+      }
+      if (!computeConfigured) {
+        errors.push(`Site '${name}' deploys to a server (deploy:'server') but no \`infrastructure.compute\` is configured. Set deploy:'bucket' or add a server (infrastructure.compute).`);
+      }
+    } else {
+      if (!site.root) {
+        errors.push(`Site '${name}' deploys to a bucket but has no \`root\` directory to upload.`);
+      }
+      const serverOnly = [];
+      if (site.start)
+        serverOnly.push("start");
+      if (typeof site.port === "number")
+        serverOnly.push("port");
+      if (site.preStart && site.preStart.length > 0)
+        serverOnly.push("preStart");
+      if (serverOnly.length > 0) {
+        warnings.push(`Site '${name}' deploys to a bucket but sets server-only field(s): ${serverOnly.join(", ")}. These are ignored. Set deploy:'server' to use them.`);
+      }
+    }
+  }
+  return { errors, warnings };
+}
+
 // src/deploy/index.ts
 init_static_site();
 init_static_site_external_dns();
@@ -81159,46 +81230,202 @@ import { join as join13 } from "node:path";
 import { execSync } from "node:child_process";
 
 // src/drivers/shared/caddyfile.ts
-function buildCaddyfile(sites) {
-  const allSites = Object.entries(sites);
-  const sitesWithDomain = allSites.filter(([, s]) => typeof s.domain === "string" && s.domain && typeof s.port === "number");
-  if (sitesWithDomain.length === 0)
+function isOnDemandDomain(domain) {
+  return domain === "*" || domain.includes("*");
+}
+function isStaticApp(app) {
+  return typeof app.root === "string" && app.root.length > 0;
+}
+function isProxyApp(app) {
+  return typeof app.port === "number";
+}
+function staticSiteServerRoot(name) {
+  return `/var/www/${name}`;
+}
+function normalizeOnDemandTls(onDemandTls) {
+  if (!onDemandTls)
+    return;
+  if (onDemandTls === true)
+    return {};
+  return onDemandTls;
+}
+function wrapInHandle(body, path, indent) {
+  const inner = body.split(`
+`).map((line) => `  ${line}`).join(`
+`);
+  return `${indent}handle ${path} {
+${inner}
+${indent}}`;
+}
+function renderUpstreamBlock(app, indent) {
+  const host = app.upstreamHost || "localhost";
+  const upstream = `${host}:${app.port}`;
+  const directives = app.reverseProxyDirectives ?? [];
+  const proxyLine = directives.length === 0 ? `${indent}reverse_proxy ${upstream}` : [
+    `${indent}reverse_proxy ${upstream} {`,
+    ...directives.map((d) => `${indent}  ${d}`),
+    `${indent}}`
+  ].join(`
+`);
+  const isCatchAll = !app.path || app.path === "/";
+  if (isCatchAll)
+    return proxyLine;
+  return wrapInHandle(proxyLine, app.path, indent);
+}
+function renderStaticBlock(app, indent) {
+  const root = app.root;
+  const lines = [`${indent}root * ${root}`];
+  if (app.cache?.enabled) {
+    const maxAge = app.cache.maxAge ?? 3600;
+    lines.push(`${indent}header Cache-Control "public, max-age=${maxAge}"`);
+  }
+  if (app.spa) {
+    lines.push(`${indent}try_files {path} /index.html`);
+  } else if (app.pathRewriteStyle === "flat") {
+    lines.push(`${indent}try_files {path} {path}.html {path}/index.html`);
+  } else {
+    lines.push(`${indent}try_files {path} {path}/index.html {path}.html`);
+  }
+  lines.push(`${indent}file_server`);
+  const body = lines.join(`
+`);
+  const isCatchAll = !app.path || app.path === "/";
+  if (isCatchAll)
+    return body;
+  return wrapInHandle(body, app.path, indent);
+}
+function renderAppBlock(app, indent) {
+  return isStaticApp(app) ? renderStaticBlock(app, indent) : renderUpstreamBlock(app, indent);
+}
+function groupAppsByDomains(apps) {
+  const groups = new Map;
+  for (const app of apps) {
+    const domains = [...app.domains].filter(Boolean);
+    if (domains.length === 0)
+      continue;
+    const key = [...domains].sort().join(" ");
+    const group = groups.get(key) ?? { domains, apps: [] };
+    group.apps.push(app);
+    groups.set(key, group);
+  }
+  return [...groups.values()];
+}
+function sortAppsByPath(apps) {
+  return [...apps].sort((a, b) => {
+    const aCatchAll = !a.path || a.path === "/";
+    const bCatchAll = !b.path || b.path === "/";
+    if (aCatchAll && !bCatchAll)
+      return 1;
+    if (!aCatchAll && bCatchAll)
+      return -1;
+    return (b.path?.length ?? 0) - (a.path?.length ?? 0);
+  });
+}
+function buildCaddyfileFromProxy(proxy) {
+  if (proxy.raw && proxy.raw.trim())
+    return proxy.raw.trim();
+  const apps = (proxy.apps ?? []).filter((app) => app.domains.length > 0 && (isProxyApp(app) || isStaticApp(app)));
+  if (apps.length === 0)
     return;
-  const byDomain = new Map;
-  for (const [, site] of sitesWithDomain) {
-    const list = byDomain.get(site.domain) ?? [];
-    list.push({ port: site.port, path: site.path });
-    byDomain.set(site.domain, list);
+  const onDemand = normalizeOnDemandTls(proxy.onDemandTls);
+  const hasOnDemandDomain = apps.some((app) => app.domains.some(isOnDemandDomain));
+  const globalLines = [];
+  if (proxy.email)
+    globalLines.push(`email ${proxy.email}`);
+  if (proxy.staging)
+    globalLines.push("acme_ca https://acme-staging-v02.api.letsencrypt.org/directory");
+  if (onDemand) {
+    if (onDemand.ask || onDemand.interval || onDemand.burst != null) {
+      const inner = [];
+      if (onDemand.ask)
+        inner.push(`  ask ${onDemand.ask}`);
+      if (onDemand.interval || onDemand.burst != null) {
+        const rl = [];
+        if (onDemand.interval)
+          rl.push(`    interval ${onDemand.interval}`);
+        if (onDemand.burst != null)
+          rl.push(`    burst ${onDemand.burst}`);
+        inner.push(`  rate_limit {
+${rl.join(`
+`)}
+  }`);
+      }
+      globalLines.push(`on_demand_tls {
+${inner.join(`
+`)}
+}`);
+    } else {
+      globalLines.push(`on_demand_tls {
+}`);
+    }
   }
+  for (const directive of proxy.globalDirectives ?? [])
+    globalLines.push(directive);
   const blocks = [];
-  for (const [domain, domainSites] of byDomain) {
-    const sorted = [...domainSites].sort((a, b) => {
-      const aIsCatchAll = !a.path || a.path === "/";
-      const bIsCatchAll = !b.path || b.path === "/";
-      if (aIsCatchAll && !bIsCatchAll)
-        return 1;
-      if (!aIsCatchAll && bIsCatchAll)
-        return -1;
-      return (b.path?.length ?? 0) - (a.path?.length ?? 0);
-    });
-    const handles = sorted.map((s) => {
-      const isCatchAll = !s.path || s.path === "/";
-      const inner = `reverse_proxy localhost:${s.port}`;
-      return isCatchAll ? `  handle {
-    ${inner}
-  }` : `  handle ${s.path} {
-    ${inner}
-  }`;
-    });
-    blocks.push(`${domain} {
-${handles.join(`
+  if (globalLines.length > 0)
+    blocks.push(`{
+${globalLines.map((line) => `  ${line}`).join(`
 `)}
 }`);
+  for (const group of groupAppsByDomains(apps)) {
+    const sorted = sortAppsByPath(group.apps);
+    const body = sorted.map((app) => renderAppBlock(app, "  ")).join(`
+`);
+    const needsOnDemand = onDemand && group.domains.some(isOnDemandDomain);
+    const tlsBlock = needsOnDemand ? `
+  tls {
+    on_demand
+  }` : "";
+    blocks.push(`${group.domains.join(", ")} {
+${body}${tlsBlock}
+}`);
+  }
+  if (hasOnDemandDomain && !onDemand) {
+    blocks.unshift(`# WARNING: wildcard/catch-all domain present but on_demand_tls is not enabled.
+` + "# Caddy cannot provision TLS for these hosts. Set compute.proxy.onDemandTls.");
   }
   return blocks.join(`
 
 `);
 }
+function proxyConfigFromSites(sites) {
+  const apps = [];
+  for (const [name, site] of Object.entries(sites)) {
+    if (typeof site.domain !== "string" || !site.domain)
+      continue;
+    if (typeof site.port === "number" && site.deploy !== "bucket") {
+      apps.push({
+        name,
+        domains: [site.domain],
+        port: site.port,
+        path: site.path
+      });
+    } else if (resolveSiteKind(site) === "server-static") {
+      apps.push({
+        name,
+        domains: [site.domain],
+        root: staticSiteServerRoot(name),
+        path: site.path,
+        spa: site.spa,
+        pathRewriteStyle: site.pathRewriteStyle,
+        cache: site.cache
+      });
+    }
+  }
+  return { apps };
+}
+function resolveCaddyfile(sites, proxy) {
+  if (proxy) {
+    if (proxy.raw && proxy.raw.trim())
+      return proxy.raw.trim();
+    const resolved = proxy.apps && proxy.apps.length > 0 ? proxy : { ...proxy, apps: proxyConfigFromSites(sites).apps };
+    return buildCaddyfileFromProxy(resolved);
+  }
+  return buildCaddyfileFromProxy(proxyConfigFromSites(sites));
+}
+function buildCaddyfile(sites) {
+  return buildCaddyfileFromProxy(proxyConfigFromSites(sites));
+}
 
 // src/drivers/hetzner/client.ts
 var DEFAULT_API_URL = "https://api.hetzner.cloud/v1";
@@ -81223,10 +81450,20 @@ class HetznerClient {
       body: body === undefined ? undefined : JSON.stringify(body)
     });
     const text = await response.text();
-    const data = text ? JSON.parse(text) : {};
+    let data;
+    try {
+      data = text ? JSON.parse(text) : {};
+    } catch {
+      if (!response.ok) {
+        const snippet = text.trim().slice(0, 200) || response.statusText || "Hetzner API error";
+        throw new Error(`Hetzner API ${method} ${path} (${response.status}): ${snippet}`);
+      }
+      throw new Error(`Hetzner API ${method} ${path}: unexpected non-JSON response`);
+    }
     if (!response.ok) {
       const message = data.error?.message || response.statusText || "Hetzner API error";
-      throw new Error(`Hetzner API ${method} ${path}: ${message}`);
+      const code = data.error?.code ? ` [${data.error.code}]` : "";
+      throw new Error(`Hetzner API ${method} ${path} (${response.status})${code}: ${message}`);
     }
     return data;
   }
@@ -81270,6 +81507,12 @@ class HetznerClient {
     });
     return { firewall: data.firewall, actions: data.actions };
   }
+  async setFirewallRules(firewallId, rules) {
+    const data = await this.request("POST", `/firewalls/${firewallId}/actions/set_rules`, {
+      rules
+    });
+    return data.actions ?? [];
+  }
   async applyFirewallToResources(firewallId, applyTo) {
     const data = await this.request("POST", `/firewalls/${firewallId}/actions/apply_to_resources`, {
       apply_to: applyTo
@@ -81435,12 +81678,19 @@ echo "ts-cloud bootstrap complete — instance is ready for site deploys"
   return script;
 }
 function wrapCloudInitUserData(bootstrapScript) {
+  const scriptPath = "/var/lib/cloud/ts-cloud-bootstrap.sh";
+  const indented = bootstrapScript.split(`
+`).map((line) => `      ${line}`).join(`
+`);
   return `#cloud-config
+write_files:
+  - path: ${scriptPath}
+    permissions: '0755'
+    owner: root:root
+    content: |
+${indented}
 runcmd:
-  - |
-    ${bootstrapScript.split(`
-`).join(`
-    `)}
+  - [ bash, ${scriptPath} ]
 `;
 }
 
@@ -81464,10 +81714,10 @@ function buildHetznerFirewallRules(config6) {
 // src/drivers/hetzner/instance-sizes.ts
 var HETZNER_INSTANCE_TYPES = {
   micro: "cpx11",
-  small: "cx22",
-  medium: "cx32",
-  large: "cx42",
-  xlarge: "cx52",
+  small: "cx23",
+  medium: "cx33",
+  large: "cx43",
+  xlarge: "cx53",
   "2xlarge": "ccx33"
 };
 function resolveHetznerServerType(size) {
@@ -81516,6 +81766,7 @@ async function writeDriverState(stackName, state) {
 }
 
 // src/drivers/hetzner/driver.ts
+var SSH_MAX_BUFFER = 1024 * 1024 * 256;
 function expandHome(path) {
   return path.startsWith("~/") ? join13(homedir7(), path.slice(2)) : path;
 }
@@ -81528,6 +81779,8 @@ class HetznerDriver {
   sshPublicKeyPath;
   sshUser;
   location;
+  waitForBoot;
+  bootWait;
   constructor(options = {}) {
     this.client = options.client ?? new HetznerClient({
       apiToken: resolveHetznerApiToken(options.apiToken)
@@ -81536,6 +81789,13 @@ class HetznerDriver {
     this.sshPublicKeyPath = expandHome(options.sshPublicKeyPath || process.env.HCLOUD_SSH_PUBLIC_KEY || `${this.sshPrivateKeyPath}.pub`);
     this.sshUser = options.sshUser || process.env.HCLOUD_SSH_USER || "root";
     this.location = options.location || process.env.HCLOUD_LOCATION || "fsn1";
+    this.waitForBoot = options.waitForBoot ?? true;
+    this.bootWait = {
+      sshIntervalMs: options.bootWait?.sshIntervalMs ?? 5000,
+      sshTimeoutMs: options.bootWait?.sshTimeoutMs ?? 300000,
+      cloudInitIntervalMs: options.bootWait?.cloudInitIntervalMs ?? 5000,
+      cloudInitTimeoutMs: options.bootWait?.cloudInitTimeoutMs ?? 600000
+    };
   }
   async provisionComputeInfrastructure(options) {
     const { config: config6, environment } = options;
@@ -81545,16 +81805,32 @@ class HetznerDriver {
       throw new Error("infrastructure.compute is required to provision Hetzner compute");
     }
     const stackName = resolveProjectStackName(config6, environment);
+    const serverName = `${slug}-${environment}-app`;
     const existing = await readDriverState(stackName);
     if (existing?.serverId) {
-      const server2 = await this.client.getServer(existing.serverId);
-      if (server2.status !== "off") {
+      const server2 = await this.tryGetServer(existing.serverId);
+      if (server2 && server2.status !== "off") {
         return this.outputsFromState(existing, server2);
       }
     }
+    const labels = tsCloudLabels(slug, environment, "app");
+    const alreadyRunning = await this.findExistingServer(slug, environment, serverName);
+    if (alreadyRunning && alreadyRunning.status !== "off") {
+      const rehydrated = {
+        provider: "hetzner",
+        stackName,
+        serverId: alreadyRunning.id,
+        serverName: alreadyRunning.name,
+        publicIp: alreadyRunning.public_net.ipv4?.ip,
+        deployStoragePath: "/var/ts-cloud/staging",
+        sshUser: this.sshUser
+      };
+      await writeDriverState(stackName, rehydrated);
+      return this.outputsFromState(rehydrated, alreadyRunning);
+    }
     const sites = config6.sites || {};
-    const sitePorts = Object.values(sites).map((site) => site.port).filter((port) => typeof port === "number" && ![80, 443].includes(port));
-    const caddyfile = buildCaddyfile(sites);
+    const caddyfile = resolveCaddyfile(sites, compute.proxy);
+    const sitePorts = caddyfile ? [] : this.collectUpstreamPorts(sites, compute.proxy);
     const bootstrap = generateUbuntuAppCloudInit({
       runtime: compute.runtime || "bun",
       runtimeVersion: compute.runtimeVersion || "latest",
@@ -81563,19 +81839,13 @@ class HetznerDriver {
       caddyfile
     });
     const userData = wrapCloudInitUserData(bootstrap);
-    const serverName = `${slug}-${environment}-app`;
     const serverType = resolveHetznerServerType(compute.size);
     const image = compute.image || config6.hetzner?.image || "ubuntu-24.04";
-    const labels = tsCloudLabels(slug, environment, "app");
     const firewallName = `${slug}-${environment}-app-fw`;
-    const { firewall } = await this.client.createFirewall({
-      name: firewallName,
-      labels,
-      rules: buildHetznerFirewallRules({
-        allowSsh: compute.allowSsh !== false,
-        sitePorts
-      })
-    });
+    const { firewall } = await this.ensureFirewall(firewallName, labels, buildHetznerFirewallRules({
+      allowSsh: compute.allowSsh !== false,
+      sitePorts
+    }));
     const sshKeyId = await this.ensureSshKey(slug, environment, labels);
     const { server, action } = await this.client.createServer({
       name: serverName,
@@ -81600,6 +81870,11 @@ class HetznerDriver {
       sshUser: this.sshUser
     };
     await writeDriverState(stackName, state);
+    const ip = running.public_net.ipv4?.ip;
+    if (ip && this.waitForBoot) {
+      await this.waitForSshReady(ip);
+      await this.waitForCloudInit(ip);
+    }
     return this.outputsFromState(state, running);
   }
   async getComputeOutputs(options) {
@@ -81706,6 +81981,79 @@ class HetznerDriver {
     });
     return created.id;
   }
+  async tryGetServer(id) {
+    try {
+      return await this.client.getServer(id);
+    } catch {
+      return null;
+    }
+  }
+  async findExistingServer(slug, environment, serverName) {
+    const servers = await this.client.listServers();
+    return servers.find((server) => matchesTsCloudLabels(server.labels, slug, environment, "app") || server.name === serverName);
+  }
+  async ensureFirewall(name, labels, rules) {
+    const existing = await this.client.listFirewalls();
+    const match = existing.find((fw) => fw.name === name);
+    if (match) {
+      await this.client.setFirewallRules(match.id, rules);
+      return { firewall: match };
+    }
+    const { firewall } = await this.client.createFirewall({ name, labels, rules });
+    return { firewall };
+  }
+  collectUpstreamPorts(sites, proxy) {
+    const ports = new Set;
+    for (const app of proxy?.apps ?? []) {
+      if (typeof app.port === "number")
+        ports.add(app.port);
+    }
+    for (const site of Object.values(sites)) {
+      if (typeof site.port === "number")
+        ports.add(site.port);
+    }
+    return [...ports].filter((port) => ![80, 443].includes(port));
+  }
+  async sleep(ms) {
+    await new Promise((resolve13) => setTimeout(resolve13, ms));
+  }
+  async waitForSshReady(host) {
+    const { sshIntervalMs, sshTimeoutMs } = this.bootWait;
+    const start = Date.now();
+    let lastErr;
+    while (Date.now() - start < sshTimeoutMs) {
+      try {
+        execSync(`ssh ${this.sshBaseArgs(host, ["-o", "ConnectTimeout=5"]).map((a) => `"${a.replace(/"/g, "\\\"")}"`).join(" ")} true`, {
+          stdio: "pipe",
+          maxBuffer: SSH_MAX_BUFFER
+        });
+        return;
+      } catch (err) {
+        lastErr = err;
+        await this.sleep(sshIntervalMs);
+      }
+    }
+    throw new Error(`Timed out waiting for SSH on ${host} after ${sshTimeoutMs}ms: ${lastErr?.message ?? "unknown error"}`);
+  }
+  async waitForCloudInit(host) {
+    const { cloudInitIntervalMs, cloudInitTimeoutMs } = this.bootWait;
+    const start = Date.now();
+    while (Date.now() - start < cloudInitTimeoutMs) {
+      try {
+        const out = this.sshExec(host, "cloud-init status --long 2>/dev/null || cloud-init status 2>/dev/null || echo status:\\ done");
+        if (/status:\s*done/.test(out))
+          return;
+        if (/status:\s*error/.test(out))
+          throw new Error(`cloud-init reported an error on ${host}:
+${out}`);
+      } catch (err) {
+        if (err instanceof Error && /cloud-init reported an error/.test(err.message))
+          throw err;
+      }
+      await this.sleep(cloudInitIntervalMs);
+    }
+    throw new Error(`Timed out waiting for cloud-init to finish on ${host} after ${cloudInitTimeoutMs}ms`);
+  }
   outputsFromState(state, server) {
     return {
       deployStoragePath: state.deployStoragePath || "/var/ts-cloud/staging",
@@ -81714,7 +82062,7 @@ class HetznerDriver {
       sshUser: state.sshUser || this.sshUser
     };
   }
-  sshBaseArgs(host) {
+  sshBaseArgs(host, extra = []) {
     return [
       "-i",
       this.sshPrivateKeyPath,
@@ -81722,6 +82070,7 @@ class HetznerDriver {
       "StrictHostKeyChecking=accept-new",
       "-o",
       "BatchMode=yes",
+      ...extra,
       `${this.sshUser}@${host}`
     ];
   }
@@ -81736,13 +82085,14 @@ class HetznerDriver {
       "BatchMode=yes",
       localPath,
       `${this.sshUser}@${host}:${remotePath}`
-    ].map((arg) => `"${arg.replace(/"/g, "\\\"")}"`).join(" "), { stdio: "pipe" });
+    ].map((arg) => `"${arg.replace(/"/g, "\\\"")}"`).join(" "), { stdio: "pipe", maxBuffer: SSH_MAX_BUFFER });
   }
   sshExec(host, script) {
     const escaped = script.replace(/'/g, `'\\''`);
     return execSync(`ssh ${this.sshBaseArgs(host).map((a) => `"${a.replace(/"/g, "\\\"")}"`).join(" ")} '${escaped}'`, {
       encoding: "utf8",
-      stdio: ["pipe", "pipe", "pipe"]
+      stdio: ["pipe", "pipe", "pipe"],
+      maxBuffer: SSH_MAX_BUFFER
     });
   }
 }
@@ -81792,12 +82142,14 @@ function buildSiteDeployScript(options) {
     artifactFetch,
     execStart,
     envEntries,
-    port
+    port,
+    preStartCommands = []
   } = options;
   const appDir = options.appDir ?? `/var/www/${siteName}`;
   const serviceName = `${slug}-${siteName}.service`;
   const envFile = Object.entries(envEntries).map(([k, v]) => `${k}=${JSON.stringify(String(v))}`).join(`
 `);
+  const preStart = preStartCommands.length > 0 ? [`cd ${appDir}`, ...preStartCommands] : [];
   return [
     "set -euo pipefail",
     ...artifactFetch,
@@ -81808,6 +82160,7 @@ function buildSiteDeployScript(options) {
     envFile,
     "TS_CLOUD_ENV_EOF",
     `chmod 600 ${appDir}/.env`,
+    ...preStart,
     `cat > /etc/systemd/system/${serviceName} <<'TS_CLOUD_UNIT_EOF'`,
     "[Unit]",
     `Description=${siteName} (managed by ts-cloud)`,
@@ -81831,6 +82184,19 @@ function buildSiteDeployScript(options) {
     `systemctl is-active ${serviceName}`
   ];
 }
+function buildStaticSiteDeployScript(options) {
+  const { siteName, artifactFetch, preStartCommands = [] } = options;
+  const appDir = options.appDir ?? `/var/www/${siteName}`;
+  const preStart = preStartCommands.length > 0 ? [`cd ${appDir}`, ...preStartCommands] : [];
+  return [
+    "set -euo pipefail",
+    ...artifactFetch,
+    `mkdir -p ${appDir}`,
+    `find ${appDir} -mindepth 1 -maxdepth 1 -exec rm -rf {} +`,
+    `tar xzf /tmp/${siteName}-release.tar.gz -C ${appDir}`,
+    ...preStart
+  ];
+}
 function buildAwsArtifactFetch(bucket, key, region, siteName) {
   return [
     `aws s3 cp "s3://${bucket}/${key}" /tmp/${siteName}-release.tar.gz --region ${region}`
@@ -81880,13 +82246,18 @@ async function deploySiteRelease(driver, options, logger4 = noopLogger) {
     targets
   });
   const artifactFetch = driver.name === "aws" ? buildAwsArtifactFetch(outputs.deployBucketName, remoteKey, config6.project.region || "us-east-1", siteName) : buildLocalArtifactFetch(uploadResult.artifactRef, siteName);
-  const remoteScript = buildSiteDeployScript({
+  const remoteScript = resolveSiteKind(site) === "server-static" ? buildStaticSiteDeployScript({
+    siteName,
+    artifactFetch,
+    preStartCommands: site.preStart
+  }) : buildSiteDeployScript({
     siteName,
     slug,
     artifactFetch,
     execStart: resolveExecStart(site.start, runtime),
     envEntries: site.env || {},
-    port: site.port
+    port: site.port,
+    preStartCommands: site.preStart
   });
   logger4.step(`Deploying to ${targets.length} target(s)...`);
   const result = await driver.runRemoteDeploy({
@@ -81918,8 +82289,11 @@ async function deployAllComputeSites(options) {
   const slug = config6.project.slug;
   const sites = config6.sites || {};
   const deployable = Object.entries(sites).filter(([name, site]) => {
-    if (!site?.start) {
-      logger4.warn(`Site '${name}' has no \`start\` command — skipping (compute mode requires every site to declare how to run).`);
+    if (!site)
+      return false;
+    const kind = resolveSiteKind(site);
+    if (kind === "bucket") {
+      logger4.warn(`Site '${name}' targets a bucket — skipping (handled by the static-site path, not compute).`);
       return false;
     }
     return true;
@@ -81971,6 +82345,7 @@ export {
   validateTemplateSize,
   validateTemplate,
   validateResourceLimits,
+  validateDeploymentConfig,
   validateCredentials,
   validateConfiguration,
   validateCommand,
@@ -81986,6 +82361,7 @@ export {
   suggestFlags,
   suggestCommand,
   storageAdvancedManager,
+  staticSiteServerRoot,
   staticSiteManager,
   stackDependencyManager,
   signRequestAsync,
@@ -82006,6 +82382,8 @@ export {
   resolveStorageBucketName,
   resolveSiteStackName,
   resolveSiteResourceName,
+  resolveSiteKind,
+  resolveSiteDeployTarget,
   resolveSiteBucketName,
   resolveRegion,
   resolveProjectStackName,
@@ -82015,11 +82393,13 @@ export {
   resolveDeployBucketName,
   resolveCredentials,
   resolveCloudProvider,
+  resolveCaddyfile,
   requiresReplacement,
   replicaManager,
   regionPairManager,
   quickHash,
   queueManagementManager,
+  proxyConfigFromSites,
   providerEndpoint,
   progressiveDeploymentManager,
   processInChunks,
@@ -82052,6 +82432,7 @@ export {
   lambdaConcurrencyManager,
   isWebCryptoAvailable,
   isValidRegion,
+  isOnDemandDomain,
   isNodeCryptoAvailable,
   isLocalDevelopment,
   isLikelyTypo,
@@ -82200,9 +82581,11 @@ export {
   certificateManager,
   categorizeChanges,
   canaryManager,
+  buildStaticSiteDeployScript,
   buildSiteDeployScript,
   buildOptimizationManager,
   buildCloudFormationTemplate,
+  buildCaddyfileFromProxy,
   buildCaddyfile,
   bounceComplaintHandler,
   blueGreenManager,