@celilo/cli 0.4.0-alpha.1 → 0.4.0

package/drizzle/0008_aspect_consent.sql

@@ -0,0 +1 @@
+ALTER TABLE `aspect_approvals` ADD `consented` integer DEFAULT true NOT NULL;

package/drizzle/meta/_journal.json

@@ -57,6 +57,13 @@
       "when": 1780459200000,
       "tag": "0007_module_systems",
       "breakpoints": true
+    },
+    {
+      "idx": 8,
+      "version": "6",
+      "when": 1781064000000,
+      "tag": "0008_aspect_consent",
+      "breakpoints": true
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.4.0-alpha.1",
+  "version": "0.4.0",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {
@@ -52,9 +52,9 @@
   },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.1024.0",
-    "@celilo/capabilities": "0.2.0-alpha.0",
-    "@celilo/cli-display": "0.1.9-alpha.0",
-    "@celilo/event-bus": "0.1.5-alpha.0",
+    "@celilo/capabilities": "^0.3.0",
+    "@celilo/cli-display": "^0.1.9",
+    "@celilo/event-bus": "^0.1.5",
     "@clack/prompts": "^1.1.0",
     "ajv": "^8.18.0",
     "drizzle-orm": "^0.36.4",
@@ -75,6 +75,5 @@
     "ink-testing-library": "^4.0.0",
     "typescript": "^5.9.3",
     "zod-to-json-schema": "^3.25.2"
-  },
-  "gitHead": "26189a1eaaa2a7da94a9098a16305d8a9a95ac50"
+  }
 }

package/src/cli/command-registry.ts

@@ -148,6 +148,21 @@ export const COMMANDS: CommandDef[] = [
           { name: 'emitted-by', description: 'Audit tag', takesValue: true },
         ],
       },
+      {
+        name: 'reply',
+        description: 'Answer one pending interview query by event id (config/secret/ensure)',
+        args: [
+          { name: 'event_id', description: 'Query event id from `tail`' },
+          { name: 'value', description: "Answer as JSON (e.g. '\"foo\"', '8080', '[\"a\"]')" },
+        ],
+        flags: [
+          {
+            name: 'emitted-by',
+            description: 'Responder identity for the reply audit trail',
+            takesValue: true,
+          },
+        ],
+      },
       {
         name: 'ack',
         description: 'Mark a running delivery succeeded',
@@ -1091,6 +1106,16 @@ export const COMMANDS: CommandDef[] = [
                 takesValue: true,
               },
               { name: 'name', description: 'Storage name', takesValue: true },
+              {
+                name: 'access-key-id',
+                description: 'S3 access key ID (non-interactive)',
+                takesValue: true,
+              },
+              {
+                name: 'secret-access-key',
+                description: 'S3 secret access key (non-interactive)',
+                takesValue: true,
+              },
             ],
           },
         ],
@@ -1210,6 +1235,19 @@ export const COMMANDS: CommandDef[] = [
           { name: 'yes', description: 'Skip confirmation', takesValue: false },
         ],
       },
+      {
+        name: 'pull',
+        description: "Download another box's backup artifact from a storage destination",
+        flags: [
+          { name: 'storage', description: 'Storage destination name', takesValue: true },
+          {
+            name: 'module',
+            description: 'Module ID whose backup to pull (default: system state)',
+            takesValue: true,
+          },
+          { name: 'output', description: 'Local path to write the artifact', takesValue: true },
+        ],
+      },
     ],
   },
   {

package/src/cli/commands/backup-pull.test.ts

@@ -0,0 +1,48 @@
+import { describe, expect, test } from 'bun:test';
+import { pickNewestArtifact } from './backup-pull';
+
+describe('pickNewestArtifact', () => {
+  const keys = [
+    '2026-06-02/celilo-mgmt-2026-06-02T10-00-00-000Z.backup',
+    '2026-06-04/celilo-mgmt-2026-06-04T21-05-21-637Z.backup',
+    '2026-06-03/celilo-mgmt-2026-06-03T08-30-00-000Z.backup',
+    '2026-06-04/system-2026-06-04T22-00-00-000Z.backup',
+    '2026-06-01/celilo-2026-06-01T00-00-00-000Z.backup',
+  ];
+
+  test('picks the chronologically newest module artifact', () => {
+    expect(pickNewestArtifact(keys, 'celilo-mgmt')).toBe(
+      '2026-06-04/celilo-mgmt-2026-06-04T21-05-21-637Z.backup',
+    );
+  });
+
+  test('does not treat a shorter module id as a prefix of a longer one', () => {
+    // 'celilo' must NOT match 'celilo-mgmt-...' artifacts — only the literal
+    // celilo-<year> artifact.
+    expect(pickNewestArtifact(keys, 'celilo')).toBe(
+      '2026-06-01/celilo-2026-06-01T00-00-00-000Z.backup',
+    );
+  });
+
+  test('matches system-state artifacts via the system prefix', () => {
+    expect(pickNewestArtifact(keys, 'system')).toBe(
+      '2026-06-04/system-2026-06-04T22-00-00-000Z.backup',
+    );
+  });
+
+  test('returns null when nothing matches', () => {
+    expect(pickNewestArtifact(keys, 'homebridge')).toBeNull();
+    expect(pickNewestArtifact([], 'celilo-mgmt')).toBeNull();
+  });
+
+  test('ignores non-.backup objects and verify probes', () => {
+    const noisy = [
+      'celilo-mgmt/.celilo-verify-test',
+      '2026-06-04/celilo-mgmt-2026-06-04T21-05-21-637Z.backup',
+      '2026-06-04/celilo-mgmt-notes.txt',
+    ];
+    expect(pickNewestArtifact(noisy, 'celilo-mgmt')).toBe(
+      '2026-06-04/celilo-mgmt-2026-06-04T21-05-21-637Z.backup',
+    );
+  });
+});

package/src/cli/commands/backup-pull.ts

@@ -0,0 +1,116 @@
+/**
+ * Backup Pull Command
+ *
+ * Downloads a backup artifact that ANOTHER box wrote to a shared storage
+ * destination, onto THIS box, as a local `.backup` file ready for
+ * `celilo restore --from <file>`.
+ *
+ * This closes the fresh-box gap in the S3 migration path: `restore --from`
+ * needs a local file, `backup restore <id>` needs a local DB row, and
+ * `backup import` goes the wrong way. None of them let a freshly-bootstrapped
+ * celilo-mgr fetch turnip's backup straight out of the bucket. The storage
+ * provider already exposes list()/download(); this is the missing glue.
+ *
+ *   celilo storage add s3 ...           # same creds as the source box
+ *   celilo backup pull --storage <id> --module celilo-mgmt
+ *   celilo restore --from <printed-path> --force
+ *
+ * Part of P5 (v2/CELILO_MGMT_MIGRATION.md), apps/celilo/designs/P5_MIGRATION_E2E.md.
+ */
+
+import { tmpdir } from 'node:os';
+import { basename, join } from 'node:path';
+import {
+  createStorageProvider,
+  getBackupStorageByStorageId,
+  getDefaultBackupStorage,
+} from '../../services/backup-storage';
+import { celiloIntro, celiloOutro } from '../prompts';
+import type { CommandResult } from '../types';
+
+/**
+ * Pick the newest backup artifact key from a storage listing.
+ *
+ * Storage layout (backup-create.ts): `<YYYY-MM-DD>/<prefix>-<ISO-ts>.backup`
+ * where `<prefix>` is the moduleId for module backups or `system` for
+ * system-state backups, and `<ISO-ts>` is an ISO timestamp with `:`/`.`
+ * replaced by `-`. ISO timestamps sort lexically as chronologically, so the
+ * lexically-greatest matching key is the newest.
+ *
+ * `keyPrefix` matches the basename's leading `<prefix>-<4-digit-year>` so a
+ * module id is never a false-prefix of a longer one (e.g. `celilo` vs
+ * `celilo-mgmt`).
+ */
+export function pickNewestArtifact(keys: string[], keyPrefix: string): string | null {
+  const matcher = new RegExp(`^${keyPrefix}-\\d{4}-.*\\.backup$`);
+  const matching = keys.filter((k) => matcher.test(basename(k)));
+  if (matching.length === 0) return null;
+  // Lexical sort; newest (greatest) last.
+  matching.sort();
+  return matching[matching.length - 1] ?? null;
+}
+
+export async function handleBackupPull(
+  _args: string[],
+  flags: Record<string, boolean | string> = {},
+): Promise<CommandResult> {
+  try {
+    celiloIntro('Pull Backup');
+
+    const storageName = typeof flags.storage === 'string' ? flags.storage : undefined;
+    const moduleId = typeof flags.module === 'string' ? flags.module : undefined;
+    const outputFlag = typeof flags.output === 'string' ? flags.output : undefined;
+
+    const storage = storageName
+      ? getBackupStorageByStorageId(storageName)
+      : getDefaultBackupStorage();
+
+    if (!storage) {
+      return {
+        success: false,
+        error: storageName
+          ? `Storage not found: ${storageName}\n\nList destinations: celilo storage list`
+          : 'No default backup storage configured.\n\nAdd storage first: celilo storage add s3',
+      };
+    }
+    if (!storage.verified) {
+      return {
+        success: false,
+        error: `Storage '${storage.storageId}' is not verified. Run: celilo storage verify ${storage.storageId}`,
+      };
+    }
+
+    // `system` is the artifact prefix for system-state backups; otherwise we
+    // match the module's artifacts.
+    const keyPrefix = moduleId ?? 'system';
+
+    console.log(`\n▸ Listing backups in '${storage.storageId}'...`);
+    const provider = await createStorageProvider(storage.id);
+    const keys = await provider.list('');
+
+    const remotePath = pickNewestArtifact(keys, keyPrefix);
+    if (!remotePath) {
+      return {
+        success: false,
+        error: `No '${keyPrefix}' backup artifact found in storage '${storage.storageId}'.\n\nExpected an object like <date>/${keyPrefix}-<timestamp>.backup`,
+      };
+    }
+
+    const outputPath = outputFlag ?? join(tmpdir(), basename(remotePath));
+
+    console.log(`▸ Downloading ${remotePath}...`);
+    await provider.download(remotePath, outputPath);
+
+    console.log(`✓ Pulled ${basename(remotePath)}`);
+    console.log(`  → ${outputPath}`);
+
+    celiloOutro(`Restore it with:\n  celilo restore --from ${outputPath} --force`);
+
+    return { success: true, message: `Pulled backup to ${outputPath}` };
+  } catch (error) {
+    return {
+      success: false,
+      error: `Pull failed: ${error instanceof Error ? error.message : String(error)}`,
+    };
+  }
+}

package/src/cli/commands/events.test.ts

@@ -11,6 +11,7 @@ import {
   handleEventsListPending,
   handleEventsListSubscribers,
   handleEventsRepair,
+  handleEventsReply,
   handleEventsStatus,
   handleEventsTail,
 } from './events';
@@ -153,4 +154,111 @@ describe('celilo events command handlers', () => {
     expect((result.data as { recovered: boolean }).recovered).toBe(true);
     expect((result.data as { stuckCount: number }).stuckCount).toBe(1);
   });
+
+  it('reply answers a config.required query with a correlated reply', async () => {
+    const setupBus = openBus({ dbPath, events: defineEvents({}) });
+    const query = setupBus.emitRaw('config.required.lunacycle.domain', {
+      module: 'lunacycle',
+      key: 'domain',
+      type: 'string',
+      required: true,
+    });
+    setupBus.close();
+
+    const res = await handleEventsReply([String(query.id), '"lunacycle.net"'], {});
+    expect(res.success).toBe(true);
+    if (!res.success) throw new Error('expected success');
+    const data = res.data as { status: string; family: string; value: unknown };
+    expect(data.status).toBe('replied');
+    expect(data.family).toBe('config');
+    expect(data.value).toBe('lunacycle.net');
+
+    const checkBus = openBus({ dbPath, events: defineEvents({}) });
+    const replies = checkBus.recentEvents({ type: 'config.required.lunacycle.domain.reply' });
+    checkBus.close();
+    expect(replies).toHaveLength(1);
+    expect(replies[0].replyFor).toBe(query.id);
+    expect(replies[0].payload).toEqual({ value: 'lunacycle.net' });
+    expect(replies[0].emittedBy).toBe('claude-config-responder');
+  });
+
+  it('reply honors --emitted-by for the audit identity', async () => {
+    const setupBus = openBus({ dbPath, events: defineEvents({}) });
+    const query = setupBus.emitRaw('config.required.caddy.acme_email', {
+      module: 'caddy',
+      key: 'acme_email',
+      type: 'string',
+      required: true,
+    });
+    setupBus.close();
+
+    await handleEventsReply([String(query.id), '"a@b.com"'], { 'emitted-by': 'operator-x' });
+
+    const checkBus = openBus({ dbPath, events: defineEvents({}) });
+    const replies = checkBus.recentEvents({ type: 'config.required.caddy.acme_email.reply' });
+    checkBus.close();
+    expect(replies[0].emittedBy).toBe('operator-x');
+  });
+
+  it('reply on an unknown event id fails clearly', async () => {
+    const res = await handleEventsReply(['99999', '"x"'], {});
+    expect(res.success).toBe(false);
+    if (res.success) throw new Error('expected failure');
+    expect(res.error).toContain('No event with id 99999');
+  });
+
+  it('reply on a non-interview event fails clearly', async () => {
+    const setupBus = openBus({ dbPath, events: defineEvents({}) });
+    const event = setupBus.emitRaw('custom.thing', { x: 1 });
+    setupBus.close();
+
+    const res = await handleEventsReply([String(event.id), '"x"'], {});
+    expect(res.success).toBe(false);
+    if (res.success) throw new Error('expected failure');
+    expect(res.error).toContain('not an interview query');
+  });
+
+  it('reply rejects a non-JSON value', async () => {
+    const setupBus = openBus({ dbPath, events: defineEvents({}) });
+    const query = setupBus.emitRaw('config.required.lunacycle.domain', {
+      module: 'lunacycle',
+      key: 'domain',
+      type: 'string',
+      required: true,
+    });
+    setupBus.close();
+
+    // A bare word isn't valid JSON — the operator must quote strings.
+    const res = await handleEventsReply([String(query.id), 'lunacycle.net'], {});
+    expect(res.success).toBe(false);
+    if (res.success) throw new Error('expected failure');
+    expect(res.error).toContain('Invalid JSON value');
+  });
+
+  it('reply is idempotent — a second reply reports already-answered and does not re-emit', async () => {
+    const setupBus = openBus({ dbPath, events: defineEvents({}) });
+    const query = setupBus.emitRaw('config.required.lunacycle.domain', {
+      module: 'lunacycle',
+      key: 'domain',
+      type: 'string',
+      required: true,
+    });
+    setupBus.close();
+
+    const first = await handleEventsReply([String(query.id), '"a.net"'], {});
+    expect(first.success).toBe(true);
+    if (!first.success) throw new Error('expected success');
+    expect((first.data as { status: string }).status).toBe('replied');
+
+    const second = await handleEventsReply([String(query.id), '"b.net"'], {});
+    expect(second.success).toBe(true);
+    if (!second.success) throw new Error('expected success');
+    expect((second.data as { status: string }).status).toBe('already-answered');
+
+    const checkBus = openBus({ dbPath, events: defineEvents({}) });
+    const replies = checkBus.recentEvents({ type: 'config.required.lunacycle.domain.reply' });
+    checkBus.close();
+    expect(replies).toHaveLength(1);
+    expect(replies[0].payload).toEqual({ value: 'a.net' });
+  });
 });

package/src/cli/commands/events.ts

@@ -13,6 +13,7 @@
  *   drain                process pending deliveries once
  *   run                  long-running dispatcher (foreground; SIGINT to stop)
  *   emit <type> [json]   emit an event (operator/test path; bypasses schema)
+ *   reply <id> <value>   answer one pending interview query by event id
  *   ack <event_id>       mark a running delivery succeeded
  *   fail <event_id>      mark a running delivery failed
  *   repair               crash-recovery sweep without starting the dispatcher
@@ -34,6 +35,7 @@ import { createConsoleLogger } from '../../hooks/logger';
 import { runNamedHook } from '../../hooks/run-named-hook';
 import type { HookName } from '../../hooks/types';
 import type { ModuleManifest } from '../../manifest/schema';
+import type { EnsureRequiredPayload } from '../../services/bus-interview';
 import { installDaemon, readInstalledUnit, uninstallDaemon } from '../../services/events-daemon';
 import { getArg, hasFlag } from '../parser';
 import type { CommandResult } from '../types';
@@ -354,6 +356,247 @@ export async function handleEventsRepair(): Promise<CommandResult> {
   }
 }
 
+const INTERVIEW_FAMILIES = ['config', 'secret', 'ensure', 'aspect'] as const;
+type InterviewFamily = (typeof INTERVIEW_FAMILIES)[number];
+
+/** Classify a query event type into its interview family, or null if it isn't one. */
+function interviewFamily(type: string): InterviewFamily | null {
+  if (type.startsWith('config.required.')) return 'config';
+  if (type.startsWith('secret.required.')) return 'secret';
+  if (type.startsWith('ensure.required.')) return 'ensure';
+  if (type.startsWith('aspect.required.')) return 'aspect';
+  return null;
+}
+
+/**
+ * `celilo events reply <query-event-id> <value-json>` — answer ONE pending
+ * interview query by its event id. The one-shot reply primitive a
+ * `claude-config-responder` uses: read the question with
+ * `events tail --type 'config.required.*'`, ask the operator, emit the answer
+ * here. Unlike `events respond` (which must be subscribed BEFORE the query is
+ * emitted — bus watches don't replay history) this looks the query up by id
+ * and emits a correlated reply carrying `replyFor`, which plain `events emit`
+ * can't set.
+ *
+ * The query's event type selects how `<value-json>` is interpreted:
+ *   - config.required.<m>.<k>  → value is the answer itself ('"foo"', '8080',
+ *                                '["a","b"]'); replies { value }.
+ *   - secret.required.<m>.<k>  → value is the secret (string, or JSON object for
+ *                                structured secrets). Written out-of-band to the
+ *                                encrypted store; replies { acknowledged: true }
+ *                                so the value never lands on the bus.
+ *   - ensure.required.<p>.<id> → value is an object keyed by each input `target`
+ *                                (e.g. '{"config.x":"v","secret.y":"v"}'). Config
+ *                                targets go in the reply's `values`; secret targets
+ *                                are written out-of-band (merged into the JSON
+ *                                object keyed by the input's objectKey); replies
+ *                                { values, acknowledged? }.
+ *   - aspect.required.<m>.<r>  → value is a boolean — 'true' approves the
+ *                                base-module aspect, 'false' refuses it (ISS-0027).
+ *                                Replies { consented }; the deploy records the
+ *                                approval/denial.
+ */
+export async function handleEventsReply(
+  args: string[],
+  flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const idArg = getArg(args, 0);
+  const valueArg = getArg(args, 1);
+  if (!idArg || valueArg === undefined) {
+    return {
+      success: false,
+      error: `Usage: celilo events reply <query-event-id> <value-json>
+  e.g. celilo events reply 42 '"lunacycle.net"'`,
+    };
+  }
+  const queryId = Number(idArg);
+  if (!Number.isInteger(queryId)) {
+    return { success: false, error: 'query-event-id must be an integer (from `events tail`)' };
+  }
+
+  let value: unknown;
+  try {
+    value = JSON.parse(valueArg);
+  } catch (err) {
+    return {
+      success: false,
+      error: `Invalid JSON value: ${err instanceof Error ? err.message : String(err)}
+  Encode the answer as JSON, e.g. '"lunacycle.net"', '8080', '["a","b"]'.`,
+    };
+  }
+
+  const emittedBy =
+    typeof flags['emitted-by'] === 'string' ? flags['emitted-by'] : 'claude-config-responder';
+
+  const bus = openCliBus();
+  try {
+    const query = bus.getEvent(queryId);
+    if (!query) {
+      return {
+        success: false,
+        error: `No event with id ${queryId} on the bus (check \`celilo events tail\`).`,
+      };
+    }
+
+    const family = interviewFamily(query.type);
+    if (!family) {
+      return {
+        success: false,
+        error: `Event ${queryId} is type '${query.type}', not an interview query.
+  Expected one of: config.required.* / secret.required.* / ensure.required.* / aspect.required.*`,
+      };
+    }
+
+    // First-reply-wins: if a reply already landed for this query, don't
+    // double-answer (and don't re-write a secret). Report who answered so the
+    // caller's loop can move on rather than treat it as an error.
+    const existingReply = bus
+      .recentEvents({ limit: 500, type: `${query.type}.reply` })
+      .find((e) => e.replyFor === queryId);
+    if (existingReply) {
+      return jsonResult({
+        ok: true,
+        status: 'already-answered',
+        queryId,
+        type: query.type,
+        repliedBy: existingReply.emittedBy ?? null,
+      });
+    }
+
+    if (family === 'config') {
+      bus.emitRaw(`${query.type}.reply`, { value }, { replyFor: queryId, emittedBy });
+      return jsonResult({ ok: true, status: 'replied', queryId, type: query.type, family, value });
+    }
+
+    if (family === 'secret') {
+      const payload = query.payload as { module?: unknown; key?: unknown };
+      if (typeof payload?.module !== 'string' || typeof payload?.key !== 'string') {
+        return {
+          success: false,
+          error: `Secret query ${queryId} has a malformed payload (missing module/key).`,
+        };
+      }
+      const { getOrCreateMasterKey } = await import('../../secrets/master-key');
+      const { writeModuleSecretKey } = await import('../../services/config-interview');
+      const plaintext = typeof value === 'string' ? value : JSON.stringify(value);
+      const masterKey = await getOrCreateMasterKey();
+      await writeModuleSecretKey(payload.module, payload.key, plaintext, getDb(), masterKey);
+      bus.emitRaw(`${query.type}.reply`, { acknowledged: true }, { replyFor: queryId, emittedBy });
+      return jsonResult({
+        ok: true,
+        status: 'replied',
+        queryId,
+        type: query.type,
+        family,
+        secretWritten: `${payload.module}.${payload.key}`,
+      });
+    }
+
+    if (family === 'aspect') {
+      // Aspect-consent (ISS-0027): the reply carries only the decision; the
+      // deploy process records the approval/denial (it holds module/version/
+      // scope). Config-like — `'true'` approves, `'false'` refuses.
+      if (typeof value !== 'boolean') {
+        return {
+          success: false,
+          error: `Aspect-consent reply must be a JSON boolean — 'true' to approve the aspect, 'false' to refuse. Got: ${valueArg}`,
+        };
+      }
+      bus.emitRaw(`${query.type}.reply`, { consented: value }, { replyFor: queryId, emittedBy });
+      return jsonResult({
+        ok: true,
+        status: 'replied',
+        queryId,
+        type: query.type,
+        family,
+        consented: value,
+      });
+    }
+
+    // family === 'ensure'
+    const payload = query.payload as EnsureRequiredPayload;
+    if (typeof payload?.provider !== 'string' || !Array.isArray(payload?.inputs)) {
+      return {
+        success: false,
+        error: `Ensure query ${queryId} has a malformed payload (missing provider/inputs).`,
+      };
+    }
+    if (typeof value !== 'object' || value === null || Array.isArray(value)) {
+      const targets = payload.inputs.map((i) => i.target).join(', ');
+      return {
+        success: false,
+        error: `Ensure reply must be a JSON object keyed by input target, e.g.
+  '{"config.foo":"x","secret.bar":"y"}'
+  Required targets: ${targets}`,
+      };
+    }
+    const provided = value as Record<string, unknown>;
+
+    const { getOrCreateMasterKey } = await import('../../secrets/master-key');
+    const { readModuleSecretKey, writeModuleSecretKey } = await import(
+      '../../services/config-interview'
+    );
+    const db = getDb();
+    const replyValues: Record<string, unknown> = {};
+    let acknowledged = false;
+    let masterKey: Buffer | null = null;
+
+    for (const input of payload.inputs) {
+      const providedValue = provided[input.target];
+      if (providedValue === undefined) {
+        const targets = payload.inputs.map((i) => i.target).join(', ');
+        return {
+          success: false,
+          error: `Ensure reply is missing target '${input.target}'. Provide all of: ${targets}`,
+        };
+      }
+
+      if (input.target.startsWith('config.')) {
+        replyValues[input.target] = providedValue;
+        continue;
+      }
+
+      // Secret target: read-merge-write the JSON-encoded secret object so we
+      // never clobber sibling keys, then ack (value stays off the bus).
+      const name = input.target.slice('secret.'.length);
+      if (!masterKey) masterKey = await getOrCreateMasterKey();
+      let obj: Record<string, unknown> = {};
+      const currentRaw = await readModuleSecretKey(payload.provider, name, db, masterKey);
+      if (currentRaw) {
+        try {
+          const parsed = JSON.parse(currentRaw);
+          if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) {
+            obj = parsed as Record<string, unknown>;
+          }
+        } catch {
+          /* malformed existing secret — overwrite */
+        }
+      }
+      obj[input.objectKey] =
+        typeof providedValue === 'string' ? providedValue : JSON.stringify(providedValue);
+      await writeModuleSecretKey(payload.provider, name, JSON.stringify(obj), db, masterKey);
+      acknowledged = true;
+    }
+
+    bus.emitRaw(
+      `${query.type}.reply`,
+      acknowledged ? { values: replyValues, acknowledged: true } : { values: replyValues },
+      { replyFor: queryId, emittedBy },
+    );
+    return jsonResult({
+      ok: true,
+      status: 'replied',
+      queryId,
+      type: query.type,
+      family,
+      values: replyValues,
+      acknowledged,
+    });
+  } finally {
+    bus.close();
+  }
+}
+
 /**
  * `celilo events respond` — start a responder against the bus and
  * block. Two modes:

package/src/cli/commands/module-generate.ts

@@ -134,10 +134,11 @@ export async function handleModuleGenerate(
 
   if (moduleSecretsMissing.length > 0) {
     // interviewForMissingSecrets fires `secret.required.*` bus events for
-    // user_provided secrets and waits forever for a responder. In a
-    // non-interactive context (no TTY, no piped responder), that's a
-    // silent hang. Probe the bus first; if nothing answers, fail fast
-    // with an actionable error instead of stalling indefinitely.
+    // user_provided secrets and waits for a responder. busInterviewGuarded
+    // (ISS-0025) is the shared backstop that fails fast when none is listening,
+    // but we probe here FIRST so `module generate` can emit a command-tailored
+    // error: the full list of missing secrets plus a `module secret set` line
+    // for each. The shared guard would only name one prompt at a time.
     //
     // Auto-generated secrets (manifest `generate:` field or schema
     // source: 'generated') don't go through the bus, so missing-but-