@celilo/cli 0.3.10 → 0.3.12

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.3.10",
+  "version": "0.3.12",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {
@@ -53,7 +53,7 @@
   "dependencies": {
     "@aws-sdk/client-s3": "^3.1024.0",
     "@celilo/capabilities": "^0.1.10",
-    "@celilo/cli-display": "^0.1.7",
+    "@celilo/cli-display": "^0.1.9",
     "@celilo/event-bus": "^0.1.4",
     "@clack/prompts": "^1.1.0",
     "ajv": "^8.18.0",

package/src/cli/command-registry.ts

@@ -66,6 +66,18 @@ export const COMMANDS: CommandDef[] = [
     name: 'status',
     description: 'Show system and module status',
   },
+  {
+    name: 'doctor',
+    description: 'Diagnose @celilo/* version drift between the running CLI and the workspace',
+    flags: [
+      {
+        name: 'fix',
+        description:
+          'Repair drift by `bun link`-ing each drifted @celilo/* package from the workspace',
+        takesValue: false,
+      },
+    ],
+  },
   {
     name: 'audit',
     description: 'Top-level alias for `system audit`',

package/src/cli/commands/doctor.test.ts

@@ -0,0 +1,36 @@
+import { describe, expect, test } from 'bun:test';
+import { compareVersions } from './doctor';
+
+describe('compareVersions', () => {
+  test('detects ascending major/minor/patch', () => {
+    expect(compareVersions('1.0.0', '2.0.0')).toBe(-1);
+    expect(compareVersions('1.0.0', '1.1.0')).toBe(-1);
+    expect(compareVersions('1.0.0', '1.0.1')).toBe(-1);
+  });
+
+  test('detects descending major/minor/patch', () => {
+    expect(compareVersions('2.0.0', '1.0.0')).toBe(1);
+    expect(compareVersions('1.1.0', '1.0.0')).toBe(1);
+    expect(compareVersions('1.0.1', '1.0.0')).toBe(1);
+  });
+
+  test('treats equal versions as equal', () => {
+    expect(compareVersions('1.2.3', '1.2.3')).toBe(0);
+    expect(compareVersions('0.1.9', '0.1.9')).toBe(0);
+  });
+
+  test('catches the canonical drift case (loaded < workspace)', () => {
+    // The case that triggered #2 in the first place: globally-installed
+    // 0.1.8 vs. workspace 0.1.9.
+    expect(compareVersions('0.1.8', '0.1.9')).toBe(-1);
+  });
+
+  test('treats missing trailing segments as zeros', () => {
+    expect(compareVersions('1.0', '1.0.0')).toBe(0);
+    expect(compareVersions('1.0', '1.0.1')).toBe(-1);
+  });
+
+  test('strips a leading v prefix', () => {
+    expect(compareVersions('v1.2.3', '1.2.3')).toBe(0);
+  });
+});

package/src/cli/commands/doctor.ts

@@ -0,0 +1,385 @@
+/**
+ * `celilo doctor` — diagnose @celilo/* version drift between the running CLI
+ * and the surrounding workspace (if any).
+ *
+ * Catches the canonical "I edited the workspace but my global celilo is
+ * still running an older published version" failure mode.
+ *
+ * Resolution strategy:
+ *   - The running CLI's package.json comes from a relative import — that
+ *     anchors us to whatever copy of `@celilo/cli` is actually executing
+ *     (workspace TS source or globally-installed node_modules tree).
+ *   - For each `@celilo/*` dependency, we ask the runtime where it
+ *     resolves the package's `package.json` and read the version there.
+ *   - If we can find a workspace root by walking up from `process.cwd()`,
+ *     we read each `packages/*\/package.json` and flag anything where the
+ *     loaded version is older than the workspace.
+ */
+
+import { spawnSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import { createRequire } from 'node:module';
+import { dirname, join, resolve } from 'node:path';
+import cliPkg from '../../../package.json' with { type: 'json' };
+import type { CommandResult } from '../types';
+
+interface CeliloPkgInfo {
+  name: string;
+  declaredRange: string;
+  loadedVersion: string | null;
+  loadedFrom: string | null;
+  resolveError: string | null;
+}
+
+interface WorkspaceVersion {
+  name: string;
+  version: string;
+  path: string;
+}
+
+const ANSI = {
+  reset: '\x1b[0m',
+  dim: '\x1b[2m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  red: '\x1b[31m',
+};
+
+/**
+ * Discover every `@celilo/*` entry in the running CLI's package.json
+ * dependencies and resolve where each one is actually loaded from.
+ */
+function inspectCeliloDeps(): CeliloPkgInfo[] {
+  const deps: Record<string, string> = {
+    ...((cliPkg as { dependencies?: Record<string, string> }).dependencies ?? {}),
+  };
+  const celiloDeps = Object.entries(deps)
+    .filter(([name]) => name.startsWith('@celilo/'))
+    .sort(([a], [b]) => a.localeCompare(b));
+
+  const require = createRequire(import.meta.url);
+
+  return celiloDeps.map(([name, declaredRange]) => {
+    try {
+      const pkgJsonPath = require.resolve(`${name}/package.json`);
+      const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf-8')) as { version: string };
+      return {
+        name,
+        declaredRange,
+        loadedVersion: pkg.version,
+        loadedFrom: dirname(pkgJsonPath),
+        resolveError: null,
+      };
+    } catch (err) {
+      return {
+        name,
+        declaredRange,
+        loadedVersion: null,
+        loadedFrom: null,
+        resolveError: err instanceof Error ? err.message : String(err),
+      };
+    }
+  });
+}
+
+/**
+ * Walk up from `start` until we find a `package.json` whose `workspaces`
+ * key is non-empty. Returns the directory containing that file or null.
+ */
+function findWorkspaceRoot(start: string): string | null {
+  let dir = resolve(start);
+  while (true) {
+    const candidate = join(dir, 'package.json');
+    if (existsSync(candidate)) {
+      try {
+        const pkg = JSON.parse(readFileSync(candidate, 'utf-8')) as {
+          workspaces?: string[] | { packages?: string[] };
+        };
+        const workspaces = Array.isArray(pkg.workspaces)
+          ? pkg.workspaces
+          : (pkg.workspaces?.packages ?? []);
+        if (workspaces.length > 0) return dir;
+      } catch {
+        /* malformed package.json — keep walking */
+      }
+    }
+    const parent = dirname(dir);
+    if (parent === dir) return null;
+    dir = parent;
+  }
+}
+
+/**
+ * Read every `@celilo/*` package.json in the workspace and return the
+ * version each one declares. Used to compare against what the running
+ * CLI actually loaded.
+ */
+function collectWorkspaceVersions(workspaceRoot: string): WorkspaceVersion[] {
+  const out: WorkspaceVersion[] = [];
+  // Hard-code the two glob roots used in this monorepo to avoid pulling
+  // in a glob library. Both directories are scanned the same way: read
+  // each immediate child, look for a package.json that names a @celilo/*
+  // package.
+  for (const dir of ['packages', 'apps']) {
+    const root = join(workspaceRoot, dir);
+    if (!existsSync(root)) continue;
+    for (const entry of readSubdirs(root)) {
+      const pkgJsonPath = join(root, entry, 'package.json');
+      if (!existsSync(pkgJsonPath)) continue;
+      try {
+        const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf-8')) as {
+          name?: string;
+          version?: string;
+        };
+        if (pkg.name?.startsWith('@celilo/') && pkg.version) {
+          out.push({ name: pkg.name, version: pkg.version, path: join(root, entry) });
+        }
+      } catch {
+        /* skip malformed */
+      }
+    }
+  }
+  return out;
+}
+
+function readSubdirs(dir: string): string[] {
+  // node:fs readdirSync — keep stdlib, no extra deps.
+  // Hidden dirs filtered out.
+  try {
+    const fs = require('node:fs') as typeof import('node:fs');
+    return fs
+      .readdirSync(dir, { withFileTypes: true })
+      .filter((d) => d.isDirectory() && !d.name.startsWith('.'))
+      .map((d) => d.name);
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Compare two semver-ish version strings. Returns -1 if a < b, 0 if
+ * equal, 1 if a > b. Tolerates non-numeric prerelease tags by comparing
+ * them as strings after the numeric segments.
+ *
+ * Exported for unit testing.
+ */
+export function compareVersions(a: string, b: string): number {
+  const split = (v: string) => v.replace(/^[v=]+/, '').split(/[.+-]/);
+  const aParts = split(a);
+  const bParts = split(b);
+  const len = Math.max(aParts.length, bParts.length);
+  for (let i = 0; i < len; i++) {
+    const ap = aParts[i] ?? '0';
+    const bp = bParts[i] ?? '0';
+    const an = Number(ap);
+    const bn = Number(bp);
+    if (!Number.isNaN(an) && !Number.isNaN(bn)) {
+      if (an !== bn) return an < bn ? -1 : 1;
+    } else if (ap !== bp) {
+      return ap < bp ? -1 : 1;
+    }
+  }
+  return 0;
+}
+
+interface DriftedDep {
+  name: string;
+  loadedVersion: string;
+  workspaceVersion: string;
+  workspacePath: string;
+}
+
+/**
+ * Run a command, capture stdout/stderr, return whether it succeeded.
+ * Used for the `bun link` calls that --fix orchestrates.
+ */
+function runCommand(
+  cmd: string,
+  args: string[],
+  cwd: string,
+): { ok: boolean; stdout: string; stderr: string } {
+  const r = spawnSync(cmd, args, { cwd, encoding: 'utf-8' });
+  return {
+    ok: r.status === 0,
+    stdout: (r.stdout ?? '').trim(),
+    stderr: (r.stderr ?? '').trim(),
+  };
+}
+
+/**
+ * Repair drift by `bun link`-ing each drifted package from the
+ * workspace into the running CLI's package directory.
+ *
+ * Two-step bun link workflow:
+ *   1. From each workspace package dir: `bun link` registers it
+ *      globally under its package name.
+ *   2. From the running CLI's package dir: `bun link <pkgname>`
+ *      replaces the resolved copy with the symlink to the workspace.
+ *
+ * `bun unlink` reverses both steps if the user wants to revert.
+ *
+ * Only safe to run when running from a globally-installed CLI; from
+ * a workspace TS-source invocation there's nothing to repair.
+ */
+function applyFix(drifted: DriftedDep[], cliRoot: string): string[] {
+  const lines: string[] = [];
+  for (const d of drifted) {
+    lines.push(`  ${d.name}: linking ${d.workspaceVersion} from ${d.workspacePath}`);
+
+    const reg = runCommand('bun', ['link'], d.workspacePath);
+    if (!reg.ok) {
+      lines.push(
+        `    ${ANSI.red}✗${ANSI.reset} register failed: ${reg.stderr || reg.stdout || 'no output'}`,
+      );
+      continue;
+    }
+
+    const link = runCommand('bun', ['link', d.name], cliRoot);
+    if (!link.ok) {
+      lines.push(
+        `    ${ANSI.red}✗${ANSI.reset} link failed: ${link.stderr || link.stdout || 'no output'}`,
+      );
+      continue;
+    }
+
+    lines.push(`    ${ANSI.green}✔${ANSI.reset} linked`);
+  }
+  return lines;
+}
+
+export async function handleDoctor(
+  _args: string[],
+  flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const lines: string[] = [];
+
+  const cliVersion = (cliPkg as { version: string }).version;
+  const cliName = (cliPkg as { name: string }).name;
+  // Where is *this* file loaded from? Anchors the "running from" line.
+  const cliRoot = resolve(dirname(new URL(import.meta.url).pathname), '../../..');
+  lines.push(`${cliName} ${cliVersion}`);
+  lines.push(`${ANSI.dim}running from ${cliRoot}${ANSI.reset}`);
+  lines.push('');
+
+  const workspaceRoot = findWorkspaceRoot(process.cwd());
+  const workspaceVersions = workspaceRoot ? collectWorkspaceVersions(workspaceRoot) : [];
+  const workspaceMap = new Map(workspaceVersions.map((w) => [w.name, w]));
+
+  if (workspaceRoot) {
+    lines.push(`workspace: ${workspaceRoot}`);
+  } else {
+    lines.push(`${ANSI.dim}no workspace detected from ${process.cwd()}${ANSI.reset}`);
+  }
+  lines.push('');
+
+  const deps = inspectCeliloDeps();
+  // Track whether anything is amiss so we can summarize and exit non-zero.
+  let driftCount = 0;
+  let unresolvedCount = 0;
+  const drifted: DriftedDep[] = [];
+
+  // Compute column widths for a clean table.
+  const nameCol = Math.max(...deps.map((d) => d.name.length), 12);
+  const declCol = Math.max(...deps.map((d) => d.declaredRange.length), 8);
+  const loadedCol = Math.max(...deps.map((d) => (d.loadedVersion ?? '?').length), 8);
+
+  lines.push(
+    `  ${'package'.padEnd(nameCol)}  ${'declares'.padEnd(declCol)}  ${'loaded'.padEnd(loadedCol)}  notes`,
+  );
+  lines.push(`  ${'-'.repeat(nameCol)}  ${'-'.repeat(declCol)}  ${'-'.repeat(loadedCol)}  -----`);
+
+  for (const dep of deps) {
+    const loaded = dep.loadedVersion ?? '?';
+    const notes: string[] = [];
+    let glyph = `${ANSI.green}✔${ANSI.reset}`;
+
+    if (dep.resolveError) {
+      glyph = `${ANSI.red}✗${ANSI.reset}`;
+      notes.push(`unresolved: ${dep.resolveError.split('\n')[0]}`);
+      unresolvedCount++;
+    } else if (dep.loadedVersion) {
+      const ws = workspaceMap.get(dep.name);
+      if (ws) {
+        const cmp = compareVersions(dep.loadedVersion, ws.version);
+        if (cmp < 0) {
+          glyph = `${ANSI.yellow}⚠${ANSI.reset}`;
+          notes.push(`workspace has ${ws.version} — running CLI is behind`);
+          driftCount++;
+          drifted.push({
+            name: dep.name,
+            loadedVersion: dep.loadedVersion,
+            workspaceVersion: ws.version,
+            workspacePath: ws.path,
+          });
+        } else if (cmp > 0) {
+          notes.push(`workspace has ${ws.version} (older — unpublished bump?)`);
+        }
+      }
+      if (dep.loadedFrom) {
+        const shortPath = dep.loadedFrom.replace(process.env.HOME ?? '', '~');
+        notes.push(`from ${shortPath}`);
+      }
+    }
+
+    lines.push(
+      `${glyph} ${dep.name.padEnd(nameCol)}  ${dep.declaredRange.padEnd(declCol)}  ${loaded.padEnd(loadedCol)}  ${ANSI.dim}${notes.join('; ')}${ANSI.reset}`,
+    );
+  }
+
+  // Workspace packages that the CLI doesn't depend on — surface them so
+  // the operator sees the full set of @celilo/* in play.
+  const declaredNames = new Set(deps.map((d) => d.name));
+  const extras = workspaceVersions.filter((w) => !declaredNames.has(w.name));
+  if (extras.length > 0) {
+    lines.push('');
+    lines.push(`${ANSI.dim}other workspace packages (not depended on by this CLI):${ANSI.reset}`);
+    for (const w of extras) {
+      lines.push(`  ${w.name} ${w.version}  ${ANSI.dim}${w.path}${ANSI.reset}`);
+    }
+  }
+
+  lines.push('');
+
+  const fix = flags.fix === true;
+
+  if (fix && drifted.length > 0) {
+    lines.push(`Repairing ${drifted.length} drifted package(s) with \`bun link\`:`);
+    lines.push(...applyFix(drifted, cliRoot));
+    lines.push('');
+    lines.push(
+      `${ANSI.dim}Re-run \`celilo doctor\` to verify; \`bun unlink\` from each workspace dir reverses.${ANSI.reset}`,
+    );
+    return {
+      success: true,
+      message: lines.join('\n'),
+      rawOutput: true,
+    };
+  }
+
+  if (fix && drifted.length === 0) {
+    lines.push(`${ANSI.dim}--fix: nothing to repair.${ANSI.reset}`);
+  }
+
+  if (driftCount > 0 || unresolvedCount > 0) {
+    const summary: string[] = [];
+    if (driftCount > 0) summary.push(`${driftCount} package(s) behind workspace`);
+    if (unresolvedCount > 0) summary.push(`${unresolvedCount} unresolved`);
+    if (drifted.length > 0) {
+      lines.push(
+        `${ANSI.dim}Run \`celilo doctor --fix\` to bun-link drifted packages from the workspace.${ANSI.reset}`,
+      );
+    }
+    return {
+      success: false,
+      error: `Drift detected: ${summary.join(', ')}`,
+      details: lines.join('\n'),
+    };
+  }
+
+  lines.push(`${ANSI.green}OK${ANSI.reset} — no drift detected`);
+  return {
+    success: true,
+    message: lines.join('\n'),
+    rawOutput: true,
+  };
+}

package/src/cli/commands/module-generate.ts

@@ -133,7 +133,43 @@ export async function handleModuleGenerate(
   const moduleSecretsMissing = await validateModuleSecrets(moduleId, db);
 
   if (moduleSecretsMissing.length > 0) {
-    // Always try to interview for missing secrets
+    // interviewForMissingSecrets fires `secret.required.*` bus events for
+    // user_provided secrets and waits forever for a responder. In a
+    // non-interactive context (no TTY, no piped responder), that's a
+    // silent hang. Probe the bus first; if nothing answers, fail fast
+    // with an actionable error instead of stalling indefinitely.
+    //
+    // Auto-generated secrets (manifest `generate:` field or schema
+    // source: 'generated') don't go through the bus, so missing-but-
+    // auto-generatable doesn't need a responder. Filter those out
+    // before deciding whether to probe.
+    if (!process.stdin.isTTY) {
+      const { getSecretMetadata } = await import('../../services/secret-schema-loader');
+      const promptable: typeof moduleSecretsMissing = [];
+      for (const s of moduleSecretsMissing) {
+        if (s.generate) continue; // manifest-declared auto-generate
+        const meta = await getSecretMetadata(moduleId, s.name, db);
+        if (meta?.source === 'generated') continue; // schema-declared auto-generate
+        promptable.push(s);
+      }
+
+      if (promptable.length > 0) {
+        const { probeForResponder } = await import('../../services/responder-probe');
+        const { getEventBusPath } = await import('../../config/paths');
+        const responderAvailable = await probeForResponder(getEventBusPath());
+        if (!responderAvailable) {
+          const names = promptable.map((s) => s.name).join(', ');
+          const setCommands = promptable
+            .map((s) => `       celilo module secret set ${moduleId} ${s.name} <value>`)
+            .join('\n');
+          return {
+            success: false,
+            error: `Missing required secret(s): ${names}\n\nNo responder is running and stdin isn't a TTY, so module generate can't prompt for them. Either:\n  1. Run interactively (in a terminal)\n  2. Pre-set the secrets:\n${setCommands}\n  3. Run a responder in another shell:\n       celilo events respond --values values.json`,
+          };
+        }
+      }
+    }
+
     // Auto-generated secrets work in non-interactive mode
     const result = await interviewForMissingSecrets(moduleId, moduleSecretsMissing, db);
     if (!result.success) {

package/src/cli/completion.ts

@@ -28,20 +28,22 @@ export async function getCompletions(words: string[], current: number): Promise<
   // currentIndex === 0 means we're completing the first word (the command)
   if (currentIndex === 0) {
     const commands = [
+      'audit',
       'backup',
       'capability',
+      'completion',
+      'doctor',
+      'events',
       'help',
       'hook',
-      'package',
+      'ipam',
+      'machine',
       'module',
+      'package',
       'service',
+      'status',
       'storage',
-      'machine',
       'system',
-      'ipam',
-      'completion',
-      'status',
-      'audit',
       'version',
     ];
     return filterSuggestions(commands, args[0] || '');
@@ -66,6 +68,28 @@ export async function getCompletions(words: string[], current: number): Promise<
     return filterSuggestions(capabilityNames, args[2] || '');
   }
 
+  // Events subcommands — keep this list in sync with command-registry.ts.
+  if (command === 'events' && currentIndex === 1) {
+    const subcommands = [
+      'status',
+      'tail',
+      'list-subscribers',
+      'list-pending',
+      'drain',
+      'run',
+      'emit',
+      'ack',
+      'fail',
+      'repair',
+      'resume',
+      'respond',
+      'install-daemon',
+      'uninstall-daemon',
+      'show-daemon',
+    ];
+    return filterSuggestions(subcommands, args[1] || '');
+  }
+
   // Hook subcommands
   if (command === 'hook' && currentIndex === 1) {
     const subcommands = ['run'];

package/src/cli/index.ts

@@ -10,6 +10,7 @@ import { COMMANDS, type CommandDef } from './command-registry';
 import { handleCapabilityInfo } from './commands/capability-info';
 import { handleCapabilityList } from './commands/capability-list';
 import { handleCompletion } from './commands/completion';
+import { handleDoctor } from './commands/doctor';
 import {
   handleEventsAck,
   handleEventsDrain,
@@ -147,7 +148,9 @@ Usage:
 
 Commands:
   status                   Show system and module status
+  doctor                   Diagnose @celilo/* version drift between the running CLI and the workspace
   audit                    Top-level alias for 'system audit'
+  events                   SQLite event-bus operations (status, tail, run dispatcher, etc.)
   capability               View registered module capabilities
   package                  Create distributable .netapp packages from module source
   module                   Manage modules (import, list, configure, build, generate)
@@ -900,6 +903,11 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
     return handleStatus();
   }
 
+  // Handle doctor command
+  if (parsed.command === 'doctor') {
+    return handleDoctor(parsed.args, parsed.flags);
+  }
+
   // Top-level alias: `celilo audit` → `celilo system audit`
   if (parsed.command === 'audit') {
     return handleSystemAudit(parsed.args, parsed.flags);

package/src/module/import.ts

@@ -429,62 +429,100 @@ async function installScriptDependencies(
 export async function importModule(options: ModuleImportOptions): Promise<ModuleImportResult> {
   const { sourcePath, targetBasePath = getDefaultTargetBase(), db = getDb(), flags = {} } = options;
 
-  let actualSourcePath = sourcePath;
+  // Directory imports route through the packager: build a temporary .netapp
+  // and re-enter through the package path. This makes the .netapp pipeline
+  // the single import path — no second flow that drifts. The packager is
+  // also the only place a manifest build runs, with CELILO_MODULE_SOURCE_DIR
+  // pointing at the unstaged source so sibling-package paths in a monorepo
+  // resolve (e.g. celilo-registry's `cd $CELILO_MODULE_SOURCE_DIR/../../packages/registry-server`).
+  // After this point the module is detached from the source tree, so a
+  // deploy-time rebuild can't work — bake the artifacts in here, once.
+  if (!sourcePath.endsWith('.netapp')) {
+    const dirError = validateModuleDirectory(sourcePath);
+    if (dirError) return { success: false, error: dirError };
+
+    const manifestResult = await readModuleManifest(sourcePath);
+    if (!manifestResult.success) return { success: false, error: manifestResult.error };
+
+    if (moduleExists(manifestResult.manifest.id, db)) {
+      return {
+        success: false,
+        error: `Module '${manifestResult.manifest.id}' already exists. Use update or remove it first.`,
+      };
+    }
+
+    const { mkdtempSync, rmSync } = await import('node:fs');
+    const { tmpdir } = await import('node:os');
+    const tempPkgDir = mkdtempSync(join(tmpdir(), 'celilo-import-pkg-'));
+    const tempPkgPath = join(tempPkgDir, `${manifestResult.manifest.id}.netapp`);
+
+    try {
+      const { buildModule } = await import('./packaging/build');
+      const buildResult = await buildModule({ sourceDir: sourcePath, outputPath: tempPkgPath });
+      if (!buildResult.success) {
+        return {
+          success: false,
+          error: buildResult.error || 'Failed to package module for import',
+        };
+      }
+      return await importModule({ ...options, sourcePath: tempPkgPath });
+    } finally {
+      rmSync(tempPkgDir, { recursive: true, force: true });
+    }
+  }
+
   let tempDir: string | null = null;
   let checksums: Record<string, string> | null = null;
   let signature: string | null = null;
 
   try {
-    // Check if source is a .netapp package
-    if (sourcePath.endsWith('.netapp')) {
-      // Extract and verify package
-      const extractResult = await extractPackage(sourcePath);
-      if (!extractResult.success || !extractResult.tempDir) {
-        return { success: false, error: extractResult.error || 'Failed to extract package' };
-      }
+    // sourcePath always ends with .netapp at this point — directory inputs
+    // were re-routed through the packager above and recursed back in here.
+    const extractResult = await extractPackage(sourcePath);
+    if (!extractResult.success || !extractResult.tempDir) {
+      return { success: false, error: extractResult.error || 'Failed to extract package' };
+    }
 
-      tempDir = extractResult.tempDir;
-
-      // Verify package integrity (unless --skip-verify)
-      const skipVerify = flags['skip-verify'] === true;
-      if (skipVerify) {
-        log.warn('Skipping package signature verification (--skip-verify)');
-      } else {
-        const verifyResult = await verifyPackageIntegrity(tempDir);
-        if (!verifyResult.success) {
-          await cleanupTempDir(tempDir);
-          return {
-            success: false,
-            error: verifyResult.error || 'Package integrity verification failed',
-          };
-        }
-      }
+    tempDir = extractResult.tempDir;
 
-      // Read checksums and signature for database storage (both optional with --skip-verify)
-      try {
-        const checksumsJson = await readFile(join(tempDir, 'checksums.json'), 'utf-8');
-        const ChecksumsFileSchema = z.object({
-          files: z.record(z.string(), z.string()),
-        });
-        const checksumsData = parseJsonWithValidation(
-          checksumsJson,
-          ChecksumsFileSchema,
-          'package checksums.json',
-        );
-        checksums = checksumsData.files;
-      } catch (err) {
-        if (!skipVerify) throw err;
-      }
-      try {
-        signature = await readFile(join(tempDir, 'signature.sig'), 'utf-8');
-      } catch (err) {
-        if (!skipVerify) throw err;
+    // Verify package integrity (unless --skip-verify)
+    const skipVerify = flags['skip-verify'] === true;
+    if (skipVerify) {
+      log.warn('Skipping package signature verification (--skip-verify)');
+    } else {
+      const verifyResult = await verifyPackageIntegrity(tempDir);
+      if (!verifyResult.success) {
+        await cleanupTempDir(tempDir);
+        return {
+          success: false,
+          error: verifyResult.error || 'Package integrity verification failed',
+        };
       }
+    }
 
-      // Use extracted directory as source
-      actualSourcePath = tempDir;
+    // Read checksums and signature for database storage (both optional with --skip-verify)
+    try {
+      const checksumsJson = await readFile(join(tempDir, 'checksums.json'), 'utf-8');
+      const ChecksumsFileSchema = z.object({
+        files: z.record(z.string(), z.string()),
+      });
+      const checksumsData = parseJsonWithValidation(
+        checksumsJson,
+        ChecksumsFileSchema,
+        'package checksums.json',
+      );
+      checksums = checksumsData.files;
+    } catch (err) {
+      if (!skipVerify) throw err;
+    }
+    try {
+      signature = await readFile(join(tempDir, 'signature.sig'), 'utf-8');
+    } catch (err) {
+      if (!skipVerify) throw err;
     }
 
+    const actualSourcePath = tempDir;
+
     // Policy: Validate directory structure
     const dirError = validateModuleDirectory(actualSourcePath);
     if (dirError) {
@@ -639,29 +677,14 @@ export async function importModule(options: ModuleImportOptions): Promise<Module
       );
     }
 
-    // Execution: Store integrity data
-    // For .netapp packages: store checksums + signature
-    // For directory imports: calculate and store checksums (no signature)
+    // Execution: Store integrity data from the package's checksums + signature.
+    // Directory imports go through the packager too (see top of importModule),
+    // so by the time we reach this point we always have these.
     try {
-      let finalChecksums: Record<string, string>;
-      let finalSignature: string | null = null;
-
-      if (checksums && signature) {
-        // From .netapp package - already verified
-        finalChecksums = checksums;
-        finalSignature = signature.trim();
-      } else {
-        // From directory - calculate checksums now
-        const { computeChecksums } = await import('./packaging/build');
-        const checksumsData = await computeChecksums(targetPath);
-        finalChecksums = checksumsData.files;
-        // No signature for directory imports
-      }
-
       const integrityData: NewModuleIntegrity = {
         moduleId: manifest.id,
-        checksums: finalChecksums,
-        signature: finalSignature,
+        checksums: checksums ?? {},
+        signature: signature?.trim() ?? null,
       };
       db.insert(moduleIntegrity).values(integrityData).run();
     } catch (error) {
@@ -669,21 +692,22 @@ export async function importModule(options: ModuleImportOptions): Promise<Module
       console.warn('Warning: Failed to store module integrity data', error);
     }
 
-    // For .netapp packages with build artifacts: record a successful build
-    // so that `module generate` doesn't require a rebuild
-    if (sourcePath.endsWith('.netapp') && manifest.build?.artifacts) {
-      const { existsSync: fileExists } = await import('node:fs');
-      const artifactPaths = manifest.build.artifacts
+    // Record a successful build entry so deploy-time validation sees the
+    // artifacts in place and skips rebuild. The packager runs the manifest
+    // build into the staged tree before tar, so any declared artifacts are
+    // already on disk under targetPath at this point.
+    if (manifest.build?.artifacts) {
+      const recordedArtifactPaths = manifest.build.artifacts
         .map((a: string) => join(targetPath, a))
-        .filter((p: string) => fileExists(p));
+        .filter((p: string) => existsSync(p));
 
-      if (artifactPaths.length > 0) {
+      if (recordedArtifactPaths.length > 0) {
         const { moduleBuilds } = await import('../db/schema');
         db.insert(moduleBuilds)
           .values({
             moduleId: manifest.id,
             version: manifest.version,
-            artifacts: artifactPaths,
+            artifacts: recordedArtifactPaths,
             status: 'success',
             buildLog: 'Pre-built artifacts from .netapp package',
           })

package/src/services/deploy-validation.ts

@@ -4,6 +4,8 @@
  * Validates module readiness and auto-prepares (generate/build) if needed
  */
 
+import { existsSync } from 'node:fs';
+import { join } from 'node:path';
 import { compareConsumerToProvider } from '@celilo/capabilities';
 import { and, eq } from 'drizzle-orm';
 import type { DbClient } from '../db/client';
@@ -123,10 +125,22 @@ export async function validateAndPrepareDeployment(
   // Auto-build if required and not built
   if (manifest.build) {
     const buildStatus = await getModuleBuildStatus(moduleId, db);
+    // Cross-check the manifest's declared artifacts against the actual
+    // filesystem in addition to whatever's in the build record. A "success"
+    // record with an empty artifact list (e.g. from a build that exited 0
+    // but produced nothing, or a synthetic record from a partial .netapp
+    // import) would otherwise pass `verifyArtifactsExist([])` trivially and
+    // let the deploy run on without binaries — exactly how Ansible ends up
+    // failing on a missing `src:` file.
+    const declaredArtifacts = manifest.build.artifacts ?? [];
+    const declaredArtifactsOk = declaredArtifacts.every((rel) =>
+      existsSync(join(module.sourcePath, rel)),
+    );
     const needsBuild =
       !buildStatus ||
       buildStatus.status !== 'success' ||
-      !verifyArtifactsExist(buildStatus.artifacts);
+      !verifyArtifactsExist(buildStatus.artifacts) ||
+      (declaredArtifacts.length > 0 && !declaredArtifactsOk);
 
     if (needsBuild) {
       const buildResult = await buildModuleFromSource(moduleId, db);

package/src/services/module-build.test.ts

@@ -207,6 +207,44 @@ describe('Module Build Service', () => {
       expect(buildRecord?.status).toBe('success');
       expect(buildRecord?.environment).toBe('system'); // No flake.nix
     }, 10000); // 10 second timeout for ansible execution
+
+    // Regression: a build.command that references $CELILO_MODULE_SOURCE_DIR
+    // (the variable celilo-registry's manifest uses to find sibling packages
+    // in the monorepo) must work the same at deploy time as at packaging
+    // time. Before the fix, executeBuildCommand didn't set the env var, so
+    // any module that imported from a local directory and relied on it
+    // would silently fail before producing artifacts.
+    test('build.command receives CELILO_MODULE_SOURCE_DIR pointing at modulePath', async () => {
+      await mkdir(TEST_MODULE_DIR, { recursive: true });
+
+      db.insert(modules)
+        .values({
+          id: 'env-test',
+          name: 'Env Test',
+          version: '1.0.0',
+          sourcePath: TEST_MODULE_DIR,
+          manifestData: {
+            id: 'env-test',
+            name: 'Env Test',
+            version: '1.0.0',
+            build: {
+              // Write the env var's value to a file. The build runs with
+              // cwd=modulePath, so a bare relative `built.marker` always
+              // lands there — but we want to prove the env var itself was
+              // set, so we fail explicitly if it's empty.
+              command:
+                'test -n "$CELILO_MODULE_SOURCE_DIR" && echo "$CELILO_MODULE_SOURCE_DIR" > built.marker',
+              artifacts: ['built.marker'],
+            },
+          },
+        })
+        .run();
+
+      const result = await buildModuleFromSource('env-test', db);
+
+      expect(result.success).toBe(true);
+      expect(existsSync(`${TEST_MODULE_DIR}/built.marker`)).toBe(true);
+    }, 10000);
   });
 
   describe('getModuleBuildStatus', () => {

package/src/services/module-build.ts

@@ -104,6 +104,11 @@ async function executeBuildCommand(
     command,
     args: [],
     cwd: modulePath,
+    // Match packaging/build.ts so deploy-time builds work the same as
+    // package-time builds. celilo-registry's manifest.build.command uses
+    // $CELILO_MODULE_SOURCE_DIR to find sibling packages in the monorepo;
+    // without this, that cd resolves to "/" and the build silently fails.
+    env: { CELILO_MODULE_SOURCE_DIR: modulePath },
   });
 
   return { success: result.success, output: result.output, error: result.error };
@@ -143,6 +148,7 @@ async function executeBuildScript(
     command,
     args,
     cwd: modulePath,
+    env: { CELILO_MODULE_SOURCE_DIR: modulePath },
   });
 
   return { success: result.success, output: result.output, error: result.error };

package/src/services/module-deploy.ts

@@ -35,6 +35,7 @@ import { executeTerraform, parseTerraformOutputs } from './deploy-terraform';
 import { validateAndPrepareDeployment } from './deploy-validation';
 import { resolveInfrastructureVariables } from './infrastructure-variable-resolver';
 import { findMachineForModule } from './machine-pool';
+import { checkProxmoxReachable, formatProxmoxUnreachableError } from './proxmox-preflight';
 import { deleteTemporarySshKey, writeTemporarySshKey } from './ssh-key-manager';
 import { buildTerraformEnvForService } from './terraform-env';
 
@@ -814,6 +815,20 @@ async function deployModuleImpl(
           };
         }
         terraformEnvVars = await buildTerraformEnvForService(plan.infrastructure.serviceId);
+
+        // Fail fast if the proxmox API host is unreachable (e.g. VPN
+        // down). The terraform provider would otherwise stall on a
+        // SYN_SENT connect for ~60s with no visible feedback.
+        if (service.providerName === 'proxmox' && terraformEnvVars.TF_VAR_proxmox_api_url) {
+          const probe = await checkProxmoxReachable(terraformEnvVars.TF_VAR_proxmox_api_url);
+          if (!probe.reachable) {
+            return {
+              success: false,
+              error: formatProxmoxUnreachableError(probe),
+              phases,
+            };
+          }
+        }
       }
 
       const terraformResult = await executeTerraform(generatedPath, phases, terraformEnvVars, {

package/src/services/programmatic-responder.ts

@@ -276,6 +276,20 @@ export function startProgrammaticResponder(
     answered.push({ type: event.type, key: lookupKey });
   });
 
+  // Liveness probe: a non-interactive caller (e.g. `module generate`
+  // with no TTY) emits `responder.probe` to detect whether any
+  // responder is listening before calling busInterview (which waits
+  // forever). We reply with our kind so the caller's probe completes
+  // and the deploy/generate proceeds.
+  const probeWatch = bus.watch('responder.probe', async (event) => {
+    if (event.replyFor !== null) return;
+    bus.emitRaw(
+      `${event.type}.reply`,
+      { kind: 'programmatic', emittedBy: me },
+      { replyFor: event.id, emittedBy: me },
+    );
+  });
+
   return {
     lastActivityAt: () => lastActivityAt,
     eventCount: () => answered.length + missed.length,
@@ -288,6 +302,7 @@ export function startProgrammaticResponder(
       configWatch.close();
       secretWatch.close();
       ensureWatch.close();
+      probeWatch.close();
       bus.close();
     },
   };

package/src/services/proxmox-preflight.test.ts

@@ -0,0 +1,63 @@
+import { afterEach, describe, expect, test } from 'bun:test';
+import { type AddressInfo, type Server, createServer } from 'node:net';
+import { checkProxmoxReachable, formatProxmoxUnreachableError } from './proxmox-preflight';
+
+describe('checkProxmoxReachable', () => {
+  let server: Server | null = null;
+
+  afterEach(async () => {
+    if (server) {
+      await new Promise<void>((resolve) => server?.close(() => resolve()));
+      server = null;
+    }
+  });
+
+  test('returns reachable=true when the host accepts the connection', async () => {
+    server = createServer();
+    await new Promise<void>((resolve) => server?.listen(0, '127.0.0.1', () => resolve()));
+    const port = (server.address() as AddressInfo).port;
+
+    const result = await checkProxmoxReachable(`https://127.0.0.1:${port}/api2/json`, 1000);
+    expect(result.reachable).toBe(true);
+    expect(result.host).toBe('127.0.0.1');
+    expect(result.port).toBe(port);
+    expect(result.error).toBeUndefined();
+  });
+
+  test('returns reachable=false on connection refused', async () => {
+    // Port 1 is reserved and reliably refuses on loopback.
+    const result = await checkProxmoxReachable('https://127.0.0.1:1/api2/json', 1000);
+    expect(result.reachable).toBe(false);
+    expect(result.host).toBe('127.0.0.1');
+    expect(result.port).toBe(1);
+    expect(result.error).toBeDefined();
+  });
+
+  test('returns reachable=false with timeout error on stalled connect', async () => {
+    // 192.0.2.1 is in TEST-NET-1 (RFC 5737) — guaranteed unroutable.
+    // SYN_SENT will hang until our timeout fires.
+    const result = await checkProxmoxReachable('https://192.0.2.1:8006/api2/json', 200);
+    expect(result.reachable).toBe(false);
+    expect(result.error).toMatch(/timed out/i);
+  }, 5000);
+
+  test('returns error for an invalid URL', async () => {
+    const result = await checkProxmoxReachable('not-a-url', 100);
+    expect(result.reachable).toBe(false);
+    expect(result.error).toMatch(/invalid/i);
+  });
+});
+
+describe('formatProxmoxUnreachableError', () => {
+  test('mentions VPN and the host:port in the message', () => {
+    const message = formatProxmoxUnreachableError({
+      reachable: false,
+      host: '10.0.30.102',
+      port: 8006,
+      error: 'Connection refused',
+    });
+    expect(message).toContain('10.0.30.102:8006');
+    expect(message).toContain('VPN');
+    expect(message).toContain('Connection refused');
+  });
+});

package/src/services/proxmox-preflight.ts

@@ -0,0 +1,100 @@
+/**
+ * Proxmox preflight reachability check.
+ *
+ * The Proxmox Terraform provider, when given an unreachable api_url,
+ * sits in TCP `SYN_SENT` until the kernel-level connect timeout fires
+ * — typically 30–75s on macOS. During that window the user sees a
+ * frozen progress display and no clue what's wrong (common cause: VPN
+ * is down). We probe the api_url's host:port with a short timeout
+ * before invoking terraform so we can fail fast with an actionable
+ * message instead of letting the provider hang.
+ *
+ * Scoped intentionally to the proxmox container-service deploy path —
+ * other terraform invocations (DigitalOcean, system audit) talk to
+ * different endpoints with their own failure modes.
+ */
+
+import { Socket } from 'node:net';
+
+export interface ProxmoxReachabilityResult {
+  reachable: boolean;
+  host: string;
+  port: number;
+  /** Populated when `reachable` is false. */
+  error?: string;
+}
+
+/**
+ * Probe `host:port` with a TCP connect attempt. Resolves on connect,
+ * timeout, or socket error — never rejects. Caller decides what to do
+ * with the result.
+ */
+export async function checkProxmoxReachable(
+  apiUrl: string,
+  timeoutMs = 3000,
+): Promise<ProxmoxReachabilityResult> {
+  let host: string;
+  let port: number;
+  try {
+    const url = new URL(apiUrl);
+    host = url.hostname;
+    port = url.port ? Number(url.port) : url.protocol === 'https:' ? 443 : 80;
+  } catch {
+    return {
+      reachable: false,
+      host: apiUrl,
+      port: 0,
+      error: `Invalid Proxmox API URL: ${apiUrl}`,
+    };
+  }
+
+  return await new Promise<ProxmoxReachabilityResult>((resolve) => {
+    const socket = new Socket();
+    let settled = false;
+
+    const finish = (result: ProxmoxReachabilityResult) => {
+      if (settled) return;
+      settled = true;
+      socket.destroy();
+      resolve(result);
+    };
+
+    socket.setTimeout(timeoutMs);
+    socket.once('connect', () => finish({ reachable: true, host, port }));
+    socket.once('timeout', () =>
+      finish({
+        reachable: false,
+        host,
+        port,
+        error: `Connection to ${host}:${port} timed out after ${timeoutMs}ms`,
+      }),
+    );
+    socket.once('error', (err) =>
+      finish({
+        reachable: false,
+        host,
+        port,
+        error: err.message,
+      }),
+    );
+
+    socket.connect(port, host);
+  });
+}
+
+/**
+ * Format an unreachable result into a multi-line error message
+ * suitable for display in the deploy progress panel.
+ */
+export function formatProxmoxUnreachableError(result: ProxmoxReachabilityResult): string {
+  return [
+    `Proxmox unreachable at ${result.host}:${result.port}`,
+    '',
+    'Check:',
+    '  - VPN connection (if Proxmox is on a private network)',
+    '  - Is the Proxmox host running and reachable from this machine?',
+    `  - Try: nc -zv ${result.host} ${result.port}`,
+    '',
+    `(${result.error ?? 'no further detail'})`,
+  ].join('\n');
+}

package/src/services/responder-probe.ts

@@ -0,0 +1,45 @@
+/**
+ * Responder liveness probe.
+ *
+ * busInterview waits forever for a reply (timeoutMs: 0 by design). For
+ * non-interactive callers (no TTY, no piped responder) that means a
+ * silent hang. The probe gives those callers a way to fail fast: emit
+ * a short-timeout query on the bus, return whether any responder was
+ * listening.
+ *
+ * Responders register a `responder.probe` watch and reply with their
+ * kind. As long as one is running on the same bus DB, the probe sees
+ * a reply and returns true.
+ */
+
+import { defineEvents, openBus } from '@celilo/event-bus';
+
+const NO_SCHEMAS = defineEvents({});
+
+export const RESPONDER_PROBE_EVENT = 'responder.probe' as const;
+
+export interface ResponderProbeReply {
+  kind: 'terminal' | 'programmatic' | 'daemon';
+  emittedBy: string;
+}
+
+/**
+ * Probe the bus for a live responder.
+ *
+ * @param busDbPath sqlite path the bus and any responder share
+ * @param timeoutMs how long to wait for a reply (default 1500ms)
+ * @returns true if at least one responder replied within the window
+ */
+export async function probeForResponder(busDbPath: string, timeoutMs = 1500): Promise<boolean> {
+  const bus = openBus({ dbPath: busDbPath, events: NO_SCHEMAS });
+  try {
+    const replies = await bus.query(RESPONDER_PROBE_EVENT as never, {} as never, {
+      timeoutMs,
+      pollIntervalMs: 100,
+      expect: 'first',
+    });
+    return replies.length > 0;
+  } finally {
+    bus.close();
+  }
+}

package/src/services/terminal-responder.ts

@@ -283,11 +283,24 @@ export function startTerminalResponder(): TerminalResponderHandle {
     });
   });
 
+  // Liveness probe: lets a non-interactive caller in another shell
+  // (e.g. `module generate`) detect that a terminal-responder is
+  // running here and that calling busInterview is safe.
+  const probeWatch = bus.watch('responder.probe', async (event) => {
+    if (event.replyFor !== null) return;
+    bus.emitRaw(
+      `${event.type}.reply`,
+      { kind: 'terminal', emittedBy: me },
+      { replyFor: event.id, emittedBy: me },
+    );
+  });
+
   return {
     close() {
       configWatch.close();
       secretWatch.close();
       ensureWatch.close();
+      probeWatch.close();
       bus.close();
     },
   };