@flui-cloud/cli 0.0.1 → 0.2.0

package/lib/cli/src/commands/env/create.js

@@ -3,12 +3,13 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+const node_crypto_1 = require("node:crypto");
 const core_1 = require("@oclif/core");
 const chalk_1 = __importDefault(require("chalk"));
 const ora_1 = __importDefault(require("ora"));
 const nest_app_1 = require("../../lib/nest-app");
 const nip_base_domain_util_1 = require("../../lib/nip-base-domain.util");
-const cli_observability_cluster_service_1 = require("../../services/cli-observability-cluster.service");
+const cli_control_cluster_service_1 = require("../../services/cli-control-cluster.service");
 const cli_ssh_service_1 = require("../../services/cli-ssh.service");
 const cloud_provider_enum_1 = require("../../../../src/modules/providers/enums/cloud-provider.enum");
 const cluster_entity_1 = require("../../../../src/modules/infrastructure/clusters/entities/cluster.entity");
@@ -21,6 +22,7 @@ const api_client_1 = require("../../lib/api-client");
 const config_storage_1 = require("../../lib/config-storage");
 const provider_credential_schemas_1 = require("../../lib/provider-credential-schemas");
 const context_banner_1 = require("../../lib/context-banner");
+const release_override_1 = require("../../config/release-override");
 const server_type_cache_service_1 = require("../../services/server-type-cache.service");
 const server_type_validator_service_1 = require("../../services/server-type-validator.service");
 const defaults_1 = require("../../config/defaults");
@@ -28,9 +30,36 @@ const prompts_1 = require("../../lib/prompts");
 const preferences_resolver_1 = require("../../config/preferences-resolver");
 const preferences_schema_1 = require("../../config/preferences-schema");
 class EnvCreate extends core_1.Command {
+    /** The sole provider with configured credentials, or undefined if none/both. */
+    detectConfiguredProvider(configStorage) {
+        const configured = ['hetzner', 'scaleway'].filter((p) => (0, provider_credential_schemas_1.isCompoundProvider)(p)
+            ? configStorage.hasCredentials(p)
+            : configStorage.hasToken(p));
+        return configured.length === 1 ? configured[0] : undefined;
+    }
     async run() {
         const { flags } = await this.parse(EnvCreate);
-        const providerKey = flags.provider;
+        if (flags['auth-mode'] !== 'oidc') {
+            this.error(`Authentication mode '${flags['auth-mode']}' is not supported. Only 'oidc' is available.`, { exit: 1 });
+        }
+        const configStorage = new config_storage_1.ConfigStorage();
+        const hasCreds = (p) => (0, provider_credential_schemas_1.isCompoundProvider)(p)
+            ? configStorage.hasCredentials(p)
+            : configStorage.hasToken(p);
+        // Resolve the target provider BEFORE deriving provider-specific defaults.
+        // Precedence: explicit --provider > the profile's single configured
+        // provider > the setup wizard's choice. (Previously hard-defaulted to
+        // hetzner, so a Scaleway-only profile still tried — and failed — to build
+        // on Hetzner.)
+        let providerKey = flags.provider ?? this.detectConfiguredProvider(configStorage);
+        if (!providerKey || !hasCreds(providerKey)) {
+            const configured = await (0, prompts_1.runProviderSetupWizard)(providerKey);
+            if (!configured) {
+                console.log(chalk_1.default.dim(`   To configure manually: flui config set ${providerKey ?? '<provider>'}\n`));
+                this.exit(1);
+            }
+            providerKey = configured;
+        }
         const cloudProvider = providerKey === 'scaleway'
             ? cloud_provider_enum_1.CloudProvider.SCALEWAY
             : cloud_provider_enum_1.CloudProvider.HETZNER;
@@ -40,9 +69,6 @@ class EnvCreate extends core_1.Command {
         if (!allowedRegions.includes(region)) {
             this.error(`Region '${region}' is not supported for provider '${providerKey}'. Allowed: ${allowedRegions.join(', ')}`, { exit: 1 });
         }
-        if (flags['auth-mode'] !== 'oidc') {
-            this.error(`Authentication mode '${flags['auth-mode']}' is not supported. Only 'oidc' is available.`, { exit: 1 });
-        }
         (0, context_banner_1.printContextBanner)({
             cluster: { provider: providerKey, region },
         });
@@ -55,9 +81,8 @@ class EnvCreate extends core_1.Command {
             app = await (0, nest_app_1.getNestApp)();
             spinner.succeed('Initialized');
             spinner = (0, ora_1.default)('Loading services...').start();
-            const configStorage = new config_storage_1.ConfigStorage();
             const apiUrl = configStorage.getApiUrl();
-            const observabilityService = app.get(cli_observability_cluster_service_1.CliObservabilityClusterService);
+            const controlService = app.get(cli_control_cluster_service_1.CliControlClusterService);
             const apiClient = new api_client_1.ApiClient({
                 baseUrl: apiUrl,
                 apiKey: configStorage.getApiKey(),
@@ -65,20 +90,6 @@ class EnvCreate extends core_1.Command {
             const cacheService = new server_type_cache_service_1.ServerTypeCacheService();
             const validatorService = new server_type_validator_service_1.ServerTypeValidatorService();
             spinner.succeed('Services loaded');
-            // 2. Early credential check — must happen before any provider call
-            const hasProviderCreds = (0, provider_credential_schemas_1.isCompoundProvider)(providerKey)
-                ? configStorage.hasCredentials(providerKey)
-                : configStorage.hasToken(providerKey);
-            if (!hasProviderCreds) {
-                spinner.stop();
-                const configured = await (0, prompts_1.runProviderSetupWizard)();
-                if (!configured) {
-                    console.log(chalk_1.default.dim(`   To configure manually: flui config set ${providerKey}\n`));
-                    this.exit(1);
-                }
-                spinner = (0, ora_1.default)('Resuming...').start();
-                spinner.succeed('Provider configured');
-            }
             // 3. Resolve admin email (prompt if not set, then persist)
             const emailResolver = new preferences_resolver_1.PreferencesResolver(configStorage);
             const emailResult = emailResolver.resolve('email');
@@ -102,7 +113,12 @@ class EnvCreate extends core_1.Command {
             // server-side, so the LE 5-certs-per-7-days rate limit never trips on
             // repeated test creations.
             const acmeStaging = flags['acme-staging'];
+            const useLatest = flags.latest;
             spinner.stop();
+            const overrideBanner = (0, release_override_1.formatReleaseOverrideBanner)((0, release_override_1.getEffectiveRelease)(useLatest));
+            if (overrideBanner) {
+                console.log(overrideBanner);
+            }
             if (acmeStaging) {
                 console.log(chalk_1.default.yellow(`\n⚠ ACME endpoint: Let's Encrypt STAGING — cert will not be browser-trusted (warning expected).\n`));
             }
@@ -231,17 +247,17 @@ class EnvCreate extends core_1.Command {
                 spinner.succeed('Server type validation skipped (no data available)');
             }
             // Display cluster configuration
-            console.log(chalk_1.default.cyan('\n🚀 Creating Flui Observability Cluster (K3s)\n'));
+            console.log(chalk_1.default.cyan('\n🚀 Creating Flui Control Cluster (K3s)\n'));
             console.log(chalk_1.default.dim(`   Provider: ${providerKey}`));
             console.log(chalk_1.default.dim(`   Node Size: ${validatedNodeSize}`));
             console.log(chalk_1.default.dim(`   Region: ${validatedRegion}`));
             console.log(chalk_1.default.dim(`   Worker Nodes: ${flags['node-count']}\n`));
-            // 3. Check if observability cluster already exists
+            // 3. Check if control cluster already exists
             spinner = (0, ora_1.default)('Checking for existing cluster...').start();
-            const existingCluster = await observabilityService.getObservabilityCluster();
+            const existingCluster = await controlService.getControlCluster();
             if (existingCluster && existingCluster.status !== cluster_entity_1.ClusterStatus.DELETED) {
-                spinner.fail('Observability cluster already exists!');
-                console.log(chalk_1.default.yellow('\n⚠️  An observability cluster is already running:\n'));
+                spinner.fail('Control cluster already exists!');
+                console.log(chalk_1.default.yellow('\n⚠️  An control cluster is already running:\n'));
                 console.log(`   ${chalk_1.default.bold('Name:')}     ${existingCluster.name}`);
                 console.log(`   ${chalk_1.default.bold('ID:')}       ${existingCluster.id}`);
                 console.log(`   ${chalk_1.default.bold('Status:')}   ${existingCluster.status}`);
@@ -263,7 +279,7 @@ class EnvCreate extends core_1.Command {
                 const vnetService = app.get(vnet_provisioning_service_1.VnetProvisioningService);
                 envVnetInfo = await vnetService.ensureEnvVnet({
                     provider: cloudProvider,
-                    name: 'flui-env-vnet',
+                    name: `flui-env-${(0, node_crypto_1.randomBytes)(3).toString('hex')}`,
                     ipRange: '10.10.0.0/16',
                     subnetIpRange: '10.10.1.0/24',
                     networkZone: cloudProvider === cloud_provider_enum_1.CloudProvider.HETZNER
@@ -277,7 +293,7 @@ class EnvCreate extends core_1.Command {
             }
             catch (error) {
                 spinner.fail(`VNet provisioning failed: ${error.message}`);
-                console.log(chalk_1.default.red('\n   Cannot proceed without an environment VNet. The observability cluster and all workload clusters must share a private network.'));
+                console.log(chalk_1.default.red('\n   Cannot proceed without an environment VNet. The control cluster and all workload clusters must share a private network.'));
                 this.exit(1);
             }
             // 4. Create firewall BEFORE cluster (if enabled)
@@ -296,15 +312,18 @@ class EnvCreate extends core_1.Command {
                         const publicIp = await ipService.getPublicIp();
                         sourceCidrs = [ipService.toCidr(publicIp)];
                     }
-                    const rules = (0, firewall_rules_1.OBSERVABILITY_FIREWALL_RULES)(sourceCidrs);
-                    const temporaryFirewallName = `flui-observability-firewall-${Date.now()}`;
+                    const rules = (0, firewall_rules_1.CONTROL_FIREWALL_RULES)(sourceCidrs);
+                    // Unique temporary name to avoid colliding with orphaned firewalls
+                    // from previous runs; renamed to flui-control-firewall-<clusterId>
+                    // (by firewallId) once the cluster is ready.
+                    const temporaryFirewallName = `flui-control-firewall-${(0, node_crypto_1.randomBytes)(4).toString('hex')}`;
                     // Create firewall with temporary name (will be renamed when cluster is ready)
                     const result = await firewallService.createFirewall({
                         name: temporaryFirewallName,
                         labels: [
                             { key: 'managed-by', value: 'flui-cloud' },
                             { key: 'flui-resource-type', value: 'firewall' },
-                            { key: 'flui-cluster-type', value: 'observability' },
+                            { key: 'flui-cluster-type', value: 'control' },
                         ],
                         rules,
                         // Label selector will be applied later when cluster servers exist
@@ -326,10 +345,10 @@ class EnvCreate extends core_1.Command {
                     spinner.succeed(`Firewall created (Source: ${sourceCidrs.join(', ')})`);
                 }
                 catch (error) {
-                    spinner.warn(`Firewall creation failed: ${error.message}`);
-                    console.log(chalk_1.default.yellow('   Continuing without firewall. You can configure it manually later.'));
-                    firewallId = undefined;
-                    sourceCidrs = undefined;
+                    spinner.fail(`Firewall creation failed: ${error.message}`);
+                    console.log(chalk_1.default.red('\n   Aborting: the control cluster must not be provisioned without a firewall.'));
+                    console.log(chalk_1.default.dim('   Resolve the cause (e.g. remove a leftover/orphaned firewall on the provider) and retry,\n   or pass --no-configure-firewall to explicitly opt out of firewall protection.'));
+                    this.exit(1);
                 }
             }
             // 5. Create K3s cluster
@@ -337,7 +356,7 @@ class EnvCreate extends core_1.Command {
             console.log(chalk_1.default.dim(flags['node-count'] > 0
                 ? '   This will create master node + worker nodes'
                 : '   This will create master node only'));
-            const clusterId = await observabilityService.createObservabilityCluster(cloudProvider, validatedRegion, validatedNodeSize, flags['node-count'], firewallId, sourceCidrs, flags['auth-mode'], envVnetInfo
+            const clusterId = await controlService.createControlCluster(cloudProvider, validatedRegion, validatedNodeSize, flags['node-count'], firewallId, sourceCidrs, flags['auth-mode'], envVnetInfo
                 ? {
                     vnetProviderResourceId: envVnetInfo.vnetProviderResourceId,
                     vnetIpRange: envVnetInfo.vnetIpRange,
@@ -349,6 +368,7 @@ class EnvCreate extends core_1.Command {
                 : undefined, adminEmail, acmeStaging, flags['disk-size'], {
                 sharedStorageEnabled: !flags['no-shared-storage'],
                 sharedStorageVolumeSizeGb: flags['shared-storage-size'],
+                useLatest,
             });
             spinner.succeed('Cluster creation started!');
             if (firewallId && clusterId) {
@@ -369,7 +389,7 @@ class EnvCreate extends core_1.Command {
             }
             if (flags.detached) {
                 // DETACHED MODE: Exit immediately with monitoring instructions
-                console.log(chalk_1.default.green('\n✅ Observability Cluster Creation Started!\n'));
+                console.log(chalk_1.default.green('\n✅ Control Cluster Creation Started!\n'));
                 console.log(chalk_1.default.cyan('📋 Cluster Details:\n'));
                 console.log(`   ${chalk_1.default.bold('Cluster ID:')}  ${clusterId}`);
                 console.log(`   ${chalk_1.default.bold('Provider:')}    ${cloudProvider}`);
@@ -391,7 +411,7 @@ class EnvCreate extends core_1.Command {
                 // WAIT MODE: Wait for cluster to be ready
                 spinner = (0, ora_1.default)('Waiting for cluster to be ready...').start();
                 try {
-                    await observabilityService.waitForClusterReady(clusterId, 600000);
+                    await controlService.waitForClusterReady(clusterId, 600000);
                     spinner.succeed('Cluster is ready!');
                 }
                 catch (error) {
@@ -399,7 +419,7 @@ class EnvCreate extends core_1.Command {
                     console.log(chalk_1.default.red(`\n❌ Error: ${error.message}\n`));
                     this.exit(1);
                 }
-                console.log(chalk_1.default.green('\n✅ Observability Cluster Created Successfully!\n'));
+                console.log(chalk_1.default.green('\n✅ Control Cluster Created Successfully!\n'));
                 console.log(chalk_1.default.cyan('📋 Cluster Details:\n'));
                 console.log(`   ${chalk_1.default.bold('Cluster ID:')}  ${clusterId}`);
                 console.log(`   ${chalk_1.default.bold('Provider:')}    ${cloudProvider}`);
@@ -428,7 +448,7 @@ class EnvCreate extends core_1.Command {
                 // This ensures reconciliation runs even if SSH setup fails
                 let shouldExit = false;
                 const onReconcile = async () => {
-                    const cluster = await observabilityService.getObservabilityCluster();
+                    const cluster = await controlService.getControlCluster();
                     const masterIp = cluster?.masterIpAddress;
                     const nipToken = cluster?.nipHostnameToken;
                     const baseDomain = (0, nip_base_domain_util_1.buildNipBaseDomain)(masterIp ?? '', nipToken);
@@ -440,13 +460,13 @@ class EnvCreate extends core_1.Command {
                         const interval = 15_000;
                         const deadline = Date.now() + maxWait;
                         while (Date.now() < deadline) {
-                            const valid = await observabilityService.waitForValidTls(certUrl, interval, interval, acmeStaging);
+                            const valid = await controlService.waitForValidTls(certUrl, interval, interval, acmeStaging);
                             if (valid)
                                 break;
                             elapsed += interval;
                             console.log(chalk_1.default.dim(`  Certificate pending... (${Math.round(elapsed / 1000)}s / ${maxWait / 1000}s)`));
                         }
-                        const tlsReady = await observabilityService.waitForValidTls(certUrl, 5_000, 5_000, acmeStaging);
+                        const tlsReady = await controlService.waitForValidTls(certUrl, 5_000, 5_000, acmeStaging);
                         if (tlsReady) {
                             console.log(chalk_1.default.green(acmeStaging
                                 ? "✅ TLS certificate valid (Let's Encrypt STAGING — not browser-trusted)"
@@ -477,12 +497,14 @@ class EnvCreate extends core_1.Command {
                                 }
                             }
                             console.log(chalk_1.default.dim(`\n→ Waiting for OIDC client provisioning...`));
-                            const oidcReady = await observabilityService.waitForOidcReady(apiBaseUrl, 300_000, 10_000, acmeStaging);
+                            const oidcReady = await controlService.waitForOidcReady(apiBaseUrl, 300_000, 10_000, acmeStaging);
                             if (oidcReady) {
                                 console.log(chalk_1.default.green('✅ OIDC login ready'));
                             }
                             else {
-                                console.log(chalk_1.default.yellow('⚠ OIDC not ready — run `flui env force-ready` to retry bootstrap'));
+                                console.log(chalk_1.default.yellow('⚠ OIDC login not ready — the dashboard sign-in will fail until this is resolved.'));
+                                console.log(chalk_1.default.dim('   Diagnose with `flui env status`, or `flui ssh master` + kubectl (check the zitadel and flui-web pods).\n' +
+                                    '   `flui env force-ready` does NOT retry bootstrap — it only overrides the local status, so use it only after the cause is fixed.'));
                             }
                         }
                     }
@@ -507,12 +529,12 @@ class EnvCreate extends core_1.Command {
                         '\n'));
                     shouldExit = true;
                 };
-                pollerHandle = observabilityService.pollOperationUntilReady(clusterId, onReconcile, onFailed);
+                pollerHandle = controlService.pollOperationUntilReady(clusterId, onReconcile, onFailed);
                 // Phase 1: Wait for server provisioning (master IP)
                 spinner = (0, ora_1.default)('Provisioning server...').start();
                 let masterIp;
                 try {
-                    masterIp = await observabilityService.waitForMasterIp(clusterId, 600000, 5000);
+                    masterIp = await controlService.waitForMasterIp(clusterId, 600000, 5000);
                     spinner.succeed(`Server provisioned (${masterIp})`);
                 }
                 catch (error) {
@@ -528,7 +550,7 @@ class EnvCreate extends core_1.Command {
                 // Phase 2: Wait for server boot (SSH port open)
                 spinner = (0, ora_1.default)('Server booting...').start();
                 try {
-                    await observabilityService.waitForPortReady(masterIp, 22, 600000, 5000);
+                    await controlService.waitForPortReady(masterIp, 22, 600000, 5000);
                     spinner.succeed('Server online');
                 }
                 catch (error) {
@@ -542,7 +564,7 @@ class EnvCreate extends core_1.Command {
                 // Phase 3: Wait for SSH authentication (CA enrollment via cloud-init)
                 spinner = (0, ora_1.default)('Waiting for SSH access (CA enrollment)...').start();
                 try {
-                    await observabilityService.waitForSshAuth(() => sshService.sshExec(masterIp, 'echo ok'), 600000, 10000);
+                    await controlService.waitForSshAuth(() => sshService.sshExec(masterIp, 'echo ok'), 600000, 10000);
                     spinner.succeed('SSH access ready');
                 }
                 catch (error) {
@@ -611,7 +633,7 @@ class EnvCreate extends core_1.Command {
             }
         }
         catch (error) {
-            spinner.fail('Failed to create observability cluster');
+            spinner.fail('Failed to create control cluster');
             if (firewallId) {
                 try {
                     spinner = (0, ora_1.default)('Cleaning up orphaned firewall...').start();
@@ -653,7 +675,7 @@ class EnvCreate extends core_1.Command {
         }
     }
 }
-EnvCreate.description = 'Create observability cluster infrastructure on K3s';
+EnvCreate.description = 'Create control cluster infrastructure on K3s';
 EnvCreate.examples = [
     '<%= config.bin %> <%= command.id %>',
     '<%= config.bin %> <%= command.id %> --node-size cx32',
@@ -664,8 +686,7 @@ EnvCreate.examples = [
 EnvCreate.flags = {
     provider: core_1.Flags.string({
         char: 'p',
-        description: 'Cloud provider for the observability cluster',
-        default: 'hetzner',
+        description: "Cloud provider for the control cluster (default: the profile's configured provider)",
         options: ['hetzner', 'scaleway'],
     }),
     'node-size': core_1.Flags.string({
@@ -696,6 +717,7 @@ EnvCreate.flags = {
     'configure-firewall': core_1.Flags.boolean({
         description: 'Automatically configure firewall after cluster creation',
         default: true,
+        allowNo: true,
     }),
     'firewall-ip': core_1.Flags.string({
         description: 'Source IP/CIDR for firewall (comma-separated, default: auto-detect)',
@@ -708,6 +730,10 @@ EnvCreate.flags = {
         description: "Use Let's Encrypt staging endpoint (untrusted cert, no rate limits) — useful while iterating to avoid burning prod quota",
         default: false,
     }),
+    latest: core_1.Flags.boolean({
+        description: 'Install mobile dev tags instead of the pinned release: bootstrap scripts from `master` and `:latest` Docker images. Default: every component is pinned to the CLI release version.',
+        default: false,
+    }),
     'no-shared-storage': core_1.Flags.boolean({
         description: 'Disable Flui shared storage (NFS+fscache). Default: shared storage enabled — master gets a Volume hosting the NFS export, workers mount it. Disable to fall back to local-path on each node bundled disk.',
         default: false,

package/lib/cli/src/commands/env/credentials.js

@@ -45,7 +45,7 @@ const os = __importStar(require("node:os"));
 const nest_app_1 = require("../../lib/nest-app");
 const context_banner_1 = require("../../lib/context-banner");
 const nip_base_domain_util_1 = require("../../lib/nip-base-domain.util");
-const cli_observability_cluster_service_1 = require("../../services/cli-observability-cluster.service");
+const cli_control_cluster_service_1 = require("../../services/cli-control-cluster.service");
 const cli_ssh_service_1 = require("../../services/cli-ssh.service");
 const encryption_service_1 = require("../../../../src/modules/shared/encryption/services/encryption.service");
 const cluster_entity_1 = require("../../../../src/modules/infrastructure/clusters/entities/cluster.entity");
@@ -95,9 +95,9 @@ class EnvCredentials extends core_1.Command {
             return '';
         }
     }
-    async runHealthCheck(observabilityService, masterIp, nipHostnameToken) {
+    async runHealthCheck(controlService, masterIp, nipHostnameToken) {
         const s = (0, ora_1.default)('Testing connections...').start();
-        const result = await observabilityService.checkObservabilityServices(masterIp, nipHostnameToken);
+        const result = await controlService.checkObservabilityServices(masterIp, nipHostnameToken);
         s.succeed('Connection tests completed');
         return result;
     }
@@ -141,13 +141,13 @@ class EnvCredentials extends core_1.Command {
         let spinner = (0, ora_1.default)('Fetching credentials...').start();
         try {
             const app = await (0, nest_app_1.getNestApp)();
-            const observabilityService = app.get(cli_observability_cluster_service_1.CliObservabilityClusterService);
+            const controlService = app.get(cli_control_cluster_service_1.CliControlClusterService);
             const encryptionService = app.get(encryption_service_1.EncryptionService);
-            // Get observability cluster
-            const cluster = await observabilityService.getObservabilityCluster();
+            // Get control cluster
+            const cluster = await controlService.getControlCluster();
             if (!cluster) {
-                spinner.fail('No observability cluster found');
-                console.log(chalk_1.default.yellow('\n⚠️  No observability cluster exists.\n'));
+                spinner.fail('No control cluster found');
+                console.log(chalk_1.default.yellow('\n⚠️  No control cluster exists.\n'));
                 console.log(chalk_1.default.dim('Create one with:'));
                 console.log(`   ${chalk_1.default.cyan('flui env create')}\n`);
                 return;
@@ -159,7 +159,7 @@ class EnvCredentials extends core_1.Command {
             }
             spinner.succeed('Cluster found');
             // Get endpoints
-            const endpoints = await observabilityService.getObservabilityEndpoints(cluster.id);
+            const endpoints = await controlService.getObservabilityEndpoints(cluster.id);
             const masterIp = cluster.masterIpAddress;
             if (!masterIp) {
                 spinner.fail('Master IP address not available');
@@ -204,7 +204,7 @@ class EnvCredentials extends core_1.Command {
                 ? this.redact(zitadelAdminTempPassword, showSecrets)
                 : '';
             const healthStatus = flags.test
-                ? await this.runHealthCheck(observabilityService, masterIp, cluster.nipHostnameToken)
+                ? await this.runHealthCheck(controlService, masterIp, cluster.nipHostnameToken)
                 : null;
             const secretStatus = flags.verify
                 ? await this.runSecretVerify(app.get(cli_ssh_service_1.CliSshService), masterIp)
@@ -295,7 +295,7 @@ class EnvCredentials extends core_1.Command {
         }
     }
     displayTextOutput(masterIp, endpoints, passwords, admin, healthStatus, secretStatus, zitadel = null) {
-        console.log(chalk_1.default.cyan('\n📋 Observability Cluster Credentials'));
+        console.log(chalk_1.default.cyan('\n📋 Control Cluster Credentials'));
         console.log(chalk_1.default.cyan('━'.repeat(50)));
         // Endpoints section
         console.log(chalk_1.default.cyan('\n🌐 Endpoints:\n'));
@@ -404,7 +404,7 @@ class EnvCredentials extends core_1.Command {
         return `${chalk_1.default.red('❌ unreachable')}`;
     }
 }
-EnvCredentials.description = 'Display observability cluster connection information.\n' +
+EnvCredentials.description = 'Display control cluster connection information.\n' +
     'Secrets are hidden by default; pass --show-secrets to print them. To populate\n' +
     'a local .env.local for development use `flui dev creds` instead.';
 EnvCredentials.examples = [

package/lib/cli/src/commands/env/destroy.d.ts

@@ -1,9 +1,10 @@
 import { Command } from '@oclif/core';
 export default class EnvDestroy extends Command {
-    static readonly description = "Permanently delete observability cluster (WARNING: All data will be lost!)";
+    static readonly description = "Permanently delete control cluster (WARNING: All data will be lost!)";
     static readonly examples: string[];
     static readonly flags: {
         force: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
     };
+    private cleanupClusterScopedConfig;
     run(): Promise<void>;
 }

package/lib/cli/src/commands/env/destroy.js

@@ -8,11 +8,45 @@ const chalk_1 = __importDefault(require("chalk"));
 const ora_1 = __importDefault(require("ora"));
 const nest_app_1 = require("../../lib/nest-app");
 const context_banner_1 = require("../../lib/context-banner");
-const cli_observability_cluster_service_1 = require("../../services/cli-observability-cluster.service");
+const cli_control_cluster_service_1 = require("../../services/cli-control-cluster.service");
 const config_storage_1 = require("../../lib/config-storage");
 const prompts_1 = require("../../lib/prompts");
 const vnet_provisioning_service_1 = require("../../lib/services/vnet-provisioning.service");
 class EnvDestroy extends core_1.Command {
+    // Drop config tied to the deleted cluster: registration, API endpoint and key.
+    cleanupClusterScopedConfig() {
+        const spinner = (0, ora_1.default)('Cleaning up configuration...').start();
+        try {
+            const configStorage = new config_storage_1.ConfigStorage();
+            const config = configStorage['readConfig']();
+            let changed = false;
+            if (config.credentials?.['observability-cluster-registration']) {
+                delete config.credentials['observability-cluster-registration'];
+                changed = true;
+            }
+            if (config.apiUrl) {
+                delete config.apiUrl;
+                if (config.metadata)
+                    delete config.metadata.apiUrlUpdatedAt;
+                changed = true;
+            }
+            if (config.apiKey) {
+                delete config.apiKey;
+                changed = true;
+            }
+            if (changed) {
+                configStorage['writeConfig'](config);
+                spinner.succeed('Configuration cleaned up');
+            }
+            else {
+                spinner.info('No configuration to clean up');
+            }
+        }
+        catch (error) {
+            spinner.warn(`Failed to clean up configuration: ${error.message}`);
+            console.log(chalk_1.default.yellow('   This is not critical, continuing...'));
+        }
+    }
     async run() {
         const { flags } = await this.parse(EnvDestroy);
         (0, context_banner_1.printContextBanner)();
@@ -21,14 +55,14 @@ class EnvDestroy extends core_1.Command {
             // Bootstrap NestJS and get services
             const app = await (0, nest_app_1.getNestApp)();
             spinner.stop();
-            console.log(chalk_1.default.red('\n⚠️  DESTROY Observability Cluster\n'));
+            console.log(chalk_1.default.red('\n⚠️  DESTROY Control Cluster\n'));
             spinner = (0, ora_1.default)('Checking for cluster...').start();
-            const observabilityService = app.get(cli_observability_cluster_service_1.CliObservabilityClusterService);
-            // Find observability cluster
-            const cluster = await observabilityService.getObservabilityCluster();
+            const controlService = app.get(cli_control_cluster_service_1.CliControlClusterService);
+            // Find control cluster
+            const cluster = await controlService.getControlCluster();
             if (!cluster) {
-                spinner.fail('No observability cluster found');
-                console.log(chalk_1.default.yellow('\n⚠️  No observability cluster exists.\n'));
+                spinner.fail('No control cluster found');
+                console.log(chalk_1.default.yellow('\n⚠️  No control cluster exists.\n'));
                 console.log(chalk_1.default.dim('Create one with:'));
                 console.log(`   ${chalk_1.default.cyan('flui env create')}\n`);
                 return;
@@ -64,31 +98,14 @@ class EnvDestroy extends core_1.Command {
                 color: 'yellow',
             }).start();
             try {
-                await observabilityService.deleteObservabilityCluster();
+                await controlService.deleteControlCluster();
                 spinner.succeed('All cluster resources deleted successfully');
             }
             catch (error) {
                 spinner.fail('Cluster deletion encountered an error');
                 throw error;
             }
-            // Clean up observability-cluster-registration from config.json
-            spinner = (0, ora_1.default)('Cleaning up configuration...').start();
-            try {
-                const configStorage = new config_storage_1.ConfigStorage();
-                const config = configStorage['readConfig']();
-                if (config.credentials?.['observability-cluster-registration']) {
-                    delete config.credentials['observability-cluster-registration'];
-                    configStorage['writeConfig'](config);
-                    spinner.succeed('Configuration cleaned up');
-                }
-                else {
-                    spinner.info('No registration to clean up');
-                }
-            }
-            catch (error) {
-                spinner.warn(`Failed to clean up configuration: ${error.message}`);
-                console.log(chalk_1.default.yellow('   This is not critical, continuing...'));
-            }
+            this.cleanupClusterScopedConfig();
             // Tear down environment VNet/Subnet (must run AFTER all servers are deleted —
             // Hetzner refuses to delete a network that still has attached servers).
             try {
@@ -101,7 +118,7 @@ class EnvDestroy extends core_1.Command {
                 spinner.warn(`VNet teardown failed: ${error.message}`);
                 console.log(chalk_1.default.yellow('   You may need to delete the VNet manually from the Hetzner console.'));
             }
-            console.log(chalk_1.default.green('\n✅ Observability Cluster Deleted Successfully\n'));
+            console.log(chalk_1.default.green('\n✅ Control Cluster Deleted Successfully\n'));
             console.log(chalk_1.default.dim('   All cluster resources have been removed:'));
             console.log(chalk_1.default.dim('   • Servers (master and worker nodes)'));
             console.log(chalk_1.default.dim('   • Firewalls and security rules'));
@@ -130,7 +147,7 @@ class EnvDestroy extends core_1.Command {
         }
     }
 }
-EnvDestroy.description = 'Permanently delete observability cluster (WARNING: All data will be lost!)';
+EnvDestroy.description = 'Permanently delete control cluster (WARNING: All data will be lost!)';
 EnvDestroy.examples = [
     '<%= config.bin %> <%= command.id %>',
     '<%= config.bin %> <%= command.id %> --force',

package/lib/cli/src/commands/env/diag-ca.js

@@ -8,7 +8,7 @@ const chalk_1 = __importDefault(require("chalk"));
 const ora_1 = __importDefault(require("ora"));
 const nest_app_1 = require("../../lib/nest-app");
 const nip_base_domain_util_1 = require("../../lib/nip-base-domain.util");
-const cli_observability_cluster_service_1 = require("../../services/cli-observability-cluster.service");
+const cli_control_cluster_service_1 = require("../../services/cli-control-cluster.service");
 const cli_ssh_service_1 = require("../../services/cli-ssh.service");
 const context_banner_1 = require("../../lib/context-banner");
 class EnvDiagCA extends core_1.Command {
@@ -17,9 +17,9 @@ class EnvDiagCA extends core_1.Command {
         const spinner = (0, ora_1.default)('Connecting to cluster...').start();
         try {
             const app = await (0, nest_app_1.getNestApp)();
-            const observabilityService = app.get(cli_observability_cluster_service_1.CliObservabilityClusterService);
+            const controlService = app.get(cli_control_cluster_service_1.CliControlClusterService);
             const sshService = app.get(cli_ssh_service_1.CliSshService);
-            const cluster = await observabilityService.getObservabilityCluster();
+            const cluster = await controlService.getControlCluster();
             if (!this.assertClusterReady(cluster, spinner)) {
                 return;
             }
@@ -42,8 +42,8 @@ class EnvDiagCA extends core_1.Command {
     }
     assertClusterReady(cluster, spinner) {
         if (!cluster) {
-            spinner.fail('No observability cluster found');
-            console.log(chalk_1.default.yellow('\n⚠️  No observability cluster exists.\n'));
+            spinner.fail('No control cluster found');
+            console.log(chalk_1.default.yellow('\n⚠️  No control cluster exists.\n'));
             console.log(chalk_1.default.dim('Create one with:'));
             console.log(`   ${chalk_1.default.cyan('flui env create')}\n`);
             return false;

package/lib/cli/src/commands/env/export-config.d.ts

@@ -14,25 +14,8 @@ export default class EnvExportConfig extends Command {
         save: import("@oclif/core/lib/interfaces").BooleanFlag<boolean>;
     };
     run(): Promise<void>;
-    /**
-     * Resolve every preference this command consumes (email, dashboardPath, certificateMode)
-     * through the layered config: flag > env > project-local > user > default > prompt.
-     *
-     * Prompted values are persisted to the active profile only when --save is set;
-     * otherwise they are used for this run and forgotten (no surprise side effects).
-     *
-     * `skipDashboard` shortcuts the dashboard-only preferences when --no-dashboard is set.
-     */
     private resolvePreferences;
-    /**
-     * Patch the dashboard's config.json with the localhost API endpoints + cluster auth +
-     * the resolved certificateMode. Caller is responsible for resolving inputs.
-     */
     private syncDashboardConfig;
-    /**
-     * Prompt for a missing preference value, validating against the schema.
-     * Used only when every other layer (flag, env, project, user, default) failed to provide a value.
-     */
     private promptForPreference;
     private resolveIssuer;
     private resolveJwks;