phio 0.3.5 → 0.4.0

package/src/lib/defaultInstanceId.ts

@@ -1,48 +1,70 @@
-import { existsSync, readFileSync, writeFileSync } from 'fs'
-import { PHIO_INSTANCE_NAME } from './constants'
+import { existsSync, readFileSync, unlinkSync, writeFileSync } from 'fs'
+import { PHIO_CONFIG_FILE, PHIO_INSTANCE_NAME } from './constants'
 
-export const savedInstanceName = () => {
-  if (PHIO_INSTANCE_NAME()) {
-    return PHIO_INSTANCE_NAME()
+type PhioConfig = {
+  instanceName?: string
+}
+
+const readPhioConfig = (): PhioConfig | null => {
+  if (!existsSync(PHIO_CONFIG_FILE)) {
+    return null
+  }
+  return JSON.parse(readFileSync(PHIO_CONFIG_FILE).toString()) as PhioConfig
+}
+
+const writePhioConfig = (instanceName: string) => {
+  writeFileSync(PHIO_CONFIG_FILE, JSON.stringify({ instanceName }, null, 2) + '\n')
+}
+
+const migrateLegacyPackageJson = (): string | null => {
+  if (!existsSync('package.json')) {
+    return null
   }
-  if (existsSync('package.json')) {
-    const pkg = JSON.parse(readFileSync('package.json').toString())
-    if (pkg.pockethost?.instanceName) {
-      return pkg.pockethost.instanceName
-    }
+  const pkg = JSON.parse(readFileSync('package.json').toString())
+  const instanceName = pkg.pockethost?.instanceName
+  if (!instanceName) {
+    return null
   }
-  if (existsSync('pockethost.json')) {
-    const pkg = JSON.parse(readFileSync('pockethost.json').toString())
-    if (pkg.instanceName) {
-      return pkg.instanceName
-    }
+
+  writePhioConfig(instanceName)
+  delete pkg.pockethost.instanceName
+  if (Object.keys(pkg.pockethost).length === 0) {
+    delete pkg.pockethost
   }
-  return null
+  writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n')
+  console.log(`Migrated instance link from package.json to ${PHIO_CONFIG_FILE}`)
+  return instanceName
 }
 
-export const saveInstanceName = (
-  instanceName: string,
-  file: 'package.json' | 'pockethost.json'
-) => {
-  if (!existsSync(file)) {
-    // Create new file if it doesn't exist
-    const newContent =
-      file === 'package.json'
-        ? { pockethost: { instanceName } }
-        : { instanceName }
-    writeFileSync(file, JSON.stringify(newContent, null, 2))
-    return
+const migrateLegacyPockethostJson = (): string | null => {
+  if (!existsSync('pockethost.json')) {
+    return null
+  }
+  const legacy = JSON.parse(readFileSync('pockethost.json').toString())
+  const instanceName = legacy.instanceName
+  if (!instanceName) {
+    return null
   }
 
-  // Update existing file
-  const content = JSON.parse(readFileSync(file).toString())
+  writePhioConfig(instanceName)
+  unlinkSync('pockethost.json')
+  console.log(`Migrated instance link from pockethost.json to ${PHIO_CONFIG_FILE}`)
+  return instanceName
+}
+
+export const savedInstanceName = () => {
+  if (PHIO_INSTANCE_NAME()) {
+    return PHIO_INSTANCE_NAME()
+  }
 
-  if (file === 'package.json') {
-    content.pockethost = content.pockethost || {}
-    content.pockethost.instanceName = instanceName
-  } else {
-    content.instanceName = instanceName
+  const phioConfig = readPhioConfig()
+  if (phioConfig?.instanceName) {
+    return phioConfig.instanceName
   }
 
-  writeFileSync(file, JSON.stringify(content, null, 2))
+  return migrateLegacyPackageJson() ?? migrateLegacyPockethostJson()
+}
+
+export const saveInstanceName = (instanceName: string) => {
+  writePhioConfig(instanceName)
 }

package/src/lib/deployKey.ts

@@ -0,0 +1,222 @@
+import { chmodSync, existsSync, readFileSync, writeFileSync } from 'fs'
+import { generateKeyPairSync, type KeyObject } from 'crypto'
+import type PocketBase from 'pocketbase'
+import { PHIO_HOME } from './constants'
+import { fingerprintForPublicKey, parseSshEd25519PublicKey } from './sshPublicKey'
+import { isPkcs8PrivateKey, pkcs8Ed25519ToOpenSshPrivateKeyPem } from '../../vendor/ftp-deploy/sshPrivateKey'
+
+const SSH_KEYS_COLLECTION = 'ssh_keys'
+export const DEPLOY_KEY_LABEL = 'Phio'
+
+const PRIVATE_KEY_FILE = 'phio_deploy_ed25519'
+const PUBLIC_KEY_FILE = 'phio_deploy_ed25519.pub'
+
+export type DeployKeyPaths = {
+  privateKeyPath: string
+  publicKeyPath: string
+}
+
+export const getDeployKeyPaths = (): DeployKeyPaths => ({
+  privateKeyPath: PHIO_HOME(PRIVATE_KEY_FILE),
+  publicKeyPath: PHIO_HOME(PUBLIC_KEY_FILE),
+})
+
+const writeSshString = (value: Buffer | string) => {
+  const buf = typeof value === 'string' ? Buffer.from(value) : value
+  const len = Buffer.alloc(4)
+  len.writeUInt32BE(buf.length)
+  return Buffer.concat([len, buf])
+}
+
+const spkiToOpenSshPublicKey = (publicKey: KeyObject, comment = 'phio') => {
+  const der = publicKey.export({ format: 'der', type: 'spki' })
+  const raw = der.subarray(der.length - 32)
+  const wire = Buffer.concat([writeSshString('ssh-ed25519'), writeSshString(raw)])
+  return `ssh-ed25519 ${wire.toString('base64')} ${comment}`
+}
+
+const writeOpenSshPrivateKey = (privateKeyPath: string, privateKey: KeyObject) => {
+  const privateKeyPem = privateKey.export({ format: 'pem', type: 'pkcs8' }).toString()
+  writeFileSync(privateKeyPath, pkcs8Ed25519ToOpenSshPrivateKeyPem(privateKeyPem), { mode: 0o600 })
+}
+
+const migratePkcs8PrivateKeyIfNeeded = (privateKeyPath: string) => {
+  const pem = readFileSync(privateKeyPath, 'utf8')
+  if (!isPkcs8PrivateKey(pem)) {
+    return
+  }
+  writeFileSync(privateKeyPath, pkcs8Ed25519ToOpenSshPrivateKeyPem(pem), { mode: 0o600 })
+  try {
+    chmodSync(privateKeyPath, 0o600)
+  } catch {
+    // Windows may ignore mode bits
+  }
+}
+
+const ensureLocalKeyPair = () => {
+  const { privateKeyPath, publicKeyPath } = getDeployKeyPaths()
+
+  if (existsSync(privateKeyPath) && existsSync(publicKeyPath)) {
+    migratePkcs8PrivateKeyIfNeeded(privateKeyPath)
+    return {
+      privateKeyPath,
+      publicKeyPath,
+      publicKey: readFileSync(publicKeyPath, 'utf8').trim(),
+    }
+  }
+
+  const { publicKey, privateKey } = generateKeyPairSync('ed25519')
+  const publicKeyLine = spkiToOpenSshPublicKey(publicKey)
+  writeOpenSshPrivateKey(privateKeyPath, privateKey)
+  writeFileSync(publicKeyPath, `${publicKeyLine}\n`, { mode: 0o644 })
+  try {
+    chmodSync(privateKeyPath, 0o600)
+  } catch {
+    // Windows may ignore mode bits
+  }
+
+  return {
+    privateKeyPath,
+    publicKeyPath,
+    publicKey: publicKeyLine,
+  }
+}
+
+const publicKeysMatch = (localPublicKey: string, remotePublicKey: string) => {
+  const local = parseSshEd25519PublicKey(localPublicKey)
+  const remote = parseSshEd25519PublicKey(remotePublicKey)
+  return local.normalized === remote.normalized
+}
+
+export type DeployKeyRemoteStatus = 'not_checked' | 'missing' | 'registered' | 'mismatch'
+
+export type DeployKeyStatus = {
+  local: 'missing' | 'present'
+  privateKeyPath: string
+  publicKeyPath: string
+  fingerprint?: string
+  remote: DeployKeyRemoteStatus
+}
+
+const readLocalDeployKey = () => {
+  const { privateKeyPath, publicKeyPath } = getDeployKeyPaths()
+  if (!existsSync(privateKeyPath) || !existsSync(publicKeyPath)) {
+    return { local: 'missing' as const, privateKeyPath, publicKeyPath }
+  }
+
+  const publicKey = readFileSync(publicKeyPath, 'utf8').trim()
+  const parsed = parseSshEd25519PublicKey(publicKey)
+  return {
+    local: 'present' as const,
+    privateKeyPath,
+    publicKeyPath,
+    publicKey: parsed.normalized,
+    fingerprint: fingerprintForPublicKey(parsed.normalized),
+  }
+}
+
+/** Read-only deploy key status. Does not generate keys or register remotely. */
+export const getDeployKeyStatus = async (client?: PocketBase): Promise<DeployKeyStatus> => {
+  const localKey = readLocalDeployKey()
+  if (localKey.local === 'missing') {
+    return {
+      local: 'missing',
+      privateKeyPath: localKey.privateKeyPath,
+      publicKeyPath: localKey.publicKeyPath,
+      remote: client?.authStore.isValid ? 'missing' : 'not_checked',
+    }
+  }
+
+  let remote: DeployKeyRemoteStatus = client?.authStore.isValid ? 'missing' : 'not_checked'
+  if (client?.authStore.isValid) {
+    const userId = client.authStore.record?.id
+    if (userId) {
+      try {
+        const remoteKey = await client.collection(SSH_KEYS_COLLECTION).getFirstListItem(
+          `user=${JSON.stringify(userId)} && label=${JSON.stringify(DEPLOY_KEY_LABEL)}`
+        )
+        remote = publicKeysMatch(localKey.publicKey, remoteKey.public_key) ? 'registered' : 'mismatch'
+      } catch {
+        remote = 'missing'
+      }
+    }
+  }
+
+  return {
+    local: 'present',
+    privateKeyPath: localKey.privateKeyPath,
+    publicKeyPath: localKey.publicKeyPath,
+    fingerprint: localKey.fingerprint,
+    remote,
+  }
+}
+
+export const formatDeployKeyRemoteStatus = (remote: DeployKeyRemoteStatus) => {
+  switch (remote) {
+    case 'registered':
+      return 'registered (matches local)'
+    case 'missing':
+      return 'not registered (created on deploy)'
+    case 'mismatch':
+      return 'mismatch with local key'
+    case 'not_checked':
+      return 'not checked'
+  }
+}
+
+/**
+ * Ensures a local Ed25519 deploy key exists under PHIO_HOME and that Account → Keys
+ * has a matching "Phio" entry. Creates the remote key on first run.
+ */
+export const ensureDeployKey = async (client: PocketBase) => {
+  const userId = client.authStore.record?.id
+  if (!userId) {
+    throw new Error(`You must be logged in first. Use 'phio login'`)
+  }
+
+  const { privateKeyPath, publicKeyPath, publicKey } = ensureLocalKeyPair()
+  const parsed = parseSshEd25519PublicKey(publicKey)
+  const fingerprint = fingerprintForPublicKey(parsed.normalized)
+
+  let remoteKey: { id: string; public_key: string } | undefined
+  try {
+    remoteKey = await client.collection(SSH_KEYS_COLLECTION).getFirstListItem(
+      `user=${JSON.stringify(userId)} && label=${JSON.stringify(DEPLOY_KEY_LABEL)}`
+    )
+  } catch {
+    remoteKey = undefined
+  }
+
+  if (remoteKey) {
+    if (!publicKeysMatch(parsed.normalized, remoteKey.public_key)) {
+      throw new Error(
+        `Account key "${DEPLOY_KEY_LABEL}" does not match the local key in ${PHIO_HOME()}. ` +
+          `Update it at https://pockethost.io/account/keys or delete ${PUBLIC_KEY_FILE} to regenerate locally.`
+      )
+    }
+    return { privateKeyPath, publicKeyPath, publicKey: parsed.normalized, fingerprint }
+  }
+
+  try {
+    await client.collection(SSH_KEYS_COLLECTION).create({
+      label: DEPLOY_KEY_LABEL,
+      public_key: parsed.normalized,
+      fingerprint,
+      all_instances: true,
+      instances: [],
+      user: userId,
+    })
+    console.log(`Registered SFTP deploy key "${DEPLOY_KEY_LABEL}" under Account → Keys`)
+  } catch (error) {
+    const message = `${error}`
+    if (message.includes('fingerprint') || message.includes('unique')) {
+      throw new Error(
+        `This deploy key is already registered under a different label. ` +
+          `Add or rename a key labeled "${DEPLOY_KEY_LABEL}" at https://pockethost.io/account/keys.`
+      )
+    }
+    throw error
+  }
+
+  return { privateKeyPath, publicKeyPath, publicKey: parsed.normalized, fingerprint }
+}

package/src/lib/fetchEventSource.ts

@@ -0,0 +1,3 @@
+import microsoftFetchEventSource from '@microsoft/fetch-event-source'
+
+export const { fetchEventSource } = microsoftFetchEventSource

package/src/lib/getClient.ts

@@ -2,9 +2,32 @@ import PocketBase from 'pocketbase'
 import { runTasks } from './../lib/Task'
 import { config } from './config'
 import { PHIO_MOTHERSHIP_URL, PHIO_PASSWORD, PHIO_USERNAME } from './constants'
+import { ensureDeployKey } from './deployKey'
 import { ensureLoggedIn } from './ensureLoggedIn'
 
 let client: PocketBase | undefined
+
+export type AuthStatus =
+  | { state: 'logged_out' }
+  | { state: 'session_expired'; email: string }
+  | { state: 'authenticated'; email: string; client: PocketBase }
+
+export const resolveAuthStatus = async (): Promise<AuthStatus> => {
+  const savedEmail = config('email')
+  const client = await getClient()
+
+  if (client.authStore.isValid) {
+    const email = (client.authStore.record?.email as string | undefined) || savedEmail || ''
+    return { state: 'authenticated', email, client }
+  }
+
+  if (savedEmail) {
+    return { state: 'session_expired', email: savedEmail }
+  }
+
+  return { state: 'logged_out' }
+}
+
 export const getClient = async () => {
   if (client) {
     return client
@@ -33,8 +56,12 @@ export const getClient = async () => {
       }
       config('pb_auth', client.authStore.exportToCookie())
     })
-    await client.collection(`users`).authRefresh()
-    config(`pb_auth`, client.authStore.exportToCookie())
+    try {
+      await client.collection(`users`).authRefresh()
+      config(`pb_auth`, client.authStore.exportToCookie())
+    } catch {
+      client.authStore.clear()
+    }
   }
   return client
 }
@@ -72,5 +99,6 @@ const unsafeLogin = async (username: string, password: string) => {
 export const login = async (username: string, password: string) => {
   const client = await getClient()
   await unsafeLogin(username, password)
+  await ensureDeployKey(client)
   return client.authStore
 }

package/src/lib/phioRoot.ts

@@ -0,0 +1,67 @@
+import { existsSync } from 'fs'
+import env from 'env-var'
+import { dirname, join, relative } from 'path'
+import { fileURLToPath } from 'url'
+import { PHIO_CONFIG_FILE } from './constants'
+
+const phioPackageRoot = join(dirname(fileURLToPath(import.meta.url)), '..', '..')
+
+const isInsidePhioCliPackage = (dir: string): boolean => {
+  const rel = relative(phioPackageRoot, dir)
+  return rel === '' || (!rel.startsWith('..') && rel !== '')
+}
+
+const resolveStartDir = (startDir: string): string => {
+  if (isInsidePhioCliPackage(startDir)) {
+    return dirname(phioPackageRoot)
+  }
+  return startDir
+}
+
+const walkUp = (startDir: string, predicate: (dir: string) => boolean): string | null => {
+  let dir = startDir
+  while (true) {
+    if (predicate(dir)) {
+      return dir
+    }
+    const parent = dirname(dir)
+    if (parent === dir) {
+      return null
+    }
+    dir = parent
+  }
+}
+
+const hasPhioConfig = (dir: string): boolean => {
+  return existsSync(join(dir, PHIO_CONFIG_FILE)) && !isInsidePhioCliPackage(dir)
+}
+
+const hasProjectPackageJson = (dir: string): boolean => {
+  return existsSync(join(dir, 'package.json')) && !isInsidePhioCliPackage(dir)
+}
+
+export const findPhioRoot = (
+  startDir = env.get('PHIO_PROJECT_DIR').asString() ??
+    process.env.INIT_CWD ??
+    process.cwd()
+): string => {
+  const resolvedStart = resolveStartDir(startDir)
+
+  const phioConfigRoot = walkUp(resolvedStart, hasPhioConfig)
+  if (phioConfigRoot) {
+    return phioConfigRoot
+  }
+
+  const packageJsonRoot = walkUp(resolvedStart, hasProjectPackageJson)
+  if (packageJsonRoot) {
+    return packageJsonRoot
+  }
+
+  return resolvedStart
+}
+
+export const ensurePhioRoot = (): string => {
+  const root = findPhioRoot()
+  process.chdir(root)
+  return root
+}

package/src/lib/sftpConnection.ts

@@ -0,0 +1,33 @@
+export const PHIO_SFTP_HOST = 'ftp.pockethost.io'
+export const PHIO_SFTP_PORT = 2222
+
+export type SftpConnection = {
+  host: string
+  port: number
+  username: string
+  privateKeyPath: string
+  remoteDir: string
+}
+
+export const buildSftpTarget = ({ username, host, remoteDir }: SftpConnection) => {
+  const userHost = `${username}@${host}`
+  return remoteDir ? `${userHost}:${remoteDir}` : userHost
+}
+
+export const buildSftpArgs = (connection: SftpConnection) => [
+  '-i',
+  connection.privateKeyPath,
+  '-P',
+  String(connection.port),
+  buildSftpTarget(connection),
+]
+
+const shellQuote = (value: string) => {
+  if (/^[a-zA-Z0-9_./:-]+$/.test(value)) {
+    return value
+  }
+  return `'${value.replace(/'/g, `'\\''`)}'`
+}
+
+export const formatSftpCommand = (connection: SftpConnection, sftpBin = 'sftp') =>
+  [sftpBin, ...buildSftpArgs(connection).map(shellQuote)].join(' ')

package/src/lib/sshPublicKey.ts

@@ -0,0 +1,128 @@
+import { createHash } from 'crypto'
+
+/** ssh-ed25519 public key parsing (mirrors pockethost/common). */
+
+const ED25519_ALGO = 'ssh-ed25519'
+const ED25519_WIRE_KEY_LEN = 32
+const ED25519_WIRE_LEN = 4 + ED25519_ALGO.length + 4 + ED25519_WIRE_KEY_LEN
+
+export type ParsedSshEd25519PublicKey = {
+  normalized: string
+  wire: Uint8Array
+}
+
+const readUint32BE = (bytes: Uint8Array, offset: number) => {
+  if (offset + 4 > bytes.length) {
+    throw new Error('Invalid public key encoding.')
+  }
+  return (
+    ((bytes[offset]! << 24) | (bytes[offset + 1]! << 16) | (bytes[offset + 2]! << 8) | bytes[offset + 3]!) >>> 0
+  )
+}
+
+const readSshString = (bytes: Uint8Array, offset: number) => {
+  const length = readUint32BE(bytes, offset)
+  offset += 4
+  if (length < 0 || offset + length > bytes.length) {
+    throw new Error('Invalid public key encoding.')
+  }
+  const value = bytes.slice(offset, offset + length)
+  return { value, nextOffset: offset + length }
+}
+
+const bytesToAscii = (bytes: Uint8Array) => {
+  let out = ''
+  for (let i = 0; i < bytes.length; i++) {
+    out += String.fromCharCode(bytes[i]!)
+  }
+  return out
+}
+
+const decodeBase64 = (value: string) => {
+  const normalized = value.replace(/[\s\r\n]+/g, '')
+  if (!normalized || normalized.length % 4 === 1 || !/^[A-Za-z0-9+/]+=*$/.test(normalized)) {
+    throw new Error('Public key base64 is invalid.')
+  }
+
+  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
+  const bytes: number[] = []
+  let buffer = 0
+  let bits = 0
+
+  for (const char of normalized.replace(/=+$/, '')) {
+    const index = alphabet.indexOf(char)
+    if (index === -1) {
+      throw new Error('Public key base64 is invalid.')
+    }
+    buffer = (buffer << 6) | index
+    bits += 6
+    if (bits >= 8) {
+      bits -= 8
+      bytes.push((buffer >> bits) & 0xff)
+    }
+  }
+
+  return new Uint8Array(bytes)
+}
+
+const validateWire = (wire: Uint8Array) => {
+  if (wire.length !== ED25519_WIRE_LEN) {
+    throw new Error('Invalid Ed25519 public key length.')
+  }
+
+  let offset = 0
+  const algo = readSshString(wire, offset)
+  offset = algo.nextOffset
+  if (bytesToAscii(algo.value) !== ED25519_ALGO) {
+    throw new Error('Public key algorithm must be ssh-ed25519.')
+  }
+
+  const key = readSshString(wire, offset)
+  if (key.value.length !== ED25519_WIRE_KEY_LEN) {
+    throw new Error('Invalid Ed25519 public key length.')
+  }
+  if (key.nextOffset !== wire.length) {
+    throw new Error('Invalid public key encoding.')
+  }
+}
+
+export const parseSshEd25519PublicKey = (input: string): ParsedSshEd25519PublicKey => {
+  const trimmed = input.trim()
+  if (!trimmed) {
+    throw new Error('Public key is required.')
+  }
+
+  const lines = trimmed
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter(Boolean)
+  if (lines.length > 1) {
+    throw new Error('Paste a single public key line only.')
+  }
+
+  const line = lines[0] ?? ''
+  const parts = line.split(/\s+/).filter(Boolean)
+  if (parts.length < 2) {
+    throw new Error('Public key must look like: ssh-ed25519 AAAA… comment')
+  }
+
+  const algo = parts[0]
+  const keyData = parts[1]
+  if (algo !== ED25519_ALGO) {
+    throw new Error('Only ssh-ed25519 public keys are supported.')
+  }
+
+  const wire = decodeBase64(keyData!)
+  validateWire(wire)
+
+  const comment = parts.slice(2).join(' ')
+  const normalized = comment ? `${ED25519_ALGO} ${keyData} ${comment}` : `${ED25519_ALGO} ${keyData}`
+
+  return { normalized, wire }
+}
+
+export const fingerprintForPublicKey = (publicKeyLine: string): string => {
+  const { wire } = parseSshEd25519PublicKey(publicKeyLine)
+  const hash = createHash('sha256').update(wire).digest('base64').replace(/=+$/, '')
+  return `SHA256:${hash}`
+}