@celilo/cli 0.5.0-alpha.4 → 0.5.0-alpha.5

package/drizzle/0010_dns_internal_records.sql

@@ -0,0 +1,12 @@
+CREATE TABLE `dns_internal_records` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`provider_module_id` text NOT NULL,
+	`consumer_module_id` text NOT NULL,
+	`host` text NOT NULL,
+	`ip` text NOT NULL,
+	`registered_at` integer DEFAULT (unixepoch()) NOT NULL,
+	FOREIGN KEY (`provider_module_id`) REFERENCES `modules`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`consumer_module_id`) REFERENCES `modules`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `dns_internal_records_provider_host_idx` ON `dns_internal_records` (`provider_module_id`,`host`);

package/drizzle/0011_backups_name.sql

@@ -0,0 +1 @@
+ALTER TABLE `backups` ADD `name` text;

package/drizzle/meta/_journal.json

@@ -71,6 +71,20 @@
       "when": 1781280898000,
       "tag": "0009_dns_registrations",
       "breakpoints": true
+    },
+    {
+      "idx": 10,
+      "version": "6",
+      "when": 1781481600000,
+      "tag": "0010_dns_internal_records",
+      "breakpoints": true
+    },
+    {
+      "idx": 11,
+      "version": "6",
+      "when": 1781481660000,
+      "tag": "0011_backups_name",
+      "breakpoints": true
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.5.0-alpha.4",
+  "version": "0.5.0-alpha.5",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {
@@ -52,7 +52,7 @@
   },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.1024.0",
-    "@celilo/capabilities": "^0.4.2",
+    "@celilo/capabilities": "^0.4.1",
     "@celilo/cli-display": "^0.1.9",
     "@celilo/event-bus": "^0.1.6",
     "@clack/prompts": "^1.1.0",

package/src/cli/command-registry.ts

@@ -956,14 +956,25 @@ export const COMMANDS: CommandDef[] = [
           },
         ],
       },
+      {
+        name: 'migrate',
+        description: 'Apply pending database migrations (idempotent; safe to re-run)',
+      },
       {
         name: 'doctor',
-        description: 'Diagnose system prerequisites and @celilo/* version drift',
+        description:
+          'Diagnose system prerequisites, @celilo/* version drift, and (on a management plane) fleet-runtime drift',
         flags: [
           {
             name: 'fix',
             description:
-              'Repair drift by `bun link`-ing each drifted @celilo/* package from the workspace',
+              'Repair the auto-fixable findings: `bun link` drifted @celilo/* packages and resync bus subscribers',
+            takesValue: false,
+          },
+          {
+            name: 'fleet',
+            description:
+              'Force the fleet-runtime section (dispatcher, subscribers, capability chains) even without a celilo DB',
             takesValue: false,
           },
         ],

package/src/cli/commands/system-doctor.ts

@@ -30,10 +30,20 @@
  */
 
 import { spawnSync } from 'node:child_process';
-import { existsSync, readFileSync } from 'node:fs';
+import { existsSync, readFileSync, statSync } from 'node:fs';
 import { createRequire } from 'node:module';
 import { dirname, join, resolve } from 'node:path';
+import { defineEvents, openBus } from '@celilo/event-bus';
 import cliPkg from '../../../package.json' with { type: 'json' };
+import { getDbPath, getEventBusPath } from '../../config/paths';
+import { getDb } from '../../db/client';
+import {
+  type FleetFinding,
+  type FleetFindingStatus,
+  checkSubscribers,
+  runFleetChecks,
+} from '../../services/fleet-checks';
+import { resyncAllSubscriptions } from '../../services/module-subscriptions';
 import { checkAllPrerequisites, failingPrerequisites } from '../../system/prereqs';
 import type { CommandResult } from '../types';
 
@@ -296,6 +306,93 @@ function renderPrereqSection(): { lines: string[]; failingCount: number } {
   return { lines, failingCount: failingPrerequisites(checks).length };
 }
 
+/**
+ * mtime (ms) of the installed dispatcher code (`@celilo/event-bus`
+ * package.json). The fleet dispatcher check compares this against the
+ * running dispatcher's start time to spot a process on stale code. Null
+ * when the package can't be located (the staleness aspect is then skipped).
+ */
+function installedEventBusMtime(): number | null {
+  try {
+    const require = createRequire(import.meta.url);
+    return statSync(require.resolve('@celilo/event-bus/package.json')).mtimeMs;
+  } catch {
+    return null;
+  }
+}
+
+const FLEET_GLYPH: Record<FleetFindingStatus, string> = {
+  ok: `${ANSI.green}✔${ANSI.reset}`,
+  warn: `${ANSI.yellow}⚠${ANSI.reset}`,
+  fail: `${ANSI.red}✗${ANSI.reset}`,
+};
+
+function renderFleetFinding(f: FleetFinding): string[] {
+  const lines = [`  ${FLEET_GLYPH[f.status]} ${f.title}  ${ANSI.dim}— ${f.summary}${ANSI.reset}`];
+  for (const d of f.detail) lines.push(`      ${ANSI.dim}${d}${ANSI.reset}`);
+  if (f.remediation && f.status !== 'ok')
+    lines.push(`    ${ANSI.dim}→ ${f.remediation}${ANSI.reset}`);
+  return lines;
+}
+
+/**
+ * The fleet-runtime section: dispatcher / subscribers / capability-chain
+ * drift, read from the celilo DB + event bus. State-aware, so it's skipped
+ * cleanly on a fresh dev box with no DB unless `--fleet` forces it. `--fix`
+ * runs only the auto-fixable checks (today: subscribers resync).
+ */
+async function renderFleetSection(opts: { forced: boolean; fix: boolean }): Promise<{
+  lines: string[];
+  failCount: number;
+  warnCount: number;
+}> {
+  const lines: string[] = ['Fleet runtime'];
+  const dbExists = existsSync(getDbPath());
+
+  if (!dbExists) {
+    if (opts.forced) {
+      lines.push(
+        `  ${ANSI.dim}skipped — no celilo database at ${getDbPath()} (not a management plane)${ANSI.reset}`,
+      );
+      return { lines, failCount: 0, warnCount: 0 };
+    }
+    // Dev box, no --fleet: don't render the section at all.
+    return { lines: [], failCount: 0, warnCount: 0 };
+  }
+
+  const bus = openBus({ dbPath: getEventBusPath(), events: defineEvents({}) });
+  try {
+    const db = getDb();
+    let findings = await runFleetChecks(bus, db, {
+      installedCodeMtimeMs: installedEventBusMtime(),
+    });
+
+    if (opts.fix) {
+      const subscribers = findings.find((f) => f.id === 'subscribers');
+      if (subscribers?.autoFixable && subscribers.status !== 'ok') {
+        const r = resyncAllSubscriptions();
+        lines.push(
+          `  ${ANSI.dim}--fix: re-registered ${r.registered} subscription(s) from ${r.modules} module(s).${ANSI.reset}`,
+        );
+        // Re-evaluate the subscribers finding so the section shows the healed state.
+        const healed = checkSubscribers(bus, db);
+        findings = findings.map((f) => (f.id === 'subscribers' ? healed : f));
+      }
+    }
+
+    let failCount = 0;
+    let warnCount = 0;
+    for (const f of findings) {
+      lines.push(...renderFleetFinding(f));
+      if (f.status === 'fail') failCount++;
+      else if (f.status === 'warn') warnCount++;
+    }
+    return { lines, failCount, warnCount };
+  } finally {
+    bus.close();
+  }
+}
+
 export async function handleSystemDoctor(
   _args: string[],
   flags: Record<string, string | boolean>,
@@ -397,61 +494,59 @@ export async function handleSystemDoctor(
 
   const fix = flags.fix === true;
 
+  // Drift repair (bun link). Does NOT early-return — the fleet section
+  // still runs on a --fix invocation so a single `--fix` heals both.
   if (fix && drifted.length > 0) {
     lines.push(`Repairing ${drifted.length} drifted package(s) with \`bun link\`:`);
     lines.push(...applyFix(drifted, cliRoot));
+    lines.push(`${ANSI.dim}\`bun unlink\` from each workspace dir reverses.${ANSI.reset}`);
+    lines.push('');
+    // Linked from the workspace now — no longer drift for the summary.
+    driftCount = 0;
+    drifted.length = 0;
+  } else if (fix && drifted.length === 0) {
+    lines.push(`${ANSI.dim}--fix: no drifted packages to repair.${ANSI.reset}`);
     lines.push('');
+  } else if (drifted.length > 0) {
     lines.push(
-      `${ANSI.dim}Re-run \`celilo system doctor\` to verify; \`bun unlink\` from each workspace dir reverses.${ANSI.reset}`,
+      `${ANSI.dim}Run \`celilo system doctor --fix\` to bun-link drifted packages from the workspace.${ANSI.reset}`,
     );
-    // Note: --fix only addresses drift, not missing prereqs. If prereqs
-    // failed, surface that even on a successful --fix run.
-    if (prereqResult.failingCount > 0) {
-      return {
-        success: false,
-        error: `${prereqResult.failingCount} system prerequisite(s) missing or below minimum — install before running celilo`,
-        details: lines.join('\n'),
-      };
-    }
-    return {
-      success: true,
-      message: lines.join('\n'),
-      rawOutput: true,
-    };
+    lines.push('');
   }
 
-  if (fix && drifted.length === 0) {
-    lines.push(`${ANSI.dim}--fix: nothing to repair.${ANSI.reset}`);
+  // Fleet-runtime section (state-aware; only renders on a management
+  // plane with a celilo DB, or when --fleet forces it).
+  const fleet = await renderFleetSection({ forced: flags.fleet === true, fix });
+  if (fleet.lines.length > 0) {
+    lines.push(...fleet.lines);
+    lines.push('');
   }
 
-  if (driftCount > 0 || unresolvedCount > 0 || prereqResult.failingCount > 0) {
-    const summary: string[] = [];
-    if (prereqResult.failingCount > 0) {
-      summary.push(`${prereqResult.failingCount} prerequisite(s) missing/below-minimum`);
-    }
-    if (driftCount > 0) summary.push(`${driftCount} package(s) behind workspace`);
-    if (unresolvedCount > 0) summary.push(`${unresolvedCount} unresolved`);
-    if (drifted.length > 0) {
-      lines.push(
-        `${ANSI.dim}Run \`celilo system doctor --fix\` to bun-link drifted packages from the workspace.${ANSI.reset}`,
-      );
-    }
-    // Distinguish prereq-only from drift-only from both — the
-    // operator's next move is different.
-    const errorPrefix =
-      driftCount === 0 && unresolvedCount === 0
-        ? 'System prerequisites missing'
-        : prereqResult.failingCount === 0
-          ? 'Drift detected'
-          : 'Issues detected';
+  // Unified summary: anything that fails the run, with a per-cause count.
+  const problems: string[] = [];
+  if (prereqResult.failingCount > 0) {
+    problems.push(`${prereqResult.failingCount} prerequisite(s) missing/below-minimum`);
+  }
+  if (driftCount > 0) problems.push(`${driftCount} package(s) behind workspace`);
+  if (unresolvedCount > 0) problems.push(`${unresolvedCount} unresolved`);
+  if (fleet.failCount > 0) problems.push(`${fleet.failCount} fleet check(s) failing`);
+
+  if (problems.length > 0) {
     return {
       success: false,
-      error: `${errorPrefix}: ${summary.join(', ')}`,
+      error: `Issues detected: ${problems.join(', ')}`,
       details: lines.join('\n'),
     };
   }
 
-  lines.push(`${ANSI.green}OK${ANSI.reset} — no issues detected`);
+  // Fleet warnings don't fail the run, but they shouldn't read as a clean bill.
+  if (fleet.warnCount > 0) {
+    lines.push(
+      `${ANSI.yellow}OK with warnings${ANSI.reset} — ${fleet.warnCount} fleet warning(s); see above`,
+    );
+  } else {
+    lines.push(`${ANSI.green}OK${ANSI.reset} — no issues detected`);
+  }
   return {
     success: true,
     message: lines.join('\n'),

package/src/cli/commands/system-migrate.test.ts

@@ -0,0 +1,40 @@
+import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { closeDb } from '../../db/client';
+import { handleSystemMigrate } from './system-migrate';
+
+describe('handleSystemMigrate', () => {
+  let dir: string;
+
+  beforeEach(() => {
+    dir = mkdtempSync(join(tmpdir(), 'sysmig-'));
+    process.env.CELILO_DB_PATH = join(dir, 'celilo.db');
+  });
+  afterEach(() => {
+    closeDb();
+    process.env.CELILO_DB_PATH = undefined;
+    try {
+      rmSync(dir, { recursive: true, force: true });
+    } catch {
+      /* ignore */
+    }
+  });
+
+  it('reports a fresh/current DB as up to date with the full schema', async () => {
+    const result = await handleSystemMigrate();
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.message).toContain('up to date');
+      expect(result.message).toContain('tables');
+    }
+  });
+
+  it('is idempotent — a second run is also clean', async () => {
+    (await handleSystemMigrate()).success;
+    closeDb();
+    const second = await handleSystemMigrate();
+    expect(second.success).toBe(true);
+  });
+});

package/src/cli/commands/system-migrate.ts

@@ -0,0 +1,65 @@
+/**
+ * `celilo system migrate` — apply pending DB migrations (ISS-0100).
+ *
+ * Drizzle's migrator is the single migration mechanism; createDbClient already
+ * auto-migrates on open, so this command is the explicit, operator-visible
+ * entrypoint the .deb postinst and celilo-mgmt deploy call. Idempotent: a
+ * current DB reports "up to date".
+ */
+
+import type { Database } from 'bun:sqlite';
+import { getDb } from '../../db/client';
+import { runMigrationsOn } from '../../db/migrate';
+import { findSchemaDrift } from '../../db/schema-introspection';
+import type { CommandResult } from '../types';
+
+function countApplied(sqlite: Database): number {
+  try {
+    const row = sqlite
+      .query<{ c: number }, []>('SELECT COUNT(*) AS c FROM `__drizzle_migrations`')
+      .get();
+    return row?.c ?? 0;
+  } catch {
+    return 0;
+  }
+}
+
+export async function handleSystemMigrate(): Promise<CommandResult> {
+  // getDb() auto-migrates on open; do it inside try so an existing DB that
+  // predates the drizzle-authoritative change fails with an actionable message
+  // instead of a raw migrator error.
+  let db: ReturnType<typeof getDb>;
+  try {
+    db = getDb();
+  } catch (error) {
+    const msg = error instanceof Error ? error.message : String(error);
+    return {
+      success: false,
+      error: `Migration failed: ${msg}\n\nIf this DB predates the drizzle-authoritative migration change, it needs a one-time remediation (stamp \`__drizzle_migrations\` to the latest migration + create any missing table) before the migrator can run cleanly — see ISS-0100.`,
+    };
+  }
+
+  const sqlite = db.$client;
+  const before = countApplied(sqlite);
+  try {
+    runMigrationsOn(db); // idempotent re-assert
+  } catch (error) {
+    return { success: false, error: error instanceof Error ? error.message : String(error) };
+  }
+  const applied = countApplied(sqlite) - before;
+
+  const drift = findSchemaDrift(sqlite);
+  if (drift.missingTables.length > 0 || drift.missingColumns.length > 0) {
+    const missing = [...drift.missingTables, ...drift.missingColumns].join(', ');
+    return {
+      success: false,
+      error: `Schema still behind after migrate — missing: ${missing}. This DB likely needs one-time remediation — see ISS-0100.`,
+    };
+  }
+
+  const lines = [
+    applied > 0 ? `Applied ${applied} migration(s).` : 'Schema already up to date.',
+    `Schema current: ${drift.tableCount} tables.`,
+  ];
+  return { success: true, message: lines.join('\n') };
+}

package/src/cli/completion.ts

@@ -460,6 +460,7 @@ export async function getCompletions(words: string[], current: number): Promise<
       'audit',
       'update',
       'doctor',
+      'migrate',
     ];
     return filterSuggestions(subcommands, args[1] || '');
   }

package/src/cli/index.ts

@@ -89,6 +89,7 @@ import { handleSystemAudit } from './commands/system-audit';
 import { handleSystemConfigGet, handleSystemConfigSet } from './commands/system-config';
 import { handleSystemDoctor } from './commands/system-doctor';
 import { handleSystemInit } from './commands/system-init';
+import { handleSystemMigrate } from './commands/system-migrate';
 import { handleSystemSecretGet } from './commands/system-secret-get';
 import { handleSystemSecretSet } from './commands/system-secret-set';
 import { handleSystemUpdate } from './commands/system-update';
@@ -1783,6 +1784,10 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
       return handleSystemDoctor(parsed.args, parsed.flags);
     }
 
+    if (parsed.subcommand === 'migrate') {
+      return handleSystemMigrate();
+    }
+
     return {
       success: false,
       error: `Unknown system subcommand: ${parsed.subcommand}\n\nRun "celilo system --help" for usage`,

package/src/db/client.ts

@@ -41,145 +41,6 @@ export function findMigrationsFolder(): string {
   throw new Error(`Could not find drizzle migrations folder. Tried: ${candidates.join(', ')}`);
 }
 
-/**
- * Check if database needs initialization (tables don't exist)
- */
-function needsMigration(sqlite: Database): boolean {
-  try {
-    // Check if the modules table exists at all (new database)
-    const result = sqlite
-      .query("SELECT name FROM sqlite_master WHERE type='table' AND name='modules'")
-      .get();
-    if (!result) return true; // New database — run full migrations
-
-    // Existing database — apply incremental schema updates
-    // Each statement is wrapped in try/catch (no-op if already applied)
-    const alterStatements = [
-      'ALTER TABLE capabilities ADD zones text',
-      'ALTER TABLE machines ADD earmarked_module text',
-      // web_routes' subdomain/custom_domain columns were folded into a
-      // single `hostname` field by migration 0004. Don't re-add them
-      // here — the migration drops and recreates the table.
-      // Backup system tables (Phase 1)
-      `CREATE TABLE IF NOT EXISTS backup_storages (
-        id text PRIMARY KEY NOT NULL,
-        storage_id text NOT NULL UNIQUE,
-        name text NOT NULL,
-        provider_name text NOT NULL,
-        credentials_encrypted text NOT NULL,
-        provider_config text NOT NULL,
-        verified integer DEFAULT 0 NOT NULL,
-        verified_at integer,
-        verification_error text,
-        is_default integer DEFAULT 0 NOT NULL,
-        created_at integer DEFAULT (unixepoch()) NOT NULL,
-        updated_at integer DEFAULT (unixepoch()) NOT NULL
-      )`,
-      `CREATE TABLE IF NOT EXISTS backups (
-        id text PRIMARY KEY NOT NULL,
-        module_id text REFERENCES modules(id) ON DELETE SET NULL,
-        storage_id text NOT NULL REFERENCES backup_storages(id),
-        storage_path text NOT NULL,
-        backup_type text NOT NULL,
-        module_version text,
-        schema_version text,
-        size_bytes integer,
-        metadata text DEFAULT '{}' NOT NULL,
-        status text DEFAULT 'in_progress' NOT NULL,
-        error_message text,
-        started_at integer DEFAULT (unixepoch()) NOT NULL,
-        completed_at integer
-      )`,
-      // Backup naming support
-      'ALTER TABLE backups ADD name text',
-      // Module systems (v2/MODULE_SYSTEMS_ADDRESSING.md) — a module's 0..N
-      // deployed hosts. Fresh DBs get this via migration 0007; existing installs
-      // get it here. Replaces the scalar target_ip/vmid rows in module_configs.
-      `CREATE TABLE IF NOT EXISTS module_systems (
-        module_id text NOT NULL REFERENCES modules(id) ON DELETE cascade,
-        name text NOT NULL,
-        hostname text NOT NULL,
-        ipv4_address text NOT NULL,
-        zone text NOT NULL,
-        infra_type text NOT NULL,
-        machine_id text REFERENCES machines(id),
-        service_id text REFERENCES container_services(id),
-        vmid integer,
-        created_at integer DEFAULT (unixepoch()) NOT NULL,
-        updated_at integer DEFAULT (unixepoch()) NOT NULL,
-        PRIMARY KEY (module_id, name)
-      )`,
-      // Aspect consent decision (ISS-0027). Fresh DBs get this via migration
-      // 0008; existing installs get it here. Defaults to true so pre-existing
-      // rows (all approvals) keep running; false = a durable refusal.
-      'ALTER TABLE aspect_approvals ADD consented integer DEFAULT true NOT NULL',
-    ];
-
-    for (const stmt of alterStatements) {
-      try {
-        sqlite.exec(stmt);
-      } catch {
-        // Column already exists — fine
-      }
-    }
-
-    // web_routes hostname migration (CADDY_HOSTNAME_LIST design).
-    // Drizzle's auto-migrate path (`migrate()`) only runs for fresh
-    // databases — for existing celilo installs we apply the schema
-    // change here. Phase 0 + no production users = destructive
-    // rebuild; modules repopulate routes on their next deploy.
-    try {
-      const cols = sqlite.query("SELECT name FROM pragma_table_info('web_routes')").all() as Array<{
-        name: string;
-      }>;
-      const hasHostname = cols.some((c) => c.name === 'hostname');
-      const hasOldColumns = cols.some((c) => c.name === 'subdomain' || c.name === 'custom_domain');
-      if (!hasHostname && cols.length > 0) {
-        // Old shape detected (or missing hostname) — drop and recreate.
-        // Wrap in a transaction so the table is never half-migrated.
-        sqlite.exec('BEGIN');
-        try {
-          sqlite.exec('DROP TABLE web_routes');
-          sqlite.exec(`CREATE TABLE web_routes (
-            id integer PRIMARY KEY AUTOINCREMENT NOT NULL,
-            slug text NOT NULL,
-            module_id text NOT NULL,
-            type text NOT NULL,
-            path text NOT NULL,
-            hostname text NOT NULL,
-            target_host text,
-            target_port integer,
-            websocket integer DEFAULT false NOT NULL,
-            content_hash text,
-            created_at integer DEFAULT (unixepoch()) NOT NULL,
-            updated_at integer DEFAULT (unixepoch()) NOT NULL,
-            FOREIGN KEY (module_id) REFERENCES modules(id) ON UPDATE no action ON DELETE cascade
-          )`);
-          sqlite.exec(
-            'CREATE UNIQUE INDEX web_routes_hostname_path_idx ON web_routes (hostname, path)',
-          );
-          sqlite.exec('COMMIT');
-          if (hasOldColumns) {
-            console.log(
-              'web_routes migrated to hostname-based schema. Modules will repopulate their routes on next deploy.',
-            );
-          }
-        } catch (err) {
-          sqlite.exec('ROLLBACK');
-          throw err;
-        }
-      }
-    } catch (err) {
-      console.error('Failed to migrate web_routes schema:', err);
-      throw err;
-    }
-
-    return false; // Schema is up to date
-  } catch {
-    return true;
-  }
-}
-
 /**
  * Create database client and run migrations if needed
  */
@@ -209,12 +70,21 @@ export function createDbClient(config?: Partial<DatabaseConfig>) {
 
   const db = drizzle(sqlite, { schema });
 
-  // Auto-run migrations if database is new
-  if (!readonly && needsMigration(sqlite)) {
+  // Apply migrations on open (ISS-0100). Drizzle's migrator is the single
+  // migration mechanism for ALL DBs — fresh and existing — and the only place
+  // schema changes live (the old imperative hand-list is gone). migrate() is
+  // idempotent: it applies every migration newer than the latest recorded in
+  // `__drizzle_migrations` and no-ops once current.
+  //
+  // One-time caveat (ISS-0100): an existing DB from the hand-list era has a
+  // frozen `__drizzle_migrations` watermark; it must be remediated by hand
+  // (stamp the watermark to the latest migration + create any missing table)
+  // BEFORE this code opens it, or migrate() re-runs already-applied migrations
+  // and throws. `celilo system doctor` (checkSchemaDrift) detects the drift.
+  if (!readonly) {
     try {
       const migrationsFolder = findMigrationsFolder();
       migrate(db, { migrationsFolder });
-      console.log('Database initialized with migrations');
     } catch (error) {
       console.error('Failed to run migrations:', error);
       throw error;
@@ -222,10 +92,9 @@ export function createDbClient(config?: Partial<DatabaseConfig>) {
   }
 
   // One-time upgrade backfill for the target_ip → module_systems refactor
-  // (v2/MODULE_SYSTEMS_ADDRESSING.md). Runs for both paths above: needsMigration
-  // has already ensured the module_systems table exists (via migration 0007 for
-  // a fresh DB, or the imperative CREATE for an existing install). A deployment
-  // created before the refactor has its host data only in module_configs /
+  // (v2/MODULE_SYSTEMS_ADDRESSING.md). migrate() above has ensured the
+  // module_systems table exists (migration 0007). A deployment created before
+  // the refactor has its host data only in module_configs /
   // ip_allocations / module_infrastructure and an EMPTY module_systems, so its
   // modules resolve to no system and the migrated hooks throw "No deployed
   // system found". This lifts that state across. Idempotent (skips modules

package/src/db/migrate.ts

@@ -1,17 +1,25 @@
 import { migrate } from 'drizzle-orm/bun-sqlite/migrator';
-import { closeDb, createDbClient, findMigrationsFolder } from './client';
+import { type DbClient, closeDb, createDbClient, findMigrationsFolder } from './client';
 
 /**
- * Run database migrations
+ * Apply pending drizzle migrations to an open DB. Idempotent — drizzle applies
+ * only migrations newer than the latest recorded in `__drizzle_migrations`.
+ * The single migration mechanism (ISS-0100); createDbClient also calls this
+ * shape on open (auto-migrate).
+ */
+export function runMigrationsOn(db: DbClient): void {
+  migrate(db, { migrationsFolder: findMigrationsFolder() });
+}
+
+/**
+ * Run database migrations (standalone entrypoint — `bun run src/db/migrate.ts`).
+ * createDbClient already migrates on open; this re-asserts for explicit use.
  */
 export async function runMigrations(dbPath?: string) {
   console.log('Running database migrations...');
-
   const db = createDbClient(dbPath ? { path: dbPath } : undefined);
-
   try {
-    const migrationsFolder = findMigrationsFolder();
-    await migrate(db, { migrationsFolder });
+    runMigrationsOn(db);
     console.log('Migrations completed successfully');
   } catch (error) {
     console.error('Migration failed:', error);