@celilo/cli 0.5.0-alpha.0 → 0.5.0-alpha.2

package/src/services/events-daemon.test.ts

@@ -8,6 +8,7 @@ import {
   readInstalledUnit,
   renderLaunchdPlist,
   renderSystemdUnit,
+  resolveRunAsUser,
   uninstallDaemon,
 } from './events-daemon';
 
@@ -19,6 +20,7 @@ describe('renderSystemdUnit', () => {
       pollMs: 1000,
       concurrency: 4,
       home: '/home/op',
+      scope: 'user',
     });
     expect(out).toContain(
       'ExecStart=/usr/local/bin/celilo events run --poll-ms 1000 --concurrency 4',
@@ -26,6 +28,7 @@ describe('renderSystemdUnit', () => {
     expect(out).toContain('Environment=EVENT_BUS_DB=/var/lib/celilo/events.db');
     expect(out).toContain('Restart=on-failure');
     expect(out).toContain('WantedBy=default.target');
+    expect(out).not.toContain('User=');
   });
 
   it('honors --poll-ms and --concurrency overrides', () => {
@@ -35,9 +38,26 @@ describe('renderSystemdUnit', () => {
       pollMs: 250,
       concurrency: 8,
       home: '/h',
+      scope: 'user',
     });
     expect(out).toContain('--poll-ms 250 --concurrency 8');
   });
+
+  it('system scope sets explicit User= and multi-user.target', () => {
+    const out = renderSystemdUnit({
+      celiloPath: '/usr/local/bin/celilo',
+      busDbPath: '/var/celilo/events.db',
+      pollMs: 1000,
+      concurrency: 4,
+      home: '/root',
+      scope: 'system',
+      runAsUser: 'celilo',
+    });
+    expect(out).toContain('User=celilo');
+    expect(out).toContain('WantedBy=multi-user.target');
+    expect(out).toContain('journalctl -u celilo-events.service');
+    expect(out).not.toContain('journalctl --user');
+  });
 });
 
 describe('renderLaunchdPlist', () => {
@@ -48,6 +68,7 @@ describe('renderLaunchdPlist', () => {
       pollMs: 1000,
       concurrency: 4,
       home: '/Users/op',
+      scope: 'user',
     });
     expect(out).toContain('<string>/Users/op/Library/Logs/celilo-events.out.log</string>');
     expect(out).toContain('<string>/Users/op/Library/Logs/celilo-events.err.log</string>');
@@ -55,6 +76,24 @@ describe('renderLaunchdPlist', () => {
     expect(out).toContain('<string>com.celilo.events</string>');
     expect(out).toContain('<key>RunAtLoad</key>');
     expect(out).toContain('<key>KeepAlive</key>');
+    expect(out).not.toContain('<key>UserName</key>');
+  });
+
+  it('system scope sets UserName and logs under /Library/Logs', () => {
+    const out = renderLaunchdPlist({
+      celiloPath: '/c',
+      busDbPath: '/db',
+      pollMs: 1000,
+      concurrency: 4,
+      home: '/Users/op',
+      scope: 'system',
+      runAsUser: 'celilo',
+    });
+    expect(out).toContain('<key>UserName</key>');
+    expect(out).toContain('<string>celilo</string>');
+    expect(out).toContain('<string>/Library/Logs/celilo-events.out.log</string>');
+    expect(out).toContain('<string>/Library/Logs/celilo-events.err.log</string>');
+    expect(out).not.toContain('/Users/op/Library/Logs');
   });
 });
 
@@ -69,6 +108,24 @@ describe('getDaemonUnitPath', () => {
       '/Users/op/Library/LaunchAgents/com.celilo.events.plist',
     );
   });
+  it('returns the system paths for system scope', () => {
+    expect(getDaemonUnitPath('linux', '/home/op', 'system')).toBe(
+      '/etc/systemd/system/celilo-events.service',
+    );
+    expect(getDaemonUnitPath('darwin', '/Users/op', 'system')).toBe(
+      '/Library/LaunchDaemons/com.celilo.events.plist',
+    );
+  });
+});
+
+describe('resolveRunAsUser', () => {
+  it('honors an explicit override', () => {
+    expect(resolveRunAsUser('/var/celilo/events.db', 'celilo')).toBe('celilo');
+  });
+  it('falls back to the current user when the state dir is missing', () => {
+    const me = resolveRunAsUser('/no/such/dir/events.db');
+    expect(me.length).toBeGreaterThan(0);
+  });
 });
 
 describe('installDaemon / uninstallDaemon roundtrip', () => {
@@ -99,6 +156,8 @@ describe('installDaemon / uninstallDaemon roundtrip', () => {
       busDbPath: '/var/lib/celilo/events.db',
     });
     expect(existsSync(installed.unitPath)).toBe(true);
+    expect(installed.scope).toBe('user');
+    expect(installed.runAsUser).toBeUndefined();
     expect(installed.unitPath).toBe(join(home, '.config/systemd/user/celilo-events.service'));
     expect(installed.nextSteps[0]).toContain('systemctl --user daemon-reload');
 

package/src/services/events-daemon.ts

@@ -1,10 +1,20 @@
 /**
- * Generate and install / uninstall a per-user supervisor unit for the
- * SQLite event-bus dispatcher. Linux gets a systemd user unit; macOS
- * gets a launchd plist. The command WRITES the unit file but never
- * touches the supervisor state — the operator runs `systemctl --user
- * enable --now celilo-events` (or `launchctl load`) themselves so the
- * effect is visible.
+ * Generate and install / uninstall a supervisor unit for the SQLite
+ * event-bus dispatcher. Linux gets a systemd unit; macOS gets a
+ * launchd plist. The command WRITES the unit file but never touches
+ * the supervisor state — the operator (or the celilo-mgmt Ansible
+ * role) runs the enable/bootstrap steps themselves so the effect is
+ * visible.
+ *
+ * Two scopes (designs/DISPATCHER_DAEMON_AND_TIMER_EVENTS.md A1):
+ *   - `user` (default): per-user unit under $HOME — dev-laptop shape.
+ *     Dies with the login session unless lingering is enabled.
+ *   - `system`: /etc/systemd/system unit (Linux) or a root-owned
+ *     /Library/LaunchDaemons plist (macOS) — the management-plane
+ *     shape; survives logout and reboot. The unit pins an explicit
+ *     run-as user (the celilo state-dir owner) so every handler
+ *     subprocess the dispatcher spawns stays signalable by that user
+ *     (ISS-0068 / A1b).
  *
  * Why split write-vs-enable: a celilo command silently flipping
  * systemd state would be hard to reason about during incidents. Pure
@@ -12,17 +22,28 @@
  * predictable.
  */
 
-import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from 'node:fs';
-import { homedir, platform as nodePlatform } from 'node:os';
+import { execFileSync } from 'node:child_process';
+import { existsSync, mkdirSync, readFileSync, statSync, unlinkSync, writeFileSync } from 'node:fs';
+import { homedir, platform as nodePlatform, userInfo } from 'node:os';
 import { dirname, join } from 'node:path';
 import { getEventBusPath } from '../config/paths';
 
 export type SupervisorPlatform = 'linux' | 'darwin';
+export type SupervisorScope = 'user' | 'system';
 
 export interface InstallDaemonOptions {
   celiloPath?: string;
   pollMs?: number;
   concurrency?: number;
+  /** Unit scope. Defaults to `user`. */
+  scope?: SupervisorScope;
+  /**
+   * Run-as user for system-scope units. Defaults to the owner of the
+   * bus DB's directory (the celilo state dir) — `celilo` on a
+   * deb-bootstrapped box, root on a local install. Ignored for user
+   * scope (user units already run as their owner).
+   */
+  runAsUser?: string;
   /** Override platform detection. Mainly for tests. */
   platform?: SupervisorPlatform;
   /** Override the bus DB path. Defaults to celilo's getEventBusPath(). */
@@ -33,15 +54,19 @@ export interface InstallDaemonOptions {
 
 export interface InstallDaemonResult {
   platform: SupervisorPlatform;
+  scope: SupervisorScope;
   unitPath: string;
   unitContent: string;
   celiloPath: string;
   busDbPath: string;
+  /** Explicit run-as user for system scope; undefined for user scope. */
+  runAsUser?: string;
   nextSteps: string[];
 }
 
 export interface UninstallDaemonResult {
   platform: SupervisorPlatform;
+  scope: SupervisorScope;
   unitPath: string;
   removed: boolean;
   nextSteps: string[];
@@ -59,19 +84,27 @@ export function detectPlatform(): SupervisorPlatform {
   if (p === 'linux') return 'linux';
   if (p === 'darwin') return 'darwin';
   throw new Error(
-    `celilo events daemon: unsupported platform "${p}". Only linux (systemd user) and darwin (launchd) are supported in v1.`,
+    `celilo events daemon: unsupported platform "${p}". Only linux (systemd) and darwin (launchd) are supported in v1.`,
   );
 }
 
 /**
- * Resolve where to write the unit file for a given platform + user.
- * User-mode locations only; system-wide is opt-in for a future phase.
+ * Resolve where to write the unit file for a given platform + scope.
+ * `home` only matters for user scope; system paths are fixed.
  */
-export function getDaemonUnitPath(platform: SupervisorPlatform, home: string): string {
+export function getDaemonUnitPath(
+  platform: SupervisorPlatform,
+  home: string,
+  scope: SupervisorScope = 'user',
+): string {
   if (platform === 'linux') {
-    return join(home, '.config', 'systemd', 'user', SYSTEMD_UNIT_NAME);
+    return scope === 'system'
+      ? join('/etc/systemd/system', SYSTEMD_UNIT_NAME)
+      : join(home, '.config', 'systemd', 'user', SYSTEMD_UNIT_NAME);
   }
-  return join(home, 'Library', 'LaunchAgents', `${LAUNCHD_LABEL}.plist`);
+  return scope === 'system'
+    ? join('/Library/LaunchDaemons', `${LAUNCHD_LABEL}.plist`)
+    : join(home, 'Library', 'LaunchAgents', `${LAUNCHD_LABEL}.plist`);
 }
 
 /**
@@ -100,15 +133,42 @@ export function resolveCeliloPath(override?: string): string {
   return found;
 }
 
+/**
+ * Run-as user for a system-scope unit: the owner of the celilo state
+ * dir (the bus DB's directory). Falls back to the current user when
+ * the dir doesn't exist yet or the uid can't be resolved to a name —
+ * a fresh dev box where nothing has been bootstrapped.
+ */
+export function resolveRunAsUser(busDbPath: string, override?: string): string {
+  if (override) return override;
+  try {
+    const ownerUid = statSync(dirname(busDbPath)).uid;
+    if (ownerUid === process.getuid?.()) return userInfo().username;
+    const name = execFileSync('id', ['-nu', String(ownerUid)], { encoding: 'utf-8' }).trim();
+    if (name) return name;
+  } catch {
+    // State dir missing or uid unresolvable — fall through.
+  }
+  return userInfo().username;
+}
+
 interface UnitInputs {
   celiloPath: string;
   busDbPath: string;
   pollMs: number;
   concurrency: number;
   home: string;
+  scope: SupervisorScope;
+  /** Required for system scope; ignored for user scope. */
+  runAsUser?: string;
 }
 
 export function renderSystemdUnit(input: UnitInputs): string {
+  const userLine = input.scope === 'system' && input.runAsUser ? `User=${input.runAsUser}\n` : '';
+  const journalHint =
+    input.scope === 'system'
+      ? `journalctl -u ${SYSTEMD_UNIT_NAME}`
+      : `journalctl --user -u ${SYSTEMD_UNIT_NAME}`;
   return `[Unit]
 Description=Celilo SQLite Event Bus Dispatcher
 Documentation=https://github.com/psbanka/infra/blob/main/design/SQLITE_EVENT_BUS.md
@@ -116,30 +176,36 @@ After=network.target
 
 [Service]
 Type=simple
-ExecStart=${input.celiloPath} events run --poll-ms ${input.pollMs} --concurrency ${input.concurrency}
+${userLine}ExecStart=${input.celiloPath} events run --poll-ms ${input.pollMs} --concurrency ${input.concurrency}
 Restart=on-failure
 RestartSec=10s
 Environment=EVENT_BUS_DB=${input.busDbPath}
-# stdout/stderr are captured by journalctl --user -u celilo-events.service.
+# stdout/stderr are captured by ${journalHint}.
 StandardOutput=journal
 StandardError=journal
 
 [Install]
-WantedBy=default.target
+WantedBy=${input.scope === 'system' ? 'multi-user.target' : 'default.target'}
 `;
 }
 
 export function renderLaunchdPlist(input: UnitInputs): string {
-  const logDir = join(input.home, 'Library', 'Logs');
-  // Indentation matters very little to launchd but we want it readable
-  // when an operator opens the file manually to debug.
+  // System daemons log under /Library/Logs (no $HOME at boot); user
+  // agents under the user's Library/Logs. Indentation matters very
+  // little to launchd but we want it readable when an operator opens
+  // the file manually to debug.
+  const logDir = input.scope === 'system' ? '/Library/Logs' : join(input.home, 'Library', 'Logs');
+  const userNameBlock =
+    input.scope === 'system' && input.runAsUser
+      ? `  <key>UserName</key>\n  <string>${input.runAsUser}</string>\n`
+      : '';
   return `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
   <key>Label</key>
   <string>${LAUNCHD_LABEL}</string>
-  <key>ProgramArguments</key>
+${userNameBlock}  <key>ProgramArguments</key>
   <array>
     <string>${input.celiloPath}</string>
     <string>events</string>
@@ -167,50 +233,105 @@ export function renderLaunchdPlist(input: UnitInputs): string {
 `;
 }
 
+function nextStepsFor(
+  platform: SupervisorPlatform,
+  scope: SupervisorScope,
+  unitPath: string,
+): string[] {
+  if (platform === 'linux') {
+    return scope === 'system'
+      ? [
+          'Reload systemd:  sudo systemctl daemon-reload',
+          `Enable + start:  sudo systemctl enable --now ${SYSTEMD_UNIT_NAME}`,
+          `Tail logs:       journalctl -u ${SYSTEMD_UNIT_NAME} -f`,
+          `Status:          systemctl status ${SYSTEMD_UNIT_NAME}`,
+        ]
+      : [
+          'Reload systemd:  systemctl --user daemon-reload',
+          `Enable + start:  systemctl --user enable --now ${SYSTEMD_UNIT_NAME}`,
+          `Tail logs:       journalctl --user -u ${SYSTEMD_UNIT_NAME} -f`,
+          `Status:          systemctl --user status ${SYSTEMD_UNIT_NAME}`,
+        ];
+  }
+  return scope === 'system'
+    ? [
+        `Load + start:    sudo launchctl bootstrap system ${unitPath}`,
+        'Tail stdout:     tail -f /Library/Logs/celilo-events.out.log',
+        'Tail stderr:     tail -f /Library/Logs/celilo-events.err.log',
+        `Status:          sudo launchctl print system/${LAUNCHD_LABEL}`,
+      ]
+    : [
+        `Load + start:    launchctl load -w ${unitPath}`,
+        'Tail stdout:     tail -f ~/Library/Logs/celilo-events.out.log',
+        'Tail stderr:     tail -f ~/Library/Logs/celilo-events.err.log',
+        `Status:          launchctl list | grep ${LAUNCHD_LABEL}`,
+      ];
+}
+
 /**
- * Write the supervisor unit file. Idempotent: rewrites if present.
- * Returns the path written + the operator-facing next steps.
+ * Resolve everything an install would do — platform, paths, run-as
+ * user, rendered unit content — WITHOUT writing anything. This is the
+ * single renderer behind both `installDaemon` and the CLI's `--print`
+ * mode, which the celilo-mgmt Ansible role uses: the deb wrapper drops
+ * to the unprivileged celilo user, so the role renders via `--print`
+ * and performs the root-owned write itself with `copy:`.
  */
-export function installDaemon(opts: InstallDaemonOptions = {}): InstallDaemonResult {
+export function planDaemonInstall(opts: InstallDaemonOptions = {}): InstallDaemonResult {
   const platform = opts.platform ?? detectPlatform();
+  const scope = opts.scope ?? 'user';
   const home = opts.home ?? homedir();
   const celiloPath = resolveCeliloPath(opts.celiloPath);
   const busDbPath = opts.busDbPath ?? getEventBusPath();
   const pollMs = opts.pollMs ?? 1000;
   const concurrency = opts.concurrency ?? 4;
+  const runAsUser = scope === 'system' ? resolveRunAsUser(busDbPath, opts.runAsUser) : undefined;
 
-  const unitPath = getDaemonUnitPath(platform, home);
-  const unitInputs: UnitInputs = { celiloPath, busDbPath, pollMs, concurrency, home };
+  const unitPath = getDaemonUnitPath(platform, home, scope);
+  const unitInputs: UnitInputs = {
+    celiloPath,
+    busDbPath,
+    pollMs,
+    concurrency,
+    home,
+    scope,
+    runAsUser,
+  };
   const unitContent =
     platform === 'linux' ? renderSystemdUnit(unitInputs) : renderLaunchdPlist(unitInputs);
 
-  mkdirSync(dirname(unitPath), { recursive: true });
-  writeFileSync(unitPath, unitContent, { mode: 0o644 });
-
-  const nextSteps =
-    platform === 'linux'
-      ? [
-          'Reload systemd:  systemctl --user daemon-reload',
-          `Enable + start:  systemctl --user enable --now ${SYSTEMD_UNIT_NAME}`,
-          `Tail logs:       journalctl --user -u ${SYSTEMD_UNIT_NAME} -f`,
-          `Status:          systemctl --user status ${SYSTEMD_UNIT_NAME}`,
-        ]
-      : [
-          `Load + start:    launchctl load -w ${unitPath}`,
-          'Tail stdout:     tail -f ~/Library/Logs/celilo-events.out.log',
-          'Tail stderr:     tail -f ~/Library/Logs/celilo-events.err.log',
-          `Status:          launchctl list | grep ${LAUNCHD_LABEL}`,
-        ];
+  return {
+    platform,
+    scope,
+    unitPath,
+    unitContent,
+    celiloPath,
+    busDbPath,
+    runAsUser,
+    nextSteps: nextStepsFor(platform, scope, unitPath),
+  };
+}
 
-  return { platform, unitPath, unitContent, celiloPath, busDbPath, nextSteps };
+/**
+ * Write the supervisor unit file. Idempotent: rewrites if present.
+ * Returns the path written + the operator-facing next steps.
+ *
+ * System scope writes root-owned paths (/etc/systemd/system,
+ * /Library/LaunchDaemons) — run as root or the write fails loudly.
+ */
+export function installDaemon(opts: InstallDaemonOptions = {}): InstallDaemonResult {
+  const plan = planDaemonInstall(opts);
+  mkdirSync(dirname(plan.unitPath), { recursive: true });
+  writeFileSync(plan.unitPath, plan.unitContent, { mode: 0o644 });
+  return plan;
 }
 
 export function uninstallDaemon(
-  opts: { platform?: SupervisorPlatform; home?: string } = {},
+  opts: { platform?: SupervisorPlatform; scope?: SupervisorScope; home?: string } = {},
 ): UninstallDaemonResult {
   const platform = opts.platform ?? detectPlatform();
+  const scope = opts.scope ?? 'user';
   const home = opts.home ?? homedir();
-  const unitPath = getDaemonUnitPath(platform, home);
+  const unitPath = getDaemonUnitPath(platform, home, scope);
 
   let removed = false;
   if (existsSync(unitPath)) {
@@ -218,27 +339,40 @@ export function uninstallDaemon(
     removed = true;
   }
 
-  const nextSteps =
-    platform === 'linux'
-      ? removed
+  let nextSteps: string[];
+  if (!removed) {
+    nextSteps =
+      platform === 'linux'
+        ? ['No unit file present; nothing to clean up.']
+        : ['No plist present; nothing to clean up.'];
+  } else if (platform === 'linux') {
+    nextSteps =
+      scope === 'system'
         ? [
+            `Disable + stop:  sudo systemctl disable --now ${SYSTEMD_UNIT_NAME}`,
+            'Reload systemd:  sudo systemctl daemon-reload',
+          ]
+        : [
             `Disable + stop:  systemctl --user disable --now ${SYSTEMD_UNIT_NAME}`,
             'Reload systemd:  systemctl --user daemon-reload',
-          ]
-        : ['No unit file present; nothing to clean up.']
-      : removed
-        ? [`Unload:          launchctl unload ${unitPath}`]
-        : ['No plist present; nothing to clean up.'];
+          ];
+  } else {
+    nextSteps =
+      scope === 'system'
+        ? [`Unload:          sudo launchctl bootout system/${LAUNCHD_LABEL}`]
+        : [`Unload:          launchctl unload ${unitPath}`];
+  }
 
-  return { platform, unitPath, removed, nextSteps };
+  return { platform, scope, unitPath, removed, nextSteps };
 }
 
 export function readInstalledUnit(
-  opts: { platform?: SupervisorPlatform; home?: string } = {},
+  opts: { platform?: SupervisorPlatform; scope?: SupervisorScope; home?: string } = {},
 ): { exists: true; path: string; content: string } | { exists: false; path: string } {
   const platform = opts.platform ?? detectPlatform();
+  const scope = opts.scope ?? 'user';
   const home = opts.home ?? homedir();
-  const unitPath = getDaemonUnitPath(platform, home);
+  const unitPath = getDaemonUnitPath(platform, home, scope);
   if (!existsSync(unitPath)) return { exists: false, path: unitPath };
   return { exists: true, path: unitPath, content: readFileSync(unitPath, 'utf-8') };
 }

package/src/services/module-validator/capability-versions.test.ts

@@ -31,7 +31,7 @@ describe('validateCapabilityVersions', () => {
     expect(errors).toHaveLength(1);
     expect(errors[0]).toContain('provides[public_web]');
     expect(errors[0]).toContain('1.0.0');
-    expect(errors[0]).toContain('3.0.0');
+    expect(errors[0]).toContain('3.1.0');
   });
 
   test('error when provides[X].version is newer than runtime', () => {

package/src/templates/generator.test.ts

@@ -12,6 +12,7 @@ import {
   injectProxmoxLxcDns,
   isTemplateFile,
   readTemplateFiles,
+  targetNodeFromTfState,
   writeGeneratedFiles,
 } from './generator';
 import type { GeneratedFile } from './types';
@@ -651,7 +652,7 @@ resource "proxmox_lxc" "container" {
       expect(out).toContain('  nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('  lifecycle {');
       expect(out).toContain(
-        '    ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume]',
+        '    ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]',
       );
       // Injected immediately after the opening line, before author attributes.
       const lines = out.split('\n');
@@ -668,7 +669,7 @@ resource "proxmox_lxc" "container" {
       expect(out).not.toContain('nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('  lifecycle {');
       expect(out).toContain(
-        '    ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume]',
+        '    ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]',
       );
     });
 
@@ -712,8 +713,34 @@ resource "proxmox_lxc" "container" {
       expect(out).toContain('    nameserver = "$self:lxc_nameserver"');
       expect(out).toContain('    lifecycle {');
       expect(out).toContain(
-        '      ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume]',
+        '      ignore_changes = [nameserver, network[0].hwaddr, rootfs[0].volume, ssh_public_keys]',
       );
     });
   });
 });
+
+describe("targetNodeFromTfState (ISS-0090 — terraform state is celilo's placement record)", () => {
+  test('reads the node from the proxmox_lxc target_node attribute', () => {
+    const state = {
+      resources: [
+        {
+          type: 'proxmox_lxc',
+          instances: [{ attributes: { target_node: 'node2', id: 'node2/lxc/200' } }],
+        },
+      ],
+    };
+    expect(targetNodeFromTfState(state)).toBe('node2');
+  });
+
+  test('falls back to parsing the resource id when target_node is absent', () => {
+    const state = {
+      resources: [{ type: 'proxmox_lxc', instances: [{ attributes: { id: 'node3/lxc/201' } }] }],
+    };
+    expect(targetNodeFromTfState(state)).toBe('node3');
+  });
+
+  test('returns null when there is no proxmox_lxc resource (fresh/empty state)', () => {
+    expect(targetNodeFromTfState({ resources: [] })).toBeNull();
+    expect(targetNodeFromTfState({})).toBeNull();
+  });
+});