@celilo/cli 0.4.1 → 0.5.0-alpha.1

package/src/services/celilo-mgmt-hooks.test.ts

@@ -152,14 +152,18 @@ describe('celilo-mgmt on_backup', () => {
     expect(result.size_bytes).toBeGreaterThan(0);
   });
 
-  it('captures module SOURCE (excluding generated/) into module_src/', async () => {
+  it('captures LEAN module source (excludes generated/, node_modules/, large build artifacts)', async () => {
     // stateDir = dirname(db_path) = dir; on_backup reads dir/modules/<id>.
     const modSrc = join(dir, 'modules', 'caddy');
-    mkdirSync(join(modSrc, 'scripts'), { recursive: true });
+    mkdirSync(join(modSrc, 'scripts', 'node_modules', '@celilo'), { recursive: true });
     mkdirSync(join(modSrc, 'generated', 'terraform'), { recursive: true });
+    mkdirSync(join(modSrc, 'ansible', 'files'), { recursive: true });
     writeFileSync(join(modSrc, 'manifest.yml'), 'id: caddy');
     writeFileSync(join(modSrc, 'scripts', 'hook.ts'), '// hook');
     writeFileSync(join(modSrc, 'generated', 'terraform', 'main.tf'), 'resource {}');
+    writeFileSync(join(modSrc, 'scripts', 'node_modules', '@celilo', 'dep.js'), '// vendored');
+    // A >2MB "compiled binary" sitting in source — must be skipped by size.
+    writeFileSync(join(modSrc, 'ansible', 'files', 'server-bin'), Buffer.alloc(3 * 1024 * 1024));
 
     const { default: hook } = await import(`${HOOK_DIR}/on_backup.ts`);
     await hook(buildContext({ backup_dir: backupDir, cross_module_root: crossModuleRoot }));
@@ -167,8 +171,15 @@ describe('celilo-mgmt on_backup', () => {
     // Source files captured...
     expect(existsSync(join(backupDir, 'module_src', 'caddy', 'manifest.yml'))).toBe(true);
     expect(existsSync(join(backupDir, 'module_src', 'caddy', 'scripts', 'hook.ts'))).toBe(true);
-    // ...but generated/ excluded (TF state travels via cross_module_state).
+    // ...but build/vendored content excluded (keeps the backup small enough to
+    // not OOM the in-memory tar+encrypt — turnip's full dirs were ~1.6GB).
     expect(existsSync(join(backupDir, 'module_src', 'caddy', 'generated'))).toBe(false);
+    expect(existsSync(join(backupDir, 'module_src', 'caddy', 'scripts', 'node_modules'))).toBe(
+      false,
+    );
+    expect(
+      existsSync(join(backupDir, 'module_src', 'caddy', 'ansible', 'files', 'server-bin')),
+    ).toBe(false);
   });
 
   it('machine-pool.json is valid JSON (array)', async () => {

package/src/services/deploy-preflight.ts

@@ -26,7 +26,7 @@ import { eq } from 'drizzle-orm';
 import type { DbClient } from '../db/client';
 import { getDb } from '../db/client';
 import { capabilities, moduleConfigs, modules, secrets } from '../db/schema';
-import type { ModuleManifest } from '../manifest/schema';
+import { type ModuleManifest, getSingularSystemSpec } from '../manifest/schema';
 import { buildResolutionContext } from '../variables/context';
 import { E2E_CONFLICT_FIX, runningE2eContainers } from './e2e-guard';
 
@@ -241,8 +241,9 @@ export async function runPreflight(
   }
 
   // 5. Infrastructure availability (for modules that need it)
-  if (manifest.requires?.machine) {
-    const zone = manifest.requires.machine.zone;
+  const systemSpec = getSingularSystemSpec(manifest);
+  if (systemSpec) {
+    const zone = systemSpec.zone;
     if (zone) {
       // Simplified check: is there a machine or service for the module's zone?
       // The full infrastructure selector (selectInfrastructure) needs a Module

package/src/services/deployed-systems.test.ts

@@ -60,7 +60,7 @@ function seedProxmoxModule(
       id: opts.id,
       name: opts.id,
       version: '1.0.0',
-      manifestData: { requires: { machine: { zone: opts.zone } } },
+      manifestData: { requires: { system: { zone: opts.zone } } },
       sourcePath: `/tmp/${opts.id}`,
       state: 'VERIFIED',
     })
@@ -180,7 +180,7 @@ describe('backfillModuleSystems', () => {
         id: 'technitium',
         name: 'technitium',
         version: '1.0.0',
-        manifestData: { requires: { machine: { zone: 'internal' } } },
+        manifestData: { requires: { system: { zone: 'internal' } } },
         sourcePath: '/tmp/technitium',
         state: 'VERIFIED',
       })

package/src/services/deployed-systems.ts

@@ -150,7 +150,7 @@ function asZone(value: string | undefined): NetworkZone | null {
  * single sink the old scattered `target_ip` writes collapse into.
  *
  * Transition: every current module declares exactly one system (via
- * `requires.machine`, normalized to name `main`, or one `requires.systems`
+ * `requires.system`, normalized to name `main`, or one `requires.systems`
  * entry), so this records that single host from `hostname` config + the
  * resolved IP. Returns the systems it recorded ([] for an API-only module with
  * no host — e.g. namecheap). See v2/MODULE_SYSTEMS_ADDRESSING.md.

package/src/services/infrastructure-selector.test.ts

@@ -61,7 +61,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -119,7 +119,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -162,7 +162,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -197,7 +197,7 @@ describe('infrastructure-selector', () => {
       const module = (await db.select().from(modules).limit(1))[0] as Module;
 
       await expect(selectInfrastructure(module)).rejects.toThrow(InfrastructureError);
-      await expect(selectInfrastructure(module)).rejects.toThrow(/missing requires.machine/);
+      await expect(selectInfrastructure(module)).rejects.toThrow(/missing requires.system/);
     });
 
     it('throws error when module manifest missing zone', async () => {
@@ -210,7 +210,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -224,20 +224,20 @@ describe('infrastructure-selector', () => {
       const module = (await db.select().from(modules).limit(1))[0] as Module;
 
       await expect(selectInfrastructure(module)).rejects.toThrow(InfrastructureError);
-      await expect(selectInfrastructure(module)).rejects.toThrow(/missing requires.machine.zone/);
+      await expect(selectInfrastructure(module)).rejects.toThrow(/missing requires.system.zone/);
     });
 
-    it('supports requires.machine format', async () => {
+    it('supports requires.system format', async () => {
       const db = createDbClient({ path: testDbPath });
 
-      // Create test module with requires.machine format
+      // Create test module with requires.system format
       await db.insert(modules).values({
         id: 'test-module',
         name: 'Test Module',
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -284,7 +284,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -326,7 +326,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -366,7 +366,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -406,7 +406,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 2,
               memory: 2048,
               disk: 20,
@@ -449,7 +449,7 @@ describe('infrastructure-selector', () => {
         version: '1.0.0',
         manifestData: {
           requires: {
-            machine: {
+            system: {
               cpu: 4,
               memory: 4096,
               disk: 128,

package/src/services/infrastructure-selector.ts

@@ -1,5 +1,5 @@
 import type { Module } from '../db/schema';
-import type { ModuleManifest } from '../manifest/schema';
+import { type ModuleManifest, getSingularSystemSpec } from '../manifest/schema';
 import type {
   InfrastructureSelection,
   Machine,
@@ -25,27 +25,26 @@ export class InfrastructureError extends Error {
 function getResourceRequirements(module: Module): ResourceRequirements {
   const manifest = module.manifestData as ModuleManifest;
 
-  // Check for requires.machine
-  const machine = manifest.requires?.machine;
+  const system = getSingularSystemSpec(manifest);
 
-  if (!machine) {
+  if (!system) {
     throw new InfrastructureError(
-      `Module ${module.id} manifest missing requires.machine configuration`,
+      `Module ${module.id} manifest missing requires.system configuration`,
     );
   }
 
-  if (!machine.zone) {
+  if (!system.zone) {
     throw new InfrastructureError(
-      `Module ${module.id} manifest missing requires.machine.zone field`,
+      `Module ${module.id} manifest missing requires.system.zone field`,
     );
   }
 
   return {
-    cpu: machine.cpu ?? 1,
-    memory: machine.memory ?? 1024,
-    disk: machine.disk ?? 10,
-    storage: machine.storage,
-    zone: machine.zone,
+    cpu: system.cpu ?? 1,
+    memory: system.memory ?? 1024,
+    disk: system.disk ?? 10,
+    storage: system.storage,
+    zone: system.zone,
   };
 }
 

package/src/services/module-deploy.ts

@@ -16,7 +16,7 @@ import { loadCapabilityFunctions } from '../hooks/capability-loader';
 import { invokeHook } from '../hooks/executor';
 import { createGaugeLogger } from '../hooks/logger';
 import type { HookDefinition, HookLogger, HookResult } from '../hooks/types';
-import type { ModuleManifest } from '../manifest/schema';
+import { type ModuleManifest, getSingularSystemSpec } from '../manifest/schema';
 import { decryptSecret } from '../secrets/encryption';
 import { getOrCreateMasterKey } from '../secrets/master-key';
 import { buildResolutionContext } from '../variables/context';
@@ -416,7 +416,7 @@ async function deployModuleImpl(
       );
       if (machineDerivable.length > 0) {
         const isFirewall = manifest.provides?.capabilities?.some((cap) => cap.name === 'firewall');
-        const moduleZone = manifest.requires?.machine?.zone;
+        const moduleZone = getSingularSystemSpec(manifest)?.zone;
         const matchedMachine = await findMachineForModule(
           moduleId,
           moduleZone,
@@ -473,7 +473,7 @@ async function deployModuleImpl(
       if (regularConfig.length > 0) {
         // Look up machine for $machine: derivation (earmarked or best match from pool)
         const isFirewall = manifest.provides?.capabilities?.some((cap) => cap.name === 'firewall');
-        const moduleZone = manifest.requires?.machine?.zone;
+        const moduleZone = getSingularSystemSpec(manifest)?.zone;
         const matchedMachine = await findMachineForModule(
           moduleId,
           moduleZone,
@@ -668,7 +668,7 @@ async function deployModuleImpl(
     }
 
     // Config-only modules (no infrastructure requirements) don't need terraform/ansible
-    const isConfigOnly = !manifest.requires?.machine;
+    const isConfigOnly = !getSingularSystemSpec(manifest);
     if (isConfigOnly) {
       log.success('Config-only module — no infrastructure deployment needed');
 

package/src/services/restore-from-file.ts

@@ -208,10 +208,21 @@ export async function restoreFromArtifactFile(
       hookInputs.cross_module_write_root = crossModuleWriteRoot;
     }
 
-    // 5. Invoke the hook.
+    // 5. Invoke the hook. Resolve the module path from getModuleStoragePath()
+    //    rather than the stored mod.sourcePath (ISS-0052): on a box whose DB was
+    //    produced by a prior restore from ANOTHER box, source_path is that box's
+    //    absolute path (e.g. a macOS /Users/... path on a Linux box), and the
+    //    hook executor's screenshot-dir mkdir then EACCES'es on it. By
+    //    construction (import.ts) the code always lives at
+    //    ${getModuleStoragePath()}/<id>, so resolve there. Falls back to the
+    //    stored path only if the canonical dir is absent (e.g. a custom layout).
+    const canonicalModulePath = join(getModuleStoragePath(), mod.id);
+    const onRestoreModulePath = existsSync(canonicalModulePath)
+      ? canonicalModulePath
+      : mod.sourcePath;
     const logger = createConsoleLogger(mod.id, 'on_restore');
     const hookResult = await invokeHook(
-      mod.sourcePath,
+      onRestoreModulePath,
       'on_restore',
       manifest.celilo_contract,
       hookDef,

package/src/services/terraform-safety.ts

@@ -57,8 +57,14 @@ export function validateTerraformPlanSafety(planOutput: string): PlanSafetyResul
       };
     }
 
-    // Rule 2: Only CREATE operations allowed
-    if (action.action !== 'create') {
+    // Rule 2: CREATE and in-place UPDATE are allowed; REPLACE and DELETE are
+    // refused. (ISS-0055) An in-place update — the lifecycle-ignored
+    // computed-attribute redeploy, or a deliberate memory/cpu resize — is safe
+    // and must go through, so the management plane can update containers in
+    // place. Only destroy+recreate (replace) and delete are data-loss
+    // operations we hard-block. The parser matches `replace` before `update`,
+    // so a "must be replaced" plan is still classified as replace and refused.
+    if (action.action !== 'create' && action.action !== 'update') {
       return {
         safe: false,
         error: formatUnsafeOperationError(action),

package/src/services/zone-policy.ts

@@ -101,12 +101,12 @@ export function validateModuleZoneRequirements(
  * Policy function - determines if zone validation applies
  *
  * Zone is required if:
- * - Module specifies requires.machine (infrastructure provisioning)
+ * - Module specifies requires.system (infrastructure provisioning)
  *
  * Zone is optional if:
  * - Module has no infrastructure requirements (e.g., VPS-based modules)
  *
- * @param hasInfrastructureSpec - Whether module has requires.machine
+ * @param hasInfrastructureSpec - Whether module has requires.system
  * @returns True if zone field is required
  */
 export function isZoneRequired(hasInfrastructureSpec: boolean): boolean {

package/src/templates/generator.test.ts

@@ -12,6 +12,7 @@ import {
   injectProxmoxLxcDns,
   isTemplateFile,
   readTemplateFiles,
+  targetNodeFromTfState,
   writeGeneratedFiles,
 } from './generator';
 import type { GeneratedFile } from './types';
@@ -495,7 +496,7 @@ resource "proxmox_lxc" "container" {
         provides: { capabilities: [] },
         requires: {
           capabilities: [],
-          machine: {
+          system: {
             cpu: 1,
             memory: 1024,
             disk: 10,
@@ -650,7 +651,9 @@ resource "proxmox_lxc" "container" {
       const out = injectProxmoxLxcDns(LXC, true);
       expect(out).toContain('  nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('  lifecycle {');
-      expect(out).toContain('    ignore_changes = [nameserver]');
+      expect(out).toContain(
+        '    ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]',
+      );
       // Injected immediately after the opening line, before author attributes.
       const lines = out.split('\n');
       expect(lines[0]).toBe('resource "proxmox_lxc" "caddy" {');
@@ -665,7 +668,9 @@ resource "proxmox_lxc" "container" {
       const out = injectProxmoxLxcDns(LXC, false);
       expect(out).not.toContain('nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('  lifecycle {');
-      expect(out).toContain('    ignore_changes = [nameserver]');
+      expect(out).toContain(
+        '    ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]',
+      );
     });
 
     test('is idempotent — already-injected content is returned unchanged', () => {
@@ -687,8 +692,8 @@ resource "proxmox_lxc" "container" {
       const out = injectProxmoxLxcDns(stale, true);
       // Exactly one nameserver attribute survives.
       expect(out.match(/nameserver\s*=/g)?.length).toBe(1);
-      // The lifecycle guard is still added.
-      expect(out).toContain('ignore_changes = [nameserver]');
+      // The lifecycle guard is still added (ISS-0055 extended the ignore list).
+      expect(out).toContain('ignore_changes = [nameserver,');
     });
 
     test('leaves non-proxmox_lxc resources untouched', () => {
@@ -699,7 +704,7 @@ resource "proxmox_lxc" "container" {
     test('injects into every proxmox_lxc block in a multi-resource file', () => {
       const two = `${LXC}\n\n${LXC.replace('"caddy"', '"forgejo"')}`;
       const out = injectProxmoxLxcDns(two, true);
-      expect(out.match(/ignore_changes = \[nameserver\]/g)?.length).toBe(2);
+      expect(out.match(/ignore_changes = \[nameserver,/g)?.length).toBe(2);
     });
 
     test('matches the indentation of the resource opening line', () => {
@@ -707,7 +712,35 @@ resource "proxmox_lxc" "container" {
       const out = injectProxmoxLxcDns(indented, true);
       expect(out).toContain('    nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('    lifecycle {');
-      expect(out).toContain('      ignore_changes = [nameserver]');
+      expect(out).toContain(
+        '      ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]',
+      );
     });
   });
 });
+
+describe("targetNodeFromTfState (ISS-0090 — terraform state is celilo's placement record)", () => {
+  test('reads the node from the proxmox_lxc target_node attribute', () => {
+    const state = {
+      resources: [
+        {
+          type: 'proxmox_lxc',
+          instances: [{ attributes: { target_node: 'node2', id: 'node2/lxc/200' } }],
+        },
+      ],
+    };
+    expect(targetNodeFromTfState(state)).toBe('node2');
+  });
+
+  test('falls back to parsing the resource id when target_node is absent', () => {
+    const state = {
+      resources: [{ type: 'proxmox_lxc', instances: [{ attributes: { id: 'node3/lxc/201' } }] }],
+    };
+    expect(targetNodeFromTfState(state)).toBe('node3');
+  });
+
+  test('returns null when there is no proxmox_lxc resource (fresh/empty state)', () => {
+    expect(targetNodeFromTfState({ resources: [] })).toBeNull();
+    expect(targetNodeFromTfState({})).toBeNull();
+  });
+});

package/src/templates/generator.ts

@@ -6,6 +6,7 @@ import { and, eq } from 'drizzle-orm';
 import { generateInventory } from '../ansible/inventory';
 import { generateAnsibleSecrets } from '../ansible/secrets';
 import { log } from '../cli/prompts';
+import { getModuleStoragePath } from '../config/paths';
 import { type DbClient, getDb } from '../db/client';
 import {
   capabilities,
@@ -15,6 +16,7 @@ import {
   moduleInfrastructure,
   modules,
 } from '../db/schema';
+import { getSingularSystemSpec } from '../manifest/schema';
 import type { AnsibleCollection, ModuleManifest } from '../manifest/schema';
 import { validateZoneRequirements } from '../manifest/validate';
 import { selectInfrastructure } from '../services/infrastructure-selector';
@@ -161,7 +163,10 @@ export function getOutputFilename(templateFilename: string): string {
  */
 export function injectProxmoxLxcDns(content: string, hasNameserver: boolean): string {
   // Already injected (idempotent) or author opted into the lifecycle — done.
-  if (content.includes('ignore_changes = [nameserver]')) {
+  // Match the `[nameserver` prefix (no closing bracket) so this stays true
+  // whether the list is the original `[nameserver]` or the ISS-0055-extended
+  // `[nameserver, network[0].hwaddr, …]` — otherwise re-generate double-injects.
+  if (content.includes('ignore_changes = [nameserver')) {
     return content;
   }
 
@@ -181,12 +186,79 @@ export function injectProxmoxLxcDns(content: string, hasNameserver: boolean): st
       injected.push(`${inner}nameserver = "$self:lxc_nameserver"`);
     }
     injected.push(`${inner}lifecycle {`);
-    injected.push(`${inner}  ignore_changes = [nameserver]`);
+    // ISS-0055: ignore the ForceNew attributes Proxmox assigns at create time —
+    // the MAC (network hwaddr) and the rootfs volume path. telmate marks these
+    // ForceNew, so leaving them out of the config makes every re-deploy plan a
+    // destructive REPLACE. Ignoring just these two makes an unchanged re-deploy a
+    // no-op (the computed network id/type stay stable once the block is no longer
+    // being replaced) and a real change (e.g. a memory bump) an in-place UPDATE.
+    // We deliberately do NOT list network[0].id / network[0].type — they aren't
+    // schema attributes in telmate ~>2.9 and `terraform validate` rejects them.
+    // `nameserver` stays for the original DNS reason; `rootfs.size` is NOT ignored
+    // so a disk grow still applies in place.
+    // ISS-0089: also ignore `ssh_public_keys` — it's ForceNew, and on a module
+    // deployed before the current fleet key, the LXC's birth keys differ from the
+    // regenerated config, forcing a spurious REPLACE on redeploy. Rotating the
+    // authorized keys must never recreate the container. We do NOT ignore
+    // `target_node` — a node change is real and is handled by migration (ISS-0090),
+    // never silently dropped.
+    injected.push(
+      `${inner}  ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]`,
+    );
     injected.push(`${inner}}`);
     return injected.join('\n');
   });
 }
 
+/**
+ * Extract the node a proxmox_lxc resource is deployed on from a parsed terraform
+ * state object. Pure logic (Rule 10), split from the file read for testability.
+ * Prefers the explicit `target_node` attribute; falls back to parsing the
+ * resource id (`<node>/lxc/<vmid>`). Returns null when there's no proxmox_lxc
+ * resource (e.g. an empty/fresh state).
+ */
+export function targetNodeFromTfState(state: {
+  resources?: Array<{
+    type?: string;
+    instances?: Array<{ attributes?: { target_node?: string; id?: string } }>;
+  }>;
+}): string | null {
+  const lxc = state.resources?.find((r) => r.type === 'proxmox_lxc');
+  const attrs = lxc?.instances?.[0]?.attributes;
+  if (!attrs) {
+    return null;
+  }
+  if (attrs.target_node) {
+    return attrs.target_node;
+  }
+  // id format: "<node>/lxc/<vmid>"
+  return attrs.id?.split('/')[0] || null;
+}
+
+/**
+ * Read the node a module's container is currently deployed on, from its terraform
+ * state file. This is celilo's authoritative record of placement (ISS-0090).
+ * Returns null when no state exists yet (a first deploy) or it can't be read —
+ * the caller then falls back to the service `default_target_node`.
+ */
+async function readDeployedTargetNode(moduleId: string): Promise<string | null> {
+  const statePath = join(
+    getModuleStoragePath(),
+    moduleId,
+    'generated',
+    'terraform',
+    'terraform.tfstate',
+  );
+  if (!existsSync(statePath)) {
+    return null;
+  }
+  try {
+    return targetNodeFromTfState(JSON.parse(await readFile(statePath, 'utf-8')));
+  } catch {
+    return null;
+  }
+}
+
 /**
  * Discover template files in directory recursively
  *
@@ -507,9 +579,9 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
 
   // Infrastructure Selection
   // Select infrastructure for this module and store in database
-  // Only required for modules that specify requires.machine (container-based or machine-poolbased)
+  // Only required for modules that specify requires.system (container-based or machine-pool-based)
   let infrastructureSelection: InfrastructureSelection | undefined;
-  const hasResourcesSpec = manifest.requires?.machine;
+  const hasResourcesSpec = getSingularSystemSpec(manifest);
 
   if (hasResourcesSpec) {
     // Check if infrastructure already selected (from previous generation)
@@ -559,7 +631,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
   // IPAM Auto-Allocation
   // Only allocate for Proxmox container services (not Digital Ocean or machines)
   // Digital Ocean gets IPs from Terraform outputs; Proxmox needs local IPAM
-  const zone = manifest.requires?.machine?.zone;
+  const zone = getSingularSystemSpec(manifest)?.zone;
   const hasManualVmid = manifest.variables?.owns?.some((v) => v.name === 'vmid');
   const isContainerService = infrastructureSelection?.type === 'container_service';
 
@@ -624,9 +696,28 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
         storage: string;
       };
 
+      // ISS-0090: target the node the container ACTUALLY lives on, not the
+      // service default. `default_target_node` governs only NEW placement; a
+      // changed default must NEVER relocate a running system. celilo's terraform
+      // state is its authoritative record of where it placed this container (kept
+      // in sync by deploy and by `module migrate`), so read the deployed node from
+      // there. Fall back to the default only when there's no state yet — a first
+      // deploy. Deliberate relocation is an explicit `module migrate`, not a
+      // side-effect of the default changing.
+      let targetNode = providerConfig.default_target_node;
+      const deployedNode = await readDeployedTargetNode(moduleId);
+      if (deployedNode) {
+        if (deployedNode !== targetNode) {
+          log.info(
+            `${moduleId} is already deployed on node '${deployedNode}' — targeting it (service default is '${providerConfig.default_target_node}'). Relocating requires a deliberate migration.`,
+          );
+        }
+        targetNode = deployedNode;
+      }
+
       // Store provider config values as temporary config (similar to IPAM allocation)
       const infraProperties = [
-        { key: 'target_node', value: providerConfig.default_target_node },
+        { key: 'target_node', value: targetNode },
         { key: 'lxc_template', value: providerConfig.lxc_template },
         { key: 'storage', value: providerConfig.storage },
       ];
@@ -635,9 +726,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
         upsertModuleConfig(db, moduleId, `__infra_${prop.key}`, prop.value);
       }
 
-      log.success(
-        `Infrastructure properties resolved from service: target_node=${providerConfig.default_target_node}`,
-      );
+      log.success(`Infrastructure properties resolved from service: target_node=${targetNode}`);
     }
   }
 
@@ -1094,7 +1183,7 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
   // Build infrastructure info for CLI output
   let infrastructureInfo: import('./types').InfrastructureInfo | undefined;
   if (infrastructureSelection) {
-    const zone = manifest.requires?.machine?.zone || 'unknown';
+    const zone = getSingularSystemSpec(manifest)?.zone || 'unknown';
 
     if (infrastructureSelection.type === 'machine' && infrastructureSelection.machineId) {
       const machine = await db