@celilo/cli 0.4.0 → 0.5.0-alpha.0

package/src/services/deployed-systems.ts

@@ -150,7 +150,7 @@ function asZone(value: string | undefined): NetworkZone | null {
  * single sink the old scattered `target_ip` writes collapse into.
  *
  * Transition: every current module declares exactly one system (via
- * `requires.machine`, normalized to name `main`, or one `requires.systems`
+ * `requires.system`, normalized to name `main`, or one `requires.systems`
  * entry), so this records that single host from `hostname` config + the
  * resolved IP. Returns the systems it recorded ([] for an API-only module with
  * no host — e.g. namecheap). See v2/MODULE_SYSTEMS_ADDRESSING.md.

package/src/services/infrastructure-selector.test.ts

@@ -61,7 +61,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -119,7 +119,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -162,7 +162,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -197,7 +197,7 @@ describe('infrastructure-selector', () => {
       const module = (await db.select().from(modules).limit(1))[0] as Module;
 
       await expect(selectInfrastructure(module)).rejects.toThrow(InfrastructureError);
-      await expect(selectInfrastructure(module)).rejects.toThrow(/missing requires.machine/);
+      await expect(selectInfrastructure(module)).rejects.toThrow(/missing requires.system/);
     });
 
     it('throws error when module manifest missing zone', async () => {
@@ -210,7 +210,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -224,20 +224,20 @@ describe('infrastructure-selector', () => {
       const module = (await db.select().from(modules).limit(1))[0] as Module;
 
       await expect(selectInfrastructure(module)).rejects.toThrow(InfrastructureError);
-      await expect(selectInfrastructure(module)).rejects.toThrow(/missing requires.machine.zone/);
+      await expect(selectInfrastructure(module)).rejects.toThrow(/missing requires.system.zone/);
     });
 
-    it('supports requires.machine format', async () => {
+    it('supports requires.system format', async () => {
       const db = createDbClient({ path: testDbPath });
 
-      // Create test module with requires.machine format
+      // Create test module with requires.system format
       await db.insert(modules).values({
         id: 'test-module',
         name: 'Test Module',
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -284,7 +284,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -326,7 +326,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -366,7 +366,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -406,7 +406,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -449,7 +449,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 4,
               memory: 4096,
               disk: 128,

package/src/services/infrastructure-selector.ts

@@ -1,5 +1,5 @@
 import type { Module } from '../db/schema';
-import type { ModuleManifest } from '../manifest/schema';
+import { type ModuleManifest, getSingularSystemSpec } from '../manifest/schema';
 import type {
   InfrastructureSelection,
   Machine,
@@ -25,27 +25,26 @@ export class InfrastructureError extends Error {
 function getResourceRequirements(module: Module): ResourceRequirements {
   const manifest = module.manifestData as ModuleManifest;
 
-  // Check for requires.machine
-  const machine = manifest.requires?.machine;
+  const system = getSingularSystemSpec(manifest);
 
-  if (!machine) {
+  if (!system) {
     throw new InfrastructureError(
-      `Module ${module.id} manifest missing requires.machine configuration`,
+      `Module ${module.id} manifest missing requires.system configuration`,
     );
   }
 
-  if (!machine.zone) {
+  if (!system.zone) {
     throw new InfrastructureError(
-      `Module ${module.id} manifest missing requires.machine.zone field`,
+      `Module ${module.id} manifest missing requires.system.zone field`,
     );
   }
 
   return {
-    cpu: machine.cpu ?? 1,
-    memory: machine.memory ?? 1024,
-    disk: machine.disk ?? 10,
-    storage: machine.storage,
-    zone: machine.zone,
+    cpu: system.cpu ?? 1,
+    memory: system.memory ?? 1024,
+    disk: system.disk ?? 10,
+    storage: system.storage,
+    zone: system.zone,
   };
 }
 

package/src/services/module-deploy.ts

@@ -16,7 +16,7 @@ import { loadCapabilityFunctions } from '../hooks/capability-loader';
 import { invokeHook } from '../hooks/executor';
 import { createGaugeLogger } from '../hooks/logger';
 import type { HookDefinition, HookLogger, HookResult } from '../hooks/types';
-import type { ModuleManifest } from '../manifest/schema';
+import { type ModuleManifest, getSingularSystemSpec } from '../manifest/schema';
 import { decryptSecret } from '../secrets/encryption';
 import { getOrCreateMasterKey } from '../secrets/master-key';
 import { buildResolutionContext } from '../variables/context';
@@ -416,7 +416,7 @@ async function deployModuleImpl(
       );
       if (machineDerivable.length > 0) {
         const isFirewall = manifest.provides?.capabilities?.some((cap) => cap.name === 'firewall');
-        const moduleZone = manifest.requires?.machine?.zone;
+        const moduleZone = getSingularSystemSpec(manifest)?.zone;
         const matchedMachine = await findMachineForModule(
           moduleId,
           moduleZone,
@@ -473,7 +473,7 @@ async function deployModuleImpl(
       if (regularConfig.length > 0) {
         // Look up machine for $machine: derivation (earmarked or best match from pool)
         const isFirewall = manifest.provides?.capabilities?.some((cap) => cap.name === 'firewall');
-        const moduleZone = manifest.requires?.machine?.zone;
+        const moduleZone = getSingularSystemSpec(manifest)?.zone;
         const matchedMachine = await findMachineForModule(
           moduleId,
           moduleZone,
@@ -668,7 +668,7 @@ async function deployModuleImpl(
     }
 
     // Config-only modules (no infrastructure requirements) don't need terraform/ansible
-    const isConfigOnly = !manifest.requires?.machine;
+    const isConfigOnly = !getSingularSystemSpec(manifest);
     if (isConfigOnly) {
       log.success('Config-only module — no infrastructure deployment needed');
 

package/src/services/restore-from-file.test.ts

@@ -8,6 +8,7 @@
  * via this service) is an e2e concern, not exercised at the unit level.
  */
 
+import { Database } from 'bun:sqlite';
 import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
 import {
   existsSync,
@@ -38,11 +39,14 @@ describe('applyStagedSystemFiles', () => {
     keyPath = join(dir, 'master.key');
     process.env.CELILO_DB_PATH = livePath;
     process.env.CELILO_MASTER_KEY_PATH = keyPath;
+    process.env.CELILO_DATA_DIR = dir; // getModuleStoragePath() = dir/modules
   });
 
   afterEach(() => {
+    closeDb();
     process.env.CELILO_DB_PATH = undefined;
     process.env.CELILO_MASTER_KEY_PATH = undefined;
+    process.env.CELILO_DATA_DIR = undefined;
     try {
       rmSync(dir, { recursive: true, force: true });
     } catch {
@@ -124,6 +128,48 @@ describe('applyStagedSystemFiles', () => {
     expect(result.dbApplied).toBe(false);
     expect(result.keyApplied).toBe(false);
   });
+
+  it('lays down staged module source dirs at the modules storage path', () => {
+    const stagedSrc = join(stagingDir, 'module_src');
+    mkdirSync(join(stagedSrc, 'caddy', 'scripts'), { recursive: true });
+    writeFileSync(join(stagedSrc, 'caddy', 'manifest.yml'), 'id: caddy');
+    writeFileSync(join(stagedSrc, 'caddy', 'scripts', 'hook.ts'), '// hook');
+
+    const result = applyStagedSystemFiles(stagingDir);
+    expect(result.moduleSourcesApplied).toBe(1);
+    // getModuleStoragePath() = <CELILO_DATA_DIR>/modules = dir/modules.
+    const laid = join(dir, 'modules', 'caddy');
+    expect(readFileSync(join(laid, 'manifest.yml'), 'utf-8')).toBe('id: caddy');
+    expect(readFileSync(join(laid, 'scripts', 'hook.ts'), 'utf-8')).toBe('// hook');
+  });
+
+  it("rewrites every module's source_path to this box on the staged DB before swap", () => {
+    // A real staged SQLite DB whose module points at a FOREIGN (macOS) path —
+    // exactly the macOS→Linux cross-host case ISS-0051 broke on. Build a minimal
+    // self-contained DB (no runMigrations, which would hold a connection and
+    // lock the journal-mode switch the rewrite needs).
+    const stagedDbPath = join(stagingDir, 'celilo.db');
+    const seed = new Database(stagedDbPath);
+    seed.run(
+      'CREATE TABLE modules (id TEXT PRIMARY KEY, name TEXT, version TEXT, manifest_data TEXT, source_path TEXT)',
+    );
+    seed.run(
+      "INSERT INTO modules (id, name, version, manifest_data, source_path) VALUES ('caddy', 'caddy', '2.0.0', '{}', '/Users/someone/Library/Application Support/celilo/modules/caddy')",
+    );
+    seed.close();
+
+    const result = applyStagedSystemFiles(stagingDir);
+    expect(result.dbApplied).toBe(true);
+
+    // The swapped-in live DB must now point at THIS box's modules dir, not the
+    // source box's dead macOS path.
+    const live = new Database(livePath);
+    const row = live.query("SELECT source_path AS sp FROM modules WHERE id = 'caddy'").get() as {
+      sp: string;
+    };
+    live.close();
+    expect(row.sp).toBe(join(dir, 'modules', 'caddy'));
+  });
 });
 
 describe('restoreFromArtifactFile error paths', () => {

package/src/services/restore-from-file.ts

@@ -16,13 +16,18 @@
  * of the restore the hook itself cannot do (live DB is open).
  */
 
+import { Database } from 'bun:sqlite';
 import { execSync } from 'node:child_process';
 import {
   chmodSync,
+  closeSync,
   copyFileSync,
+  cpSync,
   existsSync,
   mkdirSync,
+  openSync,
   readFileSync,
+  readSync,
   readdirSync,
   rmSync,
   writeFileSync,
@@ -30,7 +35,7 @@ import {
 import { tmpdir } from 'node:os';
 import { dirname, join } from 'node:path';
 import { eq } from 'drizzle-orm';
-import { getDbPath, getMasterKeyPath } from '../config/paths';
+import { getDbPath, getMasterKeyPath, getModuleStoragePath } from '../config/paths';
 import { closeDb, getDb } from '../db/client';
 import { runMigrations } from '../db/migrate';
 import { modules } from '../db/schema';
@@ -61,6 +66,8 @@ export interface RestoreFromFileResult {
   masterKeyApplied?: boolean;
   /** Was the fleet SSH keypair restored to <dataDir>/.ssh/? */
   sshKeyApplied?: boolean;
+  /** How many module source dirs were laid down at the target's modules dir. */
+  moduleSourcesApplied?: number;
 }
 
 export interface RestoreFromFileOptions {
@@ -201,10 +208,21 @@ export async function restoreFromArtifactFile(
       hookInputs.cross_module_write_root = crossModuleWriteRoot;
     }
 
-    // 5. Invoke the hook.
+    // 5. Invoke the hook. Resolve the module path from getModuleStoragePath()
+    //    rather than the stored mod.sourcePath (ISS-0052): on a box whose DB was
+    //    produced by a prior restore from ANOTHER box, source_path is that box's
+    //    absolute path (e.g. a macOS /Users/... path on a Linux box), and the
+    //    hook executor's screenshot-dir mkdir then EACCES'es on it. By
+    //    construction (import.ts) the code always lives at
+    //    ${getModuleStoragePath()}/<id>, so resolve there. Falls back to the
+    //    stored path only if the canonical dir is absent (e.g. a custom layout).
+    const canonicalModulePath = join(getModuleStoragePath(), mod.id);
+    const onRestoreModulePath = existsSync(canonicalModulePath)
+      ? canonicalModulePath
+      : mod.sourcePath;
     const logger = createConsoleLogger(mod.id, 'on_restore');
     const hookResult = await invokeHook(
-      mod.sourcePath,
+      onRestoreModulePath,
       'on_restore',
       manifest.celilo_contract,
       hookDef,
@@ -258,6 +276,7 @@ export async function restoreFromArtifactFile(
       systemDbApplied: apply.dbApplied,
       masterKeyApplied: apply.keyApplied,
       sshKeyApplied: apply.sshApplied,
+      moduleSourcesApplied: apply.moduleSourcesApplied,
     };
   } finally {
     try {
@@ -272,6 +291,61 @@ export interface StagedSystemApplyResult {
   dbApplied: boolean;
   keyApplied: boolean;
   sshApplied: boolean;
+  /** How many module source dirs were laid down at the target's modules dir. */
+  moduleSourcesApplied: number;
+}
+
+/** Cheap check for the SQLite file magic without reading the whole DB. */
+function looksLikeSqlite(path: string): boolean {
+  let fd: number;
+  try {
+    fd = openSync(path, 'r');
+  } catch {
+    return false;
+  }
+  try {
+    const buf = Buffer.alloc(16);
+    readSync(fd, buf, 0, 16, 0);
+    // Magic header is "SQLite format 3" (15 bytes) + a NUL terminator.
+    return buf.subarray(0, 15).toString('utf-8') === 'SQLite format 3' && buf[15] === 0;
+  } finally {
+    closeSync(fd);
+  }
+}
+
+/**
+ * Recompute every module's source_path to THIS box's modules dir, on the
+ * STAGED DB file (pre-swap). The artifact carries the SOURCE box's absolute
+ * source_path (e.g. macOS `~/Library/Application Support/celilo/modules/<id>`),
+ * which doesn't exist on a different box/OS — so a restored DB references module
+ * code at a dead path and no deploy can generate. By construction (import.ts)
+ * source_path is always `${dataDir}/modules/<id>`, so it's safe to recompute for
+ * the target; a no-op when the paths already match (same-OS restore).
+ *
+ * Done on the staged file (a fresh connection that's about to be swapped in),
+ * never the live DB, so there's no post-swap in-process reopen (ISS-0037). The
+ * PRAGMA forces commits into the main file (no -wal sibling) so the copy below
+ * captures the rewrite; the live DB re-enters WAL when celilo reopens it.
+ */
+function rewriteStagedModuleSourcePaths(stagedDbPath: string): void {
+  // Tolerate non-SQLite staged files: some callers/tests stage placeholder
+  // bytes to exercise the file-copy path. A real artifact DB always opens
+  // with the "SQLite format 3\0" magic header — skip anything that doesn't
+  // (a valid-header-but-corrupt DB still surfaces by throwing below).
+  if (!looksLikeSqlite(stagedDbPath)) return;
+
+  const moduleStorageBase = getModuleStoragePath();
+  const staged = new Database(stagedDbPath);
+  try {
+    staged.query('PRAGMA journal_mode = DELETE').run();
+    const rows = staged.query('SELECT id FROM modules').all() as Array<{ id: string }>;
+    const update = staged.query('UPDATE modules SET source_path = ? WHERE id = ?');
+    for (const { id } of rows) {
+      update.run(join(moduleStorageBase, id), id);
+    }
+  } finally {
+    staged.close();
+  }
 }
 
 /**
@@ -291,14 +365,16 @@ export function applyStagedSystemFiles(systemStagingDir: string): StagedSystemAp
   let dbApplied = false;
   let keyApplied = false;
   let sshApplied = false;
+  let moduleSourcesApplied = 0;
 
   if (!existsSync(systemStagingDir)) {
-    return { dbApplied, keyApplied, sshApplied };
+    return { dbApplied, keyApplied, sshApplied, moduleSourcesApplied };
   }
 
   const stagedDb = join(systemStagingDir, 'celilo.db');
   const stagedKey = join(systemStagingDir, 'master.key');
   const stagedSsh = join(systemStagingDir, 'ssh');
+  const stagedModuleSrc = join(systemStagingDir, 'module_src');
 
   // master.key first: it's not load-bearing for the running process
   // (already in memory if the daemon's running). Safe to swap before
@@ -329,9 +405,31 @@ export function applyStagedSystemFiles(systemStagingDir: string): StagedSystemAp
     sshApplied = true;
   }
 
+  // Module SOURCE code → lay down at THIS box's modules dir so the restored
+  // box has the code for EVERY module (incl. non-registry ones like lunacycle).
+  // on_backup captured each module's source; without this the restored DB
+  // references modules whose code isn't on disk and no deploy can generate.
+  // The artifact carries no generated/ subtree, so any existing generated/
+  // under a module dir (e.g. restored TF state) is preserved by the merge.
+  if (existsSync(stagedModuleSrc)) {
+    const moduleStorageBase = getModuleStoragePath();
+    mkdirSync(moduleStorageBase, { recursive: true });
+    for (const entry of readdirSync(stagedModuleSrc, { withFileTypes: true })) {
+      if (!entry.isDirectory()) continue;
+      cpSync(join(stagedModuleSrc, entry.name), join(moduleStorageBase, entry.name), {
+        recursive: true,
+      });
+      moduleSourcesApplied += 1;
+    }
+  }
+
   // celilo.db: must close the live DB connection before replacing
   // the file or SQLite gets confused (macOS holds a vnode handle).
   if (existsSync(stagedDb)) {
+    // Reconcile module source_paths to THIS box on the staged file BEFORE the
+    // swap (and before closeDb) — fixes cross-host / cross-OS restores. See
+    // rewriteStagedModuleSourcePaths.
+    rewriteStagedModuleSourcePaths(stagedDb);
     closeDb();
     const livePath = getDbPath();
     mkdirSync(join(livePath, '..'), { recursive: true });
@@ -348,7 +446,7 @@ export function applyStagedSystemFiles(systemStagingDir: string): StagedSystemAp
     dbApplied = true;
   }
 
-  return { dbApplied, keyApplied, sshApplied };
+  return { dbApplied, keyApplied, sshApplied, moduleSourcesApplied };
 }
 
 /**

package/src/services/terraform-safety.ts

@@ -57,8 +57,14 @@ export function validateTerraformPlanSafety(planOutput: string): PlanSafetyResul
       };
     }
 
-    // Rule 2: Only CREATE operations allowed
-    if (action.action !== 'create') {
+    // Rule 2: CREATE and in-place UPDATE are allowed; REPLACE and DELETE are
+    // refused. (ISS-0055) An in-place update — the lifecycle-ignored
+    // computed-attribute redeploy, or a deliberate memory/cpu resize — is safe
+    // and must go through, so the management plane can update containers in
+    // place. Only destroy+recreate (replace) and delete are data-loss
+    // operations we hard-block. The parser matches `replace` before `update`,
+    // so a "must be replaced" plan is still classified as replace and refused.
+    if (action.action !== 'create' && action.action !== 'update') {
       return {
         safe: false,
         error: formatUnsafeOperationError(action),

package/src/services/zone-policy.ts

@@ -101,12 +101,12 @@ export function validateModuleZoneRequirements(
  * Policy function - determines if zone validation applies
  *
  * Zone is required if:
- * - Module specifies requires.machine (infrastructure provisioning)
+ * - Module specifies requires.system (infrastructure provisioning)
  *
  * Zone is optional if:
  * - Module has no infrastructure requirements (e.g., VPS-based modules)
  *
- * @param hasInfrastructureSpec - Whether module has requires.machine
+ * @param hasInfrastructureSpec - Whether module has requires.system
  * @returns True if zone field is required
  */
 export function isZoneRequired(hasInfrastructureSpec: boolean): boolean {

package/src/templates/generator.test.ts

@@ -495,7 +495,7 @@ resource "proxmox_lxc" "container" {
         provides: { capabilities: [] },
         requires: {
           capabilities: [],
-          machine: {
+          system: {
             cpu: 1,
             memory: 1024,
             disk: 10,
@@ -650,7 +650,9 @@ resource "proxmox_lxc" "container" {
       const out = injectProxmoxLxcDns(LXC, true);
       expect(out).toContain('  nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('  lifecycle {');
-      expect(out).toContain('    ignore_changes = [nameserver]');
+      expect(out).toContain(
+        '    ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume]',
+      );
       // Injected immediately after the opening line, before author attributes.
       const lines = out.split('\n');
       expect(lines[0]).toBe('resource "proxmox_lxc" "caddy" {');
@@ -665,7 +667,9 @@ resource "proxmox_lxc" "container" {
       const out = injectProxmoxLxcDns(LXC, false);
       expect(out).not.toContain('nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('  lifecycle {');
-      expect(out).toContain('    ignore_changes = [nameserver]');
+      expect(out).toContain(
+        '    ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume]',
+      );
     });
 
     test('is idempotent — already-injected content is returned unchanged', () => {
@@ -687,8 +691,8 @@ resource "proxmox_lxc" "container" {
       const out = injectProxmoxLxcDns(stale, true);
       // Exactly one nameserver attribute survives.
       expect(out.match(/nameserver\s*=/g)?.length).toBe(1);
-      // The lifecycle guard is still added.
-      expect(out).toContain('ignore_changes = [nameserver]');
+      // The lifecycle guard is still added (ISS-0055 extended the ignore list).
+      expect(out).toContain('ignore_changes = [nameserver,');
     });
 
     test('leaves non-proxmox_lxc resources untouched', () => {
@@ -699,7 +703,7 @@ resource "proxmox_lxc" "container" {
     test('injects into every proxmox_lxc block in a multi-resource file', () => {
       const two = `${LXC}\n\n${LXC.replace('"caddy"', '"forgejo"')}`;
       const out = injectProxmoxLxcDns(two, true);
-      expect(out.match(/ignore_changes = \[nameserver\]/g)?.length).toBe(2);
+      expect(out.match(/ignore_changes = \[nameserver,/g)?.length).toBe(2);
     });
 
     test('matches the indentation of the resource opening line', () => {
@@ -707,7 +711,9 @@ resource "proxmox_lxc" "container" {
       const out = injectProxmoxLxcDns(indented, true);
       expect(out).toContain('    nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('    lifecycle {');
-      expect(out).toContain('      ignore_changes = [nameserver]');
+      expect(out).toContain(
+        '      ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume]',
+      );
     });
   });
 });

package/src/templates/generator.ts

@@ -15,6 +15,7 @@ import {
   moduleInfrastructure,
   modules,
 } from '../db/schema';
+import { getSingularSystemSpec } from '../manifest/schema';
 import type { AnsibleCollection, ModuleManifest } from '../manifest/schema';
 import { validateZoneRequirements } from '../manifest/validate';
 import { selectInfrastructure } from '../services/infrastructure-selector';
@@ -161,7 +162,10 @@ export function getOutputFilename(templateFilename: string): string {
  */
 export function injectProxmoxLxcDns(content: string, hasNameserver: boolean): string {
   // Already injected (idempotent) or author opted into the lifecycle — done.
-  if (content.includes('ignore_changes = [nameserver]')) {
+  // Match the `[nameserver` prefix (no closing bracket) so this stays true
+  // whether the list is the original `[nameserver]` or the ISS-0055-extended
+  // `[nameserver, network[0].hwaddr, …]` — otherwise re-generate double-injects.
+  if (content.includes('ignore_changes = [nameserver')) {
     return content;
   }
 
@@ -181,7 +185,17 @@ export function injectProxmoxLxcDns(content: string, hasNameserver: boolean): st
       injected.push(`${inner}nameserver = "$self:lxc_nameserver"`);
     }
     injected.push(`${inner}lifecycle {`);
-    injected.push(`${inner}  ignore_changes = [nameserver]`);
+    // ISS-0055: ignore the ForceNew attributes Proxmox assigns at create time —
+    // the MAC (network hwaddr) and the rootfs volume path. telmate marks these
+    // ForceNew, so leaving them out of the config makes every re-deploy plan a
+    // destructive REPLACE. Ignoring just these two makes an unchanged re-deploy a
+    // no-op (the computed network id/type stay stable once the block is no longer
+    // being replaced) and a real change (e.g. a memory bump) an in-place UPDATE.
+    // We deliberately do NOT list network[0].id / network[0].type — they aren't
+    // schema attributes in telmate ~>2.9 and `terraform validate` rejects them.
+    // `nameserver` stays for the original DNS reason; `rootfs.size` is NOT ignored
+    // so a disk grow still applies in place.
+    injected.push(`${inner}  ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume]`);
     injected.push(`${inner}}`);
     return injected.join('\n');
   });
@@ -507,9 +521,9 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
 
   // Infrastructure Selection
   // Select infrastructure for this module and store in database
-  // Only required for modules that specify requires.machine (container-based or machine-poolbased)
+  // Only required for modules that specify requires.system (container-based or machine-pool-based)
   let infrastructureSelection: InfrastructureSelection | undefined;
-  const hasResourcesSpec = manifest.requires?.machine;
+  const hasResourcesSpec = getSingularSystemSpec(manifest);
 
   if (hasResourcesSpec) {
     // Check if infrastructure already selected (from previous generation)
@@ -559,7 +573,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
   // IPAM Auto-Allocation
   // Only allocate for Proxmox container services (not Digital Ocean or machines)
   // Digital Ocean gets IPs from Terraform outputs; Proxmox needs local IPAM
-  const zone = manifest.requires?.machine?.zone;
+  const zone = getSingularSystemSpec(manifest)?.zone;
   const hasManualVmid = manifest.variables?.owns?.some((v) => v.name === 'vmid');
   const isContainerService = infrastructureSelection?.type === 'container_service';
 
@@ -1094,7 +1108,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
   // Build infrastructure info for CLI output
   let infrastructureInfo: import('./types').InfrastructureInfo | undefined;
   if (infrastructureSelection) {
-    const zone = manifest.requires?.machine?.zone || 'unknown';
+    const zone = getSingularSystemSpec(manifest)?.zone || 'unknown';
 
     if (infrastructureSelection.type === 'machine' && infrastructureSelection.machineId) {
       const machine = await db