@celilo/cli 0.1.0

package/src/capabilities/registration.test.ts

@@ -0,0 +1,395 @@
+import { describe, expect, test } from 'bun:test';
+import type { ModuleManifest } from '../manifest/schema';
+import { buildCapabilityData, promptForSecretValue } from './registration';
+
+describe('Capability Registration', () => {
+  describe('buildCapabilityData', () => {
+    test('should return capability data unchanged', () => {
+      const capability = {
+        name: 'test_capability',
+        version: '1.0.0',
+        data: {
+          server: {
+            port: 443,
+            protocol: 'https',
+          },
+        },
+      };
+
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+
+      const result = buildCapabilityData(capability, manifest);
+
+      expect(result).toEqual({
+        server: {
+          port: 443,
+          protocol: 'https',
+        },
+      });
+    });
+
+    test('should preserve $self: variables (not resolved)', () => {
+      const capability = {
+        name: 'test_capability',
+        version: '1.0.0',
+        data: {
+          server: {
+            ip: '$self:container_ip',
+            port: 443,
+          },
+        },
+      };
+
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+
+      const result = buildCapabilityData(capability, manifest);
+
+      // Variables are preserved, not resolved
+      expect(result).toEqual({
+        server: {
+          ip: '$self:container_ip',
+          port: 443,
+        },
+      });
+    });
+
+    test('should preserve nested $self: variables', () => {
+      const capability = {
+        name: 'dns_external',
+        version: '1.0.0',
+        data: {
+          server: {
+            ip: {
+              primary: '$self:vps_ip',
+            },
+            port: 53,
+          },
+          zone: {
+            primary_domain: '$self:primary_domain',
+          },
+        },
+      };
+
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'dns-external',
+        name: 'DNS External',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+
+      const result = buildCapabilityData(capability, manifest);
+
+      expect(result).toEqual({
+        server: {
+          ip: {
+            primary: '$self:vps_ip',
+          },
+          port: 53,
+        },
+        zone: {
+          primary_domain: '$self:primary_domain',
+        },
+      });
+    });
+
+    test('should preserve multiple variables in same object', () => {
+      const capability = {
+        name: 'test_capability',
+        version: '1.0.0',
+        data: {
+          url: '$self:base_url',
+          api_version: '$self:api_version',
+          timeout: 30,
+        },
+      };
+
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+
+      const result = buildCapabilityData(capability, manifest);
+
+      expect(result).toEqual({
+        url: '$self:base_url',
+        api_version: '$self:api_version',
+        timeout: 30,
+      });
+    });
+
+    test('should preserve variables in arrays', () => {
+      const capability = {
+        name: 'test_capability',
+        version: '1.0.0',
+        data: {
+          servers: ['$self:primary_server', '$self:backup_server'],
+        },
+      };
+
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+
+      const result = buildCapabilityData(capability, manifest);
+
+      expect(result).toEqual({
+        servers: ['$self:primary_server', '$self:backup_server'],
+      });
+    });
+
+    test('should preserve all string types including variables', () => {
+      const capability = {
+        name: 'test_capability',
+        version: '1.0.0',
+        data: {
+          variable: '$self:container_ip',
+          literal: 'not-a-variable',
+          with_dollar: '$100',
+          empty: '',
+        },
+      };
+
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+
+      const result = buildCapabilityData(capability, manifest);
+
+      expect(result).toEqual({
+        variable: '$self:container_ip',
+        literal: 'not-a-variable',
+        with_dollar: '$100',
+        empty: '',
+      });
+    });
+
+    test('should handle empty data object', () => {
+      const capability = {
+        name: 'test_capability',
+        version: '1.0.0',
+        data: {},
+      };
+
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+
+      const result = buildCapabilityData(capability, manifest);
+
+      expect(result).toEqual({});
+    });
+
+    test('should preserve deeply nested structures', () => {
+      const capability = {
+        name: 'test_capability',
+        version: '1.0.0',
+        data: {
+          level1: {
+            level2: {
+              level3: {
+                value: '$self:deep_value',
+              },
+            },
+          },
+        },
+      };
+
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+
+      const result = buildCapabilityData(capability, manifest);
+
+      expect(result).toEqual({
+        level1: {
+          level2: {
+            level3: {
+              value: '$self:deep_value',
+            },
+          },
+        },
+      });
+    });
+
+    test('should preserve number and boolean types', () => {
+      const capability = {
+        name: 'test_capability',
+        version: '1.0.0',
+        data: {
+          port: 443,
+          enabled: true,
+          timeout: 0,
+          disabled: false,
+        },
+      };
+
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+
+      const result = buildCapabilityData(capability, manifest);
+
+      expect(result).toEqual({
+        port: 443,
+        enabled: true,
+        timeout: 0,
+        disabled: false,
+      });
+    });
+
+    test('should handle null and undefined values', () => {
+      const capability = {
+        name: 'test_capability',
+        version: '1.0.0',
+        data: {
+          nullable: null,
+          optional: undefined,
+          present: 'value',
+        },
+      };
+
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+
+      const result = buildCapabilityData(capability, manifest);
+
+      expect(result).toEqual({
+        nullable: null,
+        optional: undefined,
+        present: 'value',
+      });
+    });
+
+    test('should return cloned data (not mutate original)', () => {
+      const capability = {
+        name: 'test_capability',
+        version: '1.0.0',
+        data: {
+          server: {
+            ip: '$self:container_ip',
+          },
+        },
+      };
+
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+
+      const result = buildCapabilityData(capability, manifest);
+
+      // Modify result to test deep copy
+      // biome-ignore lint/suspicious/noExplicitAny: intentionally mutating result to verify deep copy behavior
+      (result as any).server.ip = 'modified';
+
+      // Original should be unchanged
+      expect(capability.data.server.ip).toBe('$self:container_ip');
+    });
+  });
+
+  describe('promptForSecretValue', () => {
+    test('should generate base64-encoded secret when auto-generate is true', async () => {
+      const result = await promptForSecretValue('tsig', 'TSIG secret for DNS', true);
+
+      // Should be base64-encoded 32-byte value
+      expect(result).toMatch(/^[A-Za-z0-9+/]+=*$/);
+      expect(result.length).toBeGreaterThan(40); // base64 of 32 bytes is ~44 chars
+    });
+
+    test('should generate different secrets on each call', async () => {
+      const secret1 = await promptForSecretValue('secret1', 'Test secret', true);
+      const secret2 = await promptForSecretValue('secret2', 'Test secret', true);
+
+      expect(secret1).not.toBe(secret2);
+    });
+
+    test('should generate secrets of consistent length', async () => {
+      const results = await Promise.all([
+        promptForSecretValue('s1', 'Test', true),
+        promptForSecretValue('s2', 'Test', true),
+        promptForSecretValue('s3', 'Test', true),
+      ]);
+
+      const lengths = results.map((r) => r.length);
+      expect(lengths[0]).toBe(lengths[1]);
+      expect(lengths[1]).toBe(lengths[2]);
+    });
+  });
+});

package/src/capabilities/registration.ts

@@ -0,0 +1,200 @@
+/**
+ * Capability Registration
+ * Handles registration of capabilities during module import
+ */
+
+import type { Database } from 'bun:sqlite';
+import { randomBytes } from 'node:crypto';
+import type { ModuleManifest } from '../manifest/schema';
+import { encryptSecret } from '../secrets/encryption';
+import type { EncryptedSecret } from '../secrets/encryption';
+import { getOrCreateMasterKey } from '../secrets/master-key';
+
+export interface RegistrationResult {
+  success: boolean;
+  error?: string;
+  details?: unknown;
+}
+
+export interface CapabilitySecretDefinition {
+  name: string;
+  type: 'string' | 'number' | 'boolean';
+  description?: string;
+  readable_by?: string[];
+}
+
+/**
+ * Register all capabilities provided by a module
+ *
+ * Execution function (Rule 10.1) - performs database operations
+ *
+ * @param moduleId - Module identifier
+ * @param manifest - Module manifest
+ * @param db - Database connection
+ * @param flags - CLI flags (e.g., auto-generate-secrets)
+ * @returns Registration result
+ */
+export async function registerModuleCapabilities(
+  moduleId: string,
+  manifest: ModuleManifest,
+  db: Database,
+  _flags: Record<string, unknown> = {},
+): Promise<RegistrationResult> {
+  if (!manifest.provides?.capabilities || manifest.provides.capabilities.length === 0) {
+    return { success: true }; // No capabilities to register
+  }
+
+  try {
+    const _masterKey = await getOrCreateMasterKey();
+
+    for (const capability of manifest.provides.capabilities) {
+      // Build capability data by resolving $self: variables
+      const capabilityData = buildCapabilityData(capability, manifest);
+
+      // Insert capability into database (with optional zones)
+      const zones = capability.zones ? JSON.stringify(capability.zones) : null;
+      const capabilityRecord = db
+        .prepare(
+          `INSERT INTO capabilities (module_id, capability_name, version, data, zones, registered_at)
+           VALUES (?, ?, ?, ?, ?, unixepoch())
+           RETURNING id`,
+        )
+        .get(
+          moduleId,
+          capability.name,
+          capability.version,
+          JSON.stringify(capabilityData),
+          zones,
+        ) as {
+        id: number;
+      };
+
+      // Register capability secret metadata (values will be prompted during generation)
+      if (capability.secrets && capability.secrets.length > 0) {
+        for (const secret of capability.secrets) {
+          // Store secret metadata only (no value yet)
+          db.prepare(
+            `INSERT INTO capability_secrets (capability_id, name, description, created_at, updated_at)
+             VALUES (?, ?, ?, unixepoch(), unixepoch())`,
+          ).run(capabilityRecord.id, secret.name, secret.description || null);
+        }
+      }
+    }
+
+    return { success: true };
+  } catch (error) {
+    return {
+      success: false,
+      error: 'Failed to register capabilities',
+      details: error,
+    };
+  }
+}
+
+/**
+ * Build capability data by resolving $self: variables
+ *
+ * Policy function (Rule 10.1) - pure data transformation
+ *
+ * Note: Only resolves $self: variables. Other variable types ($system:, $capability:)
+ * are resolved during generation, not registration.
+ *
+ * @param capability - Capability definition from manifest
+ * @param manifest - Module manifest (for $self: variable resolution)
+ * @returns Capability data with resolved variables
+ */
+export function buildCapabilityData(
+  capability: { data?: Record<string, unknown> },
+  _manifest: ModuleManifest,
+): Record<string, unknown> {
+  if (!capability.data) {
+    return {};
+  }
+
+  // Capability data is static (no $self: variables in well-known capabilities)
+  // This function is here for future extensibility
+  return structuredClone(capability.data);
+}
+
+/**
+ * Prompt user for secret value or auto-generate
+ *
+ * Execution function (Rule 10.1) - performs I/O (console input)
+ *
+ * @param secretName - Name of the secret
+ * @param description - Description of the secret
+ * @param autoGenerate - Whether to auto-generate without prompting
+ * @returns Secret value
+ */
+export async function promptForSecretValue(
+  secretName: string,
+  description: string,
+  autoGenerate: boolean,
+): Promise<string> {
+  if (autoGenerate) {
+    // Auto-generate secret (TSIG keys are base64-encoded 32-byte values)
+    const randomValue = randomBytes(32);
+    return randomValue.toString('base64');
+  }
+
+  // Check if stdin is available (TTY check)
+  if (!process.stdin.isTTY) {
+    throw new Error(
+      `Cannot prompt for secret '${secretName}': stdin is not available.\nUse --auto-generate-secrets flag to auto-generate capability secrets.`,
+    );
+  }
+
+  // Prompt user for secret value
+  console.log('\nCapability secret required:');
+  console.log(`  • ${secretName}: ${description}`);
+  console.log(`\nEnter value for ${secretName} (or press Enter to auto-generate):`);
+
+  // Read from stdin
+  const readline = await import('node:readline');
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+  });
+
+  return new Promise((resolve) => {
+    rl.question('> ', (answer) => {
+      rl.close();
+
+      if (answer.trim() === '') {
+        // User pressed Enter - auto-generate
+        const randomValue = randomBytes(32);
+        const generated = randomValue.toString('base64');
+        console.log('  ✓ Auto-generated secret (hmac-sha256)');
+        resolve(generated);
+      } else {
+        resolve(answer.trim());
+      }
+    });
+  });
+}
+
+/**
+ * Encrypt and store capability secret
+ *
+ * Execution function (Rule 10.1) - performs database operations
+ *
+ * @param capabilityId - Capability ID from database
+ * @param name - Secret name
+ * @param value - Plaintext secret value
+ * @param masterKey - Master encryption key
+ * @param db - Database connection
+ */
+export async function storeCapabilitySecret(
+  capabilityId: number,
+  name: string,
+  value: string,
+  masterKey: Buffer,
+  db: Database,
+): Promise<void> {
+  const encrypted: EncryptedSecret = encryptSecret(value, masterKey);
+
+  db.prepare(
+    `INSERT INTO capability_secrets (capability_id, name, encrypted_value, iv, auth_tag, created_at, updated_at)
+     VALUES (?, ?, ?, ?, ?, unixepoch(), unixepoch())`,
+  ).run(capabilityId, name, encrypted.encryptedValue, encrypted.iv, encrypted.authTag);
+}

package/src/capabilities/route-validation.test.ts

@@ -0,0 +1,121 @@
+import { describe, expect, test } from 'bun:test';
+import { validatePath, validateRouteRequest, validateSlug } from './route-validation';
+
+describe('validateSlug', () => {
+  test('accepts valid kebab-case slugs', () => {
+    expect(validateSlug('lunacycle').valid).toBe(true);
+    expect(validateSlug('my-app').valid).toBe(true);
+    expect(validateSlug('app1').valid).toBe(true);
+    expect(validateSlug('dns-external').valid).toBe(true);
+    expect(validateSlug('a').valid).toBe(true);
+  });
+
+  test('rejects invalid slugs', () => {
+    expect(validateSlug('MyApp').valid).toBe(false);
+    expect(validateSlug('my_app').valid).toBe(false);
+    expect(validateSlug('my--app').valid).toBe(false);
+    expect(validateSlug('-app').valid).toBe(false);
+    expect(validateSlug('app-').valid).toBe(false);
+    expect(validateSlug('').valid).toBe(false);
+    expect(validateSlug('App').valid).toBe(false);
+  });
+});
+
+describe('validatePath', () => {
+  test('accepts valid paths', () => {
+    expect(validatePath('/lunacycle').valid).toBe(true);
+    expect(validatePath('/lunacycle/api').valid).toBe(true);
+    expect(validatePath('/a').valid).toBe(true);
+    expect(validatePath('/foo/bar/baz').valid).toBe(true);
+  });
+
+  test('rejects paths without leading slash', () => {
+    const result = validatePath('lunacycle');
+    expect(result.valid).toBe(false);
+    expect(result.errors[0]).toContain('start with /');
+  });
+
+  test('rejects paths with trailing slash', () => {
+    const result = validatePath('/lunacycle/');
+    expect(result.valid).toBe(false);
+    expect(result.errors[0]).toContain('trailing slash');
+  });
+
+  test('rejects paths with double slashes', () => {
+    const result = validatePath('/luna//cycle');
+    expect(result.valid).toBe(false);
+    expect(result.errors[0]).toContain('double slashes');
+  });
+
+  test('rejects empty path', () => {
+    expect(validatePath('').valid).toBe(false);
+  });
+});
+
+describe('validateRouteRequest', () => {
+  test('accepts valid static route', () => {
+    const result = validateRouteRequest({
+      slug: 'lunacycle',
+      type: 'static',
+      path: '/lunacycle',
+    });
+    expect(result.valid).toBe(true);
+  });
+
+  test('accepts valid reverse_proxy route', () => {
+    const result = validateRouteRequest({
+      slug: 'lunacycle',
+      type: 'reverse_proxy',
+      path: '/lunacycle/api',
+      targetHost: '10.0.20.5',
+      targetPort: 3000,
+    });
+    expect(result.valid).toBe(true);
+  });
+
+  test('rejects reverse_proxy without targetHost', () => {
+    const result = validateRouteRequest({
+      slug: 'lunacycle',
+      type: 'reverse_proxy',
+      path: '/lunacycle/api',
+      targetPort: 3000,
+    });
+    expect(result.valid).toBe(false);
+    expect(result.errors).toContain('reverse_proxy route requires targetHost');
+  });
+
+  test('rejects reverse_proxy without targetPort', () => {
+    const result = validateRouteRequest({
+      slug: 'lunacycle',
+      type: 'reverse_proxy',
+      path: '/lunacycle/api',
+      targetHost: '10.0.20.5',
+    });
+    expect(result.valid).toBe(false);
+    expect(result.errors).toContain('reverse_proxy route requires targetPort');
+  });
+
+  test('rejects invalid port numbers', () => {
+    const result = validateRouteRequest({
+      slug: 'lunacycle',
+      type: 'reverse_proxy',
+      path: '/lunacycle/api',
+      targetHost: '10.0.20.5',
+      targetPort: 70000,
+    });
+    expect(result.valid).toBe(false);
+    expect(result.errors[0]).toContain('between 1 and 65535');
+  });
+
+  test('collects multiple errors', () => {
+    const result = validateRouteRequest({
+      slug: 'BAD SLUG',
+      type: 'reverse_proxy',
+      path: 'no-slash',
+      targetHost: undefined,
+      targetPort: undefined,
+    });
+    expect(result.valid).toBe(false);
+    expect(result.errors.length).toBeGreaterThan(2);
+  });
+});