bs9 1.0.0

package/src/commands/start.ts

@@ -0,0 +1,207 @@
+#!/usr/bin/env bun
+
+import { existsSync, readFileSync, statSync } from "node:fs";
+import { join, basename, resolve, dirname } from "node:path";
+import { execSync } from "node:child_process";
+import { randomUUID } from "node:crypto";
+import { writeFileSync, mkdirSync } from "node:fs";
+import { homedir } from "node:os";
+
+interface StartOptions {
+  name?: string;
+  port?: string;
+  env?: string[];
+  otel?: boolean;
+  prometheus?: boolean;
+  build?: boolean;
+}
+
+export async function startCommand(file: string, options: StartOptions): Promise<void> {
+  const fullPath = resolve(file);
+  if (!existsSync(fullPath)) {
+    console.error(`❌ File not found: ${fullPath}`);
+    process.exit(1);
+  }
+
+  const serviceName = options.name || basename(fullPath, fullPath.endsWith('.ts') ? '.ts' : '.js').replace(/[^a-zA-Z0-9-_]/g, "_");
+  const port = options.port || "3000";
+
+  // Port warning for privileged ports
+  const portNum = Number(port);
+  if (portNum < 1024) {
+    console.warn(`⚠️  Port ${port} is privileged (< 1024).`);
+    console.warn("   Options:");
+    console.warn("   - Use port >= 1024 (recommended)");
+    console.warn("   - Run with sudo (not recommended for user services)");
+    console.warn("   - Use port forwarding: `sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000`");
+  }
+
+  // Handle TypeScript files and build option
+  let execPath = fullPath;
+  let isBuilt = false;
+
+  if (fullPath.endsWith('.ts')) {
+    if (options.build) {
+      // AOT: Build TypeScript to single executable
+      console.log("🔨 Building TypeScript for production...");
+      const buildDir = join(dirname(fullPath), ".bs9-build");
+      mkdirSync(buildDir, { recursive: true });
+      
+      const outputFile = join(buildDir, `${serviceName}.js`);
+      try {
+        execSync(`bun build ${fullPath} --outdir ${buildDir} --target bun --minify --splitting`, { stdio: "inherit" });
+        execPath = outputFile;
+        isBuilt = true;
+        console.log(`✅ Built to: ${execPath}`);
+      } catch (err) {
+        console.error(`❌ Build failed: ${err}`);
+        process.exit(1);
+      }
+    } else {
+      // JIT: Run TypeScript directly (default)
+      console.log("⚡ Running TypeScript in JIT mode");
+    }
+  }
+
+  // Phase 2: Pre-start Security Audit
+  const auditResult = await securityAudit(execPath);
+  if (auditResult.critical.length > 0) {
+    console.error("🚨 Critical security issues found:");
+    auditResult.critical.forEach(issue => console.error(`  - ${issue}`));
+    console.error("\nRefusing to start. Fix issues or use --force to override.");
+    process.exit(1);
+  }
+
+  if (auditResult.warning.length > 0) {
+    console.warn("⚠️  Security warnings:");
+    auditResult.warning.forEach(issue => console.warn(`  - ${issue}`));
+  }
+
+  // Phase 1: Generate hardened systemd unit
+  const unitContent = generateSystemdUnit({
+    serviceName,
+    fullPath: execPath,
+    port,
+    env: options.env || [],
+    otel: options.otel ?? true,
+    prometheus: options.prometheus ?? true,
+  });
+
+  const unitPath = join(homedir(), ".config/systemd/user", `${serviceName}.service`);
+  
+  // Create user systemd directory if it doesn't exist
+  const userSystemdDir = join(homedir(), ".config/systemd/user");
+  if (!existsSync(userSystemdDir)) {
+    mkdirSync(userSystemdDir, { recursive: true });
+    console.log(`📁 Created user systemd directory: ${userSystemdDir}`);
+  }
+  
+  try {
+    writeFileSync(unitPath, unitContent, { encoding: "utf-8" });
+    console.log(`✅ Systemd user unit written to: ${unitPath}`);
+  } catch (err) {
+    console.error(`❌ Failed to write systemd user unit: ${err}`);
+    process.exit(1);
+  }
+
+  // Reload and start using user systemd
+  try {
+    execSync("systemctl --user daemon-reload", { stdio: "inherit" });
+    execSync(`systemctl --user enable ${serviceName}`, { stdio: "inherit" });
+    execSync(`systemctl --user start ${serviceName}`, { stdio: "inherit" });
+    console.log(`🚀 Service '${serviceName}' started successfully`);
+    console.log(`   Health: http://localhost:${port}/healthz`);
+    console.log(`   Metrics: http://localhost:${port}/metrics`);
+  } catch (err) {
+    console.error(`❌ Failed to start user service: ${err}`);
+    process.exit(1);
+  }
+}
+
+interface SecurityAuditResult {
+  critical: string[];
+  warning: string[];
+}
+
+async function securityAudit(filePath: string): Promise<SecurityAuditResult> {
+  const result: SecurityAuditResult = { critical: [], warning: [] };
+  const content = readFileSync(filePath, "utf-8");
+  const stat = statSync(filePath);
+
+  // Check file permissions
+  if (stat.mode & 0o002) {
+    result.critical.push("File is world-writable");
+  }
+
+  // Check for dangerous patterns
+  const dangerousPatterns = [
+    { pattern: /eval\s*\(/, msg: "Use of eval() detected" },
+    { pattern: /Function\s*\(/, msg: "Dynamic function construction detected" },
+    { pattern: /child_process\.exec\s*\(/, msg: "Unsafe child_process.exec() detected" },
+    { pattern: /require\s*\(\s*["']fs["']\s*\)/, msg: "Direct fs module usage (potential file system access)" },
+    { pattern: /process\.env\.\w+\s*\+\s*["']/, msg: "Potential command injection via env concatenation" },
+  ];
+
+  for (const { pattern, msg } of dangerousPatterns) {
+    if (pattern.test(content)) {
+      result.critical.push(msg);
+    }
+  }
+
+  // Check for network access patterns
+  if (content.includes("fetch(") || content.includes("http.request")) {
+    result.warning.push("Network access detected - ensure outbound rules are in place");
+  }
+
+  // Check for file system writes
+  if (content.includes("writeFileSync") || content.includes("createWriteStream")) {
+    result.warning.push("File system write access detected - ensure proper sandboxing");
+  }
+
+  return result;
+}
+
+interface SystemdUnitOptions {
+  serviceName: string;
+  fullPath: string;
+  port: string;
+  env: string[];
+  otel: boolean;
+  prometheus: boolean;
+}
+
+function generateSystemdUnit(opts: SystemdUnitOptions): string {
+  const envVars = [
+    `PORT=${opts.port}`,
+    `NODE_ENV=production`,
+    `SERVICE_NAME=${opts.serviceName}`,
+    ...opts.env,
+  ];
+
+  if (opts.otel) {
+    envVars.push("OTEL_SERVICE_NAME=" + opts.serviceName);
+    envVars.push("OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://localhost:4318/v1/traces");
+  }
+
+  const envSection = envVars.map(e => `Environment=${e}`).join("\n");
+  const workingDir = dirname(opts.fullPath);
+
+  const bunPath = execSync("which bun", { encoding: "utf-8" }).trim();
+  return `[Unit]
+Description=BS9 Service: ${opts.serviceName}
+After=network.target
+
+[Service]
+Type=simple
+Restart=on-failure
+RestartSec=2s
+TimeoutStartSec=30s
+TimeoutStopSec=30s
+WorkingDirectory=${workingDir}
+ExecStart=${bunPath} run ${opts.fullPath}
+${envSection}
+
+[Install]
+WantedBy=default.target
+`;
+}

package/src/commands/status.ts

@@ -0,0 +1,162 @@
+#!/usr/bin/env bun
+
+import { execSync } from "node:child_process";
+import { readFileSync } from "node:fs";
+
+interface StatusOptions {
+  watch?: boolean;
+}
+
+interface ServiceStatus {
+  name: string;
+  loaded: string;
+  active: string;
+  sub: string;
+  description: string;
+  cpu?: string;
+  memory?: string;
+  uptime?: string;
+  tasks?: string;
+}
+
+export async function statusCommand(options: StatusOptions): Promise<void> {
+  const doStatus = () => {
+    try {
+      // Get all bsn-managed user services
+      const listOutput = execSync("systemctl --user list-units --type=service --no-pager --no-legend", { encoding: "utf-8" });
+      const lines = listOutput.split("\n").filter(line => line.includes(".service"));
+      
+      // Debug: show all lines
+      // console.error("All service lines:", lines);
+      
+      const services: ServiceStatus[] = [];
+      
+      for (const line of lines) {
+        // Skip empty lines
+        if (!line.trim()) continue;
+        
+        // Try to match the line format - handle both ● and regular spaces
+        const match = line.match(/^(?:\s*([●\s○]))?\s*([^\s]+)\.service\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+(.+)$/);
+        if (!match) {
+          continue;
+        }
+        
+        const [, statusIndicator, name, loaded, active, sub, description] = match;
+        
+        // Only include services that look like BSN-managed (check for "Bun Service:" pattern)
+        if (!description.includes("Bun Service:") && !description.includes("BS9 Service:")) {
+          continue;
+        }
+        
+        const status: ServiceStatus = {
+          name,
+          loaded,
+          active,
+          sub,
+          description,
+        };
+        
+        // Get additional metrics
+        try {
+          const showOutput = execSync(`systemctl --user show ${name} -p CPUUsageNSec MemoryCurrent ActiveEnterTimestamp TasksCurrent`, { encoding: "utf-8" });
+          const cpuMatch = showOutput.match(/CPUUsageNSec=(\d+)/);
+          const memMatch = showOutput.match(/MemoryCurrent=(\d+)/);
+          const timeMatch = showOutput.match(/ActiveEnterTimestamp=(.+)/);
+          const tasksMatch = showOutput.match(/TasksCurrent=(\d+)/);
+          
+          if (cpuMatch) status.cpu = formatCPU(Number(cpuMatch[1]));
+          if (memMatch) status.memory = formatMemory(Number(memMatch[1]));
+          if (timeMatch) status.uptime = formatUptime(timeMatch[1]);
+          if (tasksMatch) status.tasks = tasksMatch[1];
+        } catch {
+          // Ignore metrics errors
+        }
+        
+        services.push(status);
+      }
+      
+      // Display table
+      console.clear();
+      console.log("🔍 BSN Service Status\n");
+      
+      if (services.length === 0) {
+        console.log("No BSN-managed services running.");
+        return;
+      }
+      
+      // Header
+      console.log(`${"SERVICE".padEnd(20)} ${"STATE".padEnd(12)} ${"CPU".padEnd(8)} ${"MEMORY".padEnd(10)} ${"UPTIME".padEnd(12)} ${"TASKS".padEnd(6)} DESCRIPTION`);
+      console.log("-".repeat(90));
+      
+      for (const svc of services) {
+        const state = `${svc.active}/${svc.sub}`;
+        console.log(
+          `${svc.name.padEnd(20)} ${state.padEnd(12)} ${(svc.cpu || "-").padEnd(8)} ${(svc.memory || "-").padEnd(10)} ${(svc.uptime || "-").padEnd(12)} ${(svc.tasks || "-").padEnd(6)} ${svc.description}`
+        );
+      }
+      
+      console.log("\n📊 SRE Metrics Summary:");
+      const totalServices = services.length;
+      const runningServices = services.filter(s => s.active === "active").length;
+      const totalMemory = services.reduce((sum, s) => sum + (s.memory ? parseMemory(s.memory) : 0), 0);
+      
+      console.log(`  Services: ${runningServices}/${totalServices} running`);
+      console.log(`  Memory: ${formatMemory(totalMemory)}`);
+      console.log(`  Last updated: ${new Date().toISOString()}`);
+      
+    } catch (err) {
+      console.error(`❌ Failed to get status: ${err}`);
+      process.exit(1);
+    }
+  };
+  
+  if (options.watch) {
+    console.log("🔄 Watch mode (Ctrl+C to exit)\n");
+    const interval = setInterval(doStatus, 2000);
+    process.on("SIGINT", () => {
+      clearInterval(interval);
+      console.log("\n👋 Exiting watch mode");
+      process.exit(0);
+    });
+    doStatus();
+  } else {
+    doStatus();
+  }
+}
+
+function formatCPU(nsec: number): string {
+  const ms = nsec / 1_000_000;
+  return `${ms.toFixed(1)}ms`;
+}
+
+function formatMemory(bytes: number): string {
+  const units = ["B", "KB", "MB", "GB"];
+  let size = bytes;
+  let unit = 0;
+  while (size >= 1024 && unit < units.length - 1) {
+    size /= 1024;
+    unit++;
+  }
+  return `${size.toFixed(1)}${units[unit]}`;
+}
+
+function parseMemory(str: string): number {
+  const match = str.match(/^([\d.]+)(B|KB|MB|GB)$/);
+  if (!match) return 0;
+  const [, value, unit] = match;
+  const mult = { B: 1, KB: 1024, MB: 1024 ** 2, GB: 1024 ** 3 }[unit] || 1;
+  return Number(value) * mult;
+}
+
+function formatUptime(timestamp: string): string {
+  try {
+    const date = new Date(timestamp);
+    const now = new Date();
+    const diff = now.getTime() - date.getTime();
+    const hours = Math.floor(diff / (1000 * 60 * 60));
+    const minutes = Math.floor((diff % (1000 * 60 * 60)) / (1000 * 60));
+    return `${hours}h ${minutes}m`;
+  } catch {
+    return "-";
+  }
+}

package/src/commands/stop.ts

@@ -0,0 +1,13 @@
+#!/usr/bin/env bun
+
+import { execSync } from "node:child_process";
+
+export async function stopCommand(name: string): Promise<void> {
+  try {
+    execSync(`systemctl --user stop ${name}`, { stdio: "inherit" });
+    console.log(`🛑 User service '${name}' stopped`);
+  } catch (err) {
+    console.error(`❌ Failed to stop user service '${name}': ${err}`);
+    process.exit(1);
+  }
+}

package/src/commands/web.ts

@@ -0,0 +1,49 @@
+#!/usr/bin/env bun
+
+import { execSync } from "node:child_process";
+import { spawn } from "node:child_process";
+
+interface WebOptions {
+  port?: string;
+  detach?: boolean;
+}
+
+export async function webCommand(options: WebOptions): Promise<void> {
+  const port = options.port || "8080";
+  const dashboardPath = `${import.meta.dir}/../web/dashboard.ts`;
+  
+  console.log(`🌐 Starting BS9 Web Dashboard on port ${port}`);
+  
+  if (options.detach) {
+    // Run in background
+    const child = spawn("bun", ["run", dashboardPath], {
+      detached: true,
+      stdio: 'ignore',
+      env: {
+        ...process.env,
+        WEB_DASHBOARD_PORT: port,
+      },
+    });
+    
+    child.unref();
+    
+    console.log(`✅ Web dashboard started in background`);
+    console.log(`   URL: http://localhost:${port}`);
+    console.log(`   Process ID: ${child.pid}`);
+    console.log(`   Stop with: kill ${child.pid}`);
+  } else {
+    // Run in foreground
+    console.log(`   URL: http://localhost:${port}`);
+    console.log(`   Press Ctrl+C to stop`);
+    console.log('');
+    
+    try {
+      execSync(`WEB_DASHBOARD_PORT=${port} bun run ${dashboardPath}`, { 
+        stdio: "inherit" 
+      });
+    } catch (error) {
+      console.error(`❌ Failed to start web dashboard: ${error}`);
+      process.exit(1);
+    }
+  }
+}

package/src/docker/Dockerfile

@@ -0,0 +1,44 @@
+# BS9 Docker Image
+FROM oven/bun:1.3.6-alpine
+
+# Install system dependencies
+RUN apk add --no-cache \
+    systemd \
+    curl \
+    bash \
+    && rm -rf /var/cache/apk/*
+
+# Create app directory
+WORKDIR /app
+
+# Copy package files
+COPY package.json bun.lockb ./
+
+# Install dependencies
+RUN bun install --frozen-lockfile --production
+
+# Copy BS9 source code
+COPY bin/ ./bin/
+COPY src/ ./src/
+
+# Create necessary directories
+RUN mkdir -p /app/.config/bs9 /app/.config/systemd/user
+
+# Make BS9 executable
+RUN chmod +x /app/bin/bs9
+
+# Add BS9 to PATH
+ENV PATH="/app/bin:${PATH}"
+
+# Expose web dashboard port
+EXPOSE 8080
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD curl -f http://localhost:8080/ || exit 1
+
+# Set up systemd for user mode
+RUN echo "user" > /etc/hostname
+
+# Default command
+CMD ["/bin/bash"]

package/src/injectors/otel.ts

@@ -0,0 +1,66 @@
+#!/usr/bin/env node
+
+import { writeFileSync, readFileSync, existsSync } from "node:fs";
+import { join, dirname } from "node:path";
+
+export function injectOpenTelemetry(entryFile: string, serviceName: string): void {
+  const wrapper = `
+// BSN OpenTelemetry Auto-injection
+import { NodeSDK } from "@opentelemetry/sdk-node";
+import { getNodeAutoInstrumentations } from "@opentelemetry/auto-instrumentations-node";
+import { Resource } from "@opentelemetry/resources";
+import { SemanticResourceAttributes } from "@opentelemetry/semantic-conventions";
+
+const sdk = new NodeSDK({
+  resource: new Resource({
+    [SemanticResourceAttributes.SERVICE_NAME]: "${serviceName}",
+    [SemanticResourceAttributes.SERVICE_VERSION]: "1.0.0",
+  }),
+  instrumentations: [getNodeAutoInstrumentations()],
+});
+
+sdk.start();
+
+// Original user code below
+`;
+
+  const originalContent = readFileSync(entryFile, "utf-8");
+  const newContent = wrapper + originalContent;
+  
+  writeFileSync(entryFile, newContent, { encoding: "utf-8" });
+}
+
+export function injectPrometheus(entryFile: string, port: string): void {
+  const prometheusInject = `
+// BSN Prometheus Auto-injection
+import promClient from "prom-client";
+
+const register = new promClient.Registry();
+promClient.collectDefaultMetrics({ register });
+
+const httpRequestDuration = new promClient.Histogram({
+  name: "http_request_duration_seconds",
+  help: "Duration of HTTP requests in seconds",
+  labelNames: ["method", "route", "status_code"],
+  registers: [register],
+});
+
+const httpRequestTotal = new promClient.Counter({
+  name: "http_requests_total",
+  help: "Total number of HTTP requests",
+  labelNames: ["method", "route", "status_code"],
+  registers: [register],
+});
+
+// Export for use in user code
+globalThis.prometheus = { register, httpRequestDuration, httpRequestTotal };
+`;
+
+  // This would need to be injected at the right place in the user's code
+  // For now, we'll write it to a temporary file that the user can import
+  const metricsFile = join(dirname(entryFile), "bsn-metrics.js");
+  writeFileSync(metricsFile, prometheusInject, { encoding: "utf-8" });
+  
+  console.log(`📊 Prometheus metrics written to: ${metricsFile}`);
+  console.log(`   Add to your app: import "./bsn-metrics.js"`);
+}