@celilo/cli 0.1.5 → 0.1.7

package/src/cli/tui/panes/findings.tsx

@@ -0,0 +1,97 @@
+import { Box, Text } from 'ink';
+import type { AuditTuiState } from '../audit-state';
+import { findingId, findingsForCategory } from '../audit-state';
+import { InboxZeroCelebration } from '../celebration';
+
+interface Props {
+  state: AuditTuiState;
+  focused: boolean;
+  /**
+   * Total height the pane will occupy. Used to compute the scroll
+   * window so the selected finding stays visible without the pane
+   * resizing.
+   */
+  height: number;
+}
+
+/**
+ * Compute a scroll window that keeps `selectedIndex` visible inside a
+ * window of `windowSize` rows. Anchors selection at the top when it
+ * would otherwise scroll off above; at the bottom when it would
+ * scroll off below. Exported so the mouse-click hit-tester can apply
+ * the same math when translating clicks into list indices.
+ */
+export function computeScrollWindow(
+  selectedIndex: number,
+  totalCount: number,
+  windowSize: number,
+): { start: number; end: number } {
+  if (totalCount <= windowSize) return { start: 0, end: totalCount };
+  let start = Math.max(0, selectedIndex - Math.floor(windowSize / 2));
+  if (start + windowSize > totalCount) {
+    start = totalCount - windowSize;
+  }
+  return { start, end: start + windowSize };
+}
+
+/** Chrome (border+title+spacer) above the first finding row. */
+export const FINDINGS_CHROME = 4;
+
+export function FindingsPane({ state, focused, height }: Props) {
+  const findings = findingsForCategory(state.groups, state.selectedCategory);
+  // Pane height accounts for: 2 border rows + 1 title row + 1 spacer
+  // = 4 chrome rows. Reserve one bottom row for the "(N more)" hint
+  // when the list overflows, so the visible window is height - 5.
+  const chrome = 4;
+  const overflowRow = findings.length > Math.max(height - chrome, 0) ? 1 : 0;
+  const visible = Math.max(height - chrome - overflowRow, 0);
+
+  const selectedIndex = Math.max(
+    findings.findIndex((f) => findingId(f) === state.selectedFindingId),
+    0,
+  );
+  const { start, end } = computeScrollWindow(selectedIndex, findings.length, visible);
+  const slice = findings.slice(start, end);
+  const hidden = findings.length - end;
+
+  return (
+    <Box
+      borderStyle="round"
+      borderColor={focused ? 'cyan' : 'gray'}
+      flexDirection="column"
+      paddingX={1}
+      width="100%"
+      height="100%"
+      overflow="hidden"
+    >
+      <Text dimColor wrap="truncate-end">
+        3 Findings · {state.selectedCategory ?? '—'}
+        {findings.length > 0 ? ` (${selectedIndex + 1}/${findings.length})` : ''}
+      </Text>
+      <Box flexDirection="column" marginTop={1}>
+        {findings.length === 0 ? (
+          state.auditing ? (
+            <Text dimColor>(checking…)</Text>
+          ) : state.report.findings.length === 0 ? (
+            <InboxZeroCelebration compact />
+          ) : (
+            <Text dimColor>(none)</Text>
+          )
+        ) : (
+          slice.map((f) => {
+            const id = findingId(f);
+            const isSelected = focused && id === state.selectedFindingId;
+            const marker = isSelected ? '▸ ' : '  ';
+            return (
+              <Text key={id} inverse={isSelected} wrap="truncate-end">
+                {marker}
+                {f.message}
+              </Text>
+            );
+          })
+        )}
+        {hidden > 0 && <Text dimColor>↓ {hidden} more</Text>}
+      </Box>
+    </Box>
+  );
+}

package/src/cli/tui/panes/summary.tsx

@@ -0,0 +1,64 @@
+import { Box, Text } from 'ink';
+import Spinner from 'ink-spinner';
+import type { AuditTuiState } from '../audit-state';
+import { VERDICT_VISUALS } from '../icons';
+
+interface Props {
+  state: AuditTuiState;
+  focused: boolean;
+}
+
+function formatTimestamp(iso: string): string {
+  // Local-time HH:MM:SS — full ISO is dense and the UTC component is
+  // rarely useful for an interactive operator at the keyboard.
+  try {
+    return new Date(iso).toLocaleTimeString();
+  } catch {
+    return iso;
+  }
+}
+
+export function SummaryPane({ state, focused }: Props) {
+  const { report, auditing, progressMessage } = state;
+  const verdict = VERDICT_VISUALS[report.verdict];
+  const blockedCount = report.findings.filter((f) => f.severity === 'blocked').length;
+  const driftCount = report.findings.filter((f) => f.severity === 'drift').length;
+
+  return (
+    <Box
+      borderStyle="round"
+      borderColor={focused ? 'cyan' : 'gray'}
+      flexDirection="column"
+      paddingX={1}
+      width="100%"
+      height="100%"
+      overflow="hidden"
+    >
+      <Text dimColor>1 Summary</Text>
+      <Box marginTop={1}>
+        {auditing ? (
+          <Text>
+            <Spinner type="dots" />
+            <Text> auditing…</Text>
+          </Text>
+        ) : (
+          <Text color={verdict.color} bold>
+            {verdict.icon} {verdict.label}
+          </Text>
+        )}
+      </Box>
+      {auditing ? (
+        <Text dimColor wrap="truncate-end">
+          {progressMessage ?? 'starting…'}
+        </Text>
+      ) : (
+        <>
+          <Text>
+            {blockedCount} blocked, {driftCount} drift
+          </Text>
+          <Text dimColor>at {formatTimestamp(report.generatedAt)}</Text>
+        </>
+      )}
+    </Box>
+  );
+}

package/src/cli/tui/spawn.ts

@@ -0,0 +1,130 @@
+/**
+ * Run a `celilo …` subcommand and stream its stdout/stderr through
+ * the supplied callbacks. Used by the remediation modal — when the
+ * user submits, we spawn the same celilo entry point with the edited
+ * args and let the TUI's reducer absorb the output line-by-line.
+ *
+ * The same Bun/Node binary that's running the TUI is reused
+ * (`process.argv[0]` + `process.argv[1]`) so we don't depend on
+ * `celilo` being on PATH or worry about which build is "the" build.
+ */
+
+export interface RunCeliloHandlers {
+  onLine: (stream: 'stdout' | 'stderr', text: string) => void;
+  onExit: (exitCode: number) => void;
+}
+
+/**
+ * Parse a shell-ish command string into argv. Honors `"..."` and
+ * `'...'` quoting and `\` escapes. Not a full shell parser — it
+ * does not expand variables, run subshells, or honor pipes. The
+ * remediation modal pre-fills a single command, and that's what we
+ * support.
+ */
+export function parseCommand(input: string): string[] {
+  const args: string[] = [];
+  let current = '';
+  let inQuote: '"' | "'" | null = null;
+  let escaped = false;
+  for (const c of input) {
+    if (escaped) {
+      current += c;
+      escaped = false;
+      continue;
+    }
+    if (c === '\\') {
+      escaped = true;
+      continue;
+    }
+    if (inQuote === c) {
+      inQuote = null;
+      continue;
+    }
+    if (inQuote === null && (c === '"' || c === "'")) {
+      inQuote = c;
+      continue;
+    }
+    if (inQuote === null && /\s/.test(c)) {
+      if (current) args.push(current);
+      current = '';
+      continue;
+    }
+    current += c;
+  }
+  if (current) args.push(current);
+  return args;
+}
+
+/**
+ * Strip a leading `celilo` token if the user typed one. The runner
+ * always invokes the celilo entry point itself, so the `celilo`
+ * prefix is implicit.
+ */
+function stripCeliloPrefix(args: string[]): string[] {
+  if (args.length > 0 && (args[0] === 'celilo' || args[0].endsWith('/celilo'))) {
+    return args.slice(1);
+  }
+  return args;
+}
+
+/**
+ * Run `celilo <args>` and stream its output. Returns a function that
+ * can be called to terminate the running process (best-effort kill).
+ */
+export function runCelilo(commandString: string, handlers: RunCeliloHandlers): () => void {
+  const parsed = stripCeliloPrefix(parseCommand(commandString));
+  // Reuse the parent process's invocation. argv[0] is bun/node,
+  // argv[1] is the entry script (or the bin path for compiled use).
+  const exe = process.argv[0];
+  const entry = process.argv[1];
+  const proc = Bun.spawn([exe, entry, ...parsed], {
+    stdout: 'pipe',
+    stderr: 'pipe',
+    stdin: 'ignore',
+    env: { ...process.env },
+  });
+
+  void streamLines(proc.stdout, (line) => handlers.onLine('stdout', line));
+  void streamLines(proc.stderr, (line) => handlers.onLine('stderr', line));
+
+  proc.exited.then((code) => {
+    handlers.onExit(typeof code === 'number' ? code : -1);
+  });
+
+  return () => {
+    try {
+      proc.kill();
+    } catch {
+      // Process may already have exited; ignore.
+    }
+  };
+}
+
+/**
+ * Read a ReadableStream of bytes and call `cb` for each newline-
+ * delimited line. Trailing partial lines are flushed when the
+ * stream closes.
+ */
+async function streamLines(
+  stream: ReadableStream<Uint8Array> | undefined,
+  cb: (line: string) => void,
+): Promise<void> {
+  if (!stream) return;
+  const reader = stream.getReader();
+  const decoder = new TextDecoder();
+  let buffer = '';
+  try {
+    while (true) {
+      const { value, done } = await reader.read();
+      if (done) break;
+      buffer += decoder.decode(value, { stream: true });
+      const lines = buffer.split('\n');
+      buffer = lines.pop() ?? '';
+      for (const line of lines) cb(line);
+    }
+    buffer += decoder.decode();
+    if (buffer.length > 0) cb(buffer);
+  } finally {
+    reader.releaseLock();
+  }
+}

package/src/cli/tui/theme.ts

@@ -0,0 +1,42 @@
+/**
+ * TUI theme — colors that vary between dark and light terminal
+ * backgrounds. Pulled into one place so a future theme picker, env
+ * var, or auto-detection only needs to swap the active object.
+ *
+ * Severity colors (red/yellow/green) are kept theme-agnostic — those
+ * are ANSI named colors that respect the user's terminal palette and
+ * read correctly on both dark and light backgrounds.
+ *
+ * Selected via `--theme=dark|light` on `celilo system audit --tui`.
+ * Default: `dark`. We don't auto-detect terminal background — the
+ * standard probe (`COLORFGBG` env var, or OSC 11) is unreliable
+ * across terminals, and an explicit flag is more honest than a guess
+ * that's right 70% of the time.
+ */
+
+export type ThemeName = 'dark' | 'light';
+
+export interface Theme {
+  /**
+   * Dialog background. Should contrast strongly with the typical
+   * terminal background on this theme — pure black on dark themes,
+   * pure white on light themes.
+   */
+  dialogBg: 'black' | 'white';
+  /** Foreground text color inside dialogs. Inverse of dialogBg. */
+  dialogFg: 'white' | 'black';
+}
+
+const DARK: Theme = {
+  dialogBg: 'black',
+  dialogFg: 'white',
+};
+
+const LIGHT: Theme = {
+  dialogBg: 'white',
+  dialogFg: 'black',
+};
+
+export function getTheme(name: ThemeName | undefined): Theme {
+  return name === 'light' ? LIGHT : DARK;
+}

package/src/cli/tui/wrap.test.ts

@@ -0,0 +1,43 @@
+import { describe, expect, test } from 'bun:test';
+import { wrapText } from './wrap';
+
+describe('wrapText', () => {
+  test('preserves short lines unchanged', () => {
+    expect(wrapText('hello world', 80)).toEqual(['hello world']);
+  });
+
+  test('preserves existing newlines as line breaks', () => {
+    expect(wrapText('a\nb\nc', 80)).toEqual(['a', 'b', 'c']);
+  });
+
+  test('empty input lines render as single space (visible blank row)', () => {
+    expect(wrapText('a\n\nb', 80)).toEqual(['a', ' ', 'b']);
+  });
+
+  test('word-wraps long lines on whitespace', () => {
+    const result = wrapText('the quick brown fox jumps over the lazy dog', 15);
+    expect(result.every((line) => line.length <= 15)).toBe(true);
+    expect(result.join(' ').replace(/\s+/g, ' ')).toBe(
+      'the quick brown fox jumps over the lazy dog',
+    );
+  });
+
+  test('hard-breaks words longer than the width', () => {
+    const result = wrapText('xxxxxxxxxxxxxxxxxxxx', 5);
+    expect(result.every((line) => line.length <= 5)).toBe(true);
+    expect(result.join('')).toBe('xxxxxxxxxxxxxxxxxxxx');
+  });
+
+  test('mix of short, long, and blank lines', () => {
+    const text = ['short', '', 'a much longer sentence that needs to wrap'].join('\n');
+    const result = wrapText(text, 20);
+    // First line: short stays as-is
+    expect(result[0]).toBe('short');
+    // Second line: blank → space
+    expect(result[1]).toBe(' ');
+    // Subsequent lines: each <= 20
+    for (const line of result.slice(2)) {
+      expect(line.length).toBeLessThanOrEqual(20);
+    }
+  });
+});

package/src/cli/tui/wrap.ts

@@ -0,0 +1,45 @@
+/**
+ * Pre-wrap text to a known column width, returning an array of
+ * lines no longer than `width` characters. Used by the Detail pane
+ * to render multi-line content (capability_abi guidance, terraform
+ * stderr, etc.) without falling into Ink's "Text sibling wraps and
+ * its remainder overlaps the next sibling" trap.
+ *
+ * Rules:
+ * - Existing newlines (`\n`) are preserved as line breaks.
+ * - Empty input lines render as a single-space output line — a true
+ *   empty Text would measure as zero height and let siblings
+ *   collapse together; one space keeps the row visible.
+ * - Long lines word-wrap on whitespace when possible. A word longer
+ *   than `width` (rare — long URLs, base64) is hard-broken.
+ */
+export function wrapText(text: string, width: number): string[] {
+  if (width <= 0) return [text];
+  const out: string[] = [];
+  for (const line of text.split('\n')) {
+    if (line === '') {
+      out.push(' '); // visible blank row
+      continue;
+    }
+    if (line.length <= width) {
+      out.push(line);
+      continue;
+    }
+    let remaining = line;
+    while (remaining.length > width) {
+      // Prefer breaking at the last whitespace within the window.
+      let breakAt = remaining.lastIndexOf(' ', width);
+      if (breakAt <= 0) {
+        // No whitespace fits — hard-break at the width boundary so a
+        // long URL or base64 string doesn't blow out the layout.
+        breakAt = width;
+      }
+      out.push(remaining.slice(0, breakAt));
+      // Drop the leading whitespace introduced by the wrap point so
+      // the next line doesn't begin with a stray space.
+      remaining = remaining.slice(breakAt).replace(/^\s+/, '');
+    }
+    if (remaining) out.push(remaining);
+  }
+  return out;
+}

package/src/cli/types.ts

@@ -19,6 +19,11 @@ export interface CommandSuccess {
   success: true;
   message: string;
   data?: unknown;
+  /**
+   * When true, the CLI writes `message` directly to stdout (no clack formatting).
+   * Use for commands designed to be consumed by scripts (e.g. `module secret get`).
+   */
+  rawOutput?: boolean;
 }
 
 export interface CommandError {

package/src/db/client.ts

@@ -19,7 +19,7 @@ interface DatabaseConfig {
  * Find migrations folder relative to current working directory
  */
 export function findMigrationsFolder(): string {
-  // Get directory of current file (works in both Bun and Node/vitest)
+  // Get directory of current file
   const currentDir = dirname(fileURLToPath(import.meta.url));
 
   // Try common locations
@@ -57,7 +57,9 @@ function needsMigration(sqlite: Database): boolean {
     const alterStatements = [
       'ALTER TABLE capabilities ADD zones text',
       'ALTER TABLE machines ADD earmarked_module text',
-      'ALTER TABLE web_routes ADD subdomain text',
+      // web_routes' subdomain/custom_domain columns were folded into a
+      // single `hostname` field by migration 0004. Don't re-add them
+      // here — the migration drops and recreates the table.
       // Backup system tables (Phase 1)
       `CREATE TABLE IF NOT EXISTS backup_storages (
         id text PRIMARY KEY NOT NULL,
@@ -100,6 +102,57 @@ function needsMigration(sqlite: Database): boolean {
       }
     }
 
+    // web_routes hostname migration (CADDY_HOSTNAME_LIST design).
+    // Drizzle's auto-migrate path (`migrate()`) only runs for fresh
+    // databases — for existing celilo installs we apply the schema
+    // change here. Phase 0 + no production users = destructive
+    // rebuild; modules repopulate routes on their next deploy.
+    try {
+      const cols = sqlite.query("SELECT name FROM pragma_table_info('web_routes')").all() as Array<{
+        name: string;
+      }>;
+      const hasHostname = cols.some((c) => c.name === 'hostname');
+      const hasOldColumns = cols.some((c) => c.name === 'subdomain' || c.name === 'custom_domain');
+      if (!hasHostname && cols.length > 0) {
+        // Old shape detected (or missing hostname) — drop and recreate.
+        // Wrap in a transaction so the table is never half-migrated.
+        sqlite.exec('BEGIN');
+        try {
+          sqlite.exec('DROP TABLE web_routes');
+          sqlite.exec(`CREATE TABLE web_routes (
+            id integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+            slug text NOT NULL,
+            module_id text NOT NULL,
+            type text NOT NULL,
+            path text NOT NULL,
+            hostname text NOT NULL,
+            target_host text,
+            target_port integer,
+            websocket integer DEFAULT false NOT NULL,
+            content_hash text,
+            created_at integer DEFAULT (unixepoch()) NOT NULL,
+            updated_at integer DEFAULT (unixepoch()) NOT NULL,
+            FOREIGN KEY (module_id) REFERENCES modules(id) ON UPDATE no action ON DELETE cascade
+          )`);
+          sqlite.exec(
+            'CREATE UNIQUE INDEX web_routes_hostname_path_idx ON web_routes (hostname, path)',
+          );
+          sqlite.exec('COMMIT');
+          if (hasOldColumns) {
+            console.log(
+              'web_routes migrated to hostname-based schema. Modules will repopulate their routes on next deploy.',
+            );
+          }
+        } catch (err) {
+          sqlite.exec('ROLLBACK');
+          throw err;
+        }
+      }
+    } catch (err) {
+      console.error('Failed to migrate web_routes schema:', err);
+      throw err;
+    }
+
     return false; // Schema is up to date
   } catch {
     return true;

package/src/db/schema.ts

@@ -1,5 +1,5 @@
 import { sql } from 'drizzle-orm';
-import { integer, sqliteTable, text, unique } from 'drizzle-orm/sqlite-core';
+import { integer, sqliteTable, text, unique, uniqueIndex } from 'drizzle-orm/sqlite-core';
 
 /**
  * Module lifecycle states
@@ -326,22 +326,31 @@ export const moduleInfrastructure = sqliteTable('module_infrastructure', {
  * Routes are registered during on_install hooks and removed during on_uninstall.
  * The public_web provider (Caddy) uses these to generate its configuration.
  */
-export const webRoutes = sqliteTable('web_routes', {
-  id: integer('id').primaryKey({ autoIncrement: true }),
-  slug: text('slug').notNull(),
-  moduleId: text('module_id')
-    .notNull()
-    .references(() => modules.id, { onDelete: 'cascade' }),
-  type: text('type').$type<'static' | 'reverse_proxy'>().notNull(),
-  path: text('path').notNull().unique(),
-  targetHost: text('target_host'),
-  targetPort: integer('target_port'),
-  subdomain: text('subdomain'),
-  websocket: integer('websocket', { mode: 'boolean' }).notNull().default(false),
-  contentHash: text('content_hash'),
-  createdAt: integer('created_at', { mode: 'timestamp' }).notNull().default(sql`(unixepoch())`),
-  updatedAt: integer('updated_at', { mode: 'timestamp' }).notNull().default(sql`(unixepoch())`),
-});
+export const webRoutes = sqliteTable(
+  'web_routes',
+  {
+    id: integer('id').primaryKey({ autoIncrement: true }),
+    slug: text('slug').notNull(),
+    moduleId: text('module_id')
+      .notNull()
+      .references(() => modules.id, { onDelete: 'cascade' }),
+    type: text('type').$type<'static' | 'reverse_proxy'>().notNull(),
+    path: text('path').notNull(),
+    /** FQDN this route serves under — must be in caddy's hostnames list. */
+    hostname: text('hostname').notNull(),
+    targetHost: text('target_host'),
+    targetPort: integer('target_port'),
+    websocket: integer('websocket', { mode: 'boolean' }).notNull().default(false),
+    contentHash: text('content_hash'),
+    createdAt: integer('created_at', { mode: 'timestamp' }).notNull().default(sql`(unixepoch())`),
+    updatedAt: integer('updated_at', { mode: 'timestamp' }).notNull().default(sql`(unixepoch())`),
+  },
+  (table) => ({
+    // Path uniqueness is scoped to hostname — two modules can both own
+    // "/" as long as they're on different hostnames.
+    hostnamePathUnique: uniqueIndex('web_routes_hostname_path_idx').on(table.hostname, table.path),
+  }),
+);
 
 /**
  * Backup storage providers - destinations for backup archives