@celilo/cli 0.3.30-alpha.0 → 0.4.0-alpha.0

package/src/services/deployed-systems.test.ts

@@ -0,0 +1,235 @@
+import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
+import { existsSync } from 'node:fs';
+import { rm } from 'node:fs/promises';
+import { type DbClient, createDbClient } from '../db/client';
+import {
+  containerServices,
+  machines,
+  moduleConfigs,
+  moduleInfrastructure,
+  moduleSystems,
+  modules,
+} from '../db/schema';
+import { backfillModuleSystems, getModuleSystems } from './deployed-systems';
+
+const TEST_DB_PATH = './test-deployed-systems.db';
+
+/**
+ * Coverage for the one-time `module_systems` upgrade backfill
+ * (v2/MODULE_SYSTEMS_ADDRESSING.md): a deployment created before 0007 has its
+ * host data in module_configs / ip_allocations / module_infrastructure but an
+ * empty module_systems, and the refactored hooks resolve to no system. The
+ * backfill reconstructs it. Mirrors the real turnip prod state (caddy etc.:
+ * proxmox container_service, target_ip with /24, vmid in module_configs).
+ */
+const SERVICE_ID = 'svc-proxmox';
+
+function ensureProxmoxService(db: DbClient): void {
+  if (
+    db
+      .select()
+      .from(containerServices)
+      .all()
+      .some((s) => s.id === SERVICE_ID)
+  )
+    return;
+  db.insert(containerServices)
+    .values({
+      id: SERVICE_ID,
+      serviceId: SERVICE_ID,
+      name: 'Proxmox',
+      providerName: 'proxmox',
+      zones: ['dmz', 'app', 'internal'] as Array<
+        'internal' | 'dmz' | 'app' | 'secure' | 'external'
+      >,
+      apiCredentialsEncrypted: JSON.stringify({ encryptedValue: '', iv: '', authTag: '' }),
+      providerConfig: { default_target_node: 'pve', lxc_template: 't', storage: 's' },
+      verified: true,
+    })
+    .run();
+}
+
+function seedProxmoxModule(
+  db: DbClient,
+  opts: { id: string; hostname: string; zone: string; targetIp: string; vmid: number },
+): void {
+  const serviceId = SERVICE_ID;
+  ensureProxmoxService(db);
+  db.insert(modules)
+    .values({
+      id: opts.id,
+      name: opts.id,
+      version: '1.0.0',
+      manifestData: { requires: { machine: { zone: opts.zone } } },
+      sourcePath: `/tmp/${opts.id}`,
+      state: 'VERIFIED',
+    })
+    .run();
+  db.insert(moduleInfrastructure)
+    .values({
+      id: `infra-${opts.id}`,
+      moduleId: opts.id,
+      infrastructureType: 'container_service',
+      serviceId,
+    })
+    .run();
+  for (const [key, value] of [
+    ['hostname', opts.hostname],
+    ['zone', opts.zone],
+    ['target_ip', opts.targetIp],
+    ['vmid', String(opts.vmid)],
+  ]) {
+    db.insert(moduleConfigs)
+      .values({ moduleId: opts.id, key, value, valueJson: JSON.stringify(value) })
+      .run();
+  }
+}
+
+describe('backfillModuleSystems', () => {
+  let db: DbClient;
+
+  beforeEach(() => {
+    db = createDbClient({ path: TEST_DB_PATH });
+  });
+
+  afterEach(async () => {
+    db.$client.close();
+    for (const suffix of ['', '-shm', '-wal']) {
+      const p = `${TEST_DB_PATH}${suffix}`;
+      if (existsSync(p)) await rm(p);
+    }
+  });
+
+  test('reconstructs a pre-0007 proxmox deployment into module_systems', () => {
+    seedProxmoxModule(db, {
+      id: 'caddy',
+      hostname: 'www',
+      zone: 'dmz',
+      targetIp: '10.0.10.10/24',
+      vmid: 200,
+    });
+    expect(getModuleSystems('caddy', db)).toHaveLength(0);
+
+    const filled = backfillModuleSystems(db);
+    expect(filled).toEqual(['caddy']);
+
+    const systems = getModuleSystems('caddy', db);
+    expect(systems).toHaveLength(1);
+    expect(systems[0]).toMatchObject({
+      name: 'main',
+      hostname: 'www',
+      ipv4_address: '10.0.10.10', // CIDR stripped
+      zone: 'dmz',
+      infrastructure: { type: 'container_service', serviceId: 'svc-proxmox', vmid: 200 },
+    });
+  });
+
+  test('is idempotent — a second run backfills nothing', () => {
+    seedProxmoxModule(db, {
+      id: 'authentik',
+      hostname: 'authentik',
+      zone: 'app',
+      targetIp: '10.0.20.10/24',
+      vmid: 201,
+    });
+    expect(backfillModuleSystems(db)).toEqual(['authentik']);
+    expect(backfillModuleSystems(db)).toEqual([]);
+    expect(getModuleSystems('authentik', db)).toHaveLength(1);
+  });
+
+  test('does not overwrite a system already recorded post-refactor', () => {
+    seedProxmoxModule(db, {
+      id: 'lunacycle',
+      hostname: 'lunacycle',
+      zone: 'app',
+      targetIp: '10.0.20.11/24',
+      vmid: 202,
+    });
+    // Simulate a deploy-time recording already present with a different IP.
+    db.insert(moduleSystems)
+      .values({
+        moduleId: 'lunacycle',
+        name: 'main',
+        hostname: 'lunacycle',
+        ipv4Address: '10.0.20.99',
+        zone: 'app',
+        infraType: 'container_service',
+        serviceId: 'svc-proxmox',
+        vmid: 202,
+      })
+      .run();
+
+    expect(backfillModuleSystems(db)).toEqual([]);
+    expect(getModuleSystems('lunacycle', db)[0].ipv4_address).toBe('10.0.20.99');
+  });
+
+  test('backfills a machine-pool deployment from the machine IP', () => {
+    db.insert(machines)
+      .values({
+        id: 'm-1',
+        hostname: 'pi-dns',
+        ipAddress: '192.168.0.151',
+        sshUser: 'peba',
+        sshKeyEncrypted: JSON.stringify({ encryptedValue: '', iv: '', authTag: '' }),
+        hardware: { cpu_cores: 4, memory_mb: 8192, disk_gb: 64 },
+        zone: 'internal',
+      })
+      .run();
+    db.insert(modules)
+      .values({
+        id: 'technitium',
+        name: 'technitium',
+        version: '1.0.0',
+        manifestData: { requires: { machine: { zone: 'internal' } } },
+        sourcePath: '/tmp/technitium',
+        state: 'VERIFIED',
+      })
+      .run();
+    db.insert(moduleInfrastructure)
+      .values({
+        id: 'infra-technitium',
+        moduleId: 'technitium',
+        infrastructureType: 'machine',
+        machineId: 'm-1',
+      })
+      .run();
+    db.insert(moduleConfigs)
+      .values({ moduleId: 'technitium', key: 'hostname', value: 'dns-int', valueJson: '"dns-int"' })
+      .run();
+
+    expect(backfillModuleSystems(db)).toEqual(['technitium']);
+    const systems = getModuleSystems('technitium', db);
+    expect(systems[0]).toMatchObject({
+      hostname: 'dns-int',
+      ipv4_address: '192.168.0.151',
+      zone: 'internal',
+      infrastructure: { type: 'machine', machineId: 'm-1' },
+    });
+    expect(systems[0].infrastructure.vmid).toBeUndefined();
+  });
+
+  test('skips an API-only module (no declared systems)', () => {
+    ensureProxmoxService(db);
+    db.insert(modules)
+      .values({
+        id: 'namecheap',
+        name: 'namecheap',
+        version: '1.0.0',
+        manifestData: { requires: {} },
+        sourcePath: '/tmp/namecheap',
+        state: 'INSTALLED',
+      })
+      .run();
+    db.insert(moduleInfrastructure)
+      .values({
+        id: 'infra-namecheap',
+        moduleId: 'namecheap',
+        infrastructureType: 'container_service',
+        serviceId: 'svc-proxmox',
+      })
+      .run();
+
+    expect(backfillModuleSystems(db)).toEqual([]);
+    expect(getModuleSystems('namecheap', db)).toHaveLength(0);
+  });
+});

package/src/services/deployed-systems.ts

@@ -0,0 +1,308 @@
+import type { DeployedSystem } from '@celilo/capabilities';
+import { and, eq } from 'drizzle-orm';
+import type { DbClient } from '../db/client';
+import {
+  type NetworkZone,
+  machines,
+  moduleConfigs,
+  moduleInfrastructure,
+  moduleSystems,
+  modules,
+} from '../db/schema';
+import { type ModuleManifest, getDeclaredSystems } from '../manifest/schema';
+import type { InfrastructureSelection } from '../types/infrastructure';
+import type { InfraSystemFields } from '../variables/types';
+
+/**
+ * The deployment-STATE layer: a module's 0..N deployed systems
+ * (v2/MODULE_SYSTEMS_ADDRESSING.md). Replaces the scalar `target_ip`/`vmid`
+ * rows that used to live in module_configs and the single-result
+ * `getModuleHostAndIp`. There is deliberately no "get THE system" helper —
+ * callers work with the array so the 0/1/N reality stays visible.
+ */
+
+/** Strip CIDR notation from an IPv4 address ("10.0.20.10/24" → "10.0.20.10"). */
+function stripCidr(addr: string): string {
+  const slash = addr.indexOf('/');
+  return slash === -1 ? addr : addr.slice(0, slash);
+}
+
+function rowToSystem(row: typeof moduleSystems.$inferSelect): DeployedSystem {
+  return {
+    name: row.name,
+    hostname: row.hostname,
+    ipv4_address: row.ipv4Address,
+    zone: row.zone,
+    infrastructure: {
+      type: row.infraType,
+      ...(row.machineId ? { machineId: row.machineId } : {}),
+      ...(row.serviceId ? { serviceId: row.serviceId } : {}),
+      ...(row.vmid != null ? { vmid: row.vmid } : {}),
+    },
+  };
+}
+
+/**
+ * All systems a module has deployed onto, ordered by name for determinism.
+ * Returns [] for API-only modules (e.g. namecheap) — that is a modeled state,
+ * not an error.
+ */
+export function getModuleSystems(moduleId: string, db: DbClient): DeployedSystem[] {
+  const rows = db.select().from(moduleSystems).where(eq(moduleSystems.moduleId, moduleId)).all();
+  return rows.map(rowToSystem).sort((a, b) => a.name.localeCompare(b.name));
+}
+
+/** Input to {@link upsertDeployedSystem} — the realized facts about one host. */
+export interface DeployedSystemInput {
+  /** Stable handle from requires.systems[].name — the per-system key. */
+  name: string;
+  hostname: string;
+  /** Accepts CIDR or bare; stored CIDR-stripped. */
+  ipv4Address: string;
+  zone: NetworkZone;
+  infraType: 'machine' | 'container_service';
+  machineId?: string | null;
+  serviceId?: string | null;
+  vmid?: number | null;
+}
+
+/**
+ * Insert or update one deployed system for a module, keyed by (moduleId, name).
+ * Idempotent — re-deploying the same system overwrites its address / infra
+ * fields. This is the single sink the old `target_ip` write sites collapse into.
+ */
+export function upsertDeployedSystem(
+  db: DbClient,
+  moduleId: string,
+  system: DeployedSystemInput,
+): void {
+  const ipv4 = stripCidr(system.ipv4Address);
+  db.insert(moduleSystems)
+    .values({
+      moduleId,
+      name: system.name,
+      hostname: system.hostname,
+      ipv4Address: ipv4,
+      zone: system.zone,
+      infraType: system.infraType,
+      machineId: system.machineId ?? null,
+      serviceId: system.serviceId ?? null,
+      vmid: system.vmid ?? null,
+      updatedAt: new Date(),
+    })
+    .onConflictDoUpdate({
+      target: [moduleSystems.moduleId, moduleSystems.name],
+      set: {
+        hostname: system.hostname,
+        ipv4Address: ipv4,
+        zone: system.zone,
+        infraType: system.infraType,
+        machineId: system.machineId ?? null,
+        serviceId: system.serviceId ?? null,
+        vmid: system.vmid ?? null,
+        updatedAt: new Date(),
+      },
+    })
+    .run();
+}
+
+const NETWORK_ZONES: readonly NetworkZone[] = ['internal', 'dmz', 'app', 'secure', 'external'];
+
+function asZone(value: string | undefined): NetworkZone | null {
+  return value && (NETWORK_ZONES as readonly string[]).includes(value)
+    ? (value as NetworkZone)
+    : null;
+}
+
+/**
+ * Resolve a module's deployed system(s) from the deploy state and persist them
+ * to `module_systems`. Called during deploy after infrastructure variables are
+ * resolved (the IP is known for machine / proxmox / DO alike). This is the
+ * single sink the old scattered `target_ip` writes collapse into.
+ *
+ * Transition: every current module declares exactly one system (via
+ * `requires.machine`, normalized to name `main`, or one `requires.systems`
+ * entry), so this records that single host from `hostname` config + the
+ * resolved IP. Returns the systems it recorded ([] for an API-only module with
+ * no host — e.g. namecheap). See v2/MODULE_SYSTEMS_ADDRESSING.md.
+ */
+export async function recordDeployedSystemForModule(
+  moduleId: string,
+  manifest: ModuleManifest,
+  infrastructure: InfrastructureSelection | undefined,
+  db: DbClient,
+): Promise<DeployedSystem[]> {
+  const declared = getDeclaredSystems(manifest);
+  // No declared systems → API-only module (e.g. namecheap). Records nothing.
+  if (declared.length === 0) return [];
+
+  const configs = db.select().from(moduleConfigs).where(eq(moduleConfigs.moduleId, moduleId)).all();
+  const cfg = (key: string) => configs.find((c) => c.key === key)?.value;
+
+  const hostname = cfg('hostname');
+  // No hostname → not yet addressable. A modeled state, not an error.
+  if (!hostname) return [];
+
+  // IP: the module's resolved target_ip, else ip.primary, else the assigned
+  // machine's own IP (machine-pool deploys where neither was written).
+  let ip = cfg('target_ip') ?? cfg('ip.primary');
+  if (!ip && infrastructure?.machineId) {
+    const machine = db
+      .select()
+      .from(machines)
+      .where(eq(machines.id, infrastructure.machineId))
+      .get();
+    ip = machine?.ipAddress;
+  }
+  if (!ip) return [];
+
+  // Single-system transition: take the first declared system's name + zone.
+  const decl = declared[0];
+  const zone = asZone(decl.resources.zone) ?? asZone(cfg('zone'));
+  if (!zone) {
+    throw new Error(
+      `Cannot record deployed system for '${moduleId}': no resolvable network zone (checked requires.systems[].resources.zone and config.zone).`,
+    );
+  }
+
+  const infraType = infrastructure?.type ?? 'machine';
+  const vmidStr = cfg('vmid');
+  const vmid = vmidStr ? Number.parseInt(vmidStr, 10) : null;
+
+  upsertDeployedSystem(db, moduleId, {
+    name: decl.name,
+    hostname,
+    ipv4Address: ip,
+    zone,
+    infraType,
+    machineId: infrastructure?.machineId ?? null,
+    serviceId: infrastructure?.serviceId ?? null,
+    vmid: Number.isNaN(vmid as number) ? null : vmid,
+  });
+
+  return getModuleSystems(moduleId, db);
+}
+
+/**
+ * One-time upgrade backfill: populate `module_systems` for deployments that
+ * predate `0007_module_systems` (v2/MODULE_SYSTEMS_ADDRESSING.md). A DB created
+ * before the target_ip → systems refactor has its host data in
+ * `module_configs.target_ip` / `vmid` / `zone` + `ip_allocations` +
+ * `module_infrastructure`, but an empty `module_systems` — so `$infra:` and
+ * `ctx.systems` resolve to nothing and the migrated hooks throw "No deployed
+ * system found". This reconstructs each module's system from that existing
+ * state, mirroring `recordDeployedSystemForModule`'s field derivation.
+ *
+ * Idempotent: skips any module that already has a `module_systems` row, so it's
+ * safe to call on every schema upgrade. Intended to run once, right after
+ * migrations apply, gated on a migration actually having happened (a fresh DB
+ * has no `module_infrastructure` rows, so this is a no-op there). Returns the
+ * module ids it backfilled, for operator-visible logging.
+ */
+export function backfillModuleSystems(db: DbClient): string[] {
+  const backfilled: string[] = [];
+
+  for (const infra of db.select().from(moduleInfrastructure).all()) {
+    // Already recorded (post-refactor deploy, or a prior backfill run) — skip.
+    if (getModuleSystems(infra.moduleId, db).length > 0) continue;
+
+    const moduleRow = db.select().from(modules).where(eq(modules.id, infra.moduleId)).get();
+    if (!moduleRow?.manifestData) continue;
+
+    const declared = getDeclaredSystems(moduleRow.manifestData as ModuleManifest);
+    // API-only module (no host) — nothing to record.
+    if (declared.length === 0) continue;
+
+    const configs = db
+      .select()
+      .from(moduleConfigs)
+      .where(eq(moduleConfigs.moduleId, infra.moduleId))
+      .all();
+    const cfg = (key: string) => configs.find((c) => c.key === key)?.value;
+
+    const hostname = cfg('hostname');
+    if (!hostname) continue;
+
+    // IP: resolved target_ip, else ip.primary, else the assigned machine's own
+    // IP (machine-pool deploy where neither was written). Mirrors
+    // recordDeployedSystemForModule. CIDR is stripped by upsertDeployedSystem.
+    let ip = cfg('target_ip') ?? cfg('ip.primary');
+    if (!ip && infra.machineId) {
+      ip = db.select().from(machines).where(eq(machines.id, infra.machineId)).get()?.ipAddress;
+    }
+    if (!ip) continue;
+
+    const decl = declared[0];
+    const zone = asZone(decl.resources.zone) ?? asZone(cfg('zone'));
+    // Can't address a system without a zone; skip rather than abort the whole
+    // backfill (a re-deploy will record it properly).
+    if (!zone) continue;
+
+    const vmidStr = cfg('vmid');
+    const vmid = vmidStr ? Number.parseInt(vmidStr, 10) : null;
+
+    upsertDeployedSystem(db, infra.moduleId, {
+      name: decl.name,
+      hostname,
+      ipv4Address: ip,
+      zone,
+      infraType: infra.infrastructureType,
+      machineId: infra.machineId ?? null,
+      serviceId: infra.serviceId ?? null,
+      vmid: vmid != null && !Number.isNaN(vmid) ? vmid : null,
+    });
+    backfilled.push(infra.moduleId);
+  }
+
+  return backfilled;
+}
+
+/** Default CIDR prefix length when a zone has no `network.<zone>.subnet` set. */
+const DEFAULT_PREFIX = 24;
+
+/** Extract the prefix length ("/24" → 24) from a CIDR; default 24. */
+function prefixOf(subnetCidr: string | undefined): number {
+  if (!subnetCidr) return DEFAULT_PREFIX;
+  const slash = subnetCidr.indexOf('/');
+  if (slash === -1) return DEFAULT_PREFIX;
+  const n = Number.parseInt(subnetCidr.slice(slash + 1), 10);
+  return Number.isNaN(n) ? DEFAULT_PREFIX : n;
+}
+
+/**
+ * Build the `$infra:<name>.<field>` lookup for a module — one entry per deployed
+ * system, keyed by its `name`. `cidr` is derived from `ipv4_address` + the
+ * zone's prefix (from `network.<zone>.subnet` in system config). Consumed by the
+ * variable resolver at generate time. v2/MODULE_SYSTEMS_ADDRESSING.md.
+ */
+export function buildInfraSystemsMap(
+  moduleId: string,
+  db: DbClient,
+  systemConfig: Record<string, string>,
+): Record<string, InfraSystemFields> {
+  const map: Record<string, InfraSystemFields> = {};
+  for (const sys of getModuleSystems(moduleId, db)) {
+    const prefix = prefixOf(systemConfig[`network.${sys.zone}.subnet`]);
+    map[sys.name] = {
+      name: sys.name,
+      hostname: sys.hostname,
+      ipv4_address: sys.ipv4_address,
+      zone: sys.zone,
+      cidr: `${sys.ipv4_address}/${prefix}`,
+      vmid: sys.infrastructure.vmid != null ? String(sys.infrastructure.vmid) : '',
+    };
+  }
+  return map;
+}
+
+/** Remove all deployed-system rows for a module (used on uninstall/teardown). */
+export function deleteModuleSystems(db: DbClient, moduleId: string): void {
+  db.delete(moduleSystems).where(eq(moduleSystems.moduleId, moduleId)).run();
+}
+
+/** Remove a single deployed system (used when one host of N is torn down). */
+export function deleteDeployedSystem(db: DbClient, moduleId: string, hostname: string): void {
+  db.delete(moduleSystems)
+    .where(and(eq(moduleSystems.moduleId, moduleId), eq(moduleSystems.hostname, hostname)))
+    .run();
+}

package/src/services/dns-provider-backfill.ts

@@ -0,0 +1,75 @@
+/**
+ * Deploy-time DNS backfill for a freshly-deployed `dns_internal` provider.
+ *
+ * Event deliveries bind at emit time, so a provider that deploys late never
+ * receives the `system.created` events of systems that came up before it. This
+ * backfill closes that gap: when a `dns_internal` provider deploys, it registers
+ * every currently-deployed system in its zones by invoking its OWN
+ * `on_system_event` hook once per host. The ongoing case (a system deploying
+ * AFTER the provider) is handled by the provider's `system.created.*`
+ * subscription. See v2/EVENT_DRIVEN_HOOK_SUBSCRIPTIONS.md.
+ *
+ * All DNS mechanics (which zones, register vs delete) live in the module's
+ * hook; this file only decides WHICH hosts and invokes the hook. That is the
+ * D5 division of labour: celilo owns host inventory, the module owns DNS.
+ */
+
+import type { HookLogger } from '@celilo/capabilities';
+import { and, eq } from 'drizzle-orm';
+import type { DbClient } from '../db/client';
+import { capabilities as capabilitiesTable, modules } from '../db/schema';
+import { runNamedHook } from '../hooks/run-named-hook';
+import type { HookName } from '../hooks/types';
+import { getModuleSystems } from './deployed-systems';
+
+/** True when `moduleId` provides the `dns_internal` capability. */
+export function isDnsInternalProvider(moduleId: string, db: DbClient): boolean {
+  const row = db
+    .select()
+    .from(capabilitiesTable)
+    .where(
+      and(
+        eq(capabilitiesTable.capabilityName, 'dns_internal'),
+        eq(capabilitiesTable.moduleId, moduleId),
+      ),
+    )
+    .get();
+  return Boolean(row);
+}
+
+/**
+ * Register every currently-deployed system in the just-deployed provider's
+ * zones, via its `on_system_event` hook (`op: register`). Includes the provider
+ * itself, so the provider's own record exists even in daemonless contexts where
+ * no dispatcher delivers its `system.created` event.
+ *
+ * Attempts every host, then throws an aggregated error if any failed (no
+ * surprises; v2/issues/ISS-0004) — one bad host doesn't abort the rest.
+ */
+export async function backfillProviderDns(
+  moduleId: string,
+  db: DbClient,
+  logger: HookLogger,
+): Promise<void> {
+  logger.info(`dns_internal provider '${moduleId}' deployed — backfilling DNS for all systems`);
+
+  const deployed = db.select().from(modules).all();
+  const failures: string[] = [];
+
+  // One register per deployed system across all modules — a module with N
+  // hosts backfills N records (v2/MODULE_SYSTEMS_ADDRESSING.md).
+  for (const mod of deployed) {
+    for (const sys of getModuleSystems(mod.id, db)) {
+      const result = await runNamedHook(moduleId, 'on_system_event' as HookName, db, logger, {
+        inputs: { hostname: sys.hostname, target_ip: sys.ipv4_address, op: 'register' },
+      });
+      if (!result.success && !result.notDefined) {
+        failures.push(`${sys.hostname} (${mod.id}): ${result.error ?? 'unknown error'}`);
+      }
+    }
+  }
+
+  if (failures.length > 0) {
+    throw new Error(`DNS backfill failed for ${failures.length} host(s): ${failures.join('; ')}`);
+  }
+}

package/src/services/health-runner.ts

@@ -17,6 +17,7 @@ import type { HookResult } from '../hooks/types';
 import type { ModuleManifest } from '../manifest/schema';
 import { decryptSecret } from '../secrets/encryption';
 import { getOrCreateMasterKey } from '../secrets/master-key';
+import { getModuleSystems } from './deployed-systems';
 
 export interface HealthCheckItem {
   name: string;
@@ -95,7 +96,12 @@ export async function runModuleHealthCheck(
       configMap,
       secretMap,
       logger,
-      { debug: true, capabilities: capabilityFunctions, requiredCapabilities },
+      {
+        debug: true,
+        capabilities: capabilityFunctions,
+        requiredCapabilities,
+        systems: getModuleSystems(moduleId, db),
+      },
     );
   } else if (options.onProgress) {
     // TUI mode: emit a progress message instead of drawing FuelGauge
@@ -114,7 +120,12 @@ export async function runModuleHealthCheck(
       configMap,
       secretMap,
       logger,
-      { debug: false, capabilities: capabilityFunctions, requiredCapabilities },
+      {
+        debug: false,
+        capabilities: capabilityFunctions,
+        requiredCapabilities,
+        systems: getModuleSystems(moduleId, db),
+      },
     );
   } else {
     const gauge = new FuelGauge('Testing app', {
@@ -132,7 +143,12 @@ export async function runModuleHealthCheck(
       configMap,
       secretMap,
       logger,
-      { debug: false, capabilities: capabilityFunctions, requiredCapabilities },
+      {
+        debug: false,
+        capabilities: capabilityFunctions,
+        requiredCapabilities,
+        systems: getModuleSystems(moduleId, db),
+      },
     );
     gauge.stop(hookResult.success);
   }