@celilo/cli 0.5.0-alpha.8 → 0.5.0-alpha.9

package/src/services/module-config.ts

@@ -106,6 +106,18 @@ export function upsertModuleConfig(
     .run();
 }
 
+/**
+ * Delete a module config row if present (no-op if absent). Used to drop a
+ * derived/cached key that should no longer persist — e.g. `__infra_target_node`,
+ * now resolved live from Proxmox each generate rather than cached in the DB
+ * (ISS-0090: "the DB stores intent, Proxmox reports reality").
+ */
+export function deleteModuleConfig(db: DbClient, moduleId: string, key: string): void {
+  db.delete(moduleConfigs)
+    .where(and(eq(moduleConfigs.moduleId, moduleId), eq(moduleConfigs.key, key)))
+    .run();
+}
+
 /**
  * Parse a stored module_configs row into its canonical typed value.
  * Throws if valueJson is null — that's a row written before the

package/src/services/module-deploy.ts

@@ -907,7 +907,12 @@ async function deployModuleImpl(
         lines.push(`  ${key} = ${value}`);
       }
       if (resolution.skipped.length > 0) {
-        lines.push(`  (skipped user-configured: ${resolution.skipped.join(', ')})`);
+        // These are infrastructure-managed vars with no value this deploy (e.g.
+        // vmid/target_node on a machine deploy). NOT honored operator overrides —
+        // such keys are rejected at `config set` (ISS-0069); don't imply otherwise.
+        lines.push(
+          `  (auto-managed, not applicable this deploy: ${resolution.skipped.join(', ')})`,
+        );
       }
       log.success(lines.join('\n'));
 

package/src/services/placement-reconcile.test.ts

@@ -0,0 +1,86 @@
+import { describe, expect, test } from 'bun:test';
+import type { DeployedSystem } from '@celilo/capabilities';
+import { formatPlacementLine, resolveOnePlacement } from './placement-reconcile';
+
+function sys(
+  overrides: Partial<DeployedSystem> & { infrastructure: DeployedSystem['infrastructure'] },
+): DeployedSystem {
+  return {
+    name: 'main',
+    hostname: 'caddy',
+    ipv4_address: '10.0.10.10',
+    zone: 'dmz',
+    ...overrides,
+  } as DeployedSystem;
+}
+
+const SVC = 'svc-1';
+const cs = (vmid?: number) =>
+  sys({
+    infrastructure: {
+      type: 'container_service',
+      serviceId: SVC,
+      ...(vmid != null ? { vmid } : {}),
+    },
+  });
+
+describe('resolveOnePlacement (ISS-0060 — node reconciled from Proxmox, not a cached DB value)', () => {
+  test('machine-pool system → machine (no Proxmox node)', () => {
+    const s = sys({ infrastructure: { type: 'machine', machineId: 'm1' } });
+    expect(resolveOnePlacement(s, new Map(), new Set(), new Set())).toEqual({ kind: 'machine' });
+  });
+
+  test('non-Proxmox container service → other', () => {
+    expect(resolveOnePlacement(cs(200), new Map(), new Set(), new Set([SVC]))).toEqual({
+      kind: 'other',
+    });
+  });
+
+  test('container_service without a vmid → uncreated', () => {
+    expect(resolveOnePlacement(cs(undefined), new Map(), new Set(), new Set())).toEqual({
+      kind: 'uncreated',
+    });
+  });
+
+  test('Proxmox unreachable for the service → unreachable (never a stale fallback)', () => {
+    expect(resolveOnePlacement(cs(200), new Map(), new Set([SVC]), new Set())).toEqual({
+      kind: 'unreachable',
+    });
+  });
+
+  test('vmid present in the cluster → node (the reconciled reality)', () => {
+    expect(resolveOnePlacement(cs(200), new Map([[200, 'node2']]), new Set(), new Set())).toEqual({
+      kind: 'node',
+      node: 'node2',
+    });
+  });
+
+  test('vmid absent from the cluster → absent', () => {
+    expect(resolveOnePlacement(cs(200), new Map([[999, 'node2']]), new Set(), new Set())).toEqual({
+      kind: 'absent',
+    });
+  });
+});
+
+describe('formatPlacementLine', () => {
+  const s = cs(200);
+
+  test('node resolution shows the real node + vmid', () => {
+    expect(formatPlacementLine(s, { kind: 'node', node: 'node2' })).toBe(
+      'caddy (vmid 200) → node2 (zone dmz)',
+    );
+  });
+
+  test('unreachable is explicit — no silent stale value', () => {
+    expect(formatPlacementLine(s, { kind: 'unreachable' })).toContain('Proxmox unreachable');
+  });
+
+  test('absent flags a vmid not in the cluster', () => {
+    expect(formatPlacementLine(s, { kind: 'absent' })).toContain('not found in Proxmox');
+  });
+
+  test('machine line omits vmid/node', () => {
+    const m = sys({ hostname: 'iot', zone: 'internal', infrastructure: { type: 'machine' } });
+    expect(formatPlacementLine(m, { kind: 'machine' })).toBe('iot — machine (zone internal)');
+  });
+});

package/src/services/placement-reconcile.ts

@@ -0,0 +1,108 @@
+/**
+ * Reconcile a module's ACTUAL node placement from Proxmox (ISS-0060 pt 2).
+ *
+ * "The DB stores intent, Proxmox reports reality." `module status` / `list`
+ * must show where a container ACTUALLY lives — queried live from the Proxmox
+ * cluster — not a cached `__infra_target_node` that drifts (caddy recorded
+ * node3, ran on node2). Machine-pool systems and non-Proxmox container services
+ * have no Proxmox node to reconcile.
+ *
+ * Never throws: a Proxmox outage yields an 'unreachable' resolution so a status
+ * or list command still renders instead of erroring.
+ */
+
+import type { DeployedSystem } from '@celilo/capabilities';
+import { ProxmoxClient, type ProxmoxCredentials } from '../api-clients/proxmox';
+import { getContainerService, getServiceCredentials } from './container-service';
+
+export type PlacementResolution =
+  | { kind: 'node'; node: string } // reconciled: lives on <node>
+  | { kind: 'unreachable' } // a Proxmox container, but the API couldn't be reached
+  | { kind: 'absent' } // a Proxmox container with a vmid not present in the cluster
+  | { kind: 'uncreated' } // a container_service system not yet created (no vmid)
+  | { kind: 'machine' } // a machine-pool system (no Proxmox node)
+  | { kind: 'other' }; // a non-Proxmox container service (e.g. DigitalOcean)
+
+/** One-line placement description for `module status`. Pure (Rule 10). */
+export function formatPlacementLine(sys: DeployedSystem, res: PlacementResolution): string {
+  const zone = `zone ${sys.zone}`;
+  const vmid = sys.infrastructure.vmid;
+  switch (res.kind) {
+    case 'machine':
+      return `${sys.hostname} — machine (${zone})`;
+    case 'other':
+      return `${sys.hostname} — container_service, non-Proxmox (${zone})`;
+    case 'uncreated':
+      return `${sys.hostname} — not yet created (${zone})`;
+    case 'unreachable':
+      return `${sys.hostname} (vmid ${vmid}) → node unknown — Proxmox unreachable (${zone})`;
+    case 'absent':
+      return `${sys.hostname} (vmid ${vmid}) → not found in Proxmox — not created? (${zone})`;
+    case 'node':
+      return `${sys.hostname} (vmid ${vmid}) → ${res.node} (${zone})`;
+  }
+}
+
+/** Pure resolution of one system given the reconciled vmid→node map + service classification. */
+export function resolveOnePlacement(
+  sys: DeployedSystem,
+  vmidToNode: Map<number, string>,
+  unreachable: Set<string>,
+  nonProxmox: Set<string>,
+): PlacementResolution {
+  const infra = sys.infrastructure;
+  if (infra.type !== 'container_service') return { kind: 'machine' };
+  if (infra.serviceId && nonProxmox.has(infra.serviceId)) return { kind: 'other' };
+  if (infra.vmid == null) return { kind: 'uncreated' };
+  if (infra.serviceId && unreachable.has(infra.serviceId)) return { kind: 'unreachable' };
+  const node = vmidToNode.get(infra.vmid);
+  return node ? { kind: 'node', node } : { kind: 'absent' };
+}
+
+/**
+ * Reconcile each system's real node from Proxmox. One `/cluster/resources` fetch
+ * per distinct Proxmox service (usually one); machine + non-Proxmox systems need
+ * no call. Returns each system paired with its resolution, in input order.
+ */
+export async function reconcilePlacement(
+  systems: DeployedSystem[],
+): Promise<Array<{ system: DeployedSystem; resolution: PlacementResolution }>> {
+  const serviceIds = [
+    ...new Set(
+      systems
+        .filter((s) => s.infrastructure.type === 'container_service')
+        .map((s) => s.infrastructure.serviceId)
+        .filter((id): id is string => !!id),
+    ),
+  ];
+
+  const vmidToNode = new Map<number, string>();
+  const unreachable = new Set<string>();
+  const nonProxmox = new Set<string>();
+
+  for (const serviceId of serviceIds) {
+    const service = await getContainerService(serviceId);
+    if (!service || service.providerName !== 'proxmox') {
+      nonProxmox.add(serviceId);
+      continue;
+    }
+    try {
+      const creds = (await getServiceCredentials(serviceId)) as ProxmoxCredentials;
+      const result = await new ProxmoxClient(creds).clusterResources();
+      if (!result.success) {
+        unreachable.add(serviceId);
+        continue;
+      }
+      for (const r of result.data) {
+        if (typeof r.vmid === 'number' && r.node) vmidToNode.set(r.vmid, r.node);
+      }
+    } catch {
+      unreachable.add(serviceId);
+    }
+  }
+
+  return systems.map((system) => ({
+    system,
+    resolution: resolveOnePlacement(system, vmidToNode, unreachable, nonProxmox),
+  }));
+}

package/src/services/programmatic-responder.ts

@@ -23,6 +23,7 @@ import { getOrCreateMasterKey } from '../secrets/master-key';
 import type {
   ConfigRequiredPayload,
   EnsureRequiredPayload,
+  InterviewRequiredPayload,
   SecretRequiredPayload,
 } from './bus-interview';
 import { readModuleSecretKey, writeModuleSecretKey } from './config-interview';
@@ -58,6 +59,13 @@ export interface ResponderValues {
       secretValues?: Record<string, string>;
     }
   >;
+  /**
+   * Generic interview answers keyed by `<scope>.<key>` (ISS-0127). When a
+   * command emits `interview.required.<scope>.<key>`, the responder replies
+   * with `{ value }`. The value's shape should match the payload's `kind`
+   * (string for text/select, string[] for multiselect, boolean for confirm).
+   */
+  interview?: Record<string, unknown>;
 }
 
 export interface ProgrammaticResponderOptions {
@@ -108,6 +116,7 @@ export interface ProgrammaticResponderHandle {
   seenConfigPayloads(): ConfigRequiredPayload[];
   seenSecretPayloads(): SecretRequiredPayload[];
   seenEnsurePayloads(): EnsureRequiredPayload[];
+  seenInterviewPayloads(): InterviewRequiredPayload[];
   /** Stop watching. Caller still owns the db client. */
   close(): void;
 }
@@ -126,6 +135,7 @@ export function startProgrammaticResponder(
   const seenConfig: ConfigRequiredPayload[] = [];
   const seenSecret: SecretRequiredPayload[] = [];
   const seenEnsure: EnsureRequiredPayload[] = [];
+  const seenInterview: InterviewRequiredPayload[] = [];
   let lastActivityAt = Date.now();
 
   const me = opts.emittedBy ?? 'programmatic';
@@ -276,6 +286,28 @@ export function startProgrammaticResponder(
     answered.push({ type: event.type, key: lookupKey });
   });
 
+  const interviewWatch = bus.watch('interview.required.*.*', async (event) => {
+    if (event.replyFor !== null) return;
+    lastActivityAt = Date.now();
+
+    const payload = event.payload as InterviewRequiredPayload;
+    if (!payload || typeof payload.scope !== 'string' || typeof payload.key !== 'string') {
+      missed.push({ type: event.type, key: '?', reason: 'malformed payload' });
+      return;
+    }
+    seenInterview.push(payload);
+
+    const lookupKey = `${payload.scope}.${payload.key}`;
+    const value = opts.values.interview?.[lookupKey];
+    if (value === undefined) {
+      handleMissing(event.type, lookupKey, `no interview value for "${lookupKey}"`);
+      return;
+    }
+
+    bus.emitRaw(`${event.type}.reply`, { value }, { replyFor: event.id, emittedBy: me });
+    answered.push({ type: event.type, key: lookupKey });
+  });
+
   // Liveness probe: a non-interactive caller (e.g. `module generate`
   // with no TTY) emits `responder.probe` to detect whether any
   // responder is listening before calling busInterview (which waits
@@ -298,10 +330,12 @@ export function startProgrammaticResponder(
     seenConfigPayloads: () => [...seenConfig],
     seenSecretPayloads: () => [...seenSecret],
     seenEnsurePayloads: () => [...seenEnsure],
+    seenInterviewPayloads: () => [...seenInterview],
     close: () => {
       configWatch.close();
       secretWatch.close();
       ensureWatch.close();
+      interviewWatch.close();
       probeWatch.close();
       bus.close();
     },

package/src/services/terminal-responder.ts

@@ -37,6 +37,7 @@ import { getOrCreateMasterKey } from '../secrets/master-key';
 import type {
   ConfigRequiredPayload,
   EnsureRequiredPayload,
+  InterviewRequiredPayload,
   SecretRequiredPayload,
 } from './bus-interview';
 import { readModuleSecretKey, writeModuleSecretKey } from './config-interview';
@@ -283,6 +284,117 @@ export function startTerminalResponder(): TerminalResponderHandle {
     });
   });
 
+  // Generic interview family (ISS-0127). Non-deploy commands (e.g.
+  // `service reconfigure`) ask their questions here so they're driveable
+  // over the bus like a deploy. Renders by `kind`. Like the other watches,
+  // we ignore reply events (replyFor !== null) and de-dupe by event id.
+  const interviewWatch = bus.watch('interview.required.*.*', async (event) => {
+    if (event.replyFor !== null) return;
+    if (handled.has(event.id)) return;
+    handled.add(event.id);
+
+    const payload = event.payload as InterviewRequiredPayload;
+    if (!payload || typeof payload.scope !== 'string' || typeof payload.key !== 'string') {
+      log.warn(
+        `Terminal responder skipped malformed interview event ${event.type} (id ${event.id}): missing scope/key`,
+      );
+      return;
+    }
+
+    const message = payload.description
+      ? `${payload.message} — ${payload.description}`
+      : payload.message;
+
+    let value: unknown;
+
+    if (payload.kind === 'confirm') {
+      const answer = await p.confirm({
+        message,
+        initialValue: payload.defaultValue === 'true',
+      });
+      if (p.isCancel(answer)) {
+        log.warn(
+          `Terminal responder: cancelled prompt for ${payload.scope}.${payload.key}; no reply emitted`,
+        );
+        return;
+      }
+      value = answer;
+    } else if (payload.kind === 'select') {
+      const answer = await p.select({
+        message,
+        options: (payload.options ?? []).map((opt) => ({
+          value: opt.value,
+          label: opt.label,
+          hint: opt.hint,
+        })),
+        initialValue: payload.defaultValue,
+      });
+      if (p.isCancel(answer)) {
+        log.warn(
+          `Terminal responder: cancelled prompt for ${payload.scope}.${payload.key}; no reply emitted`,
+        );
+        return;
+      }
+      value = answer;
+    } else if (payload.kind === 'multiselect') {
+      const answer = await p.multiselect({
+        message,
+        options: (payload.options ?? []).map((opt) => ({
+          value: opt.value,
+          label: opt.label,
+          hint: opt.hint,
+        })),
+        required: payload.required,
+      });
+      if (p.isCancel(answer)) {
+        log.warn(
+          `Terminal responder: cancelled prompt for ${payload.scope}.${payload.key}; no reply emitted`,
+        );
+        return;
+      }
+      value = answer;
+    } else {
+      // kind === 'text'
+      const type = payload.type ?? 'string';
+      const typeHint = describeTypeHint(type);
+      const answer = await promptText({
+        message: typeHint ? `${message}  (${typeHint})` : message,
+        defaultValue: payload.defaultValue,
+        placeholder: payload.placeholder,
+        validate: (val) => {
+          if (payload.required && (!val || val.trim() === '')) {
+            return 'This field is required';
+          }
+          if (payload.pattern && val) {
+            const re = new RegExp(payload.pattern);
+            if (!re.test(val)) return `Value must match: ${payload.pattern}`;
+          }
+          try {
+            coerceValue(val, type);
+          } catch (err) {
+            return err instanceof Error ? err.message : String(err);
+          }
+        },
+      });
+      if (answer === undefined) {
+        log.warn(
+          `Terminal responder: cancelled prompt for ${payload.scope}.${payload.key}; no reply emitted`,
+        );
+        return;
+      }
+      value = coerceValue(answer, type);
+    }
+
+    bus.emitRaw(
+      `${event.type}.reply`,
+      { value },
+      {
+        replyFor: event.id,
+        emittedBy: me,
+      },
+    );
+  });
+
   // Liveness probe: lets a non-interactive caller in another shell
   // (e.g. `module generate`) detect that a terminal-responder is
   // running here and that calling busInterview is safe.
@@ -300,6 +412,7 @@ export function startTerminalResponder(): TerminalResponderHandle {
       configWatch.close();
       secretWatch.close();
       ensureWatch.close();
+      interviewWatch.close();
       probeWatch.close();
       bus.close();
     },

package/src/templates/generator.test.ts

@@ -6,6 +6,7 @@ import { type DbClient, createDbClient } from '../db/client';
 import { capabilities } from '../db/schema';
 import { upsertModuleConfig } from '../services/module-config';
 import {
+  decideTargetNode,
   discoverTemplateFiles,
   generateTemplates,
   getOutputFilename,
@@ -794,3 +795,32 @@ describe("targetNodeFromTfState (ISS-0090 — terraform state is celilo's placem
     expect(targetNodeFromTfState({})).toBeNull();
   });
 });
+
+describe('decideTargetNode (ISS-0090 — deploy follows reality: Proxmox > state > default)', () => {
+  test('Proxmox reality wins — adopts a hand-migration tf-state would miss', () => {
+    expect(
+      decideTargetNode({ proxmoxNode: 'node2', stateNode: 'node3', defaultNode: 'node3' }),
+    ).toEqual({ node: 'node2', source: 'proxmox' });
+  });
+
+  test('falls back to terraform state when Proxmox is unknown/unreachable', () => {
+    expect(
+      decideTargetNode({ proxmoxNode: null, stateNode: 'node2', defaultNode: 'node3' }),
+    ).toEqual({ node: 'node2', source: 'state' });
+  });
+
+  test('first deploy (no Proxmox, no state) → service default', () => {
+    expect(decideTargetNode({ proxmoxNode: null, stateNode: null, defaultNode: 'node3' })).toEqual({
+      node: 'node3',
+      source: 'default',
+    });
+  });
+
+  test('a changed default never relocates a running container (reality overrides default)', () => {
+    // default flipped node2→node3, but the container actually runs on node2:
+    // resolution stays node2, so the redeploy is an in-place update, not a move.
+    expect(
+      decideTargetNode({ proxmoxNode: 'node2', stateNode: null, defaultNode: 'node3' }),
+    ).toEqual({ node: 'node2', source: 'proxmox' });
+  });
+});

package/src/templates/generator.ts

@@ -5,6 +5,7 @@ import { dirname, join, relative } from 'node:path';
 import { and, eq } from 'drizzle-orm';
 import { generateInventory } from '../ansible/inventory';
 import { generateAnsibleSecrets } from '../ansible/secrets';
+import { ProxmoxClient, type ProxmoxCredentials } from '../api-clients/proxmox';
 import { log } from '../cli/prompts';
 import { getModuleStoragePath } from '../config/paths';
 import { type DbClient, getDb } from '../db/client';
@@ -19,12 +20,14 @@ import {
 import { getSingularSystemSpec } from '../manifest/schema';
 import type { AnsibleCollection, ModuleManifest } from '../manifest/schema';
 import { validateZoneRequirements } from '../manifest/validate';
+import { getServiceCredentials } from '../services/container-service';
+import { getModuleSystems } from '../services/deployed-systems';
 import {
   describeCapabilityProblem,
   findBrokenCapabilityDerivations,
 } from '../services/fleet-checks';
 import { selectInfrastructure } from '../services/infrastructure-selector';
-import { upsertModuleConfig } from '../services/module-config';
+import { deleteModuleConfig, upsertModuleConfig } from '../services/module-config';
 import type { InfrastructureSelection } from '../types/infrastructure';
 import { convertSecretsToJinja } from '../variables/ansible-resolver';
 import { buildResolutionContext } from '../variables/context';
@@ -261,6 +264,49 @@ async function readDeployedTargetNode(moduleId: string): Promise<string | null>
   }
 }
 
+/**
+ * The node a module's container ACTUALLY lives on, from Proxmox (ISS-0090).
+ * Proxmox is the ultimate source of truth for current location — it sees a
+ * hand-migration that celilo's terraform state wouldn't. Returns null when the
+ * module has no deployed vmid yet, the service is unreachable, or the vmid isn't
+ * in the cluster — the caller then falls back to terraform state / the default.
+ * Never throws: a Proxmox outage must not block a deploy.
+ */
+async function readProxmoxNodeForModule(
+  moduleId: string,
+  serviceId: string,
+  db: DbClient,
+): Promise<string | null> {
+  const vmid = getModuleSystems(moduleId, db).find(
+    (s) => s.infrastructure.type === 'container_service' && s.infrastructure.vmid != null,
+  )?.infrastructure.vmid;
+  if (vmid == null) return null;
+  try {
+    const creds = (await getServiceCredentials(serviceId)) as ProxmoxCredentials;
+    const result = await new ProxmoxClient(creds).nodeForVmid(vmid);
+    return result.success ? result.data : null;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Decide which node to target for a deploy (ISS-0090). Pure (Rule 10):
+ *   Proxmox reality > recorded terraform state > service default.
+ * `default_target_node` governs only a FIRST placement; a changed default must
+ * never relocate a running container. A hand-migration (seen by Proxmox but not
+ * tf-state) is adopted. Deliberate moves are an explicit migrate (ISS-0062).
+ */
+export function decideTargetNode(opts: {
+  proxmoxNode: string | null;
+  stateNode: string | null;
+  defaultNode: string;
+}): { node: string; source: 'proxmox' | 'state' | 'default' } {
+  if (opts.proxmoxNode) return { node: opts.proxmoxNode, source: 'proxmox' };
+  if (opts.stateNode) return { node: opts.stateNode, source: 'state' };
+  return { node: opts.defaultNode, source: 'default' };
+}
+
 /**
  * Discover template files in directory recursively
  *
@@ -684,6 +730,9 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
   // Infrastructure Properties Resolution (Proxmox provider config)
   // For Proxmox services, extract provider config and store as temporary values
   // This happens during generation so templates can access target_node, lxc_template, etc.
+  // Resolved live each generate (ISS-0090) and injected into the context below,
+  // never cached in the DB. undefined for non-Proxmox / machine deploys.
+  let resolvedTargetNode: string | undefined;
   if (isContainerService && isProxmoxService && infrastructureSelection?.serviceId) {
     const service = await db
       .select()
@@ -698,37 +747,36 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
         storage: string;
       };
 
-      // ISS-0090: target the node the container ACTUALLY lives on, not the
-      // service default. `default_target_node` governs only NEW placement; a
-      // changed default must NEVER relocate a running system. celilo's terraform
-      // state is its authoritative record of where it placed this container (kept
-      // in sync by deploy and by `module migrate`), so read the deployed node from
-      // there. Fall back to the default only when there's no state yet — a first
-      // deploy. Deliberate relocation is an explicit `module migrate`, not a
-      // side-effect of the default changing.
-      let targetNode = providerConfig.default_target_node;
-      const deployedNode = await readDeployedTargetNode(moduleId);
-      if (deployedNode) {
-        if (deployedNode !== targetNode) {
-          log.info(
-            `${moduleId} is already deployed on node '${deployedNode}' — targeting it (service default is '${providerConfig.default_target_node}'). Relocating requires a deliberate migration.`,
-          );
-        }
-        targetNode = deployedNode;
+      // ISS-0090: deploy follows REALITY. Resolve the node from Proxmox (it sees
+      // a hand-migration that tf-state wouldn't), else the recorded terraform
+      // state, else the service default (FIRST placement only). A changed default
+      // must never relocate a running container; deliberate moves are an explicit
+      // migrate (ISS-0062).
+      const decision = decideTargetNode({
+        proxmoxNode: await readProxmoxNodeForModule(
+          moduleId,
+          infrastructureSelection.serviceId,
+          db,
+        ),
+        stateNode: await readDeployedTargetNode(moduleId),
+        defaultNode: providerConfig.default_target_node,
+      });
+      resolvedTargetNode = decision.node;
+      if (decision.source !== 'default' && decision.node !== providerConfig.default_target_node) {
+        const from = decision.source === 'proxmox' ? 'Proxmox' : 'terraform state';
+        log.info(
+          `${moduleId} → node '${decision.node}' (from ${from}; service default is '${providerConfig.default_target_node}'). Relocating requires a deliberate migration.`,
+        );
       }
 
-      // Store provider config values as temporary config (similar to IPAM allocation)
-      const infraProperties = [
-        { key: 'target_node', value: targetNode },
-        { key: 'lxc_template', value: providerConfig.lxc_template },
-        { key: 'storage', value: providerConfig.storage },
-      ];
-
-      for (const prop of infraProperties) {
-        upsertModuleConfig(db, moduleId, `__infra_${prop.key}`, prop.value);
-      }
+      // Persist only the non-drift provider values. target_node is reality — it's
+      // injected into the resolution context below, never cached (ISS-0090); drop
+      // any stale __infra_target_node a prior generate left behind.
+      upsertModuleConfig(db, moduleId, '__infra_lxc_template', providerConfig.lxc_template);
+      upsertModuleConfig(db, moduleId, '__infra_storage', providerConfig.storage);
+      deleteModuleConfig(db, moduleId, '__infra_target_node');
 
-      log.success(`Infrastructure properties resolved from service: target_node=${targetNode}`);
+      log.success(`Infrastructure resolved: target_node=${decision.node} (${decision.source})`);
     }
   }
 
@@ -760,8 +808,15 @@ export async function generateTemplates(options: GenerateOptions): Promise<Gener
       context.selfConfig.target_ip = ipConfig.value!;
     }
 
-    // Add infrastructure properties to context (target_node, lxc_template, storage)
-    const infraKeys = ['target_node', 'lxc_template', 'storage'];
+    // target_node is the live-resolved reality (ISS-0090) — inject it directly,
+    // never from a cached __infra_target_node row (which drifts).
+    if (resolvedTargetNode) {
+      context.selfConfig.target_node = resolvedTargetNode;
+    }
+
+    // lxc_template / storage are provider config (intent, not drift-prone) — read
+    // them back from the __infra_* rows persisted above.
+    const infraKeys = ['lxc_template', 'storage'];
     for (const key of infraKeys) {
       const infraConfig = db
         .select()