@celilo/cli 0.1.5 → 0.1.6

package/src/services/audit/module-versions.ts

@@ -0,0 +1,154 @@
+/**
+ * Module version drift check.
+ *
+ * For each installed module, compares the installed version to the
+ * latest non-yanked version in the registry. A newer published version
+ * produces a `drift` finding per module. Network/registry failures
+ * for individual modules are surfaced as findings (severity: drift)
+ * so the user knows their audit may be incomplete, but they don't
+ * block the run.
+ *
+ * `registryFetcher` is injectable so tests don't hit a real registry.
+ */
+
+import { compareSemver } from './cli-version';
+import type { DriftFinding } from './types';
+
+export interface InstalledModule {
+  id: string;
+  version: string;
+}
+
+export interface RegistryVersionInfo {
+  latest: string | null;
+  /** Optional: count of intermediate releases between installed and latest, for the report. */
+  intermediateCount?: number;
+  /**
+   * Optional: release.json `message` from each release between installed
+   * and latest, newest-first. Surfaced in the audit report so the user
+   * sees "what changed" without leaving the terminal.
+   */
+  intermediateMessages?: Array<{ version: string; message: string }>;
+}
+
+/**
+ * Fetches the latest registry version for a module. Returns null in
+ * the `.latest` field if the module isn't in the registry; throws on
+ * a transport error so the caller can decide between "module not
+ * published" and "lookup failed".
+ */
+export type ModuleVersionFetcher = (moduleId: string) => Promise<RegistryVersionInfo>;
+
+/**
+ * Bucket-key for a rejection reason: a short string that identifies
+ * the class of failure. Used to detect "every module failed for the
+ * same reason" (e.g. registry unreachable) so we can collapse to one
+ * aggregate finding instead of N noisy ones.
+ */
+function errorBucketKey(reason: unknown): string {
+  if (reason instanceof Error) {
+    if (reason.name === 'TimeoutError') return 'timeout';
+    if (reason.message.includes('ENOTFOUND') || reason.message.includes('EAI_AGAIN')) return 'dns';
+    if (reason.message.includes('ECONNREFUSED')) return 'connection-refused';
+    if (reason.message.includes('fetch failed')) return 'fetch-failed';
+    return reason.name;
+  }
+  return String(reason).slice(0, 40);
+}
+
+export interface ModuleVersionsAuditDeps {
+  installed: InstalledModule[];
+  fetcher: ModuleVersionFetcher;
+}
+
+export async function auditModuleVersions(deps: ModuleVersionsAuditDeps): Promise<DriftFinding[]> {
+  const findings: DriftFinding[] = [];
+
+  // Run lookups in parallel; isolate per-module failures.
+  const results = await Promise.allSettled(
+    deps.installed.map(async (m) => ({ module: m, info: await deps.fetcher(m.id) })),
+  );
+
+  // If every lookup failed with the same error class (e.g. the
+  // registry is unreachable), emit ONE aggregate finding instead of
+  // N identical per-module findings — that's the user-facing signal,
+  // not "module X is broken".
+  const rejected = results.filter((r) => r.status === 'rejected') as PromiseRejectedResult[];
+  if (rejected.length > 0 && rejected.length === results.length) {
+    const errorBuckets = new Map<string, number>();
+    for (const r of rejected) {
+      const key = errorBucketKey(r.reason);
+      errorBuckets.set(key, (errorBuckets.get(key) ?? 0) + 1);
+    }
+    if (errorBuckets.size === 1) {
+      const [reason] = errorBuckets.keys();
+      findings.push({
+        category: 'module_versions',
+        severity: 'drift',
+        code: 'registry_unreachable',
+        message: `Registry unreachable — ${rejected.length} module${rejected.length === 1 ? '' : 's'} unchecked (${reason})`,
+        remediation: 'Check network connectivity to the registry, then press R to re-audit.',
+        actionable: false,
+        subject: 'system',
+      });
+      return findings;
+    }
+  }
+
+  for (let i = 0; i < results.length; i++) {
+    const r = results[i];
+    const installed = deps.installed[i];
+
+    if (r.status === 'rejected') {
+      findings.push({
+        category: 'module_versions',
+        severity: 'drift',
+        code: 'module_version_lookup_failed',
+        message: `${installed.id}: registry lookup failed (${String(r.reason).slice(0, 80)})`,
+        remediation: 'Check network connectivity to the registry, then press R to re-audit.',
+        actionable: false,
+        subject: installed.id,
+      });
+      continue;
+    }
+
+    const { module, info } = r.value;
+    if (info.latest === null) {
+      findings.push({
+        category: 'module_versions',
+        severity: 'drift',
+        code: 'module_not_in_registry',
+        message: `${module.id}@${module.version}: not found in registry (private/local-only build?)`,
+        subject: module.id,
+      });
+      continue;
+    }
+
+    const cmp = compareSemver(module.version, info.latest);
+    if (cmp >= 0) continue; // up to date or ahead
+
+    const tail =
+      info.intermediateCount && info.intermediateCount > 1
+        ? ` (${info.intermediateCount} intervening releases)`
+        : '';
+
+    // Format release messages as `details` lines if present.
+    const details =
+      info.intermediateMessages && info.intermediateMessages.length > 0
+        ? info.intermediateMessages.map((m) => `  ↳ "${m.message}" (${m.version})`).join('\n')
+        : undefined;
+
+    findings.push({
+      category: 'module_versions',
+      severity: 'drift',
+      code: 'module_version_drift',
+      message: `${module.id}: ${module.version} → ${info.latest}${tail}`,
+      details,
+      remediation: 'celilo system update',
+      actionable: true,
+      subject: module.id,
+    });
+  }
+
+  return findings;
+}

package/src/services/audit/schema.test.ts

@@ -0,0 +1,68 @@
+import { describe, expect, test } from 'bun:test';
+import type { DbClient } from '../../db/client';
+import { auditSchema } from './schema';
+
+const fakeDb = {} as DbClient;
+
+const journalWith = (tags: string[]) => () => ({
+  version: '5',
+  dialect: 'sqlite',
+  entries: tags.map((tag, i) => ({ idx: i, tag, when: 1700000000 + i })),
+});
+
+describe('auditSchema', () => {
+  test('no finding when journal is missing (folder not on disk)', async () => {
+    const result = await auditSchema({
+      journal: () => null,
+      applied: () => [],
+      db: fakeDb,
+    });
+    expect(result).toEqual([]);
+  });
+
+  test('no finding when every journal entry is applied', async () => {
+    const result = await auditSchema({
+      journal: journalWith(['0000_init', '0001_add_zones']),
+      applied: () => ['0000_init', '0001_add_zones'],
+      db: fakeDb,
+    });
+    expect(result).toEqual([]);
+  });
+
+  test('blocked finding when migrations are pending', async () => {
+    const result = await auditSchema({
+      journal: journalWith(['0000_init', '0001_add_zones', '0002_backup_tables']),
+      applied: () => ['0000_init'],
+      db: fakeDb,
+    });
+
+    expect(result).toHaveLength(1);
+    expect(result[0]).toMatchObject({
+      category: 'schema',
+      severity: 'blocked',
+      code: 'schema_pending_migrations',
+      subject: 'system',
+    });
+    expect(result[0].message).toContain('2 pending');
+    expect(result[0].details).toContain('0001_add_zones');
+    expect(result[0].details).toContain('0002_backup_tables');
+  });
+
+  test('singular wording for exactly one pending migration', async () => {
+    const result = await auditSchema({
+      journal: journalWith(['0000_init', '0001_add_zones']),
+      applied: () => ['0000_init'],
+      db: fakeDb,
+    });
+    expect(result[0].message).toBe('1 pending DB migration');
+  });
+
+  test('treats applied set as a set (order-independent)', async () => {
+    const result = await auditSchema({
+      journal: journalWith(['0000_init', '0001_add_zones']),
+      applied: () => ['0001_add_zones', '0000_init'], // reversed
+      db: fakeDb,
+    });
+    expect(result).toEqual([]);
+  });
+});

package/src/services/audit/schema.ts

@@ -0,0 +1,115 @@
+/**
+ * DB schema drift check.
+ *
+ * Compares the drizzle migrations folder against the `__drizzle_migrations`
+ * table. If the folder has more entries than the table records, a
+ * `blocked` finding is produced. In the typical celilo runtime, missing
+ * migrations are auto-applied at DB connect time (see
+ * `apps/celilo/src/db/client.ts:createDbClient`), so this check is a
+ * sanity net for cases where the auto-migrate path was skipped or
+ * failed silently.
+ *
+ * The `journalReader` and `appliedReader` deps are injectable so tests
+ * don't need a real drizzle journal on disk or a real DB.
+ */
+
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import type { DbClient } from '../../db/client';
+import type { DriftFinding } from './types';
+
+interface DrizzleJournalEntry {
+  idx: number;
+  tag: string;
+  when: number;
+}
+
+interface DrizzleJournal {
+  version: string;
+  dialect: string;
+  entries: DrizzleJournalEntry[];
+}
+
+export type JournalReader = () => DrizzleJournal | null;
+export type AppliedReader = (db: DbClient) => string[];
+
+/**
+ * Default journal reader: parses `<migrationsFolder>/meta/_journal.json`.
+ * Returns null if the journal isn't present (callers treat as "nothing to compare").
+ */
+export function makeJournalReader(migrationsFolder: string): JournalReader {
+  return () => {
+    const journalPath = join(migrationsFolder, 'meta', '_journal.json');
+    if (!existsSync(journalPath)) return null;
+    try {
+      return JSON.parse(readFileSync(journalPath, 'utf-8')) as DrizzleJournal;
+    } catch {
+      return null;
+    }
+  };
+}
+
+/**
+ * Default applied-migrations reader: queries `__drizzle_migrations`.
+ * Returns an empty array if the table doesn't exist (fresh DB).
+ */
+export const readAppliedMigrations: AppliedReader = (db) => {
+  // The drizzle migrations table tracks `hash` (which is the migration tag).
+  // We use a raw query because the table isn't in our schema definitions.
+  try {
+    const sqlite = (
+      db as unknown as { $client?: { query: (sql: string) => { all: () => unknown[] } } }
+    ).$client;
+    if (!sqlite) return [];
+    const rows = sqlite.query('SELECT hash FROM __drizzle_migrations').all() as Array<{
+      hash: string;
+    }>;
+    return rows.map((r) => r.hash);
+  } catch {
+    return [];
+  }
+};
+
+export interface SchemaAuditDeps {
+  journal: JournalReader;
+  applied: AppliedReader;
+  db: DbClient;
+}
+
+export async function auditSchema(deps: SchemaAuditDeps): Promise<DriftFinding[]> {
+  const journal = deps.journal();
+  if (!journal) return []; // No migrations folder → nothing to compare.
+
+  // drizzle stores SHA-256 hashes (not tag names) in __drizzle_migrations,
+  // so we can't intersect tags. The next-best signal is "did all the
+  // journal entries get applied?" — compare counts. The applied count
+  // can also exceed the journal count for old DBs with stale tracking
+  // rows; only flag when applied < journal.
+  const applied = deps.applied(deps.db);
+  const pendingCount = journal.entries.length - applied.length;
+  if (pendingCount <= 0) return [];
+
+  // We can identify *which* migrations are pending by treating the
+  // journal as ordered: the last `pendingCount` entries are the ones
+  // not yet tracked. Drizzle applies them in idx order, so the tail
+  // is the unapplied set.
+  const sortedJournal = [...journal.entries].sort((a, b) => a.idx - b.idx);
+  const pendingEntries = sortedJournal.slice(-pendingCount);
+
+  return [
+    {
+      category: 'schema',
+      severity: 'blocked',
+      code: 'schema_pending_migrations',
+      message: `${pendingCount} pending DB migration${pendingCount === 1 ? '' : 's'}`,
+      details: pendingEntries.map((e) => `  • ${e.tag}`).join('\n'),
+      remediation: [
+        'Migrations apply automatically when celilo starts.',
+        'Restart any long-running celilo process, or run',
+        'bun run apps/celilo/src/db/migrate.ts directly.',
+      ].join('\n'),
+      actionable: false,
+      subject: 'system',
+    },
+  ];
+}

package/src/services/audit/secrets-decryptable.test.ts

@@ -0,0 +1,82 @@
+import { describe, expect, test } from 'bun:test';
+import { auditSecretsDecryptable } from './secrets-decryptable';
+
+describe('auditSecretsDecryptable', () => {
+  test('no findings when every secret decrypts', async () => {
+    const result = await auditSecretsDecryptable({
+      results: [
+        { scope: 'module', subject: 'caddy', name: 'acme_token', error: null },
+        { scope: 'system', subject: 'system', name: 'master', error: null },
+      ],
+    });
+    expect(result).toEqual([]);
+  });
+
+  test('per-secret findings when some decrypt and others fail', async () => {
+    const result = await auditSecretsDecryptable({
+      results: [
+        { scope: 'module', subject: 'caddy', name: 'good', error: null },
+        {
+          scope: 'module',
+          subject: 'iptables',
+          name: 'bad',
+          error: 'Unsupported state or unable to authenticate data',
+        },
+      ],
+    });
+    expect(result).toHaveLength(1);
+    expect(result[0]).toMatchObject({
+      category: 'secrets_decryptable',
+      severity: 'blocked',
+      subject: 'iptables',
+      actionable: false,
+    });
+    expect(result[0].code).toContain('module');
+    expect(result[0].remediation).toContain('celilo module secret set iptables bad');
+  });
+
+  test('collapses to "master_key_mismatch" when every secret fails identically', async () => {
+    const result = await auditSecretsDecryptable({
+      results: [
+        { scope: 'module', subject: 'caddy', name: 'a', error: 'bad auth tag' },
+        { scope: 'module', subject: 'iptables', name: 'b', error: 'bad auth tag' },
+        { scope: 'system', subject: 'system', name: 'c', error: 'bad auth tag' },
+      ],
+    });
+    expect(result).toHaveLength(1);
+    expect(result[0]).toMatchObject({
+      category: 'secrets_decryptable',
+      severity: 'blocked',
+      code: 'master_key_mismatch',
+      subject: 'system',
+      actionable: false,
+    });
+    expect(result[0].message).toContain('All 3 secrets fail to decrypt');
+  });
+
+  test('does NOT collapse when failures have different errors', async () => {
+    const result = await auditSecretsDecryptable({
+      results: [
+        { scope: 'module', subject: 'caddy', name: 'a', error: 'bad auth tag' },
+        { scope: 'system', subject: 'system', name: 'b', error: 'corrupted' },
+      ],
+    });
+    expect(result).toHaveLength(2);
+    expect(result.every((f) => f.code !== 'master_key_mismatch')).toBe(true);
+  });
+
+  test('different scopes produce different remediation text', async () => {
+    // Distinct error messages so the "all-fail-same-reason" collapse
+    // doesn't trigger — we want per-scope findings here.
+    const result = await auditSecretsDecryptable({
+      results: [
+        { scope: 'module', subject: 'caddy', name: 'm', error: 'bad tag' },
+        { scope: 'system', subject: 'system', name: 's', error: 'bad iv' },
+      ],
+    });
+    const moduleFinding = result.find((f) => f.subject === 'caddy');
+    const systemFinding = result.find((f) => f.subject === 'system');
+    expect(moduleFinding?.remediation).toContain('celilo module secret set');
+    expect(systemFinding?.remediation).toContain('celilo system secret set');
+  });
+});

package/src/services/audit/secrets-decryptable.ts

@@ -0,0 +1,97 @@
+/**
+ * Secrets-decryptable check.
+ *
+ * Walks every encrypted secret in the celilo DB (module secrets,
+ * system secrets, capability secrets) and verifies it decrypts
+ * cleanly with the current master key. Catches:
+ *
+ * - Master key rotated without re-encrypting existing secrets.
+ * - Encryption envelope corrupted by external write.
+ * - Algorithm mismatch (key length / GCM tag failure).
+ *
+ * When *every* secret fails with the same error, we collapse to a
+ * single "master key mismatch" finding instead of N identical ones —
+ * the user-facing signal is "the master key is wrong", not "secret
+ * X is broken".
+ */
+
+import type { DriftFinding } from './types';
+
+export type SecretScope = 'module' | 'system' | 'capability';
+
+export interface SecretCheckResult {
+  scope: SecretScope;
+  /** Module ID for module/capability secrets; 'system' for system secrets. */
+  subject: string;
+  /** Secret name (e.g. `router_password`, `proxmox_api_token`). */
+  name: string;
+  /** null on success; error message on failure. */
+  error: string | null;
+}
+
+export interface SecretsDecryptableAuditDeps {
+  results: SecretCheckResult[];
+}
+
+export async function auditSecretsDecryptable(
+  deps: SecretsDecryptableAuditDeps,
+): Promise<DriftFinding[]> {
+  const failed = deps.results.filter((r) => r.error !== null);
+  if (failed.length === 0) return [];
+
+  // If every secret fails with the same error class, collapse to one
+  // finding pointing at the master key — that's the actual problem,
+  // not N broken records.
+  if (failed.length === deps.results.length && deps.results.length > 1) {
+    const errorBuckets = new Map<string, number>();
+    for (const r of failed) {
+      const key = (r.error ?? '').slice(0, 60);
+      errorBuckets.set(key, (errorBuckets.get(key) ?? 0) + 1);
+    }
+    if (errorBuckets.size === 1) {
+      const [reason] = errorBuckets.keys();
+      return [
+        {
+          category: 'secrets_decryptable',
+          severity: 'blocked',
+          code: 'master_key_mismatch',
+          message: `All ${failed.length} secrets fail to decrypt — master key may be wrong or rotated`,
+          details: reason,
+          remediation: [
+            'Every secret in the celilo DB fails to decrypt with the',
+            'current master key. Common causes:',
+            '',
+            '  1. Master key file replaced (e.g. machine restored from',
+            '     a backup that includes a different master key).',
+            '  2. Master key file corrupted.',
+            '  3. DB restored from a backup taken under a different',
+            '     master key.',
+            '',
+            'If you have the previous master key, restore it. If not,',
+            "you'll need to re-add every secret manually.",
+          ].join('\n'),
+          actionable: false,
+          subject: 'system',
+        },
+      ];
+    }
+  }
+
+  // Otherwise, per-secret findings.
+  return failed.map((r) => ({
+    category: 'secrets_decryptable' as const,
+    severity: 'blocked' as const,
+    code: `secret_decrypt_failed_${r.scope}`,
+    message: `${r.scope} secret "${r.name}" (${r.subject}) failed to decrypt`,
+    details: r.error ?? undefined,
+    remediation:
+      r.scope === 'module'
+        ? `Re-set the secret:\n  celilo module secret set ${r.subject} ${r.name} <value>`
+        : r.scope === 'system'
+          ? `Re-set the secret:\n  celilo system secret set ${r.name} <value>`
+          : 'Re-set the capability secret via the owning module.',
+    // Multi-step (need plaintext value); not a one-keypress fix.
+    actionable: false,
+    subject: r.subject,
+  }));
+}

package/src/services/audit/services-credentials.test.ts

@@ -0,0 +1,54 @@
+import { describe, expect, test } from 'bun:test';
+import { auditServicesCredentials } from './services-credentials';
+
+describe('auditServicesCredentials', () => {
+  test('no findings when every service decrypts', async () => {
+    const result = await auditServicesCredentials({
+      results: [
+        {
+          serviceId: 'home-proxmox',
+          name: 'Home Proxmox',
+          providerName: 'proxmox',
+          error: null,
+        },
+        { serviceId: 'do', name: 'DigitalOcean', providerName: 'digitalocean', error: null },
+      ],
+    });
+    expect(result).toEqual([]);
+  });
+
+  test('blocked finding per failing service', async () => {
+    const result = await auditServicesCredentials({
+      results: [
+        {
+          serviceId: 'home-proxmox',
+          name: 'Home Proxmox',
+          providerName: 'proxmox',
+          error: 'Failed to decrypt: bad authentication tag',
+        },
+      ],
+    });
+    expect(result).toHaveLength(1);
+    expect(result[0]).toMatchObject({
+      category: 'services_credentials',
+      severity: 'blocked',
+      code: 'service_credentials_invalid',
+      subject: 'home-proxmox',
+      actionable: false,
+    });
+    expect(result[0].message).toContain('Home Proxmox');
+    expect(result[0].message).toContain('proxmox');
+    expect(result[0].details).toContain('bad authentication tag');
+    expect(result[0].remediation).toContain('celilo service set-credentials home-proxmox');
+  });
+
+  test('mixed report — only failures produce findings', async () => {
+    const result = await auditServicesCredentials({
+      results: [
+        { serviceId: 'good', name: 'Good', providerName: 'proxmox', error: null },
+        { serviceId: 'bad', name: 'Bad', providerName: 'proxmox', error: 'oops' },
+      ],
+    });
+    expect(result.map((f) => f.subject)).toEqual(['bad']);
+  });
+});

package/src/services/audit/services-credentials.ts

@@ -0,0 +1,64 @@
+/**
+ * Services-credentials check.
+ *
+ * For each registered container service, verifies its API credentials
+ * are present and decryptable with the current master key. Catches
+ * failure modes that today only surface at deploy time:
+ *
+ * - Service registered but credentials never set (column null/empty).
+ * - Master key rotated; old envelope no longer decrypts.
+ * - Stored envelope is corrupt or doesn't match the provider's
+ *   credential schema (e.g. Proxmox service has DigitalOcean-shaped
+ *   credentials).
+ *
+ * Each finding is BLOCKED — `system update` would otherwise fan
+ * these out as opaque terraform / SSH errors. Surfacing them up
+ * front lets the user re-run `celilo service set-credentials`
+ * before any deploy work.
+ */
+
+import type { DriftFinding } from './types';
+
+export interface ServiceCredentialsResult {
+  /** Stable service identifier (the user-facing kebab-case ID). */
+  serviceId: string;
+  /** Display name for the finding message. */
+  name: string;
+  providerName: string;
+  /** null on success; error message on failure. */
+  error: string | null;
+}
+
+export interface ServicesCredentialsAuditDeps {
+  results: ServiceCredentialsResult[];
+}
+
+export async function auditServicesCredentials(
+  deps: ServicesCredentialsAuditDeps,
+): Promise<DriftFinding[]> {
+  const findings: DriftFinding[] = [];
+
+  for (const r of deps.results) {
+    if (r.error === null) continue;
+
+    findings.push({
+      category: 'services_credentials',
+      severity: 'blocked',
+      code: 'service_credentials_invalid',
+      message: `${r.name} (${r.providerName}): credentials missing or invalid`,
+      details: r.error,
+      remediation: [
+        'Re-add the credentials for this service. For example:',
+        `  celilo service set-credentials ${r.serviceId}`,
+        'or remove the service:',
+        `  celilo service remove ${r.name}`,
+      ].join('\n'),
+      // Multi-step (interactive prompts for credential values), so
+      // not a one-keypress remediation in the TUI.
+      actionable: false,
+      subject: r.serviceId,
+    });
+  }
+
+  return findings;
+}