@celilo/cli 0.3.30-alpha.0 → 0.4.0-alpha.0

package/src/services/infrastructure-variable-resolver.test.ts

@@ -12,6 +12,7 @@ import {
 import type { ModuleManifest } from '@/manifest/schema';
 import { and, eq } from 'drizzle-orm';
 import { resolveInfrastructureVariables } from './infrastructure-variable-resolver';
+import { upsertModuleConfig } from './module-config';
 
 const TEST_DB_PATH = './test-infra-resolver.db';
 
@@ -268,26 +269,9 @@ describe('resolveInfrastructureVariables - Proxmox Container Service', () => {
     });
 
     // Create IPAM-allocated config (mimics what IPAM does)
-    await db.insert(moduleConfigs).values([
-      {
-        moduleId,
-        key: 'vmid',
-        value: '100',
-        valueJson: null,
-      },
-      {
-        moduleId,
-        key: 'target_ip',
-        value: '10.0.10.5',
-        valueJson: null,
-      },
-      {
-        moduleId,
-        key: 'hostname',
-        value: 'homebridge',
-        valueJson: null,
-      },
-    ]);
+    upsertModuleConfig(db, moduleId, 'vmid', '100');
+    upsertModuleConfig(db, moduleId, 'target_ip', '10.0.10.5');
+    upsertModuleConfig(db, moduleId, 'hostname', 'homebridge');
 
     // Resolve variables (no Terraform outputs = Proxmox)
     const result = await resolveInfrastructureVariables(moduleId, manifest, null, db);
@@ -422,12 +406,7 @@ describe('resolveInfrastructureVariables - Digital Ocean Container Service', ()
     });
 
     // Create hostname config (user-configured)
-    await db.insert(moduleConfigs).values({
-      moduleId,
-      key: 'hostname',
-      value: 'dns-ext',
-      valueJson: null,
-    });
+    upsertModuleConfig(db, moduleId, 'hostname', 'dns-ext');
 
     // Terraform outputs (wrapped format)
     const terraformOutputs = {
@@ -502,12 +481,7 @@ describe('resolveInfrastructureVariables - User Override', () => {
     });
 
     // User manually set ip.primary
-    await db.insert(moduleConfigs).values({
-      moduleId,
-      key: 'ip.primary',
-      value: '198.51.100.50', // User override
-      valueJson: null,
-    });
+    upsertModuleConfig(db, moduleId, 'ip.primary', '198.51.100.50');
 
     const result = await resolveInfrastructureVariables(moduleId, manifest, null, db);
 

package/src/services/infrastructure-variable-resolver.ts

@@ -7,6 +7,7 @@ import {
   extractTerraformProperties,
 } from '@/infrastructure/property-extractor';
 import type { ModuleManifest } from '@/manifest/schema';
+import { upsertModuleConfig } from '@/services/module-config';
 import type { Machine } from '@/types/infrastructure';
 import { and, eq } from 'drizzle-orm';
 
@@ -190,19 +191,8 @@ export async function resolveInfrastructureVariables(
       continue;
     }
 
-    // Store in moduleConfigs
-    await db
-      .insert(moduleConfigs)
-      .values({
-        moduleId,
-        key: variable.name,
-        value,
-        valueJson: null,
-      })
-      .onConflictDoUpdate({
-        target: [moduleConfigs.moduleId, moduleConfigs.key],
-        set: { value, updatedAt: new Date() },
-      });
+    // Store in moduleConfigs (always via the typed-storage helper)
+    upsertModuleConfig(db, moduleId, variable.name, value);
 
     resolved[variable.name] = value;
   }

package/src/services/machine-detector.ts

@@ -1,6 +1,11 @@
 /**
  * Machine Detector
- * Auto-detects machine information via SSH
+ * Auto-detects machine information, either over SSH (remote machines) or
+ * locally (the management box adding itself — 127.0.0.1, no SSH needed).
+ *
+ * The detection logic is identical either way; only command EXECUTION
+ * differs. Each detector takes a `CommandRunner` so the SSH and local
+ * paths share the same parsing.
  */
 
 import { execSync } from 'node:child_process';
@@ -18,6 +23,9 @@ export class DetectionError extends Error {
   }
 }
 
+/** Runs a shell command and returns trimmed stdout (throws on failure). */
+export type CommandRunner = (command: string) => string;
+
 /**
  * Execute SSH command and return output
  */
@@ -38,11 +46,31 @@ function sshExec(ip: string, user: string, keyPath: string, command: string): st
   }
 }
 
+/** CommandRunner that SSHes to a remote machine. */
+function sshRunner(ip: string, user: string, keyPath: string): CommandRunner {
+  return (command) => sshExec(ip, user, keyPath, command);
+}
+
+/** CommandRunner that runs the command locally (for the self/localhost box). */
+export const localRunner: CommandRunner = (command) => {
+  try {
+    return execSync(command, {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+      timeout: 10000,
+      shell: '/bin/bash',
+    }).trim();
+  } catch (error) {
+    const message = error instanceof Error ? error.message : 'Unknown error';
+    throw new DetectionError(`Local command failed: ${message}`);
+  }
+};
+
 /**
  * Detect hostname
  */
-function detectHostname(ip: string, user: string, keyPath: string): string {
-  const output = sshExec(ip, user, keyPath, 'hostname');
+function detectHostname(run: CommandRunner): string {
+  const output = run('hostname');
   if (!output) {
     throw new DetectionError('Failed to detect hostname: empty output');
   }
@@ -52,8 +80,8 @@ function detectHostname(ip: string, user: string, keyPath: string): string {
 /**
  * Detect CPU cores
  */
-function detectCpuCores(ip: string, user: string, keyPath: string): number {
-  const output = sshExec(ip, user, keyPath, 'nproc || grep -c ^processor /proc/cpuinfo');
+function detectCpuCores(run: CommandRunner): number {
+  const output = run('nproc || grep -c ^processor /proc/cpuinfo');
   const cores = Number.parseInt(output, 10);
   if (Number.isNaN(cores) || cores <= 0) {
     throw new DetectionError(`Invalid CPU cores detected: ${output}`);
@@ -64,9 +92,9 @@ function detectCpuCores(ip: string, user: string, keyPath: string): number {
 /**
  * Detect memory in MB
  */
-function detectMemory(ip: string, user: string, keyPath: string): number {
+function detectMemory(run: CommandRunner): number {
   // Get memory line, parse in JavaScript
-  const output = sshExec(ip, user, keyPath, 'grep MemTotal /proc/meminfo');
+  const output = run('grep MemTotal /proc/meminfo');
 
   // Parse "MemTotal:        1048576 kB" -> extract number
   const match = output.match(/MemTotal:\s+(\d+)\s+kB/);
@@ -84,9 +112,9 @@ function detectMemory(ip: string, user: string, keyPath: string): number {
 /**
  * Detect disk space in GB
  */
-function detectDisk(ip: string, user: string, keyPath: string): number {
+function detectDisk(run: CommandRunner): number {
   // Get root filesystem size, parse in JavaScript
-  const output = sshExec(ip, user, keyPath, 'df -BG / | tail -1');
+  const output = run('df -BG / | tail -1');
 
   // Parse "Filesystem      1G-blocks  Used Available Use% Mounted" -> extract second field
   // Example: "/dev/sda1         20G   5G      14G  27% /"
@@ -112,9 +140,9 @@ function detectDisk(ip: string, user: string, keyPath: string): number {
 /**
  * Detect CPU architecture (arm64, x64, etc.)
  */
-function detectArch(ip: string, user: string, keyPath: string): string {
+function detectArch(run: CommandRunner): string {
   try {
-    const output = sshExec(ip, user, keyPath, 'dpkg --print-architecture 2>/dev/null || uname -m');
+    const output = run('dpkg --print-architecture 2>/dev/null || uname -m');
     const raw = output.trim();
     // Normalize: aarch64 → arm64, x86_64 → amd64
     if (raw === 'aarch64' || raw === 'arm64') return 'arm64';
@@ -128,22 +156,17 @@ function detectArch(ip: string, user: string, keyPath: string): string {
 /**
  * Detect OS information
  */
-function detectOsInfo(ip: string, user: string, keyPath: string): string {
+function detectOsInfo(run: CommandRunner): string {
   try {
     // Try /etc/os-release first (most modern systems)
-    const output = sshExec(
-      ip,
-      user,
-      keyPath,
-      "cat /etc/os-release | grep PRETTY_NAME | cut -d'\"' -f2",
-    );
+    const output = run("cat /etc/os-release | grep PRETTY_NAME | cut -d'\"' -f2");
     if (output) {
       return output;
     }
   } catch {
     // Fall back to uname if /etc/os-release not available
     try {
-      const output = sshExec(ip, user, keyPath, 'uname -s -r');
+      const output = run('uname -s -r');
       return output || 'Unknown Linux';
     } catch {
       return 'Unknown Linux';
@@ -201,37 +224,36 @@ function parseIpTextOutput(output: string): Array<{ name: string; ipAddress: str
 }
 
 /**
- * Detect all network interfaces on a machine via SSH
- * Classifies each interface's zone by matching IP against configured subnets
+ * Detect network interfaces using the given runner. `fallbackIp` is used
+ * to synthesize a single interface when detection yields nothing.
  */
-export async function detectNetworkInterfaces(
-  ip: string,
-  sshUser: string,
-  sshKeyPath: string,
+async function detectNetworkInterfacesWith(
+  run: CommandRunner,
+  fallbackIp: string,
 ): Promise<{ interfaces: NetworkInterface[]; role: MachineRole }> {
   let rawInterfaces: Array<{ name: string; ipAddress: string }>;
 
   try {
-    const jsonOutput = sshExec(ip, sshUser, sshKeyPath, 'ip -j addr show');
+    const jsonOutput = run('ip -j addr show');
     rawInterfaces = parseIpJsonOutput(jsonOutput);
   } catch {
     try {
-      const textOutput = sshExec(ip, sshUser, sshKeyPath, 'ip addr show');
+      const textOutput = run('ip addr show');
       rawInterfaces = parseIpTextOutput(textOutput);
     } catch {
       // Can't detect interfaces - return single interface from known IP
-      const zone = await detectZoneFromIp(ip);
+      const zone = await detectZoneFromIp(fallbackIp);
       return {
-        interfaces: [{ name: 'unknown', ipAddress: ip, zone }],
+        interfaces: [{ name: 'unknown', ipAddress: fallbackIp, zone }],
         role: 'host',
       };
     }
   }
 
   if (rawInterfaces.length === 0) {
-    const zone = await detectZoneFromIp(ip);
+    const zone = await detectZoneFromIp(fallbackIp);
     return {
-      interfaces: [{ name: 'unknown', ipAddress: ip, zone }],
+      interfaces: [{ name: 'unknown', ipAddress: fallbackIp, zone }],
       role: 'host',
     };
   }
@@ -261,6 +283,50 @@ export async function detectNetworkInterfaces(
   return { interfaces, role };
 }
 
+/**
+ * Detect all network interfaces on a remote machine via SSH.
+ */
+export async function detectNetworkInterfaces(
+  ip: string,
+  sshUser: string,
+  sshKeyPath: string,
+): Promise<{ interfaces: NetworkInterface[]; role: MachineRole }> {
+  return detectNetworkInterfacesWith(sshRunner(ip, sshUser, sshKeyPath), ip);
+}
+
+/**
+ * Detect network interfaces on the local (management) box — no SSH.
+ */
+export async function detectNetworkInterfacesLocal(): Promise<{
+  interfaces: NetworkInterface[];
+  role: MachineRole;
+}> {
+  return detectNetworkInterfacesWith(localRunner, '127.0.0.1');
+}
+
+/**
+ * Detect machine information using the given runner.
+ */
+function detectMachineInfoWith(run: CommandRunner): DetectedMachineInfo {
+  const hostname = detectHostname(run);
+  const cpu_cores = detectCpuCores(run);
+  const memory_mb = detectMemory(run);
+  const disk_gb = detectDisk(run);
+  const arch = detectArch(run);
+  const osInfo = detectOsInfo(run);
+
+  return {
+    hostname,
+    osInfo,
+    hardware: {
+      cpu_cores,
+      memory_mb,
+      disk_gb,
+      arch,
+    },
+  };
+}
+
 /**
  * Detect machine information via SSH
  *
@@ -286,24 +352,14 @@ export async function detectMachineInfo(
     throw new DetectionError('SSH key path is required');
   }
 
-  // Detect all information
-  const hostname = detectHostname(ip, sshUser, sshKeyPath);
-  const cpu_cores = detectCpuCores(ip, sshUser, sshKeyPath);
-  const memory_mb = detectMemory(ip, sshUser, sshKeyPath);
-  const disk_gb = detectDisk(ip, sshUser, sshKeyPath);
-  const arch = detectArch(ip, sshUser, sshKeyPath);
-  const osInfo = detectOsInfo(ip, sshUser, sshKeyPath);
+  return detectMachineInfoWith(sshRunner(ip, sshUser, sshKeyPath));
+}
 
-  return {
-    hostname,
-    osInfo,
-    hardware: {
-      cpu_cores,
-      memory_mb,
-      disk_gb,
-      arch,
-    },
-  };
+/**
+ * Detect machine information on the local (management) box — no SSH.
+ */
+export async function detectMachineInfoLocal(): Promise<DetectedMachineInfo> {
+  return detectMachineInfoWith(localRunner);
 }
 
 /**

package/src/services/machine-pool.ts

@@ -1,7 +1,13 @@
 import { randomUUID } from 'node:crypto';
-import { eq } from 'drizzle-orm';
+import { and, eq, inArray } from 'drizzle-orm';
 import { getDb } from '../db/client';
-import { type NetworkZone, machines, moduleInfrastructure } from '../db/schema';
+import {
+  type NetworkZone,
+  containerServices,
+  ipAllocations,
+  machines,
+  moduleInfrastructure,
+} from '../db/schema';
 import { decryptSecret, encryptSecret } from '../secrets/encryption';
 import { getOrCreateMasterKey } from '../secrets/master-key';
 import type {
@@ -70,6 +76,7 @@ export async function addMachine(
     interfaces: (machine.interfaces ?? []) as NetworkInterface[],
     assignedModuleIds: machine.assignedModuleIds,
     earmarkedModule: machine.earmarkedModule || null,
+    apiOnly: false, // defaults to false; toggled later via separate flow
     createdAt: now,
     updatedAt: now,
   };
@@ -95,6 +102,7 @@ function rowToMachine(row: typeof machines.$inferSelect): Machine {
     interfaces,
     assignedModuleIds,
     earmarkedModule: row.earmarkedModule ?? undefined,
+    apiOnly: row.apiOnly,
     createdAt: new Date(row.createdAt),
     updatedAt: new Date(row.updatedAt),
   };
@@ -231,6 +239,141 @@ export async function listMachines(filters?: MachineFilters): Promise<Machine[]>
   return results.map(rowToMachine);
 }
 
+/**
+ * Return every machine in any of the given zones — the discovery
+ * query the aspect runner uses to find fan-out targets per
+ * v2/CELILO_BASE.md.
+ *
+ * Filters:
+ * - `excludeApiOnly` (default `true`): drops machines marked
+ *   `api_only` (the greenwave / ISP-modem case). Aspects use
+ *   Ansible, so api_only systems are unreachable. v2/CELILO_BASE.md
+ *   D8.
+ * - `excludeHostnames` (default `[]`): drops named hostnames.
+ *   Aspect authors that need to skip the system running their own
+ *   primary deploy pass it here; the framework doesn't auto-skip
+ *   (v2/CELILO_BASE.md D3).
+ *
+ * NOTE on container_service systems: this Phase 1 implementation
+ * covers MACHINE-based systems only (the machines table). LXCs/VMs
+ * provisioned via container_service live in
+ * `module_infrastructure` and inherit zone from `ip_allocations`;
+ * supporting them is a future iteration. For Phase 1's
+ * aspect-fanout test (and forgejo's e2e), all targets are machine
+ * pool entries, so this is sufficient.
+ */
+export async function getSystemsByZone(
+  zones: string[],
+  options: { excludeApiOnly?: boolean; excludeHostnames?: string[] } = {},
+): Promise<Machine[]> {
+  if (zones.length === 0) return [];
+  const db = getDb();
+  const excludeApiOnly = options.excludeApiOnly ?? true;
+  const excludeHostnames = new Set(options.excludeHostnames ?? []);
+
+  const rows = await db
+    .select()
+    .from(machines)
+    .where(inArray(machines.zone, zones as NetworkZone[]));
+
+  return rows
+    .map(rowToMachine)
+    .filter((m) => !(excludeApiOnly && m.apiOnly))
+    .filter((m) => !excludeHostnames.has(m.hostname));
+}
+
+/**
+ * A container_service-provisioned system (Proxmox LXC, Digital
+ * Ocean droplet, etc.) — the complement to a machine-pool entry.
+ * Surfaced by `getContainerSystemsByZone` for SC5 Proxmox
+ * reconciliation: each LXC's owning module has terraform state we
+ * may need to update.
+ *
+ * `containerMetadata` is the raw JSON from the db (vmid, droplet
+ * ID, container_ip, etc. — provider-specific shape); callers
+ * inspect it as needed.
+ */
+export interface ContainerSystem {
+  /** UUID of the module_infrastructure row. */
+  infrastructureId: string;
+  /** Module that owns this provisioned system (and its terraform state). */
+  moduleId: string;
+  /** Container service this system was provisioned through. */
+  serviceId: string;
+  providerName: 'proxmox' | 'digitalocean' | 'aws' | 'gcp' | 'azure';
+  /** Zone from `ip_allocations` (the authoritative zone for the LXC's IP). */
+  zone: NetworkZone;
+  /** Container IP in CIDR (e.g., "10.0.20.42/24"). May be null if allocation absent. */
+  containerIp: string | null;
+  containerMetadata: Record<string, unknown> | null;
+  apiOnly: boolean;
+}
+
+/**
+ * Enumerate container_service-provisioned systems whose IP-allocation
+ * zone matches the input. Used by SC5's Proxmox reconciler to find
+ * LXCs whose terraform config may need rewriting when an aspect
+ * declares `proxmox_reconcile.tfvars`.
+ *
+ * Filters api_only systems by default. The aspect runner reads the
+ * same row to decide if Ansible should even reach the system.
+ *
+ * Phase 1 simulator note: cele2e test environments add systems via
+ * `celilo machine add`, which writes to the machines table — NOT
+ * module_infrastructure. So this function returns [] for those
+ * tests. It only matters in production where container_service
+ * (Proxmox) is real.
+ */
+export async function getContainerSystemsByZone(
+  zones: string[],
+  options: { excludeApiOnly?: boolean } = {},
+): Promise<ContainerSystem[]> {
+  if (zones.length === 0) return [];
+  const db = getDb();
+  const excludeApiOnly = options.excludeApiOnly ?? true;
+
+  // ip_allocations is the authoritative source for which LXC sits
+  // in which zone (Proxmox doesn't expose zone directly; celilo's
+  // IPAM is what assigned it). Join it to module_infrastructure to
+  // get the rest of the metadata.
+  const rows = await db
+    .select({
+      infraId: moduleInfrastructure.id,
+      moduleId: moduleInfrastructure.moduleId,
+      serviceId: moduleInfrastructure.serviceId,
+      containerMetadata: moduleInfrastructure.containerMetadata,
+      apiOnly: moduleInfrastructure.apiOnly,
+      ipZone: ipAllocations.zone,
+      containerIp: ipAllocations.containerIp,
+      providerName: containerServices.providerName,
+    })
+    .from(moduleInfrastructure)
+    .innerJoin(ipAllocations, eq(ipAllocations.moduleId, moduleInfrastructure.moduleId))
+    .innerJoin(containerServices, eq(containerServices.id, moduleInfrastructure.serviceId))
+    .where(
+      and(
+        eq(moduleInfrastructure.infrastructureType, 'container_service'),
+        // ip_allocations.zone is narrower than NetworkZone (no 'external');
+        // safe to cast — any 'external' input would just match zero rows.
+        inArray(ipAllocations.zone, zones as Array<'dmz' | 'app' | 'secure' | 'internal'>),
+      ),
+    );
+
+  return rows
+    .filter((r) => !(excludeApiOnly && r.apiOnly))
+    .filter((r): r is typeof r & { serviceId: string } => r.serviceId !== null)
+    .map((r) => ({
+      infrastructureId: r.infraId,
+      moduleId: r.moduleId,
+      serviceId: r.serviceId,
+      providerName: r.providerName,
+      zone: r.ipZone,
+      containerIp: r.containerIp ?? null,
+      containerMetadata: r.containerMetadata ?? null,
+      apiOnly: r.apiOnly,
+    }));
+}
+
 /**
  * Remove a machine from the pool
  */