@zerct/zerct 0.1.2 → 0.1.4

package/README.md

@@ -1,6 +1,6 @@
 # zerct
 
-Deploy Rust backends to Zerct.
+Deploy Rust backends and static frontends to Zerct.
 
 ```sh
 npx @zerct/zerct deploy
@@ -9,13 +9,17 @@ npx @zerct/zerct deploy
 Target unscoped command, pending npm approval:
 
 ```sh
-npx @zerct/zerct init
-npx @zerct/zerct doctor
-npx @zerct/zerct deploy
+npx zerct init
+npx zerct doctor
+npx zerct deploy
 ```
 
 Zerct expects `Cargo.toml`, `Cargo.lock`, and `zerct.toml`. The app must listen
 on `0.0.0.0:$PORT` and expose the configured health endpoint.
 
-Use `ZERCT_TOKEN` or `npx @zerct/zerct login --token <token>` for authenticated
-commands.
+From a full-stack repo root, the same deploy command discovers nested
+`zerct.toml` files and deploys the whole workspace in one command.
+
+On first deploy, the CLI opens browser login, waits for GitHub or Google, stores
+the Zerct session in the OS credential store when available, and continues the
+deploy. Later commands reuse that session.

package/bin/zerct.js

@@ -4,11 +4,19 @@ import { existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSy
 import { homedir } from 'node:os'
 import path from 'node:path'
 
-const VERSION = '0.1.2'
+const VERSION = '0.1.4'
 const DEFAULT_API_URL = 'https://api.zerct.com'
 const ARCHIVE_LIMIT_BYTES = 48 * 1024 * 1024
 const SESSION_DIR = '.zerct'
 const SESSION_FILE = 'session-token'
+const SESSION_SERVICE = 'com.zerct.cli'
+const SESSION_ACCOUNT = 'session-token'
+const SESSION_LABEL = 'Zerct session'
+const DEFAULT_LOGIN_EXPIRES_SECONDS = 600
+const DEFAULT_LOGIN_INTERVAL_SECONDS = 5
+const DEFAULT_RUST_CHECK_COMMAND = 'cargo check --locked && cargo clippy --locked --all-targets --all-features -- -D warnings'
+const DEFAULT_NPM_FRONTEND_CHECK_COMMAND = 'npm ci --prefer-offline --no-audit --fund=false && npm run typecheck && npm run lint'
+const DEFAULT_BUN_FRONTEND_CHECK_COMMAND = 'bun ci && bun run typecheck && bun run lint'
 const ARCHIVE_EXCLUDES = [
   '.git',
   'target',
@@ -34,8 +42,20 @@ const ARCHIVE_EXCLUDES = [
   '*.sqlite3',
   '*.db',
   '*.log',
+  '._*',
   '.DS_Store'
 ]
+const WALK_EXCLUDED_DIRS = new Set(['.git', 'target', 'node_modules', '.zerct'])
+const WORKSPACE_EXCLUDED_DIRS = new Set([
+  ...WALK_EXCLUDED_DIRS,
+  '.cache',
+  '.next',
+  '.turbo',
+  'build',
+  'coverage',
+  'dist',
+  'vendor'
+])
 
 const HELP = `Zerct ${VERSION}
 
@@ -53,23 +73,12 @@ Usage:
   zerct billing [--api <url>] [--json]
 
 Agent contract:
-  - Keep Cargo.lock committed.
-  - Keep direct unsafe out of workspace source.
-  - Listen on 0.0.0.0:$PORT.
-  - Return HTTP 200 from the configured health endpoint.
+  - Rust backends keep Cargo.lock committed, listen on 0.0.0.0:$PORT, and return HTTP 200 from health.
+  - Static frontends set kind = "static_frontend", keep TypeScript source, a package lockfile, and typecheck + lint scripts.
+  - Run deploy from a repo root with nested zerct.toml files to deploy the whole workspace in one command.
+  - Keep direct unsafe out of Rust source.
 `
 
-main().catch((error) => {
-  if (error instanceof ZerctError) {
-    printAgentError(error.payload, error.json)
-    process.exitCode = error.exitCode
-    return
-  }
-
-  console.error(`zerct failed: ${error.message}`)
-  process.exitCode = 1
-})
-
 async function main() {
   const cli = parseArgs(process.argv.slice(2))
 
@@ -240,22 +249,11 @@ function doctorProject(projectDir, json) {
 
 function runDoctor(projectDir) {
   const checks = []
-  const requiredFiles = ['Cargo.toml', 'Cargo.lock', 'zerct.toml']
-  for (const file of requiredFiles) {
-    const ok = existsSync(path.join(projectDir, file))
-    checks.push({
-      name: file,
-      ok,
-      message: ok ? 'found' : 'missing',
-      agent_instruction: `Create and commit ${file}, then retry.`
-    })
-  }
-
   let config = null
   const configPath = path.join(projectDir, 'zerct.toml')
   if (existsSync(configPath)) {
     try {
-      config = parseZerctToml(readFileSync(configPath, 'utf8'))
+      config = parseZerctToml(readFileSync(configPath, 'utf8'), projectDir)
       validateConfig(config)
       checks.push({ name: 'zerct.toml', ok: true, message: 'valid' })
     } catch (error) {
@@ -263,9 +261,42 @@ function runDoctor(projectDir) {
         name: 'zerct.toml',
         ok: false,
         message: error.message,
-        agent_instruction: 'Fix zerct.toml so it matches the Zerct deploy contract.'
+        agent_instruction: `Fix zerct.toml: ${error.message}.`
       })
     }
+  } else {
+    checks.push({
+      name: 'zerct.toml',
+      ok: false,
+      message: 'missing',
+      agent_instruction: 'Create and commit zerct.toml, then retry.'
+    })
+  }
+
+  const kind = config?.kind || 'rust_backend'
+  const requiredFiles = kind === 'static_frontend'
+    ? ['package.json']
+    : ['Cargo.toml', 'Cargo.lock']
+  for (const file of requiredFiles) {
+    const ok = existsSync(path.join(projectDir, file))
+    checks.push({
+      name: file,
+      ok,
+      message: ok ? 'found' : 'missing',
+      agent_instruction: `Create and commit ${file}, then retry.`
+    })
+  }
+
+  if (kind === 'static_frontend') {
+    const hasLockfile = frontendLockfileExists(projectDir)
+    checks.push({
+      name: 'frontend lockfile',
+      ok: hasLockfile,
+      message: hasLockfile ? 'found' : 'missing',
+      agent_instruction: 'Commit package-lock.json, pnpm-lock.yaml, yarn.lock, bun.lock, or bun.lockb, then retry.'
+    })
+    checks.push(...frontendSourceChecks(projectDir))
+    checks.push(...frontendScriptChecks(projectDir))
   }
 
   const unsafeHits = scanUnsafe(projectDir)
@@ -275,6 +306,10 @@ function runDoctor(projectDir) {
     message: unsafeHits.length === 0 ? 'no direct unsafe found' : unsafeHits.slice(0, 5).join(', '),
     agent_instruction: 'Remove direct unsafe usage from workspace Rust source before deploying.'
   })
+  if (kind === 'rust_backend') {
+    checks.push(cargoCheck(projectDir))
+    checks.push(cargoClippy(projectDir))
+  }
 
   return {
     ok: checks.every((check) => check.ok),
@@ -284,37 +319,125 @@ function runDoctor(projectDir) {
   }
 }
 
+function cargoCheck(projectDir) {
+  const cargo = spawnSync('cargo', ['check', '--locked', '--quiet'], {
+    cwd: projectDir,
+    encoding: 'utf8',
+    env: { ...process.env, CARGO_TERM_COLOR: 'never' },
+    stdio: ['ignore', 'pipe', 'pipe']
+  })
+
+  if (cargo.error) {
+    return {
+      name: 'cargo check',
+      ok: false,
+      message: cargo.error.message,
+      agent_instruction: 'Install Rust and Cargo, then run `cargo check --locked` locally before deploying.'
+    }
+  }
+
+  return {
+    name: 'cargo check',
+    ok: cargo.status === 0,
+    message: cargo.status === 0 ? 'passed' : (cargo.stderr || cargo.stdout || 'cargo check failed').trim().slice(0, 240),
+    agent_instruction: 'Run `cargo check --locked`, fix every compiler error and warning, then redeploy.'
+  }
+}
+
+function cargoClippy(projectDir) {
+  const cargo = spawnSync('cargo', ['clippy', '--locked', '--all-targets', '--all-features', '--quiet', '--', '-D', 'warnings'], {
+    cwd: projectDir,
+    encoding: 'utf8',
+    env: { ...process.env, CARGO_TERM_COLOR: 'never' },
+    stdio: ['ignore', 'pipe', 'pipe']
+  })
+
+  if (cargo.error) {
+    return {
+      name: 'cargo clippy',
+      ok: false,
+      message: cargo.error.message,
+      agent_instruction: 'Install Rust clippy, then run `cargo clippy --locked --all-targets --all-features -- -D warnings` before deploying.'
+    }
+  }
+
+  return {
+    name: 'cargo clippy',
+    ok: cargo.status === 0,
+    message: cargo.status === 0 ? 'passed' : (cargo.stderr || cargo.stdout || 'cargo clippy failed').trim().slice(0, 240),
+    agent_instruction: 'Run `cargo clippy --locked --all-targets --all-features -- -D warnings`, fix every warning, then redeploy.'
+  }
+}
+
 async function login(cli) {
   if (cli.token) {
-    writeSessionToken(process.cwd(), cli.token)
-    console.log('saved Zerct session token to .zerct/session-token')
+    writeSessionToken(cli.token)
+    console.log('saved Zerct session token')
     return
   }
 
-  const response = await apiRequest(cli, 'POST', '/v1/login/device', null, null)
-  openUrl(response.login_url)
-  console.log(`opened ${response.login_url}`)
-  console.log('After login, retry your deploy. If the CLI cannot finish automatically yet, set ZERCT_TOKEN or run `npx @zerct/zerct login --token <token>`.')
+  await loginAndStore(cli)
 }
 
 async function deploy(projectDir, cli) {
+  const projects = discoverDeployProjects(projectDir)
+  if (projects.length === 0) {
+    throw agentError('missing_project_contract', 'No zerct.toml was found.', 'Run `npx @zerct/zerct init` in each app directory, or pass a project path.', cli.json)
+  }
+
+  if (projects.length === 1) {
+    const project = projects[0]
+    if (project.kind === 'static_frontend' && cli.database) {
+      throw agentError('invalid_database_target', 'Static frontends cannot attach managed Postgres directly.', 'Deploy a Rust backend with managed Postgres and call it from the frontend.', cli.json)
+    }
+    const token = await readOrLoginToken(project.dir, cli)
+    const result = await deployProject(project.dir, cli, token, cli.database)
+    printDeployResult(result, cli)
+    return
+  }
+
+  const token = await readOrLoginToken(projectDir, cli)
+  const results = []
+  if (!cli.json) {
+    console.log(`deploying ${projects.length} projects`)
+  }
+
+  for (const project of projects) {
+    const wantsDatabase = cli.database && project.kind === 'rust_backend'
+    if (!cli.json) {
+      console.log(`checking ${project.relative}`)
+    }
+    const response = await deployProject(project.dir, cli, token, wantsDatabase)
+    results.push({ project, wantsDatabase, response })
+    if (!cli.json) {
+      console.log(`${project.relative} queued ${response.build_job.id}`)
+      console.log(`${project.relative} url ${response.app.url}`)
+    }
+  }
+
+  printWorkspaceDeployResults(projectDir, results, cli)
+}
+
+async function deployProject(projectDir, cli, token, wantsDatabase) {
   const report = runDoctor(projectDir)
   if (!report.ok) {
     const firstFailure = report.checks.find((check) => !check.ok)
     throw agentError('doctor_failed', 'Zerct doctor failed.', firstFailure?.agent_instruction || 'Fix the failed checks and retry.', cli.json)
   }
 
-  const token = readToken(projectDir, cli)
   const archive = createArchiveBase64(projectDir)
   const commitSha = gitCommitSha(projectDir)
   const body = {
     config: report.config,
     commit_sha: commitSha,
-    wants_database: cli.database,
+    wants_database: wantsDatabase,
     source_archive_base64: archive
   }
 
-  const response = await apiRequest(cli, 'POST', '/v1/deployments', token, body)
+  return apiRequest(cli, 'POST', '/v1/deploy', token, body)
+}
+
+function printDeployResult(response, cli) {
   if (cli.json) {
     console.log(JSON.stringify(response, null, 2))
     return
@@ -326,6 +449,27 @@ async function deploy(projectDir, cli) {
   console.log(`next npx @zerct/zerct logs --app ${response.app.id}`)
 }
 
+function printWorkspaceDeployResults(projectDir, results, cli) {
+  if (cli.json) {
+    console.log(JSON.stringify({
+      workspace: projectDir,
+      deploys: results.map((result) => ({
+        path: result.project.relative,
+        kind: result.project.kind,
+        wants_database: result.wantsDatabase,
+        app: result.response.app,
+        build_job: result.response.build_job
+      }))
+    }, null, 2))
+    return
+  }
+
+  const firstApp = results[0]?.response?.app?.id
+  if (firstApp) {
+    console.log(`next npx @zerct/zerct logs --app ${firstApp}`)
+  }
+}
+
 async function logs(cli) {
   const response = await appGet(cli, 'logs')
   if (cli.json) {
@@ -365,14 +509,14 @@ async function envCommand(cli) {
 
   const name = assignment.slice(0, separator)
   const value = assignment.slice(separator + 1)
-  const token = readToken(process.cwd(), cli)
+  const token = await readOrLoginToken(process.cwd(), cli)
   const app = requireApp(cli)
   const response = await apiRequest(cli, 'PUT', `/v1/apps/${encodeURIComponent(app)}/env`, token, { name, value })
   printJsonOrPretty(cli, response)
 }
 
 async function billing(cli) {
-  const token = readToken(process.cwd(), cli)
+  const token = await readOrLoginToken(process.cwd(), cli)
   const response = await apiRequest(cli, 'POST', '/v1/billing/checkout', token, {
     target_plan: 'pro',
     reason: 'Upgrade to Zerct Pro.'
@@ -386,11 +530,68 @@ async function billing(cli) {
 }
 
 async function appGet(cli, kind) {
-  const token = readToken(process.cwd(), cli)
+  const token = await readOrLoginToken(process.cwd(), cli)
   const app = requireApp(cli)
   return apiRequest(cli, 'GET', `/v1/apps/${encodeURIComponent(app)}/${kind}`, token, null)
 }
 
+async function readOrLoginToken(projectDir, cli) {
+  const token = readStoredToken(projectDir, cli)
+  if (token) {
+    return token
+  }
+
+  return loginAndStore(cli)
+}
+
+async function loginAndStore(cli) {
+  const start = await apiRequest(cli, 'POST', '/v1/login/device', null, null)
+  const loginUrl = start.loginUrl || start.login_url
+  if (!loginUrl) {
+    throw agentError('login_failed', 'Zerct login did not return a browser URL.', 'Retry `npx @zerct/zerct login`. If it keeps failing, check Zerct status.', cli.json)
+  }
+  openUrl(loginUrl)
+  progress(cli, 'opened browser login')
+  progress(cli, `waiting for browser login code ${start.userCode || start.user_code || 'ZERCT'}`)
+
+  const session = await pollLogin(cli, start)
+  if (!session.token) {
+    throw agentError('login_failed', 'Zerct login did not return a session token.', 'Run `npx @zerct/zerct login` again and complete the browser login.', cli.json)
+  }
+
+  writeSessionToken(session.token)
+  progress(cli, `logged in as ${session.email || 'Zerct user'}`)
+  return session.token
+}
+
+async function pollLogin(cli, start) {
+  const deviceCode = start.deviceCode || start.device_code
+  if (!deviceCode) {
+    throw agentError('login_failed', 'Zerct login did not return a device code.', 'Retry `npx @zerct/zerct login`. If it keeps failing, check Zerct status.', cli.json)
+  }
+
+  const expiresMs = Number(start.expiresInSeconds || start.expires_in_seconds || DEFAULT_LOGIN_EXPIRES_SECONDS) * 1000
+  const deadline = Date.now() + expiresMs
+  let intervalMs = Number(start.intervalSeconds || start.interval_seconds || DEFAULT_LOGIN_INTERVAL_SECONDS) * 1000
+
+  while (Date.now() < deadline) {
+    await sleep(intervalMs)
+    const response = await apiRequest(cli, 'GET', `/v1/login/device/${encodeURIComponent(deviceCode)}`, null, null)
+    if (response.status === 'complete') {
+      return response
+    }
+    if (response.status === 'expired') {
+      throw agentError('login_expired', 'Zerct login expired before it completed.', 'Run `npx @zerct/zerct login` again and finish the browser login in the newly opened tab.', cli.json)
+    }
+    intervalMs = Math.max(
+      DEFAULT_LOGIN_INTERVAL_SECONDS * 1000,
+      Number(response.intervalSeconds || response.interval_seconds || DEFAULT_LOGIN_INTERVAL_SECONDS) * 1000
+    )
+  }
+
+  throw agentError('login_expired', 'Zerct login expired before it completed.', 'Run `npx @zerct/zerct login` again and finish the browser login in the newly opened tab.', cli.json)
+}
+
 function requireApp(cli) {
   if (!cli.app) {
     throw agentError('missing_app', 'App id is required.', 'Pass `--app <app_id>`. Use the app id printed by `npx @zerct/zerct deploy`.', cli.json)
@@ -446,6 +647,7 @@ function createArchiveBase64(projectDir) {
   const excludeArgs = ARCHIVE_EXCLUDES.map((pattern) => `--exclude=${pattern}`)
   const tar = spawnSync('tar', [...excludeArgs, '-czf', '-', '-C', projectDir, '.'], {
     encoding: 'buffer',
+    env: { ...process.env, COPYFILE_DISABLE: '1' },
     maxBuffer: ARCHIVE_LIMIT_BYTES + 1024 * 1024
   })
 
@@ -471,7 +673,7 @@ function gitCommitSha(projectDir) {
   return git.status === 0 ? git.stdout.trim() || null : null
 }
 
-function readToken(projectDir, cli) {
+function readStoredToken(projectDir, cli) {
   if (cli.token) {
     return cli.token
   }
@@ -479,26 +681,123 @@ function readToken(projectDir, cli) {
     return process.env.ZERCT_TOKEN
   }
 
+  const keychainToken = readKeychainToken()
+  if (keychainToken) {
+    return keychainToken
+  }
+
+  const userToken = readTokenFile(userSessionPath())
+  if (userToken) {
+    return userToken
+  }
+
   const projectToken = path.join(projectDir, SESSION_DIR, SESSION_FILE)
-  if (existsSync(projectToken)) {
-    return readFileSync(projectToken, 'utf8').trim()
+  const legacyProjectToken = readTokenFile(projectToken)
+  if (legacyProjectToken) {
+    return legacyProjectToken
   }
 
   const homeToken = path.join(homedir(), SESSION_DIR, SESSION_FILE)
-  if (existsSync(homeToken)) {
-    return readFileSync(homeToken, 'utf8').trim()
+  return readTokenFile(homeToken)
+}
+
+function writeSessionToken(token) {
+  const cleanToken = token.trim()
+  if (!cleanToken) {
+    throw agentError('login_failed', 'Zerct session token is empty.', 'Run `npx @zerct/zerct login` again and complete the browser login.', false)
+  }
+  if (writeKeychainToken(cleanToken)) {
+    return
   }
 
-  throw agentError('login_required', 'Zerct login is required.', 'Run `npx @zerct/zerct login`, set `ZERCT_TOKEN`, or run `npx @zerct/zerct login --token <token>`, then retry.', cli.json)
+  writeTokenFile(userSessionPath(), cleanToken)
+}
+
+function readTokenFile(filePath) {
+  if (!existsSync(filePath)) {
+    return ''
+  }
+  return readFileSync(filePath, 'utf8').trim()
 }
 
-function writeSessionToken(projectDir, token) {
-  const dir = path.join(projectDir, SESSION_DIR)
+function writeTokenFile(filePath, token) {
+  const dir = path.dirname(filePath)
   mkdirSync(dir, { recursive: true, mode: 0o700 })
-  writeFileSync(path.join(dir, SESSION_FILE), `${token.trim()}\n`, { mode: 0o600 })
+  writeFileSync(filePath, `${token}\n`, { mode: 0o600 })
+}
+
+function userSessionPath() {
+  if (process.platform === 'win32' && process.env.APPDATA) {
+    return path.join(process.env.APPDATA, 'Zerct', SESSION_FILE)
+  }
+  const configHome = process.env.XDG_CONFIG_HOME || path.join(homedir(), '.config')
+  return path.join(configHome, 'zerct', SESSION_FILE)
+}
+
+function readKeychainToken() {
+  if (process.platform === 'darwin') {
+    const result = spawnSync('security', ['find-generic-password', '-s', SESSION_SERVICE, '-a', SESSION_ACCOUNT, '-w'], {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore']
+    })
+    return result.status === 0 ? result.stdout.trim() : ''
+  }
+
+  if (process.platform === 'linux' && hasCommand('secret-tool')) {
+    const result = spawnSync('secret-tool', ['lookup', 'service', SESSION_SERVICE, 'account', SESSION_ACCOUNT], {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore']
+    })
+    return result.status === 0 ? result.stdout.trim() : ''
+  }
+
+  return ''
+}
+
+function writeKeychainToken(token) {
+  if (process.platform === 'darwin') {
+    const result = spawnSync('security', [
+      'add-generic-password',
+      '-U',
+      '-s',
+      SESSION_SERVICE,
+      '-a',
+      SESSION_ACCOUNT,
+      '-l',
+      SESSION_LABEL,
+      '-w',
+      token
+    ], { stdio: 'ignore' })
+    return result.status === 0
+  }
+
+  if (process.platform === 'linux' && hasCommand('secret-tool')) {
+    const result = spawnSync('secret-tool', [
+      'store',
+      '--label',
+      SESSION_LABEL,
+      'service',
+      SESSION_SERVICE,
+      'account',
+      SESSION_ACCOUNT
+    ], {
+      input: token,
+      stdio: ['pipe', 'ignore', 'ignore']
+    })
+    return result.status === 0
+  }
+
+  return false
+}
+
+function hasCommand(command) {
+  return (process.env.PATH || '')
+    .split(path.delimiter)
+    .filter(Boolean)
+    .some((directory) => existsSync(path.join(directory, command)))
 }
 
-function parseZerctToml(source) {
+function parseZerctToml(source, projectDir) {
   const config = {
     build: {},
     run: {},
@@ -530,7 +829,12 @@ function parseZerctToml(source) {
     section[assignment[1]] = parseTomlValue(assignment[2])
   }
 
-  config.build.command ||= 'cargo build --release'
+  config.kind ||= 'rust_backend'
+  config.build.check ||= config.kind === 'static_frontend' ? frontendCheckCommand(projectDir) : DEFAULT_RUST_CHECK_COMMAND
+  config.build.command ||= config.kind === 'static_frontend' ? frontendBuildCommand(projectDir) : 'cargo build --release'
+  if (config.kind === 'static_frontend') {
+    config.build.output ||= 'dist'
+  }
   config.run.port ||= 3000
   config.run.health ||= '/healthz'
   config.resources.memory ||= '512mb'
@@ -560,6 +864,22 @@ function validateConfig(config) {
   if (!/^[a-z0-9](?:[a-z0-9-]{0,46}[a-z0-9])?$/u.test(config.name || '')) {
     throw new Error('name must be lowercase DNS-safe text up to 48 characters')
   }
+  if (!['rust_backend', 'static_frontend'].includes(config.kind)) {
+    throw new Error('kind must be rust_backend or static_frontend')
+  }
+  if (typeof config.build.command !== 'string' || !config.build.command.trim()) {
+    throw new Error('[build].command is required')
+  }
+  if (typeof config.build.check !== 'string' || !config.build.check.trim()) {
+    throw new Error('[build].check is required')
+  }
+  validateCheckCommand(config.kind, config.build.check)
+  if (config.kind === 'static_frontend') {
+    if (typeof config.build.output !== 'string' || !isSafeRelativePath(config.build.output)) {
+      throw new Error('[build].output must be a safe relative directory like dist')
+    }
+    return
+  }
   if (!config.run.command || typeof config.run.command !== 'string') {
     throw new Error('[run].command is required')
   }
@@ -577,23 +897,245 @@ function validateConfig(config) {
   }
 }
 
+function validateCheckCommand(kind, command) {
+  if (kind === 'static_frontend' && usesJavascriptLinter(command)) {
+    throw new Error('[build].check must not run JavaScript-based linters; use oxlint, biome, or deno lint')
+  }
+  const required = kind === 'static_frontend'
+    ? ['typecheck', 'lint']
+    : ['cargo check --locked', 'cargo clippy --locked', '--all-targets', '--all-features', '-D warnings']
+  if (required.every((fragment) => command.includes(fragment))) {
+    return
+  }
+  throw new Error(kind === 'static_frontend'
+    ? '[build].check must run frontend typecheck and lint'
+    : '[build].check must include cargo check --locked and cargo clippy --locked --all-targets --all-features -- -D warnings')
+}
+
+function frontendLockfileExists(projectDir) {
+  return ['package-lock.json', 'npm-shrinkwrap.json', 'pnpm-lock.yaml', 'yarn.lock', 'bun.lock', 'bun.lockb']
+    .some((file) => existsSync(path.join(projectDir, file)))
+}
+
+function frontendPackageManager(projectDir) {
+  return existsSync(path.join(projectDir, 'bun.lock')) || existsSync(path.join(projectDir, 'bun.lockb'))
+    ? 'bun'
+    : 'npm'
+}
+
+function frontendCheckCommand(projectDir) {
+  return frontendPackageManager(projectDir) === 'bun'
+    ? DEFAULT_BUN_FRONTEND_CHECK_COMMAND
+    : DEFAULT_NPM_FRONTEND_CHECK_COMMAND
+}
+
+function frontendBuildCommand(projectDir) {
+  return frontendPackageManager(projectDir) === 'bun'
+    ? 'bun run build'
+    : 'npm run build'
+}
+
+function frontendScriptChecks(projectDir) {
+  const manifest = readPackageJson(projectDir)
+  const missing = (script) => !manifest?.scripts || typeof manifest.scripts[script] !== 'string' || !manifest.scripts[script].trim()
+  const checks = ['typecheck', 'lint'].map((script) => ({
+    name: `package script ${script}`,
+    ok: !missing(script),
+    message: missing(script) ? 'missing' : 'found',
+    agent_instruction: `Add a non-empty "${script}" script to package.json, then retry.`
+  }))
+  const lintScript = manifest?.scripts?.lint || ''
+  const nativeLint = !lintScript || !usesJavascriptLinter(lintScript)
+  checks.push({
+    name: 'native frontend lint',
+    ok: nativeLint,
+    message: nativeLint ? 'accepted' : 'JavaScript linter found',
+    agent_instruction: 'Replace the lint script with native tooling such as `oxlint src vite.config.ts --deny-warnings`, `biome check .`, or `deno lint`, then retry.'
+  })
+
+  if (checks.every((check) => check.ok)) {
+    checks.push(packageScriptCheck(projectDir, 'typecheck'))
+    checks.push(packageScriptCheck(projectDir, 'lint'))
+  }
+
+  return checks
+}
+
+function frontendSourceChecks(projectDir) {
+  const report = frontendSourceReport(projectDir)
+  return [
+    {
+      name: 'typescript source',
+      ok: report.typescript.length > 0,
+      message: report.typescript.length > 0 ? report.typescript.slice(0, 3).join(', ') : 'missing',
+      agent_instruction: 'Add browser source as .ts or .tsx under src, app, pages, routes, or components, then retry.'
+    },
+    {
+      name: 'javascript source',
+      ok: report.javascript.length === 0,
+      message: report.javascript.length === 0 ? 'none found' : report.javascript.slice(0, 5).join(', '),
+      agent_instruction: 'Rename browser .js, .jsx, .mjs, or .cjs source files to .ts or .tsx and fix type errors before deploying.'
+    }
+  ]
+}
+
+function frontendSourceReport(projectDir) {
+  const report = { typescript: [], javascript: [] }
+  walkProjectFiles(projectDir, (file, relative) => {
+    if (!isFrontendSourcePath(relative)) {
+      return
+    }
+    if (isFrontendTypescriptSource(relative)) {
+      report.typescript.push(relative)
+    } else if (isFrontendJavascriptSource(relative)) {
+      report.javascript.push(relative)
+    }
+  })
+  return report
+}
+
+function isFrontendSourcePath(relative) {
+  const [root] = relative.split('/')
+  return ['src', 'app', 'pages', 'routes', 'components'].includes(root)
+}
+
+function isFrontendTypescriptSource(relative) {
+  return !relative.endsWith('.d.ts') && (relative.endsWith('.ts') || relative.endsWith('.tsx'))
+}
+
+function isFrontendJavascriptSource(relative) {
+  return ['.js', '.jsx', '.mjs', '.cjs'].some((extension) => relative.endsWith(extension))
+}
+
+function readPackageJson(projectDir) {
+  try {
+    return JSON.parse(readFileSync(path.join(projectDir, 'package.json'), 'utf8'))
+  } catch (_error) {
+    return null
+  }
+}
+
+function usesJavascriptLinter(command) {
+  const tokens = command
+    .replace(/[&|;()]/gu, ' ')
+    .split(/\s+/u)
+    .map((token) => token.trim().replace(/^["']|["']$/gu, ''))
+    .filter(Boolean)
+  return tokens.some((token, index) => {
+    const commandName = token.split('/').pop()
+    return ['eslint', 'eslint_d', 'standard', 'xo'].includes(commandName)
+      || (commandName === 'next' && tokens[index + 1] === 'lint')
+  })
+}
+
+function packageScriptCheck(projectDir, script) {
+  const manager = frontendPackageManager(projectDir)
+  const args = manager === 'bun' ? ['run', script] : ['run', '--silent', script]
+  const result = spawnSync(manager, args, {
+    cwd: projectDir,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'pipe']
+  })
+  if (result.error) {
+    return {
+      name: `${manager} run ${script}`,
+      ok: false,
+      message: result.error.message,
+      agent_instruction: `Install ${manager === 'bun' ? 'Bun' : 'Node.js and npm'}, then run \`${manager} run ${script}\` before deploying.`
+    }
+  }
+
+  return {
+    name: `${manager} run ${script}`,
+    ok: result.status === 0,
+    message: result.status === 0 ? 'passed' : (result.stderr || result.stdout || `${manager} run ${script} failed`).trim().slice(0, 240),
+    agent_instruction: `Run \`${manager} run ${script}\`, fix every error, then redeploy.`
+  }
+}
+
+function discoverDeployProjects(rootDir) {
+  ensureDirectory(rootDir)
+  if (existsSync(path.join(rootDir, 'zerct.toml'))) {
+    return [deployProjectInfo(rootDir, rootDir)]
+  }
+
+  const projectDirs = []
+  discoverProjectDirs(rootDir, projectDirs)
+  return projectDirs
+    .map((dir) => deployProjectInfo(dir, rootDir))
+    .sort(compareDeployProjects)
+}
+
+function discoverProjectDirs(dir, projectDirs) {
+  for (const entry of readdirSync(dir, { withFileTypes: true })) {
+    if (!entry.isDirectory() || WORKSPACE_EXCLUDED_DIRS.has(entry.name)) {
+      continue
+    }
+
+    const child = path.join(dir, entry.name)
+    if (existsSync(path.join(child, 'zerct.toml'))) {
+      projectDirs.push(child)
+      continue
+    }
+    discoverProjectDirs(child, projectDirs)
+  }
+}
+
+function deployProjectInfo(dir, rootDir) {
+  const relative = path.relative(rootDir, dir).replace(/\\/gu, '/') || '.'
+  try {
+    const config = parseZerctToml(readFileSync(path.join(dir, 'zerct.toml'), 'utf8'), dir)
+    return { dir, relative, kind: config.kind }
+  } catch (_error) {
+    return { dir, relative, kind: 'unknown' }
+  }
+}
+
+function compareDeployProjects(left, right) {
+  return kindOrder(left.kind) - kindOrder(right.kind)
+    || left.relative.localeCompare(right.relative)
+}
+
+function kindOrder(kind) {
+  if (kind === 'rust_backend') {
+    return 0
+  }
+  if (kind === 'static_frontend') {
+    return 1
+  }
+  return 2
+}
+
+function isSafeRelativePath(value) {
+  return value
+    && !path.isAbsolute(value)
+    && !value.includes('\\')
+    && value.split('/').every((part) => part && part !== '.' && part !== '..')
+}
+
 function scanUnsafe(projectDir) {
   const hits = []
-  walk(projectDir, (file) => {
+  walkProjectFiles(projectDir, (file, relative) => {
     if (!file.endsWith('.rs')) {
       return
     }
     const source = readFileSync(file, 'utf8')
     if (/\bunsafe\b/u.test(source)) {
-      hits.push(path.relative(projectDir, file))
+      hits.push(relative)
     }
   })
   return hits
 }
 
+function walkProjectFiles(projectDir, visit) {
+  walk(projectDir, (file) => {
+    visit(file, path.relative(projectDir, file).replace(/\\/gu, '/'))
+  })
+}
+
 function walk(dir, visit) {
   for (const entry of readdirSync(dir, { withFileTypes: true })) {
-    if (['.git', 'target', 'node_modules', '.zerct'].includes(entry.name)) {
+    if (WALK_EXCLUDED_DIRS.has(entry.name)) {
       continue
     }
     const fullPath = path.join(dir, entry.name)
@@ -626,6 +1168,20 @@ function openUrl(url) {
   spawnSync(command, args, { stdio: 'ignore', detached: true })
 }
 
+function sleep(milliseconds) {
+  return new Promise((resolve) => {
+    setTimeout(resolve, milliseconds)
+  })
+}
+
+function progress(cli, message) {
+  if (cli.json) {
+    console.error(message)
+    return
+  }
+  console.log(message)
+}
+
 function trimTrailingSlash(value) {
   return value.replace(/\/+$/u, '')
 }
@@ -666,3 +1222,14 @@ class ZerctError extends Error {
     this.exitCode = exitCode
   }
 }
+
+main().catch((error) => {
+  if (error instanceof ZerctError) {
+    printAgentError(error.payload, error.json)
+    process.exitCode = error.exitCode
+    return
+  }
+
+  console.error(`zerct failed: ${error.message}`)
+  process.exitCode = 1
+})

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@zerct/zerct",
-  "version": "0.1.2",
-  "description": "Deploy Rust backends to Zerct.",
+  "version": "0.1.4",
+  "description": "Deploy Rust backends and static frontends to Zerct.",
   "type": "module",
   "bin": {
     "zerct": "bin/zerct.js"
@@ -10,6 +10,9 @@
     "bin",
     "README.md"
   ],
+  "publishConfig": {
+    "access": "public"
+  },
   "engines": {
     "node": ">=18.17"
   },
@@ -33,8 +36,5 @@
   "scripts": {
     "check": "node --check bin/zerct.js",
     "pack:dry": "npm pack --dry-run"
-  },
-  "publishConfig": {
-    "access": "public"
   }
 }