@celilo/cli 0.1.0

package/src/services/deploy-preflight.ts

@@ -0,0 +1,274 @@
+/**
+ * Deployment Pre-flight Check
+ *
+ * Fast validation that catches deployment-blocking issues BEFORE
+ * spinning up infrastructure. Designed to run in ~100ms, not ~120s.
+ *
+ * Checks:
+ * 1. Module exists and has a valid manifest
+ * 2. All required capabilities have installed providers
+ * 3. All required variables have values (from config, derivation,
+ *    or capability chain)
+ * 4. Capability derivation chains resolve to actual values (not
+ *    unresolved templates like $self:primary_domain)
+ * 5. Infrastructure is available for the module's zone (machine or
+ *    container service exists)
+ *
+ * Does NOT:
+ * - Run template generation
+ * - Run Ansible or Terraform
+ * - Start any containers
+ * - Modify any state
+ */
+
+import { eq } from 'drizzle-orm';
+import type { DbClient } from '../db/client';
+import { getDb } from '../db/client';
+import { capabilities, moduleConfigs, modules, secrets } from '../db/schema';
+import type { ModuleManifest } from '../manifest/schema';
+import { buildResolutionContext } from '../variables/context';
+
+export interface PreflightResult {
+  success: boolean;
+  moduleId: string;
+  errors: PreflightError[];
+  warnings: PreflightWarning[];
+}
+
+export interface PreflightError {
+  category:
+    | 'missing-config'
+    | 'missing-capability'
+    | 'unresolved-template'
+    | 'no-infrastructure'
+    | 'missing-secret';
+  message: string;
+  variable?: string;
+  suggestion?: string;
+}
+
+export interface PreflightWarning {
+  category: string;
+  message: string;
+}
+
+/**
+ * Run a fast pre-flight check for a module deployment.
+ *
+ * Returns structured errors that describe exactly what's wrong and
+ * how to fix it, without actually attempting the deployment.
+ */
+export async function runPreflight(
+  moduleId: string,
+  db: DbClient = getDb(),
+): Promise<PreflightResult> {
+  const errors: PreflightError[] = [];
+  const warnings: PreflightWarning[] = [];
+
+  // 1. Module exists?
+  const module = db.select().from(modules).where(eq(modules.id, moduleId)).get();
+  if (!module) {
+    return {
+      success: false,
+      moduleId,
+      errors: [
+        {
+          category: 'missing-config',
+          message: `Module '${moduleId}' not found`,
+          suggestion: 'Run: celilo module import <path>',
+        },
+      ],
+      warnings: [],
+    };
+  }
+
+  const manifest = module.manifestData as ModuleManifest;
+
+  // 2. Required capabilities have providers?
+  if (manifest.requires?.capabilities) {
+    for (const cap of manifest.requires.capabilities) {
+      const provider = db
+        .select()
+        .from(capabilities)
+        .where(eq(capabilities.capabilityName, cap.name))
+        .get();
+      if (!provider) {
+        errors.push({
+          category: 'missing-capability',
+          message: `Required capability '${cap.name}' has no provider installed`,
+          suggestion: `Deploy a module that provides '${cap.name}' first`,
+        });
+      }
+    }
+  }
+
+  // 3. Required variables have values?
+  const configRows = db
+    .select()
+    .from(moduleConfigs)
+    .where(eq(moduleConfigs.moduleId, moduleId))
+    .all();
+  const configMap = new Map(
+    configRows.map((c) => [c.key, c.valueJson ? JSON.parse(c.valueJson) : c.value]),
+  );
+
+  const secretRows = db.select().from(secrets).where(eq(secrets.moduleId, moduleId)).all();
+  const secretNames = new Set(secretRows.map((s) => s.name));
+
+  if (manifest.variables?.owns) {
+    for (const variable of manifest.variables.owns) {
+      if (!variable.required) continue;
+
+      // Infrastructure/terraform variables are auto-derived during deploy
+      if (variable.source === 'infrastructure' || variable.source === 'terraform') {
+        continue;
+      }
+
+      const hasValue = configMap.has(variable.name);
+      const hasDeriveFrom = !!variable.derive_from;
+      const hasDefault = variable.default !== undefined;
+
+      if (!hasValue && !hasDeriveFrom && !hasDefault) {
+        errors.push({
+          category: 'missing-config',
+          message: `Required variable '${variable.name}' is not configured`,
+          variable: variable.name,
+          suggestion: `celilo module config set ${moduleId} ${variable.name} <value>`,
+        });
+      }
+    }
+  }
+
+  // Check secrets
+  if (manifest.secrets?.declares) {
+    for (const secret of manifest.secrets.declares) {
+      if (!secret.required) continue;
+      const hasSecret = secretNames.has(secret.name);
+      const hasGenerate = !!secret.generate;
+      if (!hasSecret && !hasGenerate) {
+        errors.push({
+          category: 'missing-secret',
+          message: `Required secret '${secret.name}' is not set`,
+          variable: secret.name,
+          suggestion: `celilo module secret set ${moduleId} ${secret.name} <value>`,
+        });
+      }
+    }
+  }
+
+  // 4. Check for unresolved template strings in configured values
+  // This catches the bug where capability derivation chains produce
+  // raw template strings like "$self:primary_domain" instead of
+  // actual values.
+  try {
+    const context = await buildResolutionContext(moduleId, db);
+    for (const [key, value] of Object.entries(context.selfConfig)) {
+      if (
+        typeof value === 'string' &&
+        (value.includes('$self:') ||
+          value.includes('$system:') ||
+          value.includes('$capability:') ||
+          value.includes('$secret:'))
+      ) {
+        errors.push({
+          category: 'unresolved-template',
+          message: `Variable '${key}' has unresolved template: ${value}`,
+          variable: key,
+          suggestion: `Set it explicitly: celilo module config set ${moduleId} ${key} <value>`,
+        });
+      }
+    }
+  } catch (error) {
+    // Resolution context may fail — that's informative too
+    warnings.push({
+      category: 'resolution',
+      message: `Variable resolution warning: ${error instanceof Error ? error.message : String(error)}`,
+    });
+  }
+
+  // 5. Infrastructure availability (for modules that need it)
+  if (manifest.requires?.machine) {
+    const zone = manifest.requires.machine.zone;
+    if (zone) {
+      // Simplified check: is there a machine or service for the module's zone?
+      // The full infrastructure selector (selectInfrastructure) needs a Module
+      // object, which is more than we want for a fast pre-flight. Instead,
+      // check if the deploy-validation flow would fail at the infrastructure
+      // selection step by looking for machines/services in the zone directly.
+      try {
+        const { listMachines } = await import('./machine-pool');
+        const machines = await listMachines();
+        const { listContainerServices } = await import('./container-service');
+        const services = await listContainerServices();
+
+        const hasMachine = machines.some((m) => m.zone === zone || m.earmarkedModule === moduleId);
+        const hasService = services.some((s) => {
+          const zones = s.zones || [];
+          return zones.includes(zone);
+        });
+
+        if (!hasMachine && !hasService) {
+          errors.push({
+            category: 'no-infrastructure',
+            message: `No infrastructure available for zone '${zone}'`,
+            suggestion: `Add a machine: celilo machine add <ip> --zone ${zone}\nOr add a container service: celilo service add proxmox`,
+          });
+        }
+      } catch {
+        // Machine/service queries may fail — non-fatal for preflight
+      }
+    }
+  }
+
+  return {
+    success: errors.length === 0,
+    moduleId,
+    errors,
+    warnings,
+  };
+}
+
+/**
+ * Format a preflight result as a human-readable string.
+ */
+export function formatPreflightResult(result: PreflightResult): string {
+  if (result.success) {
+    const warnCount = result.warnings.length;
+    return warnCount > 0
+      ? `Pre-flight check passed with ${warnCount} warning(s)`
+      : 'Pre-flight check passed';
+  }
+
+  const lines: string[] = [`Pre-flight check failed for '${result.moduleId}':`, ''];
+
+  for (const error of result.errors) {
+    lines.push(`  ${errorIcon(error.category)} ${error.message}`);
+    if (error.suggestion) {
+      lines.push(`    Fix: ${error.suggestion}`);
+    }
+  }
+
+  if (result.warnings.length > 0) {
+    lines.push('');
+    for (const warning of result.warnings) {
+      lines.push(`  ⚠ ${warning.message}`);
+    }
+  }
+
+  return lines.join('\n');
+}
+
+function errorIcon(category: PreflightError['category']): string {
+  switch (category) {
+    case 'missing-config':
+      return '✗';
+    case 'missing-capability':
+      return '◯';
+    case 'unresolved-template':
+      return '⟲';
+    case 'no-infrastructure':
+      return '▢';
+    case 'missing-secret':
+      return '🔑';
+  }
+}

package/src/services/deploy-ssh.ts

@@ -0,0 +1,131 @@
+/**
+ * SSH Readiness Service
+ *
+ * Waits for SSH to become available on target host with exponential backoff
+ */
+
+import { spawn } from 'node:child_process';
+import { FuelGauge } from '../cli/fuel-gauge';
+import { log } from '../cli/prompts';
+
+export interface SSHResult {
+  success: boolean;
+  error?: string;
+  attempts?: number;
+}
+
+/**
+ * Wait for SSH to become available on target host
+ * Execution function - polls SSH connectivity with backoff
+ *
+ * @param host - Target host IP address
+ * @param user - SSH user (default: root)
+ * @param timeoutSeconds - Timeout in seconds (default: 120)
+ * @returns SSH readiness result
+ */
+export async function waitForSSH(
+  host: string,
+  user = 'root',
+  timeoutSeconds = 120,
+): Promise<SSHResult> {
+  const startTime = Date.now();
+  const timeoutMs = timeoutSeconds * 1000;
+  let attempt = 0;
+
+  const gauge = new FuelGauge(`Waiting for SSH access to ${user}@${host}`);
+  gauge.start();
+
+  while (Date.now() - startTime < timeoutMs) {
+    attempt++;
+
+    gauge.addOutput(`Attempt ${attempt} - connecting to ${user}@${host}...`);
+
+    const connected = await trySSHConnection(host, user);
+
+    if (connected) {
+      gauge.stop(true);
+      log.success(`SSH ready after ${attempt} attempt${attempt === 1 ? '' : 's'}`);
+      return { success: true, attempts: attempt };
+    }
+
+    // Calculate backoff delay: 1s, 1.5s, 2.25s, ..., max 10s
+    const backoffDelay = Math.min(1000 * 1.5 ** (attempt - 1), 10000);
+    await sleep(backoffDelay);
+  }
+
+  gauge.stop(false);
+
+  return {
+    success: false,
+    error: `SSH connection timeout after ${timeoutSeconds} seconds (${attempt} attempts)\n\nTarget: ${user}@${host}\n\nPossible causes:\n  - Container failed to start\n  - SSH service not configured\n  - Firewall blocking connection\n  - Wrong IP address`,
+    attempts: attempt,
+  };
+}
+
+/**
+ * Try SSH connection to host
+ * Execution function - attempts single SSH connection
+ *
+ * @param host - Target host IP
+ * @param user - SSH user
+ * @returns True if connection successful
+ */
+async function trySSHConnection(host: string, user: string): Promise<boolean> {
+  return new Promise((resolve) => {
+    // Try SSH connection with short timeout
+    const child = spawn(
+      'ssh',
+      [
+        '-o',
+        'ConnectTimeout=5',
+        '-o',
+        'StrictHostKeyChecking=no',
+        '-o',
+        'UserKnownHostsFile=/dev/null',
+        '-o',
+        'LogLevel=ERROR',
+        `${user}@${host}`,
+        'echo',
+        'ready',
+      ],
+      {
+        stdio: ['ignore', 'pipe', 'pipe'],
+      },
+    );
+
+    let output = '';
+
+    child.stdout.on('data', (data) => {
+      output += data.toString();
+    });
+
+    child.on('close', (exitCode) => {
+      // Success if command executed and returned "ready"
+      if (exitCode === 0 && output.trim() === 'ready') {
+        resolve(true);
+      } else {
+        resolve(false);
+      }
+    });
+
+    child.on('error', () => {
+      resolve(false);
+    });
+
+    // Timeout after 6 seconds
+    setTimeout(() => {
+      child.kill();
+      resolve(false);
+    }, 6000);
+  });
+}
+
+/**
+ * Sleep for specified milliseconds
+ * Utility function
+ *
+ * @param ms - Milliseconds to sleep
+ */
+function sleep(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}

package/src/services/deploy-terraform.test.ts

@@ -0,0 +1,55 @@
+import { afterEach, beforeEach, describe, test } from 'bun:test';
+import { existsSync } from 'node:fs';
+import { mkdir, rm } from 'node:fs/promises';
+import { join } from 'node:path';
+
+const TEST_TERRAFORM_DIR = '/tmp/test-terraform-outputs';
+
+beforeEach(async () => {
+  // Create test directory
+  await mkdir(TEST_TERRAFORM_DIR, { recursive: true });
+});
+
+afterEach(async () => {
+  // Clean up test directory
+  if (existsSync(TEST_TERRAFORM_DIR)) {
+    await rm(TEST_TERRAFORM_DIR, { recursive: true, force: true });
+  }
+});
+
+describe('parseTerraformOutputs', () => {
+  test('parses wrapped Terraform output format', async () => {
+    // Create a mock terraform state directory
+    const tfDir = join(TEST_TERRAFORM_DIR, 'wrapped');
+    await mkdir(tfDir, { recursive: true });
+
+    // Mock terraform output -json by creating a state file
+    // (In reality, terraform reads from .tfstate, but we'll mock the command)
+    // We can't actually test this without mocking executeBuildWithProgress
+
+    // For now, skip this test - it requires mocking the terraform command
+    // The function is tested indirectly through integration tests
+  });
+
+  test('returns null when no outputs defined', async () => {
+    // This would require mocking terraform command that returns "no outputs"
+    // Skip for now - tested through integration tests
+  });
+
+  test('throws on invalid JSON output', async () => {
+    // This would require mocking terraform command that returns invalid JSON
+    // Skip for now - tested through integration tests
+  });
+});
+
+// Note: These tests are placeholders. The parseTerraformOutputs function
+// calls executeBuildWithProgress which executes actual terraform commands.
+// Proper testing requires either:
+// 1. Mocking executeBuildWithProgress (refactor needed)
+// 2. Integration tests with real terraform (slow)
+// 3. Dependency injection of the executor (architectural change)
+//
+// We'll rely on:
+// - Manual testing with real modules
+// - Integration tests in test-integration/
+// - Unit tests of property-extractor (already passing)