@celilo/cli 0.5.0-alpha.5 → 0.5.0-alpha.7

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@celilo/cli",
-  "version": "0.5.0-alpha.5",
+  "version": "0.5.0-alpha.7",
   "description": "Celilo — home lab orchestration CLI",
   "type": "module",
   "bin": {
@@ -52,7 +52,7 @@
   },
   "dependencies": {
     "@aws-sdk/client-s3": "^3.1024.0",
-    "@celilo/capabilities": "^0.4.1",
+    "@celilo/capabilities": "^0.4.2",
     "@celilo/cli-display": "^0.1.9",
     "@celilo/event-bus": "^0.1.6",
     "@clack/prompts": "^1.1.0",

package/src/ansible/inventory.test.ts

@@ -61,7 +61,7 @@ describe('generateHostsIni', () => {
       },
       {
         hostname: 'dns-ext',
-        ansibleHost: '188.166.157.2',
+        ansibleHost: '192.0.2.20',
         ansibleUser: 'root',
         groups: ['dns_external'],
       },
@@ -72,7 +72,7 @@ describe('generateHostsIni', () => {
     expect(result).toContain('[homebridge]');
     expect(result).toContain('[dns_external]');
     expect(result).toContain('iot ansible_host=192.168.0.110 ansible_user=root');
-    expect(result).toContain('dns-ext ansible_host=188.166.157.2 ansible_user=root');
+    expect(result).toContain('dns-ext ansible_host=192.0.2.20 ansible_user=root');
   });
 
   test('includes SSH private key file path when provided', () => {
@@ -136,8 +136,8 @@ describe('generateHostVarsYaml', () => {
   test('generates YAML for arrays', () => {
     const vars = {
       zone_records: [
-        { name: 'ns1', type: 'A', value: '188.166.157.2' },
-        { name: 'www', type: 'A', value: '71.36.99.96' },
+        { name: 'ns1', type: 'A', value: '192.0.2.20' },
+        { name: 'www', type: 'A', value: '203.0.113.10' },
       ],
     };
 
@@ -146,9 +146,9 @@ describe('generateHostVarsYaml', () => {
     expect(result).toContain('zone_records:');
     expect(result).toContain('- name: ns1');
     expect(result).toContain('type: A');
-    expect(result).toContain('value: 188.166.157.2');
+    expect(result).toContain('value: 192.0.2.20');
     expect(result).toContain('- name: www');
-    expect(result).toContain('value: 71.36.99.96');
+    expect(result).toContain('value: 203.0.113.10');
   });
 
   test('generates YAML for nested objects', () => {
@@ -359,13 +359,13 @@ describe('Database integration', () => {
       );
 
       upsertModuleConfig(db, 'dns', 'zone_records', [
-        { name: 'ns1', type: 'A', value: '188.166.157.2' },
+        { name: 'ns1', type: 'A', value: '192.0.2.20' },
       ]);
 
       const vars = buildHostVars('dns', db);
 
       expect(Array.isArray(vars.zone_records)).toBe(true);
-      expect(vars.zone_records).toEqual([{ name: 'ns1', type: 'A', value: '188.166.157.2' }]);
+      expect(vars.zone_records).toEqual([{ name: 'ns1', type: 'A', value: '192.0.2.20' }]);
     });
   });
 
@@ -416,13 +416,13 @@ describe('Database integration', () => {
       );
 
       upsertModuleConfig(db, 'dns-external', 'hostname', 'dns-ext');
-      upsertModuleConfig(db, 'dns-external', 'vps_ip', '188.166.157.2');
+      upsertModuleConfig(db, 'dns-external', 'vps_ip', '192.0.2.20');
 
       const host = extractInventoryHost('dns-external', db);
 
       expect(host).not.toBeNull();
       expect(host?.hostname).toBe('dns-ext');
-      expect(host?.ansibleHost).toBe('188.166.157.2'); // VPS IP used directly
+      expect(host?.ansibleHost).toBe('192.0.2.20'); // VPS IP used directly
       expect(host?.ansibleUser).toBe('root');
       expect(host?.groups).toEqual(['dns-external']);
     });

package/src/ansible/validation.test.ts

@@ -1,4 +1,5 @@
 import { describe, expect, test } from 'bun:test';
+import { skipIntegration } from '../test-utils/integration-guard';
 import {
   isAnsibleInventoryAvailable,
   isAnsibleLintAvailable,
@@ -54,17 +55,23 @@ describe('validateWithAnsibleLint', () => {
 });
 
 describe('validatePlaybookSyntax', () => {
-  test('returns error when playbook does not exist', async () => {
-    const result = await validatePlaybookSyntax('/nonexistent/playbook.yml', '/tmp');
-    expect(result.success).toBe(false);
-    expect(result.error).toContain('Playbook not found');
-  });
+  test.skipIf(skipIntegration({ tools: ['ansible'] }))(
+    'returns error when playbook does not exist',
+    async () => {
+      const result = await validatePlaybookSyntax('/nonexistent/playbook.yml', '/tmp');
+      expect(result.success).toBe(false);
+      expect(result.error).toContain('Playbook not found');
+    },
+  );
 
-  test('returns error when inventory does not exist', async () => {
-    const result = await validatePlaybookSyntax('/tmp/playbook.yml', '/nonexistent/inventory');
-    expect(result.success).toBe(false);
-    expect(result.error).toContain('not found');
-  });
+  test.skipIf(skipIntegration({ tools: ['ansible'] }))(
+    'returns error when inventory does not exist',
+    async () => {
+      const result = await validatePlaybookSyntax('/tmp/playbook.yml', '/nonexistent/inventory');
+      expect(result.success).toBe(false);
+      expect(result.error).toContain('not found');
+    },
+  );
 
   test('returns error when ansible-playbook not installed', async () => {
     if (!isAnsiblePlaybookAvailable()) {
@@ -76,11 +83,14 @@ describe('validatePlaybookSyntax', () => {
 });
 
 describe('validateInventory', () => {
-  test('returns error when inventory does not exist', async () => {
-    const result = await validateInventory('/nonexistent/inventory');
-    expect(result.success).toBe(false);
-    expect(result.error).toContain('Inventory not found');
-  });
+  test.skipIf(skipIntegration({ tools: ['ansible'] }))(
+    'returns error when inventory does not exist',
+    async () => {
+      const result = await validateInventory('/nonexistent/inventory');
+      expect(result.success).toBe(false);
+      expect(result.error).toContain('Inventory not found');
+    },
+  );
 
   test('returns error when ansible-inventory not installed', async () => {
     if (!isAnsibleInventoryAvailable()) {

package/src/api-clients/proxmox.test.ts

@@ -1,5 +1,12 @@
 import { describe, expect, test } from 'bun:test';
-import { findNodeForVmid } from './proxmox';
+import {
+  buildCloudImageVolid,
+  filterVmTemplates,
+  findNodeForVmid,
+  pollTaskUntilDone,
+  selectFreeVmid,
+  selectIsoStorage,
+} from './proxmox';
 
 describe('findNodeForVmid (ISS-0090 — Proxmox is source of truth for current location)', () => {
   // A trimmed /cluster/resources payload: guest rows carry a vmid; node/storage
@@ -28,3 +35,118 @@ describe('findNodeForVmid (ISS-0090 — Proxmox is source of truth for current l
     expect(findNodeForVmid([], 200)).toBeNull();
   });
 });
+
+describe('filterVmTemplates — extract VM templates from a /nodes/{node}/qemu listing', () => {
+  test('keeps only guests flagged template===1 and projects to {vmid, name}', () => {
+    const guests = [
+      { vmid: 100, name: 'running-vm' }, // no template flag → a live VM
+      { vmid: 9000, name: 'ubuntu-2404-cloudinit', template: 1 },
+      { vmid: 201, name: 'another-vm', template: 0 }, // explicitly not a template
+      { vmid: 9001, name: 'ubuntu-2204-cloudinit', template: 1 },
+    ];
+    expect(filterVmTemplates(guests)).toEqual([
+      { vmid: 9000, name: 'ubuntu-2404-cloudinit' },
+      { vmid: 9001, name: 'ubuntu-2204-cloudinit' },
+    ]);
+  });
+
+  test('returns an empty array when no guests are templates', () => {
+    expect(filterVmTemplates([{ vmid: 100, name: 'vm', template: 0 }])).toEqual([]);
+  });
+
+  test('returns an empty array for an empty listing', () => {
+    expect(filterVmTemplates([])).toEqual([]);
+  });
+});
+
+describe('selectIsoStorage — pick a storage that accepts iso content', () => {
+  test('returns the first active, enabled storage whose content includes iso', () => {
+    const storages = [
+      { storage: 'local-lvm', content: 'images,rootdir', active: 1, enabled: 1 },
+      { storage: 'local', content: 'iso,vztmpl,backup', active: 1, enabled: 1 },
+    ];
+    expect(selectIsoStorage(storages)).toBe('local');
+  });
+
+  test('skips an iso-capable storage that is inactive', () => {
+    const storages = [
+      { storage: 'cold', content: 'iso', active: 0, enabled: 1 },
+      { storage: 'local', content: 'iso', active: 1, enabled: 1 },
+    ];
+    expect(selectIsoStorage(storages)).toBe('local');
+  });
+
+  test('skips an iso-capable storage that is disabled', () => {
+    const storages = [
+      { storage: 'off', content: 'iso', active: 1, enabled: 0 },
+      { storage: 'local', content: 'iso', active: 1, enabled: 1 },
+    ];
+    expect(selectIsoStorage(storages)).toBe('local');
+  });
+
+  test('returns null when no storage accepts iso content', () => {
+    const storages = [{ storage: 'local-lvm', content: 'images,rootdir', active: 1, enabled: 1 }];
+    expect(selectIsoStorage(storages)).toBeNull();
+  });
+
+  test('returns null for an empty storage list', () => {
+    expect(selectIsoStorage([])).toBeNull();
+  });
+});
+
+describe('selectFreeVmid — first free VMID >= minVmid (template hygiene)', () => {
+  test('returns the default minimum (9000) when nothing is in use', () => {
+    expect(selectFreeVmid([])).toBe(9000);
+  });
+
+  test('returns 9000 when only low (IPAM-range) VMIDs are used', () => {
+    expect(selectFreeVmid([200, 201, 202])).toBe(9000);
+  });
+
+  test('skips a contiguous block of used template VMIDs', () => {
+    expect(selectFreeVmid([9000, 9001, 9002])).toBe(9003);
+  });
+
+  test('finds a gap inside the used set', () => {
+    // 9000 used, 9001 free → returns 9001
+    expect(selectFreeVmid([9000, 9002, 9003])).toBe(9001);
+  });
+
+  test('honors a custom minVmid floor', () => {
+    expect(selectFreeVmid([9000], 9500)).toBe(9500);
+  });
+
+  test('never returns a VMID below the floor even if low ones are free', () => {
+    // 100/101 are free but below the 9000 floor — must stay out of the IPAM range
+    expect(selectFreeVmid([9000])).toBe(9001);
+  });
+});
+
+describe('buildCloudImageVolid — volid for a cloud image on iso storage', () => {
+  test('places the filename under the storage iso/ namespace', () => {
+    expect(buildCloudImageVolid('local', 'noble-server-cloudimg-amd64.img')).toBe(
+      'local:iso/noble-server-cloudimg-amd64.img',
+    );
+  });
+
+  test('works with an arbitrary storage name', () => {
+    expect(buildCloudImageVolid('nas-iso', 'jammy.img')).toBe('nas-iso:iso/jammy.img');
+  });
+});
+
+describe('pollTaskUntilDone — synchronous-task guard (null/empty UPID)', () => {
+  const creds = {
+    api_url: 'https://proxmox.invalid:8006/api2/json',
+    api_token_id: 'root@pam!test',
+    api_token_secret: 'unused',
+  };
+
+  test('resolves to OK immediately for an empty UPID without hitting the network', async () => {
+    // An empty UPID means the API call completed synchronously (e.g. converting
+    // a diskless VM to a template returns null data, not a worker UPID). The
+    // guard must short-circuit BEFORE any task-status lookup — proxmox.invalid
+    // would otherwise throw a DNS/connection error, so a clean 'OK' proves it
+    // never tried to poll.
+    expect(await pollTaskUntilDone(creds, 'pve', '')).toBe('OK');
+  });
+});

package/src/api-clients/proxmox.ts

@@ -558,12 +558,11 @@ export async function listAvailableTemplates(
 }
 
 /**
- * Make an authenticated POST request to the Proxmox API.
- * Shares connection/auth handling with makeProxmoxRequest; the only differences
- * are the verb and the form-encoded body.
+ * Make an authenticated form-encoded request (POST or PUT) to the Proxmox API.
  */
-async function makeProxmoxPost<T>(
+async function makeProxmoxFormRequest<T>(
   credentials: ProxmoxCredentials,
+  method: 'POST' | 'PUT',
   path: string,
   params: Record<string, string>,
 ): Promise<ProxmoxResult<T>> {
@@ -576,7 +575,7 @@ async function makeProxmoxPost<T>(
       const postData = new URLSearchParams(params).toString();
 
       if (process.env.DEBUG) {
-        console.log(`[Proxmox] POST: ${fullUrl}`);
+        console.log(`[Proxmox] ${method}: ${fullUrl}`);
         console.log(`[Proxmox] Body: ${postData}`);
       }
 
@@ -587,7 +586,7 @@ async function makeProxmoxPost<T>(
           hostname: url.hostname,
           port: url.port || 443,
           path: url.pathname,
-          method: 'POST',
+          method,
           headers: {
             Authorization: authHeader,
             'Content-Type': 'application/x-www-form-urlencoded',
@@ -605,7 +604,7 @@ async function makeProxmoxPost<T>(
 
             if (statusCode < 200 || statusCode >= 300) {
               if (process.env.DEBUG || statusCode >= 400) {
-                console.error(`[Proxmox] POST ${path} failed (${statusCode}): ${body}`);
+                console.error(`[Proxmox] ${method} ${path} failed (${statusCode}): ${body}`);
               }
               resolve({
                 success: false,
@@ -649,6 +648,14 @@ async function makeProxmoxPost<T>(
   });
 }
 
+async function makeProxmoxPost<T>(
+  credentials: ProxmoxCredentials,
+  path: string,
+  params: Record<string, string>,
+): Promise<ProxmoxResult<T>> {
+  return makeProxmoxFormRequest(credentials, 'POST', path, params);
+}
+
 /**
  * Entry from Proxmox's appliance catalog (`pveam available`). The `template`
  * field is the canonical filename (revision included) that should be passed to
@@ -742,3 +749,281 @@ export function buildTemplatePath(storageName: string, templateFilename: string)
 export function buildProxmoxApiUrl(ipAddress: string, port = 8006): string {
   return `https://${ipAddress}:${port}/api2/json`;
 }
+
+// ── VM template build API ─────────────────────────────────────────────────────
+// Used by proxmox-vm-template-build.ts to build a cloud-init template via the
+// Proxmox API (no SSH to the node required).
+//
+// Version requirements (the build needs the HIGHER of the two — i.e. PVE 8.0+):
+//   - the storage `download-url` endpoint (downloadCloudImage)      → PVE 7.2+
+//   - `import-from=` on a disk in the VM-create call                → PVE 8.0+
+// On PVE 7.x the create call rejects `import-from`; the older two-step
+// `qm importdisk` flow would be needed there (not implemented — 8.x is current).
+// @psbanka - 2026-06: revisit only if a 7.x node must be supported.
+
+export interface ProxmoxVmTemplate {
+  vmid: number;
+  name: string;
+}
+
+/** Raw `/nodes/{node}/qemu` guest row (only the fields we read). */
+interface ProxmoxQemuGuestRow {
+  vmid: number;
+  name: string;
+  template?: number;
+}
+
+/**
+ * Extract VM templates (guests with `template === 1`) from a `/nodes/{node}/qemu`
+ * listing. Pure filtering logic, split from the network call for testability
+ * (Rule 10) — mirrors findNodeForVmid.
+ */
+export function filterVmTemplates(guests: ProxmoxQemuGuestRow[]): ProxmoxVmTemplate[] {
+  return guests.filter((vm) => vm.template === 1).map((vm) => ({ vmid: vm.vmid, name: vm.name }));
+}
+
+/** List existing VM templates on a node. */
+export async function listVmTemplates(
+  credentials: ProxmoxCredentials,
+  nodeName: string,
+): Promise<ProxmoxResult<ProxmoxVmTemplate[]>> {
+  const result = await makeProxmoxRequest<ProxmoxQemuGuestRow[]>(
+    credentials,
+    `/nodes/${nodeName}/qemu`,
+  );
+  if (!result.success) return result;
+  return { success: true, data: filterVmTemplates(result.data) };
+}
+
+/** Storage row shape (subset) used when picking ISO-capable storage. */
+type ProxmoxStorageRow = { storage: string; content: string; active: number; enabled: number };
+
+/**
+ * Pick the first active, enabled storage that accepts `iso` content. Pure
+ * selection logic, split from the network call for testability (Rule 10).
+ * Returns the storage name, or null when none qualifies.
+ */
+export function selectIsoStorage(storages: ProxmoxStorageRow[]): string | null {
+  const iso = storages.find((s) => s.active && s.enabled && s.content.includes('iso'));
+  return iso?.storage ?? null;
+}
+
+/**
+ * Find a storage on the node that accepts `iso` content (for downloading cloud
+ * images). Returns the storage name, or null if none found.
+ */
+export async function findIsoStorage(
+  credentials: ProxmoxCredentials,
+  nodeName: string,
+): Promise<ProxmoxResult<string | null>> {
+  const result = await listNodeStorage(credentials, nodeName);
+  if (!result.success) return result;
+  return { success: true, data: selectIsoStorage(result.data) };
+}
+
+/**
+ * Pick the first free VMID >= minVmid given the set of in-use VMIDs. Pure
+ * selection logic, split from the network call for testability (Rule 10).
+ * Template VMIDs must stay outside celilo's IPAM range (200+) so they can
+ * never collide with deployed systems — hence minVmid defaults to 9000.
+ */
+export function selectFreeVmid(usedVmids: Iterable<number>, minVmid = 9000): number {
+  const used = new Set(usedVmids);
+  let candidate = minVmid;
+  while (used.has(candidate)) {
+    candidate++;
+  }
+  return candidate;
+}
+
+/**
+ * Find a free VMID >= minVmid (default 9000) across the cluster.
+ * Template VMIDs must stay outside celilo's IPAM range (200+) so they can
+ * never collide with deployed systems.
+ */
+export async function findFreeTemplateVmid(
+  credentials: ProxmoxCredentials,
+  _nodeName: string,
+  minVmid = 9000,
+): Promise<ProxmoxResult<number>> {
+  const result = await makeProxmoxRequest<Array<{ vmid?: number }>>(
+    credentials,
+    '/cluster/resources',
+  );
+  if (!result.success) return result;
+  const usedVmids = result.data
+    .map((r) => r.vmid)
+    .filter((vmid): vmid is number => typeof vmid === 'number');
+  return { success: true, data: selectFreeVmid(usedVmids, minVmid) };
+}
+
+/**
+ * Download a cloud image URL to ISO storage on the node. Returns a UPID for
+ * status polling. Requires PVE 7.2+ (`download-url` endpoint).
+ */
+export async function downloadCloudImage(
+  credentials: ProxmoxCredentials,
+  nodeName: string,
+  isoStorage: string,
+  url: string,
+  filename: string,
+): Promise<ProxmoxResult<string>> {
+  return makeProxmoxPost<string>(
+    credentials,
+    `/nodes/${nodeName}/storage/${isoStorage}/download-url`,
+    { url, filename, content: 'iso' },
+  );
+}
+
+/**
+ * Poll a task UPID until it reaches `stopped` status. Resolves with the
+ * exitstatus string (typically `'OK'` on success). Throws on timeout or a
+ * non-OK exitstatus.
+ *
+ * An empty/missing UPID means the API call completed synchronously (some PVE
+ * endpoints — e.g. converting a diskless VM to a template — return `null` data
+ * instead of a worker UPID). There is nothing to poll, so treat it as an
+ * immediate success rather than encoding the empty string and 404-ing on the
+ * task-status lookup.
+ */
+export async function pollTaskUntilDone(
+  credentials: ProxmoxCredentials,
+  nodeName: string,
+  upid: string,
+  timeoutMs = 600_000,
+): Promise<string> {
+  if (!upid) return 'OK';
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    await new Promise<void>((r) => setTimeout(r, 3_000));
+    const status = await checkTaskStatus(credentials, nodeName, upid);
+    if (!status.success) throw new Error(`Task poll failed: ${status.message}`);
+    if (status.data.status === 'stopped') {
+      const exit = status.data.exitstatus ?? 'unknown';
+      if (exit !== 'OK') throw new Error(`Task ${upid} failed with exitstatus: ${exit}`);
+      return exit;
+    }
+  }
+  throw new Error(`Task ${upid} timed out after ${timeoutMs / 1000}s`);
+}
+
+/**
+ * Build the volid for a cloud image downloaded to ISO storage. Pure path
+ * construction, split out for testability (Rule 10) — mirrors buildTemplatePath.
+ * Proxmox's `download-url` with `content=iso` stores the `.img` under the
+ * storage's `iso/` namespace, so the volid is `<storage>:iso/<filename>`.
+ */
+export function buildCloudImageVolid(isoStorage: string, filename: string): string {
+  return `${isoStorage}:iso/${filename}`;
+}
+
+export interface CreateVmFromCloudImageParams {
+  credentials: ProxmoxCredentials;
+  nodeName: string;
+  vmid: number;
+  name: string;
+  /** Volume ID of the downloaded cloud image, e.g. `local:iso/noble-server-cloudimg-amd64.img` */
+  isoVolid: string;
+  /** Storage for the imported VM disk and the cloud-init drive */
+  diskStorage: string;
+}
+
+/**
+ * Create a VM and import the cloud image as its boot disk in one API call.
+ * Also attaches the cloud-init CDROM drive so terraform can inject credentials
+ * at clone time. Returns a UPID — poll with pollTaskUntilDone.
+ *
+ * `import-from=` in the disk spec requires PVE 8.0+ (see the version note at the
+ * top of this section). The `net0` bridge is hardcoded to `vmbr0` (the Proxmox
+ * default); it only governs the template's own NIC, which terraform overrides
+ * with `$system:network.bridge` at clone time — so it never reaches a deployed
+ * guest. @psbanka - 2026-06: parameterize if a non-vmbr0 node ever blocks the
+ * template build itself.
+ */
+export async function createVmFromCloudImage(
+  params: CreateVmFromCloudImageParams,
+): Promise<ProxmoxResult<string>> {
+  const { credentials, nodeName, vmid, name, isoVolid, diskStorage } = params;
+  return makeProxmoxPost<string>(credentials, `/nodes/${nodeName}/qemu`, {
+    vmid: String(vmid),
+    name,
+    memory: '2048',
+    cores: '2',
+    scsihw: 'virtio-scsi-pci',
+    net0: 'virtio,bridge=vmbr0',
+    agent: 'enabled=1',
+    serial0: 'socket',
+    vga: 'serial0',
+    boot: 'order=scsi0',
+    scsi0: `${diskStorage}:0,import-from=${isoVolid}`,
+    ide2: `${diskStorage}:cloudinit`,
+  });
+}
+
+/**
+ * Convert an existing VM to a template. Returns a UPID — the VM must be
+ * powered off. Poll with pollTaskUntilDone.
+ */
+export async function convertVmToTemplate(
+  credentials: ProxmoxCredentials,
+  nodeName: string,
+  vmid: number,
+): Promise<ProxmoxResult<string>> {
+  return makeProxmoxPost<string>(credentials, `/nodes/${nodeName}/qemu/${vmid}/template`, {});
+}
+
+/**
+ * Delete a VM (cleanup on build failure). Returns a UPID.
+ * Passes `purge=1` so storage volumes are also removed.
+ */
+export async function deleteVm(
+  credentials: ProxmoxCredentials,
+  nodeName: string,
+  vmid: number,
+): Promise<ProxmoxResult<string>> {
+  return new Promise((resolve) => {
+    try {
+      const { api_url, api_token_id, api_token_secret } = credentials;
+      const authHeader = `PVEAPIToken=${api_token_id}=${api_token_secret}`;
+      const fullUrl = `${api_url}/nodes/${nodeName}/qemu/${vmid}`;
+      const url = new URL(fullUrl);
+      const agent = new https.Agent({ rejectUnauthorized: false });
+      const req = https.request(
+        {
+          hostname: url.hostname,
+          port: url.port || 443,
+          path: `${url.pathname}?purge=1`,
+          method: 'DELETE',
+          headers: { Authorization: authHeader },
+          agent,
+        },
+        (res) => {
+          let body = '';
+          res.on('data', (chunk) => {
+            body += chunk;
+          });
+          res.on('end', () => {
+            const statusCode = res.statusCode || 0;
+            if (statusCode < 200 || statusCode >= 300) {
+              resolve({
+                success: false,
+                message: `Delete failed with status ${statusCode}: ${body}`,
+              });
+              return;
+            }
+            try {
+              const data = JSON.parse(body) as ProxmoxApiResponse<string>;
+              resolve({ success: true, data: data.data });
+            } catch {
+              resolve({ success: true, data: '' });
+            }
+          });
+        },
+      );
+      req.on('error', (error) => resolve({ success: false, message: error.message }));
+      req.end();
+    } catch (error) {
+      resolve({ success: false, message: error instanceof Error ? error.message : String(error) });
+    }
+  });
+}

package/src/cli/commands/events.test.ts

@@ -165,20 +165,20 @@ describe('celilo events command handlers', () => {
     });
     setupBus.close();
 
-    const res = await handleEventsReply([String(query.id), '"lunacycle.net"'], {});
+    const res = await handleEventsReply([String(query.id), '"example.net"'], {});
     expect(res.success).toBe(true);
     if (!res.success) throw new Error('expected success');
     const data = res.data as { status: string; family: string; value: unknown };
     expect(data.status).toBe('replied');
     expect(data.family).toBe('config');
-    expect(data.value).toBe('lunacycle.net');
+    expect(data.value).toBe('example.net');
 
     const checkBus = openBus({ dbPath, events: defineEvents({}) });
     const replies = checkBus.recentEvents({ type: 'config.required.lunacycle.domain.reply' });
     checkBus.close();
     expect(replies).toHaveLength(1);
     expect(replies[0].replyFor).toBe(query.id);
-    expect(replies[0].payload).toEqual({ value: 'lunacycle.net' });
+    expect(replies[0].payload).toEqual({ value: 'example.net' });
     expect(replies[0].emittedBy).toBe('claude-config-responder');
   });
 
@@ -229,7 +229,7 @@ describe('celilo events command handlers', () => {
     setupBus.close();
 
     // A bare word isn't valid JSON — the operator must quote strings.
-    const res = await handleEventsReply([String(query.id), 'lunacycle.net'], {});
+    const res = await handleEventsReply([String(query.id), 'example.net'], {});
     expect(res.success).toBe(false);
     if (res.success) throw new Error('expected failure');
     expect(res.error).toContain('Invalid JSON value');

package/src/cli/commands/events.ts

@@ -439,7 +439,7 @@ export async function handleEventsReply(
     return {
       success: false,
       error: `Usage: celilo events reply <query-event-id> <value-json>
-  e.g. celilo events reply 42 '"lunacycle.net"'`,
+  e.g. celilo events reply 42 '"example.net"'`,
     };
   }
   const queryId = Number(idArg);
@@ -454,7 +454,7 @@ export async function handleEventsReply(
     return {
       success: false,
       error: `Invalid JSON value: ${err instanceof Error ? err.message : String(err)}
-  Encode the answer as JSON, e.g. '"lunacycle.net"', '8080', '["a","b"]'.`,
+  Encode the answer as JSON, e.g. '"example.net"', '8080', '["a","b"]'.`,
     };
   }