npm - @celilo/cli - Versions diffs - 0.1.0 - Mend

@celilo/cli 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (267) hide show

package/README.md +1566 -0
package/bin/celilo +16 -0
package/drizzle/0000_complex_puma.sql +179 -0
package/drizzle/0001_dizzy_wolfpack.sql +2 -0
package/drizzle/0002_web_routes.sql +16 -0
package/drizzle/0003_backup_storage.sql +32 -0
package/drizzle/meta/0000_snapshot.json +1151 -0
package/drizzle/meta/0001_snapshot.json +1167 -0
package/drizzle/meta/0002_snapshot.json +1257 -0
package/drizzle/meta/_journal.json +27 -0
package/package.json +64 -0
package/schemas/system_config.json +106 -0
package/src/__integration__/container-services-cli.integration.test.ts +246 -0
package/src/ansible/dependencies.test.ts +309 -0
package/src/ansible/dependencies.ts +896 -0
package/src/ansible/inventory.test.ts +463 -0
package/src/ansible/inventory.ts +445 -0
package/src/ansible/secrets.ts +222 -0
package/src/ansible/validation.test.ts +92 -0
package/src/ansible/validation.ts +272 -0
package/src/api-clients/digitalocean.ts +94 -0
package/src/api-clients/proxmox.ts +655 -0
package/src/capabilities/logging-wrapper.test.ts +217 -0
package/src/capabilities/lookup.test.ts +149 -0
package/src/capabilities/lookup.ts +89 -0
package/src/capabilities/public-web-helpers.test.ts +198 -0
package/src/capabilities/public-web-publish.test.ts +458 -0
package/src/capabilities/registration.test.ts +395 -0
package/src/capabilities/registration.ts +200 -0
package/src/capabilities/route-validation.test.ts +121 -0
package/src/capabilities/route-validation.ts +96 -0
package/src/capabilities/secret-ref.test.ts +313 -0
package/src/capabilities/secret-validation.ts +157 -0
package/src/capabilities/secrets.test.ts +750 -0
package/src/capabilities/secrets.ts +244 -0
package/src/capabilities/validation.test.ts +613 -0
package/src/capabilities/validation.ts +160 -0
package/src/capabilities/well-known.test.ts +238 -0
package/src/capabilities/well-known.ts +222 -0
package/src/cli/cli.test.ts +654 -0
package/src/cli/command-registry.ts +742 -0
package/src/cli/command-tree-parser.test.ts +180 -0
package/src/cli/command-tree-parser.ts +193 -0
package/src/cli/commands/backup-create.ts +137 -0
package/src/cli/commands/backup-delete.ts +74 -0
package/src/cli/commands/backup-import.ts +97 -0
package/src/cli/commands/backup-list.ts +132 -0
package/src/cli/commands/backup-name.ts +73 -0
package/src/cli/commands/backup-prune.ts +98 -0
package/src/cli/commands/backup-restore.ts +122 -0
package/src/cli/commands/capability-info.ts +121 -0
package/src/cli/commands/capability-list.ts +47 -0
package/src/cli/commands/completion.ts +87 -0
package/src/cli/commands/hook-run.ts +176 -0
package/src/cli/commands/ipam.ts +607 -0
package/src/cli/commands/machine-add.ts +235 -0
package/src/cli/commands/machine-earmark.ts +82 -0
package/src/cli/commands/machine-list.ts +77 -0
package/src/cli/commands/machine-remove.ts +90 -0
package/src/cli/commands/machine-status.ts +131 -0
package/src/cli/commands/module-audit.ts +51 -0
package/src/cli/commands/module-build.ts +60 -0
package/src/cli/commands/module-config.ts +170 -0
package/src/cli/commands/module-deploy.ts +71 -0
package/src/cli/commands/module-generate.ts +236 -0
package/src/cli/commands/module-health.ts +108 -0
package/src/cli/commands/module-import.ts +80 -0
package/src/cli/commands/module-list.ts +43 -0
package/src/cli/commands/module-logs.ts +73 -0
package/src/cli/commands/module-remove.ts +162 -0
package/src/cli/commands/module-show.ts +208 -0
package/src/cli/commands/module-status.ts +131 -0
package/src/cli/commands/module-types.ts +189 -0
package/src/cli/commands/module-upgrade.ts +192 -0
package/src/cli/commands/package.ts +68 -0
package/src/cli/commands/secret-list.ts +99 -0
package/src/cli/commands/secret-set.ts +134 -0
package/src/cli/commands/service-add-digitalocean.ts +133 -0
package/src/cli/commands/service-add-proxmox.ts +342 -0
package/src/cli/commands/service-config-get.ts +83 -0
package/src/cli/commands/service-config-set.ts +145 -0
package/src/cli/commands/service-list.ts +74 -0
package/src/cli/commands/service-reconfigure.ts +230 -0
package/src/cli/commands/service-remove.ts +103 -0
package/src/cli/commands/service-verify.ts +240 -0
package/src/cli/commands/status.ts +216 -0
package/src/cli/commands/storage-add-local.ts +106 -0
package/src/cli/commands/storage-add-s3.ts +114 -0
package/src/cli/commands/storage-list.ts +72 -0
package/src/cli/commands/storage-remove.ts +54 -0
package/src/cli/commands/storage-set-default.ts +44 -0
package/src/cli/commands/storage-verify.ts +54 -0
package/src/cli/commands/system-config.ts +168 -0
package/src/cli/commands/system-init.ts +314 -0
package/src/cli/commands/system-secret-get.ts +98 -0
package/src/cli/commands/system-secret-set.ts +76 -0
package/src/cli/commands/system-vault-password.ts +34 -0
package/src/cli/completion.test.ts +37 -0
package/src/cli/completion.ts +482 -0
package/src/cli/fuel-gauge.test.ts +208 -0
package/src/cli/fuel-gauge.ts +405 -0
package/src/cli/generate-zsh-completion.test.ts +95 -0
package/src/cli/generate-zsh-completion.ts +497 -0
package/src/cli/index.ts +1583 -0
package/src/cli/interactive-config.test.ts +201 -0
package/src/cli/interactive-config.ts +62 -0
package/src/cli/parser.test.ts +227 -0
package/src/cli/parser.ts +244 -0
package/src/cli/prompts.test.ts +33 -0
package/src/cli/prompts.ts +121 -0
package/src/cli/types.ts +38 -0
package/src/cli/validators.test.ts +235 -0
package/src/cli/validators.ts +188 -0
package/src/config/env.ts +41 -0
package/src/config/paths.test.ts +172 -0
package/src/config/paths.ts +108 -0
package/src/db/client.ts +190 -0
package/src/db/migrate.ts +30 -0
package/src/db/schema.test.ts +221 -0
package/src/db/schema.ts +434 -0
package/src/hooks/capability-loader-firewall.test.ts +246 -0
package/src/hooks/capability-loader.test.ts +100 -0
package/src/hooks/capability-loader.ts +520 -0
package/src/hooks/define-hook.test.ts +488 -0
package/src/hooks/executor.test.ts +462 -0
package/src/hooks/executor.ts +469 -0
package/src/hooks/logger.test.ts +54 -0
package/src/hooks/logger.ts +95 -0
package/src/hooks/test-fixtures/failing-hook.ts +13 -0
package/src/hooks/test-fixtures/no-default-hook.ts +6 -0
package/src/hooks/test-fixtures/success-hook.ts +20 -0
package/src/hooks/test-fixtures/unbranded-hook.ts +11 -0
package/src/hooks/test-fixtures/void-hook.ts +13 -0
package/src/hooks/types.ts +89 -0
package/src/infrastructure/property-extractor.test.ts +194 -0
package/src/infrastructure/property-extractor.ts +151 -0
package/src/ipam/allocator.test.ts +442 -0
package/src/ipam/allocator.ts +369 -0
package/src/ipam/auto-allocator.test.ts +247 -0
package/src/ipam/auto-allocator.ts +270 -0
package/src/ipam/subnet-parser.test.ts +107 -0
package/src/ipam/subnet-parser.ts +136 -0
package/src/manifest/contracts/index.ts +61 -0
package/src/manifest/contracts/v1.ts +118 -0
package/src/manifest/json-schema-roundtrip.test.ts +99 -0
package/src/manifest/schema.ts +367 -0
package/src/manifest/template-validator.test.ts +231 -0
package/src/manifest/template-validator.ts +322 -0
package/src/manifest/validate.test.ts +1180 -0
package/src/manifest/validate.ts +415 -0
package/src/module/import.test.ts +355 -0
package/src/module/import.ts +676 -0
package/src/module/packaging/audit.ts +169 -0
package/src/module/packaging/build.ts +228 -0
package/src/module/packaging/checksum.ts +41 -0
package/src/module/packaging/extract.ts +234 -0
package/src/module/packaging/signature.ts +47 -0
package/src/secrets/encryption.test.ts +284 -0
package/src/secrets/encryption.ts +162 -0
package/src/secrets/generators.test.ts +112 -0
package/src/secrets/generators.ts +127 -0
package/src/secrets/master-key.test.ts +159 -0
package/src/secrets/master-key.ts +114 -0
package/src/secrets/storage.test.ts +115 -0
package/src/secrets/storage.ts +106 -0
package/src/secrets/vault.test.ts +35 -0
package/src/secrets/vault.ts +42 -0
package/src/services/backup-create.ts +532 -0
package/src/services/backup-metadata.ts +198 -0
package/src/services/backup-restore.ts +229 -0
package/src/services/backup-retention.ts +84 -0
package/src/services/backup-storage.ts +281 -0
package/src/services/build-stream.test.ts +122 -0
package/src/services/build-stream.ts +201 -0
package/src/services/config-interview.ts +694 -0
package/src/services/container-service.test.ts +298 -0
package/src/services/container-service.ts +401 -0
package/src/services/cross-module-data-manager.test.ts +405 -0
package/src/services/cross-module-data-manager.ts +412 -0
package/src/services/deploy-ansible.ts +88 -0
package/src/services/deploy-planner.ts +153 -0
package/src/services/deploy-preflight.ts +274 -0
package/src/services/deploy-ssh.ts +131 -0
package/src/services/deploy-terraform.test.ts +55 -0
package/src/services/deploy-terraform.ts +445 -0
package/src/services/deploy-validation.ts +311 -0
package/src/services/dns-auto-register.ts +211 -0
package/src/services/health-runner.ts +184 -0
package/src/services/infrastructure-selector.test.ts +485 -0
package/src/services/infrastructure-selector.ts +245 -0
package/src/services/infrastructure-variable-resolver.test.ts +751 -0
package/src/services/infrastructure-variable-resolver.ts +234 -0
package/src/services/machine-detector.ts +328 -0
package/src/services/machine-pool.test.ts +405 -0
package/src/services/machine-pool.ts +316 -0
package/src/services/manifest-validation.ts +120 -0
package/src/services/module-build.test.ts +290 -0
package/src/services/module-build.ts +431 -0
package/src/services/module-config.test.ts +237 -0
package/src/services/module-config.ts +298 -0
package/src/services/module-deploy.ts +862 -0
package/src/services/module-types-drift.test.ts +73 -0
package/src/services/module-types-generator.test.ts +288 -0
package/src/services/module-types-generator.ts +189 -0
package/src/services/proxmox-state-recovery.ts +140 -0
package/src/services/schema-validation.ts +155 -0
package/src/services/secret-schema-loader.test.ts +311 -0
package/src/services/secret-schema-loader.ts +239 -0
package/src/services/ssh-key-manager.test.ts +283 -0
package/src/services/ssh-key-manager.ts +193 -0
package/src/services/storage-providers/local.ts +105 -0
package/src/services/storage-providers/s3.ts +182 -0
package/src/services/storage-providers/types.ts +24 -0
package/src/services/system-config-schema-types.ts +25 -0
package/src/services/system-config-validator.test.ts +160 -0
package/src/services/system-config-validator.ts +74 -0
package/src/services/system-init.test.ts +153 -0
package/src/services/system-init.ts +253 -0
package/src/services/terraform-safety.ts +174 -0
package/src/services/zone-detector.test.ts +110 -0
package/src/services/zone-detector.ts +102 -0
package/src/services/zone-policy.test.ts +97 -0
package/src/services/zone-policy.ts +126 -0
package/src/templates/generator.test.ts +645 -0
package/src/templates/generator.ts +1119 -0
package/src/templates/types.ts +62 -0
package/src/test-utils/INTERACTIVE_PROMPTS.md +167 -0
package/src/test-utils/cli-context-interactive.test.ts +152 -0
package/src/test-utils/cli-context-server.test.ts +66 -0
package/src/test-utils/cli-context.test.ts +273 -0
package/src/test-utils/cli-context.ts +677 -0
package/src/test-utils/cli-result.test.ts +282 -0
package/src/test-utils/cli-result.ts +241 -0
package/src/test-utils/cli.ts +55 -0
package/src/test-utils/completion-harness.test.ts +126 -0
package/src/test-utils/completion-harness.ts +82 -0
package/src/test-utils/database.test.ts +182 -0
package/src/test-utils/database.ts +126 -0
package/src/test-utils/filesystem.test.ts +208 -0
package/src/test-utils/filesystem.ts +142 -0
package/src/test-utils/fixtures.test.ts +123 -0
package/src/test-utils/fixtures.ts +160 -0
package/src/test-utils/golden-diff.ts +197 -0
package/src/test-utils/index.ts +77 -0
package/src/test-utils/integration.ts +81 -0
package/src/test-utils/module-fixtures.ts +468 -0
package/src/test-utils/modules.test.ts +144 -0
package/src/test-utils/modules.ts +183 -0
package/src/test-utils/setup-test-db.ts +90 -0
package/src/test-utils/value-extractor.test.ts +231 -0
package/src/test-utils/value-extractor.ts +228 -0
package/src/types/infrastructure.ts +157 -0
package/src/utils/shell.test.ts +365 -0
package/src/utils/shell.ts +159 -0
package/src/validation/schemas.ts +166 -0
package/src/variables/ansible-resolver.test.ts +142 -0
package/src/variables/ansible-resolver.ts +69 -0
package/src/variables/capability-self-ref.test.ts +220 -0
package/src/variables/context.test.ts +1265 -0
package/src/variables/context.ts +624 -0
package/src/variables/declarative-derivation.test.ts +743 -0
package/src/variables/declarative-derivation.ts +200 -0
package/src/variables/parser.test.ts +231 -0
package/src/variables/parser.ts +76 -0
package/src/variables/resolver.test.ts +458 -0
package/src/variables/resolver.ts +282 -0
package/src/variables/types.ts +59 -0

package/src/cli/commands/ipam.ts ADDED Viewed

@@ -0,0 +1,607 @@
+/**
+ * IPAM (IP Address Management) commands
+ * Manage VMID and IP address reservations and allocations
+ */
+import { getDb } from '../../db/client';
+import {
+  inferZoneFromIP,
+  listReservations,
+  listVMIDReservations,
+  reserveIP,
+  reserveVMID,
+  unreserveIP,
+  unreserveVMID,
+} from '../../ipam/allocator';
+import { getArg, getFlag, validateRequiredArgs } from '../parser';
+import type { CommandResult } from '../types';
+/**
+ * Handle IPAM VMID reserve command
+ *
+ * Usage: celilo ipam vmid reserve <vmid-or-range> --reason <reason>
+ *
+ * @param args - Command arguments
+ * @param flags - Command flags
+ * @returns Command result
+ */
+export async function handleIpamVmidReserve(
+  args: string[],
+  flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const error = validateRequiredArgs(args, 1);
+  if (error) {
+    return {
+      success: false,
+      error: `${error}\n\nUsage: celilo ipam vmid reserve <vmid-or-range> --reason <reason>`,
+    };
+  }
+  const vmidArg = getArg(args, 0);
+  if (!vmidArg) {
+    return {
+      success: false,
+      error: 'VMID or range is required',
+    };
+  }
+  // Parse reason flag
+  const reason = getFlag(flags, 'reason');
+  if (!reason) {
+    return {
+      success: false,
+      error: 'Reason is required. Use --reason "description"',
+    };
+  }
+  const db = getDb();
+  try {
+    // Parse VMID or range
+    if (vmidArg.includes('-')) {
+      // Range format: "2100-2110"
+      const [startStr, endStr] = vmidArg.split('-');
+      const start = Number.parseInt(startStr, 10);
+      const end = Number.parseInt(endStr, 10);
+      if (Number.isNaN(start) || Number.isNaN(end)) {
+        return {
+          success: false,
+          error: `Invalid VMID range: ${vmidArg}`,
+        };
+      }
+      if (start >= end) {
+        return {
+          success: false,
+          error: 'Invalid range: start must be less than end',
+        };
+      }
+      // Reserve each VMID in range
+      for (let vmid = start; vmid <= end; vmid++) {
+        await reserveVMID(vmid, reason, db);
+      }
+      return {
+        success: true,
+        message: `Reserved VMIDs ${start}-${end}: ${reason}`,
+      };
+    }
+    // Single VMID
+    const vmid = Number.parseInt(vmidArg, 10);
+    if (Number.isNaN(vmid)) {
+      return {
+        success: false,
+        error: `Invalid VMID: ${vmidArg}`,
+      };
+    }
+    await reserveVMID(vmid, reason, db);
+    return {
+      success: true,
+      message: `Reserved VMID ${vmid}: ${reason}`,
+    };
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}
+/**
+ * Handle IPAM VMID unreserve command
+ *
+ * Usage: celilo ipam vmid unreserve <vmid-or-range>
+ *
+ * @param args - Command arguments
+ * @param flags - Command flags
+ * @returns Command result
+ */
+export async function handleIpamVmidUnreserve(
+  args: string[],
+  _flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const error = validateRequiredArgs(args, 1);
+  if (error) {
+    return {
+      success: false,
+      error: `${error}\n\nUsage: celilo ipam vmid unreserve <vmid-or-range>`,
+    };
+  }
+  const vmidArg = getArg(args, 0);
+  if (!vmidArg) {
+    return {
+      success: false,
+      error: 'VMID or range is required',
+    };
+  }
+  const db = getDb();
+  try {
+    // Parse VMID or range
+    if (vmidArg.includes('-')) {
+      // Range format: "2100-2110"
+      const [startStr, endStr] = vmidArg.split('-');
+      const start = Number.parseInt(startStr, 10);
+      const end = Number.parseInt(endStr, 10);
+      if (Number.isNaN(start) || Number.isNaN(end)) {
+        return {
+          success: false,
+          error: `Invalid VMID range: ${vmidArg}`,
+        };
+      }
+      if (start >= end) {
+        return {
+          success: false,
+          error: 'Invalid range: start must be less than end',
+        };
+      }
+      // Unreserve each VMID in range
+      for (let vmid = start; vmid <= end; vmid++) {
+        await unreserveVMID(vmid, db);
+      }
+      return {
+        success: true,
+        message: `Unreserved VMIDs ${start}-${end}`,
+      };
+    }
+    // Single VMID
+    const vmid = Number.parseInt(vmidArg, 10);
+    if (Number.isNaN(vmid)) {
+      return {
+        success: false,
+        error: `Invalid VMID: ${vmidArg}`,
+      };
+    }
+    await unreserveVMID(vmid, db);
+    return {
+      success: true,
+      message: `Unreserved VMID ${vmid}`,
+    };
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}
+/**
+ * Handle IPAM VMID list-reservations command
+ *
+ * Usage: celilo ipam vmid list-reservations
+ *
+ * @param args - Command arguments
+ * @param flags - Command flags
+ * @returns Command result
+ */
+export async function handleIpamVmidListReservations(
+  _args: string[],
+  _flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const db = getDb();
+  try {
+    const reservations = await listVMIDReservations(db);
+    if (reservations.length === 0) {
+      return {
+        success: true,
+        message: 'No VMID reservations',
+      };
+    }
+    const lines = ['VMID Reservations:', ''];
+    for (const reservation of reservations) {
+      lines.push(`VMID ${reservation.vmid}: ${reservation.reason}`);
+      lines.push(`  Reserved: ${new Date(reservation.reservedAt).toLocaleString()}`);
+    }
+    return {
+      success: true,
+      message: lines.join('\n'),
+      data: reservations,
+    };
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}
+/**
+ * Handle IPAM IP exclude command
+ *
+ * Usage: celilo ipam ip exclude <ip-range> --reason <reason> [--zone <zone>]
+ *
+ * @param args - Command arguments
+ * @param flags - Command flags
+ * @returns Command result
+ */
+export async function handleIpamIpReserve(
+  args: string[],
+  flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const error = validateRequiredArgs(args, 1);
+  if (error) {
+    return {
+      success: false,
+      error: `${error}\n\nUsage: celilo ipam ip exclude <ip-range> --reason <reason> [--zone <zone>]`,
+    };
+  }
+  const ipArg = getArg(args, 0);
+  if (!ipArg) {
+    return {
+      success: false,
+      error: 'IP or range is required',
+    };
+  }
+  // Parse reason flag
+  const reason = getFlag(flags, 'reason');
+  if (!reason) {
+    return {
+      success: false,
+      error: 'Reason is required. Use --reason "description"',
+    };
+  }
+  const db = getDb();
+  try {
+    // Parse IP or range
+    let ipStart: string;
+    let ipEnd: string | null = null;
+    if (ipArg.includes('-')) {
+      // Range format: "10.0.10.1-10.0.10.9"
+      const [start, end] = ipArg.split('-');
+      ipStart = start.trim();
+      ipEnd = end.trim();
+    } else {
+      // Single IP
+      ipStart = ipArg;
+    }
+    // Infer zone from IP, or use explicit --zone override
+    const explicitZone = getFlag(flags, 'zone');
+    const zone = explicitZone || (await inferZoneFromIP(ipStart, db));
+    if (!zone) {
+      return {
+        success: false,
+        error: `Cannot determine zone for IP ${ipStart}. It doesn't match any configured zone subnet. Use --zone to specify manually.`,
+      };
+    }
+    if (zone !== 'dmz' && zone !== 'app' && zone !== 'secure' && zone !== 'internal') {
+      return {
+        success: false,
+        error: `Invalid zone: ${zone}. Must be internal, dmz, app, or secure`,
+      };
+    }
+    await reserveIP(ipStart, zone, reason, ipEnd, db);
+    return {
+      success: true,
+      message: `Excluded IP ${ipEnd ? `${ipStart}-${ipEnd}` : ipStart} in zone ${zone}: ${reason}`,
+    };
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}
+/**
+ * Handle IPAM IP include command (remove exclusion)
+ *
+ * Usage: celilo ipam ip include <ip-or-range> [--zone <zone>]
+ *
+ * @param args - Command arguments
+ * @param flags - Command flags
+ * @returns Command result
+ */
+export async function handleIpamIpUnreserve(
+  args: string[],
+  flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const error = validateRequiredArgs(args, 1);
+  if (error) {
+    return {
+      success: false,
+      error: `${error}\n\nUsage: celilo ipam ip include <ip-or-range> [--zone <zone>]`,
+    };
+  }
+  const ipArg = getArg(args, 0);
+  if (!ipArg) {
+    return {
+      success: false,
+      error: 'IP is required',
+    };
+  }
+  const db = getDb();
+  try {
+    // Parse IP (take first part if range)
+    const ipStart = ipArg.includes('-') ? ipArg.split('-')[0].trim() : ipArg;
+    // Infer zone from IP, or use explicit --zone override
+    const explicitZone = getFlag(flags, 'zone');
+    const zone = explicitZone || (await inferZoneFromIP(ipStart, db));
+    if (!zone) {
+      return {
+        success: false,
+        error: `Cannot determine zone for IP ${ipStart}. Use --zone to specify manually.`,
+      };
+    }
+    if (zone !== 'dmz' && zone !== 'app' && zone !== 'secure' && zone !== 'internal') {
+      return {
+        success: false,
+        error: `Invalid zone: ${zone}. Must be internal, dmz, app, or secure`,
+      };
+    }
+    await unreserveIP(ipStart, zone, db);
+    return {
+      success: true,
+      message: `Removed exclusion for IP ${ipArg} in zone ${zone}`,
+    };
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}
+/**
+ * Handle IPAM IP list-exclusions command
+ *
+ * Usage: celilo ipam ip list-exclusions
+ *
+ * @param args - Command arguments
+ * @param flags - Command flags
+ * @returns Command result
+ */
+export async function handleIpamIpListReservations(
+  _args: string[],
+  _flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const db = getDb();
+  try {
+    const reservations = await listReservations(db);
+    if (reservations.length === 0) {
+      return {
+        success: true,
+        message: 'No IP exclusions',
+      };
+    }
+    const lines = ['IP Exclusions:', ''];
+    for (const reservation of reservations) {
+      const range = reservation.ipEnd
+        ? `${reservation.ipStart}-${reservation.ipEnd}`
+        : reservation.ipStart;
+      lines.push(`${range} (${reservation.zone}): ${reservation.reason}`);
+      lines.push(`  Excluded: ${new Date(reservation.reservedAt).toLocaleString()}`);
+    }
+    return {
+      success: true,
+      message: lines.join('\n'),
+      data: reservations,
+    };
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}
+/**
+ * Handle IPAM show command - comprehensive summary
+ *
+ * Usage: celilo ipam show
+ *
+ * @param args - Command arguments
+ * @param flags - Command flags
+ * @returns Command result
+ */
+export async function handleIpamShow(
+  _args: string[],
+  _flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const db = getDb();
+  try {
+    const { ipAllocations } = await import('../../db/schema');
+    const allocations = await db.select().from(ipAllocations).all();
+    const ipReservations = await listReservations(db);
+    const vmidReservations = await listVMIDReservations(db);
+    const lines: string[] = ['IPAM Allocations Summary', ''];
+    // VMID section
+    lines.push('VMID Allocations:');
+    if (allocations.length === 0) {
+      lines.push('  (none)');
+    } else {
+      for (const allocation of allocations) {
+        lines.push(`  ${allocation.vmid}: ${allocation.moduleId} (allocated)`);
+      }
+    }
+    lines.push('');
+    lines.push('VMID Reservations:');
+    if (vmidReservations.length === 0) {
+      lines.push('  (none)');
+    } else {
+      for (const reservation of vmidReservations) {
+        lines.push(`  ${reservation.vmid}: ${reservation.reason}`);
+      }
+    }
+    lines.push('');
+    // IP section - group by zone
+    const zones = ['internal', 'dmz', 'app', 'secure'];
+    for (const zone of zones) {
+      const zoneAllocations = allocations.filter((a) => a.zone === zone);
+      const zoneReservations = ipReservations.filter((r) => r.zone === zone);
+      if (zoneAllocations.length === 0 && zoneReservations.length === 0) {
+        continue; // Skip empty zones
+      }
+      const zoneName = zone.toUpperCase();
+      lines.push(`IP Allocations (${zoneName}):`);
+      if (zoneAllocations.length === 0) {
+        lines.push('  (none)');
+      } else {
+        for (const allocation of zoneAllocations) {
+          lines.push(`  ${allocation.containerIp}: ${allocation.moduleId} (allocated)`);
+        }
+      }
+      lines.push('');
+      lines.push(`IP Exclusions (${zoneName}):`);
+      if (zoneReservations.length === 0) {
+        lines.push('  (none)');
+      } else {
+        for (const reservation of zoneReservations) {
+          const range = reservation.ipEnd
+            ? `${reservation.ipStart}-${reservation.ipEnd}`
+            : reservation.ipStart;
+          lines.push(`  ${range}: ${reservation.reason}`);
+        }
+      }
+      lines.push('');
+    }
+    // Summary
+    lines.push('Summary:');
+    lines.push(`  VMIDs: ${allocations.length} allocated, ${vmidReservations.length} reserved`);
+    const totalIpAllocations = allocations.length;
+    const totalIpReservations = ipReservations.reduce((sum, r) => {
+      if (r.ipEnd) {
+        // Calculate range size
+        const startOctet = Number.parseInt(r.ipStart.split('.')[3], 10);
+        const endOctet = Number.parseInt(r.ipEnd.split('.')[3], 10);
+        return sum + (endOctet - startOctet + 1);
+      }
+      return sum + 1;
+    }, 0);
+    lines.push(`  IPs: ${totalIpAllocations} allocated, ${totalIpReservations} excluded`);
+    return {
+      success: true,
+      message: lines.join('\n'),
+      data: {
+        allocations,
+        ipReservations,
+        vmidReservations,
+      },
+    };
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}
+/**
+ * Handle IPAM list-allocations command
+ *
+ * Usage: celilo ipam list-allocations
+ *
+ * @param args - Command arguments
+ * @param flags - Command flags
+ * @returns Command result
+ */
+export async function handleIpamListAllocations(
+  _args: string[],
+  _flags: Record<string, string | boolean>,
+): Promise<CommandResult> {
+  const db = getDb();
+  try {
+    const { ipAllocations } = await import('../../db/schema');
+    const allocations = await db.select().from(ipAllocations).all();
+    if (allocations.length === 0) {
+      return {
+        success: true,
+        message: 'No IPAM allocations',
+      };
+    }
+    const lines = ['IPAM Allocations:', ''];
+    for (const allocation of allocations) {
+      lines.push(`Module: ${allocation.moduleId}`);
+      lines.push(`  VMID: ${allocation.vmid}`);
+      lines.push(`  IP: ${allocation.containerIp}`);
+      lines.push(`  Zone: ${allocation.zone}`);
+      lines.push(`  Allocated: ${new Date(allocation.allocatedAt).toLocaleString()}`);
+      lines.push('');
+    }
+    return {
+      success: true,
+      message: lines.join('\n'),
+      data: allocations,
+    };
+  } catch (err) {
+    return {
+      success: false,
+      error: err instanceof Error ? err.message : String(err),
+    };
+  }
+}