@celilo/cli 0.1.5 → 0.1.7

package/src/services/deploy-terraform.ts

@@ -1,3 +1,4 @@
+import { existsSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { log } from '../cli/prompts';
 import { executeBuildWithProgress } from './build-stream';
@@ -288,39 +289,45 @@ async function attemptAutoImport(
  * @returns Execution result
  */
 /**
- * Auto-recover from a stale Terraform state lock.
- * Parses the lock ID from the error output and runs force-unlock.
+ * Detect a stale Terraform state lock and surface actionable guidance.
+ *
+ * We intentionally do NOT auto-delete: if Terraform crashed mid-apply the
+ * state file may be inconsistent, and blindly retrying could double-apply
+ * partial infrastructure changes. The user should verify state before
+ * unlocking.
  */
 async function autoForceUnlock(
   terraformDir: string,
   errorOutput: string,
-  terraformEnv: Record<string, string>,
-  noInteractive?: boolean,
+  _terraformEnv: Record<string, string>,
+  _noInteractive?: boolean,
 ): Promise<boolean> {
   const lockIdMatch = errorOutput.match(/ID:\s+([0-9a-f-]+)/);
-  if (!lockIdMatch) {
-    log.warn('State lock detected but could not parse lock ID');
-    return false;
+  const lockId = lockIdMatch?.[1];
+
+  const lockFile = join(terraformDir, '.terraform.tfstate.lock.info');
+  const isLocalLock = existsSync(lockFile);
+
+  // Try to surface who holds the lock and when it was created.
+  let lockInfo = '';
+  if (isLocalLock) {
+    try {
+      const raw = JSON.parse(readFileSync(lockFile, 'utf-8')) as Record<string, string>;
+      const who = raw.Who ?? 'unknown';
+      const created = raw.Created ? new Date(raw.Created).toLocaleString() : 'unknown';
+      const op = raw.Operation ?? 'unknown';
+      lockInfo = `  Held by: ${who}\n  Operation: ${op}\n  Created: ${created}`;
+    } catch {
+      lockInfo = `  Lock file: ${lockFile}`;
+    }
+  } else if (lockId) {
+    lockInfo = `  Lock ID: ${lockId}`;
   }
 
-  const lockId = lockIdMatch[1];
-  log.warn(`Stale state lock detected (${lockId}) -- auto-recovering...`);
-
-  const result = await executeBuildWithProgress({
-    command: 'terraform',
-    args: ['force-unlock', '-force', lockId],
-    cwd: terraformDir,
-    title: 'Removing stale state lock',
-    env: { ...terraformEnv, TF_IN_AUTOMATION: '1' },
-    noInteractive,
-  });
-
-  if (result.success) {
-    log.success('State lock removed');
-    return true;
-  }
+  log.error(
+    `Terraform state is locked — another deploy may be running, or a previous one crashed.\n${lockInfo}\n\nIf no other deploy is running, unlock with:\n  celilo module terraform-unlock <module-id>`,
+  );
 
-  log.error(`Failed to remove state lock: ${result.error || result.output}`);
   return false;
 }
 

package/src/services/deploy-validation.ts

@@ -4,6 +4,7 @@
  * Validates module readiness and auto-prepares (generate/build) if needed
  */
 
+import { compareConsumerToProvider } from '@celilo/capabilities';
 import { and, eq } from 'drizzle-orm';
 import type { DbClient } from '../db/client';
 import { capabilities, moduleConfigs, modules, secrets } from '../db/schema';
@@ -56,14 +57,58 @@ export async function validateAndPrepareDeployment(
 
   const manifest = module.manifestData as ModuleManifest;
 
-  // Always regenerate to ensure templates and config are up-to-date
+  // Check capability dependencies first — no point interviewing or generating
+  // if required provider modules aren't deployed yet.
+  if (manifest.requires?.capabilities) {
+    const missingCapabilities = await findMissingCapabilities(manifest.requires.capabilities, db);
+
+    if (missingCapabilities.length > 0) {
+      const capList = missingCapabilities.join(', ');
+      return {
+        success: false,
+        error: `Missing required capabilities: ${capList}\nDeploy provider modules first.\n\nSuggested order:\n${getSuggestedDeploymentOrder(missingCapabilities, moduleId)}`,
+      };
+    }
+
+    // Provider exists — verify the provider's claimed capability version is
+    // compatible with what this module declares it requires. Catches the
+    // class of break where a capability had a major bump (e.g. dns_registrar
+    // 4.0.0 → 5.0.0) and the consumer was rebuilt against the new major but
+    // the provider on this system still ships the old one (or vice-versa).
+    const versionMismatches = await findCapabilityVersionMismatches(
+      manifest.requires.capabilities,
+      db,
+    );
+    if (versionMismatches.length > 0) {
+      return {
+        success: false,
+        error: formatVersionMismatchError(moduleId, versionMismatches),
+      };
+    }
+  }
+
+  // Check for missing required variables BEFORE generating — if any are missing
+  // we return them for the caller to interview, then the caller re-invokes deploy
+  // after the user has answered. This prevents generation from failing mid-way
+  // on an unresolved $self: variable.
+  const missingVariables = await findMissingRequiredVariables(moduleId, manifest, db);
+  if (missingVariables.length > 0) {
+    return {
+      success: true,
+      autoGenerated: false,
+      autoBuilt: false,
+      missingVariables,
+    };
+  }
+
+  // All variables present — safe to generate templates now.
   const generatedPath = getGeneratedPath(module.sourcePath, moduleId);
   const generateResult = await generateTemplates({
     moduleId,
     modulePath: module.sourcePath,
     outputPath: generatedPath,
     db,
-    skipVariableValidation: true, // Deploy flow handles interview for missing variables
+    skipVariableValidation: true,
   });
 
   if (!generateResult.success) {
@@ -95,29 +140,10 @@ export async function validateAndPrepareDeployment(
     }
   }
 
-  // Check capability dependencies (cannot auto-deploy dependencies)
-  if (manifest.requires?.capabilities) {
-    const missingCapabilities = await findMissingCapabilities(manifest.requires.capabilities, db);
-
-    if (missingCapabilities.length > 0) {
-      const capList = missingCapabilities.join(', ');
-      return {
-        success: false,
-        error: `Missing required capabilities: ${capList}\nDeploy provider modules first.\n\nSuggested order:\n${getSuggestedDeploymentOrder(missingCapabilities, moduleId)}`,
-      };
-    }
-  }
-
-  // Check required variables are configured
-  const missingVariables = await findMissingRequiredVariables(moduleId, manifest, db);
-
-  // Return validation result with missing variables info
-  // The caller (deploy command) will decide whether to prompt or fail
   return {
     success: true,
     autoGenerated,
     autoBuilt,
-    missingVariables: missingVariables.length > 0 ? missingVariables : undefined,
   };
 }
 
@@ -145,6 +171,113 @@ async function findMissingCapabilities(
   return missing;
 }
 
+interface CapabilityVersionMismatch {
+  capabilityName: string;
+  requiredVersion: string;
+  providedVersion: string;
+  providerModuleId: string;
+  reason: string;
+}
+
+/**
+ * Find capabilities whose installed providers can't satisfy what the
+ * consumer module's manifest declares it requires.
+ *
+ * Multi-provider semantics: a capability can have several installed
+ * providers (e.g., zone-scoped firewalls, or `dns_registrar` split
+ * across an internal-zone provider like knot-unbound-internal and an
+ * external-zone provider like namecheap). The deploy passes when at
+ * LEAST ONE provider is version-compatible with the consumer — that
+ * matches the runtime behaviour of `findCapabilityProvider`, which
+ * picks the right provider per zone. The mismatch error names the
+ * "best" (closest-version) incompatible provider so the operator
+ * sees an actionable suggestion.
+ *
+ * Uses `compareConsumerToProvider` from `@celilo/capabilities`, the
+ * same helper that powers the system audit's capability_abi check —
+ * so deploy and audit verdicts stay in lockstep.
+ */
+async function findCapabilityVersionMismatches(
+  required: Array<{ name: string; version: string }>,
+  db: DbClient,
+): Promise<CapabilityVersionMismatch[]> {
+  const mismatches: CapabilityVersionMismatch[] = [];
+
+  for (const cap of required) {
+    const providers = await db
+      .select()
+      .from(capabilities)
+      .where(eq(capabilities.capabilityName, cap.name))
+      .all();
+    if (providers.length === 0) continue; // Missing-provider case is handled separately.
+
+    // If any provider is compatible, the consumer is fine — runtime's
+    // zone-aware lookup will pick that one for the relevant zone.
+    // Otherwise, capture the first provider's mismatch as the canonical
+    // example for the error message.
+    let exampleMismatch: {
+      provider: { version: string; moduleId: string };
+      reason: string;
+    } | null = null;
+    let anyCompatible = false;
+    for (const p of providers) {
+      const result = compareConsumerToProvider(cap.version, p.version);
+      if (result.compatible) {
+        anyCompatible = true;
+        break;
+      }
+      if (!exampleMismatch) {
+        exampleMismatch = { provider: p, reason: result.reason };
+      }
+    }
+    if (anyCompatible || !exampleMismatch) continue;
+
+    mismatches.push({
+      capabilityName: cap.name,
+      requiredVersion: cap.version,
+      providedVersion: exampleMismatch.provider.version,
+      providerModuleId: exampleMismatch.provider.moduleId,
+      reason: exampleMismatch.reason,
+    });
+  }
+
+  return mismatches;
+}
+
+/**
+ * Format a version-mismatch error message for the deploy refusal.
+ *
+ * The message names the consumer, the requirement, the actual provider
+ * version, and an actionable next step — so an operator can resolve the
+ * break without reading the source of `compareConsumerToProvider`.
+ */
+function formatVersionMismatchError(
+  consumerModuleId: string,
+  mismatches: CapabilityVersionMismatch[],
+): string {
+  const lines: string[] = [`Capability version mismatch: cannot deploy '${consumerModuleId}'.`, ''];
+  for (const m of mismatches) {
+    lines.push(
+      `  ${m.capabilityName}: requires ${m.requiredVersion}, but ` +
+        `'${m.providerModuleId}' provides ${m.providedVersion}`,
+    );
+    if (m.reason === 'caller_minor_too_old') {
+      lines.push(
+        `    Fix: upgrade '${m.providerModuleId}' to a version that provides ` +
+          `${m.capabilityName}@${m.requiredVersion} or newer.`,
+      );
+    } else {
+      lines.push(
+        `    Fix: the major version differs. Either update '${consumerModuleId}' ` +
+          `to require ${m.capabilityName}@${m.providedVersion} (matching the ` +
+          `installed provider's major), or rebuild '${m.providerModuleId}' ` +
+          `against ${m.capabilityName}@${m.requiredVersion}.`,
+      );
+    }
+  }
+  return lines.join('\n');
+}
+
 /**
  * Check if a capability is provided by any deployed module
  * Execution function - queries database
@@ -154,13 +287,24 @@ async function findMissingCapabilities(
  * @returns True if capability is provided
  */
 async function isCapabilityProvided(capabilityName: string, db: DbClient): Promise<boolean> {
-  const result = await db
+  const cap = await db
     .select()
     .from(capabilities)
     .where(eq(capabilities.capabilityName, capabilityName))
     .get();
 
-  return !!result;
+  if (!cap) return false;
+
+  // Also verify the provider module is actually deployed (VERIFIED or DEPLOYED),
+  // not just imported/configured. A capability registered by an undeployed
+  // module cannot serve hook requests at runtime.
+  const provider = await db
+    .select({ state: modules.state })
+    .from(modules)
+    .where(eq(modules.id, cap.moduleId))
+    .get();
+
+  return provider?.state === 'VERIFIED' || provider?.state === 'INSTALLED';
 }
 
 /**

package/src/services/ensure-interview.test.ts

@@ -0,0 +1,245 @@
+import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { and, eq } from 'drizzle-orm';
+import { type DbClient, getDb } from '../db/client';
+import { moduleConfigs, modules, secrets } from '../db/schema';
+import type { Ensure } from '../manifest/schema';
+import { decryptSecret } from '../secrets/encryption';
+import { getOrCreateMasterKey } from '../secrets/master-key';
+import {
+  findEnsureOnProvider,
+  interviewForEnsureInputs,
+  renderEnsureRecipe,
+} from './config-interview';
+
+const ENSURE: Ensure = {
+  id: 'managed_domain',
+  description: 'Add a domain.',
+  inputs: [
+    { kind: 'append_to_array', target: 'config.additional_domains' },
+    {
+      kind: 'set_in_object',
+      target: 'secret.additional_ddns_passwords',
+      key: '{{value}}',
+      prompt: 'Namecheap DDNS password for {{value}}',
+      hint: 'Advanced DNS panel',
+    },
+  ],
+  post: 'redeploy_self',
+};
+
+describe('interviewForEnsureInputs', () => {
+  let tempDir: string;
+  let testDb: DbClient;
+
+  beforeEach(() => {
+    tempDir = mkdtempSync(join(tmpdir(), 'celilo-ensure-'));
+    process.env.CELILO_DB_PATH = join(tempDir, 'test.db');
+    testDb = getDb();
+    testDb
+      .insert(modules)
+      .values({
+        id: 'namecheap',
+        name: 'Namecheap',
+        sourcePath: tempDir,
+        version: '2.0.0',
+        manifestData: {
+          provides: {
+            capabilities: [{ name: 'dns_registrar', version: '3.0.0', ensures: [ENSURE] }],
+          },
+        },
+      })
+      .run();
+  });
+
+  afterEach(() => {
+    rmSync(tempDir, { recursive: true, force: true });
+    process.env.CELILO_DB_PATH = undefined;
+  });
+
+  test('appends to array config and sets secret object key', async () => {
+    const promptedFor: string[] = [];
+    const result = await interviewForEnsureInputs('namecheap', ENSURE, 'celilo.computer', testDb, {
+      promptOverride: async (msg) => {
+        promptedFor.push(msg);
+        return 'super-secret-pw';
+      },
+    });
+
+    expect(result.success).toBe(true);
+    expect(result.alreadyApplied).toBe(false);
+    expect(promptedFor[0]).toContain('celilo.computer');
+
+    // config array
+    const configRow = testDb
+      .select()
+      .from(moduleConfigs)
+      .where(
+        and(eq(moduleConfigs.moduleId, 'namecheap'), eq(moduleConfigs.key, 'additional_domains')),
+      )
+      .get();
+    expect(configRow?.valueJson).toBeTruthy();
+    expect(JSON.parse(configRow?.valueJson ?? '[]')).toEqual(['celilo.computer']);
+
+    // secret JSON object
+    const secretRow = testDb
+      .select()
+      .from(secrets)
+      .where(and(eq(secrets.moduleId, 'namecheap'), eq(secrets.name, 'additional_ddns_passwords')))
+      .get();
+    expect(secretRow).toBeTruthy();
+    if (!secretRow) return;
+    const masterKey = await getOrCreateMasterKey();
+    const decoded = decryptSecret(
+      {
+        encryptedValue: secretRow.encryptedValue,
+        iv: secretRow.iv,
+        authTag: secretRow.authTag,
+      },
+      masterKey,
+    );
+    expect(JSON.parse(decoded)).toEqual({ 'celilo.computer': 'super-secret-pw' });
+  });
+
+  test('idempotent — re-running with same value is a no-op', async () => {
+    await interviewForEnsureInputs('namecheap', ENSURE, 'celilo.computer', testDb, {
+      promptOverride: async () => 'pw1',
+    });
+
+    let promptCount = 0;
+    const result = await interviewForEnsureInputs('namecheap', ENSURE, 'celilo.computer', testDb, {
+      promptOverride: async () => {
+        promptCount++;
+        return 'should-not-be-used';
+      },
+    });
+
+    expect(result.success).toBe(true);
+    expect(result.alreadyApplied).toBe(true);
+    expect(promptCount).toBe(0);
+  });
+
+  test('preserves existing entries when adding a second domain', async () => {
+    await interviewForEnsureInputs('namecheap', ENSURE, 'first.com', testDb, {
+      promptOverride: async () => 'pw1',
+    });
+
+    await interviewForEnsureInputs('namecheap', ENSURE, 'second.com', testDb, {
+      promptOverride: async () => 'pw2',
+    });
+
+    const configRow = testDb
+      .select()
+      .from(moduleConfigs)
+      .where(
+        and(eq(moduleConfigs.moduleId, 'namecheap'), eq(moduleConfigs.key, 'additional_domains')),
+      )
+      .get();
+    expect(JSON.parse(configRow?.valueJson ?? '[]')).toEqual(['first.com', 'second.com']);
+
+    const secretRow = testDb
+      .select()
+      .from(secrets)
+      .where(and(eq(secrets.moduleId, 'namecheap'), eq(secrets.name, 'additional_ddns_passwords')))
+      .get();
+    if (!secretRow) throw new Error('expected secret row');
+    const masterKey = await getOrCreateMasterKey();
+    const decoded = decryptSecret(
+      {
+        encryptedValue: secretRow.encryptedValue,
+        iv: secretRow.iv,
+        authTag: secretRow.authTag,
+      },
+      masterKey,
+    );
+    expect(JSON.parse(decoded)).toEqual({ 'first.com': 'pw1', 'second.com': 'pw2' });
+  });
+
+  // The "declined confirm short-circuits" test was removed when the
+  // confirm prompt itself was removed — running `module deploy <consumer>`
+  // is the user's consent for the cross-module config its hooks imply.
+  // See config-interview.ts and CADDY_HOSTNAME_LIST.md, Decision 6.
+
+  test('non-interactive mode applies directly', async () => {
+    // In production, non-interactive mode prints a recipe and aborts
+    // before reaching this function. The function itself supports being
+    // called non-interactively for tests / scripted use, applying inputs
+    // directly. promptOverride is still required for set_in_object inputs.
+    const result = await interviewForEnsureInputs('namecheap', ENSURE, 'celilo.computer', testDb, {
+      noInteractive: true,
+      promptOverride: async () => 'pw',
+    });
+    expect(result.success).toBe(true);
+  });
+});
+
+describe('findEnsureOnProvider', () => {
+  let tempDir: string;
+  let testDb: DbClient;
+
+  beforeEach(() => {
+    tempDir = mkdtempSync(join(tmpdir(), 'celilo-find-ensure-'));
+    process.env.CELILO_DB_PATH = join(tempDir, 'test.db');
+    testDb = getDb();
+  });
+
+  afterEach(() => {
+    rmSync(tempDir, { recursive: true, force: true });
+    process.env.CELILO_DB_PATH = undefined;
+  });
+
+  test('finds ensure by id on a registered provider', () => {
+    testDb
+      .insert(modules)
+      .values({
+        id: 'namecheap',
+        name: 'Namecheap',
+        sourcePath: tempDir,
+        version: '2.0.0',
+        manifestData: {
+          provides: {
+            capabilities: [{ name: 'dns_registrar', version: '3.0.0', ensures: [ENSURE] }],
+          },
+        },
+      })
+      .run();
+
+    const found = findEnsureOnProvider('namecheap', 'managed_domain', testDb);
+    expect(found?.id).toBe('managed_domain');
+  });
+
+  test('returns null when module exists but ensure id does not match', () => {
+    testDb
+      .insert(modules)
+      .values({
+        id: 'namecheap',
+        name: 'Namecheap',
+        sourcePath: tempDir,
+        version: '2.0.0',
+        manifestData: { provides: { capabilities: [] } },
+      })
+      .run();
+    expect(findEnsureOnProvider('namecheap', 'managed_domain', testDb)).toBeNull();
+  });
+
+  test('returns null when provider module does not exist', () => {
+    expect(findEnsureOnProvider('ghost', 'managed_domain', testDb)).toBeNull();
+  });
+});
+
+describe('renderEnsureRecipe', () => {
+  test('mentions module id, ensure id, value, and post action', () => {
+    const recipe = renderEnsureRecipe('namecheap', ENSURE, 'celilo.computer');
+    expect(recipe).toContain('namecheap');
+    expect(recipe).toContain('managed_domain');
+    expect(recipe).toContain('celilo.computer');
+    expect(recipe).toContain('celilo module deploy namecheap');
+  });
+
+  test('renders the per-domain prompt template', () => {
+    const recipe = renderEnsureRecipe('namecheap', ENSURE, 'celilo.computer');
+    expect(recipe).toContain('Namecheap DDNS password for celilo.computer');
+  });
+});