@celilo/cli 0.3.25 → 0.3.27

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.3.25",
+  "version": "0.3.27",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {

package/src/cli/commands/storage-add-local.ts

@@ -4,7 +4,8 @@
  */
 
 import { homedir } from 'node:os';
-import { resolve } from 'node:path';
+import { join, resolve } from 'node:path';
+import { getDataDir } from '../../config/paths';
 import {
   addBackupStorage,
   setDefaultBackupStorage,
@@ -45,11 +46,21 @@ export async function handleStorageAddLocal(
         validate: validateRequired('Storage name'),
       }));
 
+    // Default path lives under celilo's own data dir
+    // (~/.local/share/celilo/backups on Linux, ~/Library/Application
+    // Support/celilo/backups on macOS). The directory is owned by the
+    // running user, mkdir -p succeeds without sudo, and operators who
+    // want NAS / external paths can override at the prompt. This
+    // replaces the prior placeholder of "/var/backups/celilo" which
+    // looked authoritative but required root to write.
+    const defaultPath = join(getDataDir(), 'backups');
+
     const path =
       flagPath ??
       (await promptText({
         message: 'Storage directory path:',
-        placeholder: 'e.g., /mnt/nas/backups or /var/backups/celilo',
+        defaultValue: defaultPath,
+        placeholder: defaultPath,
         validate: validateRequired('Storage path'),
       }));
 

package/src/cli/commands/system-update.test.ts

@@ -0,0 +1,103 @@
+/**
+ * Tests for the `system update` storage pre-flight.
+ *
+ * Background: an operator on celilo-mgmt hit a confusing chain when
+ * they ran `celilo storage add local /var/backups/celilo` (a system
+ * path that needs root). The verify step failed with EACCES, leaving
+ * an unverified storage row on disk. The next `celilo system update`
+ * said "No default backup storage configured" — technically true
+ * (unverified storage never auto-defaults), but misleading: there
+ * IS a storage, it just needs fixing. The pre-flight now distinguishes
+ * the cases and points at the right next command for each.
+ */
+
+import { describe, expect, test } from 'bun:test';
+import { type BackupStorageLike, checkBackupStoragePreflight } from './system-update';
+
+const verified = (id: string): BackupStorageLike => ({ storageId: id, verified: true });
+const unverified = (id: string): BackupStorageLike => ({ storageId: id, verified: false });
+
+describe('checkBackupStoragePreflight', () => {
+  test('verified default → ok', () => {
+    const result = checkBackupStoragePreflight({
+      defaultStorage: verified('home-backups'),
+      allStorages: [verified('home-backups')],
+    });
+    expect(result.kind).toBe('ok');
+  });
+
+  test('default exists but unverified → suggests `storage verify`', () => {
+    const result = checkBackupStoragePreflight({
+      defaultStorage: unverified('home-backups'),
+      allStorages: [unverified('home-backups')],
+    });
+    if (result.kind !== 'error') throw new Error('expected error');
+    expect(result.message).toContain("Default backup storage 'home-backups' is not verified");
+    expect(result.message).toContain('celilo storage verify home-backups');
+  });
+
+  test('no storage at all → suggests `storage add local`', () => {
+    const result = checkBackupStoragePreflight({
+      defaultStorage: null,
+      allStorages: [],
+    });
+    if (result.kind !== 'error') throw new Error('expected error');
+    expect(result.message).toContain('No backup storage configured');
+    expect(result.message).toContain('celilo storage add local');
+    // Always offer the --no-backup escape so the operator knows the
+    // CLI self-update can still run on a system without storage.
+    expect(result.message).toContain('--no-backup');
+  });
+
+  // The exact case the operator hit on celilo-mgmt: ran storage add,
+  // path was unwriteable (/var/backups/celilo without sudo), verify
+  // failed, the unverified row stayed in the DB and isn't default.
+  test('only unverified storage → suggests `storage verify`, not `storage add`', () => {
+    const result = checkBackupStoragePreflight({
+      defaultStorage: null,
+      allStorages: [unverified('local-backups')],
+    });
+    if (result.kind !== 'error') throw new Error('expected error');
+    expect(result.message).toContain('none is verified yet');
+    expect(result.message).toContain('Storages: local-backups');
+    expect(result.message).toContain('celilo storage verify <storage-id>');
+    // Critically, this case does NOT direct the operator to run
+    // `storage add local` — they already did, the row exists.
+    expect(result.message).not.toContain('celilo storage add local');
+    // Surface the most common cause inline rather than burying it.
+    expect(result.message).toContain('elevated permissions');
+    expect(result.message).toContain('--no-backup');
+  });
+
+  test('multiple unverified storages → lists all storage IDs', () => {
+    const result = checkBackupStoragePreflight({
+      defaultStorage: null,
+      allStorages: [unverified('local-a'), unverified('local-b'), unverified('local-c')],
+    });
+    if (result.kind !== 'error') throw new Error('expected error');
+    expect(result.message).toContain('Storages: local-a, local-b, local-c');
+  });
+
+  test('verified storage exists but none is default → suggests `storage set-default`', () => {
+    const result = checkBackupStoragePreflight({
+      defaultStorage: null,
+      allStorages: [verified('home-backups'), unverified('s3-cold')],
+    });
+    if (result.kind !== 'error') throw new Error('expected error');
+    expect(result.message).toContain('verified but no default is set');
+    expect(result.message).toContain('Verified: home-backups');
+    // Doesn't mention the unverified one in the "Verified:" listing
+    // (that would mislead).
+    expect(result.message).not.toContain('Verified: home-backups, s3-cold');
+    expect(result.message).toContain('celilo storage set-default <storage-id>');
+  });
+
+  test('multiple verified, no default → lists all verified IDs', () => {
+    const result = checkBackupStoragePreflight({
+      defaultStorage: null,
+      allStorages: [verified('home-backups'), verified('s3-cold'), unverified('nas')],
+    });
+    if (result.kind !== 'error') throw new Error('expected error');
+    expect(result.message).toContain('Verified: home-backups, s3-cold');
+  });
+});

package/src/cli/commands/system-update.ts

@@ -17,6 +17,7 @@
 
 import { spawnSync } from 'node:child_process';
 import { existsSync, readFileSync } from 'node:fs';
+import { homedir } from 'node:os';
 import { dirname, join } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { eq } from 'drizzle-orm';
@@ -50,6 +51,103 @@ import { fetchAndUpgrade } from './module-upgrade';
  */
 const MANAGED_PACKAGES = ['@celilo/cli', '@celilo/event-bus', '@celilo/e2e'] as const;
 
+/**
+ * Result of inspecting backup-storage configuration before letting
+ * `runSystemUpdate` take a celilo-DB snapshot. Three failure shapes
+ * the operator might hit, each with a distinct friendly message:
+ *
+ *   1. No storage rows at all          → run `storage add local`
+ *   2. Storage rows exist, none verified → run `storage verify <id>`
+ *      (the case the operator hits when an unverified storage was
+ *      left behind by a failed verify)
+ *   3. Verified storage exists, none is default → run
+ *      `storage set-default <id>`
+ *   4. Default exists but isn't verified → run `storage verify <id>`
+ *
+ * Pure data in / data out so it's testable without setting up an
+ * audit, registry, or DB.
+ */
+export interface BackupStorageLike {
+  storageId: string;
+  verified: boolean;
+}
+
+export function checkBackupStoragePreflight(input: {
+  defaultStorage: BackupStorageLike | null;
+  allStorages: BackupStorageLike[];
+}): { kind: 'ok' } | { kind: 'error'; message: string } {
+  const { defaultStorage, allStorages } = input;
+
+  if (defaultStorage) {
+    if (defaultStorage.verified) return { kind: 'ok' };
+    return {
+      kind: 'error',
+      message: `Default backup storage '${defaultStorage.storageId}' is not verified.
+
+Run:  celilo storage verify ${defaultStorage.storageId}
+
+Then re-run system update.`,
+    };
+  }
+
+  if (allStorages.length === 0) {
+    return {
+      kind: 'error',
+      message: `No backup storage configured.
+
+celilo system update snapshots the celilo DB before applying module
+updates as a safety net. Configure backup storage first:
+
+  celilo storage add local
+
+Or skip the safety net entirely (the CLI self-update still runs):
+
+  celilo system update --no-backup`,
+    };
+  }
+
+  const verified = allStorages.filter((s) => s.verified);
+  if (verified.length === 0) {
+    const ids = allStorages.map((s) => s.storageId).join(', ');
+    return {
+      kind: 'error',
+      message: `Backup storage exists but none is verified yet.
+
+Storages: ${ids}
+
+Verify one before re-running system update:
+
+  celilo storage verify <storage-id>
+
+Common causes of failed verification:
+  - The path requires elevated permissions (try a path under your
+    home directory; the default '${join(homedir(), '.local/share/celilo/backups')}'
+    works without sudo).
+  - The disk is full or the mount point isn't writeable.
+
+Or skip the safety net entirely (the CLI self-update still runs):
+
+  celilo system update --no-backup`,
+    };
+  }
+
+  const ids = verified.map((s) => s.storageId).join(', ');
+  return {
+    kind: 'error',
+    message: `Backup storage is verified but no default is set.
+
+Verified: ${ids}
+
+Set a default before re-running system update:
+
+  celilo storage set-default <storage-id>
+
+Or skip the safety net entirely (the CLI self-update still runs):
+
+  celilo system update --no-backup`,
+  };
+}
+
 function readInstalledCliVersion(): string {
   const here = dirname(fileURLToPath(import.meta.url));
   const candidates = [
@@ -159,9 +257,13 @@ async function buildSnapshots(
  * - `health` calls `runModuleHealthCheck`.
  * - `snapshotCeliloDb` calls `createSystemStateBackup`.
  */
-function buildOps(registry: RegistryClient): OrchestratorOps {
+function buildOps(registry: RegistryClient, wasDeployed: Set<string>): OrchestratorOps {
   return {
     backup: async (moduleId, _updateId) => {
+      // IMPORTED modules don't have running state to back up; skip
+      // silently. The orchestrator already gates on `!noBackup`, so
+      // this is the second layer (per-module rather than system-wide).
+      if (!wasDeployed.has(moduleId)) return { ok: true };
       const db = getDb();
       const mod = db.select().from(modules).where(eq(modules.id, moduleId)).get();
       if (!mod) return { ok: false, error: `module ${moduleId} not found` };
@@ -202,6 +304,12 @@ function buildOps(registry: RegistryClient): OrchestratorOps {
       }
     },
     deploy: async (id) => {
+      // IMPORTED modules weren't deployed before this run; we just
+      // refreshed their source files via `upgrade`. Don't try to
+      // deploy them here — that would surprise the operator who
+      // hasn't asked for a deploy. They'll get a `module deploy <id>`
+      // todo finding from the audit on the next run.
+      if (!wasDeployed.has(id)) return { ok: true };
       const db = getDb();
       // The deploy interview runs through the bus; if config is
       // missing the deploy hangs waiting for a responder. system-update
@@ -211,6 +319,19 @@ function buildOps(registry: RegistryClient): OrchestratorOps {
       return result.success ? { ok: true } : { ok: false, error: result.error };
     },
     health: async (id) => {
+      // Same gating as deploy: there's no live deployment to health-
+      // check for an IMPORTED module that we just refreshed. Return
+      // pass with a "not deployed" detail so the orchestrator's
+      // module-step record doesn't say "health: skipped" (which would
+      // imply a check ran and skipped its assertions).
+      if (!wasDeployed.has(id)) {
+        // The orchestrator's HealthStatus type uses 'healthy' /
+        // 'degraded' / 'unhealthy' / 'error' / 'no-checks'. There's
+        // no "skipped" — closest meaningful value for "we didn't
+        // run the check on purpose" is 'no-checks' (semantically:
+        // "the module didn't have any health checks to run").
+        return { status: 'no-checks', detail: 'not deployed; health check skipped' };
+      }
       // We can call the existing health-runner directly today — that's
       // already a clean service.
       const db = getDb();
@@ -249,17 +370,20 @@ function formatResult(result: SystemUpdateResult): string {
   );
   lines.push(`  backups: ${result.backupsCreated ? 'created' : 'skipped'}`);
 
-  // Surface audit findings inline. DRIFT means "something is drifting
-  // but it didn't block the update" — without listing the findings the
-  // operator has no idea what; they'd have to run `celilo system audit`
-  // as a follow-up. Show them here so it's a single round-trip.
-  // BLOCKED also gets the listing (the orchestrator already short-
-  // circuited to skip the run, but the operator still needs to know
-  // why — formatResult is the friendly path for that too).
+  // Surface audit findings inline. Three severity tiers:
+  //   blocked → ✗   gates the run (orchestrator short-circuits)
+  //   drift   → ▸   informational; the system moved away from a
+  //                 desired state, but the run still proceeded
+  //   todo    → ➤   next-step reminders (e.g. "you imported X but
+  //                 haven't deployed it yet"); never escalates the
+  //                 verdict.
+  // Each tier renders separately so operators can scan for what
+  // needs attention vs. what's just a friendly nudge.
   if (result.audit.findings.length > 0) {
     lines.push('');
-    const drift = result.audit.findings.filter((f) => f.severity === 'drift');
     const blocked = result.audit.findings.filter((f) => f.severity === 'blocked');
+    const drift = result.audit.findings.filter((f) => f.severity === 'drift');
+    const todo = result.audit.findings.filter((f) => f.severity === 'todo');
     if (blocked.length > 0) {
       lines.push(`  BLOCKED (${blocked.length}):`);
       for (const f of blocked) {
@@ -274,6 +398,13 @@ function formatResult(result: SystemUpdateResult): string {
         if (f.remediation) lines.push(`        → ${f.remediation}`);
       }
     }
+    if (todo.length > 0) {
+      lines.push(`  Todos (${todo.length}, next-step reminders):`);
+      for (const f of todo) {
+        lines.push(`    ➤ [${f.category}] ${f.subject}: ${f.message}`);
+        if (f.remediation) lines.push(`        → ${f.remediation}`);
+      }
+    }
   }
 
   if (result.modules.length > 0) {
@@ -303,12 +434,28 @@ export async function handleSystemUpdate(
 
   const db = getDb();
   const installed = db.select().from(modules).all();
-  const deployedModules = installed.filter((m) => ['INSTALLED', 'VERIFIED'].includes(m.state));
+  // Include IMPORTED modules in the upgrade scope so a fresh
+  // `module import <name>` followed (later, possibly weeks later) by
+  // `system update` actually picks up registry-side updates for
+  // not-yet-deployed modules. The deploy and health steps are gated
+  // on prior state in buildOps so we don't deploy something the
+  // operator hasn't asked us to deploy.
+  // INSTALLED + VERIFIED + IMPORTED is the upgrade-eligible set;
+  // ERROR / DEPLOYING / GENERATING / UNINSTALLING are skipped (the
+  // operator needs to handle those manually first).
+  const upgradeEligibleStates = new Set(['INSTALLED', 'VERIFIED', 'IMPORTED']);
+  const upgradableModules = installed.filter((m) => upgradeEligibleStates.has(m.state));
+  // Track which modules were already deployed BEFORE this run.
+  // Anything else gets the upgrade only — no deploy / health / backup
+  // attempts (those would be no-ops at best, surprising at worst).
+  const wasDeployed = new Set(
+    installed.filter((m) => ['INSTALLED', 'VERIFIED'].includes(m.state)).map((m) => m.id),
+  );
   const registry = new RegistryClient();
 
   // Build the dep graph from installed manifests.
-  const graph = buildModuleGraph(deployedModules.map((m) => m.manifestData as ModuleManifest));
-  const snapshots = await buildSnapshots(db, deployedModules, registry);
+  const graph = buildModuleGraph(upgradableModules.map((m) => m.manifestData as ModuleManifest));
+  const snapshots = await buildSnapshots(db, upgradableModules, registry);
 
   // Build audit deps. (Mostly mirrors system-audit.ts; could be refactored
   // into a shared helper in Phase 5.)
@@ -351,13 +498,13 @@ export async function handleSystemUpdate(
       db,
     },
     capabilityAbi: {
-      modules: deployedModules.map((m) => ({
+      modules: upgradableModules.map((m) => ({
         id: m.id,
         manifest: m.manifestData as ModuleManifest,
       })),
     },
     terraformPlan: {
-      modules: deployedModules.map((m) => ({
+      modules: upgradableModules.map((m) => ({
         id: m.id,
         terraformDir: existsSync(join(m.sourcePath, 'generated', 'terraform'))
           ? join(m.sourcePath, 'generated', 'terraform')
@@ -366,7 +513,7 @@ export async function handleSystemUpdate(
       run: async () => ({ exitCode: 0, stdout: '', stderr: '' }),
     },
     moduleVersions: {
-      installed: deployedModules.map((m) => ({ id: m.id, version: m.version })),
+      installed: upgradableModules.map((m) => ({ id: m.id, version: m.version })),
       fetcher: async (id: string) => {
         const entries = await registry.getIndex(id);
         const top = registry.latestVersion(entries);
@@ -374,7 +521,7 @@ export async function handleSystemUpdate(
       },
     },
     moduleConfigs: {
-      modules: deployedModules.map((m) => ({
+      modules: upgradableModules.map((m) => ({
         id: m.id,
         manifest: m.manifestData as ModuleManifest,
         configs: configsByModule.get(m.id) ?? {},
@@ -382,7 +529,7 @@ export async function handleSystemUpdate(
     },
     health: { results: healthResults },
     backups: {
-      modules: deployedModules.map((m) => ({
+      modules: upgradableModules.map((m) => ({
         id: m.id,
         manifest: m.manifestData as ModuleManifest,
         lastSuccessfulBackupAt: latestBackupByModule.get(m.id) ?? null,
@@ -415,7 +562,7 @@ export async function handleSystemUpdate(
       updateId: crypto.randomUUID(),
       audit,
       willSelfUpdate: false, // computed at run time; the dry-run preview is best-effort
-      modules: deployedModules
+      modules: upgradableModules
         .filter((m) => {
           const snap = snapshots.get(m.id);
           return snap?.latestVersion && snap.latestVersion !== snap.installedVersion;
@@ -449,40 +596,24 @@ export async function handleSystemUpdate(
   );
   const effectiveNoBackup = noBackup || !hasModuleUpdates;
 
-  // Pre-flight the storage check so a missing default doesn't reach the
-  // orchestrator's snapshot hook (where the throw would surface as a
-  // hostile stack trace). Skip when we're already not going to backup.
+  // Pre-flight the storage check so a missing/unusable default doesn't
+  // reach the orchestrator's snapshot hook (where the throw would
+  // surface as a hostile stack trace). Skip when we're already not
+  // going to backup.
   if (!effectiveNoBackup) {
-    const { getDefaultBackupStorage } = await import('../../services/backup-storage');
-    const storage = getDefaultBackupStorage();
-    if (!storage) {
-      return {
-        success: false,
-        error: `No default backup storage configured.
-
-celilo system update snapshots the celilo DB before applying module
-updates as a safety net. Configure backup storage first:
-
-  celilo storage add local
-
-Or skip the safety net entirely (the CLI self-update still runs):
-
-  celilo system update --no-backup`,
-      };
-    }
-    if (!storage.verified) {
-      return {
-        success: false,
-        error: `Default backup storage '${storage.storageId}' is not verified.
-
-Run:  celilo storage verify ${storage.storageId}
-
-Then re-run system update.`,
-      };
+    const { getDefaultBackupStorage, listBackupStorages } = await import(
+      '../../services/backup-storage'
+    );
+    const preflight = checkBackupStoragePreflight({
+      defaultStorage: getDefaultBackupStorage(),
+      allStorages: listBackupStorages(),
+    });
+    if (preflight.kind === 'error') {
+      return { success: false, error: preflight.message };
     }
   }
 
-  const ops = buildOps(registry);
+  const ops = buildOps(registry, wasDeployed);
 
   const result = await runSystemUpdate({
     audit: auditDeps,

package/src/cli/tui/icons.ts

@@ -9,6 +9,7 @@ export interface SeverityVisual {
 export const SEVERITY_VISUALS: Record<DriftSeverity, SeverityVisual> = {
   blocked: { icon: '×', color: 'red', label: 'BLOCKED' },
   drift: { icon: '▲', color: 'yellow', label: 'DRIFT' },
+  todo: { icon: '➤', color: 'gray', label: 'TODO' },
 };
 
 export const VERDICT_VISUALS: Record<AuditVerdict, SeverityVisual> = {
@@ -17,6 +18,11 @@ export const VERDICT_VISUALS: Record<AuditVerdict, SeverityVisual> = {
   READY: { icon: '✓', color: 'green', label: 'READY' },
 };
 
+// Lower rank = higher priority (sorts first when listing). todo is
+// the lowest priority — operators can scan past them when triaging
+// what actually needs attention.
 export function severityRank(s: DriftSeverity): number {
-  return s === 'blocked' ? 0 : 1;
+  if (s === 'blocked') return 0;
+  if (s === 'drift') return 1;
+  return 2; // todo
 }

package/src/services/audit/types.test.ts

@@ -17,6 +17,14 @@ const blocked: DriftFinding = {
   subject: 'lunacycle',
 };
 
+const todo: DriftFinding = {
+  category: 'undeployed_modules',
+  severity: 'todo',
+  code: 'module_undeployed',
+  message: 'namecheap: imported but not deployed (state: IMPORTED)',
+  subject: 'namecheap',
+};
+
 describe('computeVerdict', () => {
   test('READY when no findings', () => {
     expect(computeVerdict([])).toBe('READY');
@@ -33,4 +41,22 @@ describe('computeVerdict', () => {
   test('BLOCKED takes precedence regardless of order', () => {
     expect(computeVerdict([blocked, drift])).toBe('BLOCKED');
   });
+
+  // Pinning down the new severity tier: todo findings are
+  // informational reminders and never escalate the verdict beyond
+  // READY. The whole point of this severity level is to let
+  // categories like undeployed_modules and unconfigured_modules
+  // surface a TODO list without making `system update` look like
+  // it has unfinished work.
+  test('READY when only todo-severity findings', () => {
+    expect(computeVerdict([todo, { ...todo, subject: 'caddy' }])).toBe('READY');
+  });
+
+  test('DRIFT when both drift and todo findings exist (drift wins)', () => {
+    expect(computeVerdict([todo, drift])).toBe('DRIFT');
+  });
+
+  test('BLOCKED still wins over todos', () => {
+    expect(computeVerdict([todo, drift, blocked])).toBe('BLOCKED');
+  });
 });

package/src/services/audit/types.ts

@@ -3,14 +3,22 @@
  *
  * `runAudit` returns a `SystemAuditReport` aggregating findings from
  * each drift category. Each finding has a category (one of
- * `DriftCategory`), a severity (`drift` or `blocked`), a stable
+ * `DriftCategory`), a severity (`todo`, `drift`, or `blocked`), a stable
  * machine-readable code, and a human-readable message + suggested
  * remediation.
  *
  * The overall verdict is computed from the findings:
  * - any `blocked` finding → BLOCKED
  * - any `drift` finding (no blocked) → DRIFT
- * - no findings → READY
+ * - only `todo` findings (or none) → READY
+ *
+ * `todo` exists because some categories surface "next-step reminders"
+ * rather than actual divergence — `unconfigured_modules` and
+ * `undeployed_modules` are the canonical examples. The operator
+ * imported a module and hasn't gotten around to configuring/deploying;
+ * that's a TODO list, not a drifted system. Calling it DRIFT
+ * overloaded the term and made `system update` look like it had
+ * unfinished work even when it didn't.
  */
 
 export type DriftCategory =
@@ -29,7 +37,7 @@ export type DriftCategory =
   | 'services_reachable'
   | 'machines_reachable';
 
-export type DriftSeverity = 'drift' | 'blocked';
+export type DriftSeverity = 'todo' | 'drift' | 'blocked';
 
 export type AuditVerdict = 'READY' | 'DRIFT' | 'BLOCKED';
 
@@ -81,10 +89,12 @@ export interface SystemAuditReport {
 }
 
 /**
- * Compute the overall verdict from a set of findings.
+ * Compute the overall verdict from a set of findings. `todo` findings
+ * never escalate beyond READY — they're informational reminders, not
+ * a signal that the system has moved away from a desired state.
  */
 export function computeVerdict(findings: DriftFinding[]): AuditVerdict {
   if (findings.some((f) => f.severity === 'blocked')) return 'BLOCKED';
-  if (findings.length > 0) return 'DRIFT';
+  if (findings.some((f) => f.severity === 'drift')) return 'DRIFT';
   return 'READY';
 }

package/src/services/audit/unconfigured-modules.test.ts

@@ -9,7 +9,7 @@ describe('auditUnconfiguredModules', () => {
     expect(result).toHaveLength(1);
     expect(result[0]).toMatchObject({
       category: 'unconfigured_modules',
-      severity: 'drift',
+      severity: 'todo',
       code: 'module_unconfigured',
       actionable: false,
       subject: 'authentik',

package/src/services/audit/unconfigured-modules.ts

@@ -41,9 +41,13 @@ export async function auditUnconfiguredModules(
     if (ALREADY_DEPLOYED.has(m.state)) continue;
     if (m.configCount > 0) continue;
 
+    // todo: same reasoning as undeployed_modules — never running the
+    // configuration interview is a next-step reminder, not divergence
+    // from a desired state. Won't escalate the audit verdict beyond
+    // READY.
     findings.push({
       category: 'unconfigured_modules',
-      severity: 'drift',
+      severity: 'todo',
       code: 'module_unconfigured',
       message: `${m.id}: never configured (no config rows in DB)`,
       details: [

package/src/services/audit/undeployed-modules.test.ts

@@ -19,7 +19,7 @@ describe('auditUndeployedModules', () => {
     expect(result).toHaveLength(1);
     expect(result[0]).toMatchObject({
       category: 'undeployed_modules',
-      severity: 'drift',
+      severity: 'todo',
       code: 'module_undeployed',
       remediation: 'celilo module deploy authentik',
       actionable: true,

package/src/services/audit/undeployed-modules.ts

@@ -57,9 +57,15 @@ export async function auditUndeployedModules(
       continue;
     }
 
+    // todo: this is a next-step reminder, not a divergence from a
+    // desired state. The operator imported the module and hasn't
+    // deployed yet — that's a TODO list, not "the system has drifted".
+    // ERROR-state modules (handled above) DO stay severity=blocked
+    // because the operator's prior intent was to deploy, the deploy
+    // failed, and the system is now stuck pending intervention.
     findings.push({
       category: 'undeployed_modules',
-      severity: 'drift',
+      severity: 'todo',
       code: 'module_undeployed',
       message: `${m.id}: imported but not deployed (state: ${m.state})`,
       remediation: `celilo module deploy ${m.id}`,