@celilo/cli 0.3.1 → 0.3.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.3.1",
+  "version": "0.3.3",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {
@@ -54,7 +54,7 @@
     "@aws-sdk/client-s3": "^3.1024.0",
     "@celilo/capabilities": "^0.1.10",
     "@celilo/cli-display": "^0.1.6",
-    "@celilo/event-bus": "^0.1.0",
+    "@celilo/event-bus": "^0.1.3",
     "@clack/prompts": "^1.1.0",
     "ajv": "^8.18.0",
     "drizzle-orm": "^0.36.4",

package/src/services/bus-interview.test.ts

@@ -0,0 +1,134 @@
+import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { defineEvents, openBus } from '@celilo/event-bus';
+import {
+  type ConfigReply,
+  type ConfigRequiredPayload,
+  EVENT_TYPES,
+  busInterview,
+} from './bus-interview';
+
+const NO_SCHEMAS = defineEvents({});
+
+describe('busInterview', () => {
+  let dir: string;
+  let dbPath: string;
+  let origEnv: string | undefined;
+
+  beforeEach(() => {
+    dir = mkdtempSync(join(tmpdir(), 'bus-interview-test-'));
+    dbPath = join(dir, 'events.db');
+    origEnv = process.env.EVENT_BUS_DB;
+    process.env.EVENT_BUS_DB = dbPath;
+  });
+  afterEach(() => {
+    if (origEnv === undefined) process.env.EVENT_BUS_DB = undefined;
+    else process.env.EVENT_BUS_DB = origEnv;
+    try {
+      rmSync(dir, { recursive: true, force: true });
+    } catch {
+      /* ignore */
+    }
+  });
+
+  it('emits a query and returns the responder reply', async () => {
+    // Stand up a responder in a separate Bus instance against the same
+    // DB. The deploy's busInterview opens its own short-lived Bus and
+    // queries; the responder's Bus emits the reply. The cross-process
+    // poll inside bus.query is what makes this work.
+    const responderBus = openBus({ dbPath, events: NO_SCHEMAS });
+    const watch = responderBus.watch('config.required.lunacycle.domain', (event) => {
+      responderBus.emitRaw(
+        `${event.type}.reply`,
+        { value: 'lunacycle.net' },
+        { replyFor: event.id, emittedBy: 'test-responder' },
+      );
+    });
+
+    const payload: ConfigRequiredPayload = {
+      module: 'lunacycle',
+      key: 'domain',
+      type: 'string',
+      required: true,
+    };
+    const reply = await busInterview<ConfigReply>(
+      EVENT_TYPES.configRequired('lunacycle', 'domain'),
+      payload,
+    );
+
+    expect(reply.value).toBe('lunacycle.net');
+
+    watch.close();
+    responderBus.close();
+  });
+
+  it('honors first-reply-wins when multiple responders compete', async () => {
+    const fastResponder = openBus({ dbPath, events: NO_SCHEMAS });
+    const slowResponder = openBus({ dbPath, events: NO_SCHEMAS });
+
+    fastResponder.watch('config.required.foo.bar', (event) => {
+      fastResponder.emitRaw(
+        `${event.type}.reply`,
+        { value: 'fast' },
+        { replyFor: event.id, emittedBy: 'fast' },
+      );
+    });
+    slowResponder.watch('config.required.foo.bar', (event) => {
+      // Reply after a delay; the fast responder should win.
+      setTimeout(() => {
+        slowResponder.emitRaw(
+          `${event.type}.reply`,
+          { value: 'slow' },
+          { replyFor: event.id, emittedBy: 'slow' },
+        );
+      }, 200);
+    });
+
+    const reply = await busInterview<ConfigReply>(EVENT_TYPES.configRequired('foo', 'bar'), {
+      module: 'foo',
+      key: 'bar',
+      type: 'string',
+      required: true,
+    });
+    expect(reply.value).toBe('fast');
+
+    fastResponder.close();
+    slowResponder.close();
+  });
+
+  it('uses the existing Bus instance when one is passed in', async () => {
+    const sharedBus = openBus({ dbPath, events: NO_SCHEMAS });
+    sharedBus.watch('config.required.shared.x', (event) => {
+      sharedBus.emitRaw(
+        `${event.type}.reply`,
+        { value: 'shared' },
+        { replyFor: event.id, emittedBy: 'in-process' },
+      );
+    });
+
+    const reply = await busInterview<ConfigReply>(
+      EVENT_TYPES.configRequired('shared', 'x'),
+      { module: 'shared', key: 'x', type: 'string', required: true },
+      sharedBus,
+    );
+    expect(reply.value).toBe('shared');
+
+    sharedBus.close();
+  });
+});
+
+describe('EVENT_TYPES', () => {
+  it('builds dotted event names for each interview shape', () => {
+    expect(EVENT_TYPES.configRequired('lunacycle', 'domain')).toBe(
+      'config.required.lunacycle.domain',
+    );
+    expect(EVENT_TYPES.secretRequired('authentik', 'admin_password')).toBe(
+      'secret.required.authentik.admin_password',
+    );
+    expect(EVENT_TYPES.ensureRequired('namecheap', 'add_domain')).toBe(
+      'ensure.required.namecheap.add_domain',
+    );
+  });
+});

package/src/services/bus-interview.ts

@@ -0,0 +1,141 @@
+/**
+ * Bus-mediated deploy interview. Replaces the terminal-only prompt
+ * sites in `config-interview.ts` with `<bus-event-emit>` → wait for
+ * a responder's reply. Responders include the terminal (when stdin
+ * is a TTY), the `cele2e events respond` CLI, the Claude
+ * `celilo-config-responder` subagent, etc.
+ *
+ * No timeouts: the deploy waits indefinitely for a responder. If
+ * nothing answers, the operator sees the unanswered query via
+ * `celilo events list-pending` and fixes the responder setup.
+ *
+ * See `infra/design/INTERACTIVE_DEPLOYS_VIA_BUS.md`.
+ */
+
+import { type Bus, defineEvents, openBus } from '@celilo/event-bus';
+import { getEventBusPath } from '../config/paths';
+
+const NO_SCHEMAS = defineEvents({});
+
+export const EVENT_TYPES = {
+  configRequired: (module: string, key: string) => `config.required.${module}.${key}`,
+  secretRequired: (module: string, key: string) => `secret.required.${module}.${key}`,
+  ensureRequired: (provider: string, ensureId: string) => `ensure.required.${provider}.${ensureId}`,
+} as const;
+
+/**
+ * Payload for `config.required.<module>.<key>`. The deploy emits this
+ * when a non-secret variable is missing AND has no default to fall
+ * back on (defaults are applied at variable-resolution time before
+ * the missing-config check fires, so by the time we get here, no
+ * default exists).
+ */
+export interface ConfigRequiredPayload {
+  module: string;
+  key: string;
+  type: 'string' | 'integer' | 'number' | 'boolean' | 'array' | 'object';
+  required: boolean;
+  description?: string;
+  pattern?: string;
+  options?: Array<{ value: string; label: string; hint?: string }>;
+  /**
+   * Set on re-emits after a previous reply failed validation. The
+   * responder sees the prior error message and presumably does
+   * better the next round.
+   */
+  previousError?: string;
+  /** 1-indexed attempt counter. Bounds prevent infinite re-emit loops. */
+  attempt?: number;
+}
+
+export interface ConfigReply {
+  value: unknown;
+}
+
+/**
+ * Payload for `secret.required.<module>.<key>`. The reply NEVER
+ * carries the secret value — the responder calls
+ * `celilo module secret set <module> <key> <value>` out-of-band to
+ * write the value into the encrypted store, then replies with
+ * `{ acknowledged: true }`.
+ *
+ * Only fires for secrets WITHOUT a `generate:` block in the manifest
+ * (auto-generated secrets bypass the interview entirely).
+ */
+export interface SecretRequiredPayload {
+  module: string;
+  key: string;
+  type: 'string' | 'integer' | 'number';
+  required: boolean;
+  description?: string;
+}
+
+export interface SecretAck {
+  acknowledged: true;
+}
+
+/**
+ * Payload for `ensure.required.<provider>.<ensureId>`. One event per
+ * ensure (with all `inputs[]` in the payload), since the ensure is
+ * conceptually a single interview — the inputs relate to each other
+ * via the consumer's recipe.
+ */
+export interface EnsureRequiredPayload {
+  consumer: string;
+  provider: string;
+  ensureId: string;
+  triggerValue: string;
+  description?: string;
+  inputs: Array<{
+    target: string;
+    kind: 'append_to_array' | 'set_in_object';
+    prompt: string;
+    hint?: string;
+    type: string;
+  }>;
+}
+
+export interface EnsureReply {
+  values: Record<string, unknown>;
+  /**
+   * Set when one or more `inputs[]` had `target: 'secret.*'` and the
+   * responder set them out-of-band rather than including the value
+   * in the reply payload.
+   */
+  acknowledged?: true;
+}
+
+/**
+ * Emit a query event on the bus and wait for a responder to reply.
+ *
+ * No timeout — the deploy hangs until someone answers. The terminal-
+ * responder (when running on a TTY) is one of the responders; other
+ * responders include `celilo events respond` from another shell, the
+ * `celilo-config-responder` Claude subagent, and an autoresponder
+ * daemon (when one exists).
+ *
+ * `ownerBus` is the long-lived Bus instance the caller may already be
+ * holding (e.g. for a TerminalResponder). When passed, the function
+ * uses it; otherwise it opens + closes a short-lived bus per call.
+ */
+export async function busInterview<TReply>(
+  type: string,
+  payload: object,
+  ownerBus?: Bus,
+): Promise<TReply> {
+  const ownsBus = !ownerBus;
+  const bus: Bus = ownerBus ?? openBus({ dbPath: getEventBusPath(), events: NO_SCHEMAS });
+  try {
+    const replies = await bus.query(type as never, payload as never, {
+      timeoutMs: 0, // wait forever — race semantics, no timeout
+      pollIntervalMs: 250,
+      expect: 'first',
+    });
+    if (replies.length === 0) {
+      throw new Error(`bus-interview: ${type} returned no reply`);
+    }
+    return replies[0].payload as unknown as TReply;
+  } finally {
+    if (ownsBus) bus.close();
+  }
+}

package/src/services/config-interview.ts

@@ -14,6 +14,12 @@ import { decryptSecret, encryptSecret } from '../secrets/encryption';
 import { deriveSecret, generateSecret } from '../secrets/generators';
 import { getOrCreateMasterKey } from '../secrets/master-key';
 import type { Machine } from '../types/infrastructure';
+import {
+  type ConfigReply,
+  type ConfigRequiredPayload,
+  EVENT_TYPES,
+  busInterview,
+} from './bus-interview';
 import { getSecretMetadata, loadSecretsSchema } from './secret-schema-loader';
 
 export interface MissingVariable {
@@ -417,21 +423,31 @@ export async function interviewForMissingConfig(
           }
         }
       } else {
-        // Prompt for regular config (visible input)
-        const message = variable.description
-          ? `${variable.name} - ${variable.description}:`
-          : `${variable.name}:`;
+        // Bus-mediated prompt: emit a query event, await the reply
+        // from any responder. The terminal-responder (started by
+        // module-deploy when stdin.isTTY) is one racer; the Claude
+        // subagent and `celilo events respond` from another shell are
+        // others. First reply wins. No timeout — the deploy hangs
+        // until someone answers; misconfigured environments are
+        // observable via `celilo events list-pending`.
+        const payload: ConfigRequiredPayload = {
+          module: moduleId,
+          key: variable.name,
+          type: (variable.type as ConfigRequiredPayload['type']) ?? 'string',
+          required: true,
+          description: variable.description,
+        };
+        const reply = await busInterview<ConfigReply>(
+          EVENT_TYPES.configRequired(moduleId, variable.name),
+          payload,
+        );
 
-        value = await promptText({
-          message,
-          validate: (val) => {
-            if (!val || val.trim() === '') {
-              return 'This field is required';
-            }
-          },
-        });
+        // The reply.value is typed per payload.type; the terminal-
+        // responder coerces strings to numbers/bools/json-as-array etc.
+        // For storage, we still need a string + an optional valueJson
+        // for non-scalar types. Match what `module config set` does.
+        value = typeof reply.value === 'string' ? reply.value : JSON.stringify(reply.value);
 
-        // Store config
         await db
           .insert(moduleConfigs)
           .values({

package/src/services/module-deploy.ts

@@ -318,6 +318,17 @@ async function deployModuleImpl(
   });
   setActiveDisplay(display);
 
+  // Terminal-responder: when running on a TTY, this subscribes to
+  // `config.required.*` events and prompts via clack so the operator
+  // can answer the deploy's interview without `--no-interactive`'s
+  // brittle "everything must be pre-staged" flow. Other responders
+  // (Claude subagent, `celilo events respond`) compete; first reply
+  // wins. See infra/design/INTERACTIVE_DEPLOYS_VIA_BUS.md.
+  const terminalResponder =
+    !options.noInteractive && process.stdin.isTTY
+      ? (await import('./terminal-responder')).startTerminalResponder()
+      : null;
+
   try {
     // Check for e2e test containers — live and e2e environments are mutually exclusive.
     // Skip when using a test database (integration tests use os.tmpdir() paths).
@@ -1228,5 +1239,6 @@ async function deployModuleImpl(
   } finally {
     display.flush();
     setActiveDisplay(null);
+    terminalResponder?.close();
   }
 }

package/src/services/terminal-responder.ts

@@ -0,0 +1,139 @@
+/**
+ * Terminal-responder: when a deploy runs on a TTY, this subscribes
+ * to `config.required.*` events and prompts the operator via clack
+ * for each one, replying on the bus with the user's input.
+ *
+ * Just one of several responder shapes — the bus query/reply path is
+ * a race, and the terminal is one racer. Other racers (Claude
+ * subagent, `celilo events respond` from another shell, autoresponder
+ * daemon) compete for the same events; first reply wins.
+ *
+ * The terminal-responder doesn't try to detect "another responder
+ * just won the race while my user was typing." For Stage 1, if the
+ * user types after losing, their reply is a stale-reply and the
+ * deploy already moved on. The user sees their prompt close and the
+ * deploy continues with the winning value (logged by the deploy in
+ * its normal output). Race-during-typing detection is a follow-up.
+ */
+
+import { hostname } from 'node:os';
+import { type Bus, openBus } from '@celilo/event-bus';
+import { defineEvents } from '@celilo/event-bus';
+import { log, promptText } from '../cli/prompts';
+import { getEventBusPath } from '../config/paths';
+import type { ConfigRequiredPayload } from './bus-interview';
+
+const NO_SCHEMAS = defineEvents({});
+
+/**
+ * Identifies this responder in the bus's `emittedBy` audit field.
+ * The deploy's audit log shows "config.required.lunacycle.domain →
+ * answered by terminal:hostname" so operators can correlate which
+ * shell answered which prompt.
+ */
+function responderId(): string {
+  return `terminal:${hostname()}:${process.pid}`;
+}
+
+export interface TerminalResponderHandle {
+  /** Stop watching for events. Doesn't cancel any in-flight prompt. */
+  close(): void;
+}
+
+/**
+ * Register a transient subscription on `config.required.*` events.
+ * For each event, prompt the operator via clack and reply on the bus.
+ *
+ * Returns a handle the caller can close() when the deploy completes.
+ */
+export function startTerminalResponder(): TerminalResponderHandle {
+  const bus: Bus = openBus({ dbPath: getEventBusPath(), events: NO_SCHEMAS });
+  const me = responderId();
+
+  // Track which queries we've already started a prompt for, so a
+  // re-fire (e.g. validation re-emit) doesn't double-prompt.
+  const handled = new Set<number>();
+
+  const watch = bus.watch('config.required.**', async (event) => {
+    if (handled.has(event.id)) return;
+    handled.add(event.id);
+
+    const payload = event.payload as ConfigRequiredPayload;
+    try {
+      const message = payload.description
+        ? `${payload.module}.${payload.key} — ${payload.description}:`
+        : `${payload.module}.${payload.key}:`;
+
+      const value = await promptText({
+        message,
+        validate: (val) => {
+          if (payload.required && (!val || val.trim() === '')) {
+            return 'This field is required';
+          }
+          if (payload.pattern && val) {
+            const re = new RegExp(payload.pattern);
+            if (!re.test(val)) return `Value must match: ${payload.pattern}`;
+          }
+        },
+      });
+
+      // Coerce to the declared type. clack returns string; the
+      // responder honors the type contract so the deploy doesn't
+      // have to second-guess the reply shape.
+      const coerced = coerceValue(value, payload.type);
+
+      bus.emitRaw(
+        `${event.type}.reply`,
+        { value: coerced },
+        {
+          replyFor: event.id,
+          emittedBy: me,
+        },
+      );
+    } catch (err) {
+      // Reply with an error-shaped payload so the deploy can surface
+      // it cleanly. The deploy can decide whether to re-emit (for
+      // recoverable errors) or fail.
+      const message = err instanceof Error ? err.message : String(err);
+      log.warn(`Terminal responder error for ${event.type}: ${message}`);
+      bus.emitRaw(`${event.type}.reply`, { error: message }, { replyFor: event.id, emittedBy: me });
+    }
+  });
+
+  return {
+    close() {
+      watch.close();
+      bus.close();
+    },
+  };
+}
+
+function coerceValue(raw: string, type: ConfigRequiredPayload['type']): unknown {
+  switch (type) {
+    case 'string':
+      return raw;
+    case 'integer':
+    case 'number': {
+      const n = Number(raw);
+      if (!Number.isFinite(n)) {
+        throw new Error(`Expected ${type}, got "${raw}"`);
+      }
+      return n;
+    }
+    case 'boolean':
+      if (/^(true|yes|y|1)$/i.test(raw.trim())) return true;
+      if (/^(false|no|n|0)$/i.test(raw.trim())) return false;
+      throw new Error(`Expected boolean, got "${raw}"`);
+    case 'array':
+    case 'object':
+      try {
+        return JSON.parse(raw);
+      } catch (err) {
+        throw new Error(
+          `Expected ${type} as JSON, got "${raw}": ${err instanceof Error ? err.message : err}`,
+        );
+      }
+    default:
+      return raw;
+  }
+}