@celilo/cli 0.1.4 → 0.1.6

package/src/services/module-deploy.ts

@@ -5,20 +5,30 @@
  */
 
 import { join } from 'node:path';
+import { ProgressDisplay } from '@celilo/cli-display';
 import { and, eq } from 'drizzle-orm';
 import { generateInventory } from '../ansible/inventory';
 import { FuelGauge } from '../cli/fuel-gauge';
-import { log } from '../cli/prompts';
+import { log, setActiveDisplay } from '../cli/prompts';
 import type { DbClient } from '../db/client';
 import { capabilities, machines, modules } from '../db/schema';
 import { loadCapabilityFunctions } from '../hooks/capability-loader';
 import { invokeHook } from '../hooks/executor';
 import { createGaugeLogger } from '../hooks/logger';
+import type { HookDefinition, HookLogger, HookResult } from '../hooks/types';
 import type { ModuleManifest } from '../manifest/schema';
 import { decryptSecret } from '../secrets/encryption';
 import { getOrCreateMasterKey } from '../secrets/master-key';
-import { interviewForMissingConfig, interviewForMissingSecrets } from './config-interview';
-import { getContainerService, getServiceCredentials } from './container-service';
+import { buildResolutionContext } from '../variables/context';
+import {
+  autoDeriveMachineConfig,
+  findEnsureOnProvider,
+  interviewForEnsureInputs,
+  interviewForMissingConfig,
+  interviewForMissingSecrets,
+  renderEnsureRecipe,
+} from './config-interview';
+import { getContainerService } from './container-service';
 import { executeAnsible } from './deploy-ansible';
 import { planDeployment } from './deploy-planner';
 import { waitForSSH } from './deploy-ssh';
@@ -27,6 +37,7 @@ import { validateAndPrepareDeployment } from './deploy-validation';
 import { resolveInfrastructureVariables } from './infrastructure-variable-resolver';
 import { findMachineForModule } from './machine-pool';
 import { deleteTemporarySshKey, writeTemporarySshKey } from './ssh-key-manager';
+import { buildTerraformEnvForService } from './terraform-env';
 
 export interface DeployResult {
   success: boolean;
@@ -82,6 +93,140 @@ export interface DeployOptions {
   debug?: boolean;
 }
 
+/**
+ * Per-attempt context the caller builds for `invokeHookWithEnsureRetry`.
+ * Recreated for each retry so the gauge animation and the logger that
+ * pipes into it stay paired — and so the interview prompts get a clean
+ * terminal between attempts (no animation collision).
+ */
+interface HookAttempt {
+  gauge: FuelGauge;
+  logger: HookLogger;
+  invokeOptions: Parameters<typeof invokeHook>[8];
+}
+
+/**
+ * Run a hook, and if it fails because a capability call discovered that a
+ * provider module is missing config, run the cross-module ensure interview
+ * against the provider, optionally redeploy it, and retry the hook.
+ *
+ * The factory is called once per attempt: the helper owns the gauge
+ * lifecycle so it can `stopSilent()` before running the interview (clean
+ * prompts) and create a fresh gauge for the retry.
+ *
+ * Loop guard: each (provider, ensure, value) triple is only allowed to
+ * trigger an interview once per call — a second hit means the post-action
+ * didn't actually pick up the change, and we abort with a circular-ensure
+ * error rather than spinning forever.
+ *
+ * See `apps/celilo/designs/CROSS_MODULE_CONFIG_INTERVIEW.md`.
+ */
+async function invokeHookWithEnsureRetry(
+  modulePath: string,
+  hookName: string,
+  contractVersion: string,
+  hookDef: HookDefinition,
+  inputs: Record<string, unknown>,
+  config: Record<string, unknown>,
+  hookSecrets: Record<string, string>,
+  buildAttempt: () => Promise<HookAttempt>,
+  db: DbClient,
+  deployOptions: DeployOptions,
+): Promise<HookResult> {
+  const seen = new Set<string>();
+  let attempt = await buildAttempt();
+
+  while (true) {
+    const result = await invokeHook(
+      modulePath,
+      hookName,
+      contractVersion,
+      hookDef,
+      inputs,
+      config,
+      hookSecrets,
+      attempt.logger,
+      attempt.invokeOptions,
+    );
+
+    if (result.success) {
+      attempt.gauge.stop(true);
+      return result;
+    }
+
+    if (!result.missingProviderInput) {
+      attempt.gauge.stop(false);
+      return result;
+    }
+
+    const m = result.missingProviderInput;
+    const key = `${m.providerModuleId}|${m.ensureId}|${m.value}`;
+    if (seen.has(key)) {
+      attempt.gauge.stop(false);
+      return {
+        ...result,
+        error: `Circular ensure: ${m.providerModuleId} still didn't satisfy "${m.ensureId}" for "${m.value}" after the interview ran. Check that the post action (e.g. redeploy_self) actually applies the change.`,
+      };
+    }
+    seen.add(key);
+
+    const ensure = findEnsureOnProvider(m.providerModuleId, m.ensureId, db);
+    if (!ensure) {
+      attempt.gauge.stop(false);
+      return {
+        ...result,
+        error:
+          `Module "${m.providerModuleId}" doesn't declare an "ensure" block ` +
+          `for "${m.ensureId}". Original hook error: ${result.error}`,
+      };
+    }
+
+    if (deployOptions.noInteractive) {
+      attempt.gauge.stop(false);
+      log.error(renderEnsureRecipe(m.providerModuleId, ensure, m.value));
+      return result;
+    }
+
+    // Step the gauge out of the way so prompts render on a clean line.
+    attempt.gauge.stopSilent();
+
+    log.info('');
+    log.info(
+      `${m.providerModuleId} doesn't yet provide ` +
+        `${m.ensureId} for "${m.value}" — running cross-module setup.`,
+    );
+
+    const interviewResult = await interviewForEnsureInputs(m.providerModuleId, ensure, m.value, db);
+
+    if (!interviewResult.success) {
+      return {
+        ...result,
+        error: `Cross-module interview failed: ${interviewResult.error ?? 'unknown'}`,
+      };
+    }
+
+    for (const line of interviewResult.applied) {
+      log.info(`  ✓ ${line}`);
+    }
+
+    if (ensure.post === 'redeploy_self') {
+      log.info('');
+      log.info(`Redeploying ${m.providerModuleId} to apply changes...`);
+      const redeploy = await deployModule(m.providerModuleId, db, deployOptions);
+      if (!redeploy.success) {
+        return {
+          ...result,
+          error: `Failed to redeploy ${m.providerModuleId}: ${redeploy.error ?? 'unknown'}`,
+        };
+      }
+    }
+
+    // Build a fresh attempt for the retry — new gauge, new logger, new
+    // capability bindings (capabilities close over the logger).
+    attempt = await buildAttempt();
+  }
+}
+
 /**
  * Orchestrate module deployment workflow
  * Orchestrator function - coordinates deployment phases
@@ -98,27 +243,37 @@ export async function deployModule(
 ): Promise<DeployResult> {
   const phases: DeployResult['phases'] = {};
 
+  const display = new ProgressDisplay({
+    mode: options.noInteractive ? 'protocol' : 'auto',
+  });
+  setActiveDisplay(display);
+
   try {
-    // Check for e2e test containers — live and e2e environments are mutually exclusive
-    try {
-      const { execSync } = await import('node:child_process');
-      const running = execSync('docker ps --format "{{.Names}}" 2>/dev/null', {
-        encoding: 'utf-8',
-        timeout: 5000,
-      });
-      const e2eContainers = running.split('\n').filter((n) => n.startsWith('celilo-e2e-'));
-      if (e2eContainers.length > 0) {
-        return {
-          success: false,
-          error:
-            'Cannot deploy: e2e test containers are running.\n' +
-            'Live and e2e environments are mutually exclusive.\n' +
-            'Stop e2e tests first: cd e2e && ./bin/e2e-down',
-          phases,
-        };
+    // Check for e2e test containers — live and e2e environments are mutually exclusive.
+    // Skip when using a test database (integration tests use os.tmpdir() paths).
+    const { tmpdir } = await import('node:os');
+    const usingTestDb = process.env.CELILO_DB_PATH?.startsWith(tmpdir());
+    if (!usingTestDb) {
+      try {
+        const { execSync } = await import('node:child_process');
+        const running = execSync('docker ps --format "{{.Names}}" 2>/dev/null', {
+          encoding: 'utf-8',
+          timeout: 5000,
+        });
+        const e2eContainers = running.split('\n').filter((n) => n.startsWith('celilo-e2e-'));
+        if (e2eContainers.length > 0) {
+          return {
+            success: false,
+            error:
+              'Cannot deploy: e2e test containers are running.\n' +
+              'Live and e2e environments are mutually exclusive.\n' +
+              'Stop e2e tests first: cele2e down',
+            phases,
+          };
+        }
+      } catch {
+        // docker ps failed — Docker may not be installed or running, that's fine
       }
-    } catch {
-      // docker ps failed — Docker may not be installed or running, that's fine
     }
 
     log.info(`Deploying module: ${moduleId}`);
@@ -153,7 +308,7 @@ export async function deployModule(
       const autoGeneratableSecrets = validation.missingVariables.filter(
         (v) => v.source === 'secret' && v.generate,
       );
-      const remainingMissing = validation.missingVariables.filter(
+      let remainingMissing = validation.missingVariables.filter(
         (v) => !(v.source === 'secret' && v.generate),
       );
 
@@ -180,6 +335,31 @@ export async function deployModule(
         await generateAnsibleSecrets(moduleId, secretsYamlPath, db);
       }
 
+      // Always auto-derive $machine: variables — even in non-interactive mode.
+      // Machine data (interfaces, zone IPs) is catalogued at machine add time and
+      // should never require user prompting.
+      const machineDerivable = remainingMissing.filter((v) =>
+        v.derive_from?.startsWith('$machine:'),
+      );
+      if (machineDerivable.length > 0) {
+        const isFirewall = manifest.provides?.capabilities?.some((cap) => cap.name === 'firewall');
+        const moduleZone = manifest.requires?.machine?.zone;
+        const matchedMachine = await findMachineForModule(
+          moduleId,
+          moduleZone,
+          isFirewall ? 'router' : undefined,
+        );
+        if (matchedMachine) {
+          const derived = await autoDeriveMachineConfig(
+            moduleId,
+            machineDerivable,
+            db,
+            matchedMachine,
+          );
+          remainingMissing = remainingMissing.filter((v) => !derived.configured.includes(v.name));
+        }
+      }
+
       if (remainingMissing.length > 0 && options.noInteractive) {
         // Non-interactive mode: fail with error for remaining missing variables
         const varList = remainingMissing.map((v) => `  - ${v.name} (${v.source})`).join('\n');
@@ -250,6 +430,26 @@ export async function deployModule(
       }
     }
 
+    // If validation returned early (missing variables were present), generation
+    // was deferred until after the interview. Run it now that all vars are set.
+    if (!validation.autoGenerated) {
+      const { generateTemplates } = await import('../templates/generator');
+      const regenResult = await generateTemplates({
+        moduleId,
+        modulePath: module.sourcePath,
+        outputPath: generatedPath,
+        db,
+        skipVariableValidation: false,
+      });
+      if (!regenResult.success) {
+        return {
+          success: false,
+          error: `Generation failed: ${regenResult.error || 'Unknown error'}`,
+          phases,
+        };
+      }
+    }
+
     log.success('Validation passed:');
     log.message('  Templates generated');
     if (validation.autoBuilt) {
@@ -391,6 +591,85 @@ export async function deployModule(
     if (isConfigOnly) {
       log.success('Config-only module — no infrastructure deployment needed');
 
+      // Run on_install hook for config-only modules (e.g. publishing static files to caddy)
+      if (manifest.hooks?.on_install) {
+        const onInstallDef = manifest.hooks.on_install;
+        log.info('Running on_install hook...');
+
+        const { moduleConfigs: pcTable, secrets: secretsTable } = await import('../db/schema');
+        const installConfigs = db
+          .select()
+          .from(pcTable)
+          .where(eq(pcTable.moduleId, moduleId))
+          .all();
+        const installConfigMap: Record<string, unknown> = {};
+        for (const c of installConfigs) {
+          installConfigMap[c.key] = c.valueJson ? JSON.parse(c.valueJson) : c.value;
+        }
+
+        const installContext = await buildResolutionContext(moduleId, db);
+        for (const [key, value] of Object.entries(installContext.selfConfig)) {
+          if (
+            !(key in installConfigMap) ||
+            (typeof installConfigMap[key] === 'string' &&
+              (installConfigMap[key] as string).startsWith('$'))
+          ) {
+            installConfigMap[key] = value;
+          }
+        }
+
+        const installSecrets = db
+          .select()
+          .from(secretsTable)
+          .where(eq(secretsTable.moduleId, moduleId))
+          .all();
+        const installMasterKey = await getOrCreateMasterKey();
+        const installSecretMap: Record<string, string> = {};
+        for (const s of installSecrets) {
+          installSecretMap[s.name] = decryptSecret(
+            { encryptedValue: s.encryptedValue, iv: s.iv, authTag: s.authTag },
+            installMasterKey,
+          );
+        }
+
+        const installResult = await invokeHookWithEnsureRetry(
+          module.sourcePath,
+          'on_install',
+          manifest.celilo_contract,
+          onInstallDef,
+          {},
+          installConfigMap,
+          installSecretMap,
+          async () => {
+            const gauge = new FuelGauge(`${moduleId}: on_install`, {
+              skipAnimation: options.noInteractive,
+            });
+            gauge.start();
+            const logger = createGaugeLogger(gauge, moduleId, 'on_install');
+            const capFns = await loadCapabilityFunctions(moduleId, db, logger);
+            return {
+              gauge,
+              logger,
+              invokeOptions: {
+                debug: options.debug,
+                capabilities: capFns,
+                requiredCapabilities: (manifest.requires?.capabilities ?? []).map((c) => c.name),
+              },
+            };
+          },
+          db,
+          options,
+        );
+
+        if (!installResult.success) {
+          log.error(`on_install hook failed: ${installResult.error}`);
+          log.error('Module remains in DEPLOYING state. Fix the issue and retry:');
+          log.error(`  celilo module run-hook ${moduleId} on_install`);
+          log.error(`  celilo module deploy ${moduleId}`);
+          return { success: false, phases, error: installResult.error };
+        }
+      }
+
       // Transition to INSTALLED
       db.update(modules).set({ state: 'INSTALLED' }).where(eq(modules.id, moduleId)).run();
 
@@ -402,9 +681,17 @@ export async function deployModule(
           debug: options.debug,
           noInteractive: options.noInteractive,
         });
-        if (healthResult.status === 'healthy' || healthResult.status === 'degraded') {
-          log.success('Health checks passed → VERIFIED');
+        if (healthResult.status === 'error') {
+          return { success: false, phases, error: `Health check failed: ${healthResult.error}` };
+        }
+        if (healthResult.status === 'unhealthy') {
+          const failedChecks = healthResult.checks
+            .filter((c) => c.status === 'fail')
+            .map((c) => `  ✗ ${c.name}: ${c.message}`)
+            .join('\n');
+          return { success: false, phases, error: `Health checks failed:\n${failedChecks}` };
         }
+        log.success('Health checks passed → VERIFIED');
       }
 
       return {
@@ -421,8 +708,9 @@ export async function deployModule(
 
     let terraformOutputs: Record<string, unknown> | null = null;
     if (plan.needsTerraform) {
-      // Convert service credentials to TF_VAR_* environment variables
-      const terraformEnvVars: Record<string, string> = {};
+      // Compose TF_VAR_* env vars from the bound container service's
+      // credentials. (Empty for machine-pool deployments.)
+      let terraformEnvVars: Record<string, string> = {};
       if (plan.infrastructure?.type === 'container_service' && plan.infrastructure.serviceId) {
         const service = await getContainerService(plan.infrastructure.serviceId);
         if (!service) {
@@ -432,17 +720,7 @@ export async function deployModule(
             phases,
           };
         }
-
-        const credentials = await getServiceCredentials(plan.infrastructure.serviceId);
-
-        // Convert credentials to Terraform environment variables based on provider
-        if (service.providerName === 'digitalocean' && 'api_token' in credentials) {
-          terraformEnvVars.TF_VAR_digitalocean_token = credentials.api_token;
-        } else if (service.providerName === 'proxmox' && 'api_url' in credentials) {
-          terraformEnvVars.TF_VAR_proxmox_api_url = credentials.api_url;
-          terraformEnvVars.TF_VAR_proxmox_token_id = credentials.api_token_id;
-          terraformEnvVars.TF_VAR_proxmox_token_secret = credentials.api_token_secret;
-        }
+        terraformEnvVars = await buildTerraformEnvForService(plan.infrastructure.serviceId);
       }
 
       const terraformResult = await executeTerraform(generatedPath, phases, terraformEnvVars, {
@@ -724,11 +1002,6 @@ export async function deployModule(
       if (manifest.hooks?.on_install) {
         const onInstallDef = manifest.hooks.on_install;
         log.info('Running on_install hook...');
-        const gauge = new FuelGauge(`${moduleId}: on_install`, {
-          skipAnimation: options.noInteractive,
-        });
-        gauge.start();
-        const hookLogger = createGaugeLogger(gauge, moduleId, 'on_install');
 
         const { moduleConfigs: pcTable, secrets: secretsTable } = await import('../db/schema');
         const installConfigs = db
@@ -741,13 +1014,28 @@ export async function deployModule(
           installConfigMap[c.key] = c.valueJson ? JSON.parse(c.valueJson) : c.value;
         }
 
-        // Inject machine IP into hook config for machine deployments
+        // Resolve capability-derived variables (e.g. source: capability with derive_from).
+        // buildResolutionContext resolves $self: refs in capability data and applies
+        // declarative derivations so that $capability:dns_registrar.primary_domain
+        // yields "iamtheinternet.org" rather than the raw "$self:primary_domain" template.
+        const installContext = await buildResolutionContext(moduleId, db);
+        for (const [key, value] of Object.entries(installContext.selfConfig)) {
+          if (
+            !(key in installConfigMap) ||
+            (typeof installConfigMap[key] === 'string' &&
+              (installConfigMap[key] as string).startsWith('$'))
+          ) {
+            installConfigMap[key] = value;
+          }
+        }
+
+        // Inject target IP into hook config — works for both machine and container deploys
         if (machineId) {
           const { getMachine } = await import('./machine-pool');
           const deployMachine = await getMachine(machineId);
           if (deployMachine) {
             installConfigMap['ip.primary'] = deployMachine.ipAddress;
-            installConfigMap.container_ip = deployMachine.ipAddress;
+            installConfigMap.target_ip = deployMachine.ipAddress;
           }
         }
 
@@ -765,8 +1053,7 @@ export async function deployModule(
           );
         }
 
-        const installCapFunctions = await loadCapabilityFunctions(moduleId, db, hookLogger);
-        const installResult = await invokeHook(
+        const installResult = await invokeHookWithEnsureRetry(
           module.sourcePath,
           'on_install',
           manifest.celilo_contract,
@@ -774,16 +1061,28 @@ export async function deployModule(
           {},
           installConfigMap,
           installSecretMap,
-          hookLogger,
-          {
-            debug: options.debug,
-            capabilities: installCapFunctions,
-            requiredCapabilities: manifest.requires.capabilities.map((c) => c.name),
+          async () => {
+            const gauge = new FuelGauge(`${moduleId}: on_install`, {
+              skipAnimation: options.noInteractive,
+            });
+            gauge.start();
+            const logger = createGaugeLogger(gauge, moduleId, 'on_install');
+            const capFns = await loadCapabilityFunctions(moduleId, db, logger);
+            return {
+              gauge,
+              logger,
+              invokeOptions: {
+                debug: options.debug,
+                capabilities: capFns,
+                requiredCapabilities: manifest.requires.capabilities.map((c) => c.name),
+              },
+            };
           },
+          db,
+          options,
         );
 
         if (!installResult.success) {
-          gauge.stop(false);
           log.error(`on_install hook failed: ${installResult.error}`);
           log.error('Module remains in DEPLOYED state. Fix the issue and retry:');
           log.error(`  celilo module run-hook ${moduleId} on_install`);
@@ -794,7 +1093,6 @@ export async function deployModule(
             error: installResult.error,
           };
         }
-        gauge.stop(true);
       }
 
       // Transition to INSTALLED
@@ -809,19 +1107,28 @@ export async function deployModule(
           noInteractive: options.noInteractive,
         });
 
+        if (healthResult.status === 'error') {
+          return {
+            success: false,
+            phases,
+            error: `Health check failed: ${healthResult.error}`,
+          };
+        }
         if (healthResult.status === 'unhealthy') {
           const failedChecks = healthResult.checks
             .filter((c) => c.status === 'fail')
             .map((c) => `  ✗ ${c.name}: ${c.message}`)
             .join('\n');
-          log.warn(`Health checks failed:\n${failedChecks}`);
-          log.warn(`Module is INSTALLED but not VERIFIED. Run: celilo module health ${moduleId}`);
-        } else {
-          const summary = healthResult.checks
-            .map((c) => `  ${c.status === 'pass' ? '✓' : '⚠'} ${c.name}`)
-            .join('\n');
-          log.success(`Health checks passed → VERIFIED\n${summary}`);
+          return {
+            success: false,
+            phases,
+            error: `Health checks failed:\n${failedChecks}`,
+          };
         }
+        const summary = healthResult.checks
+          .map((c) => `  ${c.status === 'pass' ? '✓' : '⚠'} ${c.name}`)
+          .join('\n');
+        log.success(`Health checks passed → VERIFIED\n${summary}`);
       }
 
       // Auto-register module hostname in internal DNS (if available)
@@ -841,6 +1148,7 @@ export async function deployModule(
         );
       }
 
+      display.instantEvent(`\x1b[32m✓\x1b[0m Module '${moduleId}' deployed successfully`);
       return {
         success: true,
         phases,
@@ -858,5 +1166,8 @@ export async function deployModule(
       error: error instanceof Error ? error.message : 'Unknown error',
       phases,
     };
+  } finally {
+    display.flush();
+    setActiveDisplay(null);
   }
 }

package/src/services/proxmox-state-recovery.ts

@@ -31,7 +31,7 @@ interface TerraformState {
 }
 
 /**
- * Ensure module_configs has vmid and container_ip from Terraform state
+ * Ensure module_configs has vmid and target_ip from Terraform state
  * This recovers from state drift scenarios where container was deleted/recreated
  *
  * @param moduleId - Module identifier
@@ -43,7 +43,7 @@ export async function ensureProxmoxConfigFromState(
   terraformDir: string,
   db: DbClient,
 ): Promise<void> {
-  // Check if vmid and container_ip already exist
+  // Check if vmid and target_ip already exist
   const existingVmid = await db
     .select()
     .from(moduleConfigs)
@@ -53,7 +53,7 @@ export async function ensureProxmoxConfigFromState(
   const existingContainerIp = await db
     .select()
     .from(moduleConfigs)
-    .where(and(eq(moduleConfigs.moduleId, moduleId), eq(moduleConfigs.key, 'container_ip')))
+    .where(and(eq(moduleConfigs.moduleId, moduleId), eq(moduleConfigs.key, 'target_ip')))
     .get();
 
   // If both exist, no recovery needed
@@ -104,7 +104,7 @@ export async function ensureProxmoxConfigFromState(
   }
 
   // Store in module_configs (recovery)
-  log.warn('  Recovering vmid and container_ip from Terraform state...');
+  log.warn('  Recovering vmid and target_ip from Terraform state...');
 
   if (!existingVmid) {
     await db
@@ -126,7 +126,7 @@ export async function ensureProxmoxConfigFromState(
       .insert(moduleConfigs)
       .values({
         moduleId,
-        key: 'container_ip',
+        key: 'target_ip',
         value: containerIp,
       })
       .onConflictDoUpdate({
@@ -136,5 +136,5 @@ export async function ensureProxmoxConfigFromState(
       .run();
   }
 
-  log.success(`  Recovered: vmid=${vmid}, container_ip=${containerIp}`);
+  log.success(`  Recovered: vmid=${vmid}, target_ip=${containerIp}`);
 }

package/src/services/ssh-key-manager.test.ts

@@ -101,7 +101,7 @@ describe('ssh-key-manager', () => {
 
       const keyPath = await writeTemporarySshKey(machine.id);
 
-      expect(keyPath).toContain('tmp/ansible-keys');
+      expect(keyPath).toContain('celilo-ansible-keys');
       expect(keyPath).toContain(`machine-${machine.id}.key`);
     });
   });

package/src/services/ssh-key-manager.ts

@@ -5,15 +5,16 @@
  */
 
 import { existsSync, mkdirSync, readdirSync, rmSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
 import { join } from 'node:path';
-import { getDataDir } from '../config/paths';
 import { getMachineSshKey } from './machine-pool';
 
 /**
  * Get the temporary SSH keys directory
+ * Uses OS temp directory to avoid EROFS issues with read-only data mounts
  */
 function getTempKeysDir(): string {
-  return join(getDataDir(), 'tmp', 'ansible-keys');
+  return join(tmpdir(), 'celilo-ansible-keys');
 }
 
 /**