hackerrun 0.1.0

package/src/lib/platform.ts

@@ -0,0 +1,87 @@
+import { platform } from 'os';
+import { existsSync } from 'fs';
+import chalk from 'chalk';
+
+export class PlatformDetector {
+  /**
+   * Check if running on Windows
+   */
+  static isWindows(): boolean {
+    return platform() === 'win32';
+  }
+
+  /**
+   * Check if running inside WSL (Windows Subsystem for Linux)
+   */
+  static isWSL(): boolean {
+    if (!this.isWindows()) {
+      // Not Windows, check if we're Linux running under WSL
+      if (platform() === 'linux') {
+        // WSL has /proc/version with "Microsoft" or "WSL"
+        try {
+          const fs = require('fs');
+          const procVersion = fs.readFileSync('/proc/version', 'utf8').toLowerCase();
+          return procVersion.includes('microsoft') || procVersion.includes('wsl');
+        } catch {
+          return false;
+        }
+      }
+      return false;
+    }
+    return false;
+  }
+
+  /**
+   * Check if platform is supported for hackerrun
+   */
+  static isSupported(): boolean {
+    return platform() === 'darwin' || platform() === 'linux' || this.isWSL();
+  }
+
+  /**
+   * Get platform name for display
+   */
+  static getPlatformName(): string {
+    if (this.isWSL()) return 'WSL (Windows Subsystem for Linux)';
+    if (platform() === 'win32') return 'Windows';
+    if (platform() === 'darwin') return 'macOS';
+    if (platform() === 'linux') return 'Linux';
+    return platform();
+  }
+
+  /**
+   * Ensure platform is supported, exit with helpful message if not
+   */
+  static ensureSupported(): void {
+    if (this.isWindows() && !this.isWSL()) {
+      console.log(chalk.yellow('\n⚠️  Windows detected\n'));
+      console.log('Hackerrun requires WSL (Windows Subsystem for Linux) to run.');
+      console.log('Uncloud and SSH tools work best in a Linux environment.\n');
+
+      console.log(chalk.cyan('How to set up WSL:\n'));
+      console.log('1. Open PowerShell as Administrator and run:');
+      console.log(chalk.bold('   wsl --install\n'));
+
+      console.log('2. Restart your computer\n');
+
+      console.log('3. Install Ubuntu from Microsoft Store (or use default Linux)\n');
+
+      console.log('4. Open WSL terminal and install hackerrun:');
+      console.log(chalk.bold('   npm install -g hackerrun\n'));
+
+      console.log('Learn more: https://docs.microsoft.com/en-us/windows/wsl/install\n');
+
+      console.log(chalk.red('Please install WSL and run hackerrun from WSL terminal.\n'));
+      process.exit(1);
+    }
+
+    if (!this.isSupported()) {
+      console.log(chalk.red(`\n❌ Platform '${platform()}' is not supported\n`));
+      console.log('Hackerrun supports:');
+      console.log('  - macOS');
+      console.log('  - Linux');
+      console.log('  - Windows (via WSL)\n');
+      process.exit(1);
+    }
+  }
+}

package/src/lib/ssh-cert.ts

@@ -0,0 +1,264 @@
+// SSH Certificate Management for CLI
+// Handles temporary keypair generation, certificate requests, and SSH agent management
+
+import { execSync, spawnSync } from 'child_process';
+import { mkdtempSync, writeFileSync, readFileSync, rmSync, existsSync, chmodSync } from 'fs';
+import { join } from 'path';
+import { tmpdir } from 'os';
+import * as net from 'net';
+import { PlatformClient } from './platform-client.js';
+
+export interface SSHCertSession {
+  keyPath: string;           // Path to private key
+  publicKey: string;         // Public key content
+  certificate: string;       // Signed certificate
+  certPath: string;          // Path to certificate file
+  vmIp: string;              // VM IPv6 address
+  cleanup: () => void;       // Cleanup function
+}
+
+/**
+ * SSH Certificate Manager
+ * Handles temporary certificates for SSH access to app VMs
+ */
+export class SSHCertManager {
+  private sessions: Map<string, SSHCertSession> = new Map();
+  private sshAgentStarted = false;
+
+  constructor(private platformClient: PlatformClient) {}
+
+  /**
+   * Get or create an SSH session for an app
+   * Generates temp keypair, gets certificate, adds to SSH agent
+   */
+  async getSession(appName: string, vmIp: string): Promise<SSHCertSession> {
+    // Check for existing valid session
+    const existingSession = this.sessions.get(appName);
+    if (existingSession && this.isSessionValid(existingSession)) {
+      return existingSession;
+    }
+
+    // Create new session
+    const session = await this.createSession(appName, vmIp);
+    this.sessions.set(appName, session);
+    return session;
+  }
+
+  /**
+   * Create a new SSH session with certificate
+   */
+  private async createSession(appName: string, vmIp: string): Promise<SSHCertSession> {
+    // Create temp directory for keys
+    const tmpDir = mkdtempSync(join(tmpdir(), 'hackerrun-ssh-'));
+    const keyPath = join(tmpDir, 'key');
+
+    try {
+      // Generate ED25519 keypair
+      execSync(`ssh-keygen -t ed25519 -f "${keyPath}" -N "" -C "hackerrun-temp"`, {
+        stdio: 'pipe',
+      });
+
+      const publicKey = readFileSync(`${keyPath}.pub`, 'utf8').trim();
+
+      // Request certificate from platform
+      const { certificate } = await this.platformClient.requestSSHCertificate(appName, publicKey);
+
+      // Write certificate to file
+      const certPath = `${keyPath}-cert.pub`;
+      writeFileSync(certPath, certificate);
+
+      // Ensure private key has correct permissions
+      chmodSync(keyPath, 0o600);
+
+      // Add key+cert to SSH agent
+      await this.addToSSHAgent(keyPath);
+
+      const session: SSHCertSession = {
+        keyPath,
+        publicKey,
+        certificate,
+        certPath,
+        vmIp,
+        cleanup: () => {
+          // Remove from SSH agent
+          try {
+            execSync(`ssh-add -d "${keyPath}" 2>/dev/null`, { stdio: 'pipe' });
+          } catch {
+            // Ignore errors during cleanup
+          }
+          // Remove temp files
+          rmSync(tmpDir, { recursive: true, force: true });
+          this.sessions.delete(appName);
+        },
+      };
+
+      return session;
+    } catch (error) {
+      // Cleanup on error
+      rmSync(tmpDir, { recursive: true, force: true });
+      throw error;
+    }
+  }
+
+  /**
+   * Check if an SSH agent is running, start one if needed
+   */
+  private ensureSSHAgent(): void {
+    if (this.sshAgentStarted) return;
+
+    const agentPid = process.env.SSH_AGENT_PID;
+    const authSock = process.env.SSH_AUTH_SOCK;
+
+    if (agentPid && authSock && existsSync(authSock)) {
+      // Agent already running
+      this.sshAgentStarted = true;
+      return;
+    }
+
+    // Start SSH agent
+    try {
+      const result = execSync('ssh-agent -s', { encoding: 'utf-8' });
+
+      // Parse and set environment variables
+      const pidMatch = result.match(/SSH_AGENT_PID=(\d+)/);
+      const sockMatch = result.match(/SSH_AUTH_SOCK=([^;]+)/);
+
+      if (pidMatch && sockMatch) {
+        process.env.SSH_AGENT_PID = pidMatch[1];
+        process.env.SSH_AUTH_SOCK = sockMatch[1];
+        this.sshAgentStarted = true;
+      }
+    } catch {
+      // Agent might already be running in parent shell
+    }
+  }
+
+  /**
+   * Add key and certificate to SSH agent
+   */
+  private async addToSSHAgent(keyPath: string): Promise<void> {
+    this.ensureSSHAgent();
+
+    try {
+      // Add key with certificate (SSH agent picks up the cert automatically if -cert.pub exists)
+      execSync(`ssh-add "${keyPath}"`, { stdio: 'pipe' });
+    } catch (error) {
+      throw new Error(`Failed to add key to SSH agent: ${(error as Error).message}`);
+    }
+  }
+
+  /**
+   * Check if a session is still valid (certificate not expired)
+   * Certificates have 5-minute TTL
+   */
+  private isSessionValid(session: SSHCertSession): boolean {
+    try {
+      // Check if files still exist
+      if (!existsSync(session.keyPath) || !existsSync(session.certPath)) {
+        return false;
+      }
+
+      // Use ssh-keygen to check certificate validity
+      const result = execSync(`ssh-keygen -L -f "${session.certPath}"`, { encoding: 'utf-8' });
+
+      // Check if certificate has expired by looking at Valid: line
+      const validMatch = result.match(/Valid: from .* to (.+)/);
+      if (!validMatch) return false;
+
+      // Parse expiry time
+      const expiryStr = validMatch[1].trim();
+      const expiry = new Date(expiryStr);
+
+      // Add 30 second buffer before expiry
+      const now = new Date();
+      now.setSeconds(now.getSeconds() + 30);
+
+      return expiry > now;
+    } catch {
+      return false;
+    }
+  }
+
+  /**
+   * Get SSH command options for connecting with certificate
+   * Returns options that work with ssh+cli:// connector
+   */
+  getSSHOptions(session: SSHCertSession): string[] {
+    return [
+      '-o', 'StrictHostKeyChecking=no',
+      '-o', 'UserKnownHostsFile=/dev/null',
+      '-o', `IdentityFile=${session.keyPath}`,
+      '-o', `CertificateFile=${session.certPath}`,
+    ];
+  }
+
+  /**
+   * Format VM IP for uncloud --connect ssh+cli:// URL
+   * Note: Don't use brackets - uncloud passes this to SSH which expects raw addresses
+   */
+  formatConnectionURL(vmIp: string): string {
+    return `ssh+cli://root@${vmIp}`;
+  }
+
+  /**
+   * Clean up all sessions
+   */
+  cleanupAll(): void {
+    for (const session of this.sessions.values()) {
+      session.cleanup();
+    }
+    this.sessions.clear();
+  }
+}
+
+// Cache IPv6 connectivity results for the session
+const ipv6ConnectivityCache = new Map<string, boolean>();
+
+/**
+ * Test IPv6 connectivity with timeout
+ * Returns true if direct IPv6 connection is possible
+ * Results are cached for the session
+ */
+export async function testIPv6Connectivity(vmIp: string, timeoutMs: number = 2000): Promise<boolean> {
+  // Check cache first
+  if (ipv6ConnectivityCache.has(vmIp)) {
+    return ipv6ConnectivityCache.get(vmIp)!;
+  }
+
+  // Quick TCP connect test (faster than SSH)
+  const result = await new Promise<boolean>((resolve) => {
+    const socket = new net.Socket();
+
+    const cleanup = () => {
+      socket.destroy();
+    };
+
+    socket.setTimeout(timeoutMs);
+    socket.on('connect', () => {
+      cleanup();
+      resolve(true);
+    });
+    socket.on('timeout', () => {
+      cleanup();
+      resolve(false);
+    });
+    socket.on('error', () => {
+      cleanup();
+      resolve(false);
+    });
+
+    socket.connect(22, vmIp);
+  });
+
+  ipv6ConnectivityCache.set(vmIp, result);
+  return result;
+}
+
+/**
+ * Get SSH proxy command for routing through gateway
+ * Used when direct IPv6 connectivity is not available
+ */
+export function getGatewayProxyCommand(gatewayIp: string, vmIp: string): string {
+  // Use -W for netcat mode to proxy through gateway
+  return `ssh -W [${vmIp}]:22 root@${gatewayIp}`;
+}

package/src/lib/uncloud-runner.ts

@@ -0,0 +1,342 @@
+// Uncloud Command Runner
+// Executes uncloud commands using SSH certificate authentication
+// Replaces the old `uc -c <context>` approach with `uc --connect ssh+cli://`
+
+import { execSync, spawnSync, spawn, ChildProcess } from 'child_process';
+import * as net from 'net';
+import { PlatformClient } from './platform-client.js';
+import { SSHCertManager, testIPv6Connectivity } from './ssh-cert.js';
+import chalk from 'chalk';
+
+export interface UncloudRunnerOptions {
+  cwd?: string;
+  stdio?: 'inherit' | 'pipe';
+  timeout?: number;
+}
+
+interface TunnelInfo {
+  process: ChildProcess;
+  localPort: number;
+}
+
+/**
+ * UncloudRunner - Execute uncloud commands against app VMs
+ * Uses SSH certificates for authentication
+ */
+export class UncloudRunner {
+  private certManager: SSHCertManager;
+  private gatewayCache: Map<string, { ipv4: string; ipv6: string } | null> = new Map();
+  private activeTunnels: Map<string, TunnelInfo> = new Map();
+  private tempConfigPath: string | null = null;
+
+  constructor(private platformClient: PlatformClient) {
+    this.certManager = new SSHCertManager(platformClient);
+  }
+
+  /**
+   * Get the connection URL for an app's primary VM
+   * Handles IPv6 direct connection or gateway proxy fallback
+   */
+  async getConnectionInfo(appName: string): Promise<{
+    url: string;
+    vmIp: string;
+    viaGateway: boolean;
+    localPort?: number;
+  }> {
+    // Get app info
+    const app = await this.platformClient.getApp(appName);
+    if (!app) {
+      throw new Error(`App '${appName}' not found`);
+    }
+
+    const primaryNode = app.nodes.find(n => n.isPrimary);
+    if (!primaryNode?.ipv6) {
+      throw new Error(`App '${appName}' has no primary node with IPv6 address`);
+    }
+
+    const vmIp = primaryNode.ipv6;
+
+    // Get or create SSH session with certificate (adds to agent)
+    await this.certManager.getSession(appName, vmIp);
+
+    // Test direct IPv6 connectivity (3 second timeout)
+    const canConnectDirect = await testIPv6Connectivity(vmIp, 3000);
+    const viaGateway = !canConnectDirect;
+
+    if (viaGateway) {
+      // Need to tunnel through gateway
+      // Start a local SSH tunnel: ssh -L localport:[vmip]:22 root@gateway
+      const tunnelInfo = await this.ensureTunnel(appName, vmIp, app.location);
+
+      // Use ssh:// through the tunnel (Go SSH library with agent)
+      return {
+        url: `ssh://root@localhost:${tunnelInfo.localPort}`,
+        vmIp,
+        viaGateway: true,
+        localPort: tunnelInfo.localPort,
+      };
+    }
+
+    // Direct IPv6 connection using ssh:// (Go SSH library with agent support)
+    // This is faster than ssh+cli:// because:
+    // - One persistent SSH connection (no per-operation process spawning)
+    // - Go's SSH library uses ssh-agent which has our temp certificate
+    // - Dialer() works for image push to unregistry
+    return {
+      url: `ssh://root@${vmIp}`,
+      vmIp,
+      viaGateway: false,
+    };
+  }
+
+  /**
+   * Pre-accept a host's SSH key by running ssh-keyscan
+   * This prevents "Host key verification failed" errors from uncloud
+   */
+  private preAcceptHostKey(host: string, port?: number): void {
+    try {
+      const portArg = port ? `-p ${port}` : '';
+      // Scan the host key and add to known_hosts
+      execSync(
+        `ssh-keyscan ${portArg} -H ${host} >> ~/.ssh/known_hosts 2>/dev/null`,
+        { stdio: 'pipe', timeout: 10000 }
+      );
+    } catch {
+      // Ignore errors - host might already be in known_hosts
+    }
+  }
+
+  /**
+   * Ensure an SSH tunnel exists for gateway fallback
+   */
+  private async ensureTunnel(appName: string, vmIp: string, location: string): Promise<TunnelInfo> {
+    // Check for existing tunnel
+    const existing = this.activeTunnels.get(appName);
+    if (existing && !existing.process.killed) {
+      return existing;
+    }
+
+    // Get gateway
+    const gateway = await this.getGateway(location);
+    if (!gateway) {
+      throw new Error(`No gateway found for location ${location}`);
+    }
+
+    // Find an available port
+    const localPort = await this.findAvailablePort();
+
+    // Start SSH tunnel in background
+    // The SSH agent will provide the certificate for authentication
+    const tunnelProcess = spawn('ssh', [
+      '-N',  // No remote command
+      '-L', `${localPort}:[${vmIp}]:22`,  // Local port forward
+      '-o', 'StrictHostKeyChecking=no',
+      '-o', 'UserKnownHostsFile=/dev/null',
+      '-o', 'LogLevel=ERROR',
+      '-o', 'ExitOnForwardFailure=yes',
+      '-o', 'ServerAliveInterval=30',
+      `root@${gateway.ipv4}`,
+    ], {
+      detached: true,
+      stdio: 'pipe',
+    });
+
+    // Wait for tunnel to be established
+    await this.waitForTunnel(localPort);
+
+    const tunnelInfo: TunnelInfo = { process: tunnelProcess, localPort };
+    this.activeTunnels.set(appName, tunnelInfo);
+
+    return tunnelInfo;
+  }
+
+  /**
+   * Find an available local port
+   */
+  private async findAvailablePort(): Promise<number> {
+    return new Promise((resolve, reject) => {
+      const server = net.createServer();
+      server.listen(0, () => {
+        const port = server.address().port;
+        server.close(() => resolve(port));
+      });
+      server.on('error', reject);
+    });
+  }
+
+  /**
+   * Wait for tunnel to be established
+   */
+  private async waitForTunnel(port: number, timeoutMs: number = 10000): Promise<void> {
+    const startTime = Date.now();
+
+    while (Date.now() - startTime < timeoutMs) {
+      try {
+        await new Promise<void>((resolve, reject) => {
+          const socket = net.createConnection(port, 'localhost', () => {
+            socket.destroy();
+            resolve();
+          });
+          socket.on('error', () => {
+            socket.destroy();
+            reject();
+          });
+          socket.setTimeout(500, () => {
+            socket.destroy();
+            reject();
+          });
+        });
+        return;
+      } catch {
+        await new Promise(r => setTimeout(r, 200));
+      }
+    }
+
+    throw new Error(`Tunnel failed to establish on port ${port}`);
+  }
+
+  /**
+   * Run an uncloud command on the app's VM
+   */
+  async run(
+    appName: string,
+    command: string,
+    args: string[] = [],
+    options: UncloudRunnerOptions = {}
+  ): Promise<string | void> {
+    // Get connection info (handles certificate and gateway tunnel if needed)
+    const connInfo = await this.getConnectionInfo(appName);
+
+    if (connInfo.viaGateway) {
+      console.log(chalk.dim(`Connecting via gateway...`));
+    }
+
+    // Build the uc command
+    const fullArgs = ['--connect', connInfo.url, command, ...args];
+
+    if (options.stdio === 'inherit') {
+      // For interactive commands, spawn with inherited stdio
+      const result = spawnSync('uc', fullArgs, {
+        cwd: options.cwd,
+        stdio: 'inherit',
+        timeout: options.timeout,
+      });
+
+      if (result.status !== 0) {
+        throw new Error(`Uncloud command failed with exit code ${result.status}`);
+      }
+    } else {
+      // For pipe mode, return output
+      const result = execSync(`uc ${fullArgs.map(a => `"${a}"`).join(' ')}`, {
+        cwd: options.cwd,
+        encoding: 'utf-8',
+        timeout: options.timeout,
+      });
+      return result;
+    }
+  }
+
+  /**
+   * Run 'uc deploy' for an app
+   */
+  async deploy(appName: string, cwd: string): Promise<void> {
+    await this.run(appName, 'deploy', ['--yes'], { cwd, stdio: 'inherit' });
+  }
+
+  /**
+   * Run 'uc service logs' for an app
+   */
+  async logs(
+    appName: string,
+    serviceName: string,
+    options: { follow?: boolean; tail?: number } = {}
+  ): Promise<void> {
+    const args = [serviceName];
+    if (options.follow) args.push('-f');
+    if (options.tail) args.push('--tail', String(options.tail));
+
+    await this.run(appName, 'service', ['logs', ...args], { stdio: 'inherit' });
+  }
+
+  /**
+   * Run 'uc service ls' for an app
+   */
+  async serviceList(appName: string): Promise<string> {
+    const result = await this.run(appName, 'service', ['ls'], { stdio: 'pipe' });
+    return result as string;
+  }
+
+  /**
+   * Run 'uc machine token' on remote VM via SSH
+   * This is different - it runs on the VM directly, not via uncloud connector
+   */
+  async getMachineToken(appName: string): Promise<string> {
+    // Get connection info (sets up certificate and tunnel if needed)
+    const connInfo = await this.getConnectionInfo(appName);
+
+    // For getting machine token, we need to SSH directly to the VM
+    let sshCmd: string;
+    if (connInfo.viaGateway && connInfo.localPort) {
+      // Use the tunnel
+      sshCmd = `ssh -p ${connInfo.localPort} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@localhost`;
+    } else {
+      // Direct connection
+      sshCmd = `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${connInfo.vmIp}`;
+    }
+
+    const token = execSync(`${sshCmd} "uc machine token"`, { encoding: 'utf-8' }).trim();
+    return token;
+  }
+
+  /**
+   * Execute an SSH command on the VM
+   */
+  async sshExec(appName: string, command: string): Promise<string> {
+    const connInfo = await this.getConnectionInfo(appName);
+
+    let sshCmd: string;
+    if (connInfo.viaGateway && connInfo.localPort) {
+      sshCmd = `ssh -p ${connInfo.localPort} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@localhost`;
+    } else {
+      sshCmd = `ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR root@${connInfo.vmIp}`;
+    }
+
+    return execSync(`${sshCmd} "${command}"`, { encoding: 'utf-8' }).trim();
+  }
+
+  /**
+   * Get gateway info (cached)
+   */
+  private async getGateway(location: string): Promise<{ ipv4: string; ipv6: string } | null> {
+    if (this.gatewayCache.has(location)) {
+      return this.gatewayCache.get(location) || null;
+    }
+
+    const gateway = await this.platformClient.getGateway(location);
+    if (gateway) {
+      this.gatewayCache.set(location, { ipv4: gateway.ipv4, ipv6: gateway.ipv6 });
+      return { ipv4: gateway.ipv4, ipv6: gateway.ipv6 };
+    }
+
+    this.gatewayCache.set(location, null);
+    return null;
+  }
+
+  /**
+   * Clean up all SSH sessions and tunnels
+   */
+  cleanup(): void {
+    // Kill all active tunnels
+    for (const [appName, tunnel] of this.activeTunnels) {
+      try {
+        tunnel.process.kill();
+      } catch {
+        // Ignore errors during cleanup
+      }
+    }
+    this.activeTunnels.clear();
+
+    // Clean up SSH certificate sessions
+    this.certManager.cleanupAll();
+  }
+}