@celilo/cli 0.1.9 → 0.2.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.1.9",
+  "version": "0.2.1",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {
@@ -46,8 +46,8 @@
   },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.1024.0",
-    "@celilo/capabilities": "^0.1.4",
-    "@celilo/cli-display": "0.1.4",
+    "@celilo/capabilities": "^0.1.9",
+    "@celilo/cli-display": "^0.1.4",
     "@clack/prompts": "^1.1.0",
     "ajv": "^8.18.0",
     "drizzle-orm": "^0.36.4",

package/src/capabilities/well-known.test.ts

@@ -182,7 +182,7 @@ describe('Well-Known Capabilities Registry', () => {
 
       expect(schema).toEqual({
         provider: 'namecheap',
-        primary_domain: '$self:primary_domain',
+        domains: '$self:domains',
         supports: ['dynamic_dns_a_record'],
       });
     });

package/src/capabilities/well-known.ts

@@ -58,8 +58,16 @@ export const WELL_KNOWN_CAPABILITIES: Record<string, WellKnownCapability> = {
     required_zone: 'dmz',
     zone_enforced: false,
     data_schema: {
+      // The capability contract no longer carries a `primary_domain`
+      // convenience field. Consumers that want a default index into
+      // `domains[]` themselves; consumers that need to commit to a
+      // specific domain (lunacycle, authentik, knot-unbound-internal,
+      // technitium, etc.) declare an explicit user-set `domain`
+      // variable in their own manifest. The implicit primary-domain
+      // hand-off too easily gave a module the household's first
+      // registered domain without anyone deciding to.
       provider: 'namecheap',
-      primary_domain: '$self:primary_domain',
+      domains: '$self:domains',
       supports: ['dynamic_dns_a_record'],
     },
   },
@@ -91,9 +99,9 @@ export const WELL_KNOWN_CAPABILITIES: Record<string, WellKnownCapability> = {
    * Note: `oidc.issuer_url` is no longer derived here. Per the firm rule in
    * design/TECHNICAL_DESIGN_MANIFEST_V2.md D9, well-known capability data
    * templates must not cross-reference other capabilities. The IDP-providing
-   * module derives `auth_url` (or whatever it calls the issuer URL) in its
-   * own manifest from `$capability:dns_registrar.primary_domain` and exposes
-   * it through `provides.capabilities[].data`.
+   * module declares an explicit user-set `domain` field in its own manifest,
+   * derives `auth_url` from `$self:domain`, and exposes it through
+   * `provides.capabilities[].data`.
    */
   auth: {
     canonical_hostname: 'auth',

package/src/cli/commands/module-upgrade.ts

@@ -22,6 +22,16 @@ import { cleanupTempDir, extractPackage } from '../../module/packaging/extract';
 import { log } from '../prompts';
 import type { CommandResult } from '../types';
 
+type UpgradeOutcome =
+  | { status: 'success'; moduleId: string }
+  | { status: 'failed'; moduleId: string; error: string }
+  // `skipped` means the path expanded from a glob but isn't an
+  // upgradable target — either no manifest at all (probably a non-
+  // module sibling like `modules/archive/`) or a real module that
+  // isn't installed in this celilo. Treated as a soft pass so
+  // `celilo module update modules/*` does what users expect.
+  | { status: 'skipped'; moduleId: string; reason: string };
+
 /**
  * Upgrade a single module from a source path
  */
@@ -29,11 +39,15 @@ async function upgradeOne(
   sourcePath: string,
   db: ReturnType<typeof getDb>,
   flags: Record<string, string | boolean> = {},
-): Promise<{ moduleId: string; success: boolean; error?: string }> {
+): Promise<UpgradeOutcome> {
   const originalCwd = process.env.CELILO_ORIGINAL_CWD || process.cwd();
   const importPath = resolve(originalCwd, sourcePath);
   if (!existsSync(importPath)) {
-    return { moduleId: sourcePath, success: false, error: `Source path not found: ${importPath}` };
+    return {
+      status: 'failed',
+      moduleId: sourcePath,
+      error: `Source path not found: ${importPath}`,
+    };
   }
 
   // Handle .netapp packages: extract to temp dir
@@ -44,8 +58,8 @@ async function upgradeOne(
     const extractResult = await extractPackage(importPath);
     if (!extractResult.success || !extractResult.tempDir) {
       return {
+        status: 'failed',
         moduleId: sourcePath,
-        success: false,
         error: extractResult.error || 'Failed to extract package',
       };
     }
@@ -59,8 +73,8 @@ async function upgradeOne(
       if (!verifyResult.success) {
         await cleanupTempDir(tempDir);
         return {
+          status: 'failed',
           moduleId: sourcePath,
-          success: false,
           error: verifyResult.error || 'Package verification failed',
         };
       }
@@ -72,10 +86,13 @@ async function upgradeOne(
   const manifestPath = join(actualPath, 'manifest.yml');
   if (!existsSync(manifestPath)) {
     if (tempDir) await cleanupTempDir(tempDir);
+    // No manifest means the path isn't a module directory at all —
+    // a likely outcome of `module update modules/*` matching a
+    // non-module sibling. Skip silently rather than fail the batch.
     return {
+      status: 'skipped',
       moduleId: sourcePath,
-      success: false,
-      error: `No manifest.yml found at ${actualPath}`,
+      reason: 'not a module directory (no manifest.yml)',
     };
   }
 
@@ -87,17 +104,22 @@ async function upgradeOne(
   } catch (err) {
     if (tempDir) await cleanupTempDir(tempDir);
     const msg = err instanceof Error ? err.message : String(err);
-    return { moduleId: sourcePath, success: false, error: `Invalid manifest: ${msg}` };
+    return { status: 'failed', moduleId: sourcePath, error: `Invalid manifest: ${msg}` };
   }
 
   const moduleId = newManifest.id;
 
   const module = db.select().from(modules).where(eq(modules.id, moduleId)).get();
   if (!module) {
+    if (tempDir) await cleanupTempDir(tempDir);
+    // Module isn't installed in this celilo. Don't fail the batch —
+    // `module update modules/*` should keep going for everything
+    // that IS installed. Caller surfaces the skip count so the user
+    // sees what was passed over.
     return {
+      status: 'skipped',
       moduleId,
-      success: false,
-      error: `Module '${moduleId}' is not installed. Use 'celilo module import ${sourcePath}' first.`,
+      reason: `not installed (run 'celilo module import ${sourcePath}' to add)`,
     };
   }
 
@@ -141,7 +163,7 @@ async function upgradeOne(
   }
 
   log.success(`Upgraded ${moduleId} (v${oldManifest.version} → v${newManifest.version})`);
-  return { moduleId, success: true };
+  return { status: 'success', moduleId };
 }
 
 /**
@@ -162,31 +184,60 @@ export async function handleModuleUpgrade(
   }
 
   const db = getDb();
-  const results: Array<{ moduleId: string; success: boolean; error?: string }> = [];
+  const results: UpgradeOutcome[] = [];
 
   for (const path of args) {
     const result = await upgradeOne(path, db, flags);
     results.push(result);
   }
 
-  const succeeded = results.filter((r) => r.success);
-  const failed = results.filter((r) => !r.success);
+  const succeeded = results.filter(
+    (r): r is Extract<UpgradeOutcome, { status: 'success' }> => r.status === 'success',
+  );
+  const failed = results.filter(
+    (r): r is Extract<UpgradeOutcome, { status: 'failed' }> => r.status === 'failed',
+  );
+  const skipped = results.filter(
+    (r): r is Extract<UpgradeOutcome, { status: 'skipped' }> => r.status === 'skipped',
+  );
+
+  // Skips that fall under a wildcard expansion (e.g. modules/* picking
+  // up `modules/archive/`) shouldn't even be mentioned — they're not
+  // signal. Skips for "module not installed" ARE signal because the
+  // user explicitly named the path; surface those.
+  const meaningfulSkips = skipped.filter((r) => !r.reason.startsWith('not a module directory'));
 
   if (failed.length > 0) {
     const errors = failed.map((r) => `  ${r.moduleId}: ${r.error}`).join('\n');
+    const parts: string[] = [];
     if (succeeded.length > 0) {
-      const names = succeeded.map((r) => r.moduleId).join(', ');
-      return {
-        success: false,
-        error: `Upgraded ${succeeded.length} module(s): ${names}\n\nFailed ${failed.length}:\n${errors}`,
-      };
+      parts.push(
+        `Upgraded ${succeeded.length} module(s): ${succeeded.map((r) => r.moduleId).join(', ')}`,
+      );
+    }
+    if (meaningfulSkips.length > 0) {
+      const skipLines = meaningfulSkips.map((r) => `  ${r.moduleId}: ${r.reason}`).join('\n');
+      parts.push(`Skipped ${meaningfulSkips.length}:\n${skipLines}`);
     }
-    return { success: false, error: `Upgrade failed:\n${errors}` };
+    parts.push(`Failed ${failed.length}:\n${errors}`);
+    return { success: false, error: parts.join('\n\n') };
   }
 
-  const names = succeeded.map((r) => r.moduleId).join(', ');
-  return {
-    success: true,
-    message: `Successfully updated ${succeeded.length} module(s): ${names}`,
-  };
+  const lines: string[] = [];
+  if (succeeded.length > 0) {
+    lines.push(
+      `Updated ${succeeded.length} module(s): ${succeeded.map((r) => r.moduleId).join(', ')}`,
+    );
+  }
+  if (meaningfulSkips.length > 0) {
+    const skipLines = meaningfulSkips.map((r) => `  ${r.moduleId}: ${r.reason}`).join('\n');
+    lines.push(`Skipped ${meaningfulSkips.length}:\n${skipLines}`);
+  }
+  if (lines.length === 0) {
+    // Every arg was a non-module sibling — odd but not a failure.
+    lines.push(
+      `No modules to update (${results.length} path(s) skipped — none had a manifest.yml)`,
+    );
+  }
+  return { success: true, message: lines.join('\n\n') };
 }

package/src/cli/prompts.ts

@@ -122,7 +122,7 @@ export function showNote(message: string, title?: string): void {
 export const log = {
   success: (message: string) => {
     const d = getActiveDisplay();
-    if (d) return d.subEvent(`\x1b[32m✓\x1b[0m ${message}`);
+    if (d) return d.subEvent(`\x1b[32m✔\x1b[0m ${message}`);
     p.log.success(message);
   },
   error: (message: string) => {

package/src/hooks/define-hook.test.ts

@@ -91,6 +91,9 @@ const fakeIdp: IdpCapability = {
   async create_user() {
     return { user_id: 1, created: true };
   },
+  async create_token() {
+    return { token: 'fake-token', created: true };
+  },
 };
 
 describe('defineHook', () => {
@@ -253,6 +256,9 @@ describe('defineCapabilityFunction', () => {
         async create_user() {
           return { user_id: 1, created: true };
         },
+        async create_token() {
+          return { token: 'fake-token', created: true };
+        },
       }),
     });
 
@@ -313,6 +319,9 @@ describe('defineCapabilityFunction', () => {
           async create_user(_request: CreateUserRequest): Promise<CreateUserResult> {
             return { user_id: 1, created: true };
           },
+          async create_token(): Promise<{ token: string; created: boolean }> {
+            return { token: 'tok', created: true };
+          },
         };
       },
     });
@@ -443,6 +452,9 @@ void defineCapabilityFunction({
     async create_user() {
       return { user_id: 1, created: true };
     },
+    async create_token() {
+      return { token: 'x', created: true };
+    },
   }),
 });
 

package/src/hooks/executor.ts

@@ -7,6 +7,15 @@
  * - Output validation
  * - Structured logging
  *
+ * **Execution model:** hook scripts run *in-process* on the celilo CLI host.
+ * `runScript` dynamically `import()`s the hook module and awaits its default
+ * export. They do NOT execute on the target machine. A hook that needs to
+ * touch the target initiates SSH outbound itself (see e.g.
+ * modules/lunacycle/celilo/scripts/health-check.ts's `ssh()` helper). This
+ * means hook scripts can freely use npm packages, make HTTP calls, read
+ * local files, etc. — and conversely, anything they depend on (chromium,
+ * system binaries, credentials) must be available on the celilo CLI host.
+ *
  * Execution function (Rule 10.1) - performs side effects (script execution)
  */
 

package/src/hooks/logger.ts

@@ -66,6 +66,44 @@ export function createGaugeLogger(
     warn: (message: string) => emit('warn', message),
     error: (message: string) => emit('error', message),
     success: (message: string) => emit('success', message),
+    beginStep: (name: string) => {
+      const display = getActiveDisplay();
+      if (display) {
+        // pushStep nests under the FuelGauge step that wraps the hook,
+        // so inner log calls (logger.info within the capability impl)
+        // are sub-events of this nested step.
+        display.pushStep(`→ ${name}`, `✓ ${name}`);
+      } else {
+        // Without a display, fall back to a plain info-style marker so
+        // the line still appears in raw log output.
+        gauge.addOutput(`${prefix} → ${name}`);
+        if (nonInteractive) {
+          process.stdout.write(`${prefix} → ${name}\n`);
+        }
+      }
+    },
+    endStep: (_name: string) => {
+      const display = getActiveDisplay();
+      if (display) {
+        display.doneStep();
+      } else {
+        gauge.addOutput(`${prefix} ✓ ${_name}`);
+        if (nonInteractive) {
+          process.stdout.write(`${prefix} ✓ ${_name}\n`);
+        }
+      }
+    },
+    failStep: (name: string, error: string) => {
+      const display = getActiveDisplay();
+      if (display) {
+        display.failStep(`${name}: ${error}`);
+      } else {
+        gauge.addOutput(`${prefix} ✗ ${name}: ${error}`);
+        if (nonInteractive) {
+          process.stdout.write(`${prefix} ✗ ${name}: ${error}\n`);
+        }
+      }
+    },
   };
 }
 

package/src/hooks/types.ts

@@ -24,13 +24,24 @@ export interface HookDefinition {
 }
 
 /**
- * Logger interface provided to hook scripts
+ * Logger interface provided to hook scripts.
+ *
+ * Mirrors `HookLogger` in `@celilo/capabilities/types` — kept in sync so
+ * concrete loggers we build here (createGaugeLogger, createConsoleLogger,
+ * createCapturingLogger) satisfy both the in-process consumers and the
+ * cross-package contract used by `wrapWithLogging`.
  */
 export interface HookLogger {
   info(message: string): void;
   warn(message: string): void;
   error(message: string): void;
   success(message: string): void;
+  /** Begin a logical span. Subsequent log calls nest under it visually. */
+  beginStep?(name: string): void;
+  /** End the current span (success). */
+  endStep?(name: string): void;
+  /** End the current span (failure) with an error message. */
+  failStep?(name: string, error: string): void;
 }
 
 /**

package/src/manifest/validate.test.ts

@@ -993,6 +993,74 @@ describe('validateDeriveFromSources', () => {
     const result = validateDeriveFromSources(manifest);
     expect(result).toBeNull();
   });
+
+  test('should accept $self: references regardless of source', () => {
+    // $self: points at another variable in this same manifest, so it
+    // doesn't introduce the cross-context mismatch the validator exists
+    // to catch (e.g. authentik's auth_url derives from $self:domain).
+    const manifest = {
+      celilo_contract: '1.0' as const,
+      id: 'authentik',
+      name: 'Authentik',
+      version: '1.0.0',
+      requires: { capabilities: [] },
+      provides: { capabilities: [] },
+      variables: {
+        owns: [
+          {
+            name: 'domain',
+            type: 'string' as const,
+            required: true,
+            source: 'user' as const,
+          },
+          {
+            name: 'auth_url',
+            type: 'string' as const,
+            required: false,
+            source: 'capability' as const,
+            derive_from: 'https://auth.$self:domain',
+          },
+        ],
+        imports: [],
+      },
+    };
+
+    const result = validateDeriveFromSources(manifest);
+    expect(result).toBeNull();
+  });
+
+  test('should still reject mixed $self: and $system: when source is capability', () => {
+    // Self-refs are exempt, but other foreign sources still trigger the
+    // mismatch error. This guards against accidentally green-lighting
+    // "$self:foo and $system:bar" combos.
+    const manifest = {
+      celilo_contract: '1.0' as const,
+      id: 'test',
+      name: 'Test',
+      version: '1.0.0',
+      requires: { capabilities: [] },
+      provides: { capabilities: [] },
+      variables: {
+        owns: [
+          {
+            name: 'mixed',
+            type: 'string' as const,
+            required: false,
+            source: 'capability' as const,
+            derive_from: '$self:domain/$system:primary_domain',
+          },
+        ],
+        imports: [],
+      },
+    };
+
+    const result = validateDeriveFromSources(manifest);
+    expect(result).not.toBeNull();
+    if (result) {
+      expect(result.errors[0]?.message).toContain('$system:');
+      expect(result.errors[0]?.message).not.toContain('$self:');
+    }
+  });
 });
 
 describe('validateHookContract', () => {

package/src/manifest/validate.ts

@@ -285,9 +285,13 @@ export function validateZoneRequirements(manifest: ModuleManifest): ValidationEr
  *
  * Rules:
  * - `source: capability` → `derive_from` must only reference `$capability:`
- *   tokens (and may also include `{var}` placeholders).
+ *   tokens (and may also include `{var}` and `$self:` placeholders).
  * - `source: system` → `derive_from` must only reference `$system:` tokens
- *   (and `{var}` placeholders).
+ *   (and `{var}` and `$self:` placeholders).
+ * - `$self:` references are allowed under *any* source. They point at
+ *   another variable owned by the same manifest, so they don't introduce
+ *   a cross-context mismatch — that's the bug class this validator was
+ *   built to catch.
  * - Other sources (`user`, `infrastructure`, `terraform`) — `derive_from` is
  *   optional and unconstrained; we don't check the prefix.
  */
@@ -306,7 +310,9 @@ export function validateDeriveFromSources(manifest: ModuleManifest): ValidationE
     if (!expected) continue;
 
     const tokens = [...variable.derive_from.matchAll(tokenPattern)].map((m) => m[1]);
-    const offending = tokens.filter((t) => t !== expected);
+    // `self` is always allowed: it references another variable in this
+    // same manifest, which is the same context as the declared source.
+    const offending = tokens.filter((t) => t !== expected && t !== 'self');
     if (offending.length > 0) {
       const unique = Array.from(new Set(offending)).join(', ');
       errors.push({

package/src/services/config-interview.ts

@@ -103,7 +103,7 @@ export async function autoDeriveMachineConfig(
     const derived = resolveMachineDerivation(variable.derive_from, machine);
     if (derived === null) continue;
 
-    log.info(`✓ ${variable.name} = ${derived} (auto-derived from ${machine.hostname})`);
+    log.success(`${variable.name} = ${derived} (auto-derived from ${machine.hostname})`);
 
     await db
       .insert(moduleConfigs)
@@ -132,7 +132,7 @@ export async function autoDeriveMachineConfig(
         }
 
         if (followUpValue !== null) {
-          log.info(`✓ ${followUpKey} = ${followUpValue} (auto-derived from ${machine.hostname})`);
+          log.success(`${followUpKey} = ${followUpValue} (auto-derived from ${machine.hostname})`);
           await db
             .insert(moduleConfigs)
             .values({
@@ -534,7 +534,7 @@ export async function interviewForMissingSecrets(
 ): Promise<InterviewResult> {
   const configured: string[] = [];
 
-  log.info(`Module '${moduleId}' requires secrets. Configuring:`);
+  log.message(`Module '${moduleId}' requires secrets. Configuring:`);
 
   const masterKey = await getOrCreateMasterKey();
 
@@ -635,7 +635,7 @@ export async function interviewForMissingSecrets(
           deriveMethod: metadata.deriveMethod,
         });
 
-        log.info(`🔗 Derived ${variable.name} from ${metadata.deriveFrom}`);
+        log.message(`Derived ${variable.name} from ${metadata.deriveFrom}`);
       } else if (source === 'generated') {
         // Auto-generate without prompting
         // Manifest generate field takes priority over schema metadata
@@ -644,7 +644,7 @@ export async function interviewForMissingSecrets(
 
         value = generateSecret({ format, length });
 
-        log.info(`🔑 Auto-generated ${format} secret: ${variable.name}`);
+        log.message(`Auto-generated ${format} secret: ${variable.name}`);
       } else if (source === 'user_provided') {
         // Always prompt, required
         // Check if we're in interactive mode
@@ -667,7 +667,7 @@ export async function interviewForMissingSecrets(
           },
         });
 
-        log.info(`✓ Saved ${variable.name}`);
+        log.success(`Saved ${variable.name}`);
       } else if (source === 'user_password') {
         // Password the user must remember — prompt twice to confirm
         if (!process.stdin.isTTY) {
@@ -706,7 +706,7 @@ export async function interviewForMissingSecrets(
           };
         }
 
-        log.info(`✓ Saved ${variable.name}`);
+        log.success(`Saved ${variable.name}`);
       } else if (source === 'generated_optional') {
         // Prompt with auto-generate option
         const message = variable.description
@@ -725,11 +725,11 @@ export async function interviewForMissingSecrets(
 
           value = generateSecret({ format, length });
 
-          log.info(`🔑 Auto-generated ${format} secret: ${variable.name}`);
+          log.message(`Auto-generated ${format} secret: ${variable.name}`);
         } else {
           // Use user-provided value
           value = userValue;
-          log.info(`✓ Saved ${variable.name}`);
+          log.success(`Saved ${variable.name}`);
         }
       } else {
         return {

package/src/services/deploy-ansible.ts

@@ -152,7 +152,7 @@ export async function executeAnsible(
   await writeFile(passwordPath, vaultPassword, { mode: 0o600 });
 
   const logPath = join(generatedPath, 'deploy.log');
-  log.info('Deploying software...');
+  log.success('Configuring host (ansible-playbook)');
 
   try {
     const result = await executeBuildWithProgress({

package/src/services/health-runner.ts

@@ -117,7 +117,7 @@ export async function runModuleHealthCheck(
       { debug: false, capabilities: capabilityFunctions, requiredCapabilities },
     );
   } else {
-    const gauge = new FuelGauge(`Checking ${moduleId}`, {
+    const gauge = new FuelGauge('Testing app', {
       skipAnimation: options.noInteractive,
     });
     gauge.start();

package/src/services/module-deploy.ts

@@ -295,7 +295,6 @@ export async function deployModule(
       }
     }
 
-    log.info(`Deploying module: ${moduleId}`);
     const validation = await validateAndPrepareDeployment(moduleId, db);
     phases.validation = validation.success;
     phases.autoGenerated = validation.autoGenerated;
@@ -469,11 +468,9 @@ export async function deployModule(
       }
     }
 
-    log.success('Validation passed:');
-    log.message('  Templates generated');
-    if (validation.autoBuilt) {
-      log.message('  Module built');
-    }
+    log.success(
+      validation.autoBuilt ? 'Templates generated and module built' : 'Templates generated',
+    );
 
     // Run validate_config hook if defined (e.g., credential validation via Playwright)
     if (manifest.hooks?.validate_config) {
@@ -613,7 +610,7 @@ export async function deployModule(
       // Run on_install hook for config-only modules (e.g. publishing static files to caddy)
       if (manifest.hooks?.on_install) {
         const onInstallDef = manifest.hooks.on_install;
-        log.info('Running on_install hook...');
+        log.success('Running on_install hook');
 
         const { moduleConfigs: pcTable, secrets: secretsTable } = await import('../db/schema');
         const installConfigs = db
@@ -695,7 +692,6 @@ export async function deployModule(
       // Run health checks for config-only modules too
       if (manifest.hooks?.health_check) {
         const { runModuleHealthCheck } = await import('./health-runner');
-        log.info('Running health checks...');
         const healthResult = await runModuleHealthCheck(moduleId, db, {
           debug: options.debug,
           noInteractive: options.noInteractive,
@@ -710,7 +706,6 @@ export async function deployModule(
             .join('\n');
           return { success: false, phases, error: `Health checks failed:\n${failedChecks}` };
         }
-        log.success('Health checks passed → VERIFIED');
       }
 
       return {
@@ -855,7 +850,7 @@ export async function deployModule(
 
         if (!containerCreatedHook) continue;
 
-        log.info(
+        log.message(
           `Running container_created hook on ${capRecord.moduleId} (provides ${requiredCap.name})`,
         );
 
@@ -988,7 +983,6 @@ export async function deployModule(
     let machineId: string | undefined;
     if (plan.infrastructure?.type === 'machine' && plan.infrastructure.machineId) {
       machineId = plan.infrastructure.machineId;
-      log.info(`Writing temporary SSH key for machine: ${machineId}`);
       await writeTemporarySshKey(machineId);
     }
 
@@ -1012,15 +1006,16 @@ export async function deployModule(
         plan.infrastructure?.type === 'container_service' &&
         plan.infrastructure.serviceId
       ) {
-        // TODO: Extract Terraform outputs and update module_infrastructure.containerMetadata
-        // This will be implemented when we add Terraform output parsing
-        log.warn('Container service metadata update not yet implemented');
+        // TODO: extract Terraform outputs and persist them on
+        // module_infrastructure.containerMetadata. Until that lands,
+        // the deploy still succeeds — we just don't track which
+        // container ID/IP got assigned per module in the DB.
       }
 
       // Run on_install hook (post-deploy actions like port forwarding, DNS registration)
       if (manifest.hooks?.on_install) {
         const onInstallDef = manifest.hooks.on_install;
-        log.info('Running on_install hook...');
+        log.success('Running on_install hook');
 
         const { moduleConfigs: pcTable, secrets: secretsTable } = await import('../db/schema');
         const installConfigs = db
@@ -1120,7 +1115,6 @@ export async function deployModule(
       // Run health checks after successful deployment
       if (manifest.hooks?.health_check) {
         const { runModuleHealthCheck } = await import('./health-runner');
-        log.info('Running post-deploy health checks...');
         const healthResult = await runModuleHealthCheck(moduleId, db, {
           debug: options.debug,
           noInteractive: options.noInteractive,
@@ -1144,10 +1138,6 @@ export async function deployModule(
             error: `Health checks failed:\n${failedChecks}`,
           };
         }
-        const summary = healthResult.checks
-          .map((c) => `  ${c.status === 'pass' ? '✓' : '⚠'} ${c.name}`)
-          .join('\n');
-        log.success(`Health checks passed → VERIFIED\n${summary}`);
       }
 
       // Auto-register module hostname in internal DNS (if available)
@@ -1167,7 +1157,7 @@ export async function deployModule(
         );
       }
 
-      display.instantEvent(`\x1b[32m✓\x1b[0m Module '${moduleId}' deployed successfully`);
+      log.success(`Module '${moduleId}' deployed successfully`);
       return {
         success: true,
         phases,
@@ -1175,7 +1165,6 @@ export async function deployModule(
     } finally {
       // Clean up temporary SSH key
       if (machineId) {
-        log.info(`Cleaning up temporary SSH key for machine: ${machineId}`);
         deleteTemporarySshKey(machineId);
       }
     }

package/src/templates/generator.ts

@@ -491,9 +491,6 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
       }
     }
   } else {
-    // Module doesn't require infrastructure provisioning (e.g., VPS-based modules)
-    // Skip infrastructure selection
-    log.info('Skipping infrastructure selection (no requires.machine specified)');
     infrastructureSelection = undefined;
   }
 
@@ -525,12 +522,12 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
       if (!allocation) {
         // First generation - allocate VMID and IP
         allocation = await allocateForModule(moduleId, zone, db, db.$client);
-        log.info(
+        log.success(
           `Allocated VMID ${allocation.vmid} and IP ${allocation.containerIp} for ${moduleId}`,
         );
       } else {
         // Reuse existing allocation
-        log.info(
+        log.success(
           `Using existing allocation: VMID ${allocation.vmid}, IP ${allocation.containerIp}`,
         );
       }
@@ -615,7 +612,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
           .run();
       }
 
-      log.info(
+      log.success(
         `Infrastructure properties resolved from service: target_node=${providerConfig.default_target_node}`,
       );
     }

package/src/variables/declarative-derivation.test.ts

@@ -940,11 +940,13 @@ describe('applyDeclarativeDerivations', () => {
     });
   });
 
-  describe('$self: directly in derive_from', () => {
-    // $self: in derive_from is a manifest authoring error — substituteVariables
-    // does not handle $self:, so it passes through all resolution passes unchanged.
-    // The hasUnresolved check must prevent it from poisoning selfConfig.
-    test('does not set selfConfig when derive_from contains $self: directly', () => {
+  describe('$self: in derive_from', () => {
+    // $self: is the canonical reference syntax in capability data blocks
+    // (e.g. authentik's `data.auth_url: $self:auth_url`), so it must
+    // resolve in derive_from too — otherwise capability-sourced variables
+    // that derive from another self variable can't be persisted.
+    // Equivalent to the {var} syntax; reads from selfConfig.
+    test('resolves $self: against selfConfig like {var}', () => {
       const manifest: ModuleManifest = {
         celilo_contract: '1.0',
         id: 'test-module',
@@ -959,7 +961,7 @@ describe('applyDeclarativeDerivations', () => {
               type: 'string',
               required: false,
               source: 'user',
-              derive_from: '$self:hostname', // Wrong syntax — $self: is not supported in derive_from
+              derive_from: '$self:hostname',
             },
           ],
           imports: [],
@@ -977,8 +979,91 @@ describe('applyDeclarativeDerivations', () => {
 
       applyDeclarativeDerivations(manifest, context);
 
-      // $self: passes through unresolved; must not poison selfConfig
-      expect(context.selfConfig.hostname_copy).toBeUndefined();
+      expect(context.selfConfig.hostname_copy).toBe('my-host');
+    });
+
+    test('resolves $self: inside string interpolation (authentik auth_url shape)', () => {
+      // Mirrors the authentik manifest pattern that motivated the fix:
+      // auth_url derives from "https://auth.$self:domain" where domain
+      // is another self-owned variable set by the user.
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'authentik',
+        name: 'Authentik',
+        version: '1.0.0',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: {
+          owns: [
+            {
+              name: 'domain',
+              type: 'string',
+              required: true,
+              source: 'user',
+            },
+            {
+              name: 'auth_url',
+              type: 'string',
+              required: false,
+              source: 'capability',
+              derive_from: 'https://auth.$self:domain',
+            },
+          ],
+          imports: [],
+        },
+      };
+
+      const context: ResolutionContext = {
+        moduleId: 'authentik',
+        selfConfig: { domain: 'iamtheinternet.org' },
+        systemConfig: {},
+        systemSecrets: {},
+        secrets: {},
+        capabilities: {},
+      };
+
+      applyDeclarativeDerivations(manifest, context);
+
+      expect(context.selfConfig.auth_url).toBe('https://auth.iamtheinternet.org');
+    });
+
+    test('throws when $self: references an undeclared variable', () => {
+      const manifest: ModuleManifest = {
+        celilo_contract: '1.0',
+        id: 'test',
+        name: 'Test',
+        version: '1.0.0',
+        requires: { capabilities: [] },
+        provides: { capabilities: [] },
+        variables: {
+          owns: [
+            {
+              name: 'derived',
+              type: 'string',
+              required: false,
+              source: 'user',
+              derive_from: '$self:nonexistent',
+            },
+          ],
+          imports: [],
+        },
+      };
+
+      const context: ResolutionContext = {
+        moduleId: 'test',
+        selfConfig: {},
+        systemConfig: {},
+        systemSecrets: {},
+        secrets: {},
+        capabilities: {},
+      };
+
+      // Optional variable + missing dep → derivation fails silently per
+      // applyDeclarativeDerivations' optional-variable rule. The error
+      // is thrown from substituteVariables but caught by the optional
+      // branch in applyDeclarativeDerivations, leaving selfConfig clean.
+      applyDeclarativeDerivations(manifest, context);
+      expect(context.selfConfig.derived).toBeUndefined();
     });
   });
 

package/src/variables/declarative-derivation.ts

@@ -65,6 +65,21 @@ function substituteVariables(
     return value;
   });
 
+  // Replace $self:key patterns (both $self:key and ${self:key} forms).
+  // Same lookup target as the {var} syntax below — both read selfConfig —
+  // but $self: is the form that appears in user-authored manifests and
+  // capability data blocks, so it must resolve here too. Without this,
+  // a `derive_from: "https://auth.$self:domain"` stays literally
+  // unresolved and the defensive guard in applyDeclarativeDerivations
+  // refuses to store it, breaking downstream capability consumers.
+  result = result.replace(/\$\{?self:([a-zA-Z0-9_]+)\}?/g, (_match, key) => {
+    const value = context.selfConfig[key];
+    if (value === undefined) {
+      throw new Error(`Missing self variable: ${key} (required by variable '${variableName}')`);
+    }
+    return value;
+  });
+
   // Replace {variable_name} patterns
   result = result.replace(/\{([a-zA-Z0-9_]+)\}/g, (_match, varName) => {
     const value = context.selfConfig[varName];