@stacksjs/ts-cloud 0.2.21 → 0.2.23

package/dist/index.js

@@ -2123,6 +2123,67 @@ class S3Client2 {
     });
     return result;
   }
+  async getObjectBytes(bucket, key) {
+    const { accessKeyId, secretAccessKey, sessionToken } = this.getCredentials();
+    const host = this.s3VirtualHost(bucket);
+    const encodedKey = key.split("/").map((seg) => encodeURIComponent(seg)).join("/");
+    const canonicalUri = this.forcePathStyle ? `/${bucket}/${encodedKey}` : `/${encodedKey}`;
+    const url = `https://${host}${canonicalUri}`;
+    const now = new Date;
+    const amzDate = now.toISOString().replace(/[:-]|\.\d{3}/g, "");
+    const dateStamp = now.toISOString().slice(0, 10).replace(/-/g, "");
+    const payloadHash = crypto3.createHash("sha256").update("").digest("hex");
+    const requestHeaders = {
+      host,
+      "x-amz-date": amzDate,
+      "x-amz-content-sha256": payloadHash
+    };
+    if (sessionToken) {
+      requestHeaders["x-amz-security-token"] = sessionToken;
+    }
+    const canonicalHeaders = Object.keys(requestHeaders).sort().map((k) => `${k.toLowerCase()}:${requestHeaders[k].trim()}
+`).join("");
+    const signedHeaders = Object.keys(requestHeaders).sort().map((k) => k.toLowerCase()).join(";");
+    const canonicalRequest = [
+      "GET",
+      canonicalUri,
+      "",
+      canonicalHeaders,
+      signedHeaders,
+      payloadHash
+    ].join(`
+`);
+    const algorithm = "AWS4-HMAC-SHA256";
+    const credentialScope = `${dateStamp}/${this.region}/s3/aws4_request`;
+    const stringToSign = [
+      algorithm,
+      amzDate,
+      credentialScope,
+      crypto3.createHash("sha256").update(canonicalRequest).digest("hex")
+    ].join(`
+`);
+    const kDate = crypto3.createHmac("sha256", `AWS4${secretAccessKey}`).update(dateStamp).digest();
+    const kRegion = crypto3.createHmac("sha256", kDate).update(this.region).digest();
+    const kService = crypto3.createHmac("sha256", kRegion).update("s3").digest();
+    const kSigning = crypto3.createHmac("sha256", kService).update("aws4_request").digest();
+    const signature = crypto3.createHmac("sha256", kSigning).update(stringToSign).digest("hex");
+    const authorizationHeader = `${algorithm} Credential=${accessKeyId}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}`;
+    const response = await fetch(url, {
+      method: "GET",
+      headers: { ...requestHeaders, Authorization: authorizationHeader }
+    });
+    if (!response.ok) {
+      const errorText = await response.text();
+      throw new Error(`S3 GET failed: ${response.status} ${errorText}`);
+    }
+    const buffer = await response.arrayBuffer();
+    const contentLengthHeader = response.headers.get("content-length");
+    return {
+      body: new Uint8Array(buffer),
+      contentType: response.headers.get("content-type") ?? undefined,
+      contentLength: contentLengthHeader ? Number.parseInt(contentLengthHeader, 10) : undefined
+    };
+  }
   async copyObject(options) {
     const headers = {
       "x-amz-copy-source": `/${options.sourceBucket}/${options.sourceKey}`
@@ -65570,6 +65631,165 @@ init_client();
 
 // src/object-storage/index.ts
 init_s3();
+
+// src/object-storage/migrate.ts
+function stripPrefix(key, prefix) {
+  if (!prefix)
+    return key;
+  return key.startsWith(prefix) ? key.slice(prefix.length) : key;
+}
+function remapKey(sourceKey, fromPrefix, toPrefix) {
+  const stripped = stripPrefix(sourceKey, fromPrefix);
+  return `${toPrefix ?? ""}${stripped}`;
+}
+function keyMatchesFilters(key, include, exclude) {
+  if (exclude && exclude.some((p) => key.startsWith(p)))
+    return false;
+  if (include && include.length > 0)
+    return include.some((p) => key.startsWith(p));
+  return true;
+}
+async function mapWithConcurrency(items, limit, worker) {
+  let cursor = 0;
+  const runners = [];
+  const size = Math.max(1, Math.min(limit, items.length || 1));
+  for (let i = 0;i < size; i++) {
+    runners.push((async () => {
+      while (true) {
+        const index = cursor++;
+        if (index >= items.length)
+          return;
+        await worker(items[index], index);
+      }
+    })());
+  }
+  await Promise.all(runners);
+}
+function clientFor(endpoint) {
+  if (endpoint.client)
+    return endpoint.client;
+  return createObjectStorageClient({
+    provider: endpoint.provider,
+    region: endpoint.region,
+    endpoint: endpoint.endpoint,
+    forcePathStyle: endpoint.forcePathStyle,
+    credentials: endpoint.credentials
+  });
+}
+async function migrateObjectStorage(options) {
+  const concurrency = options.concurrency ?? 8;
+  const fromClient = clientFor(options.from);
+  const toClient = clientFor(options.to);
+  const sourceObjects = await fromClient.listAllObjects({
+    bucket: options.from.bucket,
+    prefix: options.from.prefix
+  });
+  const result = {
+    copied: 0,
+    skipped: 0,
+    excluded: 0,
+    bytesCopied: 0,
+    errors: [],
+    excludedKeys: [],
+    deleted: []
+  };
+  const toCopy = [];
+  for (const obj of sourceObjects) {
+    if (!keyMatchesFilters(obj.Key, options.include, options.exclude)) {
+      result.excluded++;
+      result.excludedKeys.push(obj.Key);
+      continue;
+    }
+    toCopy.push({ source: obj, destKey: remapKey(obj.Key, options.from.prefix, options.to.prefix) });
+  }
+  if (options.dryRun) {
+    result.plan = toCopy.map(({ source, destKey }) => ({ key: source.Key, destKey, size: source.Size }));
+    const total2 = sourceObjects.length;
+    let index = 0;
+    for (const obj of sourceObjects) {
+      index++;
+      const excluded = !keyMatchesFilters(obj.Key, options.include, options.exclude);
+      options.onProgress?.({
+        key: obj.Key,
+        destKey: excluded ? "" : remapKey(obj.Key, options.from.prefix, options.to.prefix),
+        size: obj.Size,
+        action: excluded ? "excluded" : "planned",
+        index,
+        total: total2
+      });
+    }
+    return result;
+  }
+  const total = toCopy.length;
+  let processed = 0;
+  await mapWithConcurrency(toCopy, concurrency, async ({ source, destKey }) => {
+    const myIndex = ++processed;
+    try {
+      if (!options.force) {
+        const head = await toClient.headObject(options.to.bucket, destKey);
+        if (head && head.ContentLength === source.Size) {
+          result.skipped++;
+          options.onProgress?.({ key: source.Key, destKey, size: source.Size, action: "skipped", index: myIndex, total });
+          return;
+        }
+      }
+      const { body, contentType } = await fromClient.getObjectBytes(options.from.bucket, source.Key);
+      await toClient.putObject({
+        bucket: options.to.bucket,
+        key: destKey,
+        body,
+        contentType
+      });
+      result.copied++;
+      result.bytesCopied += body.byteLength;
+      options.onProgress?.({ key: source.Key, destKey, size: source.Size, action: "copied", index: myIndex, total });
+    } catch (err) {
+      result.errors.push({ key: source.Key, message: err?.message ?? String(err) });
+      options.onProgress?.({ key: source.Key, destKey, size: source.Size, action: "error", index: myIndex, total });
+    }
+  });
+  const copiedDestKeys = new Set(toCopy.map((c) => c.destKey));
+  if (options.deleteExtraneous) {
+    const destObjects = await toClient.listAllObjects({ bucket: options.to.bucket, prefix: options.to.prefix });
+    const extraneous = destObjects.filter((o) => !copiedDestKeys.has(o.Key)).map((o) => o.Key);
+    for (const key of extraneous) {
+      try {
+        await toClient.deleteObject(options.to.bucket, key);
+        result.deleted.push(key);
+      } catch (err) {
+        result.errors.push({ key, message: `delete failed: ${err?.message ?? String(err)}` });
+      }
+    }
+  }
+  if (options.verify) {
+    const destObjects = await toClient.listAllObjects({ bucket: options.to.bucket, prefix: options.to.prefix });
+    const destBySizeKey = new Map(destObjects.map((o) => [o.Key, o.Size]));
+    const missing = [];
+    const sizeMismatches = [];
+    let matched = 0;
+    for (const { source, destKey } of toCopy) {
+      if (!destBySizeKey.has(destKey)) {
+        missing.push(destKey);
+        continue;
+      }
+      const actual = destBySizeKey.get(destKey);
+      if (actual !== source.Size) {
+        sizeMismatches.push({ key: destKey, expected: source.Size, actual });
+        continue;
+      }
+      matched++;
+    }
+    result.verification = {
+      ok: missing.length === 0 && sizeMismatches.length === 0,
+      matched,
+      missing,
+      sizeMismatches
+    };
+  }
+  return result;
+}
+
+// src/object-storage/index.ts
 var DEFAULT_REGION = {
   aws: "us-east-1",
   backblaze: "us-west-004",
@@ -80931,6 +81151,77 @@ class AcmeClient {
     return this.accountKey;
   }
 }
+// src/deploy/site-target.ts
+function resolveSiteDeployTarget(site) {
+  if (site.deploy)
+    return site.deploy;
+  if (site.start)
+    return "server";
+  return "bucket";
+}
+function resolveSiteKind(site) {
+  const target = resolveSiteDeployTarget(site);
+  if (target === "bucket")
+    return "bucket";
+  return site.start ? "server-app" : "server-static";
+}
+function hasComputeConfigured(config6) {
+  return config6.infrastructure?.compute != null;
+}
+function validateDeploymentConfig(config6) {
+  const errors = [];
+  const warnings = [];
+  const sites = config6.sites || {};
+  const computeConfigured = hasComputeConfigured(config6);
+  const portOwners = new Map;
+  for (const [name, site] of Object.entries(sites)) {
+    if (!site) {
+      continue;
+    }
+    const target = resolveSiteDeployTarget(site);
+    const kind = resolveSiteKind(site);
+    if (target === "server" && !site.start && !site.root) {
+      errors.push(`Site '${name}' sets deploy:'server' but declares neither \`start\` (dynamic app) nor \`root\` (static site to serve). Add one.`);
+      continue;
+    }
+    if (kind === "server-app") {
+      if (!computeConfigured) {
+        errors.push(`Site '${name}' deploys to a server (deploy:'server'${site.deploy ? "" : " inferred from `start`"}) but no \`infrastructure.compute\` is configured. Set deploy:'bucket' or add a server (infrastructure.compute).`);
+      }
+      if (typeof site.port === "number") {
+        const existing = portOwners.get(site.port);
+        if (existing) {
+          errors.push(`Sites '${existing}' and '${name}' both use port ${site.port}. Server apps sharing a box must use distinct ports.`);
+        } else {
+          portOwners.set(site.port, name);
+        }
+      }
+    } else if (kind === "server-static") {
+      if (!site.root) {
+        errors.push(`Site '${name}' is a server static site (deploy:'server', no \`start\`) but has no \`root\` directory to serve.`);
+      }
+      if (!computeConfigured) {
+        errors.push(`Site '${name}' deploys to a server (deploy:'server') but no \`infrastructure.compute\` is configured. Set deploy:'bucket' or add a server (infrastructure.compute).`);
+      }
+    } else {
+      if (!site.root) {
+        errors.push(`Site '${name}' deploys to a bucket but has no \`root\` directory to upload.`);
+      }
+      const serverOnly = [];
+      if (site.start)
+        serverOnly.push("start");
+      if (typeof site.port === "number")
+        serverOnly.push("port");
+      if (site.preStart && site.preStart.length > 0)
+        serverOnly.push("preStart");
+      if (serverOnly.length > 0) {
+        warnings.push(`Site '${name}' deploys to a bucket but sets server-only field(s): ${serverOnly.join(", ")}. These are ignored. Set deploy:'server' to use them.`);
+      }
+    }
+  }
+  return { errors, warnings };
+}
+
 // src/deploy/index.ts
 init_static_site();
 init_static_site_external_dns();
@@ -81159,46 +81450,202 @@ import { join as join13 } from "node:path";
 import { execSync } from "node:child_process";
 
 // src/drivers/shared/caddyfile.ts
-function buildCaddyfile(sites) {
-  const allSites = Object.entries(sites);
-  const sitesWithDomain = allSites.filter(([, s]) => typeof s.domain === "string" && s.domain && typeof s.port === "number");
-  if (sitesWithDomain.length === 0)
+function isOnDemandDomain(domain) {
+  return domain === "*" || domain.includes("*");
+}
+function isStaticApp(app) {
+  return typeof app.root === "string" && app.root.length > 0;
+}
+function isProxyApp(app) {
+  return typeof app.port === "number";
+}
+function staticSiteServerRoot(name) {
+  return `/var/www/${name}`;
+}
+function normalizeOnDemandTls(onDemandTls) {
+  if (!onDemandTls)
     return;
-  const byDomain = new Map;
-  for (const [, site] of sitesWithDomain) {
-    const list = byDomain.get(site.domain) ?? [];
-    list.push({ port: site.port, path: site.path });
-    byDomain.set(site.domain, list);
+  if (onDemandTls === true)
+    return {};
+  return onDemandTls;
+}
+function wrapInHandle(body, path, indent) {
+  const inner = body.split(`
+`).map((line) => `  ${line}`).join(`
+`);
+  return `${indent}handle ${path} {
+${inner}
+${indent}}`;
+}
+function renderUpstreamBlock(app, indent) {
+  const host = app.upstreamHost || "localhost";
+  const upstream = `${host}:${app.port}`;
+  const directives = app.reverseProxyDirectives ?? [];
+  const proxyLine = directives.length === 0 ? `${indent}reverse_proxy ${upstream}` : [
+    `${indent}reverse_proxy ${upstream} {`,
+    ...directives.map((d) => `${indent}  ${d}`),
+    `${indent}}`
+  ].join(`
+`);
+  const isCatchAll = !app.path || app.path === "/";
+  if (isCatchAll)
+    return proxyLine;
+  return wrapInHandle(proxyLine, app.path, indent);
+}
+function renderStaticBlock(app, indent) {
+  const root = app.root;
+  const lines = [`${indent}root * ${root}`];
+  if (app.cache?.enabled) {
+    const maxAge = app.cache.maxAge ?? 3600;
+    lines.push(`${indent}header Cache-Control "public, max-age=${maxAge}"`);
+  }
+  if (app.spa) {
+    lines.push(`${indent}try_files {path} /index.html`);
+  } else if (app.pathRewriteStyle === "flat") {
+    lines.push(`${indent}try_files {path} {path}.html {path}/index.html`);
+  } else {
+    lines.push(`${indent}try_files {path} {path}/index.html {path}.html`);
   }
+  lines.push(`${indent}file_server`);
+  const body = lines.join(`
+`);
+  const isCatchAll = !app.path || app.path === "/";
+  if (isCatchAll)
+    return body;
+  return wrapInHandle(body, app.path, indent);
+}
+function renderAppBlock(app, indent) {
+  return isStaticApp(app) ? renderStaticBlock(app, indent) : renderUpstreamBlock(app, indent);
+}
+function groupAppsByDomains(apps) {
+  const groups = new Map;
+  for (const app of apps) {
+    const domains = [...app.domains].filter(Boolean);
+    if (domains.length === 0)
+      continue;
+    const key = [...domains].sort().join(" ");
+    const group = groups.get(key) ?? { domains, apps: [] };
+    group.apps.push(app);
+    groups.set(key, group);
+  }
+  return [...groups.values()];
+}
+function sortAppsByPath(apps) {
+  return [...apps].sort((a, b) => {
+    const aCatchAll = !a.path || a.path === "/";
+    const bCatchAll = !b.path || b.path === "/";
+    if (aCatchAll && !bCatchAll)
+      return 1;
+    if (!aCatchAll && bCatchAll)
+      return -1;
+    return (b.path?.length ?? 0) - (a.path?.length ?? 0);
+  });
+}
+function buildCaddyfileFromProxy(proxy) {
+  if (proxy.raw && proxy.raw.trim())
+    return proxy.raw.trim();
+  const apps = (proxy.apps ?? []).filter((app) => app.domains.length > 0 && (isProxyApp(app) || isStaticApp(app)));
+  if (apps.length === 0)
+    return;
+  const onDemand = normalizeOnDemandTls(proxy.onDemandTls);
+  const hasOnDemandDomain = apps.some((app) => app.domains.some(isOnDemandDomain));
+  const globalLines = [];
+  if (proxy.email)
+    globalLines.push(`email ${proxy.email}`);
+  if (proxy.staging)
+    globalLines.push("acme_ca https://acme-staging-v02.api.letsencrypt.org/directory");
+  if (onDemand) {
+    if (onDemand.ask || onDemand.interval || onDemand.burst != null) {
+      const inner = [];
+      if (onDemand.ask)
+        inner.push(`  ask ${onDemand.ask}`);
+      if (onDemand.interval || onDemand.burst != null) {
+        const rl = [];
+        if (onDemand.interval)
+          rl.push(`    interval ${onDemand.interval}`);
+        if (onDemand.burst != null)
+          rl.push(`    burst ${onDemand.burst}`);
+        inner.push(`  rate_limit {
+${rl.join(`
+`)}
+  }`);
+      }
+      globalLines.push(`on_demand_tls {
+${inner.join(`
+`)}
+}`);
+    } else {
+      globalLines.push(`on_demand_tls {
+}`);
+    }
+  }
+  for (const directive of proxy.globalDirectives ?? [])
+    globalLines.push(directive);
   const blocks = [];
-  for (const [domain, domainSites] of byDomain) {
-    const sorted = [...domainSites].sort((a, b) => {
-      const aIsCatchAll = !a.path || a.path === "/";
-      const bIsCatchAll = !b.path || b.path === "/";
-      if (aIsCatchAll && !bIsCatchAll)
-        return 1;
-      if (!aIsCatchAll && bIsCatchAll)
-        return -1;
-      return (b.path?.length ?? 0) - (a.path?.length ?? 0);
-    });
-    const handles = sorted.map((s) => {
-      const isCatchAll = !s.path || s.path === "/";
-      const inner = `reverse_proxy localhost:${s.port}`;
-      return isCatchAll ? `  handle {
-    ${inner}
-  }` : `  handle ${s.path} {
-    ${inner}
-  }`;
-    });
-    blocks.push(`${domain} {
-${handles.join(`
+  if (globalLines.length > 0)
+    blocks.push(`{
+${globalLines.map((line) => `  ${line}`).join(`
 `)}
 }`);
+  for (const group of groupAppsByDomains(apps)) {
+    const sorted = sortAppsByPath(group.apps);
+    const body = sorted.map((app) => renderAppBlock(app, "  ")).join(`
+`);
+    const needsOnDemand = onDemand && group.domains.some(isOnDemandDomain);
+    const tlsBlock = needsOnDemand ? `
+  tls {
+    on_demand
+  }` : "";
+    blocks.push(`${group.domains.join(", ")} {
+${body}${tlsBlock}
+}`);
+  }
+  if (hasOnDemandDomain && !onDemand) {
+    blocks.unshift(`# WARNING: wildcard/catch-all domain present but on_demand_tls is not enabled.
+` + "# Caddy cannot provision TLS for these hosts. Set compute.proxy.onDemandTls.");
   }
   return blocks.join(`
 
 `);
 }
+function proxyConfigFromSites(sites) {
+  const apps = [];
+  for (const [name, site] of Object.entries(sites)) {
+    if (typeof site.domain !== "string" || !site.domain)
+      continue;
+    if (typeof site.port === "number" && site.deploy !== "bucket") {
+      apps.push({
+        name,
+        domains: [site.domain],
+        port: site.port,
+        path: site.path
+      });
+    } else if (resolveSiteKind(site) === "server-static") {
+      apps.push({
+        name,
+        domains: [site.domain],
+        root: staticSiteServerRoot(name),
+        path: site.path,
+        spa: site.spa,
+        pathRewriteStyle: site.pathRewriteStyle,
+        cache: site.cache
+      });
+    }
+  }
+  return { apps };
+}
+function resolveCaddyfile(sites, proxy) {
+  if (proxy) {
+    if (proxy.raw && proxy.raw.trim())
+      return proxy.raw.trim();
+    const resolved = proxy.apps && proxy.apps.length > 0 ? proxy : { ...proxy, apps: proxyConfigFromSites(sites).apps };
+    return buildCaddyfileFromProxy(resolved);
+  }
+  return buildCaddyfileFromProxy(proxyConfigFromSites(sites));
+}
+function buildCaddyfile(sites) {
+  return buildCaddyfileFromProxy(proxyConfigFromSites(sites));
+}
 
 // src/drivers/hetzner/client.ts
 var DEFAULT_API_URL = "https://api.hetzner.cloud/v1";
@@ -81223,10 +81670,20 @@ class HetznerClient {
       body: body === undefined ? undefined : JSON.stringify(body)
     });
     const text = await response.text();
-    const data = text ? JSON.parse(text) : {};
+    let data;
+    try {
+      data = text ? JSON.parse(text) : {};
+    } catch {
+      if (!response.ok) {
+        const snippet = text.trim().slice(0, 200) || response.statusText || "Hetzner API error";
+        throw new Error(`Hetzner API ${method} ${path} (${response.status}): ${snippet}`);
+      }
+      throw new Error(`Hetzner API ${method} ${path}: unexpected non-JSON response`);
+    }
     if (!response.ok) {
       const message = data.error?.message || response.statusText || "Hetzner API error";
-      throw new Error(`Hetzner API ${method} ${path}: ${message}`);
+      const code = data.error?.code ? ` [${data.error.code}]` : "";
+      throw new Error(`Hetzner API ${method} ${path} (${response.status})${code}: ${message}`);
     }
     return data;
   }
@@ -81270,6 +81727,12 @@ class HetznerClient {
     });
     return { firewall: data.firewall, actions: data.actions };
   }
+  async setFirewallRules(firewallId, rules) {
+    const data = await this.request("POST", `/firewalls/${firewallId}/actions/set_rules`, {
+      rules
+    });
+    return data.actions ?? [];
+  }
   async applyFirewallToResources(firewallId, applyTo) {
     const data = await this.request("POST", `/firewalls/${firewallId}/actions/apply_to_resources`, {
       apply_to: applyTo
@@ -81536,6 +81999,8 @@ class HetznerDriver {
   sshPublicKeyPath;
   sshUser;
   location;
+  waitForBoot;
+  bootWait;
   constructor(options = {}) {
     this.client = options.client ?? new HetznerClient({
       apiToken: resolveHetznerApiToken(options.apiToken)
@@ -81544,6 +82009,13 @@ class HetznerDriver {
     this.sshPublicKeyPath = expandHome(options.sshPublicKeyPath || process.env.HCLOUD_SSH_PUBLIC_KEY || `${this.sshPrivateKeyPath}.pub`);
     this.sshUser = options.sshUser || process.env.HCLOUD_SSH_USER || "root";
     this.location = options.location || process.env.HCLOUD_LOCATION || "fsn1";
+    this.waitForBoot = options.waitForBoot ?? true;
+    this.bootWait = {
+      sshIntervalMs: options.bootWait?.sshIntervalMs ?? 5000,
+      sshTimeoutMs: options.bootWait?.sshTimeoutMs ?? 300000,
+      cloudInitIntervalMs: options.bootWait?.cloudInitIntervalMs ?? 5000,
+      cloudInitTimeoutMs: options.bootWait?.cloudInitTimeoutMs ?? 600000
+    };
   }
   async provisionComputeInfrastructure(options) {
     const { config: config6, environment } = options;
@@ -81553,16 +82025,32 @@ class HetznerDriver {
       throw new Error("infrastructure.compute is required to provision Hetzner compute");
     }
     const stackName = resolveProjectStackName(config6, environment);
+    const serverName = `${slug}-${environment}-app`;
     const existing = await readDriverState(stackName);
     if (existing?.serverId) {
-      const server2 = await this.client.getServer(existing.serverId);
-      if (server2.status !== "off") {
+      const server2 = await this.tryGetServer(existing.serverId);
+      if (server2 && server2.status !== "off") {
         return this.outputsFromState(existing, server2);
       }
     }
+    const labels = tsCloudLabels(slug, environment, "app");
+    const alreadyRunning = await this.findExistingServer(slug, environment, serverName);
+    if (alreadyRunning && alreadyRunning.status !== "off") {
+      const rehydrated = {
+        provider: "hetzner",
+        stackName,
+        serverId: alreadyRunning.id,
+        serverName: alreadyRunning.name,
+        publicIp: alreadyRunning.public_net.ipv4?.ip,
+        deployStoragePath: "/var/ts-cloud/staging",
+        sshUser: this.sshUser
+      };
+      await writeDriverState(stackName, rehydrated);
+      return this.outputsFromState(rehydrated, alreadyRunning);
+    }
     const sites = config6.sites || {};
-    const sitePorts = Object.values(sites).map((site) => site.port).filter((port) => typeof port === "number" && ![80, 443].includes(port));
-    const caddyfile = buildCaddyfile(sites);
+    const caddyfile = resolveCaddyfile(sites, compute.proxy);
+    const sitePorts = caddyfile ? [] : this.collectUpstreamPorts(sites, compute.proxy);
     const bootstrap = generateUbuntuAppCloudInit({
       runtime: compute.runtime || "bun",
       runtimeVersion: compute.runtimeVersion || "latest",
@@ -81571,19 +82059,13 @@ class HetznerDriver {
       caddyfile
     });
     const userData = wrapCloudInitUserData(bootstrap);
-    const serverName = `${slug}-${environment}-app`;
     const serverType = resolveHetznerServerType(compute.size);
     const image = compute.image || config6.hetzner?.image || "ubuntu-24.04";
-    const labels = tsCloudLabels(slug, environment, "app");
     const firewallName = `${slug}-${environment}-app-fw`;
-    const { firewall } = await this.client.createFirewall({
-      name: firewallName,
-      labels,
-      rules: buildHetznerFirewallRules({
-        allowSsh: compute.allowSsh !== false,
-        sitePorts
-      })
-    });
+    const { firewall } = await this.ensureFirewall(firewallName, labels, buildHetznerFirewallRules({
+      allowSsh: compute.allowSsh !== false,
+      sitePorts
+    }));
     const sshKeyId = await this.ensureSshKey(slug, environment, labels);
     const { server, action } = await this.client.createServer({
       name: serverName,
@@ -81608,6 +82090,11 @@ class HetznerDriver {
       sshUser: this.sshUser
     };
     await writeDriverState(stackName, state);
+    const ip = running.public_net.ipv4?.ip;
+    if (ip && this.waitForBoot) {
+      await this.waitForSshReady(ip);
+      await this.waitForCloudInit(ip);
+    }
     return this.outputsFromState(state, running);
   }
   async getComputeOutputs(options) {
@@ -81714,6 +82201,79 @@ class HetznerDriver {
     });
     return created.id;
   }
+  async tryGetServer(id) {
+    try {
+      return await this.client.getServer(id);
+    } catch {
+      return null;
+    }
+  }
+  async findExistingServer(slug, environment, serverName) {
+    const servers = await this.client.listServers();
+    return servers.find((server) => matchesTsCloudLabels(server.labels, slug, environment, "app") || server.name === serverName);
+  }
+  async ensureFirewall(name, labels, rules) {
+    const existing = await this.client.listFirewalls();
+    const match = existing.find((fw) => fw.name === name);
+    if (match) {
+      await this.client.setFirewallRules(match.id, rules);
+      return { firewall: match };
+    }
+    const { firewall } = await this.client.createFirewall({ name, labels, rules });
+    return { firewall };
+  }
+  collectUpstreamPorts(sites, proxy) {
+    const ports = new Set;
+    for (const app of proxy?.apps ?? []) {
+      if (typeof app.port === "number")
+        ports.add(app.port);
+    }
+    for (const site of Object.values(sites)) {
+      if (typeof site.port === "number")
+        ports.add(site.port);
+    }
+    return [...ports].filter((port) => ![80, 443].includes(port));
+  }
+  async sleep(ms) {
+    await new Promise((resolve13) => setTimeout(resolve13, ms));
+  }
+  async waitForSshReady(host) {
+    const { sshIntervalMs, sshTimeoutMs } = this.bootWait;
+    const start = Date.now();
+    let lastErr;
+    while (Date.now() - start < sshTimeoutMs) {
+      try {
+        execSync(`ssh ${this.sshBaseArgs(host, ["-o", "ConnectTimeout=5"]).map((a) => `"${a.replace(/"/g, "\\\"")}"`).join(" ")} true`, {
+          stdio: "pipe",
+          maxBuffer: SSH_MAX_BUFFER
+        });
+        return;
+      } catch (err) {
+        lastErr = err;
+        await this.sleep(sshIntervalMs);
+      }
+    }
+    throw new Error(`Timed out waiting for SSH on ${host} after ${sshTimeoutMs}ms: ${lastErr?.message ?? "unknown error"}`);
+  }
+  async waitForCloudInit(host) {
+    const { cloudInitIntervalMs, cloudInitTimeoutMs } = this.bootWait;
+    const start = Date.now();
+    while (Date.now() - start < cloudInitTimeoutMs) {
+      try {
+        const out = this.sshExec(host, "cloud-init status --long 2>/dev/null || cloud-init status 2>/dev/null || echo status:\\ done");
+        if (/status:\s*done/.test(out))
+          return;
+        if (/status:\s*error/.test(out))
+          throw new Error(`cloud-init reported an error on ${host}:
+${out}`);
+      } catch (err) {
+        if (err instanceof Error && /cloud-init reported an error/.test(err.message))
+          throw err;
+      }
+      await this.sleep(cloudInitIntervalMs);
+    }
+    throw new Error(`Timed out waiting for cloud-init to finish on ${host} after ${cloudInitTimeoutMs}ms`);
+  }
   outputsFromState(state, server) {
     return {
       deployStoragePath: state.deployStoragePath || "/var/ts-cloud/staging",
@@ -81722,7 +82282,7 @@ class HetznerDriver {
       sshUser: state.sshUser || this.sshUser
     };
   }
-  sshBaseArgs(host) {
+  sshBaseArgs(host, extra = []) {
     return [
       "-i",
       this.sshPrivateKeyPath,
@@ -81730,6 +82290,7 @@ class HetznerDriver {
       "StrictHostKeyChecking=accept-new",
       "-o",
       "BatchMode=yes",
+      ...extra,
       `${this.sshUser}@${host}`
     ];
   }
@@ -81843,6 +82404,19 @@ function buildSiteDeployScript(options) {
     `systemctl is-active ${serviceName}`
   ];
 }
+function buildStaticSiteDeployScript(options) {
+  const { siteName, artifactFetch, preStartCommands = [] } = options;
+  const appDir = options.appDir ?? `/var/www/${siteName}`;
+  const preStart = preStartCommands.length > 0 ? [`cd ${appDir}`, ...preStartCommands] : [];
+  return [
+    "set -euo pipefail",
+    ...artifactFetch,
+    `mkdir -p ${appDir}`,
+    `find ${appDir} -mindepth 1 -maxdepth 1 -exec rm -rf {} +`,
+    `tar xzf /tmp/${siteName}-release.tar.gz -C ${appDir}`,
+    ...preStart
+  ];
+}
 function buildAwsArtifactFetch(bucket, key, region, siteName) {
   return [
     `aws s3 cp "s3://${bucket}/${key}" /tmp/${siteName}-release.tar.gz --region ${region}`
@@ -81892,7 +82466,11 @@ async function deploySiteRelease(driver, options, logger4 = noopLogger) {
     targets
   });
   const artifactFetch = driver.name === "aws" ? buildAwsArtifactFetch(outputs.deployBucketName, remoteKey, config6.project.region || "us-east-1", siteName) : buildLocalArtifactFetch(uploadResult.artifactRef, siteName);
-  const remoteScript = buildSiteDeployScript({
+  const remoteScript = resolveSiteKind(site) === "server-static" ? buildStaticSiteDeployScript({
+    siteName,
+    artifactFetch,
+    preStartCommands: site.preStart
+  }) : buildSiteDeployScript({
     siteName,
     slug,
     artifactFetch,
@@ -81931,8 +82509,11 @@ async function deployAllComputeSites(options) {
   const slug = config6.project.slug;
   const sites = config6.sites || {};
   const deployable = Object.entries(sites).filter(([name, site]) => {
-    if (!site?.start) {
-      logger4.warn(`Site '${name}' has no \`start\` command — skipping (compute mode requires every site to declare how to run).`);
+    if (!site)
+      return false;
+    const kind = resolveSiteKind(site);
+    if (kind === "bucket") {
+      logger4.warn(`Site '${name}' targets a bucket — skipping (handled by the static-site path, not compute).`);
       return false;
     }
     return true;
@@ -81984,6 +82565,7 @@ export {
   validateTemplateSize,
   validateTemplate,
   validateResourceLimits,
+  validateDeploymentConfig,
   validateCredentials,
   validateConfiguration,
   validateCommand,
@@ -81999,6 +82581,7 @@ export {
   suggestFlags,
   suggestCommand,
   storageAdvancedManager,
+  staticSiteServerRoot,
   staticSiteManager,
   stackDependencyManager,
   signRequestAsync,
@@ -82019,6 +82602,8 @@ export {
   resolveStorageBucketName,
   resolveSiteStackName,
   resolveSiteResourceName,
+  resolveSiteKind,
+  resolveSiteDeployTarget,
   resolveSiteBucketName,
   resolveRegion,
   resolveProjectStackName,
@@ -82028,11 +82613,14 @@ export {
   resolveDeployBucketName,
   resolveCredentials,
   resolveCloudProvider,
+  resolveCaddyfile,
   requiresReplacement,
   replicaManager,
+  remapKey,
   regionPairManager,
   quickHash,
   queueManagementManager,
+  proxyConfigFromSites,
   providerEndpoint,
   progressiveDeploymentManager,
   processInChunks,
@@ -82050,6 +82638,7 @@ export {
   multiRegionManager,
   multiAccountManager,
   migrationManager,
+  migrateObjectStorage,
   metricsManager,
   mergeInfrastructure,
   makeAWSRequestOnce,
@@ -82063,8 +82652,10 @@ export {
   lambdaDestinationsManager,
   lambdaDLQManager,
   lambdaConcurrencyManager,
+  keyMatchesFilters,
   isWebCryptoAvailable,
   isValidRegion,
+  isOnDemandDomain,
   isNodeCryptoAvailable,
   isLocalDevelopment,
   isLikelyTypo,
@@ -82213,9 +82804,11 @@ export {
   certificateManager,
   categorizeChanges,
   canaryManager,
+  buildStaticSiteDeployScript,
   buildSiteDeployScript,
   buildOptimizationManager,
   buildCloudFormationTemplate,
+  buildCaddyfileFromProxy,
   buildCaddyfile,
   bounceComplaintHandler,
   blueGreenManager,