mt-wall 0.1.0

data/lib/mt/wall/cli.rb

@@ -0,0 +1,473 @@
+# frozen_string_literal: true
+
+require "optparse"
+require "json"
+
+module Mt
+  module Wall
+    # Command-line entry point driving the GitOps loop:
+    #
+    #   mt-wall validate <paths...>            # load + compile the DSL, no device
+    #   mt-wall plan     <paths...> [--device] # show the diff per device (read-only)
+    #   mt-wall apply    <paths...> [--device] # converge each device to desired
+    #
+    # PATHS may be `*.rb` files and/or DIRECTORIES (a directory contributes every
+    # `*.rb` under it, recursively, in sorted order) — see Mt::Wall.load.
+    #
+    # FLEET: plan/apply operate on EVERY device in the loaded Configuration by
+    # default. `--device NAME` may be REPEATED to target a subset. Output is a
+    # per-device section followed by a rollup summary line.
+    #
+    # Typical CI wiring: `validate` + `plan` on every PR, `apply` on merge.
+    #
+    # EXIT CODES (CI-friendly, Terraform-style; aggregated across the fleet):
+    #   0  success / no device has changes
+    #   1  error (invalid DSL, unknown device, transport/plan failure, bad args,
+    #      apply aborted/refused, any device failed during apply)
+    #   2  `plan` ONLY: success, but at least one device has pending changes
+    #
+    # SECRETS: credentials are NEVER passed on the command line. The per-device
+    # transport adapter (selected by the DSL `transport:`) reads them from ENV.
+    class CLI # rubocop:disable Metrics/ClassLength
+      EXIT_OK = 0
+      EXIT_ERROR = 1
+      # `plan` returns this when the diff is non-empty so CI can branch on "there
+      # is work to apply" without parsing stdout.
+      EXIT_CHANGES = 2
+
+      # Glyphs prefixing each operation in a printed plan (Terraform-style).
+      ACTION_GLYPHS = { create: "+", update: "~", delete: "-", move: "»" }.freeze
+
+      USAGE = <<~USAGE
+        Usage: mt-wall {validate|plan|apply} [options] <paths...>
+
+          validate <paths...>             Load and compile the DSL; no device access.
+          plan     <paths...> [--device]  Show the per-device diff (read-only).
+          apply    <paths...> [--device]  Converge each device to the desired state.
+
+        PATHS may be DSL files or directories (a directory loads every *.rb under
+        it, recursively, in sorted order). plan/apply target ALL devices by default.
+
+        Options:
+          --device NAME   Limit plan/apply to device NAME (repeatable; default: all).
+          --json          plan/validate: emit machine-readable JSON instead of text.
+          --auto-approve  apply: skip the interactive confirmation (required for CI).
+          -h, --help      Show this help.
+
+        apply prompts for confirmation ('yes' to proceed) and REFUSES on a
+        non-interactive stdin unless --auto-approve is given.
+
+        Exit codes: 0 = success/no changes, 1 = error, 2 = plan has changes.
+      USAGE
+
+      # @return [Integer] process exit status
+      def self.start(argv = ARGV)
+        new.run(argv)
+      end
+
+      # @param out [IO] stream for normal output (test seam)
+      # @param err [IO] stream for errors/usage (test seam)
+      # @param input [IO] stream the apply confirmation prompt reads from (test
+      #   seam). Its `#tty?` decides whether stdin is interactive.
+      # @param transport_factory [#call] device -> Transport (test seam: inject a
+      #   stub so plan/apply never touch a real device). Defaults to the
+      #   DSL-driven adapter built from `device.transport`.
+      def initialize(out: $stdout, err: $stderr, input: $stdin, transport_factory: nil)
+        @out = out
+        @err = err
+        @input = input
+        @transport_factory = transport_factory || method(:build_transport)
+      end
+
+      # @return [Integer] process exit status
+      def run(argv)
+        dispatch(argv.dup)
+      rescue ConfigurationError, TransportError, PlanError, OptionParser::ParseError => e
+        # Known, user-facing failures: a concise message, never a backtrace.
+        @err.puts("Error: #{e.message}")
+        EXIT_ERROR
+      end
+
+      private
+
+      def dispatch(argv)
+        command = argv.shift
+        case command
+        when "validate" then validate(argv)
+        when "plan" then plan(argv)
+        when "apply" then apply(argv)
+        when "-h", "--help", "help", nil then print_usage(@out, EXIT_OK)
+        else unknown_command(command)
+        end
+      end
+
+      def unknown_command(command)
+        @err.puts("Unknown command: #{command.inspect}")
+        print_usage(@err, EXIT_ERROR)
+      end
+
+      # ── subcommands ────────────────────────────────────────────────────────
+
+      def validate(argv)
+        paths, options = parse(argv, command: "validate")
+        return EXIT_OK if options[:help]
+
+        config = load_config(paths)
+        errors = compile_errors(config)
+        return emit_validate_json(config, errors) if options[:json]
+        return report_validation_errors(errors) unless errors.empty?
+
+        @out.puts("OK: configuration is valid (#{config.devices.size} device(s) compiled).")
+        EXIT_OK
+      end
+
+      def plan(argv)
+        paths, options = parse(argv, command: "plan")
+        return EXIT_OK if options[:help]
+
+        config = load_config(paths)
+        results = select_devices(config, options[:devices]).map { |device| compute_plan(config, device) }
+        options[:json] ? emit_plan_json(results) : emit_plan_human(results)
+        plan_exit_code(results)
+      end
+
+      def apply(argv)
+        paths, options = parse(argv, command: "apply")
+        return EXIT_OK if options[:help]
+
+        previews = build_apply_previews(load_config(paths), options[:devices])
+        print_apply_previews(previews)
+        converge_apply(previews, options)
+      end
+
+      def build_apply_previews(config, names)
+        select_devices(config, names).map { |device| preview_apply(config, device) }
+      end
+
+      # Prompt (unless skipped), then apply every device that has pending changes.
+      def converge_apply(previews, options)
+        pending = previews.select { |preview| preview[:status] == :changed }
+        return finish_apply(previews) if pending.empty?
+        return cancel_apply(previews) unless approved?(options, pending.map { |p| p[:device].name })
+
+        pending.each { |preview| execute_apply(preview) }
+        finish_apply(previews)
+      end
+
+      # ── shared pipeline helpers ────────────────────────────────────────────
+
+      def load_config(paths)
+        raise ConfigurationError, "no DSL paths given" if paths.empty?
+
+        Mt::Wall.load(*paths)
+      end
+
+      # Compile every device to surface ConfigurationErrors WITHOUT touching a
+      # device. Collects per-device failures so the operator sees them all.
+      def compile_errors(config)
+        config.devices.values.each_with_object([]) do |device, errors|
+          Compiler.new(config).compile(device: device)
+        rescue ConfigurationError => e
+          errors << [device.name, e.message]
+        end
+      end
+
+      def report_validation_errors(errors)
+        @err.puts("Invalid configuration:")
+        errors.each { |name, message| @err.puts("  device #{name}: #{message}") }
+        EXIT_ERROR
+      end
+
+      # The selected devices: the subset named via (repeatable) --device, else
+      # the whole fleet. An unknown name fails fast with a clear error.
+      def select_devices(config, names)
+        return config.devices.values if names.nil? || names.empty?
+
+        names.map do |name|
+          config.devices.fetch(name) { raise ConfigurationError, "unknown device #{name.inspect}" }
+        end
+      end
+
+      def reconciler_for(config, device)
+        transport = @transport_factory.call(device)
+        Reconciler.new(configuration: config, device: device, transport: transport)
+      end
+
+      # Default device -> transport mapping, driven entirely by the DSL.
+      # Credentials are read from ENV inside the adapter, never here.
+      def build_transport(device)
+        case device.transport
+        when :rest_api then Transport::RestApi.for_device(device)
+        when :rsc then Transport::Rsc.new
+        else
+          raise ConfigurationError,
+                "device #{device.name.inspect} uses unsupported transport #{device.transport.inspect}"
+        end
+      end
+
+      # ── fleet plan ─────────────────────────────────────────────────────────
+
+      # Compute one device's plan, tagging the result with a fleet status. A
+      # transport failure is captured (not raised) so the rest of the fleet
+      # still gets planned and reported.
+      def compute_plan(config, device)
+        device_plan = reconciler_for(config, device).plan
+        { device: device, plan: device_plan, status: device_plan.empty? ? :no_change : :changed }
+      rescue TransportError => e
+        { device: device, plan: nil, status: :failed, error: e.message }
+      end
+
+      # Aggregate exit code for `plan`: any failure => error; else any changes
+      # => EXIT_CHANGES (CI signal); else EXIT_OK.
+      def plan_exit_code(results)
+        return EXIT_ERROR if results.any? { |r| r[:status] == :failed }
+
+        results.any? { |r| r[:status] == :changed } ? EXIT_CHANGES : EXIT_OK
+      end
+
+      # ── fleet apply ──────────────────────────────────────────────────────────
+
+      # Read-only preview phase: compute each device's plan (and keep the
+      # reconciler around to execute it after confirmation).
+      def preview_apply(config, device)
+        reconciler = reconciler_for(config, device)
+        device_plan = reconciler.plan
+        { device: device, reconciler: reconciler, plan: device_plan,
+          status: device_plan.empty? ? :no_change : :changed }
+      rescue TransportError => e
+        { device: device, reconciler: nil, plan: nil, status: :failed, error: e.message }
+      end
+
+      # Execute one device's apply under the commit-confirm envelope. A failure
+      # is recorded and reported, then we move on to the next device.
+      def execute_apply(preview)
+        applied = preview[:reconciler].apply(preview[:plan])
+        print_apply(preview[:device], applied)
+      rescue TransportError => e
+        preview[:status] = :failed
+        preview[:error] = e.message
+        @err.puts("  Error applying to #{preview[:device].name}: #{e.message}")
+      end
+
+      def cancel_apply(previews)
+        @out.puts("Apply cancelled. No changes were made.")
+        @out.puts(rollup_line(previews))
+        EXIT_ERROR
+      end
+
+      # Print the rollup and derive the apply exit code: any failed device =>
+      # error, else success.
+      def finish_apply(previews)
+        @out.puts(rollup_line(previews))
+        previews.any? { |p| p[:status] == :failed } ? EXIT_ERROR : EXIT_OK
+      end
+
+      # ── confirmation ─────────────────────────────────────────────────────────
+
+      # Terraform-style gate. `--auto-approve` skips it. A non-interactive stdin
+      # without `--auto-approve` is REFUSED (never block waiting for input in
+      # CI). Otherwise prompt and accept ONLY an exact "yes".
+      def approved?(options, device_names)
+        return true if options[:auto_approve]
+
+        unless interactive?
+          @err.puts("Refusing to apply without a TTY; re-run with --auto-approve for non-interactive/CI use.")
+          return false
+        end
+
+        @out.print("Apply these changes to #{device_names.join(', ')}? Only 'yes' will be accepted: ")
+        @input.gets.to_s.chomp == "yes"
+      end
+
+      def interactive?
+        @input.respond_to?(:tty?) && @input.tty?
+      end
+
+      # ── argument parsing ───────────────────────────────────────────────────
+
+      # @return [Array(Array<String>, Hash)] (paths, options)
+      def parse(argv, command:)
+        options = {}
+        parser = option_parser(command, options)
+        paths = parser.parse(argv)
+        [paths, options]
+      end
+
+      def option_parser(command, options)
+        OptionParser.new do |parser|
+          parser.banner = "Usage: mt-wall #{command} [options] <paths...>"
+          register_command_options(parser, command, options)
+          parser.on("-h", "--help", "Show this help") do
+            @out.puts(parser)
+            options[:help] = true
+          end
+        end
+      end
+
+      def register_command_options(parser, command, options)
+        register_device_option(parser, options) if %w[plan apply].include?(command)
+        if %w[plan validate].include?(command)
+          parser.on("--json", "Emit machine-readable JSON") { options[:json] = true }
+        end
+        return unless command == "apply"
+
+        parser.on("--auto-approve", "Skip the confirmation prompt (for CI)") { options[:auto_approve] = true }
+      end
+
+      def register_device_option(parser, options)
+        options[:devices] = []
+        parser.on("--device NAME", "Target device NAME (repeatable; default: all)") do |name|
+          options[:devices] << name
+        end
+      end
+
+      def print_usage(io, status)
+        io.puts(USAGE)
+        status
+      end
+
+      # ── output rendering ───────────────────────────────────────────────────
+
+      # Human-readable fleet plan: a per-device section, then the rollup line.
+      def emit_plan_human(results)
+        results.each do |result|
+          if result[:status] == :failed
+            @out.puts(device_header(result[:device]))
+            @err.puts("  Error: #{result[:error]}")
+          else
+            print_plan(result[:device], result[:plan])
+          end
+        end
+        @out.puts(rollup_line(results))
+      end
+
+      # Machine-readable fleet plan: a top-level JSON object keyed by device
+      # name, each carrying its host, changed flag, summary counts and the
+      # per-path operations. Exit codes are identical to human mode.
+      def emit_plan_json(results)
+        document = results.to_h { |result| [result[:device].name, device_plan_json(result)] }
+        @out.puts(JSON.pretty_generate(document))
+      end
+
+      def device_plan_json(result)
+        device = result[:device]
+        return { host: device.host, changed: false, error: result[:error] } if result[:status] == :failed
+
+        plan = result[:plan]
+        { host: device.host, changed: !plan.empty?, summary: summary_counts(plan),
+          operations: plan.operations.map { |op| operation_json(op) } }
+      end
+
+      def operation_json(operation)
+        { action: operation.action, path: operation.path,
+          identity: describe_row(operation.payload), comment: operation.payload[:comment],
+          payload: stringify_keys(operation.payload) }
+      end
+
+      def stringify_keys(payload)
+        payload.to_h { |key, value| [key.to_s, value] }
+      end
+
+      def summary_counts(plan)
+        counts = plan.operations.group_by(&:action).transform_values(&:size)
+        { create: counts[:create] || 0, update: counts[:update] || 0,
+          move: counts[:move] || 0, delete: counts[:delete] || 0, total: plan.operations.size }
+      end
+
+      def emit_validate_json(config, errors)
+        if errors.empty?
+          @out.puts(JSON.pretty_generate(valid: true, devices: config.devices.keys))
+          EXIT_OK
+        else
+          @out.puts(JSON.pretty_generate(valid: false,
+                                         errors: errors.map { |name, message| { device: name, message: message } }))
+          EXIT_ERROR
+        end
+      end
+
+      # Show every device's pending plan before prompting; failures are noted so
+      # the operator sees them in the preview too.
+      def print_apply_previews(previews)
+        previews.each do |preview|
+          if preview[:status] == :failed
+            @out.puts(device_header(preview[:device]))
+            @err.puts("  Error: #{preview[:error]}")
+          else
+            print_plan(preview[:device], preview[:plan])
+          end
+        end
+      end
+
+      # One-line fleet rollup, e.g.:
+      #   Devices: 3  |  with changes: 1  |  no-change: 2  |  failed: 0
+      def rollup_line(results)
+        counts = results.group_by { |r| r[:status] }.transform_values(&:size)
+        "Devices: #{results.size}  |  with changes: #{counts[:changed].to_i}  |  " \
+          "no-change: #{counts[:no_change].to_i}  |  failed: #{counts[:failed].to_i}"
+      end
+
+      def print_plan(device, device_plan)
+        @out.puts(device_header(device))
+        return @out.puts("  No changes. Infrastructure is up to date.") if device_plan.empty?
+
+        print_grouped_operations(device_plan)
+        @out.puts("  Plan: #{summary_line(device_plan)}.")
+      end
+
+      def print_grouped_operations(device_plan)
+        device_plan.operations.group_by(&:path).each do |path, ops|
+          @out.puts("  #{path}")
+          ops.each { |op| @out.puts("    #{format_operation(op)}") }
+        end
+      end
+
+      def print_apply(device, applied)
+        @out.puts(device_header(device))
+        if applied.empty?
+          @out.puts("  No changes. Nothing to apply.")
+          return
+        end
+
+        @out.puts("  Applied #{applied.operations.size} change(s): #{summary_line(applied)}.")
+        @out.puts("  Commit-confirm envelope armed and confirmed (device-side auto-revert canceled).")
+      end
+
+      def device_header(device)
+        "Device #{device.name} (#{device.host}):"
+      end
+
+      def format_operation(operation)
+        glyph = ACTION_GLYPHS.fetch(operation.action, "?")
+        "#{glyph} #{operation.action} #{describe_row(operation.payload)}"
+      end
+
+      # A short, human identity for a row: address-list entries by (list, address),
+      # filter/nat rules by chain/action plus the operator note from the comment.
+      def describe_row(payload)
+        return "#{payload[:list]} #{payload[:address]}".strip if payload[:list] || payload[:address]
+
+        parts = [payload[:chain], payload[:action]].compact
+        note = comment_note(payload[:comment])
+        parts << "(#{note})" if note
+        parts.join(" ")
+      end
+
+      # The operator note half of a rendered comment ("mt-wall:<hash> | note"),
+      # falling back to the bare identity tag when there is no note.
+      def comment_note(comment)
+        return nil if comment.nil?
+
+        head, tail = comment.split(Compiler::COMMENT_SEPARATOR, 2)
+        tail || head
+      end
+
+      def summary_line(device_plan)
+        counts = device_plan.operations.group_by(&:action).transform_values(&:size)
+        %i[create update move delete].filter_map do |action|
+          count = counts[action]
+          "#{count} to #{action}" if count
+        end.join(", ")
+      end
+    end
+  end
+end