@celilo/cli 0.5.0-alpha.5 → 0.5.0-alpha.7

package/src/config/paths.test.ts

@@ -1,4 +1,5 @@
 import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
+import { skipIntegration } from '../test-utils/integration-guard';
 import { getDataDir, getDbPath, getMasterKeyPath, getModuleStoragePath } from './paths';
 
 describe('paths configuration', () => {
@@ -34,18 +35,21 @@ describe('paths configuration', () => {
       expect(path).toMatch(/celilo-data\/modules$/);
     });
 
-    it('returns platform-specific path by default', () => {
-      process.env.CELILO_DATA_DIR = undefined;
-      process.env.ENVIRONMENT = undefined;
+    it.skipIf(skipIntegration({ platform: 'darwin' }))(
+      'returns platform-specific path by default',
+      () => {
+        process.env.CELILO_DATA_DIR = undefined;
+        process.env.ENVIRONMENT = undefined;
 
-      const path = getModuleStoragePath();
+        const path = getModuleStoragePath();
 
-      if (process.platform === 'darwin') {
-        expect(path).toMatch(/Library\/Application Support\/celilo\/modules$/);
-      } else {
-        expect(path).toBe('/var/lib/celilo/modules');
-      }
-    });
+        if (process.platform === 'darwin') {
+          expect(path).toMatch(/Library\/Application Support\/celilo\/modules$/);
+        } else {
+          expect(path).toBe('/var/lib/celilo/modules');
+        }
+      },
+    );
 
     it('prioritizes CELILO_DATA_DIR over ENVIRONMENT=dev', () => {
       process.env.CELILO_DATA_DIR = '/custom/data';
@@ -73,18 +77,21 @@ describe('paths configuration', () => {
       expect(path).toMatch(/celilo-data$/);
     });
 
-    it('returns platform-specific path by default', () => {
-      process.env.CELILO_DATA_DIR = undefined;
-      process.env.ENVIRONMENT = undefined;
-
-      const path = getDataDir();
-
-      if (process.platform === 'darwin') {
-        expect(path).toMatch(/Library\/Application Support\/celilo$/);
-      } else {
-        expect(path).toBe('/var/lib/celilo');
-      }
-    });
+    it.skipIf(skipIntegration({ platform: 'darwin' }))(
+      'returns platform-specific path by default',
+      () => {
+        process.env.CELILO_DATA_DIR = undefined;
+        process.env.ENVIRONMENT = undefined;
+
+        const path = getDataDir();
+
+        if (process.platform === 'darwin') {
+          expect(path).toMatch(/Library\/Application Support\/celilo$/);
+        } else {
+          expect(path).toBe('/var/lib/celilo');
+        }
+      },
+    );
   });
 
   describe('getMasterKeyPath', () => {
@@ -103,19 +110,22 @@ describe('paths configuration', () => {
       expect(path).toBe('/custom/data/master.key');
     });
 
-    it('uses platform-specific data dir by default', () => {
-      process.env.CELILO_MASTER_KEY_PATH = undefined;
-      process.env.CELILO_DATA_DIR = undefined;
-      process.env.ENVIRONMENT = undefined;
-
-      const path = getMasterKeyPath();
-
-      if (process.platform === 'darwin') {
-        expect(path).toMatch(/Library\/Application Support\/celilo\/master\.key$/);
-      } else {
-        expect(path).toBe('/var/lib/celilo/master.key');
-      }
-    });
+    it.skipIf(skipIntegration({ platform: 'darwin' }))(
+      'uses platform-specific data dir by default',
+      () => {
+        process.env.CELILO_MASTER_KEY_PATH = undefined;
+        process.env.CELILO_DATA_DIR = undefined;
+        process.env.ENVIRONMENT = undefined;
+
+        const path = getMasterKeyPath();
+
+        if (process.platform === 'darwin') {
+          expect(path).toMatch(/Library\/Application Support\/celilo\/master\.key$/);
+        } else {
+          expect(path).toBe('/var/lib/celilo/master.key');
+        }
+      },
+    );
   });
 
   describe('getDbPath', () => {
@@ -128,19 +138,22 @@ describe('paths configuration', () => {
       expect(path).toBe('/custom/path/celilo.db');
     });
 
-    it('returns data dir + celilo.db on macOS in production', () => {
-      process.env.CELILO_DB_PATH = undefined;
-      process.env.CELILO_DATA_DIR = undefined;
-      process.env.ENVIRONMENT = undefined;
-
-      const path = getDbPath();
-
-      if (process.platform === 'darwin') {
-        expect(path).toMatch(/Library\/Application Support\/celilo\/celilo.db$/);
-      } else {
-        expect(path).toBe('/var/lib/celilo/celilo.db');
-      }
-    });
+    it.skipIf(skipIntegration({ platform: 'darwin' }))(
+      'returns data dir + celilo.db on macOS in production',
+      () => {
+        process.env.CELILO_DB_PATH = undefined;
+        process.env.CELILO_DATA_DIR = undefined;
+        process.env.ENVIRONMENT = undefined;
+
+        const path = getDbPath();
+
+        if (process.platform === 'darwin') {
+          expect(path).toMatch(/Library\/Application Support\/celilo\/celilo.db$/);
+        } else {
+          expect(path).toBe('/var/lib/celilo/celilo.db');
+        }
+      },
+    );
 
     it('returns celilo-data/celilo.db in development mode', () => {
       process.env.CELILO_DB_PATH = undefined;

package/src/hooks/capability-loader-firewall.test.ts

@@ -37,7 +37,7 @@ export default defineCapabilityFunction({
   capability: 'firewall',
   handler: ({ config, secrets }) => ({
     exposeService: async (opts) => ({
-      externalIp: '71.36.99.96',
+      externalIp: '203.0.113.10',
       natIp: opts.internalIp,
     }),
     unexposeService: async () => {},
@@ -135,7 +135,7 @@ describe('Firewall Chain Building', () => {
       ports: [80],
       description: 'test',
     });
-    expect(exposed.externalIp).toBe('71.36.99.96');
+    expect(exposed.externalIp).toBe('203.0.113.10');
   });
 
   test('builds chain with two providers (iptables → greenwave)', async () => {
@@ -206,7 +206,7 @@ describe('Firewall Chain Building', () => {
     });
 
     // External IP came from greenwave (leaf)
-    expect(exposed.externalIp).toBe('71.36.99.96');
+    expect(exposed.externalIp).toBe('203.0.113.10');
     // NAT IP is iptables' NAT address
     expect(exposed.natIp).toBe('192.168.0.253');
     // iptables created local rules

package/src/infrastructure/property-extractor.test.ts

@@ -78,6 +78,21 @@ describe('extractProxmoxProperties', () => {
     });
   });
 
+  test('omits vm_template when the service config has none (LXC services)', () => {
+    const properties = extractProxmoxProperties(100, '10.0.10.5', 'caddy', mockProxmoxConfig);
+    // Omitted, not empty — so a required-infrastructure `vm_template` var fails
+    // loudly rather than resolving to "".
+    expect('vm_template' in properties).toBe(false);
+  });
+
+  test('includes vm_template when the service config provides one (VM services)', () => {
+    const properties = extractProxmoxProperties(100, '10.0.10.5', 'builder', {
+      ...mockProxmoxConfig,
+      vm_template: 'ubuntu-2204-cloudinit',
+    });
+    expect(properties.vm_template).toBe('ubuntu-2204-cloudinit');
+  });
+
   test('converts vmid number to string', () => {
     const properties = extractProxmoxProperties(12345, '10.0.20.15', 'caddy', mockProxmoxConfig);
 

package/src/infrastructure/property-extractor.ts

@@ -47,6 +47,13 @@ export interface ProxmoxProviderConfig {
   default_target_node: string;
   lxc_template: string;
   storage: string;
+  /**
+   * Cloud-init VM template to clone for `requires.system.type: vm` modules — the
+   * VM analogue of `lxc_template`. Optional: only Proxmox services that host VM
+   * modules configure it. A VM module declares `vm_template` as a *required*
+   * infrastructure var, so a service missing it fails loudly at resolution.
+   */
+  vm_template?: string;
 }
 
 /**
@@ -72,6 +79,11 @@ export function extractProxmoxProperties(
     target_node: providerConfig.default_target_node,
     lxc_template: providerConfig.lxc_template,
     storage: providerConfig.storage,
+    // VM clone source — present only when the service configures it. VM modules
+    // declare `vm_template` as a required infrastructure var (resolution errors
+    // if absent); LXC modules never reference it. Omitted (not empty) when unset
+    // so the resolver's required/optional handling stays correct.
+    ...(providerConfig.vm_template ? { vm_template: providerConfig.vm_template } : {}),
   };
 }
 

package/src/manifest/schema.ts

@@ -311,6 +311,13 @@ export const SystemResourceSchema = z.object({
   memory: z.number().int().positive().optional().describe('Recommended memory in MB'),
   disk: z.number().int().positive().optional().describe('Recommended disk size in GB'),
   storage: z.string().optional().describe('Proxmox storage backend (defaults to system config)'),
+  type: z
+    .enum(['lxc', 'vm'])
+    .default('lxc')
+    .describe(
+      'Proxmox provisioning type: lxc (default) or vm (qemu, for Docker / kernel-module workloads). ' +
+        'Modules declare this explicitly; celilo never infers it. Moot for machine-pool / external infra.',
+    ),
   zone: z
     .enum(['internal', 'dmz', 'app', 'secure', 'external'])
     .describe('Required security zone for this module'),

package/src/manifest/validate.test.ts

@@ -77,6 +77,59 @@ variables:
     }
   });
 
+  test('requires.system.type defaults to lxc when omitted', () => {
+    const yaml = `
+${CONTRACT_LINE}
+id: homebridge
+name: Homebridge
+version: 1.0.0
+requires:
+  system:
+    cpu: 1
+    zone: app
+`;
+    const result = validateManifest(yaml);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.requires.system?.type).toBe('lxc');
+    }
+  });
+
+  test('requires.system.type accepts an explicit vm', () => {
+    const yaml = `
+${CONTRACT_LINE}
+id: forgejo-runner
+name: Forgejo Runner
+version: 1.0.0
+requires:
+  system:
+    cpu: 4
+    memory: 8192
+    type: vm
+    zone: dmz
+`;
+    const result = validateManifest(yaml);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.requires.system?.type).toBe('vm');
+    }
+  });
+
+  test('requires.system.type rejects an unknown infra type', () => {
+    const yaml = `
+${CONTRACT_LINE}
+id: homebridge
+name: Homebridge
+version: 1.0.0
+requires:
+  system:
+    type: container
+    zone: app
+`;
+    const result = validateManifest(yaml);
+    expect(result.success).toBe(false);
+  });
+
   test('should validate dns-external manifest with capability provider', () => {
     const yaml = `
 ${CONTRACT_LINE}

package/src/services/bus-interview.test.ts

@@ -42,7 +42,7 @@ describe('busInterview', () => {
     const watch = responderBus.watch('config.required.lunacycle.domain', (event) => {
       responderBus.emitRaw(
         `${event.type}.reply`,
-        { value: 'lunacycle.net' },
+        { value: 'example.net' },
         { replyFor: event.id, emittedBy: 'test-responder' },
       );
     });
@@ -58,7 +58,7 @@ describe('busInterview', () => {
       payload,
     );
 
-    expect(reply.value).toBe('lunacycle.net');
+    expect(reply.value).toBe('example.net');
 
     watch.close();
     responderBus.close();

package/src/services/bus-secret-flow.test.ts

@@ -350,7 +350,7 @@ describe('bus-mediated interviewForMissingSecrets', () => {
     const { seen, close } = startTestResponder(
       bus,
       'secret.required.testmod.ddns_passwords',
-      { value: JSON.stringify({ 'lunacycle.net': 'pw1', 'celilo.computer': 'pw2' }) },
+      { value: JSON.stringify({ 'example.net': 'pw1', 'celilo.computer': 'pw2' }) },
       testDb,
     );
 
@@ -380,7 +380,7 @@ describe('bus-mediated interviewForMissingSecrets', () => {
 
     const masterKey = await getOrCreateMasterKey();
     const stored = await readModuleSecretKey('testmod', 'ddns_passwords', testDb, masterKey);
-    expect(stored).toBe(JSON.stringify({ 'lunacycle.net': 'pw1', 'celilo.computer': 'pw2' }));
+    expect(stored).toBe(JSON.stringify({ 'example.net': 'pw1', 'celilo.computer': 'pw2' }));
 
     close();
   });

package/src/services/celilo-mgmt-hooks.test.ts

@@ -18,6 +18,7 @@ import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
 import { existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
+import { skipIntegration } from '../test-utils/integration-guard';
 
 import type { HookContext } from '@celilo/capabilities';
 
@@ -77,7 +78,7 @@ function buildContext(extras: Record<string, unknown>): HookContext {
   } as HookContext;
 }
 
-describe('celilo-mgmt on_backup', () => {
+describe.skipIf(skipIntegration({ tools: ['wg'] }))('celilo-mgmt on_backup', () => {
   let dir: string;
   let backupDir: string;
   let crossModuleRoot: string;
@@ -214,7 +215,7 @@ describe('celilo-mgmt on_backup', () => {
   });
 });
 
-describe('celilo-mgmt on_restore', () => {
+describe.skipIf(skipIntegration({ tools: ['wg'] }))('celilo-mgmt on_restore', () => {
   let dir: string;
   let restoreDir: string;
   let crossModuleWriteRoot: string;

package/src/services/deploy-validation.test.ts

@@ -265,8 +265,8 @@ describe('findMissingSecrets (shared)', () => {
     // The terminal-responder reads these off the bus payload to apply
     // input-time regex validation. Without manifest → MissingVariable
     // propagation, the responder never sees them and operators end
-    // up entering invalid keys (e.g. 'www.lunacycle.net' instead of
-    // the apex 'lunacycle.net').
+    // up entering invalid keys (e.g. 'www.example.net' instead of
+    // the apex 'example.net').
     const missing = await findMissingSecrets(
       'testmod',
       {

package/src/services/dns-provider-backfill.test.ts

@@ -105,14 +105,14 @@ describe('backfillWebRouteDns (ISS-0029)', () => {
     seedFirewall('100.64.0.1');
     seedRoute('apt.celilo.computer', '/');
     seedRoute('apt.celilo.computer', '/-/publish'); // same host, different path → deduped
-    seedRoute('registry.lunacycle.net', '/');
+    seedRoute('registry.example.net', '/');
 
     const calls: DnsRecordRequest[] = [];
     await backfillWebRouteDns('technitium', getDb(), silentLogger, stubLoader(calls));
 
     expect(calls.map((c) => c.host).sort()).toEqual([
       'apt.celilo.computer',
-      'registry.lunacycle.net',
+      'registry.example.net',
     ]);
     expect(calls.every((c) => c.value === '100.64.0.1' && c.type === 'A')).toBe(true);
   });

package/src/services/dns-registrations.test.ts

@@ -50,19 +50,19 @@ describe('dns_registrations ledger', () => {
     recordDnsRegistration(db, {
       providerModuleId: 'namecheap',
       consumerModuleId: 'caddy',
-      fqdn: 'www.lunacycle.net',
+      fqdn: 'www.example.net',
       ip: '198.51.100.7',
     });
     recordDnsRegistration(db, {
       providerModuleId: 'namecheap',
       consumerModuleId: 'caddy',
-      fqdn: 'www.lunacycle.net',
+      fqdn: 'www.example.net',
       ip: '198.51.100.8',
     });
 
     const rows = listDnsRegistrations(db, { providerModuleId: 'namecheap' });
     expect(rows.length).toBe(1);
-    expect(rows[0].fqdn).toBe('www.lunacycle.net');
+    expect(rows[0].fqdn).toBe('www.example.net');
     expect(rows[0].ip).toBe('198.51.100.8');
     expect(rows[0].consumerModuleId).toBe('caddy');
     expect(rows[0].refreshedAt).toBeNull();
@@ -72,7 +72,7 @@ describe('dns_registrations ledger', () => {
     recordDnsRegistration(db, {
       providerModuleId: 'namecheap',
       consumerModuleId: 'caddy',
-      fqdn: 'git.lunacycle.net',
+      fqdn: 'git.example.net',
       ip: null,
     });
     stampDnsRegistrationsRefreshed(db, 'namecheap');
@@ -84,7 +84,7 @@ describe('dns_registrations ledger', () => {
     recordDnsRegistration(db, {
       providerModuleId: 'namecheap',
       consumerModuleId: 'caddy',
-      fqdn: 'www.lunacycle.net',
+      fqdn: 'www.example.net',
       ip: '198.51.100.7',
     });
     db.delete(modules).where(eq(modules.id, 'caddy')).run();
@@ -106,15 +106,15 @@ describe('dns_registrations ledger', () => {
       consumerModuleId: 'caddy',
     });
 
-    await wrapped.registerHost({ fqdn: 'www.lunacycle.net', ip: '198.51.100.7' });
-    await wrapped.registerHost({ fqdn: 'fail.lunacycle.net', ip: '198.51.100.7' });
-    await wrapped.registerHost({ fqdn: 'auto.lunacycle.net' });
+    await wrapped.registerHost({ fqdn: 'www.example.net', ip: '198.51.100.7' });
+    await wrapped.registerHost({ fqdn: 'fail.example.net', ip: '198.51.100.7' });
+    await wrapped.registerHost({ fqdn: 'auto.example.net' });
 
     expect(calls.length).toBe(3);
     const rows = listDnsRegistrations(db);
     const fqdns = rows.map((r) => r.fqdn).sort();
-    expect(fqdns).toEqual(['auto.lunacycle.net', 'www.lunacycle.net']);
-    const auto = rows.find((r) => r.fqdn === 'auto.lunacycle.net');
+    expect(fqdns).toEqual(['auto.example.net', 'www.example.net']);
+    const auto = rows.find((r) => r.fqdn === 'auto.example.net');
     expect(auto?.ip).toBeNull();
   });
 });

package/src/services/module-build.test.ts

@@ -5,6 +5,7 @@ import { eq } from 'drizzle-orm';
 import { log } from '../cli/prompts';
 import { type DbClient, createDbClient } from '../db/client';
 import { moduleBuilds, modules } from '../db/schema';
+import { skipIntegration } from '../test-utils/integration-guard';
 import { buildModuleFromSource, getModuleBuildStatus, verifyArtifactsExist } from './module-build';
 
 const TEST_DB_PATH = './test-module-build.db';
@@ -156,12 +157,14 @@ describe('Module Build Service', () => {
       // We're just testing that detection happens (message logged)
     }, 10000); // 10 second timeout
 
-    test('should record build metadata in database', async () => {
-      await mkdir(TEST_MODULE_DIR, { recursive: true });
-      await mkdir(`${TEST_MODULE_DIR}/build`, { recursive: true });
-      await writeFile(
-        `${TEST_MODULE_DIR}/build/playbook.yml`,
-        `---
+    test.skipIf(skipIntegration({ tools: ['ansible'] }))(
+      'should record build metadata in database',
+      async () => {
+        await mkdir(TEST_MODULE_DIR, { recursive: true });
+        await mkdir(`${TEST_MODULE_DIR}/build`, { recursive: true });
+        await writeFile(
+          `${TEST_MODULE_DIR}/build/playbook.yml`,
+          `---
 - name: Quick test build
   hosts: localhost
   gather_facts: false
@@ -170,43 +173,45 @@ describe('Module Build Service', () => {
       ansible.builtin.debug:
         msg: "Build test"
 `,
-      );
+        );
 
-      db.insert(modules)
-        .values({
-          id: 'record-test',
-          name: 'Record Test',
-          version: '1.0.0',
-          sourcePath: TEST_MODULE_DIR,
-          manifestData: {
+        db.insert(modules)
+          .values({
             id: 'record-test',
             name: 'Record Test',
             version: '1.0.0',
-            build: {
-              script: 'build/playbook.yml',
+            sourcePath: TEST_MODULE_DIR,
+            manifestData: {
+              id: 'record-test',
+              name: 'Record Test',
+              version: '1.0.0',
+              build: {
+                script: 'build/playbook.yml',
+              },
             },
-          },
-        })
-        .run();
-
-      const result = await buildModuleFromSource('record-test', db);
-
-      // Build should succeed (simple debug task)
-      expect(result.success).toBe(true);
-
-      // Verify build metadata was recorded
-      const buildRecord = await db
-        .select()
-        .from(moduleBuilds)
-        .where(eq(moduleBuilds.moduleId, 'record-test'))
-        .get();
-
-      expect(buildRecord).toBeDefined();
-      expect(buildRecord?.moduleId).toBe('record-test');
-      expect(buildRecord?.version).toBe('1.0.0');
-      expect(buildRecord?.status).toBe('success');
-      expect(buildRecord?.environment).toBe('system'); // No flake.nix
-    }, 10000); // 10 second timeout for ansible execution
+          })
+          .run();
+
+        const result = await buildModuleFromSource('record-test', db);
+
+        // Build should succeed (simple debug task)
+        expect(result.success).toBe(true);
+
+        // Verify build metadata was recorded
+        const buildRecord = await db
+          .select()
+          .from(moduleBuilds)
+          .where(eq(moduleBuilds.moduleId, 'record-test'))
+          .get();
+
+        expect(buildRecord).toBeDefined();
+        expect(buildRecord?.moduleId).toBe('record-test');
+        expect(buildRecord?.version).toBe('1.0.0');
+        expect(buildRecord?.status).toBe('success');
+        expect(buildRecord?.environment).toBe('system'); // No flake.nix
+      },
+      10000,
+    ); // 10 second timeout for ansible execution
 
     // Regression: a build.command that references $CELILO_MODULE_SOURCE_DIR
     // (the variable celilo-registry's manifest uses to find sibling packages