@celilo/cli 0.1.0

package/src/variables/ansible-resolver.test.ts

@@ -0,0 +1,142 @@
+import { describe, expect, test } from 'bun:test';
+import { convertSecretsToJinja, isAnsibleTemplate } from './ansible-resolver';
+import { buildContextFromData } from './context';
+
+// Mock database for tests
+const mockDb = {
+  $client: {
+    prepare: () => ({
+      get: () => null,
+      all: () => [],
+      run: () => ({ changes: 0 }),
+    }),
+  },
+  select: () => ({
+    from: () => ({
+      where: () => ({
+        get: () => null,
+        all: () => [],
+      }),
+    }),
+  }),
+  // biome-ignore lint/suspicious/noExplicitAny: mock database for testing, full type not needed
+} as any;
+
+describe('Ansible Resolver', () => {
+  describe('isAnsibleTemplate', () => {
+    test('should identify .j2 files', async () => {
+      expect(isAnsibleTemplate('config.json.j2')).toBe(true);
+      expect(isAnsibleTemplate('template.j2')).toBe(true);
+    });
+
+    test('should identify ansible/ directory files', async () => {
+      expect(isAnsibleTemplate('ansible/playbook.yml')).toBe(true);
+      expect(isAnsibleTemplate('ansible/roles/main.yml')).toBe(true);
+    });
+
+    test('should reject non-ansible files', async () => {
+      expect(isAnsibleTemplate('terraform/main.tf')).toBe(false);
+      expect(isAnsibleTemplate('config.json')).toBe(false);
+    });
+  });
+
+  describe('convertSecretsToJinja', () => {
+    test('should convert secret variables to Jinja2 format', async () => {
+      const context = buildContextFromData('test', {
+        secrets: {
+          api_key: 'secret123',
+          db_password: 'pass456',
+        },
+      });
+
+      const template = 'username: $secret:api_key\npassword: $secret:db_password';
+      const result = await convertSecretsToJinja(template, context, mockDb);
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.content).toBe('username: {{ api_key }}\npassword: {{ db_password }}');
+      }
+    });
+
+    test('should resolve non-secret variables normally', async () => {
+      const context = buildContextFromData('test', {
+        selfConfig: {
+          hostname: 'myhost',
+          port: '8080',
+        },
+        systemConfig: {
+          'dns.primary': '192.168.0.1',
+        },
+      });
+
+      const template = 'host: $self:hostname\nport: $self:port\ndns: $system:dns.primary';
+      const result = await convertSecretsToJinja(template, context, mockDb);
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.content).toBe('host: myhost\nport: 8080\ndns: 192.168.0.1');
+      }
+    });
+
+    test('should mix secret conversion and normal resolution', async () => {
+      const context = buildContextFromData('test', {
+        selfConfig: {
+          username: 'admin',
+        },
+        secrets: {
+          password: 'secret123',
+        },
+      });
+
+      const template = 'user: $self:username\npass: $secret:password';
+      const result = await convertSecretsToJinja(template, context, mockDb);
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.content).toBe('user: admin\npass: {{ password }}');
+      }
+    });
+
+    test('should return errors for missing non-secret variables', async () => {
+      const context = buildContextFromData('test', {});
+
+      const template = 'host: $self:missing_hostname';
+      const result = await convertSecretsToJinja(template, context, mockDb);
+
+      expect(result.success).toBe(false);
+      if (!result.success) {
+        expect(result.errors).toHaveLength(1);
+        expect(result.errors[0]?.variable).toBe('$self:missing_hostname');
+      }
+    });
+
+    test('should convert secrets even if not in context', async () => {
+      const context = buildContextFromData('test', {});
+
+      const template = 'pass: $secret:api_key';
+      const result = await convertSecretsToJinja(template, context, mockDb);
+
+      // Secrets are always converted to Jinja2, regardless of presence
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.content).toBe('pass: {{ api_key }}');
+      }
+    });
+
+    test('should handle multiple occurrences of same variable', async () => {
+      const context = buildContextFromData('test', {
+        secrets: {
+          token: 'xyz',
+        },
+      });
+
+      const template = 'auth: $secret:token\nbackup: $secret:token';
+      const result = await convertSecretsToJinja(template, context, mockDb);
+
+      expect(result.success).toBe(true);
+      if (result.success) {
+        expect(result.content).toBe('auth: {{ token }}\nbackup: {{ token }}');
+      }
+    });
+  });
+});

package/src/variables/ansible-resolver.ts

@@ -0,0 +1,69 @@
+import { parseVariables } from './parser';
+import { resolveVariable } from './resolver';
+import type { ResolutionContext, TemplateResolveResult } from './types';
+
+/**
+ * Convert secret variables to Jinja2 format for Ansible
+ *
+ * Execution function (Rule 10.1) - may perform database access
+ *
+ * Converts $secret:name to {{ name }} for Ansible templates
+ * Resolves non-secret variables normally ($self:, $system:, $capability:)
+ *
+ * @param content - Template content with variables
+ * @param context - Resolution context
+ * @param db - Database connection (required for capability variables)
+ * @returns Resolved template with Jinja2 variables for secrets
+ */
+export async function convertSecretsToJinja(
+  content: string,
+  context: ResolutionContext,
+  db: ReturnType<typeof import('../db/client').getDb>,
+): Promise<TemplateResolveResult> {
+  // Parse all variables
+  const variables = parseVariables(content);
+
+  if (variables.length === 0) {
+    return { success: true, content };
+  }
+
+  const errors: Array<{ variable: string; error: string }> = [];
+  let resolvedContent = content;
+
+  // Process each variable
+  for (const variable of variables) {
+    if (variable.type === 'secret') {
+      // Convert secret variables to Jinja2 format
+      // $secret:vesync_username -> {{ vesync_username }}
+      const jinjaVar = `{{ ${variable.path} }}`;
+      resolvedContent = resolvedContent.replaceAll(variable.raw, jinjaVar);
+    } else {
+      // Resolve non-secret variables normally
+      const result = await resolveVariable(variable, context, db);
+
+      if (!result.success) {
+        errors.push({ variable: result.variable, error: result.error });
+      } else {
+        resolvedContent = resolvedContent.replaceAll(variable.raw, result.value);
+      }
+    }
+  }
+
+  if (errors.length > 0) {
+    return { success: false, errors };
+  }
+
+  return { success: true, content: resolvedContent };
+}
+
+/**
+ * Check if file is an Ansible template
+ *
+ * Policy function - validation only
+ *
+ * @param path - File path
+ * @returns True if file is Ansible template (.j2 extension or in ansible/ directory)
+ */
+export function isAnsibleTemplate(path: string): boolean {
+  return path.endsWith('.j2') || path.includes('/ansible/') || path.startsWith('ansible/');
+}

package/src/variables/capability-self-ref.test.ts

@@ -0,0 +1,220 @@
+/**
+ * Tests for capability data $self: variable resolution (lazy resolution)
+ * Verifies that capability data containing unresolved $self: variables
+ * gets resolved from the provider module's config when requested
+ */
+
+import { afterEach, describe, expect, test } from 'bun:test';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { createDbClient } from '@/db/client';
+import { resolveVariable } from './resolver';
+import type { ResolutionContext } from './types';
+
+let testDirs: string[] = [];
+
+afterEach(() => {
+  for (const dir of testDirs) {
+    try {
+      rmSync(dir, { recursive: true, force: true });
+    } catch {
+      // Ignore
+    }
+  }
+  testDirs = [];
+});
+
+describe('Capability data $self: variable resolution', () => {
+  test('should lazily resolve $self: variables in capability data', async () => {
+    const testDir = mkdtempSync(join(tmpdir(), 'test-cap-self-'));
+    testDirs.push(testDir);
+    const testDbPath = join(testDir, 'test.db');
+    const db = createDbClient({ path: testDbPath });
+
+    // Create provider module (dns-external)
+    db.$client
+      .prepare(
+        `INSERT INTO modules (id, name, version, source_path, state, manifest_data)
+         VALUES (?, ?, ?, ?, ?, ?)`,
+      )
+      .run(
+        'dns-external',
+        'DNS External',
+        '1.0.0',
+        '/tmp/modules/dns-external',
+        'CONFIGURED',
+        JSON.stringify({ id: 'dns-external', name: 'DNS External', version: '1.0.0' }),
+      );
+
+    // Register capability with unresolved $self: variables
+    db.$client
+      .prepare(
+        `INSERT INTO capabilities (module_id, capability_name, version, data)
+         VALUES (?, ?, ?, ?)`,
+      )
+      .run(
+        'dns-external',
+        'dns_external',
+        '1.0.0',
+        JSON.stringify({
+          server: {
+            ip: {
+              primary: '$self:ip.primary', // Unresolved!
+            },
+          },
+          tsig: {
+            key_name: '$self:tsig_key_name', // Unresolved!
+          },
+        }),
+      );
+
+    // Store provider module's config
+    db.$client
+      .prepare(
+        `INSERT INTO module_configs (module_id, key, value)
+         VALUES (?, ?, ?), (?, ?, ?)`,
+      )
+      .run(
+        'dns-external',
+        'ip.primary',
+        '203.0.113.42',
+        'dns-external',
+        'tsig_key_name',
+        'celilo-ddns',
+      );
+
+    // Create consumer module (caddy)
+    db.$client
+      .prepare(
+        `INSERT INTO modules (id, name, version, source_path, state, manifest_data)
+         VALUES (?, ?, ?, ?, ?, ?)`,
+      )
+      .run(
+        'caddy',
+        'Caddy',
+        '1.0.0',
+        '/tmp/modules/caddy',
+        'CONFIGURED',
+        JSON.stringify({ id: 'caddy', name: 'Caddy', version: '1.0.0' }),
+      );
+
+    // Test: Resolve capability variable with lazy $self: resolution
+    const context: ResolutionContext = {
+      moduleId: 'caddy',
+      selfConfig: {},
+      systemConfig: {},
+      secrets: {},
+      systemSecrets: {},
+      capabilities: {
+        dns_external: {
+          server: {
+            ip: {
+              primary: '$self:ip.primary', // Will be lazily resolved
+            },
+          },
+          tsig: {
+            key_name: '$self:tsig_key_name', // Will be lazily resolved
+          },
+        },
+      },
+    };
+
+    const result1 = await resolveVariable(
+      {
+        type: 'capability',
+        path: 'dns_external.server.ip.primary',
+        raw: '$capability:dns_external.server.ip.primary',
+      },
+      context,
+      db,
+    );
+
+    expect(result1.success).toBe(true);
+    if (result1.success) {
+      expect(result1.value).toBe('203.0.113.42');
+    }
+
+    const result2 = await resolveVariable(
+      {
+        type: 'capability',
+        path: 'dns_external.tsig.key_name',
+        raw: '$capability:dns_external.tsig.key_name',
+      },
+      context,
+      db,
+    );
+
+    expect(result2.success).toBe(true);
+    if (result2.success) {
+      expect(result2.value).toBe('celilo-ddns');
+    }
+  });
+
+  test('should error when provider module has not configured the required value', async () => {
+    const testDir = mkdtempSync(join(tmpdir(), 'test-cap-self-'));
+    testDirs.push(testDir);
+    const testDbPath = join(testDir, 'test.db');
+    const db = createDbClient({ path: testDbPath });
+
+    // Create provider module
+    db.$client
+      .prepare(
+        `INSERT INTO modules (id, name, version, source_path, state, manifest_data)
+         VALUES (?, ?, ?, ?, ?, ?)`,
+      )
+      .run(
+        'dns-external',
+        'DNS External',
+        '1.0.0',
+        '/tmp/modules/dns-external',
+        'CONFIGURED',
+        JSON.stringify({ id: 'dns-external', name: 'DNS External', version: '1.0.0' }),
+      );
+
+    // Register capability with unresolved variable
+    db.$client
+      .prepare(
+        `INSERT INTO capabilities (module_id, capability_name, version, data)
+         VALUES (?, ?, ?, ?)`,
+      )
+      .run(
+        'dns-external',
+        'dns_external',
+        '1.0.0',
+        JSON.stringify({
+          server: { ip: { primary: '$self:ip.primary' } },
+        }),
+      );
+
+    // Provider module config is MISSING the required value
+
+    const context: ResolutionContext = {
+      moduleId: 'caddy',
+      selfConfig: {},
+      systemConfig: {},
+      secrets: {},
+      systemSecrets: {},
+      capabilities: {
+        dns_external: {
+          server: { ip: { primary: '$self:ip.primary' } },
+        },
+      },
+    };
+
+    const result = await resolveVariable(
+      {
+        type: 'capability',
+        path: 'dns_external.server.ip.primary',
+        raw: '$capability:dns_external.server.ip.primary',
+      },
+      context,
+      db,
+    );
+
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.error).toContain("has not configured 'ip.primary'");
+    }
+  });
+});