fix(infra): harden setup.sh from independent audit findings

- Replace deprecated NodeSource curl|bash with modern GPG key + apt source
- Add build-essential + python3 to apt deps (native addons: better-sqlite3)
- Add --if-present to pnpm -r build (defensive: skip workspace members without build script)
- Fix README: remove stale proxy stripping reference from Phase 3
- Add Known Limitations section: remote browser access, ARM VM, memory pressure
- Remove AUDIT_PROMPT.md (served its purpose)
saravanakumardb1 2026-03-24 12:56:43 -07:00
parent 35021b67b9
commit c2ca7f53b4
2 changed files with 18 additions and 5 deletions

View File

@ -65,7 +65,7 @@ sudo ./setup.sh --help # Show full usage
|-------|----------|-------------|
| 1. System | ~3 min | Install Docker, Node.js 22, pnpm 10.6.5, Ollama, git, jq |
| 2. Gitea | ~1 min | Start Gitea Docker container, create admin + org + API token |
| 3. Clone | ~3 min | Clone all 11 repos to `/opt/bytelyst/`, strip corporate proxy from Dockerfiles |
| 3. Clone | ~3 min | Clone all 11 repos to `/opt/bytelyst/` |
| 4. Build | ~5 min | `pnpm install && pnpm -r build` all `@bytelyst/*` packages |
| 5. Publish | ~3 min | Publish all packages to local Gitea npm registry |
| 6. Env | instant | Generate `.env.ecosystem` with Cosmos emulator key, Azurite key, JWT secret |
@ -178,4 +178,10 @@ All optional — defaults work for most setups:
- **Build failures:** Check Gitea is running (`docker ps | grep gitea`) and packages published (`curl http://localhost:3300/api/packages/bytelyst/npm/`). Per-service build logs: `/opt/bytelyst/.setup-state/builds/<service>.log`. Retry: `sudo ./setup.sh --phase=7`.
- **Ollama not responding:** Check `systemctl status ollama` or `curl http://localhost:11434/api/version`.
- **Port conflicts:** Ensure nothing else runs on the listed ports before deploying.
- **Corporate proxy in Dockerfiles:** The script auto-strips hardcoded proxy ENVs from cloned Dockerfiles.
## Known Limitations
- **Remote browser access:** Product web apps fall back to `http://localhost:<port>` for API calls. This works when browsing from the VM itself but **not from a remote browser** (e.g., laptop accessing `http://<vm-ip>:3060`). For remote access, set up a reverse proxy (Traefik rules) or SSH port-forwarding. Health checks and server-side rendering still work regardless.
- **Cosmos emulator is x86-only:** Do not use ARM-based VMs (e.g., Dpsv6). Stick with `Standard_D8s_v5` or similar Intel/AMD instances.
- **Memory pressure:** 30 Docker builds + Cosmos emulator (~3 GB) + Ollama (~3 GB) compete for RAM on 32 GB. If builds OOM, retry with `sudo ./setup.sh --phase=7` (per-service fallback skips what already built).
- **Corporate proxy in Dockerfiles:** Already removed at source across all repos. No runtime stripping needed.
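Review bot: the last bullet under `## Known Limitations` ("Corporate proxy in Dockerfiles: Already removed at source ... No runtime stripping needed") is not a limitation, it is a note that a previous behaviour no longer exists, and it replaces the Troubleshooting entry that used to explain what that behaviour was, so a reader of a fresh checkout has nothing to connect it to. Suggest dropping the bullet (the commit message and history already record the change) or, if it must stay, moving it back under Troubleshooting as a plain statement that the cloned Dockerfiles contain no hardcoded proxy ENVs. Also add a blank line before `## Known Limitations`: the heading currently sits directly under the Troubleshooting list, which reads as part of that list in the raw file.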

View File

@ -158,7 +158,8 @@ phase1_system() {
# Install essentials
apt-get install -y -qq \
ca-certificates curl gnupg lsb-release git jq unzip iproute2
ca-certificates curl gnupg lsb-release git jq unzip iproute2 \
build-essential python3
# ── Docker ─────────────────────────────────────────────────────────
if ! command -v docker &>/dev/null; then
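Review bot: the added `build-essential python3` line has no comment explaining why a compiler toolchain and Python now land on every host; the rationale (native addons such as better-sqlite3 need them to build) exists only in the commit message and will be lost the next time someone trims the package list. Suggest an inline comment on that line, e.g. `build-essential python3   # node-gyp toolchain for native addons (better-sqlite3)`, so the dependency is self-documenting in the script.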
@ -193,7 +194,13 @@ DJSON
# ── Node.js ────────────────────────────────────────────────────────
if ! command -v node &>/dev/null || ! node -v | grep -q "v${NODE_VERSION}"; then
log "Installing Node.js ${NODE_VERSION}..."
curl -fsSL https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash -
# Modern NodeSource method (GPG key + apt source — the curl|bash setup_XX.x scripts are deprecated)
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
| gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_VERSION}.x nodistro main" \
> /etc/apt/sources.list.d/nodesource.list
apt-get update -qq
apt-get install -y -qq nodejs
ok "Node.js installed: $(node -v)"
else
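Review bot: `gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg` has no `--yes`, so on a re-run where the keyring already exists (Node absent or at the wrong version after an earlier partial run, which is exactly the condition this `if` tests) gpg will refuse to overwrite the file and the install falls through to `apt-get update` with a stale or missing key; use `gpg --dearmor --yes -o ...` (or `--batch --yes` for fully non-interactive runs). Second, unless the script sets `set -o pipefail` (not visible in this hunk), a failed `curl` leaves the pipeline exit status as gpg's and an empty keyring on disk, surfacing later as a confusing NOSIGNATURE error from apt rather than at the download step; fetching the key to a temp file with `curl -fsSL -o` and dearmoring from that makes the failure explicit. Since this key becomes a trusted signer for everything apt installs from that source, it is also worth logging `gpg --show-keys /etc/apt/keyrings/nodesource.gpg` once so the fingerprint is visible in the setup output. The move away from the deprecated `setup_XX.x | bash` script itself is the right change.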
@ -395,7 +402,7 @@ NPMRC
# Build all packages
log " Building all packages..."
pnpm -r build 2>&1 | tail -5
pnpm -r --if-present build 2>&1 | tail -5
ok "Phase 4 complete. All packages built."
}
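Review bot: `pnpm -r --if-present build 2>&1 | tail -5` masks the build's exit status: without `set -o pipefail` (not visible here) the status of the pipeline is `tail`'s, so a failing package build still reaches `ok "Phase 4 complete. All packages built."`, and `tail -5` discards the part of the output that would show which package failed. Suggest writing the full output to a log and checking the status directly, e.g. `pnpm -r --if-present build > "$BUILD_LOG" 2>&1 || { tail -20 "$BUILD_LOG"; exit 1; }` (or the script's own error helper), which also gives Phase 4 a log to point at in the README's troubleshooting section the way Phase 7 already has. `--if-present` is fine for its stated purpose, but note it is silent by design: a workspace member that accidentally loses its `build` script will be skipped without any message.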