hackerrun 0.1.0 → 0.1.6

package/src/lib/uncloud-runner.ts

@@ -2,10 +2,20 @@
 // Executes uncloud commands using SSH certificate authentication
 // Replaces the old `uc -c <context>` approach with `uc --connect ssh+cli://`
 
-import { execSync, spawnSync, spawn, ChildProcess } from 'child_process';
-import * as net from 'net';
+import { execSync, spawnSync } from 'child_process';
 import { PlatformClient } from './platform-client.js';
 import { SSHCertManager, testIPv6Connectivity } from './ssh-cert.js';
+import { TunnelManager, TunnelInfo } from './gateway-tunnel.js';
+import {
+  VPNManager,
+  VPNConfig,
+  isWireGuardInstalled,
+  isVPNUp,
+  isRoutedViaVPN,
+  getOrCreateKeyPair,
+  testIPv6Connectivity as vpnTestIPv6,
+  getWireGuardInstallInstructions,
+} from './vpn.js';
 import chalk from 'chalk';
 
 export interface UncloudRunnerOptions {
@@ -14,20 +24,18 @@ export interface UncloudRunnerOptions {
   timeout?: number;
 }
 
-interface TunnelInfo {
-  process: ChildProcess;
-  localPort: number;
-}
-
 /**
  * UncloudRunner - Execute uncloud commands against app VMs
  * Uses SSH certificates for authentication
+ * Uses WireGuard VPN for IPv6 connectivity when direct IPv6 is unavailable
  */
 export class UncloudRunner {
   private certManager: SSHCertManager;
   private gatewayCache: Map<string, { ipv4: string; ipv6: string } | null> = new Map();
-  private activeTunnels: Map<string, TunnelInfo> = new Map();
+  private tunnelManager: TunnelManager = new TunnelManager();
+  private vpnManager: VPNManager = new VPNManager();
   private tempConfigPath: string | null = null;
+  private vpnEstablishedByUs: boolean = false;
 
   constructor(private platformClient: PlatformClient) {
     this.certManager = new SSHCertManager(platformClient);
@@ -35,12 +43,13 @@ export class UncloudRunner {
 
   /**
    * Get the connection URL for an app's primary VM
-   * Handles IPv6 direct connection or gateway proxy fallback
+   * Handles IPv6 direct connection, VPN, or gateway SSH tunnel fallback
    */
   async getConnectionInfo(appName: string): Promise<{
     url: string;
     vmIp: string;
     viaGateway: boolean;
+    viaVPN: boolean;
     localPort?: number;
   }> {
     // Get app info
@@ -61,31 +70,97 @@ export class UncloudRunner {
 
     // Test direct IPv6 connectivity (3 second timeout)
     const canConnectDirect = await testIPv6Connectivity(vmIp, 3000);
-    const viaGateway = !canConnectDirect;
 
-    if (viaGateway) {
-      // Need to tunnel through gateway
-      // Start a local SSH tunnel: ssh -L localport:[vmip]:22 root@gateway
-      const tunnelInfo = await this.ensureTunnel(appName, vmIp, app.location);
+    if (canConnectDirect) {
+      // Check if this connection goes through VPN (informational only)
+      const viaVPN = isRoutedViaVPN(vmIp);
 
-      // Use ssh:// through the tunnel (Go SSH library with agent)
+      // Direct IPv6 connection using ssh:// (Go SSH library with agent support)
       return {
-        url: `ssh://root@localhost:${tunnelInfo.localPort}`,
+        url: `ssh://root@${vmIp}`,
         vmIp,
-        viaGateway: true,
-        localPort: tunnelInfo.localPort,
+        viaGateway: false,
+        viaVPN,
       };
     }
 
-    // Direct IPv6 connection using ssh:// (Go SSH library with agent support)
-    // This is faster than ssh+cli:// because:
-    // - One persistent SSH connection (no per-operation process spawning)
-    // - Go's SSH library uses ssh-agent which has our temp certificate
-    // - Dialer() works for image push to unregistry
+    // No direct IPv6 - try VPN first (more reliable for large transfers)
+    const vpnAvailable = isWireGuardInstalled();
+
+    if (vpnAvailable) {
+      console.log(chalk.yellow('Direct IPv6 not available, trying VPN...'));
+
+      try {
+        // Check if VPN is already up and working
+        if (isVPNUp() && vpnTestIPv6(vmIp, 3)) {
+          console.log(chalk.green('✓ VPN already connected'));
+          return {
+            url: `ssh://root@${vmIp}`,
+            vmIp,
+            viaGateway: false,
+            viaVPN: true,
+          };
+        }
+
+        // Try to establish VPN
+        this.vpnEstablishedByUs = await this.vpnManager.ensureConnected(
+          vmIp,
+          async () => this.getVPNConfig(app.location)
+        );
+
+        // If VPN is now up, use direct connection
+        if (vpnTestIPv6(vmIp, 5)) {
+          console.log(chalk.green('✓ Connected via VPN'));
+          return {
+            url: `ssh://root@${vmIp}`,
+            vmIp,
+            viaGateway: false,
+            viaVPN: true,
+          };
+        }
+      } catch (error) {
+        console.log(chalk.yellow(`VPN setup failed: ${(error as Error).message}`));
+        console.log(chalk.dim('Falling back to SSH tunnel...'));
+      }
+    } else {
+      // WireGuard not installed - show instructions
+      console.log(chalk.yellow('Direct IPv6 not available on your network.'));
+      console.log(chalk.dim('For faster deploys, install WireGuard:'));
+      console.log(chalk.dim(getWireGuardInstallInstructions()));
+      console.log();
+    }
+
+    // VPN not available or failed - fall back to SSH tunnel (less reliable)
+    console.log(chalk.yellow('Using SSH tunnel (may be slower for large transfers)...'));
+
+    const tunnelInfo = await this.ensureTunnel(appName, vmIp, app.location);
+
     return {
-      url: `ssh://root@${vmIp}`,
+      url: `ssh://root@localhost:${tunnelInfo.localPort}`,
       vmIp,
-      viaGateway: false,
+      viaGateway: true,
+      viaVPN: false,
+      localPort: tunnelInfo.localPort,
+    };
+  }
+
+  /**
+   * Get VPN configuration from platform
+   */
+  private async getVPNConfig(location: string): Promise<VPNConfig> {
+    // Get or create keypair
+    const { privateKey, publicKey } = getOrCreateKeyPair();
+
+    // Register with platform and get config
+    const vpnConfigResponse = await this.platformClient.registerVPNPeer(publicKey, location);
+
+    return {
+      privateKey,
+      publicKey,
+      address: vpnConfigResponse.address,
+      gatewayEndpoint: vpnConfigResponse.gatewayEndpoint,
+      gatewayPublicKey: vpnConfigResponse.gatewayPublicKey,
+      allowedIPs: vpnConfigResponse.allowedIPs,
     };
   }
 
@@ -110,89 +185,14 @@ export class UncloudRunner {
    * Ensure an SSH tunnel exists for gateway fallback
    */
   private async ensureTunnel(appName: string, vmIp: string, location: string): Promise<TunnelInfo> {
-    // Check for existing tunnel
-    const existing = this.activeTunnels.get(appName);
-    if (existing && !existing.process.killed) {
-      return existing;
-    }
-
     // Get gateway
     const gateway = await this.getGateway(location);
     if (!gateway) {
       throw new Error(`No gateway found for location ${location}`);
     }
 
-    // Find an available port
-    const localPort = await this.findAvailablePort();
-
-    // Start SSH tunnel in background
-    // The SSH agent will provide the certificate for authentication
-    const tunnelProcess = spawn('ssh', [
-      '-N',  // No remote command
-      '-L', `${localPort}:[${vmIp}]:22`,  // Local port forward
-      '-o', 'StrictHostKeyChecking=no',
-      '-o', 'UserKnownHostsFile=/dev/null',
-      '-o', 'LogLevel=ERROR',
-      '-o', 'ExitOnForwardFailure=yes',
-      '-o', 'ServerAliveInterval=30',
-      `root@${gateway.ipv4}`,
-    ], {
-      detached: true,
-      stdio: 'pipe',
-    });
-
-    // Wait for tunnel to be established
-    await this.waitForTunnel(localPort);
-
-    const tunnelInfo: TunnelInfo = { process: tunnelProcess, localPort };
-    this.activeTunnels.set(appName, tunnelInfo);
-
-    return tunnelInfo;
-  }
-
-  /**
-   * Find an available local port
-   */
-  private async findAvailablePort(): Promise<number> {
-    return new Promise((resolve, reject) => {
-      const server = net.createServer();
-      server.listen(0, () => {
-        const port = server.address().port;
-        server.close(() => resolve(port));
-      });
-      server.on('error', reject);
-    });
-  }
-
-  /**
-   * Wait for tunnel to be established
-   */
-  private async waitForTunnel(port: number, timeoutMs: number = 10000): Promise<void> {
-    const startTime = Date.now();
-
-    while (Date.now() - startTime < timeoutMs) {
-      try {
-        await new Promise<void>((resolve, reject) => {
-          const socket = net.createConnection(port, 'localhost', () => {
-            socket.destroy();
-            resolve();
-          });
-          socket.on('error', () => {
-            socket.destroy();
-            reject();
-          });
-          socket.setTimeout(500, () => {
-            socket.destroy();
-            reject();
-          });
-        });
-        return;
-      } catch {
-        await new Promise(r => setTimeout(r, 200));
-      }
-    }
-
-    throw new Error(`Tunnel failed to establish on port ${port}`);
+    // Use shared tunnel manager
+    return this.tunnelManager.ensureTunnel(appName, vmIp, gateway.ipv4);
   }
 
   /**
@@ -304,6 +304,34 @@ export class UncloudRunner {
     return execSync(`${sshCmd} "${command}"`, { encoding: 'utf-8' }).trim();
   }
 
+  /**
+   * Remove a node from the uncloud cluster
+   * Uses 'uc machine rm' to drain containers and remove from cluster
+   */
+  async removeNode(appName: string, nodeName: string): Promise<void> {
+    // Get connection info to primary node
+    const connInfo = await this.getConnectionInfo(appName);
+
+    // Run uc machine rm with --yes to skip confirmation
+    // The --no-reset flag is NOT used because we're deleting the VM anyway
+    const result = spawnSync('uc', ['--connect', connInfo.url, 'machine', 'rm', nodeName, '--yes'], {
+      stdio: 'inherit',
+      timeout: 300000, // 5 minute timeout for container drainage
+    });
+
+    if (result.status !== 0) {
+      throw new Error(`Failed to remove node '${nodeName}' from cluster (exit code ${result.status})`);
+    }
+  }
+
+  /**
+   * List machines in the uncloud cluster
+   */
+  async listMachines(appName: string): Promise<string> {
+    const result = await this.run(appName, 'machine', ['ls'], { stdio: 'pipe' });
+    return result as string;
+  }
+
   /**
    * Get gateway info (cached)
    */
@@ -323,20 +351,19 @@ export class UncloudRunner {
   }
 
   /**
-   * Clean up all SSH sessions and tunnels
+   * Clean up all SSH sessions, tunnels, and VPN
    */
   cleanup(): void {
     // Kill all active tunnels
-    for (const [appName, tunnel] of this.activeTunnels) {
-      try {
-        tunnel.process.kill();
-      } catch {
-        // Ignore errors during cleanup
-      }
-    }
-    this.activeTunnels.clear();
+    this.tunnelManager.closeAll();
 
     // Clean up SSH certificate sessions
     this.certManager.cleanupAll();
+
+    // Disconnect VPN if we established it
+    if (this.vpnEstablishedByUs) {
+      this.vpnManager.disconnect();
+      this.vpnEstablishedByUs = false;
+    }
   }
 }

package/src/lib/uncloud.ts

@@ -30,12 +30,21 @@ export class UncloudManager {
 
   /**
    * Check if uncloud is installed, offer to install if not
+   * @param options.nonInteractive - If true, fail immediately without prompting (for CI/CD)
    */
-  static async ensureInstalled(): Promise<void> {
+  static async ensureInstalled(options?: { nonInteractive?: boolean }): Promise<void> {
     if (this.isInstalled()) {
       return;
     }
 
+    // In non-interactive mode (CI/CD), fail immediately with clear error
+    if (options?.nonInteractive) {
+      console.error(chalk.red('\n❌ Uncloud CLI (uc) not found\n'));
+      console.error('The uncloud CLI must be installed on the build VM.');
+      console.error('This is a build infrastructure issue - the uc binary should be pre-installed.\n');
+      process.exit(1);
+    }
+
     console.log(chalk.yellow('\n⚠️  Uncloud CLI not found\n'));
     console.log('Uncloud is required to deploy and manage your apps.');
     console.log('Learn more: https://uncloud.run\n');