@supatype/cli 0.1.0-alpha.9 → 0.1.1

package/src/binary-cache.ts

@@ -7,10 +7,13 @@
  *
  * Security model:
  *   1. Download checksums.sha256 + checksums.sha256.minisig from CDN.
- *   2. Verify Ed25519 minisign signature on the checksum file using the
- *      embedded public key (SUPATYPE_RELEASE_PUBLIC_KEY).
+ *   2. Verify the Ed25519 minisign signature on the checksum file using the
+ *      release public key (embedded at publish, overridable via
+ *      SUPATYPE_RELEASE_PUBLIC_KEY).
  *   3. Verify SHA256 of the downloaded binary against the signed checksum.
- *   Both checks are mandatory when SUPATYPE_RELEASE_PUBLIC_KEY is set.
+ *   Verification is mandatory and fails closed: if no public key is configured,
+ *   the download errors out rather than silently degrading to SHA256-only.
+ *   The only escape hatch is the explicit SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS=1.
  */
 
 import { createHash, createPublicKey, verify as cryptoVerify } from "node:crypto"
@@ -23,6 +26,7 @@ import {
   openSync,
   readFileSync,
   readSync,
+  rmdirSync,
   statSync,
   unlinkSync,
   writeFileSync,
@@ -31,6 +35,7 @@ import { chmod } from "node:fs/promises"
 import { homedir } from "node:os"
 import { basename, join, resolve, isAbsolute } from "node:path"
 import type { SupatypeProjectConfig } from "./project-config.js"
+import { loadProjectLink, migrateLegacyLinkFiles } from "./link.js"
 import { releasePublicKey } from "./release-public-key.js"
 
 /**
@@ -81,12 +86,16 @@ export function describeActiveOverrides(config: SupatypeProjectConfig): string[]
 
 /**
  * True when this working tree is associated with a remote Supatype Cloud project:
- * `project.ref`, `.supatype/cloud.json` (schema deploy link), or `.supatype/linked.json` (functions link).
+ * `project.ref` or `.supatype/link.json` (cloud kind).
  */
 export function isLinkedToCloudProject(cwd: string, config: SupatypeProjectConfig): boolean {
   const ref = config.project.ref
   if (typeof ref === "string" && ref.trim() !== "") return true
 
+  migrateLegacyLinkFiles(cwd)
+  const link = loadProjectLink(cwd)
+  if (link?.kind === "cloud" && link.projectRef.trim() !== "") return true
+
   const linkedPath = join(cwd, ".supatype", "linked.json")
   if (existsSync(linkedPath)) {
     try {
@@ -112,7 +121,7 @@ export function isLinkedToCloudProject(cwd: string, config: SupatypeProjectConfi
 
 export type { Component, ComponentVersions } from "./components.js"
 export { BINARY_COMPONENTS } from "./components.js"
-import { BINARY_COMPONENTS, type Component } from "./components.js"
+import { BINARY_COMPONENTS, type Component, type ComponentVersions } from "./components.js"
 
 export interface PlatformId {
   os: "linux" | "darwin" | "windows"
@@ -130,17 +139,6 @@ export function postgresArchiveTag(version: string): string {
   return version.split(".")[0]!
 }
 
-/**
- * Supatype release signing public key (minisign format).
- * Generated with: minisign -G
- * Rotate by: generating a new pair, updating this constant, and updating
- * the MINISIGN_PRIVATE_KEY GitHub Actions secret.
- *
- * ⚠ PLACEHOLDER — replace with actual public key before first release.
- * When empty, minisign verification is skipped with a warning (SHA256 only).
- */
-const SUPATYPE_RELEASE_PUBLIC_KEY = ""
-
 // CDN path templates per component.
 const CDN_PATHS: Record<Component, (version: string, platform: PlatformId) => string> = {
   engine:   (v, p) => `/engine/v${v}/supatype-engine-${p.os}-${p.arch}${p.os === "windows" ? ".exe" : ""}`,
@@ -226,7 +224,7 @@ export async function resolveBinary(
   }
 
   const overridePath = config.overrides?.[component === "postgres" ? "postgres_dir" : component]
-  const version = versionFor(component, config)
+  const version = await resolveVersionFor(component, config)
 
   if (version === VERSION_PIN_LOCAL && !overridePath) {
     const key = component === "postgres" ? "postgres_dir" : component
@@ -335,14 +333,14 @@ export async function download(
 
   console.log(`[supatype] Downloading ${component} v${version} (${platform.os}/${platform.arch})...`)
 
-  // ── Fetch checksums + optional minisig ────────────────────────────────────
-  const expectedChecksum = await withRetry(() =>
-    fetchChecksums(checksumsUrl, minisigUrl, name),
-  )
-
-  // ── Stream-download binary with progress ─────────────────────────────────
   const tmpPath = destPath + ".tmp"
   try {
+    // ── Fetch checksums + optional minisig (retried on transient failures) ───
+    const expectedChecksum = await withRetry(() =>
+      fetchChecksums(checksumsUrl, minisigUrl, name),
+    )
+
+    // ── Stream-download binary with progress (retried on transient failures) ─
     await withRetry(() => streamToFileWithProgress(binaryUrl, tmpPath))
 
     // ── Verify SHA256 ────────────────────────────────────────────────────────
@@ -354,9 +352,17 @@ export async function download(
     if (process.platform !== "win32" && EXECUTABLE_COMPONENTS.has(component)) {
       await chmod(destPath, 0o755)
     }
+  } catch (err) {
+    // Never leave a partial binary or an empty version directory behind: a stale
+    // empty dir makes the next resolve look fine while silently lacking a binary.
+    try { if (existsSync(destPath)) unlinkSync(destPath) } catch { /* ignore */ }
+    try { rmdirSync(dir) } catch { /* dir not empty or already removed */ }
+    throw new Error(
+      `Failed to download ${component} v${version} from ${CDN_BASE}: ${(err as Error).message}`,
+    )
   } finally {
     if (existsSync(tmpPath)) {
-      try { require("node:fs").unlinkSync(tmpPath) } catch { /* ignore */ }
+      try { unlinkSync(tmpPath) } catch { /* ignore */ }
     }
   }
 
@@ -379,24 +385,36 @@ async function fetchChecksums(
   const checksumsText = await csResp.text()
 
   const pubKey = releasePublicKey()
-  if (pubKey) {
-    // Minisign signature is required when a public key is embedded.
-    const sigResp = await fetch(minisigUrl)
-    if (!sigResp.ok) {
-      throw new Error(
-        `Failed to fetch checksum signature from ${minisigUrl}: HTTP ${sigResp.status}\n` +
-          "Cannot verify release integrity. Aborting download.",
+  if (!pubKey) {
+    // Fail closed: a missing public key means we cannot verify authenticity, only
+    // integrity (SHA256). Published builds always embed the key, so this only
+    // happens in source/contributor builds — never silently downgrade.
+    if (process.env["SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS"] === "1") {
+      console.warn(
+        "[supatype] \u26a0  SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS=1 — no minisign public " +
+          "key configured; verifying SHA256 only (authenticity NOT checked).",
       )
+      return extractChecksum(checksumsText, binaryFilename)
     }
-    const sigText = await sigResp.text()
-    verifyMinisign(Buffer.from(checksumsText, "utf8"), sigText, pubKey)
-  } else {
-    console.warn(
-      "[supatype] \u26a0  Minisign public key not configured — " +
-        "skipping signature verification (SHA256 only).",
+    throw new Error(
+      "No minisign public key configured — cannot verify release authenticity.\n" +
+        "Published @supatype/cli builds embed the key automatically; if you are building " +
+        "from source, set SUPATYPE_RELEASE_PUBLIC_KEY to the release public key, or set " +
+        "SUPATYPE_ALLOW_UNVERIFIED_DOWNLOADS=1 to download with SHA256-only verification (unsafe).",
     )
   }
 
+  // Minisign signature is mandatory when a public key is configured.
+  const sigResp = await fetch(minisigUrl)
+  if (!sigResp.ok) {
+    throw new Error(
+      `Failed to fetch checksum signature from ${minisigUrl}: HTTP ${sigResp.status}\n` +
+        "Cannot verify release integrity. Aborting download.",
+    )
+  }
+  const sigText = await sigResp.text()
+  verifyMinisign(Buffer.from(checksumsText, "utf8"), sigText, pubKey)
+
   return extractChecksum(checksumsText, binaryFilename)
 }
 
@@ -420,10 +438,10 @@ async function fetchChecksums(
 const ED25519_SPKI_PREFIX = Buffer.from("302a300506032b6570032100", "hex")
 
 /**
- * Verify a minisign signature (Ed25519 legacy mode, algorithm bytes "Ed").
- * Throws if verification fails.
+ * Verify a minisign signature. Supports both Ed25519 legacy mode ("Ed", over the
+ * raw file) and prehashed mode ("ED", over BLAKE2b-512(file)). Throws if invalid.
  */
-function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: string): void {
+export function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: string): void {
   // Parse public key: [2 algo][8 keyId][32 ed25519 key]
   const pkLines = pubKeyStr.trim().split("\n")
   const pkBytes = Buffer.from(pkLines[pkLines.length - 1]!.trim(), "base64")
@@ -445,14 +463,17 @@ function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: st
   const sigKeyId = sigBytes.subarray(2, 10)
   const signature = sigBytes.subarray(10, 74)
 
-  // Only Ed25519 legacy mode ("Ed" = 0x45, 0x64) is supported.
-  // Hashed mode ("ED") requires BLAKE2b prehashing — not implemented.
-  if (algo[0] !== 0x45 || algo[1] !== 0x64) {
+  // Both Ed25519 modes are supported:
+  //   "Ed" (0x45, 0x64) — legacy: signature is over the raw file bytes.
+  //   "ED" (0x45, 0x44) — prehashed: signature is over BLAKE2b-512(file).
+  // Modern minisign (and our release pipeline) default to prehashed mode.
+  if (algo[0] !== 0x45 || (algo[1] !== 0x64 && algo[1] !== 0x44)) {
     throw new Error(
-      "Unsupported minisign algorithm — only Ed25519 legacy mode supported.\n" +
+      "Unsupported minisign algorithm — expected Ed25519 ('Ed' legacy or 'ED' prehashed).\n" +
         `Got: 0x${algo[0]?.toString(16)}${algo[1]?.toString(16)}`,
     )
   }
+  const prehashed = algo[1] === 0x44
 
   if (!sigKeyId.equals(pkKeyId)) {
     throw new Error(
@@ -464,7 +485,13 @@ function verifyMinisign(fileBytes: Buffer, sigFileContent: string, pubKeyStr: st
   const spkiDer = Buffer.concat([ED25519_SPKI_PREFIX, pkEd25519])
   const keyObject = createPublicKey({ key: spkiDer, format: "der", type: "spki" })
 
-  const valid = cryptoVerify(null, fileBytes, keyObject, signature)
+  // Pure Ed25519 (PureEdDSA) verifies over the message directly; for prehashed
+  // minisign the "message" is the BLAKE2b-512 digest of the file.
+  const signedData = prehashed
+    ? createHash("blake2b512").update(fileBytes).digest()
+    : fileBytes
+
+  const valid = cryptoVerify(null, signedData, keyObject, signature)
   if (!valid) {
     throw new Error(
       "Minisign signature verification FAILED — the checksum file may have been tampered with.\n" +
@@ -730,10 +757,30 @@ export function normalisePlatformPath(p: string): string {
   return result
 }
 
+export function pinnedVersion(component: Component, config: SupatypeProjectConfig): string | undefined {
+  const version = config.versions?.[component]
+  if (typeof version !== "string") return undefined
+  const trimmed = version.trim()
+  return trimmed === "" ? undefined : trimmed
+}
+
+/** Pinned version from config, or latest from CDN when unset. */
+export async function resolveVersionFor(
+  component: Component,
+  config: SupatypeProjectConfig,
+): Promise<string> {
+  const pinned = pinnedVersion(component, config)
+  if (pinned) return pinned
+  return fetchLatestVersion(component)
+}
+
+/** @deprecated Prefer {@link pinnedVersion} or {@link resolveVersionFor}. */
 export function versionFor(component: Component, config: SupatypeProjectConfig): string {
-  const version = config.versions[component]
-  if (typeof version !== "string" || version.trim() === "") {
-    throw new Error(`[supatype] versions.${component} must be set in supatype.config.ts`)
+  const version = pinnedVersion(component, config)
+  if (!version) {
+    throw new Error(
+      `[supatype] versions.${component} is not pinned in supatype.config.ts (omit versions to use latest)`,
+    )
   }
   return version
 }
@@ -780,7 +827,10 @@ export async function fetchAllLatestVersions(): Promise<Record<Component, string
  * Verify all cached binaries for the current platform (used by integration CI).
  * Throws if any cached component is missing or fails format checks.
  */
-export function verifyCachedBinaries(versions: SupatypeProjectConfig["versions"]): void {
+export function verifyCachedBinaries(versions: Partial<ComponentVersions> | undefined): void {
+  if (!versions) {
+    throw new Error("[supatype] verifyCachedBinaries requires pinned versions")
+  }
   const platform = currentPlatform()
   for (const component of BINARY_COMPONENTS) {
     const version = versions[component]
@@ -798,15 +848,15 @@ export function verifyCachedBinaries(versions: SupatypeProjectConfig["versions"]
 }
 
 export async function downloadAll(
-  versions: SupatypeProjectConfig["versions"],
+  versions: Partial<ComponentVersions> | undefined,
   graceful = false,
 ): Promise<void> {
   const platform = currentPlatform()
   const components: Component[] = [...BINARY_COMPONENTS]
-  const fakeConfig = { versions } as SupatypeProjectConfig
+  const latest = await fetchAllLatestVersions()
 
   for (const component of components) {
-    const version = versionFor(component, fakeConfig)
+    const version = versions?.[component] ?? latest[component]
     if (version === VERSION_PIN_LOCAL) continue
     try {
       await download(component, version, platform)

package/src/cli.ts

@@ -7,11 +7,15 @@ import { registerPg } from "./commands/pg.js"
 import { registerPush } from "./commands/push.js"
 import { registerDiff } from "./commands/diff.js"
 import { registerPull } from "./commands/pull.js"
+import { registerDoctor } from "./commands/doctor.js"
+import { registerIntrospect } from "./commands/introspect.js"
+import { registerAdopt } from "./commands/adopt.js"
 import { registerGenerate } from "./commands/generate.js"
 import { registerMigrate } from "./commands/migrate.js"
 import { registerSeed } from "./commands/seed.js"
 import { registerKeys } from "./commands/keys.js"
 import { registerApp } from "./commands/app.js"
+import { registerAdd } from "./commands/add.js"
 import { registerSelfHost } from "./commands/self-host.js"
 import { registerCloud } from "./commands/cloud.js"
 import { registerEngine } from "./commands/engine.js"
@@ -25,8 +29,9 @@ import { registerPlugins } from "./commands/plugins.js"
 import { registerTypes } from "./commands/types.js"
 import { registerMigrateFromV1 } from "./commands/migrate-from-v1.js"
 import { registerSelfUpdate } from "./commands/self-update.js"
+import { reportCliFatal } from "./ui/fatal.js"
 
-export function run(): void {
+export async function run(): Promise<void> {
   const program = new Command()
     .name("supatype")
     .description("Supatype — schema-first Postgres API")
@@ -41,11 +46,15 @@ export function run(): void {
   registerPush(program)
   registerDiff(program)
   registerPull(program)
+  registerDoctor(program)
+  registerIntrospect(program)
+  registerAdopt(program)
   registerGenerate(program)
   registerMigrate(program)
   registerSeed(program)
   registerKeys(program)
   registerApp(program)
+  registerAdd(program)
   registerSelfHost(program)
   registerCloud(program)
   registerEngine(program)
@@ -59,5 +68,10 @@ export function run(): void {
   registerTypes(program)
   registerMigrateFromV1(program)
 
-  program.parse()
+  try {
+    await program.parseAsync(process.argv)
+  } catch (err) {
+    reportCliFatal(err)
+    process.exit(1)
+  }
 }

package/src/commands/add.ts

@@ -0,0 +1,97 @@
+import type { Command } from "commander"
+import * as p from "@clack/prompts"
+import { loadConfig } from "../config.js"
+import { selfHostTlsEnabled } from "../project-config.js"
+import { updateServerConfigInProject } from "../app-config.js"
+import { ensureNotCancelled, printLogo } from "../ui/prompts.js"
+import { file, error, info, plain } from "../ui/messages.js"
+import { nextSteps } from "../ui/next-steps.js"
+
+export function registerAdd(program: Command): void {
+  const addCmd = program
+    .command("add")
+    .description("Add capabilities to an existing project")
+
+  addCmd
+    .command("domain [domain]")
+    .description("Add a custom domain with automatic HTTPS (self-host)")
+    .option("--email <email>", "Email for Let's Encrypt TLS certificates")
+    .action(async (domainArg: string | undefined, opts: { email?: string }) => {
+      await addDomain(domainArg, opts.email)
+    })
+}
+
+async function promptDomain(initial?: string): Promise<string> {
+  const trimmed = initial?.trim()
+  if (trimmed) return trimmed
+  return ensureNotCancelled(
+    await p.text({
+      message: "Please provide domain:",
+      placeholder: "demo.supatype.com",
+      validate: (v) => ((v ?? "").trim().length === 0 ? "Domain is required" : undefined),
+    }),
+  ).trim()
+}
+
+async function promptEmail(initial?: string): Promise<string> {
+  const trimmed = initial?.trim()
+  if (trimmed) return trimmed
+  return ensureNotCancelled(
+    await p.text({
+      message: "Please provide email for TLS",
+      placeholder: "hello@supatype.com",
+      validate: (v) => ((v ?? "").trim().length === 0 ? "Email is required" : undefined),
+    }),
+  ).trim()
+}
+
+async function addDomain(domainArg?: string, emailArg?: string): Promise<void> {
+  const cwd = process.cwd()
+  const interactive = !domainArg?.trim() || !emailArg?.trim()
+
+  if (interactive) {
+    printLogo()
+    p.intro("Add a custom domain")
+  }
+
+  const domain = await promptDomain(domainArg)
+  const email = await promptEmail(emailArg)
+
+  try {
+    const configPath = updateServerConfigInProject(cwd, { domain, tlsEmail: email })
+    if (interactive) {
+      p.outro(`Updated ${configPath}`)
+    } else {
+      file("updated", configPath)
+    }
+    printDomainNextSteps(cwd, domain)
+  } catch (err) {
+    error((err as Error).message)
+    process.exit(1)
+  }
+}
+
+function printDomainNextSteps(cwd: string, domain: string): void {
+  let tlsActive = true
+  try {
+    tlsActive = selfHostTlsEnabled(loadConfig(cwd))
+  } catch {
+    // config re-load is best-effort for the warning below
+  }
+
+  info(`Domain set to ${domain} with automatic HTTPS.`)
+  if (!tlsActive) {
+    plain(
+      "\nNote: a supatype.local.config.ts override (server.mode=dev) is suppressing HTTPS locally.\n" +
+        "That file is gitignored, so HTTPS still activates on your production server.",
+    )
+  }
+  nextSteps("Go live:", [
+    `Point DNS: an A record for ${domain} -> your server's public IP`,
+    "Open ports 80 and 443 on the server firewall",
+    "supatype self-host compose up -d   # Kong provisions HTTPS automatically",
+    `Platform URL: https://${domain}`,
+  ])
+  plain("  App, REST, Auth, Storage, Realtime, Functions, and Studio — one HTTPS domain.")
+  plain("  Certificates persist in the valkey-data volume.\n")
+}