tova 0.7.0 → 0.8.2

package/src/deploy/infer.js

@@ -0,0 +1,218 @@
+// Infrastructure Inference Engine for the Tova language
+// Walks the entire program AST and produces a complete infrastructure manifest
+// by combining explicit deploy block config with inferred requirements from
+// server, browser, and security blocks.
+
+import { DeployCodegen } from '../codegen/deploy-codegen.js';
+
+const MANIFEST_DEFAULTS = {
+  name: null,
+  server: null,
+  domain: null,
+  instances: 1,
+  memory: '512mb',
+  branch: 'main',
+  health: '/healthz',
+  health_interval: 30,
+  health_timeout: 5,
+  restart_on_failure: true,
+  keep_releases: 5,
+  env: {},
+  databases: [],
+  requires: { bun: false, caddy: false, ufw: false },
+  hasWebSocket: false,
+  hasSSE: false,
+  hasBrowser: false,
+  requiredSecrets: [],
+  blockTypes: [],
+};
+
+/**
+ * Walk an AST node tree recursively and invoke a visitor callback on each node.
+ */
+function walkNode(node, visitor) {
+  if (!node || typeof node !== 'object') return;
+  if (node.type) visitor(node);
+
+  // Walk arrays (e.g., body, entries, arguments)
+  for (const key of Object.keys(node)) {
+    const val = node[key];
+    if (Array.isArray(val)) {
+      for (const item of val) {
+        walkNode(item, visitor);
+      }
+    } else if (val && typeof val === 'object' && val.type) {
+      walkNode(val, visitor);
+    }
+  }
+}
+
+/**
+ * Collect all env() call arguments from a node tree.
+ * env("JWT_SECRET") => CallExpression with callee.name === "env" and args[0].value
+ */
+function collectEnvCalls(node) {
+  const secrets = [];
+  walkNode(node, (n) => {
+    if (
+      n.type === 'CallExpression' &&
+      n.callee &&
+      n.callee.type === 'Identifier' &&
+      n.callee.name === 'env' &&
+      n.arguments &&
+      n.arguments.length > 0
+    ) {
+      const arg = n.arguments[0];
+      if (arg && (arg.value !== undefined)) {
+        secrets.push(typeof arg.value === 'string' ? arg.value : String(arg.value));
+      }
+    }
+  });
+  return secrets;
+}
+
+/**
+ * Infer infrastructure requirements from the full program AST.
+ *
+ * @param {Object} ast - Program AST with ast.body array of top-level blocks
+ * @returns {Object} Complete infrastructure manifest
+ */
+export function inferInfrastructure(ast) {
+  const manifest = JSON.parse(JSON.stringify(MANIFEST_DEFAULTS));
+  const blockTypes = new Set();
+  const deployBlocks = [];
+  const inferredDatabases = [];
+  const secretsSet = new Set();
+
+  if (!ast || !ast.body) return manifest;
+
+  for (const node of ast.body) {
+    switch (node.type) {
+      case 'DeployBlock': {
+        blockTypes.add('deploy');
+        deployBlocks.push(node);
+        break;
+      }
+
+      case 'ServerBlock': {
+        blockTypes.add('server');
+        manifest.requires.bun = true;
+        manifest.requires.caddy = true;
+        manifest.requires.ufw = true;
+
+        // Scan server block body for specific declarations
+        if (node.body && Array.isArray(node.body)) {
+          for (const stmt of node.body) {
+            if (stmt.type === 'DbDeclaration') {
+              // Server-block db is always SQLite (bun:sqlite)
+              const dbConfig = {};
+              if (stmt.config && typeof stmt.config === 'object') {
+                for (const [k, v] of Object.entries(stmt.config)) {
+                  dbConfig[k] = v && v.value !== undefined ? v.value : v;
+                }
+              }
+              inferredDatabases.push({ engine: 'sqlite', config: dbConfig });
+            }
+            if (stmt.type === 'WebSocketDeclaration') {
+              manifest.hasWebSocket = true;
+            }
+            if (stmt.type === 'SseDeclaration') {
+              manifest.hasSSE = true;
+            }
+            // Also check inside route groups
+            if (stmt.type === 'RouteGroupDeclaration' && stmt.body) {
+              for (const inner of stmt.body) {
+                if (inner.type === 'WebSocketDeclaration') {
+                  manifest.hasWebSocket = true;
+                }
+                if (inner.type === 'SseDeclaration') {
+                  manifest.hasSSE = true;
+                }
+                if (inner.type === 'DbDeclaration') {
+                  const dbConfig = {};
+                  if (inner.config && typeof inner.config === 'object') {
+                    for (const [k, v] of Object.entries(inner.config)) {
+                      dbConfig[k] = v && v.value !== undefined ? v.value : v;
+                    }
+                  }
+                  inferredDatabases.push({ engine: 'sqlite', config: dbConfig });
+                }
+              }
+            }
+          }
+        }
+        break;
+      }
+
+      case 'BrowserBlock': {
+        blockTypes.add('browser');
+        manifest.hasBrowser = true;
+        break;
+      }
+
+      case 'SecurityBlock': {
+        blockTypes.add('security');
+        // Scan for env() calls to find required secrets
+        if (node.body && Array.isArray(node.body)) {
+          for (const stmt of node.body) {
+            if (stmt.type === 'SecurityAuthDeclaration') {
+              // Walk the config looking for env() calls
+              if (stmt.config && typeof stmt.config === 'object') {
+                for (const [, value] of Object.entries(stmt.config)) {
+                  const secrets = collectEnvCalls(value);
+                  for (const s of secrets) secretsSet.add(s);
+                }
+              }
+            }
+          }
+        }
+        break;
+      }
+    }
+  }
+
+  // Merge explicit deploy config via DeployCodegen
+  if (deployBlocks.length > 0) {
+    const deployConfig = DeployCodegen.mergeDeployBlocks(deployBlocks);
+    // Apply deploy config fields to manifest
+    if (deployConfig.name) manifest.name = deployConfig.name;
+    if (deployConfig.server) manifest.server = deployConfig.server;
+    if (deployConfig.domain) manifest.domain = deployConfig.domain;
+    if (deployConfig.instances !== undefined) manifest.instances = deployConfig.instances;
+    if (deployConfig.memory) manifest.memory = deployConfig.memory;
+    if (deployConfig.branch) manifest.branch = deployConfig.branch;
+    if (deployConfig.health) manifest.health = deployConfig.health;
+    if (deployConfig.health_interval !== undefined) manifest.health_interval = deployConfig.health_interval;
+    if (deployConfig.health_timeout !== undefined) manifest.health_timeout = deployConfig.health_timeout;
+    if (deployConfig.restart_on_failure !== undefined) manifest.restart_on_failure = deployConfig.restart_on_failure;
+    if (deployConfig.keep_releases !== undefined) manifest.keep_releases = deployConfig.keep_releases;
+    if (deployConfig.env && Object.keys(deployConfig.env).length > 0) {
+      manifest.env = { ...manifest.env, ...deployConfig.env };
+    }
+    // Declared databases from deploy block
+    if (deployConfig.databases && deployConfig.databases.length > 0) {
+      manifest.databases = [...deployConfig.databases];
+    }
+  }
+
+  // Merge inferred databases with declared ones (avoid duplicates by engine name)
+  const declaredEngines = new Set(manifest.databases.map(d => d.engine));
+  for (const inferred of inferredDatabases) {
+    if (!declaredEngines.has(inferred.engine)) {
+      manifest.databases.push(inferred);
+      declaredEngines.add(inferred.engine);
+    }
+  }
+
+  // If server block is present, ensure bun/caddy/ufw are required
+  if (blockTypes.has('server')) {
+    manifest.requires.bun = true;
+    manifest.requires.caddy = true;
+    manifest.requires.ufw = true;
+  }
+
+  manifest.requiredSecrets = [...secretsSet].sort();
+  manifest.blockTypes = [...blockTypes].sort();
+
+  return manifest;
+}

package/src/deploy/provision.js

@@ -0,0 +1,311 @@
+// Provisioning Script Generator for the Tova language
+// Generates idempotent bash scripts from an infrastructure manifest.
+
+/**
+ * Generate a complete provisioning shell script from an infrastructure manifest.
+ *
+ * The script is idempotent — it checks before installing (command -v, dpkg, etc.)
+ * and is organized in layers:
+ *   Layer 1: System (Bun, Caddy, UFW, tova user)
+ *   Layer 2: Databases (PostgreSQL, Redis — conditional)
+ *   Layer 3: App directories
+ *   Layer 5: Caddy config
+ *   Layer 6: systemd services
+ *
+ * @param {Object} manifest - Infrastructure manifest from inferInfrastructure()
+ * @returns {string} Complete provisioning bash script
+ */
+export function generateProvisionScript(manifest) {
+  const appName = manifest.name || 'tova-app';
+  const lines = [];
+
+  lines.push('#!/bin/bash');
+  lines.push('set -euo pipefail');
+  lines.push('');
+  lines.push(`# Provisioning script for ${appName}`);
+  lines.push(`# Generated by Tova deploy — idempotent, safe to re-run`);
+  lines.push('');
+
+  // ── Layer 1: System ────────────────────────────────────────
+  lines.push('# ═══════════════════════════════════════════════════════════');
+  lines.push('# Layer 1: System dependencies');
+  lines.push('# ═══════════════════════════════════════════════════════════');
+  lines.push('');
+
+  if (manifest.requires && manifest.requires.bun) {
+    lines.push('# Install Bun runtime');
+    lines.push('if ! command -v bun &>/dev/null; then');
+    lines.push('  echo "Installing Bun..."');
+    lines.push('  curl -fsSL https://bun.sh/install | bash');
+    lines.push('  export PATH="$HOME/.bun/bin:$PATH"');
+    lines.push('fi');
+    lines.push('');
+  }
+
+  if (manifest.requires && manifest.requires.caddy) {
+    lines.push('# Install Caddy web server');
+    lines.push('if ! command -v caddy &>/dev/null; then');
+    lines.push('  echo "Installing Caddy..."');
+    lines.push('  apt-get update -qq');
+    lines.push('  apt-get install -y -qq debian-keyring debian-archive-keyring apt-transport-https curl');
+    lines.push('  curl -1sLf "https://dl.cloudsmith.io/public/caddy/stable/gpg.key" | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg');
+    lines.push('  curl -1sLf "https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt" | tee /etc/apt/sources.list.d/caddy-stable.list');
+    lines.push('  apt-get update -qq');
+    lines.push('  apt-get install -y -qq caddy');
+    lines.push('fi');
+    lines.push('');
+  }
+
+  if (manifest.requires && manifest.requires.ufw) {
+    lines.push('# Configure UFW firewall');
+    lines.push('if command -v ufw &>/dev/null; then');
+    lines.push('  ufw allow 22/tcp');
+    lines.push('  ufw allow 80/tcp');
+    lines.push('  ufw allow 443/tcp');
+    lines.push('  echo "y" | ufw enable || true');
+    lines.push('fi');
+    lines.push('');
+  }
+
+  // Create tova system user
+  lines.push('# Create tova system user');
+  lines.push('if ! id "tova" &>/dev/null; then');
+  lines.push('  useradd --system --create-home --shell /bin/bash tova');
+  lines.push('fi');
+  lines.push('');
+
+  // ── Layer 2: Databases ─────────────────────────────────────
+  const databases = manifest.databases || [];
+  const hasPostgres = databases.some(d => d.engine === 'postgres');
+  const hasRedis = databases.some(d => d.engine === 'redis');
+
+  if (hasPostgres || hasRedis) {
+    lines.push('# ═══════════════════════════════════════════════════════════');
+    lines.push('# Layer 2: Databases');
+    lines.push('# ═══════════════════════════════════════════════════════════');
+    lines.push('');
+  }
+
+  if (hasPostgres) {
+    const pgDb = databases.find(d => d.engine === 'postgres');
+    const dbName = (pgDb && pgDb.config && pgDb.config.name) || `${appName}_db`;
+    lines.push('# Install PostgreSQL');
+    lines.push('if ! command -v psql &>/dev/null; then');
+    lines.push('  echo "Installing PostgreSQL..."');
+    lines.push('  apt-get update -qq');
+    lines.push('  apt-get install -y -qq postgresql postgresql-contrib');
+    lines.push('  systemctl enable postgresql');
+    lines.push('  systemctl start postgresql');
+    lines.push('fi');
+    lines.push('');
+    lines.push(`# Create database: ${dbName}`);
+    lines.push(`sudo -u postgres psql -tc "SELECT 1 FROM pg_database WHERE datname = '${dbName}'" | grep -q 1 || sudo -u postgres createdb "${dbName}"`);
+    lines.push('');
+  }
+
+  if (hasRedis) {
+    lines.push('# Install Redis');
+    lines.push('if ! command -v redis-server &>/dev/null; then');
+    lines.push('  echo "Installing Redis..."');
+    lines.push('  apt-get update -qq');
+    lines.push('  apt-get install -y -qq redis-server');
+    lines.push('  systemctl enable redis-server');
+    lines.push('  systemctl start redis-server');
+    lines.push('fi');
+    lines.push('');
+  }
+
+  // ── Layer 3: App directories ───────────────────────────────
+  lines.push('# ═══════════════════════════════════════════════════════════');
+  lines.push('# Layer 3: App directories');
+  lines.push('# ═══════════════════════════════════════════════════════════');
+  lines.push('');
+  lines.push('mkdir -p /opt/tova/apps');
+  lines.push(`APP_DIR="/opt/tova/apps/${appName}"`);
+  lines.push('mkdir -p "$APP_DIR/releases"');
+  lines.push('mkdir -p "$APP_DIR/shared/logs"');
+  lines.push('mkdir -p "$APP_DIR/shared/data"');
+  lines.push('chown -R tova:tova /opt/tova');
+  lines.push('');
+
+  // ── Layer 5: Caddy config ──────────────────────────────────
+  if (manifest.requires && manifest.requires.caddy && manifest.domain) {
+    lines.push('# ═══════════════════════════════════════════════════════════');
+    lines.push('# Layer 5: Caddy config');
+    lines.push('# ═══════════════════════════════════════════════════════════');
+    lines.push('');
+    const caddyConfig = generateCaddyConfig(appName, {
+      domain: manifest.domain,
+      instances: manifest.instances || 1,
+      health: manifest.health,
+      hasWebSocket: manifest.hasWebSocket,
+    });
+    lines.push(`cat > /etc/caddy/Caddyfile <<'CADDY_EOF'`);
+    lines.push(caddyConfig);
+    lines.push('CADDY_EOF');
+    lines.push('');
+    lines.push('systemctl reload caddy || systemctl restart caddy');
+    lines.push('');
+  }
+
+  // ── Layer 6: systemd services ──────────────────────────────
+  lines.push('# ═══════════════════════════════════════════════════════════');
+  lines.push('# Layer 6: systemd services');
+  lines.push('# ═══════════════════════════════════════════════════════════');
+  lines.push('');
+  const serviceUnit = generateSystemdService(appName, {
+    memory: manifest.memory || '512mb',
+    restart_on_failure: manifest.restart_on_failure !== false,
+    env: manifest.env || {},
+  });
+  lines.push(`cat > /etc/systemd/system/${appName}@.service <<'SYSTEMD_EOF'`);
+  lines.push(serviceUnit);
+  lines.push('SYSTEMD_EOF');
+  lines.push('');
+  lines.push('systemctl daemon-reload');
+
+  // Enable and start instances
+  const instances = manifest.instances || 1;
+  for (let i = 0; i < instances; i++) {
+    const port = 3000 + i;
+    lines.push(`systemctl enable ${appName}@${port}`);
+  }
+  lines.push('');
+
+  lines.push(`echo "Provisioning complete for ${appName}"`);
+  return lines.join('\n');
+}
+
+/**
+ * Parse a memory string like "512mb", "1gb" into bytes for systemd MemoryMax.
+ */
+function parseMemory(mem) {
+  if (typeof mem === 'number') return mem;
+  const str = String(mem).toLowerCase().trim();
+  const match = str.match(/^(\d+(?:\.\d+)?)\s*(mb|gb|m|g|kb|k)?$/);
+  if (!match) return str;
+  const num = parseFloat(match[1]);
+  const unit = match[2] || 'mb';
+  switch (unit) {
+    case 'kb': case 'k': return `${Math.round(num)}K`;
+    case 'mb': case 'm': return `${Math.round(num)}M`;
+    case 'gb': case 'g': return `${Math.round(num * 1024)}M`;
+    default: return str;
+  }
+}
+
+/**
+ * Generate a systemd unit template for the application.
+ *
+ * Uses %i for the instance port (template unit: appName@.service).
+ *
+ * @param {string} appName - Application name
+ * @param {Object} config - { memory, restart_on_failure, env }
+ * @returns {string} systemd unit file content
+ */
+export function generateSystemdService(appName, config = {}) {
+  const memLimit = parseMemory(config.memory || '512mb');
+  const restart = config.restart_on_failure !== false ? 'on-failure' : 'no';
+  const env = config.env || {};
+
+  const lines = [];
+  lines.push('[Unit]');
+  lines.push(`Description=${appName} instance on port %i`);
+  lines.push('After=network.target');
+  lines.push('');
+  lines.push('[Service]');
+  lines.push('Type=simple');
+  lines.push('User=tova');
+  lines.push('Group=tova');
+  lines.push(`WorkingDirectory=/opt/tova/apps/${appName}/current`);
+  lines.push(`ExecStart=/home/tova/.bun/bin/bun run server.js --port %i`);
+  lines.push(`Restart=${restart}`);
+  lines.push('RestartSec=5');
+  lines.push(`MemoryMax=${memLimit}`);
+  lines.push('');
+
+  // Environment — load secrets from .env.production, then set inline defaults
+  lines.push(`EnvironmentFile=-/opt/tova/apps/${appName}/.env.production`);
+  lines.push('Environment=NODE_ENV=production');
+  lines.push('Environment=PORT=%i');
+  for (const [key, value] of Object.entries(env)) {
+    if (key !== 'NODE_ENV' && key !== 'PORT') {
+      lines.push(`Environment=${key}=${value}`);
+    }
+  }
+  lines.push('');
+
+  // Logging
+  lines.push('StandardOutput=journal');
+  lines.push('StandardError=journal');
+  lines.push(`SyslogIdentifier=${appName}-%i`);
+  lines.push('');
+  lines.push('[Install]');
+  lines.push('WantedBy=multi-user.target');
+
+  return lines.join('\n');
+}
+
+/**
+ * Generate a Caddy site block configuration.
+ *
+ * @param {string} appName - Application name
+ * @param {Object} opts - { domain, instances, health, hasWebSocket }
+ * @returns {string} Caddy config block
+ */
+export function generateCaddyConfig(appName, opts = {}) {
+  const domain = opts.domain || 'localhost';
+  const instances = opts.instances || 1;
+  const health = opts.health || '/healthz';
+  const hasWebSocket = opts.hasWebSocket || false;
+
+  const lines = [];
+  lines.push(`${domain} {`);
+
+  // Upstream / reverse proxy
+  if (instances === 1) {
+    lines.push('  reverse_proxy localhost:3000 {');
+  } else {
+    // Multiple instances with round-robin load balancing
+    const upstreams = [];
+    for (let i = 0; i < instances; i++) {
+      upstreams.push(`localhost:${3000 + i}`);
+    }
+    lines.push(`  reverse_proxy ${upstreams.join(' ')} {`);
+    lines.push('    lb_policy round_robin');
+  }
+
+  // Health check
+  lines.push(`    health_uri ${health}`);
+  lines.push('    health_interval 30s');
+  lines.push('    health_timeout 5s');
+
+  lines.push('  }');
+
+  // WebSocket support
+  if (hasWebSocket) {
+    lines.push('');
+    lines.push('  @websocket {');
+    lines.push('    header Connection *Upgrade*');
+    lines.push('    header Upgrade websocket');
+    lines.push('  }');
+    if (instances === 1) {
+      lines.push('  reverse_proxy @websocket localhost:3000');
+    } else {
+      const upstreams = [];
+      for (let i = 0; i < instances; i++) {
+        upstreams.push(`localhost:${3000 + i}`);
+      }
+      lines.push(`  reverse_proxy @websocket ${upstreams.join(' ')}`);
+    }
+  }
+
+  // Logging
+  lines.push('');
+  lines.push('  log {');
+  lines.push(`    output file /var/log/caddy/${appName}.log`);
+  lines.push('  }');
+
+  lines.push('}');
+  return lines.join('\n');
+}