From 7f1512768b29d169d22e92904b8fd9244bfcfdca Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 23 Mar 2026 07:54:01 +0000
Subject: [PATCH 1/2] feat: enable rekey via compiled binary for Docker users
The rekey utility previously required source code and bun to run. Docker users can now run `docker exec plexus ./plexus rekey` directly against the compiled binary without pulling down the source.
https://claude.ai/code/session_01PEc4ULoCGubhAUvec2CYuZ
---
 docs/CONFIGURATION.md | 7 +++++++
 packages/backend/src/cli/rekey.ts | 13 +++++++++----
 packages/backend/src/index.ts | 16 ++++++++++++++++
 3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/docs/CONFIGURATION.md b/docs/CONFIGURATION.md
index 8fe181ad..af70a0dc 100644
--- a/docs/CONFIGURATION.md
+++ b/docs/CONFIGURATION.md
@@ -916,6 +916,13 @@ export ENCRYPTION_KEY="your-64-character-hex-key"
 **Key rotation:** To rotate the encryption key, use the built-in rekey utility:
 ```bash
+# Docker (no source code required):
+docker exec -e ENCRYPTION_KEY="old-key" -e NEW_ENCRYPTION_KEY="new-key" plexus ./plexus rekey
+
+# Docker Compose:
+docker compose exec -e ENCRYPTION_KEY="old-key" -e NEW_ENCRYPTION_KEY="new-key" plexus ./plexus rekey
+
+# From source:
 ENCRYPTION_KEY="old-key" NEW_ENCRYPTION_KEY="new-key" bun run rekey
 ```
diff --git a/packages/backend/src/cli/rekey.ts b/packages/backend/src/cli/rekey.ts
index de6b8a42..ca716673 100644
--- a/packages/backend/src/cli/rekey.ts
+++ b/packages/backend/src/cli/rekey.ts
@@ -196,7 +196,12 @@ async function main() {
 );
 }
-main().catch((err) => {
- logger.error('Re-key failed:', err);
- process.exit(1);
-});
+export { main as rekeyMain };
+
+// Allow direct execution: bun run src/cli/rekey.ts
+if (import.meta.main) {
+ main().catch((err) => {
+ logger.error('Re-key failed:', err);
+ process.exit(1);
+ });
+}
diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts
index f29e9864..76bf952b 100644
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@@ -1,3 +1,19 @@
+// --- CLI Subcommand Routing ---
+// Check for subcommands (e.g. `./plexus rekey`) before starting the server.
+// This allows Docker users to run CLI tools without needing the source code.
+const subcommand = process.argv[2];
+if (subcommand === 'rekey') {
+ const { rekeyMain } = await import('./cli/rekey');
+ rekeyMain()
+ .then(() => process.exit(0))
+ .catch((err) => {
+ console.error('Re-key failed:', err);
+ process.exit(1);
+ });
+ // Prevent the rest of the server from initializing
+ await new Promise(() => {}); // Block forever; process.exit above will terminate
+}
+
 import Fastify, { FastifyReply, FastifyRequest } from 'fastify';
 import cors from '@fastify/cors';
 import multipart from '@fastify/multipart';
From f52f621912fcb3d1f701612fc002577c6a79f46b Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 23 Mar 2026 07:56:09 +0000
Subject: [PATCH 2/2] docs: add binary install rekey instructions
https://claude.ai/code/session_01PEc4ULoCGubhAUvec2CYuZ
---
 docs/CONFIGURATION.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/docs/CONFIGURATION.md b/docs/CONFIGURATION.md
index af70a0dc..05f2ac6a 100644
--- a/docs/CONFIGURATION.md
+++ b/docs/CONFIGURATION.md
@@ -922,6 +922,9 @@ docker exec -e ENCRYPTION_KEY="old-key" -e NEW_ENCRYPTION_KEY="new-key" plexus .
 # Docker Compose:
 docker compose exec -e ENCRYPTION_KEY="old-key" -e NEW_ENCRYPTION_KEY="new-key" plexus ./plexus rekey
+# Binary install:
+ENCRYPTION_KEY="old-key" NEW_ENCRYPTION_KEY="new-key" ./plexus rekey
+
 # From source:
 ENCRYPTION_KEY="old-key" NEW_ENCRYPTION_KEY="new-key" bun run rekey
 ```
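Review bot: In packages/backend/src/index.ts the comment `// Prevent the rest of the server from initializing` overstates what the guard does: static `import` declarations are hoisted, so `fastify`, `@fastify/cors`, `@fastify/multipart` and every import further down the file (outside this hunk) are evaluated before `process.argv[2]` is checked. If any of those modules opens the database or reads `ENCRYPTION_KEY` at load time, that still happens during a rekey; a thin entry file that checks the subcommand first and only then does `await import(...)` of the server module would make the comment true. The never-settling `await new Promise(() => {})` can also go, since top-level await is already in use: `try { await rekeyMain(); process.exit(0); } catch (err) { console.error('Re-key failed:', err); process.exit(1); }`. An unrecognised argument currently falls through to server start-up, so a mistyped `rekey` under `docker exec` would try to start a second server instead of failing with a usage error.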