@celilo/cli 0.1.0

package/src/services/cross-module-data-manager.ts

@@ -0,0 +1,412 @@
+/**
+ * Cross-Module Data Manager
+ *
+ * Manages data exchange between modules, including:
+ * - Storing/retrieving configuration data from function calls
+ * - Encrypting sensitive data (secrets)
+ * - Resolving variables in parameters
+ * - Looking up capability providers
+ *
+ * Future: Full function call orchestration, lifecycle management
+ */
+
+import { and, eq } from 'drizzle-orm';
+import { type DbClient, createDbClient } from '../db/client';
+import { capabilities, moduleConfigs, secrets } from '../db/schema';
+import { decryptSecret, encryptSecret } from '../secrets/encryption';
+import { getOrCreateMasterKey } from '../secrets/master-key';
+import { buildResolutionContext } from '../variables/context';
+import { resolveTemplate } from '../variables/resolver';
+
+/**
+ * Configuration data type
+ */
+export interface ConfigData {
+  key: string;
+  value: string | number | boolean | unknown[] | Record<string, unknown>;
+  isSecret: boolean;
+}
+
+/**
+ * Capability lookup result
+ */
+export interface CapabilityInfo {
+  moduleId: string;
+  capabilityName: string;
+  version: string;
+  data: Record<string, unknown>;
+}
+
+/**
+ * Cross-module data manager
+ * Orchestrates data exchange between modules
+ */
+export class CrossModuleDataManager {
+  private db: DbClient;
+  private masterKey: Buffer | null = null;
+
+  constructor(db?: DbClient) {
+    this.db = db || createDbClient();
+  }
+
+  /**
+   * Initialize manager (load master key)
+   * Execution function - performs I/O
+   */
+  async initialize(): Promise<void> {
+    this.masterKey = await getOrCreateMasterKey();
+  }
+
+  /**
+   * Ensure master key is loaded
+   * Policy function - validates state
+   */
+  private ensureMasterKey(): Buffer {
+    if (!this.masterKey) {
+      throw new Error('CrossModuleDataManager not initialized. Call initialize() first.');
+    }
+    return this.masterKey;
+  }
+
+  /**
+   * Store configuration data for a module
+   * Handles both regular config and secrets
+   *
+   * Execution function - performs database writes and encryption
+   *
+   * @param moduleId - Module ID
+   * @param key - Configuration key
+   * @param value - Configuration value
+   * @param isSecret - Whether to encrypt the value
+   */
+  async storeConfigData(
+    moduleId: string,
+    key: string,
+    value: string | number | boolean | unknown[] | Record<string, unknown>,
+    isSecret = false,
+  ): Promise<void> {
+    if (isSecret) {
+      await this.storeSecret(moduleId, key, String(value));
+    } else {
+      await this.storeConfig(moduleId, key, value);
+    }
+  }
+
+  /**
+   * Store regular (non-secret) configuration
+   * Execution function - performs database write
+   */
+  private async storeConfig(
+    moduleId: string,
+    key: string,
+    value: string | number | boolean | unknown[] | Record<string, unknown>,
+  ): Promise<void> {
+    const isComplex = typeof value === 'object' && value !== null;
+
+    const existing = this.db
+      .select()
+      .from(moduleConfigs)
+      .where(and(eq(moduleConfigs.moduleId, moduleId), eq(moduleConfigs.key, key)))
+      .get();
+
+    if (existing) {
+      // Update existing
+      this.db
+        .update(moduleConfigs)
+        .set({
+          value: isComplex ? '' : String(value),
+          valueJson: isComplex ? JSON.stringify(value) : null,
+          updatedAt: new Date(Date.now()),
+        })
+        .where(eq(moduleConfigs.id, existing.id))
+        .run();
+    } else {
+      // Insert new
+      this.db
+        .insert(moduleConfigs)
+        .values({
+          moduleId,
+          key,
+          value: isComplex ? '' : String(value),
+          valueJson: isComplex ? JSON.stringify(value) : null,
+        })
+        .run();
+    }
+  }
+
+  /**
+   * Store secret (encrypted)
+   * Execution function - performs encryption and database write
+   *
+   * @param moduleId - Module ID
+   * @param name - Secret name
+   * @param value - Secret value (plaintext)
+   */
+  async storeSecret(moduleId: string, name: string, value: string): Promise<void> {
+    const masterKey = this.ensureMasterKey();
+
+    // Encrypt the secret
+    const encrypted = encryptSecret(value, masterKey);
+
+    // Check if secret already exists
+    const existing = this.db
+      .select()
+      .from(secrets)
+      .where(and(eq(secrets.moduleId, moduleId), eq(secrets.name, name)))
+      .get();
+
+    if (existing) {
+      // Update existing
+      this.db
+        .update(secrets)
+        .set({
+          encryptedValue: encrypted.encryptedValue,
+          iv: encrypted.iv,
+          authTag: encrypted.authTag,
+          updatedAt: new Date(Date.now()),
+        })
+        .where(eq(secrets.id, existing.id))
+        .run();
+    } else {
+      // Insert new
+      this.db
+        .insert(secrets)
+        .values({
+          moduleId,
+          name,
+          encryptedValue: encrypted.encryptedValue,
+          iv: encrypted.iv,
+          authTag: encrypted.authTag,
+        })
+        .run();
+    }
+  }
+
+  /**
+   * Get configuration data (non-secret)
+   * Execution function - performs database read
+   *
+   * @param moduleId - Module ID
+   * @param key - Configuration key
+   * @returns Configuration value or null if not found
+   */
+  getConfigData(
+    moduleId: string,
+    key: string,
+  ): string | number | boolean | unknown[] | Record<string, unknown> | null {
+    const config = this.db
+      .select()
+      .from(moduleConfigs)
+      .where(and(eq(moduleConfigs.moduleId, moduleId), eq(moduleConfigs.key, key)))
+      .get();
+
+    if (!config) {
+      return null;
+    }
+
+    // Return complex type from valueJson
+    if (config.valueJson) {
+      try {
+        return JSON.parse(config.valueJson);
+      } catch (error) {
+        throw new Error(
+          `Failed to parse config value for ${moduleId}.${key}: ${error instanceof Error ? error.message : 'Invalid JSON'}`,
+        );
+      }
+    }
+
+    // Return primitive type from value
+    // Parse to correct type
+    if (config.value === 'true') return true;
+    if (config.value === 'false') return false;
+
+    const num = Number(config.value);
+    if (!Number.isNaN(num)) {
+      return num;
+    }
+
+    return config.value;
+  }
+
+  /**
+   * Get secret (decrypted)
+   * Execution function - performs database read and decryption
+   *
+   * @param moduleId - Module ID
+   * @param name - Secret name
+   * @returns Decrypted secret value or null if not found
+   */
+  getSecret(moduleId: string, name: string): string | null {
+    const masterKey = this.ensureMasterKey();
+
+    const secret = this.db
+      .select()
+      .from(secrets)
+      .where(and(eq(secrets.moduleId, moduleId), eq(secrets.name, name)))
+      .get();
+
+    if (!secret) {
+      return null;
+    }
+
+    // Decrypt and return
+    return decryptSecret(
+      {
+        encryptedValue: secret.encryptedValue,
+        iv: secret.iv,
+        authTag: secret.authTag,
+      },
+      masterKey,
+    );
+  }
+
+  /**
+   * Get all secrets for a module (decrypted)
+   * Execution function - performs database read and decryption
+   *
+   * @param moduleId - Module ID
+   * @returns Record of secret name -> decrypted value
+   */
+  getAllSecrets(moduleId: string): Record<string, string> {
+    const masterKey = this.ensureMasterKey();
+
+    const secretRecords = this.db
+      .select()
+      .from(secrets)
+      .where(eq(secrets.moduleId, moduleId))
+      .all();
+
+    const result: Record<string, string> = {};
+
+    for (const secret of secretRecords) {
+      result[secret.name] = decryptSecret(
+        {
+          encryptedValue: secret.encryptedValue,
+          iv: secret.iv,
+          authTag: secret.authTag,
+        },
+        masterKey,
+      );
+    }
+
+    return result;
+  }
+
+  /**
+   * Look up which module provides a capability
+   * Execution function - performs database query
+   *
+   * @param capabilityName - Capability name (e.g., 'dns_registrar', 'idp')
+   * @returns Capability info or null if not found
+   */
+  findCapabilityProvider(capabilityName: string): CapabilityInfo | null {
+    const capability = this.db
+      .select()
+      .from(capabilities)
+      .where(eq(capabilities.capabilityName, capabilityName))
+      .get();
+
+    if (!capability) {
+      return null;
+    }
+
+    return {
+      moduleId: capability.moduleId,
+      capabilityName: capability.capabilityName,
+      version: capability.version,
+      data: capability.data as Record<string, unknown>,
+    };
+  }
+
+  /**
+   * Resolve variables in parameters
+   * Uses the variable resolver to handle $self:, $system:, $capability:, etc.
+   *
+   * Execution function - performs database reads for variable resolution
+   *
+   * @param moduleId - Module ID for $self: resolution
+   * @param params - Parameters with variables to resolve
+   * @returns Resolved parameters
+   */
+  async resolveParameters(
+    moduleId: string,
+    params: Record<string, unknown>,
+  ): Promise<Record<string, unknown>> {
+    // Build resolution context
+    const context = await buildResolutionContext(moduleId, this.db);
+
+    // Resolve each parameter value
+    const resolved: Record<string, unknown> = {};
+
+    for (const [key, value] of Object.entries(params)) {
+      if (typeof value === 'string') {
+        const result = await resolveTemplate(value, context, this.db);
+        if (!result.success) {
+          throw new Error(
+            `Failed to resolve parameter '${key}': ${result.errors.map((e) => e.error).join(', ')}`,
+          );
+        }
+        resolved[key] = result.content;
+      } else if (Array.isArray(value)) {
+        // Resolve each array element
+        resolved[key] = await Promise.all(
+          value.map(async (item) => {
+            if (typeof item === 'string') {
+              const result = await resolveTemplate(item, context, this.db);
+              if (!result.success) {
+                throw new Error(`Failed to resolve array element in '${key}'`);
+              }
+              return result.content;
+            }
+            return item;
+          }),
+        );
+      } else if (typeof value === 'object' && value !== null) {
+        // Recursively resolve object properties
+        resolved[key] = await this.resolveParameters(moduleId, value as Record<string, unknown>);
+      } else {
+        // Primitive value - keep as-is
+        resolved[key] = value;
+      }
+    }
+
+    return resolved;
+  }
+
+  /**
+   * Generate TSIG key for DNS dynamic updates
+   * Planning function (Rule 10.1) - decides what type of key to generate
+   *
+   * @param algorithm - TSIG algorithm (default: hmac-sha256)
+   * @returns Base64-encoded TSIG key
+   */
+  generateTSIGKey(algorithm = 'hmac-sha256'): string {
+    // TSIG keys are typically 256-bit (32 bytes) for hmac-sha256
+    const keyLength = algorithm === 'hmac-sha256' ? 32 : 32;
+    const key = new Uint8Array(keyLength);
+    crypto.getRandomValues(key);
+    return btoa(String.fromCharCode(...key));
+  }
+
+  /**
+   * Generate secure random secret
+   * Planning function - decides length and encoding
+   *
+   * @param length - Length in bytes (default: 32)
+   * @param encoding - Encoding format (default: hex)
+   * @returns Random secret
+   */
+  generateSecret(length = 32, encoding: 'hex' | 'base64' = 'hex'): string {
+    const bytes = new Uint8Array(length);
+    crypto.getRandomValues(bytes);
+
+    if (encoding === 'base64') {
+      return btoa(String.fromCharCode(...bytes));
+    }
+
+    // Hex encoding
+    return Array.from(bytes)
+      .map((b) => b.toString(16).padStart(2, '0'))
+      .join('');
+  }
+}

package/src/services/deploy-ansible.ts

@@ -0,0 +1,88 @@
+/**
+ * Ansible Execution Service
+ *
+ * Executes Ansible playbooks with vault password and streaming progress
+ */
+
+import { appendFile, mkdtemp, rm, writeFile } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { log } from '../cli/prompts';
+import { getVaultPassword } from '../secrets/vault';
+import { shellEscape } from '../utils/shell';
+import { executeBuildWithProgress } from './build-stream';
+
+export interface AnsibleResult {
+  success: boolean;
+  output: string;
+  error?: string;
+}
+
+/**
+ * Execute Ansible playbook with streaming progress
+ * Execution function - performs software deployment
+ *
+ * @param generatedPath - Path to generated module artifacts
+ * @returns Ansible execution result
+ */
+export async function executeAnsible(
+  generatedPath: string,
+  options?: { noInteractive?: boolean },
+): Promise<AnsibleResult> {
+  const ansibleDir = join(generatedPath, 'ansible');
+  const inventoryPath = join(ansibleDir, 'inventory', 'hosts.ini');
+  const playbookPath = join(ansibleDir, 'playbook.yml');
+
+  // Get Ansible Vault password
+  const vaultPassword = await getVaultPassword();
+
+  // Write vault password to temp file (same approach as ansible/secrets.ts)
+  // Using /dev/stdin doesn't work reliably — Ansible tries to execute it as a
+  // script and hits permission errors on some platforms.
+  const tempDir = await mkdtemp(join(tmpdir(), 'celilo-vault-'));
+  const passwordPath = join(tempDir, 'vault-pass');
+  await writeFile(passwordPath, vaultPassword, { mode: 0o600 });
+
+  const logPath = join(generatedPath, 'deploy.log');
+  log.info('Deploying software...');
+
+  try {
+    // Execute ansible-playbook with streaming progress
+    // Note: Paths escaped for shell execution (macOS paths contain spaces)
+    const result = await executeBuildWithProgress({
+      command: 'ansible-playbook',
+      args: [
+        '-i',
+        shellEscape(inventoryPath),
+        '--vault-password-file',
+        shellEscape(passwordPath),
+        shellEscape(playbookPath),
+      ],
+      cwd: ansibleDir,
+      title: 'Deploying software',
+      noInteractive: options?.noInteractive,
+    });
+
+    // Persist full output to log file for debugging
+    const timestamp = new Date().toISOString();
+    const logHeader = `\n--- Ansible deploy ${timestamp} ---\n`;
+    await appendFile(logPath, logHeader + result.output, 'utf-8');
+
+    if (!result.success) {
+      log.warn(`Full deploy log: ${logPath}`);
+      return {
+        success: false,
+        output: result.output,
+        error: result.error || 'Ansible deployment failed',
+      };
+    }
+
+    log.success('Software deployed');
+    return {
+      success: true,
+      output: result.output,
+    };
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+}

package/src/services/deploy-planner.ts

@@ -0,0 +1,153 @@
+/**
+ * Deployment Planning Service
+ *
+ * Determines what deployment steps are needed based on current state
+ */
+
+import { join } from 'node:path';
+import { eq } from 'drizzle-orm';
+import type { DbClient } from '../db/client';
+import { moduleConfigs, moduleInfrastructure } from '../db/schema';
+import type { ModuleManifest } from '../manifest/schema';
+
+export interface DeploymentPlan {
+  needsTerraform: boolean;
+  needsSSHWait: boolean;
+  ansiblePlaybook: string;
+  targetHost: {
+    hostname: string;
+    ip: string;
+    user: string;
+  };
+  infrastructure?: {
+    type: 'machine' | 'container_service';
+    machineId?: string;
+    serviceId?: string;
+  };
+}
+
+/**
+ * Determine what deployment steps are needed
+ * Planning function - analyzes state and returns plan
+ *
+ * - Machine infrastructure: skip Terraform (machine already exists)
+ * - Container service: run Terraform (need to provision container)
+ *
+ * @param moduleId - Module identifier
+ * @param generatedPath - Path to generated artifacts
+ * @param manifest - Module manifest
+ * @param db - Database connection
+ * @returns Deployment plan
+ */
+export async function planDeployment(
+  moduleId: string,
+  generatedPath: string,
+  _manifest: ModuleManifest,
+  db: DbClient,
+): Promise<DeploymentPlan> {
+  const infrastructure = await db
+    .select()
+    .from(moduleInfrastructure)
+    .where(eq(moduleInfrastructure.moduleId, moduleId))
+    .get();
+
+  if (!infrastructure) {
+    throw new Error(
+      `No infrastructure selected for module ${moduleId}. Run 'celilo module generate ${moduleId}' first to select infrastructure (container service or machine) and generate templates.`,
+    );
+  }
+
+  let needsTerraform: boolean;
+  let needsSSHWait: boolean;
+
+  if (infrastructure.infrastructureType === 'machine') {
+    // Machine infrastructure: skip Terraform (machine already exists)
+    // No SSH wait needed (machine already running)
+    needsTerraform = false;
+    needsSSHWait = false;
+  } else if (infrastructure.infrastructureType === 'container_service') {
+    // Container service: run Terraform to provision container
+    needsTerraform = true;
+    needsSSHWait = true;
+  } else {
+    throw new Error(`Unknown infrastructure type: ${infrastructure.infrastructureType}`);
+  }
+
+  // Extract target host information from module config
+  const targetHost = await extractTargetHost(moduleId, db);
+
+  return {
+    needsTerraform,
+    needsSSHWait,
+    ansiblePlaybook: join(generatedPath, 'ansible', 'playbook.yml'),
+    targetHost,
+    infrastructure: infrastructure
+      ? {
+          type: infrastructure.infrastructureType as 'machine' | 'container_service',
+          machineId: infrastructure.machineId || undefined,
+          serviceId: infrastructure.serviceId || undefined,
+        }
+      : undefined,
+  };
+}
+
+/**
+ * Extract target host information from module configuration
+ * Execution function - queries database
+ *
+ * Must be called AFTER infrastructure variable resolution
+ * to pick up infrastructure-derived variables like ip.primary
+ *
+ * @param moduleId - Module identifier
+ * @param db - Database connection
+ * @returns Target host information
+ */
+export async function extractTargetHost(
+  moduleId: string,
+  db: DbClient,
+): Promise<{ hostname: string; ip: string; user: string }> {
+  // Get module configuration
+  const configs = await db
+    .select()
+    .from(moduleConfigs)
+    .where(eq(moduleConfigs.moduleId, moduleId))
+    .all();
+
+  // Build config map
+  const configMap = new Map<string, string>();
+  for (const config of configs) {
+    const value = config.valueJson || config.value;
+    if (value) {
+      configMap.set(config.key, value);
+    }
+  }
+
+  // Extract hostname
+  const hostname = configMap.get('hostname') || moduleId;
+
+  // Extract IP - support infrastructure-derived variables
+  // Priority: container_ip > ip.primary > vps_ip (backward compatibility)
+  let ip = '';
+  const containerIp = configMap.get('container_ip');
+  const ipPrimary = configMap.get('ip.primary');
+  const vpsIp = configMap.get('vps_ip');
+
+  if (containerIp) {
+    // Container IP format: "10.0.10.10/24" - extract just IP
+    ip = containerIp.split('/')[0];
+  } else if (ipPrimary) {
+    // Infrastructure-derived IP (already plain format)
+    ip = ipPrimary;
+  } else if (vpsIp) {
+    ip = vpsIp;
+  }
+
+  // Extract ansible user (defaults to root)
+  const user = configMap.get('ansible_user') || 'root';
+
+  return {
+    hostname,
+    ip,
+    user,
+  };
+}