@celilo/cli 0.5.0-alpha.7 → 0.5.0-alpha.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.5.0-alpha.7",
+  "version": "0.5.0-alpha.8",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {
@@ -54,7 +54,7 @@
     "@aws-sdk/client-s3": "^3.1024.0",
     "@celilo/capabilities": "^0.4.2",
     "@celilo/cli-display": "^0.1.9",
-    "@celilo/event-bus": "^0.1.6",
+    "@celilo/event-bus": "^0.1.7",
     "@clack/prompts": "^1.1.0",
     "ajv": "^8.18.0",
     "drizzle-orm": "^0.36.4",

package/src/services/deploy-validation.test.ts

@@ -15,14 +15,14 @@
  */
 
 import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
-import { mkdtempSync, rmSync } from 'node:fs';
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { type DbClient, getDb } from '../db/client';
 import { modules, secrets } from '../db/schema';
 import type { ModuleManifest } from '../manifest/schema';
 import { findMissingSecrets } from './config-interview';
-import { findMissingRequiredVariables } from './deploy-validation';
+import { findMissingBuildArtifacts, findMissingRequiredVariables } from './deploy-validation';
 
 function manifestWithStringMapSecret(): ModuleManifest {
   return {
@@ -293,3 +293,53 @@ describe('findMissingSecrets (shared)', () => {
     expect(missing[0].value_pattern_message).toBe('min 8 chars');
   });
 });
+
+/**
+ * The deploy build-gate: the management server does NOT build modules from
+ * source. A module's declared artifacts must already be present on disk
+ * (shipped in the .netapp at `module package` / `module publish` time). Deploy
+ * verifies them; a missing artifact is a hard error, never a from-source
+ * rebuild on the management box (ISS-0131).
+ */
+describe('findMissingBuildArtifacts (deploy build-gate)', () => {
+  let dir: string;
+
+  beforeEach(() => {
+    dir = mkdtempSync(join(tmpdir(), 'build-gate-'));
+  });
+
+  afterEach(() => {
+    rmSync(dir, { recursive: true, force: true });
+  });
+
+  function manifestWithArtifacts(artifacts: string[]): ModuleManifest {
+    return {
+      celilo_contract: '1.0',
+      id: 'buildmod',
+      name: 'Build Module',
+      version: '1.0.0',
+      description: 'fixture',
+      build: { command: 'true', artifacts },
+    } as unknown as ModuleManifest;
+  }
+
+  test('returns [] when the module declares no build section', () => {
+    const manifest = { celilo_contract: '1.0', id: 'm', version: '1.0.0' } as ModuleManifest;
+    expect(findMissingBuildArtifacts(manifest, dir)).toEqual([]);
+  });
+
+  test('returns [] when all declared artifacts exist on disk (prebuilt .netapp)', () => {
+    mkdirSync(join(dir, 'dist'), { recursive: true });
+    writeFileSync(join(dir, 'dist', 'server'), 'binary');
+    writeFileSync(join(dir, 'dist', 'index.html'), '<html>');
+    const manifest = manifestWithArtifacts(['dist/server', 'dist/index.html']);
+    expect(findMissingBuildArtifacts(manifest, dir)).toEqual([]);
+  });
+
+  test('returns the missing artifacts when some are absent (no mgmt-server rebuild)', () => {
+    mkdirSync(join(dir, 'dist'), { recursive: true });
+    writeFileSync(join(dir, 'dist', 'server'), 'binary');
+    const manifest = manifestWithArtifacts(['dist/server', 'dist/index.html', 'dist/db.sqlite']);
+    expect(findMissingBuildArtifacts(manifest, dir)).toEqual(['dist/index.html', 'dist/db.sqlite']);
+  });
+});

package/src/services/deploy-validation.ts

@@ -14,14 +14,12 @@ import type { ModuleManifest } from '../manifest/schema';
 import { isPrivilegedCapability } from '../manifest/validate';
 import { generateTemplates } from '../templates/generator';
 import { findMissingSecrets } from './config-interview';
-import { buildModuleFromSource, getModuleBuildStatus, verifyArtifactsExist } from './module-build';
 
 export interface ValidationResult {
   success: boolean;
   error?: string;
   warnings?: string[];
   autoGenerated?: boolean;
-  autoBuilt?: boolean;
   missingVariables?: Array<{
     name: string;
     source: 'user' | 'secret' | 'capability' | 'system';
@@ -41,9 +39,27 @@ export interface ValidationResult {
   }>;
 }
 
+/**
+ * Declared build artifacts that are missing on disk.
+ *
+ * Modules are built when their package is created: `module package` /
+ * `module publish` runs `manifest.build.command` and bakes the declared
+ * artifacts into the .netapp (cross-arch binaries and all). By deploy time —
+ * from the registry in production, or via `celilo package` in e2e — those
+ * artifacts are already on disk, so deploy only VERIFIES them. An empty result
+ * means the module is built; a non-empty result is a hard deploy error, because
+ * the management server does NOT build from source (ISS-0131: a from-source
+ * rebuild on the 3.7 GB management box deadlocked at `bun install`, then
+ * OOM-crashed nx workers, despite the .netapp shipping the binaries).
+ */
+export function findMissingBuildArtifacts(manifest: ModuleManifest, sourcePath: string): string[] {
+  const declared = manifest.build?.artifacts ?? [];
+  return declared.filter((rel) => !existsSync(join(sourcePath, rel)));
+}
+
 /**
  * Validate module is ready for deployment and auto-prepare if needed
- * Policy + Execution function - checks prerequisites and runs generate/build if needed
+ * Policy + Execution function - checks prerequisites and runs generate if needed
  *
  * @param moduleId - Module identifier
  * @param db - Database connection
@@ -54,7 +70,6 @@ export async function validateAndPrepareDeployment(
   db: DbClient,
 ): Promise<ValidationResult> {
   let autoGenerated = false;
-  let autoBuilt = false;
 
   // Check module exists
   const module = await db.select().from(modules).where(eq(modules.id, moduleId)).get();
@@ -107,7 +122,6 @@ export async function validateAndPrepareDeployment(
     return {
       success: true,
       autoGenerated: false,
-      autoBuilt: false,
       missingVariables,
     };
   }
@@ -131,42 +145,19 @@ export async function validateAndPrepareDeployment(
 
   autoGenerated = true;
 
-  // Auto-build if required and not built
-  if (manifest.build) {
-    const buildStatus = await getModuleBuildStatus(moduleId, db);
-    // Cross-check the manifest's declared artifacts against the actual
-    // filesystem in addition to whatever's in the build record. A "success"
-    // record with an empty artifact list (e.g. from a build that exited 0
-    // but produced nothing, or a synthetic record from a partial .netapp
-    // import) would otherwise pass `verifyArtifactsExist([])` trivially and
-    // let the deploy run on without binaries — exactly how Ansible ends up
-    // failing on a missing `src:` file.
-    const declaredArtifacts = manifest.build.artifacts ?? [];
-    const declaredArtifactsOk = declaredArtifacts.every((rel) =>
-      existsSync(join(module.sourcePath, rel)),
-    );
-    const needsBuild =
-      !buildStatus ||
-      buildStatus.status !== 'success' ||
-      !verifyArtifactsExist(buildStatus.artifacts) ||
-      (declaredArtifacts.length > 0 && !declaredArtifactsOk);
-
-    if (needsBuild) {
-      const buildResult = await buildModuleFromSource(moduleId, db);
-      if (!buildResult.success) {
-        return {
-          success: false,
-          error: `Auto-build failed: ${buildResult.error || 'Build failed'}`,
-        };
-      }
-      autoBuilt = true;
-    }
+  // Verify build artifacts are present — the management server does NOT build
+  // modules from source (see findMissingBuildArtifacts / ISS-0131).
+  const missingArtifacts = findMissingBuildArtifacts(manifest, module.sourcePath);
+  if (missingArtifacts.length > 0) {
+    return {
+      success: false,
+      error: `Module '${moduleId}' is missing build artifacts that must ship in its package:\n${missingArtifacts.map((m) => `  - ${m}`).join('\n')}\n\nThe management server does not build modules from source. Build where the module is authored, then republish and update:\n  celilo module publish <path>   (or: celilo module build ${moduleId})\n  celilo module update`,
+    };
   }
 
   return {
     success: true,
     autoGenerated,
-    autoBuilt,
   };
 }
 

package/src/services/fleet-checks.test.ts

@@ -378,6 +378,19 @@ describe('checkSubscribers + checkCapabilityProviders', () => {
       expect(f.remediation).toContain('natIp');
     });
 
+    it('SKIPS `.infra.<zone>` system-identity records (intentionally container-IP)', async () => {
+      seedFirewall('iptables', NAT_IP);
+      insertModule('technitium', baseManifest({ id: 'technitium', name: 'Technitium' }));
+      insertModule('forgejo', baseManifest({ id: 'forgejo', name: 'Forgejo' }));
+      seedSystem('forgejo', '10.0.20.14', 'dmz');
+      // The on-system-event handler registers <host>.infra.<domain> at the
+      // system's own container IP on purpose — a zone-side identity name, not a
+      // LAN-reachability record. The check must NOT flag it.
+      seedRecord('technitium', 'forgejo', 'forgejo.infra.celilo.computer', '10.0.20.14');
+      const f = await checkServiceDns(db);
+      expect(f.status).toBe('ok');
+    });
+
     it('is ok when a record points at an internal-zone (LAN) system IP', async () => {
       seedFirewall('iptables', NAT_IP);
       insertModule('technitium', baseManifest({ id: 'technitium', name: 'Technitium' }));

package/src/services/fleet-checks.ts

@@ -40,6 +40,17 @@ import { resolveSubscription } from './module-subscriptions';
  */
 const LAN_REACHABLE_ZONE = 'internal';
 
+/**
+ * Records under the dedicated `.infra.<zone>` label are system-IDENTITY names,
+ * registered by modules/technitium/scripts/on-system-event.ts at the system's
+ * own container IP ON PURPOSE — the zone-side name for in-zone / VPN access,
+ * deliberately kept separate from the natIp records LAN devices use (so a
+ * container-IP identity record doesn't clobber the natIp record public_web
+ * needs). They are NOT LAN-reachability records, so the natIp rule doesn't
+ * apply to them — the service-DNS check skips them.
+ */
+const SYSTEM_IDENTITY_HOST = /\.infra\./;
+
 export type FleetFindingStatus = 'ok' | 'warn' | 'fail';
 
 /**
@@ -600,6 +611,10 @@ export async function checkServiceDns(db: DbClient): Promise<FleetFinding> {
   const atContainer: string[] = [];
   const atOther: string[] = [];
   for (const r of records) {
+    // `.infra.<zone>` system-identity records are intentionally container-IP
+    // (zone-side names, not LAN-reachability records) — not subject to the
+    // natIp rule.
+    if (SYSTEM_IDENTITY_HOST.test(r.host)) continue;
     if (r.ip === natIp) continue;
     const owner = ipZone.get(r.ip);
     if (owner && owner.zone !== LAN_REACHABLE_ZONE) {

package/src/services/module-deploy.ts

@@ -48,7 +48,6 @@ export interface DeployResult {
   phases: {
     validation?: boolean;
     autoGenerated?: boolean;
-    autoBuilt?: boolean;
     planning?: boolean;
     terraformInit?: boolean;
     terraformPlan?: boolean;
@@ -353,7 +352,6 @@ async function deployModuleImpl(
     const validation = await validateAndPrepareDeployment(moduleId, db);
     phases.validation = validation.success;
     phases.autoGenerated = validation.autoGenerated;
-    phases.autoBuilt = validation.autoBuilt;
     if (!validation.success) {
       return {
         success: false,
@@ -532,9 +530,7 @@ async function deployModuleImpl(
       }
     }
 
-    log.success(
-      validation.autoBuilt ? 'Templates generated and module built' : 'Templates generated',
-    );
+    log.success('Templates generated');
 
     // Run validate_config hook if defined (e.g., credential validation via Playwright)
     if (manifest.hooks?.validate_config) {