@celilo/cli 0.3.3 → 0.3.9

package/src/services/config-interview.ts

@@ -1,12 +1,5 @@
-/**
- * Interactive Configuration Interview Service
- *
- * Prompts users for missing required configuration during deployment
- */
-
-import * as p from '@clack/prompts';
 import { and, eq } from 'drizzle-orm';
-import { log, promptPassword, promptText } from '../cli/prompts';
+import { log, promptPassword } from '../cli/prompts';
 import type { DbClient } from '../db/client';
 import { moduleConfigs, modules, secrets } from '../db/schema';
 import type { Ensure } from '../manifest/schema';
@@ -18,6 +11,10 @@ import {
   type ConfigReply,
   type ConfigRequiredPayload,
   EVENT_TYPES,
+  type EnsureReply,
+  type EnsureRequiredPayload,
+  type SecretAck,
+  type SecretRequiredPayload,
   busInterview,
 } from './bus-interview';
 import { getSecretMetadata, loadSecretsSchema } from './secret-schema-loader';
@@ -243,34 +240,25 @@ export async function interviewForMissingConfig(
                   });
                 configured.push(followUpKey);
               } else {
-                // Can't derive - prompt for this follow-up
+                // Can't derive — bus-mediated prompt (responder
+                // races terminal vs `events respond` etc.)
                 const option = variable.options?.find((o) => o.value === selectedVal);
                 const followUpPrompt = variable.per_selection.prompt
                   .replace('{value}', selectedVal)
                   .replace('{label}', option?.label || selectedVal)
                   .replace('{hint}', option?.hint || '');
-
-                const userValue = await promptText({
-                  message: followUpPrompt,
-                  validate: (val) => {
-                    if (!val || val.trim() === '') return 'This field is required';
-                  },
-                });
-
-                await db
-                  .insert(moduleConfigs)
-                  .values({
-                    moduleId,
-                    key: followUpKey,
-                    value: userValue,
-                    valueJson: null,
-                    createdAt: new Date(),
-                    updatedAt: new Date(),
-                  })
-                  .onConflictDoUpdate({
-                    target: [moduleConfigs.moduleId, moduleConfigs.key],
-                    set: { value: userValue, updatedAt: new Date() },
-                  });
+                const followUpPayload: ConfigRequiredPayload = {
+                  module: moduleId,
+                  key: followUpKey,
+                  type: (variable.per_selection.type as ConfigRequiredPayload['type']) ?? 'string',
+                  required: true,
+                  description: followUpPrompt,
+                };
+                const followUpReply = await busInterview<ConfigReply>(
+                  EVENT_TYPES.configRequired(moduleId, followUpKey),
+                  followUpPayload,
+                );
+                await writeModuleConfigKey(moduleId, followUpKey, followUpReply.value, db);
                 configured.push(followUpKey);
               }
             }
@@ -331,54 +319,29 @@ export async function interviewForMissingConfig(
 
         configured.push(`${variable.name} (secret)`);
       } else if (variable.options && variable.options.length > 0) {
-        // Multi-select prompt for variables with options
-        const message = variable.description
-          ? `${variable.name} - ${variable.description}:`
-          : `${variable.name}:`;
-
-        const selected = await p.multiselect({
-          message,
-          options: variable.options.map((opt) => ({
-            value: opt.value,
-            label: opt.label,
-            hint: opt.hint,
-          })),
+        // Multi-select via bus. The terminal-responder (or any other
+        // responder) sees the options[] in the payload and presents a
+        // multiselect prompt; the reply value is the selected
+        // string[]. Same race + first-reply-wins semantics as the
+        // simple-text path.
+        const payload: ConfigRequiredPayload = {
+          module: moduleId,
+          key: variable.name,
+          type: 'array',
           required: true,
-        });
-
-        if (p.isCancel(selected)) {
-          return {
-            success: false,
-            configured,
-            error: `Configuration cancelled for ${variable.name}`,
-          };
-        }
-
-        const selectedValues = selected as string[];
-        value = selectedValues.join(',');
-
-        // Store config
-        await db
-          .insert(moduleConfigs)
-          .values({
-            moduleId,
-            key: variable.name,
-            value,
-            valueJson: null,
-            createdAt: new Date(),
-            updatedAt: new Date(),
-          })
-          .onConflictDoUpdate({
-            target: [moduleConfigs.moduleId, moduleConfigs.key],
-            set: {
-              value,
-              updatedAt: new Date(),
-            },
-          });
-
+          description: variable.description,
+          options: variable.options,
+        };
+        const reply = await busInterview<ConfigReply>(
+          EVENT_TYPES.configRequired(moduleId, variable.name),
+          payload,
+        );
+        const selectedValues = reply.value as string[];
+        await writeModuleConfigKey(moduleId, variable.name, selectedValues, db);
         configured.push(variable.name);
 
-        // Handle per_selection follow-up prompts
+        // Handle per_selection follow-up prompts. One bus event per
+        // selected option; each races independently.
         if (variable.per_selection) {
           for (const selectedVal of selectedValues) {
             const option = variable.options?.find((o) => o.value === selectedVal);
@@ -388,7 +351,8 @@ export async function interviewForMissingConfig(
               .replace('{label}', option?.label || selectedVal)
               .replace('{hint}', option?.hint || '');
 
-            // Check if already configured
+            // Skip if this follow-up was already answered (e.g., a
+            // previous deploy attempt).
             const existingFollowUp = db
               .select()
               .from(moduleConfigs)
@@ -396,27 +360,19 @@ export async function interviewForMissingConfig(
               .get();
 
             if (!existingFollowUp || !existingFollowUp.value) {
-              const followUpValue = await promptText({
-                message: followUpPrompt,
-                validate: (val) => {
-                  if (!val || val.trim() === '') return 'This field is required';
-                },
-              });
+              const followUpPayload: ConfigRequiredPayload = {
+                module: moduleId,
+                key: followUpKey,
+                type: (variable.per_selection.type as ConfigRequiredPayload['type']) ?? 'string',
+                required: true,
+                description: followUpPrompt,
+              };
+              const followUpReply = await busInterview<ConfigReply>(
+                EVENT_TYPES.configRequired(moduleId, followUpKey),
+                followUpPayload,
+              );
 
-              await db
-                .insert(moduleConfigs)
-                .values({
-                  moduleId,
-                  key: followUpKey,
-                  value: followUpValue,
-                  valueJson: null,
-                  createdAt: new Date(),
-                  updatedAt: new Date(),
-                })
-                .onConflictDoUpdate({
-                  target: [moduleConfigs.moduleId, moduleConfigs.key],
-                  set: { value: followUpValue, updatedAt: new Date() },
-                });
+              await writeModuleConfigKey(moduleId, followUpKey, followUpReply.value, db);
 
               configured.push(followUpKey);
             }
@@ -442,29 +398,13 @@ export async function interviewForMissingConfig(
           payload,
         );
 
-        // The reply.value is typed per payload.type; the terminal-
-        // responder coerces strings to numbers/bools/json-as-array etc.
-        // For storage, we still need a string + an optional valueJson
-        // for non-scalar types. Match what `module config set` does.
-        value = typeof reply.value === 'string' ? reply.value : JSON.stringify(reply.value);
-
-        await db
-          .insert(moduleConfigs)
-          .values({
-            moduleId,
-            key: variable.name,
-            value,
-            valueJson: null,
-            createdAt: new Date(),
-            updatedAt: new Date(),
-          })
-          .onConflictDoUpdate({
-            target: [moduleConfigs.moduleId, moduleConfigs.key],
-            set: {
-              value,
-              updatedAt: new Date(),
-            },
-          });
+        // Persist via writeModuleConfigKey so the (string value,
+        // typed valueJson) pair is set correctly. Downstream readers
+        // (validate_config hooks, capability resolvers) deserialize
+        // typed values from valueJson — earlier I was only writing
+        // value with valueJson:null, which broke `array`/`object`
+        // typed configs that consumers expected to be JSON-parsed.
+        await writeModuleConfigKey(moduleId, variable.name, reply.value, db);
 
         configured.push(variable.name);
       }
@@ -606,7 +546,9 @@ export async function interviewForMissingSecrets(
       // If no metadata, default to user_provided (safe default)
       const source = hasManifestGenerate ? 'generated' : metadata?.source || 'user_provided';
 
-      let value: string;
+      // Whether we need to encrypt + insert here, or whether the
+      // bus responder already wrote the value out-of-band.
+      let value: string | null = null;
 
       // Handle derived secrets first
       if (metadata?.deriveFrom) {
@@ -661,92 +603,41 @@ export async function interviewForMissingSecrets(
         value = generateSecret({ format, length });
 
         log.message(`Auto-generated ${format} secret: ${variable.name}`);
-      } else if (source === 'user_provided') {
-        // Always prompt, required
-        // Check if we're in interactive mode
-        if (!process.stdin.isTTY) {
-          // Non-interactive: skip this secret and continue processing others
-          // The caller will handle the remaining user-provided secrets
-          continue;
-        }
-
-        const message = variable.description
-          ? `${variable.name} - ${variable.description}:`
-          : `${variable.name}:`;
-
-        value = await promptPassword({
-          message,
-          validate: (val) => {
-            if (!val || val.trim() === '') {
-              return 'This field is required';
-            }
-          },
-        });
-
-        log.success(`Saved ${variable.name}`);
-      } else if (source === 'user_password') {
-        // Password the user must remember — prompt twice to confirm
-        if (!process.stdin.isTTY) {
-          continue;
-        }
-
-        const message = variable.description
-          ? `${variable.name} - ${variable.description}:`
-          : `${variable.name}:`;
-
-        value = await promptPassword({
-          message,
-          validate: (val) => {
-            if (!val || val.trim() === '') {
-              return 'This field is required';
-            }
-          },
-        });
-
-        const confirmation = await promptPassword({
-          message: `Confirm ${variable.name}:`,
-          validate: (val) => {
-            if (!val || val.trim() === '') {
-              return 'This field is required';
-            }
-          },
-        });
-
-        if (value !== confirmation) {
-          log.error('Passwords do not match. Please try again.');
-          // Re-prompt by decrementing — but we're in a for-of loop, so just return error
-          return {
-            success: false,
-            configured,
-            error: `Passwords do not match for ${variable.name}. Re-run deploy to try again.`,
-          };
-        }
-
+      } else if (
+        source === 'user_provided' ||
+        source === 'user_password' ||
+        source === 'generated_optional'
+      ) {
+        // Bus-mediated interview. The responder (terminal-responder
+        // when running on a TTY, Claude subagent, or `events respond`
+        // from another shell) prompts the user, writes the secret
+        // value into the encrypted store out-of-band, then replies
+        // with `{ acknowledged: true }`. The value never crosses the
+        // bus. See INTERACTIVE_DEPLOYS_VIA_BUS.md.
+        const payload: SecretRequiredPayload = {
+          module: moduleId,
+          key: variable.name,
+          // The bus payload narrows to scalar types. Secrets in the
+          // wider system can be objects, but those are written via
+          // the cross-module ensure flow, not this interview.
+          type: 'string',
+          required: true,
+          description: variable.description,
+          style: source,
+          generate:
+            source === 'generated_optional'
+              ? {
+                  format: metadata?.format || 'base64',
+                  length: metadata?.length || 32,
+                }
+              : undefined,
+        };
+        await busInterview<SecretAck>(EVENT_TYPES.secretRequired(moduleId, variable.name), payload);
         log.success(`Saved ${variable.name}`);
-      } else if (source === 'generated_optional') {
-        // Prompt with auto-generate option
-        const message = variable.description
-          ? `${variable.name} - ${variable.description} (Press Enter to auto-generate):`
-          : `${variable.name} (Press Enter to auto-generate):`;
-
-        const userValue = await promptPassword({
-          message,
-          validate: () => undefined, // Allow empty
-        });
-
-        if (!userValue || userValue.trim() === '') {
-          // Auto-generate
-          const format = metadata?.format || 'base64';
-          const length = metadata?.length || 32;
-
-          value = generateSecret({ format, length });
-
-          log.message(`Auto-generated ${format} secret: ${variable.name}`);
-        } else {
-          // Use user-provided value
-          value = userValue;
-          log.success(`Saved ${variable.name}`);
-        }
+        configured.push(`${variable.name} (secret)`);
+        // Responder already wrote to the encrypted store; skip the
+        // encrypt+insert below.
+        continue;
       } else {
         return {
           success: false,
@@ -755,7 +646,15 @@ export async function interviewForMissingSecrets(
         };
       }
 
-      // Encrypt and store secret
+      // Encrypt and store secret (deriveFrom + generated paths only;
+      // bus-mediated paths above already wrote and `continue`d).
+      if (value === null) {
+        return {
+          success: false,
+          configured,
+          error: `Internal error: ${variable.name} branch left value unset`,
+        };
+      }
       const encrypted = encryptSecret(value, masterKey);
       await db
         .insert(secrets)
@@ -814,7 +713,11 @@ function renderEnsureTemplate(template: string, value: string): string {
   return template.replace(/\{\{\s*value\s*\}\}/g, value);
 }
 
-async function readModuleConfigKey(moduleId: string, key: string, db: DbClient): Promise<unknown> {
+export async function readModuleConfigKey(
+  moduleId: string,
+  key: string,
+  db: DbClient,
+): Promise<unknown> {
   const row = db
     .select()
     .from(moduleConfigs)
@@ -831,7 +734,7 @@ async function readModuleConfigKey(moduleId: string, key: string, db: DbClient):
   return row.value;
 }
 
-async function writeModuleConfigKey(
+export async function writeModuleConfigKey(
   moduleId: string,
   key: string,
   value: unknown,
@@ -856,7 +759,7 @@ async function writeModuleConfigKey(
     .run();
 }
 
-async function readModuleSecretKey(
+export async function readModuleSecretKey(
   moduleId: string,
   name: string,
   db: DbClient,
@@ -874,7 +777,7 @@ async function readModuleSecretKey(
   );
 }
 
-async function writeModuleSecretKey(
+export async function writeModuleSecretKey(
   moduleId: string,
   name: string,
   plaintext: string,
@@ -914,12 +817,6 @@ async function writeModuleSecretKey(
 }
 
 export interface EnsureInterviewOptions {
-  /**
-   * In non-interactive mode the framework prints the recipe and aborts
-   * before reaching this function — but tests / scripted callers still
-   * use this flag to apply changes without prompting for any text input.
-   */
-  noInteractive?: boolean;
   /** Override prompts for testing — return string answers in order. */
   promptOverride?: (prompt: string, hint?: string) => Promise<string>;
 }
@@ -934,9 +831,14 @@ export interface EnsureInterviewResult {
 }
 
 /**
- * Render the CLI recipe shown in `--no-interactive` mode. Generated
- * from the manifest's `ensures` block so it stays correct as modules
- * evolve.
+ * Render the CLI recipe operators see in `events list-pending` when
+ * an ensure interview is waiting for a responder. Generated from the
+ * manifest's `ensures` block so it stays correct as modules evolve.
+ *
+ * Pre-stage 4 this was the abort-message body for `--no-interactive`
+ * deploys; now it's a diagnostic for stuck queries (the bus path
+ * waits indefinitely, but the recipe tells the operator exactly
+ * which CLI commands they could run by hand to satisfy the ensure).
  */
 export function renderEnsureRecipe(
   providerModuleId: string,
@@ -1003,31 +905,46 @@ export async function interviewForEnsureInputs(
 
   const masterKey = await getOrCreateMasterKey();
 
+  // 1. Apply append_to_array inputs deterministically. The trigger
+  //    value is known up-front, so no responder is needed.
   for (const input of ensure.inputs) {
+    if (input.kind !== 'append_to_array') continue;
     const { scope, name } = parseEnsureTarget(input.target);
-
-    if (input.kind === 'append_to_array') {
-      if (scope !== 'config') {
-        return {
-          success: false,
-          applied,
-          error: `append_to_array only supports config targets (got ${input.target})`,
-        };
-      }
-      const current = await readModuleConfigKey(providerModuleId, name, db);
-      const arr = Array.isArray(current) ? [...current] : [];
-      if (arr.includes(value)) {
-        applied.push(`${input.target} already contains "${value}" — skipped`);
-        continue;
-      }
-      arr.push(value);
-      await writeModuleConfigKey(providerModuleId, name, arr, db);
-      applied.push(`${input.target} ← appended "${value}"`);
-      allNoop = false;
+    if (scope !== 'config') {
+      return {
+        success: false,
+        applied,
+        error: `append_to_array only supports config targets (got ${input.target})`,
+      };
+    }
+    const current = await readModuleConfigKey(providerModuleId, name, db);
+    const arr = Array.isArray(current) ? [...current] : [];
+    if (arr.includes(value)) {
+      applied.push(`${input.target} already contains "${value}" — skipped`);
       continue;
     }
+    arr.push(value);
+    await writeModuleConfigKey(providerModuleId, name, arr, db);
+    applied.push(`${input.target} ← appended "${value}"`);
+    allNoop = false;
+  }
+
+  // 2. Collect set_in_object inputs that aren't already populated.
+  //    These are the ones that genuinely need user input.
+  interface PendingInput {
+    target: string;
+    name: string;
+    scope: 'config' | 'secret';
+    objectKey: string;
+    prompt: string;
+    hint?: string;
+    type: string;
+  }
+  const pending: PendingInput[] = [];
 
-    // input.kind === 'set_in_object'
+  for (const input of ensure.inputs) {
+    if (input.kind !== 'set_in_object') continue;
+    const { scope, name } = parseEnsureTarget(input.target);
     const objectKey = renderEnsureTemplate(input.key, value);
     const promptMsg = renderEnsureTemplate(input.prompt, value);
 
@@ -1035,60 +952,150 @@ export async function interviewForEnsureInputs(
       const current = await readModuleConfigKey(providerModuleId, name, db);
       const obj =
         current && typeof current === 'object' && !Array.isArray(current)
-          ? { ...(current as Record<string, unknown>) }
+          ? (current as Record<string, unknown>)
           : {};
       if (objectKey in obj) {
         applied.push(`${input.target}["${objectKey}"] already set — skipped`);
         continue;
       }
-      const promptFn =
-        options.promptOverride ??
-        (async () => promptText({ message: promptMsg, placeholder: input.hint }));
-      const userValue = await promptFn(promptMsg, input.hint);
-      obj[objectKey] = userValue;
-      await writeModuleConfigKey(providerModuleId, name, obj, db);
-      applied.push(`${input.target}["${objectKey}"] set`);
-      allNoop = false;
-      continue;
-    }
-
-    // Secret object: stored as a JSON-encoded string secret. Round-trip
-    // through parse/serialize so other keys are preserved.
-    const currentRaw = await readModuleSecretKey(providerModuleId, name, db, masterKey);
-    let obj: Record<string, unknown> = {};
-    if (currentRaw) {
-      try {
-        const parsed = JSON.parse(currentRaw);
-        if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
-          obj = parsed as Record<string, unknown>;
+    } else {
+      const currentRaw = await readModuleSecretKey(providerModuleId, name, db, masterKey);
+      let obj: Record<string, unknown> = {};
+      if (currentRaw) {
+        try {
+          const parsed = JSON.parse(currentRaw);
+          if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            obj = parsed as Record<string, unknown>;
+          }
+        } catch {
+          // Existing secret isn't a JSON object — overwrite later.
         }
-      } catch {
-        // Existing secret isn't a JSON object — overwrite (the schema
-        // declares this secret as an object, so any other shape is stale).
       }
+      if (objectKey in obj) {
+        applied.push(`${input.target}["${objectKey}"] already set — skipped`);
+        continue;
+      }
+    }
+
+    pending.push({
+      target: input.target,
+      name,
+      scope,
+      objectKey,
+      prompt: promptMsg,
+      hint: input.hint,
+      // EnsureInputSchema doesn't carry a type — set_in_object is
+      // always a string today. Carry 'string' through to the bus
+      // payload's type field for future-proofing.
+      type: 'string',
+    });
+  }
+
+  if (pending.length === 0) {
+    return { success: true, alreadyApplied: allNoop, applied };
+  }
+
+  // 3. Test escape hatch: if a promptOverride is provided, run the
+  //    legacy direct-prompt path. Lets existing unit tests keep their
+  //    inline prompt stubs without setting up a bus responder.
+  if (options.promptOverride) {
+    for (const input of pending) {
+      const userValue = await options.promptOverride(input.prompt, input.hint);
+      await applyEnsureInput(input, userValue, providerModuleId, db, masterKey);
+      applied.push(`${input.target}["${input.objectKey}"] set`);
+      allNoop = false;
     }
-    if (objectKey in obj) {
-      applied.push(`${input.target}["${objectKey}"] already set — skipped`);
+    return { success: true, alreadyApplied: allNoop, applied };
+  }
+
+  // 4. Bus-mediated interview. One event for the whole ensure; the
+  //    responder prompts the user, sets secret-target values
+  //    out-of-band, replies with config-target values plus an
+  //    `acknowledged: true` flag when secrets were touched.
+  const payload: EnsureRequiredPayload = {
+    consumer: providerModuleId,
+    provider: providerModuleId,
+    ensureId: ensure.id,
+    triggerValue: value,
+    description: ensure.description,
+    inputs: pending.map((i) => ({
+      target: i.target,
+      kind: 'set_in_object',
+      prompt: i.prompt,
+      hint: i.hint,
+      type: i.type,
+      objectKey: i.objectKey,
+    })),
+  };
+  const reply = await busInterview<EnsureReply>(
+    EVENT_TYPES.ensureRequired(providerModuleId, ensure.id),
+    payload,
+  );
+
+  // 5. Apply reply values for config targets. Secret targets aren't
+  //    in `values` — the responder wrote them out-of-band; we record
+  //    them as applied since the encrypted store is already updated.
+  const replyValues = reply.values ?? {};
+  for (const input of pending) {
+    if (input.scope === 'secret') {
+      applied.push(`${input.target}["${input.objectKey}"] set`);
+      allNoop = false;
       continue;
     }
-    const promptFn =
-      options.promptOverride ??
-      // promptPassword doesn't take a placeholder, so fold the hint
-      // into the message — the user only sees the message before typing.
-      (async () =>
-        promptPassword({
-          message: input.hint ? `${promptMsg}\n  ${input.hint}` : promptMsg,
-        }));
-    const userValue = await promptFn(promptMsg, input.hint);
-    obj[objectKey] = userValue;
-    await writeModuleSecretKey(providerModuleId, name, JSON.stringify(obj), db, masterKey);
-    applied.push(`${input.target}["${objectKey}"] set`);
+    const userValue = replyValues[input.target];
+    if (userValue === undefined) {
+      return {
+        success: false,
+        applied,
+        error: `Responder reply missing value for ${input.target}`,
+      };
+    }
+    await applyEnsureInput(input, userValue, providerModuleId, db, masterKey);
+    applied.push(`${input.target}["${input.objectKey}"] set`);
     allNoop = false;
   }
 
   return { success: true, alreadyApplied: allNoop, applied };
 }
 
+/**
+ * Read-merge-write one set_in_object input. Used by both the
+ * promptOverride test path and the bus-mediated config-target path
+ * after the responder reply is in hand.
+ */
+async function applyEnsureInput(
+  input: { target: string; name: string; scope: 'config' | 'secret'; objectKey: string },
+  userValue: unknown,
+  providerModuleId: string,
+  db: DbClient,
+  masterKey: Buffer,
+): Promise<void> {
+  if (input.scope === 'config') {
+    const current = await readModuleConfigKey(providerModuleId, input.name, db);
+    const obj =
+      current && typeof current === 'object' && !Array.isArray(current)
+        ? { ...(current as Record<string, unknown>) }
+        : {};
+    obj[input.objectKey] = userValue;
+    await writeModuleConfigKey(providerModuleId, input.name, obj, db);
+    return;
+  }
+  const currentRaw = await readModuleSecretKey(providerModuleId, input.name, db, masterKey);
+  let obj: Record<string, unknown> = {};
+  if (currentRaw) {
+    try {
+      const parsed = JSON.parse(currentRaw);
+      if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+        obj = parsed as Record<string, unknown>;
+      }
+    } catch {
+      // Existing secret isn't a JSON object — overwrite.
+    }
+  }
+  obj[input.objectKey] = userValue;
+  await writeModuleSecretKey(providerModuleId, input.name, JSON.stringify(obj), db, masterKey);
+}
+
 /**
  * Look up an `ensures` block on a provider module's manifest by id.
  * Returns null when the module doesn't exist or doesn't declare a