openpouch 0.2.0 → 0.2.2

package/README.md

@@ -10,6 +10,13 @@ npx openpouch deploy
 
 You get a live `https://<slug>.openpouch.sh` URL plus a claim link. The agent deploys autonomously; a human claims it via the link to keep it. openpouch writes the deployment truth (`deploy.manifest.json`, `deploy.evidence.json`, `DEPLOYMENT.md`) back into your repo, so any agent can resume after context loss.
 
+> **Framework frontends (React/Vite/Next/Svelte…): deploy the _built output_, not the source folder.** `openpouch deploy` ships whatever folder you run it in, as-is. So build first, then deploy the build directory:
+> ```bash
+> npm run build
+> cd dist && npx openpouch deploy     # Vite → dist/ · CRA → build/ · Next static export → out/
+> ```
+> A raw, unbuilt source folder is served as static files (the app won't run). Server-side build-on-deploy is on the roadmap.
+
 ## Accounts (optional)
 
 Start anonymous, or create a free account for higher limits — entirely from the agent, no dashboard:

package/openpouch.js

@@ -4259,9 +4259,8 @@ function findUsableApproval(file, match, now) {
 }
 
 // packages/cli/src/commands/activate.ts
-import { mkdir, writeFile as writeFile3 } from "node:fs/promises";
-import { homedir as homedir2 } from "node:os";
-import { join as join3 } from "node:path";
+import { mkdir, readFile as readFile3, writeFile as writeFile3 } from "node:fs/promises";
+import { dirname } from "node:path";
 
 // packages/cli/src/shared.ts
 import { readFile as readFile2, writeFile as writeFile2 } from "node:fs/promises";
@@ -4832,12 +4831,17 @@ var PROVIDER_CREDENTIALS = {
 };
 var ANONYMOUS_KEY = "anonymous";
 var RUN_KEY = { envVar: "OPENPOUCH_API_KEY", file: "openpouch-run.key" };
+function runKeyPath(env) {
+  const override = env["OPENPOUCH_KEY_FILE"]?.trim();
+  if (override) return override;
+  const home = env["OPENPOUCH_HOME"] ?? homedir();
+  return join2(home, ".openpouch", RUN_KEY.file);
+}
 async function resolveRunKey(env) {
   const fromEnv = env[RUN_KEY.envVar]?.trim();
   if (fromEnv) return fromEnv;
   try {
-    const home = env["OPENPOUCH_HOME"] ?? homedir();
-    const fromFile = (await readFile2(join2(home, ".openpouch", RUN_KEY.file), "utf8")).trim();
+    const fromFile = (await readFile2(runKeyPath(env), "utf8")).trim();
     if (fromFile.length > 0) return fromFile;
   } catch {
   }
@@ -4893,6 +4897,15 @@ function keyPublicPrefix(key) {
   const m = /^(op_live_[0-9a-f]+)_/.exec(key);
   return m ? m[1] : "op_live_\u2026";
 }
+function looksLikeOpenpouchKey(content) {
+  const t = content.trim();
+  if (t.length === 0) return true;
+  if (t.includes("\n")) return false;
+  return /^op_(?:live|test)_[0-9a-f]{6,}_[A-Za-z0-9_-]+$/.test(t);
+}
+function looksLikePrivateKey(content) {
+  return /-----BEGIN (?:[A-Z0-9 ]+ )?PRIVATE KEY-----/.test(content);
+}
 async function activateCommand(ctx, opts) {
   const account = opts.account?.trim();
   const token = opts.token?.trim();
@@ -4911,17 +4924,29 @@ async function activateCommand(ctx, opts) {
   try {
     const res = await adapter.verifyEmail(account, token);
     let saved = false;
-    let keyPath = "";
+    let reason;
+    const keyPath = opts.keyFile?.trim() || runKeyPath(ctx.env);
     try {
-      const home = ctx.env["OPENPOUCH_HOME"] ?? homedir2();
-      const dir = join3(home, ".openpouch");
-      await mkdir(dir, { recursive: true });
-      keyPath = join3(dir, "openpouch-run.key");
-      await writeFile3(keyPath, `${res.key}
+      let existing = null;
+      try {
+        existing = await readFile3(keyPath, "utf8");
+      } catch (e) {
+        if (e.code !== "ENOENT") throw e;
+      }
+      if (existing !== null && existing.trim().length > 0 && !looksLikeOpenpouchKey(existing)) {
+        const how = "Set OPENPOUCH_KEY_FILE (or pass --key-file) to a free path, or move that file.";
+        reason = looksLikePrivateKey(existing) ? `refusing to overwrite ${keyPath} \u2014 it looks like an existing private key. ${how}` : `refusing to overwrite ${keyPath} \u2014 it is not an openpouch key file. ${how}`;
+      } else {
+        await mkdir(dirname(keyPath), { recursive: true });
+        if (existing !== null && existing.trim().length > 0) {
+          await writeFile3(`${keyPath}.bak`, existing, { mode: 384 });
+        }
+        await writeFile3(keyPath, `${res.key}
 `, { mode: 384 });
-      saved = true;
-    } catch {
-      saved = false;
+        saved = true;
+      }
+    } catch (e) {
+      reason = `could not save the key to ${keyPath}: ${e.message}`;
     }
     return summarized(
       EXIT.OK,
@@ -4930,12 +4955,12 @@ async function activateCommand(ctx, opts) {
         account: res.account,
         keyPrefix: keyPublicPrefix(res.key),
         saved,
-        ...saved ? { keyPath } : { key: res.key }
+        ...saved ? { keyPath } : { reason, key: res.key }
       },
       activateSummary(saved),
       [
         `openpouch activate \u2713 ${res.account.id} [${res.account.tier}]`,
-        saved ? `  saved your key to ${keyPath} (chmod 600) \u2014 deploys now run under your account` : `  \u26A0 could not save the key file \u2014 set it yourself: export OPENPOUCH_API_KEY=${res.key}`,
+        ...saved ? [`  saved your key to ${keyPath} (chmod 600) \u2014 deploys now run under your account`] : [`  \u26A0 key NOT saved: ${reason}`, `  \u2192 use it now:  export OPENPOUCH_API_KEY=${res.key}`],
         `  key: ${keyPublicPrefix(res.key)}\u2026`
       ]
     );
@@ -4952,33 +4977,33 @@ import { createInterface } from "node:readline/promises";
 
 // packages/cli/src/approvals.ts
 import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
-import { mkdir as mkdir2, readFile as readFile3, writeFile as writeFile4 } from "node:fs/promises";
-import { homedir as homedir3, userInfo } from "node:os";
-import { join as join4 } from "node:path";
+import { mkdir as mkdir2, readFile as readFile4, writeFile as writeFile4 } from "node:fs/promises";
+import { homedir as homedir2, userInfo } from "node:os";
+import { join as join3 } from "node:path";
 var DEFAULT_TTL_MS = 24 * 60 * 60 * 1e3;
 async function loadApprovals(cwd) {
   try {
-    const raw = await readFile3(join4(cwd, APPROVALS_FILENAME), "utf8");
+    const raw = await readFile4(join3(cwd, APPROVALS_FILENAME), "utf8");
     return approvalsFileSchema.parse(JSON.parse(raw));
   } catch {
     return { version: 0, requests: [] };
   }
 }
 async function saveApprovals(cwd, file) {
-  await mkdir2(join4(cwd, APPROVALS_DIR), { recursive: true });
+  await mkdir2(join3(cwd, APPROVALS_DIR), { recursive: true });
   await ensureGitignored(cwd);
   await writeFile4(
-    join4(cwd, APPROVALS_FILENAME),
+    join3(cwd, APPROVALS_FILENAME),
     `${JSON.stringify(approvalsFileSchema.parse(file), null, 2)}
 `,
     "utf8"
   );
 }
 async function ensureGitignored(cwd) {
-  const path = join4(cwd, ".gitignore");
+  const path = join3(cwd, ".gitignore");
   let content = "";
   try {
-    content = await readFile3(path, "utf8");
+    content = await readFile4(path, "utf8");
   } catch {
   }
   if (!content.split("\n").some((line) => line.trim() === ".openpouch/")) {
@@ -4999,10 +5024,10 @@ function newApprovalRequest(match, now) {
   };
 }
 async function getApproverSecret(createIfMissing, home) {
-  const dir = join4(home ?? homedir3(), ".openpouch");
-  const path = join4(dir, "approver.secret");
+  const dir = join3(home ?? homedir2(), ".openpouch");
+  const path = join3(dir, "approver.secret");
   try {
-    const existing = (await readFile3(path, "utf8")).trim();
+    const existing = (await readFile4(path, "utf8")).trim();
     if (existing.length > 0) return existing;
   } catch {
   }
@@ -5322,11 +5347,11 @@ async function deployCommand(ctx, environment) {
 }
 
 // packages/cli/src/commands/init.ts
-import { join as join7 } from "node:path";
+import { join as join6 } from "node:path";
 
 // packages/cli/src/agentsmd.ts
-import { readFile as readFile4, writeFile as writeFile5 } from "node:fs/promises";
-import { join as join5 } from "node:path";
+import { readFile as readFile5, writeFile as writeFile5 } from "node:fs/promises";
+import { join as join4 } from "node:path";
 var AGENTS_MD_FILENAME = "AGENTS.md";
 var START = "<!-- openpouch:start -->";
 var END = "<!-- openpouch:end -->";
@@ -5338,6 +5363,7 @@ function renderAgentsSection(projectName) {
     "",
     `${projectName} deploys via openpouch \u2014 an agent-native deployment control plane. This works the same from any agent harness.`,
     "",
+    "- **Framework frontends (React/Vite/Next/Svelte\u2026): deploy the _built output_, not the source folder.** `openpouch deploy` ships whatever directory you run it in, as-is \u2014 so build first, then deploy the build directory: `npm run build`, then `cd dist && openpouch deploy` (Vite\u2192`dist/`, CRA\u2192`build/`, Next static export\u2192`out/`). A raw, unbuilt source folder is served as static files (the app won't run); server-side build-on-deploy is on the roadmap.",
     "- **Deployment truth** (what is live, where, which commit, rollback anchor): read `DEPLOYMENT.md` or `deploy.evidence.json`. Config lives in `deploy.manifest.json`, agent permissions in `deploy.policy.json`.",
     "- **CLI:** `openpouch inspect` \xB7 `plan` \xB7 `preview` (autonomous if policy allows) \xB7 `prod` \xB7 `verify` \xB7 `logs` \xB7 `rollback`. Add `--json` for a single machine-readable JSON object; errors come as `{category, message, fix}` \u2014 act on the fix. Exit codes are documented API.",
     "- **Relay the `summary` to your human:** every result (CLI `--json` and MCP) carries a top-level `summary` \u2014 plain-language, jargon-free text written for a non-technical operator. Pass it on verbatim: it says what happened, whether the app is live and healthy, the live link, and what (if anything) the human needs to do. The **live URL is the primary result** \u2014 on a successful deploy it's the top-level `url` field, ready to share.",
@@ -5349,11 +5375,11 @@ function renderAgentsSection(projectName) {
   ].join("\n");
 }
 async function upsertAgentsSection(cwd, projectName) {
-  const path = join5(cwd, AGENTS_MD_FILENAME);
+  const path = join4(cwd, AGENTS_MD_FILENAME);
   const section = renderAgentsSection(projectName);
   let existing;
   try {
-    existing = await readFile4(path, "utf8");
+    existing = await readFile5(path, "utf8");
   } catch {
     existing = void 0;
   }
@@ -5380,8 +5406,8 @@ ${section}
 }
 
 // packages/cli/src/detect.ts
-import { readFile as readFile5, readdir } from "node:fs/promises";
-import { basename, extname, join as join6 } from "node:path";
+import { readFile as readFile6, readdir } from "node:fs/promises";
+import { basename, extname, join as join5 } from "node:path";
 var FRAMEWORK_BY_DEP = [
   ["next", "nextjs"],
   ["astro", "astro"],
@@ -5416,7 +5442,7 @@ async function collectSourceFiles(root) {
     }
     for (const entry of entries) {
       if (files.length >= MAX_FILES) break;
-      const full = join6(current.dir, entry.name);
+      const full = join5(current.dir, entry.name);
       if (entry.isDirectory()) {
         if (!SKIP_DIRS.has(entry.name) && !entry.name.startsWith(".") && current.depth < MAX_DEPTH) {
           stack.push({ dir: full, depth: current.depth + 1 });
@@ -5433,7 +5459,7 @@ async function scanEnvVarNames(root) {
   for (const file of await collectSourceFiles(root)) {
     let content;
     try {
-      const buf = await readFile5(file);
+      const buf = await readFile6(file);
       if (buf.byteLength > MAX_FILE_BYTES) continue;
       content = buf.toString("utf8");
     } catch {
@@ -5451,7 +5477,7 @@ async function scanEnvVarNames(root) {
 async function detectProject(cwd) {
   let pkg = {};
   try {
-    pkg = JSON.parse(await readFile5(join6(cwd, "package.json"), "utf8"));
+    pkg = JSON.parse(await readFile6(join5(cwd, "package.json"), "utf8"));
   } catch {
   }
   const deps = { ...pkg.dependencies, ...pkg.devDependencies };
@@ -5561,8 +5587,8 @@ async function initCommand(ctx, flags) {
       "This is an openpouch bug \u2014 please report it."
     );
   }
-  await writeJsonFile(join7(ctx.cwd, MANIFEST_FILENAME), validated.value);
-  await writeJsonFile(join7(ctx.cwd, POLICY_FILENAME), defaultPolicy());
+  await writeJsonFile(join6(ctx.cwd, MANIFEST_FILENAME), validated.value);
+  await writeJsonFile(join6(ctx.cwd, POLICY_FILENAME), defaultPolicy());
   const agentsMd = await upsertAgentsSection(ctx.cwd, detected.name);
   hints.push("policy default: previews autonomous, production requires approval \u2014 edit deploy.policy.json to change");
   return summarized(
@@ -5602,8 +5628,8 @@ async function initCommand(ctx, flags) {
 
 // packages/cli/src/commands/instant.ts
 import { spawn } from "node:child_process";
-import { readFile as readFile6 } from "node:fs/promises";
-import { basename as basename2, join as join8 } from "node:path";
+import { readFile as readFile7 } from "node:fs/promises";
+import { basename as basename2, join as join7 } from "node:path";
 var TAR_EXCLUDES = [
   "./node_modules",
   "./.git",
@@ -5632,7 +5658,7 @@ function buildTarball(cwd) {
 }
 async function projectHint(cwd) {
   try {
-    const pkg = JSON.parse(await readFile6(join8(cwd, "package.json"), "utf8"));
+    const pkg = JSON.parse(await readFile7(join7(cwd, "package.json"), "utf8"));
     if (pkg.name) return pkg.name.replace(/^@[^/]+\//, "");
   } catch {
   }
@@ -5641,12 +5667,16 @@ async function projectHint(cwd) {
 async function instantCommand(ctx) {
   const loaded = await loadManifest(ctx.cwd);
   if (loaded.status === "ok") {
-    return errorResult(
-      EXIT.USAGE,
-      "usage",
-      "this project already has deploy.manifest.json",
-      "Use `openpouch preview` / `openpouch prod` for a configured project. `openpouch deploy` is the zero-config instant lane."
-    );
+    const envs = Object.values(loaded.manifest.environments ?? {});
+    const hasGovernedEnv = envs.some((e) => e.provider !== "openpouch-run");
+    if (hasGovernedEnv) {
+      return errorResult(
+        EXIT.USAGE,
+        "usage",
+        "this project already has deploy.manifest.json",
+        "Use `openpouch preview` / `openpouch prod` for a configured project. `openpouch deploy` is the zero-config instant lane."
+      );
+    }
   }
   let tarball;
   try {
@@ -5673,8 +5703,8 @@ async function instantCommand(ctx) {
         preview: { provider: "openpouch-run", serviceId: result2.slug, url: result2.url }
       }
     };
-    await writeJsonFile(join8(ctx.cwd, MANIFEST_FILENAME), manifest);
-    await writeJsonFile(join8(ctx.cwd, POLICY_FILENAME), defaultPolicy());
+    await writeJsonFile(join7(ctx.cwd, MANIFEST_FILENAME), manifest);
+    await writeJsonFile(join7(ctx.cwd, POLICY_FILENAME), defaultPolicy());
     await appendDeployment(ctx.cwd, {
       id: result2.slug,
       environment: "preview",
@@ -6216,8 +6246,9 @@ var USAGE = [
   "  --github       (signup) create an account via GitHub (prints the authorize URL)",
   "  --account <id> (activate) the account id from signup",
   "  --token <tok>  (activate) the verification token from the signup email",
+  "  --key-file <p> (activate) where to save the issued key (default ~/.openpouch/openpouch-run.key; never overwrites a non-openpouch file)",
   "",
-  "account key: deploys send Authorization: Bearer from OPENPOUCH_API_KEY or ~/.openpouch/openpouch-run.key (optional \u2014 no key = anonymous)",
+  "account key: deploys send Authorization: Bearer from OPENPOUCH_API_KEY or ~/.openpouch/openpouch-run.key (override the path with OPENPOUCH_KEY_FILE; optional \u2014 no key = anonymous)",
   "exit codes: 0 ok \xB7 1 unexpected \xB7 2 usage \xB7 3 manifest/policy missing or invalid \xB7 4 auth \xB7 5 provider \xB7 6 policy gate (approval required/denied/human required) \xB7 7 deploy failed \xB7 8 verify failed"
 ].join("\n");
 function render(result2, json) {
@@ -6240,7 +6271,8 @@ async function run(argv, ctx) {
         limit: { type: "string" },
         email: { type: "string" },
         account: { type: "string" },
-        token: { type: "string" }
+        token: { type: "string" },
+        "key-file": { type: "string" }
       },
       allowPositionals: true
     });
@@ -6269,7 +6301,14 @@ async function run(argv, ctx) {
       case "signup":
         return render(await signupCommand(ctx, { email: parsed.values.email, github: parsed.values.github === true }), json);
       case "activate":
-        return render(await activateCommand(ctx, { account: parsed.values.account, token: parsed.values.token }), json);
+        return render(
+          await activateCommand(ctx, {
+            account: parsed.values.account,
+            token: parsed.values.token,
+            keyFile: parsed.values["key-file"]
+          }),
+          json
+        );
       case "whoami":
         return render(await whoamiCommand(ctx), json);
       case "init":

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openpouch",
-  "version": "0.2.0",
+  "version": "0.2.2",
   "description": "openpouch 🦘 — agent-native hosting, built for coding agents. Deploy any folder to a live URL in one command: npx openpouch deploy",
   "license": "Apache-2.0",
   "type": "module",