@celilo/cli 0.3.30-alpha.0 → 0.4.0-alpha.0

package/src/variables/context.ts

@@ -4,16 +4,23 @@ import { getDb } from '../db/client';
 import type { DbClient } from '../db/client';
 import {
   capabilities,
+  containerServices,
+  machines,
   moduleConfigs,
+  moduleInfrastructure,
   modules,
   secrets,
   systemConfig,
   systemSecrets,
 } from '../db/schema';
 import { allocateResources, getAllocation } from '../ipam/allocator';
-import type { ModuleManifest } from '../manifest/schema';
+import { type ModuleManifest, getDeclaredSystems } from '../manifest/schema';
 import { decryptSecret } from '../secrets/encryption';
 import { getOrCreateMasterKey } from '../secrets/master-key';
+import { upsertModuleConfig } from '../services/module-config';
+import { resolveComputedFields } from './computed/evaluate';
+import { containsComputedMarker } from './computed/marker';
+import { buildProviderLookup } from './computed/provider-lookup';
 import { applyDeclarativeDerivations } from './declarative-derivation';
 import { applyIndex, parsePath } from './parser';
 import type { ResolutionContext } from './types';
@@ -88,75 +95,6 @@ async function autoAssignFromWellKnown(
   return result;
 }
 
-/**
- * Determine if module needs IPAM auto-allocation
- * Policy function - checks manifest and config
- *
- * A module needs IPAM if:
- * 1. It declares vmid and target_ip variables (container-based), AND
- * 2. These values are not already set in module config
- *
- * @param manifest - Module manifest
- * @param selfConfig - Current module configuration
- * @returns true if IPAM allocation needed
- */
-function needsIpamAllocation(
-  manifest: ModuleManifest,
-  selfConfig: Record<string, string>,
-): boolean {
-  const variables = manifest.variables?.owns ?? [];
-
-  const hasVmid = variables.some((v) => v.name === 'vmid');
-  const hasTargetIp = variables.some((v) => v.name === 'target_ip');
-
-  // Module must declare both vmid and target_ip to be container-based
-  if (!hasVmid || !hasTargetIp) {
-    return false;
-  }
-
-  // Check if already allocated (both must be present)
-  const vmidSet = selfConfig.vmid !== undefined && selfConfig.vmid !== '';
-  const ipSet = selfConfig.target_ip !== undefined && selfConfig.target_ip !== '';
-
-  // Need allocation if either is missing
-  return !vmidSet || !ipSet;
-}
-
-/**
- * Determine network zone for module
- * Policy function - extracts zone from manifest or config
- *
- * Zone determination priority:
- * 1. Explicit zone in module config (user override)
- * 2. VM resources zone in manifest
- * 3. Default to 'dmz'
- *
- * @param manifest - Module manifest
- * @param selfConfig - Current module configuration
- * @returns Network zone ('dmz', 'app', 'secure', or 'internal')
- */
-function determineModuleZone(
-  manifest: ModuleManifest,
-  selfConfig: Record<string, string>,
-): 'dmz' | 'app' | 'secure' | 'internal' {
-  // Priority 1: Explicit zone in config
-  if (selfConfig.zone) {
-    const zone = selfConfig.zone;
-    if (zone === 'dmz' || zone === 'app' || zone === 'secure' || zone === 'internal') {
-      return zone;
-    }
-  }
-
-  // Priority 2: VM resources zone in manifest
-  const vmZone = manifest.requires?.machine?.zone;
-  if (vmZone === 'dmz' || vmZone === 'app' || vmZone === 'secure' || vmZone === 'internal') {
-    return vmZone;
-  }
-
-  // Default: dmz (public-facing services)
-  return 'dmz';
-}
-
 /**
  * Auto-derive inventory variables from module configuration
  * Policy function - derives values from existing config
@@ -204,17 +142,18 @@ function autoDeriveInventoryVariables(
 }
 
 /**
- * Recursively resolve "$self:key" strings in a capability data object
- * using the provider module's actual config values. Supports the
- * optional `[N]` array-index suffix (e.g. `$self:domains[0]`) so a
- * provider can declare computed aliases — `primary_domain:
- * $self:domains[0]` — without the framework storing the alias as a
- * separate value. Non-string values and strings that don't start
- * with "$self:" are returned unchanged.
+ * Recursively resolve "$self:key" and "$infra:<name>.<field>" strings in a
+ * capability data object using the provider module's actual config values and
+ * its deployed systems. `$self:` supports the optional `[N]` array-index suffix
+ * (e.g. `$self:domains[0]`). `$infra:` references a provider's deployed system
+ * by name (the replacement for the old `$self:target_ip` — see
+ * v2/MODULE_SYSTEMS_ADDRESSING.md). Non-string values and strings that don't
+ * start with one of those prefixes are returned unchanged.
  */
 function resolveSelfRefsInObject(
   obj: Record<string, unknown>,
   providerConfig: Record<string, unknown>,
+  providerSystems: Record<string, import('./types').InfraSystemFields> = {},
 ): Record<string, unknown> {
   const result: Record<string, unknown> = {};
   for (const [key, value] of Object.entries(obj)) {
@@ -222,8 +161,20 @@ function resolveSelfRefsInObject(
       const { name, index } = parsePath(value.slice(6));
       const resolved = applyIndex(providerConfig[name], index);
       result[key] = resolved !== undefined ? resolved : value;
+    } else if (typeof value === 'string' && value.startsWith('$infra:')) {
+      const path = value.slice('$infra:'.length);
+      const dot = path.indexOf('.');
+      const sysName = dot === -1 ? path : path.slice(0, dot);
+      const field = dot === -1 ? '' : path.slice(dot + 1);
+      const sys = providerSystems[sysName] as unknown as Record<string, unknown> | undefined;
+      const resolved = sys ? sys[field] : undefined;
+      result[key] = resolved !== undefined && resolved !== '' ? resolved : value;
     } else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
-      result[key] = resolveSelfRefsInObject(value as Record<string, unknown>, providerConfig);
+      result[key] = resolveSelfRefsInObject(
+        value as Record<string, unknown>,
+        providerConfig,
+        providerSystems,
+      );
     } else {
       result[key] = value;
     }
@@ -256,12 +207,13 @@ export async function buildResolutionContext(
 
   const selfConfig: Record<string, string> = {};
   for (const row of configRows) {
-    // Handle complex types (stored in valueJson)
-    if (row.valueJson) {
-      selfConfig[row.key] = row.valueJson; // Store JSON string
-    } else {
-      selfConfig[row.key] = row.value;
-    }
+    // Template variables substitute as strings (the YAML/HCL files
+    // this map drives expect string replacements). `value` is already
+    // the human-readable string form populated alongside valueJson;
+    // safe to use directly here. The typed path (numbers, booleans
+    // as their JS types) is parseStoredConfigValue, used by hook
+    // contexts.
+    selfConfig[row.key] = row.value;
   }
 
   // Well-known capability auto-assignment
@@ -272,24 +224,12 @@ export async function buildResolutionContext(
 
     // Store assigned values in module config
     if (assigned.hostname) {
-      await db
-        .insert(moduleConfigs)
-        .values({ moduleId, key: 'hostname', value: assigned.hostname })
-        .onConflictDoUpdate({
-          target: [moduleConfigs.moduleId, moduleConfigs.key],
-          set: { value: assigned.hostname },
-        });
+      upsertModuleConfig(db, moduleId, 'hostname', assigned.hostname);
       selfConfig.hostname = assigned.hostname;
     }
 
     if (assigned.zone) {
-      await db
-        .insert(moduleConfigs)
-        .values({ moduleId, key: 'zone', value: assigned.zone })
-        .onConflictDoUpdate({
-          target: [moduleConfigs.moduleId, moduleConfigs.key],
-          set: { value: assigned.zone },
-        });
+      upsertModuleConfig(db, moduleId, 'zone', assigned.zone);
       selfConfig.zone = assigned.zone;
     }
   }
@@ -301,19 +241,18 @@ export async function buildResolutionContext(
     const variables = manifest.variables?.owns ?? [];
 
     for (const variable of variables) {
-      // Only apply if variable has a default and config doesn't already have it
+      // Only apply if variable has a default and config doesn't already have it.
+      // Pass the typed manifest default directly so valueJson preserves the
+      // declared shape — e.g. `default: 2222` (YAML int) round-trips as
+      // `number` not the string "2222". This is the root of Defect 1.
       if (variable.default !== undefined && !selfConfig[variable.name]) {
-        const valueStr = String(variable.default);
-
-        await db
-          .insert(moduleConfigs)
-          .values({ moduleId, key: variable.name, value: valueStr })
-          .onConflictDoUpdate({
-            target: [moduleConfigs.moduleId, moduleConfigs.key],
-            set: { value: valueStr },
-          });
-
-        selfConfig[variable.name] = valueStr;
+        upsertModuleConfig(
+          db,
+          moduleId,
+          variable.name,
+          variable.default as string | number | boolean | unknown[] | Record<string, unknown>,
+        );
+        selfConfig[variable.name] = String(variable.default);
       }
     }
   }
@@ -339,72 +278,99 @@ export async function buildResolutionContext(
       for (const { manifestKey, configKey } of resourceMappings) {
         const value = machineResources[manifestKey];
 
-        // Only apply if manifest specifies a value and config doesn't already have it
+        // Manifest fields are typed (cpu: number, storage: string, etc.).
+        // Pass them through unstringified so valueJson preserves the
+        // shape — see comment in the variable-defaults block above.
         if (value !== undefined && !selfConfig[configKey]) {
-          const valueStr = String(value);
-
-          await db
-            .insert(moduleConfigs)
-            .values({ moduleId, key: configKey, value: valueStr })
-            .onConflictDoUpdate({
-              target: [moduleConfigs.moduleId, moduleConfigs.key],
-              set: { value: valueStr },
-            });
-
-          selfConfig[configKey] = valueStr;
+          upsertModuleConfig(
+            db,
+            moduleId,
+            configKey,
+            value as string | number | boolean | unknown[] | Record<string, unknown>,
+          );
+          selfConfig[configKey] = String(value);
         }
       }
     }
   }
 
-  // IPAM auto-allocation
-  // If module declares vmid/target_ip but they're not configured, allocate automatically
+  // Deployed-system recording (v2/MODULE_SYSTEMS_ADDRESSING.md).
+  // Record this module's system(s) into module_systems at generate time, so
+  // `$infra:<name>.…` resolves in templates. The address comes from:
+  //   - machine pool      → the machine's own IP; no vmid (no container).
+  //   - container_service → IPAM-allocated zone IP + vmid (proxmox only).
+  //   - DigitalOcean      → assigned by terraform; recorded at deploy from
+  //                         outputs (resolveInfrastructureVariables), not here.
+  // This is the single place generate-time addresses are recorded — `target_ip`
+  // no longer lives in module_configs.
   if (module?.manifestData) {
     const manifest = module.manifestData as ModuleManifest;
-
-    if (needsIpamAllocation(manifest, selfConfig)) {
-      const zone = determineModuleZone(manifest, selfConfig);
-
-      // Use transaction to ensure atomicity
-      await db.transaction(async (tx) => {
-        // Check if allocation already exists in ipAllocations table
-        const existing = await getAllocation(moduleId, tx);
-
-        let vmid: number;
-        let allocatedIp: string;
-
-        if (existing) {
-          // Use existing allocation
-          vmid = existing.vmid;
-          allocatedIp = existing.containerIp;
-        } else {
-          // Allocate new resources (persists to ipAllocations)
-          const allocation = await allocateResources(moduleId, zone, tx);
-          vmid = allocation.vmid;
-          allocatedIp = allocation.containerIp;
+    const declared = getDeclaredSystems(manifest);
+    const hostname = selfConfig.hostname;
+
+    if (declared.length > 0 && hostname) {
+      // Single-system transition: every current module declares one system.
+      const decl = declared[0];
+      const zone = decl.resources.zone;
+      const infraSelection = db
+        .select()
+        .from(moduleInfrastructure)
+        .where(eq(moduleInfrastructure.moduleId, moduleId))
+        .get();
+      const { upsertDeployedSystem } = await import('../services/deployed-systems');
+
+      if (infraSelection?.infrastructureType === 'machine') {
+        if (!infraSelection.machineId) {
+          throw new Error(
+            `Module '${moduleId}' is assigned to a machine but module_infrastructure.machineId is null`,
+          );
         }
-
-        // Ensure values are in module config (upsert to handle existing keys)
-        await tx
-          .insert(moduleConfigs)
-          .values({ moduleId, key: 'vmid', value: String(vmid) })
-          .onConflictDoUpdate({
-            target: [moduleConfigs.moduleId, moduleConfigs.key],
-            set: { value: String(vmid) },
-          });
-
-        await tx
-          .insert(moduleConfigs)
-          .values({ moduleId, key: 'target_ip', value: allocatedIp })
-          .onConflictDoUpdate({
-            target: [moduleConfigs.moduleId, moduleConfigs.key],
-            set: { value: allocatedIp },
+        const machineRow = db
+          .select()
+          .from(machines)
+          .where(eq(machines.id, infraSelection.machineId))
+          .get();
+        if (!machineRow?.ipAddress) {
+          throw new Error(
+            `Machine '${infraSelection.machineId}' for module '${moduleId}' has no ipAddress`,
+          );
+        }
+        upsertDeployedSystem(db, moduleId, {
+          name: decl.name,
+          hostname,
+          ipv4Address: machineRow.ipAddress,
+          zone,
+          infraType: 'machine',
+          machineId: infraSelection.machineId,
+        });
+      } else if (infraSelection?.infrastructureType === 'container_service') {
+        // Only proxmox needs IPAM; DigitalOcean's IP comes from terraform
+        // outputs at deploy. Determine the provider from the selected service.
+        let isProxmox = false;
+        if (infraSelection.serviceId) {
+          const svc = db
+            .select()
+            .from(containerServices)
+            .where(eq(containerServices.id, infraSelection.serviceId))
+            .get();
+          isProxmox = svc?.providerName === 'proxmox';
+        }
+        if (isProxmox && zone !== 'external') {
+          await db.transaction(async (tx) => {
+            const existing = await getAllocation(moduleId, tx);
+            const allocation = existing ?? (await allocateResources(moduleId, zone, tx));
+            upsertDeployedSystem(tx as unknown as DbClient, moduleId, {
+              name: decl.name,
+              hostname,
+              ipv4Address: allocation.containerIp,
+              zone,
+              infraType: 'container_service',
+              serviceId: infraSelection.serviceId,
+              vmid: allocation.vmid,
+            });
           });
-
-        // Update selfConfig with allocated values
-        selfConfig.vmid = String(vmid);
-        selfConfig.target_ip = allocatedIp;
-      });
+        }
+      }
     }
   }
 
@@ -463,10 +429,38 @@ export async function buildResolutionContext(
     for (const c of providerConfigs) {
       providerConfigMap[c.key] = c.valueJson ? JSON.parse(c.valueJson) : c.value;
     }
-    capabilitiesMap[row.capabilityName] = resolveSelfRefsInObject(
+    // The provider's deployed systems, so capability data can reference
+    // `$infra:<name>.ipv4_address` (replacing the old `$self:target_ip`).
+    // CIDR uses the default prefix here (capability data reads bare ipv4/host,
+    // not cidr); the full systemConfig isn't built yet at this point.
+    const { buildInfraSystemsMap } = await import('../services/deployed-systems');
+    const providerSystems = buildInfraSystemsMap(row.moduleId, db, {});
+    let resolved = resolveSelfRefsInObject(
       data as Record<string, unknown>,
       providerConfigMap,
+      providerSystems,
     );
+
+    // Evaluate computed-field markers (v2/INTERNAL_DNS_DHCP_AND_SPLIT_HORIZON.md
+    // D1) in the PROVIDER's context, so consumers — both `$capability:` template
+    // refs AND `variables.imports` — see the real value (e.g. domain_list as an
+    // array) rather than the raw marker. Only build the provider lookup when a
+    // marker is actually present (the common case has none). Best-effort: a
+    // single provider's eval failure must not break an unrelated module's
+    // context build, so we log and leave the original data on error.
+    if (containsComputedMarker(resolved)) {
+      try {
+        const lookup = await buildProviderLookup(row.moduleId, db);
+        resolved = resolveComputedFields(resolved, lookup) as Record<string, unknown>;
+      } catch (err) {
+        console.error(
+          `Failed to evaluate computed fields for capability '${row.capabilityName}' (provider '${row.moduleId}'):`,
+          err,
+        );
+      }
+    }
+
+    capabilitiesMap[row.capabilityName] = resolved;
   }
 
   // Fetch system configuration (for $system: variables)
@@ -508,6 +502,16 @@ export async function buildResolutionContext(
     // System secrets are optional
   }
 
+  // Build the `$infra:<name>.<field>` lookup from the systems recorded above
+  // (proxmox/machine at generate; DigitalOcean gets refreshed at deploy from
+  // terraform outputs). This is what lets `$infra:` resolve in templates.
+  // v2/MODULE_SYSTEMS_ADDRESSING.md.
+  let infraSystemsMap: Record<string, import('./types').InfraSystemFields> = {};
+  if (module?.manifestData) {
+    const { buildInfraSystemsMap } = await import('../services/deployed-systems');
+    infraSystemsMap = buildInfraSystemsMap(moduleId, db, systemConfigMap);
+  }
+
   // Zone-based networking
   // Auto-derive network config from zone (gateway, vlan, subnet, bridge)
   if (module?.manifestData) {
@@ -516,13 +520,7 @@ export async function buildResolutionContext(
 
     // If zone from manifest but not in selfConfig, store it as first-class config
     if (zone && !selfConfig.zone) {
-      await db
-        .insert(moduleConfigs)
-        .values({ moduleId, key: 'zone', value: zone })
-        .onConflictDoUpdate({
-          target: [moduleConfigs.moduleId, moduleConfigs.key],
-          set: { value: zone },
-        });
+      upsertModuleConfig(db, moduleId, 'zone', zone);
       selfConfig.zone = zone;
     }
 
@@ -537,15 +535,25 @@ export async function buildResolutionContext(
           const value = systemConfigMap[systemConfigKey];
 
           if (value) {
-            await db
-              .insert(moduleConfigs)
-              .values({ moduleId, key: field, value })
-              .onConflictDoUpdate({
-                target: [moduleConfigs.moduleId, moduleConfigs.key],
-                set: { value },
-              });
-
-            selfConfig[field] = value;
+            // system_config stores everything as strings (no
+            // valueJson companion column there — that's a sister
+            // type-fidelity gap, tracked separately). Use a
+            // try-JSON-parse heuristic at the boundary to recover
+            // primitive types: "20" → 20 (vlan tags are numbers),
+            // "true" → true, IPs/hostnames fall through to string.
+            // Once system_config gets the same treatment as
+            // module_configs this coercion becomes redundant.
+            const coerced = ((): string | number | boolean => {
+              try {
+                const parsed = JSON.parse(value);
+                if (typeof parsed === 'number' || typeof parsed === 'boolean') return parsed;
+              } catch {
+                // not JSON — fall through
+              }
+              return value;
+            })();
+            upsertModuleConfig(db, moduleId, field, coerced);
+            selfConfig[field] = String(coerced);
           }
         }
       }
@@ -563,6 +571,7 @@ export async function buildResolutionContext(
       systemSecrets: systemSecretsMap,
       secrets: secretsMap,
       capabilities: capabilitiesMap,
+      systems: infraSystemsMap,
     };
 
     // Snapshot values before derivation so we can detect changes
@@ -603,14 +612,7 @@ export async function buildResolutionContext(
       }
 
       if (isNew || isChanged) {
-        await db
-          .insert(moduleConfigs)
-          .values({ moduleId, key, value })
-          .onConflictDoUpdate({
-            target: [moduleConfigs.moduleId, moduleConfigs.key],
-            set: { value },
-          });
-
+        upsertModuleConfig(db, moduleId, key, value);
         selfConfig[key] = value;
       }
     }
@@ -630,6 +632,7 @@ export async function buildResolutionContext(
     systemSecrets: systemSecretsMap,
     secrets: secretsMap,
     capabilities: capabilitiesMap,
+    systems: infraSystemsMap,
   };
 }
 
@@ -650,6 +653,7 @@ export function buildContextFromData(
     systemSecrets?: Record<string, string>;
     secrets?: Record<string, string>;
     capabilities?: Record<string, Record<string, unknown>>;
+    systems?: Record<string, import('./types').InfraSystemFields>;
   } = {},
 ): ResolutionContext {
   const selfConfig = data.selfConfig ?? {};
@@ -668,5 +672,6 @@ export function buildContextFromData(
     systemSecrets: data.systemSecrets ?? {},
     secrets: data.secrets ?? {},
     capabilities: data.capabilities ?? {},
+    systems: data.systems ?? {},
   };
 }

package/src/variables/parser.ts

@@ -21,7 +21,7 @@ import type { VariableReference } from './types';
  * computed alias for the canonical default).
  */
 const VARIABLE_PATTERN =
-  /\$\{(self|system|system_secret|secret|capability):([a-zA-Z_][a-zA-Z0-9_.-]*(?:\[\d+\])?)\}|\$(self|system|system_secret|secret|capability):([a-zA-Z_][a-zA-Z0-9_.-]*(?:\[\d+\])?)/g;
+  /\$\{(self|system|system_secret|secret|capability|infra):([a-zA-Z_][a-zA-Z0-9_.-]*(?:\[\d+\])?)\}|\$(self|system|system_secret|secret|capability|infra):([a-zA-Z_][a-zA-Z0-9_.-]*(?:\[\d+\])?)/g;
 
 /**
  * Parse template content to extract variable references
@@ -64,7 +64,7 @@ export function hasVariables(content: string): boolean {
   // Create new regex without state to avoid issues with global flag
   // Matches both ${type:path} and $type:path (with optional [N] index)
   const pattern =
-    /\$\{?(self|system|system_secret|secret|capability):([a-zA-Z_][a-zA-Z0-9_.-]*(?:\[\d+\])?)/;
+    /\$\{?(self|system|system_secret|secret|capability|infra):([a-zA-Z_][a-zA-Z0-9_.-]*(?:\[\d+\])?)/;
   return pattern.test(content);
 }
 
@@ -78,7 +78,7 @@ export function isValidVariableFormat(variable: string): boolean {
   // Path must start with letter or underscore, not digit
   // Accepts both ${type:path} and $type:path with optional [N] indexing
   const pattern =
-    /^(?:\$\{(self|system|system_secret|secret|capability):[a-zA-Z_][a-zA-Z0-9_.-]*(?:\[\d+\])?\}|\$(self|system|system_secret|secret|capability):[a-zA-Z_][a-zA-Z0-9_.-]*(?:\[\d+\])?)$/;
+    /^(?:\$\{(self|system|system_secret|secret|capability|infra):[a-zA-Z_][a-zA-Z0-9_.-]*(?:\[\d+\])?\}|\$(self|system|system_secret|secret|capability|infra):[a-zA-Z_][a-zA-Z0-9_.-]*(?:\[\d+\])?)$/;
   return pattern.test(variable);
 }
 

package/src/variables/resolver.test.ts

@@ -82,6 +82,67 @@ describe('resolveVariable', () => {
     }
   });
 
+  describe('$infra: deployed-system selector', () => {
+    const infraContext = () =>
+      createContext({
+        systems: {
+          main: {
+            name: 'main',
+            hostname: 'homebridge',
+            ipv4_address: '10.0.20.20',
+            zone: 'app',
+            cidr: '10.0.20.20/24',
+            vmid: '2100',
+          },
+        },
+      });
+
+    test('resolves $infra:<name>.ipv4_address', async () => {
+      const result = await resolveVariable(
+        { type: 'infra', path: 'main.ipv4_address', raw: '$infra:main.ipv4_address' },
+        infraContext(),
+        mockDb,
+      );
+      expect(result.success).toBe(true);
+      if (result.success) expect(result.value).toBe('10.0.20.20');
+    });
+
+    test('resolves $infra:<name>.cidr and .vmid', async () => {
+      const ctx = infraContext();
+      const cidr = await resolveVariable(
+        { type: 'infra', path: 'main.cidr', raw: '$infra:main.cidr' },
+        ctx,
+        mockDb,
+      );
+      const vmid = await resolveVariable(
+        { type: 'infra', path: 'main.vmid', raw: '$infra:main.vmid' },
+        ctx,
+        mockDb,
+      );
+      expect(cidr.success && cidr.value).toBe('10.0.20.20/24');
+      expect(vmid.success && vmid.value).toBe('2100');
+    });
+
+    test('fails clearly for an unknown system name', async () => {
+      const result = await resolveVariable(
+        { type: 'infra', path: 'db.ipv4_address', raw: '$infra:db.ipv4_address' },
+        infraContext(),
+        mockDb,
+      );
+      expect(result.success).toBe(false);
+      if (!result.success) expect(result.error).toContain("No deployed system named 'db'");
+    });
+
+    test('fails when no systems recorded (API-only / pre-deploy)', async () => {
+      const result = await resolveVariable(
+        { type: 'infra', path: 'main.ipv4_address', raw: '$infra:main.ipv4_address' },
+        createContext(),
+        mockDb,
+      );
+      expect(result.success).toBe(false);
+    });
+  });
+
   test('should resolve system variable', async () => {
     const variable: VariableReference = {
       type: 'system',