@celilo/cli 0.1.0

package/src/services/config-interview.ts

@@ -0,0 +1,694 @@
+/**
+ * Interactive Configuration Interview Service
+ *
+ * Prompts users for missing required configuration during deployment
+ */
+
+import * as p from '@clack/prompts';
+import { and, eq } from 'drizzle-orm';
+import { log, promptPassword, promptText } from '../cli/prompts';
+import type { DbClient } from '../db/client';
+import { moduleConfigs, secrets } from '../db/schema';
+import { encryptSecret } from '../secrets/encryption';
+import { deriveSecret, generateSecret } from '../secrets/generators';
+import { getOrCreateMasterKey } from '../secrets/master-key';
+import type { Machine } from '../types/infrastructure';
+import { getSecretMetadata, loadSecretsSchema } from './secret-schema-loader';
+
+export interface MissingVariable {
+  name: string;
+  source: 'user' | 'secret' | 'capability' | 'system';
+  description?: string;
+  /** Variable type from manifest (string, array, etc.) */
+  type?: string;
+  /** Derivation source (e.g., "$machine:ipAddress") */
+  derive_from?: string;
+  /** For multi-select: available options */
+  options?: Array<{ value: string; label: string; hint?: string }>;
+  /** Follow-up prompt for each selected option */
+  per_selection?: {
+    key_pattern: string;
+    prompt: string;
+    type?: string;
+    derive_from?: string;
+  };
+  /** Secret auto-generation config from manifest */
+  generate?: {
+    method: string;
+    length: number;
+    encoding: string;
+  };
+}
+
+export interface InterviewResult {
+  success: boolean;
+  configured: string[];
+  error?: string;
+}
+
+/**
+ * Resolve a $machine: derivation from an earmarked machine
+ *
+ * @returns Resolved value, or null if not resolvable
+ */
+function resolveMachineDerivation(deriveFrom: string, machine: Machine): string | null {
+  const key = deriveFrom.replace('$machine:', '');
+
+  switch (key) {
+    case 'ipAddress':
+      return machine.ipAddress;
+    case 'hostname':
+      return machine.hostname;
+    case 'zone':
+      return machine.zone;
+    case 'zones':
+      // Return comma-separated list of zones from interfaces
+      if (machine.interfaces.length === 0) return null;
+      return [
+        ...new Set(machine.interfaces.map((i) => i.zone).filter((z) => z !== 'unknown')),
+      ].join(',');
+    default:
+      return null;
+  }
+}
+
+/**
+ * Resolve a $machine:zone_ip derivation for a per_selection follow-up
+ * Looks up the interface IP for a given zone
+ */
+function resolveMachineZoneIp(machine: Machine, zone: string): string | null {
+  const iface = machine.interfaces.find((i) => i.zone === zone);
+  return iface?.ipAddress ?? null;
+}
+
+/**
+ * Interview user for missing required configuration
+ *
+ * @param moduleId - Module identifier
+ * @param missingVariables - Variables that need to be configured
+ * @param db - Database connection
+ * @param earmarkedMachine - Optional earmarked machine for $machine: derivation
+ * @returns Interview result
+ */
+export async function interviewForMissingConfig(
+  moduleId: string,
+  missingVariables: MissingVariable[],
+  db: DbClient,
+  earmarkedMachine?: Machine | null,
+): Promise<InterviewResult> {
+  const configured: string[] = [];
+
+  log.info(`Module '${moduleId}' requires configuration. Please provide the following:`);
+
+  for (const variable of missingVariables) {
+    try {
+      // Try to derive from earmarked machine before prompting
+      if (variable.derive_from?.startsWith('$machine:') && earmarkedMachine) {
+        const derived = resolveMachineDerivation(variable.derive_from, earmarkedMachine);
+        if (derived !== null) {
+          log.info(`✓ ${variable.name} = ${derived} (from machine ${earmarkedMachine.hostname})`);
+
+          // For multi-select variables with options, also handle per_selection follow-ups
+          if (variable.options && variable.per_selection) {
+            const selectedValues = derived.split(',');
+
+            // Store the main variable
+            await db
+              .insert(moduleConfigs)
+              .values({
+                moduleId,
+                key: variable.name,
+                value: derived,
+                valueJson: null,
+                createdAt: new Date(),
+                updatedAt: new Date(),
+              })
+              .onConflictDoUpdate({
+                target: [moduleConfigs.moduleId, moduleConfigs.key],
+                set: { value: derived, updatedAt: new Date() },
+              });
+            configured.push(variable.name);
+
+            // Handle per_selection follow-ups
+            for (const selectedVal of selectedValues) {
+              const followUpKey = variable.per_selection.key_pattern.replace(
+                '{value}',
+                selectedVal,
+              );
+
+              // Try to derive the follow-up value from machine
+              let followUpValue: string | null = null;
+              if (variable.per_selection.derive_from === '$machine:zone_ip' && earmarkedMachine) {
+                followUpValue = resolveMachineZoneIp(earmarkedMachine, selectedVal);
+              }
+
+              if (followUpValue !== null) {
+                log.info(
+                  `✓ ${followUpKey} = ${followUpValue} (from machine ${earmarkedMachine.hostname})`,
+                );
+                await db
+                  .insert(moduleConfigs)
+                  .values({
+                    moduleId,
+                    key: followUpKey,
+                    value: followUpValue,
+                    valueJson: null,
+                    createdAt: new Date(),
+                    updatedAt: new Date(),
+                  })
+                  .onConflictDoUpdate({
+                    target: [moduleConfigs.moduleId, moduleConfigs.key],
+                    set: { value: followUpValue, updatedAt: new Date() },
+                  });
+                configured.push(followUpKey);
+              } else {
+                // Can't derive - prompt for this follow-up
+                const option = variable.options?.find((o) => o.value === selectedVal);
+                const followUpPrompt = variable.per_selection.prompt
+                  .replace('{value}', selectedVal)
+                  .replace('{label}', option?.label || selectedVal)
+                  .replace('{hint}', option?.hint || '');
+
+                const userValue = await promptText({
+                  message: followUpPrompt,
+                  validate: (val) => {
+                    if (!val || val.trim() === '') return 'This field is required';
+                  },
+                });
+
+                await db
+                  .insert(moduleConfigs)
+                  .values({
+                    moduleId,
+                    key: followUpKey,
+                    value: userValue,
+                    valueJson: null,
+                    createdAt: new Date(),
+                    updatedAt: new Date(),
+                  })
+                  .onConflictDoUpdate({
+                    target: [moduleConfigs.moduleId, moduleConfigs.key],
+                    set: { value: userValue, updatedAt: new Date() },
+                  });
+                configured.push(followUpKey);
+              }
+            }
+
+            continue; // Already handled this variable fully
+          }
+
+          // Simple (non-multi-select) derived variable
+          await db
+            .insert(moduleConfigs)
+            .values({
+              moduleId,
+              key: variable.name,
+              value: derived,
+              valueJson: null,
+              createdAt: new Date(),
+              updatedAt: new Date(),
+            })
+            .onConflictDoUpdate({
+              target: [moduleConfigs.moduleId, moduleConfigs.key],
+              set: { value: derived, updatedAt: new Date() },
+            });
+          configured.push(variable.name);
+          continue;
+        }
+      }
+
+      let value: string;
+
+      if (variable.source === 'secret') {
+        // Prompt for secret (masked input)
+        const message = variable.description
+          ? `${variable.name} - ${variable.description}:`
+          : `${variable.name}:`;
+
+        value = await promptPassword({
+          message,
+          validate: (val) => {
+            if (!val || val.trim() === '') {
+              return 'This field is required';
+            }
+          },
+        });
+
+        // Encrypt and store secret
+        const masterKey = await getOrCreateMasterKey();
+        const encrypted = encryptSecret(value, masterKey);
+        await db
+          .insert(secrets)
+          .values({
+            moduleId,
+            name: variable.name,
+            encryptedValue: encrypted.encryptedValue,
+            iv: encrypted.iv,
+            authTag: encrypted.authTag,
+          })
+          .run();
+
+        configured.push(`${variable.name} (secret)`);
+      } else if (variable.options && variable.options.length > 0) {
+        // Multi-select prompt for variables with options
+        const message = variable.description
+          ? `${variable.name} - ${variable.description}:`
+          : `${variable.name}:`;
+
+        const selected = await p.multiselect({
+          message,
+          options: variable.options.map((opt) => ({
+            value: opt.value,
+            label: opt.label,
+            hint: opt.hint,
+          })),
+          required: true,
+        });
+
+        if (p.isCancel(selected)) {
+          return {
+            success: false,
+            configured,
+            error: `Configuration cancelled for ${variable.name}`,
+          };
+        }
+
+        const selectedValues = selected as string[];
+        value = selectedValues.join(',');
+
+        // Store config
+        await db
+          .insert(moduleConfigs)
+          .values({
+            moduleId,
+            key: variable.name,
+            value,
+            valueJson: null,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          })
+          .onConflictDoUpdate({
+            target: [moduleConfigs.moduleId, moduleConfigs.key],
+            set: {
+              value,
+              updatedAt: new Date(),
+            },
+          });
+
+        configured.push(variable.name);
+
+        // Handle per_selection follow-up prompts
+        if (variable.per_selection) {
+          for (const selectedVal of selectedValues) {
+            const option = variable.options?.find((o) => o.value === selectedVal);
+            const followUpKey = variable.per_selection.key_pattern.replace('{value}', selectedVal);
+            const followUpPrompt = variable.per_selection.prompt
+              .replace('{value}', selectedVal)
+              .replace('{label}', option?.label || selectedVal)
+              .replace('{hint}', option?.hint || '');
+
+            // Check if already configured
+            const existingFollowUp = db
+              .select()
+              .from(moduleConfigs)
+              .where(and(eq(moduleConfigs.moduleId, moduleId), eq(moduleConfigs.key, followUpKey)))
+              .get();
+
+            if (!existingFollowUp || !existingFollowUp.value) {
+              const followUpValue = await promptText({
+                message: followUpPrompt,
+                validate: (val) => {
+                  if (!val || val.trim() === '') return 'This field is required';
+                },
+              });
+
+              await db
+                .insert(moduleConfigs)
+                .values({
+                  moduleId,
+                  key: followUpKey,
+                  value: followUpValue,
+                  valueJson: null,
+                  createdAt: new Date(),
+                  updatedAt: new Date(),
+                })
+                .onConflictDoUpdate({
+                  target: [moduleConfigs.moduleId, moduleConfigs.key],
+                  set: { value: followUpValue, updatedAt: new Date() },
+                });
+
+              configured.push(followUpKey);
+            }
+          }
+        }
+      } else {
+        // Prompt for regular config (visible input)
+        const message = variable.description
+          ? `${variable.name} - ${variable.description}:`
+          : `${variable.name}:`;
+
+        value = await promptText({
+          message,
+          validate: (val) => {
+            if (!val || val.trim() === '') {
+              return 'This field is required';
+            }
+          },
+        });
+
+        // Store config
+        await db
+          .insert(moduleConfigs)
+          .values({
+            moduleId,
+            key: variable.name,
+            value,
+            valueJson: null,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+          })
+          .onConflictDoUpdate({
+            target: [moduleConfigs.moduleId, moduleConfigs.key],
+            set: {
+              value,
+              updatedAt: new Date(),
+            },
+          });
+
+        configured.push(variable.name);
+      }
+    } catch (error) {
+      return {
+        success: false,
+        configured,
+        error: `Failed to configure ${variable.name}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      };
+    }
+  }
+
+  return {
+    success: true,
+    configured,
+  };
+}
+
+/**
+ * Validate module secrets against manifest declarations
+ *
+ * Policy function (Rule 10.1) - reads database and manifest, no side effects
+ *
+ * @param moduleId - Module identifier
+ * @param db - Database connection
+ * @returns Array of missing secrets with metadata
+ */
+export async function validateModuleSecrets(
+  moduleId: string,
+  db: DbClient,
+): Promise<MissingVariable[]> {
+  const missingSecrets: MissingVariable[] = [];
+
+  // Load secrets schema
+  const schema = await loadSecretsSchema(moduleId, db);
+  if (!schema) {
+    // No schema file = no secrets declared
+    return [];
+  }
+
+  // Check each declared secret
+  for (const [secretName, propertySchema] of Object.entries(schema.properties)) {
+    // Check if secret exists in database
+    const existing = db
+      .select()
+      .from(secrets)
+      .where(and(eq(secrets.moduleId, moduleId), eq(secrets.name, secretName)))
+      .get();
+
+    if (!existing) {
+      missingSecrets.push({
+        name: secretName,
+        source: 'secret',
+        description: propertySchema.description || propertySchema.title,
+      });
+    }
+  }
+
+  return missingSecrets;
+}
+
+/**
+ * Interview user for missing module secrets with schema-aware logic
+ *
+ * Execution function (Rule 10.1) - performs I/O (prompts, database writes)
+ *
+ * Handles three secret source types:
+ * - "generated": Auto-generate, never prompt
+ * - "user_provided": Always prompt, required
+ * - "generated_optional": Prompt with "Press Enter to auto-generate"
+ *
+ * Also handles derived secrets (derive_from field)
+ *
+ * @param moduleId - Module identifier
+ * @param missingSecrets - Secrets that need to be configured
+ * @param db - Database connection
+ * @returns Interview result
+ */
+export async function interviewForMissingSecrets(
+  moduleId: string,
+  missingSecrets: MissingVariable[],
+  db: DbClient,
+): Promise<InterviewResult> {
+  const configured: string[] = [];
+
+  log.info(`Module '${moduleId}' requires secrets. Configuring:`);
+
+  const masterKey = await getOrCreateMasterKey();
+
+  // Sort secrets to ensure derived secrets come after their source secrets
+  // Build dependency map
+  const metadataMap = new Map<string, Awaited<ReturnType<typeof getSecretMetadata>>>();
+  for (const variable of missingSecrets) {
+    const metadata = await getSecretMetadata(moduleId, variable.name, db);
+    metadataMap.set(variable.name, metadata);
+  }
+
+  // Topological sort: ensure derived secrets come immediately after their source
+  const sorted: typeof missingSecrets = [];
+  const processed = new Set<string>();
+
+  function addWithDependents(secret: (typeof missingSecrets)[0]) {
+    if (processed.has(secret.name)) return;
+
+    processed.add(secret.name);
+    sorted.push(secret);
+
+    // Immediately add any secrets that derive from this one
+    for (const s of missingSecrets) {
+      const meta = metadataMap.get(s.name);
+      if (meta?.deriveFrom === secret.name && !processed.has(s.name)) {
+        addWithDependents(s);
+      }
+    }
+  }
+
+  // Process all non-derived secrets first (in original order), each followed by its dependents
+  for (const secret of missingSecrets) {
+    const meta = metadataMap.get(secret.name);
+    if (!meta?.deriveFrom) {
+      addWithDependents(secret);
+    }
+  }
+
+  // Add any remaining secrets (shouldn't happen if derivation graph is valid)
+  for (const secret of missingSecrets) {
+    if (!processed.has(secret.name)) {
+      addWithDependents(secret);
+    }
+  }
+
+  for (const variable of sorted) {
+    try {
+      // Get metadata from schema (already loaded during sorting)
+      const metadata = metadataMap.get(variable.name);
+
+      // Manifest generate field takes priority over schema metadata
+      const hasManifestGenerate = !!variable.generate;
+      // If no metadata, default to user_provided (safe default)
+      const source = hasManifestGenerate ? 'generated' : metadata?.source || 'user_provided';
+
+      let value: string;
+
+      // Handle derived secrets first
+      if (metadata?.deriveFrom) {
+        // Look up source secret
+        const sourceSecret = db
+          .select()
+          .from(secrets)
+          .where(and(eq(secrets.moduleId, moduleId), eq(secrets.name, metadata.deriveFrom)))
+          .get();
+
+        if (!sourceSecret) {
+          return {
+            success: false,
+            configured,
+            error: `Cannot derive ${variable.name}: source secret ${metadata.deriveFrom} not found`,
+          };
+        }
+
+        // Decrypt source secret
+        const decryptedSource = await import('../secrets/encryption').then((m) =>
+          m.decryptSecret(
+            {
+              encryptedValue: sourceSecret.encryptedValue,
+              iv: sourceSecret.iv,
+              authTag: sourceSecret.authTag,
+            },
+            masterKey,
+          ),
+        );
+
+        // Derive value
+        if (!metadata.deriveMethod) {
+          return {
+            success: false,
+            configured,
+            error: `Cannot derive ${variable.name}: derive_method not specified in schema`,
+          };
+        }
+
+        value = deriveSecret({
+          sourceSecret: decryptedSource,
+          deriveMethod: metadata.deriveMethod,
+        });
+
+        log.info(`🔗 Derived ${variable.name} from ${metadata.deriveFrom}`);
+      } else if (source === 'generated') {
+        // Auto-generate without prompting
+        // Manifest generate field takes priority over schema metadata
+        const format = variable.generate?.encoding || metadata?.format || 'base64';
+        const length = variable.generate?.length || metadata?.length || 32;
+
+        value = generateSecret({ format, length });
+
+        log.info(`🔑 Auto-generated ${format} secret: ${variable.name}`);
+      } else if (source === 'user_provided') {
+        // Always prompt, required
+        // Check if we're in interactive mode
+        if (!process.stdin.isTTY) {
+          // Non-interactive: skip this secret and continue processing others
+          // The caller will handle the remaining user-provided secrets
+          continue;
+        }
+
+        const message = variable.description
+          ? `${variable.name} - ${variable.description}:`
+          : `${variable.name}:`;
+
+        value = await promptPassword({
+          message,
+          validate: (val) => {
+            if (!val || val.trim() === '') {
+              return 'This field is required';
+            }
+          },
+        });
+
+        log.info(`✓ Saved ${variable.name}`);
+      } else if (source === 'user_password') {
+        // Password the user must remember — prompt twice to confirm
+        if (!process.stdin.isTTY) {
+          continue;
+        }
+
+        const message = variable.description
+          ? `${variable.name} - ${variable.description}:`
+          : `${variable.name}:`;
+
+        value = await promptPassword({
+          message,
+          validate: (val) => {
+            if (!val || val.trim() === '') {
+              return 'This field is required';
+            }
+          },
+        });
+
+        const confirmation = await promptPassword({
+          message: `Confirm ${variable.name}:`,
+          validate: (val) => {
+            if (!val || val.trim() === '') {
+              return 'This field is required';
+            }
+          },
+        });
+
+        if (value !== confirmation) {
+          log.error('Passwords do not match. Please try again.');
+          // Re-prompt by decrementing — but we're in a for-of loop, so just return error
+          return {
+            success: false,
+            configured,
+            error: `Passwords do not match for ${variable.name}. Re-run deploy to try again.`,
+          };
+        }
+
+        log.info(`✓ Saved ${variable.name}`);
+      } else if (source === 'generated_optional') {
+        // Prompt with auto-generate option
+        const message = variable.description
+          ? `${variable.name} - ${variable.description} (Press Enter to auto-generate):`
+          : `${variable.name} (Press Enter to auto-generate):`;
+
+        const userValue = await promptPassword({
+          message,
+          validate: () => undefined, // Allow empty
+        });
+
+        if (!userValue || userValue.trim() === '') {
+          // Auto-generate
+          const format = metadata?.format || 'base64';
+          const length = metadata?.length || 32;
+
+          value = generateSecret({ format, length });
+
+          log.info(`🔑 Auto-generated ${format} secret: ${variable.name}`);
+        } else {
+          // Use user-provided value
+          value = userValue;
+          log.info(`✓ Saved ${variable.name}`);
+        }
+      } else {
+        return {
+          success: false,
+          configured,
+          error: `Unknown secret source type: ${source}`,
+        };
+      }
+
+      // Encrypt and store secret
+      const encrypted = encryptSecret(value, masterKey);
+      await db
+        .insert(secrets)
+        .values({
+          moduleId,
+          name: variable.name,
+          encryptedValue: encrypted.encryptedValue,
+          iv: encrypted.iv,
+          authTag: encrypted.authTag,
+        })
+        .run();
+
+      configured.push(`${variable.name} (secret)`);
+    } catch (error) {
+      return {
+        success: false,
+        configured,
+        error: `Failed to configure ${variable.name}: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      };
+    }
+  }
+
+  return {
+    success: true,
+    configured,
+  };
+}