@flui-cloud/cli 0.0.1 → 0.2.0

package/lib/cli/src/lib/services/cli-app.service.d.ts

@@ -10,6 +10,24 @@ export interface AppSummary {
     lastDeployedAt?: string;
     clusterId: string;
 }
+export interface AppGroupComponent extends AppSummary {
+    isPrimary?: boolean;
+}
+export interface AppGroup {
+    id: string;
+    type: 'standalone' | 'composed';
+    name: string;
+    slug: string;
+    status: string;
+    category: string;
+    clusterId: string;
+    url?: string;
+    catalogSlug?: string;
+    catalogInstallId?: string;
+    primaryComponentId?: string;
+    componentCount: number;
+    components: AppGroupComponent[];
+}
 export interface AppRuntime {
     appId: string;
     deploymentName: string;
@@ -186,14 +204,29 @@ export interface AvailableVersionsResponse {
     nextPage: number | null;
     allowedPatterns: string[] | null;
 }
+export interface AppEndpoint {
+    id: string;
+    clusterId: string;
+    applicationId?: string;
+    endpointType: string;
+    hostnameMode: string;
+    fqdn: string;
+    tlsEnabled: boolean;
+    certificateStatus?: string;
+    certificateMessage?: string;
+    reconciliationStatus?: string;
+    errorMessage?: string;
+}
 export declare class CliAppService {
     private readonly apiClient;
     private readonly clusterId;
     constructor(apiClient: ApiClient, clusterId: string);
     static create(clusterId: string): Promise<CliAppService>;
     listApps(): Promise<AppSummary[]>;
+    listAppGroups(): Promise<AppGroup[]>;
     getAppByName(name: string): Promise<AppSummary>;
     getRuntime(appId: string): Promise<AppRuntime>;
+    listEndpoints(applicationId?: string): Promise<AppEndpoint[]>;
     getLogs(options: AppLogsOptions): Promise<AppLogsResponse>;
     scale(appId: string, replicas: number): Promise<AppRuntime>;
     restart(appId: string): Promise<void>;

package/lib/cli/src/lib/services/cli-app.service.js

@@ -21,6 +21,9 @@ class CliAppService {
     async listApps() {
         return this.apiClient.get(`/clusters/${this.clusterId}/applications`);
     }
+    async listAppGroups() {
+        return this.apiClient.get(`/clusters/${this.clusterId}/applications/grouped`);
+    }
     async getAppByName(name) {
         const apps = await this.listApps();
         const app = apps.find((a) => a.name.toLowerCase() === name.toLowerCase() ||
@@ -33,6 +36,12 @@ class CliAppService {
     async getRuntime(appId) {
         return this.apiClient.get(`/applications/${appId}/runtime`);
     }
+    async listEndpoints(applicationId) {
+        const all = await this.apiClient.get(`/clusters/${this.clusterId}/endpoints`);
+        return applicationId
+            ? all.filter((e) => e.applicationId === applicationId)
+            : all;
+    }
     async getLogs(options) {
         const params = new URLSearchParams();
         if (options.app)

package/lib/cli/src/lib/services/reconciliation.service.js

@@ -72,7 +72,7 @@ class ReconciliationService {
                 return {
                     type: ReconciliationType.DNS,
                     success: true,
-                    message: 'No observability cluster found, skipping DNS reconciliation',
+                    message: 'No control cluster found, skipping DNS reconciliation',
                 };
             }
             try {

package/lib/cli/src/lib/templates/firewall-rules.d.ts

@@ -1,8 +1,8 @@
 /**
  * @deprecated Import from shared template instead:
- * import { OBSERVABILITY_FIREWALL_RULES, OBSERVABILITY_PORTS } from '../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template';
+ * import { CONTROL_FIREWALL_RULES, OBSERVABILITY_PORTS } from '../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template';
  *
  * This file is kept for backward compatibility with existing CLI code.
  * New code should use the shared template.
  */
-export { OBSERVABILITY_FIREWALL_RULES, OBSERVABILITY_PORTS, WORKLOAD_FIREWALL_RULES, WORKLOAD_PORTS, validateFirewallRules, getFirewallRulesForClusterType, } from '../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template';
+export { CONTROL_FIREWALL_RULES, OBSERVABILITY_PORTS, WORKLOAD_FIREWALL_RULES, WORKLOAD_PORTS, validateFirewallRules, getFirewallRulesForClusterType, } from '../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template';

package/lib/cli/src/lib/templates/firewall-rules.js

@@ -1,15 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getFirewallRulesForClusterType = exports.validateFirewallRules = exports.WORKLOAD_PORTS = exports.WORKLOAD_FIREWALL_RULES = exports.OBSERVABILITY_PORTS = exports.OBSERVABILITY_FIREWALL_RULES = void 0;
+exports.getFirewallRulesForClusterType = exports.validateFirewallRules = exports.WORKLOAD_PORTS = exports.WORKLOAD_FIREWALL_RULES = exports.OBSERVABILITY_PORTS = exports.CONTROL_FIREWALL_RULES = void 0;
 /**
  * @deprecated Import from shared template instead:
- * import { OBSERVABILITY_FIREWALL_RULES, OBSERVABILITY_PORTS } from '../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template';
+ * import { CONTROL_FIREWALL_RULES, OBSERVABILITY_PORTS } from '../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template';
  *
  * This file is kept for backward compatibility with existing CLI code.
  * New code should use the shared template.
  */
 var firewall_rules_template_1 = require("../../../../src/modules/infrastructure/firewalls/templates/firewall-rules.template");
-Object.defineProperty(exports, "OBSERVABILITY_FIREWALL_RULES", { enumerable: true, get: function () { return firewall_rules_template_1.OBSERVABILITY_FIREWALL_RULES; } });
+Object.defineProperty(exports, "CONTROL_FIREWALL_RULES", { enumerable: true, get: function () { return firewall_rules_template_1.CONTROL_FIREWALL_RULES; } });
 Object.defineProperty(exports, "OBSERVABILITY_PORTS", { enumerable: true, get: function () { return firewall_rules_template_1.OBSERVABILITY_PORTS; } });
 Object.defineProperty(exports, "WORKLOAD_FIREWALL_RULES", { enumerable: true, get: function () { return firewall_rules_template_1.WORKLOAD_FIREWALL_RULES; } });
 Object.defineProperty(exports, "WORKLOAD_PORTS", { enumerable: true, get: function () { return firewall_rules_template_1.WORKLOAD_PORTS; } });

package/lib/cli/src/modules/cli-infrastructure.module.js

@@ -58,7 +58,7 @@ const label_service_1 = require("../../../src/modules/infrastructure/shared/serv
 const cli_k3s_script_service_1 = require("../services/cli-k3s-script.service");
 const cli_cluster_creator_service_1 = require("../services/cli-cluster-creator.service");
 const cli_clusters_service_1 = require("../services/cli-clusters.service");
-const cli_observability_cluster_service_1 = require("../services/cli-observability-cluster.service");
+const cli_control_cluster_service_1 = require("../services/cli-control-cluster.service");
 const cli_ssh_service_1 = require("../services/cli-ssh.service");
 const cli_ca_service_1 = require("../services/cli-ca.service");
 const cli_logger_service_1 = require("../services/cli-logger.service");
@@ -174,7 +174,7 @@ exports.CliInfrastructureModule = CliInfrastructureModule = __decorate([
             label_service_1.LabelService,
             kubernetes_service_1.KubernetesService,
             cli_clusters_service_1.CliClustersService,
-            cli_observability_cluster_service_1.CliObservabilityClusterService,
+            cli_control_cluster_service_1.CliControlClusterService,
             cli_ssh_service_1.CliSshService,
             cli_ca_service_1.CliCaService,
             cli_logger_service_1.CliLoggerService,
@@ -233,7 +233,7 @@ exports.CliInfrastructureModule = CliInfrastructureModule = __decorate([
             cluster_node_scaling_service_1.ClusterNodeScalingService,
         ],
         exports: [
-            cli_observability_cluster_service_1.CliObservabilityClusterService,
+            cli_control_cluster_service_1.CliControlClusterService,
             cli_clusters_service_1.CliClustersService,
             kubernetes_service_1.KubernetesService,
             label_service_1.LabelService,

package/lib/cli/src/services/cli-cluster-creator.service.js

@@ -61,6 +61,7 @@ const node_child_process_1 = require("node:child_process");
 const fs = __importStar(require("node:fs"));
 const path = __importStar(require("node:path"));
 const os = __importStar(require("node:os"));
+const profile_manager_1 = require("../lib/profile-manager");
 const https = __importStar(require("node:https"));
 const hetzner_firewall_service_1 = require("../../../src/modules/providers/services/hetzner-firewall.service");
 const cli_firewall_repository_1 = require("../lib/repositories/cli-firewall.repository");
@@ -167,7 +168,7 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
                 provider: cluster.provider,
                 caPublicKey,
                 operationId: operation.id,
-                deployObservabilityStack: cluster.clusterType === cluster_entity_1.ClusterType.OBSERVABILITY,
+                deployObservabilityStack: (0, cluster_entity_1.isControlClusterType)(cluster.clusterType),
                 postgresPassword,
                 redisPassword,
                 grafanaPassword,
@@ -190,6 +191,7 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
                 clusterFirewallId: firewallId || '',
                 nipIoCertEnabled: !clusterMeta?.zitadelDomain,
                 acmeStaging: !!clusterMeta?.acmeStaging,
+                useLatest: !!clusterMeta?.useLatest,
                 nipHostnameToken: cluster.nipHostnameToken || null,
                 envVnet: envVnet
                     ? {
@@ -277,7 +279,7 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
                 sharedStorageVolumeSizeGb: cluster.sharedStorageVolumeSizeGb ?? undefined,
             });
             // Step 3c: Informational — Zitadel PAT injected on demand via sync-auth-domain
-            if (cluster.clusterType === cluster_entity_1.ClusterType.OBSERVABILITY) {
+            if ((0, cluster_entity_1.isControlClusterType)(cluster.clusterType)) {
                 this.log(opId, 'ℹ️  Zitadel service account PAT will be injected when sync-auth-domain is called.');
                 this.log(opId, '   After DNS is configured, call: POST /api/v1/clusters/:id/dns-zone/sync-auth-domain');
             }
@@ -332,6 +334,7 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
                         provider: cluster.provider,
                         caPublicKey,
                         operationId: operation.id,
+                        useLatest: !!clusterMeta?.useLatest,
                         sharedStorage: workerSharedStorage,
                     });
                     const workerServer = await provider.createServer({
@@ -362,12 +365,15 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
                 try {
                     const firewallRecord = await this.firewallRepository.findById(firewallId);
                     if (firewallRecord) {
+                        // Cluster-scoped name so destroy matches by exact name only.
+                        const scopedFirewallName = `flui-control-firewall-${cluster.id}`;
                         firewallRecord.clusterId = cluster.id;
+                        firewallRecord.name = scopedFirewallName;
                         // Get server IDs from cluster nodes
                         const serverIds = cluster.nodes.map((node) => node.providerResourceId);
                         firewallRecord.appliedToServerIds = serverIds;
                         await this.firewallRepository.save(firewallRecord);
-                        // Update Hetzner firewall labels with cluster ID
+                        // Update Hetzner firewall labels + name with cluster ID
                         try {
                             const existingLabels = Object.fromEntries(firewallRecord.labels.map((l) => [l.key, l.value]));
                             const updatedLabels = {
@@ -375,7 +381,7 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
                                 'flui-cluster-id': cluster.id,
                                 'flui-cluster-name': cluster.name,
                             };
-                            await this.firewallService.updateFirewallLabels(firewallId, updatedLabels);
+                            await this.firewallService.updateFirewallLabels(firewallId, updatedLabels, scopedFirewallName);
                             this.log(opId, `✅ Firewall ${firewallId} labels updated on Hetzner with cluster ID`);
                         }
                         catch (labelError) {
@@ -399,6 +405,23 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
         }
         catch (error) {
             this.log(opId, `Failed to create cluster: ${error.message}`, 'ERROR');
+            // Roll back the pre-created firewall. If creation failed before the
+            // rename/label step it stays with a temporary name and no
+            // flui-cluster-id label, which makes it invisible to `env destroy`
+            // (it matches neither the label query nor the scoped-name fallback)
+            // and leaks as an orphan that blocks the next run's name.
+            const orphanFirewallId = operation.metadata?.firewallId;
+            if (orphanFirewallId) {
+                try {
+                    await this.firewallService.deleteFirewall(orphanFirewallId);
+                    await this.firewallRepository.delete(orphanFirewallId);
+                    this.log(opId, `✅ Rolled back firewall ${orphanFirewallId} after failed cluster creation`);
+                }
+                catch (cleanupError) {
+                    this.log(opId, `Failed to roll back firewall ${orphanFirewallId}: ${cleanupError.message}. ` +
+                        `Delete it manually on the provider to avoid an orphan.`, 'WARN');
+                }
+            }
             // Mark cluster as FAILED
             cluster.status = cluster_entity_1.ClusterStatus.ERROR;
             await this.clusterRepository.save(cluster);
@@ -571,8 +594,10 @@ let CliClusterCreatorService = CliClusterCreatorService_1 = class CliClusterCrea
     async createApiCredentialsSecret(operationId, masterIp, bootstrap) {
         this.log(operationId, 'Patching Kubernetes secret with SSH CA keys + bootstrap vars...');
         try {
-            // Load CLI CA keys to share with API for unified SSH access
-            const caKeyDir = path.join(os.homedir(), '.flui', 'ca');
+            // Load CLI CA keys to share with API for unified SSH access.
+            // CA keys are profile-scoped (~/.flui/profiles/<profile>/ca), not global —
+            // the old global path threw ENOENT and silently skipped the whole patch.
+            const caKeyDir = path.join(profile_manager_1.ProfileManager.getProfileDir(), 'ca');
             const caPrivateKey = fs
                 .readFileSync(path.join(caKeyDir, 'ca_key'), 'utf8')
                 .trim();

package/lib/cli/src/services/cli-clusters.service.d.ts

@@ -9,7 +9,7 @@ import { EncryptionService } from '../../../src/modules/shared/encryption/servic
 import { CliSshService } from './cli-ssh.service';
 import { CliCaService } from './cli-ca.service';
 import { ProviderFactory } from '../../../src/modules/providers/services/provider.factory';
-import { HetznerFirewallService } from '../../../src/modules/providers/services/hetzner-firewall.service';
+import { FirewallProviderFactory } from '../../../src/modules/providers/core/factories/firewall-provider.factory';
 /**
  * CLI Clusters Service
  *
@@ -26,10 +26,10 @@ export declare class CliClustersService {
     private readonly sshService;
     private readonly caService;
     private readonly providerFactory;
-    private readonly firewallService;
+    private readonly firewallFactory;
     private readonly infrastructureQueue;
     private readonly logger;
-    constructor(clusterRepository: CliClusterRepository, operationRepository: CliOperationRepository, nodeRepository: CliNodeRepository, firewallRepository: CliFirewallRepository, encryptionService: EncryptionService, sshService: CliSshService, caService: CliCaService, providerFactory: ProviderFactory, firewallService: HetznerFirewallService, infrastructureQueue: any);
+    constructor(clusterRepository: CliClusterRepository, operationRepository: CliOperationRepository, nodeRepository: CliNodeRepository, firewallRepository: CliFirewallRepository, encryptionService: EncryptionService, sshService: CliSshService, caService: CliCaService, providerFactory: ProviderFactory, firewallFactory: FirewallProviderFactory, infrastructureQueue: any);
     /**
      * Create a new cluster
      */

package/lib/cli/src/services/cli-clusters.service.js

@@ -63,7 +63,7 @@ const encryption_service_1 = require("../../../src/modules/shared/encryption/ser
 const cli_ssh_service_1 = require("./cli-ssh.service");
 const cli_ca_service_1 = require("./cli-ca.service");
 const provider_factory_1 = require("../../../src/modules/providers/services/provider.factory");
-const hetzner_firewall_service_1 = require("../../../src/modules/providers/services/hetzner-firewall.service");
+const firewall_provider_factory_1 = require("../../../src/modules/providers/core/factories/firewall-provider.factory");
 const fs = __importStar(require("node:fs"));
 const path = __importStar(require("node:path"));
 const os = __importStar(require("node:os"));
@@ -75,7 +75,7 @@ const os = __importStar(require("node:os"));
  * Integrates SSH and CA management for secure server access.
  */
 let CliClustersService = CliClustersService_1 = class CliClustersService {
-    constructor(clusterRepository, operationRepository, nodeRepository, firewallRepository, encryptionService, sshService, caService, providerFactory, firewallService, infrastructureQueue) {
+    constructor(clusterRepository, operationRepository, nodeRepository, firewallRepository, encryptionService, sshService, caService, providerFactory, firewallFactory, infrastructureQueue) {
         this.clusterRepository = clusterRepository;
         this.operationRepository = operationRepository;
         this.nodeRepository = nodeRepository;
@@ -84,7 +84,7 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
         this.sshService = sshService;
         this.caService = caService;
         this.providerFactory = providerFactory;
-        this.firewallService = firewallService;
+        this.firewallFactory = firewallFactory;
         this.infrastructureQueue = infrastructureQueue;
         this.logger = new common_1.Logger(CliClustersService_1.name);
     }
@@ -134,17 +134,17 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
         const jwtSecret = this.generateSecurePassword(64);
         const adminEmail = createClusterDto.metadata?.adminEmail || '';
         const adminPassword = this.generateSecurePassword(24);
-        // Generate Zitadel secrets (only used by OBSERVABILITY clusters)
+        // Generate Zitadel secrets (only used by control clusters)
         const zitadelMasterkey = this.generateSecurePassword(32);
         const zitadelDbAdminPassword = this.generateSecurePassword(32);
         const zitadelDbUserPassword = this.generateSecurePassword(32);
         const zitadelAdminTempPassword = this.generateSecurePassword(24);
         // Get worker count from DTO
         const workerCount = createClusterDto.workerCount;
-        // Determine cluster type from metadata (same logic as API)
+        // Determine cluster type from metadata (same logic as API; accept legacy flag)
         const metadata = createClusterDto.metadata || {};
-        const clusterType = metadata.isObservabilityCluster
-            ? cluster_entity_1.ClusterType.OBSERVABILITY
+        const clusterType = metadata.isControlCluster || metadata.isObservabilityCluster
+            ? cluster_entity_1.ClusterType.CONTROL
             : cluster_entity_1.ClusterType.WORKLOAD;
         const hostnameMode = createClusterDto.endpointHostnameMode ?? hostname_mode_enum_1.HostnameMode.IP;
         let nipHostnameToken = null;
@@ -266,7 +266,7 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
         if (!cluster) {
             throw new Error(`Cluster ${id} not found`);
         }
-        this.logger.log(`Deleting observability cluster ${id} (${cluster.name})`);
+        this.logger.log(`Deleting control cluster ${id} (${cluster.name})`);
         this.logger.log(`Cluster details: ${JSON.stringify({
             id: cluster.id,
             name: cluster.name,
@@ -367,14 +367,14 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
                     labels: s.labels?.map((l) => `${l.key}=${l.value}`),
                 })))}`);
             }
-            // Filter servers that belong to this observability cluster
+            // Filter servers that belong to this control cluster
             const orphanedServers = allServers.filter((server) => {
                 // Check if already deleted in Phase 1
                 if (deletedServerIds.has(server.provider_resource_id)) {
                     this.logger.log(`Skipping server ${server.name} - already deleted in Phase 1`);
                     return false;
                 }
-                // Check if server belongs to this observability cluster
+                // Check if server belongs to this control cluster
                 const hasObservabilityId = server.labels?.some((label) => label.key === 'flui-cluster-id' && label.value === cluster.id);
                 // Check if server is managed by flui
                 const isFluiManaged = server.labels?.some((label) => label.key === 'managed-by' && label.value === 'flui-cloud');
@@ -434,9 +434,11 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
             // PHASE 2.5: Delete cluster firewalls (GUARANTEED CLEANUP)
             this.logger.log(`Phase 2.5: Deleting cluster firewalls from ${cluster.provider}...`);
             try {
+                const providerEnum = (cluster.provider || '').toLowerCase();
+                const firewallService = this.firewallFactory.getFirewallProviderOrFail(providerEnum);
                 // STEP 1: Find ALL firewalls for this cluster
                 this.logger.log(`Searching for firewalls with label flui-cluster-id=${cluster.id}`);
-                const clusterFirewalls = await this.firewallService.listFirewalls({
+                const clusterFirewalls = await firewallService.listFirewalls({
                     clusterId: cluster.id,
                 });
                 this.logger.log(`Found ${clusterFirewalls.length} firewall(s) for cluster ${cluster.id}`);
@@ -444,13 +446,12 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
                 let allFirewalls = [...clusterFirewalls];
                 if (clusterFirewalls.length === 0) {
                     this.logger.log(`No firewalls found by label. Searching by name pattern...`);
-                    // Search for firewalls with observability pattern:
-                    // - Old pattern: flui-observability-{clusterId}
-                    // - New pattern: flui-observability-firewall-{timestamp}
-                    const allProviderFirewalls = await this.firewallService.listFirewalls({});
-                    const nameMatchedFirewalls = allProviderFirewalls.filter((fw) => fw.name === `flui-observability-${cluster.id}` ||
-                        fw.name.startsWith('flui-observability-firewall-') ||
-                        fw.name.startsWith('flui-firewall-temp-'));
+                    // Exact cluster-scoped names only — never global prefixes (would hit
+                    // another cluster's firewall).
+                    const allProviderFirewalls = await firewallService.listFirewalls({});
+                    const nameMatchedFirewalls = allProviderFirewalls.filter((fw) => fw.name === `flui-control-firewall-${cluster.id}` ||
+                        fw.name === `flui-control-${cluster.id}` ||
+                        fw.name === `flui-observability-${cluster.id}`);
                     if (nameMatchedFirewalls.length > 0) {
                         this.logger.log(`Found ${nameMatchedFirewalls.length} firewall(s) by name pattern:`);
                         nameMatchedFirewalls.forEach((fw) => {
@@ -462,26 +463,45 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
                         this.logger.log(`No firewalls found with observability name patterns`);
                     }
                 }
+                // STEP 1c: Sweep orphaned control firewalls left with a TEMPORARY name.
+                // A firewall created before a failed cluster run keeps its temp name
+                // (`flui-control-firewall` or `flui-control-firewall-<hex>`) and has no
+                // flui-cluster-id label, so neither the label query nor the scoped-name
+                // fallback above can find it. There is exactly one control cluster per
+                // environment, so any such firewall is leftover garbage from a previous
+                // attempt and is safe to remove while tearing down the control cluster.
+                // The regex only matches the temp form (8-hex suffix), never another
+                // cluster's UUID-scoped name.
+                if ((0, cluster_entity_1.isControlClusterType)(cluster.clusterType)) {
+                    const tempControlFirewall = /^flui-control-firewall(-[0-9a-f]{8})?$/;
+                    const known = new Set(allFirewalls.map((fw) => fw.id));
+                    const providerFirewalls = await firewallService.listFirewalls({});
+                    const orphans = providerFirewalls.filter((fw) => tempControlFirewall.test(fw.name) && !known.has(fw.id));
+                    if (orphans.length > 0) {
+                        this.logger.log(`Found ${orphans.length} orphaned control firewall(s) with a temporary name:`);
+                        orphans.forEach((fw) => this.logger.log(`  - ${fw.name} (${fw.id})`));
+                        allFirewalls.push(...orphans);
+                    }
+                }
                 if (allFirewalls.length === 0) {
                     this.logger.log('✓ No firewalls to delete for this cluster');
                 }
                 else {
-                    // STEP 2: Delete each firewall with retry logic for "resource_in_use" errors
+                    // STEP 2: Delete each firewall, retrying while the server still holds it
                     const deletePromises = allFirewalls.map(async (fw) => {
-                        const maxRetries = 5;
+                        const maxRetries = 6;
                         const retryDelay = 5000; // 5 seconds
                         for (let attempt = 1; attempt <= maxRetries; attempt++) {
                             try {
                                 this.logger.log(`Deleting firewall ${fw.name} (${fw.id}) - Attempt ${attempt}/${maxRetries}`);
-                                await this.firewallService.deleteFirewall(fw.id);
+                                await firewallService.deleteFirewall(fw.id);
                                 this.logger.log(`✓ Deleted firewall ${fw.name}`);
                                 return { success: true, id: fw.id, name: fw.name };
                             }
                             catch (error) {
-                                const isResourceInUse = error.message?.includes('resource_in_use') ||
-                                    error.message?.includes('still in use');
-                                if (isResourceInUse && attempt < maxRetries) {
-                                    this.logger.warn(`Firewall ${fw.name} is still in use. Waiting ${retryDelay}ms before retry ${attempt + 1}/${maxRetries}...`);
+                                // Retry on any error: the firewall frees up once the server is gone.
+                                if (attempt < maxRetries) {
+                                    this.logger.warn(`Firewall ${fw.name} not deletable yet (${error.message}); retry ${attempt + 1}/${maxRetries} in ${retryDelay}ms...`);
                                     await new Promise((resolve) => setTimeout(resolve, retryDelay));
                                     continue; // Retry
                                 }
@@ -500,7 +520,7 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
                     const failedCount = results.filter((r) => !r.success).length;
                     // STEP 3: VERIFICATION - Re-scan to ensure all deleted
                     this.logger.log('Verifying all firewalls deleted...');
-                    const remainingFirewalls = await this.firewallService.listFirewalls({
+                    const remainingFirewalls = await firewallService.listFirewalls({
                         clusterId: cluster.id,
                     });
                     if (remainingFirewalls.length > 0) {
@@ -509,7 +529,7 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
                         for (const fw of remainingFirewalls) {
                             try {
                                 this.logger.log(`RETRY: Deleting firewall ${fw.name} (${fw.id})`);
-                                await this.firewallService.deleteFirewall(fw.id);
+                                await firewallService.deleteFirewall(fw.id);
                                 this.logger.log(`✓ RETRY SUCCESS: Deleted firewall ${fw.name}`);
                             }
                             catch (error) {
@@ -517,7 +537,7 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
                             }
                         }
                         // Final verification
-                        const finalCheck = await this.firewallService.listFirewalls({
+                        const finalCheck = await firewallService.listFirewalls({
                             clusterId: cluster.id,
                         });
                         if (finalCheck.length > 0) {
@@ -559,13 +579,16 @@ let CliClustersService = CliClustersService_1 = class CliClustersService {
             if (provider.listSSHKeys && provider.deleteSSHKey) {
                 const allKeys = await provider.listSSHKeys();
                 this.logger.log(`Found ${allKeys.length} total SSH keys on provider`);
-                // Filter bootstrap keys for this observability cluster
+                // Filter bootstrap keys for this control cluster
                 const bootstrapKeys = allKeys.filter((key) => {
                     const tags = key.tags || {};
-                    const isFluiManaged = tags['managed-by'] === 'flui-cloud';
-                    const hasMatchingObsId = tags['flui-cluster-id'] === cluster.id;
-                    const isBootstrapKey = tags['flui-resource-type'] === 'ssh-key';
-                    return isFluiManaged && hasMatchingObsId && isBootstrapKey;
+                    const tagMatch = tags['managed-by'] === 'flui-cloud' &&
+                        tags['flui-cluster-id'] === cluster.id &&
+                        tags['flui-resource-type'] === 'ssh-key';
+                    // Scaleway IAM keys have no tags — match the cluster id in the name.
+                    const nameMatch = typeof key.name === 'string' &&
+                        key.name.startsWith(`flui-bootstrap-${cluster.id}`);
+                    return tagMatch || nameMatch;
                 });
                 this.logger.log(`Found ${bootstrapKeys.length} bootstrap SSH keys to clean up`);
                 // Delete bootstrap keys
@@ -758,5 +781,5 @@ exports.CliClustersService = CliClustersService = CliClustersService_1 = __decor
         cli_ssh_service_1.CliSshService,
         cli_ca_service_1.CliCaService,
         provider_factory_1.ProviderFactory,
-        hetzner_firewall_service_1.HetznerFirewallService, Object])
+        firewall_provider_factory_1.FirewallProviderFactory, Object])
 ], CliClustersService);

package/lib/cli/src/services/cli-control-cluster.service.d.ts

@@ -0,0 +1,129 @@
+import { ClusterEntity } from '../../../src/modules/infrastructure/clusters/entities/cluster.entity';
+import { CliClusterRepository } from '../lib/repositories/cli-cluster.repository';
+import { CliNodeRepository } from '../lib/repositories/cli-node.repository';
+import { CliClustersService } from './cli-clusters.service';
+import { CliOperationRepository } from '../lib/repositories/cli-operation.repository';
+import { CliSshService } from './cli-ssh.service';
+import { InfrastructureOperationEntity } from '../../../src/modules/infrastructure/servers/entities/infrastructure-operations.entity';
+/**
+ * CLI Control Cluster Service
+ *
+ * Simplified version of ObservabilityClusterService for CLI usage.
+ * Uses file-based repositories instead of TypeORM.
+ */
+export declare class CliControlClusterService {
+    private readonly clusterRepository;
+    private readonly nodeRepository;
+    private readonly clustersService;
+    private readonly operationRepository;
+    private readonly sshService;
+    private readonly logger;
+    constructor(clusterRepository: CliClusterRepository, nodeRepository: CliNodeRepository, clustersService: CliClustersService, operationRepository: CliOperationRepository, sshService: CliSshService);
+    /**
+     * Get the control cluster
+     */
+    getControlCluster(): Promise<ClusterEntity | null>;
+    /**
+     * Check if control cluster exists
+     */
+    hasControlCluster(): Promise<boolean>;
+    /**
+     * Get observability service endpoints
+     */
+    getObservabilityEndpoints(clusterId: string): Promise<{
+        prometheus?: string;
+        grafana?: string;
+        loki?: string;
+        postgres?: string;
+        redis?: string;
+        fluiApi?: string;
+        fluiWeb?: string;
+    }>;
+    /**
+     * Create control cluster
+     */
+    createControlCluster(provider: string, region: string, nodeSize: string, workerCount?: number, firewallId?: string, sourceCidrs?: string[], authMode?: string, envVnet?: {
+        vnetProviderResourceId: string;
+        vnetIpRange: string;
+        subnetProviderResourceId: string;
+        subnetIpRange: string;
+        subnetType: string;
+        networkZone: string;
+    }, adminEmail?: string, acmeStaging?: boolean, diskSizeGb?: number, options?: {
+        sharedStorageEnabled?: boolean;
+        sharedStorageVolumeSizeGb?: number;
+        useLatest?: boolean;
+    }): Promise<string>;
+    /**
+     * Deploy observability stack (Prometheus, Grafana, Loki)
+     */
+    deployObservabilityStack(clusterId: string): Promise<void>;
+    /**
+     * Delete control cluster
+     */
+    deleteControlCluster(): Promise<void>;
+    /**
+     * Get cluster operation by cluster ID
+     */
+    getClusterOperation(clusterId: string): Promise<InfrastructureOperationEntity | null>;
+    /**
+     * Wait for cluster to be ready by polling operation status
+     * @param clusterId Cluster ID to wait for
+     * @param timeoutMs Timeout in milliseconds (default: 10 minutes)
+     * @param pollIntervalMs Polling interval in milliseconds (default: 10 seconds)
+     * @returns Promise that resolves when cluster is ready
+     * @throws Error if timeout is reached or operation fails
+     */
+    waitForClusterReady(clusterId: string, timeoutMs?: number, pollIntervalMs?: number): Promise<void>;
+    /**
+     * Wait for master node IP address to become available
+     * Polls the cluster repository until masterIpAddress is populated
+     */
+    waitForMasterIp(clusterId: string, timeoutMs?: number, pollIntervalMs?: number): Promise<string>;
+    /**
+     * Wait for TCP port to become reachable on a host
+     */
+    waitForPortReady(host: string, port?: number, timeoutMs?: number, pollIntervalMs?: number): Promise<void>;
+    /**
+     * Wait for SSH to be fully ready (CA enrolled + cert auth working)
+     * Attempts an actual SSH command with retry until it succeeds.
+     * This is needed because TCP port 22 can be open before cloud-init
+     * has finished configuring the CA for certificate authentication.
+     *
+     * @param sshTestFn Function that attempts an SSH command and throws on failure
+     */
+    waitForSshAuth(sshTestFn: () => Promise<void>, timeoutMs?: number, pollIntervalMs?: number): Promise<void>;
+    /**
+     * Poll operation status in background and call onReady when COMPLETED.
+     * Returns a stop function and a done promise that resolves when the
+     * poller finishes (after onReady/onFailed callback completes or stop() is called).
+     */
+    pollOperationUntilReady(clusterId: string, onReady: () => Promise<void>, onFailed?: (error: string) => void, pollIntervalMs?: number): {
+        stop: () => void;
+        done: Promise<void>;
+    };
+    /**
+     * Check observability services health via HTTP endpoints
+     * @param masterIp Master node IP address
+     * @returns Object with service health status
+     */
+    checkObservabilityServices(masterIp: string, _nipHostnameToken?: string | null): Promise<{
+        prometheus: 'healthy' | 'unreachable';
+        grafana: 'healthy' | 'unreachable';
+        loki: 'healthy' | 'unreachable';
+        postgres: 'healthy' | 'unreachable';
+        redis: 'healthy' | 'unreachable';
+        fluiApi: 'healthy' | 'unreachable';
+        fluiWeb: 'healthy' | 'unreachable';
+    }>;
+    /**
+     * Check if a TCP port is reachable on a host
+     */
+    private checkTcpPort;
+    /**
+     * Sleep helper
+     */
+    private sleep;
+    waitForValidTls(url: string, timeoutMs?: number, intervalMs?: number, acmeStaging?: boolean): Promise<boolean>;
+    waitForOidcReady(apiBaseUrl: string, timeoutMs?: number, intervalMs?: number, acmeStaging?: boolean): Promise<boolean>;
+}