From c2ca7f53b4fcf7b0ea75a43efe945f1d7b9a13ca Mon Sep 17 00:00:00 2001
From: saravanakumardb1
Date: Tue, 24 Mar 2026 12:56:43 -0700
Subject: [PATCH] fix(infra): harden setup.sh from independent audit findings
- Replace deprecated NodeSource curl|bash with modern GPG key + apt source
- Add build-essential + python3 to apt deps (native addons: better-sqlite3)
- Add --if-present to pnpm -r build (defensive: skip workspace members without build script)
- Fix README: remove stale proxy stripping reference from Phase 3
- Add Known Limitations section: remote browser access, ARM VM, memory pressure
- Remove AUDIT_PROMPT.md (served its purpose)
---
 docs/devops/single_azure_vm/README.md | 10 ++++++++--
 docs/devops/single_azure_vm/setup.sh | 13 ++++++++++---
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/docs/devops/single_azure_vm/README.md b/docs/devops/single_azure_vm/README.md
index 5371bdf7..fa4e4938 100644
--- a/docs/devops/single_azure_vm/README.md
+++ b/docs/devops/single_azure_vm/README.md
@@ -65,7 +65,7 @@ sudo ./setup.sh --help # Show full usage
 |-------|----------|-------------|
 | 1. System | ~3 min | Install Docker, Node.js 22, pnpm 10.6.5, Ollama, git, jq |
 | 2. Gitea | ~1 min | Start Gitea Docker container, create admin + org + API token |
-| 3. Clone | ~3 min | Clone all 11 repos to `/opt/bytelyst/`, strip corporate proxy from Dockerfiles |
+| 3. Clone | ~3 min | Clone all 11 repos to `/opt/bytelyst/` |
 | 4. Build | ~5 min | `pnpm install && pnpm -r build` all `@bytelyst/*` packages |
 | 5. Publish | ~3 min | Publish all packages to local Gitea npm registry |
 | 6. Env | instant | Generate `.env.ecosystem` with Cosmos emulator key, Azurite key, JWT secret |
@@ -178,4 +178,10 @@ All optional — defaults work for most setups:
 - **Build failures:** Check Gitea is running (`docker ps | grep gitea`) and packages published (`curl http://localhost:3300/api/packages/bytelyst/npm/`). Per-service build logs: `/opt/bytelyst/.setup-state/builds/.log`. Retry: `sudo ./setup.sh --phase=7`.
 - **Ollama not responding:** Check `systemctl status ollama` or `curl http://localhost:11434/api/version`.
 - **Port conflicts:** Ensure nothing else runs on the listed ports before deploying.
-- **Corporate proxy in Dockerfiles:** The script auto-strips hardcoded proxy ENVs from cloned Dockerfiles.
+
+## Known Limitations
+
+- **Remote browser access:** Product web apps fall back to `http://localhost:` for API calls. This works when browsing from the VM itself but **not from a remote browser** (e.g., laptop accessing `http://:3060`). For remote access, set up a reverse proxy (Traefik rules) or SSH port-forwarding. Health checks and server-side rendering still work regardless.
+- **Cosmos emulator is x86-only:** Do not use ARM-based VMs (e.g., Dpsv6). Stick with `Standard_D8s_v5` or similar Intel/AMD instances.
+- **Memory pressure:** 30 Docker builds + Cosmos emulator (~3 GB) + Ollama (~3 GB) compete for RAM on 32 GB. If builds OOM, retry with `sudo ./setup.sh --phase=7` (per-service fallback skips what already built).
+- **Corporate proxy in Dockerfiles:** Already removed at source across all repos. No runtime stripping needed.
diff --git a/docs/devops/single_azure_vm/setup.sh b/docs/devops/single_azure_vm/setup.sh
index 7f0948ba..cc962083 100755
--- a/docs/devops/single_azure_vm/setup.sh
+++ b/docs/devops/single_azure_vm/setup.sh
@@ -158,7 +158,8 @@ phase1_system() {
 
   # Install essentials
   apt-get install -y -qq \
-    ca-certificates curl gnupg lsb-release git jq unzip iproute2
+    ca-certificates curl gnupg lsb-release git jq unzip iproute2 \
+    build-essential python3
 
   # ── Docker ─────────────────────────────────────────────────────────
   if ! command -v docker &>/dev/null; then
@@ -193,7 +194,13 @@ DJSON
   # ── Node.js ────────────────────────────────────────────────────────
   if ! command -v node &>/dev/null || ! node -v | grep -q "v${NODE_VERSION}"; then
     log "Installing Node.js ${NODE_VERSION}..."
-    curl -fsSL https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash -
+    # Modern NodeSource method (GPG key + apt source — the curl|bash setup_XX.x scripts are deprecated)
+    install -m 0755 -d /etc/apt/keyrings
+    curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
+      | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
+    echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_VERSION}.x nodistro main" \
+      > /etc/apt/sources.list.d/nodesource.list
+    apt-get update -qq
     apt-get install -y -qq nodejs
     ok "Node.js installed: $(node -v)"
   else
@@ -395,7 +402,7 @@ NPMRC
 
   # Build all packages
   log " Building all packages..."
-  pnpm -r build 2>&1 | tail -5
+  pnpm -r --if-present build 2>&1 | tail -5
 
   ok "Phase 4 complete. All packages built."
 }
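Review bot: In the Node.js hunk, `gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg` stops to ask whether to overwrite when that file already exists from an earlier run (for instance a run that wrote the keyring and then failed at `apt-get install`), and on a headless VM that prompt fails instead of proceeding; make it non-interactive with `| gpg --dearmor --yes -o /etc/apt/keyrings/nodesource.gpg`. The curl-to-gpg pipeline also reports only gpg's status, so a failed download still leaves a keyring in place and the script continues into `apt-get update` unless the script header (outside this hunk) sets `-o pipefail`; the same masking applies to the `pnpm -r --if-present build 2>&1 | tail -5` line in the third hunk, where `tail` hides the build's exit code and `ok "Phase 4 complete..."` prints regardless, so either confirm `pipefail` is set or check `PIPESTATUS[0]` after those pipelines. Beyond the TLS connection nothing verifies which signing key was fetched; if the key is to be pinned, compare the output of `gpg --show-keys --with-fingerprint` on the downloaded file against a recorded `<EXPECTED_NODESOURCE_FINGERPRINT>` before dearmoring it into the keyring. The enclosing `phase1_system` function starts and ends outside the hunk.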