codex-snapshots 0.1.0 → 0.1.1

package/deploy/aliyun/deploy.env.example

@@ -0,0 +1,52 @@
+# Copy to deploy/aliyun/deploy.env and edit locally.
+# Keep deploy.env out of git because it contains OAuth secrets, optional tokens, and host details.
+
+# ECS SSH target. Use root or a user with passwordless sudo.
+SSH_TARGET=root@1.2.3.4
+
+# Optional SSH settings.
+SSH_IDENTITY_FILE=
+SSH_PORT=
+
+# Public API domain. Add an A record for this domain pointing to the ECS public IP.
+DOMAIN=snapshots.example.com
+API_URL=https://snapshots.example.com
+
+# Public GitHub Pages site that renders sessions.
+SITE_URL=https://ffffhx.github.io/codex-snapshots/
+
+# Optional legacy token auth. GitHub OAuth mode ignores TOKEN=change-me.
+# Generate a strong token with: openssl rand -base64 32
+# Or set TOKEN=auto to let deploy-to-ecs.sh generate one for this deployment.
+TOKEN=change-me
+# GENERATE_TOKEN=0
+
+# Optional GitHub OAuth publish/delete auth.
+# Register an OAuth App callback URL:
+#   https://snapshots.example.com/api/auth/github/callback
+# SNAPSHOT_GITHUB_CLIENT_ID=change-me
+# SNAPSHOT_GITHUB_CLIENT_SECRET=change-me
+# SNAPSHOT_SESSION_SECRET=change-me-generate-with-openssl-rand-base64-48
+# SNAPSHOT_GITHUB_OWNER_LOGIN=your-github-login
+# SNAPSHOT_GITHUB_OWNER_ID=
+# SNAPSHOT_AUTH_ALLOWED_ORIGINS=https://ffffhx.github.io
+
+# Certbot email used when ISSUE_CERT=1.
+CERTBOT_EMAIL=you@example.com
+
+# GitHub Pages repository/workflow.
+PAGES_REPO=ffffhx/codex-snapshots
+PAGES_WORKFLOW=pages.yml
+
+# Deployment behavior. Use 1 for enabled, 0 for disabled.
+INSTALL_DEPS=1
+ISSUE_CERT=1
+RUN_PREFLIGHT=1
+RUN_VERIFY=1
+CONFIGURE_PAGES=1
+WAIT_PAGES=1
+CONFIGURE_LOCAL=1
+REINSTALL_DAEMON=1
+
+# Remote rsync staging directory.
+REMOTE_DIR=/tmp/codex-snapshots-deploy

package/deploy/aliyun/doctor.mjs

@@ -0,0 +1,398 @@
+#!/usr/bin/env node
+
+import { spawnSync } from "node:child_process";
+import dns from "node:dns/promises";
+import { existsSync, readFileSync } from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+
+const ROOT_DIR = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "../..");
+const DEFAULT_CONFIG = path.join(ROOT_DIR, "deploy/aliyun/deploy.env");
+const parsed = parseArgs(process.argv.slice(2));
+
+if (parsed.help) {
+  printHelp();
+  process.exit(0);
+}
+
+main().catch((error) => {
+  console.error(`✗ ${error instanceof Error ? error.message : String(error)}`);
+  process.exitCode = 1;
+});
+
+async function main() {
+  const configPath = path.resolve(parsed.options.config || process.env.CODEX_SNAPSHOTS_ALIYUN_CONFIG || DEFAULT_CONFIG);
+  const checks = [];
+
+  if (!existsSync(configPath)) {
+    checks.push(fail("Config file", `not found: ${configPath}`));
+    printChecks(checks);
+    process.exitCode = 1;
+    return;
+  }
+
+  checks.push(pass("Config file", configPath));
+
+  const config = parseEnvFile(readFileSync(configPath, "utf8"));
+  const resolved = resolveConfig(config);
+
+  checks.push(...validateConfig(resolved));
+  checks.push(...checkLocalCommands(resolved));
+  checks.push(checkLocalTokenSource(resolved));
+
+  if (!parsed.options.offline && resolved.domain && !isPlaceholderDomain(resolved.domain)) {
+    checks.push(await checkDns(resolved.domain));
+  } else {
+    checks.push(skip("DNS", parsed.options.offline ? "offline mode" : "domain is not ready"));
+  }
+
+  checks.push(runDryRun(configPath));
+
+  printChecks(checks);
+
+  const failures = checks.filter((check) => check.status === "fail");
+  const warnings = checks.filter((check) => check.status === "warn");
+
+  if (failures.length) {
+    console.log("\nNext: fix the failed checks above, then rerun this doctor command.");
+    process.exitCode = 1;
+    return;
+  }
+
+  console.log("\nReady for local deployment orchestration.");
+  if (warnings.length) {
+    console.log("Warnings remain; deployment may still need external setup such as DNS propagation or GitHub CLI auth.");
+  }
+  console.log(`Run: deploy/aliyun/deploy-to-ecs.sh --config ${relativeToRoot(configPath)}`);
+}
+
+function parseEnvFile(text) {
+  const values = {};
+
+  for (const rawLine of text.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (!line || line.startsWith("#")) continue;
+
+    const match = line.match(/^([A-Za-z_][A-Za-z0-9_]*)=(.*)$/);
+    if (!match) continue;
+
+    let value = match[2].trim();
+    if ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'"))) {
+      value = value.slice(1, -1);
+    }
+    values[match[1]] = value;
+  }
+
+  return values;
+}
+
+function resolveConfig(config) {
+  const domain = first(config.DOMAIN, config.ALIYUN_DOMAIN);
+  const resolved = {
+    apiUrl: first(config.API_URL, config.SNAPSHOT_SHARE_PUBLIC_API_URL) || (domain ? `https://${domain}` : ""),
+    certbotEmail: first(config.CERTBOT_EMAIL),
+    configureLocal: isEnabled(config.CONFIGURE_LOCAL),
+    configurePages: isEnabled(config.CONFIGURE_PAGES),
+    domain,
+    generateToken: isEnabled(config.GENERATE_TOKEN) || isAutoToken(config.TOKEN),
+    githubClientId: first(config.SNAPSHOT_GITHUB_CLIENT_ID, config.GITHUB_CLIENT_ID),
+    githubClientSecret: first(config.SNAPSHOT_GITHUB_CLIENT_SECRET, config.GITHUB_CLIENT_SECRET),
+    githubOwner: first(config.SNAPSHOT_GITHUB_OWNER_LOGIN, config.SNAPSHOT_GITHUB_OWNER, config.SNAPSHOT_GITHUB_OWNER_ID),
+    sessionSecret: first(config.SNAPSHOT_SESSION_SECRET),
+    issueCert: isEnabled(config.ISSUE_CERT),
+    pagesRepo: first(config.PAGES_REPO, process.env.GITHUB_REPOSITORY, "ffffhx/codex-snapshots"),
+    siteUrl: first(config.SITE_URL, config.SNAPSHOT_SHARE_SITE_URL, "https://ffffhx.github.io/codex-snapshots/"),
+    sshTarget: first(config.SSH_TARGET, config.ALIYUN_SSH_TARGET),
+    token: first(config.TOKEN, config.SNAPSHOT_SHARE_TOKEN),
+  };
+  if (hasGithubAuthConfig(resolved) && resolved.token === "change-me") {
+    resolved.token = "";
+  }
+  return resolved;
+}
+
+function validateConfig(config) {
+  const checks = [];
+  const apiHost = urlHost(config.apiUrl);
+  const siteHost = urlHost(config.siteUrl);
+  const githubAuthConfigured = hasGithubAuthConfig(config);
+
+  checks.push(config.sshTarget && !config.sshTarget.includes("1.2.3.4")
+    ? pass("SSH target", maskSshTarget(config.sshTarget))
+    : fail("SSH target", "set SSH_TARGET to your ECS user and public IP"));
+  checks.push(config.domain && !isPlaceholderDomain(config.domain)
+    ? pass("Domain", config.domain)
+    : fail("Domain", "set DOMAIN to your public API domain"));
+  checks.push(isHttpUrl(config.apiUrl) && !isLocalHost(apiHost) && !isPlaceholderDomain(apiHost)
+    ? pass("Public API URL", config.apiUrl.replace(/\/+$/, ""))
+    : fail("Public API URL", "set API_URL to the public HTTPS API URL"));
+  checks.push(isHttpUrl(config.siteUrl) && !isLocalHost(siteHost)
+    ? pass("Site URL", config.siteUrl.replace(/\/+$/, ""))
+    : fail("Site URL", "set SITE_URL to the public GitHub Pages URL"));
+
+  if (githubAuthConfigured && (!config.githubClientId || !config.githubClientSecret || !config.githubOwner)) {
+    checks.push(fail("GitHub OAuth", "set SNAPSHOT_GITHUB_CLIENT_ID, SNAPSHOT_GITHUB_CLIENT_SECRET, and SNAPSHOT_GITHUB_OWNER_LOGIN/ID"));
+  } else if (githubAuthConfigured) {
+    checks.push(config.sessionSecret && config.sessionSecret.length >= 32
+      ? pass("GitHub OAuth", `configured for ${config.githubOwner}`)
+      : pass("GitHub OAuth", `configured for ${config.githubOwner}; deploy-to-ecs.sh will generate SNAPSHOT_SESSION_SECRET`));
+  } else {
+    checks.push(skip("GitHub OAuth", "not configured"));
+  }
+
+  if (config.generateToken) {
+    checks.push(pass("Publish token", "will be generated by deploy-to-ecs.sh"));
+  } else if (config.token === "change-me") {
+    checks.push(fail("Publish token", "replace TOKEN=change-me with TOKEN=auto, GENERATE_TOKEN=1, or a real token"));
+  } else if (config.token && config.token !== "change-me" && config.token.length >= 16) {
+    checks.push(pass("Publish token", `set (${config.token.length} chars)`));
+  } else if (githubAuthConfigured) {
+    checks.push(skip("Publish token", "not required when GitHub OAuth is configured"));
+  } else if (!config.token && readLocalToken()) {
+    checks.push(pass("Publish token", "will be reused from local publisher config"));
+  } else {
+    checks.push(fail("Publish token", "set TOKEN=auto, GENERATE_TOKEN=1, --generate-token, or a real TOKEN"));
+  }
+
+  if (config.issueCert) {
+    checks.push(config.certbotEmail && config.certbotEmail !== "you@example.com" && config.certbotEmail.includes("@")
+      ? pass("Certbot email", config.certbotEmail)
+      : fail("Certbot email", "set CERTBOT_EMAIL when ISSUE_CERT=1"));
+  } else {
+    checks.push(skip("Certbot email", "ISSUE_CERT=0"));
+  }
+
+  return checks;
+}
+
+function checkLocalCommands(config) {
+  const checks = [];
+  checks.push(commandExists("ssh") ? pass("Local ssh", "available") : fail("Local ssh", "ssh command not found"));
+  checks.push(commandExists("rsync") ? pass("Local rsync", "available") : fail("Local rsync", "rsync command not found"));
+  checks.push(commandExists("node") ? pass("Local node", "available") : fail("Local node", "node command not found"));
+
+  if (config.configurePages) {
+    checks.push(commandExists("gh")
+      ? pass("GitHub CLI", `available for ${config.pagesRepo}`)
+      : warn("GitHub CLI", "gh not found; --configure-pages cannot run until installed and authenticated"));
+  } else {
+    checks.push(skip("GitHub CLI", "CONFIGURE_PAGES=0"));
+  }
+
+  return checks;
+}
+
+function checkLocalTokenSource(config) {
+  if (!config.configureLocal) {
+    return skip("Local publisher config", "CONFIGURE_LOCAL=0");
+  }
+  if (hasGithubAuthConfig(config) && !config.token && !config.generateToken) {
+    return pass("Local publisher config", "will be written with public API/site URLs for GitHub OAuth");
+  }
+  if (config.generateToken) {
+    return pass("Local publisher config", "will be written with generated token");
+  }
+  if (config.token === "change-me") {
+    return fail("Local publisher config", "CONFIGURE_LOCAL=1 cannot use TOKEN=change-me");
+  }
+  if (config.token && config.token !== "change-me" && config.token.length >= 16) {
+    return pass("Local publisher config", "will be written with configured token");
+  }
+  if (!config.token && readLocalToken()) {
+    return pass("Local publisher config", "existing token can be reused");
+  }
+  return fail("Local publisher config", "CONFIGURE_LOCAL=1 needs TOKEN=auto, GENERATE_TOKEN=1, or a real TOKEN");
+}
+
+function hasGithubAuthConfig(config) {
+  return Boolean(config.githubClientId || config.githubClientSecret || config.githubOwner || config.sessionSecret);
+}
+
+async function checkDns(domain) {
+  try {
+    const addresses = await resolveHost(domain);
+    if (!addresses.length) {
+      return fail("DNS", "no A or AAAA records found");
+    }
+    return pass("DNS", `${domain} -> ${addresses.join(", ")}`);
+  } catch (error) {
+    return warn("DNS", error instanceof Error ? error.message : String(error));
+  }
+}
+
+function runDryRun(configPath) {
+  const result = spawnSync("bash", [path.join(ROOT_DIR, "deploy/aliyun/deploy-to-ecs.sh"), "--config", configPath, "--dry-run"], {
+    cwd: ROOT_DIR,
+    encoding: "utf8",
+    env: process.env,
+  });
+
+  if (result.status === 0) {
+    return pass("Deploy dry-run", "deploy-to-ecs.sh accepted the config");
+  }
+
+  const output = `${result.stdout || ""}\n${result.stderr || ""}`.trim().split(/\r?\n/).slice(0, 8).join(" ");
+  return fail("Deploy dry-run", output || `exited with ${result.status}`);
+}
+
+function commandExists(command) {
+  const result = spawnSync("command", ["-v", command], {
+    encoding: "utf8",
+    shell: true,
+    stdio: ["ignore", "pipe", "ignore"],
+  });
+  return result.status === 0;
+}
+
+function readLocalToken() {
+  const candidates = [
+    process.env.CODEX_SNAPSHOTS_AGENT_FILE,
+    process.env.SNAPSHOT_SHARE_TOKEN_FILE,
+    path.join(os.homedir(), ".codex-snapshots-agent.json"),
+  ].filter(Boolean);
+
+  for (const filePath of candidates) {
+    try {
+      const payload = JSON.parse(readFileSync(filePath, "utf8"));
+      const token = first(payload.snapshotShareToken, payload.agentToken, payload.token, payload.uploadToken);
+      if (token) return token;
+    } catch {}
+  }
+
+  return "";
+}
+
+async function resolveHost(host) {
+  const [v4, v6] = await Promise.allSettled([dns.resolve4(host), dns.resolve6(host)]);
+  return [
+    ...(v4.status === "fulfilled" ? v4.value : []),
+    ...(v6.status === "fulfilled" ? v6.value : []),
+  ];
+}
+
+function pass(label, message) {
+  return { label, message, status: "pass" };
+}
+
+function warn(label, message) {
+  return { label, message, status: "warn" };
+}
+
+function fail(label, message) {
+  return { label, message, status: "fail" };
+}
+
+function skip(label, message) {
+  return { label, message, status: "skip" };
+}
+
+function printChecks(checks) {
+  for (const check of checks) {
+    const marker = {
+      fail: "✗",
+      pass: "✓",
+      skip: "•",
+      warn: "!",
+    }[check.status];
+    console.log(`${marker} ${check.label}: ${check.message}`);
+  }
+}
+
+function first(...values) {
+  for (const value of values) {
+    if (typeof value === "string" && value.trim()) {
+      return value.trim();
+    }
+  }
+  return "";
+}
+
+function lowercase(value) {
+  return String(value || "").toLowerCase();
+}
+
+function isEnabled(value) {
+  return ["1", "true", "yes", "on"].includes(lowercase(value));
+}
+
+function isAutoToken(value) {
+  return ["auto", "generate", "generated"].includes(lowercase(value));
+}
+
+function isPlaceholderDomain(value) {
+  const text = lowercase(value);
+  return text === "example.com" || text.endsWith(".example.com") || text === "snapshots.example.com";
+}
+
+function isLocalHost(value) {
+  const text = lowercase(value);
+  return text === "127.0.0.1" || text === "localhost" || text === "::1";
+}
+
+function isHttpUrl(value) {
+  try {
+    const url = new URL(value);
+    return url.protocol === "http:" || url.protocol === "https:";
+  } catch {
+    return false;
+  }
+}
+
+function urlHost(value) {
+  try {
+    return new URL(value).hostname.toLowerCase();
+  } catch {
+    return "";
+  }
+}
+
+function maskSshTarget(value) {
+  const text = String(value || "");
+  return text.replace(/@(.{2}).+$/, "@$1...");
+}
+
+function relativeToRoot(filePath) {
+  const relative = path.relative(ROOT_DIR, filePath);
+  return relative.startsWith("..") ? filePath : relative;
+}
+
+function parseArgs(args) {
+  const options = {
+    config: "",
+    offline: false,
+  };
+  let help = false;
+
+  for (let index = 0; index < args.length; index += 1) {
+    const arg = args[index];
+    if (arg === "-h" || arg === "--help") {
+      help = true;
+      continue;
+    }
+    if (arg === "--config") {
+      options.config = String(args[++index] || "");
+      continue;
+    }
+    if (arg === "--offline") {
+      options.offline = true;
+      continue;
+    }
+    throw new Error(`unknown option: ${arg}`);
+  }
+
+  return { help, options };
+}
+
+function printHelp() {
+  console.log(`aliyun deploy doctor
+
+Usage:
+  node deploy/aliyun/doctor.mjs --config deploy/aliyun/deploy.env
+
+Options:
+  --config FILE  Deployment env file. Defaults to deploy/aliyun/deploy.env.
+  --offline      Skip DNS lookup.
+  -h, --help     Show help.
+`);
+}