@celilo/cli 0.1.8 → 0.2.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.1.8",
+  "version": "0.2.0",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {

package/src/capabilities/well-known.test.ts

@@ -182,7 +182,7 @@ describe('Well-Known Capabilities Registry', () => {
 
       expect(schema).toEqual({
         provider: 'namecheap',
-        primary_domain: '$self:primary_domain',
+        domains: '$self:domains',
         supports: ['dynamic_dns_a_record'],
       });
     });

package/src/capabilities/well-known.ts

@@ -58,8 +58,16 @@ export const WELL_KNOWN_CAPABILITIES: Record<string, WellKnownCapability> = {
     required_zone: 'dmz',
     zone_enforced: false,
     data_schema: {
+      // The capability contract no longer carries a `primary_domain`
+      // convenience field. Consumers that want a default index into
+      // `domains[]` themselves; consumers that need to commit to a
+      // specific domain (lunacycle, authentik, knot-unbound-internal,
+      // technitium, etc.) declare an explicit user-set `domain`
+      // variable in their own manifest. The implicit primary-domain
+      // hand-off too easily gave a module the household's first
+      // registered domain without anyone deciding to.
       provider: 'namecheap',
-      primary_domain: '$self:primary_domain',
+      domains: '$self:domains',
       supports: ['dynamic_dns_a_record'],
     },
   },
@@ -91,9 +99,9 @@ export const WELL_KNOWN_CAPABILITIES: Record<string, WellKnownCapability> = {
    * Note: `oidc.issuer_url` is no longer derived here. Per the firm rule in
    * design/TECHNICAL_DESIGN_MANIFEST_V2.md D9, well-known capability data
    * templates must not cross-reference other capabilities. The IDP-providing
-   * module derives `auth_url` (or whatever it calls the issuer URL) in its
-   * own manifest from `$capability:dns_registrar.primary_domain` and exposes
-   * it through `provides.capabilities[].data`.
+   * module declares an explicit user-set `domain` field in its own manifest,
+   * derives `auth_url` from `$self:domain`, and exposes it through
+   * `provides.capabilities[].data`.
    */
   auth: {
     canonical_hostname: 'auth',

package/src/cli/commands/module-upgrade.ts

@@ -22,6 +22,16 @@ import { cleanupTempDir, extractPackage } from '../../module/packaging/extract';
 import { log } from '../prompts';
 import type { CommandResult } from '../types';
 
+type UpgradeOutcome =
+  | { status: 'success'; moduleId: string }
+  | { status: 'failed'; moduleId: string; error: string }
+  // `skipped` means the path expanded from a glob but isn't an
+  // upgradable target — either no manifest at all (probably a non-
+  // module sibling like `modules/archive/`) or a real module that
+  // isn't installed in this celilo. Treated as a soft pass so
+  // `celilo module update modules/*` does what users expect.
+  | { status: 'skipped'; moduleId: string; reason: string };
+
 /**
  * Upgrade a single module from a source path
  */
@@ -29,11 +39,15 @@ async function upgradeOne(
   sourcePath: string,
   db: ReturnType<typeof getDb>,
   flags: Record<string, string | boolean> = {},
-): Promise<{ moduleId: string; success: boolean; error?: string }> {
+): Promise<UpgradeOutcome> {
   const originalCwd = process.env.CELILO_ORIGINAL_CWD || process.cwd();
   const importPath = resolve(originalCwd, sourcePath);
   if (!existsSync(importPath)) {
-    return { moduleId: sourcePath, success: false, error: `Source path not found: ${importPath}` };
+    return {
+      status: 'failed',
+      moduleId: sourcePath,
+      error: `Source path not found: ${importPath}`,
+    };
   }
 
   // Handle .netapp packages: extract to temp dir
@@ -44,8 +58,8 @@ async function upgradeOne(
     const extractResult = await extractPackage(importPath);
     if (!extractResult.success || !extractResult.tempDir) {
       return {
+        status: 'failed',
         moduleId: sourcePath,
-        success: false,
         error: extractResult.error || 'Failed to extract package',
       };
     }
@@ -59,8 +73,8 @@ async function upgradeOne(
       if (!verifyResult.success) {
         await cleanupTempDir(tempDir);
         return {
+          status: 'failed',
           moduleId: sourcePath,
-          success: false,
           error: verifyResult.error || 'Package verification failed',
         };
       }
@@ -72,10 +86,13 @@ async function upgradeOne(
   const manifestPath = join(actualPath, 'manifest.yml');
   if (!existsSync(manifestPath)) {
     if (tempDir) await cleanupTempDir(tempDir);
+    // No manifest means the path isn't a module directory at all —
+    // a likely outcome of `module update modules/*` matching a
+    // non-module sibling. Skip silently rather than fail the batch.
     return {
+      status: 'skipped',
       moduleId: sourcePath,
-      success: false,
-      error: `No manifest.yml found at ${actualPath}`,
+      reason: 'not a module directory (no manifest.yml)',
     };
   }
 
@@ -87,17 +104,22 @@ async function upgradeOne(
   } catch (err) {
     if (tempDir) await cleanupTempDir(tempDir);
     const msg = err instanceof Error ? err.message : String(err);
-    return { moduleId: sourcePath, success: false, error: `Invalid manifest: ${msg}` };
+    return { status: 'failed', moduleId: sourcePath, error: `Invalid manifest: ${msg}` };
   }
 
   const moduleId = newManifest.id;
 
   const module = db.select().from(modules).where(eq(modules.id, moduleId)).get();
   if (!module) {
+    if (tempDir) await cleanupTempDir(tempDir);
+    // Module isn't installed in this celilo. Don't fail the batch —
+    // `module update modules/*` should keep going for everything
+    // that IS installed. Caller surfaces the skip count so the user
+    // sees what was passed over.
     return {
+      status: 'skipped',
       moduleId,
-      success: false,
-      error: `Module '${moduleId}' is not installed. Use 'celilo module import ${sourcePath}' first.`,
+      reason: `not installed (run 'celilo module import ${sourcePath}' to add)`,
     };
   }
 
@@ -141,7 +163,7 @@ async function upgradeOne(
   }
 
   log.success(`Upgraded ${moduleId} (v${oldManifest.version} → v${newManifest.version})`);
-  return { moduleId, success: true };
+  return { status: 'success', moduleId };
 }
 
 /**
@@ -162,31 +184,60 @@ export async function handleModuleUpgrade(
   }
 
   const db = getDb();
-  const results: Array<{ moduleId: string; success: boolean; error?: string }> = [];
+  const results: UpgradeOutcome[] = [];
 
   for (const path of args) {
     const result = await upgradeOne(path, db, flags);
     results.push(result);
   }
 
-  const succeeded = results.filter((r) => r.success);
-  const failed = results.filter((r) => !r.success);
+  const succeeded = results.filter(
+    (r): r is Extract<UpgradeOutcome, { status: 'success' }> => r.status === 'success',
+  );
+  const failed = results.filter(
+    (r): r is Extract<UpgradeOutcome, { status: 'failed' }> => r.status === 'failed',
+  );
+  const skipped = results.filter(
+    (r): r is Extract<UpgradeOutcome, { status: 'skipped' }> => r.status === 'skipped',
+  );
+
+  // Skips that fall under a wildcard expansion (e.g. modules/* picking
+  // up `modules/archive/`) shouldn't even be mentioned — they're not
+  // signal. Skips for "module not installed" ARE signal because the
+  // user explicitly named the path; surface those.
+  const meaningfulSkips = skipped.filter((r) => !r.reason.startsWith('not a module directory'));
 
   if (failed.length > 0) {
     const errors = failed.map((r) => `  ${r.moduleId}: ${r.error}`).join('\n');
+    const parts: string[] = [];
     if (succeeded.length > 0) {
-      const names = succeeded.map((r) => r.moduleId).join(', ');
-      return {
-        success: false,
-        error: `Upgraded ${succeeded.length} module(s): ${names}\n\nFailed ${failed.length}:\n${errors}`,
-      };
+      parts.push(
+        `Upgraded ${succeeded.length} module(s): ${succeeded.map((r) => r.moduleId).join(', ')}`,
+      );
+    }
+    if (meaningfulSkips.length > 0) {
+      const skipLines = meaningfulSkips.map((r) => `  ${r.moduleId}: ${r.reason}`).join('\n');
+      parts.push(`Skipped ${meaningfulSkips.length}:\n${skipLines}`);
     }
-    return { success: false, error: `Upgrade failed:\n${errors}` };
+    parts.push(`Failed ${failed.length}:\n${errors}`);
+    return { success: false, error: parts.join('\n\n') };
   }
 
-  const names = succeeded.map((r) => r.moduleId).join(', ');
-  return {
-    success: true,
-    message: `Successfully updated ${succeeded.length} module(s): ${names}`,
-  };
+  const lines: string[] = [];
+  if (succeeded.length > 0) {
+    lines.push(
+      `Updated ${succeeded.length} module(s): ${succeeded.map((r) => r.moduleId).join(', ')}`,
+    );
+  }
+  if (meaningfulSkips.length > 0) {
+    const skipLines = meaningfulSkips.map((r) => `  ${r.moduleId}: ${r.reason}`).join('\n');
+    lines.push(`Skipped ${meaningfulSkips.length}:\n${skipLines}`);
+  }
+  if (lines.length === 0) {
+    // Every arg was a non-module sibling — odd but not a failure.
+    lines.push(
+      `No modules to update (${results.length} path(s) skipped — none had a manifest.yml)`,
+    );
+  }
+  return { success: true, message: lines.join('\n\n') };
 }

package/src/hooks/capability-loader.ts

@@ -519,7 +519,12 @@ async function buildFirewallChain(
 
     // Apply rules by default. Set CELILO_FIREWALL_DRY_RUN=1 to preview without applying.
     const dryRun = process.env.CELILO_FIREWALL_DRY_RUN === '1';
-    const downstreamFirewall = provFactory({ firewallIp, natIp, dryRun }, currentUpstream);
+    // Third arg (logger) lets iptables route its internal status lines
+    // ("[iptables] Rule already exists…", etc.) through the parent
+    // celilo's ProgressDisplay instead of dumping to stderr. Older
+    // iptables modules ignore it — the factory's signature is
+    // backward-compatible.
+    const downstreamFirewall = provFactory({ firewallIp, natIp, dryRun }, currentUpstream, logger);
 
     debugLog(`firewall chain: wired ${provider.moduleId} → ${hasExternal.moduleId}`);
     // Wrap each downstream layer with auto-logging.

package/src/module/packaging/build.ts

@@ -77,13 +77,11 @@ const FRAMEWORK_OWNED_PATHS = new Set(['celilo/types.d.ts']);
  *
  * `node_modules` exclusion is path-aware: regular npm dependencies are
  * skipped (size + bun re-installs them at module-import time), but the
- * framework's own `@celilo/*` packages stay in. That captures the
- * capabilities API the module was authored against, so a module's
- * hooks aren't silently broken by a runtime that ships a different
- * version of `@celilo/capabilities` than the one on npm.
+ * framework's own `@celilo/capabilities` package stays in. That
+ * captures the capabilities API the module was authored against, so a
+ * module's hooks aren't silently broken by a runtime that ships a
+ * different version of `@celilo/capabilities` than the one on npm.
  */
-const BUNDLED_CELILO_PACKAGES = new Set(['capabilities', 'cli-display']);
-
 function shouldExclude(filePath: string): boolean {
   if (FRAMEWORK_OWNED_PATHS.has(filePath)) return true;
 
@@ -95,18 +93,15 @@ function shouldExclude(filePath: string): boolean {
 
   const nmIdx = segments.indexOf('node_modules');
   if (nmIdx >= 0) {
-    // `node_modules` itself: descend so we can pick out @celilo/* SDK
-    // packages. capabilities is the public surface the module was
-    // authored against; cli-display is its transitive dep (the
-    // ProgressDisplay singleton that capability functions reach for to
-    // route output through the parent celilo's display). Everything
-    // else is regular npm cruft we'd just re-install on the target
-    // (or test-only deps inside packages like `@celilo/e2e` we don't
-    // want to drag in).
+    // `node_modules` itself: descend so we can pick out @celilo/capabilities.
+    // The capabilities scope is the only thing we ship — it's the framework
+    // SDK the module was authored against. Everything else is regular npm
+    // cruft we'd just re-install on the target (or test-only deps inside
+    // packages like `@celilo/e2e` we don't want to drag in).
     if (nmIdx + 1 >= segments.length) return false; // node_modules dir itself
     if (segments[nmIdx + 1] !== '@celilo') return true;
     if (nmIdx + 2 >= segments.length) return false; // node_modules/@celilo dir itself
-    return !BUNDLED_CELILO_PACKAGES.has(segments[nmIdx + 2]);
+    return segments[nmIdx + 2] !== 'capabilities';
   }
 
   const name = basename(filePath);