@celilo/cli 0.1.5 → 0.1.7

package/src/cli/index.ts

@@ -32,14 +32,18 @@ import { handleModuleConfigGet, handleModuleConfigSet } from './commands/module-
 import { handleModuleDeploy } from './commands/module-deploy';
 import { handleModuleGenerate } from './commands/module-generate';
 import { handleModuleHealth } from './commands/module-health';
-import { handleModuleImport } from './commands/module-import';
+import { handleModuleImport, handlePublicRegistryImport } from './commands/module-import';
 import { handleModuleList } from './commands/module-list';
 import { handleModuleLogs } from './commands/module-logs';
+import { handleModulePublish } from './commands/module-publish';
 import { handleModuleRemove } from './commands/module-remove';
+import { handleModuleSearch } from './commands/module-search';
 import { handleModuleShowConfig, handleModuleShowZone } from './commands/module-show';
 import { handleModuleStatus } from './commands/module-status';
+import { handleModuleTerraformUnlock } from './commands/module-terraform-unlock';
 import { handleModuleTypesCheck, handleModuleTypesGenerate } from './commands/module-types';
 import { handleModuleUpgrade } from './commands/module-upgrade';
+import { moduleVerify } from './commands/module-verify';
 import { handlePackage } from './commands/package';
 import { handleSecretList } from './commands/secret-list';
 import { handleSecretSet } from './commands/secret-set';
@@ -52,10 +56,12 @@ import { handleServiceReconfigure } from './commands/service-reconfigure';
 import { handleServiceRemove } from './commands/service-remove';
 import { handleServiceVerify } from './commands/service-verify';
 import { handleStatus } from './commands/status';
+import { handleSystemAudit } from './commands/system-audit';
 import { handleSystemConfigGet, handleSystemConfigSet } from './commands/system-config';
 import { handleSystemInit } from './commands/system-init';
 import { handleSystemSecretGet } from './commands/system-secret-get';
 import { handleSystemSecretSet } from './commands/system-secret-set';
+import { handleSystemUpdate } from './commands/system-update';
 import { handleSystemVaultPassword } from './commands/system-vault-password';
 import { getCompletions } from './completion';
 import { parseArguments, validateFlags } from './parser';
@@ -102,6 +108,17 @@ function checkFlags(
   return null;
 }
 
+/**
+ * Display CLI version. Reads the npm package version from this
+ * package's manifest at runtime — single source of truth, so
+ * `bun publish` bumping the version automatically updates what
+ * `celilo --version` reports.
+ */
+function displayVersion(): CommandResult {
+  const pkg = require('../../package.json') as { version: string };
+  return { success: true, message: `celilo ${pkg.version}` };
+}
+
 /**
  * Display general help message
  */
@@ -114,6 +131,7 @@ Usage:
 
 Commands:
   status                   Show system and module status
+  audit                    Top-level alias for 'system audit'
   capability               View registered module capabilities
   package                  Create distributable .netapp packages from module source
   module                   Manage modules (import, list, configure, build, generate)
@@ -182,7 +200,7 @@ Examples:
 
 Related Commands:
   celilo module import <package.netapp>    Import a packaged module
-  celilo module audit <module-id>          Verify package integrity
+  celilo module verify <module-id>         Verify package integrity
 `;
 
   return {
@@ -245,7 +263,8 @@ Subcommands:
 
   remove <id>                          Remove a module and all its data
 
-  audit <id>                           Verify module integrity (checksums)
+  verify <id>                          Verify module integrity (signature + checksums)
+                                         (legacy alias: 'audit')
 
   config set <id> <key> <value>        Set module configuration value
   config get <id> [key]                Get module configuration value(s)
@@ -278,13 +297,33 @@ Subcommands:
 
   update <path> [path...]               Update module code while preserving state (configs, secrets, infra)
 
+Registry:
+  install <name>                       Download and import a module from the registry
+    Options:
+      --registry <url>                 Use a custom registry (default: https://celilo.computer/registry)
+
+  search [query]                       Search the registry for modules
+    Options:
+      --registry <url>                 Use a custom registry
+      --limit <n>                      Max results (default: 25)
+
+  publish <module-dir>                 Build and publish a module to the registry
+    Options:
+      --token <token>                  Publish token (or set CELILO_PUBLISH_TOKEN env var)
+      --registry <url>                 Use a custom registry
+      --revision <n>                   Force package revision number (default: auto)
+
 Examples:
+  celilo module install caddy
+  celilo module install namecheap --registry https://my-registry.example.com/registry
+  celilo module search dns
+  celilo module publish ./modules/caddy --token mytoken
   celilo module import ./modules/homebridge
   celilo module import homebridge.netapp
   celilo module import /abs/path/to/module --target /custom/location
   celilo module list
   celilo module remove homebridge
-  celilo module audit homebridge
+  celilo module verify homebridge
   celilo module config set homebridge hostname myhost
   celilo module config set homebridge container_ip "192.168.0.110/24"
   celilo module config get homebridge
@@ -678,6 +717,15 @@ Subcommands:
 
   vault-password                       Get Ansible Vault password for decrypting secrets.yml
 
+  audit [--json]                       Report system-wide drift (no mutations)
+
+  update [--module <id>] [--no-backup] [--allow-destructive] [--dry-run] [--json]
+                                       Bring the system to the audit-determined READY state
+
+Runbook:
+  https://celilo.computer/docs/system-update
+  (offline summary in apps/celilo/docs/INDEX.md)
+
 Description:
   System initialization (init) guides you through first-time setup with interactive
   prompts or applies sensible defaults for testing.
@@ -765,6 +813,17 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
     }
   }
 
+  // Handle --version / -v / `version` (top-level only — subcommands
+  // like `celilo module --version` aren't supported here; they'd
+  // reach the per-command help anyway).
+  if (
+    parsed.flags.version ||
+    parsed.flags.v ||
+    (parsed.command === 'version' && !parsed.subcommand)
+  ) {
+    return displayVersion();
+  }
+
   // Handle general help (only if no specific command, or command is 'help')
   if (parsed.command === 'help') {
     return displayHelp();
@@ -783,6 +842,11 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
     return handleStatus();
   }
 
+  // Top-level alias: `celilo audit` → `celilo system audit`
+  if (parsed.command === 'audit') {
+    return handleSystemAudit(parsed.args, parsed.flags);
+  }
+
   // Route commands
   if (parsed.command === 'package') {
     // Handle package --help
@@ -887,6 +951,8 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
         return handleModuleUpgrade(parsed.args, parsed.flags);
       case 'audit':
         return moduleAudit(parsed.args);
+      case 'verify':
+        return moduleVerify(parsed.args);
       case 'config': {
         // Config requires additional subcommand (set/get)
         const configSubcommand = parsed.args[0];
@@ -915,7 +981,7 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
           return {
             success: false,
             error:
-              'Secret action required (set or list)\n\nUsage:\n  celilo module secret set <module-id> <key> <value>\n  celilo module secret list <module-id>',
+              'Secret action required\n\nUsage:\n  celilo module secret set <module-id> <key> <value>\n  celilo module secret get <module-id> <key>\n  celilo module secret list <module-id>',
           };
         }
         const moduleSecretArgs = parsed.args.slice(1);
@@ -925,6 +991,10 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
         if (moduleSecretSubcommand === 'list') {
           return handleSecretList(moduleSecretArgs);
         }
+        if (moduleSecretSubcommand === 'get') {
+          const { handleModuleSecretGet } = await import('./commands/module-secret-get');
+          return handleModuleSecretGet(moduleSecretArgs);
+        }
         return {
           success: false,
           error: `Unknown secret action: ${moduleSecretSubcommand}`,
@@ -963,10 +1033,27 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
         return handleModuleDeploy(parsed.args, { ...parsed.flags, preflight: true });
       case 'run-hook':
         return handleHookRun(parsed.args, parsed.flags);
+      case 'terraform-unlock':
+        return handleModuleTerraformUnlock(parsed.args);
       case 'show-config':
         return handleModuleShowConfig(parsed.args);
       case 'show-zone':
         return handleModuleShowZone(parsed.args);
+      case 'search':
+        return handleModuleSearch(parsed.args, parsed.flags);
+      case 'install': {
+        // `celilo module install <name>` — shorthand for `module import public-registry <name>`
+        const name = parsed.args[0] ?? parsed.subcommand;
+        if (!name) {
+          return {
+            success: false,
+            error: 'Module name required\n\nUsage: celilo module install <name> [--registry <url>]',
+          };
+        }
+        return handlePublicRegistryImport(name, parsed.flags);
+      }
+      case 'publish':
+        return handleModulePublish(parsed.args, parsed.flags);
       default:
         return {
           success: false,
@@ -1296,6 +1383,14 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
       return handleSystemVaultPassword();
     }
 
+    if (parsed.subcommand === 'audit') {
+      return handleSystemAudit(parsed.args, parsed.flags);
+    }
+
+    if (parsed.subcommand === 'update') {
+      return handleSystemUpdate(parsed.args, parsed.flags);
+    }
+
     return {
       success: false,
       error: `Unknown system subcommand: ${parsed.subcommand}\n\nRun "celilo system --help" for usage`,
@@ -1554,6 +1649,18 @@ export async function main(): Promise<void> {
         process.exit(0);
       }
 
+      // Script-friendly commands bypass clack and write directly to stdout
+      if (result.rawOutput) {
+        process.stdout.write(`${result.message}\n`);
+        process.exit(0);
+      }
+
+      // Empty message → command already emitted its own output (e.g. via
+      // ProgressDisplay) and doesn't want a clack outro on top.
+      if (!result.message) {
+        process.exit(0);
+      }
+
       // Handle multi-line messages: split on section boundaries (\n\n) so
       // lines within a section are logged together (avoiding clack's per-call spacing).
       const sections = result.message.split('\n\n');

package/src/cli/parser.ts

@@ -45,6 +45,17 @@ export function parseArguments(argv: string[]): ParsedCommand {
     };
   }
 
+  // Handle --version or -v as first argument. Without this, the
+  // top-level loop in index.ts would never see the flag — `--version`
+  // would land as the command name (`Unknown command: --version`).
+  if (firstArg === '--version' || firstArg === '-v') {
+    return {
+      command: 'version',
+      args: [],
+      flags: { version: true },
+    };
+  }
+
   // Handle --get-completions as special flag (for shell completion)
   if (firstArg === '--get-completions') {
     return {

package/src/cli/prompts.ts

@@ -3,8 +3,24 @@
  * Beautiful interactive prompts using @clack/prompts
  */
 
+import type { ProgressDisplay } from '@celilo/cli-display';
 import * as p from '@clack/prompts';
 
+let activeDisplay: ProgressDisplay | null = null;
+
+/**
+ * When set, log.* calls route through the ProgressDisplay instead of @clack/prompts.
+ * Callers (e.g. module deploy) set this for the duration of a long-running operation
+ * so all the sub-services they call emit through one coherent display.
+ */
+export function setActiveDisplay(display: ProgressDisplay | null): void {
+  activeDisplay = display;
+}
+
+export function getActiveDisplay(): ProgressDisplay | null {
+  return activeDisplay;
+}
+
 /**
  * Interactive prompt wrapper with celilo branding
  */
@@ -113,9 +129,24 @@ export function showNote(message: string, title?: string): void {
  * Show log messages
  */
 export const log = {
-  success: (message: string) => p.log.success(message),
-  error: (message: string) => p.log.error(message),
-  warn: (message: string) => p.log.warn(message),
-  info: (message: string) => p.log.info(message),
-  message: (message: string) => p.log.message(message),
+  success: (message: string) => {
+    if (activeDisplay) return activeDisplay.subEvent(`\x1b[32m✓\x1b[0m ${message}`);
+    p.log.success(message);
+  },
+  error: (message: string) => {
+    if (activeDisplay) return activeDisplay.subEvent(`\x1b[31m✗\x1b[0m ${message}`);
+    p.log.error(message);
+  },
+  warn: (message: string) => {
+    if (activeDisplay) return activeDisplay.subEvent(`\x1b[33m⚠\x1b[0m ${message}`);
+    p.log.warn(message);
+  },
+  info: (message: string) => {
+    if (activeDisplay) return activeDisplay.instantEvent(message);
+    p.log.info(message);
+  },
+  message: (message: string) => {
+    if (activeDisplay) return activeDisplay.subEvent(message);
+    p.log.message(message);
+  },
 };

package/src/cli/tui/audit-state.test.ts

@@ -0,0 +1,246 @@
+import { describe, expect, test } from 'bun:test';
+import type { DriftFinding, SystemAuditReport } from '../../services/audit/types';
+import {
+  type AuditTuiState,
+  groupFindings,
+  initState,
+  reducer,
+  selectedFinding,
+} from './audit-state';
+
+function finding(over: Partial<DriftFinding>): DriftFinding {
+  return {
+    category: 'module_configs',
+    severity: 'drift',
+    code: 'cfg_unset',
+    subject: 'caddy',
+    message: 'config "acme_ca" is unset',
+    ...over,
+  };
+}
+
+function report(findings: DriftFinding[]): SystemAuditReport {
+  return {
+    version: 1,
+    verdict: findings.some((f) => f.severity === 'blocked')
+      ? 'BLOCKED'
+      : findings.length > 0
+        ? 'DRIFT'
+        : 'READY',
+    generatedAt: '2026-04-25T12:00:00.000Z',
+    findings,
+  };
+}
+
+describe('groupFindings', () => {
+  test('buckets by category and sorts blocked first', () => {
+    const groups = groupFindings([
+      finding({ category: 'module_configs', code: 'a', subject: 'caddy' }),
+      finding({
+        category: 'capability_abi',
+        severity: 'blocked',
+        code: 'b',
+        subject: 'public_web',
+      }),
+      finding({ category: 'module_configs', code: 'c', subject: 'iptables' }),
+    ]);
+    expect(groups.map((g) => g.category)).toEqual(['capability_abi', 'module_configs']);
+    expect(groups[0].severity).toBe('blocked');
+    expect(groups[1].findings).toHaveLength(2);
+  });
+
+  test('empty findings → empty groups', () => {
+    expect(groupFindings([])).toEqual([]);
+  });
+});
+
+describe('initState', () => {
+  test('selects first category and first finding by default', () => {
+    const s = initState(
+      report([
+        finding({ category: 'backups', code: 'b1', subject: 'caddy' }),
+        finding({ category: 'backups', code: 'b2', subject: 'iptables' }),
+      ]),
+    );
+    expect(s.selectedCategory).toBe('backups');
+    expect(s.selectedFindingId).toBe('caddy/b1');
+    expect(s.focusedPane).toBe('categories');
+  });
+
+  test('READY report with no findings has null selection', () => {
+    const s = initState(report([]));
+    expect(s.selectedCategory).toBeNull();
+    expect(s.selectedFindingId).toBeNull();
+  });
+});
+
+describe('reducer — drill-in (Enter)', () => {
+  function setup(): AuditTuiState {
+    return initState(
+      report([
+        finding({ category: 'backups', code: 'b1', subject: 'caddy' }),
+        finding({ category: 'module_configs', code: 'm1', subject: 'caddy' }),
+      ]),
+    );
+  }
+
+  test('summary → categories', () => {
+    const s = setup();
+    const next = reducer({ ...s, focusedPane: 'summary' }, { type: 'enter' });
+    expect(next.focusedPane).toBe('categories');
+  });
+
+  test('categories → findings (and selects first finding of category)', () => {
+    const s = setup();
+    const next = reducer(s, { type: 'enter' });
+    expect(next.focusedPane).toBe('findings');
+    expect(next.selectedFindingId).toBe('caddy/b1');
+  });
+
+  test('findings → detail', () => {
+    const s = setup();
+    const next = reducer({ ...s, focusedPane: 'findings' }, { type: 'enter' });
+    expect(next.focusedPane).toBe('detail');
+  });
+
+  test('detail → no-op (does not advance)', () => {
+    const s = setup();
+    const next = reducer({ ...s, focusedPane: 'detail' }, { type: 'enter' });
+    expect(next.focusedPane).toBe('detail');
+  });
+});
+
+describe('reducer — step-back (Esc)', () => {
+  function setup(): AuditTuiState {
+    return initState(report([finding({ code: 'a' })]));
+  }
+
+  test('detail → findings', () => {
+    const next = reducer({ ...setup(), focusedPane: 'detail' }, { type: 'escape' });
+    expect(next.focusedPane).toBe('findings');
+  });
+
+  test('findings → categories', () => {
+    const next = reducer({ ...setup(), focusedPane: 'findings' }, { type: 'escape' });
+    expect(next.focusedPane).toBe('categories');
+  });
+
+  test('log → detail (down-then-over recovery)', () => {
+    const next = reducer({ ...setup(), focusedPane: 'log' }, { type: 'escape' });
+    expect(next.focusedPane).toBe('detail');
+  });
+
+  test('categories → no-op (top-level handles quit)', () => {
+    const s = { ...setup(), focusedPane: 'categories' as const };
+    const next = reducer(s, { type: 'escape' });
+    expect(next).toBe(s);
+  });
+});
+
+describe('reducer — move within categories', () => {
+  test('moving down updates selected category and resets finding', () => {
+    const s = initState(
+      report([
+        finding({ category: 'backups', code: 'b1', subject: 'caddy' }),
+        finding({ category: 'capability_abi', severity: 'blocked', code: 'c1', subject: 'pw' }),
+      ]),
+    );
+    // initial: capability_abi (sorted blocked-first), c1 selected
+    expect(s.selectedCategory).toBe('capability_abi');
+    expect(s.selectedFindingId).toBe('pw/c1');
+
+    const next = reducer({ ...s, focusedPane: 'categories' }, { type: 'move', direction: 1 });
+    expect(next.selectedCategory).toBe('backups');
+    expect(next.selectedFindingId).toBe('caddy/b1');
+  });
+
+  test('moving wraps around', () => {
+    const s = initState(
+      report([
+        finding({ category: 'backups', code: 'b1' }),
+        finding({ category: 'module_configs', code: 'm1' }),
+      ]),
+    );
+    const down = reducer({ ...s, focusedPane: 'categories' }, { type: 'move', direction: 1 });
+    const wrap = reducer(down, { type: 'move', direction: 1 });
+    expect(wrap.selectedCategory).toBe(s.selectedCategory);
+  });
+});
+
+describe('reducer — move within findings', () => {
+  test('cycles within current category only', () => {
+    const s = initState(
+      report([
+        finding({ category: 'module_configs', code: 'a', subject: 'caddy' }),
+        finding({ category: 'module_configs', code: 'b', subject: 'iptables' }),
+        finding({ category: 'module_configs', code: 'c', subject: 'greenwave' }),
+      ]),
+    );
+    let st: AuditTuiState = { ...s, focusedPane: 'findings' };
+    expect(st.selectedFindingId).toBe('caddy/a');
+    st = reducer(st, { type: 'move', direction: 1 });
+    expect(st.selectedFindingId).toBe('iptables/b');
+    st = reducer(st, { type: 'move', direction: 1 });
+    expect(st.selectedFindingId).toBe('greenwave/c');
+    st = reducer(st, { type: 'move', direction: 1 });
+    expect(st.selectedFindingId).toBe('caddy/a');
+  });
+});
+
+describe('reducer — focus by number', () => {
+  test('cannot focus findings when no category', () => {
+    const s = initState(report([]));
+    const next = reducer(s, { type: 'focus', pane: 'findings' });
+    expect(next.focusedPane).toBe(s.focusedPane); // unchanged
+  });
+
+  test('focus pane succeeds when prerequisites met', () => {
+    const s = initState(report([finding({ code: 'a' })]));
+    const next = reducer(s, { type: 'focus', pane: 'detail' });
+    expect(next.focusedPane).toBe('detail');
+  });
+});
+
+describe('reducer — set-report preserves selection', () => {
+  test('selection retained when finding still present', () => {
+    const before = initState(
+      report([
+        finding({ category: 'backups', code: 'b1', subject: 'caddy' }),
+        finding({ category: 'backups', code: 'b2', subject: 'iptables' }),
+      ]),
+    );
+    // Select b2
+    const moved = reducer({ ...before, focusedPane: 'findings' }, { type: 'move', direction: 1 });
+    expect(moved.selectedFindingId).toBe('iptables/b2');
+
+    // Re-audit returns same findings
+    const after = reducer(moved, {
+      type: 'set-report',
+      report: report([
+        finding({ category: 'backups', code: 'b1', subject: 'caddy' }),
+        finding({ category: 'backups', code: 'b2', subject: 'iptables' }),
+      ]),
+    });
+    expect(after.selectedFindingId).toBe('iptables/b2');
+  });
+
+  test('selection falls back to first if missing after re-audit', () => {
+    const before = initState(report([finding({ code: 'gone' })]));
+    const after = reducer(before, {
+      type: 'set-report',
+      report: report([finding({ code: 'new', subject: 'other' })]),
+    });
+    expect(after.selectedFindingId).toBe('other/new');
+  });
+});
+
+describe('selectedFinding', () => {
+  test('returns the live finding object', () => {
+    const s = initState(report([finding({ code: 'x', message: 'hello' })]));
+    expect(selectedFinding(s)?.message).toBe('hello');
+  });
+
+  test('returns null with no selection', () => {
+    expect(selectedFinding(initState(report([])))).toBeNull();
+  });
+});