@celilo/cli 0.3.18 → 0.3.20

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.3.18",
+  "version": "0.3.20",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {

package/src/cli/command-registry.ts

@@ -303,11 +303,12 @@ export const COMMANDS: CommandDef[] = [
       },
       {
         name: 'update',
-        description: 'Update module code while preserving state',
+        description:
+          'Update modules. No args = sweep registry (auto-apply non-breaking, prompt for breaking). With args = update from local path(s).',
         args: [
           {
             name: 'path',
-            description: 'Path to updated module source',
+            description: 'Path to updated module source (omit to sweep registry)',
             completion: 'directories',
             variadic: true,
           },

package/src/cli/commands/module-import-routing.test.ts

@@ -7,7 +7,7 @@
  */
 
 import { describe, expect, test } from 'bun:test';
-import { classifyImportArg } from './module-import';
+import { classifyImportArg, handleModuleImport } from './module-import';
 
 describe('classifyImportArg', () => {
   test('routes bare kebab names to the registry', () => {
@@ -50,3 +50,31 @@ describe('classifyImportArg', () => {
     expect(classifyImportArg('caddy@1.0.0')).toBe('name');
   });
 });
+
+describe('legacy subcommand migration hints', () => {
+  test('catches `module import file <path>` and suggests the new form', async () => {
+    const result = await handleModuleImport(['file', 'celilo-registry'], {});
+    if (result.success) throw new Error('expected failure');
+    expect(result.error).toContain("'file' is no longer a subcommand");
+    // 'file' was the LOCAL form; a bare name now goes to the registry,
+    // so the hint must lead the operator to a path-shaped form.
+    expect(result.error).toContain('./celilo-registry');
+    expect(result.error).toContain('/abs/path/to/celilo-registry');
+  });
+
+  test('catches `module import public-registry <name>` and suggests the new form', async () => {
+    const result = await handleModuleImport(['public-registry', 'caddy'], {});
+    if (result.success) throw new Error('expected failure');
+    expect(result.error).toContain("'public-registry' is no longer a subcommand");
+    expect(result.error).toContain('celilo module import caddy');
+  });
+
+  test('does not catch a real registry name that happens to share no characters with legacy commands', async () => {
+    // Sanity: caddy → registry lookup. We can't fully exercise this without
+    // network mocks, but we can confirm it doesn't fall through the legacy
+    // branch (the error message would mention "no longer a subcommand").
+    const result = await handleModuleImport(['caddy'], { registry: 'http://0.0.0.0:1' });
+    if (result.success) throw new Error('expected failure');
+    expect(result.error).not.toContain('no longer a subcommand');
+  });
+});

package/src/cli/commands/module-import.ts

@@ -66,6 +66,34 @@ export async function handleModuleImport(
     return { success: false, error: `Module name or path required.\n\n${USAGE}` };
   }
 
+  // Catch the legacy subcommand-style invocation (`module import file <path>`,
+  // `module import public-registry <name>`) before routing. Without this guard
+  // 'file' would round-trip to the registry as a name and surface a confusing
+  // "module not found" — the user thinks they're using a real subcommand.
+  // Both forms have the second arg in the same slot regardless of which the
+  // operator used, so the migration hint can offer the exact fix.
+  if (arg === 'file' || arg === 'public-registry') {
+    const next = getArg(args, 1);
+    // 'file' was the local-path form. A bare name now routes to the
+    // registry, so we have to suggest a path-shaped form (./, /, etc.)
+    // to preserve the original intent.
+    // 'public-registry' was the registry form. A bare name does what
+    // the operator wanted, so the hint is straightforward.
+    const example =
+      arg === 'public-registry'
+        ? `  celilo module import ${next ?? '<name>'}        # registry (bare name)`
+        : `  celilo module import ./${next ?? '<dir>'}        # local directory (leading ./)
+  celilo module import /abs/path/to/${next ?? '<dir>'}    # absolute path`;
+    return {
+      success: false,
+      error: `'${arg}' is no longer a subcommand of 'module import'. The command auto-routes by argument shape now:
+
+${example}
+
+A bare name (no leading ./, /, ~) is treated as a registry name. See 'celilo module import --help' for the full routing rules.`,
+    };
+  }
+
   if (classifyImportArg(arg) === 'name') {
     if (!KEBAB_NAME.test(arg)) {
       return {

package/src/cli/commands/module-upgrade.test.ts

@@ -0,0 +1,58 @@
+/**
+ * Unit tests for the version-change classifier used by `module update`'s
+ * registry-sweep mode.
+ */
+
+import { describe, expect, test } from 'bun:test';
+import { classifyVersionChange } from './module-upgrade';
+
+describe('classifyVersionChange', () => {
+  test('identical versions are up-to-date', () => {
+    expect(classifyVersionChange('1.0.0', '1.0.0')).toBe('up-to-date');
+    expect(classifyVersionChange('1.0.0+3', '1.0.0+3')).toBe('up-to-date');
+    expect(classifyVersionChange('2.4.7+5', '2.4.7+5')).toBe('up-to-date');
+  });
+
+  test('major bump → breaking', () => {
+    expect(classifyVersionChange('1.0.0+3', '2.0.0+1')).toBe('major');
+    expect(classifyVersionChange('1.5.9', '2.0.0')).toBe('major');
+    // Even a tiny step into the next major counts as breaking; the
+    // operator decides whether to take it.
+    expect(classifyVersionChange('1.0.0+9', '2.0.0+0')).toBe('major');
+  });
+
+  test('minor bump → non-breaking', () => {
+    expect(classifyVersionChange('1.0.0+3', '1.1.0+1')).toBe('minor');
+    expect(classifyVersionChange('2.5.0', '2.6.0')).toBe('minor');
+  });
+
+  test('patch bump → non-breaking', () => {
+    expect(classifyVersionChange('1.0.0+3', '1.0.1+1')).toBe('patch');
+    expect(classifyVersionChange('2.5.7', '2.5.8')).toBe('patch');
+  });
+
+  test('revision-only bump (+N) → patch (non-breaking)', () => {
+    // Exact case the user is hitting today: same code, fresh publish.
+    expect(classifyVersionChange('1.0.0+3', '1.0.0+4')).toBe('patch');
+    expect(classifyVersionChange('namecheap-1.0.0', 'namecheap-1.0.0+5')).not.toBe('major');
+    expect(classifyVersionChange('3.1.0+0', '3.1.0+9')).toBe('patch');
+  });
+
+  test('installed ahead of registry → ahead (skip silently)', () => {
+    // Operator pushed locally without publishing — registry is stale.
+    expect(classifyVersionChange('2.0.0+1', '1.5.0+9')).toBe('ahead');
+    expect(classifyVersionChange('1.0.1', '1.0.0')).toBe('ahead');
+    expect(classifyVersionChange('1.0.0+5', '1.0.0+3')).toBe('ahead');
+  });
+
+  test('tolerates `v` / `=` prefixes', () => {
+    expect(classifyVersionChange('v1.0.0+3', 'v1.0.0+4')).toBe('patch');
+    expect(classifyVersionChange('=1.0.0', '=1.1.0')).toBe('minor');
+  });
+
+  test('missing patch / revision segments default to 0', () => {
+    expect(classifyVersionChange('1.0', '1.0.1')).toBe('patch');
+    expect(classifyVersionChange('1.0', '2.0')).toBe('major');
+    expect(classifyVersionChange('1.0.0', '1.0.0+1')).toBe('patch');
+  });
+});

package/src/cli/commands/module-upgrade.ts

@@ -10,7 +10,10 @@
  */
 
 import { cpSync, existsSync, readFileSync, readdirSync } from 'node:fs';
+import { unlink } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
 import { join, resolve } from 'node:path';
+import * as p from '@clack/prompts';
 import { eq } from 'drizzle-orm';
 import { parse as parseYaml } from 'yaml';
 import { registerModuleCapabilities } from '../../capabilities/registration';
@@ -19,11 +22,22 @@ import { capabilities, modules } from '../../db/schema';
 import { ModuleManifestSchema } from '../../manifest/schema';
 import type { ModuleManifest } from '../../manifest/schema';
 import { cleanupTempDir, extractPackage } from '../../module/packaging/extract';
+import { RegistryClient } from '../../registry/client';
+import { getFlag } from '../parser';
 import { log } from '../prompts';
 import type { CommandResult } from '../types';
 
 type UpgradeOutcome =
-  | { status: 'success'; moduleId: string }
+  | {
+      status: 'success';
+      moduleId: string;
+      /** Version that was on disk before the upgrade (manifest.yml semver). */
+      previousVersion: string;
+      /** Version that's now installed. Includes +N revision when known
+       *  (registry-driven upgrades pass the canonical "1.0.0+5" form;
+       *  path-driven upgrades fall back to the manifest semver). */
+      newVersion: string;
+    }
   | { status: 'failed'; moduleId: string; error: string }
   // `skipped` means the path expanded from a glob but isn't an
   // upgradable target — either no manifest at all (probably a non-
@@ -32,6 +46,108 @@ type UpgradeOutcome =
   // `celilo module update modules/*` does what users expect.
   | { status: 'skipped'; moduleId: string; reason: string };
 
+/**
+ * Tunables for `upgradeOne`. Quiet mode silences the per-call log
+ * lines so callers driving a batch (the registry sweep) can render
+ * their own structured output without duplicates. `displayVersion`
+ * lets the registry caller carry the canonical `+N` revision through
+ * to both the DB column and the success log.
+ */
+interface UpgradeOpts {
+  quiet?: boolean;
+  displayVersion?: string;
+}
+
+/**
+ * Parse a celilo version string into [major, minor, patch, revision].
+ * Celilo's published versions look like `1.0.0+3` — semver core plus a
+ * publish revision suffix (the +N resets on every semver bump). Missing
+ * segments default to 0; non-numeric segments are clamped to 0 so we
+ * never throw on weird upstream input.
+ */
+function parseModuleVersion(v: string): [number, number, number, number] {
+  const cleaned = v.replace(/^[v=]+/, '');
+  const [core, rev] = cleaned.split('+');
+  const parts = (core ?? '').split('.');
+  const num = (s: string | undefined) => {
+    const n = Number(s ?? '0');
+    return Number.isNaN(n) ? 0 : n;
+  };
+  return [num(parts[0]), num(parts[1]), num(parts[2]), num(rev)];
+}
+
+export type VersionChangeKind = 'up-to-date' | 'ahead' | 'patch' | 'minor' | 'major';
+
+/**
+ * Classify a registry-side update relative to the installed version.
+ *   `major` = breaking (semver-major bump). Operator must approve.
+ *   `minor` = additive feature. Auto-applied.
+ *   `patch` = bugfix or revision-only (+N) bump. Auto-applied.
+ *   `up-to-date` = identical version.
+ *   `ahead` = installed is newer than registry. Skip silently — usually
+ *             means the operator pushed locally without publishing.
+ *
+ * Exported for unit tests.
+ */
+export function classifyVersionChange(installed: string, latest: string): VersionChangeKind {
+  const [aMaj, aMin, aPat, aRev] = parseModuleVersion(installed);
+  const [bMaj, bMin, bPat, bRev] = parseModuleVersion(latest);
+  if (bMaj > aMaj) return 'major';
+  if (bMaj < aMaj) return 'ahead';
+  if (bMin > aMin) return 'minor';
+  if (bMin < aMin) return 'ahead';
+  if (bPat > aPat) return 'patch';
+  if (bPat < aPat) return 'ahead';
+  if (bRev > aRev) return 'patch';
+  if (bRev < aRev) return 'ahead';
+  return 'up-to-date';
+}
+
+/**
+ * Download a module package from the registry into a temp file and run
+ * the standard upgradeOne path against it. Cleans the temp file in a
+ * finally block so a mid-flight failure doesn't leak a tar.zst on disk.
+ */
+async function fetchAndUpgrade(
+  client: RegistryClient,
+  moduleId: string,
+  version: string,
+  db: ReturnType<typeof getDb>,
+  flags: Record<string, string | boolean>,
+): Promise<UpgradeOutcome> {
+  const tmpPath = join(tmpdir(), `${moduleId}-${version}-${Date.now()}.netapp`);
+  try {
+    const pkgData = await client.download(moduleId, version);
+    await Bun.write(tmpPath, pkgData);
+  } catch (err) {
+    return {
+      status: 'failed',
+      moduleId,
+      error: `Download failed: ${err instanceof Error ? err.message : String(err)}`,
+    };
+  }
+  try {
+    // Registry packages are pre-verified at publish time; skip the
+    // signature check here to match `module import`'s registry path.
+    // `quiet: true` suppresses upgradeOne's per-call log lines so the
+    // sweep can render its own structured per-module output without
+    // duplicates. `displayVersion: version` carries the registry's
+    // canonical "X.Y.Z+N" through to both the DB column and the success
+    // log line — without it, output would say "v1.0.0 → v1.0.0" because
+    // the manifest semver doesn't include the +N revision.
+    return await upgradeOne(
+      tmpPath,
+      db,
+      { ...flags, 'skip-verify': true },
+      { quiet: true, displayVersion: version },
+    );
+  } finally {
+    try {
+      await unlink(tmpPath);
+    } catch {}
+  }
+}
+
 /**
  * Upgrade a single module from a source path
  */
@@ -39,6 +155,7 @@ async function upgradeOne(
   sourcePath: string,
   db: ReturnType<typeof getDb>,
   flags: Record<string, string | boolean> = {},
+  opts: UpgradeOpts = {},
 ): Promise<UpgradeOutcome> {
   const originalCwd = process.env.CELILO_ORIGINAL_CWD || process.cwd();
   const importPath = resolve(originalCwd, sourcePath);
@@ -78,7 +195,7 @@ async function upgradeOne(
           error: verifyResult.error || 'Package verification failed',
         };
       }
-    } else {
+    } else if (!opts.quiet) {
       log.warn('Skipping package signature verification (--skip-verify)');
     }
   }
@@ -123,8 +240,17 @@ async function upgradeOne(
     };
   }
 
-  const oldManifest = module.manifestData as ModuleManifest;
-  log.info(`Upgrading ${moduleId}: v${oldManifest.version} → v${newManifest.version}`);
+  // Old version comes from the DB so we capture whatever was last
+  // recorded (which IS the registry-versioned form, e.g. "1.0.0+5",
+  // for registry-driven installs/upgrades).
+  const previousVersion = module.version;
+  // New version: prefer the caller-supplied display version (registry's
+  // canonical "X.Y.Z+N"), fall back to the manifest semver core when
+  // upgrading from a local path.
+  const newVersion = opts.displayVersion ?? newManifest.version;
+  if (!opts.quiet) {
+    log.info(`Upgrading ${moduleId}: ${previousVersion} → ${newVersion}`);
+  }
 
   // Copy new module files, preserving generated output and state
   const installedPath = module.sourcePath;
@@ -142,11 +268,13 @@ async function upgradeOne(
   // Clean up temp dir if we extracted a .netapp
   if (tempDir) await cleanupTempDir(tempDir);
 
-  // Update manifest in database
+  // Update manifest in database. We persist the display version (with
+  // +N when known) so subsequent `module list` / `module update` calls
+  // see the same version string the registry reported.
   db.update(modules)
     .set({
       manifestData: newManifest as unknown as Record<string, unknown>,
-      version: newManifest.version,
+      version: newVersion,
       name: newManifest.name,
     })
     .where(eq(modules.id, moduleId))
@@ -157,13 +285,18 @@ async function upgradeOne(
 
   if (newManifest.provides?.capabilities && newManifest.provides.capabilities.length > 0) {
     const regResult = await registerModuleCapabilities(moduleId, newManifest, db.$client);
-    if (!regResult.success) {
+    if (!regResult.success && !opts.quiet) {
+      // Capability re-registration warnings are useful when upgrading
+      // from a path (operator iterating on dev module); for the
+      // registry sweep, the caller will surface them itself if needed.
       log.warn(`  ${moduleId}: capability re-registration warning: ${regResult.error}`);
     }
   }
 
-  log.success(`Upgraded ${moduleId} (v${oldManifest.version} → v${newManifest.version})`);
-  return { status: 'success', moduleId };
+  if (!opts.quiet) {
+    log.success(`Upgraded ${moduleId} (${previousVersion} → ${newVersion})`);
+  }
+  return { status: 'success', moduleId, previousVersion, newVersion };
 }
 
 /**
@@ -176,14 +309,15 @@ export async function handleModuleUpgrade(
   args: string[],
   flags: Record<string, string | boolean> = {},
 ): Promise<CommandResult> {
+  const db = getDb();
+
+  // Zero args = registry sweep: walk every installed module, pick up
+  // any non-breaking update from the registry automatically, and
+  // prompt per-module for breaking (semver-major) updates.
   if (args.length === 0) {
-    return {
-      success: false,
-      error: 'At least one module path is required\n\nUsage: celilo module update <path> [path...]',
-    };
+    return runRegistrySweep(db, flags);
   }
 
-  const db = getDb();
   const results: UpgradeOutcome[] = [];
 
   for (const path of args) {
@@ -241,3 +375,177 @@ export async function handleModuleUpgrade(
   }
   return { success: true, message: lines.join('\n\n') };
 }
+
+interface UpdatePlan {
+  moduleId: string;
+  installedVersion: string;
+  targetVersion: string;
+  classification: Exclude<VersionChangeKind, 'up-to-date' | 'ahead'>;
+}
+
+/**
+ * Walk every installed module, query the registry, and produce a plan.
+ * Auto-apply non-breaking updates (patch/minor); prompt per-module for
+ * breaking (major) updates. Modules absent from the registry are
+ * surfaced as a skip — typically these are local-only modules the
+ * operator imported from a path, never published.
+ */
+async function runRegistrySweep(
+  db: ReturnType<typeof getDb>,
+  flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const installed = db.select().from(modules).all();
+  if (installed.length === 0) {
+    return { success: true, message: 'No modules installed.' };
+  }
+
+  const registryUrl = getFlag(flags, 'registry', '');
+  const client = new RegistryClient(registryUrl || undefined);
+
+  log.info(`Checking ${installed.length} installed module(s) against the registry…`);
+
+  const plans: UpdatePlan[] = [];
+  const upToDate: string[] = [];
+  const notInRegistry: string[] = [];
+  const errored: Array<{ moduleId: string; error: string }> = [];
+
+  for (const mod of installed) {
+    try {
+      const entries = await client.getIndex(mod.id);
+      if (entries.length === 0) {
+        notInRegistry.push(mod.id);
+        continue;
+      }
+      const latest = client.latestVersion(entries);
+      if (!latest) {
+        // All versions yanked.
+        notInRegistry.push(mod.id);
+        continue;
+      }
+      const cmp = classifyVersionChange(mod.version, latest.vers);
+      if (cmp === 'up-to-date' || cmp === 'ahead') {
+        upToDate.push(mod.id);
+        continue;
+      }
+      plans.push({
+        moduleId: mod.id,
+        installedVersion: mod.version,
+        targetVersion: latest.vers,
+        classification: cmp,
+      });
+    } catch (err) {
+      errored.push({
+        moduleId: mod.id,
+        error: err instanceof Error ? err.message : String(err),
+      });
+    }
+  }
+
+  if (plans.length === 0) {
+    const lines: string[] = ['All installed modules are up to date.'];
+    if (notInRegistry.length > 0) {
+      lines.push(`Not in registry: ${notInRegistry.join(', ')}`);
+    }
+    if (errored.length > 0) {
+      lines.push(`Registry errors: ${errored.map((e) => `${e.moduleId} (${e.error})`).join('; ')}`);
+    }
+    return { success: true, message: lines.join('\n') };
+  }
+
+  const nonBreaking = plans.filter((p) => p.classification !== 'major');
+  const breaking = plans.filter((p) => p.classification === 'major');
+
+  let appliedNonBreaking = 0;
+  const failed: Array<{ moduleId: string; error: string }> = [];
+
+  if (nonBreaking.length > 0) {
+    log.info(`Auto-applying ${nonBreaking.length} non-breaking update(s):`);
+    for (const plan of nonBreaking) {
+      const result = await fetchAndUpgrade(client, plan.moduleId, plan.targetVersion, db, flags);
+      if (result.status === 'failed') {
+        failed.push({ moduleId: plan.moduleId, error: result.error });
+        console.log(
+          `  ✗ ${plan.moduleId.padEnd(30)} ${plan.installedVersion} → ${plan.targetVersion}  (${plan.classification}, FAILED)`,
+        );
+      } else if (result.status === 'success') {
+        appliedNonBreaking++;
+        console.log(
+          `  ✓ ${plan.moduleId.padEnd(30)} ${result.previousVersion} → ${result.newVersion}  (${plan.classification})`,
+        );
+      }
+      // status === 'skipped' shouldn't happen for registry-fetched packages
+      // (we know the module is installed; the package definitely has a
+      // manifest), but treat it as a no-op if it does.
+    }
+  }
+
+  let appliedBreaking = 0;
+  let skippedBreaking = 0;
+
+  if (breaking.length > 0) {
+    log.info('\nBreaking updates available — review required (semver-major bump):');
+    for (const plan of breaking) {
+      console.log(
+        `  ⚠ ${plan.moduleId.padEnd(30)} ${plan.installedVersion} → ${plan.targetVersion}`,
+      );
+    }
+    log.message('Each breaking update will be applied only on explicit confirmation.\n');
+
+    for (const plan of breaking) {
+      const proceed = await p.confirm({
+        message: `Apply breaking update for ${plan.moduleId} (${plan.installedVersion} → ${plan.targetVersion})?`,
+        initialValue: false,
+      });
+      if (p.isCancel(proceed) || !proceed) {
+        skippedBreaking++;
+        continue;
+      }
+      const result = await fetchAndUpgrade(client, plan.moduleId, plan.targetVersion, db, flags);
+      if (result.status === 'failed') {
+        failed.push({ moduleId: plan.moduleId, error: result.error });
+        console.log(
+          `  ✗ ${plan.moduleId.padEnd(30)} ${plan.installedVersion} → ${plan.targetVersion}  (major, FAILED)`,
+        );
+      } else if (result.status === 'success') {
+        appliedBreaking++;
+        console.log(
+          `  ✓ ${plan.moduleId.padEnd(30)} ${result.previousVersion} → ${result.newVersion}  (major)`,
+        );
+      }
+    }
+  }
+
+  // Summary
+  const summary: string[] = [];
+  const totalApplied = appliedNonBreaking + appliedBreaking;
+  if (totalApplied > 0) {
+    const parts = [`${appliedNonBreaking} non-breaking`];
+    if (appliedBreaking > 0) parts.push(`${appliedBreaking} breaking`);
+    summary.push(`Applied ${totalApplied} update(s) (${parts.join(', ')}).`);
+  } else {
+    summary.push('No updates applied.');
+  }
+  if (skippedBreaking > 0) {
+    summary.push(`Skipped ${skippedBreaking} breaking update(s) (operator declined).`);
+  }
+  if (notInRegistry.length > 0) {
+    summary.push(`Not in registry (${notInRegistry.length}): ${notInRegistry.join(', ')}`);
+  }
+  if (errored.length > 0) {
+    summary.push(
+      `Registry errors (${errored.length}): ${errored.map((e) => `${e.moduleId} — ${e.error}`).join('; ')}`,
+    );
+  }
+  if (failed.length > 0) {
+    return {
+      success: false,
+      error: [
+        ...summary,
+        '',
+        'Failures:',
+        ...failed.map((f) => `  ${f.moduleId}: ${f.error}`),
+      ].join('\n'),
+    };
+  }
+  return { success: true, message: summary.join('\n') };
+}

package/src/cli/index.ts

@@ -357,7 +357,10 @@ Subcommands:
     Options:
       --debug                            Run with visible browser (Playwright hooks)
 
-  update <path> [path...]               Update module code while preserving state (configs, secrets, infra)
+  update                                Sweep registry: auto-apply non-breaking updates, prompt for breaking
+  update <path> [path...]               Update module(s) from local path(s) (preserves config/secrets/infra)
+    Options:
+      --registry <url>                  Use a custom registry (sweep mode only)
 
 Registry:
   search [query]                       Search the registry for modules

package/src/services/deploy-validation.ts

@@ -29,6 +29,9 @@ export interface ValidationResult {
     options?: Array<{ value: string; label: string; hint?: string }>;
     per_selection?: { key_pattern: string; prompt: string; type?: string; derive_from?: string };
     generate?: { method: string; length: number; encoding: string };
+    /** For `type: string-map` only — labels shown in the add-loop prompt. */
+    key_label?: string;
+    value_label?: string;
   }>;
 }
 
@@ -383,6 +386,9 @@ async function findMissingRequiredVariables(
     type?: string;
     options?: Array<{ value: string; label: string; hint?: string }>;
     per_selection?: { key_pattern: string; prompt: string; type?: string; derive_from?: string };
+    generate?: { method: string; length: number; encoding: string };
+    key_label?: string;
+    value_label?: string;
   }>
 > {
   const missing: Array<{
@@ -394,6 +400,8 @@ async function findMissingRequiredVariables(
     options?: Array<{ value: string; label: string; hint?: string }>;
     per_selection?: { key_pattern: string; prompt: string; type?: string; derive_from?: string };
     generate?: { method: string; length: number; encoding: string };
+    key_label?: string;
+    value_label?: string;
   }> = [];
 
   // Check declared variables (user config, capability, system, infrastructure)
@@ -460,6 +468,12 @@ async function findMissingRequiredVariables(
           source: 'secret',
           description: secret.description,
           generate: secret.generate,
+          // Pass through manifest-declared type + add-loop labels so the
+          // bus payload can drive the right responder UX (e.g. string-map
+          // gets the per-key add-loop instead of the JSON-blob prompt).
+          type: secret.type,
+          key_label: secret.key_label,
+          value_label: secret.value_label,
         });
       }
     }