@celilo/cli 0.3.16 → 0.3.18

package/src/services/bus-secret-flow.test.ts

@@ -324,4 +324,98 @@ describe('bus-mediated interviewForMissingSecrets', () => {
 
     handle.close();
   });
+
+  // string-map secrets: the responder collects key/value pairs via an
+  // add-loop and JSON-stringifies the result before writing. The bus
+  // payload signals the type so the responder picks the right UX.
+  test('string-map: payload carries type=string-map + labels; stored value is JSON-stringified record', async () => {
+    const { seen, close } = startTestResponder(
+      bus,
+      'secret.required.testmod.ddns_passwords',
+      { value: JSON.stringify({ 'lunacycle.net': 'pw1', 'celilo.computer': 'pw2' }) },
+      testDb,
+    );
+
+    const result = await interviewForMissingSecrets(
+      'testmod',
+      [
+        {
+          name: 'ddns_passwords',
+          source: 'secret',
+          type: 'string-map',
+          description: 'Namecheap Dynamic DNS password per managed domain',
+          key_label: 'Domain',
+          value_label: 'Password',
+        },
+      ],
+      testDb,
+    );
+
+    expect(result.success).toBe(true);
+    expect(seen.length).toBe(1);
+    expect(seen[0].payload.type).toBe('string-map');
+    expect(seen[0].payload.key_label).toBe('Domain');
+    expect(seen[0].payload.value_label).toBe('Password');
+
+    // Bus must NOT carry the secret value, even for string-map.
+    expect(seen[0].payload).not.toHaveProperty('value');
+
+    const masterKey = await getOrCreateMasterKey();
+    const stored = await readModuleSecretKey('testmod', 'ddns_passwords', testDb, masterKey);
+    expect(stored).toBe(JSON.stringify({ 'lunacycle.net': 'pw1', 'celilo.computer': 'pw2' }));
+
+    close();
+  });
+
+  test('string-map: enrichment from manifest.yml makes its way to the bus payload', async () => {
+    // Drop a manifest.yml in tempDir (the module's sourcePath) declaring
+    // the secret as string-map with custom labels. validateModuleSecrets
+    // reads the manifest and threads the metadata through to the bus.
+    writeSecretsSchema(tempDir, {
+      ddns_passwords: { source: 'user_provided' },
+    });
+    writeFileSync(
+      join(tempDir, 'manifest.yml'),
+      `
+celilo_contract: "1.0"
+id: testmod
+name: Test Module
+version: 1.0.0
+secrets:
+  declares:
+    - name: ddns_passwords
+      type: string-map
+      required: true
+      description: Per-domain DDNS password
+      sensitive: true
+      key_label: Domain
+      value_label: Password
+`,
+    );
+
+    const { seen, close } = startTestResponder(
+      bus,
+      'secret.required.testmod.ddns_passwords',
+      { value: JSON.stringify({ 'a.test': 'pw' }) },
+      testDb,
+    );
+
+    const { interviewForMissingSecrets, validateModuleSecrets } = await import(
+      './config-interview'
+    );
+    const missing = await validateModuleSecrets('testmod', testDb);
+    expect(missing).toHaveLength(1);
+    expect(missing[0].name).toBe('ddns_passwords');
+    expect(missing[0].type).toBe('string-map');
+    expect(missing[0].key_label).toBe('Domain');
+    expect(missing[0].value_label).toBe('Password');
+
+    const result = await interviewForMissingSecrets('testmod', missing, testDb);
+    expect(result.success).toBe(true);
+    expect(seen[0].payload.type).toBe('string-map');
+    expect(seen[0].payload.key_label).toBe('Domain');
+    expect(seen[0].payload.value_label).toBe('Password');
+
+    close();
+  });
 });

package/src/services/config-interview.ts

@@ -19,11 +19,54 @@ import {
 } from './bus-interview';
 import { getSecretMetadata, loadSecretsSchema } from './secret-schema-loader';
 
+/**
+ * Pull the manifest's `secrets.declares[]` entries keyed by name. Best-
+ * effort — returns an empty Map on any read/parse failure so the caller
+ * can fall back to JSON-schema-only interview behavior.
+ */
+async function loadManifestSecretDeclares(
+  moduleId: string,
+  db: DbClient,
+): Promise<
+  Map<string, { type?: string; description?: string; key_label?: string; value_label?: string }>
+> {
+  const out = new Map<
+    string,
+    { type?: string; description?: string; key_label?: string; value_label?: string }
+  >();
+  const moduleRow = db.select().from(modules).where(eq(modules.id, moduleId)).get();
+  if (!moduleRow?.sourcePath) return out;
+
+  try {
+    const { readFile } = await import('node:fs/promises');
+    const { join } = await import('node:path');
+    const { parse: parseYaml } = await import('yaml');
+    const yamlContent = await readFile(join(moduleRow.sourcePath, 'manifest.yml'), 'utf-8');
+    const parsed = parseYaml(yamlContent) as { secrets?: { declares?: unknown[] } } | undefined;
+    const declares = parsed?.secrets?.declares;
+    if (!Array.isArray(declares)) return out;
+    for (const d of declares) {
+      if (typeof d !== 'object' || d === null) continue;
+      const decl = d as Record<string, unknown>;
+      if (typeof decl.name !== 'string') continue;
+      out.set(decl.name, {
+        type: typeof decl.type === 'string' ? decl.type : undefined,
+        description: typeof decl.description === 'string' ? decl.description : undefined,
+        key_label: typeof decl.key_label === 'string' ? decl.key_label : undefined,
+        value_label: typeof decl.value_label === 'string' ? decl.value_label : undefined,
+      });
+    }
+  } catch {
+    // Manifest unreadable / malformed — fall back to schema-only.
+  }
+  return out;
+}
+
 export interface MissingVariable {
   name: string;
   source: 'user' | 'secret' | 'capability' | 'system';
   description?: string;
-  /** Variable type from manifest (string, array, etc.) */
+  /** Variable type from manifest (string, array, string-map, etc.) */
   type?: string;
   /** Derivation source (e.g., "$machine:ipAddress") */
   derive_from?: string;
@@ -42,6 +85,9 @@ export interface MissingVariable {
     length: number;
     encoding: string;
   };
+  /** For `type: string-map` only — labels shown in the add-loop prompt. */
+  key_label?: string;
+  value_label?: string;
 }
 
 export interface InterviewResult {
@@ -445,6 +491,12 @@ export async function validateModuleSecrets(
     return [];
   }
 
+  // Best-effort: load manifest declarations so we can enrich each missing
+  // secret with `type` (e.g. 'string-map'), `key_label`, `value_label`.
+  // The JSON schema knows shape; the manifest knows interview UX. If the
+  // manifest can't be read, we degrade to plain prompts.
+  const manifestDeclares = await loadManifestSecretDeclares(moduleId, db);
+
   // Check each declared secret
   for (const [secretName, propertySchema] of Object.entries(schema.properties)) {
     // Check if secret exists in database
@@ -455,10 +507,14 @@ export async function validateModuleSecrets(
       .get();
 
     if (!existing) {
+      const declare = manifestDeclares.get(secretName);
       missingSecrets.push({
         name: secretName,
         source: 'secret',
-        description: propertySchema.description || propertySchema.title,
+        description: declare?.description || propertySchema.description || propertySchema.title,
+        type: declare?.type,
+        key_label: declare?.key_label,
+        value_label: declare?.value_label,
       });
     }
   }
@@ -614,13 +670,15 @@ export async function interviewForMissingSecrets(
         // value into the encrypted store out-of-band, then replies
         // with `{ acknowledged: true }`. The value never crosses the
         // bus. See INTERACTIVE_DEPLOYS_VIA_BUS.md.
+        // The bus payload accepts scalar types and `string-map`
+        // (Record<string, string>, gathered via add-loop, stored as JSON).
+        // Cross-module ensure flows write composite shapes via a separate
+        // path, but the interview-driven `string-map` lands here.
+        const declaredType = (variable.type as SecretRequiredPayload['type']) ?? 'string';
         const payload: SecretRequiredPayload = {
           module: moduleId,
           key: variable.name,
-          // The bus payload narrows to scalar types. Secrets in the
-          // wider system can be objects, but those are written via
-          // the cross-module ensure flow, not this interview.
-          type: 'string',
+          type: declaredType === 'string-map' ? 'string-map' : 'string',
           required: true,
           description: variable.description,
           style: source,
@@ -631,6 +689,8 @@ export async function interviewForMissingSecrets(
                   length: metadata?.length || 32,
                 }
               : undefined,
+          key_label: variable.key_label,
+          value_label: variable.value_label,
         };
         await busInterview<SecretAck>(EVENT_TYPES.secretRequired(moduleId, variable.name), payload);
         log.success(`Saved ${variable.name}`);

package/src/services/module-deploy.ts

@@ -1137,13 +1137,31 @@ async function deployModuleImpl(
           }
         }
 
-        // Inject target IP into hook config — works for both machine and container deploys
+        // Persist target_ip to moduleConfigs (not just inject into the
+        // in-memory hook context). Later hooks like on_backup build
+        // their context from the DB only, so without this they'd see
+        // no target_ip and fail with "No container IP configured".
+        // Mirrors proxmox-state-recovery.ts for the machine-deployed
+        // case.
         if (machineId) {
           const { getMachine } = await import('./machine-pool');
           const deployMachine = await getMachine(machineId);
           if (deployMachine) {
             installConfigMap['ip.primary'] = deployMachine.ipAddress;
             installConfigMap.target_ip = deployMachine.ipAddress;
+
+            await db
+              .insert(pcTable)
+              .values({
+                moduleId,
+                key: 'target_ip',
+                value: deployMachine.ipAddress,
+              })
+              .onConflictDoUpdate({
+                target: [pcTable.moduleId, pcTable.key],
+                set: { value: deployMachine.ipAddress },
+              })
+              .run();
           }
         }
 

package/src/services/module-validator/capability-versions.test.ts

@@ -0,0 +1,90 @@
+/**
+ * Strict-publish: manifest-claimed versions for known capabilities must
+ * match the framework's runtime registry. Mismatches refuse the publish
+ * and surface as failed checks in `module check`.
+ */
+
+import { describe, expect, test } from 'bun:test';
+import { validateCapabilityVersions } from './capability-versions';
+
+describe('validateCapabilityVersions', () => {
+  test('no errors when no capabilities are declared', () => {
+    expect(validateCapabilityVersions({ id: 'x', version: '1.0.0' })).toEqual([]);
+  });
+
+  test('no errors when provides matches the runtime registry exactly', () => {
+    expect(
+      validateCapabilityVersions({
+        id: 'caddy',
+        version: '3.0.0',
+        provides: { capabilities: [{ name: 'public_web', version: '3.0.0' }] },
+      }),
+    ).toEqual([]);
+  });
+
+  test('error when provides[X].version differs from runtime', () => {
+    const errors = validateCapabilityVersions({
+      id: 'caddy',
+      version: '1.0.0',
+      provides: { capabilities: [{ name: 'public_web', version: '1.0.0' }] },
+    });
+    expect(errors).toHaveLength(1);
+    expect(errors[0]).toContain('provides[public_web]');
+    expect(errors[0]).toContain('1.0.0');
+    expect(errors[0]).toContain('3.0.0');
+  });
+
+  test('error when provides[X].version is newer than runtime', () => {
+    const errors = validateCapabilityVersions({
+      id: 'caddy',
+      version: '4.0.0',
+      provides: { capabilities: [{ name: 'public_web', version: '4.0.0' }] },
+    });
+    expect(errors).toHaveLength(1);
+    expect(errors[0]).toContain('provides[public_web]');
+  });
+
+  test('skips capabilities not in the framework registry (third-party)', () => {
+    expect(
+      validateCapabilityVersions({
+        id: 'odd',
+        version: '1.0.0',
+        provides: { capabilities: [{ name: 'custom_metric', version: '99.0.0' }] },
+      }),
+    ).toEqual([]);
+  });
+
+  test('error when requires[X].version is a higher major than runtime', () => {
+    const errors = validateCapabilityVersions({
+      id: 'lunacycle',
+      version: '1.0.0',
+      requires: { capabilities: [{ name: 'idp', version: '2.0.0' }] },
+    });
+    expect(errors).toHaveLength(1);
+    expect(errors[0]).toContain('requires[idp]');
+  });
+
+  test('no error when requires[X].version is at most the runtime version', () => {
+    expect(
+      validateCapabilityVersions({
+        id: 'caddy',
+        version: '1.0.0',
+        requires: { capabilities: [{ name: 'dns_registrar', version: '4.0.0' }] },
+      }),
+    ).toEqual([]);
+  });
+
+  test('reports multiple errors at once', () => {
+    const errors = validateCapabilityVersions({
+      id: 'broken',
+      version: '1.0.0',
+      provides: {
+        capabilities: [
+          { name: 'public_web', version: '99.0.0' },
+          { name: 'idp', version: '99.0.0' },
+        ],
+      },
+    });
+    expect(errors).toHaveLength(2);
+  });
+});

package/src/services/module-validator/capability-versions.ts

@@ -0,0 +1,115 @@
+import {
+  CAPABILITY_CONTRACT_VERSIONS,
+  type KnownCapabilityName,
+  compareProviderToRuntime,
+} from '@celilo/capabilities';
+import type { Check } from './types';
+
+export interface ManifestCapabilityClaim {
+  name: string;
+  version: string;
+}
+
+export interface ManifestForCapabilityCheck {
+  id?: string;
+  version?: string;
+  provides?: { capabilities?: ManifestCapabilityClaim[] };
+  requires?: { capabilities?: ManifestCapabilityClaim[] };
+}
+
+function isKnownCapability(name: string): name is KnownCapabilityName {
+  return name in CAPABILITY_CONTRACT_VERSIONS;
+}
+
+/**
+ * Strict-publish: every `provides[X].version` must match the framework's
+ * runtime registry; every `requires[X].version` must be at most the
+ * framework's runtime version (consumers can require older minors of
+ * still-supported majors).
+ *
+ * Returns a list of human-readable error messages — empty list means OK.
+ * Used both by `module publish` (which fails on any error) and
+ * `module check` (which surfaces them as failed checks).
+ */
+export function validateCapabilityVersions(manifest: ManifestForCapabilityCheck): string[] {
+  const errors: string[] = [];
+
+  for (const p of manifest.provides?.capabilities ?? []) {
+    if (!isKnownCapability(p.name)) continue;
+    const runtime = CAPABILITY_CONTRACT_VERSIONS[p.name];
+    const r = compareProviderToRuntime(p.version, runtime);
+    if (!r.compatible) {
+      errors.push(
+        `provides[${p.name}].version is ${p.version} but framework registry is ${runtime} ` +
+          `(${r.reason}). Update the manifest, then retry.`,
+      );
+    }
+  }
+
+  for (const need of manifest.requires?.capabilities ?? []) {
+    if (!isKnownCapability(need.name)) continue;
+    const runtime = CAPABILITY_CONTRACT_VERSIONS[need.name];
+    const r = compareProviderToRuntime(need.version, runtime);
+    if (!r.compatible && r.reason === 'major_mismatch_higher') {
+      errors.push(
+        `requires[${need.name}].version is ${need.version} but framework registry is ${runtime}. Bump the framework before publishing, or lower the manifest version.`,
+      );
+    }
+  }
+
+  return errors;
+}
+
+/**
+ * Per-capability `Check[]` form for `module check`. Emits one OK row for
+ * every known capability the manifest references and one FAIL row for
+ * every mismatch. A manifest with no known-capability claims yields a
+ * single synthetic OK so the report is never empty.
+ */
+export function checkCapabilityVersions(manifest: ManifestForCapabilityCheck): Check[] {
+  const checks: Check[] = [];
+
+  for (const p of manifest.provides?.capabilities ?? []) {
+    if (!isKnownCapability(p.name)) continue;
+    const runtime = CAPABILITY_CONTRACT_VERSIONS[p.name];
+    const r = compareProviderToRuntime(p.version, runtime);
+    checks.push({
+      category: 'capability',
+      name: `provides[${p.name}]`,
+      status: r.compatible ? 'ok' : 'fail',
+      message: r.compatible
+        ? `provides ${p.name}@${p.version} matches framework registry ${runtime}`
+        : `provides ${p.name}@${p.version} but framework registry is ${runtime} (${r.reason}). Update the manifest.`,
+      currentValue: p.version,
+      suggestedValue: r.compatible ? undefined : runtime,
+    });
+  }
+
+  for (const need of manifest.requires?.capabilities ?? []) {
+    if (!isKnownCapability(need.name)) continue;
+    const runtime = CAPABILITY_CONTRACT_VERSIONS[need.name];
+    const r = compareProviderToRuntime(need.version, runtime);
+    const tooNew = !r.compatible && r.reason === 'major_mismatch_higher';
+    checks.push({
+      category: 'capability',
+      name: `requires[${need.name}]`,
+      status: tooNew ? 'fail' : 'ok',
+      message: tooNew
+        ? `requires ${need.name}@${need.version} but framework registry is ${runtime}. Bump the framework, or lower the manifest version.`
+        : `requires ${need.name}@${need.version} can be satisfied by framework registry ${runtime}`,
+      currentValue: need.version,
+      suggestedValue: tooNew ? runtime : undefined,
+    });
+  }
+
+  if (checks.length === 0) {
+    checks.push({
+      category: 'capability',
+      name: 'no known-capability claims',
+      status: 'ok',
+      message: 'manifest declares no provides/requires for known framework capabilities',
+    });
+  }
+
+  return checks;
+}

package/src/services/module-validator/contract-version.test.ts

@@ -0,0 +1,24 @@
+import { describe, expect, test } from 'bun:test';
+import { checkContractVersion } from './contract-version';
+
+describe('checkContractVersion', () => {
+  test('ok when manifest declares the latest supported contract', () => {
+    const r = checkContractVersion({ celilo_contract: '1.0' });
+    expect(r.status).toBe('ok');
+    expect(r.message).toContain('latest');
+  });
+
+  test('fail when celilo_contract field is missing entirely', () => {
+    const r = checkContractVersion({});
+    expect(r.status).toBe('fail');
+    expect(r.message).toContain('missing');
+    expect(r.suggestedValue).toBe('1.0');
+  });
+
+  test('fail when celilo_contract claims an unknown version', () => {
+    const r = checkContractVersion({ celilo_contract: '99.0' });
+    expect(r.status).toBe('fail');
+    expect(r.message).toContain('unknown');
+    expect(r.suggestedValue).toBe('1.0');
+  });
+});

package/src/services/module-validator/contract-version.ts

@@ -0,0 +1,69 @@
+import { SUPPORTED_CONTRACT_VERSIONS } from '../../manifest/contracts';
+import type { Check } from './types';
+
+interface ManifestWithContract {
+  celilo_contract?: string;
+}
+
+/**
+ * Compares the manifest's declared `celilo_contract` against the framework's
+ * supported set:
+ *
+ * - `ok`   — claim equals the latest supported contract.
+ * - `warn` — claim is older but still supported. The manifest works, but
+ *            new contract features won't be available.
+ * - `fail` — claim is unknown to the framework (typo, future version
+ *            from a newer celilo, etc.). Manifest schema validation
+ *            already catches this case more loudly; we still report it
+ *            so a `module check` against a manifest with a bad contract
+ *            highlights it as a contract-level problem.
+ *
+ * Today the framework only ships contract "1.0", so the warn branch is
+ * forward-looking; once "1.1" lands, modules still on "1.0" will see a
+ * minor-bump suggestion.
+ */
+export function checkContractVersion(manifest: ManifestWithContract): Check {
+  const claimed = manifest.celilo_contract;
+  const supported = SUPPORTED_CONTRACT_VERSIONS;
+  const latest = supported[supported.length - 1];
+
+  if (!claimed) {
+    return {
+      category: 'contract_version',
+      name: 'celilo_contract',
+      status: 'fail',
+      message: 'manifest is missing the celilo_contract field',
+      suggestedValue: latest,
+    };
+  }
+
+  if (claimed === latest) {
+    return {
+      category: 'contract_version',
+      name: 'celilo_contract',
+      status: 'ok',
+      message: `manifest declares celilo_contract: ${claimed} (latest)`,
+      currentValue: claimed,
+    };
+  }
+
+  if ((supported as readonly string[]).includes(claimed)) {
+    return {
+      category: 'contract_version',
+      name: 'celilo_contract',
+      status: 'warn',
+      message: `manifest declares celilo_contract: ${claimed} (still supported, but ${latest} is available)`,
+      currentValue: claimed,
+      suggestedValue: latest,
+    };
+  }
+
+  return {
+    category: 'contract_version',
+    name: 'celilo_contract',
+    status: 'fail',
+    message: `manifest declares celilo_contract: ${claimed} (unknown to this framework — supported: ${supported.join(', ')})`,
+    currentValue: claimed,
+    suggestedValue: latest,
+  };
+}