@celilo/cli 0.4.0-alpha.1 → 0.4.0

package/src/module/packaging/build.test.ts

@@ -0,0 +1,75 @@
+/**
+ * Packaging bundles the module's hook-script runtime deps in full (ISS-0046):
+ * scripts/node_modules must land in the .netapp's checksummed payload so a
+ * module's hooks resolve their third-party deps (e.g. tldts) on a target with
+ * no reachable package registry. Other node_modules trees stay
+ * @celilo/capabilities-only.
+ */
+
+import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { computeChecksums } from './build';
+
+describe('computeChecksums — scripts/node_modules bundling (ISS-0046)', () => {
+  let dir: string;
+
+  function write(rel: string, content = 'x'): void {
+    const full = join(dir, rel);
+    mkdirSync(join(full, '..'), { recursive: true });
+    writeFileSync(full, content);
+  }
+
+  beforeEach(() => {
+    dir = mkdtempSync(join(tmpdir(), 'celilo-build-test-'));
+    write('manifest.yml', 'id: demo\n');
+    write('scripts/on-install.ts');
+    // Hook-script runtime closure — must all be bundled.
+    write('scripts/node_modules/@celilo/capabilities/src/dns-internal.ts');
+    write('scripts/node_modules/tldts/index.js');
+    write('scripts/node_modules/drizzle-orm/index.js');
+    // .bin holds symlink shims — excluded.
+    write('scripts/node_modules/.bin/tldts');
+    // A module-root node_modules: only @celilo/capabilities is kept.
+    write('node_modules/@celilo/capabilities/index.js');
+    write('node_modules/lodash/index.js');
+    // e2e/ is never part of the deployed module.
+    write('e2e/foo.test.ts');
+  });
+
+  afterEach(() => {
+    try {
+      rmSync(dir, { recursive: true, force: true });
+    } catch {
+      /* ignore */
+    }
+  });
+
+  it('bundles the full scripts/node_modules closure, drops .bin', async () => {
+    const { files } = await computeChecksums(dir);
+    const paths = Object.keys(files);
+
+    expect(paths).toContain('scripts/node_modules/@celilo/capabilities/src/dns-internal.ts');
+    expect(paths).toContain('scripts/node_modules/tldts/index.js');
+    expect(paths).toContain('scripts/node_modules/drizzle-orm/index.js');
+    expect(paths).not.toContain('scripts/node_modules/.bin/tldts');
+  });
+
+  it('keeps only @celilo/capabilities in a non-scripts node_modules', async () => {
+    const { files } = await computeChecksums(dir);
+    const paths = Object.keys(files);
+
+    expect(paths).toContain('node_modules/@celilo/capabilities/index.js');
+    expect(paths).not.toContain('node_modules/lodash/index.js');
+  });
+
+  it('excludes the module e2e/ directory and the manifest stays', async () => {
+    const { files } = await computeChecksums(dir);
+    const paths = Object.keys(files);
+
+    expect(paths).toContain('manifest.yml');
+    expect(paths).toContain('scripts/on-install.ts');
+    expect(paths.some((p) => p.startsWith('e2e/'))).toBe(false);
+  });
+});

package/src/module/packaging/build.ts

@@ -8,6 +8,7 @@ import { parse as parseYaml } from 'yaml';
 import { log } from '../../cli/prompts';
 import { validateModuleDirectory } from '../import';
 import { computeFileChecksum } from './checksum';
+import { includeNodeModulesPath } from './package-rules';
 import { signChecksums } from './signature';
 
 /**
@@ -48,9 +49,9 @@ export interface ModuleBuildResult {
 /**
  * Files/directories to exclude from package.
  *
- * `node_modules` is handled by `shouldExclude` directly (path-aware) so
- * the framework's own `@celilo/*` packages can still be bundled — see
- * the comment on shouldExclude for why.
+ * `node_modules` is NOT listed here — it's path-aware via the canonical
+ * `includeNodeModulesPath` rule (package-rules.ts), so the hook-script runtime
+ * closure is bundled while other node_modules is dropped.
  */
 const EXCLUDE_PATTERNS = [
   '.git',
@@ -75,12 +76,9 @@ const FRAMEWORK_OWNED_PATHS = new Set(['celilo/types.d.ts']);
  * Check if a path inside the source dir should be excluded from the
  * package.
  *
- * `node_modules` exclusion is path-aware: regular npm dependencies are
- * skipped (size + bun re-installs them at module-import time), but the
- * framework's own `@celilo/capabilities` package stays in. That
- * captures the capabilities API the module was authored against, so a
- * module's hooks aren't silently broken by a runtime that ships a
- * different version of `@celilo/capabilities` than the one on npm.
+ * The `node_modules` decision is delegated to the canonical
+ * `includeNodeModulesPath` rule (package-rules.ts) — the single source of truth
+ * the registry-server's bootstrap packager is held to as well (ISS-0046).
  */
 function shouldExclude(filePath: string): boolean {
   if (FRAMEWORK_OWNED_PATHS.has(filePath)) return true;
@@ -91,17 +89,8 @@ function shouldExclude(filePath: string): boolean {
   // not part of the deployed module.
   if (segments[0] === 'e2e') return true;
 
-  const nmIdx = segments.indexOf('node_modules');
-  if (nmIdx >= 0) {
-    // `node_modules` itself: descend so we can pick out @celilo/capabilities.
-    // The capabilities scope is the only thing we ship — it's the framework
-    // SDK the module was authored against. Everything else is regular npm
-    // cruft we'd just re-install on the target (or test-only deps inside
-    // packages like `@celilo/e2e` we don't want to drag in).
-    if (nmIdx + 1 >= segments.length) return false; // node_modules dir itself
-    if (segments[nmIdx + 1] !== '@celilo') return true;
-    if (nmIdx + 2 >= segments.length) return false; // node_modules/@celilo dir itself
-    return segments[nmIdx + 2] !== 'capabilities';
+  if (segments.includes('node_modules')) {
+    return !includeNodeModulesPath(filePath);
   }
 
   const name = basename(filePath);

package/src/module/packaging/package-rules.ts

@@ -0,0 +1,44 @@
+/**
+ * Canonical rule for which `node_modules` paths a module package bundles —
+ * the single source of truth for module packaging (ISS-0046).
+ *
+ * Two packagers must agree on this:
+ *   - apps/celilo/src/module/packaging/build.ts (`celilo package` / publish)
+ *   - packages/registry-server/src/bootstrap.ts (the e2e registry-sim's
+ *     on-demand packager — what the e2e actually serves)
+ *
+ * They can't share this at RUNTIME: the registry-server ships in a standalone
+ * Docker image with no `@celilo/*` deps, so it carries its own structural copy
+ * of the rule. Lockstep is instead enforced by a test
+ * (packages/registry-server/src/bootstrap-packaging.test.ts) that asserts the
+ * registry-server's packaging output conforms to THIS function — so a drift in
+ * either copy fails CI rather than shipping a broken `.netapp`.
+ *
+ * The rule itself: `scripts/node_modules` is the module's hook runtime, bundled
+ * in full (minus `.bin` symlink shims) so hooks resolve their third-party deps
+ * (tldts, drizzle-orm, …) on a target with no reachable registry; any OTHER
+ * `node_modules` ships only `@celilo/capabilities` — the authored-against SDK.
+ */
+
+/**
+ * Whether a module-relative path that contains a `node_modules` segment should
+ * be INCLUDED in the package. Paths without a `node_modules` segment are not
+ * this function's concern — it returns `true` for them (the caller applies its
+ * own non-node_modules exclusions).
+ */
+export function includeNodeModulesPath(relPath: string): boolean {
+  const segments = relPath.split('/');
+  const nmIdx = segments.indexOf('node_modules');
+  if (nmIdx < 0) return true;
+
+  // scripts/node_modules: the hook runtime closure — bundle everything but .bin.
+  if (nmIdx >= 1 && segments[nmIdx - 1] === 'scripts') {
+    return segments[nmIdx + 1] !== '.bin';
+  }
+
+  // Other node_modules: ship only @celilo/capabilities.
+  if (nmIdx + 1 >= segments.length) return true; // node_modules dir itself
+  if (segments[nmIdx + 1] !== '@celilo') return false;
+  if (nmIdx + 2 >= segments.length) return true; // node_modules/@celilo dir itself
+  return segments[nmIdx + 2] === 'capabilities';
+}

package/src/secrets/generators.test.ts

@@ -1,5 +1,18 @@
 import { describe, expect, test } from 'bun:test';
-import { deriveSecret, generateSecret } from './generators';
+import { deriveSecret, generateGpgPrivateKey, generateSecret } from './generators';
+
+describe('generateGpgPrivateKey', () => {
+  test('mints a base64-encoded ASCII-armored PGP private key', () => {
+    const b64 = generateGpgPrivateKey('apt.celilo.computer');
+    const armor = Buffer.from(b64, 'base64').toString('utf-8');
+    expect(armor).toContain('BEGIN PGP PRIVATE KEY BLOCK');
+    expect(armor).toContain('END PGP PRIVATE KEY BLOCK');
+  });
+
+  test('mints a distinct key each call (throwaway keyring)', () => {
+    expect(generateGpgPrivateKey('a@example.com')).not.toBe(generateGpgPrivateKey('a@example.com'));
+  });
+});
 
 describe('generateSecret', () => {
   test('generates base64 secret with default length', () => {

package/src/secrets/generators.ts

@@ -5,13 +5,75 @@
  * and derives related secrets (e.g., WireGuard public keys from private keys)
  */
 
-import { execSync } from 'node:child_process';
+import { execFileSync, execSync } from 'node:child_process';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
 
 export interface SecretGenerationOptions {
   format: string;
   length?: number;
 }
 
+/**
+ * Mint a passphraseless GPG/PGP signing key for `identity` and return the
+ * base64'd ASCII-armored PRIVATE key — the shape consuming Ansible roles decode
+ * (e.g. celilo-apt-repo's reprepro signing key). For `generate: {method: gpg}`
+ * secrets: celilo owns the signing key as infrastructure, not the operator.
+ *
+ * The key is generated in a throwaway GNUPGHOME (never touches the host
+ * operator's keyring) and is passphraseless because celilo encrypts it at rest
+ * in the secret store. Requires `gnupg` on the celilo host. Uses execFileSync
+ * (argv, no shell) so `identity` can't inject.
+ */
+export function generateGpgPrivateKey(identity: string): string {
+  const home = mkdtempSync(join(tmpdir(), 'celilo-gpg-'));
+  const env = { ...process.env, GNUPGHOME: home };
+  try {
+    execFileSync(
+      'gpg',
+      [
+        '--batch',
+        '--pinentry-mode',
+        'loopback',
+        '--passphrase',
+        '',
+        '--quick-generate-key',
+        identity,
+        'default',
+        'sign',
+        'never',
+      ],
+      { env, stdio: 'pipe' },
+    );
+    const armor = execFileSync(
+      'gpg',
+      [
+        '--batch',
+        '--pinentry-mode',
+        'loopback',
+        '--passphrase',
+        '',
+        '--armor',
+        '--export-secret-keys',
+      ],
+      { env, encoding: 'utf-8' },
+    );
+    if (!armor.includes('BEGIN PGP PRIVATE KEY')) {
+      throw new Error('gpg produced no private-key armor');
+    }
+    return Buffer.from(armor, 'utf-8').toString('base64');
+  } catch (err) {
+    throw new Error(
+      `Failed to generate GPG signing key for "${identity}": ${
+        err instanceof Error ? err.message : String(err)
+      }. Is gnupg installed on the celilo host?`,
+    );
+  } finally {
+    rmSync(home, { recursive: true, force: true });
+  }
+}
+
 export interface SecretDerivationOptions {
   sourceSecret: string;
   deriveMethod: string;

package/src/services/aspect-approvals.test.ts

@@ -11,6 +11,7 @@ import {
   computeAspectScopeHash,
   findAspectApproval,
   recordAspectApproval,
+  recordAspectConsent,
 } from './aspect-approvals';
 
 const baseAspect: BaseModuleAspect = {
@@ -120,7 +121,7 @@ describe('aspect-approvals', () => {
       expect(found?.scopeHash).toBe(written.scopeHash);
     });
 
-    it('rejects duplicate (moduleId, version) via unique constraint', () => {
+    it('upserts on duplicate (moduleId, version) — the latest decision wins', () => {
       insertModule('knot-unbound-internal', '1.0.0');
       const db = getDb();
       recordAspectApproval({
@@ -130,15 +131,19 @@ describe('aspect-approvals', () => {
         approver: null,
         db,
       });
-      expect(() =>
-        recordAspectApproval({
-          moduleId: 'knot-unbound-internal',
-          version: '1.0.0',
-          scopeHash: 'def',
-          approver: null,
-          db,
-        }),
-      ).toThrow();
+      // Re-deciding the same (module, version) overwrites rather than throwing
+      // — this is how a refusal flips to approval, or a scope change re-records.
+      recordAspectConsent({
+        moduleId: 'knot-unbound-internal',
+        version: '1.0.0',
+        scopeHash: 'def',
+        approver: null,
+        consented: false,
+        db,
+      });
+      const row = findAspectApproval('knot-unbound-internal', '1.0.0', db);
+      expect(row?.scopeHash).toBe('def'); // latest scope
+      expect(row?.consented).toBe(false); // latest decision (a refusal)
     });
 
     it('allows two approvals for the same module at different versions', () => {
@@ -202,6 +207,21 @@ describe('aspect-approvals', () => {
       expect(status).toBe('approved');
     });
 
+    it('returns "denied" when a matching-scope row recorded a refusal', () => {
+      insertModule('knot-unbound-internal', '1.0.0');
+      const db = getDb();
+      recordAspectConsent({
+        moduleId: 'knot-unbound-internal',
+        version: '1.0.0',
+        scopeHash: computeAspectScopeHash(baseAspect),
+        approver: null,
+        consented: false,
+        db,
+      });
+      const status = checkAspectApproval('knot-unbound-internal', '1.0.0', baseAspect, db);
+      expect(status).toBe('denied');
+    });
+
     it('returns "scope_changed" when scope diverges from a prior approval', () => {
       insertModule('knot-unbound-internal', '1.0.0');
       const db = getDb();

package/src/services/aspect-approvals.ts

@@ -21,7 +21,7 @@
  */
 
 import { createHash, randomUUID } from 'node:crypto';
-import { and, eq } from 'drizzle-orm';
+import { and, eq, sql } from 'drizzle-orm';
 import type { getDb } from '../db/client';
 import { aspectApprovals } from '../db/schema';
 import type { BaseModuleAspect } from '../manifest/schema';
@@ -66,15 +66,55 @@ export function findAspectApproval(
 }
 
 /**
- * Record operator approval for a module version's base-module
- * aspect. Caller is responsible for verifying that an approval
- * doesn't already exist (the unique constraint will reject
- * duplicates, but callers should check first to provide a clear
- * error path).
+ * Record the operator's consent DECISION for a module version's
+ * base-module aspect — `consented: true` (approve) or `false`
+ * (refuse, ISS-0027). Upserts on (moduleId, version): a later
+ * decision (e.g. a denial flipped to approval via
+ * `import --accept-aspects`, or a re-decision after a scope change)
+ * overwrites the prior one, keeping exactly one row per
+ * (module, version) reflecting the latest scope + decision.
  *
- * @param approver - operator identifier (e.g., $USER). Null when
- *   --accept-aspects is used in a context with no USER, or when
- *   approval is automated.
+ * @param approver - operator identifier (e.g., $USER). Null when the
+ *   decision was made in a context with no USER, or automated.
+ */
+export function recordAspectConsent(args: {
+  moduleId: string;
+  version: string;
+  scopeHash: string;
+  approver: string | null;
+  consented: boolean;
+  db: DbClient;
+}): typeof aspectApprovals.$inferSelect {
+  args.db
+    .insert(aspectApprovals)
+    .values({
+      id: randomUUID(),
+      moduleId: args.moduleId,
+      version: args.version,
+      scopeHash: args.scopeHash,
+      consented: args.consented,
+      approver: args.approver,
+    })
+    .onConflictDoUpdate({
+      target: [aspectApprovals.moduleId, aspectApprovals.version],
+      set: {
+        scopeHash: args.scopeHash,
+        consented: args.consented,
+        approver: args.approver,
+        approvedAt: sql`(unixepoch())`,
+      },
+    })
+    .run();
+  return findAspectApproval(
+    args.moduleId,
+    args.version,
+    args.db,
+  ) as typeof aspectApprovals.$inferSelect;
+}
+
+/**
+ * Record operator APPROVAL (consent = true). Thin wrapper over
+ * `recordAspectConsent` for the import path (`--accept-aspects`).
  */
 export function recordAspectApproval(args: {
   moduleId: string;
@@ -83,38 +123,28 @@ export function recordAspectApproval(args: {
   approver: string | null;
   db: DbClient;
 }): typeof aspectApprovals.$inferSelect {
-  const row = {
-    id: randomUUID(),
-    moduleId: args.moduleId,
-    version: args.version,
-    scopeHash: args.scopeHash,
-    approver: args.approver,
-  };
-  args.db.insert(aspectApprovals).values(row).run();
-  return args.db
-    .select()
-    .from(aspectApprovals)
-    .where(eq(aspectApprovals.id, row.id))
-    .get() as typeof aspectApprovals.$inferSelect;
+  return recordAspectConsent({ ...args, consented: true });
 }
 
 /**
- * Check whether the current (moduleId, version) has an approval
- * whose scope matches the manifest's declared aspect. Returns:
- *   - 'approved': there's an approval and its scope_hash matches
- *   - 'scope_changed': there's an approval but the manifest's
- *     scope is different (D7 — re-approval required before aspects
- *     fan out under the new scope)
- *   - 'no_approval': no approval row for this version
+ * Check the operator's consent state for the current (moduleId,
+ * version) against the manifest's declared aspect scope. Returns:
+ *   - 'approved': a matching-scope row with `consented: true` — run.
+ *   - 'denied': a matching-scope row with `consented: false` — the
+ *     operator explicitly refused (ISS-0027). Skip; do NOT re-prompt.
+ *   - 'scope_changed': a row exists but the manifest's scope differs
+ *     (D7 — the prior decision was about a different scope; re-prompt).
+ *   - 'no_approval': no row for this version — undecided; prompt.
  */
 export function checkAspectApproval(
   moduleId: string,
   version: string,
   aspect: BaseModuleAspect,
   db: DbClient,
-): 'approved' | 'scope_changed' | 'no_approval' {
+): 'approved' | 'denied' | 'scope_changed' | 'no_approval' {
   const existing = findAspectApproval(moduleId, version, db);
   if (!existing) return 'no_approval';
   const currentHash = computeAspectScopeHash(aspect);
-  return existing.scopeHash === currentHash ? 'approved' : 'scope_changed';
+  if (existing.scopeHash !== currentHash) return 'scope_changed';
+  return existing.consented ? 'approved' : 'denied';
 }