@celilo/cli 0.1.4 → 0.1.6

package/src/templates/generator.ts

@@ -1,6 +1,6 @@
 import { randomUUID } from 'node:crypto';
 import { existsSync, statSync } from 'node:fs';
-import { chmod, mkdir, readFile, readdir, writeFile } from 'node:fs/promises';
+import { chmod, cp, mkdir, readFile, readdir, writeFile } from 'node:fs/promises';
 import { dirname, join, relative } from 'node:path';
 import { and, eq } from 'drizzle-orm';
 import { generateInventory } from '../ansible/inventory';
@@ -209,6 +209,31 @@ export async function readTemplateFiles(
  * @param outputPath - Base output path
  * @param files - Generated files to write
  */
+/**
+ * Copy each `ansible/roles/<role>/files/` directory from the module source
+ * to the generated output, verbatim (preserving binary content + mode bits).
+ *
+ * These hold Ansible role-local static assets — they may be binaries and
+ * don't need template variable resolution, so the standard template
+ * pipeline (which is utf-8) can't handle them.
+ */
+export async function copyAnsibleRoleFilesDirs(
+  modulePath: string,
+  outputPath: string,
+): Promise<void> {
+  const rolesDir = join(modulePath, 'ansible', 'roles');
+  if (!existsSync(rolesDir)) return;
+  const roles = await readdir(rolesDir, { withFileTypes: true });
+  for (const role of roles) {
+    if (!role.isDirectory()) continue;
+    const srcFilesDir = join(rolesDir, role.name, 'files');
+    if (!existsSync(srcFilesDir)) continue;
+    const destFilesDir = join(outputPath, 'ansible', 'roles', role.name, 'files');
+    await mkdir(dirname(destFilesDir), { recursive: true });
+    await cp(srcFilesDir, destFilesDir, { recursive: true, preserveTimestamps: true });
+  }
+}
+
 export async function writeGeneratedFiles(
   outputPath: string,
   files: GeneratedFile[],
@@ -621,7 +646,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
       // biome-ignore lint/style/noNonNullAssertion: value is NOT NULL in schema, guaranteed to exist
       context.selfConfig.vmid = String(vmidConfig.value!);
       // biome-ignore lint/style/noNonNullAssertion: value is NOT NULL in schema, guaranteed to exist
-      context.selfConfig.container_ip = ipConfig.value!;
+      context.selfConfig.target_ip = ipConfig.value!;
     }
 
     // Add infrastructure properties to context (target_node, lxc_template, storage)
@@ -913,6 +938,22 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
     };
   }
 
+  // Execution: Copy Ansible role-local `files/` directories verbatim.
+  // These hold static assets (binaries, certs, scripts, blobs) used by
+  // Ansible's `copy` module. They're outside the template pipeline because
+  // (a) they don't need variable resolution and (b) they may be binary —
+  // utf-8 round-tripping would corrupt them. The template pipeline only
+  // handles .tpl/.j2/.yml/.yaml/.tf files.
+  try {
+    await copyAnsibleRoleFilesDirs(modulePath, outputPath);
+  } catch (error) {
+    return {
+      success: false,
+      error: 'Failed to copy Ansible role files/ directories',
+      details: error,
+    };
+  }
+
   // Execution: Copy capability-provided Ansible tasks into generated output
   // When a module requires capabilities that provide Ansible tasks (e.g., dns_registrar),
   // copy those tasks so the consumer's playbook can include them.

package/src/test-utils/completion-harness.test.ts

@@ -19,7 +19,7 @@ describe('CompletionHarness', () => {
       CELILO_DB_PATH: ctx.dbPath,
       CELILO_DATA_DIR: ctx.dataDir,
     });
-    harness = new CompletionHarness(ctx.cli);
+    harness = new CompletionHarness(cli);
   });
 
   afterEach(async () => {

package/src/test-utils/completion-harness.ts

@@ -6,13 +6,13 @@
  */
 
 import { expect } from 'bun:test';
-import { runCli } from './cli';
+import type { CLIContext } from './cli-context';
 
 /**
  * Test harness for CLI completion
  */
 export class CompletionHarness {
-  constructor(private cli: string) {}
+  constructor(private cli: CLIContext) {}
 
   /**
    * Get completions for a given set of words
@@ -26,10 +26,10 @@ export class CompletionHarness {
     // If partial=false, we're completing the next word after all current words
     const currentIndex = partial && words.length > 0 ? words.length - 1 : words.length;
     try {
-      const result = runCli(this.cli, `--get-completions ${words.join(' ')} ${currentIndex}`);
+      const result = await this.cli.run(`--get-completions ${words.join(' ')} ${currentIndex}`);
 
       // Parse completion output (one per line)
-      return result.split('\n').filter(Boolean);
+      return result.stdout.split('\n').filter(Boolean);
     } catch (_error) {
       // Completion errors return empty array
       return [];

package/src/variables/capability-self-ref.test.ts

@@ -9,6 +9,7 @@ import { mkdtempSync, rmSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { createDbClient } from '@/db/client';
+import { buildResolutionContext } from './context';
 import { resolveVariable } from './resolver';
 import type { ResolutionContext } from './types';
 
@@ -217,4 +218,206 @@ describe('Capability data $self: variable resolution', () => {
       expect(result.error).toContain("has not configured 'ip.primary'");
     }
   });
+
+  test('buildResolutionContext resolves capability-derived variable even when DB has raw unresolved $self: value', async () => {
+    // Regression: hook config was assembled from raw DB reads without applying
+    // capability derivation. When lunacycle stores primary_domain as "$self:primary_domain"
+    // (because the DB guard skipped persisting the resolved value), the hook
+    // received the literal template string instead of "iamtheinternet.org".
+    // After the fix, buildResolutionContext always returns the resolved value in selfConfig.
+    const testDir = mkdtempSync(join(tmpdir(), 'test-cap-self-raw-'));
+    testDirs.push(testDir);
+    const db = createDbClient({ path: join(testDir, 'test.db') });
+
+    db.$client
+      .prepare(
+        'INSERT INTO modules (id, name, version, source_path, state, manifest_data) VALUES (?, ?, ?, ?, ?, ?)',
+      )
+      .run(
+        'namecheap',
+        'Namecheap',
+        '1.0.0',
+        '/tmp/modules/namecheap',
+        'VERIFIED',
+        JSON.stringify({ id: 'namecheap', name: 'Namecheap', version: '1.0.0' }),
+      );
+
+    db.$client
+      .prepare('INSERT INTO module_configs (module_id, key, value) VALUES (?, ?, ?)')
+      .run('namecheap', 'primary_domain', 'iamtheinternet.org');
+
+    db.$client
+      .prepare(
+        'INSERT INTO capabilities (module_id, capability_name, version, data) VALUES (?, ?, ?, ?)',
+      )
+      .run(
+        'namecheap',
+        'dns_registrar',
+        '2.0.0',
+        JSON.stringify({ primary_domain: '$self:primary_domain' }),
+      );
+
+    const consumerManifest = {
+      id: 'lunacycle',
+      name: 'LunaCycle',
+      version: '1.0.0',
+      celilo_contract: '1.0',
+      variables: {
+        owns: [
+          {
+            name: 'primary_domain',
+            type: 'string',
+            required: false,
+            source: 'capability',
+            derive_from: '$capability:dns_registrar.primary_domain',
+          },
+        ],
+      },
+    };
+
+    db.$client
+      .prepare(
+        'INSERT INTO modules (id, name, version, source_path, state, manifest_data) VALUES (?, ?, ?, ?, ?, ?)',
+      )
+      .run(
+        'lunacycle',
+        'LunaCycle',
+        '1.0.0',
+        '/tmp/modules/lunacycle',
+        'INSTALLED',
+        JSON.stringify(consumerManifest),
+      );
+
+    // Simulate raw DB state: primary_domain stored as unresolved template string
+    db.$client
+      .prepare('INSERT INTO module_configs (module_id, key, value) VALUES (?, ?, ?)')
+      .run('lunacycle', 'primary_domain', '$self:primary_domain');
+
+    const context = await buildResolutionContext('lunacycle', db);
+
+    // selfConfig should have the resolved value, not the raw DB "$self:primary_domain"
+    expect(context.selfConfig.primary_domain).toBe('iamtheinternet.org');
+
+    // Simulate the hook installConfigMap merge logic from module-deploy.ts:
+    // Raw DB read produces the unresolved string; the fix overwrites it from context.selfConfig
+    const installConfigMap: Record<string, unknown> = { primary_domain: '$self:primary_domain' };
+    for (const [key, value] of Object.entries(context.selfConfig)) {
+      if (
+        !(key in installConfigMap) ||
+        (typeof installConfigMap[key] === 'string' &&
+          (installConfigMap[key] as string).startsWith('$'))
+      ) {
+        installConfigMap[key] = value;
+      }
+    }
+    expect(installConfigMap.primary_domain).toBe('iamtheinternet.org');
+  });
+
+  test('hook config merge does not overwrite user-set values with capability-derived ones', async () => {
+    // If a user explicitly sets a value that happens to match a capability-derived variable,
+    // their value (which does NOT start with $) should be preserved.
+    const installConfigMap: Record<string, unknown> = {
+      primary_domain: 'my-custom-domain.com', // user-set, no $ prefix
+      other_key: '$self:unresolved', // raw template — should be overwritten
+    };
+
+    const resolvedSelfConfig: Record<string, string> = {
+      primary_domain: 'iamtheinternet.org', // capability-derived value
+      other_key: 'resolved-value',
+      new_key: 'auto-derived',
+    };
+
+    for (const [key, value] of Object.entries(resolvedSelfConfig)) {
+      if (
+        !(key in installConfigMap) ||
+        (typeof installConfigMap[key] === 'string' &&
+          (installConfigMap[key] as string).startsWith('$'))
+      ) {
+        installConfigMap[key] = value;
+      }
+    }
+
+    // User-set value preserved (no $ prefix → not overwritten)
+    expect(installConfigMap.primary_domain).toBe('my-custom-domain.com');
+    // Unresolved template overwritten
+    expect(installConfigMap.other_key).toBe('resolved-value');
+    // New keys from context added
+    expect(installConfigMap.new_key).toBe('auto-derived');
+  });
+
+  test('buildResolutionContext resolves $self: refs in capability data for consumer module', async () => {
+    // Regression test: lunacycle's primary_domain (source: capability, derive_from:
+    // "$capability:dns_registrar.primary_domain") should resolve to the provider's
+    // actual configured value, not the raw "$self:primary_domain" template string.
+    const testDir = mkdtempSync(join(tmpdir(), 'test-cap-self-ctx-'));
+    testDirs.push(testDir);
+    const db = createDbClient({ path: join(testDir, 'test.db') });
+
+    // Provider module (namecheap) with primary_domain configured
+    db.$client
+      .prepare(
+        'INSERT INTO modules (id, name, version, source_path, state, manifest_data) VALUES (?, ?, ?, ?, ?, ?)',
+      )
+      .run(
+        'namecheap',
+        'Namecheap',
+        '1.0.0',
+        '/tmp/modules/namecheap',
+        'VERIFIED',
+        JSON.stringify({ id: 'namecheap', name: 'Namecheap', version: '1.0.0' }),
+      );
+
+    db.$client
+      .prepare('INSERT INTO module_configs (module_id, key, value) VALUES (?, ?, ?)')
+      .run('namecheap', 'primary_domain', 'iamtheinternet.org');
+
+    // Capability data stored with unresolved $self: reference (as registered at import time)
+    db.$client
+      .prepare(
+        'INSERT INTO capabilities (module_id, capability_name, version, data) VALUES (?, ?, ?, ?)',
+      )
+      .run(
+        'namecheap',
+        'dns_registrar',
+        '2.0.0',
+        JSON.stringify({ provider: 'namecheap', primary_domain: '$self:primary_domain' }),
+      );
+
+    // Consumer module (lunacycle) with capability-derived primary_domain
+    const consumerManifest = {
+      id: 'lunacycle',
+      name: 'LunaCycle',
+      version: '1.0.0',
+      celilo_contract: '1.0',
+      variables: {
+        owns: [
+          {
+            name: 'primary_domain',
+            type: 'string',
+            required: false,
+            source: 'capability',
+            derive_from: '$capability:dns_registrar.primary_domain',
+          },
+        ],
+      },
+    };
+
+    db.$client
+      .prepare(
+        'INSERT INTO modules (id, name, version, source_path, state, manifest_data) VALUES (?, ?, ?, ?, ?, ?)',
+      )
+      .run(
+        'lunacycle',
+        'LunaCycle',
+        '1.0.0',
+        '/tmp/modules/lunacycle',
+        'INSTALLED',
+        JSON.stringify(consumerManifest),
+      );
+
+    const context = await buildResolutionContext('lunacycle', db);
+
+    // primary_domain should be resolved to the provider's actual value
+    expect(context.selfConfig.primary_domain).toBe('iamtheinternet.org');
+  });
 });

package/src/variables/context.test.ts

@@ -166,7 +166,7 @@ describe('Variable Context', () => {
 
       db.insert(moduleConfigs)
         .values([
-          { moduleId: 'homebridge', key: 'container_ip', value: '192.168.0.50' },
+          { moduleId: 'homebridge', key: 'target_ip', value: '192.168.0.50' },
           { moduleId: 'homebridge', key: 'hostname', value: 'homebridge' },
         ])
         .run();
@@ -174,7 +174,7 @@ describe('Variable Context', () => {
       const context = await buildResolutionContext('homebridge', db);
 
       expect(context.moduleId).toBe('homebridge');
-      expect(context.selfConfig.container_ip).toBe('192.168.0.50');
+      expect(context.selfConfig.target_ip).toBe('192.168.0.50');
       expect(context.selfConfig.hostname).toBe('homebridge');
       // Auto-derived variables
       expect(context.selfConfig['inventory.ansible_host']).toBe('192.168.0.50');
@@ -262,7 +262,7 @@ describe('Variable Context', () => {
       );
 
       db.insert(moduleConfigs)
-        .values({ moduleId: 'caddy', key: 'container_ip', value: '10.0.20.10' })
+        .values({ moduleId: 'caddy', key: 'target_ip', value: '10.0.20.10' })
         .run();
 
       db.insert(secrets)
@@ -290,7 +290,7 @@ describe('Variable Context', () => {
 
       const context = await buildResolutionContext('caddy', db);
 
-      expect(context.selfConfig.container_ip).toBe('10.0.20.10');
+      expect(context.selfConfig.target_ip).toBe('10.0.20.10');
       expect(context.secrets.ssl_cert).toBe('cert_data');
       expect(context.capabilities.dns_external).toBeDefined();
       expect(context.systemConfig['dns.primary']).toBe('192.168.0.1');
@@ -303,7 +303,7 @@ describe('Variable Context', () => {
       // Should have auto-derived inventory variables
       expect(context.selfConfig['inventory.ansible_user']).toBe('root');
       expect(context.selfConfig['inventory.groups']).toBe('empty-module');
-      // Should not have ansible_host (no container_ip)
+      // Should not have ansible_host (no target_ip)
       expect(context.selfConfig['inventory.ansible_host']).toBeUndefined();
       expect(context.secrets).toEqual({});
       expect(context.capabilities).toEqual({});
@@ -367,18 +367,18 @@ describe('Variable Context', () => {
       expect(context.selfConfig['requires.machine.memory']).toBeUndefined();
     });
 
-    test('should auto-derive inventory variables from container_ip', async () => {
+    test('should auto-derive inventory variables from target_ip', async () => {
       db.$client.run(
         `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('test-module', 'Test', '1.0.0', '/path', '{}')`,
       );
 
       db.insert(moduleConfigs)
-        .values({ moduleId: 'test-module', key: 'container_ip', value: '10.0.10.10/24' })
+        .values({ moduleId: 'test-module', key: 'target_ip', value: '10.0.10.10/24' })
         .run();
 
       const context = await buildResolutionContext('test-module', db);
 
-      // Should strip CIDR from container_ip
+      // Should strip CIDR from target_ip
       expect(context.selfConfig['inventory.ansible_host']).toBe('10.0.10.10');
       expect(context.selfConfig['inventory.ansible_user']).toBe('root');
       expect(context.selfConfig['inventory.groups']).toBe('test-module');
@@ -391,7 +391,7 @@ describe('Variable Context', () => {
 
       db.insert(moduleConfigs)
         .values([
-          { moduleId: 'custom', key: 'container_ip', value: '10.0.20.10' },
+          { moduleId: 'custom', key: 'target_ip', value: '10.0.20.10' },
           { moduleId: 'custom', key: 'inventory.ansible_user', value: 'admin' },
         ])
         .run();
@@ -403,13 +403,13 @@ describe('Variable Context', () => {
       expect(context.selfConfig['inventory.ansible_host']).toBe('10.0.20.10');
     });
 
-    test('should handle container_ip without CIDR', async () => {
+    test('should handle target_ip without CIDR', async () => {
       db.$client.run(
         `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('no-cidr', 'No CIDR', '1.0.0', '/path', '{}')`,
       );
 
       db.insert(moduleConfigs)
-        .values({ moduleId: 'no-cidr', key: 'container_ip', value: '192.168.1.100' })
+        .values({ moduleId: 'no-cidr', key: 'target_ip', value: '192.168.1.100' })
         .run();
 
       const context = await buildResolutionContext('no-cidr', db);
@@ -418,8 +418,8 @@ describe('Variable Context', () => {
       expect(context.selfConfig['inventory.ansible_host']).toBe('192.168.1.100');
     });
 
-    test('should auto-allocate IPAM resources when module declares vmid and container_ip', async () => {
-      // Create module with manifest that declares vmid and container_ip
+    test('should auto-allocate IPAM resources when module declares vmid and target_ip', async () => {
+      // Create module with manifest that declares vmid and target_ip
       db.insert(modules)
         .values({
           id: 'auto-module',
@@ -433,7 +433,7 @@ describe('Variable Context', () => {
             variables: {
               owns: [
                 { name: 'vmid', type: 'integer', required: true, source: 'user' },
-                { name: 'container_ip', type: 'string', required: true, source: 'user' },
+                { name: 'target_ip', type: 'string', required: true, source: 'user' },
               ],
             },
             requires: {
@@ -447,9 +447,9 @@ describe('Variable Context', () => {
 
       const context = await buildResolutionContext('auto-module', db);
 
-      // Should have auto-allocated vmid and container_ip
+      // Should have auto-allocated vmid and target_ip
       expect(context.selfConfig.vmid).toBe('2100');
-      expect(context.selfConfig.container_ip).toBe('10.0.10.10/24');
+      expect(context.selfConfig.target_ip).toBe('10.0.10.10/24');
 
       // Verify allocation persisted to database
       const allocations = await db.select().from(ipAllocations).all();
@@ -465,7 +465,7 @@ describe('Variable Context', () => {
         .where(eq(moduleConfigs.moduleId, 'auto-module'))
         .all();
       const vmidConfig = configs.find((c) => c.key === 'vmid');
-      const ipConfig = configs.find((c) => c.key === 'container_ip');
+      const ipConfig = configs.find((c) => c.key === 'target_ip');
       expect(vmidConfig?.value).toBe('2100');
       expect(ipConfig?.value).toBe('10.0.10.10/24');
     });
@@ -485,7 +485,7 @@ describe('Variable Context', () => {
             variables: {
               owns: [
                 { name: 'vmid', type: 'integer', required: true, source: 'user' },
-                { name: 'container_ip', type: 'string', required: true, source: 'user' },
+                { name: 'target_ip', type: 'string', required: true, source: 'user' },
               ],
             },
           },
@@ -506,14 +506,14 @@ describe('Variable Context', () => {
 
       // Should reuse existing allocation
       expect(context.selfConfig.vmid).toBe('2150');
-      expect(context.selfConfig.container_ip).toBe('10.0.10.50/24');
+      expect(context.selfConfig.target_ip).toBe('10.0.10.50/24');
 
       // Should not create duplicate allocation
       const allocations = await db.select().from(ipAllocations).all();
       expect(allocations).toHaveLength(1);
     });
 
-    test('should skip IPAM allocation if vmid and container_ip already configured', async () => {
+    test('should skip IPAM allocation if vmid and target_ip already configured', async () => {
       // Create module with existing config
       db.insert(modules)
         .values({
@@ -528,7 +528,7 @@ describe('Variable Context', () => {
             variables: {
               owns: [
                 { name: 'vmid', type: 'integer', required: true, source: 'user' },
-                { name: 'container_ip', type: 'string', required: true, source: 'user' },
+                { name: 'target_ip', type: 'string', required: true, source: 'user' },
               ],
             },
           },
@@ -538,7 +538,7 @@ describe('Variable Context', () => {
       db.insert(moduleConfigs)
         .values([
           { moduleId: 'manual-config', key: 'vmid', value: '9999' },
-          { moduleId: 'manual-config', key: 'container_ip', value: '192.168.99.99/24' },
+          { moduleId: 'manual-config', key: 'target_ip', value: '192.168.99.99/24' },
         ])
         .run();
 
@@ -546,15 +546,15 @@ describe('Variable Context', () => {
 
       // Should use existing config
       expect(context.selfConfig.vmid).toBe('9999');
-      expect(context.selfConfig.container_ip).toBe('192.168.99.99/24');
+      expect(context.selfConfig.target_ip).toBe('192.168.99.99/24');
 
       // Should not create allocation
       const allocations = await db.select().from(ipAllocations).all();
       expect(allocations).toHaveLength(0);
     });
 
-    test('should skip IPAM allocation for VPS modules without container_ip', async () => {
-      // Create VPS module (no container_ip variable)
+    test('should skip IPAM allocation for VPS modules without target_ip', async () => {
+      // Create VPS module (no target_ip variable)
       db.insert(modules)
         .values({
           id: 'vps-module',
@@ -576,7 +576,7 @@ describe('Variable Context', () => {
 
       // Should not allocate IPAM resources
       expect(context.selfConfig.vmid).toBeUndefined();
-      expect(context.selfConfig.container_ip).toBeUndefined();
+      expect(context.selfConfig.target_ip).toBeUndefined();
 
       const allocations = await db.select().from(ipAllocations).all();
       expect(allocations).toHaveLength(0);
@@ -597,7 +597,7 @@ describe('Variable Context', () => {
             variables: {
               owns: [
                 { name: 'vmid', type: 'integer', required: true, source: 'user' },
-                { name: 'container_ip', type: 'string', required: true, source: 'user' },
+                { name: 'target_ip', type: 'string', required: true, source: 'user' },
               ],
             },
           },
@@ -618,7 +618,7 @@ describe('Variable Context', () => {
             variables: {
               owns: [
                 { name: 'vmid', type: 'integer', required: true, source: 'user' },
-                { name: 'container_ip', type: 'string', required: true, source: 'user' },
+                { name: 'target_ip', type: 'string', required: true, source: 'user' },
               ],
             },
           },
@@ -634,8 +634,8 @@ describe('Variable Context', () => {
       expect(context2.selfConfig.vmid).toBe('2101');
 
       // Should have sequential IPs
-      expect(context1.selfConfig.container_ip).toBe('10.0.10.10/24');
-      expect(context2.selfConfig.container_ip).toBe('10.0.10.11/24');
+      expect(context1.selfConfig.target_ip).toBe('10.0.10.10/24');
+      expect(context2.selfConfig.target_ip).toBe('10.0.10.11/24');
 
       const allocations = await db.select().from(ipAllocations).all();
       expect(allocations).toHaveLength(2);
@@ -1254,7 +1254,7 @@ describe('Variable Context', () => {
 
     test('should auto-derive inventory variables in buildContextFromData', () => {
       const context = buildContextFromData('my-module', {
-        selfConfig: { container_ip: '10.0.30.15/24', hostname: 'my-host' },
+        selfConfig: { target_ip: '10.0.30.15/24', hostname: 'my-host' },
       });
 
       expect(context.selfConfig['inventory.ansible_host']).toBe('10.0.30.15');