npm - @celilo/cli - Versions diffs - 0.1.0 - Mend

@celilo/cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (267) hide show

package/README.md +1566 -0
package/bin/celilo +16 -0
package/drizzle/0000_complex_puma.sql +179 -0
package/drizzle/0001_dizzy_wolfpack.sql +2 -0
package/drizzle/0002_web_routes.sql +16 -0
package/drizzle/0003_backup_storage.sql +32 -0
package/drizzle/meta/0000_snapshot.json +1151 -0
package/drizzle/meta/0001_snapshot.json +1167 -0
package/drizzle/meta/0002_snapshot.json +1257 -0
package/drizzle/meta/_journal.json +27 -0
package/package.json +64 -0
package/schemas/system_config.json +106 -0
package/src/__integration__/container-services-cli.integration.test.ts +246 -0
package/src/ansible/dependencies.test.ts +309 -0
package/src/ansible/dependencies.ts +896 -0
package/src/ansible/inventory.test.ts +463 -0
package/src/ansible/inventory.ts +445 -0
package/src/ansible/secrets.ts +222 -0
package/src/ansible/validation.test.ts +92 -0
package/src/ansible/validation.ts +272 -0
package/src/api-clients/digitalocean.ts +94 -0
package/src/api-clients/proxmox.ts +655 -0
package/src/capabilities/logging-wrapper.test.ts +217 -0
package/src/capabilities/lookup.test.ts +149 -0
package/src/capabilities/lookup.ts +89 -0
package/src/capabilities/public-web-helpers.test.ts +198 -0
package/src/capabilities/public-web-publish.test.ts +458 -0
package/src/capabilities/registration.test.ts +395 -0
package/src/capabilities/registration.ts +200 -0
package/src/capabilities/route-validation.test.ts +121 -0
package/src/capabilities/route-validation.ts +96 -0
package/src/capabilities/secret-ref.test.ts +313 -0
package/src/capabilities/secret-validation.ts +157 -0
package/src/capabilities/secrets.test.ts +750 -0
package/src/capabilities/secrets.ts +244 -0
package/src/capabilities/validation.test.ts +613 -0
package/src/capabilities/validation.ts +160 -0
package/src/capabilities/well-known.test.ts +238 -0
package/src/capabilities/well-known.ts +222 -0
package/src/cli/cli.test.ts +654 -0
package/src/cli/command-registry.ts +742 -0
package/src/cli/command-tree-parser.test.ts +180 -0
package/src/cli/command-tree-parser.ts +193 -0
package/src/cli/commands/backup-create.ts +137 -0
package/src/cli/commands/backup-delete.ts +74 -0
package/src/cli/commands/backup-import.ts +97 -0
package/src/cli/commands/backup-list.ts +132 -0
package/src/cli/commands/backup-name.ts +73 -0
package/src/cli/commands/backup-prune.ts +98 -0
package/src/cli/commands/backup-restore.ts +122 -0
package/src/cli/commands/capability-info.ts +121 -0
package/src/cli/commands/capability-list.ts +47 -0
package/src/cli/commands/completion.ts +87 -0
package/src/cli/commands/hook-run.ts +176 -0
package/src/cli/commands/ipam.ts +607 -0
package/src/cli/commands/machine-add.ts +235 -0
package/src/cli/commands/machine-earmark.ts +82 -0
package/src/cli/commands/machine-list.ts +77 -0
package/src/cli/commands/machine-remove.ts +90 -0
package/src/cli/commands/machine-status.ts +131 -0
package/src/cli/commands/module-audit.ts +51 -0
package/src/cli/commands/module-build.ts +60 -0
package/src/cli/commands/module-config.ts +170 -0
package/src/cli/commands/module-deploy.ts +71 -0
package/src/cli/commands/module-generate.ts +236 -0
package/src/cli/commands/module-health.ts +108 -0
package/src/cli/commands/module-import.ts +80 -0
package/src/cli/commands/module-list.ts +43 -0
package/src/cli/commands/module-logs.ts +73 -0
package/src/cli/commands/module-remove.ts +162 -0
package/src/cli/commands/module-show.ts +208 -0
package/src/cli/commands/module-status.ts +131 -0
package/src/cli/commands/module-types.ts +189 -0
package/src/cli/commands/module-upgrade.ts +192 -0
package/src/cli/commands/package.ts +68 -0
package/src/cli/commands/secret-list.ts +99 -0
package/src/cli/commands/secret-set.ts +134 -0
package/src/cli/commands/service-add-digitalocean.ts +133 -0
package/src/cli/commands/service-add-proxmox.ts +342 -0
package/src/cli/commands/service-config-get.ts +83 -0
package/src/cli/commands/service-config-set.ts +145 -0
package/src/cli/commands/service-list.ts +74 -0
package/src/cli/commands/service-reconfigure.ts +230 -0
package/src/cli/commands/service-remove.ts +103 -0
package/src/cli/commands/service-verify.ts +240 -0
package/src/cli/commands/status.ts +216 -0
package/src/cli/commands/storage-add-local.ts +106 -0
package/src/cli/commands/storage-add-s3.ts +114 -0
package/src/cli/commands/storage-list.ts +72 -0
package/src/cli/commands/storage-remove.ts +54 -0
package/src/cli/commands/storage-set-default.ts +44 -0
package/src/cli/commands/storage-verify.ts +54 -0
package/src/cli/commands/system-config.ts +168 -0
package/src/cli/commands/system-init.ts +314 -0
package/src/cli/commands/system-secret-get.ts +98 -0
package/src/cli/commands/system-secret-set.ts +76 -0
package/src/cli/commands/system-vault-password.ts +34 -0
package/src/cli/completion.test.ts +37 -0
package/src/cli/completion.ts +482 -0
package/src/cli/fuel-gauge.test.ts +208 -0
package/src/cli/fuel-gauge.ts +405 -0
package/src/cli/generate-zsh-completion.test.ts +95 -0
package/src/cli/generate-zsh-completion.ts +497 -0
package/src/cli/index.ts +1583 -0
package/src/cli/interactive-config.test.ts +201 -0
package/src/cli/interactive-config.ts +62 -0
package/src/cli/parser.test.ts +227 -0
package/src/cli/parser.ts +244 -0
package/src/cli/prompts.test.ts +33 -0
package/src/cli/prompts.ts +121 -0
package/src/cli/types.ts +38 -0
package/src/cli/validators.test.ts +235 -0
package/src/cli/validators.ts +188 -0
package/src/config/env.ts +41 -0
package/src/config/paths.test.ts +172 -0
package/src/config/paths.ts +108 -0
package/src/db/client.ts +190 -0
package/src/db/migrate.ts +30 -0
package/src/db/schema.test.ts +221 -0
package/src/db/schema.ts +434 -0
package/src/hooks/capability-loader-firewall.test.ts +246 -0
package/src/hooks/capability-loader.test.ts +100 -0
package/src/hooks/capability-loader.ts +520 -0
package/src/hooks/define-hook.test.ts +488 -0
package/src/hooks/executor.test.ts +462 -0
package/src/hooks/executor.ts +469 -0
package/src/hooks/logger.test.ts +54 -0
package/src/hooks/logger.ts +95 -0
package/src/hooks/test-fixtures/failing-hook.ts +13 -0
package/src/hooks/test-fixtures/no-default-hook.ts +6 -0
package/src/hooks/test-fixtures/success-hook.ts +20 -0
package/src/hooks/test-fixtures/unbranded-hook.ts +11 -0
package/src/hooks/test-fixtures/void-hook.ts +13 -0
package/src/hooks/types.ts +89 -0
package/src/infrastructure/property-extractor.test.ts +194 -0
package/src/infrastructure/property-extractor.ts +151 -0
package/src/ipam/allocator.test.ts +442 -0
package/src/ipam/allocator.ts +369 -0
package/src/ipam/auto-allocator.test.ts +247 -0
package/src/ipam/auto-allocator.ts +270 -0
package/src/ipam/subnet-parser.test.ts +107 -0
package/src/ipam/subnet-parser.ts +136 -0
package/src/manifest/contracts/index.ts +61 -0
package/src/manifest/contracts/v1.ts +118 -0
package/src/manifest/json-schema-roundtrip.test.ts +99 -0
package/src/manifest/schema.ts +367 -0
package/src/manifest/template-validator.test.ts +231 -0
package/src/manifest/template-validator.ts +322 -0
package/src/manifest/validate.test.ts +1180 -0
package/src/manifest/validate.ts +415 -0
package/src/module/import.test.ts +355 -0
package/src/module/import.ts +676 -0
package/src/module/packaging/audit.ts +169 -0
package/src/module/packaging/build.ts +228 -0
package/src/module/packaging/checksum.ts +41 -0
package/src/module/packaging/extract.ts +234 -0
package/src/module/packaging/signature.ts +47 -0
package/src/secrets/encryption.test.ts +284 -0
package/src/secrets/encryption.ts +162 -0
package/src/secrets/generators.test.ts +112 -0
package/src/secrets/generators.ts +127 -0
package/src/secrets/master-key.test.ts +159 -0
package/src/secrets/master-key.ts +114 -0
package/src/secrets/storage.test.ts +115 -0
package/src/secrets/storage.ts +106 -0
package/src/secrets/vault.test.ts +35 -0
package/src/secrets/vault.ts +42 -0
package/src/services/backup-create.ts +532 -0
package/src/services/backup-metadata.ts +198 -0
package/src/services/backup-restore.ts +229 -0
package/src/services/backup-retention.ts +84 -0
package/src/services/backup-storage.ts +281 -0
package/src/services/build-stream.test.ts +122 -0
package/src/services/build-stream.ts +201 -0
package/src/services/config-interview.ts +694 -0
package/src/services/container-service.test.ts +298 -0
package/src/services/container-service.ts +401 -0
package/src/services/cross-module-data-manager.test.ts +405 -0
package/src/services/cross-module-data-manager.ts +412 -0
package/src/services/deploy-ansible.ts +88 -0
package/src/services/deploy-planner.ts +153 -0
package/src/services/deploy-preflight.ts +274 -0
package/src/services/deploy-ssh.ts +131 -0
package/src/services/deploy-terraform.test.ts +55 -0
package/src/services/deploy-terraform.ts +445 -0
package/src/services/deploy-validation.ts +311 -0
package/src/services/dns-auto-register.ts +211 -0
package/src/services/health-runner.ts +184 -0
package/src/services/infrastructure-selector.test.ts +485 -0
package/src/services/infrastructure-selector.ts +245 -0
package/src/services/infrastructure-variable-resolver.test.ts +751 -0
package/src/services/infrastructure-variable-resolver.ts +234 -0
package/src/services/machine-detector.ts +328 -0
package/src/services/machine-pool.test.ts +405 -0
package/src/services/machine-pool.ts +316 -0
package/src/services/manifest-validation.ts +120 -0
package/src/services/module-build.test.ts +290 -0
package/src/services/module-build.ts +431 -0
package/src/services/module-config.test.ts +237 -0
package/src/services/module-config.ts +298 -0
package/src/services/module-deploy.ts +862 -0
package/src/services/module-types-drift.test.ts +73 -0
package/src/services/module-types-generator.test.ts +288 -0
package/src/services/module-types-generator.ts +189 -0
package/src/services/proxmox-state-recovery.ts +140 -0
package/src/services/schema-validation.ts +155 -0
package/src/services/secret-schema-loader.test.ts +311 -0
package/src/services/secret-schema-loader.ts +239 -0
package/src/services/ssh-key-manager.test.ts +283 -0
package/src/services/ssh-key-manager.ts +193 -0
package/src/services/storage-providers/local.ts +105 -0
package/src/services/storage-providers/s3.ts +182 -0
package/src/services/storage-providers/types.ts +24 -0
package/src/services/system-config-schema-types.ts +25 -0
package/src/services/system-config-validator.test.ts +160 -0
package/src/services/system-config-validator.ts +74 -0
package/src/services/system-init.test.ts +153 -0
package/src/services/system-init.ts +253 -0
package/src/services/terraform-safety.ts +174 -0
package/src/services/zone-detector.test.ts +110 -0
package/src/services/zone-detector.ts +102 -0
package/src/services/zone-policy.test.ts +97 -0
package/src/services/zone-policy.ts +126 -0
package/src/templates/generator.test.ts +645 -0
package/src/templates/generator.ts +1119 -0
package/src/templates/types.ts +62 -0
package/src/test-utils/INTERACTIVE_PROMPTS.md +167 -0
package/src/test-utils/cli-context-interactive.test.ts +152 -0
package/src/test-utils/cli-context-server.test.ts +66 -0
package/src/test-utils/cli-context.test.ts +273 -0
package/src/test-utils/cli-context.ts +677 -0
package/src/test-utils/cli-result.test.ts +282 -0
package/src/test-utils/cli-result.ts +241 -0
package/src/test-utils/cli.ts +55 -0
package/src/test-utils/completion-harness.test.ts +126 -0
package/src/test-utils/completion-harness.ts +82 -0
package/src/test-utils/database.test.ts +182 -0
package/src/test-utils/database.ts +126 -0
package/src/test-utils/filesystem.test.ts +208 -0
package/src/test-utils/filesystem.ts +142 -0
package/src/test-utils/fixtures.test.ts +123 -0
package/src/test-utils/fixtures.ts +160 -0
package/src/test-utils/golden-diff.ts +197 -0
package/src/test-utils/index.ts +77 -0
package/src/test-utils/integration.ts +81 -0
package/src/test-utils/module-fixtures.ts +468 -0
package/src/test-utils/modules.test.ts +144 -0
package/src/test-utils/modules.ts +183 -0
package/src/test-utils/setup-test-db.ts +90 -0
package/src/test-utils/value-extractor.test.ts +231 -0
package/src/test-utils/value-extractor.ts +228 -0
package/src/types/infrastructure.ts +157 -0
package/src/utils/shell.test.ts +365 -0
package/src/utils/shell.ts +159 -0
package/src/validation/schemas.ts +166 -0
package/src/variables/ansible-resolver.test.ts +142 -0
package/src/variables/ansible-resolver.ts +69 -0
package/src/variables/capability-self-ref.test.ts +220 -0
package/src/variables/context.test.ts +1265 -0
package/src/variables/context.ts +624 -0
package/src/variables/declarative-derivation.test.ts +743 -0
package/src/variables/declarative-derivation.ts +200 -0
package/src/variables/parser.test.ts +231 -0
package/src/variables/parser.ts +76 -0
package/src/variables/resolver.test.ts +458 -0
package/src/variables/resolver.ts +282 -0
package/src/variables/types.ts +59 -0

package/src/capabilities/validation.test.ts ADDED Viewed

@@ -0,0 +1,613 @@
+import type { Database } from 'bun:sqlite';
+import { describe, expect, test } from 'bun:test';
+import type { ModuleManifest } from '../manifest/schema';
+import { checkAllowlist, getProviderManifest, validateCapabilityAccess } from './validation';
+describe('Capability Access Validation', () => {
+  describe('checkAllowlist', () => {
+    test('should return true when consumer provides capability in allowlist', () => {
+      const consumerCapabilities = ['public_web'];
+      const allowlist = ['public_web', 'api_gateway'];
+      const result = checkAllowlist(consumerCapabilities, allowlist);
+      expect(result).toBe(true);
+    });
+    test('should return true when consumer provides multiple capabilities and one matches', () => {
+      const consumerCapabilities = ['dns_internal', 'monitoring', 'public_web'];
+      const allowlist = ['public_web', 'api_gateway'];
+      const result = checkAllowlist(consumerCapabilities, allowlist);
+      expect(result).toBe(true);
+    });
+    test('should return false when consumer provides no matching capability', () => {
+      const consumerCapabilities = ['monitoring', 'logging'];
+      const allowlist = ['public_web', 'api_gateway'];
+      const result = checkAllowlist(consumerCapabilities, allowlist);
+      expect(result).toBe(false);
+    });
+    test('should return false when consumer provides no capabilities', () => {
+      const consumerCapabilities: string[] = [];
+      const allowlist = ['public_web', 'api_gateway'];
+      const result = checkAllowlist(consumerCapabilities, allowlist);
+      expect(result).toBe(false);
+    });
+    test('should return false when allowlist is empty', () => {
+      const consumerCapabilities = ['public_web'];
+      const allowlist: string[] = [];
+      const result = checkAllowlist(consumerCapabilities, allowlist);
+      expect(result).toBe(false);
+    });
+    test('should return false when both are empty', () => {
+      const consumerCapabilities: string[] = [];
+      const allowlist: string[] = [];
+      const result = checkAllowlist(consumerCapabilities, allowlist);
+      expect(result).toBe(false);
+    });
+    test('should match exact capability names', () => {
+      const consumerCapabilities = ['public_web_v2'];
+      const allowlist = ['public_web'];
+      const result = checkAllowlist(consumerCapabilities, allowlist);
+      expect(result).toBe(false);
+    });
+    test('should be case-sensitive', () => {
+      const consumerCapabilities = ['Public_Web'];
+      const allowlist = ['public_web'];
+      const result = checkAllowlist(consumerCapabilities, allowlist);
+      expect(result).toBe(false);
+    });
+  });
+  describe('getProviderManifest', () => {
+    test('should return manifest when capability exists', () => {
+      const mockManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'dns-external',
+        name: 'DNS External',
+        version: '1.0.0',
+        description: 'External DNS',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'dns_external',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'tsig',
+                  type: 'string',
+                  description: 'TSIG secret',
+                  readable_by: ['public_web'],
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: (_query: string) => ({
+          get: (capabilityName: string) => {
+            if (capabilityName === 'dns_external') {
+              return {
+                manifest_data: JSON.stringify(mockManifest),
+              };
+            }
+            return undefined;
+          },
+        }),
+      } as unknown as Database;
+      const result = getProviderManifest('dns_external', mockDb);
+      expect(result).toEqual(mockManifest);
+    });
+    test('should return null when capability does not exist', () => {
+      const mockDb = {
+        prepare: () => ({
+          get: () => undefined,
+        }),
+      } as unknown as Database;
+      const result = getProviderManifest('unknown_capability', mockDb);
+      expect(result).toBeNull();
+    });
+    test('should parse JSON manifest correctly', () => {
+      const mockManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'test_capability',
+              version: '1.0.0',
+              data: { nested: { value: 'test' } },
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: () => ({
+          get: () => ({
+            manifest_data: JSON.stringify(mockManifest),
+          }),
+        }),
+      } as unknown as Database;
+      const result = getProviderManifest('test_capability', mockDb);
+      expect(result?.provides?.capabilities?.[0]?.data).toEqual({
+        nested: { value: 'test' },
+      });
+    });
+  });
+  describe('validateCapabilityAccess', () => {
+    test('should return success when module does not require capabilities', async () => {
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {} as Database;
+      const result = await validateCapabilityAccess(manifest, mockDb);
+      expect(result.success).toBe(true);
+    });
+    test('should return success when module requires capabilities array is empty', async () => {
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test-module',
+        name: 'Test Module',
+        version: '1.0.0',
+        description: 'Test',
+        requires: {
+          capabilities: [],
+        },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {} as Database;
+      const result = await validateCapabilityAccess(manifest, mockDb);
+      expect(result.success).toBe(true);
+    });
+    test('should return error when required capability not found', async () => {
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'caddy',
+        name: 'Caddy',
+        version: '1.0.0',
+        description: 'Web server',
+        requires: {
+          capabilities: [{ name: 'dns_external', version: '1.0.0' }],
+        },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: () => ({
+          get: () => undefined,
+        }),
+      } as unknown as Database;
+      const result = await validateCapabilityAccess(manifest, mockDb);
+      expect(result.success).toBe(false);
+      expect(result.error).toContain("Required capability 'dns_external' not found");
+      expect(result.error).toContain('No module provides this capability');
+    });
+    test('should return success when capability has no secrets', async () => {
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'consumer',
+        name: 'Consumer',
+        version: '1.0.0',
+        description: 'Test',
+        requires: {
+          capabilities: [{ name: 'monitoring', version: '1.0.0' }],
+        },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'provider',
+        name: 'Provider',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'monitoring',
+              version: '1.0.0',
+              data: {},
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: () => ({
+          get: () => ({
+            manifest_data: JSON.stringify(providerManifest),
+          }),
+        }),
+      } as unknown as Database;
+      const result = await validateCapabilityAccess(manifest, mockDb);
+      expect(result.success).toBe(true);
+    });
+    test('should return success when secret has no readable_by restriction', async () => {
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'consumer',
+        name: 'Consumer',
+        version: '1.0.0',
+        description: 'Test',
+        requires: {
+          capabilities: [{ name: 'dns_external', version: '1.0.0' }],
+        },
+        provides: { capabilities: [] },
+        variables: { owns: [], imports: [] },
+      };
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'dns-external',
+        name: 'DNS External',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'dns_external',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'api_key',
+                  type: 'string',
+                  description: 'API key',
+                  // No readable_by - accessible to all
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: () => ({
+          get: () => ({
+            manifest_data: JSON.stringify(providerManifest),
+          }),
+        }),
+      } as unknown as Database;
+      const result = await validateCapabilityAccess(manifest, mockDb);
+      expect(result.success).toBe(true);
+    });
+    test('should return success when consumer matches allowlist', async () => {
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'caddy',
+        name: 'Caddy',
+        version: '1.0.0',
+        description: 'Web server',
+        requires: {
+          capabilities: [{ name: 'dns_external', version: '1.0.0' }],
+        },
+        provides: {
+          capabilities: [
+            {
+              name: 'public_web',
+              version: '1.0.0',
+              data: {},
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'dns-external',
+        name: 'DNS External',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'dns_external',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'tsig',
+                  type: 'string',
+                  description: 'TSIG secret',
+                  readable_by: ['public_web'],
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: () => ({
+          get: () => ({
+            manifest_data: JSON.stringify(providerManifest),
+          }),
+        }),
+      } as unknown as Database;
+      const result = await validateCapabilityAccess(manifest, mockDb);
+      expect(result.success).toBe(true);
+    });
+    test('should return error when consumer does not match allowlist', async () => {
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'some-app',
+        name: 'Some App',
+        version: '1.0.0',
+        description: 'Test',
+        requires: {
+          capabilities: [{ name: 'dns_external', version: '1.0.0' }],
+        },
+        provides: {
+          capabilities: [
+            {
+              name: 'monitoring',
+              version: '1.0.0',
+              data: {},
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'dns-external',
+        name: 'DNS External',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'dns_external',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'tsig',
+                  type: 'string',
+                  description: 'TSIG secret',
+                  readable_by: ['public_web'],
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: () => ({
+          get: () => ({
+            manifest_data: JSON.stringify(providerManifest),
+          }),
+        }),
+      } as unknown as Database;
+      const result = await validateCapabilityAccess(manifest, mockDb);
+      expect(result.success).toBe(false);
+      expect(result.error).toContain("Module 'some-app' cannot access secret 'tsig'");
+      expect(result.error).toContain("capability 'dns_external'");
+      expect(result.error).toContain('only allows access to modules that provide: public_web');
+      expect(result.error).toContain('This module provides: monitoring');
+    });
+    test('should return error when consumer provides no capabilities', async () => {
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'consumer',
+        name: 'Consumer',
+        version: '1.0.0',
+        description: 'Test',
+        requires: {
+          capabilities: [{ name: 'dns_external', version: '1.0.0' }],
+        },
+        provides: { capabilities: [] }, // No provides section - empty
+        variables: { owns: [], imports: [] },
+      };
+      const providerManifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'dns-external',
+        name: 'DNS External',
+        version: '1.0.0',
+        description: 'Test',
+        requires: { capabilities: [] },
+        provides: {
+          capabilities: [
+            {
+              name: 'dns_external',
+              version: '1.0.0',
+              data: {},
+              secrets: [
+                {
+                  name: 'tsig',
+                  type: 'string',
+                  description: 'TSIG secret',
+                  readable_by: ['public_web'],
+                },
+              ],
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      const mockDb = {
+        prepare: () => ({
+          get: () => ({
+            manifest_data: JSON.stringify(providerManifest),
+          }),
+        }),
+      } as unknown as Database;
+      const result = await validateCapabilityAccess(manifest, mockDb);
+      expect(result.success).toBe(false);
+      expect(result.error).toContain('This module provides: (none)');
+    });
+    test('should validate all required capabilities', async () => {
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'complex-app',
+        name: 'Complex App',
+        version: '1.0.0',
+        description: 'Test',
+        requires: {
+          capabilities: [
+            { name: 'dns_external', version: '1.0.0' },
+            { name: 'database', version: '1.0.0' },
+          ],
+        },
+        provides: {
+          capabilities: [
+            {
+              name: 'public_web',
+              version: '1.0.0',
+              data: {},
+            },
+          ],
+        },
+        variables: { owns: [], imports: [] },
+      };
+      let callCount = 0;
+      const mockDb = {
+        prepare: () => ({
+          get: (capabilityName: string) => {
+            callCount++;
+            if (capabilityName === 'dns_external') {
+              return {
+                manifest_data: JSON.stringify({
+                  id: 'dns-external',
+                  name: 'DNS',
+                  version: '1.0.0',
+                  description: 'Test',
+                  provides: {
+                    capabilities: [
+                      {
+                        name: 'dns_external',
+                        version: '1.0.0',
+                        data: {},
+                        secrets: [
+                          {
+                            name: 'tsig',
+                            type: 'string',
+                            readable_by: ['public_web'],
+                          },
+                        ],
+                      },
+                    ],
+                  },
+                }),
+              };
+            }
+            if (capabilityName === 'database') {
+              return {
+                manifest_data: JSON.stringify({
+                  id: 'postgres',
+                  name: 'PostgreSQL',
+                  version: '1.0.0',
+                  description: 'Test',
+                  provides: {
+                    capabilities: [
+                      {
+                        name: 'database',
+                        version: '1.0.0',
+                        data: {},
+                      },
+                    ],
+                  },
+                }),
+              };
+            }
+            return undefined;
+          },
+        }),
+      } as unknown as Database;
+      const result = await validateCapabilityAccess(manifest, mockDb);
+      expect(result.success).toBe(true);
+      expect(callCount).toBe(2); // Should query both capabilities
+    });
+  });
+});