npm - @celilo/cli - Versions diffs - 0.1.0 - Mend

@celilo/cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (267) hide show

package/README.md +1566 -0
package/bin/celilo +16 -0
package/drizzle/0000_complex_puma.sql +179 -0
package/drizzle/0001_dizzy_wolfpack.sql +2 -0
package/drizzle/0002_web_routes.sql +16 -0
package/drizzle/0003_backup_storage.sql +32 -0
package/drizzle/meta/0000_snapshot.json +1151 -0
package/drizzle/meta/0001_snapshot.json +1167 -0
package/drizzle/meta/0002_snapshot.json +1257 -0
package/drizzle/meta/_journal.json +27 -0
package/package.json +64 -0
package/schemas/system_config.json +106 -0
package/src/__integration__/container-services-cli.integration.test.ts +246 -0
package/src/ansible/dependencies.test.ts +309 -0
package/src/ansible/dependencies.ts +896 -0
package/src/ansible/inventory.test.ts +463 -0
package/src/ansible/inventory.ts +445 -0
package/src/ansible/secrets.ts +222 -0
package/src/ansible/validation.test.ts +92 -0
package/src/ansible/validation.ts +272 -0
package/src/api-clients/digitalocean.ts +94 -0
package/src/api-clients/proxmox.ts +655 -0
package/src/capabilities/logging-wrapper.test.ts +217 -0
package/src/capabilities/lookup.test.ts +149 -0
package/src/capabilities/lookup.ts +89 -0
package/src/capabilities/public-web-helpers.test.ts +198 -0
package/src/capabilities/public-web-publish.test.ts +458 -0
package/src/capabilities/registration.test.ts +395 -0
package/src/capabilities/registration.ts +200 -0
package/src/capabilities/route-validation.test.ts +121 -0
package/src/capabilities/route-validation.ts +96 -0
package/src/capabilities/secret-ref.test.ts +313 -0
package/src/capabilities/secret-validation.ts +157 -0
package/src/capabilities/secrets.test.ts +750 -0
package/src/capabilities/secrets.ts +244 -0
package/src/capabilities/validation.test.ts +613 -0
package/src/capabilities/validation.ts +160 -0
package/src/capabilities/well-known.test.ts +238 -0
package/src/capabilities/well-known.ts +222 -0
package/src/cli/cli.test.ts +654 -0
package/src/cli/command-registry.ts +742 -0
package/src/cli/command-tree-parser.test.ts +180 -0
package/src/cli/command-tree-parser.ts +193 -0
package/src/cli/commands/backup-create.ts +137 -0
package/src/cli/commands/backup-delete.ts +74 -0
package/src/cli/commands/backup-import.ts +97 -0
package/src/cli/commands/backup-list.ts +132 -0
package/src/cli/commands/backup-name.ts +73 -0
package/src/cli/commands/backup-prune.ts +98 -0
package/src/cli/commands/backup-restore.ts +122 -0
package/src/cli/commands/capability-info.ts +121 -0
package/src/cli/commands/capability-list.ts +47 -0
package/src/cli/commands/completion.ts +87 -0
package/src/cli/commands/hook-run.ts +176 -0
package/src/cli/commands/ipam.ts +607 -0
package/src/cli/commands/machine-add.ts +235 -0
package/src/cli/commands/machine-earmark.ts +82 -0
package/src/cli/commands/machine-list.ts +77 -0
package/src/cli/commands/machine-remove.ts +90 -0
package/src/cli/commands/machine-status.ts +131 -0
package/src/cli/commands/module-audit.ts +51 -0
package/src/cli/commands/module-build.ts +60 -0
package/src/cli/commands/module-config.ts +170 -0
package/src/cli/commands/module-deploy.ts +71 -0
package/src/cli/commands/module-generate.ts +236 -0
package/src/cli/commands/module-health.ts +108 -0
package/src/cli/commands/module-import.ts +80 -0
package/src/cli/commands/module-list.ts +43 -0
package/src/cli/commands/module-logs.ts +73 -0
package/src/cli/commands/module-remove.ts +162 -0
package/src/cli/commands/module-show.ts +208 -0
package/src/cli/commands/module-status.ts +131 -0
package/src/cli/commands/module-types.ts +189 -0
package/src/cli/commands/module-upgrade.ts +192 -0
package/src/cli/commands/package.ts +68 -0
package/src/cli/commands/secret-list.ts +99 -0
package/src/cli/commands/secret-set.ts +134 -0
package/src/cli/commands/service-add-digitalocean.ts +133 -0
package/src/cli/commands/service-add-proxmox.ts +342 -0
package/src/cli/commands/service-config-get.ts +83 -0
package/src/cli/commands/service-config-set.ts +145 -0
package/src/cli/commands/service-list.ts +74 -0
package/src/cli/commands/service-reconfigure.ts +230 -0
package/src/cli/commands/service-remove.ts +103 -0
package/src/cli/commands/service-verify.ts +240 -0
package/src/cli/commands/status.ts +216 -0
package/src/cli/commands/storage-add-local.ts +106 -0
package/src/cli/commands/storage-add-s3.ts +114 -0
package/src/cli/commands/storage-list.ts +72 -0
package/src/cli/commands/storage-remove.ts +54 -0
package/src/cli/commands/storage-set-default.ts +44 -0
package/src/cli/commands/storage-verify.ts +54 -0
package/src/cli/commands/system-config.ts +168 -0
package/src/cli/commands/system-init.ts +314 -0
package/src/cli/commands/system-secret-get.ts +98 -0
package/src/cli/commands/system-secret-set.ts +76 -0
package/src/cli/commands/system-vault-password.ts +34 -0
package/src/cli/completion.test.ts +37 -0
package/src/cli/completion.ts +482 -0
package/src/cli/fuel-gauge.test.ts +208 -0
package/src/cli/fuel-gauge.ts +405 -0
package/src/cli/generate-zsh-completion.test.ts +95 -0
package/src/cli/generate-zsh-completion.ts +497 -0
package/src/cli/index.ts +1583 -0
package/src/cli/interactive-config.test.ts +201 -0
package/src/cli/interactive-config.ts +62 -0
package/src/cli/parser.test.ts +227 -0
package/src/cli/parser.ts +244 -0
package/src/cli/prompts.test.ts +33 -0
package/src/cli/prompts.ts +121 -0
package/src/cli/types.ts +38 -0
package/src/cli/validators.test.ts +235 -0
package/src/cli/validators.ts +188 -0
package/src/config/env.ts +41 -0
package/src/config/paths.test.ts +172 -0
package/src/config/paths.ts +108 -0
package/src/db/client.ts +190 -0
package/src/db/migrate.ts +30 -0
package/src/db/schema.test.ts +221 -0
package/src/db/schema.ts +434 -0
package/src/hooks/capability-loader-firewall.test.ts +246 -0
package/src/hooks/capability-loader.test.ts +100 -0
package/src/hooks/capability-loader.ts +520 -0
package/src/hooks/define-hook.test.ts +488 -0
package/src/hooks/executor.test.ts +462 -0
package/src/hooks/executor.ts +469 -0
package/src/hooks/logger.test.ts +54 -0
package/src/hooks/logger.ts +95 -0
package/src/hooks/test-fixtures/failing-hook.ts +13 -0
package/src/hooks/test-fixtures/no-default-hook.ts +6 -0
package/src/hooks/test-fixtures/success-hook.ts +20 -0
package/src/hooks/test-fixtures/unbranded-hook.ts +11 -0
package/src/hooks/test-fixtures/void-hook.ts +13 -0
package/src/hooks/types.ts +89 -0
package/src/infrastructure/property-extractor.test.ts +194 -0
package/src/infrastructure/property-extractor.ts +151 -0
package/src/ipam/allocator.test.ts +442 -0
package/src/ipam/allocator.ts +369 -0
package/src/ipam/auto-allocator.test.ts +247 -0
package/src/ipam/auto-allocator.ts +270 -0
package/src/ipam/subnet-parser.test.ts +107 -0
package/src/ipam/subnet-parser.ts +136 -0
package/src/manifest/contracts/index.ts +61 -0
package/src/manifest/contracts/v1.ts +118 -0
package/src/manifest/json-schema-roundtrip.test.ts +99 -0
package/src/manifest/schema.ts +367 -0
package/src/manifest/template-validator.test.ts +231 -0
package/src/manifest/template-validator.ts +322 -0
package/src/manifest/validate.test.ts +1180 -0
package/src/manifest/validate.ts +415 -0
package/src/module/import.test.ts +355 -0
package/src/module/import.ts +676 -0
package/src/module/packaging/audit.ts +169 -0
package/src/module/packaging/build.ts +228 -0
package/src/module/packaging/checksum.ts +41 -0
package/src/module/packaging/extract.ts +234 -0
package/src/module/packaging/signature.ts +47 -0
package/src/secrets/encryption.test.ts +284 -0
package/src/secrets/encryption.ts +162 -0
package/src/secrets/generators.test.ts +112 -0
package/src/secrets/generators.ts +127 -0
package/src/secrets/master-key.test.ts +159 -0
package/src/secrets/master-key.ts +114 -0
package/src/secrets/storage.test.ts +115 -0
package/src/secrets/storage.ts +106 -0
package/src/secrets/vault.test.ts +35 -0
package/src/secrets/vault.ts +42 -0
package/src/services/backup-create.ts +532 -0
package/src/services/backup-metadata.ts +198 -0
package/src/services/backup-restore.ts +229 -0
package/src/services/backup-retention.ts +84 -0
package/src/services/backup-storage.ts +281 -0
package/src/services/build-stream.test.ts +122 -0
package/src/services/build-stream.ts +201 -0
package/src/services/config-interview.ts +694 -0
package/src/services/container-service.test.ts +298 -0
package/src/services/container-service.ts +401 -0
package/src/services/cross-module-data-manager.test.ts +405 -0
package/src/services/cross-module-data-manager.ts +412 -0
package/src/services/deploy-ansible.ts +88 -0
package/src/services/deploy-planner.ts +153 -0
package/src/services/deploy-preflight.ts +274 -0
package/src/services/deploy-ssh.ts +131 -0
package/src/services/deploy-terraform.test.ts +55 -0
package/src/services/deploy-terraform.ts +445 -0
package/src/services/deploy-validation.ts +311 -0
package/src/services/dns-auto-register.ts +211 -0
package/src/services/health-runner.ts +184 -0
package/src/services/infrastructure-selector.test.ts +485 -0
package/src/services/infrastructure-selector.ts +245 -0
package/src/services/infrastructure-variable-resolver.test.ts +751 -0
package/src/services/infrastructure-variable-resolver.ts +234 -0
package/src/services/machine-detector.ts +328 -0
package/src/services/machine-pool.test.ts +405 -0
package/src/services/machine-pool.ts +316 -0
package/src/services/manifest-validation.ts +120 -0
package/src/services/module-build.test.ts +290 -0
package/src/services/module-build.ts +431 -0
package/src/services/module-config.test.ts +237 -0
package/src/services/module-config.ts +298 -0
package/src/services/module-deploy.ts +862 -0
package/src/services/module-types-drift.test.ts +73 -0
package/src/services/module-types-generator.test.ts +288 -0
package/src/services/module-types-generator.ts +189 -0
package/src/services/proxmox-state-recovery.ts +140 -0
package/src/services/schema-validation.ts +155 -0
package/src/services/secret-schema-loader.test.ts +311 -0
package/src/services/secret-schema-loader.ts +239 -0
package/src/services/ssh-key-manager.test.ts +283 -0
package/src/services/ssh-key-manager.ts +193 -0
package/src/services/storage-providers/local.ts +105 -0
package/src/services/storage-providers/s3.ts +182 -0
package/src/services/storage-providers/types.ts +24 -0
package/src/services/system-config-schema-types.ts +25 -0
package/src/services/system-config-validator.test.ts +160 -0
package/src/services/system-config-validator.ts +74 -0
package/src/services/system-init.test.ts +153 -0
package/src/services/system-init.ts +253 -0
package/src/services/terraform-safety.ts +174 -0
package/src/services/zone-detector.test.ts +110 -0
package/src/services/zone-detector.ts +102 -0
package/src/services/zone-policy.test.ts +97 -0
package/src/services/zone-policy.ts +126 -0
package/src/templates/generator.test.ts +645 -0
package/src/templates/generator.ts +1119 -0
package/src/templates/types.ts +62 -0
package/src/test-utils/INTERACTIVE_PROMPTS.md +167 -0
package/src/test-utils/cli-context-interactive.test.ts +152 -0
package/src/test-utils/cli-context-server.test.ts +66 -0
package/src/test-utils/cli-context.test.ts +273 -0
package/src/test-utils/cli-context.ts +677 -0
package/src/test-utils/cli-result.test.ts +282 -0
package/src/test-utils/cli-result.ts +241 -0
package/src/test-utils/cli.ts +55 -0
package/src/test-utils/completion-harness.test.ts +126 -0
package/src/test-utils/completion-harness.ts +82 -0
package/src/test-utils/database.test.ts +182 -0
package/src/test-utils/database.ts +126 -0
package/src/test-utils/filesystem.test.ts +208 -0
package/src/test-utils/filesystem.ts +142 -0
package/src/test-utils/fixtures.test.ts +123 -0
package/src/test-utils/fixtures.ts +160 -0
package/src/test-utils/golden-diff.ts +197 -0
package/src/test-utils/index.ts +77 -0
package/src/test-utils/integration.ts +81 -0
package/src/test-utils/module-fixtures.ts +468 -0
package/src/test-utils/modules.test.ts +144 -0
package/src/test-utils/modules.ts +183 -0
package/src/test-utils/setup-test-db.ts +90 -0
package/src/test-utils/value-extractor.test.ts +231 -0
package/src/test-utils/value-extractor.ts +228 -0
package/src/types/infrastructure.ts +157 -0
package/src/utils/shell.test.ts +365 -0
package/src/utils/shell.ts +159 -0
package/src/validation/schemas.ts +166 -0
package/src/variables/ansible-resolver.test.ts +142 -0
package/src/variables/ansible-resolver.ts +69 -0
package/src/variables/capability-self-ref.test.ts +220 -0
package/src/variables/context.test.ts +1265 -0
package/src/variables/context.ts +624 -0
package/src/variables/declarative-derivation.test.ts +743 -0
package/src/variables/declarative-derivation.ts +200 -0
package/src/variables/parser.test.ts +231 -0
package/src/variables/parser.ts +76 -0
package/src/variables/resolver.test.ts +458 -0
package/src/variables/resolver.ts +282 -0
package/src/variables/types.ts +59 -0

package/src/capabilities/secrets.test.ts ADDED Viewed

@@ -0,0 +1,750 @@
+import type { Database } from 'bun:sqlite';
+import { describe, expect, test } from 'bun:test';
+import type { ModuleManifest } from '../manifest/schema';
+import {
+  checkCapabilitySecretAccess,
+  getCapabilitySecret,
+  isCapabilityFieldSecret,
+} from './secrets';
+describe('Capability Secret Access', () => {
+  describe('isCapabilityFieldSecret', () => {
+    test('should return true when field is marked as secret', () => {
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'dns-external',
+        name: 'DNS External',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'dns_external',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'tsig',
+                  type: 'string',
+                  description: 'TSIG secret',
+                  readable_by: ['public_web'],
+                },
+                {
+                  name: 'api_key',
+                  type: 'string',
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: () => ({
+          get: () => ({
+            manifest_data: JSON.stringify(providerManifest),
+          }),
+        }),
+      } as unknown as Database;
+      const result = isCapabilityFieldSecret('dns_external', 'tsig', mockDb);
+      expect(result).toBe(true);
+    });
+    test('should return true for any secret in the list', () => {
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'provider',
+        name: 'Provider',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'test_capability',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'api_key',
+                  type: 'string',
+                },
+                {
+                  name: 'db_password',
+                  type: 'string',
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: () => ({
+          get: () => ({
+            manifest_data: JSON.stringify(providerManifest),
+          }),
+        }),
+      } as unknown as Database;
+      expect(isCapabilityFieldSecret('test_capability', 'api_key', mockDb)).toBe(true);
+      expect(isCapabilityFieldSecret('test_capability', 'db_password', mockDb)).toBe(true);
+    });
+    test('should return false when field is not in secrets list', () => {
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'dns-external',
+        name: 'DNS External',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'dns_external',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'tsig',
+                  type: 'string',
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: () => ({
+          get: () => ({
+            manifest_data: JSON.stringify(providerManifest),
+          }),
+        }),
+      } as unknown as Database;
+      const result = isCapabilityFieldSecret('dns_external', 'nameserver', mockDb);
+      expect(result).toBe(false);
+    });
+    test('should return false when capability has no secrets', () => {
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'provider',
+        name: 'Provider',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'monitoring',
+              version: '1.0.0',
+              data: {},
+              // No secrets defined
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: () => ({
+          get: () => ({
+            manifest_data: JSON.stringify(providerManifest),
+          }),
+        }),
+      } as unknown as Database;
+      const result = isCapabilityFieldSecret('monitoring', 'any_field', mockDb);
+      expect(result).toBe(false);
+    });
+    test('should return false when provider manifest not found', () => {
+      const mockDb = {
+        prepare: () => ({
+          get: () => undefined,
+        }),
+      } as unknown as Database;
+      const result = isCapabilityFieldSecret('unknown_capability', 'any_field', mockDb);
+      expect(result).toBe(false);
+    });
+    test('should match exact secret name', () => {
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'provider',
+        name: 'Provider',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'test_capability',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'api_key',
+                  type: 'string',
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: () => ({
+          get: () => ({
+            manifest_data: JSON.stringify(providerManifest),
+          }),
+        }),
+      } as unknown as Database;
+      // Exact match
+      expect(isCapabilityFieldSecret('test_capability', 'api_key', mockDb)).toBe(true);
+      // Substring should not match
+      expect(isCapabilityFieldSecret('test_capability', 'api', mockDb)).toBe(false);
+      expect(isCapabilityFieldSecret('test_capability', 'api_key_v2', mockDb)).toBe(false);
+    });
+  });
+  describe('checkCapabilitySecretAccess', () => {
+    test('should return true when consumer matches allowlist', () => {
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'dns-external',
+        name: 'DNS External',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'dns_external',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'tsig',
+                  type: 'string',
+                  readable_by: ['public_web'],
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const consumerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'caddy',
+        name: 'Caddy',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'public_web',
+              version: '1.0.0',
+              data: {},
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: (query: string) => ({
+          get: (_param: string) => {
+            // Provider manifest query
+            if (query.includes('JOIN capabilities')) {
+              return {
+                manifest_data: JSON.stringify(providerManifest),
+              };
+            }
+            // Consumer manifest query
+            if (query.includes('WHERE id = ?')) {
+              return {
+                manifest_data: JSON.stringify(consumerManifest),
+              };
+            }
+            return undefined;
+          },
+        }),
+      } as unknown as Database;
+      const result = checkCapabilitySecretAccess('caddy', 'dns_external', 'tsig', mockDb);
+      expect(result).toBe(true);
+    });
+    test('should return false when consumer does not match allowlist', () => {
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'dns-external',
+        name: 'DNS External',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'dns_external',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'tsig',
+                  type: 'string',
+                  readable_by: ['public_web'],
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const consumerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'some-app',
+        name: 'Some App',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'monitoring',
+              version: '1.0.0',
+              data: {},
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: (query: string) => ({
+          get: () => {
+            if (query.includes('JOIN capabilities')) {
+              return {
+                manifest_data: JSON.stringify(providerManifest),
+              };
+            }
+            if (query.includes('WHERE id = ?')) {
+              return {
+                manifest_data: JSON.stringify(consumerManifest),
+              };
+            }
+            return undefined;
+          },
+        }),
+      } as unknown as Database;
+      const result = checkCapabilitySecretAccess('some-app', 'dns_external', 'tsig', mockDb);
+      expect(result).toBe(false);
+    });
+    test('should return true when secret has no readable_by restriction', () => {
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'provider',
+        name: 'Provider',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'test_capability',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'api_key',
+                  type: 'string',
+                  // No readable_by - accessible to all
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const consumerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'consumer',
+        name: 'Consumer',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+        // No capabilities provided
+      };
+      const mockDb = {
+        prepare: (query: string) => ({
+          get: () => {
+            if (query.includes('JOIN capabilities')) {
+              return {
+                manifest_data: JSON.stringify(providerManifest),
+              };
+            }
+            if (query.includes('WHERE id = ?')) {
+              return {
+                manifest_data: JSON.stringify(consumerManifest),
+              };
+            }
+            return undefined;
+          },
+        }),
+      } as unknown as Database;
+      const result = checkCapabilitySecretAccess('consumer', 'test_capability', 'api_key', mockDb);
+      expect(result).toBe(true);
+    });
+    test('should return true when readable_by is empty array', () => {
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'provider',
+        name: 'Provider',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'test_capability',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'api_key',
+                  type: 'string',
+                  readable_by: [], // Empty array - no restrictions
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const consumerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'consumer',
+        name: 'Consumer',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: (query: string) => ({
+          get: () => {
+            if (query.includes('JOIN capabilities')) {
+              return {
+                manifest_data: JSON.stringify(providerManifest),
+              };
+            }
+            if (query.includes('WHERE id = ?')) {
+              return {
+                manifest_data: JSON.stringify(consumerManifest),
+              };
+            }
+            return undefined;
+          },
+        }),
+      } as unknown as Database;
+      const result = checkCapabilitySecretAccess('consumer', 'test_capability', 'api_key', mockDb);
+      expect(result).toBe(true);
+    });
+    test('should return false when provider not found', () => {
+      const mockDb = {
+        prepare: (_query: string) => ({
+          get: () => undefined,
+        }),
+      } as unknown as Database;
+      const result = checkCapabilitySecretAccess(
+        'consumer',
+        'unknown_capability',
+        'secret',
+        mockDb,
+      );
+      expect(result).toBe(false);
+    });
+    test('should return false when consumer not found', () => {
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'provider',
+        name: 'Provider',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'test_capability',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'secret',
+                  type: 'string',
+                  readable_by: ['public_web'],
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: (query: string) => ({
+          get: () => {
+            if (query.includes('JOIN capabilities')) {
+              return {
+                manifest_data: JSON.stringify(providerManifest),
+              };
+            }
+            // Consumer not found
+            return undefined;
+          },
+        }),
+      } as unknown as Database;
+      const result = checkCapabilitySecretAccess(
+        'unknown_consumer',
+        'test_capability',
+        'secret',
+        mockDb,
+      );
+      expect(result).toBe(false);
+    });
+    test('should return false when secret not found in capability', () => {
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'provider',
+        name: 'Provider',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'test_capability',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'api_key',
+                  type: 'string',
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const consumerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'consumer',
+        name: 'Consumer',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: (query: string) => ({
+          get: () => {
+            if (query.includes('JOIN capabilities')) {
+              return {
+                manifest_data: JSON.stringify(providerManifest),
+              };
+            }
+            if (query.includes('WHERE id = ?')) {
+              return {
+                manifest_data: JSON.stringify(consumerManifest),
+              };
+            }
+            return undefined;
+          },
+        }),
+      } as unknown as Database;
+      const result = checkCapabilitySecretAccess(
+        'consumer',
+        'test_capability',
+        'unknown_secret',
+        mockDb,
+      );
+      expect(result).toBe(false);
+    });
+    test('should return false when capability has no secrets', () => {
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'provider',
+        name: 'Provider',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'test_capability',
+              version: '1.0.0',
+              data: {},
+              // No secrets
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const consumerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'consumer',
+        name: 'Consumer',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: (query: string) => ({
+          get: () => {
+            if (query.includes('JOIN capabilities')) {
+              return {
+                manifest_data: JSON.stringify(providerManifest),
+              };
+            }
+            if (query.includes('WHERE id = ?')) {
+              return {
+                manifest_data: JSON.stringify(consumerManifest),
+              };
+            }
+            return undefined;
+          },
+        }),
+      } as unknown as Database;
+      const result = checkCapabilitySecretAccess('consumer', 'test_capability', 'api_key', mockDb);
+      expect(result).toBe(false);
+    });
+  });
+  describe('getCapabilitySecret', () => {
+    test('should throw error when capability not found', async () => {
+      const mockDb = {
+        prepare: () => ({
+          get: () => undefined,
+        }),
+      } as unknown as Database;
+      await expect(getCapabilitySecret('unknown_capability', 'secret', mockDb)).rejects.toThrow(
+        "Provider manifest not found for capability 'unknown_capability'",
+      );
+    });
+    test('should throw error when secret not found', async () => {
+      // Mock manifest with capability but without the requested secret
+      const manifest = {
+        provides: {
+          capabilities: [
+            {
+              name: 'dns_external',
+              version: '1.0.0',
+              secrets: [{ name: 'tsig_key', description: 'TSIG key' }],
+            },
+          ],
+        },
+      };
+      const mockDb = {
+        prepare: (query: string) => ({
+          get: (_param?: unknown) => {
+            // Return manifest data for getProviderManifest
+            if (query.includes('SELECT p.manifest_data')) {
+              return { manifest_data: JSON.stringify(manifest) };
+            }
+            return undefined;
+          },
+        }),
+      } as unknown as Database;
+      await expect(getCapabilitySecret('dns_external', 'unknown_secret', mockDb)).rejects.toThrow(
+        "Secret 'unknown_secret' not defined in capability 'dns_external'",
+      );
+    });
+    test('should decrypt and return secret when found', async () => {
+      // Note: This test would require mocking the encryption module
+      // For now, we test that it queries correctly and attempts decryption
+      const mockDb = {
+        prepare: (query: string) => ({
+          get: (_param1?: unknown, _param2?: unknown) => {
+            if (query.includes('SELECT id FROM capabilities')) {
+              return { id: 1 };
+            }
+            if (query.includes('SELECT encrypted_value')) {
+              return {
+                encrypted_value: 'encrypted_data',
+                iv: 'initialization_vector',
+                auth_tag: 'auth_tag',
+              };
+            }
+            return undefined;
+          },
+        }),
+      } as unknown as Database;
+      // This will fail at decryption with actual master key
+      // but proves the query logic works
+      await expect(getCapabilitySecret('dns_external', 'tsig', mockDb)).rejects.toThrow();
+    });
+  });
+});