npm - puls-dev - Versions diffs - 0.2.7 → 0.2.8 - Mend

puls-dev 0.2.7 → 0.2.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

package/dist/core/config.d.ts +2 -0
package/dist/core/decorators.d.ts +2 -0
package/dist/core/decorators.js +48 -16
package/dist/core/hooks.d.ts +21 -0
package/dist/core/hooks.js +116 -0
package/dist/core/hooks.test.d.ts +1 -0
package/dist/core/hooks.test.js +194 -0
package/dist/core/multiregion.test.d.ts +1 -0
package/dist/core/multiregion.test.js +87 -0
package/dist/core/output.d.ts +2 -0
package/dist/core/output.js +9 -2
package/dist/core/parser.d.ts +10 -0
package/dist/core/parser.js +140 -0
package/dist/core/parser.test.d.ts +1 -0
package/dist/core/parser.test.js +117 -0
package/dist/core/provisioner.d.ts +4 -0
package/dist/core/provisioner.js +105 -0
package/dist/core/resource.d.ts +16 -0
package/dist/core/resource.js +44 -0
package/dist/core/secret.d.ts +40 -0
package/dist/core/secret.js +95 -0
package/dist/core/secret.test.d.ts +1 -0
package/dist/core/secret.test.js +166 -0
package/dist/core/stack.d.ts +4 -3
package/dist/core/stack.js +50 -9
package/dist/index.d.ts +2 -0
package/dist/index.js +2 -0
package/dist/providers/aws/ec2.d.ts +48 -0
package/dist/providers/aws/ec2.js +297 -0
package/dist/providers/aws/ec2.test.d.ts +1 -0
package/dist/providers/aws/ec2.test.js +279 -0
package/dist/providers/aws/index.d.ts +2 -0
package/dist/providers/aws/index.js +2 -0
package/dist/providers/aws/route53.d.ts +1 -0
package/dist/providers/aws/route53.js +15 -2
package/dist/providers/aws/route53.test.js +47 -0
package/dist/providers/do/api.d.ts +1 -1
package/dist/providers/do/api.js +2 -1
package/dist/providers/do/app.d.ts +26 -0
package/dist/providers/do/app.js +124 -0
package/dist/providers/do/app.test.d.ts +1 -0
package/dist/providers/do/app.test.js +268 -0
package/dist/providers/do/database.d.ts +44 -0
package/dist/providers/do/database.js +208 -0
package/dist/providers/do/database.test.d.ts +1 -0
package/dist/providers/do/database.test.js +293 -0
package/dist/providers/do/domain.d.ts +2 -0
package/dist/providers/do/domain.js +30 -0
package/dist/providers/do/domain.test.js +49 -0
package/dist/providers/do/droplet.d.ts +9 -0
package/dist/providers/do/droplet.js +132 -8
package/dist/providers/do/droplet.test.js +228 -1
package/dist/providers/do/firewall.d.ts +2 -1
package/dist/providers/do/firewall.js +23 -9
package/dist/providers/do/firewall.test.js +54 -0
package/dist/providers/do/index.d.ts +11 -0
package/dist/providers/do/index.js +8 -0
package/dist/providers/do/spaces.d.ts +27 -0
package/dist/providers/do/spaces.js +142 -0
package/dist/providers/do/spaces.test.d.ts +1 -0
package/dist/providers/do/spaces.test.js +180 -0
package/dist/providers/do/spaces_api.d.ts +2 -0
package/dist/providers/do/spaces_api.js +20 -0
package/dist/providers/do/vpc.d.ts +30 -0
package/dist/providers/do/vpc.js +128 -0
package/dist/providers/do/vpc.test.d.ts +1 -0
package/dist/providers/do/vpc.test.js +258 -0
package/dist/providers/gcp/clouddns.d.ts +1 -0
package/dist/providers/gcp/clouddns.js +15 -2
package/dist/providers/gcp/clouddns.test.js +45 -0
package/dist/providers/gcp/index.d.ts +3 -1
package/dist/providers/gcp/index.js +3 -1
package/dist/providers/gcp/vm.d.ts +45 -0
package/dist/providers/gcp/vm.js +332 -0
package/dist/providers/gcp/vm.test.d.ts +1 -0
package/dist/providers/gcp/vm.test.js +321 -0
package/dist/providers/proxmox/vm.d.ts +4 -4
package/dist/providers/proxmox/vm.js +17 -93
package/dist/providers/proxmox/vm.test.js +77 -0
package/package.json +3 -1

package/dist/providers/do/database.test.js ADDED Viewed

@@ -0,0 +1,293 @@
+import { test, describe, beforeEach, afterEach } from "node:test";
+import assert from "node:assert";
+import { DatabaseBuilder } from "./database.js";
+import { Config } from "../../core/config.js";
+describe("DatabaseBuilder Unit Tests", () => {
+    let originalFetch;
+    let fetchCalls = [];
+    let mockResponses = {};
+    beforeEach(() => {
+        Config.set({
+            dryRun: false,
+            providers: {
+                do: { token: "fake-do-token", defaultRegion: "nyc3" },
+            },
+        });
+        originalFetch = globalThis.fetch;
+        fetchCalls = [];
+        mockResponses = {};
+        globalThis.fetch = async (input, init) => {
+            const url = String(input);
+            const method = init?.method ?? "GET";
+            const body = init?.body ? JSON.parse(init.body) : undefined;
+            const headers = init?.headers;
+            fetchCalls.push({ url, method, body, headers });
+            const matchKey = Object.keys(mockResponses)
+                .filter((key) => {
+                const [mMethod, mPath] = key.split(" ");
+                return method === mMethod && url.includes(mPath);
+            })
+                .sort((a, b) => b.split(" ")[1].length - a.split(" ")[1].length)[0];
+            if (matchKey) {
+                const resp = mockResponses[matchKey];
+                return {
+                    ok: resp.status >= 200 && resp.status < 300,
+                    status: resp.status,
+                    json: async () => resp.body,
+                    text: async () => JSON.stringify(resp.body),
+                };
+            }
+            return {
+                ok: false,
+                status: 404,
+                json: async () => ({ message: "Not found" }),
+                text: async () => "Not found",
+            };
+        };
+    });
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+    });
+    test("gracefully handles discovery when Database Cluster does not exist", async () => {
+        mockResponses["GET /databases"] = {
+            status: 200,
+            body: { databases: [] },
+        };
+        const builder = new DatabaseBuilder("my-db");
+        const discoveryResult = await builder.discoveryPromise;
+        assert.strictEqual(discoveryResult, null);
+        assert.strictEqual(fetchCalls.length, 1);
+        assert.strictEqual(fetchCalls[0].method, "GET");
+        assert.ok(fetchCalls[0].url.includes("/databases"));
+    });
+    test("discovers Database Cluster successfully when it exists", async () => {
+        mockResponses["GET /databases"] = {
+            status: 200,
+            body: {
+                databases: [
+                    {
+                        id: "db-123",
+                        name: "my-db",
+                        status: "online",
+                        connection: {
+                            host: "10.0.0.5",
+                            port: 5432,
+                            uri: "postgresql://user:pass@10.0.0.5:5432/db",
+                            user: "user",
+                            password: "pass",
+                        },
+                    },
+                ],
+            },
+        };
+        const builder = new DatabaseBuilder("my-db");
+        const discoveryResult = await builder.discoveryPromise;
+        assert.ok(discoveryResult);
+        assert.strictEqual(discoveryResult.id, "db-123");
+        assert.strictEqual(discoveryResult.status, "online");
+        const host = await builder.out.host.get();
+        const port = await builder.out.port.get();
+        const uri = await builder.out.uri.get();
+        assert.strictEqual(host, "10.0.0.5");
+        assert.strictEqual(port, 5432);
+        assert.strictEqual(uri, "postgresql://user:pass@10.0.0.5:5432/db");
+    });
+    test("performs clean dry-run planning without making write requests", async () => {
+        Config.set({
+            dryRun: true,
+            providers: { do: { token: "fake-token" } },
+        });
+        mockResponses["GET /databases"] = {
+            status: 200,
+            body: { databases: [] },
+        };
+        const builder = new DatabaseBuilder("my-dry-db")
+            .engine("mysql")
+            .version("8")
+            .size("db-s-2vcpu-4gb")
+            .nodes(2)
+            .vpc("vpc-999")
+            .allowIp("1.1.1.1/32");
+        const result = await builder.deploy();
+        assert.ok(result);
+        assert.strictEqual(result.name, "my-dry-db");
+        assert.strictEqual(result.id, "PENDING");
+        // Discover should run, but no creations/firewall writes
+        const writeCalls = fetchCalls.filter((c) => c.method !== "GET");
+        assert.strictEqual(writeCalls.length, 0);
+        const host = await builder.out.host.get();
+        assert.strictEqual(host, "127.0.0.1");
+    });
+    test("deploys new Database Cluster and awaits status: online", async () => {
+        mockResponses["GET /databases"] = {
+            status: 200,
+            body: { databases: [] },
+        };
+        mockResponses["POST /databases"] = {
+            status: 201,
+            body: { database: { id: "new-db-id", name: "my-db-new", status: "provisioning" } },
+        };
+        let pollCount = 0;
+        mockResponses["GET /databases/new-db-id"] = {
+            status: 200,
+            get body() {
+                pollCount++;
+                if (pollCount === 1) {
+                    return { database: { id: "new-db-id", status: "provisioning" } };
+                }
+                return {
+                    database: {
+                        id: "new-db-id",
+                        status: "online",
+                        connection: {
+                            host: "db-node.example.com",
+                            port: 3306,
+                            uri: "mysql://admin:secret@db-node.example.com:3306/db",
+                            user: "admin",
+                            password: "secret",
+                        },
+                    },
+                };
+            },
+        };
+        mockResponses["PUT /databases/new-db-id/firewall"] = {
+            status: 204,
+            body: {},
+        };
+        const builder = new DatabaseBuilder("my-db-new")
+            .engine("mysql")
+            .version("8.0")
+            .size("db-s-1vcpu-1gb")
+            .nodes(1)
+            .allowIp("1.2.3.4/32");
+        // Instantly check status
+        builder.waitFor = async (label, condition) => {
+            let done = false;
+            while (!done) {
+                done = await condition();
+            }
+        };
+        const result = await builder.deploy();
+        assert.ok(result);
+        assert.strictEqual(result.id, "new-db-id");
+        assert.strictEqual(result.status, "online");
+        const host = await builder.out.host.get();
+        assert.strictEqual(host, "db-node.example.com");
+        const postCall = fetchCalls.find((c) => c.method === "POST" && c.url.includes("/databases"));
+        assert.ok(postCall);
+        assert.deepStrictEqual(postCall.body, {
+            name: "my-db-new",
+            engine: "mysql",
+            version: "8.0",
+            region: "nyc3",
+            size: "db-s-1vcpu-1gb",
+            num_nodes: 1,
+        });
+        const firewallCall = fetchCalls.find((c) => c.method === "PUT" && c.url.includes("/databases/new-db-id/firewall"));
+        assert.ok(firewallCall);
+        assert.deepStrictEqual(firewallCall.body, {
+            rules: [{ type: "ip_addr", value: "1.2.3.4/32" }],
+        });
+    });
+    test("deploys new Database Cluster with private VPC network assignment", async () => {
+        mockResponses["GET /databases"] = {
+            status: 200,
+            body: { databases: [] },
+        };
+        mockResponses["POST /databases"] = {
+            status: 201,
+            body: { database: { id: "vpc-db-id", name: "my-vpc-db", status: "provisioning" } },
+        };
+        mockResponses["GET /databases/vpc-db-id"] = {
+            status: 200,
+            body: {
+                database: {
+                    id: "vpc-db-id",
+                    status: "online",
+                    private_connection: {
+                        host: "db-node.private.int",
+                        port: 5432,
+                        uri: "postgresql://user:pwd@db-node.private.int:5432/db",
+                        user: "user",
+                        password: "pwd",
+                    },
+                    connection: {
+                        host: "db-node.public.com",
+                        port: 5432,
+                        uri: "postgresql://user:pwd@db-node.public.com:5432/db",
+                        user: "user",
+                        password: "pwd",
+                    },
+                },
+            },
+        };
+        const builder = new DatabaseBuilder("my-vpc-db")
+            .engine("pg")
+            .vpc("my-custom-vpc-uuid");
+        builder.waitFor = async (label, condition) => {
+            await condition();
+        };
+        const result = await builder.deploy();
+        assert.ok(result);
+        const host = await builder.out.host.get();
+        // Should prefer private VPC host!
+        assert.strictEqual(host, "db-node.private.int");
+        const postCall = fetchCalls.find((c) => c.method === "POST" && c.url.includes("/databases"));
+        assert.ok(postCall);
+        assert.strictEqual(postCall.body.private_network_uuid, "my-custom-vpc-uuid");
+    });
+    test("updates firewall rules (trusted sources) on existing cluster", async () => {
+        mockResponses["GET /databases"] = {
+            status: 200,
+            body: {
+                databases: [
+                    {
+                        id: "db-123",
+                        name: "my-db",
+                        status: "online",
+                        connection: {
+                            host: "10.0.0.5",
+                            port: 5432,
+                            uri: "postgresql://user:pass@10.0.0.5:5432/db",
+                            user: "user",
+                            password: "pass",
+                        },
+                    },
+                ],
+            },
+        };
+        mockResponses["PUT /databases/db-123/firewall"] = {
+            status: 204,
+            body: {},
+        };
+        const builder = new DatabaseBuilder("my-db")
+            .allowDroplet("99999");
+        await builder.deploy();
+        const putCall = fetchCalls.find((c) => c.method === "PUT" && c.url.includes("/databases/db-123/firewall"));
+        assert.ok(putCall);
+        assert.deepStrictEqual(putCall.body, {
+            rules: [{ type: "droplet", value: "99999" }],
+        });
+    });
+    test("destroys Database Cluster successfully", async () => {
+        mockResponses["GET /databases"] = {
+            status: 200,
+            body: {
+                databases: [
+                    { id: "db-123", name: "my-db-del" },
+                ],
+            },
+        };
+        mockResponses["DELETE /databases/db-123"] = {
+            status: 204,
+            body: {},
+        };
+        const builder = new DatabaseBuilder("my-db-del");
+        await builder.discoveryPromise;
+        const result = await builder.destroy();
+        assert.deepStrictEqual(result, { destroyed: "my-db-del" });
+        const deleteCall = fetchCalls.find((c) => c.method === "DELETE");
+        assert.ok(deleteCall);
+        assert.ok(deleteCall.url.endsWith("/databases/db-123"));
+    });
+});

package/dist/providers/do/domain.d.ts CHANGED Viewed

@@ -17,6 +17,8 @@ export declare class DomainBuilder extends BaseBuilder {
     constructor(domainName: string);
     private discoverDomain;
     withSSL(): this;
+    record(filePath: string): this;
+    record(name: string, type: DNSRecord["type"], value: string | DropletBuilder | Output<string>, ttl?: number, priority?: number, port?: number, weight?: number, flags?: number, tag?: string): this;
     pointer(name: string, target: DropletBuilder | Output<string> | string): this;
     cname(name: string, target: string): this;
     aaaa(name: string, target: string | Output<string>): this;

package/dist/providers/do/domain.js CHANGED Viewed

@@ -3,6 +3,7 @@ import { Output } from "../../core/output.js";
 import { DropletBuilder } from "./droplet.js";
 import { CertificateBuilder } from "./certificate.js";
 import { getDoApi } from "./api.js";
+import { loadRecordsFromFile } from "../../core/parser.js";
 export class DomainBuilder extends BaseBuilder {
     domainName;
     records = [];
@@ -27,6 +28,35 @@ export class DomainBuilder extends BaseBuilder {
         this.sidecars.push(cert);
         return this;
     }
+    record(nameOrPath, type, value, ttl, priority, port, weight, flags, tag) {
+        if (arguments.length === 1 && typeof nameOrPath === "string" && (nameOrPath.endsWith(".yaml") || nameOrPath.endsWith(".yml") || nameOrPath.endsWith(".json"))) {
+            const loaded = loadRecordsFromFile(nameOrPath);
+            for (const r of loaded) {
+                this.records.push({
+                    name: r.name,
+                    type: r.type,
+                    value: r.value,
+                    priority: r.priority,
+                    port: r.port,
+                    weight: r.weight,
+                    flags: r.flags,
+                    tag: r.tag,
+                });
+            }
+            return this;
+        }
+        this.records.push({
+            name: nameOrPath,
+            type: type,
+            value: value,
+            priority,
+            port,
+            weight,
+            flags,
+            tag,
+        });
+        return this;
+    }
     pointer(name, target) {
         this.records.push({ type: "A", name, value: target });
         return this;

package/dist/providers/do/domain.test.js CHANGED Viewed

@@ -1,5 +1,7 @@
 import { test, describe, beforeEach, afterEach } from "node:test";
 import assert from "node:assert";
+import fs from "node:fs";
+import path from "node:path";
 import { DomainBuilder } from "./domain.js";
 import { Config } from "../../core/config.js";
 describe("DomainBuilder Unit Tests", () => {
@@ -197,4 +199,51 @@ describe("DomainBuilder Unit Tests", () => {
         assert.ok(deleteCall);
         assert.ok(deleteCall.url.endsWith("/domains/destroy.com"));
     });
+    test("loads records from a configuration file (YAML) successfully", async () => {
+        mockResponses["GET /domains/file-do.com"] = {
+            status: 200,
+            body: { domain: { name: "file-do.com" } }
+        };
+        mockResponses["GET /domains/file-do.com/records?per_page=200"] = {
+            status: 200,
+            body: { domain_records: [] }
+        };
+        mockResponses["POST /domains/file-do.com/records"] = {
+            status: 201,
+            body: { domain_record: { id: 201 } }
+        };
+        // Mock YAML file creation
+        const tempYamlPath = path.resolve(process.cwd(), "temp-do-records.yaml");
+        const yamlContent = `
+- name: www
+  type: CNAME
+  value: lb.google.com
+- name: mail
+  type: A
+  value: 1.2.3.4
+`;
+        fs.writeFileSync(tempYamlPath, yamlContent, "utf-8");
+        try {
+            const builder = new DomainBuilder("file-do.com")
+                .record("temp-do-records.yaml")
+                .record("api", "A", "10.0.0.9"); // Hybrid programmatic record!
+            const result = await builder.deploy();
+            assert.strictEqual(result.records.length, 3);
+            const wwwRec = result.records.find((r) => r.name === "www");
+            assert.ok(wwwRec);
+            assert.strictEqual(wwwRec.type, "CNAME");
+            assert.strictEqual(wwwRec.value, "lb.google.com");
+            const mailRec = result.records.find((r) => r.name === "mail");
+            assert.ok(mailRec);
+            assert.strictEqual(mailRec.type, "A");
+            assert.strictEqual(mailRec.value, "1.2.3.4");
+            const apiRec = result.records.find((r) => r.name === "api");
+            assert.ok(apiRec);
+            assert.strictEqual(apiRec.value, "10.0.0.9");
+        }
+        finally {
+            if (fs.existsSync(tempYamlPath))
+                fs.unlinkSync(tempYamlPath);
+        }
+    });
 });

package/dist/providers/do/droplet.d.ts CHANGED Viewed

@@ -12,6 +12,8 @@ export declare class DropletBuilder extends BaseBuilder {
     private dropletId?;
     private resolvedIp?;
     private sshKeyPath?;
+    private _provision;
+    private _forceConfigCheck;
     constructor(name: string);
     private discoverDroplet;
     getPublicIp(): Promise<string | undefined>;
@@ -20,6 +22,11 @@ export declare class DropletBuilder extends BaseBuilder {
     region(region: (typeof REGION)[keyof typeof REGION] | string): this;
     size(size: (typeof SIZE)[keyof typeof SIZE] | string): this;
     sslKey(keyPath: string): this;
+    vpc(uuid: string | Output<string>): this;
+    provision(...playbookPaths: (string | string[])[]): this;
+    forceConfigCheck(): this;
+    protected checkPort(ip: string, port: number): Promise<boolean>;
+    protected runProvisioner(ip: string, script: string): Promise<void>;
     private resolveOrRegisterSshKey;
     deploy(): Promise<any>;
     destroy(): Promise<any>;
@@ -33,3 +40,5 @@ export declare const DO: {
     Domain: (name: string) => DomainBuilder;
     LoadBalancer: (name: string) => LoadBalancerBuilder;
 };
+export declare function parseDropletTagsForProvision(tags: string[]): Record<string, string>;
+export declare function generateDropletTagForProvision(playbook: string, hash: string): string;

package/dist/providers/do/droplet.js CHANGED Viewed

@@ -8,6 +8,8 @@ import { FirewallBuilder } from './firewall.js';
 import { DomainBuilder } from './domain.js';
 import { LoadBalancerBuilder } from './load_balancer.js';
 import { getDoApi } from './api.js';
+import { checkPort, runProvisioner } from '../../core/provisioner.js';
+import { getFileHash } from '../proxmox/hash.js';
 export class DropletBuilder extends BaseBuilder {
     out = {
         ip: new Output(),
@@ -21,6 +23,8 @@ export class DropletBuilder extends BaseBuilder {
     dropletId;
     resolvedIp;
     sshKeyPath;
+    _provision = [];
+    _forceConfigCheck = false;
     constructor(name) {
         super(name);
         this.discoveryPromise = this.discoverDroplet(name);
@@ -69,6 +73,25 @@ export class DropletBuilder extends BaseBuilder {
         this.sshKeyPath = keyPath.replace('~', homedir());
         return this;
     }
+    vpc(uuid) {
+        this.config.vpc_uuid = uuid;
+        return this;
+    }
+    provision(...playbookPaths) {
+        this._provision.push(...playbookPaths.flat());
+        return this;
+    }
+    forceConfigCheck() {
+        this._forceConfigCheck = true;
+        return this;
+    }
+    async checkPort(ip, port) {
+        return checkPort(ip, port);
+    }
+    async runProvisioner(ip, script) {
+        const keyPath = this.sshKeyPath ? this.sshKeyPath : undefined;
+        return runProvisioner(ip, "root", keyPath, script);
+    }
     async resolveOrRegisterSshKey(api) {
         const pubPath = this.sshKeyPath.replace(/\.pub$/, '') + '.pub';
         const pubKey = fs.readFileSync(pubPath, 'utf8').trim();
@@ -90,16 +113,46 @@ export class DropletBuilder extends BaseBuilder {
             : true;
         if (await this.checkProtection(hasChanges))
             return null;
+        // Provisioning Calculations
+        const appliedHashes = existing ? parseDropletTagsForProvision(existing.tags || []) : {};
+        const declaredPlaybooksWithHashes = this._provision.map((p) => {
+            const baseName = p.split("/").pop() ?? p;
+            const slug = baseName.toLowerCase().replace(/[^a-z0-9_-]/g, '-');
+            return { path: p, slug, hash: getFileHash(p) };
+        });
+        const playbooksToRun = this._forceConfigCheck
+            ? declaredPlaybooksWithHashes
+            : declaredPlaybooksWithHashes.filter((p) => {
+                const appliedHash = appliedHashes[p.slug];
+                return !appliedHash || appliedHash !== p.hash;
+            });
+        const playbookRunRequired = playbooksToRun.length > 0;
         if (dryRun) {
             console.log(`\n🔍 [DRY RUN] "${this.name}"...`);
             if (!existing) {
                 const keyHint = this.sshKeyPath ? ` + key ${this.sshKeyPath.split('/').pop()}` : '';
-                console.log(`   📝 Plan: Create droplet ${this.name} (${this.config.size} in ${this.config.region}${keyHint})`);
+                let vpcHint = '';
+                if (this.config.vpc_uuid) {
+                    const vpcVal = this.config.vpc_uuid instanceof Output ? 'PENDING' : this.config.vpc_uuid;
+                    vpcHint = ` in VPC ${vpcVal}`;
+                }
+                console.log(`   📝 Plan: Create droplet ${this.name} (${this.config.size} in ${this.config.region}${vpcHint}${keyHint})`);
+                if (this._provision.length > 0) {
+                    console.log(`      └─ Provision: ${this._provision.join(", ")}`);
+                }
                 this.out.id.resolve(-1);
                 this.out.ip.resolve('0.0.0.0');
             }
-            else if (hasChanges) {
-                console.log(`   📝 Plan: Resize ${this.name} → ${this.config.size}`);
+            else if (hasChanges || playbookRunRequired) {
+                if (hasChanges) {
+                    console.log(`   📝 Plan: Resize ${this.name} → ${this.config.size}`);
+                }
+                if (playbookRunRequired) {
+                    console.log(`   📝 [PLAN] Run ${playbooksToRun.length} playbook changes on existing droplet:`);
+                    for (const p of playbooksToRun) {
+                        console.log(`      └─ Playbook: ${p.path} (hash: ${p.hash})`);
+                    }
+                }
             }
             else {
                 console.log(`   ✅ ${this.name} is up to date.`);
@@ -111,12 +164,23 @@ export class DropletBuilder extends BaseBuilder {
         console.log(`\n⏳ Finalizing "${this.name}"...`);
         if (!existing) {
             const sshKeyIds = this.sshKeyPath ? [await this.resolveOrRegisterSshKey(api)] : [];
+            let resolvedVpcUuid;
+            if (this.config.vpc_uuid) {
+                resolvedVpcUuid = this.config.vpc_uuid instanceof Output ? await this.config.vpc_uuid.get() : this.config.vpc_uuid;
+            }
+            const initialTags = [];
+            for (const playbook of this._provision) {
+                const hash = getFileHash(playbook);
+                initialTags.push(generateDropletTagForProvision(playbook, hash));
+            }
             const result = await api.post('/droplets', {
                 name: this.name,
                 region: this.config.region,
                 size: this.config.size,
                 image: this.config.image,
                 ...(sshKeyIds.length && { ssh_keys: sshKeyIds }),
+                ...(resolvedVpcUuid && { vpc_uuid: resolvedVpcUuid }),
+                ...(initialTags.length && { tags: initialTags }),
             });
             this.dropletId = result.droplet.id;
             this.out.id.resolve(this.dropletId);
@@ -134,13 +198,57 @@ export class DropletBuilder extends BaseBuilder {
                 this.out.ip.resolve(this.resolvedIp);
                 console.log(`   🌐 Public IP: ${this.resolvedIp}`);
             }
-        }
-        else if (hasChanges) {
-            console.log(`✨ Resizing ${this.name} → ${this.config.size}...`);
-            await api.post(`/droplets/${this.dropletId}/actions`, { type: 'resize', size: this.config.size });
+            if (this._provision.length > 0) {
+                const activeIp = this.resolvedIp ?? '0.0.0.0';
+                if (activeIp === '0.0.0.0') {
+                    throw new Error(`Failed to resolve IP for new droplet "${this.name}" to run playbooks`);
+                }
+                await this.waitFor(`SSH on ${activeIp} to be ready`, () => this.checkPort(activeIp, 22), { intervalMs: 10_000, timeoutMs: 300_000 });
+                for (const playbook of this._provision) {
+                    await this.runProvisioner(activeIp, playbook);
+                }
+            }
         }
         else {
-            console.log(`✅ ${this.name} is up to date.`);
+            if (hasChanges) {
+                console.log(`✨ Resizing ${this.name} → ${this.config.size}...`);
+                await api.post(`/droplets/${this.dropletId}/actions`, { type: 'resize', size: this.config.size });
+            }
+            if (playbookRunRequired) {
+                console.log(`   🔄 Running ${playbooksToRun.length} playbook changes...`);
+                const activeIp = this.resolvedIp ?? '0.0.0.0';
+                if (activeIp === '0.0.0.0') {
+                    throw new Error(`Failed to resolve IP for existing droplet "${this.name}" to run playbooks`);
+                }
+                await this.waitFor(`SSH on ${activeIp} to be ready`, () => this.checkPort(activeIp, 22), { intervalMs: 10_000, timeoutMs: 300_000 });
+                for (const p of playbooksToRun) {
+                    await this.runProvisioner(activeIp, p.path);
+                    // Update tags on DigitalOcean Droplet
+                    const oldHash = appliedHashes[p.slug];
+                    if (oldHash) {
+                        const oldTag = `puls-h-${p.slug}-${oldHash}`;
+                        try {
+                            await api.delete(`/tags/${encodeURIComponent(oldTag)}/resources`, {
+                                resources: [{ id: String(this.dropletId), type: 'droplet' }]
+                            });
+                        }
+                        catch { }
+                    }
+                    const newTag = `puls-h-${p.slug}-${p.hash}`;
+                    try {
+                        await api.post('/tags', { name: newTag });
+                    }
+                    catch { }
+                    await api.post(`/tags/${encodeURIComponent(newTag)}/resources`, {
+                        resources: [{ id: String(this.dropletId), type: 'droplet' }]
+                    });
+                    appliedHashes[p.slug] = p.hash;
+                }
+                console.log(`   ✅ Playbooks applied successfully and metadata updated.`);
+            }
+            if (!hasChanges && !playbookRunRequired) {
+                console.log(`✅ ${this.name} is up to date.`);
+            }
         }
         for (const sidecar of this.sidecars)
             await sidecar.deploy();
@@ -178,3 +286,19 @@ export const DO = {
     Domain: (name) => new DomainBuilder(name),
     LoadBalancer: (name) => new LoadBalancerBuilder(name),
 };
+export function parseDropletTagsForProvision(tags) {
+    const result = {};
+    for (const tag of tags) {
+        const match = tag.match(/^puls-h-([a-zA-Z0-9_-]+)-([a-f0-9]{12})$/);
+        if (match) {
+            const [_, playbookName, hash] = match;
+            result[playbookName] = hash;
+        }
+    }
+    return result;
+}
+export function generateDropletTagForProvision(playbook, hash) {
+    const baseName = playbook.split('/').pop() ?? playbook;
+    const slug = baseName.toLowerCase().replace(/[^a-z0-9_-]/g, '-');
+    return `puls-h-${slug}-${hash}`;
+}