@celilo/cli 0.5.0-alpha.8 → 0.5.0-alpha.9

package/src/cli/commands/machine-add.ts

@@ -8,6 +8,7 @@ import { readFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { getDb } from '../../db/client';
 import type { NetworkZone } from '../../db/schema';
+import { askText, withInterviewSession } from '../../services/bus-interview';
 import {
   detectMachineInfo,
   detectMachineInfoLocal,
@@ -23,9 +24,8 @@ import type {
   MachineRole,
   NetworkInterface,
 } from '../../types/infrastructure';
-import { celiloIntro, celiloOutro, promptText } from '../prompts';
+import { celiloIntro, celiloOutro } from '../prompts';
 import type { CommandResult } from '../types';
-import { validateIpAddress, validateRequired } from '../validators';
 
 /**
  * Auto-detect SSH private key from system configuration
@@ -97,183 +97,198 @@ export async function handleMachineAdd(
   args: string[],
   flags: Record<string, boolean | string> = {},
 ): Promise<CommandResult> {
-  try {
-    celiloIntro('Add Machine to Pool');
-
-    // Hybrid mode: use flags for what's provided, prompt for what's missing
-    let ipAddress: string;
-    let sshUser: string;
-
-    // IP address: from positional arg, --ip flag, or prompt
-    if (args[0] && /^\d+\.\d+\.\d+\.\d+$/.test(args[0])) {
-      ipAddress = args[0];
-    } else if (typeof flags.ip === 'string') {
-      ipAddress = flags.ip;
-    } else {
-      ipAddress = await promptText({
-        message: 'Machine IP address:',
-        validate: validateIpAddress,
-      });
-    }
+  // The two prompts below are bus interviews (ISS-0127), so `machine add` is
+  // drivable headlessly via `celilo events respond --values` / `events reply`.
+  // SSH auth uses a key file (--ssh-key-file or auto-detected) — never a
+  // prompted password — so there is no service credential to resolve here.
+  // `withInterviewSession` renders bus questions locally when stdin is a TTY.
+  const scope = 'machine-add';
 
-    // Check for duplicate IP
-    const existing = await getMachineByIp(ipAddress);
-    if (existing) {
-      return {
-        success: false,
-        error: `Machine with IP ${ipAddress} already exists (hostname: ${existing.hostname}, zone: ${existing.zone})`,
-      };
-    }
+  return withInterviewSession(async () => {
+    try {
+      celiloIntro('Add Machine to Pool');
 
-    // The local management box (127.0.0.1, or explicit --local) deploys
-    // over Ansible's local connection — no SSH, no key, no connectivity
-    // test. Determine this BEFORE the SSH-user step so the local path
-    // never prompts (it would hang a non-interactive bootstrap postinst).
-    const isLocal = ipAddress === '127.0.0.1' || flags.local === true;
-    // An explicit --zone overrides inference (needed for the local box,
-    // whose 127.0.0.1 matches no zone subnet, and useful before a firewall
-    // has provided the target zone).
-    const zoneOverride = typeof flags.zone === 'string' ? (flags.zone as NetworkZone) : undefined;
-
-    // SSH user: irrelevant for a local machine (local connection); else
-    // from flag, default to 'root', or prompt.
-    if (isLocal) {
-      sshUser = 'root';
-    } else if (typeof flags['ssh-user'] === 'string') {
-      sshUser = flags['ssh-user'];
-    } else {
-      sshUser = await promptText({
-        message: 'SSH username:',
-        defaultValue: 'root',
-        placeholder: 'root',
-        validate: validateRequired('SSH username'),
-      });
-    }
+      // Hybrid mode: use flags for what's provided, prompt for what's missing
+      let ipAddress: string;
+      let sshUser: string;
 
-    let detectedInfo: DetectedMachineInfo;
-    let zone: NetworkZone;
-    let interfaces: NetworkInterface[];
-    let role: MachineRole;
-    let sshKey: string;
-
-    if (isLocal) {
-      console.log('\nLocal machine — detecting locally (no SSH)...');
-      detectedInfo = await detectMachineInfoLocal();
-      const net = await detectNetworkInterfacesLocal();
-      interfaces = net.interfaces;
-      role = net.role;
-      // The box you're installing on is, by definition, on the internal LAN.
-      zone = zoneOverride ?? 'internal';
-      sshKey = ''; // local connection — no key needed
-      console.log(
-        `✓ Local: ${detectedInfo.hostname} — ${detectedInfo.hardware.cpu_cores} cores, ` +
-          `${detectedInfo.hardware.memory_mb} MB, ${detectedInfo.hardware.disk_gb} GB (zone ${zone}, connection local)\n`,
-      );
-    } else {
-      // SSH key: from flag, auto-detect, or error
-      let sshKeyPath: string;
-      if (typeof flags['ssh-key-file'] === 'string') {
-        sshKeyPath = flags['ssh-key-file'];
-        const expandedPath = sshKeyPath.replace(/^~/, process.env.HOME || '~');
-        if (!existsSync(expandedPath)) {
-          return { success: false, error: `SSH key file not found: ${expandedPath}` };
-        }
+      // IP address: from positional arg, --ip flag, or prompt
+      if (args[0] && /^\d+\.\d+\.\d+\.\d+$/.test(args[0])) {
+        ipAddress = args[0];
+      } else if (typeof flags.ip === 'string') {
+        ipAddress = flags.ip;
+      } else {
+        ipAddress = await askText({
+          scope,
+          key: 'ip_address',
+          message: 'Machine IP address',
+          placeholder: 'e.g., 192.168.1.100',
+          required: true,
+          pattern: '^\\d+\\.\\d+\\.\\d+\\.\\d+$',
+        });
+      }
+
+      // Check for duplicate IP
+      const existing = await getMachineByIp(ipAddress);
+      if (existing) {
+        return {
+          success: false,
+          error: `Machine with IP ${ipAddress} already exists (hostname: ${existing.hostname}, zone: ${existing.zone})`,
+        };
+      }
+
+      // The local management box (127.0.0.1, or explicit --local) deploys
+      // over Ansible's local connection — no SSH, no key, no connectivity
+      // test. Determine this BEFORE the SSH-user step so the local path
+      // never prompts (it would hang a non-interactive bootstrap postinst).
+      const isLocal = ipAddress === '127.0.0.1' || flags.local === true;
+      // An explicit --zone overrides inference (needed for the local box,
+      // whose 127.0.0.1 matches no zone subnet, and useful before a firewall
+      // has provided the target zone).
+      const zoneOverride = typeof flags.zone === 'string' ? (flags.zone as NetworkZone) : undefined;
+
+      // SSH user: irrelevant for a local machine (local connection); else
+      // from flag, default to 'root', or prompt.
+      if (isLocal) {
+        sshUser = 'root';
+      } else if (typeof flags['ssh-user'] === 'string') {
+        sshUser = flags['ssh-user'];
       } else {
-        // Auto-detect SSH key from system config
-        const detectedKeyPath = findSshPrivateKey();
-        if (!detectedKeyPath) {
+        sshUser = await askText({
+          scope,
+          key: 'ssh_user',
+          message: 'SSH username',
+          defaultValue: 'root',
+          placeholder: 'root',
+          required: true,
+        });
+      }
+
+      let detectedInfo: DetectedMachineInfo;
+      let zone: NetworkZone;
+      let interfaces: NetworkInterface[];
+      let role: MachineRole;
+      let sshKey: string;
+
+      if (isLocal) {
+        console.log('\nLocal machine — detecting locally (no SSH)...');
+        detectedInfo = await detectMachineInfoLocal();
+        const net = await detectNetworkInterfacesLocal();
+        interfaces = net.interfaces;
+        role = net.role;
+        // The box you're installing on is, by definition, on the internal LAN.
+        zone = zoneOverride ?? 'internal';
+        sshKey = ''; // local connection — no key needed
+        console.log(
+          `✓ Local: ${detectedInfo.hostname} — ${detectedInfo.hardware.cpu_cores} cores, ` +
+            `${detectedInfo.hardware.memory_mb} MB, ${detectedInfo.hardware.disk_gb} GB (zone ${zone}, connection local)\n`,
+        );
+      } else {
+        // SSH key: from flag, auto-detect, or error
+        let sshKeyPath: string;
+        if (typeof flags['ssh-key-file'] === 'string') {
+          sshKeyPath = flags['ssh-key-file'];
+          const expandedPath = sshKeyPath.replace(/^~/, process.env.HOME || '~');
+          if (!existsSync(expandedPath)) {
+            return { success: false, error: `SSH key file not found: ${expandedPath}` };
+          }
+        } else {
+          // Auto-detect SSH key from system config
+          const detectedKeyPath = findSshPrivateKey();
+          if (!detectedKeyPath) {
+            return {
+              success: false,
+              error:
+                'Cannot find SSH private key.\n\n' +
+                'The ssh.public_key system config is set, but no matching private key was found in ~/.ssh/\n\n' +
+                'Specify manually with: --ssh-key-file ~/.ssh/id_ed25519',
+            };
+          }
+          sshKeyPath = detectedKeyPath;
+          console.log(`Using SSH key: ${sshKeyPath}`);
+        }
+
+        // Expand tilde in path
+        const expandedKeyPath = sshKeyPath.replace(/^~/, process.env.HOME || '~');
+
+        // Read SSH key content
+        sshKey = readFileSync(expandedKeyPath, 'utf8');
+
+        console.log('\nTesting SSH connection...');
+
+        // Test SSH connectivity
+        const canConnect = await testSshConnection(ipAddress, sshUser, expandedKeyPath);
+        if (!canConnect) {
           return {
             success: false,
-            error:
-              'Cannot find SSH private key.\n\n' +
-              'The ssh.public_key system config is set, but no matching private key was found in ~/.ssh/\n\n' +
-              'Specify manually with: --ssh-key-file ~/.ssh/id_ed25519',
+            error: `Cannot connect to ${sshUser}@${ipAddress} with provided SSH key`,
           };
         }
-        sshKeyPath = detectedKeyPath;
-        console.log(`Using SSH key: ${sshKeyPath}`);
-      }
 
-      // Expand tilde in path
-      const expandedKeyPath = sshKeyPath.replace(/^~/, process.env.HOME || '~');
+        console.log('✓ SSH connection successful\n');
 
-      // Read SSH key content
-      sshKey = readFileSync(expandedKeyPath, 'utf8');
+        console.log('Detecting machine information...');
 
-      console.log('\nTesting SSH connection...');
+        // Auto-detect machine info
+        detectedInfo = await detectMachineInfo(ipAddress, sshUser, expandedKeyPath);
 
-      // Test SSH connectivity
-      const canConnect = await testSshConnection(ipAddress, sshUser, expandedKeyPath);
-      if (!canConnect) {
-        return {
-          success: false,
-          error: `Cannot connect to ${sshUser}@${ipAddress} with provided SSH key`,
-        };
-      }
+        console.log('✓ Machine detected:');
+        console.log(`  Hostname: ${detectedInfo.hostname}`);
+        console.log(`  OS: ${detectedInfo.osInfo}`);
+        console.log(
+          `  CPU: ${detectedInfo.hardware.cpu_cores} cores (${detectedInfo.hardware.arch || 'unknown'})`,
+        );
+        console.log(`  Memory: ${detectedInfo.hardware.memory_mb} MB`);
+        console.log(`  Disk: ${detectedInfo.hardware.disk_gb} GB\n`);
 
-      console.log('✓ SSH connection successful\n');
+        // Zone: explicit override, else infer from IP.
+        console.log('Detecting network zone...');
+        zone = zoneOverride ?? (await detectZoneFromIp(ipAddress));
+        console.log(`✓ Zone: ${zone}\n`);
 
-      console.log('Detecting machine information...');
+        // Detect network interfaces and classify machine
+        console.log('Detecting network interfaces...');
+        const net = await detectNetworkInterfaces(ipAddress, sshUser, expandedKeyPath);
+        interfaces = net.interfaces;
+        role = net.role;
 
-      // Auto-detect machine info
-      detectedInfo = await detectMachineInfo(ipAddress, sshUser, expandedKeyPath);
+        console.log(`✓ Role: ${role}`);
+        for (const iface of interfaces) {
+          console.log(`  ${iface.name}: ${iface.ipAddress} (${iface.zone})`);
+        }
+        console.log('');
+      }
 
-      console.log('✓ Machine detected:');
-      console.log(`  Hostname: ${detectedInfo.hostname}`);
-      console.log(`  OS: ${detectedInfo.osInfo}`);
-      console.log(
-        `  CPU: ${detectedInfo.hardware.cpu_cores} cores (${detectedInfo.hardware.arch || 'unknown'})`,
+      // Add machine to pool
+      const earmark = typeof flags.earmark === 'string' ? flags.earmark : undefined;
+      const machine = await addMachine({
+        hostname: detectedInfo.hostname,
+        zone,
+        ipAddress,
+        sshUser,
+        sshKey,
+        hardware: detectedInfo.hardware,
+        role,
+        interfaces,
+        assignedModuleIds: [],
+        earmarkedModule: earmark || null,
+      });
+
+      const earmarkNote = earmark ? `\n  Earmarked for: ${earmark}` : '';
+      const roleNote = role === 'router' ? ` (router - ${interfaces.length} interfaces)` : '';
+      celiloOutro(
+        `Machine '${detectedInfo.hostname}' added successfully!\n\nDetails:\n  Zone: ${zone}${roleNote}\n  IP: ${ipAddress}\n  Hardware: ${detectedInfo.hardware.cpu_cores} cores, ${detectedInfo.hardware.memory_mb} MB RAM, ${detectedInfo.hardware.disk_gb} GB disk${earmarkNote}\n\nNext steps:\n  - List machines: celilo machine list\n  - Check status: celilo machine status ${detectedInfo.hostname}`,
       );
-      console.log(`  Memory: ${detectedInfo.hardware.memory_mb} MB`);
-      console.log(`  Disk: ${detectedInfo.hardware.disk_gb} GB\n`);
-
-      // Zone: explicit override, else infer from IP.
-      console.log('Detecting network zone...');
-      zone = zoneOverride ?? (await detectZoneFromIp(ipAddress));
-      console.log(`✓ Zone: ${zone}\n`);
-
-      // Detect network interfaces and classify machine
-      console.log('Detecting network interfaces...');
-      const net = await detectNetworkInterfaces(ipAddress, sshUser, expandedKeyPath);
-      interfaces = net.interfaces;
-      role = net.role;
-
-      console.log(`✓ Role: ${role}`);
-      for (const iface of interfaces) {
-        console.log(`  ${iface.name}: ${iface.ipAddress} (${iface.zone})`);
-      }
-      console.log('');
-    }
 
-    // Add machine to pool
-    const earmark = typeof flags.earmark === 'string' ? flags.earmark : undefined;
-    const machine = await addMachine({
-      hostname: detectedInfo.hostname,
-      zone,
-      ipAddress,
-      sshUser,
-      sshKey,
-      hardware: detectedInfo.hardware,
-      role,
-      interfaces,
-      assignedModuleIds: [],
-      earmarkedModule: earmark || null,
-    });
-
-    const earmarkNote = earmark ? `\n  Earmarked for: ${earmark}` : '';
-    const roleNote = role === 'router' ? ` (router - ${interfaces.length} interfaces)` : '';
-    celiloOutro(
-      `Machine '${detectedInfo.hostname}' added successfully!\n\nDetails:\n  Zone: ${zone}${roleNote}\n  IP: ${ipAddress}\n  Hardware: ${detectedInfo.hardware.cpu_cores} cores, ${detectedInfo.hardware.memory_mb} MB RAM, ${detectedInfo.hardware.disk_gb} GB disk${earmarkNote}\n\nNext steps:\n  - List machines: celilo machine list\n  - Check status: celilo machine status ${detectedInfo.hostname}`,
-    );
-
-    return {
-      success: true,
-      message: `Added machine: ${machine.id}`,
-    };
-  } catch (error) {
-    return {
-      success: false,
-      error: `Failed to add machine: ${error instanceof Error ? error.message : String(error)}`,
-    };
-  }
+      return {
+        success: true,
+        message: `Added machine: ${machine.id}`,
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: `Failed to add machine: ${error instanceof Error ? error.message : String(error)}`,
+      };
+    }
+  });
 }

package/src/cli/commands/machine-remove.ts

@@ -3,7 +3,7 @@
  * Remove a machine from the machine pool
  */
 
-import * as p from '@clack/prompts';
+import { askConfirm, withInterviewSession } from '../../services/bus-interview';
 import { getMachineByHostname, getMachineByIp, removeMachine } from '../../services/machine-pool';
 import { celiloIntro, celiloOutro } from '../prompts';
 import type { CommandResult } from '../types';
@@ -61,13 +61,16 @@ export async function handleMachineRemove(
 
     // Confirm deletion
     if (!flags.force) {
-      const confirmed = await p.confirm({
-        message: `Remove machine '${hostname}' (${machine.ipAddress})?`,
-        initialValue: false,
-      });
+      const confirmed = await withInterviewSession(() =>
+        askConfirm({
+          scope: `machine:${hostname}`,
+          key: 'remove',
+          message: `Remove machine '${hostname}' (${machine.ipAddress})?`,
+          defaultValue: false,
+        }),
+      );
 
-      if (p.isCancel(confirmed) || !confirmed) {
-        p.cancel('Operation cancelled');
+      if (!confirmed) {
         return { success: false, error: 'Cancelled by user' };
       }
     }

package/src/cli/commands/module-config.test.ts

@@ -0,0 +1,78 @@
+/**
+ * Recurrence gate for ISS-0069: `config set` must never accept an
+ * infrastructure-managed key and then have the deploy silently override it.
+ * Framework-managed (`source: infrastructure`) keys are rejected at set time;
+ * operator-settable keys are honored.
+ */
+
+import { afterEach, beforeEach, describe, expect, test } from 'bun:test';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { type DbClient, getDb } from '../../db/client';
+import { modules } from '../../db/schema';
+import { handleModuleConfigSet } from './module-config';
+
+describe('handleModuleConfigSet — infra-key contract (ISS-0069)', () => {
+  let tempDir: string;
+  let db: DbClient;
+
+  beforeEach(() => {
+    tempDir = mkdtempSync(join(tmpdir(), 'celilo-module-config-'));
+    process.env.CELILO_DB_PATH = join(tempDir, 'test.db');
+    db = getDb();
+    db.insert(modules)
+      .values({
+        id: 'testmod',
+        name: 'Test Module',
+        sourcePath: tempDir,
+        version: '1.0.0',
+        manifestData: {
+          variables: {
+            owns: [
+              { name: 'vmid', type: 'integer', source: 'infrastructure' },
+              { name: 'target_node', type: 'string', source: 'infrastructure' },
+              { name: 'app_port', type: 'integer' },
+            ],
+          },
+        },
+      })
+      .run();
+  });
+
+  afterEach(() => {
+    rmSync(tempDir, { recursive: true, force: true });
+    process.env.CELILO_DB_PATH = undefined;
+  });
+
+  test('rejects an infrastructure-managed key (no silent accept-then-override)', async () => {
+    const result = await handleModuleConfigSet(['testmod', 'vmid', '203']);
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.error).toContain('infrastructure-managed');
+    }
+  });
+
+  test('rejects target_node and points at the real lever', async () => {
+    const result = await handleModuleConfigSet(['testmod', 'target_node', 'node3']);
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.error).toContain('not operator-settable');
+    }
+  });
+
+  test('accepts a normal operator-settable key', async () => {
+    const result = await handleModuleConfigSet(['testmod', 'app_port', '8080']);
+    expect(result.success).toBe(true);
+  });
+
+  test('still rejects an undeclared key, and omits infra keys from the valid-keys hint', async () => {
+    const result = await handleModuleConfigSet(['testmod', 'nope', 'x']);
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.error).toContain('Invalid config key');
+      expect(result.error).toContain('app_port');
+      expect(result.error).not.toContain('vmid'); // infra keys filtered from the hint
+    }
+  });
+});

package/src/cli/commands/module-config.ts

@@ -57,17 +57,32 @@ export async function handleModuleConfigSet(args: string[]): Promise<CommandResu
   // Validate key against manifest
   const manifest = module.manifestData as Record<string, unknown>;
   const variables = manifest.variables as
-    | { owns?: Array<{ name: string; required?: boolean; default?: string }> }
+    | { owns?: Array<{ name: string; required?: boolean; default?: string; source?: string }> }
     | undefined;
   const declaredVars = variables?.owns || [];
 
   // Check if key is declared in manifest
   const declaredVar = declaredVars.find((v) => v.name === key);
   if (!declaredVar) {
-    const validKeys = declaredVars.map((v) => v.name).join(', ');
+    const settableKeys = declaredVars
+      .filter((v) => v.source !== 'infrastructure')
+      .map((v) => v.name)
+      .join(', ');
     return {
       success: false,
-      error: `Invalid config key '${key}' for module ${moduleId}.\n\nValid keys: ${validKeys || '(none declared)'}`,
+      error: `Invalid config key '${key}' for module ${moduleId}.\n\nValid keys: ${settableKeys || '(none declared)'}`,
+    };
+  }
+
+  // ISS-0069: reject infrastructure-managed keys at SET time rather than
+  // accepting-then-silently-overriding them at deploy. `source: infrastructure`
+  // variables (vmid, target_ip, target_node, gateway, vlan, lxc_template) are
+  // derived by the deploy (IPAM allocates vmid/IP; the container service supplies
+  // node/template/gateway/vlan), so a value set here would be ignored.
+  if (declaredVar.source === 'infrastructure') {
+    return {
+      success: false,
+      error: `'${key}' is infrastructure-managed by celilo (source: infrastructure) — not operator-settable.\nThe deploy derives it automatically, so a value set here would be silently ignored.\n  • node placement: set the service default for NEW deploys (celilo service reconfigure); move an existing container with 'celilo proxmox migrate' (ISS-0062).\n  • vmid / IP: auto-allocated by IPAM.`,
     };
   }
 

package/src/cli/commands/module-import.ts

@@ -33,8 +33,8 @@ import {
   computeAspectScopeHash,
   recordAspectApproval,
 } from '../../services/aspect-approvals';
+import { askConfirm, withInterviewSession } from '../../services/bus-interview';
 import { getArg, getFlag, hasFlag } from '../parser';
-import { promptConfirm } from '../prompts';
 import type { CommandResult } from '../types';
 import { generateTypesForImportedModule } from './module-types';
 
@@ -148,10 +148,14 @@ export async function handleAspectApprovalAfterImport(args: {
   // mangles multi-line message arguments.
   process.stderr.write(`\n${scopeMsg}\n\n`);
 
-  const accepted = await promptConfirm({
-    message: 'Approve this base-module aspect?',
-    initialValue: false,
-  });
+  const accepted = await withInterviewSession(() =>
+    askConfirm({
+      scope: `module-import:${moduleId}`,
+      key: 'approve_aspect',
+      message: 'Approve this base-module aspect?',
+      defaultValue: false,
+    }),
+  );
 
   if (!accepted) {
     // Roll back the import — DB delete cascades to configs/secrets/etc.

package/src/cli/commands/module-remove.ts

@@ -16,6 +16,7 @@ import { runNamedHook } from '../../hooks/run-named-hook';
 import { deallocateForModule } from '../../ipam/auto-allocator';
 import { ModuleManifestSchema } from '../../manifest/schema';
 import { executeBuildWithProgress } from '../../services/build-stream';
+import { askConfirm, withInterviewSession } from '../../services/bus-interview';
 import {
   emitUninstallCompleted,
   emitUninstallFailed,
@@ -24,7 +25,7 @@ import {
 import { getContainerService, getServiceCredentials } from '../../services/container-service';
 import { completeOperation, failOperation, startOperation } from '../../services/module-operations';
 import { getArg, hasFlag, validateRequiredArgs } from '../parser';
-import { log, promptConfirm } from '../prompts';
+import { log } from '../prompts';
 import type { CommandResult } from '../types';
 
 /**
@@ -186,11 +187,16 @@ async function performModuleRemove(
         // re-run `celilo module run-hook <id> on_uninstall` manually.
         log.warn('Non-interactive context detected; continuing removal despite hook failure');
       } else {
-        const proceed = await promptConfirm({
-          message:
-            'on_uninstall hook failed. Continue removing the module anyway? ' +
-            '(some external state may not be cleaned up)',
-        });
+        const proceed = await withInterviewSession(() =>
+          askConfirm({
+            scope: `module-remove:${moduleId}`,
+            key: 'continue_after_hook_failure',
+            message:
+              'on_uninstall hook failed. Continue removing the module anyway? ' +
+              '(some external state may not be cleaned up)',
+            defaultValue: false,
+          }),
+        );
         if (!proceed) {
           return { success: false, error: 'Removal cancelled after on_uninstall failure' };
         }
@@ -211,9 +217,14 @@ async function performModuleRemove(
   if (infra && hasTerraformState) {
     // Module has infrastructure — need to destroy it
     if (!force) {
-      const confirmed = await promptConfirm({
-        message: `Module '${moduleId}' has deployed infrastructure. This will run terraform destroy to remove it. Continue?`,
-      });
+      const confirmed = await withInterviewSession(() =>
+        askConfirm({
+          scope: `module-remove:${moduleId}`,
+          key: 'destroy_infrastructure',
+          message: `Module '${moduleId}' has deployed infrastructure. This will run terraform destroy to remove it. Continue?`,
+          defaultValue: false,
+        }),
+      );
 
       if (!confirmed) {
         return {

package/src/cli/commands/module-status.ts

@@ -5,6 +5,8 @@
 import { eq } from 'drizzle-orm';
 import { getDb } from '../../db/client';
 import { capabilities, moduleConfigs, modules, secrets } from '../../db/schema';
+import { getModuleSystems } from '../../services/deployed-systems';
+import { formatPlacementLine, reconcilePlacement } from '../../services/placement-reconcile';
 import { getArg, validateRequiredArgs } from '../parser';
 import type { CommandResult } from '../types';
 
@@ -84,6 +86,19 @@ export async function handleModuleStatus(args: string[]): Promise<CommandResult>
   }
   sections.push(metadataLines.join('\n'));
 
+  // Section 1b: Placement (real node reconciled live from Proxmox — ISS-0060).
+  // Shows where each deployed system ACTUALLY lives, not the cached
+  // __infra_target_node config (which drifts). API-only modules (no deployed
+  // systems) skip this section; a Proxmox outage degrades to "node unknown".
+  const placements = await reconcilePlacement(getModuleSystems(moduleId, db));
+  if (placements.length > 0) {
+    const placementLines = ['Placement (live from Proxmox):'];
+    for (const p of placements) {
+      placementLines.push(`  ${formatPlacementLine(p.system, p.resolution)}`);
+    }
+    sections.push(placementLines.join('\n'));
+  }
+
   // Section 2: Configuration
   if (configs.length > 0) {
     const configLines = ['Configuration:'];