certops 1.0.15 → 1.1.0

package/dist/api.js

@@ -1,3 +1,9 @@
+const REQUEST_TIMEOUT_MS = 30_000;
+function fetchWithTimeout(url, init) {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+    return fetch(url, { ...init, signal: controller.signal }).finally(() => clearTimeout(timer));
+}
 export function createApiClient(options) {
     const base = (options.apiUrl ?? 'https://ssl-manager.dcom.at').replace(/\/$/, '');
     const baseHeaders = {
@@ -20,7 +26,7 @@ export function createApiClient(options) {
         throw new Error(msg);
     }
     async function request(path) {
-        const res = await fetch(`${base}/api/cli${path}`, {
+        const res = await fetchWithTimeout(`${base}/api/cli${path}`, {
             headers: { ...baseHeaders, 'Content-Type': 'application/json' },
         });
         const body = (await res.json());
@@ -31,7 +37,7 @@ export function createApiClient(options) {
         return body.data;
     }
     async function requestBinary(path) {
-        const res = await fetch(`${base}/api/cli${path}`, {
+        const res = await fetchWithTimeout(`${base}/api/cli${path}`, {
             headers: baseHeaders,
         });
         if (!res.ok) {

package/dist/commands/download.js

@@ -3,10 +3,14 @@ import select from '@inquirer/select';
 import {} from '../api.js';
 import { getConfiguredClient } from '../client.js';
 import { saveZip } from '../files.js';
+import { updateCertState } from '../state.js';
+import { createLogger, logError } from '../logger.js';
+const log = createLogger('download');
 async function performDownload(cert, client) {
     process.stdout.write(`\nDownloading ${cert.certName}…\n`);
     const zipBuffer = await client.downloadCert(cert._id);
     const paths = await saveZip(cert.certName, zipBuffer);
+    await updateCertState(cert.certName, cert.expiryDate ?? '');
     process.stdout.write(`  ✓ Fullchain   : ${paths.fullchainPath}\n`);
     process.stdout.write(`  ✓ Certificate : ${paths.certPath}\n`);
     process.stdout.write(`  ✓ Chain       : ${paths.chainPath}\n`);
@@ -15,6 +19,8 @@ async function performDownload(cert, client) {
         process.stdout.write(`  ✓ Expires     : ${new Date(cert.expiryDate).toLocaleDateString()}\n`);
     }
     process.stdout.write('\n');
+    const expiry = cert.expiryDate ? ` expires ${new Date(cert.expiryDate).toLocaleDateString()}` : '';
+    log(`Downloaded ${cert.certName}${expiry} → ${paths.fullchainPath}`);
 }
 export const downloadCommand = new Command('download')
     .description('Download a certificate to /etc/certops/certs/<domain>/ — requires sudo')
@@ -81,7 +87,9 @@ Examples:
     catch (err) {
         if (err.name === 'ExitPromptError')
             process.exit(0);
-        process.stderr.write(`\nError: ${err.message}\n\n`);
+        const msg = err.message;
+        process.stderr.write(`\nError: ${msg}\n\n`);
+        logError(msg);
         process.exit(1);
     }
 });

package/dist/commands/service/configure.js

@@ -1,18 +1,19 @@
 import { Command } from 'commander';
 import input from '@inquirer/input';
 import { spawnSync } from 'child_process';
-import { readConfig, writeConfig } from '../../config.js';
+import { readConfig, writeConfig, CERTOPS_DIR } from '../../config.js';
+import { BRAND } from '../../brand.js';
 export const configureCommand = new Command('configure')
     .description('Update service config (watch domains, check interval) and restart')
     .action(async () => {
     try {
         if (process.getuid?.() !== 0) {
-            console.error('Error: certops service configure must run as root.');
-            console.error('\n  sudo sp service configure\n');
+            console.error(`Error: ${BRAND.binName} service configure must run as root.`);
+            console.error(`\n  sudo ${BRAND.binName} service configure\n`);
             process.exit(1);
         }
         const existing = await readConfig();
-        console.log('\nCertOps — Update Service Config\n');
+        console.log(`\n${BRAND.displayName} — Update Service Config\n`);
         console.log('  (API key is stored in the systemd unit, not changed here)\n');
         const intervalStr = await input({
             message: 'Check interval (hours):',
@@ -44,8 +45,8 @@ export const configureCommand = new Command('configure')
             maxDownloadRetries: Number(retriesStr),
             watchDomains,
         });
-        console.log('\n✓ Config updated at /etc/certops/config.json');
-        const result = spawnSync('systemctl', ['restart', 'certops'], {
+        console.log(`\n✓ Config updated at ${CERTOPS_DIR}/config.json`);
+        const result = spawnSync('systemctl', ['restart', BRAND.serviceUnit], {
             stdio: ['inherit', 'inherit', 'pipe'],
             encoding: 'utf8',
         });
@@ -53,7 +54,7 @@ export const configureCommand = new Command('configure')
             if (result.stderr?.trim())
                 process.stderr.write(result.stderr + '\n');
             process.stderr.write('\nWarning: config saved but service restart failed.\n');
-            process.stderr.write('  Run: sudo sp service start\n\n');
+            process.stderr.write(`  Run: sudo ${BRAND.binName} service start\n\n`);
             process.exit(1);
         }
         console.log('✓ Service restarted with new config.\n');

package/dist/commands/service/control.js

@@ -4,6 +4,7 @@ import { unlink } from 'fs/promises';
 import { resolveApiKey, runRenewalCycle } from './renew.js';
 import { BRAND } from '../../brand.js';
 import { CERTOPS_DIR } from '../../config.js';
+import { createLogger } from '../../logger.js';
 const UNIT = BRAND.serviceUnit;
 const UNIT_PATH = `/etc/systemd/system/${BRAND.serviceUnit}.service`;
 function systemctl(args, exitOnFail = true) {
@@ -49,7 +50,7 @@ export const checkCommand = new Command('check')
         process.stderr.write(`  Set the env var or run: sudo ${BRAND.binName} service install\n\n`);
         process.exit(1);
     }
-    const log = (msg) => process.stdout.write(`  ${msg}\n`);
+    const log = createLogger();
     process.stdout.write('\nRunning renewal check…\n\n');
     try {
         const result = await runRenewalCycle(apiKey, log);

package/dist/commands/service/daemon.js

@@ -2,9 +2,8 @@ import { Command } from 'commander';
 import { readConfig } from '../../config.js';
 import { resolveApiKey, runRenewalCycle } from './renew.js';
 import { BRAND } from '../../brand.js';
-function log(msg) {
-    process.stdout.write(`[${new Date().toISOString()}] ${msg}\n`);
-}
+import { createLogger } from '../../logger.js';
+const log = createLogger();
 function sleep(ms) {
     return new Promise(resolve => setTimeout(resolve, ms));
 }

package/dist/commands/service/install.js

@@ -7,7 +7,13 @@ import { domainHookPath, GLOBAL_HOOK } from '../../hooks.js';
 import { BRAND } from '../../brand.js';
 const UNIT_PATH = `/etc/systemd/system/${BRAND.serviceUnit}.service`;
 const API_KEY_ENV = `${BRAND.envPrefix}_API_KEY`;
+function resolveBinPath() {
+    // process.argv[1] is the actual path of the running certops script
+    return process.argv[1] ?? `/usr/local/bin/${BRAND.binName}`;
+}
 function buildUnitContent(apiKey) {
+    const binPath = resolveBinPath();
+    const nodePath = process.execPath;
     return `\
 [Unit]
 Description=${BRAND.displayName} Certificate Monitor
@@ -17,7 +23,7 @@ Wants=network-online.target
 [Service]
 Type=simple
 Environment=${API_KEY_ENV}=${apiKey}
-ExecStart=/usr/local/bin/${BRAND.binName} service run
+ExecStart=${nodePath} ${binPath} service run
 Restart=on-failure
 RestartSec=30
 StandardOutput=journal
@@ -57,10 +63,6 @@ export const installCommand = new Command('install')
                 ? true
                 : `Key must start with ${BRAND.keyPrefix}`,
         });
-        const apiUrl = await input({
-            message: `API URL (leave blank for default ${BRAND.apiUrl}):`,
-            default: existing.apiUrl ?? '',
-        });
         const intervalStr = await input({
             message: 'Check interval (hours):',
             default: String(existing.checkIntervalHours),
@@ -75,7 +77,7 @@ export const installCommand = new Command('install')
             .map(d => d.trim())
             .filter(Boolean);
         const config = {
-            apiUrl: apiUrl.trim() || undefined,
+            apiUrl: existing.apiUrl,
             renewalThresholdDays: existing.renewalThresholdDays,
             checkIntervalHours: Number(intervalStr),
             watchDomains,

package/dist/config.js

@@ -3,6 +3,8 @@ import { join } from 'path';
 import { BRAND } from './brand.js';
 export const CERTOPS_DIR = BRAND.configDir;
 export const HOOKS_DIR = join(CERTOPS_DIR, 'hooks');
+export const LOG_DIR = `/var/log/${BRAND.name}`;
+export const LOG_FILE = join(LOG_DIR, `${BRAND.name}.log`);
 const CONFIG_PATH = join(CERTOPS_DIR, 'config.json');
 const DEFAULTS = {
     renewalThresholdDays: 5,

package/dist/files.js

@@ -2,6 +2,7 @@ import { mkdir, writeFile, chmod } from 'fs/promises';
 import { join } from 'path';
 import { unzipSync } from 'fflate';
 import { CERTOPS_DIR } from './config.js';
+import { BRAND } from './brand.js';
 export async function saveZip(certName, zipBuffer) {
     const zipDirName = certName.replace(/^\*\./, 'wildcard.');
     const dir = join(CERTOPS_DIR, 'certs', zipDirName);
@@ -45,8 +46,8 @@ function fsError(err, certName, path) {
     const e = err instanceof Error ? err : null;
     if (e?.code === 'EACCES' || e?.code === 'EPERM') {
         process.stderr.write(`\nPermission denied: ${path}\n`);
-        process.stderr.write(`/etc/certops requires root. Re-run:\n\n`);
-        process.stderr.write(`  sudo certops download '${certName}'\n\n`);
+        process.stderr.write(`${CERTOPS_DIR} requires root. Re-run:\n\n`);
+        process.stderr.write(`  sudo ${BRAND.binName} download '${certName}'\n\n`);
         process.exit(1);
     }
     throw err;

package/dist/hooks.js

@@ -17,19 +17,25 @@ async function fileExists(path) {
         return false;
     }
 }
+const HOOK_TIMEOUT_MS = 60_000;
 async function execHook(scriptPath, vars) {
     return new Promise((resolve, reject) => {
         const child = spawn('bash', [scriptPath], {
             env: { ...process.env, ...vars },
             stdio: 'inherit',
         });
+        const timer = setTimeout(() => {
+            child.kill('SIGTERM');
+            reject(new Error(`Hook timed out after ${HOOK_TIMEOUT_MS / 1000}s`));
+        }, HOOK_TIMEOUT_MS);
         child.on('close', (code) => {
+            clearTimeout(timer);
             if (code === 0)
                 resolve();
             else
                 reject(new Error(`Hook exited with code ${code}`));
         });
-        child.on('error', reject);
+        child.on('error', (err) => { clearTimeout(timer); reject(err); });
     });
 }
 export async function runHooks(certName, vars, log) {

package/dist/logger.js

@@ -0,0 +1,41 @@
+import { appendFile, mkdir } from 'fs/promises';
+import { LOG_DIR, LOG_FILE } from './config.js';
+let logDirReady = false;
+async function ensureLogDir() {
+    if (logDirReady)
+        return;
+    try {
+        await mkdir(LOG_DIR, { recursive: true });
+        logDirReady = true;
+    }
+    catch {
+        // silently fail — never crash the daemon over a logging error
+    }
+}
+async function writeToFile(line) {
+    await ensureLogDir();
+    if (!logDirReady)
+        return;
+    try {
+        await appendFile(LOG_FILE, line + '\n', { encoding: 'utf8', mode: 0o640 });
+    }
+    catch {
+        // silently fail
+    }
+}
+function timestamp() {
+    return new Date().toISOString();
+}
+export function createLogger(tag) {
+    const prefix = tag ? `[${tag}] ` : '';
+    return (msg) => {
+        const line = `[${timestamp()}] ${prefix}${msg}`;
+        process.stdout.write(line + '\n');
+        void writeToFile(line);
+    };
+}
+export function logError(msg) {
+    const line = `[${timestamp()}] [ERROR] ${msg}`;
+    process.stderr.write(line + '\n');
+    void writeToFile(line);
+}

package/dist/version.js

@@ -1,18 +1,19 @@
 import { readFileSync } from 'node:fs';
 import { dirname, join } from 'node:path';
 import { fileURLToPath } from 'node:url';
-function isPackageJson(value) {
-    return (typeof value === 'object' &&
-        value !== null &&
-        'version' in value &&
-        typeof value.version === 'string');
-}
 function readCliVersion() {
-    const dir = dirname(fileURLToPath(import.meta.url));
-    const path = join(dir, '..', 'package.json');
-    const raw = JSON.parse(readFileSync(path, 'utf8'));
-    if (!isPackageJson(raw))
-        throw new Error('package.json is missing a valid version field');
-    return raw.version;
+    // Injected at compile time by Bun build --define
+    if (process.env.CLI_VERSION)
+        return process.env.CLI_VERSION;
+    // JS mode (npm package with dist/): read from package.json
+    try {
+        const dir = dirname(fileURLToPath(import.meta.url));
+        const path = join(dir, '..', 'package.json');
+        const raw = JSON.parse(readFileSync(path, 'utf8'));
+        return raw.version;
+    }
+    catch {
+        return '0.0.0';
+    }
 }
 export const CLI_VERSION = readCliVersion();

package/package.json

@@ -1,10 +1,11 @@
 {
   "name": "certops",
-  "version": "1.0.15",
+  "version": "1.1.0",
   "description": "SSL Pilot CLI — download and manage your SSL certificates",
   "type": "module",
   "files": [
-    "dist"
+    "dist",
+    "scripts"
   ],
   "bin": {
     "certops": "./dist/index.js"
@@ -12,7 +13,9 @@
   "scripts": {
     "build": "tsc",
     "dev": "tsx src/index.ts",
-    "typecheck": "tsc --noEmit"
+    "typecheck": "tsc --noEmit",
+    "postinstall": "node scripts/postinstall.cjs",
+    "preuninstall": "node scripts/preuninstall.cjs"
   },
   "publishConfig": {
     "access": "public"

package/scripts/postinstall.cjs

@@ -0,0 +1,72 @@
+#!/usr/bin/env node
+'use strict'
+
+const { createWriteStream, chmodSync, existsSync, unlinkSync } = require('fs')
+const { get } = require('https')
+const { join } = require('path')
+
+const { name, version } = require('../package.json')
+const REPO        = 'Vimosoftdev/ssl-checker-web'
+const BIN_NAME    = 'certops'
+const INSTALL_DIR = '/usr/local/bin'
+const INSTALL_PATH = join(INSTALL_DIR, BIN_NAME)
+
+const platformMap = { linux: 'linux', darwin: 'darwin' }
+const archMap     = { x64: 'x64', arm64: 'arm64' }
+const plat = platformMap[process.platform]
+const arc  = archMap[process.arch]
+
+if (!plat || !arc) {
+  console.warn(`[certops] Unsupported platform ${process.platform}-${process.arch}. Skipping binary install.`)
+  console.warn(`[certops] Install manually: https://github.com/${REPO}/releases/latest`)
+  process.exit(0)
+}
+
+const isRoot = typeof process.getuid === 'function' && process.getuid() === 0
+
+if (!isRoot) {
+  console.warn(`[certops] Not running as root — binary not installed to ${INSTALL_PATH}.`)
+  console.warn(`[certops] To install system-wide: sudo npm install -g certops`)
+  console.warn(`[certops] Or: curl -fsSL https://github.com/${REPO}/releases/latest/download/install.sh | sudo bash`)
+  process.exit(0)
+}
+
+const assetName   = `${BIN_NAME}-${plat}-${arc}`
+const downloadUrl = `https://github.com/${REPO}/releases/download/v${version}/${assetName}`
+
+console.log(`[certops] Installing v${version} binary for ${plat}-${arc}…`)
+console.log(`[certops] Downloading ${downloadUrl}`)
+
+downloadFile(downloadUrl, INSTALL_PATH)
+  .then(() => {
+    chmodSync(INSTALL_PATH, 0o755)
+    console.log(`[certops] ✓ Installed to ${INSTALL_PATH}`)
+  })
+  .catch(err => {
+    // clean up partial download
+    try { if (existsSync(INSTALL_PATH)) unlinkSync(INSTALL_PATH) } catch {}
+    console.error(`[certops] Binary install failed: ${err.message}`)
+    console.error(`[certops] Fallback: curl -fsSL https://github.com/${REPO}/releases/latest/download/install.sh | sudo bash`)
+    // non-fatal — npm install still succeeds
+    process.exit(0)
+  })
+
+function downloadFile(url, dest) {
+  return new Promise((resolve, reject) => {
+    function fetch(url) {
+      get(url, res => {
+        if (res.statusCode === 301 || res.statusCode === 302) {
+          return fetch(res.headers.location)
+        }
+        if (res.statusCode !== 200) {
+          return reject(new Error(`HTTP ${res.statusCode} from ${url}`))
+        }
+        const file = createWriteStream(dest)
+        res.pipe(file)
+        file.on('finish', () => file.close(resolve))
+        file.on('error', err => { unlinkSync(dest); reject(err) })
+      }).on('error', reject)
+    }
+    fetch(url)
+  })
+}

package/scripts/preuninstall.cjs

@@ -0,0 +1,15 @@
+#!/usr/bin/env node
+'use strict'
+
+const { unlinkSync, existsSync } = require('fs')
+
+const INSTALL_PATH = '/usr/local/bin/certops'
+
+try {
+  if (existsSync(INSTALL_PATH)) {
+    unlinkSync(INSTALL_PATH)
+    console.log(`[certops] ✓ Removed binary from ${INSTALL_PATH}`)
+  }
+} catch (err) {
+  console.warn(`[certops] Could not remove ${INSTALL_PATH}: ${err.message}`)
+}