@celilo/cli 0.1.5 → 0.1.7

package/src/templates/generator.ts

@@ -1,6 +1,6 @@
 import { randomUUID } from 'node:crypto';
 import { existsSync, statSync } from 'node:fs';
-import { chmod, mkdir, readFile, readdir, writeFile } from 'node:fs/promises';
+import { chmod, cp, mkdir, readFile, readdir, writeFile } from 'node:fs/promises';
 import { dirname, join, relative } from 'node:path';
 import { and, eq } from 'drizzle-orm';
 import { generateInventory } from '../ansible/inventory';
@@ -209,6 +209,31 @@ export async function readTemplateFiles(
  * @param outputPath - Base output path
  * @param files - Generated files to write
  */
+/**
+ * Copy each `ansible/roles/<role>/files/` directory from the module source
+ * to the generated output, verbatim (preserving binary content + mode bits).
+ *
+ * These hold Ansible role-local static assets — they may be binaries and
+ * don't need template variable resolution, so the standard template
+ * pipeline (which is utf-8) can't handle them.
+ */
+export async function copyAnsibleRoleFilesDirs(
+  modulePath: string,
+  outputPath: string,
+): Promise<void> {
+  const rolesDir = join(modulePath, 'ansible', 'roles');
+  if (!existsSync(rolesDir)) return;
+  const roles = await readdir(rolesDir, { withFileTypes: true });
+  for (const role of roles) {
+    if (!role.isDirectory()) continue;
+    const srcFilesDir = join(rolesDir, role.name, 'files');
+    if (!existsSync(srcFilesDir)) continue;
+    const destFilesDir = join(outputPath, 'ansible', 'roles', role.name, 'files');
+    await mkdir(dirname(destFilesDir), { recursive: true });
+    await cp(srcFilesDir, destFilesDir, { recursive: true, preserveTimestamps: true });
+  }
+}
+
 export async function writeGeneratedFiles(
   outputPath: string,
   files: GeneratedFile[],
@@ -913,6 +938,22 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
     };
   }
 
+  // Execution: Copy Ansible role-local `files/` directories verbatim.
+  // These hold static assets (binaries, certs, scripts, blobs) used by
+  // Ansible's `copy` module. They're outside the template pipeline because
+  // (a) they don't need variable resolution and (b) they may be binary —
+  // utf-8 round-tripping would corrupt them. The template pipeline only
+  // handles .tpl/.j2/.yml/.yaml/.tf files.
+  try {
+    await copyAnsibleRoleFilesDirs(modulePath, outputPath);
+  } catch (error) {
+    return {
+      success: false,
+      error: 'Failed to copy Ansible role files/ directories',
+      details: error,
+    };
+  }
+
   // Execution: Copy capability-provided Ansible tasks into generated output
   // When a module requires capabilities that provide Ansible tasks (e.g., dns_registrar),
   // copy those tasks so the consumer's playbook can include them.

package/src/test-utils/completion-harness.test.ts

@@ -19,7 +19,7 @@ describe('CompletionHarness', () => {
       CELILO_DB_PATH: ctx.dbPath,
       CELILO_DATA_DIR: ctx.dataDir,
     });
-    harness = new CompletionHarness(ctx.cli);
+    harness = new CompletionHarness(cli);
   });
 
   afterEach(async () => {

package/src/test-utils/completion-harness.ts

@@ -6,13 +6,13 @@
  */
 
 import { expect } from 'bun:test';
-import { runCli } from './cli';
+import type { CLIContext } from './cli-context';
 
 /**
  * Test harness for CLI completion
  */
 export class CompletionHarness {
-  constructor(private cli: string) {}
+  constructor(private cli: CLIContext) {}
 
   /**
    * Get completions for a given set of words
@@ -26,10 +26,10 @@ export class CompletionHarness {
     // If partial=false, we're completing the next word after all current words
     const currentIndex = partial && words.length > 0 ? words.length - 1 : words.length;
     try {
-      const result = runCli(this.cli, `--get-completions ${words.join(' ')} ${currentIndex}`);
+      const result = await this.cli.run(`--get-completions ${words.join(' ')} ${currentIndex}`);
 
       // Parse completion output (one per line)
-      return result.split('\n').filter(Boolean);
+      return result.stdout.split('\n').filter(Boolean);
     } catch (_error) {
       // Completion errors return empty array
       return [];

package/src/variables/capability-self-ref.test.ts

@@ -9,6 +9,7 @@ import { mkdtempSync, rmSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { createDbClient } from '@/db/client';
+import { buildResolutionContext } from './context';
 import { resolveVariable } from './resolver';
 import type { ResolutionContext } from './types';
 
@@ -217,4 +218,206 @@ describe('Capability data $self: variable resolution', () => {
       expect(result.error).toContain("has not configured 'ip.primary'");
     }
   });
+
+  test('buildResolutionContext resolves capability-derived variable even when DB has raw unresolved $self: value', async () => {
+    // Regression: hook config was assembled from raw DB reads without applying
+    // capability derivation. When lunacycle stores primary_domain as "$self:primary_domain"
+    // (because the DB guard skipped persisting the resolved value), the hook
+    // received the literal template string instead of "iamtheinternet.org".
+    // After the fix, buildResolutionContext always returns the resolved value in selfConfig.
+    const testDir = mkdtempSync(join(tmpdir(), 'test-cap-self-raw-'));
+    testDirs.push(testDir);
+    const db = createDbClient({ path: join(testDir, 'test.db') });
+
+    db.$client
+      .prepare(
+        'INSERT INTO modules (id, name, version, source_path, state, manifest_data) VALUES (?, ?, ?, ?, ?, ?)',
+      )
+      .run(
+        'namecheap',
+        'Namecheap',
+        '1.0.0',
+        '/tmp/modules/namecheap',
+        'VERIFIED',
+        JSON.stringify({ id: 'namecheap', name: 'Namecheap', version: '1.0.0' }),
+      );
+
+    db.$client
+      .prepare('INSERT INTO module_configs (module_id, key, value) VALUES (?, ?, ?)')
+      .run('namecheap', 'primary_domain', 'iamtheinternet.org');
+
+    db.$client
+      .prepare(
+        'INSERT INTO capabilities (module_id, capability_name, version, data) VALUES (?, ?, ?, ?)',
+      )
+      .run(
+        'namecheap',
+        'dns_registrar',
+        '2.0.0',
+        JSON.stringify({ primary_domain: '$self:primary_domain' }),
+      );
+
+    const consumerManifest = {
+      id: 'lunacycle',
+      name: 'LunaCycle',
+      version: '1.0.0',
+      celilo_contract: '1.0',
+      variables: {
+        owns: [
+          {
+            name: 'primary_domain',
+            type: 'string',
+            required: false,
+            source: 'capability',
+            derive_from: '$capability:dns_registrar.primary_domain',
+          },
+        ],
+      },
+    };
+
+    db.$client
+      .prepare(
+        'INSERT INTO modules (id, name, version, source_path, state, manifest_data) VALUES (?, ?, ?, ?, ?, ?)',
+      )
+      .run(
+        'lunacycle',
+        'LunaCycle',
+        '1.0.0',
+        '/tmp/modules/lunacycle',
+        'INSTALLED',
+        JSON.stringify(consumerManifest),
+      );
+
+    // Simulate raw DB state: primary_domain stored as unresolved template string
+    db.$client
+      .prepare('INSERT INTO module_configs (module_id, key, value) VALUES (?, ?, ?)')
+      .run('lunacycle', 'primary_domain', '$self:primary_domain');
+
+    const context = await buildResolutionContext('lunacycle', db);
+
+    // selfConfig should have the resolved value, not the raw DB "$self:primary_domain"
+    expect(context.selfConfig.primary_domain).toBe('iamtheinternet.org');
+
+    // Simulate the hook installConfigMap merge logic from module-deploy.ts:
+    // Raw DB read produces the unresolved string; the fix overwrites it from context.selfConfig
+    const installConfigMap: Record<string, unknown> = { primary_domain: '$self:primary_domain' };
+    for (const [key, value] of Object.entries(context.selfConfig)) {
+      if (
+        !(key in installConfigMap) ||
+        (typeof installConfigMap[key] === 'string' &&
+          (installConfigMap[key] as string).startsWith('$'))
+      ) {
+        installConfigMap[key] = value;
+      }
+    }
+    expect(installConfigMap.primary_domain).toBe('iamtheinternet.org');
+  });
+
+  test('hook config merge does not overwrite user-set values with capability-derived ones', async () => {
+    // If a user explicitly sets a value that happens to match a capability-derived variable,
+    // their value (which does NOT start with $) should be preserved.
+    const installConfigMap: Record<string, unknown> = {
+      primary_domain: 'my-custom-domain.com', // user-set, no $ prefix
+      other_key: '$self:unresolved', // raw template — should be overwritten
+    };
+
+    const resolvedSelfConfig: Record<string, string> = {
+      primary_domain: 'iamtheinternet.org', // capability-derived value
+      other_key: 'resolved-value',
+      new_key: 'auto-derived',
+    };
+
+    for (const [key, value] of Object.entries(resolvedSelfConfig)) {
+      if (
+        !(key in installConfigMap) ||
+        (typeof installConfigMap[key] === 'string' &&
+          (installConfigMap[key] as string).startsWith('$'))
+      ) {
+        installConfigMap[key] = value;
+      }
+    }
+
+    // User-set value preserved (no $ prefix → not overwritten)
+    expect(installConfigMap.primary_domain).toBe('my-custom-domain.com');
+    // Unresolved template overwritten
+    expect(installConfigMap.other_key).toBe('resolved-value');
+    // New keys from context added
+    expect(installConfigMap.new_key).toBe('auto-derived');
+  });
+
+  test('buildResolutionContext resolves $self: refs in capability data for consumer module', async () => {
+    // Regression test: lunacycle's primary_domain (source: capability, derive_from:
+    // "$capability:dns_registrar.primary_domain") should resolve to the provider's
+    // actual configured value, not the raw "$self:primary_domain" template string.
+    const testDir = mkdtempSync(join(tmpdir(), 'test-cap-self-ctx-'));
+    testDirs.push(testDir);
+    const db = createDbClient({ path: join(testDir, 'test.db') });
+
+    // Provider module (namecheap) with primary_domain configured
+    db.$client
+      .prepare(
+        'INSERT INTO modules (id, name, version, source_path, state, manifest_data) VALUES (?, ?, ?, ?, ?, ?)',
+      )
+      .run(
+        'namecheap',
+        'Namecheap',
+        '1.0.0',
+        '/tmp/modules/namecheap',
+        'VERIFIED',
+        JSON.stringify({ id: 'namecheap', name: 'Namecheap', version: '1.0.0' }),
+      );
+
+    db.$client
+      .prepare('INSERT INTO module_configs (module_id, key, value) VALUES (?, ?, ?)')
+      .run('namecheap', 'primary_domain', 'iamtheinternet.org');
+
+    // Capability data stored with unresolved $self: reference (as registered at import time)
+    db.$client
+      .prepare(
+        'INSERT INTO capabilities (module_id, capability_name, version, data) VALUES (?, ?, ?, ?)',
+      )
+      .run(
+        'namecheap',
+        'dns_registrar',
+        '2.0.0',
+        JSON.stringify({ provider: 'namecheap', primary_domain: '$self:primary_domain' }),
+      );
+
+    // Consumer module (lunacycle) with capability-derived primary_domain
+    const consumerManifest = {
+      id: 'lunacycle',
+      name: 'LunaCycle',
+      version: '1.0.0',
+      celilo_contract: '1.0',
+      variables: {
+        owns: [
+          {
+            name: 'primary_domain',
+            type: 'string',
+            required: false,
+            source: 'capability',
+            derive_from: '$capability:dns_registrar.primary_domain',
+          },
+        ],
+      },
+    };
+
+    db.$client
+      .prepare(
+        'INSERT INTO modules (id, name, version, source_path, state, manifest_data) VALUES (?, ?, ?, ?, ?, ?)',
+      )
+      .run(
+        'lunacycle',
+        'LunaCycle',
+        '1.0.0',
+        '/tmp/modules/lunacycle',
+        'INSTALLED',
+        JSON.stringify(consumerManifest),
+      );
+
+    const context = await buildResolutionContext('lunacycle', db);
+
+    // primary_domain should be resolved to the provider's actual value
+    expect(context.selfConfig.primary_domain).toBe('iamtheinternet.org');
+  });
 });

package/src/variables/context.ts

@@ -15,6 +15,7 @@ import type { ModuleManifest } from '../manifest/schema';
 import { decryptSecret } from '../secrets/encryption';
 import { getOrCreateMasterKey } from '../secrets/master-key';
 import { applyDeclarativeDerivations } from './declarative-derivation';
+import { applyIndex, parsePath } from './parser';
 import type { ResolutionContext } from './types';
 
 /**
@@ -202,6 +203,34 @@ function autoDeriveInventoryVariables(
   return derived;
 }
 
+/**
+ * Recursively resolve "$self:key" strings in a capability data object
+ * using the provider module's actual config values. Supports the
+ * optional `[N]` array-index suffix (e.g. `$self:domains[0]`) so a
+ * provider can declare computed aliases — `primary_domain:
+ * $self:domains[0]` — without the framework storing the alias as a
+ * separate value. Non-string values and strings that don't start
+ * with "$self:" are returned unchanged.
+ */
+function resolveSelfRefsInObject(
+  obj: Record<string, unknown>,
+  providerConfig: Record<string, unknown>,
+): Record<string, unknown> {
+  const result: Record<string, unknown> = {};
+  for (const [key, value] of Object.entries(obj)) {
+    if (typeof value === 'string' && value.startsWith('$self:')) {
+      const { name, index } = parsePath(value.slice(6));
+      const resolved = applyIndex(providerConfig[name], index);
+      result[key] = resolved !== undefined ? resolved : value;
+    } else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
+      result[key] = resolveSelfRefsInObject(value as Record<string, unknown>, providerConfig);
+    } else {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+
 /**
  * Build resolution context for a module
  *
@@ -418,7 +447,26 @@ export async function buildResolutionContext(
     } else {
       data = row.data;
     }
-    capabilitiesMap[row.capabilityName] = data as Record<string, unknown>;
+
+    // Lazily resolve $self: references in capability data using the provider
+    // module's actual config values. Capability data is stored with unresolved
+    // $self: references (e.g. namecheap stores primary_domain: "$self:primary_domain")
+    // because the real value isn't known at import time. We resolve them here so
+    // consuming modules see the actual values (e.g. "iamtheinternet.org") rather
+    // than the raw template strings.
+    const providerConfigs = db
+      .select()
+      .from(moduleConfigs)
+      .where(eq(moduleConfigs.moduleId, row.moduleId))
+      .all();
+    const providerConfigMap: Record<string, unknown> = {};
+    for (const c of providerConfigs) {
+      providerConfigMap[c.key] = c.valueJson ? JSON.parse(c.valueJson) : c.value;
+    }
+    capabilitiesMap[row.capabilityName] = resolveSelfRefsInObject(
+      data as Record<string, unknown>,
+      providerConfigMap,
+    );
   }
 
   // Fetch system configuration (for $system: variables)