@celilo/cli 0.5.0-alpha.3 → 0.5.0-alpha.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.5.0-alpha.3",
+  "version": "0.5.0-alpha.4",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {
@@ -52,7 +52,7 @@
   },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.1024.0",
-    "@celilo/capabilities": "^0.4.1",
+    "@celilo/capabilities": "^0.4.2",
     "@celilo/cli-display": "^0.1.9",
     "@celilo/event-bus": "^0.1.6",
     "@clack/prompts": "^1.1.0",

package/src/cli/command-registry.ts

@@ -106,6 +106,11 @@ export const COMMANDS: CommandDef[] = [
         ],
       },
       { name: 'list-subscribers', description: 'List persistent bus subscribers' },
+      {
+        name: 'resync-subscriptions',
+        description:
+          "Rebuild subscribers from deployed modules' manifests (after a restore/migration)",
+      },
       {
         name: 'list-pending',
         description: 'List pending deliveries',

package/src/cli/commands/events.ts

@@ -192,6 +192,34 @@ export async function handleEventsListSubscribers(): Promise<CommandResult> {
   }
 }
 
+/**
+ * `celilo events resync-subscriptions` — rebuild the bus `subscribers` table
+ * from every deployed module's manifest. The reactive layer is registered at
+ * DEPLOY time and lives in the bus, which a restore/migration starts EMPTY — so
+ * after a cutover this re-establishes who-reacts-to-what without redeploying
+ * every module (ISS-0088). Idempotent.
+ */
+export async function handleEventsResyncSubscriptions(): Promise<CommandResult> {
+  try {
+    const { resyncAllSubscriptions } = await import('../../services/module-subscriptions');
+    const result = resyncAllSubscriptions();
+    const lines = [
+      `Re-registered ${result.registered} subscription(s) from ${result.modules} deployed module(s).`,
+    ];
+    if (result.failures.length > 0) {
+      const detail = result.failures.map((f) => `  ${f.moduleId}: ${f.error}`).join('\n');
+      return {
+        success: false,
+        error: `${result.failures.length} module(s) failed to re-register subscriptions:\n${detail}`,
+      };
+    }
+    lines.push('', 'A running dispatcher will now deliver events to these handlers.');
+    return { success: true, message: lines.join('\n'), data: result };
+  } catch (err) {
+    return { success: false, error: err instanceof Error ? err.message : String(err) };
+  }
+}
+
 export async function handleEventsListPending(
   _args: string[],
   flags: Record<string, string | boolean>,

package/src/cli/commands/module-publish.ts

@@ -238,6 +238,30 @@ export async function publishOneModule(
     }
   }
 
+  // ISS-0104: a module's hooks resolve @celilo/* from its OWN bundled
+  // scripts/node_modules (gitignored, prone to going stale). Refresh that
+  // closure and refuse to ship a stale capability SDK — a stale bundle
+  // silently runs old capability code even after a clean republish.
+  const { refreshAndVerifyBundledDeps } = await import(
+    '../../services/module-validator/bundled-deps'
+  );
+  const depCheck = refreshAndVerifyBundledDeps(resolvedDir);
+  if (depCheck.mismatches.length > 0 && !opts.allowStale) {
+    return {
+      moduleDir,
+      status: 'failed',
+      message: [
+        `${moduleDir}: bundled @celilo dependency is stale vs the workspace (ISS-0104):`,
+        ...depCheck.mismatches.map(
+          (m) => `  ${m.pkg}: bundled ${m.bundled}, workspace ${m.workspace}`,
+        ),
+        '  The deployed module would run the bundled (older) capability code.',
+        `  Fix: cd ${join(moduleDir, 'scripts')} && bun install   (then retry)`,
+        '  --allow-stale skips this check.',
+      ].join('\n'),
+    };
+  }
+
   // Assemble release metadata for the .netapp.
   const releaseMetadata = buildReleaseMetadata({
     moduleId: name,

package/src/cli/commands/restore.ts

@@ -93,9 +93,38 @@ export async function handleRestore(
     );
   }
 
+  // Re-register event-bus subscriptions from the restored modules' manifests.
+  // The bus (events.db) is NOT in the backup envelope, so a restore/migration
+  // starts with an EMPTY subscribers table — every event-driven reconcile (caddy
+  // public_web, dns register, namecheap's 15m DDNS refresh, …) is dormant until
+  // subscriptions are re-registered (ISS-0088). Reconstruct them from durable
+  // celilo.db state rather than requiring a redeploy of every module. Best-effort:
+  // the DB was just swapped + reopened, so on an unhappy reopen, point the
+  // operator at the standalone command (which runs in a fresh process).
+  let subsResynced: { modules: number; registered: number } | undefined;
+  try {
+    const { resyncAllSubscriptions } = await import('../../services/module-subscriptions');
+    const r = resyncAllSubscriptions();
+    subsResynced = { modules: r.modules, registered: r.registered };
+    if (r.failures.length > 0) {
+      log.warn(
+        `Re-registered ${r.registered} subscription(s); ${r.failures.length} module(s) failed — run \`celilo events resync-subscriptions\` to retry.`,
+      );
+    }
+  } catch (err) {
+    log.warn(
+      `Restore landed but event-bus subscriptions were not re-registered: ${err instanceof Error ? err.message : String(err)}. Event-driven reconciles stay dormant until you run \`celilo events resync-subscriptions\`.`,
+    );
+  }
+
   // Build the success message.
   const lines: string[] = ['Restore complete.'];
   if (result.systemDbApplied) lines.push('  • celilo.db swapped into place');
+  if (subsResynced) {
+    lines.push(
+      `  • re-registered ${subsResynced.registered} event-bus subscription(s) from ${subsResynced.modules} deployed module(s)`,
+    );
+  }
   if (result.masterKeyApplied) lines.push('  • master.key swapped into place');
   if (result.sshKeyApplied) lines.push('  • fleet SSH key restored to <data-dir>/.ssh/');
   if (result.moduleSourcesApplied && result.moduleSourcesApplied > 0) {

package/src/cli/completion.ts

@@ -82,6 +82,7 @@ export async function getCompletions(words: string[], current: number): Promise<
       'status',
       'tail',
       'list-subscribers',
+      'resync-subscriptions',
       'list-pending',
       'drain',
       'run',

package/src/cli/index.ts

@@ -22,6 +22,7 @@ import {
   handleEventsRepair,
   handleEventsReply,
   handleEventsRespond,
+  handleEventsResyncSubscriptions,
   handleEventsRun,
   handleEventsRunHook,
   handleEventsShowDaemon,
@@ -257,6 +258,7 @@ Subcommands:
   status                       Print bus health as JSON
   tail [--type T] [--limit N]  Recent events as JSON
   list-subscribers             List persistent bus subscribers
+  resync-subscriptions         Rebuild subscribers from deployed modules' manifests (after a restore/migration)
   list-pending [--subscriber]  List pending deliveries
   drain [--concurrency N]      Process pending deliveries once and return
   run [--poll-ms N]            Run the long-running dispatcher (foreground)
@@ -1194,6 +1196,8 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
         return handleEventsTail(parsed.args, parsed.flags);
       case 'list-subscribers':
         return handleEventsListSubscribers();
+      case 'resync-subscriptions':
+        return handleEventsResyncSubscriptions();
       case 'list-pending':
         return handleEventsListPending(parsed.args, parsed.flags);
       case 'drain':

package/src/hooks/capability-loader.ts

@@ -62,6 +62,10 @@ const CAPABILITY_MODULE_MAP: Record<string, { script: string; legacyFactoryName:
     script: 'scripts/idp-functions.ts',
     legacyFactoryName: 'createIdp',
   },
+  git_forge: {
+    script: 'scripts/git-forge-functions.ts',
+    legacyFactoryName: 'createForgejoGitForge',
+  },
   dhcp_server: {
     script: 'scripts/dhcp-server-functions.ts',
     legacyFactoryName: 'default',

package/src/services/module-subscriptions.test.ts

@@ -3,11 +3,14 @@ import { mkdtempSync, rmSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { defineEvents, openBus } from '@celilo/event-bus';
+import { closeDb, getDb } from '../db/client';
 import { ModuleSubscriptionSchema } from '../manifest/schema';
 import type { ModuleManifest } from '../manifest/schema';
+import { setupTestDatabase as migrateDbFile } from '../test-utils/setup-test-db';
 import {
   registerModuleSubscriptions,
   resolveSubscription,
+  resyncAllSubscriptions,
   unregisterModuleSubscriptions,
 } from './module-subscriptions';
 
@@ -253,3 +256,88 @@ describe('register / unregister roundtrip', () => {
     }
   });
 });
+
+describe('resyncAllSubscriptions (ISS-0088)', () => {
+  let dir: string;
+  let busPath: string;
+
+  beforeEach(async () => {
+    closeDb();
+    dir = mkdtempSync(join(tmpdir(), 'resync-test-'));
+    busPath = join(dir, 'events.db');
+    process.env.CELILO_DB_PATH = join(dir, 'celilo.db');
+    process.env.EVENT_BUS_DB = busPath;
+    // Migrate the celilo.db file getDb() will open (resyncAllSubscriptions reads it).
+    const setupDb = await migrateDbFile(join(dir, 'celilo.db'));
+    setupDb.$client.close();
+  });
+  afterEach(() => {
+    closeDb();
+    process.env.CELILO_DB_PATH = undefined;
+    process.env.EVENT_BUS_DB = undefined;
+    try {
+      rmSync(dir, { recursive: true, force: true });
+    } catch {
+      /* ignore */
+    }
+  });
+
+  function seedModule(
+    id: string,
+    state: string,
+    subs: Array<{ name: string; pattern: string; handler: string }>,
+  ): void {
+    const manifest = JSON.stringify({
+      celilo_contract: '1.0',
+      id,
+      name: id,
+      version: '1.0.0',
+      requires: { capabilities: [] },
+      provides: { capabilities: [] },
+      variables: { owns: [], imports: [] },
+      subscriptions: subs,
+    });
+    getDb().$client.run(
+      'INSERT INTO modules (id, name, version, source_path, manifest_data, state) VALUES (?, ?, ?, ?, ?, ?)',
+      [id, id, '1.0.0', '/p', manifest, state],
+    );
+  }
+
+  function subscriberNames(): string[] {
+    const bus = openBus({ dbPath: busPath, events: defineEvents({}) });
+    try {
+      return bus.db
+        .query<{ name: string }, []>('SELECT name FROM subscribers ORDER BY name')
+        .all()
+        .map((r) => r.name);
+    } finally {
+      bus.close();
+    }
+  }
+
+  it('registers subs for DEPLOYED modules only, skipping imported/undeployed', () => {
+    seedModule('caddy', 'VERIFIED', [
+      { name: 'reconcile', pattern: 'public_web.routes_changed', handler: 'echo' },
+    ]);
+    seedModule('technitium', 'INSTALLED', [
+      { name: 'dns', pattern: 'system.created.*', handler: 'echo' },
+    ]);
+    seedModule('forgejo', 'IMPORTED', [{ name: 'x', pattern: 'y', handler: 'echo' }]);
+    seedModule('greenwave', 'VERIFIED', []); // deployed but declares no subs
+
+    const result = resyncAllSubscriptions();
+
+    expect(result.modules).toBe(2); // caddy + technitium (forgejo not deployed, greenwave has none)
+    expect(result.registered).toBe(2);
+    expect(result.failures).toEqual([]);
+    // forgejo.x absent — it was IMPORTED, not deployed.
+    expect(subscriberNames()).toEqual(['caddy.reconcile', 'technitium.dns']);
+  });
+
+  it('is idempotent — a second resync does not duplicate rows', () => {
+    seedModule('caddy', 'VERIFIED', [{ name: 'reconcile', pattern: 'a', handler: 'echo' }]);
+    resyncAllSubscriptions();
+    resyncAllSubscriptions();
+    expect(subscriberNames()).toEqual(['caddy.reconcile']);
+  });
+});

package/src/services/module-subscriptions.ts

@@ -14,8 +14,12 @@
  * colliding.
  */
 
+import { join } from 'node:path';
 import { defineEvents, openBus } from '@celilo/event-bus';
-import { getEventBusPath } from '../config/paths';
+import { inArray } from 'drizzle-orm';
+import { getEventBusPath, getModuleStoragePath } from '../config/paths';
+import { getDb } from '../db/client';
+import { modules } from '../db/schema';
 import type { ModuleManifest, ModuleSubscription } from '../manifest/schema';
 
 /**
@@ -126,6 +130,51 @@ export function unregisterModuleSubscriptions(moduleId: string): {
   }
 }
 
+/**
+ * Rebuild the event-bus `subscribers` table from every deployed module's
+ * manifest `subscriptions:`. The reactive layer (who-reacts-to-what) is
+ * registered at module DEPLOY time and lives in the bus (events.db), which a
+ * restore/migration starts EMPTY — so after a cutover, event-driven reconciles
+ * (caddy public_web, dns register, …) are dead until every module redeploys
+ * (ISS-0088). This reconstructs them from durable celilo.db state instead.
+ *
+ * Idempotent (registerModuleSubscriptions upserts by subscriber name). Per-module
+ * failures are collected, not thrown, so one bad manifest doesn't abort the rest.
+ */
+export function resyncAllSubscriptions(): {
+  modules: number;
+  registered: number;
+  failures: Array<{ moduleId: string; error: string }>;
+} {
+  const db = getDb();
+  const deployed = db
+    .select()
+    .from(modules)
+    .where(inArray(modules.state, ['INSTALLED', 'VERIFIED']))
+    .all();
+
+  let modulesWithSubs = 0;
+  let registered = 0;
+  const failures: Array<{ moduleId: string; error: string }> = [];
+
+  for (const mod of deployed) {
+    const manifest = mod.manifestData as unknown as ModuleManifest;
+    if (!manifest?.subscriptions?.length) continue;
+    // Code always lives at ${getModuleStoragePath()}/<id> by construction
+    // (import.ts) — the same path module-upgrade re-registers from (ISS-0091).
+    const modulePath = join(getModuleStoragePath(), mod.id);
+    try {
+      const result = registerModuleSubscriptions(manifest, modulePath);
+      registered += result.registered;
+      modulesWithSubs += 1;
+    } catch (err) {
+      failures.push({ moduleId: mod.id, error: err instanceof Error ? err.message : String(err) });
+    }
+  }
+
+  return { modules: modulesWithSubs, registered, failures };
+}
+
 function scopedName(moduleId: string, subName: string): string {
   return `${moduleId}.${subName}`;
 }

package/src/services/module-validator/bundled-deps.test.ts

@@ -0,0 +1,55 @@
+import { describe, expect, test } from 'bun:test';
+import { findStaleBundledDeps, refreshAndVerifyBundledDeps } from './bundled-deps';
+
+describe('findStaleBundledDeps (ISS-0104)', () => {
+  test('flags a bundled @celilo dep older than the workspace', () => {
+    const mismatches = findStaleBundledDeps(
+      { '@celilo/capabilities': '0.1.8' },
+      { '@celilo/capabilities': '0.4.1' },
+    );
+    expect(mismatches).toEqual([
+      { pkg: '@celilo/capabilities', bundled: '0.1.8', workspace: '0.4.1' },
+    ]);
+  });
+
+  test('no mismatch when bundled matches workspace', () => {
+    expect(
+      findStaleBundledDeps(
+        { '@celilo/capabilities': '0.4.1', '@celilo/event-bus': '0.1.6' },
+        { '@celilo/capabilities': '0.4.1', '@celilo/event-bus': '0.1.6' },
+      ),
+    ).toEqual([]);
+  });
+
+  test('ignores workspace packages the module does not bundle', () => {
+    // Module bundles only capabilities; cli-display is a workspace package but
+    // not in this module's closure — must not be flagged.
+    expect(
+      findStaleBundledDeps(
+        { '@celilo/capabilities': '0.4.1' },
+        { '@celilo/capabilities': '0.4.1', '@celilo/cli-display': '0.1.9' },
+      ),
+    ).toEqual([]);
+  });
+
+  test('flags each stale dep independently', () => {
+    const mismatches = findStaleBundledDeps(
+      { '@celilo/capabilities': '0.1.8', '@celilo/event-bus': '0.1.6' },
+      { '@celilo/capabilities': '0.4.1', '@celilo/event-bus': '0.1.6' },
+    );
+    expect(mismatches).toEqual([
+      { pkg: '@celilo/capabilities', bundled: '0.1.8', workspace: '0.4.1' },
+    ]);
+  });
+});
+
+describe('refreshAndVerifyBundledDeps (ISS-0104)', () => {
+  test('no-op for a module without scripts/package.json', () => {
+    let installs = 0;
+    const result = refreshAndVerifyBundledDeps('/tmp/does-not-exist-module-xyz', () => {
+      installs++;
+    });
+    expect(result).toEqual({ refreshed: false, mismatches: [] });
+    expect(installs).toBe(0);
+  });
+});

package/src/services/module-validator/bundled-deps.ts

@@ -0,0 +1,115 @@
+/**
+ * ISS-0104: a module's hooks resolve `@celilo/*` from the module's OWN
+ * `scripts/node_modules` (nearest-wins), and those are gitignored local
+ * installs that go stale. The publish bundles them as-is, so a deployed module
+ * can silently run capability code months older than what was just published
+ * (e.g. caddy shipped capabilities@0.1.8 while the workspace was at 0.4.1, so
+ * ISS-0102 never reached the rendered Caddyfile).
+ *
+ * Before packing, the publish refreshes a module's `scripts/` deps and verifies
+ * the bundled `@celilo/*` versions match the workspace — the versions being
+ * co-published. A mismatch fails the publish (unless --allow-stale).
+ */
+
+import { execSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+
+/** The @celilo workspace packages a module may bundle (by published name). */
+const CELILO_WORKSPACE_PACKAGES = ['capabilities', 'cli-display', 'event-bus'] as const;
+
+export interface DepMismatch {
+  pkg: string;
+  bundled: string;
+  workspace: string;
+}
+
+/**
+ * Pure: which bundled `@celilo/*` versions differ from the workspace. Only deps
+ * the module actually bundles AND the workspace owns are compared — a module
+ * that doesn't bundle a given package, or a package the workspace doesn't own,
+ * is ignored.
+ */
+export function findStaleBundledDeps(
+  bundled: Record<string, string>,
+  workspace: Record<string, string>,
+): DepMismatch[] {
+  const mismatches: DepMismatch[] = [];
+  for (const [pkg, wsVersion] of Object.entries(workspace)) {
+    const bundledVersion = bundled[pkg];
+    if (bundledVersion && bundledVersion !== wsVersion) {
+      mismatches.push({ pkg, bundled: bundledVersion, workspace: wsVersion });
+    }
+  }
+  return mismatches;
+}
+
+function readVersion(packageJsonPath: string): string | undefined {
+  try {
+    const parsed = JSON.parse(readFileSync(packageJsonPath, 'utf-8')) as { version?: string };
+    return parsed.version;
+  } catch {
+    return undefined;
+  }
+}
+
+/** Find the monorepo root (the dir with `packages/capabilities`) by walking up. */
+function findWorkspaceRoot(start: string): string | undefined {
+  let dir = start;
+  for (let depth = 0; depth < 8; depth++) {
+    if (existsSync(join(dir, 'packages', 'capabilities', 'package.json'))) return dir;
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return undefined;
+}
+
+export interface RefreshResult {
+  /** Whether the module had a scripts/ package to refresh. */
+  refreshed: boolean;
+  /** Bundled @celilo/* that don't match the workspace (empty = clean). */
+  mismatches: DepMismatch[];
+}
+
+/**
+ * Refresh a module's `scripts/` deps (so the bundled hook runtime is current)
+ * and verify the bundled `@celilo/*` versions match the workspace. No-op for a
+ * module without `scripts/package.json`, or when run outside the monorepo (a
+ * standalone module has no workspace to compare against — refresh only).
+ *
+ * `run` is injected so tests can stub the `bun install` side effect.
+ */
+export function refreshAndVerifyBundledDeps(
+  moduleDir: string,
+  run: (cmd: string, cwd: string) => void = (cmd, cwd) =>
+    void execSync(cmd, { cwd, stdio: 'pipe' }),
+): RefreshResult {
+  const scriptsDir = join(moduleDir, 'scripts');
+  if (!existsSync(join(scriptsDir, 'package.json'))) {
+    return { refreshed: false, mismatches: [] };
+  }
+
+  // Reconcile node_modules with the lockfile + package.json pins so the pack
+  // bundles a CURRENT closure, not whatever the operator last installed.
+  run('bun install', scriptsDir);
+
+  const workspaceRoot = findWorkspaceRoot(moduleDir);
+  if (!workspaceRoot) {
+    return { refreshed: true, mismatches: [] };
+  }
+
+  const workspace: Record<string, string> = {};
+  for (const name of CELILO_WORKSPACE_PACKAGES) {
+    const version = readVersion(join(workspaceRoot, 'packages', name, 'package.json'));
+    if (version) workspace[`@celilo/${name}`] = version;
+  }
+
+  const bundled: Record<string, string> = {};
+  for (const pkg of Object.keys(workspace)) {
+    const version = readVersion(join(scriptsDir, 'node_modules', pkg, 'package.json'));
+    if (version) bundled[pkg] = version;
+  }
+
+  return { refreshed: true, mismatches: findStaleBundledDeps(bundled, workspace) };
+}