uniweb 0.12.3 → 0.12.5

package/src/commands/deploy.js

@@ -44,8 +44,10 @@ import yaml from 'js-yaml'
 
 import { detectFoundationType } from '@uniweb/build'
 
-import { ensureAuth } from '../utils/auth.js'
+import { ensureAuth, readAuth, decodeJwtPayload } from '../utils/auth.js'
 import { getBackendUrl, getRegistryUrl } from '../utils/config.js'
+import { RemoteRegistry } from '../utils/registry.js'
+import { receiptFromRegistryEntry, splitRegistryRef } from '../utils/receipt.js'
 import {
   findWorkspaceRoot,
   findSites,
@@ -164,13 +166,36 @@ const say = {
   dim: (m) => console.log(`  ${c.dim}${m}${c.reset}`),
 }
 
+/**
+ * Read the git state for `dir`, scoped to that directory's history and
+ * working tree — NOT the whole repo's HEAD.
+ *
+ * `gitSha`  : last commit that touched `dir` (`git log -1 -- .`).
+ * `gitDirty`: uncommitted changes inside `dir` only (`git status -- .`).
+ *
+ * Why scope it. In a multi-package monorepo, `git rev-parse HEAD` is
+ * the same value for every directory — the repo's current HEAD. That
+ * meant editing a SITE then deploying triggered the foundation's
+ * staleness check (its receipt's recorded sha didn't match the new
+ * repo HEAD), even though the foundation source was unchanged. The
+ * receipt's `publishedFromGitSha` field is per-foundation by design;
+ * the comparison side has to be too.
+ *
+ * If the path is outside a git repo, or has no commits touching it
+ * yet, the function returns `{ gitSha: null, gitDirty: false }` —
+ * same fallback shape as before.
+ */
 function readGitState(dir) {
   try {
-    const sha = execSync('git rev-parse HEAD', {
+    // `git log -1 --format=%H -- .` returns the SHA of the last
+    // commit that touched the cwd path. If no such commit exists
+    // yet (path was never committed), output is empty — caller
+    // treats null as "no published-from-sha to compare against."
+    const sha = execSync('git log -1 --format=%H -- .', {
       cwd: dir,
       stdio: ['ignore', 'pipe', 'ignore'],
     }).toString().trim()
-    const status = execSync('git status --porcelain', {
+    const status = execSync('git status --porcelain -- .', {
       cwd: dir,
       stdio: ['ignore', 'pipe', 'ignore'],
     }).toString()
@@ -193,16 +218,35 @@ function composeFoundationUrl(ref, registryBase) {
  * Inspect a workspace-local foundation's `dist/publish.json` (Phase 1 receipt)
  * and decide whether it's stale relative to the current source tree.
  *
- * Returns `{ stale, reason, receipt }`. The caller decides whether to
- * auto-publish (Phase 2 default) or fail (`--no-auto-publish`).
+ * When the receipt file is missing and a `registry` is provided, attempt
+ * to refill it from the registry's index entry for `<name>@<version>`.
+ * That makes the receipt pure cache: a fresh clone with a matching
+ * upstream artifact resolves without an unnecessary republish. If the
+ * registry has no record (or the stored entry lacks git provenance), the
+ * inspector returns `stale: true` and the caller's auto-publish path
+ * runs as before.
+ *
+ * Returns `{ stale, reason, receipt, refilled? }`. The caller decides
+ * whether to auto-publish (Phase 2 default) or fail (`--no-auto-publish`).
  */
-async function inspectLocalFoundationReceipt(localPath, { dirtyAsStale }) {
+async function inspectLocalFoundationReceipt(localPath, { dirtyAsStale, registry }) {
   const receiptPath = join(localPath, 'dist', 'publish.json')
   let receipt = null
+  let refilled = false
   try {
     receipt = JSON.parse(await readFile(receiptPath, 'utf8'))
   } catch {
-    return { stale: true, reason: 'no dist/publish.json (foundation has not been published from this checkout)' }
+    if (registry) {
+      const refill = await tryRefillReceiptFromRegistry({ localPath, registry })
+      if (refill) {
+        await writeFile(receiptPath, JSON.stringify(refill, null, 2) + '\n')
+        receipt = refill
+        refilled = true
+      }
+    }
+    if (!receipt) {
+      return { stale: true, reason: 'no dist/publish.json (foundation has not been published from this checkout)' }
+    }
   }
 
   const { gitSha, gitDirty } = readGitState(localPath)
@@ -219,14 +263,94 @@ async function inspectLocalFoundationReceipt(localPath, { dirtyAsStale }) {
   if (gitDirty && dirtyAsStale) {
     return { stale: true, reason: 'foundation working tree is dirty', receipt }
   }
-  return { stale: false, receipt }
+  return { stale: false, receipt, refilled }
+}
+
+/**
+ * When a receipt is missing, try to reconstruct it from the registry's
+ * own record of the publish. We resolve `name@version` from the same
+ * package metadata `deriveLocalFoundationRef` uses, then ask the registry
+ * for its stored version entry. The entry's `publishedFromGitSha` is the
+ * load-bearing field — without it (entries written before git provenance
+ * was added) we can't compare against HEAD, so we don't synthesize a
+ * misleading "fresh" receipt and let the caller fall through to the
+ * republish path.
+ *
+ * Returns the receipt body, or null when refill is not possible.
+ */
+async function tryRefillReceiptFromRegistry({ localPath, registry }) {
+  // Two ways to derive the canonical `<name>@<version>`:
+  //   1. `deriveLocalFoundationRef` — works for org-scope foundations
+  //      (where the namespace is in package.json) and for any foundation
+  //      where a previous receipt already exists. On the wipe-and-deploy
+  //      path that fired this code, the receipt is gone, so this only
+  //      works for org-scope.
+  //   2. Empty-scope fallback — if package.json has `uniweb.id` and the
+  //      user's auth.json carries a `memberUuid` claim, we can synthesize
+  //      `~<memberUuid>/<id>@<version>` directly. Same shape the server
+  //      stores under.
+  let ref = await deriveLocalFoundationRef(localPath)
+  if (!ref) ref = await refFromAuthAndPkg(localPath)
+  const split = splitRegistryRef(ref)
+  if (!split) return null
+  let existingEntry
+  try {
+    existingEntry = await registry.getVersionEntry(split.name, split.version)
+  } catch {
+    return null
+  }
+  if (!existingEntry) return null
+  return receiptFromRegistryEntry({
+    existingEntry,
+    registry,
+    name: split.name,
+    version: split.version,
+    isLocal: false,
+    isPropagateDefault: false,
+  })
+}
+
+/**
+ * Last-resort canonical-name derivation for empty-scope foundations.
+ * Combines `package.json::uniweb.id` (the foundation's bare name) with
+ * the user's `memberUuid` claim from auth.json to produce
+ * `~<memberUuid>/<id>@<version>`. Only fires when both inputs are
+ * available — otherwise returns null and the caller falls through to
+ * the republish path.
+ */
+async function refFromAuthAndPkg(localPath) {
+  let pkg
+  try {
+    pkg = JSON.parse(await readFile(join(localPath, 'package.json'), 'utf8'))
+  } catch {
+    return null
+  }
+  const id = pkg?.uniweb?.id
+  const version = pkg?.version
+  if (!id || !version || !/^[a-z0-9_-]+$/.test(id)) return null
+  try {
+    const auth = await readAuth()
+    const claims = decodeJwtPayload(auth?.token)
+    if (claims?.memberUuid) return `~${claims.memberUuid}/${id}@${version}`
+  } catch { /* no auth — fall through to null */ }
+  return null
 }
 
 /**
  * Read a workspace-local foundation's identity (scoped name + version) from
  * its `dist/meta/schema.json` + `package.json`, mirroring `publish.js`'s
- * namespace resolution. Returns the registry ref (`@ns/name@ver`), or null
- * if any of the inputs are missing.
+ * namespace resolution. Returns the registry ref (`@ns/name@ver` or
+ * `~uuid/name@ver`), or null if no shape can be resolved.
+ *
+ * Resolution order:
+ *   1. Org scope from `pkg.uniweb.namespace` or `pkg.name`'s `@org/...` prefix.
+ *   2. The receipt at `dist/publish.json`. After a successful publish, the
+ *      receipt's `url` carries the canonical server-rewritten name —
+ *      including empty-scope publishes, which the server rewrites to
+ *      `~<memberUuid>/<name>`. The CLI can't synthesize that locally
+ *      because the memberUuid lives in the JWT, not in the workspace.
+ *   3. null — caller falls through to the helpful "set uniweb.namespace"
+ *      error message.
  */
 async function deriveLocalFoundationRef(localPath) {
   let pkg
@@ -248,14 +372,134 @@ async function deriveLocalFoundationRef(localPath) {
   version = version || pkg.version
   if (!rawName || !version) return null
 
+  // Org-scope path — derived purely from local files.
   const uniwebNamespace = pkg.uniweb?.namespace
   const pkgScopeMatch = (pkg.name || '').match(/^@([a-z0-9_-]+)\//)
   const selfScopeMatch = rawName.match(/^@([a-z0-9_-]+)\//)
   const namespace = uniwebNamespace || pkgScopeMatch?.[1] || selfScopeMatch?.[1]
-  if (!namespace) return null
+  if (namespace) {
+    const bareName = selfScopeMatch ? rawName.slice(selfScopeMatch[0].length) : rawName
+    return `@${namespace}/${bareName}@${version}`
+  }
+
+  // Empty-scope path — read the canonical name from the receipt's URL.
+  // The server rewrites bare names to `~<memberUuid>/<name>`; the URL it
+  // returns carries that canonical form (e.g.
+  // `/foundations/~<uuid>/<name>@<ver>/foundation.js`). Parse it back.
+  const fromReceipt = await refFromReceiptUrl(localPath)
+  if (fromReceipt) return fromReceipt
+
+  return null
+}
+
+// Personal-scope namespaces are base58 memberUuids (mixed case; the
+// alphabet is `[A-HJ-NP-Za-km-z1-9]`). Org-scope handles are
+// lowercase-only. Allow both shapes here so the regex captures personal
+// scopes correctly. The bare-name portion (after the `/`) stays
+// lowercase per BARE_NAME_RE.
+const RECEIPT_URL_REF_RE = /\/foundations\/((?:@[a-z0-9_-]+|~[A-Za-z0-9_-]+)\/[a-z0-9_-]+)@([^/]+)\//
+
+async function refFromReceiptUrl(localPath) {
+  try {
+    const receipt = JSON.parse(await readFile(join(localPath, 'dist', 'publish.json'), 'utf8'))
+    const m = RECEIPT_URL_REF_RE.exec(receipt?.url || '')
+    if (m) return `${m[1]}@${m[2]}`
+  } catch {
+    // No receipt, malformed JSON, or URL doesn't carry the canonical
+    // shape — fall through to null.
+  }
+  return null
+}
+
+/**
+ * Resolve the deploy mode for this site.
+ *
+ * Returns `'link'` or `'bundle'`, optionally prompting the user when
+ * neither inference nor an explicit flag yields an answer. Mode choice
+ * is persisted server-side after the first successful deploy; switching
+ * modes later requires deleting the site and redeploying fresh.
+ *
+ * Ladder (first match wins):
+ *   1. `--link` or `--bundle` flag passed explicitly.
+ *   2. `site.yml::foundation` is a registry ref (`@org/x@ver` or
+ *      `~uuid/x@ver`) or full HTTPS URL → infer link. The user already
+ *      declared "load this foundation by URL at runtime."
+ *   3. `site.yml::foundation` is a workspace-local sibling AND that
+ *      foundation has a publish receipt (`dist/publish.json` with a
+ *      registry URL) → infer link. The user has already done the work
+ *      to make the foundation loadable from the registry.
+ *   4. Otherwise → ask (TTY prompt) or error (CI).
+ *
+ * @param {Object} ctx
+ * @param {string} ctx.foundationRef - the raw value of site.yml::foundation (string or normalized object).
+ * @param {string} ctx.siteDir - absolute path to the site dir (for resolving local foundation siblings).
+ * @param {boolean} ctx.linkFlag
+ * @param {boolean} ctx.bundleFlag
+ * @returns {Promise<{ mode: 'link'|'bundle', source: 'flag'|'inferred-registry-ref'|'inferred-published-local'|'asked' }>}
+ */
+async function resolveDeployMode({ foundationRef, siteDir, linkFlag, bundleFlag }) {
+  // 1. Explicit flag wins.
+  if (linkFlag) return { mode: 'link', source: 'flag' }
+  if (bundleFlag) return { mode: 'bundle', source: 'flag' }
+
+  // 2. Registry ref or URL in site.yml → link mode is the only sensible choice.
+  if (typeof foundationRef === 'string') {
+    if (foundationRef.startsWith('http://') || foundationRef.startsWith('https://')) {
+      return { mode: 'link', source: 'inferred-registry-ref' }
+    }
+    if (/^@[a-z0-9_-]+\/[a-z0-9_-]+@/.test(foundationRef)) {
+      return { mode: 'link', source: 'inferred-registry-ref' }
+    }
+    if (/^~[A-Za-z0-9_-]+\/[a-z0-9_-]+@/.test(foundationRef)) {
+      return { mode: 'link', source: 'inferred-registry-ref' }
+    }
+  }
+
+  // 3. Workspace-local foundation with an existing publish receipt → infer link.
+  //    The receipt being there means the user has already published this
+  //    foundation at least once, so they've shown intent to ship via the
+  //    registry. We don't validate the receipt's freshness here — that's
+  //    the existing inspectLocalFoundationReceipt path's job, which runs
+  //    later in the deploy flow.
+  if (typeof foundationRef === 'string') {
+    const detected = detectFoundationType(foundationRef, siteDir)
+    if (detected.type === 'local') {
+      const receiptPath = join(detected.path, 'dist', 'publish.json')
+      if (existsSync(receiptPath)) {
+        return { mode: 'link', source: 'inferred-published-local' }
+      }
+    }
+  }
 
-  const bareName = selfScopeMatch ? rawName.slice(selfScopeMatch[0].length) : rawName
-  return `@${namespace}/${bareName}@${version}`
+  // 4. Ambiguous — local foundation never published, or unknown shape. Ask.
+  if (isNonInteractive(process.argv)) {
+    say.err('First deploy of this site needs an explicit mode.')
+    console.log('')
+    console.log('  Pick one and re-run:')
+    console.log(`    ${c.cyan}uniweb deploy --link${c.reset}    ${c.dim}Uniweb-edge hosting (data only; worker generates HTML)${c.reset}`)
+    console.log(`    ${c.cyan}uniweb deploy --bundle${c.reset}  ${c.dim}Static-host artifact (vite build; for non-Uniweb hosts)${c.reset}`)
+    console.log('')
+    console.log(`  ${c.dim}Mode is persisted after the first deploy and can't be changed in place.${c.reset}`)
+    process.exit(1)
+  }
+
+  const prompts = (await import('prompts')).default
+  console.log('')
+  console.log(`${c.dim}First deploy of this site. Pick a deployment mode:${c.reset}`)
+  const resp = await prompts({
+    type: 'select',
+    name: 'mode',
+    message: 'Deployment mode',
+    choices: [
+      { title: 'Link mode (Uniweb-edge hosting)', description: 'Data only; worker generates HTML at request time', value: 'link' },
+      { title: 'Bundle mode (static-host artifact)', description: 'vite-built; deploy to Netlify, Vercel, GitHub Pages, etc.', value: 'bundle' },
+    ],
+    initial: 0,
+  }, {
+    onCancel: () => { console.log(''); console.log('Deploy cancelled.'); process.exit(0) },
+  })
+  if (!resp.mode) process.exit(0)
+  return { mode: resp.mode, source: 'asked' }
 }
 
 // ─── Main ───────────────────────────────────────────────────
@@ -276,6 +520,16 @@ export async function deploy(args = []) {
   // its `dist/publish.json` receipt is missing/stale. These flags opt out.
   const autoPublishFoundation = !args.includes('--no-auto-publish')
   const treatDirtyAsStale = !args.includes('--no-dirty-as-stale')
+  // Site mode — `--link` ships data only (Uniweb-edge hosting); `--bundle`
+  // ships a vite-built static-host artifact. Mutually exclusive. Resolution
+  // ladder runs further below: explicit flag → registry-ref / URL infer →
+  // published-local-foundation infer → ask-or-error.
+  const linkFlag = args.includes('--link')
+  const bundleFlag = args.includes('--bundle')
+  if (linkFlag && bundleFlag) {
+    say.err('Cannot pass both --link and --bundle.')
+    process.exit(1)
+  }
 
   const siteDir = await resolveSiteDir(args)
   const backendUrl = getBackendUrl()
@@ -308,6 +562,29 @@ export async function deploy(args = []) {
     say.dim('Foundation policy: exact (pinned)')
   }
 
+  // Resolve deploy mode (link vs bundle) BEFORE the foundation
+  // staleness check, because mode selection feeds into how we run
+  // the site build later. The resolver may prompt the user on first
+  // deploy; subsequent deploys infer or use the explicit flag.
+  // TODO: when PHP authorize starts returning a persisted mode for
+  // this site, reconcile it with the resolved mode here and reject
+  // any mismatch ("delete site and redeploy fresh to change modes").
+  const { mode: deployMode, source: modeSource } = await resolveDeployMode({
+    foundationRef: foundation,
+    siteDir,
+    linkFlag,
+    bundleFlag,
+  })
+  if (modeSource === 'inferred-registry-ref') {
+    say.dim('Deploy mode: link (inferred — foundation is a registry ref)')
+  } else if (modeSource === 'inferred-published-local') {
+    say.dim('Deploy mode: link (inferred — local foundation has a publish receipt)')
+  } else if (modeSource === 'asked') {
+    say.dim(`Deploy mode: ${deployMode} (selected)`)
+  } else {
+    say.dim(`Deploy mode: ${deployMode}`)
+  }
+
   // Phase 2: resolve workspace-local `file:` foundation refs.
   //
   // The object form of `foundation:` already requires a registry ref
@@ -325,9 +602,17 @@ export async function deploy(args = []) {
       const localPath = detected.path
       const relPath = relative(siteDir, localPath) || localPath
 
+      // Pass a RemoteRegistry into the inspector so it can refill a missing
+      // `dist/publish.json` from the registry's index (fresh-clone case).
+      // No auth needed — `getVersionEntry` reads the public listing.
+      const refillRegistry = new RemoteRegistry(workerUrl)
       const inspection = await inspectLocalFoundationReceipt(localPath, {
         dirtyAsStale: treatDirtyAsStale,
+        registry: refillRegistry,
       })
+      if (inspection.refilled) {
+        say.dim(`Foundation receipt at ${relPath} refilled from registry.`)
+      }
 
       if (inspection.stale && !autoPublishFoundation) {
         say.err(`Local foundation at ${relPath} is stale: ${inspection.reason}.`)
@@ -338,7 +623,16 @@ export async function deploy(args = []) {
         say.info(`Foundation at ${relPath} is stale (${inspection.reason}). Auto-publishing…`)
         console.log('')
         try {
-          execSync('npx uniweb publish', { cwd: localPath, stdio: 'inherit' })
+          // Spawn the SAME CLI binary that's currently running, not via
+          // `npx uniweb` — npx resolves through node_modules and could
+          // pick up a stale npm-published version that doesn't share
+          // this CLI's behavior (e.g. doesn't recognize new flags).
+          // Using `process.argv[1]` keeps the outer/inner CLI version
+          // identical, eliminating the skew.
+          execSync(`node ${JSON.stringify(process.argv[1])} publish`, {
+            cwd: localPath,
+            stdio: 'inherit',
+          })
         } catch {
           say.err(`Auto-publish of foundation at ${relPath} failed. See output above.`)
           process.exit(1)
@@ -394,10 +688,19 @@ export async function deploy(args = []) {
     //
     // For workspace-local foundations (Phase 2 resolution above),
     // UNIWEB_FOUNDATION_REF tells defineSiteConfig to use the resolved
-    // registry ref instead of site.yml's literal value, so the build
-    // produces a runtime-mode bundle pointing at the just-published
-    // foundation rather than embedding the local source.
-    execSync('npx uniweb build', {
+    // registry ref instead of site.yml's literal value. In bundle mode
+    // the build produces a runtime-mode bundle pointing at the just-
+    // published foundation rather than embedding the local source.
+    // Link mode doesn't run vite at all, so the env var is harmless
+    // there but still passed through for consistency.
+    //
+    // Spawn the SAME CLI binary that's currently running rather than
+    // `npx uniweb build` — npx walks node_modules and would resolve to
+    // whatever version is installed there (which might be older than
+    // the deploy CLI and silently ignore --link). `process.argv[1]`
+    // pins the inner build to the outer's exact version.
+    const buildModeFlag = deployMode === 'link' ? '--link' : '--bundle'
+    execSync(`node ${JSON.stringify(process.argv[1])} build ${buildModeFlag}`, {
       cwd: siteDir,
       stdio: 'inherit',
       env: foundationBuildOverride
@@ -484,6 +787,13 @@ export async function deploy(args = []) {
       // User-forced review (`uniweb deploy --review`). PHP refuses to
       // fast-path even when nothing else has drifted.
       forceReview: forceReview || undefined,
+      // Deploy mode for this site. On first deploy PHP should persist
+      // it to the site row; on subsequent deploys PHP should return the
+      // persisted value back so the CLI can detect mode mismatches and
+      // refuse with "delete and redeploy fresh" rather than silently
+      // reshape the storage layout. PHP versions that pre-date mode
+      // persistence ignore this field — back-compat is built in.
+      mode: deployMode,
     }
     let authRes
     try {
@@ -504,6 +814,21 @@ export async function deploy(args = []) {
       }
     }
 
+    // Mode lock — once a site has a persisted mode on the server,
+    // deploying with a different mode would silently reshape its R2
+    // storage layout. Refuse and direct the user to start fresh.
+    // Until PHP starts returning `persistedMode`, this check is a
+    // no-op (forward-compatible).
+    if (authRes.persistedMode && authRes.persistedMode !== deployMode) {
+      say.err(`Deploy mode mismatch: this site is configured for ${authRes.persistedMode}, but this deploy resolved to ${deployMode}.`)
+      console.log('')
+      console.log(`  ${c.dim}Mode is locked after the first deploy. To switch:${c.reset}`)
+      console.log(`    1. Delete the site (manage.uniweb.app or the dashboard)`)
+      console.log(`    2. Remove ${c.cyan}site.id${c.reset} and ${c.cyan}site.handle${c.reset} from site.yml`)
+      console.log(`    3. Re-run ${c.cyan}uniweb deploy --${deployMode}${c.reset}`)
+      process.exit(1)
+    }
+
     if (authRes.needsReview) {
       const flowLabel = authRes.intent === 'create' ? 'site creation' : 'review'
       // openBrowser returns a hint about whether a GUI was available. On