@celilo/cli 0.1.4 → 0.1.6

package/src/cli/commands/module-remove.ts

@@ -7,10 +7,14 @@
 
 import { existsSync } from 'node:fs';
 import { join } from 'node:path';
-import { eq } from 'drizzle-orm';
+import { eq, ne } from 'drizzle-orm';
+import { FuelGauge } from '../../cli/fuel-gauge';
 import { getDb } from '../../db/client';
-import { moduleInfrastructure, modules } from '../../db/schema';
+import { capabilities as capabilitiesTable, moduleInfrastructure, modules } from '../../db/schema';
+import { createGaugeLogger } from '../../hooks/logger';
+import { runNamedHook } from '../../hooks/run-named-hook';
 import { deallocateForModule } from '../../ipam/auto-allocator';
+import { ModuleManifestSchema } from '../../manifest/schema';
 import { executeBuildWithProgress } from '../../services/build-stream';
 import { getContainerService, getServiceCredentials } from '../../services/container-service';
 import { getArg, hasFlag, validateRequiredArgs } from '../parser';
@@ -61,6 +65,82 @@ export async function handleModuleRemove(
     };
   }
 
+  // Check if any other installed module requires a capability this module provides
+  const providedCapabilities = db
+    .select()
+    .from(capabilitiesTable)
+    .where(eq(capabilitiesTable.moduleId, moduleId))
+    .all();
+
+  if (providedCapabilities.length > 0) {
+    const providedNames = new Set(providedCapabilities.map((c) => c.capabilityName));
+    const otherModules = db.select().from(modules).where(ne(modules.id, moduleId)).all();
+
+    const dependents = otherModules
+      .filter((m) => {
+        const parsed = ModuleManifestSchema.safeParse(m.manifestData);
+        if (!parsed.success) return false;
+        return (parsed.data.requires?.capabilities ?? []).some((req) =>
+          providedNames.has(req.name),
+        );
+      })
+      .map((m) => m.id);
+
+    if (dependents.length > 0) {
+      return {
+        success: false,
+        error: `Cannot remove '${moduleId}': the following installed modules depend on its capabilities: ${dependents.join(', ')}`,
+      };
+    }
+  }
+
+  // Run on_uninstall hook (if defined) BEFORE terraform destroy. Hooks
+  // typically need the module's runtime to still be up so they can talk
+  // to remote services — e.g. caddy's teardown SSHes the caddy host to
+  // unexpose its ports + clear the Caddyfile, which can't happen after
+  // terraform has destroyed the LXC. Failures here are best-effort: we
+  // log the error and continue with removal so an operator can still
+  // unstick a half-broken module. Use --force to skip the confirmation
+  // prompt on hook failure.
+  const manifestForHook = module.manifestData as { hooks?: { on_uninstall?: unknown } } | undefined;
+  if (manifestForHook?.hooks?.on_uninstall) {
+    // Match build-stream's TTY detection: in non-TTY contexts (tests,
+    // pipes, --no-interactive flow) skipAnimation prevents the gauge's
+    // setInterval/raw-stdin handlers from blocking process exit.
+    const isInteractive = process.stdout.isTTY && process.stdin.isTTY;
+    const gauge = new FuelGauge(`${moduleId}: on_uninstall`, {
+      skipAnimation: !isInteractive,
+    });
+    gauge.start();
+    const logger = createGaugeLogger(gauge, moduleId, 'on_uninstall');
+    const hookResult = await runNamedHook(moduleId, 'on_uninstall', db, logger, {});
+    if (hookResult.success) {
+      gauge.stop(true);
+    } else {
+      gauge.stop(false);
+      log.warn(`on_uninstall failed: ${hookResult.error ?? 'unknown error'}`);
+      if (force) {
+        log.info('--force set, continuing removal despite hook failure');
+      } else if (!isInteractive) {
+        // Non-TTY (tests, scripts, piped input). Don't try to prompt —
+        // @clack/prompts hangs on stdin in that context. Default
+        // behaviour: continue with removal so a hook crash doesn't
+        // wedge automation. Operators who want strict failure can
+        // re-run `celilo module run-hook <id> on_uninstall` manually.
+        log.warn('Non-interactive context detected; continuing removal despite hook failure');
+      } else {
+        const proceed = await promptConfirm({
+          message:
+            'on_uninstall hook failed. Continue removing the module anyway? ' +
+            '(some external state may not be cleaned up)',
+        });
+        if (!proceed) {
+          return { success: false, error: 'Removal cancelled after on_uninstall failure' };
+        }
+      }
+    }
+  }
+
   // Check if module has infrastructure that needs to be destroyed
   const infra = db
     .select()

package/src/cli/commands/module-search.ts

@@ -0,0 +1,57 @@
+/**
+ * Module search command — search the registry for modules
+ *
+ * Usage: celilo module search [<query>] [--registry <url>] [--limit <n>]
+ */
+
+import { RegistryClient } from '../../registry/client';
+import { getArg, getFlag } from '../parser';
+import type { CommandResult } from '../types';
+
+export async function handleModuleSearch(
+  args: string[],
+  flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const query = getArg(args, 0) ?? '';
+  const limit = Number(getFlag(flags, 'limit', '25'));
+  const registryUrl = getFlag(flags, 'registry', '');
+  const client = new RegistryClient(registryUrl || undefined);
+
+  let result: Awaited<ReturnType<typeof client.search>>;
+  try {
+    result = await client.search(query, limit);
+  } catch (err) {
+    return {
+      success: false,
+      error: `Registry unreachable: ${err instanceof Error ? err.message : String(err)}`,
+    };
+  }
+
+  if (result.modules.length === 0) {
+    return {
+      success: true,
+      message: query ? `No modules found matching "${query}"` : 'Registry is empty',
+    };
+  }
+
+  const nameWidth = Math.max(4, ...result.modules.map((m) => m.name.length));
+  const versionWidth = Math.max(7, ...result.modules.map((m) => m.max_version.length));
+
+  const header = `${'NAME'.padEnd(nameWidth)}  ${'VERSION'.padEnd(versionWidth)}  DESCRIPTION`;
+  const divider = '-'.repeat(header.length);
+  const rows = result.modules.map(
+    (m) =>
+      `${m.name.padEnd(nameWidth)}  ${m.max_version.padEnd(versionWidth)}  ${m.description || ''}`,
+  );
+
+  const footer =
+    result.total > result.modules.length
+      ? `\n(showing ${result.modules.length} of ${result.total} — use --limit to see more)`
+      : '';
+
+  return {
+    success: true,
+    message: [header, divider, ...rows].join('\n') + footer,
+    data: result,
+  };
+}

package/src/cli/commands/module-secret-get.ts

@@ -0,0 +1,59 @@
+/**
+ * Module secret get command
+ * Retrieves and decrypts a module-level secret
+ */
+
+import { and, eq } from 'drizzle-orm';
+import { getDb } from '../../db/client';
+import { secrets } from '../../db/schema';
+import { decryptSecret } from '../../secrets/encryption';
+import { getOrCreateMasterKey } from '../../secrets/master-key';
+import { getArg } from '../parser';
+import type { CommandResult } from '../types';
+
+/**
+ * Handle module secret get command
+ *
+ * Usage: celilo module secret get <module-id> <key>
+ *
+ * @param args - Command arguments
+ * @returns Command result with decrypted secret value
+ */
+export async function handleModuleSecretGet(args: string[]): Promise<CommandResult> {
+  const moduleId = getArg(args, 0);
+  const key = getArg(args, 1);
+
+  if (!moduleId || !key) {
+    return {
+      success: false,
+      error: 'Usage: celilo module secret get <module-id> <key>',
+    };
+  }
+
+  const db = getDb();
+  const secret = db
+    .select()
+    .from(secrets)
+    .where(and(eq(secrets.moduleId, moduleId), eq(secrets.name, key)))
+    .get();
+
+  if (!secret) {
+    return {
+      success: false,
+      error: `Secret not found: ${moduleId}/${key}`,
+    };
+  }
+
+  const masterKey = await getOrCreateMasterKey();
+  const decrypted = decryptSecret(
+    { encryptedValue: secret.encryptedValue, iv: secret.iv, authTag: secret.authTag },
+    masterKey,
+  );
+
+  return {
+    success: true,
+    message: decrypted,
+    rawOutput: true,
+    data: { moduleId, key, value: decrypted },
+  };
+}

package/src/cli/commands/module-show.ts

@@ -68,7 +68,7 @@ export async function handleModuleShowConfig(args: string[]): Promise<CommandRes
       if (
         key.startsWith('inventory.') ||
         key === 'vmid' ||
-        key === 'container_ip' ||
+        key === 'target_ip' ||
         key === 'gateway' ||
         key === 'vlan' ||
         key === 'subnet' ||

package/src/cli/commands/module-terraform-unlock.ts

@@ -0,0 +1,57 @@
+/**
+ * module terraform-unlock command
+ *
+ * Removes a stale Terraform state lock for a module.
+ * Only use this if you are certain no other deploy is running.
+ */
+
+import { existsSync, rmSync } from 'node:fs';
+import { join } from 'node:path';
+import { eq } from 'drizzle-orm';
+import { getDb } from '../../db/client';
+import { modules } from '../../db/schema';
+import { validateRequiredArgs } from '../parser';
+import { log } from '../prompts';
+import type { CommandResult } from '../types';
+
+export async function handleModuleTerraformUnlock(args: string[]): Promise<CommandResult> {
+  const error = validateRequiredArgs(args, 1);
+  if (error) {
+    return {
+      success: false,
+      error: 'Usage: celilo module terraform-unlock <module-id>',
+    };
+  }
+
+  const moduleId = args[0];
+  const db = getDb();
+  const module = await db.select().from(modules).where(eq(modules.id, moduleId)).get();
+
+  if (!module) {
+    return { success: false, error: `Module not found: ${moduleId}` };
+  }
+
+  const lockFile = join(
+    module.sourcePath,
+    'generated',
+    'terraform',
+    '.terraform.tfstate.lock.info',
+  );
+
+  if (!existsSync(lockFile)) {
+    log.success(`No state lock found for ${moduleId}`);
+    return { success: true, message: `No state lock found for ${moduleId}` };
+  }
+
+  try {
+    rmSync(lockFile);
+    log.success(`State lock removed for ${moduleId}`);
+    log.message('You can now retry the deploy.');
+    return { success: true, message: `State lock removed for ${moduleId}` };
+  } catch (err) {
+    return {
+      success: false,
+      error: `Failed to remove lock file: ${err instanceof Error ? err.message : String(err)}\n\nTry manually: rm ${lockFile}`,
+    };
+  }
+}

package/src/cli/commands/module-verify.test.ts

@@ -0,0 +1,59 @@
+import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { moduleAudit } from './module-audit';
+import { moduleVerify } from './module-verify';
+
+describe('moduleVerify', () => {
+  test('returns error when module ID is missing', async () => {
+    const result = await moduleVerify([]);
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.error).toContain('Module ID is required');
+      expect(result.error).toContain('module verify');
+    }
+  });
+});
+
+describe('moduleAudit (deprecation alias)', () => {
+  let dataDir: string;
+  const originalDataDir = process.env.CELILO_DATA_DIR;
+  const originalDbPath = process.env.CELILO_DB_PATH;
+
+  beforeEach(() => {
+    dataDir = mkdtempSync(join(tmpdir(), 'celilo-audit-alias-'));
+    process.env.CELILO_DATA_DIR = dataDir;
+    process.env.CELILO_DB_PATH = join(dataDir, 'celilo.db');
+  });
+
+  afterEach(() => {
+    rmSync(dataDir, { recursive: true, force: true });
+    if (originalDataDir === undefined) process.env.CELILO_DATA_DIR = undefined;
+    else process.env.CELILO_DATA_DIR = originalDataDir;
+    if (originalDbPath === undefined) process.env.CELILO_DB_PATH = undefined;
+    else process.env.CELILO_DB_PATH = originalDbPath;
+  });
+
+  test('writes a deprecation warning to stderr and delegates to verify', async () => {
+    const writes: Buffer[] = [];
+    const originalWrite = process.stderr.write.bind(process.stderr);
+    // Narrower override is fine for the duration of the test; cast to
+    // bypass the overload set on Process['stderr']['write'].
+    process.stderr.write = ((chunk: string | Buffer) => {
+      writes.push(typeof chunk === 'string' ? Buffer.from(chunk) : chunk);
+      return true;
+    }) as typeof process.stderr.write;
+
+    try {
+      const result = await moduleAudit([]); // no args triggers the same arg-error
+      expect(result.success).toBe(false);
+    } finally {
+      process.stderr.write = originalWrite;
+    }
+
+    const stderr = Buffer.concat(writes).toString('utf-8');
+    expect(stderr).toContain('deprecated');
+    expect(stderr).toContain('module verify');
+  });
+});

package/src/cli/commands/module-verify.ts

@@ -0,0 +1,53 @@
+import { auditModule } from '../../module/packaging/audit';
+import type { CommandResult } from '../types';
+
+/**
+ * Verify module integrity (signature + checksums).
+ *
+ * Usage: celilo module verify <module-id>
+ *
+ * Renamed from `module audit` per CELILO_UPDATE D11 — `audit` is now
+ * reserved for system-level drift detection (`celilo system audit`).
+ * The legacy `module audit` continues to work via a deprecation alias
+ * (see `module-audit.ts`).
+ *
+ * Returns a CommandResult so the dispatcher controls process exit
+ * behavior.
+ */
+export async function moduleVerify(args: string[]): Promise<CommandResult> {
+  if (args.length === 0) {
+    return {
+      success: false,
+      error: 'Module ID is required\n\nUsage: celilo module verify <module-id>',
+    };
+  }
+
+  const moduleId = args[0];
+
+  const result = await auditModule(moduleId);
+
+  if (result.error) {
+    return { success: false, error: result.error };
+  }
+
+  if (result.success) {
+    return {
+      success: true,
+      message: `Module '${moduleId}' passed integrity check\n  No violations found.`,
+    };
+  }
+
+  const violationLines = result.violations.map((v) => {
+    const icon = v.type === 'missing' ? '⚠' : v.type === 'modified' ? '✗' : '!';
+    return `  ${icon} [${v.type.toUpperCase()}] ${v.message}`;
+  });
+
+  return {
+    success: false,
+    error: [
+      `Module '${moduleId}' failed integrity check`,
+      `  Found ${result.violations.length} violation(s):`,
+      ...violationLines,
+    ].join('\n'),
+  };
+}

package/src/cli/commands/status.ts

@@ -13,40 +13,40 @@ import type { ModuleManifest } from '../../manifest/schema';
 import type { CommandResult } from '../types';
 
 /**
- * Determine module status based on configuration and filesystem
+ * Determine module status for display.
+ *
+ * Uses the DB state as the primary source of truth.
+ * Falls back to filesystem / config inspection for IMPORTED/CONFIGURED modules
+ * that haven't yet been deployed.
  */
 async function determineModuleStatus(
   _moduleId: string,
   manifest: ModuleManifest,
   configs: (typeof moduleConfigs.$inferSelect)[],
   generatedPath: string,
+  dbState: string,
 ): Promise<{
-  status: 'IMPORTED' | 'CONFIGURED' | 'GENERATED' | 'DEPLOYED' | 'NEEDS_UPDATE';
+  status: 'IMPORTED' | 'CONFIGURED' | 'GENERATED' | 'DEPLOYED' | 'VERIFIED' | 'NEEDS_UPDATE';
   missingCount?: number;
 }> {
-  // Check if generated directory exists and has recent files
+  // Deployed states come directly from the DB — don't infer from filesystem
+  if (dbState === 'VERIFIED') return { status: 'VERIFIED' };
+  if (dbState === 'INSTALLED') return { status: 'DEPLOYED' };
+
+  // For pre-deploy states, derive from filesystem / config
   if (existsSync(generatedPath)) {
-    // TODO: Add DEPLOYED and NEEDS_UPDATE detection
-    // For now, if generated exists, it's GENERATED
     return { status: 'GENERATED' };
   }
 
-  // Check if all required variables are set
   const requiredVars = manifest.variables?.owns?.filter((v) => v.required) || [];
   const configMap = new Map(configs.map((c) => [c.key, true]));
-
   const missingVars = requiredVars.filter((v) => !configMap.has(v.name));
 
-  if (missingVars.length === 0 && requiredVars.length > 0) {
-    return { status: 'CONFIGURED' };
-  }
-
   if (missingVars.length > 0) {
     return { status: 'IMPORTED', missingCount: missingVars.length };
   }
 
-  // No required variables, but some config set
-  if (configs.length > 0) {
+  if (requiredVars.length > 0 || configs.length > 0) {
     return { status: 'CONFIGURED' };
   }
 
@@ -116,10 +116,16 @@ export async function handleStatus(): Promise<CommandResult> {
           manifest,
           moduleConfigsList,
           generatedPath,
+          module.state,
         );
 
         // Status icon
-        const icon = statusInfo.status === 'GENERATED' ? '✓' : '⚠';
+        const icon =
+          statusInfo.status === 'VERIFIED' ||
+          statusInfo.status === 'DEPLOYED' ||
+          statusInfo.status === 'GENERATED'
+            ? '✓'
+            : '⚠';
 
         lines.push(`  ${icon} ${module.id} (v${module.version})`);
         lines.push(`    Status: ${statusInfo.status}`);
@@ -169,7 +175,11 @@ export async function handleStatus(): Promise<CommandResult> {
         }
 
         // Show when last generated (if applicable)
-        if (statusInfo.status === 'GENERATED') {
+        if (
+          statusInfo.status === 'GENERATED' ||
+          statusInfo.status === 'DEPLOYED' ||
+          statusInfo.status === 'VERIFIED'
+        ) {
           try {
             const stats = await stat(generatedPath);
             const age = Date.now() - stats.mtimeMs;
@@ -197,11 +207,11 @@ export async function handleStatus(): Promise<CommandResult> {
 
     // Legend
     lines.push('Legend:');
-    lines.push('  IMPORTED      - Module imported, not configured');
-    lines.push('  CONFIGURED    - Configuration complete, not generated');
-    lines.push('  GENERATED     - Infrastructure code generated, not deployed');
-    lines.push('  DEPLOYED      - Running in production (not yet implemented)');
-    lines.push('  NEEDS_UPDATE  - Configuration changed, needs regeneration (not yet implemented)');
+    lines.push('  IMPORTED   - Module imported, not configured');
+    lines.push('  CONFIGURED - Configuration complete, not generated');
+    lines.push('  GENERATED  - Infrastructure code generated, not deployed');
+    lines.push('  DEPLOYED   - Deployed (Ansible complete, health check pending)');
+    lines.push('  VERIFIED   - Deployed and health checks passed');
 
     return {
       success: true,

package/src/cli/commands/system-audit.test.ts

@@ -0,0 +1,138 @@
+import { describe, expect, test } from 'bun:test';
+import type { SystemAuditReport } from '../../services/audit';
+import { formatReport } from './system-audit';
+
+const baseReport = (overrides: Partial<SystemAuditReport> = {}): SystemAuditReport => ({
+  version: 1,
+  verdict: 'READY',
+  generatedAt: '2026-04-25T00:00:00.000Z',
+  findings: [],
+  ...overrides,
+});
+
+describe('formatReport', () => {
+  test('READY report calls out no drift', () => {
+    const out = formatReport(baseReport());
+    expect(out).toContain('READY');
+    expect(out).toContain('No drift detected');
+  });
+
+  test('DRIFT report lists each finding with remediation', () => {
+    const out = formatReport(
+      baseReport({
+        verdict: 'DRIFT',
+        findings: [
+          {
+            category: 'cli_version',
+            severity: 'drift',
+            code: 'cli_version_drift',
+            message: '@celilo/cli 0.1.5 → 0.1.7 available',
+            remediation: '`celilo system update` will self-update first',
+            subject: 'system',
+          },
+        ],
+      }),
+    );
+
+    expect(out).toContain('DRIFT (1 finding)');
+    expect(out).toContain('@celilo/cli 0.1.5 → 0.1.7');
+    expect(out).toContain('→ `celilo system update`');
+  });
+
+  test('BLOCKED report puts blocked findings first', () => {
+    const out = formatReport(
+      baseReport({
+        verdict: 'BLOCKED',
+        findings: [
+          {
+            category: 'cli_version',
+            severity: 'drift',
+            code: 'cli_version_drift',
+            message: 'cli is old',
+            subject: 'system',
+          },
+          {
+            category: 'schema',
+            severity: 'blocked',
+            code: 'schema_pending_migrations',
+            message: '2 pending DB migrations',
+            subject: 'system',
+          },
+        ],
+      }),
+    );
+
+    const blockedIdx = out.indexOf('BLOCKED • schema');
+    const driftIdx = out.indexOf('DRIFT • cli_version');
+    expect(blockedIdx).toBeGreaterThanOrEqual(0);
+    expect(driftIdx).toBeGreaterThan(blockedIdx);
+  });
+
+  test('groups findings by category', () => {
+    const out = formatReport(
+      baseReport({
+        verdict: 'DRIFT',
+        findings: [
+          {
+            category: 'module_versions',
+            severity: 'drift',
+            code: 'x',
+            message: 'caddy: 1.0 → 1.1',
+            subject: 'caddy',
+          },
+          {
+            category: 'module_versions',
+            severity: 'drift',
+            code: 'x',
+            message: 'iptables: 1.0 → 1.1',
+            subject: 'iptables',
+          },
+        ],
+      }),
+    );
+
+    expect(out).toContain('DRIFT • module_versions (2)');
+    expect(out).toContain('caddy: 1.0 → 1.1');
+    expect(out).toContain('iptables: 1.0 → 1.1');
+  });
+
+  test('renders details on indented lines', () => {
+    const out = formatReport(
+      baseReport({
+        verdict: 'BLOCKED',
+        findings: [
+          {
+            category: 'schema',
+            severity: 'blocked',
+            code: 'schema_pending_migrations',
+            message: '2 pending DB migrations',
+            details: '  • 0001_zones\n  • 0002_backups',
+            subject: 'system',
+          },
+        ],
+      }),
+    );
+
+    expect(out).toContain('0001_zones');
+    expect(out).toContain('0002_backups');
+  });
+
+  test('singular wording for exactly one finding', () => {
+    const out = formatReport(
+      baseReport({
+        verdict: 'DRIFT',
+        findings: [
+          {
+            category: 'cli_version',
+            severity: 'drift',
+            code: 'x',
+            message: 'cli is old',
+            subject: 'system',
+          },
+        ],
+      }),
+    );
+    expect(out).toContain('DRIFT (1 finding)');
+    expect(out).not.toContain('1 findings');
+  });
+});