+Madagascar Local Authority folosește SQLite ca sursă de adevăr runtime pentru hosturi, aliasuri, vhosturi, Work Orders, workeri de date și certificate.

+## Principii

+Hosturile sunt identificate prin FQDN complet, nu prin short name. Exemplu: `gw.local` și `gw.remote` sunt identități diferite. Coloana compatibilă `legacy_id` păstrează ID-ul scurt folosit de UI-ul curent, dar cheia reală este `hosts.fqdn`.

+Schema evită să transforme `hosts` într-un tabel cu prea multe coloane. Datele specializate sunt în tabele separate:

+- aliasuri: `host_aliases`

+- roluri: `host_roles`

+- surse: `host_sources`

+- flaguri: `host_flags`

+- SSH: `host_ssh`

+- vhosturi mutabile: `vhosts`

+- certificate: `certificates`, `certificate_dns_names`

+- workeri și observații: `data_workers`, `dhcp_leases`, `mdns_observations`

+`documents` rămâne doar tabel legacy pentru migrarea din modelul vechi document-store. Aplicația nu îl mai folosește ca sursă de adevăr.

+## Schema Version

+

+Schema curentă este versiunea `2`.

+

+```sql

+schema_meta('schema_version') = '2'

+```

+

+`schema_meta` păstrează și metadate runtime precum `registry_updated_at`.

+

+## Catalog

+

+| Tabel | Rol |

+|-------|-----|

+| `schema_meta` | metadate de schemă/runtime |

+| `documents` | document-store legacy pentru migrare |

+| `hosts` | hosturi canonice, identificate prin FQDN |

+| `host_aliases` | aliasuri păstrate inclusiv după retragere |

+| `host_roles` | roluri active/retrase per host |

+| `host_sources` | surse active/retrase per host |

+| `host_flags` | flaguri extensibile per host |

+| `host_ssh` | profile SSH per host |

+| `vhosts` | vhosturi mutabile între hosturi |

+| `data_workers` | workeri/surse care colectează date |

+| `dhcp_leases` | date observate din DHCP lease/reservation |

+| `mdns_observations` | date observate din mDNS |

+| `certificates` | certificate emise de CA locală |

+| `certificate_dns_names` | SAN DNS names pentru certificate |

+| `work_orders` | Work Orders |

+| `work_order_checklist` | checklist items pentru Work Orders |

+| `work_order_actions` | acțiuni confirmabile pentru Work Orders |

+

+## Tabele

+

+### `hosts`

+CREATE TABLE hosts (

+    fqdn TEXT PRIMARY KEY,

+    legacy_id TEXT NOT NULL UNIQUE,

+    status TEXT NOT NULL DEFAULT 'active',

+    hosts_ip TEXT NOT NULL DEFAULT '',

+    dns_ip TEXT NOT NULL DEFAULT '',

+    monitoring TEXT NOT NULL DEFAULT 'pending',

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+Chei și indexuri:

+- PK: `hosts(fqdn)`

+- UNIQUE: `hosts(legacy_id)`

+### `host_aliases`

+```sql

+CREATE TABLE host_aliases (

+    alias_name TEXT NOT NULL,

+    host_fqdn TEXT NOT NULL REFERENCES hosts(fqdn)

+        ON UPDATE CASCADE ON DELETE RESTRICT,

+    alias_kind TEXT NOT NULL DEFAULT 'declared',

+    status TEXT NOT NULL DEFAULT 'active',

+    is_dns_published INTEGER NOT NULL DEFAULT 1,

+    created_at TEXT NOT NULL,

+    retired_at TEXT,

+    notes TEXT NOT NULL DEFAULT '',

+    PRIMARY KEY (alias_name, host_fqdn)

+);

+```

+Indexuri:

+```sql

+CREATE UNIQUE INDEX idx_host_aliases_active_name

+ON host_aliases(alias_name)

+WHERE status = 'active';

+CREATE INDEX idx_host_aliases_host_status

+ON host_aliases(host_fqdn, status);

+```

+Reguli:

+- aliasurile retrase nu se șterg; se setează `status = 'retired'`

+- un alias activ poate aparține unui singur host

+- aliasurile scurte derivate, cum ar fi `baobab`, sunt păstrate cu `alias_kind = 'derived'`

+- short aliases derivate din vhosturi, cum ar fi `pmx.baobab`, sunt păstrate cu `alias_kind = 'derived-vhost'`

+### `vhosts`

+```sql

+CREATE TABLE vhosts (

+    vhost_fqdn TEXT PRIMARY KEY,

+    host_fqdn TEXT NOT NULL REFERENCES hosts(fqdn)

+        ON UPDATE CASCADE ON DELETE RESTRICT,

+    status TEXT NOT NULL DEFAULT 'active',

+    service_name TEXT NOT NULL DEFAULT '',

+    upstream_url TEXT NOT NULL DEFAULT '',

+    tls_mode TEXT NOT NULL DEFAULT 'local-ca',

+    certificate_id TEXT REFERENCES certificates(certificate_id)

+        ON UPDATE CASCADE ON DELETE SET NULL,

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL

+);

+```

+Indexuri:

+```sql

+CREATE INDEX idx_vhosts_host_status

+ON vhosts(host_fqdn, status);

+```

+Un vhost se mută de pe un host pe altul prin update pe `vhosts.host_fqdn`. Vhosturile retrase rămân în tabel cu `status = 'retired'`.

+### `host_roles`, `host_sources`, `host_flags`, `host_ssh`

+```sql

+CREATE TABLE host_roles (

+    host_fqdn TEXT NOT NULL REFERENCES hosts(fqdn)

+        ON UPDATE CASCADE ON DELETE RESTRICT,

+    role TEXT NOT NULL,

+    status TEXT NOT NULL DEFAULT 'active',

+    created_at TEXT NOT NULL,

+    retired_at TEXT,

+    PRIMARY KEY (host_fqdn, role)

+);

+CREATE TABLE host_sources (

+    host_fqdn TEXT NOT NULL REFERENCES hosts(fqdn)

+        ON UPDATE CASCADE ON DELETE RESTRICT,

+    source TEXT NOT NULL,

+    status TEXT NOT NULL DEFAULT 'active',

+    created_at TEXT NOT NULL,

+    retired_at TEXT,

+    PRIMARY KEY (host_fqdn, source)

+);

+CREATE TABLE host_flags (

+    host_fqdn TEXT NOT NULL REFERENCES hosts(fqdn)

+        ON UPDATE CASCADE ON DELETE RESTRICT,

+    flag TEXT NOT NULL,

+    value TEXT NOT NULL DEFAULT '1',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL,

+    PRIMARY KEY (host_fqdn, flag)

+);

+CREATE TABLE host_ssh (

+    host_fqdn TEXT NOT NULL REFERENCES hosts(fqdn)

+        ON UPDATE CASCADE ON DELETE RESTRICT,

+    profile_name TEXT NOT NULL DEFAULT 'default',

+    username TEXT NOT NULL DEFAULT '',

+    port INTEGER NOT NULL DEFAULT 22,

+    identity_file TEXT NOT NULL DEFAULT '',

+    address TEXT NOT NULL DEFAULT '',

+    local_forward_host TEXT NOT NULL DEFAULT '',

+    local_forward_port INTEGER,

+    remote_forward_host TEXT NOT NULL DEFAULT '',

+    remote_forward_port INTEGER,

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL,

+    PRIMARY KEY (host_fqdn, profile_name)

+);

+```

+### `data_workers`

+CREATE TABLE data_workers (

+    worker_id TEXT PRIMARY KEY,

+    worker_type TEXT NOT NULL,

+    name TEXT NOT NULL DEFAULT '',

+    status TEXT NOT NULL DEFAULT 'active',

+    source TEXT NOT NULL DEFAULT '',

+    last_run_at TEXT,

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL

+);

+Indexuri:

+CREATE INDEX idx_data_workers_type_status

+ON data_workers(worker_type, status);

+Seed implicit:

+

+- `dhcp-router`, type `dhcp`

+- `mdns-listener`, type `mdns`

+

+### `dhcp_leases`

+CREATE TABLE dhcp_leases (

+    lease_key TEXT PRIMARY KEY,

+    worker_id TEXT NOT NULL REFERENCES data_workers(worker_id)

+        ON UPDATE CASCADE ON DELETE RESTRICT,

+    host_fqdn TEXT REFERENCES hosts(fqdn)

+        ON UPDATE CASCADE ON DELETE SET NULL,

+    observed_name TEXT NOT NULL DEFAULT '',

+    ip_address TEXT NOT NULL,

+    mac_address TEXT NOT NULL DEFAULT '',

+    lease_state TEXT NOT NULL DEFAULT '',

+    first_seen TEXT NOT NULL,

+    last_seen TEXT NOT NULL,

+    raw TEXT NOT NULL DEFAULT ''

+Indexuri:

+CREATE INDEX idx_dhcp_leases_ip ON dhcp_leases(ip_address);

+CREATE INDEX idx_dhcp_leases_mac ON dhcp_leases(mac_address);

+CREATE INDEX idx_dhcp_leases_worker_last_seen

+ON dhcp_leases(worker_id, last_seen);

+### `mdns_observations`

+```sql

+CREATE TABLE mdns_observations (

+    observation_key TEXT PRIMARY KEY,

+    worker_id TEXT NOT NULL REFERENCES data_workers(worker_id)

+        ON UPDATE CASCADE ON DELETE RESTRICT,

+    host_fqdn TEXT REFERENCES hosts(fqdn)

+        ON UPDATE CASCADE ON DELETE SET NULL,

+    observed_name TEXT NOT NULL,

+    ip_address TEXT NOT NULL,

+    rr_type TEXT NOT NULL DEFAULT 'A',

+    ttl INTEGER NOT NULL DEFAULT 0,

+    first_seen TEXT NOT NULL,

+    last_seen TEXT NOT NULL,

+    seen_count INTEGER NOT NULL DEFAULT 1,

+    last_peer TEXT NOT NULL DEFAULT '',

+    raw TEXT NOT NULL DEFAULT ''

+);

+```

+Indexuri:

+```sql

+CREATE INDEX idx_mdns_observations_name ON mdns_observations(observed_name);

+CREATE INDEX idx_mdns_observations_ip ON mdns_observations(ip_address);

+CREATE INDEX idx_mdns_observations_worker_last_seen

+ON mdns_observations(worker_id, last_seen);

+```

+### `certificates` și `certificate_dns_names`

+```sql

+CREATE TABLE certificates (

+    certificate_id TEXT PRIMARY KEY,

+    host_fqdn TEXT REFERENCES hosts(fqdn)

+        ON UPDATE CASCADE ON DELETE SET NULL,

+    common_name TEXT NOT NULL DEFAULT '',

+    subject TEXT NOT NULL DEFAULT '',

+    issuer TEXT NOT NULL DEFAULT '',

+    serial TEXT UNIQUE,

+    status TEXT NOT NULL DEFAULT 'issued',

+    not_before TEXT NOT NULL DEFAULT '',

+    not_after TEXT NOT NULL DEFAULT '',

+    fingerprint_sha256 TEXT UNIQUE,

+    cert_path TEXT NOT NULL DEFAULT '',

+    csr_path TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL,

+    notes TEXT NOT NULL DEFAULT ''

+);

+CREATE TABLE certificate_dns_names (

+    certificate_id TEXT NOT NULL REFERENCES certificates(certificate_id)

+        ON UPDATE CASCADE ON DELETE CASCADE,

+    dns_name TEXT NOT NULL,

+    PRIMARY KEY (certificate_id, dns_name)

+);

+Indexuri:

+```sql

+CREATE INDEX idx_certificate_dns_names_dns_name

+ON certificate_dns_names(dns_name);

+```

+Certificatele emise sunt sincronizate când aplicația citește lista CA prin `ca_manager.sh list-json`.

+### Work Orders

+```sql

+CREATE TABLE work_orders (

+    id TEXT PRIMARY KEY,

+    status TEXT NOT NULL DEFAULT 'pending',

+    title TEXT NOT NULL DEFAULT '',

+    reason TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    confirmed_at TEXT NOT NULL DEFAULT '',

+    result TEXT NOT NULL DEFAULT '',

+    updated_at TEXT NOT NULL

+);

+CREATE TABLE work_order_checklist (

+    work_order_id TEXT NOT NULL REFERENCES work_orders(id)

+        ON UPDATE CASCADE ON DELETE CASCADE,

+    item_id TEXT NOT NULL,

+    text TEXT NOT NULL DEFAULT '',

+    status TEXT NOT NULL DEFAULT 'pending',

+    owner TEXT NOT NULL DEFAULT '',

+    notes TEXT NOT NULL DEFAULT '',

+    updated_at TEXT NOT NULL DEFAULT '',

+    PRIMARY KEY (work_order_id, item_id)

+);

+CREATE TABLE work_order_actions (

+    work_order_id TEXT NOT NULL REFERENCES work_orders(id)

+        ON UPDATE CASCADE ON DELETE CASCADE,

+    position INTEGER NOT NULL,

+    type TEXT NOT NULL,

+    host_fqdn TEXT REFERENCES hosts(fqdn)

+        ON UPDATE CASCADE ON DELETE SET NULL,

+    host_legacy_id TEXT NOT NULL DEFAULT '',

+    name TEXT NOT NULL DEFAULT '',

+    payload TEXT NOT NULL DEFAULT '',

+    PRIMARY KEY (work_order_id, position)

+);

+```

+## Migrare și Seed

+La prima inițializare a unei baze fără rânduri în `hosts`, aplicația seed-uiește din:

+1. `documents.name = 'hosts_yaml'`, dacă există din vechiul model

+2. `config/hosts.yaml`, dacă documentul legacy lipsește

+3. document gol valid, dacă lipsește și seed-ul

+Work Orders se seed-uiesc similar din `documents.name = 'work_orders_yaml'` sau `config/work-orders.yaml`.

+Seed-ul curent produce:

+- 11 hosturi cunoscute

+- aliasuri scurte derivate pentru hosturi și vhosturi

+- vhosturile `hosts.*`, `pmx.*` și `pbs.*`

+- workerii `dhcp-router` și `mdns-listener`

+- Work Order-ul existent pentru retragerea numelor legacy

+`config/local-hosts.tsv` rămâne manifest generat explicit din tabelele runtime.

+sqlite3 var/host-manager.sqlite '.schema hosts'

+sqlite3 var/host-manager.sqlite '.schema host_aliases'

+sqlite3 var/host-manager.sqlite '.schema vhosts'

+sqlite3 var/host-manager.sqlite 'pragma foreign_key_list(vhosts);'

+sqlite3 var/host-manager.sqlite 'pragma index_list(host_aliases);'

+sqlite3 var/host-manager.sqlite 'select fqdn, legacy_id, status, dns_ip from hosts order by legacy_id;'

+sqlite3 var/host-manager.sqlite 'select alias_name, host_fqdn, alias_kind, status from host_aliases order by alias_name;'

+sqlite3 var/host-manager.sqlite 'select vhost_fqdn, host_fqdn, status from vhosts order by vhost_fqdn;'

+Backup recomandat:

+Cu WAL activ, o copie brută trebuie să trateze fișierele ca set coerent:

+```text

+var/host-manager.sqlite

+var/host-manager.sqlite-wal

+var/host-manager.sqlite-shm

+Restore-ul înlocuiește sursa de adevăr runtime:

+

+## 2026-06-09 - Relational Runtime Schema

+

+Observație: primul pas SQLite mutase sursa de adevăr din git în baza de date, dar o păstra ca document YAML într-o tabelă generică. Asta rezolva pierderea editărilor la push, dar nu oferea o bază de date operațională reală.

+

+Decizie:

+

+- `hosts.fqdn` devine cheia reală pentru hosturi, ca numele complete să evite coliziuni între domenii

+- `legacy_id` rămâne doar compatibilitate pentru UI/API-ul curent

+- aliasurile sunt păstrate în `host_aliases`, inclusiv după retragere

+- vhosturile sunt în `vhosts` și pot fi mutate prin schimbarea `host_fqdn`

+- rolurile, sursele, flagurile și SSH sunt în tabele separate, nu coloane adăugate continuu în `hosts`

+- workerii de date au `data_workers`, `dhcp_leases` și `mdns_observations`

+- certificatele emise au `certificates` și `certificate_dns_names`

+- `documents` rămâne doar tabel legacy pentru migrare din modelul vechi document-store

+

+Scop:

+

+- schema să poată susține inventar, DNS, vhosturi, observații externe și certificate fără să piardă istoric operațional

+- aliasurile/vhosturile retrase să rămână audibile în baza de date

+- structura să fie extensibilă fără să supraîncarce tabelul `hosts`

+`var/host-manager.sqlite` este sursa de adevăr runtime pentru hosturi, aliasuri, vhosturi, Work Orders, workeri de date și certificate emise. La prima pornire, aplicația seed-uiește tabelele din `config/hosts.yaml` și `config/work-orders.yaml` dacă baza nu are încă rânduri operaționale. Aplicația este complet în spatele autentificării OTP pentru orice date de registru, exporturi sau modificări.

+`madagascar.xdev.ro` este domeniul implicit al rețelei interne. Hosturile sunt identificate în baza de date prin FQDN complet, iar UI-ul păstrează temporar `id` ca identificator compatibil.

+Aliasurile derivate nu se declară separat în `hosts.yaml`. Ele sunt păstrate în tabelul `host_aliases` și apar în API, monitoring export și `local-hosts.tsv` ca nume efective.

+  var/host-manager.sqlite  sursă runtime relațională pentru registry și Work Orders

+  storage_authority: "sqlite-relational"

+    my $registry = load_registry_from_db();

+    save_registry_to_db($registry);

+    return load_work_orders_from_db();

+    save_work_orders_to_db($orders);

+    $out ||= $command eq 'list-json' ? '[]' : '{}';

+    sync_certificates_from_json($out) if $command eq 'list-json';

+    return $out;

+}

+

+sub sync_certificates_from_json {

+    my ($json) = @_;

+    my $certs = eval { json_decode($json || '[]') };

+    return if $@ || ref($certs) ne 'ARRAY';

+    my $dbh = dbh();

+    my $now = iso_now();

+    with_transaction($dbh, sub {

+        for my $cert (@$certs) {

+            next unless ref($cert) eq 'HASH';

+            my $name = clean_id($cert->{name} || $cert->{serial} || $cert->{fingerprint_sha256} || '');

+            next unless $name;

+            my @dns_names = map { normalize_dns_name($_) } @{ $cert->{dns_names} || [] };

+            my $host_fqdn = infer_certificate_host_fqdn($dbh, \@dns_names);

+            my $cert_path = ca_issued_cert_path($name);

+            my $csr_path = ca_dir() . "/csr/$name.csr.pem";

+            my $serial = clean_scalar($cert->{serial} || '');

+            my $fingerprint = clean_scalar($cert->{fingerprint_sha256} || '');

+            $dbh->do(

+                'INSERT INTO certificates (certificate_id, host_fqdn, common_name, subject, issuer, serial, status, not_before, not_after, fingerprint_sha256, cert_path, csr_path, created_at, updated_at, notes) '

+                . "VALUES (?, ?, ?, ?, ?, ?, 'issued', ?, ?, ?, ?, ?, ?, ?, '') "

+                . 'ON CONFLICT(certificate_id) DO UPDATE SET host_fqdn = excluded.host_fqdn, common_name = excluded.common_name, '

+                . 'subject = excluded.subject, issuer = excluded.issuer, serial = excluded.serial, status = excluded.status, '

+                . 'not_before = excluded.not_before, not_after = excluded.not_after, fingerprint_sha256 = excluded.fingerprint_sha256, '

+                . 'cert_path = excluded.cert_path, csr_path = excluded.csr_path, updated_at = excluded.updated_at',

+                undef,

+                $name,

+                $host_fqdn || undef,

+                $dns_names[0] || '',

+                clean_scalar($cert->{subject} || ''),

+                clean_scalar($cert->{issuer} || ''),

+                length($serial) ? $serial : undef,

+                clean_scalar($cert->{not_before} || ''),

+                clean_scalar($cert->{not_after} || ''),

+                length($fingerprint) ? $fingerprint : undef,

+                $cert_path,

+                $csr_path,

+                $now,

+                $now,

+            );

+            $dbh->do('DELETE FROM certificate_dns_names WHERE certificate_id = ?', undef, $name);

+            for my $dns_name (@dns_names) {

+                next unless length $dns_name;

+                $dbh->do(

+                    'INSERT OR IGNORE INTO certificate_dns_names (certificate_id, dns_name) VALUES (?, ?)',

+                    undef,

+                    $name,

+                    $dns_name,

+                );

+            }

+        }

+    });

+}

+

+sub infer_certificate_host_fqdn {

+    my ($dbh, $dns_names) = @_;

+    for my $name (@$dns_names) {

+        my ($fqdn) = $dbh->selectrow_array('SELECT fqdn FROM hosts WHERE fqdn = ?', undef, $name);

+        return $fqdn if $fqdn;

+    }

+    for my $name (@$dns_names) {

+        my ($fqdn) = $dbh->selectrow_array('SELECT host_fqdn FROM host_aliases WHERE alias_name = ? AND status = ?', undef, $name, 'active');

+        return $fqdn if $fqdn;

+        ($fqdn) = $dbh->selectrow_array('SELECT host_fqdn FROM vhosts WHERE vhost_fqdn = ? AND status = ?', undef, $name, 'active');

+        return $fqdn if $fqdn;

+    }

+    for my $name (@$dns_names) {

+        return $name if $name =~ /\./;

+    }

+    return '';

+my $db_seeded = 0;

+    create_database_schema($db_handle);

+    seed_database($db_handle) unless $db_seeded++;

+    return $db_handle;

+}

+

+sub create_database_schema {

+    my ($dbh) = @_;

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS schema_meta (

+    key TEXT PRIMARY KEY,

+    value TEXT NOT NULL,

+    updated_at TEXT NOT NULL

+)

+SQL

+    $dbh->do(<<'SQL');

+    $dbh->do(

+        'INSERT INTO schema_meta (key, value, updated_at) VALUES (?, ?, ?) '

+        . 'ON CONFLICT(key) DO UPDATE SET value = excluded.value, updated_at = excluded.updated_at',

+        undef, 'schema_version', '2', iso_now()

+    );

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS hosts (

+    fqdn TEXT PRIMARY KEY,

+    legacy_id TEXT NOT NULL UNIQUE,

+    status TEXT NOT NULL DEFAULT 'active',

+    hosts_ip TEXT NOT NULL DEFAULT '',

+    dns_ip TEXT NOT NULL DEFAULT '',

+    monitoring TEXT NOT NULL DEFAULT 'pending',

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS host_aliases (

+    alias_name TEXT NOT NULL,

+    host_fqdn TEXT NOT NULL,

+    alias_kind TEXT NOT NULL DEFAULT 'declared',

+    status TEXT NOT NULL DEFAULT 'active',

+    is_dns_published INTEGER NOT NULL DEFAULT 1,

+    created_at TEXT NOT NULL,

+    retired_at TEXT,

+    notes TEXT NOT NULL DEFAULT '',

+    PRIMARY KEY (alias_name, host_fqdn),

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE RESTRICT

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE UNIQUE INDEX IF NOT EXISTS idx_host_aliases_active_name

+ON host_aliases(alias_name)

+WHERE status = 'active'

+SQL

+    $dbh->do(<<'SQL');

+CREATE INDEX IF NOT EXISTS idx_host_aliases_host_status

+ON host_aliases(host_fqdn, status)

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS host_roles (

+    host_fqdn TEXT NOT NULL,

+    role TEXT NOT NULL,

+    status TEXT NOT NULL DEFAULT 'active',

+    created_at TEXT NOT NULL,

+    retired_at TEXT,

+    PRIMARY KEY (host_fqdn, role),

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE RESTRICT

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS host_sources (

+    host_fqdn TEXT NOT NULL,

+    source TEXT NOT NULL,

+    status TEXT NOT NULL DEFAULT 'active',

+    created_at TEXT NOT NULL,

+    retired_at TEXT,

+    PRIMARY KEY (host_fqdn, source),

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE RESTRICT

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS host_flags (

+    host_fqdn TEXT NOT NULL,

+    flag TEXT NOT NULL,

+    value TEXT NOT NULL DEFAULT '1',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL,

+    PRIMARY KEY (host_fqdn, flag),

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE RESTRICT

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS host_ssh (

+    host_fqdn TEXT NOT NULL,

+    profile_name TEXT NOT NULL DEFAULT 'default',

+    username TEXT NOT NULL DEFAULT '',

+    port INTEGER NOT NULL DEFAULT 22,

+    identity_file TEXT NOT NULL DEFAULT '',

+    address TEXT NOT NULL DEFAULT '',

+    local_forward_host TEXT NOT NULL DEFAULT '',

+    local_forward_port INTEGER,

+    remote_forward_host TEXT NOT NULL DEFAULT '',

+    remote_forward_port INTEGER,

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL,

+    PRIMARY KEY (host_fqdn, profile_name),

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE RESTRICT

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS certificates (

+    certificate_id TEXT PRIMARY KEY,

+    host_fqdn TEXT,

+    common_name TEXT NOT NULL DEFAULT '',

+    subject TEXT NOT NULL DEFAULT '',

+    issuer TEXT NOT NULL DEFAULT '',

+    serial TEXT UNIQUE,

+    status TEXT NOT NULL DEFAULT 'issued',

+    not_before TEXT NOT NULL DEFAULT '',

+    not_after TEXT NOT NULL DEFAULT '',

+    fingerprint_sha256 TEXT UNIQUE,

+    cert_path TEXT NOT NULL DEFAULT '',

+    csr_path TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL,

+    notes TEXT NOT NULL DEFAULT '',

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE SET NULL

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS certificate_dns_names (

+    certificate_id TEXT NOT NULL,

+    dns_name TEXT NOT NULL,

+    PRIMARY KEY (certificate_id, dns_name),

+    FOREIGN KEY (certificate_id) REFERENCES certificates(certificate_id) ON UPDATE CASCADE ON DELETE CASCADE

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE INDEX IF NOT EXISTS idx_certificate_dns_names_dns_name

+ON certificate_dns_names(dns_name)

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS vhosts (

+    vhost_fqdn TEXT PRIMARY KEY,

+    host_fqdn TEXT NOT NULL,

+    status TEXT NOT NULL DEFAULT 'active',

+    service_name TEXT NOT NULL DEFAULT '',

+    upstream_url TEXT NOT NULL DEFAULT '',

+    tls_mode TEXT NOT NULL DEFAULT 'local-ca',

+    certificate_id TEXT,

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL,

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE RESTRICT,

+    FOREIGN KEY (certificate_id) REFERENCES certificates(certificate_id) ON UPDATE CASCADE ON DELETE SET NULL

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE INDEX IF NOT EXISTS idx_vhosts_host_status

+ON vhosts(host_fqdn, status)

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS data_workers (

+    worker_id TEXT PRIMARY KEY,

+    worker_type TEXT NOT NULL,

+    name TEXT NOT NULL DEFAULT '',

+    status TEXT NOT NULL DEFAULT 'active',

+    source TEXT NOT NULL DEFAULT '',

+    last_run_at TEXT,

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE INDEX IF NOT EXISTS idx_data_workers_type_status

+ON data_workers(worker_type, status)

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS dhcp_leases (

+    lease_key TEXT PRIMARY KEY,

+    worker_id TEXT NOT NULL,

+    host_fqdn TEXT,

+    observed_name TEXT NOT NULL DEFAULT '',

+    ip_address TEXT NOT NULL,

+    mac_address TEXT NOT NULL DEFAULT '',

+    lease_state TEXT NOT NULL DEFAULT '',

+    first_seen TEXT NOT NULL,

+    last_seen TEXT NOT NULL,

+    raw TEXT NOT NULL DEFAULT '',

+    FOREIGN KEY (worker_id) REFERENCES data_workers(worker_id) ON UPDATE CASCADE ON DELETE RESTRICT,

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE SET NULL

+)

+SQL

+    $dbh->do('CREATE INDEX IF NOT EXISTS idx_dhcp_leases_ip ON dhcp_leases(ip_address)');

+    $dbh->do('CREATE INDEX IF NOT EXISTS idx_dhcp_leases_mac ON dhcp_leases(mac_address)');

+    $dbh->do('CREATE INDEX IF NOT EXISTS idx_dhcp_leases_worker_last_seen ON dhcp_leases(worker_id, last_seen)');

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS mdns_observations (

+    observation_key TEXT PRIMARY KEY,

+    worker_id TEXT NOT NULL,

+    host_fqdn TEXT,

+    observed_name TEXT NOT NULL,

+    ip_address TEXT NOT NULL,

+    rr_type TEXT NOT NULL DEFAULT 'A',

+    ttl INTEGER NOT NULL DEFAULT 0,

+    first_seen TEXT NOT NULL,

+    last_seen TEXT NOT NULL,

+    seen_count INTEGER NOT NULL DEFAULT 1,

+    last_peer TEXT NOT NULL DEFAULT '',

+    raw TEXT NOT NULL DEFAULT '',

+    FOREIGN KEY (worker_id) REFERENCES data_workers(worker_id) ON UPDATE CASCADE ON DELETE RESTRICT,

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE SET NULL

+)

+SQL

+    $dbh->do('CREATE INDEX IF NOT EXISTS idx_mdns_observations_name ON mdns_observations(observed_name)');

+    $dbh->do('CREATE INDEX IF NOT EXISTS idx_mdns_observations_ip ON mdns_observations(ip_address)');

+    $dbh->do('CREATE INDEX IF NOT EXISTS idx_mdns_observations_worker_last_seen ON mdns_observations(worker_id, last_seen)');

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS work_orders (

+    id TEXT PRIMARY KEY,

+    status TEXT NOT NULL DEFAULT 'pending',

+    title TEXT NOT NULL DEFAULT '',

+    reason TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    confirmed_at TEXT NOT NULL DEFAULT '',

+    result TEXT NOT NULL DEFAULT '',

+    updated_at TEXT NOT NULL

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS work_order_checklist (

+    work_order_id TEXT NOT NULL,

+    item_id TEXT NOT NULL,

+    text TEXT NOT NULL DEFAULT '',

+    status TEXT NOT NULL DEFAULT 'pending',

+    owner TEXT NOT NULL DEFAULT '',

+    notes TEXT NOT NULL DEFAULT '',

+    updated_at TEXT NOT NULL DEFAULT '',

+    PRIMARY KEY (work_order_id, item_id),

+    FOREIGN KEY (work_order_id) REFERENCES work_orders(id) ON UPDATE CASCADE ON DELETE CASCADE

+)

+SQL

+    $dbh->do(<<'SQL');

+CREATE TABLE IF NOT EXISTS work_order_actions (

+    work_order_id TEXT NOT NULL,

+    position INTEGER NOT NULL,

+    type TEXT NOT NULL,

+    host_fqdn TEXT,

+    host_legacy_id TEXT NOT NULL DEFAULT '',

+    name TEXT NOT NULL DEFAULT '',

+    payload TEXT NOT NULL DEFAULT '',

+    PRIMARY KEY (work_order_id, position),

+    FOREIGN KEY (work_order_id) REFERENCES work_orders(id) ON UPDATE CASCADE ON DELETE CASCADE,

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE SET NULL

+)

+SQL

+sub seed_database {

+    my ($dbh) = @_;

+    seed_default_workers($dbh);

+

+    if (!db_scalar($dbh, 'SELECT COUNT(*) FROM hosts')) {

+        my $registry = parse_hosts_yaml(legacy_document_text($dbh, 'hosts_yaml', $opt{data}, default_hosts_yaml()));

+        normalize_registry_policy($registry);

+        with_transaction($dbh, sub {

+            import_registry_to_db($dbh, $registry, 0);

+        });

+    }

+

+    if (!db_scalar($dbh, 'SELECT COUNT(*) FROM work_orders')) {

+        my $orders = parse_work_orders_yaml(legacy_document_text($dbh, 'work_orders_yaml', $opt{work_orders}, default_work_orders_yaml()));

+        with_transaction($dbh, sub {

+            import_work_orders_to_db($dbh, $orders);

+        });

+    }

+

+    seed_mdns_observations_from_yaml($dbh);

+}

+

+sub with_transaction {

+    my ($dbh, $code) = @_;

+    return $code->() unless $dbh->{AutoCommit};

+    $dbh->begin_work;

+    my $ok = eval {

+        $code->();

+        1;

+    };

+    if (!$ok) {

+        my $err = $@ || 'transaction failed';

+        eval { $dbh->rollback };

+        die $err;

+    }

+    $dbh->commit;

+}

+

+sub db_scalar {

+    my ($dbh, $sql, @bind) = @_;

+    my ($value) = $dbh->selectrow_array($sql, undef, @bind);

+    return $value || 0;

+}

+

+sub legacy_document_text {

+    my ($dbh, $name, $seed_path, $default_text) = @_;

+    return $row->{content} if $row && defined $row->{content};

+    return read_file($seed_path) if -f $seed_path;

+    return $default_text;

+}

+

+sub load_registry_from_db {

+    my $dbh = dbh();

+    my $registry = {

+        version => 1,

+        updated_at => db_scalar($dbh, 'SELECT value FROM schema_meta WHERE key = ?', 'registry_updated_at') || '',

+        policy => {},

+        hosts => [],

+    };

+

+    my $sth = $dbh->prepare('SELECT * FROM hosts ORDER BY legacy_id');

+    $sth->execute;

+    while (my $row = $sth->fetchrow_hashref) {

+        my $fqdn = $row->{fqdn};

+        push @{ $registry->{hosts} }, {

+            id => $row->{legacy_id},

+            status => $row->{status},

+            hosts_ip => $row->{hosts_ip},

+            dns_ip => $row->{dns_ip},

+            names => [ active_names_for_host($dbh, $fqdn) ],

+            roles => [ active_values_for_host($dbh, 'host_roles', 'role', $fqdn) ],

+            sources => [ active_values_for_host($dbh, 'host_sources', 'source', $fqdn) ],

+            monitoring => $row->{monitoring},

+            notes => $row->{notes},

+        };

+    }

+

+    return $registry;

+}

+

+sub save_registry_to_db {

+    my ($registry) = @_;

+    my $dbh = dbh();

+    with_transaction($dbh, sub {

+        import_registry_to_db($dbh, $registry, 1);

+        set_schema_meta($dbh, 'registry_updated_at', $registry->{updated_at} || iso_now());

+    });

+}

+

+sub import_registry_to_db {

+    my ($dbh, $registry, $retire_missing) = @_;

+    my %seen;

+    for my $host (@{ $registry->{hosts} || [] }) {

+        my $fqdn = upsert_host_to_db($dbh, $host);

+        $seen{$fqdn} = 1 if $fqdn;

+    }

+

+    return unless $retire_missing;

+    my $sth = $dbh->prepare('SELECT fqdn FROM hosts WHERE status <> ?');

+    $sth->execute('retired');

+    while (my ($fqdn) = $sth->fetchrow_array) {

+        next if $seen{$fqdn};

+        retire_host_in_db($dbh, $fqdn);

+    }

+}

+sub upsert_host_to_db {

+    my ($dbh, $host) = @_;

+    my $now = iso_now();

+    my $fqdn = canonical_host_fqdn($host);

+    return '' unless $fqdn;

+    my $legacy_id = clean_id($host->{id} || legacy_id_from_fqdn($fqdn));

+    my $status = clean_scalar($host->{status} || 'active');

+    my $hosts_ip = clean_scalar($host->{hosts_ip} || '');

+    my $dns_ip = clean_scalar($host->{dns_ip} || '');

+    my $monitoring = clean_scalar($host->{monitoring} || 'pending');

+    my $notes = clean_scalar($host->{notes} || '');

+

+    $dbh->do(

+        'INSERT INTO hosts (fqdn, legacy_id, status, hosts_ip, dns_ip, monitoring, notes, created_at, updated_at) '

+        . 'VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?) '

+        . 'ON CONFLICT(fqdn) DO UPDATE SET legacy_id = excluded.legacy_id, status = excluded.status, '

+        . 'hosts_ip = excluded.hosts_ip, dns_ip = excluded.dns_ip, monitoring = excluded.monitoring, '

+        . 'notes = excluded.notes, updated_at = excluded.updated_at',

+        undef,

+        $fqdn, $legacy_id, $status, $hosts_ip, $dns_ip, $monitoring, $notes, $now, $now,

+    );

+

+    sync_host_values($dbh, 'host_roles', 'role', $fqdn, [ clean_list($host->{roles}) ]);

+    sync_host_values($dbh, 'host_sources', 'source', $fqdn, [ clean_list($host->{sources}) ]);

+    sync_host_names($dbh, $fqdn, [ clean_list($host->{names}) ]);

+    return $fqdn;

+}

+

+sub sync_host_values {

+    my ($dbh, $table, $column, $fqdn, $values) = @_;

+    my $now = iso_now();

+    my %active = map { $_ => 1 } @$values;

+    for my $value (@$values) {

+        $dbh->do(

+            "INSERT INTO $table (host_fqdn, $column, status, created_at, retired_at) VALUES (?, ?, 'active', ?, '') "

+            . "ON CONFLICT(host_fqdn, $column) DO UPDATE SET status = 'active', retired_at = ''",

+            undef,

+            $fqdn, $value, $now,

+        );

+    }

+

+    my $sth = $dbh->prepare("SELECT $column FROM $table WHERE host_fqdn = ? AND status = 'active'");

+    $sth->execute($fqdn);

+    while (my ($value) = $sth->fetchrow_array) {

+        next if $active{$value};

+        $dbh->do("UPDATE $table SET status = 'retired', retired_at = ? WHERE host_fqdn = ? AND $column = ?", undef, $now, $fqdn, $value);

+    }

+}

+

+sub sync_host_names {

+    my ($dbh, $fqdn, $names) = @_;

+    my $now = iso_now();

+    my (%aliases, %vhosts);

+    if (my $short = short_alias_for_fqdn($fqdn)) {

+        $aliases{$short} = 1;

+        upsert_alias_to_db($dbh, $fqdn, $short, 'derived', $now);

+    }

+    for my $name (@$names) {

+        $name = normalize_dns_name($name);

+        next unless length $name;

+        next if $name eq $fqdn;

+        if (name_is_vhost($name)) {

+            $vhosts{$name} = 1;

+            upsert_vhost_to_db($dbh, $fqdn, $name, $now);

+            if (my $short = short_alias_for_fqdn($name)) {

+                $aliases{$short} = 1;

+                upsert_alias_to_db($dbh, $fqdn, $short, 'derived-vhost', $now);

+            }

+        } else {

+            $aliases{$name} = 1;

+            upsert_alias_to_db($dbh, $fqdn, $name, 'declared', $now);

+            if (my $short = short_alias_for_fqdn($name)) {

+                $aliases{$short} = 1;

+                upsert_alias_to_db($dbh, $fqdn, $short, 'derived', $now);

+            }

+        }

+    }

+

+    retire_missing_names($dbh, 'host_aliases', 'alias_name', $fqdn, \%aliases, $now);

+    retire_missing_names($dbh, 'vhosts', 'vhost_fqdn', $fqdn, \%vhosts, $now);

+}

+

+sub upsert_alias_to_db {

+    my ($dbh, $fqdn, $alias, $kind, $now) = @_;

+    $dbh->do(

+        'INSERT INTO host_aliases (alias_name, host_fqdn, alias_kind, status, is_dns_published, created_at, retired_at, notes) '

+        . "VALUES (?, ?, ?, 'active', 1, ?, '', '') "

+        . "ON CONFLICT(alias_name, host_fqdn) DO UPDATE SET alias_kind = excluded.alias_kind, status = 'active', is_dns_published = 1, retired_at = ''",

+        undef,

+        $alias, $fqdn, $kind, $now,

+    );

+}

+

+sub upsert_vhost_to_db {

+    my ($dbh, $fqdn, $vhost, $now) = @_;

+    my $service = vhost_service_name($vhost);

+    $dbh->do(

+        'INSERT INTO vhosts (vhost_fqdn, host_fqdn, status, service_name, upstream_url, tls_mode, certificate_id, notes, created_at, updated_at) '

+        . "VALUES (?, ?, 'active', ?, '', 'local-ca', NULL, '', ?, ?) "

+        . "ON CONFLICT(vhost_fqdn) DO UPDATE SET host_fqdn = excluded.host_fqdn, status = 'active', "

+        . 'service_name = excluded.service_name, updated_at = excluded.updated_at',

+        undef,

+        $vhost, $fqdn, $service, $now, $now,

+    );

+}

+

+sub retire_missing_names {

+    my ($dbh, $table, $name_column, $fqdn, $active, $now) = @_;

+    my $sth = $dbh->prepare("SELECT $name_column FROM $table WHERE host_fqdn = ? AND status = 'active'");

+    $sth->execute($fqdn);

+    while (my ($name) = $sth->fetchrow_array) {

+        next if $active->{$name};

+        if ($table eq 'host_aliases') {

+            $dbh->do(

+                "UPDATE host_aliases SET status = 'retired', is_dns_published = 0, retired_at = ? WHERE host_fqdn = ? AND alias_name = ?",

+                undef, $now, $fqdn, $name,

+            );

+        } else {

+            $dbh->do(

+                "UPDATE vhosts SET status = 'retired', updated_at = ? WHERE host_fqdn = ? AND vhost_fqdn = ?",

+                undef, $now, $fqdn, $name,

+            );

+        }

+    }

+}

+

+sub retire_host_in_db {

+    my ($dbh, $fqdn) = @_;

+    my $now = iso_now();

+    $dbh->do("UPDATE hosts SET status = 'retired', updated_at = ? WHERE fqdn = ?", undef, $now, $fqdn);

+    $dbh->do("UPDATE host_aliases SET status = 'retired', is_dns_published = 0, retired_at = ? WHERE host_fqdn = ? AND status = 'active'", undef, $now, $fqdn);

+    $dbh->do("UPDATE vhosts SET status = 'retired', updated_at = ? WHERE host_fqdn = ? AND status = 'active'", undef, $now, $fqdn);

+    $dbh->do("UPDATE host_roles SET status = 'retired', retired_at = ? WHERE host_fqdn = ? AND status = 'active'", undef, $now, $fqdn);

+    $dbh->do("UPDATE host_sources SET status = 'retired', retired_at = ? WHERE host_fqdn = ? AND status = 'active'", undef, $now, $fqdn);

+sub active_names_for_host {

+    my ($dbh, $fqdn) = @_;

+    my @names = ($fqdn);

+    my $aliases = $dbh->prepare("SELECT alias_name FROM host_aliases WHERE host_fqdn = ? AND status = 'active' AND is_dns_published = 1 AND alias_kind NOT LIKE 'derived%' ORDER BY alias_name");

+    $aliases->execute($fqdn);

+    while (my ($name) = $aliases->fetchrow_array) {

+        push @names, $name;

+    }

+    my $vhosts = $dbh->prepare("SELECT vhost_fqdn FROM vhosts WHERE host_fqdn = ? AND status = 'active' ORDER BY vhost_fqdn");

+    $vhosts->execute($fqdn);

+    while (my ($name) = $vhosts->fetchrow_array) {

+        push @names, $name;

+    }

+    return unique_preserve(@names);

+}

+

+sub active_values_for_host {

+    my ($dbh, $table, $column, $fqdn) = @_;

+    my @values;

+    my $sth = $dbh->prepare("SELECT $column FROM $table WHERE host_fqdn = ? AND status = 'active' ORDER BY $column");

+    $sth->execute($fqdn);

+    while (my ($value) = $sth->fetchrow_array) {

+        push @values, $value;

+    }

+    return @values;

+}

+

+sub load_work_orders_from_db {

+    my $orders = { version => 1, work_orders => [] };

+    my $sth = $dbh->prepare('SELECT * FROM work_orders ORDER BY id');

+    $sth->execute;

+    while (my $row = $sth->fetchrow_hashref) {

+        my $wo = {

+            id => $row->{id},

+            status => $row->{status},

+            title => $row->{title},

+            reason => $row->{reason},

+            created_at => $row->{created_at},

+            checklist => [],

+            actions => [],

+        };

+        $wo->{confirmed_at} = $row->{confirmed_at} if length($row->{confirmed_at} || '');

+        $wo->{result} = $row->{result} if length($row->{result} || '');

+

+        my $items = $dbh->prepare('SELECT * FROM work_order_checklist WHERE work_order_id = ? ORDER BY item_id');

+        $items->execute($row->{id});

+        while (my $item = $items->fetchrow_hashref) {

+            my %copy = (

+                id => $item->{item_id},

+                text => $item->{text},

+                status => $item->{status},

+            );

+            for my $key (qw(owner notes updated_at)) {

+                $copy{$key} = $item->{$key} if length($item->{$key} || '');

+            }

+            push @{ $wo->{checklist} }, \%copy;

+        }

+

+        my $actions = $dbh->prepare('SELECT * FROM work_order_actions WHERE work_order_id = ? ORDER BY position');

+        $actions->execute($row->{id});

+        while (my $action = $actions->fetchrow_hashref) {

+            my %copy = ( type => $action->{type} );

+            $copy{host_id} = $action->{host_legacy_id} if length($action->{host_legacy_id} || '');

+            $copy{name} = $action->{name} if length($action->{name} || '');

+            push @{ $wo->{actions} }, \%copy;

+        }

+

+        push @{ $orders->{work_orders} }, $wo;

+    }

+    return $orders;

+}

+

+sub save_work_orders_to_db {

+    my ($orders) = @_;

+    my $dbh = dbh();

+    with_transaction($dbh, sub {

+        import_work_orders_to_db($dbh, $orders);

+    });

+}

+

+sub import_work_orders_to_db {

+    my ($dbh, $orders) = @_;

+    my $now = iso_now();

+    my %seen;

+    for my $wo (@{ $orders->{work_orders} || [] }) {

+        my $id = clean_scalar($wo->{id} || '');

+        next unless $id;

+        $seen{$id} = 1;

+        $dbh->do(

+            'INSERT INTO work_orders (id, status, title, reason, created_at, confirmed_at, result, updated_at) '

+            . 'VALUES (?, ?, ?, ?, ?, ?, ?, ?) '

+            . 'ON CONFLICT(id) DO UPDATE SET status = excluded.status, title = excluded.title, reason = excluded.reason, '

+            . 'created_at = excluded.created_at, confirmed_at = excluded.confirmed_at, result = excluded.result, updated_at = excluded.updated_at',

+            undef,

+            $id,

+            clean_scalar($wo->{status} || 'pending'),

+            clean_scalar($wo->{title} || ''),

+            clean_scalar($wo->{reason} || ''),

+            clean_scalar($wo->{created_at} || $now),

+            clean_scalar($wo->{confirmed_at} || ''),

+            clean_scalar($wo->{result} || ''),

+            $now,

+        );

+        $dbh->do('DELETE FROM work_order_checklist WHERE work_order_id = ?', undef, $id);

+        for my $item (@{ $wo->{checklist} || [] }) {

+            $dbh->do(

+                'INSERT INTO work_order_checklist (work_order_id, item_id, text, status, owner, notes, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?)',

+                undef,

+                $id,

+                clean_scalar($item->{id} || ''),

+                clean_scalar($item->{text} || ''),

+                clean_scalar($item->{status} || 'pending'),

+                clean_scalar($item->{owner} || ''),

+                clean_scalar($item->{notes} || ''),

+                clean_scalar($item->{updated_at} || ''),

+            );

+        }

+        $dbh->do('DELETE FROM work_order_actions WHERE work_order_id = ?', undef, $id);

+        my $position = 0;

+        for my $action (@{ $wo->{actions} || [] }) {

+            my $legacy_id = clean_id($action->{host_id} || '');

+            my $host_fqdn = fqdn_for_legacy_id($dbh, $legacy_id);

+            $dbh->do(

+                'INSERT INTO work_order_actions (work_order_id, position, type, host_fqdn, host_legacy_id, name, payload) VALUES (?, ?, ?, ?, ?, ?, ?)',

+                undef,

+                $id,

+                $position++,

+                clean_scalar($action->{type} || ''),

+                $host_fqdn || undef,

+                $legacy_id,

+                normalize_dns_name($action->{name} || ''),

+                '',

+            );

+        }

+    }

+}

+

+sub seed_default_workers {

+    my ($dbh) = @_;

+    my $now = iso_now();

+    my @workers = (

+        [ 'dhcp-router', 'dhcp', 'Router DHCP leases', 'admin@192.168.2.1', 'DHCP lease/reservation collector source.' ],

+        [ 'mdns-listener', 'mdns', 'mDNS listener', 'var/mdns-observations.yaml', 'mDNS observation collector source.' ],

+    );

+    for my $worker (@workers) {

+        $dbh->do(

+            'INSERT INTO data_workers (worker_id, worker_type, name, status, source, last_run_at, notes, created_at, updated_at) '

+            . "VALUES (?, ?, ?, 'active', ?, NULL, ?, ?, ?) "

+            . 'ON CONFLICT(worker_id) DO UPDATE SET worker_type = excluded.worker_type, name = excluded.name, '

+            . 'status = excluded.status, source = excluded.source, notes = excluded.notes, updated_at = excluded.updated_at',

+            undef,

+            @$worker,

+            $now,

+            $now,

+        );

+    }

+}

+

+sub seed_mdns_observations_from_yaml {

+    my ($dbh) = @_;

+    return if db_scalar($dbh, 'SELECT COUNT(*) FROM mdns_observations');

+    my $path = "$project_dir/var/mdns-observations.yaml";

+    return unless -f $path;

+    my $db = parse_mdns_observations_yaml(read_file($path));

+    with_transaction($dbh, sub {

+        for my $observation (@{ $db->{observations} || [] }) {

+            $dbh->do(

+                'INSERT INTO mdns_observations (observation_key, worker_id, host_fqdn, observed_name, ip_address, rr_type, ttl, first_seen, last_seen, seen_count, last_peer, raw) '

+                . "VALUES (?, 'mdns-listener', NULL, ?, ?, 'A', ?, ?, ?, ?, ?, '') "

+                . 'ON CONFLICT(observation_key) DO UPDATE SET observed_name = excluded.observed_name, ip_address = excluded.ip_address, '

+                . 'ttl = excluded.ttl, last_seen = excluded.last_seen, seen_count = excluded.seen_count, last_peer = excluded.last_peer',

+                undef,

+                clean_scalar($observation->{key} || "$observation->{name}|$observation->{ip}"),

+                clean_scalar($observation->{name} || ''),

+                clean_scalar($observation->{ip} || ''),

+                int($observation->{ttl} || 0),

+                clean_scalar($observation->{first_seen} || iso_now()),

+                clean_scalar($observation->{last_seen} || iso_now()),

+                int($observation->{seen_count} || 1),

+                clean_scalar($observation->{last_peer} || ''),

+            );

+        }

+    });

+}

+

+sub parse_mdns_observations_yaml {

+    my ($text) = @_;

+    my %db = ( observations => [] );

+    my ($section, $current);

+    for my $line (split /\n/, $text || '') {

+        next if $line =~ /^\s*$/ || $line =~ /^\s*#/;

+        if ($line =~ /^observations:\s*$/) {

+            $section = 'observations';

+        } elsif (($section || '') eq 'observations' && $line =~ /^  - key:\s*(.+)$/) {

+            $current = { key => yaml_unquote($1) };

+            push @{ $db{observations} }, $current;

+        } elsif ($current && $line =~ /^    ([A-Za-z0-9_]+):\s*(.*)$/) {

+            $current->{$1} = yaml_unquote($2);

+        }

+    }

+    return \%db;

+}

+

+sub set_schema_meta {

+    my ($dbh, $key, $value) = @_;

+        'INSERT INTO schema_meta (key, value, updated_at) VALUES (?, ?, ?) '

+        . 'ON CONFLICT(key) DO UPDATE SET value = excluded.value, updated_at = excluded.updated_at',

+        $key,

+        defined $value ? $value : '',

+sub fqdn_for_legacy_id {

+    my ($dbh, $legacy_id) = @_;

+    return '' unless length($legacy_id || '');

+    my ($fqdn) = $dbh->selectrow_array('SELECT fqdn FROM hosts WHERE legacy_id = ?', undef, $legacy_id);

+    return $fqdn || '';

+}

+

+sub canonical_host_fqdn {

+    my ($host) = @_;

+    my @names = map { normalize_dns_name($_) } @{ $host->{names} || [] };

+    for my $name (@names) {

+        return $name if $name =~ /\.madagascar\.xdev\.ro\z/ && !name_is_vhost($name);

+    }

+    for my $name (@names) {

+        return $name if $name =~ /\./ && !name_is_vhost($name);

+    }

+    for my $name (@names) {

+        return $name if $name =~ /\./;