@celilo/cli 0.3.14 → 0.3.16

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.3.14",
+  "version": "0.3.16",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {

package/src/cli/command-registry.ts

@@ -506,8 +506,14 @@ export const COMMANDS: CommandDef[] = [
       },
       {
         name: 'publish',
-        description: 'Build and publish a module to the registry',
-        args: [{ name: 'module-dir', description: 'Module directory', completion: 'directories' }],
+        description: 'Build and publish one or more modules to the registry',
+        args: [
+          {
+            name: 'module-dir...',
+            description: 'One or more module directories (shell-glob ./modules/* works)',
+            completion: 'directories',
+          },
+        ],
         flags: [
           { name: 'token', description: 'Publish token', takesValue: true },
           { name: 'registry', description: 'Registry URL', takesValue: true },
@@ -522,6 +528,11 @@ export const COMMANDS: CommandDef[] = [
             description: 'Bypass the clean-working-tree check (emergency publish)',
             takesValue: false,
           },
+          {
+            name: 'allow-stale',
+            description: 'Skip the manifest-vs-src stale-check (use sparingly)',
+            takesValue: false,
+          },
         ],
       },
     ],

package/src/cli/commands/module-publish.test.ts

@@ -15,7 +15,7 @@ import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
 import { mkdir, rm, writeFile } from 'node:fs/promises';
 import { join } from 'node:path';
 import type { IndexEntry } from '../../registry/client';
-import { handleModulePublish, validateCapabilityVersions } from './module-publish';
+import { handleModulePublish, resolveToken, validateCapabilityVersions } from './module-publish';
 
 const TEST_DIR = `/tmp/test-module-publish-${Date.now()}`;
 
@@ -37,14 +37,25 @@ describe('handleModulePublish — validation', () => {
   });
 
   test('missing token returns error', async () => {
+    // Isolate from the operator's real Celilo DB — otherwise the secret-store
+    // fallback in resolveToken() may read a real publish token and the test
+    // will skip the validation path it's trying to exercise.
     const origToken = process.env.CELILO_PUBLISH_TOKEN;
+    const origDbPath = process.env.CELILO_DB_PATH;
+    const origDataDir = process.env.CELILO_DATA_DIR;
     process.env.CELILO_PUBLISH_TOKEN = undefined;
+    process.env.CELILO_DB_PATH = `/tmp/test-celilo-no-token-${Date.now()}.db`;
+    process.env.CELILO_DATA_DIR = `/tmp/test-celilo-data-${Date.now()}`;
     try {
       const result = await handleModulePublish([TEST_DIR], {});
       expect(result.success).toBe(false);
       if (!result.success) expect(result.error).toContain('Publish token required');
     } finally {
       if (origToken !== undefined) process.env.CELILO_PUBLISH_TOKEN = origToken;
+      if (origDbPath !== undefined) process.env.CELILO_DB_PATH = origDbPath;
+      else process.env.CELILO_DB_PATH = undefined;
+      if (origDataDir !== undefined) process.env.CELILO_DATA_DIR = origDataDir;
+      else process.env.CELILO_DATA_DIR = undefined;
     }
   });
 
@@ -233,3 +244,75 @@ describe('validateCapabilityVersions', () => {
     expect(errors).toHaveLength(2);
   });
 });
+
+// ── Token resolution: --token → env → secret store ────────────────────────────
+
+describe('resolveToken — precedence', () => {
+  test('--token flag wins over env var and secret store', async () => {
+    const origEnv = process.env.CELILO_PUBLISH_TOKEN;
+    const origDbPath = process.env.CELILO_DB_PATH;
+    process.env.CELILO_PUBLISH_TOKEN = 'env-token';
+    process.env.CELILO_DB_PATH = `/tmp/test-celilo-resolve-${Date.now()}.db`;
+    try {
+      const t = await resolveToken('flag-token');
+      expect(t).toBe('flag-token');
+    } finally {
+      if (origEnv !== undefined) process.env.CELILO_PUBLISH_TOKEN = origEnv;
+      else process.env.CELILO_PUBLISH_TOKEN = undefined;
+      if (origDbPath !== undefined) process.env.CELILO_DB_PATH = origDbPath;
+      else process.env.CELILO_DB_PATH = undefined;
+    }
+  });
+
+  test('env var used when --token flag is empty', async () => {
+    const origEnv = process.env.CELILO_PUBLISH_TOKEN;
+    const origDbPath = process.env.CELILO_DB_PATH;
+    process.env.CELILO_PUBLISH_TOKEN = 'env-token';
+    process.env.CELILO_DB_PATH = `/tmp/test-celilo-resolve-${Date.now()}.db`;
+    try {
+      const t = await resolveToken('');
+      expect(t).toBe('env-token');
+    } finally {
+      if (origEnv !== undefined) process.env.CELILO_PUBLISH_TOKEN = origEnv;
+      else process.env.CELILO_PUBLISH_TOKEN = undefined;
+      if (origDbPath !== undefined) process.env.CELILO_DB_PATH = origDbPath;
+      else process.env.CELILO_DB_PATH = undefined;
+    }
+  });
+
+  test('returns empty string when no source has a token', async () => {
+    // All three sources empty: secret-store fallback hits an isolated empty
+    // DB and returns null gracefully.
+    const origEnv = process.env.CELILO_PUBLISH_TOKEN;
+    const origDbPath = process.env.CELILO_DB_PATH;
+    const origDataDir = process.env.CELILO_DATA_DIR;
+    process.env.CELILO_PUBLISH_TOKEN = undefined;
+    process.env.CELILO_DB_PATH = `/tmp/test-celilo-resolve-empty-${Date.now()}.db`;
+    process.env.CELILO_DATA_DIR = `/tmp/test-celilo-data-empty-${Date.now()}`;
+    try {
+      const t = await resolveToken('');
+      expect(t).toBe('');
+    } finally {
+      if (origEnv !== undefined) process.env.CELILO_PUBLISH_TOKEN = origEnv;
+      if (origDbPath !== undefined) process.env.CELILO_DB_PATH = origDbPath;
+      else process.env.CELILO_DB_PATH = undefined;
+      if (origDataDir !== undefined) process.env.CELILO_DATA_DIR = origDataDir;
+      else process.env.CELILO_DATA_DIR = undefined;
+    }
+  });
+});
+
+// ── Multi-module argument handling ────────────────────────────────────────────
+
+describe('handleModulePublish — multi-module', () => {
+  test('--revision combined with multiple module dirs is rejected', async () => {
+    const result = await handleModulePublish(['./a', './b'], {
+      token: 'tok',
+      revision: '1',
+    });
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.error).toContain('--revision cannot be combined with multiple module dirs');
+    }
+  });
+});

package/src/cli/commands/module-publish.ts

@@ -1,12 +1,28 @@
 /**
- * Module publish command — build and publish a module to the registry.
+ * Module publish command — build and publish one or more modules to the registry.
  *
- * Usage: celilo module publish <module-dir> --token <token>
+ * Usage: celilo module publish <module-dir>... [--token <token>]
  *                              [--registry <url>] [--revision <n>]
  *                              [--message "release note"] [--allow-dirty]
+ *                              [--allow-stale]
  *
- * The --token flag (or CELILO_PUBLISH_TOKEN env var) must contain a valid
- * publish token configured on the registry server.
+ * Multiple module directories may be passed; each is built and published in
+ * order. A failure on any one stops the run (publishes are non-destructive,
+ * safe to retry after fixing the root cause).
+ *
+ * Token resolution order:
+ *   1. --token <t> flag
+ *   2. CELILO_PUBLISH_TOKEN env var
+ *   3. The locally-installed `celilo-registry` module's `publish_tokens`
+ *      secret (first non-empty line). This is the path operators use after
+ *      deploying their own registry — no env-var ritual required.
+ *
+ * Stale-check (D6):
+ *   For each module, refuse to publish if commits touching the module dir
+ *   landed AFTER the last commit that touched its manifest.yml. The fix is
+ *   to bump manifest.yml#version (or just touch it, if the change is
+ *   build-only — auto-revision handles the +N bump). --allow-stale
+ *   overrides for one-time recovery from existing drift.
  *
  * Per CELILO_UPDATE D4 (strict-publish) the manifest's capability
  * versions are validated against `CAPABILITY_CONTRACT_VERSIONS` from
@@ -19,6 +35,7 @@
  * timestamp / CLI version / optional --message.
  */
 
+import { spawnSync } from 'node:child_process';
 import { rm } from 'node:fs/promises';
 import { readFile } from 'node:fs/promises';
 import { tmpdir } from 'node:os';
@@ -37,7 +54,8 @@ import {
   readInstalledCliVersion,
 } from '../../module/packaging/release-metadata';
 import { RegistryClient } from '../../registry/client';
-import { getArg, getFlag, hasFlag } from '../parser';
+import { CrossModuleDataManager } from '../../services/cross-module-data-manager';
+import { getFlag, hasFlag } from '../parser';
 import type { CommandResult } from '../types';
 
 interface ManifestCapabilityClaim {
@@ -96,39 +114,127 @@ export function validateCapabilityVersions(manifest: ManifestForPublish): string
   return errors;
 }
 
-export async function handleModulePublish(
-  args: string[],
-  flags: Record<string, string | boolean>,
-): Promise<CommandResult> {
-  const moduleDir = getArg(args, 0);
-  if (!moduleDir) {
-    return {
-      success: false,
-      error:
-        'Module directory required\n\nUsage: celilo module publish <module-dir> --token <token>',
-    };
-  }
+/**
+ * Look up the SHA of the last commit touching the given pathspecs. Returns
+ * null on any git failure (no repo, never-committed file, etc.) — callers
+ * treat that as "can't determine, skip the check."
+ */
+function lastCommitTouching(pathspec: string[]): string | null {
+  const r = spawnSync('git', ['log', '-1', '--format=%H', '--', ...pathspec], {
+    stdio: ['ignore', 'pipe', 'ignore'],
+    encoding: 'utf-8',
+  });
+  if (r.status !== 0) return null;
+  const sha = r.stdout.trim();
+  return sha || null;
+}
 
-  const token = getFlag(flags, 'token', '') || process.env.CELILO_PUBLISH_TOKEN || '';
-  if (!token) {
-    return {
-      success: false,
-      error: 'Publish token required — pass --token <token> or set CELILO_PUBLISH_TOKEN',
-    };
-  }
+function isAncestor(maybeAncestor: string, descendant: string): boolean {
+  const r = spawnSync('git', ['merge-base', '--is-ancestor', maybeAncestor, descendant], {
+    stdio: 'ignore',
+  });
+  return r.status === 0;
+}
 
-  const registryUrl = getFlag(flags, 'registry', '');
-  const revisionOverride = getFlag(flags, 'revision', '');
-  const message = getFlag(flags, 'message', '') || null;
-  const allowDirty = hasFlag(flags, 'allow-dirty');
+export interface StalenessIssue {
+  moduleDir: string;
+  lastSrcCommit: string;
+  lastManifestCommit: string;
+}
 
-  if (revisionOverride) {
-    const parsed = Number(revisionOverride);
-    if (!Number.isInteger(parsed) || parsed < 1) {
-      return { success: false, error: '--revision must be a positive integer' };
-    }
+/**
+ * Detect "I edited module src but forgot to bump (or touch) manifest.yml."
+ *
+ * Returns null when the manifest is the most recently-touched file in the
+ * dir (or when neither side has any commit history — e.g. brand-new module
+ * not yet committed). Returns a StalenessIssue when src has commits AFTER
+ * the last manifest.yml change — the operator must bump the manifest
+ * (semver change → reset +N to 1) or just touch it (release-only change →
+ * auto-bump +N), then re-publish.
+ *
+ * Exported for testing.
+ */
+export function checkModuleStale(moduleDir: string): StalenessIssue | null {
+  const manifestPath = join(moduleDir, 'manifest.yml');
+  const lastManifest = lastCommitTouching([manifestPath]);
+  // Excluding manifest.yml from the "src" pathspec is the whole point — we
+  // want to know if anything ELSE in the dir moved past it. node_modules and
+  // common build outputs are gitignored already, but be explicit defensively.
+  const lastSrc = lastCommitTouching([
+    moduleDir,
+    `:(exclude)${manifestPath}`,
+    `:(exclude)${moduleDir}/node_modules`,
+    `:(exclude)${moduleDir}/dist`,
+  ]);
+  if (!lastManifest || !lastSrc) return null;
+  if (lastSrc === lastManifest) return null; // same commit changed both
+  if (!isAncestor(lastManifest, lastSrc)) return null; // manifest moved last
+
+  return { moduleDir, lastSrcCommit: lastSrc, lastManifestCommit: lastManifest };
+}
+
+/**
+ * Resolve the publish token via three-tier fallback:
+ *   1. --token flag value passed directly (if non-empty)
+ *   2. CELILO_PUBLISH_TOKEN env var (if non-empty)
+ *   3. Celilo secret store: celilo-registry module's `publish_tokens` secret,
+ *      first non-empty line. Lazy DB read — if Celilo isn't installed locally
+ *      or the registry module isn't deployed, that's a graceful skip, not a
+ *      crash.
+ *
+ * Exported for testing.
+ */
+export async function resolveToken(flagValue: string): Promise<string> {
+  if (flagValue) return flagValue;
+  const envValue = process.env.CELILO_PUBLISH_TOKEN ?? '';
+  if (envValue) return envValue;
+
+  // Secret-store fallback. Wrap in try/catch — if the local Celilo install
+  // isn't initialized (no DB, no master key), we just return empty and let
+  // the caller report "no token found" with the full guidance.
+  try {
+    const dataManager = new CrossModuleDataManager();
+    await dataManager.initialize();
+    const raw = dataManager.getSecret('celilo-registry', 'publish_tokens');
+    if (!raw) return '';
+    const firstToken = raw
+      .split('\n')
+      .map((line) => line.trim())
+      .find((line) => line.length > 0);
+    return firstToken ?? '';
+  } catch {
+    return '';
   }
+}
+
+interface ResolvedOpts {
+  token: string;
+  registryUrl: string;
+  revisionOverride: number | null;
+  message: string | null;
+  allowDirty: boolean;
+  allowStale: boolean;
+}
 
+interface PerModuleOutcome {
+  moduleDir: string;
+  status: 'published' | 'skipped' | 'failed';
+  message: string;
+  /** Set when published — for the multi-publish summary. */
+  publishedAs?: string;
+}
+
+/**
+ * Publish a single module. Errors return outcome.status='failed' rather than
+ * throwing — the caller orchestrates the multi-module summary and decides
+ * whether to abort the run.
+ *
+ * Exported for testing.
+ */
+export async function publishOneModule(
+  moduleDir: string,
+  opts: ResolvedOpts,
+): Promise<PerModuleOutcome> {
   const resolvedDir = resolve(moduleDir);
 
   // Read manifest
@@ -137,10 +243,18 @@ export async function handleModulePublish(
     const manifestRaw = await readFile(join(resolvedDir, 'manifest.yml'), 'utf-8');
     manifest = parseYaml(manifestRaw) as ManifestForPublish;
     if (!manifest.id || !manifest.version) {
-      return { success: false, error: 'manifest.yml missing id or version' };
+      return {
+        moduleDir,
+        status: 'failed',
+        message: `${moduleDir}: manifest.yml missing id or version`,
+      };
     }
   } catch {
-    return { success: false, error: `Could not read manifest.yml in ${resolvedDir}` };
+    return {
+      moduleDir,
+      status: 'failed',
+      message: `${moduleDir}: Could not read manifest.yml in ${resolvedDir}`,
+    };
   }
   const name = manifest.id;
   const baseVersion = manifest.version;
@@ -149,32 +263,55 @@ export async function handleModulePublish(
   const capErrors = validateCapabilityVersions(manifest);
   if (capErrors.length > 0) {
     return {
-      success: false,
-      error: [
-        `Capability version validation failed for ${name}@${baseVersion}:`,
+      moduleDir,
+      status: 'failed',
+      message: [
+        `${moduleDir}: Capability version validation failed for ${name}@${baseVersion}:`,
         ...capErrors.map((e) => `  • ${e}`),
       ].join('\n'),
     };
   }
 
+  // Stale-check: src commits past the last manifest.yml commit. Only fires
+  // when the dir is in git history; brand-new uncommitted modules pass.
+  if (!opts.allowStale) {
+    const stale = checkModuleStale(resolvedDir);
+    if (stale) {
+      return {
+        moduleDir,
+        status: 'failed',
+        message: [
+          `${moduleDir}: Stale-version drift for ${name}@${baseVersion} —`,
+          `  src commit:        ${stale.lastSrcCommit.slice(0, 12)}`,
+          `  manifest.yml commit: ${stale.lastManifestCommit.slice(0, 12)}`,
+          `  Files in ${moduleDir} changed after manifest.yml. Either bump`,
+          '  manifest.yml#version (semver change), or touch it (release-only',
+          '  change — auto-revision will pick the next +N). Then commit and retry.',
+          '  --allow-stale skips this check (use sparingly).',
+        ].join('\n'),
+      };
+    }
+  }
+
   // Collect git state. Refuse a dirty tree unless --allow-dirty.
   const gitInfo = collectGitInfo(resolvedDir, makeRealGitRunner());
-  if (gitInfo.dirty && !allowDirty) {
+  if (gitInfo.dirty && !opts.allowDirty) {
     return {
-      success: false,
-      error: [
-        `Working tree at ${resolvedDir} has uncommitted changes.`,
-        'Refusing to publish — commit (or stash) your changes, or pass --allow-dirty to override.',
+      moduleDir,
+      status: 'failed',
+      message: [
+        `${moduleDir}: Working tree at ${resolvedDir} has uncommitted changes.`,
+        '  Refusing to publish — commit (or stash) your changes, or pass --allow-dirty to override.',
       ].join('\n'),
     };
   }
 
-  // Determine package revision: --revision flag, or query the registry for next rev
+  // Determine package revision: --revision flag, or query the registry for next rev.
   let revision: number;
-  if (revisionOverride) {
-    revision = Number(revisionOverride);
+  if (opts.revisionOverride !== null) {
+    revision = opts.revisionOverride;
   } else {
-    const client = new RegistryClient(registryUrl || undefined);
+    const client = new RegistryClient(opts.registryUrl || undefined);
     try {
       const entries = await client.getIndex(name);
       const existingRevs = entries
@@ -190,13 +327,34 @@ export async function handleModulePublish(
 
   const version = `${baseVersion}+${revision}`;
 
+  // Skip-if-explicit-version-already-published: only relevant when the user
+  // forced a revision number. Auto-revision always picks the next available
+  // slot, so there's no skip case.
+  if (opts.revisionOverride !== null) {
+    const client = new RegistryClient(opts.registryUrl || undefined);
+    try {
+      const entries = await client.getIndex(name);
+      const alreadyPublished = entries.some((e) => e.vers === version);
+      if (alreadyPublished) {
+        return {
+          moduleDir,
+          status: 'skipped',
+          message: `${name}@${version} already on registry — skipping.`,
+        };
+      }
+    } catch {
+      // Registry unreachable — let publish() fail at upload time with a
+      // clearer error than "couldn't list index."
+    }
+  }
+
   // Assemble release metadata for the .netapp.
   const releaseMetadata = buildReleaseMetadata({
     moduleId: name,
     version,
     git: gitInfo,
     cliVersion: readInstalledCliVersion(),
-    message,
+    message: opts.message,
   });
 
   // Build the .netapp into a temp dir
@@ -209,26 +367,148 @@ export async function handleModulePublish(
     releaseMetadata,
   });
   if (!buildResult.success || !buildResult.packagePath) {
-    return { success: false, error: buildResult.error ?? 'Build failed' };
+    return {
+      moduleDir,
+      status: 'failed',
+      message: `${moduleDir}: ${buildResult.error ?? 'Build failed'}`,
+    };
   }
 
   // Publish
-  const client = new RegistryClient(registryUrl || undefined);
+  const client = new RegistryClient(opts.registryUrl || undefined);
   try {
     console.log(`Publishing ${name}@${version} to ${client.baseUrl}...`);
-    await client.publish({ name, version, netappPath: buildResult.packagePath, token });
+    await client.publish({ name, version, netappPath: buildResult.packagePath, token: opts.token });
   } catch (err) {
     return {
-      success: false,
-      error: `Publish failed: ${err instanceof Error ? err.message : String(err)}`,
+      moduleDir,
+      status: 'failed',
+      message: `${moduleDir}: Publish failed: ${err instanceof Error ? err.message : String(err)}`,
     };
   } finally {
     await rm(tmpPath, { force: true });
   }
 
+  return {
+    moduleDir,
+    status: 'published',
+    message: `Published ${name}@${version}${opts.message ? ` — "${opts.message}"` : ''}`,
+    publishedAs: `${name}@${version}`,
+  };
+}
+
+export async function handleModulePublish(
+  args: string[],
+  flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  if (args.length === 0) {
+    return {
+      success: false,
+      error:
+        'Module directory required\n\nUsage: celilo module publish <module-dir>... [--token <token>]',
+    };
+  }
+
+  // Validate --revision early so multi-module runs fail fast.
+  const revisionFlag = getFlag(flags, 'revision', '');
+  let revisionOverride: number | null = null;
+  if (revisionFlag) {
+    const parsed = Number(revisionFlag);
+    if (!Number.isInteger(parsed) || parsed < 1) {
+      return { success: false, error: '--revision must be a positive integer' };
+    }
+    revisionOverride = parsed;
+  }
+  if (revisionOverride !== null && args.length > 1) {
+    return {
+      success: false,
+      error:
+        '--revision cannot be combined with multiple module dirs (each module has its own revision sequence)',
+    };
+  }
+
+  const token = await resolveToken(getFlag(flags, 'token', ''));
+  if (!token) {
+    return {
+      success: false,
+      error: [
+        'Publish token required. Resolution order:',
+        '  1. --token <token> flag',
+        '  2. CELILO_PUBLISH_TOKEN env var',
+        "  3. The celilo-registry module's `publish_tokens` secret",
+        '     (set automatically when you deploy celilo-registry locally)',
+      ].join('\n'),
+    };
+  }
+
+  const opts: ResolvedOpts = {
+    token,
+    registryUrl: getFlag(flags, 'registry', ''),
+    revisionOverride,
+    message: getFlag(flags, 'message', '') || null,
+    allowDirty: hasFlag(flags, 'allow-dirty'),
+    allowStale: hasFlag(flags, 'allow-stale'),
+  };
+
+  const outcomes: PerModuleOutcome[] = [];
+  for (const moduleDir of args) {
+    const outcome = await publishOneModule(moduleDir, opts);
+    outcomes.push(outcome);
+    if (outcome.status === 'failed') {
+      // Print summary so far, then bail. Publishes are non-destructive so
+      // re-running after fixing the underlying issue picks up where we left
+      // off (already-published modules are skipped at the registry level
+      // when --revision is explicit, and auto-revision just picks the next
+      // slot — nothing duplicates).
+      printSummary(outcomes);
+      return {
+        success: false,
+        error: outcome.message,
+      };
+    }
+    console.log(outcome.message);
+  }
+
+  printSummary(outcomes);
+
+  if (args.length === 1) {
+    // Backward-compat single-module shape — keep the existing message/data
+    // contract for callers (and tests) that depend on it. By this point no
+    // outcome is 'failed' (we'd have early-returned above), so success is
+    // unconditional.
+    const only = outcomes[0];
+    return {
+      success: true,
+      message: only.message,
+      data: only.publishedAs ? { publishedAs: only.publishedAs } : undefined,
+    };
+  }
+
   return {
     success: true,
-    message: `Published ${name}@${version}${message ? ` — "${message}"` : ''}`,
-    data: { name, version, releaseMetadata },
+    message: `Published ${outcomes.filter((o) => o.status === 'published').length} module(s).`,
   };
 }
+
+function printSummary(outcomes: PerModuleOutcome[]): void {
+  if (outcomes.length <= 1) return; // single-module mode already printed its line
+  const published = outcomes.filter((o) => o.status === 'published');
+  const skipped = outcomes.filter((o) => o.status === 'skipped');
+  const failed = outcomes.filter((o) => o.status === 'failed');
+
+  console.log('\n──────────────────────────────────────────────');
+  console.log(' Module publish summary');
+  console.log('──────────────────────────────────────────────');
+  if (published.length > 0) {
+    console.log('Published:');
+    for (const o of published) console.log(`  ✓ ${o.publishedAs}`);
+  }
+  if (skipped.length > 0) {
+    console.log('Skipped:');
+    for (const o of skipped) console.log(`  - ${o.message}`);
+  }
+  if (failed.length > 0) {
+    console.log('Failed:');
+    for (const o of failed) console.log(`  ✗ ${o.message}`);
+  }
+}

package/src/cli/index.ts

@@ -368,17 +368,21 @@ Registry:
       --registry <url>                 Use a custom registry
       --limit <n>                      Max results (default: 25)
 
-  publish <module-dir>                 Build and publish a module to the registry
+  publish <module-dir>...              Build and publish one or more modules to the registry
     Options:
-      --token <token>                  Publish token (or set CELILO_PUBLISH_TOKEN env var)
+      --token <token>                  Publish token. Falls back to CELILO_PUBLISH_TOKEN env var, then celilo-registry's publish_tokens secret.
       --registry <url>                 Use a custom registry
-      --revision <n>                   Force package revision number (default: auto)
+      --revision <n>                   Force package revision number (default: auto). Not allowed with multiple module dirs.
+      --message <text>                 Release note recorded in the .netapp's release.json
+      --allow-dirty                    Permit publishing from a dirty git tree
+      --allow-stale                    Skip the manifest-vs-src stale-check. Use sparingly.
 
 Examples:
   celilo module install caddy
   celilo module install namecheap --registry https://my-registry.example.com/registry
   celilo module search dns
   celilo module publish ./modules/caddy --token mytoken
+  celilo module publish ./modules/*                # publish every module in a dir
   celilo module import ./modules/homebridge
   celilo module import homebridge.netapp
   celilo module import /abs/path/to/module --target /custom/location