@supatype/cli 0.1.0-alpha.12 → 0.1.0-alpha.14

package/dist/self-host-compose.js

@@ -1,7 +1,7 @@
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { dirname, join, relative, resolve } from "node:path";
 import { spawnSync } from "node:child_process";
-import { preferredFunctionsPathFromProject } from "./project-config.js";
+import { preferredFunctionsPathFromProject, selfHostTlsEnabled } from "./project-config.js";
 import { hasEngineOverride, hasStudioOverride, pinnedVersion, fetchLatestVersion, VERSION_PIN_LOCAL } from "./binary-cache.js";
 import { buildKongDeclarative } from "./kong-config.js";
 /** Env keys written when `versions` pins exist in supatype.config.ts. */
@@ -196,6 +196,11 @@ export function renderSelfHostCompose(config, cwd = process.cwd(), options) {
     const projectMount = projectMountPath(cwd);
     const kongMount = kongMountPath(cwd);
     const devLocal = options?.devLocal === true;
+    const tlsEnabled = selfHostTlsEnabled(config, devLocal);
+    const domain = config.server.domain?.trim() ?? "";
+    // When TLS is on, default external URLs to https://<domain> so auth links/redirects use HTTPS.
+    const externalUrlFallback = tlsEnabled ? `https://${domain}` : "http://localhost:18473";
+    const siteUrlFallback = tlsEnabled ? `https://${domain}` : "http://localhost:3000";
     const studioHostDev = devLocal && hasStudioOverride(config);
     const appEnv = serverAppEnvForCompose(config, devLocal);
     const staticDir = staticDirForCompose(config) ?? "./dist";
@@ -207,7 +212,7 @@ export function renderSelfHostCompose(config, cwd = process.cwd(), options) {
   studio:
 ${studioService}
     environment:
-      SUPATYPE_CLOUD_JSON: '{"url":"\${API_EXTERNAL_URL:-http://localhost:18473}","anonKey":"\${ANON_KEY:-}"}'
+      SUPATYPE_CLOUD_JSON: '{"url":"\${API_EXTERNAL_URL:-${externalUrlFallback}}","anonKey":"\${ANON_KEY:-}"}'
     expose:
       - "3002"
 `;
@@ -237,6 +242,43 @@ ${studioService}
         : `    ports:
       - "9000:9000"
       - "9001:9001"
+`;
+    const kongTlsEnv = tlsEnabled
+        ? `      KONG_PROXY_LISTEN: "0.0.0.0:8000, 0.0.0.0:8443 ssl"
+      KONG_LUA_SSL_TRUSTED_CERTIFICATE: system
+`
+        : "";
+    const kongPorts = tlsEnabled
+        ? `      - "80:8000"
+      - "443:8443"`
+        : `      - "\${SUPATYPE_KONG_PORT:-18473}:8000"`;
+    const kongTlsDependsOn = tlsEnabled ? "\n      - valkey" : "";
+    const valkeyBlock = tlsEnabled
+        ? `
+  valkey:
+    image: \${SUPATYPE_VALKEY_IMAGE:-valkey/valkey:8-alpine}
+    command: ["valkey-server", "--appendonly", "yes"]
+    expose:
+      - "6379"
+    volumes:
+      - valkey-data:/data
+`
+        : "";
+    const tlsHintComment = tlsEnabled
+        ? ""
+        : `  # HTTPS is off. To enable automatic TLS (Let's Encrypt) for production, set in supatype.config.ts:
+  #   server: { mode: "standalone", domain: "your.domain", tls: { email: "you@example.com" } }
+  # then re-run \`supatype self-host compose up -d\`. Kong publishes :80/:443 and provisions certs automatically.
+`;
+    const volumesBlock = tlsEnabled
+        ? `volumes:
+  db-data:
+  minio-data:
+  valkey-data:
+`
+        : `volumes:
+  db-data:
+  minio-data:
 `;
     return `# Generated by supatype self-host compose
 # Kong → supatype-server (unified gateway) → internal PostgREST / storage / etc.
@@ -297,12 +339,12 @@ ${dbPorts}    volumes:
       SUPATYPE_FUNCTIONS_ROOT: /project/functions
       SUPATYPE_DENO_FUNCTIONS_DIR: /project/functions
       PORT: "8001"
-      SUPATYPE_URL: \${API_EXTERNAL_URL:-http://localhost:18473}
+      SUPATYPE_URL: \${API_EXTERNAL_URL:-${externalUrlFallback}}
       SUPATYPE_ANON_KEY: \${ANON_KEY:-}
       SUPATYPE_SERVICE_ROLE_KEY: \${SERVICE_ROLE_KEY:-}
       STRIPE_SECRET_KEY: \${STRIPE_SECRET_KEY:-}
       STRIPE_WEBHOOK_SECRET: \${STRIPE_WEBHOOK_SECRET:-}
-      SITE_URL: \${SITE_URL:-\${API_EXTERNAL_URL:-http://localhost:18473}}
+      SITE_URL: \${SITE_URL:-\${API_EXTERNAL_URL:-${externalUrlFallback}}}
     depends_on:
       db:
         condition: service_healthy
@@ -341,7 +383,7 @@ ${serverPorts}    volumes:
       SUPATYPE_POSTGREST_URL: http://postgrest:3000
       SUPATYPE_GRAPHQL_URL: http://postgrest:3000
       SUPATYPE_STORAGE_URL: http://storage:5000
-      SUPATYPE_URL: \${API_EXTERNAL_URL:-http://localhost:18473}
+      SUPATYPE_URL: \${API_EXTERNAL_URL:-${externalUrlFallback}}
       SUPATYPE_ANON_KEY: \${ANON_KEY:-}
       SUPATYPE_SERVICE_ROLE_KEY: \${SERVICE_ROLE_KEY:-}
       SUPATYPE_SQL_DATABASE_URL: "postgresql://\${POSTGRES_USER:-supatype_admin}:\${POSTGRES_PASSWORD:-postgres}@db:5432/\${POSTGRES_DB:-supatype}"
@@ -351,11 +393,11 @@ ${serverPorts}    volumes:
 ${appEnv}
       GOTRUE_API_HOST: 0.0.0.0
       GOTRUE_API_PORT: 9999
-      API_EXTERNAL_URL: \${API_EXTERNAL_URL:-http://localhost:18473}
-      GOTRUE_API_EXTERNAL_URL: \${API_EXTERNAL_URL:-http://localhost:18473}
+      API_EXTERNAL_URL: \${API_EXTERNAL_URL:-${externalUrlFallback}}
+      GOTRUE_API_EXTERNAL_URL: \${API_EXTERNAL_URL:-${externalUrlFallback}}
       GOTRUE_DB_DRIVER: postgres
       GOTRUE_DB_DATABASE_URL: "postgres://\${POSTGRES_USER:-supatype_admin}:\${POSTGRES_PASSWORD:-postgres}@db:5432/\${POSTGRES_DB:-supatype}?search_path=auth"
-      GOTRUE_SITE_URL: \${SITE_URL:-http://localhost:3000}
+      GOTRUE_SITE_URL: \${SITE_URL:-${siteUrlFallback}}
       GOTRUE_JWT_SECRET: \${JWT_SECRET:-super-secret-jwt-token-change-in-production}
       GOTRUE_JWT_EXP: 3600
       GOTRUE_JWT_AUD: authenticated
@@ -395,8 +437,7 @@ ${minioPorts}    volumes:
     depends_on:
       db:
         condition: service_healthy
-${studioBlock}
-  kong:
+${studioBlock}${valkeyBlock}${tlsHintComment}  kong:
     image: kong:3.6
     environment:
       KONG_DATABASE: "off"
@@ -405,17 +446,14 @@ ${studioBlock}
       KONG_ADMIN_ACCESS_LOG: /dev/stdout
       KONG_PROXY_ERROR_LOG: /dev/stderr
       KONG_ADMIN_ERROR_LOG: /dev/stderr
-    volumes:
+${kongTlsEnv}    volumes:
       - ${kongMount}:/etc/kong/kong.yml:ro
     ports:
-      - "\${SUPATYPE_KONG_PORT:-18473}:8000"
+${kongPorts}
     depends_on:
-${kongDependsOn}
+${kongDependsOn}${kongTlsDependsOn}
 
-volumes:
-  db-data:
-  minio-data:
-`;
+${volumesBlock}`;
 }
 function ensureComposeManifest(cwd) {
     const manifestPath = join(cwd, ".supatype", "manifest.json");
@@ -441,12 +479,18 @@ export function writeSelfHostCompose(cwd, config, options) {
     ensureComposeManifest(cwd);
     writeFileSync(paths.composePath, renderSelfHostCompose(config, cwd, options), "utf8");
     const studioHostDev = options?.devLocal === true && hasStudioOverride(config);
+    const tlsEnabled = selfHostTlsEnabled(config, options?.devLocal === true);
+    const domain = config.server.domain?.trim();
+    const acmeEmail = config.server.tls?.email?.trim();
     writeFileSync(paths.kongPath, buildKongDeclarative({
         unifiedGateway: true,
         ...(studioHostDev && {
             studioServiceUrl: COMPOSE_STUDIO_HOST_URL,
             studioStripPath: false,
         }),
+        ...(tlsEnabled && domain && acmeEmail
+            ? { acme: { email: acmeEmail, domain, redisHost: "valkey" } }
+            : {}),
     }), "utf8");
     return paths;
 }

package/dist/self-host-compose.js.map

@@ -1 +1 @@
-{"version":3,"file":"self-host-compose.js","sourceRoot":"","sources":["../src/self-host-compose.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AAC5E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC9C,OAAO,EAAE,iCAAiC,EAA8B,MAAM,qBAAqB,CAAA;AACnG,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,aAAa,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAA;AAC9H,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAA;AAEvD,yEAAyE;AACzE,MAAM,CAAC,MAAM,6BAA6B,GAAG;IAC3C,uBAAuB;IACvB,uBAAuB;IACvB,yBAAyB;CACjB,CAAA;AAEV,wEAAwE;AACxE,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,GAAG,6BAA6B;IAChC,8BAA8B;IAC9B,qBAAqB;IACrB,uBAAuB;IACvB,wBAAwB;IACxB,iCAAiC;CACzB,CAAA;AAIV,gEAAgE;AAChE,MAAM,UAAU,cAAc,CAC5B,SAA6B,EAC7B,OAAe,EACf,MAA8B;IAE9B,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAA;IAC9B,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,QAAQ;YACX,OAAO,0BAA0B,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,EAAE,EAAE,CAAA;QACtF,KAAK,QAAQ;YACX,OAAO,mBAAmB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,EAAE,EAAE,CAAA;QAC/E,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,MAAM,QAAQ,GAAG,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,CAAA;YAChD,IAAI,QAAQ;gBAAE,OAAO,QAAQ,CAAA;YAC7B,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAAE,OAAO,qBAAqB,OAAO,EAAE,CAAA;YACtE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;YACnC,OAAO,qBAAqB,KAAK,SAAS,CAAA;QAC5C,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAA6B;IACjE,MAAM,GAAG,GAA2B,EAAE,CAAA;IACtC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAA;IAChC,IAAI,CAAC,QAAQ;QAAE,OAAO,GAAG,CAAA;IAEzB,IAAI,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC7D,GAAG,CAAC,qBAAqB,GAAG,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAA;IACvE,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC7D,GAAG,CAAC,qBAAqB,GAAG,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAA;IACvE,CAAC;IACD,IAAI,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,KAAK,iBAAiB,EAAE,CAAC;QACjE,GAAG,CAAC,uBAAuB,GAAG,cAAc,CAAC,UAAU,EAAE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;IACrF,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,8FAA8F;AAC9F,MAAM,UAAU,0BAA0B,CAAC,GAAW;IACpD,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAA;IAC1B,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAA;IACzB,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAA;IAC1F,IAAI,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAA;IACjC,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IACxC,IAAI,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IACzC,OAAO,KAAK,CAAA;AACd,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAA6B;IAC/D,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAA;IAChC,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAA;IAC3B,OAAO,CACL,QAAQ,CAAC,MAAM,KAAK,iBAAiB;QACrC,QAAQ,CAAC,MAAM,KAAK,iBAAiB;QACrC,QAAQ,CAAC,QAAQ,KAAK,iBAAiB;QACvC,QAAQ,CAAC,IAAI,KAAK,iBAAiB,CACpC,CAAA;AACH,CAAC;AAED,SAAS,yBAAyB,CAAC,GAAW;IAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IACpC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAA;IACnC,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAC1C,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,KAAK,MAAM,GAAG,IAAI,sBAAsB,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,IAAI,GAAG,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAA;QAC1D,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;IAC9C,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,8BAA8B,CAC5C,MAA6B,EAC7B,MAAc,OAAO,CAAC,GAAG,EAAE;IAE3B,IAAI,mBAAmB,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAA;IAC5C,OAAO,yBAAyB,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,0BAA0B,CAAC,GAAG,CAAC,CAAC,CAAA;AACvF,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,MAA6B;IAE7B,MAAM,MAAM,GAAG,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;IAC9C,IAAI,MAAM,KAAK,iBAAiB;QAAE,OAAO,SAAS,CAAA;IAClD,IAAI,MAAM;QAAE,OAAO,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;IACnD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,QAAQ,CAAC,CAAA;IAClD,OAAO,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;AAC1C,CAAC;AASD,MAAM,UAAU,oBAAoB,CAAC,GAAW;IAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,WAAW,EAAE,WAAW,CAAC,CAAA;IAClD,OAAO;QACL,GAAG;QACH,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,oBAAoB,CAAC;QAC5C,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC;QAC/B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC;KACnC,CAAA;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,MAA6B;IACjE,IAAI,MAAM,CAAC,GAAG,CAAC,IAAI,KAAK,OAAO;QAAE,OAAO,SAAS,CAAA;IACjD,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAA;IAC5C,OAAO,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAA;AAC/D,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAA6B;IAC/D,IAAI,MAAM,CAAC,GAAG,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAA;IAClD,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE,CAAA;IACzC,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU,CAAA;AACjD,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,yFAAyF;AACzF,SAAS,uBAAuB,CAAC,GAAW,EAAE,MAAc;IAC1D,IAAI,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;IACrE,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACjD,GAAG,GAAG,KAAK,GAAG,EAAE,CAAA;IAClB,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,OAAO,8BAA8B,CAAA;AACvC,CAAC;AAED,oEAAoE;AACpE,MAAM,CAAC,MAAM,uBAAuB,GAAG,kCAAkC,CAAA;AAEzE,wFAAwF;AACxF,SAAS,kBAAkB;IACzB,OAAO,8DAA8D,CAAA;AACvE,CAAC;AAED,qFAAqF;AACrF,SAAS,uBAAuB,CAAC,QAAgB,EAAE,QAAiB;IAClE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC/B,IAAI,CAAC,QAAQ;QAAE,OAAO,OAAO,CAAA;IAC7B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAA;QAC5B,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACjE,GAAG,CAAC,QAAQ,GAAG,sBAAsB,CAAA;YACrC,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAA;QACvB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uCAAuC;IACzC,CAAC;IACD,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,SAAS,sBAAsB,CAAC,MAA6B,EAAE,QAAiB;IAC9E,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,CAAA;IACtC,MAAM,KAAK,GAAG,CAAC,4BAA4B,IAAI,EAAE,CAAC,CAAA;IAClD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,mBAAmB,CAAC,MAAM,CAAC,IAAI,UAAU,CAAA;QACrD,KAAK,CAAC,IAAI,CAAC,2CAA2C,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,EAAE,CAAC,CAAA;IACnF,CAAC;SAAM,IAAI,IAAI,KAAK,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC;QAC3D,KAAK,CAAC,IAAI,CAAC,gCAAgC,uBAAuB,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAA;IACtG,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AACzB,CAAC;AAOD,MAAM,UAAU,qBAAqB,CACnC,MAA6B,EAC7B,MAAc,OAAO,CAAC,GAAG,EAAE,EAC3B,OAAgC;IAEhC,MAAM,YAAY,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,CAAA;IACpC,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,KAAK,IAAI,CAAA;IAC3C,MAAM,aAAa,GAAG,QAAQ,IAAI,iBAAiB,CAAC,MAAM,CAAC,CAAA;IAC3D,MAAM,MAAM,GAAG,sBAAsB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;IACvD,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,CAAC,IAAI,QAAQ,CAAA;IACzD,MAAM,cAAc,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;IAC9D,MAAM,aAAa,GAAG,kBAAkB,EAAE,CAAA;IAC1C,MAAM,WAAW,GAAG,aAAa;QAC/B,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC;;EAEJ,aAAa;;;;;CAKd,CAAA;IACC,MAAM,aAAa,GAAG,aAAa;QACjC,CAAC,CAAC;sBACgB;QAClB,CAAC,CAAC;;sBAEgB,CAAA;IACpB,MAAM,eAAe,GAAG,CAAC,QAAQ,IAAI,iBAAiB,CAAC,MAAM,CAAC,CAAA;IAC9D,MAAM,OAAO,GAAG,eAAe;QAC7B,CAAC,CAAC,QAAQ;YACR,CAAC,CAAC;;CAEP;YACK,CAAC,CAAC;;CAEP;QACG,CAAC,CAAC,EAAE,CAAA;IACN,MAAM,WAAW,GAAG,QAAQ;QAC1B,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC;;CAEL,CAAA;IACC,MAAM,UAAU,GAAG,QAAQ;QACzB,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC;;;CAGL,CAAA;IAEC,OAAO;;;;;;;;;EASP,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;UA6CC,YAAY;;;;;;;;;;;;;;;;;;;;UAoBZ,YAAY;;;;8BAIQ,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;;;;uCAI1B,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;;8BAEvC,cAAc;;;;;;;;EAQ1C,WAAW;UACH,YAAY;;;uBAGC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,YAAY;;;;;;;;;;;;;;EAcpD,MAAM;;;;;;;;;;;;;;;EAeN,QAAQ,CAAC,CAAC,CAAC,gCAAgC,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;EAmBhD,UAAU;;;;;;;;UAQF,YAAY;;;;;EAKpB,WAAW;;;;;;;;;;;UAWH,SAAS;;;;EAIjB,aAAa;;;;;CAKd,CAAA;AACD,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAW;IACxC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,eAAe,CAAC,CAAA;IAC5D,IAAI,UAAU,CAAC,YAAY,CAAC;QAAE,OAAM;IACpC,SAAS,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACrD,MAAM,QAAQ,GAAG;QACf,MAAM,EAAE,QAAQ;QAChB,aAAa,EAAE,uBAAuB;QACtC,WAAW,EAAE,qBAAqB;QAClC,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,KAAK;KACzB,CAAA;IACD,aAAa,CAAC,YAAY,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAA;AAC/E,CAAC;AAED,SAAS,yBAAyB,CAAC,GAAW,EAAE,MAA6B;IAC3E,SAAS,CAAC,iCAAiC,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;AAChF,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,GAAW,EACX,MAA6B,EAC7B,OAAgC;IAEhC,MAAM,KAAK,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAA;IACvC,SAAS,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACzC,yBAAyB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IACtC,qBAAqB,CAAC,GAAG,CAAC,CAAA;IAC1B,aAAa,CAAC,KAAK,CAAC,WAAW,EAAE,qBAAqB,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,CAAA;IACrF,MAAM,aAAa,GAAG,OAAO,EAAE,QAAQ,KAAK,IAAI,IAAI,iBAAiB,CAAC,MAAM,CAAC,CAAA;IAC7E,aAAa,CACX,KAAK,CAAC,QAAQ,EACd,oBAAoB,CAAC;QACnB,cAAc,EAAE,IAAI;QACpB,GAAG,CAAC,aAAa,IAAI;YACnB,gBAAgB,EAAE,uBAAuB;YACzC,eAAe,EAAE,KAAK;SACvB,CAAC;KACH,CAAC,EACF,MAAM,CACP,CAAA;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAOD,MAAM,UAAU,gBAAgB,CAC9B,WAAmB,EACnB,IAAc,EACd,cAAsB,OAAO,CAAC,GAAG,EAAE,EACnC,cAAuB,EACvB,OAAiC;IAEjC,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAA;IAC5C,MAAM,WAAW,GAAG,CAAC,SAAS,CAAC,CAAA;IAC/B,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,WAAW,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;IACzC,CAAC;IACD,4EAA4E;IAC5E,uEAAuE;IACvE,gEAAgE;IAChE,IAAI,cAAc;QAAE,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAA;IAC1D,uFAAuF;IACvF,WAAW,CAAC,IAAI,CAAC,qBAAqB,EAAE,WAAW,CAAC,CAAA;IACpD,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;IACnC,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,WAAW,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;IACzC,CAAC;IACD,WAAW,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAA;IACzB,MAAM,GAAG,GAAsB,OAAO,EAAE,KAAK;QAC3C,CAAC,CAAC,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,gBAAgB,EAAE,OAAO,EAAE;QAC/C,CAAC,CAAC,OAAO,CAAC,GAAG,CAAA;IACf,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAA;IAC5F,OAAO,MAAM,CAAC,MAAM,IAAI,CAAC,CAAA;AAC3B,CAAC;AAED,uFAAuF;AACvF,MAAM,UAAU,kBAAkB,CAAC,WAAmB;IACpD,MAAM,IAAI,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAA;IAC5F,OAAO,YAAY,IAAI,IAAI,SAAS,EAAE,CAAA;AACxC,CAAC"}
+{"version":3,"file":"self-host-compose.js","sourceRoot":"","sources":["../src/self-host-compose.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAA;AAC5E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AAC5D,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAA;AAC9C,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAA8B,MAAM,qBAAqB,CAAA;AACvH,OAAO,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,aAAa,EAAE,kBAAkB,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAA;AAC9H,OAAO,EAAE,oBAAoB,EAAE,MAAM,kBAAkB,CAAA;AAEvD,yEAAyE;AACzE,MAAM,CAAC,MAAM,6BAA6B,GAAG;IAC3C,uBAAuB;IACvB,uBAAuB;IACvB,yBAAyB;CACjB,CAAA;AAEV,wEAAwE;AACxE,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,GAAG,6BAA6B;IAChC,8BAA8B;IAC9B,qBAAqB;IACrB,uBAAuB;IACvB,wBAAwB;IACxB,iCAAiC;CACzB,CAAA;AAIV,gEAAgE;AAChE,MAAM,UAAU,cAAc,CAC5B,SAA6B,EAC7B,OAAe,EACf,MAA8B;IAE9B,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAA;IAC9B,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,QAAQ;YACX,OAAO,0BAA0B,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,EAAE,EAAE,CAAA;QACtF,KAAK,QAAQ;YACX,OAAO,mBAAmB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,OAAO,EAAE,EAAE,CAAA;QAC/E,KAAK,UAAU,CAAC,CAAC,CAAC;YAChB,MAAM,QAAQ,GAAG,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,CAAA;YAChD,IAAI,QAAQ;gBAAE,OAAO,QAAQ,CAAA;YAC7B,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAAE,OAAO,qBAAqB,OAAO,EAAE,CAAA;YACtE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;YACnC,OAAO,qBAAqB,KAAK,SAAS,CAAA;QAC5C,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAA6B;IACjE,MAAM,GAAG,GAA2B,EAAE,CAAA;IACtC,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAA;IAChC,IAAI,CAAC,QAAQ;QAAE,OAAO,GAAG,CAAA;IAEzB,IAAI,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC7D,GAAG,CAAC,qBAAqB,GAAG,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAA;IACvE,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,iBAAiB,EAAE,CAAC;QAC7D,GAAG,CAAC,qBAAqB,GAAG,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAA;IACvE,CAAC;IACD,IAAI,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,KAAK,iBAAiB,EAAE,CAAC;QACjE,GAAG,CAAC,uBAAuB,GAAG,cAAc,CAAC,UAAU,EAAE,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;IACrF,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,8FAA8F;AAC9F,MAAM,UAAU,0BAA0B,CAAC,GAAW;IACpD,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAA;IAC1B,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAA;IACzB,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAA;IAC1F,IAAI,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAA;IACjC,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IACxC,IAAI,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAA;IACzC,OAAO,KAAK,CAAA;AACd,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAA6B;IAC/D,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAA;IAChC,IAAI,CAAC,QAAQ;QAAE,OAAO,KAAK,CAAA;IAC3B,OAAO,CACL,QAAQ,CAAC,MAAM,KAAK,iBAAiB;QACrC,QAAQ,CAAC,MAAM,KAAK,iBAAiB;QACrC,QAAQ,CAAC,QAAQ,KAAK,iBAAiB;QACvC,QAAQ,CAAC,IAAI,KAAK,iBAAiB,CACpC,CAAA;AACH,CAAC;AAED,SAAS,yBAAyB,CAAC,GAAW;IAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IACpC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,EAAE,CAAA;IACnC,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAC1C,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,KAAK,MAAM,GAAG,IAAI,sBAAsB,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,IAAI,GAAG,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAA;QAC1D,IAAI,KAAK,EAAE,CAAC,CAAC,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAA;IAC9C,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,8BAA8B,CAC5C,MAA6B,EAC7B,MAAc,OAAO,CAAC,GAAG,EAAE;IAE3B,IAAI,mBAAmB,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAA;IAC5C,OAAO,yBAAyB,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,0BAA0B,CAAC,GAAG,CAAC,CAAC,CAAA;AACvF,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,MAA6B;IAE7B,MAAM,MAAM,GAAG,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;IAC9C,IAAI,MAAM,KAAK,iBAAiB;QAAE,OAAO,SAAS,CAAA;IAClD,IAAI,MAAM;QAAE,OAAO,cAAc,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;IACnD,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,QAAQ,CAAC,CAAA;IAClD,OAAO,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;AAC1C,CAAC;AASD,MAAM,UAAU,oBAAoB,CAAC,GAAW;IAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,WAAW,EAAE,WAAW,CAAC,CAAA;IAClD,OAAO;QACL,GAAG;QACH,WAAW,EAAE,IAAI,CAAC,GAAG,EAAE,oBAAoB,CAAC;QAC5C,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC;QAC/B,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC;KACnC,CAAA;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,MAA6B;IACjE,IAAI,MAAM,CAAC,GAAG,CAAC,IAAI,KAAK,OAAO;QAAE,OAAO,SAAS,CAAA;IACjD,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAA;IAC5C,OAAO,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAA;AAC/D,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAA6B;IAC/D,IAAI,MAAM,CAAC,GAAG,CAAC,IAAI,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAA;IAClD,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,UAAU,EAAE,IAAI,EAAE,CAAA;IACzC,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU,CAAA;AACjD,CAAC;AAED;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,yFAAyF;AACzF,SAAS,uBAAuB,CAAC,GAAW,EAAE,MAAc;IAC1D,IAAI,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;IACrE,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACjD,GAAG,GAAG,KAAK,GAAG,EAAE,CAAA;IAClB,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,OAAO,8BAA8B,CAAA;AACvC,CAAC;AAED,oEAAoE;AACpE,MAAM,CAAC,MAAM,uBAAuB,GAAG,kCAAkC,CAAA;AAEzE,wFAAwF;AACxF,SAAS,kBAAkB;IACzB,OAAO,8DAA8D,CAAA;AACvE,CAAC;AAED,qFAAqF;AACrF,SAAS,uBAAuB,CAAC,QAAgB,EAAE,QAAiB;IAClE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAA;IAC/B,IAAI,CAAC,QAAQ;QAAE,OAAO,OAAO,CAAA;IAC7B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAA;QAC5B,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACjE,GAAG,CAAC,QAAQ,GAAG,sBAAsB,CAAA;YACrC,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAA;QACvB,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uCAAuC;IACzC,CAAC;IACD,OAAO,OAAO,CAAA;AAChB,CAAC;AAED,SAAS,sBAAsB,CAAC,MAA6B,EAAE,QAAiB;IAC9E,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,MAAM,CAAA;IACtC,MAAM,KAAK,GAAG,CAAC,4BAA4B,IAAI,EAAE,CAAC,CAAA;IAClD,IAAI,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtB,MAAM,GAAG,GAAG,mBAAmB,CAAC,MAAM,CAAC,IAAI,UAAU,CAAA;QACrD,KAAK,CAAC,IAAI,CAAC,2CAA2C,GAAG,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,EAAE,CAAC,CAAA;IACnF,CAAC;SAAM,IAAI,IAAI,KAAK,OAAO,IAAI,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,CAAC;QAC3D,KAAK,CAAC,IAAI,CAAC,gCAAgC,uBAAuB,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAA;IACtG,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AACzB,CAAC;AAOD,MAAM,UAAU,qBAAqB,CACnC,MAA6B,EAC7B,MAAc,OAAO,CAAC,GAAG,EAAE,EAC3B,OAAgC;IAEhC,MAAM,YAAY,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAA;IAC1C,MAAM,SAAS,GAAG,aAAa,CAAC,GAAG,CAAC,CAAA;IACpC,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,KAAK,IAAI,CAAA;IAC3C,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;IACvD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;IACjD,+FAA+F;IAC/F,MAAM,mBAAmB,GAAG,UAAU,CAAC,CAAC,CAAC,WAAW,MAAM,EAAE,CAAC,CAAC,CAAC,wBAAwB,CAAA;IACvF,MAAM,eAAe,GAAG,UAAU,CAAC,CAAC,CAAC,WAAW,MAAM,EAAE,CAAC,CAAC,CAAC,uBAAuB,CAAA;IAClF,MAAM,aAAa,GAAG,QAAQ,IAAI,iBAAiB,CAAC,MAAM,CAAC,CAAA;IAC3D,MAAM,MAAM,GAAG,sBAAsB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;IACvD,MAAM,SAAS,GAAG,mBAAmB,CAAC,MAAM,CAAC,IAAI,QAAQ,CAAA;IACzD,MAAM,cAAc,GAAG,kBAAkB,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;IAC9D,MAAM,aAAa,GAAG,kBAAkB,EAAE,CAAA;IAC1C,MAAM,WAAW,GAAG,aAAa;QAC/B,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC;;EAEJ,aAAa;;2DAE4C,mBAAmB;;;CAG7E,CAAA;IACC,MAAM,aAAa,GAAG,aAAa;QACjC,CAAC,CAAC;sBACgB;QAClB,CAAC,CAAC;;sBAEgB,CAAA;IACpB,MAAM,eAAe,GAAG,CAAC,QAAQ,IAAI,iBAAiB,CAAC,MAAM,CAAC,CAAA;IAC9D,MAAM,OAAO,GAAG,eAAe;QAC7B,CAAC,CAAC,QAAQ;YACR,CAAC,CAAC;;CAEP;YACK,CAAC,CAAC;;CAEP;QACG,CAAC,CAAC,EAAE,CAAA;IACN,MAAM,WAAW,GAAG,QAAQ;QAC1B,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC;;CAEL,CAAA;IACC,MAAM,UAAU,GAAG,QAAQ;QACzB,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC;;;CAGL,CAAA;IACC,MAAM,UAAU,GAAG,UAAU;QAC3B,CAAC,CAAC;;CAEL;QACG,CAAC,CAAC,EAAE,CAAA;IACN,MAAM,SAAS,GAAG,UAAU;QAC1B,CAAC,CAAC;mBACa;QACf,CAAC,CAAC,8CAA8C,CAAA;IAClD,MAAM,gBAAgB,GAAG,UAAU,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,EAAE,CAAA;IAC7D,MAAM,WAAW,GAAG,UAAU;QAC5B,CAAC,CAAC;;;;;;;;CAQL;QACG,CAAC,CAAC,EAAE,CAAA;IACN,MAAM,cAAc,GAAG,UAAU;QAC/B,CAAC,CAAC,EAAE;QACJ,CAAC,CAAC;;;CAGL,CAAA;IACC,MAAM,YAAY,GAAG,UAAU;QAC7B,CAAC,CAAC;;;;CAIL;QACG,CAAC,CAAC;;;CAGL,CAAA;IAEC,OAAO;;;;;;;;;EASP,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;UA6CC,YAAY;;;;;2CAKqB,mBAAmB;;;;;oDAKV,mBAAmB;;;;;;;;;;UAU7D,YAAY;;;;8BAIQ,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;;;;uCAI1B,SAAS,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;;8BAEvC,cAAc;;;;;;;;EAQ1C,WAAW;UACH,YAAY;;;uBAGC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,YAAY;;;;;;;2CAOX,mBAAmB;;;;;;;EAO5D,MAAM;;;+CAGuC,mBAAmB;sDACZ,mBAAmB;;;sCAGnC,eAAe;;;;;;;;EAQnD,QAAQ,CAAC,CAAC,CAAC,gCAAgC,CAAC,CAAC,CAAC,EAAE;;;;;;;;;;;;;;;;;;;EAmBhD,UAAU;;;;;;;;UAQF,YAAY;;;;;EAKpB,WAAW,GAAG,WAAW,GAAG,cAAc;;;;;;;;;EAS1C,UAAU;UACF,SAAS;;EAEjB,SAAS;;EAET,aAAa,GAAG,gBAAgB;;EAEhC,YAAY,EAAE,CAAA;AAChB,CAAC;AAED,SAAS,qBAAqB,CAAC,GAAW;IACxC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,eAAe,CAAC,CAAA;IAC5D,IAAI,UAAU,CAAC,YAAY,CAAC;QAAE,OAAM;IACpC,SAAS,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACrD,MAAM,QAAQ,GAAG;QACf,MAAM,EAAE,QAAQ;QAChB,aAAa,EAAE,uBAAuB;QACtC,WAAW,EAAE,qBAAqB;QAClC,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,KAAK;KACzB,CAAA;IACD,aAAa,CAAC,YAAY,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,CAAA;AAC/E,CAAC;AAED,SAAS,yBAAyB,CAAC,GAAW,EAAE,MAA6B;IAC3E,SAAS,CAAC,iCAAiC,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;AAChF,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,GAAW,EACX,MAA6B,EAC7B,OAAgC;IAEhC,MAAM,KAAK,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAA;IACvC,SAAS,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACzC,yBAAyB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;IACtC,qBAAqB,CAAC,GAAG,CAAC,CAAA;IAC1B,aAAa,CAAC,KAAK,CAAC,WAAW,EAAE,qBAAqB,CAAC,MAAM,EAAE,GAAG,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,CAAA;IACrF,MAAM,aAAa,GAAG,OAAO,EAAE,QAAQ,KAAK,IAAI,IAAI,iBAAiB,CAAC,MAAM,CAAC,CAAA;IAC7E,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,KAAK,IAAI,CAAC,CAAA;IACzE,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,CAAA;IAC3C,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,CAAA;IAClD,aAAa,CACX,KAAK,CAAC,QAAQ,EACd,oBAAoB,CAAC;QACnB,cAAc,EAAE,IAAI;QACpB,GAAG,CAAC,aAAa,IAAI;YACnB,gBAAgB,EAAE,uBAAuB;YACzC,eAAe,EAAE,KAAK;SACvB,CAAC;QACF,GAAG,CAAC,UAAU,IAAI,MAAM,IAAI,SAAS;YACnC,CAAC,CAAC,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,EAAE;YAC7D,CAAC,CAAC,EAAE,CAAC;KACR,CAAC,EACF,MAAM,CACP,CAAA;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAOD,MAAM,UAAU,gBAAgB,CAC9B,WAAmB,EACnB,IAAc,EACd,cAAsB,OAAO,CAAC,GAAG,EAAE,EACnC,cAAuB,EACvB,OAAiC;IAEjC,MAAM,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,MAAM,CAAC,CAAA;IAC5C,MAAM,WAAW,GAAG,CAAC,SAAS,CAAC,CAAA;IAC/B,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;QACnB,WAAW,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;IACzC,CAAC;IACD,4EAA4E;IAC5E,uEAAuE;IACvE,gEAAgE;IAChE,IAAI,cAAc;QAAE,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,cAAc,CAAC,CAAA;IAC1D,uFAAuF;IACvF,WAAW,CAAC,IAAI,CAAC,qBAAqB,EAAE,WAAW,CAAC,CAAA;IACpD,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAA;IACnC,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,WAAW,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAA;IACzC,CAAC;IACD,WAAW,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAA;IACzB,MAAM,GAAG,GAAsB,OAAO,EAAE,KAAK;QAC3C,CAAC,CAAC,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,gBAAgB,EAAE,OAAO,EAAE;QAC/C,CAAC,CAAC,OAAO,CAAC,GAAG,CAAA;IACf,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,EAAE,WAAW,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,CAAA;IAC5F,OAAO,MAAM,CAAC,MAAM,IAAI,CAAC,CAAA;AAC3B,CAAC;AAED,uFAAuF;AACvF,MAAM,UAAU,kBAAkB,CAAC,WAAmB;IACpD,MAAM,IAAI,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,eAAe,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAA;IAC5F,OAAO,YAAY,IAAI,IAAI,SAAS,EAAE,CAAA;AACxC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@supatype/cli",
-  "version": "0.1.0-alpha.12",
+  "version": "0.1.0-alpha.14",
   "description": "Supatype CLI — schema push, introspect, generate",
   "type": "module",
   "bin": {
@@ -19,6 +19,7 @@
     }
   },
   "dependencies": {
+    "@clack/prompts": "^1.6.0",
     "commander": "^12.1.0",
     "pg": "^8.13.0",
     "ts-morph": "^28.0.0",

package/src/app-config.ts

@@ -55,6 +55,86 @@ function updateAppConfigAst(configPath: string, input: UpdateAppConfigInput): st
   return sourceFile.getFullText()
 }
 
+export interface UpdateServerConfigInput {
+  domain: string
+  tlsEmail: string
+  provider?: "kong" | "none"
+}
+
+/**
+ * Set `server.mode = "standalone"` plus `domain` and `tls` in supatype.config.ts,
+ * enabling self-host HTTPS. Preserves other `server` keys (port, etc).
+ */
+export function updateServerConfigInProject(cwd: string, input: UpdateServerConfigInput): string {
+  const configPath = resolve(cwd, "supatype.config.ts")
+  if (!existsSync(configPath)) {
+    throw new Error("supatype.config.ts not found. Run: supatype init")
+  }
+  const next = updateServerConfigAst(configPath, input)
+  writeFileSync(configPath, next, "utf8")
+  return configPath
+}
+
+function updateServerConfigAst(configPath: string, input: UpdateServerConfigInput): string {
+  const project = new Project({
+    useInMemoryFileSystem: false,
+    skipAddingFilesFromTsConfig: true,
+    manipulationSettings: {
+      quoteKind: QuoteKind.Double,
+    },
+  })
+  const srcText = readFileSync(configPath, "utf8")
+  const sourceFile = project.createSourceFile(configPath, srcText, { overwrite: true })
+  const rootObject = getRootConfigObject(sourceFile)
+
+  const serverProperty = rootObject.getProperty("server")
+
+  if (serverProperty === undefined) {
+    rootObject.addPropertyAssignment({
+      name: "server",
+      initializer: renderServerInitializer(input),
+    })
+  } else if (Node.isPropertyAssignment(serverProperty)) {
+    const init = serverProperty.getInitializer()
+    if (init && Node.isObjectLiteralExpression(init)) {
+      patchServerObject(init, input)
+    } else {
+      serverProperty.setInitializer(renderServerInitializer(input))
+    }
+  } else {
+    serverProperty.remove()
+    rootObject.addPropertyAssignment({
+      name: "server",
+      initializer: renderServerInitializer(input),
+    })
+  }
+
+  return sourceFile.getFullText()
+}
+
+function renderServerInitializer(input: UpdateServerConfigInput): string {
+  const provider = input.provider ?? "kong"
+  return `{
+    mode: "standalone",
+    domain: "${input.domain}",
+    tls: { email: "${input.tlsEmail}", provider: "${provider}" },
+  }`
+}
+
+function patchServerObject(serverObj: ObjectLiteralExpression, input: UpdateServerConfigInput): void {
+  upsertStringProperty(serverObj, "mode", "standalone")
+  upsertStringProperty(serverObj, "domain", input.domain)
+  const provider = input.provider ?? "kong"
+  const tlsInitializer = `{ email: "${input.tlsEmail}", provider: "${provider}" }`
+  const existing = serverObj.getProperty("tls")
+  if (existing && Node.isPropertyAssignment(existing)) {
+    existing.setInitializer(tlsInitializer)
+  } else {
+    if (existing) existing.remove()
+    serverObj.addPropertyAssignment({ name: "tls", initializer: tlsInitializer })
+  }
+}
+
 function getRootConfigObject(sourceFile: SourceFile): ObjectLiteralExpression {
   const exportAssignment = sourceFile.getFirstDescendantByKind(SyntaxKind.ExportAssignment)
   if (!exportAssignment) {

package/src/binary-cache.ts

@@ -7,10 +7,13 @@
  *
  * Security model:
  *   1. Download checksums.sha256 + checksums.sha256.minisig from CDN.
- *   2. Verify Ed25519 minisign signature on the checksum file using the
- *      embedded public key (SUPATYPE_RELEASE_PUBLIC_KEY).
+ *   2. Verify the Ed25519 minisign signature on the checksum file using the
+ *      release public key (embedded at publish, overridable via
+ *      SUPATYPE_RELEASE_PUBLIC_KEY).
  *   3. Verify SHA256 of the downloaded binary against the signed checksum.
- *   Both checks are mandatory when SUPATYPE_RELEASE_PUBLIC_KEY is set.
+ *   Verification is mandatory and fails closed: if no public key is configured,
+ *   the download errors out rather than silently degrading to SHA256-only.
+ *   The only escape hatch is the explicit SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS=1.
  */
 
 import { createHash, createPublicKey, verify as cryptoVerify } from "node:crypto"
@@ -23,6 +26,7 @@ import {
   openSync,
   readFileSync,
   readSync,
+  rmdirSync,
   statSync,
   unlinkSync,
   writeFileSync,
@@ -135,17 +139,6 @@ export function postgresArchiveTag(version: string): string {
   return version.split(".")[0]!
 }
 
-/**
- * Supatype release signing public key (minisign format).
- * Generated with: minisign -G
- * Rotate by: generating a new pair, updating this constant, and updating
- * the MINISIGN_PRIVATE_KEY GitHub Actions secret.
- *
- * ⚠ PLACEHOLDER — replace with actual public key before first release.
- * When empty, minisign verification is skipped with a warning (SHA256 only).
- */
-const SUPATYPE_RELEASE_PUBLIC_KEY = ""
-
 // CDN path templates per component.
 const CDN_PATHS: Record<Component, (version: string, platform: PlatformId) => string> = {
   engine:   (v, p) => `/engine/v${v}/supatype-engine-${p.os}-${p.arch}${p.os === "windows" ? ".exe" : ""}`,
@@ -340,14 +333,14 @@ export async function download(
 
   console.log(`[supatype] Downloading ${component} v${version} (${platform.os}/${platform.arch})...`)
 
-  // ── Fetch checksums + optional minisig ────────────────────────────────────
-  const expectedChecksum = await withRetry(() =>
-    fetchChecksums(checksumsUrl, minisigUrl, name),
-  )
-
-  // ── Stream-download binary with progress ─────────────────────────────────
   const tmpPath = destPath + ".tmp"
   try {
+    // ── Fetch checksums + optional minisig (retried on transient failures) ───
+    const expectedChecksum = await withRetry(() =>
+      fetchChecksums(checksumsUrl, minisigUrl, name),
+    )
+
+    // ── Stream-download binary with progress (retried on transient failures) ─
     await withRetry(() => streamToFileWithProgress(binaryUrl, tmpPath))
 
     // ── Verify SHA256 ────────────────────────────────────────────────────────
@@ -359,9 +352,17 @@ export async function download(
     if (process.platform !== "win32" && EXECUTABLE_COMPONENTS.has(component)) {
       await chmod(destPath, 0o755)
     }
+  } catch (err) {
+    // Never leave a partial binary or an empty version directory behind: a stale
+    // empty dir makes the next resolve look fine while silently lacking a binary.
+    try { if (existsSync(destPath)) unlinkSync(destPath) } catch { /* ignore */ }
+    try { rmdirSync(dir) } catch { /* dir not empty or already removed */ }
+    throw new Error(
+      `Failed to download ${component} v${version} from ${CDN_BASE}: ${(err as Error).message}`,
+    )
   } finally {
     if (existsSync(tmpPath)) {
-      try { require("node:fs").unlinkSync(tmpPath) } catch { /* ignore */ }
+      try { unlinkSync(tmpPath) } catch { /* ignore */ }
     }
   }
 
@@ -384,24 +385,36 @@ async function fetchChecksums(
   const checksumsText = await csResp.text()
 
   const pubKey = releasePublicKey()
-  if (pubKey) {
-    // Minisign signature is required when a public key is embedded.
-    const sigResp = await fetch(minisigUrl)
-    if (!sigResp.ok) {
-      throw new Error(
-        `Failed to fetch checksum signature from ${minisigUrl}: HTTP ${sigResp.status}\n` +
-          "Cannot verify release integrity. Aborting download.",
+  if (!pubKey) {
+    // Fail closed: a missing public key means we cannot verify authenticity, only
+    // integrity (SHA256). Published builds always embed the key, so this only
+    // happens in source/contributor builds — never silently downgrade.
+    if (process.env["SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS"] === "1") {
+      console.warn(
+        "[supatype] \u26a0  SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS=1 — no minisign public " +
+          "key configured; verifying SHA256 only (authenticity NOT checked).",
       )
+      return extractChecksum(checksumsText, binaryFilename)
     }
-    const sigText = await sigResp.text()
-    verifyMinisign(Buffer.from(checksumsText, "utf8"), sigText, pubKey)
-  } else {
-    console.warn(
-      "[supatype] \u26a0  Minisign public key not configured — " +
-        "skipping signature verification (SHA256 only).",
+    throw new Error(
+      "No minisign public key configured — cannot verify release authenticity.\n" +
+        "Published @supatype/cli builds embed the key automatically; if you are building " +
+        "from source, set SUPATYPE_RELEASE_PUBLIC_KEY to the release public key, or set " +
+        "SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS=1 to download with SHA256-only verification (unsafe).",
     )
   }
 
+  // Minisign signature is mandatory when a public key is configured.
+  const sigResp = await fetch(minisigUrl)
+  if (!sigResp.ok) {
+    throw new Error(
+      `Failed to fetch checksum signature from ${minisigUrl}: HTTP ${sigResp.status}\n` +
+        "Cannot verify release integrity. Aborting download.",
+    )
+  }
+  const sigText = await sigResp.text()
+  verifyMinisign(Buffer.from(checksumsText, "utf8"), sigText, pubKey)
+
   return extractChecksum(checksumsText, binaryFilename)
 }
 
@@ -425,10 +438,10 @@ async function fetchChecksums(
 const ED25519_SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex")
 
 /**
- * Verify a minisign signature (Ed25519 legacy mode, algorithm bytes "Ed").
- * Throws if verification fails.
+ * Verify a minisign signature. Supports both Ed25519 legacy mode ("Ed", over the
+ * raw file) and prehashed mode ("ED", over BLAKE2b-512(file)). Throws if invalid.
  */
-function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: string): void {
+export function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: string): void {
   // Parse public key: [2 algo][8 keyId][32 ed25519 key]
   const pkLines = pubKeyStr.trim().split("\n")
   const pkBytes = Buffer.from(pkLines[pkLines.length - 1]!.trim(), "base64")
@@ -450,14 +463,17 @@ function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: st
   const sigKeyId = sigBytes.subarray(2, 10)
   const signature = sigBytes.subarray(10, 74)
 
-  // Only Ed25519 legacy mode ("Ed" = 0x45, 0x64) is supported.
-  // Hashed mode ("ED") requires BLAKE2b prehashing — not implemented.
-  if (algo[0] !== 0x45 || algo[1] !== 0x64) {
+  // Both Ed25519 modes are supported:
+  //   "Ed" (0x45, 0x64) — legacy: signature is over the raw file bytes.
+  //   "ED" (0x45, 0x44) — prehashed: signature is over BLAKE2b-512(file).
+  // Modern minisign (and our release pipeline) default to prehashed mode.
+  if (algo[0] !== 0x45 || (algo[1] !== 0x64 && algo[1] !== 0x44)) {
     throw new Error(
-      "Unsupported minisign algorithm — only Ed25519 legacy mode supported.\n" +
+      "Unsupported minisign algorithm — expected Ed25519 ('Ed' legacy or 'ED' prehashed).\n" +
         `Got: 0x${algo[0]?.toString(16)}${algo[1]?.toString(16)}`,
     )
   }
+  const prehashed = algo[1] === 0x44
 
   if (!sigKeyId.equals(pkKeyId)) {
     throw new Error(
@@ -469,7 +485,13 @@ function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: st
   const spkiDer = Buffer.concat([ED25519_SPKI_PREFIX, pkEd25519])
   const keyObject = createPublicKey({ key: spkiDer, format: "der", type: "spki" })
 
-  const valid = cryptoVerify(null, fileBytes, keyObject, signature)
+  // Pure Ed25519 (PureEdDSA) verifies over the message directly; for prehashed
+  // minisign the "message" is the BLAKE2b-512 digest of the file.
+  const signedData = prehashed
+    ? createHash("blake2b512").update(fileBytes).digest()
+    : fileBytes
+
+  const valid = cryptoVerify(null, signedData, keyObject, signature)
   if (!valid) {
     throw new Error(
       "Minisign signature verification FAILED — the checksum file may have been tampered with.\n" +

package/src/cli.ts

@@ -15,6 +15,7 @@ import { registerMigrate } from "./commands/migrate.js"
 import { registerSeed } from "./commands/seed.js"
 import { registerKeys } from "./commands/keys.js"
 import { registerApp } from "./commands/app.js"
+import { registerAdd } from "./commands/add.js"
 import { registerSelfHost } from "./commands/self-host.js"
 import { registerCloud } from "./commands/cloud.js"
 import { registerEngine } from "./commands/engine.js"
@@ -52,6 +53,7 @@ export function run(): void {
   registerSeed(program)
   registerKeys(program)
   registerApp(program)
+  registerAdd(program)
   registerSelfHost(program)
   registerCloud(program)
   registerEngine(program)

package/src/commands/add.ts

@@ -0,0 +1,94 @@
+import type { Command } from "commander"
+import * as p from "@clack/prompts"
+import { loadConfig } from "../config.js"
+import { selfHostTlsEnabled } from "../project-config.js"
+import { updateServerConfigInProject } from "../app-config.js"
+import { ensureNotCancelled, printLogo } from "../prompts.js"
+
+export function registerAdd(program: Command): void {
+  const addCmd = program
+    .command("add")
+    .description("Add capabilities to an existing project")
+
+  addCmd
+    .command("domain [domain]")
+    .description("Add a custom domain with automatic HTTPS (self-host)")
+    .option("--email <email>", "Email for Let's Encrypt TLS certificates")
+    .action(async (domainArg: string | undefined, opts: { email?: string }) => {
+      await addDomain(domainArg, opts.email)
+    })
+}
+
+async function promptDomain(initial?: string): Promise<string> {
+  const trimmed = initial?.trim()
+  if (trimmed) return trimmed
+  return ensureNotCancelled(
+    await p.text({
+      message: "Please provide domain:",
+      placeholder: "demo.supatype.com",
+      validate: (v) => ((v ?? "").trim().length === 0 ? "Domain is required" : undefined),
+    }),
+  ).trim()
+}
+
+async function promptEmail(initial?: string): Promise<string> {
+  const trimmed = initial?.trim()
+  if (trimmed) return trimmed
+  return ensureNotCancelled(
+    await p.text({
+      message: "Please provide email for TLS",
+      placeholder: "hello@supatype.com",
+      validate: (v) => ((v ?? "").trim().length === 0 ? "Email is required" : undefined),
+    }),
+  ).trim()
+}
+
+async function addDomain(domainArg?: string, emailArg?: string): Promise<void> {
+  const cwd = process.cwd()
+  const interactive = !domainArg?.trim() || !emailArg?.trim()
+
+  if (interactive) {
+    printLogo()
+    p.intro("Add a custom domain")
+  }
+
+  const domain = await promptDomain(domainArg)
+  const email = await promptEmail(emailArg)
+
+  try {
+    const configPath = updateServerConfigInProject(cwd, { domain, tlsEmail: email })
+    if (interactive) {
+      p.outro(`Updated ${configPath}`)
+    } else {
+      console.log(`  updated  ${configPath}`)
+    }
+    printDomainNextSteps(cwd, domain)
+  } catch (err) {
+    console.error((err as Error).message)
+    process.exit(1)
+  }
+}
+
+function printDomainNextSteps(cwd: string, domain: string): void {
+  let tlsActive = true
+  try {
+    tlsActive = selfHostTlsEnabled(loadConfig(cwd))
+  } catch {
+    // config re-load is best-effort for the warning below
+  }
+
+  console.log(`\nDomain set to ${domain} with automatic HTTPS.`)
+  if (!tlsActive) {
+    console.log(
+      "\nNote: a supatype.local.config.ts override (server.mode=dev) is suppressing HTTPS locally.\n" +
+        "That file is gitignored, so HTTPS still activates on your production server.",
+    )
+  }
+  console.log("\nGo live:")
+  console.log(`  1. Point DNS: an A record for ${domain} -> your server's public IP`)
+  console.log("  2. Open ports 80 and 443 on the server firewall")
+  console.log("  3. supatype self-host compose up -d   # Kong provisions HTTPS automatically")
+  console.log(`\nYour Supatype platform goes live at https://${domain}`)
+  console.log("  Your app, REST, Auth, Storage, Realtime, Functions, and Studio — all behind one HTTPS domain.")
+  console.log("  Certificates persist in the valkey-data volume.\n")
+}

package/src/commands/app.ts

@@ -14,7 +14,7 @@ export function registerApp(program: Command): void {
     .description("Configure app routing: --static for a built site, or proxy to a dev server")
     .option("--static", "Serve a static directory at / (default: ./public, or [dir] argument)")
     .option("--port <port>", "Port your app listens on (proxy mode)", "3000")
-    .option("--upstream <url>", "Explicit upstream URL (proxy mode; defaults to localhost:<port>)")
+    .option("--upstream <url>", "URL of your running dev server (proxy mode; defaults to localhost:<port>)")
     .option("--dockerfile <path>", "(deprecated) ignored — use supatype.config.ts")
     .action(
       (
@@ -77,7 +77,7 @@ function addProxyApp(cwd: string, port: string, upstream?: string): void {
   try {
     const configPath = updateAppConfigInProject(cwd, { mode: "proxy", upstream: upstreamUrl })
     console.log(`  updated  ${configPath}`)
-    console.log(`\nApp upstream set to ${upstreamUrl}. The app will be available at ${localKongBaseUrl()}/\n`)
+    console.log(`\nForwarding requests to your dev server at ${upstreamUrl}. The app will be available at ${localKongBaseUrl()}/\n`)
     console.log("Run: supatype self-host compose render")
   } catch (err) {
     console.error((err as Error).message)