@tokenbuddy/tb-admin 1.0.13 → 1.0.15

package/src/server-cmd.ts

@@ -1,6 +1,25 @@
-import { execSync } from "child_process";
+import { execSync, spawnSync, type SpawnSyncReturns } from "child_process";
+import * as fs from "fs";
 import { SellerProviderConfig } from "./config.js";
 
+type ExecRunner = (command: string, options?: Parameters<typeof execSync>[1]) => string | Buffer;
+type SpawnRunner = (command: string, args?: string[], options?: Parameters<typeof spawnSync>[2]) => SpawnSyncReturns<string | Buffer>;
+
+export interface DockerImageInspection {
+  ok: boolean;
+  error?: string;
+  exitCode?: number;
+}
+
+export type ImageInspectRunner = (image: string) => DockerImageInspection;
+
+export interface FlyProviderRuntime {
+  checkFlyctlInstalled?: (flyctlPath?: string) => boolean;
+  execSync?: ExecRunner;
+  spawnSync?: SpawnRunner;
+  imageInspector?: ImageInspectRunner;
+}
+
 /**
  * 检查 flyctl 是否在 PATH 中（或在指定路径）。
  *
@@ -16,6 +35,70 @@ export function checkFlyctlInstalled(flyctlPath?: string): boolean {
   }
 }
 
+export function inspectDockerImage(image: string): DockerImageInspection {
+  const result = spawnSync("docker", ["buildx", "imagetools", "inspect", image], {
+    encoding: "utf8",
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+  return dockerImageInspectionFromResult(result);
+}
+
+export function requirePublishedDockerImage(image: string, inspectImage: ImageInspectRunner = inspectDockerImage): void {
+  const inspection = inspectImage(image);
+  if (inspection.ok) {
+    return;
+  }
+  const detail = inspection.error ? ` Detail: ${inspection.error.trim()}` : "";
+  throw new Error(
+    `seller image is not published or is not accessible: ${image}. ` +
+    `Publish it first with RELEASE_VERSION=<v> bash scripts/release/all.sh, or pass an existing registry.fly.io/tb-seller:<v> tag. ` +
+    `No Fly app was created.${detail}`
+  );
+}
+
+function dockerImageInspectionFromResult(result: SpawnSyncReturns<string>): DockerImageInspection {
+  if (result.error) {
+    return { ok: false, error: result.error.message };
+  }
+  if (result.status !== 0) {
+    return {
+      ok: false,
+      exitCode: result.status ?? undefined,
+      error: (result.stderr || result.stdout || "").toString()
+    };
+  }
+  return { ok: true };
+}
+
+export function parseFlyMachineIds(json: string, app: string): string[] {
+  let parsed: unknown;
+  try {
+    parsed = JSON.parse(json || "[]");
+  } catch {
+    throw new Error(`fly machines list returned invalid JSON for ${app}`);
+  }
+
+  if (!Array.isArray(parsed)) {
+    throw new Error(`fly machines list returned an unexpected shape for ${app}`);
+  }
+
+  const ids = parsed
+    .map((item) => {
+      if (item && typeof item === "object" && "id" in item) {
+        const id = (item as { id?: unknown }).id;
+        return typeof id === "string" && id.length > 0 ? id : undefined;
+      }
+      return undefined;
+    })
+    .filter((id): id is string => Boolean(id));
+
+  if (ids.length === 0) {
+    throw new Error(`fly app ${app} has no machines to update`);
+  }
+
+  return ids;
+}
+
 /**
  * `FlyProvider.createSeller` 的输入。
  * 字段未提供时回退到 `SellerProviderConfig` 的默认值。
@@ -31,6 +114,7 @@ export interface SellerCreateOptions {
   volumeSizeGb?: number;
   volumeId?: string;
   volumeSnapshotRetentionDays?: number;
+  initialConfigPath?: string;
   dryRun?: boolean;
 }
 
@@ -40,9 +124,17 @@ export interface SellerCreateOptions {
  */
 export class FlyProvider {
   private providerConfig?: SellerProviderConfig;
+  private readonly runtime: Required<FlyProviderRuntime>;
 
-  constructor(providerConfig?: SellerProviderConfig) {
+  constructor(providerConfig?: SellerProviderConfig, runtime?: FlyProviderRuntime) {
     this.providerConfig = providerConfig;
+    this.runtime = {
+      checkFlyctlInstalled,
+      execSync,
+      spawnSync,
+      imageInspector: inspectDockerImage,
+      ...runtime
+    };
   }
 
   private get flyctl(): string {
@@ -53,10 +145,10 @@ export class FlyProvider {
    * List apps on Fly.io
    */
   public listApps(): string {
-    if (!checkFlyctlInstalled(this.flyctl)) {
+    if (!this.runtime.checkFlyctlInstalled(this.flyctl)) {
       throw new Error(`\`${this.flyctl}\` is not installed on your system PATH.`);
     }
-    return execSync(`${this.flyctl} apps list`, { encoding: "utf8" });
+    return this.runtime.execSync(`${this.flyctl} apps list`, { encoding: "utf8" }) as string;
   }
 
   /**
@@ -83,6 +175,7 @@ export class FlyProvider {
       || 1;
     const volumeSnapshotRetentionDays = options.volumeSnapshotRetentionDays;
     const volumeId = options.volumeId;
+    const initialConfigPath = options.initialConfigPath;
 
     if (!targetImage) {
       throw new Error("seller create requires --image registry.fly.io/tb-seller:<v>");
@@ -100,35 +193,59 @@ export class FlyProvider {
         `  Volume: ${volumeName} (${volumeSizeGb}GB)`,
       ];
       if (flyConfig) lines.push(`  Fly config: ${flyConfig}`);
+      if (initialConfigPath) lines.push(`  Initial config secret: TOKENBUDDY_SELLER_CONFIG_B64 from ${initialConfigPath}`);
       if (volumeId) lines.push(`  Volume ID: ${volumeId}`);
       if (volumeSnapshotRetentionDays !== undefined) lines.push(`  Volume snapshot retention: ${volumeSnapshotRetentionDays} days`);
       return lines.join("\n");
     }
 
-    if (!checkFlyctlInstalled(this.flyctl)) {
+    if (!this.runtime.checkFlyctlInstalled(this.flyctl)) {
       throw new Error(`\`${this.flyctl}\` is not installed on PATH.`);
     }
 
     if (!operatorSecret) {
       throw new Error("operator_secret is required. Provide --operator-secret or configure seller_providers.fly.operator_secret");
     }
+    requireReadableFile(flyConfig, "Fly config");
+    if (initialConfigPath) {
+      requireReadableFile(initialConfigPath, "Initial seller config");
+    }
+    requirePublishedDockerImage(targetImage, this.runtime.imageInspector);
 
     console.log(`[Fly.io] Creating app ${appName}...`);
-    execSync(`${this.flyctl} apps create ${appName} --machines`, { stdio: "inherit" });
+    this.runtime.execSync(`${this.flyctl} apps create ${appName} --machines`, { stdio: "inherit" });
 
     console.log(`[Fly.io] Setting secrets...`);
-    execSync(
-      `${this.flyctl} secrets set ALLOW_MOCK=false OPERATOR_SECRET=${operatorSecret} --app ${appName}`,
-      { stdio: "inherit" }
-    );
+    this.importCreateSecrets(appName, operatorSecret, initialConfigPath);
 
     console.log(`[Fly.io] Deploying image ${targetImage}...`);
-    const deployCmd = `${this.flyctl} deploy -c ${flyConfig} --image ${targetImage} --region ${targetRegion} --app ${appName} --now`;
-    execSync(deployCmd, { stdio: "inherit" });
+    const deployCmd = `${this.flyctl} deploy -c ${flyConfig} --image ${targetImage} --primary-region ${targetRegion} --app ${appName} --now`;
+    this.runtime.execSync(deployCmd, { stdio: "inherit" });
 
     return `Successfully deployed ${appName} on Fly.io`;
   }
 
+  private importCreateSecrets(appName: string, operatorSecret: string, initialConfigPath: string | undefined): void {
+    const lines = [
+      "ALLOW_MOCK=false",
+      `OPERATOR_SECRET=${operatorSecret}`
+    ];
+    if (initialConfigPath) {
+      const configContent = fs.readFileSync(initialConfigPath, "utf8");
+      lines.push(`TOKENBUDDY_SELLER_CONFIG_B64=${Buffer.from(configContent, "utf8").toString("base64")}`);
+    }
+    const result = this.runtime.spawnSync(this.flyctl, ["secrets", "import", "--stage", "--app", appName], {
+      input: `${lines.join("\n")}\n`,
+      stdio: ["pipe", "inherit", "inherit"]
+    });
+    if (result.error) {
+      throw result.error;
+    }
+    if (result.status !== 0) {
+      throw new Error(`flyctl secrets import failed with exit code ${result.status}`);
+    }
+  }
+
   /**
    * Destroy a seller app on Fly.io.
    * @param nameOrApp  Either a bare name (e.g. "86d81e") or a full app name (e.g. "tbs-86d81e").
@@ -141,12 +258,12 @@ export class FlyProvider {
       return `[DRY-RUN] Will destroy fly app: ${appName}`;
     }
 
-    if (!checkFlyctlInstalled(this.flyctl)) {
+    if (!this.runtime.checkFlyctlInstalled(this.flyctl)) {
       throw new Error(`\`${this.flyctl}\` is not installed.`);
     }
 
     console.log(`[Fly.io] Destroying app ${appName}...`);
-    execSync(`${this.flyctl} apps destroy ${appName} --yes`, { stdio: "inherit" });
+    this.runtime.execSync(`${this.flyctl} apps destroy ${appName} --yes`, { stdio: "inherit" });
 
     return `Successfully destroyed ${appName} on Fly.io`;
   }
@@ -156,14 +273,17 @@ export class FlyProvider {
    */
   public statusApp(name: string): string {
     const appName = name.includes("-") ? name : `tb-seller-${name}`;
-    if (!checkFlyctlInstalled(this.flyctl)) {
+    if (!this.runtime.checkFlyctlInstalled(this.flyctl)) {
       throw new Error(`\`${this.flyctl}\` is not installed.`);
     }
-    return execSync(`${this.flyctl} status --app ${appName}`, { encoding: "utf8" });
+    return this.runtime.execSync(`${this.flyctl} status --app ${appName}`, { encoding: "utf8" }) as string;
   }
 
   /**
-   * Redeploy an existing seller app on Fly.io.
+   * Update an existing seller app's Machines to a new image.
+   *
+   * This intentionally does not call `fly deploy --config`: existing seller
+   * deploys must not reconcile volumes, mounts, or service configuration.
    */
   public deploySeller(options: {
     app: string;
@@ -171,32 +291,46 @@ export class FlyProvider {
     image?: string;
     dryRun?: boolean;
   }): string {
-    const { app, config, image, dryRun } = options;
-    const flyConfig = config;
+    const { app, image, dryRun } = options;
     const targetImage = image;
 
-    if (!flyConfig) {
-      throw new Error("seller deploy requires --fly-config deploy/fly.io/fly.tb-seller.toml");
-    }
     if (!targetImage) {
       throw new Error("seller deploy requires --image registry.fly.io/tb-seller:<v>");
     }
 
     if (dryRun) {
-      const lines = [`[DRY-RUN] Will redeploy app: ${app}`];
+      const lines = [`[DRY-RUN] Will update existing app machines: ${app}`];
       lines.push(`  Image: ${targetImage}`);
-      lines.push(`  Config: ${flyConfig}`);
+      lines.push("  Config: unchanged");
+      lines.push("  Volumes: unchanged");
       return lines.join("\n");
     }
 
-    if (!checkFlyctlInstalled(this.flyctl)) {
+    if (!this.runtime.checkFlyctlInstalled(this.flyctl)) {
       throw new Error(`\`${this.flyctl}\` is not installed.`);
     }
 
-    const cmd = `${this.flyctl} deploy --app ${app} --now --yes --config ${flyConfig} --image ${targetImage}`;
+    const machinesJson = this.runtime.execSync(`${this.flyctl} machines list --app ${app} --json`, { encoding: "utf8" }) as string;
+    const machineIds = parseFlyMachineIds(machinesJson, app);
 
-    console.log(`[Fly.io] Redeploying ${app}...`);
-    execSync(cmd, { stdio: "inherit" });
-    return `Successfully redeployed ${app}`;
+    console.log(`[Fly.io] Updating ${app} image on ${machineIds.length} machine(s)...`);
+    for (const machineId of machineIds) {
+      this.runtime.execSync(
+        `${this.flyctl} machine update ${machineId} --app ${app} --image ${targetImage} --yes`,
+        { stdio: "inherit" }
+      );
+    }
+    return `Successfully updated ${app} image`;
+  }
+}
+
+function requireReadableFile(filePath: string, label: string): void {
+  if (!fs.existsSync(filePath)) {
+    throw new Error(`${label} file does not exist: ${filePath}`);
+  }
+  const stat = fs.statSync(filePath);
+  if (!stat.isFile()) {
+    throw new Error(`${label} path is not a file: ${filePath}`);
   }
+  fs.accessSync(filePath, fs.constants.R_OK);
 }