puls-dev 0.2.8 → 0.2.9

package/dist/core/checker.js

@@ -123,6 +123,53 @@ function renderAws(inv) {
         ]);
     }
 }
+function renderGcp(inv) {
+    if (inv.vms.length > 0) {
+        printSection(`GCP Compute VMs  ·  ${inv.vms.length}`, inv.vms, [
+            { header: "Name", width: 24, render: (v) => v.name },
+            { header: "Zone", width: 15, render: (v) => v.zone },
+            { header: "Machine Type", width: 14, render: (v) => v.machineType },
+            { header: "Status", width: 8, render: (v) => v.status },
+            { header: "IP", width: 15, render: (v) => v.ip },
+        ]);
+    }
+    if (inv.rdsInstances.length > 0) {
+        printSection(`GCP Cloud SQL  ·  ${inv.rdsInstances.length}`, inv.rdsInstances, [
+            { header: "Name", width: 24, render: (i) => i.name },
+            { header: "Engine", width: 18, render: (i) => i.engine },
+            { header: "Tier", width: 12, render: (i) => i.tier },
+            { header: "Status", width: 10, render: (i) => i.status },
+        ]);
+    }
+    if (inv.distributions.length > 0) {
+        printSection(`GCP Cloud Run  ·  ${inv.distributions.length}`, inv.distributions, [
+            { header: "Service", width: 24, render: (s) => s.name },
+            { header: "Region", width: 12, render: (s) => s.region },
+            { header: "URL", width: 42, render: (s) => s.url },
+        ]);
+    }
+    if (inv.hostedZones.length > 0) {
+        printSection(`GCP Cloud DNS  ·  ${inv.hostedZones.length}`, inv.hostedZones, [
+            { header: "Zone", width: 24, render: (z) => z.name },
+            { header: "DNS Name", width: 32, render: (z) => z.dnsName },
+        ]);
+    }
+}
+function renderFirebase(inv) {
+    if (inv.hostingSites.length > 0) {
+        printSection(`Firebase Hosting  ·  ${inv.hostingSites.length}`, inv.hostingSites, [
+            { header: "Site ID", width: 32, render: (s) => s.site },
+        ]);
+    }
+    if (inv.functions.length > 0) {
+        printSection(`Firebase Functions  ·  ${inv.functions.length}`, inv.functions, [
+            { header: "Function", width: 24, render: (f) => f.name },
+            { header: "Region", width: 12, render: (f) => f.region },
+            { header: "Entry Point", width: 18, render: (f) => f.entryPoint },
+            { header: "Runtime", width: 10, render: (f) => f.runtime },
+        ]);
+    }
+}
 // ─── Checker ──────────────────────────────────────────────────────────────────
 export class Checker {
     async check() {
@@ -161,6 +208,26 @@ export class Checker {
                 errors.push({ provider: "aws", message: err.message });
             }));
         }
+        if (cfg.providers.gcp?.serviceAccountPath || process.env.GCP_SA) {
+            tasks.push(import("../providers/gcp/list.js")
+                .then((m) => m.listGcpResources())
+                .then((inv) => {
+                result.gcp = inv;
+            })
+                .catch((err) => {
+                errors.push({ provider: "gcp", message: err.message });
+            }));
+        }
+        if (cfg.providers.firebase?.serviceAccountPath || process.env.FIREBASE_SA) {
+            tasks.push(import("../providers/firebase/list.js")
+                .then((m) => m.listFirebaseResources())
+                .then((inv) => {
+                result.firebase = inv;
+            })
+                .catch((err) => {
+                errors.push({ provider: "firebase", message: err.message });
+            }));
+        }
         await Promise.all(tasks);
         if (result.proxmox)
             renderProxmox(result.proxmox);
@@ -168,6 +235,10 @@ export class Checker {
             renderDo(result.do);
         if (result.aws)
             renderAws(result.aws);
+        if (result.gcp)
+            renderGcp(result.gcp);
+        if (result.firebase)
+            renderFirebase(result.firebase);
         for (const e of errors) {
             console.warn(`\n  [!] ${e.provider}: ${e.message}`);
         }

package/dist/core/config.d.ts

@@ -1,5 +1,7 @@
 export interface GlobalConfig {
     dryRun?: boolean;
+    parallel?: boolean;
+    offline?: boolean;
     providers: {
         do?: {
             token: string;
@@ -37,6 +39,8 @@ declare class ConfigManager {
     set(newConfig: Partial<GlobalConfig>): void;
     get(): GlobalConfig;
     isGlobalDryRun(): boolean;
+    isParallelActive(): boolean;
+    isOfflineMode(): boolean;
 }
 export declare const Config: ConfigManager;
 export {};

package/dist/core/config.js

@@ -3,7 +3,11 @@ class ConfigManager {
         providers: {},
     };
     set(newConfig) {
-        this.config = { ...this.config, ...newConfig };
+        this.config = {
+            ...this.config,
+            ...newConfig,
+            providers: { ...this.config.providers, ...newConfig.providers },
+        };
     }
     get() {
         return this.config;
@@ -11,5 +15,11 @@ class ConfigManager {
     isGlobalDryRun() {
         return this.config.dryRun ?? false;
     }
+    isParallelActive() {
+        return this.config.parallel ?? false;
+    }
+    isOfflineMode() {
+        return this.config.offline ?? false;
+    }
 }
 export const Config = new ConfigManager();

package/dist/core/context.d.ts

@@ -0,0 +1,14 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+export interface HostEntry {
+    name: string;
+    ip: string;
+    user: string;
+    sshKey?: string;
+    provider: string;
+}
+export interface ResourceContext {
+    abortSignal?: AbortSignal;
+    hosts?: HostEntry[];
+    stackName?: string;
+}
+export declare const resourceContextStorage: AsyncLocalStorage<ResourceContext>;

package/dist/core/context.js

@@ -0,0 +1,2 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+export const resourceContextStorage = new AsyncLocalStorage();

package/dist/core/decorators.d.ts

@@ -4,6 +4,8 @@ type ProviderOpts = {
     region?: string;
     regions?: string[];
     dryRun?: boolean;
+    parallel?: boolean;
+    offline?: boolean;
     firebase?: string;
     proxmox?: {
         url: string;

package/dist/core/decorators.js

@@ -5,27 +5,21 @@ import { Stack } from "./stack.js";
 function applyConfig(opts) {
     if (opts.dryRun !== undefined)
         Config.set({ dryRun: opts.dryRun });
+    if (opts.parallel !== undefined)
+        Config.set({ parallel: opts.parallel });
+    if (opts.offline !== undefined)
+        Config.set({ offline: opts.offline });
     if (opts.token)
-        Config.set({
-            providers: { ...Config.get().providers, do: { token: opts.token } },
-        });
+        Config.set({ providers: { do: { token: opts.token } } });
     if (opts.region)
-        Config.set({
-            providers: { ...Config.get().providers, aws: { region: opts.region } },
-        });
+        Config.set({ providers: { aws: { region: opts.region } } });
     if (opts.proxmox)
-        Config.set({
-            providers: { ...Config.get().providers, proxmox: opts.proxmox },
-        });
+        Config.set({ providers: { proxmox: opts.proxmox } });
     if (opts.firebase) {
         const sa = JSON.parse(readFileSync(opts.firebase, "utf8"));
         Config.set({
             providers: {
-                ...Config.get().providers,
-                firebase: {
-                    projectId: sa.project_id,
-                    serviceAccountPath: opts.firebase,
-                },
+                firebase: { projectId: sa.project_id, serviceAccountPath: opts.firebase },
             },
         });
     }

package/dist/core/parallel.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/core/parallel.test.js

@@ -0,0 +1,215 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+import { test, describe, beforeEach } from "node:test";
+import assert from "node:assert";
+import { Stack } from "./stack.js";
+import { Deploy } from "./decorators.js";
+import { BaseBuilder } from "./resource.js";
+import { Config } from "./config.js";
+import { Output } from "./output.js";
+// Helper delay
+const delay = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+class DelayResource extends BaseBuilder {
+    delayMs;
+    executionLogs;
+    out = {
+        val: new Output(),
+    };
+    constructor(name, delayMs, executionLogs) {
+        super(name);
+        this.delayMs = delayMs;
+        this.executionLogs = executionLogs;
+    }
+    async deploy() {
+        this.executionLogs.push(`start:${this.name}`);
+        await delay(this.delayMs);
+        this.executionLogs.push(`end:${this.name}`);
+        this.out.val.resolve(this.name);
+        return { name: this.name };
+    }
+    async destroy() {
+        this.executionLogs.push(`destroy:${this.name}`);
+        await delay(this.delayMs);
+        return { name: this.name, destroyed: true };
+    }
+}
+class FailResource extends BaseBuilder {
+    async deploy() {
+        throw new Error("Failed to deploy!");
+    }
+}
+describe("Parallel Resource Deployment Unit Tests", () => {
+    let logs = [];
+    beforeEach(() => {
+        Config.set({
+            dryRun: false,
+            parallel: false,
+            providers: {},
+        });
+        logs = [];
+    });
+    test("runs sequential deployments by default (verifies base case)", async () => {
+        class SeqStack extends Stack {
+            r1 = new DelayResource("r1", 30, logs);
+            r2 = new DelayResource("r2", 30, logs);
+        }
+        const start = Date.now();
+        const stack = new SeqStack();
+        await stack.deploy();
+        const duration = Date.now() - start;
+        // In sequential, execution is r1 start -> r1 end -> r2 start -> r2 end
+        assert.deepStrictEqual(logs, [
+            "start:r1",
+            "end:r1",
+            "start:r2",
+            "end:r2"
+        ]);
+        assert.ok(duration >= 60, `Sequential should take at least 60ms, took ${duration}ms`);
+    });
+    test("runs parallel deployments concurrently when opted in", async () => {
+        // Enable parallel globally for the stack run
+        Config.set({
+            dryRun: false,
+            parallel: true,
+            providers: {},
+        });
+        class ParStack extends Stack {
+            r1 = new DelayResource("r1", 40, logs);
+            r2 = new DelayResource("r2", 40, logs);
+        }
+        const start = Date.now();
+        const stack = new ParStack();
+        await stack.deploy();
+        const duration = Date.now() - start;
+        // In parallel, both start before either finishes:
+        // start:r1 and start:r2 will both be printed first.
+        assert.strictEqual(logs[0].startsWith("start:"), true);
+        assert.strictEqual(logs[1].startsWith("start:"), true);
+        assert.ok(logs.includes("end:r1"));
+        assert.ok(logs.includes("end:r2"));
+        // Total duration should be closer to 40ms than 80ms
+        assert.ok(duration < 75, `Parallel should take less than 75ms (sum), took ${duration}ms`);
+    });
+    test("respects explicit dependsOn() ordering in parallel mode", async () => {
+        Config.set({
+            dryRun: false,
+            parallel: true,
+            providers: {},
+        });
+        class DependencyStack extends Stack {
+            // r1 depends on r2
+            r1 = new DelayResource("r1", 20, logs);
+            r2 = new DelayResource("r2", 20, logs);
+            constructor() {
+                super();
+                this.r1.dependsOn(this.r2);
+            }
+        }
+        const stack = new DependencyStack();
+        await stack.deploy();
+        // Since r1 depends on r2, r2 must fully complete before r1 starts
+        const r2StartIndex = logs.indexOf("start:r2");
+        const r2EndIndex = logs.indexOf("end:r2");
+        const r1StartIndex = logs.indexOf("start:r1");
+        assert.ok(r2StartIndex < r2EndIndex);
+        assert.ok(r2EndIndex < r1StartIndex);
+    });
+    test("respects implicit Output waiting in parallel mode", async () => {
+        Config.set({
+            dryRun: false,
+            parallel: true,
+            providers: {},
+        });
+        class OutputAwaitingResource extends BaseBuilder {
+            dependentVal;
+            executionLogs;
+            constructor(name, dependentVal, executionLogs) {
+                super(name);
+                this.dependentVal = dependentVal;
+                this.executionLogs = executionLogs;
+            }
+            async deploy() {
+                this.executionLogs.push(`start:${this.name}`);
+                // Blocks on the Output of the other resource!
+                const val = await this.dependentVal.get();
+                this.executionLogs.push(`end:${this.name}:${val}`);
+                return { name: this.name };
+            }
+        }
+        class OutputStack extends Stack {
+            r1 = new DelayResource("r1", 30, logs);
+            // r2 depends implicitly on r1's output
+            r2 = new OutputAwaitingResource("r2", this.r1.out.val, logs);
+        }
+        const stack = new OutputStack();
+        await stack.deploy();
+        // r2 starts in parallel, but it cannot end until r1 finishes and resolves the output
+        const r2StartIndex = logs.indexOf("start:r2");
+        const r1EndIndex = logs.indexOf("end:r1");
+        const r2EndIndex = logs.findIndex(line => line.startsWith("end:r2"));
+        assert.ok(r2StartIndex >= 0);
+        assert.ok(r1EndIndex >= 0);
+        assert.ok(r1EndIndex < r2EndIndex, `r1 end (${r1EndIndex}) must be before r2 end (${r2EndIndex})`);
+        assert.ok(logs.includes("end:r2:r1"));
+    });
+    test("runs parallel teardowns in reverse topological order on @Destroy", async () => {
+        Config.set({
+            dryRun: false,
+            parallel: true,
+            providers: {},
+        });
+        class TeardownStack extends Stack {
+            r1 = new DelayResource("r1", 20, logs);
+            r2 = new DelayResource("r2", 20, logs);
+            constructor() {
+                super();
+                // r2 depends on r1 during deploy (so r1 deploys first).
+                // Teardown should destroy r2 first, then r1!
+                this.r2.dependsOn(this.r1);
+            }
+        }
+        const stack = new TeardownStack();
+        await stack.destroy();
+        const r2DestroyIndex = logs.indexOf("destroy:r2");
+        const r1DestroyIndex = logs.indexOf("destroy:r1");
+        // r2 depends on r1, so r2 must be fully destroyed BEFORE r1 begins destruction
+        assert.ok(r2DestroyIndex < r1DestroyIndex, `r2 destroy (${r2DestroyIndex}) must be before r1 destroy (${r1DestroyIndex})`);
+    });
+    test("halts execution of dependent resources if a dependency fails", async () => {
+        Config.set({
+            dryRun: false,
+            parallel: true,
+            providers: {},
+        });
+        class FailStack extends Stack {
+            r1 = new FailResource("r1");
+            r2 = new DelayResource("r2", 30, logs);
+            constructor() {
+                super();
+                this.r2.dependsOn(this.r1);
+            }
+        }
+        const stack = new FailStack();
+        await assert.rejects(async () => {
+            await stack.deploy();
+        }, /Failed to deploy!/);
+        // r2 should never have started because its dependency r1 failed!
+        assert.strictEqual(logs.includes("start:r2"), false);
+    });
+    test("decorator option propagation sets configuration values", async () => {
+        // Clear parallel flag
+        Config.set({ parallel: false });
+        // We define a decorated simple stack
+        let SimpleDecoStack = class SimpleDecoStack extends Stack {
+        };
+        SimpleDecoStack = __decorate([
+            Deploy({ parallel: true })
+        ], SimpleDecoStack);
+        // Verify decorator correctly updated global configuration to true
+        assert.strictEqual(Config.isParallelActive(), true);
+    });
+});

package/dist/core/production.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/core/production.test.js

@@ -0,0 +1,189 @@
+import { test, describe, beforeEach } from "node:test";
+import assert from "node:assert";
+import { Stack } from "./stack.js";
+import { Config } from "./config.js";
+import { Output } from "./output.js";
+import { BaseBuilder } from "./resource.js";
+import { Secret } from "./secret.js";
+import { resourceContextStorage } from "./context.js";
+import { runAnsible } from "./provisioner.js";
+const delay = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+class DelayResource extends BaseBuilder {
+    delayMs;
+    executionLogs;
+    out = { val: new Output() };
+    constructor(name, delayMs, executionLogs) {
+        super(name);
+        this.delayMs = delayMs;
+        this.executionLogs = executionLogs;
+    }
+    async deploy() {
+        this.executionLogs.push(`start:${this.name}`);
+        await delay(this.delayMs);
+        this.executionLogs.push(`end:${this.name}`);
+        return { name: this.name };
+    }
+}
+class FailResource extends BaseBuilder {
+    async deploy() {
+        throw new Error("Failure in deploy!");
+    }
+}
+class AbortResource extends BaseBuilder {
+    signalLogs;
+    constructor(name, signalLogs) {
+        super(name);
+        this.signalLogs = signalLogs;
+    }
+    async deploy() {
+        const signal = resourceContextStorage.getStore()?.abortSignal;
+        if (signal) {
+            if (signal.aborted) {
+                this.signalLogs.push(`aborted-before:${this.name}`);
+            }
+            else {
+                signal.addEventListener("abort", () => {
+                    this.signalLogs.push(`aborted-during:${this.name}`);
+                });
+            }
+        }
+        await delay(50);
+        return { name: this.name };
+    }
+}
+describe("Production Features Unit Tests", () => {
+    beforeEach(() => {
+        Config.set({
+            dryRun: false,
+            parallel: false,
+            offline: false,
+            providers: {}
+        });
+    });
+    test("Secret Redaction in console.log during Stack execution", async () => {
+        // Register secret
+        const mySecret = new Secret("my-api-key", async () => "super-secret-12345");
+        await mySecret.get(); // resolves and registers it
+        const logs = [];
+        const originalLog = console.log;
+        // Create a stack that logs the secret
+        class SecretStack extends Stack {
+            r1 = new DelayResource("r1", 10, []);
+            async beforeDeploy() {
+                console.log("Starting deployment with my-api-key super-secret-12345");
+            }
+        }
+        const stack = new SecretStack();
+        // Intercept console.log temporarily just to capture it
+        console.log = (...args) => {
+            logs.push(args.join(" "));
+            originalLog(...args);
+        };
+        try {
+            await stack.deploy();
+        }
+        finally {
+            console.log = originalLog;
+        }
+        const deploymentLog = logs.join("\n");
+        assert.ok(!deploymentLog.includes("super-secret-12345"), "Should NOT contain raw secret");
+        assert.ok(deploymentLog.includes("my-api-key ********"), "Should contain redacted secret replacement");
+    });
+    test("Secret Redaction in formatEntry table matching patterns", async () => {
+        class CredentialsStack extends Stack {
+            creds_resource = new class extends BaseBuilder {
+                async deploy() {
+                    return {
+                        password: "my-cleartext-password",
+                        api_token: "my-cleartext-token",
+                        safe_field: "public-info"
+                    };
+                }
+            }("creds");
+            db_password = new class extends BaseBuilder {
+                async deploy() {
+                    return "my-cleartext-db-pass";
+                }
+            }("db-pass");
+        }
+        const logs = [];
+        const originalLog = console.log;
+        console.log = (...args) => {
+            logs.push(args.join(" "));
+            originalLog(...args);
+        };
+        try {
+            await new CredentialsStack().deploy();
+        }
+        finally {
+            console.log = originalLog;
+        }
+        const tableOutput = logs.join("\n");
+        assert.ok(!tableOutput.includes("my-cleartext-password"), "Should redact password key values in table");
+        assert.ok(!tableOutput.includes("my-cleartext-token"), "Should redact token key values in table");
+        assert.ok(!tableOutput.includes("my-cleartext-db-pass"), "Should redact sensitive parent key values in table");
+        assert.ok(tableOutput.includes("********"), "Should replace with asterisks");
+        assert.ok(tableOutput.includes("public-info"), "Should preserve non-sensitive fields");
+    });
+    test("Parallel Scheduler Cancellation (Fail-Fast)", async () => {
+        Config.set({ parallel: true });
+        const signalLogs = [];
+        class CancelStack extends Stack {
+            r1 = new AbortResource("r1", signalLogs);
+            r2 = new FailResource("r2");
+        }
+        await assert.rejects(async () => {
+            await new CancelStack().deploy();
+        }, /Failure in deploy!/);
+        // Wait a bit for abort listener
+        await delay(30);
+        assert.ok(signalLogs.includes("aborted-during:r1") || signalLogs.includes("aborted-before:r1"), "Aborted resource should have abort signal triggered");
+    });
+    test("Credential-Free Offline Dry-Run Mode", async () => {
+        Config.set({ offline: true, dryRun: true });
+        class OfflineStack extends Stack {
+            aws_vm = new class extends BaseBuilder {
+                async deploy() {
+                    const { getEC2Client } = await import("../providers/aws/api.js");
+                    const client = getEC2Client();
+                    const res = await client.send({ constructor: { name: "RunInstancesCommand" } });
+                    return res;
+                }
+            }("aws");
+            gcp_vm = new class extends BaseBuilder {
+                async deploy() {
+                    const { gcpFetch } = await import("../providers/gcp/api.js");
+                    const res = await gcpFetch("compute", "/instances");
+                    return res;
+                }
+            }("gcp");
+        }
+        const outputs = await new OfflineStack().deploy();
+        assert.ok(outputs.aws_vm.Instances[0].InstanceId.startsWith("i-mock"), "AWS VM should resolve to mock");
+        assert.ok(outputs.gcp_vm.id.startsWith("mock-gcp-instance"), "GCP VM should resolve to mock");
+    });
+    test("Ansible Provisioner Stack-Wide Dynamic Inventory Generation", async () => {
+        const context = {
+            stackName: "my-test-stack",
+            hosts: [
+                { name: "web1", ip: "1.2.3.4", user: "root", sshKey: "/path/to/key", provider: "do" },
+                { name: "db1", ip: "5.6.7.8", user: "ubuntu", sshKey: "/path/to/other-key", provider: "aws" }
+            ]
+        };
+        await resourceContextStorage.run(context, async () => {
+            try {
+                await runAnsible("1.2.3.4", "root", "/path/to/key", "playbook.yml");
+            }
+            catch (err) {
+                // We expect it might fail if ansible-playbook binary is missing, but it should still attempt write!
+                assert.ok(err.message.includes("ansible-playbook") || err.message.includes("ENOENT"), "Should attempt run");
+            }
+            const fs = await import("node:fs");
+            const exists = fs.existsSync("/tmp/puls-inventory-my-test-stack.ini");
+            assert.ok(exists, "Dynamic inventory file should be generated in /tmp");
+            const contents = fs.readFileSync("/tmp/puls-inventory-my-test-stack.ini", "utf8");
+            assert.ok(contents.includes("web1 ansible_host=1.2.3.4"), "Should contain web1 host entry");
+            assert.ok(contents.includes("db1 ansible_host=5.6.7.8"), "Should contain db1 host entry");
+        });
+    });
+});

package/dist/core/provisioner.js

@@ -1,6 +1,8 @@
 import { spawn } from "node:child_process";
 import net from "node:net";
 import { homedir } from "node:os";
+import { writeFileSync } from "node:fs";
+import { resourceContextStorage } from "./context.js";
 export function checkPort(ip, port) {
     return new Promise((resolve) => {
         const socket = new net.Socket();
@@ -31,18 +33,34 @@ function resolveSshKeyPath(sshKeys) {
 export function runAnsible(ip, user, sshKeys, playbook) {
     console.log(`   🔧 Running Ansible: ${playbook} → ${ip}`);
     const keyPath = resolveSshKeyPath(sshKeys);
+    const context = resourceContextStorage.getStore();
+    const stackName = context?.stackName ?? "default";
+    const hosts = context?.hosts ?? [];
     return new Promise((resolve, reject) => {
-        const proc = spawn("ansible-playbook", [
-            playbook,
-            "-i",
-            `${ip},`,
-            "-u",
-            user,
-            "--private-key",
-            keyPath,
-            "--ssh-extra-args",
-            "-o StrictHostKeyChecking=no -o ConnectTimeout=30",
-        ], { stdio: "inherit" });
+        const args = [playbook];
+        if (hosts.length > 0) {
+            const inventoryPath = `/tmp/puls-inventory-${stackName}.ini`;
+            let inventoryContent = "[all]\n";
+            for (const h of hosts) {
+                const hKeyPath = resolveSshKeyPath(h.sshKey);
+                inventoryContent += `${h.name} ansible_host=${h.ip} ansible_user=${h.user} ansible_ssh_private_key_file=${hKeyPath}\n`;
+            }
+            try {
+                writeFileSync(inventoryPath, inventoryContent, "utf8");
+            }
+            catch (err) {
+                reject(new Error(`Failed to write Ansible inventory: ${err.message}`));
+                return;
+            }
+            const currentHost = hosts.find(h => h.ip === ip);
+            const hostLimit = currentHost ? currentHost.name : ip;
+            args.push("-i", inventoryPath, "--limit", hostLimit);
+        }
+        else {
+            args.push("-i", `${ip},`, "-u", user, "--private-key", keyPath);
+        }
+        args.push("--ssh-extra-args", "-o StrictHostKeyChecking=no -o ConnectTimeout=30");
+        const proc = spawn("ansible-playbook", args, { stdio: "inherit" });
         proc.on("close", (code) => {
             if (code === 0) {
                 console.log(`   ✅ Provisioning complete`);