@celilo/cli 0.5.0-alpha.7 → 0.5.0-alpha.9

package/src/services/deploy-validation.test.ts

@@ -15,14 +15,14 @@
  */
 
 import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
-import { mkdtempSync, rmSync } from 'node:fs';
+import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { type DbClient, getDb } from '../db/client';
 import { modules, secrets } from '../db/schema';
 import type { ModuleManifest } from '../manifest/schema';
 import { findMissingSecrets } from './config-interview';
-import { findMissingRequiredVariables } from './deploy-validation';
+import { findMissingBuildArtifacts, findMissingRequiredVariables } from './deploy-validation';
 
 function manifestWithStringMapSecret(): ModuleManifest {
   return {
@@ -293,3 +293,53 @@ describe('findMissingSecrets (shared)', () => {
     expect(missing[0].value_pattern_message).toBe('min 8 chars');
   });
 });
+
+/**
+ * The deploy build-gate: the management server does NOT build modules from
+ * source. A module's declared artifacts must already be present on disk
+ * (shipped in the .netapp at `module package` / `module publish` time). Deploy
+ * verifies them; a missing artifact is a hard error, never a from-source
+ * rebuild on the management box (ISS-0131).
+ */
+describe('findMissingBuildArtifacts (deploy build-gate)', () => {
+  let dir: string;
+
+  beforeEach(() => {
+    dir = mkdtempSync(join(tmpdir(), 'build-gate-'));
+  });
+
+  afterEach(() => {
+    rmSync(dir, { recursive: true, force: true });
+  });
+
+  function manifestWithArtifacts(artifacts: string[]): ModuleManifest {
+    return {
+      celilo_contract: '1.0',
+      id: 'buildmod',
+      name: 'Build Module',
+      version: '1.0.0',
+      description: 'fixture',
+      build: { command: 'true', artifacts },
+    } as unknown as ModuleManifest;
+  }
+
+  test('returns [] when the module declares no build section', () => {
+    const manifest = { celilo_contract: '1.0', id: 'm', version: '1.0.0' } as ModuleManifest;
+    expect(findMissingBuildArtifacts(manifest, dir)).toEqual([]);
+  });
+
+  test('returns [] when all declared artifacts exist on disk (prebuilt .netapp)', () => {
+    mkdirSync(join(dir, 'dist'), { recursive: true });
+    writeFileSync(join(dir, 'dist', 'server'), 'binary');
+    writeFileSync(join(dir, 'dist', 'index.html'), '<html>');
+    const manifest = manifestWithArtifacts(['dist/server', 'dist/index.html']);
+    expect(findMissingBuildArtifacts(manifest, dir)).toEqual([]);
+  });
+
+  test('returns the missing artifacts when some are absent (no mgmt-server rebuild)', () => {
+    mkdirSync(join(dir, 'dist'), { recursive: true });
+    writeFileSync(join(dir, 'dist', 'server'), 'binary');
+    const manifest = manifestWithArtifacts(['dist/server', 'dist/index.html', 'dist/db.sqlite']);
+    expect(findMissingBuildArtifacts(manifest, dir)).toEqual(['dist/index.html', 'dist/db.sqlite']);
+  });
+});

package/src/services/deploy-validation.ts

@@ -14,14 +14,12 @@ import type { ModuleManifest } from '../manifest/schema';
 import { isPrivilegedCapability } from '../manifest/validate';
 import { generateTemplates } from '../templates/generator';
 import { findMissingSecrets } from './config-interview';
-import { buildModuleFromSource, getModuleBuildStatus, verifyArtifactsExist } from './module-build';
 
 export interface ValidationResult {
   success: boolean;
   error?: string;
   warnings?: string[];
   autoGenerated?: boolean;
-  autoBuilt?: boolean;
   missingVariables?: Array<{
     name: string;
     source: 'user' | 'secret' | 'capability' | 'system';
@@ -41,9 +39,27 @@ export interface ValidationResult {
   }>;
 }
 
+/**
+ * Declared build artifacts that are missing on disk.
+ *
+ * Modules are built when their package is created: `module package` /
+ * `module publish` runs `manifest.build.command` and bakes the declared
+ * artifacts into the .netapp (cross-arch binaries and all). By deploy time —
+ * from the registry in production, or via `celilo package` in e2e — those
+ * artifacts are already on disk, so deploy only VERIFIES them. An empty result
+ * means the module is built; a non-empty result is a hard deploy error, because
+ * the management server does NOT build from source (ISS-0131: a from-source
+ * rebuild on the 3.7 GB management box deadlocked at `bun install`, then
+ * OOM-crashed nx workers, despite the .netapp shipping the binaries).
+ */
+export function findMissingBuildArtifacts(manifest: ModuleManifest, sourcePath: string): string[] {
+  const declared = manifest.build?.artifacts ?? [];
+  return declared.filter((rel) => !existsSync(join(sourcePath, rel)));
+}
+
 /**
  * Validate module is ready for deployment and auto-prepare if needed
- * Policy + Execution function - checks prerequisites and runs generate/build if needed
+ * Policy + Execution function - checks prerequisites and runs generate if needed
  *
  * @param moduleId - Module identifier
  * @param db - Database connection
@@ -54,7 +70,6 @@ export async function validateAndPrepareDeployment(
   db: DbClient,
 ): Promise<ValidationResult> {
   let autoGenerated = false;
-  let autoBuilt = false;
 
   // Check module exists
   const module = await db.select().from(modules).where(eq(modules.id, moduleId)).get();
@@ -107,7 +122,6 @@ export async function validateAndPrepareDeployment(
     return {
       success: true,
       autoGenerated: false,
-      autoBuilt: false,
       missingVariables,
     };
   }
@@ -131,42 +145,19 @@ export async function validateAndPrepareDeployment(
 
   autoGenerated = true;
 
-  // Auto-build if required and not built
-  if (manifest.build) {
-    const buildStatus = await getModuleBuildStatus(moduleId, db);
-    // Cross-check the manifest's declared artifacts against the actual
-    // filesystem in addition to whatever's in the build record. A "success"
-    // record with an empty artifact list (e.g. from a build that exited 0
-    // but produced nothing, or a synthetic record from a partial .netapp
-    // import) would otherwise pass `verifyArtifactsExist([])` trivially and
-    // let the deploy run on without binaries — exactly how Ansible ends up
-    // failing on a missing `src:` file.
-    const declaredArtifacts = manifest.build.artifacts ?? [];
-    const declaredArtifactsOk = declaredArtifacts.every((rel) =>
-      existsSync(join(module.sourcePath, rel)),
-    );
-    const needsBuild =
-      !buildStatus ||
-      buildStatus.status !== 'success' ||
-      !verifyArtifactsExist(buildStatus.artifacts) ||
-      (declaredArtifacts.length > 0 && !declaredArtifactsOk);
-
-    if (needsBuild) {
-      const buildResult = await buildModuleFromSource(moduleId, db);
-      if (!buildResult.success) {
-        return {
-          success: false,
-          error: `Auto-build failed: ${buildResult.error || 'Build failed'}`,
-        };
-      }
-      autoBuilt = true;
-    }
+  // Verify build artifacts are present — the management server does NOT build
+  // modules from source (see findMissingBuildArtifacts / ISS-0131).
+  const missingArtifacts = findMissingBuildArtifacts(manifest, module.sourcePath);
+  if (missingArtifacts.length > 0) {
+    return {
+      success: false,
+      error: `Module '${moduleId}' is missing build artifacts that must ship in its package:\n${missingArtifacts.map((m) => `  - ${m}`).join('\n')}\n\nThe management server does not build modules from source. Build where the module is authored, then republish and update:\n  celilo module publish <path>   (or: celilo module build ${moduleId})\n  celilo module update`,
+    };
   }
 
   return {
     success: true,
     autoGenerated,
-    autoBuilt,
   };
 }
 

package/src/services/fleet-checks.test.ts

@@ -378,6 +378,19 @@ describe('checkSubscribers + checkCapabilityProviders', () => {
       expect(f.remediation).toContain('natIp');
     });
 
+    it('SKIPS `.infra.<zone>` system-identity records (intentionally container-IP)', async () => {
+      seedFirewall('iptables', NAT_IP);
+      insertModule('technitium', baseManifest({ id: 'technitium', name: 'Technitium' }));
+      insertModule('forgejo', baseManifest({ id: 'forgejo', name: 'Forgejo' }));
+      seedSystem('forgejo', '10.0.20.14', 'dmz');
+      // The on-system-event handler registers <host>.infra.<domain> at the
+      // system's own container IP on purpose — a zone-side identity name, not a
+      // LAN-reachability record. The check must NOT flag it.
+      seedRecord('technitium', 'forgejo', 'forgejo.infra.celilo.computer', '10.0.20.14');
+      const f = await checkServiceDns(db);
+      expect(f.status).toBe('ok');
+    });
+
     it('is ok when a record points at an internal-zone (LAN) system IP', async () => {
       seedFirewall('iptables', NAT_IP);
       insertModule('technitium', baseManifest({ id: 'technitium', name: 'Technitium' }));

package/src/services/fleet-checks.ts

@@ -40,6 +40,17 @@ import { resolveSubscription } from './module-subscriptions';
  */
 const LAN_REACHABLE_ZONE = 'internal';
 
+/**
+ * Records under the dedicated `.infra.<zone>` label are system-IDENTITY names,
+ * registered by modules/technitium/scripts/on-system-event.ts at the system's
+ * own container IP ON PURPOSE — the zone-side name for in-zone / VPN access,
+ * deliberately kept separate from the natIp records LAN devices use (so a
+ * container-IP identity record doesn't clobber the natIp record public_web
+ * needs). They are NOT LAN-reachability records, so the natIp rule doesn't
+ * apply to them — the service-DNS check skips them.
+ */
+const SYSTEM_IDENTITY_HOST = /\.infra\./;
+
 export type FleetFindingStatus = 'ok' | 'warn' | 'fail';
 
 /**
@@ -600,6 +611,10 @@ export async function checkServiceDns(db: DbClient): Promise<FleetFinding> {
   const atContainer: string[] = [];
   const atOther: string[] = [];
   for (const r of records) {
+    // `.infra.<zone>` system-identity records are intentionally container-IP
+    // (zone-side names, not LAN-reachability records) — not subject to the
+    // natIp rule.
+    if (SYSTEM_IDENTITY_HOST.test(r.host)) continue;
     if (r.ip === natIp) continue;
     const owner = ipZone.get(r.ip);
     if (owner && owner.zone !== LAN_REACHABLE_ZONE) {

package/src/services/module-config.ts

@@ -106,6 +106,18 @@ export function upsertModuleConfig(
     .run();
 }
 
+/**
+ * Delete a module config row if present (no-op if absent). Used to drop a
+ * derived/cached key that should no longer persist — e.g. `__infra_target_node`,
+ * now resolved live from Proxmox each generate rather than cached in the DB
+ * (ISS-0090: "the DB stores intent, Proxmox reports reality").
+ */
+export function deleteModuleConfig(db: DbClient, moduleId: string, key: string): void {
+  db.delete(moduleConfigs)
+    .where(and(eq(moduleConfigs.moduleId, moduleId), eq(moduleConfigs.key, key)))
+    .run();
+}
+
 /**
  * Parse a stored module_configs row into its canonical typed value.
  * Throws if valueJson is null — that's a row written before the

package/src/services/module-deploy.ts

@@ -48,7 +48,6 @@ export interface DeployResult {
   phases: {
     validation?: boolean;
     autoGenerated?: boolean;
-    autoBuilt?: boolean;
     planning?: boolean;
     terraformInit?: boolean;
     terraformPlan?: boolean;
@@ -353,7 +352,6 @@ async function deployModuleImpl(
     const validation = await validateAndPrepareDeployment(moduleId, db);
     phases.validation = validation.success;
     phases.autoGenerated = validation.autoGenerated;
-    phases.autoBuilt = validation.autoBuilt;
     if (!validation.success) {
       return {
         success: false,
@@ -532,9 +530,7 @@ async function deployModuleImpl(
       }
     }
 
-    log.success(
-      validation.autoBuilt ? 'Templates generated and module built' : 'Templates generated',
-    );
+    log.success('Templates generated');
 
     // Run validate_config hook if defined (e.g., credential validation via Playwright)
     if (manifest.hooks?.validate_config) {
@@ -911,7 +907,12 @@ async function deployModuleImpl(
         lines.push(`  ${key} = ${value}`);
       }
       if (resolution.skipped.length > 0) {
-        lines.push(`  (skipped user-configured: ${resolution.skipped.join(', ')})`);
+        // These are infrastructure-managed vars with no value this deploy (e.g.
+        // vmid/target_node on a machine deploy). NOT honored operator overrides —
+        // such keys are rejected at `config set` (ISS-0069); don't imply otherwise.
+        lines.push(
+          `  (auto-managed, not applicable this deploy: ${resolution.skipped.join(', ')})`,
+        );
       }
       log.success(lines.join('\n'));
 

package/src/services/placement-reconcile.test.ts

@@ -0,0 +1,86 @@
+import { describe, expect, test } from 'bun:test';
+import type { DeployedSystem } from '@celilo/capabilities';
+import { formatPlacementLine, resolveOnePlacement } from './placement-reconcile';
+
+function sys(
+  overrides: Partial<DeployedSystem> & { infrastructure: DeployedSystem['infrastructure'] },
+): DeployedSystem {
+  return {
+    name: 'main',
+    hostname: 'caddy',
+    ipv4_address: '10.0.10.10',
+    zone: 'dmz',
+    ...overrides,
+  } as DeployedSystem;
+}
+
+const SVC = 'svc-1';
+const cs = (vmid?: number) =>
+  sys({
+    infrastructure: {
+      type: 'container_service',
+      serviceId: SVC,
+      ...(vmid != null ? { vmid } : {}),
+    },
+  });
+
+describe('resolveOnePlacement (ISS-0060 — node reconciled from Proxmox, not a cached DB value)', () => {
+  test('machine-pool system → machine (no Proxmox node)', () => {
+    const s = sys({ infrastructure: { type: 'machine', machineId: 'm1' } });
+    expect(resolveOnePlacement(s, new Map(), new Set(), new Set())).toEqual({ kind: 'machine' });
+  });
+
+  test('non-Proxmox container service → other', () => {
+    expect(resolveOnePlacement(cs(200), new Map(), new Set(), new Set([SVC]))).toEqual({
+      kind: 'other',
+    });
+  });
+
+  test('container_service without a vmid → uncreated', () => {
+    expect(resolveOnePlacement(cs(undefined), new Map(), new Set(), new Set())).toEqual({
+      kind: 'uncreated',
+    });
+  });
+
+  test('Proxmox unreachable for the service → unreachable (never a stale fallback)', () => {
+    expect(resolveOnePlacement(cs(200), new Map(), new Set([SVC]), new Set())).toEqual({
+      kind: 'unreachable',
+    });
+  });
+
+  test('vmid present in the cluster → node (the reconciled reality)', () => {
+    expect(resolveOnePlacement(cs(200), new Map([[200, 'node2']]), new Set(), new Set())).toEqual({
+      kind: 'node',
+      node: 'node2',
+    });
+  });
+
+  test('vmid absent from the cluster → absent', () => {
+    expect(resolveOnePlacement(cs(200), new Map([[999, 'node2']]), new Set(), new Set())).toEqual({
+      kind: 'absent',
+    });
+  });
+});
+
+describe('formatPlacementLine', () => {
+  const s = cs(200);
+
+  test('node resolution shows the real node + vmid', () => {
+    expect(formatPlacementLine(s, { kind: 'node', node: 'node2' })).toBe(
+      'caddy (vmid 200) → node2 (zone dmz)',
+    );
+  });
+
+  test('unreachable is explicit — no silent stale value', () => {
+    expect(formatPlacementLine(s, { kind: 'unreachable' })).toContain('Proxmox unreachable');
+  });
+
+  test('absent flags a vmid not in the cluster', () => {
+    expect(formatPlacementLine(s, { kind: 'absent' })).toContain('not found in Proxmox');
+  });
+
+  test('machine line omits vmid/node', () => {
+    const m = sys({ hostname: 'iot', zone: 'internal', infrastructure: { type: 'machine' } });
+    expect(formatPlacementLine(m, { kind: 'machine' })).toBe('iot — machine (zone internal)');
+  });
+});

package/src/services/placement-reconcile.ts

@@ -0,0 +1,108 @@
+/**
+ * Reconcile a module's ACTUAL node placement from Proxmox (ISS-0060 pt 2).
+ *
+ * "The DB stores intent, Proxmox reports reality." `module status` / `list`
+ * must show where a container ACTUALLY lives — queried live from the Proxmox
+ * cluster — not a cached `__infra_target_node` that drifts (caddy recorded
+ * node3, ran on node2). Machine-pool systems and non-Proxmox container services
+ * have no Proxmox node to reconcile.
+ *
+ * Never throws: a Proxmox outage yields an 'unreachable' resolution so a status
+ * or list command still renders instead of erroring.
+ */
+
+import type { DeployedSystem } from '@celilo/capabilities';
+import { ProxmoxClient, type ProxmoxCredentials } from '../api-clients/proxmox';
+import { getContainerService, getServiceCredentials } from './container-service';
+
+export type PlacementResolution =
+  | { kind: 'node'; node: string } // reconciled: lives on <node>
+  | { kind: 'unreachable' } // a Proxmox container, but the API couldn't be reached
+  | { kind: 'absent' } // a Proxmox container with a vmid not present in the cluster
+  | { kind: 'uncreated' } // a container_service system not yet created (no vmid)
+  | { kind: 'machine' } // a machine-pool system (no Proxmox node)
+  | { kind: 'other' }; // a non-Proxmox container service (e.g. DigitalOcean)
+
+/** One-line placement description for `module status`. Pure (Rule 10). */
+export function formatPlacementLine(sys: DeployedSystem, res: PlacementResolution): string {
+  const zone = `zone ${sys.zone}`;
+  const vmid = sys.infrastructure.vmid;
+  switch (res.kind) {
+    case 'machine':
+      return `${sys.hostname} — machine (${zone})`;
+    case 'other':
+      return `${sys.hostname} — container_service, non-Proxmox (${zone})`;
+    case 'uncreated':
+      return `${sys.hostname} — not yet created (${zone})`;
+    case 'unreachable':
+      return `${sys.hostname} (vmid ${vmid}) → node unknown — Proxmox unreachable (${zone})`;
+    case 'absent':
+      return `${sys.hostname} (vmid ${vmid}) → not found in Proxmox — not created? (${zone})`;
+    case 'node':
+      return `${sys.hostname} (vmid ${vmid}) → ${res.node} (${zone})`;
+  }
+}
+
+/** Pure resolution of one system given the reconciled vmid→node map + service classification. */
+export function resolveOnePlacement(
+  sys: DeployedSystem,
+  vmidToNode: Map<number, string>,
+  unreachable: Set<string>,
+  nonProxmox: Set<string>,
+): PlacementResolution {
+  const infra = sys.infrastructure;
+  if (infra.type !== 'container_service') return { kind: 'machine' };
+  if (infra.serviceId && nonProxmox.has(infra.serviceId)) return { kind: 'other' };
+  if (infra.vmid == null) return { kind: 'uncreated' };
+  if (infra.serviceId && unreachable.has(infra.serviceId)) return { kind: 'unreachable' };
+  const node = vmidToNode.get(infra.vmid);
+  return node ? { kind: 'node', node } : { kind: 'absent' };
+}
+
+/**
+ * Reconcile each system's real node from Proxmox. One `/cluster/resources` fetch
+ * per distinct Proxmox service (usually one); machine + non-Proxmox systems need
+ * no call. Returns each system paired with its resolution, in input order.
+ */
+export async function reconcilePlacement(
+  systems: DeployedSystem[],
+): Promise<Array<{ system: DeployedSystem; resolution: PlacementResolution }>> {
+  const serviceIds = [
+    ...new Set(
+      systems
+        .filter((s) => s.infrastructure.type === 'container_service')
+        .map((s) => s.infrastructure.serviceId)
+        .filter((id): id is string => !!id),
+    ),
+  ];
+
+  const vmidToNode = new Map<number, string>();
+  const unreachable = new Set<string>();
+  const nonProxmox = new Set<string>();
+
+  for (const serviceId of serviceIds) {
+    const service = await getContainerService(serviceId);
+    if (!service || service.providerName !== 'proxmox') {
+      nonProxmox.add(serviceId);
+      continue;
+    }
+    try {
+      const creds = (await getServiceCredentials(serviceId)) as ProxmoxCredentials;
+      const result = await new ProxmoxClient(creds).clusterResources();
+      if (!result.success) {
+        unreachable.add(serviceId);
+        continue;
+      }
+      for (const r of result.data) {
+        if (typeof r.vmid === 'number' && r.node) vmidToNode.set(r.vmid, r.node);
+      }
+    } catch {
+      unreachable.add(serviceId);
+    }
+  }
+
+  return systems.map((system) => ({
+    system,
+    resolution: resolveOnePlacement(system, vmidToNode, unreachable, nonProxmox),
+  }));
+}

package/src/services/programmatic-responder.ts

@@ -23,6 +23,7 @@ import { getOrCreateMasterKey } from '../secrets/master-key';
 import type {
   ConfigRequiredPayload,
   EnsureRequiredPayload,
+  InterviewRequiredPayload,
   SecretRequiredPayload,
 } from './bus-interview';
 import { readModuleSecretKey, writeModuleSecretKey } from './config-interview';
@@ -58,6 +59,13 @@ export interface ResponderValues {
       secretValues?: Record<string, string>;
     }
   >;
+  /**
+   * Generic interview answers keyed by `<scope>.<key>` (ISS-0127). When a
+   * command emits `interview.required.<scope>.<key>`, the responder replies
+   * with `{ value }`. The value's shape should match the payload's `kind`
+   * (string for text/select, string[] for multiselect, boolean for confirm).
+   */
+  interview?: Record<string, unknown>;
 }
 
 export interface ProgrammaticResponderOptions {
@@ -108,6 +116,7 @@ export interface ProgrammaticResponderHandle {
   seenConfigPayloads(): ConfigRequiredPayload[];
   seenSecretPayloads(): SecretRequiredPayload[];
   seenEnsurePayloads(): EnsureRequiredPayload[];
+  seenInterviewPayloads(): InterviewRequiredPayload[];
   /** Stop watching. Caller still owns the db client. */
   close(): void;
 }
@@ -126,6 +135,7 @@ export function startProgrammaticResponder(
   const seenConfig: ConfigRequiredPayload[] = [];
   const seenSecret: SecretRequiredPayload[] = [];
   const seenEnsure: EnsureRequiredPayload[] = [];
+  const seenInterview: InterviewRequiredPayload[] = [];
   let lastActivityAt = Date.now();
 
   const me = opts.emittedBy ?? 'programmatic';
@@ -276,6 +286,28 @@ export function startProgrammaticResponder(
     answered.push({ type: event.type, key: lookupKey });
   });
 
+  const interviewWatch = bus.watch('interview.required.*.*', async (event) => {
+    if (event.replyFor !== null) return;
+    lastActivityAt = Date.now();
+
+    const payload = event.payload as InterviewRequiredPayload;
+    if (!payload || typeof payload.scope !== 'string' || typeof payload.key !== 'string') {
+      missed.push({ type: event.type, key: '?', reason: 'malformed payload' });
+      return;
+    }
+    seenInterview.push(payload);
+
+    const lookupKey = `${payload.scope}.${payload.key}`;
+    const value = opts.values.interview?.[lookupKey];
+    if (value === undefined) {
+      handleMissing(event.type, lookupKey, `no interview value for "${lookupKey}"`);
+      return;
+    }
+
+    bus.emitRaw(`${event.type}.reply`, { value }, { replyFor: event.id, emittedBy: me });
+    answered.push({ type: event.type, key: lookupKey });
+  });
+
   // Liveness probe: a non-interactive caller (e.g. `module generate`
   // with no TTY) emits `responder.probe` to detect whether any
   // responder is listening before calling busInterview (which waits
@@ -298,10 +330,12 @@ export function startProgrammaticResponder(
     seenConfigPayloads: () => [...seenConfig],
     seenSecretPayloads: () => [...seenSecret],
     seenEnsurePayloads: () => [...seenEnsure],
+    seenInterviewPayloads: () => [...seenInterview],
     close: () => {
       configWatch.close();
       secretWatch.close();
       ensureWatch.close();
+      interviewWatch.close();
       probeWatch.close();
       bus.close();
     },