@celilo/cli 0.1.4 → 0.1.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {
@@ -47,7 +47,7 @@
   "dependencies": {
     "@aws-sdk/client-s3": "^3.1024.0",
     "@clack/prompts": "^1.1.0",
-    "@celilo/capabilities": "^0.1.1",
+    "@celilo/capabilities": "^0.1.2",
     "ajv": "^8.18.0",
     "drizzle-orm": "^0.36.4",
     "tar": "^7.5.10",

package/src/ansible/inventory.test.ts

@@ -99,14 +99,14 @@ describe('generateHostVarsYaml', () => {
     const vars = {
       vmid: 2110,
       hostname: 'iot',
-      container_ip: '192.168.0.110/24',
+      target_ip: '192.168.0.110/24',
     };
 
     const result = generateHostVarsYaml(vars);
 
     expect(result).toContain('vmid: 2110');
     expect(result).toContain('hostname: iot');
-    expect(result).toContain('container_ip: 192.168.0.110/24');
+    expect(result).toContain('target_ip: 192.168.0.110/24');
   });
 
   test('generates YAML for arrays', () => {
@@ -289,7 +289,7 @@ describe('Database integration', () => {
           { moduleId: 'homebridge', key: 'hostname', value: 'iot', valueJson: null },
           {
             moduleId: 'homebridge',
-            key: 'container_ip',
+            key: 'target_ip',
             value: '192.168.0.110/24',
             valueJson: null,
           },
@@ -301,7 +301,7 @@ describe('Database integration', () => {
 
       expect(vars.vmid).toBe(2110);
       expect(vars.hostname).toBe('iot');
-      expect(vars.container_ip).toBe('192.168.0.110/24');
+      expect(vars.target_ip).toBe('192.168.0.110/24');
       expect(vars.cores).toBe(1);
     });
 
@@ -404,7 +404,7 @@ describe('Database integration', () => {
       db.insert(moduleConfigs)
         .values([
           { moduleId: 'homebridge', key: 'hostname', value: 'iot' },
-          { moduleId: 'homebridge', key: 'container_ip', value: '192.168.0.110/24' },
+          { moduleId: 'homebridge', key: 'target_ip', value: '192.168.0.110/24' },
         ])
         .run();
 
@@ -446,7 +446,7 @@ describe('Database integration', () => {
       db.insert(moduleConfigs)
         .values([
           { moduleId: 'test', key: 'hostname', value: 'iot' },
-          // Missing container_ip or vps_ip for ansible_host
+          // Missing target_ip or vps_ip for ansible_host
         ])
         .run();
 

package/src/ansible/inventory.ts

@@ -259,13 +259,11 @@ export function extractInventoryHost(moduleId: string, db: DbClient): InventoryH
   }
 
   // Auto-derive ansible_host from infrastructure variables
-  // Priority: container_ip > ip.primary > vps_ip (for backward compatibility)
-  if (moduleConfig.container_ip) {
-    const slashIndex = moduleConfig.container_ip.indexOf('/');
+  // Priority: target_ip > ip.primary > vps_ip (for backward compatibility)
+  if (moduleConfig.target_ip) {
+    const slashIndex = moduleConfig.target_ip.indexOf('/');
     derived['inventory.ansible_host'] =
-      slashIndex === -1
-        ? moduleConfig.container_ip
-        : moduleConfig.container_ip.slice(0, slashIndex);
+      slashIndex === -1 ? moduleConfig.target_ip : moduleConfig.target_ip.slice(0, slashIndex);
   } else if (moduleConfig['ip.primary']) {
     derived['inventory.ansible_host'] = moduleConfig['ip.primary'];
   } else if (moduleConfig.vps_ip) {

package/src/capabilities/public-web-publish.test.ts

@@ -109,7 +109,7 @@ describe('publishStaticSite — clientConfig injection', () => {
       moduleId: 'lunacycle',
       logger: noopLogger,
       config: {
-        container_ip: '10.0.10.20/24',
+        target_ip: '10.0.10.20/24',
         hostname: 'www',
         primary_domain: 'example.com',
         email: 'admin@example.com',
@@ -150,7 +150,7 @@ describe('publishStaticSite — clientConfig injection', () => {
       moduleId: 'lunacycle',
       logger: noopLogger,
       config: {
-        container_ip: '10.0.10.20/24',
+        target_ip: '10.0.10.20/24',
         hostname: 'www',
         primary_domain: 'example.com',
         email: 'admin@example.com',
@@ -174,7 +174,7 @@ describe('publishStaticSite — clientConfig injection', () => {
       moduleId: 'lunacycle',
       logger: noopLogger,
       config: {
-        container_ip: '10.0.10.20/24',
+        target_ip: '10.0.10.20/24',
         hostname: 'www',
         primary_domain: 'example.com',
         email: 'admin@example.com',
@@ -201,7 +201,7 @@ describe('publishStaticSite — clientConfig injection', () => {
       moduleId: 'lunacycle',
       logger: noopLogger,
       config: {
-        container_ip: '10.0.10.20/24',
+        target_ip: '10.0.10.20/24',
         hostname: 'www',
         primary_domain: 'example.com',
         email: 'admin@example.com',
@@ -225,7 +225,7 @@ describe('publishStaticSite — clientConfig injection', () => {
       moduleId: 'lunacycle',
       logger: noopLogger,
       config: {
-        container_ip: '10.0.10.20/24',
+        target_ip: '10.0.10.20/24',
         hostname: 'www',
         primary_domain: 'example.com',
         email: 'admin@example.com',
@@ -261,7 +261,7 @@ describe('registerReverseProxy', () => {
       moduleId: 'lunacycle',
       logger: noopLogger,
       config: {
-        container_ip: '10.0.10.20/24',
+        target_ip: '10.0.10.20/24',
         hostname: 'www',
         primary_domain: 'example.com',
         email: 'admin@example.com',
@@ -294,7 +294,7 @@ describe('registerReverseProxy', () => {
       moduleId: 'lunacycle',
       logger: noopLogger,
       config: {
-        container_ip: '10.0.10.20/24',
+        target_ip: '10.0.10.20/24',
         hostname: 'www',
         primary_domain: 'example.com',
         email: 'admin@example.com',
@@ -337,7 +337,7 @@ describe('auto-logging — end-to-end through createPublicWeb', () => {
       moduleId: 'lunacycle',
       logger,
       config: {
-        container_ip: '10.0.10.20/24',
+        target_ip: '10.0.10.20/24',
         hostname: 'www',
         primary_domain: 'example.com',
         email: 'admin@example.com',
@@ -368,7 +368,7 @@ describe('auto-logging — end-to-end through createPublicWeb', () => {
       moduleId: 'lunacycle',
       logger,
       config: {
-        container_ip: '10.0.10.20/24',
+        target_ip: '10.0.10.20/24',
         hostname: 'www',
         primary_domain: 'example.com',
         email: 'admin@example.com',
@@ -400,7 +400,7 @@ describe('auto-logging — end-to-end through createPublicWeb', () => {
       moduleId: 'lunacycle',
       logger,
       config: {
-        container_ip: '10.0.10.20/24',
+        target_ip: '10.0.10.20/24',
         hostname: 'www',
         primary_domain: 'example.com',
         email: 'admin@example.com',
@@ -432,7 +432,7 @@ describe('auto-logging — end-to-end through createPublicWeb', () => {
       moduleId: 'lunacycle',
       logger,
       config: {
-        container_ip: '10.0.10.20/24',
+        target_ip: '10.0.10.20/24',
         hostname: 'www',
         primary_domain: 'example.com',
         email: 'admin@example.com',

package/src/capabilities/registration.test.ts

@@ -43,7 +43,7 @@ describe('Capability Registration', () => {
         version: '1.0.0',
         data: {
           server: {
-            ip: '$self:container_ip',
+            ip: '$self:target_ip',
             port: 443,
           },
         },
@@ -65,7 +65,7 @@ describe('Capability Registration', () => {
       // Variables are preserved, not resolved
       expect(result).toEqual({
         server: {
-          ip: '$self:container_ip',
+          ip: '$self:target_ip',
           port: 443,
         },
       });
@@ -177,7 +177,7 @@ describe('Capability Registration', () => {
         name: 'test_capability',
         version: '1.0.0',
         data: {
-          variable: '$self:container_ip',
+          variable: '$self:target_ip',
           literal: 'not-a-variable',
           with_dollar: '$100',
           empty: '',
@@ -198,7 +198,7 @@ describe('Capability Registration', () => {
       const result = buildCapabilityData(capability, manifest);
 
       expect(result).toEqual({
-        variable: '$self:container_ip',
+        variable: '$self:target_ip',
         literal: 'not-a-variable',
         with_dollar: '$100',
         empty: '',
@@ -337,7 +337,7 @@ describe('Capability Registration', () => {
         version: '1.0.0',
         data: {
           server: {
-            ip: '$self:container_ip',
+            ip: '$self:target_ip',
           },
         },
       };
@@ -360,7 +360,7 @@ describe('Capability Registration', () => {
       (result as any).server.ip = 'modified';
 
       // Original should be unchanged
-      expect(capability.data.server.ip).toBe('$self:container_ip');
+      expect(capability.data.server.ip).toBe('$self:target_ip');
     });
   });
 

package/src/capabilities/well-known.test.ts

@@ -170,7 +170,7 @@ describe('Well-Known Capabilities Registry', () => {
       expect(schema).toEqual({
         server: {
           ip: {
-            primary: '$self:container_ip',
+            primary: '$self:target_ip',
           },
           port: 443,
         },
@@ -196,7 +196,7 @@ describe('Well-Known Capabilities Registry', () => {
       expect(schema).toEqual({
         server: {
           ip: {
-            primary: '$self:container_ip',
+            primary: '$self:target_ip',
           },
           port: 9000,
         },

package/src/capabilities/well-known.ts

@@ -41,7 +41,7 @@ export const WELL_KNOWN_CAPABILITIES: Record<string, WellKnownCapability> = {
     data_schema: {
       server: {
         ip: {
-          primary: '$self:container_ip',
+          primary: '$self:target_ip',
         },
         port: 443,
       },
@@ -76,7 +76,7 @@ export const WELL_KNOWN_CAPABILITIES: Record<string, WellKnownCapability> = {
     data_schema: {
       server: {
         ip: {
-          primary: '$self:container_ip',
+          primary: '$self:target_ip',
         },
         port: 53,
       },
@@ -102,7 +102,7 @@ export const WELL_KNOWN_CAPABILITIES: Record<string, WellKnownCapability> = {
     data_schema: {
       server: {
         ip: {
-          primary: '$self:container_ip',
+          primary: '$self:target_ip',
         },
         port: 9000,
       },
@@ -121,12 +121,12 @@ export const WELL_KNOWN_CAPABILITIES: Record<string, WellKnownCapability> = {
     data_schema: {
       server: {
         ip: {
-          primary: '$self:container_ip',
+          primary: '$self:target_ip',
         },
         port: '$self:port', // Database-specific port
       },
       connection: {
-        host: '$self:container_ip',
+        host: '$self:target_ip',
         port: '$self:port',
         name: '$self:database_name',
       },

package/src/cli/commands/module-show.ts

@@ -68,7 +68,7 @@ export async function handleModuleShowConfig(args: string[]): Promise<CommandRes
       if (
         key.startsWith('inventory.') ||
         key === 'vmid' ||
-        key === 'container_ip' ||
+        key === 'target_ip' ||
         key === 'gateway' ||
         key === 'vlan' ||
         key === 'subnet' ||

package/src/db/schema.test.ts

@@ -121,7 +121,7 @@ describe('Database Schema', () => {
     // Insert config
     const newConfig: NewModuleConfig = {
       moduleId: 'homebridge',
-      key: 'container_ip',
+      key: 'target_ip',
       value: '192.168.0.50',
     };
 
@@ -129,7 +129,7 @@ describe('Database Schema', () => {
 
     expect(result).toBeDefined();
     expect(result.moduleId).toBe('homebridge');
-    expect(result.key).toBe('container_ip');
+    expect(result.key).toBe('target_ip');
     expect(result.value).toBe('192.168.0.50');
   });
 
@@ -206,7 +206,7 @@ describe('Database Schema', () => {
     // Insert config
     const newConfig: NewModuleConfig = {
       moduleId: 'homebridge',
-      key: 'container_ip',
+      key: 'target_ip',
       value: '192.168.0.50',
     };
     db.insert(moduleConfigs).values(newConfig).run();

package/src/hooks/capability-loader.ts

@@ -124,22 +124,6 @@ export async function loadCapabilityFunctions(
     const providerSecrets = await loadModuleSecrets(provider.moduleId, masterKey, db);
     const routeOps = buildRouteOps(db);
 
-    // Inject machine IP if module is deployed to a machine (not in moduleConfigs table)
-    if (!providerConfig.container_ip) {
-      const infra = db
-        .select()
-        .from(moduleInfrastructure)
-        .where(eq(moduleInfrastructure.moduleId, provider.moduleId))
-        .get();
-      if (infra?.machineId) {
-        const machine = db.select().from(machines).where(eq(machines.id, infra.machineId)).get();
-        if (machine) {
-          providerConfig.container_ip = machine.ipAddress;
-          debugLog(`public_web: injected container_ip=${machine.ipAddress} from machine`);
-        }
-      }
-    }
-
     try {
       // createPublicWeb internally applies wrapWithLogging using the
       // logger we pass in here, so the consumer doesn't need to wrap
@@ -308,7 +292,11 @@ function buildCapabilityInterface(
 }
 
 /**
- * Load all config values for a module
+ * Load all config values for a module.
+ *
+ * Injects `target_ip` from the deployment machine when the module was deployed
+ * to an existing machine (IPAM writes `target_ip` to moduleConfigs for
+ * container deploys, but machine deploys skip that path).
  */
 async function loadModuleConfig(moduleId: string, db: DbClient): Promise<Record<string, unknown>> {
   const configs = db.select().from(moduleConfigs).where(eq(moduleConfigs.moduleId, moduleId)).all();
@@ -317,6 +305,21 @@ async function loadModuleConfig(moduleId: string, db: DbClient): Promise<Record<
   for (const c of configs) {
     result[c.key] = c.valueJson ? JSON.parse(c.valueJson) : c.value;
   }
+
+  if (!result.target_ip) {
+    const infra = db
+      .select()
+      .from(moduleInfrastructure)
+      .where(eq(moduleInfrastructure.moduleId, moduleId))
+      .get();
+    if (infra?.machineId) {
+      const machine = db.select().from(machines).where(eq(machines.id, infra.machineId)).get();
+      if (machine) {
+        result.target_ip = machine.ipAddress;
+      }
+    }
+  }
+
   return result;
 }
 

package/src/hooks/define-hook.test.ts

@@ -286,7 +286,7 @@ describe('defineCapabilityFunction', () => {
     const factory = defineCapabilityFunction({
       capability: 'idp',
       handler: ({ config, secrets }) => {
-        expect(config).toEqual({ container_ip: '10.0.0.5' });
+        expect(config).toEqual({ target_ip: '10.0.0.5' });
         expect(secrets.token).toBe('abc');
         return {
           async create_oidc_client(
@@ -310,7 +310,7 @@ describe('defineCapabilityFunction', () => {
     });
 
     const methods = factory({
-      config: { container_ip: '10.0.0.5' },
+      config: { target_ip: '10.0.0.5' },
       secrets: { token: 'abc' },
       logger: makeLogger(),
     });

package/src/manifest/template-validator.test.ts

@@ -40,7 +40,7 @@ function createTestManifest(overrides?: Partial<ModuleManifest>): ModuleManifest
           source: 'user',
         },
         {
-          name: 'container_ip',
+          name: 'target_ip',
           type: 'string',
           required: false,
           source: 'user',

package/src/manifest/template-validator.ts

@@ -68,7 +68,7 @@ function pathExistsInManifest(manifest: ModuleManifest, path: string): boolean {
  */
 const AUTO_ALLOCATED_VARIABLES = new Set([
   'vmid', // Auto-allocated by IPAM (container-based modules)
-  'container_ip', // Auto-allocated by IPAM (container-based modules)
+  'target_ip', // Auto-allocated by IPAM or injected from machine infrastructure
   'vlan', // Auto-derived from zone configuration
   'gateway', // Auto-derived from zone configuration
   'target_node', // Can be auto-derived from system config

package/src/manifest/validate.test.ts

@@ -894,7 +894,7 @@ describe('validateVariableSources', () => {
       variables: {
         owns: [
           {
-            name: 'container_ip',
+            name: 'target_ip',
             type: 'string' as const,
             required: true,
             source: 'user' as const,

package/src/module/packaging/build.ts

@@ -140,17 +140,44 @@ export async function buildModule(options: ModuleBuildOptions): Promise<ModuleBu
     return { success: false, error: dirError };
   }
 
-  // Copy source to a temp directory so the build doesn't pollute the
-  // source tree and avoids workspace resolution issues (e.g., a
-  // monorepo's root package.json triggering bun workspace linking).
+  // Copy source to a temp dir for building. Strategy:
+  // - If the source has a package.json, use `bun pm pack` to respect the
+  //   `files` field (or .npmignore), copying only what the build needs.
+  //   Avoids copying node_modules, build artifacts, git history.
+  // - If no package.json (simple modules, test fixtures), fall back to
+  //   recursive copy with EXCLUDE_PATTERNS filter.
   const buildDir = mkdtempSync(join(tmpdir(), 'celilo-package-'));
+  const hasPackageJson = existsSync(join(sourceDir, 'package.json'));
 
   try {
-    console.log('Copying source to build directory...');
-    cpSync(sourceDir, buildDir, {
-      recursive: true,
-      filter: (src) => !shouldExclude(relative(sourceDir, src)),
-    });
+    if (hasPackageJson) {
+      console.log('Staging source for build (via bun pm pack)...');
+      try {
+        execSync(`bun pm pack --destination ${buildDir}`, {
+          cwd: sourceDir,
+          stdio: 'pipe',
+          timeout: 60_000,
+        });
+        const tarballs = execSync(`ls ${buildDir}/*.tgz`, { encoding: 'utf-8' }).trim().split('\n');
+        if (tarballs.length === 0) throw new Error('bun pm pack produced no tarball');
+        execSync(`tar -xzf ${tarballs[0]} --strip-components=1 -C ${buildDir}`, {
+          timeout: 60_000,
+        });
+        rmSync(tarballs[0], { force: true });
+      } catch (err) {
+        const errMsg = err instanceof Error ? err.message : String(err);
+        return {
+          success: false,
+          error: `Failed to stage source for build: ${errMsg}\n\nTip: Add a "files" field to your package.json listing the files/directories needed for the build.`,
+        };
+      }
+    } else {
+      console.log('Staging source for build (no package.json, using file copy)...');
+      cpSync(sourceDir, buildDir, {
+        recursive: true,
+        filter: (src) => !shouldExclude(relative(sourceDir, src)),
+      });
+    }
 
     // Read manifest to get module ID
     const manifestPath = join(buildDir, 'manifest.yml');
@@ -230,7 +257,7 @@ export async function buildModule(options: ModuleBuildOptions): Promise<ModuleBu
       error: `Failed to build module: ${error instanceof Error ? error.message : 'Unknown error'}`,
     };
   } finally {
-    // Clean up temp directory
+    // Clean up temp build directory
     rmSync(buildDir, { recursive: true, force: true });
   }
 }

package/src/services/deploy-planner.ts

@@ -126,15 +126,15 @@ export async function extractTargetHost(
   const hostname = configMap.get('hostname') || moduleId;
 
   // Extract IP - support infrastructure-derived variables
-  // Priority: container_ip > ip.primary > vps_ip (backward compatibility)
+  // Priority: target_ip > ip.primary > vps_ip (backward compatibility)
   let ip = '';
-  const containerIp = configMap.get('container_ip');
+  const targetIp = configMap.get('target_ip');
   const ipPrimary = configMap.get('ip.primary');
   const vpsIp = configMap.get('vps_ip');
 
-  if (containerIp) {
-    // Container IP format: "10.0.10.10/24" - extract just IP
-    ip = containerIp.split('/')[0];
+  if (targetIp) {
+    // Target IP format can be "10.0.10.10/24" - extract just IP
+    ip = targetIp.split('/')[0];
   } else if (ipPrimary) {
     // Infrastructure-derived IP (already plain format)
     ip = ipPrimary;

package/src/services/dns-auto-register.ts

@@ -38,15 +38,15 @@ async function getModuleHostAndIp(
 
   if (!hostnameConfig?.value) return null;
 
-  // Get IP: try container_ip first, then machine IP
-  const containerIpConfig = db
+  // Get IP: try target_ip first, then machine IP
+  const targetIpConfig = db
     .select()
     .from(moduleConfigs)
     .where(eq(moduleConfigs.moduleId, moduleId))
     .all()
-    .find((c) => c.key === 'container_ip');
+    .find((c) => c.key === 'target_ip');
 
-  let ip = containerIpConfig?.value;
+  let ip = targetIpConfig?.value;
 
   if (!ip) {
     // Try machine IP from infrastructure assignment

package/src/services/health-runner.ts

@@ -80,7 +80,7 @@ export async function runModuleHealthCheck(
     const machine = await getMachine(infraRecord.machineId);
     if (machine) {
       configMap['ip.primary'] = machine.ipAddress;
-      configMap.container_ip = machine.ipAddress;
+      configMap.target_ip = machine.ipAddress;
     }
   }
 

package/src/services/infrastructure-variable-resolver.test.ts

@@ -277,7 +277,7 @@ describe('resolveInfrastructureVariables - Proxmox Container Service', () => {
       },
       {
         moduleId,
-        key: 'container_ip',
+        key: 'target_ip',
         value: '10.0.10.5',
         valueJson: null,
       },

package/src/services/infrastructure-variable-resolver.ts

@@ -128,10 +128,10 @@ export async function resolveInfrastructureVariables(
     } else if (service.providerName === 'proxmox') {
       // Proxmox - use IPAM allocation + service provider config
       const vmid = await getModuleConfig(moduleId, 'vmid', db);
-      const containerIp = await getModuleConfig(moduleId, 'container_ip', db);
+      const targetIp = await getModuleConfig(moduleId, 'target_ip', db);
       const hostname = (await getModuleConfig(moduleId, 'hostname', db)) || moduleId;
 
-      if (!vmid || !containerIp) {
+      if (!vmid || !targetIp) {
         throw new Error(
           `IPAM allocation not found for module ${moduleId}. ` +
             `Run 'celilo module generate ${moduleId}' first.`,
@@ -143,7 +143,7 @@ export async function resolveInfrastructureVariables(
 
       properties = extractProxmoxProperties(
         Number.parseInt(vmid, 10),
-        containerIp,
+        targetIp,
         hostname,
         providerConfig,
       );

package/src/services/module-deploy.ts

@@ -741,13 +741,13 @@ export async function deployModule(
           installConfigMap[c.key] = c.valueJson ? JSON.parse(c.valueJson) : c.value;
         }
 
-        // Inject machine IP into hook config for machine deployments
+        // Inject target IP into hook config — works for both machine and container deploys
         if (machineId) {
           const { getMachine } = await import('./machine-pool');
           const deployMachine = await getMachine(machineId);
           if (deployMachine) {
             installConfigMap['ip.primary'] = deployMachine.ipAddress;
-            installConfigMap.container_ip = deployMachine.ipAddress;
+            installConfigMap.target_ip = deployMachine.ipAddress;
           }
         }
 

package/src/services/proxmox-state-recovery.ts

@@ -31,7 +31,7 @@ interface TerraformState {
 }
 
 /**
- * Ensure module_configs has vmid and container_ip from Terraform state
+ * Ensure module_configs has vmid and target_ip from Terraform state
  * This recovers from state drift scenarios where container was deleted/recreated
  *
  * @param moduleId - Module identifier
@@ -43,7 +43,7 @@ export async function ensureProxmoxConfigFromState(
   terraformDir: string,
   db: DbClient,
 ): Promise<void> {
-  // Check if vmid and container_ip already exist
+  // Check if vmid and target_ip already exist
   const existingVmid = await db
     .select()
     .from(moduleConfigs)
@@ -53,7 +53,7 @@ export async function ensureProxmoxConfigFromState(
   const existingContainerIp = await db
     .select()
     .from(moduleConfigs)
-    .where(and(eq(moduleConfigs.moduleId, moduleId), eq(moduleConfigs.key, 'container_ip')))
+    .where(and(eq(moduleConfigs.moduleId, moduleId), eq(moduleConfigs.key, 'target_ip')))
     .get();
 
   // If both exist, no recovery needed
@@ -104,7 +104,7 @@ export async function ensureProxmoxConfigFromState(
   }
 
   // Store in module_configs (recovery)
-  log.warn('  Recovering vmid and container_ip from Terraform state...');
+  log.warn('  Recovering vmid and target_ip from Terraform state...');
 
   if (!existingVmid) {
     await db
@@ -126,7 +126,7 @@ export async function ensureProxmoxConfigFromState(
       .insert(moduleConfigs)
       .values({
         moduleId,
-        key: 'container_ip',
+        key: 'target_ip',
         value: containerIp,
       })
       .onConflictDoUpdate({
@@ -136,5 +136,5 @@ export async function ensureProxmoxConfigFromState(
       .run();
   }
 
-  log.success(`  Recovered: vmid=${vmid}, container_ip=${containerIp}`);
+  log.success(`  Recovered: vmid=${vmid}, target_ip=${containerIp}`);
 }

package/src/templates/generator.test.ts

@@ -321,7 +321,7 @@ describe('Template Generator', () => {
 
       db.insert(moduleConfigs)
         .values([
-          { moduleId: 'test-module', key: 'container_ip', value: '192.168.0.50' },
+          { moduleId: 'test-module', key: 'target_ip', value: '192.168.0.50' },
           { moduleId: 'test-module', key: 'hostname', value: 'test' },
         ])
         .run();
@@ -340,7 +340,7 @@ describe('Template Generator', () => {
 resource "proxmox_lxc" "container" {
   hostname = "$self:hostname"
   network {
-    ip = "$self:container_ip/24"
+    ip = "$self:target_ip/24"
     gateway = "$system:management.ip"
   }
 }

package/src/templates/generator.ts

@@ -621,7 +621,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
       // biome-ignore lint/style/noNonNullAssertion: value is NOT NULL in schema, guaranteed to exist
       context.selfConfig.vmid = String(vmidConfig.value!);
       // biome-ignore lint/style/noNonNullAssertion: value is NOT NULL in schema, guaranteed to exist
-      context.selfConfig.container_ip = ipConfig.value!;
+      context.selfConfig.target_ip = ipConfig.value!;
     }
 
     // Add infrastructure properties to context (target_node, lxc_template, storage)

package/src/variables/context.test.ts

@@ -166,7 +166,7 @@ describe('Variable Context', () => {
 
       db.insert(moduleConfigs)
         .values([
-          { moduleId: 'homebridge', key: 'container_ip', value: '192.168.0.50' },
+          { moduleId: 'homebridge', key: 'target_ip', value: '192.168.0.50' },
           { moduleId: 'homebridge', key: 'hostname', value: 'homebridge' },
         ])
         .run();
@@ -174,7 +174,7 @@ describe('Variable Context', () => {
       const context = await buildResolutionContext('homebridge', db);
 
       expect(context.moduleId).toBe('homebridge');
-      expect(context.selfConfig.container_ip).toBe('192.168.0.50');
+      expect(context.selfConfig.target_ip).toBe('192.168.0.50');
       expect(context.selfConfig.hostname).toBe('homebridge');
       // Auto-derived variables
       expect(context.selfConfig['inventory.ansible_host']).toBe('192.168.0.50');
@@ -262,7 +262,7 @@ describe('Variable Context', () => {
       );
 
       db.insert(moduleConfigs)
-        .values({ moduleId: 'caddy', key: 'container_ip', value: '10.0.20.10' })
+        .values({ moduleId: 'caddy', key: 'target_ip', value: '10.0.20.10' })
         .run();
 
       db.insert(secrets)
@@ -290,7 +290,7 @@ describe('Variable Context', () => {
 
       const context = await buildResolutionContext('caddy', db);
 
-      expect(context.selfConfig.container_ip).toBe('10.0.20.10');
+      expect(context.selfConfig.target_ip).toBe('10.0.20.10');
       expect(context.secrets.ssl_cert).toBe('cert_data');
       expect(context.capabilities.dns_external).toBeDefined();
       expect(context.systemConfig['dns.primary']).toBe('192.168.0.1');
@@ -303,7 +303,7 @@ describe('Variable Context', () => {
       // Should have auto-derived inventory variables
       expect(context.selfConfig['inventory.ansible_user']).toBe('root');
       expect(context.selfConfig['inventory.groups']).toBe('empty-module');
-      // Should not have ansible_host (no container_ip)
+      // Should not have ansible_host (no target_ip)
       expect(context.selfConfig['inventory.ansible_host']).toBeUndefined();
       expect(context.secrets).toEqual({});
       expect(context.capabilities).toEqual({});
@@ -367,18 +367,18 @@ describe('Variable Context', () => {
       expect(context.selfConfig['requires.machine.memory']).toBeUndefined();
     });
 
-    test('should auto-derive inventory variables from container_ip', async () => {
+    test('should auto-derive inventory variables from target_ip', async () => {
       db.$client.run(
         `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('test-module', 'Test', '1.0.0', '/path', '{}')`,
       );
 
       db.insert(moduleConfigs)
-        .values({ moduleId: 'test-module', key: 'container_ip', value: '10.0.10.10/24' })
+        .values({ moduleId: 'test-module', key: 'target_ip', value: '10.0.10.10/24' })
         .run();
 
       const context = await buildResolutionContext('test-module', db);
 
-      // Should strip CIDR from container_ip
+      // Should strip CIDR from target_ip
       expect(context.selfConfig['inventory.ansible_host']).toBe('10.0.10.10');
       expect(context.selfConfig['inventory.ansible_user']).toBe('root');
       expect(context.selfConfig['inventory.groups']).toBe('test-module');
@@ -391,7 +391,7 @@ describe('Variable Context', () => {
 
       db.insert(moduleConfigs)
         .values([
-          { moduleId: 'custom', key: 'container_ip', value: '10.0.20.10' },
+          { moduleId: 'custom', key: 'target_ip', value: '10.0.20.10' },
           { moduleId: 'custom', key: 'inventory.ansible_user', value: 'admin' },
         ])
         .run();
@@ -403,13 +403,13 @@ describe('Variable Context', () => {
       expect(context.selfConfig['inventory.ansible_host']).toBe('10.0.20.10');
     });
 
-    test('should handle container_ip without CIDR', async () => {
+    test('should handle target_ip without CIDR', async () => {
       db.$client.run(
         `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('no-cidr', 'No CIDR', '1.0.0', '/path', '{}')`,
       );
 
       db.insert(moduleConfigs)
-        .values({ moduleId: 'no-cidr', key: 'container_ip', value: '192.168.1.100' })
+        .values({ moduleId: 'no-cidr', key: 'target_ip', value: '192.168.1.100' })
         .run();
 
       const context = await buildResolutionContext('no-cidr', db);
@@ -418,8 +418,8 @@ describe('Variable Context', () => {
       expect(context.selfConfig['inventory.ansible_host']).toBe('192.168.1.100');
     });
 
-    test('should auto-allocate IPAM resources when module declares vmid and container_ip', async () => {
-      // Create module with manifest that declares vmid and container_ip
+    test('should auto-allocate IPAM resources when module declares vmid and target_ip', async () => {
+      // Create module with manifest that declares vmid and target_ip
       db.insert(modules)
         .values({
           id: 'auto-module',
@@ -433,7 +433,7 @@ describe('Variable Context', () => {
             variables: {
               owns: [
                 { name: 'vmid', type: 'integer', required: true, source: 'user' },
-                { name: 'container_ip', type: 'string', required: true, source: 'user' },
+                { name: 'target_ip', type: 'string', required: true, source: 'user' },
               ],
             },
             requires: {
@@ -447,9 +447,9 @@ describe('Variable Context', () => {
 
       const context = await buildResolutionContext('auto-module', db);
 
-      // Should have auto-allocated vmid and container_ip
+      // Should have auto-allocated vmid and target_ip
       expect(context.selfConfig.vmid).toBe('2100');
-      expect(context.selfConfig.container_ip).toBe('10.0.10.10/24');
+      expect(context.selfConfig.target_ip).toBe('10.0.10.10/24');
 
       // Verify allocation persisted to database
       const allocations = await db.select().from(ipAllocations).all();
@@ -465,7 +465,7 @@ describe('Variable Context', () => {
         .where(eq(moduleConfigs.moduleId, 'auto-module'))
         .all();
       const vmidConfig = configs.find((c) => c.key === 'vmid');
-      const ipConfig = configs.find((c) => c.key === 'container_ip');
+      const ipConfig = configs.find((c) => c.key === 'target_ip');
       expect(vmidConfig?.value).toBe('2100');
       expect(ipConfig?.value).toBe('10.0.10.10/24');
     });
@@ -485,7 +485,7 @@ describe('Variable Context', () => {
             variables: {
               owns: [
                 { name: 'vmid', type: 'integer', required: true, source: 'user' },
-                { name: 'container_ip', type: 'string', required: true, source: 'user' },
+                { name: 'target_ip', type: 'string', required: true, source: 'user' },
               ],
             },
           },
@@ -506,14 +506,14 @@ describe('Variable Context', () => {
 
       // Should reuse existing allocation
       expect(context.selfConfig.vmid).toBe('2150');
-      expect(context.selfConfig.container_ip).toBe('10.0.10.50/24');
+      expect(context.selfConfig.target_ip).toBe('10.0.10.50/24');
 
       // Should not create duplicate allocation
       const allocations = await db.select().from(ipAllocations).all();
       expect(allocations).toHaveLength(1);
     });
 
-    test('should skip IPAM allocation if vmid and container_ip already configured', async () => {
+    test('should skip IPAM allocation if vmid and target_ip already configured', async () => {
       // Create module with existing config
       db.insert(modules)
         .values({
@@ -528,7 +528,7 @@ describe('Variable Context', () => {
             variables: {
               owns: [
                 { name: 'vmid', type: 'integer', required: true, source: 'user' },
-                { name: 'container_ip', type: 'string', required: true, source: 'user' },
+                { name: 'target_ip', type: 'string', required: true, source: 'user' },
               ],
             },
           },
@@ -538,7 +538,7 @@ describe('Variable Context', () => {
       db.insert(moduleConfigs)
         .values([
           { moduleId: 'manual-config', key: 'vmid', value: '9999' },
-          { moduleId: 'manual-config', key: 'container_ip', value: '192.168.99.99/24' },
+          { moduleId: 'manual-config', key: 'target_ip', value: '192.168.99.99/24' },
         ])
         .run();
 
@@ -546,15 +546,15 @@ describe('Variable Context', () => {
 
       // Should use existing config
       expect(context.selfConfig.vmid).toBe('9999');
-      expect(context.selfConfig.container_ip).toBe('192.168.99.99/24');
+      expect(context.selfConfig.target_ip).toBe('192.168.99.99/24');
 
       // Should not create allocation
       const allocations = await db.select().from(ipAllocations).all();
       expect(allocations).toHaveLength(0);
     });
 
-    test('should skip IPAM allocation for VPS modules without container_ip', async () => {
-      // Create VPS module (no container_ip variable)
+    test('should skip IPAM allocation for VPS modules without target_ip', async () => {
+      // Create VPS module (no target_ip variable)
       db.insert(modules)
         .values({
           id: 'vps-module',
@@ -576,7 +576,7 @@ describe('Variable Context', () => {
 
       // Should not allocate IPAM resources
       expect(context.selfConfig.vmid).toBeUndefined();
-      expect(context.selfConfig.container_ip).toBeUndefined();
+      expect(context.selfConfig.target_ip).toBeUndefined();
 
       const allocations = await db.select().from(ipAllocations).all();
       expect(allocations).toHaveLength(0);
@@ -597,7 +597,7 @@ describe('Variable Context', () => {
             variables: {
               owns: [
                 { name: 'vmid', type: 'integer', required: true, source: 'user' },
-                { name: 'container_ip', type: 'string', required: true, source: 'user' },
+                { name: 'target_ip', type: 'string', required: true, source: 'user' },
               ],
             },
           },
@@ -618,7 +618,7 @@ describe('Variable Context', () => {
             variables: {
               owns: [
                 { name: 'vmid', type: 'integer', required: true, source: 'user' },
-                { name: 'container_ip', type: 'string', required: true, source: 'user' },
+                { name: 'target_ip', type: 'string', required: true, source: 'user' },
               ],
             },
           },
@@ -634,8 +634,8 @@ describe('Variable Context', () => {
       expect(context2.selfConfig.vmid).toBe('2101');
 
       // Should have sequential IPs
-      expect(context1.selfConfig.container_ip).toBe('10.0.10.10/24');
-      expect(context2.selfConfig.container_ip).toBe('10.0.10.11/24');
+      expect(context1.selfConfig.target_ip).toBe('10.0.10.10/24');
+      expect(context2.selfConfig.target_ip).toBe('10.0.10.11/24');
 
       const allocations = await db.select().from(ipAllocations).all();
       expect(allocations).toHaveLength(2);
@@ -1254,7 +1254,7 @@ describe('Variable Context', () => {
 
     test('should auto-derive inventory variables in buildContextFromData', () => {
       const context = buildContextFromData('my-module', {
-        selfConfig: { container_ip: '10.0.30.15/24', hostname: 'my-host' },
+        selfConfig: { target_ip: '10.0.30.15/24', hostname: 'my-host' },
       });
 
       expect(context.selfConfig['inventory.ansible_host']).toBe('10.0.30.15');

package/src/variables/context.ts

@@ -92,7 +92,7 @@ async function autoAssignFromWellKnown(
  * Policy function - checks manifest and config
  *
  * A module needs IPAM if:
- * 1. It declares vmid and container_ip variables (container-based), AND
+ * 1. It declares vmid and target_ip variables (container-based), AND
  * 2. These values are not already set in module config
  *
  * @param manifest - Module manifest
@@ -106,16 +106,16 @@ function needsIpamAllocation(
   const variables = manifest.variables?.owns ?? [];
 
   const hasVmid = variables.some((v) => v.name === 'vmid');
-  const hasContainerIp = variables.some((v) => v.name === 'container_ip');
+  const hasTargetIp = variables.some((v) => v.name === 'target_ip');
 
-  // Module must declare both vmid and container_ip to be container-based
-  if (!hasVmid || !hasContainerIp) {
+  // Module must declare both vmid and target_ip to be container-based
+  if (!hasVmid || !hasTargetIp) {
     return false;
   }
 
   // Check if already allocated (both must be present)
   const vmidSet = selfConfig.vmid !== undefined && selfConfig.vmid !== '';
-  const ipSet = selfConfig.container_ip !== undefined && selfConfig.container_ip !== '';
+  const ipSet = selfConfig.target_ip !== undefined && selfConfig.target_ip !== '';
 
   // Need allocation if either is missing
   return !vmidSet || !ipSet;
@@ -162,7 +162,7 @@ function determineModuleZone(
  *
  * These variables are automatically available in Ansible templates:
  * - inventory.hostname: Derived from hostname variable
- * - inventory.ansible_host: Derived from container_ip (strips CIDR) or vps_ip
+ * - inventory.ansible_host: Derived from target_ip (strips CIDR) or vps_ip
  * - inventory.ansible_user: Defaults to "root"
  * - inventory.groups: Derived from module ID
  *
@@ -181,9 +181,9 @@ function autoDeriveInventoryVariables(
     derived['inventory.hostname'] = selfConfig.hostname;
   }
 
-  // Auto-derive ansible_host from container_ip (strips CIDR) or vps_ip
-  if (selfConfig.container_ip) {
-    derived['inventory.ansible_host'] = stripCidr(selfConfig.container_ip);
+  // Auto-derive ansible_host from target_ip (strips CIDR) or vps_ip
+  if (selfConfig.target_ip) {
+    derived['inventory.ansible_host'] = stripCidr(selfConfig.target_ip);
   } else if (selfConfig.vps_ip) {
     // VPS-based modules use vps_ip directly (no CIDR to strip)
     derived['inventory.ansible_host'] = selfConfig.vps_ip;
@@ -329,7 +329,7 @@ export async function buildResolutionContext(
   }
 
   // IPAM auto-allocation
-  // If module declares vmid/container_ip but they're not configured, allocate automatically
+  // If module declares vmid/target_ip but they're not configured, allocate automatically
   if (module?.manifestData) {
     const manifest = module.manifestData as ModuleManifest;
 
@@ -342,17 +342,17 @@ export async function buildResolutionContext(
         const existing = await getAllocation(moduleId, tx);
 
         let vmid: number;
-        let containerIp: string;
+        let allocatedIp: string;
 
         if (existing) {
           // Use existing allocation
           vmid = existing.vmid;
-          containerIp = existing.containerIp;
+          allocatedIp = existing.containerIp;
         } else {
           // Allocate new resources (persists to ipAllocations)
           const allocation = await allocateResources(moduleId, zone, tx);
           vmid = allocation.vmid;
-          containerIp = allocation.containerIp;
+          allocatedIp = allocation.containerIp;
         }
 
         // Ensure values are in module config (upsert to handle existing keys)
@@ -366,15 +366,15 @@ export async function buildResolutionContext(
 
         await tx
           .insert(moduleConfigs)
-          .values({ moduleId, key: 'container_ip', value: containerIp })
+          .values({ moduleId, key: 'target_ip', value: allocatedIp })
           .onConflictDoUpdate({
             target: [moduleConfigs.moduleId, moduleConfigs.key],
-            set: { value: containerIp },
+            set: { value: allocatedIp },
           });
 
         // Update selfConfig with allocated values
         selfConfig.vmid = String(vmid);
-        selfConfig.container_ip = containerIp;
+        selfConfig.target_ip = allocatedIp;
       });
     }
   }

package/src/variables/parser.test.ts

@@ -3,14 +3,14 @@ import { hasVariables, isValidVariableFormat, parseVariables } from './parser';
 
 describe('parseVariables', () => {
   test('should parse self variables', () => {
-    const content = 'ip: $self:container_ip';
+    const content = 'ip: $self:target_ip';
     const variables = parseVariables(content);
 
     expect(variables).toHaveLength(1);
     expect(variables[0]).toEqual({
       type: 'self',
-      path: 'container_ip',
-      raw: '$self:container_ip',
+      path: 'target_ip',
+      raw: '$self:target_ip',
     });
   });
 
@@ -52,7 +52,7 @@ describe('parseVariables', () => {
 
   test('should parse multiple variables in same content', () => {
     const content = `
-      ip: $self:container_ip
+      ip: $self:target_ip
       dns: $capability:dns_external.nameserver
       key: $secret:api_key
     `;
@@ -101,7 +101,7 @@ resource "proxmox_lxc" "homebridge" {
   cores    = $self:cores
   memory   = $self:memory
   network {
-    ip = "$self:container_ip/24"
+    ip = "$self:target_ip/24"
     gw = "$system:management.ip"
   }
 }
@@ -189,7 +189,7 @@ resource "proxmox_lxc" "homebridge" {
 
 describe('hasVariables', () => {
   test('should return true for content with variables', () => {
-    expect(hasVariables('ip: $self:container_ip')).toBe(true);
+    expect(hasVariables('ip: $self:target_ip')).toBe(true);
     expect(hasVariables('$secret:key')).toBe(true);
   });
 
@@ -206,7 +206,7 @@ describe('hasVariables', () => {
 
 describe('isValidVariableFormat', () => {
   test('should validate correct variable formats', () => {
-    expect(isValidVariableFormat('$self:container_ip')).toBe(true);
+    expect(isValidVariableFormat('$self:target_ip')).toBe(true);
     expect(isValidVariableFormat('$system:management.ip')).toBe(true);
     expect(isValidVariableFormat('$secret:api_key')).toBe(true);
     expect(isValidVariableFormat('$capability:dns_external.nameserver')).toBe(true);
@@ -219,7 +219,7 @@ describe('isValidVariableFormat', () => {
   });
 
   test('should reject invalid variable formats', () => {
-    expect(isValidVariableFormat('self:container_ip')).toBe(false); // missing $
+    expect(isValidVariableFormat('self:target_ip')).toBe(false); // missing $
     expect(isValidVariableFormat('$unknown:value')).toBe(false); // invalid type
     expect(isValidVariableFormat('$self:')).toBe(false); // missing path
     expect(isValidVariableFormat('$self')).toBe(false); // missing colon and path

package/src/variables/resolver.test.ts

@@ -29,7 +29,7 @@ const mockDb = {
 const createContext = (overrides?: Partial<ResolutionContext>): ResolutionContext => ({
   moduleId: 'test-module',
   selfConfig: {
-    container_ip: '192.168.0.50',
+    target_ip: '192.168.0.50',
     hostname: 'homebridge',
     cores: '2',
     'resources.machine.cpu': '2',
@@ -69,8 +69,8 @@ describe('resolveVariable', () => {
   test('should resolve self variable', async () => {
     const variable: VariableReference = {
       type: 'self',
-      path: 'container_ip',
-      raw: '$self:container_ip',
+      path: 'target_ip',
+      raw: '$self:target_ip',
     };
     const context = createContext();
 
@@ -245,7 +245,7 @@ describe('resolveVariable', () => {
 
 describe('resolveTemplate', () => {
   test('should resolve template with single variable', async () => {
-    const template = 'ip: $self:container_ip';
+    const template = 'ip: $self:target_ip';
     const context = createContext();
 
     const result = await resolveTemplate(template, context, mockDb);
@@ -259,7 +259,7 @@ describe('resolveTemplate', () => {
   test('should resolve template with multiple variables', async () => {
     const template = `
 hostname: $self:hostname
-ip: $self:container_ip
+ip: $self:target_ip
 domain: $system:network.domain
 `;
     const context = createContext();
@@ -276,7 +276,7 @@ domain: $system:network.domain
 
   test('should resolve template with mixed variable types', async () => {
     const template = `
-container_ip: $self:container_ip
+target_ip: $self:target_ip
 management_ip: $system:management.ip
 dns_server: $capability:dns_external.nameserver
 api_key: $secret:api_key
@@ -287,7 +287,7 @@ api_key: $secret:api_key
 
     expect(result.success).toBe(true);
     if (result.success) {
-      expect(result.content).toContain('container_ip: 192.168.0.50');
+      expect(result.content).toContain('target_ip: 192.168.0.50');
       expect(result.content).toContain('management_ip: 192.168.0.10');
       expect(result.content).toContain('dns_server: ns1.example.com');
       expect(result.content).toContain('api_key: secret123');
@@ -324,7 +324,7 @@ resource "proxmox_lxc" "container" {
   hostname = "$self:hostname"
   cores    = $self:cores
   network {
-    ip = "$self:container_ip/24"
+    ip = "$self:target_ip/24"
     gateway = "$system:management.ip"
   }
   environment = {
@@ -362,7 +362,7 @@ resource "proxmox_lxc" "container" {
 
   test('should return errors for missing variables', async () => {
     const template = `
-ip: $self:container_ip
+ip: $self:target_ip
 missing: $self:missing_var
 another_missing: $secret:missing_secret
 `;
@@ -380,9 +380,9 @@ another_missing: $secret:missing_secret
 
   test('should handle repeated variables', async () => {
     const template = `
-ip1: $self:container_ip
-ip2: $self:container_ip
-ip3: $self:container_ip
+ip1: $self:target_ip
+ip2: $self:target_ip
+ip3: $self:target_ip
 `;
     const context = createContext();
 
@@ -393,7 +393,7 @@ ip3: $self:container_ip
       expect(result.content).toContain('ip1: 192.168.0.50');
       expect(result.content).toContain('ip2: 192.168.0.50');
       expect(result.content).toContain('ip3: 192.168.0.50');
-      expect(result.content).not.toContain('$self:container_ip');
+      expect(result.content).not.toContain('$self:target_ip');
     }
   });
 
@@ -420,7 +420,7 @@ $self:hostname
     const template = 'ansible_host: $self:inventory.ansible_host';
     const context = createContext({
       selfConfig: {
-        container_ip: '10.0.10.10/24',
+        target_ip: '10.0.10.10/24',
         'inventory.ansible_host': '10.0.10.10', // Auto-derived (CIDR stripped)
         'inventory.ansible_user': 'root',
         'inventory.groups': 'test',

package/src/variables/types.ts

@@ -4,7 +4,7 @@
 
 /**
  * Variable reference parsed from template
- * Example: $self:container_ip -> { type: 'self', path: 'container_ip', raw: '$self:container_ip' }
+ * Example: $self:target_ip -> { type: 'self', path: 'target_ip', raw: '$self:target_ip' }
  */
 export interface VariableReference {
   type: 'self' | 'system' | 'system_secret' | 'secret' | 'capability';