feat: add esbuild single-file bundle as lightweight distribution (#1581)

* feat: add esbuild single-file bundle as lightweight distribution

Add a ~350KB esbuild bundle (release/awf-bundle.js) as an alternative to
the ~50MB pkg binary. GitHub hosted runners already have Node.js 22,
making the bundled Node.js 18 runtime in pkg redundant.

Changes:
- Add scripts/build-bundle.mjs: esbuild config that bundles dist/cli.js
  into a single CJS file with the seccomp profile inlined via `define`
- Modify src/docker-manager.ts: support embedded seccomp profile
  (__AWF_SECCOMP_PROFILE__) and guard --build-local for bundle users
- Add esbuild to devDependencies and build:bundle script
- Update release.yml to build, smoke-test, and publish the bundle
- Update install.sh to prefer the bundle when Node.js >= 20 is available
  (opt out with AWF_FORCE_BINARY=1)
- Add release/ to .gitignore

Closes #1577

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: address review feedback on esbuild bundle PR

- Tighten Node.js version check in install.sh to >=20.12.0 (matches
  engines.node in package.json) instead of just >=20
- Remove redundant `npm install esbuild` in release workflow since
  esbuild is already installed via `npm ci` from devDependencies
- Add build-time JSON.parse validation for seccomp profile to fail
  fast on malformed JSON
- Set executable bit (chmod 755) on bundle output file

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Mossaka

.github/workflows/release.yml

@@ -367,6 +367,15 @@ jobs:
       - name: Build TypeScript
         run: npm run build
 
+      - name: Create esbuild bundle
+        run: |
+          node scripts/build-bundle.mjs
+          echo "=== Bundle size ==="
+          ls -lh release/awf-bundle.js
+          echo "=== Bundle smoke test ==="
+          node release/awf-bundle.js --version
+          node release/awf-bundle.js --help | head -5
+
       - name: Install pkg for binary creation
         run: npm install -g pkg
 
@@ -550,6 +559,7 @@ jobs:
             release/awf-linux-arm64
             release/awf-darwin-x64
             release/awf-darwin-arm64
+            release/awf-bundle.js
             release/awf.tgz
             release/checksums.txt
         env:

.gitignore

@@ -24,3 +24,6 @@ _codeql_detected_source_root
 
 # Design docs (working drafts, not checked in)
 design-docs/
+
+# Release build artifacts
+release/

install.sh

@@ -35,6 +35,7 @@ REPO="github/gh-aw-firewall"
 BINARY_NAME=""  # Set dynamically by check_platform
 INSTALL_DIR="/usr/local/bin"
 INSTALL_NAME="awf"
+USE_BUNDLE=false  # Set by check_node
 
 # Colors for output
 RED='\033[0;31m'
@@ -142,6 +143,28 @@ check_platform() {
     info "Detected platform: $os $arch (binary: $BINARY_NAME)"
 }
 
+# Check for Node.js >= 20.12.0 to decide between bundle and pkg binary
+# (matches engines.node requirement in package.json)
+check_node() {
+    if [ "${AWF_FORCE_BINARY:-}" = "1" ]; then
+        info "AWF_FORCE_BINARY=1 set, using standalone binary"
+        USE_BUNDLE=false
+        return
+    fi
+    if command -v node &> /dev/null; then
+        NODE_VERSION=$(node -v | sed 's/^v//')
+        NODE_MAJOR=$(echo "$NODE_VERSION" | cut -d. -f1)
+        NODE_MINOR=$(echo "$NODE_VERSION" | cut -d. -f2)
+        if [ "$NODE_MAJOR" -gt 20 ] || { [ "$NODE_MAJOR" -eq 20 ] && [ "$NODE_MINOR" -ge 12 ]; }; then
+            info "Node.js v${NODE_VERSION} detected (>= 20.12.0), using lightweight bundle"
+            USE_BUNDLE=true
+            return
+        fi
+        warn "Node.js v${NODE_VERSION} detected but < 20.12.0, using standalone binary"
+    fi
+    USE_BUNDLE=false
+}
+
 # Validate version format (should be like v1.0.0, v1.2.3, etc.)
 validate_version() {
     local version="$1"
@@ -263,54 +286,83 @@ main() {
     check_sudo
     check_requirements
     check_platform
-    
+    check_node
+
     # Get version (from argument, env var, or fetch latest)
     set_version "$1"
-    
+
     # Create temp directory with prefix for identification
     # mktemp creates secure temporary directories with proper permissions (0700)
     TEMP_DIR=$(mktemp -d -t awf-install.XXXXXX)
-    
+
     # Validate temp directory was created
     if [ -z "$TEMP_DIR" ] || [ ! -d "$TEMP_DIR" ]; then
         error "Failed to create temporary directory"
         exit 1
     fi
-    
+
     # Set up cleanup trap (mktemp already ensures secure location)
     trap 'rm -rf "$TEMP_DIR"' EXIT
-    
+
     # Download URLs
     BASE_URL="https://github.com/${REPO}/releases/download/${VERSION}"
-    BINARY_URL="${BASE_URL}/${BINARY_NAME}"
     CHECKSUMS_URL="${BASE_URL}/checksums.txt"
-    
-    # Download binary and checksums
-    download_file "$BINARY_URL" "$TEMP_DIR/$BINARY_NAME"
-    download_file "$CHECKSUMS_URL" "$TEMP_DIR/checksums.txt"
-    
-    # Verify checksum
-    verify_checksum "$TEMP_DIR/$BINARY_NAME" "$TEMP_DIR/checksums.txt"
-    
-    # Make binary executable
-    chmod +x "$TEMP_DIR/$BINARY_NAME"
-    
-    # Test if it's a valid executable (ELF on Linux, Mach-O on macOS)
-    local file_type
-    file_type=$(file "$TEMP_DIR/$BINARY_NAME")
-    if echo "$file_type" | grep -q "ELF.*executable"; then
-        info "Valid Linux ELF executable"
-    elif echo "$file_type" | grep -q "Mach-O 64-bit"; then
-        info "Valid macOS Mach-O executable"
+
+    if [ "$USE_BUNDLE" = true ]; then
+        # Lightweight bundle path — requires Node.js >= 20
+        ASSET_NAME="awf-bundle.js"
+        ASSET_URL="${BASE_URL}/${ASSET_NAME}"
+
+        download_file "$ASSET_URL" "$TEMP_DIR/$ASSET_NAME"
+        download_file "$CHECKSUMS_URL" "$TEMP_DIR/checksums.txt"
+
+        # Verify checksum (reuse BINARY_NAME for the checksum lookup)
+        BINARY_NAME="$ASSET_NAME"
+        verify_checksum "$TEMP_DIR/$ASSET_NAME" "$TEMP_DIR/checksums.txt"
+
+        # Validate the file starts with the expected shebang
+        if head -c 20 "$TEMP_DIR/$ASSET_NAME" | grep -q '#!/usr/bin/env node'; then
+            info "Valid Node.js bundle"
+        else
+            error "Downloaded file does not appear to be a valid Node.js bundle"
+            exit 1
+        fi
+
+        # Make executable and install
+        chmod +x "$TEMP_DIR/$ASSET_NAME"
+        info "Installing bundle to $INSTALL_DIR/$INSTALL_NAME..."
+        mv "$TEMP_DIR/$ASSET_NAME" "$INSTALL_DIR/$INSTALL_NAME"
     else
-        error "Downloaded file is not a valid executable: $file_type"
-        exit 1
+        # Standalone pkg binary path
+        BINARY_URL="${BASE_URL}/${BINARY_NAME}"
+
+        # Download binary and checksums
+        download_file "$BINARY_URL" "$TEMP_DIR/$BINARY_NAME"
+        download_file "$CHECKSUMS_URL" "$TEMP_DIR/checksums.txt"
+
+        # Verify checksum
+        verify_checksum "$TEMP_DIR/$BINARY_NAME" "$TEMP_DIR/checksums.txt"
+
+        # Make binary executable
+        chmod +x "$TEMP_DIR/$BINARY_NAME"
+
+        # Test if it's a valid executable (ELF on Linux, Mach-O on macOS)
+        local file_type
+        file_type=$(file "$TEMP_DIR/$BINARY_NAME")
+        if echo "$file_type" | grep -q "ELF.*executable"; then
+            info "Valid Linux ELF executable"
+        elif echo "$file_type" | grep -q "Mach-O 64-bit"; then
+            info "Valid macOS Mach-O executable"
+        else
+            error "Downloaded file is not a valid executable: $file_type"
+            exit 1
+        fi
+
+        # Install binary
+        info "Installing to $INSTALL_DIR/$INSTALL_NAME..."
+        mv "$TEMP_DIR/$BINARY_NAME" "$INSTALL_DIR/$INSTALL_NAME"
     fi
-    
-    # Install binary
-    info "Installing to $INSTALL_DIR/$INSTALL_NAME..."
-    mv "$TEMP_DIR/$BINARY_NAME" "$INSTALL_DIR/$INSTALL_NAME"
-    
+
     # Verify installation
     if [ -x "$INSTALL_DIR/$INSTALL_NAME" ]; then
         info "Installation successful! ✓"