pgserve 2.5.0 → 2.6.0

package/README.md

@@ -101,17 +101,14 @@ psql postgresql://localhost:8432/myapp
 ## Installation
 
 ```bash
-# Zero install (recommended)
-npx pgserve
-
-# Global install
-npm install -g pgserve
+# Canonical install — signed binary from GitHub Releases
+curl -fsSL https://raw.githubusercontent.com/namastexlabs/pgserve/main/install.sh | bash
 
-# Project dependency
-npm install pgserve
+# Pinned version
+PGSERVE_VERSION=v2.6.0 curl -fsSL .../install.sh | bash
 ```
 
-> PostgreSQL binaries are automatically downloaded on first run (~100MB).
+> `install.sh` fetches the signed tarball from GitHub Releases and verifies it via `gh attestation verify` (Sigstore Rekor public-good). Requires the [`gh` CLI](https://cli.github.com/). pgserve no longer depends on npm — the install + upgrade path is binary tarballs all the way down.
 
 ### Windows
 

package/bin/pgserve-wrapper.cjs

@@ -47,6 +47,25 @@ const __installSubcommands = new Set([
   // `verify` shells out to cosign + writes an HMAC cache token. Pure node
   // (no bun) so it must skip the bun probe like the install surface above.
   'verify',
+  // pgserve singleton (v2.4) — wish Group 3, read-only V1. `doctor` runs
+  // entirely in node (admin.json + supervisor probes + socket reachability)
+  // and must skip the bun probe so it works on any installed binary.
+  'doctor',
+  // pgserve singleton (v2.4) — wish Group 3. `trust` manages the
+  // user-extensible cosign trust store at ~/.pgserve/trust/identities.json.
+  // Pure node, must skip bun probe.
+  'trust',
+  // pgserve singleton (v2.4) — wish Group 3, verb 3. `gc` shells out to
+  // psql to scan pgserve_meta + pg_database, classify orphans, and
+  // (under --apply) DROP DATABASE. Pure node + child_process, must skip
+  // the bun probe.
+  'gc',
+  // pgserve singleton (v2.4) — wish Group 3, verb 4. `provision` shells
+  // out to psql to CREATE ROLE / CREATE DATABASE / GRANT / INSERT INTO
+  // pgserve_meta. Idempotency-driven (no advisory lock — see
+  // src/commands/provision.js header for why). Pure node + child_process,
+  // must skip bun probe.
+  'provision',
 ]);
 if (__subcommand && __installSubcommands.has(__subcommand)) {
   const cli = require(path.join(__dirname, '..', 'src', 'cli-install.cjs'));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pgserve",
-  "version": "2.5.0",
+  "version": "2.6.0",
   "description": "Embedded PostgreSQL server with true concurrent connections - zero config, auto-provision databases",
   "main": "src/index.js",
   "type": "module",

package/scripts/aggregate-manifest.sh

@@ -0,0 +1,184 @@
+#!/usr/bin/env bash
+#
+# aggregate-manifest.sh — Group 8 of autopg-distribution-cutover.
+#
+# Walks dist/autopg-<version>-<platform>.tar.gz, gathers each tarball's
+# SHA256 + signature URL + provenance URL + platform tuple, and emits
+# dist/manifest.json that consumers (install.sh, autopg update) read to
+# resolve a download for a given (channel, version, platform).
+#
+# This runs after Group 8 signing + provenance generation and before
+# Group 9 (CDN publish).
+#
+# Usage:
+#   bash scripts/aggregate-manifest.sh --version 2.260503.1
+#   bash scripts/aggregate-manifest.sh --version 2.260503.1 --base-url https://cdn.automagik.dev/autopg/stable/2.260503.1
+#
+# Output:
+#   dist/manifest.json
+#
+# Exit codes:
+#   0  ok
+#   1  IO failure
+#   2  invalid args / missing inputs
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+DIST_DIR="${AUTOPG_DIST_DIR:-${REPO_ROOT}/dist}"
+
+usage() {
+  cat <<EOF
+Usage: $0 --version <v> [--base-url <url>] [--channel <c>] [--cosign-pub-url <url>]
+
+  --version          autopg version, e.g. 2.260503.1 (or read from package.json)
+  --base-url         absolute base URL prefix for tarball URLs
+                     (default: relative — consumers resolve against the
+                      directory the manifest sits in).
+  --channel          channel hint embedded in the manifest (stable|beta|canary).
+                     default: stable
+  --cosign-pub-url   absolute URL to the published cosign public key.
+                     default: <base-url>/../../keys/cosign.pub for production
+                     (cdn.automagik.dev layout) or "keys/cosign.pub" relative.
+
+Reads:
+  dist/autopg-<version>-<platform>.tar.gz
+  dist/autopg-<version>-<platform>.tar.gz.sha256
+  dist/autopg-<version>-<platform>.tar.gz.sig          (optional)
+  dist/autopg-<version>-<platform>.tar.gz.intoto.jsonl (optional)
+
+Writes:
+  dist/manifest.json
+EOF
+}
+
+parse_args() {
+  VERSION="${AUTOPG_VERSION:-}"
+  BASE_URL=""
+  CHANNEL="stable"
+  COSIGN_PUB_URL=""
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --version)        VERSION="$2";        shift 2 ;;
+      --base-url)       BASE_URL="$2";       shift 2 ;;
+      --channel)        CHANNEL="$2";        shift 2 ;;
+      --cosign-pub-url) COSIGN_PUB_URL="$2"; shift 2 ;;
+      -h|--help)        usage; exit 0 ;;
+      *) echo "unknown arg: $1" >&2; usage; exit 2 ;;
+    esac
+  done
+  if [[ -z "$VERSION" ]]; then
+    VERSION=$(node -p "require('${REPO_ROOT}/package.json').version" 2>/dev/null || echo "")
+  fi
+  if [[ -z "$VERSION" ]]; then
+    echo "error: --version required (or set in package.json)" >&2; exit 2
+  fi
+}
+
+# Portable SHA256 — sha256sum on linux, shasum -a 256 on macOS.
+sha256_of() {
+  if command -v sha256sum >/dev/null 2>&1; then
+    sha256sum "$1" | awk '{print $1}'
+  else
+    shasum -a 256 "$1" | awk '{print $1}'
+  fi
+}
+
+prefix_url() {
+  local rel="$1"
+  if [[ -n "$BASE_URL" ]]; then
+    printf '%s/%s' "${BASE_URL%/}" "$rel"
+  else
+    printf '%s' "$rel"
+  fi
+}
+
+emit_entry() {
+  local tarball="$1"
+  local first="$2"
+  local base platform sha sz
+  base=$(basename "$tarball")
+  # Strip "autopg-<version>-" prefix and ".tar.gz" suffix to get platform.
+  platform="${base#autopg-${VERSION}-}"
+  platform="${platform%.tar.gz}"
+
+  if [[ ! -f "${tarball}.sha256" ]]; then
+    echo "error: ${tarball}.sha256 missing — run assemble-tarball.sh first" >&2
+    return 1
+  fi
+  sha=$(awk '{print $1}' "${tarball}.sha256")
+  sz=$(stat -c %s "$tarball" 2>/dev/null || stat -f %z "$tarball")
+
+  local sig_url="" prov_url=""
+  if [[ -f "${tarball}.sig" ]]; then
+    sig_url=$(prefix_url "${base}.sig")
+  fi
+  if [[ -f "${tarball}.intoto.jsonl" ]]; then
+    prov_url=$(prefix_url "${base}.intoto.jsonl")
+  fi
+
+  if [[ "$first" -eq 0 ]]; then printf ',\n'; fi
+  printf '    {\n'
+  printf '      "platform": "%s",\n' "$platform"
+  printf '      "file": "%s",\n'     "$base"
+  printf '      "url": "%s",\n'      "$(prefix_url "$base")"
+  printf '      "sha256": "%s",\n'   "$sha"
+  printf '      "size": %d,\n'       "$sz"
+  printf '      "signature_url": "%s",\n' "$sig_url"
+  printf '      "provenance_url": "%s"\n' "$prov_url"
+  printf '    }'
+}
+
+main() {
+  parse_args "$@"
+  [[ -d "$DIST_DIR" ]] || { echo "error: $DIST_DIR not a directory" >&2; exit 2; }
+
+  local tarballs=()
+  while IFS= read -r line; do
+    tarballs+=("$line")
+  done < <(find "$DIST_DIR" -maxdepth 1 -name "autopg-${VERSION}-*.tar.gz" -type f | LC_ALL=C sort)
+
+  if [[ ${#tarballs[@]} -eq 0 ]]; then
+    echo "error: no autopg-${VERSION}-*.tar.gz files in ${DIST_DIR}" >&2
+    exit 2
+  fi
+
+  local generated_at
+  generated_at=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+
+  local out="${DIST_DIR}/manifest.json"
+  {
+    printf '{\n'
+    printf '  "name": "autopg",\n'
+    printf '  "version": "%s",\n' "$VERSION"
+    printf '  "channel": "%s",\n' "$CHANNEL"
+    printf '  "schemaVersion": 1,\n'
+    printf '  "generated_at": "%s",\n' "$generated_at"
+    local cpub
+    if [[ -n "$COSIGN_PUB_URL" ]]; then
+      cpub="$COSIGN_PUB_URL"
+    elif [[ -n "$BASE_URL" ]]; then
+      # CDN layout: <base>/autopg/<channel>/<version>/manifest.json
+      # Public key lives at: <base>/autopg/keys/cosign.pub
+      # If caller passes the full <base>/autopg/<channel>/<version> as
+      # base-url, walk two levels up to reach the keys/ sibling.
+      cpub="${BASE_URL%/*}"
+      cpub="${cpub%/*}/keys/cosign.pub"
+    else
+      cpub="keys/cosign.pub"
+    fi
+    printf '  "cosign_pub_url": "%s",\n' "$cpub"
+    printf '  "platforms": [\n'
+    local first=1
+    for t in "${tarballs[@]}"; do
+      emit_entry "$t" "$first"
+      first=0
+    done
+    printf '\n  ]\n'
+    printf '}\n'
+  } > "$out"
+
+  echo "==> manifest: $out ($(wc -l < "$out") lines, ${#tarballs[@]} platforms)"
+}
+
+main "$@"

package/scripts/assemble-tarball.sh

@@ -0,0 +1,191 @@
+#!/usr/bin/env bash
+#
+# assemble-tarball.sh — Group 7 of autopg-distribution-cutover.
+#
+# Assembles a single platform tarball with the locked shape:
+#
+#   autopg/
+#     autopg                  # static binary (from build-binary.sh)
+#     postgres/
+#       bin/*                 # postgres + initdb + libpq + ...
+#       share/*               # timezone data, locale, etc.
+#     manifest.json           # per-file SHA256 + size
+#
+# The tarball lives at:
+#   dist/autopg-<version>-<platform>.tar.gz
+# and a sibling .sha256 file holds the outer hash for Group 8 (cosign sign)
+# and Group 9 (CDN publish) to consume.
+#
+# Inputs come from dist/<platform>/autopg/{autopg, postgres/}, populated by
+# build-binary.sh + fetch-postgres-bins.sh.
+#
+# Usage:
+#   scripts/assemble-tarball.sh --platform linux-x64-glibc
+#   scripts/assemble-tarball.sh --all --version 2.260503.1
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+DIST_DIR="${AUTOPG_DIST_DIR:-${REPO_ROOT}/dist}"
+
+PLATFORMS=(linux-x64-glibc linux-x64-musl linux-arm64 darwin-x64 darwin-arm64)
+
+usage() {
+  cat <<EOF
+Usage: $0 (--platform <p> | --all) [--version <v>]
+
+Platforms: ${PLATFORMS[*]}
+
+Inputs (must already exist):
+  dist/<platform>/autopg/autopg               (build-binary.sh)
+  dist/<platform>/autopg/postgres/bin/*       (fetch-postgres-bins.sh)
+  dist/<platform>/autopg/postgres/share/*     (fetch-postgres-bins.sh)
+
+Outputs:
+  dist/autopg-<version>-<platform>.tar.gz
+  dist/autopg-<version>-<platform>.tar.gz.sha256
+EOF
+}
+
+parse_args() {
+  TARGET_PLATFORM=""
+  ASSEMBLE_ALL=0
+  VERSION="${AUTOPG_VERSION:-}"
+
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --platform) TARGET_PLATFORM="$2"; shift 2 ;;
+      --all)      ASSEMBLE_ALL=1; shift ;;
+      --version)  VERSION="$2"; shift 2 ;;
+      -h|--help)  usage; exit 0 ;;
+      *) echo "unknown arg: $1" >&2; usage; exit 2 ;;
+    esac
+  done
+
+  if [[ "$ASSEMBLE_ALL" -eq 0 && -z "$TARGET_PLATFORM" ]]; then
+    echo "error: pass --platform <p> or --all" >&2; usage; exit 2
+  fi
+
+  if [[ -z "$VERSION" ]]; then
+    VERSION=$(node -p "require('${REPO_ROOT}/package.json').version" 2>/dev/null || echo "0.0.0")
+  fi
+}
+
+# Portable SHA256 — use sha256sum on linux, shasum -a 256 on macOS.
+sha256_of() {
+  if command -v sha256sum >/dev/null 2>&1; then
+    sha256sum "$1" | awk '{print $1}'
+  else
+    shasum -a 256 "$1" | awk '{print $1}'
+  fi
+}
+
+# Emit manifest.json for the given platform's staged tree.
+# Walks autopg/ relative to <root>/, skipping manifest.json itself.
+emit_manifest() {
+  local root="$1" platform="$2" out="$3"
+
+  pushd "$root" >/dev/null
+  {
+    printf '{\n'
+    printf '  "name": "autopg",\n'
+    printf '  "version": "%s",\n' "$VERSION"
+    printf '  "platform": "%s",\n' "$platform"
+    printf '  "schemaVersion": 1,\n'
+    printf '  "files": [\n'
+
+    local first=1
+    while IFS= read -r f; do
+      [[ "$f" == "autopg/manifest.json" ]] && continue
+      local h sz
+      h=$(sha256_of "$f")
+      sz=$(stat -c %s "$f" 2>/dev/null || stat -f %z "$f")
+      if [[ $first -eq 1 ]]; then
+        first=0
+      else
+        printf ',\n'
+      fi
+      printf '    { "path": "%s", "sha256": "%s", "size": %d }' "$f" "$h" "$sz"
+    done < <(find autopg -type f | LC_ALL=C sort)
+
+    printf '\n  ]\n'
+    printf '}\n'
+  } > "$out"
+  popd >/dev/null
+}
+
+# Verify staged inputs are present + executable.
+verify_inputs() {
+  local stage="$1" platform="$2"
+  local missing=0
+  for required in autopg/autopg autopg/postgres/bin/postgres; do
+    if [[ ! -f "${stage}/${required}" ]]; then
+      echo "error: ${platform}: missing ${required}" >&2
+      missing=1
+    fi
+  done
+  return $missing
+}
+
+assemble_one() {
+  local platform="$1"
+  local stage="${DIST_DIR}/${platform}"
+  local tarball="${DIST_DIR}/autopg-${VERSION}-${platform}.tar.gz"
+  local outer_sha="${tarball}.sha256"
+
+  if [[ ! -d "${stage}/autopg" ]]; then
+    echo "error: ${stage}/autopg/ does not exist (run build-binary.sh + fetch-postgres-bins.sh first)" >&2
+    return 1
+  fi
+
+  echo "==> [${platform}] assemble tarball"
+  # `assemble_one` is invoked from main as `assemble_one ... || rc=$?` which
+  # disables `set -e` for the duration of this function. Each potentially-
+  # failing command needs explicit `|| return 1` to halt early instead of
+  # silently producing a corrupt tarball (gemini bot review HIGH on PR #84).
+  verify_inputs "$stage" "$platform" || return 1
+
+  # 1) emit per-file manifest BEFORE the tarball is rolled — manifest is
+  #    bundled inside.
+  emit_manifest "$stage" "$platform" "${stage}/autopg/manifest.json" || return 1
+
+  # 2) ensure binaries are executable inside the tar.
+  chmod +x "${stage}/autopg/autopg" || true
+  find "${stage}/autopg/postgres/bin" -type f -exec chmod +x {} +
+
+  # 3) build deterministic tarball: sorted entries, locked mtime.
+  local tar_flags=()
+  if tar --help 2>&1 | grep -q -- '--sort=name'; then
+    tar_flags+=(--sort=name)
+  fi
+  if tar --help 2>&1 | grep -q -- '--mtime='; then
+    tar_flags+=(--mtime=2026-01-01)
+  fi
+  if tar --help 2>&1 | grep -q -- '--owner='; then
+    tar_flags+=(--owner=0 --group=0 --numeric-owner)
+  fi
+
+  tar -C "$stage" -czf "$tarball" "${tar_flags[@]}" autopg/ || return 1
+  echo "    ✓ tarball: $tarball ($(du -h "$tarball" | cut -f1))"
+
+  # 4) outer SHA256 — Group 8 cosign-signs this; Group 9 publishes both.
+  sha256_of "$tarball" > "$outer_sha" || return 1
+  echo "    ✓ sha256:  $(cat "$outer_sha")  $(basename "$tarball")"
+}
+
+main() {
+  parse_args "$@"
+  mkdir -p "$DIST_DIR"
+
+  local rc=0
+  if [[ "$ASSEMBLE_ALL" -eq 1 ]]; then
+    for p in "${PLATFORMS[@]}"; do
+      assemble_one "$p" || rc=$?
+    done
+  else
+    assemble_one "$TARGET_PLATFORM" || rc=$?
+  fi
+  exit $rc
+}
+
+main "$@"

package/scripts/build-binary.sh

@@ -0,0 +1,213 @@
+#!/usr/bin/env bash
+#
+# build-binary.sh — Group 7 of autopg-distribution-cutover.
+#
+# Compiles the autopg CLI to a static binary using `bun build --compile`
+# for one or all of the 5 supported platforms:
+#
+#   linux-x64-glibc, linux-x64-musl, linux-arm64,
+#   darwin-x64, darwin-arm64
+#
+# Outputs land at: dist/<platform>/autopg/autopg
+#
+# Per the wish G7 fallback contract (distribution-exodus G1): if
+# `bun build --compile` fails for a target, retry with `pkg`/`nexe`
+# when AUTOPG_BUILD_FALLBACK=1. The fallback is recorded in the build
+# log so Group 9's CDN publish can surface it.
+#
+# Usage:
+#   scripts/build-binary.sh --platform linux-x64-glibc
+#   scripts/build-binary.sh --all
+#   scripts/build-binary.sh --platform darwin-arm64 --version 2.260503.1
+#
+# Exit codes:
+#   0  success
+#   1  bun build failed AND fallback disabled or also failed
+#   2  invalid arguments / unsupported platform
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+ENTRY_POINT="${AUTOPG_ENTRY_POINT:-bin/postgres-server.js}"
+DIST_DIR="${AUTOPG_DIST_DIR:-${REPO_ROOT}/dist}"
+FALLBACK_ENABLED="${AUTOPG_BUILD_FALLBACK:-0}"
+
+PLATFORMS=(linux-x64-glibc linux-x64-musl linux-arm64 darwin-x64 darwin-arm64)
+
+# Map autopg platform tag → bun --target value.
+bun_target_for() {
+  case "$1" in
+    linux-x64-glibc) echo "bun-linux-x64" ;;
+    linux-x64-musl)  echo "bun-linux-x64-musl" ;;
+    linux-arm64)     echo "bun-linux-arm64" ;;
+    darwin-x64)      echo "bun-darwin-x64" ;;
+    darwin-arm64)    echo "bun-darwin-arm64" ;;
+    *) return 1 ;;
+  esac
+}
+
+usage() {
+  cat <<EOF
+Usage: $0 (--platform <p> | --all) [--version <v>] [--entry <path>]
+
+Platforms: ${PLATFORMS[*]}
+
+Environment:
+  AUTOPG_ENTRY_POINT       Override entry file (default: bin/postgres-server.js)
+  AUTOPG_DIST_DIR          Override output root (default: \$REPO/dist)
+  AUTOPG_BUILD_FALLBACK    Set to 1 to retry failed bun builds via pkg/nexe
+EOF
+}
+
+parse_args() {
+  TARGET_PLATFORM=""
+  BUILD_ALL=0
+  VERSION="${AUTOPG_VERSION:-}"
+
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --platform) TARGET_PLATFORM="$2"; shift 2 ;;
+      --all)      BUILD_ALL=1; shift ;;
+      --version)  VERSION="$2"; shift 2 ;;
+      --entry)    ENTRY_POINT="$2"; shift 2 ;;
+      -h|--help)  usage; exit 0 ;;
+      *) echo "unknown arg: $1" >&2; usage; exit 2 ;;
+    esac
+  done
+
+  if [[ "$BUILD_ALL" -eq 0 && -z "$TARGET_PLATFORM" ]]; then
+    echo "error: pass --platform <p> or --all" >&2
+    usage; exit 2
+  fi
+
+  if [[ -z "$VERSION" ]]; then
+    VERSION=$(node -p "require('${REPO_ROOT}/package.json').version" 2>/dev/null || echo "0.0.0")
+  fi
+}
+
+build_one() {
+  local platform="$1"
+  local target
+  target="$(bun_target_for "$platform")" || {
+    echo "error: unsupported platform: $platform" >&2
+    return 2
+  }
+
+  local out_dir="${DIST_DIR}/${platform}/autopg"
+  # `build_one` runs without `set -e` (called via `|| rc=$?` in main), so
+  # mkdir failures must propagate explicitly (gemini PR #84 HIGH review).
+  mkdir -p "$out_dir" || return 1
+  local outfile="${out_dir}/autopg"
+
+  echo "==> [${platform}] bun build --compile --target=${target}"
+  if bun build --compile \
+       --target="${target}" \
+       --define BUILD_VERSION="'${VERSION}'" \
+       "${REPO_ROOT}/${ENTRY_POINT}" \
+       --outfile "${outfile}" 2>&1 | tee -a "${DIST_DIR}/build.log"; then
+    echo "    ✓ built: ${outfile}"
+    record_build "$platform" "bun" "ok"
+    return 0
+  fi
+
+  echo "    ✗ bun build failed for ${platform}" >&2
+
+  if [[ "$FALLBACK_ENABLED" -eq 1 ]]; then
+    echo "==> [${platform}] retry via pkg/nexe (AUTOPG_BUILD_FALLBACK=1)"
+    if try_fallback "$platform" "$outfile"; then
+      record_build "$platform" "fallback" "ok"
+      return 0
+    fi
+    record_build "$platform" "fallback" "fail"
+  else
+    record_build "$platform" "bun" "fail"
+  fi
+
+  return 1
+}
+
+# Fallback: try pkg first, then nexe. Both consume the same entrypoint and
+# emit a single executable. We only attempt the fallback when bun fails;
+# this is per the distribution-exodus G1 contract.
+try_fallback() {
+  local platform="$1"
+  local outfile="$2"
+
+  if command -v pkg >/dev/null 2>&1; then
+    echo "    -> trying pkg"
+    local pkg_target
+    pkg_target="$(pkg_target_for "$platform")" || return 1
+    if pkg --target "$pkg_target" \
+           --output "$outfile" \
+           "${REPO_ROOT}/${ENTRY_POINT}" 2>&1 | tee -a "${DIST_DIR}/build.log"; then
+      echo "    ✓ pkg succeeded"
+      return 0
+    fi
+  fi
+
+  if command -v nexe >/dev/null 2>&1; then
+    echo "    -> trying nexe"
+    local nexe_target
+    nexe_target="$(nexe_target_for "$platform")" || return 1
+    if nexe --target "$nexe_target" \
+            --output "$outfile" \
+            "${REPO_ROOT}/${ENTRY_POINT}" 2>&1 | tee -a "${DIST_DIR}/build.log"; then
+      echo "    ✓ nexe succeeded"
+      return 0
+    fi
+  fi
+
+  echo "    ✗ no fallback worked (install pkg or nexe to enable)" >&2
+  return 1
+}
+
+pkg_target_for() {
+  case "$1" in
+    linux-x64-glibc) echo "node20-linux-x64" ;;
+    linux-x64-musl)  echo "node20-linuxstatic-x64" ;;
+    linux-arm64)     echo "node20-linux-arm64" ;;
+    darwin-x64)      echo "node20-macos-x64" ;;
+    darwin-arm64)    echo "node20-macos-arm64" ;;
+    *) return 1 ;;
+  esac
+}
+
+nexe_target_for() {
+  case "$1" in
+    linux-x64-glibc) echo "linux-x64-20.0.0" ;;
+    linux-x64-musl)  echo "alpine-x64-20.0.0" ;;
+    linux-arm64)     echo "linux-arm64-20.0.0" ;;
+    darwin-x64)      echo "mac-x64-20.0.0" ;;
+    darwin-arm64)    echo "mac-arm64-20.0.0" ;;
+    *) return 1 ;;
+  esac
+}
+
+record_build() {
+  local platform="$1" tool="$2" status="$3"
+  local rec="${DIST_DIR}/build-record.tsv"
+  mkdir -p "$DIST_DIR"
+  printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%FT%TZ)" "$platform" "$tool" "$status" "$VERSION" >> "$rec"
+}
+
+main() {
+  parse_args "$@"
+  mkdir -p "$DIST_DIR"
+  : > "${DIST_DIR}/build.log"
+
+  local rc=0
+  if [[ "$BUILD_ALL" -eq 1 ]]; then
+    for p in "${PLATFORMS[@]}"; do
+      build_one "$p" || rc=$?
+    done
+  else
+    build_one "$TARGET_PLATFORM" || rc=$?
+  fi
+
+  if [[ $rc -ne 0 ]]; then
+    echo "error: at least one build target failed (see ${DIST_DIR}/build.log)" >&2
+  fi
+  exit $rc
+}
+
+main "$@"