+| `hosts_ip` | `TEXT` | no | `''` | Legacy compatibility column. The current app model keeps one canonical routable IP and mirrors it here. |

+| `dns_ip` | `TEXT` | no | `''` | Canonical routable IP for the host. The current UI/API expose this as a single `ip` field. |

+- The `certificate_id` binding stays on the vhost row when the vhost moves to another host.

+## 2026-06-09 - Verificare sesiune inainte de fluxuri cu save

+

+Regula de development: orice operatie UI care poate ajunge la `save`/`submit` trebuie sa verifice starea de autentificare inainte ca operatorul sa inceapa editarea si din nou imediat inainte de salvare. Aceeasi regula se aplica la schimbarea taburilor/sectiunilor, pentru ca navigarea poate declansa incarcari sau actiuni protejate.

+

+Comportamentul asteptat:

+

+- daca sesiunea este valida, fluxul continua normal

+- daca sesiunea lipseste sau a expirat, aplicatia revine coerent la login

+- datele deja introduse intr-un formular nu trebuie resetate doar pentru ca autentificarea a expirat inainte de save

+

+Scop:

+

+- evitarea pierderii modificarilor locale din formulare

+- separarea clara intre erori de validare si sesiune expirata

+- evitarea operatiunilor partiale pe endpoint-uri protejate

+

+Modelul curent de adresare păstrează un singur IP canonic per host. UI-ul și API-ul expun acest câmp ca `ip`, iar store-ul runtime îl mapează în coloanele istorice SQLite doar pentru compatibilitate internă.

+

+Modelul curent de naming separă explicit:

+

+- `fqdn` — numele canonic al hostului

+- `aliases` — nume suplimentare atașate hostului, care pot fi adăugate sau șterse

+- `vhosts` — nume virtuale servite de host, care pot fi adăugate, șterse sau mutate pe alt host

+

+Mutarea unui vhost înseamnă schimbarea `host_fqdn` în tabelul `vhosts`; legătura `certificate_id` de pe rândul vhostului rămâne atașată vhostului pe durata mutării.

+

+| `config/local-hosts.tsv` | manifest DNS generat, cu un singur IP canonic pe host și aliasuri scurte derivate |

+## Politica de adresare

+

+Registry-ul de cluster publică un singur IP rutabil pentru fiecare host. Micromanagement-ul local, inclusiv orice intrări `127.0.0.1 localhost localhost.localdomain` sau override-uri locale pe host, nu se administrează din Madagascar Local Authority.

+

+| `jumper.madagascar.xdev.ro` | 192.168.2.100 | 192.168.2.100 | Registry-ul publică doar adresa rutabilă; orice comportament local special rămâne responsabilitatea hostului |

+| `jumper.madagascar.xdev.ro` | 192.168.2.100 |

+- UI flows that can lead to a save must verify authentication before the user starts editing, before tab/section changes, and again before submit/save. If authentication is missing or expired, return to login without discarding in-progress form data.

+    ip: "192.168.10.91"

+    ip: "192.168.10.92"

+    ip: "192.168.10.93"

+    ip: "192.168.10.21"

+    ip: "192.168.10.22"

+    ip: "192.168.2.95"

+    ip: "192.168.2.96"

+    ip: "192.168.2.102"

+    ip: "192.168.2.103"

+    ip: "192.168.2.107"

+    ip: "192.168.2.100"

+    notes: "Cluster registry publishes only the routable address."

+# ip<TAB>name [aliases...]

+192.168.2.96	andrafiabe.madagascar.xdev.ro pbs.andrafiabe.madagascar.xdev.ro andrafiabe pbs.andrafiabe

+192.168.2.95	anjothibe.madagascar.xdev.ro pbs.anjothibe.madagascar.xdev.ro anjothibe pbs.anjothibe

+192.168.10.21	autonas01.madagascar.xdev.ro autonas01

+192.168.10.22	autonas02.madagascar.xdev.ro autonas02

+192.168.10.91	baobab.madagascar.xdev.ro pmx.baobab.madagascar.xdev.ro baobab pmx.baobab

+192.168.10.92	ebony.madagascar.xdev.ro pmx.ebony.madagascar.xdev.ro ebony pmx.ebony

+192.168.2.100	jumper.madagascar.xdev.ro hosts.madagascar.xdev.ro jumper hosts

+192.168.2.102	mazeri.madagascar.xdev.ro mazeri

+192.168.10.93	tapia.madagascar.xdev.ro pmx.tapia.madagascar.xdev.ro tapia pmx.tapia

+192.168.2.103	toltec.madagascar.xdev.ro toltec

+192.168.2.107	zabbix.madagascar.xdev.ro zabbix

+    return $path =~ m{\A/(?:|overview|hosts|vhosts|dns|work-orders|ca|debug)\z};

+                my @kept_aliases = grep { $_ ne $name } declared_alias_names($host);

+                my @kept_vhosts = grep { $_ ne $name } declared_vhost_names($host);

+                $removed = (@kept_aliases != @{ $host->{aliases} || [] }) || (@kept_vhosts != @{ $host->{vhosts} || [] });

+                $host->{aliases} = \@kept_aliases;

+                $host->{vhosts} = \@kept_vhosts;

+    my $vhost_count = sum(map { scalar declared_vhost_names($_) } @{ $registry->{hosts} });

+            vhosts => $vhost_count,

+    my $ip = canonical_ip($payload);

+    return send_json($client, 400, { error => 'missing_ip' }) unless $ip;

+    my $fqdn = canonical_host_fqdn($payload);

+    return send_json($client, 400, { error => 'missing_fqdn' }) unless $fqdn;

+    my @aliases = clean_alias_names($payload);

+    my @vhosts = clean_vhost_names($payload);

+        fqdn => $fqdn,

+        ip => $ip,

+        aliases => \@aliases,

+        vhosts => \@vhosts,

+    my $response = eval {

+        my $replaced = 0;

+        for my $i (0 .. $#{ $registry->{hosts} }) {

+            if ($registry->{hosts}->[$i]{id} eq $id) {

+                $registry->{hosts}->[$i] = \%host;

+                $replaced = 1;

+                last;

+            }

+        push @{ $registry->{hosts} }, \%host unless $replaced;

+        save_registry($registry);

+        1;

+    };

+    if (!$response) {

+        my $err = $@ || 'upsert_failed';

+        return send_json($client, 409, { error => 'alias_conflict', detail => clean_scalar($err) })

+            if $err =~ /alias_conflict:/;

+        die $err;

+        my $fqdn = canonical_host_fqdn($host);

+        push @problems, problem($host, 'missing-fqdn', 'No madagascar.xdev.ro FQDN') unless ($fqdn =~ /\.madagascar\.xdev\.ro$/) || ($host->{status} || '') ne 'active';

+        my @declared = declared_dns_names($host);

+            if grep { /\.vad\.is\.xdev\.ro$/ } @declared;

+            if grep { /^(is|vad|b)-/ } @declared;

+        for my $name (@declared) {

+        my %declared = map { $_ => 1 } @declared;

+        for my $derived (derived_alias_names($host), derived_vhost_alias_names($host)) {

+        push @problems, problem($host, 'missing-ip', 'Host is missing a canonical routable IP')

+            unless canonical_ip($host) || ($host->{status} || '') ne 'active';

+    $copy{fqdn} = canonical_host_fqdn($host);

+    $copy{ip} = canonical_ip($host);

+    $copy{declared_names} = [ declared_dns_names($host) ];

+    $copy{aliases} = [ declared_alias_names($host) ];

+    $copy{derived_aliases} = [ derived_alias_names($host) ];

+    $copy{vhosts} = [ declared_vhost_names($host) ];

+    $copy{derived_vhost_aliases} = [ derived_vhost_alias_names($host) ];

+    my @names = declared_dns_names($host);

+    push @names, derived_alias_names($host), derived_vhost_alias_names($host);

+sub declared_dns_names {

+    my ($host) = @_;

+    my @names;

+    my $fqdn = canonical_host_fqdn($host);

+    push @names, $fqdn if length $fqdn;

+    push @names, declared_alias_names($host);

+    push @names, declared_vhost_names($host);

+    return unique_preserve(@names);

+}

+

+sub declared_alias_names {

+    my ($host) = @_;

+    return unique_preserve(map { normalize_dns_name($_) } @{ $host->{aliases} || [] });

+}

+

+sub declared_vhost_names {

+    my ($host) = @_;

+    return unique_preserve(map { normalize_dns_name($_) } @{ $host->{vhosts} || [] });

+}

+

+sub declared_dns_names_legacy {

+    my ($host) = @_;

+    return map { normalize_dns_name($_) } @{ $host->{names} || [] };

+}

+

+sub split_legacy_names {

+    my ($id, $names) = @_;

+    my $fallback = clean_id($id || '');

+    my (%result) = (

+        fqdn => '',

+        aliases => [],

+        vhosts => [],

+    );

+    for my $name (map { normalize_dns_name($_) } @$names) {

+        next unless length $name;

+        if (!$result{fqdn} && $name =~ /\.madagascar\.xdev\.ro\z/ && !name_is_vhost($name)) {

+            $result{fqdn} = $name;

+            next;

+        }

+        if (!$result{fqdn} && $name =~ /\./ && !name_is_vhost($name)) {

+            $result{fqdn} = $name;

+            next;

+        }

+        if (name_is_vhost($name)) {

+            push @{ $result{vhosts} }, $name;

+        } else {

+            push @{ $result{aliases} }, $name;

+        }

+    }

+    $result{fqdn} ||= $fallback ? "$fallback.madagascar.xdev.ro" : '';

+    $result{aliases} = [ unique_preserve(grep { $_ ne $result{fqdn} } @{ $result{aliases} }) ];

+    $result{vhosts} = [ unique_preserve(@{ $result{vhosts} }) ];

+    return \%result;

+}

+

+sub derived_alias_names {

+    my $fqdn = canonical_host_fqdn($host);

+    push @derived, short_alias_for_fqdn($fqdn) if length $fqdn;

+    for my $name (declared_alias_names($host)) {

+        push @derived, short_alias_for_fqdn($name);

+    }

+    return unique_preserve(grep { length $_ } @derived);

+}

+

+sub derived_vhost_alias_names {

+    my ($host) = @_;

+    my @derived;

+    for my $name (declared_vhost_names($host)) {

+        push @derived, short_alias_for_fqdn($name);

+    return unique_preserve(grep { length $_ } @derived);

+}

+

+sub clean_alias_names {

+    my ($payload) = @_;

+    return clean_name_bucket($payload->{aliases})

+        if defined $payload->{aliases};

+    my @legacy = remove_derived_names(clean_list($payload->{names}));

+    return grep { !name_is_vhost($_) && $_ ne canonical_host_fqdn({ %$payload, names => \@legacy }) } @legacy;

+}

+

+sub clean_vhost_names {

+    my ($payload) = @_;

+    return clean_name_bucket($payload->{vhosts})

+        if defined $payload->{vhosts};

+    my @legacy = remove_derived_names(clean_list($payload->{names}));

+    return grep { name_is_vhost($_) } @legacy;

+}

+

+sub clean_name_bucket {

+    my ($value) = @_;

+    my @names = clean_list($value);

+    return unique_preserve(map { normalize_dns_name($_) } remove_derived_names(@names));

+sub canonical_ip {

+    my ($host) = @_;

+    return '' unless $host && ref($host) eq 'HASH';

+    for my $key (qw(ip dns_ip hosts_ip)) {

+        my $value = clean_scalar($host->{$key} || '');

+        return $value if length $value;

+    }

+    return '';

+}

+

+    $out .= "# ip<TAB>name [aliases...]\n";

+        my $ip = canonical_ip($host);

+        next unless $ip;

+        $out .= join("\t", $ip, join(' ', @names)) . "\n";

+            address => canonical_ip($host),

+            fqdn => canonical_host_fqdn($host),

+            declared_names => [ declared_dns_names($host) ],

+            aliases_declared => [ declared_alias_names($host) ],

+            aliases_derived => [ derived_alias_names($host) ],

+            vhosts_declared => [ declared_vhost_names($host) ],

+            vhost_aliases_derived => [ derived_vhost_alias_names($host) ],

+                fqdn => '',

+                ip => '',

+                aliases => [],

+                vhosts => [],

+            my $key = $1;

+            my $value = yaml_unquote($2);

+            if ($key eq 'ip') {

+                $current->{ip} = $value;

+            } elsif ($key eq 'dns_ip' || $key eq 'hosts_ip') {

+                $current->{ip} ||= $value;

+            } elsif ($key eq 'fqdn') {

+                $current->{fqdn} = normalize_dns_name($value);

+            } elsif ($key eq 'names') {

+                # ignored here; legacy list is handled after parsing

+            } else {

+                $current->{$key} = $value;

+            }

+    for my $host (@{ $registry{hosts} }) {

+        my @legacy_names = @{ $host->{names} || [] };

+        if (@legacy_names) {

+            my $legacy = split_legacy_names($host->{id}, \@legacy_names);

+            $host->{fqdn} ||= $legacy->{fqdn};

+            $host->{aliases} = $legacy->{aliases} unless @{ $host->{aliases} || [] };

+            $host->{vhosts} = $legacy->{vhosts} unless @{ $host->{vhosts} || [] };

+        }

+        delete $host->{names};

+        $host->{fqdn} ||= canonical_host_fqdn($host);

+    }

+        $out .= "    fqdn: " . yq(canonical_host_fqdn($host)) . "\n";

+        $out .= "    status: " . yq($host->{status} || '') . "\n";

+        $out .= "    ip: " . yq(canonical_ip($host)) . "\n";

+        for my $key (qw(aliases vhosts roles sources)) {

+            fqdn => $fqdn,

+            ip => canonical_ip($row),

+            aliases => [ active_aliases_for_host($dbh, $fqdn) ],

+            vhosts => [ active_vhosts_for_host($dbh, $fqdn) ],

+    my $ip = canonical_ip($host);

+        $fqdn, $legacy_id, $status, $ip, $ip, $monitoring, $notes, $now, $now,

+    sync_host_aliases_and_vhosts($dbh, $fqdn, [ declared_alias_names($host) ], [ declared_vhost_names($host) ]);

+sub sync_host_aliases_and_vhosts {

+    my ($dbh, $fqdn, $aliases_in, $vhosts_in) = @_;

+    for my $name (@$aliases_in) {

+        $aliases{$name} = 1;

+        upsert_alias_to_db($dbh, $fqdn, $name, 'declared', $now);

+        if (my $short = short_alias_for_fqdn($name)) {

+            $aliases{$short} = 1;

+            upsert_alias_to_db($dbh, $fqdn, $short, 'derived', $now);

+        }

+    }

+    for my $name (@$vhosts_in) {

+        $name = normalize_dns_name($name);

+        next unless length $name;

+        $vhosts{$name} = 1;

+        upsert_vhost_to_db($dbh, $fqdn, $name, $now);

+        if (my $short = short_alias_for_fqdn($name)) {

+            $aliases{$short} = 1;

+            upsert_alias_to_db($dbh, $fqdn, $short, 'derived-vhost', $now);

+    my ($existing_fqdn) = $dbh->selectrow_array(

+        "SELECT host_fqdn FROM host_aliases WHERE alias_name = ? AND status = 'active'",

+        undef,

+        $alias,

+    );

+    if ($existing_fqdn && $existing_fqdn ne $fqdn) {

+        if ($kind eq 'derived-vhost') {

+            $dbh->do(

+                "UPDATE host_aliases SET status = 'retired', is_dns_published = 0, retired_at = ? WHERE alias_name = ? AND host_fqdn = ? AND status = 'active'",

+                undef,

+                $now, $alias, $existing_fqdn,

+            );

+        } else {

+            die "alias_conflict: $alias is already active on $existing_fqdn\n";

+        }

+    }

+sub active_aliases_for_host {

+    my @names;

+    return unique_preserve(@names);

+}

+

+sub active_vhosts_for_host {

+    my ($dbh, $fqdn) = @_;

+    my @names;

+    my $fqdn = normalize_dns_name($host->{fqdn} || '');

+    return $fqdn if length $fqdn;

+    my @names = declared_dns_names_legacy($host);

+    .pill.canonical { font-weight: 700; }

+    .pill.vhost { background: #eef7ff; border-color: #b6d6f7; color: #0e4f96; }

+        <a href="/vhosts" data-page-link="vhosts">Vhosts</a>

+                  <th style="width: 140px">IP</th>

+      <section class="page" id="page-vhosts" data-page="vhosts" hidden>

+        <section class="panel">

+          <div class="panel-head">

+            <h2>Vhosts</h2>

+            <div class="host-tools">

+              <input id="vhost-filter" placeholder="filter">

+              <div class="stats" id="vhost-stats"></div>

+            </div>

+          </div>

+          <div class="table-wrap">

+            <table>

+              <thead>

+                <tr>

+                  <th>Vhost</th>

+                  <th style="width: 190px">Host</th>

+                  <th style="width: 140px">IP</th>

+                  <th style="width: 180px">Derived aliases</th>

+                  <th style="width: 120px">Monitoring</th>

+                  <th style="width: 90px">Status</th>

+                </tr>

+              </thead>

+              <tbody id="vhosts"></tbody>

+            </table>

+          </div>

+        </section>

+      </section>

+

+          <label>FQDN<input name="fqdn" required></label>

+          <label>IP<input name="ip" required></label>

+          <label class="span2">Aliases<textarea name="aliases"></textarea></label>

+          <label class="span2">Vhosts<textarea name="vhosts"></textarea></label>

+      '/vhosts': 'vhosts',

+    async function ensureAuthenticated(message) {

+      if (!state.authenticated) {

+        handleAuthLost(message || 'Autentifica-te pentru a continua.');

+        return false;

+      }

+      const session = await api('/api/session');

+      state.authenticated = session.authenticated;

+      if (!state.authenticated) {

+        handleAuthLost(message || 'Sesiunea a expirat. Autentifica-te din nou.');

+        return false;

+      }

+      return true;

+    }

+

+        ['vhosts', data.counts.vhosts || vhostRows().length],

+      renderVhosts();

+            <td>${escapeHtml(h.ip || '')}</td>

+      document.querySelectorAll('[data-edit]').forEach(button => button.addEventListener('click', () => {

+        editHost(button.dataset.edit).catch(e => {

+          if (!isAuthLost(e)) msg(e.message);

+        });

+      }));

+      const canonical = host.fqdn ? `<span class="pill canonical">${escapeHtml(host.fqdn)}</span>` : '';

+      const aliases = (host.aliases || []).map(name => `<span class="pill">${escapeHtml(name)}</span>`).join('');

+      const derivedAliases = (host.derived_aliases || []).map(name => `<span class="pill derived" title="derived alias">${escapeHtml(name)}</span>`).join('');

+      const vhosts = (host.vhosts || []).map(name => `<span class="pill vhost">${escapeHtml(name)}</span>`).join('');

+      const derivedVhostAliases = (host.derived_vhost_aliases || []).map(name => `<span class="pill derived vhost" title="derived vhost alias">${escapeHtml(name)}</span>`).join('');

+      return canonical + aliases + derivedAliases + vhosts + derivedVhostAliases;

+    }

+

+    function vhostRows() {

+      return state.hosts.flatMap(host => (host.vhosts || []).map(vhost => ({

+        vhost,

+        host_id: host.id || '',

+        host_fqdn: host.fqdn || '',

+        ip: host.ip || '',

+        derived_aliases: shortAliasForFqdn(vhost) ? [shortAliasForFqdn(vhost)] : [],

+        monitoring: host.monitoring || '',

+        status: host.status || '',

+      })));

+    }

+

+    function renderVhosts() {

+      const input = $('vhost-filter');

+      const filter = input ? input.value.toLowerCase() : '';

+      const rows = vhostRows()

+        .sort((a, b) => String(a.vhost || '').localeCompare(String(b.vhost || '')))

+        .filter(row => JSON.stringify(row).toLowerCase().includes(filter));

+      $('vhost-stats').innerHTML = [

+        ['shown', rows.length],

+        ['total', vhostRows().length],

+      ].map(([k, v]) => `<span class="stat">${escapeHtml(k)}: ${escapeHtml(String(v))}</span>`).join('');

+      $('vhosts').innerHTML = rows.length ? rows.map(row => `<tr>

+        <td><span class="pill vhost">${escapeHtml(row.vhost)}</span></td>

+        <td><button type="button" data-edit-vhost-host="${escapeHtml(row.host_id)}">${escapeHtml(row.host_id)}</button><div class="muted mono">${escapeHtml(row.host_fqdn)}</div></td>

+        <td>${escapeHtml(row.ip)}</td>

+        <td>${row.derived_aliases.map(name => `<span class="pill derived vhost">${escapeHtml(name)}</span>`).join('')}</td>

+        <td><span class="pill">${escapeHtml(row.monitoring)}</span></td>

+        <td>${escapeHtml(row.status)}</td>

+      </tr>`).join('') : '<tr><td colspan="6" class="muted">No vhosts.</td></tr>';

+      document.querySelectorAll('[data-edit-vhost-host]').forEach(button => button.addEventListener('click', () => {

+        editHost(button.dataset.editVhostHost).catch(e => {

+          if (!isAuthLost(e)) msg(e.message);

+        });

+      }));

+    }

+

+    function shortAliasForFqdn(name) {

+      const suffix = '.madagascar.xdev.ro';

+      name = String(name || '').toLowerCase();

+      return name.endsWith(suffix) ? name.slice(0, -suffix.length) : '';

+    async function editHost(id) {

+      if (!await ensureAuthenticated('Autentifica-te inainte de editare.')) return;

+      for (const key of ['id', 'fqdn', 'status', 'ip', 'monitoring', 'notes']) hostField(key).value = host[key] || '';

+      hostField('aliases').value = (host.aliases || []).join('\n');

+      hostField('vhosts').value = (host.vhosts || []).join('\n');

+    async function newHost() {

+      if (!await ensureAuthenticated('Autentifica-te inainte de adaugarea unui host.')) return;

+      link.addEventListener('click', async (event) => {

+        if (!await ensureAuthenticated('Autentifica-te pentru a schimba sectiunea.')) return;

+    window.addEventListener('popstate', () => {

+      ensureAuthenticated('Autentifica-te pentru a schimba sectiunea.')

+        .then(authenticated => { if (authenticated) showPage(currentPage()); })

+        .catch(e => { if (!isAuthLost(e)) msg(e.message); });

+    });

+    $('vhost-filter').addEventListener('input', renderVhosts);

+    $('new-host').addEventListener('click', () => {

+      newHost().catch(e => {

+        if (!isAuthLost(e)) msg(e.message);

+      });

+    });

+      if (!await ensureAuthenticated('Autentifica-te inainte de salvare. Modificarile raman in formular.')) return;

+    line="${line//$'\r'/}"

+    IFS=$'\t' read -r col1 col2 col3 _ <<< "$line"

+    if [[ -n "${col3:-}" ]]; then

+        ip="$col2"

+        names="$col3"

+    else

+        ip="$col1"

+        names="$col2"

+    fi

+    [[ -n "${ip:-}" && -n "${names:-}" ]] || die "Invalid row: $line"

+    printf '%s   %s\n' "$ip" "$names" >> "$HOSTS_ROWS"

+        printf '%-40s %s\n' "$name" "$ip" >> "$CLOAK_ROWS"

+            printf '%s %s\n' "$name" "$ip" >> "$VERIFY_ROWS"

+        ros_ip="$(quote_ros "$ip")"