nvoi 0.1.7 → 0.2.0

data/.claude/todo/refactor/08-cli-deploy-steps.md

@@ -1,201 +0,0 @@
-# 08 - CLI: Deploy Steps (Details)
-
-## Priority: FIFTH (part of deploy)
-
-Each step is a focused, single-responsibility class.
-
----
-
-## Step 1: provision_network.rb (~50 lines)
-
-**Source:** Extract from `deployer/infrastructure.rb`
-
-**Does:**
-
-- Find or create network
-- Find or create firewall
-
-```ruby
-# cli/deploy/steps/provision_network.rb
-module Nvoi
-  module CLI
-    module Deploy
-      module Steps
-        class ProvisionNetwork
-          def initialize(config, provider, log)
-            @config = config
-            @provider = provider
-            @log = log
-          end
-
-          def run
-            @log.info "Provisioning network: %s", @config.network_name
-            network = @provider.find_or_create_network(@config.network_name)
-
-            @log.info "Provisioning firewall: %s", @config.firewall_name
-            firewall = @provider.find_or_create_firewall(@config.firewall_name)
-
-            { network: network, firewall: firewall }
-          end
-        end
-      end
-    end
-  end
-end
-```
-
----
-
-## Step 2: provision_server.rb (~80 lines)
-
-**Source:** `steps/server_provisioner.rb` + `deployer/infrastructure.rb`
-
-**Does:**
-
-- Create servers for each group
-- Wait for SSH ready
-- Return main server IP
-
----
-
-## Step 3: provision_volume.rb (~150 lines)
-
-**Source:** `steps/volume_provisioner.rb`
-
-**Does:**
-
-- Collect all volumes needed (database, services, app)
-- Create volumes via provider
-- Attach to servers
-- Mount via SSH (format if needed, add to fstab)
-
----
-
-## Step 4: setup_k3s.rb (~400 lines)
-
-**Source:** Merge `steps/k3s_provisioner.rb` + `steps/k3s_cluster_setup.rb`
-
-**Does:**
-
-- Wait for cloud-init
-- Install K3s server on master
-- Setup kubeconfig
-- Setup in-cluster registry
-- Setup NGINX ingress
-- Install K3s agent on workers
-- Label nodes
-- Get cluster token
-
-**Note:** This is the largest step. Consider keeping as single file with private methods, or split into:
-
-- `setup_k3s/master.rb`
-- `setup_k3s/worker.rb`
-- `setup_k3s/registry.rb`
-
----
-
-## Step 5: configure_tunnel.rb (~70 lines)
-
-**Source:** `steps/tunnel_configurator.rb`
-
-**Does:**
-
-- For each app service with domain:
-  - Create/find Cloudflare tunnel
-  - Configure tunnel ingress
-  - Create DNS CNAME record
-- Return array of TunnelInfo
-
----
-
-## Step 6: build_image.rb (~100 lines)
-
-**Source:** `deployer/image_builder.rb` + parts of `remote/docker_manager.rb`
-
-**Does:**
-
-- Build Docker image locally
-- Save to tar
-- Rsync to remote server
-- Import into containerd
-- Tag image
-- Push to in-cluster registry
-
----
-
-## Step 7: deploy_database.rb (~80 lines)
-
-**Source:** `steps/database_provisioner.rb` + `deployer/service_deployer.rb#deploy_database`
-
-**Does:**
-
-- Skip if SQLite (handled by app volumes)
-- Deploy database secret (POSTGRES_USER, etc.)
-- Deploy StatefulSet with hostPath volume
-- Wait for database pod to be Running
-
----
-
-## Step 8: deploy_service.rb (~300 lines)
-
-**Source:** Merge `deployer/orchestrator.rb` + `deployer/service_deployer.rb`
-
-**Does:**
-
-- Deploy app secret (env vars)
-- Deploy additional services (redis, etc.)
-- Deploy app services (web, worker)
-- Deploy cloudflared sidecars
-- Verify traffic routing
-- Run pre-run commands (migrations)
-
-**Note:** Uses `External::Kubectl` for all manifest operations.
-
----
-
-## Step 9: cleanup_images.rb (~40 lines)
-
-**Source:** `deployer/cleaner.rb`
-
-**Does:**
-
-- List all images with prefix
-- Keep newest N images
-- Delete the rest
-
----
-
-## Step Dependencies
-
-```
-provision_network ─┐
-                   ├─► provision_server ─► provision_volume ─► setup_k3s
-                   │
-configure_tunnel ──┼─► build_image ─► deploy_service ─► cleanup_images
-                   │
-                   └── (parallel where possible)
-```
-
----
-
-## Common Patterns Across Steps
-
-### Constructor Signature
-
-All steps follow:
-
-```ruby
-def initialize(config, provider_or_deps, log)
-```
-
-### Return Values
-
-- Most return `nil` (side effects only)
-- Some return data for next step:
-  - `provision_server` → main_server_ip
-  - `configure_tunnel` → [TunnelInfo]
-  - `provision_network` → { network:, firewall: }
-
-### Error Handling
-
-Steps raise specific errors. Command catches and logs.

data/.claude/todo/refactor/09-cli-delete-command.md

@@ -1,169 +0,0 @@
-# 09 - CLI: Delete Command
-
-## Priority: FIFTH (parallel with deploy)
-
----
-
-## Current State
-
-| File                | Lines | Purpose                                |
-| ------------------- | ----- | -------------------------------------- |
-| `service/delete.rb` | 235   | DeleteService - teardown all resources |
-
----
-
-## Target Structure
-
-```
-lib/nvoi/cli/delete/
-├── command.rb
-└── steps/
-    ├── teardown_tunnel.rb
-    ├── teardown_dns.rb
-    ├── detach_volumes.rb
-    ├── teardown_server.rb
-    ├── teardown_volume.rb
-    ├── teardown_firewall.rb
-    └── teardown_network.rb
-```
-
----
-
-## What Delete Does (Current)
-
-```ruby
-def run
-  detach_volumes          # Must happen before server deletion
-  delete_all_servers      # Delete servers from all groups
-  delete_volumes          # Now safe to delete
-  delete_firewall         # With retry (might still be attached)
-  delete_network
-  delete_cloudflare_resources  # Tunnels + DNS records
-end
-```
-
----
-
-## Target Flow
-
-```ruby
-# cli/delete/command.rb
-class Command
-  def run
-    config = Utils::ConfigLoader.new.load(config_path)
-    provider = External::Cloud.for(config)
-    cloudflare = External::DNS::Cloudflare.new(config.cloudflare)
-    log = Utils::Logger.new
-
-    # Order matters!
-    Steps::DetachVolumes.new(config, provider, log).run
-    Steps::TeardownServer.new(config, provider, log).run
-    Steps::TeardownVolume.new(config, provider, log).run
-    Steps::TeardownFirewall.new(config, provider, log).run
-    Steps::TeardownNetwork.new(config, provider, log).run
-    Steps::TeardownTunnel.new(config, cloudflare, log).run
-    Steps::TeardownDNS.new(config, cloudflare, log).run
-
-    log.success "Cleanup complete"
-  end
-end
-```
-
----
-
-## DRY Opportunities
-
-### 1. Shared Volume Name Collection
-
-Both `detach_volumes` and `delete_volumes` call `collect_volume_names`.
-Extract to utils or pass as step output:
-
-```ruby
-volumes = Steps::DetachVolumes.new(...).run  # returns volume list
-Steps::TeardownVolume.new(...).run(volumes)
-```
-
-### 2. Shared Hostname Builder
-
-`build_hostname` is duplicated. Already planned for `utils/namer.rb`.
-
-### 3. Merge Tunnel + DNS Teardown
-
-Both iterate over app services with domains. Could be single step:
-
-```ruby
-Steps::TeardownCloudflare.new(config, cloudflare, log).run
-# Deletes both tunnels and DNS records
-```
-
-### 4. Error Tolerance
-
-Delete operations should be idempotent. Current code does:
-
-```ruby
-rescue StandardError => e
-  @log.warning "Failed to delete: %s", e.message
-end
-```
-
-Keep this pattern - deletion should continue even if some resources are already gone.
-
----
-
-## Step Details
-
-### detach_volumes.rb (~40 lines)
-
-- Collect all volume names
-- For each: find volume, detach if attached
-
-### teardown_server.rb (~50 lines)
-
-- For each server group:
-  - For each server in group:
-    - Find and delete server
-
-### teardown_volume.rb (~40 lines)
-
-- For each volume name:
-  - Find and delete volume
-
-### teardown_firewall.rb (~30 lines)
-
-- Find firewall by name
-- Delete with retry (may still be detaching)
-
-### teardown_network.rb (~20 lines)
-
-- Find network by name
-- Delete
-
-### teardown_tunnel.rb (~40 lines)
-
-- For each app service with domain:
-  - Find and delete tunnel
-
-### teardown_dns.rb (~40 lines)
-
-- For each app service with domain:
-  - Find zone
-  - Find and delete CNAME record
-
----
-
-## Migration Steps
-
-1. Create `lib/nvoi/cli/delete/command.rb`
-2. Create `lib/nvoi/cli/delete/steps/` directory
-3. Extract each operation from `service/delete.rb` into separate step
-4. Move `collect_volume_names` to command (shared state)
-5. Delete `service/delete.rb`
-
----
-
-## Estimated Effort
-
-- **Lines to reorganize:** 235
-- **Files created:** 8 (command + 7 steps)
-- **Files deleted:** 1
-- **DRY savings:** ~30 lines (shared hostname, merged tunnel+dns option)

data/.claude/todo/refactor/10-cli-exec-command.md

@@ -1,157 +0,0 @@
-# 10 - CLI: Exec Command
-
-## Priority: FIFTH (parallel with deploy/delete)
-
----
-
-## Current State
-
-| File | Lines | Purpose |
-|------|-------|---------|
-| `service/exec.rb` | 145 | ExecService - remote command execution |
-
----
-
-## Target Structure
-
-```
-lib/nvoi/cli/exec/
-└── command.rb          # Single file, no steps needed
-```
-
----
-
-## What Exec Does
-
-Three modes:
-1. **Single server:** `nvoi exec "ls -la"` → run on main server
-2. **All servers:** `nvoi exec --all "ls -la"` → run on all servers in parallel
-3. **Interactive:** `nvoi exec -i` → open SSH shell
-
----
-
-## Target Implementation
-
-```ruby
-# cli/exec/command.rb
-module Nvoi
-  module CLI
-    module Exec
-      class Command
-        def initialize(options)
-          @options = options
-          @log = Utils::Logger.new
-        end
-
-        def run(args)
-          config = Utils::ConfigLoader.new.load(config_path)
-          provider = External::Cloud.for(config)
-
-          if @options[:interactive]
-            open_shell(config, provider)
-          elsif @options[:all]
-            run_all(config, provider, args.join(" "))
-          else
-            run_single(config, provider, args.join(" "), @options[:server])
-          end
-        end
-
-        private
-
-        def run_single(config, provider, command, server_name)
-          server = find_server(config, provider, server_name)
-          ssh = External::SSH.new(server.public_ipv4, config.ssh_key_path)
-
-          @log.info "Executing on %s: %s", server.name, command
-          ssh.execute(command, stream: true)
-          @log.success "Command completed"
-        end
-
-        def run_all(config, provider, command)
-          servers = all_servers(config, provider)
-          @log.info "Executing on %d servers", servers.size
-
-          threads = servers.map do |server|
-            Thread.new do
-              ssh = External::SSH.new(server.public_ipv4, config.ssh_key_path)
-              output = ssh.execute(command)
-              [server.name, output]
-            end
-          end
-
-          threads.each do |t|
-            name, output = t.value
-            output.lines.each { |line| puts "[#{name}] #{line}" }
-          end
-        end
-
-        def open_shell(config, provider)
-          server = find_server(config, provider, @options[:server])
-          ssh = External::SSH.new(server.public_ipv4, config.ssh_key_path)
-          ssh.open_shell
-        end
-
-        def find_server(config, provider, name)
-          actual_name = resolve_server_name(config, name)
-          provider.find_server(actual_name) or raise ServiceError, "server not found: #{actual_name}"
-        end
-
-        def resolve_server_name(config, name)
-          return config.server_name if name == "main" || name.nil?
-          # Parse "worker-1" → server_name("worker", 1)
-          # ...
-        end
-
-        def all_servers(config, provider)
-          config.deploy.application.servers.flat_map do |group, cfg|
-            (1..cfg.count).map { |i| provider.find_server(config.namer.server_name(group, i)) }
-          end.compact
-        end
-      end
-    end
-  end
-end
-```
-
----
-
-## DRY Opportunities
-
-### 1. Server Name Resolution
-`resolve_server_name` logic is useful. Could go to `utils/namer.rb`:
-```ruby
-# utils/namer.rb
-def resolve_server_reference(ref)
-  # "main" → server_name for master
-  # "worker-1" → server_name("worker", 1)
-end
-```
-
-### 2. Server Collection
-`all_servers` pattern could be a config method:
-```ruby
-# objects/config.rb
-def each_server
-  deploy.application.servers.each do |group, cfg|
-    (1..cfg.count).each { |i| yield(group, i) }
-  end
-end
-```
-
----
-
-## Migration Steps
-
-1. Create `lib/nvoi/cli/exec/command.rb`
-2. Move logic from `service/exec.rb`
-3. Extract `resolve_server_name` to `utils/namer.rb`
-4. Delete `service/exec.rb`
-
----
-
-## Estimated Effort
-
-- **Lines to reorganize:** 145
-- **Files created:** 1
-- **Files deleted:** 1
-- **Net change:** ~0 (simple move + namespace change)

data/.claude/todo/refactor/11-cli-credentials-command.md

@@ -1,190 +0,0 @@
-# 11 - CLI: Credentials Commands
-
-## Priority: FIFTH (parallel with others)
-
----
-
-## Current State
-
-| File                      | Lines | Purpose                         |
-| ------------------------- | ----- | ------------------------------- |
-| `cli.rb` (CredentialsCLI) | ~55   | Thor subcommand for credentials |
-| `credentials/editor.rb`   | ~80   | Edit/show encrypted credentials |
-| `credentials/manager.rb`  | ~150  | Load/save encrypted files       |
-| `credentials/crypto.rb`   | ~100  | AES encryption                  |
-
-**Total: ~385 lines**
-
----
-
-## Target Structure
-
-```
-lib/nvoi/cli/credentials/
-├── edit/
-│   └── command.rb      # nvoi credentials edit
-└── show/
-    └── command.rb      # nvoi credentials show
-```
-
-Note: `crypto.rb` and `manager.rb` move to `utils/` (see 02-utils.md)
-
----
-
-## What Each Command Does
-
-### credentials edit
-
-1. Load or create credentials file
-2. Decrypt to temp file
-3. Open in $EDITOR
-4. Validate YAML on save
-5. Re-encrypt
-6. Update .gitignore if first run
-
-### credentials show
-
-1. Load credentials file
-2. Decrypt
-3. Print to stdout
-
----
-
-## Target Implementation
-
-```ruby
-# cli/credentials/edit/command.rb
-module Nvoi
-  module CLI
-    module Credentials
-      module Edit
-        class Command
-          def initialize(options)
-            @options = options
-            @log = Utils::Logger.new
-          end
-
-          def run
-            working_dir = resolve_working_dir
-            store = Utils::CredentialStore.new(working_dir, @options[:credentials], @options[:master_key])
-
-            if store.exists?
-              edit_existing(store)
-            else
-              create_new(store)
-            end
-          end
-
-          private
-
-          def edit_existing(store)
-            content = store.read
-            new_content = open_in_editor(content)
-            validate_yaml!(new_content)
-            store.write(new_content)
-            @log.success "Credentials updated"
-          end
-
-          def create_new(store)
-            @log.info "Creating new credentials file"
-            template = default_template
-            new_content = open_in_editor(template)
-            validate_yaml!(new_content)
-            store.write(new_content)
-            store.update_gitignore
-            @log.success "Credentials created"
-            @log.warning "Keep your master key safe!"
-          end
-
-          def open_in_editor(content)
-            # Write to temp file, exec $EDITOR, read back
-          end
-
-          def validate_yaml!(content)
-            YAML.safe_load(content)
-          rescue Psych::SyntaxError => e
-            raise ConfigError, "Invalid YAML: #{e.message}"
-          end
-        end
-      end
-    end
-  end
-end
-```
-
-```ruby
-# cli/credentials/show/command.rb
-module Nvoi
-  module CLI
-    module Credentials
-      module Show
-        class Command
-          def initialize(options)
-            @options = options
-          end
-
-          def run
-            working_dir = resolve_working_dir
-            store = Utils::CredentialStore.new(working_dir, @options[:credentials], @options[:master_key])
-            puts store.read
-          end
-        end
-      end
-    end
-  end
-end
-```
-
----
-
-## DRY Opportunities
-
-### 1. Merge Crypto + Manager → CredentialStore
-
-Already planned in 02-utils.md. Single class:
-
-```ruby
-# utils/crypto.rb
-class CredentialStore
-  def initialize(working_dir, enc_path = nil, key_path = nil)
-  def exists? → bool
-  def read → String
-  def write(content)
-  def update_gitignore
-end
-```
-
-### 2. Remove Editor Class
-
-Current `credentials/editor.rb` is thin wrapper. Logic goes directly into command.
-
-### 3. YAML Validation
-
-Move to utils for reuse:
-
-```ruby
-# utils/config_loader.rb
-def self.validate_yaml!(content)
-  YAML.safe_load(content, permitted_classes: [Symbol])
-end
-```
-
----
-
-## Migration Steps
-
-1. Move `credentials/crypto.rb` + `credentials/manager.rb` → `utils/crypto.rb` (02-utils.md)
-2. Create `lib/nvoi/cli/credentials/edit/command.rb`
-3. Create `lib/nvoi/cli/credentials/show/command.rb`
-4. Move editor logic into `edit/command.rb`
-5. Delete `credentials/editor.rb`
-6. Update `cli.rb` to route to new commands
-
----
-
-## Estimated Effort
-
-- **Lines to reorganize:** ~385
-- **Files created:** 2
-- **Files deleted:** 3 (`editor.rb`, `manager.rb`, `crypto.rb` → merged to utils)
-- **Net reduction:** ~50 lines (removed wrapper, merged classes)