@celilo/cli 0.4.0-alpha.1 → 0.4.0

package/src/cli/commands/module-import-aspect.test.ts

@@ -0,0 +1,116 @@
+/**
+ * Aspect-approval flow on import (ISS-0045): in a non-TTY context, importing a
+ * module that declares a base_module_aspect must fail fast with guidance rather
+ * than hang on the approval prompt; --accept-aspects approves non-interactively.
+ */
+
+import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { closeDb, getDb } from '../../db/client';
+import { runMigrations } from '../../db/migrate';
+import { modules } from '../../db/schema';
+import type { BaseModuleAspect } from '../../manifest/schema';
+import { handleAspectApprovalAfterImport } from './module-import';
+
+const aspect: BaseModuleAspect = {
+  ansible_role: 'dns-client-config',
+  applicable_zones: ['dmz', 'app', 'secure'],
+  triggers: ['on_install'],
+};
+
+function insertAspectModule(id: string, version: string): void {
+  getDb()
+    .insert(modules)
+    .values({
+      id,
+      name: id,
+      version,
+      manifestData: {
+        id,
+        name: id,
+        version,
+        celilo_contract: '1.0',
+        base_module_aspect: aspect,
+      },
+      sourcePath: `/tmp/${id}`,
+    })
+    .run();
+}
+
+// Use defineProperty (not direct assignment): another suite may have redefined
+// process.stdin.isTTY as a non-writable property, which makes `= false` throw.
+function setTTY(value: boolean | undefined): void {
+  Object.defineProperty(process.stdin, 'isTTY', { value, configurable: true });
+}
+
+describe('handleAspectApprovalAfterImport (non-interactive)', () => {
+  let dir: string;
+  let originalIsTTY: boolean | undefined;
+
+  beforeEach(async () => {
+    dir = mkdtempSync(join(tmpdir(), 'celilo-import-aspect-test-'));
+    process.env.CELILO_DB_PATH = join(dir, 'celilo.db');
+    await runMigrations(process.env.CELILO_DB_PATH);
+    originalIsTTY = process.stdin.isTTY;
+    // Force non-interactive so the no-flag path can't block on a real prompt.
+    setTTY(false);
+  });
+
+  afterEach(() => {
+    setTTY(originalIsTTY);
+    closeDb();
+    process.env.CELILO_DB_PATH = undefined;
+    try {
+      rmSync(dir, { recursive: true, force: true });
+    } catch {
+      /* ignore */
+    }
+  });
+
+  it('fails fast (no hang) when stdin is not a TTY and --accept-aspects is absent', async () => {
+    insertAspectModule('technitium', '1.0.0');
+    const result = await handleAspectApprovalAfterImport({
+      moduleId: 'technitium',
+      targetPath: '/tmp/technitium',
+      flags: {},
+      db: getDb(),
+    });
+    expect(result.approved).toBe(false);
+    if (result.approved) throw new Error('expected approval to be declined');
+    expect(result.error).toContain('--accept-aspects');
+    expect(result.error).toContain("isn't a TTY");
+  });
+
+  it('approves non-interactively when --accept-aspects is passed', async () => {
+    insertAspectModule('technitium', '1.0.0');
+    const result = await handleAspectApprovalAfterImport({
+      moduleId: 'technitium',
+      targetPath: '/tmp/technitium',
+      flags: { 'accept-aspects': true },
+      db: getDb(),
+    });
+    expect(result.approved).toBe(true);
+  });
+
+  it('is a no-op for a module without a base_module_aspect', async () => {
+    getDb()
+      .insert(modules)
+      .values({
+        id: 'caddy',
+        name: 'caddy',
+        version: '1.0.0',
+        manifestData: { id: 'caddy', name: 'caddy', version: '1.0.0', celilo_contract: '1.0' },
+        sourcePath: '/tmp/caddy',
+      })
+      .run();
+    const result = await handleAspectApprovalAfterImport({
+      moduleId: 'caddy',
+      targetPath: '/tmp/caddy',
+      flags: {},
+      db: getDb(),
+    });
+    expect(result.approved).toBe(true);
+  });
+});

package/src/cli/commands/module-import.ts

@@ -71,7 +71,7 @@ Examples:
  * `{ approved: false, error: string }` on decline or non-interactive
  * mismatch. The caller is responsible for surfacing the error.
  */
-async function handleAspectApprovalAfterImport(args: {
+export async function handleAspectApprovalAfterImport(args: {
   moduleId: string;
   targetPath: string;
   flags: Record<string, string | boolean>;
@@ -120,6 +120,17 @@ async function handleAspectApprovalAfterImport(args: {
     };
   }
 
+  // Non-interactive (e2e / CI / automation): there is no one to answer the
+  // approval prompt, so fail fast with guidance instead of hanging on stdin
+  // until an outer timeout kills us (ISS-0045). Mirrors the secret-interview /
+  // module-generate non-TTY behavior.
+  if (!process.stdin.isTTY) {
+    return {
+      approved: false,
+      error: `Module '${moduleId}' declares a base-module aspect (Ansible role '${aspect.ansible_role}', zones: ${aspect.applicable_zones.join(', ')}; triggers: ${aspect.triggers.join(', ')}). Approval can't be prompted because stdin isn't a TTY. Re-run with --accept-aspects to approve it non-interactively.`,
+    };
+  }
+
   // Interactive prompt path. Display the scope clearly so the
   // operator's consent is informed.
   const scopeMsg = [

package/src/cli/commands/storage-add-s3.ts

@@ -15,53 +15,92 @@ import { validateRequired } from '../validators';
 
 export async function handleStorageAddS3(
   _args: string[],
-  _flags: Record<string, boolean | string> = {},
+  flags: Record<string, boolean | string> = {},
 ): Promise<CommandResult> {
   try {
     celiloIntro('Add S3 Backup Storage');
 
-    const name = await promptText({
-      message: 'Human-readable name:',
-      placeholder: 'e.g., Backblaze B2 Backups',
-      validate: validateRequired('Storage name'),
-    });
-
-    const bucket = await promptText({
-      message: 'Bucket name:',
-      placeholder: 'e.g., homelab-backups',
-      validate: validateRequired('Bucket name'),
-    });
-
-    const region = await promptText({
-      message: 'Region:',
-      defaultValue: 'us-east-1',
-      placeholder: 'us-east-1',
-      validate: validateRequired('Region'),
-    });
+    // Support non-interactive mode via flags (scriptable from docker-exec /
+    // automation). region + endpoint have sensible defaults; name, bucket, and
+    // the two credential flags are required for a fully non-interactive run.
+    const flagName = typeof flags.name === 'string' ? flags.name : undefined;
+    const flagBucket = typeof flags.bucket === 'string' ? flags.bucket : undefined;
+    const flagRegion = typeof flags.region === 'string' ? flags.region : undefined;
+    const flagEndpoint = typeof flags.endpoint === 'string' ? flags.endpoint : undefined;
+    const flagAccessKeyId =
+      typeof flags['access-key-id'] === 'string' ? flags['access-key-id'] : undefined;
+    const flagSecretAccessKey =
+      typeof flags['secret-access-key'] === 'string' ? flags['secret-access-key'] : undefined;
+
+    const nonInteractive = Boolean(
+      flagName && flagBucket && flagAccessKeyId && flagSecretAccessKey,
+    );
 
-    const endpoint = await promptText({
-      message: 'Endpoint URL:',
-      defaultValue: 'https://s3.amazonaws.com',
-      placeholder: 'https://s3.amazonaws.com',
-      validate: (value) => {
-        const err = validateRequired('Endpoint URL')(value);
-        if (err) return err;
-        if (value && !value.startsWith('https://') && !value.startsWith('http://')) {
-          return 'Endpoint must start with https:// or http://';
-        }
-        return undefined;
-      },
-    });
+    const name =
+      flagName ??
+      (await promptText({
+        message: 'Human-readable name:',
+        placeholder: 'e.g., Backblaze B2 Backups',
+        validate: validateRequired('Storage name'),
+      }));
+
+    const bucket =
+      flagBucket ??
+      (await promptText({
+        message: 'Bucket name:',
+        placeholder: 'e.g., homelab-backups',
+        validate: validateRequired('Bucket name'),
+      }));
+
+    const region =
+      flagRegion ??
+      (await promptText({
+        message: 'Region:',
+        defaultValue: 'us-east-1',
+        placeholder: 'us-east-1',
+        validate: validateRequired('Region'),
+      }));
+
+    const endpoint =
+      flagEndpoint ??
+      (await promptText({
+        message: 'Endpoint URL:',
+        defaultValue: 'https://s3.amazonaws.com',
+        placeholder: 'https://s3.amazonaws.com',
+        validate: (value) => {
+          const err = validateRequired('Endpoint URL')(value);
+          if (err) return err;
+          if (value && !value.startsWith('https://') && !value.startsWith('http://')) {
+            return 'Endpoint must start with https:// or http://';
+          }
+          return undefined;
+        },
+      }));
+
+    if (
+      flagEndpoint &&
+      !flagEndpoint.startsWith('https://') &&
+      !flagEndpoint.startsWith('http://')
+    ) {
+      return {
+        success: false,
+        error: `Invalid --endpoint '${flagEndpoint}': must start with https:// or http://`,
+      };
+    }
 
-    const accessKeyId = await promptText({
-      message: 'Access Key ID:',
-      validate: validateRequired('Access Key ID'),
-    });
+    const accessKeyId =
+      flagAccessKeyId ??
+      (await promptText({
+        message: 'Access Key ID:',
+        validate: validateRequired('Access Key ID'),
+      }));
 
-    const secretAccessKey = await promptPassword({
-      message: 'Secret Access Key:',
-      validate: validateRequired('Secret Access Key'),
-    });
+    const secretAccessKey =
+      flagSecretAccessKey ??
+      (await promptPassword({
+        message: 'Secret Access Key:',
+        validate: validateRequired('Secret Access Key'),
+      }));
 
     const storage = await addBackupStorage({
       name,
@@ -90,14 +129,20 @@ export async function handleStorageAddS3(
 
     console.log(`✓ ${result.message}`);
 
-    const makeDefault = await promptConfirm({
-      message: 'Set as default backup destination?',
-      initialValue: true,
-    });
-
-    if (makeDefault) {
+    if (nonInteractive) {
+      // Non-interactive: auto-set as default (matches storage-add-local).
       setDefaultBackupStorage(storage.id);
       console.log('✓ Set as default');
+    } else {
+      const makeDefault = await promptConfirm({
+        message: 'Set as default backup destination?',
+        initialValue: true,
+      });
+
+      if (makeDefault) {
+        setDefaultBackupStorage(storage.id);
+        console.log('✓ Set as default');
+      }
     }
 
     celiloOutro(

package/src/cli/completion.ts

@@ -81,6 +81,7 @@ export async function getCompletions(words: string[], current: number): Promise<
       'run',
       'run-hook',
       'emit',
+      'reply',
       'ack',
       'fail',
       'repair',
@@ -399,7 +400,7 @@ export async function getCompletions(words: string[], current: number): Promise<
 
   // Backup subcommands
   if (command === 'backup' && currentIndex === 1) {
-    const subcommands = ['create', 'list', 'restore', 'delete', 'prune', 'name', 'import'];
+    const subcommands = ['create', 'list', 'restore', 'delete', 'prune', 'name', 'import', 'pull'];
     return filterSuggestions(subcommands, args[1] || '');
   }
 

package/src/cli/index.ts

@@ -19,6 +19,7 @@ import {
   handleEventsListPending,
   handleEventsListSubscribers,
   handleEventsRepair,
+  handleEventsReply,
   handleEventsRespond,
   handleEventsRun,
   handleEventsRunHook,
@@ -258,6 +259,7 @@ Subcommands:
   drain [--concurrency N]      Process pending deliveries once and return
   run [--poll-ms N]            Run the long-running dispatcher (foreground)
   emit <type> [<payload>]      Emit an event (operator/test path)
+  reply <event_id> <value>     Answer one pending interview query by id (config/secret/ensure)
   ack <event_id>               Mark a running delivery succeeded
   fail <event_id> --error MSG  Mark a running delivery failed
   repair                       Crash-recovery sweep without starting the dispatcher
@@ -279,6 +281,8 @@ Examples:
   celilo events status                                   # is anything stuck?
   celilo events tail --type deploy.completed.lunacycle   # filter by type
   celilo events emit deploy.completed.lunacycle '{}'     # operator-fired event
+  celilo events tail --type 'config.required.*'          # see pending deploy questions
+  celilo events reply 42 '"lunacycle.net"'               # answer query #42 (config)
 `;
   return { success: true, message: helpText.trim() };
 }
@@ -1150,6 +1154,8 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
         return handleEventsRunHook(parsed.args);
       case 'emit':
         return handleEventsEmit(parsed.args, parsed.flags);
+      case 'reply':
+        return handleEventsReply(parsed.args, parsed.flags);
       case 'ack':
         return handleEventsAck(parsed.args, parsed.flags);
       case 'fail':
@@ -1569,6 +1575,11 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
       return handleBackupImport(parsed.args, parsed.flags);
     }
 
+    if (parsed.subcommand === 'pull') {
+      const { handleBackupPull } = await import('./commands/backup-pull');
+      return handleBackupPull(parsed.args, parsed.flags);
+    }
+
     return {
       success: false,
       error: `Unknown backup subcommand: ${parsed.subcommand}\n\nRun "celilo backup --help" for usage`,

package/src/db/client.ts

@@ -109,6 +109,10 @@ function needsMigration(sqlite: Database): boolean {
         updated_at integer DEFAULT (unixepoch()) NOT NULL,
         PRIMARY KEY (module_id, name)
       )`,
+      // Aspect consent decision (ISS-0027). Fresh DBs get this via migration
+      // 0008; existing installs get it here. Defaults to true so pre-existing
+      // rows (all approvals) keep running; false = a durable refusal.
+      'ALTER TABLE aspect_approvals ADD consented integer DEFAULT true NOT NULL',
     ];
 
     for (const stmt of alterStatements) {

package/src/db/schema.ts

@@ -540,8 +540,16 @@ export const aspectApprovals = sqliteTable(
     version: text('version').notNull(),
     /** Hash of `applicable_zones` + `triggers` — see table comment. */
     scopeHash: text('scope_hash').notNull(),
+    /**
+     * The operator's decision for this (module, version, scope): `true` =
+     * approved (run the aspect), `false` = explicitly refused (skip and do NOT
+     * re-prompt — ISS-0027). The ABSENCE of a row is the third state, "not yet
+     * decided" → interview. Defaults to true so pre-existing rows (all of which
+     * were approvals) keep running.
+     */
+    consented: integer('consented', { mode: 'boolean' }).notNull().default(true),
     approvedAt: integer('approved_at', { mode: 'timestamp' }).notNull().default(sql`(unixepoch())`),
-    /** Operator identifier (e.g., $USER at approval time). Null when --accept-aspects was used in a context with no USER. */
+    /** Operator identifier (e.g., $USER at approval/denial time). Null when consent was granted in a context with no USER. */
     approver: text('approver'),
   },
   (table) => ({

package/src/hooks/capability-loader.test.ts

@@ -6,7 +6,7 @@ import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
 import { mkdirSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
-import type { HookLogger } from '@celilo/capabilities';
+import type { HookLogger, RouteReadView } from '@celilo/capabilities';
 import type { DbClient } from '../db/client';
 import { upsertModuleConfig } from '../services/module-config';
 import { cleanupTestDatabase, setupTestDatabase } from '../test-utils/database';
@@ -96,4 +96,34 @@ describe('Capability Loader', () => {
     expect(result).toHaveProperty('dns_registrar');
     expect(result.dns_registrar).toBeTruthy();
   });
+
+  test('injects a read-only web_routes view into the public_web provider own hooks (ISS-0035)', async () => {
+    const modulePath = join(tempDir, 'caddy');
+    mkdirSync(modulePath, { recursive: true });
+    db.$client.run(
+      `INSERT INTO modules (id, name, version, source_path, manifest_data) VALUES ('caddy', 'Caddy', '1.0.0', '${modulePath}', '{}')`,
+    );
+    db.$client.run(
+      `INSERT INTO capabilities (module_id, capability_name, version, data, registered_at) VALUES ('caddy', 'public_web', '1.0.0', '{}', unixepoch())`,
+    );
+    db.$client.run(
+      `INSERT INTO web_routes (slug, module_id, type, path, hostname, target_host, target_port, websocket) VALUES ('apt--root', 'apt-repo', 'reverse_proxy', '/', 'apt.example.com', '10.0.20.50', 8080, 0)`,
+    );
+    db.$client.run(
+      `INSERT INTO web_routes (slug, module_id, type, path, hostname, target_host, target_port, websocket) VALUES ('auth--root', 'authentik', 'reverse_proxy', '/', 'auth.example.com', '10.0.20.51', 9000, 0)`,
+    );
+
+    // caddy running its OWN hook gets a read-only view of the route registry.
+    const provider = await loadCapabilityFunctions('caddy', db, noopLogger);
+    expect(provider).toHaveProperty('web_routes');
+    const view = provider.web_routes as RouteReadView;
+    const all = view.getAllRoutes();
+    expect(all).toHaveLength(2);
+    expect(all.map((r) => r.hostname).sort()).toEqual(['apt.example.com', 'auth.example.com']);
+    expect(view.getRoutes('apt-repo').map((r) => r.hostname)).toEqual(['apt.example.com']);
+
+    // A consumer (not the provider) never sees the route table.
+    const consumer = await loadCapabilityFunctions('apt-repo', db, noopLogger);
+    expect(consumer).not.toHaveProperty('web_routes');
+  });
 });

package/src/hooks/capability-loader.ts

@@ -17,12 +17,18 @@ import {
   isCompiledCapabilityFactory,
   wrapWithLogging,
 } from '@celilo/capabilities';
-import type { DnsInternalCapability, HookLogger, RouteOps } from '@celilo/capabilities';
+import type {
+  DnsInternalCapability,
+  HookLogger,
+  RouteOps,
+  RouteReadView,
+} from '@celilo/capabilities';
 import { and, eq } from 'drizzle-orm';
 import type { DbClient } from '../db/client';
 import { capabilities, modules, secrets, webRoutes } from '../db/schema';
 import { decryptSecret } from '../secrets/encryption';
 import { getOrCreateMasterKey } from '../secrets/master-key';
+import { emitWebRoutesChangedAndWait } from '../services/celilo-events';
 import { getModuleSystems } from '../services/deployed-systems';
 import { loadHookConfigMap } from './load-hook-config';
 
@@ -84,6 +90,29 @@ const CAPABILITY_MODULE_MAP: Record<string, { script: string; legacyFactoryName:
  * @param logger - Hook logger captured by the auto-logging wrapper
  * @returns Map of capability name to function interface
  */
+/**
+ * The firewall's internal NAT IP — split-horizon DNS records point here so
+ * internal-zone clients reach a service via the iptables DNAT rules rather than
+ * Caddy's unreachable DMZ container IP. Returns undefined when no firewall
+ * provider advertises a `nat_ip`. Shared by the live public_web registration
+ * and the deploy-time web-route DNS backfill (ISS-0029) so both write the same
+ * value.
+ */
+export async function resolveFirewallNatIp(db: DbClient): Promise<string | undefined> {
+  const firewallProviders = db
+    .select()
+    .from(capabilities)
+    .where(eq(capabilities.capabilityName, 'firewall'))
+    .all();
+  for (const fp of firewallProviders) {
+    const fpConfig = await loadModuleConfig(fp.moduleId, db);
+    if (typeof fpConfig.nat_ip === 'string' && fpConfig.nat_ip) {
+      return fpConfig.nat_ip;
+    }
+  }
+  return undefined;
+}
+
 export async function loadCapabilityFunctions(
   consumingModuleId: string,
   db: DbClient,
@@ -232,21 +261,9 @@ export async function loadCapabilityFunctions(
 
     // Find the firewall NAT IP so split-horizon records point to the iptables
     // internal interface rather than Caddy's unreachable DMZ container IP.
-    const firewallProviders = db
-      .select()
-      .from(capabilities)
-      .where(eq(capabilities.capabilityName, 'firewall'))
-      .all();
-    let firewallNatIp: string | undefined;
-    for (const fp of firewallProviders) {
-      const fpConfig = await loadModuleConfig(fp.moduleId, db);
-      if (typeof fpConfig.nat_ip === 'string' && fpConfig.nat_ip) {
-        firewallNatIp = fpConfig.nat_ip;
-        debugLog(
-          `public_web: using firewall natIp ${firewallNatIp} from ${fp.moduleId} for internal DNS`,
-        );
-        break;
-      }
+    const firewallNatIp = await resolveFirewallNatIp(db);
+    if (firewallNatIp) {
+      debugLog(`public_web: using firewall natIp ${firewallNatIp} for internal DNS`);
     }
 
     // Caddy's configured hostnames — public_web rejects routes for any
@@ -343,6 +360,24 @@ export async function loadCapabilityFunctions(
         caddyModuleId: provider.moduleId,
         dnsManagedDomains,
         dnsRegistrarModuleId,
+        // ISS-0035: register_route/unregister_routes emit this coarse signal
+        // instead of SSHing caddy; the caddy provider's reconcile_routes
+        // subscription re-renders the Caddyfile from web_routes. We await the
+        // reconcile so register_route returns only once the route is live —
+        // the consuming module's health_check runs right after and would
+        // otherwise race the async reconcile.
+        onRoutesChanged: async () => {
+          const reconcile = await emitWebRoutesChangedAndWait(consumingModuleId);
+          if (reconcile.timedOut) {
+            logger.warn(
+              `public_web reconcile for ${consumingModuleId} did not finish within the deadline (${reconcile.succeeded} ok, ${reconcile.failed} failed of ${reconcile.events} change event(s)); the route is persisted and the provider will reconcile on its next run`,
+            );
+          } else if (reconcile.failed > 0) {
+            logger.warn(
+              `public_web reconcile for ${consumingModuleId}: ${reconcile.failed} delivery(ies) failed; the route is persisted but the provider config may be stale`,
+            );
+          }
+        },
       });
       debugLog(`public_web: loaded via framework implementation for ${consumingModuleId}`);
     } catch (error) {
@@ -350,6 +385,20 @@ export async function loadCapabilityFunctions(
         `public_web: FAILED to load: ${error instanceof Error ? error.message : String(error)}`,
       );
     }
+
+    // ISS-0035: when the module running THIS hook is the public_web PROVIDER
+    // itself (caddy running its own hook, not a consumer), give it a read-only
+    // view of the route registry so it can reconcile its config from web_routes
+    // — symmetric with how consumers get the public_web capability. Consumers
+    // never see this; only the provider does.
+    if (consumingModuleId === provider.moduleId) {
+      const routeView: RouteReadView = {
+        getAllRoutes: () => routeOps.getAllRoutes(),
+        getRoutes: (m: string) => routeOps.getRoutes(m),
+      };
+      result.web_routes = routeView;
+      debugLog(`web_routes: read-only route view injected for provider ${consumingModuleId}`);
+    }
   } else {
     debugLog('public_web: not registered in DB, skipping');
   }

package/src/manifest/contracts/v1.ts

@@ -166,6 +166,18 @@ export const V1_HOOKS: ContractHooks = {
     },
     outputs: {},
   },
+  /**
+   * Reconcile the provider's running config from a celilo registry when a
+   * change event fires (ISS-0035). The caddy public_web provider declares this;
+   * the dispatcher invokes it on `public_web.routes_changed` so caddy re-renders
+   * its Caddyfile from web_routes (read via the injected web_routes view +
+   * config). No required inputs — the event is a coarse "re-read the table"
+   * signal. No structured outputs; throws on failure (no-surprises).
+   */
+  reconcile_routes: {
+    inputs: {},
+    outputs: {},
+  },
   /**
    * Build-bus upstream publish hook. The executor passes the
    * PublishEvent fields as env vars (CELILO_EVENT_PAYLOAD,

package/src/manifest/schema.ts

@@ -88,9 +88,13 @@ export const VariableImportSchema = z.object({
  * When present, the secret is auto-generated during deployment instead of prompting the user
  */
 export const SecretGenerateSchema = z.object({
-  method: z.enum(['random']).default('random'),
+  method: z.enum(['random', 'gpg']).default('random'),
   length: z.number().int().positive().default(32),
   encoding: z.enum(['base64', 'hex']).default('base64'),
+  // For method: 'gpg' — the user ID stamped on the generated signing key
+  // (e.g. "apt.celilo.computer"). The secret holds the base64'd ASCII-armored
+  // private key, minted once at the config-interview stage.
+  identity: z.string().optional(),
 });
 
 export const SecretDeclareSchema = z.object({
@@ -511,6 +515,14 @@ export const ModuleManifestSchema = z
          * [[v2/INTERNAL_DNS_DHCP_AND_SPLIT_HORIZON.md]] D5.
          */
         on_system_event: LifecycleHookSchema.optional(),
+        /**
+         * Reconcile the provider's running config from a celilo registry on a
+         * change event. The caddy `public_web` provider declares this to
+         * re-render its Caddyfile from web_routes when a consumer registers or
+         * unregisters a route (ISS-0035). See
+         * [[v2/PUBLIC_WEB_PROVIDER_RECONCILE.md]].
+         */
+        reconcile_routes: LifecycleHookSchema.optional(),
         /**
          * Build-bus upstream publish hooks. Array (a module can react
          * to multiple upstream packages with different actions). See

package/src/manifest/template-validator.ts

@@ -72,6 +72,7 @@ const AUTO_ALLOCATED_VARIABLES = new Set([
   'vlan', // Auto-derived from zone configuration
   'gateway', // Auto-derived from zone configuration
   'target_node', // Can be auto-derived from system config
+  'lxc_nameserver', // Composed at generate time from dns_internal + dns.primary (v2/LXC_INTERNAL_DNS.md)
 ]);
 
 /**