@celilo/cli 0.3.24 → 0.3.25

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.3.24",
+  "version": "0.3.25",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {

package/src/manifest/schema.ts

@@ -112,6 +112,17 @@ export const SecretDeclareSchema = z.object({
   // generic; namecheap wants 'Domain' / 'Password'.
   key_label: z.string().optional(),
   value_label: z.string().optional(),
+  // For `type: string-map` only: optional regex applied to each entered
+  // key. The responder rejects mismatches and re-prompts. Use for
+  // domain-shape validation (apex-only), hostname/email shape, etc.
+  // Pair with key_pattern_message to give the operator the rule in
+  // plain English when they hit it.
+  key_pattern: z.string().optional(),
+  key_pattern_message: z.string().optional(),
+  // Same idea for value validation. Less commonly useful for secrets
+  // (passwords vary), but provided for symmetry.
+  value_pattern: z.string().optional(),
+  value_pattern_message: z.string().optional(),
 });
 
 /**

package/src/services/bus-interview.ts

@@ -87,6 +87,16 @@ export interface SecretRequiredPayload {
    */
   key_label?: string;
   value_label?: string;
+  /**
+   * For `type: string-map` only — optional regex applied to each
+   * entered key/value. Mismatches are rejected at input time and the
+   * prompt re-fires. Pair with the `_message` variants for a
+   * plain-English explanation when the operator hits one.
+   */
+  key_pattern?: string;
+  key_pattern_message?: string;
+  value_pattern?: string;
+  value_pattern_message?: string;
 }
 
 export interface SecretAck {

package/src/services/config-interview.ts

@@ -70,6 +70,10 @@ interface SecretDeclareLike {
   description?: string;
   key_label?: string;
   value_label?: string;
+  key_pattern?: string;
+  key_pattern_message?: string;
+  value_pattern?: string;
+  value_pattern_message?: string;
   generate?: { method: string; length: number; encoding: string };
 }
 
@@ -89,6 +93,11 @@ function coerceSecretDeclare(entry: unknown): SecretDeclareLike | null {
   if (typeof e.description === 'string') out.description = e.description;
   if (typeof e.key_label === 'string') out.key_label = e.key_label;
   if (typeof e.value_label === 'string') out.value_label = e.value_label;
+  if (typeof e.key_pattern === 'string') out.key_pattern = e.key_pattern;
+  if (typeof e.key_pattern_message === 'string') out.key_pattern_message = e.key_pattern_message;
+  if (typeof e.value_pattern === 'string') out.value_pattern = e.value_pattern;
+  if (typeof e.value_pattern_message === 'string')
+    out.value_pattern_message = e.value_pattern_message;
   if (typeof e.generate === 'object' && e.generate !== null) {
     const g = e.generate as Record<string, unknown>;
     if (
@@ -129,6 +138,10 @@ export async function findMissingSecrets(
       type: secret.type,
       key_label: secret.key_label,
       value_label: secret.value_label,
+      key_pattern: secret.key_pattern,
+      key_pattern_message: secret.key_pattern_message,
+      value_pattern: secret.value_pattern,
+      value_pattern_message: secret.value_pattern_message,
       generate: secret.generate,
     });
   }
@@ -161,6 +174,11 @@ export interface MissingVariable {
   /** For `type: string-map` only — labels shown in the add-loop prompt. */
   key_label?: string;
   value_label?: string;
+  /** For `type: string-map` only — optional regex validation per entry. */
+  key_pattern?: string;
+  key_pattern_message?: string;
+  value_pattern?: string;
+  value_pattern_message?: string;
 }
 
 export interface InterviewResult {
@@ -735,6 +753,10 @@ export async function interviewForMissingSecrets(
               : undefined,
           key_label: variable.key_label,
           value_label: variable.value_label,
+          key_pattern: variable.key_pattern,
+          key_pattern_message: variable.key_pattern_message,
+          value_pattern: variable.value_pattern,
+          value_pattern_message: variable.value_pattern_message,
         };
         await busInterview<SecretAck>(EVENT_TYPES.secretRequired(moduleId, variable.name), payload);
         log.success(`Saved ${variable.name}`);

package/src/services/deploy-validation.test.ts

@@ -260,4 +260,36 @@ describe('findMissingSecrets (shared)', () => {
     );
     expect(missing.map((m) => m.name)).toEqual(['still_missing']);
   });
+
+  test('passes through key_pattern / value_pattern + their messages', async () => {
+    // The terminal-responder reads these off the bus payload to apply
+    // input-time regex validation. Without manifest → MissingVariable
+    // propagation, the responder never sees them and operators end
+    // up entering invalid keys (e.g. 'www.lunacycle.net' instead of
+    // the apex 'lunacycle.net').
+    const missing = await findMissingSecrets(
+      'testmod',
+      {
+        secrets: {
+          declares: [
+            {
+              name: 'ddns_passwords',
+              type: 'string-map',
+              required: true,
+              key_pattern: '^[a-z0-9-]+\\.[a-z]{2,}$',
+              key_pattern_message: 'apex domain only — drop the www.',
+              value_pattern: '^.{8,}$',
+              value_pattern_message: 'min 8 chars',
+            },
+          ],
+        },
+      },
+      db,
+    );
+    expect(missing).toHaveLength(1);
+    expect(missing[0].key_pattern).toBe('^[a-z0-9-]+\\.[a-z]{2,}$');
+    expect(missing[0].key_pattern_message).toBe('apex domain only — drop the www.');
+    expect(missing[0].value_pattern).toBe('^.{8,}$');
+    expect(missing[0].value_pattern_message).toBe('min 8 chars');
+  });
 });

package/src/services/deploy-validation.ts

@@ -33,6 +33,10 @@ export interface ValidationResult {
     /** For `type: string-map` only — labels shown in the add-loop prompt. */
     key_label?: string;
     value_label?: string;
+    key_pattern?: string;
+    key_pattern_message?: string;
+    value_pattern?: string;
+    value_pattern_message?: string;
   }>;
 }
 
@@ -390,6 +394,10 @@ export async function findMissingRequiredVariables(
     generate?: { method: string; length: number; encoding: string };
     key_label?: string;
     value_label?: string;
+    key_pattern?: string;
+    key_pattern_message?: string;
+    value_pattern?: string;
+    value_pattern_message?: string;
   }>
 > {
   const missing: Array<{
@@ -403,6 +411,10 @@ export async function findMissingRequiredVariables(
     generate?: { method: string; length: number; encoding: string };
     key_label?: string;
     value_label?: string;
+    key_pattern?: string;
+    key_pattern_message?: string;
+    value_pattern?: string;
+    value_pattern_message?: string;
   }> = [];
 
   // Check declared variables (user config, capability, system, infrastructure)
@@ -466,6 +478,10 @@ export async function findMissingRequiredVariables(
       generate: s.generate,
       key_label: s.key_label,
       value_label: s.value_label,
+      key_pattern: s.key_pattern,
+      key_pattern_message: s.key_pattern_message,
+      value_pattern: s.value_pattern,
+      value_pattern_message: s.value_pattern_message,
     });
   }
 

package/src/services/terminal-responder.ts

@@ -397,6 +397,21 @@ async function promptForStringMap(payload: SecretRequiredPayload): Promise<strin
     `Add ${keyLabel.toLowerCase()} → ${valueLabel.toLowerCase()} entries one at a time. Press Enter on an empty ${keyLabel.toLowerCase()} when done.`,
   );
 
+  // Compile the optional regex validators once. An invalid regex (i.e.
+  // a typo in the manifest) gets surfaced once here; we treat it as
+  // "no validation" rather than wedging the whole interview.
+  const keyRegex = compileMaybeRegex(
+    payload.key_pattern,
+    `${payload.module}.${payload.key} key_pattern`,
+  );
+  const valueRegex = compileMaybeRegex(
+    payload.value_pattern,
+    `${payload.module}.${payload.key} value_pattern`,
+  );
+  const keyPatternMessage = payload.key_pattern_message ?? `must match: ${payload.key_pattern}`;
+  const valuePatternMessage =
+    payload.value_pattern_message ?? `must match: ${payload.value_pattern}`;
+
   const collected: Record<string, string> = {};
 
   while (true) {
@@ -405,7 +420,14 @@ async function promptForStringMap(payload: SecretRequiredPayload): Promise<strin
 
     const key = await promptText({
       message: keyMessage,
-      validate: () => undefined, // empty = finish
+      // promptText empties + falsy returns terminate the loop, so
+      // validate has to allow empty input. Apply the key regex only
+      // to non-empty values so the operator can still finish the loop.
+      validate: (val) => {
+        if (!val || val.trim() === '') return undefined;
+        if (keyRegex && !keyRegex.test(val.trim())) return keyPatternMessage;
+        return undefined;
+      },
     });
     if (key === undefined) {
       // User cancelled (Ctrl-C). Return undefined so the responder
@@ -429,7 +451,11 @@ async function promptForStringMap(payload: SecretRequiredPayload): Promise<strin
 
     const value = await promptPassword({
       message: `${valueLabel} for '${trimmedKey}':`,
-      validate: (val) => (!val || val.trim() === '' ? 'Required' : undefined),
+      validate: (val) => {
+        if (!val || val.trim() === '') return 'Required';
+        if (valueRegex && !valueRegex.test(val)) return valuePatternMessage;
+        return undefined;
+      },
     });
     if (value === undefined) {
       // User cancelled mid-entry; abort the whole interview.
@@ -443,6 +469,23 @@ async function promptForStringMap(payload: SecretRequiredPayload): Promise<strin
   return JSON.stringify(collected);
 }
 
+/**
+ * Compile a regex pattern from manifest config, returning null on
+ * empty or invalid input. A bad regex emits a one-time warning and
+ * disables that validation rather than crashing the interview.
+ */
+function compileMaybeRegex(pattern: string | undefined, label: string): RegExp | null {
+  if (!pattern) return null;
+  try {
+    return new RegExp(pattern);
+  } catch (err) {
+    log.warn(
+      `${label}: invalid regex '${pattern}' — ${err instanceof Error ? err.message : String(err)}. Skipping validation.`,
+    );
+    return null;
+  }
+}
+
 /**
  * Short hint shown in the prompt for non-string types so the operator
  * isn't guessing what shape we want. Returns null for plain strings —