thevoidforge 21.0.0

package/dist/wizard/lib/provisioners/scripts/docker-compose.js

@@ -0,0 +1,91 @@
+/**
+ * docker-compose.yml template generator.
+ */
+export function generateDockerCompose(opts) {
+    const services = [];
+    const volumes = [];
+    const envVars = [];
+    // App service
+    const appPort = opts.framework === 'django' ? '8000' : '3000';
+    const depends = [];
+    if (opts.database === 'postgres' || opts.database === 'mysql')
+        depends.push('db');
+    if (opts.cache === 'redis')
+        depends.push('redis');
+    let appService = `  app:
+    build: .
+    ports:
+      - "\${PORT:-${appPort}}:${appPort}"
+    env_file:
+      - .env
+    healthcheck:
+      test: ["CMD-SHELL", "wget --spider -q http://localhost:${appPort}/ || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 15s
+    restart: unless-stopped`;
+    if (depends.length > 0) {
+        appService += `\n    depends_on:\n${depends.map((d) => `      ${d}:\n        condition: service_healthy`).join('\n')}`;
+    }
+    services.push(appService);
+    // Database service
+    if (opts.database === 'postgres') {
+        envVars.push('DATABASE_URL=postgresql://${DB_USER:-postgres}:${DB_PASSWORD:-postgres}@db:5432/${DB_NAME:-app}');
+        services.push(`  db:
+    image: postgres:16-alpine
+    environment:
+      POSTGRES_USER: \${DB_USER:-postgres}
+      POSTGRES_PASSWORD: \${DB_PASSWORD:-postgres}
+      POSTGRES_DB: \${DB_NAME:-app}
+    expose:
+      - "5432"
+    volumes:
+      - db_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+    restart: unless-stopped`);
+        volumes.push('  db_data:');
+    }
+    if (opts.database === 'mysql') {
+        envVars.push('DATABASE_URL=mysql://root:${DB_PASSWORD:-mysql}@db:3306/${DB_NAME:-app}');
+        services.push(`  db:
+    image: mysql:8.0
+    environment:
+      MYSQL_ROOT_PASSWORD: \${DB_PASSWORD:-mysql}
+      MYSQL_DATABASE: \${DB_NAME:-app}
+    expose:
+      - "3306"
+    volumes:
+      - db_data:/var/lib/mysql
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+    restart: unless-stopped`);
+        volumes.push('  db_data:');
+    }
+    // Cache service
+    if (opts.cache === 'redis') {
+        envVars.push('REDIS_URL=redis://redis:6379');
+        services.push(`  redis:
+    image: redis:7-alpine
+    expose:
+      - "6379"
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+    restart: unless-stopped`);
+    }
+    let compose = `services:\n${services.join('\n\n')}\n`;
+    if (volumes.length > 0) {
+        compose += `\nvolumes:\n${volumes.join('\n')}\n`;
+    }
+    return compose;
+}

package/dist/wizard/lib/provisioners/scripts/dockerfile.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Dockerfile template generator — multi-stage builds per framework.
+ */
+export declare function generateDockerfile(framework: string): string;
+export declare function generateDockerignore(): string;

package/dist/wizard/lib/provisioners/scripts/dockerfile.js

@@ -0,0 +1,185 @@
+/**
+ * Dockerfile template generator — multi-stage builds per framework.
+ */
+export function generateDockerfile(framework) {
+    switch (framework) {
+        case 'next.js':
+            return nextjsDockerfile();
+        case 'express':
+            return expressDockerfile();
+        case 'django':
+            return djangoDockerfile();
+        case 'rails':
+            return railsDockerfile();
+        default:
+            return nodeDockerfile();
+    }
+}
+function nextjsDockerfile() {
+    return `# Stage 1: Dependencies
+FROM node:20-alpine AS deps
+WORKDIR /app
+COPY package.json package-lock.json* ./
+RUN npm ci --ignore-scripts
+
+# Stage 2: Build
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY --from=deps /app/node_modules ./node_modules
+COPY . .
+RUN npm run build
+
+# Stage 3: Production
+FROM node:20-alpine AS runner
+WORKDIR /app
+ENV NODE_ENV=production
+
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
+COPY --from=builder /app/public ./public
+COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
+
+USER nextjs
+EXPOSE 3000
+ENV PORT=3000
+ENV HOSTNAME="0.0.0.0"
+
+HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
+  CMD ["sh", "-c", "wget --spider -q http://localhost:3000/ || exit 1"]
+
+CMD ["node", "server.js"]
+`;
+}
+function expressDockerfile() {
+    return `# Stage 1: Build
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY package.json package-lock.json* ./
+RUN npm ci --ignore-scripts
+COPY . .
+RUN npm run build
+
+# Stage 2: Production
+FROM node:20-alpine
+WORKDIR /app
+ENV NODE_ENV=production
+
+RUN addgroup --system --gid 1001 appgroup
+RUN adduser --system --uid 1001 appuser
+
+COPY --from=builder /app/package.json ./
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/dist ./dist
+
+USER appuser
+EXPOSE 3000
+
+HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
+  CMD ["sh", "-c", "wget --spider -q http://localhost:3000/ || exit 1"]
+
+CMD ["node", "dist/index.js"]
+`;
+}
+function djangoDockerfile() {
+    return `FROM python:3.12-slim
+
+WORKDIR /app
+
+RUN addgroup --system --gid 1001 appgroup && \\
+    adduser --system --uid 1001 --gid 1001 appuser
+
+COPY requirements.txt ./
+RUN pip install --no-cache-dir -r requirements.txt
+
+COPY . .
+
+RUN python manage.py collectstatic --noinput
+
+USER appuser
+EXPOSE 8000
+
+HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
+  CMD ["python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/')"]
+
+CMD ["gunicorn", "--bind", "0.0.0.0:8000", "--workers", "3", "config.wsgi:application"]
+`;
+}
+function railsDockerfile() {
+    return `FROM ruby:3.3-slim
+
+WORKDIR /app
+
+RUN apt-get update -qq && \\
+    apt-get install --no-install-recommends -y build-essential libpq-dev && \\
+    rm -rf /var/lib/apt/lists/*
+
+COPY Gemfile Gemfile.lock ./
+RUN bundle install --without development test
+
+COPY . .
+
+RUN bundle exec rails assets:precompile
+
+RUN addgroup --system --gid 1001 appgroup && \\
+    adduser --system --uid 1001 --gid 1001 appuser && \\
+    chown -R appuser:appgroup /app
+
+USER appuser
+EXPOSE 3000
+
+HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
+  CMD ["sh", "-c", "wget --spider -q http://localhost:3000/ || exit 1"]
+
+CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"]
+`;
+}
+function nodeDockerfile() {
+    return `# Stage 1: Build
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY package.json package-lock.json* ./
+RUN npm ci --ignore-scripts
+COPY . .
+RUN npm run build
+
+# Stage 2: Production
+FROM node:20-alpine
+WORKDIR /app
+ENV NODE_ENV=production
+
+RUN addgroup --system --gid 1001 appgroup
+RUN adduser --system --uid 1001 appuser
+
+COPY --from=builder /app/package.json ./
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/dist ./dist
+
+USER appuser
+EXPOSE 3000
+
+HEALTHCHECK --interval=30s --timeout=3s --retries=3 \\
+  CMD ["sh", "-c", "wget --spider -q http://localhost:3000/ || exit 1"]
+
+CMD ["node", "dist/index.js"]
+`;
+}
+export function generateDockerignore() {
+    return `node_modules
+.git
+.gitignore
+.env
+.env.*
+*.md
+logs/
+docs/
+.claude/
+.next/cache
+dist/
+coverage/
+.vscode/
+.idea/
+*.log
+`;
+}

package/dist/wizard/lib/provisioners/scripts/ecosystem-config.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Template: ecosystem.config.js — PM2 process manager configuration.
+ * Written to projectDir/ecosystem.config.js
+ */
+interface EcosystemOptions {
+    projectName: string;
+    framework: string;
+}
+export declare function generateEcosystemConfig(opts: EcosystemOptions): string;
+export {};

package/dist/wizard/lib/provisioners/scripts/ecosystem-config.js

@@ -0,0 +1,36 @@
+/**
+ * Template: ecosystem.config.js — PM2 process manager configuration.
+ * Written to projectDir/ecosystem.config.js
+ */
+export function generateEcosystemConfig(opts) {
+    const isNextjs = opts.framework === 'next.js';
+    const script = isNextjs ? 'node_modules/.bin/next' : 'dist/index.js';
+    const args = isNextjs ? 'start' : '';
+    const instances = isNextjs ? '2' : 'max';
+    return `// ecosystem.config.js — PM2 configuration
+// Generated by VoidForge
+module.exports = {
+  apps: [
+    {
+      name: ${JSON.stringify(opts.projectName)},
+      script: '${script}',${args ? `\n      args: '${args}',` : ''}
+      instances: '${instances}',
+      exec_mode: 'cluster',
+      env_production: {
+        NODE_ENV: 'production',
+        PORT: 3000,
+      },
+      max_memory_restart: '512M',
+      max_restarts: 10,
+      min_uptime: '5s',
+      listen_timeout: 10000,
+      kill_timeout: 5000,
+      error_file: '/opt/app/logs/error.log',
+      out_file: '/opt/app/logs/out.log',
+      merge_logs: true,
+      time: true,
+    },
+  ],
+};
+`;
+}

package/dist/wizard/lib/provisioners/scripts/provision-vps.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Template: provision.sh — idempotent server setup for VPS.
+ * Includes security hardening (fail2ban, SSH, firewall), swap, log rotation.
+ * Written to projectDir/infra/provision.sh
+ */
+interface ProvisionScriptOptions {
+    framework: string;
+    database: string;
+    cache: string;
+    instanceType?: string;
+    extensions?: string[];
+}
+export declare function generateProvisionScript(opts: ProvisionScriptOptions): string;
+export {};

package/dist/wizard/lib/provisioners/scripts/provision-vps.js

@@ -0,0 +1,202 @@
+/**
+ * Template: provision.sh — idempotent server setup for VPS.
+ * Includes security hardening (fail2ban, SSH, firewall), swap, log rotation.
+ * Written to projectDir/infra/provision.sh
+ */
+// QA-001/SEC-009: Allowlist of safe PostgreSQL extensions — prevent SQL injection via extension names
+const ALLOWED_EXTENSIONS = ['postgis', 'pg_trgm', 'uuid-ossp', 'pgcrypto', 'citext', 'hstore', 'ltree', 'cube', 'earthdistance', 'unaccent', 'vector', 'pg_stat_statements', 'tablefunc', 'btree_gist', 'btree_gin', 'fuzzystrmatch'];
+/** Generate PostgreSQL extension install commands if extensions are specified. */
+function generateExtensionBlock(opts) {
+    if (!opts.extensions || opts.extensions.length === 0 || opts.database !== 'postgres')
+        return '';
+    // Filter to only allowed extensions
+    const safeExtensions = opts.extensions.filter(ext => ALLOWED_EXTENSIONS.includes(ext.toLowerCase().trim()));
+    if (safeExtensions.length === 0)
+        return '';
+    const lines = [
+        '',
+        '# ==========================================',
+        '# PostgreSQL Extensions',
+        '# ==========================================',
+    ];
+    for (const ext of safeExtensions) {
+        const extLower = ext.toLowerCase().trim();
+        if (extLower === 'postgis') {
+            lines.push('echo "Installing PostGIS..."');
+            lines.push('dnf install -y -q postgis34_16 || apt-get install -y -q postgresql-16-postgis-3 2>/dev/null || true');
+        }
+        else if (extLower === 'pg_trgm') {
+            lines.push('echo "Installing pg_trgm..."');
+            lines.push('# pg_trgm is included in postgresql-contrib (usually pre-installed)');
+            lines.push('dnf install -y -q postgresql16-contrib 2>/dev/null || apt-get install -y -q postgresql-contrib 2>/dev/null || true');
+        }
+        // CREATE EXTENSION is idempotent
+        lines.push(`sudo -u postgres psql -d "$\{DB_NAME:-app}" -c "CREATE EXTENSION IF NOT EXISTS ${extLower};" 2>/dev/null || true`);
+    }
+    return lines.join('\n');
+}
+export function generateProvisionScript(opts) {
+    const nodeSetup = ['next.js', 'express'].includes(opts.framework) || !opts.framework;
+    const pythonSetup = opts.framework === 'django';
+    const rubySetup = opts.framework === 'rails';
+    let runtimeInstall = '';
+    if (nodeSetup) {
+        runtimeInstall = `
+# Install Node.js 20.x
+if ! command -v node &>/dev/null; then
+  echo "Installing Node.js..."
+  curl -fsSL https://rpm.nodesource.com/setup_20.x | bash -
+  dnf install -y nodejs
+fi
+echo "Node.js $(node --version)"
+
+# Install PM2 globally
+if ! command -v pm2 &>/dev/null; then
+  npm install -g pm2
+fi
+echo "PM2 $(pm2 --version)"
+
+# Set up PM2 to start on boot
+pm2 startup systemd -u appuser --hp /opt/app 2>/dev/null || true`;
+    }
+    else if (pythonSetup) {
+        runtimeInstall = `
+# Install Python 3.12
+if ! command -v python3.12 &>/dev/null; then
+  echo "Installing Python 3.12..."
+  dnf install -y python3.12 python3.12-pip
+fi
+echo "Python $(python3.12 --version)"
+
+# Install gunicorn + supervisor
+pip3.12 install --quiet gunicorn supervisor`;
+    }
+    else if (rubySetup) {
+        runtimeInstall = `
+# Install Ruby
+if ! command -v ruby &>/dev/null; then
+  echo "Installing Ruby..."
+  dnf install -y ruby ruby-devel
+fi
+echo "Ruby $(ruby --version)"
+
+# Install bundler
+gem install bundler --no-document`;
+    }
+    return `#!/usr/bin/env bash
+# provision.sh — Idempotent VPS setup with security hardening
+# Generated by VoidForge. Safe to re-run.
+set -euo pipefail
+
+echo "=== VoidForge VPS Provisioning ==="
+
+# Update system
+echo "Updating packages..."
+dnf update -y -q
+
+# Install essentials
+dnf install -y -q git curl wget tar unzip
+${runtimeInstall}
+
+# Install Caddy (reverse proxy + auto HTTPS)
+if ! command -v caddy &>/dev/null; then
+  echo "Installing Caddy..."
+  dnf install -y 'dnf-command(copr)'
+  dnf copr enable -y @caddy/caddy
+  dnf install -y caddy
+  systemctl enable caddy
+fi
+echo "Caddy $(caddy version)"
+
+# ==========================================
+# Security Hardening
+# ==========================================
+
+# Install and configure fail2ban
+echo "Configuring fail2ban..."
+dnf install -y -q fail2ban
+cat > /etc/fail2ban/jail.local << 'JAIL'
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+maxretry = 5
+bantime = 3600
+findtime = 600
+JAIL
+systemctl enable --now fail2ban
+
+# Harden SSH — disable root login and password auth
+echo "Hardening SSH..."
+sed -i 's/^#\\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+sed -i 's/^#\\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
+systemctl reload sshd
+
+# Enable unattended security updates
+echo "Enabling automatic security updates..."
+dnf install -y -q dnf-automatic
+sed -i 's/^apply_updates.*/apply_updates = yes/' /etc/dnf/automatic.conf
+systemctl enable --now dnf-automatic-install.timer
+
+# ==========================================
+# Application Setup
+# ==========================================
+
+# Create app directories (release-directory structure)
+APP_DIR="/opt/app"
+mkdir -p "$APP_DIR/releases" "$APP_DIR/logs"
+
+# Create app user if not exists
+if ! id -u appuser &>/dev/null; then
+  useradd --system --home-dir "$APP_DIR" --shell /bin/bash appuser
+fi
+chown -R appuser:appuser "$APP_DIR"
+
+# ==========================================
+# Firewall — lock down then open
+# ==========================================
+echo "Configuring firewall..."
+if command -v firewall-cmd &>/dev/null; then
+  firewall-cmd --set-default-zone=drop 2>/dev/null || true
+  firewall-cmd --permanent --add-service=ssh 2>/dev/null || true
+  firewall-cmd --permanent --add-service=http 2>/dev/null || true
+  firewall-cmd --permanent --add-service=https 2>/dev/null || true
+  firewall-cmd --reload 2>/dev/null || true
+fi
+
+# ==========================================
+# Swap (prevents OOM during builds)
+# ==========================================
+${opts.instanceType === 't3.large' ? '# Swap skipped — t3.large has 8 GiB RAM' : `if [ ! -f /swapfile ]; then
+  echo "Setting up ${opts.instanceType === 't3.medium' ? '1GB' : '2GB'} swap..."
+  fallocate -l ${opts.instanceType === 't3.medium' ? '1G' : '2G'} /swapfile
+  chmod 600 /swapfile
+  mkswap /swapfile
+  swapon /swapfile
+  echo '/swapfile none swap sw 0 0' >> /etc/fstab
+fi`}
+
+# ==========================================
+# Log Rotation
+# ==========================================
+cat > /etc/logrotate.d/voidforge << 'LOGROTATE'
+/opt/app/logs/*.log {
+  daily
+  rotate 14
+  compress
+  delaycompress
+  missingok
+  notifempty
+  copytruncate
+}
+LOGROTATE
+
+${generateExtensionBlock(opts)}
+echo ""
+echo "=== Provisioning complete ==="
+echo "App directory: $APP_DIR/releases/ (symlinked via $APP_DIR/current)"
+echo "App user: appuser"
+echo "Security: fail2ban active, SSH hardened, firewall locked down"
+echo "Next: run deploy.sh to deploy your app"
+`;
+}

package/dist/wizard/lib/provisioners/scripts/rollback-vps.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Template: rollback.sh — swap to previous release directory.
+ * Compatible with deploy.sh's release-directory strategy.
+ * Written to projectDir/infra/rollback.sh
+ */
+interface RollbackScriptOptions {
+    framework: string;
+}
+export declare function generateRollbackScript(opts: RollbackScriptOptions): string;
+export {};

package/dist/wizard/lib/provisioners/scripts/rollback-vps.js

@@ -0,0 +1,67 @@
+/**
+ * Template: rollback.sh — swap to previous release directory.
+ * Compatible with deploy.sh's release-directory strategy.
+ * Written to projectDir/infra/rollback.sh
+ */
+export function generateRollbackScript(opts) {
+    const isNode = ['next.js', 'express'].includes(opts.framework) || !opts.framework;
+    const isDjango = opts.framework === 'django';
+    let restartCommands;
+    if (isNode) {
+        restartCommands = 'pm2 startOrRestart /opt/app/current/ecosystem.config.js --env production && pm2 save';
+    }
+    else if (isDjango) {
+        restartCommands = 'python3.12 manage.py migrate --noinput && supervisorctl restart app';
+    }
+    else {
+        restartCommands = 'RAILS_ENV=production bundle exec rails db:migrate && touch tmp/restart.txt';
+    }
+    return `#!/usr/bin/env bash
+# rollback.sh — Roll back to the previous release
+# Generated by VoidForge. Uses release-directory strategy.
+set -euo pipefail
+
+# Load environment
+if [ -f .env ]; then
+  set -a
+  source .env
+  set +a
+fi
+
+SSH_HOST="\${SSH_HOST:?Set SSH_HOST in .env}"
+SSH_USER="\${SSH_USER:-ec2-user}"
+SSH_KEY="\${SSH_KEY_PATH:-.ssh/deploy-key.pem}"
+RELEASES_DIR="/opt/app/releases"
+CURRENT_LINK="/opt/app/current"
+
+SSH_OPTS="-i $SSH_KEY -o StrictHostKeyChecking=accept-new"
+
+echo "=== Rolling back on $SSH_HOST ==="
+
+# Find current and previous releases
+CURRENT="$(ssh $SSH_OPTS $SSH_USER@$SSH_HOST "readlink $CURRENT_LINK 2>/dev/null || echo ''")"
+RELEASES="$(ssh $SSH_OPTS $SSH_USER@$SSH_HOST "ls -1d $RELEASES_DIR/*/ 2>/dev/null | sort")"
+PREVIOUS="$(echo "$RELEASES" | grep -B1 "$(basename "$CURRENT")" | head -1)"
+
+if [ -z "$PREVIOUS" ] || [ "$PREVIOUS" = "$CURRENT" ]; then
+  echo "No previous release to roll back to!"
+  echo "Available releases:"
+  ssh $SSH_OPTS $SSH_USER@$SSH_HOST "ls -1d $RELEASES_DIR/*/ 2>/dev/null"
+  exit 1
+fi
+
+echo "Current:  $(basename "$CURRENT")"
+echo "Rolling back to: $(basename "$PREVIOUS")"
+
+# Swap symlink
+ssh $SSH_OPTS $SSH_USER@$SSH_HOST "ln -sfn $PREVIOUS $CURRENT_LINK"
+
+# Restart
+ssh $SSH_OPTS $SSH_USER@$SSH_HOST "cd $CURRENT_LINK && ${restartCommands}"
+
+echo ""
+echo "=== Rollback complete ==="
+echo "Now running: $(basename "$PREVIOUS")"
+echo "Run deploy.sh to re-deploy the latest code."
+`;
+}

package/dist/wizard/lib/provisioners/self-deploy.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Self-Deploy Provisioner — deploys VoidForge itself to a remote VPS.
+ *
+ * Usage: npx voidforge deploy --self
+ *
+ * Steps:
+ * 1. Connect to VPS via SSH (EC2 or manual target)
+ * 2. Install: Node.js, Git, PM2, Caddy, Claude Code
+ * 3. Clone VoidForge, configure Caddy for HTTPS
+ * 4. Create forge-user (non-root PTY execution)
+ * 5. Generate initial admin credentials + TOTP secret
+ * 6. Start VoidForge as PM2-managed service
+ * 7. Report public URL + TOTP QR setup instructions
+ */
+export interface SelfDeployConfig {
+    sshHost: string;
+    sshUser: string;
+    sshKeyPath: string;
+    domain: string;
+    nodeVersion: string;
+    voidforgeRepo: string;
+    voidforgeBranch: string;
+}
+export interface SelfDeployResult {
+    publicUrl: string;
+    adminUsername: string;
+    totpSecret: string;
+    totpUri: string;
+    caddyDomain: string;
+    pm2Name: string;
+}
+/**
+ * Generate the provision script that runs on the remote VPS.
+ * This script is piped over SSH — no files need to exist on the remote first.
+ */
+export declare function generateProvisionScript(config: SelfDeployConfig): string;
+/**
+ * Generate the Caddy config template for manual setup.
+ * Used when the user wants to configure Caddy themselves.
+ */
+export declare function generateCaddyTemplate(domain: string): string;