@celilo/cli 0.3.22 → 0.3.24

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.3.22",
+  "version": "0.3.24",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {

package/src/cli/commands/system-update.ts

@@ -218,8 +218,23 @@ function buildOps(registry: RegistryClient): OrchestratorOps {
       return { status: r.status, detail: r.error };
     },
     snapshotCeliloDb: async (_updateId) => {
-      const result = await createSystemStateBackup();
-      return result.success ? { ok: true } : { ok: false, error: result.error };
+      // resolveStorage throws when no default backup storage is configured
+      // (or it isn't verified). Catch here so the orchestrator gets a
+      // clean { ok: false, error } shape — the alternative is the throw
+      // escapes runSystemUpdate and surfaces as an unhandled stack trace.
+      // The handleSystemUpdate pre-flight already catches the common
+      // "no storage configured" case with a friendly message; this is
+      // a belt-and-suspenders for any other throw path resolveStorage
+      // takes (e.g. storage exists but isn't verified).
+      try {
+        const result = await createSystemStateBackup();
+        return result.success ? { ok: true } : { ok: false, error: result.error };
+      } catch (err) {
+        return {
+          ok: false,
+          error: err instanceof Error ? err.message : String(err),
+        };
+      }
     },
   };
 }
@@ -233,15 +248,45 @@ function formatResult(result: SystemUpdateResult): string {
     `  self-update: ${result.selfUpdate.performed ? `${result.selfUpdate.from} → ${result.selfUpdate.to}` : `(${result.selfUpdate.reason})`}`,
   );
   lines.push(`  backups: ${result.backupsCreated ? 'created' : 'skipped'}`);
-  lines.push('');
-  for (const m of result.modules) {
-    const tag =
-      m.step === 'done' ? '✓' : m.step === 'failed' ? '✗' : m.step === 'skipped' ? '↳' : '?';
-    const change =
-      m.fromVersion === m.toVersion ? m.fromVersion : `${m.fromVersion} → ${m.toVersion}`;
-    lines.push(`  ${tag} ${m.moduleId} (${change}) — ${m.step}`);
-    if (m.error) lines.push(`      ${m.error}`);
-    if (m.skipReason) lines.push(`      ${m.skipReason}`);
+
+  // Surface audit findings inline. DRIFT means "something is drifting
+  // but it didn't block the update" — without listing the findings the
+  // operator has no idea what; they'd have to run `celilo system audit`
+  // as a follow-up. Show them here so it's a single round-trip.
+  // BLOCKED also gets the listing (the orchestrator already short-
+  // circuited to skip the run, but the operator still needs to know
+  // why — formatResult is the friendly path for that too).
+  if (result.audit.findings.length > 0) {
+    lines.push('');
+    const drift = result.audit.findings.filter((f) => f.severity === 'drift');
+    const blocked = result.audit.findings.filter((f) => f.severity === 'blocked');
+    if (blocked.length > 0) {
+      lines.push(`  BLOCKED (${blocked.length}):`);
+      for (const f of blocked) {
+        lines.push(`    ✗ [${f.category}] ${f.subject}: ${f.message}`);
+        if (f.remediation) lines.push(`        → ${f.remediation}`);
+      }
+    }
+    if (drift.length > 0) {
+      lines.push(`  Drift findings (${drift.length}, informational):`);
+      for (const f of drift) {
+        lines.push(`    ▸ [${f.category}] ${f.subject}: ${f.message}`);
+        if (f.remediation) lines.push(`        → ${f.remediation}`);
+      }
+    }
+  }
+
+  if (result.modules.length > 0) {
+    lines.push('');
+    for (const m of result.modules) {
+      const tag =
+        m.step === 'done' ? '✓' : m.step === 'failed' ? '✗' : m.step === 'skipped' ? '↳' : '?';
+      const change =
+        m.fromVersion === m.toVersion ? m.fromVersion : `${m.fromVersion} → ${m.toVersion}`;
+      lines.push(`  ${tag} ${m.moduleId} (${change}) — ${m.step}`);
+      if (m.error) lines.push(`      ${m.error}`);
+      if (m.skipReason) lines.push(`      ${m.skipReason}`);
+    }
   }
   return lines.join('\n');
 }
@@ -394,6 +439,49 @@ export async function handleSystemUpdate(
         };
   }
 
+  // Decide whether the celilo-db snapshot is even needed for this run.
+  // If nothing's changing at the module level, there's nothing to roll
+  // back to — taking a snapshot would be pointless work, and on a fresh
+  // box (no storage configured yet) it would actively fail. Treat the
+  // "nothing-to-update" case as implicit --no-backup.
+  const hasModuleUpdates = [...snapshots.values()].some(
+    (s) => s.latestVersion && s.latestVersion !== s.installedVersion,
+  );
+  const effectiveNoBackup = noBackup || !hasModuleUpdates;
+
+  // Pre-flight the storage check so a missing default doesn't reach the
+  // orchestrator's snapshot hook (where the throw would surface as a
+  // hostile stack trace). Skip when we're already not going to backup.
+  if (!effectiveNoBackup) {
+    const { getDefaultBackupStorage } = await import('../../services/backup-storage');
+    const storage = getDefaultBackupStorage();
+    if (!storage) {
+      return {
+        success: false,
+        error: `No default backup storage configured.
+
+celilo system update snapshots the celilo DB before applying module
+updates as a safety net. Configure backup storage first:
+
+  celilo storage add local
+
+Or skip the safety net entirely (the CLI self-update still runs):
+
+  celilo system update --no-backup`,
+      };
+    }
+    if (!storage.verified) {
+      return {
+        success: false,
+        error: `Default backup storage '${storage.storageId}' is not verified.
+
+Run:  celilo storage verify ${storage.storageId}
+
+Then re-run system update.`,
+      };
+    }
+  }
+
   const ops = buildOps(registry);
 
   const result = await runSystemUpdate({
@@ -423,7 +511,7 @@ export async function handleSystemUpdate(
       },
     },
     progress: { emit() {} },
-    noBackup,
+    noBackup: effectiveNoBackup,
     allowDestructive,
     onlyModule,
   });