@swarp/cli 0.0.3-rc.25 → 0.0.3-rc.27

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@swarp/cli",
-  "version": "0.0.3-rc.25",
+  "version": "0.0.3-rc.27",
   "description": "SWARP agent orchestration platform — CLI, MCP server, generator",
   "type": "module",
   "bin": {

package/src/deploy/wireguard.mjs

@@ -0,0 +1,54 @@
+import { execFileSync } from "node:child_process";
+import { readFileSync, writeFileSync } from "node:fs";
+
+export function createWireGuardPeer(org, region, agentName) {
+  const confPath = `/tmp/${agentName}.conf`;
+  execFileSync("flyctl", ["wireguard", "create", org, region, agentName, confPath]);
+  return confPath;
+}
+
+export function extractDnsIP(confPath) {
+  const contents = readFileSync(confPath, "utf8");
+  for (const line of contents.split("\n")) {
+    const trimmed = line.trim();
+    if (trimmed.startsWith("DNS")) {
+      const [, value] = trimmed.split("=");
+      return value.trim();
+    }
+  }
+  return null;
+}
+
+export function addKeepalive(confPath, interval = 25) {
+  const contents = readFileSync(confPath, "utf8");
+  if (contents.includes("PersistentKeepalive")) {
+    return confPath;
+  }
+  const updated = contents.replace(
+    /(\[Peer\])/,
+    `$1\nPersistentKeepalive = ${interval}`
+  );
+  writeFileSync(confPath, updated, "utf8");
+  return confPath;
+}
+
+export function pushWireGuardToSprite(agentName, confPath) {
+  const conf = readFileSync(confPath, "utf8");
+  execFileSync(
+    "sprite",
+    [
+      "exec",
+      "-s",
+      agentName,
+      "--",
+      "bash",
+      "-c",
+      "mkdir -p /etc/wireguard && cat > /etc/wireguard/wg0.conf && wg-quick up wg0",
+    ],
+    { input: conf }
+  );
+}
+
+export function removeWireGuardPeer(org, agentName) {
+  execFileSync("flyctl", ["wireguard", "remove", org, agentName]);
+}

package/src/deploy/wireguard.test.mjs

@@ -0,0 +1,91 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { writeFileSync, readFileSync } from "node:fs";
+
+vi.mock("node:child_process", () => ({ execFileSync: vi.fn() }));
+
+import { execFileSync } from "node:child_process";
+import {
+  createWireGuardPeer,
+  extractDnsIP,
+  addKeepalive,
+  pushWireGuardToSprite,
+  removeWireGuardPeer,
+} from "./wireguard.mjs";
+
+const SAMPLE_CONF = `[Interface]
+PrivateKey = abc123
+Address = fdaa:0:5e4f:a7b:23c:0:a:2/120
+DNS = fdaa:0:5e4f::3
+
+[Peer]
+PublicKey = xyz789
+AllowedIPs = fdaa:0:5e4f::/48
+Endpoint = sea1.gateway.6pn.dev:51820
+`;
+
+function writeTempConf(contents = SAMPLE_CONF) {
+  const path = join(tmpdir(), `wg-test-${Date.now()}.conf`);
+  writeFileSync(path, contents, "utf8");
+  return path;
+}
+
+describe("createWireGuardPeer", () => {
+  beforeEach(() => vi.clearAllMocks());
+
+  it("calls flyctl with correct args and returns conf path", () => {
+    const result = createWireGuardPeer("my-org", "sea", "my-agent");
+    expect(execFileSync).toHaveBeenCalledWith("flyctl", [
+      "wireguard",
+      "create",
+      "my-org",
+      "sea",
+      "my-agent",
+      "/tmp/my-agent.conf",
+    ]);
+    expect(result).toBe("/tmp/my-agent.conf");
+  });
+});
+
+describe("extractDnsIP", () => {
+  it("parses the DNS IP from a WG config", () => {
+    const confPath = writeTempConf();
+    expect(extractDnsIP(confPath)).toBe("fdaa:0:5e4f::3");
+  });
+});
+
+describe("addKeepalive", () => {
+  it("inserts PersistentKeepalive after [Peer]", () => {
+    const confPath = writeTempConf();
+    addKeepalive(confPath);
+    const result = readFileSync(confPath, "utf8");
+    expect(result).toContain("PersistentKeepalive = 25");
+    expect(result.indexOf("[Peer]")).toBeLessThan(
+      result.indexOf("PersistentKeepalive")
+    );
+  });
+
+  it("is idempotent — does not add keepalive twice", () => {
+    const confPath = writeTempConf();
+    addKeepalive(confPath);
+    addKeepalive(confPath);
+    const result = readFileSync(confPath, "utf8");
+    const count = (result.match(/PersistentKeepalive/g) || []).length;
+    expect(count).toBe(1);
+  });
+});
+
+describe("removeWireGuardPeer", () => {
+  beforeEach(() => vi.clearAllMocks());
+
+  it("calls flyctl with correct args", () => {
+    removeWireGuardPeer("my-org", "my-agent");
+    expect(execFileSync).toHaveBeenCalledWith("flyctl", [
+      "wireguard",
+      "remove",
+      "my-org",
+      "my-agent",
+    ]);
+  });
+});

package/src/init/index.mjs

@@ -136,6 +136,52 @@ function updateMcpJson(cwd) {
   console.log(`  update ${mcpPath} — added swarp entry`);
 }
 
+// ── GitHub environment setup ──────────────────────────────────────────────────
+
+/**
+ * Creates the `swarp-certs` GitHub environment with the authenticated user as
+ * a required reviewer. Best-effort — logs a skip message if `gh` is unavailable
+ * or the API call fails.
+ */
+function createGithubCertsEnvironment() {
+  try {
+    const repo = execFileSync('gh', ['repo', 'view', '--json', 'nameWithOwner', '-q', '.nameWithOwner'], {
+      encoding: 'utf8',
+    }).trim();
+
+    execFileSync(
+      'gh',
+      ['api', `repos/${repo}/environments/swarp-certs`, '-X', 'PUT', '--input', '-'],
+      { input: JSON.stringify({ deployment_branch_policy: null }), encoding: 'utf8' },
+    );
+
+    const userId = execFileSync('gh', ['api', 'user', '-q', '.id'], { encoding: 'utf8' }).trim();
+
+    execFileSync(
+      'gh',
+      [
+        'api',
+        `repos/${repo}/environments/swarp-certs`,
+        '-X',
+        'PUT',
+        '--input',
+        '-',
+      ],
+      {
+        input: JSON.stringify({
+          reviewers: [{ type: 'User', id: Number(userId) }],
+          deployment_branch_policy: null,
+        }),
+        encoding: 'utf8',
+      },
+    );
+
+    console.log('  create GitHub environment swarp-certs (required reviewer set)');
+  } catch {
+    console.log('  skip   GitHub environment swarp-certs (gh unavailable or request failed)');
+  }
+}
+
 // ── Main entry point ──────────────────────────────────────────────────────────
 
 /**
@@ -177,6 +223,9 @@ export async function runInit({ cwd = process.cwd(), wizardAnswers, input, outpu
   // 7. .mcp.json
   updateMcpJson(cwd);
 
+  // 7b. GitHub swarp-certs environment
+  createGithubCertsEnvironment();
+
   // 8. .claude/skills/swarp/SKILL.md — generated from agent configs
   const skillContent = generateSkill({
     agentsDir: path.resolve(cwd, agentsDir),

package/src/init/index.test.mjs

@@ -4,6 +4,24 @@ import path from 'node:path';
 import os from 'node:os';
 import { runInit } from './index.mjs';
 
+// Track calls made to execFileSync by the module under test.
+// We cannot vi.spyOn a CJS binding in ESM, so we use a shared call log
+// populated via vi.mock instead.
+const execFileSyncCalls = [];
+let execFileSyncImpl = null;
+
+vi.mock('node:child_process', async (importOriginal) => {
+  const original = await importOriginal();
+  return {
+    ...original,
+    execFileSync: (...args) => {
+      execFileSyncCalls.push(args);
+      if (execFileSyncImpl) return execFileSyncImpl(...args);
+      return original.execFileSync(...args);
+    },
+  };
+});
+
 // ── Helpers ───────────────────────────────────────────────────────────────────
 
 function makeTmpDir() {
@@ -28,6 +46,8 @@ describe('runInit', () => {
 
   beforeEach(() => {
     tmpDir = makeTmpDir();
+    execFileSyncCalls.length = 0;
+    execFileSyncImpl = null;
     // Silence stdout/stderr during tests
     vi.spyOn(console, 'log').mockImplementation(() => {});
     vi.spyOn(console, 'warn').mockImplementation(() => {});
@@ -35,6 +55,7 @@ describe('runInit', () => {
 
   afterEach(() => {
     cleanDir(tmpDir);
+    execFileSyncImpl = null;
     vi.restoreAllMocks();
   });
 
@@ -165,4 +186,32 @@ describe('runInit', () => {
     const messages = logSpy.mock.calls.map((c) => c[0]).join('\n');
     expect(messages).toContain('/swarp');
   });
+
+  describe('GitHub swarp-certs environment', () => {
+    it('calls gh api to create the swarp-certs environment', async () => {
+      execFileSyncImpl = (cmd, args) => {
+        if (cmd === 'gh' && args[0] === 'repo') return 'myorg/myrepo\n';
+        if (cmd === 'gh' && args[0] === 'api' && args[1] === 'user') return '12345\n';
+        if (cmd === 'gh' && args[0] === 'api') return '{}';
+        // which checks — return empty string (tool found)
+        return '';
+      };
+
+      await runInit({ cwd: tmpDir, wizardAnswers: DEFAULT_ANSWERS });
+
+      const apiCalls = execFileSyncCalls.filter(
+        ([cmd, args]) => cmd === 'gh' && args[0] === 'api' && args[1]?.includes('swarp-certs'),
+      );
+      expect(apiCalls.length).toBeGreaterThanOrEqual(1);
+    });
+
+    it('skips environment creation gracefully when gh fails', async () => {
+      execFileSyncImpl = (cmd, args) => {
+        if (cmd === 'gh' && args[0] === 'repo') throw new Error('gh not found');
+        return '';
+      };
+
+      await expect(runInit({ cwd: tmpDir, wizardAnswers: DEFAULT_ANSWERS })).resolves.toBeUndefined();
+    });
+  });
 });