@celilo/cli 0.5.0-alpha.5 → 0.5.0-alpha.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.5.0-alpha.5",
+  "version": "0.5.0-alpha.6",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {
@@ -52,9 +52,9 @@
   },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.1024.0",
-    "@celilo/capabilities": "^0.4.1",
+    "@celilo/capabilities": "^0.4.2",
     "@celilo/cli-display": "^0.1.9",
-    "@celilo/event-bus": "^0.1.6",
+    "@celilo/event-bus": "^0.1.7",
     "@clack/prompts": "^1.1.0",
     "ajv": "^8.18.0",
     "drizzle-orm": "^0.36.4",

package/src/ansible/inventory.test.ts

@@ -61,7 +61,7 @@ describe('generateHostsIni', () => {
       },
       {
         hostname: 'dns-ext',
-        ansibleHost: '188.166.157.2',
+        ansibleHost: '192.0.2.20',
         ansibleUser: 'root',
         groups: ['dns_external'],
       },
@@ -72,7 +72,7 @@ describe('generateHostsIni', () => {
     expect(result).toContain('[homebridge]');
     expect(result).toContain('[dns_external]');
     expect(result).toContain('iot ansible_host=192.168.0.110 ansible_user=root');
-    expect(result).toContain('dns-ext ansible_host=188.166.157.2 ansible_user=root');
+    expect(result).toContain('dns-ext ansible_host=192.0.2.20 ansible_user=root');
   });
 
   test('includes SSH private key file path when provided', () => {
@@ -136,8 +136,8 @@ describe('generateHostVarsYaml', () => {
   test('generates YAML for arrays', () => {
     const vars = {
       zone_records: [
-        { name: 'ns1', type: 'A', value: '188.166.157.2' },
-        { name: 'www', type: 'A', value: '71.36.99.96' },
+        { name: 'ns1', type: 'A', value: '192.0.2.20' },
+        { name: 'www', type: 'A', value: '203.0.113.10' },
       ],
     };
 
@@ -146,9 +146,9 @@ describe('generateHostVarsYaml', () => {
     expect(result).toContain('zone_records:');
     expect(result).toContain('- name: ns1');
     expect(result).toContain('type: A');
-    expect(result).toContain('value: 188.166.157.2');
+    expect(result).toContain('value: 192.0.2.20');
     expect(result).toContain('- name: www');
-    expect(result).toContain('value: 71.36.99.96');
+    expect(result).toContain('value: 203.0.113.10');
   });
 
   test('generates YAML for nested objects', () => {
@@ -359,13 +359,13 @@ describe('Database integration', () => {
       );
 
       upsertModuleConfig(db, 'dns', 'zone_records', [
-        { name: 'ns1', type: 'A', value: '188.166.157.2' },
+        { name: 'ns1', type: 'A', value: '192.0.2.20' },
       ]);
 
       const vars = buildHostVars('dns', db);
 
       expect(Array.isArray(vars.zone_records)).toBe(true);
-      expect(vars.zone_records).toEqual([{ name: 'ns1', type: 'A', value: '188.166.157.2' }]);
+      expect(vars.zone_records).toEqual([{ name: 'ns1', type: 'A', value: '192.0.2.20' }]);
     });
   });
 
@@ -416,13 +416,13 @@ describe('Database integration', () => {
       );
 
       upsertModuleConfig(db, 'dns-external', 'hostname', 'dns-ext');
-      upsertModuleConfig(db, 'dns-external', 'vps_ip', '188.166.157.2');
+      upsertModuleConfig(db, 'dns-external', 'vps_ip', '192.0.2.20');
 
       const host = extractInventoryHost('dns-external', db);
 
       expect(host).not.toBeNull();
       expect(host?.hostname).toBe('dns-ext');
-      expect(host?.ansibleHost).toBe('188.166.157.2'); // VPS IP used directly
+      expect(host?.ansibleHost).toBe('192.0.2.20'); // VPS IP used directly
       expect(host?.ansibleUser).toBe('root');
       expect(host?.groups).toEqual(['dns-external']);
     });

package/src/ansible/validation.test.ts

@@ -1,4 +1,5 @@
 import { describe, expect, test } from 'bun:test';
+import { skipIntegration } from '../test-utils/integration-guard';
 import {
   isAnsibleInventoryAvailable,
   isAnsibleLintAvailable,
@@ -54,17 +55,23 @@ describe('validateWithAnsibleLint', () => {
 });
 
 describe('validatePlaybookSyntax', () => {
-  test('returns error when playbook does not exist', async () => {
-    const result = await validatePlaybookSyntax('/nonexistent/playbook.yml', '/tmp');
-    expect(result.success).toBe(false);
-    expect(result.error).toContain('Playbook not found');
-  });
+  test.skipIf(skipIntegration({ tools: ['ansible'] }))(
+    'returns error when playbook does not exist',
+    async () => {
+      const result = await validatePlaybookSyntax('/nonexistent/playbook.yml', '/tmp');
+      expect(result.success).toBe(false);
+      expect(result.error).toContain('Playbook not found');
+    },
+  );
 
-  test('returns error when inventory does not exist', async () => {
-    const result = await validatePlaybookSyntax('/tmp/playbook.yml', '/nonexistent/inventory');
-    expect(result.success).toBe(false);
-    expect(result.error).toContain('not found');
-  });
+  test.skipIf(skipIntegration({ tools: ['ansible'] }))(
+    'returns error when inventory does not exist',
+    async () => {
+      const result = await validatePlaybookSyntax('/tmp/playbook.yml', '/nonexistent/inventory');
+      expect(result.success).toBe(false);
+      expect(result.error).toContain('not found');
+    },
+  );
 
   test('returns error when ansible-playbook not installed', async () => {
     if (!isAnsiblePlaybookAvailable()) {
@@ -76,11 +83,14 @@ describe('validatePlaybookSyntax', () => {
 });
 
 describe('validateInventory', () => {
-  test('returns error when inventory does not exist', async () => {
-    const result = await validateInventory('/nonexistent/inventory');
-    expect(result.success).toBe(false);
-    expect(result.error).toContain('Inventory not found');
-  });
+  test.skipIf(skipIntegration({ tools: ['ansible'] }))(
+    'returns error when inventory does not exist',
+    async () => {
+      const result = await validateInventory('/nonexistent/inventory');
+      expect(result.success).toBe(false);
+      expect(result.error).toContain('Inventory not found');
+    },
+  );
 
   test('returns error when ansible-inventory not installed', async () => {
     if (!isAnsibleInventoryAvailable()) {

package/src/cli/commands/events.test.ts

@@ -165,20 +165,20 @@ describe('celilo events command handlers', () => {
     });
     setupBus.close();
 
-    const res = await handleEventsReply([String(query.id), '"lunacycle.net"'], {});
+    const res = await handleEventsReply([String(query.id), '"example.net"'], {});
     expect(res.success).toBe(true);
     if (!res.success) throw new Error('expected success');
     const data = res.data as { status: string; family: string; value: unknown };
     expect(data.status).toBe('replied');
     expect(data.family).toBe('config');
-    expect(data.value).toBe('lunacycle.net');
+    expect(data.value).toBe('example.net');
 
     const checkBus = openBus({ dbPath, events: defineEvents({}) });
     const replies = checkBus.recentEvents({ type: 'config.required.lunacycle.domain.reply' });
     checkBus.close();
     expect(replies).toHaveLength(1);
     expect(replies[0].replyFor).toBe(query.id);
-    expect(replies[0].payload).toEqual({ value: 'lunacycle.net' });
+    expect(replies[0].payload).toEqual({ value: 'example.net' });
     expect(replies[0].emittedBy).toBe('claude-config-responder');
   });
 
@@ -229,7 +229,7 @@ describe('celilo events command handlers', () => {
     setupBus.close();
 
     // A bare word isn't valid JSON — the operator must quote strings.
-    const res = await handleEventsReply([String(query.id), 'lunacycle.net'], {});
+    const res = await handleEventsReply([String(query.id), 'example.net'], {});
     expect(res.success).toBe(false);
     if (res.success) throw new Error('expected failure');
     expect(res.error).toContain('Invalid JSON value');

package/src/cli/commands/events.ts

@@ -439,7 +439,7 @@ export async function handleEventsReply(
     return {
       success: false,
       error: `Usage: celilo events reply <query-event-id> <value-json>
-  e.g. celilo events reply 42 '"lunacycle.net"'`,
+  e.g. celilo events reply 42 '"example.net"'`,
     };
   }
   const queryId = Number(idArg);
@@ -454,7 +454,7 @@ export async function handleEventsReply(
     return {
       success: false,
       error: `Invalid JSON value: ${err instanceof Error ? err.message : String(err)}
-  Encode the answer as JSON, e.g. '"lunacycle.net"', '8080', '["a","b"]'.`,
+  Encode the answer as JSON, e.g. '"example.net"', '8080', '["a","b"]'.`,
     };
   }
 

package/src/cli/commands/service-add-proxmox.ts

@@ -122,6 +122,14 @@ export async function handleServiceAddProxmox(
       validate: validateRequired('Storage'),
     });
 
+    // VM template name for `requires.system.type: vm` modules. Optional —
+    // skip if you only deploy LXC modules. See v2/PROXMOX_VM_TEMPLATE.md.
+    const vmTemplateInput = await promptText({
+      message: 'VM template name (optional — for VM-type modules):',
+      placeholder: 'e.g., ubuntu-2404-cloud-init-9000',
+    });
+    const vmTemplate = vmTemplateInput?.trim() || undefined;
+
     // Find storage that supports vztmpl content. We do this BEFORE prompting
     // for a template so the user only ever sees one storage in subsequent
     // messages, and so the saved volid uses the right storage.
@@ -178,6 +186,7 @@ export async function handleServiceAddProxmox(
         default_target_node: targetNode,
         lxc_template: lxcTemplate,
         storage,
+        ...(vmTemplate ? { vm_template: vmTemplate } : {}),
       },
     });
 

package/src/cli/index.ts

@@ -287,7 +287,7 @@ Examples:
   celilo events tail --type deploy.completed.lunacycle   # filter by type
   celilo events emit deploy.completed.lunacycle '{}'     # operator-fired event
   celilo events tail --type 'config.required.*'          # see pending deploy questions
-  celilo events reply 42 '"lunacycle.net"'               # answer query #42 (config)
+  celilo events reply 42 '"example.net"'               # answer query #42 (config)
 `;
   return { success: true, message: helpText.trim() };
 }
@@ -1091,7 +1091,7 @@ export async function runCli(argv: string[]): Promise<CommandResult> {
           '',
           'Examples:',
           '  celilo hook run namecheap validate_config --debug',
-          '  celilo hook run namecheap container_created vps_ip=138.68.140.177',
+          '  celilo hook run namecheap container_created vps_ip=192.0.2.30',
         ].join('\n'),
       };
     }

package/src/config/paths.test.ts

@@ -1,4 +1,5 @@
 import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
+import { skipIntegration } from '../test-utils/integration-guard';
 import { getDataDir, getDbPath, getMasterKeyPath, getModuleStoragePath } from './paths';
 
 describe('paths configuration', () => {
@@ -34,18 +35,21 @@ describe('paths configuration', () => {
       expect(path).toMatch(/celilo-data\/modules$/);
     });
 
-    it('returns platform-specific path by default', () => {
-      process.env.CELILO_DATA_DIR = undefined;
-      process.env.ENVIRONMENT = undefined;
+    it.skipIf(skipIntegration({ platform: 'darwin' }))(
+      'returns platform-specific path by default',
+      () => {
+        process.env.CELILO_DATA_DIR = undefined;
+        process.env.ENVIRONMENT = undefined;
 
-      const path = getModuleStoragePath();
+        const path = getModuleStoragePath();
 
-      if (process.platform === 'darwin') {
-        expect(path).toMatch(/Library\/Application Support\/celilo\/modules$/);
-      } else {
-        expect(path).toBe('/var/lib/celilo/modules');
-      }
-    });
+        if (process.platform === 'darwin') {
+          expect(path).toMatch(/Library\/Application Support\/celilo\/modules$/);
+        } else {
+          expect(path).toBe('/var/lib/celilo/modules');
+        }
+      },
+    );
 
     it('prioritizes CELILO_DATA_DIR over ENVIRONMENT=dev', () => {
       process.env.CELILO_DATA_DIR = '/custom/data';
@@ -73,18 +77,21 @@ describe('paths configuration', () => {
       expect(path).toMatch(/celilo-data$/);
     });
 
-    it('returns platform-specific path by default', () => {
-      process.env.CELILO_DATA_DIR = undefined;
-      process.env.ENVIRONMENT = undefined;
-
-      const path = getDataDir();
-
-      if (process.platform === 'darwin') {
-        expect(path).toMatch(/Library\/Application Support\/celilo$/);
-      } else {
-        expect(path).toBe('/var/lib/celilo');
-      }
-    });
+    it.skipIf(skipIntegration({ platform: 'darwin' }))(
+      'returns platform-specific path by default',
+      () => {
+        process.env.CELILO_DATA_DIR = undefined;
+        process.env.ENVIRONMENT = undefined;
+
+        const path = getDataDir();
+
+        if (process.platform === 'darwin') {
+          expect(path).toMatch(/Library\/Application Support\/celilo$/);
+        } else {
+          expect(path).toBe('/var/lib/celilo');
+        }
+      },
+    );
   });
 
   describe('getMasterKeyPath', () => {
@@ -103,19 +110,22 @@ describe('paths configuration', () => {
       expect(path).toBe('/custom/data/master.key');
     });
 
-    it('uses platform-specific data dir by default', () => {
-      process.env.CELILO_MASTER_KEY_PATH = undefined;
-      process.env.CELILO_DATA_DIR = undefined;
-      process.env.ENVIRONMENT = undefined;
-
-      const path = getMasterKeyPath();
-
-      if (process.platform === 'darwin') {
-        expect(path).toMatch(/Library\/Application Support\/celilo\/master\.key$/);
-      } else {
-        expect(path).toBe('/var/lib/celilo/master.key');
-      }
-    });
+    it.skipIf(skipIntegration({ platform: 'darwin' }))(
+      'uses platform-specific data dir by default',
+      () => {
+        process.env.CELILO_MASTER_KEY_PATH = undefined;
+        process.env.CELILO_DATA_DIR = undefined;
+        process.env.ENVIRONMENT = undefined;
+
+        const path = getMasterKeyPath();
+
+        if (process.platform === 'darwin') {
+          expect(path).toMatch(/Library\/Application Support\/celilo\/master\.key$/);
+        } else {
+          expect(path).toBe('/var/lib/celilo/master.key');
+        }
+      },
+    );
   });
 
   describe('getDbPath', () => {
@@ -128,19 +138,22 @@ describe('paths configuration', () => {
       expect(path).toBe('/custom/path/celilo.db');
     });
 
-    it('returns data dir + celilo.db on macOS in production', () => {
-      process.env.CELILO_DB_PATH = undefined;
-      process.env.CELILO_DATA_DIR = undefined;
-      process.env.ENVIRONMENT = undefined;
-
-      const path = getDbPath();
-
-      if (process.platform === 'darwin') {
-        expect(path).toMatch(/Library\/Application Support\/celilo\/celilo.db$/);
-      } else {
-        expect(path).toBe('/var/lib/celilo/celilo.db');
-      }
-    });
+    it.skipIf(skipIntegration({ platform: 'darwin' }))(
+      'returns data dir + celilo.db on macOS in production',
+      () => {
+        process.env.CELILO_DB_PATH = undefined;
+        process.env.CELILO_DATA_DIR = undefined;
+        process.env.ENVIRONMENT = undefined;
+
+        const path = getDbPath();
+
+        if (process.platform === 'darwin') {
+          expect(path).toMatch(/Library\/Application Support\/celilo\/celilo.db$/);
+        } else {
+          expect(path).toBe('/var/lib/celilo/celilo.db');
+        }
+      },
+    );
 
     it('returns celilo-data/celilo.db in development mode', () => {
       process.env.CELILO_DB_PATH = undefined;

package/src/hooks/capability-loader-firewall.test.ts

@@ -37,7 +37,7 @@ export default defineCapabilityFunction({
   capability: 'firewall',
   handler: ({ config, secrets }) => ({
     exposeService: async (opts) => ({
-      externalIp: '71.36.99.96',
+      externalIp: '203.0.113.10',
       natIp: opts.internalIp,
     }),
     unexposeService: async () => {},
@@ -135,7 +135,7 @@ describe('Firewall Chain Building', () => {
       ports: [80],
       description: 'test',
     });
-    expect(exposed.externalIp).toBe('71.36.99.96');
+    expect(exposed.externalIp).toBe('203.0.113.10');
   });
 
   test('builds chain with two providers (iptables → greenwave)', async () => {
@@ -206,7 +206,7 @@ describe('Firewall Chain Building', () => {
     });
 
     // External IP came from greenwave (leaf)
-    expect(exposed.externalIp).toBe('71.36.99.96');
+    expect(exposed.externalIp).toBe('203.0.113.10');
     // NAT IP is iptables' NAT address
     expect(exposed.natIp).toBe('192.168.0.253');
     // iptables created local rules

package/src/infrastructure/property-extractor.test.ts

@@ -78,6 +78,21 @@ describe('extractProxmoxProperties', () => {
     });
   });
 
+  test('omits vm_template when the service config has none (LXC services)', () => {
+    const properties = extractProxmoxProperties(100, '10.0.10.5', 'caddy', mockProxmoxConfig);
+    // Omitted, not empty — so a required-infrastructure `vm_template` var fails
+    // loudly rather than resolving to "".
+    expect('vm_template' in properties).toBe(false);
+  });
+
+  test('includes vm_template when the service config provides one (VM services)', () => {
+    const properties = extractProxmoxProperties(100, '10.0.10.5', 'builder', {
+      ...mockProxmoxConfig,
+      vm_template: 'ubuntu-2204-cloudinit',
+    });
+    expect(properties.vm_template).toBe('ubuntu-2204-cloudinit');
+  });
+
   test('converts vmid number to string', () => {
     const properties = extractProxmoxProperties(12345, '10.0.20.15', 'caddy', mockProxmoxConfig);
 

package/src/infrastructure/property-extractor.ts

@@ -47,6 +47,13 @@ export interface ProxmoxProviderConfig {
   default_target_node: string;
   lxc_template: string;
   storage: string;
+  /**
+   * Cloud-init VM template to clone for `requires.system.type: vm` modules — the
+   * VM analogue of `lxc_template`. Optional: only Proxmox services that host VM
+   * modules configure it. A VM module declares `vm_template` as a *required*
+   * infrastructure var, so a service missing it fails loudly at resolution.
+   */
+  vm_template?: string;
 }
 
 /**
@@ -72,6 +79,11 @@ export function extractProxmoxProperties(
     target_node: providerConfig.default_target_node,
     lxc_template: providerConfig.lxc_template,
     storage: providerConfig.storage,
+    // VM clone source — present only when the service configures it. VM modules
+    // declare `vm_template` as a required infrastructure var (resolution errors
+    // if absent); LXC modules never reference it. Omitted (not empty) when unset
+    // so the resolver's required/optional handling stays correct.
+    ...(providerConfig.vm_template ? { vm_template: providerConfig.vm_template } : {}),
   };
 }
 

package/src/manifest/schema.ts

@@ -311,6 +311,13 @@ export const SystemResourceSchema = z.object({
   memory: z.number().int().positive().optional().describe('Recommended memory in MB'),
   disk: z.number().int().positive().optional().describe('Recommended disk size in GB'),
   storage: z.string().optional().describe('Proxmox storage backend (defaults to system config)'),
+  type: z
+    .enum(['lxc', 'vm'])
+    .default('lxc')
+    .describe(
+      'Proxmox provisioning type: lxc (default) or vm (qemu, for Docker / kernel-module workloads). ' +
+        'Modules declare this explicitly; celilo never infers it. Moot for machine-pool / external infra.',
+    ),
   zone: z
     .enum(['internal', 'dmz', 'app', 'secure', 'external'])
     .describe('Required security zone for this module'),

package/src/manifest/validate.test.ts

@@ -77,6 +77,59 @@ variables:
     }
   });
 
+  test('requires.system.type defaults to lxc when omitted', () => {
+    const yaml = `
+${CONTRACT_LINE}
+id: homebridge
+name: Homebridge
+version: 1.0.0
+requires:
+  system:
+    cpu: 1
+    zone: app
+`;
+    const result = validateManifest(yaml);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.requires.system?.type).toBe('lxc');
+    }
+  });
+
+  test('requires.system.type accepts an explicit vm', () => {
+    const yaml = `
+${CONTRACT_LINE}
+id: forgejo-runner
+name: Forgejo Runner
+version: 1.0.0
+requires:
+  system:
+    cpu: 4
+    memory: 8192
+    type: vm
+    zone: dmz
+`;
+    const result = validateManifest(yaml);
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.requires.system?.type).toBe('vm');
+    }
+  });
+
+  test('requires.system.type rejects an unknown infra type', () => {
+    const yaml = `
+${CONTRACT_LINE}
+id: homebridge
+name: Homebridge
+version: 1.0.0
+requires:
+  system:
+    type: container
+    zone: app
+`;
+    const result = validateManifest(yaml);
+    expect(result.success).toBe(false);
+  });
+
   test('should validate dns-external manifest with capability provider', () => {
     const yaml = `
 ${CONTRACT_LINE}

package/src/services/bus-interview.test.ts

@@ -42,7 +42,7 @@ describe('busInterview', () => {
     const watch = responderBus.watch('config.required.lunacycle.domain', (event) => {
       responderBus.emitRaw(
         `${event.type}.reply`,
-        { value: 'lunacycle.net' },
+        { value: 'example.net' },
         { replyFor: event.id, emittedBy: 'test-responder' },
       );
     });
@@ -58,7 +58,7 @@ describe('busInterview', () => {
       payload,
     );
 
-    expect(reply.value).toBe('lunacycle.net');
+    expect(reply.value).toBe('example.net');
 
     watch.close();
     responderBus.close();

package/src/services/bus-secret-flow.test.ts

@@ -350,7 +350,7 @@ describe('bus-mediated interviewForMissingSecrets', () => {
     const { seen, close } = startTestResponder(
       bus,
       'secret.required.testmod.ddns_passwords',
-      { value: JSON.stringify({ 'lunacycle.net': 'pw1', 'celilo.computer': 'pw2' }) },
+      { value: JSON.stringify({ 'example.net': 'pw1', 'celilo.computer': 'pw2' }) },
       testDb,
     );
 
@@ -380,7 +380,7 @@ describe('bus-mediated interviewForMissingSecrets', () => {
 
     const masterKey = await getOrCreateMasterKey();
     const stored = await readModuleSecretKey('testmod', 'ddns_passwords', testDb, masterKey);
-    expect(stored).toBe(JSON.stringify({ 'lunacycle.net': 'pw1', 'celilo.computer': 'pw2' }));
+    expect(stored).toBe(JSON.stringify({ 'example.net': 'pw1', 'celilo.computer': 'pw2' }));
 
     close();
   });

package/src/services/celilo-mgmt-hooks.test.ts

@@ -18,6 +18,7 @@ import { afterEach, beforeEach, describe, expect, it } from 'bun:test';
 import { existsSync, mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
+import { skipIntegration } from '../test-utils/integration-guard';
 
 import type { HookContext } from '@celilo/capabilities';
 
@@ -77,7 +78,7 @@ function buildContext(extras: Record<string, unknown>): HookContext {
   } as HookContext;
 }
 
-describe('celilo-mgmt on_backup', () => {
+describe.skipIf(skipIntegration({ tools: ['wg'] }))('celilo-mgmt on_backup', () => {
   let dir: string;
   let backupDir: string;
   let crossModuleRoot: string;
@@ -214,7 +215,7 @@ describe('celilo-mgmt on_backup', () => {
   });
 });
 
-describe('celilo-mgmt on_restore', () => {
+describe.skipIf(skipIntegration({ tools: ['wg'] }))('celilo-mgmt on_restore', () => {
   let dir: string;
   let restoreDir: string;
   let crossModuleWriteRoot: string;

package/src/services/deploy-validation.test.ts

@@ -265,8 +265,8 @@ describe('findMissingSecrets (shared)', () => {
     // The terminal-responder reads these off the bus payload to apply
     // input-time regex validation. Without manifest → MissingVariable
     // propagation, the responder never sees them and operators end
-    // up entering invalid keys (e.g. 'www.lunacycle.net' instead of
-    // the apex 'lunacycle.net').
+    // up entering invalid keys (e.g. 'www.example.net' instead of
+    // the apex 'example.net').
     const missing = await findMissingSecrets(
       'testmod',
       {

package/src/services/dns-provider-backfill.test.ts

@@ -105,14 +105,14 @@ describe('backfillWebRouteDns (ISS-0029)', () => {
     seedFirewall('100.64.0.1');
     seedRoute('apt.celilo.computer', '/');
     seedRoute('apt.celilo.computer', '/-/publish'); // same host, different path → deduped
-    seedRoute('registry.lunacycle.net', '/');
+    seedRoute('registry.example.net', '/');
 
     const calls: DnsRecordRequest[] = [];
     await backfillWebRouteDns('technitium', getDb(), silentLogger, stubLoader(calls));
 
     expect(calls.map((c) => c.host).sort()).toEqual([
       'apt.celilo.computer',
-      'registry.lunacycle.net',
+      'registry.example.net',
     ]);
     expect(calls.every((c) => c.value === '100.64.0.1' && c.type === 'A')).toBe(true);
   });