@celilo/cli 0.3.30-alpha.0 → 0.4.0-alpha.0

package/src/services/system-init.test.ts

@@ -8,7 +8,7 @@ import type { DbClient } from '../db/client';
 import { systemConfig } from '../db/schema';
 import { setupTestDatabase } from '../test-utils/database';
 import {
-  autoDetectSSHKey,
+  autoDetectSSHKeys,
   getDefaultConfiguration,
   initializeSystem,
   isSystemInitialized,
@@ -22,25 +22,35 @@ describe('System Init Service', () => {
   });
 
   describe('getDefaultConfiguration', () => {
-    test('returns all default values from schema', async () => {
-      const defaults = await getDefaultConfiguration();
+    test('returns default values from schema', () => {
+      const defaults = getDefaultConfiguration();
 
+      // network.bridge keeps its default (a container-service concept, not
+      // a zone address).
       expect(defaults['network.bridge']).toBe('vmbr0');
-      expect(defaults['network.dmz.subnet']).toBe('10.0.10.0/24');
-      expect(defaults['network.dmz.vlan']).toBe(10);
+      // Network/DNS addressing is no longer defaulted
+      // (v2/NETWORK_CONFIG_TO_FIREWALL.md): internal is discovered at
+      // celilo-mgmt install; dmz/app/secure appear only when a firewall
+      // module provides them.
+      expect(defaults['network.dmz.subnet']).toBeUndefined();
+      expect(defaults['network.dmz.vlan']).toBeUndefined();
+      expect(defaults['network.internal.subnet']).toBeUndefined();
+      expect(defaults['dns.primary']).toBeUndefined();
+      expect(defaults['dns.fallback']).toBeUndefined();
       // primary_domain was removed from system config in MANIFEST_V2 D9.
       expect(defaults.primary_domain).toBeUndefined();
     });
   });
 
-  describe('autoDetectSSHKey', () => {
-    test('returns null or string', () => {
-      const key = autoDetectSSHKey();
+  describe('autoDetectSSHKeys', () => {
+    test('returns an array of detected keys', () => {
+      const keys = autoDetectSSHKeys();
 
-      // Either null (no key found) or a non-empty string
-      if (key !== null) {
-        expect(typeof key).toBe('string');
-        expect(key.length).toBeGreaterThan(0);
+      // Either empty (no key found) or entries with non-empty content.
+      expect(Array.isArray(keys)).toBe(true);
+      for (const key of keys) {
+        expect(typeof key.content).toBe('string');
+        expect(key.content.length).toBeGreaterThan(0);
       }
     });
   });
@@ -62,8 +72,14 @@ describe('System Init Service', () => {
       expect(networkBridge?.value).toBe('vmbr0');
     });
 
-    test('computes gateway IPs from subnets', () => {
-      initializeSystem(db);
+    test('computes gateway IPs from provided subnets', () => {
+      // Subnets are no longer defaulted, so the operator/firewall supplies
+      // them as overrides; the gateway is still auto-computed from the
+      // subnet network address.
+      initializeSystem(db, {
+        'network.dmz.subnet': '10.0.10.0/24',
+        'network.app.subnet': '10.0.20.0/24',
+      });
 
       // Check DMZ gateway was computed
       const dmzGateway = db
@@ -84,6 +100,30 @@ describe('System Init Service', () => {
       expect(appGateway?.value).toBe('10.0.20.1');
     });
 
+    test('does not seed network/DNS addressing by default', () => {
+      initializeSystem(db);
+
+      for (const key of [
+        'network.dmz.subnet',
+        'network.app.subnet',
+        'network.secure.subnet',
+        'network.internal.subnet',
+        'dns.primary',
+        'dns.fallback',
+      ]) {
+        const row = db.select().from(systemConfig).where(eq(systemConfig.key, key)).get();
+        expect(row).toBeUndefined();
+      }
+
+      // network.bridge IS still seeded.
+      const bridge = db
+        .select()
+        .from(systemConfig)
+        .where(eq(systemConfig.key, 'network.bridge'))
+        .get();
+      expect(bridge?.value).toBe('vmbr0');
+    });
+
     test('applies overrides instead of defaults', () => {
       initializeSystem(db, {
         primary_domain: 'custom.com',
@@ -112,8 +152,9 @@ describe('System Init Service', () => {
     test('includes SSH key if auto-detected', () => {
       const config = initializeSystem(db);
 
-      const detectedKey = autoDetectSSHKey();
-      if (detectedKey) {
+      const detectedKeys = autoDetectSSHKeys();
+      if (detectedKeys.length > 0) {
+        const detectedKey = detectedKeys[0].content;
         expect(config['ssh.public_key']).toBe(detectedKey);
 
         const sshKey = db
@@ -140,14 +181,16 @@ describe('System Init Service', () => {
       expect(initialized).toBe(true);
     });
 
-    test('returns true with partial configuration', async () => {
-      // Critical keys are network.dmz.subnet and ssh.public_key (2 of 2 after
-      // primary_domain was removed in D9).
+    test('keys off the sentinel, not config rows', async () => {
+      // Config rows present but no sentinel → NOT initialized. Initialization
+      // is tracked by the explicit `system.initialized` marker
+      // (v2/NETWORK_CONFIG_TO_FIREWALL.md), not by any network row.
       db.insert(systemConfig).values({ key: 'network.dmz.subnet', value: '10.0.0.0/24' }).run();
       db.insert(systemConfig).values({ key: 'ssh.public_key', value: 'ssh-rsa AAAA...' }).run();
+      expect(isSystemInitialized(db)).toBe(false);
 
-      const initialized = isSystemInitialized(db);
-      expect(initialized).toBe(true);
+      db.insert(systemConfig).values({ key: 'system.initialized', value: 'true' }).run();
+      expect(isSystemInitialized(db)).toBe(true);
     });
   });
 });

package/src/services/system-init.ts

@@ -127,12 +127,6 @@ export function autoDetectSSHKeys(): DetectedSSHKey[] {
   return keys;
 }
 
-/** @deprecated Use autoDetectSSHKeys() instead */
-export function autoDetectSSHKey(): string | null {
-  const keys = autoDetectSSHKeys();
-  return keys.length > 0 ? keys[0].content : null;
-}
-
 /**
  * Initialize system configuration with defaults
  *
@@ -165,9 +159,9 @@ export function initializeSystem(
 
   // Auto-detect SSH key if not provided
   if (!config['ssh.public_key']) {
-    const detectedKey = autoDetectSSHKey();
-    if (detectedKey) {
-      config['ssh.public_key'] = detectedKey;
+    const detectedKeys = autoDetectSSHKeys();
+    if (detectedKeys.length > 0) {
+      config['ssh.public_key'] = detectedKeys[0].content;
     }
   }
 
@@ -204,6 +198,19 @@ export function initializeSystem(
       .run();
   }
 
+  // Explicit init marker. Network/DNS addressing is no longer seeded with
+  // defaults (v2/NETWORK_CONFIG_TO_FIREWALL.md), so we can't key
+  // "is this system initialized?" off a network row anymore. Write a
+  // dedicated sentinel instead. additionalProperties:true in the schema
+  // permits this non-schema key.
+  db.insert(systemConfig)
+    .values({ key: 'system.initialized', value: 'true' })
+    .onConflictDoUpdate({
+      target: systemConfig.key,
+      set: { value: 'true' },
+    })
+    .run();
+
   return config;
 }
 
@@ -228,26 +235,21 @@ export function loadExistingConfiguration(db: DbClient): Record<string, string>
 /**
  * Check if system is already initialized
  *
- * System is considered initialized if critical configuration exists:
- * - At least one network zone subnet
- * - ssh.public_key
+ * Keys off the explicit `system.initialized` sentinel written by
+ * initializeSystem(). Earlier this checked for a seeded network zone
+ * subnet, but network/DNS addressing is no longer defaulted
+ * (v2/NETWORK_CONFIG_TO_FIREWALL.md), so a fresh init leaves those
+ * rows absent.
  *
  * @param db - Database instance
- * @returns true if system appears to be initialized
+ * @returns true if initializeSystem has run against this database
  */
 export function isSystemInitialized(db: DbClient): boolean {
-  const criticalKeys = ['network.dmz.subnet', 'ssh.public_key'];
-
-  let foundKeys = 0;
-
-  for (const key of criticalKeys) {
-    const result = db.select().from(systemConfig).where(eq(systemConfig.key, key)).get();
-
-    if (result) {
-      foundKeys++;
-    }
-  }
+  const result = db
+    .select()
+    .from(systemConfig)
+    .where(eq(systemConfig.key, 'system.initialized'))
+    .get();
 
-  // Consider initialized if at least 2 of 3 critical keys exist
-  return foundKeys >= 2;
+  return result?.value === 'true';
 }

package/src/templates/generator.test.ts

@@ -3,7 +3,8 @@ import { existsSync } from 'node:fs';
 import { mkdir, readFile, rm, writeFile } from 'node:fs/promises';
 import { join } from 'node:path';
 import { type DbClient, createDbClient } from '../db/client';
-import { capabilities, moduleConfigs } from '../db/schema';
+import { capabilities } from '../db/schema';
+import { upsertModuleConfig } from '../services/module-config';
 import {
   discoverTemplateFiles,
   generateTemplates,
@@ -319,12 +320,8 @@ describe('Template Generator', () => {
         `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('test-module', 'Test', '1.0.0', '/path', '{}')`,
       );
 
-      db.insert(moduleConfigs)
-        .values([
-          { moduleId: 'test-module', key: 'target_ip', value: '192.168.0.50' },
-          { moduleId: 'test-module', key: 'hostname', value: 'test' },
-        ])
-        .run();
+      upsertModuleConfig(db, 'test-module', 'target_ip', '192.168.0.50');
+      upsertModuleConfig(db, 'test-module', 'hostname', 'test');
 
       // Insert system config
       db.$client.run(
@@ -375,9 +372,7 @@ resource "proxmox_lxc" "container" {
       db.$client.run(
         `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('test-module', 'Test', '1.0.0', '/path', '{}')`,
       );
-      db.insert(moduleConfigs)
-        .values({ moduleId: 'test-module', key: 'name', value: 'test' })
-        .run();
+      upsertModuleConfig(db, 'test-module', 'name', 'test');
 
       // Create templates
       await mkdir(join(TEST_MODULE_DIR, 'terraform'), { recursive: true });
@@ -511,9 +506,7 @@ resource "proxmox_lxc" "container" {
         `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('test-module', 'Test', '1.0.0', '/path', ?)`,
         [manifestWithResources],
       );
-      db.insert(moduleConfigs)
-        .values({ moduleId: 'test-module', key: 'name', value: 'test' })
-        .run();
+      upsertModuleConfig(db, 'test-module', 'name', 'test');
 
       // Insert dummy machine (required for foreign key)
       db.$client.run(
@@ -598,9 +591,7 @@ resource "proxmox_lxc" "container" {
         `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('test-module', 'Test', '1.0.0', '/path', ?)`,
         [manifestWithResources],
       );
-      db.insert(moduleConfigs)
-        .values({ moduleId: 'test-module', key: 'name', value: 'test' })
-        .run();
+      upsertModuleConfig(db, 'test-module', 'name', 'test');
 
       // Insert dummy container service (required for foreign key)
       db.$client.run(

package/src/templates/generator.ts

@@ -18,6 +18,7 @@ import {
 import type { AnsibleCollection, ModuleManifest } from '../manifest/schema';
 import { validateZoneRequirements } from '../manifest/validate';
 import { selectInfrastructure } from '../services/infrastructure-selector';
+import { upsertModuleConfig } from '../services/module-config';
 import type { InfrastructureSelection } from '../types/infrastructure';
 import { convertSecretsToJinja } from '../variables/ansible-resolver';
 import { buildResolutionContext } from '../variables/context';
@@ -532,39 +533,11 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
         );
       }
 
-      // Store allocation in config temporarily (will be available in context)
-      // These are "virtual" config values - not stored in module_configs table
-      // Insert VMID
-      db.insert(moduleConfigs)
-        .values({
-          moduleId,
-          key: '__ipam_vmid',
-          value: String(allocation.vmid),
-          valueJson: null,
-        })
-        .onConflictDoUpdate({
-          target: [moduleConfigs.moduleId, moduleConfigs.key],
-          set: {
-            value: String(allocation.vmid),
-          },
-        })
-        .run();
-
-      // Insert container IP
-      db.insert(moduleConfigs)
-        .values({
-          moduleId,
-          key: '__ipam_container_ip',
-          value: allocation.containerIp,
-          valueJson: null,
-        })
-        .onConflictDoUpdate({
-          target: [moduleConfigs.moduleId, moduleConfigs.key],
-          set: {
-            value: allocation.containerIp,
-          },
-        })
-        .run();
+      // Store allocation in config temporarily (will be available in context).
+      // These are "virtual" config values (the __ipam_ prefix flags them as
+      // framework-internal). Typed: vmid is number, container_ip is string.
+      upsertModuleConfig(db, moduleId, '__ipam_vmid', allocation.vmid);
+      upsertModuleConfig(db, moduleId, '__ipam_container_ip', allocation.containerIp);
     } catch (error) {
       return {
         success: false,
@@ -598,18 +571,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
       ];
 
       for (const prop of infraProperties) {
-        db.insert(moduleConfigs)
-          .values({
-            moduleId,
-            key: `__infra_${prop.key}`,
-            value: prop.value,
-            valueJson: null,
-          })
-          .onConflictDoUpdate({
-            target: [moduleConfigs.moduleId, moduleConfigs.key],
-            set: { value: prop.value, updatedAt: new Date() },
-          })
-          .run();
+        upsertModuleConfig(db, moduleId, `__infra_${prop.key}`, prop.value);
       }
 
       log.success(
@@ -677,8 +639,6 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
       const derivedValue = context.selfConfig[variable.name];
       if (derivedValue === undefined) continue;
 
-      const stringValue =
-        typeof derivedValue === 'string' ? derivedValue : JSON.stringify(derivedValue);
       const existing = db
         .select()
         .from(moduleConfigs)
@@ -686,14 +646,16 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
         .get();
 
       if (!existing) {
-        db.insert(moduleConfigs)
-          .values({
-            moduleId,
-            key: variable.name,
-            value: typeof derivedValue === 'string' ? stringValue : '',
-            valueJson: typeof derivedValue !== 'string' ? stringValue : null,
-          })
-          .run();
+        // Insert-only (not upsert) — derived values only seed on first
+        // generate; subsequent runs preserve whatever the user has set.
+        // Routes through upsertModuleConfig anyway because the helper
+        // is the only path that maintains the valueJson invariant.
+        upsertModuleConfig(
+          db,
+          moduleId,
+          variable.name,
+          derivedValue as string | number | boolean | unknown[] | Record<string, unknown>,
+        );
       }
     }
   }
@@ -787,33 +749,12 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
 
       if (value !== undefined) {
         // Store in module_configs so it appears in host_vars
-        const stringValue = typeof value === 'string' ? value : JSON.stringify(value);
-        const existing = db
-          .select()
-          .from(moduleConfigs)
-          .where(and(eq(moduleConfigs.moduleId, moduleId), eq(moduleConfigs.key, imp.name)))
-          .get();
-
-        const isString = typeof value === 'string';
-        if (existing) {
-          db.update(moduleConfigs)
-            .set({
-              value: isString ? stringValue : '',
-              valueJson: isString ? null : stringValue,
-              updatedAt: new Date(),
-            })
-            .where(eq(moduleConfigs.id, existing.id))
-            .run();
-        } else {
-          db.insert(moduleConfigs)
-            .values({
-              moduleId,
-              key: imp.name,
-              value: isString ? stringValue : '',
-              valueJson: isString ? null : stringValue,
-            })
-            .run();
-        }
+        upsertModuleConfig(
+          db,
+          moduleId,
+          imp.name,
+          value as string | number | boolean | unknown[] | Record<string, unknown>,
+        );
 
         // Redact sensitive values in logs
         const isSensitive =
@@ -1000,21 +941,10 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
               ),
             )
             .get();
-          if (existingTasksPath) {
-            db.update(moduleConfigs)
-              .set({ value: tasksPathValue, updatedAt: new Date() })
-              .where(eq(moduleConfigs.id, existingTasksPath.id))
-              .run();
-          } else {
-            db.insert(moduleConfigs)
-              .values({
-                moduleId,
-                key: 'registrar_tasks_path',
-                value: tasksPathValue,
-                valueJson: null,
-              })
-              .run();
-          }
+          upsertModuleConfig(db, moduleId, 'registrar_tasks_path', tasksPathValue);
+          // (existingTasksPath select above is now redundant — left for
+          // the broader refactor; upsertModuleConfig is idempotent.)
+          void existingTasksPath;
         }
       }
     }
@@ -1024,24 +954,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
   // Modules with build artifacts (e.g., compiled binaries, static assets) need
   // this path so Ansible can copy them to the target machine.
   if (manifest.build?.artifacts && manifest.build.artifacts.length > 0) {
-    const existing = db
-      .select()
-      .from(moduleConfigs)
-      .where(
-        and(eq(moduleConfigs.moduleId, moduleId), eq(moduleConfigs.key, 'build_artifacts_dir')),
-      )
-      .get();
-
-    if (!existing) {
-      db.insert(moduleConfigs)
-        .values({ moduleId, key: 'build_artifacts_dir', value: modulePath })
-        .run();
-    } else {
-      db.update(moduleConfigs)
-        .set({ value: modulePath, updatedAt: new Date() })
-        .where(eq(moduleConfigs.id, existing.id))
-        .run();
-    }
+    upsertModuleConfig(db, moduleId, 'build_artifacts_dir', modulePath);
   }
 
   // Execution: Generate Ansible inventory structure

package/src/test-utils/integration.ts

@@ -67,8 +67,11 @@ export async function setupIntegrationTest(): Promise<IntegrationTestContext> {
   // the same path so subprocess + responder share the bus DB.
   const busDbPath = join(dataDir, 'events.db');
 
-  // CLI with isolated environment
-  const cli = `CELILO_DB_PATH="${dbPath}" CELILO_DATA_DIR="${dataDir}" bun run src/cli/index.ts`;
+  // CLI with isolated environment. CELILO_SUPPRESS_DEPRECATION silences
+  // the legacy-path banners (e.g. on `celilo system init`) so they
+  // don't pollute test output — the banners are an operator-UX concern,
+  // not a CI signal.
+  const cli = `CELILO_DB_PATH="${dbPath}" CELILO_DATA_DIR="${dataDir}" CELILO_SUPPRESS_DEPRECATION=1 bun run src/cli/index.ts`;
 
   // Note: Migrations are auto-run by createDbClient() in setupTestDatabaseFile()
 

package/src/types/infrastructure.ts

@@ -87,6 +87,14 @@ export interface Machine {
   assignedModuleIds: string[];
   /** Module ID this machine is earmarked for, or null/undefined */
   earmarkedModule?: string | null;
+  /**
+   * Appliance / API-only machines (e.g., greenwave) where celilo has
+   * no shell access. Base-module aspects skip these — see
+   * v2/CELILO_BASE.md D8. Optional on the type because most call
+   * sites don't care; the DB column defaults to false so the
+   * effective value is well-defined regardless.
+   */
+  apiOnly?: boolean;
   createdAt: Date;
   updatedAt: Date;
 }