@celilo/cli 0.1.8 → 0.1.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {

package/src/hooks/capability-loader.ts

@@ -519,7 +519,12 @@ async function buildFirewallChain(
 
     // Apply rules by default. Set CELILO_FIREWALL_DRY_RUN=1 to preview without applying.
     const dryRun = process.env.CELILO_FIREWALL_DRY_RUN === '1';
-    const downstreamFirewall = provFactory({ firewallIp, natIp, dryRun }, currentUpstream);
+    // Third arg (logger) lets iptables route its internal status lines
+    // ("[iptables] Rule already exists…", etc.) through the parent
+    // celilo's ProgressDisplay instead of dumping to stderr. Older
+    // iptables modules ignore it — the factory's signature is
+    // backward-compatible.
+    const downstreamFirewall = provFactory({ firewallIp, natIp, dryRun }, currentUpstream, logger);
 
     debugLog(`firewall chain: wired ${provider.moduleId} → ${hasExternal.moduleId}`);
     // Wrap each downstream layer with auto-logging.

package/src/module/packaging/build.ts

@@ -77,13 +77,11 @@ const FRAMEWORK_OWNED_PATHS = new Set(['celilo/types.d.ts']);
  *
  * `node_modules` exclusion is path-aware: regular npm dependencies are
  * skipped (size + bun re-installs them at module-import time), but the
- * framework's own `@celilo/*` packages stay in. That captures the
- * capabilities API the module was authored against, so a module's
- * hooks aren't silently broken by a runtime that ships a different
- * version of `@celilo/capabilities` than the one on npm.
+ * framework's own `@celilo/capabilities` package stays in. That
+ * captures the capabilities API the module was authored against, so a
+ * module's hooks aren't silently broken by a runtime that ships a
+ * different version of `@celilo/capabilities` than the one on npm.
  */
-const BUNDLED_CELILO_PACKAGES = new Set(['capabilities', 'cli-display']);
-
 function shouldExclude(filePath: string): boolean {
   if (FRAMEWORK_OWNED_PATHS.has(filePath)) return true;
 
@@ -95,18 +93,15 @@ function shouldExclude(filePath: string): boolean {
 
   const nmIdx = segments.indexOf('node_modules');
   if (nmIdx >= 0) {
-    // `node_modules` itself: descend so we can pick out @celilo/* SDK
-    // packages. capabilities is the public surface the module was
-    // authored against; cli-display is its transitive dep (the
-    // ProgressDisplay singleton that capability functions reach for to
-    // route output through the parent celilo's display). Everything
-    // else is regular npm cruft we'd just re-install on the target
-    // (or test-only deps inside packages like `@celilo/e2e` we don't
-    // want to drag in).
+    // `node_modules` itself: descend so we can pick out @celilo/capabilities.
+    // The capabilities scope is the only thing we ship — it's the framework
+    // SDK the module was authored against. Everything else is regular npm
+    // cruft we'd just re-install on the target (or test-only deps inside
+    // packages like `@celilo/e2e` we don't want to drag in).
     if (nmIdx + 1 >= segments.length) return false; // node_modules dir itself
     if (segments[nmIdx + 1] !== '@celilo') return true;
     if (nmIdx + 2 >= segments.length) return false; // node_modules/@celilo dir itself
-    return !BUNDLED_CELILO_PACKAGES.has(segments[nmIdx + 2]);
+    return segments[nmIdx + 2] !== 'capabilities';
   }
 
   const name = basename(filePath);