hackerrun 0.1.0

package/src/lib/app-config.ts

@@ -0,0 +1,95 @@
+// Local app configuration file (hackerrun.yaml)
+// This file links a local directory to a deployed app
+
+import { existsSync, readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+import { parse, stringify } from 'yaml';
+
+export interface AppConfig {
+  appName: string;  // Links this directory to an app
+}
+
+const CONFIG_FILENAME = 'hackerrun.yaml';
+
+/**
+ * Get the config file path for a directory
+ */
+export function getConfigPath(directory: string = process.cwd()): string {
+  return join(directory, CONFIG_FILENAME);
+}
+
+/**
+ * Check if a hackerrun.yaml file exists
+ */
+export function hasAppConfig(directory: string = process.cwd()): boolean {
+  return existsSync(getConfigPath(directory));
+}
+
+/**
+ * Read the hackerrun.yaml config
+ */
+export function readAppConfig(directory: string = process.cwd()): AppConfig | null {
+  const configPath = getConfigPath(directory);
+  if (!existsSync(configPath)) {
+    return null;
+  }
+
+  try {
+    const content = readFileSync(configPath, 'utf-8');
+    const config = parse(content) as AppConfig;
+
+    if (!config.appName) {
+      return null;
+    }
+
+    return config;
+  } catch (error) {
+    console.error(`Failed to parse ${CONFIG_FILENAME}:`, error);
+    return null;
+  }
+}
+
+/**
+ * Write the hackerrun.yaml config
+ */
+export function writeAppConfig(config: AppConfig, directory: string = process.cwd()): void {
+  const configPath = getConfigPath(directory);
+  const content = stringify(config);
+  writeFileSync(configPath, content, 'utf-8');
+}
+
+/**
+ * Get the app name for the current directory
+ * - First checks hackerrun.yaml
+ * - Falls back to folder name if no config exists
+ */
+export function getAppName(directory: string = process.cwd()): string {
+  const config = readAppConfig(directory);
+  if (config?.appName) {
+    return config.appName;
+  }
+
+  // Fallback to folder name (for backwards compatibility)
+  const folderName = directory.split('/').pop() || 'app';
+  return folderName.toLowerCase().replace(/[^a-z0-9_-]/g, '-');
+}
+
+/**
+ * Link the current directory to an app
+ */
+export function linkApp(appName: string, directory: string = process.cwd()): void {
+  writeAppConfig({ appName }, directory);
+}
+
+/**
+ * Unlink the current directory from an app
+ */
+export function unlinkApp(directory: string = process.cwd()): boolean {
+  const configPath = getConfigPath(directory);
+  if (existsSync(configPath)) {
+    const { unlinkSync } = require('fs');
+    unlinkSync(configPath);
+    return true;
+  }
+  return false;
+}

package/src/lib/cluster.ts

@@ -0,0 +1,428 @@
+import { AppCluster, VMNode, PlatformClient } from './platform-client.js';
+import { SSHCertManager } from './ssh-cert.js';
+import { execSync } from 'child_process';
+import ora from 'ora';
+import chalk from 'chalk';
+
+// Platform SSH keys cached for the session
+let platformKeysCache: { caPublicKey: string; platformPublicKey: string } | null = null;
+
+export interface ClusterInitOptions {
+  appName: string;
+  location: string;
+  vmSize: string;
+  storageSize: number;  // GB
+  bootImage: string;
+}
+
+export class ClusterManager {
+  private sshCertManager: SSHCertManager;
+
+  constructor(
+    private platformClient: PlatformClient
+  ) {
+    this.sshCertManager = new SSHCertManager(platformClient);
+  }
+
+  /**
+   * Get platform SSH keys (cached for the session)
+   * Returns CA public key and platform public key for VM creation
+   */
+  private async getPlatformKeys(): Promise<{ caPublicKey: string; platformPublicKey: string }> {
+    if (platformKeysCache) {
+      return platformKeysCache;
+    }
+
+    try {
+      platformKeysCache = await this.platformClient.getPlatformSSHKeys();
+      return platformKeysCache;
+    } catch (error) {
+      throw new Error(`Failed to get platform SSH keys: ${(error as Error).message}`);
+    }
+  }
+
+  /**
+   * Initialize a new cluster for an app (creates first VM and sets up uncloud)
+   *
+   * Flow:
+   * 1. Create VM with platform SSH key
+   * 2. Wait for VM to get IPv6 address
+   * 3. Call platform API to setup VM (DNS64, WireGuard, SSH CA)
+   * 4. Run `uc machine init` to install Docker + uncloud
+   * 5. Configure Docker for NAT64
+   * 6. Save app state to platform
+   *
+   * Users access VMs via SSH certificates signed by the platform CA.
+   */
+  async initializeCluster(options: ClusterInitOptions): Promise<AppCluster> {
+    const { appName, location, vmSize, storageSize, bootImage } = options;
+
+    // Generate VM name
+    const vmName = `${appName}-vm-${this.generateId()}`;
+
+    let spinner = ora(`Creating VM '${vmName}' in ${location}...`).start();
+
+    try {
+      // Get platform SSH keys (for VM creation)
+      spinner.text = 'Fetching platform SSH keys...';
+      const platformKeys = await this.getPlatformKeys();
+
+      // Get gateway info to get the private subnet ID for NAT64 routing
+      const gateway = await this.platformClient.getGateway(location);
+      const privateSubnetId = gateway?.subnetId;
+
+      // Create IPv6-only VM via platform API with platform SSH key
+      // VM is placed in the same private subnet as the gateway for NAT64 routing
+      spinner.text = `Creating VM '${vmName}'...`;
+      const vm = await this.platformClient.createVM({
+        name: vmName,
+        location,
+        size: vmSize,
+        storage_size: storageSize,
+        boot_image: bootImage,
+        unix_user: 'root',
+        public_key: platformKeys.platformPublicKey,
+        enable_ip4: !privateSubnetId,  // IPv6-only if we have a subnet for NAT64
+        private_subnet_id: privateSubnetId,
+      });
+
+      spinner.text = `Waiting for VM to be ready...`;
+      spinner.stop();
+
+      console.log(chalk.cyan('\nWaiting for VM to get an IPv6 address...'));
+
+      // Wait for VM to have IPv6 (we're creating IPv6-only VMs)
+      const vmWithIp = await this.waitForVM(location, vmName, 600, false); // 10 min timeout
+
+      spinner = ora('Setting up VM...').start();
+
+      // Wait for SSH to be ready
+      spinner.text = 'Waiting for SSH to be ready...';
+      await this.sleep(30000); // 30 seconds
+
+      // Step 1: Platform sets up VM (DNS64, WireGuard, SSH CA)
+      spinner.text = 'Configuring VM (DNS64, NAT64, SSH CA)...';
+      await this.platformClient.setupVM(vmWithIp.ip6!, location, appName);
+
+      // Create cluster state and save to backend BEFORE requesting SSH certificate
+      // (certificate request requires app to exist in database)
+      const cluster: AppCluster = {
+        appName,
+        location,
+        nodes: [{
+          name: vmName,
+          id: vm.id,
+          ipv6: vmWithIp.ip6,
+          isPrimary: true,
+        }],
+        uncloudContext: appName,
+        createdAt: new Date().toISOString(),
+      };
+      spinner.text = 'Registering app...';
+      const savedCluster = await this.platformClient.saveApp(cluster);
+
+      // Step 2: Initialize uncloud (installs Docker + uncloud daemon)
+      spinner.text = 'Installing Docker and Uncloud...';
+      spinner.stop();
+      console.log(chalk.cyan('\nInitializing uncloud (this may take a few minutes)...'));
+      await this.initializeUncloud(vmWithIp.ip6!, appName);
+
+      spinner = ora('Configuring Docker for NAT64...').start();
+
+      // Step 3: Configure Docker for NAT64
+      await this.configureDockerNAT64(vmWithIp.ip6!);
+
+      spinner.succeed(chalk.green(`Cluster initialized successfully`));
+
+      return savedCluster;
+    } catch (error) {
+      spinner.fail(chalk.red('Failed to initialize cluster'));
+      throw error;
+    }
+  }
+
+  /**
+   * Add a node to an existing cluster
+   */
+  async addNode(appName: string, vmSize: string, bootImage: string): Promise<VMNode> {
+    const cluster = await this.platformClient.getApp(appName);
+    if (!cluster) {
+      throw new Error(`App '${appName}' not found`);
+    }
+
+    const primaryNode = await this.platformClient.getPrimaryNode(appName);
+    if (!primaryNode || !primaryNode.ipv6) {
+      throw new Error(`Primary node not found or has no IPv6 address`);
+    }
+
+    // Get gateway info to get the private subnet ID for NAT64 routing
+    const gateway = await this.platformClient.getGateway(cluster.location);
+    const privateSubnetId = gateway?.subnetId;
+
+    const vmName = `${appName}-vm-${this.generateId()}`;
+
+    let spinner = ora(`Adding node '${vmName}' to cluster...`).start();
+
+    try {
+      // Get platform SSH keys (for VM creation)
+      spinner.text = 'Fetching platform SSH keys...';
+      const platformKeys = await this.getPlatformKeys();
+
+      // Create new IPv6-only VM via platform API with platform SSH key
+      spinner.text = `Creating VM '${vmName}'...`;
+      const vm = await this.platformClient.createVM({
+        name: vmName,
+        location: cluster.location,
+        size: vmSize,
+        boot_image: bootImage,
+        unix_user: 'root',
+        public_key: platformKeys.platformPublicKey,
+        enable_ip4: !privateSubnetId,
+        private_subnet_id: privateSubnetId,
+      });
+
+      spinner.text = `Waiting for VM to be ready...`;
+      spinner.stop();
+      console.log(chalk.cyan('\nWaiting for VM to get an IPv6 address...'));
+      const vmWithIp = await this.waitForVM(cluster.location, vmName, 600, false);
+
+      spinner = ora('Setting up VM...').start();
+      await this.sleep(30000);
+
+      // Step 1: Platform sets up VM (DNS64, WireGuard, SSH CA)
+      spinner.text = 'Configuring VM...';
+      await this.platformClient.setupVM(vmWithIp.ip6!, cluster.location, appName);
+
+      // Step 2: Get join token from primary and join cluster
+      spinner.text = 'Joining uncloud cluster...';
+      spinner.stop();
+      console.log(chalk.cyan('\nJoining uncloud cluster...'));
+      await this.joinUncloudCluster(vmWithIp.ip6!, primaryNode.ipv6, appName);
+
+      spinner = ora('Configuring Docker for NAT64...').start();
+
+      // Step 3: Configure Docker for NAT64
+      await this.configureDockerNAT64(vmWithIp.ip6!);
+
+      spinner.succeed(chalk.green(`Node '${vmName}' added successfully`));
+
+      const newNode: VMNode = {
+        name: vmName,
+        id: vm.id,
+        ipv6: vmWithIp.ip6,
+        isPrimary: false,
+      };
+
+      // Update cluster state on backend
+      cluster.nodes.push(newNode);
+      await this.platformClient.saveApp(cluster);
+
+      return newNode;
+    } catch (error) {
+      spinner.fail(chalk.red('Failed to add node'));
+      throw error;
+    }
+  }
+
+  /**
+   * Initialize uncloud on the VM using uc machine init
+   * Uses --no-dns because we manage our own domain via gateway
+   *
+   * Before running uc, we get an SSH certificate from the platform
+   * and add it to the ssh-agent. This allows uc to authenticate
+   * since the VM only accepts platform SSH key or signed certificates.
+   */
+  private async initializeUncloud(vmIp: string, contextName: string): Promise<void> {
+    try {
+      // Get SSH certificate and add to agent (required for auth)
+      // The VM was created with platform SSH key, so we need a certificate
+      await this.sshCertManager.getSession(contextName, vmIp);
+
+      // uc machine init connects to the VM and installs Docker + uncloud daemon
+      execSync(`uc machine init -c "${contextName}" --no-dns root@${vmIp}`, {
+        stdio: 'inherit',
+        timeout: 600000,  // 10 min timeout
+      });
+    } catch (error) {
+      throw new Error(`Failed to initialize uncloud: ${(error as Error).message}`);
+    }
+  }
+
+  /**
+   * Join a new node to an existing uncloud cluster
+   * Uses --connect ssh:// to avoid local context dependency
+   */
+  private async joinUncloudCluster(newVmIp: string, primaryVmIp: string, contextName: string): Promise<void> {
+    try {
+      // Get SSH certificates for both nodes and add to agent
+      await this.sshCertManager.getSession(contextName, primaryVmIp);
+      await this.sshCertManager.getSession(contextName, newVmIp);
+
+      // Get join token from primary node using --connect ssh://
+      const token = execSync(`uc --connect ssh://root@${primaryVmIp} machine token`, {
+        encoding: 'utf-8',
+        timeout: 30000,
+      }).trim();
+
+      if (!token) {
+        throw new Error('Failed to get join token from primary node');
+      }
+
+      // Join the new node to the cluster using --connect ssh://
+      execSync(`uc --connect ssh://root@${primaryVmIp} machine add root@${newVmIp} --token "${token}"`, {
+        stdio: 'inherit',
+        timeout: 600000,  // 10 min timeout
+      });
+    } catch (error) {
+      throw new Error(`Failed to join cluster: ${(error as Error).message}`);
+    }
+  }
+
+  /**
+   * Configure Docker for NAT64 support on IPv6-only VMs
+   *
+   * Problem: DNS64 returns both A (IPv4) and AAAA (IPv6) records. Applications may try
+   * IPv4 first, which times out because there's no route to IPv4 internet.
+   *
+   * Solution:
+   * 1. Enable IPv6 on Docker networks so containers get IPv6 addresses
+   * 2. Block IPv4 forwarding from Docker to internet so IPv4 fails immediately
+   * 3. Applications then use IPv6 (NAT64) which works via the gateway
+   */
+  private async configureDockerNAT64(vmIp: string): Promise<void> {
+    const setupScript = `#!/bin/bash
+set -e
+
+# Step 1: Add IPv6 support to Docker daemon config
+DAEMON_JSON='/etc/docker/daemon.json'
+if [ -f "$DAEMON_JSON" ]; then
+  # Merge with existing config using jq
+  jq '. + {"ipv6": true, "fixed-cidr-v6": "fd00:d0c6:e4::/64"}' "$DAEMON_JSON" > /tmp/daemon.json
+  mv /tmp/daemon.json "$DAEMON_JSON"
+else
+  cat > "$DAEMON_JSON" << 'EOFJSON'
+{
+  "ipv6": true,
+  "fixed-cidr-v6": "fd00:d0c6:e4::/64"
+}
+EOFJSON
+fi
+
+# Step 2: Create systemd service to block IPv4 forwarding from Docker containers
+cat > /etc/systemd/system/docker-ipv6-nat64.service << 'EOFSVC'
+[Unit]
+Description=Block IPv4 forwarding from Docker containers (force NAT64)
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/sbin/iptables -I FORWARD -i br-+ -o ens3 -j REJECT --reject-with icmp-net-unreachable
+ExecStop=/sbin/iptables -D FORWARD -i br-+ -o ens3 -j REJECT --reject-with icmp-net-unreachable
+
+[Install]
+WantedBy=multi-user.target
+EOFSVC
+
+systemctl daemon-reload
+systemctl enable docker-ipv6-nat64
+
+# Step 3: Restart Docker to apply IPv6 config
+systemctl restart docker
+sleep 3
+
+# Step 4: Recreate uncloud network with IPv6 enabled
+CONTAINERS=$(docker ps -aq --filter network=uncloud 2>/dev/null || true)
+
+for container in $CONTAINERS; do
+  docker network disconnect uncloud "$container" 2>/dev/null || true
+done
+
+docker network rm uncloud 2>/dev/null || true
+docker network create --driver bridge \
+  --subnet 10.210.0.0/24 --gateway 10.210.0.1 \
+  --ipv6 --subnet fd00:a10:210::/64 --gateway fd00:a10:210::1 \
+  uncloud
+
+for container in $CONTAINERS; do
+  docker network connect uncloud "$container" 2>/dev/null || true
+done
+
+# Step 5: Start the iptables service
+systemctl start docker-ipv6-nat64
+
+echo "Docker NAT64 configuration complete"
+`;
+
+    try {
+      // Use SSH to run the script on the VM
+      // After platform setup, SSH certificate auth is available
+      execSync(`ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null root@${vmIp} 'bash -s' << 'REMOTESCRIPT'
+${setupScript}
+REMOTESCRIPT`, {
+        stdio: 'inherit',
+        timeout: 120000,  // 2 min timeout
+      });
+    } catch (error) {
+      throw new Error(`Failed to configure Docker for NAT64: ${(error as Error).message}`);
+    }
+  }
+
+  /**
+   * Wait for VM to have an IP address
+   * @param requireIpv4 - If true, wait for IPv4 (for gateway VMs). Otherwise wait for IPv6.
+   */
+  private async waitForVM(location: string, vmName: string, timeoutSeconds: number, requireIpv4: boolean = false): Promise<any> {
+    const startTime = Date.now();
+    const timeoutMs = timeoutSeconds * 1000;
+    let lastStatus = '';
+
+    while (Date.now() - startTime < timeoutMs) {
+      const vm = await this.platformClient.getVM(location, vmName);
+
+      // Log status changes
+      if (vm.status && vm.status !== lastStatus) {
+        console.log(chalk.dim(`  Status: ${vm.status}`));
+        lastStatus = vm.status;
+      }
+
+      // Check for the required IP type
+      const hasRequiredIp = requireIpv4 ? vm.ip4 : vm.ip6;
+      if (hasRequiredIp) {
+        const ipDisplay = requireIpv4 ? vm.ip4 : vm.ip6;
+        console.log(chalk.green(`  IP assigned: ${ipDisplay}`));
+        return vm;
+      }
+
+      const elapsed = Math.floor((Date.now() - startTime) / 1000);
+      const ipType = requireIpv4 ? 'IPv4' : 'IPv6';
+      process.stdout.write(`\r  Waiting for ${ipType}... (${elapsed}s / ${timeoutSeconds}s)`);
+
+      await this.sleep(5000); // Check every 5 seconds
+    }
+
+    process.stdout.write('\n');
+    throw new Error(
+      `Timeout waiting for VM to get IP address after ${timeoutSeconds}s.\n\n` +
+      `The VM may still be provisioning. You can:\n` +
+      `  1. Check VM status: hackerrun vm list\n` +
+      `  2. Delete and retry: hackerrun vm delete ${vmName}\n` +
+      `  3. Check Ubicloud console: https://console.ubicloud.com`
+    );
+  }
+
+  /**
+   * Generate a random ID
+   */
+  private generateId(): string {
+    return Math.random().toString(36).substring(2, 9);
+  }
+
+  /**
+   * Sleep for specified milliseconds
+   */
+  private sleep(ms: number): Promise<void> {
+    return new Promise(resolve => setTimeout(resolve, ms));
+  }
+}

package/src/lib/config.ts

@@ -0,0 +1,137 @@
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from 'fs';
+import { homedir } from 'os';
+import { join } from 'path';
+
+export interface Config {
+  apiToken: string;
+}
+
+export class ConfigManager {
+  private configDir: string;
+  private configFile: string;
+
+  constructor() {
+    // XDG Base Directory Specification
+    this.configDir = join(homedir(), '.config', 'hackerrun');
+    this.configFile = join(this.configDir, 'config.json');
+    this.ensureConfigDir();
+  }
+
+  private ensureConfigDir(): void {
+    if (!existsSync(this.configDir)) {
+      mkdirSync(this.configDir, { recursive: true, mode: 0o700 });
+    }
+  }
+
+  /**
+   * Read config from ~/.config/hackerrun/config.json
+   */
+  private readConfig(): Partial<Config> {
+    if (!existsSync(this.configFile)) {
+      return {};
+    }
+
+    try {
+      const content = readFileSync(this.configFile, 'utf-8');
+      return JSON.parse(content);
+    } catch (error) {
+      console.warn('Failed to read config file');
+      return {};
+    }
+  }
+
+  /**
+   * Write config to ~/.config/hackerrun/config.json
+   */
+  private writeConfig(config: Partial<Config>): void {
+    writeFileSync(this.configFile, JSON.stringify(config, null, 2), { mode: 0o600 });
+  }
+
+  /**
+   * Load and validate config
+   */
+  load(): Config {
+    const config = this.readConfig();
+
+    if (!config.apiToken) {
+      throw new Error(
+        `Missing API token. Please run:\n\n` +
+        `  hackerrun login\n`
+      );
+    }
+
+    return {
+      apiToken: config.apiToken,
+    };
+  }
+
+  /**
+   * Set a config value
+   */
+  set(key: keyof Config, value: string): void {
+    const config = this.readConfig();
+    config[key] = value;
+    this.writeConfig(config);
+  }
+
+  /**
+   * Get a config value
+   */
+  get(key: keyof Config): string | undefined {
+    const config = this.readConfig();
+    return config[key];
+  }
+
+  /**
+   * Get all config values (with sensitive data masked)
+   */
+  getAll(maskSensitive: boolean = true): Partial<Config> {
+    const config = this.readConfig();
+
+    if (maskSensitive && config.apiToken) {
+      config.apiToken = this.maskToken(config.apiToken);
+    }
+
+    return config;
+  }
+
+  /**
+   * Mask sensitive token for display
+   */
+  private maskToken(token: string): string {
+    if (token.length <= 8) return '***';
+    return token.substring(0, 8) + '...' + token.substring(token.length - 4);
+  }
+
+  /**
+   * Delete a config value
+   */
+  unset(key: keyof Config): void {
+    const config = this.readConfig();
+    delete config[key];
+    this.writeConfig(config);
+  }
+
+  /**
+   * Check if config exists and is valid
+   */
+  exists(): boolean {
+    const config = this.readConfig();
+    return !!config.apiToken;
+  }
+
+  /**
+   * Get config file path
+   */
+  getConfigPath(): string {
+    return this.configFile;
+  }
+}
+
+/**
+ * Legacy function for backward compatibility
+ */
+export function loadConfig(): Config {
+  const configManager = new ConfigManager();
+  return configManager.load();
+}

package/src/lib/platform-auth.ts

@@ -0,0 +1,20 @@
+// Platform authentication utilities
+import chalk from 'chalk';
+import { ConfigManager } from './config.js';
+
+/**
+ * Get platform auth token from config
+ */
+export function getPlatformToken(): string {
+  const configManager = new ConfigManager();
+
+  try {
+    const config = configManager.load();
+    return config.apiToken;
+  } catch (error) {
+    console.error(chalk.red('\n Not logged in'));
+    console.log(chalk.cyan('\nPlease login first:\n'));
+    console.log(`  ${chalk.bold('hackerrun login')}\n`);
+    process.exit(1);
+  }
+}