@flui-cloud/cli 0.0.1 → 0.1.0

package/lib/cli/src/commands/version.d.ts

@@ -0,0 +1,18 @@
+import { Command } from '@oclif/core';
+/**
+ * `flui version` — surfaces the CLI version AND the platform release it pins.
+ *
+ * The CLI's npm version is decoupled from the platform release (carried in
+ * RELEASE), so this command makes the mapping explicit: which bootstrap ref and
+ * which component image tags a `flui env create` would install. Handy when
+ * debugging an install ("which versions did this CLI actually use?").
+ */
+export default class Version extends Command {
+    static readonly description = "Show the CLI version and the platform release it pins (component image tags + bootstrap ref). Useful for debugging an install.";
+    static readonly examples: string[];
+    static readonly flags: {
+        latest: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+        json: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
+    };
+    run(): Promise<void>;
+}

package/lib/cli/src/commands/version.js

@@ -0,0 +1,85 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const core_1 = require("@oclif/core");
+const chalk_1 = __importDefault(require("chalk"));
+const release_config_1 = require("../../../src/config/release.config");
+const bootstrap_config_1 = require("../config/bootstrap.config");
+/**
+ * `flui version` — surfaces the CLI version AND the platform release it pins.
+ *
+ * The CLI's npm version is decoupled from the platform release (carried in
+ * RELEASE), so this command makes the mapping explicit: which bootstrap ref and
+ * which component image tags a `flui env create` would install. Handy when
+ * debugging an install ("which versions did this CLI actually use?").
+ */
+class Version extends core_1.Command {
+    async run() {
+        const { flags } = await this.parse(Version);
+        const useLatest = flags.latest;
+        const tags = (0, release_config_1.resolveImageTags)(useLatest);
+        const bootstrapRef = (0, release_config_1.resolveBootstrapRef)(useLatest);
+        const scriptsBaseUrl = (0, bootstrap_config_1.getScriptsBaseUrl)(useLatest);
+        const urlOverride = process.env.BOOTSTRAP_SCRIPTS_URL ?? null;
+        const images = {
+            'flui-api': `ghcr.io/flui-cloud/core:${tags.fluiApi}`,
+            'flui-web': `ghcr.io/flui-cloud/dashboard:${tags.fluiWeb}`,
+            'flui-authz': `ghcr.io/flui-cloud/flui-authz:${tags.fluiAuthz}`,
+        };
+        if (flags.json) {
+            this.log(JSON.stringify({
+                cli: this.config.version,
+                mode: useLatest ? 'latest' : 'pinned',
+                platform: useLatest ? null : release_config_1.RELEASE.version,
+                bootstrapRef,
+                scriptsBaseUrl,
+                bootstrapUrlOverride: urlOverride,
+                images: tags,
+            }, null, 2));
+            return;
+        }
+        const label = (s) => chalk_1.default.dim(s.padEnd(15));
+        this.log('');
+        this.log(chalk_1.default.bold('Flui CLI'));
+        this.log('');
+        this.log(`  ${label('CLI')}${chalk_1.default.cyan(this.config.version)}  ${chalk_1.default.dim(`(${this.config.name})`)}`);
+        this.log(`  ${label('Platform')}${useLatest
+            ? chalk_1.default.yellow('latest (mobile tags)')
+            : `${chalk_1.default.cyan(release_config_1.RELEASE.version)}${chalk_1.default.dim('  (pinned release)')}`}`);
+        this.log(`  ${label('Bootstrap ref')}${chalk_1.default.cyan(bootstrapRef)}`);
+        this.log('');
+        this.log(chalk_1.default.dim('  Component images:'));
+        for (const [name, ref] of Object.entries(images)) {
+            this.log(`    ${chalk_1.default.dim(name.padEnd(12))}${ref}`);
+        }
+        this.log('');
+        this.log(`  ${label('Scripts URL')}${chalk_1.default.dim(scriptsBaseUrl)}`);
+        if (urlOverride) {
+            this.log(`  ${label('')}${chalk_1.default.yellow('↑ overridden via BOOTSTRAP_SCRIPTS_URL')}`);
+        }
+        if (!useLatest) {
+            this.log('');
+            this.log(chalk_1.default.dim('  Tip: `flui version --latest` shows what `env create --latest` would use.'));
+        }
+        this.log('');
+    }
+}
+Version.description = 'Show the CLI version and the platform release it pins (component image tags + bootstrap ref). Useful for debugging an install.';
+Version.examples = [
+    '<%= config.bin %> <%= command.id %>',
+    '<%= config.bin %> <%= command.id %> --latest',
+    '<%= config.bin %> <%= command.id %> --json',
+];
+Version.flags = {
+    latest: core_1.Flags.boolean({
+        description: 'Show what `env create --latest` would resolve to (mobile tags: bootstrap master, :latest images) instead of the pinned release',
+        default: false,
+    }),
+    json: core_1.Flags.boolean({
+        description: 'Output as JSON',
+        default: false,
+    }),
+};
+exports.default = Version;

package/lib/cli/src/config/bootstrap.config.d.ts

@@ -2,8 +2,17 @@
  * Bootstrap Scripts Configuration
  *
  * Configuration for downloading initialization scripts from GitHub.
- * Scripts are hosted in the flui-cloud/flui-bootstrap repository.
+ * Scripts are hosted in the flui-cloud/bootstrap-scripts repository.
  */
+/**
+ * Base URL for the bootstrap scripts directory.
+ *
+ * Precedence:
+ *  1. `BOOTSTRAP_SCRIPTS_URL` env — full override (dev/CI escape hatch), wins over all.
+ *  2. Otherwise derived from the release pin: `<repo>/<ref>/scripts`, where the
+ *     ref is the pinned release tag, or `master` when `useLatest`.
+ */
+export declare function getScriptsBaseUrl(useLatest?: boolean): string;
 export interface BootstrapConfig {
     /**
      * Base URL for downloading scripts

package/lib/cli/src/config/bootstrap.config.js

@@ -3,17 +3,34 @@
  * Bootstrap Scripts Configuration
  *
  * Configuration for downloading initialization scripts from GitHub.
- * Scripts are hosted in the flui-cloud/flui-bootstrap repository.
+ * Scripts are hosted in the flui-cloud/bootstrap-scripts repository.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.BOOTSTRAP_CONFIG = void 0;
+exports.getScriptsBaseUrl = getScriptsBaseUrl;
 exports.getScriptUrl = getScriptUrl;
+const release_config_1 = require("../../../src/config/release.config");
+const BOOTSTRAP_REPO_RAW_BASE = 'https://raw.githubusercontent.com/flui-cloud/bootstrap-scripts';
+/**
+ * Base URL for the bootstrap scripts directory.
+ *
+ * Precedence:
+ *  1. `BOOTSTRAP_SCRIPTS_URL` env — full override (dev/CI escape hatch), wins over all.
+ *  2. Otherwise derived from the release pin: `<repo>/<ref>/scripts`, where the
+ *     ref is the pinned release tag, or `master` when `useLatest`.
+ */
+function getScriptsBaseUrl(useLatest = false) {
+    if (process.env.BOOTSTRAP_SCRIPTS_URL) {
+        return process.env.BOOTSTRAP_SCRIPTS_URL;
+    }
+    return `${BOOTSTRAP_REPO_RAW_BASE}/${(0, release_config_1.resolveBootstrapRef)(useLatest)}/scripts`;
+}
 /**
  * Default bootstrap configuration
  */
 exports.BOOTSTRAP_CONFIG = {
-    scriptsBaseUrl: process.env.BOOTSTRAP_SCRIPTS_URL ||
-        'https://raw.githubusercontent.com/flui-cloud/bootstrap-scripts/master/scripts',
+    // Pinned-release default; per-install resolution goes through getScriptsBaseUrl().
+    scriptsBaseUrl: getScriptsBaseUrl(false),
     scripts: {
         fluiInit: 'flui-init.sh',
         k3sMaster: 'k3s-master-init.sh',
@@ -22,7 +39,7 @@ exports.BOOTSTRAP_CONFIG = {
     repository: {
         org: 'flui-cloud',
         name: 'bootstrap-scripts',
-        branch: 'master',
+        branch: (0, release_config_1.resolveBootstrapRef)(false),
     },
 };
 /**

package/lib/cli/src/config/preferences-schema.js

@@ -16,15 +16,15 @@ exports.isPreferenceKey = isPreferenceKey;
 exports.PREFERENCES = {
     email: {
         key: 'email',
-        description: 'Contact email used for ACME/Let\'s Encrypt and operational notifications',
+        description: "Contact email used for ACME/Let's Encrypt and operational notifications",
         envVar: 'FLUI_EMAIL',
         projectOverridable: true,
         required: true,
-        validate: (v) => (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) ? null : 'Not a valid email'),
+        validate: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) ? null : 'Not a valid email',
     },
     apiPath: {
         key: 'apiPath',
-        description: 'Path to the flui.api repo, used to locate the .env file written by env export-config',
+        description: 'Path to the flui-core repo, used to locate the .env file written by env export-config',
         envVar: 'FLUI_API_PATH',
         projectOverridable: true,
         defaultValue: '.',
@@ -32,10 +32,10 @@ exports.PREFERENCES = {
     },
     dashboardPath: {
         key: 'dashboardPath',
-        description: 'Path to the flui.dashboard repo, used when syncing its config.json',
+        description: 'Path to the flui-dashboard repo, used when syncing its config.json',
         envVar: 'FLUI_DASHBOARD_PATH',
         projectOverridable: true,
-        defaultValue: '../flui.dashboard',
+        defaultValue: '../flui-dashboard',
         required: false,
     },
     certificateMode: {

package/lib/cli/src/config/release.config.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Release manifest — single source of truth for the versions Flui pins at
+ * install time. Bumped by hand on each CLI release.
+ *
+ * As long as the installed CLI stays at this version, every component a fresh
+ * cluster receives is pinned: the bootstrap scripts/manifests (a git ref on
+ * flui-cloud/bootstrap-scripts) and the Docker image tags injected into the
+ * cluster. `flui env create --latest` opts back into the mobile dev behaviour
+ * (bootstrap ref `master`, `:latest` image tags).
+ */
+export interface ComponentImageTags {
+    /** ghcr.io/flui-cloud/core */
+    fluiApi: string;
+    /** ghcr.io/flui-cloud/dashboard */
+    fluiWeb: string;
+    /** ghcr.io/flui-cloud/flui-authz */
+    fluiAuthz: string;
+}
+export interface ReleaseManifest {
+    /** Platform release version, recorded on the cluster at install. */
+    version: string;
+    /** Git ref (tag) on flui-cloud/bootstrap-scripts holding scripts + manifests. */
+    bootstrapRef: string;
+    /** Pinned Docker image tags, per Flui component. */
+    images: ComponentImageTags;
+}
+export declare const RELEASE: ReleaseManifest;
+/** Bootstrap-scripts git ref to install from. `--latest` → `master`. */
+export declare function resolveBootstrapRef(useLatest: boolean): string;
+/** Docker image tags to deploy. `--latest` → all `latest`. */
+export declare function resolveImageTags(useLatest: boolean): ComponentImageTags;

package/lib/cli/src/config/release.config.js

@@ -0,0 +1,38 @@
+"use strict";
+/**
+ * Release manifest — single source of truth for the versions Flui pins at
+ * install time. Bumped by hand on each CLI release.
+ *
+ * As long as the installed CLI stays at this version, every component a fresh
+ * cluster receives is pinned: the bootstrap scripts/manifests (a git ref on
+ * flui-cloud/bootstrap-scripts) and the Docker image tags injected into the
+ * cluster. `flui env create --latest` opts back into the mobile dev behaviour
+ * (bootstrap ref `master`, `:latest` image tags).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RELEASE = void 0;
+exports.resolveBootstrapRef = resolveBootstrapRef;
+exports.resolveImageTags = resolveImageTags;
+exports.RELEASE = {
+    version: '0.5.0',
+    bootstrapRef: 'v0.5.0',
+    images: {
+        fluiApi: '0.5.0',
+        fluiWeb: '0.5.0',
+        fluiAuthz: '0.5.0',
+    },
+};
+const LATEST_BOOTSTRAP_REF = 'master';
+const LATEST_IMAGE_TAGS = {
+    fluiApi: 'latest',
+    fluiWeb: 'latest',
+    fluiAuthz: 'latest',
+};
+/** Bootstrap-scripts git ref to install from. `--latest` → `master`. */
+function resolveBootstrapRef(useLatest) {
+    return useLatest ? LATEST_BOOTSTRAP_REF : exports.RELEASE.bootstrapRef;
+}
+/** Docker image tags to deploy. `--latest` → all `latest`. */
+function resolveImageTags(useLatest) {
+    return useLatest ? { ...LATEST_IMAGE_TAGS } : { ...exports.RELEASE.images };
+}

package/lib/cli/src/lib/prompts.d.ts

@@ -15,12 +15,7 @@ export declare function selectWithArrows(title: string, items: ArrowSelectItem[]
  * Supports both typing and paste (Cmd+V), including bracketed paste mode.
  */
 export declare function promptMaskedInput(message: string): Promise<string>;
-/**
- * Interactive provider setup wizard.
- * Shows arrow-key provider selection, prompts for token, saves to ConfigStorage.
- * Returns true if setup completed successfully, false if cancelled.
- */
-export declare function runProviderSetupWizard(): Promise<boolean>;
+export declare function runProviderSetupWizard(preselectedProviderId?: string): Promise<string | null>;
 /**
  * Prompt user for yes/no confirmation
  */

package/lib/cli/src/lib/prompts.js

@@ -226,7 +226,16 @@ async function promptMaskedInput(message) {
  * Shows arrow-key provider selection, prompts for token, saves to ConfigStorage.
  * Returns true if setup completed successfully, false if cancelled.
  */
-async function runProviderSetupWizard() {
+async function pickProviderToConfigure(preselectedProviderId) {
+    // When the target provider is already known (explicit --provider, or a
+    // single-provider profile with missing creds), configure it directly.
+    const preselected = preselectedProviderId
+        ? SUPPORTED_PROVIDERS.find((p) => p.id === preselectedProviderId && p.available)
+        : undefined;
+    if (preselected) {
+        console.log(chalk_1.default.yellow(`\n⚠  No ${preselected.label} API token configured.`));
+        return preselected;
+    }
     console.log(chalk_1.default.yellow('\n⚠  No cloud provider API token configured.'));
     const items = SUPPORTED_PROVIDERS.map((p) => ({
         label: p.label,
@@ -236,15 +245,11 @@ async function runProviderSetupWizard() {
     const index = await selectWithArrows('Select a provider to configure:', items);
     if (index === -1) {
         console.log(chalk_1.default.dim('\n   Cancelled. Run: flui config set hetzner YOUR_TOKEN\n'));
-        return false;
-    }
-    const selectedProvider = SUPPORTED_PROVIDERS[index];
-    const schema = (0, provider_credential_schemas_1.getCredentialSchema)(selectedProvider.id);
-    if (!schema) {
-        console.log(chalk_1.default.red(`\n   Missing credential schema for ${selectedProvider.label}\n`));
-        return false;
+        return null;
     }
-    console.log(chalk_1.default.dim(`\n   Enter your ${selectedProvider.label} credentials below.\n   They will be stored encrypted on disk.\n`));
+    return SUPPORTED_PROVIDERS[index];
+}
+async function collectProviderCredentials(schema) {
     const collected = {};
     for (const field of schema.fields) {
         const label = `   ${field.label}`;
@@ -255,17 +260,32 @@ async function runProviderSetupWizard() {
             })).trim();
         if (!value.trim()) {
             console.log(chalk_1.default.red(`\n   ${field.label} is required. Setup cancelled.\n`));
-            return false;
+            return null;
         }
         collected[field.key] = value.trim();
     }
+    return collected;
+}
+async function runProviderSetupWizard(preselectedProviderId) {
+    const selectedProvider = await pickProviderToConfigure(preselectedProviderId);
+    if (!selectedProvider)
+        return null;
+    const schema = (0, provider_credential_schemas_1.getCredentialSchema)(selectedProvider.id);
+    if (!schema) {
+        console.log(chalk_1.default.red(`\n   Missing credential schema for ${selectedProvider.label}\n`));
+        return null;
+    }
+    console.log(chalk_1.default.dim(`\n   Enter your ${selectedProvider.label} credentials below.\n   They will be stored encrypted on disk.\n`));
+    const collected = await collectProviderCredentials(schema);
+    if (!collected)
+        return null;
     if (selectedProvider.id === 'scaleway') {
         process.stdout.write(chalk_1.default.dim('\n   Validating credentials with Scaleway IAM...'));
         const result = await (0, scaleway_validator_1.validateScalewayCredentials)(collected.accessKey, collected.secretKey);
         process.stdout.write('\r\u001B[2K');
         if (!result.success) {
             console.log(chalk_1.default.red(`   ✖ ${result.message}\n`));
-            return false;
+            return null;
         }
         console.log(chalk_1.default.green(`   ✔ ${result.message}`));
     }
@@ -278,11 +298,11 @@ async function runProviderSetupWizard() {
             storage.saveToken(selectedProvider.id, collected[schema.fields[0].key]);
         }
         console.log(chalk_1.default.green(`\n   ✔ ${selectedProvider.label} credentials saved (AES-256-GCM encrypted)\n`));
-        return true;
+        return selectedProvider.id;
     }
     catch (err) {
         console.log(chalk_1.default.red(`\n   Failed to save credentials: ${err instanceof Error ? err.message : String(err)}\n`));
-        return false;
+        return null;
     }
 }
 /**

package/lib/cli/src/lib/services/cli-app.service.d.ts

@@ -10,6 +10,24 @@ export interface AppSummary {
     lastDeployedAt?: string;
     clusterId: string;
 }
+export interface AppGroupComponent extends AppSummary {
+    isPrimary?: boolean;
+}
+export interface AppGroup {
+    id: string;
+    type: 'standalone' | 'composed';
+    name: string;
+    slug: string;
+    status: string;
+    category: string;
+    clusterId: string;
+    url?: string;
+    catalogSlug?: string;
+    catalogInstallId?: string;
+    primaryComponentId?: string;
+    componentCount: number;
+    components: AppGroupComponent[];
+}
 export interface AppRuntime {
     appId: string;
     deploymentName: string;
@@ -186,14 +204,29 @@ export interface AvailableVersionsResponse {
     nextPage: number | null;
     allowedPatterns: string[] | null;
 }
+export interface AppEndpoint {
+    id: string;
+    clusterId: string;
+    applicationId?: string;
+    endpointType: string;
+    hostnameMode: string;
+    fqdn: string;
+    tlsEnabled: boolean;
+    certificateStatus?: string;
+    certificateMessage?: string;
+    reconciliationStatus?: string;
+    errorMessage?: string;
+}
 export declare class CliAppService {
     private readonly apiClient;
     private readonly clusterId;
     constructor(apiClient: ApiClient, clusterId: string);
     static create(clusterId: string): Promise<CliAppService>;
     listApps(): Promise<AppSummary[]>;
+    listAppGroups(): Promise<AppGroup[]>;
     getAppByName(name: string): Promise<AppSummary>;
     getRuntime(appId: string): Promise<AppRuntime>;
+    listEndpoints(applicationId?: string): Promise<AppEndpoint[]>;
     getLogs(options: AppLogsOptions): Promise<AppLogsResponse>;
     scale(appId: string, replicas: number): Promise<AppRuntime>;
     restart(appId: string): Promise<void>;

package/lib/cli/src/lib/services/cli-app.service.js

@@ -21,6 +21,9 @@ class CliAppService {
     async listApps() {
         return this.apiClient.get(`/clusters/${this.clusterId}/applications`);
     }
+    async listAppGroups() {
+        return this.apiClient.get(`/clusters/${this.clusterId}/applications/grouped`);
+    }
     async getAppByName(name) {
         const apps = await this.listApps();
         const app = apps.find((a) => a.name.toLowerCase() === name.toLowerCase() ||
@@ -33,6 +36,12 @@ class CliAppService {
     async getRuntime(appId) {
         return this.apiClient.get(`/applications/${appId}/runtime`);
     }
+    async listEndpoints(applicationId) {
+        const all = await this.apiClient.get(`/clusters/${this.clusterId}/endpoints`);
+        return applicationId
+            ? all.filter((e) => e.applicationId === applicationId)
+            : all;
+    }
     async getLogs(options) {
         const params = new URLSearchParams();
         if (options.app)

package/lib/cli/src/lib/services/reconciliation.service.js

@@ -72,7 +72,7 @@ class ReconciliationService {
                 return {
                     type: ReconciliationType.DNS,
                     success: true,
-                    message: 'No observability cluster found, skipping DNS reconciliation',
+                    message: 'No control cluster found, skipping DNS reconciliation',
                 };
             }
             try {

package/lib/cli/src/lib/templates/firewall-rules.d.ts

@@ -1,8 +1,8 @@
 /**
  * @deprecated Import from shared template instead:
- * import { OBSERVABILITY_FIREWALL_RULES, OBSERVABILITY_PORTS } from '../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template';
+ * import { CONTROL_FIREWALL_RULES, OBSERVABILITY_PORTS } from '../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template';
  *
  * This file is kept for backward compatibility with existing CLI code.
  * New code should use the shared template.
  */
-export { OBSERVABILITY_FIREWALL_RULES, OBSERVABILITY_PORTS, WORKLOAD_FIREWALL_RULES, WORKLOAD_PORTS, validateFirewallRules, getFirewallRulesForClusterType, } from '../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template';
+export { CONTROL_FIREWALL_RULES, OBSERVABILITY_PORTS, WORKLOAD_FIREWALL_RULES, WORKLOAD_PORTS, validateFirewallRules, getFirewallRulesForClusterType, } from '../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template';

package/lib/cli/src/lib/templates/firewall-rules.js

@@ -1,15 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getFirewallRulesForClusterType = exports.validateFirewallRules = exports.WORKLOAD_PORTS = exports.WORKLOAD_FIREWALL_RULES = exports.OBSERVABILITY_PORTS = exports.OBSERVABILITY_FIREWALL_RULES = void 0;
+exports.getFirewallRulesForClusterType = exports.validateFirewallRules = exports.WORKLOAD_PORTS = exports.WORKLOAD_FIREWALL_RULES = exports.OBSERVABILITY_PORTS = exports.CONTROL_FIREWALL_RULES = void 0;
 /**
  * @deprecated Import from shared template instead:
- * import { OBSERVABILITY_FIREWALL_RULES, OBSERVABILITY_PORTS } from '../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template';
+ * import { CONTROL_FIREWALL_RULES, OBSERVABILITY_PORTS } from '../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template';
  *
  * This file is kept for backward compatibility with existing CLI code.
  * New code should use the shared template.
  */
 var firewall_rules_template_1 = require("../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template");
-Object.defineProperty(exports, "OBSERVABILITY_FIREWALL_RULES", { enumerable: true, get: function () { return firewall_rules_template_1.OBSERVABILITY_FIREWALL_RULES; } });
+Object.defineProperty(exports, "CONTROL_FIREWALL_RULES", { enumerable: true, get: function () { return firewall_rules_template_1.CONTROL_FIREWALL_RULES; } });
 Object.defineProperty(exports, "OBSERVABILITY_PORTS", { enumerable: true, get: function () { return firewall_rules_template_1.OBSERVABILITY_PORTS; } });
 Object.defineProperty(exports, "WORKLOAD_FIREWALL_RULES", { enumerable: true, get: function () { return firewall_rules_template_1.WORKLOAD_FIREWALL_RULES; } });
 Object.defineProperty(exports, "WORKLOAD_PORTS", { enumerable: true, get: function () { return firewall_rules_template_1.WORKLOAD_PORTS; } });

package/lib/cli/src/modules/cli-infrastructure.module.js

@@ -58,7 +58,7 @@ const label_service_1 = require("../../../src/modules/infrastructure/shared/serv
 const cli_k3s_script_service_1 = require("../services/cli-k3s-script.service");
 const cli_cluster_creator_service_1 = require("../services/cli-cluster-creator.service");
 const cli_clusters_service_1 = require("../services/cli-clusters.service");
-const cli_observability_cluster_service_1 = require("../services/cli-observability-cluster.service");
+const cli_control_cluster_service_1 = require("../services/cli-control-cluster.service");
 const cli_ssh_service_1 = require("../services/cli-ssh.service");
 const cli_ca_service_1 = require("../services/cli-ca.service");
 const cli_logger_service_1 = require("../services/cli-logger.service");
@@ -174,7 +174,7 @@ exports.CliInfrastructureModule = CliInfrastructureModule = __decorate([
             label_service_1.LabelService,
             kubernetes_service_1.KubernetesService,
             cli_clusters_service_1.CliClustersService,
-            cli_observability_cluster_service_1.CliObservabilityClusterService,
+            cli_control_cluster_service_1.CliControlClusterService,
             cli_ssh_service_1.CliSshService,
             cli_ca_service_1.CliCaService,
             cli_logger_service_1.CliLoggerService,
@@ -233,7 +233,7 @@ exports.CliInfrastructureModule = CliInfrastructureModule = __decorate([
             cluster_node_scaling_service_1.ClusterNodeScalingService,
         ],
         exports: [
-            cli_observability_cluster_service_1.CliObservabilityClusterService,
+            cli_control_cluster_service_1.CliControlClusterService,
             cli_clusters_service_1.CliClustersService,
             kubernetes_service_1.KubernetesService,
             label_service_1.LabelService,

package/lib/cli/src/services/cli-cluster-creator.service.js

@@ -61,6 +61,7 @@ const node_child_process_1 = require("node:child_process");
 const fs = __importStar(require("node:fs"));
 const path = __importStar(require("node:path"));
 const os = __importStar(require("node:os"));
+const profile_manager_1 = require("../lib/profile-manager");
 const https = __importStar(require("node:https"));
 const hetzner_firewall_service_1 = require("../../../src/modules/providers/services/hetzner-firewall.service");
 const cli_firewall_repository_1 = require("../lib/repositories/cli-firewall.repository");
@@ -167,7 +168,7 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
                 provider: cluster.provider,
                 caPublicKey,
                 operationId: operation.id,
-                deployObservabilityStack: cluster.clusterType === cluster_entity_1.ClusterType.OBSERVABILITY,
+                deployObservabilityStack: (0, cluster_entity_1.isControlClusterType)(cluster.clusterType),
                 postgresPassword,
                 redisPassword,
                 grafanaPassword,
@@ -190,6 +191,7 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
                 clusterFirewallId: firewallId || '',
                 nipIoCertEnabled: !clusterMeta?.zitadelDomain,
                 acmeStaging: !!clusterMeta?.acmeStaging,
+                useLatest: !!clusterMeta?.useLatest,
                 nipHostnameToken: cluster.nipHostnameToken || null,
                 envVnet: envVnet
                     ? {
@@ -277,7 +279,7 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
                 sharedStorageVolumeSizeGb: cluster.sharedStorageVolumeSizeGb ?? undefined,
             });
             // Step 3c: Informational — Zitadel PAT injected on demand via sync-auth-domain
-            if (cluster.clusterType === cluster_entity_1.ClusterType.OBSERVABILITY) {
+            if ((0, cluster_entity_1.isControlClusterType)(cluster.clusterType)) {
                 this.log(opId, 'ℹ️  Zitadel service account PAT will be injected when sync-auth-domain is called.');
                 this.log(opId, '   After DNS is configured, call: POST /api/v1/clusters/:id/dns-zone/sync-auth-domain');
             }
@@ -332,6 +334,7 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
                         provider: cluster.provider,
                         caPublicKey,
                         operationId: operation.id,
+                        useLatest: !!clusterMeta?.useLatest,
                         sharedStorage: workerSharedStorage,
                     });
                     const workerServer = await provider.createServer({
@@ -362,12 +365,15 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
                 try {
                     const firewallRecord = await this.firewallRepository.findById(firewallId);
                     if (firewallRecord) {
+                        // Cluster-scoped name so destroy matches by exact name only.
+                        const scopedFirewallName = `flui-control-firewall-${cluster.id}`;
                         firewallRecord.clusterId = cluster.id;
+                        firewallRecord.name = scopedFirewallName;
                         // Get server IDs from cluster nodes
                         const serverIds = cluster.nodes.map((node) => node.providerResourceId);
                         firewallRecord.appliedToServerIds = serverIds;
                         await this.firewallRepository.save(firewallRecord);
-                        // Update Hetzner firewall labels with cluster ID
+                        // Update Hetzner firewall labels + name with cluster ID
                         try {
                             const existingLabels = Object.fromEntries(firewallRecord.labels.map((l) => [l.key, l.value]));
                             const updatedLabels = {
@@ -375,7 +381,7 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
                                 'flui-cluster-id': cluster.id,
                                 'flui-cluster-name': cluster.name,
                             };
-                            await this.firewallService.updateFirewallLabels(firewallId, updatedLabels);
+                            await this.firewallService.updateFirewallLabels(firewallId, updatedLabels, scopedFirewallName);
                             this.log(opId, `✅ Firewall ${firewallId} labels updated on Hetzner with cluster ID`);
                         }
                         catch (labelError) {
@@ -399,6 +405,23 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
         }
         catch (error) {
             this.log(opId, `Failed to create cluster: ${error.message}`, 'ERROR');
+            // Roll back the pre-created firewall. If creation failed before the
+            // rename/label step it stays with a temporary name and no
+            // flui-cluster-id label, which makes it invisible to `env destroy`
+            // (it matches neither the label query nor the scoped-name fallback)
+            // and leaks as an orphan that blocks the next run's name.
+            const orphanFirewallId = operation.metadata?.firewallId;
+            if (orphanFirewallId) {
+                try {
+                    await this.firewallService.deleteFirewall(orphanFirewallId);
+                    await this.firewallRepository.delete(orphanFirewallId);
+                    this.log(opId, `✅ Rolled back firewall ${orphanFirewallId} after failed cluster creation`);
+                }
+                catch (cleanupError) {
+                    this.log(opId, `Failed to roll back firewall ${orphanFirewallId}: ${cleanupError.message}. ` +
+                        `Delete it manually on the provider to avoid an orphan.`, 'WARN');
+                }
+            }
             // Mark cluster as FAILED
             cluster.status = cluster_entity_1.ClusterStatus.ERROR;
             await this.clusterRepository.save(cluster);
@@ -571,8 +594,10 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
     async createApiCredentialsSecret(operationId, masterIp, bootstrap) {
         this.log(operationId, 'Patching Kubernetes secret with SSH CA keys + bootstrap vars...');
         try {
-            // Load CLI CA keys to share with API for unified SSH access
-            const caKeyDir = path.join(os.homedir(), '.flui', 'ca');
+            // Load CLI CA keys to share with API for unified SSH access.
+            // CA keys are profile-scoped (~/.flui/profiles/<profile>/ca), not global —
+            // the old global path threw ENOENT and silently skipped the whole patch.
+            const caKeyDir = path.join(profile_manager_1.ProfileManager.getProfileDir(), 'ca');
             const caPrivateKey = fs
                 .readFileSync(path.join(caKeyDir, 'ca_key'), 'utf8')
                 .trim();