@celilo/cli 0.5.0-alpha.7 → 0.5.0-alpha.9

package/src/services/terminal-responder.ts

@@ -37,6 +37,7 @@ import { getOrCreateMasterKey } from '../secrets/master-key';
 import type {
   ConfigRequiredPayload,
   EnsureRequiredPayload,
+  InterviewRequiredPayload,
   SecretRequiredPayload,
 } from './bus-interview';
 import { readModuleSecretKey, writeModuleSecretKey } from './config-interview';
@@ -283,6 +284,117 @@ export function startTerminalResponder(): TerminalResponderHandle {
     });
   });
 
+  // Generic interview family (ISS-0127). Non-deploy commands (e.g.
+  // `service reconfigure`) ask their questions here so they're driveable
+  // over the bus like a deploy. Renders by `kind`. Like the other watches,
+  // we ignore reply events (replyFor !== null) and de-dupe by event id.
+  const interviewWatch = bus.watch('interview.required.*.*', async (event) => {
+    if (event.replyFor !== null) return;
+    if (handled.has(event.id)) return;
+    handled.add(event.id);
+
+    const payload = event.payload as InterviewRequiredPayload;
+    if (!payload || typeof payload.scope !== 'string' || typeof payload.key !== 'string') {
+      log.warn(
+        `Terminal responder skipped malformed interview event ${event.type} (id ${event.id}): missing scope/key`,
+      );
+      return;
+    }
+
+    const message = payload.description
+      ? `${payload.message} — ${payload.description}`
+      : payload.message;
+
+    let value: unknown;
+
+    if (payload.kind === 'confirm') {
+      const answer = await p.confirm({
+        message,
+        initialValue: payload.defaultValue === 'true',
+      });
+      if (p.isCancel(answer)) {
+        log.warn(
+          `Terminal responder: cancelled prompt for ${payload.scope}.${payload.key}; no reply emitted`,
+        );
+        return;
+      }
+      value = answer;
+    } else if (payload.kind === 'select') {
+      const answer = await p.select({
+        message,
+        options: (payload.options ?? []).map((opt) => ({
+          value: opt.value,
+          label: opt.label,
+          hint: opt.hint,
+        })),
+        initialValue: payload.defaultValue,
+      });
+      if (p.isCancel(answer)) {
+        log.warn(
+          `Terminal responder: cancelled prompt for ${payload.scope}.${payload.key}; no reply emitted`,
+        );
+        return;
+      }
+      value = answer;
+    } else if (payload.kind === 'multiselect') {
+      const answer = await p.multiselect({
+        message,
+        options: (payload.options ?? []).map((opt) => ({
+          value: opt.value,
+          label: opt.label,
+          hint: opt.hint,
+        })),
+        required: payload.required,
+      });
+      if (p.isCancel(answer)) {
+        log.warn(
+          `Terminal responder: cancelled prompt for ${payload.scope}.${payload.key}; no reply emitted`,
+        );
+        return;
+      }
+      value = answer;
+    } else {
+      // kind === 'text'
+      const type = payload.type ?? 'string';
+      const typeHint = describeTypeHint(type);
+      const answer = await promptText({
+        message: typeHint ? `${message}  (${typeHint})` : message,
+        defaultValue: payload.defaultValue,
+        placeholder: payload.placeholder,
+        validate: (val) => {
+          if (payload.required && (!val || val.trim() === '')) {
+            return 'This field is required';
+          }
+          if (payload.pattern && val) {
+            const re = new RegExp(payload.pattern);
+            if (!re.test(val)) return `Value must match: ${payload.pattern}`;
+          }
+          try {
+            coerceValue(val, type);
+          } catch (err) {
+            return err instanceof Error ? err.message : String(err);
+          }
+        },
+      });
+      if (answer === undefined) {
+        log.warn(
+          `Terminal responder: cancelled prompt for ${payload.scope}.${payload.key}; no reply emitted`,
+        );
+        return;
+      }
+      value = coerceValue(answer, type);
+    }
+
+    bus.emitRaw(
+      `${event.type}.reply`,
+      { value },
+      {
+        replyFor: event.id,
+        emittedBy: me,
+      },
+    );
+  });
+
   // Liveness probe: lets a non-interactive caller in another shell
   // (e.g. `module generate`) detect that a terminal-responder is
   // running here and that calling busInterview is safe.
@@ -300,6 +412,7 @@ export function startTerminalResponder(): TerminalResponderHandle {
       configWatch.close();
       secretWatch.close();
       ensureWatch.close();
+      interviewWatch.close();
       probeWatch.close();
       bus.close();
     },

package/src/templates/generator.test.ts

@@ -6,6 +6,7 @@ import { type DbClient, createDbClient } from '../db/client';
 import { capabilities } from '../db/schema';
 import { upsertModuleConfig } from '../services/module-config';
 import {
+  decideTargetNode,
   discoverTemplateFiles,
   generateTemplates,
   getOutputFilename,
@@ -794,3 +795,32 @@ describe("targetNodeFromTfState (ISS-0090 — terraform state is celilo's placem
     expect(targetNodeFromTfState({})).toBeNull();
   });
 });
+
+describe('decideTargetNode (ISS-0090 — deploy follows reality: Proxmox > state > default)', () => {
+  test('Proxmox reality wins — adopts a hand-migration tf-state would miss', () => {
+    expect(
+      decideTargetNode({ proxmoxNode: 'node2', stateNode: 'node3', defaultNode: 'node3' }),
+    ).toEqual({ node: 'node2', source: 'proxmox' });
+  });
+
+  test('falls back to terraform state when Proxmox is unknown/unreachable', () => {
+    expect(
+      decideTargetNode({ proxmoxNode: null, stateNode: 'node2', defaultNode: 'node3' }),
+    ).toEqual({ node: 'node2', source: 'state' });
+  });
+
+  test('first deploy (no Proxmox, no state) → service default', () => {
+    expect(decideTargetNode({ proxmoxNode: null, stateNode: null, defaultNode: 'node3' })).toEqual({
+      node: 'node3',
+      source: 'default',
+    });
+  });
+
+  test('a changed default never relocates a running container (reality overrides default)', () => {
+    // default flipped node2→node3, but the container actually runs on node2:
+    // resolution stays node2, so the redeploy is an in-place update, not a move.
+    expect(
+      decideTargetNode({ proxmoxNode: 'node2', stateNode: null, defaultNode: 'node3' }),
+    ).toEqual({ node: 'node2', source: 'proxmox' });
+  });
+});

package/src/templates/generator.ts

@@ -5,6 +5,7 @@ import { dirname, join, relative } from 'node:path';
 import { and, eq } from 'drizzle-orm';
 import { generateInventory } from '../ansible/inventory';
 import { generateAnsibleSecrets } from '../ansible/secrets';
+import { ProxmoxClient, type ProxmoxCredentials } from '../api-clients/proxmox';
 import { log } from '../cli/prompts';
 import { getModuleStoragePath } from '../config/paths';
 import { type DbClient, getDb } from '../db/client';
@@ -19,12 +20,14 @@ import {
 import { getSingularSystemSpec } from '../manifest/schema';
 import type { AnsibleCollection, ModuleManifest } from '../manifest/schema';
 import { validateZoneRequirements } from '../manifest/validate';
+import { getServiceCredentials } from '../services/container-service';
+import { getModuleSystems } from '../services/deployed-systems';
 import {
   describeCapabilityProblem,
   findBrokenCapabilityDerivations,
 } from '../services/fleet-checks';
 import { selectInfrastructure } from '../services/infrastructure-selector';
-import { upsertModuleConfig } from '../services/module-config';
+import { deleteModuleConfig, upsertModuleConfig } from '../services/module-config';
 import type { InfrastructureSelection } from '../types/infrastructure';
 import { convertSecretsToJinja } from '../variables/ansible-resolver';
 import { buildResolutionContext } from '../variables/context';
@@ -261,6 +264,49 @@ async function readDeployedTargetNode(moduleId: string): Promise<string | null>
   }
 }
 
+/**
+ * The node a module's container ACTUALLY lives on, from Proxmox (ISS-0090).
+ * Proxmox is the ultimate source of truth for current location — it sees a
+ * hand-migration that celilo's terraform state wouldn't. Returns null when the
+ * module has no deployed vmid yet, the service is unreachable, or the vmid isn't
+ * in the cluster — the caller then falls back to terraform state / the default.
+ * Never throws: a Proxmox outage must not block a deploy.
+ */
+async function readProxmoxNodeForModule(
+  moduleId: string,
+  serviceId: string,
+  db: DbClient,
+): Promise<string | null> {
+  const vmid = getModuleSystems(moduleId, db).find(
+    (s) => s.infrastructure.type === 'container_service' && s.infrastructure.vmid != null,
+  )?.infrastructure.vmid;
+  if (vmid == null) return null;
+  try {
+    const creds = (await getServiceCredentials(serviceId)) as ProxmoxCredentials;
+    const result = await new ProxmoxClient(creds).nodeForVmid(vmid);
+    return result.success ? result.data : null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Decide which node to target for a deploy (ISS-0090). Pure (Rule 10):
+ *   Proxmox reality > recorded terraform state > service default.
+ * `default_target_node` governs only a FIRST placement; a changed default must
+ * never relocate a running container. A hand-migration (seen by Proxmox but not
+ * tf-state) is adopted. Deliberate moves are an explicit migrate (ISS-0062).
+ */
+export function decideTargetNode(opts: {
+  proxmoxNode: string | null;
+  stateNode: string | null;
+  defaultNode: string;
+}): { node: string; source: 'proxmox' | 'state' | 'default' } {
+  if (opts.proxmoxNode) return { node: opts.proxmoxNode, source: 'proxmox' };
+  if (opts.stateNode) return { node: opts.stateNode, source: 'state' };
+  return { node: opts.defaultNode, source: 'default' };
+}
+
 /**
  * Discover template files in directory recursively
  *
@@ -684,6 +730,9 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
   // Infrastructure Properties Resolution (Proxmox provider config)
   // For Proxmox services, extract provider config and store as temporary values
   // This happens during generation so templates can access target_node, lxc_template, etc.
+  // Resolved live each generate (ISS-0090) and injected into the context below,
+  // never cached in the DB. undefined for non-Proxmox / machine deploys.
+  let resolvedTargetNode: string | undefined;
   if (isContainerService && isProxmoxService && infrastructureSelection?.serviceId) {
     const service = await db
       .select()
@@ -698,37 +747,36 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
         storage: string;
       };
 
-      // ISS-0090: target the node the container ACTUALLY lives on, not the
-      // service default. `default_target_node` governs only NEW placement; a
-      // changed default must NEVER relocate a running system. celilo's terraform
-      // state is its authoritative record of where it placed this container (kept
-      // in sync by deploy and by `module migrate`), so read the deployed node from
-      // there. Fall back to the default only when there's no state yet — a first
-      // deploy. Deliberate relocation is an explicit `module migrate`, not a
-      // side-effect of the default changing.
-      let targetNode = providerConfig.default_target_node;
-      const deployedNode = await readDeployedTargetNode(moduleId);
-      if (deployedNode) {
-        if (deployedNode !== targetNode) {
-          log.info(
-            `${moduleId} is already deployed on node '${deployedNode}' — targeting it (service default is '${providerConfig.default_target_node}'). Relocating requires a deliberate migration.`,
-          );
-        }
-        targetNode = deployedNode;
+      // ISS-0090: deploy follows REALITY. Resolve the node from Proxmox (it sees
+      // a hand-migration that tf-state wouldn't), else the recorded terraform
+      // state, else the service default (FIRST placement only). A changed default
+      // must never relocate a running container; deliberate moves are an explicit
+      // migrate (ISS-0062).
+      const decision = decideTargetNode({
+        proxmoxNode: await readProxmoxNodeForModule(
+          moduleId,
+          infrastructureSelection.serviceId,
+          db,
+        ),
+        stateNode: await readDeployedTargetNode(moduleId),
+        defaultNode: providerConfig.default_target_node,
+      });
+      resolvedTargetNode = decision.node;
+      if (decision.source !== 'default' && decision.node !== providerConfig.default_target_node) {
+        const from = decision.source === 'proxmox' ? 'Proxmox' : 'terraform state';
+        log.info(
+          `${moduleId} → node '${decision.node}' (from ${from}; service default is '${providerConfig.default_target_node}'). Relocating requires a deliberate migration.`,
+        );
       }
 
-      // Store provider config values as temporary config (similar to IPAM allocation)
-      const infraProperties = [
-        { key: 'target_node', value: targetNode },
-        { key: 'lxc_template', value: providerConfig.lxc_template },
-        { key: 'storage', value: providerConfig.storage },
-      ];
-
-      for (const prop of infraProperties) {
-        upsertModuleConfig(db, moduleId, `__infra_${prop.key}`, prop.value);
-      }
+      // Persist only the non-drift provider values. target_node is reality — it's
+      // injected into the resolution context below, never cached (ISS-0090); drop
+      // any stale __infra_target_node a prior generate left behind.
+      upsertModuleConfig(db, moduleId, '__infra_lxc_template', providerConfig.lxc_template);
+      upsertModuleConfig(db, moduleId, '__infra_storage', providerConfig.storage);
+      deleteModuleConfig(db, moduleId, '__infra_target_node');
 
-      log.success(`Infrastructure properties resolved from service: target_node=${targetNode}`);
+      log.success(`Infrastructure resolved: target_node=${decision.node} (${decision.source})`);
     }
   }
 
@@ -760,8 +808,15 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
       context.selfConfig.target_ip = ipConfig.value!;
     }
 
-    // Add infrastructure properties to context (target_node, lxc_template, storage)
-    const infraKeys = ['target_node', 'lxc_template', 'storage'];
+    // target_node is the live-resolved reality (ISS-0090) — inject it directly,
+    // never from a cached __infra_target_node row (which drifts).
+    if (resolvedTargetNode) {
+      context.selfConfig.target_node = resolvedTargetNode;
+    }
+
+    // lxc_template / storage are provider config (intent, not drift-prone) — read
+    // them back from the __infra_* rows persisted above.
+    const infraKeys = ['lxc_template', 'storage'];
     for (const key of infraKeys) {
       const infraConfig = db
         .select()