@celilo/cli 0.1.5 → 0.1.6

package/src/cli/commands/system-update.ts

@@ -0,0 +1,391 @@
+/**
+ * System update command — orchestrates the audit-determined upgrade flow.
+ *
+ * Usage:
+ *   celilo system update [--module <id>] [--no-backup] [--allow-destructive]
+ *                        [--dry-run] [--json]
+ *
+ * Per CELILO_UPDATE Phase 4: runs `system audit` first, refuses on
+ * BLOCKED, then walks each drifting module through
+ * backup → upgrade → deploy → health, isolating failures to the
+ * dependency subtree.
+ *
+ * This is a thin adapter — per Rule 10.5: parse args, compose deps,
+ * call `runSystemUpdate`, format output, return. The real logic
+ * lives in `services/update/orchestrator.ts`.
+ */
+
+import { existsSync, readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { eq } from 'drizzle-orm';
+import { getDb } from '../../db/client';
+import { backups, moduleConfigs as moduleConfigsTbl, modules } from '../../db/schema';
+import type { ModuleManifest } from '../../manifest/schema';
+import { RegistryClient } from '../../registry/client';
+import { runAudit } from '../../services/audit';
+import { fetchLatestCliVersion } from '../../services/audit/cli-version';
+import { makeJournalReader, readAppliedMigrations } from '../../services/audit/schema';
+import { createModuleBackup, createSystemStateBackup } from '../../services/backup-create';
+import { runAllHealthChecks, runModuleHealthCheck } from '../../services/health-runner';
+import { deployModule } from '../../services/module-deploy';
+import { buildModuleGraph } from '../../services/update/dep-graph';
+import {
+  type ModuleSnapshot,
+  type OrchestratorOps,
+  runSystemUpdate,
+} from '../../services/update/orchestrator';
+import type { SystemUpdateResult } from '../../services/update/types';
+import { getFlag, hasFlag } from '../parser';
+import type { CommandResult } from '../types';
+
+function readInstalledCliVersion(): string {
+  const here = dirname(fileURLToPath(import.meta.url));
+  const candidates = [
+    join(here, '..', '..', '..', 'package.json'),
+    join(process.cwd(), 'package.json'),
+  ];
+  for (const path of candidates) {
+    if (existsSync(path)) {
+      try {
+        const pkg = JSON.parse(readFileSync(path, 'utf-8')) as { version?: string };
+        if (pkg.version) return pkg.version;
+      } catch {
+        // try the next candidate
+      }
+    }
+  }
+  return '0.0.0';
+}
+
+function findMigrationsFolderSafe(): string | null {
+  try {
+    const here = dirname(fileURLToPath(import.meta.url));
+    const candidates = [
+      join(here, '..', '..', '..', 'drizzle'),
+      join(process.cwd(), 'drizzle'),
+      join(process.cwd(), 'apps', 'celilo', 'drizzle'),
+    ];
+    for (const c of candidates) {
+      if (existsSync(join(c, 'meta', '_journal.json'))) return c;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Build a snapshot map from installed modules + registry lookups.
+ *
+ * `installedProvides` and `pendingRequires` come from the manifest
+ * — `installedProvides` from the currently-deployed manifest in the
+ * DB; `pendingRequires` from the manifest of the latest registry
+ * version (so the version-aware skip can compare what the new code
+ * needs against what the still-running provider has).
+ *
+ * Phase 4 V1: we don't yet fetch the new manifest from the registry
+ * — that needs a registry endpoint that exposes the embedded
+ * manifest.yml. Until that lands, `pendingRequires` is populated
+ * from the *currently installed* manifest (so consumer compatibility
+ * checks behave as "are the running versions still compatible?").
+ * That degrades the skip logic to the pre-D3 behavior in mixed
+ * cases but doesn't crash anything.
+ */
+async function buildSnapshots(
+  db: ReturnType<typeof getDb>,
+  installed: Array<typeof modules.$inferSelect>,
+  registry: RegistryClient,
+): Promise<Map<string, ModuleSnapshot>> {
+  const snapshots = new Map<string, ModuleSnapshot>();
+  for (const m of installed) {
+    const manifest = m.manifestData as ModuleManifest;
+    const provides: Record<string, string> = {};
+    for (const p of manifest.provides?.capabilities ?? []) {
+      provides[p.name] = p.version;
+    }
+    const requires: Record<string, string> = {};
+    for (const r of manifest.requires?.capabilities ?? []) {
+      requires[r.name] = r.version;
+    }
+    for (const r of manifest.optional?.capabilities ?? []) {
+      requires[r.name] = r.version;
+    }
+
+    let latest: string | null = null;
+    try {
+      const entries = await registry.getIndex(m.id);
+      const top = registry.latestVersion(entries);
+      latest = top ? top.vers : null;
+    } catch {
+      // network error → leave null
+    }
+
+    snapshots.set(m.id, {
+      id: m.id,
+      installedVersion: m.version,
+      latestVersion: latest,
+      installedProvides: provides,
+      pendingRequires: requires,
+    });
+  }
+  // Suppress the unused-db warning while we don't yet need the parameter.
+  // (Future revs read pending manifests from the DB cache.)
+  void db;
+  return snapshots;
+}
+
+/**
+ * Live ops — wraps the existing per-module services as the
+ * orchestrator's hook callbacks.
+ *
+ * - `backup` calls `createModuleBackup`. Modules without an
+ *   `on_backup` hook return ok (nothing to back up; not an error).
+ * - `upgrade` is a no-op for now — the in-place upgrade path lives
+ *   in `module install <name>` and needs a refactor before the
+ *   orchestrator can drive it cleanly. Deploy will re-converge
+ *   against whatever's installed, which is the right behavior for
+ *   "redeploy what's there."
+ * - `deploy` calls `deployModule`.
+ * - `health` calls `runModuleHealthCheck`.
+ * - `snapshotCeliloDb` calls `createSystemStateBackup`.
+ */
+function buildOps(): OrchestratorOps {
+  return {
+    backup: async (moduleId, _updateId) => {
+      const db = getDb();
+      const mod = db.select().from(modules).where(eq(modules.id, moduleId)).get();
+      if (!mod) return { ok: false, error: `module ${moduleId} not found` };
+      const manifest = mod.manifestData as ModuleManifest;
+      if (!manifest.hooks?.on_backup) {
+        return { ok: true };
+      }
+      const result = await createModuleBackup(moduleId);
+      return result.success ? { ok: true } : { ok: false, error: result.error };
+    },
+    upgrade: async (_id) => ({ ok: true }),
+    deploy: async (id) => {
+      const db = getDb();
+      const result = await deployModule(id, db, { noInteractive: true });
+      return result.success ? { ok: true } : { ok: false, error: result.error };
+    },
+    health: async (id) => {
+      // We can call the existing health-runner directly today — that's
+      // already a clean service.
+      const db = getDb();
+      const r = await runModuleHealthCheck(id, db);
+      return { status: r.status, detail: r.error };
+    },
+    snapshotCeliloDb: async (_updateId) => {
+      const result = await createSystemStateBackup();
+      return result.success ? { ok: true } : { ok: false, error: result.error };
+    },
+  };
+}
+
+function formatResult(result: SystemUpdateResult): string {
+  const lines: string[] = [];
+  lines.push('');
+  lines.push(`update ${result.updateId} → ${result.ok ? 'OK' : 'FAILED'}`);
+  lines.push(`  audit verdict: ${result.audit.verdict}`);
+  lines.push(
+    `  self-update: ${result.selfUpdate.performed ? `${result.selfUpdate.from} → ${result.selfUpdate.to}` : `(${result.selfUpdate.reason})`}`,
+  );
+  lines.push(`  backups: ${result.backupsCreated ? 'created' : 'skipped'}`);
+  lines.push('');
+  for (const m of result.modules) {
+    const tag =
+      m.step === 'done' ? '✓' : m.step === 'failed' ? '✗' : m.step === 'skipped' ? '↳' : '?';
+    const change =
+      m.fromVersion === m.toVersion ? m.fromVersion : `${m.fromVersion} → ${m.toVersion}`;
+    lines.push(`  ${tag} ${m.moduleId} (${change}) — ${m.step}`);
+    if (m.error) lines.push(`      ${m.error}`);
+    if (m.skipReason) lines.push(`      ${m.skipReason}`);
+  }
+  return lines.join('\n');
+}
+
+export async function handleSystemUpdate(
+  _args: string[],
+  flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const json = hasFlag(flags, 'json');
+  const dryRun = hasFlag(flags, 'dry-run');
+  const noBackup = hasFlag(flags, 'no-backup');
+  const allowDestructive = hasFlag(flags, 'allow-destructive');
+  const onlyModule = getFlag(flags, 'module', '') || undefined;
+
+  const db = getDb();
+  const installed = db.select().from(modules).all();
+  const deployedModules = installed.filter((m) => ['INSTALLED', 'VERIFIED'].includes(m.state));
+  const registry = new RegistryClient();
+
+  // Build the dep graph from installed manifests.
+  const graph = buildModuleGraph(deployedModules.map((m) => m.manifestData as ModuleManifest));
+  const snapshots = await buildSnapshots(db, deployedModules, registry);
+
+  // Build audit deps. (Mostly mirrors system-audit.ts; could be refactored
+  // into a shared helper in Phase 5.)
+  const migrationsFolder = findMigrationsFolderSafe();
+  const healthResults = await runAllHealthChecks(db);
+
+  const latestBackupByModule = new Map<string, number>();
+  try {
+    const successfulBackups = db
+      .select()
+      .from(backups)
+      .where(eq(backups.status, 'completed'))
+      .all();
+    for (const b of successfulBackups) {
+      if (!b.moduleId || !b.completedAt) continue;
+      const prev = latestBackupByModule.get(b.moduleId);
+      const ts = b.completedAt.getTime();
+      if (prev === undefined || ts > prev) latestBackupByModule.set(b.moduleId, ts);
+    }
+  } catch {
+    // backups table missing on a fresh DB — fine.
+  }
+
+  const allConfigs = db.select().from(moduleConfigsTbl).all();
+  const configsByModule = new Map<string, Record<string, unknown>>();
+  for (const c of allConfigs) {
+    const m = configsByModule.get(c.moduleId) ?? {};
+    m[c.key] = c.valueJson ? JSON.parse(c.valueJson) : c.value;
+    configsByModule.set(c.moduleId, m);
+  }
+
+  const auditDeps = {
+    cliVersion: {
+      installedVersion: readInstalledCliVersion(),
+      fetcher: fetchLatestCliVersion,
+    },
+    schema: {
+      journal: migrationsFolder ? makeJournalReader(migrationsFolder) : () => null,
+      applied: readAppliedMigrations,
+      db,
+    },
+    capabilityAbi: {
+      modules: deployedModules.map((m) => ({
+        id: m.id,
+        manifest: m.manifestData as ModuleManifest,
+      })),
+    },
+    terraformPlan: {
+      modules: deployedModules.map((m) => ({
+        id: m.id,
+        terraformDir: existsSync(join(m.sourcePath, 'generated', 'terraform'))
+          ? join(m.sourcePath, 'generated', 'terraform')
+          : null,
+      })),
+      run: async () => ({ exitCode: 0, stdout: '', stderr: '' }),
+    },
+    moduleVersions: {
+      installed: deployedModules.map((m) => ({ id: m.id, version: m.version })),
+      fetcher: async (id: string) => {
+        const entries = await registry.getIndex(id);
+        const top = registry.latestVersion(entries);
+        return top ? { latest: top.vers } : { latest: null };
+      },
+    },
+    moduleConfigs: {
+      modules: deployedModules.map((m) => ({
+        id: m.id,
+        manifest: m.manifestData as ModuleManifest,
+        configs: configsByModule.get(m.id) ?? {},
+      })),
+    },
+    health: { results: healthResults },
+    backups: {
+      modules: deployedModules.map((m) => ({
+        id: m.id,
+        manifest: m.manifestData as ModuleManifest,
+        lastSuccessfulBackupAt: latestBackupByModule.get(m.id) ?? null,
+      })),
+    },
+    undeployedModules: {
+      modules: installed.map((m) => ({ id: m.id, state: m.state })),
+    },
+    unconfiguredModules: {
+      modules: installed.map((m) => ({
+        id: m.id,
+        state: m.state,
+        configCount: Object.keys(configsByModule.get(m.id) ?? {}).length,
+      })),
+    },
+    // The update flow doesn't run these checks itself — pass empty
+    // results so the typed AuditDeps shape is satisfied. The full
+    // audit (with credential + secret decryption checks) runs in
+    // `system audit`; pre-update we just consume what we have.
+    servicesCredentials: { results: [] },
+    secretsDecryptable: { results: [] },
+    servicesReachable: { results: [] },
+    machinesReachable: { results: [] },
+  };
+
+  if (dryRun) {
+    const audit = await runAudit(auditDeps);
+    const plan = {
+      version: 1 as const,
+      updateId: crypto.randomUUID(),
+      audit,
+      willSelfUpdate: false, // computed at run time; the dry-run preview is best-effort
+      modules: deployedModules
+        .filter((m) => {
+          const snap = snapshots.get(m.id);
+          return snap?.latestVersion && snap.latestVersion !== snap.installedVersion;
+        })
+        .map((m) => ({
+          moduleId: m.id,
+          fromVersion: m.version,
+          toVersion: snapshots.get(m.id)?.latestVersion ?? m.version,
+          dependsOn: [...(graph.edges.get(m.id) ?? [])],
+        })),
+      willBackup: !noBackup,
+      destructiveTerraformBlocked: !allowDestructive,
+    };
+    return json
+      ? { success: true, message: JSON.stringify(plan, null, 2), rawOutput: true }
+      : {
+          success: true,
+          message: `dry-run: ${plan.modules.length} module(s) would be updated, backups=${plan.willBackup ? 'on' : 'off'}, allow-destructive=${allowDestructive}\n${plan.modules
+            .map((m) => `  ▸ ${m.moduleId}: ${m.fromVersion} → ${m.toVersion}`)
+            .join('\n')}`,
+        };
+  }
+
+  const ops = buildOps();
+
+  const result = await runSystemUpdate({
+    audit: auditDeps,
+    graph,
+    snapshots,
+    ops,
+    selfUpdate: {
+      installedVersion: readInstalledCliVersion(),
+      fetcher: fetchLatestCliVersion,
+      updater: async () => ({
+        ok: false,
+        stderr: 'self-update wiring lands in Phase 5',
+      }),
+    },
+    progress: { emit() {} },
+    noBackup,
+    allowDestructive,
+    onlyModule,
+  });
+
+  if (json) {
+    if (result.ok) {
+      return { success: true, message: JSON.stringify(result, null, 2), rawOutput: true };
+    }
+    return { success: false, error: JSON.stringify(result, null, 2) };
+  }
+
+  if (result.ok) {
+    return { success: true, message: formatResult(result) };
+  }
+  return {
+    success: false,
+    error: `${formatResult(result)}\n\none or more modules failed; see output above`,
+  };
+}

package/src/cli/completion.ts

@@ -41,6 +41,7 @@ export async function getCompletions(words: string[], current: number): Promise<
       'ipam',
       'completion',
       'status',
+      'audit',
       'version',
     ];
     return filterSuggestions(commands, args[0] || '');
@@ -98,9 +99,13 @@ export async function getCompletions(words: string[], current: number): Promise<
   if (command === 'module' && currentIndex === 1) {
     const subcommands = [
       'import',
+      'install',
       'list',
+      'publish',
       'remove',
+      'search',
       'update',
+      'verify',
       'audit',
       'config',
       'show-config',
@@ -114,12 +119,18 @@ export async function getCompletions(words: string[], current: number): Promise<
       'run-hook',
       'secret',
       'status',
+      'terraform-unlock',
       'types',
       'validate',
     ];
     return filterSuggestions(subcommands, args[1] || '');
   }
 
+  // Module import subcommands (celilo module import file|public-registry)
+  if (command === 'module' && args[1] === 'import' && currentIndex === 2) {
+    return filterSuggestions(['file', 'public-registry'], args[2] || '');
+  }
+
   // Module config subcommands (celilo module config set/get)
   if (command === 'module' && args[1] === 'config' && currentIndex === 2) {
     const subcommands = ['set', 'get'];
@@ -306,6 +317,9 @@ export async function getCompletions(words: string[], current: number): Promise<
       'build',
       'run-hook',
       'status',
+      'terraform-unlock',
+      'verify',
+      'audit', // deprecation alias for `verify`
     ];
     if (moduleCommands.includes(args[1] || '')) {
       const db = getDb();
@@ -399,7 +413,7 @@ export async function getCompletions(words: string[], current: number): Promise<
 
   // System subcommands
   if (command === 'system' && currentIndex === 1) {
-    const subcommands = ['init', 'config', 'secret', 'vault-password'];
+    const subcommands = ['init', 'config', 'secret', 'vault-password', 'audit', 'update'];
     return filterSuggestions(subcommands, args[1] || '');
   }
 

package/src/cli/fuel-gauge.ts

@@ -11,6 +11,7 @@
 
 import { stdout } from 'node:process';
 import * as p from '@clack/prompts';
+import { getActiveDisplay } from './prompts';
 
 /**
  * ANSI color codes for terminal output
@@ -53,6 +54,8 @@ export class FuelGauge {
   private sigintHandler?: () => void;
   private alreadyCleanedUp = false; // Track if we've already cleaned up terminal
   private linesDrawn = 0; // Track exactly how many lines were drawn last frame
+  private startTime = Date.now();
+  private lastOutputTime = Date.now();
 
   constructor(title: string, options: FuelGaugeOptions = {}) {
     this.title = title;
@@ -71,6 +74,16 @@ export class FuelGauge {
       return;
     }
 
+    // When a ProgressDisplay is active (e.g. inside `module deploy`),
+    // delegate to it instead of running the cursor-redraw animation —
+    // the two would otherwise stomp on each other's output.
+    const display = getActiveDisplay();
+    if (display) {
+      this.running = true;
+      display.startStep(this.title, this.title);
+      return;
+    }
+
     this.running = true;
 
     // Hide cursor
@@ -140,7 +153,17 @@ export class FuelGauge {
       this.outputLines.shift();
     }
 
+    const display = getActiveDisplay();
+    if (display) {
+      // Pass the original line (ANSI preserved) so colour/dim codes from
+      // the hook logger render in the display. Skip blank lines that the
+      // child process may emit between output chunks.
+      if (line.trim()) display.subEvent(line);
+      return;
+    }
+
     this.hasNewOutput = true;
+    this.lastOutputTime = Date.now();
   }
 
   /**
@@ -169,6 +192,21 @@ export class FuelGauge {
       return;
     }
 
+    const display = getActiveDisplay();
+    if (display) {
+      if (success) {
+        display.doneStep();
+      } else {
+        display.failStep(this.title);
+        // Surface the last few output lines so the user can see what broke.
+        const errorLines = this.outputLines.slice(-this.errorDisplayLines);
+        for (const line of errorLines) {
+          if (line.trim()) display.subEvent(line);
+        }
+      }
+      return;
+    }
+
     this.cleanup();
 
     if (success) {
@@ -187,6 +225,25 @@ export class FuelGauge {
     }
   }
 
+  /**
+   * Tear down the animation without printing a success or failure stamp.
+   * Used when the gauge needs to step out of the way temporarily — e.g.
+   * for the cross-module ensure interview, where the next prompt would
+   * otherwise collide with the running animation. Pair with a fresh
+   * FuelGauge for any subsequent work.
+   */
+  stopSilent(): void {
+    if (!this.running) return;
+    this.running = false;
+    if (this.skipAnimation) return;
+    const display = getActiveDisplay();
+    if (display) {
+      display.abandon();
+      return;
+    }
+    this.cleanup();
+  }
+
   /**
    * Clean up resources (keyboard listener, animation, cursor)
    */
@@ -351,13 +408,21 @@ export class FuelGauge {
       return s + ' '.repeat(remaining);
     };
 
-    // Title line
-    const titleText = `▸ ${this.title}`;
+    // Title line with elapsed time
+    const elapsedSecs = Math.floor((Date.now() - this.startTime) / 1000);
+    const elapsedStr = elapsedSecs > 0 ? ` (${elapsedSecs}s)` : '';
+    const titleText = `▸ ${this.title}${elapsedStr}`;
     frame += `${pad(colors.cyan(titleText), titleText.length + 2)}\n`;
     lineCount++;
 
+    // If process has been silent for >5s, inject a status line so user knows it's alive
+    const silentSecs = Math.floor((Date.now() - this.lastOutputTime) / 1000);
+    const silentLines = silentSecs >= 5 ? ['  Status: running'] : [];
+
     // Output preview lines
-    const displayLines = this.formatOutputLines(this.outputLines, this.maxDisplayLines);
+    const sourceLines =
+      silentLines.length > 0 ? [...this.outputLines, ...silentLines] : this.outputLines;
+    const displayLines = this.formatOutputLines(sourceLines, this.maxDisplayLines);
     for (const line of displayLines) {
       frame += `${pad(colors.dim(line), line.length)}\n`;
       lineCount++;

package/src/cli/generate-zsh-completion.ts

@@ -132,9 +132,19 @@ function generateCommandFunction(cmd: CommandDef, path: string[], lines: string[
   lines.push('  local curcontext="$curcontext" state line');
   lines.push('  typeset -A opt_args');
   lines.push('');
-  lines.push('  _arguments -C \\');
-  lines.push(`    '1: :${fnName}_commands' \\`);
-  lines.push("    '*::arg:->args'");
+  const flagArgs = cmd.flags && cmd.flags.length > 0 ? generateFlagArgs(cmd.flags) : [];
+  if (flagArgs.length > 0) {
+    lines.push('  _arguments -C \\');
+    for (const flag of flagArgs) {
+      lines.push(`    ${flag} \\`);
+    }
+    lines.push(`    '1: :${fnName}_commands' \\`);
+    lines.push("    '*::arg:->args'");
+  } else {
+    lines.push('  _arguments -C \\');
+    lines.push(`    '1: :${fnName}_commands' \\`);
+    lines.push("    '*::arg:->args'");
+  }
   lines.push('');
   lines.push('  case $state in');
   lines.push('    args)');