@flui-cloud/cli 0.0.1 → 0.2.0

package/lib/cli/src/services/cli-k3s-script.service.js

@@ -50,10 +50,11 @@ const path = __importStar(require("node:path"));
 const os = __importStar(require("node:os"));
 const cli_logger_service_1 = require("./cli-logger.service");
 const bootstrap_config_1 = require("../config/bootstrap.config");
+const release_override_1 = require("../config/release-override");
 /**
  * CLI K3s Script Service
  *
- * Generates K3s initialization scripts for observability clusters.
+ * Generates K3s initialization scripts for control clusters.
  * Uses scripts from cli/src/modules/instances/assets/scripts/ directory.
  */
 let CliK3sScriptService = CliK3sScriptService_1 = class CliK3sScriptService {
@@ -93,11 +94,13 @@ let CliK3sScriptService = CliK3sScriptService_1 = class CliK3sScriptService {
         try {
             this.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━`, opId);
             this.log(`[BOOTSTRAP MASTER SCRIPT] Cluster: ${config.clusterName}`, opId);
-            this.log(`Scripts URL: ${bootstrap_config_1.BOOTSTRAP_CONFIG.scriptsBaseUrl}`, opId);
+            const scriptsBaseUrl = (0, bootstrap_config_1.getScriptsBaseUrl)(config.useLatest ?? false);
+            const imageTags = (0, release_override_1.resolveEffectiveImageTags)(config.useLatest ?? false);
+            this.log(`Scripts URL: ${scriptsBaseUrl}`, opId);
             // Generate bootstrap script that downloads and executes k3s-master-init.sh from GitHub
             const script = this.generateBootstrapScript('master', {
-                SCRIPTS_BASE_URL: bootstrap_config_1.BOOTSTRAP_CONFIG.scriptsBaseUrl,
-                MANIFESTS_BASE_URL: bootstrap_config_1.BOOTSTRAP_CONFIG.scriptsBaseUrl.replace('/scripts', '/manifests'),
+                SCRIPTS_BASE_URL: scriptsBaseUrl,
+                MANIFESTS_BASE_URL: scriptsBaseUrl.replace('/scripts', '/manifests'),
                 SERVER_ID: config.serverId || '', // Database node ID for observability
                 INSTANCE_ID: config.instanceId,
                 INSTANCE_NAME: config.instanceName,
@@ -106,6 +109,10 @@ let CliK3sScriptService = CliK3sScriptService_1 = class CliK3sScriptService {
                 CLUSTER_NAME: config.clusterName,
                 K3S_TOKEN: config.k3sToken,
                 K3S_VERSION: config.k3sVersion || 'v1.35.4+k3s1',
+                // Pinned Flui image tags — consumed by the system manifests via envsubst.
+                FLUI_API_IMAGE_TAG: imageTags.fluiApi,
+                FLUI_WEB_IMAGE_TAG: imageTags.fluiWeb,
+                FLUI_AUTHZ_IMAGE_TAG: imageTags.fluiAuthz,
                 DEPLOY_OBSERVABILITY_STACK: config.deployObservabilityStack
                     ? 'true'
                     : 'false',
@@ -179,11 +186,12 @@ let CliK3sScriptService = CliK3sScriptService_1 = class CliK3sScriptService {
         try {
             this.log(`━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━`, opId);
             this.log(`[BOOTSTRAP WORKER SCRIPT] Cluster: ${config.clusterName}`, opId);
-            this.log(`Scripts URL: ${bootstrap_config_1.BOOTSTRAP_CONFIG.scriptsBaseUrl}`, opId);
+            const scriptsBaseUrl = (0, bootstrap_config_1.getScriptsBaseUrl)(config.useLatest ?? false);
+            this.log(`Scripts URL: ${scriptsBaseUrl}`, opId);
             // Generate bootstrap script that downloads and executes k3s-worker-init.sh from GitHub
             const script = this.generateBootstrapScript('worker', {
                 SERVER_ID: config.serverId || '', // Database node ID for observability
-                SCRIPTS_BASE_URL: bootstrap_config_1.BOOTSTRAP_CONFIG.scriptsBaseUrl,
+                SCRIPTS_BASE_URL: scriptsBaseUrl,
                 INSTANCE_ID: config.instanceId,
                 INSTANCE_NAME: config.instanceName,
                 CLOUD_PROVIDER: config.provider,

package/lib/src/config/release.config.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Release manifest — single source of truth for the versions Flui pins at
+ * install time. Shared by the backend (API-driven cluster creation) AND the
+ * CLI (which imports it via the `src/*` path alias), so bumping a release means
+ * editing this one file. The bootstrap-scripts ref can still be overridden via
+ * BOOTSTRAP_SCRIPTS_URL.
+ */
+export interface ComponentImageTags {
+    /** ghcr.io/flui-cloud/core */
+    fluiApi: string;
+    /** ghcr.io/flui-cloud/dashboard */
+    fluiWeb: string;
+    /** ghcr.io/flui-cloud/flui-authz */
+    fluiAuthz: string;
+}
+export interface ReleaseManifest {
+    /** Platform release version, recorded on the cluster at install. */
+    version: string;
+    /** Git ref (tag) on flui-cloud/bootstrap-scripts holding scripts + manifests. */
+    bootstrapRef: string;
+    /** Pinned Docker image tags, per Flui component. */
+    images: ComponentImageTags;
+}
+export declare const RELEASE: ReleaseManifest;
+/** Bootstrap-scripts git ref to install from. `useLatest` → `master`. */
+export declare function resolveBootstrapRef(useLatest: boolean): string;
+/** Docker image tags to deploy. `useLatest` → all `latest`. */
+export declare function resolveImageTags(useLatest: boolean): ComponentImageTags;

package/lib/src/config/release.config.js

@@ -0,0 +1,35 @@
+"use strict";
+/**
+ * Release manifest — single source of truth for the versions Flui pins at
+ * install time. Shared by the backend (API-driven cluster creation) AND the
+ * CLI (which imports it via the `src/*` path alias), so bumping a release means
+ * editing this one file. The bootstrap-scripts ref can still be overridden via
+ * BOOTSTRAP_SCRIPTS_URL.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RELEASE = void 0;
+exports.resolveBootstrapRef = resolveBootstrapRef;
+exports.resolveImageTags = resolveImageTags;
+exports.RELEASE = {
+    version: '0.5.1',
+    bootstrapRef: 'v0.5.1',
+    images: {
+        fluiApi: '0.5.1',
+        fluiWeb: '0.5.0',
+        fluiAuthz: '0.5.0',
+    },
+};
+const LATEST_BOOTSTRAP_REF = 'master';
+const LATEST_IMAGE_TAGS = {
+    fluiApi: 'latest',
+    fluiWeb: 'latest',
+    fluiAuthz: 'latest',
+};
+/** Bootstrap-scripts git ref to install from. `useLatest` → `master`. */
+function resolveBootstrapRef(useLatest) {
+    return useLatest ? LATEST_BOOTSTRAP_REF : exports.RELEASE.bootstrapRef;
+}
+/** Docker image tags to deploy. `useLatest` → all `latest`. */
+function resolveImageTags(useLatest) {
+    return useLatest ? { ...LATEST_IMAGE_TAGS } : { ...exports.RELEASE.images };
+}

package/lib/src/modules/applications/entities/application.entity.d.ts

@@ -33,6 +33,11 @@ export declare class ApplicationEntity {
     workloadKind: 'Deployment' | 'StatefulSet' | 'DaemonSet';
     replicas: number;
     port?: number;
+    portProtocol?: 'http' | 'tcp';
+    configFiles?: Array<{
+        path: string;
+        content: string;
+    }>;
     currentRevisionId?: string;
     imageRef?: string;
     startCommand?: string;
@@ -88,31 +93,19 @@ export declare class ApplicationEntity {
     frameworkConfirmed?: string;
     isFluiManaged: boolean;
     /**
-     * Placement strategy for the app's PersistentVolumeClaims.
-     *
-     * - `shared` (default): pods can run anywhere; PVCs land on the cluster
-     *   flui-shared (NFS) layer. Safe for stateless apps and light file I/O.
-     * - `dedicated`: pods pin to the master node so writes hit the backing
-     *   Volume directly (no NFS hop). Required for databases (Postgres,
-     *   MariaDB, MongoDB, …) where NFS breaks fsync/locking semantics.
-     *
-     * Source: catalog manifest `spec.persistence.scope`, defaulting to
-     * `shared` when missing.
+     * `shared` (default): PVCs ride the cluster flui-shared (NFS) layer, pods run
+     * anywhere. `dedicated`: pod pins to a worker's local disk (no NFS hop) —
+     * required by databases where NFS breaks fsync/locking. Source: catalog
+     * `spec.persistence.scope`.
      */
     persistenceScope: 'shared' | 'dedicated';
     /**
-     * Target node for `persistenceScope=dedicated` workloads.
-     *
-     * - `null` (default) → pinned to the master node via the standard
-     *   `node-role.kubernetes.io/control-plane` selector + tolerations.
-     * - explicit kubernetes node name → pinned to that specific worker via
-     *   `kubernetes.io/hostname=<name>`. The node hosting at least one
-     *   dedicated app is considered "locked" by the cluster scaling
-     *   primitives (cannot be drained nor scale-downed).
-     *
-     * Ignored when `persistenceScope=shared`.
+     * Worker hosting a `dedicated` app, locked against drain/scale-down while it
+     * lives there. Null until the deploy auto-assigns the roomiest worker.
      */
     dedicatedNodeName?: string;
+    /** Let a `dedicated` app schedule on the master instead of a worker. */
+    allowMasterPlacement: boolean;
     createdAt: Date;
     updatedAt: Date;
     deletedAt?: Date;

package/lib/src/modules/applications/entities/application.entity.js

@@ -150,6 +150,14 @@ __decorate([
     (0, typeorm_1.Column)({ type: 'int', nullable: true }),
     __metadata("design:type", Number)
 ], ApplicationEntity.prototype, "port", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'varchar', length: 8, nullable: true }),
+    __metadata("design:type", String)
+], ApplicationEntity.prototype, "portProtocol", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'json', nullable: true }),
+    __metadata("design:type", Array)
+], ApplicationEntity.prototype, "configFiles", void 0);
 __decorate([
     (0, typeorm_1.Column)({ type: 'uuid', nullable: true }),
     __metadata("design:type", String)
@@ -250,6 +258,10 @@ __decorate([
     (0, typeorm_1.Column)({ type: 'varchar', length: 253, nullable: true }),
     __metadata("design:type", String)
 ], ApplicationEntity.prototype, "dedicatedNodeName", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ default: false }),
+    __metadata("design:type", Boolean)
+], ApplicationEntity.prototype, "allowMasterPlacement", void 0);
 __decorate([
     (0, typeorm_1.CreateDateColumn)({ type: 'timestamptz' }),
     __metadata("design:type", Date)

package/lib/src/modules/applications/enums/application-exposure.enum.d.ts

@@ -1,4 +1,5 @@
 export declare enum ApplicationExposure {
     PUBLIC = "public",
-    INTERNAL = "internal"
+    INTERNAL = "internal",
+    CLUSTER = "cluster"
 }

package/lib/src/modules/applications/enums/application-exposure.enum.js

@@ -5,4 +5,5 @@ var ApplicationExposure;
 (function (ApplicationExposure) {
     ApplicationExposure["PUBLIC"] = "public";
     ApplicationExposure["INTERNAL"] = "internal";
+    ApplicationExposure["CLUSTER"] = "cluster";
 })(ApplicationExposure || (exports.ApplicationExposure = ApplicationExposure = {}));

package/lib/src/modules/applications/interfaces/source-config.interface.d.ts

@@ -123,6 +123,7 @@ export interface ApplicationHealthProbe {
     httpPath?: string;
     httpPort?: number;
     httpScheme?: 'HTTP' | 'HTTPS';
+    httpHeaders?: Record<string, string>;
     tcpPort?: number;
     execCommand?: string[];
     initialDelaySeconds?: number;

package/lib/src/modules/infrastructure/clusters/entities/cluster.entity.d.ts

@@ -11,9 +11,15 @@ export declare enum ClusterStatus {
     DELETED = "deleted"
 }
 export declare enum ClusterType {
-    OBSERVABILITY = "observability",
-    WORKLOAD = "workload"
+    CONTROL = "control",
+    WORKLOAD = "workload",
+    /** @deprecated legacy value for the control cluster; kept for back-compat reads until all rows are migrated. */
+    OBSERVABILITY = "observability"
 }
+/** Maps the legacy `observability` value forward to `control`; passes other values through. */
+export declare function normalizeClusterType(value?: ClusterType | string | null): ClusterType;
+/** True for the control cluster, accepting both the new and legacy enum values. */
+export declare function isControlClusterType(value?: ClusterType | string | null): boolean;
 export declare class ClusterEntity {
     id: string;
     generateId(): void;

package/lib/src/modules/infrastructure/clusters/entities/cluster.entity.js

@@ -10,6 +10,8 @@ var __metadata = (this && this.__metadata) || function (k, v) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ClusterEntity = exports.ClusterType = exports.ClusterStatus = void 0;
+exports.normalizeClusterType = normalizeClusterType;
+exports.isControlClusterType = isControlClusterType;
 const typeorm_1 = require("typeorm");
 const uuid_1 = require("uuid");
 const cluster_node_entity_1 = require("./cluster-node.entity");
@@ -27,9 +29,22 @@ var ClusterStatus;
 })(ClusterStatus || (exports.ClusterStatus = ClusterStatus = {}));
 var ClusterType;
 (function (ClusterType) {
-    ClusterType["OBSERVABILITY"] = "observability";
+    ClusterType["CONTROL"] = "control";
     ClusterType["WORKLOAD"] = "workload";
+    /** @deprecated legacy value for the control cluster; kept for back-compat reads until all rows are migrated. */
+    ClusterType["OBSERVABILITY"] = "observability";
 })(ClusterType || (exports.ClusterType = ClusterType = {}));
+/** Maps the legacy `observability` value forward to `control`; passes other values through. */
+function normalizeClusterType(value) {
+    if (value === ClusterType.OBSERVABILITY) {
+        return ClusterType.CONTROL;
+    }
+    return value ?? ClusterType.WORKLOAD;
+}
+/** True for the control cluster, accepting both the new and legacy enum values. */
+function isControlClusterType(value) {
+    return value === ClusterType.CONTROL || value === ClusterType.OBSERVABILITY;
+}
 let ClusterEntity = class ClusterEntity {
     generateId() {
         if (!this.id) {

package/lib/src/modules/infrastructure/clusters/services/cluster-node-scaling.service.js

@@ -380,8 +380,8 @@ let ClusterNodeScalingService = ClusterNodeScalingService_1 = class ClusterNodeS
             throw new common_1.BadRequestException({
                 code: 'NODE_LOCKED_BY_DEDICATED_APPS',
                 message: `Node ${node.serverName} hosts ${apps.length} dedicated workload(s) ` +
-                    `(${apps.map((a) => a.slug).join(', ')}). Move them with ` +
-                    `\`flui app placement <slug> --node <other>\` or delete the apps before removing this worker.`,
+                    `(${apps.map((a) => a.slug).join(', ')}). Back up their data, then delete ` +
+                    `or redeploy these apps before removing this worker.`,
                 details: { affectedApps: apps.map((a) => a.slug) },
             });
         }

package/lib/src/modules/infrastructure/firewalls/templates/firewall-rules.template.d.ts

@@ -11,7 +11,7 @@ import { FirewallRule } from '../../../providers/interfaces/firewall-provider.in
  *   80     Traefik HTTP (api/app/auth via nip.io ingress)
  *   443    Traefik HTTPS
  */
-export declare const OBSERVABILITY_FIREWALL_RULES: (sourceCidrs: string[]) => FirewallRule[];
+export declare const CONTROL_FIREWALL_RULES: (sourceCidrs: string[]) => FirewallRule[];
 export declare const WORKLOAD_FIREWALL_RULES: (sourceCidrs: string[]) => FirewallRule[];
 export declare const OBSERVABILITY_PORTS: {
     readonly SSH: {
@@ -51,4 +51,5 @@ export declare function validateFirewallRules(rules: FirewallRule[]): {
     valid: boolean;
     errors: string[];
 };
-export declare function getFirewallRulesForClusterType(clusterType: 'observability' | 'workload', sourceCidrs: string[]): FirewallRule[];
+export declare function sanitizeApiServerFirewallRules(rules: FirewallRule[], subnetCidr: string): FirewallRule[];
+export declare function getFirewallRulesForClusterType(clusterType: 'control' | 'observability' | 'workload', sourceCidrs: string[]): FirewallRule[];

package/lib/src/modules/infrastructure/firewalls/templates/firewall-rules.template.js

@@ -1,7 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.WORKLOAD_PORTS = exports.OBSERVABILITY_PORTS = exports.WORKLOAD_FIREWALL_RULES = exports.OBSERVABILITY_FIREWALL_RULES = void 0;
+exports.WORKLOAD_PORTS = exports.OBSERVABILITY_PORTS = exports.WORKLOAD_FIREWALL_RULES = exports.CONTROL_FIREWALL_RULES = void 0;
 exports.validateFirewallRules = validateFirewallRules;
+exports.sanitizeApiServerFirewallRules = sanitizeApiServerFirewallRules;
 exports.getFirewallRulesForClusterType = getFirewallRulesForClusterType;
 /**
  * Firewall rules — public surface only.
@@ -15,7 +16,7 @@ exports.getFirewallRulesForClusterType = getFirewallRulesForClusterType;
  *   80     Traefik HTTP (api/app/auth via nip.io ingress)
  *   443    Traefik HTTPS
  */
-const OBSERVABILITY_FIREWALL_RULES = (sourceCidrs) => [
+const CONTROL_FIREWALL_RULES = (sourceCidrs) => [
     {
         description: 'SSH access for server management',
         direction: 'in',
@@ -50,7 +51,7 @@ const OBSERVABILITY_FIREWALL_RULES = (sourceCidrs) => [
         destinationIps: ['0.0.0.0/0', '::/0'],
     },
 ];
-exports.OBSERVABILITY_FIREWALL_RULES = OBSERVABILITY_FIREWALL_RULES;
+exports.CONTROL_FIREWALL_RULES = CONTROL_FIREWALL_RULES;
 const WORKLOAD_FIREWALL_RULES = (sourceCidrs) => [
     {
         description: 'SSH access for cluster management',
@@ -150,6 +151,11 @@ function validateFirewallRules(rules) {
         errors,
     };
 }
+function sanitizeApiServerFirewallRules(rules, subnetCidr) {
+    return rules.map((rule) => rule.direction === 'in' && rule.protocol === 'tcp' && rule.port === '6443'
+        ? { ...rule, sourceIps: [subnetCidr] }
+        : rule);
+}
 function isValidCidr(cidr) {
     const ipv4Regex = /^(\d{1,3}\.){3}\d{1,3}\/\d{1,2}$/;
     const ipv6Regex = /^([0-9a-fA-F:]+)\/\d{1,3}$/;
@@ -157,8 +163,9 @@ function isValidCidr(cidr) {
 }
 function getFirewallRulesForClusterType(clusterType, sourceCidrs) {
     switch (clusterType) {
+        case 'control':
         case 'observability':
-            return (0, exports.OBSERVABILITY_FIREWALL_RULES)(sourceCidrs);
+            return (0, exports.CONTROL_FIREWALL_RULES)(sourceCidrs);
         case 'workload':
             return (0, exports.WORKLOAD_FIREWALL_RULES)(sourceCidrs);
         default:

package/lib/src/modules/infrastructure/shared/services/kubernetes.service.d.ts

@@ -249,6 +249,11 @@ export declare class KubernetesService {
     cordonNode(kubeconfigContent: string, nodeName: string): Promise<void>;
     uncordonNode(kubeconfigContent: string, nodeName: string): Promise<void>;
     private setNodeUnschedulable;
+    /**
+     * Add/remove the control-plane NoSchedule taint on master node(s) via the
+     * k8s API. Returns false when no control-plane node is found.
+     */
+    setControlPlaneTaint(kubeconfigContent: string, apply: boolean): Promise<boolean>;
     /**
      * Sum resource requests (CPU in millicores, memory in Mi) across all
      * containers in Running pods across all namespaces.
@@ -290,6 +295,27 @@ export declare class KubernetesService {
             memory: number;
         };
     } | null>;
+    /**
+     * Allocatable, requested and free resources for every READY worker node
+     * (nodes without the control-plane/master label). CPU in millicores, mem Mi.
+     */
+    listWorkerNodeCapacities(kubeconfigContent: string): Promise<Array<{
+        nodeName: string;
+        allocatable: {
+            cpu: number;
+            memory: number;
+        };
+        requested: {
+            cpu: number;
+            memory: number;
+        };
+        free: {
+            cpu: number;
+            memory: number;
+        };
+    }>>;
+    private isReadyWorker;
+    private sumPodRequestsOnNode;
     /**
      * Parse a Kubernetes CPU string to millicores.
      * Examples: "250m" → 250, "2" → 2000, "0.5" → 500

package/lib/src/modules/infrastructure/shared/services/kubernetes.service.js

@@ -43,6 +43,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.KubernetesService = void 0;
 const common_1 = require("@nestjs/common");
 const k8s = __importStar(require("@kubernetes/client-node"));
+const node_stream_1 = require("node:stream");
 let KubernetesService = KubernetesService_1 = class KubernetesService {
     constructor() {
         this.logger = new common_1.Logger(KubernetesService_1.name);
@@ -618,16 +619,20 @@ let KubernetesService = KubernetesService_1 = class KubernetesService {
         return new Promise((resolve, reject) => {
             let stdout = '';
             let stderr = '';
-            exec
-                .exec(namespace, pod.metadata.name, containerName, command, {
-                write: (chunk) => {
-                    stdout += typeof chunk === 'string' ? chunk : chunk.toString();
+            const stdoutStream = new node_stream_1.Writable({
+                write(chunk, _enc, cb) {
+                    stdout += chunk.toString();
+                    cb();
                 },
-            }, {
-                write: (chunk) => {
-                    stderr += typeof chunk === 'string' ? chunk : chunk.toString();
+            });
+            const stderrStream = new node_stream_1.Writable({
+                write(chunk, _enc, cb) {
+                    stderr += chunk.toString();
+                    cb();
                 },
-            }, null, false, (status) => {
+            });
+            exec
+                .exec(namespace, pod.metadata.name, containerName, command, stdoutStream, stderrStream, null, false, (status) => {
                 if (status?.status === 'Success') {
                     resolve(stdout);
                 }
@@ -1039,6 +1044,41 @@ let KubernetesService = KubernetesService_1 = class KubernetesService {
         };
         await client.patch(patch, undefined, undefined, 'flui-api', undefined, k8s.PatchStrategy.MergePatch);
     }
+    /**
+     * Add/remove the control-plane NoSchedule taint on master node(s) via the
+     * k8s API. Returns false when no control-plane node is found.
+     */
+    async setControlPlaneTaint(kubeconfigContent, apply) {
+        const key = 'node-role.kubernetes.io/control-plane';
+        const { coreApi } = this.getKubeClient(kubeconfigContent);
+        const nodes = await coreApi.listNode();
+        const masters = (nodes.items ?? []).filter((n) => {
+            const labels = n.metadata?.labels ?? {};
+            return ('node-role.kubernetes.io/control-plane' in labels ||
+                'node-role.kubernetes.io/master' in labels);
+        });
+        if (masters.length === 0)
+            return false;
+        const kc = this.loadKubeconfig(kubeconfigContent);
+        const client = k8s.KubernetesObjectApi.makeApiClient(kc);
+        for (const node of masters) {
+            const name = node.metadata?.name;
+            if (!name)
+                continue;
+            const without = (node.spec?.taints ?? []).filter((t) => t.key !== key);
+            const taints = apply
+                ? [...without, { key, effect: 'NoSchedule' }]
+                : without;
+            const patch = {
+                apiVersion: 'v1',
+                kind: 'Node',
+                metadata: { name },
+                spec: { taints },
+            };
+            await client.patch(patch, undefined, undefined, 'flui-api', undefined, k8s.PatchStrategy.MergePatch);
+        }
+        return true;
+    }
     /**
      * Sum resource requests (CPU in millicores, memory in Mi) across all
      * containers in Running pods across all namespaces.
@@ -1118,6 +1158,63 @@ let KubernetesService = KubernetesService_1 = class KubernetesService {
             requested: { cpu: cpuReq, memory: memReq },
         };
     }
+    /**
+     * Allocatable, requested and free resources for every READY worker node
+     * (nodes without the control-plane/master label). CPU in millicores, mem Mi.
+     */
+    async listWorkerNodeCapacities(kubeconfigContent) {
+        const { coreApi } = this.getKubeClient(kubeconfigContent);
+        const nodes = await coreApi.listNode();
+        const pods = await coreApi.listPodForAllNamespaces();
+        return (nodes.items ?? [])
+            .filter((n) => this.isReadyWorker(n))
+            .map((node) => {
+            const nodeName = node.metadata?.name ?? '';
+            const alloc = node.status?.allocatable ?? {};
+            const allocatable = {
+                cpu: this.parseCpu(alloc['cpu'] ?? '0'),
+                memory: this.parseMemory(alloc['memory'] ?? '0'),
+            };
+            const requested = this.sumPodRequestsOnNode(pods.items ?? [], nodeName);
+            return {
+                nodeName,
+                allocatable,
+                requested,
+                free: {
+                    cpu: allocatable.cpu - requested.cpu,
+                    memory: allocatable.memory - requested.memory,
+                },
+            };
+        });
+    }
+    isReadyWorker(node) {
+        const labels = node.metadata?.labels ?? {};
+        if ('node-role.kubernetes.io/control-plane' in labels ||
+            'node-role.kubernetes.io/master' in labels) {
+            return false;
+        }
+        if (!node.metadata?.name)
+            return false;
+        const ready = (node.status?.conditions ?? []).find((c) => c.type === 'Ready');
+        return ready?.status === 'True';
+    }
+    sumPodRequestsOnNode(pods, nodeName) {
+        let cpu = 0;
+        let memory = 0;
+        for (const pod of pods) {
+            if (pod.spec?.nodeName !== nodeName)
+                continue;
+            const phase = pod.status?.phase;
+            if (phase !== 'Running' && phase !== 'Pending')
+                continue;
+            for (const container of pod.spec?.containers ?? []) {
+                const requests = container.resources?.requests ?? {};
+                cpu += this.parseCpu(requests['cpu'] ?? '0');
+                memory += this.parseMemory(requests['memory'] ?? '0');
+            }
+        }
+        return { cpu, memory };
+    }
     /**
      * Parse a Kubernetes CPU string to millicores.
      * Examples: "250m" → 250, "2" → 2000, "0.5" → 500

package/lib/src/modules/management/entities/provider-capabilities.entity.d.ts

@@ -82,4 +82,6 @@ export interface ProviderCapabilities {
     };
     /** VNet topology info — null when privateNetworking is false */
     vnetTopology: VNetTopology | null;
+    vnetRequired: boolean;
+    crossClusterAllowed: boolean;
 }

package/lib/src/modules/providers/implementations/contabo/contabo-capabilities.service.js

@@ -232,6 +232,8 @@ let ContaboCapabilitiesService = ContaboCapabilitiesService_1 = class ContaboCap
                 minimumCost: 4.5, // Cloud VPS 10: 4 vCPU, 8 GB RAM @ €4.50/mo
             },
             vnetTopology: null, // Contabo VNet not yet implemented
+            vnetRequired: true,
+            crossClusterAllowed: false,
         };
     }
     async getCapabilities() {

package/lib/src/modules/providers/implementations/hetzner/hetzner-capabilities.service.js

@@ -127,12 +127,7 @@ let HetznerCapabilitiesService = HetznerCapabilitiesService_1 = class HetznerCap
                 ],
             },
             dnsZoneDelegation: {
-                nameservers: [
-                    'ns1.your-server.de',
-                    'ns.second-ns.com',
-                    'ns3.second-ns.de',
-                ],
-                delegationGuideUrl: 'https://docs.hetzner.com/networking/dns/getting-started/delegate-to-hetzner/',
+                delegationGuideUrl: 'https://docs.hetzner.com/dns-console/dns/general/delegating-a-domain-to-hetzner-dns/',
             },
         };
     }
@@ -219,6 +214,8 @@ let HetznerCapabilitiesService = HetznerCapabilitiesService_1 = class HetznerCap
                 vnetIpRange: { minPrefix: 8, maxPrefix: 29 },
                 subnetIpRange: { minPrefix: 8, maxPrefix: 29 },
             },
+            vnetRequired: true,
+            crossClusterAllowed: false,
         };
     }
     mapHetznerLocationsToRegions(locations) {

package/lib/src/modules/providers/implementations/scaleway/scaleway-capabilities.service.js

@@ -135,7 +135,6 @@ let ScalewayCapabilitiesService = ScalewayCapabilitiesService_1 = class Scaleway
                 ],
             },
             dnsZoneDelegation: {
-                nameservers: ['ns0.dom.scw.cloud', 'ns1.dom.scw.cloud'],
                 delegationGuideUrl: 'https://www.scaleway.com/en/docs/network/domains-and-dns/how-to/add-external-domain/',
             },
         };
@@ -226,6 +225,8 @@ let ScalewayCapabilitiesService = ScalewayCapabilitiesService_1 = class Scaleway
                 vnetIpRange: { minPrefix: 20, maxPrefix: 28 },
                 subnetIpRange: { minPrefix: 20, maxPrefix: 28 },
             },
+            vnetRequired: true,
+            crossClusterAllowed: false,
         };
     }
     async getCapabilities() {

package/lib/src/modules/providers/implementations/scaleway/scaleway-firewall.service.js

@@ -401,7 +401,9 @@ let ScalewayFirewallService = ScalewayFirewallService_1 = class ScalewayFirewall
                 this.logger.warn(`Security group ${firewallId} not found, already deleted`);
                 return;
             }
-            throw new Error(`Failed to delete security group: ${error.message}`);
+            const data = error?.response?.data;
+            const detail = data?.help_message || data?.message || error.message;
+            throw new Error(`Failed to delete security group: ${detail}`);
         }
     }
     async applyToServers(firewallId, serverIds) {

package/lib/src/modules/providers/implementations/scaleway/scaleway-provider.service.js

@@ -1105,7 +1105,9 @@ let ScalewayProviderService = ScalewayProviderService_1 = class ScalewayProvider
                 for (const [name, entry] of typeMap.entries()) {
                     const t = entry.type;
                     const ramBytes = t.ram || 0;
-                    const ramGb = Math.round(ramBytes / 1e9); // Scaleway uses decimal bytes (1 GB = 1_000_000_000)
+                    // RAM is reported in binary bytes (8 GiB = 8_589_934_592), unlike disk
+                    // which is decimal. Divide by 1024³ so a "8G" plan reads 8 GB, not 9.
+                    const ramGb = Math.round(ramBytes / 1024 ** 3);
                     const diskGb = mapDiskGb(t);
                     const prices = [];
                     for (const [region, p] of entry.pricesByRegion.entries()) {

package/lib/src/modules/providers/interfaces/provider-capabilities.interface.d.ts

@@ -64,8 +64,6 @@ export interface ProviderCredentialFields {
     supportsExpiry: boolean;
 }
 export interface DnsZoneDelegation {
-    /** Nameservers to set at the domain registrar to delegate to this provider */
-    nameservers: string[];
     /** Official guide URL explaining how to delegate/import an external domain */
     delegationGuideUrl: string;
 }

package/lib/src/modules/providers/services/hetzner-firewall.service.d.ts

@@ -44,5 +44,5 @@ export declare class HetznerFirewallService implements IFirewallProvider {
     getServerIdsByLabelSelector(labelSelector: string): Promise<string[]>;
     applyToServers(firewallId: string, serverIds: string[]): Promise<void>;
     removeFromServers(firewallId: string, serverIds: string[]): Promise<void>;
-    updateFirewallLabels(firewallId: string, labels: Record<string, string>): Promise<void>;
+    updateFirewallLabels(firewallId: string, labels: Record<string, string>, name?: string): Promise<void>;
 }