feat(cli): complete CLI with full CRUD operations (NVIDIA#563) (NVIDIA#621)

* docs: add CLI CRUD and verbosity design document

Design for issue NVIDIA#563 covering:
- New CLI commands (describe, get, ssh, scp, update)
- Global verbosity flags (-q, -v, -d)
- Output formatting infrastructure
- Implementation tasks and testing strategy

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* docs: add CLI CRUD implementation plan

Detailed task-by-task implementation plan for:
- Global verbosity flags (-q, -v, -d)
- Unit tests for all new CLI commands
- Output formatter tests

11 tasks with TDD approach and commit checkpoints.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* feat(logger): add verbosity levels with Debug and Trace methods

Add Verbosity type with four levels (Quiet, Normal, Verbose, Debug) to
control log output. Info, Check, and Warning methods now respect
verbosity settings, while Error always prints. New Debug and Trace
methods provide additional logging granularity for troubleshooting.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* feat(cli): add global verbosity flags (-q, --verbose, -d)

Add global flags for controlling output verbosity:
- --quiet, -q: Suppress non-error output
- --verbose: Enable verbose output
- --debug, -d: Enable debug-level logging (also reads DEBUG env var)

Flag precedence: --debug > --verbose > --quiet

Note: -v was not used for --verbose to avoid conflict with built-in --version flag.
Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* refactor(cli): rename list --quiet to --ids-only

Rename the --quiet flag to --ids-only to avoid conflict with the new
global --quiet flag that controls verbosity. The --ids-only flag now
only outputs instance IDs, one per line.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* test(output): add unit tests for output formatting package

Add comprehensive unit tests for the pkg/output package covering:
- ValidFormats() and IsValidFormat() validation functions
- NewFormatter() with empty, valid, and invalid format inputs
- Formatter.Format() accessor method
- PrintJSON() with struct, map, and slice data types
- PrintYAML() with struct, map, and nested struct data
- Print() dispatch logic for JSON, YAML, and table formats
- PrintTable() with mock TableData interface
- TablePrinter fluent interface (Header, Row, Flush)
- SetWriter() for output redirection
- Error message quality for invalid formats

Achieves 97.9% code coverage.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* feat(output): add output formatting package with table/JSON/YAML support

Adds pkg/output with Formatter, TablePrinter, and TableData interface
for consistent output formatting across all CLI commands.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* feat(cli): add output formatting to status command

Adds -o flag (json/yaml/table) to holodeck status with structured
output types for JSON/YAML serialization.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* feat(cli): add describe, get, ssh, scp, update commands with tests

New commands for issue NVIDIA#563:
- describe: detailed instance introspection with JSON/YAML output
- get kubeconfig: download kubeconfig from instance
- get ssh-config: generate SSH config entry
- ssh: SSH into instance or run remote commands
- scp: copy files to/from instance via SFTP
- update: update instance configuration (add components, labels)

All commands include unit tests for core logic.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* test(list): update tests for --ids-only flag rename

Updates list_test.go to use --ids-only instead of the old --quiet/-q
flag which was renamed to avoid conflict with the global -q flag.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* fix(cli): fix nil map panic and SSH command quoting

C1: Add nil check for env.Labels before writing provisioned label
in update --reprovision. Previously panicked when no --label flags
were provided and the cached environment had no labels.

C2: Replace incorrect containsSpace+fmt.Sprintf("%q") quoting with
simple strings.Join. SSH session.Run always passes through the
remote shell, so Go-style quoting was wrong. Document this behavior.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* refactor(cli): extract shared utilities and fix review issues

- Extract getHostURL and connectSSH into cmd/cli/common package,
  eliminating duplication across ssh, scp, and get commands (I1)
- Use path instead of filepath for remote SFTP paths to ensure
  correct POSIX separators on all platforms (I2)
- Log warnings for skipped files during recursive remote copy (I3)
- Use c.IsSet() for flags with defaults to prevent overwriting
  existing config with default values (I4)

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* fix(ci): resolve lint issues, update go.mod, and remove plan docs

- Fix gofmt, gosec, staticcheck, unconvert, and errcheck lint issues
- Promote gopkg.in/yaml.v3 from indirect to direct dependency
- Remove planning documents (development artifacts)

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* fix(security): correct misleading host key comments (CWE-322)

Address CodeQL alert NVIDIA#6 (go/insecure-hostkeycallback) by replacing
the inaccurate comment about "no pre-established host keys". The env
file requires SSH authentication keys (client-to-server), but server
host keys are a separate concern — they are generated at instance boot
with no trusted distribution channel to the client.

The security trade-off is now explicitly documented with CWE reference.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* refactor(cli): use common.GetHostURL in update runProvision (S4)

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* fix(cli): consolidate update command cache file writes (C2)

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* feat(cli): add -q as alias for --ids-only for backwards compatibility (S1)

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* refactor(cli): extract SSH retry constants in ConnectSSH (S2)

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* docs(cli): document SSH remote command quoting behavior (S3)

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* fix(logger): warnings always print regardless of verbosity (M1)

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* refactor(cli): consolidate GetHostURL tests into common package (M3)

Move duplicate GetHostURL tests from cmd/cli/get/ and cmd/cli/ssh/
into cmd/cli/common/host_test.go. Merge overlapping test cases and
add a new TestGetHostURL_Cluster_FallbackToFirstNode case that covers
the fallback path when no control-plane node exists.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* fix(logger): make Verbosity thread-safe with atomic.Int32 (M6)

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

* fix(logger): add nolint directive for gosec G115 in SetVerbosity

Verbosity is an iota (0-3) so the int->int32 cast cannot overflow.

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

---------

Signed-off-by: Carlos Eduardo Arango Gutierrez <eduardoa@nvidia.com>

Author: ArangoGutierrez

cmd/cli/common/host.go

@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 2024, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package common
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"golang.org/x/crypto/ssh"
+
+	"github.com/NVIDIA/holodeck/api/holodeck/v1alpha1"
+	"github.com/NVIDIA/holodeck/internal/logger"
+	"github.com/NVIDIA/holodeck/pkg/provider/aws"
+)
+
+// GetHostURL resolves the SSH-reachable host URL for an environment.
+// If nodeName is set, it looks for that specific node.
+// If preferControlPlane is true and no nodeName is set, it prefers a control-plane node.
+// Falls back to the first available node, then single-node properties.
+func GetHostURL(env *v1alpha1.Environment, nodeName string, preferControlPlane bool) (string, error) {
+	// For multinode clusters, find the appropriate node
+	if env.Spec.Cluster != nil && env.Status.Cluster != nil && len(env.Status.Cluster.Nodes) > 0 {
+		if nodeName != "" {
+			for _, node := range env.Status.Cluster.Nodes {
+				if node.Name == nodeName {
+					return node.PublicIP, nil
+				}
+			}
+			return "", fmt.Errorf("node %q not found in cluster", nodeName)
+		}
+
+		if preferControlPlane {
+			for _, node := range env.Status.Cluster.Nodes {
+				if node.Role == "control-plane" {
+					return node.PublicIP, nil
+				}
+			}
+		}
+
+		// Fallback to first node
+		return env.Status.Cluster.Nodes[0].PublicIP, nil
+	}
+
+	// Single node - get from properties
+	switch env.Spec.Provider {
+	case v1alpha1.ProviderAWS:
+		for _, p := range env.Status.Properties {
+			if p.Name == aws.PublicDnsName {
+				return p.Value, nil
+			}
+		}
+	case v1alpha1.ProviderSSH:
+		return env.Spec.HostUrl, nil
+	}
+
+	return "", fmt.Errorf("unable to determine host URL")
+}
+
+const (
+	// sshMaxRetries is the number of SSH connection attempts before giving up.
+	sshMaxRetries = 3
+	// sshRetryDelay is the delay between SSH connection retry attempts.
+	sshRetryDelay = 2 * time.Second
+)
+
+// ConnectSSH establishes an SSH connection with retries.
+//
+// Host key verification is disabled because server host keys are generated
+// at instance boot time and there is no trusted channel to distribute them
+// to the client beforehand. The env file's privateKey/publicKey fields are
+// SSH *authentication* keys (client-to-server), not server host keys.
+func ConnectSSH(log *logger.FunLogger, keyPath, userName, hostUrl string) (*ssh.Client, error) {
+	key, err := os.ReadFile(keyPath) //nolint:gosec // keyPath is from trusted env config
+	if err != nil {
+		return nil, fmt.Errorf("failed to read key file %s: %v", keyPath, err)
+	}
+
+	signer, err := ssh.ParsePrivateKey(key)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse private key: %v", err)
+	}
+
+	config := &ssh.ClientConfig{
+		User: userName,
+		Auth: []ssh.AuthMethod{
+			ssh.PublicKeys(signer),
+		},
+		// Server host keys are generated at instance boot with no trusted
+		// distribution channel; disable verification (CWE-322 accepted risk).
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(), //nolint:gosec
+		Timeout:         30 * time.Second,
+	}
+
+	var client *ssh.Client
+	for i := 0; i < sshMaxRetries; i++ {
+		client, err = ssh.Dial("tcp", hostUrl+":22", config)
+		if err == nil {
+			return client, nil
+		}
+		log.Warning("Connection attempt %d failed: %v", i+1, err)
+		time.Sleep(sshRetryDelay)
+	}
+
+	return nil, fmt.Errorf("failed to connect after %d attempts: %v", sshMaxRetries, err)
+}

cmd/cli/common/host_test.go

@@ -0,0 +1,176 @@
+/*
+ * Copyright (c) 2024, NVIDIA CORPORATION.  All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package common
+
+import (
+	"testing"
+
+	"github.com/NVIDIA/holodeck/api/holodeck/v1alpha1"
+	"github.com/NVIDIA/holodeck/pkg/provider/aws"
+)
+
+func TestGetHostURL_AWS_SingleNode(t *testing.T) {
+	env := &v1alpha1.Environment{
+		Spec: v1alpha1.EnvironmentSpec{
+			Provider: v1alpha1.ProviderAWS,
+		},
+		Status: v1alpha1.EnvironmentStatus{
+			Properties: []v1alpha1.Properties{
+				{Name: aws.PublicDnsName, Value: "ec2-1-2-3-4.compute.amazonaws.com"},
+			},
+		},
+	}
+
+	url, err := GetHostURL(env, "", false)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if url != "ec2-1-2-3-4.compute.amazonaws.com" {
+		t.Errorf("expected DNS name, got %s", url)
+	}
+}
+
+func TestGetHostURL_SSH(t *testing.T) {
+	env := &v1alpha1.Environment{
+		Spec: v1alpha1.EnvironmentSpec{
+			Provider: v1alpha1.ProviderSSH,
+			Instance: v1alpha1.Instance{
+				HostUrl: "192.168.1.100",
+			},
+		},
+	}
+
+	url, err := GetHostURL(env, "", false)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if url != "192.168.1.100" {
+		t.Errorf("expected 192.168.1.100, got %s", url)
+	}
+}
+
+func TestGetHostURL_NoProperties(t *testing.T) {
+	env := &v1alpha1.Environment{
+		Spec: v1alpha1.EnvironmentSpec{
+			Provider: v1alpha1.ProviderAWS,
+		},
+		Status: v1alpha1.EnvironmentStatus{
+			Properties: []v1alpha1.Properties{},
+		},
+	}
+
+	_, err := GetHostURL(env, "", false)
+	if err == nil {
+		t.Error("expected error for missing properties")
+	}
+}
+
+func TestGetHostURL_Cluster_PreferControlPlane(t *testing.T) {
+	env := &v1alpha1.Environment{
+		Spec: v1alpha1.EnvironmentSpec{
+			Provider: v1alpha1.ProviderAWS,
+			Cluster:  &v1alpha1.ClusterSpec{},
+		},
+		Status: v1alpha1.EnvironmentStatus{
+			Cluster: &v1alpha1.ClusterStatus{
+				Nodes: []v1alpha1.NodeStatus{
+					{Name: "worker-0", Role: "worker", PublicIP: "10.0.0.1"},
+					{Name: "cp-0", Role: "control-plane", PublicIP: "10.0.0.2"},
+				},
+			},
+		},
+	}
+
+	url, err := GetHostURL(env, "", true)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if url != "10.0.0.2" {
+		t.Errorf("expected control-plane IP 10.0.0.2, got %s", url)
+	}
+}
+
+func TestGetHostURL_Cluster_FallbackToFirstNode(t *testing.T) {
+	env := &v1alpha1.Environment{
+		Spec: v1alpha1.EnvironmentSpec{
+			Provider: v1alpha1.ProviderAWS,
+			Cluster:  &v1alpha1.ClusterSpec{},
+		},
+		Status: v1alpha1.EnvironmentStatus{
+			Cluster: &v1alpha1.ClusterStatus{
+				Nodes: []v1alpha1.NodeStatus{
+					{Name: "worker-0", Role: "worker", PublicIP: "10.0.0.1"},
+					{Name: "worker-1", Role: "worker", PublicIP: "10.0.0.2"},
+				},
+			},
+		},
+	}
+
+	url, err := GetHostURL(env, "", true)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if url != "10.0.0.1" {
+		t.Errorf("expected first node IP 10.0.0.1, got %s", url)
+	}
+}
+
+func TestGetHostURL_Cluster_SpecificNode(t *testing.T) {
+	env := &v1alpha1.Environment{
+		Spec: v1alpha1.EnvironmentSpec{
+			Provider: v1alpha1.ProviderAWS,
+			Cluster:  &v1alpha1.ClusterSpec{},
+		},
+		Status: v1alpha1.EnvironmentStatus{
+			Cluster: &v1alpha1.ClusterStatus{
+				Nodes: []v1alpha1.NodeStatus{
+					{Name: "cp-0", Role: "control-plane", PublicIP: "10.0.0.1"},
+					{Name: "worker-0", Role: "worker", PublicIP: "10.0.0.2"},
+				},
+			},
+		},
+	}
+
+	url, err := GetHostURL(env, "worker-0", false)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if url != "10.0.0.2" {
+		t.Errorf("expected worker IP 10.0.0.2, got %s", url)
+	}
+}
+
+func TestGetHostURL_Cluster_NodeNotFound(t *testing.T) {
+	env := &v1alpha1.Environment{
+		Spec: v1alpha1.EnvironmentSpec{
+			Provider: v1alpha1.ProviderAWS,
+			Cluster:  &v1alpha1.ClusterSpec{},
+		},
+		Status: v1alpha1.EnvironmentStatus{
+			Cluster: &v1alpha1.ClusterStatus{
+				Nodes: []v1alpha1.NodeStatus{
+					{Name: "cp-0", Role: "control-plane", PublicIP: "10.0.0.1"},
+				},
+			},
+		},
+	}
+
+	_, err := GetHostURL(env, "nonexistent", false)
+	if err == nil {
+		t.Error("expected error for nonexistent node")
+	}
+}