create-paratix 0.0.1 → 0.2.0

package/dist/index.js

@@ -0,0 +1,1183 @@
+#!/usr/bin/env node
+
+// src/index.ts
+import { existsSync, mkdirSync, writeFileSync } from "fs";
+import { basename as basename2, join as join2, resolve } from "path";
+
+// src/interactivePrompts.ts
+import { createInterface } from "readline/promises";
+
+// src/hostFingerprintBootstrap.ts
+import { createHash } from "crypto";
+import { Client } from "ssh2";
+var DEFAULT_HOST_FINGERPRINT_PORT = 22;
+var DEFAULT_READY_TIMEOUT_MS = 1e4;
+function computeFingerprint(key) {
+  const hash = createHash("sha256").update(key).digest("base64");
+  return `SHA256:${hash.replaceAll("=", "")}`;
+}
+function toError(error, host, port) {
+  const message = error instanceof Error ? error.message : String(error);
+  return new Error(`Failed to read the host key from ${host}:${port}: ${message}`);
+}
+function createConnectionConfig(parameters) {
+  const { captureFingerprint, host, port, readyTimeoutMs } = parameters;
+  return {
+    host,
+    hostVerifier: (key) => {
+      captureFingerprint(computeFingerprint(Buffer.from(key)));
+      return false;
+    },
+    port,
+    readyTimeout: readyTimeoutMs,
+    username: "paratix-hostkey-scan"
+  };
+}
+function resolveBootstrapOptions(options) {
+  const clientFactory = options.clientFactory ?? (() => new Client());
+  return {
+    client: clientFactory(),
+    port: options.port ?? DEFAULT_HOST_FINGERPRINT_PORT,
+    readyTimeoutMs: options.readyTimeoutMs ?? DEFAULT_READY_TIMEOUT_MS
+  };
+}
+function cleanupClient(client) {
+  client.removeAllListeners();
+  try {
+    client.end();
+  } catch {
+  }
+}
+function createSettlementHandlers(parameters) {
+  const { cleanup, host, port, reject, resolve: resolve2 } = parameters;
+  let settled = false;
+  return {
+    rejectOnce: (error) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      reject(toError(error, host, port));
+    },
+    resolveOnce: (fingerprint) => {
+      if (settled) return;
+      settled = true;
+      cleanup();
+      resolve2(fingerprint);
+    }
+  };
+}
+function registerFingerprintListeners(parameters) {
+  const { client, onFingerprint, rejectOnce, resolveOnce } = parameters;
+  client.on("close", () => {
+    const capturedFingerprint = onFingerprint();
+    if (capturedFingerprint != null) {
+      resolveOnce(capturedFingerprint);
+    }
+  });
+  client.on("error", (error) => {
+    const capturedFingerprint = onFingerprint();
+    if (capturedFingerprint != null) {
+      resolveOnce(capturedFingerprint);
+      return;
+    }
+    rejectOnce(error);
+  });
+}
+async function readFingerprintFromClient(client, parameters) {
+  const { host, port, readyTimeoutMs } = parameters;
+  let capturedFingerprint = null;
+  return new Promise((resolve2, reject) => {
+    const cleanup = () => {
+      cleanupClient(client);
+    };
+    const { rejectOnce, resolveOnce } = createSettlementHandlers({
+      cleanup,
+      host,
+      port,
+      reject,
+      resolve: resolve2
+    });
+    registerFingerprintListeners({
+      client,
+      onFingerprint: () => capturedFingerprint,
+      rejectOnce,
+      resolveOnce
+    });
+    try {
+      client.connect(
+        createConnectionConfig({
+          captureFingerprint: (fingerprint) => {
+            capturedFingerprint = fingerprint;
+          },
+          host,
+          port,
+          readyTimeoutMs
+        })
+      );
+    } catch (error) {
+      rejectOnce(error);
+    }
+  });
+}
+async function readHostFingerprintViaSsh2(host, options = {}) {
+  const { client, port, readyTimeoutMs } = resolveBootstrapOptions(options);
+  return readFingerprintFromClient(client, { host, port, readyTimeoutMs });
+}
+
+// src/promptUi.ts
+import { emitKeypressEvents } from "readline";
+function createSelectLines(prompt, options, selectedIndex) {
+  return [
+    prompt,
+    "",
+    "Use the arrow keys to choose an option:",
+    ...options.flatMap((option, index) => {
+      const prefix = index === selectedIndex ? ">" : " ";
+      return [`${prefix} ${option.label}`, `   ${option.description}`];
+    }),
+    "",
+    "Press Enter to confirm."
+  ];
+}
+function redrawSelect(lines, renderedLines) {
+  if (renderedLines > 0) {
+    for (let index = 0; index < renderedLines; index++) {
+      process.stdout.write("\x1B[1A\x1B[2K");
+    }
+  }
+  process.stdout.write(`${lines.join("\n")}
+`);
+  return lines.length;
+}
+function ensureInteractiveTerminal() {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) {
+    throw new Error(
+      "Interactive selection requires a TTY. Use --initial-user <root|name> in non-interactive environments."
+    );
+  }
+}
+function prepareSelectInput() {
+  emitKeypressEvents(process.stdin);
+  const previousRawMode = process.stdin.isRaw;
+  process.stdin.setRawMode(true);
+  process.stdin.resume();
+  return { previousRawMode };
+}
+function cleanupSelectInput(previousRawMode) {
+  process.stdin.setRawMode(previousRawMode ?? false);
+  process.stdin.pause();
+  process.stdout.write("\x1B[?25h");
+}
+function createSelectRenderer(prompt, options) {
+  let renderedLines = 0;
+  let selectedIndex = 0;
+  return {
+    moveDown: () => {
+      selectedIndex = (selectedIndex + 1) % options.length;
+    },
+    moveUp: () => {
+      selectedIndex = (selectedIndex - 1 + options.length) % options.length;
+    },
+    render: () => {
+      renderedLines = redrawSelect(createSelectLines(prompt, options, selectedIndex), renderedLines);
+    },
+    selectedValue: () => options[selectedIndex].value
+  };
+}
+function finishSelection(cleanup, resolver, value) {
+  cleanup();
+  resolver(value);
+}
+function handleNavigationKey(keyName, renderer) {
+  if (keyName === "down") {
+    renderer.moveDown();
+    renderer.render();
+    return true;
+  }
+  if (keyName === "up") {
+    renderer.moveUp();
+    renderer.render();
+    return true;
+  }
+  return false;
+}
+function handleConfirmationKey(keyName, renderer, confirmSelection) {
+  if (keyName !== "enter" && keyName !== "return") {
+    return false;
+  }
+  process.stdout.write("\n");
+  confirmSelection(renderer.selectedValue());
+  return true;
+}
+function handleCancelKey(key, cleanup, reject) {
+  if (key.ctrl && key.name === "c") {
+    process.stdout.write("\n");
+    cleanup();
+    reject(new Error("Prompt cancelled."));
+  }
+}
+async function runTerminalSelect(prompt, options) {
+  ensureInteractiveTerminal();
+  const { previousRawMode } = prepareSelectInput();
+  const renderer = createSelectRenderer(prompt, options);
+  return new Promise((resolve2, reject) => {
+    const cleanup = () => {
+      process.stdin.removeListener("keypress", onKeypress);
+      cleanupSelectInput(previousRawMode);
+    };
+    const onKeypress = (_character, key) => {
+      if (handleNavigationKey(key.name, renderer)) {
+        return;
+      }
+      if (handleConfirmationKey(key.name, renderer, (value) => {
+        finishSelection(cleanup, resolve2, value);
+      })) {
+        return;
+      }
+      handleCancelKey(key, cleanup, reject);
+    };
+    process.stdout.write("\x1B[?25l");
+    renderer.render();
+    process.stdin.on("keypress", onKeypress);
+  });
+}
+function createTerminalSelect() {
+  return {
+    close: () => void 0,
+    select: async (prompt, options) => runTerminalSelect(prompt, options)
+  };
+}
+
+// src/publicKeySelection.ts
+import { readdirSync, readFileSync } from "fs";
+import { homedir } from "os";
+import { basename, join } from "path";
+var PUBLIC_KEY_PROMPT_OPTIONS = [
+  {
+    description: "Read a public key from ~/.ssh and embed it directly into server.ts for the bootstrap admin user.",
+    label: "Use local public key",
+    value: "local"
+  },
+  {
+    description: "Keep the placeholder in server.ts and paste your public key manually before the first apply.",
+    label: "Keep placeholder",
+    value: "placeholder"
+  }
+];
+var supportedOpenSshAlgorithms = /* @__PURE__ */ new Set([
+  "ecdsa-sha2-nistp256",
+  "ecdsa-sha2-nistp384",
+  "ecdsa-sha2-nistp521",
+  "sk-ecdsa-sha2-nistp256@openssh.com",
+  "sk-ssh-ed25519@openssh.com",
+  "ssh-ed25519",
+  "ssh-rsa"
+]);
+function parseOpenSshPublicKey(value) {
+  if (value.length === 0 || value.includes("\n")) {
+    return null;
+  }
+  const parts = value.split(new RegExp("\\s+", "v"));
+  if (parts.length < 2) {
+    return null;
+  }
+  const algorithm = parts[0];
+  const encodedKey = parts[1];
+  if (!supportedOpenSshAlgorithms.has(algorithm)) {
+    return null;
+  }
+  return {
+    algorithm,
+    encodedKey
+  };
+}
+function trimBase64Padding(value) {
+  let endIndex = value.length;
+  while (endIndex > 0 && value[endIndex - 1] === "=") {
+    endIndex--;
+  }
+  return value.slice(0, endIndex);
+}
+function isBase64AlphaNumeric(character) {
+  return character >= "A" && character <= "Z" || character >= "a" && character <= "z" || character >= "0" && character <= "9";
+}
+function isBase64DataCharacter(character) {
+  return isBase64AlphaNumeric(character) || character === "+" || character === "/";
+}
+function updatePaddingState(character, state) {
+  if (character !== "=") {
+    return null;
+  }
+  const nextState = {
+    paddingCount: state.paddingCount + 1,
+    sawPadding: true
+  };
+  return nextState.paddingCount <= 2 ? nextState : null;
+}
+function hasValidBase64Alphabet(value) {
+  if (value.length === 0) {
+    return false;
+  }
+  const state = { paddingCount: 0, sawPadding: false };
+  for (const character of value) {
+    if (isBase64DataCharacter(character)) {
+      if (state.sawPadding) {
+        return false;
+      }
+      continue;
+    }
+    const nextState = updatePaddingState(character, state);
+    if (nextState != null) {
+      state.paddingCount = nextState.paddingCount;
+      state.sawPadding = nextState.sawPadding;
+      continue;
+    }
+    return false;
+  }
+  return true;
+}
+function isCanonicalBase64(value) {
+  if (!hasValidBase64Alphabet(value)) {
+    return false;
+  }
+  try {
+    const decoded = Buffer.from(value, "base64");
+    if (decoded.length === 0) {
+      return false;
+    }
+    const normalizedValue = trimBase64Padding(value);
+    const encodedAgain = trimBase64Padding(decoded.toString("base64"));
+    return encodedAgain === normalizedValue;
+  } catch {
+    return false;
+  }
+}
+function isValidAdminPublicKey(value) {
+  const parsedKey = parseOpenSshPublicKey(value.trim());
+  return parsedKey != null && isCanonicalBase64(parsedKey.encodedKey);
+}
+function validateAdminPublicKey(exitWithMessage2, value, optionName = "--admin-public-key") {
+  const normalizedValue = value.trim();
+  if (!isValidAdminPublicKey(normalizedValue)) {
+    exitWithMessage2(
+      `Error: Invalid value for "${optionName}" \u2014 provide a valid single-line OpenSSH public key.`
+    );
+  }
+  return normalizedValue;
+}
+function readAdminPublicKeyFile(exitWithMessage2, path) {
+  let value;
+  try {
+    value = readFileSync(path, "utf8");
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    exitWithMessage2(`Error: Failed to read "--admin-public-key-file" from "${path}": ${message}`);
+  }
+  return validateAdminPublicKey(exitWithMessage2, value, "--admin-public-key-file");
+}
+function discoverLocalPublicKeys(sshDirectory = join(homedir(), ".ssh")) {
+  try {
+    return readdirSync(sshDirectory).filter((entry) => entry.endsWith(".pub")).sort((left, right) => left.localeCompare(right)).flatMap((entry) => {
+      const path = join(sshDirectory, entry);
+      try {
+        const key = readFileSync(path, "utf8").trim();
+        if (!isValidAdminPublicKey(key)) {
+          return [];
+        }
+        return [{ key, label: basename(entry), path }];
+      } catch {
+        return [];
+      }
+    });
+  } catch {
+    return [];
+  }
+}
+function createPublicKeyOptions(publicKeys) {
+  return publicKeys.map((publicKey) => ({
+    description: publicKey.path,
+    label: publicKey.label,
+    value: publicKey.path
+  }));
+}
+async function promptForAdminPublicKey(select, publicKeys = discoverLocalPublicKeys()) {
+  const publicKeyMode = await select(
+    "How should create-paratix configure the admin SSH public key?",
+    PUBLIC_KEY_PROMPT_OPTIONS
+  );
+  if (publicKeyMode !== "local") {
+    return void 0;
+  }
+  if (publicKeys.length === 0) {
+    console.error(
+      "No readable public keys were found in ~/.ssh. Keeping the placeholder in server.ts."
+    );
+    return void 0;
+  }
+  if (publicKeys.length === 1) {
+    return publicKeys[0]?.key;
+  }
+  const selectedPath = await select(
+    "Select the public key to embed into server.ts:",
+    createPublicKeyOptions(publicKeys)
+  );
+  return publicKeys.find((publicKey) => publicKey.path === selectedPath)?.key;
+}
+
+// src/scaffoldConfig.ts
+var CLI_USAGE = "Usage: create-paratix <project-name> [--host <domain-or-ip>] [--initial-user <root|name>] [--admin-public-key <ssh-public-key>] [--admin-public-key-file <path>]";
+function normalizeInitialUserName(name) {
+  return name.trim();
+}
+function isValidInitialUserName(name) {
+  return new RegExp("^(?:root|[a-z_][a-z0-9_\\x2d]*\\$?)$", "v").test(name);
+}
+function parseInitialUserConfig(exitWithMessage2, value) {
+  const normalizedValue = normalizeInitialUserName(value);
+  if (!isValidInitialUserName(normalizedValue)) {
+    exitWithMessage2(
+      `Error: Invalid initial user "${value}" \u2014 use "root" or a valid lowercase Linux username.`
+    );
+  }
+  return normalizedValue === "root" ? { kind: "root" } : { kind: "admin", user: normalizedValue };
+}
+function normalizeHost(value) {
+  return value.trim();
+}
+function isValidHost(value) {
+  const normalizedValue = normalizeHost(value);
+  return normalizedValue.length > 0 && !new RegExp("\\s", "v").test(normalizedValue);
+}
+function validateHost(exitWithMessage2, value) {
+  const normalizedValue = normalizeHost(value);
+  if (!isValidHost(normalizedValue)) {
+    exitWithMessage2(
+      `Error: Invalid host "${value}" \u2014 use a domain name, IPv4, or IPv6 address without spaces.`
+    );
+  }
+  return normalizedValue;
+}
+async function promptForHost(prompt) {
+  for (; ; ) {
+    const host = normalizeHost(await prompt("Server host (domain or IP): "));
+    if (isValidHost(host)) {
+      return host;
+    }
+    console.error("Error: Please enter a domain name, IPv4, or IPv6 address without spaces.");
+  }
+}
+function parseArgumentValue(argv, index, parameters) {
+  const value = argv.at(index + 1);
+  if (value == null || value.startsWith("--")) {
+    parameters.exitWithMessage(`Error: Missing value for "${parameters.optionName}".`);
+  }
+  return value;
+}
+function handleUnknownOption(argument, exitWithMessage2) {
+  if (argument === "--bootstrap-root") {
+    exitWithMessage2('Error: "--bootstrap-root" was removed. Use "--initial-user root" instead.');
+  }
+  exitWithMessage2(`Error: Unknown option "${argument}".`);
+}
+function parseOptionAssignment(parameters) {
+  if (parameters.argument === "--host") {
+    return {
+      host: parseArgumentValue(parameters.argv, parameters.index, {
+        exitWithMessage: parameters.exitWithMessage,
+        optionName: "--host"
+      })
+    };
+  }
+  if (parameters.argument === "--initial-user") {
+    return {
+      initialUser: parseArgumentValue(parameters.argv, parameters.index, {
+        exitWithMessage: parameters.exitWithMessage,
+        optionName: "--initial-user"
+      })
+    };
+  }
+  if (parameters.argument === "--admin-public-key") {
+    return {
+      adminPublicKey: parseArgumentValue(parameters.argv, parameters.index, {
+        exitWithMessage: parameters.exitWithMessage,
+        optionName: "--admin-public-key"
+      })
+    };
+  }
+  if (parameters.argument === "--admin-public-key-file") {
+    return {
+      adminPublicKeyFile: parseArgumentValue(parameters.argv, parameters.index, {
+        exitWithMessage: parameters.exitWithMessage,
+        optionName: "--admin-public-key-file"
+      })
+    };
+  }
+  return null;
+}
+function parseCliArguments(argv, exitWithMessage2) {
+  const parsed = {
+    adminPublicKey: void 0,
+    adminPublicKeyFile: void 0,
+    host: void 0,
+    initialUser: void 0,
+    projectName: void 0
+  };
+  for (let index = 0; index < argv.length; index++) {
+    const argument = argv[index];
+    const optionAssignment = parseOptionAssignment({ argument, argv, exitWithMessage: exitWithMessage2, index });
+    if (optionAssignment != null) {
+      Object.assign(parsed, optionAssignment);
+      index++;
+      continue;
+    }
+    parsed.projectName = handlePositionalOrUnknownArgument(
+      parsed.projectName,
+      argument,
+      exitWithMessage2
+    );
+  }
+  validatePublicKeyOptions(parsed, exitWithMessage2);
+  return parsed;
+}
+function handlePositionalOrUnknownArgument(projectName, argument, exitWithMessage2) {
+  if (argument.startsWith("--")) {
+    handleUnknownOption(argument, exitWithMessage2);
+  }
+  if (projectName == null) {
+    return argument;
+  }
+  exitWithMessage2(CLI_USAGE);
+}
+function validatePublicKeyOptions(parsed, exitWithMessage2) {
+  if (parsed.adminPublicKey == null || parsed.adminPublicKeyFile == null) {
+    return;
+  }
+  exitWithMessage2('Error: Use either "--admin-public-key" or "--admin-public-key-file", not both.');
+}
+
+// src/interactivePrompts.ts
+var NOOP = () => void 0;
+var INTERACTIVE_SELECTION_UNAVAILABLE = "Interactive selection is unavailable.";
+var UNAVAILABLE_SELECT = (() => {
+  throw new Error(INTERACTIVE_SELECTION_UNAVAILABLE);
+});
+var INITIAL_USER_OPTIONS = [
+  {
+    description: "Fresh server with SSH access only as root. Paratix bootstraps a dedicated admin user first.",
+    label: "Root user",
+    value: "root"
+  },
+  {
+    description: "A named admin user already exists. Paratix connects directly as that user and skips root bootstrap.",
+    label: "Admin user",
+    value: "admin"
+  }
+];
+var HOST_FINGERPRINT_OPTIONS = [
+  {
+    description: "Read the currently presented host key from SSH port 22 via ssh2 and pin its fingerprint in server.ts.",
+    label: "Scan host key",
+    value: "scan"
+  },
+  {
+    description: "Keep the expectedHostFingerprint placeholder in server.ts and verify the host key manually later.",
+    label: "Keep placeholder",
+    value: "placeholder"
+  }
+];
+function createTerminalPrompt() {
+  const readline = createInterface({ input: process.stdin, output: process.stdout });
+  return {
+    close: () => {
+      readline.close();
+    },
+    prompt: async (question) => readline.question(question)
+  };
+}
+function createPromptSession(prompt) {
+  const terminalPrompt = prompt == null ? createTerminalPrompt() : null;
+  const terminalSelect = prompt == null ? createTerminalSelect() : null;
+  if (terminalPrompt != null && terminalSelect != null) {
+    return {
+      ask: terminalPrompt.prompt,
+      chooseInitialUser: terminalSelect.select,
+      closePrompt: terminalPrompt.close,
+      closeSelect: terminalSelect.close
+    };
+  }
+  if (prompt == null) {
+    throw new Error("Interactive prompt is unavailable.");
+  }
+  return {
+    ask: prompt,
+    chooseInitialUser: UNAVAILABLE_SELECT,
+    closePrompt: NOOP,
+    closeSelect: NOOP
+  };
+}
+async function promptForAdminUser(ask, closePrompt) {
+  for (; ; ) {
+    const adminUser = normalizeInitialUserName(await ask("Admin username: "));
+    if (isValidInitialUserName(adminUser) && adminUser !== "root") {
+      closePrompt();
+      return { kind: "admin", user: adminUser };
+    }
+    console.error(
+      'Error: Invalid admin username. Use a valid lowercase Linux username other than "root".'
+    );
+  }
+}
+async function promptForHost2(prompt, closePrompt = NOOP) {
+  if (prompt != null) {
+    try {
+      return await promptForHost(prompt);
+    } finally {
+      closePrompt();
+    }
+  }
+  const terminalPrompt = createTerminalPrompt();
+  try {
+    return await promptForHost(terminalPrompt.prompt);
+  } finally {
+    terminalPrompt.close();
+  }
+}
+async function promptForInitialUserConfig(prompt, select) {
+  const promptSession = createPromptSession(prompt);
+  const chooseInitialUser = select ?? promptSession.chooseInitialUser;
+  try {
+    const initialUserType = await chooseInitialUser(
+      "Which SSH user already works for the first connection to this server?",
+      INITIAL_USER_OPTIONS
+    );
+    if (initialUserType === "root") {
+      promptSession.closeSelect();
+      promptSession.closePrompt();
+      return { kind: "root" };
+    }
+    return await promptForAdminUser(promptSession.ask, promptSession.closePrompt);
+  } finally {
+    promptSession.closeSelect();
+  }
+}
+async function promptForAdminPublicKey2(select, publicKeys) {
+  const terminalSelect = select == null ? createTerminalSelect() : null;
+  const choose = select ?? terminalSelect?.select;
+  if (choose == null) {
+    throw new Error(INTERACTIVE_SELECTION_UNAVAILABLE);
+  }
+  try {
+    return await promptForAdminPublicKey(choose, publicKeys);
+  } finally {
+    terminalSelect?.close();
+  }
+}
+async function promptForHostFingerprint(host, select, scanner = readHostFingerprintViaSsh2) {
+  const terminalSelect = select == null ? createTerminalSelect() : null;
+  const choose = select ?? terminalSelect?.select;
+  if (choose == null) {
+    throw new Error(INTERACTIVE_SELECTION_UNAVAILABLE);
+  }
+  try {
+    const hostKeyMode = await choose(
+      `How should create-paratix bootstrap the SSH host key for ${host}?`,
+      HOST_FINGERPRINT_OPTIONS
+    );
+    if (hostKeyMode !== "scan") {
+      return void 0;
+    }
+    try {
+      return await scanner(host);
+    } catch (error) {
+      console.error(
+        `${error instanceof Error ? error.message : String(error)} Keeping the expectedHostFingerprint placeholder in server.ts.`
+      );
+      return void 0;
+    }
+  } finally {
+    terminalSelect?.close();
+  }
+}
+
+// src/scaffoldRuntime.ts
+import { execSync } from "child_process";
+var MS_PER_MINUTE = 6e4;
+var INSTALL_TIMEOUT_MS = 12e4;
+function detectPackageManager() {
+  const agent = process.env.npm_config_user_agent ?? "";
+  if (agent.startsWith("pnpm")) {
+    return { command: "pnpm install", name: "pnpm" };
+  }
+  if (agent.startsWith("yarn")) {
+    return { command: "yarn install", name: "yarn" };
+  }
+  if (agent.startsWith("bun")) {
+    return { command: "bun install", name: "bun" };
+  }
+  return { command: "npm install", name: "npm" };
+}
+function installDependencies(projectDirectory, pm) {
+  console.log(`Installing dependencies with ${pm.name}...`);
+  try {
+    execSync(pm.command, { cwd: projectDirectory, stdio: "inherit", timeout: INSTALL_TIMEOUT_MS });
+    return true;
+  } catch (error) {
+    if (error instanceof Error && "signal" in error && error.signal === "SIGTERM") {
+      console.error(
+        `Installation timed out after ${Math.round(INSTALL_TIMEOUT_MS / MS_PER_MINUTE)} minutes.`
+      );
+    } else {
+      const message = error instanceof Error ? error.message : String(error);
+      console.error(`Failed to install dependencies: ${message}`);
+    }
+    console.error("Run install manually.");
+    return false;
+  }
+}
+function getCommandPrefix(pm) {
+  return pm.name === "npm" ? "npm run" : pm.name;
+}
+function printSuccessMessage(projectName, pm) {
+  const prefix = getCommandPrefix(pm);
+  console.log(`
+Project created successfully!
+
+  cd ${projectName}
+
+Edit server.ts with your server details, then:
+
+  ${prefix} apply:dry
+  ${prefix} apply
+`);
+}
+function printPartialSuccessMessage(projectName, pm) {
+  const prefix = getCommandPrefix(pm);
+  console.log(`
+Project files created, but dependency installation failed.
+
+  cd ${projectName}
+
+Install dependencies manually, then run:
+
+  ${prefix} apply:dry
+  ${prefix} apply
+`);
+}
+
+// src/templates.ts
+var TSCONFIG_TEMPLATE = `{
+  "compilerOptions": {
+    "target": "ES2024",
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "types": ["node"],
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true
+  },
+  "include": ["**/*.ts"]
+}
+`;
+var GITIGNORE_TEMPLATE = `node_modules/
+dist/
+.env
+*.log
+`;
+var PRETTIER_RC_TEMPLATE = `{
+  "semi": false,
+  "singleQuote": false,
+  "bracketSpacing": true,
+  "arrowParens": "always",
+  "tabWidth": 2,
+  "trailingComma": "es5",
+  "printWidth": 100
+}
+`;
+var PRETTIER_IGNORE_TEMPLATE = `pnpm-lock.yaml
+package-lock.json
+yarn.lock
+bun.lockb
+`;
+var ESLINT_CONFIG_TEMPLATE = `import { getEslintConfig } from "eslint-config-setup"
+
+export default await getEslintConfig({ node: true })
+`;
+var ENV_EXAMPLE_TEMPLATE = `# Server configuration
+# SUDO_PASSWORD=your-sudo-password
+# SSH_KEY_PATH=~/.ssh/id_ed25519
+`;
+var AUTO_UPGRADES_20_TEMPLATE = `APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+`;
+var UNATTENDED_UPGRADES_50_TEMPLATE = `Unattended-Upgrade::Origins-Pattern {
+        "origin=\${distro_id},archive=\${distro_codename}-security";
+};
+
+Unattended-Upgrade::Automatic-Reboot "true";
+Unattended-Upgrade::Automatic-Reboot-Time "03:30";
+`;
+function createAdminNopasswdSudoersContent(adminUser) {
+  return `# Bootstrap default: dedicated admin user with passwordless sudo.
+# This keeps the post-bootstrap Paratix workflow non-interactive after the
+# initial root run. If you prefer password-protected sudo later, replace this
+# with a stricter policy after the bootstrap is complete.
+${adminUser} ALL=(ALL:ALL) NOPASSWD:ALL
+`;
+}
+function createBaseServerHeader({
+  adminPublicKey,
+  adminUserDeclaration,
+  expectedHostFingerprint,
+  host,
+  sshUser
+}) {
+  const strictHostKeyCheckingDeclaration = expectedHostFingerprint == null ? 'const strictHostKeyChecking = FIRST_RUN ? "accept-new" : "yes";' : 'const strictHostKeyChecking = "yes";';
+  const expectedHostFingerprintLine = expectedHostFingerprint == null ? '    // expectedHostFingerprint: "SHA256:REPLACE_ME_WITH_YOUR_HOST_FINGERPRINT",' : `    expectedHostFingerprint: ${JSON.stringify(expectedHostFingerprint)}, // captured from port 22 during scaffolding`;
+  return `import { firstRun, recipe, server } from "paratix";
+import { file, hostname, net, package as packages, ssh, sshd, sysctl, ufw, user } from "paratix/modules";
+
+${adminUserDeclaration}
+const adminPublicKey = ${JSON.stringify(adminPublicKey ?? "ssh-ed25519 REPLACE_ME_WITH_YOUR_PUBLIC_KEY")};
+const serverName = "my-server";
+const FIRST_RUN = process.env["PARATIX_FIRST_RUN"] === "true";
+const sshPorts = FIRST_RUN ? [22] : [2222];
+const firewallTcpPorts = FIRST_RUN ? [22, 2222, 80, 443] : [2222, 80, 443];
+${strictHostKeyCheckingDeclaration}
+
+export default server({
+  name: serverName,
+  host: ${JSON.stringify(host)},
+  ssh: {
+    ports: sshPorts,
+    privateKey: "~/.ssh/id_ed25519", // "~" is expanded by Paratix
+    // FIRST_RUN keeps the bootstrap path explicit:
+    // - pass "paratix apply ... --first-run" for the bootstrap run
+    // - later runs omit that flag and go through port 2222 with strict host-key checking again
+    strictHostKeyChecking,
+    user: ${sshUser},
+${expectedHostFingerprintLine}
+    // expectedHostPublicKey: "ssh-ed25519 REPLACE_ME_WITH_YOUR_HOST_PUBLIC_KEY",
+  },
+  env: {
+    FIRST_RUN,
+    SERVER_NAME: serverName,
+    SSH_PORT: 2222,
+  },
+  run: [
+    net.hosts("127.0.1.1", [serverName]),
+    hostname.set(serverName),
+    packages.upgrade("2026-03-01"),
+    packages.installed("curl", "htop", "ufw"),
+`;
+}
+function createFirewallRecipe() {
+  return `
+    recipe("firewall", [
+      ufw.rule("allow", firewallTcpPorts),
+      ufw.enabled(),
+    ]),
+`;
+}
+function createKernelHardeningRecipe() {
+  return `
+    recipe("kernel-hardening", [
+      sysctl.set("fs.protected_hardlinks", "1"),
+      sysctl.set("fs.protected_symlinks", "1"),
+      sysctl.set("kernel.dmesg_restrict", "1"),
+      sysctl.set("kernel.kptr_restrict", "2"),
+      sysctl.set("net.ipv4.conf.all.rp_filter", "1"),
+      sysctl.set("net.ipv4.conf.default.rp_filter", "1"),
+      sysctl.set("net.ipv4.tcp_syncookies", "1"),
+    ]),
+`;
+}
+function createAutomaticSecurityUpgradesRecipe() {
+  return `
+    recipe("automatic-security-upgrades", [
+      packages.installed("unattended-upgrades"),
+      file.copy("/etc/apt/apt.conf.d/20auto-upgrades", "./files/20auto-upgrades", {
+        mode: "0644",
+        owner: "root:root",
+      }),
+      file.copy("/etc/apt/apt.conf.d/50unattended-upgrades", "./files/50unattended-upgrades", {
+        mode: "0644",
+        owner: "root:root",
+      }),
+    ]),
+`;
+}
+function createFirstRunStopModule() {
+  return `
+    firstRun.stop("Bootstrap foundation complete; rerun without --first-run to continue."),
+
+    // Add application and user-facing services below this line.
+`;
+}
+function createAdminRecipe(recipeName) {
+  return `
+    recipe("${recipeName}", [
+      user.present(adminUser, {
+        groups: ["sudo"],
+        shell: "/bin/bash",
+      }),
+      ssh.authorizedKeys(adminUser, adminPublicKey),
+    ]),
+`;
+}
+function createHardenedAdminServerTemplate(parameters) {
+  const { adminPublicKey, expectedHostFingerprint, host, initialAdminUser } = parameters;
+  const adminUserDeclaration = `const adminUser = "${initialAdminUser}";`;
+  return `${createBaseServerHeader({
+    adminPublicKey,
+    adminUserDeclaration,
+    expectedHostFingerprint,
+    host,
+    sshUser: "adminUser"
+  })}
+${createAdminRecipe("admin-access")}
+${createFirewallRecipe()}
+    recipe("ssh-hardening", [
+      sshd.port(2222),
+      sshd.config({
+        PasswordAuthentication: "no",
+        PermitRootLogin: "no",
+      }),
+    ]),
+${createKernelHardeningRecipe()}
+${createAutomaticSecurityUpgradesRecipe()}
+${createFirstRunStopModule()}
+  ],
+});
+`;
+}
+function createBootstrapRootServerTemplate(host, adminPublicKey, expectedHostFingerprint) {
+  const adminUserDeclaration = 'const adminUser = "paratix";';
+  return `${createBaseServerHeader({
+    adminPublicKey,
+    adminUserDeclaration,
+    expectedHostFingerprint,
+    host,
+    sshUser: 'FIRST_RUN ? "root" : adminUser'
+  })}
+${createAdminRecipe("bootstrap-admin-user")}
+    recipe("bootstrap-admin-sudo", [
+      file.copy(
+        "/etc/sudoers.d/90-paratix-admin-nopasswd",
+        "./files/admin-nopasswd-sudoers",
+        {
+          mode: "0440",
+          owner: "root:root",
+        }
+      ),
+    ]),
+${createFirewallRecipe()}
+    // Transitional bootstrap mode:
+    // 1. Run this once as root with "--first-run" to create the dedicated admin user.
+    // 2. The generated sudoers drop-in keeps the new admin path non-interactive via NOPASSWD sudo.
+    // 3. Later runs omit "--first-run" and connect as the dedicated admin user on port 2222.
+    // 4. The next regular run disables root login completely.
+    recipe("ssh-hardening-transition", [
+      sshd.port(2222),
+      sshd.config({
+        PasswordAuthentication: "no",
+        PermitRootLogin: FIRST_RUN ? "prohibit-password" : "no",
+      }),
+    ]),
+${createKernelHardeningRecipe()}
+${createAutomaticSecurityUpgradesRecipe()}
+${createFirstRunStopModule()}
+  ],
+});
+`;
+}
+function createServerTemplate(options) {
+  return options.initialUser.kind === "root" ? createBootstrapRootServerTemplate(
+    options.host,
+    options.adminPublicKey,
+    options.expectedHostFingerprint
+  ) : createHardenedAdminServerTemplate({
+    adminPublicKey: options.adminPublicKey,
+    expectedHostFingerprint: options.expectedHostFingerprint,
+    host: options.host,
+    initialAdminUser: options.initialUser.user
+  });
+}
+
+// src/index.ts
+function writeSharedScaffoldFiles(projectDirectory) {
+  writeFileSync(join2(projectDirectory, "tsconfig.json"), TSCONFIG_TEMPLATE);
+  writeFileSync(join2(projectDirectory, ".gitignore"), GITIGNORE_TEMPLATE);
+  writeFileSync(join2(projectDirectory, ".prettierrc"), PRETTIER_RC_TEMPLATE);
+  writeFileSync(join2(projectDirectory, ".prettierignore"), PRETTIER_IGNORE_TEMPLATE);
+  writeFileSync(join2(projectDirectory, "eslint.config.ts"), ESLINT_CONFIG_TEMPLATE);
+  writeFileSync(join2(projectDirectory, ".env.example"), ENV_EXAMPLE_TEMPLATE);
+}
+function writeScaffoldSupportFiles(projectDirectory, initialUser) {
+  writeFileSync(join2(projectDirectory, "files", ".gitkeep"), "");
+  writeFileSync(join2(projectDirectory, "files", "20auto-upgrades"), AUTO_UPGRADES_20_TEMPLATE);
+  writeFileSync(
+    join2(projectDirectory, "files", "50unattended-upgrades"),
+    UNATTENDED_UPGRADES_50_TEMPLATE
+  );
+  if (initialUser.kind !== "root") return;
+  writeFileSync(
+    join2(projectDirectory, "files", "admin-nopasswd-sudoers"),
+    createAdminNopasswdSudoersContent("paratix")
+  );
+}
+function writeProjectFiles(projectDirectory, options) {
+  mkdirSync(projectDirectory, { recursive: true });
+  mkdirSync(join2(projectDirectory, "files"), { recursive: true });
+  const host = options?.host ?? "1.2.3.4";
+  const initialUser = options?.initialUser ?? { kind: "admin", user: "paratix" };
+  const adminPublicKey = options?.adminPublicKey;
+  const expectedHostFingerprint = options?.expectedHostFingerprint;
+  const packageJson = {
+    dependencies: {
+      paratix: "^0.1.0"
+    },
+    devDependencies: {
+      "@types/node": "^24.5.2",
+      eslint: "^10.0.3",
+      "eslint-config-setup": "^0.3.3",
+      prettier: "^3.6.2",
+      tsx: "^4.20.6"
+    },
+    engines: {
+      node: ">=24.0.0"
+    },
+    name: derivePackageName(projectDirectory),
+    private: true,
+    scripts: {
+      apply: "paratix apply server.ts",
+      "apply:dry": "paratix apply server.ts --dry-run",
+      "format:check": "prettier --check .",
+      "format:fix": "prettier --write .",
+      lint: "eslint ."
+    },
+    type: "module"
+  };
+  writeFileSync(join2(projectDirectory, "package.json"), `${JSON.stringify(packageJson, null, 2)}
+`);
+  writeFileSync(
+    join2(projectDirectory, "server.ts"),
+    createServerTemplate({ adminPublicKey, expectedHostFingerprint, host, initialUser })
+  );
+  writeSharedScaffoldFiles(projectDirectory);
+  writeScaffoldSupportFiles(projectDirectory, initialUser);
+}
+function isValidProjectName(name) {
+  const trimmed = name.trim();
+  return new RegExp("^[a-z0-9][a-z0-9\\x2d]*$", "v").test(trimmed);
+}
+function normalizeProjectName(name) {
+  return name.trim();
+}
+function derivePackageName(projectDirectory) {
+  return basename2(projectDirectory.replaceAll("\\", "/"));
+}
+function exitWithMessage(message) {
+  console.error(message);
+  process.exit(1);
+}
+function parseCliArguments2(argv) {
+  return parseCliArguments(argv, exitWithMessage);
+}
+function parseInitialUserConfig2(value) {
+  return parseInitialUserConfig(exitWithMessage, value);
+}
+function validateHost2(value) {
+  return validateHost(exitWithMessage, value);
+}
+function validateProjectName(name) {
+  if (name == null || name === "") {
+    exitWithMessage("Usage: create-paratix <project-name>");
+  }
+  const normalizedName = normalizeProjectName(name);
+  if (!isValidProjectName(normalizedName)) {
+    exitWithMessage(
+      `Error: Invalid project name "${name}" \u2014 use only lowercase letters, numbers, and hyphens.`
+    );
+  }
+  return normalizedName;
+}
+function scaffoldProject(projectName, pm, options) {
+  const normalizedProjectName = normalizeProjectName(projectName);
+  const projectDirectory = resolve(normalizedProjectName);
+  if (existsSync(projectDirectory)) {
+    exitWithMessage(`Error: Directory "${normalizedProjectName}" already exists.`);
+  }
+  console.log(`Creating Paratix project in ${projectDirectory}...`);
+  writeProjectFiles(projectDirectory, options);
+  const installer = options?.installer ?? installDependencies;
+  const installed = installer(projectDirectory, pm);
+  if (!installed) {
+    process.exitCode = 1;
+    printPartialSuccessMessage(normalizedProjectName, pm);
+    return false;
+  }
+  printSuccessMessage(normalizedProjectName, pm);
+  return true;
+}
+async function resolveCliOrPromptAdminPublicKey(parameters) {
+  const { adminPublicKey, adminPublicKeyFile } = parameters;
+  if (adminPublicKey !== void 0) {
+    return validateAdminPublicKey(exitWithMessage, adminPublicKey);
+  }
+  if (adminPublicKeyFile !== void 0) {
+    return readAdminPublicKeyFile(exitWithMessage, adminPublicKeyFile);
+  }
+  if (process.stdin.isTTY && process.stdout.isTTY) {
+    return promptForAdminPublicKey2();
+  }
+  return void 0;
+}
+function main() {
+  const { adminPublicKey, adminPublicKeyFile, host, initialUser, projectName } = parseCliArguments2(
+    process.argv.slice(2)
+  );
+  const normalizedProjectName = validateProjectName(projectName);
+  const pm = detectPackageManager();
+  void (async () => {
+    const validatedHost = host == null ? await promptForHost2() : validateHost2(host);
+    const resolvedExpectedHostFingerprint = process.stdin.isTTY && process.stdout.isTTY ? await promptForHostFingerprint(validatedHost) : void 0;
+    const initialUserConfig = initialUser == null ? await promptForInitialUserConfig() : parseInitialUserConfig2(initialUser);
+    const resolvedAdminPublicKey = await resolveCliOrPromptAdminPublicKey({
+      adminPublicKey,
+      adminPublicKeyFile
+    });
+    scaffoldProject(normalizedProjectName, pm, {
+      adminPublicKey: resolvedAdminPublicKey,
+      expectedHostFingerprint: resolvedExpectedHostFingerprint,
+      host: validatedHost,
+      initialUser: initialUserConfig
+    });
+  })().catch((error) => {
+    console.error(error instanceof Error ? error.message : String(error));
+    process.exitCode = 1;
+  });
+}
+function isDirectExecution(moduleUrl, argv1) {
+  return argv1 != null && moduleUrl.endsWith(argv1.replaceAll("\\", "/"));
+}
+if (isDirectExecution(import.meta.url, process.argv[1])) {
+  main();
+}
+export {
+  isDirectExecution,
+  isValidHost,
+  isValidInitialUserName,
+  isValidProjectName,
+  normalizeHost,
+  normalizeInitialUserName,
+  normalizeProjectName,
+  parseCliArguments2 as parseCliArguments,
+  parseInitialUserConfig2 as parseInitialUserConfig,
+  promptForAdminPublicKey2 as promptForAdminPublicKey,
+  promptForHost2 as promptForHost,
+  promptForHostFingerprint,
+  promptForInitialUserConfig,
+  scaffoldProject,
+  validateHost2 as validateHost,
+  writeProjectFiles
+};