+# SQLite Database

+

+Madagascar Local Authority folosește SQLite ca sursă de adevăr runtime pentru hosturi, aliasuri, vhosturi, Work Orders, workeri de date și certificate.

+

+Locația implicită în checkout:

+

+```text

+var/host-manager.sqlite

+```

+

+Locația runtime pe jumper:

+

+```text

+/usr/local/xdev-host-manager/var/host-manager.sqlite

+```

+

+Path-ul poate fi schimbat cu:

+

+```text

+HOST_MANAGER_DB=/path/to/host-manager.sqlite

+```

+

+## Principii

+

+Hosturile sunt identificate prin FQDN complet, nu prin short name. Exemplu: `gw.local` și `gw.remote` sunt identități diferite. Coloana compatibilă `legacy_id` păstrează ID-ul scurt folosit de UI-ul curent, dar cheia reală este `hosts.fqdn`.

+

+Schema evită să transforme `hosts` într-un tabel cu prea multe coloane. Datele specializate stau în tabele separate:

+

+- aliasuri: [`host_aliases`](tables/host_aliases.md)

+- roluri: [`host_roles`](tables/host_roles.md)

+- surse: [`host_sources`](tables/host_sources.md)

+- flaguri: [`host_flags`](tables/host_flags.md)

+- SSH: [`host_ssh`](tables/host_ssh.md)

+- vhosturi mutabile: [`vhosts`](tables/vhosts.md)

+- certificate: [`certificates`](tables/certificates.md), [`certificate_dns_names`](tables/certificate_dns_names.md)

+- workeri și observații: [`data_workers`](tables/data_workers.md), [`dhcp_leases`](tables/dhcp_leases.md), [`mdns_observations`](tables/mdns_observations.md)

+

+[`documents`](tables/documents.md) rămâne doar tabel legacy pentru migrarea din modelul vechi document-store. Aplicația nu îl mai folosește ca sursă de adevăr.

+

+## Schema Version

+

+Schema curentă este versiunea `2`.

+

+```sql

+schema_meta('schema_version') = '2'

+```

+

+[`schema_meta`](tables/schema_meta.md) păstrează și metadate runtime precum `registry_updated_at`.

+

+## Catalog

+

+| Tabel | Rol |

+|-------|-----|

+| [`schema_meta`](tables/schema_meta.md) | metadate de schemă/runtime |

+| [`documents`](tables/documents.md) | document-store legacy pentru migrare |

+| [`hosts`](tables/hosts.md) | hosturi canonice, identificate prin FQDN |

+| [`host_aliases`](tables/host_aliases.md) | aliasuri păstrate inclusiv după retragere |

+| [`host_roles`](tables/host_roles.md) | roluri active/retrase per host |

+| [`host_sources`](tables/host_sources.md) | surse active/retrase per host |

+| [`host_flags`](tables/host_flags.md) | flaguri extensibile per host |

+| [`host_ssh`](tables/host_ssh.md) | profile SSH per host |

+| [`vhosts`](tables/vhosts.md) | vhosturi mutabile între hosturi |

+| [`data_workers`](tables/data_workers.md) | workeri/surse care colectează date |

+| [`dhcp_leases`](tables/dhcp_leases.md) | date observate din DHCP lease/reservation |

+| [`mdns_observations`](tables/mdns_observations.md) | date observate din mDNS |

+| [`certificates`](tables/certificates.md) | certificate emise de CA locală |

+| [`certificate_dns_names`](tables/certificate_dns_names.md) | SAN DNS names pentru certificate |

+| [`work_orders`](tables/work_orders.md) | Work Orders |

+| [`work_order_checklist`](tables/work_order_checklist.md) | checklist items pentru Work Orders |

+| [`work_order_actions`](tables/work_order_actions.md) | acțiuni confirmabile pentru Work Orders |

+

+## Relații Principale

+

+```mermaid

+erDiagram

+  hosts ||--o{ host_aliases : has

+  hosts ||--o{ vhosts : serves

+  hosts ||--o{ host_roles : has

+  hosts ||--o{ host_sources : has

+  hosts ||--o{ host_flags : has

+  hosts ||--o{ host_ssh : has

+  hosts ||--o{ dhcp_leases : may_match

+  hosts ||--o{ mdns_observations : may_match

+  hosts ||--o{ certificates : may_own

+  certificates ||--o{ certificate_dns_names : has

+  data_workers ||--o{ dhcp_leases : collects

+  data_workers ||--o{ mdns_observations : collects

+  work_orders ||--o{ work_order_checklist : has

+  work_orders ||--o{ work_order_actions : has

+  hosts ||--o{ work_order_actions : targets

+```

+

+## Migrare și Seed

+

+La prima inițializare a unei baze fără rânduri în `hosts`, aplicația seed-uiește din:

+

+1. `documents.name = 'hosts_yaml'`, dacă există din vechiul model

+2. `config/hosts.yaml`, dacă documentul legacy lipsește

+3. document gol valid, dacă lipsește și seed-ul

+

+Work Orders se seed-uiesc similar din `documents.name = 'work_orders_yaml'` sau `config/work-orders.yaml`.

+

+Seed-ul curent produce:

+

+- 11 hosturi cunoscute

+- aliasuri scurte derivate pentru hosturi și vhosturi

+- vhosturile `hosts.*`, `pmx.*` și `pbs.*`

+- workerii `dhcp-router` și `mdns-listener`

+- Work Order-ul existent pentru retragerea numelor legacy

+

+`config/local-hosts.tsv` rămâne manifest generat explicit din tabelele runtime.

+

+## Inspecție

+

+Pe jumper:

+

+```bash

+cd /usr/local/xdev-host-manager

+sqlite3 var/host-manager.sqlite '.tables'

+sqlite3 var/host-manager.sqlite '.schema hosts'

+sqlite3 var/host-manager.sqlite '.schema host_aliases'

+sqlite3 var/host-manager.sqlite '.schema vhosts'

+sqlite3 var/host-manager.sqlite 'pragma foreign_key_list(vhosts);'

+sqlite3 var/host-manager.sqlite 'pragma index_list(host_aliases);'

+sqlite3 var/host-manager.sqlite 'select fqdn, legacy_id, status, dns_ip from hosts order by legacy_id;'

+sqlite3 var/host-manager.sqlite 'select alias_name, host_fqdn, alias_kind, status from host_aliases order by alias_name;'

+sqlite3 var/host-manager.sqlite 'select vhost_fqdn, host_fqdn, status from vhosts order by vhost_fqdn;'

+```

+

+## Backup

+

+Backup recomandat:

+

+```bash

+cd /usr/local/xdev-host-manager

+sqlite3 var/host-manager.sqlite ".backup 'backups/host-manager/host-manager.sqlite.$(date +%Y%m%d_%H%M%S).bak'"

+```

+

+Cu WAL activ, o copie brută trebuie să trateze fișierele ca set coerent:

+

+```text

+var/host-manager.sqlite

+var/host-manager.sqlite-wal

+var/host-manager.sqlite-shm

+```

+

+## Restore

+

+Restore-ul înlocuiește sursa de adevăr runtime:

+

+```bash

+sudo systemctl stop host-manager

+sudo cp backups/host-manager/host-manager.sqlite.YYYYMMDD_HHMMSS.bak var/host-manager.sqlite

+sudo chown host-manager:host-manager var/host-manager.sqlite

+sudo systemctl start host-manager

+curl -fsS http://127.0.0.1:8088/healthz >/dev/null

+```

+# Table: `certificate_dns_names`

+

+Stores DNS Subject Alternative Names for certificates.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `certificate_id` | `TEXT` | no | none | Certificate identifier. References `certificates(certificate_id)`. |

+| `dns_name` | `TEXT` | no | none | DNS SAN value. |

+

+## Keys And Indexes

+

+- Primary key: `(certificate_id, dns_name)`

+- Lookup index: `idx_certificate_dns_names_dns_name` on `dns_name`

+

+## Relationships

+

+- `certificate_id` references `certificates(certificate_id)` with `ON UPDATE CASCADE ON DELETE CASCADE`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS certificate_dns_names (

+    certificate_id TEXT NOT NULL,

+    dns_name TEXT NOT NULL,

+    PRIMARY KEY (certificate_id, dns_name),

+    FOREIGN KEY (certificate_id) REFERENCES certificates(certificate_id) ON UPDATE CASCADE ON DELETE CASCADE

+);

+

+CREATE INDEX IF NOT EXISTS idx_certificate_dns_names_dns_name

+ON certificate_dns_names(dns_name);

+```

+# Table: `certificates`

+

+Stores metadata for certificates issued by the local CA.

+

+Certificate rows are synchronized when the app reads `ca_manager.sh list-json`.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `certificate_id` | `TEXT` | no | none | Certificate identifier, currently derived from issued cert filename. Primary key. |

+| `host_fqdn` | `TEXT` | yes | `NULL` | Matched host if known. References `hosts(fqdn)`. |

+| `common_name` | `TEXT` | no | `''` | Common name or primary DNS name. |

+| `subject` | `TEXT` | no | `''` | Certificate subject. |

+| `issuer` | `TEXT` | no | `''` | Certificate issuer. |

+| `serial` | `TEXT` | yes | `NULL` | Certificate serial. Unique when present. |

+| `status` | `TEXT` | no | `'issued'` | Certificate lifecycle state. |

+| `not_before` | `TEXT` | no | `''` | Certificate validity start. |

+| `not_after` | `TEXT` | no | `''` | Certificate validity end. |

+| `fingerprint_sha256` | `TEXT` | yes | `NULL` | SHA256 fingerprint. Unique when present. |

+| `cert_path` | `TEXT` | no | `''` | Certificate file path. |

+| `csr_path` | `TEXT` | no | `''` | CSR file path. |

+| `created_at` | `TEXT` | no | none | ISO UTC creation timestamp. |

+| `updated_at` | `TEXT` | no | none | ISO UTC update timestamp. |

+| `notes` | `TEXT` | no | `''` | Operator notes. |

+

+## Keys And Indexes

+

+- Primary key: `certificate_id`

+- Unique: `serial`

+- Unique: `fingerprint_sha256`

+

+## Relationships

+

+- `host_fqdn` references `hosts(fqdn)` with `ON UPDATE CASCADE ON DELETE SET NULL`

+- Referenced by `certificate_dns_names.certificate_id`

+- Referenced by `vhosts.certificate_id`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS certificates (

+    certificate_id TEXT PRIMARY KEY,

+    host_fqdn TEXT,

+    common_name TEXT NOT NULL DEFAULT '',

+    subject TEXT NOT NULL DEFAULT '',

+    issuer TEXT NOT NULL DEFAULT '',

+    serial TEXT UNIQUE,

+    status TEXT NOT NULL DEFAULT 'issued',

+    not_before TEXT NOT NULL DEFAULT '',

+    not_after TEXT NOT NULL DEFAULT '',

+    fingerprint_sha256 TEXT UNIQUE,

+    cert_path TEXT NOT NULL DEFAULT '',

+    csr_path TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL,

+    notes TEXT NOT NULL DEFAULT '',

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE SET NULL

+);

+```

+# Table: `data_workers`

+

+Stores worker/source definitions for collected external data.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `worker_id` | `TEXT` | no | none | Worker identifier. Primary key. |

+| `worker_type` | `TEXT` | no | none | Worker type, for example `dhcp` or `mdns`. |

+| `name` | `TEXT` | no | `''` | Human-readable name. |

+| `status` | `TEXT` | no | `'active'` | Worker lifecycle state. |

+| `source` | `TEXT` | no | `''` | Source endpoint/file. |

+| `last_run_at` | `TEXT` | yes | `NULL` | Last successful collection timestamp. |

+| `notes` | `TEXT` | no | `''` | Operator notes. |

+| `created_at` | `TEXT` | no | none | ISO UTC creation timestamp. |

+| `updated_at` | `TEXT` | no | none | ISO UTC update timestamp. |

+

+## Keys And Indexes

+

+- Primary key: `worker_id`

+- Lookup index: `idx_data_workers_type_status` on `(worker_type, status)`

+

+## Relationships

+

+Referenced by:

+

+- `dhcp_leases.worker_id`

+- `mdns_observations.worker_id`

+

+## Seed Rows

+

+- `dhcp-router`, type `dhcp`

+- `mdns-listener`, type `mdns`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS data_workers (

+    worker_id TEXT PRIMARY KEY,

+    worker_type TEXT NOT NULL,

+    name TEXT NOT NULL DEFAULT '',

+    status TEXT NOT NULL DEFAULT 'active',

+    source TEXT NOT NULL DEFAULT '',

+    last_run_at TEXT,

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL

+);

+

+CREATE INDEX IF NOT EXISTS idx_data_workers_type_status

+ON data_workers(worker_type, status);

+```

+# Table: `dhcp_leases`

+

+Stores observed DHCP lease/reservation data.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `lease_key` | `TEXT` | no | none | Stable lease observation key. Primary key. |

+| `worker_id` | `TEXT` | no | none | Collector worker. References `data_workers(worker_id)`. |

+| `host_fqdn` | `TEXT` | yes | `NULL` | Matched host if known. References `hosts(fqdn)`. |

+| `observed_name` | `TEXT` | no | `''` | Name reported by DHCP. |

+| `ip_address` | `TEXT` | no | none | Observed IP address. |

+| `mac_address` | `TEXT` | no | `''` | Observed MAC address. |

+| `lease_state` | `TEXT` | no | `''` | DHCP state, if known. |

+| `first_seen` | `TEXT` | no | none | First observation timestamp. |

+| `last_seen` | `TEXT` | no | none | Last observation timestamp. |

+| `raw` | `TEXT` | no | `''` | Raw source payload or diagnostic text. |

+

+## Keys And Indexes

+

+- Primary key: `lease_key`

+- `idx_dhcp_leases_ip` on `ip_address`

+- `idx_dhcp_leases_mac` on `mac_address`

+- `idx_dhcp_leases_worker_last_seen` on `(worker_id, last_seen)`

+

+## Relationships

+

+- `worker_id` references `data_workers(worker_id)` with `ON UPDATE CASCADE ON DELETE RESTRICT`

+- `host_fqdn` references `hosts(fqdn)` with `ON UPDATE CASCADE ON DELETE SET NULL`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS dhcp_leases (

+    lease_key TEXT PRIMARY KEY,

+    worker_id TEXT NOT NULL,

+    host_fqdn TEXT,

+    observed_name TEXT NOT NULL DEFAULT '',

+    ip_address TEXT NOT NULL,

+    mac_address TEXT NOT NULL DEFAULT '',

+    lease_state TEXT NOT NULL DEFAULT '',

+    first_seen TEXT NOT NULL,

+    last_seen TEXT NOT NULL,

+    raw TEXT NOT NULL DEFAULT '',

+    FOREIGN KEY (worker_id) REFERENCES data_workers(worker_id) ON UPDATE CASCADE ON DELETE RESTRICT,

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE SET NULL

+);

+

+CREATE INDEX IF NOT EXISTS idx_dhcp_leases_ip ON dhcp_leases(ip_address);

+CREATE INDEX IF NOT EXISTS idx_dhcp_leases_mac ON dhcp_leases(mac_address);

+CREATE INDEX IF NOT EXISTS idx_dhcp_leases_worker_last_seen

+ON dhcp_leases(worker_id, last_seen);

+```

+# Table: `documents`

+

+Legacy document-store table kept only for migration from the first SQLite implementation.

+

+The application no longer uses this table as source of truth after relational tables are seeded.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `name` | `TEXT` | no | none | Legacy document name. Known values: `hosts_yaml`, `work_orders_yaml`. |

+| `content` | `TEXT` | no | none | Legacy YAML payload. |

+| `updated_at` | `TEXT` | no | none | Legacy document update timestamp. |

+

+## Keys And Indexes

+

+- Primary key: `name`

+- SQLite creates the internal primary-key index.

+

+## Relationships

+

+None. Migration code reads this table and imports the YAML into relational tables when `hosts` or `work_orders` are empty.

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS documents (

+    name TEXT PRIMARY KEY,

+    content TEXT NOT NULL,

+    updated_at TEXT NOT NULL

+);

+```

+# Table: `host_aliases`

+

+Stores aliases for canonical hosts. Aliases are retained after retirement for audit and collision prevention.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `alias_name` | `TEXT` | no | none | Alias DNS name or short alias. |

+| `host_fqdn` | `TEXT` | no | none | Target host. References `hosts(fqdn)`. |

+| `alias_kind` | `TEXT` | no | `'declared'` | `declared`, `derived`, or `derived-vhost`. |

+| `status` | `TEXT` | no | `'active'` | Alias lifecycle state. |

+| `is_dns_published` | `INTEGER` | no | `1` | Whether this alias should appear in generated DNS exports. |

+| `created_at` | `TEXT` | no | none | ISO UTC creation timestamp. |

+| `retired_at` | `TEXT` | yes | `NULL` | ISO UTC retirement timestamp. |

+| `notes` | `TEXT` | no | `''` | Operator notes. |

+

+## Keys And Indexes

+

+- Primary key: `(alias_name, host_fqdn)`

+- Unique partial index: `idx_host_aliases_active_name` on `alias_name` where `status = 'active'`

+- Lookup index: `idx_host_aliases_host_status` on `(host_fqdn, status)`

+

+## Relationships

+

+- `host_fqdn` references `hosts(fqdn)` with `ON UPDATE CASCADE ON DELETE RESTRICT`

+

+## Rules

+

+- A retired alias is not deleted; `status` changes to `retired` and `is_dns_published` is set to `0`.

+- One active alias can point to only one host.

+- Derived short names such as `baobab` are persisted with `alias_kind = 'derived'`.

+- Derived vhost short names such as `pmx.baobab` are persisted with `alias_kind = 'derived-vhost'`.

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS host_aliases (

+    alias_name TEXT NOT NULL,

+    host_fqdn TEXT NOT NULL,

+    alias_kind TEXT NOT NULL DEFAULT 'declared',

+    status TEXT NOT NULL DEFAULT 'active',

+    is_dns_published INTEGER NOT NULL DEFAULT 1,

+    created_at TEXT NOT NULL,

+    retired_at TEXT,

+    notes TEXT NOT NULL DEFAULT '',

+    PRIMARY KEY (alias_name, host_fqdn),

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE RESTRICT

+);

+

+CREATE UNIQUE INDEX IF NOT EXISTS idx_host_aliases_active_name

+ON host_aliases(alias_name)

+WHERE status = 'active';

+

+CREATE INDEX IF NOT EXISTS idx_host_aliases_host_status

+ON host_aliases(host_fqdn, status);

+```

+# Table: `host_flags`

+

+Stores extensible boolean/string flags for hosts without adding one column per flag to `hosts`.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `host_fqdn` | `TEXT` | no | none | Target host. References `hosts(fqdn)`. |

+| `flag` | `TEXT` | no | none | Flag name. |

+| `value` | `TEXT` | no | `'1'` | Flag value. |

+| `created_at` | `TEXT` | no | none | ISO UTC creation timestamp. |

+| `updated_at` | `TEXT` | no | none | ISO UTC update timestamp. |

+

+## Keys And Indexes

+

+- Primary key: `(host_fqdn, flag)`

+

+## Relationships

+

+- `host_fqdn` references `hosts(fqdn)` with `ON UPDATE CASCADE ON DELETE RESTRICT`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS host_flags (

+    host_fqdn TEXT NOT NULL,

+    flag TEXT NOT NULL,

+    value TEXT NOT NULL DEFAULT '1',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL,

+    PRIMARY KEY (host_fqdn, flag),

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE RESTRICT

+);

+```

+# Table: `host_roles`

+

+Stores host roles separately from `hosts` so the host table does not grow a role-specific column set.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `host_fqdn` | `TEXT` | no | none | Target host. References `hosts(fqdn)`. |

+| `role` | `TEXT` | no | none | Role label, for example `proxmox`, `pbs`, `storage`. |

+| `status` | `TEXT` | no | `'active'` | Role lifecycle state. |

+| `created_at` | `TEXT` | no | none | ISO UTC creation timestamp. |

+| `retired_at` | `TEXT` | yes | `NULL` | ISO UTC retirement timestamp. |

+

+## Keys And Indexes

+

+- Primary key: `(host_fqdn, role)`

+

+## Relationships

+

+- `host_fqdn` references `hosts(fqdn)` with `ON UPDATE CASCADE ON DELETE RESTRICT`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS host_roles (

+    host_fqdn TEXT NOT NULL,

+    role TEXT NOT NULL,

+    status TEXT NOT NULL DEFAULT 'active',

+    created_at TEXT NOT NULL,

+    retired_at TEXT,

+    PRIMARY KEY (host_fqdn, role),

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE RESTRICT

+);

+```

+# Table: `host_sources`

+

+Stores evidence/source labels for a host.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `host_fqdn` | `TEXT` | no | none | Target host. References `hosts(fqdn)`. |

+| `source` | `TEXT` | no | none | Source label, for example `local-hosts.tsv` or `madagascar.json`. |

+| `status` | `TEXT` | no | `'active'` | Source lifecycle state. |

+| `created_at` | `TEXT` | no | none | ISO UTC creation timestamp. |

+| `retired_at` | `TEXT` | yes | `NULL` | ISO UTC retirement timestamp. |

+

+## Keys And Indexes

+

+- Primary key: `(host_fqdn, source)`

+

+## Relationships

+

+- `host_fqdn` references `hosts(fqdn)` with `ON UPDATE CASCADE ON DELETE RESTRICT`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS host_sources (

+    host_fqdn TEXT NOT NULL,

+    source TEXT NOT NULL,

+    status TEXT NOT NULL DEFAULT 'active',

+    created_at TEXT NOT NULL,

+    retired_at TEXT,

+    PRIMARY KEY (host_fqdn, source),

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE RESTRICT

+);

+```

+# Table: `host_ssh`

+

+Stores SSH access profiles separately from `hosts`.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `host_fqdn` | `TEXT` | no | none | Target host. References `hosts(fqdn)`. |

+| `profile_name` | `TEXT` | no | `'default'` | SSH profile name. |

+| `username` | `TEXT` | no | `''` | SSH username. |

+| `port` | `INTEGER` | no | `22` | SSH port. |

+| `identity_file` | `TEXT` | no | `''` | SSH identity path or key label. |

+| `address` | `TEXT` | no | `''` | Optional override address. |

+| `local_forward_host` | `TEXT` | no | `''` | Optional local-forward host. |

+| `local_forward_port` | `INTEGER` | yes | `NULL` | Optional local-forward port. |

+| `remote_forward_host` | `TEXT` | no | `''` | Optional remote-forward host. |

+| `remote_forward_port` | `INTEGER` | yes | `NULL` | Optional remote-forward port. |

+| `notes` | `TEXT` | no | `''` | Operator notes. |

+| `created_at` | `TEXT` | no | none | ISO UTC creation timestamp. |

+| `updated_at` | `TEXT` | no | none | ISO UTC update timestamp. |

+

+## Keys And Indexes

+

+- Primary key: `(host_fqdn, profile_name)`

+

+## Relationships

+

+- `host_fqdn` references `hosts(fqdn)` with `ON UPDATE CASCADE ON DELETE RESTRICT`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS host_ssh (

+    host_fqdn TEXT NOT NULL,

+    profile_name TEXT NOT NULL DEFAULT 'default',

+    username TEXT NOT NULL DEFAULT '',

+    port INTEGER NOT NULL DEFAULT 22,

+    identity_file TEXT NOT NULL DEFAULT '',

+    address TEXT NOT NULL DEFAULT '',

+    local_forward_host TEXT NOT NULL DEFAULT '',

+    local_forward_port INTEGER,

+    remote_forward_host TEXT NOT NULL DEFAULT '',

+    remote_forward_port INTEGER,

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL,

+    PRIMARY KEY (host_fqdn, profile_name),

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE RESTRICT

+);

+```

+# Table: `hosts`

+

+Canonical host registry. Hosts are identified by full DNS name in `fqdn`.

+

+`legacy_id` exists for compatibility with the current UI/API, but it is not the canonical identity.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `fqdn` | `TEXT` | no | none | Canonical full host name. Primary key. |

+| `legacy_id` | `TEXT` | no | none | Short ID used by the existing UI/API. Unique. |

+| `status` | `TEXT` | no | `'active'` | Host lifecycle state, currently `active`, `planned`, or `retired`. |

+| `hosts_ip` | `TEXT` | no | `''` | IP used for `/etc/hosts` on jumper. |

+| `dns_ip` | `TEXT` | no | `''` | IP published to clients through local DNS. |

+| `monitoring` | `TEXT` | no | `'pending'` | Monitoring state. |

+| `notes` | `TEXT` | no | `''` | Operator notes. |

+| `created_at` | `TEXT` | no | none | ISO UTC creation timestamp. |

+| `updated_at` | `TEXT` | no | none | ISO UTC update timestamp. |

+

+## Keys And Indexes

+

+- Primary key: `fqdn`

+- Unique key: `legacy_id`

+

+## Relationships

+

+Referenced by:

+

+- `host_aliases.host_fqdn`

+- `host_roles.host_fqdn`

+- `host_sources.host_fqdn`

+- `host_flags.host_fqdn`

+- `host_ssh.host_fqdn`

+- `vhosts.host_fqdn`

+- `dhcp_leases.host_fqdn`

+- `mdns_observations.host_fqdn`

+- `certificates.host_fqdn`

+- `work_order_actions.host_fqdn`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS hosts (

+    fqdn TEXT PRIMARY KEY,

+    legacy_id TEXT NOT NULL UNIQUE,

+    status TEXT NOT NULL DEFAULT 'active',

+    hosts_ip TEXT NOT NULL DEFAULT '',

+    dns_ip TEXT NOT NULL DEFAULT '',

+    monitoring TEXT NOT NULL DEFAULT 'pending',

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL

+);

+```

+# Table: `mdns_observations`

+

+Stores observed mDNS records.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `observation_key` | `TEXT` | no | none | Stable observation key. Primary key. |

+| `worker_id` | `TEXT` | no | none | Collector worker. References `data_workers(worker_id)`. |

+| `host_fqdn` | `TEXT` | yes | `NULL` | Matched host if known. References `hosts(fqdn)`. |

+| `observed_name` | `TEXT` | no | none | Observed mDNS name. |

+| `ip_address` | `TEXT` | no | none | Observed IP address. |

+| `rr_type` | `TEXT` | no | `'A'` | DNS record type. |

+| `ttl` | `INTEGER` | no | `0` | Observed TTL. |

+| `first_seen` | `TEXT` | no | none | First observation timestamp. |

+| `last_seen` | `TEXT` | no | none | Last observation timestamp. |

+| `seen_count` | `INTEGER` | no | `1` | Number of times observed. |

+| `last_peer` | `TEXT` | no | `''` | Last sender peer. |

+| `raw` | `TEXT` | no | `''` | Raw source payload or diagnostic text. |

+

+## Keys And Indexes

+

+- Primary key: `observation_key`

+- `idx_mdns_observations_name` on `observed_name`

+- `idx_mdns_observations_ip` on `ip_address`

+- `idx_mdns_observations_worker_last_seen` on `(worker_id, last_seen)`

+

+## Relationships

+

+- `worker_id` references `data_workers(worker_id)` with `ON UPDATE CASCADE ON DELETE RESTRICT`

+- `host_fqdn` references `hosts(fqdn)` with `ON UPDATE CASCADE ON DELETE SET NULL`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS mdns_observations (

+    observation_key TEXT PRIMARY KEY,

+    worker_id TEXT NOT NULL,

+    host_fqdn TEXT,

+    observed_name TEXT NOT NULL,

+    ip_address TEXT NOT NULL,

+    rr_type TEXT NOT NULL DEFAULT 'A',

+    ttl INTEGER NOT NULL DEFAULT 0,

+    first_seen TEXT NOT NULL,

+    last_seen TEXT NOT NULL,

+    seen_count INTEGER NOT NULL DEFAULT 1,

+    last_peer TEXT NOT NULL DEFAULT '',

+    raw TEXT NOT NULL DEFAULT '',

+    FOREIGN KEY (worker_id) REFERENCES data_workers(worker_id) ON UPDATE CASCADE ON DELETE RESTRICT,

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE SET NULL

+);

+

+CREATE INDEX IF NOT EXISTS idx_mdns_observations_name ON mdns_observations(observed_name);

+CREATE INDEX IF NOT EXISTS idx_mdns_observations_ip ON mdns_observations(ip_address);

+CREATE INDEX IF NOT EXISTS idx_mdns_observations_worker_last_seen

+ON mdns_observations(worker_id, last_seen);

+```

+# Table: `schema_meta`

+

+Stores schema/runtime metadata as key-value rows.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `key` | `TEXT` | no | none | Metadata key. |

+| `value` | `TEXT` | no | none | Metadata value. |

+| `updated_at` | `TEXT` | no | none | ISO UTC timestamp written by the application. |

+

+## Keys And Indexes

+

+- Primary key: `key`

+- SQLite creates the internal primary-key index.

+

+## Known Keys

+

+| Key | Meaning |

+|-----|---------|

+| `schema_version` | Current relational schema version. Current value: `2`. |

+| `registry_updated_at` | Last registry update timestamp used for API/export metadata. |

+

+## Relationships

+

+None.

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS schema_meta (

+    key TEXT PRIMARY KEY,

+    value TEXT NOT NULL,

+    updated_at TEXT NOT NULL

+);

+```

+# Table: `vhosts`

+

+Stores virtual hosts separately from physical/logical hosts so a vhost can be moved between hosts.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `vhost_fqdn` | `TEXT` | no | none | Vhost DNS name. Primary key. |

+| `host_fqdn` | `TEXT` | no | none | Current host serving the vhost. References `hosts(fqdn)`. |

+| `status` | `TEXT` | no | `'active'` | Vhost lifecycle state. |

+| `service_name` | `TEXT` | no | `''` | Service label, often inferred from first DNS label. |

+| `upstream_url` | `TEXT` | no | `''` | Optional upstream URL. |

+| `tls_mode` | `TEXT` | no | `'local-ca'` | TLS handling mode. |

+| `certificate_id` | `TEXT` | yes | `NULL` | Optional issued certificate. References `certificates(certificate_id)`. |

+| `notes` | `TEXT` | no | `''` | Operator notes. |

+| `created_at` | `TEXT` | no | none | ISO UTC creation timestamp. |

+| `updated_at` | `TEXT` | no | none | ISO UTC update timestamp. |

+

+## Keys And Indexes

+

+- Primary key: `vhost_fqdn`

+- Lookup index: `idx_vhosts_host_status` on `(host_fqdn, status)`

+

+## Relationships

+

+- `host_fqdn` references `hosts(fqdn)` with `ON UPDATE CASCADE ON DELETE RESTRICT`

+- `certificate_id` references `certificates(certificate_id)` with `ON UPDATE CASCADE ON DELETE SET NULL`

+

+## Rules

+

+- Moving a vhost means updating `host_fqdn`.

+- Retiring a vhost means setting `status = 'retired'`; the row remains.

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS vhosts (

+    vhost_fqdn TEXT PRIMARY KEY,

+    host_fqdn TEXT NOT NULL,

+    status TEXT NOT NULL DEFAULT 'active',

+    service_name TEXT NOT NULL DEFAULT '',

+    upstream_url TEXT NOT NULL DEFAULT '',

+    tls_mode TEXT NOT NULL DEFAULT 'local-ca',

+    certificate_id TEXT,

+    notes TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    updated_at TEXT NOT NULL,

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE RESTRICT,

+    FOREIGN KEY (certificate_id) REFERENCES certificates(certificate_id) ON UPDATE CASCADE ON DELETE SET NULL

+);

+

+CREATE INDEX IF NOT EXISTS idx_vhosts_host_status

+ON vhosts(host_fqdn, status);

+```

+# Table: `work_order_actions`

+

+Stores ordered actions attached to Work Orders.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `work_order_id` | `TEXT` | no | none | Parent Work Order. References `work_orders(id)`. |

+| `position` | `INTEGER` | no | none | Ordered action position. |

+| `type` | `TEXT` | no | none | Action type, for example `remove_name`. |

+| `host_fqdn` | `TEXT` | yes | `NULL` | Target host if resolved. References `hosts(fqdn)`. |

+| `host_legacy_id` | `TEXT` | no | `''` | Compatibility target ID from old Work Order format. |

+| `name` | `TEXT` | no | `''` | Target name for action. |

+| `payload` | `TEXT` | no | `''` | Reserved structured payload field. |

+

+## Keys And Indexes

+

+- Primary key: `(work_order_id, position)`

+

+## Relationships

+

+- `work_order_id` references `work_orders(id)` with `ON UPDATE CASCADE ON DELETE CASCADE`

+- `host_fqdn` references `hosts(fqdn)` with `ON UPDATE CASCADE ON DELETE SET NULL`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS work_order_actions (

+    work_order_id TEXT NOT NULL,

+    position INTEGER NOT NULL,

+    type TEXT NOT NULL,

+    host_fqdn TEXT,

+    host_legacy_id TEXT NOT NULL DEFAULT '',

+    name TEXT NOT NULL DEFAULT '',

+    payload TEXT NOT NULL DEFAULT '',

+    PRIMARY KEY (work_order_id, position),

+    FOREIGN KEY (work_order_id) REFERENCES work_orders(id) ON UPDATE CASCADE ON DELETE CASCADE,

+    FOREIGN KEY (host_fqdn) REFERENCES hosts(fqdn) ON UPDATE CASCADE ON DELETE SET NULL

+);

+```

+# Table: `work_order_checklist`

+

+Stores checklist items for Work Orders.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `work_order_id` | `TEXT` | no | none | Parent Work Order. References `work_orders(id)`. |

+| `item_id` | `TEXT` | no | none | Checklist item ID. |

+| `text` | `TEXT` | no | `''` | Checklist item text. |

+| `status` | `TEXT` | no | `'pending'` | Item state. |

+| `owner` | `TEXT` | no | `''` | Optional owner. |

+| `notes` | `TEXT` | no | `''` | Operator notes. |

+| `updated_at` | `TEXT` | no | `''` | Item update timestamp. |

+

+## Keys And Indexes

+

+- Primary key: `(work_order_id, item_id)`

+

+## Relationships

+

+- `work_order_id` references `work_orders(id)` with `ON UPDATE CASCADE ON DELETE CASCADE`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS work_order_checklist (

+    work_order_id TEXT NOT NULL,

+    item_id TEXT NOT NULL,

+    text TEXT NOT NULL DEFAULT '',

+    status TEXT NOT NULL DEFAULT 'pending',

+    owner TEXT NOT NULL DEFAULT '',

+    notes TEXT NOT NULL DEFAULT '',

+    updated_at TEXT NOT NULL DEFAULT '',

+    PRIMARY KEY (work_order_id, item_id),

+    FOREIGN KEY (work_order_id) REFERENCES work_orders(id) ON UPDATE CASCADE ON DELETE CASCADE

+);

+```

+# Table: `work_orders`

+

+Stores Work Order headers.

+

+## Columns

+

+| Column | Type | Null | Default | Notes |

+|--------|------|------|---------|-------|

+| `id` | `TEXT` | no | none | Work Order ID. Primary key. |

+| `status` | `TEXT` | no | `'pending'` | Work Order state. |

+| `title` | `TEXT` | no | `''` | Title. |

+| `reason` | `TEXT` | no | `''` | Reason/context. |

+| `created_at` | `TEXT` | no | none | ISO UTC creation timestamp. |

+| `confirmed_at` | `TEXT` | no | `''` | Confirmation timestamp, empty until confirmed. |

+| `result` | `TEXT` | no | `''` | Result summary. |

+| `updated_at` | `TEXT` | no | none | ISO UTC update timestamp. |

+

+## Keys And Indexes

+

+- Primary key: `id`

+

+## Relationships

+

+Referenced by:

+

+- `work_order_checklist.work_order_id`

+- `work_order_actions.work_order_id`

+

+## Definition

+

+```sql

+CREATE TABLE IF NOT EXISTS work_orders (

+    id TEXT PRIMARY KEY,

+    status TEXT NOT NULL DEFAULT 'pending',

+    title TEXT NOT NULL DEFAULT '',

+    reason TEXT NOT NULL DEFAULT '',

+    created_at TEXT NOT NULL,

+    confirmed_at TEXT NOT NULL DEFAULT '',

+    result TEXT NOT NULL DEFAULT '',

+    updated_at TEXT NOT NULL

+);

+```

+- [`.doc/database/`](.doc/database/README.md)

+- [.doc/database/](.doc/database/README.md) - SQLite runtime store schema, table docs, seed rules, backup and restore.