tova 0.12.0 → 0.13.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tova",
-  "version": "0.12.0",
+  "version": "0.13.0",
   "description": "Tova — a modern programming language that transpiles to JavaScript, unifying frontend and backend",
   "type": "module",
   "main": "src/index.js",

package/src/analyzer/analyzer.js

@@ -751,6 +751,11 @@ export class Analyzer {
   // ─── Visitors ─────────────────────────────────────────────
 
   visitProgram(node) {
+    // Hoist top-level function and type declarations so forward references
+    // within the same module (or merged directory group) resolve correctly —
+    // matches JavaScript hoisting semantics of the emitted code.
+    this._hoistTopLevel(node.body);
+
     for (const stmt of node.body) {
       if (this.tolerant) {
         try { this.visitNode(stmt); } catch (e) { /* skip nodes that crash in tolerant mode */ }
@@ -760,6 +765,37 @@ export class Analyzer {
     }
   }
 
+  _hoistTopLevel(body) {
+    for (const stmt of body) {
+      const target = stmt && stmt.type === 'ExportDefault' ? stmt.declaration : stmt;
+      if (!target) continue;
+      if (target.type === 'FunctionDeclaration') {
+        if (this.currentScope.lookupLocal && this.currentScope.lookupLocal(target.name)) continue;
+        try {
+          const sym = new Symbol(target.name, 'function', target.returnType, false, target.loc);
+          sym._params = target.params.map(p => p.name);
+          sym._totalParamCount = target.params.length;
+          sym._requiredParamCount = target.params.filter(p => !p.defaultValue).length;
+          sym._paramTypes = target.params.map(p => p.typeAnnotation || null);
+          sym._typeParams = target.typeParams || [];
+          sym.isPublic = target.isPublic || false;
+          sym.isWasm = !!(target.decorators && target.decorators.some(d => d.name === 'wasm'));
+          sym._forward = true;
+          this.currentScope.define(target.name, sym);
+        } catch { /* duplicate — visitor will report */ }
+      } else if (target.type === 'TypeDeclaration' || target.type === 'TypeAlias') {
+        if (this.currentScope.lookupLocal && this.currentScope.lookupLocal(target.name)) continue;
+        try {
+          const sym = new Symbol(target.name, 'type', null, false, target.loc);
+          sym._typeParams = target.typeParams || [];
+          sym._forward = true;
+          sym.isPublic = target.isPublic || false;
+          this.currentScope.define(target.name, sym);
+        } catch { /* duplicate — visitor will report */ }
+      }
+    }
+  }
+
   visitNode(node) {
     if (!node) return;
 
@@ -3152,6 +3188,7 @@ export class Analyzer {
   }
 
   visitTypeAlias(node) {
+    this._checkNamingConvention(node.name, 'type', node.loc);
     try {
       const typeSym = new Symbol(node.name, 'type', null, false, node.loc);
       // Store type alias info for resolution

package/src/cli/deploy.js

@@ -1,7 +1,18 @@
-import { color } from './utils.js';
+import { resolve } from 'path';
+import { readFileSync, statSync } from 'fs';
+import { createInterface } from 'readline';
+import { color, findFiles } from './utils.js';
+import { resolveConfig } from '../config/resolve.js';
+import { Lexer } from '../lexer/lexer.js';
+import { Parser } from '../parser/parser.js';
+import { Program } from '../parser/ast.js';
+import { CodeGenerator } from '../codegen/codegen.js';
 
 export async function deployCommand(args) {
-  const { parseDeployArgs } = await import('../deploy/deploy.js');
+  const { parseDeployArgs, deploy } = await import('../deploy/deploy.js');
+  const { makeRunner, realExecutor, makeDryRunExecutor } = await import('../deploy/ssh-runner.js');
+  const { buildProject } = await import('./build.js');
+
   const deployArgs = parseDeployArgs(args);
 
   if (!deployArgs.envName && !deployArgs.list) {
@@ -9,7 +20,108 @@ export async function deployCommand(args) {
     process.exit(1);
   }
 
-  // For now, just parse and build — full SSH deployment is wired in integration
-  console.log(color.cyan('Deploy feature is being implemented...'));
-  console.log('Parsed args:', deployArgs);
+  const projectDir = process.cwd();
+  const isDryRun = process.env.TOVA_DEPLOY_DRY_RUN === '1';
+  const executor = isDryRun ? makeDryRunExecutor() : realExecutor;
+  const runner = makeRunner(executor);
+
+  deployArgs.confirm = isDryRun ? null : promptConfirm;
+
+  if (isDryRun) {
+    console.log(color.cyan('  [dry-run] No SSH commands will be executed.'));
+  }
+
+  // --list with no env: skip parsing the project
+  if (deployArgs.list && !deployArgs.envName) {
+    if (!deployArgs.server) {
+      console.error(color.red('Error: --list requires --server <user@host> when no environment is specified'));
+      process.exit(1);
+    }
+    try {
+      await deploy({ type: 'Program', body: [] }, {}, deployArgs, projectDir, runner);
+    } catch (err) {
+      console.error(color.red(`Error: ${err.message}`));
+      process.exit(1);
+    }
+    return;
+  }
+
+  const config = resolveConfig(projectDir);
+  const entry = resolve(config.project?.entry || '.');
+  const scanDir = existsDir(entry) ? entry : projectDir;
+  // Run the production build using the resolved scanDir so the deploy command
+  // honours the same fallback (entry → project root) as the deploy parser.
+  deployArgs.buildProject = (extraArgs) => buildProject([scanDir, ...extraArgs]);
+  const tovaFiles = findFiles(scanDir, '.tova');
+
+  if (tovaFiles.length === 0) {
+    console.error(color.red(`Error: no .tova files found in ${scanDir}`));
+    process.exit(1);
+  }
+
+  let ast, output;
+  try {
+    ({ ast, output } = parseAndGenerate(tovaFiles));
+  } catch (err) {
+    console.error(color.red(`Error parsing project: ${err.message}`));
+    process.exit(1);
+  }
+
+  if (!output.deploy || !output.deploy[deployArgs.envName]) {
+    const available = output.deploy ? Object.keys(output.deploy) : [];
+    const hint = available.length > 0
+      ? ` Available environments: ${available.join(', ')}`
+      : ' No deploy blocks found in project.';
+    console.error(color.red(`Error: no deploy block named "${deployArgs.envName}".${hint}`));
+    process.exit(1);
+  }
+
+  try {
+    await deploy(ast, output, deployArgs, projectDir, runner);
+  } catch (err) {
+    console.error(color.red(`Error: ${err.message}`));
+    process.exit(1);
+  }
+}
+
+function existsDir(path) {
+  try {
+    return statSync(path).isDirectory();
+  } catch {
+    return false;
+  }
+}
+
+function parseAndGenerate(files) {
+  const mergedBody = [];
+  for (const file of files) {
+    const source = readFileSync(file, 'utf-8');
+    const lexer = new Lexer(source, file);
+    const tokens = lexer.tokenize();
+    const parser = new Parser(tokens, file);
+    const fileAst = parser.parse();
+    if (parser.errors && parser.errors.length > 0) {
+      throw new Error(`${file}: ${parser.errors[0].message || parser.errors[0]}`);
+    }
+    for (const node of fileAst.body) mergedBody.push(node);
+  }
+  const ast = new Program(mergedBody);
+  const gen = new CodeGenerator(ast);
+  const output = gen.generate();
+  return { ast, output };
+}
+
+function promptConfirm(message) {
+  // Without a TTY (e.g., CI, piped scripts), refuse the destructive action.
+  if (!process.stdin.isTTY) {
+    console.error(color.red(`${message} Refusing without a TTY — re-run interactively to confirm.`));
+    return Promise.resolve(false);
+  }
+  return new Promise(resolve => {
+    const rl = createInterface({ input: process.stdin, output: process.stdout });
+    rl.question(`${message} Type 'yes' to confirm: `, answer => {
+      rl.close();
+      resolve(answer.trim().toLowerCase() === 'yes');
+    });
+  });
 }

package/src/codegen/codegen.js

@@ -5,57 +5,23 @@
 import { SharedCodegen } from './shared-codegen.js';
 import { BUILTIN_NAMES } from '../stdlib/inline.js';
 import { BlockRegistry } from '../registry/register-all.js';
-import { createRequire } from 'node:module';
-
-const _require = createRequire(import.meta.url);
-
-let _ServerCodegen = null;
-function getServerCodegen() {
-  if (!_ServerCodegen) _ServerCodegen = _require('./server-codegen.js').ServerCodegen;
-  return _ServerCodegen;
-}
-
-let _BrowserCodegen = null;
-function getBrowserCodegen() {
-  if (!_BrowserCodegen) _BrowserCodegen = _require('./browser-codegen.js').BrowserCodegen;
-  return _BrowserCodegen;
-}
-
-let _SecurityCodegen = null;
-function getSecurityCodegen() {
-  if (!_SecurityCodegen) _SecurityCodegen = _require('./security-codegen.js').SecurityCodegen;
-  return _SecurityCodegen;
-}
-
-let _CliCodegen = null;
-function getCliCodegen() {
-  if (!_CliCodegen) _CliCodegen = _require('./cli-codegen.js').CliCodegen;
-  return _CliCodegen;
-}
-
-let _EdgeCodegen = null;
-function getEdgeCodegen() {
-  if (!_EdgeCodegen) _EdgeCodegen = _require('./edge-codegen.js').EdgeCodegen;
-  return _EdgeCodegen;
-}
-
-let _DeployCodegen = null;
-function getDeployCodegen() {
-  if (!_DeployCodegen) _DeployCodegen = _require('./deploy-codegen.js').DeployCodegen;
-  return _DeployCodegen;
-}
-
-let _ThemeCodegen = null;
-function getThemeCodegen() {
-  if (!_ThemeCodegen) _ThemeCodegen = _require('./theme-codegen.js').ThemeCodegen;
-  return _ThemeCodegen;
-}
-
-let _AuthCodegen = null;
-function getAuthCodegen() {
-  if (!_AuthCodegen) _AuthCodegen = _require('./auth-codegen.js').AuthCodegen;
-  return _AuthCodegen;
-}
+import { ServerCodegen } from './server-codegen.js';
+import { BrowserCodegen } from './browser-codegen.js';
+import { SecurityCodegen } from './security-codegen.js';
+import { CliCodegen } from './cli-codegen.js';
+import { EdgeCodegen } from './edge-codegen.js';
+import { DeployCodegen } from './deploy-codegen.js';
+import { ThemeCodegen } from './theme-codegen.js';
+import { AuthCodegen } from './auth-codegen.js';
+
+function getServerCodegen() { return ServerCodegen; }
+function getBrowserCodegen() { return BrowserCodegen; }
+function getSecurityCodegen() { return SecurityCodegen; }
+function getCliCodegen() { return CliCodegen; }
+function getEdgeCodegen() { return EdgeCodegen; }
+function getDeployCodegen() { return DeployCodegen; }
+function getThemeCodegen() { return ThemeCodegen; }
+function getAuthCodegen() { return AuthCodegen; }
 
 export class CodeGenerator {
   constructor(ast, filename = '<stdin>', options = {}) {

package/src/deploy/deploy.js

@@ -134,9 +134,11 @@ export function printPlan(infra) {
  * @param {string} projectDir - Absolute path to the project directory
  * @returns {Object} result with plan, infra, and status
  */
-export async function deploy(ast, buildResult, deployArgs, projectDir) {
-  // Infer full infrastructure manifest from AST
-  const infra = inferInfrastructure(ast);
+export async function deploy(ast, buildResult, deployArgs, projectDir, runner = null) {
+  // Infer full infrastructure manifest from AST. When an env name is given,
+  // filter to that deploy block so env vars and databases do not leak across
+  // environments in multi-environment programs.
+  const infra = inferInfrastructure(ast, deployArgs.envName);
 
   // Override environment name from CLI args
   if (deployArgs.envName) {
@@ -153,65 +155,65 @@ export async function deploy(ast, buildResult, deployArgs, projectDir) {
     if (envConfig.branch) infra.branch = envConfig.branch;
   }
 
-  // Plan mode — just show what would be deployed
+  // Plan mode — just show what would be deployed (no SSH execution)
   if (deployArgs.plan) {
     printPlan(infra);
     return { action: 'plan', infra };
   }
 
-  // Rollback mode — stub
+  // Rollback
   if (deployArgs.rollback) {
     console.log(`  Rolling back ${deployArgs.envName}...`);
-    // TODO: SSH into server, symlink previous release
+    if (runner) await runner.rollback(infra);
     return { action: 'rollback', infra };
   }
 
-  // Logs mode — stub
+  // Logs
   if (deployArgs.logs) {
     const since = deployArgs.since || '1 hour ago';
     const instance = deployArgs.instance !== null ? ` (instance ${deployArgs.instance})` : '';
     console.log(`  Fetching logs for ${deployArgs.envName}${instance} since ${since}...`);
-    // TODO: SSH into server, journalctl/tail logs
+    if (runner) await runner.logs(infra, { since, instance: deployArgs.instance });
     return { action: 'logs', infra };
   }
 
-  // Status mode — stub
+  // Status
   if (deployArgs.status) {
     console.log(`  Checking status of ${deployArgs.envName}...`);
-    // TODO: SSH into server, check systemd service status
+    if (runner) await runner.status(infra);
     return { action: 'status', infra };
   }
 
-  // SSH mode — stub
+  // Interactive SSH
   if (deployArgs.ssh) {
     console.log(`  Opening SSH session to ${deployArgs.envName}...`);
-    // TODO: spawn interactive SSH session
+    if (runner) await runner.ssh(infra);
     return { action: 'ssh', infra };
   }
 
-  // Setup git push-to-deploy — stub
+  // Git push-to-deploy
   if (deployArgs.setupGit) {
     console.log(`  Setting up git push-to-deploy for ${deployArgs.envName}...`);
-    // TODO: SSH into server, configure bare repo + post-receive hook
+    if (runner) await runner.setupGit(infra);
     return { action: 'setup-git', infra };
   }
 
-  // Remove deployment — stub
+  // Remove
   if (deployArgs.remove) {
     console.log(`  Removing deployment ${deployArgs.envName}...`);
-    // TODO: SSH into server, stop services, remove files
+    if (runner) await runner.remove(infra, { confirm: deployArgs.confirm });
     return { action: 'remove', infra };
   }
 
-  // List deployments — stub
+  // List
   if (deployArgs.list) {
     console.log('  Listing deployments...');
-    // TODO: SSH into server, list ~/apps/
+    if (runner) await runner.list(infra, { server: deployArgs.server });
     return { action: 'list', infra };
   }
 
-  // Default: full deploy — stub
+  // Default — full deploy
   console.log(`  Deploying to ${deployArgs.envName}...`);
-  // TODO: rsync build, run provision script, restart services
+  if (runner) await runner.deploy(infra, { projectDir, buildProject: deployArgs.buildProject });
   return { action: 'deploy', infra };
 }

package/src/deploy/infer.js

@@ -75,9 +75,13 @@ function collectEnvCalls(node) {
  * Infer infrastructure requirements from the full program AST.
  *
  * @param {Object} ast - Program AST with ast.body array of top-level blocks
+ * @param {string} [envName] - Optional environment name. When provided, only
+ *   the matching deploy block contributes env, databases, and config fields,
+ *   so multi-environment programs do not leak env vars or databases across
+ *   environments. When omitted, all deploy blocks are merged (legacy behavior).
  * @returns {Object} Complete infrastructure manifest
  */
-export function inferInfrastructure(ast) {
+export function inferInfrastructure(ast, envName) {
   const manifest = JSON.parse(JSON.stringify(MANIFEST_DEFAULTS));
   const blockTypes = new Set();
   const deployBlocks = [];
@@ -171,9 +175,15 @@ export function inferInfrastructure(ast) {
     }
   }
 
+  // Filter to the named environment if provided, so multi-env programs do
+  // not leak env vars or databases across environments.
+  const blocksToMerge = envName
+    ? deployBlocks.filter(b => b.name === envName)
+    : deployBlocks;
+
   // Merge explicit deploy config via DeployCodegen
-  if (deployBlocks.length > 0) {
-    const deployConfig = DeployCodegen.mergeDeployBlocks(deployBlocks);
+  if (blocksToMerge.length > 0) {
+    const deployConfig = DeployCodegen.mergeDeployBlocks(blocksToMerge);
     // Apply deploy config fields to manifest
     if (deployConfig.name) manifest.name = deployConfig.name;
     if (deployConfig.server) manifest.server = deployConfig.server;

package/src/deploy/provision.js

@@ -1,12 +1,18 @@
 // Provisioning Script Generator for the Tova language
 // Generates idempotent bash scripts from an infrastructure manifest.
+//
+// The script auto-detects whether it is running as root or as a non-root user
+// with `sudo`, so it works on both styles of VPS access (root@host on a
+// freshly-imaged DigitalOcean droplet, or ubuntu@host on EC2). All privileged
+// commands route through the `$SUDO` shell variable.
 
 /**
  * Generate a complete provisioning shell script from an infrastructure manifest.
  *
  * The script is idempotent — it checks before installing (command -v, dpkg, etc.)
  * and is organized in layers:
- *   Layer 1: System (Bun, Caddy, UFW, tova user)
+ *   Layer 0: Privilege detection
+ *   Layer 1: System (tova user, Bun, Caddy, UFW)
  *   Layer 2: Databases (PostgreSQL, Redis — conditional)
  *   Layer 3: App directories
  *   Layer 5: Caddy config
@@ -26,18 +32,42 @@ export function generateProvisionScript(manifest) {
   lines.push(`# Generated by Tova deploy — idempotent, safe to re-run`);
   lines.push('');
 
+  // ── Layer 0: Privilege detection ──────────────────────────
+  lines.push('# Detect privilege model: root → no prefix, otherwise route through sudo');
+  lines.push('if [ "$(id -u)" -eq 0 ]; then');
+  lines.push('  SUDO=""');
+  lines.push('elif command -v sudo >/dev/null 2>&1; then');
+  lines.push('  SUDO="sudo"');
+  lines.push('else');
+  lines.push('  echo "Error: this script requires either root or sudo" >&2');
+  lines.push('  exit 1');
+  lines.push('fi');
+  lines.push('');
+
   // ── Layer 1: System ────────────────────────────────────────
   lines.push('# ═══════════════════════════════════════════════════════════');
   lines.push('# Layer 1: System dependencies');
   lines.push('# ═══════════════════════════════════════════════════════════');
   lines.push('');
 
+  // Create the tova user FIRST so Bun lands at /home/tova/.bun where the
+  // generated systemd unit expects it.
+  lines.push('# Create tova system user (created early so Bun installs into its $HOME)');
+  lines.push('if ! id "tova" &>/dev/null; then');
+  lines.push('  $SUDO useradd --system --create-home --shell /bin/bash tova');
+  lines.push('fi');
+  lines.push('');
+
   if (manifest.requires && manifest.requires.bun) {
-    lines.push('# Install Bun runtime');
-    lines.push('if ! command -v bun &>/dev/null; then');
-    lines.push('  echo "Installing Bun..."');
-    lines.push('  curl -fsSL https://bun.sh/install | bash');
-    lines.push('  export PATH="$HOME/.bun/bin:$PATH"');
+    lines.push('# Install Bun runtime as the tova user (required by curl|bash installer)');
+    lines.push('if [ ! -x /home/tova/.bun/bin/bun ]; then');
+    lines.push('  echo "Installing Bun for the tova user..."');
+    // unzip is required by the official Bun installer.
+    lines.push('  if ! command -v unzip >/dev/null 2>&1; then');
+    lines.push('    $SUDO apt-get update -qq');
+    lines.push('    $SUDO apt-get install -y -qq unzip ca-certificates curl');
+    lines.push('  fi');
+    lines.push("  $SUDO -u tova bash -c 'curl -fsSL https://bun.sh/install | bash'");
     lines.push('fi');
     lines.push('');
   }
@@ -46,12 +76,12 @@ export function generateProvisionScript(manifest) {
     lines.push('# Install Caddy web server');
     lines.push('if ! command -v caddy &>/dev/null; then');
     lines.push('  echo "Installing Caddy..."');
-    lines.push('  apt-get update -qq');
-    lines.push('  apt-get install -y -qq debian-keyring debian-archive-keyring apt-transport-https curl');
-    lines.push('  curl -1sLf "https://dl.cloudsmith.io/public/caddy/stable/gpg.key" | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg');
-    lines.push('  curl -1sLf "https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt" | tee /etc/apt/sources.list.d/caddy-stable.list');
-    lines.push('  apt-get update -qq');
-    lines.push('  apt-get install -y -qq caddy');
+    lines.push('  $SUDO apt-get update -qq');
+    lines.push('  $SUDO apt-get install -y -qq debian-keyring debian-archive-keyring apt-transport-https curl');
+    lines.push('  curl -1sLf "https://dl.cloudsmith.io/public/caddy/stable/gpg.key" | $SUDO gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg');
+    lines.push('  curl -1sLf "https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt" | $SUDO tee /etc/apt/sources.list.d/caddy-stable.list >/dev/null');
+    lines.push('  $SUDO apt-get update -qq');
+    lines.push('  $SUDO apt-get install -y -qq caddy');
     lines.push('fi');
     lines.push('');
   }
@@ -59,21 +89,14 @@ export function generateProvisionScript(manifest) {
   if (manifest.requires && manifest.requires.ufw) {
     lines.push('# Configure UFW firewall');
     lines.push('if command -v ufw &>/dev/null; then');
-    lines.push('  ufw allow 22/tcp');
-    lines.push('  ufw allow 80/tcp');
-    lines.push('  ufw allow 443/tcp');
-    lines.push('  echo "y" | ufw enable || true');
+    lines.push('  $SUDO ufw allow 22/tcp');
+    lines.push('  $SUDO ufw allow 80/tcp');
+    lines.push('  $SUDO ufw allow 443/tcp');
+    lines.push('  echo "y" | $SUDO ufw enable || true');
     lines.push('fi');
     lines.push('');
   }
 
-  // Create tova system user
-  lines.push('# Create tova system user');
-  lines.push('if ! id "tova" &>/dev/null; then');
-  lines.push('  useradd --system --create-home --shell /bin/bash tova');
-  lines.push('fi');
-  lines.push('');
-
   // ── Layer 2: Databases ─────────────────────────────────────
   const databases = manifest.databases || [];
   const hasPostgres = databases.some(d => d.engine === 'postgres');
@@ -92,14 +115,14 @@ export function generateProvisionScript(manifest) {
     lines.push('# Install PostgreSQL');
     lines.push('if ! command -v psql &>/dev/null; then');
     lines.push('  echo "Installing PostgreSQL..."');
-    lines.push('  apt-get update -qq');
-    lines.push('  apt-get install -y -qq postgresql postgresql-contrib');
-    lines.push('  systemctl enable postgresql');
-    lines.push('  systemctl start postgresql');
+    lines.push('  $SUDO apt-get update -qq');
+    lines.push('  $SUDO apt-get install -y -qq postgresql postgresql-contrib');
+    lines.push('  $SUDO systemctl enable postgresql');
+    lines.push('  $SUDO systemctl start postgresql');
     lines.push('fi');
     lines.push('');
     lines.push(`# Create database: ${dbName}`);
-    lines.push(`sudo -u postgres psql -tc "SELECT 1 FROM pg_database WHERE datname = '${dbName}'" | grep -q 1 || sudo -u postgres createdb "${dbName}"`);
+    lines.push(`$SUDO -u postgres psql -tc "SELECT 1 FROM pg_database WHERE datname = '${dbName}'" | grep -q 1 || $SUDO -u postgres createdb "${dbName}"`);
     lines.push('');
   }
 
@@ -107,10 +130,10 @@ export function generateProvisionScript(manifest) {
     lines.push('# Install Redis');
     lines.push('if ! command -v redis-server &>/dev/null; then');
     lines.push('  echo "Installing Redis..."');
-    lines.push('  apt-get update -qq');
-    lines.push('  apt-get install -y -qq redis-server');
-    lines.push('  systemctl enable redis-server');
-    lines.push('  systemctl start redis-server');
+    lines.push('  $SUDO apt-get update -qq');
+    lines.push('  $SUDO apt-get install -y -qq redis-server');
+    lines.push('  $SUDO systemctl enable redis-server');
+    lines.push('  $SUDO systemctl start redis-server');
     lines.push('fi');
     lines.push('');
   }
@@ -120,12 +143,12 @@ export function generateProvisionScript(manifest) {
   lines.push('# Layer 3: App directories');
   lines.push('# ═══════════════════════════════════════════════════════════');
   lines.push('');
-  lines.push('mkdir -p /opt/tova/apps');
+  lines.push('$SUDO mkdir -p /opt/tova/apps');
   lines.push(`APP_DIR="/opt/tova/apps/${appName}"`);
-  lines.push('mkdir -p "$APP_DIR/releases"');
-  lines.push('mkdir -p "$APP_DIR/shared/logs"');
-  lines.push('mkdir -p "$APP_DIR/shared/data"');
-  lines.push('chown -R tova:tova /opt/tova');
+  lines.push('$SUDO mkdir -p "$APP_DIR/releases"');
+  lines.push('$SUDO mkdir -p "$APP_DIR/shared/logs"');
+  lines.push('$SUDO mkdir -p "$APP_DIR/shared/data"');
+  lines.push('$SUDO chown -R tova:tova /opt/tova');
   lines.push('');
 
   // ── Layer 5: Caddy config ──────────────────────────────────
@@ -142,11 +165,12 @@ export function generateProvisionScript(manifest) {
       health_timeout: manifest.health_timeout,
       hasWebSocket: manifest.hasWebSocket,
     });
-    lines.push(`cat > /etc/caddy/Caddyfile <<'CADDY_EOF'`);
+    // Use `tee` rather than shell redirection so the write itself is privileged.
+    lines.push(`$SUDO tee /etc/caddy/Caddyfile >/dev/null <<'CADDY_EOF'`);
     lines.push(caddyConfig);
     lines.push('CADDY_EOF');
     lines.push('');
-    lines.push('systemctl reload caddy || systemctl restart caddy');
+    lines.push('$SUDO systemctl reload caddy || $SUDO systemctl restart caddy');
     lines.push('');
   }
 
@@ -160,17 +184,17 @@ export function generateProvisionScript(manifest) {
     restart_on_failure: manifest.restart_on_failure !== false,
     env: manifest.env || {},
   });
-  lines.push(`cat > /etc/systemd/system/${appName}@.service <<'SYSTEMD_EOF'`);
+  lines.push(`$SUDO tee /etc/systemd/system/${appName}@.service >/dev/null <<'SYSTEMD_EOF'`);
   lines.push(serviceUnit);
   lines.push('SYSTEMD_EOF');
   lines.push('');
-  lines.push('systemctl daemon-reload');
+  lines.push('$SUDO systemctl daemon-reload');
 
-  // Enable and start instances
+  // Enable instances
   const instances = manifest.instances || 1;
   for (let i = 0; i < instances; i++) {
     const port = 3000 + i;
-    lines.push(`systemctl enable ${appName}@${port}`);
+    lines.push(`$SUDO systemctl enable ${appName}@${port}`);
   }
   lines.push('');
 
@@ -226,7 +250,6 @@ export function generateSystemdService(appName, config = {}) {
   lines.push(`MemoryMax=${memLimit}`);
   lines.push('');
 
-  // Environment — load secrets from .env.production, then set inline defaults
   lines.push(`EnvironmentFile=-/opt/tova/apps/${appName}/.env.production`);
   lines.push('Environment=NODE_ENV=production');
   lines.push('Environment=PORT=%i');
@@ -237,7 +260,6 @@ export function generateSystemdService(appName, config = {}) {
   }
   lines.push('');
 
-  // Logging
   lines.push('StandardOutput=journal');
   lines.push('StandardError=journal');
   lines.push(`SyslogIdentifier=${appName}-%i`);
@@ -266,11 +288,9 @@ export function generateCaddyConfig(appName, opts = {}) {
   const lines = [];
   lines.push(`${domain} {`);
 
-  // Upstream / reverse proxy
   if (instances === 1) {
     lines.push('  reverse_proxy localhost:3000 {');
   } else {
-    // Multiple instances with round-robin load balancing
     const upstreams = [];
     for (let i = 0; i < instances; i++) {
       upstreams.push(`localhost:${3000 + i}`);
@@ -279,14 +299,12 @@ export function generateCaddyConfig(appName, opts = {}) {
     lines.push('    lb_policy round_robin');
   }
 
-  // Health check
   lines.push(`    health_uri ${health}`);
   lines.push(`    health_interval ${healthInterval}s`);
   lines.push(`    health_timeout ${healthTimeout}s`);
 
   lines.push('  }');
 
-  // WebSocket support
   if (hasWebSocket) {
     lines.push('');
     lines.push('  @websocket {');
@@ -304,7 +322,6 @@ export function generateCaddyConfig(appName, opts = {}) {
     }
   }
 
-  // Logging
   lines.push('');
   lines.push('  log {');
   lines.push(`    output file /var/log/caddy/${appName}.log`);

package/src/deploy/ssh-runner.js

@@ -0,0 +1,330 @@
+// SSH/scp/rsync runner for the Tova deploy command.
+//
+// The runner is split from the orchestrator so tests can exercise the
+// orchestrator with a no-op runner while the CLI plugs in a real one. A
+// dry-run runner prints commands instead of executing them — useful for
+// verifying without a reachable server.
+//
+// Before running any privileged action, the runner probes the SSH user once
+// to decide whether commands need a `sudo ` prefix. The result is cached for
+// the lifetime of the runner instance. Tests can pre-seed this via
+// `makeRunner(executor, { env: { ... } })` to skip the probe.
+
+import { spawn, spawnSync } from 'child_process';
+import { writeFileSync, mkdtempSync, rmSync, existsSync } from 'fs';
+import { join } from 'path';
+import { tmpdir } from 'os';
+import { generateProvisionScript } from './provision.js';
+
+// ── Executors ───────────────────────────────────────────────
+
+export const realExecutor = {
+  exec(cmd, args, opts = {}) {
+    const result = spawnSync(cmd, args, { encoding: 'utf-8', ...opts });
+    if (result.stdout) process.stdout.write(result.stdout);
+    if (result.stderr) process.stderr.write(result.stderr);
+    return result;
+  },
+  inherit(cmd, args) {
+    return new Promise((resolve, reject) => {
+      const child = spawn(cmd, args, { stdio: 'inherit' });
+      child.on('close', code => code === 0 ? resolve(0) : reject(new Error(`${cmd} exited with code ${code}`)));
+      child.on('error', reject);
+    });
+  },
+};
+
+export function makeDryRunExecutor() {
+  return {
+    log: [],
+    exec(cmd, args) {
+      const line = `${cmd} ${args.map(quote).join(' ')}`;
+      this.log.push(line);
+      console.log('  [dry-run] ' + line);
+      // Empty stdout signals to probeRemote that this is a dry-run, so it
+      // returns the typical "non-root + sudo" environment for the preview.
+      return { status: 0, stdout: '', stderr: '' };
+    },
+    inherit(cmd, args) {
+      const line = `${cmd} ${args.map(quote).join(' ')}`;
+      this.log.push(line);
+      console.log('  [dry-run] ' + line);
+      return Promise.resolve(0);
+    },
+  };
+}
+
+function quote(s) {
+  if (s === '' || /[\s'"$`\\!*?(){}|<>;&]/.test(s)) {
+    return `'${String(s).replace(/'/g, `'\\''`)}'`;
+  }
+  return s;
+}
+
+// ── SSH primitives ──────────────────────────────────────────
+
+function ssh(executor, server, command) {
+  return executor.exec('ssh', ['-o', 'BatchMode=yes', server, command]);
+}
+
+function scp(executor, localPath, server, remotePath) {
+  return executor.exec('scp', ['-o', 'BatchMode=yes', localPath, `${server}:${remotePath}`]);
+}
+
+function rsyncDir(executor, localDir, server, remotePath, useSudo) {
+  const args = ['-az', '--delete', '-e', 'ssh -o BatchMode=yes'];
+  // Run rsync as root on the remote when the SSH user isn't already root,
+  // so we can write under /opt/tova/apps. Requires passwordless sudo for
+  // rsync on the server side.
+  if (useSudo) args.push('--rsync-path=sudo rsync');
+  args.push(`${localDir}/`, `${server}:${remotePath}/`);
+  return executor.exec('rsync', args);
+}
+
+function timestamp() {
+  const d = new Date();
+  const pad = n => String(n).padStart(2, '0');
+  return `${d.getUTCFullYear()}${pad(d.getUTCMonth() + 1)}${pad(d.getUTCDate())}-${pad(d.getUTCHours())}${pad(d.getUTCMinutes())}${pad(d.getUTCSeconds())}`;
+}
+
+// ── Privilege probe ─────────────────────────────────────────
+
+// Returns { isRoot, hasSudo, sudoPrefix }. Throws on connection failure or
+// when the remote is unprivileged and lacks sudo.
+async function probeRemote(executor, server) {
+  const probe = 'printf "uid:%s;sudo:%s\\n" "$(id -u)" "$(command -v sudo >/dev/null 2>&1 && echo yes || echo no)"';
+  const r = executor.exec('ssh', ['-o', 'BatchMode=yes', server, probe]);
+  const stdout = (r.stdout || '').trim();
+
+  // Empty output AND zero exit → dry-run executor: assume the typical case
+  // (non-root with sudo) so the preview shows realistic commands.
+  if (!stdout && r.status === 0) {
+    return { isRoot: false, hasSudo: true, sudoPrefix: 'sudo ' };
+  }
+
+  if (r.status !== 0) {
+    throw new Error(`Cannot reach ${server}: ${(r.stderr || '').trim() || `ssh exited ${r.status}`}`);
+  }
+
+  const uidMatch = stdout.match(/uid:(\d+)/);
+  const sudoMatch = stdout.match(/sudo:(yes|no)/);
+  const uid = uidMatch ? parseInt(uidMatch[1], 10) : null;
+  const hasSudo = sudoMatch ? sudoMatch[1] === 'yes' : false;
+
+  if (uid !== 0 && !hasSudo) {
+    throw new Error(`${server}: SSH user is not root and sudo is not installed — cannot deploy`);
+  }
+
+  return {
+    isRoot: uid === 0,
+    hasSudo,
+    sudoPrefix: uid === 0 ? '' : 'sudo ',
+  };
+}
+
+// ── Runner ──────────────────────────────────────────────────
+
+export function makeRunner(executor = realExecutor, options = {}) {
+  // Cached privilege info for this runner instance — populated lazily.
+  let _env = options.env || null;
+
+  async function ensureEnv(infra) {
+    if (_env) return _env;
+    _env = await probeRemote(executor, infra.server);
+    return _env;
+  }
+
+  return {
+    async rollback(infra) {
+      requireServer(infra);
+      const { sudoPrefix } = await ensureEnv(infra);
+      const name = infra.name;
+      const cmd = `set -e
+cd /opt/tova/apps/${name}
+PREV=$(ls -1t releases 2>/dev/null | sed -n '2p')
+if [ -z "$PREV" ]; then
+  echo "No previous release available to roll back to" >&2
+  exit 1
+fi
+${sudoPrefix}ln -sfn "releases/$PREV" current
+${sudoPrefix}systemctl restart '${name}@*.service'
+echo "Rolled back to releases/$PREV"`;
+      const r = ssh(executor, infra.server, cmd);
+      if (r.status !== 0) throw new Error(`Rollback failed (exit ${r.status})`);
+    },
+
+    async status(infra) {
+      requireServer(infra);
+      const { sudoPrefix } = await ensureEnv(infra);
+      const r = ssh(executor, infra.server, `${sudoPrefix}systemctl status '${infra.name}@*.service' --no-pager`);
+      if (r.status !== 0 && r.status !== 3) {
+        throw new Error(`Status check failed (exit ${r.status})`);
+      }
+    },
+
+    async logs(infra, { since = '1 hour ago', instance = null } = {}) {
+      requireServer(infra);
+      const { sudoPrefix } = await ensureEnv(infra);
+      const unit = instance != null
+        ? `${infra.name}@${3000 + Number(instance)}.service`
+        : `${infra.name}@*.service`;
+      // journalctl typically requires root or membership in the systemd-journal
+      // group to read other users' units, so prefix with sudo when needed.
+      return executor.inherit('ssh', [
+        '-o', 'BatchMode=yes',
+        infra.server,
+        `${sudoPrefix}journalctl -u '${unit}' --no-pager --since '${since}'`,
+      ]);
+    },
+
+    async ssh(infra) {
+      requireServer(infra);
+      return executor.inherit('ssh', [infra.server]);
+    },
+
+    async setupGit(infra) {
+      requireServer(infra);
+      const { sudoPrefix } = await ensureEnv(infra);
+      const name = infra.name;
+      const cmd = `set -e
+REPO=/opt/tova/apps/${name}/repo.git
+${sudoPrefix}mkdir -p "$(dirname "$REPO")"
+if [ ! -d "$REPO" ]; then
+  ${sudoPrefix}git init --bare "$REPO"
+fi
+${sudoPrefix}tee "$REPO/hooks/post-receive" >/dev/null <<'HOOK'
+#!/bin/bash
+set -e
+TARGET=/opt/tova/apps/${name}/source
+mkdir -p "$TARGET"
+GIT_WORK_TREE="$TARGET" git checkout -f
+cd "$TARGET"
+if [ -f package.json ] || [ -f tova.toml ]; then
+  /home/tova/.bun/bin/bun install --silent || true
+  /home/tova/.bun/bin/bun /home/tova/.bun/bin/tova build --production --quiet || true
+fi
+systemctl restart '${name}@*.service' || true
+HOOK
+${sudoPrefix}chmod +x "$REPO/hooks/post-receive"
+${sudoPrefix}chown -R tova:tova "$REPO"
+echo "Configured. Add the remote with:"
+echo "  git remote add ${name} ${infra.server}:$REPO"
+echo "Then deploy with:"
+echo "  git push ${name} ${infra.branch || 'main'}"`;
+      const r = ssh(executor, infra.server, cmd);
+      if (r.status !== 0) throw new Error(`setup-git failed (exit ${r.status})`);
+    },
+
+    async remove(infra, { confirm = null } = {}) {
+      requireServer(infra);
+      if (confirm !== null) {
+        const ok = await confirm(`This will permanently delete /opt/tova/apps/${infra.name} on ${infra.server}.`);
+        if (!ok) {
+          console.log('  Aborted.');
+          return;
+        }
+      }
+      const { sudoPrefix } = await ensureEnv(infra);
+      const name = infra.name;
+      const cmd = `set -e
+${sudoPrefix}systemctl stop '${name}@*.service' 2>/dev/null || true
+${sudoPrefix}systemctl disable '${name}@*.service' 2>/dev/null || true
+${sudoPrefix}rm -f /etc/systemd/system/${name}@.service
+${sudoPrefix}systemctl daemon-reload
+${sudoPrefix}rm -rf /opt/tova/apps/${name}
+echo "Removed deployment ${name}"`;
+      const r = ssh(executor, infra.server, cmd);
+      if (r.status !== 0) throw new Error(`Remove failed (exit ${r.status})`);
+    },
+
+    async list(infra, { server = null } = {}) {
+      const target = server || infra.server;
+      if (!target) throw new Error('--list requires --server <user@host> when no deploy block is loaded');
+      // /opt/tova/apps is created world-readable by the provisioner, so no
+      // sudo is needed for `ls`.
+      const r = ssh(executor, target, 'if [ -d /opt/tova/apps ]; then ls -1 /opt/tova/apps; else echo "(none)"; fi');
+      if (r.status !== 0) throw new Error(`List failed (exit ${r.status})`);
+    },
+
+    async deploy(infra, { projectDir, buildOutDir = null, buildProject = null } = {}) {
+      requireServer(infra);
+      const { sudoPrefix, isRoot } = await ensureEnv(infra);
+      const name = infra.name;
+
+      // Step 1 — produce a build to ship
+      const outDir = buildOutDir || join(projectDir, '.tova-out');
+      if (buildProject) {
+        console.log('  Building project...');
+        const origCwd = process.cwd();
+        process.chdir(projectDir);
+        try {
+          await buildProject(['--production', '--quiet']);
+        } finally {
+          process.chdir(origCwd);
+        }
+      }
+      if (!existsSync(outDir)) {
+        throw new Error(`Build output directory not found: ${outDir}`);
+      }
+
+      // Step 2 — write provisioning script to a temp dir
+      const tmp = mkdtempSync(join(tmpdir(), 'tova-deploy-'));
+      const scriptPath = join(tmp, 'provision.sh');
+      writeFileSync(scriptPath, generateProvisionScript(infra));
+
+      try {
+        // Step 3 — provision (idempotent)
+        console.log(`  Provisioning ${infra.server}...`);
+        const upScript = scp(executor, scriptPath, infra.server, '/tmp/tova-provision.sh');
+        if (upScript.status !== 0) throw new Error('Failed to upload provision script');
+        // bash explicitly so the script runs on shells without /bin/bash as login shell
+        const provR = ssh(executor, infra.server, 'bash /tmp/tova-provision.sh');
+        if (provR.status !== 0) throw new Error(`Provisioning failed (exit ${provR.status})`);
+
+        // Step 4 — upload the new release
+        const ts = timestamp();
+        const releasePath = `/opt/tova/apps/${name}/releases/${ts}`;
+        console.log(`  Uploading release ${ts}...`);
+        const mk = ssh(
+          executor,
+          infra.server,
+          `${sudoPrefix}mkdir -p '${releasePath}'`,
+        );
+        if (mk.status !== 0) throw new Error('Failed to create release directory');
+        const sync = rsyncDir(executor, outDir, infra.server, releasePath, !isRoot);
+        if (sync.status !== 0) throw new Error('rsync failed');
+
+        // Step 5 — re-chown after rsync. rsync writes files as the SSH user;
+        // the systemd unit runs as `User=tova` and needs write access to the
+        // working directory for things like SQLite databases or log rotation.
+        const chown = ssh(
+          executor,
+          infra.server,
+          `${sudoPrefix}chown -R tova:tova /opt/tova/apps/${name}`,
+        );
+        if (chown.status !== 0) throw new Error('Failed to chown release directory');
+
+        // Step 6 — flip the symlink, restart, prune old releases
+        const keep = infra.keep_releases || 5;
+        const flip = `set -e
+${sudoPrefix}ln -sfn '${releasePath}' /opt/tova/apps/${name}/current
+${sudoPrefix}systemctl restart '${name}@*.service'
+cd /opt/tova/apps/${name}/releases
+ls -1t | tail -n +$((${keep} + 1)) | xargs -r ${sudoPrefix}rm -rf
+echo "Activated release ${ts}"`;
+        const flipR = ssh(executor, infra.server, flip);
+        if (flipR.status !== 0) throw new Error('Activation failed');
+
+        console.log(`  Deployed ${name} (release ${ts})`);
+      } finally {
+        try { rmSync(tmp, { recursive: true, force: true }); } catch {}
+      }
+    },
+  };
+}
+
+function requireServer(infra) {
+  if (!infra || !infra.server) {
+    throw new Error('Deploy block has no `server` field');
+  }
+}

package/src/parser/parser.js

@@ -560,7 +560,13 @@ export class Parser {
     if (this.check(TokenType.TYPE)) return this.parseTypeDeclaration();
     if (this.check(TokenType.MUT)) this.error("'mut' is not supported in Tova. Use 'var' for mutable variables");
     if (this.check(TokenType.VAR)) return this.parseVarDeclaration();
-    if (this.check(TokenType.LET)) this.error("'let' is not needed in Tova. Destructure directly: {a, b} = obj, [a, b] = list, or (a, b) = pair");
+    if (this.check(TokenType.LET)) {
+      const next = this.peek(1);
+      if (next && (next.type === TokenType.LBRACE || next.type === TokenType.LBRACKET || next.type === TokenType.LPAREN)) {
+        this.error("'let' is not needed in Tova. Destructure directly: '{a, b} = obj', '[a, b] = list', or '(a, b) = pair'");
+      }
+      this.error("'let' is not needed in Tova. Use 'name = value' for binding or 'var name = value' for mutable");
+    }
     if (this.check(TokenType.IF)) return this.parseIfStatement();
     if (this.check(TokenType.FOR)) return this.parseForStatement();
     if (this.check(TokenType.WHILE)) return this.parseWhileStatement();
@@ -1303,31 +1309,6 @@ export class Parser {
     return new AST.VarDeclaration(targets, values, l);
   }
 
-  parseLetDestructure() {
-    const l = this.loc();
-    this.expect(TokenType.LET);
-
-    let pattern;
-    if (this.check(TokenType.LBRACE)) {
-      pattern = this.parseObjectPattern();
-    } else if (this.check(TokenType.LBRACKET)) {
-      pattern = this.parseArrayPattern();
-    } else if (this.check(TokenType.LPAREN)) {
-      // Tuple destructuring: let (a, b) = expr
-      pattern = this.parseTuplePattern();
-    } else if (this.check(TokenType.IDENTIFIER)) {
-      const name = this.current().value;
-      this.error(`Use '${name} = value' for binding or 'var ${name} = value' for mutable. 'let' is only for destructuring: let {a, b} = obj`);
-    } else {
-      this.error("Expected '{', '[', or '(' after 'let' for destructuring");
-    }
-
-    this.expect(TokenType.ASSIGN, "Expected '=' in destructuring");
-    const value = this.parseExpression();
-
-    return new AST.LetDestructure(pattern, value, l);
-  }
-
   parseObjectPattern() {
     const l = this.loc();
     this.expect(TokenType.LBRACE);

package/src/version.js

@@ -1,2 +1,2 @@
 // Auto-generated by scripts/embed-runtime.js — do not edit
-export const VERSION = "0.12.0";
+export const VERSION = "0.13.0";