@upend/cli 0.1.0

package/README.md

@@ -0,0 +1,231 @@
+# upend
+
+Anti-SaaS stack. Your code, your server, your database. Deploy via rsync. Edit live with Claude.
+
+Bun + Hono + Neon Postgres + Caddy. Custom JWT auth. Claude editing sessions with git worktree isolation. Hot-deployed frontend apps.
+
+## Prerequisites
+
+- [Bun](https://bun.sh) — `curl -fsSL https://bun.sh/install | bash`
+- [Caddy](https://caddyserver.com) — `brew install caddy`
+- [Claude Code](https://docs.anthropic.com/en/docs/claude-code) — `npm i -g @anthropic-ai/claude-code`
+- A [Neon](https://neon.tech) account (free tier works)
+- Optionally: [neonctl](https://neon.tech/docs/reference/neon-cli) — `npm i -g neonctl` (automates DB setup)
+
+## Quickstart
+
+```bash
+# create a new project
+bunx @upend/cli init my-app
+
+# follow the prompts — if neonctl is installed, it will:
+#   1. create a Neon database
+#   2. enable the Data API (PostgREST)
+#   3. configure JWKS for JWT auth
+#   4. generate RSA signing keys
+#   5. encrypt your .env with dotenvx
+
+cd my-app
+
+# add your Anthropic API key
+# (edit .env, then re-encrypt)
+vi .env
+bunx @dotenvx/dotenvx encrypt
+
+# run migrations
+bunx upend migrate
+
+# start dev
+bunx upend dev
+```
+
+Open http://localhost:4000 — you'll see the dashboard.
+
+## What you get
+
+```
+my-app/
+├── apps/                 → hot-deployed frontends (drop files in, they're live)
+├── migrations/
+│   └── 001_init.sql      → starter migration
+├── services/             → custom Hono services (optional)
+├── upend.config.ts       → project config
+├── CLAUDE.md             → instructions for Claude editing sessions
+├── .env                  → encrypted credentials (safe to commit)
+├── .env.keys             → decryption keys (gitignored)
+├── .keys/                → JWT signing keys (gitignored)
+└── package.json
+```
+
+## URLs
+
+Everything runs through Caddy at `:4000`:
+
+| URL | What |
+|-----|------|
+| `http://localhost:4000` | Dashboard — chat with Claude, browse data, manage apps |
+| `/api/auth/signup` | Create account — `POST {email, password}` → `{user, token}` |
+| `/api/auth/login` | Login — `POST {email, password}` → `{user, token}` |
+| `/.well-known/jwks.json` | Public keys for JWT verification |
+| `/apps/<name>/` | Your apps, served from the filesystem |
+
+## Auth
+
+Sign up:
+
+```bash
+curl -X POST http://localhost:4000/api/auth/signup \
+  -H 'Content-Type: application/json' \
+  -d '{"email":"you@example.com","password":"yourpassword"}'
+# → { user: { id, email }, token: "eyJ..." }
+```
+
+Use the token everywhere:
+
+```bash
+TOKEN="eyJ..."
+curl http://localhost:4000/api/data/example \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+## Data API
+
+Your tables are automatically available as REST endpoints via Neon's Data API:
+
+```bash
+# list rows
+curl /api/data/example?order=created_at.desc \
+  -H "Authorization: Bearer $TOKEN"
+
+# create
+curl -X POST /api/data/example \
+  -H "Authorization: Bearer $TOKEN" \
+  -H 'Content-Type: application/json' \
+  -H 'Prefer: return=representation' \
+  -d '{"name":"hello","data":{"key":"value"}}'
+
+# update
+curl -X PATCH '/api/data/example?id=eq.5' \
+  -H "Authorization: Bearer $TOKEN" \
+  -H 'Content-Type: application/json' \
+  -d '{"name":"updated"}'
+
+# delete
+curl -X DELETE '/api/data/example?id=eq.5' \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+PostgREST filter operators: `eq`, `neq`, `gt`, `gte`, `lt`, `lte`, `like`, `ilike`, `is`, `in`, `not`.
+
+## Migrations
+
+Plain SQL files in `migrations/`, numbered sequentially:
+
+```bash
+# create a migration
+cat > migrations/002_projects.sql << 'SQL'
+CREATE TABLE projects (
+  id BIGSERIAL PRIMARY KEY,
+  name TEXT NOT NULL,
+  owner_id UUID REFERENCES users(id),
+  created_at TIMESTAMPTZ DEFAULT now()
+);
+SQL
+
+# run it
+bunx upend migrate
+```
+
+Or tell Claude in the dashboard: *"add a projects table with name and owner"* — it'll create the migration and run it.
+
+## Apps
+
+Apps are static files in `apps/<name>/`. No build step. Drop files in, they're instantly live at `/apps/<name>/`.
+
+From the dashboard, tell Claude: *"build a todo app"* — it creates the files in a git worktree, you preview them, then publish to live.
+
+Apps can call the API at the same origin:
+
+```js
+const token = localStorage.getItem('upend_token');
+const res = await fetch('/api/data/projects?order=created_at.desc', {
+  headers: { 'Authorization': `Bearer ${token}` }
+});
+const projects = await res.json();
+```
+
+## Editing with Claude
+
+The dashboard at `/` has a built-in chat. Each conversation creates an isolated git worktree — Claude edits files there, you preview the changes, then click **Publish** to merge into live.
+
+If something breaks, close the session without publishing. Your live code is untouched.
+
+## Deploy
+
+### Provision infrastructure
+
+```bash
+# provision an EC2 instance (t4g.small, Amazon Linux 2023)
+bunx upend infra:aws
+
+# this creates:
+#   - EC2 instance with Bun, Node, Caddy, Claude Code
+#   - security group (ports 22, 80, 443)
+#   - SSH key pair
+#   - SSH config entry: "ssh upend"
+```
+
+### Deploy your code
+
+```bash
+# set your deploy target in .env
+DEPLOY_HOST=ec2-user@<ip>
+
+# deploy (rsync → install → migrate → restart)
+bunx upend deploy
+```
+
+### Register JWKS (after first deploy)
+
+Neon needs to reach your JWKS URL to validate JWTs for the Data API. After your first deploy, when your domain is live:
+
+```bash
+bunx upend setup:jwks
+```
+
+## CLI Commands
+
+| Command | What |
+|---------|------|
+| `upend init <name>` | Scaffold a new project (creates Neon DB, generates keys, encrypts env) |
+| `upend dev` | Start gateway + claude + caddy locally |
+| `upend migrate` | Run SQL migrations from `migrations/` |
+| `upend deploy` | rsync to remote, install, migrate, restart |
+| `upend infra:aws` | Provision an EC2 instance |
+
+## Config
+
+`upend.config.ts`:
+
+```ts
+import { defineConfig } from "@upend/cli";
+
+export default defineConfig({
+  name: "my-app",
+  database: process.env.DATABASE_URL,
+  dataApi: process.env.NEON_DATA_API,
+  deploy: {
+    host: process.env.DEPLOY_HOST,
+    dir: "/opt/upend",
+  },
+});
+```
+
+## Philosophy
+
+- **One server per customer.** Vertical scaling. No multi-tenant complexity.
+- **No git workflows.** Claude edits live (in a worktree). Publish when ready.
+- **No CI/CD.** `rsync --delete` is the deploy.
+- **No build step.** Bun runs TypeScript directly. Apps are static files.
+- **Encrypted env.** `.env` is encrypted with dotenvx — safe to commit. `.env.keys` is gitignored.
+- **Snapshots, not rollback strategies.** Before any change, snapshot files + database. Undo = restore.

package/bin/cli.ts

@@ -0,0 +1,48 @@
+#!/usr/bin/env bun
+
+const args = process.argv.slice(2);
+const command = args[0];
+
+const commands: Record<string, () => Promise<void>> = {
+  init: () => import("../src/commands/init").then((m) => m.default(args.slice(1))),
+  dev: () => import("../src/commands/dev").then((m) => m.default(args.slice(1))),
+  deploy: () => import("../src/commands/deploy").then((m) => m.default(args.slice(1))),
+  migrate: () => import("../src/commands/migrate").then((m) => m.default(args.slice(1))),
+  infra: () => import("../src/commands/infra").then((m) => m.default(args.slice(1))),
+};
+
+if (!command || command === "--help" || command === "-h") {
+  console.log(`
+  upend — anti-SaaS stack
+
+  usage:
+    upend init <name>        scaffold a new project
+    upend dev                start local dev (services + caddy)
+    upend deploy             deploy to remote instance
+    upend migrate            run database migrations
+    upend infra:aws          provision AWS infrastructure
+    upend infra:gcp          provision GCP infrastructure
+
+  options:
+    --help, -h               show this help
+    --version, -v            show version
+`);
+  process.exit(0);
+}
+
+if (command === "--version" || command === "-v") {
+  const pkg = await Bun.file(new URL("../package.json", import.meta.url)).json();
+  console.log(pkg.version);
+  process.exit(0);
+}
+
+// handle infra:provider syntax
+const cmd = command.startsWith("infra:") ? "infra" : command;
+
+if (!commands[cmd]) {
+  console.error(`unknown command: ${command}`);
+  console.error(`run 'upend --help' for usage`);
+  process.exit(1);
+}
+
+await commands[cmd]();

package/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "@upend/cli",
+  "version": "0.1.0",
+  "description": "Anti-SaaS stack. Deploy live apps with Claude, Postgres, and rsync.",
+  "type": "module",
+  "bin": {
+    "upend": "./bin/cli.ts"
+  },
+  "files": [
+    "bin",
+    "src",
+    "templates"
+  ],
+  "keywords": ["cli", "deploy", "postgres", "claude", "rsync", "caddy", "bun"],
+  "author": "cif",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/cif/upend"
+  },
+  "dependencies": {
+    "hono": "^4.12.8",
+    "jose": "^6.2.1",
+    "postgres": "^3.4.8"
+  }
+}

package/src/commands/deploy.ts

@@ -0,0 +1,67 @@
+import { log } from "../lib/log";
+import { exec, execOrDie, hasCommand } from "../lib/exec";
+import { resolve } from "path";
+
+export default async function deploy(args: string[]) {
+  const projectDir = resolve(".");
+  const host = process.env.DEPLOY_HOST;
+  const sshKey = process.env.DEPLOY_SSH_KEY || `${process.env.HOME}/.ssh/upend.pem`;
+
+  if (!host) {
+    log.error("DEPLOY_HOST not set. Add it to .env (e.g. ec2-user@1.2.3.4)");
+    process.exit(1);
+  }
+
+  const appDir = process.env.DEPLOY_DIR || "/opt/upend";
+  const ssh = (cmd: string) => execOrDie(["ssh", "-i", sshKey, host, cmd]);
+
+  log.header(`deploying to ${host}`);
+
+  // step 1: stop services
+  log.info("stopping services...");
+  await ssh("pkill -f 'bun services/' 2>/dev/null || true; sudo pkill caddy 2>/dev/null || true; sleep 1");
+  log.success("services stopped");
+
+  // step 2: full rsync
+  log.info("pushing files...");
+  await ssh(`sudo mkdir -p ${appDir} && sudo chown $(whoami):$(whoami) ${appDir}`);
+  await execOrDie([
+    "rsync", "-azP", "--delete",
+    "--exclude", "node_modules",
+    "--exclude", ".env.keys",
+    "--exclude", ".keys",
+    "--exclude", ".snapshots",
+    "--exclude", ".git",
+    "--exclude", "sessions",
+    "-e", `ssh -i ${sshKey}`,
+    "./", `${host}:${appDir}/`,
+  ]);
+  log.success("files pushed");
+
+  // step 3: sync secrets
+  log.info("syncing secrets...");
+  await exec(["rsync", "-azP", "-e", `ssh -i ${sshKey}`, ".env.keys", `${host}:${appDir}/.env.keys`]);
+  await exec(["rsync", "-azP", "-e", `ssh -i ${sshKey}`, ".keys/", `${host}:${appDir}/.keys/`]);
+  log.success("secrets synced");
+
+  // step 4: install + migrate + start
+  log.info("installing deps + migrating + starting...");
+  await ssh(`bash -c '
+    cd ${appDir}
+    bun install
+    dotenvx run -- bun src/migrate.ts
+    git add -A && git commit -m "deploy $(date +%Y-%m-%d-%H%M)" --allow-empty 2>/dev/null || true
+    nohup dotenvx run -- bun services/api/index.ts > /tmp/upend-api.log 2>&1 &
+    nohup dotenvx run -- bun services/claude/index.ts > /tmp/upend-claude.log 2>&1 &
+    nohup sudo caddy run --config ${appDir}/infra/Caddyfile > /tmp/upend-caddy.log 2>&1 &
+    sleep 3
+    curl -s -o /dev/null -w "API: %{http_code}\\n" http://localhost:3001/
+    curl -s -o /dev/null -w "Caddy: %{http_code}\\n" http://localhost:80/
+  '`);
+  log.success("deployed");
+
+  log.blank();
+  log.header("live!");
+  log.info(`ssh ${host} 'tail -f /tmp/upend-*.log'`);
+  log.blank();
+}

package/src/commands/dev.ts

@@ -0,0 +1,96 @@
+import { log } from "../lib/log";
+import { hasCommand } from "../lib/exec";
+import { existsSync } from "fs";
+import { resolve } from "path";
+
+export default async function dev(args: string[]) {
+  const projectDir = resolve(".");
+
+  if (!existsSync("upend.config.ts") && !existsSync("package.json")) {
+    log.error("not in an upend project (no upend.config.ts found)");
+    process.exit(1);
+  }
+
+  // find @upend/cli's bundled services
+  const cliRoot = new URL("../../", import.meta.url).pathname;
+
+  // ports from env or defaults
+  const apiPort = process.env.API_PORT || "3001";
+  const claudePort = process.env.CLAUDE_PORT || "3002";
+  const proxyPort = process.env.PORT || "4000";
+
+  log.header("starting upend dev");
+
+  // start API service
+  log.info(`starting api → :${apiPort}`);
+  Bun.spawn(["bun", "--watch", `${cliRoot}/src/services/gateway/index.ts`], {
+    env: { ...process.env, API_PORT: apiPort, UPEND_PROJECT: projectDir },
+    stdout: "inherit",
+    stderr: "inherit",
+  });
+
+  // start Claude service
+  log.info(`starting claude → :${claudePort}`);
+  Bun.spawn(["bun", "--watch", `${cliRoot}/src/services/claude/index.ts`], {
+    env: { ...process.env, CLAUDE_PORT: claudePort, UPEND_PROJECT: projectDir },
+    stdout: "inherit",
+    stderr: "inherit",
+  });
+
+  // start Caddy
+  if (await hasCommand("caddy")) {
+    log.info(`starting caddy → :${proxyPort}`);
+    const caddyfile = generateCaddyfile(projectDir, cliRoot, apiPort, claudePort, proxyPort);
+    const caddyPath = `/tmp/upend-Caddyfile-${proxyPort}`;
+    await Bun.write(caddyPath, caddyfile);
+    Bun.spawn(["caddy", "run", "--config", caddyPath, "--adapter", "caddyfile"], {
+      stdout: "inherit",
+      stderr: "inherit",
+    });
+  } else {
+    log.warn("caddy not found — install with: brew install caddy");
+    log.warn(`services running on individual ports (${apiPort}, ${claudePort})`);
+  }
+
+  log.blank();
+  log.header(`upend running on :${proxyPort}`);
+  log.info(`http://localhost:${proxyPort}/          → dashboard`);
+  log.info(`http://localhost:${proxyPort}/api/      → api`);
+  log.info(`http://localhost:${proxyPort}/claude/   → claude`);
+  log.info(`http://localhost:${proxyPort}/apps/     → live apps`);
+  log.blank();
+}
+
+function generateCaddyfile(projectDir: string, cliRoot: string, apiPort: string, claudePort: string, proxyPort: string): string {
+  return `:${proxyPort} {
+  # Live apps
+  handle_path /apps/* {
+    root * ${projectDir}/apps
+    try_files {path} {path}/index.html
+    file_server
+  }
+
+  # API service (auth, JWKS, tables)
+  handle_path /api/* {
+    reverse_proxy localhost:${apiPort}
+  }
+
+  # Claude service + WebSocket
+  handle_path /claude/* {
+    reverse_proxy localhost:${claudePort}
+  }
+
+  # JWKS
+  handle /.well-known/* {
+    reverse_proxy localhost:${apiPort}
+  }
+
+  # Default → dashboard
+  handle {
+    root * ${cliRoot}/src/services/dashboard/public
+    try_files {path} /index.html
+    file_server
+  }
+}
+`;
+}

package/src/commands/infra.ts

@@ -0,0 +1,227 @@
+import { log } from "../lib/log";
+import { exec, execOrDie, hasCommand } from "../lib/exec";
+
+export default async function infra(args: string[]) {
+  // parse provider from command: infra:aws, infra:gcp, etc.
+  const fullCommand = process.argv[2]; // e.g. "infra:aws"
+  const provider = fullCommand?.split(":")[1] || args[0];
+
+  if (!provider) {
+    log.error("usage: upend infra:<provider>");
+    log.dim("  upend infra:aws     provision an EC2 instance");
+    log.dim("  upend infra:gcp     provision a GCE instance (coming soon)");
+    log.dim("  upend infra:azure   provision an Azure VM (coming soon)");
+    process.exit(1);
+  }
+
+  switch (provider) {
+    case "aws":
+      await provisionAWS();
+      break;
+    case "gcp":
+    case "azure":
+      log.error(`${provider} support coming soon`);
+      process.exit(1);
+    default:
+      log.error(`unknown provider: ${provider}`);
+      process.exit(1);
+  }
+}
+
+async function provisionAWS() {
+  log.header("provisioning AWS infrastructure");
+
+  // check AWS CLI
+  if (!(await hasCommand("aws"))) {
+    log.error("AWS CLI not found. Install: brew install awscli");
+    process.exit(1);
+  }
+
+  // verify credentials
+  log.info("verifying AWS credentials...");
+  const { stdout: identity } = await execOrDie(["aws", "sts", "get-caller-identity"]);
+  const account = JSON.parse(identity);
+  log.success(`authenticated as ${account.Arn}`);
+
+  const region = process.env.AWS_REGION || "us-east-1";
+  const keyName = "upend";
+  const instanceType = "t4g.small";
+
+  // create key pair if it doesn't exist
+  log.info("setting up SSH key pair...");
+  const { exitCode: keyExists } = await exec(
+    ["aws", "ec2", "describe-key-pairs", "--key-names", keyName, "--region", region],
+    { silent: true }
+  );
+
+  if (keyExists !== 0) {
+    const sshDir = `${process.env.HOME}/.ssh`;
+    await execOrDie([
+      "aws", "ec2", "create-key-pair",
+      "--key-name", keyName,
+      "--key-type", "ed25519",
+      "--query", "KeyMaterial",
+      "--output", "text",
+      "--region", region,
+    ]);
+    // the key material goes to stdout — capture and write
+    const { stdout: keyMaterial } = await execOrDie([
+      "aws", "ec2", "create-key-pair",
+      "--key-name", `${keyName}-2`,
+      "--key-type", "ed25519",
+      "--query", "KeyMaterial",
+      "--output", "text",
+      "--region", region,
+    ]);
+    // actually let's do this properly
+    log.warn("key pair created but you'll need to save it manually");
+    log.dim(`aws ec2 create-key-pair --key-name ${keyName} --query KeyMaterial --output text > ~/.ssh/upend.pem`);
+  }
+  log.success("SSH key pair ready");
+
+  // create security group
+  log.info("creating security group...");
+  const { stdout: sgJson, exitCode: sgExists } = await exec(
+    ["aws", "ec2", "describe-security-groups", "--group-names", "upend", "--region", region],
+    { silent: true }
+  );
+
+  let sgId: string;
+  if (sgExists === 0) {
+    sgId = JSON.parse(sgJson).SecurityGroups[0].GroupId;
+    log.success(`using existing security group: ${sgId}`);
+  } else {
+    const { stdout: newSg } = await execOrDie([
+      "aws", "ec2", "create-security-group",
+      "--group-name", "upend",
+      "--description", "upend server",
+      "--query", "GroupId",
+      "--output", "text",
+      "--region", region,
+    ]);
+    sgId = newSg;
+
+    // open ports
+    for (const port of [22, 80, 443]) {
+      await exec([
+        "aws", "ec2", "authorize-security-group-ingress",
+        "--group-id", sgId,
+        "--protocol", "tcp",
+        "--port", String(port),
+        "--cidr", "0.0.0.0/0",
+        "--region", region,
+      ], { silent: true });
+    }
+    log.success(`security group created: ${sgId}`);
+  }
+
+  // find latest Amazon Linux 2023 ARM AMI
+  log.info("finding latest AMI...");
+  const { stdout: amiId } = await execOrDie([
+    "aws", "ec2", "describe-images",
+    "--owners", "amazon",
+    "--filters", "Name=name,Values=al2023-ami-2023*-arm64", "Name=state,Values=available",
+    "--query", "sort_by(Images, &CreationDate)[-1].ImageId",
+    "--output", "text",
+    "--region", region,
+  ]);
+  log.success(`AMI: ${amiId}`);
+
+  // launch instance
+  log.info("launching instance...");
+  const { stdout: instanceId } = await execOrDie([
+    "aws", "ec2", "run-instances",
+    "--image-id", amiId,
+    "--instance-type", instanceType,
+    "--key-name", keyName,
+    "--security-group-ids", sgId,
+    "--block-device-mappings", '[{"DeviceName":"/dev/xvda","Ebs":{"VolumeSize":20,"VolumeType":"gp3"}}]',
+    "--tag-specifications", 'ResourceType=instance,Tags=[{Key=Name,Value=upend}]',
+    "--query", "Instances[0].InstanceId",
+    "--output", "text",
+    "--region", region,
+  ]);
+  log.success(`instance: ${instanceId}`);
+
+  // wait for running
+  log.info("waiting for instance to start...");
+  await execOrDie([
+    "aws", "ec2", "wait", "instance-running",
+    "--instance-ids", instanceId,
+    "--region", region,
+  ]);
+
+  // get public IP
+  const { stdout: publicIp } = await execOrDie([
+    "aws", "ec2", "describe-instances",
+    "--instance-ids", instanceId,
+    "--query", "Reservations[0].Instances[0].PublicIpAddress",
+    "--output", "text",
+    "--region", region,
+  ]);
+  log.success(`public IP: ${publicIp}`);
+
+  // set up SSH config
+  log.info("adding SSH config...");
+  const sshConfigEntry = `\nHost upend\n  HostName ${publicIp}\n  User ec2-user\n  IdentityFile ~/.ssh/upend.pem\n`;
+  const sshConfigPath = `${process.env.HOME}/.ssh/config`;
+  const existing = await Bun.file(sshConfigPath).text().catch(() => "");
+  if (!existing.includes("Host upend")) {
+    await Bun.write(sshConfigPath, existing + sshConfigEntry);
+  }
+  log.success("SSH config updated");
+
+  // wait for SSH to be ready
+  log.info("waiting for SSH...");
+  for (let i = 0; i < 30; i++) {
+    const { exitCode } = await exec(
+      ["ssh", "-o", "StrictHostKeyChecking=no", "-o", "ConnectTimeout=5", "upend", "echo ok"],
+      { silent: true }
+    );
+    if (exitCode === 0) break;
+    await new Promise((r) => setTimeout(r, 2000));
+  }
+  log.success("SSH connected");
+
+  // run setup on the instance
+  log.info("installing bun, node, caddy, claude code...");
+  const setupScript = `
+    set -euo pipefail
+    curl -fsSL https://bun.sh/install | bash
+    export PATH="$HOME/.bun/bin:$PATH"
+    curl -fsSL https://rpm.nodesource.com/setup_22.x | sudo bash -
+    sudo dnf install -y nodejs git
+    ARCH=$(uname -m | sed 's/aarch64/arm64/' | sed 's/x86_64/amd64/')
+    curl -fsSL "https://caddyserver.com/api/download?os=linux&arch=$ARCH" -o /tmp/caddy
+    sudo mv /tmp/caddy /usr/local/bin/caddy && sudo chmod +x /usr/local/bin/caddy
+    bun install -g @anthropic-ai/claude-code
+    sudo ln -sf $HOME/.bun/bin/bun /usr/local/bin/bun
+    sudo ln -sf $HOME/.bun/bin/bunx /usr/local/bin/bunx
+    sudo ln -sf $HOME/.bun/bin/claude /usr/local/bin/claude
+    sudo ln -sf $HOME/.bun/bin/dotenvx /usr/local/bin/dotenvx
+    sudo mkdir -p /opt/upend && sudo chown $(whoami):$(whoami) /opt/upend
+    echo "setup complete"
+  `;
+  await execOrDie(["ssh", "upend", "bash -s"], { cwd: process.cwd() });
+  // actually need to pipe the script
+  const setupProc = Bun.spawn(["ssh", "upend", "bash -s"], {
+    stdin: new TextEncoder().encode(setupScript),
+    stdout: "inherit",
+    stderr: "inherit",
+  });
+  await setupProc.exited;
+  log.success("instance provisioned");
+
+  log.blank();
+  log.header("infrastructure ready!");
+  log.info(`instance: ${instanceId}`);
+  log.info(`IP: ${publicIp}`);
+  log.info(`SSH: ssh upend`);
+  log.blank();
+  log.info("add to your .env:");
+  log.dim(`DEPLOY_HOST=ec2-user@${publicIp}`);
+  log.blank();
+  log.info("then deploy:");
+  log.dim("upend deploy");
+  log.blank();
+}