@celilo/cli 0.1.0

package/src/services/system-init.ts

@@ -0,0 +1,253 @@
+/**
+ * System Initialization Service
+ *
+ * Handles first-time system configuration with sensible defaults.
+ * Supports both interactive and non-interactive (--accept-defaults) modes.
+ */
+
+import { existsSync, readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { dirname, join } from 'node:path';
+import { eq } from 'drizzle-orm';
+import type { DbClient } from '../db/client';
+import { systemConfig } from '../db/schema';
+
+/**
+ * System configuration schema interface
+ */
+interface SystemConfigSchema {
+  properties: Record<
+    string,
+    {
+      type: string;
+      default?: string | number;
+      description?: string;
+      pattern?: string;
+      minimum?: number;
+      maximum?: number;
+      format?: string;
+    }
+  >;
+}
+
+/**
+ * Load system config schema from JSON file
+ */
+function loadSchema(): SystemConfigSchema {
+  // Try common locations (relative to this file's directory and cwd)
+  const thisDir = dirname(new URL(import.meta.url).pathname);
+  const candidates = [
+    join(thisDir, '..', '..', 'schemas', 'system_config.json'), // Relative to src/services/ → apps/celilo/schemas/
+    './schemas/system_config.json', // From cwd (apps/celilo)
+    join(process.cwd(), 'schemas', 'system_config.json'),
+  ];
+
+  for (const candidate of candidates) {
+    if (existsSync(candidate)) {
+      try {
+        return JSON.parse(readFileSync(candidate, 'utf-8'));
+      } catch (error) {
+        throw new Error(
+          `Failed to parse system_config.json schema: ${error instanceof Error ? error.message : 'Invalid JSON'}`,
+        );
+      }
+    }
+  }
+
+  throw new Error('Could not find system_config.json schema file');
+}
+
+/**
+ * Get default configuration values from schema
+ */
+export function getDefaultConfiguration(): Record<string, string | number> {
+  const schema = loadSchema();
+  const defaults: Record<string, string | number> = {};
+
+  for (const [key, property] of Object.entries(schema.properties)) {
+    if (property.default !== undefined) {
+      defaults[key] = property.default;
+    }
+  }
+
+  return defaults;
+}
+
+/**
+ * Compute gateway IP from subnet CIDR
+ * Returns the first usable IP address in the subnet
+ *
+ * @param subnet - CIDR notation (e.g., "10.0.10.0/24")
+ * @returns Gateway IP (e.g., "10.0.10.1")
+ */
+function computeGateway(subnet: string): string {
+  const [network, _bits] = subnet.split('/');
+  const octets = network.split('.').map(Number);
+
+  // First usable IP (network address + 1)
+  octets[3] += 1;
+
+  return octets.join('.');
+}
+
+/**
+ * Auto-detect SSH public key from common locations
+ *
+ * Checks ~/.ssh/ for common key files:
+ * - id_ed25519.pub (preferred)
+ * - id_rsa.pub
+ * - id_ecdsa.pub
+ *
+ * @returns SSH public key content or null if none found
+ */
+export interface DetectedSSHKey {
+  filename: string;
+  keyType: string;
+  content: string;
+}
+
+export function autoDetectSSHKeys(): DetectedSSHKey[] {
+  const sshDir = join(homedir(), '.ssh');
+  const keyFiles = ['id_ed25519.pub', 'id_rsa.pub', 'id_ecdsa.pub'];
+  const keys: DetectedSSHKey[] = [];
+
+  for (const keyFile of keyFiles) {
+    const keyPath = join(sshDir, keyFile);
+    if (existsSync(keyPath)) {
+      try {
+        const keyContent = readFileSync(keyPath, 'utf-8').trim();
+        if (keyContent) {
+          const keyType = keyContent.split(' ')[0] || keyFile;
+          keys.push({ filename: keyFile, keyType, content: keyContent });
+        }
+      } catch {}
+    }
+  }
+
+  return keys;
+}
+
+/** @deprecated Use autoDetectSSHKeys() instead */
+export function autoDetectSSHKey(): string | null {
+  const keys = autoDetectSSHKeys();
+  return keys.length > 0 ? keys[0].content : null;
+}
+
+/**
+ * Initialize system configuration with defaults
+ *
+ * This function does all the "smart" work:
+ * - Loads defaults from schema
+ * - Computes gateway IPs from subnets
+ * - Derives admin email from primary domain
+ * - Auto-detects SSH keys
+ * - Applies user overrides
+ * - Stores everything in the database
+ *
+ * @param db - Database instance
+ * @param overrides - Optional overrides for specific keys (used for interactive mode)
+ * @returns Configuration that was applied (for summary display)
+ */
+export function initializeSystem(
+  db: DbClient,
+  overrides: Partial<Record<string, string | number>> = {},
+): Record<string, string | number> {
+  const defaults = getDefaultConfiguration();
+
+  // Start with defaults
+  let config = { ...defaults };
+
+  // Apply user overrides (filter out undefined values)
+  const definedOverrides = Object.fromEntries(
+    Object.entries(overrides).filter(([_, v]) => v !== undefined),
+  ) as Record<string, string | number>;
+  config = { ...config, ...definedOverrides };
+
+  // Auto-detect SSH key if not provided
+  if (!config['ssh.public_key']) {
+    const detectedKey = autoDetectSSHKey();
+    if (detectedKey) {
+      config['ssh.public_key'] = detectedKey;
+    }
+  }
+
+  // Compute gateway IPs from subnets (if subnet was provided but not gateway)
+  const zones = ['dmz', 'app', 'secure', 'internal'];
+  for (const zone of zones) {
+    const subnetKey = `network.${zone}.subnet`;
+    const gatewayKey = `network.${zone}.gateway`;
+
+    // If user provided a subnet, compute gateway from it
+    if (config[subnetKey] && !overrides[gatewayKey]) {
+      config[gatewayKey] = computeGateway(String(config[subnetKey]));
+    }
+  }
+
+  // primary_domain and admin.email are no longer system config — they live
+  // in the dns_registrar capability and in the authentik/caddy modules
+  // respectively as of MANIFEST_V2 Phase 2 (D9).
+
+  // Store all configuration in database
+  for (const [key, value] of Object.entries(config)) {
+    if (value === undefined || value === null) {
+      continue; // Skip undefined/null values
+    }
+
+    const valueStr = String(value);
+
+    db.insert(systemConfig)
+      .values({ key, value: valueStr })
+      .onConflictDoUpdate({
+        target: systemConfig.key,
+        set: { value: valueStr },
+      })
+      .run();
+  }
+
+  return config;
+}
+
+/**
+ * Load existing system configuration from database
+ *
+ * @param db - Database instance
+ * @returns Map of existing configuration values
+ */
+export function loadExistingConfiguration(db: DbClient): Record<string, string> {
+  const existing: Record<string, string> = {};
+
+  const rows = db.select().from(systemConfig).all();
+
+  for (const row of rows) {
+    existing[row.key] = row.value;
+  }
+
+  return existing;
+}
+
+/**
+ * Check if system is already initialized
+ *
+ * System is considered initialized if critical configuration exists:
+ * - At least one network zone subnet
+ * - ssh.public_key
+ *
+ * @param db - Database instance
+ * @returns true if system appears to be initialized
+ */
+export function isSystemInitialized(db: DbClient): boolean {
+  const criticalKeys = ['network.dmz.subnet', 'ssh.public_key'];
+
+  let foundKeys = 0;
+
+  for (const key of criticalKeys) {
+    const result = db.select().from(systemConfig).where(eq(systemConfig.key, key)).get();
+
+    if (result) {
+      foundKeys++;
+    }
+  }
+
+  // Consider initialized if at least 2 of 3 critical keys exist
+  return foundKeys >= 2;
+}

package/src/services/terraform-safety.ts

@@ -0,0 +1,174 @@
+/**
+ * Terraform Plan Safety Validation
+ *
+ * Parses Terraform plan output and validates that only safe operations are planned.
+ *
+ * Safety Rules:
+ * - Only CREATE operations allowed
+ * - Only whitelisted provider resources allowed:
+ *   - Proxmox: proxmox_lxc, proxmox_vm
+ *   - Digital Ocean: digitalocean_droplet, digitalocean_*
+ * - No UPDATE operations (coming in future phase)
+ * - No DELETE operations
+ * - No REPLACE operations
+ */
+
+/**
+ * Allowed Terraform resource type prefixes
+ * Only resources from these providers can be created
+ */
+const ALLOWED_RESOURCE_PREFIXES = ['proxmox_lxc', 'proxmox_vm', 'digitalocean_'];
+
+export interface PlanSafetyResult {
+  safe: boolean;
+  error?: string;
+  actions: TerraformAction[];
+}
+
+export interface TerraformAction {
+  resourceType: string;
+  resourceName: string;
+  action: 'create' | 'update' | 'delete' | 'replace';
+}
+
+/**
+ * Parse and validate Terraform plan for safety
+ * Policy function - validates plan adheres to safety rules
+ *
+ * @param planOutput - Terraform plan output (from terraform plan -no-color)
+ * @returns Safety validation result
+ */
+export function validateTerraformPlanSafety(planOutput: string): PlanSafetyResult {
+  const actions = parseTerraformPlan(planOutput);
+
+  // Check each action against safety rules
+  for (const action of actions) {
+    // Rule 1: Only whitelisted provider resources allowed
+    const isAllowed = ALLOWED_RESOURCE_PREFIXES.some((prefix) =>
+      action.resourceType.startsWith(prefix),
+    );
+
+    if (!isAllowed) {
+      const allowedList = ALLOWED_RESOURCE_PREFIXES.join(', ');
+      return {
+        safe: false,
+        error: `Unexpected resource type: ${action.resourceType}\nOnly resources from approved providers are allowed: ${allowedList}`,
+        actions,
+      };
+    }
+
+    // Rule 2: Only CREATE operations allowed
+    if (action.action !== 'create') {
+      return {
+        safe: false,
+        error: formatUnsafeOperationError(action),
+        actions,
+      };
+    }
+  }
+
+  return { safe: true, actions };
+}
+
+/**
+ * Parse Terraform plan output to extract resource actions
+ * Policy function - pure parsing logic
+ *
+ * Terraform plan format examples:
+ *   # proxmox_lxc.caddy will be created
+ *   # proxmox_lxc.caddy will be updated in-place
+ *   # proxmox_lxc.caddy will be updated in-place (some changes)
+ *   # proxmox_lxc.caddy must be replaced
+ *   # proxmox_lxc.caddy will be destroyed
+ *   # proxmox_lxc.caddy must be replaced (forces new resource)
+ *
+ * @param planOutput - Terraform plan output text
+ * @returns Array of parsed actions
+ */
+export function parseTerraformPlan(planOutput: string): TerraformAction[] {
+  const actions: TerraformAction[] = [];
+  const lines = planOutput.split('\n');
+
+  // Regex patterns for Terraform plan actions
+  const createPattern = /^#\s+([\w_]+)\.([\w_-]+)\s+will be created$/;
+  const updatePattern = /^#\s+([\w_]+)\.([\w_-]+)\s+will be updated/;
+  const replacePattern = /^#\s+([\w_]+)\.([\w_-]+)\s+must be replaced/;
+  const deletePattern = /^#\s+([\w_]+)\.([\w_-]+)\s+will be destroyed$/;
+
+  for (const line of lines) {
+    const trimmed = line.trim();
+
+    // Try each pattern in order (replace must come before update since replace contains "must be")
+    let match = trimmed.match(replacePattern);
+    if (match) {
+      actions.push({
+        resourceType: match[1],
+        resourceName: match[2],
+        action: 'replace',
+      });
+      continue;
+    }
+
+    match = trimmed.match(createPattern);
+    if (match) {
+      actions.push({
+        resourceType: match[1],
+        resourceName: match[2],
+        action: 'create',
+      });
+      continue;
+    }
+
+    match = trimmed.match(updatePattern);
+    if (match) {
+      actions.push({
+        resourceType: match[1],
+        resourceName: match[2],
+        action: 'update',
+      });
+      continue;
+    }
+
+    match = trimmed.match(deletePattern);
+    if (match) {
+      actions.push({
+        resourceType: match[1],
+        resourceName: match[2],
+        action: 'delete',
+      });
+    }
+  }
+
+  return actions;
+}
+
+/**
+ * Format error message for unsafe operations
+ * Presentation function - formats output for user
+ *
+ * @param action - Terraform action that failed validation
+ * @returns Formatted error message
+ */
+function formatUnsafeOperationError(action: TerraformAction): string {
+  const lines = [
+    `Unsafe operation: ${action.action} on ${action.resourceType}.${action.resourceName}`,
+    '',
+    'Only CREATE operations are currently allowed.',
+  ];
+
+  if (action.action === 'update') {
+    lines.push('UPDATE operations require explicit approval.');
+    lines.push('');
+    lines.push('To fix: Review the changes and manually apply if safe.');
+  } else if (action.action === 'delete') {
+    lines.push('DELETE operations are never auto-approved.');
+    lines.push('');
+    lines.push('To fix: Remove the resource manually or use terraform destroy.');
+  } else if (action.action === 'replace') {
+    lines.push('REPLACE operations require explicit approval.');
+    lines.push('');
+    lines.push('To fix: Review what triggered the replacement and decide if it should proceed.');
+  }
+
+  return lines.join('\n');
+}

package/src/services/zone-detector.test.ts

@@ -0,0 +1,110 @@
+/**
+ * Tests for zone detector
+ */
+
+import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { closeDb, createDbClient } from '../db/client';
+import { runMigrations } from '../db/migrate';
+import { systemConfig } from '../db/schema';
+import { detectZoneFromIp, isValidIp } from './zone-detector';
+
+describe('zone-detector', () => {
+  let testDbPath: string;
+  let testDir: string;
+
+  beforeEach(async () => {
+    // Create temp directory for test database
+    testDir = mkdtempSync(join(tmpdir(), 'celilo-test-'));
+    testDbPath = join(testDir, 'test.db');
+
+    // Set environment variable for database path
+    process.env.CELILO_DB_PATH = testDbPath;
+
+    // Initialize database and run migrations
+    await runMigrations(testDbPath);
+
+    // Insert test network configuration
+    const db = createDbClient({ path: testDbPath });
+    await db.insert(systemConfig).values([
+      { key: 'network.internal.subnet', value: '192.168.0.0/24' },
+      { key: 'network.dmz.subnet', value: '10.0.10.0/24' },
+      { key: 'network.app.subnet', value: '10.0.20.0/24' },
+      { key: 'network.secure.subnet', value: '10.0.30.0/24' },
+    ]);
+  });
+
+  afterEach(() => {
+    // Close database connection
+    closeDb();
+
+    // Clean up test directory
+    if (testDir) {
+      rmSync(testDir, { recursive: true, force: true });
+    }
+
+    // Clear environment variables
+    process.env.CELILO_DB_PATH = undefined;
+  });
+
+  describe('detectZoneFromIp', () => {
+    it('detects internal zone', async () => {
+      const zone = await detectZoneFromIp('192.168.0.100');
+      expect(zone).toBe('internal');
+    });
+
+    it('detects dmz zone', async () => {
+      const zone = await detectZoneFromIp('10.0.10.50');
+      expect(zone).toBe('dmz');
+    });
+
+    it('detects app zone', async () => {
+      const zone = await detectZoneFromIp('10.0.20.100');
+      expect(zone).toBe('app');
+    });
+
+    it('detects secure zone', async () => {
+      const zone = await detectZoneFromIp('10.0.30.25');
+      expect(zone).toBe('secure');
+    });
+
+    it('returns external for non-matching IP', async () => {
+      const zone = await detectZoneFromIp('167.99.123.45');
+      expect(zone).toBe('external');
+    });
+
+    it('matches first IP in subnet', async () => {
+      const zone = await detectZoneFromIp('192.168.0.1');
+      expect(zone).toBe('internal');
+    });
+
+    it('matches last IP in subnet', async () => {
+      const zone = await detectZoneFromIp('192.168.0.254');
+      expect(zone).toBe('internal');
+    });
+
+    it('does not match IP outside subnet', async () => {
+      const zone = await detectZoneFromIp('192.168.1.100');
+      expect(zone).toBe('external');
+    });
+  });
+
+  describe('isValidIp', () => {
+    it('validates correct IPv4 addresses', () => {
+      expect(isValidIp('192.168.1.1')).toBe(true);
+      expect(isValidIp('10.0.0.1')).toBe(true);
+      expect(isValidIp('255.255.255.255')).toBe(true);
+      expect(isValidIp('0.0.0.0')).toBe(true);
+    });
+
+    it('rejects invalid IPv4 addresses', () => {
+      expect(isValidIp('192.168.1.256')).toBe(false); // Number > 255
+      expect(isValidIp('192.168.1')).toBe(false); // Too few octets
+      expect(isValidIp('192.168.1.1.1')).toBe(false); // Too many octets
+      expect(isValidIp('not.an.ip.address')).toBe(false); // Non-numeric
+      expect(isValidIp('')).toBe(false); // Empty string
+    });
+  });
+});

package/src/services/zone-detector.ts

@@ -0,0 +1,102 @@
+/**
+ * Zone Detector
+ * Auto-detects network zone from IP address by matching against system subnets
+ */
+
+import { eq } from 'drizzle-orm';
+import { getDb } from '../db/client';
+import { type NetworkZone, systemConfig } from '../db/schema';
+
+/**
+ * Parse CIDR notation to get network address and prefix length
+ */
+function parseCIDR(cidr: string): { network: string; prefixLength: number } {
+  const [ip, prefix] = cidr.split('/');
+  return {
+    network: ip,
+    prefixLength: Number.parseInt(prefix, 10),
+  };
+}
+
+/**
+ * Convert IP address string to 32-bit integer
+ */
+function ipToInt(ip: string): number {
+  const parts = ip.split('.').map((part) => Number.parseInt(part, 10));
+  return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
+}
+
+/**
+ * Check if an IP address is in a CIDR subnet
+ */
+function ipInSubnet(ip: string, cidr: string): boolean {
+  try {
+    const { network, prefixLength } = parseCIDR(cidr);
+    const ipInt = ipToInt(ip);
+    const networkInt = ipToInt(network);
+
+    // Create subnet mask
+    const mask = ~((1 << (32 - prefixLength)) - 1);
+
+    // Check if IP is in subnet
+    return (ipInt & mask) === (networkInt & mask);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Get system network configuration for a zone
+ */
+async function getZoneSubnet(zone: NetworkZone): Promise<string | null> {
+  const db = getDb();
+
+  // Try to get subnet from system config
+  // Format: network.{zone}.subnet (e.g., network.dmz.subnet)
+  const key = `network.${zone}.subnet`;
+
+  const result = await db.select().from(systemConfig).where(eq(systemConfig.key, key)).limit(1);
+
+  if (result.length === 0) {
+    return null;
+  }
+
+  return result[0].value;
+}
+
+/**
+ * Detect network zone from IP address
+ * Matches IP against system network configuration
+ *
+ * @param ip - IP address to check
+ * @returns Detected network zone, or 'external' if no match
+ */
+export async function detectZoneFromIp(ip: string): Promise<NetworkZone> {
+  // Check each zone's subnet
+  const zones: NetworkZone[] = ['internal', 'dmz', 'app', 'secure'];
+
+  for (const zone of zones) {
+    const subnet = await getZoneSubnet(zone);
+    if (subnet && ipInSubnet(ip, subnet)) {
+      return zone;
+    }
+  }
+
+  // No match found - must be external
+  return 'external';
+}
+
+/**
+ * Validate IP address format
+ */
+export function isValidIp(ip: string): boolean {
+  const parts = ip.split('.');
+  if (parts.length !== 4) {
+    return false;
+  }
+
+  return parts.every((part) => {
+    const num = Number.parseInt(part, 10);
+    return !Number.isNaN(num) && num >= 0 && num <= 255;
+  });
+}