ante-erp-cli 1.11.44 → 1.11.45

package/bin/ante-cli.js

@@ -76,6 +76,7 @@ program
   .option('--skip-backup', 'Skip automatic backup before update')
   .option('--skip-cleanup', 'Skip Docker cleanup after update')
   .option('--force', 'Force update without confirmation')
+  .option('--rebuild', 'Force rebuild: remove containers and app volumes, recreate from fresh images (preserves databases)')
   .action(update);
 
 program

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ante-erp-cli",
-  "version": "1.11.44",
+  "version": "1.11.45",
   "description": "Comprehensive CLI tool for managing ANTE ERP self-hosted installations",
   "type": "module",
   "bin": {

package/src/commands/update.js

@@ -4,7 +4,7 @@ import { join } from 'path';
 import { readFileSync, writeFileSync, renameSync } from 'fs';
 import semver from 'semver';
 import { getInstallDir } from '../utils/config.js';
-import { pullImagesSilent, stopServicesSilent, startServicesSilent, waitForServiceHealthy, runMigrations, pruneDockerSilent } from '../utils/docker.js';
+import { pullImagesSilent, stopServicesSilent, startServicesSilent, waitForServiceHealthy, runMigrations, pruneDockerSilent, downServicesSilent, forceRecreateServicesSilent, removeVolumesSilent, listVolumes } from '../utils/docker.js';
 import { backup } from './backup.js';
 import { getCurrentVersion, getLatestVersion } from './update-cli.js';
 import { generateDockerCompose } from '../templates/docker-compose.yml.js';
@@ -363,8 +363,30 @@ function formatStepTitle(step, total, description) {
   return `[${step}/${total}] ${description}`;
 }
 
+/**
+ * Database volumes that should be preserved during rebuild
+ * These contain critical data and should never be deleted
+ */
+const PROTECTED_VOLUMES = [
+  'postgres_data',
+  'mongodb_data',
+  'redis_data'
+];
+
+/**
+ * Application volumes that can be safely removed during rebuild
+ * These are recreated from fresh images
+ */
+const REBUILD_VOLUMES = [
+  'backend_uploads'
+];
+
 /**
  * Update ANTE to latest version
+ * @param {Object} options - Update options
+ * @param {boolean} options.rebuild - Force rebuild: remove app containers and volumes, recreate from fresh images
+ * @param {boolean} options.skipBackup - Skip backup before update
+ * @param {boolean} options.skipCleanup - Skip Docker cleanup after update
  */
 export async function update(options) {
   try {
@@ -372,8 +394,22 @@ export async function update(options) {
     const composeFile = join(installDir, 'docker-compose.yml');
     const envFile = join(installDir, '.env');
 
+    // Get the project name from docker-compose (usually directory name)
+    const projectName = 'ante-erp';
+
     console.log(chalk.bold('\n🔄 ANTE ERP Update\n'));
 
+    // Show rebuild warning if flag is set
+    if (options.rebuild) {
+      console.log(chalk.yellow('⚠️  REBUILD MODE ENABLED'));
+      console.log(chalk.gray('This will:'));
+      console.log(chalk.gray('  • Stop and remove all containers'));
+      console.log(chalk.gray('  • Remove application volumes (uploads, cache)'));
+      console.log(chalk.gray('  • Preserve database volumes (PostgreSQL, MongoDB, Redis)'));
+      console.log(chalk.gray('  • Pull fresh images and recreate containers'));
+      console.log('');
+    }
+
     // Check CLI version first
     try {
       const currentVersion = getCurrentVersion();
@@ -408,6 +444,7 @@ export async function update(options) {
     let totalSteps = 6; // Base steps: check services, pull, stop, start, backend health, migrations
     if (!options.skipBackup) totalSteps += 2; // Pre-start + backup steps
     if (hasNewServices) totalSteps++; // Install new services step
+    if (options.rebuild) totalSteps += 2; // Rebuild steps: down containers + remove volumes
     if (hasGateApp || missingServices.gateApp) totalSteps++; // Gate App health check
     if (hasGuardianApp || missingServices.guardianApp) totalSteps++; // Guardian App health check
     if (hasFacialWeb || missingServices.facialWeb) totalSteps++; // Facial Web health check
@@ -431,7 +468,9 @@ export async function update(options) {
     const stepCheckServices = ++currentStep;
     const stepInstallServices = hasNewServices ? ++currentStep : null;
     const stepPull = ++currentStep;
-    const stepStop = ++currentStep;
+    const stepRebuildDown = options.rebuild ? ++currentStep : null;
+    const stepRebuildVolumes = options.rebuild ? ++currentStep : null;
+    const stepStop = !options.rebuild ? ++currentStep : null; // Skip if rebuild (already downed)
     const stepStart = ++currentStep;
     const stepBackendHealth = ++currentStep;
     const stepGateHealth = (hasGateApp || missingServices.gateApp) ? ++currentStep : null;
@@ -516,15 +555,52 @@ export async function update(options) {
         }
       },
       {
-        title: formatStepTitle(stepStop, totalSteps, 'Stopping services'),
+        title: stepRebuildDown ? formatStepTitle(stepRebuildDown, totalSteps, 'Removing containers (rebuild mode)') : '',
+        skip: () => !stepRebuildDown ? 'Not in rebuild mode' : false,
+        task: async () => {
+          // Down all containers (but not volumes - we handle those separately)
+          await downServicesSilent(composeFile, false);
+        }
+      },
+      {
+        title: stepRebuildVolumes ? formatStepTitle(stepRebuildVolumes, totalSteps, 'Removing application volumes (preserving databases)') : '',
+        skip: () => !stepRebuildVolumes ? 'Not in rebuild mode' : false,
+        task: async (ctx, task) => {
+          // Get all volumes for this project
+          const allVolumes = await listVolumes(projectName);
+
+          // Filter to only remove non-protected volumes
+          const volumesToRemove = allVolumes.filter(vol => {
+            const volumeSuffix = vol.replace(`${projectName}_`, '');
+            // Remove if it's in REBUILD_VOLUMES list OR not in PROTECTED_VOLUMES list
+            return REBUILD_VOLUMES.includes(volumeSuffix) ||
+                   (!PROTECTED_VOLUMES.includes(volumeSuffix) && !vol.includes('postgres') && !vol.includes('mongodb') && !vol.includes('redis'));
+          });
+
+          if (volumesToRemove.length > 0) {
+            const result = await removeVolumesSilent(volumesToRemove);
+            task.title = formatStepTitle(stepRebuildVolumes, totalSteps, `Removed ${result.removed.length} application volumes (databases preserved)`);
+          } else {
+            task.title = formatStepTitle(stepRebuildVolumes, totalSteps, 'No application volumes to remove (databases preserved)');
+          }
+        }
+      },
+      {
+        title: stepStop ? formatStepTitle(stepStop, totalSteps, 'Stopping services') : '',
+        skip: () => !stepStop ? 'Skipped (rebuild mode)' : false,
         task: async () => {
           await stopServicesSilent(composeFile);
         }
       },
       {
-        title: formatStepTitle(stepStart, totalSteps, 'Starting with new images'),
+        title: formatStepTitle(stepStart, totalSteps, options.rebuild ? 'Starting with fresh containers' : 'Starting with new images'),
         task: async () => {
-          await startServicesSilent(composeFile);
+          if (options.rebuild) {
+            // Force recreate all containers
+            await forceRecreateServicesSilent(composeFile);
+          } else {
+            await startServicesSilent(composeFile);
+          }
         }
       },
       {

package/src/templates/docker-compose.yml.js

@@ -211,6 +211,13 @@ ${installGate ? `
       - "${gateAppPort}:3000"
     networks:
       - ante-network
+    # Security hardening
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp:noexec,nosuid,size=100m
+      - /app/.next/cache:noexec,nosuid,size=200m
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3000"]
       interval: 30s
@@ -239,6 +246,13 @@ ${installGate ? `
       - "${guardianAppPort}:9003"
     networks:
       - ante-network
+    # Security hardening
+    security_opt:
+      - no-new-privileges:true
+    read_only: true
+    tmpfs:
+      - /tmp:noexec,nosuid,size=100m
+      - /app/.next/cache:noexec,nosuid,size=200m
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:9003"]
       interval: 30s

package/src/utils/docker.js

@@ -338,6 +338,81 @@ export async function pruneDockerSilent() {
   });
 }
 
+/**
+ * Down all services (silent version - no output)
+ * @param {string} composeFile - Path to docker-compose.yml
+ * @param {boolean} removeVolumes - Remove volumes
+ * @returns {Promise<void>}
+ */
+export async function downServicesSilent(composeFile, removeVolumes = false) {
+  const args = ['compose', '-f', composeFile, 'down'];
+
+  if (removeVolumes) {
+    args.push('-v');
+  }
+
+  await execa('docker', args, {
+    stdout: 'pipe',
+    stderr: 'pipe'
+  });
+}
+
+/**
+ * Start services with force recreate (silent version - no output)
+ * @param {string} composeFile - Path to docker-compose.yml
+ * @returns {Promise<void>}
+ */
+export async function forceRecreateServicesSilent(composeFile) {
+  await execa('docker', ['compose', '-f', composeFile, 'up', '-d', '--force-recreate'], {
+    stdout: 'pipe',
+    stderr: 'pipe'
+  });
+}
+
+/**
+ * Remove specific Docker volumes (silent version - no output)
+ * @param {string[]} volumeNames - Array of volume names to remove
+ * @returns {Promise<{success: boolean, removed: string[], failed: string[]}>}
+ */
+export async function removeVolumesSilent(volumeNames) {
+  const removed = [];
+  const failed = [];
+
+  for (const volumeName of volumeNames) {
+    try {
+      await execa('docker', ['volume', 'rm', '-f', volumeName], {
+        stdout: 'pipe',
+        stderr: 'pipe'
+      });
+      removed.push(volumeName);
+    } catch (error) {
+      // Volume might not exist, which is fine
+      failed.push(volumeName);
+    }
+  }
+
+  return { success: true, removed, failed };
+}
+
+/**
+ * List Docker volumes matching a prefix
+ * @param {string} prefix - Volume name prefix to match
+ * @returns {Promise<string[]>}
+ */
+export async function listVolumes(prefix) {
+  try {
+    const { stdout } = await execa('docker', ['volume', 'ls', '--format', '{{.Name}}'], {
+      stdout: 'pipe',
+      stderr: 'pipe'
+    });
+
+    const volumes = stdout.trim().split('\n').filter(v => v.startsWith(prefix));
+    return volumes;
+  } catch (error) {
+    return [];
+  }
+}
+
 /**
  * Run Prisma migrations in backend container
  * @param {string} composeFile - Path to docker-compose.yml